Handle missing Network.framework peer certificate chain

[liveans]

Fixes crash in #123395

[dotnet-policy-service]

Tagging subscribers to this area: @dotnet/ncl, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

[Copilot]

Pull request overview

Fixes a crash in Apple Network Framework TLS/WebSockets scenarios by safely handling cases where the peer certificate chain handle is missing/invalid, avoiding a NullReferenceException during remote certificate extraction.

Changes:

• Make the Network.framework peer chain handle nullable when retrieving the remote certificate.
• Early-return null when the chain handle is missing or invalid, preventing calls into AppleCrypto with a null handle.
• Ensure the copied certificate chain handle is disposed when it was created via SslCopyCertChain (SafeDeleteSslContext path), even on the early-return path.

[rzikm]

I wonder how do we get to the situation that the remote certificate chain handle is missing or invalid. Since NW is used only for client scenario, there should always be remote (=server) certificate by the time we call the callback. Or am I missing something? The only possibility that occurs to me at the moment is TLS resumption and NW not storing remote cert alongside the TLS session ticket for future inspection.

[wfurt]

I wonder how do we get to the situation that the remote certificate chain handle is missing or invalid. Since NW is used only for client scenario, there should always be remote (=server) certificate by the time we call the callback. Or am I missing something? The only possibility that occurs to me at the moment is TLS resumption and NW not storing remote cert alongside the TLS session ticket for future inspection.

my suspicion is TLS resume but since we do not have repro it is hard to know. The other option could be error states - like the TLS state machine got TLS alert but it did not bubble up yet and fail in the handshake validation.