From c866b35001316290a2b5ba090204915224351104 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ahmet=20=C4=B0brahim=20Aksoy?=
Date: Mon, 27 Apr 2026 13:54:04 +0200
Subject: [PATCH] Fix NetworkFramework certificate chain
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .../System/Net/CertificateValidationPal.OSX.cs | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/src/libraries/System.Net.Security/src/System/Net/CertificateValidationPal.OSX.cs b/src/libraries/System.Net.Security/src/System/Net/CertificateValidationPal.OSX.cs
index 97ffc38aaf841a..9b5825ac70df0d 100644
--- a/src/libraries/System.Net.Security/src/System/Net/CertificateValidationPal.OSX.cs
+++ b/src/libraries/System.Net.Security/src/System/Net/CertificateValidationPal.OSX.cs
@@ -35,13 +35,24 @@ internal static SslPolicyErrors VerifyCertificateProperties(
 X509Certificate2? result = null;
- SafeX509ChainHandle chainHandle = securityContext switch
+ SafeX509ChainHandle? chainHandle = securityContext switch
 {
- SafeDeleteNwContext nwContext => nwContext.PeerX509ChainHandle!,
+ SafeDeleteNwContext nwContext => nwContext.PeerX509ChainHandle,
 SafeDeleteSslContext sslContext => Interop.AppleCrypto.SslCopyCertChain(sslContext.SslContext),
 _ => throw new ArgumentException("Invalid context type", nameof(securityContext))
 };
+ if (chainHandle is null || chainHandle.IsInvalid)
+ {
+ if (securityContext is SafeDeleteSslContext)
+ {
+ chainHandle?.Dispose();
+ }
+
+ if (NetEventSource.Log.IsEnabled()) NetEventSource.Log.RemoteCertificate(result);
+ return result;
+ }
+
 try
 {
 long chainSize = Interop.AppleCrypto.X509ChainGetChainSize(chainHandle);
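Review bot: The new early return under `if (chainHandle is null || chainHandle.IsInvalid)` reports a missing or invalid chain handle exactly as if the peer had presented no certificate, and the only trace is `RemoteCertificate(result)` with `result` always null at that point. How a null certificate is treated is decided by callers outside this hunk, so it is worth confirming that any caller which requires a peer certificate still fails the handshake here, and adding a distinct trace line such as `if (NetEventSource.Log.IsEnabled()) NetEventSource.Info(securityContext, "Peer certificate chain handle is null or invalid");` so a chain-capture failure can be told apart from an anonymous peer. The `securityContext is SafeDeleteSslContext` test before `chainHandle?.Dispose()` encodes an ownership rule that is not written down; a comment like `// SslCopyCertChain returns a handle owned by this method; PeerX509ChainHandle appears to be owned by the SafeDeleteNwContext and must not be disposed here.` would keep a later edit from disposing the wrong handle. The diffstat shows one file changed, so a regression test covering a null `PeerX509ChainHandle` would also be worth adding. The enclosing method starts before the hunk and its `try` block continues past it.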