[PM-19601] Introduce options for adding certificates to trust without root (#5609)

* Introduce options for adding certificates to the X509ChainPolicy.CustomTrustStore Co-authored-by: tangowithfoxtrot <tangowithfoxtrot@users.noreply.github.com> * Add comments * Fix places I am still calling it TLS options * Format * Format from root * Add more tests * Add HTTP Tests * Format * Switch to empty builder * Remove unneeded helper * Configure logging only once --------- Co-authored-by: tangowithfoxtrot <tangowithfoxtrot@users.noreply.github.com>
2025-07-11 04:43:44 -05:00 · 2025-04-07 14:10:36 -04:00
parent 1cf9ff34c1
commit a8403f3dc2
9 changed files with 610 additions and 26 deletions
--- a/src/Core/Services/Implementations/MailKitSmtpMailDeliveryService.cs
+++ b/src/Core/Services/Implementations/MailKitSmtpMailDeliveryService.cs
@ -1,7 +1,10 @@
-using Bit.Core.Settings;
+using System.Security.Cryptography.X509Certificates;
+using Bit.Core.Platform.X509ChainCustomization;
+using Bit.Core.Settings;
 using Bit.Core.Utilities;
 using MailKit.Net.Smtp;
 using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
 using MimeKit;

 namespace Bit.Core.Services;
@ -10,12 +13,14 @@ public class MailKitSmtpMailDeliveryService : IMailDeliveryService
 {
    private readonly GlobalSettings _globalSettings;
    private readonly ILogger<MailKitSmtpMailDeliveryService> _logger;
+    private readonly X509ChainOptions _x509ChainOptions;
    private readonly string _replyDomain;
    private readonly string _replyEmail;

    public MailKitSmtpMailDeliveryService(
        GlobalSettings globalSettings,
-        ILogger<MailKitSmtpMailDeliveryService> logger)
+        ILogger<MailKitSmtpMailDeliveryService> logger,
+        IOptions<X509ChainOptions> x509ChainOptions)
    {
        if (globalSettings.Mail?.Smtp?.Host == null)
        {
@ -31,6 +36,7 @@ public class MailKitSmtpMailDeliveryService : IMailDeliveryService

        _globalSettings = globalSettings;
        _logger = logger;
+        _x509ChainOptions = x509ChainOptions.Value;
    }

    public async Task SendEmailAsync(Models.Mail.MailMessage message)
@ -75,6 +81,13 @@ public class MailKitSmtpMailDeliveryService : IMailDeliveryService
            {
                client.ServerCertificateValidationCallback = (s, c, h, e) => true;
            }
+            else if (_x509ChainOptions.TryGetCustomRemoteCertificateValidationCallback(out var callback))
+            {
+                client.ServerCertificateValidationCallback = (sender, cert, chain, errors) =>
+                {
+                    return callback(new X509Certificate2(cert), chain, errors);
+                };
+            }

            if (!_globalSettings.Mail.Smtp.StartTls && !_globalSettings.Mail.Smtp.Ssl &&
                _globalSettings.Mail.Smtp.Port == 25)