Unknown CriticalExtensions is not handled by X509 PAL on macOS  #35492

@vcsjones

Description

If you use X509Chain.Build on a certificate that has a critical extension that is not understood, a CryptographicException is thrown on macOS. (repros on master)

For example, attempting to build a chain on a certificate that contains the CT Precertificate Poison extension:

Sample code to reproduce:

using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Self-signed certificate carrying the CT Precertificate Poison extension,
// which RFC 6962 requires to be marked critical.
using RSA key = RSA.Create();
CertificateRequest certReq = new CertificateRequest(
    new X500DistinguishedName("CN=Cert"),
    key,
    HashAlgorithmName.SHA256,
    RSASignaturePadding.Pkcs1);

// OID 1.3.6.1.4.1.11129.2.4.3 (precert poison); the value is DER NULL (05 00); critical = true
certReq.CertificateExtensions.Add(new X509Extension(
    new AsnEncodedData(new Oid("1.3.6.1.4.1.11129.2.4.3"), new byte[] { 5, 0 }), true
));

DateTimeOffset notBefore = DateTimeOffset.UtcNow.AddDays(-1);
DateTimeOffset notAfter = notBefore.AddDays(30);

using X509Certificate2 cert = certReq.CreateSelfSigned(notBefore, notAfter);
X509Chain chain = new X509Chain();
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
// Expected: Build returns false and ChainStatus reports the unsupported critical extension.
chain.Build(cert);

On macOS this will result in:

Unhandled exception. System.Security.Cryptography.CryptographicException: Error occurred during a cryptographic operation.
   at Internal.Cryptography.Pal.SecTrustChainPal.ParseResults(SafeX509ChainHandle chainHandle, X509RevocationMode revocationMode)

Running with a debug build gives us:

Unknown Chain Status: CriticalExtensions

I think we are missing a mapping of "CriticalExtensions" ➡️ X509ChainStatusFlags.HasNotSupportedCriticalExtension
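As an added example, not part of the report above or of the runtime's own code: a caller-side check that surfaces the outcome the report expects (X509ChainStatusFlags.HasNotSupportedCriticalExtension in ChainStatus) and separately classifies the failure mode the report describes on macOS, where Build throws instead of returning false. The class and method names, the use of AllowUnknownCertificateAuthority to keep the self-signed root from dominating the status list, and the 2048-bit key size are this example's own choices; the OID, the 05 00 value and the X509Chain API are as in the report.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Example class (hypothetical name); not part of dotnet/runtime.
static class UnknownCriticalExtensionCheck
{
    // CT Precertificate Poison (RFC 6962, section 3.1), always critical.
    const string PrecertPoisonOid = "1.3.6.1.4.1.11129.2.4.3";

    // Builds a self-signed test certificate whose only unusual feature is an
    // unknown critical extension. The caller owns the key's lifetime.
    static X509Certificate2 MakeCertWithUnknownCriticalExtension(RSA key)
    {
        var req = new CertificateRequest(
            new X500DistinguishedName("CN=Cert"),
            key,
            HashAlgorithmName.SHA256,
            RSASignaturePadding.Pkcs1);

        // DER NULL (05 00) is the value RFC 6962 specifies for the poison extension.
        req.CertificateExtensions.Add(new X509Extension(
            new AsnEncodedData(new Oid(PrecertPoisonOid), new byte[] { 0x05, 0x00 }),
            critical: true));

        DateTimeOffset notBefore = DateTimeOffset.UtcNow.AddDays(-1);
        return req.CreateSelfSigned(notBefore, notBefore.AddDays(30));
    }

    // Returns true when the chain engine reports the unsupported critical
    // extension through ChainStatus; 'detail' carries the raw flags or the
    // exception text so the caller can tell "not flagged" from "Build threw".
    static bool ReportsUnsupportedCriticalExtension(X509Certificate2 cert, out string detail)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        // Self-signed test cert: ignore the untrusted-root status so the
        // extension status is not buried among expected trust failures.
        chain.ChainPolicy.VerificationFlags =
            X509VerificationFlags.AllowUnknownCertificateAuthority;

        try
        {
            chain.Build(cert);
        }
        catch (CryptographicException ex)
        {
            // The macOS failure mode from the report: the PAL cannot map the native
            // "CriticalExtensions" status, so Build throws instead of returning false.
            detail = "Build threw CryptographicException: " + ex.Message;
            return false;
        }

        X509ChainStatusFlags flags = chain.ChainStatus
            .Aggregate(X509ChainStatusFlags.NoError, (acc, s) => acc | s.Status);
        detail = flags.ToString();
        return flags.HasFlag(X509ChainStatusFlags.HasNotSupportedCriticalExtension);
    }

    static void Main()
    {
        using RSA key = RSA.Create(2048);
        using X509Certificate2 cert = MakeCertWithUnknownCriticalExtension(key);

        bool flagged = ReportsUnsupportedCriticalExtension(cert, out string detail);
        Console.WriteLine(flagged
            ? "Chain reports HasNotSupportedCriticalExtension; status: " + detail
            : "Flag not reported; " + detail);
    }
}
```

Run it on each platform you ship to: a caller that only tests Build's boolean result never sees HasNotSupportedCriticalExtension, and a caller that does not catch CryptographicException around Build will crash on a platform that exhibits the behaviour reported above. Checking the ChainStatus flags, as done here, is what lets the application reject the certificate for the right reason rather than for a generic failure.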
