From ec4091f1869f4a20bd791619b542aea32a5ea46f Mon Sep 17 00:00:00 2001 From: Kevin Jones Date: Tue, 15 Jul 2025 13:58:45 -0400 Subject: [PATCH 1/2] Make Pkcs12LoaderLimits.AllowDuplicateAttributes public --- .../X509Certificates/Pkcs12LoaderLimits.cs | 2 +- ...509CertificateLoaderPkcs12CollectionTests.cs | 15 ++++----------- .../X509CertificateLoaderPkcs12Tests.cs | 17 +++++------------ .../ref/System.Security.Cryptography.cs | 1 + 4 files changed, 11 insertions(+), 24 deletions(-) diff --git a/src/libraries/Common/src/System/Security/Cryptography/X509Certificates/Pkcs12LoaderLimits.cs b/src/libraries/Common/src/System/Security/Cryptography/X509Certificates/Pkcs12LoaderLimits.cs index 678e8ea6d78a34..f88b2c2a53ae8d 100644 --- a/src/libraries/Common/src/System/Security/Cryptography/X509Certificates/Pkcs12LoaderLimits.cs +++ b/src/libraries/Common/src/System/Security/Cryptography/X509Certificates/Pkcs12LoaderLimits.cs @@ -372,7 +372,7 @@ public bool IgnoreEncryptedAuthSafes /// to fail loading when duplicate attributes are found. /// The default is . /// - internal bool AllowDuplicateAttributes + public bool AllowDuplicateAttributes { get => _allowDuplicateAttributes; set diff --git a/src/libraries/Common/tests/System/Security/Cryptography/X509Certificates/X509CertificateLoaderPkcs12CollectionTests.cs b/src/libraries/Common/tests/System/Security/Cryptography/X509Certificates/X509CertificateLoaderPkcs12CollectionTests.cs index da5a2d6a7e929a..9b1b5e99d4816c 100644 --- a/src/libraries/Common/tests/System/Security/Cryptography/X509Certificates/X509CertificateLoaderPkcs12CollectionTests.cs +++ b/src/libraries/Common/tests/System/Security/Cryptography/X509Certificates/X509CertificateLoaderPkcs12CollectionTests.cs @@ -178,7 +178,7 @@ public abstract partial class X509CertificateLoaderPkcs12CollectionTests #if NETFRAMEWORK X509KeyStorageFlags.DefaultKeySet; #else - PlatformDetection.UsesAppleCrypto ? + PlatformDetection.UsesAppleCrypto ? X509KeyStorageFlags.DefaultKeySet : X509KeyStorageFlags.EphemeralKeySet; #endif @@ -301,7 +301,7 @@ private void LoadKnownFormat_Fails(byte[] data, string path, X509ContentType con Assert.Equal(contentType, actualType); } } - + if (path is null) { Assert.ThrowsAny(() => LoadPfxNoFile(data)); @@ -747,16 +747,9 @@ public void LoadPfx_VerifyIgnoreEncryptedSafes_EmptyIfIgnored(bool ignoreEncrypt [InlineData(true)] public void LoadWithDuplicateAttributes(bool allowDuplicates) { - Pkcs12LoaderLimits limits = Pkcs12LoaderLimits.Defaults; - - if (allowDuplicates) - { - limits = Pkcs12LoaderLimits.DangerousNoLimits; - } - - // remove the edit lock - limits = new Pkcs12LoaderLimits(limits) + Pkcs12LoaderLimits limits = new(Pkcs12LoaderLimits.Defaults) { + AllowDuplicateAttributes = allowDuplicates, PreserveCertificateAlias = false, PreserveKeyName = false, PreserveStorageProvider = false, diff --git a/src/libraries/Common/tests/System/Security/Cryptography/X509Certificates/X509CertificateLoaderPkcs12Tests.cs b/src/libraries/Common/tests/System/Security/Cryptography/X509Certificates/X509CertificateLoaderPkcs12Tests.cs index b2005ab6052ac0..2deaf931935309 100644 --- a/src/libraries/Common/tests/System/Security/Cryptography/X509Certificates/X509CertificateLoaderPkcs12Tests.cs +++ b/src/libraries/Common/tests/System/Security/Cryptography/X509Certificates/X509CertificateLoaderPkcs12Tests.cs @@ -179,7 +179,7 @@ public abstract partial class X509CertificateLoaderPkcs12Tests #if NETFRAMEWORK X509KeyStorageFlags.DefaultKeySet; #else - PlatformDetection.UsesAppleCrypto ? + PlatformDetection.UsesAppleCrypto ? X509KeyStorageFlags.DefaultKeySet : X509KeyStorageFlags.EphemeralKeySet; #endif @@ -302,7 +302,7 @@ private void LoadKnownFormat_Fails(byte[] data, string path, X509ContentType con Assert.Equal(contentType, actualType); } } - + if (path is null) { Assert.ThrowsAny(() => LoadPfxNoFile(data)); @@ -742,16 +742,9 @@ public void VerifyIndependentLifetime() [InlineData(true)] public void LoadWithDuplicateAttributes(bool allowDuplicates) { - Pkcs12LoaderLimits limits = Pkcs12LoaderLimits.Defaults; - - if (allowDuplicates) - { - limits = Pkcs12LoaderLimits.DangerousNoLimits; - } - - // remove the edit lock - limits = new Pkcs12LoaderLimits(limits) + Pkcs12LoaderLimits limits = new(Pkcs12LoaderLimits.Defaults) { + AllowDuplicateAttributes = allowDuplicates, PreserveCertificateAlias = false, PreserveKeyName = false, PreserveStorageProvider = false, @@ -788,7 +781,7 @@ public void LoadWithLegacyProvider(bool preserveStorageProvider, bool ephemeralI // EphemeralKeySet is not available by name in the netfx build. const X509KeyStorageFlags EphemeralKeySet = (X509KeyStorageFlags)0x20; - bool expectLegacy = (flags & EphemeralKeySet) == 0 && preserveStorageProvider; + bool expectLegacy = (flags & EphemeralKeySet) == 0 && preserveStorageProvider; using (X509Certificate2 cert = LoadPfxNoFile(TestData.SChannelPfx, TestData.PlaceholderPw, flags, limits)) { diff --git a/src/libraries/System.Security.Cryptography/ref/System.Security.Cryptography.cs b/src/libraries/System.Security.Cryptography/ref/System.Security.Cryptography.cs index 5e945c446a2ed3..81bfc96492b27f 100644 --- a/src/libraries/System.Security.Cryptography/ref/System.Security.Cryptography.cs +++ b/src/libraries/System.Security.Cryptography/ref/System.Security.Cryptography.cs @@ -3386,6 +3386,7 @@ public sealed partial class Pkcs12LoaderLimits { public Pkcs12LoaderLimits() { } public Pkcs12LoaderLimits(System.Security.Cryptography.X509Certificates.Pkcs12LoaderLimits copyFrom) { } + public bool AllowDuplicateAttributes { get { throw null; } set { } } public static System.Security.Cryptography.X509Certificates.Pkcs12LoaderLimits DangerousNoLimits { get { throw null; } } public static System.Security.Cryptography.X509Certificates.Pkcs12LoaderLimits Defaults { get { throw null; } } public bool IgnoreEncryptedAuthSafes { get { throw null; } set { } } From 245d908e1e1ad712290c86d3d13dfd4c2733953f Mon Sep 17 00:00:00 2001 From: Kevin Jones Date: Tue, 15 Jul 2025 15:01:43 -0400 Subject: [PATCH 2/2] Do not OOB the new property as public --- .../X509Certificates/Pkcs12LoaderLimits.cs | 7 ++++++- .../X509CertificateLoaderPkcs12CollectionTests.cs | 14 +++++++++++++- .../X509CertificateLoaderPkcs12Tests.cs | 14 +++++++++++++- 3 files changed, 32 insertions(+), 3 deletions(-) diff --git a/src/libraries/Common/src/System/Security/Cryptography/X509Certificates/Pkcs12LoaderLimits.cs b/src/libraries/Common/src/System/Security/Cryptography/X509Certificates/Pkcs12LoaderLimits.cs index f88b2c2a53ae8d..c9c0a6a6f772d8 100644 --- a/src/libraries/Common/src/System/Security/Cryptography/X509Certificates/Pkcs12LoaderLimits.cs +++ b/src/libraries/Common/src/System/Security/Cryptography/X509Certificates/Pkcs12LoaderLimits.cs @@ -372,7 +372,12 @@ public bool IgnoreEncryptedAuthSafes /// to fail loading when duplicate attributes are found. /// The default is . /// - public bool AllowDuplicateAttributes +#if NET10_0_OR_GREATER + public +#else + internal +#endif + bool AllowDuplicateAttributes { get => _allowDuplicateAttributes; set diff --git a/src/libraries/Common/tests/System/Security/Cryptography/X509Certificates/X509CertificateLoaderPkcs12CollectionTests.cs b/src/libraries/Common/tests/System/Security/Cryptography/X509Certificates/X509CertificateLoaderPkcs12CollectionTests.cs index 9b1b5e99d4816c..791c64ff9f87c4 100644 --- a/src/libraries/Common/tests/System/Security/Cryptography/X509Certificates/X509CertificateLoaderPkcs12CollectionTests.cs +++ b/src/libraries/Common/tests/System/Security/Cryptography/X509Certificates/X509CertificateLoaderPkcs12CollectionTests.cs @@ -747,9 +747,21 @@ public void LoadPfx_VerifyIgnoreEncryptedSafes_EmptyIfIgnored(bool ignoreEncrypt [InlineData(true)] public void LoadWithDuplicateAttributes(bool allowDuplicates) { - Pkcs12LoaderLimits limits = new(Pkcs12LoaderLimits.Defaults) + Pkcs12LoaderLimits limits = Pkcs12LoaderLimits.Defaults; + +#if !NET10_0_OR_GREATER + if (allowDuplicates) { + limits = Pkcs12LoaderLimits.DangerousNoLimits; + } +#endif + + // remove the edit lock + limits = new Pkcs12LoaderLimits(limits) + { +#if NET10_0_OR_GREATER AllowDuplicateAttributes = allowDuplicates, +#endif PreserveCertificateAlias = false, PreserveKeyName = false, PreserveStorageProvider = false, diff --git a/src/libraries/Common/tests/System/Security/Cryptography/X509Certificates/X509CertificateLoaderPkcs12Tests.cs b/src/libraries/Common/tests/System/Security/Cryptography/X509Certificates/X509CertificateLoaderPkcs12Tests.cs index 2deaf931935309..2c58efcda33a6d 100644 --- a/src/libraries/Common/tests/System/Security/Cryptography/X509Certificates/X509CertificateLoaderPkcs12Tests.cs +++ b/src/libraries/Common/tests/System/Security/Cryptography/X509Certificates/X509CertificateLoaderPkcs12Tests.cs @@ -742,9 +742,21 @@ public void VerifyIndependentLifetime() [InlineData(true)] public void LoadWithDuplicateAttributes(bool allowDuplicates) { - Pkcs12LoaderLimits limits = new(Pkcs12LoaderLimits.Defaults) + Pkcs12LoaderLimits limits = Pkcs12LoaderLimits.Defaults; + +#if !NET10_0_OR_GREATER + if (allowDuplicates) { + limits = Pkcs12LoaderLimits.DangerousNoLimits; + } +#endif + + // remove the edit lock + limits = new Pkcs12LoaderLimits(limits) + { +#if NET10_0_OR_GREATER AllowDuplicateAttributes = allowDuplicates, +#endif PreserveCertificateAlias = false, PreserveKeyName = false, PreserveStorageProvider = false,