Improve platform detection for tests

dotnet · rzikm · Mar 16, 2022 · Feb 24, 2022 · Mar 2, 2022 · Mar 2, 2022
commit fc93cea69ebb14c03b7a5d8d972abe875c73eed9
diff --git a/src/libraries/Common/tests/TestUtilities/System/PlatformDetection.cs b/src/libraries/Common/tests/TestUtilities/System/PlatformDetection.cs
@@ -238,13 +238,14 @@ private static bool GetAlpnSupport()
         private static Lazy<bool> s_supportsTls11 = new Lazy<bool>(GetTls11Support);
         private static Lazy<bool> s_supportsTls12 = new Lazy<bool>(GetTls12Support);
         private static Lazy<bool> s_supportsTls13 = new Lazy<bool>(GetTls13Support);
-        private static Lazy<bool> s_supportsSendingCANamesInTls = new Lazy<bool>(GetTlsHandshakeCAListSupport);
+        private static Lazy<bool> s_sendsCAListByDefault = new Lazy<bool>(GetSendsCAListByDefault);
 
         public static bool SupportsTls10 => s_supportsTls10.Value;
         public static bool SupportsTls11 => s_supportsTls11.Value;
         public static bool SupportsTls12 => s_supportsTls12.Value;
         public static bool SupportsTls13 => s_supportsTls13.Value;
-        public static bool SupportsSendingCANamesInTls => s_supportsSendingCANamesInTls.Value;
+        public static bool SendsCAListByDefault => s_sendsCAListByDefault.Value;
+        public static bool SupportsSendingCustomCANamesInTls => UsesAppleCrypto || IsOpenSslSupported || (PlatformDetection.IsWindows8xOrLater && SendsCAListByDefault);
 
         private static Lazy<bool> s_largeArrayIsNotSupported = new Lazy<bool>(IsLargeArrayNotSupported);
 
@@ -514,16 +515,12 @@ private static bool GetTls13Support()
             return false;
         }
 
-        private static bool GetTlsHandshakeCAListSupport()
+        private static bool GetSendsCAListByDefault()
         {
-            if (IsOpenSslSupported || IsOSX)
-            {
-                return true;
-            }
-
             if (IsWindows)
             {
-                // Sending TrustedIssuers is conditioned on the registry.
+                // Sending TrustedIssuers is conditioned on the registry. Win7 sends trusted issuer list by default,
+                // newer Windows versions don't.
                 object val = Registry.GetValue(@"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL", "SendTrustedIssuerList", IsWindows7 ? 1 : 0);
                 if (val is int i)
                 {

diff --git a/src/libraries/System.Net.Security/src/System/Net/Security/SslCertificateTrust.cs b/src/libraries/System.Net.Security/src/System/Net/Security/SslCertificateTrust.cs
@@ -21,7 +21,9 @@ public static SslCertificateTrust CreateForX509Store(X509Store store, bool sendT
                 throw new PlatformNotSupportedException(SR.net_ssl_trust_store);
             }
 #else
-            if (sendTrustInHandshake && !System.OperatingSystem.IsLinux() && !System.OperatingSystem.IsMacOS())
+            if (sendTrustInHandshake && !System.OperatingSystem.IsLinux() && !System.OperatingSystem.IsMacOS() &&
+                // Necessary functions are available only on win 8 onwards
+                !OperatingSystem.IsWindowsVersionAtLeast(6, 2))
             {
                 // to be removed when implemented.
                 throw new PlatformNotSupportedException(SR.net_ssl_trust_handshake);
@@ -43,16 +45,9 @@ public static SslCertificateTrust CreateForX509Collection(X509Certificate2Collec
         {
             if (sendTrustInHandshake && !System.OperatingSystem.IsLinux() && !System.OperatingSystem.IsMacOS())
             {
-                // to be removed when implemented.
                 throw new PlatformNotSupportedException(SR.net_ssl_trust_handshake);
             }
 
-#if TARGET_WINDOWS
-            if (sendTrustInHandshake)
-            {
-                throw new PlatformNotSupportedException(SR.net_ssl_trust_collection);
-            }
-#endif
             var trust = new SslCertificateTrust();
             trust._trustList = trustList;
             trust._sendTrustInHandshake = sendTrustInHandshake;

diff --git a/src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamCertificateTrustTests.cs b/src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamCertificateTrustTests.cs
@@ -15,9 +15,10 @@ namespace System.Net.Security.Tests
 
     public class SslStreamCertificateTrustTest
     {
-        public static bool SupportsSendingCANamesInTls => PlatformDetection.SupportsSendingCANamesInTls;
+        public static bool SupportsSendingCustomCANamesInTls => PlatformDetection.SupportsSendingCustomCANamesInTls;
+        public static bool DoesNotSupportSendingCustomCANamesInTls => !PlatformDetection.SupportsSendingCustomCANamesInTls;
 
-        [ConditionalFact(nameof(SupportsSendingCANamesInTls))]
+        [ConditionalFact(nameof(SupportsSendingCustomCANamesInTls))]
         [SkipOnPlatform(TestPlatforms.Windows, "CertificateCollection-based SslCertificateTrust is not Supported on Windows")]
         public async Task SslStream_SendCertificateTrust_CertificateCollection()
         {
@@ -30,7 +31,7 @@ public async Task SslStream_SendCertificateTrust_CertificateCollection()
             Assert.Equal(caCerts.Select(c => c.Subject), acceptableIssuers);
         }
 
-        [ConditionalFact(nameof(SupportsSendingCANamesInTls))]
+        [ConditionalFact(nameof(SupportsSendingCustomCANamesInTls))]
         public async Task SslStream_SendCertificateTrust_CertificateStore()
         {
             using X509Store store = new X509Store("Root", StoreLocation.LocalMachine);
@@ -88,5 +89,25 @@ await TestConfiguration.WhenAllOrAnyFailedWithTimeout(
                 return acceptableIssuers;
             }
         }
+
+        [ConditionalFact(nameof(SupportsSendingCustomCANamesInTls))]
+        public void SslStream_SendCertificateTrust_CertificateCollection_ThrowsOnWindows()
+        {
+            (X509Certificate2 certificate, X509Certificate2Collection caCerts) = TestHelper.GenerateCertificates(nameof(SslStream_SendCertificateTrust_CertificateCollection));
+
+            Assert.Throws<PlatformNotSupportedException>(() => SslCertificateTrust.CreateForX509Collection(caCerts, sendTrustInHandshake: true));
+        }
+
+        [ConditionalFact(nameof(DoesNotSupportSendingCustomCANamesInTls))]
+        [SkipOnPlatform(TestPlatform.Windows)]
+        public void SslStream_SendCertificateTrust_ThrowsOnUnsupportedPlatform()
+        {
+            (X509Certificate2 certificate, X509Certificate2Collection caCerts) = TestHelper.GenerateCertificates(nameof(SslStream_SendCertificateTrust_CertificateCollection));
+
+            using X509Store store = new X509Store("Root", StoreLocation.LocalMachine);
+
+            Assert.Throws<PlatformNotSupportedException>(() => SslCertificateTrust.CreateForX509Collection(caCerts, sendTrustInHandshake: true));
+            Assert.Throws<PlatformNotSupportedException>(() => SslCertificateTrust.CreateForX509Store(store, sendTrustInHandshake: true));
+        }
     }
 }
diff --git a/src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamEKUTest.cs b/src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamEKUTest.cs
@@ -11,11 +11,12 @@
 
 namespace System.Net.Security.Tests
 {
-    using Configuration =   System.Net.Test.Common.Configuration;
+    using Configuration = System.Net.Test.Common.Configuration;
 
     public class SslStreamEKUTest
     {
         public static bool IsRootCertificateInstalled => Capability.IsTrustedRootCertificateInstalled();
+        public static bool DoesNotSendCAListByDefault => !PlatformDetection.SendsCAListByDefault;
 
         public const int TestTimeoutMilliseconds = 15 * 1000;
 
@@ -134,7 +135,7 @@ public async Task SslStream_ServerEKUClientAuth_Fails()
             }
         }
 
-        [ConditionalFact(nameof(IsRootCertificateInstalled))]
+        [ConditionalFact(nameof(IsRootCertificateInstalled), nameof(DoesNotSendCAListByDefault))]
         public async Task SslStream_SelfSignedClientEKUClientAuth_Ok()
         {
             var serverOptions = new HttpsTestServer.Options();

diff --git a/src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamNetworkStreamTest.cs b/src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamNetworkStreamTest.cs
@@ -275,8 +275,11 @@ public async Task SslStream_NegotiateClientCertificateAsyncNoRenego_Succeeds(boo
                     return sendClientCertificate ? clientCertificate : null;
                 };
 
-                SslServerAuthenticationOptions serverOptions = new SslServerAuthenticationOptions() { ServerCertificate = serverCertificate,
-                                                                                                      AllowRenegotiation = false  };
+                SslServerAuthenticationOptions serverOptions = new SslServerAuthenticationOptions()
+                {
+                    ServerCertificate = serverCertificate,
+                    AllowRenegotiation = false
+                };
                 serverOptions.RemoteCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) =>
                 {
                     if (negotiateClientCertificateCalled && sendClientCertificate)
@@ -353,7 +356,7 @@ await TestConfiguration.WhenAllOrAnyFailedWithTimeout(
                 // Send application data instead of Client hello.
                 await client.WriteAsync(new byte[500], cts.Token);
                 // Fail as it is not allowed to receive non handshake frames during handshake.
-                await Assert.ThrowsAsync<InvalidOperationException>(()=> t);
+                await Assert.ThrowsAsync<InvalidOperationException>(() => t);
             }
         }
 
@@ -404,7 +407,7 @@ await TestConfiguration.WhenAllOrAnyFailedWithTimeout(
                 int read = await server.ReadAsync(buffer, cts.Token);
 
                 // Fail as there are still some undrained data (incomplete incoming TLS frame)
-                await Assert.ThrowsAsync<InvalidOperationException>(()=>
+                await Assert.ThrowsAsync<InvalidOperationException>(() =>
                     server.NegotiateClientCertificateAsync(cts.Token)
                 );
 
@@ -472,17 +475,10 @@ await TestConfiguration.WhenAllOrAnyFailedWithTimeout(
         }
 
         [ConditionalTheory(typeof(PlatformDetection), nameof(PlatformDetection.SupportsTls13))]
-        [ActiveIssue("https://github.com/dotnet/runtime/issues/58927", TestPlatforms.Windows)]
         [InlineData(true)]
         [InlineData(false)]
         public async Task SslStream_NegotiateClientCertificateAsyncTls13_Succeeds(bool sendClientCertificate)
         {
-            if (PlatformDetection.IsWindows10Version22000OrGreater)
-            {
-                // [ActiveIssue("https://github.com/dotnet/runtime/issues/58927")]
-                throw new SkipTestException("Unstable on Windows 11");
-            }
-
             bool negotiateClientCertificateCalled = false;
             using CancellationTokenSource cts = new CancellationTokenSource();
             cts.CancelAfter(TestConfiguration.PassingTestTimeout);
@@ -727,12 +723,11 @@ await TestConfiguration.WhenAllOrAnyFailedWithTimeout(
         [Theory]
         [InlineData(true)]
         [InlineData(false)]
-        [ActiveIssue("https://github.com/dotnet/runtime/issues/46837", TestPlatforms.OSX)]
         public async Task SslStream_UntrustedCaWithCustomCallback_OK(bool usePartialChain)
         {
             int split = Random.Shared.Next(0, certificates.serverChain.Count - 1);
 
-            var clientOptions = new  SslClientAuthenticationOptions() { TargetHost = "localhost" };
+            var clientOptions = new SslClientAuthenticationOptions() { TargetHost = "localhost" };
             clientOptions.RemoteCertificateValidationCallback =
                 (sender, certificate, chain, sslPolicyErrors) =>
                 {
@@ -790,11 +785,10 @@ public async Task SslStream_UntrustedCaWithCustomCallback_OK(bool usePartialChai
         [PlatformSpecific(TestPlatforms.AnyUnix)]
         [InlineData(true)]
         [InlineData(false)]
-        [ActiveIssue("https://github.com/dotnet/runtime/issues/46837", TestPlatforms.OSX)]
         public async Task SslStream_UntrustedCaWithCustomCallback_Throws(bool customCallback)
         {
             string errorMessage;
-            var clientOptions = new  SslClientAuthenticationOptions() { TargetHost = "localhost" };
+            var clientOptions = new SslClientAuthenticationOptions() { TargetHost = "localhost" };
             if (customCallback)
             {
                 clientOptions.RemoteCertificateValidationCallback =
@@ -836,8 +830,7 @@ public async Task SslStream_UntrustedCaWithCustomCallback_Throws(bool customCall
             }
         }
 
-        [ConditionalFact]
-        [ActiveIssue("https://github.com/dotnet/runtime/issues/46837", TestPlatforms.OSX)]
+        [Fact]
         public async Task SslStream_ClientCertificate_SendsChain()
         {
             List<SslStream> streams = new List<SslStream>();
@@ -864,7 +857,7 @@ public async Task SslStream_ClientCertificate_SendsChain()
                 }
             }
 
-            var clientOptions = new  SslClientAuthenticationOptions() { TargetHost = "localhost",  };
+            var clientOptions = new SslClientAuthenticationOptions() { TargetHost = "localhost", };
             clientOptions.RemoteCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) => true;
             clientOptions.LocalCertificateSelectionCallback = (sender, target, certificates, remoteCertificate, issuers) => clientCertificate;
 
@@ -908,7 +901,7 @@ public async Task SslStream_ClientCertificate_SendsChain()
                 c.Dispose();
             }
 
-            foreach (SslStream s in  streams)
+            foreach (SslStream s in streams)
             {
                 s.Dispose();
             }