Condition Windows SslCertificateTrust test on Registry value

[rzikm]

Fixes #65515

Sending trusted issuers list on Windows is problematic (depends on registry settings), so there were no tests. This PR conditionally enables existing tests on Windows if the relevant registry setting is set.

[ghost]

Tagging subscribers to this area: @dotnet/ncl, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details

---

Fixes #65515

Author:	rzikm
Assignees:	-
Labels:	area-System.Net.Security
Milestone:	-

[wfurt]

I think Windows7 sends the list by default. e.g. even without registry. There are some test that condition on Windows7 but they really should use this.

[rzikm]

I use different default values depending if we are running on Windows7 or not, so we should be okay here, unless sending cert issuer list can't be disabled on Windows7 using the registry key below.

[wfurt]

Do you know if all tests pass now when SendTrustedIssuerList is set to 1?

[rzikm]

Do you know if all tests pass now when SendTrustedIssuerList is set to 1?

I tried only tests in System.Net.Security, and one of the EKU certificate tests was failing, the cert was filtered out because it did not match any of the issuers. I think it was SslStream_SelfSignedClientEKUClientAuth_Ok.

[rzikm]

I will have to approach it a bit differently, tests fail on Windows7 because it does not support specifying custom trust store

 System.Net.Security.Tests.SslStreamCertificateTrustTest.SslStream_SendCertificateTrust_CertificateStore [FAIL]
      System.Security.Authentication.AuthenticationException : Authentication failed, see inner exception.
      ---- System.ComponentModel.Win32Exception : The function requested is not supported

[wfurt]

I will have to approach it a bit differently, tests fail on Windows7 because it does not support specifying custom trust store

 System.Net.Security.Tests.SslStreamCertificateTrustTest.SslStream_SendCertificateTrust_CertificateStore [FAIL]
      System.Security.Authentication.AuthenticationException : Authentication failed, see inner exception.
      ---- System.ComponentModel.Win32Exception : The function requested is not supported

There are two parts IMHO.
Sending the list impacts client certificate selection. That can be done by default or by changing the registry. It would be nice IMHO if our test don't fail in either case.
The second part is the SendCertificateTrust - It would be nice IMHO to throw PlatformNotSupportedException consitently if given OS/TLS stack cannot do it ... including Windows7.
And have test to verify that guarded by !SupportsSendingCANamesInTls.

[rzikm]

It would be nice IMHO to throw PlatformNotSupportedException consitently if given OS/TLS stack cannot do it ... including Windows7.

Should we also throw on Windows if sending is not enabled using the registry? That way we would have to check registry at runtime, which we are not doing for any feature AFAIK

[wfurt]

LGTM

[rzikm]

@wfurt can you answer my question from #65848 (comment), please?

[rzikm]

/azp run runtime-libraries-coreclr outerloop

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[wfurt]

It would be nice IMHO to throw PlatformNotSupportedException consitently if given OS/TLS stack cannot do it ... including Windows7.

Should we also throw on Windows if sending is not enabled using the registry? That way we would have to check registry at runtime, which we are not doing for any feature AFAIK

I would be in favor to throw in product as well if it is not enabled in registry to make it visible. Would that be any problem for AAD @avparuch? (e.g. do you have code that expect. ti send the list but the the registry is not set?)

[rzikm]

CI failures are #66100

[rzikm]

PR for updating docs: dotnet/dotnet-api-docs#7832