Fix X509Certficate error in .NET10 (#5480)

* Fix X509Certficate issue

* Checking the certificateContentType before calling the methods

* Adding check for PKCS#7 certificate type

* Refactoring the code

* Changing the certificate selection logic in PKCS#7

* Refactoring and supporting more formats of certificates

* Cleaning the common util function to handle only the supported certificate types and rest are handled by the old constructor

* Adding L0 test cases for the new utility function

* Resolving conflicts and code cleanup

* Minor change

Author: surajitshil-03

src/Agent.Listener/ValidationHelper/InstallerVerifier.cs

@@ -111,8 +111,6 @@ public static void VerifyFileSignedByMicrosoft(string filePath, Tracing trace, s
                 CRYPT_PROVIDER_CERT provCert = (CRYPT_PROVIDER_CERT)Marshal.PtrToStructure(pProviderCertificate, typeof(CRYPT_PROVIDER_CERT));
 
                 // Check for our EKU in the certificate
-                // Disable the warning. TODO: Remove this warning suppression after the code is refactored to use X509CertificateLoader instead.
-                #pragma warning disable SYSLIB0057
                 using (X509Certificate2 x509Cert = new X509Certificate2(provCert.pCert))
                 {
                     if (((X509EnhancedKeyUsageExtension)x509Cert.Extensions[EXTENDED_KEY_USAGE]).EnhancedKeyUsages[expectedEKU] == null)
@@ -123,8 +121,6 @@ public static void VerifyFileSignedByMicrosoft(string filePath, Tracing trace, s
 
                     trace.Info(String.Format("Authenticode signature for file {0} is signed with a certificate containing the EKU {1}.", filePath, expectedEKU));
                 }
-                // Re-enable the warning.
-                #pragma warning restore SYSLIB0057
             }
             finally
             {

src/Agent.Plugins/TFCliManager.cs

@@ -2,6 +2,7 @@
 // Licensed under the MIT License.
 
 using Agent.Sdk;
+using Agent.Sdk.Util;
 using System;
 using System.Collections.Generic;
 using System.IO;
@@ -158,18 +159,17 @@ public void SetupProxy(string proxyUrl, string proxyUsername, string proxyPasswo
         }
 
         public void SetupClientCertificate(string clientCert, string clientCertKey, string clientCertArchive, string clientCertPassword)
-        {   // Disable the warning. TODO: Remove this warning suppression after the code is refactored to use X509CertificateLoader instead.
-            #pragma warning disable SYSLIB0057
+        {
             ArgUtil.File(clientCert, nameof(clientCert));
-            X509Certificate2 cert = new X509Certificate2(clientCert);
+
+            // Pass null for password to maintain original behavior (certificate without password)
+            X509Certificate2 cert = CertificateUtil.LoadCertificate(clientCert, password: null);
+
             ExecutionContext.Debug($"Set VstsClientCertificate={cert.Thumbprint} for Tf.exe to support client certificate.");
             AdditionalEnvironmentVariables["VstsClientCertificate"] = cert.Thumbprint;
 
             // Script Tf commands in tasks
             ExecutionContext.SetVariable("VstsClientCertificate", cert.Thumbprint);
-
-            // Re-enable the warning.
-            #pragma warning restore SYSLIB0057
         }
 
         public async Task ShelveAsync(string shelveset, string commentFile, bool move)

src/Agent.Sdk/AgentClientCertificateManager.cs

@@ -2,6 +2,7 @@
 // Licensed under the MIT License.
 
 using System.Security.Cryptography.X509Certificates;
+using Agent.Sdk.Util;
 using Microsoft.VisualStudio.Services.Common;
 
 namespace Agent.Sdk
@@ -35,11 +36,7 @@ public void AddClientCertificate(string clientCertificateArchiveFile, string cli
         {
             if (!string.IsNullOrEmpty(clientCertificateArchiveFile))
             {
-                // Disable the warning. TODO: Remove this warning suppression after the code is refactored to use X509CertificateLoader instead.
-                #pragma warning disable SYSLIB0057
-                _clientCertificates.Add(new X509Certificate2(clientCertificateArchiveFile, clientCertificatePassword));
-                // Re-enable the warning.
-                #pragma warning restore SYSLIB0057
+                _clientCertificates.Add(CertificateUtil.LoadCertificate(clientCertificateArchiveFile, clientCertificatePassword));
             }
         }
     }

src/Agent.Sdk/Util/CertificateUtil.cs

@@ -0,0 +1,60 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+using System.Security.Cryptography.X509Certificates;
+
+namespace Agent.Sdk.Util
+{
+    public static class CertificateUtil
+    {
+        /// <summary>
+        /// Loads an X509Certificate2 from a file, handling different certificate formats.
+        /// Uses X509CertificateLoader for .NET 9+ for Cert and Pkcs12 formats.
+        /// For all other formats, uses the legacy constructor with warning suppression.
+        /// </summary>
+        /// <param name="certificatePath">Path to the certificate file</param>
+        /// <param name="password">Optional password for PKCS#12/PFX files</param>
+        /// <returns>The loaded X509Certificate2</returns>
+        public static X509Certificate2 LoadCertificate(string certificatePath, string password = null)
+        {
+#if NET9_0_OR_GREATER
+            var contentType = X509Certificate2.GetCertContentType(certificatePath);
+            switch (contentType)
+            {
+                case X509ContentType.Cert:
+                    // DER-encoded or PEM-encoded certificate
+                    return X509CertificateLoader.LoadCertificateFromFile(certificatePath);
+
+                case X509ContentType.Pkcs12:
+                    // Note: X509ContentType.Pfx has the same value (3) as Pkcs12 refer: https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509contenttype?view=net-10.0
+                    return X509CertificateLoader.LoadPkcs12FromFile(certificatePath, password);
+
+                default:
+                    // For all other formats (Pkcs7, SerializedCert, SerializedStore, Authenticode, Unknown),
+                    // use the legacy constructor with warning suppression
+#pragma warning disable SYSLIB0057
+                    if (string.IsNullOrEmpty(password))
+                    {
+                        return new X509Certificate2(certificatePath);
+                    }
+                    else
+                    {
+                        return new X509Certificate2(certificatePath, password);
+                    }
+#pragma warning restore SYSLIB0057
+            }
+#else
+            // For .NET 8 and earlier, use the traditional constructor
+            // The constructor automatically handles all certificate types
+            if (string.IsNullOrEmpty(password))
+            {
+                return new X509Certificate2(certificatePath);
+            }
+            else
+            {
+                return new X509Certificate2(certificatePath, password);
+            }
+#endif
+        }
+    }
+}

src/Agent.Worker/Build/TFCommandManager.cs

@@ -1,6 +1,7 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT License.
 
+using Agent.Sdk.Util;
 using Microsoft.VisualStudio.Services.Agent.Util;
 using System;
 using System.Collections.Generic;
@@ -156,18 +157,16 @@ public void SetupProxy(string proxyUrl, string proxyUsername, string proxyPasswo
 
         public void SetupClientCertificate(string clientCert, string clientCertKey, string clientCertArchive, string clientCertPassword)
         {
-            // Disable the warning. TODO: Remove this warning suppression after the code is refactored to use X509CertificateLoader instead.
-            #pragma warning disable SYSLIB0057
             ArgUtil.File(clientCert, nameof(clientCert));
-            X509Certificate2 cert = new X509Certificate2(clientCert);
+
+            // Pass null for password to maintain original behavior (certificate without password)
+            X509Certificate2 cert = CertificateUtil.LoadCertificate(clientCert, password: null);
+
             ExecutionContext.Debug($"Set VstsClientCertificate={cert.Thumbprint} for Tf.exe to support client certificate.");
             AdditionalEnvironmentVariables["VstsClientCertificate"] = cert.Thumbprint;
 
             // Script Tf commands in tasks
             ExecutionContext.SetVariable("VstsClientCertificate", cert.Thumbprint, false, false);
-
-            // Re-enable the warning.
-            #pragma warning restore SYSLIB0057
         }
 
         public async Task ShelveAsync(string shelveset, string commentFile, bool move)

src/Test/L0/Util/CertificateUtilL0.cs

@@ -0,0 +1,210 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+using System;
+using System.IO;
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
+using Agent.Sdk.Util;
+using Xunit;
+
+namespace Microsoft.VisualStudio.Services.Agent.Tests.Util
+{
+    /// <summary>
+    /// Tests for CertificateUtil.LoadCertificate which works on both .NET 8 and .NET 10.
+    /// Tests cover: Cert (DER/PEM) and PFX/PKCS#12 formats.
+    /// </summary>
+    public sealed class CertificateUtilL0 : IDisposable
+    {
+        private readonly string _tempDir;
+
+        public CertificateUtilL0()
+        {
+            _tempDir = Path.Combine(Path.GetTempPath(), $"CertUtilTests_{Guid.NewGuid():N}");
+            Directory.CreateDirectory(_tempDir);
+        }
+
+        public void Dispose()
+        {
+            if (Directory.Exists(_tempDir))
+            {
+                Directory.Delete(_tempDir, recursive: true);
+            }
+        }
+
+        #region PFX/PKCS#12 Tests (X509ContentType.Pkcs12)
+
+        [Fact]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Common")]
+        public void LoadCertificate_Pfx_WithPassword_LoadsSuccessfully()
+        {
+            // Arrange
+            var (expectedThumbprint, pfxPath) = CreatePfxCertificate("test-password");
+
+            // Act
+            using var loadedCert = CertificateUtil.LoadCertificate(pfxPath, "test-password");
+
+            // Assert
+            Assert.NotNull(loadedCert);
+            Assert.Equal(expectedThumbprint, loadedCert.Thumbprint);
+        }
+
+        [Fact]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Common")]
+        public void LoadCertificate_Pfx_WithoutPassword_LoadsSuccessfully()
+        {
+            // Arrange
+            var (expectedThumbprint, pfxPath) = CreatePfxCertificate(password: null);
+
+            // Act
+            using var loadedCert = CertificateUtil.LoadCertificate(pfxPath, password: null);
+
+            // Assert
+            Assert.NotNull(loadedCert);
+            Assert.Equal(expectedThumbprint, loadedCert.Thumbprint);
+        }
+
+        [Fact]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Common")]
+        public void LoadCertificate_Pfx_WrongPassword_ThrowsException()
+        {
+            // Arrange
+            var (_, pfxPath) = CreatePfxCertificate("correct-password");
+
+            // Act & Assert
+            Assert.ThrowsAny<CryptographicException>(() =>
+                CertificateUtil.LoadCertificate(pfxPath, "wrong-password"));
+        }
+
+        [Fact]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Common")]
+        public void LoadCertificate_Pfx_PasswordProtectedButNoPasswordProvided_ThrowsException()
+        {
+            // Arrange
+            var (_, pfxPath) = CreatePfxCertificate("some-password");
+
+            // Act & Assert
+            Assert.ThrowsAny<CryptographicException>(() =>
+                CertificateUtil.LoadCertificate(pfxPath, password: null));
+        }
+
+        #endregion
+
+        #region DER Tests (X509ContentType.Cert)
+
+        [Fact]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Common")]
+        public void LoadCertificate_Der_LoadsSuccessfully()
+        {
+            // Arrange
+            var (expectedThumbprint, derPath) = CreateDerCertificate();
+
+            // Act
+            using var loadedCert = CertificateUtil.LoadCertificate(derPath);
+
+            // Assert
+            Assert.NotNull(loadedCert);
+            Assert.Equal(expectedThumbprint, loadedCert.Thumbprint);
+        }
+
+        #endregion
+
+        #region PEM Tests (X509ContentType.Cert)
+
+        [Fact]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Common")]
+        public void LoadCertificate_Pem_LoadsSuccessfully()
+        {
+            // Arrange
+            var (expectedThumbprint, pemPath) = CreatePemCertificate();
+
+            // Act
+            using var loadedCert = CertificateUtil.LoadCertificate(pemPath);
+
+            // Assert
+            Assert.NotNull(loadedCert);
+            Assert.Equal(expectedThumbprint, loadedCert.Thumbprint);
+        }
+
+        #endregion
+
+        #region Helper Methods
+
+        /// <summary>
+        /// Creates a test PFX/PKCS#12 certificate file (X509ContentType.Pkcs12).
+        /// </summary>
+        private (string thumbprint, string path) CreatePfxCertificate(string password)
+        {
+            using var rsa = RSA.Create(2048);
+            var request = new CertificateRequest(
+                "CN=TestPfxCertificate",
+                rsa,
+                HashAlgorithmName.SHA256,
+                RSASignaturePadding.Pkcs1);
+
+            using var cert = request.CreateSelfSigned(
+                DateTimeOffset.UtcNow.AddMinutes(-5),
+                DateTimeOffset.UtcNow.AddYears(1));
+
+            var pfxPath = Path.Combine(_tempDir, $"test_{Guid.NewGuid():N}.pfx");
+            var pfxBytes = cert.Export(X509ContentType.Pfx, password);
+            File.WriteAllBytes(pfxPath, pfxBytes);
+
+            return (cert.Thumbprint, pfxPath);
+        }
+
+        /// <summary>
+        /// Creates a test DER-encoded certificate file (X509ContentType.Cert).
+        /// </summary>
+        private (string thumbprint, string path) CreateDerCertificate()
+        {
+            using var rsa = RSA.Create(2048);
+            var request = new CertificateRequest(
+                "CN=TestDerCertificate",
+                rsa,
+                HashAlgorithmName.SHA256,
+                RSASignaturePadding.Pkcs1);
+
+            using var cert = request.CreateSelfSigned(
+                DateTimeOffset.UtcNow.AddMinutes(-5),
+                DateTimeOffset.UtcNow.AddYears(1));
+
+            var derPath = Path.Combine(_tempDir, $"test_{Guid.NewGuid():N}.cer");
+            var derBytes = cert.Export(X509ContentType.Cert);
+            File.WriteAllBytes(derPath, derBytes);
+
+            return (cert.Thumbprint, derPath);
+        }
+
+        /// <summary>
+        /// Creates a test PEM-encoded certificate file.
+        /// </summary>
+        private (string thumbprint, string path) CreatePemCertificate()
+        {
+            using var rsa = RSA.Create(2048);
+            var request = new CertificateRequest(
+                "CN=TestPemCertificate",
+                rsa,
+                HashAlgorithmName.SHA256,
+                RSASignaturePadding.Pkcs1);
+
+            using var cert = request.CreateSelfSigned(
+                DateTimeOffset.UtcNow.AddMinutes(-5),
+                DateTimeOffset.UtcNow.AddYears(1));
+
+            var pemPath = Path.Combine(_tempDir, $"test_{Guid.NewGuid():N}.pem");
+            var pemContent = cert.ExportCertificatePem();
+            File.WriteAllText(pemPath, pemContent);
+
+            return (cert.Thumbprint, pemPath);
+        }
+
+        #endregion
+    }
+}