Description
new X509Certificate2(string) and new X509Certificate2(byte[]) fail under .NET Core 2.0 on macOS if there is more than one certificate in the file being loaded. The following exception is thrown:
```text
Unhandled Exception: Interop+AppleCrypto+AppleCommonCryptoCryptographicException: Unknown format in import.
   at Interop.AppleCrypto.X509ImportCertificate(Byte[] bytes, X509ContentType contentType, SafePasswordHandle importPassword, SafeKeychainHandle keychain, Boolean exportable, SafeSecIdentityHandle& identityHandle)
   at Internal.Cryptography.Pal.CertificatePal.FromBlob(Byte[] rawData, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(String fileName, String password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(String fileName)
   at LoadCertificateFromBytes.Program.Main(String[] args) in /Users/bgrainger/Code/LoadCertificateFromBytes/Program.cs:line 11
```
The same data is accepted without failure on Windows 10 and Ubuntu 14.04 (and just the first certificate in the file is loaded).
A minimal repro is here: https://github.com/bgrainger/LoadCertificateFromBytes/blob/master/Program.cs
This issue arose when trying to load https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem (linked from https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html). On Linux and Windows, the file is loaded without error, but only the first certificate in the file is loaded. On macOS, an exception is thrown.
I'm not sure what the "right" behaviour should be. On the one hand, it's nice that macOS provides some feedback that most of the certificates in the file were ignored. On the other hand, changing Windows/Linux might be a major breaking change. Overall, it would just be nice to have cross-platform consistency.
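The following is an added example, not the reporter's repro and not code from the .NET runtime: a way to load a multi-certificate PEM bundle that behaves identically on Windows, Linux and macOS, regardless of how each platform's native importer treats concatenated certificates. It splits the PEM text into its individual `-----BEGIN CERTIFICATE-----` blocks and constructs each `X509Certificate2` from that block's own DER bytes, so no single constructor call ever sees more than one certificate and none are silently dropped. The sample bundle is constructed in memory from two throwaway self-signed certificates (using `CertificateRequest`, available from .NET Core 2.0); the class and method names are this example's own.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Text.RegularExpressions;

public static class PemBundleLoader
{
    // Matches one PEM-armored certificate; Singleline lets '.' span the base64 line breaks.
    private static readonly Regex CertBlock = new Regex(
        "-----BEGIN CERTIFICATE-----(?<body>.*?)-----END CERTIFICATE-----",
        RegexOptions.Singleline | RegexOptions.Compiled);

    // Returns every certificate in a PEM bundle. Each one is built from its own
    // DER bytes, so the platform PEM importer never sees more than one certificate.
    public static List<X509Certificate2> LoadAll(string pemText)
    {
        var certs = new List<X509Certificate2>();
        foreach (Match m in CertBlock.Matches(pemText))
        {
            // Strip line breaks and stray whitespace before base64-decoding.
            string base64 = Regex.Replace(m.Groups["body"].Value, @"\s+", "");
            byte[] der = Convert.FromBase64String(base64);
            certs.Add(new X509Certificate2(der));
        }
        return certs;
    }

    // Wraps DER bytes in PEM armor; used only to build the constructed sample bundle.
    public static string ToPem(byte[] der)
    {
        var sb = new StringBuilder();
        sb.AppendLine("-----BEGIN CERTIFICATE-----");
        sb.AppendLine(Convert.ToBase64String(der, Base64FormattingOptions.InsertLineBreaks));
        sb.AppendLine("-----END CERTIFICATE-----");
        return sb.ToString();
    }

    // Constructed sample: two self-signed certificates generated in memory and
    // concatenated, the same layout as a combined CA bundle .pem file.
    private static string BuildSampleBundle()
    {
        var bundle = new StringBuilder();
        foreach (string cn in new[] { "CN=Sample Root CA 1", "CN=Sample Root CA 2" })
        {
            using (RSA rsa = RSA.Create())   // 2048-bit by default on .NET Core
            {
                var req = new CertificateRequest(cn, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
                using (X509Certificate2 cert = req.CreateSelfSigned(
                    DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1)))
                {
                    // Export(Cert) yields the public certificate only, as DER.
                    bundle.Append(ToPem(cert.Export(X509ContentType.Cert)));
                }
            }
        }
        return bundle.ToString();
    }

    public static void Main()
    {
        string pem = BuildSampleBundle();

        // Platform-dependent path described in this issue: Windows/Linux keep only the
        // first certificate, macOS throws "Unknown format in import". Left commented
        // out so the sample runs everywhere.
        // var first = new X509Certificate2(Encoding.ASCII.GetBytes(pem));

        List<X509Certificate2> certs = LoadAll(pem);
        Console.WriteLine($"Loaded {certs.Count} certificate(s) from the bundle:");
        foreach (X509Certificate2 cert in certs)
        {
            Console.WriteLine($"  {cert.Subject}  thumbprint={cert.Thumbprint}");
            cert.Dispose();
        }
    }
}
```

Building each certificate from DER sidesteps the divergence entirely: the caller gets all certificates in the file and can decide for itself how to treat a bundle, rather than relying on one platform silently discarding the rest. On .NET 5 and later the same result is available from the framework itself via `X509Certificate2Collection.ImportFromPem` / `ImportFromPemFile`.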