tomeksowi
diff --git a/‎src/libraries/Common/src/System/Security/Cryptography/KdfWorkLimiter.cs‎
Lines changed: 86 additions & 0 deletions b/‎src/libraries/Common/src/System/Security/Cryptography/KdfWorkLimiter.cs‎
Lines changed: 86 additions & 0 deletions
diff --git a/‎src/libraries/Common/src/System/Security/Cryptography/PasswordBasedEncryption.cs‎
Lines changed: 1 addition & 0 deletions b/‎src/libraries/Common/src/System/Security/Cryptography/PasswordBasedEncryption.cs‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/libraries/Common/src/System/Security/Cryptography/Pkcs12Kdf.cs‎
Lines changed: 1 addition & 0 deletions b/‎src/libraries/Common/src/System/Security/Cryptography/Pkcs12Kdf.cs‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/libraries/Common/tests/System/Net/Http/TestHelper.cs‎
Lines changed: 1 addition & 1 deletion b/‎src/libraries/Common/tests/System/Net/Http/TestHelper.cs‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/libraries/Common/tests/System/Security/Cryptography/X509Certificates/RevocationResponder.cs‎
Lines changed: 46 additions & 3 deletions b/‎src/libraries/Common/tests/System/Security/Cryptography/X509Certificates/RevocationResponder.cs‎
Lines changed: 46 additions & 3 deletions
diff --git a/‎src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamStreamToStreamTest.cs‎
Lines changed: 1 addition & 1 deletion b/‎src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamStreamToStreamTest.cs‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/libraries/System.Net.Security/tests/FunctionalTests/TestHelper.cs‎
Lines changed: 1 addition & 1 deletion b/‎src/libraries/System.Net.Security/tests/FunctionalTests/TestHelper.cs‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/libraries/System.Security.Cryptography.Algorithms/src/System.Security.Cryptography.Algorithms.csproj‎
Lines changed: 3 additions & 1 deletion b/‎src/libraries/System.Security.Cryptography.Algorithms/src/System.Security.Cryptography.Algorithms.csproj‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎src/libraries/System.Security.Cryptography.Cng/src/System.Security.Cryptography.Cng.csproj‎
Lines changed: 2 additions & 0 deletions b/‎src/libraries/System.Security.Cryptography.Cng/src/System.Security.Cryptography.Cng.csproj‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎src/libraries/System.Security.Cryptography.Pkcs/src/System.Security.Cryptography.Pkcs.csproj‎
Lines changed: 5 additions & 3 deletions b/‎src/libraries/System.Security.Cryptography.Pkcs/src/System.Security.Cryptography.Pkcs.csproj‎
Lines changed: 5 additions & 3 deletions
@@ -0,0 +1,86 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System.Diagnostics;
+
+namespace System.Security.Cryptography
+{
+    // Places KDF work limits on the current thread.
+    internal static class KdfWorkLimiter
+    {
+        [ThreadStatic]
+        private static State? t_state;
+
+        // Entry point: sets the iteration limit to a new value.
+        internal static void SetIterationLimit(ulong workLimit)
+        {
+            Debug.Assert(t_state == null, "This method is not intended to be called recursively.");
+            State state = new State();
+            state.RemainingAllowedWork = workLimit;
+            t_state = state;
+        }
+
+        internal static bool WasWorkLimitExceeded()
+        {
+            Debug.Assert(t_state != null, "This method should only be called within a protected block.");
+            return t_state.WorkLimitWasExceeded;
+        }
+
+        // Removes any iteration limit on the current thread.
+        internal static void ResetIterationLimit()
+        {
+            t_state = null;
+        }
+
+        // Records that we're about to perform some amount of work.
+        // Overflows if the work count is exceeded.
+        internal static void RecordIterations(int workCount)
+        {
+            RecordIterations((long)workCount);
+        }
+
+        // Records that we're about to perform some amount of work.
+        // Overflows if the work count is exceeded.
+        internal static void RecordIterations(long workCount)
+        {
+            State? state = t_state;
+            if (state == null)
+            {
+                return;
+            }
+
+            bool success = false;
+
+            if (workCount < 0)
+            {
+                throw new CryptographicException();
+            }
+
+            try
+            {
+                if (!state.WorkLimitWasExceeded)
+                {
+                    state.RemainingAllowedWork = checked(state.RemainingAllowedWork - (ulong)workCount);
+                    success = true;
+                }
+            }
+            finally
+            {
+                // If for any reason we failed, mark the thread as "no further work allowed" and
+                // normalize to CryptographicException.
+                if (!success)
+                {
+                    state.RemainingAllowedWork = 0;
+                    state.WorkLimitWasExceeded = true;
+                    throw new CryptographicException();
+                }
+            }
+        }
+
+        private sealed class State
+        {
+            internal ulong RemainingAllowedWork;
+            internal bool WorkLimitWasExceeded;
+        }
+    }
+}
@@ -377,6 +377,7 @@ internal static unsafe int Encrypt(
                         Debug.Assert(pwdTmpBytes!.Length == 0);
                     }
 
+                    KdfWorkLimiter.RecordIterations(iterationCount);
                     using (var pbkdf2 = new Rfc2898DeriveBytes(pwdTmpBytes, salt.ToArray(), iterationCount, prf))
                     {
                         derivedKey = pbkdf2.GetBytes(keySizeBytes);
 
@@ -147,6 +147,7 @@ private static void Derive(
                 I = IRented.AsSpan(0, ILen);
             }
 
+            KdfWorkLimiter.RecordIterations(iterationCount);
             IncrementalHash hash = IncrementalHash.CreateHash(hashAlgorithm);
 
             try
 
@@ -157,7 +157,7 @@ public static X509Certificate2 CreateServerSelfSignedCertificate(string name = "
                 X509Certificate2 cert = req.CreateSelfSigned(start, end);
                 if (PlatformDetection.IsWindows)
                 {
-                    cert = new X509Certificate2(cert.Export(X509ContentType.Pfx));
+                    cert = new X509Certificate2(cert.Export(X509ContentType.Pfx), (string?)null);
                 }
 
                 return cert;
 
@@ -7,6 +7,7 @@
 using System.Threading;
 using System.Threading.Tasks;
 using System.Web;
+using Xunit;
 
 namespace System.Security.Cryptography.X509Certificates.Tests.Common
 {
@@ -29,6 +30,7 @@ private readonly Dictionary<string, CertificateAuthority> _crlPaths
         public string UriPrefix { get; }
 
         public bool RespondEmpty { get; set; }
+        public AiaResponseKind AiaResponseKind { get; set; }
 
         public TimeSpan ResponseDelay { get; set; }
         public DelayedActionsFlag DelayedActions { get; set; }
@@ -181,13 +183,13 @@ private void HandleRequest(HttpListenerContext context, ref bool responded)
                     Thread.Sleep(ResponseDelay);
                 }
 
-                byte[] certData = RespondEmpty ? Array.Empty<byte>() : authority.GetCertData();
+                byte[] certData = RespondEmpty ? Array.Empty<byte>() : GetCertDataForAiaResponseKind(AiaResponseKind, authority);
 
                 responded = true;
                 context.Response.StatusCode = 200;
-                context.Response.ContentType = "application/pkix-cert";
+                context.Response.ContentType = AiaResponseKindToContentType(AiaResponseKind);
                 context.Response.Close(certData, willBlock: true);
-                Trace($"Responded with {certData.Length}-byte certificate from {authority.SubjectName}.");
+                Trace($"Responded with {certData.Length}-byte {AiaResponseKind} from {authority.SubjectName}.");
                 return;
             }
 
@@ -295,6 +297,41 @@ private static HttpListener OpenListener(out string uriPrefix)
             }
         }
 
+        private static string AiaResponseKindToContentType(AiaResponseKind kind)
+        {
+            if (kind == AiaResponseKind.Cert)
+            {
+                return "application/pkix-cert";
+            }
+            else if (kind == AiaResponseKind.Pkcs12)
+            {
+                return "application/x-pkcs12";
+            }
+            else
+            {
+                Assert.True(false, $"Unknown value AiaResponseKind.`{kind}`.");
+                return null;
+            }
+        }
+
+        private static byte[] GetCertDataForAiaResponseKind(AiaResponseKind kind, CertificateAuthority authority)
+        {
+            if (kind == AiaResponseKind.Cert)
+            {
+                return authority.GetCertData();
+            }
+            else if (kind == AiaResponseKind.Pkcs12)
+            {
+                using X509Certificate2 cert = new X509Certificate2(authority.GetCertData());
+                return cert.Export(X509ContentType.Pkcs12);
+            }
+            else
+            {
+                Assert.True(false, $"Unknown value AiaResponseKind.`{kind}`.");
+                return null;
+            }
+        }
+
         private static bool TryGetOcspRequestBytes(HttpListenerRequest request, string prefix, out byte[] requestBytes)
         {
             requestBytes = null;
@@ -425,4 +462,10 @@ public enum DelayedActionsFlag : byte
         Aia = 0b100,
         All = 0b11111111
     }
+
+    public enum AiaResponseKind
+    {
+        Cert = 0,
+        Pkcs12 = 1,
+    }
 }
@@ -63,7 +63,7 @@ public static IEnumerable<object[]> SslStream_StreamToStream_Authentication_Succ
             using (X509Certificate2 clientCert = Configuration.Certificates.GetClientCertificate())
             {
                 yield return new object[] { new X509Certificate2(serverCert), new X509Certificate2(clientCert) };
-                yield return new object[] { new X509Certificate(serverCert.Export(X509ContentType.Pfx)), new X509Certificate(clientCert.Export(X509ContentType.Pfx)) };
+                yield return new object[] { new X509Certificate(serverCert.Export(X509ContentType.Pfx), (string)null, X509KeyStorageFlags.DefaultKeySet), new X509Certificate(clientCert.Export(X509ContentType.Pfx), (string)null, X509KeyStorageFlags.DefaultKeySet) };
             }
         }
 
 
@@ -169,7 +169,7 @@ internal static (X509Certificate2 certificate, X509Certificate2Collection) Gener
             if (PlatformDetection.IsWindows)
             {
                 X509Certificate2 ephemeral = endEntity;
-                endEntity = new X509Certificate2(endEntity.Export(X509ContentType.Pfx));
+                endEntity = new X509Certificate2(endEntity.Export(X509ContentType.Pfx), (string)null, X509KeyStorageFlags.DefaultKeySet);
                 ephemeral.Dispose();
             }
 
 
@@ -1,4 +1,4 @@
-<Project Sdk="Microsoft.NET.Sdk">
+<Project Sdk="Microsoft.NET.Sdk">
   <PropertyGroup>
     <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
     <DefineConstants>$(DefineConstants);INTERNAL_ASYMMETRIC_IMPLEMENTATIONS</DefineConstants>
@@ -132,6 +132,8 @@
              Link="Common\System\Security\Cryptography\KeyFormatHelper.cs" />
     <Compile Include="$(CommonPath)System\Security\Cryptography\KeyFormatHelper.Encrypted.cs"
              Link="Common\System\Security\Cryptography\KeyFormatHelper.Encrypted.cs" />
+    <Compile Include="$(CommonPath)System\Security\Cryptography\KdfWorkLimiter.cs"
+             Link="Common\System\Security\Cryptography\KdfWorkLimiter.cs" />
     <Compile Include="$(CommonPath)System\Security\Cryptography\KeySizeHelpers.cs"
              Link="Common\System\Security\Cryptography\KeySizeHelpers.cs" />
     <Compile Include="$(CommonPath)System\Security\Cryptography\Oids.cs"
 
@@ -212,6 +212,8 @@
              Link="Common\System\Security\Cryptography\KeyFormatHelper.cs" />
     <Compile Include="$(CommonPath)System\Security\Cryptography\KeyFormatHelper.Encrypted.cs"
              Link="Common\System\Security\Cryptography\KeyFormatHelper.Encrypted.cs" />
+    <Compile Include="$(CommonPath)System\Security\Cryptography\KdfWorkLimiter.cs"
+             Link="Common\System\Security\Cryptography\KdfWorkLimiter.cs" />
     <Compile Include="$(CommonPath)System\Security\Cryptography\KeySizeHelpers.cs"
              Link="Common\System\Security\Cryptography\KeySizeHelpers.cs" />
     <Compile Include="$(CommonPath)System\Security\Cryptography\Oids.cs"
 
@@ -7,8 +7,8 @@
     <TargetFrameworks>$(NetCoreAppCurrent)-windows;$(NetCoreAppCurrent);netcoreapp3.1-windows;netcoreapp3.1;netstandard2.1-windows;netstandard2.1;netstandard2.0-windows;netstandard2.0;net461-windows</TargetFrameworks>
     <IsPackable>true</IsPackable>
     <!-- If you enable GeneratePackageOnBuild for this package and bump ServicingVersion, make sure to also bump ServicingVersion in Microsoft.Windows.Compatibility.csproj once for the next release. -->
-    <GeneratePackageOnBuild>false</GeneratePackageOnBuild>
-    <ServicingVersion>2</ServicingVersion>
+    <GeneratePackageOnBuild>true</GeneratePackageOnBuild>
+    <ServicingVersion>3</ServicingVersion>
     <PackageDescription>Provides support for PKCS and CMS algorithms.
 
 Commonly Used Types:
@@ -613,6 +613,8 @@ System.Security.Cryptography.Pkcs.EnvelopedCms</PackageDescription>
       <Link>Common\System\Security\Cryptography\Asn1\Pkcs7\EncryptedDataAsn.xml.cs</Link>
       <DependentUpon>Common\System\Security\Cryptography\Asn1\Pkcs7\EncryptedDataAsn.xml</DependentUpon>
     </Compile>
+    <Compile Include="$(CommonPath)System\Security\Cryptography\KdfWorkLimiter.cs"
+             Link="Common\System\Security\Cryptography\KdfWorkLimiter.cs" />
     <Compile Include="$(CommonPath)System\Security\Cryptography\PasswordBasedEncryption.cs"
              Link="Common\System\Security\Cryptography\PasswordBasedEncryption.cs" />
     <Compile Include="$(CommonPath)System\Security\Cryptography\Pkcs12Kdf.cs"
@@ -650,7 +652,7 @@ System.Security.Cryptography.Pkcs.EnvelopedCms</PackageDescription>
     <ProjectReference Include="$(LibrariesProjectRoot)System.Formats.Asn1\src\System.Formats.Asn1.csproj" />
   </ItemGroup>
   <ItemGroup Condition="$(TargetFramework.StartsWith('netstandard2.0'))">
-    <PackageReference Include="System.Buffers"  Version="$(SystemBuffersVersion)" />
+    <PackageReference Include="System.Buffers" Version="$(SystemBuffersVersion)" />
     <PackageReference Include="System.Memory" Version="$(SystemMemoryVersion)" />
     <!-- S.R.C.Unsafe isn't a primary but transitive dependency and this P2P makes sure that the live version is used. -->
     <ProjectReference Include="$(LibrariesProjectRoot)System.Runtime.CompilerServices.Unsafe\src\System.Runtime.CompilerServices.Unsafe.ilproj" PrivateAssets="all" />
Original file line number	Diff line number	Diff line change
`@@ -377,6 +377,7 @@ internal static unsafe int Encrypt(`
`377`	`377`	`Debug.Assert(pwdTmpBytes!.Length == 0);`
`378`	`378`	`}`
`379`	`379`
	`380`	`+ KdfWorkLimiter.RecordIterations(iterationCount);`
`380`	`381`	`using (var pbkdf2 = new Rfc2898DeriveBytes(pwdTmpBytes, salt.ToArray(), iterationCount, prf))`
`381`	`382`	`{`
`382`	`383`	`derivedKey = pbkdf2.GetBytes(keySizeBytes);`
Original file line number	Diff line number	Diff line change
`@@ -147,6 +147,7 @@ private static void Derive(`
`147`	`147`	`I = IRented.AsSpan(0, ILen);`
`148`	`148`	`}`
`149`	`149`
	`150`	`+ KdfWorkLimiter.RecordIterations(iterationCount);`
`150`	`151`	`IncrementalHash hash = IncrementalHash.CreateHash(hashAlgorithm);`
`151`	`152`
`152`	`153`	`try`
Original file line number	Diff line number	Diff line change
`@@ -157,7 +157,7 @@ public static X509Certificate2 CreateServerSelfSignedCertificate(string name = "`
`157`	`157`	`X509Certificate2 cert = req.CreateSelfSigned(start, end);`
`158`	`158`	`if (PlatformDetection.IsWindows)`
`159`	`159`	`{`
`160`		`- cert = new X509Certificate2(cert.Export(X509ContentType.Pfx));`
	`160`	`+ cert = new X509Certificate2(cert.Export(X509ContentType.Pfx), (string?)null);`
`161`	`161`	`}`
`162`	`162`
`163`	`163`	`return cert;`
Original file line number	Diff line number	Diff line change
`@@ -63,7 +63,7 @@ public static IEnumerable<object[]> SslStream_StreamToStream_Authentication_Succ`
`63`	`63`	`using (X509Certificate2 clientCert = Configuration.Certificates.GetClientCertificate())`
`64`	`64`	`{`
`65`	`65`	`yield return new object[] { new X509Certificate2(serverCert), new X509Certificate2(clientCert) };`
`66`		`- yield return new object[] { new X509Certificate(serverCert.Export(X509ContentType.Pfx)), new X509Certificate(clientCert.Export(X509ContentType.Pfx)) };`
	`66`	`+ yield return new object[] { new X509Certificate(serverCert.Export(X509ContentType.Pfx), (string)null, X509KeyStorageFlags.DefaultKeySet), new X509Certificate(clientCert.Export(X509ContentType.Pfx), (string)null, X509KeyStorageFlags.DefaultKeySet) };`
`67`	`67`	`}`
`68`	`68`	`}`
`69`	`69`
Original file line number	Diff line number	Diff line change
`@@ -169,7 +169,7 @@ internal static (X509Certificate2 certificate, X509Certificate2Collection) Gener`
`169`	`169`	`if (PlatformDetection.IsWindows)`
`170`	`170`	`{`
`171`	`171`	`X509Certificate2 ephemeral = endEntity;`
`172`		`- endEntity = new X509Certificate2(endEntity.Export(X509ContentType.Pfx));`
	`172`	`+ endEntity = new X509Certificate2(endEntity.Export(X509ContentType.Pfx), (string)null, X509KeyStorageFlags.DefaultKeySet);`
`173`	`173`	`ephemeral.Dispose();`
`174`	`174`	`}`
`175`	`175`