< Summary - Kestrun — Combined Coverage

Information

Class:	Kestrun.Certificates.CertificateManager
Assembly:	Kestrun
File(s):	/home/runner/work/Kestrun/Kestrun/src/CSharp/Kestrun/Certificates/CertificateManager.cs
Tag:	Kestrun/Kestrun@2d87023b37eb91155071c91dd3d6a2eeb3004705

Line coverage

71%

Covered lines:	311
Uncovered lines:	124
Coverable lines:	435
Total lines:	1227
Line coverage:	71.4%

Branch coverage

55%

Covered branches:	103
Total branches:	184
Branch coverage:	55.9%

Method coverage

Feature is only available for sponsors

Upgrade to PRO version

Coverage history

Metrics

Method	Branch coverage	Crap Score	Cyclomatic complexity	Line coverage
get_ShouldAppendKeyToPem()	50%	2	2	100%
.ctor(...)	100%	1	1	100%
get_DnsNames()	100%	1	1	100%
get_KeyType()	100%	1	1	100%
get_KeyLength()	100%	1	1	100%
get_Purposes()	100%	1	1	100%
get_ValidDays()	100%	1	1	100%
get_Ephemeral()	100%	1	1	100%
get_Exportable()	100%	1	1	100%
.ctor(...)	100%	1	1	100%
get_DnsNames()	100%	1	1	100%
get_KeyType()	100%	1	1	100%
get_KeyLength()	100%	1	1	100%
get_Country()	100%	1	1	100%
get_Org()	100%	1	1	100%
get_OrgUnit()	100%	1	1	100%
get_CommonName()	100%	1	1	100%
NewSelfSigned(...)	58.33%	12	12	95.23%
NewCertificateRequest(...)	75%	13	12	84.05%
Add()	100%	2	2	100%
Import(...)	83.33%	12	12	88.88%
ValidateImportInputs(...)	100%	8	8	100%
ImportPfx(...)	100%	1	1	100%
ImportDer(...)	100%	1	1	100%
ImportPem(...)	83.33%	6	6	100%
ImportPemUnencrypted(...)	100%	1	1	100%
ImportPemEncrypted(...)	25%	6	4	50%
TryManualEncryptedPemPairing(...)	0%	20	4	0%
ExtractEncryptedPemDer(...)	0%	110	10	0%
TryPairCertificateWithKey(...)	0%	42	6	0%
TryPairWithRsa(...)	0%	20	4	0%
TryPairWithEcdsa(...)	0%	20	4	0%
LoadCertOnlyPem(...)	50%	4	4	85.71%
Import(...)	100%	1	1	100%
Import(...)	100%	1	1	100%
Import(...)	100%	1	1	100%
Export(...)	75%	4	4	88.88%
NormalizeExportPath(...)	35.71%	72	14	33.33%
EnsureOutputDirectoryExists(...)	75%	5	4	60%
.ctor(...)	100%	1	1	100%
get_Secure()	100%	1	1	100%
get_Chars()	100%	1	1	100%
Dispose()	100%	4	4	100%
CreatePasswordShapes(...)	100%	4	4	100%
ExportPfx(...)	100%	1	1	100%
ExportPem(...)	50%	23	10	50%
WritePrivateKey(...)	40%	12	10	71.42%
Export(...)	100%	1	1	100%
Validate(...)	83.33%	13	12	83.33%
IsWithinValidityPeriod(...)	50%	2	2	100%
BuildChainOk(...)	75%	4	4	100%
PurposesOk(...)	100%	6	6	100%
UsesWeakAlgorithms(...)	50%	10	10	100%
GetPurposes(...)	50%	2	2	100%
GenRsaKeyPair(...)	100%	1	1	100%
GenEcKeyPair(...)	33.33%	6	6	84.61%
ToX509Cert2(...)	100%	2	2	65.21%

File(s)

/home/runner/work/Kestrun/Kestrun/src/CSharp/Kestrun/Certificates/CertificateManager.cs

#	Line	Line coverage
	`1`	`using System.Net;`
	`2`	`using System.Security;`
	`3`	`using System.Security.Cryptography;`
	`4`	`using System.Security.Cryptography.X509Certificates;`
	`5`	`using Org.BouncyCastle.Asn1;`
	`6`	`using Org.BouncyCastle.Asn1.Pkcs;`
	`7`	`using Org.BouncyCastle.Asn1.X509;`
	`8`	`using Org.BouncyCastle.Crypto;`
	`9`	`using Org.BouncyCastle.Crypto.Generators;`
	`10`	`using Org.BouncyCastle.Crypto.Operators;`
	`11`	`using Org.BouncyCastle.Crypto.Parameters;`
	`12`	`using Org.BouncyCastle.Crypto.Prng;`
	`13`	`using Org.BouncyCastle.Math;`
	`14`	`using Org.BouncyCastle.OpenSsl;`
	`15`	`using Org.BouncyCastle.Pkcs;`
	`16`	`using Org.BouncyCastle.Security;`
	`17`	`using Org.BouncyCastle.Utilities;`
	`18`	`using Org.BouncyCastle.X509;`
	`19`	`using System.Text;`
	`20`	`using Org.BouncyCastle.Asn1.X9;`
	`21`	`using Serilog;`
	`22`	`using Kestrun.Utilities;`
	`23`
	`24`
	`25`	`namespace Kestrun.Certificates;`
	`26`
	`27`	`/// <summary>`
	`28`	`/// Drop-in replacement for Pode’s certificate helpers, powered by Bouncy Castle.`
	`29`	`/// </summary>`
	`30`	`public static class CertificateManager`
	`31`	`{`
	`32`	`/// <summary>`
	`33`	`/// Controls whether the private key is appended to the certificate PEM file in addition to`
	`34`	`/// writing a separate .key file. Appending was initially added to work around platform`
	`35`	`/// inconsistencies when importing encrypted PEM pairs on some Linux runners. However, having`
	`36`	`/// both a combined (cert+key) file and a separate key file can itself introduce ambiguity in`
	`37`	`/// which API path <see cref="X509Certificate2"/> chooses (single-file vs dual-file), which was`
	`38`	`/// observed to contribute to rare flakiness (private key occasionally not attached after`
	`39`	`/// import). To make behavior deterministic we now disable appending by default and allow it to`
	`40`	`/// be re-enabled explicitly via the environment variable KESTRUN_APPEND_KEY_TO_PEM.`
	`41`	`/// Set KESTRUN_APPEND_KEY_TO_PEM=1 (or "true") to re-enable.`
	`42`	`/// </summary>`
	`43`	`private static bool ShouldAppendKeyToPem =>`
2	`44`	`string.Equals(Environment.GetEnvironmentVariable("KESTRUN_APPEND_KEY_TO_PEM"), "1", StringComparison.OrdinalIgno`
2	`45`	`string.Equals(Environment.GetEnvironmentVariable("KESTRUN_APPEND_KEY_TO_PEM"), "true", StringComparison.OrdinalI`
	`46`	`#region enums / option records`
	`47`	`/// <summary>`
	`48`	`/// Specifies the type of cryptographic key to use for certificate operations.`
	`49`	`/// </summary>`
	`50`	`/// <summary>`
	`51`	`/// Specifies the cryptographic key type.`
	`52`	`/// </summary>`
	`53`	`public enum KeyType`
	`54`	`{`
	`55`	`/// <summary>`
	`56`	`/// RSA key type.`
	`57`	`/// </summary>`
	`58`	`Rsa,`
	`59`	`/// <summary>`
	`60`	`/// ECDSA key type.`
	`61`	`/// </summary>`
	`62`	`Ecdsa`
	`63`	`}`
	`64`
	`65`	`/// <summary>`
	`66`	`/// Specifies the format to use when exporting certificates.`
	`67`	`/// </summary>`
	`68`	`/// <summary>`
	`69`	`/// Specifies the format to use when exporting certificates.`
	`70`	`/// </summary>`
	`71`	`public enum ExportFormat`
	`72`	`{`
	`73`	`/// <summary>`
	`74`	`/// PFX/PKCS#12 format.`
	`75`	`/// </summary>`
	`76`	`Pfx,`
	`77`	`/// <summary>`
	`78`	`/// PEM format.`
	`79`	`/// </summary>`
	`80`	`Pem`
	`81`	`}`
	`82`
	`83`	`/// <summary>`
	`84`	`/// Options for creating a self-signed certificate.`
	`85`	`/// </summary>`
	`86`	`/// <param name="DnsNames">The DNS names to include in the certificate's Subject Alternative Name (SAN) extension.</`
	`87`	`/// <param name="KeyType">The type of cryptographic key to use (RSA or ECDSA).</param>`
	`88`	`/// <param name="KeyLength">The length of the cryptographic key in bits.</param>`
	`89`	`/// <param name="Purposes">The key purposes (Extended Key Usage) for the certificate.</param>`
	`90`	`/// <param name="ValidDays">The number of days the certificate will be valid.</param>`
	`91`	`/// <param name="Ephemeral">If true, the certificate will not be stored in the Windows certificate store.</param>`
	`92`	`/// <param name="Exportable">If true, the private key can be exported from the certificate.</param>`
	`93`	`/// <remarks>`
	`94`	`/// This record is used to specify options for creating a self-signed certificate.`
	`95`	`/// </remarks>`
12	`96`	`public record SelfSignedOptions(`
24	`97`	`IEnumerable<string> DnsNames,`
24	`98`	`KeyType KeyType = KeyType.Rsa,`
12	`99`	`int KeyLength = 2048,`
12	`100`	`IEnumerable<KeyPurposeID>? Purposes = null,`
12	`101`	`int ValidDays = 365,`
12	`102`	`bool Ephemeral = false,`
12	`103`	`bool Exportable = false`
12	`104`	`);`
	`105`
	`106`	`/// <summary>`
	`107`	`/// Options for creating a Certificate Signing Request (CSR).`
	`108`	`/// </summary>`
	`109`	`/// <param name="DnsNames">The DNS names to include in the CSR's Subject Alternative Name (SAN) extension.</param>`
	`110`	`/// <param name="KeyType">The type of cryptographic key to use (RSA or ECDSA).</param>`
	`111`	`/// <param name="KeyLength">The length of the cryptographic key in bits.</param>`
	`112`	`/// <param name="Country">The country code for the subject distinguished name.</param>`
	`113`	`/// <param name="Org">The organization name for the subject distinguished name.</param>`
	`114`	`/// <param name="OrgUnit">The organizational unit for the subject distinguished name.</param>`
	`115`	`/// <param name="CommonName">The common name for the subject distinguished name.</param>`
	`116`	`/// <remarks>`
	`117`	`/// This record is used to specify options for creating a Certificate Signing Request (CSR).`
	`118`	`/// </remarks>`
2	`119`	`public record CsrOptions(`
2	`120`	`IEnumerable<string> DnsNames,`
4	`121`	`KeyType KeyType = KeyType.Rsa,`
2	`122`	`int KeyLength = 2048,`
2	`123`	`string? Country = null,`
2	`124`	`string? Org = null,`
2	`125`	`string? OrgUnit = null,`
4	`126`	`string? CommonName = null);`
	`127`	`#endregion`
	`128`
	`129`	`#region Self-signed certificate`
	`130`	`/// <summary>`
	`131`	`/// Creates a new self-signed X509 certificate using the specified options.`
	`132`	`/// </summary>`
	`133`	`/// <param name="o">Options for creating the self-signed certificate.</param>`
	`134`	`/// <returns>A new self-signed X509Certificate2 instance.</returns>`
	`135`	`public static X509Certificate2 NewSelfSigned(SelfSignedOptions o)`
	`136`	`{`
12	`137`	`var random = new SecureRandom(new CryptoApiRandomGenerator());`
	`138`
	`139`	`// ── 1. Key pair ───────────────────────────────────────────────────────────`
12	`140`	`var keyPair =`
12	`141`	`o.KeyType switch`
12	`142`	`{`
12	`143`	`KeyType.Rsa => GenRsaKeyPair(o.KeyLength, random),`
0	`144`	`KeyType.Ecdsa => GenEcKeyPair(o.KeyLength, random),`
0	`145`	`_ => throw new ArgumentOutOfRangeException()`
12	`146`	`};`
	`147`
	`148`	`// ── 2. Certificate body ───────────────────────────────────────────────────`
12	`149`	`var notBefore = DateTime.UtcNow.AddMinutes(-5);`
12	`150`	`var notAfter = notBefore.AddDays(o.ValidDays);`
12	`151`	`var serial = BigIntegers.CreateRandomInRange(`
12	`152`	`BigInteger.One, BigInteger.ValueOf(long.MaxValue), random);`
	`153`
12	`154`	`var subjectDn = new X509Name($"CN={o.DnsNames.First()}");`
12	`155`	`var gen = new X509V3CertificateGenerator();`
12	`156`	`gen.SetSerialNumber(serial);`
12	`157`	`gen.SetIssuerDN(subjectDn);`
12	`158`	`gen.SetSubjectDN(subjectDn);`
12	`159`	`gen.SetNotBefore(notBefore);`
12	`160`	`gen.SetNotAfter(notAfter);`
12	`161`	`gen.SetPublicKey(keyPair.Public);`
	`162`
	`163`	`// SANs`
12	`164`	`var altNames = o.DnsNames`
23	`165`	`.Select(n => new GeneralName(`
23	`166`	`IPAddress.TryParse(n, out _) ?`
23	`167`	`GeneralName.IPAddress : GeneralName.DnsName, n))`
12	`168`	`.ToArray();`
12	`169`	`gen.AddExtension(X509Extensions.SubjectAlternativeName, false,`
12	`170`	`new DerSequence(altNames));`
	`171`
	`172`	`// EKU`
12	`173`	`var eku = o.Purposes ??`
12	`174`	`[`
12	`175`	`KeyPurposeID.id_kp_serverAuth,`
12	`176`	`KeyPurposeID.id_kp_clientAuth`
12	`177`	`];`
12	`178`	`gen.AddExtension(X509Extensions.ExtendedKeyUsage, false,`
12	`179`	`new ExtendedKeyUsage([.. eku]));`
	`180`
	`181`	`// KeyUsage – allow digitalSignature & keyEncipherment`
12	`182`	`gen.AddExtension(X509Extensions.KeyUsage, true,`
12	`183`	`new KeyUsage(KeyUsage.DigitalSignature \| KeyUsage.KeyEncipherment));`
	`184`
	`185`	`// ── 3. Sign & output ──────────────────────────────────────────────────────`
12	`186`	`var sigAlg = o.KeyType == KeyType.Rsa ? "SHA256WITHRSA" : "SHA384WITHECDSA";`
12	`187`	`var signer = new Asn1SignatureFactory(sigAlg, keyPair.Private, random);`
12	`188`	`var cert = gen.Generate(signer);`
	`189`
12	`190`	`return ToX509Cert2(cert, keyPair.Private,`
12	`191`	`o.Exportable ? X509KeyStorageFlags.Exportable : X509KeyStorageFlags.DefaultKeySet,`
12	`192`	`o.Ephemeral);`
	`193`	`}`
	`194`	`#endregion`
	`195`
	`196`	`#region CSR`
	`197`
	`198`	`/// <summary>`
	`199`	`/// Creates a new Certificate Signing Request (CSR) and returns the PEM-encoded CSR and the private key.`
	`200`	`/// </summary>`
	`201`	`/// <param name="options">The options for the CSR.</param>`
	`202`	`/// <param name="encryptionPassword">The password to encrypt the private key, if desired.</param>`
	`203`	`/// <returns>A <see cref="CsrResult"/> containing the CSR and private key information.</returns>`
	`204`	`/// <exception cref="ArgumentOutOfRangeException"></exception>`
	`205`	`public static CsrResult NewCertificateRequest(CsrOptions options, ReadOnlySpan<char> encryptionPassword = default)`
	`206`	`{`
	`207`	`// 0️⃣ Keypair`
2	`208`	`var random = new SecureRandom(new CryptoApiRandomGenerator());`
2	`209`	`var keyPair = options.KeyType switch`
2	`210`	`{`
1	`211`	`KeyType.Rsa => GenRsaKeyPair(options.KeyLength, random),`
1	`212`	`KeyType.Ecdsa => GenEcKeyPair(options.KeyLength, random),`
0	`213`	`_ => throw new ArgumentOutOfRangeException(nameof(options.KeyType))`
2	`214`	`};`
	`215`
	`216`	`// 1️⃣ Subject DN`
2	`217`	`var order = new List<DerObjectIdentifier>();`
2	`218`	`var attrs = new Dictionary<DerObjectIdentifier, string>();`
	`219`	`void Add(DerObjectIdentifier oid, string? v)`
	`220`	`{`
12	`221`	`if (!string.IsNullOrWhiteSpace(v)) { order.Add(oid); attrs[oid] = v!; }`
8	`222`	`}`
2	`223`	`Add(X509Name.C, options.Country);`
2	`224`	`Add(X509Name.O, options.Org);`
2	`225`	`Add(X509Name.OU, options.OrgUnit);`
2	`226`	`Add(X509Name.CN, options.CommonName ?? options.DnsNames.First());`
2	`227`	`var subject = new X509Name(order, attrs);`
	`228`
	`229`	`// 2️⃣ SAN extension`
2	`230`	`var altNames = options.DnsNames`
3	`231`	`.Select(d => new GeneralName(`
3	`232`	`IPAddress.TryParse(d, out _)`
3	`233`	`? GeneralName.IPAddress`
3	`234`	`: GeneralName.DnsName, d))`
2	`235`	`.ToArray();`
2	`236`	`var sanSeq = new DerSequence(altNames);`
	`237`
2	`238`	`var extGen = new X509ExtensionsGenerator();`
2	`239`	`extGen.AddExtension(X509Extensions.SubjectAlternativeName, false, sanSeq);`
2	`240`	`var extensions = extGen.Generate();`
	`241`
2	`242`	`var extensionRequestAttr = new AttributePkcs(`
2	`243`	`PkcsObjectIdentifiers.Pkcs9AtExtensionRequest,`
2	`244`	`new DerSet(extensions));`
2	`245`	`var attrSet = new DerSet(extensionRequestAttr);`
	`246`
	`247`	`// 3️⃣ CSR`
2	`248`	`var sigAlg = options.KeyType == KeyType.Rsa ? "SHA256WITHRSA" : "SHA384WITHECDSA";`
2	`249`	`var csr = new Pkcs10CertificationRequest(sigAlg, subject, keyPair.Public, attrSet, keyPair.Private);`
	`250`
	`251`	`// 4️⃣ CSR PEM + DER`
	`252`	`string csrPem;`
2	`253`	`using (var sw = new StringWriter())`
	`254`	`{`
2	`255`	`new PemWriter(sw).WriteObject(csr);`
2	`256`	`csrPem = sw.ToString();`
2	`257`	`}`
2	`258`	`var csrDer = csr.GetEncoded();`
	`259`
	`260`	`// 5️⃣ Private key PEM + DER`
	`261`	`string privateKeyPem;`
2	`262`	`using (var sw = new StringWriter())`
	`263`	`{`
2	`264`	`new PemWriter(sw).WriteObject(keyPair.Private);`
2	`265`	`privateKeyPem = sw.ToString();`
2	`266`	`}`
2	`267`	`var pkInfo = PrivateKeyInfoFactory.CreatePrivateKeyInfo(keyPair.Private);`
2	`268`	`var privateKeyDer = pkInfo.GetEncoded();`
	`269`
	`270`	`// 6️⃣ Optional encrypted PEM`
2	`271`	`string? privateKeyPemEncrypted = null;`
2	`272`	`if (!encryptionPassword.IsEmpty)`
	`273`	`{`
0	`274`	`var pwd = encryptionPassword.ToArray(); // BC requires char[]`
	`275`	`try`
	`276`	`{`
0	`277`	`var gen = new Pkcs8Generator(keyPair.Private, Pkcs8Generator.PbeSha1_3DES)`
0	`278`	`{`
0	`279`	`Password = pwd`
0	`280`	`};`
0	`281`	`using var encSw = new StringWriter();`
0	`282`	`new PemWriter(encSw).WriteObject(gen);`
0	`283`	`privateKeyPemEncrypted = encSw.ToString();`
	`284`	`}`
	`285`	`finally`
	`286`	`{`
0	`287`	`Array.Clear(pwd, 0, pwd.Length); // wipe memory`
0	`288`	`}`
	`289`	`}`
	`290`
	`291`	`// 7️⃣ Public key PEM + DER`
2	`292`	`var spki = SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(keyPair.Public);`
2	`293`	`var publicKeyDer = spki.GetEncoded();`
	`294`	`string publicKeyPem;`
2	`295`	`using (var sw = new StringWriter())`
	`296`	`{`
2	`297`	`new PemWriter(sw).WriteObject(spki);`
2	`298`	`publicKeyPem = sw.ToString();`
2	`299`	`}`
	`300`
2	`301`	`return new CsrResult(`
2	`302`	`csrPem,`
2	`303`	`csrDer,`
2	`304`	`keyPair.Private,`
2	`305`	`privateKeyPem,`
2	`306`	`privateKeyDer,`
2	`307`	`privateKeyPemEncrypted,`
2	`308`	`publicKeyPem,`
2	`309`	`publicKeyDer`
2	`310`	`);`
	`311`	`}`
	`312`
	`313`
	`314`	`#endregion`
	`315`
	`316`	`#region Import`
	`317`	`/// <summary>`
	`318`	`/// Imports an X509 certificate from the specified file path, with optional password and private key file.`
	`319`	`/// </summary>`
	`320`	`/// <param name="certPath">The path to the certificate file.</param>`
	`321`	`/// <param name="password">The password for the certificate, if required.</param>`
	`322`	`/// <param name="privateKeyPath">The path to the private key file, if separate.</param>`
	`323`	`/// <param name="flags">Key storage flags for the imported certificate.</param>`
	`324`	`/// <returns>The imported X509Certificate2 instance.</returns>`
	`325`	`public static X509Certificate2 Import(`
	`326`	`string certPath,`
	`327`	`ReadOnlySpan<char> password = default,`
	`328`	`string? privateKeyPath = null,`
	`329`	`X509KeyStorageFlags flags = X509KeyStorageFlags.DefaultKeySet \| X509KeyStorageFlags.Exportable)`
	`330`	`{`
9	`331`	`ValidateImportInputs(certPath, privateKeyPath);`
	`332`
6	`333`	`var ext = Path.GetExtension(certPath).ToLowerInvariant();`
6	`334`	`return ext switch`
6	`335`	`{`
2	`336`	`".pfx" or ".p12" => ImportPfx(certPath, password, flags),`
1	`337`	`".cer" or ".der" => ImportDer(certPath),`
3	`338`	`".pem" or ".crt" => ImportPem(certPath, password, privateKeyPath),`
0	`339`	`_ => throw new NotSupportedException($"Certificate extension '{ext}' is not supported.")`
6	`340`	`};`
	`341`	`}`
	`342`
	`343`	`/// <summary>`
	`344`	`/// Validates the inputs for importing a certificate.`
	`345`	`/// </summary>`
	`346`	`/// <param name="certPath">The path to the certificate file.</param>`
	`347`	`/// <param name="privateKeyPath">The path to the private key file, if separate.</param>`
	`348`	`private static void ValidateImportInputs(string certPath, string? privateKeyPath)`
	`349`	`{`
9	`350`	`if (string.IsNullOrEmpty(certPath))`
	`351`	`{`
1	`352`	`throw new ArgumentException("Certificate path cannot be null or empty.", nameof(certPath));`
	`353`	`}`
8	`354`	`if (!File.Exists(certPath))`
	`355`	`{`
1	`356`	`throw new FileNotFoundException("Certificate file not found.", certPath);`
	`357`	`}`
7	`358`	`if (!string.IsNullOrEmpty(privateKeyPath) && !File.Exists(privateKeyPath))`
	`359`	`{`
1	`360`	`throw new FileNotFoundException("Private key file not found.", privateKeyPath);`
	`361`	`}`
6	`362`	`}`
	`363`
	`364`	`/// <summary>`
	`365`	`/// Imports a PFX certificate from the specified file path.`
	`366`	`/// </summary>`
	`367`	`/// <param name="certPath">The path to the certificate file.</param>`
	`368`	`/// <param name="password">The password for the certificate, if required.</param>`
	`369`	`/// <param name="flags">Key storage flags for the imported certificate.</param>`
	`370`	`/// <returns>The imported X509Certificate2 instance.</returns>`
	`371`	`private static X509Certificate2 ImportPfx(string certPath, ReadOnlySpan<char> password, X509KeyStorageFlags flags)`
	`372`	`#if NET9_0_OR_GREATER`
2	`373`	`=> X509CertificateLoader.LoadPkcs12FromFile(certPath, password, flags, Pkcs12LoaderLimits.Defaults);`
	`374`	`#else`
	`375`	`=> new(File.ReadAllBytes(certPath), password, flags);`
	`376`	`#endif`
	`377`
	`378`	`private static X509Certificate2 ImportDer(string certPath)`
	`379`	`#if NET9_0_OR_GREATER`
1	`380`	`=> X509CertificateLoader.LoadCertificateFromFile(certPath);`
	`381`	`#else`
	`382`	`=> new(File.ReadAllBytes(certPath));`
	`383`	`#endif`
	`384`
	`385`
	`386`	`/// <summary>`
	`387`	`/// Imports a PEM certificate from the specified file path.`
	`388`	`/// </summary>`
	`389`	`/// <param name="certPath">The path to the certificate file.</param>`
	`390`	`/// <param name="password">The password for the certificate, if required.</param>`
	`391`	`/// <param name="privateKeyPath">The path to the private key file, if separate.</param>`
	`392`	`/// <returns>The imported X509Certificate2 instance.</returns>`
	`393`	`private static X509Certificate2 ImportPem(string certPath, ReadOnlySpan<char> password, string? privateKeyPath)`
	`394`	`{`
	`395`	`// No separate key file provided`
3	`396`	`if (string.IsNullOrEmpty(privateKeyPath))`
	`397`	`{`
1	`398`	`return password.IsEmpty`
1	`399`	`? LoadCertOnlyPem(certPath)`
1	`400`	`: X509Certificate2.CreateFromEncryptedPemFile(certPath, password);`
	`401`	`}`
	`402`
	`403`	`// Separate key file provided`
2	`404`	`return password.IsEmpty`
2	`405`	`? ImportPemUnencrypted(certPath, privateKeyPath)`
2	`406`	`: ImportPemEncrypted(certPath, password, privateKeyPath);`
	`407`	`}`
	`408`
	`409`	`/// <summary>`
	`410`	`/// Imports an unencrypted PEM certificate from the specified file path.`
	`411`	`/// </summary>`
	`412`	`/// <param name="certPath">The path to the certificate file.</param>`
	`413`	`/// <param name="privateKeyPath">The path to the private key file.</param>`
	`414`	`/// <returns>The imported X509Certificate2 instance.</returns>`
	`415`	`private static X509Certificate2 ImportPemUnencrypted(string certPath, string privateKeyPath)`
1	`416`	`=> X509Certificate2.CreateFromPemFile(certPath, privateKeyPath);`
	`417`
	`418`	`/// <summary>`
	`419`	`/// Imports a PEM certificate from the specified file path.`
	`420`	`/// </summary>`
	`421`	`/// <param name="certPath">The path to the certificate file.</param>`
	`422`	`/// <param name="password">The password for the certificate, if required.</param>`
	`423`	`/// <param name="privateKeyPath">The path to the private key file, if separate.</param>`
	`424`	`/// <returns>The imported X509Certificate2 instance.</returns>`
	`425`	`private static X509Certificate2 ImportPemEncrypted(string certPath, ReadOnlySpan<char> password, string privateKeyPa`
	`426`	`{`
	`427`	`// Prefer single-file path (combined) first for reliability on some platforms`
	`428`	`try`
	`429`	`{`
1	`430`	`var single = X509Certificate2.CreateFromEncryptedPemFile(certPath, password);`
0	`431`	`if (single.HasPrivateKey)`
	`432`	`{`
0	`433`	`Log.Debug("Imported encrypted PEM using single-file path (combined cert+key) for {CertPath}", certPath);`
0	`434`	`return single;`
	`435`	`}`
0	`436`	`}`
1	`437`	`catch (Exception exSingle)`
	`438`	`{`
1	`439`	`Log.Debug(exSingle, "Single-file encrypted PEM import failed, falling back to separate key file {KeyFile}",`
1	`440`	`}`
	`441`
1	`442`	`var loaded = X509Certificate2.CreateFromEncryptedPemFile(certPath, password, privateKeyPath);`
	`443`
1	`444`	`if (loaded.HasPrivateKey)`
	`445`	`{`
1	`446`	`return loaded;`
	`447`	`}`
	`448`
	`449`	`// Fallback manual pairing if platform failed to associate the key`
0	`450`	`TryManualEncryptedPemPairing(certPath, password, privateKeyPath, ref loaded);`
0	`451`	`return loaded;`
0	`452`	`}`
	`453`
	`454`	`/// <summary>`
	`455`	`/// Tries to manually pair an encrypted PEM certificate with its private key.`
	`456`	`/// </summary>`
	`457`	`/// <param name="certPath">The path to the certificate file.</param>`
	`458`	`/// <param name="password">The password for the certificate, if required.</param>`
	`459`	`/// <param name="privateKeyPath">The path to the private key file, if separate.</param>`
	`460`	`/// <param name="loaded">The loaded X509Certificate2 instance.</param>`
	`461`	`private static void TryManualEncryptedPemPairing(string certPath, ReadOnlySpan<char> password, string privateKeyPath`
	`462`	`{`
	`463`	`try`
	`464`	`{`
0	`465`	`var certOnly = LoadCertOnlyPem(certPath);`
0	`466`	`var encDer = ExtractEncryptedPemDer(privateKeyPath);`
	`467`
0	`468`	`if (encDer is null)`
	`469`	`{`
0	`470`	`Log.Debug("Encrypted PEM manual pairing fallback skipped: markers not found in key file {KeyFile}", priv`
0	`471`	`return;`
	`472`	`}`
	`473`
0	`474`	`var lastErr = TryPairCertificateWithKey(certOnly, password, encDer, ref loaded);`
	`475`
0	`476`	`if (lastErr != null)`
	`477`	`{`
0	`478`	`Log.Debug(lastErr, "Encrypted PEM manual pairing attempts failed (all rounds); returning original loaded`
	`479`	`}`
0	`480`	`}`
0	`481`	`catch (Exception ex)`
	`482`	`{`
0	`483`	`Log.Debug(ex, "Encrypted PEM manual pairing fallback failed unexpectedly; returning original loaded certific`
0	`484`	`}`
0	`485`	`}`
	`486`
	`487`	`/// <summary>`
	`488`	`/// Extracts the encrypted PEM DER bytes from a private key file.`
	`489`	`/// </summary>`
	`490`	`/// <param name="privateKeyPath">The path to the private key file.</param>`
	`491`	`/// <returns>The DER bytes if successful, null otherwise.</returns>`
	`492`	`private static byte[]? ExtractEncryptedPemDer(string privateKeyPath)`
	`493`	`{`
	`494`	`const string encBegin = "-----BEGIN ENCRYPTED PRIVATE KEY-----";`
	`495`	`const string encEnd = "-----END ENCRYPTED PRIVATE KEY-----";`
	`496`
0	`497`	`byte[]? encDer = null;`
0	`498`	`for (var attempt = 0; attempt < 5 && encDer is null; attempt++)`
	`499`	`{`
0	`500`	`var keyPem = File.ReadAllText(privateKeyPath);`
0	`501`	`var start = keyPem.IndexOf(encBegin, StringComparison.Ordinal);`
0	`502`	`var end = keyPem.IndexOf(encEnd, StringComparison.Ordinal);`
0	`503`	`if (start >= 0 && end > start)`
	`504`	`{`
0	`505`	`start += encBegin.Length;`
0	`506`	`var b64 = keyPem[start..end].Replace("\r", "").Replace("\n", "").Trim();`
0	`507`	`try { encDer = Convert.FromBase64String(b64); }`
0	`508`	`catch (FormatException fe)`
	`509`	`{`
0	`510`	`Log.Debug(fe, "Base64 decode failed on attempt {Attempt} reading encrypted key; retrying", attempt +`
0	`511`	`}`
	`512`	`}`
0	`513`	`if (encDer is null)`
	`514`	`{`
0	`515`	`Thread.Sleep(40 * (attempt + 1));`
	`516`	`}`
	`517`	`}`
	`518`
0	`519`	`return encDer;`
	`520`	`}`
	`521`
	`522`	`/// <summary>`
	`523`	`/// Attempts to pair a certificate with an encrypted private key using RSA and ECDSA.`
	`524`	`/// </summary>`
	`525`	`/// <param name="certOnly">The certificate without a private key.</param>`
	`526`	`/// <param name="password">The password for the encrypted key.</param>`
	`527`	`/// <param name="encDer">The encrypted DER bytes.</param>`
	`528`	`/// <param name="loaded">The loaded certificate (updated if pairing succeeds).</param>`
	`529`	`/// <returns>The last exception encountered, or null if pairing succeeded.</returns>`
	`530`	`private static Exception? TryPairCertificateWithKey(X509Certificate2 certOnly, ReadOnlySpan<char> password, byte[] e`
	`531`	`{`
0	`532`	`Exception? lastErr = null;`
0	`533`	`for (var round = 0; round < 2; round++)`
	`534`	`{`
0	`535`	`if (TryPairWithRsa(certOnly, password, encDer, round, ref loaded, ref lastErr))`
	`536`	`{`
0	`537`	`return null;`
	`538`	`}`
	`539`
0	`540`	`if (TryPairWithEcdsa(certOnly, password, encDer, round, ref loaded, ref lastErr))`
	`541`	`{`
0	`542`	`return null;`
	`543`	`}`
	`544`
0	`545`	`Thread.Sleep(25 * (round + 1));`
	`546`	`}`
0	`547`	`return lastErr;`
	`548`	`}`
	`549`
	`550`	`/// <summary>`
	`551`	`/// Tries to pair a certificate with an RSA private key.`
	`552`	`/// </summary>`
	`553`	`/// <param name="certOnly">The certificate without a private key.</param>`
	`554`	`/// <param name="password">The password for the encrypted key.</param>`
	`555`	`/// <param name="encDer">The encrypted DER bytes.</param>`
	`556`	`/// <param name="round">The attempt round number.</param>`
	`557`	`/// <param name="loaded">The loaded certificate (updated if pairing succeeds).</param>`
	`558`	`/// <param name="lastErr">The last exception encountered (updated on failure).</param>`
	`559`	`/// <returns>True if pairing succeeded, false otherwise.</returns>`
	`560`	`private static bool TryPairWithRsa(X509Certificate2 certOnly, ReadOnlySpan<char> password, byte[] encDer, int round,`
	`561`	`{`
	`562`	`try`
	`563`	`{`
0	`564`	`using var rsa = RSA.Create();`
0	`565`	`rsa.ImportEncryptedPkcs8PrivateKey(password, encDer, out _);`
0	`566`	`var withKey = certOnly.CopyWithPrivateKey(rsa);`
0	`567`	`if (withKey.HasPrivateKey)`
	`568`	`{`
0	`569`	`Log.Debug("Encrypted PEM manual pairing succeeded with RSA private key (round {Round}).", round + 1);`
0	`570`	`loaded = withKey;`
0	`571`	`return true;`
	`572`	`}`
0	`573`	`}`
0	`574`	`catch (Exception exRsa)`
	`575`	`{`
0	`576`	`lastErr = lastErr is null ? exRsa : new AggregateException(lastErr, exRsa);`
0	`577`	`}`
0	`578`	`return false;`
0	`579`	`}`
	`580`
	`581`	`/// <summary>`
	`582`	`/// Tries to pair a certificate with an ECDSA private key.`
	`583`	`/// </summary>`
	`584`	`/// <param name="certOnly">The certificate without a private key.</param>`
	`585`	`/// <param name="password">The password for the encrypted key.</param>`
	`586`	`/// <param name="encDer">The encrypted DER bytes.</param>`
	`587`	`/// <param name="round">The attempt round number.</param>`
	`588`	`/// <param name="loaded">The loaded certificate (updated if pairing succeeds).</param>`
	`589`	`/// <param name="lastErr">The last exception encountered (updated on failure).</param>`
	`590`	`/// <returns>True if pairing succeeded, false otherwise.</returns>`
	`591`	`private static bool TryPairWithEcdsa(X509Certificate2 certOnly, ReadOnlySpan<char> password, byte[] encDer, int roun`
	`592`	`{`
	`593`	`try`
	`594`	`{`
0	`595`	`using var ecdsa = ECDsa.Create();`
0	`596`	`ecdsa.ImportEncryptedPkcs8PrivateKey(password, encDer, out _);`
0	`597`	`var withKey = certOnly.CopyWithPrivateKey(ecdsa);`
0	`598`	`if (withKey.HasPrivateKey)`
	`599`	`{`
0	`600`	`Log.Debug("Encrypted PEM manual pairing succeeded with ECDSA private key (round {Round}).", round + 1);`
0	`601`	`loaded = withKey;`
0	`602`	`return true;`
	`603`	`}`
0	`604`	`}`
0	`605`	`catch (Exception exEc)`
	`606`	`{`
0	`607`	`lastErr = lastErr is null ? exEc : new AggregateException(lastErr, exEc);`
0	`608`	`}`
0	`609`	`return false;`
0	`610`	`}`
	`611`
	`612`	`/// <summary>`
	`613`	`/// Loads a certificate from a PEM file that contains only a CERTIFICATE block (no key).`
	`614`	`/// </summary>`
	`615`	`/// <param name="certPath">The path to the certificate file.</param>`
	`616`	`/// <returns>The loaded X509Certificate2 instance.</returns>`
	`617`	`private static X509Certificate2 LoadCertOnlyPem(string certPath)`
	`618`	`{`
	`619`	`// 1) Read + trim the whole PEM text`
1	`620`	`var pem = File.ReadAllText(certPath).Trim();`
	`621`
	`622`	`// 2) Define the BEGIN/END markers`
	`623`	`const string begin = "-----BEGIN CERTIFICATE-----";`
	`624`	`const string end = "-----END CERTIFICATE-----";`
	`625`
	`626`	`// 3) Find their positions`
1	`627`	`var start = pem.IndexOf(begin, StringComparison.Ordinal);`
1	`628`	`if (start < 0)`
	`629`	`{`
0	`630`	`throw new InvalidDataException("BEGIN CERTIFICATE marker not found");`
	`631`	`}`
	`632`
1	`633`	`start += begin.Length;`
	`634`
1	`635`	`var stop = pem.IndexOf(end, start, StringComparison.Ordinal);`
1	`636`	`if (stop < 0)`
	`637`	`{`
0	`638`	`throw new InvalidDataException("END CERTIFICATE marker not found");`
	`639`	`}`
	`640`
	`641`	`// 4) Extract, clean, and decode the Base64 payload`
1	`642`	`var b64 = pem[start..stop]`
1	`643`	`.Replace("\r", "")`
1	`644`	`.Replace("\n", "")`
1	`645`	`.Trim();`
1	`646`	`var der = Convert.FromBase64String(b64);`
	`647`
	`648`	`// 5) Return the X509Certificate2`
	`649`
	`650`	`#if NET9_0_OR_GREATER`
1	`651`	`return X509CertificateLoader.LoadCertificate(der);`
	`652`	`#else`
	`653`	`// .NET 8 or earlier path, using X509Certificate2 ctor`
	`654`	`// Note: this will not work in .NET 9+ due to the new X509CertificateLoader API`
	`655`	`// which requires a byte array or a file path.`
	`656`	`return new X509Certificate2(der);`
	`657`	`#endif`
	`658`	`}`
	`659`
	`660`	`/// <summary>`
	`661`	`/// Imports an X509 certificate from the specified file path, using a SecureString password and optional private key`
	`662`	`/// </summary>`
	`663`	`/// <param name="certPath">The path to the certificate file.</param>`
	`664`	`/// <param name="password">The SecureString password for the certificate, if required.</param>`
	`665`	`/// <param name="privateKeyPath">The path to the private key file, if separate.</param>`
	`666`	`/// <param name="flags">Key storage flags for the imported certificate.</param>`
	`667`	`/// <returns>The imported X509Certificate2 instance.</returns>`
	`668`	`public static X509Certificate2 Import(`
	`669`	`string certPath,`
	`670`	`SecureString password,`
	`671`	`string? privateKeyPath = null,`
	`672`	`X509KeyStorageFlags flags = X509KeyStorageFlags.DefaultKeySet \| X509KeyStorageFlags.Exportable)`
	`673`	`{`
1	`674`	`X509Certificate2? result = null;`
1	`675`	`Log.Debug("Importing certificate from {CertPath} with flags {Flags}", certPath, flags);`
	`676`	`// ToSecureSpan zero-frees its buffer as soon as this callback returns.`
1	`677`	`password.ToSecureSpan(span =>`
1	`678`	`{`
1	`679`	`// capture the return value of the span-based overload`
1	`680`	`result = Import(certPath: certPath, password: span, privateKeyPath: privateKeyPath, flags: flags);`
2	`681`	`});`
	`682`
	`683`	`// at this point, unmanaged memory is already zeroed`
1	`684`	`return result!; // non-null because the callback always runs exactly once`
	`685`	`}`
	`686`
	`687`	`/// <summary>`
	`688`	`/// Imports an X509 certificate from the specified file path, with optional private key file and key storage flags.`
	`689`	`/// </summary>`
	`690`	`/// <param name="certPath">The path to the certificate file.</param>`
	`691`	`/// <param name="privateKeyPath">The path to the private key file, if separate.</param>`
	`692`	`/// <param name="flags">Key storage flags for the imported certificate.</param>`
	`693`	`/// <returns>The imported X509Certificate2 instance.</returns>`
	`694`	`public static X509Certificate2 Import(`
	`695`	`string certPath,`
	`696`	`string? privateKeyPath = null,`
	`697`	`X509KeyStorageFlags flags = X509KeyStorageFlags.DefaultKeySet \| X509KeyStorageFlags.Exportable)`
	`698`	`{`
	`699`	`// ToSecureSpan zero-frees its buffer as soon as this callback returns.`
2	`700`	`ReadOnlySpan<char> passwordSpan = default;`
	`701`	`// capture the return value of the span-based overload`
2	`702`	`var result = Import(certPath: certPath, password: passwordSpan, privateKeyPath: privateKeyPath, flags: flags);`
1	`703`	`return result!;`
	`704`	`}`
	`705`
	`706`	`/// <summary>`
	`707`	`/// Imports an X509 certificate from the specified file path.`
	`708`	`/// </summary>`
	`709`	`/// <param name="certPath">The path to the certificate file.</param>`
	`710`	`/// <returns>The imported X509Certificate2 instance.</returns>`
	`711`	`public static X509Certificate2 Import(string certPath)`
	`712`	`{`
	`713`	`// ToSecureSpan zero-frees its buffer as soon as this callback returns.`
4	`714`	`ReadOnlySpan<char> passwordSpan = default;`
	`715`	`// capture the return value of the span-based overload`
4	`716`	`var result = Import(certPath: certPath, password: passwordSpan);`
2	`717`	`return result!;`
	`718`	`}`
	`719`
	`720`
	`721`
	`722`	`#endregion`
	`723`
	`724`	`#region Export`
	`725`	`/// <summary>`
	`726`	`/// Exports the specified X509 certificate to a file in the given format, with optional password and private key inc`
	`727`	`/// </summary>`
	`728`	`/// <param name="cert">The X509Certificate2 to export.</param>`
	`729`	`/// <param name="filePath">The file path to export the certificate to.</param>`
	`730`	`/// <param name="fmt">The export format (Pfx or Pem).</param>`
	`731`	`/// <param name="password">The password to protect the exported certificate or private key, if applicable.</param>`
	`732`	`/// <param name="includePrivateKey">Whether to include the private key in the export.</param>`
	`733`	`public static void Export(X509Certificate2 cert, string filePath, ExportFormat fmt,`
	`734`	`ReadOnlySpan<char> password = default, bool includePrivateKey = false)`
	`735`	`{`
	`736`	`// Normalize/validate target path and format`
4	`737`	`filePath = NormalizeExportPath(filePath, fmt);`
	`738`
	`739`	`// Ensure output directory exists`
4	`740`	`EnsureOutputDirectoryExists(filePath);`
	`741`
	`742`	`// Prepare password shapes once`
4	`743`	`using var shapes = CreatePasswordShapes(password);`
	`744`
	`745`	`switch (fmt)`
	`746`	`{`
	`747`	`case ExportFormat.Pfx:`
2	`748`	`ExportPfx(cert, filePath, shapes.Secure);`
2	`749`	`break;`
	`750`	`case ExportFormat.Pem:`
2	`751`	`ExportPem(cert, filePath, password, includePrivateKey);`
2	`752`	`break;`
	`753`	`default:`
0	`754`	`throw new NotSupportedException($"Unsupported export format: {fmt}");`
	`755`	`}`
4	`756`	`}`
	`757`
	`758`	`/// <summary>`
	`759`	`/// Normalizes the export file path based on the desired export format.`
	`760`	`/// </summary>`
	`761`	`/// <param name="filePath">The original file path.</param>`
	`762`	`/// <param name="fmt">The desired export format.</param>`
	`763`	`/// <returns>The normalized file path.</returns>`
	`764`	`private static string NormalizeExportPath(string filePath, ExportFormat fmt)`
	`765`	`{`
4	`766`	`var fileExtension = Path.GetExtension(filePath).ToLowerInvariant();`
	`767`	`switch (fileExtension)`
	`768`	`{`
	`769`	`case ".pfx":`
2	`770`	`if (fmt != ExportFormat.Pfx)`
	`771`	`{`
0	`772`	`throw new NotSupportedException(`
0	`773`	`$"File extension '{fileExtension}' for '{filePath}' is not supported for PFX certificates.")`
	`774`	`}`
	`775`
	`776`	`break;`
	`777`	`case ".pem":`
2	`778`	`if (fmt != ExportFormat.Pem)`
	`779`	`{`
0	`780`	`throw new NotSupportedException(`
0	`781`	`$"File extension '{fileExtension}' for '{filePath}' is not supported for PEM certificates.")`
	`782`	`}`
	`783`
	`784`	`break;`
	`785`	`case "":`
	`786`	`// no extension, use the format as the extension`
0	`787`	`filePath += fmt == ExportFormat.Pfx ? ".pfx" : ".pem";`
0	`788`	`break;`
	`789`	`default:`
0	`790`	`throw new NotSupportedException(`
0	`791`	`$"File extension '{fileExtension}' for '{filePath}' is not supported. Use .pfx or .pem.");`
	`792`	`}`
4	`793`	`return filePath;`
	`794`	`}`
	`795`
	`796`	`/// <summary>`
	`797`	`/// Ensures the output directory exists for the specified file path.`
	`798`	`/// </summary>`
	`799`	`/// <param name="filePath">The file path to check.</param>`
	`800`	`private static void EnsureOutputDirectoryExists(string filePath)`
	`801`	`{`
4	`802`	`var dir = Path.GetDirectoryName(filePath);`
4	`803`	`if (!string.IsNullOrEmpty(dir) && !Directory.Exists(dir))`
	`804`	`{`
0	`805`	`throw new DirectoryNotFoundException(`
0	`806`	`$"Directory '{dir}' does not exist. Cannot export certificate to {filePath}.");`
	`807`	`}`
4	`808`	`}`
	`809`
	`810`	`/// <summary>`
	`811`	`/// Represents the password shapes used for exporting certificates.`
	`812`	`/// </summary>`
4	`813`	`private sealed class PasswordShapes(SecureString? secure, char[]? chars) : IDisposable`
	`814`	`{`
10	`815`	`public SecureString? Secure { get; } = secure;`
14	`816`	`public char[]? Chars { get; } = chars;`
	`817`
	`818`	`public void Dispose()`
	`819`	`{`
	`820`	`try`
	`821`	`{`
4	`822`	`Secure?.Dispose();`
3	`823`	`}`
	`824`	`finally`
	`825`	`{`
4	`826`	`if (Chars is not null)`
	`827`	`{`
3	`828`	`Array.Clear(Chars, 0, Chars.Length);`
	`829`	`}`
4	`830`	`}`
4	`831`	`}`
	`832`	`}`
	`833`
	`834`	`/// <summary>`
	`835`	`/// Creates password shapes from the provided password span.`
	`836`	`/// </summary>`
	`837`	`/// <param name="password">The password span.</param>`
	`838`	`/// <returns>The created password shapes.</returns>`
	`839`	`private static PasswordShapes CreatePasswordShapes(ReadOnlySpan<char> password)`
	`840`	`{`
4	`841`	`var secure = password.IsEmpty ? null : SecureStringUtils.ToSecureString(password);`
4	`842`	`var chars = password.IsEmpty ? null : password.ToArray();`
4	`843`	`return new PasswordShapes(secure, chars);`
	`844`	`}`
	`845`
	`846`	`/// <summary>`
	`847`	`/// Exports the specified X509 certificate to a file in the given format.`
	`848`	`/// </summary>`
	`849`	`/// <param name="cert">The X509Certificate2 to export.</param>`
	`850`	`/// <param name="filePath">The file path to export the certificate to.</param>`
	`851`	`/// <param name="password">The SecureString password to protect the exported certificate.</param>`
	`852`	`private static void ExportPfx(X509Certificate2 cert, string filePath, SecureString? password)`
	`853`	`{`
2	`854`	`var pfx = cert.Export(X509ContentType.Pfx, password);`
2	`855`	`File.WriteAllBytes(filePath, pfx);`
2	`856`	`}`
	`857`
	`858`	`/// <summary>`
	`859`	`/// Exports the specified X509 certificate to a file in the given format.`
	`860`	`/// </summary>`
	`861`	`/// <param name="cert">The X509Certificate2 to export.</param>`
	`862`	`/// <param name="filePath">The file path to export the certificate to.</param>`
	`863`	`/// <param name="password">The SecureString password to protect the exported certificate.</param>`
	`864`	`/// <param name="includePrivateKey">Whether to include the private key in the export.</param>`
	`865`	`private static void ExportPem(X509Certificate2 cert, string filePath, ReadOnlySpan<char> password, bool includePriva`
	`866`	`{`
	`867`	`// Write certificate first, then dispose writer before optional key append to avoid file locks on Windows`
2	`868`	`using (var sw = new StreamWriter(filePath, false, Encoding.ASCII))`
	`869`	`{`
2	`870`	`new PemWriter(sw).WriteObject(DotNetUtilities.FromX509Certificate(cert));`
2	`871`	`}`
	`872`
2	`873`	`if (includePrivateKey)`
	`874`	`{`
1	`875`	`WritePrivateKey(cert, password, filePath);`
	`876`	`// Fallback safeguard: if append was requested but key block missing, try again`
	`877`	`try`
	`878`	`{`
1	`879`	`if (ShouldAppendKeyToPem && !File.ReadAllText(filePath).Contains("PRIVATE KEY", StringComparison.Ordinal`
	`880`	`{`
0	`881`	`var baseName = Path.GetFileNameWithoutExtension(filePath);`
0	`882`	`var dir = Path.GetDirectoryName(filePath);`
0	`883`	`var keyFile = string.IsNullOrEmpty(dir) ? baseName + ".key" : Path.Combine(dir!, baseName + ".key");`
0	`884`	`if (File.Exists(keyFile))`
	`885`	`{`
0	`886`	`File.AppendAllText(filePath, Environment.NewLine + File.ReadAllText(keyFile));`
	`887`	`}`
	`888`	`}`
1	`889`	`}`
0	`890`	`catch (Exception ex)`
	`891`	`{`
0	`892`	`Log.Debug(ex, "Fallback attempt to append private key to PEM failed");`
0	`893`	`}`
	`894`	`}`
2	`895`	`}`
	`896`
	`897`	`/// <summary>`
	`898`	`/// Writes the private key of the specified X509 certificate to a file.`
	`899`	`/// </summary>`
	`900`	`/// <param name="cert">The X509Certificate2 to export.</param>`
	`901`	`/// <param name="password">The SecureString password to protect the exported private key.</param>`
	`902`	`/// <param name="certFilePath">The file path to export the certificate to.</param>`
	`903`	`private static void WritePrivateKey(X509Certificate2 cert, ReadOnlySpan<char> password, string certFilePath)`
	`904`	`{`
	`905`	`byte[] keyDer;`
	`906`	`string pemLabel;`
1	`907`	`if (password.IsEmpty)`
	`908`	`{`
	`909`	`// unencrypted PKCS#8`
0	`910`	`keyDer = cert.GetRSAPrivateKey() is RSA rsa`
0	`911`	`? rsa.ExportPkcs8PrivateKey()`
0	`912`	`: cert.GetECDsaPrivateKey()!.ExportPkcs8PrivateKey();`
0	`913`	`pemLabel = "PRIVATE KEY";`
	`914`	`}`
	`915`	`else`
	`916`	`{`
	`917`	`// encrypted PKCS#8`
1	`918`	`var pbe = new PbeParameters(`
1	`919`	`PbeEncryptionAlgorithm.Aes256Cbc,`
1	`920`	`HashAlgorithmName.SHA256,`
1	`921`	`100_000`
1	`922`	`);`
	`923`
1	`924`	`keyDer = cert.GetRSAPrivateKey() is RSA rsaEnc`
1	`925`	`? rsaEnc.ExportEncryptedPkcs8PrivateKey(password, pbe)`
1	`926`	`: cert.GetECDsaPrivateKey()!.ExportEncryptedPkcs8PrivateKey(password, pbe);`
1	`927`	`pemLabel = "ENCRYPTED PRIVATE KEY";`
	`928`	`}`
	`929`
1	`930`	`var keyPem = PemEncoding.WriteString(pemLabel, keyDer);`
1	`931`	`var certDir = Path.GetDirectoryName(certFilePath);`
1	`932`	`var baseName = Path.GetFileNameWithoutExtension(certFilePath);`
1	`933`	`var keyFilePath = string.IsNullOrEmpty(certDir)`
1	`934`	`? baseName + ".key"`
1	`935`	`: Path.Combine(certDir!, baseName + ".key");`
1	`936`	`File.WriteAllText(keyFilePath, keyPem);`
	`937`
	`938`	`try`
	`939`	`{`
1	`940`	`if (ShouldAppendKeyToPem)`
	`941`	`{`
	`942`	`// Optional: append the key to the main certificate PEM when explicitly enabled.`
0	`943`	`File.AppendAllText(certFilePath, Environment.NewLine + keyPem);`
	`944`	`}`
1	`945`	`}`
0	`946`	`catch (Exception ex)`
	`947`	`{`
0	`948`	`Log.Debug(ex, "Failed to append private key to certificate PEM file {CertFilePath}; continuing with separate`
0	`949`	`}`
1	`950`	`}`
	`951`
	`952`	`/// <summary>`
	`953`	`/// Exports the specified X509 certificate to a file in the given format, using a SecureString password and optional`
	`954`	`/// </summary>`
	`955`	`/// <param name="cert">The X509Certificate2 to export.</param>`
	`956`	`/// <param name="filePath">The file path to export the certificate to.</param>`
	`957`	`/// <param name="fmt">The export format (Pfx or Pem).</param>`
	`958`	`/// <param name="password">The SecureString password to protect the exported certificate or private key, if applicab`
	`959`	`/// <param name="includePrivateKey">Whether to include the private key in the export.</param>`
	`960`	`public static void Export(`
	`961`	`X509Certificate2 cert,`
	`962`	`string filePath,`
	`963`	`ExportFormat fmt,`
	`964`	`SecureString password,`
	`965`	`bool includePrivateKey = false)`
	`966`	`{`
1	`967`	`password.ToSecureSpan(span =>`
1	`968`	`Export(cert, filePath, fmt, span, includePrivateKey)`
1	`969`	`// this will run your span‐based implementation,`
1	`970`	`// then immediately zero & free the unmanaged buffer`
1	`971`	`);`
1	`972`	`}`
	`973`
	`974`	`#endregion`
	`975`
	`976`	`#region Validation helpers (Test-PodeCertificate equivalent)`
	`977`	`/// <summary>`
	`978`	`/// Validates the specified X509 certificate according to the provided options.`
	`979`	`/// </summary>`
	`980`	`/// <param name="cert">The X509Certificate2 to validate.</param>`
	`981`	`/// <param name="checkRevocation">Whether to check certificate revocation status.</param>`
	`982`	`/// <param name="allowWeakAlgorithms">Whether to allow weak algorithms such as SHA-1 or small key sizes.</param>`
	`983`	`/// <param name="denySelfSigned">Whether to deny self-signed certificates.</param>`
	`984`	`/// <param name="expectedPurpose">A collection of expected key purposes (EKU) for the certificate.</param>`
	`985`	`/// <param name="strictPurpose">If true, the certificate must match the expected purposes exactly.</param>`
	`986`	`/// <returns>True if the certificate is valid according to the specified options; otherwise, false.</returns>`
	`987`	`public static bool Validate(`
	`988`	`X509Certificate2 cert,`
	`989`	`bool checkRevocation = false,`
	`990`	`bool allowWeakAlgorithms = false,`
	`991`	`bool denySelfSigned = false,`
	`992`	`OidCollection? expectedPurpose = null,`
	`993`	`bool strictPurpose = false)`
	`994`	`{`
	`995`	`// 1) Validity period`
7	`996`	`if (!IsWithinValidityPeriod(cert))`
	`997`	`{`
0	`998`	`return false;`
	`999`	`}`
	`1000`
	`1001`	`// 2) Self-signed policy`
7	`1002`	`var isSelfSigned = cert.Subject == cert.Issuer;`
7	`1003`	`if (denySelfSigned && isSelfSigned)`
	`1004`	`{`
1	`1005`	`return false;`
	`1006`	`}`
	`1007`
	`1008`	`// 3) Chain build (with optional revocation)`
6	`1009`	`if (!BuildChainOk(cert, checkRevocation, isSelfSigned))`
	`1010`	`{`
0	`1011`	`return false;`
	`1012`	`}`
	`1013`
	`1014`	`// 4) EKU / purposes`
6	`1015`	`if (!PurposesOk(cert, expectedPurpose, strictPurpose))`
	`1016`	`{`
1	`1017`	`return false;`
	`1018`	`}`
	`1019`
	`1020`	`// 5) Weak algorithms`
5	`1021`	`if (!allowWeakAlgorithms && UsesWeakAlgorithms(cert))`
	`1022`	`{`
1	`1023`	`return false;`
	`1024`	`}`
	`1025`
4	`1026`	`return true; // ✅ everything passed`
	`1027`	`}`
	`1028`
	`1029`	`/// <summary>`
	`1030`	`/// Checks if the certificate is within its validity period.`
	`1031`	`/// </summary>`
	`1032`	`/// <param name="cert">The X509Certificate2 to check.</param>`
	`1033`	`/// <returns>True if the certificate is within its validity period; otherwise, false.</returns>`
	`1034`	`private static bool IsWithinValidityPeriod(X509Certificate2 cert)`
7	`1035`	`=> DateTime.UtcNow >= cert.NotBefore && DateTime.UtcNow <= cert.NotAfter;`
	`1036`
	`1037`	`/// <summary>`
	`1038`	`/// Checks if the certificate chain is valid.`
	`1039`	`/// </summary>`
	`1040`	`/// <param name="cert">The X509Certificate2 to check.</param>`
	`1041`	`/// <param name="checkRevocation">Whether to check certificate revocation status.</param>`
	`1042`	`/// <param name="isSelfSigned">Whether the certificate is self-signed.</param>`
	`1043`	`/// <returns>True if the certificate chain is valid; otherwise, false.</returns>`
	`1044`	`private static bool BuildChainOk(X509Certificate2 cert, bool checkRevocation, bool isSelfSigned)`
	`1045`	`{`
6	`1046`	`using var chain = new X509Chain();`
6	`1047`	`chain.ChainPolicy.RevocationMode = checkRevocation ? X509RevocationMode.Online : X509RevocationMode.NoCheck;`
6	`1048`	`chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EndCertificateOnly;`
6	`1049`	`chain.ChainPolicy.DisableCertificateDownloads = !checkRevocation;`
	`1050`
6	`1051`	`if (isSelfSigned)`
	`1052`	`{`
6	`1053`	`chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;`
	`1054`	`}`
	`1055`
6	`1056`	`return chain.Build(cert);`
6	`1057`	`}`
	`1058`
	`1059`	`/// <summary>`
	`1060`	`/// Checks if the certificate has the expected key purposes (EKU).`
	`1061`	`/// </summary>`
	`1062`	`/// <param name="cert">The X509Certificate2 to check.</param>`
	`1063`	`/// <param name="expectedPurpose">A collection of expected key purposes (EKU) for the certificate.</param>`
	`1064`	`/// <param name="strictPurpose">If true, the certificate must match the expected purposes exactly.</param>`
	`1065`	`/// <returns>True if the certificate has the expected purposes; otherwise, false.</returns>`
	`1066`	`private static bool PurposesOk(X509Certificate2 cert, OidCollection? expectedPurpose, bool strictPurpose)`
	`1067`	`{`
6	`1068`	`if (expectedPurpose is not { Count: > 0 })`
	`1069`	`{`
3	`1070`	`return true; // nothing to check`
	`1071`	`}`
	`1072`
3	`1073`	`var eku = cert.Extensions`
3	`1074`	`.OfType<X509EnhancedKeyUsageExtension>()`
3	`1075`	`.SelectMany(e => e.EnhancedKeyUsages.Cast<Oid>())`
6	`1076`	`.Select(o => o.Value)`
3	`1077`	`.ToHashSet();`
	`1078`
3	`1079`	`var wanted = expectedPurpose.Cast<Oid>()`
4	`1080`	`.Select(o => o.Value)`
3	`1081`	`.ToHashSet();`
	`1082`
3	`1083`	`return strictPurpose ? eku.SetEquals(wanted) : wanted.All(eku.Contains);`
	`1084`	`}`
	`1085`
	`1086`	`/// <summary>`
	`1087`	`/// Checks if the certificate uses weak algorithms.`
	`1088`	`/// </summary>`
	`1089`	`/// <param name="cert">The X509Certificate2 to check.</param>`
	`1090`	`/// <returns>True if the certificate uses weak algorithms; otherwise, false.</returns>`
	`1091`	`private static bool UsesWeakAlgorithms(X509Certificate2 cert)`
	`1092`	`{`
4	`1093`	`var isSha1 = cert.SignatureAlgorithm?.FriendlyName?`
4	`1094`	`.Contains("sha1", StringComparison.OrdinalIgnoreCase) == true;`
	`1095`
4	`1096`	`var weakRsa = cert.GetRSAPublicKey() is { KeySize: < 2048 };`
4	`1097`	`var weakDsa = cert.GetDSAPublicKey() is { KeySize: < 2048 };`
4	`1098`	`var weakEcdsa = cert.GetECDsaPublicKey() is { KeySize: < 256 }; // P-256 minimum`
	`1099`
4	`1100`	`return isSha1 \|\| weakRsa \|\| weakDsa \|\| weakEcdsa;`
	`1101`	`}`
	`1102`
	`1103`
	`1104`	`/// <summary>`
	`1105`	`/// Gets the enhanced key usage purposes (EKU) from the specified X509 certificate.`
	`1106`	`/// </summary>`
	`1107`	`/// <param name="cert">The X509Certificate2 to extract purposes from.</param>`
	`1108`	`/// <returns>An enumerable of purpose names or OID values.</returns>`
	`1109`	`public static IEnumerable<string> GetPurposes(X509Certificate2 cert) =>`
1	`1110`	`cert.Extensions`
1	`1111`	`.OfType<X509EnhancedKeyUsageExtension>()`
1	`1112`	`.SelectMany(x => x.EnhancedKeyUsages.Cast<Oid>())`
2	`1113`	`.Select(o => (o.FriendlyName ?? o.Value)!) // ← null-forgiving`
3	`1114`	`.Where(s => s.Length > 0); // optional: drop empties`
	`1115`	`#endregion`
	`1116`
	`1117`	`#region private helpers`
	`1118`	`private static AsymmetricCipherKeyPair GenRsaKeyPair(int bits, SecureRandom rng)`
	`1119`	`{`
13	`1120`	`var gen = new RsaKeyPairGenerator();`
13	`1121`	`gen.Init(new KeyGenerationParameters(rng, bits));`
13	`1122`	`return gen.GenerateKeyPair();`
	`1123`	`}`
	`1124`
	`1125`	`/// <summary>`
	`1126`	`/// Generates an EC key pair.`
	`1127`	`/// </summary>`
	`1128`	`/// <param name="bits">The key size in bits.</param>`
	`1129`	`/// <param name="rng">The secure random number generator.</param>`
	`1130`	`/// <returns>The generated EC key pair.</returns>`
	`1131`	`private static AsymmetricCipherKeyPair GenEcKeyPair(int bits, SecureRandom rng)`
	`1132`	`{`
	`1133`	`// NIST-style names are fine here`
1	`1134`	`var name = bits switch`
1	`1135`	`{`
1	`1136`	`<= 256 => "P-256",`
0	`1137`	`<= 384 => "P-384",`
0	`1138`	`_ => "P-521"`
1	`1139`	`};`
	`1140`
	`1141`	`// ECNamedCurveTable knows about SEC and NIST names`
1	`1142`	`var ecParams = ECNamedCurveTable.GetByName(name)`
1	`1143`	`?? throw new InvalidOperationException($"Curve not found: {name}");`
	`1144`
1	`1145`	`var domain = new ECDomainParameters(`
1	`1146`	`ecParams.Curve, ecParams.G, ecParams.N, ecParams.H, ecParams.GetSeed());`
	`1147`
1	`1148`	`var gen = new ECKeyPairGenerator();`
1	`1149`	`gen.Init(new ECKeyGenerationParameters(domain, rng));`
1	`1150`	`return gen.GenerateKeyPair();`
	`1151`	`}`
	`1152`
	`1153`	`/// <summary>`
	`1154`	`/// Converts a BouncyCastle X509Certificate to a .NET X509Certificate2.`
	`1155`	`/// </summary>`
	`1156`	`/// <param name="cert">The BouncyCastle X509Certificate to convert.</param>`
	`1157`	`/// <param name="privKey">The private key associated with the certificate.</param>`
	`1158`	`/// <param name="flags">The key storage flags to use.</param>`
	`1159`	`/// <param name="ephemeral">Whether the key is ephemeral.</param>`
	`1160`	`/// <returns></returns>`
	`1161`	`private static X509Certificate2 ToX509Cert2(`
	`1162`	`Org.BouncyCastle.X509.X509Certificate cert,`
	`1163`	`AsymmetricKeyParameter privKey,`
	`1164`	`X509KeyStorageFlags flags,`
	`1165`	`bool ephemeral)`
	`1166`	`{`
12	`1167`	`var store = new Pkcs12StoreBuilder().Build();`
12	`1168`	`var entry = new X509CertificateEntry(cert);`
	`1169`	`const string alias = "cert";`
12	`1170`	`store.SetCertificateEntry(alias, entry);`
12	`1171`	`store.SetKeyEntry(alias, new AsymmetricKeyEntry(privKey),`
12	`1172`	`[entry]);`
	`1173`
12	`1174`	`using var ms = new MemoryStream();`
12	`1175`	`store.Save(ms, [], new SecureRandom());`
12	`1176`	`var raw = ms.ToArray();`
	`1177`
	`1178`	`#if NET9_0_OR_GREATER`
	`1179`	`try`
	`1180`	`{`
12	`1181`	`return X509CertificateLoader.LoadPkcs12(`
12	`1182`	`raw,`
12	`1183`	`password: default,`
12	`1184`	`keyStorageFlags: flags \| (ephemeral ? X509KeyStorageFlags.EphemeralKeySet : 0),`
12	`1185`	`loaderLimits: Pkcs12LoaderLimits.Defaults`
12	`1186`	`);`
	`1187`	`}`
0	`1188`	`catch (PlatformNotSupportedException) when (ephemeral)`
	`1189`	`{`
	`1190`	`// Some platforms (e.g. certain Linux/macOS runners) don't yet support`
	`1191`	`// EphemeralKeySet with the new X509CertificateLoader API. In that case`
	`1192`	`// we fall back to re-loading without the EphemeralKeySet flag. The`
	`1193`	`// intent of Ephemeral in our API is simply "do not persist in a store" –`
	`1194`	`// loading without the flag here still keeps the cert in-memory only.`
0	`1195`	`Log.Debug("EphemeralKeySet not supported on this platform for X509CertificateLoader; falling back without th`
0	`1196`	`return X509CertificateLoader.LoadPkcs12(`
0	`1197`	`raw,`
0	`1198`	`password: default,`
0	`1199`	`keyStorageFlags: flags, // omit EphemeralKeySet`
0	`1200`	`loaderLimits: Pkcs12LoaderLimits.Defaults`
0	`1201`	`);`
	`1202`	`}`
	`1203`	`#else`
	`1204`	`try`
	`1205`	`{`
	`1206`	`return new X509Certificate2(`
	`1207`	`raw,`
	`1208`	`(string?)null,`
	`1209`	`flags \| (ephemeral ? X509KeyStorageFlags.EphemeralKeySet : 0)`
	`1210`	`);`
	`1211`	`}`
	`1212`	`catch (PlatformNotSupportedException) when (ephemeral)`
	`1213`	`{`
	`1214`	`// macOS (and some Linux distros) under net8 may not support EphemeralKeySet here.`
	`1215`	`Log.Debug("EphemeralKeySet not supported on this platform (net8); falling back without the flag.");`
	`1216`	`return new X509Certificate2(`
	`1217`	`raw,`
	`1218`	`(string?)null,`
	`1219`	`flags // omit EphemeralKeySet`
	`1220`	`);`
	`1221`	`}`
	`1222`
	`1223`	`#endif`
12	`1224`	`}`
	`1225`
	`1226`	`#endregion`
	`1227`	`}`

Methods/Properties