Merge pull request #91916 from dotnet-maestro-bot/merge/release/7.0-to-release/7.0-staging

[automated] Merge branch 'release/7.0' => 'release/7.0-staging'

Author: carlossanlop

eng/Versions.props

@@ -140,7 +140,7 @@
     <optimizationlinuxarm64MIBCRuntimeVersion>1.0.0-prerelease.22415.6</optimizationlinuxarm64MIBCRuntimeVersion>
     <optimizationPGOCoreCLRVersion>1.0.0-prerelease.22415.6</optimizationPGOCoreCLRVersion>
     <!-- Not auto-updated. -->
-    <MicrosoftDiaSymReaderNativeVersion>16.11.27-beta1.23180.1</MicrosoftDiaSymReaderNativeVersion>
+    <MicrosoftDiaSymReaderNativeVersion>16.11.29-beta1.23404.4</MicrosoftDiaSymReaderNativeVersion>
     <SystemCommandLineVersion>2.0.0-beta4.22355.1</SystemCommandLineVersion>
     <TraceEventVersion>3.0.3</TraceEventVersion>
     <NETStandardLibraryRefVersion>2.1.0</NETStandardLibraryRefVersion>

src/libraries/Common/src/System/Net/Http/X509ResourceClient.cs

@@ -12,6 +12,9 @@ namespace System.Net.Http
 {
     internal static partial class X509ResourceClient
     {
+        private const long DefaultAiaDownloadLimit = 100 * 1024 * 1024;
+
+        private static long AiaDownloadLimit { get; } = GetValue("System.Security.Cryptography.AiaDownloadLimit", DefaultAiaDownloadLimit);
         private static readonly Func<string, CancellationToken, bool, ValueTask<byte[]?>>? s_downloadBytes = CreateDownloadBytesFunc();
 
         static partial void ReportNoClient();
@@ -115,6 +118,7 @@ internal static partial class X509ResourceClient
                 ConstructorInfo? httpRequestMessageCtor = httpRequestMessageType.GetConstructor(Type.EmptyTypes);
                 MethodInfo? sendMethod = httpClientType.GetMethod("Send", new Type[] { httpRequestMessageType, typeof(CancellationToken) });
                 MethodInfo? sendAsyncMethod = httpClientType.GetMethod("SendAsync", new Type[] { httpRequestMessageType, typeof(CancellationToken) });
+                PropertyInfo? maxResponseContentBufferSizeProp = httpClientType.GetProperty("MaxResponseContentBufferSize");
                 PropertyInfo? responseContentProp = httpResponseMessageType.GetProperty("Content");
                 PropertyInfo? responseStatusCodeProp = httpResponseMessageType.GetProperty("StatusCode");
                 PropertyInfo? responseHeadersProp = httpResponseMessageType.GetProperty("Headers");
@@ -125,7 +129,7 @@ internal static partial class X509ResourceClient
                 if (socketsHttpHandlerCtor == null || pooledConnectionIdleTimeoutProp == null ||
                     allowAutoRedirectProp == null || httpClientCtor == null ||
                     requestUriProp == null || httpRequestMessageCtor == null ||
-                    sendMethod == null || sendAsyncMethod == null ||
+                    sendMethod == null || sendAsyncMethod == null || maxResponseContentBufferSizeProp == null ||
                     responseContentProp == null || responseStatusCodeProp == null ||
                     responseHeadersProp == null || responseHeadersLocationProp == null ||
                     readAsStreamMethod == null || taskOfHttpResponseMessageResultProp == null)
@@ -149,6 +153,7 @@ internal static partial class X509ResourceClient
                 pooledConnectionIdleTimeoutProp.SetValue(socketsHttpHandler, TimeSpan.FromSeconds(PooledConnectionIdleTimeoutSeconds));
                 allowAutoRedirectProp.SetValue(socketsHttpHandler, false);
                 object? httpClient = httpClientCtor.Invoke(new object?[] { socketsHttpHandler });
+                maxResponseContentBufferSizeProp.SetValue(httpClient, AiaDownloadLimit);
 
                 return async (string uriString, CancellationToken cancellationToken, bool async) =>
                 {
@@ -306,5 +311,24 @@ private static bool IsAllowedScheme(string scheme)
         {
             return string.Equals(scheme, "http", StringComparison.OrdinalIgnoreCase);
         }
+
+        private static long GetValue(string name, long defaultValue)
+        {
+            object? data = AppContext.GetData(name);
+
+            if (data is null)
+            {
+                return defaultValue;
+            }
+
+            try
+            {
+                return Convert.ToInt64(data);
+            }
+            catch
+            {
+                return defaultValue;
+            }
+        }
     }
 }

src/libraries/Microsoft.Windows.Compatibility/src/Microsoft.Windows.Compatibility.csproj

@@ -5,8 +5,8 @@
     <!-- Reference the outputs for the dependency nodes calculation. -->
     <NoTargetsDoNotReferenceOutputAssemblies>false</NoTargetsDoNotReferenceOutputAssemblies>
     <IsPackable>true</IsPackable>
-    <GeneratePackageOnBuild>false</GeneratePackageOnBuild>
-    <ServicingVersion>4</ServicingVersion>
+    <GeneratePackageOnBuild>true</GeneratePackageOnBuild>
+    <ServicingVersion>5</ServicingVersion>
     <!-- This is a meta package and doesn't contain any libs. -->
     <NoWarn>$(NoWarn);NU5128</NoWarn>
     <PackageDescription>This Windows Compatibility Pack provides access to APIs that were previously available only for .NET Framework. It can be used from both .NET as well as .NET Standard.</PackageDescription>

src/libraries/System.Security.Cryptography.X509Certificates/tests/RevocationTests/AiaTests.cs

@@ -3,6 +3,7 @@
 
 using System.Linq;
 using System.Security.Cryptography.X509Certificates.Tests.Common;
+using Microsoft.DotNet.RemoteExecutor;
 using Test.Cryptography;
 using Xunit;
 
@@ -177,5 +178,44 @@ public static void DisableAiaOptionWorks()
                 });
             }
         }
+
+        [ActiveIssue("https://github.com/dotnet/runtime/issues/57506", typeof(PlatformDetection), nameof(PlatformDetection.IsMonoRuntime), nameof(PlatformDetection.IsMariner))]
+        [PlatformSpecific(TestPlatforms.Linux)]
+        [ConditionalFact(typeof(RemoteExecutor), nameof(RemoteExecutor.IsSupported))]
+        public static void AiaIgnoresCertOverLimit()
+        {
+            RemoteExecutor.Invoke(() =>
+            {
+                AppContext.SetData("System.Security.Cryptography.AiaDownloadLimit", 100);
+                CertificateAuthority.BuildPrivatePki(
+                    PkiOptions.AllRevocation,
+                    out RevocationResponder responder,
+                    out CertificateAuthority root,
+                    out CertificateAuthority intermediate,
+                    out X509Certificate2 endEntity,
+                    pkiOptionsInSubject: false,
+                    testName: Guid.NewGuid().ToString());
+
+                using (responder)
+                using (root)
+                using (intermediate)
+                using (endEntity)
+                using (X509Certificate2 rootCert = root.CloneIssuerCert())
+                {
+                    responder.AiaResponseKind = AiaResponseKind.Cert;
+
+                    using (ChainHolder holder = new ChainHolder())
+                    {
+                        X509Chain chain = holder.Chain;
+                        chain.ChainPolicy.CustomTrustStore.Add(rootCert);
+                        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
+                        chain.ChainPolicy.VerificationTime = endEntity.NotBefore.AddMinutes(1);
+                        chain.ChainPolicy.UrlRetrievalTimeout = DynamicRevocationTests.s_urlRetrievalLimit;
+
+                        Assert.False(chain.Build(endEntity));
+                    }
+                }
+            }).Dispose();
+        }
     }
 }