Use a SafeHandle when duplicating a certificate context

CertDuplicateCertificateContext does not ensure the CERT_CONTEXT pointer it is incrementing has not been freed.
If the duplicate and dispose race, duplicating a disposed handle will lead to unspecified behavior.

For .NET 10, we can use the SafeHandle around the certificate before we duplicate the handle. For OOB, we don't have
access to the internals, so we will continue to use the IntPtr Handle property.

Author: vcsjones

src/libraries/Common/src/System/Security/Cryptography/X509Certificates/CertificateHelpers.Windows.cs

@@ -25,6 +25,8 @@ internal static partial class CertificateHelpers
 
         private static partial int GuessKeySpec(CngProvider provider, string keyName, bool machineKey, CngAlgorithmGroup? algorithmGroup);
 
+        private static partial SafeCertContextHandle DuplicateCertificateHandle(TCertificate certificate);
+
 #if !SYSTEM_SECURITY_CRYPTOGRAPHY
         [SupportedOSPlatform("windows")]
 #endif
@@ -75,7 +77,7 @@ internal static TCertificate CopyWithPrivateKey(TCertificate certificate, MLDsa
         internal static T? GetPrivateKey<T>(TCertificate certificate, Func<CspParameters, T> createCsp, Func<CngKey, T?> createCng)
             where T : class, IDisposable
         {
-            using (SafeCertContextHandle certContext = Interop.Crypt32.CertDuplicateCertificateContext(certificate.Handle))
+            using (SafeCertContextHandle certContext = DuplicateCertificateHandle(certificate))
             {
                 SafeNCryptKeyHandle? ncryptKey = TryAcquireCngPrivateKey(certContext, out CngKeyHandleOpenOptions cngHandleOptions);
                 if (ncryptKey != null)

src/libraries/Microsoft.Bcl.Cryptography/src/System/Security/Cryptography/X509Certificates/CertificateHelpers.Windows.cs

@@ -42,5 +42,10 @@ private static partial SafeNCryptKeyHandle CreateSafeNCryptKeyHandle(IntPtr hand
             return new SafeNCryptKeyHandle(handle, parentHandle);
 #endif
         }
+
+        private static partial SafeCertContextHandle DuplicateCertificateHandle(X509Certificate2 certificate)
+        {
+            return Interop.Crypt32.CertDuplicateCertificateContext(certificate.Handle);
+        }
     }
 }

src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/CertificateHelpers.Windows.cs

@@ -166,5 +166,33 @@ private static bool TryGuessDsaKeySpec(CspParameters cspParameters, out int keyS
             keySpec = 0;
             return false;
         }
+
+        private static partial SafeCertContextHandle DuplicateCertificateHandle(CertificatePal certificate)
+        {
+            SafeCertContextHandle? handle = certificate.SafeHandle;
+            bool addedRef = false;
+
+            try
+            {
+                if (handle is not null)
+                {
+                    handle.DangerousAddRef(ref addedRef);
+                    return Interop.Crypt32.CertDuplicateCertificateContext(handle.DangerousGetHandle());
+                }
+            }
+            catch (ObjectDisposedException)
+            {
+                // Let this go to the invalid handle throw.
+            }
+            finally
+            {
+                if (addedRef)
+                {
+                    handle!.DangerousRelease();
+                }
+            }
+
+            throw new CryptographicException(SR.Format(SR.Cryptography_InvalidHandle, nameof(handle)));
+        }
     }
 }

src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/CertificatePal.Windows.cs

@@ -50,6 +50,8 @@ public IntPtr Handle
             get { return _certContext.DangerousGetHandle(); }
         }
 
+        internal SafeCertContextHandle? SafeHandle => _certContext;
+
         public string Issuer => GetIssuerOrSubject(issuer: true, reverse: true);
 
         public string Subject => GetIssuerOrSubject(issuer: false, reverse: true);