Condition Windows SslCertificateTrust test on Registry value

src/libraries/Common/tests/TestUtilities/System/PlatformDetection.cs

@@ -238,11 +238,14 @@ private static bool GetAlpnSupport()
         private static Lazy<bool> s_supportsTls11 = new Lazy<bool>(GetTls11Support);
         private static Lazy<bool> s_supportsTls12 = new Lazy<bool>(GetTls12Support);
         private static Lazy<bool> s_supportsTls13 = new Lazy<bool>(GetTls13Support);
+        private static Lazy<bool> s_sendsCAListByDefault = new Lazy<bool>(GetSendsCAListByDefault);
 
         public static bool SupportsTls10 => s_supportsTls10.Value;
         public static bool SupportsTls11 => s_supportsTls11.Value;
         public static bool SupportsTls12 => s_supportsTls12.Value;
         public static bool SupportsTls13 => s_supportsTls13.Value;
+        public static bool SendsCAListByDefault => s_sendsCAListByDefault.Value;
+        public static bool SupportsSendingCustomCANamesInTls => UsesAppleCrypto || IsOpenSslSupported || (PlatformDetection.IsWindows8xOrLater && SendsCAListByDefault);
 
         private static Lazy<bool> s_largeArrayIsNotSupported = new Lazy<bool>(IsLargeArrayNotSupported);
 
@@ -295,7 +298,7 @@ private static bool GetStaticNonPublicBooleanPropertyValue(string typeName, stri
 
         public static bool IsInvariantGlobalization => m_isInvariant.Value;
         public static bool IsNotInvariantGlobalization => !IsInvariantGlobalization;
-        public static bool IsIcuGlobalization => ICUVersion > new Version(0,0,0,0);
+        public static bool IsIcuGlobalization => ICUVersion > new Version(0, 0, 0, 0);
         public static bool IsNlsGlobalization => IsNotInvariantGlobalization && !IsIcuGlobalization;
 
         public static bool IsSubstAvailable
@@ -360,7 +363,7 @@ private static bool GetIsInContainer()
 
         private static bool GetProtocolSupportFromWindowsRegistry(SslProtocols protocol, bool defaultProtocolSupport)
         {
-            string registryProtocolName = protocol switch 
+            string registryProtocolName = protocol switch
             {
 #pragma warning disable CS0618 // Ssl2 and Ssl3 are obsolete
                 SslProtocols.Ssl3 => "SSL 3.0",
@@ -410,7 +413,7 @@ private static bool GetSsl3Support()
 #pragma warning disable CS0618 // Ssl2 and Ssl3 are obsolete
                 return GetProtocolSupportFromWindowsRegistry(SslProtocols.Ssl3, ssl3DefaultSupport);
 #pragma warning restore CS0618
-                
+
             }
 
             return (IsOSX || (IsLinux && OpenSslVersion < new Version(1, 0, 2) && !IsDebian));
@@ -437,7 +440,7 @@ private static bool GetTls10Support()
             if (IsOSXLike || IsAndroid)
             {
                 return true;
-            } 
+            }
             if (IsWindows)
             {
                 return GetProtocolSupportFromWindowsRegistry(SslProtocols.Tls, true);
@@ -466,7 +469,7 @@ private static bool GetTls11Support()
         private static bool GetTls12Support()
         {
             // TLS 1.1 and 1.2 can work on Windows7 but it is not enabled by default.
-            bool defaultProtocolSupport =  !IsWindows7;
+            bool defaultProtocolSupport = !IsWindows7;
             return GetProtocolSupportFromWindowsRegistry(SslProtocols.Tls12, defaultProtocolSupport);
         }
 
@@ -506,7 +509,23 @@ private static bool GetTls13Support()
             else if (IsOpenSslSupported)
             {
                 // Covers Linux, FreeBSD, illumos and Solaris
-                return OpenSslVersion >= new Version(1,1,1);
+                return OpenSslVersion >= new Version(1, 1, 1);
+            }
+
+            return false;
+        }
+
+        private static bool GetSendsCAListByDefault()
+        {
+            if (IsWindows)
+            {
+                // Sending TrustedIssuers is conditioned on the registry. Win7 sends trusted issuer list by default,
+                // newer Windows versions don't.
+                object val = Registry.GetValue(@"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL", "SendTrustedIssuerList", IsWindows7 ? 1 : 0);
+                if (val is int i)
+                {
+                    return i == 1;
+                }
             }
 
             return false;

src/libraries/System.Net.Security/src/System/Net/Security/SslCertificateTrust.cs

@@ -21,7 +21,9 @@ public static SslCertificateTrust CreateForX509Store(X509Store store, bool sendT
                 throw new PlatformNotSupportedException(SR.net_ssl_trust_store);
             }
 #else
-            if (sendTrustInHandshake && !System.OperatingSystem.IsLinux() && !System.OperatingSystem.IsMacOS())
+            if (sendTrustInHandshake && !System.OperatingSystem.IsLinux() && !System.OperatingSystem.IsMacOS() &&
+                // Necessary functions are available only on win 8 onwards
+                !OperatingSystem.IsWindowsVersionAtLeast(6, 2))
             {
                 // to be removed when implemented.
                 throw new PlatformNotSupportedException(SR.net_ssl_trust_handshake);
@@ -43,16 +45,9 @@ public static SslCertificateTrust CreateForX509Collection(X509Certificate2Collec
         {
             if (sendTrustInHandshake && !System.OperatingSystem.IsLinux() && !System.OperatingSystem.IsMacOS())
             {
-                // to be removed when implemented.
                 throw new PlatformNotSupportedException(SR.net_ssl_trust_handshake);
             }
 
-#if TARGET_WINDOWS
-            if (sendTrustInHandshake)
-            {
-                throw new PlatformNotSupportedException(SR.net_ssl_trust_collection);
-            }
-#endif
             var trust = new SslCertificateTrust();
             trust._trustList = trustList;
             trust._sendTrustInHandshake = sendTrustInHandshake;

src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamCertificateTrustTests.cs

@@ -15,9 +15,11 @@ namespace System.Net.Security.Tests
 
     public class SslStreamCertificateTrustTest
     {
-        [Fact]
-        // not supported on Windows, not implemented elsewhere
-        [PlatformSpecific(TestPlatforms.Linux | TestPlatforms.OSX)]
+        public static bool SupportsSendingCustomCANamesInTls => PlatformDetection.SupportsSendingCustomCANamesInTls;
+        public static bool DoesNotSupportSendingCustomCANamesInTls => !PlatformDetection.SupportsSendingCustomCANamesInTls;
+
+        [ConditionalFact(nameof(SupportsSendingCustomCANamesInTls))]
+        [SkipOnPlatform(TestPlatforms.Windows, "CertificateCollection-based SslCertificateTrust is not Supported on Windows")]
         public async Task SslStream_SendCertificateTrust_CertificateCollection()
         {
             (X509Certificate2 certificate, X509Certificate2Collection caCerts) = TestHelper.GenerateCertificates(nameof(SslStream_SendCertificateTrust_CertificateCollection));
@@ -29,9 +31,7 @@ public async Task SslStream_SendCertificateTrust_CertificateCollection()
             Assert.Equal(caCerts.Select(c => c.Subject), acceptableIssuers);
         }
 
-        [Fact]
-        [ActiveIssue("https://github.com/dotnet/runtime/issues/65515", TestPlatforms.Windows)]
-        [PlatformSpecific(TestPlatforms.Windows | TestPlatforms.Linux | TestPlatforms.OSX)]
+        [ConditionalFact(nameof(SupportsSendingCustomCANamesInTls))]
         public async Task SslStream_SendCertificateTrust_CertificateStore()
         {
             using X509Store store = new X509Store("Root", StoreLocation.LocalMachine);
@@ -89,5 +89,26 @@ await TestConfiguration.WhenAllOrAnyFailedWithTimeout(
                 return acceptableIssuers;
             }
         }
+
+        [ConditionalFact(nameof(SupportsSendingCustomCANamesInTls))]
+        [PlatformSpecific(TestPlatforms.Windows)]
+        public void SslStream_SendCertificateTrust_CertificateCollection_ThrowsOnWindows()
+        {
+            (X509Certificate2 certificate, X509Certificate2Collection caCerts) = TestHelper.GenerateCertificates(nameof(SslStream_SendCertificateTrust_CertificateCollection));
+
+            Assert.Throws<PlatformNotSupportedException>(() => SslCertificateTrust.CreateForX509Collection(caCerts, sendTrustInHandshake: true));
+        }
+
+        [ConditionalFact(nameof(DoesNotSupportSendingCustomCANamesInTls))]
+        [SkipOnPlatform(TestPlatforms.Windows, "Windows tested separately")]
+        public void SslStream_SendCertificateTrust_ThrowsOnUnsupportedPlatform()
+        {
+            (X509Certificate2 certificate, X509Certificate2Collection caCerts) = TestHelper.GenerateCertificates(nameof(SslStream_SendCertificateTrust_CertificateCollection));
+
+            using X509Store store = new X509Store("Root", StoreLocation.LocalMachine);
+
+            Assert.Throws<PlatformNotSupportedException>(() => SslCertificateTrust.CreateForX509Collection(caCerts, sendTrustInHandshake: true));
+            Assert.Throws<PlatformNotSupportedException>(() => SslCertificateTrust.CreateForX509Store(store, sendTrustInHandshake: true));
+        }
     }
 }

src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamEKUTest.cs

@@ -11,11 +11,12 @@
 
 namespace System.Net.Security.Tests
 {
-    using Configuration =   System.Net.Test.Common.Configuration;
+    using Configuration = System.Net.Test.Common.Configuration;
 
     public class SslStreamEKUTest
     {
         public static bool IsRootCertificateInstalled => Capability.IsTrustedRootCertificateInstalled();
+        public static bool DoesNotSendCAListByDefault => !PlatformDetection.SendsCAListByDefault;
 
         public const int TestTimeoutMilliseconds = 15 * 1000;
 
@@ -134,7 +135,7 @@ public async Task SslStream_ServerEKUClientAuth_Fails()
             }
         }
 
-        [ConditionalFact(nameof(IsRootCertificateInstalled))]
+        [ConditionalFact(nameof(IsRootCertificateInstalled), nameof(DoesNotSendCAListByDefault))]
         public async Task SslStream_SelfSignedClientEKUClientAuth_Ok()
         {
             var serverOptions = new HttpsTestServer.Options();