From e78b72b1fdf43d9678877400bcfe801b38c14681 Mon Sep 17 00:00:00 2001
From: Jeremy Barton
Date: Thu, 4 Jul 2024 10:50:30 -0700
Subject: [PATCH] Fix certificate test failures on iOS(-likes) Also don't run ExportMultiplePrivateKeys on platforms that don't have Exportable
---
 .../X509CertificateLoader.iOS.cs | 24 ++++++++++++++++++-
 .../tests/X509Certificates/CollectionTests.cs | 1 +
 2 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509CertificateLoader.iOS.cs b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509CertificateLoader.iOS.cs
index 11e253150053cf..3dc0df1700b567 100644
--- a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509CertificateLoader.iOS.cs
+++ b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509CertificateLoader.iOS.cs
@@ -22,7 +22,29 @@ private static partial ICertificatePal LoadCertificatePal(ReadOnlySpan dat
 throw new CryptographicException(SR.Cryptography_Der_Invalid_Encoding);
 }
- return LoadX509(data);
+ ICertificatePal? result = null;
+
+ // If the data starts with 0x30, only try the DER loader.
+ // Otherwise, try PEM.
+ // If it's not PEM and not 0x30, still call the DER loader to get the system error.
+ if (data[0] != 0x30)
+ {
+ AppleCertificatePal.TryDecodePem(
+ data,
+ (derData, contentType) =>
+ {
+ if (contentType != X509ContentType.Cert)
+ {
+ // true: keep looking
+ return true;
+ }
+
+ result = LoadX509(derData);
+ return false;
+ });
+ }
+
+ return result ?? LoadX509(data);
 }
 private static partial ICertificatePal LoadCertificatePalFromFile(string path)
diff --git a/src/libraries/System.Security.Cryptography/tests/X509Certificates/CollectionTests.cs b/src/libraries/System.Security.Cryptography/tests/X509Certificates/CollectionTests.cs
index ac871b95631532..caf9ed53ea1be8 100644
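Review bot: In the new PEM branch of LoadCertificatePal the callback stops at the first block whose content type is `X509ContentType.Cert`, so any later blocks in `data` are ignored silently, and the result of `AppleCertificatePal.TryDecodePem` is discarded. Callers that load a certificate to pin or validate it should be able to read that rule from the code; I would extend the comment with `// The first CERTIFICATE block wins; later blocks and non-certificate blocks are ignored.` and confirm that the other platforms' loaders behave the same way. When no certificate block is found the raw input still goes to `LoadX509(data)`, so rejecting non-certificate PEM depends on that call failing, which seems worth pinning with a test if none exists. The `data[0]` read relies on the guard above it, which begins outside the hunk and presumably rejects empty input.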
--- a/src/libraries/System.Security.Cryptography/tests/X509Certificates/CollectionTests.cs
+++ b/src/libraries/System.Security.Cryptography/tests/X509Certificates/CollectionTests.cs
@@ -800,6 +800,7 @@ public static void MultipleImport()
 }
 [Fact]
+ [SkipOnPlatform(TestPlatforms.iOS | TestPlatforms.MacCatalyst | TestPlatforms.tvOS, "The PKCS#12 Exportable flag is not supported on iOS/MacCatalyst/tvOS")]
 public static void ExportMultiplePrivateKeys()
 {
 var collection = new X509Certificate2Collection();