diff --git a/src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.X509Ext.cs b/src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.X509Ext.cs
index 397f95a31baa77..6012d65fdeb3a6 100644
--- a/src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.X509Ext.cs
+++ b/src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.X509Ext.cs
@@ -21,14 +21,5 @@ internal static partial SafeX509ExtensionHandle X509ExtensionCreateByObj(
[LibraryImport(Libraries.CryptoNative, EntryPoint = "CryptoNative_X509V3ExtPrint")]
[return: MarshalAs(UnmanagedType.Bool)]
internal static partial bool X509V3ExtPrint(SafeBioHandle buf, SafeX509ExtensionHandle ext);
-
- [LibraryImport(Libraries.CryptoNative, EntryPoint = "CryptoNative_DecodeX509BasicConstraints2Extension")]
- [return: MarshalAs(UnmanagedType.Bool)]
- internal static partial bool DecodeX509BasicConstraints2Extension(
- byte[] encoded,
- int encodedLength,
- [MarshalAs(UnmanagedType.Bool)] out bool certificateAuthority,
- [MarshalAs(UnmanagedType.Bool)] out bool hasPathLengthConstraint,
- out int pathLengthConstraint);
}
}
diff --git a/src/libraries/System.Security.Cryptography/src/System.Security.Cryptography.csproj b/src/libraries/System.Security.Cryptography/src/System.Security.Cryptography.csproj
index c609292d4059f6..ad075113cf7d26 100644
--- a/src/libraries/System.Security.Cryptography/src/System.Security.Cryptography.csproj
+++ b/src/libraries/System.Security.Cryptography/src/System.Security.Cryptography.csproj
@@ -692,6 +692,7 @@
+
@@ -906,8 +907,8 @@
+
-
@@ -1052,8 +1053,8 @@
+
-
@@ -1183,8 +1184,8 @@
+
-
@@ -1784,6 +1785,7 @@
+
@@ -1793,7 +1795,6 @@
-
diff --git a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/IX509Pal.cs b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/IX509Pal.cs
index d19f6e900bb0f7..991986bd0eab16 100644
--- a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/IX509Pal.cs
+++ b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/IX509Pal.cs
@@ -13,9 +13,5 @@ internal interface IX509Pal
string X500DistinguishedNameFormat(byte[] encodedDistinguishedName, bool multiLine);
X509ContentType GetCertContentType(ReadOnlySpan rawData);
X509ContentType GetCertContentType(string fileName);
- bool SupportsLegacyBasicConstraintsExtension { get; }
- byte[] EncodeX509BasicConstraints2Extension(bool certificateAuthority, bool hasPathLengthConstraint, int pathLengthConstraint);
- void DecodeX509BasicConstraintsExtension(byte[] encoded, out bool certificateAuthority, out bool hasPathLengthConstraint, out int pathLengthConstraint);
- void DecodeX509BasicConstraints2Extension(byte[] encoded, out bool certificateAuthority, out bool hasPathLengthConstraint, out int pathLengthConstraint);
}
}
diff --git a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/LegacyBasicConstraintsDecoder.NotSupported.cs b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/LegacyBasicConstraintsDecoder.NotSupported.cs
new file mode 100644
index 00000000000000..09fcfae607aa81
--- /dev/null
+++ b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/LegacyBasicConstraintsDecoder.NotSupported.cs
@@ -0,0 +1,24 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+namespace System.Security.Cryptography.X509Certificates
+{
+ internal static class LegacyBasicConstraintsDecoder
+ {
+ internal static bool IsSupported => false;
+
+ internal static void DecodeX509BasicConstraintsExtension(
+ byte[] encoded,
+ out bool certificateAuthority,
+ out bool hasPathLengthConstraint,
+ out int pathLengthConstraint)
+ {
+ // No RFC nor ITU document describes the layout of the 2.5.29.10 structure,
+ // and OpenSSL doesn't have a decoder for it, either.
+ //
+ // Since it was never published as a standard (2.5.29.19 replaced it before publication)
+ // there shouldn't be too many people upset that we can't decode it for them on Unix.
+ throw new PlatformNotSupportedException(SR.NotSupported_LegacyBasicConstraints);
+ }
+ }
+}
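Review bot: Neither new LegacyBasicConstraintsDecoder class carries a summary explaining the platform split; the NotSupported variant's only documentation is the body comment and the Windows variant (LegacyBasicConstraintsDecoder.Windows.cs) has none. A reader has to find X509Certificate2.CreateCustomExtensionIfAny to learn that `IsSupported` is what keeps a 2.5.29.10 extension from being surfaced as an X509BasicConstraintsExtension, and that `DecodeX509BasicConstraintsExtension` is presumably still reachable when the extension is constructed directly with that OID (DecodeExtension branches on the OID value alone). I would put on the class, in both files: `/// <summary>Decoder for the pre-standard basicConstraints extension (2.5.29.10). <see cref="IsSupported"/> gates whether X509Certificate2.CreateCustomExtensionIfAny surfaces it; when false, <see cref="DecodeX509BasicConstraintsExtension"/> throws PlatformNotSupportedException.</summary>`. A one-line remark that `encoded` is intentionally unused in the NotSupported variant would also stop an analyzer-driven cleanup from touching the shared signature.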
diff --git a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/LegacyBasicConstraintsDecoder.Windows.cs b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/LegacyBasicConstraintsDecoder.Windows.cs
new file mode 100644
index 00000000000000..a1331df3f33818
--- /dev/null
+++ b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/LegacyBasicConstraintsDecoder.Windows.cs
@@ -0,0 +1,35 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System.Diagnostics;
+using System.Runtime.InteropServices;
+using Internal.Cryptography;
+
+namespace System.Security.Cryptography.X509Certificates
+{
+ internal static class LegacyBasicConstraintsDecoder
+ {
+ internal static bool IsSupported => true;
+
+ internal static void DecodeX509BasicConstraintsExtension(
+ byte[] encoded,
+ out bool certificateAuthority,
+ out bool hasPathLengthConstraint,
+ out int pathLengthConstraint)
+ {
+ unsafe
+ {
+ (certificateAuthority, hasPathLengthConstraint, pathLengthConstraint) = encoded.DecodeObject(
+ CryptDecodeObjectStructType.X509_BASIC_CONSTRAINTS,
+ static delegate (void* pvDecoded, int cbDecoded)
+ {
+ Debug.Assert(cbDecoded >= sizeof(CERT_BASIC_CONSTRAINTS_INFO));
+ CERT_BASIC_CONSTRAINTS_INFO* pBasicConstraints = (CERT_BASIC_CONSTRAINTS_INFO*)pvDecoded;
+ return ((Marshal.ReadByte(pBasicConstraints->SubjectType.pbData) & CERT_BASIC_CONSTRAINTS_INFO.CERT_CA_SUBJECT_FLAG) != 0,
+ pBasicConstraints->fPathLenConstraint != 0,
+ pBasicConstraints->dwPathLenConstraint);
+ });
+ }
+ }
+ }
+}
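Review bot: In the decode callback, `Marshal.ReadByte(pBasicConstraints->SubjectType.pbData)` reads the first byte of the SubjectType bit blob without checking its length; the `Debug.Assert` above it only covers the outer struct size and is compiled out in Release. Whether CryptDecodeObject can ever hand back an empty CRYPT_BIT_BLOB for this structure is not visible from the hunk, but a zero-length `SubjectType` would make that read go through a null or dangling `pbData`. The code is moved verbatim from the deleted X509Pal.Windows.CustomExtensions.cs, so this is pre-existing, yet the move is a cheap place to make the guard explicit: `bool isCa = pBasicConstraints->SubjectType.cbData > 0 && (Marshal.ReadByte(pBasicConstraints->SubjectType.pbData) & CERT_BASIC_CONSTRAINTS_INFO.CERT_CA_SUBJECT_FLAG) != 0;` and return `isCa` as the first tuple element. Treating an empty blob as "not a CA" is the conservative reading for a path-validation input.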
diff --git a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/ManagedX509ExtensionProcessor.cs b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/ManagedX509ExtensionProcessor.cs
deleted file mode 100644
index 561cb039cfaece..00000000000000
--- a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/ManagedX509ExtensionProcessor.cs
+++ /dev/null
@@ -1,57 +0,0 @@
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-
-using System.Diagnostics;
-using System.Formats.Asn1;
-using System.Security.Cryptography.Asn1;
-using System.Security.Cryptography.X509Certificates.Asn1;
-
-namespace System.Security.Cryptography.X509Certificates
-{
- internal class ManagedX509ExtensionProcessor
- {
- public virtual byte[] EncodeX509BasicConstraints2Extension(
- bool certificateAuthority,
- bool hasPathLengthConstraint,
- int pathLengthConstraint)
- {
- BasicConstraintsAsn constraints = default;
-
- constraints.CA = certificateAuthority;
- if (hasPathLengthConstraint)
- constraints.PathLengthConstraint = pathLengthConstraint;
-
- AsnWriter writer = new AsnWriter(AsnEncodingRules.DER);
- constraints.Encode(writer);
- return writer.Encode();
- }
-
- public virtual bool SupportsLegacyBasicConstraintsExtension => false;
-
- public virtual void DecodeX509BasicConstraintsExtension(
- byte[] encoded,
- out bool certificateAuthority,
- out bool hasPathLengthConstraint,
- out int pathLengthConstraint)
- {
- // No RFC nor ITU document describes the layout of the 2.5.29.10 structure,
- // and OpenSSL doesn't have a decoder for it, either.
- //
- // Since it was never published as a standard (2.5.29.19 replaced it before publication)
- // there shouldn't be too many people upset that we can't decode it for them on Unix.
- throw new PlatformNotSupportedException(SR.NotSupported_LegacyBasicConstraints);
- }
-
- public virtual void DecodeX509BasicConstraints2Extension(
- byte[] encoded,
- out bool certificateAuthority,
- out bool hasPathLengthConstraint,
- out int pathLengthConstraint)
- {
- BasicConstraintsAsn constraints = BasicConstraintsAsn.Decode(encoded, AsnEncodingRules.BER);
- certificateAuthority = constraints.CA;
- hasPathLengthConstraint = constraints.PathLengthConstraint.HasValue;
- pathLengthConstraint = constraints.PathLengthConstraint.GetValueOrDefault();
- }
- }
-}
diff --git a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/OpenSslX509Encoder.cs b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/OpenSslX509Encoder.cs
index fd2a8cef7c0c6a..8966b760df1f0a 100644
--- a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/OpenSslX509Encoder.cs
+++ b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/OpenSslX509Encoder.cs
@@ -9,7 +9,7 @@
namespace System.Security.Cryptography.X509Certificates
{
- internal sealed class OpenSslX509Encoder : ManagedX509ExtensionProcessor, IX509Pal
+ internal sealed class OpenSslX509Encoder : IX509Pal
{
public ECDsa DecodeECDsaPublicKey(ICertificatePal? certificatePal)
{
@@ -152,23 +152,6 @@ public X509ContentType GetCertContentType(string fileName)
throw new CryptographicException();
}
- public override void DecodeX509BasicConstraints2Extension(
- byte[] encoded,
- out bool certificateAuthority,
- out bool hasPathLengthConstraint,
- out int pathLengthConstraint)
- {
- if (!Interop.Crypto.DecodeX509BasicConstraints2Extension(
- encoded,
- encoded.Length,
- out certificateAuthority,
- out hasPathLengthConstraint,
- out pathLengthConstraint))
- {
- throw Interop.Crypto.CreateOpenSslCryptographicException();
- }
- }
-
private static RSAOpenSsl BuildRsaPublicKey(byte[] encodedData)
{
var rsa = new RSAOpenSsl();
diff --git a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509BasicConstraintsExtension.cs b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509BasicConstraintsExtension.cs
index d092d06b9d07c3..e1e6b91c2455c8 100644
--- a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509BasicConstraintsExtension.cs
+++ b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509BasicConstraintsExtension.cs
@@ -1,6 +1,9 @@
// Licensed to the .NET Foundation under one or more agreements.
// The .NET Foundation licenses this file to you under the MIT license.
+using System.Formats.Asn1;
+using System.Security.Cryptography.X509Certificates.Asn1;
+
namespace System.Security.Cryptography.X509Certificates
{
public sealed class X509BasicConstraintsExtension : X509Extension
@@ -111,19 +114,63 @@ private static byte[] EncodeExtension(bool certificateAuthority, bool hasPathLen
ArgumentOutOfRangeException.ThrowIfNegative(pathLengthConstraint);
}
- return X509Pal.Instance.EncodeX509BasicConstraints2Extension(certificateAuthority, hasPathLengthConstraint, pathLengthConstraint);
+ return EncodeX509BasicConstraints2Extension(certificateAuthority, hasPathLengthConstraint, pathLengthConstraint);
}
private void DecodeExtension()
{
if (Oid!.Value == Oids.BasicConstraints)
- X509Pal.Instance.DecodeX509BasicConstraintsExtension(RawData, out _certificateAuthority, out _hasPathLenConstraint, out _pathLenConstraint);
+ {
+ LegacyBasicConstraintsDecoder.DecodeX509BasicConstraintsExtension(
+ RawData,
+ out _certificateAuthority,
+ out _hasPathLenConstraint,
+ out _pathLenConstraint);
+ }
else
- X509Pal.Instance.DecodeX509BasicConstraints2Extension(RawData, out _certificateAuthority, out _hasPathLenConstraint, out _pathLenConstraint);
+ {
+ DecodeX509BasicConstraints2Extension(
+ RawData,
+ out _certificateAuthority,
+ out _hasPathLenConstraint,
+ out _pathLenConstraint);
+ }
_decoded = true;
}
+ private static byte[] EncodeX509BasicConstraints2Extension(
+ bool certificateAuthority,
+ bool hasPathLengthConstraint,
+ int pathLengthConstraint)
+ {
+ BasicConstraintsAsn constraints = default;
+
+ constraints.CA = certificateAuthority;
+
+ if (hasPathLengthConstraint)
+ {
+ constraints.PathLengthConstraint = pathLengthConstraint;
+ }
+
+ // Largest possible encoded extension is 11 bytes when pathLenConstraint is int.MaxValue.
+ AsnWriter writer = new AsnWriter(AsnEncodingRules.DER, initialCapacity: 11);
+ constraints.Encode(writer);
+ return writer.Encode();
+ }
+
+ private static void DecodeX509BasicConstraints2Extension(
+ byte[] encoded,
+ out bool certificateAuthority,
+ out bool hasPathLengthConstraint,
+ out int pathLengthConstraint)
+ {
+ BasicConstraintsAsn constraints = BasicConstraintsAsn.Decode(encoded, AsnEncodingRules.BER);
+ certificateAuthority = constraints.CA;
+ hasPathLengthConstraint = constraints.PathLengthConstraint.HasValue;
+ pathLengthConstraint = constraints.PathLengthConstraint.GetValueOrDefault();
+ }
+
private bool _certificateAuthority;
private bool _hasPathLenConstraint;
private int _pathLenConstraint;
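Review bot: `DecodeX509BasicConstraints2Extension` now lets `AsnContentException` escape from `BasicConstraintsAsn.Decode` on malformed data, whereas the OpenSSL path it replaces threw a `CryptographicException` (the deleted `throw Interop.Crypto.CreateOpenSslCryptographicException();` in OpenSslX509Encoder.cs), and the deleted Windows path went through `DecodeObject`, which I believe surfaced the same type. Callers reaching this through the CertificateAuthority/PathLengthConstraint getters on Windows and Linux therefore observe a different exception type after this commit, and on Windows the legacy 2.5.29.10 branch of DecodeExtension keeps throwing `CryptographicException` while the 2.5.29.19 branch throws `AsnContentException`. I would translate the decode failure to `CryptographicException` with the existing `SR.Cryptography_Der_Invalid_Encoding` resource, as below, if that matches what the other managed extension decoders in this directory do. The comment on `EncodeX509BasicConstraints2Extension` could also record that decode is deliberately BER-tolerant while encode is strict DER, so the asymmetry reads as intentional.
```csharp
// … unchanged: DecodeX509BasicConstraints2Extension signature …
{
    BasicConstraintsAsn constraints;

    try
    {
        constraints = BasicConstraintsAsn.Decode(encoded, AsnEncodingRules.BER);
    }
    catch (AsnContentException e)
    {
        // Keep the public surface throwing CryptographicException for malformed
        // extension data, as the native decoders this replaces did.
        throw new CryptographicException(SR.Cryptography_Der_Invalid_Encoding, e);
    }

    // … unchanged: copy CA / path-length values into the out parameters …
}
```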
diff --git a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Certificate2.cs b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Certificate2.cs
index ea56200fd74ba4..7fc6beb3fe5a12 100644
--- a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Certificate2.cs
+++ b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Certificate2.cs
@@ -1496,7 +1496,7 @@ private static X509Certificate2 ExtractKeyFromEncryptedPem(
internal static X509Extension? CreateCustomExtensionIfAny(string? oidValue) =>
oidValue switch
{
- Oids.BasicConstraints => X509Pal.Instance.SupportsLegacyBasicConstraintsExtension ? new X509BasicConstraintsExtension() : null,
+ Oids.BasicConstraints => LegacyBasicConstraintsDecoder.IsSupported ? new X509BasicConstraintsExtension() : null,
Oids.BasicConstraints2 => new X509BasicConstraintsExtension(),
Oids.KeyUsage => new X509KeyUsageExtension(),
Oids.EnhancedKeyUsage => new X509EnhancedKeyUsageExtension(),
diff --git a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Pal.Android.cs b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Pal.Android.cs
index 608ee19b855791..f836a62ab7e898 100644
--- a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Pal.Android.cs
+++ b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Pal.Android.cs
@@ -18,7 +18,7 @@ private static partial IX509Pal BuildSingleton()
return new AndroidX509Pal();
}
- private sealed partial class AndroidX509Pal : ManagedX509ExtensionProcessor, IX509Pal
+ private sealed partial class AndroidX509Pal : IX509Pal
{
public ECDsa DecodeECDsaPublicKey(ICertificatePal? certificatePal)
{
diff --git a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Pal.Apple.ECKey.cs b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Pal.Apple.ECKey.cs
index 8d1696721b1a45..01627dfdb2ddf9 100644
--- a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Pal.Apple.ECKey.cs
+++ b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Pal.Apple.ECKey.cs
@@ -7,7 +7,7 @@ namespace System.Security.Cryptography.X509Certificates
{
internal partial class X509Pal
{
- private sealed partial class AppleX509Pal : ManagedX509ExtensionProcessor, IX509Pal
+ private sealed partial class AppleX509Pal : IX509Pal
{
public ECDsa DecodeECDsaPublicKey(ICertificatePal? certificatePal)
{
diff --git a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Pal.Apple.X500Name.cs b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Pal.Apple.X500Name.cs
index b5fe1db6575335..50153c8fee03a8 100644
--- a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Pal.Apple.X500Name.cs
+++ b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Pal.Apple.X500Name.cs
@@ -5,7 +5,7 @@ namespace System.Security.Cryptography.X509Certificates
{
internal partial class X509Pal
{
- private sealed partial class AppleX509Pal : ManagedX509ExtensionProcessor, IX509Pal
+ private sealed partial class AppleX509Pal : IX509Pal
{
public string X500DistinguishedNameDecode(byte[] encodedDistinguishedName, X500DistinguishedNameFlags flag)
{
diff --git a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Pal.Windows.CustomExtensions.cs b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Pal.Windows.CustomExtensions.cs
deleted file mode 100644
index e731b31c9aae7b..00000000000000
--- a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Pal.Windows.CustomExtensions.cs
+++ /dev/null
@@ -1,70 +0,0 @@
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-
-using System.Diagnostics;
-using System.Runtime.InteropServices;
-using Internal.Cryptography;
-
-namespace System.Security.Cryptography.X509Certificates
-{
- ///
- /// A singleton class that encapsulates the native implementation of various X509 services. (Implementing this as a singleton makes it
- /// easier to split the class into abstract and implementation classes if desired.)
- ///
- internal sealed partial class X509Pal : IX509Pal
- {
- public bool SupportsLegacyBasicConstraintsExtension
- {
- get { return true; }
- }
-
- public byte[] EncodeX509BasicConstraints2Extension(bool certificateAuthority, bool hasPathLengthConstraint, int pathLengthConstraint)
- {
- unsafe
- {
- CERT_BASIC_CONSTRAINTS2_INFO constraintsInfo = new CERT_BASIC_CONSTRAINTS2_INFO()
- {
- fCA = certificateAuthority ? 1 : 0,
- fPathLenConstraint = hasPathLengthConstraint ? 1 : 0,
- dwPathLenConstraint = pathLengthConstraint,
- };
-
- return Interop.crypt32.EncodeObject(Oids.BasicConstraints2, &constraintsInfo);
- }
- }
-
- public void DecodeX509BasicConstraintsExtension(byte[] encoded, out bool certificateAuthority, out bool hasPathLengthConstraint, out int pathLengthConstraint)
- {
- unsafe
- {
- (certificateAuthority, hasPathLengthConstraint, pathLengthConstraint) = encoded.DecodeObject(
- CryptDecodeObjectStructType.X509_BASIC_CONSTRAINTS,
- static delegate (void* pvDecoded, int cbDecoded)
- {
- Debug.Assert(cbDecoded >= sizeof(CERT_BASIC_CONSTRAINTS_INFO));
- CERT_BASIC_CONSTRAINTS_INFO* pBasicConstraints = (CERT_BASIC_CONSTRAINTS_INFO*)pvDecoded;
- return ((Marshal.ReadByte(pBasicConstraints->SubjectType.pbData) & CERT_BASIC_CONSTRAINTS_INFO.CERT_CA_SUBJECT_FLAG) != 0,
- pBasicConstraints->fPathLenConstraint != 0,
- pBasicConstraints->dwPathLenConstraint);
- });
- }
- }
-
- public void DecodeX509BasicConstraints2Extension(byte[] encoded, out bool certificateAuthority, out bool hasPathLengthConstraint, out int pathLengthConstraint)
- {
- unsafe
- {
- (certificateAuthority, hasPathLengthConstraint, pathLengthConstraint) = encoded.DecodeObject(
- CryptDecodeObjectStructType.X509_BASIC_CONSTRAINTS2,
- static delegate (void* pvDecoded, int cbDecoded)
- {
- Debug.Assert(cbDecoded >= sizeof(CERT_BASIC_CONSTRAINTS2_INFO));
- CERT_BASIC_CONSTRAINTS2_INFO* pBasicConstraints2 = (CERT_BASIC_CONSTRAINTS2_INFO*)pvDecoded;
- return (pBasicConstraints2->fCA != 0,
- pBasicConstraints2->fPathLenConstraint != 0,
- pBasicConstraints2->dwPathLenConstraint);
- });
- }
- }
- }
-}
diff --git a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Pal.iOS.cs b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Pal.iOS.cs
index 76ac0eaec42099..4b2a317f08c7e5 100644
--- a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Pal.iOS.cs
+++ b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Pal.iOS.cs
@@ -13,7 +13,7 @@ private static partial IX509Pal BuildSingleton()
return new AppleX509Pal();
}
- private sealed partial class AppleX509Pal : ManagedX509ExtensionProcessor, IX509Pal
+ private sealed partial class AppleX509Pal : IX509Pal
{
public AsymmetricAlgorithm DecodePublicKey(Oid oid, byte[] encodedKeyValue, byte[] encodedParameters,
ICertificatePal? certificatePal)
diff --git a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Pal.macOS.cs b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Pal.macOS.cs
index c154551bcde3eb..78d28c984c99fa 100644
--- a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Pal.macOS.cs
+++ b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Pal.macOS.cs
@@ -17,7 +17,7 @@ private static partial IX509Pal BuildSingleton()
return new AppleX509Pal();
}
- private sealed partial class AppleX509Pal : ManagedX509ExtensionProcessor, IX509Pal
+ private sealed partial class AppleX509Pal : IX509Pal
{
public AsymmetricAlgorithm DecodePublicKey(Oid oid, byte[] encodedKeyValue, byte[] encodedParameters,
ICertificatePal? certificatePal)
diff --git a/src/native/libs/System.Security.Cryptography.Native/entrypoints.c b/src/native/libs/System.Security.Cryptography.Native/entrypoints.c
index d41e1944250f29..329d0932ecf72e 100644
--- a/src/native/libs/System.Security.Cryptography.Native/entrypoints.c
+++ b/src/native/libs/System.Security.Cryptography.Native/entrypoints.c
@@ -57,7 +57,6 @@ static const Entry s_cryptoNative[] =
DllImportEntry(CryptoNative_DecodePkcs8PrivateKey)
DllImportEntry(CryptoNative_DecodeSubjectPublicKeyInfo)
DllImportEntry(CryptoNative_DecodeX509)
- DllImportEntry(CryptoNative_DecodeX509BasicConstraints2Extension)
DllImportEntry(CryptoNative_DecodeX509Crl)
DllImportEntry(CryptoNative_DsaDestroy)
DllImportEntry(CryptoNative_DsaGenerateKey)
diff --git a/src/native/libs/System.Security.Cryptography.Native/opensslshim.h b/src/native/libs/System.Security.Cryptography.Native/opensslshim.h
index 4c6b176f1de74c..b5b9de23928630 100644
--- a/src/native/libs/System.Security.Cryptography.Native/opensslshim.h
+++ b/src/native/libs/System.Security.Cryptography.Native/opensslshim.h
@@ -259,7 +259,6 @@ extern bool g_libSslUses32BitTime;
REQUIRED_FUNCTION(ASN1_TIME_set) \
FALLBACK_FUNCTION(ASN1_TIME_to_tm) \
REQUIRED_FUNCTION(ASN1_TIME_free) \
- REQUIRED_FUNCTION(BASIC_CONSTRAINTS_free) \
REQUIRED_FUNCTION(BIO_ctrl) \
REQUIRED_FUNCTION(BIO_ctrl_pending) \
REQUIRED_FUNCTION(BIO_free) \
@@ -298,7 +297,6 @@ extern bool g_libSslUses32BitTime;
REQUIRED_FUNCTION(CRYPTO_malloc) \
LEGACY_FUNCTION(CRYPTO_num_locks) \
LEGACY_FUNCTION(CRYPTO_set_locking_callback) \
- REQUIRED_FUNCTION(d2i_BASIC_CONSTRAINTS) \
REQUIRED_FUNCTION(d2i_OCSP_RESPONSE) \
REQUIRED_FUNCTION(d2i_PKCS12_fp) \
REQUIRED_FUNCTION(d2i_PKCS7) \
@@ -807,7 +805,6 @@ extern TYPEOF(OPENSSL_gmtime)* OPENSSL_gmtime_ptr;
#define ASN1_TIME_new ASN1_TIME_new_ptr
#define ASN1_TIME_set ASN1_TIME_set_ptr
#define ASN1_TIME_to_tm ASN1_TIME_to_tm_ptr
-#define BASIC_CONSTRAINTS_free BASIC_CONSTRAINTS_free_ptr
#define BIO_ctrl BIO_ctrl_ptr
#define BIO_ctrl_pending BIO_ctrl_pending_ptr
#define BIO_free BIO_free_ptr
@@ -846,7 +843,6 @@ extern TYPEOF(OPENSSL_gmtime)* OPENSSL_gmtime_ptr;
#define CRYPTO_malloc CRYPTO_malloc_ptr
#define CRYPTO_num_locks CRYPTO_num_locks_ptr
#define CRYPTO_set_locking_callback CRYPTO_set_locking_callback_ptr
-#define d2i_BASIC_CONSTRAINTS d2i_BASIC_CONSTRAINTS_ptr
#define d2i_OCSP_RESPONSE d2i_OCSP_RESPONSE_ptr
#define d2i_PKCS12_fp d2i_PKCS12_fp_ptr
#define d2i_PKCS7 d2i_PKCS7_ptr
diff --git a/src/native/libs/System.Security.Cryptography.Native/pal_x509ext.c b/src/native/libs/System.Security.Cryptography.Native/pal_x509ext.c
index fc9d8818f5d0d1..d05e3c866a30a1 100644
--- a/src/native/libs/System.Security.Cryptography.Native/pal_x509ext.c
+++ b/src/native/libs/System.Security.Cryptography.Native/pal_x509ext.c
@@ -26,48 +26,3 @@ int32_t CryptoNative_X509V3ExtPrint(BIO* out, X509_EXTENSION* ext)
ERR_clear_error();
return X509V3_EXT_print(out, ext, X509V3_EXT_DEFAULT, /*indent*/ 0);
}
-
-int32_t CryptoNative_DecodeX509BasicConstraints2Extension(const uint8_t* encoded,
- int32_t encodedLength,
- int32_t* certificateAuthority,
- int32_t* hasPathLengthConstraint,
- int32_t* pathLengthConstraint)
-{
- if (!certificateAuthority || !hasPathLengthConstraint || !pathLengthConstraint)
- {
- return false;
- }
-
- *certificateAuthority = false;
- *hasPathLengthConstraint = false;
- *pathLengthConstraint = 0;
- int32_t result = false;
-
- ERR_clear_error();
-
- BASIC_CONSTRAINTS* constraints = d2i_BASIC_CONSTRAINTS(NULL, &encoded, encodedLength);
- if (constraints)
- {
- *certificateAuthority = constraints->ca != 0;
-
- if (constraints->pathlen != NULL)
- {
- *hasPathLengthConstraint = true;
- long pathLength = ASN1_INTEGER_get(constraints->pathlen);
-
- // pathLengthConstraint needs to be in the Int32 range
- assert(pathLength <= INT32_MAX);
- *pathLengthConstraint = (int32_t)pathLength;
- }
- else
- {
- *hasPathLengthConstraint = false;
- *pathLengthConstraint = 0;
- }
-
- BASIC_CONSTRAINTS_free(constraints);
- result = true;
- }
-
- return result;
-}
diff --git a/src/native/libs/System.Security.Cryptography.Native/pal_x509ext.h b/src/native/libs/System.Security.Cryptography.Native/pal_x509ext.h
index 0da81f9d124cd3..0b686ab01439f8 100644
--- a/src/native/libs/System.Security.Cryptography.Native/pal_x509ext.h
+++ b/src/native/libs/System.Security.Cryptography.Native/pal_x509ext.h
@@ -32,18 +32,3 @@ Shims the X509V3_EXT_print method.
Returns 1 on success, otherwise 0 if there was an error.
*/
PALEXPORT int32_t CryptoNative_X509V3ExtPrint(BIO* out, X509_EXTENSION* ext);
-
-/*
-Decodes the X509 BASIC_CONSTRAINTS information and fills the out variables:
-1. bool certificateAuthority
-2. bool hasPathLengthConstraint
-3. int32_t pathLengthConstraint
-
-Returns 1 if the BASIC_CONSTRAINTS information was successfully decoded,
-otherwise 0.
-*/
-PALEXPORT int32_t CryptoNative_DecodeX509BasicConstraints2Extension(const uint8_t* encoded,
- int32_t encodedLength,
- int32_t* certificateAuthority,
- int32_t* hasPathLengthConstraint,
- int32_t* pathLengthConstraint);