NCBC-4120: Prevent Capella CA certificate disposal on .NET 10

Motivation
----------
SSL certificate validation callbacks in .NET 10 gained an extra dispose
operation on some X509Chain certificates. This is causing the shared
copy of the certificate to be disposed, which in turn causes subsequent
operations to fail with NREs during certificate validation.

Modifications
-------------
- Remove the Capella CA certificate from the ExtraStore before the
  callback completes
- Use a UTF-8 encoded constant that reads directly from embedded storage
  in the binary for the certificate, avoiding some minor additional
  memory allocations and transcoding during startup

Change-Id: Id4c9cadcb77e6996b4d6791112c9abb440080d62
Reviewed-on: https://review.couchbase.org/c/couchbase-net-client/+/238451
Reviewed-by: Jeffry Morris <jeffrymorris@gmail.com>
Tested-by: Build Bot <build@couchbase.com>

Author: brantburnett

src/Couchbase/Core/IO/Authentication/X509/CertificateFactory.cs

@@ -2,7 +2,6 @@
 using System.Collections.Generic;
 using System.Linq;
 using System.Net.Security;
-using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
 using Couchbase.Core.Compatibility;
 using Couchbase.Core.Logging;
@@ -57,26 +56,28 @@ public static ICertificateFactory GetCertificatesFromStore(CertificateStoreSearc
         /// <remarks>
         /// This in-memory certificate does not work on .NET Framework (legacy) clients.
         /// </remarks>
-        internal const string CapellaCaCertPem =
-@"-----BEGIN CERTIFICATE-----
-MIIDFTCCAf2gAwIBAgIRANLVkgOvtaXiQJi0V6qeNtswDQYJKoZIhvcNAQELBQAw
-JDESMBAGA1UECgwJQ291Y2hiYXNlMQ4wDAYDVQQLDAVDbG91ZDAeFw0xOTEyMDYy
-MjEyNTlaFw0yOTEyMDYyMzEyNTlaMCQxEjAQBgNVBAoMCUNvdWNoYmFzZTEOMAwG
-A1UECwwFQ2xvdWQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCfvOIi
-enG4Dp+hJu9asdxEMRmH70hDyMXv5ZjBhbo39a42QwR59y/rC/sahLLQuNwqif85
-Fod1DkqgO6Ng3vecSAwyYVkj5NKdycQu5tzsZkghlpSDAyI0xlIPSQjoORA/pCOU
-WOpymA9dOjC1bo6rDyw0yWP2nFAI/KA4Z806XeqLREuB7292UnSsgFs4/5lqeil6
-rL3ooAw/i0uxr/TQSaxi1l8t4iMt4/gU+W52+8Yol0JbXBTFX6itg62ppb/Eugmn
-mQRMgL67ccZs7cJ9/A0wlXencX2ohZQOR3mtknfol3FH4+glQFn27Q4xBCzVkY9j
-KQ20T1LgmGSngBInAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYE
-FJQOBPvrkU2In1Sjoxt97Xy8+cKNMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0B
-AQsFAAOCAQEARgM6XwcXPLSpFdSf0w8PtpNGehmdWijPM3wHb7WZiS47iNen3oq8
-m2mm6V3Z57wbboPpfI+VEzbhiDcFfVnK1CXMC0tkF3fnOG1BDDvwt4jU95vBiNjY
-xdzlTP/Z+qr0cnVbGBSZ+fbXstSiRaaAVcqQyv3BRvBadKBkCyPwo+7svQnScQ5P
-Js7HEHKVms5tZTgKIw1fbmgR2XHleah1AcANB+MAPBCcTgqurqr5G7W2aPSBLLGA
-fRIiVzm7VFLc7kWbp7ENH39HVG6TZzKnfl9zJYeiklo5vQQhGSMhzBsO70z4RRzi
-DPFAN/4qZAgD5q3AFNIq2WWADFQGSwVJhg==
------END CERTIFICATE-----";
+        internal static ReadOnlySpan<byte> CapellaCaCertPem =>
+            """
+            -----BEGIN CERTIFICATE-----
+            MIIDFTCCAf2gAwIBAgIRANLVkgOvtaXiQJi0V6qeNtswDQYJKoZIhvcNAQELBQAw
+            JDESMBAGA1UECgwJQ291Y2hiYXNlMQ4wDAYDVQQLDAVDbG91ZDAeFw0xOTEyMDYy
+            MjEyNTlaFw0yOTEyMDYyMzEyNTlaMCQxEjAQBgNVBAoMCUNvdWNoYmFzZTEOMAwG
+            A1UECwwFQ2xvdWQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCfvOIi
+            enG4Dp+hJu9asdxEMRmH70hDyMXv5ZjBhbo39a42QwR59y/rC/sahLLQuNwqif85
+            Fod1DkqgO6Ng3vecSAwyYVkj5NKdycQu5tzsZkghlpSDAyI0xlIPSQjoORA/pCOU
+            WOpymA9dOjC1bo6rDyw0yWP2nFAI/KA4Z806XeqLREuB7292UnSsgFs4/5lqeil6
+            rL3ooAw/i0uxr/TQSaxi1l8t4iMt4/gU+W52+8Yol0JbXBTFX6itg62ppb/Eugmn
+            mQRMgL67ccZs7cJ9/A0wlXencX2ohZQOR3mtknfol3FH4+glQFn27Q4xBCzVkY9j
+            KQ20T1LgmGSngBInAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYE
+            FJQOBPvrkU2In1Sjoxt97Xy8+cKNMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0B
+            AQsFAAOCAQEARgM6XwcXPLSpFdSf0w8PtpNGehmdWijPM3wHb7WZiS47iNen3oq8
+            m2mm6V3Z57wbboPpfI+VEzbhiDcFfVnK1CXMC0tkF3fnOG1BDDvwt4jU95vBiNjY
+            xdzlTP/Z+qr0cnVbGBSZ+fbXstSiRaaAVcqQyv3BRvBadKBkCyPwo+7svQnScQ5P
+            Js7HEHKVms5tZTgKIw1fbmgR2XHleah1AcANB+MAPBCcTgqurqr5G7W2aPSBLLGA
+            fRIiVzm7VFLc7kWbp7ENH39HVG6TZzKnfl9zJYeiklo5vQQhGSMhzBsO70z4RRzi
+            DPFAN/4qZAgD5q3AFNIq2WWADFQGSwVJhg==
+            -----END CERTIFICATE-----
+            """u8;
 
         /// <summary>
         /// The certificate to use by default for connecting to *.cloud.couchbase.com.
@@ -87,12 +88,11 @@ public static ICertificateFactory GetCertificatesFromStore(CertificateStoreSearc
         [InterfaceStability(Level.Volatile)]
         #if NETSTANDARD2_0 || NETSTANDARD2_1 || NET8_0
          internal static readonly X509Certificate2 CapellaCaCert = new X509Certificate2(
-              rawData: System.Text.Encoding.ASCII.GetBytes(CapellaCaCertPem),
+              rawData: CapellaCaCertPem.ToArray(),
               password: (string?)null);
         #else
         internal static X509Certificate2 CapellaCaCert =
-            X509CertificateLoader.LoadCertificate(
-                System.Text.Encoding.ASCII.GetBytes(CapellaCaCertPem));
+            X509CertificateLoader.LoadCertificate(CapellaCaCertPem);
         #endif
 
         /// <summary>
@@ -136,15 +136,27 @@ internal static RemoteCertificateValidationCallback GetValidatorWithPredefinedCe
                 {
                     // first attempt - validation from system trust store plus whatever certs have been provided
                     // user supplied or Capella. If self-signed, will not be sufficient and need to be CustomTrustStore
-                    foreach (var defaultCert in certs)
+
+                    bool built;
+                    try
                     {
-                        MaybeLogCert("X509 adding from certs to ExtraStore", defaultCert, logger);
-                        chain.ChainPolicy.ExtraStore.Add(defaultCert);
-                    }
+                        foreach (var defaultCert in certs)
+                        {
+                            MaybeLogCert("X509 adding from certs to ExtraStore", defaultCert, logger);
+                            chain.ChainPolicy.ExtraStore.Add(new X509Certificate2(defaultCert));
+                        }
 
-                    MaybeLogChainElements("X509 chain element cert is", chain, logger);
+                        MaybeLogChainElements("X509 chain element cert is", chain, logger);
+
+                        built = chain.Build(cert2);
+                    }
+                    finally
+                    {
+                        // Remove the extra certs so they aren't disposed during .NET cleanup after
+                        // the callback completes.
+                        chain.ChainPolicy.ExtraStore.Clear();
+                    }
 
-                    var built = chain.Build(cert2);
                     if (!built &&
                         (chain.ChainStatus.First().Status ==
                          X509ChainStatusFlags.UntrustedRoot /* probably Capella self-signed KV */ ||