Can we can't get to the final version of the package for the .NET 9 release? Will timings work out?

If not, is it ok to ship a preview package?

@joperezr @davidfowl any concerns here?

There are some concerns, but perhaps not really ship-blockers. Starting from RC2, all of the packages from dotnet/runtime will only flow internally, and so far we are mostly just building externally. Our two options would be either ship depending on RC2 build (which while not ideal wouldn't have a big impact since the dashboard ships as a published app with no package references, and hence it can be stable still), or building internally so that we get the final 9.0 version that will get shipped. cc: @bartonjs

"99%" of the reason to use the new X509CertificateLoader over the old constructors is to not load a PKCS#12/PFX when you weren't expecting to. Since you were expecting to load a PFX, and you're loading from a local file, it's not the end of the world if you continue calling the legacy constructor. (And since you're only loading it once you don't care about "we made parallel-loading the same PFX better" feature, etc.)

So, while it is forward looking to get off of this ctor and on to the new loader model, it's not "important" right now.

Technically speaking, you have a functionality regression here. The old code would load any of

• A single certificate
  • Which is 99% useless, but SslStream has a feature where it looks in the cert stores to see if maybe you happened to have specified a certificate that you already know about and have a private key for... (which might only be on Windows?)
• A PKCS#7 SignedCms file.
  • Where it loads the certificate used by the first signer, or fails if it can't find one (or there is no first signer).
  • And then is the same as the "plain certificate" case.
• A Windows SerializedCert blob (Windows only)
  • This "might" have an associated private key, just by virtue of it might have written down "and my private key is named {whatever}" AND that key happens to be available on this machine/user-context.
  • Otherwise it's just a "plain certificate"
  • But basically no one uses this format.
• An Authenticode-signed file (exe, dll, msu, cab, etc). (Windows-only)
  • It extracts the certificate of the first signer.
  • Sounds a bit like SignedCms, eh? Oh, wait, Authenticode uses SignedCms. Less coincidence, more "same code".
• A PKCS#12/PFX file
  • Probably has a certificate in it with a private key, but, might not.

The new code will throw if it encounters any of those three middle formats, because the new loader is "one method (group), one file format". The middle ones don't really make sense in context for you, so they're not really important... but this is, technically, marginally, a breaking change.

https://github.com/dotnet/core/blob/main/release-notes/9.0/preview/preview7/libraries.md#changes-to-x509-certificate-loading shows an equivalent to what new X509Certificate2(bytesOrPath, password, flags) does.

You should be able to keep working in terms of the path, and not need to use ReadAllBytes.

GetCertContentType accepts path-or-bytes, but the cert load functions you need the "FromFile" variants.

The FromFile variants do things smarter than File.ReadAllBytes; but since it's a one-time/startup cost it probably doesn't matter for you.

It's a little weird to me that you're testing with DSA, since that algorithm itself is now entirely obsolete. (FIPS 186-5 withdrew it, so it's not just "the least popular", it's "RIP")