Fix X509 test failures on Android

[jkoritzinsky]

Disable tests on Android that use unsupported features (Brainpool curve, PSS padding in cert signatures).

Disable outerloop test that checks against a validation status that is unsupported on Android.

Handle JNI thread shutdown (Android API Level 21 is more strict about this than API Level 29).

Fix some memory leaks.

Disable tests that depend on OCSP when on older Android versions.

Older versions of Android can include the same cert in the cert collection twice if it is also the trusted root. Handle this case and don't return the cert twice.

Fixes #50565

[ghost]

Tagging subscribers to this area: @bartonjs, @vcsjones, @krwq, @GrabYourPitchforks
See info in area-owners.md if you want to be subscribed.

Issue Details

---

Disable tests on Android that use unsupported features (Brainpool curve, PSS padding in cert signatures).

Disable outerloop test that checks against a validation status that is unsupported on Android.

Handle JNI thread shutdown (Android API Level 21 is more strict about this than API Level 29).

Fix some memory leaks.

Disable tests that depend on OCSP when on older Android versions.

Older versions of Android can include the same cert in the cert collection twice if it is also the trusted root. Handle this case and don't return the cert twice.

Author:	jkoritzinsky
Assignees:	-
Labels:	area-System.Security, os-android
Milestone:	-

[bartonjs]

Let's reuse existing groups when possible.

[elinor-fung]

CI wasm failure is happening because of the added [ConditionalClass(typeof(DynamicRevocationTests), nameof(SupportsDynamicRevocation))] attribute. During test discovery, this results in DynamicRevocationTests being loaded and its static fields being initialized. This fails because using Oid from System.Security.Cryptography.Encoding is throwing PNSE on browser.

runtime/src/libraries/System.Security.Cryptography.X509Certificates/tests/RevocationTests/DynamicRevocationTests.cs

Line 18 in 6617892

private static readonly Oid s_tlsServerOid = new Oid("1.3.6.1.5.5.7.3.1", null);

This entire test assembly is actually disabled / marked as failing on browser:

runtime/src/libraries/System.Security.Cryptography.X509Certificates/tests/AssemblyInfo.cs

Line 7 in 6617892

[assembly: ActiveIssue("https://github.com/dotnet/runtime/issues/37669", TestPlatforms.Browser)]

But the test discovery still goes through every test method and tries to determine the traits for each method. We could rework this so that it continues avoiding using any types that will hit PNSE on browser during test discovery, but it seems weird/wasteful that we're making our test runs go through bundling, sending off to helix, test discovery, and result reporting when we know the entire suite (and many of its dependencies) are not currently supported.

@steveisok / @lewing is there a reason we want to have this suite disabled on browser through the ActiveIssue attribute instead of adding it to ProjectExclusions?

[steveisok]

@elinor-fung There was probably a point in time where we thought labeling ActiveIssue at the assembly level was the way to skip whole suites. I think it makes sense to add to <ProjectExclusions> instead.

[bartonjs]

PublicKeyTests.SupportsBrainpool shouldn't be needed.

[bartonjs]

Thanks for humoring me.

[ghost]

Hello @jkoritzinsky!

Because this pull request has the auto-merge label, I will be glad to assist with helping to merge this pull request once all check-in policies pass.

p.s. you can customize the way I help with merging this pull request, such as holding this pull request until a specific person approves. Simply @mention me (@msftbot) and give me an instruction to get started! Learn more here.