Import PEM keys

[vcsjones]

Closes #31201

[Dotnet-GitSync-Bot]

Note regarding the new-api-needs-documentation label:

This serves as a reminder for when your PR is modifying a ref *.cs file and adding/modifying public APIs, to please make sure the API implementation in the src *.cs file is documented with triple slash comments, so the PR reviewers can sign off that change.

[vcsjones]

@bartonjs this is ready for review when ever you have time to spare.

[bartonjs]

In bizarro-world, where TryFromBase64Chars reports a different answer in a release build, let's use the answer it gave.

Suggested change

	Span<byte> decodedBase64 = decodeBuffer.AsSpan(0, base64size);
	Span<byte> decodedBase64 = decodeBuffer.AsSpan(0, bytesWritten);

[bartonjs]

I don't know if we need a PemHeaders constants class; but at least using a const string in this class would be better than repeating the literal across methods.

[bartonjs]

I assume that you've made a conscious choice to say it's OK to ignore trailing bytes here, since there's no check that the import action reports bytesRead == base64Size.

I can accept that... but a comment saying so would be nice. (Reasonable justification includes that the key has already been modified, so throwing and not have the same object modification effect)

[bartonjs]

Please use the braced using statement anywhere a using statement is used.

[bartonjs]

I don't see a test that says what happens to this input when sent to the encrypted PEM import. (Either success, or still throwing). (Perhaps I'm just bad at searching/remembering)

[bartonjs]

Some user friendliness enhancement suggestions:

Suggested change

	<data name="Argument_PemImport_NoPemFound" xml:space="preserve">
	<value>A supported key was not found.</value>
	</data>
	<data name="Argument_PemImport_AmbiguousPem" xml:space="preserve">
	<value>Multiple supported keys were found.</value>
	</data>
	<data name="Argument_PemImport_EncryptedPem" xml:space="preserve">
	<value>An encrypted key was found, but attempted to import it without a password.</value>
	</data>
	<data name="Argument_PemImport_NoPemFound" xml:space="preserve">
	<value>No supported key formats were found. Check that the input represents the contents of a PEM-encoded key file, not the path to such a file.</value>
	</data>
	<data name="Argument_PemImport_AmbiguousPem" xml:space="preserve">
	<value>The input contains multiple keys, but only one key can be imported.</value>
	</data>
	<data name="Argument_PemImport_EncryptedPem" xml:space="preserve">
	<value>An encrypted key was found, but no password was provided. Use ImportFromEncryptedPem to import this key.</value>
	</data>

[bartonjs]

I believe once one para is being used everything needs to be para-ified.

<exception cref="ArgumentException">
  <para><paramref name="input"/> does not contain a PEM-encoded key with a recognized label.</para>
  <para>-or</para>
  ...
</exception>

[bartonjs]

Suggested change

	/// are found, an exception is raised to prevent importing a key when
	/// are found, an exception is thrown to prevent importing a key when

[vcsjones]

It seems it is going to take a while longer for Ruby part of my career path to wear off.

[bartonjs]

I think that this method only supports the PEM encoded version of EncryptedPrivateKeyInfo 😄.

[vcsjones]

🤦‍♂

[vcsjones]

Oh, I recall what I was trying to communicate - it just came out poorly. I was trying to say that the base-64 contents, when decoded, must be a BER, DER, CER {Encrypted}PrivateKeyInfo.

[bartonjs]

Since these literals are spread out across multiple files, I think we should go ahead and create a PemConstants/PemHeaders/PemLabels constants file.

[vcsjones]

@bartonjs I think this addresses all of your feedback. The mono/linux/X509Certificates failure is unrelated.