Fix X.509 tests on macOS 26 beta 6

Apple made a few changes to their trust stores in macOS 26 beta 6.

The first, BuildChainForCertificateSignedWithDisallowedKey is they no longer have a list of disallowed keys. Prior to macOS 26, Apple kept a list of blocked keys at /System/Library/Security/Certificates.bundle/Contents/Resources/Blocked.plist. These values in the plist were SHA-1 subjectKeyIdentifiers. This list is no longer present on macOS 26. This seems largely sensible - all of those certificates that had those subject key identifiers are distrusted by other means, such as expiration or simply no longer being present in the root store.

The second, SystemTrustCertificateWithCustomRootTrust, is failing because Apple yanked an expired root from their trust store. So it's going in to the same logical path as OpenSSL is now.

Author: vcsjones

src/libraries/Common/tests/TestUtilities/System/PlatformDetection.Unix.cs

@@ -44,6 +44,7 @@ public static partial class PlatformDetection
         public static bool IsNotMacOsAppleSilicon => !IsMacOsAppleSilicon;
         public static bool IsAppSandbox => Environment.GetEnvironmentVariable("APP_SANDBOX_CONTAINER_ID") != null;
         public static bool IsNotAppSandbox => !IsAppSandbox;
+        public static bool IsApplePlatform26OrLater => IsApplePlatform && Environment.OSVersion.Version.Major >= 26;
 
         public static Version OpenSslVersion => !IsApplePlatform && !IsWindows && !IsAndroid ?
             GetOpenSslVersion() :

src/libraries/System.Security.Cryptography/tests/X509Certificates/ChainTests.cs

@@ -288,13 +288,13 @@ public static void SystemTrustCertificateWithCustomRootTrust(bool addCertificate
 
                     // Check some known conditions.
 
-                    if (PlatformDetection.UsesAppleCrypto)
+                    if (OperatingSystem.IsLinux() || PlatformDetection.IsApplePlatform26OrLater)
                     {
-                        Assert.Equal(3, chain.ChainElements.Count);
+                        Assert.Equal(2, chain.ChainElements.Count);
                     }
-                    else if (OperatingSystem.IsLinux())
+                    else if (PlatformDetection.IsApplePlatform)
                     {
-                        Assert.Equal(2, chain.ChainElements.Count);
+                        Assert.Equal(3, chain.ChainElements.Count);
                     }
                 }
             }
@@ -1112,7 +1112,6 @@ public static void BuildChainForFraudulentCertificate()
         }
 
         [Fact]
-        [SkipOnPlatform(TestPlatforms.Linux, "Not supported on Linux.")]
         public static void BuildChainForCertificateSignedWithDisallowedKey()
         {
             // The intermediate certificate is from the now defunct CA DigiNotar.
@@ -1178,12 +1177,13 @@ public static void BuildChainForCertificateSignedWithDisallowedKey()
                 chain.ChainPolicy.ExtraStore.Add(intermediateCert);
                 Assert.False(chain.Build(cert));
 
-                if (PlatformDetection.IsAndroid)
+                if (PlatformDetection.IsAndroid || PlatformDetection.IsApplePlatform26OrLater || PlatformDetection.IsLinux)
                 {
                     // Android always validates trust as part of building a path,
                     // so violations comes back as PartialChain with no elements
+                    // Apple 26 no longer block these SKIs since the roots are no longer trusted at all and are expired.
+                    // Linux has no concept of a blocked key list, they just remove certificates from a trust store.
                     Assert.Equal(X509ChainStatusFlags.PartialChain, chain.AllStatusFlags());
-                    Assert.Equal(0, chain.ChainElements.Count);
                 }
                 else
                 {