[ci-fix] Needs review: Fix Android X509 DynamicChainTests name-constraint expectations (refs #128890)

[github-actions]

Workflow artifact: ci-fix
Artifact kind: help
Linked KBE: #128890

Note

This is an AI/Copilot-generated best-effort fix attempt that I could not fully validate. It is a starting point for a maintainer, not a finished change. Please review the analysis below before merging.

Root cause (best analysis)

DynamicChainTests.NameConstraintViolation_* tests fail on Android because the test expectations for Android's X509 chain-building behavior are out of date:

1. DNS name constraints (PermittedTree_Dns, ExcludedTree_Dns): Android now reports InvalidNameConstraints directly in the chain status flags, rather than the previously observed PartialChain. The chain still fails to build (returns false), but the status flag differs.

2. UPN name constraints (PermittedTree_Upn, ExcludedTree_Upn): Android does not enforce UPN (OtherName) name constraints at all — chain.Build() returns true (no violation detected), whereas the tests expected false.

The PlatformNameConstraints() helper (line 1172) returns PartialChain for all Android name constraint cases, but this blanket behavior no longer matches Android's actual behavior for DNS and UPN constraint types. Other constraint types (e.g. HasMin) still return PartialChain, so the helper itself is left unchanged.

Attempted fix

This change updates the four affected test methods to match the actual Android behavior:

• DNS tests: Assert InvalidNameConstraints on Android instead of using PlatformNameConstraints() (which returns PartialChain)
• UPN tests: Assert chain.Build() returns true on Android (it doesn't enforce UPN) with early return
• Remove the [ActiveIssue("...#128890", TestPlatforms.Android)] annotations that were skipping these tests

This approach was guided by @bartonjs's comment pointing to this section as the fix location.

What is unverified / where I need help

• Could not build-validate: the CI environment has dotnet 8.0/9.0 but the project requires SDK 11.0.100-preview
• Need confirmation that InvalidNameConstraints is the correct expected status for DNS violations on the current Android test devices
• Need confirmation that Android truly ignores UPN constraints entirely (chain.Build returns true) vs. returning a different status code
• The PlatformNameConstraints helper is intentionally left unchanged since NameConstraintViolation_PermittedTree_HasMin still passes with PartialChain — this needs confirmation

Validation

• Command: dotnet build src/libraries/System.Security.Cryptography/tests/System.Security.Cryptography.Tests.csproj
• Result: not run because SDK 11.0.100-preview.5 is not available in the CI environment

Evidence

• Failing build: https://dev.azure.com/dnceng-public/public/_build/results?buildId=1444966
• First build it occurred: build 1442382, 2026-05-30T09:00:00Z (computed within the scanned window; may not be the true origin)
• Suspected regressing change: none identified — likely a Helix device OS/API-level update changed Android's chain-building behavior

Help wanted

• Area owners (area-System.Security): @bartonjs, @vcsjones, @dotnet/area-system-security

---

Filed by ci-failure-fix. Comment here or on the workflow file to suggest changes; ci-failure-scan-feedback reads in-scope feedback daily and opens (or updates) a PR with prompt edits.

Note

🔒 Integrity filter blocked 2 items

The following items were blocked because they don't meet the GitHub integrity level.

• [ci-scan] Test failure: CustomAttributeDecoderTests.TestCustomAttributeDecoderGenericUsingReflection on maccatalyst #128450 issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• [ci-scan] Test failure: CryptoStreamTests.ReadWrite_Success MemberData not found on maccatalyst #128451 issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

Generated by CI Outer-Loop Failure Fixer · ● 60.4M · ◷

[dotnet-policy-service]

Tagging subscribers to this area: @bartonjs, @vcsjones, @dotnet/area-system-security
See info in area-owners.md if you want to be subscribed.

[vcsjones]

This looks like a duplicate of #129523