Introduce a new .NET 9.0 TFM and use the new X509CertificateLoader API

1 year ago · ef2e02ee23
19 changed files with 243 additions and 100 deletions
--- a/Directory.Build.props
+++ b/Directory.Build.props
@ -107,27 +107,32 @@

    <NetCoreTargetFrameworks Condition=" '$(NetCoreTargetFrameworks)' == '' ">
      net6.0;
-      net8.0
+      net8.0;
+      net9.0
    </NetCoreTargetFrameworks>

    <NetCoreAndroidTargetFrameworks
      Condition=" '$(NetCoreAndroidTargetFrameworks)' == '' And '$(SupportsAndroidTargeting)' == 'true' ">
-      net8.0-android34.0
+      net8.0-android34.0;
+      net9.0-android35.0
    </NetCoreAndroidTargetFrameworks>

    <NetCoreIOSTargetFrameworks
      Condition=" '$(NetCoreIOSTargetFrameworks)' == '' And '$(SupportsIOSTargeting)' == 'true' ">
-      net8.0-ios17.5
+      net8.0-ios17.5;
+      net9.0-ios17.5
    </NetCoreIOSTargetFrameworks>

    <NetCoreMacCatalystTargetFrameworks
      Condition=" '$(NetCoreMacCatalystTargetFrameworks)' == '' And '$(SupportsMacCatalystTargeting)' == 'true' ">
-      net8.0-maccatalyst17.5
+      net8.0-maccatalyst17.5;
+      net9.0-maccatalyst17.5
    </NetCoreMacCatalystTargetFrameworks>

    <NetCoreMacOSTargetFrameworks
      Condition=" '$(NetCoreMacOSTargetFrameworks)' == '' And '$(SupportsMacOSTargeting)' == 'true' ">
-      net8.0-macos14.5
+      net8.0-macos14.5;
+      net9.0-macos14.5
    </NetCoreMacOSTargetFrameworks>

    <NetCoreWindowsTargetFrameworks
@ -135,7 +140,9 @@
      net6.0-windows7.0;
      net6.0-windows10.0.17763;
      net8.0-windows7.0;
-      net8.0-windows10.0.17763
+      net8.0-windows10.0.17763;
+      net9.0-windows7.0;
+      net9.0-windows10.0.17763
    </NetCoreWindowsTargetFrameworks>

    <NetStandardTargetFrameworks Condition=" '$(NetStandardTargetFrameworks)' == '' ">
--- a/Directory.Build.targets
+++ b/Directory.Build.targets
@ -150,6 +150,11 @@
    <DefineConstants>$(DefineConstants);SUPPORTS_TIME_PROVIDER</DefineConstants>
  </PropertyGroup>

+  <PropertyGroup
+    Condition=" ('$(TargetFrameworkIdentifier)' == '.NETCoreApp' And $([MSBuild]::VersionGreaterThanOrEquals($(TargetFrameworkVersion), '9.0'))) ">
+    <DefineConstants>$(DefineConstants);SUPPORTS_CERTIFICATE_LOADER</DefineConstants>
+  </PropertyGroup>
+
  <PropertyGroup
    Condition=" ('$(TargetFrameworkIdentifier)' == '.NETCoreApp' And $([MSBuild]::VersionGreaterThanOrEquals($(TargetFrameworkVersion), '5.0')) And
                 '$(TargetPlatformIdentifier)'  == 'Android'     And '$(TargetPlatformVersion)' != '' And
--- a/Directory.Packages.props
+++ b/Directory.Packages.props
@ -304,26 +304,74 @@
    <PackageVersion Include="Moq"                                                             Version="4.18.4"          />
    <PackageVersion Include="System.Linq.Async"                                               Version="6.0.1"           />

+    <!--
+      Note: OpenIddict uses PolySharp to dynamically generate polyfills for types that are not available on
+      some of the targeted TFMs (e.g Index, Range or nullable attributes on .NET Framework/.NET Standard).
+    -->
+    <GlobalPackageReference Include="PolySharp" Condition=" '$(DisablePolySharp)' != 'true' " Version="1.13.1"          />
+  </ItemGroup>
+
+  <!--
+                                          ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
+                                          █████ ▀██ ██ ▄▄▄█▄▄ ▄▄███▀▄▄▀████ ▄▄ ██
+                                          █▀▀██ █ █ ██ ▄▄▄███ █████▄▀▀ █▀▀█ ▀▄ ██
+                                          █▄▄██ ██▄ ██ ▀▀▀███ ██████▀▀▄█▄▄█ ▀▀ ██
+                                          ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
+  -->
+
+  <ItemGroup Label="Package versions for .NET 9.0"
+    Condition=" '$(TargetFrameworkIdentifier)' == '.NETCoreApp' And $([MSBuild]::VersionEquals($(TargetFrameworkVersion), '9.0')) ">
+    <PackageVersion Include="EntityFramework"                                                 Version="6.5.1"                   />
+    <PackageVersion Include="Microsoft.EntityFrameworkCore.Relational"                        Version="9.0.0-rc.1.24451.1"      />
+    <PackageVersion Include="Microsoft.Extensions.Caching.Abstractions"                       Version="9.0.0-rc.1.24431.7"      />
+    <PackageVersion Include="Microsoft.Extensions.Caching.Memory"                             Version="9.0.0-rc.1.24431.7"      />
+    <PackageVersion Include="Microsoft.Extensions.DependencyInjection.Abstractions"           Version="9.0.0-rc.1.24431.7"      />
+    <PackageVersion Include="Microsoft.Extensions.Hosting.Abstractions"                       Version="9.0.0-rc.1.24431.7"      />
+    <PackageVersion Include="Microsoft.Extensions.Http.Polly"                                 Version="9.0.0-rc.1.24452.1"      />
+    <PackageVersion Include="Microsoft.Extensions.Http.Resilience"                            Version="9.0.0-preview.8.24460.1" />
+    <PackageVersion Include="Microsoft.Extensions.Logging"                                    Version="9.0.0-rc.1.24431.7"      />
+    <PackageVersion Include="Microsoft.Extensions.Options"                                    Version="9.0.0-rc.1.24431.7"      />
+    <PackageVersion Include="Microsoft.Extensions.Primitives"                                 Version="9.0.0-rc.1.24431.7"      />
+    <PackageVersion Include="Microsoft.Extensions.WebEncoders"                                Version="9.0.0-rc.1.24452.1"      />
+    <PackageVersion Include="Microsoft.IdentityModel.JsonWebTokens"                           Version="8.0.1"                   />
+    <PackageVersion Include="Microsoft.IdentityModel.Protocols"                               Version="8.0.1"                   />
+    <PackageVersion Include="Microsoft.IdentityModel.Tokens"                                  Version="8.0.1"                   />
+    <PackageVersion Include="Microsoft.Net.Http.Headers"                                      Version="9.0.0-rc.1.24452.1"      />
+    <PackageVersion Include="MongoDB.Bson"                                                    Version="2.20.0"                  />
+    <PackageVersion Include="MongoDB.Driver"                                                  Version="2.20.0"                  />
+    <PackageVersion Include="Quartz.Extensions.DependencyInjection"                           Version="3.5.0"                   />
+    <PackageVersion Include="Xamarin.AndroidX.Browser"                                        Version="1.8.0.4"                 />
+
+    <!--
+      Note: the following references are exclusively used in the test projects:
+    -->
+    <PackageVersion Include="AngleSharp"                                                      Version="0.17.1"                  />
+    <PackageVersion Include="MartinCostello.Logging.XUnit"                                    Version="0.3.0"                   />
+    <PackageVersion Include="Microsoft.AspNetCore.TestHost"                                   Version="9.0.0-rc.1.24452.1"      />
+    <PackageVersion Include="Microsoft.Extensions.DependencyInjection"                        Version="9.0.0-rc.1.24431.7"      />
+    <PackageVersion Include="Moq"                                                             Version="4.18.4"                  />
+    <PackageVersion Include="System.Linq.Async"                                               Version="6.0.1"                   />
+
    <!--
      Note: the following references are exclusively used in the samples:
    -->
-    <PackageVersion Include="Dapplo.Microsoft.Extensions.Hosting.AppServices"                 Version="1.0.14"          />
-    <PackageVersion Include="Dapplo.Microsoft.Extensions.Hosting.WinForms"                    Version="1.0.14"          />
-    <PackageVersion Include="Dapplo.Microsoft.Extensions.Hosting.Wpf"                         Version="1.0.14"          />
-    <PackageVersion Include="Microsoft.AspNetCore.Identity.EntityFrameworkCore"               Version="8.0.7"           />
-    <PackageVersion Include="Microsoft.EntityFrameworkCore.Sqlite"                            Version="8.0.7"           />
-    <PackageVersion Include="Microsoft.Extensions.Hosting"                                    Version="8.0.0"           />
-    <PackageVersion Include="Microsoft.Extensions.Logging.Debug"                              Version="8.0.0"           />
-    <PackageVersion Include="Microsoft.Maui.Controls"                                         Version="8.0.70"          />
-    <PackageVersion Include="Microsoft.Maui.Controls.Compatibility"                           Version="8.0.70"          />
-    <PackageVersion Include="Quartz.Extensions.Hosting"                                       Version="3.5.0"           />
-    <PackageVersion Include="Spectre.Console"                                                 Version="0.48.0"          />
+    <PackageVersion Include="Dapplo.Microsoft.Extensions.Hosting.AppServices"                 Version="1.0.14"                  />
+    <PackageVersion Include="Dapplo.Microsoft.Extensions.Hosting.WinForms"                    Version="1.0.14"                  />
+    <PackageVersion Include="Dapplo.Microsoft.Extensions.Hosting.Wpf"                         Version="1.0.14"                  />
+    <PackageVersion Include="Microsoft.AspNetCore.Identity.EntityFrameworkCore"               Version="9.0.0-rc.1.24452.1"      />
+    <PackageVersion Include="Microsoft.EntityFrameworkCore.Sqlite"                            Version="9.0.0-rc.1.24451.1"      />
+    <PackageVersion Include="Microsoft.Extensions.Hosting"                                    Version="9.0.0-rc.1.24431.7"      />
+    <PackageVersion Include="Microsoft.Extensions.Logging.Debug"                              Version="9.0.0-rc.1.24431.7"      />
+    <PackageVersion Include="Microsoft.Maui.Controls"                                         Version="9.0.0-rc.1.24453.9"      />
+    <PackageVersion Include="Microsoft.Maui.Controls.Compatibility"                           Version="9.0.0-rc.1.24453.9"      />
+    <PackageVersion Include="Quartz.Extensions.Hosting"                                       Version="3.5.0"                   />
+    <PackageVersion Include="Spectre.Console"                                                 Version="0.48.0"                  />

    <!--
      Note: OpenIddict uses PolySharp to dynamically generate polyfills for types that are not available on
      some of the targeted TFMs (e.g Index, Range or nullable attributes on .NET Framework/.NET Standard).
    -->
-    <GlobalPackageReference Include="PolySharp" Condition=" '$(DisablePolySharp)' != 'true' " Version="1.13.1"          />
+    <GlobalPackageReference Include="PolySharp" Condition=" '$(DisablePolySharp)' != 'true' " Version="1.13.1"                  />
  </ItemGroup>

  <!--
--- a/WorkloadRollback.json
+++ b/WorkloadRollback.json
@ -1,15 +1,17 @@
 {
-  "microsoft.net.sdk.android": "34.0.113/8.0.100",
-  "microsoft.net.sdk.ios": "17.5.8020/8.0.100",
-  "microsoft.net.sdk.maccatalyst": "17.5.8020/8.0.100",
-  "microsoft.net.sdk.macos": "14.5.8020/8.0.100",
-  "microsoft.net.sdk.maui": "8.0.72/8.0.100",
-  "microsoft.net.sdk.tvos": "17.5.8020/8.0.100",
-  "microsoft.net.workload.mono.toolchain.current": "8.0.8/8.0.100",
-  "microsoft.net.workload.emscripten.current": "8.0.8/8.0.100",
-  "microsoft.net.workload.emscripten.net6": "8.0.8/8.0.100",
-  "microsoft.net.workload.emscripten.net7": "8.0.8/8.0.100",
-  "microsoft.net.workload.mono.toolchain.net6": "8.0.8/8.0.100",
-  "microsoft.net.workload.mono.toolchain.net7": "8.0.8/8.0.100",
-  "microsoft.net.sdk.aspire": "8.1.0/8.0.100"
-}
+  "microsoft.net.sdk.android": "35.0.0-rc.1.80/9.0.100-rc.1",
+  "microsoft.net.sdk.ios": "17.5.9270-net9-rc1/9.0.100-rc.1",
+  "microsoft.net.sdk.maccatalyst": "17.5.9270-net9-rc1/9.0.100-rc.1",
+  "microsoft.net.sdk.macos": "14.5.9270-net9-rc1/9.0.100-rc.1",
+  "microsoft.net.sdk.maui": "9.0.0-rc.1.24453.9/9.0.100-rc.1",
+  "microsoft.net.sdk.tvos": "17.5.9270-net9-rc1/9.0.100-rc.1",
+  "microsoft.net.workload.mono.toolchain.current": "9.0.0-rc.1.24431.7/9.0.100-rc.1",
+  "microsoft.net.workload.emscripten.current": "9.0.0-rc.1.24430.3/9.0.100-rc.1",
+  "microsoft.net.workload.emscripten.net6": "9.0.0-rc.1.24430.3/9.0.100-rc.1",
+  "microsoft.net.workload.emscripten.net7": "9.0.0-rc.1.24430.3/9.0.100-rc.1",
+  "microsoft.net.workload.emscripten.net8": "9.0.0-rc.1.24430.3/9.0.100-rc.1",
+  "microsoft.net.workload.mono.toolchain.net6": "9.0.0-rc.1.24431.7/9.0.100-rc.1",
+  "microsoft.net.workload.mono.toolchain.net7": "9.0.0-rc.1.24431.7/9.0.100-rc.1",
+  "microsoft.net.workload.mono.toolchain.net8": "9.0.0-rc.1.24431.7/9.0.100-rc.1",
+  "microsoft.net.sdk.aspire": "8.2.0/8.0.100"
+}
--- a/gen/OpenIddict.Client.WebIntegration.Generators/OpenIddictClientWebIntegrationGenerator.cs
+++ b/gen/OpenIddict.Client.WebIntegration.Generators/OpenIddictClientWebIntegrationGenerator.cs
@ -611,10 +611,7 @@ public sealed partial class OpenIddictClientWebIntegrationBuilder
        /// </summary>
        /// <param name=""stream"">The stream containing the certificate.</param>
        /// <param name=""password"">The password used to open the certificate.</param>
-        /// <param name=""flags"">
-        /// An enumeration of flags indicating how and where
-        /// to store the private key of the certificate.
-        /// </param>
+        /// <param name=""flags"">An enumeration of flags indicating how and where to store the private key of the certificate.</param>
        /// <returns>The <see cref=""OpenIddictClientWebIntegrationBuilder.{{ provider.name }}""/> instance.</returns>
        {{~ if setting.obsolete ~}}
        [Obsolete(""This option is no longer supported and will be removed in a future version."")]
@ -629,7 +626,17 @@ public sealed partial class OpenIddictClientWebIntegrationBuilder
            using var buffer = new MemoryStream();
            stream.CopyTo(buffer);

-            return Set{{ setting.property_name }}(new X509Certificate2(buffer.ToArray(), password, flags));
+#if SUPPORTS_CERTIFICATE_LOADER
+            var certificate = X509Certificate2.GetCertContentType(buffer.ToArray()) switch
+            {
+                X509ContentType.Pkcs12 => X509CertificateLoader.LoadPkcs12(buffer.ToArray(), password, flags),
+
+                _ => throw new InvalidOperationException(SR.GetResourceString(SR.ID0454))
+            };
+#else
+            var certificate = new X509Certificate2(buffer.ToArray(), password, flags);
+#endif
+            return Set{{ setting.property_name }}(certificate);
        }

        /// <summary>
--- a/global.json
+++ b/global.json
@ -1,16 +1,17 @@
 {
  "sdk": {
-    "version": "8.0.303",
+    "version": "9.0.100-rc.1.24452.12",
    "allowPrerelease": true,
    "rollForward": "major"
  },

  "tools": {
-    "dotnet": "8.0.303",
+    "dotnet": "9.0.100-rc.1.24452.12",

    "runtimes": {
      "aspnetcore": [
-        "6.0.32"
+        "6.0.32",
+        "8.0.8"
      ]
    }
  },
--- a/sandbox/OpenIddict.Sandbox.AspNetCore.Client/OpenIddict.Sandbox.AspNetCore.Client.csproj
+++ b/sandbox/OpenIddict.Sandbox.AspNetCore.Client/OpenIddict.Sandbox.AspNetCore.Client.csproj
@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">

  <PropertyGroup>
-    <TargetFrameworks>net48;net8.0</TargetFrameworks>
+    <TargetFrameworks>net48;net9.0</TargetFrameworks>
    <Nullable>disable</Nullable>
  </PropertyGroup>

--- a/sandbox/OpenIddict.Sandbox.AspNetCore.Server/OpenIddict.Sandbox.AspNetCore.Server.csproj
+++ b/sandbox/OpenIddict.Sandbox.AspNetCore.Server/OpenIddict.Sandbox.AspNetCore.Server.csproj
@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">

  <PropertyGroup>
-    <TargetFrameworks>net48;net8.0</TargetFrameworks>
+    <TargetFrameworks>net48;net9.0</TargetFrameworks>
    <TypeScriptEnabled>false</TypeScriptEnabled>
    <Nullable>disable</Nullable>
  </PropertyGroup>
--- a/sandbox/OpenIddict.Sandbox.Console.Client/OpenIddict.Sandbox.Console.Client.csproj
+++ b/sandbox/OpenIddict.Sandbox.Console.Client/OpenIddict.Sandbox.Console.Client.csproj
@ -2,7 +2,7 @@

  <PropertyGroup>
    <OutputType>Exe</OutputType>
-    <TargetFrameworks>net48;net8.0</TargetFrameworks>
+    <TargetFrameworks>net48;net9.0</TargetFrameworks>
  </PropertyGroup>

  <ItemGroup>
--- a/sandbox/OpenIddict.Sandbox.Maui.Client/App.xaml.cs
+++ b/sandbox/OpenIddict.Sandbox.Maui.Client/App.xaml.cs
@ -3,11 +3,8 @@ namespace OpenIddict.Sandbox.Maui.Client;

 public partial class App : Application
 {
-    public App()
-    {
-        InitializeComponent();
+    public App() => InitializeComponent();

-        MainPage = new AppShell();
-    }
+    protected override Window CreateWindow(IActivationState? activationState) => new(new AppShell());
 }
 #endif
--- a/sandbox/OpenIddict.Sandbox.Maui.Client/OpenIddict.Sandbox.Maui.Client.csproj
+++ b/sandbox/OpenIddict.Sandbox.Maui.Client/OpenIddict.Sandbox.Maui.Client.csproj
@ -2,11 +2,11 @@

  <PropertyGroup>
    <OutputType>Exe</OutputType>
-    <TargetFrameworks Condition=" '$(SupportsWindowsTargeting)' == 'true' ">net8.0-windows10.0.19041</TargetFrameworks>
-    <TargetFrameworks Condition=" '$(SupportsIOSTargeting)' == 'true' ">$(TargetFrameworks);net8.0-ios17.5</TargetFrameworks>
-    <TargetFrameworks Condition=" '$(SupportsMacCatalystTargeting)' == 'true' ">$(TargetFrameworks);net8.0-maccatalyst17.5</TargetFrameworks>
+    <TargetFrameworks Condition=" '$(SupportsWindowsTargeting)' == 'true' ">net9.0-windows10.0.19041</TargetFrameworks>
+    <TargetFrameworks Condition=" '$(SupportsIOSTargeting)' == 'true' ">$(TargetFrameworks);net9.0-ios17.5</TargetFrameworks>
+    <TargetFrameworks Condition=" '$(SupportsMacCatalystTargeting)' == 'true' ">$(TargetFrameworks);net9.0-maccatalyst17.5</TargetFrameworks>
    <UseMaui Condition=" '$(TargetFrameworks)' != '' ">true</UseMaui>
-    <TargetFrameworks Condition=" '$(TargetFrameworks)' == '' ">net8.0</TargetFrameworks>
+    <TargetFrameworks Condition=" '$(TargetFrameworks)' == '' ">net9.0</TargetFrameworks>
    <SingleProject>true</SingleProject>
  </PropertyGroup>

--- a/sandbox/OpenIddict.Sandbox.WinForms.Client/OpenIddict.Sandbox.WinForms.Client.csproj
+++ b/sandbox/OpenIddict.Sandbox.WinForms.Client/OpenIddict.Sandbox.WinForms.Client.csproj
@ -3,7 +3,7 @@
  <PropertyGroup>
    <OutputType>WinExe</OutputType>
    <TargetFrameworks>net48</TargetFrameworks>
-    <TargetFrameworks Condition=" '$(SupportsWindowsTargeting)' == 'true' ">$(TargetFrameworks);net8.0-windows7.0</TargetFrameworks>
+    <TargetFrameworks Condition=" '$(SupportsWindowsTargeting)' == 'true' ">$(TargetFrameworks);net9.0-windows7.0</TargetFrameworks>
    <UseWindowsForms>true</UseWindowsForms>
    <ApplicationManifest>app.manifest</ApplicationManifest>
    <ApplicationHighDpiMode>PerMonitorV2</ApplicationHighDpiMode>
--- a/sandbox/OpenIddict.Sandbox.Wpf.Client/OpenIddict.Sandbox.Wpf.Client.csproj
+++ b/sandbox/OpenIddict.Sandbox.Wpf.Client/OpenIddict.Sandbox.Wpf.Client.csproj
@ -3,7 +3,7 @@
  <PropertyGroup>
    <OutputType>WinExe</OutputType>
    <TargetFrameworks>net48</TargetFrameworks>
-    <TargetFrameworks Condition=" '$(SupportsWindowsTargeting)' == 'true' ">$(TargetFrameworks);net8.0-windows10.0.17763</TargetFrameworks>
+    <TargetFrameworks Condition=" '$(SupportsWindowsTargeting)' == 'true' ">$(TargetFrameworks);net9.0-windows10.0.17763</TargetFrameworks>
    <UseWPF>true</UseWPF>
    <EnableDefaultApplicationDefinition>false</EnableDefaultApplicationDefinition>
  </PropertyGroup>
--- a/src/OpenIddict.Abstractions/OpenIddictResources.resx
+++ b/src/OpenIddict.Abstractions/OpenIddictResources.resx
@ -1695,6 +1695,9 @@ To apply post-logout redirection responses, create a class implementing 'IOpenId
  <data name="ID0453" xml:space="preserve">
    <value>The specified intent doesn't contain a valid data URI.</value>
  </data>
+  <data name="ID0454" xml:space="preserve">
+    <value>The format of the specified certificate is not supported.</value>
+  </data>
  <data name="ID2000" xml:space="preserve">
    <value>The security token is missing.</value>
  </data>
--- a/src/OpenIddict.Client/OpenIddictClientBuilder.cs
+++ b/src/OpenIddict.Client/OpenIddictClientBuilder.cs
@ -251,7 +251,12 @@ public sealed class OpenIddictClientBuilder
                        flags |= X509KeyStorageFlags.Exportable;
                    }

-                    certificates.Insert(0, certificate = new X509Certificate2(data, string.Empty, flags));
+#if SUPPORTS_CERTIFICATE_LOADER
+                    certificate = X509CertificateLoader.LoadPkcs12(data, string.Empty, flags);
+#else
+                    certificate = new X509Certificate2(data, string.Empty, flags);
+#endif
+                    certificates.Insert(0, certificate);
                }

                finally
@ -415,10 +420,7 @@ public sealed class OpenIddictClientBuilder
    /// </summary>
    /// <param name="stream">The stream containing the certificate.</param>
    /// <param name="password">The password used to open the certificate.</param>
-    /// <param name="flags">
-    /// An enumeration of flags indicating how and where
-    /// to store the private key of the certificate.
-    /// </param>
+    /// <param name="flags">An enumeration of flags indicating how and where to store the private key of the certificate.</param>
    /// <returns>The <see cref="OpenIddictClientBuilder"/> instance.</returns>
    public OpenIddictClientBuilder AddEncryptionCertificate(Stream stream, string? password, X509KeyStorageFlags flags)
    {
@ -430,7 +432,17 @@ public sealed class OpenIddictClientBuilder
        using var buffer = new MemoryStream();
        stream.CopyTo(buffer);

-        return AddEncryptionCertificate(new X509Certificate2(buffer.ToArray(), password, flags));
+#if SUPPORTS_CERTIFICATE_LOADER
+        var certificate = X509Certificate2.GetCertContentType(buffer.ToArray()) switch
+        {
+            X509ContentType.Pkcs12 => X509CertificateLoader.LoadPkcs12(buffer.ToArray(), password, flags),
+
+            _ => throw new InvalidOperationException(SR.GetResourceString(SR.ID0454))
+        };
+#else
+        var certificate = new X509Certificate2(buffer.ToArray(), password, flags);
+#endif
+        return AddEncryptionCertificate(certificate);
    }

    /// <summary>
@ -626,7 +638,12 @@ public sealed class OpenIddictClientBuilder
                        flags |= X509KeyStorageFlags.Exportable;
                    }

-                    certificates.Insert(0, certificate = new X509Certificate2(data, string.Empty, flags));
+#if SUPPORTS_CERTIFICATE_LOADER
+                    certificate = X509CertificateLoader.LoadPkcs12(data, string.Empty, flags);
+#else
+                    certificate = new X509Certificate2(data, string.Empty, flags);
+#endif
+                    certificates.Insert(0, certificate);
                }

                finally
@ -818,10 +835,7 @@ public sealed class OpenIddictClientBuilder
    /// </summary>
    /// <param name="stream">The stream containing the certificate.</param>
    /// <param name="password">The password used to open the certificate.</param>
-    /// <param name="flags">
-    /// An enumeration of flags indicating how and where
-    /// to store the private key of the certificate.
-    /// </param>
+    /// <param name="flags">An enumeration of flags indicating how and where to store the private key of the certificate.</param>
    /// <returns>The <see cref="OpenIddictClientBuilder"/> instance.</returns>
    public OpenIddictClientBuilder AddSigningCertificate(Stream stream, string? password, X509KeyStorageFlags flags)
    {
@ -833,7 +847,17 @@ public sealed class OpenIddictClientBuilder
        using var buffer = new MemoryStream();
        stream.CopyTo(buffer);

-        return AddSigningCertificate(new X509Certificate2(buffer.ToArray(), password, flags));
+#if SUPPORTS_CERTIFICATE_LOADER
+        var certificate = X509Certificate2.GetCertContentType(buffer.ToArray()) switch
+        {
+            X509ContentType.Pkcs12 => X509CertificateLoader.LoadPkcs12(buffer.ToArray(), password, flags),
+
+            _ => throw new InvalidOperationException(SR.GetResourceString(SR.ID0454))
+        };
+#else
+        var certificate = new X509Certificate2(buffer.ToArray(), password, flags);
+#endif
+        return AddSigningCertificate(certificate);
    }

    /// <summary>
--- a/src/OpenIddict.Server/OpenIddictServerBuilder.cs
+++ b/src/OpenIddict.Server/OpenIddictServerBuilder.cs
@ -260,7 +260,12 @@ public sealed class OpenIddictServerBuilder
                        flags |= X509KeyStorageFlags.Exportable;
                    }

-                    certificates.Insert(0, certificate = new X509Certificate2(data, string.Empty, flags));
+#if SUPPORTS_CERTIFICATE_LOADER
+                    certificate = X509CertificateLoader.LoadPkcs12(data, string.Empty, flags);
+#else
+                    certificate = new X509Certificate2(data, string.Empty, flags);
+#endif
+                    certificates.Insert(0, certificate);
                }

                finally
@ -424,10 +429,7 @@ public sealed class OpenIddictServerBuilder
    /// </summary>
    /// <param name="stream">The stream containing the certificate.</param>
    /// <param name="password">The password used to open the certificate.</param>
-    /// <param name="flags">
-    /// An enumeration of flags indicating how and where
-    /// to store the private key of the certificate.
-    /// </param>
+    /// <param name="flags">An enumeration of flags indicating how and where to store the private key of the certificate.</param>
    /// <returns>The <see cref="OpenIddictServerBuilder"/> instance.</returns>
    public OpenIddictServerBuilder AddEncryptionCertificate(Stream stream, string? password, X509KeyStorageFlags flags)
    {
@ -439,7 +441,17 @@ public sealed class OpenIddictServerBuilder
        using var buffer = new MemoryStream();
        stream.CopyTo(buffer);

-        return AddEncryptionCertificate(new X509Certificate2(buffer.ToArray(), password, flags));
+#if SUPPORTS_CERTIFICATE_LOADER
+        var certificate = X509Certificate2.GetCertContentType(buffer.ToArray()) switch
+        {
+            X509ContentType.Pkcs12 => X509CertificateLoader.LoadPkcs12(buffer.ToArray(), password, flags),
+
+            _ => throw new InvalidOperationException(SR.GetResourceString(SR.ID0454))
+        };
+#else
+        var certificate = new X509Certificate2(buffer.ToArray(), password, flags);
+#endif
+        return AddEncryptionCertificate(certificate);
    }

    /// <summary>
@ -636,7 +648,12 @@ public sealed class OpenIddictServerBuilder
                        flags |= X509KeyStorageFlags.Exportable;
                    }

-                    certificates.Insert(0, certificate = new X509Certificate2(data, string.Empty, flags));
+#if SUPPORTS_CERTIFICATE_LOADER
+                    certificate = X509CertificateLoader.LoadPkcs12(data, string.Empty, flags);
+#else
+                    certificate = new X509Certificate2(data, string.Empty, flags);
+#endif
+                    certificates.Insert(0, certificate);
                }

                finally
@ -828,10 +845,7 @@ public sealed class OpenIddictServerBuilder
    /// </summary>
    /// <param name="stream">The stream containing the certificate.</param>
    /// <param name="password">The password used to open the certificate.</param>
-    /// <param name="flags">
-    /// An enumeration of flags indicating how and where
-    /// to store the private key of the certificate.
-    /// </param>
+    /// <param name="flags">An enumeration of flags indicating how and where to store the private key of the certificate.</param>
    /// <returns>The <see cref="OpenIddictServerBuilder"/> instance.</returns>
    public OpenIddictServerBuilder AddSigningCertificate(Stream stream, string? password, X509KeyStorageFlags flags)
    {
@ -843,7 +857,17 @@ public sealed class OpenIddictServerBuilder
        using var buffer = new MemoryStream();
        stream.CopyTo(buffer);

-        return AddSigningCertificate(new X509Certificate2(buffer.ToArray(), password, flags));
+#if SUPPORTS_CERTIFICATE_LOADER
+        var certificate = X509Certificate2.GetCertContentType(buffer.ToArray()) switch
+        {
+            X509ContentType.Pkcs12 => X509CertificateLoader.LoadPkcs12(buffer.ToArray(), password, flags),
+
+            _ => throw new InvalidOperationException(SR.GetResourceString(SR.ID0454))
+        };
+#else
+        var certificate = new X509Certificate2(buffer.ToArray(), password, flags);
+#endif
+        return AddSigningCertificate(certificate);
    }

    /// <summary>
--- a/src/OpenIddict.Validation/OpenIddictValidationBuilder.cs
+++ b/src/OpenIddict.Validation/OpenIddictValidationBuilder.cs
@ -273,10 +273,7 @@ public sealed class OpenIddictValidationBuilder
    /// </summary>
    /// <param name="stream">The stream containing the certificate.</param>
    /// <param name="password">The password used to open the certificate.</param>
-    /// <param name="flags">
-    /// An enumeration of flags indicating how and where
-    /// to store the private key of the certificate.
-    /// </param>
+    /// <param name="flags">An enumeration of flags indicating how and where to store the private key of the certificate.</param>
    /// <returns>The <see cref="OpenIddictValidationBuilder"/> instance.</returns>
    public OpenIddictValidationBuilder AddEncryptionCertificate(
        Stream stream, string? password, X509KeyStorageFlags flags)
@ -289,7 +286,17 @@ public sealed class OpenIddictValidationBuilder
        using var buffer = new MemoryStream();
        stream.CopyTo(buffer);

-        return AddEncryptionCertificate(new X509Certificate2(buffer.ToArray(), password, flags));
+#if SUPPORTS_CERTIFICATE_LOADER
+        var certificate = X509Certificate2.GetCertContentType(buffer.ToArray()) switch
+        {
+            X509ContentType.Pkcs12 => X509CertificateLoader.LoadPkcs12(buffer.ToArray(), password, flags),
+
+            _ => throw new InvalidOperationException(SR.GetResourceString(SR.ID0454))
+        };
+#else
+        var certificate = new X509Certificate2(buffer.ToArray(), password, flags);
+#endif
+        return AddEncryptionCertificate(certificate);
    }

    /// <summary>
@ -514,10 +521,7 @@ public sealed class OpenIddictValidationBuilder
    /// </summary>
    /// <param name="stream">The stream containing the certificate.</param>
    /// <param name="password">The password used to open the certificate.</param>
-    /// <param name="flags">
-    /// An enumeration of flags indicating how and where
-    /// to store the private key of the certificate.
-    /// </param>
+    /// <param name="flags">An enumeration of flags indicating how and where to store the private key of the certificate.</param>
    /// <returns>The <see cref="OpenIddictValidationBuilder"/> instance.</returns>
    public OpenIddictValidationBuilder AddSigningCertificate(Stream stream, string? password, X509KeyStorageFlags flags)
    {
@ -529,7 +533,17 @@ public sealed class OpenIddictValidationBuilder
        using var buffer = new MemoryStream();
        stream.CopyTo(buffer);

-        return AddSigningCertificate(new X509Certificate2(buffer.ToArray(), password, flags));
+#if SUPPORTS_CERTIFICATE_LOADER
+        var certificate = X509Certificate2.GetCertContentType(buffer.ToArray()) switch
+        {
+            X509ContentType.Pkcs12 => X509CertificateLoader.LoadPkcs12(buffer.ToArray(), password, flags),
+
+            _ => throw new InvalidOperationException(SR.GetResourceString(SR.ID0454))
+        };
+#else
+        var certificate = new X509Certificate2(buffer.ToArray(), password, flags);
+#endif
+        return AddSigningCertificate(certificate);
    }

    /// <summary>
--- a/test/OpenIddict.Server.IntegrationTests/OpenIddictServerIntegrationTests.Introspection.cs
+++ b/test/OpenIddict.Server.IntegrationTests/OpenIddictServerIntegrationTests.Introspection.cs
@ -1259,13 +1259,15 @@ public abstract partial class OpenIddictServerIntegrationTests
                mock.Setup(manager => manager.HasStatusAsync(token, Statuses.Valid, It.IsAny<CancellationToken>()))
                    .ReturnsAsync(true);

-                mock.Setup(manager => manager.HasTypeAsync(token, ImmutableArray.Create(
+                mock.Setup(manager => manager.HasTypeAsync(token, ImmutableArray.Create(new[]
+                {
                    TokenTypeHints.AccessToken,
                    TokenTypeHints.AuthorizationCode,
                    TokenTypeHints.DeviceCode,
                    TokenTypeHints.IdToken,
                    TokenTypeHints.RefreshToken,
-                    TokenTypeHints.UserCode), It.IsAny<CancellationToken>()))
+                    TokenTypeHints.UserCode
+                }), It.IsAny<CancellationToken>()))
                    .ReturnsAsync(true);

                mock.Setup(manager => manager.GetAuthorizationIdAsync(token, It.IsAny<CancellationToken>()))
@ -1360,13 +1362,15 @@ public abstract partial class OpenIddictServerIntegrationTests
                mock.Setup(manager => manager.HasStatusAsync(token, Statuses.Valid, It.IsAny<CancellationToken>()))
                    .ReturnsAsync(true);

-                mock.Setup(manager => manager.HasTypeAsync(token, ImmutableArray.Create(
+                mock.Setup(manager => manager.HasTypeAsync(token, ImmutableArray.Create(new[]
+                {
                    TokenTypeHints.AccessToken,
                    TokenTypeHints.AuthorizationCode,
                    TokenTypeHints.DeviceCode,
                    TokenTypeHints.IdToken,
                    TokenTypeHints.RefreshToken,
-                    TokenTypeHints.UserCode), It.IsAny<CancellationToken>()))
+                    TokenTypeHints.UserCode
+                }), It.IsAny<CancellationToken>()))
                    .ReturnsAsync(true);

                mock.Setup(manager => manager.GetAuthorizationIdAsync(token, It.IsAny<CancellationToken>()))
@ -1468,13 +1472,15 @@ public abstract partial class OpenIddictServerIntegrationTests
                mock.Setup(manager => manager.HasStatusAsync(token, Statuses.Valid, It.IsAny<CancellationToken>()))
                    .ReturnsAsync(true);

-                mock.Setup(manager => manager.HasTypeAsync(token, ImmutableArray.Create(
+                mock.Setup(manager => manager.HasTypeAsync(token, ImmutableArray.Create(new[]
+                {
                    TokenTypeHints.AccessToken,
                    TokenTypeHints.AuthorizationCode,
                    TokenTypeHints.DeviceCode,
                    TokenTypeHints.IdToken,
                    TokenTypeHints.RefreshToken,
-                    TokenTypeHints.UserCode), It.IsAny<CancellationToken>()))
+                    TokenTypeHints.UserCode
+                }), It.IsAny<CancellationToken>()))
                    .ReturnsAsync(true);

                mock.Setup(manager => manager.GetAuthorizationIdAsync(token, It.IsAny<CancellationToken>()))
@ -1531,13 +1537,15 @@ public abstract partial class OpenIddictServerIntegrationTests
            mock.Setup(manager => manager.HasStatusAsync(token, Statuses.Valid, It.IsAny<CancellationToken>()))
                .ReturnsAsync(false);

-            mock.Setup(manager => manager.HasTypeAsync(token, ImmutableArray.Create(
+            mock.Setup(manager => manager.HasTypeAsync(token, ImmutableArray.Create(new[]
+            {
                TokenTypeHints.AccessToken,
                TokenTypeHints.AuthorizationCode,
                TokenTypeHints.DeviceCode,
                TokenTypeHints.IdToken,
                TokenTypeHints.RefreshToken,
-                TokenTypeHints.UserCode), It.IsAny<CancellationToken>()))
+                TokenTypeHints.UserCode
+            }), It.IsAny<CancellationToken>()))
                .ReturnsAsync(true);
        });

--- a/test/OpenIddict.Validation.IntegrationTests/OpenIddictValidationIntegrationTests.cs
+++ b/test/OpenIddict.Validation.IntegrationTests/OpenIddictValidationIntegrationTests.cs
@ -277,13 +277,12 @@ public abstract partial class OpenIddictValidationIntegrationTests
                    {
                        new X509SecurityKey(GetSigningCertificate(
                            assembly: typeof(OpenIddictValidationIntegrationTests).Assembly,
-                            resource: "OpenIddict.Validation.IntegrationTests.Certificate.cer",
-                            password: null))
+                            resource: "OpenIddict.Validation.IntegrationTests.Certificate.cer"))
                    }
                });
            });

-        static X509Certificate2 GetSigningCertificate(Assembly assembly, string resource, string? password)
+        static X509Certificate2 GetSigningCertificate(Assembly assembly, string resource)
        {
            using var stream = assembly.GetManifestResourceStream(resource) ??
                throw new InvalidOperationException(SR.GetResourceString(SR.ID0064));
@ -291,7 +290,11 @@ public abstract partial class OpenIddictValidationIntegrationTests
            using var buffer = new MemoryStream();
            stream.CopyTo(buffer);

-            return new X509Certificate2(buffer.ToArray(), password, X509KeyStorageFlags.MachineKeySet);
+#if SUPPORTS_CERTIFICATE_LOADER
+            return X509CertificateLoader.LoadCertificate(buffer.ToArray());
+#else
+            return new X509Certificate2(buffer.ToArray());
+#endif
        }
    }