[release/9.0] Fix copying ephemeral keys to keychains

[github-actions[bot]]

Backport of #106973 to release/9.0

/cc @lewing @vcsjones @bartonjs

Customer Impact

• [X] Customer reported
• [ ] Found internally

Reported by multiple customers in https://github.com/dotnet/runtime/issues/106775.

Customers that use X509Certificate2.CopyWithPrivateKey will get a CryptographicException on macOS Sequoia, which is currently in beta. This breaks some key development scenarios, like CertificateRequest, which is used by ASP.NET for configuring local development HTTPS certificates.

This is due to Apple changing the behavior of one of their APIs to return a different error code. The change is to handle the new error code, in addition to the old one.

Regression

• [ ] Yes
• [ ] No
• [X] Reaction to platform changes in new OS version

Testing

Existing unit tests failed on the new macOS version. The tests now pass on macOS Sequoia.

Risk

Low. This adds an extra condition to an error handling path that already existed.

IMPORTANT: If this backport is for a servicing release, please verify that:

• The PR target branch is release/X.0-staging, not release/X.0.

• If the change touches code that ships in a NuGet package, you have added the necessary package authoring and gotten it explicitly reviewed.

[dotnet-policy-service[bot]]

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones See info in area-owners.md if you want to be subscribed.

[lewing]

@vcsjones can you update the description for these backports

[lewing]

cc @jeffschwMSFT @artl93

[jeffhandley]

Tagging @artl93 for review (and merge) into release/9.0. This reacts to macOS Sequoia changing behavior; our existing unit tests were failing on the platform so no new tests were needed.

Once this is reviewed and merged into release/9.0, we will send [release/8.0-staging] Fix copying ephemeral keys to keychains (#107041) and [release/6.0-staging] Fix copying ephemeral keys to keychains (#107046) to Tactics for servicing consideration.