SignedCms: throws when manipulating certificates collection that contains a non-X.509 certificate

[dtivel]

Description

SignedCms.AddCertificate(...) throws when attempting to add a certificate when the existing certificates collection contains a non-X.509 certificate. It's worth reviewing other code paths in the class for similar behavior. For example, from a quick glance at the source code, it appears that SignedCms.RemoveCertificate(...) has a similar issue.

#62307 is related.

CC @bartonjs, @vcsjones, @clairernovotny

Reproduction Steps

internal class Program
{
    static void Main()
    {
        string base64 = "MIIXTgYJKoZIhvcNAQcCoIIXPzCCFzsCAQMxDzANBglghkgBZQMEAgEFADCCAWEGCyqGSIb3DQEJEAEEoIIBUASCAUwwggFIAgEBBgorBgEEAYRZCgMBMDEwDQYJYIZIAWUDBAIBBQAEIN/9YCG7K9Wwr2dikICew6Uxkd2Bx/cKSyhoijYhgphvAgZjoE0wcE0YEzIwMjIxMjIzMTQ0MDQwLjEzN1owBIACAfSggeCkgd0wgdoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJTAjBgNVBAsTHE1pY3Jvc29mdCBBbWVyaWNhIE9wZXJhdGlvbnMxJjAkBgNVBAsTHVRoYWxlcyBUU1MgRVNOOkJCNzMtOTZGRC03N0VGMTUwMwYDVQQDEyxNaWNyb3NvZnQgUHVibGljIFJTQSBUaW1lIFN0YW1waW5nIEF1dGhvcml0eaCCEeYwggeCMIIFaqADAgECAhMzAAAABeXPD/9mLsmHAAAAAAAFMA0GCSqGSIb3DQEBDAUAMHcxCzAJBgNVBAYTAlVTMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xSDBGBgNVBAMTP01pY3Jvc29mdCBJZGVudGl0eSBWZXJpZmljYXRpb24gUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgMjAyMDAeFw0yMDExMTkyMDMyMzFaFw0zNTExMTkyMDQyMzFaMGExCzAJBgNVBAYTAlVTMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xMjAwBgNVBAMTKU1pY3Jvc29mdCBQdWJsaWMgUlNBIFRpbWVzdGFtcGluZyBDQSAyMDIwMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAnnznUmP94MWfBX1jtQYioxwe1+eXM9ETBb1lRkd3kcFdcG9/sqtDlwxKoVIcaqDb+omFio5DHC4RBcbyQHjXCwMk/l3TOYtgoBjxnG/eViS4sOx8y4gSq8Zg49REAf5huXhIkQRKe3Qxs8Sgp02KHAznEa/Ssah8nWo5hJM1xznkRsFPu6rfDHeZeG1Wa1wISvlkpOQooTULFm809Z0ZYlQ8Lp7i5F9YciFlyAKwn6yjN/kR4fkquUWfGmMopNq/B8U/pdoZkZZQbxNlqJOiBGgCWpx69uKqKhTPVi3gVErnc/qi+dR8A2MiAz0kN0nh7SqINGbmw5OIRC0EsZ31WF3Uxp3GgZwetEKxLms73KG/Z+MkeuaVDQQheangOEMGJ4pQZH55ngI0Tdy1bi69INBV5Kn2HVJo9XxRYR/JPGAaM6xGl57Ei95HUw9NV/uC3yFjrhc087qLJQawSC3xzY/EXzsT4I7sDbxOmM2rl4uKK6eEpurRduOQ2hTkmG1hSuWYBunFGNv21Kt4N20AKmbeuSnGnsBCd2cjRKG79+TX+sTehawOoxfeOO/jR7wo3liwkGdzPJYHgnJ54UxbckF914AqHOiEV7xTnD1a69w/UTxwjEugpIPMIIE67SFZ2PMo27xjlLAHWW3l1CEAFjLNHd3EQ79PUr8FUXetXr0CAwEAAaOCAhswggIXMA4GA1UdDwEB/wQEAwIBhjAQBgkrBgEEAYI3FQEEAwIBADAdBgNVHQ4EFgQUa2koOjUvSGNAz3vYr0npPtk92yEwVAYDVR0gBE0wSzBJBgRVHSAAMEEwPwYIKwYBBQUHAgEWM2h0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2lvcHMvRG9jcy9SZXBvc2l0b3J5Lmh0bTATBgNVHSUEDDAKBggrBgEFBQcDCDAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFMh+0mqFKhvKGZgEByfPUBBPaKiiMIGEBgNVHR8EfTB7MHmgd6B1hnNodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNyb3NvZnQlMjBJZGVudGl0eSUyMFZlcmlmaWNhdGlvbiUyMFJvb3QlMjBDZXJ0aWZpY2F0ZSUyMEF1dGhvcml0eSUyMDIwMjAuY3JsMIGUBggrBgEFBQcBAQSBhzCBhDCBgQYIKwYBBQUHMAKGdWh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2lvcHMvY2VydHMvTWljcm9zb2Z0JTIwSWRlbnRpdHklMjBWZXJpZmljYXRpb24lMjBSb290JTIwQ2VydGlmaWNhdGUlMjBBdXRob3JpdHklMjAyMDIwLmNydDANBgkqhkiG9w0BAQwFAAOCAgEAX4h2x35ttVoVdedMeGj6TuHYRJklFaW4sTQ5r+k77iB79cSLNe+GzRjv4pVjJviceW6AF6ycWoEYR0LYhaa0ozJLU5Yi+LCmcrdovkl53DNt4EXs87KDogYb9eGEndSpZ5ZM74LNvVzY0/nPISHz0Xva71QjD4h+8z2XMOZzY7YQ0Psw+etyNZ1CesufU211rLslLKsO8F2aBs2cIo1k+aHOhrw9xw6JCWONNboZ497mwYW5EfN0W3zL5s3ad4Xtm7yFM7Ujrhc0aqy3xL7D5FR2J7x9cLWMq7eb0oYioXhqV2tgFqbKHeDick+P8tHYIFovIP7YG4ZkJWag1H91KlELGWi3SLv10o4KGag42pswjybTi4toQcC/irAodDW8HNtX+cbz0sMptFJK+KObAnDFHEsukxD+7jFfEV9Hh/+CSxKRsmnuiovCWIOb+H7DRon9TlxydiFhvu88o0w35JkNbJxTk4MhF/KgaXn0GxdH8elEa2Imq45gaa8D+mTm8LWVydt4ytxYP/bqjN49D9NZ81coE6aQWm88TwIf4R4YZbOpMKN0CyejaPNN41LGXHeCUMYmBx3PkP8ADHD1J2Cr/6tjuOOCztfp+o9Nc+ZoIAkpUcA/X2gSMkgHAPUvIdtoSAHEUKiBhI6JQivRepyvWcl+JYbYbBh7pmgAXVswggeWMIIFfqADAgECAhMzAAAAILABry+HZ1yLAAAAAAAgMA0GCSqGSIb3DQEBDAUAMGExCzAJBgNVBAYTAlVTMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xMjAwBgNVBAMTKU1pY3Jvc29mdCBQdWJsaWMgUlNBIFRpbWVzdGFtcGluZyBDQSAyMDIwMB4XDTIyMDcwNzE4MzcyNVoXDTIzMDcwNzE4MzcyNVowgdoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJTAjBgNVBAsTHE1pY3Jvc29mdCBBbWVyaWNhIE9wZXJhdGlvbnMxJjAkBgNVBAsTHVRoYWxlcyBUU1MgRVNOOkJCNzMtOTZGRC03N0VGMTUwMwYDVQQDEyxNaWNyb3NvZnQgUHVibGljIFJTQSBUaW1lIFN0YW1waW5nIEF1dGhvcml0eTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJfrDPjIApwaQSPdWUxuANiv4GZE2obHbYId1LQ3rKeYkG2gI60gjkZ/r91gQk+MGJmwH3yYmwt7We73TZl5l0D5I5XWTZ5E5sNTIL2JVixc1AoQWdo3/0UnkL0EwlnXeY+0BjD4HLmrOd40ESmRIbEcySFPDTDJVKOHwHfZQmvAtYdJtzAYId5U1C2H9HYz8u8PrKomfNZNRTWZ4TOIgSQmp8wqdy5B+9zrccbIFbwHgrmOUBo1ZJ/Cnsa7bZjXIXd2tKkU7Busu20Kk37rmYtjAPeCtf3AxTePVuuyIfxehybPVCu8ARYYbh2gFv1gxkVr3WA/z9R2ou0mYthWWkoY3xNMpqDFoX7o2QLiLwS0KZtpfGR13Q+Zd/0/Gwm1lAnx5m9i33S2v/YmiQ5T78fnpDXNV1CB+m39aLrdqFkgRP4fvIvrmh55o/olCK909zawMUusIxuKjZzIhopUfmYIntghpArqAw1+Jbwh6GPYHhO5OJqkzdui7EQjYU7570hD6QF89vdLyZcdt2JLbAEAoi8Vv2p7pHrOf3kmwTh1JHzEm4ikXwK7lwU4jpQKkCRFZGB14KAH4NQhpzZUbsnocF3FSHdKqhujUgG1ZvfQSnC5v4YxK7vTXda/fVHFAe/lVeTWhd2nhwkipMQalTa5fGZMQhNsgakQCY7xLyN5AgMBAAGjggHLMIIBxzAdBgNVHQ4EFgQUuEIMWjpKNO9UmKDYjfBwcPO7p6UwHwYDVR0jBBgwFoAUa2koOjUvSGNAz3vYr0npPtk92yEwbAYDVR0fBGUwYzBhoF+gXYZbaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9jcmwvTWljcm9zb2Z0JTIwUHVibGljJTIwUlNBJTIwVGltZXN0YW1waW5nJTIwQ0ElMjAyMDIwLmNybDB5BggrBgEFBQcBAQRtMGswaQYIKwYBBQUHMAKGXWh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2lvcHMvY2VydHMvTWljcm9zb2Z0JTIwUHVibGljJTIwUlNBJTIwVGltZXN0YW1waW5nJTIwQ0ElMjAyMDIwLmNydDAMBgNVHRMBAf8EAjAAMBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMIMA4GA1UdDwEB/wQEAwIHgDBmBgNVHSAEXzBdMFEGDCsGAQQBgjdMg30BATBBMD8GCCsGAQUFBwIBFjNodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL0RvY3MvUmVwb3NpdG9yeS5odG0wCAYGZ4EMAQQCMA0GCSqGSIb3DQEBDAUAA4ICAQA+BB8mdH2+dvIq3A3laqGQxsmTevSR70CoAJgTHxQyFHSdJoi+Rcmbb43cag8tk8/pdL+Jh3fl+hx9zs6jwupKnx9JDWINaHO1MwC1GXwB1KHHCaCkYmhOQlueyxNYzwg8A//3l9xG8TEGZCneaKqcvlYOd413usIgCNwtUQYBSmPYx0nTjGYdra2q5CfoK9W5MWvdmLdl+AVqkxuO0Upvoh68kt2yfQn2pf8SQ32O3M/H77pS4T/wz4SQl1acWsXY1AJa+WizVr15UU3BLPStQAPCDnIuE5aPuQ6jd5ipwZFt6dHlPDitCzfiR2q81gfCqwhdh2hXz2/ajBxSod276jO6JCk3ad7RW0Dp2M+n5jc1Y35YV/EKVihO/H3eckrEoVWGCymKXs3XT3kokUCplJLyGmbotNCx+ZvfSI48+uuvZC9+rAIqBmdqLQseAn9HXyuvLAgxsS94sMoBqvTq1ijKuU8LFKpe+uuHgvyoS9WQvKDf6LsqWMs7dAoO4AaiXHJ53MM3HUW25hD9mgOiXQ4/Swx1zTDY19tHkbAKSSkbXPWbaGG7lmobhDsmcA2K/pr7P1SyDwdum2Kb7b5vwThFMuOc7HHJAmNzd+iExdyAG7xtlXfUfZCq7dCHM359HyQQeXGq60LjJJnEmQg/1hCJLRi/6aXhs5ef11ByaaGCAsIwggIrAgEBMIIBCKGB4KSB3TCB2jELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjElMCMGA1UECxMcTWljcm9zb2Z0IEFtZXJpY2EgT3BlcmF0aW9uczEmMCQGA1UECxMdVGhhbGVzIFRTUyBFU046QkI3My05NkZELTc3RUYxNTAzBgNVBAMTLE1pY3Jvc29mdCBQdWJsaWMgUlNBIFRpbWUgU3RhbXBpbmcgQXV0aG9yaXR5oiMKAQEwBwYFKw4DAhoDFQBxP9XKMVHCfYLf94OEYCTUfcickqBnMGWkYzBhMQswCQYDVQQGEwJVUzEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMTIwMAYDVQQDEylNaWNyb3NvZnQgUHVibGljIFJTQSBUaW1lc3RhbXBpbmcgQ0EgMjAyMDANBgkqhkiG9w0BAQUFAAIFAOdQEbEwIhgPMjAyMjEyMjMxOTM4MjVaGA8yMDIyMTIyNDE5MzgyNVowdzA9BgorBgEEAYRZCgQBMS8wLTAKAgUA51ARsQIBADAKAgEAAgIlpAIB/zAHAgEAAgIQPjAKAgUA51FjMQIBADA2BgorBgEEAYRZCgQCMSgwJjAMBgorBgEEAYRZCgMCoAowCAIBAAIDB6EgoQowCAIBAAIDAYagMA0GCSqGSIb3DQEBBQUAA4GBAImt1MTgbVpjSFDab7gZcHAVdQEhK3Zp5b1I7rLeWx0k1Y+tplXarYWhlDvcvxozw+48i2wvm6iHPSxEnUR+H0PEJF/pFy7l6rOEQs8uuBZVSGYo2wFFK+lFNA7r2FWmTikYGk9XjfnMFNArbxs9o9QVlUY/6WoM6WEkUgGuDvZkMYID1DCCA9ACAQEweDBhMQswCQYDVQQGEwJVUzEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMTIwMAYDVQQDEylNaWNyb3NvZnQgUHVibGljIFJTQSBUaW1lc3RhbXBpbmcgQ0EgMjAyMAITMwAAACCwAa8vh2dciwAAAAAAIDANBglghkgBZQMEAgEFAKCCAS0wGgYJKoZIhvcNAQkDMQ0GCyqGSIb3DQEJEAEEMC8GCSqGSIb3DQEJBDEiBCAVapw8u8Wag7VzCLn/V4PE9K93bMP+UpHwhjE/Wu3gNzCB3QYLKoZIhvcNAQkQAi8xgc0wgcowgccwgaAEIFhihPvZpcuYhxuCwBVX0TScD+2Y2bz889qjxrnB4/REMHwwZaRjMGExCzAJBgNVBAYTAlVTMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xMjAwBgNVBAMTKU1pY3Jvc29mdCBQdWJsaWMgUlNBIFRpbWVzdGFtcGluZyBDQSAyMDIwAhMzAAAAILABry+HZ1yLAAAAAAAgMCIEIEdqQU35FupEwXbf4BS3S3pyLz06tQR3G8WQf3bxQm3TMA0GCSqGSIb3DQEBCwUABIICACadEkAftX3fmQfnZ5iY4jThnD6zKzEW7XIfba+mHWtxsCV9GytDW86X/x7gzwhkEBuih7q6i1D/3EN2ceDMZP1W5g1Q2yqu/MnIR0FPykAtflXm/1i5Ac/fMM2yuaoWVAWm4J6zsZk3KwQT9D7ve6gMeo8qUbkiVM2pG2j4bnJaY9IeuPoa9zO4svyNtwgydPdGJydKL0SB2svTpRU8inu9VzMFaB2rCKWnsRN89OCisbj08EKlkhmAn+dWr1E+qw5RYibnvDzrgbIX+ukuiuIfpkmpwi4GpnTqpQQX28agDZ91O46MCKwGb053qxez90V3LyholdLe1SJ6aCagoK4WFKG9+b3nJsfG6hzxiDNPA3v6rTG69M5c2FUvqCBUwQAtMrIiSbPULaRiclZEnkbXoOS7074aBIGYr7vhRz02qMqydsSwAPspmXbn8w/Jy0ZqIzP0uaPxqpJBTK/UWh3mxI0QSDWXmo6DgVBuQF3Yr4Fd/EsQAd8GJZPgutQcIAnvoABm2HqO60vEbs5DbVmlNv+1GeZtrKQXd1tDxphHzkX1BjogAc/Kwa7XVmvPnLL/scQAM976kzcuWMMb5bxxXdqNHXEjH7FMPTvBparOkYMQuLnWdZ5t1XRJXnjTbS7ecrveEQmJRKtUQ+QwADGN8Mjb3C8JFk6Wu0dHMfbu";
        byte[] bytes = Convert.FromBase64String(base64);
        SignedCms signedCms = new();

        signedCms.Decode(bytes);

        using (RSA keyPair = RSA.Create(keySizeInBits: 4096))
        {
            CertificateRequest certificateRequest = new("CN=test", keyPair, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

            using (X509Certificate2 certificate = certificateRequest.CreateSelfSigned(DateTimeOffset.Now, DateTimeOffset.Now.AddMinutes(1)))
            {
                signedCms.AddCertificate(certificate);
            }
        }
    }
}

Expected behavior

Based on the resolution of #62307, the expected behavior here is that non-X.509 certificates will be ignored and adding/removing X.509 certificates will succeed/fail in the same way as if the SignedCms instance contained only X.509 certificates.

Actual behavior

System.InvalidOperationException: Nullable object must have a value.
   at System.Nullable`1.get_Value()
   at System.Security.Cryptography.Pkcs.SignedCms.AddCertificate(X509Certificate2 certificate)
   at ConsoleApp2.Program.Main() in E:\\throwaway\\ConsoleApp2\\Program.cs:line 23

Regression?

No

Known Workarounds

No response

Configuration

The version of System.Security.Cryptography.Pkcs used here contains #64348.

PS C:\> [System.Diagnostics.FileVersionInfo]::GetVersionInfo('***\System.Security.Cryptography.Pkcs.dll') | Format-List

OriginalFilename  : System.Security.Cryptography.Pkcs.dll
FileDescription   : System.Security.Cryptography.Pkcs
ProductName       : Microsoft® .NET
Comments          : Provides support for PKCS and CMS algorithms.

                    Commonly Used Types:
                    System.Security.Cryptography.Pkcs.EnvelopedCms
CompanyName       : Microsoft Corporation
FileName          : ***\System.Security.Cryptography.Pkcs.dll
FileVersion       : 7.0.22.51805
ProductVersion    : 7.0.0+d099f075e45d2aa6007a22b71b45a08758559f80
IsDebug           : False
IsPatched         : False
IsPreRelease      : False
IsPrivateBuild    : False
IsSpecialBuild    : False
Language          : Language Neutral
LegalCopyright    : © Microsoft Corporation. All rights reserved.
LegalTrademarks   :
PrivateBuild      :
SpecialBuild      :
FileVersionRaw    : 7.0.22.51805
ProductVersionRaw : 7.0.0.0

Other information

No response

Tagging subscribers to this area: @dotnet/area-system-security, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details

---

Description

SignedCms.AddCertificate(...) throws when attempting to add a certificate when the existing certificates collection contains a non-X.509 certificate. It's worth reviewing other code paths in the class for similar behavior. For example, from a quick glance at the source code, it appears that SignedCms.RemoveCertificate(...) has a similar issue.

#62307 is related.

CC @bartonjs, @vcsjones, @clairernovotny

Reproduction Steps

internal class Program
{
    static void Main()
    {
        string base64 = "MIIXTgYJKoZIhvcNAQcCoIIXPzCCFzsCAQMxDzANBglghkgBZQMEAgEFADCCAWEGCyqGSIb3DQEJEAEEoIIBUASCAUwwggFIAgEBBgorBgEEAYRZCgMBMDEwDQYJYIZIAWUDBAIBBQAEIN/9YCG7K9Wwr2dikICew6Uxkd2Bx/cKSyhoijYhgphvAgZjoE0wcE0YEzIwMjIxMjIzMTQ0MDQwLjEzN1owBIACAfSggeCkgd0wgdoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJTAjBgNVBAsTHE1pY3Jvc29mdCBBbWVyaWNhIE9wZXJhdGlvbnMxJjAkBgNVBAsTHVRoYWxlcyBUU1MgRVNOOkJCNzMtOTZGRC03N0VGMTUwMwYDVQQDEyxNaWNyb3NvZnQgUHVibGljIFJTQSBUaW1lIFN0YW1waW5nIEF1dGhvcml0eaCCEeYwggeCMIIFaqADAgECAhMzAAAABeXPD/9mLsmHAAAAAAAFMA0GCSqGSIb3DQEBDAUAMHcxCzAJBgNVBAYTAlVTMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xSDBGBgNVBAMTP01pY3Jvc29mdCBJZGVudGl0eSBWZXJpZmljYXRpb24gUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgMjAyMDAeFw0yMDExMTkyMDMyMzFaFw0zNTExMTkyMDQyMzFaMGExCzAJBgNVBAYTAlVTMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xMjAwBgNVBAMTKU1pY3Jvc29mdCBQdWJsaWMgUlNBIFRpbWVzdGFtcGluZyBDQSAyMDIwMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAnnznUmP94MWfBX1jtQYioxwe1+eXM9ETBb1lRkd3kcFdcG9/sqtDlwxKoVIcaqDb+omFio5DHC4RBcbyQHjXCwMk/l3TOYtgoBjxnG/eViS4sOx8y4gSq8Zg49REAf5huXhIkQRKe3Qxs8Sgp02KHAznEa/Ssah8nWo5hJM1xznkRsFPu6rfDHeZeG1Wa1wISvlkpOQooTULFm809Z0ZYlQ8Lp7i5F9YciFlyAKwn6yjN/kR4fkquUWfGmMopNq/B8U/pdoZkZZQbxNlqJOiBGgCWpx69uKqKhTPVi3gVErnc/qi+dR8A2MiAz0kN0nh7SqINGbmw5OIRC0EsZ31WF3Uxp3GgZwetEKxLms73KG/Z+MkeuaVDQQheangOEMGJ4pQZH55ngI0Tdy1bi69INBV5Kn2HVJo9XxRYR/JPGAaM6xGl57Ei95HUw9NV/uC3yFjrhc087qLJQawSC3xzY/EXzsT4I7sDbxOmM2rl4uKK6eEpurRduOQ2hTkmG1hSuWYBunFGNv21Kt4N20AKmbeuSnGnsBCd2cjRKG79+TX+sTehawOoxfeOO/jR7wo3liwkGdzPJYHgnJ54UxbckF914AqHOiEV7xTnD1a69w/UTxwjEugpIPMIIE67SFZ2PMo27xjlLAHWW3l1CEAFjLNHd3EQ79PUr8FUXetXr0CAwEAAaOCAhswggIXMA4GA1UdDwEB/wQEAwIBhjAQBgkrBgEEAYI3FQEEAwIBADAdBgNVHQ4EFgQUa2koOjUvSGNAz3vYr0npPtk92yEwVAYDVR0gBE0wSzBJBgRVHSAAMEEwPwYIKwYBBQUHAgEWM2h0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2lvcHMvRG9jcy9SZXBvc2l0b3J5Lmh0bTATBgNVHSUEDDAKBggrBgEFBQcDCDAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFMh+0mqFKhvKGZgEByfPUBBPaKiiMIGEBgNVHR8EfTB7MHmgd6B1hnNodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNyb3NvZnQlMjBJZGVudGl0eSUyMFZlcmlmaWNhdGlvbiUyMFJvb3QlMjBDZXJ0aWZpY2F0ZSUyMEF1dGhvcml0eSUyMDIwMjAuY3JsMIGUBggrBgEFBQcBAQSBhzCBhDCBgQYIKwYBBQUHMAKGdWh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2lvcHMvY2VydHMvTWljcm9zb2Z0JTIwSWRlbnRpdHklMjBWZXJpZmljYXRpb24lMjBSb290JTIwQ2VydGlmaWNhdGUlMjBBdXRob3JpdHklMjAyMDIwLmNydDANBgkqhkiG9w0BAQwFAAOCAgEAX4h2x35ttVoVdedMeGj6TuHYRJklFaW4sTQ5r+k77iB79cSLNe+GzRjv4pVjJviceW6AF6ycWoEYR0LYhaa0ozJLU5Yi+LCmcrdovkl53DNt4EXs87KDogYb9eGEndSpZ5ZM74LNvVzY0/nPISHz0Xva71QjD4h+8z2XMOZzY7YQ0Psw+etyNZ1CesufU211rLslLKsO8F2aBs2cIo1k+aHOhrw9xw6JCWONNboZ497mwYW5EfN0W3zL5s3ad4Xtm7yFM7Ujrhc0aqy3xL7D5FR2J7x9cLWMq7eb0oYioXhqV2tgFqbKHeDick+P8tHYIFovIP7YG4ZkJWag1H91KlELGWi3SLv10o4KGag42pswjybTi4toQcC/irAodDW8HNtX+cbz0sMptFJK+KObAnDFHEsukxD+7jFfEV9Hh/+CSxKRsmnuiovCWIOb+H7DRon9TlxydiFhvu88o0w35JkNbJxTk4MhF/KgaXn0GxdH8elEa2Imq45gaa8D+mTm8LWVydt4ytxYP/bqjN49D9NZ81coE6aQWm88TwIf4R4YZbOpMKN0CyejaPNN41LGXHeCUMYmBx3PkP8ADHD1J2Cr/6tjuOOCztfp+o9Nc+ZoIAkpUcA/X2gSMkgHAPUvIdtoSAHEUKiBhI6JQivRepyvWcl+JYbYbBh7pmgAXVswggeWMIIFfqADAgECAhMzAAAAILABry+HZ1yLAAAAAAAgMA0GCSqGSIb3DQEBDAUAMGExCzAJBgNVBAYTAlVTMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xMjAwBgNVBAMTKU1pY3Jvc29mdCBQdWJsaWMgUlNBIFRpbWVzdGFtcGluZyBDQSAyMDIwMB4XDTIyMDcwNzE4MzcyNVoXDTIzMDcwNzE4MzcyNVowgdoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJTAjBgNVBAsTHE1pY3Jvc29mdCBBbWVyaWNhIE9wZXJhdGlvbnMxJjAkBgNVBAsTHVRoYWxlcyBUU1MgRVNOOkJCNzMtOTZGRC03N0VGMTUwMwYDVQQDEyxNaWNyb3NvZnQgUHVibGljIFJTQSBUaW1lIFN0YW1waW5nIEF1dGhvcml0eTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJfrDPjIApwaQSPdWUxuANiv4GZE2obHbYId1LQ3rKeYkG2gI60gjkZ/r91gQk+MGJmwH3yYmwt7We73TZl5l0D5I5XWTZ5E5sNTIL2JVixc1AoQWdo3/0UnkL0EwlnXeY+0BjD4HLmrOd40ESmRIbEcySFPDTDJVKOHwHfZQmvAtYdJtzAYId5U1C2H9HYz8u8PrKomfNZNRTWZ4TOIgSQmp8wqdy5B+9zrccbIFbwHgrmOUBo1ZJ/Cnsa7bZjXIXd2tKkU7Busu20Kk37rmYtjAPeCtf3AxTePVuuyIfxehybPVCu8ARYYbh2gFv1gxkVr3WA/z9R2ou0mYthWWkoY3xNMpqDFoX7o2QLiLwS0KZtpfGR13Q+Zd/0/Gwm1lAnx5m9i33S2v/YmiQ5T78fnpDXNV1CB+m39aLrdqFkgRP4fvIvrmh55o/olCK909zawMUusIxuKjZzIhopUfmYIntghpArqAw1+Jbwh6GPYHhO5OJqkzdui7EQjYU7570hD6QF89vdLyZcdt2JLbAEAoi8Vv2p7pHrOf3kmwTh1JHzEm4ikXwK7lwU4jpQKkCRFZGB14KAH4NQhpzZUbsnocF3FSHdKqhujUgG1ZvfQSnC5v4YxK7vTXda/fVHFAe/lVeTWhd2nhwkipMQalTa5fGZMQhNsgakQCY7xLyN5AgMBAAGjggHLMIIBxzAdBgNVHQ4EFgQUuEIMWjpKNO9UmKDYjfBwcPO7p6UwHwYDVR0jBBgwFoAUa2koOjUvSGNAz3vYr0npPtk92yEwbAYDVR0fBGUwYzBhoF+gXYZbaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9jcmwvTWljcm9zb2Z0JTIwUHVibGljJTIwUlNBJTIwVGltZXN0YW1waW5nJTIwQ0ElMjAyMDIwLmNybDB5BggrBgEFBQcBAQRtMGswaQYIKwYBBQUHMAKGXWh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2lvcHMvY2VydHMvTWljcm9zb2Z0JTIwUHVibGljJTIwUlNBJTIwVGltZXN0YW1waW5nJTIwQ0ElMjAyMDIwLmNydDAMBgNVHRMBAf8EAjAAMBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMIMA4GA1UdDwEB/wQEAwIHgDBmBgNVHSAEXzBdMFEGDCsGAQQBgjdMg30BATBBMD8GCCsGAQUFBwIBFjNodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL0RvY3MvUmVwb3NpdG9yeS5odG0wCAYGZ4EMAQQCMA0GCSqGSIb3DQEBDAUAA4ICAQA+BB8mdH2+dvIq3A3laqGQxsmTevSR70CoAJgTHxQyFHSdJoi+Rcmbb43cag8tk8/pdL+Jh3fl+hx9zs6jwupKnx9JDWINaHO1MwC1GXwB1KHHCaCkYmhOQlueyxNYzwg8A//3l9xG8TEGZCneaKqcvlYOd413usIgCNwtUQYBSmPYx0nTjGYdra2q5CfoK9W5MWvdmLdl+AVqkxuO0Upvoh68kt2yfQn2pf8SQ32O3M/H77pS4T/wz4SQl1acWsXY1AJa+WizVr15UU3BLPStQAPCDnIuE5aPuQ6jd5ipwZFt6dHlPDitCzfiR2q81gfCqwhdh2hXz2/ajBxSod276jO6JCk3ad7RW0Dp2M+n5jc1Y35YV/EKVihO/H3eckrEoVWGCymKXs3XT3kokUCplJLyGmbotNCx+ZvfSI48+uuvZC9+rAIqBmdqLQseAn9HXyuvLAgxsS94sMoBqvTq1ijKuU8LFKpe+uuHgvyoS9WQvKDf6LsqWMs7dAoO4AaiXHJ53MM3HUW25hD9mgOiXQ4/Swx1zTDY19tHkbAKSSkbXPWbaGG7lmobhDsmcA2K/pr7P1SyDwdum2Kb7b5vwThFMuOc7HHJAmNzd+iExdyAG7xtlXfUfZCq7dCHM359HyQQeXGq60LjJJnEmQg/1hCJLRi/6aXhs5ef11ByaaGCAsIwggIrAgEBMIIBCKGB4KSB3TCB2jELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjElMCMGA1UECxMcTWljcm9zb2Z0IEFtZXJpY2EgT3BlcmF0aW9uczEmMCQGA1UECxMdVGhhbGVzIFRTUyBFU046QkI3My05NkZELTc3RUYxNTAzBgNVBAMTLE1pY3Jvc29mdCBQdWJsaWMgUlNBIFRpbWUgU3RhbXBpbmcgQXV0aG9yaXR5oiMKAQEwBwYFKw4DAhoDFQBxP9XKMVHCfYLf94OEYCTUfcickqBnMGWkYzBhMQswCQYDVQQGEwJVUzEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMTIwMAYDVQQDEylNaWNyb3NvZnQgUHVibGljIFJTQSBUaW1lc3RhbXBpbmcgQ0EgMjAyMDANBgkqhkiG9w0BAQUFAAIFAOdQEbEwIhgPMjAyMjEyMjMxOTM4MjVaGA8yMDIyMTIyNDE5MzgyNVowdzA9BgorBgEEAYRZCgQBMS8wLTAKAgUA51ARsQIBADAKAgEAAgIlpAIB/zAHAgEAAgIQPjAKAgUA51FjMQIBADA2BgorBgEEAYRZCgQCMSgwJjAMBgorBgEEAYRZCgMCoAowCAIBAAIDB6EgoQowCAIBAAIDAYagMA0GCSqGSIb3DQEBBQUAA4GBAImt1MTgbVpjSFDab7gZcHAVdQEhK3Zp5b1I7rLeWx0k1Y+tplXarYWhlDvcvxozw+48i2wvm6iHPSxEnUR+H0PEJF/pFy7l6rOEQs8uuBZVSGYo2wFFK+lFNA7r2FWmTikYGk9XjfnMFNArbxs9o9QVlUY/6WoM6WEkUgGuDvZkMYID1DCCA9ACAQEweDBhMQswCQYDVQQGEwJVUzEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMTIwMAYDVQQDEylNaWNyb3NvZnQgUHVibGljIFJTQSBUaW1lc3RhbXBpbmcgQ0EgMjAyMAITMwAAACCwAa8vh2dciwAAAAAAIDANBglghkgBZQMEAgEFAKCCAS0wGgYJKoZIhvcNAQkDMQ0GCyqGSIb3DQEJEAEEMC8GCSqGSIb3DQEJBDEiBCAVapw8u8Wag7VzCLn/V4PE9K93bMP+UpHwhjE/Wu3gNzCB3QYLKoZIhvcNAQkQAi8xgc0wgcowgccwgaAEIFhihPvZpcuYhxuCwBVX0TScD+2Y2bz889qjxrnB4/REMHwwZaRjMGExCzAJBgNVBAYTAlVTMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xMjAwBgNVBAMTKU1pY3Jvc29mdCBQdWJsaWMgUlNBIFRpbWVzdGFtcGluZyBDQSAyMDIwAhMzAAAAILABry+HZ1yLAAAAAAAgMCIEIEdqQU35FupEwXbf4BS3S3pyLz06tQR3G8WQf3bxQm3TMA0GCSqGSIb3DQEBCwUABIICACadEkAftX3fmQfnZ5iY4jThnD6zKzEW7XIfba+mHWtxsCV9GytDW86X/x7gzwhkEBuih7q6i1D/3EN2ceDMZP1W5g1Q2yqu/MnIR0FPykAtflXm/1i5Ac/fMM2yuaoWVAWm4J6zsZk3KwQT9D7ve6gMeo8qUbkiVM2pG2j4bnJaY9IeuPoa9zO4svyNtwgydPdGJydKL0SB2svTpRU8inu9VzMFaB2rCKWnsRN89OCisbj08EKlkhmAn+dWr1E+qw5RYibnvDzrgbIX+ukuiuIfpkmpwi4GpnTqpQQX28agDZ91O46MCKwGb053qxez90V3LyholdLe1SJ6aCagoK4WFKG9+b3nJsfG6hzxiDNPA3v6rTG69M5c2FUvqCBUwQAtMrIiSbPULaRiclZEnkbXoOS7074aBIGYr7vhRz02qMqydsSwAPspmXbn8w/Jy0ZqIzP0uaPxqpJBTK/UWh3mxI0QSDWXmo6DgVBuQF3Yr4Fd/EsQAd8GJZPgutQcIAnvoABm2HqO60vEbs5DbVmlNv+1GeZtrKQXd1tDxphHzkX1BjogAc/Kwa7XVmvPnLL/scQAM976kzcuWMMb5bxxXdqNHXEjH7FMPTvBparOkYMQuLnWdZ5t1XRJXnjTbS7ecrveEQmJRKtUQ+QwADGN8Mjb3C8JFk6Wu0dHMfbu";
        byte[] bytes = Convert.FromBase64String(base64);
        SignedCms signedCms = new();

        signedCms.Decode(bytes);

        // Any certificate will do, so use one that's readily available.
        X509Certificate2 certificate = signedCms.SignerInfos[0].Certificate!;

        signedCms.AddCertificate(certificate);
    }
}

Expected behavior

Based on the resolution of #62307, the expected behavior here is that non-X.509 certificates will be ignored and adding/removing X.509 certificates will succeed/fail in the same way as if the SignedCms instance contained only X.509 certificates.

Actual behavior

System.Security.Cryptography.CryptographicException: Certificate already present in the collection.
   at System.Security.Cryptography.Pkcs.SignedCms.AddCertificate(X509Certificate2 certificate)
   at ConsoleApp2.Program.Main() in E:\\throwaway\\ConsoleApp2\\Program.cs:line 19

Regression?

No

Known Workarounds

No response

Configuration

The version of System.Security.Cryptography.Pkcs used here contains #64348.

PS C:\> [System.Diagnostics.FileVersionInfo]::GetVersionInfo('***\System.Security.Cryptography.Pkcs.dll') | Format-List

OriginalFilename  : System.Security.Cryptography.Pkcs.dll
FileDescription   : System.Security.Cryptography.Pkcs
ProductName       : Microsoft® .NET
Comments          : Provides support for PKCS and CMS algorithms.

                    Commonly Used Types:
                    System.Security.Cryptography.Pkcs.EnvelopedCms
CompanyName       : Microsoft Corporation
FileName          : ***\System.Security.Cryptography.Pkcs.dll
FileVersion       : 7.0.22.51805
ProductVersion    : 7.0.0+d099f075e45d2aa6007a22b71b45a08758559f80
IsDebug           : False
IsPatched         : False
IsPreRelease      : False
IsPrivateBuild    : False
IsSpecialBuild    : False
Language          : Language Neutral
LegalCopyright    : © Microsoft Corporation. All rights reserved.
LegalTrademarks   :
PrivateBuild      :
SpecialBuild      :
FileVersionRaw    : 7.0.22.51805
ProductVersionRaw : 7.0.0.0

Other information

No response

Author:	dtivel
Assignees:	-
Labels:	area-System.Security
Milestone:	-

[vcsjones]

I think the repro you are looking for is something like this:

using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;

internal class Program
{
    static void Main()
    {
        string base64 = "MIIXTgYJKoZIhvcNAQcCoIIXPzCCFzsCAQMxDzANBglghkgBZQMEAgEFADCCAWEGCyqGSIb3DQEJEAEEoIIBUASCAUwwggFIAgEBBgorBgEEAYRZCgMBMDEwDQYJYIZIAWUDBAIBBQAEIN/9YCG7K9Wwr2dikICew6Uxkd2Bx/cKSyhoijYhgphvAgZjoE0wcE0YEzIwMjIxMjIzMTQ0MDQwLjEzN1owBIACAfSggeCkgd0wgdoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJTAjBgNVBAsTHE1pY3Jvc29mdCBBbWVyaWNhIE9wZXJhdGlvbnMxJjAkBgNVBAsTHVRoYWxlcyBUU1MgRVNOOkJCNzMtOTZGRC03N0VGMTUwMwYDVQQDEyxNaWNyb3NvZnQgUHVibGljIFJTQSBUaW1lIFN0YW1waW5nIEF1dGhvcml0eaCCEeYwggeCMIIFaqADAgECAhMzAAAABeXPD/9mLsmHAAAAAAAFMA0GCSqGSIb3DQEBDAUAMHcxCzAJBgNVBAYTAlVTMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xSDBGBgNVBAMTP01pY3Jvc29mdCBJZGVudGl0eSBWZXJpZmljYXRpb24gUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgMjAyMDAeFw0yMDExMTkyMDMyMzFaFw0zNTExMTkyMDQyMzFaMGExCzAJBgNVBAYTAlVTMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xMjAwBgNVBAMTKU1pY3Jvc29mdCBQdWJsaWMgUlNBIFRpbWVzdGFtcGluZyBDQSAyMDIwMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAnnznUmP94MWfBX1jtQYioxwe1+eXM9ETBb1lRkd3kcFdcG9/sqtDlwxKoVIcaqDb+omFio5DHC4RBcbyQHjXCwMk/l3TOYtgoBjxnG/eViS4sOx8y4gSq8Zg49REAf5huXhIkQRKe3Qxs8Sgp02KHAznEa/Ssah8nWo5hJM1xznkRsFPu6rfDHeZeG1Wa1wISvlkpOQooTULFm809Z0ZYlQ8Lp7i5F9YciFlyAKwn6yjN/kR4fkquUWfGmMopNq/B8U/pdoZkZZQbxNlqJOiBGgCWpx69uKqKhTPVi3gVErnc/qi+dR8A2MiAz0kN0nh7SqINGbmw5OIRC0EsZ31WF3Uxp3GgZwetEKxLms73KG/Z+MkeuaVDQQheangOEMGJ4pQZH55ngI0Tdy1bi69INBV5Kn2HVJo9XxRYR/JPGAaM6xGl57Ei95HUw9NV/uC3yFjrhc087qLJQawSC3xzY/EXzsT4I7sDbxOmM2rl4uKK6eEpurRduOQ2hTkmG1hSuWYBunFGNv21Kt4N20AKmbeuSnGnsBCd2cjRKG79+TX+sTehawOoxfeOO/jR7wo3liwkGdzPJYHgnJ54UxbckF914AqHOiEV7xTnD1a69w/UTxwjEugpIPMIIE67SFZ2PMo27xjlLAHWW3l1CEAFjLNHd3EQ79PUr8FUXetXr0CAwEAAaOCAhswggIXMA4GA1UdDwEB/wQEAwIBhjAQBgkrBgEEAYI3FQEEAwIBADAdBgNVHQ4EFgQUa2koOjUvSGNAz3vYr0npPtk92yEwVAYDVR0gBE0wSzBJBgRVHSAAMEEwPwYIKwYBBQUHAgEWM2h0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2lvcHMvRG9jcy9SZXBvc2l0b3J5Lmh0bTATBgNVHSUEDDAKBggrBgEFBQcDCDAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFMh+0mqFKhvKGZgEByfPUBBPaKiiMIGEBgNVHR8EfTB7MHmgd6B1hnNodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNyb3NvZnQlMjBJZGVudGl0eSUyMFZlcmlmaWNhdGlvbiUyMFJvb3QlMjBDZXJ0aWZpY2F0ZSUyMEF1dGhvcml0eSUyMDIwMjAuY3JsMIGUBggrBgEFBQcBAQSBhzCBhDCBgQYIKwYBBQUHMAKGdWh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2lvcHMvY2VydHMvTWljcm9zb2Z0JTIwSWRlbnRpdHklMjBWZXJpZmljYXRpb24lMjBSb290JTIwQ2VydGlmaWNhdGUlMjBBdXRob3JpdHklMjAyMDIwLmNydDANBgkqhkiG9w0BAQwFAAOCAgEAX4h2x35ttVoVdedMeGj6TuHYRJklFaW4sTQ5r+k77iB79cSLNe+GzRjv4pVjJviceW6AF6ycWoEYR0LYhaa0ozJLU5Yi+LCmcrdovkl53DNt4EXs87KDogYb9eGEndSpZ5ZM74LNvVzY0/nPISHz0Xva71QjD4h+8z2XMOZzY7YQ0Psw+etyNZ1CesufU211rLslLKsO8F2aBs2cIo1k+aHOhrw9xw6JCWONNboZ497mwYW5EfN0W3zL5s3ad4Xtm7yFM7Ujrhc0aqy3xL7D5FR2J7x9cLWMq7eb0oYioXhqV2tgFqbKHeDick+P8tHYIFovIP7YG4ZkJWag1H91KlELGWi3SLv10o4KGag42pswjybTi4toQcC/irAodDW8HNtX+cbz0sMptFJK+KObAnDFHEsukxD+7jFfEV9Hh/+CSxKRsmnuiovCWIOb+H7DRon9TlxydiFhvu88o0w35JkNbJxTk4MhF/KgaXn0GxdH8elEa2Imq45gaa8D+mTm8LWVydt4ytxYP/bqjN49D9NZ81coE6aQWm88TwIf4R4YZbOpMKN0CyejaPNN41LGXHeCUMYmBx3PkP8ADHD1J2Cr/6tjuOOCztfp+o9Nc+ZoIAkpUcA/X2gSMkgHAPUvIdtoSAHEUKiBhI6JQivRepyvWcl+JYbYbBh7pmgAXVswggeWMIIFfqADAgECAhMzAAAAILABry+HZ1yLAAAAAAAgMA0GCSqGSIb3DQEBDAUAMGExCzAJBgNVBAYTAlVTMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xMjAwBgNVBAMTKU1pY3Jvc29mdCBQdWJsaWMgUlNBIFRpbWVzdGFtcGluZyBDQSAyMDIwMB4XDTIyMDcwNzE4MzcyNVoXDTIzMDcwNzE4MzcyNVowgdoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJTAjBgNVBAsTHE1pY3Jvc29mdCBBbWVyaWNhIE9wZXJhdGlvbnMxJjAkBgNVBAsTHVRoYWxlcyBUU1MgRVNOOkJCNzMtOTZGRC03N0VGMTUwMwYDVQQDEyxNaWNyb3NvZnQgUHVibGljIFJTQSBUaW1lIFN0YW1waW5nIEF1dGhvcml0eTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJfrDPjIApwaQSPdWUxuANiv4GZE2obHbYId1LQ3rKeYkG2gI60gjkZ/r91gQk+MGJmwH3yYmwt7We73TZl5l0D5I5XWTZ5E5sNTIL2JVixc1AoQWdo3/0UnkL0EwlnXeY+0BjD4HLmrOd40ESmRIbEcySFPDTDJVKOHwHfZQmvAtYdJtzAYId5U1C2H9HYz8u8PrKomfNZNRTWZ4TOIgSQmp8wqdy5B+9zrccbIFbwHgrmOUBo1ZJ/Cnsa7bZjXIXd2tKkU7Busu20Kk37rmYtjAPeCtf3AxTePVuuyIfxehybPVCu8ARYYbh2gFv1gxkVr3WA/z9R2ou0mYthWWkoY3xNMpqDFoX7o2QLiLwS0KZtpfGR13Q+Zd/0/Gwm1lAnx5m9i33S2v/YmiQ5T78fnpDXNV1CB+m39aLrdqFkgRP4fvIvrmh55o/olCK909zawMUusIxuKjZzIhopUfmYIntghpArqAw1+Jbwh6GPYHhO5OJqkzdui7EQjYU7570hD6QF89vdLyZcdt2JLbAEAoi8Vv2p7pHrOf3kmwTh1JHzEm4ikXwK7lwU4jpQKkCRFZGB14KAH4NQhpzZUbsnocF3FSHdKqhujUgG1ZvfQSnC5v4YxK7vTXda/fVHFAe/lVeTWhd2nhwkipMQalTa5fGZMQhNsgakQCY7xLyN5AgMBAAGjggHLMIIBxzAdBgNVHQ4EFgQUuEIMWjpKNO9UmKDYjfBwcPO7p6UwHwYDVR0jBBgwFoAUa2koOjUvSGNAz3vYr0npPtk92yEwbAYDVR0fBGUwYzBhoF+gXYZbaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9jcmwvTWljcm9zb2Z0JTIwUHVibGljJTIwUlNBJTIwVGltZXN0YW1waW5nJTIwQ0ElMjAyMDIwLmNybDB5BggrBgEFBQcBAQRtMGswaQYIKwYBBQUHMAKGXWh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2lvcHMvY2VydHMvTWljcm9zb2Z0JTIwUHVibGljJTIwUlNBJTIwVGltZXN0YW1waW5nJTIwQ0ElMjAyMDIwLmNydDAMBgNVHRMBAf8EAjAAMBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMIMA4GA1UdDwEB/wQEAwIHgDBmBgNVHSAEXzBdMFEGDCsGAQQBgjdMg30BATBBMD8GCCsGAQUFBwIBFjNodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL0RvY3MvUmVwb3NpdG9yeS5odG0wCAYGZ4EMAQQCMA0GCSqGSIb3DQEBDAUAA4ICAQA+BB8mdH2+dvIq3A3laqGQxsmTevSR70CoAJgTHxQyFHSdJoi+Rcmbb43cag8tk8/pdL+Jh3fl+hx9zs6jwupKnx9JDWINaHO1MwC1GXwB1KHHCaCkYmhOQlueyxNYzwg8A//3l9xG8TEGZCneaKqcvlYOd413usIgCNwtUQYBSmPYx0nTjGYdra2q5CfoK9W5MWvdmLdl+AVqkxuO0Upvoh68kt2yfQn2pf8SQ32O3M/H77pS4T/wz4SQl1acWsXY1AJa+WizVr15UU3BLPStQAPCDnIuE5aPuQ6jd5ipwZFt6dHlPDitCzfiR2q81gfCqwhdh2hXz2/ajBxSod276jO6JCk3ad7RW0Dp2M+n5jc1Y35YV/EKVihO/H3eckrEoVWGCymKXs3XT3kokUCplJLyGmbotNCx+ZvfSI48+uuvZC9+rAIqBmdqLQseAn9HXyuvLAgxsS94sMoBqvTq1ijKuU8LFKpe+uuHgvyoS9WQvKDf6LsqWMs7dAoO4AaiXHJ53MM3HUW25hD9mgOiXQ4/Swx1zTDY19tHkbAKSSkbXPWbaGG7lmobhDsmcA2K/pr7P1SyDwdum2Kb7b5vwThFMuOc7HHJAmNzd+iExdyAG7xtlXfUfZCq7dCHM359HyQQeXGq60LjJJnEmQg/1hCJLRi/6aXhs5ef11ByaaGCAsIwggIrAgEBMIIBCKGB4KSB3TCB2jELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjElMCMGA1UECxMcTWljcm9zb2Z0IEFtZXJpY2EgT3BlcmF0aW9uczEmMCQGA1UECxMdVGhhbGVzIFRTUyBFU046QkI3My05NkZELTc3RUYxNTAzBgNVBAMTLE1pY3Jvc29mdCBQdWJsaWMgUlNBIFRpbWUgU3RhbXBpbmcgQXV0aG9yaXR5oiMKAQEwBwYFKw4DAhoDFQBxP9XKMVHCfYLf94OEYCTUfcickqBnMGWkYzBhMQswCQYDVQQGEwJVUzEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMTIwMAYDVQQDEylNaWNyb3NvZnQgUHVibGljIFJTQSBUaW1lc3RhbXBpbmcgQ0EgMjAyMDANBgkqhkiG9w0BAQUFAAIFAOdQEbEwIhgPMjAyMjEyMjMxOTM4MjVaGA8yMDIyMTIyNDE5MzgyNVowdzA9BgorBgEEAYRZCgQBMS8wLTAKAgUA51ARsQIBADAKAgEAAgIlpAIB/zAHAgEAAgIQPjAKAgUA51FjMQIBADA2BgorBgEEAYRZCgQCMSgwJjAMBgorBgEEAYRZCgMCoAowCAIBAAIDB6EgoQowCAIBAAIDAYagMA0GCSqGSIb3DQEBBQUAA4GBAImt1MTgbVpjSFDab7gZcHAVdQEhK3Zp5b1I7rLeWx0k1Y+tplXarYWhlDvcvxozw+48i2wvm6iHPSxEnUR+H0PEJF/pFy7l6rOEQs8uuBZVSGYo2wFFK+lFNA7r2FWmTikYGk9XjfnMFNArbxs9o9QVlUY/6WoM6WEkUgGuDvZkMYID1DCCA9ACAQEweDBhMQswCQYDVQQGEwJVUzEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMTIwMAYDVQQDEylNaWNyb3NvZnQgUHVibGljIFJTQSBUaW1lc3RhbXBpbmcgQ0EgMjAyMAITMwAAACCwAa8vh2dciwAAAAAAIDANBglghkgBZQMEAgEFAKCCAS0wGgYJKoZIhvcNAQkDMQ0GCyqGSIb3DQEJEAEEMC8GCSqGSIb3DQEJBDEiBCAVapw8u8Wag7VzCLn/V4PE9K93bMP+UpHwhjE/Wu3gNzCB3QYLKoZIhvcNAQkQAi8xgc0wgcowgccwgaAEIFhihPvZpcuYhxuCwBVX0TScD+2Y2bz889qjxrnB4/REMHwwZaRjMGExCzAJBgNVBAYTAlVTMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xMjAwBgNVBAMTKU1pY3Jvc29mdCBQdWJsaWMgUlNBIFRpbWVzdGFtcGluZyBDQSAyMDIwAhMzAAAAILABry+HZ1yLAAAAAAAgMCIEIEdqQU35FupEwXbf4BS3S3pyLz06tQR3G8WQf3bxQm3TMA0GCSqGSIb3DQEBCwUABIICACadEkAftX3fmQfnZ5iY4jThnD6zKzEW7XIfba+mHWtxsCV9GytDW86X/x7gzwhkEBuih7q6i1D/3EN2ceDMZP1W5g1Q2yqu/MnIR0FPykAtflXm/1i5Ac/fMM2yuaoWVAWm4J6zsZk3KwQT9D7ve6gMeo8qUbkiVM2pG2j4bnJaY9IeuPoa9zO4svyNtwgydPdGJydKL0SB2svTpRU8inu9VzMFaB2rCKWnsRN89OCisbj08EKlkhmAn+dWr1E+qw5RYibnvDzrgbIX+ukuiuIfpkmpwi4GpnTqpQQX28agDZ91O46MCKwGb053qxez90V3LyholdLe1SJ6aCagoK4WFKG9+b3nJsfG6hzxiDNPA3v6rTG69M5c2FUvqCBUwQAtMrIiSbPULaRiclZEnkbXoOS7074aBIGYr7vhRz02qMqydsSwAPspmXbn8w/Jy0ZqIzP0uaPxqpJBTK/UWh3mxI0QSDWXmo6DgVBuQF3Yr4Fd/EsQAd8GJZPgutQcIAnvoABm2HqO60vEbs5DbVmlNv+1GeZtrKQXd1tDxphHzkX1BjogAc/Kwa7XVmvPnLL/scQAM976kzcuWMMb5bxxXdqNHXEjH7FMPTvBparOkYMQuLnWdZ5t1XRJXnjTbS7ecrveEQmJRKtUQ+QwADGN8Mjb3C8JFk6Wu0dHMfbu";
        byte[] bytes = Convert.FromBase64String(base64);
        SignedCms signedCms = new();

        signedCms.Decode(bytes);

        using ECDsa ec = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        CertificateRequest req = new("CN=test", ec, HashAlgorithmName.SHA256);
        using X509Certificate2 cert = req.CreateSelfSigned(DateTimeOffset.Now, DateTimeOffset.Now);


        signedCms.AddCertificate(cert);
    }
}

Which gives:

Unhandled exception. System.InvalidOperationException: Nullable object must have a value.
   at System.Nullable`1.get_Value()
   at System.Security.Cryptography.Pkcs.SignedCms.AddCertificate(X509Certificate2 certificate)

Your actual code an exception make sense, you are adding an existing certificate to the collection and getting an exception saying that it already exists.

This is related to #65163, where ACS timestamps contain attribute certificates. I will take a look at this as soon as possible.

[vcsjones]

I opened a pull request that should address the issue. I did a look through the codebase to see if there were any other areas that might be affected by attribute certificates. Nothing stood out to me, and the added tests check the attribute certificates round trip through encoding.

[dtivel]

Yes, @vcsjones, you're right about the incorrect repro. I had correct repro steps, and, in the process of simplifying, I oversimplified. I exchanged a new certificate with an existing certificate --- not noticing that the exception changed as a result of the oversimplification. I fixed the original repro steps.

[vcsjones]

Re-opening for backports.