diff --git a/src/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Unix/X500NameEncoder.ManagedDecode.cs b/src/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Unix/X500NameEncoder.ManagedDecode.cs
index d4084145ed4a..c7b48b05e519 100644
--- a/src/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Unix/X500NameEncoder.ManagedDecode.cs
+++ b/src/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Unix/X500NameEncoder.ManagedDecode.cs
@@ -29,7 +29,9 @@ private static string X500DistinguishedNameDecode(
 while (x500NameSequenceReader.HasData)
 {
- rdnReaders.Add(x500NameSequenceReader.ReadSetOf());
+ // To match Windows' behavior, permit multi-value RDN SETs to not
+ // be DER sorted.
+ rdnReaders.Add(x500NameSequenceReader.ReadSetOf(skipSortOrderValidation: true));
 }
 // We need to allocate a StringBuilder to hold the data as we're building it, and there's the usual
diff --git a/src/System.Security.Cryptography.X509Certificates/tests/X500DistinguishedNameTests.cs b/src/System.Security.Cryptography.X509Certificates/tests/X500DistinguishedNameTests.cs
index a2e4977eb2dd..15d8cfdb9a71 100644
--- a/src/System.Security.Cryptography.X509Certificates/tests/X500DistinguishedNameTests.cs
+++ b/src/System.Security.Cryptography.X509Certificates/tests/X500DistinguishedNameTests.cs
@@ -210,6 +210,15 @@ public static void NameWithNumericString()
 Assert.Equal("OID.1.1.1.2.2.3=123 654 7890, CN=Test", dn.Decode(X500DistinguishedNameFlags.None));
 }
+ [Fact]
+ public static void OrganizationUnitMultiValueWithIncorrectlySortedDerSet()
+ {
+ X500DistinguishedName dn = new X500DistinguishedName(
+ "301C311A300B060355040B13047A7A7A7A300B060355040B130461616161".HexToByteArray());
+
+ Assert.Equal("OU=zzzz + OU=aaaa", dn.Decode(X500DistinguishedNameFlags.None));
+ }
+
 public static readonly object[][] WhitespaceBeforeCases =
 {
 // Regular space.
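Review bot: The new comment above `ReadSetOf(skipSortOrderValidation: true)` gives the reason (Windows parity) but not the scope of the relaxation, which matters because the name decoder now accepts input that is not valid DER. I would extend it to say that only the SET OF ordering check is skipped and that values come out in their encoded order, for example `// Only the SET OF sort check is relaxed; values keep their encoded order, so the decoded string is for display and is not a canonical form of the name.` Whether the reader's other DER checks still run with this flag set cannot be seen here, because ReadSetOf is defined outside the diff, so confirm that before the comment claims it. X500DistinguishedNameDecode starts and ends outside the hunk.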
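Review bot: The added test pins only the accepted, mis-sorted input under `X500DistinguishedNameFlags.None`, so nothing here shows that the relaxation stops at ordering. A companion case with the same two attribute values in DER order, asserting `Assert.Equal("OU=aaaa + OU=zzzz", sorted.Decode(X500DistinguishedNameFlags.None));` (where `sorted` is a name built from the reordered bytes), would document that decode preserves encoded order rather than re-sorting. A second case with a SET that is malformed in some other way, for instance a truncated length, that still asserts a throw would guard against the flag widening later. The exception type is not visible in this diff, so take it from the neighbouring negative tests.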