From f0bc95760e18c725dcddee3227b47db50806d5d4 Mon Sep 17 00:00:00 2001
From: Jeff Handley <jeffhand@microsoft.com>
Date: Tue, 20 Jun 2023 18:28:40 +0000
Subject: [PATCH] Merged PR 32088: Merged PR 32017: [7.0] Fix regression
 loading null-password encrypted PFX certificates

When decrypting the payload with empty string and null passwords, try reading the payload with the Asn reader to ensure the header matches the expected format. If that succeeds, then proceed with the iteration counting. This guards against a false-positive match that previously caused our iteration count work to throw/abort, thus preventing some null-password encrypted payloads from being loaded.
---
 .../Cryptography/Asn1/Pkcs12/PfxAsn.manual.cs        | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/libraries/Common/src/System/Security/Cryptography/Asn1/Pkcs12/PfxAsn.manual.cs b/src/libraries/Common/src/System/Security/Cryptography/Asn1/Pkcs12/PfxAsn.manual.cs
index b20fa4e016073c..b934884323724d 100644
--- a/src/libraries/Common/src/System/Security/Cryptography/Asn1/Pkcs12/PfxAsn.manual.cs
+++ b/src/libraries/Common/src/System/Security/Cryptography/Asn1/Pkcs12/PfxAsn.manual.cs
@@ -249,6 +249,12 @@ private static ArraySegment<byte> DecryptContentInfo(ContentInfoAsn contentInfo,
                         default,
                         encryptedData.EncryptedContentInfo.EncryptedContent.Value.Span,
                         destination);
+
+                    // When padding happens to be as expected (false-positive), we can detect gibberish and prevent unexpected failures later
+                    // This extra check makes it so it's very unlikely we'll end up with false positive.
+                    AsnValueReader outerSafeBag = new AsnValueReader(destination.AsSpan(0, written), AsnEncodingRules.BER);
+                    AsnValueReader safeBagReader = outerSafeBag.ReadSequence();
+                    outerSafeBag.ThrowIfNotEmpty();
                 }
                 catch
                 {
@@ -259,6 +265,12 @@ private static ArraySegment<byte> DecryptContentInfo(ContentInfoAsn contentInfo,
                         default,
                         encryptedData.EncryptedContentInfo.EncryptedContent.Value.Span,
                         destination);
+
+                    // When padding happens to be as expected (false-positive), we can detect gibberish and prevent unexpected failures later
+                    // This extra check makes it so it's very unlikely we'll end up with false positive.
+                    AsnValueReader outerSafeBag = new AsnValueReader(destination.AsSpan(0, written), AsnEncodingRules.BER);
+                    AsnValueReader safeBagReader = outerSafeBag.ReadSequence();
+                    outerSafeBag.ThrowIfNotEmpty();
                 }
             }
             finally