Unexpected exception type from X509Certificate2 .ctor #93676

Closed
sstronin opened this issue Oct 18, 2023 · 4 comments · Fixed by #109586
Labels
area-System.Security help wanted [up-for-grabs] Good issue for external contributors in-pr There is an active PR which will close this issue when it is merged

Comments

sstronin commented Oct 18, 2023

Description

Some invalid data passed into the X509Certificate2(byte[] rawData) ctor produces System.ArgumentOutOfRangeException instead of System.Security.Cryptography.CryptographicException, which we could expect following https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509certificate2.-ctor.

Reproduction Steps

Extract argument-exception.cer from argument-exception.zip and use the following constructor call.

new X509Certificate2(File.ReadAllBytes("argument-exception.cer"));

Expected behavior

An instance of System.Security.Cryptography.CryptographicException is thrown.

Actual behavior

System.ArgumentOutOfRangeException: Specified argument was out of the range of valid values.
   at System.Formats.Asn1.AsnValueReader.ReadSequence(Nullable`1 expectedTag)
   at System.Security.Cryptography.Asn1.Pkcs7.ContentInfoAsn.DecodeCore(AsnValueReader& reader, Asn1Tag expectedTag, ReadOnlyMemory`1 rebind, ContentInfoAsn& decoded)
   at System.Security.Cryptography.Asn1.Pkcs7.ContentInfoAsn.Decode(AsnValueReader& reader, Asn1Tag expectedTag, ReadOnlyMemory`1 rebind, ContentInfoAsn& decoded)
   at System.Security.Cryptography.Asn1.Pkcs12.PfxAsn.DecodeCore(AsnValueReader& reader, Asn1Tag expectedTag, ReadOnlyMemory`1 rebind, PfxAsn& decoded)
   at System.Security.Cryptography.Asn1.Pkcs12.PfxAsn.Decode(AsnValueReader& reader, Asn1Tag expectedTag, ReadOnlyMemory`1 rebind, PfxAsn& decoded)
   at Internal.Cryptography.Pal.UnixPkcs12Reader.ParsePkcs12(ReadOnlySpan`1 data)
   at Internal.Cryptography.Pal.OpenSslPkcs12Reader..ctor(ReadOnlySpan`1 data)
   at Internal.Cryptography.Pal.OpenSslPkcs12Reader.TryRead(ReadOnlySpan`1 data, OpenSslPkcs12Reader& pkcs12Reader, Exception& openSslException, Boolean captureException)
   at Internal.Cryptography.Pal.PkcsFormatReader.TryReadPkcs12(ReadOnlySpan`1 rawData, SafePasswordHandle password, Boolean single, Boolean ephemeralSpecified, Boolean readingFromFile, ICertificatePal& readPal, List`1& readCerts, Exception& openSslException)
   at Internal.Cryptography.Pal.OpenSslX509CertificateReader.FromBlob(ReadOnlySpan`1 rawData, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(ReadOnlySpan`1 data)

Regression?

Found in .NET Runtime 6.0.23

Known Workarounds

No response

Configuration

Linux x64

Other information

It seems either ParsePkcs12() or the documentation should be fixed to avoid unexpected behavior.
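
A defensive wrapper for code that parses untrusted certificate bytes on a runtime that predates the fix, added here as an example; it is not part of the original issue or of the dotnet/runtime code. `UntrustedCertificateLoader`, `Load` and `TryLoad` are hypothetical names, and the sample bytes are constructed.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class UntrustedCertificateLoader
{
    // Hypothetical helper (not a .NET API): parses untrusted bytes and reports
    // every parse failure as CryptographicException, the type the docs describe.
    public static X509Certificate2 Load(byte[] rawData)
    {
        // Caller bugs stay ArgumentException so they are not mistaken for bad input.
        if (rawData is null || rawData.Length == 0)
            throw new ArgumentException("Certificate data is null or empty.", nameof(rawData));

        try
        {
            return new X509Certificate2(rawData);
        }
        catch (ArgumentException ex)
        {
            // Also covers ArgumentOutOfRangeException escaping the ASN.1 reader, as in
            // the stack trace above. The input was checked, so this is a parse failure.
            throw new CryptographicException("Malformed certificate data.", ex);
        }
    }

    // Non-throwing variant for request paths that handle attacker-supplied data.
    public static bool TryLoad(byte[] rawData, out X509Certificate2? certificate)
    {
        certificate = null;
        try { certificate = Load(rawData); return true; }
        catch (CryptographicException) { return false; }
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample: a SEQUENCE header claiming more content than is present.
        byte[] malformed = { 0x30, 0x82, 0x01, 0x00, 0x02, 0x01, 0x03 };
        bool ok = UntrustedCertificateLoader.TryLoad(malformed, out _);
        Console.WriteLine(ok ? "parsed" : "rejected as malformed");
    }
}
```

The constructed bytes only stand in for malformed input; they are not the attachment from the issue and are not claimed to reproduce the ArgumentOutOfRangeException.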

@ghost ghost added the untriaged New issue has not been triaged by the area owner label Oct 18, 2023
ghost commented Oct 18, 2023

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.



bartonjs commented Jul 5, 2024

Do you have an example of an input that produces this behavior?

@filipnavara


bartonjs commented Jul 5, 2024

@filipnavara Thanks for being better at reading than I am. I think I just saw that as part of the link to the docs page.

@jeffhandley jeffhandley removed the untriaged New issue has not been triaged by the area owner label Jul 19, 2024
@jeffhandley jeffhandley added this to the Future milestone Jul 19, 2024
@jeffhandley jeffhandley added the help wanted [up-for-grabs] Good issue for external contributors label Jul 19, 2024
@dotnet-policy-service dotnet-policy-service bot added the in-pr There is an active PR which will close this issue when it is merged label Nov 6, 2024
@bartonjs bartonjs modified the milestones: Future, 10.0.0 Nov 7, 2024
@github-actions github-actions bot locked and limited conversation to collaborators Dec 8, 2024