From 21c5d554b2ff26d412b2547d6acec8d3dfe15d8e Mon Sep 17 00:00:00 2001
From: Kevin Jones
Date: Thu, 20 Feb 2020 10:48:40 -0500
Subject: [PATCH 1/2] Permit incorrectly DER sorted SET for decoding X500 names.
---
 .../Pal.Unix/X500NameEncoder.ManagedDecode.cs | 2 +-
 .../tests/X500DistinguishedNameTests.cs | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/libraries/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Unix/X500NameEncoder.ManagedDecode.cs b/src/libraries/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Unix/X500NameEncoder.ManagedDecode.cs
index 334a2aebd355f6..0e38da713e6442 100644
--- a/src/libraries/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Unix/X500NameEncoder.ManagedDecode.cs
+++ b/src/libraries/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Unix/X500NameEncoder.ManagedDecode.cs
@@ -29,7 +29,7 @@ private static string X500DistinguishedNameDecode(
 while (x500NameSequenceReader.HasData)
 {
- rdnReaders.Add(x500NameSequenceReader.ReadSetOf());
+ rdnReaders.Add(x500NameSequenceReader.ReadSetOf(skipSortOrderValidation: true));
 }
 // We need to allocate a StringBuilder to hold the data as we're building it, and there's the usual
diff --git a/src/libraries/System.Security.Cryptography.X509Certificates/tests/X500DistinguishedNameTests.cs b/src/libraries/System.Security.Cryptography.X509Certificates/tests/X500DistinguishedNameTests.cs
index 89818491196b34..ce47e677921b00 100644
--- a/src/libraries/System.Security.Cryptography.X509Certificates/tests/X500DistinguishedNameTests.cs
+++ b/src/libraries/System.Security.Cryptography.X509Certificates/tests/X500DistinguishedNameTests.cs
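Review bot: Passing `skipSortOrderValidation: true` to `ReadSetOf` makes the decoder accept a non-canonical encoding that DER says is malformed, so the same logical multi-value RDN now has two byte-distinct encodings that decode to two different strings (the test in this series expects `OU=zzzz + OU=aaaa`, whereas the DER-sorted bytes would decode to `OU=aaaa + OU=zzzz`); any code that matches names by their decoded string rather than by the raw encoding can now disagree depending on which form it was handed. Name equality on X500DistinguishedName should stay byte-based on the raw encoding, and the explanatory comment added in PATCH 2/2 at the same line would be clearer if it also recorded the scope of the relaxation, e.g. `// Decode-only leniency: the encoder still emits DER-sorted SETs, and name comparison stays on the raw bytes.` — this presumes the encoder path is untouched, which is not visible in this series. The body of X500DistinguishedNameDecode starts before and continues after the hunk.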
@@ -201,6 +201,15 @@ public static void NameWithNumericString()
 Assert.Equal("OID.1.1.1.2.2.3=123 654 7890, CN=Test", dn.Decode(X500DistinguishedNameFlags.None));
 }
+ [Fact]
+ public static void OrganizationUnitMultiValueWithIncorrectlySortedDerSet()
+ {
+ X500DistinguishedName dn = new X500DistinguishedName(
+ "301C311A300B060355040B13047A7A7A7A300B060355040B130461616161".HexToByteArray());
+
+ Assert.Equal("OU=zzzz + OU=aaaa", dn.Decode(X500DistinguishedNameFlags.None));
+ }
+
 public static readonly object[][] WhitespaceBeforeCases =
 {
 // Regular space.
From 942a73ec334a5a2cc5cc8acd6b3e2134fa393d12 Mon Sep 17 00:00:00 2001
From: Kevin Jones
Date: Thu, 20 Feb 2020 11:25:39 -0500
Subject: [PATCH 2/2] Add comment to explain.
---
 .../Cryptography/Pal.Unix/X500NameEncoder.ManagedDecode.cs | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/libraries/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Unix/X500NameEncoder.ManagedDecode.cs b/src/libraries/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Unix/X500NameEncoder.ManagedDecode.cs
index 0e38da713e6442..877762e189ba36 100644
--- a/src/libraries/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Unix/X500NameEncoder.ManagedDecode.cs
+++ b/src/libraries/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Unix/X500NameEncoder.ManagedDecode.cs
@@ -29,6 +29,8 @@ private static string X500DistinguishedNameDecode(
 while (x500NameSequenceReader.HasData)
 {
+ // To match Windows' behavior, permit multi-value RDN SETs to not
+ // be DER sorted.
 rdnReaders.Add(x500NameSequenceReader.ReadSetOf(skipSortOrderValidation: true));
 }
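Review bot: The hex literal in OrganizationUnitMultiValueWithIncorrectlySortedDerSet is opaque, and a comment spelling out what it encodes would make the test's intent reviewable: `// SEQUENCE { SET { SEQUENCE { OID 2.5.4.11 (OU), PrintableString "zzzz" }, SEQUENCE { OID 2.5.4.11 (OU), PrintableString "aaaa" } } }` followed by `// DER orders SET elements by encoding, so "aaaa" would precede "zzzz"; this SET is deliberately unsorted.` The assertion also pins that the decoded string keeps the encoded order rather than the canonical one, which is worth saying explicitly so a future change that sorts on output is recognised as a behaviour change and not a cleanup. A companion case built from the same bytes with the two inner SEQUENCEs swapped, asserting `OU=aaaa + OU=zzzz`, would pin that the correctly sorted form still decodes and that order is preserved in both directions.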