dotnet / runtime

.NET is a cross-platform runtime for cloud, mobile, desktop, and IoT apps.
https://docs.microsoft.com/dotnet/core/
MIT License

Unexpected exception type from X509Certificate2 .ctor #93676

Open sstronin opened 1 year ago

sstronin commented 1 year ago

Description

Some invalid data passed into X509Certificate2(byte[] rawData) ctor produces System.ArgumentOutOfRangeException instead of System.Security.Cryptography.CryptographicException which we could expect following https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509certificate2.-ctor.

Reproduction Steps

Extract argument-exception.cer from argument-exception.zip and use the following constructor call.

new X509Certificate2(File.ReadAllBytes("argument-exception.cer"));

Expected behavior

instance of System.Security.Cryptography.CryptographicException is thrown

Actual behavior

System.ArgumentOutOfRangeException: Specified argument was out of the range of valid values.
   at System.Formats.Asn1.AsnValueReader.ReadSequence(Nullable`1 expectedTag)
   at System.Security.Cryptography.Asn1.Pkcs7.ContentInfoAsn.DecodeCore(AsnValueReader& reader, Asn1Tag expectedTag, ReadOnlyMemory`1 rebind, ContentInfoAsn& decoded)
   at System.Security.Cryptography.Asn1.Pkcs7.ContentInfoAsn.Decode(AsnValueReader& reader, Asn1Tag expectedTag, ReadOnlyMemory`1 rebind, ContentInfoAsn& decoded)
   at System.Security.Cryptography.Asn1.Pkcs12.PfxAsn.DecodeCore(AsnValueReader& reader, Asn1Tag expectedTag, ReadOnlyMemory`1 rebind, PfxAsn& decoded)
   at System.Security.Cryptography.Asn1.Pkcs12.PfxAsn.Decode(AsnValueReader& reader, Asn1Tag expectedTag, ReadOnlyMemory`1 rebind, PfxAsn& decoded)
   at Internal.Cryptography.Pal.UnixPkcs12Reader.ParsePkcs12(ReadOnlySpan`1 data)
   at Internal.Cryptography.Pal.OpenSslPkcs12Reader..ctor(ReadOnlySpan`1 data)
   at Internal.Cryptography.Pal.OpenSslPkcs12Reader.TryRead(ReadOnlySpan`1 data, OpenSslPkcs12Reader& pkcs12Reader, Exception& openSslException, Boolean captureException)
   at Internal.Cryptography.Pal.PkcsFormatReader.TryReadPkcs12(ReadOnlySpan`1 rawData, SafePasswordHandle password, Boolean single, Boolean ephemeralSpecified, Boolean readingFromFile, ICertificatePal& readPal, List`1& readCerts, Exception& openSslException)
   at Internal.Cryptography.Pal.OpenSslX509CertificateReader.FromBlob(ReadOnlySpan`1 rawData, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(ReadOnlySpan`1 data)

Regression?

found in NET Runtime 6.0.23

Known Workarounds

No response

Configuration

Linux x64

Other information

It seems either ParsePkcs12() or the documentation should be fixed to avoid unexpected behavior
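A defensive loader for the workaround the report leaves blank, added here as an example and not part of the issue or of the runtime's own code: the file name is the attachment from the issue, and catching ArgumentException alongside the documented CryptographicException is an assumed mitigation for the undocumented path shown in the stack trace.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class CertificateLoader
{
    // Loads a certificate from raw bytes (DER, PEM or PKCS#12 blob).
    // Returns null, with the failure in 'failure', when the input is not a valid certificate.
    //
    // On the runtime described in the issue (.NET 6.0.23, Linux x64) a malformed PKCS#12
    // blob surfaces as ArgumentOutOfRangeException from AsnValueReader.ReadSequence instead
    // of the documented CryptographicException. ArgumentOutOfRangeException derives from
    // ArgumentException, so the second catch below folds that path into the documented one.
    // That extra catch is an assumed workaround, not behaviour the documentation promises.
    public static X509Certificate2? TryLoad(byte[] rawData, out Exception? failure)
    {
        failure = null;
        try
        {
            return new X509Certificate2(rawData);
        }
        catch (CryptographicException ex)
        {
            failure = ex; // documented failure path for invalid data
            return null;
        }
        catch (ArgumentException ex)
        {
            // Undocumented path from the issue: wrap it so callers only ever see one type.
            failure = new CryptographicException("Certificate data could not be decoded.", ex);
            return null;
        }
    }

    static void Main()
    {
        // argument-exception.cer is the sample attached to the issue; any certificate file works.
        byte[] bytes = File.ReadAllBytes("argument-exception.cer");
        using X509Certificate2? cert = TryLoad(bytes, out Exception? failure);
        if (cert is null)
        {
            Console.WriteLine($"Rejected: {failure?.GetType().Name}: {failure?.Message}");
            return;
        }
        Console.WriteLine($"Loaded certificate for {cert.Subject}, thumbprint {cert.Thumbprint}");
    }
}
```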

ghost commented 1 year ago

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones See info in area-owners.md if you want to be subscribed.

bartonjs commented 3 months ago

Do you have an example of an input that produces this behavior?

filipnavara commented 3 months ago

The input is in the OP: https://github.com/dotnet/runtime/files/13031023/argument-exception.zip

bartonjs commented 3 months ago

@filipnavara Thanks for being better at reading than I am. I think I just saw that as part of the link to the docs page.