Description
CertificateRevocationListBuilder.LoadPem asserts that the PEM contains no trailing data; however, it defers to a DER loader that permits trailing data (and reports the number of bytes read). This means that a PEM can contain trailing data that gets ignored in release builds and asserts in debug builds.
Reproduction Steps
```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Self-signed CA certificate to sign the CRL with.
using ECDsa key = ECDsa.Create(ECCurve.NamedCurves.nistP256);
CertificateRequest req = new("CN=potato", key, HashAlgorithmName.SHA256);
req.CertificateExtensions.Add(X509BasicConstraintsExtension.CreateForCertificateAuthority());
using X509Certificate2 cert = req.CreateSelfSigned(DateTimeOffset.Now, DateTimeOffset.Now.AddYears(1));

// Build a one-entry CRL, then append non-DER bytes after the encoded CRL before PEM-wrapping it.
CertificateRevocationListBuilder builder = new();
builder.AddEntry([1, 2, 3]);
byte[] encoded = builder.Build(cert, 42, DateTimeOffset.Now.AddDays(7), HashAlgorithmName.SHA256);
string pem = PemEncoding.WriteString("X509 CRL", [..encoded, .."potato stew"u8]);

// Release: succeeds and silently ignores "potato stew". Debug: Debug.Assert fires.
_ = CertificateRevocationListBuilder.LoadPem(pem, out _);
```

Expected behavior
I assume the intention is to block loading with trailing data, so I would expect it to throw CryptographicException, i.e. `throw new CryptographicException(SR.Cryptography_Der_Invalid_Encoding);`.
Actual behavior
Trailing data is ignored in release builds, asserts in debug builds.
at System.Diagnostics.Debug.Assert(Boolean condition, String message) in /Users/vcsjones/Projects/runtime/src/libraries/System.Private.CoreLib/src/System/Diagnostics/Debug.cs:line 88
at System.Security.Cryptography.X509Certificates.CertificateRevocationListBuilder.LoadPem(ReadOnlySpan`1 currentCrl, BigInteger& currentCrlNumber) in /Users/vcsjones/Projects/runtime/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/CertificateRevocationListBuilder.Load.cs:line 285
at System.Security.Cryptography.X509Certificates.CertificateRevocationListBuilder.LoadPem(String currentCrl, BigInteger& currentCrlNumber) in /Users/vcsjones/Projects/runtime/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/CertificateRevocationListBuilder.Load.cs:line 235
at System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.CrlBuilderTests.<>c.<LoadPem_TrailingData>b__45_0() in /Users/vcsjones/Projects/runtime/src/libraries/System.Security.Cryptography/tests/X509Certificates/CertificateCreation/CrlBuilderTests.cs:line 1400
at System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.CrlBuilderTests.LoadPem_TrailingData() in /Users/vcsjones/Projects/runtime/src/libraries/System.Security.Cryptography/tests/X509Certificates/CertificateCreation/CrlBuilderTests.cs:line 1400
Regression?
No.
Known Workarounds
No response
Configuration
No response
Other information
No response
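As an added example (not the reporter's reproduction and not code from dotnet/runtime), the following shows the check the issue says the PEM path is missing: decode the base64 body, measure the single outer DER SEQUENCE that a CRL consists of, and refuse anything left over. `StrictCrlPem` and `LoadPemStrict` are hypothetical names for this wrapper; `PemEncoding.TryFind`, `AsnDecoder.ReadSequence` and `CertificateRevocationListBuilder.LoadPem` are the real .NET 7+ APIs. The CRL and the "potato stew" trailing bytes are constructed inline, mirroring the reproduction above, so the sample runs offline.

```csharp
using System;
using System.Formats.Asn1;
using System.Numerics;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Construct a small CRL so there is a real "X509 CRL" PEM to test against (sample input, not from the issue).
using ECDsa key = ECDsa.Create(ECCurve.NamedCurves.nistP256);
CertificateRequest req = new("CN=potato", key, HashAlgorithmName.SHA256);
req.CertificateExtensions.Add(X509BasicConstraintsExtension.CreateForCertificateAuthority());
using X509Certificate2 cert = req.CreateSelfSigned(DateTimeOffset.Now, DateTimeOffset.Now.AddYears(1));

CertificateRevocationListBuilder builder = new();
builder.AddEntry([1, 2, 3]);
byte[] encoded = builder.Build(cert, 42, DateTimeOffset.Now.AddDays(7), HashAlgorithmName.SHA256);

string cleanPem = PemEncoding.WriteString("X509 CRL", encoded);
string dirtyPem = PemEncoding.WriteString("X509 CRL", [.. encoded, .. "potato stew"u8]);

// Clean input loads and yields the CRL number that was built in.
StrictCrlPem.LoadPemStrict(cleanPem, out BigInteger number);
Console.WriteLine($"clean PEM loaded, CRL number {number}");

// Trailing bytes are rejected before the runtime's loader ever sees them.
try
{
    StrictCrlPem.LoadPemStrict(dirtyPem, out _);
    Console.WriteLine("BUG: trailing data was accepted");
}
catch (CryptographicException ex)
{
    Console.WriteLine($"trailing data rejected: {ex.Message}");
}

static class StrictCrlPem
{
    // Hypothetical wrapper (not a BCL API) with the same contract as CertificateRevocationListBuilder.LoadPem,
    // except that the decoded DER must be exactly one SEQUENCE with nothing after it.
    public static CertificateRevocationListBuilder LoadPemStrict(string pem, out BigInteger currentCrlNumber)
    {
        if (!PemEncoding.TryFind(pem, out PemFields fields))
            throw new CryptographicException("No PEM block found.");

        if (!pem[fields.Label].Equals("X509 CRL", StringComparison.Ordinal))
            throw new CryptographicException($"Unexpected PEM label '{pem[fields.Label]}'.");

        byte[] der = Convert.FromBase64String(pem[fields.Base64Data]);

        // A CertificateList is a single DER SEQUENCE. Measuring it under the DER rule set gives the
        // number of bytes a DER loader would consume; any remainder is trailing data.
        AsnDecoder.ReadSequence(der, AsnEncodingRules.DER, out _, out _, out int bytesConsumed);

        if (bytesConsumed != der.Length)
            throw new CryptographicException(
                $"{der.Length - bytesConsumed} byte(s) of trailing data after the CRL.");

        // Only now hand the (verified clean) PEM to the runtime's loader.
        return CertificateRevocationListBuilder.LoadPem(pem, out currentCrlNumber);
    }
}
```

The length comparison is the whole point: `ReadSequence` under `AsnEncodingRules.DER` already rejects indefinite lengths and non-minimal length encodings, so `bytesConsumed` is the exact size of the CRL and the inequality cannot be satisfied by a crafted length field. The same pattern applies to any PEM-wrapped DER structure where the underlying loader reports how many bytes it read instead of insisting it read them all.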