Description
The OPC UA protocol has an option to transfer multiple chain certificates during session negotiation. The raw data of the certificates is combined by appending all of it to a single byte array, as in this test.
Later, on the receiver side, the certificates are decoded in a function called ParseCertificateChainBlob. Under the hood it calls new X509Certificate2(encodedData); to decode the first certificate in the blob, then moves on to the remaining bytes in the blob to decode the next certificate, and so on.
On Windows and Linux this works quite nicely, but on macOS it throws an ASN.1 parsing exception due to the extra data in the blob, and some extra code had to be introduced to extract the sequence. See ParseX509Blob.
Reproduction Steps
- clone repo https://github.com/OPCFoundation/UA-.NETStandard
- Run this test and comment out the special handling for macOS in ParseCertificateChainBlob
- decoding the chain throws ASN.1 parsing exception
Expected behavior
The X509Certificate2(byte[]) constructor behaves in the same way on Windows, Linux and macOS.
Actual behavior
The X509Certificate2(byte[]) constructor throws an ASN.1 parsing exception only on macOS if a byte blob containing multiple certificates is decoded.
Regression?
Not sure; I was not aware of it until recently, when .NET 7 was released.
Known Workarounds
- Add a custom function to parse certificate blobs before handing them to X509Certificate2(byte[])
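One way to implement the workaround above, and to reproduce the chain decoding described in the description: read the outer DER SEQUENCE header of each certificate with System.Formats.Asn1 and hand only that exact slice to X509Certificate2(byte[]), so no trailing data reaches the constructor on any platform. This is an added example, not code from this issue or from the UA-.NETStandard project; the two self-signed certificates, their subject names, and the ChainBlob class name are constructed for the demo.

```csharp
using System;
using System.Collections.Generic;
using System.Formats.Asn1;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Splits a blob of concatenated DER certificates into individual certificates.
// Each certificate is one outer ASN.1 SEQUENCE, so its exact length can be read
// from the DER header and the blob sliced before calling the constructor.
static class ChainBlob
{
    public static List<X509Certificate2> Parse(byte[] blob)
    {
        var certs = new List<X509Certificate2>();
        int offset = 0;
        while (offset < blob.Length)
        {
            // Reads one TLV (tag, length, content) and reports how many bytes it spans;
            // trailing bytes after that value are left untouched for the next round.
            AsnDecoder.ReadEncodedValue(
                blob.AsSpan(offset), AsnEncodingRules.DER,
                out _, out _, out int consumed);
            byte[] single = blob.AsSpan(offset, consumed).ToArray();
            certs.Add(new X509Certificate2(single));
            offset += consumed;
        }
        return certs;
    }

    // Demo: build two constructed self-signed certificates, concatenate their raw
    // DER bytes the way the OPC UA chain encoding does, then split and decode them.
    static void Main()
    {
        using RSA key = RSA.Create(2048);
        var blob = new List<byte>();
        foreach (string cn in new[] { "CN=example-leaf", "CN=example-issuer" })
        {
            var req = new CertificateRequest(cn, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using X509Certificate2 cert = req.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(1));
            blob.AddRange(cert.RawData);
        }
        foreach (X509Certificate2 cert in Parse(blob.ToArray()))
            Console.WriteLine($"{cert.Subject} ({cert.RawData.Length} bytes)");
    }
}
```

Because each slice contains exactly one certificate, the behaviour no longer depends on whether the platform's X509 loader tolerates extra bytes after the first SEQUENCE.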
Configuration
- .NET 6
- macOS CI build, macOS 11
- x64
- specific to macOS
Other information
No response