Description
Some invalid data passed into X509Certificate2(byte[] rawData) ctor produces System.ArgumentOutOfRangeException instead of System.Security.Cryptography.CryptographicException which we could expect following https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509certificate2.-ctor.
Reproduction Steps
Extract argument-exception.cer from argument-exception.zip and use the following constructor call.
new X509Certificate2(File.ReadAllBytes("argument-exception.cer"));
Expected behavior
instance of System.Security.Cryptography.CryptographicException is thrown
Actual behavior
System.ArgumentOutOfRangeException: Specified argument was out of the range of valid values.
at System.Formats.Asn1.AsnValueReader.ReadSequence(Nullable`1 expectedTag)
at System.Security.Cryptography.Asn1.Pkcs7.ContentInfoAsn.DecodeCore(AsnValueReader& reader, Asn1Tag expectedTag, ReadOnlyMemory`1 rebind, ContentInfoAsn& decoded)
at System.Security.Cryptography.Asn1.Pkcs7.ContentInfoAsn.Decode(AsnValueReader& reader, Asn1Tag expectedTag, ReadOnlyMemory`1 rebind, ContentInfoAsn& decoded)
at System.Security.Cryptography.Asn1.Pkcs12.PfxAsn.DecodeCore(AsnValueReader& reader, Asn1Tag expectedTag, ReadOnlyMemory`1 rebind, PfxAsn& decoded)
at System.Security.Cryptography.Asn1.Pkcs12.PfxAsn.Decode(AsnValueReader& reader, Asn1Tag expectedTag, ReadOnlyMemory`1 rebind, PfxAsn& decoded)
at Internal.Cryptography.Pal.UnixPkcs12Reader.ParsePkcs12(ReadOnlySpan`1 data)
at Internal.Cryptography.Pal.OpenSslPkcs12Reader..ctor(ReadOnlySpan`1 data)
at Internal.Cryptography.Pal.OpenSslPkcs12Reader.TryRead(ReadOnlySpan`1 data, OpenSslPkcs12Reader& pkcs12Reader, Exception& openSslException, Boolean captureException)
at Internal.Cryptography.Pal.PkcsFormatReader.TryReadPkcs12(ReadOnlySpan`1 rawData, SafePasswordHandle password, Boolean single, Boolean ephemeralSpecified, Boolean readingFromFile, ICertificatePal& readPal, List`1& readCerts, Exception& openSslException)
at Internal.Cryptography.Pal.OpenSslX509CertificateReader.FromBlob(ReadOnlySpan`1 rawData, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(ReadOnlySpan`1 data)
Regression?
Found in .NET Runtime 6.0.23
Known Workarounds
No response
Configuration
Linux x64
Other information
It seems either ParsePkcs12() or the documentation should be fixed to avoid unexpected behavior
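
For callers that parse certificate bytes from untrusted sources on an affected runtime, a handler that catches only the documented CryptographicException will not see the failure reported above. The wrapper below is an added example, not part of the original issue or of the .NET runtime code; the class and method names are hypothetical, and the sample bytes are constructed garbage rather than the argument-exception.cer file from the report.

```csharp
#nullable enable
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class UntrustedCertLoader
{
    // Hypothetical helper: reports every parser rejection of untrusted bytes
    // as a CryptographicException, including the ArgumentOutOfRangeException
    // described in this issue.
    public static bool TryLoad(byte[]? rawData, out X509Certificate2? cert,
                               out CryptographicException? error)
    {
        cert = null;
        error = null;
        if (rawData == null || rawData.Length == 0)
        {
            // Reject empty input up front so the ctor's own argument check is never hit.
            error = new CryptographicException("Certificate data is empty.");
            return false;
        }
        try
        {
            cert = new X509Certificate2(rawData);
            return true;
        }
        catch (CryptographicException ex)
        {
            error = ex; // documented failure mode
        }
        catch (ArgumentOutOfRangeException ex)
        {
            // Undocumented failure mode from the issue's stack trace (PKCS#12 parsing).
            // The original exception is preserved as InnerException for logging.
            error = new CryptographicException("Certificate data could not be parsed.", ex);
        }
        return false;
    }

    static void Main()
    {
        // Constructed malformed input, not the file attached to the report.
        byte[] constructed = { 0x30, 0x82, 0xFF, 0xFF, 0x02, 0x01 };
        if (!TryLoad(constructed, out _, out var err))
            Console.WriteLine($"rejected: {err?.GetType().Name} (inner: {err?.InnerException?.GetType().Name ?? "none"})");
    }
}
```

Only ArgumentOutOfRangeException is caught in addition to the documented type, so unrelated argument errors in calling code still surface.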