Skip to content

Fix trailing data handling with CertificateRevocationListBuilder.LoadPem. #122825

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
stephentoub merged 3 commits into from
Jan 3, 2026
Merged

Fix trailing data handling with CertificateRevocationListBuilder.LoadPem. #122825

stephentoub merged 3 commits into from
Jan 3, 2026

Conversation

@vcsjones
Copy link
Member

@vcsjones vcsjones commented Jan 2, 2026

CRLBuilder.LoadPem asserted that the DER data read is the same amount as the decoded length of the data, however the DER reader does not enforce no trailing data, so this assert could be reached.

This change blocks trailing data in the PEM, and changes the assert to an actual exception.

Fixes #122823

@vcsjones
Fix trailing data handling with CertificateRevocationListBuilder.Load…
dbfc184 
…Pem.

CRLBuilder.LoadPem asserted that the DER data read is the same amount as the decoded length of the data, however the DER reader does not enforce no trailing data, so this assert could be reached.

This change blocks trailing data in the PEM, and changes the assert to an actual exception.
Copilot AI review requested due to automatic review settings January 2, 2026 18:25
@dotnet-policy-service
Copy link
Contributor

dotnet-policy-service bot commented Jan 2, 2026

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

Copilot AI reviewed Jan 2, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes a security vulnerability in CertificateRevocationListBuilder.LoadPem where trailing data in PEM-encoded CRLs was not properly validated. The fix converts a Debug.Assert into a proper exception and adds test coverage for the scenario.

  • Replaces Debug.Assert with proper validation that throws CryptographicException when trailing data is detected
  • Adds comprehensive test coverage for both string and ReadOnlySpan overloads of LoadPem with trailing data

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
CertificateRevocationListBuilder.Load.cs Replaces Debug.Assert with proper exception throwing when bytesConsumed != bytesWritten
CrlBuilderTests.cs Adds new test case LoadPem_TrailingData to verify trailing data is properly rejected

This was referenced Jan 3, 2026
Open
Open
@stephentoub
Copy link
Member

stephentoub commented Jan 3, 2026

/ba-g deadletter

@stephentoub stephentoub merged commit b57b9c9 into dotnet:main Jan 3, 2026
83 of 85 checks passed
@vcsjones vcsjones deleted the fix-122823 branch January 3, 2026 17:06
@dotnet-maestro dotnet-maestro bot mentioned this pull request Jan 9, 2026
Closed
@vcsjones vcsjones added this to the 11.0.0 milestone Jan 10, 2026
@dotnet-maestro dotnet-maestro bot mentioned this pull request Jan 14, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@stephentoub stephentoub stephentoub approved these changes

@bartonjs bartonjs bartonjs approved these changes

Assignees

@vcsjones vcsjones

Labels

area-System.Security

Projects

None yet

Milestone

11.0.0

Development

Successfully merging this pull request may close these issues.

Reachable assert in CertificateRevocationListBuilder.LoadPem with trailing data

3 participants

@vcsjones @stephentoub @bartonjs