Skip to content

Permit trailing data when parsing an X.509 certificate by DER content #82688

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
adamsitnik merged 1 commit into from
Feb 27, 2023
Merged

Permit trailing data when parsing an X.509 certificate by DER content #82688

adamsitnik merged 1 commit into from
Feb 27, 2023

Conversation

@vcsjones
Copy link
Member

@vcsjones vcsjones commented Feb 26, 2023
edited
Loading

The managed X.509 decoder did not permit trailing data after the DER contents of the certificate. In #82682 it was reported that the Windows and Unix implementations permit this, so we should update the managed PAL to do the same.

n.b. I generally liked the managed PAL's behavior here. We can't make Windows and Unix more strict without possibly breaking someone, but we can make the managed implementation more relaxed.

Fixes #82682

@ghost ghost assigned vcsjones Feb 26, 2023
@ghost
Copy link

ghost commented Feb 26, 2023

Tagging subscribers to this area: @dotnet/area-system-security, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details

The managed X.509 decoder did not permit trailing data after the DER contents of the certificate. In #82682 it was reported that the Windows and Unix PALs permit this, so we should update the managed PAL to do the same.

n.b. I generally liked the managed PAL's behavior here. We can't make Windows and Unix more strict without possibly breaking someone, but we can make the managed implementation more relaxed.

Fixes #82682

Author: vcsjones
Assignees: vcsjones
Labels:

area-System.Security
Milestone: -

@build-analysis build-analysis bot mentioned this pull request Feb 26, 2023
Closed
@vcsjones vcsjones marked this pull request as ready for review February 26, 2023 23:27
@vcsjones
Copy link
Member Author

vcsjones commented Feb 27, 2023

/azp run runtime-ioslike runtime-android

@azure-pipelines
Copy link

azure-pipelines bot commented Feb 27, 2023

No pipelines are associated with this pull request.

@vcsjones
Copy link
Member Author

vcsjones commented Feb 27, 2023

/azp help

@azure-pipelines
Copy link

azure-pipelines bot commented Feb 27, 2023

Supported commands
  • help:
    • Get descriptions, examples and documentation about supported commands
    • Example: help "command_name"
  • list:
    • List all pipelines for this repository using a comment.
    • Example: "list"
  • run:
    • Run all pipelines or specific pipelines for this repository using a comment. Use this command by itself to trigger all related pipelines, or specify specific pipelines to run.
    • Example: "run" or "run pipeline_name, pipeline_name, pipeline_name"
  • where:
    • Report back the Azure DevOps orgs that are related to this repository and org
    • Example: "where"

See additional documentation.

@vcsjones
Copy link
Member Author

vcsjones commented Feb 27, 2023

/azp run runtime-ioslike, runtime-android

@azure-pipelines
Copy link

azure-pipelines bot commented Feb 27, 2023

Azure Pipelines successfully started running 2 pipeline(s).

adamsitnik
adamsitnik approved these changes Feb 27, 2023
View reviewed changes
Copy link
Member

@adamsitnik adamsitnik left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thank you @vcsjones !

@adamsitnik adamsitnik merged commit 1893c67 into dotnet:main Feb 27, 2023
@adamsitnik adamsitnik added this to the 8.0.0 milestone Feb 27, 2023
@vcsjones vcsjones deleted the fix-82682 branch February 27, 2023 12:50
@ghost ghost locked as resolved and limited conversation to collaborators Mar 29, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@adamsitnik adamsitnik adamsitnik approved these changes

Assignees

@vcsjones vcsjones

Labels

area-System.Security

Projects

None yet

Milestone

8.0.0

Development

Successfully merging this pull request may close these issues.

X509Certificate2 constructor throws exception only on macOS when a byte blob with multiple certificates is decoded

2 participants

@vcsjones @adamsitnik