Merged PR 32087: Merged PR 32016: [6.0] Fix regression loading null-password...

Merged PR 32087: Merged PR 32016: [6.0] Fix regression loading null-password encrypted PFX certificates When decrypting the payload with empty string and null passwords, try reading the payload with the Asn reader to ensure the header matches the expected format. If that succeeds, then proceed with the iteration counting. This guards against a false-positive match that previously caused our iteration count work to throw/abort, thus preventing some null-password encrypted payloads from being loaded.

Merged PR 32087: Merged PR 32016: [6.0] Fix regression loading null-password...
Merged PR 32087: Merged PR 32016: [6.0] Fix regression loading null-password encrypted PFX certificates When decrypting the payload with empty string and null passwords, try reading the payload with the Asn reader to ensure the header matches the expected format. If that succeeds, then proceed with the iteration counting. This guards against a false-positive match that previously caused our iteration count work to throw/abort, thus preventing some null-password encrypted payloads from being loaded.
07516cc6 · Jeff Handley · Matt Mitchell · ec47be08 · 07516cc6
Showing with 12 addition and 0 deletion

src/libraries/System.Security.Cryptography.X509Certificates/src/System/Security/Cryptography/X509Certificates/Asn1/PfxAsn.manual.cs ...urity/Cryptography/X509Certificates/Asn1/PfxAsn.manual.cs +12 -0

未找到文件。
--- a/src/libraries/System.Security.Cryptography.X509Certificates/src/System/Security/Cryptography/X509Certificates/Asn1/PfxAsn.manual.cs
+++ b/src/libraries/System.Security.Cryptography.X509Certificates/src/System/Security/Cryptography/X509Certificates/Asn1/PfxAsn.manual.cs
@@ -168,6 +168,12 @@ private static ArraySegment<byte> DecryptContentInfo(ContentInfoAsn contentInfo,
                        default,
                        encryptedData.EncryptedContentInfo.EncryptedContent.Value.Span,
                        destination);
+
+                    // When padding happens to be as expected (false-positive), we can detect gibberish and prevent unexpected failures later
+                    // This extra check makes it so it's very unlikely we'll end up with false positive.
+                    AsnValueReader outerSafeBag = new AsnValueReader(destination.AsSpan(0, written), AsnEncodingRules.BER);
+                    AsnValueReader safeBagReader = outerSafeBag.ReadSequence();
+                    outerSafeBag.ThrowIfNotEmpty();
                }
                catch
                {
@@ -178,6 +184,12 @@ private static ArraySegment<byte> DecryptContentInfo(ContentInfoAsn contentInfo,
                        default,
                        encryptedData.EncryptedContentInfo.EncryptedContent.Value.Span,
                        destination);
+
+                    // When padding happens to be as expected (false-positive), we can detect gibberish and prevent unexpected failures later
+                    // This extra check makes it so it's very unlikely we'll end up with false positive.
+                    AsnValueReader outerSafeBag = new AsnValueReader(destination.AsSpan(0, written), AsnEncodingRules.BER);
+                    AsnValueReader safeBagReader = outerSafeBag.ReadSequence();
+                    outerSafeBag.ThrowIfNotEmpty();
                }
            }
            finally