diff --git a/src/libraries/System.Security.Cryptography.X509Certificates/src/System/Security/Cryptography/X509Certificates/Asn1/PfxAsn.manual.cs b/src/libraries/System.Security.Cryptography.X509Certificates/src/System/Security/Cryptography/X509Certificates/Asn1/PfxAsn.manual.cs index aba715f7e3e082645ee60a54c37bb97f3708dc7f..66173ae838cc7063ea24fb7707eca014a86d9ccf 100644 --- a/src/libraries/System.Security.Cryptography.X509Certificates/src/System/Security/Cryptography/X509Certificates/Asn1/PfxAsn.manual.cs +++ b/src/libraries/System.Security.Cryptography.X509Certificates/src/System/Security/Cryptography/X509Certificates/Asn1/PfxAsn.manual.cs @@ -168,6 +168,12 @@ private static ArraySegment DecryptContentInfo(ContentInfoAsn contentInfo, default, encryptedData.EncryptedContentInfo.EncryptedContent.Value.Span, destination); + + // When padding happens to be as expected (false-positive), we can detect gibberish and prevent unexpected failures later + // This extra check makes it so it's very unlikely we'll end up with false positive. + AsnValueReader outerSafeBag = new AsnValueReader(destination.AsSpan(0, written), AsnEncodingRules.BER); + AsnValueReader safeBagReader = outerSafeBag.ReadSequence(); + outerSafeBag.ThrowIfNotEmpty(); } catch { @@ -178,6 +184,12 @@ private static ArraySegment DecryptContentInfo(ContentInfoAsn contentInfo, default, encryptedData.EncryptedContentInfo.EncryptedContent.Value.Span, destination); + + // When padding happens to be as expected (false-positive), we can detect gibberish and prevent unexpected failures later + // This extra check makes it so it's very unlikely we'll end up with false positive. + AsnValueReader outerSafeBag = new AsnValueReader(destination.AsSpan(0, written), AsnEncodingRules.BER); + AsnValueReader safeBagReader = outerSafeBag.ReadSequence(); + outerSafeBag.ThrowIfNotEmpty(); } } finally