Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Linux and Mac have CryptographicException with generic HResult for bad password opening a PFX #735

Closed
heng-liu opened this issue Nov 25, 2019 · 8 comments · Fixed by #769
Assignees
Milestone

Comments

@heng-liu
Copy link

The Invalid ASN and bad password have both generic HResult in netcore5.0, so we're not able to differentiate them as we did in netcore3.0.
Can you pls help us change HResult for bad password? Thanks!

@bartonjs bartonjs changed the title Linux and Mac have CryptographicException with generic HResult Linux and Mac have CryptographicException with generic HResult for bad password opening a PFX Nov 25, 2019
@danmoseley
Copy link
Member

so we're not able to differentiate them as we did in netcore3.0.

Is this a change from 3.0 to 3.1 then?

@danmoseley danmoseley transferred this issue from dotnet/corefx Dec 10, 2019
@Dotnet-GitSync-Bot Dotnet-GitSync-Bot added the untriaged New issue has not been triaged by the area owner label Dec 10, 2019
@bartonjs
Copy link
Member

Is this a change from 3.0 to 3.1 then?

No, 3.x -> 5 (the custom PFX loader change)

@bartonjs bartonjs added this to the 5.0 milestone Dec 10, 2019
@bartonjs bartonjs added area-System.Security bug and removed untriaged New issue has not been triaged by the area owner labels Dec 10, 2019
@danmoseley
Copy link
Member

Thanks, misread.

@vcsjones
Copy link
Member

Windows appears to use ERROR_INVALID_PASSWORD converted to an HRESULT (0x80070056). Is this basically just adding the HRESULT to this line?

@bartonjs
Copy link
Member

@vcsjones Yep. You wanna take it? :)

@vcsjones
Copy link
Member

@bartonjs sure.

@vcsjones
Copy link
Member

vcsjones commented Dec 11, 2019

Looking at this a bit more, the Win32 PAL is inconsistent between the PAL using an HRESULT and a Win32 status code when setting the HResult on the CryptographicException.

In some cases, Marshal.GetHRForLastWin32Error().ToCryptographicException() is used:

So HResult will be 0x80070056.

In another case, Marshal.GetLastWin32Error().ToCryptographicException() is used:

So HResult will be 0x56 and won't really be an HR.

I suppose a question for @bartonjs then is, which is preferable for the Unix PAL to do? Do we want to do anything about the Windows PAL?

@bartonjs
Copy link
Member

Looks like .NET Framework threw with HResult=0x80070056 in both the collection and the single-cert case. (Largely because in .NET Framework we or-in 80070000 if the high bit isn't already set: https://referencesource.microsoft.com/#mscorlib/system/security/cryptography/crypto.cs,108; perhaps that's missing in the ToCryptographicException extension method)

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

5 participants