Permit incorrectly DER sorted SET for decoding X500 names. (dotnet#32604

) * Permit incorrectly DER sorted SET for decoding X500 names. * Add comment to explain.
xiaoshzx · Feb 20, 2020 · b12c901 · b12c901
1 parent c04271b
commit b12c901
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 1 deletion.
diff --git a/...aphy.X509Certificates/src/Internal/Cryptography/Pal.Unix/X500NameEncoder.ManagedDecode.cs b/...aphy.X509Certificates/src/Internal/Cryptography/Pal.Unix/X500NameEncoder.ManagedDecode.cs
@@ -29,7 +29,9 @@ private static string X500DistinguishedNameDecode(
 
             while (x500NameSequenceReader.HasData)
             {
-                rdnReaders.Add(x500NameSequenceReader.ReadSetOf());
+                // To match Windows' behavior, permit multi-value RDN SETs to not
+                // be DER sorted.
+                rdnReaders.Add(x500NameSequenceReader.ReadSetOf(skipSortOrderValidation: true));
             }
 
             // We need to allocate a StringBuilder to hold the data as we're building it, and there's the usual

diff --git a/...braries/System.Security.Cryptography.X509Certificates/tests/X500DistinguishedNameTests.cs b/...braries/System.Security.Cryptography.X509Certificates/tests/X500DistinguishedNameTests.cs
@@ -201,6 +201,15 @@ public static void NameWithNumericString()
             Assert.Equal("OID.1.1.1.2.2.3=123 654 7890, CN=Test", dn.Decode(X500DistinguishedNameFlags.None));
         }
 
+        [Fact]
+        public static void OrganizationUnitMultiValueWithIncorrectlySortedDerSet()
+        {
+            X500DistinguishedName dn = new X500DistinguishedName(
+                "301C311A300B060355040B13047A7A7A7A300B060355040B130461616161".HexToByteArray());
+
+            Assert.Equal("OU=zzzz + OU=aaaa", dn.Decode(X500DistinguishedNameFlags.None));
+        }
+
         public static readonly object[][] WhitespaceBeforeCases =
         {
             // Regular space.