X509CertificateLoader does not shim HMAC in .NET Standard 2.0 correctly

[vcsjones]

This was initially reported at https://stackoverflow.com/questions/79392501/whats-so-dangerous-about-pkcs12loaderlimits-dangerousnolimits

This person reported a CryptographicException from here:

runtime/src/libraries/Microsoft.Bcl.Cryptography/src/System/Security/Cryptography/NetStandardShims.cs

Line 110 in f1901a0

_ => throw new CryptographicException(),

Which in theory should not be possible to hit, as the list of hash algorithms is closed and validated here:

runtime/src/libraries/Common/src/System/Security/Cryptography/Asn1/Pkcs12/PfxAsn.manual.cs

Line 80 in f1901a0

if (!hmac.TryGetHashAndReset(derived, out int bytesWritten) || bytesWritten != expectedOutputSize)

However, in this shim, it as asking IncrementalHash "What is your algorithm name?". IncrementalHash prepends "HMAC" in front of the algorithm names:

runtime/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/IncrementalHash.cs

Line 43 in f1901a0

_algorithmName = new HashAlgorithmName("HMAC" + name.Name);

IncrementalHash answers with an algorithm of "HMACSHA1", not "SHA1" (for example). The switch in the shim does not handle the algorithm names that are prepended.

This only happens for the .NET Standard 2.0 build.

[dotnet-policy-service]

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

[vcsjones]

This reproduces it when using Microsoft.Bcl.Cryptography 9.0.1 when targeting netstandard2.0

using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

using ECDsa key1 = ECDsa.Create(ECCurve.NamedCurves.nistP256);
CertificateRequest req1 = new("CN=test1", key1, HashAlgorithmName.SHA256);
using X509Certificate2 cert1 = req1.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddYears(1));
byte[] content = cert1.Export(X509ContentType.Pkcs12, "test")!;
using X509Certificate2 cert = X509CertificateLoader.LoadPkcs12(content, "test");

Unhandled exception. System.Security.Cryptography.CryptographicException: Error occurred during a cryptographic operation.
   at System.Security.Cryptography.NetStandardShims.TryGetHashAndReset(IncrementalHash hash, Span`1 destination, Int32& bytesWritten)
   at System.Security.Cryptography.Asn1.Pkcs12.PfxAsn.VerifyMac(ReadOnlySpan`1 macPassword, ReadOnlySpan`1 authSafeContents)
   at System.Security.Cryptography.X509Certificates.X509CertificateLoader.ReadCertsAndKeys(BagState& bagState, ReadOnlyMemory`1 data, ReadOnlySpan`1& password, Pkcs12LoaderLimits loaderLimits)
   at System.Security.Cryptography.X509Certificates.X509CertificateLoader.LoadPkcs12(ReadOnlyMemory`1 data, ReadOnlySpan`1 password, X509KeyStorageFlags keyStorageFlags, Pkcs12LoaderLimits loaderLimits)
   at System.Security.Cryptography.X509Certificates.X509CertificateLoader.LoadPkcs12(Byte[] data, String password, X509KeyStorageFlags keyStorageFlags, Pkcs12LoaderLimits loaderLimits)
   at Program.<Main>$(String[] args) in /Users/vcsjones/Projects/scratch/Program.cs:line 9

[j2jensen]

Here's a repository with a minimal repro, using a certificate that is not secret: https://github.com/j2jensen/certbugrepro

[vcsjones]

Here is a slightly convoluted way to reproduce it against .NET 9.

<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net9.0</TargetFramework>
    <ImplicitUsings>enable</ImplicitUsings>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="Microsoft.Bcl.Cryptography" Version="9.0.1" ExcludeAssets="Compile" GeneratePathProperty="true" />
    <Reference Include="Microsoft.Bcl.Cryptography" Aliases="MBC">
      <HintPath>$(PkgMicrosoft_Bcl_Cryptography)\lib\netstandard2.0\Microsoft.Bcl.Cryptography.dll</HintPath>
    </Reference>
  </ItemGroup>
</Project>

extern alias MBC;

using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using X509CertificateLoader = MBC::System.Security.Cryptography.X509Certificates.X509CertificateLoader;

using ECDsa key1 = ECDsa.Create(ECCurve.NamedCurves.nistP256);
CertificateRequest req1 = new("CN=test1", key1, HashAlgorithmName.SHA256);
using X509Certificate2 cert1 = req1.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddYears(1));
byte[] content = cert1.Export(X509ContentType.Pkcs12, "test")!;
using X509Certificate2 cert = X509CertificateLoader.LoadPkcs12(content, "test");

[vcsjones]

Re-opening until there is a firm "yes" or "no" decision on attempting to backport.