New X509Certificate2 crashes PowerShell with AccessViolationException when certain properties are referenced #7806

@rjmholt

Description

Issue from @keystroke.

When a new X509Certificate2 object is created with the empty constructor, it succeeds. However, it is initialised with its Handle property set to IntPtr.Zero. So accessing certain properties on that object tries to dereference that Handle and causes an access violation.

Steps to reproduce

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(); $cert.SendAsTrustedIssuer

Expected behavior

Value is possibly $null or False.

Actual behavior

PowerShell crashes (the window disappears)

Further Information

Also try

[System.Security.Cryptography.X509Certificates.X509Certificate2]::new() | fl *

This crash reproduces back to Windows PowerShell 5.1.

The property accessed in the particular repro is a script property that triggers this method:

[SuppressMessage("Microsoft.Design", "CA1011:ConsiderPassingBaseTypesAsParameters")]
public static bool ReadSendAsTrustedIssuerProperty(X509Certificate2 cert)
{
    bool fHasProperty = false;
    if (DownLevelHelper.TrustedIssuerSupported())
    {
        int propSize = 0;
        //try to get the property
        //it is fine if fail for not there
        if (Security.NativeMethods.CertGetCertificateContextProperty(
                cert.Handle,
                Security.NativeMethods.CertPropertyId.CERT_SEND_AS_TRUSTED_ISSUER_PROP_ID,
                IntPtr.Zero,
                ref propSize))
        {
            //we have the property
            fHasProperty = true;
        }
        else
        {
            //if fail
            int error = Marshal.GetLastWin32Error();
            if (error != Security.NativeMethods.CRYPT_E_NOT_FOUND)
            {
                throw new System.ComponentModel.Win32Exception(error);
            }
        }
    }
    return fHasProperty;
}

It seems that X509Certificate2 has a property called Handle which is set to IntPtr.Zero by default, causing the access violation.

Environment data

> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      6.1.0
PSEdition                      Core
GitCommitId                    6.1.0
OS                             Microsoft Windows 10.0.18242
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0
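
A guarded variant of the method quoted above, as an added example that is not part of the original issue and not the PowerShell project's own fix: it checks the handle before handing it to native code and returns false, matching the expected behavior stated in the issue. The class name `TrustedIssuerProbe` and the P/Invoke declaration are assumptions made for a self-contained, Windows-only sample, and the `DownLevelHelper.TrustedIssuerSupported()` check is omitted.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Cryptography.X509Certificates;

// Hypothetical stand-alone class; PowerShell keeps the real method elsewhere.
internal static class TrustedIssuerProbe
{
    // Constants as defined in wincrypt.h / winerror.h.
    private const int CERT_SEND_AS_TRUSTED_ISSUER_PROP_ID = 102;
    private const int CRYPT_E_NOT_FOUND = unchecked((int)0x80092004);

    // Local declaration standing in for Security.NativeMethods (assumption).
    [DllImport("crypt32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    private static extern bool CertGetCertificateContextProperty(
        IntPtr pCertContext, int dwPropId, IntPtr pvData, ref int pcbData);

    public static bool ReadSendAsTrustedIssuerProperty(X509Certificate2 cert)
    {
        if (cert == null) throw new ArgumentNullException(nameof(cert));

        // A certificate built with the empty constructor has no CERT_CONTEXT,
        // so Handle is IntPtr.Zero. Never pass that to crypt32: treat it as
        // "property not present" instead of letting native code dereference it.
        IntPtr handle = cert.Handle;
        if (handle == IntPtr.Zero) return false;

        // Size query only: pvData is null, so no buffer is written.
        int propSize = 0;
        bool found = CertGetCertificateContextProperty(
            handle, CERT_SEND_AS_TRUSTED_ISSUER_PROP_ID, IntPtr.Zero, ref propSize);
        int error = found ? 0 : Marshal.GetLastWin32Error();

        // Keep the managed object (and its native context) alive across the call.
        GC.KeepAlive(cert);

        if (!found && error != CRYPT_E_NOT_FOUND) throw new Win32Exception(error);
        return found;
    }

    private static void Main()
    {
        // The input from the repro: an empty certificate object.
        using (var empty = new X509Certificate2())
            Console.WriteLine(ReadSendAsTrustedIssuerProperty(empty));
    }
}
```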

Labels

Issue-Bug (Issue has been identified as a bug in the product)
Resolution-No Activity (Issue has had no activity for 6 months or more)
WG-Engine (core PowerShell engine, interpreter, and runtime)