Merging internal commits for release/8.0#124237
Merged
wfurt merged 10 commits intodotnet:release/8.0from Feb 10, 2026
Merged
Conversation
CoseMessage's Decode routines say that any failure is a CryptographicException, but some of the validation failures leak out ArgumentException from the validation in CoseHeaderMap.
…-merge-8.0-2026-02-10-1100
Contributor
|
Tagging subscribers to this area: @bartonjs, @vcsjones, @dotnet/area-system-security |
Contributor
There was a problem hiding this comment.
Pull request overview
This PR merges internal release/8.0 changes into the COSE implementation, primarily improving decode behavior for indefinite-length CBOR structures and tightening critical header validation, with accompanying test coverage.
Changes:
- Update COSE header map decoding to support indefinite-length CBOR maps and improve error surfacing for well-known header validation failures.
- Update critical headers handling to properly process indefinite-length arrays and reject empty
critarrays. - Add decode tests for critical header error cases across Sign1 and MultiSign, including detached/attached and definite/indefinite encodings.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 8 comments.
Show a summary per file
| File | Description |
|---|---|
| src/libraries/System.Security.Cryptography.Cose/tests/CoseMessageTests.Sign.CustomHeaderMaps.cs | Expands signing tests to cover definite vs indefinite critical header encodings (but currently has invalid argument ordering at call sites). |
| src/libraries/System.Security.Cryptography.Cose/tests/CoseMessageTests.DecodeSign1.cs | Adds decode tests validating exceptions for missing/empty/invalid critical headers across encoding variants. |
| src/libraries/System.Security.Cryptography.Cose/tests/CoseMessageTests.DecodeMultiSign.cs | Adds decode tests validating exceptions for missing/empty/invalid critical headers across encoding variants. |
| src/libraries/System.Security.Cryptography.Cose/src/System/Security/Cryptography/Cose/CoseMessage.cs | Updates header bucket decoding to handle indefinite-length maps; improves critical header parsing and exception behavior. |
| src/libraries/System.Security.Cryptography.Cose/src/System.Security.Cryptography.Cose.csproj | Bumps servicing version and changes package generation behavior on build. |
src/libraries/System.Security.Cryptography.Cose/tests/CoseMessageTests.Sign.CustomHeaderMaps.cs
Show resolved
Hide resolved
src/libraries/System.Security.Cryptography.Cose/tests/CoseMessageTests.Sign.CustomHeaderMaps.cs
Show resolved
Hide resolved
src/libraries/System.Security.Cryptography.Cose/tests/CoseMessageTests.Sign.CustomHeaderMaps.cs
Show resolved
Hide resolved
src/libraries/System.Security.Cryptography.Cose/tests/CoseMessageTests.Sign.CustomHeaderMaps.cs
Show resolved
Hide resolved
src/libraries/System.Security.Cryptography.Cose/tests/CoseMessageTests.Sign.CustomHeaderMaps.cs
Show resolved
Hide resolved
...aries/System.Security.Cryptography.Cose/src/System/Security/Cryptography/Cose/CoseMessage.cs
Show resolved
Hide resolved
src/libraries/System.Security.Cryptography.Cose/src/System.Security.Cryptography.Cose.csproj
Show resolved
Hide resolved
src/libraries/System.Security.Cryptography.Cose/tests/CoseMessageTests.Sign.CustomHeaderMaps.cs
Show resolved
Hide resolved
wfurt
approved these changes
Feb 10, 2026
This was referenced Feb 11, 2026
Open
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.