public static unsafe string CertGetNameString(
SafeCertContextHandle certContext,
Interop.Crypt32.CertNameType certNameType,
Interop.Crypt32.CertNameFlags certNameFlags,
Interop.Crypt32.CertNameStringType strType)
{
int cchCount = Crypt32.CertGetNameString(certContext, certNameType, certNameFlags, strType, null, 0);
if (cchCount == 0)
{
throw Marshal.GetLastWin32Error().ToCryptographicException();
}
Span <char> buffer = cchCount <= 256 ? stackalloc char[cchCount] : new char[cchCount];
fixed(char *ptr = &MemoryMarshal.GetReference(buffer))
{
if (Crypt32.CertGetNameString(certContext, certNameType, certNameFlags, strType, ptr, cchCount) == 0)
{
throw Marshal.GetLastWin32Error().ToCryptographicException();
}
Debug.Assert(buffer[cchCount - 1] == '\0');
return(new string(buffer.Slice(0, cchCount - 1)));
}
}
internal static byte[] Decode(string input, Crypt32.CrypBinaryFlags flags,
int inputSize)
{
int outputSize = 0;
int pdwSkip;
int pdwFlags;
if (!Crypt32.CryptStringToBinary(input, inputSize, flags, IntPtr.Zero,
ref outputSize, out pdwSkip, out pdwFlags))
{
int nativeError = Marshal.GetLastWin32Error();
throw new InteropException(nativeError);
}
IntPtr nativeBuffer = IntPtr.Zero;
try {
nativeBuffer = Marshal.AllocCoTaskMem(outputSize);
if (!Crypt32.CryptStringToBinary(input, inputSize, flags, nativeBuffer,
ref outputSize, out pdwSkip, out pdwFlags))
{
int nativeError = Marshal.GetLastWin32Error();
throw new InteropException(nativeError);
}
byte[] result = new byte[outputSize];
Marshal.Copy(nativeBuffer, result, 0, outputSize);
return(result);
}
finally { if (IntPtr.Zero != nativeBuffer)
{
Marshal.FreeCoTaskMem(nativeBuffer);
}
}
}
internal unsafe AuthenticodeTimestampCmsSignature(AsnEncodedData data, ICmsSignature owningSignature)
{
OwningSignature = owningSignature;
Kind = SignatureKind.AuthenticodeTimestamp;
AdditionalCertificates = owningSignature.AdditionalCertificates;
fixed(byte *dataPtr = data.RawData)
{
uint size = 0;
if (Crypt32.CryptDecodeObjectEx(EncodingType.PKCS_7_ASN_ENCODING | EncodingType.X509_ASN_ENCODING, (IntPtr)500, new IntPtr(dataPtr), (uint)data.RawData.Length, CryptDecodeFlags.CRYPT_DECODE_ALLOC_FLAG, IntPtr.Zero, out var localBuffer, ref size))
{
using (localBuffer)
{
var signerInfo = Marshal.PtrToStructure <CMSG_SIGNER_INFO>(localBuffer.DangerousGetHandle());
Signature = ReadBlob(signerInfo.EncryptedHash);
DigestAlgorithm = new Oid(signerInfo.HashAlgorithm.pszObjId);
HashEncryptionAlgorithm = new Oid(signerInfo.HashEncryptionAlgorithm.pszObjId);
SerialNumber = ReadBlob(signerInfo.SerialNumber);
UnsignedAttributes = ReadAttributes(signerInfo.UnauthAttrs);
SignedAttributes = ReadAttributes(signerInfo.AuthAttrs);
var subjectId = new UniversalSubjectIdentifier(signerInfo.Issuer, signerInfo.SerialNumber);
if (subjectId.Type == SubjectIdentifierType.SubjectKeyIdentifier)
{
Certificate = FindCertificate((string)subjectId.Value, OwningSignature.AdditionalCertificates);
}
else if (subjectId.Type == SubjectIdentifierType.IssuerAndSerialNumber)
{
Certificate = FindCertificate((X509IssuerSerial)subjectId.Value, OwningSignature.AdditionalCertificates);
}
}
}
public void ShouldTimestampData()
{
var data = new byte[] { 1, 2, 3 };
var parameters = new CRYPT_TIMESTAMP_PARA
{
cExtension = 0,
fRequestCerts = true,
pszTSAPolicyId = null
};
var ok = Crypt32.CryptRetrieveTimeStamp("http://timestamp.digicert.com", CryptRetrieveTimeStampRetrievalFlags.NONE, 30 * 1000, "1.3.14.3.2.26", ref parameters, data, (uint)data.Length, out var pointer, IntPtr.Zero, IntPtr.Zero);
Assert.True(ok);
bool success = false;
try
{
pointer.DangerousAddRef(ref success);
Assert.True(success);
var structure = Marshal.PtrToStructure <CRYPT_TIMESTAMP_CONTEXT>(pointer.DangerousGetHandle());
var encoded = new byte[structure.cbEncoded];
Marshal.Copy(structure.pbEncoded, encoded, 0, encoded.Length);
}
finally
{
if (success)
{
pointer.DangerousRelease();
}
}
}
public static List <TOCertificadoDigital> BuscarListaCertificados()
{
List <TOCertificadoDigital> lista = new List <TOCertificadoDigital>();
IntPtr hCertStore = Crypt32.CertOpenSystemStore(IntPtr.Zero, "My");
if (hCertStore == IntPtr.Zero)
{
throw new Exception("CertOpenSystemStore failed: " + Marshal.GetLastWin32Error().ToString());
}
IntPtr pCertContext = Crypt32.CertEnumCertificatesInStore(hCertStore, IntPtr.Zero);
while (pCertContext != IntPtr.Zero)
{
//X509Certificate2 x509 = new X509Certificate2("c:", "dec2017",X509KeyStorageFlags.MachineKeySet);
X509Certificate2 x509 = new X509Certificate2(pCertContext);
//Verifica se o certificado foi emitido pelo ICP-Brasil
if (x509.Issuer.Contains("O=ICP-Brasil") &&
x509.Issuer.Contains("C=BR"))
{
if (ValidarCertificado(x509, DateTime.Now))
{
lista.Add(new TOCertificadoDigital(x509));
}
}
pCertContext = Crypt32.CertEnumCertificatesInStore(hCertStore, pCertContext);
}
return(lista);
}
public static DateTimeOffset?DecodeAuthenticodeTimestamp(AsnEncodedData data)
{
if (data.Oid.Value != KnownOids.SigningTime)
{
throw new ArgumentException("Data is not a signing time object.", nameof(data));
}
const EncodingType encodingType = EncodingType.PKCS_7_ASN_ENCODING | EncodingType.X509_ASN_ENCODING;
unsafe
{
LocalBufferSafeHandle structBuffer;
fixed(byte *buffer = data.RawData)
{
uint size = 0;
if (!Crypt32.CryptDecodeObjectEx(encodingType, KnownOids.SigningTime, buffer, (uint)data.RawData.Length, CryptDecodeFlags.CRYPT_DECODE_ALLOC_FLAG, IntPtr.Zero, out structBuffer, ref size))
{
throw new InvalidOperationException("Failed to decode data.");
}
}
using (structBuffer)
{
var time = Marshal.PtrToStructure <FILETIME>(structBuffer.DangerousGetHandle());
long fileTimeVal = (long)time.dwHighDateTime << 32 | (uint)time.dwLowDateTime;
return(DateTimeOffset.FromFileTime(fileTimeVal));
}
}
}
internal static IntPtr ImportRsaPublicKey(byte[] rawData)
{
CryptoProvider provider = new CryptoProvider();
IntPtr nativeStructure = IntPtr.Zero;
int nativeStructureSize = 0;
try {
if (!Advapi32.CryptDecodeObjectEx(CertificateEncodingType.X509Asn,
InteropHelpers.GetWellKnownOIDPointer(InteropHelpers.WellKnownOIDs.X509PublicKeyInfo),
rawData, rawData.Length, Advapi32.EncodingFlags.AllocateMemory, IntPtr.Zero,
ref nativeStructure, ref nativeStructureSize))
{
throw new CryptographyException((WinErrors)(uint)Marshal.GetLastWin32Error());
}
IntPtr result = IntPtr.Zero;
if (!Crypt32.CryptImportPublicKeyInfo(provider.Handle, CertificateEncodingType.X509Asn,
nativeStructure, out result))
{
throw new CryptographyException((WinErrors)(uint)Marshal.GetLastWin32Error());
}
return(result);
}
finally {
if (IntPtr.Zero != nativeStructure)
{
if (IntPtr.Zero != Kernel32.LocalFree(nativeStructure))
{
throw new InteropException(Marshal.GetLastWin32Error());
}
}
provider.Dispose();
}
}
private void DoUpdate(byte[] input, byte[] output, bool do_final)
{
Buffer.BlockCopy(input, 0, output, 0, (int)_key_size);
int crypted_size = (int)_key_size;
bool result = Crypt32.CryptEncrypt(_key, IntPtr.Zero, do_final,
0, ref output, ref crypted_size, (int)_key_size);
}
static Wincrypt.CTL_ENTRY create_ctlentry(IntPtr handle, String thumbprint)
{
Wincrypt.CTL_ENTRY entry = new Wincrypt.CTL_ENTRY {
SubjectIdentifier =
{
pbData = get_thumbptr(thumbprint),
cbData = (UInt32)(thumbprint.Length / 2)
}
};
List <UInt32> ids = new List <UInt32>();
Boolean end = false;
do
{
UInt32 retn = Crypt32.CertEnumCertificateContextProperties(handle, 0);
if (retn == 0)
{
end = true;
}
else
{
ids.Add(retn);
}
} while (!end);
if (ids.Count > 0)
{
entry.cAttribute = (UInt32)ids.Count;
entry.rgAttribute = create_attributes(handle, ids);
}
return(entry);
}
void initializeLocal(String oid, OidGroupEnum group)
{
IntPtr ptr, oidptr;
if (searchBy.ToLower() == "byvalue")
{
oidptr = Marshal.StringToHGlobalAnsi(oid);
ptr = Crypt32.CryptFindOIDInfo(Wincrypt.CRYPT_OID_INFO_OID_KEY, oidptr, (UInt32)group);
}
else
{
oidptr = Marshal.StringToHGlobalUni(oid);
ptr = Crypt32.CryptFindOIDInfo(Wincrypt.CRYPT_OID_INFO_NAME_KEY, oidptr, (UInt32)group);
}
if (ptr.Equals(IntPtr.Zero))
{
return;
}
if (_cng)
{
Wincrypt.CRYPT_OID_INFO OidInfo = (Wincrypt.CRYPT_OID_INFO)Marshal.PtrToStructure(ptr, typeof(Wincrypt.CRYPT_OID_INFO));
FriendlyName = OidInfo.pwszName;
Value = OidInfo.pszOID;
OidGroup = (OidGroupEnum)OidInfo.dwGroupId;
}
else
{
Wincrypt.CRYPT_OID_INFO_Win2k3 OidInfo = (Wincrypt.CRYPT_OID_INFO_Win2k3)Marshal.PtrToStructure(ptr, typeof(Wincrypt.CRYPT_OID_INFO_Win2k3));
FriendlyName = OidInfo.pwszName;
Value = OidInfo.pszOID;
OidGroup = (OidGroupEnum)OidInfo.dwGroupId;
}
Marshal.FreeHGlobal(oidptr);
}
public IReadOnlyList <ISignature> Extract(string filePath)
{
EncodingType encodingType;
CryptQueryContentType contentType;
CryptQueryFormatType formatType;
CryptMsgSafeHandle message = CryptMsgSafeHandle.InvalidHandle;
var result = Crypt32.CryptQueryObject(CryptQueryObjectType.CERT_QUERY_OBJECT_FILE, filePath, CryptQueryContentFlagType.CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED_EMBED, CryptQueryFormatFlagType.CERT_QUERY_FORMAT_FLAG_BINARY, CryptQueryObjectFlags.NONE, out encodingType, out contentType, out formatType, IntPtr.Zero, out message, IntPtr.Zero);
if (!result)
{
var resultCode = Marshal.GetLastWin32Error();
switch (unchecked ((uint)resultCode))
{
case 0x80092009: //Cannot find request object. There's no signature.
return(Array.Empty <ISignature>());
default:
throw new Win32Exception(resultCode, "Failed to extract signature.");
}
}
using (message)
{
if (message.IsInvalid || message.IsClosed)
{
return(Array.Empty <ISignature>());
}
return(GetSignatures(message));
}
}
private bool ValidateNtAuthStore(X509Chain chain)
{
if (this.options.ValidationMethod != ClientCertificateValidationMethod.NtAuthStore)
{
return(true);
}
this.logger.LogTrace("Attempting to validate certificate against the NTAuth store");
Crypt32.CERT_CHAIN_POLICY_STATUS status = new Crypt32.CERT_CHAIN_POLICY_STATUS();
var para = new Crypt32.CERT_CHAIN_POLICY_PARA
{
cbSize = (uint)Marshal.SizeOf <Crypt32.CERT_CHAIN_POLICY_PARA>()
};
if (!Crypt32.CertVerifyCertificateChainPolicy(6, chain.ChainContext, para, ref status))
{
throw new CertificateValidationException("The function used to validate the certificate chain failed", new Win32Exception(Marshal.GetLastWin32Error()));
}
if (status.dwError != 0)
{
throw new CertificateValidationException("The certificate could not be validated against the NTAuth store. Ensure the issuer is from a trusted enterprise smart-card issuing CA", new Win32Exception((int)status.dwError));
}
this.logger.LogTrace("Certificate successfully validated against the NTAuth store");
return(true);
}
void m_initialize(Oid oid, Int32 majorVersion, Int32 minorVersion)
{
Oid = _eoid;
Asn1Utils.EncodeObjectIdentifier(oid);
Wincrypt.CERT_TEMPLATE_EXT pvStructInfo = new Wincrypt.CERT_TEMPLATE_EXT {
pszObjId = oid.Value,
dwMajorVersion = (UInt32)majorVersion,
dwMinorVersion = (UInt32)minorVersion,
fMinorVersion = true
};
UInt32 pcbEncoded = 0;
if (Crypt32.CryptEncodeObject(1, "1.3.6.1.4.1.311.21.7", ref pvStructInfo, null, ref pcbEncoded))
{
RawData = new Byte[pcbEncoded];
Crypt32.CryptEncodeObject(1, "1.3.6.1.4.1.311.21.7", ref pvStructInfo, RawData, ref pcbEncoded);
TemplateOid = new Oid(pvStructInfo.pszObjId);
MajorVersion = majorVersion;
MinorVersion = minorVersion;
}
else
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
}
void get_handle(Byte[] rawData)
{
Handle = Crypt32.CertCreateCTLContext(65537, rawData, (UInt32)rawData.Length);
if (Handle.Equals(IntPtr.Zero))
{
throw new Exception("Unable to retieve context. The data is invalid.");
}
}
/// <summary>
/// Releases persistent handle and frees allocated resources.
/// </summary>
/// <exception cref="UninitializedObjectException">If <see cref="X509CRL2"/> object is not initialized.</exception>
/// <returns><strong>True</strong> if the operation succeeds, otherwise <strong>False</strong>.</returns>
protected override Boolean ReleaseHandle()
{
if (!handle.Equals(IntPtr.Zero))
{
return(Crypt32.CertFreeCRLContext(handle));
}
throw new UninitializedObjectException();
}
/// <summary>
/// Gets a <see cref="SafeCRLHandleContext" /> for the X509 certificate revocation list. The caller of this
/// method owns the returned safe handle, and should dispose of it when they no longer need it.
/// This handle can be used independently of the lifetime of the original X509 certificate revocation list.
/// </summary>
/// <returns>Handle to a <strong>CRL_CONTEXT</strong> structure.</returns>
/// <permission cref="SecurityPermission">
/// The immediate caller must have SecurityPermission/UnmanagedCode to use this method
/// </permission>
/// <exception cref="UninitializedObjectException">An object is not initialized.</exception>
public void GetSafeContext()
{
if (Handle.IsInvalid || Handle.IsClosed)
{
Handle = Handle = Crypt32.CertCreateCRLContext(65537, RawData, (UInt32)RawData.Length);
GC.KeepAlive(this);
}
}
public unsafe X509Certificate2 GenerateCertificateAuthority(PrivateKey privateKey, X500DistinguishedName dn, HashAlgorithm signatureAlgorithm, DateTime?notBefore = null, DateTime?notAfter = null)
{
{
fixed(byte *dnPtr = dn.RawData)
{
var blob = new NATIVE_CRYPTOAPI_BLOB
{
cbData = (uint)dn.RawData.Length,
pbData = dnPtr
};
var signatureAlgorithmIdentifier = new CRYPT_ALGORITHM_IDENTIFIER
{
pszObjId = HashAlgorithmToSignatureAlgorithm(privateKey, signatureAlgorithm)
};
using (var extensions = new MarshalX509ExtensionCollection())
{
using (extensions.Freeze())
{
extensions.Add(new X509BasicConstraintsExtension(true, true, 1, true));
extensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.CrlSign | X509KeyUsageFlags.KeyCertSign, true));
extensions.Add(new X509EnhancedKeyUsageExtension(new OidCollection {
new Oid(OIDs.EKU_SERVER)
}, false));
using (var publicKey = privateKey.ToPublicKey())
{
using (var sha1 = new SHA1CryptoServiceProvider())
{
var pubKeyHash = sha1.ComputeHash(publicKey.Key);
extensions.Add(new X509SubjectKeyIdentifierExtension(pubKeyHash, false));
extensions.Add(new X509AuthorityKeyIdentifierExtension(pubKeyHash, null));
}
}
}
var certExtensions = extensions.Extensions;
var keyProvInfo = new CRYPT_KEY_PROV_INFO
{
cProvParam = 0,
dwKeySpec = privateKey.KeySpec,
dwProvType = privateKey.Handle.IsNCryptKey ? ProviderType.CNG : ProviderType.PROV_RSA_AES,
pwszProvName = privateKey.ProviderName,
dwFlags = 0,
pwszContainerName = privateKey.Name
};
var beginning = new SYSTEMTIME(notBefore ?? DateTime.UtcNow.AddHours(-1));
var expiration = new SYSTEMTIME(notAfter ?? DateTime.UtcNow.AddHours(-1).AddYears(30));
var certContext = Crypt32.CertCreateSelfSignCertificate(privateKey.Handle, ref blob, SelfSignFlags.NONE, ref keyProvInfo, ref signatureAlgorithmIdentifier, beginning, expiration, ref certExtensions);
if (certContext == IntPtr.Zero)
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
return(new X509Certificate2(certContext));
}
}
}
}
/// <summary>
/// Gets a <see cref="SafeCTLHandleContext" /> for the X509 certificate revocation list. The caller of this
/// method owns the returned safe handle, and should dispose of it when they no longer need it.
/// This handle can be used independently of the lifetime of the original X509 certificate revocation list.
/// </summary>
/// <returns>Safe handle to a current CTL instance.</returns>
/// <permission cref="SecurityPermission">
/// The immediate caller must have SecurityPermission/UnmanagedCode to use this method
/// </permission>
public SafeCTLHandleContext GetSafeContext()
{
if (!Handle.Equals(IntPtr.Zero))
{
SafeCTLHandleContext safeContext = Crypt32.CertDuplicateCTLContext(Handle);
GC.KeepAlive(this);
return(safeContext);
}
throw new UninitializedObjectException();
}
/// <summary>
/// Gets a <see cref="SafeCTLHandleContext" /> for the X509 certificate revocation list. The caller of this
/// method owns the returned safe handle, and should dispose of it when they no longer need it.
/// This handle can be used independently of the lifetime of the original X509 certificate revocation list.
/// </summary>
/// <returns>Safe handle to a current CTL instance.</returns>
/// <permission cref="SecurityPermission">
/// The immediate caller must have SecurityPermission/UnmanagedCode to use this method
/// </permission>
public SafeCTLHandleContext GetSafeContext()
{
if (ctx == null || ctx.IsInvalid || ctx.IsClosed)
{
ctx = Crypt32.CertCreateCTLContext(65537, RawData, (UInt32)RawData.Length);
GC.KeepAlive(this);
return(ctx);
}
return(ctx);
}
public UniversalSubjectIdentifier(CRYPTOAPI_BLOB issuer, CRYPTOAPI_BLOB serialNumber)
{
var allZeroSerial = IsBlobAllZero(serialNumber);
if (allZeroSerial)
{
var x500Name = LocalBufferSafeHandle.Zero;
var flags = EncodingType.PKCS_7_ASN_ENCODING | EncodingType.X509_ASN_ENCODING;
uint size = 0;
if (Crypt32.CryptDecodeObjectEx(flags, (IntPtr)7, issuer.pbData, issuer.cbData, CryptDecodeFlags.CRYPT_DECODE_ALLOC_FLAG, IntPtr.Zero, out x500Name, ref size))
{
using (x500Name)
{
var info = Marshal.PtrToStructure <CERT_NAME_INFO>(x500Name.DangerousGetHandle());
for (var i = 0L; i < info.cRDN; i++)
{
var rdn = Marshal.PtrToStructure <CERT_RDN>(new IntPtr(info.rgRDN.ToInt64() + i * Marshal.SizeOf <CERT_RDN>()));
for (var j = 0; j < rdn.cRDNAttr; j++)
{
var attribute = Marshal.PtrToStructure <CERT_RDN_ATTR>(new IntPtr(rdn.rgRDNAttr.ToInt64() + j * Marshal.SizeOf <CERT_RDN_ATTR>()));
if (attribute.pszObjId == KnownOids.KeyId)
{
Type = SubjectIdentifierType.SubjectKeyIdentifier;
var ski = new byte[attribute.Value.cbData];
Marshal.Copy(attribute.Value.pbData, ski, 0, ski.Length);
Value = HashHelpers.HexEncodeBigEndian(ski);
return;
}
}
}
}
}
}
unsafe
{
var result = Crypt32.CertNameToStr(EncodingType.PKCS_7_ASN_ENCODING | EncodingType.X509_ASN_ENCODING, new IntPtr(&issuer), CertNameStrType.CERT_X500_NAME_STR | CertNameStrType.CERT_NAME_STR_REVERSE_FLAG, null, 0);
if (result <= 1)
{
throw new InvalidOperationException();
}
var builder = new StringBuilder((int)result);
var final = Crypt32.CertNameToStr(EncodingType.PKCS_7_ASN_ENCODING | EncodingType.X509_ASN_ENCODING, new IntPtr(&issuer), CertNameStrType.CERT_X500_NAME_STR | CertNameStrType.CERT_NAME_STR_REVERSE_FLAG, builder, result);
if (final <= 1)
{
throw new InvalidOperationException();
}
var serial = new byte[serialNumber.cbData];
Marshal.Copy(serialNumber.pbData, serial, 0, serial.Length);
var issuerSerial = new X509IssuerSerial();
issuerSerial.IssuerName = builder.ToString();
issuerSerial.SerialNumber = HashHelpers.HexEncodeBigEndian(serial);
Value = issuerSerial;
Type = SubjectIdentifierType.IssuerAndSerialNumber;
}
}
private Task <TimestampResult> Win32TimeStamp(Uri timestampServer, HashAlgorithmName timestampAlgorithm, TimestampNonceFactory nonce)
{
var oid = HashAlgorithmTranslator.TranslateFromNameToOid(timestampAlgorithm);
var parameters = new CRYPT_TIMESTAMP_PARA
{
cExtension = 0,
fRequestCerts = true
};
parameters.Nonce.cbData = nonce.Size;
parameters.Nonce.pbData = nonce.NoncePointer;
parameters.pszTSAPolicyId = null;
var(signatureDocument, timestampSubject) = GetSignatureToTimestamp(_part);
var winResult = Crypt32.CryptRetrieveTimeStamp(
timestampServer.AbsoluteUri,
CryptRetrieveTimeStampRetrievalFlags.NONE,
(uint)Timeout.TotalMilliseconds,
oid.Value,
ref parameters,
timestampSubject,
(uint)timestampSubject.Length,
out var context,
IntPtr.Zero,
IntPtr.Zero
);
if (!winResult)
{
return(Task.FromResult(TimestampResult.Failed));
}
using (context)
{
var refSuccess = false;
try
{
context.DangerousAddRef(ref refSuccess);
if (!refSuccess)
{
return(Task.FromResult(TimestampResult.Failed));
}
var structure = Marshal.PtrToStructure <CRYPT_TIMESTAMP_CONTEXT>(context.DangerousGetHandle());
var encoded = new byte[structure.cbEncoded];
Marshal.Copy(structure.pbEncoded, encoded, 0, encoded.Length);
ApplyTimestamp(signatureDocument, _part, encoded);
return(Task.FromResult(TimestampResult.Success));
}
finally
{
if (refSuccess)
{
context.DangerousRelease();
}
}
}
}
internal void import_key(byte[] key_blob)
{
bool result = Crypt32.CryptImportKey(_provider.Handle, key_blob,
key_blob.Length, IntPtr.Zero, 0, out _key);
int param_size = sizeof(uint);
byte[] rawData = new byte[sizeof(int)];
Crypt32.CryptGetKeyParam(_key, Crypt32.KP_KEYLEN, ref rawData, ref param_size, 0);
_key_size = (((((rawData[3] * 256) + rawData[2]) * 256) + rawData[1]) + 256) + rawData[0];
_key_size /= 8;
}
private static unsafe Task <(TimestampResult, byte[])> SubmitTimestampRequest(Uri timestampUri, Oid digestOid, TimestampNonce nonce, TimeSpan timeout, byte[] digest)
{
var parameters = new CRYPT_TIMESTAMP_PARA
{
cExtension = 0,
fRequestCerts = true
};
using (var cNonce = nonce.Nonce.Pin())
{
parameters.Nonce.cbData = (uint)nonce.Nonce.Length;
parameters.Nonce.pbData = new IntPtr(cNonce.Pointer);
parameters.pszTSAPolicyId = null;
var winResult = Crypt32.CryptRetrieveTimeStamp(
timestampUri.AbsoluteUri,
CryptRetrieveTimeStampRetrievalFlags.TIMESTAMP_DONT_HASH_DATA,
(uint)timeout.TotalMilliseconds,
digestOid.Value,
ref parameters,
digest,
(uint)digest.Length,
out var context,
IntPtr.Zero,
IntPtr.Zero
);
if (!winResult)
{
return(Task.FromResult <(TimestampResult, byte[])>((TimestampResult.Failed, null)));
}
using (context)
{
var refSuccess = false;
try
{
context.DangerousAddRef(ref refSuccess);
if (!refSuccess)
{
return(Task.FromResult <(TimestampResult, byte[])>((TimestampResult.Failed, null)));
}
var structure = Marshal.PtrToStructure <CRYPT_TIMESTAMP_CONTEXT>(context.DangerousGetHandle());
var encoded = new byte[structure.cbEncoded];
Marshal.Copy(structure.pbEncoded, encoded, 0, encoded.Length);
return(Task.FromResult <(TimestampResult, byte[])>((TimestampResult.Success, encoded)));
}
finally
{
if (refSuccess)
{
context.DangerousRelease();
}
}
}
}
}
public static Byte[] CryptStringToBinary(String inputString, CryptEncoding inputEncoding = CryptEncoding.CRYPT_STRING_ANY)
{
UInt32 pcbBinary = 0;
if (Crypt32.CryptStringToBinary(inputString, (UInt32)inputString.Length, (UInt32)inputEncoding, null, ref pcbBinary, 0, 0))
{
Byte[] pbBinary = new Byte[pcbBinary];
Crypt32.CryptStringToBinary(inputString, (UInt32)inputString.Length, (UInt32)inputEncoding, pbBinary, ref pcbBinary, 0, 0);
return(pbBinary);
}
throw new Win32Exception(Marshal.GetLastWin32Error());
}
static void unregisterCNG(IEnumerable <Oid2> oid)
{
if (oid.Select(oid2 => new Wincrypt.CRYPT_OID_INFO {
cbSize = Marshal.SizeOf(typeof(Wincrypt.CRYPT_OID_INFO)),
pszOID = oid2.Value,
pwszName = oid2.FriendlyName,
dwGroupId = (Int32)oid2.OidGroup
}).Any(oidinfo => !Crypt32.CryptUnregisterOIDInfo(oidinfo)))
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
}
internal void init(Mode aes_mode, KeySize aes_key_size, byte[] key)
{
_mode = aes_mode;
switch (aes_key_size)
{
case KeySize.Aes128:
_key_size = 16;
break;
case KeySize.Aes192:
_key_size = 24;
break;
case KeySize.Aes256:
_key_size = 32;
break;
default:
_key_size = 0;
break;
}
_counter.Zeroize();
_counter_out.Zeroize();
_keystream_pointer = 0xFFFF;
// initialize WinCrypt AES-128 key.
ms_aes_key key_blob = new ms_aes_key();
key_blob.header.bType = BlobType.PlainText;
key_blob.header.bVersion = CurrentBlobVersion;
key_blob.header.reserved = 0;
key_blob.header.aiKeyAlg = (uint)aes_key_size;
key_blob.size = _key_size;
Buffer.BlockCopy(key, 0, key_blob.key, 0, (int)key_blob.size);
int nativeKeySize;
IntPtr nativeKey = key_blob.Serialize(out nativeKeySize);
try {
bool result = Crypt32.CryptImportKey(_provider.Handle, nativeKey,
nativeKeySize, IntPtr.Zero, 0, out _key);
}
finally { Marshal.FreeCoTaskMem(nativeKey); }
_mode = aes_mode;
// WinCrypt cannot do CTR mode, we have to do it manually.
IntPtr buffer = Marshal.AllocCoTaskMem(sizeof(int));
try {
int mode = (int)((aes_mode == Mode.Ctr) ? Mode.Ecb : aes_mode);
Marshal.WriteInt32(buffer, mode);
bool result = Crypt32.CryptSetKeyParam(_key, 4 /* KP_MODE*/, buffer, 0);
}
finally { Marshal.FreeCoTaskMem(buffer); }
}
private static unsafe IReadOnlyList <ICmsSignature> GetSignatures(CryptMsgSafeHandle messageHandle)
{
var countSize = 0u;
if (!Crypt32.CryptMsgGetParam(messageHandle, CryptMsgParamType.CMSG_SIGNER_COUNT_PARAM, 0, LocalBufferSafeHandle.Zero, ref countSize))
{
return(Array.Empty <ICmsSignature>());
}
uint signerCount;
using (var countHandle = LocalBufferSafeHandle.Alloc(countSize))
{
if (!Crypt32.CryptMsgGetParam(messageHandle, CryptMsgParamType.CMSG_SIGNER_COUNT_PARAM, 0, countHandle, ref countSize))
{
return(Array.Empty <ICmsSignature>());
}
signerCount = (uint)Marshal.ReadInt32(countHandle.DangerousGetHandle());
}
var signatures = new List <ICmsSignature>();
var contentSize = 0u;
byte[] content = null;
if (Crypt32.CryptMsgGetParam(messageHandle, CryptMsgParamType.CMSG_CONTENT_PARAM, 0, LocalBufferSafeHandle.Zero, ref contentSize))
{
using (var contentHandle = LocalBufferSafeHandle.Alloc(contentSize))
{
if (Crypt32.CryptMsgGetParam(messageHandle, CryptMsgParamType.CMSG_CONTENT_PARAM, 0, contentHandle, ref contentSize))
{
content = new byte[contentSize];
Marshal.Copy(contentHandle.DangerousGetHandle(), content, 0, (int)contentSize);
}
}
}
for (var i = 0u; i < signerCount; i++)
{
var signerSize = 0u;
if (!Crypt32.CryptMsgGetParam(messageHandle, CryptMsgParamType.CMSG_SIGNER_INFO_PARAM, i, LocalBufferSafeHandle.Zero, ref signerSize))
{
continue;
}
using (var signerHandle = LocalBufferSafeHandle.Alloc(signerSize))
{
if (!Crypt32.CryptMsgGetParam(messageHandle, CryptMsgParamType.CMSG_SIGNER_INFO_PARAM, i, signerHandle, ref signerSize))
{
continue;
}
var signature = new CmsSignature(SignatureKind.Signature, messageHandle, signerHandle, content);
signatures.Add(signature);
}
}
return(signatures.AsReadOnly());
}
private void SetKey(byte[] keyData, string keyType)
{
int key_blob_size = 0;
_key_blob = null;
bool result = Crypt32.CryptDecodeObject(Crypt32.X509_ASN_ENCODING, keyType,
keyData, keyData.Length, 0, ref _key_blob, ref key_blob_size);
_key_blob = new byte[key_blob_size];
result = Crypt32.CryptDecodeObject(Crypt32.X509_ASN_ENCODING, keyType,
keyData, keyData.Length, 0, ref _key_blob, ref key_blob_size);
import_key(_key_blob);
}
static void registerCNG(Oid oid, OidGroupEnum group)
{
Wincrypt.CRYPT_OID_INFO oidinfo = new Wincrypt.CRYPT_OID_INFO {
cbSize = Marshal.SizeOf(typeof(Wincrypt.CRYPT_OID_INFO)),
pszOID = oid.Value,
pwszName = oid.FriendlyName,
dwGroupId = (Int32)@group
};
if (!Crypt32.CryptRegisterOIDInfo(oidinfo, 0))
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
}
/// <summary>
/// Computes the hash value of the specified byte array using the specified hash algorithm, and signs the resulting hash value.
/// </summary>
/// <param name="certificate">An <see cref="X509Certificate2"/> object of the signer certificate.</param>
/// <param name="message">Message to be signed.</param>
/// <param name="hashAlgorithm">The name of the hash algorithm to use in the signature.</param>
/// <returns>The signature for the specified data.</returns>
public static Byte[] SignMessage(X509Certificate2 certificate, Byte[] message, Oid hashAlgorithm)
{
IntPtr phCryptProv = IntPtr.Zero;
UInt32 pdwKeySpec = 0;
Boolean pfCallerFreeProv = false;
if (!Crypt32.CryptAcquireCertificatePrivateKey(certificate.Handle, 0x00010000, IntPtr.Zero, ref phCryptProv, ref pdwKeySpec, ref pfCallerFreeProv))
{
throw new CryptographicException(Marshal.GetLastWin32Error());
}
Oid2 hashalgorithm = new Oid2(
hashAlgorithm.FriendlyName.ToLower()
.Replace("rsa", null)
.Replace("ecdsa", null),
OidGroupEnum.HashAlgorithm, true);
String hashAlg;
// true -> CNG, false -> legacy
if (pdwKeySpec == UInt32.MaxValue)
{
Byte[] hashBytes = calculateHash(message, hashalgorithm, false, out hashAlg);
try {
UInt32 pcbResult;
Int32 hresult = nCrypt.NCryptSignHash(phCryptProv, IntPtr.Zero, hashBytes, (UInt32)hashBytes.Length, null, 0, out pcbResult, 0);
if (hresult != 0)
{
throw new CryptographicException(hresult);
}
Byte[] pbSignature = new byte[pcbResult];
hresult = nCrypt.NCryptSignHash(phCryptProv, IntPtr.Zero, hashBytes, (UInt32)hashBytes.Length, pbSignature, (UInt32)pbSignature.Length, out pcbResult, 0);
if (hresult != 0)
{
throw new CryptographicException(hresult);
}
return(pbSignature);
} finally {
if (pfCallerFreeProv)
{
nCrypt.NCryptFreeObject(phCryptProv);
}
}
}
if (pfCallerFreeProv)
{
AdvAPI.CryptReleaseContext(phCryptProv, 0);
}
calculateHash(message, hashalgorithm, false, out hashAlg);
RSACryptoServiceProvider key = (RSACryptoServiceProvider)certificate.PrivateKey;
return(key.SignData(message, hashAlg));
}
