Beispiel #1
0
        private static X509Certificate2 CreateRsaCertificate(byte[] cer, byte[] key)
        {
            if (!s_rsaInitializedImportPkcs8PrivateKeyMethod)
            {
                // ImportPkcs8PrivateKey was added in .NET Core 3.0 and is only present on Core. We will fall back to a lightweight decoder if this method is missing from the current runtime.
                s_rsaImportPkcs8PrivateKeyMethod            = typeof(RSA).GetMethod("ImportPkcs8PrivateKey", BindingFlags.Instance | BindingFlags.Public, null, new[] { typeof(ReadOnlySpan <byte>), typeof(int).MakeByRefType() }, null);
                s_rsaInitializedImportPkcs8PrivateKeyMethod = true;
            }

            if (s_rsaCopyWithPrivateKeyMethod is null)
            {
                s_rsaCopyWithPrivateKeyMethod = typeof(RSACertificateExtensions).GetMethod("CopyWithPrivateKey", BindingFlags.Static | BindingFlags.Public, null, new[] { typeof(X509Certificate2), typeof(RSA) }, null)
                                                ?? throw new PlatformNotSupportedException("The current platform does not support reading a private key from a PEM file");
            }

            RSA privateKey = null;

            try
            {
                if (s_rsaImportPkcs8PrivateKeyMethod != null)
                {
                    privateKey = RSA.Create();

                    // Because ImportPkcs8PrivateKey declares an out parameter we cannot call it directly using MethodInfo.Invoke since all arguments are passed as an object array.
                    // Instead we create a delegate with the correct signature and invoke it.
                    ImportPrivateKeyDelegate importPkcs8PrivateKey = (ImportPrivateKeyDelegate)s_rsaImportPkcs8PrivateKeyMethod.CreateDelegate(typeof(ImportPrivateKeyDelegate), privateKey);
                    importPkcs8PrivateKey.Invoke(key, out int bytesRead);

                    if (key.Length != bytesRead)
                    {
                        throw new InvalidDataException("Invalid PKCS#8 Data");
                    }
                }
                else
                {
                    privateKey = LightweightPkcs8Decoder.DecodeRSAPkcs8(key);
                }

                using X509Certificate2 certificateWithoutPrivateKey = new X509Certificate2(cer);
                X509Certificate2 certificate = (X509Certificate2)s_rsaCopyWithPrivateKeyMethod.Invoke(null, new object[] { certificateWithoutPrivateKey, privateKey });

                // On .NET Framework the PrivateKey member is not initialized after calling CopyWithPrivateKey.
                if (certificate.PrivateKey is null)
                {
                    certificate.PrivateKey = privateKey;
                }

                // Make sure the private key doesn't get disposed now that it's used.
                privateKey = null;

                return(certificate);
            }
            finally
            {
                // If we created and did not use the RSA private key, make sure it's disposed.
                privateKey?.Dispose();
            }
        }
Beispiel #2
0
        static partial void CreateECDsaCertificate(byte[] cer, byte[] key, X509KeyStorageFlags keyStorageFlags, ref X509Certificate2 certificate)
        {
            if (!s_ecInitializedImportPkcs8PrivateKeyMethod)
            {
                // ImportPkcs8PrivateKey was added in .NET Core 3.0 and is only present on Core. We will fall back to a lightweight decoder if this method is missing from the current runtime.
                s_ecImportPkcs8PrivateKeyMethod            = typeof(ECDsa).GetMethod("ImportPkcs8PrivateKey", BindingFlags.Instance | BindingFlags.Public, null, new[] { typeof(ReadOnlySpan <byte>), typeof(int).MakeByRefType() }, null);
                s_ecInitializedImportPkcs8PrivateKeyMethod = true;
            }

            if (s_ecCopyWithPrivateKeyMethod is null)
            {
                s_ecCopyWithPrivateKeyMethod = typeof(ECDsaCertificateExtensions).GetMethod("CopyWithPrivateKey", BindingFlags.Static | BindingFlags.Public, null, new[] { typeof(X509Certificate2), typeof(ECDsa) }, null)
                                               ?? throw new PlatformNotSupportedException("The current platform does not support reading an ECDsa private key from a PEM file");
            }

            // Create the certificate without the private key to pass to our PKCS8 decoder if needed to copy the prime curve.
            using X509Certificate2 certificateWithoutPrivateKey = new X509Certificate2(cer, (string)null, keyStorageFlags);

            ECDsa privateKey = null;

            try
            {
                if (s_ecImportPkcs8PrivateKeyMethod != null)
                {
                    privateKey = ECDsa.Create();

                    // Because ImportECPrivateKeyMethod declares an out parameter we cannot call it directly using MethodInfo.Invoke since all arguments are passed as an object array.
                    // Instead we create a delegate with the correct signature and invoke it.
                    ImportPrivateKeyDelegate importECPrivateKey = (ImportPrivateKeyDelegate)s_ecImportPkcs8PrivateKeyMethod.CreateDelegate(typeof(ImportPrivateKeyDelegate), privateKey);
                    importECPrivateKey.Invoke(key, out int bytesRead);

                    if (key.Length != bytesRead)
                    {
                        throw new InvalidDataException("Invalid PKCS#8 Data");
                    }
                }
                else
                {
                    // Copy the prime curve from the public key to mitigate risk parsing the ASN.1 structure ourselves.
                    using ECDsa publicKey = certificateWithoutPrivateKey.GetECDsaPublicKey();
                    privateKey            = LightweightPkcs8Decoder.DecodeECDsaPkcs8(key, publicKey);
                }

                certificate = (X509Certificate2)s_ecCopyWithPrivateKeyMethod.Invoke(null, new object[] { certificateWithoutPrivateKey, privateKey });

                // Make sure the private key doesn't get disposed now that it's used.
                privateKey = null;
            }
            finally
            {
                // If we created and did not use the RSA private key, make sure it's disposed.
                privateKey?.Dispose();
            }
        }
        /// <summary>
        /// Loads an <see cref="X509Certificate2"/> from PEM data.
        /// </summary>
        /// <param name="data">The PEM data to parse.</param>
        /// <param name="cer">Optional public certificate data if not defined within the PEM data.</param>
        /// <param name="allowCertificateOnly">Whether to create an <see cref="X509Certificate2"/> if no private key is read.</param>
        /// <returns>An <see cref="X509Certificate2"/> loaded from the PEM data.</returns>
        /// <exception cref="CryptographicException">A cryptographic exception occurred when trying to create the <see cref="X509Certificate2"/>.</exception>
        /// <exception cref="InvalidDataException"><paramref name="cer"/> is null and no CERTIFICATE field is defined in PEM, or no PRIVATE KEY is defined in PEM.</exception>
        /// <exception cref="PlatformNotSupportedException">Creating a <see cref="X509Certificate2"/> from PEM data is not supported on the current platform.</exception>
        public static X509Certificate2 LoadCertificate(ReadOnlySpan <char> data, byte[] cer = null, bool allowCertificateOnly = false)
        {
            byte[] priv = null;

            while (TryRead(data, out PemField field))
            {
                // TODO: Consider building up a chain to determine the leaf certificate: https://github.com/Azure/azure-sdk-for-net/issues/19043
                if (field.Label.Equals("CERTIFICATE".AsSpan(), StringComparison.Ordinal))
                {
                    cer = field.FromBase64Data();
                }
                else if (field.Label.Equals("PRIVATE KEY".AsSpan(), StringComparison.Ordinal))
                {
                    priv = field.FromBase64Data();
                }

                int offset = field.Start + field.Length;
                if (offset >= data.Length)
                {
                    break;
                }

                data = data.Slice(offset);
            }

            if (cer is null)
            {
                throw new InvalidDataException("The certificate is missing the public key");
            }

            if (priv is null)
            {
                if (allowCertificateOnly)
                {
                    return(new X509Certificate2(cer));
                }

                throw new InvalidDataException("The certificate is missing the private key");
            }

            if (!s_initializedImportPkcs8PrivateKeyMethod)
            {
                // ImportPkcs8PrivateKey was added in .NET Core 3.0 and is only present on Core. We will fall back to a lightweight decoder if this method is missing from the current runtime.
                s_importPkcs8PrivateKeyMethod            = typeof(RSA).GetMethod("ImportPkcs8PrivateKey", BindingFlags.Instance | BindingFlags.Public, null, new[] { typeof(ReadOnlySpan <byte>), typeof(int).MakeByRefType() }, null);
                s_initializedImportPkcs8PrivateKeyMethod = true;
            }

            if (s_copyWithPrivateKeyMethod is null)
            {
                s_copyWithPrivateKeyMethod = typeof(RSACertificateExtensions).GetMethod("CopyWithPrivateKey", BindingFlags.Static | BindingFlags.Public, null, new[] { typeof(X509Certificate2), typeof(RSA) }, null)
                                             ?? throw new PlatformNotSupportedException("The current platform does not support reading a private key from a PEM file");
            }

            RSA privateKey = null;

            try
            {
                if (s_importPkcs8PrivateKeyMethod != null)
                {
                    privateKey = RSA.Create();

                    // Because ImportPkcs8PrivateKey declares an out parameter we cannot call it directly using MethodInfo.Invoke since all arguments are passed as an object array.
                    // Instead we create a delegate with the correct signature and invoke it.
                    ImportPkcs8PrivateKeyDelegate importPkcs8PrivateKey = (ImportPkcs8PrivateKeyDelegate)s_importPkcs8PrivateKeyMethod.CreateDelegate(typeof(ImportPkcs8PrivateKeyDelegate), privateKey);
                    importPkcs8PrivateKey.Invoke(priv, out _);
                }
                else
                {
                    privateKey = LightweightPkcs8Decoder.DecodeRSAPkcs8(priv);
                }

                using X509Certificate2 certificateWithoutPrivateKey = new X509Certificate2(cer);
                X509Certificate2 certificate = (X509Certificate2)s_copyWithPrivateKeyMethod.Invoke(null, new object[] { certificateWithoutPrivateKey, privateKey });

                // On .NET Framework the PrivateKey member is not initialized after calling CopyWithPRivateKey.
                if (certificate.PrivateKey is null)
                {
                    certificate.PrivateKey = privateKey;
                }

                // Make sure the private key doesn't get disposed now that it's used.
                privateKey = null;

                return(certificate);
            }
            finally
            {
                // If we created and did not use the RSA private key, make sure it's disposed.
                privateKey?.Dispose();
            }
        }
Beispiel #4
0
        /// <summary>
        /// Loads an <see cref="X509Certificate2"/> from PEM data.
        /// </summary>
        /// <param name="data">The PEM data to parse.</param>
        /// <param name="cer">Optional public certificate data if not defined within the PEM data.</param>
        /// <param name="keyType">
        /// Optional <see cref="KeyType"/> of the certificate private key. The default is <see cref="KeyType.Auto"/> to automatically detect.
        /// Only support for <see cref="KeyType.RSA"/> is implemented by shared code.
        /// </param>
        /// <param name="allowCertificateOnly">Whether to create an <see cref="X509Certificate2"/> if no private key is read.</param>
        /// <returns>An <see cref="X509Certificate2"/> loaded from the PEM data.</returns>
        /// <exception cref="CryptographicException">A cryptographic exception occurred when trying to create the <see cref="X509Certificate2"/>.</exception>
        /// <exception cref="InvalidDataException"><paramref name="cer"/> is null and no CERTIFICATE field is defined in PEM, or no PRIVATE KEY is defined in PEM.</exception>
        /// <exception cref="NotSupportedException">The <paramref name="keyType"/> is not supported.</exception>
        /// <exception cref="PlatformNotSupportedException">Creating a <see cref="X509Certificate2"/> from PEM data is not supported on the current platform.</exception>
        public static X509Certificate2 LoadCertificate(ReadOnlySpan <char> data, byte[] cer = null, KeyType keyType = KeyType.Auto, bool allowCertificateOnly = false)
        {
            byte[] priv = null;

            while (TryRead(data, out PemField field))
            {
                // TODO: Consider building up a chain to determine the leaf certificate: https://github.com/Azure/azure-sdk-for-net/issues/19043
                if (field.Label.Equals("CERTIFICATE".AsSpan(), StringComparison.Ordinal))
                {
                    cer = field.FromBase64Data();
                }
                else if (field.Label.Equals("PRIVATE KEY".AsSpan(), StringComparison.Ordinal))
                {
                    priv = field.FromBase64Data();
                }

                int offset = field.Start + field.Length;
                if (offset >= data.Length)
                {
                    break;
                }

                data = data.Slice(offset);
            }

            if (cer is null)
            {
                throw new InvalidDataException("The certificate is missing the public key");
            }

            if (priv is null)
            {
                if (allowCertificateOnly)
                {
                    return(new X509Certificate2(cer));
                }

                throw new InvalidDataException("The certificate is missing the private key");
            }

            if (keyType == KeyType.Auto)
            {
                string oid = LightweightPkcs8Decoder.DecodePrivateKeyOid(priv);

                keyType = oid switch
                {
                    RSAAlgorithmId => KeyType.RSA,
                    ECDsaAlgorithmId => KeyType.ECDsa,
                    _ => throw new NotSupportedException($"The private key algorithm ID {oid} is not supported"),
                };
            }

            if (keyType == KeyType.ECDsa)
            {
                X509Certificate2 certificate = null;
                CreateECDsaCertificate(cer, priv, ref certificate);

                return(certificate ?? throw new NotSupportedException("Reading an ECDsa certificate from a PEM file is not supported"));
            }

            return(CreateRsaCertificate(cer, priv));
        }