private static ICertificatePal[] ReadPkcs12Collection(
ReadOnlySpan <byte> rawData,
SafePasswordHandle password,
bool ephemeralSpecified)
{
using (var reader = new AndroidPkcs12Reader(rawData))
{
reader.Decrypt(password, ephemeralSpecified);
ICertificatePal[] certs = new ICertificatePal[reader.GetCertCount()];
int idx = 0;
foreach (UnixPkcs12Reader.CertAndKey certAndKey in reader.EnumerateAll())
{
AndroidCertificatePal pal = (AndroidCertificatePal)certAndKey.Cert !;
if (certAndKey.Key != null)
{
pal.SetPrivateKey(AndroidPkcs12Reader.GetPrivateKey(certAndKey.Key));
}
certs[idx] = pal;
idx++;
}
return(certs);
}
}
internal static partial ICertificatePal FromFile(
string fileName,
SafePasswordHandle password,
X509KeyStorageFlags keyStorageFlags)
{
return(AndroidCertificatePal.FromFile(fileName, password, keyStorageFlags));
}
internal static partial ICertificatePal FromBlob(
ReadOnlySpan <byte> rawData,
SafePasswordHandle password,
X509KeyStorageFlags keyStorageFlags)
{
return(AndroidCertificatePal.FromBlob(rawData, password, keyStorageFlags));
}
public AndroidCertLoader(SafeX509Handle[] certHandles)
{
_certs = new ICertificatePal[certHandles.Length];
for (int i = 0; i < certHandles.Length; i++)
{
SafeX509Handle handle = certHandles[i];
Debug.Assert(!handle.IsInvalid);
_certs[i] = AndroidCertificatePal.FromHandle(handle.DangerousGetHandle());
}
}
protected override ICertificatePalCore ReadX509Der(ReadOnlyMemory <byte> data)
{
ICertificatePal?cert;
if (!AndroidCertificatePal.TryReadX509(data.Span, out cert))
{
throw new CryptographicException(SR.Cryptography_Der_Invalid_Encoding);
}
return(cert);
}
private static IntPtr GetPublicKey(ICertificatePal pal, Interop.AndroidCrypto.PAL_KeyAlgorithm algorithm)
{
AndroidCertificatePal certPal = (AndroidCertificatePal)pal;
IntPtr ptr = Interop.AndroidCrypto.X509GetPublicKey(certPal.SafeHandle, algorithm);
if (ptr == IntPtr.Zero)
{
throw new CryptographicException();
}
return(ptr);
}
// Handles both DER and PEM
internal static bool TryReadX509(ReadOnlySpan <byte> rawData, [NotNullWhen(true)] out ICertificatePal?handle)
{
handle = null;
SafeX509Handle certHandle = Interop.AndroidCrypto.X509Decode(
ref MemoryMarshal.GetReference(rawData),
rawData.Length);
if (certHandle.IsInvalid)
{
certHandle.Dispose();
return(false);
}
handle = new AndroidCertificatePal(certHandle);
return(true);
}
public static ICertificatePal FromOtherCert(X509Certificate cert)
{
Debug.Assert(cert.Pal != null);
AndroidCertificatePal certPal = (AndroidCertificatePal)cert.Pal;
// Ensure private key is copied
if (certPal.PrivateKeyHandle != null)
{
return(certPal.CopyWithPrivateKeyHandle(certPal.PrivateKeyHandle.DuplicateHandle()));
}
SafeX509Handle handle = new SafeX509Handle(Interop.JObjectLifetime.NewGlobalReference(certPal.Handle));
return(new AndroidCertificatePal(handle));
}
private static ICertificatePal ReadPkcs12(ReadOnlySpan <byte> rawData, SafePasswordHandle password, bool ephemeralSpecified)
{
using (var reader = new AndroidPkcs12Reader(rawData))
{
reader.Decrypt(password, ephemeralSpecified);
UnixPkcs12Reader.CertAndKey certAndKey = reader.GetSingleCert();
AndroidCertificatePal pal = (AndroidCertificatePal)certAndKey.Cert !;
if (certAndKey.Key != null)
{
pal.SetPrivateKey(AndroidPkcs12Reader.GetPrivateKey(certAndKey.Key));
}
return(pal);
}
}
public void Add(ICertificatePal cert)
{
if (_readOnly)
{
throw new CryptographicException(SR.Cryptography_X509_StoreReadOnly);
}
AndroidCertificatePal certPal = (AndroidCertificatePal)cert;
string hashString = GetCertificateHashString(cert);
bool success;
if (certPal.HasPrivateKey)
{
Interop.AndroidCrypto.PAL_KeyAlgorithm algorithm = certPal.PrivateKeyHandle switch
{
// The AndroidKeyStore doesn't support adding DSA private key entries in newer versions (API 23+)
// Our minimum supported version (API 21) does support it, but for simplicity, we simply block adding
// certificates with DSA private keys on all versions instead of trying to support it on two versions.
SafeDsaHandle => throw new PlatformNotSupportedException(SR.Cryptography_X509_StoreDSAPrivateKeyNotSupported),
SafeEcKeyHandle => Interop.AndroidCrypto.PAL_KeyAlgorithm.EC,
SafeRsaHandle => Interop.AndroidCrypto.PAL_KeyAlgorithm.RSA,
_ => throw new NotSupportedException(SR.NotSupported_KeyAlgorithm)
};
success = Interop.AndroidCrypto.X509StoreAddCertificateWithPrivateKey(_keyStoreHandle, certPal.SafeHandle, certPal.PrivateKeyHandle, algorithm, hashString);
}
else
{
success = Interop.AndroidCrypto.X509StoreAddCertificate(_keyStoreHandle, certPal.SafeHandle, hashString);
}
if (!success)
{
throw new CryptographicException(SR.Cryptography_X509_StoreAddFailure);
}
}
public void Remove(ICertificatePal cert)
{
string hashString = GetCertificateHashString(cert);
AndroidCertificatePal certPal = (AndroidCertificatePal)cert;
if (_readOnly)
{
bool containsCert = Interop.AndroidCrypto.X509StoreContainsCertificate(_keyStoreHandle, certPal.SafeHandle, hashString);
if (containsCert)
{
throw new CryptographicException(SR.Cryptography_X509_StoreReadOnly);
}
// Removing a non-existent certificate is not an error
return;
}
bool success = Interop.AndroidCrypto.X509StoreRemoveCertificate(_keyStoreHandle, certPal.SafeHandle, hashString);
if (!success)
{
throw new CryptographicException(SR.Cryptography_X509_StoreRemoveFailure);
}
}
internal static partial ICertificatePal FromHandle(IntPtr handle)
{
return(AndroidCertificatePal.FromHandle(handle));
}
internal static partial ICertificatePal FromOtherCert(X509Certificate copyFrom)
{
return(AndroidCertificatePal.FromOtherCert(copyFrom));
}
