internal static bool IsPkcs7Der(SafeBioHandle fileBio)
{
using (SafePkcs7Handle pkcs7 = Interop.Crypto.D2IPkcs7Bio(fileBio))
{
return(!pkcs7.IsInvalid);
}
}
internal static bool IsPkcs7(ReadOnlySpan <byte> rawData)
{
using (SafePkcs7Handle pkcs7 = Interop.Crypto.DecodePkcs7(rawData))
{
if (pkcs7.IsInvalid)
{
Interop.Crypto.ErrClearError();
}
else
{
return(true);
}
}
using (SafeBioHandle bio = Interop.Crypto.CreateMemoryBio())
{
Interop.Crypto.CheckValidOpenSslHandle(bio);
if (Interop.Crypto.BioWrite(bio, rawData) != rawData.Length)
{
Interop.Crypto.ErrClearError();
}
using (SafePkcs7Handle pkcs7 = Interop.Crypto.PemReadBioPkcs7(bio))
{
if (pkcs7.IsInvalid)
{
Interop.Crypto.ErrClearError();
return(false);
}
return(true);
}
}
}
private static bool TryReadPkcs7Pem(
byte[] rawData,
bool single,
out ICertificatePal certPal,
out List <ICertificatePal> certPals)
{
using (SafeBioHandle bio = Interop.libcrypto.BIO_new(Interop.libcrypto.BIO_s_mem()))
{
Interop.Crypto.CheckValidOpenSslHandle(bio);
Interop.libcrypto.BIO_write(bio, rawData, rawData.Length);
SafePkcs7Handle pkcs7 =
Interop.libcrypto.PEM_read_bio_PKCS7(bio, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero);
if (pkcs7.IsInvalid)
{
certPal = null;
certPals = null;
return(false);
}
using (pkcs7)
{
return(TryReadPkcs7(pkcs7, single, out certPal, out certPals));
}
}
}
private byte[] ExportPkcs7()
{
// Pack all of the certificates into a new PKCS7*, export it to a byte[],
// then free the PKCS7*, since we don't need it any more.
using (SafePkcs7Handle pkcs7 = Interop.Crypto.Pkcs7CreateSigned())
{
Interop.Crypto.CheckValidOpenSslHandle(pkcs7);
foreach (X509Certificate2 cert in _certs)
{
// Pkcs7AddCertificate => PKCS7_add_certificate increments the
// reference count of the certificate, so passing just the Handle
// value is sufficient.
//
// It gets decremented again when the SafePkcs7Handle is released.
if (!Interop.Crypto.Pkcs7AddCertificate(pkcs7, cert.Handle))
{
throw Interop.Crypto.CreateOpenSslCryptographicException();
}
}
return(Interop.Crypto.OpenSslEncode(
handle => Interop.Crypto.GetPkcs7DerSize(handle),
(handle, buf) => Interop.Crypto.EncodePkcs7(handle, buf),
pkcs7));
}
}
internal static bool IsPkcs7Pem(SafeBioHandle fileBio)
{
using (SafePkcs7Handle pkcs7 = Interop.Crypto.PemReadBioPkcs7(fileBio))
{
return(!pkcs7.IsInvalid);
}
}
internal static bool IsPkcs7Pem(SafeBioHandle fileBio)
{
using (SafePkcs7Handle pkcs7 = Interop.Crypto.PemReadBioPkcs7(fileBio))
{
if (pkcs7.IsInvalid)
{
Interop.Crypto.ErrClearError();
return(false);
}
return(true);
}
}
private static bool TryReadPkcs7Der(
SafeBioHandle bio,
bool single,
out ICertificatePal certPal,
out List <ICertificatePal> certPals)
{
using (SafePkcs7Handle pkcs7 = Interop.Crypto.D2IPkcs7Bio(bio))
{
if (pkcs7.IsInvalid)
{
certPal = null;
certPals = null;
return(false);
}
return(TryReadPkcs7(pkcs7, single, out certPal, out certPals));
}
}
private static bool TryReadPkcs7Der(
byte[] rawData,
bool single,
out ICertificatePal certPal,
out List <ICertificatePal> certPals)
{
using (SafePkcs7Handle pkcs7 = Interop.Crypto.DecodePkcs7(rawData, rawData.Length))
{
if (pkcs7.IsInvalid)
{
certPal = null;
certPals = null;
return(false);
}
return(TryReadPkcs7(pkcs7, single, out certPal, out certPals));
}
}
private static bool TryReadPkcs7Der(
ReadOnlySpan <byte> rawData,
bool single,
out ICertificatePal?certPal,
[NotNullWhen(true)] out List <ICertificatePal>?certPals)
{
using (SafePkcs7Handle pkcs7 = Interop.Crypto.DecodePkcs7(rawData))
{
if (pkcs7.IsInvalid)
{
certPal = null;
certPals = null;
Interop.Crypto.ErrClearError();
return(false);
}
return(TryReadPkcs7(pkcs7, single, out certPal, out certPals));
}
}
private static bool TryReadPkcs7Pem(
SafeBioHandle bio,
bool single,
out ICertificatePal?certPal,
[NotNullWhen(true)] out List <ICertificatePal>?certPals)
{
using (SafePkcs7Handle pkcs7 = Interop.Crypto.PemReadBioPkcs7(bio))
{
if (pkcs7.IsInvalid)
{
certPal = null;
certPals = null;
Interop.Crypto.ErrClearError();
return(false);
}
return(TryReadPkcs7(pkcs7, single, out certPal, out certPals));
}
}
private byte[] ExportPkcs7()
{
using (SafePkcs7Handle pkcs7 = Interop.Crypto.Pkcs7CreateSigned())
{
Interop.Crypto.CheckValidOpenSslHandle(pkcs7);
foreach (X509Certificate2 cert in _certs)
{
if (!Interop.Crypto.Pkcs7AddCertificate(pkcs7, cert.Handle))
{
throw Interop.Crypto.CreateOpenSslCryptographicException();
}
}
return(Interop.Crypto.OpenSslEncode(
handle => Interop.Crypto.GetPkcs7DerSize(handle),
(handle, buf) => Interop.Crypto.EncodePkcs7(handle, buf),
pkcs7));
}
}
internal static SafeSharedX509StackHandle GetPkcs7Certificates(SafePkcs7Handle p7)
{
if (p7 == null || p7.IsInvalid)
{
return(SafeSharedX509StackHandle.InvalidHandle);
}
SafeSharedX509StackHandle certs;
int result = GetPkcs7Certificates(p7, out certs);
if (result != 1)
{
throw Interop.Crypto.CreateOpenSslCryptographicException();
}
// Track the parent relationship for the interior pointer so lifetime is well-managed.
certs.SetParent(p7);
return(certs);
}
private static bool TryReadPkcs7Der(
SafeBioHandle bio,
bool single,
out ICertificatePal certPal,
out List <ICertificatePal> certPals)
{
SafePkcs7Handle pkcs7 = Interop.libcrypto.d2i_PKCS7_bio(bio, IntPtr.Zero);
if (pkcs7.IsInvalid)
{
certPal = null;
certPals = null;
return(false);
}
using (pkcs7)
{
return(TryReadPkcs7(pkcs7, single, out certPal, out certPals));
}
}
private static bool TryReadPkcs7(
SafePkcs7Handle pkcs7,
bool single,
out ICertificatePal?certPal,
[NotNullWhen(true)] out List <ICertificatePal> certPals)
{
List <ICertificatePal>?readPals = single ? null : new List <ICertificatePal>();
using (SafeSharedX509StackHandle certs = Interop.Crypto.GetPkcs7Certificates(pkcs7))
{
int count = Interop.Crypto.GetX509StackFieldCount(certs);
if (single)
{
// In single mode for a PKCS#7 signed or signed-and-enveloped file we're supposed to return
// the certificate which signed the PKCS#7 file.
//
// X509Certificate2Collection::Export(X509ContentType.Pkcs7) claims to be a signed PKCS#7,
// but doesn't emit a signature block. So this is hard to test.
//
// TODO(2910): Figure out how to extract the signing certificate, when it's present.
throw new CryptographicException(SR.Cryptography_X509_PKCS7_NoSigner);
}
Debug.Assert(readPals != null); // null if single == true
for (int i = 0; i < count; i++)
{
// Use FromHandle to duplicate the handle since it would otherwise be freed when the PKCS7
// is Disposed.
IntPtr certHandle = Interop.Crypto.GetX509StackField(certs, i);
ICertificatePal pal = CertificatePal.FromHandle(certHandle);
readPals.Add(pal);
}
}
certPal = null;
certPals = readPals;
return(true);
}
protected override byte[] ExportPkcs7()
{
// Pack all of the certificates into a new PKCS7*, export it to a byte[],
// then free the PKCS7*, since we don't need it any more.
using (SafeX509StackHandle certs = Interop.Crypto.NewX509Stack())
{
foreach (X509Certificate2 cert in _certs !)
{
PushHandle(cert.Handle, certs);
GC.KeepAlive(cert); // ensure cert's safe handle isn't finalized while raw handle is in use
}
using (SafePkcs7Handle pkcs7 = Interop.Crypto.Pkcs7CreateCertificateCollection(certs))
{
Interop.Crypto.CheckValidOpenSslHandle(pkcs7);
return(Interop.Crypto.OpenSslEncode(
Interop.Crypto.GetPkcs7DerSize,
Interop.Crypto.EncodePkcs7,
pkcs7));
}
}
}
internal static bool IsPkcs7(byte[] rawData)
{
using (SafePkcs7Handle pkcs7 = Interop.Crypto.DecodePkcs7(rawData, rawData.Length))
{
if (!pkcs7.IsInvalid)
{
return(true);
}
}
using (SafeBioHandle bio = Interop.Crypto.CreateMemoryBio())
{
Interop.Crypto.CheckValidOpenSslHandle(bio);
Interop.Crypto.BioWrite(bio, rawData, rawData.Length);
using (SafePkcs7Handle pkcs7 = Interop.Crypto.PemReadBioPkcs7(bio))
{
return(!pkcs7.IsInvalid);
}
}
}
private static unsafe bool TryReadPkcs7Der(
byte[] rawData,
bool single,
out ICertificatePal certPal,
out List <ICertificatePal> certPals)
{
SafePkcs7Handle pkcs7 = Interop.libcrypto.OpenSslD2I(
(ptr, b, i) => Interop.libcrypto.d2i_PKCS7(ptr, b, i),
rawData,
checkHandle: false);
if (pkcs7.IsInvalid)
{
certPal = null;
certPals = null;
return(false);
}
using (pkcs7)
{
return(TryReadPkcs7(pkcs7, single, out certPal, out certPals));
}
}
internal static partial int GetPkcs7DerSize(SafePkcs7Handle p7);
internal static partial int EncodePkcs7(SafePkcs7Handle p7, byte[] buf);
private static extern int GetPkcs7Certificates(SafePkcs7Handle p7, out SafeSharedX509StackHandle certs);
internal static extern bool Pkcs7AddCertificate(SafePkcs7Handle p7, IntPtr x509);
internal static extern int GetPkcs7DerSize(SafePkcs7Handle p7);
internal static extern int EncodePkcs7(SafePkcs7Handle p7, byte[] buf);
