public X509ContentType GetCertContentType(byte[] rawData)
{
{
ICertificatePal certPal;
if (OpenSslX509CertificateReader.TryReadX509Der(rawData, out certPal) ||
OpenSslX509CertificateReader.TryReadX509Pem(rawData, out certPal))
{
certPal.Dispose();
return(X509ContentType.Cert);
}
}
if (PkcsFormatReader.IsPkcs7(rawData))
{
return(X509ContentType.Pkcs7);
}
{
OpenSslPkcs12Reader pfx;
if (OpenSslPkcs12Reader.TryRead(rawData, out pfx))
{
pfx.Dispose();
return(X509ContentType.Pkcs12);
}
}
// Unsupported format.
// Windows throws new CryptographicException(CRYPT_E_NO_MATCH)
throw new CryptographicException();
}
private static bool TryRead(byte[] data, out OpenSslPkcs12Reader pkcs12Reader, out Exception openSslException, bool captureException)
{
SafePkcs12Handle handle = Interop.Crypto.DecodePkcs12(data, data.Length);
openSslException = null;
if (!handle.IsInvalid)
{
pkcs12Reader = new OpenSslPkcs12Reader(handle);
return(true);
}
handle.Dispose();
pkcs12Reader = null;
if (captureException)
{
openSslException = Interop.Crypto.CreateOpenSslCryptographicException();
}
else
{
Interop.Crypto.ErrClearError();
}
return(false);
}
private static bool TryRead(SafeBioHandle fileBio, out OpenSslPkcs12Reader pkcs12Reader, out Exception openSslException, bool captureException)
{
SafePkcs12Handle p12 = Interop.Crypto.DecodePkcs12FromBio(fileBio);
openSslException = null;
if (!p12.IsInvalid)
{
pkcs12Reader = new OpenSslPkcs12Reader(p12);
return(true);
}
p12.Dispose();
pkcs12Reader = null;
if (captureException)
{
openSslException = Interop.Crypto.CreateOpenSslCryptographicException();
}
else
{
Interop.Crypto.ErrClearError();
}
return(false);
}
private static IStorePal PfxToCollection(OpenSslPkcs12Reader pfx, string password)
{
pfx.Decrypt(password);
X509Certificate2Collection coll = new X509Certificate2Collection();
foreach (OpenSslX509CertificateReader certPal in pfx.ReadCertificates())
{
coll.Add(new X509Certificate2(certPal));
}
return(new OpenSslX509StoreProvider(coll));
}
public static bool TryRead(byte[] data, out OpenSslPkcs12Reader pkcs12Reader)
{
SafePkcs12Handle handle = Interop.Crypto.DecodePkcs12(data, data.Length);
if (!handle.IsInvalid)
{
pkcs12Reader = new OpenSslPkcs12Reader(handle);
return true;
}
pkcs12Reader = null;
return false;
}
public static bool TryRead(SafeBioHandle fileBio, out OpenSslPkcs12Reader pkcs12Reader)
{
SafePkcs12Handle p12 = Interop.libcrypto.d2i_PKCS12_bio(fileBio, IntPtr.Zero);
if (!p12.IsInvalid)
{
pkcs12Reader = new OpenSslPkcs12Reader(p12);
return true;
}
pkcs12Reader = null;
return false;
}
public static bool TryRead(SafeBioHandle fileBio, out OpenSslPkcs12Reader pkcs12Reader)
{
SafePkcs12Handle p12 = Interop.Crypto.DecodePkcs12FromBio(fileBio);
if (!p12.IsInvalid)
{
pkcs12Reader = new OpenSslPkcs12Reader(p12);
return(true);
}
pkcs12Reader = null;
return(false);
}
public static bool TryRead(byte[] data, out OpenSslPkcs12Reader pkcs12Reader)
{
SafePkcs12Handle handle = Interop.Crypto.DecodePkcs12(data, data.Length);
if (!handle.IsInvalid)
{
pkcs12Reader = new OpenSslPkcs12Reader(handle);
return(true);
}
pkcs12Reader = null;
return(false);
}
public static bool TryRead(SafeBioHandle fileBio, out OpenSslPkcs12Reader pkcs12Reader)
{
SafePkcs12Handle p12 = Interop.Crypto.DecodePkcs12FromBio(fileBio);
if (!p12.IsInvalid)
{
pkcs12Reader = new OpenSslPkcs12Reader(p12);
return true;
}
pkcs12Reader = null;
return false;
}
public static bool TryRead(SafeBioHandle fileBio, out OpenSslPkcs12Reader pkcs12Reader)
{
SafePkcs12Handle p12 = Interop.libcrypto.d2i_PKCS12_bio(fileBio, IntPtr.Zero);
if (!p12.IsInvalid)
{
pkcs12Reader = new OpenSslPkcs12Reader(p12);
return(true);
}
pkcs12Reader = null;
return(false);
}
public static IStorePal FromBlob(byte[] rawData, string password, X509KeyStorageFlags keyStorageFlags)
{
OpenSslPkcs12Reader pfx;
if (OpenSslPkcs12Reader.TryRead(rawData, out pfx))
{
using (pfx)
{
return(PfxToCollection(pfx, password));
}
}
return(null);
}
private static bool TryReadPkcs12(
OpenSslPkcs12Reader pfx,
string password,
bool single,
out ICertificatePal readPal,
out List <ICertificatePal> readCerts)
{
pfx.Decrypt(password);
ICertificatePal first = null;
List <ICertificatePal> certs = null;
if (!single)
{
certs = new List <ICertificatePal>();
}
foreach (OpenSslX509CertificateReader certPal in pfx.ReadCertificates())
{
if (single)
{
// When requesting an X509Certificate2 from a PFX only the first entry is
// returned. Other entries should be disposed.
if (first == null)
{
first = certPal;
}
else if (certPal.HasPrivateKey && !first.HasPrivateKey)
{
first.Dispose();
first = certPal;
}
else
{
certPal.Dispose();
}
}
else
{
certs.Add(certPal);
}
}
readPal = first;
readCerts = certs;
return(true);
}
public unsafe static bool TryRead(byte[] data, out OpenSslPkcs12Reader pkcs12Reader)
{
SafePkcs12Handle handle = Interop.libcrypto.OpenSslD2I(
(ptr, b, i) => Interop.libcrypto.d2i_PKCS12(ptr, b, i),
data,
checkHandle: false);
if (!handle.IsInvalid)
{
pkcs12Reader = new OpenSslPkcs12Reader(handle);
return(true);
}
pkcs12Reader = null;
return(false);
}
public unsafe static bool TryRead(byte[] data, out OpenSslPkcs12Reader pkcs12Reader)
{
SafePkcs12Handle handle = Interop.libcrypto.OpenSslD2I(
(ptr, b, i) => Interop.libcrypto.d2i_PKCS12(ptr, b, i),
data,
checkHandle: false);
if (!handle.IsInvalid)
{
pkcs12Reader = new OpenSslPkcs12Reader(handle);
return true;
}
pkcs12Reader = null;
return false;
}
public static IStorePal FromFile(string fileName, string password, X509KeyStorageFlags keyStorageFlags)
{
using (SafeBioHandle fileBio = Interop.libcrypto.BIO_new_file(fileName, "rb"))
{
Interop.libcrypto.CheckValidOpenSslHandle(fileBio);
OpenSslPkcs12Reader pfx;
if (OpenSslPkcs12Reader.TryRead(fileBio, out pfx))
{
using (pfx)
{
return(PfxToCollection(pfx, password));
}
}
}
return(null);
}
private static bool TryReadPkcs12(
OpenSslPkcs12Reader pfx,
SafePasswordHandle password,
bool single,
bool ephemeralSpecified,
out ICertificatePal?readPal,
out List <ICertificatePal>?readCerts)
{
pfx.Decrypt(password, ephemeralSpecified);
if (single)
{
UnixPkcs12Reader.CertAndKey certAndKey = pfx.GetSingleCert();
OpenSslX509CertificateReader pal = (OpenSslX509CertificateReader)certAndKey.Cert !;
if (certAndKey.Key != null)
{
pal.SetPrivateKey(OpenSslPkcs12Reader.GetPrivateKey(certAndKey.Key));
}
readPal = pal;
readCerts = null;
return(true);
}
readPal = null;
List <ICertificatePal> certs = new List <ICertificatePal>(pfx.GetCertCount());
foreach (UnixPkcs12Reader.CertAndKey certAndKey in pfx.EnumerateAll())
{
OpenSslX509CertificateReader pal = (OpenSslX509CertificateReader)certAndKey.Cert !;
if (certAndKey.Key != null)
{
pal.SetPrivateKey(OpenSslPkcs12Reader.GetPrivateKey(certAndKey.Key));
}
certs.Add(pal);
}
readCerts = certs;
return(true);
}
private static bool TryReadPkcs12(
byte[] rawData,
SafePasswordHandle password,
bool single,
out ICertificatePal readPal,
out List <ICertificatePal> readCerts)
{
// DER-PKCS12
OpenSslPkcs12Reader pfx;
if (!OpenSslPkcs12Reader.TryRead(rawData, out pfx))
{
readPal = null;
readCerts = null;
return(false);
}
using (pfx)
{
return(TryReadPkcs12(pfx, password, single, out readPal, out readCerts));
}
}
private static bool TryReadPkcs12(
SafeBioHandle bio,
string password,
bool single,
out ICertificatePal readPal,
out List <ICertificatePal> readCerts)
{
// DER-PKCS12
OpenSslPkcs12Reader pfx;
if (!OpenSslPkcs12Reader.TryRead(bio, out pfx))
{
readPal = null;
readCerts = null;
return(false);
}
using (pfx)
{
return(TryReadPkcs12(pfx, password, single, out readPal, out readCerts));
}
}
private static bool TryReadPkcs12(
ReadOnlySpan <byte> rawData,
SafePasswordHandle password,
bool single,
out ICertificatePal?readPal,
out List <ICertificatePal>?readCerts,
out Exception?openSslException)
{
// DER-PKCS12
OpenSslPkcs12Reader?pfx;
if (!OpenSslPkcs12Reader.TryRead(rawData, out pfx, out openSslException))
{
readPal = null;
readCerts = null;
return(false);
}
using (pfx)
{
return(TryReadPkcs12(pfx, password, single, out readPal, out readCerts));
}
}
private static bool TryRead(
byte[] data,
out OpenSslPkcs12Reader pkcs12Reader,
out Exception openSslException,
bool captureException)
{
openSslException = null;
try
{
pkcs12Reader = new OpenSslPkcs12Reader(data);
return(true);
}
catch (CryptographicException e)
{
if (captureException)
{
openSslException = e;
}
pkcs12Reader = null;
return(false);
}
}
public static bool TryRead(byte[] data, out OpenSslPkcs12Reader pkcs12Reader) => TryRead(data, out pkcs12Reader, out _, captureException: false);
public X509ContentType GetCertContentType(string fileName)
{
// If we can't open the file, fail right away.
using (SafeBioHandle fileBio = Interop.Crypto.BioNewFile(fileName, "rb"))
{
Interop.Crypto.CheckValidOpenSslHandle(fileBio);
int bioPosition = Interop.Crypto.BioTell(fileBio);
Debug.Assert(bioPosition >= 0);
// X509ContentType.Cert
{
ICertificatePal certPal;
if (OpenSslX509CertificateReader.TryReadX509Der(fileBio, out certPal))
{
certPal.Dispose();
return(X509ContentType.Cert);
}
OpenSslX509CertificateReader.RewindBio(fileBio, bioPosition);
if (OpenSslX509CertificateReader.TryReadX509Pem(fileBio, out certPal))
{
certPal.Dispose();
return(X509ContentType.Cert);
}
OpenSslX509CertificateReader.RewindBio(fileBio, bioPosition);
}
// X509ContentType.Pkcs7
{
if (PkcsFormatReader.IsPkcs7Der(fileBio))
{
return(X509ContentType.Pkcs7);
}
OpenSslX509CertificateReader.RewindBio(fileBio, bioPosition);
if (PkcsFormatReader.IsPkcs7Pem(fileBio))
{
return(X509ContentType.Pkcs7);
}
OpenSslX509CertificateReader.RewindBio(fileBio, bioPosition);
}
// X509ContentType.Pkcs12 (aka PFX)
{
OpenSslPkcs12Reader pkcs12Reader;
if (OpenSslPkcs12Reader.TryRead(fileBio, out pkcs12Reader))
{
pkcs12Reader.Dispose();
return(X509ContentType.Pkcs12);
}
OpenSslX509CertificateReader.RewindBio(fileBio, bioPosition);
}
}
// Unsupported format.
// Windows throws new CryptographicException(CRYPT_E_NO_MATCH)
throw new CryptographicException();
}
private static bool TryReadPkcs12(
OpenSslPkcs12Reader pfx,
string password,
bool single,
out ICertificatePal readPal,
out List<ICertificatePal> readCerts)
{
pfx.Decrypt(password);
ICertificatePal first = null;
List<ICertificatePal> certs = null;
if (!single)
{
certs = new List<ICertificatePal>();
}
foreach (OpenSslX509CertificateReader certPal in pfx.ReadCertificates())
{
if (single)
{
// When requesting an X509Certificate2 from a PFX only the first entry is
// returned. Other entries should be disposed.
if (first == null)
{
first = certPal;
}
else if (certPal.HasPrivateKey && !first.HasPrivateKey)
{
first.Dispose();
first = certPal;
}
else
{
certPal.Dispose();
}
}
else
{
certs.Add(certPal);
}
}
readPal = first;
readCerts = certs;
return true;
}
public static bool TryRead(byte[] data, out OpenSslPkcs12Reader pkcs12Reader, out Exception openSslException) => TryRead(data, out pkcs12Reader, out openSslException, captureException: true);
public static bool TryRead(SafeBioHandle fileBio, out OpenSslPkcs12Reader pkcs12Reader) => TryRead(fileBio, out pkcs12Reader, out _, captureException: false);
public static bool TryRead(SafeBioHandle fileBio, out OpenSslPkcs12Reader pkcs12Reader, out Exception openSslException) => TryRead(fileBio, out pkcs12Reader, out openSslException, captureException: true);
public static unsafe ICertificatePal FromBlob(byte[] rawData, string password, X509KeyStorageFlags keyStorageFlags)
{
// If we can see a hyphen, assume it's PEM. Otherwise try DER-X509, then fall back to DER-PKCS12.
SafeX509Handle cert;
// PEM
if (rawData[0] == '-')
{
using (SafeBioHandle bio = Interop.libcrypto.BIO_new(Interop.libcrypto.BIO_s_mem()))
{
Interop.libcrypto.CheckValidOpenSslHandle(bio);
Interop.libcrypto.BIO_write(bio, rawData, rawData.Length);
cert = Interop.libcrypto.PEM_read_bio_X509_AUX(bio, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero);
}
Interop.libcrypto.CheckValidOpenSslHandle(cert);
return(new OpenSslX509CertificateReader(cert));
}
// DER-X509
cert = Interop.libcrypto.OpenSslD2I((ptr, b, i) => Interop.libcrypto.d2i_X509(ptr, b, i), rawData, checkHandle: false);
if (!cert.IsInvalid)
{
return(new OpenSslX509CertificateReader(cert));
}
// DER-PKCS12
OpenSslPkcs12Reader pfx;
if (OpenSslPkcs12Reader.TryRead(rawData, out pfx))
{
using (pfx)
{
pfx.Decrypt(password);
ICertificatePal first = null;
foreach (OpenSslX509CertificateReader certPal in pfx.ReadCertificates())
{
// When requesting an X509Certificate2 from a PFX only the first entry is
// returned. Other entries should be disposed.
if (first == null)
{
first = certPal;
}
else
{
certPal.Dispose();
}
}
if (first == null)
{
throw new CryptographicException();
}
return(first);
}
}
// Unsupported
throw Interop.libcrypto.CreateOpenSslCryptographicException();
}
internal static ICertificatePal FromBio(SafeBioHandle bio, string password)
{
// Try reading the value as: PEM-X509, DER-X509, DER-PKCS12.
int bioPosition = Interop.NativeCrypto.BioTell(bio);
Debug.Assert(bioPosition >= 0);
SafeX509Handle cert = Interop.libcrypto.PEM_read_bio_X509_AUX(bio, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero);
if (cert != null && !cert.IsInvalid)
{
return(new OpenSslX509CertificateReader(cert));
}
// Rewind, try again.
Interop.NativeCrypto.BioSeek(bio, bioPosition);
cert = Interop.NativeCrypto.ReadX509AsDerFromBio(bio);
if (cert != null && !cert.IsInvalid)
{
return(new OpenSslX509CertificateReader(cert));
}
// Rewind, try again.
Interop.NativeCrypto.BioSeek(bio, bioPosition);
OpenSslPkcs12Reader pfx;
if (OpenSslPkcs12Reader.TryRead(bio, out pfx))
{
using (pfx)
{
pfx.Decrypt(password);
ICertificatePal first = null;
foreach (OpenSslX509CertificateReader certPal in pfx.ReadCertificates())
{
// When requesting an X509Certificate2 from a PFX only the first entry is
// returned. Other entries should be disposed.
if (first == null)
{
first = certPal;
}
else
{
certPal.Dispose();
}
}
return(first);
}
}
// Since we aren't going to finish reading, leaving the buffer where it was when we got
// it seems better than leaving it in some arbitrary other position.
//
// But, before seeking back to start, save the Exception representing the last reported
// OpenSSL error in case the last BioSeek would change it.
Exception openSslException = Interop.libcrypto.CreateOpenSslCryptographicException();
Interop.NativeCrypto.BioSeek(bio, bioPosition);
throw openSslException;
}
private static IStorePal PfxToCollection(OpenSslPkcs12Reader pfx, string password)
{
pfx.Decrypt(password);
X509Certificate2Collection coll = new X509Certificate2Collection();
foreach (OpenSslX509CertificateReader certPal in pfx.ReadCertificates())
{
coll.Add(new X509Certificate2(certPal));
}
return new OpenSslX509StoreProvider(coll);
}