//
// Returns:
// For the input type == X509Certificate2 cert the same ref
// For an older cert format clones it as X509Certificate2 and returns result
// For a derived type clones it as X509Certificate2 and returns result
//
static X509Certificate2 MakeEx(X509Certificate certificate)
{
if (certificate.GetType() == typeof(X509Certificate2))
return (X509Certificate2)certificate;
X509Certificate2 certificateEx = null;
try {
if (certificate.Handle!=IntPtr.Zero) {
certificateEx = new X509Certificate2(certificate);
}
}
catch (SecurityException) {
}
catch (CryptographicException) {
}
return certificateEx;
}
private static X509Certificate2 MakeEx(X509Certificate certificate)
{
Debug.Assert(certificate != null, "certificate != null");
if (certificate.GetType() == typeof(X509Certificate2))
{
return (X509Certificate2)certificate;
}
X509Certificate2 certificateEx = null;
try
{
if (certificate.Handle != IntPtr.Zero)
{
certificateEx = new X509Certificate2(certificate.Handle);
}
}
catch (SecurityException) { }
catch (CryptographicException) { }
return certificateEx;
}
//
// SECURITY: we open a private key container on behalf of the caller
// and we require the caller to have permission associated with that operation.
// After discussing with X509Certificate2 owners decided to demand KeyContainerPermission (Open)
// At the same time we assert StorePermission on the caller frame since for consistency
// we cannot predict when it will be demanded (SSL session reuse feature)
//
X509Certificate2 EnsurePrivateKey(X509Certificate certificate)
{
if (certificate == null)
return null;
if (Logging.On) Logging.PrintInfo(Logging.Web, this, SR.GetString(SR.net_log_locating_private_key_for_certificate, certificate.ToString(true)));
try {
X509Certificate2 certEx = certificate as X509Certificate2;
Type t = certificate.GetType();
string certHash = null;
// Protecting from X509Certificate2 derived classes
if (t != typeof(X509Certificate2) && t != typeof(X509Certificate))
{
if (certificate.Handle != IntPtr.Zero)
{
certEx = new X509Certificate2(certificate);
certHash = certEx.GetCertHashString();
}
}
else
{
certHash = certificate.GetCertHashString();
}
if (certEx != null)
{
if (certEx.HasPrivateKey)
{
if (Logging.On) Logging.PrintInfo(Logging.Web, this, SR.GetString(SR.net_log_cert_is_of_type_2));
return certEx;
}
if ((object)certificate != (object) certEx)
certEx.Reset();
}
//
// The certificate doesn't have a private key, so we need
// to open the store and search for it there. Demand the
// KeyContainerPermission with Open access before opening
// the store. If store.Open() or store.Cert.Find()
// demand the same permissions, then we should remove our
// demand here.
//
#if FEATURE_MONO_CAS
ExceptionHelper.KeyContainerPermissionOpen.Demand();
#endif
X509Certificate2Collection collectionEx;
// ELSE Try MY user and machine stores for private key check
// For server side mode MY machine store takes priority
X509Store store = EnsureStoreOpened(m_ServerMode);
if (store != null)
{
collectionEx = store.Certificates.Find(X509FindType.FindByThumbprint, certHash, false);
if (collectionEx.Count > 0 && collectionEx[0].HasPrivateKey)
{
if (Logging.On) Logging.PrintInfo(Logging.Web, this, SR.GetString(SR.net_log_found_cert_in_store, (m_ServerMode ? "LocalMachine" : "CurrentUser")));
return collectionEx[0];
}
}
store = EnsureStoreOpened(!m_ServerMode);
if (store != null)
{
collectionEx = store.Certificates.Find(X509FindType.FindByThumbprint, certHash, false);
if (collectionEx.Count > 0 && collectionEx[0].HasPrivateKey)
{
if (Logging.On) Logging.PrintInfo(Logging.Web, this, SR.GetString(SR.net_log_found_cert_in_store, (m_ServerMode ? "CurrentUser" : "LocalMachine")));
return collectionEx[0];
}
}
}
catch (CryptographicException) {
}
if (Logging.On) Logging.PrintInfo(Logging.Web, this, SR.GetString(SR.net_log_did_not_find_cert_in_store));
return null;
}
private X509Certificate2 EnsurePrivateKey(X509Certificate certificate)
{
if (certificate != null)
{
if (Logging.On)
{
Logging.PrintInfo(Logging.Web, this, SR.GetString("net_log_locating_private_key_for_certificate", new object[] { certificate.ToString(true) }));
}
try
{
X509Certificate2Collection certificates;
X509Certificate2 certificate2 = certificate as X509Certificate2;
Type type = certificate.GetType();
string findValue = null;
if ((type != typeof(X509Certificate2)) && (type != typeof(X509Certificate)))
{
if (certificate.Handle != IntPtr.Zero)
{
certificate2 = new X509Certificate2(certificate);
findValue = certificate2.GetCertHashString();
}
}
else
{
findValue = certificate.GetCertHashString();
}
if (certificate2 != null)
{
if (certificate2.HasPrivateKey)
{
if (Logging.On)
{
Logging.PrintInfo(Logging.Web, this, SR.GetString("net_log_cert_is_of_type_2"));
}
return certificate2;
}
if (certificate != certificate2)
{
certificate2.Reset();
}
}
ExceptionHelper.KeyContainerPermissionOpen.Demand();
X509Store store = EnsureStoreOpened(this.m_ServerMode);
if (store != null)
{
certificates = store.Certificates.Find(X509FindType.FindByThumbprint, findValue, false);
if ((certificates.Count > 0) && (certificates[0].PrivateKey != null))
{
if (Logging.On)
{
Logging.PrintInfo(Logging.Web, this, SR.GetString("net_log_found_cert_in_store", new object[] { this.m_ServerMode ? "LocalMachine" : "CurrentUser" }));
}
return certificates[0];
}
}
store = EnsureStoreOpened(!this.m_ServerMode);
if (store != null)
{
certificates = store.Certificates.Find(X509FindType.FindByThumbprint, findValue, false);
if ((certificates.Count > 0) && (certificates[0].PrivateKey != null))
{
if (Logging.On)
{
Logging.PrintInfo(Logging.Web, this, SR.GetString("net_log_found_cert_in_store", new object[] { this.m_ServerMode ? "CurrentUser" : "LocalMachine" }));
}
return certificates[0];
}
}
}
catch (CryptographicException)
{
}
if (Logging.On)
{
Logging.PrintInfo(Logging.Web, this, SR.GetString("net_log_did_not_find_cert_in_store"));
}
}
return null;
}
