public static void BuildWithFactoryReadDirect()
{
using (RSA rsa = RSA.Create())
{
Pkcs12SafeContents contents = new Pkcs12SafeContents();
Pkcs12KeyBag keyBag = contents.AddKeyUnencrypted(rsa);
using (RSA rsa2 = RSA.Create())
{
rsa2.ImportPkcs8PrivateKey(
keyBag.Pkcs8PrivateKey.Span,
out _);
byte[] sig = new byte[rsa.KeySize / 8];
Assert.True(rsa2.TrySignData(
keyBag.Pkcs8PrivateKey.Span,
sig,
HashAlgorithmName.MD5,
RSASignaturePadding.Pkcs1,
out int sigLen));
Assert.Equal(sig.Length, sigLen);
Assert.True(rsa.VerifyData(
keyBag.Pkcs8PrivateKey.Span,
sig,
HashAlgorithmName.MD5,
RSASignaturePadding.Pkcs1));
}
}
}
public static X509Certificate2 CreateCertificateWithPrivateKey(
X509Certificate2 certificate,
AsymmetricAlgorithm privateKey,
string password = null)
{
var builder = new Pkcs12Builder();
var contents = new Pkcs12SafeContents();
contents.AddCertificate(certificate);
contents.AddKeyUnencrypted(privateKey);
builder.AddSafeContentsUnencrypted(contents);
// OpenSSL requires the file to have a mac, without mac this will run on Windows but not on Linux
builder.SealWithMac(password, HashAlgorithmName.SHA256, 1);
var pkcs12bytes = builder.Encode();
if (string.IsNullOrEmpty(password))
{
var certificateOut = new X509Certificate2(pkcs12bytes);
return(certificateOut);
}
else
{
var certificateOut = new X509Certificate2(pkcs12bytes, password);
return(certificateOut);
}
}
public static void AddKeyUnencryptedDisallowedInReadOnly()
{
Pkcs12SafeContents contents = MakeReadonly(new Pkcs12SafeContents());
using (RSA rsa = RSA.Create())
{
Assert.Throws <InvalidOperationException>(() => contents.AddKeyUnencrypted(rsa));
}
}
public static void AddKeyUnencryptedDisallowsNull(bool forReadOnly)
{
Pkcs12SafeContents contents = new Pkcs12SafeContents();
if (forReadOnly)
{
contents = MakeReadonly(contents);
}
AssertExtensions.Throws <ArgumentNullException>(
"key",
() => contents.AddKeyUnencrypted(null));
}
private static X509Certificate2 CreateCertificateWithPrivateKey(X509Certificate2 certificate, AsymmetricAlgorithm privateKey)
{
var builder = new Pkcs12Builder();
var contents = new Pkcs12SafeContents();
contents.AddCertificate(certificate);
contents.AddKeyUnencrypted(privateKey);
builder.AddSafeContentsUnencrypted(contents);
// OpenSSL requires the file to have a mac, without mac this will run on Windows but not on Linux
builder.SealWithMac("temp", HashAlgorithmName.SHA256, 1);
var pkcs12bytes = builder.Encode();
var certificateWithKey = new X509Certificate2(pkcs12bytes, "temp");
return(certificateWithKey);
}
public static void WriteOneCertWithKey_Encrypted_SameSafe()
{
Pkcs12SafeContents contents = new Pkcs12SafeContents();
byte[] rawData;
Pkcs9LocalKeyId localKeyId = new Pkcs9LocalKeyId(new byte[] { 1 });
using (X509Certificate2 cert = Certificates.RSAKeyTransferCapi1.TryGetCertificateWithPrivateKey(true))
using (RSA certKey = cert.GetRSAPrivateKey())
using (RSA exportableKey = certKey.MakeExportable())
{
Pkcs12CertBag certBag = contents.AddCertificate(cert);
certBag.Attributes.Add(localKeyId);
rawData = cert.RawData;
Pkcs12KeyBag keyBag = contents.AddKeyUnencrypted(exportableKey);
keyBag.Attributes.Add(localKeyId);
}
const string password = nameof(WriteOneCertWithKey_Encrypted_SameSafe);
Pkcs12Builder builder = new Pkcs12Builder();
builder.AddSafeContentsEncrypted(
contents,
password,
s_win7Pbe);
builder.SealWithMac(password, HashAlgorithmName.SHA1, 1024);
byte[] pfx = builder.Encode();
ImportedCollection coll =
ImportedCollection.Import(pfx, password, X509KeyStorageFlags.EphemeralKeySet);
using (coll)
{
Assert.Equal(1, coll.Collection.Count);
Assert.Equal(rawData, coll.Collection[0].RawData);
Assert.True(coll.Collection[0].HasPrivateKey, "coll.Collection[0].HasPrivateKey");
}
}
public void OneCertWithOneKey(SingleCertOptions options)
{
bool sameContainer = (options & SingleCertOptions.KeyAndCertInSameContents) != 0;
bool dontShroudKey = (options & SingleCertOptions.UnshroudedKey) != 0;
bool keyContainerLast = (options & SingleCertOptions.KeyContentsLast) != 0;
bool encryptCertSafeContents = (options & SingleCertOptions.PlaintextCertContents) == 0;
bool encryptKeySafeContents = (options & SingleCertOptions.EncryptKeyContents) != 0;
bool skipMac = (options & SingleCertOptions.SkipMac) != 0;
string password = options.ToString();
using (var cert = new X509Certificate2(TestData.PfxData, TestData.PfxDataPassword, s_exportableImportFlags))
using (RSA key = cert.GetRSAPrivateKey())
{
if (dontShroudKey && OperatingSystem.IsWindows())
{
// CNG keys are only encrypted-exportable, so we need to export them encrypted.
// Then we can import it into a new, fully-exportable key. (Sigh.)
byte[] tmpPkcs8 = key.ExportEncryptedPkcs8PrivateKey(password, s_windowsPbe);
key.ImportEncryptedPkcs8PrivateKey(password, tmpPkcs8, out _);
}
Pkcs12Builder builder = new Pkcs12Builder();
Pkcs12SafeContents certContents = new Pkcs12SafeContents();
Pkcs12SafeContents keyContents = sameContainer ? null : new Pkcs12SafeContents();
Pkcs12SafeContents keyEffectiveContents = keyContents ?? certContents;
Pkcs12SafeBag certBag = certContents.AddCertificate(cert);
Pkcs12SafeBag keyBag;
if (dontShroudKey)
{
keyBag = keyEffectiveContents.AddKeyUnencrypted(key);
}
else
{
keyBag = keyEffectiveContents.AddShroudedKey(key, password, s_windowsPbe);
}
certBag.Attributes.Add(s_keyIdOne);
keyBag.Attributes.Add(s_keyIdOne);
if (sameContainer)
{
AddContents(certContents, builder, password, encryptCertSafeContents);
}
else if (keyContainerLast)
{
AddContents(certContents, builder, password, encryptCertSafeContents);
AddContents(keyContents, builder, password, encryptKeySafeContents);
}
else
{
AddContents(keyContents, builder, password, encryptKeySafeContents);
AddContents(certContents, builder, password, encryptCertSafeContents);
}
if (skipMac)
{
builder.SealWithoutIntegrity();
}
else
{
builder.SealWithMac(password, s_digestAlgorithm, MacCount);
}
ReadPfx(builder.Encode(), password, cert);
}
}