//
// virtual methods
//
protected virtual AsymmetricAlgorithm GetPublicKey()
{
if (KeyInfo == null)
{
throw new CryptographicException(SR.Cryptography_Xml_KeyInfoRequired);
}
if (_x509Enum != null)
{
AsymmetricAlgorithm key = GetNextCertificatePublicKey();
if (key != null)
{
return(key);
}
}
if (_keyInfoEnum == null)
{
_keyInfoEnum = KeyInfo.GetEnumerator();
}
// In our implementation, we move to the next KeyInfo clause which is an RSAKeyValue, DSAKeyValue or KeyInfoX509Data
while (_keyInfoEnum.MoveNext())
{
RSAKeyValue rsaKeyValue = _keyInfoEnum.Current as RSAKeyValue;
if (rsaKeyValue != null)
{
return(rsaKeyValue.Key);
}
DSAKeyValue dsaKeyValue = _keyInfoEnum.Current as DSAKeyValue;
if (dsaKeyValue != null)
{
return(dsaKeyValue.Key);
}
KeyInfoX509Data x509Data = _keyInfoEnum.Current as KeyInfoX509Data;
if (x509Data != null)
{
_x509Collection = Utils.BuildBagOfCerts(x509Data, CertUsageType.Verification);
if (_x509Collection.Count > 0)
{
_x509Enum = _x509Collection.GetEnumerator();
AsymmetricAlgorithm key = GetNextCertificatePublicKey();
if (key != null)
{
return(key);
}
}
}
}
return(null);
}
private X509Certificate2Collection BuildBagOfCerts()
{
X509Certificate2Collection collection = new X509Certificate2Collection();
if (KeyInfo != null)
{
foreach (KeyInfoClause clause in KeyInfo)
{
KeyInfoX509Data x509Data = clause as KeyInfoX509Data;
if (x509Data != null)
{
collection.AddRange(Utils.BuildBagOfCerts(x509Data, CertUsageType.Verification));
}
}
}
return(collection);
}
// Try to decrypt the EncryptedKey given the key mapping
public virtual byte[] DecryptEncryptedKey(EncryptedKey encryptedKey)
{
if (encryptedKey == null)
{
throw new ArgumentNullException("encryptedKey");
}
if (encryptedKey.KeyInfo == null)
{
return(null);
}
IEnumerator keyInfoEnum = encryptedKey.KeyInfo.GetEnumerator();
KeyInfoName kiName;
KeyInfoX509Data kiX509Data;
KeyInfoRetrievalMethod kiRetrievalMethod;
KeyInfoEncryptedKey kiEncKey;
EncryptedKey ek = null;
bool fOAEP = false;
while (keyInfoEnum.MoveNext())
{
kiName = keyInfoEnum.Current as KeyInfoName;
if (kiName != null)
{
// Get the decryption key from the key mapping
string keyName = kiName.Value;
Object kek = m_keyNameMapping[keyName];
if (kek != null)
{
if (!Utils.GetLeaveCipherValueUnchecked() && (encryptedKey.CipherData == null || encryptedKey.CipherData.CipherValue == null))
{
throw new CryptographicException(SecurityResources.GetResourceString("Cryptography_Xml_MissingAlgorithm"));
}
// kek is either a SymmetricAlgorithm or an RSA key, otherwise, we wouldn't be able to insert it in the hash table
if (kek is SymmetricAlgorithm)
{
return(EncryptedXml.DecryptKey(encryptedKey.CipherData.CipherValue, (SymmetricAlgorithm)kek));
}
// kek is an RSA key: get fOAEP from the algorithm, default to false
fOAEP = (encryptedKey.EncryptionMethod != null && encryptedKey.EncryptionMethod.KeyAlgorithm == EncryptedXml.XmlEncRSAOAEPUrl);
return(EncryptedXml.DecryptKey(encryptedKey.CipherData.CipherValue, (RSA)kek, fOAEP));
}
break;
}
kiX509Data = keyInfoEnum.Current as KeyInfoX509Data;
if (kiX509Data != null)
{
X509Certificate2Collection collection = Utils.BuildBagOfCerts(kiX509Data, CertUsageType.Decryption);
foreach (X509Certificate2 certificate in collection)
{
using (RSA privateKey = certificate.GetRSAPrivateKey()) {
if (privateKey != null)
{
if (!Utils.GetLeaveCipherValueUnchecked() && (encryptedKey.CipherData == null || encryptedKey.CipherData.CipherValue == null))
{
throw new CryptographicException(SecurityResources.GetResourceString("Cryptography_Xml_MissingAlgorithm"));
}
fOAEP = (encryptedKey.EncryptionMethod != null && encryptedKey.EncryptionMethod.KeyAlgorithm == EncryptedXml.XmlEncRSAOAEPUrl);
return(EncryptedXml.DecryptKey(encryptedKey.CipherData.CipherValue, privateKey, fOAEP));
}
}
}
break;
}
kiRetrievalMethod = keyInfoEnum.Current as KeyInfoRetrievalMethod;
if (kiRetrievalMethod != null)
{
string idref = Utils.ExtractIdFromLocalUri(kiRetrievalMethod.Uri);
ek = new EncryptedKey();
ek.LoadXml(GetIdElement(m_document, idref));
try {
//Following checks if XML dsig processing is in loop and within the limit defined by machine
// admin or developer. Once the recursion depth crosses the defined limit it will throw exception.
m_xmlDsigSearchDepthCounter++;
if (IsOverXmlDsigRecursionLimit())
{
//Throw exception once recursion limit is hit.
throw new CryptoSignedXmlRecursionException();
}
else
{
return(DecryptEncryptedKey(ek));
}
}
finally {
m_xmlDsigSearchDepthCounter--;
}
}
kiEncKey = keyInfoEnum.Current as KeyInfoEncryptedKey;
if (kiEncKey != null)
{
ek = kiEncKey.EncryptedKey;
// recursively process EncryptedKey elements
byte[] encryptionKey = DecryptEncryptedKey(ek);
if (encryptionKey != null)
{
// this is a symmetric algorithm for sure
SymmetricAlgorithm symAlg = Utils.CreateFromName <SymmetricAlgorithm>(encryptedKey.EncryptionMethod.KeyAlgorithm);
if (symAlg == null)
{
throw new CryptographicException(SecurityResources.GetResourceString("Cryptography_Xml_MissingAlgorithm"));
}
symAlg.Key = encryptionKey;
if (!Utils.GetLeaveCipherValueUnchecked() && (encryptedKey.CipherData == null || encryptedKey.CipherData.CipherValue == null))
{
throw new CryptographicException(SecurityResources.GetResourceString("Cryptography_Xml_MissingAlgorithm"));
}
return(EncryptedXml.DecryptKey(encryptedKey.CipherData.CipherValue, symAlg));
}
}
}
return(null);
}
// Try to decrypt the EncryptedKey given the key mapping
public virtual byte[] DecryptEncryptedKey(EncryptedKey encryptedKey)
{
if (encryptedKey == null)
{
throw new ArgumentNullException("encryptedKey");
}
if (encryptedKey.KeyInfo == null)
{
return(null);
}
IEnumerator keyInfoEnum = encryptedKey.KeyInfo.GetEnumerator();
KeyInfoName kiName;
KeyInfoX509Data kiX509Data;
KeyInfoRetrievalMethod kiRetrievalMethod;
KeyInfoEncryptedKey kiEncKey;
EncryptedKey ek = null;
bool fOAEP = false;
while (keyInfoEnum.MoveNext())
{
kiName = keyInfoEnum.Current as KeyInfoName;
if (kiName != null)
{
// Get the decryption key from the key mapping
string keyName = kiName.Value;
Object kek = m_keyNameMapping[keyName];
if (kek != null)
{
// kek is either a SymmetricAlgorithm or an RSA key, otherwise, we wouldn't be able to insert it in the hash table
if (kek is SymmetricAlgorithm)
{
return(EncryptedXml.DecryptKey(encryptedKey.CipherData.CipherValue, (SymmetricAlgorithm)kek));
}
// kek is an RSA key: get fOAEP from the algorithm, default to false
fOAEP = (encryptedKey.EncryptionMethod != null && encryptedKey.EncryptionMethod.KeyAlgorithm == EncryptedXml.XmlEncRSAOAEPUrl);
return(EncryptedXml.DecryptKey(encryptedKey.CipherData.CipherValue, (RSA)kek, fOAEP));
}
break;
}
kiX509Data = keyInfoEnum.Current as KeyInfoX509Data;
if (kiX509Data != null)
{
X509Certificate2Collection collection = Utils.BuildBagOfCerts(kiX509Data, CertUsageType.Decryption);
foreach (X509Certificate2 certificate in collection)
{
RSA privateKey = certificate.PrivateKey as RSA;
if (privateKey != null)
{
fOAEP = (encryptedKey.EncryptionMethod != null && encryptedKey.EncryptionMethod.KeyAlgorithm == EncryptedXml.XmlEncRSAOAEPUrl);
return(EncryptedXml.DecryptKey(encryptedKey.CipherData.CipherValue, privateKey, fOAEP));
}
}
break;
}
kiRetrievalMethod = keyInfoEnum.Current as KeyInfoRetrievalMethod;
if (kiRetrievalMethod != null)
{
string idref = Utils.ExtractIdFromLocalUri(kiRetrievalMethod.Uri);
ek = new EncryptedKey();
ek.LoadXml(GetIdElement(m_document, idref));
return(DecryptEncryptedKey(ek));
}
kiEncKey = keyInfoEnum.Current as KeyInfoEncryptedKey;
if (kiEncKey != null)
{
ek = kiEncKey.EncryptedKey;
// recursively process EncryptedKey elements
byte[] encryptionKey = DecryptEncryptedKey(ek);
if (encryptionKey != null)
{
// this is a symmetric algorithm for sure
SymmetricAlgorithm symAlg = (SymmetricAlgorithm)CryptoConfig.CreateFromName(encryptedKey.EncryptionMethod.KeyAlgorithm);
symAlg.Key = encryptionKey;
return(EncryptedXml.DecryptKey(encryptedKey.CipherData.CipherValue, symAlg));
}
}
}
return(null);
}
