/// <summary>
/// Windows (CAPI/CNG-backed) recipient-side CMS decryption: resolves the private key behind
/// <paramref name="cert"/>, hands it to the native HCRYPTMSG to unwrap the content-encryption key
/// for <paramref name="recipientInfo"/>, and returns the decrypted content.
/// </summary>
/// <param name="recipientInfo">The recipient entry to decrypt; must be KeyTransport or KeyAgreement.</param>
/// <param name="cert">Certificate whose private key is used for the unwrap.</param>
/// <param name="originatorCerts">Originator certificates; only consulted on the key-agreement path.</param>
/// <param name="extraStore">Additional certificates; only consulted on the key-agreement path.</param>
/// <param name="exception">The failure reason when the result is null; null on success.</param>
/// <returns>The decrypted content, or null with <paramref name="exception"/> populated.</returns>
/// <remarks>
/// Failures are reported through <paramref name="exception"/>, not thrown; the only throw is the
/// internal-bug case of an unrecognized recipient type.
/// NOTE(review): the returned ContentInfo carries the plaintext in managed memory that is not
/// scrubbed here — the caller owns its lifetime.
/// </remarks>
public sealed override ContentInfo TryDecrypt(RecipientInfo recipientInfo, X509Certificate2 cert, X509Certificate2Collection originatorCerts, X509Certificate2Collection extraStore, out Exception exception)
{
    Debug.Assert(recipientInfo != null);
    Debug.Assert(cert != null);
    Debug.Assert(originatorCerts != null);
    Debug.Assert(extraStore != null);

    CryptKeySpec keySpec;
    exception = TryGetKeySpecForCertificate(cert, out keySpec);
    if (exception != null)
    {
        return null;
    }

    // Desktop compat: silent == false permits the CSP/KSP to show UI (e.g. a smart-card PIN
    // prompt) while the key is acquired. NOTE(review): in an unattended host such a prompt can
    // block indefinitely — nothing here bounds it; confirm callers only reach this where UI is
    // acceptable.
    const bool Silent = false;

    // CRYPT_ACQUIRE_ALLOW_NCRYPT_KEY_FLAG rather than CRYPT_ACQUIRE_PREFER_NCRYPT_KEY_FLAG:
    // forcing an NCrypt wrapper over CAPI keys breaks some legacy features (RC4 among them).
    // NOTE(review): the flip side is that RC4-protected content stays decryptable through this
    // path — confirm that legacy reach is intended for the deployment.
    const bool PreferNCrypt = false;

    using (SafeProvOrNCryptKeyHandle privateKeyHandle = PkcsPalWindows.GetCertificatePrivateKey(cert, Silent, PreferNCrypt, out _, out exception))
    {
        if (privateKeyHandle == null)
        {
            return null;
        }

        RecipientInfoType type = recipientInfo.Type;
        if (type == RecipientInfoType.KeyTransport)
        {
            exception = TryDecryptTrans((KeyTransRecipientInfo)recipientInfo, privateKeyHandle, keySpec);
        }
        else if (type == RecipientInfoType.KeyAgreement)
        {
            // NOTE(review): how the originator's public key is located and whether it is
            // chain-validated is decided inside TryDecryptAgree, not here.
            exception = TryDecryptAgree((KeyAgreeRecipientInfo)recipientInfo, privateKeyHandle, keySpec, originatorCerts, extraStore);
        }
        else
        {
            // Only this assembly constructs RecipientInfo, so an unknown type is our own bug:
            // fail loudly instead of reporting it to the caller as a decryption failure.
            Debug.Fail($"Unexpected RecipientInfoType: {type}");
            throw new NotSupportedException();
        }

        // A null exception means the native message now holds the decrypted content.
        return exception == null ? _hCryptMsg.GetContentInfo() : null;
    }
}
/// <summary>
/// Wraps one CMSG recipient entry together with the native allocation that backs it.
/// </summary>
/// <param name="recipientInfoType">Recipient type; values outside Unknown..KeyAgreement are silently coerced to Unknown.</param>
/// <param name="recipientSubType">Recipient sub-type; values outside Unknown..PublicKeyAgreement are silently coerced to Unknown.</param>
/// <param name="pCmsgRecipientInfo">Native allocation for the recipient structure; stored as-is (no copy, no release here).</param>
/// <param name="cmsgRecipientInfo">Managed projection of the recipient structure; stored as-is.</param>
/// <param name="index">Position of this recipient within the message; stored as-is.</param>
/// <remarks>
/// No argument is rejected: an undefined enum value becomes Unknown rather than an exception,
/// so callers that pass bad values get a recipient that later code will treat as unknown.
/// The field name m_recipentInfoType (sic) is pre-existing and referenced elsewhere.
/// </remarks>
internal RecipientInfo(RecipientInfoType recipientInfoType, RecipientSubType recipientSubType, SafeLocalAllocHandle pCmsgRecipientInfo, object cmsgRecipientInfo, uint index)
{
    bool typeInRange = recipientInfoType >= RecipientInfoType.Unknown && recipientInfoType <= RecipientInfoType.KeyAgreement;
    bool subTypeInRange = recipientSubType >= RecipientSubType.Unknown && recipientSubType <= RecipientSubType.PublicKeyAgreement;

    this.m_recipentInfoType = typeInRange ? recipientInfoType : RecipientInfoType.Unknown;
    this.m_recipientSubType = subTypeInRange ? recipientSubType : RecipientSubType.Unknown;
    this.m_pCmsgRecipientInfo = pCmsgRecipientInfo;
    this.m_cmsgRecipientInfo = cmsgRecipientInfo;
    this.m_index = index;
}
/// <summary>
/// Windows recipient-side CMS decryption: obtains the private key behind <paramref name="cert"/>
/// and lets the native HCRYPTMSG unwrap the content-encryption key for <paramref name="recipientInfo"/>.
/// </summary>
/// <param name="recipientInfo">The recipient entry to decrypt; must be KeyTransport or KeyAgreement.</param>
/// <param name="cert">Certificate whose private key is used for the unwrap.</param>
/// <param name="originatorCerts">Originator certificates; only consulted on the key-agreement path.</param>
/// <param name="extraStore">Additional certificates; only consulted on the key-agreement path.</param>
/// <param name="exception">The failure reason when the result is null; null on success.</param>
/// <returns>The decrypted content, or null with <paramref name="exception"/> populated.</returns>
/// <remarks>
/// Failures are reported through <paramref name="exception"/>; the only throw is the internal-bug
/// case of an unrecognized recipient type. NOTE(review): the returned ContentInfo carries the
/// plaintext in managed memory that is not scrubbed here — the caller owns its lifetime.
/// </remarks>
public sealed override ContentInfo TryDecrypt(RecipientInfo recipientInfo, X509Certificate2 cert, X509Certificate2Collection originatorCerts, X509Certificate2Collection extraStore, out Exception exception)
{
    Debug.Assert(recipientInfo != null);
    Debug.Assert(cert != null);
    Debug.Assert(originatorCerts != null);
    Debug.Assert(extraStore != null);

    CryptKeySpec keySpec;
    exception = TryGetKeySpecForCertificate(cert, out keySpec);
    if (exception != null)
    {
        return null;
    }

    // Desktop compat: silent == false permits the crypto provider to show UI (e.g. a PIN prompt)
    // while acquiring the key. NOTE(review): in an unattended host that prompt can block
    // indefinitely — nothing here bounds it; confirm callers only reach this where UI is acceptable.
    const bool silent = false;

    using (SafeProvOrNCryptKeyHandle privateKeyHandle = TryGetCertificatePrivateKey(cert, silent, out exception))
    {
        if (privateKeyHandle == null)
        {
            return null;
        }

        RecipientInfoType type = recipientInfo.Type;
        if (type == RecipientInfoType.KeyTransport)
        {
            exception = TryDecryptTrans((KeyTransRecipientInfo)recipientInfo, privateKeyHandle, keySpec);
        }
        else if (type == RecipientInfoType.KeyAgreement)
        {
            // NOTE(review): how the originator's public key is located and whether it is
            // chain-validated is decided inside TryDecryptAgree, not here.
            exception = TryDecryptAgree((KeyAgreeRecipientInfo)recipientInfo, privateKeyHandle, keySpec, originatorCerts, extraStore);
        }
        else
        {
            // Only this assembly constructs RecipientInfo, so an unknown type is our own bug:
            // fail loudly instead of reporting it to the caller as a decryption failure.
            Debug.Fail($"Unexpected RecipientInfoType: {type}");
            throw new NotSupportedException();
        }

        // A null exception means the native message now holds the decrypted content.
        return exception == null ? _hCryptMsg.GetContentInfo() : null;
    }
}
/// <summary>
/// Wraps one CMSG recipient entry together with the native allocation that backs it.
/// </summary>
/// <param name="recipientInfoType">Recipient type; anything outside Unknown..KeyAgreement is silently coerced to Unknown.</param>
/// <param name="recipientSubType">Recipient sub-type; anything outside Unknown..PublicKeyAgreement is silently coerced to Unknown.</param>
/// <param name="pCmsgRecipientInfo">Native allocation for the recipient structure; stored as-is (no copy, no release here).</param>
/// <param name="cmsgRecipientInfo">Managed projection of the recipient structure; stored as-is.</param>
/// <param name="index">Position of this recipient within the message; stored as-is.</param>
/// <remarks>
/// Nothing is rejected: an undefined enum value degrades to Unknown instead of throwing, so a
/// caller passing a bad value gets a recipient that later code treats as unknown.
/// The field name m_recipentInfoType (sic) is pre-existing and referenced elsewhere.
/// </remarks>
internal RecipientInfo(RecipientInfoType recipientInfoType, RecipientSubType recipientSubType, System.Security.Cryptography.SafeLocalAllocHandle pCmsgRecipientInfo, object cmsgRecipientInfo, uint index)
{
    RecipientInfoType effectiveType = RecipientInfoType.Unknown;
    if (recipientInfoType >= RecipientInfoType.Unknown && recipientInfoType <= RecipientInfoType.KeyAgreement)
    {
        effectiveType = recipientInfoType;
    }

    RecipientSubType effectiveSubType = RecipientSubType.Unknown;
    if (recipientSubType >= RecipientSubType.Unknown && recipientSubType <= RecipientSubType.PublicKeyAgreement)
    {
        effectiveSubType = recipientSubType;
    }

    m_recipentInfoType = effectiveType;
    m_recipientSubType = effectiveSubType;
    m_pCmsgRecipientInfo = pCmsgRecipientInfo;
    m_cmsgRecipientInfo = cmsgRecipientInfo;
    m_index = index;
}
/// <summary>
/// Wraps one CMSG recipient entry together with the native allocation that backs it.
/// </summary>
/// <param name="recipientInfoType">Recipient type; values outside Unknown..KeyAgreement become Unknown.</param>
/// <param name="recipientSubType">Recipient sub-type; values outside Unknown..PublicKeyAgreement become Unknown.</param>
/// <param name="pCmsgRecipientInfo">Native allocation for the recipient structure; stored as-is (no copy, no release here).</param>
/// <param name="cmsgRecipientInfo">Managed projection of the recipient structure; stored as-is.</param>
/// <param name="index">Position of this recipient within the message; stored as-is.</param>
/// <remarks>
/// Out-of-range enum values are clamped to Unknown rather than rejected, so a bad value from a
/// caller never throws here — later code sees an unknown recipient instead.
/// The field name m_recipentInfoType (sic) is pre-existing and referenced elsewhere.
/// </remarks>
internal RecipientInfo(RecipientInfoType recipientInfoType, RecipientSubType recipientSubType, SafeLocalAllocHandle pCmsgRecipientInfo, object cmsgRecipientInfo, uint index)
{
    bool typeOutOfRange = recipientInfoType < RecipientInfoType.Unknown || recipientInfoType > RecipientInfoType.KeyAgreement;
    bool subTypeOutOfRange = recipientSubType < RecipientSubType.Unknown || recipientSubType > RecipientSubType.PublicKeyAgreement;

    this.m_recipentInfoType = typeOutOfRange ? RecipientInfoType.Unknown : recipientInfoType;
    this.m_recipientSubType = subTypeOutOfRange ? RecipientSubType.Unknown : recipientSubType;
    this.m_pCmsgRecipientInfo = pCmsgRecipientInfo;
    this.m_cmsgRecipientInfo = cmsgRecipientInfo;
    this.m_index = index;
}
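/// <summary>
/// Classifies a recipient certificate by the algorithm in its SubjectPublicKeyInfo:
/// RSA key exchange maps to KeyTransport, Diffie-Hellman to KeyAgreement, anything else to Unknown.
/// </summary>
/// <param name="certificate">The recipient certificate; null yields Unknown.</param>
/// <returns>The RecipientInfoType matching the certificate's public-key algorithm.</returns>
/// <remarks>
/// The CERT_CONTEXT and CERT_INFO are read through a raw pointer obtained with DangerousGetHandle().
/// That pointer is only valid while the SafeHandle it came from is alive, so the handle is held in
/// a local and explicitly kept reachable (together with the certificate) until the reads finish —
/// previously the handle was a temporary that became unreachable as soon as the pointer was taken.
/// NOTE(review): if GetCertContext returns a duplicated context, it is still only released by its
/// finalizer here (unchanged); confirm and Dispose() it explicitly if so.
/// </remarks>
internal static RecipientInfoType GetRecipientInfoType(X509Certificate2 certificate)
{
    if (certificate == null)
    {
        return RecipientInfoType.Unknown;
    }

    SafeHandle certContextHandle = System.Security.Cryptography.X509Certificates.X509Utils.GetCertContext(certificate);
    RecipientInfoType result;
    try
    {
        System.Security.Cryptography.CAPI.CERT_CONTEXT certContext = (System.Security.Cryptography.CAPI.CERT_CONTEXT)Marshal.PtrToStructure(certContextHandle.DangerousGetHandle(), typeof(System.Security.Cryptography.CAPI.CERT_CONTEXT));
        System.Security.Cryptography.CAPI.CERT_INFO certInfo = (System.Security.Cryptography.CAPI.CERT_INFO)Marshal.PtrToStructure(certContext.pCertInfo, typeof(System.Security.Cryptography.CAPI.CERT_INFO));

        switch (System.Security.Cryptography.X509Certificates.X509Utils.OidToAlgId(certInfo.SubjectPublicKeyInfo.Algorithm.pszObjId))
        {
            case 0xa400: // CALG_RSA_KEYX (wincrypt.h)
                result = RecipientInfoType.KeyTransport;
                break;
            case 0xaa01: // CALG_DH_SF
            case 0xaa02: // CALG_DH_EPHEM
                result = RecipientInfoType.KeyAgreement;
                break;
            default:
                result = RecipientInfoType.Unknown;
                break;
        }
    }
    finally
    {
        // Neither object is referenced after DangerousGetHandle(), so without this the GC may
        // finalize the handle (and release the context) while the unmanaged reads are in flight.
        System.GC.KeepAlive(certContextHandle);
        System.GC.KeepAlive(certificate);
    }

    return result;
}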
/// <summary>
/// Pairs a recipient type with the platform object (PAL) that implements it.
/// </summary>
/// <param name="type">KeyTransport or KeyAgreement; other values are a caller bug.</param>
/// <param name="pal">The PAL object, expected to be the subclass matching <paramref name="type"/>.</param>
/// <remarks>
/// The type/PAL pairing is only checked in DEBUG builds; release builds store whatever they are
/// given, so in-assembly callers are trusted to pair them correctly.
/// </remarks>
internal RecipientInfo(RecipientInfoType type, RecipientInfoPal pal)
{
#if DEBUG
    if (type == RecipientInfoType.KeyTransport)
    {
        Debug.Assert(pal is KeyTransRecipientInfoPal);
    }
    else if (type == RecipientInfoType.KeyAgreement)
    {
        Debug.Assert(pal is KeyAgreeRecipientInfoPal);
    }
    else
    {
        Debug.Fail($"Illegal recipientInfoType: {type}");
    }
#endif
    Type = type;
    Pal = pal;
}
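/// <summary>
/// Classifies a recipient certificate by the algorithm in its SubjectPublicKeyInfo:
/// RSA key exchange maps to KeyTransport, Diffie-Hellman to KeyAgreement, anything else to Unknown.
/// </summary>
/// <param name="certificate">The recipient certificate; null yields Unknown.</param>
/// <returns>The RecipientInfoType matching the certificate's public-key algorithm.</returns>
/// <remarks>
/// The CERT_CONTEXT and CERT_INFO are read through a raw pointer obtained with DangerousGetHandle().
/// That pointer is only valid while the SafeHandle it came from is alive, so the handle is held in
/// a local and explicitly kept reachable (together with the certificate) until the reads finish —
/// previously the handle was a temporary that became unreachable as soon as the pointer was taken.
/// NOTE(review): if GetCertContext returns a duplicated context, it is still only released by its
/// finalizer here (unchanged); confirm and Dispose() it explicitly if so.
/// </remarks>
internal static RecipientInfoType GetRecipientInfoType(X509Certificate2 certificate)
{
    RecipientInfoType recipientInfoType = RecipientInfoType.Unknown;
    if (certificate == null)
    {
        return recipientInfoType;
    }

    SafeHandle certContextHandle = X509Utils.GetCertContext(certificate);
    try
    {
        CAPI.CERT_CONTEXT certContext = (CAPI.CERT_CONTEXT)Marshal.PtrToStructure(certContextHandle.DangerousGetHandle(), typeof(CAPI.CERT_CONTEXT));
        CAPI.CERT_INFO certInfo = (CAPI.CERT_INFO)Marshal.PtrToStructure(certContext.pCertInfo, typeof(CAPI.CERT_INFO));

        // ALG_ID values from wincrypt.h: 0xa400 = CALG_RSA_KEYX, 0xaa01 = CALG_DH_SF, 0xaa02 = CALG_DH_EPHEM.
        switch (X509Utils.OidToAlgId(certInfo.SubjectPublicKeyInfo.Algorithm.pszObjId))
        {
            case 0xa400U:
                recipientInfoType = RecipientInfoType.KeyTransport;
                break;
            case 0xaa01U:
            case 0xaa02U:
                recipientInfoType = RecipientInfoType.KeyAgreement;
                break;
            default:
                recipientInfoType = RecipientInfoType.Unknown;
                break;
        }
    }
    finally
    {
        // Neither object is referenced after DangerousGetHandle(), so without this the GC may
        // finalize the handle (and release the context) while the unmanaged reads are in flight.
        System.GC.KeepAlive(certContextHandle);
        System.GC.KeepAlive(certificate);
    }

    return recipientInfoType;
}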
/// <summary>
/// Windows recipient-side CMS decryption. Exactly one of <paramref name="cert"/> and
/// <paramref name="privateKey"/> is supplied: an explicit RSA <paramref name="privateKey"/> goes
/// through the managed key-transport path; otherwise the private key behind <paramref name="cert"/>
/// is resolved via CAPI/CNG and the native HCRYPTMSG performs the unwrap.
/// </summary>
/// <param name="recipientInfo">The recipient entry to decrypt.</param>
/// <param name="cert">Certificate whose private key is used; null when <paramref name="privateKey"/> is given.</param>
/// <param name="privateKey">Explicit private key (must be RSA); null when <paramref name="cert"/> is given.</param>
/// <param name="originatorCerts">Originator certificates; only consulted on the certificate/key-agreement path.</param>
/// <param name="extraStore">Additional certificates; only consulted on the certificate/key-agreement path.</param>
/// <param name="exception">The failure reason when the result is null; null on success.</param>
/// <returns>The decrypted content, or null with <paramref name="exception"/> populated.</returns>
/// <remarks>
/// Failures are reported through <paramref name="exception"/>; the only throw is the internal-bug
/// case of an unrecognized recipient type on the certificate path.
/// </remarks>
public unsafe sealed override ContentInfo TryDecrypt(
    RecipientInfo recipientInfo,
    X509Certificate2 cert,
    AsymmetricAlgorithm privateKey,
    X509Certificate2Collection originatorCerts,
    X509Certificate2Collection extraStore,
    out Exception exception)
{
    Debug.Assert((cert != null) ^ (privateKey != null));

    if (privateKey != null)
    {
        return TryDecryptWithExplicitKey(recipientInfo, cert, privateKey, out exception);
    }

    Debug.Assert(recipientInfo != null);
    Debug.Assert(cert != null);
    Debug.Assert(originatorCerts != null);
    Debug.Assert(extraStore != null);

    CryptKeySpec keySpec;
    exception = TryGetKeySpecForCertificate(cert, out keySpec);
    if (exception != null)
    {
        return null;
    }

    // Desktop compat: silent == false permits the CSP/KSP to show UI (e.g. a smart-card PIN
    // prompt) while the key is acquired. NOTE(review): in an unattended host such a prompt can
    // block indefinitely — nothing here bounds it; confirm callers only reach this where UI is
    // acceptable.
    const bool Silent = false;

    // CRYPT_ACQUIRE_ALLOW_NCRYPT_KEY_FLAG rather than CRYPT_ACQUIRE_PREFER_NCRYPT_KEY_FLAG:
    // forcing an NCrypt wrapper over CAPI keys breaks some legacy features (RC4 among them).
    // NOTE(review): the flip side is that RC4-protected content stays decryptable through this
    // path — confirm that legacy reach is intended for the deployment.
    const bool PreferNCrypt = false;

    using (SafeProvOrNCryptKeyHandle privateKeyHandle = PkcsPalWindows.GetCertificatePrivateKey(cert, Silent, PreferNCrypt, out _, out exception))
    {
        if (privateKeyHandle == null)
        {
            return null;
        }

        RecipientInfoType type = recipientInfo.Type;
        if (type == RecipientInfoType.KeyTransport)
        {
            exception = TryDecryptTrans((KeyTransRecipientInfo)recipientInfo, privateKeyHandle, keySpec);
        }
        else if (type == RecipientInfoType.KeyAgreement)
        {
            // NOTE(review): how the originator's public key is located and whether it is
            // chain-validated is decided inside TryDecryptAgree, not here.
            exception = TryDecryptAgree((KeyAgreeRecipientInfo)recipientInfo, privateKeyHandle, keySpec, originatorCerts, extraStore);
        }
        else
        {
            // Only this assembly constructs RecipientInfo, so an unknown type is our own bug:
            // fail loudly instead of reporting it to the caller as a decryption failure.
            Debug.Fail($"Unexpected RecipientInfoType: {type}");
            throw new NotSupportedException();
        }

        // A null exception means the native message now holds the decrypted content.
        return exception == null ? _hCryptMsg.GetContentInfo() : null;
    }
}

/// <summary>
/// Managed path for an explicitly supplied key: unwrap the content-encryption key (CEK) with the
/// RSA key, then decrypt the content entirely in managed code. No CAPI/CNG key handle is involved.
/// </summary>
/// <param name="recipientInfo">The recipient entry whose EncryptedKey is unwrapped.</param>
/// <param name="cert">Passed through to the CEK unwrap (null on this path per the caller's XOR assert).</param>
/// <param name="privateKey">The caller's key; anything other than RSA is rejected.</param>
/// <param name="exception">The failure reason when the result is null; null on success.</param>
/// <returns>The decrypted content, or null with <paramref name="exception"/> populated.</returns>
private unsafe ContentInfo TryDecryptWithExplicitKey(RecipientInfo recipientInfo, X509Certificate2 cert, AsymmetricAlgorithm privateKey, out Exception exception)
{
    RSA rsaKey = privateKey as RSA;
    if (rsaKey == null)
    {
        exception = new CryptographicException(SR.Cryptography_Cms_Ktri_RSARequired);
        return null;
    }

    ContentInfo encryptedContent = _hCryptMsg.GetContentInfo();

    // NOTE(review): CEK-unwrap failure and content-decrypt failure surface as different
    // exceptions. If a caller ever exposes that distinction to an untrusted party, an RSA
    // PKCS#1 v1.5 key-transport unwrap has the classic padding-oracle shape — confirm callers
    // collapse both into one opaque failure.
    byte[] cek = AnyOS.ManagedPkcsPal.ManagedKeyTransPal.DecryptCekCore(
        cert, rsaKey, recipientInfo.EncryptedKey, recipientInfo.KeyEncryptionAlgorithm.Oid.Value, out exception);

    // Pin the CEK so heap compaction cannot leave a stray copy behind; the Array.Clear in the
    // finally block then wipes the only instance. Pinning a null array is a no-op.
    fixed (byte* pinnedCek = cek)
    {
        try
        {
            if (exception != null)
            {
                return null;
            }

            return AnyOS.ManagedPkcsPal.ManagedDecryptorPal.TryDecryptCore(
                cek, encryptedContent.ContentType.Value, encryptedContent.Content, _contentEncryptionAlgorithm, out exception);
        }
        finally
        {
            if (cek != null)
            {
                Array.Clear(cek, 0, cek.Length);
            }
        }
    }
}
// constructors
// Documented as protected on the old longhorn.msdn.microsoft.com pages, but absent from the
// 1.2 beta SDK, so it is kept internal here.
/// <summary>
/// Records which recipient-info flavour this instance represents.
/// </summary>
/// <param name="recipInfoType">Stored without validation; any enum value is accepted.</param>
internal RecipientInfo (RecipientInfoType recipInfoType)
{
    this._type = recipInfoType;
}
// constructors
// Documented as protected on the old longhorn.msdn.microsoft.com pages, but absent from the
// 1.2 beta SDK, so it is kept internal here.
/// <summary>
/// Records which recipient-info flavour this instance represents.
/// </summary>
/// <param name="recipInfoType">Stored without validation; any enum value is accepted.</param>
internal RecipientInfo(RecipientInfoType recipInfoType)
{
    this._type = recipInfoType;
}