        /// <summary>
        /// Attempts to decrypt the enveloped content for <paramref name="recipientInfo"/> using the private key
        /// bound to <paramref name="cert"/>. Failures are reported through <paramref name="exception"/> rather than thrown.
        /// </summary>
        /// <param name="recipientInfo">Recipient entry to decrypt against (key transport or key agreement).</param>
        /// <param name="cert">Recipient certificate whose associated private key is acquired from the provider.</param>
        /// <param name="originatorCerts">Originator certificates handed to the key-agreement path.</param>
        /// <param name="extraStore">Additional certificates handed to the key-agreement path.</param>
        /// <param name="exception">Null on success; otherwise the reason decryption failed.</param>
        /// <returns>The decrypted content, or null when <paramref name="exception"/> is set.</returns>
        public sealed override ContentInfo TryDecrypt(RecipientInfo recipientInfo, X509Certificate2 cert, X509Certificate2Collection originatorCerts, X509Certificate2Collection extraStore, out Exception exception)
        {
            Debug.Assert(recipientInfo != null);
            Debug.Assert(cert != null);
            Debug.Assert(originatorCerts != null);
            Debug.Assert(extraStore != null);

            exception = TryGetKeySpecForCertificate(cert, out CryptKeySpec keySpec);
            if (exception != null)
            {
                return null;
            }

            // Desktop compat: the key is acquired with silent == false, so the CSP/KSP is permitted to raise UI
            // (e.g. a smart-card PIN dialog). Security note: this may block or prompt in unattended contexts.
            const bool Silent = false;
            // CRYPT_ACQUIRE_ALLOW_NCRYPT_KEY_FLAG rather than CRYPT_ACQUIRE_PREFER_NCRYPT_KEY_FLAG: forcing an
            // NCrypt wrapper over CAPI keys unconditionally breaks some legacy features (such as RC4 support).
            const bool PreferNCrypt = false;

            // Dispatches on the recipient kind; returns null on success or the failure cause otherwise.
            Exception RunDecrypt(SafeProvOrNCryptKeyHandle key, CryptKeySpec spec)
            {
                RecipientInfoType kind = recipientInfo.Type;
                if (kind == RecipientInfoType.KeyTransport)
                {
                    return TryDecryptTrans((KeyTransRecipientInfo)recipientInfo, key, spec);
                }
                if (kind == RecipientInfoType.KeyAgreement)
                {
                    return TryDecryptAgree((KeyAgreeRecipientInfo)recipientInfo, key, spec, originatorCerts, extraStore);
                }

                // Only the framework constructs RecipientInfo instances, so any other value is our own bug:
                // assert and throw instead of handing the caller a failure it cannot act on.
                Debug.Fail($"Unexpected RecipientInfoType: {kind}");
                throw new NotSupportedException();
            }

            using (SafeProvOrNCryptKeyHandle hKey = PkcsPalWindows.GetCertificatePrivateKey(cert, Silent, PreferNCrypt, out _, out exception))
            {
                if (hKey == null)
                {
                    return null;
                }

                exception = RunDecrypt(hKey, keySpec);

                // Decryption succeeded only if no step reported an exception.
                return exception == null ? _hCryptMsg.GetContentInfo() : null;
            }
        }
 /// <summary>
 /// Wraps one recipient entry of a CMS message. Out-of-range <paramref name="recipientInfoType"/> and
 /// <paramref name="recipientSubType"/> values (e.g. an enum cast from an unexpected integer) are
 /// normalized to Unknown so no undefined discriminator is ever stored.
 /// </summary>
 /// <param name="recipientInfoType">Recipient kind; anything outside [Unknown, KeyAgreement] becomes Unknown.</param>
 /// <param name="recipientSubType">Recipient sub-kind; anything outside [Unknown, PublicKeyAgreement] becomes Unknown.</param>
 /// <param name="pCmsgRecipientInfo">Native recipient-info buffer (SafeLocalAllocHandle); not interpreted here.</param>
 /// <param name="cmsgRecipientInfo">Managed recipient-info object; stored as supplied.</param>
 /// <param name="index">Recipient index as supplied by the caller.</param>
 internal RecipientInfo(RecipientInfoType recipientInfoType, RecipientSubType recipientSubType, SafeLocalAllocHandle pCmsgRecipientInfo, object cmsgRecipientInfo, uint index)
 {
     bool knownType = recipientInfoType >= RecipientInfoType.Unknown && recipientInfoType <= RecipientInfoType.KeyAgreement;
     bool knownSubType = recipientSubType >= RecipientSubType.Unknown && recipientSubType <= RecipientSubType.PublicKeyAgreement;

     this.m_recipentInfoType = knownType ? recipientInfoType : RecipientInfoType.Unknown;
     this.m_recipientSubType = knownSubType ? recipientSubType : RecipientSubType.Unknown;
     this.m_pCmsgRecipientInfo = pCmsgRecipientInfo;
     this.m_cmsgRecipientInfo = cmsgRecipientInfo;
     this.m_index = index;
 }
        /// <summary>
        /// Decrypts the enveloped content for <paramref name="recipientInfo"/> with the private key that backs
        /// <paramref name="cert"/>, reporting failure through <paramref name="exception"/> rather than throwing.
        /// </summary>
        /// <param name="recipientInfo">Recipient entry (key transport or key agreement) to decrypt against.</param>
        /// <param name="cert">Recipient certificate; its private key is looked up via TryGetCertificatePrivateKey.</param>
        /// <param name="originatorCerts">Originator certificates handed to the key-agreement path.</param>
        /// <param name="extraStore">Extra certificates handed to the key-agreement path.</param>
        /// <param name="exception">Null on success; otherwise the reason decryption failed.</param>
        /// <returns>The decrypted content, or null when <paramref name="exception"/> is set.</returns>
        public sealed override ContentInfo TryDecrypt(RecipientInfo recipientInfo, X509Certificate2 cert, X509Certificate2Collection originatorCerts, X509Certificate2Collection extraStore, out Exception exception)
        {
            Debug.Assert(recipientInfo != null);
            Debug.Assert(cert != null);
            Debug.Assert(originatorCerts != null);
            Debug.Assert(extraStore != null);

            CryptKeySpec keySpec;
            exception = TryGetKeySpecForCertificate(cert, out keySpec);
            if (exception != null)
            {
                return null;
            }

            // Desktop compat: the key is acquired with silent == false, so the underlying provider may raise UI
            // (e.g. a smart-card PIN dialog). Security note: this may block or prompt in unattended contexts.
            const bool Silent = false;

            using (SafeProvOrNCryptKeyHandle hKey = TryGetCertificatePrivateKey(cert, Silent, out exception))
            {
                if (hKey == null)
                {
                    return null;
                }

                RecipientInfoType kind = recipientInfo.Type;
                switch (kind)
                {
                    case RecipientInfoType.KeyTransport:
                        exception = TryDecryptTrans((KeyTransRecipientInfo)recipientInfo, hKey, keySpec);
                        break;

                    case RecipientInfoType.KeyAgreement:
                        exception = TryDecryptAgree((KeyAgreeRecipientInfo)recipientInfo, hKey, keySpec, originatorCerts, extraStore);
                        break;

                    default:
                        // RecipientInfo instances are only created by the framework, so any other value is an
                        // internal bug: fail loudly rather than report it as a decryption failure.
                        Debug.Fail($"Unexpected RecipientInfoType: {kind}");
                        throw new NotSupportedException();
                }

                // Decryption succeeded only if no step reported an exception.
                return exception == null ? _hCryptMsg.GetContentInfo() : null;
            }
        }
 /// <summary>
 /// Wraps one recipient entry of a CMS message. The two enum discriminators are range-checked and any
 /// out-of-range value (possible when an enum is produced by casting an integer) is stored as Unknown.
 /// </summary>
 /// <param name="recipientInfoType">Recipient kind; clamped to Unknown when outside [Unknown, KeyAgreement].</param>
 /// <param name="recipientSubType">Recipient sub-kind; clamped to Unknown when outside [Unknown, PublicKeyAgreement].</param>
 /// <param name="pCmsgRecipientInfo">Native recipient-info buffer handle; stored, not dereferenced here.</param>
 /// <param name="cmsgRecipientInfo">Managed recipient-info object; stored as supplied.</param>
 /// <param name="index">Recipient index as supplied by the caller.</param>
 internal RecipientInfo(RecipientInfoType recipientInfoType, RecipientSubType recipientSubType, System.Security.Cryptography.SafeLocalAllocHandle pCmsgRecipientInfo, object cmsgRecipientInfo, uint index)
 {
     this.m_recipentInfoType =
         (recipientInfoType < RecipientInfoType.Unknown || recipientInfoType > RecipientInfoType.KeyAgreement)
             ? RecipientInfoType.Unknown
             : recipientInfoType;

     this.m_recipientSubType =
         (recipientSubType < RecipientSubType.Unknown || recipientSubType > RecipientSubType.PublicKeyAgreement)
             ? RecipientSubType.Unknown
             : recipientSubType;

     this.m_pCmsgRecipientInfo = pCmsgRecipientInfo;
     this.m_cmsgRecipientInfo = cmsgRecipientInfo;
     this.m_index = index;
 }
 /// <summary>
 /// Wraps one recipient entry of a CMS message. Enum discriminators outside their defined range are
 /// normalized to Unknown before being stored, so consumers never observe an undefined kind.
 /// </summary>
 /// <param name="recipientInfoType">Recipient kind; valid range is [Unknown, KeyAgreement].</param>
 /// <param name="recipientSubType">Recipient sub-kind; valid range is [Unknown, PublicKeyAgreement].</param>
 /// <param name="pCmsgRecipientInfo">Native recipient-info buffer handle; stored, not dereferenced here.</param>
 /// <param name="cmsgRecipientInfo">Managed recipient-info object; stored as supplied.</param>
 /// <param name="index">Recipient index as supplied by the caller.</param>
 internal RecipientInfo(RecipientInfoType recipientInfoType, RecipientSubType recipientSubType, SafeLocalAllocHandle pCmsgRecipientInfo, object cmsgRecipientInfo, uint index)
 {
     bool typeInRange = recipientInfoType >= RecipientInfoType.Unknown
                        && recipientInfoType <= RecipientInfoType.KeyAgreement;
     bool subTypeInRange = recipientSubType >= RecipientSubType.Unknown
                           && recipientSubType <= RecipientSubType.PublicKeyAgreement;

     this.m_recipentInfoType   = typeInRange ? recipientInfoType : RecipientInfoType.Unknown;
     this.m_recipientSubType   = subTypeInRange ? recipientSubType : RecipientSubType.Unknown;
     this.m_pCmsgRecipientInfo = pCmsgRecipientInfo;
     this.m_cmsgRecipientInfo  = cmsgRecipientInfo;
     this.m_index = index;
 }
 /// <summary>
 /// Wraps one recipient entry of a CMS message, defensively normalizing the kind and sub-kind
 /// discriminators to Unknown when they fall outside the defined enum range.
 /// </summary>
 /// <param name="recipientInfoType">Recipient kind; values outside [Unknown, KeyAgreement] are stored as Unknown.</param>
 /// <param name="recipientSubType">Recipient sub-kind; values outside [Unknown, PublicKeyAgreement] are stored as Unknown.</param>
 /// <param name="pCmsgRecipientInfo">Native recipient-info buffer handle; stored, not dereferenced here.</param>
 /// <param name="cmsgRecipientInfo">Managed recipient-info object; stored as supplied.</param>
 /// <param name="index">Recipient index as supplied by the caller.</param>
 internal RecipientInfo(RecipientInfoType recipientInfoType, RecipientSubType recipientSubType, System.Security.Cryptography.SafeLocalAllocHandle pCmsgRecipientInfo, object cmsgRecipientInfo, uint index)
 {
     RecipientInfoType kind = recipientInfoType;
     if (kind < RecipientInfoType.Unknown || kind > RecipientInfoType.KeyAgreement)
     {
         kind = RecipientInfoType.Unknown;
     }

     RecipientSubType subKind = recipientSubType;
     if (subKind < RecipientSubType.Unknown || subKind > RecipientSubType.PublicKeyAgreement)
     {
         subKind = RecipientSubType.Unknown;
     }

     this.m_recipentInfoType   = kind;
     this.m_recipientSubType   = subKind;
     this.m_pCmsgRecipientInfo = pCmsgRecipientInfo;
     this.m_cmsgRecipientInfo  = cmsgRecipientInfo;
     this.m_index = index;
 }
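        /// <summary>
        /// Classifies a recipient certificate by its subject-public-key algorithm: RSA keys are usable for
        /// key transport, Diffie-Hellman keys for key agreement; anything else is Unknown.
        /// </summary>
        /// <param name="certificate">Recipient certificate; null yields <see cref="RecipientInfoType.Unknown"/>.</param>
        /// <returns>KeyTransport for RSA, KeyAgreement for DH (store-and-forward or ephemeral), otherwise Unknown.</returns>
        internal static RecipientInfoType GetRecipientInfoType(X509Certificate2 certificate)
        {
            // CAPI ALG_ID values (wincrypt.h) that OidToAlgId maps the SubjectPublicKeyInfo algorithm OID to.
            const uint CALG_RSA_KEYX = 0xa400;
            const uint CALG_DH_SF = 0xaa01;
            const uint CALG_DH_EPHEM = 0xaa02;

            if (certificate == null)
            {
                return RecipientInfoType.Unknown;
            }

            // NOTE(review): the CERT_CONTEXT pointer is read via DangerousGetHandle without AddRef/Release, so
            // this relies on `certificate` keeping the native context alive for the duration of the call —
            // confirm GetCertContext returns the certificate's own handle rather than a fresh, collectable one.
            System.Security.Cryptography.CAPI.CERT_CONTEXT certContext = (System.Security.Cryptography.CAPI.CERT_CONTEXT)Marshal.PtrToStructure(
                System.Security.Cryptography.X509Certificates.X509Utils.GetCertContext(certificate).DangerousGetHandle(),
                typeof(System.Security.Cryptography.CAPI.CERT_CONTEXT));
            System.Security.Cryptography.CAPI.CERT_INFO certInfo = (System.Security.Cryptography.CAPI.CERT_INFO)Marshal.PtrToStructure(
                certContext.pCertInfo,
                typeof(System.Security.Cryptography.CAPI.CERT_INFO));

            uint algId = System.Security.Cryptography.X509Certificates.X509Utils.OidToAlgId(certInfo.SubjectPublicKeyInfo.Algorithm.pszObjId);
            switch (algId)
            {
                case CALG_RSA_KEYX:
                    return RecipientInfoType.KeyTransport;

                case CALG_DH_SF:
                case CALG_DH_EPHEM:
                    return RecipientInfoType.KeyAgreement;

                default:
                    return RecipientInfoType.Unknown;
            }
        }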
        /// <summary>
        /// Pairs a recipient kind with its platform implementation. In DEBUG builds the PAL object is checked
        /// against the declared kind; release builds trust the (internal) caller and store both as given.
        /// </summary>
        /// <param name="type">Recipient kind: KeyTransport or KeyAgreement.</param>
        /// <param name="pal">Platform-specific recipient info, expected to match <paramref name="type"/>.</param>
        internal RecipientInfo(RecipientInfoType type, RecipientInfoPal pal)
        {
#if DEBUG
            if (type == RecipientInfoType.KeyTransport)
            {
                Debug.Assert(pal is KeyTransRecipientInfoPal);
            }
            else if (type == RecipientInfoType.KeyAgreement)
            {
                Debug.Assert(pal is KeyAgreeRecipientInfoPal);
            }
            else
            {
                Debug.Fail($"Illegal recipientInfoType: {type}");
            }
#endif

            Type = type;
            Pal  = pal;
        }
        /// <summary>
        /// Binds a recipient kind to the platform object that implements it. The kind/PAL consistency check
        /// is compiled only into DEBUG builds; release builds perform no validation.
        /// </summary>
        /// <param name="type">Recipient kind: KeyTransport or KeyAgreement.</param>
        /// <param name="pal">Platform-specific recipient info that should correspond to <paramref name="type"/>.</param>
        internal RecipientInfo(RecipientInfoType type, RecipientInfoPal pal)
        {
#if DEBUG
            // Debug-only sanity check that the PAL object's runtime type agrees with the declared kind.
            void AssertPalMatchesType()
            {
                switch (type)
                {
                    case RecipientInfoType.KeyTransport:
                        Debug.Assert(pal is KeyTransRecipientInfoPal);
                        return;

                    case RecipientInfoType.KeyAgreement:
                        Debug.Assert(pal is KeyAgreeRecipientInfoPal);
                        return;

                    default:
                        Debug.Fail($"Illegal recipientInfoType: {type}");
                        return;
                }
            }

            AssertPalMatchesType();
#endif

            Type = type;
            Pal = pal;
        }
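        /// <summary>
        /// Determines which CMS recipient mechanism a certificate's public key supports, by mapping the
        /// SubjectPublicKeyInfo algorithm OID to a CAPI ALG_ID: RSA → key transport, DH → key agreement.
        /// </summary>
        /// <param name="certificate">Recipient certificate; null yields <see cref="RecipientInfoType.Unknown"/>.</param>
        /// <returns>KeyTransport for RSA, KeyAgreement for DH (store-and-forward or ephemeral), otherwise Unknown.</returns>
        internal static RecipientInfoType GetRecipientInfoType(X509Certificate2 certificate)
        {
            // CAPI ALG_ID values (wincrypt.h) returned by X509Utils.OidToAlgId for the supported key types.
            const uint CALG_RSA_KEYX = 41984U;  // 0xa400
            const uint CALG_DH_SF = 43521U;     // 0xaa01
            const uint CALG_DH_EPHEM = 43522U;  // 0xaa02

            if (certificate == null)
            {
                return RecipientInfoType.Unknown;
            }

            // NOTE(review): the raw CERT_CONTEXT pointer comes from DangerousGetHandle with no AddRef/Release;
            // the native context must be kept alive by `certificate` for the duration of this call — confirm
            // GetCertContext does not hand back a fresh SafeHandle that could be finalized mid-call.
            IntPtr certContextPtr = X509Utils.GetCertContext(certificate).DangerousGetHandle();
            CAPI.CERT_CONTEXT certContext = (CAPI.CERT_CONTEXT)Marshal.PtrToStructure(certContextPtr, typeof(CAPI.CERT_CONTEXT));
            CAPI.CERT_INFO certInfo = (CAPI.CERT_INFO)Marshal.PtrToStructure(certContext.pCertInfo, typeof(CAPI.CERT_INFO));

            uint algId = X509Utils.OidToAlgId(certInfo.SubjectPublicKeyInfo.Algorithm.pszObjId);

            RecipientInfoType recipientInfoType;
            switch (algId)
            {
                case CALG_RSA_KEYX:
                    recipientInfoType = RecipientInfoType.KeyTransport;
                    break;

                case CALG_DH_SF:
                case CALG_DH_EPHEM:
                    recipientInfoType = RecipientInfoType.KeyAgreement;
                    break;

                default:
                    recipientInfoType = RecipientInfoType.Unknown;
                    break;
            }

            return recipientInfoType;
        }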
        /// <summary>
        /// Attempts to decrypt the enveloped content for one recipient. Exactly one of <paramref name="cert"/>
        /// and <paramref name="privateKey"/> is supplied: an explicit key takes the managed RSA key-transport
        /// path; a certificate takes the Windows CAPI/CNG path keyed by the certificate's private key.
        /// </summary>
        /// <param name="recipientInfo">Recipient entry to decrypt against.</param>
        /// <param name="cert">Recipient certificate, or null when <paramref name="privateKey"/> is given.</param>
        /// <param name="privateKey">Explicit private key, or null; must be RSA when non-null.</param>
        /// <param name="originatorCerts">Originator certificates used by the key-agreement path.</param>
        /// <param name="extraStore">Additional certificates used by the key-agreement path.</param>
        /// <param name="exception">Null on success, otherwise the failure reason; the method returns null in that case.</param>
        /// <returns>The decrypted content, or null on failure.</returns>
        public unsafe sealed override ContentInfo TryDecrypt(
            RecipientInfo recipientInfo,
            X509Certificate2 cert,
            AsymmetricAlgorithm privateKey,
            X509Certificate2Collection originatorCerts,
            X509Certificate2Collection extraStore,
            out Exception exception)
        {
            Debug.Assert((cert != null) ^ (privateKey != null));

            if (privateKey != null)
            {
                // Explicit-key path: only RSA key transport is handled here (see the Ktri error below).
                // recipientInfo.Type is not consulted on this branch, so a key-agreement recipient is not
                // dispatched to an agreement routine — presumably it fails inside DecryptCekCore; confirm.
                RSA key = privateKey as RSA;

                if (key == null)
                {
                    exception = new CryptographicException(SR.Cryptography_Cms_Ktri_RSARequired);
                    return(null);
                }

                ContentInfo contentInfo = _hCryptMsg.GetContentInfo();
                // Note: cert is null on this branch (per the XOR assert above) and is passed through as such.
                byte[]      cek         = AnyOS.ManagedPkcsPal.ManagedKeyTransPal.DecryptCekCore(
                    cert,
                    key,
                    recipientInfo.EncryptedKey,
                    recipientInfo.KeyEncryptionAlgorithm.Oid.Value,
                    out exception);

                // Pin CEK to prevent it from getting copied during heap compaction.
                // NOTE(review): the pin starts only after DecryptCekCore has returned, so the array may already
                // have been relocated by the GC before this point; the pin plus Array.Clear below protect this
                // copy from here on, not the entire lifetime of the key material.
                fixed(byte *pinnedCek = cek)
                {
                    try
                    {
                        // cek may be null when exception is set; fixed() over a null array yields a null pointer, which is legal.
                        if (exception != null)
                        {
                            return(null);
                        }

                        return(AnyOS.ManagedPkcsPal.ManagedDecryptorPal.TryDecryptCore(
                                   cek,
                                   contentInfo.ContentType.Value,
                                   contentInfo.Content,
                                   _contentEncryptionAlgorithm,
                                   out exception));
                    }
                    finally
                    {
                        // Scrub the content-encryption key on every exit path (best effort for managed memory).
                        if (cek != null)
                        {
                            Array.Clear(cek, 0, cek.Length);
                        }
                    }
                }
            }

            // Certificate path: the private key is resolved through the Windows provider bound to the certificate.
            Debug.Assert(recipientInfo != null);
            Debug.Assert(cert != null);
            Debug.Assert(originatorCerts != null);
            Debug.Assert(extraStore != null);

            CryptKeySpec keySpec;

            exception = TryGetKeySpecForCertificate(cert, out keySpec);
            if (exception != null)
            {
                return(null);
            }

            // Desktop compat: We pass false for "silent" here (thus allowing crypto providers to display UI.)
            // Security note: a CSP/KSP may therefore prompt (e.g. for a smart-card PIN); be aware of this in unattended contexts.
            const bool Silent = false;
            // Note: Using CRYPT_ACQUIRE_ALLOW_NCRYPT_KEY_FLAG rather than CRYPT_ACQUIRE_PREFER_NCRYPT_KEY_FLAG
            // because wrapping an NCrypt wrapper over CAPI keys unconditionally causes some legacy features
            // (such as RC4 support) to break.
            const bool PreferNCrypt = false;

            using (SafeProvOrNCryptKeyHandle hKey = PkcsPalWindows.GetCertificatePrivateKey(cert, Silent, PreferNCrypt, out _, out exception))
            {
                if (hKey == null)
                {
                    return(null);
                }

                RecipientInfoType type = recipientInfo.Type;
                switch (type)
                {
                case RecipientInfoType.KeyTransport:
                    exception = TryDecryptTrans((KeyTransRecipientInfo)recipientInfo, hKey, keySpec);
                    break;

                case RecipientInfoType.KeyAgreement:
                    exception = TryDecryptAgree((KeyAgreeRecipientInfo)recipientInfo, hKey, keySpec, originatorCerts, extraStore);
                    break;

                default:
                    // Since only the framework can construct RecipientInfo's, we're at fault if we get here. So it's okay to assert and throw rather than
                    // returning to the caller.
                    Debug.Fail($"Unexpected RecipientInfoType: {type}");
                    throw new NotSupportedException();
                }

                if (exception != null)
                {
                    return(null);
                }

                // If we got here, we successfully decrypted. Return the decrypted content.
                return(_hCryptMsg.GetContentInfo());
            }
        }
		// constructors

		// documented as protected at http://longhorn.msdn.microsoft.com
		// but not present in the 1.2 beta SDK
		/// <summary>
		/// Creates a recipient info of the given kind. The value is stored verbatim; no range check is applied here.
		/// </summary>
		/// <param name="recipInfoType">Recipient kind to record.</param>
		internal RecipientInfo (RecipientInfoType recipInfoType) 
		{
			this._type = recipInfoType;
		}
        // constructors

        // documented as protected at http://longhorn.msdn.microsoft.com
        // but not present in the 1.2 beta SDK
        /// <summary>
        /// Creates a recipient info of the given kind. The value is stored verbatim; no range check is applied here.
        /// </summary>
        /// <param name="recipInfoType">Recipient kind to record.</param>
        internal RecipientInfo(RecipientInfoType recipInfoType)
        {
            this._type = recipInfoType;
        }