internal static void ReadEncryptedPkcs8(
ReadOnlySpan <byte> source,
ReadOnlySpan <byte> passwordBytes,
out int bytesRead,
out ECParameters key)
{
KeyFormatHelper.ReadEncryptedPkcs8 <ECParameters>(
s_validOids,
source,
passwordBytes,
FromECPrivateKey,
out bytesRead,
out key);
}
public override void ImportSubjectPublicKeyInfo(
ReadOnlySpan <byte> source,
out int bytesRead)
{
KeyFormatHelper.ReadSubjectPublicKeyInfo <ECParameters>(
s_validOids,
source,
EccKeyFormatHelper.FromECPublicKey,
out int localRead,
out ECParameters key);
ImportParameters(key);
bytesRead = localRead;
}
internal static unsafe Pkcs8Response ImportEncryptedPkcs8PrivateKey(
ReadOnlySpan <byte> passwordBytes,
ReadOnlySpan <byte> source,
out int bytesRead)
{
fixed(byte *ptr = &MemoryMarshal.GetReference(source))
{
using (MemoryManager <byte> manager = new PointerMemoryManager <byte>(ptr, source.Length))
{
// Since there's no bytes-based-password PKCS8 import in CNG, just do the decryption
// here and call the unencrypted PKCS8 import.
ArraySegment <byte> decrypted = KeyFormatHelper.DecryptPkcs8(
passwordBytes,
manager.Memory,
out bytesRead);
Span <byte> decryptedSpan = decrypted;
try
{
return(ImportPkcs8(decryptedSpan));
}
catch (CryptographicException e)
{
AsnWriter?pkcs8ZeroPublicKey = RewritePkcs8ECPrivateKeyWithZeroPublicKey(decryptedSpan);
if (pkcs8ZeroPublicKey == null)
{
throw new CryptographicException(SR.Cryptography_Pkcs8_EncryptedReadFailed, e);
}
try
{
return(ImportPkcs8(pkcs8ZeroPublicKey.EncodeAsSpan()));
}
catch (CryptographicException)
{
throw new CryptographicException(SR.Cryptography_Pkcs8_EncryptedReadFailed, e);
}
}
finally
{
CryptographicOperations.ZeroMemory(decryptedSpan);
CryptoPool.Return(decrypted.Array !);
}
}
}
}
public override unsafe void ImportPkcs8PrivateKey(ReadOnlySpan <byte> source, out int bytesRead)
{
fixed(byte *ptr = &MemoryMarshal.GetReference(source))
{
using (MemoryManager <byte> manager = new PointerMemoryManager <byte>(ptr, source.Length))
{
ReadOnlyMemory <byte> pkcs1 = KeyFormatHelper.ReadPkcs8(
s_validOids,
manager.Memory,
out int localRead);
ImportRSAPrivateKey(pkcs1.Span, out _);
bytesRead = localRead;
}
}
}
public override bool TryExportEncryptedPkcs8PrivateKey(
ReadOnlySpan <byte> passwordBytes,
PbeParameters pbeParameters,
Span <byte> destination,
out int bytesWritten)
{
ArgumentNullException.ThrowIfNull(pbeParameters);
PasswordBasedEncryption.ValidatePbeParameters(
pbeParameters,
ReadOnlySpan <char> .Empty,
passwordBytes);
AsnWriter pkcs8PrivateKey = WritePkcs8PrivateKey();
AsnWriter writer = KeyFormatHelper.WriteEncryptedPkcs8(
passwordBytes,
pkcs8PrivateKey,
pbeParameters);
return(writer.TryEncode(destination, out bytesWritten));
}
public override unsafe bool TryExportEncryptedPkcs8PrivateKey(
ReadOnlySpan <char> password,
PbeParameters pbeParameters,
Span <byte> destination,
out int bytesWritten)
{
if (pbeParameters == null)
{
throw new ArgumentNullException(nameof(pbeParameters));
}
PasswordBasedEncryption.ValidatePbeParameters(
pbeParameters,
password,
ReadOnlySpan <byte> .Empty);
ECParameters ecParameters = ExportParameters(true);
fixed(byte *privPtr = ecParameters.D)
{
try
{
AsnWriter pkcs8PrivateKey = EccKeyFormatHelper.WritePkcs8PrivateKey(ecParameters);
AsnWriter writer = KeyFormatHelper.WriteEncryptedPkcs8(
password,
pkcs8PrivateKey,
pbeParameters);
return(writer.TryEncode(destination, out bytesWritten));
}
finally
{
CryptographicOperations.ZeroMemory(ecParameters.D);
}
}
}
private static AsnWriter RewriteEncryptedPkcs8PrivateKey(
AsymmetricAlgorithm key,
ReadOnlySpan <char> password,
PbeParameters pbeParameters)
{
Debug.Assert(pbeParameters != null);
byte[] rented = ArrayPool <byte> .Shared.Rent(key.KeySize);
int rentWritten = 0;
try
{
while (!key.TryExportEncryptedPkcs8PrivateKey(
password,
s_platformParameters,
rented,
out rentWritten))
{
int size = rented.Length;
ArrayPool <byte> .Shared.Return(rented);
rented = ArrayPool <byte> .Shared.Rent(checked (size * 2));
}
return(KeyFormatHelper.ReencryptPkcs8(
password,
rented.AsMemory(0, rentWritten),
password,
pbeParameters));
}
finally
{
CryptographicOperations.ZeroMemory(rented.AsSpan(0, rentWritten));
ArrayPool <byte> .Shared.Return(rented);
}
}
/// <summary>
/// Imports the public/private keypair from a PKCS#8 PrivateKeyInfo structure
/// after decryption, replacing the keys for this object.
/// </summary>
/// <param name="source">The bytes of a PKCS#8 PrivateKeyInfo structure in the ASN.1-BER encoding.</param>
/// <param name="bytesRead">
/// When this method returns, contains a value that indicates the number
/// of bytes read from <paramref name="source" />. This parameter is treated as uninitialized.
/// </param>
/// <exception cref="NotSupportedException">
/// A derived class has not provided an implementation for <see cref="ImportParameters" />.
/// </exception>
/// <exception cref="CryptographicException">
/// <p>
/// The contents of <paramref name="source" /> do not represent an ASN.1-BER-encoded
/// PKCS#8 PrivateKeyInfo structure.
/// </p>
/// <p>-or-</p>
/// <p>
/// The contents of <paramref name="source" /> indicate the key is for an algorithm
/// other than the algorithm represented by this instance.
/// </p>
/// <p>-or-</p>
/// <p>The contents of <paramref name="source" /> represent the key in a format that is not supported.</p>
/// <p>-or-</p>
/// <p>
/// The algorithm-specific key import failed.
/// </p>
/// </exception>
/// <remarks>
/// This method only supports the binary (BER/CER/DER) encoding of PrivateKeyInfo.
/// If the value is Base64-encoded, the caller must Base64-decode the contents before calling this method.
/// If the value is PEM-encoded, <see cref="ImportFromPem" /> should be used.
/// </remarks>
public override unsafe void ImportPkcs8PrivateKey(
ReadOnlySpan <byte> source,
out int bytesRead)
{
KeyFormatHelper.ReadPkcs8 <ECParameters>(
s_validOids,
source,
EccKeyFormatHelper.FromECPrivateKey,
out int localRead,
out ECParameters key);
fixed(byte *privPin = key.D)
{
try
{
ImportParameters(key);
bytesRead = localRead;
}
finally
{
CryptographicOperations.ZeroMemory(key.D);
}
}
}
internal static unsafe Pkcs8Response ImportEncryptedPkcs8PrivateKey(
ReadOnlySpan <char> password,
ReadOnlySpan <byte> source,
out int bytesRead)
{
fixed(byte *ptr = &MemoryMarshal.GetReference(source))
{
using (MemoryManager <byte> manager = new PointerMemoryManager <byte>(ptr, source.Length))
{
AsnReader reader = new AsnReader(manager.Memory, AsnEncodingRules.BER);
int len = reader.ReadEncodedValue().Length;
source = source.Slice(0, len);
try
{
bytesRead = len;
return(ImportPkcs8(source, password));
}
catch (CryptographicException)
{
}
ArraySegment <byte> decrypted = KeyFormatHelper.DecryptPkcs8(
password,
manager.Memory.Slice(0, len),
out int innerRead);
Span <byte> decryptedSpan = decrypted;
try
{
if (innerRead != len)
{
throw new CryptographicException(SR.Cryptography_Der_Invalid_Encoding);
}
bytesRead = len;
return(ImportPkcs8(decryptedSpan));
}
catch (CryptographicException e)
{
AsnWriter?pkcs8ZeroPublicKey = RewritePkcs8ECPrivateKeyWithZeroPublicKey(decryptedSpan);
if (pkcs8ZeroPublicKey == null)
{
throw new CryptographicException(SR.Cryptography_Pkcs8_EncryptedReadFailed, e);
}
try
{
bytesRead = len;
return(ImportPkcs8(pkcs8ZeroPublicKey.EncodeAsSpan()));
}
catch (CryptographicException)
{
throw new CryptographicException(SR.Cryptography_Pkcs8_EncryptedReadFailed, e);
}
}
finally
{
CryptographicOperations.ZeroMemory(decryptedSpan);
CryptoPool.Return(decrypted.Array !, clearSize: 0);
}
}
}
}
