Esempio n. 1
0
 public static void VerifyDuplicateKey_DistinctHandles()
 {
     using (RSAOpenSsl first = new RSAOpenSsl())
         using (SafeEvpPKeyHandle firstHandle = first.DuplicateKeyHandle())
             using (SafeEvpPKeyHandle firstHandle2 = first.DuplicateKeyHandle())
             {
                 Assert.NotSame(firstHandle, firstHandle2);
             }
 }
Esempio n. 2
0
 public static void VerifyDuplicateKey_DistinctHandles()
 {
     using (RSAOpenSsl first = new RSAOpenSsl())
     using (SafeEvpPKeyHandle firstHandle = first.DuplicateKeyHandle())
     using (SafeEvpPKeyHandle firstHandle2 = first.DuplicateKeyHandle())
     {
         Assert.NotSame(firstHandle, firstHandle2);
     }
 }
Esempio n. 3
0
        public SafeFreeCredentials(X509Certificate certificate, SslProtocols protocols, EncryptionPolicy policy)
            : base(IntPtr.Zero, true)
        {
            Debug.Assert(
                certificate == null || certificate is X509Certificate2,
                "Only X509Certificate2 certificates are supported at this time");

            X509Certificate2 cert = (X509Certificate2)certificate;

            if (cert != null)
            {
                Debug.Assert(cert.HasPrivateKey, "cert.HasPrivateKey");

                using (RSAOpenSsl rsa = (RSAOpenSsl)cert.GetRSAPrivateKey())
                {
                    if (rsa != null)
                    {
                        _certKeyHandle = rsa.DuplicateKeyHandle();
                        Interop.Crypto.CheckValidOpenSslHandle(_certKeyHandle);
                    }
                }

                // TODO (3390): Add support for ECDSA.

                Debug.Assert(_certKeyHandle != null, "Failed to extract a private key handle");

                _certHandle = Interop.libcrypto.X509_dup(cert.Handle);
                Interop.Crypto.CheckValidOpenSslHandle(_certHandle);
            }

            _protocols = protocols;
            _policy    = policy;
        }
Esempio n. 4
0
 public static void VerifyDuplicateKey_RsaHandle()
 {
     using (RSAOpenSsl rsa = new RSAOpenSsl())
         using (SafeEvpPKeyHandle pkey = rsa.DuplicateKeyHandle())
         {
             Assert.ThrowsAny <CryptographicException>(() => new ECDsaOpenSsl(pkey));
         }
 }
Esempio n. 5
0
        public static void VerifyDuplicateKey_InvalidHandle()
        {
            using (RSAOpenSsl rsa = new RSAOpenSsl())
            {
                SafeEvpPKeyHandle pkey = rsa.DuplicateKeyHandle();

                using (pkey)
                {
                }

                AssertExtensions.Throws <ArgumentException>("pkeyHandle", () => new RSAOpenSsl(pkey));
            }
        }
Esempio n. 6
0
        public static void VerifyDuplicateKey_InvalidHandle()
        {
            using (RSAOpenSsl rsa = new RSAOpenSsl())
            {
                SafeEvpPKeyHandle pkey = rsa.DuplicateKeyHandle();

                using (pkey)
                {
                }

                Assert.Throws<ArgumentException>(() => new RSAOpenSsl(pkey));
            }
        }
Esempio n. 7
0
        public static void VerifyDuplicateKey_ValidHandle()
        {
            byte[] data = ByteUtils.RepeatByte(0x71, 11);

            using (RSAOpenSsl first = new RSAOpenSsl())
                using (SafeEvpPKeyHandle firstHandle = first.DuplicateKeyHandle())
                {
                    using (RSA second = new RSAOpenSsl(firstHandle))
                    {
                        byte[] signed = second.SignData(data, HashAlgorithmName.SHA512, RSASignaturePadding.Pkcs1);
                        Assert.True(first.VerifyData(data, signed, HashAlgorithmName.SHA512, RSASignaturePadding.Pkcs1));
                    }
                }
        }
Esempio n. 8
0
        public static void VerifyDuplicateKey_ValidHandle()
        {
            byte[] data = ByteUtils.RepeatByte(0x71, 11);

            using (RSAOpenSsl first = new RSAOpenSsl())
            using (SafeEvpPKeyHandle firstHandle = first.DuplicateKeyHandle())
            {
                using (RSA second = new RSAOpenSsl(firstHandle))
                {
                    byte[] signed = second.SignData(data, HashAlgorithmName.SHA512, RSASignaturePadding.Pkcs1);
                    Assert.True(first.VerifyData(data, signed, HashAlgorithmName.SHA512, RSASignaturePadding.Pkcs1));
                }
            }
        }
Esempio n. 9
0
        public SafeFreeCredentials(X509Certificate certificate, SslProtocols protocols, EncryptionPolicy policy)
            : base(IntPtr.Zero, true)
        {
            Debug.Assert(
                certificate == null || certificate is X509Certificate2,
                "Only X509Certificate2 certificates are supported at this time");

            X509Certificate2 cert = (X509Certificate2)certificate;

            if (cert != null)
            {
                Debug.Assert(cert.HasPrivateKey, "cert.HasPrivateKey");

                using (RSAOpenSsl rsa = (RSAOpenSsl)cert.GetRSAPrivateKey())
                {
                    if (rsa != null)
                    {
                        _certKeyHandle = rsa.DuplicateKeyHandle();
                        Interop.Crypto.CheckValidOpenSslHandle(_certKeyHandle);
                    }
                }

                if (_certKeyHandle == null)
                {
                    using (ECDsaOpenSsl ecdsa = (ECDsaOpenSsl)cert.GetECDsaPrivateKey())
                    {
                        if (ecdsa != null)
                        {
                            _certKeyHandle = ecdsa.DuplicateKeyHandle();
                            Interop.Crypto.CheckValidOpenSslHandle(_certKeyHandle);
                        }
                    }
                }

                if (_certKeyHandle == null)
                {
                    throw new NotSupportedException(SR.net_ssl_io_no_server_cert);
                }

                _certHandle = Interop.Crypto.X509Duplicate(cert.Handle);
                Interop.Crypto.CheckValidOpenSslHandle(_certHandle);
            }

            _protocols = protocols;
            _policy    = policy;
        }
Esempio n. 10
0
        public static void VerifyDuplicateKey_RefCounts()
        {
            byte[] data = ByteUtils.RepeatByte(0x74, 11);
            byte[] signature;
            RSA    second;

            using (RSAOpenSsl first = new RSAOpenSsl())
                using (SafeEvpPKeyHandle firstHandle = first.DuplicateKeyHandle())
                {
                    signature = first.SignData(data, HashAlgorithmName.SHA384, RSASignaturePadding.Pkcs1);
                    second    = new RSAOpenSsl(firstHandle);
                }

            // Now show that second still works, despite first and firstHandle being Disposed.
            using (second)
            {
                Assert.True(second.VerifyData(data, signature, HashAlgorithmName.SHA384, RSASignaturePadding.Pkcs1));
            }
        }
Esempio n. 11
0
        public static void VerifyDuplicateKey_RefCounts()
        {
            byte[] data = ByteUtils.RepeatByte(0x74, 11);
            byte[] signature;
            RSA second;

            using (RSAOpenSsl first = new RSAOpenSsl())
            using (SafeEvpPKeyHandle firstHandle = first.DuplicateKeyHandle())
            {
                signature = first.SignData(data, HashAlgorithmName.SHA384, RSASignaturePadding.Pkcs1);
                second = new RSAOpenSsl(firstHandle);
            }

            // Now show that second still works, despite first and firstHandle being Disposed.
            using (second)
            {
                Assert.True(second.VerifyData(data, signature, HashAlgorithmName.SHA384, RSASignaturePadding.Pkcs1));
            }
        }
Esempio n. 12
0
        public ICertificatePal CopyWithPrivateKey(RSA privateKey)
        {
            RSAOpenSsl typedKey = privateKey as RSAOpenSsl;

            if (typedKey != null)
            {
                return(CopyWithPrivateKey((SafeEvpPKeyHandle)typedKey.DuplicateKeyHandle()));
            }

            RSAParameters rsaParameters = privateKey.ExportParameters(true);

            using (PinAndClear.Track(rsaParameters.D))
                using (PinAndClear.Track(rsaParameters.P))
                    using (PinAndClear.Track(rsaParameters.Q))
                        using (PinAndClear.Track(rsaParameters.DP))
                            using (PinAndClear.Track(rsaParameters.DQ))
                                using (PinAndClear.Track(rsaParameters.InverseQ))
                                    using (typedKey = new RSAOpenSsl(rsaParameters))
                                    {
                                        return(CopyWithPrivateKey((SafeEvpPKeyHandle)typedKey.DuplicateKeyHandle()));
                                    }
        }
Esempio n. 13
0
 public static void VerifyDuplicateKey_RsaHandle()
 {
     using (RSAOpenSsl rsa = new RSAOpenSsl())
     using (SafeEvpPKeyHandle pkey = rsa.DuplicateKeyHandle())
     {
         Assert.ThrowsAny<CryptographicException>(() => new ECDsaOpenSsl(pkey));
     }
 }
Esempio n. 14
0
            private int TlsClientCertCallback(IntPtr ssl, out IntPtr certHandle, out IntPtr privateKeyHandle)
            {
                EventSourceTrace("SSL: {0}", ssl);
                const int CertificateSet = 1, NoCertificateSet = 0, SuspendHandshake = -1;

                certHandle       = IntPtr.Zero;
                privateKeyHandle = IntPtr.Zero;

                if (ssl == IntPtr.Zero)
                {
                    Debug.Fail("Expected valid SSL pointer");
                    EventSourceTrace("Invalid SSL pointer in callback");
                    return(NoCertificateSet);
                }

                SafeSslHandle    sslHandle   = null;
                X509Chain        chain       = null;
                X509Certificate2 certificate = null;

                try
                {
                    sslHandle = new SafeSslHandle(ssl, ownsHandle: false);

                    ISet <string> issuerNames = GetRequestCertificateAuthorities(sslHandle);

                    if (_clientCertificates != null) // manual mode
                    {
                        // If there's one certificate, just use it. Otherwise, try to find the best one.
                        int certCount = _clientCertificates.Count;
                        if (certCount == 1)
                        {
                            EventSourceTrace("Single certificate.  Building chain.");
                            certificate = _clientCertificates[0];
                            chain       = TLSCertificateExtensions.BuildNewChain(certificate, includeClientApplicationPolicy: false);
                        }
                        else
                        {
                            EventSourceTrace("Finding the best of {0} certificates", certCount);
                            if (!_clientCertificates.TryFindClientCertificate(issuerNames, out certificate, out chain))
                            {
                                EventSourceTrace("No certificate set.");
                                return(NoCertificateSet);
                            }
                        }
                        EventSourceTrace("Chain built.");
                    }
                    else if (!GetAutomaticClientCertificate(issuerNames, out certificate, out chain)) // automatic mode
                    {
                        EventSourceTrace("No automatic certificate or chain.");
                        return(NoCertificateSet);
                    }

                    SafeEvpPKeyHandle privateKeySafeHandle = null;
                    Interop.Crypto.CheckValidOpenSslHandle(certificate.Handle);
                    using (RSAOpenSsl rsa = certificate.GetRSAPrivateKey() as RSAOpenSsl)
                    {
                        if (rsa != null)
                        {
                            privateKeySafeHandle = rsa.DuplicateKeyHandle();
                            EventSourceTrace("RSA key");
                        }
                        else
                        {
                            using (ECDsaOpenSsl ecdsa = certificate.GetECDsaPrivateKey() as ECDsaOpenSsl)
                            {
                                if (ecdsa != null)
                                {
                                    privateKeySafeHandle = ecdsa.DuplicateKeyHandle();
                                    EventSourceTrace("ECDsa key");
                                }
                            }
                        }
                    }

                    if (privateKeySafeHandle == null || privateKeySafeHandle.IsInvalid)
                    {
                        EventSourceTrace("Invalid private key");
                        return(NoCertificateSet);
                    }

                    SafeX509Handle certSafeHandle = Interop.Crypto.X509UpRef(certificate.Handle);
                    Interop.Crypto.CheckValidOpenSslHandle(certSafeHandle);
                    if (chain != null)
                    {
                        if (!Interop.Ssl.AddExtraChainCertificates(sslHandle, chain))
                        {
                            EventSourceTrace("Failed to add extra chain certificate");
                            return(SuspendHandshake);
                        }
                    }

                    certHandle       = certSafeHandle.DangerousGetHandle();
                    privateKeyHandle = privateKeySafeHandle.DangerousGetHandle();
                    EventSourceTrace("Client certificate set: {0}", certificate);

                    // Ownership has been transferred to OpenSSL; do not free these handles
                    certSafeHandle.SetHandleAsInvalid();
                    privateKeySafeHandle.SetHandleAsInvalid();

                    return(CertificateSet);
                }
                finally
                {
                    if (_clientCertificates == null)
                    {
                        certificate?.Dispose();                              // only dispose cert if it's automatic / newly created
                    }
                    chain?.Dispose();
                    sslHandle?.Dispose();
                }
            }
            private int TlsClientCertCallback(IntPtr ssl, out IntPtr certHandle, out IntPtr privateKeyHandle)
            {
                const int CertificateSet = 1, NoCertificateSet = 0, SuspendHandshake = -1;

                certHandle       = IntPtr.Zero;
                privateKeyHandle = IntPtr.Zero;

                if (ssl == IntPtr.Zero)
                {
                    Debug.Fail("Expected valid SSL pointer");
                    EventSourceTrace("Invalid SSL pointer in callback");
                    return(NoCertificateSet);
                }

                SafeSslHandle    sslHandle   = null;
                X509Chain        chain       = null;
                X509Certificate2 certificate = null;

                try
                {
                    sslHandle = new SafeSslHandle(ssl, ownsHandle: false);

                    ISet <string> issuerNames = GetRequestCertificateAuthorities(sslHandle);

                    if (_clientCertificates != null) // manual mode
                    {
                        // If there's one certificate, just use it. Otherwise, try to find the best one.
                        if (_clientCertificates.Count == 1)
                        {
                            certificate = _clientCertificates[0];
                            chain       = TLSCertificateExtensions.BuildNewChain(certificate, includeClientApplicationPolicy: false);
                        }
                        else if (!_clientCertificates.TryFindClientCertificate(issuerNames, out certificate, out chain))
                        {
                            EventSourceTrace("No manual certificate or chain.");
                            return(NoCertificateSet);
                        }
                    }
                    else if (!GetAutomaticClientCertificate(issuerNames, out certificate, out chain)) // automatic mode
                    {
                        EventSourceTrace("No automatic certificate or chain.");
                        return(NoCertificateSet);
                    }

                    Interop.Crypto.CheckValidOpenSslHandle(certificate.Handle);
                    using (RSAOpenSsl rsa = certificate.GetRSAPrivateKey() as RSAOpenSsl)
                    {
                        if (rsa != null)
                        {
                            _privateKeyHandle = rsa.DuplicateKeyHandle();
                            EventSourceTrace("RSA key");
                        }
                        else
                        {
                            using (ECDsaOpenSsl ecdsa = certificate.GetECDsaPrivateKey() as ECDsaOpenSsl)
                            {
                                if (ecdsa != null)
                                {
                                    _privateKeyHandle = ecdsa.DuplicateKeyHandle();
                                    EventSourceTrace("ECDsa key");
                                }
                            }
                        }
                    }

                    if (_privateKeyHandle == null || _privateKeyHandle.IsInvalid)
                    {
                        EventSourceTrace("Invalid private key");
                        return(NoCertificateSet);
                    }

                    _certHandle = Interop.Crypto.X509Duplicate(certificate.Handle);
                    Interop.Crypto.CheckValidOpenSslHandle(_certHandle);
                    if (chain != null)
                    {
                        for (int i = chain.ChainElements.Count - 2; i > 0; i--)
                        {
                            SafeX509Handle dupCertHandle = Interop.Crypto.X509Duplicate(chain.ChainElements[i].Certificate.Handle);
                            Interop.Crypto.CheckValidOpenSslHandle(dupCertHandle);
                            if (!Interop.Ssl.SslAddExtraChainCert(sslHandle, dupCertHandle))
                            {
                                EventSourceTrace("Failed to add extra chain certificate");
                                return(SuspendHandshake);
                            }
                        }
                    }

                    certHandle       = _certHandle.DangerousGetHandle();
                    privateKeyHandle = _privateKeyHandle.DangerousGetHandle();

                    EventSourceTrace("Client certificate set: {0}", certificate);
                    return(CertificateSet);
                }
                finally
                {
                    if (_clientCertificates == null)
                    {
                        certificate?.Dispose();                              // only dispose cert if it's automatic / newly created
                    }
                    chain?.Dispose();
                    sslHandle?.Dispose();
                }
            }
            private int TlsClientCertCallback(IntPtr ssl, out IntPtr certHandle, out IntPtr privateKeyHandle)
            {
                Interop.Crypto.CheckValidOpenSslHandle(ssl);
                using (SafeSslHandle sslHandle = new SafeSslHandle(ssl, false))
                {
                    certHandle       = IntPtr.Zero;
                    privateKeyHandle = IntPtr.Zero;
                    VerboseTrace("libssl's client certificate callback");

                    ISet <string>    issuerNames = GetRequestCertificateAuthorities(sslHandle);
                    X509Certificate2 certificate;
                    X509Chain        chain;
                    if (!GetClientCertificate(issuerNames, out certificate, out chain))
                    {
                        VerboseTrace("no cert or chain");
                        return(0);
                    }

                    Interop.Crypto.CheckValidOpenSslHandle(certificate.Handle);
                    using (RSAOpenSsl rsa = certificate.GetRSAPrivateKey() as RSAOpenSsl)
                    {
                        if (rsa != null)
                        {
                            _privateKeyHandle = rsa.DuplicateKeyHandle();
                        }
                        else
                        {
                            using (ECDsaOpenSsl ecdsa = certificate.GetECDsaPrivateKey() as ECDsaOpenSsl)
                            {
                                if (ecdsa != null)
                                {
                                    _privateKeyHandle = ecdsa.DuplicateKeyHandle();
                                }
                            }
                        }
                    }

                    if (_privateKeyHandle == null || _privateKeyHandle.IsInvalid)
                    {
                        VerboseTrace("invalid private key");
                        return(0);
                    }

                    _certHandle = Interop.Crypto.X509Duplicate(certificate.Handle);
                    Interop.Crypto.CheckValidOpenSslHandle(_certHandle);
                    if (chain != null)
                    {
                        for (int i = chain.ChainElements.Count - 2; i > 0; i--)
                        {
                            SafeX509Handle dupCertHandle = Interop.Crypto.X509Duplicate(chain.ChainElements[i].Certificate.Handle);
                            Interop.Crypto.CheckValidOpenSslHandle(dupCertHandle);
                            if (!Interop.Ssl.SslAddExtraChainCert(sslHandle, dupCertHandle))
                            {
                                VerboseTrace("failed to add extra chain cert");
                                return(-1);
                            }
                        }
                    }

                    certHandle       = _certHandle.DangerousGetHandle();
                    privateKeyHandle = _privateKeyHandle.DangerousGetHandle();
                    return(1);
                }
            }