internal static SafeOcspRequestHandle X509ChainBuildOcspRequest(SafeX509StoreCtxHandle storeCtx, int chainDepth)
{
SafeOcspRequestHandle req = CryptoNative_X509ChainBuildOcspRequest(storeCtx, chainDepth);
if (req.IsInvalid)
{
req.Dispose();
throw CreateOpenSslCryptographicException();
}
return(req);
}
internal static X509VerifyStatusCode X509ChainGetCachedOcspStatus(SafeX509StoreCtxHandle ctx, string cachePath, int chainDepth)
{
X509VerifyStatusCode response = CryptoNative_X509ChainGetCachedOcspStatus(ctx, cachePath, chainDepth);
if (response < 0)
{
Debug.Fail($"Unexpected response from X509ChainGetCachedOcspSuccess: {response}");
throw new CryptographicException();
}
return(response);
}
private static int VerifyCertChain(IntPtr storeCtxPtr, IntPtr arg)
{
List <X509Certificate2> otherCerts;
bool success;
using (SafeX509StoreCtxHandle storeCtx = new SafeX509StoreCtxHandle(storeCtxPtr, ownsHandle: false))
using (X509Chain chain = new X509Chain())
{
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
IntPtr leafCertPtr = Interop.Crypto.X509StoreCtxGetTargetCert(storeCtx);
if (IntPtr.Zero == leafCertPtr)
{
Debug.Fail("Invalid target certificate");
return(-1);
}
using (SafeSharedX509StackHandle extraStack = Interop.Crypto.X509StoreCtxGetSharedUntrusted(storeCtx))
{
int extraSize = extraStack.IsInvalid ? 0 : Interop.Crypto.GetX509StackFieldCount(extraStack);
otherCerts = new List <X509Certificate2>(extraSize);
for (int i = 0; i < extraSize; i++)
{
IntPtr certPtr = Interop.Crypto.GetX509StackField(extraStack, i);
if (certPtr != IntPtr.Zero)
{
X509Certificate2 cert = new X509Certificate2(certPtr);
otherCerts.Add(cert);
chain.ChainPolicy.ExtraStore.Add(cert);
}
}
}
using (X509Certificate2 leafCert = new X509Certificate2(leafCertPtr))
{
success = chain.Build(leafCert);
AddChannelBindingToken(leafCert, arg);
}
}
foreach (X509Certificate2 otherCert in otherCerts)
{
otherCert.Dispose();
}
return(success ? 1 : 0);
}
internal static OpenSslX509ChainProcessor InitiateChain(
SafeX509Handle leafHandle,
X509Certificate2Collection customTrustStore,
X509ChainTrustMode trustMode,
DateTime verificationTime,
TimeSpan remainingDownloadTime)
{
CachedSystemStoreProvider.GetNativeCollections(
out SafeX509StackHandle systemTrust,
out SafeX509StackHandle systemIntermediate);
SafeX509StoreHandle store = null;
SafeX509StackHandle untrusted = null;
SafeX509StoreCtxHandle storeCtx = null;
try
{
untrusted = Interop.Crypto.NewX509Stack();
Interop.Crypto.X509StackAddMultiple(untrusted, s_userIntermediateStore.GetNativeCollection());
Interop.Crypto.X509StackAddMultiple(untrusted, s_userPersonalStore.GetNativeCollection());
store = GetTrustStore(trustMode, customTrustStore, untrusted, systemTrust);
Interop.Crypto.X509StackAddMultiple(untrusted, systemIntermediate);
Interop.Crypto.X509StoreSetVerifyTime(store, verificationTime);
storeCtx = Interop.Crypto.X509StoreCtxCreate();
if (!Interop.Crypto.X509StoreCtxInit(storeCtx, store, leafHandle, untrusted))
{
throw Interop.Crypto.CreateOpenSslCryptographicException();
}
return(new OpenSslX509ChainProcessor(
leafHandle,
store,
untrusted,
storeCtx,
verificationTime,
remainingDownloadTime));
}
catch
{
store?.Dispose();
untrusted?.Dispose();
storeCtx?.Dispose();
throw;
}
}
private OpenSslX509ChainProcessor(
SafeX509Handle leafHandle,
SafeX509StoreHandle store,
SafeX509StackHandle untrusted,
SafeX509StoreCtxHandle storeCtx,
DateTime verificationTime,
TimeSpan remainingDownloadTime)
{
_leafHandle = leafHandle;
_store = store;
_untrustedLookup = untrusted;
_storeCtx = storeCtx;
_verificationTime = verificationTime;
_remainingDownloadTime = remainingDownloadTime;
}
internal static void X509StoreCtxResetForSignatureError(
SafeX509StoreCtxHandle ctx,
out SafeX509StoreHandle?newStore)
{
if (CryptoNative_X509StoreCtxResetForSignatureError(ctx, out newStore) != 1)
{
newStore.Dispose();
newStore = null;
throw CreateOpenSslCryptographicException();
}
if (newStore.IsInvalid)
{
newStore.Dispose();
newStore = null;
}
}
internal static OpenSslX509ChainProcessor InitiateChain(
SafeX509Handle leafHandle,
DateTime verificationTime,
TimeSpan remainingDownloadTime)
{
SafeX509StackHandle systemTrust = StorePal.GetMachineRoot().GetNativeCollection();
SafeX509StackHandle systemIntermediate = StorePal.GetMachineIntermediate().GetNativeCollection();
SafeX509StoreHandle store = null;
SafeX509StackHandle untrusted = null;
SafeX509StoreCtxHandle storeCtx = null;
try
{
store = Interop.Crypto.X509ChainNew(systemTrust, s_userRootPath);
untrusted = Interop.Crypto.NewX509Stack();
Interop.Crypto.X509StackAddDirectoryStore(untrusted, s_userIntermediatePath);
Interop.Crypto.X509StackAddDirectoryStore(untrusted, s_userPersonalPath);
Interop.Crypto.X509StackAddMultiple(untrusted, systemIntermediate);
Interop.Crypto.X509StoreSetVerifyTime(store, verificationTime);
storeCtx = Interop.Crypto.X509StoreCtxCreate();
if (!Interop.Crypto.X509StoreCtxInit(storeCtx, store, leafHandle, untrusted))
{
throw Interop.Crypto.CreateOpenSslCryptographicException();
}
return(new OpenSslX509ChainProcessor(
leafHandle,
store,
untrusted,
storeCtx,
verificationTime,
remainingDownloadTime));
}
catch
{
store?.Dispose();
untrusted?.Dispose();
storeCtx?.Dispose();
throw;
}
}
internal static void SetX509ChainVerifyTime(SafeX509StoreCtxHandle ctx, DateTime verifyTime)
{
// OpenSSL is going to convert our input time to universal, so we should be in Local or
// Unspecified (local-assumed).
Debug.Assert(verifyTime.Kind != DateTimeKind.Utc, "UTC verifyTime should have been normalized to Local");
int succeeded = SetX509ChainVerifyTime(
ctx,
verifyTime.Year,
verifyTime.Month,
verifyTime.Day,
verifyTime.Hour,
verifyTime.Minute,
verifyTime.Second,
verifyTime.IsDaylightSavingTime());
if (succeeded != 1)
{
throw Interop.Crypto.CreateOpenSslCryptographicException();
}
}
internal int VerifyCallback(int ok, IntPtr ctx)
{
if (ok != 0)
{
return(ok);
}
try
{
using (var storeCtx = new SafeX509StoreCtxHandle(ctx, ownsHandle: false))
{
Interop.Crypto.X509VerifyStatusCode errorCode = Interop.Crypto.X509StoreCtxGetError(storeCtx);
int errorDepth = Interop.Crypto.X509StoreCtxGetErrorDepth(storeCtx);
// We don't report "OK" as an error.
// For compatibility with Windows / .NET Framework, do not report X509_V_CRL_NOT_YET_VALID.
if (errorCode != Interop.Crypto.X509VerifyStatusCode.X509_V_OK &&
errorCode != Interop.Crypto.X509VerifyStatusCode.X509_V_ERR_CRL_NOT_YET_VALID)
{
while (Errors.Count <= errorDepth)
{
Errors.Add(null);
}
if (Errors[errorDepth] == null)
{
Errors[errorDepth] = new List <Interop.Crypto.X509VerifyStatusCode>();
}
Errors[errorDepth].Add(errorCode);
}
}
return(1);
}
catch
{
return(-1);
}
}
internal static void SetX509ChainVerifyTime(SafeX509StoreCtxHandle ctx, DateTime verifyTime)
{
// Let Unspecified mean Local, so only convert if the source was UTC.
if (verifyTime.Kind == DateTimeKind.Utc)
{
verifyTime = verifyTime.ToLocalTime();
}
int succeeded = SetX509ChainVerifyTime(
ctx,
verifyTime.Year,
verifyTime.Month,
verifyTime.Day,
verifyTime.Hour,
verifyTime.Minute,
verifyTime.Second,
verifyTime.IsDaylightSavingTime());
if (succeeded != 1)
{
throw Interop.libcrypto.CreateOpenSslCryptographicException();
}
}
internal int VerifyCallback(int ok, IntPtr ctx)
{
if (ok < 0)
{
return(ok);
}
try
{
using (var storeCtx = new SafeX509StoreCtxHandle(ctx, ownsHandle: false))
{
Interop.Crypto.X509VerifyStatusCode errorCode = Interop.Crypto.X509StoreCtxGetError(storeCtx);
int errorDepth = Interop.Crypto.X509StoreCtxGetErrorDepth(storeCtx);
if (errorCode != Interop.Crypto.X509VerifyStatusCode.X509_V_OK)
{
while (Errors.Count <= errorDepth)
{
Errors.Add(null);
}
if (Errors[errorDepth] == null)
{
Errors[errorDepth] = new List <Interop.Crypto.X509VerifyStatusCode>();
}
Errors[errorDepth].Add(errorCode);
}
}
return(1);
}
catch
{
return(-1);
}
}
private static partial int CryptoNative_X509ChainVerifyOcsp(
SafeX509StoreCtxHandle ctx,
SafeOcspRequestHandle req,
SafeOcspResponseHandle resp,
string cachePath,
int chainDepth);
private static partial int CryptoNative_X509ChainGetCachedOcspStatus(
SafeX509StoreCtxHandle ctx,
string cachePath,
int chainDepth);
internal static extern void X509StoreCtxSetVerifyCallback(SafeX509StoreCtxHandle ctx, X509StoreVerifyCallback callback);
internal static extern int X509StoreCtxGetErrorDepth(SafeX509StoreCtxHandle ctx);
private static extern int CryptoNative_X509StoreCtxRebuildChain(SafeX509StoreCtxHandle ctx);
private static extern int CryptoNative_X509StoreCtxReset(SafeX509StoreCtxHandle ctx);
internal static extern X509VerifyStatusCode X509StoreCtxGetError(SafeX509StoreCtxHandle ctx);
private static extern int CryptoNative_X509VerifyCert(SafeX509StoreCtxHandle ctx);
internal static extern bool X509_STORE_CTX_init(SafeX509StoreCtxHandle ctx, SafeX509StoreHandle store, SafeX509Handle x509, IntPtr zero);
internal static extern X509VerifyStatusCode X509_STORE_CTX_get_error(SafeX509StoreCtxHandle ctx);
private static partial SafeOcspRequestHandle CryptoNative_X509ChainBuildOcspRequest(
SafeX509StoreCtxHandle storeCtx,
int chainDepth);
internal static extern SafeX509StackHandle X509StoreCtxGetChain(SafeX509StoreCtxHandle ctx);
internal static extern bool X509StoreCtxInit(SafeX509StoreCtxHandle ctx, SafeX509StoreHandle store, SafeX509Handle x509);
internal static extern SafeX509StackHandle X509_STORE_CTX_get1_chain(SafeX509StoreCtxHandle ctx);
internal static extern int X509VerifyCert(SafeX509StoreCtxHandle ctx);
internal static extern int X509_STORE_CTX_get_error_depth(SafeX509StoreCtxHandle ctx);
private static partial int CryptoNative_X509ChainHasStapledOcsp(SafeX509StoreCtxHandle storeCtx);
internal static extern int X509_verify_cert(SafeX509StoreCtxHandle ctx);
internal static extern bool X509StoreCtxInit(
SafeX509StoreCtxHandle ctx,
SafeX509StoreHandle store,
SafeX509Handle x509,
SafeX509StackHandle extraCerts);
