public static void VerifyDuplicateKey_DistinctHandles()
{
using (ECDsaOpenSsl first = new ECDsaOpenSsl())
using (SafeEvpPKeyHandle firstHandle = first.DuplicateKeyHandle())
using (SafeEvpPKeyHandle firstHandle2 = first.DuplicateKeyHandle())
{
Assert.NotSame(firstHandle, firstHandle2);
}
}
public static void VerifyDuplicateKey_ECDsaHandle()
{
using (ECDsaOpenSsl ecdsa = new ECDsaOpenSsl())
using (SafeEvpPKeyHandle pkey = ecdsa.DuplicateKeyHandle())
{
Assert.ThrowsAny <CryptographicException>(() => new DSAOpenSsl(pkey));
}
}
public static void VerifyDuplicateKey_InvalidHandle()
{
using (ECDsaOpenSsl ecdsa = new ECDsaOpenSsl())
{
SafeEvpPKeyHandle pkey = ecdsa.DuplicateKeyHandle();
using (pkey)
{
}
Assert.Throws <ArgumentException>(() => new ECDsaOpenSsl(pkey));
}
}
public static void VerifyDuplicateKey_ValidHandle()
{
byte[] data = ByteUtils.RepeatByte(0x71, 11);
using (ECDsaOpenSsl first = new ECDsaOpenSsl())
using (SafeEvpPKeyHandle firstHandle = first.DuplicateKeyHandle())
{
using (ECDsa second = new ECDsaOpenSsl(firstHandle))
{
byte[] signed = second.SignData(data, HashAlgorithmName.SHA512);
Assert.True(first.VerifyData(data, signed, HashAlgorithmName.SHA512));
}
}
}
public SafeFreeCredentials(X509Certificate certificate, SslProtocols protocols, EncryptionPolicy policy)
: base(IntPtr.Zero, true)
{
Debug.Assert(
certificate == null || certificate is X509Certificate2,
"Only X509Certificate2 certificates are supported at this time");
X509Certificate2 cert = (X509Certificate2)certificate;
if (cert != null)
{
Debug.Assert(cert.HasPrivateKey, "cert.HasPrivateKey");
using (RSAOpenSsl rsa = (RSAOpenSsl)cert.GetRSAPrivateKey())
{
if (rsa != null)
{
_certKeyHandle = rsa.DuplicateKeyHandle();
Interop.Crypto.CheckValidOpenSslHandle(_certKeyHandle);
}
}
if (_certKeyHandle == null)
{
using (ECDsaOpenSsl ecdsa = (ECDsaOpenSsl)cert.GetECDsaPrivateKey())
{
if (ecdsa != null)
{
_certKeyHandle = ecdsa.DuplicateKeyHandle();
Interop.Crypto.CheckValidOpenSslHandle(_certKeyHandle);
}
}
}
if (_certKeyHandle == null)
{
throw new NotSupportedException(SR.net_ssl_io_no_server_cert);
}
_certHandle = Interop.Crypto.X509Duplicate(cert.Handle);
Interop.Crypto.CheckValidOpenSslHandle(_certHandle);
}
_protocols = protocols;
_policy = policy;
}
public static void VerifyDuplicateKey_RefCounts()
{
byte[] data = ByteUtils.RepeatByte(0x74, 11);
byte[] signature;
ECDsa second;
using (ECDsaOpenSsl first = new ECDsaOpenSsl())
using (SafeEvpPKeyHandle firstHandle = first.DuplicateKeyHandle())
{
signature = first.SignData(data, HashAlgorithmName.SHA384);
second = new ECDsaOpenSsl(firstHandle);
}
// Now show that second still works, despite first and firstHandle being Disposed.
using (second)
{
Assert.True(second.VerifyData(data, signature, HashAlgorithmName.SHA384));
}
}
public ICertificatePal CopyWithPrivateKey(ECDsa privateKey)
{
ECDsaOpenSsl typedKey = privateKey as ECDsaOpenSsl;
if (typedKey != null)
{
return(CopyWithPrivateKey((SafeEvpPKeyHandle)typedKey.DuplicateKeyHandle()));
}
ECParameters ecParameters = privateKey.ExportParameters(true);
using (PinAndClear.Track(ecParameters.D))
using (typedKey = new ECDsaOpenSsl())
{
typedKey.ImportParameters(ecParameters);
return(CopyWithPrivateKey((SafeEvpPKeyHandle)typedKey.DuplicateKeyHandle()));
}
}
public static void VerifyDuplicateKey_InvalidHandle()
{
using (ECDsaOpenSsl ecdsa = new ECDsaOpenSsl())
{
SafeEvpPKeyHandle pkey = ecdsa.DuplicateKeyHandle();
using (pkey)
{
}
Assert.Throws<ArgumentException>(() => new ECDsaOpenSsl(pkey));
}
}
public static void VerifyDuplicateKey_RefCounts()
{
byte[] data = ByteUtils.RepeatByte(0x74, 11);
byte[] signature;
ECDsa second;
using (ECDsaOpenSsl first = new ECDsaOpenSsl())
using (SafeEvpPKeyHandle firstHandle = first.DuplicateKeyHandle())
{
signature = first.SignData(data, HashAlgorithmName.SHA384);
second = new ECDsaOpenSsl(firstHandle);
}
// Now show that second still works, despite first and firstHandle being Disposed.
using (second)
{
Assert.True(second.VerifyData(data, signature, HashAlgorithmName.SHA384));
}
}
public static void VerifyDuplicateKey_DistinctHandles()
{
using (ECDsaOpenSsl first = new ECDsaOpenSsl())
using (SafeEvpPKeyHandle firstHandle = first.DuplicateKeyHandle())
using (SafeEvpPKeyHandle firstHandle2 = first.DuplicateKeyHandle())
{
Assert.NotSame(firstHandle, firstHandle2);
}
}
public static void VerifyDuplicateKey_ValidHandle()
{
byte[] data = ByteUtils.RepeatByte(0x71, 11);
using (ECDsaOpenSsl first = new ECDsaOpenSsl())
using (SafeEvpPKeyHandle firstHandle = first.DuplicateKeyHandle())
{
using (ECDsa second = new ECDsaOpenSsl(firstHandle))
{
byte[] signed = second.SignData(data, HashAlgorithmName.SHA512);
Assert.True(first.VerifyData(data, signed, HashAlgorithmName.SHA512));
}
}
}
private int TlsClientCertCallback(IntPtr ssl, out IntPtr certHandle, out IntPtr privateKeyHandle)
{
EventSourceTrace("SSL: {0}", ssl);
const int CertificateSet = 1, NoCertificateSet = 0, SuspendHandshake = -1;
certHandle = IntPtr.Zero;
privateKeyHandle = IntPtr.Zero;
if (ssl == IntPtr.Zero)
{
Debug.Fail("Expected valid SSL pointer");
EventSourceTrace("Invalid SSL pointer in callback");
return(NoCertificateSet);
}
SafeSslHandle sslHandle = null;
X509Chain chain = null;
X509Certificate2 certificate = null;
try
{
sslHandle = new SafeSslHandle(ssl, ownsHandle: false);
ISet <string> issuerNames = GetRequestCertificateAuthorities(sslHandle);
if (_clientCertificates != null) // manual mode
{
// If there's one certificate, just use it. Otherwise, try to find the best one.
int certCount = _clientCertificates.Count;
if (certCount == 1)
{
EventSourceTrace("Single certificate. Building chain.");
certificate = _clientCertificates[0];
chain = TLSCertificateExtensions.BuildNewChain(certificate, includeClientApplicationPolicy: false);
}
else
{
EventSourceTrace("Finding the best of {0} certificates", certCount);
if (!_clientCertificates.TryFindClientCertificate(issuerNames, out certificate, out chain))
{
EventSourceTrace("No certificate set.");
return(NoCertificateSet);
}
}
EventSourceTrace("Chain built.");
}
else if (!GetAutomaticClientCertificate(issuerNames, out certificate, out chain)) // automatic mode
{
EventSourceTrace("No automatic certificate or chain.");
return(NoCertificateSet);
}
SafeEvpPKeyHandle privateKeySafeHandle = null;
Interop.Crypto.CheckValidOpenSslHandle(certificate.Handle);
using (RSAOpenSsl rsa = certificate.GetRSAPrivateKey() as RSAOpenSsl)
{
if (rsa != null)
{
privateKeySafeHandle = rsa.DuplicateKeyHandle();
EventSourceTrace("RSA key");
}
else
{
using (ECDsaOpenSsl ecdsa = certificate.GetECDsaPrivateKey() as ECDsaOpenSsl)
{
if (ecdsa != null)
{
privateKeySafeHandle = ecdsa.DuplicateKeyHandle();
EventSourceTrace("ECDsa key");
}
}
}
}
if (privateKeySafeHandle == null || privateKeySafeHandle.IsInvalid)
{
EventSourceTrace("Invalid private key");
return(NoCertificateSet);
}
SafeX509Handle certSafeHandle = Interop.Crypto.X509UpRef(certificate.Handle);
Interop.Crypto.CheckValidOpenSslHandle(certSafeHandle);
if (chain != null)
{
if (!Interop.Ssl.AddExtraChainCertificates(sslHandle, chain))
{
EventSourceTrace("Failed to add extra chain certificate");
return(SuspendHandshake);
}
}
certHandle = certSafeHandle.DangerousGetHandle();
privateKeyHandle = privateKeySafeHandle.DangerousGetHandle();
EventSourceTrace("Client certificate set: {0}", certificate);
// Ownership has been transferred to OpenSSL; do not free these handles
certSafeHandle.SetHandleAsInvalid();
privateKeySafeHandle.SetHandleAsInvalid();
return(CertificateSet);
}
finally
{
if (_clientCertificates == null)
{
certificate?.Dispose(); // only dispose cert if it's automatic / newly created
}
chain?.Dispose();
sslHandle?.Dispose();
}
}
private int TlsClientCertCallback(IntPtr ssl, out IntPtr certHandle, out IntPtr privateKeyHandle)
{
const int CertificateSet = 1, NoCertificateSet = 0, SuspendHandshake = -1;
certHandle = IntPtr.Zero;
privateKeyHandle = IntPtr.Zero;
if (ssl == IntPtr.Zero)
{
Debug.Fail("Expected valid SSL pointer");
EventSourceTrace("Invalid SSL pointer in callback");
return(NoCertificateSet);
}
SafeSslHandle sslHandle = null;
X509Chain chain = null;
X509Certificate2 certificate = null;
try
{
sslHandle = new SafeSslHandle(ssl, ownsHandle: false);
ISet <string> issuerNames = GetRequestCertificateAuthorities(sslHandle);
if (_clientCertificates != null) // manual mode
{
// If there's one certificate, just use it. Otherwise, try to find the best one.
if (_clientCertificates.Count == 1)
{
certificate = _clientCertificates[0];
chain = TLSCertificateExtensions.BuildNewChain(certificate, includeClientApplicationPolicy: false);
}
else if (!_clientCertificates.TryFindClientCertificate(issuerNames, out certificate, out chain))
{
EventSourceTrace("No manual certificate or chain.");
return(NoCertificateSet);
}
}
else if (!GetAutomaticClientCertificate(issuerNames, out certificate, out chain)) // automatic mode
{
EventSourceTrace("No automatic certificate or chain.");
return(NoCertificateSet);
}
Interop.Crypto.CheckValidOpenSslHandle(certificate.Handle);
using (RSAOpenSsl rsa = certificate.GetRSAPrivateKey() as RSAOpenSsl)
{
if (rsa != null)
{
_privateKeyHandle = rsa.DuplicateKeyHandle();
EventSourceTrace("RSA key");
}
else
{
using (ECDsaOpenSsl ecdsa = certificate.GetECDsaPrivateKey() as ECDsaOpenSsl)
{
if (ecdsa != null)
{
_privateKeyHandle = ecdsa.DuplicateKeyHandle();
EventSourceTrace("ECDsa key");
}
}
}
}
if (_privateKeyHandle == null || _privateKeyHandle.IsInvalid)
{
EventSourceTrace("Invalid private key");
return(NoCertificateSet);
}
_certHandle = Interop.Crypto.X509Duplicate(certificate.Handle);
Interop.Crypto.CheckValidOpenSslHandle(_certHandle);
if (chain != null)
{
for (int i = chain.ChainElements.Count - 2; i > 0; i--)
{
SafeX509Handle dupCertHandle = Interop.Crypto.X509Duplicate(chain.ChainElements[i].Certificate.Handle);
Interop.Crypto.CheckValidOpenSslHandle(dupCertHandle);
if (!Interop.Ssl.SslAddExtraChainCert(sslHandle, dupCertHandle))
{
EventSourceTrace("Failed to add extra chain certificate");
return(SuspendHandshake);
}
}
}
certHandle = _certHandle.DangerousGetHandle();
privateKeyHandle = _privateKeyHandle.DangerousGetHandle();
EventSourceTrace("Client certificate set: {0}", certificate);
return(CertificateSet);
}
finally
{
if (_clientCertificates == null)
{
certificate?.Dispose(); // only dispose cert if it's automatic / newly created
}
chain?.Dispose();
sslHandle?.Dispose();
}
}
public static void VerifyDuplicateKey_ECDsaHandle()
{
using (ECDsaOpenSsl ecdsa = new ECDsaOpenSsl())
using (SafeEvpPKeyHandle pkey = ecdsa.DuplicateKeyHandle())
{
Assert.ThrowsAny<CryptographicException>(() => new DSAOpenSsl(pkey));
}
}
private int TlsClientCertCallback(IntPtr ssl, out IntPtr certHandle, out IntPtr privateKeyHandle)
{
Interop.Crypto.CheckValidOpenSslHandle(ssl);
using (SafeSslHandle sslHandle = new SafeSslHandle(ssl, false))
{
certHandle = IntPtr.Zero;
privateKeyHandle = IntPtr.Zero;
VerboseTrace("libssl's client certificate callback");
ISet <string> issuerNames = GetRequestCertificateAuthorities(sslHandle);
X509Certificate2 certificate;
X509Chain chain;
if (!GetClientCertificate(issuerNames, out certificate, out chain))
{
VerboseTrace("no cert or chain");
return(0);
}
Interop.Crypto.CheckValidOpenSslHandle(certificate.Handle);
using (RSAOpenSsl rsa = certificate.GetRSAPrivateKey() as RSAOpenSsl)
{
if (rsa != null)
{
_privateKeyHandle = rsa.DuplicateKeyHandle();
}
else
{
using (ECDsaOpenSsl ecdsa = certificate.GetECDsaPrivateKey() as ECDsaOpenSsl)
{
if (ecdsa != null)
{
_privateKeyHandle = ecdsa.DuplicateKeyHandle();
}
}
}
}
if (_privateKeyHandle == null || _privateKeyHandle.IsInvalid)
{
VerboseTrace("invalid private key");
return(0);
}
_certHandle = Interop.Crypto.X509Duplicate(certificate.Handle);
Interop.Crypto.CheckValidOpenSslHandle(_certHandle);
if (chain != null)
{
for (int i = chain.ChainElements.Count - 2; i > 0; i--)
{
SafeX509Handle dupCertHandle = Interop.Crypto.X509Duplicate(chain.ChainElements[i].Certificate.Handle);
Interop.Crypto.CheckValidOpenSslHandle(dupCertHandle);
if (!Interop.Ssl.SslAddExtraChainCert(sslHandle, dupCertHandle))
{
VerboseTrace("failed to add extra chain cert");
return(-1);
}
}
}
certHandle = _certHandle.DangerousGetHandle();
privateKeyHandle = _privateKeyHandle.DangerousGetHandle();
return(1);
}
}