public static void TestKeyTransRecipientIdValue_ExplicitSki_RoundTrip()
{
ContentInfo contentInfo = new ContentInfo(new byte[] { 1, 2, 3 });
EnvelopedCms ecms = new EnvelopedCms(contentInfo);
using (X509Certificate2 cert = Certificates.RSAKeyTransfer_ExplicitSki.GetCertificate())
{
CmsRecipient cmsRecipient = new CmsRecipient(SubjectIdentifierType.SubjectKeyIdentifier, cert);
ecms.Encrypt(cmsRecipient);
}
byte[] encodedMessage = ecms.Encode();
EnvelopedCms ecms2 = new EnvelopedCms();
ecms2.Decode(encodedMessage);
RecipientInfoCollection recipients = ecms2.RecipientInfos;
Assert.Equal(1, recipients.Count);
RecipientInfo recipientInfo = recipients[0];
Assert.IsType <KeyTransRecipientInfo>(recipientInfo);
KeyTransRecipientInfo recipient = (KeyTransRecipientInfo)recipientInfo;
SubjectIdentifier subjectIdentifier = recipient.RecipientIdentifier;
object value = subjectIdentifier.Value;
Assert.IsType <string>(value);
string ski = (string)value;
Assert.Equal("01952851C55DB594B0C6167F5863C5B6B67AEFE6", ski);
}
public void SubjectKeyIdentifier()
{
SubjectIdentifier si = GetSubjectIdentifier(subjectKeyIdentifierSignature);
Assert.AreEqual(SubjectIdentifierType.SubjectKeyIdentifier, si.Type, "Type");
Assert.AreEqual("02E1A73254AEFDC0A43236F6FE236A037228B1F7", (string)si.Value, "SignerIdentifier.Value");
}
public static void TestKeyAgreeRecipientIdType_Ski_RoundTrip()
{
KeyAgreeRecipientInfo recipient = FixedValueKeyAgree1(SubjectIdentifierType.SubjectKeyIdentifier);
SubjectIdentifier subjectIdentifier = recipient.RecipientIdentifier;
Assert.Equal(SubjectIdentifierType.SubjectKeyIdentifier, subjectIdentifier.Type);
}
public static void TestKeyTransRecipientIdType_RoundTrip()
{
KeyTransRecipientInfo recipient = EncodeKeyTransl();
SubjectIdentifier subjectIdentifier = recipient.RecipientIdentifier;
Assert.Equal(SubjectIdentifierType.IssuerAndSerialNumber, subjectIdentifier.Type);
}
public static void TestKeyTransRecipientIdType_FixedValue()
{
KeyTransRecipientInfo recipient = FixedValueKeyTrans1();
SubjectIdentifier subjectIdentifier = recipient.RecipientIdentifier;
Assert.Equal(SubjectIdentifierType.IssuerAndSerialNumber, subjectIdentifier.Type);
}
public static void ReuseEnvelopeCmsEncodeThenDecode()
{
// Test ability to encrypt, encode and decode all in one EnvelopedCms instance.
ContentInfo contentInfo = new ContentInfo(new byte[] { 1, 2, 3 });
EnvelopedCms ecms = new EnvelopedCms(contentInfo);
using (X509Certificate2 cert = Certificates.RSAKeyTransfer1.GetCertificate())
{
CmsRecipient cmsRecipient = new CmsRecipient(cert);
ecms.Encrypt(cmsRecipient);
}
byte[] encodedMessage = ecms.Encode();
ecms.Decode(encodedMessage);
RecipientInfoCollection recipients = ecms.RecipientInfos;
Assert.Equal(1, recipients.Count);
RecipientInfo recipientInfo = recipients[0];
KeyTransRecipientInfo recipient = recipientInfo as KeyTransRecipientInfo;
Assert.NotNull(recipientInfo);
SubjectIdentifier subjectIdentifier = recipient.RecipientIdentifier;
object value = subjectIdentifier.Value;
Assert.True(value is X509IssuerSerial);
X509IssuerSerial xis = (X509IssuerSerial)value;
Assert.Equal("CN=RSAKeyTransfer1", xis.IssuerName);
Assert.Equal("31D935FB63E8CFAB48A0BF7B397B67C0", xis.SerialNumber);
}
public static void TestKeyTransRecipientIdType_Ski_FixedValue()
{
KeyTransRecipientInfo recipient = FixedValueKeyTrans1(SubjectIdentifierType.SubjectKeyIdentifier);
SubjectIdentifier subjectIdentifier = recipient.RecipientIdentifier;
Assert.Equal(SubjectIdentifierType.SubjectKeyIdentifier, subjectIdentifier.Type);
}
public static void TestKeyTransRecipientIdType_Ski_RoundTrip()
{
KeyTransRecipientInfo recipient = EncodeKeyTransl(SubjectIdentifierType.SubjectKeyIdentifier);
SubjectIdentifier subjectIdentifier = recipient.RecipientIdentifier;
Assert.Equal(SubjectIdentifierType.SubjectKeyIdentifier, subjectIdentifier.Type);
}
private Exception TryDecryptAgree(KeyAgreeRecipientInfo keyAgreeRecipientInfo, SafeProvOrNCryptKeyHandle hKey, CryptKeySpec keySpec, X509Certificate2Collection originatorCerts, X509Certificate2Collection extraStore)
{
unsafe
{
KeyAgreeRecipientInfoPalWindows pal = (KeyAgreeRecipientInfoPalWindows)(keyAgreeRecipientInfo.Pal);
return(pal.WithCmsgCmsRecipientInfo <Exception>(
delegate(CMSG_KEY_AGREE_RECIPIENT_INFO * pKeyAgreeRecipientInfo)
{
CMSG_CTRL_KEY_AGREE_DECRYPT_PARA decryptPara = default(CMSG_CTRL_KEY_AGREE_DECRYPT_PARA);
decryptPara.cbSize = Marshal.SizeOf <CMSG_CTRL_KEY_AGREE_DECRYPT_PARA>();
decryptPara.hProv = hKey;
decryptPara.dwKeySpec = keySpec;
decryptPara.pKeyAgree = pKeyAgreeRecipientInfo;
decryptPara.dwRecipientIndex = pal.Index;
decryptPara.dwRecipientEncryptedKeyIndex = pal.SubIndex;
CMsgKeyAgreeOriginatorChoice originatorChoice = pKeyAgreeRecipientInfo->dwOriginatorChoice;
switch (originatorChoice)
{
case CMsgKeyAgreeOriginatorChoice.CMSG_KEY_AGREE_ORIGINATOR_CERT:
{
X509Certificate2Collection candidateCerts = new X509Certificate2Collection();
candidateCerts.AddRange(Helpers.GetStoreCertificates(StoreName.AddressBook, StoreLocation.CurrentUser, openExistingOnly: true));
candidateCerts.AddRange(Helpers.GetStoreCertificates(StoreName.AddressBook, StoreLocation.LocalMachine, openExistingOnly: true));
candidateCerts.AddRange(originatorCerts);
candidateCerts.AddRange(extraStore);
SubjectIdentifier originatorId = pKeyAgreeRecipientInfo->OriginatorCertId.ToSubjectIdentifier();
using (X509Certificate2 originatorCert = candidateCerts.TryFindMatchingCertificate(originatorId))
{
if (originatorCert == null)
{
return ErrorCode.CRYPT_E_NOT_FOUND.ToCryptographicException();
}
using (SafeCertContextHandle hCertContext = originatorCert.CreateCertContextHandle())
{
CERT_CONTEXT *pOriginatorCertContext = hCertContext.DangerousGetCertContext();
decryptPara.OriginatorPublicKey = pOriginatorCertContext->pCertInfo->SubjectPublicKeyInfo.PublicKey;
// Do not factor this call out of the switch statement as leaving this "using" block will free up
// native memory that decryptPara points to.
return TryExecuteDecryptAgree(ref decryptPara);
}
}
}
case CMsgKeyAgreeOriginatorChoice.CMSG_KEY_AGREE_ORIGINATOR_PUBLIC_KEY:
{
decryptPara.OriginatorPublicKey = pKeyAgreeRecipientInfo->OriginatorPublicKeyInfo.PublicKey;
return TryExecuteDecryptAgree(ref decryptPara);
}
default:
return new CryptographicException(SR.Format(SR.Cryptography_Cms_Invalid_Originator_Identifier_Choice, originatorChoice));
}
}));
}
}
public void IssuerAndSerialNumber()
{
SubjectIdentifier si = GetSubjectIdentifier(issuerAndSerialNumberSignature);
Assert.AreEqual(SubjectIdentifierType.IssuerAndSerialNumber, si.Type, "SignerIdentifier.Type");
Assert.IsTrue((si.Value.GetType() == typeof(X509IssuerSerial)), "SignerIdentifier.Value");
X509IssuerSerial xis = (X509IssuerSerial)si.Value;
Assert.AreEqual("CN=Motus Technologies inc.(test)", xis.IssuerName, "X509IssuerSerial.IssuerName");
Assert.AreEqual("91C44B0DB7D81084422671B397B50097", xis.SerialNumber, "X509IssuerSerial.SerialNumber");
}
public static void TestKeyTransRecipientIdValue_Ski_FixedValue()
{
KeyTransRecipientInfo recipient = FixedValueKeyTrans1(SubjectIdentifierType.SubjectKeyIdentifier);
SubjectIdentifier subjectIdentifier = recipient.RecipientIdentifier;
object value = subjectIdentifier.Value;
Assert.True(value is string);
string ski = (string)value;
Assert.Equal("F2008AA9FA3742E8370CB1674CE1D1582921DCC3", ski);
}
public static void TestKeyAgreeRecipientIdValue_Ski_FixedValue()
{
KeyAgreeRecipientInfo recipient = FixedValueKeyAgree1(SubjectIdentifierType.SubjectKeyIdentifier);
SubjectIdentifier subjectIdentifier = recipient.RecipientIdentifier;
object value = subjectIdentifier.Value;
Assert.True(value is string);
string ski = (string)value;
Assert.Equal("10DA1370316788112EB8594C864C2420AE7FBA42", ski);
}
public static void TestKeyTransRecipientIdValue_FixedValue()
{
KeyTransRecipientInfo recipient = FixedValueKeyTrans1();
SubjectIdentifier subjectIdentifier = recipient.RecipientIdentifier;
object value = subjectIdentifier.Value;
Assert.True(value is X509IssuerSerial);
X509IssuerSerial xis = (X509IssuerSerial)value;
Assert.Equal("CN=RSAKeyTransfer1", xis.IssuerName);
Assert.Equal("31D935FB63E8CFAB48A0BF7B397B67C0", xis.SerialNumber);
}
public static void TestKeyAgreeRecipientIdValue_FixedValue()
{
KeyAgreeRecipientInfo recipient = FixedValueKeyAgree1();
SubjectIdentifier subjectIdentifier = recipient.RecipientIdentifier;
object value = subjectIdentifier.Value;
Assert.True(value is X509IssuerSerial);
X509IssuerSerial xis = (X509IssuerSerial)value;
Assert.Equal("CN=\"Managed PKCS#7 Test Root Authority\"", xis.IssuerName);
Assert.Equal("0AE59B0CB8119F8942EDA74163413A02", xis.SerialNumber);
}
public static void ReuseEnvelopeCmsDecodeThenEncode()
{
byte[] encodedMessage =
("3082010c06092a864886f70d010703a081fe3081fb0201003181c83081c5020100302e301a311830160603550403130f5253"
+ "414b65795472616e7366657231021031d935fb63e8cfab48a0bf7b397b67c0300d06092a864886f70d01010105000481805e"
+ "bb2d08773594be9ec5d30c0707cf339f2b982a4f0797b74d520a0c973d668a9a6ad9d28066ef36e5b5620fef67f4d79ee50c"
+ "25eb999f0c656548347d5676ac4b779f8fce2b87e6388fbe483bb0fcf78ab1f1ff29169600401fded7b2803a0bf96cc160c4"
+ "96726216e986869eed578bda652855c85604a056201538ee56b6c4302b06092a864886f70d010701301406082a864886f70d"
+ "030704083adadf63cd297a86800835edc437e31d0b70").HexToByteArray();
EnvelopedCms ecms = new EnvelopedCms();
ecms.Decode(encodedMessage);
using (X509Certificate2 cert = Certificates.RSAKeyTransfer1.GetCertificate())
{
CmsRecipient cmsRecipient = new CmsRecipient(cert);
ecms.Encrypt(cmsRecipient);
}
encodedMessage = ecms.Encode();
ecms.Decode(encodedMessage);
RecipientInfoCollection recipients = ecms.RecipientInfos;
Assert.Equal(1, recipients.Count);
RecipientInfo recipientInfo = recipients[0];
KeyTransRecipientInfo recipient = recipientInfo as KeyTransRecipientInfo;
Assert.NotNull(recipientInfo);
SubjectIdentifier subjectIdentifier = recipient.RecipientIdentifier;
object value = subjectIdentifier.Value;
Assert.True(value is X509IssuerSerial);
X509IssuerSerial xis = (X509IssuerSerial)value;
Assert.Equal("CN=RSAKeyTransfer1", xis.IssuerName);
Assert.Equal("31D935FB63E8CFAB48A0BF7B397B67C0", xis.SerialNumber);
}
public static SubjectIdentifierOrKey ToSubjectIdentifierOrKey(this CERT_ID certId)
{
//
// SubjectIdentifierOrKey is just a SubjectIdentifier with an (irrelevant here) "key" option thumbtacked onto it so
// the easiest way is to subcontract the job to SubjectIdentifier.
//
SubjectIdentifier subjectIdentifier = certId.ToSubjectIdentifier();
SubjectIdentifierType subjectIdentifierType = subjectIdentifier.Type;
switch (subjectIdentifierType)
{
case SubjectIdentifierType.IssuerAndSerialNumber:
return(new SubjectIdentifierOrKey(SubjectIdentifierOrKeyType.IssuerAndSerialNumber, subjectIdentifier.Value));
case SubjectIdentifierType.SubjectKeyIdentifier:
return(new SubjectIdentifierOrKey(SubjectIdentifierOrKeyType.SubjectKeyIdentifier, subjectIdentifier.Value));
default:
Debug.Fail("Only the framework can construct SubjectIdentifier's so if we got a bad value here, that's our fault.");
throw new CryptographicException(SR.Format(SR.Cryptography_Cms_Invalid_Subject_Identifier_Type, subjectIdentifierType));
}
}
private void Reset(uint originatorChoice, uint version, CAPI.CMSG_RECIPIENT_ENCRYPTED_KEY_INFO encryptedKeyInfo, uint subIndex)
{
this.m_encryptedKeyInfo = encryptedKeyInfo;
this.m_originatorChoice = originatorChoice;
this.m_version = (int)version;
this.m_originatorIdentifier = (SubjectIdentifierOrKey)null;
this.m_userKeyMaterial = new byte[0];
this.m_encryptionAlgorithm = (AlgorithmIdentifier)null;
this.m_recipientIdentifier = (SubjectIdentifier)null;
this.m_encryptedKey = new byte[0];
this.m_date = DateTime.MinValue;
this.m_otherKeyAttribute = (CryptographicAttributeObject)null;
this.m_subIndex = subIndex;
}
/// <summary>
/// Desktop compat: We do not complain about multiple matches. Just take the first one and ignore the rest.
/// </summary>
public static X509Certificate2 TryFindMatchingCertificate(this X509Certificate2Collection certs, SubjectIdentifier recipientIdentifier)
{
//
// Note: SubjectIdentifier has no public constructor so the only one that can construct this type is this assembly.
// Therefore, we trust that the string-ized byte array (serial or ski) in it is correct and canonicalized.
//
SubjectIdentifierType recipientIdentifierType = recipientIdentifier.Type;
switch (recipientIdentifierType)
{
case SubjectIdentifierType.IssuerAndSerialNumber:
{
X509IssuerSerial issuerSerial = (X509IssuerSerial)(recipientIdentifier.Value);
byte[] serialNumber = issuerSerial.SerialNumber.ToSerialBytes();
string issuer = issuerSerial.IssuerName;
foreach (X509Certificate2 candidate in certs)
{
byte[] candidateSerialNumber = candidate.GetSerialNumber();
if (AreByteArraysEqual(candidateSerialNumber, serialNumber) && candidate.Issuer == issuer)
{
return(candidate);
}
}
}
break;
case SubjectIdentifierType.SubjectKeyIdentifier:
{
string skiString = (string)(recipientIdentifier.Value);
byte[] ski = skiString.ToSkiBytes();
foreach (X509Certificate2 cert in certs)
{
byte[] candidateSki = PkcsPal.Instance.GetSubjectKeyIdentifier(cert);
if (AreByteArraysEqual(ski, candidateSki))
{
return(cert);
}
}
}
break;
default:
// RecipientInfo's can only be created by this package so if this an invalid type, it's the package's fault.
Debug.Fail($"Invalid recipientIdentifier type: {recipientIdentifierType}");
throw new CryptographicException();
}
return(null);
}
/// <summary>
/// Note: Due to its use of X509Certificate2Collection.Find(), this returns a cloned certificate. So the caller should dispose it.
/// </summary>
public static X509Certificate2 TryFindMatchingCertificate(this X509Certificate2Collection certs, SubjectIdentifier recipientIdentifier)
{
SubjectIdentifierType recipientIdentifierType = recipientIdentifier.Type;
switch (recipientIdentifierType)
{
case SubjectIdentifierType.IssuerAndSerialNumber:
{
X509IssuerSerial issuerSerial = (X509IssuerSerial)(recipientIdentifier.Value);
using (ClonedCertificates matches1 = certs.FindCertificates(X509FindType.FindBySerialNumber, issuerSerial.SerialNumber))
{
using (ClonedCertificates matches2 = matches1.FindCertificates(X509FindType.FindByIssuerDistinguishedName, issuerSerial.IssuerName))
{
// Desktop compat: We do not complain about multiple matches. Just take the first one and ignore the rest.
return(matches2.Any ? matches2.ClaimResult() : null);
}
}
}
case SubjectIdentifierType.SubjectKeyIdentifier:
{
string ski = (string)(recipientIdentifier.Value);
using (ClonedCertificates matches = certs.FindCertificates(X509FindType.FindBySubjectKeyIdentifier, ski))
{
// Desktop compat: We do not complain about multiple matches. Just take the first one and ignore the rest.
return(matches.Any ? matches.ClaimResult() : null);
}
}
default:
// RecipientInfo's can only be created by this package so if this an invalid type, it's the package's fault.
Debug.Fail($"Invalid recipientIdentifier type: {recipientIdentifierType}");
throw new CryptographicException();
}
}
/// <summary>验证数据,通过抛出异常的方式提示验证失败。</summary>
/// <param name="isNew">是否插入</param>
public override void Valid(Boolean isNew)
{
// 如果没有脏数据,则不需要进行任何处理
if (!HasDirty)
{
return;
}
// 这里验证参数范围,建议抛出参数异常,指定参数名,前端用户界面可以捕获参数异常并聚焦到对应的参数输入框
if (When.IsNullOrEmpty())
{
throw new ArgumentNullException(nameof(When), "When不能为空!");
}
if (Source.IsNullOrEmpty())
{
throw new ArgumentNullException(nameof(Source), "Source不能为空!");
}
if (SubjectType.IsNullOrEmpty())
{
throw new ArgumentNullException(nameof(SubjectType), "SubjectType不能为空!");
}
if (SubjectIdentifier.IsNullOrEmpty())
{
throw new ArgumentNullException(nameof(SubjectIdentifier), "SubjectIdentifier不能为空!");
}
if (Subject.IsNullOrEmpty())
{
throw new ArgumentNullException(nameof(Subject), "Subject不能为空!");
}
if (Action.IsNullOrEmpty())
{
throw new ArgumentNullException(nameof(Action), "Action不能为空!");
}
if (ResourceType.IsNullOrEmpty())
{
throw new ArgumentNullException(nameof(ResourceType), "ResourceType不能为空!");
}
if (Resource.IsNullOrEmpty())
{
throw new ArgumentNullException(nameof(Resource), "Resource不能为空!");
}
if (ResourceIdentifier.IsNullOrEmpty())
{
throw new ArgumentNullException(nameof(ResourceIdentifier), "ResourceIdentifier不能为空!");
}
if (NormalisedSubject.IsNullOrEmpty())
{
throw new ArgumentNullException(nameof(NormalisedSubject), "NormalisedSubject不能为空!");
}
if (NormalisedAction.IsNullOrEmpty())
{
throw new ArgumentNullException(nameof(NormalisedAction), "NormalisedAction不能为空!");
}
if (NormalisedResource.IsNullOrEmpty())
{
throw new ArgumentNullException(nameof(NormalisedResource), "NormalisedResource不能为空!");
}
if (NormalisedSource.IsNullOrEmpty())
{
throw new ArgumentNullException(nameof(NormalisedSource), "NormalisedSource不能为空!");
}
// 在新插入数据或者修改了指定字段时进行修正
}
private void Reset(int version)
{
this.m_version = version;
this.m_recipientIdentifier = (SubjectIdentifier)null;
this.m_encryptionAlgorithm = (AlgorithmIdentifier)null;
this.m_encryptedKey = new byte[0];
}
