public static IStorePal FromBlob(byte[] rawData, string password, X509KeyStorageFlags keyStorageFlags)
{
ICertificatePal singleCert;
if (CertificatePal.TryReadX509Der(rawData, out singleCert) ||
CertificatePal.TryReadX509Pem(rawData, out singleCert))
{
// The single X509 structure methods shouldn't return true and out null, only empty
// collections have that behavior.
Debug.Assert(singleCert != null);
return SingleCertToStorePal(singleCert);
}
List<ICertificatePal> certPals;
if (PkcsFormatReader.TryReadPkcs7Der(rawData, out certPals) ||
PkcsFormatReader.TryReadPkcs7Pem(rawData, out certPals) ||
PkcsFormatReader.TryReadPkcs12(rawData, password, out certPals))
{
Debug.Assert(certPals != null);
return ListToStorePal(certPals);
}
return null;
}
public static void TestRawData(X509KeyStorageFlags keyStorageFlags)
{
byte[] expectedRawData = (
"308201e530820152a0030201020210d5b5bc1c458a558845" +
"bff51cb4dff31c300906052b0e03021d05003011310f300d" +
"060355040313064d794e616d65301e170d31303034303130" +
"38303030305a170d3131303430313038303030305a301131" +
"0f300d060355040313064d794e616d6530819f300d06092a" +
"864886f70d010101050003818d0030818902818100b11e30" +
"ea87424a371e30227e933ce6be0e65ff1c189d0d888ec8ff" +
"13aa7b42b68056128322b21f2b6976609b62b6bc4cf2e55f" +
"f5ae64e9b68c78a3c2dacc916a1bc7322dd353b32898675c" +
"fb5b298b176d978b1f12313e3d865bc53465a11cca106870" +
"a4b5d50a2c410938240e92b64902baea23eb093d9599e9e3" +
"72e48336730203010001a346304430420603551d01043b30" +
"39801024859ebf125e76af3f0d7979b4ac7a96a113301131" +
"0f300d060355040313064d794e616d658210d5b5bc1c458a" +
"558845bff51cb4dff31c300906052b0e03021d0500038181" +
"009bf6e2cf830ed485b86d6b9e8dffdcd65efc7ec145cb93" +
"48923710666791fcfa3ab59d689ffd7234b7872611c5c23e" +
"5e0714531abadb5de492d2c736e1c929e648a65cc9eb63cd" +
"84e57b5909dd5ddf5dbbba4a6498b9ca225b6e368b94913b" +
"fc24de6b2bd9a26b192b957304b89531e902ffc91b54b237" +
"bb228be8afcda26476").HexToByteArray();
using (var c = new X509Certificate2(TestData.PfxData, TestData.PfxDataPassword, keyStorageFlags))
{
byte[] rawData = c.RawData;
Assert.Equal(expectedRawData, rawData);
}
}
public static unsafe ICertificatePal FromBlob(byte[] rawData, string password, X509KeyStorageFlags keyStorageFlags)
{
// If we can see a hyphen, assume it's PEM. Otherwise try DER-X509, then fall back to DER-PKCS12.
SafeX509Handle cert;
// PEM
if (rawData[0] == '-')
{
using (SafeBioHandle bio = Interop.libcrypto.BIO_new(Interop.libcrypto.BIO_s_mem()))
{
Interop.libcrypto.CheckValidOpenSslHandle(bio);
Interop.libcrypto.BIO_write(bio, rawData, rawData.Length);
cert = Interop.libcrypto.PEM_read_bio_X509_AUX(bio, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero);
}
Interop.libcrypto.CheckValidOpenSslHandle(cert);
}
// DER-X509
cert = Interop.libcrypto.OpenSslD2I((ptr, b, i) => Interop.libcrypto.d2i_X509(ptr, b, i), rawData, checkHandle: false);
if (!cert.IsInvalid)
{
return new OpenSslX509CertificateReader(cert);
}
// DER-PKCS12
OpenSslPkcs12Reader pfx;
if (OpenSslPkcs12Reader.TryRead(rawData, out pfx))
{
using (pfx)
{
pfx.Decrypt(password);
ICertificatePal first = null;
foreach (OpenSslX509CertificateReader certPal in pfx.ReadCertificates())
{
// When requesting an X509Certificate2 from a PFX only the first entry is
// returned. Other entries should be disposed.
if (first == null)
{
first = certPal;
}
else
{
certPal.Dispose();
}
}
return first;
}
}
// Unsupported
throw Interop.libcrypto.CreateOpenSslCryptographicException();
}
public static void ImportPkcs12Bytes_Single(X509KeyStorageFlags keyStorageFlags)
{
using (ImportedCollection ic = Cert.Import(TestData.PfxData, TestData.PfxDataPassword, keyStorageFlags))
{
X509Certificate2Collection cc2 = ic.Collection;
int count = cc2.Count;
Assert.Equal(1, count);
}
}
public X509Certificate(byte[] rawData, string password, X509KeyStorageFlags keyStorageFlags)
{
if (rawData == null || rawData.Length == 0)
throw new ArgumentException(SR.Arg_EmptyOrNullArray, nameof(rawData));
ValidateKeyStorageFlags(keyStorageFlags);
Pal = CertificatePal.FromBlob(rawData, password, keyStorageFlags);
}
public X509Certificate(string fileName, string password, X509KeyStorageFlags keyStorageFlags)
{
if (fileName == null)
throw new ArgumentNullException(nameof(fileName));
ValidateKeyStorageFlags(keyStorageFlags);
Pal = CertificatePal.FromFile(fileName, password, keyStorageFlags);
}
public X509Certificate(byte[] rawData, string password, X509KeyStorageFlags keyStorageFlags)
{
if (rawData == null || rawData.Length == 0)
throw new ArgumentException(SR.Arg_EmptyOrNullArray, "rawData");
if ((keyStorageFlags & ~KeyStorageFlagsAll) != 0)
throw new ArgumentException(SR.Argument_InvalidFlag, "keyStorageFlags");
Pal = CertificatePal.FromBlob(rawData, password, keyStorageFlags);
}
public X509Certificate(string fileName, string password, X509KeyStorageFlags keyStorageFlags)
{
if (fileName == null)
throw new ArgumentNullException("fileName");
if ((keyStorageFlags & ~KeyStorageFlagsAll) != 0)
throw new ArgumentException(SR.Argument_InvalidFlag, "keyStorageFlags");
Pal = CertificatePal.FromFile(fileName, password, keyStorageFlags);
}
public static IStorePal FromFile(string fileName, string password, X509KeyStorageFlags keyStorageFlags)
{
using (SafeBioHandle bio = Interop.Crypto.BioNewFile(fileName, "rb"))
{
Interop.Crypto.CheckValidOpenSslHandle(bio);
return FromBio(bio, password);
}
}
public static void ImportPkcs12Bytes_Chain(X509KeyStorageFlags keyStorageFlags)
{
using (ImportedCollection ic = Cert.Import(TestData.ChainPfxBytes, TestData.ChainPfxPassword, keyStorageFlags))
{
X509Certificate2Collection certs = ic.Collection;
int count = certs.Count;
Assert.Equal(3, count);
}
}
public static ICertificatePal FromFile(string fileName, string password, X509KeyStorageFlags keyStorageFlags)
{
// If we can't open the file, fail right away.
using (SafeBioHandle fileBio = Interop.Crypto.BioNewFile(fileName, "rb"))
{
Interop.Crypto.CheckValidOpenSslHandle(fileBio);
return FromBio(fileBio, password);
}
}
public static void EnsurePrivateKeyPreferred(X509KeyStorageFlags keyStorageFlags)
{
using (var cert = new X509Certificate2(TestData.ChainPfxBytes, TestData.ChainPfxPassword, keyStorageFlags))
{
// While checking cert.HasPrivateKey first is most matching of the test description, asserting
// on the certificate's simple name will provide a more diagnosable failure.
Assert.Equal("test.local", cert.GetNameInfo(X509NameType.SimpleName, false));
Assert.True(cert.HasPrivateKey, "cert.HasPrivateKey");
}
}
public static X509Certificate2 GetCertificate(string filePath, string password, X509KeyStorageFlags flags)
{
try
{
return new X509Certificate2(filePath, password, flags);
}
catch (Exception)
{
throw;
}
}
internal static X509Certificate2Impl Import (byte[] rawData, string password, X509KeyStorageFlags keyStorageFlags)
{
var provider = MonoTlsProviderFactory.GetProvider ();
if (provider.HasNativeCertificates) {
var impl = provider.GetNativeCertificate (rawData, password, keyStorageFlags);
return impl;
} else {
var impl = new X509Certificate2ImplMono ();
impl.Import (rawData, password, keyStorageFlags);
return impl;
}
}
public static void TestConstructor(X509KeyStorageFlags keyStorageFlags)
{
byte[] expectedThumbprint = "71cb4e2b02738ad44f8b382c93bd17ba665f9914".HexToByteArray();
using (var c = new X509Certificate2(TestData.PfxData, TestData.PfxDataPassword, keyStorageFlags))
{
string subject = c.Subject;
Assert.Equal("CN=MyName", subject);
byte[] thumbPrint = c.GetCertHash();
Assert.Equal(expectedThumbprint, thumbPrint);
}
}
public X509Certificate(byte[] rawData, SecureString password, X509KeyStorageFlags keyStorageFlags)
{
if (rawData == null || rawData.Length == 0)
throw new ArgumentException(SR.Arg_EmptyOrNullArray, nameof(rawData));
ValidateKeyStorageFlags(keyStorageFlags);
using (var safePasswordHandle = new SafePasswordHandle(password))
{
Pal = CertificatePal.FromBlob(rawData, safePasswordHandle, keyStorageFlags);
}
}
// this method maps a X509KeyStorageFlags enum to a combination of crypto API flags
internal static uint MapKeyStorageFlags (X509KeyStorageFlags keyStorageFlags) {
uint dwFlags = 0;
if ((keyStorageFlags & X509KeyStorageFlags.UserKeySet) == X509KeyStorageFlags.UserKeySet)
dwFlags |= CAPI.CRYPT_USER_KEYSET;
else if ((keyStorageFlags & X509KeyStorageFlags.MachineKeySet) == X509KeyStorageFlags.MachineKeySet)
dwFlags |= CAPI.CRYPT_MACHINE_KEYSET;
if ((keyStorageFlags & X509KeyStorageFlags.Exportable) == X509KeyStorageFlags.Exportable)
dwFlags |= CAPI.CRYPT_EXPORTABLE;
if ((keyStorageFlags & X509KeyStorageFlags.UserProtected) == X509KeyStorageFlags.UserProtected)
dwFlags |= CAPI.CRYPT_USER_PROTECTED;
return dwFlags;
}
public static IStorePal FromBlob(byte[] rawData, string password, X509KeyStorageFlags keyStorageFlags)
{
OpenSslPkcs12Reader pfx;
if (OpenSslPkcs12Reader.TryRead(rawData, out pfx))
{
using (pfx)
{
return PfxToCollection(pfx, password);
}
}
return null;
}
public static IStorePal FromFile(string fileName, string password, X509KeyStorageFlags keyStorageFlags)
{
using (SafeBioHandle fileBio = Interop.libcrypto.BIO_new_file(fileName, "rb"))
{
Interop.libcrypto.CheckValidOpenSslHandle(fileBio);
OpenSslPkcs12Reader pfx;
if (OpenSslPkcs12Reader.TryRead(fileBio, out pfx))
{
using (pfx)
{
return PfxToCollection(pfx, password);
}
}
}
return null;
}
internal void LoadCerts(MemoryX509Store certStore, X509KeyStorageFlags flags)
{
if (!File.Exists(this.FilePath))
{
throw new FileNotFoundException("File does not exist", this.FilePath);
}
string ext = Path.GetExtension(this.FilePath) ?? string.Empty;
switch (ext.ToLower())
{
default:
certStore.ImportKeyFile(this.FilePath, flags);
break;
case ".pfx":
certStore.ImportKeyFile(FilePath, this.Password, flags);
break;
}
}
public static void ImportPkcs12Bytes_Single_VerifyContents(X509KeyStorageFlags keyStorageFlags)
{
using (var pfxCer = new X509Certificate2(TestData.PfxData, TestData.PfxDataPassword, Cert.EphemeralIfPossible))
{
using (ImportedCollection ic = Cert.Import(TestData.PfxData, TestData.PfxDataPassword, keyStorageFlags))
{
X509Certificate2Collection cc2 = ic.Collection;
int count = cc2.Count;
Assert.Equal(1, count);
using (X509Certificate2 c = cc2[0])
{
// pfxCer was loaded directly, cc2[0] was Imported, two distinct copies.
Assert.NotSame(pfxCer, c);
Assert.Equal(pfxCer, c);
Assert.Equal(pfxCer.Thumbprint, c.Thumbprint);
}
}
}
}
public static ICertificatePal FromBlob(byte[] rawData, string password, X509KeyStorageFlags keyStorageFlags)
{
ICertificatePal cert;
if (TryReadX509Der(rawData, out cert) ||
TryReadX509Pem(rawData, out cert) ||
PkcsFormatReader.TryReadPkcs7Der(rawData, out cert) ||
PkcsFormatReader.TryReadPkcs7Pem(rawData, out cert) ||
PkcsFormatReader.TryReadPkcs12(rawData, password, out cert))
{
if (cert == null)
{
// Empty collection, most likely.
throw new CryptographicException();
}
return cert;
}
// Unsupported
throw Interop.Crypto.CreateOpenSslCryptographicException();
}
public static ICertificatePal FromFile(string fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
{
Debug.Assert(password != null);
byte[] fileBytes = System.IO.File.ReadAllBytes(fileName);
return(FromBlob(fileBytes, password, keyStorageFlags));
}
/// <inheritdoc />
public X509Certificate2?LoadCertificate(string subjectName, X509KeyStorageFlags storageFlags)
{
string filePath = Path.Combine(getCertificatePath(false), subjectName + defaultCertificateFileExtension);
return(loadCertificate(filePath, string.Empty, storageFlags));
}
public static ICertificatePal FromBlob(
ReadOnlySpan <byte> rawData,
SafePasswordHandle password,
X509KeyStorageFlags keyStorageFlags)
{
Debug.Assert(password != null);
X509ContentType contentType = X509Certificate2.GetCertContentType(rawData);
if (contentType == X509ContentType.Pkcs7)
{
// In single mode for a PKCS#7 signed or signed-and-enveloped file we're supposed to return
// the certificate which signed the PKCS#7 file.
//
// X509Certificate2Collection::Export(X509ContentType.Pkcs7) claims to be a signed PKCS#7,
// but doesn't emit a signature block. So this is hard to test.
//
// TODO(2910): Figure out how to extract the signing certificate, when it's present.
throw new CryptographicException(SR.Cryptography_X509_PKCS7_NoSigner);
}
if (contentType == X509ContentType.Pkcs12)
{
if ((keyStorageFlags & X509KeyStorageFlags.EphemeralKeySet) == X509KeyStorageFlags.EphemeralKeySet)
{
throw new PlatformNotSupportedException(SR.Cryptography_X509_NoEphemeralPfx);
}
bool exportable = (keyStorageFlags & X509KeyStorageFlags.Exportable) == X509KeyStorageFlags.Exportable;
bool persist =
(keyStorageFlags & X509KeyStorageFlags.PersistKeySet) == X509KeyStorageFlags.PersistKeySet;
SafeKeychainHandle keychain = persist
? Interop.AppleCrypto.SecKeychainCopyDefault()
: Interop.AppleCrypto.CreateTemporaryKeychain();
using (keychain)
{
return(ImportPkcs12(rawData, password, exportable, keychain));
}
}
SafeSecIdentityHandle identityHandle;
SafeSecCertificateHandle certHandle = Interop.AppleCrypto.X509ImportCertificate(
rawData,
contentType,
SafePasswordHandle.InvalidHandle,
SafeTemporaryKeychainHandle.InvalidHandle,
exportable: true,
out identityHandle);
if (identityHandle.IsInvalid)
{
identityHandle.Dispose();
return(new AppleCertificatePal(certHandle));
}
Debug.Fail("Non-PKCS12 import produced an identity handle");
identityHandle.Dispose();
certHandle.Dispose();
throw new CryptographicException();
}
internal override X509Certificate2Impl GetNativeCertificate(
byte[] data, string password, X509KeyStorageFlags flags)
{
using (var handle = new SafePasswordHandle(password))
return(GetNativeCertificate(data, handle, flags));
}
public static ICertificatePal FromBlob(ReadOnlySpan <byte> rawData, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
{
return(FromBlobOrFile(rawData, null, password, keyStorageFlags));
}
public static ICertificatePal FromFile(string fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
{
ICertificatePal?pal;
// If we can't open the file, fail right away.
using (SafeBioHandle fileBio = Interop.Crypto.BioNewFile(fileName, "rb"))
{
Interop.Crypto.CheckValidOpenSslHandle(fileBio);
pal = FromBio(fileBio);
}
if (pal == null)
{
PkcsFormatReader.TryReadPkcs12(
File.ReadAllBytes(fileName),
password,
out pal,
out Exception? exception);
if (exception != null)
{
throw exception;
}
Debug.Assert(pal != null);
}
return(pal);
}
/// <summary>
/// Provides a similar API call to new X509Certificate(byte[],string,X509KeyStorageFlags)
/// </summary>
/// <param name="rawData">The bytes that represent the certificate</param>
/// <param name="password">The certificate private password</param>
/// <param name="keyStorageFlags">The certificate loading options</param>
/// <param name="shouldValidatePfx">Flag to indicate if file should validated. Set to true if the rawData is retrieved from an untrusted source.</param>
/// <returns>An instance of the X509Certificate</returns>
public static X509Certificate2 NewX509Certificate2(byte[] rawData, string password, X509KeyStorageFlags keyStorageFlags, bool shouldValidatePfx)
{
string temporaryFileName = Path.GetTempFileName();
try
{
X509ContentType contentType = X509Certificate2.GetCertContentType(rawData);
File.WriteAllBytes(temporaryFileName, rawData);
return(new X509Certificate2(temporaryFileName, password, keyStorageFlags));
}
finally
{
try
{
File.Delete(temporaryFileName);
}
catch (Exception)
{
// Not deleting the file is fine
}
}
}
[System.Security.SecuritySafeCritical] // auto-generated
private void LoadCertificateFromBlob (byte[] rawData, object password, X509KeyStorageFlags keyStorageFlags) {
if (rawData == null || rawData.Length == 0)
throw new ArgumentException(Environment.GetResourceString("Arg_EmptyOrNullArray"), "rawData");
Contract.EndContractBlock();
X509ContentType contentType = X509Utils.MapContentType(X509Utils._QueryCertBlobType(rawData));
#if !FEATURE_CORECLR && !FEATURE_PAL
if (contentType == X509ContentType.Pkcs12 &&
(keyStorageFlags & X509KeyStorageFlags.PersistKeySet) == X509KeyStorageFlags.PersistKeySet) {
KeyContainerPermission kp = new KeyContainerPermission(KeyContainerPermissionFlags.Create);
kp.Demand();
}
#endif // !FEATURE_CORECLR && !FEATURE_PAL
uint dwFlags = X509Utils.MapKeyStorageFlags(keyStorageFlags);
IntPtr szPassword = IntPtr.Zero;
RuntimeHelpers.PrepareConstrainedRegions();
try {
szPassword = X509Utils.PasswordToHGlobalUni(password);
X509Utils._LoadCertFromBlob(rawData,
szPassword,
dwFlags,
#if FEATURE_CORECLR
false,
#else // FEATURE_CORECLR
(keyStorageFlags & X509KeyStorageFlags.PersistKeySet) == 0 ? false : true,
#endif // FEATURE_CORECLR else
ref m_safeCertContext);
}
finally {
if (szPassword != IntPtr.Zero)
Marshal.ZeroFreeGlobalAllocUnicode(szPassword);
}
}
public X509Certificate2?LoadRootCertificate(string pathOrName, string password, X509KeyStorageFlags storageFlags)
{
string path = getRootCertificatePath(pathOrName);
return(loadCertificate(path, password, storageFlags));
}
public X509Certificate (byte[] rawData, SecureString password, X509KeyStorageFlags keyStorageFlags):this() {
LoadCertificateFromBlob(rawData, password, keyStorageFlags);
}
public virtual void Import(byte[] rawData, SecureString password, X509KeyStorageFlags keyStorageFlags) {
Reset();
LoadCertificateFromBlob(rawData, password, keyStorageFlags);
}
private static StorePal FromBlobOrFile(byte[] rawData, string fileName, string password, X509KeyStorageFlags keyStorageFlags)
{
bool fromFile = fileName != null;
unsafe
{
fixed (byte* pRawData = rawData)
{
fixed (char* pFileName = fileName)
{
CRYPTOAPI_BLOB blob = new CRYPTOAPI_BLOB(fromFile ? 0 : rawData.Length, pRawData);
bool persistKeySet = (0 != (keyStorageFlags & X509KeyStorageFlags.PersistKeySet));
PfxCertStoreFlags certStoreFlags = MapKeyStorageFlags(keyStorageFlags);
void* pvObject = fromFile ? (void*)pFileName : (void*)&blob;
ContentType contentType;
SafeCertStoreHandle certStore;
if (!Interop.crypt32.CryptQueryObject(
fromFile ? CertQueryObjectType.CERT_QUERY_OBJECT_FILE : CertQueryObjectType.CERT_QUERY_OBJECT_BLOB,
pvObject,
StoreExpectedContentFlags,
ExpectedFormatTypeFlags.CERT_QUERY_FORMAT_FLAG_ALL,
0,
IntPtr.Zero,
out contentType,
IntPtr.Zero,
out certStore,
IntPtr.Zero,
IntPtr.Zero
))
{
throw Marshal.GetLastWin32Error().ToCryptographicException();
}
if (contentType == ContentType.CERT_QUERY_CONTENT_PFX)
{
certStore.Dispose();
if (fromFile)
{
rawData = File.ReadAllBytes(fileName);
}
fixed (byte* pRawData2 = rawData)
{
CRYPTOAPI_BLOB blob2 = new CRYPTOAPI_BLOB(rawData.Length, pRawData2);
certStore = Interop.crypt32.PFXImportCertStore(ref blob2, password, certStoreFlags);
if (certStore == null || certStore.IsInvalid)
throw Marshal.GetLastWin32Error().ToCryptographicException();
}
if (!persistKeySet)
{
//
// If the user did not want us to persist private keys, then we should loop through all
// the certificates in the collection and set our custom CERT_DELETE_KEYSET_PROP_ID property
// so the key container will be deleted when the cert contexts will go away.
//
SafeCertContextHandle pCertContext = null;
while (Interop.crypt32.CertEnumCertificatesInStore(certStore, ref pCertContext))
{
CRYPTOAPI_BLOB nullBlob = new CRYPTOAPI_BLOB(0, null);
if (!Interop.crypt32.CertSetCertificateContextProperty(pCertContext, CertContextPropId.CERT_DELETE_KEYSET_PROP_ID, CertSetPropertyFlags.CERT_SET_PROPERTY_INHIBIT_PERSIST_FLAG, &nullBlob))
throw Marshal.GetLastWin32Error().ToCryptographicException();
}
}
}
return new StorePal(certStore);
}
}
}
}
/// <summary>
/// Request certificate from the ACME server
/// </summary>
/// <param name="binding"></param>
/// <returns></returns>
public CertificateInfo RequestCertificate(Target binding)
{
// What are we going to get?
var identifiers = binding.GetHosts(false);
var friendlyName = FriendlyName(binding);
var pfxPassword = Properties.Settings.Default.PFXPassword;
var pfxFileInfo = new FileInfo(PfxFilePath(binding));
// Try using cached certificate first to avoid rate limiting during
// (initial?) deployment troubleshooting. Real certificate requests
// will only be done once per day maximum.
if (pfxFileInfo.Exists && pfxFileInfo.LastWriteTime > DateTime.Now.AddDays(-1))
{
try
{
var cached = new CertificateInfo()
{
Certificate = ReadForUse(pfxFileInfo, pfxPassword),
PfxFile = pfxFileInfo
};
var idn = new IdnMapping();
if (cached.SubjectName == identifiers.First() &&
cached.HostNames.Count == identifiers.Count &&
cached.HostNames.All(h => identifiers.Contains(idn.GetAscii(h))))
{
if (_options.ForceRenewal)
{
_log.Warning("Cached certificate available but not used with --forcerenewal. Use 'Renew specific' or 'Renew all' in the main menu to run unscheduled renewals without hitting rate limits.");
}
else
{
_log.Warning("Using cached certificate for {friendlyName}. To force issue of a new certificate within 24 hours, delete the .pfx file from the CertificatePath or run with the --forcerenewal switch. Be ware that you might run into rate limits doing so.", friendlyName);
return(cached);
}
}
}
catch
{
// File corrupt or invalid password?
_log.Warning("Unable to read from certificate cache");
}
}
using (var cp = CertificateProvider.GetProvider("BouncyCastle"))
{
// Generate the private key and CSR
var rsaPkp = GetRsaKeyParameters();
var rsaKeys = cp.GeneratePrivateKey(rsaPkp);
var csr = GetCsr(cp, identifiers, rsaKeys);
byte[] derRaw;
using (var bs = new MemoryStream())
{
cp.ExportCsr(csr, EncodingFormat.DER, bs);
derRaw = bs.ToArray();
}
var derB64U = JwsHelper.Base64UrlEncode(derRaw);
// Save request parameters to disk
using (var fs = new FileStream(GetPath(binding, "-gen-key.json"), FileMode.Create))
cp.SavePrivateKey(rsaKeys, fs);
using (var fs = new FileStream(GetPath(binding, "-key.pem"), FileMode.Create))
cp.ExportPrivateKey(rsaKeys, EncodingFormat.PEM, fs);
using (var fs = new FileStream(GetPath(binding, "-gen-csr.json"), FileMode.Create))
cp.SaveCsr(csr, fs);
using (var fs = new FileStream(GetPath(binding, "-csr.pem"), FileMode.Create))
cp.ExportCsr(csr, EncodingFormat.PEM, fs);
// Request the certificate from the ACME server
_log.Information("Requesting certificate {friendlyName}", friendlyName);
var certificateRequest = _client.Acme.RequestCertificate(derB64U);
if (certificateRequest.StatusCode != HttpStatusCode.Created)
{
throw new Exception($"Request status {certificateRequest.StatusCode}");
}
// Main certicate and issuer certificate
Crt certificate;
Crt issuerCertificate;
// Certificate request was successful, save the certificate itself
var crtDerFile = GetPath(binding, $"-crt.der");
_log.Information("Saving certificate to {crtDerFile}", _certificatePath);
using (var file = File.Create(crtDerFile))
certificateRequest.SaveCertificate(file);
// Save certificate in PEM format too
var crtPemFile = GetPath(binding, $"-crt.pem");
using (FileStream source = new FileStream(crtDerFile, FileMode.Open),
target = new FileStream(crtPemFile, FileMode.Create))
{
certificate = cp.ImportCertificate(EncodingFormat.DER, source);
cp.ExportCertificate(certificate, EncodingFormat.PEM, target);
}
// Get issuer certificate and save in DER and PEM formats
issuerCertificate = GetIssuerCertificate(certificateRequest, cp);
using (var target = new FileStream(GetPath(binding, "-crt.der", "ca-"), FileMode.Create))
cp.ExportCertificate(issuerCertificate, EncodingFormat.DER, target);
var issuerPemFile = GetPath(binding, "-crt.pem", "ca-");
using (var target = new FileStream(issuerPemFile, FileMode.Create))
cp.ExportCertificate(issuerCertificate, EncodingFormat.PEM, target);
// Save chain in PEM format
using (FileStream intermediate = new FileStream(issuerPemFile, FileMode.Open),
certificateStrean = new FileStream(crtPemFile, FileMode.Open),
chain = new FileStream(GetPath(binding, "-chain.pem"), FileMode.Create))
{
certificateStrean.CopyTo(chain);
intermediate.CopyTo(chain);
}
// All raw data has been saved, now generate the PFX file
using (FileStream target = new FileStream(pfxFileInfo.FullName, FileMode.Create))
{
try
{
cp.ExportArchive(rsaKeys,
new[] { certificate, issuerCertificate },
ArchiveFormat.PKCS12,
target,
pfxPassword);
}
catch (Exception ex)
{
_log.Error("Error exporting archive {@ex}", ex);
}
}
// Flags used for the internally cached certificate
X509KeyStorageFlags internalFlags =
X509KeyStorageFlags.MachineKeySet |
X509KeyStorageFlags.PersistKeySet |
X509KeyStorageFlags.Exportable;
// See http://paulstovell.com/blog/x509certificate2
try
{
// Convert Private Key to different CryptoProvider
_log.Verbose("Converting private key...");
var res = new X509Certificate2(pfxFileInfo.FullName, pfxPassword, internalFlags);
var privateKey = (RSACryptoServiceProvider)res.PrivateKey;
res.PrivateKey = Convert(privateKey);
res.FriendlyName = friendlyName;
File.WriteAllBytes(pfxFileInfo.FullName, res.Export(X509ContentType.Pfx, pfxPassword));
pfxFileInfo.Refresh();
}
catch (Exception ex)
{
// If we couldn't convert the private key that
// means we're left with a pfx generated with the
// 'wrong' Crypto provider therefor delete it to
// make sure it's retried on the next run.
_log.Warning("Error converting private key to Microsoft RSA SChannel Cryptographic Provider, which means it might not be usable for Exchange.");
_log.Verbose("{ex}", ex);
}
// Recreate X509Certificate2 with correct flags for Store/Install
return(new CertificateInfo()
{
Certificate = ReadForUse(pfxFileInfo, pfxPassword),
PfxFile = pfxFileInfo
});
}
}
internal X509Certificate2Impl GetNativeCertificate(
byte[] data, SafePasswordHandle password, X509KeyStorageFlags flags)
{
return(new X509CertificateImplBtls(data, password, flags));
}
internal static partial ILoaderPal FromFile(string fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
{
Debug.Assert(password != null);
byte[] fileBytes = File.ReadAllBytes(fileName);
return(FromBlob(fileBytes, password, keyStorageFlags));
}
public virtual void Import(String fileName, String password, X509KeyStorageFlags keyStorageFlags)
{
throw new NotImplementedException("Import");
}
internal static partial ILoaderPal FromBlob(ReadOnlySpan <byte> rawData, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
{
List <ICertificatePal>?certificateList = null;
AppleCertificatePal.TryDecodePem(
rawData,
(derData, contentType) =>
{
certificateList = certificateList ?? new List <ICertificatePal>();
certificateList.Add(AppleCertificatePal.FromDerBlob(derData, contentType, password, keyStorageFlags));
return(true);
});
if (certificateList != null)
{
return(new CertCollectionLoader(certificateList));
}
bool ephemeralSpecified = keyStorageFlags.HasFlag(X509KeyStorageFlags.EphemeralKeySet);
X509ContentType contentType = AppleCertificatePal.GetDerCertContentType(rawData);
if (contentType == X509ContentType.Pkcs7)
{
throw new CryptographicException(
SR.Cryptography_X509_PKCS7_Unsupported,
new PlatformNotSupportedException(SR.Cryptography_X509_PKCS7_Unsupported));
}
if (contentType == X509ContentType.Pkcs12)
{
ApplePkcs12Reader reader = new ApplePkcs12Reader(rawData);
try
{
reader.Decrypt(password, ephemeralSpecified);
return(new ApplePkcs12CertLoader(reader, password));
}
catch
{
reader.Dispose();
throw;
}
}
SafeCFArrayHandle certs = Interop.AppleCrypto.X509ImportCollection(
rawData,
contentType,
password);
using (certs)
{
long longCount = Interop.CoreFoundation.CFArrayGetCount(certs);
if (longCount > int.MaxValue)
{
throw new CryptographicException();
}
int count = (int)longCount;
// Apple returns things in the opposite order from Windows, so read backwards.
certificateList = new List <ICertificatePal>(count);
for (int i = count - 1; i >= 0; i--)
{
IntPtr handle = Interop.CoreFoundation.CFArrayGetValueAtIndex(certs, i);
if (handle != IntPtr.Zero)
{
ICertificatePal?certPal = AppleCertificatePal.FromHandle(handle, throwOnFail: false);
if (certPal != null)
{
certificateList.Add(certPal);
}
}
}
}
return(new CertCollectionLoader(certificateList));
}
public virtual void Import(string fileName, SecureString password, X509KeyStorageFlags keyStorageFlags)
{
throw new PlatformNotSupportedException(SR.NotSupported_ImmutableX509Certificate);
}
/// <summary>
/// Request certificate from Let's Encrypt
/// </summary>
/// <param name="binding"></param>
/// <returns></returns>
public X509Certificate2 RequestCertificate(Target binding)
{
// What are we going to get?
var identifiers = binding.GetHosts(false);
var fileName = FileNamePart(binding);
var friendlyName = FriendlyName(binding);
using (var cp = CertificateProvider.GetProvider("BouncyCastle"))
{
// Generate the private key and CSR
var rsaPkp = GetRsaKeyParameters();
var rsaKeys = cp.GeneratePrivateKey(rsaPkp);
var csr = GetCsr(cp, identifiers, rsaKeys);
byte[] derRaw;
using (var bs = new MemoryStream())
{
cp.ExportCsr(csr, EncodingFormat.DER, bs);
derRaw = bs.ToArray();
}
var derB64U = JwsHelper.Base64UrlEncode(derRaw);
// Save request parameters to disk
var keyGenFile = Path.Combine(_certificatePath, $"{fileName}-gen-key.json");
using (var fs = new FileStream(keyGenFile, FileMode.Create))
cp.SavePrivateKey(rsaKeys, fs);
var keyPemFile = Path.Combine(_certificatePath, $"{fileName}-key.pem");
using (var fs = new FileStream(keyPemFile, FileMode.Create))
cp.ExportPrivateKey(rsaKeys, EncodingFormat.PEM, fs);
var csrGenFile = Path.Combine(_certificatePath, $"{fileName}-gen-csr.json");
using (var fs = new FileStream(csrGenFile, FileMode.Create))
cp.SaveCsr(csr, fs);
var csrPemFile = Path.Combine(_certificatePath, $"{fileName}-csr.pem");
using (var fs = new FileStream(csrPemFile, FileMode.Create))
cp.ExportCsr(csr, EncodingFormat.PEM, fs);
// Request the certificate from Let's Encrypt
_log.Information("Requesting certificate {friendlyName}", friendlyName);
var certificateRequest = _client.RequestCertificate(derB64U);
if (certificateRequest.StatusCode != HttpStatusCode.Created)
{
throw new Exception($"Request status {certificateRequest.StatusCode}");
}
// Main certicate and issuer certificate
Crt certificate;
Crt issuerCertificate;
// Certificate request was successful, save the certificate itself
var crtDerFile = Path.Combine(_certificatePath, $"{fileName}-crt.der");
_log.Information("Saving certificate to {crtDerFile}", _certificatePath);
using (var file = File.Create(crtDerFile))
certificateRequest.SaveCertificate(file);
// Save certificate in PEM format too
var crtPemFile = Path.Combine(_certificatePath, $"{fileName}-crt.pem");
using (FileStream source = new FileStream(crtDerFile, FileMode.Open),
target = new FileStream(crtPemFile, FileMode.Create))
{
certificate = cp.ImportCertificate(EncodingFormat.DER, source);
cp.ExportCertificate(certificate, EncodingFormat.PEM, target);
}
// Get issuer certificate and save in DER and PEM formats
issuerCertificate = GetIssuerCertificate(certificateRequest, cp);
var issuerDerFile = Path.Combine(_certificatePath, $"ca-{fileName}-crt.der");
using (var target = new FileStream(issuerDerFile, FileMode.Create))
cp.ExportCertificate(issuerCertificate, EncodingFormat.DER, target);
var issuerPemFile = Path.Combine(_certificatePath, $"ca-{fileName}-crt.pem");
using (var target = new FileStream(issuerPemFile, FileMode.Create))
cp.ExportCertificate(issuerCertificate, EncodingFormat.PEM, target);
// Save chain in PEM format
var chainPemFile = Path.Combine(_certificatePath, $"{fileName}-chain.pem");
using (FileStream intermediate = new FileStream(issuerPemFile, FileMode.Open),
certificateStrean = new FileStream(crtPemFile, FileMode.Open),
chain = new FileStream(chainPemFile, FileMode.Create))
{
certificateStrean.CopyTo(chain);
intermediate.CopyTo(chain);
}
// All raw data has been saved, now generate the PFX file
var pfxFile = PfxFilePath(binding);
var pfxPassword = Properties.Settings.Default.PFXPassword;
using (FileStream target = new FileStream(pfxFile, FileMode.Create))
{
try
{
cp.ExportArchive(rsaKeys,
new[] { certificate, issuerCertificate },
ArchiveFormat.PKCS12,
target,
pfxPassword);
}
catch (Exception ex)
{
_log.Error("Error exporting archive {@ex}", ex);
}
}
X509KeyStorageFlags flags = X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet;
if (Properties.Settings.Default.PrivateKeyExportable)
{
_log.Debug("Set private key exportable");
flags |= X509KeyStorageFlags.Exportable;
}
// See http://paulstovell.com/blog/x509certificate2
var res = new X509Certificate2(pfxFile, pfxPassword, flags);
var privateKey = (RSACryptoServiceProvider)res.PrivateKey;
res.PrivateKey = Convert(privateKey);
res.FriendlyName = friendlyName;
File.WriteAllBytes(pfxFile, res.Export(X509ContentType.Pfx, pfxPassword));
return(res);
}
}
private static ICertificatePal FromBlobOrFile(ReadOnlySpan <byte> rawData, string?fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
{
Debug.Assert(!rawData.IsEmpty || fileName != null);
Debug.Assert(password != null);
bool loadFromFile = (fileName != null);
PfxCertStoreFlags pfxCertStoreFlags = MapKeyStorageFlags(keyStorageFlags);
bool deleteKeyContainer = false;
CertEncodingType msgAndCertEncodingType;
ContentType contentType;
FormatType formatType;
SafeCertStoreHandle? hCertStore = null;
SafeCryptMsgHandle? hCryptMsg = null;
SafeCertContextHandle?pCertContext = null;
try
{
unsafe
{
fixed(byte *pRawData = rawData)
{
fixed(char *pFileName = fileName)
{
CRYPTOAPI_BLOB certBlob = new CRYPTOAPI_BLOB(loadFromFile ? 0 : rawData.Length, pRawData);
CertQueryObjectType objectType = loadFromFile ? CertQueryObjectType.CERT_QUERY_OBJECT_FILE : CertQueryObjectType.CERT_QUERY_OBJECT_BLOB;
void *pvObject = loadFromFile ? (void *)pFileName : (void *)&certBlob;
bool success = Interop.crypt32.CryptQueryObject(
objectType,
pvObject,
X509ExpectedContentTypeFlags,
X509ExpectedFormatTypeFlags,
0,
out msgAndCertEncodingType,
out contentType,
out formatType,
out hCertStore,
out hCryptMsg,
out pCertContext
);
if (!success)
{
int hr = Marshal.GetHRForLastWin32Error();
throw hr.ToCryptographicException();
}
}
}
if (contentType == ContentType.CERT_QUERY_CONTENT_PKCS7_SIGNED || contentType == ContentType.CERT_QUERY_CONTENT_PKCS7_SIGNED_EMBED)
{
pCertContext = GetSignerInPKCS7Store(hCertStore, hCryptMsg);
}
else if (contentType == ContentType.CERT_QUERY_CONTENT_PFX)
{
if (loadFromFile)
{
rawData = File.ReadAllBytes(fileName !);
}
pCertContext = FilterPFXStore(rawData !, password, pfxCertStoreFlags);
// If PersistKeySet is set we don't delete the key, so that it persists.
// If EphemeralKeySet is set we don't delete the key, because there's no file, so it's a wasteful call.
const X509KeyStorageFlags DeleteUnless =
X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.EphemeralKeySet;
deleteKeyContainer = ((keyStorageFlags & DeleteUnless) == 0);
}
CertificatePal pal = new CertificatePal(pCertContext, deleteKeyContainer);
pCertContext = null;
return(pal);
}
}
finally
{
if (hCertStore != null)
{
hCertStore.Dispose();
}
if (hCryptMsg != null)
{
hCryptMsg.Dispose();
}
if (pCertContext != null)
{
pCertContext.Dispose();
}
}
}
public virtual void Import(byte[] rawData, string password, X509KeyStorageFlags keyStorageFlags)
{
throw new PlatformNotSupportedException(SR.NotSupported_ImmutableX509Certificate);
}
public override X509Certificate2Impl Import(
byte[] data, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
{
return(Provider.GetNativeCertificate(data, password, keyStorageFlags));
}
public X509Certificate(byte[] rawData, String password, X509KeyStorageFlags keyStorageFlags)
{
throw new NotImplementedException("X509Certificate(byte[], String, X509KeyStorageFlags)");
}
/// <summary>X509PfxToParam</summary>
/// <param name="certificateFilePath">X.509鍵(*.cer)</param>
/// <param name="password">string</param>
/// <param name="flg">X509KeyStorageFlags</param>
/// <returns>RSAParameters(公開鍵)</returns>
public static RSAParameters X509PfxToParam(
string certificateFilePath, string password,
X509KeyStorageFlags flg = X509KeyStorageFlags.DefaultKeySet)
{
return(RsaPublicKeyConverter.X509PfxToProvider(certificateFilePath, password, flg).ExportParameters(false));
}
public virtual void Import(byte[] rawData, String password, X509KeyStorageFlags keyStorageFlags)
{
throw new NotImplementedException("Import");
}
internal static partial ILoaderPal FromBlob(ReadOnlySpan <byte> rawData, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
{
Debug.Assert(password != null);
ICertificatePal?singleCert;
bool ephemeralSpecified = keyStorageFlags.HasFlag(X509KeyStorageFlags.EphemeralKeySet);
if (OpenSslX509CertificateReader.TryReadX509Der(rawData, out singleCert) ||
OpenSslX509CertificateReader.TryReadX509Pem(rawData, out singleCert))
{
// The single X509 structure methods shouldn't return true and out null, only empty
// collections have that behavior.
Debug.Assert(singleCert != null);
return(SingleCertToLoaderPal(singleCert));
}
List <ICertificatePal>?certPals;
Exception?openSslException;
if (OpenSslPkcsFormatReader.TryReadPkcs7Der(rawData, out certPals) ||
OpenSslPkcsFormatReader.TryReadPkcs7Pem(rawData, out certPals) ||
OpenSslPkcsFormatReader.TryReadPkcs12(rawData, password, ephemeralSpecified, out certPals, out openSslException))
{
Debug.Assert(certPals != null);
return(ListToLoaderPal(certPals));
}
Debug.Assert(openSslException != null);
throw openSslException;
}
public X509Certificate2(byte[] rawData, SecureString password, X509KeyStorageFlags keyStorageFlags)
{
Import(rawData, password, keyStorageFlags);
}
public static ICertificatePal FromFile(string fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
{
return(FromBlobOrFile(ReadOnlySpan <byte> .Empty, fileName, password, keyStorageFlags));
}
public static ICertificatePal FromBlob(byte[] rawData, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
{
Debug.Assert(password != null);
ICertificatePal cert;
Exception openSslException;
if (TryReadX509Der(rawData, out cert) ||
TryReadX509Pem(rawData, out cert) ||
PkcsFormatReader.TryReadPkcs7Der(rawData, out cert) ||
PkcsFormatReader.TryReadPkcs7Pem(rawData, out cert) ||
PkcsFormatReader.TryReadPkcs12(rawData, password, out cert, out openSslException))
{
if (cert == null)
{
// Empty collection, most likely.
throw new CryptographicException();
}
return(cert);
}
// Unsupported
Debug.Assert(openSslException != null);
throw openSslException;
}
/// <summary>
/// Create a new instance of OAuthAuthentication using a byte array for certificate data.
/// </summary>
/// <param name="clientId">The ClientId (Consumer Key) for MasterCard API.</param>
/// <param name="rawCertificateData">The raw certificate data for authenticating to MasterCard API via OAuth.</param>
/// <param name="alias">The key alias. This is not used internally so passing in null or an empty string is ok. NOTE: This may be required in the future.</param>
/// <param name="password">The private key password.</param>
/// <param name="keyStoreFlags">Any additional flags that need to be passed to <see cref="X509Certificate2"/>. Azure (App Service, Cloud Service, VM, etc.) requires that <see cref="X509KeyStorageFlags.MachineKeySet"/> is used.</param>
public OAuthAuthentication(String clientId, byte[] rawCertificateData, String alias, String password, X509KeyStorageFlags keyStoreFlags = X509KeyStorageFlags.DefaultKeySet)
{
cert = new X509Certificate2(rawCertificateData, password, keyStoreFlags | X509KeyStorageFlags.Exportable);
privateKey = cert.PrivateKey;
this.clientId = clientId;
encoder = new UTF8Encoding();
}
public X509Certificate (byte[] rawData, string password, X509KeyStorageFlags keyStorageFlags):this() {
#if FEATURE_LEGACYNETCF
if ((rawData != null) && (rawData.Length != 0)) {
#endif
LoadCertificateFromBlob(rawData, password, keyStorageFlags);
#if FEATURE_LEGACYNETCF
}
#endif
}
public static ICertificatePal FromFile(string fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
{
// If we can't open the file, fail right away.
using (SafeBioHandle fileBio = Interop.Crypto.BioNewFile(fileName, "rb"))
{
Interop.Crypto.CheckValidOpenSslHandle(fileBio);
return(FromBio(fileBio, password));
}
}
public X509Certificate (string fileName, SecureString password, X509KeyStorageFlags keyStorageFlags):this() {
LoadCertificateFromFile(fileName, password, keyStorageFlags);
}
public X509Certificate2(string fileName, SecureString password, X509KeyStorageFlags keyStorageFlags)
{
Import(fileName, password, keyStorageFlags);
}
public virtual void Import(string fileName, SecureString password, X509KeyStorageFlags keyStorageFlags) {
Reset();
LoadCertificateFromFile(fileName, password, keyStorageFlags);
}
public override void Import(byte[] rawData, SecureString password, X509KeyStorageFlags keyStorageFlags)
{
Import(rawData, (string)null, keyStorageFlags);
}
private void LoadCertificateFromFile (string fileName, object password, X509KeyStorageFlags keyStorageFlags) {
if (fileName == null)
throw new ArgumentNullException("fileName");
Contract.EndContractBlock();
string fullPath = Path.GetFullPathInternal(fileName);
new FileIOPermission (FileIOPermissionAccess.Read, fullPath).Demand();
X509ContentType contentType = X509Utils.MapContentType(X509Utils._QueryCertFileType(fileName));
#if !FEATURE_CORECLR && !FEATURE_PAL
if (contentType == X509ContentType.Pkcs12 &&
(keyStorageFlags & X509KeyStorageFlags.PersistKeySet) == X509KeyStorageFlags.PersistKeySet) {
KeyContainerPermission kp = new KeyContainerPermission(KeyContainerPermissionFlags.Create);
kp.Demand();
}
#endif // !FEATURE_CORECLR && !FEATURE_PAL
uint dwFlags = X509Utils.MapKeyStorageFlags(keyStorageFlags);
IntPtr szPassword = IntPtr.Zero;
RuntimeHelpers.PrepareConstrainedRegions();
try {
szPassword = X509Utils.PasswordToHGlobalUni(password);
X509Utils._LoadCertFromFile(fileName,
szPassword,
dwFlags,
#if FEATURE_CORECLR
false,
#else // FEATURE_CORECLR
(keyStorageFlags & X509KeyStorageFlags.PersistKeySet) == 0 ? false : true,
#endif // FEATURE_CORECLR else
ref m_safeCertContext);
}
finally {
if (szPassword != IntPtr.Zero)
Marshal.ZeroFreeGlobalAllocUnicode(szPassword);
}
}
public override void Import(string fileName, SecureString password, X509KeyStorageFlags keyStorageFlags)
{
byte[] rawData = File.ReadAllBytes(fileName);
Import(rawData, (string)null, keyStorageFlags);
}
