public static IStorePal FromBlob(byte[] rawData, string password, X509KeyStorageFlags keyStorageFlags) { ICertificatePal singleCert; if (CertificatePal.TryReadX509Der(rawData, out singleCert) || CertificatePal.TryReadX509Pem(rawData, out singleCert)) { // The single X509 structure methods shouldn't return true and out null, only empty // collections have that behavior. Debug.Assert(singleCert != null); return SingleCertToStorePal(singleCert); } List<ICertificatePal> certPals; if (PkcsFormatReader.TryReadPkcs7Der(rawData, out certPals) || PkcsFormatReader.TryReadPkcs7Pem(rawData, out certPals) || PkcsFormatReader.TryReadPkcs12(rawData, password, out certPals)) { Debug.Assert(certPals != null); return ListToStorePal(certPals); } return null; }
public static void TestRawData(X509KeyStorageFlags keyStorageFlags) { byte[] expectedRawData = ( "308201e530820152a0030201020210d5b5bc1c458a558845" + "bff51cb4dff31c300906052b0e03021d05003011310f300d" + "060355040313064d794e616d65301e170d31303034303130" + "38303030305a170d3131303430313038303030305a301131" + "0f300d060355040313064d794e616d6530819f300d06092a" + "864886f70d010101050003818d0030818902818100b11e30" + "ea87424a371e30227e933ce6be0e65ff1c189d0d888ec8ff" + "13aa7b42b68056128322b21f2b6976609b62b6bc4cf2e55f" + "f5ae64e9b68c78a3c2dacc916a1bc7322dd353b32898675c" + "fb5b298b176d978b1f12313e3d865bc53465a11cca106870" + "a4b5d50a2c410938240e92b64902baea23eb093d9599e9e3" + "72e48336730203010001a346304430420603551d01043b30" + "39801024859ebf125e76af3f0d7979b4ac7a96a113301131" + "0f300d060355040313064d794e616d658210d5b5bc1c458a" + "558845bff51cb4dff31c300906052b0e03021d0500038181" + "009bf6e2cf830ed485b86d6b9e8dffdcd65efc7ec145cb93" + "48923710666791fcfa3ab59d689ffd7234b7872611c5c23e" + "5e0714531abadb5de492d2c736e1c929e648a65cc9eb63cd" + "84e57b5909dd5ddf5dbbba4a6498b9ca225b6e368b94913b" + "fc24de6b2bd9a26b192b957304b89531e902ffc91b54b237" + "bb228be8afcda26476").HexToByteArray(); using (var c = new X509Certificate2(TestData.PfxData, TestData.PfxDataPassword, keyStorageFlags)) { byte[] rawData = c.RawData; Assert.Equal(expectedRawData, rawData); } }
public static unsafe ICertificatePal FromBlob(byte[] rawData, string password, X509KeyStorageFlags keyStorageFlags) { // If we can see a hyphen, assume it's PEM. Otherwise try DER-X509, then fall back to DER-PKCS12. SafeX509Handle cert; // PEM if (rawData[0] == '-') { using (SafeBioHandle bio = Interop.libcrypto.BIO_new(Interop.libcrypto.BIO_s_mem())) { Interop.libcrypto.CheckValidOpenSslHandle(bio); Interop.libcrypto.BIO_write(bio, rawData, rawData.Length); cert = Interop.libcrypto.PEM_read_bio_X509_AUX(bio, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero); } Interop.libcrypto.CheckValidOpenSslHandle(cert); } // DER-X509 cert = Interop.libcrypto.OpenSslD2I((ptr, b, i) => Interop.libcrypto.d2i_X509(ptr, b, i), rawData, checkHandle: false); if (!cert.IsInvalid) { return new OpenSslX509CertificateReader(cert); } // DER-PKCS12 OpenSslPkcs12Reader pfx; if (OpenSslPkcs12Reader.TryRead(rawData, out pfx)) { using (pfx) { pfx.Decrypt(password); ICertificatePal first = null; foreach (OpenSslX509CertificateReader certPal in pfx.ReadCertificates()) { // When requesting an X509Certificate2 from a PFX only the first entry is // returned. Other entries should be disposed. if (first == null) { first = certPal; } else { certPal.Dispose(); } } return first; } } // Unsupported throw Interop.libcrypto.CreateOpenSslCryptographicException(); }
public static void ImportPkcs12Bytes_Single(X509KeyStorageFlags keyStorageFlags) { using (ImportedCollection ic = Cert.Import(TestData.PfxData, TestData.PfxDataPassword, keyStorageFlags)) { X509Certificate2Collection cc2 = ic.Collection; int count = cc2.Count; Assert.Equal(1, count); } }
public X509Certificate(byte[] rawData, string password, X509KeyStorageFlags keyStorageFlags) { if (rawData == null || rawData.Length == 0) throw new ArgumentException(SR.Arg_EmptyOrNullArray, nameof(rawData)); ValidateKeyStorageFlags(keyStorageFlags); Pal = CertificatePal.FromBlob(rawData, password, keyStorageFlags); }
public X509Certificate(string fileName, string password, X509KeyStorageFlags keyStorageFlags) { if (fileName == null) throw new ArgumentNullException(nameof(fileName)); ValidateKeyStorageFlags(keyStorageFlags); Pal = CertificatePal.FromFile(fileName, password, keyStorageFlags); }
public X509Certificate(byte[] rawData, string password, X509KeyStorageFlags keyStorageFlags) { if (rawData == null || rawData.Length == 0) throw new ArgumentException(SR.Arg_EmptyOrNullArray, "rawData"); if ((keyStorageFlags & ~KeyStorageFlagsAll) != 0) throw new ArgumentException(SR.Argument_InvalidFlag, "keyStorageFlags"); Pal = CertificatePal.FromBlob(rawData, password, keyStorageFlags); }
public X509Certificate(string fileName, string password, X509KeyStorageFlags keyStorageFlags) { if (fileName == null) throw new ArgumentNullException("fileName"); if ((keyStorageFlags & ~KeyStorageFlagsAll) != 0) throw new ArgumentException(SR.Argument_InvalidFlag, "keyStorageFlags"); Pal = CertificatePal.FromFile(fileName, password, keyStorageFlags); }
public static IStorePal FromFile(string fileName, string password, X509KeyStorageFlags keyStorageFlags) { using (SafeBioHandle bio = Interop.Crypto.BioNewFile(fileName, "rb")) { Interop.Crypto.CheckValidOpenSslHandle(bio); return FromBio(bio, password); } }
public static void ImportPkcs12Bytes_Chain(X509KeyStorageFlags keyStorageFlags) { using (ImportedCollection ic = Cert.Import(TestData.ChainPfxBytes, TestData.ChainPfxPassword, keyStorageFlags)) { X509Certificate2Collection certs = ic.Collection; int count = certs.Count; Assert.Equal(3, count); } }
public static ICertificatePal FromFile(string fileName, string password, X509KeyStorageFlags keyStorageFlags) { // If we can't open the file, fail right away. using (SafeBioHandle fileBio = Interop.Crypto.BioNewFile(fileName, "rb")) { Interop.Crypto.CheckValidOpenSslHandle(fileBio); return FromBio(fileBio, password); } }
public static void EnsurePrivateKeyPreferred(X509KeyStorageFlags keyStorageFlags) { using (var cert = new X509Certificate2(TestData.ChainPfxBytes, TestData.ChainPfxPassword, keyStorageFlags)) { // While checking cert.HasPrivateKey first is most matching of the test description, asserting // on the certificate's simple name will provide a more diagnosable failure. Assert.Equal("test.local", cert.GetNameInfo(X509NameType.SimpleName, false)); Assert.True(cert.HasPrivateKey, "cert.HasPrivateKey"); } }
public static X509Certificate2 GetCertificate(string filePath, string password, X509KeyStorageFlags flags) { try { return new X509Certificate2(filePath, password, flags); } catch (Exception) { throw; } }
internal static X509Certificate2Impl Import (byte[] rawData, string password, X509KeyStorageFlags keyStorageFlags) { var provider = MonoTlsProviderFactory.GetProvider (); if (provider.HasNativeCertificates) { var impl = provider.GetNativeCertificate (rawData, password, keyStorageFlags); return impl; } else { var impl = new X509Certificate2ImplMono (); impl.Import (rawData, password, keyStorageFlags); return impl; } }
public static void TestConstructor(X509KeyStorageFlags keyStorageFlags) { byte[] expectedThumbprint = "71cb4e2b02738ad44f8b382c93bd17ba665f9914".HexToByteArray(); using (var c = new X509Certificate2(TestData.PfxData, TestData.PfxDataPassword, keyStorageFlags)) { string subject = c.Subject; Assert.Equal("CN=MyName", subject); byte[] thumbPrint = c.GetCertHash(); Assert.Equal(expectedThumbprint, thumbPrint); } }
public X509Certificate(byte[] rawData, SecureString password, X509KeyStorageFlags keyStorageFlags) { if (rawData == null || rawData.Length == 0) throw new ArgumentException(SR.Arg_EmptyOrNullArray, nameof(rawData)); ValidateKeyStorageFlags(keyStorageFlags); using (var safePasswordHandle = new SafePasswordHandle(password)) { Pal = CertificatePal.FromBlob(rawData, safePasswordHandle, keyStorageFlags); } }
// this method maps a X509KeyStorageFlags enum to a combination of crypto API flags internal static uint MapKeyStorageFlags (X509KeyStorageFlags keyStorageFlags) { uint dwFlags = 0; if ((keyStorageFlags & X509KeyStorageFlags.UserKeySet) == X509KeyStorageFlags.UserKeySet) dwFlags |= CAPI.CRYPT_USER_KEYSET; else if ((keyStorageFlags & X509KeyStorageFlags.MachineKeySet) == X509KeyStorageFlags.MachineKeySet) dwFlags |= CAPI.CRYPT_MACHINE_KEYSET; if ((keyStorageFlags & X509KeyStorageFlags.Exportable) == X509KeyStorageFlags.Exportable) dwFlags |= CAPI.CRYPT_EXPORTABLE; if ((keyStorageFlags & X509KeyStorageFlags.UserProtected) == X509KeyStorageFlags.UserProtected) dwFlags |= CAPI.CRYPT_USER_PROTECTED; return dwFlags; }
public static IStorePal FromBlob(byte[] rawData, string password, X509KeyStorageFlags keyStorageFlags) { OpenSslPkcs12Reader pfx; if (OpenSslPkcs12Reader.TryRead(rawData, out pfx)) { using (pfx) { return PfxToCollection(pfx, password); } } return null; }
public static IStorePal FromFile(string fileName, string password, X509KeyStorageFlags keyStorageFlags) { using (SafeBioHandle fileBio = Interop.libcrypto.BIO_new_file(fileName, "rb")) { Interop.libcrypto.CheckValidOpenSslHandle(fileBio); OpenSslPkcs12Reader pfx; if (OpenSslPkcs12Reader.TryRead(fileBio, out pfx)) { using (pfx) { return PfxToCollection(pfx, password); } } } return null; }
internal void LoadCerts(MemoryX509Store certStore, X509KeyStorageFlags flags) { if (!File.Exists(this.FilePath)) { throw new FileNotFoundException("File does not exist", this.FilePath); } string ext = Path.GetExtension(this.FilePath) ?? string.Empty; switch (ext.ToLower()) { default: certStore.ImportKeyFile(this.FilePath, flags); break; case ".pfx": certStore.ImportKeyFile(FilePath, this.Password, flags); break; } }
public static void ImportPkcs12Bytes_Single_VerifyContents(X509KeyStorageFlags keyStorageFlags) { using (var pfxCer = new X509Certificate2(TestData.PfxData, TestData.PfxDataPassword, Cert.EphemeralIfPossible)) { using (ImportedCollection ic = Cert.Import(TestData.PfxData, TestData.PfxDataPassword, keyStorageFlags)) { X509Certificate2Collection cc2 = ic.Collection; int count = cc2.Count; Assert.Equal(1, count); using (X509Certificate2 c = cc2[0]) { // pfxCer was loaded directly, cc2[0] was Imported, two distinct copies. Assert.NotSame(pfxCer, c); Assert.Equal(pfxCer, c); Assert.Equal(pfxCer.Thumbprint, c.Thumbprint); } } } }
public static ICertificatePal FromBlob(byte[] rawData, string password, X509KeyStorageFlags keyStorageFlags) { ICertificatePal cert; if (TryReadX509Der(rawData, out cert) || TryReadX509Pem(rawData, out cert) || PkcsFormatReader.TryReadPkcs7Der(rawData, out cert) || PkcsFormatReader.TryReadPkcs7Pem(rawData, out cert) || PkcsFormatReader.TryReadPkcs12(rawData, password, out cert)) { if (cert == null) { // Empty collection, most likely. throw new CryptographicException(); } return cert; } // Unsupported throw Interop.Crypto.CreateOpenSslCryptographicException(); }
public static ICertificatePal FromFile(string fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags) { Debug.Assert(password != null); byte[] fileBytes = System.IO.File.ReadAllBytes(fileName); return(FromBlob(fileBytes, password, keyStorageFlags)); }
/// <inheritdoc /> public X509Certificate2?LoadCertificate(string subjectName, X509KeyStorageFlags storageFlags) { string filePath = Path.Combine(getCertificatePath(false), subjectName + defaultCertificateFileExtension); return(loadCertificate(filePath, string.Empty, storageFlags)); }
public static ICertificatePal FromBlob( ReadOnlySpan <byte> rawData, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags) { Debug.Assert(password != null); X509ContentType contentType = X509Certificate2.GetCertContentType(rawData); if (contentType == X509ContentType.Pkcs7) { // In single mode for a PKCS#7 signed or signed-and-enveloped file we're supposed to return // the certificate which signed the PKCS#7 file. // // X509Certificate2Collection::Export(X509ContentType.Pkcs7) claims to be a signed PKCS#7, // but doesn't emit a signature block. So this is hard to test. // // TODO(2910): Figure out how to extract the signing certificate, when it's present. throw new CryptographicException(SR.Cryptography_X509_PKCS7_NoSigner); } if (contentType == X509ContentType.Pkcs12) { if ((keyStorageFlags & X509KeyStorageFlags.EphemeralKeySet) == X509KeyStorageFlags.EphemeralKeySet) { throw new PlatformNotSupportedException(SR.Cryptography_X509_NoEphemeralPfx); } bool exportable = (keyStorageFlags & X509KeyStorageFlags.Exportable) == X509KeyStorageFlags.Exportable; bool persist = (keyStorageFlags & X509KeyStorageFlags.PersistKeySet) == X509KeyStorageFlags.PersistKeySet; SafeKeychainHandle keychain = persist ? Interop.AppleCrypto.SecKeychainCopyDefault() : Interop.AppleCrypto.CreateTemporaryKeychain(); using (keychain) { return(ImportPkcs12(rawData, password, exportable, keychain)); } } SafeSecIdentityHandle identityHandle; SafeSecCertificateHandle certHandle = Interop.AppleCrypto.X509ImportCertificate( rawData, contentType, SafePasswordHandle.InvalidHandle, SafeTemporaryKeychainHandle.InvalidHandle, exportable: true, out identityHandle); if (identityHandle.IsInvalid) { identityHandle.Dispose(); return(new AppleCertificatePal(certHandle)); } Debug.Fail("Non-PKCS12 import produced an identity handle"); identityHandle.Dispose(); certHandle.Dispose(); throw new CryptographicException(); }
internal override X509Certificate2Impl GetNativeCertificate( byte[] data, string password, X509KeyStorageFlags flags) { using (var handle = new SafePasswordHandle(password)) return(GetNativeCertificate(data, handle, flags)); }
public static ICertificatePal FromBlob(ReadOnlySpan <byte> rawData, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags) { return(FromBlobOrFile(rawData, null, password, keyStorageFlags)); }
public static ICertificatePal FromFile(string fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags) { ICertificatePal?pal; // If we can't open the file, fail right away. using (SafeBioHandle fileBio = Interop.Crypto.BioNewFile(fileName, "rb")) { Interop.Crypto.CheckValidOpenSslHandle(fileBio); pal = FromBio(fileBio); } if (pal == null) { PkcsFormatReader.TryReadPkcs12( File.ReadAllBytes(fileName), password, out pal, out Exception? exception); if (exception != null) { throw exception; } Debug.Assert(pal != null); } return(pal); }
/// <summary> /// Provides a similar API call to new X509Certificate(byte[],string,X509KeyStorageFlags) /// </summary> /// <param name="rawData">The bytes that represent the certificate</param> /// <param name="password">The certificate private password</param> /// <param name="keyStorageFlags">The certificate loading options</param> /// <param name="shouldValidatePfx">Flag to indicate if file should validated. Set to true if the rawData is retrieved from an untrusted source.</param> /// <returns>An instance of the X509Certificate</returns> public static X509Certificate2 NewX509Certificate2(byte[] rawData, string password, X509KeyStorageFlags keyStorageFlags, bool shouldValidatePfx) { string temporaryFileName = Path.GetTempFileName(); try { X509ContentType contentType = X509Certificate2.GetCertContentType(rawData); File.WriteAllBytes(temporaryFileName, rawData); return(new X509Certificate2(temporaryFileName, password, keyStorageFlags)); } finally { try { File.Delete(temporaryFileName); } catch (Exception) { // Not deleting the file is fine } } }
[System.Security.SecuritySafeCritical] // auto-generated private void LoadCertificateFromBlob (byte[] rawData, object password, X509KeyStorageFlags keyStorageFlags) { if (rawData == null || rawData.Length == 0) throw new ArgumentException(Environment.GetResourceString("Arg_EmptyOrNullArray"), "rawData"); Contract.EndContractBlock(); X509ContentType contentType = X509Utils.MapContentType(X509Utils._QueryCertBlobType(rawData)); #if !FEATURE_CORECLR && !FEATURE_PAL if (contentType == X509ContentType.Pkcs12 && (keyStorageFlags & X509KeyStorageFlags.PersistKeySet) == X509KeyStorageFlags.PersistKeySet) { KeyContainerPermission kp = new KeyContainerPermission(KeyContainerPermissionFlags.Create); kp.Demand(); } #endif // !FEATURE_CORECLR && !FEATURE_PAL uint dwFlags = X509Utils.MapKeyStorageFlags(keyStorageFlags); IntPtr szPassword = IntPtr.Zero; RuntimeHelpers.PrepareConstrainedRegions(); try { szPassword = X509Utils.PasswordToHGlobalUni(password); X509Utils._LoadCertFromBlob(rawData, szPassword, dwFlags, #if FEATURE_CORECLR false, #else // FEATURE_CORECLR (keyStorageFlags & X509KeyStorageFlags.PersistKeySet) == 0 ? false : true, #endif // FEATURE_CORECLR else ref m_safeCertContext); } finally { if (szPassword != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(szPassword); } }
public X509Certificate2?LoadRootCertificate(string pathOrName, string password, X509KeyStorageFlags storageFlags) { string path = getRootCertificatePath(pathOrName); return(loadCertificate(path, password, storageFlags)); }
public X509Certificate (byte[] rawData, SecureString password, X509KeyStorageFlags keyStorageFlags):this() { LoadCertificateFromBlob(rawData, password, keyStorageFlags); }
public virtual void Import(byte[] rawData, SecureString password, X509KeyStorageFlags keyStorageFlags) { Reset(); LoadCertificateFromBlob(rawData, password, keyStorageFlags); }
private static StorePal FromBlobOrFile(byte[] rawData, string fileName, string password, X509KeyStorageFlags keyStorageFlags) { bool fromFile = fileName != null; unsafe { fixed (byte* pRawData = rawData) { fixed (char* pFileName = fileName) { CRYPTOAPI_BLOB blob = new CRYPTOAPI_BLOB(fromFile ? 0 : rawData.Length, pRawData); bool persistKeySet = (0 != (keyStorageFlags & X509KeyStorageFlags.PersistKeySet)); PfxCertStoreFlags certStoreFlags = MapKeyStorageFlags(keyStorageFlags); void* pvObject = fromFile ? (void*)pFileName : (void*)&blob; ContentType contentType; SafeCertStoreHandle certStore; if (!Interop.crypt32.CryptQueryObject( fromFile ? CertQueryObjectType.CERT_QUERY_OBJECT_FILE : CertQueryObjectType.CERT_QUERY_OBJECT_BLOB, pvObject, StoreExpectedContentFlags, ExpectedFormatTypeFlags.CERT_QUERY_FORMAT_FLAG_ALL, 0, IntPtr.Zero, out contentType, IntPtr.Zero, out certStore, IntPtr.Zero, IntPtr.Zero )) { throw Marshal.GetLastWin32Error().ToCryptographicException(); } if (contentType == ContentType.CERT_QUERY_CONTENT_PFX) { certStore.Dispose(); if (fromFile) { rawData = File.ReadAllBytes(fileName); } fixed (byte* pRawData2 = rawData) { CRYPTOAPI_BLOB blob2 = new CRYPTOAPI_BLOB(rawData.Length, pRawData2); certStore = Interop.crypt32.PFXImportCertStore(ref blob2, password, certStoreFlags); if (certStore == null || certStore.IsInvalid) throw Marshal.GetLastWin32Error().ToCryptographicException(); } if (!persistKeySet) { // // If the user did not want us to persist private keys, then we should loop through all // the certificates in the collection and set our custom CERT_DELETE_KEYSET_PROP_ID property // so the key container will be deleted when the cert contexts will go away. // SafeCertContextHandle pCertContext = null; while (Interop.crypt32.CertEnumCertificatesInStore(certStore, ref pCertContext)) { CRYPTOAPI_BLOB nullBlob = new CRYPTOAPI_BLOB(0, null); if (!Interop.crypt32.CertSetCertificateContextProperty(pCertContext, CertContextPropId.CERT_DELETE_KEYSET_PROP_ID, CertSetPropertyFlags.CERT_SET_PROPERTY_INHIBIT_PERSIST_FLAG, &nullBlob)) throw Marshal.GetLastWin32Error().ToCryptographicException(); } } } return new StorePal(certStore); } } } }
/// <summary> /// Request certificate from the ACME server /// </summary> /// <param name="binding"></param> /// <returns></returns> public CertificateInfo RequestCertificate(Target binding) { // What are we going to get? var identifiers = binding.GetHosts(false); var friendlyName = FriendlyName(binding); var pfxPassword = Properties.Settings.Default.PFXPassword; var pfxFileInfo = new FileInfo(PfxFilePath(binding)); // Try using cached certificate first to avoid rate limiting during // (initial?) deployment troubleshooting. Real certificate requests // will only be done once per day maximum. if (pfxFileInfo.Exists && pfxFileInfo.LastWriteTime > DateTime.Now.AddDays(-1)) { try { var cached = new CertificateInfo() { Certificate = ReadForUse(pfxFileInfo, pfxPassword), PfxFile = pfxFileInfo }; var idn = new IdnMapping(); if (cached.SubjectName == identifiers.First() && cached.HostNames.Count == identifiers.Count && cached.HostNames.All(h => identifiers.Contains(idn.GetAscii(h)))) { if (_options.ForceRenewal) { _log.Warning("Cached certificate available but not used with --forcerenewal. Use 'Renew specific' or 'Renew all' in the main menu to run unscheduled renewals without hitting rate limits."); } else { _log.Warning("Using cached certificate for {friendlyName}. To force issue of a new certificate within 24 hours, delete the .pfx file from the CertificatePath or run with the --forcerenewal switch. Be ware that you might run into rate limits doing so.", friendlyName); return(cached); } } } catch { // File corrupt or invalid password? _log.Warning("Unable to read from certificate cache"); } } using (var cp = CertificateProvider.GetProvider("BouncyCastle")) { // Generate the private key and CSR var rsaPkp = GetRsaKeyParameters(); var rsaKeys = cp.GeneratePrivateKey(rsaPkp); var csr = GetCsr(cp, identifiers, rsaKeys); byte[] derRaw; using (var bs = new MemoryStream()) { cp.ExportCsr(csr, EncodingFormat.DER, bs); derRaw = bs.ToArray(); } var derB64U = JwsHelper.Base64UrlEncode(derRaw); // Save request parameters to disk using (var fs = new FileStream(GetPath(binding, "-gen-key.json"), FileMode.Create)) cp.SavePrivateKey(rsaKeys, fs); using (var fs = new FileStream(GetPath(binding, "-key.pem"), FileMode.Create)) cp.ExportPrivateKey(rsaKeys, EncodingFormat.PEM, fs); using (var fs = new FileStream(GetPath(binding, "-gen-csr.json"), FileMode.Create)) cp.SaveCsr(csr, fs); using (var fs = new FileStream(GetPath(binding, "-csr.pem"), FileMode.Create)) cp.ExportCsr(csr, EncodingFormat.PEM, fs); // Request the certificate from the ACME server _log.Information("Requesting certificate {friendlyName}", friendlyName); var certificateRequest = _client.Acme.RequestCertificate(derB64U); if (certificateRequest.StatusCode != HttpStatusCode.Created) { throw new Exception($"Request status {certificateRequest.StatusCode}"); } // Main certicate and issuer certificate Crt certificate; Crt issuerCertificate; // Certificate request was successful, save the certificate itself var crtDerFile = GetPath(binding, $"-crt.der"); _log.Information("Saving certificate to {crtDerFile}", _certificatePath); using (var file = File.Create(crtDerFile)) certificateRequest.SaveCertificate(file); // Save certificate in PEM format too var crtPemFile = GetPath(binding, $"-crt.pem"); using (FileStream source = new FileStream(crtDerFile, FileMode.Open), target = new FileStream(crtPemFile, FileMode.Create)) { certificate = cp.ImportCertificate(EncodingFormat.DER, source); cp.ExportCertificate(certificate, EncodingFormat.PEM, target); } // Get issuer certificate and save in DER and PEM formats issuerCertificate = GetIssuerCertificate(certificateRequest, cp); using (var target = new FileStream(GetPath(binding, "-crt.der", "ca-"), FileMode.Create)) cp.ExportCertificate(issuerCertificate, EncodingFormat.DER, target); var issuerPemFile = GetPath(binding, "-crt.pem", "ca-"); using (var target = new FileStream(issuerPemFile, FileMode.Create)) cp.ExportCertificate(issuerCertificate, EncodingFormat.PEM, target); // Save chain in PEM format using (FileStream intermediate = new FileStream(issuerPemFile, FileMode.Open), certificateStrean = new FileStream(crtPemFile, FileMode.Open), chain = new FileStream(GetPath(binding, "-chain.pem"), FileMode.Create)) { certificateStrean.CopyTo(chain); intermediate.CopyTo(chain); } // All raw data has been saved, now generate the PFX file using (FileStream target = new FileStream(pfxFileInfo.FullName, FileMode.Create)) { try { cp.ExportArchive(rsaKeys, new[] { certificate, issuerCertificate }, ArchiveFormat.PKCS12, target, pfxPassword); } catch (Exception ex) { _log.Error("Error exporting archive {@ex}", ex); } } // Flags used for the internally cached certificate X509KeyStorageFlags internalFlags = X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable; // See http://paulstovell.com/blog/x509certificate2 try { // Convert Private Key to different CryptoProvider _log.Verbose("Converting private key..."); var res = new X509Certificate2(pfxFileInfo.FullName, pfxPassword, internalFlags); var privateKey = (RSACryptoServiceProvider)res.PrivateKey; res.PrivateKey = Convert(privateKey); res.FriendlyName = friendlyName; File.WriteAllBytes(pfxFileInfo.FullName, res.Export(X509ContentType.Pfx, pfxPassword)); pfxFileInfo.Refresh(); } catch (Exception ex) { // If we couldn't convert the private key that // means we're left with a pfx generated with the // 'wrong' Crypto provider therefor delete it to // make sure it's retried on the next run. _log.Warning("Error converting private key to Microsoft RSA SChannel Cryptographic Provider, which means it might not be usable for Exchange."); _log.Verbose("{ex}", ex); } // Recreate X509Certificate2 with correct flags for Store/Install return(new CertificateInfo() { Certificate = ReadForUse(pfxFileInfo, pfxPassword), PfxFile = pfxFileInfo }); } }
internal X509Certificate2Impl GetNativeCertificate( byte[] data, SafePasswordHandle password, X509KeyStorageFlags flags) { return(new X509CertificateImplBtls(data, password, flags)); }
internal static partial ILoaderPal FromFile(string fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags) { Debug.Assert(password != null); byte[] fileBytes = File.ReadAllBytes(fileName); return(FromBlob(fileBytes, password, keyStorageFlags)); }
public virtual void Import(String fileName, String password, X509KeyStorageFlags keyStorageFlags) { throw new NotImplementedException("Import"); }
internal static partial ILoaderPal FromBlob(ReadOnlySpan <byte> rawData, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags) { List <ICertificatePal>?certificateList = null; AppleCertificatePal.TryDecodePem( rawData, (derData, contentType) => { certificateList = certificateList ?? new List <ICertificatePal>(); certificateList.Add(AppleCertificatePal.FromDerBlob(derData, contentType, password, keyStorageFlags)); return(true); }); if (certificateList != null) { return(new CertCollectionLoader(certificateList)); } bool ephemeralSpecified = keyStorageFlags.HasFlag(X509KeyStorageFlags.EphemeralKeySet); X509ContentType contentType = AppleCertificatePal.GetDerCertContentType(rawData); if (contentType == X509ContentType.Pkcs7) { throw new CryptographicException( SR.Cryptography_X509_PKCS7_Unsupported, new PlatformNotSupportedException(SR.Cryptography_X509_PKCS7_Unsupported)); } if (contentType == X509ContentType.Pkcs12) { ApplePkcs12Reader reader = new ApplePkcs12Reader(rawData); try { reader.Decrypt(password, ephemeralSpecified); return(new ApplePkcs12CertLoader(reader, password)); } catch { reader.Dispose(); throw; } } SafeCFArrayHandle certs = Interop.AppleCrypto.X509ImportCollection( rawData, contentType, password); using (certs) { long longCount = Interop.CoreFoundation.CFArrayGetCount(certs); if (longCount > int.MaxValue) { throw new CryptographicException(); } int count = (int)longCount; // Apple returns things in the opposite order from Windows, so read backwards. certificateList = new List <ICertificatePal>(count); for (int i = count - 1; i >= 0; i--) { IntPtr handle = Interop.CoreFoundation.CFArrayGetValueAtIndex(certs, i); if (handle != IntPtr.Zero) { ICertificatePal?certPal = AppleCertificatePal.FromHandle(handle, throwOnFail: false); if (certPal != null) { certificateList.Add(certPal); } } } } return(new CertCollectionLoader(certificateList)); }
public virtual void Import(string fileName, SecureString password, X509KeyStorageFlags keyStorageFlags) { throw new PlatformNotSupportedException(SR.NotSupported_ImmutableX509Certificate); }
/// <summary> /// Request certificate from Let's Encrypt /// </summary> /// <param name="binding"></param> /// <returns></returns> public X509Certificate2 RequestCertificate(Target binding) { // What are we going to get? var identifiers = binding.GetHosts(false); var fileName = FileNamePart(binding); var friendlyName = FriendlyName(binding); using (var cp = CertificateProvider.GetProvider("BouncyCastle")) { // Generate the private key and CSR var rsaPkp = GetRsaKeyParameters(); var rsaKeys = cp.GeneratePrivateKey(rsaPkp); var csr = GetCsr(cp, identifiers, rsaKeys); byte[] derRaw; using (var bs = new MemoryStream()) { cp.ExportCsr(csr, EncodingFormat.DER, bs); derRaw = bs.ToArray(); } var derB64U = JwsHelper.Base64UrlEncode(derRaw); // Save request parameters to disk var keyGenFile = Path.Combine(_certificatePath, $"{fileName}-gen-key.json"); using (var fs = new FileStream(keyGenFile, FileMode.Create)) cp.SavePrivateKey(rsaKeys, fs); var keyPemFile = Path.Combine(_certificatePath, $"{fileName}-key.pem"); using (var fs = new FileStream(keyPemFile, FileMode.Create)) cp.ExportPrivateKey(rsaKeys, EncodingFormat.PEM, fs); var csrGenFile = Path.Combine(_certificatePath, $"{fileName}-gen-csr.json"); using (var fs = new FileStream(csrGenFile, FileMode.Create)) cp.SaveCsr(csr, fs); var csrPemFile = Path.Combine(_certificatePath, $"{fileName}-csr.pem"); using (var fs = new FileStream(csrPemFile, FileMode.Create)) cp.ExportCsr(csr, EncodingFormat.PEM, fs); // Request the certificate from Let's Encrypt _log.Information("Requesting certificate {friendlyName}", friendlyName); var certificateRequest = _client.RequestCertificate(derB64U); if (certificateRequest.StatusCode != HttpStatusCode.Created) { throw new Exception($"Request status {certificateRequest.StatusCode}"); } // Main certicate and issuer certificate Crt certificate; Crt issuerCertificate; // Certificate request was successful, save the certificate itself var crtDerFile = Path.Combine(_certificatePath, $"{fileName}-crt.der"); _log.Information("Saving certificate to {crtDerFile}", _certificatePath); using (var file = File.Create(crtDerFile)) certificateRequest.SaveCertificate(file); // Save certificate in PEM format too var crtPemFile = Path.Combine(_certificatePath, $"{fileName}-crt.pem"); using (FileStream source = new FileStream(crtDerFile, FileMode.Open), target = new FileStream(crtPemFile, FileMode.Create)) { certificate = cp.ImportCertificate(EncodingFormat.DER, source); cp.ExportCertificate(certificate, EncodingFormat.PEM, target); } // Get issuer certificate and save in DER and PEM formats issuerCertificate = GetIssuerCertificate(certificateRequest, cp); var issuerDerFile = Path.Combine(_certificatePath, $"ca-{fileName}-crt.der"); using (var target = new FileStream(issuerDerFile, FileMode.Create)) cp.ExportCertificate(issuerCertificate, EncodingFormat.DER, target); var issuerPemFile = Path.Combine(_certificatePath, $"ca-{fileName}-crt.pem"); using (var target = new FileStream(issuerPemFile, FileMode.Create)) cp.ExportCertificate(issuerCertificate, EncodingFormat.PEM, target); // Save chain in PEM format var chainPemFile = Path.Combine(_certificatePath, $"{fileName}-chain.pem"); using (FileStream intermediate = new FileStream(issuerPemFile, FileMode.Open), certificateStrean = new FileStream(crtPemFile, FileMode.Open), chain = new FileStream(chainPemFile, FileMode.Create)) { certificateStrean.CopyTo(chain); intermediate.CopyTo(chain); } // All raw data has been saved, now generate the PFX file var pfxFile = PfxFilePath(binding); var pfxPassword = Properties.Settings.Default.PFXPassword; using (FileStream target = new FileStream(pfxFile, FileMode.Create)) { try { cp.ExportArchive(rsaKeys, new[] { certificate, issuerCertificate }, ArchiveFormat.PKCS12, target, pfxPassword); } catch (Exception ex) { _log.Error("Error exporting archive {@ex}", ex); } } X509KeyStorageFlags flags = X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet; if (Properties.Settings.Default.PrivateKeyExportable) { _log.Debug("Set private key exportable"); flags |= X509KeyStorageFlags.Exportable; } // See http://paulstovell.com/blog/x509certificate2 var res = new X509Certificate2(pfxFile, pfxPassword, flags); var privateKey = (RSACryptoServiceProvider)res.PrivateKey; res.PrivateKey = Convert(privateKey); res.FriendlyName = friendlyName; File.WriteAllBytes(pfxFile, res.Export(X509ContentType.Pfx, pfxPassword)); return(res); } }
private static ICertificatePal FromBlobOrFile(ReadOnlySpan <byte> rawData, string?fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags) { Debug.Assert(!rawData.IsEmpty || fileName != null); Debug.Assert(password != null); bool loadFromFile = (fileName != null); PfxCertStoreFlags pfxCertStoreFlags = MapKeyStorageFlags(keyStorageFlags); bool deleteKeyContainer = false; CertEncodingType msgAndCertEncodingType; ContentType contentType; FormatType formatType; SafeCertStoreHandle? hCertStore = null; SafeCryptMsgHandle? hCryptMsg = null; SafeCertContextHandle?pCertContext = null; try { unsafe { fixed(byte *pRawData = rawData) { fixed(char *pFileName = fileName) { CRYPTOAPI_BLOB certBlob = new CRYPTOAPI_BLOB(loadFromFile ? 0 : rawData.Length, pRawData); CertQueryObjectType objectType = loadFromFile ? CertQueryObjectType.CERT_QUERY_OBJECT_FILE : CertQueryObjectType.CERT_QUERY_OBJECT_BLOB; void *pvObject = loadFromFile ? (void *)pFileName : (void *)&certBlob; bool success = Interop.crypt32.CryptQueryObject( objectType, pvObject, X509ExpectedContentTypeFlags, X509ExpectedFormatTypeFlags, 0, out msgAndCertEncodingType, out contentType, out formatType, out hCertStore, out hCryptMsg, out pCertContext ); if (!success) { int hr = Marshal.GetHRForLastWin32Error(); throw hr.ToCryptographicException(); } } } if (contentType == ContentType.CERT_QUERY_CONTENT_PKCS7_SIGNED || contentType == ContentType.CERT_QUERY_CONTENT_PKCS7_SIGNED_EMBED) { pCertContext = GetSignerInPKCS7Store(hCertStore, hCryptMsg); } else if (contentType == ContentType.CERT_QUERY_CONTENT_PFX) { if (loadFromFile) { rawData = File.ReadAllBytes(fileName !); } pCertContext = FilterPFXStore(rawData !, password, pfxCertStoreFlags); // If PersistKeySet is set we don't delete the key, so that it persists. // If EphemeralKeySet is set we don't delete the key, because there's no file, so it's a wasteful call. const X509KeyStorageFlags DeleteUnless = X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.EphemeralKeySet; deleteKeyContainer = ((keyStorageFlags & DeleteUnless) == 0); } CertificatePal pal = new CertificatePal(pCertContext, deleteKeyContainer); pCertContext = null; return(pal); } } finally { if (hCertStore != null) { hCertStore.Dispose(); } if (hCryptMsg != null) { hCryptMsg.Dispose(); } if (pCertContext != null) { pCertContext.Dispose(); } } }
public virtual void Import(byte[] rawData, string password, X509KeyStorageFlags keyStorageFlags) { throw new PlatformNotSupportedException(SR.NotSupported_ImmutableX509Certificate); }
public override X509Certificate2Impl Import( byte[] data, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags) { return(Provider.GetNativeCertificate(data, password, keyStorageFlags)); }
public X509Certificate(byte[] rawData, String password, X509KeyStorageFlags keyStorageFlags) { throw new NotImplementedException("X509Certificate(byte[], String, X509KeyStorageFlags)"); }
/// <summary>X509PfxToParam</summary> /// <param name="certificateFilePath">X.509鍵(*.cer)</param> /// <param name="password">string</param> /// <param name="flg">X509KeyStorageFlags</param> /// <returns>RSAParameters(公開鍵)</returns> public static RSAParameters X509PfxToParam( string certificateFilePath, string password, X509KeyStorageFlags flg = X509KeyStorageFlags.DefaultKeySet) { return(RsaPublicKeyConverter.X509PfxToProvider(certificateFilePath, password, flg).ExportParameters(false)); }
public virtual void Import(byte[] rawData, String password, X509KeyStorageFlags keyStorageFlags) { throw new NotImplementedException("Import"); }
internal static partial ILoaderPal FromBlob(ReadOnlySpan <byte> rawData, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags) { Debug.Assert(password != null); ICertificatePal?singleCert; bool ephemeralSpecified = keyStorageFlags.HasFlag(X509KeyStorageFlags.EphemeralKeySet); if (OpenSslX509CertificateReader.TryReadX509Der(rawData, out singleCert) || OpenSslX509CertificateReader.TryReadX509Pem(rawData, out singleCert)) { // The single X509 structure methods shouldn't return true and out null, only empty // collections have that behavior. Debug.Assert(singleCert != null); return(SingleCertToLoaderPal(singleCert)); } List <ICertificatePal>?certPals; Exception?openSslException; if (OpenSslPkcsFormatReader.TryReadPkcs7Der(rawData, out certPals) || OpenSslPkcsFormatReader.TryReadPkcs7Pem(rawData, out certPals) || OpenSslPkcsFormatReader.TryReadPkcs12(rawData, password, ephemeralSpecified, out certPals, out openSslException)) { Debug.Assert(certPals != null); return(ListToLoaderPal(certPals)); } Debug.Assert(openSslException != null); throw openSslException; }
public X509Certificate2(byte[] rawData, SecureString password, X509KeyStorageFlags keyStorageFlags) { Import(rawData, password, keyStorageFlags); }
public static ICertificatePal FromFile(string fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags) { return(FromBlobOrFile(ReadOnlySpan <byte> .Empty, fileName, password, keyStorageFlags)); }
public static ICertificatePal FromBlob(byte[] rawData, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags) { Debug.Assert(password != null); ICertificatePal cert; Exception openSslException; if (TryReadX509Der(rawData, out cert) || TryReadX509Pem(rawData, out cert) || PkcsFormatReader.TryReadPkcs7Der(rawData, out cert) || PkcsFormatReader.TryReadPkcs7Pem(rawData, out cert) || PkcsFormatReader.TryReadPkcs12(rawData, password, out cert, out openSslException)) { if (cert == null) { // Empty collection, most likely. throw new CryptographicException(); } return(cert); } // Unsupported Debug.Assert(openSslException != null); throw openSslException; }
/// <summary> /// Create a new instance of OAuthAuthentication using a byte array for certificate data. /// </summary> /// <param name="clientId">The ClientId (Consumer Key) for MasterCard API.</param> /// <param name="rawCertificateData">The raw certificate data for authenticating to MasterCard API via OAuth.</param> /// <param name="alias">The key alias. This is not used internally so passing in null or an empty string is ok. NOTE: This may be required in the future.</param> /// <param name="password">The private key password.</param> /// <param name="keyStoreFlags">Any additional flags that need to be passed to <see cref="X509Certificate2"/>. Azure (App Service, Cloud Service, VM, etc.) requires that <see cref="X509KeyStorageFlags.MachineKeySet"/> is used.</param> public OAuthAuthentication(String clientId, byte[] rawCertificateData, String alias, String password, X509KeyStorageFlags keyStoreFlags = X509KeyStorageFlags.DefaultKeySet) { cert = new X509Certificate2(rawCertificateData, password, keyStoreFlags | X509KeyStorageFlags.Exportable); privateKey = cert.PrivateKey; this.clientId = clientId; encoder = new UTF8Encoding(); }
public X509Certificate (byte[] rawData, string password, X509KeyStorageFlags keyStorageFlags):this() { #if FEATURE_LEGACYNETCF if ((rawData != null) && (rawData.Length != 0)) { #endif LoadCertificateFromBlob(rawData, password, keyStorageFlags); #if FEATURE_LEGACYNETCF } #endif }
public static ICertificatePal FromFile(string fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags) { // If we can't open the file, fail right away. using (SafeBioHandle fileBio = Interop.Crypto.BioNewFile(fileName, "rb")) { Interop.Crypto.CheckValidOpenSslHandle(fileBio); return(FromBio(fileBio, password)); } }
public X509Certificate (string fileName, SecureString password, X509KeyStorageFlags keyStorageFlags):this() { LoadCertificateFromFile(fileName, password, keyStorageFlags); }
public X509Certificate2(string fileName, SecureString password, X509KeyStorageFlags keyStorageFlags) { Import(fileName, password, keyStorageFlags); }
public virtual void Import(string fileName, SecureString password, X509KeyStorageFlags keyStorageFlags) { Reset(); LoadCertificateFromFile(fileName, password, keyStorageFlags); }
public override void Import(byte[] rawData, SecureString password, X509KeyStorageFlags keyStorageFlags) { Import(rawData, (string)null, keyStorageFlags); }
private void LoadCertificateFromFile (string fileName, object password, X509KeyStorageFlags keyStorageFlags) { if (fileName == null) throw new ArgumentNullException("fileName"); Contract.EndContractBlock(); string fullPath = Path.GetFullPathInternal(fileName); new FileIOPermission (FileIOPermissionAccess.Read, fullPath).Demand(); X509ContentType contentType = X509Utils.MapContentType(X509Utils._QueryCertFileType(fileName)); #if !FEATURE_CORECLR && !FEATURE_PAL if (contentType == X509ContentType.Pkcs12 && (keyStorageFlags & X509KeyStorageFlags.PersistKeySet) == X509KeyStorageFlags.PersistKeySet) { KeyContainerPermission kp = new KeyContainerPermission(KeyContainerPermissionFlags.Create); kp.Demand(); } #endif // !FEATURE_CORECLR && !FEATURE_PAL uint dwFlags = X509Utils.MapKeyStorageFlags(keyStorageFlags); IntPtr szPassword = IntPtr.Zero; RuntimeHelpers.PrepareConstrainedRegions(); try { szPassword = X509Utils.PasswordToHGlobalUni(password); X509Utils._LoadCertFromFile(fileName, szPassword, dwFlags, #if FEATURE_CORECLR false, #else // FEATURE_CORECLR (keyStorageFlags & X509KeyStorageFlags.PersistKeySet) == 0 ? false : true, #endif // FEATURE_CORECLR else ref m_safeCertContext); } finally { if (szPassword != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(szPassword); } }
public override void Import(string fileName, SecureString password, X509KeyStorageFlags keyStorageFlags) { byte[] rawData = File.ReadAllBytes(fileName); Import(rawData, (string)null, keyStorageFlags); }