/// <summary>
/// Builds the Mono-backed implementation from encoded certificate data, dispatching on the
/// content type sniffed from the bytes (PKCS#12, bare/PKCS#7 certificate or, where compiled
/// in, an Authenticode blob whose signing certificate is kept).
/// </summary>
/// <param name="rawData">Encoded certificate bytes.</param>
/// <param name="password">Used only when the data is a PKCS#12 container.</param>
/// <param name="keyStorageFlags">Accepted for signature compatibility; not consulted here.</param>
/// <exception cref="CryptographicException">The bytes are not a recognised encoding, or an
/// Authenticode blob carries no signing certificate.</exception>
public X509Certificate2ImplMono(byte[] rawData, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
{
    X509ContentType contentType = X509Certificate2.GetCertContentType(rawData);
    switch (contentType) {
    case X509ContentType.Pkcs12:
        _cert = ImportPkcs12(rawData, password);
        break;
    case X509ContentType.Cert:
    case X509ContentType.Pkcs7:
        _cert = new MX.X509Certificate(rawData);
        break;
#if !MONOTOUCH_WATCH
    case X509ContentType.Authenticode:
        // Only the signing certificate is retained; a blob without one is an error.
        var deformatter = new AuthenticodeDeformatter(rawData);
        var signing = deformatter.SigningCertificate;
        if (signing == null) {
            goto default;
        }
        _cert = signing;
        break;
#endif
    default:
        throw new CryptographicException(Locale.GetText("Unable to decode certificate."));
    }
}
/// <summary>
/// Loads a certificate from <paramref name="rawData"/> after delegating to the base import.
/// Without a password the plain X.509 encoding is tried first and PKCS#12 second; with a
/// password the order is reversed, because a password may be supplied for data that does
/// not need one.
/// </summary>
/// <param name="rawData">Encoded certificate or PKCS#12 bytes.</param>
/// <param name="password">PKCS#12 password, or null.</param>
/// <param name="keyStorageFlags">Passed through to the base implementation.</param>
/// <exception cref="CryptographicException">Neither encoding could be decoded (no-password path);
/// the inner exception is the failure of the first, plain X.509 attempt.</exception>
public override void Import(byte[] rawData, string password, X509KeyStorageFlags keyStorageFlags)
{
    base.Import(rawData, password, keyStorageFlags);

    if (password != null) {
        // PKCS#12 first; fall back to the plain encoding when the password was not needed (bug #79028).
        try {
            ImportPkcs12(rawData, password);
        } catch {
            _cert = new MX.X509Certificate(rawData);
        }
        return;
    }

    try {
        _cert = new MX.X509Certificate(rawData);
    } catch (Exception first) {
        try {
            ImportPkcs12(rawData, null);
        } catch {
            // Report the original (plain X.509) failure, not the secondary PKCS#12 one.
            throw new CryptographicException(Locale.GetText("Unable to decode certificate."), first);
        }
    }
}
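// RFC2818 - HTTP Over TLS, Section 3.1
// http://www.ietf.org/rfc/rfc2818.txt
//
// 1. if present MUST use subjectAltName dNSName as identity
// 1.1. if multiples entries a match of any one is acceptable
// 1.2. wildcard * is acceptable
// 2. URI may be an IP address -> subjectAltName.iPAddress
// 2.1. exact match is required
// 3. Use of the most specific Common Name (CN=) in the Subject
// 3.1 Existing practice but DEPRECATED
//
/// <summary>
/// Checks that <paramref name="cert"/> names <paramref name="targetHost"/>, per RFC 2818 §3.1.
/// </summary>
/// <param name="cert">The server's end-entity certificate.</param>
/// <param name="targetHost">Host name or IP address literal the client connected to.</param>
/// <returns>true on a match; false on no match, and also on any error while decoding the
/// certificate (fail closed).</returns>
static bool CheckServerIdentity(MSX.X509Certificate cert, string targetHost)
{
    try {
        MSX.X509Extension ext = cert.Extensions ["2.5.29.17"]; // id-ce-subjectAltName
        if (ext != null) {
            var subjectAltName = new SubjectAltNameExtension(ext);
            bool sawDnsName = false;

            // 1.1 any dNSName entry may match (1.2 wildcard handling, if any, belongs in Match()).
            foreach (string dns in subjectAltName.DNSNames) {
                sawDnsName = true;
                if (Match(targetHost, dns)) {
                    return true;
                }
            }

            // 2.1 iPAddress entries require an exact textual match.
            foreach (string ip in subjectAltName.IPAddresses) {
                if (ip == targetHost) {
                    return true;
                }
            }

            // RFC 2818 §3.1 (and RFC 6125 §6.4.4): once dNSName entries exist they *are* the
            // identity, so the deprecated CN fallback must not accept a certificate whose SAN
            // lists only other hosts.
            if (sawDnsName) {
                return false;
            }
        }

        // 3. Common Name (CN=) — legacy fallback for certificates without dNSName entries.
        return CheckDomainName(cert.SubjectName, targetHost);
    } catch (Exception e) {
        // An undecodable certificate is never accepted.
        Console.Error.WriteLine("ERROR processing certificate: {0}", e);
        Console.Error.WriteLine("Please, report this problem to the Mono team");
        return false;
    }
}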
/// <summary>
/// Copy constructor: shares the decoded certificate with <paramref name="other"/> and takes a
/// clone of its intermediate-certificate chain, if it has one.
/// </summary>
X509Certificate2ImplMono(X509Certificate2ImplMono other)
{
    _cert = other._cert;
    var chain = other.intermediateCerts;
    if (chain != null) {
        intermediateCerts = chain.Clone();
    }
}
/// <summary>
/// Verifies the signature on <paramref name="signed"/> against <paramref name="pubkey"/>.
/// </summary>
/// <param name="signed">Certificate whose signature is checked.</param>
/// <param name="pubkey">Candidate issuer public key; null never verifies.</param>
/// <returns>true when the signature verifies under the key.</returns>
/// <remarks>
/// X509Certificate2 exposes neither the signature nor the TBS structure, so the check is
/// delegated to the underlying Mono certificate.
/// </remarks>
private bool IsSignedWith(X509Certificate2 signed, AsymmetricAlgorithm pubkey)
{
    if (pubkey == null) {
        return false;
    }
    MX.X509Certificate monoCert = signed.MonoCertificate;
    bool verified = monoCert.VerifySignature(pubkey);
    return verified;
}
/// <summary>
/// Drops the decoded certificate and cached public key, and disposes and forgets the
/// intermediate-certificate chain when one is held.
/// </summary>
public override void Reset()
{
    _publicKey = null;
    _cert = null;

    var chain = intermediateCerts;
    if (chain == null) {
        return;
    }
    chain.Dispose();
    intermediateCerts = null;
}
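/// <summary>
/// Opens a PKCS#12 container and returns the certificate that belongs to its first key, with
/// that key attached (as RSA or DSA). Falls back to the first certificate, without a key, when
/// the container has no key, the key is not an <see cref="AsymmetricAlgorithm"/>, or no
/// certificate's public key matches it.
/// </summary>
/// <param name="rawData">PKCS#12 (PFX) bytes.</param>
/// <param name="password">Container password. Null or empty tries the unencrypted form first
/// and then an empty password.</param>
/// <returns>The selected certificate, or null when the container holds no certificate.</returns>
private MX.X509Certificate ImportPkcs12(byte[] rawData, string password)
{
    MX.PKCS12 pfx;
    if (string.IsNullOrEmpty(password)) {
        try {
            // Unencrypted PKCS#12 first...
            pfx = new MX.PKCS12(rawData, (string)null);
        } catch {
            // ...then PKCS#12 encrypted with an empty password.
            pfx = new MX.PKCS12(rawData, string.Empty);
        }
    } else {
        pfx = new MX.PKCS12(rawData, password);
    }

    if (pfx.Certificates.Count == 0) {
        return null;
    }
    if (pfx.Keys.Count == 0) {
        return pfx.Certificates [0];
    }

    // The original dereferenced the 'as' result unconditionally; a key of another type now
    // degrades to "no usable key" instead of a NullReferenceException.
    var keypair = pfx.Keys [0] as AsymmetricAlgorithm;
    if (keypair == null) {
        return pfx.Certificates [0];
    }

    // Pair the key with its certificate by comparing public parameters only (false = no private part).
    string pubkey = keypair.ToXmlString(false);
    MX.X509Certificate match = null;
    foreach (var c in pfx.Certificates) {
        if ((c.RSA != null && pubkey == c.RSA.ToXmlString(false)) ||
            (c.DSA != null && pubkey == c.DSA.ToXmlString(false))) {
            match = c;
            break;
        }
    }
    if (match == null) {
        // No certificate matches the key: return the first one without attaching a key.
        return pfx.Certificates [0];
    }
    match.RSA = keypair as RSA;
    match.DSA = keypair as DSA;
    return match;
}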
/// <summary>
/// Wraps every extension of a Mono certificate in the framework's <see cref="X509Extension"/>
/// types: the OID-specific class when one is known, the generic <see cref="X509Extension"/> otherwise.
/// </summary>
/// <param name="cert">Decoded Mono certificate whose extensions are copied.</param>
internal X509ExtensionCollection(MX.X509Certificate cert)
{
    int count = cert.Extensions.Count;
    _list = new ArrayList(count);
    if (count == 0) {
        return;
    }

    foreach (MX.X509Extension ext in cert.Extensions) {
        string oid = ext.Oid;
        bool critical = ext.Critical;

        // The extension payload is carried inside an OCTET STRING (tag 0x04); anything else yields no data.
        byte[] rawData = null;
        var value = ext.Value;
        if (value.Tag == 0x04 && value.Count > 0) {
            rawData = value [0].GetBytes();
        }

        X509Extension wrapped = null;
#if FULL_AOT_RUNTIME
        // No CryptoConfig lookup under AOT: only the built-in extension types are mapped.
        switch (oid) {
        case "2.5.29.14":
            wrapped = new X509SubjectKeyIdentifierExtension(new AsnEncodedData(oid, rawData), critical);
            break;
        case "2.5.29.15":
            wrapped = new X509KeyUsageExtension(new AsnEncodedData(oid, rawData), critical);
            break;
        case "2.5.29.19":
            wrapped = new X509BasicConstraintsExtension(new AsnEncodedData(oid, rawData), critical);
            break;
        case "2.5.29.37":
            wrapped = new X509EnhancedKeyUsageExtension(new AsnEncodedData(oid, rawData), critical);
            break;
        }
#else
        // The OID string comes from the parsed (untrusted) certificate; CryptoConfig resolves
        // only registered names and returns null for anything else, which is handled below.
        object[] args = { new AsnEncodedData(oid, rawData ?? Empty), critical };
        wrapped = (X509Extension)CryptoConfig.CreateFromName(oid, args);
#endif
        if (wrapped == null) {
            // Not registered in CryptoConfig: keep it as an opaque extension.
            wrapped = new X509Extension(oid, rawData ?? Empty, critical);
        }
        _list.Add(wrapped);
    }
}
/// <summary>
/// Ensures the managed fallback implementation exists, decoding it from RawData on first use.
/// Throws (via ThrowIfContextInvalid) when the instance has no valid context.
/// </summary>
void MustFallback()
{
    ThrowIfContextInvalid();
    if (fallback != null) {
        return;
    }
    var monoCert = new MX.X509Certificate(RawData);
    fallback = new X509Certificate2ImplMono(monoCert);
}
/// <summary>
/// Builds a <c>PublicKey</c> from a Mono certificate. <c>_key</c> must only ever hold the public
/// half of the key: a key object that is already public-only is reused as-is, otherwise the
/// public parameters are exported and re-imported into a fresh key object so no private
/// material can travel with it.
/// </summary>
/// <param name="certificate">Decoded Mono certificate supplying key, OID and parameters.</param>
internal PublicKey(MSX.X509Certificate certificate)
{
    bool needsExport = true;

    if (certificate.KeyAlgorithm == rsaOid) {
        // Shortcut the export/import round trip when the key has no private part.
        var csp = certificate.RSA as RSACryptoServiceProvider;
        if (csp != null && csp.PublicOnly) {
            _key = certificate.RSA;
            needsExport = false;
        } else {
            var managed = certificate.RSA as RSAManaged;
            if (managed != null && managed.PublicOnly) {
                _key = certificate.RSA;
                needsExport = false;
            }
        }
        if (needsExport) {
            RSAParameters publicParams = certificate.RSA.ExportParameters(false);
            _key = RSA.Create();
            (_key as RSA).ImportParameters(publicParams);
        }
    } else {
        // Same shortcut for DSA. DSAManaged isn't available in Mono.Security due to a bug in Fx 1.x.
        var csp = certificate.DSA as DSACryptoServiceProvider;
        if (csp != null && csp.PublicOnly) {
            _key = certificate.DSA;
            needsExport = false;
        }
        if (needsExport) {
            DSAParameters publicParams = certificate.DSA.ExportParameters(false);
            _key = DSA.Create();
            (_key as DSA).ImportParameters(publicParams);
        }
    }

    _oid = new Oid(certificate.KeyAlgorithm);
    _keyValue = new AsnEncodedData(_oid, certificate.PublicKey);
    _params = new AsnEncodedData(_oid, certificate.KeyAlgorithmParameters ?? Empty);
}
/// <summary>
/// Clears the decoded certificate and every cached, derived value so the instance reads as empty.
/// </summary>
public override void Reset()
{
    // Decoded certificate and its flags.
    _cert = null;
    _archived = false;

    // Cached derived data.
    _publicKey = null;
    _extensions = null;
    _serial = null;
    signature_algorithm = null;
    subject_name = null;
    issuer_name = null;
}
/// <summary>
/// Clears the decoded certificate and every cached, derived value, and disposes and forgets the
/// intermediate-certificate chain when one is held.
/// </summary>
public override void Reset()
{
    // Decoded certificate and its flags.
    _cert = null;
    _archived = false;

    // Cached derived data.
    _publicKey = null;
    _extensions = null;
    signature_algorithm = null;
    subject_name = null;
    issuer_name = null;

    var chain = intermediateCerts;
    if (chain == null) {
        return;
    }
    chain.Dispose();
    intermediateCerts = null;
}
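/// <summary>
/// Loads the first certificate of a PKCS#12 container into <c>_cert</c> and attaches the
/// container's first key to it (as RSA or DSA, whichever it is). A container without a
/// certificate leaves <c>_cert</c> null and attaches nothing.
/// </summary>
/// <param name="rawData">PKCS#12 (PFX) bytes.</param>
/// <param name="password">Container password; null opens the container without one.</param>
private void ImportPkcs12(byte[] rawData, string password)
{
    MX.PKCS12 pfx = password == null
        ? new MX.PKCS12(rawData)
        : new MX.PKCS12(rawData, password);

    if (pfx.Certificates.Count == 0) {
        // Nothing to attach a key to. The original fell through and dereferenced the null
        // _cert whenever the container still carried a key.
        _cert = null;
        return;
    }

    _cert = pfx.Certificates [0];
    if (pfx.Keys.Count > 0) {
        var key = pfx.Keys [0];
        _cert.RSA = key as RSA;
        _cert.DSA = key as DSA;
    }
}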
/// <summary>
/// Builds the Mono-backed implementation from encoded certificate data, dispatching on the
/// content type sniffed from the bytes (PKCS#12 container or bare/PKCS#7 certificate).
/// </summary>
/// <param name="rawData">Encoded certificate bytes.</param>
/// <param name="password">Used only when the data is a PKCS#12 container.</param>
/// <param name="keyStorageFlags">Accepted for signature compatibility; not consulted here.</param>
/// <exception cref="CryptographicException">The bytes are not a recognised encoding.</exception>
public X509Certificate2ImplMono(byte[] rawData, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
{
    X509ContentType contentType = X509Certificate2.GetCertContentType(rawData);
    switch (contentType) {
    case X509ContentType.Pkcs12:
        _cert = ImportPkcs12(rawData, password);
        break;
    case X509ContentType.Cert:
    case X509ContentType.Pkcs7:
        _cert = new MX.X509Certificate(rawData);
        break;
    default:
        throw new CryptographicException(Locale.GetText("Unable to decode certificate."));
    }
}
/// <summary>
/// Decodes <paramref name="rawData"/> as either a plain X.509 certificate or a PKCS#12
/// container, hands the bare certificate bytes to the base class and keeps the decoded Mono
/// certificate (with any key it carries). Without a password the plain encoding is tried
/// first; with one, PKCS#12 is tried first.
/// </summary>
/// <param name="rawData">Encoded certificate or PKCS#12 bytes.</param>
/// <param name="password">PKCS#12 password, or null.</param>
/// <param name="keyStorageFlags">Passed through to the base implementation.</param>
/// <exception cref="CryptographicException">Neither encoding could be decoded (no-password path);
/// the inner exception is the failure of the first, plain X.509 attempt.</exception>
public override void Import(byte[] rawData, string password, X509KeyStorageFlags keyStorageFlags)
{
    MX.X509Certificate decoded = null;

    if (password == null) {
        try {
            decoded = new MX.X509Certificate(rawData);
        } catch (Exception first) {
            try {
                decoded = ImportPkcs12(rawData, null);
            } catch {
                // Report the original (plain X.509) failure, not the secondary PKCS#12 one.
                throw new CryptographicException(Locale.GetText("Unable to decode certificate."), first);
            }
        }
    } else {
        try {
            decoded = ImportPkcs12(rawData, password);
        } catch {
            // A password may be supplied for data that does not need one (bug #79028).
            decoded = new MX.X509Certificate(rawData);
        }
    }

    if (decoded == null) {
        return;
    }
    // The base class does not deal with keys, so the bare certificate bytes suffice.
    // It calls Reset(), which is why _cert is assigned only afterwards.
    base.Import(decoded.RawData, (string)null, keyStorageFlags);
    _cert = decoded;
}
// constructors

/// <summary>Creates an empty instance with no decoded certificate.</summary>
public X509Certificate2ImplMono()
{
    _cert = null;
}
/// <summary>
/// Wraps a native certificate handle and decodes the raw certificate bytes the base class
/// reads from it into a Mono certificate.
/// </summary>
/// <param name="handle">Native certificate handle accepted by the base constructor.</param>
public X509Certificate2 (IntPtr handle)
    : base (handle)
{
    byte[] rawData = base.GetRawCertData ();
    _cert = new MX.X509Certificate (rawData);
}
// constructors

/// <summary>Creates an empty instance with no decoded certificate.</summary>
public X509Certificate2()
{
    _cert = null;
}
/// <summary>
/// Copies an existing <see cref="X509Certificate"/> and decodes the raw certificate bytes the
/// base class exposes into a Mono certificate.
/// </summary>
/// <param name="certificate">Certificate to copy.</param>
public X509Certificate2 (X509Certificate certificate)
    : base (certificate)
{
    byte[] rawData = base.GetRawCertData ();
    _cert = new MX.X509Certificate (rawData);
}
/// <summary>
/// Decodes <paramref name="rawData"/> as either a plain X.509 certificate or a PKCS#12
/// container, hands the bare certificate bytes to the base class and keeps the decoded Mono
/// certificate (with any key it carries). Without a password the plain encoding is tried
/// first; with one, PKCS#12 is tried first.
/// </summary>
/// <param name="rawData">Encoded certificate or PKCS#12 bytes.</param>
/// <param name="password">PKCS#12 password, or null.</param>
/// <param name="keyStorageFlags">Passed through to the base implementation.</param>
/// <exception cref="CryptographicException">Neither encoding could be decoded (no-password path);
/// the inner exception is the failure of the first, plain X.509 attempt.</exception>
public override void Import (byte[] rawData, string password, X509KeyStorageFlags keyStorageFlags)
{
    MX.X509Certificate decoded = null;

    if (password == null) {
        try {
            decoded = new MX.X509Certificate (rawData);
        } catch (Exception first) {
            try {
                decoded = ImportPkcs12 (rawData, null);
            } catch {
                // Report the original (plain X.509) failure, not the secondary PKCS#12 one.
                throw new CryptographicException (Locale.GetText ("Unable to decode certificate."), first);
            }
        }
    } else {
        try {
            decoded = ImportPkcs12 (rawData, password);
        } catch {
            // A password may be supplied for data that does not need one (bug #79028).
            decoded = new MX.X509Certificate (rawData);
        }
    }

    if (decoded == null) {
        return;
    }
    // The base class does not deal with keys, so the bare certificate bytes suffice.
    // It calls Reset(), which is why _cert is assigned only afterwards.
    base.Import (decoded.RawData, (string) null, keyStorageFlags);
    _cert = decoded;
}
/// <summary>
/// Clears the decoded certificate and every cached, derived value so the instance reads as empty.
/// </summary>
public override void Reset ()
{
    // Decoded certificate and its flags.
    _cert = null;
    _archived = false;

    // Cached derived data.
    _publicKey = null;
    _extensions = null;
    _serial = null;
    signature_algorithm = null;
    subject_name = null;
    issuer_name = null;
}
/// <summary>Adopts an already-decoded Mono certificate as the backing object.</summary>
/// <param name="cert">Decoded certificate; stored as-is.</param>
internal X509Certificate2ImplMono(MX.X509Certificate cert)
{
    _cert = cert;
}
// constructors

/// <summary>Creates an empty instance with no decoded certificate.</summary>
public X509Certificate2 ()
{
    _cert = null;
}
/// <summary>
/// Clears the decoded certificate and every cached, derived value, and disposes and forgets the
/// intermediate-certificate chain when one is held.
/// </summary>
public override void Reset ()
{
    // Decoded certificate and its flags.
    _cert = null;
    _archived = false;

    // Cached derived data.
    _publicKey = null;
    _extensions = null;
    _serial = null;
    signature_algorithm = null;
    subject_name = null;
    issuer_name = null;

    var chain = intermediateCerts;
    if (chain == null) {
        return;
    }
    chain.Dispose ();
    intermediateCerts = null;
}
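// RFC2818 - HTTP Over TLS, Section 3.1
// http://www.ietf.org/rfc/rfc2818.txt
//
// 1. if present MUST use subjectAltName dNSName as identity
// 1.1. if multiples entries a match of any one is acceptable
// 1.2. wildcard * is acceptable
// 2. URI may be an IP address -> subjectAltName.iPAddress
// 2.1. exact match is required
// 3. Use of the most specific Common Name (CN=) in the Subject
// 3.1 Existing practice but DEPRECATED
//
/// <summary>
/// Checks that <paramref name="cert"/> names <paramref name="targetHost"/>, per RFC 2818 §3.1.
/// The certificate is re-decoded from its raw bytes into a Mono certificate for extension access.
/// </summary>
/// <param name="cert">The server's end-entity certificate.</param>
/// <param name="targetHost">Host name or IP address literal the client connected to.</param>
/// <returns>true on a match; false on no match, and also on any error while decoding the
/// certificate (fail closed).</returns>
static bool CheckServerIdentity (X509Certificate2 cert, string targetHost)
{
    try {
        var mcert = new MSX.X509Certificate (cert.RawData);
        MSX.X509Extension ext = mcert.Extensions ["2.5.29.17"]; // id-ce-subjectAltName
        if (ext != null) {
            var subjectAltName = new SubjectAltNameExtension (ext);
            bool sawDnsName = false;

            // 1.1 any dNSName entry may match (1.2 wildcard handling, if any, belongs in Match()).
            foreach (string dns in subjectAltName.DNSNames) {
                sawDnsName = true;
                if (Match (targetHost, dns)) {
                    return true;
                }
            }

            // 2.1 iPAddress entries require an exact textual match.
            foreach (string ip in subjectAltName.IPAddresses) {
                if (ip == targetHost) {
                    return true;
                }
            }

            // RFC 2818 §3.1 (and RFC 6125 §6.4.4): once dNSName entries exist they *are* the
            // identity, so the deprecated CN fallback must not accept a certificate whose SAN
            // lists only other hosts.
            if (sawDnsName) {
                return false;
            }
        }

        // 3. Common Name (CN=) — legacy fallback for certificates without dNSName entries.
        return CheckDomainName (mcert.SubjectName, targetHost);
    } catch (Exception e) {
        // An undecodable certificate is never accepted.
        Console.Error.WriteLine ("ERROR processing certificate: {0}", e);
        Console.Error.WriteLine ("Please, report this problem to the Mono team");
        return false;
    }
}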
/// <summary>
/// Copy constructor: shares the decoded certificate with <paramref name="other"/> and takes a
/// clone of its intermediate-certificate chain, if it has one.
/// </summary>
X509Certificate2ImplMono (X509Certificate2ImplMono other)
{
    _cert = other._cert;
    var chain = other.intermediateCerts;
    if (chain != null) {
        intermediateCerts = chain.Clone ();
    }
}
// constructors

/// <summary>Creates an empty instance with no decoded certificate.</summary>
public X509Certificate2ImplMono ()
{
    _cert = null;
}
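/// <summary>
/// Loads the first certificate of a PKCS#12 container into <c>_cert</c> and attaches the
/// container's first key to it (as RSA or DSA, whichever it is). A container without a
/// certificate leaves <c>_cert</c> null and attaches nothing.
/// </summary>
/// <param name="rawData">PKCS#12 (PFX) bytes.</param>
/// <param name="password">Container password; null opens the container without one.</param>
private void ImportPkcs12 (byte[] rawData, string password)
{
    MX.PKCS12 pfx = password == null
        ? new MX.PKCS12 (rawData)
        : new MX.PKCS12 (rawData, password);

    if (pfx.Certificates.Count == 0) {
        // Nothing to attach a key to. The original fell through and dereferenced the null
        // _cert whenever the container still carried a key.
        _cert = null;
        return;
    }

    _cert = pfx.Certificates [0];
    if (pfx.Keys.Count > 0) {
        var key = pfx.Keys [0];
        _cert.RSA = key as RSA;
        _cert.DSA = key as DSA;
    }
}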
/// <summary>
/// Wraps a native certificate handle and decodes the raw certificate bytes the base class
/// reads from it into a Mono certificate.
/// </summary>
/// <param name="handle">Native certificate handle accepted by the base constructor.</param>
public X509Certificate2(IntPtr handle)
    : base(handle)
{
    byte[] rawData = base.GetRawCertData();
    _cert = new MX.X509Certificate(rawData);
}
/// <summary>Adopts an already-decoded Mono certificate as the backing object.</summary>
/// <param name="cert">Decoded certificate; stored as-is.</param>
public X509Certificate2ImplMono(MX.X509Certificate cert)
{
    _cert = cert;
}
/// <summary>
/// Copies an existing <see cref="X509Certificate"/> and decodes the raw certificate bytes the
/// base class exposes into a Mono certificate.
/// </summary>
/// <param name="certificate">Certificate to copy.</param>
public X509Certificate2(X509Certificate certificate)
    : base(certificate)
{
    byte[] rawData = base.GetRawCertData();
    _cert = new MX.X509Certificate(rawData);
}
/// <summary>Adopts an already-decoded Mono certificate as the backing object.</summary>
/// <param name="cert">Decoded certificate; stored as-is.</param>
internal X509Certificate2ImplMono (MX.X509Certificate cert)
{
    _cert = cert;
}
/// <summary>
/// Decodes <paramref name="rawData"/> as either a plain X.509 certificate or a PKCS#12
/// container and stores the result in <c>_cert</c>. Without a password the plain encoding is
/// tried first; with one, PKCS#12 is tried first.
/// </summary>
/// <param name="rawData">Encoded certificate or PKCS#12 bytes.</param>
/// <param name="password">PKCS#12 password, or null.</param>
/// <param name="keyStorageFlags">Accepted for signature compatibility; not consulted here.</param>
/// <exception cref="CryptographicException">Neither encoding could be decoded (no-password path);
/// the inner exception is the failure of the first, plain X.509 attempt.</exception>
public override void Import (byte[] rawData, string password, X509KeyStorageFlags keyStorageFlags)
{
    MX.X509Certificate decoded = null;

    if (password == null) {
        try {
            decoded = new MX.X509Certificate (rawData);
        } catch (Exception first) {
            try {
                decoded = ImportPkcs12 (rawData, null);
            } catch {
                // Report the original (plain X.509) failure, not the secondary PKCS#12 one.
                throw new CryptographicException (Locale.GetText ("Unable to decode certificate."), first);
            }
        }
    } else {
        try {
            decoded = ImportPkcs12 (rawData, password);
        } catch {
            // A password may be supplied for data that does not need one (bug #79028).
            decoded = new MX.X509Certificate (rawData);
        }
    }

    _cert = decoded;
}