private Exception TryDecryptAgree(KeyAgreeRecipientInfo keyAgreeRecipientInfo, SafeProvOrNCryptKeyHandle hKey, CryptKeySpec keySpec, X509Certificate2Collection originatorCerts, X509Certificate2Collection extraStore) { unsafe { KeyAgreeRecipientInfoPalWindows pal = (KeyAgreeRecipientInfoPalWindows)(keyAgreeRecipientInfo.Pal); return pal.WithCmsgCmsRecipientInfo<Exception>( delegate (CMSG_KEY_AGREE_RECIPIENT_INFO* pKeyAgreeRecipientInfo) { CMSG_CTRL_KEY_AGREE_DECRYPT_PARA decryptPara = default(CMSG_CTRL_KEY_AGREE_DECRYPT_PARA); decryptPara.cbSize = Marshal.SizeOf<CMSG_CTRL_KEY_AGREE_DECRYPT_PARA>(); decryptPara.hProv = hKey; decryptPara.dwKeySpec = keySpec; decryptPara.pKeyAgree = pKeyAgreeRecipientInfo; decryptPara.dwRecipientIndex = pal.Index; decryptPara.dwRecipientEncryptedKeyIndex = pal.SubIndex; CMsgKeyAgreeOriginatorChoice originatorChoice = pKeyAgreeRecipientInfo->dwOriginatorChoice; switch (originatorChoice) { case CMsgKeyAgreeOriginatorChoice.CMSG_KEY_AGREE_ORIGINATOR_CERT: { X509Certificate2Collection candidateCerts = new X509Certificate2Collection(); candidateCerts.AddRange(Helpers.GetStoreCertificates(StoreName.AddressBook, StoreLocation.CurrentUser, openExistingOnly: true)); candidateCerts.AddRange(Helpers.GetStoreCertificates(StoreName.AddressBook, StoreLocation.LocalMachine, openExistingOnly: true)); candidateCerts.AddRange(originatorCerts); candidateCerts.AddRange(extraStore); SubjectIdentifier originatorId = pKeyAgreeRecipientInfo->OriginatorCertId.ToSubjectIdentifier(); using (X509Certificate2 originatorCert = candidateCerts.TryFindMatchingCertificate(originatorId)) { if (originatorCert == null) return ErrorCode.CRYPT_E_NOT_FOUND.ToCryptographicException(); using (SafeCertContextHandle hCertContext = originatorCert.CreateCertContextHandle()) { CERT_CONTEXT* pOriginatorCertContext = hCertContext.DangerousGetCertContext(); decryptPara.OriginatorPublicKey = pOriginatorCertContext->pCertInfo->SubjectPublicKeyInfo.PublicKey; // Do not factor this call out of the switch statement as leaving this "using" block will free up // native memory that decryptPara points to. return TryExecuteDecryptAgree(ref decryptPara); } } } case CMsgKeyAgreeOriginatorChoice.CMSG_KEY_AGREE_ORIGINATOR_PUBLIC_KEY: { decryptPara.OriginatorPublicKey = pKeyAgreeRecipientInfo->OriginatorPublicKeyInfo.PublicKey; return TryExecuteDecryptAgree(ref decryptPara); } default: return new CryptographicException(SR.Format(SR.Cryptography_Cms_Invalid_Originator_Identifier_Choice, originatorChoice)); } }); } }
private void DecryptContent(RecipientInfoCollection recipientInfos, X509Certificate2Collection extraStore) { switch (_lastCall) { case LastCall.Ctor: throw new InvalidOperationException(SR.Cryptography_Cms_MessageNotEncrypted); case LastCall.Encrypt: throw PkcsPal.Instance.CreateDecryptAfterEncryptException(); case LastCall.Decrypt: throw PkcsPal.Instance.CreateDecryptTwiceException(); case LastCall.Decode: break; // This is the expected state. default: Debug.Fail($"Unexpected _lastCall value: {_lastCall}"); throw new InvalidOperationException(); } extraStore = extraStore ?? new X509Certificate2Collection(); X509Certificate2Collection certs = new X509Certificate2Collection(); PkcsPal.Instance.AddCertsFromStoreForDecryption(certs); certs.AddRange(extraStore); X509Certificate2Collection originatorCerts = Certificates; ContentInfo newContentInfo = null; Exception exception = PkcsPal.Instance.CreateRecipientsNotFoundException(); foreach (RecipientInfo recipientInfo in recipientInfos) { X509Certificate2 cert = certs.TryFindMatchingCertificate(recipientInfo.RecipientIdentifier); if (cert == null) { exception = PkcsPal.Instance.CreateRecipientsNotFoundException(); continue; } newContentInfo = _decryptorPal.TryDecrypt(recipientInfo, cert, originatorCerts, extraStore, out exception); if (exception != null) continue; break; } if (exception != null) throw exception; ContentInfo = newContentInfo; // Desktop compat: Encode() after a Decrypt() returns you the same thing that ContentInfo.Content does. _encodedMessage = newContentInfo.Content.CloneByteArray(); _lastCall = LastCall.Decrypt; }