protected override void Dispose(bool disposing)
{
if (disposing && m_key != null)
{
m_key.Dispose();
}
}
protected CngKey GetPrivateKey(X509Certificate2 cert)
{
var rsakey = cert.GetRSAPrivateKey() as RSACng;
if (rsakey != null)
{
return(rsakey.Key);
}
CngKey cngkey = null;
try
{
var provider = new CngProvider(CSPName);
cngkey = CngKey.Open(KeyContainer, provider, CngKeyOpenOptions.MachineKey);
if (cngkey == null)
{
throw new InvalidOperationException(NuGetMSSignCommand.MSSignCommandNoCngKeyException);
}
if (cngkey.AlgorithmGroup != CngAlgorithmGroup.Rsa)
{
cngkey.Dispose();
throw new InvalidOperationException(NuGetMSSignCommand.MSSignCommandInvalidCngKeyException);
}
return(cngkey);
}
catch (CryptographicException)
{
cngkey?.Dispose();
throw new InvalidOperationException(NuGetMSSignCommand.MSSignCommandNoCngKeyException);
}
}
private static X509Certificate2 CreateSelfSignedCertificate(CngKey key, X500DistinguishedName subjectName)
{
using (SafeCertContextHandle selfSignedCertHandle = CreateSelfSignedCertificate(key,
true,
subjectName.RawData,
X509CertificateCreationOptions.None, // NONE
RsaSha1Oid,
DateTime.UtcNow,
DateTime.UtcNow.AddYears(1)))
{
X509Certificate2 certificate = null;
bool addedRef = false;
RuntimeHelpers.PrepareConstrainedRegions();
try
{
selfSignedCertHandle.DangerousAddRef(ref addedRef);
certificate = new X509Certificate2(selfSignedCertHandle.DangerousGetHandle());
}
finally
{
if (addedRef)
{
selfSignedCertHandle.DangerousRelease();
}
}
key.Dispose();
return(certificate);
}
}
public static X509Certificate2 CreateSelfSignedCertificate(this CngKey key,
X509Certificates.X509CertificateCreationParameters creationParameters)
{
if (creationParameters == null)
{
throw new ArgumentNullException("creationParameters");
}
// If we are not being asked to hand ownership of the key over to the certificate, then we need
// ensure that we are running in a trusted context as we have no way to ensure that the caller
// will not force the key to be cleaned up and then continue to use the dangling handle left in
// the certificate.
if (!creationParameters.TakeOwnershipOfKey)
{
new PermissionSet(PermissionState.Unrestricted).Demand();
}
using (SafeCertContextHandle selfSignedCertHandle =
X509Native.CreateSelfSignedCertificate(key,
creationParameters.TakeOwnershipOfKey,
creationParameters.SubjectName.RawData,
creationParameters.CertificateCreationOptions,
X509Native.MapCertificateSignatureAlgorithm(creationParameters.SignatureAlgorithm),
creationParameters.StartTime,
creationParameters.EndTime,
creationParameters.ExtensionsNoDemand))
{
// We need to get the raw handle out of the safe handle because X509Certificate2 only
// exposes an IntPtr constructor. To do that we'll temporarially bump the ref count on
// the handle.
//
// X509Certificate2 will duplicate the handle value in the .ctor, so once we've created
// the certificate object, we can safely drop the ref count and dispose of our handle.
X509Certificate2 certificate = null;
bool addedRef = false;
RuntimeHelpers.PrepareConstrainedRegions();
try
{
selfSignedCertHandle.DangerousAddRef(ref addedRef);
certificate = new X509Certificate2(selfSignedCertHandle.DangerousGetHandle());
}
finally
{
if (addedRef)
{
selfSignedCertHandle.DangerousRelease();
}
}
// If we passed ownership of the key to the certificate, than destroy the key
// now so that we don't continue to use it beyond the liftime of the cert.
if (creationParameters.TakeOwnershipOfKey)
{
key.Dispose();
}
return(certificate);
}
}
public void DisposeKey()
{
if (_lazyKey != null)
{
_lazyKey.Dispose();
_lazyKey = null;
}
}
/// <summary>
/// 使用私钥签名
/// </summary>
public static byte[] SignData(byte[] data, string keyName)
{
// 打开密钥
CngKey cngKey = CngKey.Open(keyName);
// 签名
ECDsaCng ecdsa = new ECDsaCng(cngKey);
byte[] signature = ecdsa.SignData(data);
ecdsa.Clear();
cngKey.Dispose();
return(signature);
}
/// <summary>
/// 使用公钥验证签名
/// </summary>
public static bool VerifyData(byte[] data, byte[] signature, byte[] publicKey)
{
bool verified = false;
// 导入公钥
CngKey cngKey = CngKey.Import(publicKey, CngKeyBlobFormat.EccPublicBlob);
// 验证签名
ECDsaCng ecdsa = new ECDsaCng(cngKey);
verified = ecdsa.VerifyData(data, signature);
ecdsa.Clear();
cngKey.Dispose();
return(verified);
}
private void ImportKeyBlob(byte[] rsaBlob, bool includePrivate)
{
CngKeyBlobFormat blobFormat = includePrivate ? s_rsaPrivateBlob : s_rsaPublicBlob;
CngKey newKey = CngKey.Import(rsaBlob, blobFormat);
try
{
newKey.ExportPolicy |= CngExportPolicies.AllowPlaintextExport;
Key = newKey;
}
catch
{
newKey.Dispose();
throw;
}
}
private void ImportKeyBlob(byte[] dsaBlob, bool includePrivate)
{
// Use generic blob type for multiple version support
CngKeyBlobFormat blobFormat = includePrivate ?
CngKeyBlobFormat.GenericPrivateBlob :
CngKeyBlobFormat.GenericPublicBlob;
CngKey newKey = CngKey.Import(dsaBlob, blobFormat);
try
{
newKey.ExportPolicy |= CngExportPolicies.AllowPlaintextExport;
Key = newKey;
}
catch
{
newKey.Dispose();
throw;
}
}
public static void ExportDoesNotCorruptPrivateKeyMethods()
{
string keyName = $"clrtest.{Guid.NewGuid():D}";
X509Store cuMy = new X509Store(StoreName.My, StoreLocation.CurrentUser);
cuMy.Open(OpenFlags.ReadWrite);
X509Certificate2 createdCert = null;
X509Certificate2 foundCert = null;
X509Certificate2 foundCert2 = null;
try
{
string commonName = nameof(ExportDoesNotCorruptPrivateKeyMethods);
string subject = $"CN={commonName},OU=.NET";
using (ImportedCollection toClean = new ImportedCollection(cuMy.Certificates))
{
X509Certificate2Collection coll = toClean.Collection;
using (ImportedCollection matches =
new ImportedCollection(coll.Find(X509FindType.FindBySubjectName, commonName, false)))
{
foreach (X509Certificate2 cert in matches.Collection)
{
cuMy.Remove(cert);
}
}
}
foreach (X509Certificate2 cert in cuMy.Certificates)
{
if (subject.Equals(cert.Subject))
{
cuMy.Remove(cert);
}
cert.Dispose();
}
CngKeyCreationParameters options = new CngKeyCreationParameters
{
ExportPolicy = CngExportPolicies.AllowExport | CngExportPolicies.AllowPlaintextExport,
};
using (CngKey key = CngKey.Create(CngAlgorithm.Rsa, keyName, options))
using (RSACng rsaCng = new RSACng(key))
{
CertificateRequest certReq = new CertificateRequest(
subject,
rsaCng,
HashAlgorithmName.SHA256,
RSASignaturePadding.Pkcs1);
DateTimeOffset now = DateTimeOffset.UtcNow.AddMinutes(-5);
createdCert = certReq.CreateSelfSigned(now, now.AddDays(1));
}
cuMy.Add(createdCert);
using (ImportedCollection toClean = new ImportedCollection(cuMy.Certificates))
{
X509Certificate2Collection matches = toClean.Collection.Find(
X509FindType.FindBySubjectName,
commonName,
validOnly: false);
Assert.Equal(1, matches.Count);
foundCert = matches[0];
}
Assert.False(HasEphemeralKey(foundCert));
foundCert.Export(X509ContentType.Pfx, "");
Assert.False(HasEphemeralKey(foundCert));
using (ImportedCollection toClean = new ImportedCollection(cuMy.Certificates))
{
X509Certificate2Collection matches = toClean.Collection.Find(
X509FindType.FindBySubjectName,
commonName,
validOnly: false);
Assert.Equal(1, matches.Count);
foundCert2 = matches[0];
}
Assert.False(HasEphemeralKey(foundCert2));
}
finally
{
if (createdCert != null)
{
cuMy.Remove(createdCert);
createdCert.Dispose();
}
cuMy.Dispose();
foundCert?.Dispose();
foundCert2?.Dispose();
try
{
CngKey key = CngKey.Open(keyName);
key.Delete();
key.Dispose();
}
catch (Exception)
{
}
}
bool HasEphemeralKey(X509Certificate2 c)
{
using (RSA key = c.GetRSAPrivateKey())
{
// This code is not defensive against the type changing, because it
// is in the source tree with the code that produces the value.
// Don't blind-cast like this in library or application code.
RSACng rsaCng = (RSACng)key;
return(rsaCng.Key.IsEphemeral);
}
}
}
public override void Dispose()
{
m_cng?.Dispose();
m_key?.Dispose();
}
public void Dispose()
{
_cngKey.Dispose();
}
internal void FreeKey()
{
Key.Dispose();
}