internal static AppleCertificatePal ImportPkcs12(UnixPkcs12Reader.CertAndKey certAndKey)
{
AppleCertificatePal pal = (AppleCertificatePal)certAndKey.Cert !;
if (certAndKey.Key != null)
{
AppleCertificateExporter exporter = new AppleCertificateExporter(new TempExportPal(pal), certAndKey.Key);
byte[] smallPfx = exporter.Export(X509ContentType.Pkcs12, s_passwordExportHandle) !;
SafeSecIdentityHandle identityHandle;
SafeSecCertificateHandle certHandle = Interop.AppleCrypto.X509ImportCertificate(
smallPfx,
X509ContentType.Pkcs12,
s_passwordExportHandle,
out identityHandle);
if (identityHandle.IsInvalid)
{
identityHandle.Dispose();
return(new AppleCertificatePal(certHandle));
}
certHandle.Dispose();
return(new AppleCertificatePal(identityHandle));
}
return(pal);
}
internal static ICertificatePal ImportPkcs12NonExportable(
AppleCertificatePal cert,
SafeSecKeyRefHandle privateKey,
SafePasswordHandle password,
SafeKeychainHandle keychain)
{
Pkcs12SmallExport exporter = new Pkcs12SmallExport(new TempExportPal(cert), privateKey);
byte[] smallPfx = exporter.Export(X509ContentType.Pkcs12, password) !;
SafeSecIdentityHandle identityHandle;
SafeSecCertificateHandle certHandle = Interop.AppleCrypto.X509ImportCertificate(
smallPfx,
X509ContentType.Pkcs12,
password,
keychain,
exportable: false,
out identityHandle);
// On Windows and Linux if a PFX uses a LocalKeyId to bind the wrong key to a cert, the
// nonsensical object of "this cert, that key" is returned.
//
// On macOS, because we can't forge CFIdentityRefs without the keychain, we're subject to
// Apple's more stringent matching of a consistent keypair.
if (identityHandle.IsInvalid)
{
identityHandle.Dispose();
return(new AppleCertificatePal(certHandle));
}
certHandle.Dispose();
return(new AppleCertificatePal(identityHandle));
}
public void Dispose()
{
_certHandle?.Dispose();
_identityHandle?.Dispose();
_certHandle = null;
_identityHandle = null;
}
public void Dispose()
{
_certHandle?.Dispose();
_identityHandle?.Dispose();
_privateKeyHolder?.Dispose();
_certHandle = null;
_identityHandle = null;
_privateKeyHolder = null;
}
public void Dispose()
{
_certHandle?.Dispose();
_identityHandle?.Dispose();
_certHandle = null !;
_identityHandle = null;
DisposeTempKeychain();
}
internal static ICertificatePal FromDerBlob(
ReadOnlySpan <byte> rawData,
X509ContentType contentType,
SafePasswordHandle password,
X509KeyStorageFlags keyStorageFlags)
{
Debug.Assert(password != null);
bool ephemeralSpecified = keyStorageFlags.HasFlag(X509KeyStorageFlags.EphemeralKeySet);
if (contentType == X509ContentType.Pkcs7)
{
throw new CryptographicException(
SR.Cryptography_X509_PKCS7_Unsupported,
new PlatformNotSupportedException(SR.Cryptography_X509_PKCS7_Unsupported));
}
if (contentType == X509ContentType.Pkcs12)
{
if ((keyStorageFlags & X509KeyStorageFlags.Exportable) == X509KeyStorageFlags.Exportable)
{
throw new PlatformNotSupportedException(SR.Cryptography_X509_PKCS12_ExportableNotSupported);
}
if ((keyStorageFlags & X509KeyStorageFlags.PersistKeySet) == X509KeyStorageFlags.PersistKeySet)
{
throw new PlatformNotSupportedException(SR.Cryptography_X509_PKCS12_PersistKeySetNotSupported);
}
return(ImportPkcs12(rawData, password, ephemeralSpecified));
}
SafeSecIdentityHandle identityHandle;
SafeSecCertificateHandle certHandle = Interop.AppleCrypto.X509ImportCertificate(
rawData,
contentType,
password,
out identityHandle);
if (identityHandle.IsInvalid)
{
identityHandle.Dispose();
return(new AppleCertificatePal(certHandle));
}
Debug.Fail("Non-PKCS12 import produced an identity handle");
identityHandle.Dispose();
certHandle.Dispose();
throw new CryptographicException();
}
public void Dispose()
{
_certHandle?.Dispose();
_identityHandle?.Dispose();
_certHandle = null !;
_identityHandle = null;
SafeKeychainHandle?tempKeychain = Interlocked.Exchange(ref _tempKeychain, null);
if (tempKeychain != null)
{
tempKeychain.Dispose();
}
}
internal static ICertificatePal FromDerBlob(
ReadOnlySpan <byte> rawData,
X509ContentType contentType,
SafePasswordHandle password,
X509KeyStorageFlags keyStorageFlags)
{
Debug.Assert(password != null);
bool ephemeralSpecified = keyStorageFlags.HasFlag(X509KeyStorageFlags.EphemeralKeySet);
if (contentType == X509ContentType.Pkcs7)
{
throw new CryptographicException(
SR.Cryptography_X509_PKCS7_Unsupported,
new PlatformNotSupportedException(SR.Cryptography_X509_PKCS7_Unsupported));
}
if (contentType == X509ContentType.Pkcs12)
{
// TODO:
// We ignore keyStorageFlags which is tracked in https://github.com/dotnet/runtime/issues/52434.
// The keys are always imported as ephemeral and never persisted. Exportability is ignored for
// the moment and it needs to be investigated how to map it to iOS keychain primitives.
return(ImportPkcs12(rawData, password, ephemeralSpecified));
}
SafeSecIdentityHandle identityHandle;
SafeSecCertificateHandle certHandle = Interop.AppleCrypto.X509ImportCertificate(
rawData,
contentType,
password,
out identityHandle);
if (identityHandle.IsInvalid)
{
identityHandle.Dispose();
return(new AppleCertificatePal(certHandle));
}
Debug.Fail("Non-PKCS12 import produced an identity handle");
identityHandle.Dispose();
certHandle.Dispose();
throw new CryptographicException();
}
protected override ICertificatePalCore ReadX509Der(ReadOnlyMemory <byte> data)
{
SafeSecCertificateHandle certHandle = Interop.AppleCrypto.X509ImportCertificate(
data.Span,
X509ContentType.Cert,
SafePasswordHandle.InvalidHandle,
out SafeSecIdentityHandle identityHandle);
if (identityHandle.IsInvalid)
{
identityHandle.Dispose();
return(new AppleCertificatePal(certHandle));
}
Debug.Fail("Non-PKCS12 import produced an identity handle");
identityHandle.Dispose();
certHandle.Dispose();
throw new CryptographicException();
}
public static ICertificatePal FromBlob(
byte[] rawData,
SafePasswordHandle password,
X509KeyStorageFlags keyStorageFlags)
{
Debug.Assert(password != null);
X509ContentType contentType = X509Certificate2.GetCertContentType(rawData);
if (contentType == X509ContentType.Pkcs7)
{
// In single mode for a PKCS#7 signed or signed-and-enveloped file we're supposed to return
// the certificate which signed the PKCS#7 file.
//
// X509Certificate2Collection::Export(X509ContentType.Pkcs7) claims to be a signed PKCS#7,
// but doesn't emit a signature block. So this is hard to test.
//
// TODO(2910): Figure out how to extract the signing certificate, when it's present.
throw new CryptographicException(SR.Cryptography_X509_PKCS7_NoSigner);
}
bool exportable = true;
SafeKeychainHandle keychain;
if (contentType == X509ContentType.Pkcs12)
{
if ((keyStorageFlags & X509KeyStorageFlags.EphemeralKeySet) == X509KeyStorageFlags.EphemeralKeySet)
{
throw new PlatformNotSupportedException(SR.Cryptography_X509_NoEphemeralPfx);
}
exportable = (keyStorageFlags & X509KeyStorageFlags.Exportable) == X509KeyStorageFlags.Exportable;
bool persist =
(keyStorageFlags & X509KeyStorageFlags.PersistKeySet) == X509KeyStorageFlags.PersistKeySet;
keychain = persist
? Interop.AppleCrypto.SecKeychainCopyDefault()
: Interop.AppleCrypto.CreateTemporaryKeychain();
}
else
{
keychain = SafeTemporaryKeychainHandle.InvalidHandle;
password = SafePasswordHandle.InvalidHandle;
}
using (keychain)
{
SafeSecIdentityHandle identityHandle;
SafeSecCertificateHandle certHandle = Interop.AppleCrypto.X509ImportCertificate(
rawData,
contentType,
password,
keychain,
exportable,
out identityHandle);
if (identityHandle.IsInvalid)
{
identityHandle.Dispose();
return(new AppleCertificatePal(certHandle));
}
if (contentType != X509ContentType.Pkcs12)
{
Debug.Fail("Non-PKCS12 import produced an identity handle");
identityHandle.Dispose();
certHandle.Dispose();
throw new CryptographicException();
}
Debug.Assert(certHandle.IsInvalid);
certHandle.Dispose();
return(new AppleCertificatePal(identityHandle));
}
}
public static ICertificatePal FromBlob(
ReadOnlySpan <byte> rawData,
SafePasswordHandle password,
X509KeyStorageFlags keyStorageFlags)
{
Debug.Assert(password != null);
X509ContentType contentType = X509Certificate2.GetCertContentType(rawData);
if (contentType == X509ContentType.Pkcs7)
{
// In single mode for a PKCS#7 signed or signed-and-enveloped file we're supposed to return
// the certificate which signed the PKCS#7 file.
//
// X509Certificate2Collection::Export(X509ContentType.Pkcs7) claims to be a signed PKCS#7,
// but doesn't emit a signature block. So this is hard to test.
//
// TODO(2910): Figure out how to extract the signing certificate, when it's present.
throw new CryptographicException(SR.Cryptography_X509_PKCS7_NoSigner);
}
if (contentType == X509ContentType.Pkcs12)
{
if ((keyStorageFlags & X509KeyStorageFlags.EphemeralKeySet) == X509KeyStorageFlags.EphemeralKeySet)
{
throw new PlatformNotSupportedException(SR.Cryptography_X509_NoEphemeralPfx);
}
bool exportable = (keyStorageFlags & X509KeyStorageFlags.Exportable) == X509KeyStorageFlags.Exportable;
bool persist =
(keyStorageFlags & X509KeyStorageFlags.PersistKeySet) == X509KeyStorageFlags.PersistKeySet;
SafeKeychainHandle keychain = persist
? Interop.AppleCrypto.SecKeychainCopyDefault()
: Interop.AppleCrypto.CreateTemporaryKeychain();
using (keychain)
{
AppleCertificatePal ret = ImportPkcs12(rawData, password, exportable, keychain);
if (!persist)
{
// If we used temporary keychain we need to prevent deletion.
// on 10.15+ if keychain is unlinked, certain certificate operations may fail.
bool success = false;
keychain.DangerousAddRef(ref success);
if (success)
{
ret._tempKeychain = keychain;
}
}
return(ret);
}
}
SafeSecIdentityHandle identityHandle;
SafeSecCertificateHandle certHandle = Interop.AppleCrypto.X509ImportCertificate(
rawData,
contentType,
SafePasswordHandle.InvalidHandle,
SafeTemporaryKeychainHandle.InvalidHandle,
exportable: true,
out identityHandle);
if (identityHandle.IsInvalid)
{
identityHandle.Dispose();
return(new AppleCertificatePal(certHandle));
}
Debug.Fail("Non-PKCS12 import produced an identity handle");
identityHandle.Dispose();
certHandle.Dispose();
throw new CryptographicException();
}