internal static AppleCertificatePal ImportPkcs12(UnixPkcs12Reader.CertAndKey certAndKey)
{
AppleCertificatePal pal = (AppleCertificatePal)certAndKey.Cert !;
if (certAndKey.Key != null)
{
AppleCertificateExporter exporter = new AppleCertificateExporter(new TempExportPal(pal), certAndKey.Key);
byte[] smallPfx = exporter.Export(X509ContentType.Pkcs12, s_passwordExportHandle) !;
SafeSecIdentityHandle identityHandle;
SafeSecCertificateHandle certHandle = Interop.AppleCrypto.X509ImportCertificate(
smallPfx,
X509ContentType.Pkcs12,
s_passwordExportHandle,
out identityHandle);
if (identityHandle.IsInvalid)
{
identityHandle.Dispose();
return(new AppleCertificatePal(certHandle));
}
certHandle.Dispose();
return(new AppleCertificatePal(identityHandle));
}
return(pal);
}
private static ICertificatePal ReadPkcs12(ReadOnlySpan <byte> rawData, SafePasswordHandle password)
{
using (var reader = new AndroidPkcs12Reader(rawData))
{
reader.Decrypt(password);
UnixPkcs12Reader.CertAndKey certAndKey = reader.GetSingleCert();
AndroidCertificatePal pal = (AndroidCertificatePal)certAndKey.Cert !;
if (certAndKey.Key != null)
{
pal.SetPrivateKey(AndroidPkcs12Reader.GetPrivateKey(certAndKey.Key));
}
return(pal);
}
}
private static AppleCertificatePal ImportPkcs12(
ReadOnlySpan <byte> rawData,
SafePasswordHandle password,
bool exportable,
SafeKeychainHandle keychain)
{
using (ApplePkcs12Reader reader = new ApplePkcs12Reader(rawData))
{
reader.Decrypt(password, ephemeralSpecified: false);
UnixPkcs12Reader.CertAndKey certAndKey = reader.GetSingleCert();
AppleCertificatePal pal = (AppleCertificatePal)certAndKey.Cert !;
SafeSecKeyRefHandle?safeSecKeyRefHandle =
ApplePkcs12Reader.GetPrivateKey(certAndKey.Key);
AppleCertificatePal?newPal;
using (safeSecKeyRefHandle)
{
// SecItemImport doesn't seem to respect non-exportable import for PKCS#8,
// only PKCS#12.
//
// So, as part of reading this PKCS#12 we now need to write the minimum
// PKCS#12 in a normalized form, and ask the OS to import it.
if (!exportable && safeSecKeyRefHandle != null)
{
using (pal)
{
return(ImportPkcs12NonExportable(pal, safeSecKeyRefHandle, password, keychain));
}
}
newPal = pal.MoveToKeychain(keychain, safeSecKeyRefHandle);
if (newPal != null)
{
pal.Dispose();
}
}
// If no new PAL came back, it means we moved the cert, but had no private key.
return(newPal ?? pal);
}
}
private static bool TryReadPkcs12(
OpenSslPkcs12Reader pfx,
SafePasswordHandle password,
bool single,
bool ephemeralSpecified,
out ICertificatePal?readPal,
out List <ICertificatePal>?readCerts)
{
pfx.Decrypt(password, ephemeralSpecified);
if (single)
{
UnixPkcs12Reader.CertAndKey certAndKey = pfx.GetSingleCert();
OpenSslX509CertificateReader pal = (OpenSslX509CertificateReader)certAndKey.Cert !;
if (certAndKey.Key != null)
{
pal.SetPrivateKey(OpenSslPkcs12Reader.GetPrivateKey(certAndKey.Key));
}
readPal = pal;
readCerts = null;
return(true);
}
readPal = null;
List <ICertificatePal> certs = new List <ICertificatePal>(pfx.GetCertCount());
foreach (UnixPkcs12Reader.CertAndKey certAndKey in pfx.EnumerateAll())
{
OpenSslX509CertificateReader pal = (OpenSslX509CertificateReader)certAndKey.Cert !;
if (certAndKey.Key != null)
{
pal.SetPrivateKey(OpenSslPkcs12Reader.GetPrivateKey(certAndKey.Key));
}
certs.Add(pal);
}
readCerts = certs;
return(true);
}
