예제 #1
0
        public sealed override ContentInfo TryDecrypt(RecipientInfo recipientInfo, X509Certificate2 cert, X509Certificate2Collection originatorCerts, X509Certificate2Collection extraStore, out Exception exception)
        {
            Debug.Assert(recipientInfo != null);
            Debug.Assert(cert != null);
            Debug.Assert(originatorCerts != null);
            Debug.Assert(extraStore != null);

            CryptKeySpec keySpec;

            exception = TryGetKeySpecForCertificate(cert, out keySpec);
            if (exception != null)
            {
                return(null);
            }

            // Desktop compat: We pass false for "silent" here (thus allowing crypto providers to display UI.)
            const bool Silent = false;
            // Note: Using CRYPT_ACQUIRE_ALLOW_NCRYPT_KEY_FLAG rather than CRYPT_ACQUIRE_PREFER_NCRYPT_KEY_FLAG
            // because wrapping an NCrypt wrapper over CAPI keys unconditionally causes some legacy features
            // (such as RC4 support) to break.
            const bool PreferNCrypt = false;

            using (SafeProvOrNCryptKeyHandle hKey = PkcsPalWindows.GetCertificatePrivateKey(cert, Silent, PreferNCrypt, out _, out exception))
            {
                if (hKey == null)
                {
                    return(null);
                }

                RecipientInfoType type = recipientInfo.Type;
                switch (type)
                {
                case RecipientInfoType.KeyTransport:
                    exception = TryDecryptTrans((KeyTransRecipientInfo)recipientInfo, hKey, keySpec);
                    break;

                case RecipientInfoType.KeyAgreement:
                    exception = TryDecryptAgree((KeyAgreeRecipientInfo)recipientInfo, hKey, keySpec, originatorCerts, extraStore);
                    break;

                default:
                    // Since only the framework can construct RecipientInfo's, we're at fault if we get here. So it's okay to assert and throw rather than
                    // returning to the caller.
                    Debug.Fail($"Unexpected RecipientInfoType: {type}");
                    throw new NotSupportedException();
                }

                if (exception != null)
                {
                    return(null);
                }

                // If we got here, we successfully decrypted. Return the decrypted content.
                return(_hCryptMsg.GetContentInfo());
            }
        }
예제 #2
0
        public unsafe sealed override ContentInfo TryDecrypt(
            RecipientInfo recipientInfo,
            X509Certificate2 cert,
            AsymmetricAlgorithm privateKey,
            X509Certificate2Collection originatorCerts,
            X509Certificate2Collection extraStore,
            out Exception exception)
        {
            Debug.Assert((cert != null) ^ (privateKey != null));

            if (privateKey != null)
            {
                RSA key = privateKey as RSA;

                if (key == null)
                {
                    exception = new CryptographicException(SR.Cryptography_Cms_Ktri_RSARequired);
                    return(null);
                }

                ContentInfo contentInfo = _hCryptMsg.GetContentInfo();
                byte[]      cek         = AnyOS.ManagedPkcsPal.ManagedKeyTransPal.DecryptCekCore(
                    cert,
                    key,
                    recipientInfo.EncryptedKey,
                    recipientInfo.KeyEncryptionAlgorithm.Oid.Value,
                    out exception);

                // Pin CEK to prevent it from getting copied during heap compaction.
                fixed(byte *pinnedCek = cek)
                {
                    try
                    {
                        if (exception != null)
                        {
                            return(null);
                        }

                        return(AnyOS.ManagedPkcsPal.ManagedDecryptorPal.TryDecryptCore(
                                   cek,
                                   contentInfo.ContentType.Value,
                                   contentInfo.Content,
                                   _contentEncryptionAlgorithm,
                                   out exception));
                    }
                    finally
                    {
                        if (cek != null)
                        {
                            Array.Clear(cek, 0, cek.Length);
                        }
                    }
                }
            }

            Debug.Assert(recipientInfo != null);
            Debug.Assert(cert != null);
            Debug.Assert(originatorCerts != null);
            Debug.Assert(extraStore != null);

            CryptKeySpec keySpec;

            exception = TryGetKeySpecForCertificate(cert, out keySpec);
            if (exception != null)
            {
                return(null);
            }

            // Desktop compat: We pass false for "silent" here (thus allowing crypto providers to display UI.)
            const bool Silent = false;
            // Note: Using CRYPT_ACQUIRE_ALLOW_NCRYPT_KEY_FLAG rather than CRYPT_ACQUIRE_PREFER_NCRYPT_KEY_FLAG
            // because wrapping an NCrypt wrapper over CAPI keys unconditionally causes some legacy features
            // (such as RC4 support) to break.
            const bool PreferNCrypt = false;

            using (SafeProvOrNCryptKeyHandle hKey = PkcsPalWindows.GetCertificatePrivateKey(cert, Silent, PreferNCrypt, out _, out exception))
            {
                if (hKey == null)
                {
                    return(null);
                }

                RecipientInfoType type = recipientInfo.Type;
                switch (type)
                {
                case RecipientInfoType.KeyTransport:
                    exception = TryDecryptTrans((KeyTransRecipientInfo)recipientInfo, hKey, keySpec);
                    break;

                case RecipientInfoType.KeyAgreement:
                    exception = TryDecryptAgree((KeyAgreeRecipientInfo)recipientInfo, hKey, keySpec, originatorCerts, extraStore);
                    break;

                default:
                    // Since only the framework can construct RecipientInfo's, we're at fault if we get here. So it's okay to assert and throw rather than
                    // returning to the caller.
                    Debug.Fail($"Unexpected RecipientInfoType: {type}");
                    throw new NotSupportedException();
                }

                if (exception != null)
                {
                    return(null);
                }

                // If we got here, we successfully decrypted. Return the decrypted content.
                return(_hCryptMsg.GetContentInfo());
            }
        }