internal static SafeCspHandle AcquireCsp(string keyContainer,
string providerName,
ProviderType providerType,
CryptAcquireContextFlags flags)
{
Contract.Assert(keyContainer == null, "Key containers are not supported");
// Specifying both verify context (for an ephemeral key) and machine keyset (for a persisted machine key)
// does not make sense. Additionally, Widows is beginning to lock down against uses of MACHINE_KEYSET
// (for instance in the app container), even if verify context is present. Therefore, if we're using
// an ephemeral key, strip out MACHINE_KEYSET from the flags.
if (((flags & CryptAcquireContextFlags.VerifyContext) == CryptAcquireContextFlags.VerifyContext) &&
((flags & CryptAcquireContextFlags.MachineKeyset) == CryptAcquireContextFlags.MachineKeyset))
{
flags &= ~CryptAcquireContextFlags.MachineKeyset;
}
SafeCspHandle cspHandle = null;
if (!UnsafeNativeMethods.CryptAcquireContext(out cspHandle,
keyContainer,
providerName,
providerType,
flags))
{
throw new CryptographicException(Marshal.GetLastWin32Error());
}
return(cspHandle);
}
internal static SafeCspHandle AcquireCsp(string keyContainer,
string providerName,
ProviderType providerType,
CryptAcquireContextFlags flags,
bool throwPlatformException)
{
Contract.Ensures(Contract.Result <SafeCspHandle>() != null &&
!Contract.Result <SafeCspHandle>().IsInvalid&&
!Contract.Result <SafeCspHandle>().IsClosed);
SafeCspHandle cspHandle = null;
if (!UnsafeNativeMethods.CryptAcquireContext(out cspHandle,
keyContainer,
providerName,
providerType,
flags))
{
// If the platform doesn't have the specified CSP, we'll either get a ProviderTypeNotDefined
// or a KeysetNotDefined error depending on the CAPI version.
int error = Marshal.GetLastWin32Error();
if (throwPlatformException && (error == (int)CapiNative.ErrorCode.ProviderTypeNotDefined ||
error == (int)CapiNative.ErrorCode.KeysetNotDefined))
{
throw new PlatformNotSupportedException(SR.GetString(SR.Cryptography_PlatformNotSupported));
}
else
{
throw new CryptographicException(error);
}
}
return(cspHandle);
}
public static void DeleteKeyContainer(SafeCertContextHandle pCertContext)
{
if (pCertContext.IsInvalid)
{
return;
}
int cb = 0;
bool containsPrivateKey = Interop.crypt32.CertGetCertificateContextProperty(pCertContext, CertContextPropId.CERT_KEY_PROV_INFO_PROP_ID, null, ref cb);
if (!containsPrivateKey)
{
return;
}
byte[] provInfoAsBytes = new byte[cb];
if (!Interop.crypt32.CertGetCertificateContextProperty(pCertContext, CertContextPropId.CERT_KEY_PROV_INFO_PROP_ID, provInfoAsBytes, ref cb))
{
return;
}
unsafe
{
fixed(byte *pProvInfoAsBytes = provInfoAsBytes)
{
CRYPT_KEY_PROV_INFO *pProvInfo = (CRYPT_KEY_PROV_INFO *)pProvInfoAsBytes;
string providerName = pwszToString((IntPtr)(pProvInfo->pwszProvName));
string keyContainerName = pwszToString((IntPtr)(pProvInfo->pwszContainerName));
if (pProvInfo->dwProvType == 0)
{
// dwProvType being 0 indicates that the key is stored in CNG.
// dwProvType being non-zero indicates that the key is stored in CAPI.
try
{
using (CngKey cngKey = CngKey.Open(keyContainerName, new CngProvider(providerName)))
{
cngKey.Delete();
}
}
catch (CryptographicException)
{
// While leaving the file on disk is undesirable, an inability to perform this cleanup
// should not manifest itself to a user.
}
}
else
{
CryptAcquireContextFlags flags = (pProvInfo->dwFlags & CryptAcquireContextFlags.CRYPT_MACHINE_KEYSET) | CryptAcquireContextFlags.CRYPT_DELETEKEYSET;
IntPtr hProv;
bool success = Interop.cryptoapi.CryptAcquireContext(out hProv, keyContainerName, providerName, pProvInfo->dwProvType, flags);
// Called CryptAcquireContext solely for the side effect of deleting the key containers. When called with these flags, no actual
// hProv is returned (so there's nothing to clean up.)
Debug.Assert(hProv == IntPtr.Zero);
}
}
}
}
public static extern bool CryptAcquireContext
(
[param: Out] out NCryptKeyOrCryptProviderSafeHandle phProv,
[param: In, MarshalAs(UnmanagedType.LPTStr)] string pszContainer,
[param: In, MarshalAs(UnmanagedType.LPTStr)] string pszProvider,
[param: In, MarshalAs(UnmanagedType.U4)] ProviderType dwProvType,
[param: In, MarshalAs(UnmanagedType.U4)] CryptAcquireContextFlags dwFlags
);
public static void DeleteKeyContainer(SafeCertContextHandle pCertContext)
{
if (pCertContext.IsInvalid)
{
return;
}
int cb = 0;
bool containsPrivateKey = Interop.crypt32.CertGetCertificateContextProperty(pCertContext, CertContextPropId.CERT_KEY_PROV_INFO_PROP_ID, null, ref cb);
if (!containsPrivateKey)
{
return;
}
byte[] provInfoAsBytes = new byte[cb];
if (!Interop.crypt32.CertGetCertificateContextProperty(pCertContext, CertContextPropId.CERT_KEY_PROV_INFO_PROP_ID, provInfoAsBytes, ref cb))
{
return;
}
unsafe
{
fixed(byte *pProvInfoAsBytes = provInfoAsBytes)
{
CRYPT_KEY_PROV_INFO *pProvInfo = (CRYPT_KEY_PROV_INFO *)pProvInfoAsBytes;
// For UWP the key was opened in a CNG-only context, so it can/should be deleted via CngKey.Delete.
// In all other contexts, the key was loaded into CAPI, so deleting it via CryptAcquireContext is
// the correct action.
#if NETNATIVE
string providerName = Marshal.PtrToStringUni((IntPtr)(pProvInfo->pwszProvName));
string keyContainerName = Marshal.PtrToStringUni((IntPtr)(pProvInfo->pwszContainerName));
try
{
using (CngKey cngKey = CngKey.Open(keyContainerName, new CngProvider(providerName)))
{
cngKey.Delete();
}
}
catch (CryptographicException)
{
// While leaving the file on disk is undesirable, an inability to perform this cleanup
// should not manifest itself to a user.
}
#else
CryptAcquireContextFlags flags = (pProvInfo->dwFlags & CryptAcquireContextFlags.CRYPT_MACHINE_KEYSET) | CryptAcquireContextFlags.CRYPT_DELETEKEYSET;
IntPtr hProv;
bool success = Interop.advapi32.CryptAcquireContext(out hProv, pProvInfo->pwszContainerName, pProvInfo->pwszProvName, pProvInfo->dwProvType, flags);
// Called CryptAcquireContext solely for the side effect of deleting the key containers. When called with these flags, no actual
// hProv is returned (so there's nothing to clean up.)
Debug.Assert(hProv == IntPtr.Zero);
#endif
}
}
}
public static extern bool CryptAcquireContext(
out IntPtr prov,
[MarshalAs(UnmanagedType.LPTStr)]
string container,
[MarshalAs(UnmanagedType.LPTStr)]
string provider,
[MarshalAs(UnmanagedType.U4)]
CryptProviderType provType,
[MarshalAs(UnmanagedType.U4)]
CryptAcquireContextFlags flags);
ProviderHandle GetProviderHandle(CryptAcquireContextFlags flags)
{
ProviderHandle providerHandle;
if (CryptAcquireContext(out providerHandle, Name, Provider.Name, Provider.ProviderType.Id, flags) == false)
{
throw new Win32Exception();
}
return(providerHandle);
}
public static void DeleteKeyContainer(SafeCertContextHandle pCertContext)
{
if (pCertContext.IsInvalid)
{
return;
}
int cb = 0;
bool containsPrivateKey = Interop.crypt32.CertGetCertificateContextProperty(pCertContext, CertContextPropId.CERT_KEY_PROV_INFO_PROP_ID, null, ref cb);
if (!containsPrivateKey)
{
return;
}
byte[] provInfoAsBytes = new byte[cb];
if (!Interop.crypt32.CertGetCertificateContextProperty(pCertContext, CertContextPropId.CERT_KEY_PROV_INFO_PROP_ID, provInfoAsBytes, ref cb))
{
return;
}
unsafe
{
fixed(byte *pProvInfoAsBytes = provInfoAsBytes)
{
CRYPT_KEY_PROV_INFO * pProvInfo = (CRYPT_KEY_PROV_INFO *)pProvInfoAsBytes;
CryptAcquireContextFlags flags = (pProvInfo->dwFlags & CryptAcquireContextFlags.CRYPT_MACHINE_KEYSET) | CryptAcquireContextFlags.CRYPT_DELETEKEYSET;
IntPtr hProv;
bool success = Interop.advapi32.CryptAcquireContext(out hProv, pProvInfo->pwszContainerName, pProvInfo->pwszProvName, pProvInfo->dwProvType, flags);
// Called CryptAcquireContext solely for the side effect of deleting the key containers. When called with these flags, no actual
// hProv is returned (so there's nothing to clean up.)
Debug.Assert(hProv == IntPtr.Zero);
}
}
}
public static extern bool CryptAcquireContext(out IntPtr psafeProvHandle,
[MarshalAs(UnmanagedType.LPWStr)] string pszContainer,
[MarshalAs(UnmanagedType.LPWStr)] string pszProvider,
int dwProvType, CryptAcquireContextFlags dwFlags);
public static extern bool CryptAcquireContext(
out IntPtr phProv,
string szContainer,
string szProvider,
int dwProvType,
CryptAcquireContextFlags dwFlags);
public static unsafe extern bool CryptAcquireContext(out IntPtr psafeProvHandle, char* pszContainer, char* pszProvider, int dwProvType, CryptAcquireContextFlags dwFlags);
private static void Main(string[] args)
{
SafeHCRYPTPROV hProv = null;
SafeHCRYPTKEY hPubKey = null;
string szCertificateName = default;
string szStoreName = default;
string szContainerName = default;
var dwOpenFlags = CertStoreFlags.CERT_SYSTEM_STORE_CURRENT_USER;
CryptAcquireContextFlags dwAcquireFlags = 0;
var dwKeySpec = CertKeySpec.AT_SIGNATURE;
ALG_ID AlgId;
if (args.Length != 8)
{
PrintUsage();
return;
}
try
{
// Determine hash algorithm
if (StringComparer.InvariantCultureIgnoreCase.Compare(args[0], "sha1") == 0)
{
AlgId = ALG_ID.CALG_SHA1;
}
else if (StringComparer.InvariantCultureIgnoreCase.Compare(args[0], "md5") == 0)
{
AlgId = ALG_ID.CALG_MD5;
}
else
{
PrintUsage();
return;
}
bool fSign;
if (StringComparer.InvariantCultureIgnoreCase.Compare(args[1], "/s") == 0)
{
fSign = true;
}
else if (StringComparer.InvariantCultureIgnoreCase.Compare(args[1], "/v") == 0)
{
fSign = false;
}
else
{
PrintUsage();
return;
}
var szFileToSign = args[2];
var szSigFile = args[3];
bool fUseCert;
// check to see if user wants to use a certificate
if (StringComparer.InvariantCultureIgnoreCase.Compare(args[4], "/cert") == 0)
{
fUseCert = true;
szCertificateName = args[5];
szStoreName = args[6];
// Determine if we have to use user or machine store
if (StringComparer.InvariantCultureIgnoreCase.Compare(args[7], "u") == 0)
{
dwOpenFlags = CertStoreFlags.CERT_SYSTEM_STORE_CURRENT_USER;
}
else if (StringComparer.InvariantCultureIgnoreCase.Compare(args[7], "m") == 0)
{
dwOpenFlags = CertStoreFlags.CERT_SYSTEM_STORE_LOCAL_MACHINE;
}
else
{
PrintUsage();
return;
}
}
else if (StringComparer.InvariantCultureIgnoreCase.Compare(args[4], "/key") == 0)
{
fUseCert = false;
szContainerName = args[5];
if (StringComparer.InvariantCultureIgnoreCase.Compare(args[6], "u") == 0)
{
dwAcquireFlags = 0;
}
else if (StringComparer.InvariantCultureIgnoreCase.Compare(args[6], "m") == 0)
{
dwAcquireFlags = CryptAcquireContextFlags.CRYPT_MACHINE_KEYSET;
}
else
{
PrintUsage();
return;
}
// Use exchange key or signature key
if (StringComparer.InvariantCultureIgnoreCase.Compare(args[7], "x") == 0)
{
dwKeySpec = CertKeySpec.AT_KEYEXCHANGE;
}
else if (StringComparer.InvariantCultureIgnoreCase.Compare(args[7], "s") == 0)
{
dwKeySpec = CertKeySpec.AT_SIGNATURE;
}
else
{
PrintUsage();
return;
}
}
else
{
PrintUsage();
return;
}
bool fResult;
if (fUseCert)
{
using var pCertContext = GetCertificateContextFromName(szCertificateName, szStoreName, dwOpenFlags);
if (pCertContext.IsInvalid)
{
throw new Exception();
}
fResult = GetRSAKeyFromCert(pCertContext, fSign, out hProv, out hPubKey, out dwKeySpec, out _);
if (!fResult)
{
throw new Exception();
}
}
else
{
fResult = GetRSAKeyFromContainer(szContainerName, dwAcquireFlags, dwKeySpec, out hProv, out hPubKey);
if (!fResult)
{
throw new Exception();
}
}
fResult = SignVerifyFile(hProv, hPubKey, dwKeySpec, AlgId, szFileToSign, szSigFile, fSign);
if (!fResult)
{
throw new Exception();
}
if (fSign)
{
MyPrintf(("File %s hashed and signed successfully!\n"), szFileToSign);
}
else
{
MyPrintf(("File %s verified successfully!\n"), szSigFile);
}
}
finally
{
// Clean up
}
}
public static extern bool CryptAcquireContext([Out] out SafeCspHandle phProv,
string pszContainer,
string pszProvider,
ProviderType dwProvType,
CryptAcquireContextFlags dwFlags);
static extern bool CryptAcquireContext(out ProviderHandle hProv, string pszContainer, string pszProvider, ProviderType.Ids dwProvType, CryptAcquireContextFlags dwFlags);
static ProviderHandle GetProviderHandle(string containerName, string providerName, ProviderType.Ids providerTypeId, CryptAcquireContextFlags acFlags)
{
ProviderHandle providerHandle;
if (CryptAcquireContext(out providerHandle, containerName, providerName, providerTypeId, acFlags) == false)
{
throw new Win32Exception();
}
return(providerHandle);
}
public static extern unsafe bool CryptAcquireContext(out IntPtr psafeProvHandle, char *pszContainer, char *pszProvider, int dwProvType, CryptAcquireContextFlags dwFlags);
internal static extern bool CryptAcquireContext([Out] out SafeCspHandle phProv,
string pszContainer,
string pszProvider,
ProviderType dwProvType,
CryptAcquireContextFlags dwFlags);
internal static SafeCspHandle AcquireCsp(string keyContainer, string providerName, ProviderType providerType, CryptAcquireContextFlags flags, bool throwPlatformException)
{
SafeCspHandle phProv = null;
if (UnsafeNativeMethods.CryptAcquireContext(out phProv, keyContainer, providerName, providerType, flags))
{
return(phProv);
}
int hr = Marshal.GetLastWin32Error();
if (!throwPlatformException || ((hr != -2146893801) && (hr != -2146893799)))
{
throw new CryptographicException(hr);
}
throw new PlatformNotSupportedException(System.SR.GetString("Cryptography_PlatformNotSupported"));
}
internal static SafeCspHandle AcquireCsp(string keyContainer,
string providerName,
ProviderType providerType,
CryptAcquireContextFlags flags) {
Contract.Assert(keyContainer == null, "Key containers are not supported");
// Specifying both verify context (for an ephemeral key) and machine keyset (for a persisted machine key)
// does not make sense. Additionally, Widows is beginning to lock down against uses of MACHINE_KEYSET
// (for instance in the app container), even if verify context is present. Therefore, if we're using
// an ephemeral key, strip out MACHINE_KEYSET from the flags.
if (((flags & CryptAcquireContextFlags.VerifyContext) == CryptAcquireContextFlags.VerifyContext) &&
((flags & CryptAcquireContextFlags.MachineKeyset) == CryptAcquireContextFlags.MachineKeyset)) {
flags &= ~CryptAcquireContextFlags.MachineKeyset;
}
SafeCspHandle cspHandle = null;
if (!UnsafeNativeMethods.CryptAcquireContext(out cspHandle,
keyContainer,
providerName,
providerType,
flags)) {
throw new CryptographicException(Marshal.GetLastWin32Error());
}
return cspHandle;
}
