public static void ReadCustomType()
{
byte[] input = (
"3033020103302E06092A864886F70D010701A021041F301D301B06092A864886" +
"F70D010701A00E040C300A3008060100A003040102").HexToByteArray();
Pkcs12Info info = Pkcs12Info.Decode(input, out _, skipCopy: true);
Assert.Equal(Pkcs12IntegrityMode.None, info.IntegrityMode);
ReadOnlyCollection <Pkcs12SafeContents> allContents = info.AuthenticatedSafe;
Assert.Equal(1, allContents.Count);
Pkcs12SafeContents contents = allContents[0];
Assert.Equal(Pkcs12ConfidentialityMode.None, contents.ConfidentialityMode);
List <Pkcs12SafeBag> bags = contents.GetBags().ToList();
Assert.Equal(1, bags.Count);
Pkcs12SafeBag bag = bags[0];
Assert.IsNotType <Pkcs12CertBag>(bag);
Assert.IsNotType <Pkcs12KeyBag>(bag);
Assert.IsNotType <Pkcs12SecretBag>(bag);
Assert.IsNotType <Pkcs12ShroudedKeyBag>(bag);
CustomBagType customBag = new CustomBagType(bag.EncodedBagValue);
Assert.Equal(2, customBag.Value);
}
public static void BuildWithFactoryReadDirect()
{
using (RSA rsa = RSA.Create())
{
Pkcs12SafeContents contents = new Pkcs12SafeContents();
Pkcs12KeyBag keyBag = contents.AddKeyUnencrypted(rsa);
using (RSA rsa2 = RSA.Create())
{
rsa2.ImportPkcs8PrivateKey(
keyBag.Pkcs8PrivateKey.Span,
out _);
byte[] sig = new byte[rsa.KeySize / 8];
Assert.True(rsa2.TrySignData(
keyBag.Pkcs8PrivateKey.Span,
sig,
HashAlgorithmName.MD5,
RSASignaturePadding.Pkcs1,
out int sigLen));
Assert.Equal(sig.Length, sigLen);
Assert.True(rsa.VerifyData(
keyBag.Pkcs8PrivateKey.Span,
sig,
HashAlgorithmName.MD5,
RSASignaturePadding.Pkcs1));
}
}
}
public static void BuildWithBytesFactoryReadDirect()
{
using (RSA rsa = RSA.Create())
{
Pkcs12SafeContents contents = new Pkcs12SafeContents();
byte[] encryptionKey = new byte[] { 1, 2, 3, 4, 5 };
Pkcs12ShroudedKeyBag keyBag = contents.AddShroudedKey(rsa, encryptionKey, s_pbkdf2Pbe);
using (RSA rsa2 = RSA.Create())
{
rsa2.ImportEncryptedPkcs8PrivateKey(
encryptionKey,
keyBag.EncryptedPkcs8PrivateKey.Span,
out _);
byte[] sig = new byte[rsa.KeySize / 8];
Assert.True(rsa2.TrySignData(
keyBag.EncryptedPkcs8PrivateKey.Span,
sig,
HashAlgorithmName.MD5,
RSASignaturePadding.Pkcs1,
out int sigLen));
Assert.Equal(sig.Length, sigLen);
Assert.True(rsa.VerifyData(
keyBag.EncryptedPkcs8PrivateKey.Span,
sig,
HashAlgorithmName.MD5,
RSASignaturePadding.Pkcs1));
}
}
}
public static void BuildWithEmptySafeContents(bool encrypted)
{
string pw = nameof(BuildWithEmptySafeContents);
Pkcs12Builder builder = new Pkcs12Builder();
Pkcs12SafeContents empty = new Pkcs12SafeContents();
if (encrypted)
{
builder.AddSafeContentsEncrypted(empty, pw, s_win7Pbe);
}
else
{
builder.AddSafeContentsUnencrypted(empty);
}
builder.SealWithMac(pw, HashAlgorithmName.SHA1, 1);
byte[] pfxBytes = builder.Encode();
X509Certificate2Collection coll = new X509Certificate2Collection();
coll.Import(pfxBytes, pw, default);
Assert.Equal(0, coll.Count);
}
public static X509Certificate2 CreateCertificateWithPrivateKey(
X509Certificate2 certificate,
AsymmetricAlgorithm privateKey,
string password = null)
{
var builder = new Pkcs12Builder();
var contents = new Pkcs12SafeContents();
contents.AddCertificate(certificate);
contents.AddKeyUnencrypted(privateKey);
builder.AddSafeContentsUnencrypted(contents);
// OpenSSL requires the file to have a mac, without mac this will run on Windows but not on Linux
builder.SealWithMac(password, HashAlgorithmName.SHA256, 1);
var pkcs12bytes = builder.Encode();
if (string.IsNullOrEmpty(password))
{
var certificateOut = new X509Certificate2(pkcs12bytes);
return(certificateOut);
}
else
{
var certificateOut = new X509Certificate2(pkcs12bytes, password);
return(certificateOut);
}
}
public void TwoCerts_CrossedKeys()
{
string pw = nameof(SameCertTwice_NoKeys);
using (var cert = new X509Certificate2(TestData.PfxData, TestData.PfxDataPassword, s_exportableImportFlags))
using (var cert2 = new X509Certificate2(TestData.MsCertificate))
using (RSA key = cert.GetRSAPrivateKey())
{
Pkcs12Builder builder = new Pkcs12Builder();
Pkcs12SafeContents keyContents = new Pkcs12SafeContents();
Pkcs12SafeContents certContents = new Pkcs12SafeContents();
Pkcs12SafeBag keyBag = keyContents.AddShroudedKey(key, pw, s_windowsPbe);
Pkcs12SafeBag certBag = certContents.AddCertificate(cert);
Pkcs12SafeBag certBag2 = certContents.AddCertificate(cert2);
keyBag.Attributes.Add(s_keyIdOne);
certBag2.Attributes.Add(s_keyIdOne);
AddContents(keyContents, builder, pw, encrypt: false);
AddContents(certContents, builder, pw, encrypt: true);
builder.SealWithMac(pw, s_digestAlgorithm, MacCount);
byte[] pfxBytes = builder.Encode();
// Windows seems to be applying both the implicit match and the LocalKeyId match,
// so it detects two hits against the same key and fails.
ReadUnreadablePfx(
pfxBytes,
pw,
// NTE_BAD_DATA
-2146893819);
}
}
public void CertTwice_KeyOnce(bool addLocalKeyId)
{
string pw = nameof(CertTwice_KeyOnce);
using (var cert = new X509Certificate2(TestData.PfxData, TestData.PfxDataPassword, s_exportableImportFlags))
using (RSA key = cert.GetRSAPrivateKey())
{
Pkcs12Builder builder = new Pkcs12Builder();
Pkcs12SafeContents keyContents = new Pkcs12SafeContents();
Pkcs12SafeContents certContents = new Pkcs12SafeContents();
Pkcs12SafeBag keyBag = keyContents.AddShroudedKey(key, pw, s_windowsPbe);
Pkcs12SafeBag certBag = certContents.AddCertificate(cert);
Pkcs12SafeBag certBag2 = certContents.AddCertificate(cert);
if (addLocalKeyId)
{
certBag.Attributes.Add(s_keyIdOne);
certBag2.Attributes.Add(s_keyIdOne);
keyBag.Attributes.Add(s_keyIdOne);
}
AddContents(keyContents, builder, pw, encrypt: false);
AddContents(certContents, builder, pw, encrypt: true);
builder.SealWithMac(pw, s_digestAlgorithm, MacCount);
byte[] pfxBytes = builder.Encode();
ReadUnreadablePfx(
pfxBytes,
pw,
// NTE_BAD_DATA
-2146893819);
}
}
public void SameCertTwice_NoKeys(bool addLocalKeyId)
{
string pw = nameof(SameCertTwice_NoKeys);
using (var cert = new X509Certificate2(TestData.MsCertificate))
{
Pkcs12Builder builder = new Pkcs12Builder();
Pkcs12SafeContents certContents = new Pkcs12SafeContents();
Pkcs12SafeBag certBag = certContents.AddCertificate(cert);
Pkcs12SafeBag certBag2 = certContents.AddCertificate(cert);
if (addLocalKeyId)
{
certBag.Attributes.Add(s_keyIdOne);
certBag2.Attributes.Add(s_keyIdOne);
}
AddContents(certContents, builder, pw, encrypt: true);
builder.SealWithMac(pw, s_digestAlgorithm, MacCount);
byte[] pfxBytes = builder.Encode();
ReadMultiPfx(
pfxBytes,
pw,
cert,
new[] { cert, cert });
}
}
public static void AddContentsAfterSealing()
{
Pkcs12SafeContents contents = new Pkcs12SafeContents();
contents.AddSecret(s_zeroOid, s_derNull);
Pkcs12Builder builder = new Pkcs12Builder();
builder.SealWithoutIntegrity();
Assert.Throws <InvalidOperationException>(
() => builder.AddSafeContentsUnencrypted(contents));
Assert.Throws <InvalidOperationException>(
() => builder.AddSafeContentsEncrypted(contents, Array.Empty <byte>(), s_pbkdf2Parameters));
Assert.Throws <InvalidOperationException>(
() => builder.AddSafeContentsEncrypted(contents, ReadOnlySpan <byte> .Empty, s_pbkdf2Parameters));
Assert.Throws <InvalidOperationException>(
() => builder.AddSafeContentsEncrypted(contents, string.Empty, s_pbkdf2Parameters));
Assert.Throws <InvalidOperationException>(
() => builder.AddSafeContentsEncrypted(contents, ReadOnlySpan <char> .Empty, s_pbkdf2Parameters));
}
public static void StartsInReadWriteNoConfidentialityMode()
{
Pkcs12SafeContents contents = new Pkcs12SafeContents();
Assert.Equal(Pkcs12ConfidentialityMode.None, contents.ConfidentialityMode);
Assert.False(contents.IsReadOnly);
}
public static void WriteOneCertNoKeys_Encrypted()
{
Pkcs12SafeContents contents = new Pkcs12SafeContents();
byte[] rawData;
using (X509Certificate2 cert = Certificates.RSAKeyTransferCapi1.GetCertificate())
{
contents.AddCertificate(cert);
rawData = cert.RawData;
}
const string password = nameof(WriteOneCertNoKeys_NoEncryption);
Pkcs12Builder builder = new Pkcs12Builder();
builder.AddSafeContentsEncrypted(
contents,
password,
s_win7Pbe);
builder.SealWithMac(password, HashAlgorithmName.SHA1, 1024);
byte[] pfx = builder.Encode();
ImportedCollection coll =
ImportedCollection.Import(pfx, password, X509KeyStorageFlags.EphemeralKeySet);
using (coll)
{
Assert.Equal(1, coll.Collection.Count);
Assert.Equal(rawData, coll.Collection[0].RawData);
Assert.False(coll.Collection[0].HasPrivateKey, "coll.Collection[0].HasPrivateKey");
}
}
public void OneCert_TwentyKeys_NoMatches()
{
string pw = nameof(OneCert_NoKey_WithLocalKeyId);
using (var cert = new X509Certificate2(TestData.MsCertificate))
using (RSA rsa = RSA.Create(TestData.RsaBigExponentParams))
{
Pkcs12Builder builder = new Pkcs12Builder();
Pkcs12SafeContents certContents = new Pkcs12SafeContents();
Pkcs12SafeContents keyContents = new Pkcs12SafeContents();
Pkcs12CertBag certBag = certContents.AddCertificate(cert);
certBag.Attributes.Add(s_keyIdOne);
byte[] keyExport = rsa.ExportEncryptedPkcs8PrivateKey(pw, s_windowsPbe);
for (int i = 0; i < 20; i++)
{
Pkcs12SafeBag keyBag = new Pkcs12ShroudedKeyBag(keyExport, skipCopy: true);
keyContents.AddSafeBag(keyBag);
// Even with i=1 this won't match, because { 0x01 } != { 0x01, 0x00, 0x00, 0x00 } and
// { 0x01 } != { 0x00, 0x00, 0x00, 0x01 } (binary comparison, not "equivalence" comparison).
keyBag.Attributes.Add(new Pkcs9LocalKeyId(BitConverter.GetBytes(i)));
}
AddContents(keyContents, builder, pw, encrypt: false);
AddContents(certContents, builder, pw, encrypt: true);
builder.SealWithMac(pw, s_digestAlgorithm, MacCount);
byte[] pfxBytes = builder.Encode();
ReadPfx(pfxBytes, pw, cert);
}
}
public static void BuildWithCharsFactoryReadDirect()
{
using (RSA rsa = RSA.Create())
{
Pkcs12SafeContents contents = new Pkcs12SafeContents();
Pkcs12ShroudedKeyBag keyBag = contents.AddShroudedKey(rsa, nameof(rsa), s_win7Pbe);
using (RSA rsa2 = RSA.Create())
{
rsa2.ImportEncryptedPkcs8PrivateKey(
(ReadOnlySpan <char>)nameof(rsa),
keyBag.EncryptedPkcs8PrivateKey.Span,
out _);
byte[] sig = new byte[rsa.KeySize / 8];
Assert.True(rsa2.TrySignData(
keyBag.EncryptedPkcs8PrivateKey.Span,
sig,
HashAlgorithmName.MD5,
RSASignaturePadding.Pkcs1,
out int sigLen));
Assert.Equal(sig.Length, sigLen);
Assert.True(rsa.VerifyData(
keyBag.EncryptedPkcs8PrivateKey.Span,
sig,
HashAlgorithmName.MD5,
RSASignaturePadding.Pkcs1));
}
}
}
public static void EncryptEncryptedSafeContents()
{
Pkcs12Builder builder1 = new Pkcs12Builder();
Pkcs12Builder builder2 = new Pkcs12Builder();
Pkcs12SafeContents contents = new Pkcs12SafeContents();
contents.AddSecret(s_zeroOid, s_derNull);
builder1.AddSafeContentsEncrypted(contents, ReadOnlySpan <byte> .Empty, s_pbkdf2Parameters);
builder1.SealWithoutIntegrity();
byte[] encoded = builder1.Encode();
Pkcs12Info info = Pkcs12Info.Decode(encoded, out _, skipCopy: true);
Assert.Equal(Pkcs12IntegrityMode.None, info.IntegrityMode);
Assert.Equal(1, info.AuthenticatedSafe.Count);
AssertExtensions.Throws <ArgumentException>(
"safeContents",
() => builder2.AddSafeContentsEncrypted(
info.AuthenticatedSafe[0],
"nope",
s_pbkdf2Parameters));
AssertExtensions.Throws <ArgumentException>(
"safeContents",
() => builder2.AddSafeContentsEncrypted(
info.AuthenticatedSafe[0],
s_derNull.Span,
s_pbkdf2Parameters));
}
public static void CopyEncryptedSafeContents(bool withSpan)
{
Pkcs12Builder builder1 = new Pkcs12Builder();
Pkcs12Builder builder2 = new Pkcs12Builder();
Pkcs12SafeContents contents = new Pkcs12SafeContents();
contents.AddSecret(s_zeroOid, s_derNull);
if (withSpan)
{
builder1.AddSafeContentsEncrypted(contents, ReadOnlySpan <byte> .Empty, s_pbkdf2Parameters);
}
else
{
builder1.AddSafeContentsEncrypted(contents, (byte[])null, s_pbkdf2Parameters);
}
builder1.SealWithoutIntegrity();
byte[] encoded1 = builder1.Encode();
Pkcs12Info info = Pkcs12Info.Decode(encoded1, out _, skipCopy: true);
Assert.Equal(Pkcs12IntegrityMode.None, info.IntegrityMode);
Assert.Equal(1, info.AuthenticatedSafe.Count);
builder2.AddSafeContentsUnencrypted(info.AuthenticatedSafe[0]);
builder2.SealWithoutIntegrity();
byte[] encoded2 = builder2.Encode();
Assert.Equal(encoded1.ByteArrayToHex(), encoded2.ByteArrayToHex());
}
public static void AddCertificateDisallowedInReadOnly()
{
Pkcs12SafeContents contents = MakeReadonly(new Pkcs12SafeContents());
X509Certificate2 cert = new X509Certificate2(stackalloc byte[0]);
Assert.Throws <InvalidOperationException>(() => contents.AddCertificate(cert));
}
public static void ReadSerializedData(bool encryptSafe)
{
Pkcs12SafeContents container = new Pkcs12SafeContents();
Pkcs12SafeContents builtContents = new Pkcs12SafeContents();
builtContents.AddSecret(s_zeroOid, s_derNull);
builtContents.AddSecret(s_zeroOid, new byte[] { 4, 1, 2 }).Attributes.Add(
new Pkcs9LocalKeyId(s_derNull.Span));
builtContents.AddSecret(s_zeroOid, new byte[] { 4, 1, 3 });
container.AddNestedContents(builtContents);
Pkcs12Builder builder = new Pkcs12Builder();
if (encryptSafe)
{
builder.AddSafeContentsEncrypted(container, s_derNull.Span, s_pbkdf2Parameters);
}
else
{
builder.AddSafeContentsUnencrypted(container);
}
builder.SealWithoutIntegrity();
byte[] encoded = builder.Encode();
Pkcs12Info info = Pkcs12Info.Decode(encoded, out _, skipCopy: true);
Pkcs12SafeContents onlySafe = info.AuthenticatedSafe.Single();
if (encryptSafe)
{
onlySafe.Decrypt(s_derNull.Span);
}
Pkcs12SafeBag onlyBag = onlySafe.GetBags().Single();
Pkcs12SafeContentsBag safeContentsBag = Assert.IsType <Pkcs12SafeContentsBag>(onlyBag);
Pkcs12SafeContents readContents = safeContentsBag.SafeContents;
Assert.Equal(
Pkcs12ConfidentialityMode.None,
readContents.ConfidentialityMode);
Assert.True(readContents.IsReadOnly);
List <Pkcs12SafeBag> bags1 = builtContents.GetBags().ToList();
List <Pkcs12SafeBag> bags2 = readContents.GetBags().ToList();
Assert.Equal(bags1.Count, bags2.Count);
for (int i = 0; i < bags2.Count; i++)
{
byte[] encoded1 = bags1[i].Encode();
byte[] encoded2 = bags1[i].Encode();
Assert.True(encoded1.AsSpan().SequenceEqual(encoded2), $"Bag {i} encodes the same");
}
}
public static void AddBagDisallowedInReadOnly()
{
Pkcs12SafeContents contents = MakeReadonly(new Pkcs12SafeContents());
Pkcs12CertBag certBag = new Pkcs12CertBag(s_zeroOid, s_derNull);
Assert.True(contents.IsReadOnly);
Assert.Throws <InvalidOperationException>(() => contents.AddSafeBag(certBag));
}
public static void OidRequired()
{
Pkcs12SafeContents contents = new Pkcs12SafeContents();
AssertExtensions.Throws <ArgumentNullException>(
"secretType",
() => contents.AddSecret(null, ReadOnlyMemory <byte> .Empty));
}
public static void BadOidFails()
{
string payloadHex = "0403090807";
Pkcs12SafeContents contents = new Pkcs12SafeContents();
Assert.ThrowsAny <CryptographicException>(
() => contents.AddSecret(new Oid("Hi", "There"), payloadHex.HexToByteArray()));
}
public static void AddNestedContentsDisallowedInReadOnly()
{
Pkcs12SafeContents outerContents = MakeReadonly(new Pkcs12SafeContents());
Pkcs12SafeContents innerContents = new Pkcs12SafeContents();
Assert.Throws <InvalidOperationException>(
() => outerContents.AddNestedContents(innerContents));
}
public static void AddKeyUnencryptedDisallowedInReadOnly()
{
Pkcs12SafeContents contents = MakeReadonly(new Pkcs12SafeContents());
using (RSA rsa = RSA.Create())
{
Assert.Throws <InvalidOperationException>(() => contents.AddKeyUnencrypted(rsa));
}
}
public static void EncodeGrowsWhenNeeded()
{
Pkcs12Builder builder = new Pkcs12Builder();
Pkcs12SafeContents contents = new Pkcs12SafeContents();
byte[] bigBuf = new byte[16 * 1024 + 4];
bigBuf[0] = 0x04;
bigBuf[1] = 0x82;
ref byte upper = ref bigBuf[2];
public void OneCert_ExtraKeyBadEncoding(bool badTag)
{
string pw = nameof(OneCert_ExtraKeyBadEncoding);
using (var cert = new X509Certificate2(TestData.MsCertificate))
{
Pkcs12Builder builder = new Pkcs12Builder();
Pkcs12SafeContents certContents = new Pkcs12SafeContents();
Pkcs12SafeContents keyContents = new Pkcs12SafeContents();
// SEQUENCE { INTEGER(1) } is not a valid RSAPrivateKey, it should be
// SEQUENCE { INTEGER(N), INTEGER(E), ... (D, P, Q, DP, DQ, QInv) }
// So the conclusion is "unexpected end of data"
byte[] badKeyBytes = { 0x30, 0x03, 0x02, 0x01, 0x01 };
// In "badTag" we make the INTEGER be OCTET STRING, triggering a different
// "uh, I can't read this..." error.
if (badTag)
{
badKeyBytes[2] = 0x04;
}
Pkcs8PrivateKeyInfo pk8 = new Pkcs8PrivateKeyInfo(
// The correct RSA OID.
new Oid("1.2.840.113549.1.1.1", null),
null,
badKeyBytes,
skipCopies: true);
// Note that neither the cert nor the key have a LocalKeyId attribute.
// The existence of this unreadable key is enough to abort the load on older Windows
keyContents.AddSafeBag(new Pkcs12ShroudedKeyBag(pk8.Encrypt(pw, s_windowsPbe)));
certContents.AddCertificate(cert);
AddContents(keyContents, builder, pw, encrypt: false);
AddContents(certContents, builder, pw, encrypt: true);
builder.SealWithMac(pw, s_digestAlgorithm, MacCount);
byte[] pfxBytes = builder.Encode();
if (s_loaderFailsKeysEarly)
{
// CRYPT_E_ASN1_BADTAG or CRYPT_E_ASN1_EOD
int expectedWin32Error = badTag ? -2146881269 : -2146881278;
ReadUnreadablePfx(
pfxBytes,
pw,
expectedWin32Error);
}
else
{
ReadPfx(pfxBytes, pw, cert);
}
}
}
public static void AddShroudedKeyWithCharsDisallowedInReadOnly()
{
Pkcs12SafeContents contents = MakeReadonly(new Pkcs12SafeContents());
using (RSA rsa = RSA.Create())
{
Assert.Throws <InvalidOperationException>(
() => contents.AddShroudedKey(rsa, ReadOnlySpan <char> .Empty, s_pbeParameters));
}
}
public static void ReadOracleWallet(int trailingByteCount)
{
ReadOnlyMemory <byte> source = PadContents(Pkcs12Documents.SimpleOracleWallet, trailingByteCount);
Pkcs12Info info = Pkcs12Info.Decode(
source,
out int bytesRead,
skipCopy: true);
Assert.Equal(Pkcs12Documents.SimpleOracleWallet.Length, bytesRead);
Assert.Equal(Pkcs12IntegrityMode.Password, info.IntegrityMode);
Assert.False(info.VerifyMac(ReadOnlySpan <char> .Empty), "VerifyMac(no password)");
Assert.False(info.VerifyMac(""), "VerifyMac(empty password)");
Assert.True(info.VerifyMac(Pkcs12Documents.OracleWalletPassword), "VerifyMac(correct password)");
ReadOnlyCollection <Pkcs12SafeContents> authSafes = info.AuthenticatedSafe;
Assert.Equal(1, authSafes.Count);
Pkcs12SafeContents authSafe = authSafes[0];
Assert.Equal(Pkcs12ConfidentialityMode.Password, authSafe.ConfidentialityMode);
// Wrong password
Assert.ThrowsAny <CryptographicException>(() => authSafe.Decrypt(ReadOnlySpan <char> .Empty));
authSafe.Decrypt(Pkcs12Documents.OracleWalletPassword);
Assert.Equal(Pkcs12ConfidentialityMode.None, authSafe.ConfidentialityMode);
List <Pkcs12SafeBag> bags = authSafe.GetBags().ToList();
Assert.Equal(4, bags.Count);
CheckOracleSecretBag(
bags[0],
"oracle.security.client.connect_string1",
"a_prod_db",
"E6B652DD0000000400000000000000060000000300000000");
CheckOracleSecretBag(
bags[1],
"a@#3#@b", "{pwd_cred_type}@#4#@NEVER_EXPIRE@#5#@c@#111#@d",
"E6B652DD0000000400000000000000060000000200000000");
CheckOracleSecretBag(
bags[2],
"oracle.security.client.username1",
"a_test_user",
"E6B652DD0000000400000000000000060000000100000000");
CheckOracleSecretBag(
bags[3],
"oracle.security.client.password1",
"potatos are tasty",
"E6B652DD0000000400000000000000060000000000000000");
}
public static void EncryptPkcs12KdfWithBytes()
{
Pkcs12SafeContents contents = new Pkcs12SafeContents();
contents.AddSecret(s_zeroOid, s_derNull);
Pkcs12Builder builder = new Pkcs12Builder();
Assert.ThrowsAny <CryptographicException>(
() => builder.AddSafeContentsEncrypted(contents, s_derNull.Span, s_win7Pbe));
}
public static void DecryptThrowsWhenNotPasswordMode(bool forReadOnly)
{
Pkcs12SafeContents contents = new Pkcs12SafeContents();
if (forReadOnly)
{
contents = MakeReadonly(contents);
}
Assert.Equal(Pkcs12ConfidentialityMode.None, contents.ConfidentialityMode);
Assert.Throws <InvalidOperationException>(() => contents.Decrypt("test"));
}
public static void WriteOneCertWithKey_LikeWindows()
{
Pkcs12SafeContents safe1 = new Pkcs12SafeContents();
Pkcs12SafeContents safe2 = new Pkcs12SafeContents();
byte[] rawData;
Pkcs9LocalKeyId localKeyId = new Pkcs9LocalKeyId(new byte[] { 1 });
const string password = nameof(WriteOneCertWithKey_LikeWindows);
using (X509Certificate2 cert = Certificates.RSAKeyTransferCapi1.TryGetCertificateWithPrivateKey(true))
{
Pkcs12CertBag certBag = safe1.AddCertificate(cert);
certBag.Attributes.Add(localKeyId);
rawData = cert.RawData;
Pkcs12ShroudedKeyBag keyBag;
using (RSA rsa = cert.GetRSAPrivateKey())
{
keyBag = safe2.AddShroudedKey(
rsa,
password,
s_win7Pbe);
}
keyBag.Attributes.Add(localKeyId);
}
Pkcs12Builder builder = new Pkcs12Builder();
builder.AddSafeContentsEncrypted(
safe1,
password,
s_win7Pbe);
builder.AddSafeContentsUnencrypted(safe2);
builder.SealWithMac(password, HashAlgorithmName.SHA1, 2068);
byte[] pfx = builder.Encode();
ImportedCollection coll =
ImportedCollection.Import(pfx, password, X509KeyStorageFlags.EphemeralKeySet);
using (coll)
{
Assert.Equal(1, coll.Collection.Count);
Assert.Equal(rawData, coll.Collection[0].RawData);
Assert.True(coll.Collection[0].HasPrivateKey, "coll.Collection[0].HasPrivateKey");
}
}
public static void AddKeyUnencryptedDisallowsNull(bool forReadOnly)
{
Pkcs12SafeContents contents = new Pkcs12SafeContents();
if (forReadOnly)
{
contents = MakeReadonly(contents);
}
AssertExtensions.Throws <ArgumentNullException>(
"key",
() => contents.AddKeyUnencrypted(null));
}
