public static ILoaderPal FromBlob(byte[] rawData, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
{
Debug.Assert(password != null);
ICertificatePal singleCert;
if (CertificatePal.TryReadX509Der(rawData, out singleCert) ||
CertificatePal.TryReadX509Pem(rawData, out singleCert))
{
// The single X509 structure methods shouldn't return true and out null, only empty
// collections have that behavior.
Debug.Assert(singleCert != null);
return(SingleCertToLoaderPal(singleCert));
}
List <ICertificatePal> certPals;
if (PkcsFormatReader.TryReadPkcs7Der(rawData, out certPals) ||
PkcsFormatReader.TryReadPkcs7Pem(rawData, out certPals) ||
PkcsFormatReader.TryReadPkcs12(rawData, password, out certPals))
{
Debug.Assert(certPals != null);
return(ListToLoaderPal(certPals));
}
throw Interop.Crypto.CreateOpenSslCryptographicException();
}
private static ILoaderPal FromBio(SafeBioHandle bio, SafePasswordHandle password)
{
int bioPosition = Interop.Crypto.BioTell(bio);
Debug.Assert(bioPosition >= 0);
ICertificatePal singleCert;
if (CertificatePal.TryReadX509Pem(bio, out singleCert))
{
return(SingleCertToLoaderPal(singleCert));
}
// Rewind, try again.
CertificatePal.RewindBio(bio, bioPosition);
if (CertificatePal.TryReadX509Der(bio, out singleCert))
{
return(SingleCertToLoaderPal(singleCert));
}
// Rewind, try again.
CertificatePal.RewindBio(bio, bioPosition);
List <ICertificatePal> certPals;
if (PkcsFormatReader.TryReadPkcs7Pem(bio, out certPals))
{
return(ListToLoaderPal(certPals));
}
// Rewind, try again.
CertificatePal.RewindBio(bio, bioPosition);
if (PkcsFormatReader.TryReadPkcs7Der(bio, out certPals))
{
return(ListToLoaderPal(certPals));
}
// Rewind, try again.
CertificatePal.RewindBio(bio, bioPosition);
if (PkcsFormatReader.TryReadPkcs12(bio, password, out certPals))
{
return(ListToLoaderPal(certPals));
}
// Since we aren't going to finish reading, leaving the buffer where it was when we got
// it seems better than leaving it in some arbitrary other position.
//
// But, before seeking back to start, save the Exception representing the last reported
// OpenSSL error in case the last BioSeek would change it.
Exception openSslException = Interop.Crypto.CreateOpenSslCryptographicException();
// Use BioSeek directly for the last seek attempt, because any failure here should instead
// report the already created (but not yet thrown) exception.
Interop.Crypto.BioSeek(bio, bioPosition);
throw openSslException;
}
public static ICertificatePal FromBlob(byte[] rawData, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
{
Debug.Assert(password != null);
ICertificatePal cert;
Exception openSslException;
if (TryReadX509Der(rawData, out cert) ||
TryReadX509Pem(rawData, out cert) ||
PkcsFormatReader.TryReadPkcs7Der(rawData, out cert) ||
PkcsFormatReader.TryReadPkcs7Pem(rawData, out cert) ||
PkcsFormatReader.TryReadPkcs12(rawData, password, out cert, out openSslException))
{
if (cert == null)
{
// Empty collection, most likely.
throw new CryptographicException();
}
return(cert);
}
// Unsupported
Debug.Assert(openSslException != null);
throw openSslException;
}
public static ICertificatePal FromFile(string fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
{
ICertificatePal pal;
// If we can't open the file, fail right away.
using (SafeBioHandle fileBio = Interop.Crypto.BioNewFile(fileName, "rb"))
{
Interop.Crypto.CheckValidOpenSslHandle(fileBio);
pal = FromBio(fileBio);
}
if (pal == null)
{
PkcsFormatReader.TryReadPkcs12(
File.ReadAllBytes(fileName),
password,
out pal,
out Exception exception);
if (exception != null)
{
throw exception;
}
Debug.Assert(pal != null);
}
return(pal);
}
public static ILoaderPal FromBlob(ReadOnlySpan <byte> rawData, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
{
Debug.Assert(password != null);
ICertificatePal?singleCert;
if (OpenSslX509CertificateReader.TryReadX509Der(rawData, out singleCert) ||
OpenSslX509CertificateReader.TryReadX509Pem(rawData, out singleCert))
{
// The single X509 structure methods shouldn't return true and out null, only empty
// collections have that behavior.
Debug.Assert(singleCert != null);
return(SingleCertToLoaderPal(singleCert));
}
List <ICertificatePal>?certPals;
Exception?openSslException;
if (PkcsFormatReader.TryReadPkcs7Der(rawData, out certPals) ||
PkcsFormatReader.TryReadPkcs7Pem(rawData, out certPals) ||
PkcsFormatReader.TryReadPkcs12(rawData, password, out certPals, out openSslException))
{
Debug.Assert(certPals != null);
return(ListToLoaderPal(certPals));
}
Debug.Assert(openSslException != null);
throw openSslException;
}
public X509ContentType GetCertContentType(byte[] rawData)
{
{
ICertificatePal certPal;
if (OpenSslX509CertificateReader.TryReadX509Der(rawData, out certPal) ||
OpenSslX509CertificateReader.TryReadX509Pem(rawData, out certPal))
{
certPal.Dispose();
return(X509ContentType.Cert);
}
}
if (PkcsFormatReader.IsPkcs7(rawData))
{
return(X509ContentType.Pkcs7);
}
{
OpenSslPkcs12Reader pfx;
if (OpenSslPkcs12Reader.TryRead(rawData, out pfx))
{
pfx.Dispose();
return(X509ContentType.Pkcs12);
}
}
// Unsupported format.
// Windows throws new CryptographicException(CRYPT_E_NO_MATCH)
throw new CryptographicException();
}
public static IStorePal FromBlob(byte[] rawData, string password, X509KeyStorageFlags keyStorageFlags)
{
ICertificatePal singleCert;
if (CertificatePal.TryReadX509Der(rawData, out singleCert) ||
CertificatePal.TryReadX509Pem(rawData, out singleCert))
{
// The single X509 structure methods shouldn't return true and out null, only empty
// collections have that behavior.
Debug.Assert(singleCert != null);
return(SingleCertToStorePal(singleCert));
}
List <ICertificatePal> certPals;
if (PkcsFormatReader.TryReadPkcs7Der(rawData, out certPals) ||
PkcsFormatReader.TryReadPkcs7Pem(rawData, out certPals) ||
PkcsFormatReader.TryReadPkcs12(rawData, password, out certPals))
{
Debug.Assert(certPals != null);
return(ListToStorePal(certPals));
}
return(null);
}
private static ILoaderPal FromBio(SafeBioHandle bio, SafePasswordHandle password)
{
int bioPosition = Interop.Crypto.BioTell(bio);
Debug.Assert(bioPosition >= 0);
ICertificatePal singleCert;
if (CertificatePal.TryReadX509Pem(bio, out singleCert))
{
return(SingleCertToLoaderPal(singleCert));
}
// Rewind, try again.
CertificatePal.RewindBio(bio, bioPosition);
if (CertificatePal.TryReadX509Der(bio, out singleCert))
{
return(SingleCertToLoaderPal(singleCert));
}
// Rewind, try again.
CertificatePal.RewindBio(bio, bioPosition);
List <ICertificatePal> certPals;
if (PkcsFormatReader.TryReadPkcs7Pem(bio, out certPals))
{
return(ListToLoaderPal(certPals));
}
// Rewind, try again.
CertificatePal.RewindBio(bio, bioPosition);
if (PkcsFormatReader.TryReadPkcs7Der(bio, out certPals))
{
return(ListToLoaderPal(certPals));
}
// Rewind, try again.
CertificatePal.RewindBio(bio, bioPosition);
// Capture the exception so in case of failure, the call to BioSeek does not override it.
Exception openSslException;
if (PkcsFormatReader.TryReadPkcs12(bio, password, out certPals, out openSslException))
{
return(ListToLoaderPal(certPals));
}
// Since we aren't going to finish reading, leaving the buffer where it was when we got
// it seems better than leaving it in some arbitrary other position.
//
// Use BioSeek directly for the last seek attempt, because any failure here should instead
// report the already created (but not yet thrown) exception.
Interop.Crypto.BioSeek(bio, bioPosition);
Debug.Assert(openSslException != null);
throw openSslException;
}
public static ICertificatePal FromBlob(ReadOnlySpan <byte> rawData, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
{
Debug.Assert(password != null);
ICertificatePal?cert;
Exception? openSslException;
bool ephemeralSpecified = keyStorageFlags.HasFlag(X509KeyStorageFlags.EphemeralKeySet);
if (TryReadX509Der(rawData, out cert) ||
TryReadX509Pem(rawData, out cert) ||
PkcsFormatReader.TryReadPkcs7Der(rawData, out cert) ||
PkcsFormatReader.TryReadPkcs7Pem(rawData, out cert) ||
PkcsFormatReader.TryReadPkcs12(rawData, password, ephemeralSpecified, out cert, out openSslException))
{
if (cert == null)
{
// Empty collection, most likely.
throw new CryptographicException();
}
return(cert);
}
// Unsupported
Debug.Assert(openSslException != null);
throw openSslException;
}
public static ICertificatePal FromBlob(byte[] rawData, string password, X509KeyStorageFlags keyStorageFlags)
{
ICertificatePal cert;
if (TryReadX509Der(rawData, out cert) ||
TryReadX509Pem(rawData, out cert) ||
PkcsFormatReader.TryReadPkcs7Der(rawData, out cert) ||
PkcsFormatReader.TryReadPkcs7Pem(rawData, out cert) ||
PkcsFormatReader.TryReadPkcs12(rawData, password, out cert))
{
if (cert == null)
{
// Empty collection, most likely.
throw new CryptographicException();
}
return(cert);
}
// Unsupported
throw Interop.Crypto.CreateOpenSslCryptographicException();
}
private static ICertificatePal FromBio(SafeBioHandle bio)
{
int bioPosition = Interop.Crypto.BioTell(bio);
Debug.Assert(bioPosition >= 0);
ICertificatePal certPal;
if (TryReadX509Pem(bio, out certPal))
{
return(certPal);
}
// Rewind, try again.
RewindBio(bio, bioPosition);
if (TryReadX509Der(bio, out certPal))
{
return(certPal);
}
// Rewind, try again.
RewindBio(bio, bioPosition);
if (PkcsFormatReader.TryReadPkcs7Pem(bio, out certPal))
{
return(certPal);
}
// Rewind, try again.
RewindBio(bio, bioPosition);
if (PkcsFormatReader.TryReadPkcs7Der(bio, out certPal))
{
return(certPal);
}
return(null);
}
public X509ContentType GetCertContentType(string fileName)
{
// If we can't open the file, fail right away.
using (SafeBioHandle fileBio = Interop.Crypto.BioNewFile(fileName, "rb"))
{
Interop.Crypto.CheckValidOpenSslHandle(fileBio);
int bioPosition = Interop.Crypto.BioTell(fileBio);
Debug.Assert(bioPosition >= 0);
// X509ContentType.Cert
{
ICertificatePal certPal;
if (OpenSslX509CertificateReader.TryReadX509Der(fileBio, out certPal))
{
certPal.Dispose();
return(X509ContentType.Cert);
}
OpenSslX509CertificateReader.RewindBio(fileBio, bioPosition);
if (OpenSslX509CertificateReader.TryReadX509Pem(fileBio, out certPal))
{
certPal.Dispose();
return(X509ContentType.Cert);
}
OpenSslX509CertificateReader.RewindBio(fileBio, bioPosition);
}
// X509ContentType.Pkcs7
{
if (PkcsFormatReader.IsPkcs7Der(fileBio))
{
return(X509ContentType.Pkcs7);
}
OpenSslX509CertificateReader.RewindBio(fileBio, bioPosition);
if (PkcsFormatReader.IsPkcs7Pem(fileBio))
{
return(X509ContentType.Pkcs7);
}
OpenSslX509CertificateReader.RewindBio(fileBio, bioPosition);
}
// X509ContentType.Pkcs12 (aka PFX)
{
OpenSslPkcs12Reader pkcs12Reader;
if (OpenSslPkcs12Reader.TryRead(fileBio, out pkcs12Reader))
{
pkcs12Reader.Dispose();
return(X509ContentType.Pkcs12);
}
OpenSslX509CertificateReader.RewindBio(fileBio, bioPosition);
}
}
// Unsupported format.
// Windows throws new CryptographicException(CRYPT_E_NO_MATCH)
throw new CryptographicException();
}
