private Exception TryDecryptAgree(KeyAgreeRecipientInfo keyAgreeRecipientInfo, SafeProvOrNCryptKeyHandle hKey, CryptKeySpec keySpec, X509Certificate2Collection originatorCerts, X509Certificate2Collection extraStore)
{
unsafe
{
KeyAgreeRecipientInfoPalWindows pal = (KeyAgreeRecipientInfoPalWindows)(keyAgreeRecipientInfo.Pal);
return pal.WithCmsgCmsRecipientInfo<Exception>(
delegate (CMSG_KEY_AGREE_RECIPIENT_INFO* pKeyAgreeRecipientInfo)
{
CMSG_CTRL_KEY_AGREE_DECRYPT_PARA decryptPara = default(CMSG_CTRL_KEY_AGREE_DECRYPT_PARA);
decryptPara.cbSize = Marshal.SizeOf<CMSG_CTRL_KEY_AGREE_DECRYPT_PARA>();
decryptPara.hProv = hKey;
decryptPara.dwKeySpec = keySpec;
decryptPara.pKeyAgree = pKeyAgreeRecipientInfo;
decryptPara.dwRecipientIndex = pal.Index;
decryptPara.dwRecipientEncryptedKeyIndex = pal.SubIndex;
CMsgKeyAgreeOriginatorChoice originatorChoice = pKeyAgreeRecipientInfo->dwOriginatorChoice;
switch (originatorChoice)
{
case CMsgKeyAgreeOriginatorChoice.CMSG_KEY_AGREE_ORIGINATOR_CERT:
{
X509Certificate2Collection candidateCerts = new X509Certificate2Collection();
candidateCerts.AddRange(Helpers.GetStoreCertificates(StoreName.AddressBook, StoreLocation.CurrentUser, openExistingOnly: true));
candidateCerts.AddRange(Helpers.GetStoreCertificates(StoreName.AddressBook, StoreLocation.LocalMachine, openExistingOnly: true));
candidateCerts.AddRange(originatorCerts);
candidateCerts.AddRange(extraStore);
SubjectIdentifier originatorId = pKeyAgreeRecipientInfo->OriginatorCertId.ToSubjectIdentifier();
using (X509Certificate2 originatorCert = candidateCerts.TryFindMatchingCertificate(originatorId))
{
if (originatorCert == null)
return ErrorCode.CRYPT_E_NOT_FOUND.ToCryptographicException();
using (SafeCertContextHandle hCertContext = originatorCert.CreateCertContextHandle())
{
CERT_CONTEXT* pOriginatorCertContext = hCertContext.DangerousGetCertContext();
decryptPara.OriginatorPublicKey = pOriginatorCertContext->pCertInfo->SubjectPublicKeyInfo.PublicKey;
// Do not factor this call out of the switch statement as leaving this "using" block will free up
// native memory that decryptPara points to.
return TryExecuteDecryptAgree(ref decryptPara);
}
}
}
case CMsgKeyAgreeOriginatorChoice.CMSG_KEY_AGREE_ORIGINATOR_PUBLIC_KEY:
{
decryptPara.OriginatorPublicKey = pKeyAgreeRecipientInfo->OriginatorPublicKeyInfo.PublicKey;
return TryExecuteDecryptAgree(ref decryptPara);
}
default:
return new CryptographicException(SR.Format(SR.Cryptography_Cms_Invalid_Originator_Identifier_Choice, originatorChoice));
}
});
}
}
private void DecryptContent(RecipientInfoCollection recipientInfos, X509Certificate2Collection extraStore)
{
switch (_lastCall)
{
case LastCall.Ctor:
throw new InvalidOperationException(SR.Cryptography_Cms_MessageNotEncrypted);
case LastCall.Encrypt:
throw PkcsPal.Instance.CreateDecryptAfterEncryptException();
case LastCall.Decrypt:
throw PkcsPal.Instance.CreateDecryptTwiceException();
case LastCall.Decode:
break; // This is the expected state.
default:
Debug.Fail($"Unexpected _lastCall value: {_lastCall}");
throw new InvalidOperationException();
}
extraStore = extraStore ?? new X509Certificate2Collection();
X509Certificate2Collection certs = new X509Certificate2Collection();
PkcsPal.Instance.AddCertsFromStoreForDecryption(certs);
certs.AddRange(extraStore);
X509Certificate2Collection originatorCerts = Certificates;
ContentInfo newContentInfo = null;
Exception exception = PkcsPal.Instance.CreateRecipientsNotFoundException();
foreach (RecipientInfo recipientInfo in recipientInfos)
{
X509Certificate2 cert = certs.TryFindMatchingCertificate(recipientInfo.RecipientIdentifier);
if (cert == null)
{
exception = PkcsPal.Instance.CreateRecipientsNotFoundException();
continue;
}
newContentInfo = _decryptorPal.TryDecrypt(recipientInfo, cert, originatorCerts, extraStore, out exception);
if (exception != null)
continue;
break;
}
if (exception != null)
throw exception;
ContentInfo = newContentInfo;
// Desktop compat: Encode() after a Decrypt() returns you the same thing that ContentInfo.Content does.
_encodedMessage = newContentInfo.Content.CloneByteArray();
_lastCall = LastCall.Decrypt;
}
