private static void CheckOracleSecretBag(
Pkcs12SafeBag safeBag,
string key,
string value,
string keyId)
{
Pkcs12SecretBag secretBag = Assert.IsType <Pkcs12SecretBag>(safeBag);
Assert.Equal("1.2.840.113549.1.16.12.12", secretBag.GetSecretType().Value);
Assert.Equal(
MakeOracleKeyValuePairHex(key, value),
secretBag.SecretValue.ByteArrayToHex());
CryptographicAttributeObjectCollection attrs = secretBag.Attributes;
Assert.Equal(1, attrs.Count);
CryptographicAttributeObject firstAttr = attrs[0];
Assert.Equal(Oids.LocalKeyId, firstAttr.Oid.Value);
Assert.Equal(1, firstAttr.Values.Count);
Pkcs9LocalKeyId localKeyId = Assert.IsType <Pkcs9LocalKeyId>(firstAttr.Values[0]);
Assert.Equal(keyId, localKeyId.KeyId.ByteArrayToHex());
}
public static void KeyIdFromRawData(string inputHex, string expectedHex)
{
var attr = new Pkcs9AttributeObject(Oids.LocalKeyId, inputHex.HexToByteArray());
Pkcs9LocalKeyId localKeyId = new Pkcs9LocalKeyId();
localKeyId.CopyFrom(attr);
Assert.Equal(expectedHex, localKeyId.KeyId.ByteArrayToHex());
}
public static void KeyIdFromInvalidData(string invalidHex)
{
var attr = new Pkcs9AttributeObject(Oids.LocalKeyId, invalidHex.HexToByteArray());
Pkcs9LocalKeyId localKeyId = new Pkcs9LocalKeyId();
localKeyId.CopyFrom(attr);
Assert.ThrowsAny <CryptographicException>(() => localKeyId.KeyId);
}
public static void WriteOneCertWithKey_LikeWindows()
{
Pkcs12SafeContents safe1 = new Pkcs12SafeContents();
Pkcs12SafeContents safe2 = new Pkcs12SafeContents();
byte[] rawData;
Pkcs9LocalKeyId localKeyId = new Pkcs9LocalKeyId(new byte[] { 1 });
const string password = nameof(WriteOneCertWithKey_LikeWindows);
using (X509Certificate2 cert = Certificates.RSAKeyTransferCapi1.TryGetCertificateWithPrivateKey(true))
{
Pkcs12CertBag certBag = safe1.AddCertificate(cert);
certBag.Attributes.Add(localKeyId);
rawData = cert.RawData;
Pkcs12ShroudedKeyBag keyBag;
using (RSA rsa = cert.GetRSAPrivateKey())
{
keyBag = safe2.AddShroudedKey(
rsa,
password,
s_win7Pbe);
}
keyBag.Attributes.Add(localKeyId);
}
Pkcs12Builder builder = new Pkcs12Builder();
builder.AddSafeContentsEncrypted(
safe1,
password,
s_win7Pbe);
builder.AddSafeContentsUnencrypted(safe2);
builder.SealWithMac(password, HashAlgorithmName.SHA1, 2068);
byte[] pfx = builder.Encode();
ImportedCollection coll =
ImportedCollection.Import(pfx, password, X509KeyStorageFlags.EphemeralKeySet);
using (coll)
{
Assert.Equal(1, coll.Collection.Count);
Assert.Equal(rawData, coll.Collection[0].RawData);
Assert.True(coll.Collection[0].HasPrivateKey, "coll.Collection[0].HasPrivateKey");
}
}
public static void KeyIdCtorAcceptsEmpty()
{
Pkcs9LocalKeyId localKeyId = new Pkcs9LocalKeyId(ReadOnlySpan <byte> .Empty);
Assert.Equal(0, localKeyId.KeyId.Length);
Oid oid = localKeyId.Oid;
Assert.NotNull(oid);
Assert.Equal(Oids.LocalKeyId, oid.Value);
Assert.Equal("0400", localKeyId.RawData.ByteArrayToHex());
}
public static void DefaultCtor()
{
Pkcs9LocalKeyId localKeyId = new Pkcs9LocalKeyId();
Assert.Equal(0, localKeyId.KeyId.Length);
Oid oid = localKeyId.Oid;
Assert.NotNull(oid);
Assert.Equal(Oids.LocalKeyId, oid.Value);
Assert.Null(localKeyId.RawData);
}
public static void DefaultCtor()
{
Pkcs9LocalKeyId localKeyId = new Pkcs9LocalKeyId();
Assert.Throws <CryptographicException>(() => localKeyId.KeyId);
Oid oid = localKeyId.Oid;
Assert.NotNull(oid);
Assert.Equal(Oids.LocalKeyId, oid.Value);
Assert.Empty(localKeyId.RawData);
}
public void CertAndKeyTwice(bool addLocalKeyId, bool crossIdentifiers)
{
string pw = nameof(CertAndKeyTwice);
using (var cert = new X509Certificate2(TestData.PfxData, TestData.PfxDataPassword, s_exportableImportFlags))
using (RSA key = cert.GetRSAPrivateKey())
{
Pkcs12Builder builder = new Pkcs12Builder();
Pkcs12SafeContents keyContents = new Pkcs12SafeContents();
Pkcs12SafeContents certContents = new Pkcs12SafeContents();
Pkcs12SafeBag key1 = keyContents.AddShroudedKey(key, pw, s_windowsPbe);
Pkcs12SafeBag key2 = keyContents.AddShroudedKey(key, pw, s_windowsPbe);
Pkcs12SafeBag cert1 = certContents.AddCertificate(cert);
Pkcs12SafeBag cert2 = certContents.AddCertificate(cert);
if (addLocalKeyId)
{
(crossIdentifiers ? key2 : key1).Attributes.Add(s_keyIdOne);
cert1.Attributes.Add(s_keyIdOne);
Pkcs9LocalKeyId id2 = new Pkcs9LocalKeyId(cert.GetCertHash());
(crossIdentifiers ? key1 : key2).Attributes.Add(id2);
cert2.Attributes.Add(id2);
}
AddContents(keyContents, builder, pw, encrypt: false);
AddContents(certContents, builder, pw, encrypt: true);
builder.SealWithMac(pw, s_digestAlgorithm, MacCount);
byte[] pfxBytes = builder.Encode();
if (addLocalKeyId)
{
ReadMultiPfx(
pfxBytes,
pw,
cert,
new[] { cert, cert },
CheckKeyConsistency);
}
else
{
ReadUnreadablePfx(
pfxBytes,
pw,
// NTE_BAD_DATA
-2146893819);
}
}
}
public static void KeyIdCtorPreservesValue()
{
byte[] keyId = { 2, 3, 5, 7, 11, 13, 17, 19, 23 };
string keyIdHex = keyId.ByteArrayToHex();
Pkcs9LocalKeyId localKeyId = new Pkcs9LocalKeyId(keyId);
Assert.Equal(keyIdHex, localKeyId.KeyId.ByteArrayToHex());
Oid oid = localKeyId.Oid;
Assert.NotNull(oid);
Assert.Equal(Oids.LocalKeyId, oid.Value);
Assert.Equal(
$"04{keyId.Length:X2}{keyIdHex}",
localKeyId.RawData.ByteArrayToHex());
}
public static void WriteOneCertWithKey_Encrypted_SameSafe()
{
Pkcs12SafeContents contents = new Pkcs12SafeContents();
byte[] rawData;
Pkcs9LocalKeyId localKeyId = new Pkcs9LocalKeyId(new byte[] { 1 });
using (X509Certificate2 cert = Certificates.RSAKeyTransferCapi1.TryGetCertificateWithPrivateKey(true))
using (RSA certKey = cert.GetRSAPrivateKey())
using (RSA exportableKey = certKey.MakeExportable())
{
Pkcs12CertBag certBag = contents.AddCertificate(cert);
certBag.Attributes.Add(localKeyId);
rawData = cert.RawData;
Pkcs12KeyBag keyBag = contents.AddKeyUnencrypted(exportableKey);
keyBag.Attributes.Add(localKeyId);
}
const string password = nameof(WriteOneCertWithKey_Encrypted_SameSafe);
Pkcs12Builder builder = new Pkcs12Builder();
builder.AddSafeContentsEncrypted(
contents,
password,
s_win7Pbe);
builder.SealWithMac(password, HashAlgorithmName.SHA1, 1024);
byte[] pfx = builder.Encode();
ImportedCollection coll =
ImportedCollection.Import(pfx, password, X509KeyStorageFlags.EphemeralKeySet);
using (coll)
{
Assert.Equal(1, coll.Collection.Count);
Assert.Equal(rawData, coll.Collection[0].RawData);
Assert.True(coll.Collection[0].HasPrivateKey, "coll.Collection[0].HasPrivateKey");
}
}
public void CertAndKeyTwice_KeysUntagged()
{
string pw = nameof(CertAndKeyTwice);
using (var cert = new X509Certificate2(TestData.PfxData, TestData.PfxDataPassword, s_exportableImportFlags))
using (RSA key = cert.GetRSAPrivateKey())
{
Pkcs12Builder builder = new Pkcs12Builder();
Pkcs12SafeContents keyContents = new Pkcs12SafeContents();
Pkcs12SafeContents certContents = new Pkcs12SafeContents();
Pkcs12SafeBag key1 = keyContents.AddShroudedKey(key, pw, s_windowsPbe);
Pkcs12SafeBag key2 = keyContents.AddShroudedKey(key, pw, s_windowsPbe);
Pkcs12SafeBag cert1 = certContents.AddCertificate(cert);
Pkcs12SafeBag cert2 = certContents.AddCertificate(cert);
Pkcs9LocalKeyId id2 = new Pkcs9LocalKeyId(cert.GetCertHash());
Pkcs9LocalKeyId id3 = new Pkcs9LocalKeyId(BitConverter.GetBytes(3));
Pkcs9LocalKeyId id4 = new Pkcs9LocalKeyId(BitConverter.GetBytes(4));
cert1.Attributes.Add(s_keyIdOne);
cert2.Attributes.Add(id2);
key1.Attributes.Add(id3);
key2.Attributes.Add(id4);
AddContents(keyContents, builder, pw, encrypt: false);
AddContents(certContents, builder, pw, encrypt: true);
builder.SealWithMac(pw, s_digestAlgorithm, MacCount);
byte[] pfxBytes = builder.Encode();
ReadUnreadablePfx(
pfxBytes,
pw,
// NTE_BAD_DATA
-2146893819);
}
}
public static void ReadIndefiniteEncodingNoMac(int trailingByteCount)
{
ReadOnlyMemory <byte> source = PadContents(Pkcs12Documents.IndefiniteEncodingNoMac, trailingByteCount);
Pkcs12Info info = Pkcs12Info.Decode(
source,
out int bytesRead,
skipCopy: true);
Assert.Equal(Pkcs12Documents.IndefiniteEncodingNoMac.Length, bytesRead);
Assert.Equal(Pkcs12IntegrityMode.None, info.IntegrityMode);
ReadOnlyCollection <Pkcs12SafeContents> safes = info.AuthenticatedSafe;
Assert.Equal(2, safes.Count);
Pkcs12SafeContents firstSafe = safes[0];
Pkcs12SafeContents secondSafe = safes[1];
Assert.Equal(Pkcs12ConfidentialityMode.None, firstSafe.ConfidentialityMode);
Assert.Equal(Pkcs12ConfidentialityMode.None, secondSafe.ConfidentialityMode);
Assert.True(firstSafe.IsReadOnly, "firstSafe.IsReadOnly");
Assert.True(secondSafe.IsReadOnly, "secondSafe.IsReadOnly");
Pkcs12SafeBag[] firstContents = firstSafe.GetBags().ToArray();
Pkcs12SafeBag[] secondContents = secondSafe.GetBags().ToArray();
Assert.Equal(1, firstContents.Length);
Assert.Equal(1, secondContents.Length);
Pkcs12KeyBag keyBag = Assert.IsType <Pkcs12KeyBag>(firstContents[0]);
Pkcs12CertBag certBag = Assert.IsType <Pkcs12CertBag>(secondContents[0]);
CryptographicAttributeObjectCollection keyBagAttrs = keyBag.Attributes;
CryptographicAttributeObjectCollection certBagAttrs = certBag.Attributes;
Assert.Equal(2, keyBagAttrs.Count);
Assert.Equal(2, certBagAttrs.Count);
Assert.Equal(Oids.FriendlyName, keyBagAttrs[0].Oid.Value);
Assert.Equal(1, keyBagAttrs[0].Values.Count);
Assert.Equal(Oids.LocalKeyId, keyBagAttrs[1].Oid.Value);
Assert.Equal(1, keyBagAttrs[1].Values.Count);
Pkcs9AttributeObject keyFriendlyName =
Assert.IsAssignableFrom <Pkcs9AttributeObject>(keyBagAttrs[0].Values[0]);
Pkcs9LocalKeyId keyKeyId = Assert.IsType <Pkcs9LocalKeyId>(keyBagAttrs[1].Values[0]);
Assert.Equal(Oids.FriendlyName, certBagAttrs[0].Oid.Value);
Assert.Equal(1, certBagAttrs[0].Values.Count);
Assert.Equal(Oids.LocalKeyId, certBagAttrs[1].Oid.Value);
Assert.Equal(1, certBagAttrs[1].Values.Count);
Pkcs9AttributeObject certFriendlyName =
Assert.IsAssignableFrom <Pkcs9AttributeObject>(certBagAttrs[0].Values[0]);
Pkcs9LocalKeyId certKeyId = Assert.IsType <Pkcs9LocalKeyId>(certBagAttrs[1].Values[0]);
// This PFX gave a friendlyName value of "cert" to both the key and the cert.
Assert.Equal("1E080063006500720074", keyFriendlyName.RawData.ByteArrayToHex());
Assert.Equal(keyFriendlyName.RawData, certFriendlyName.RawData);
// The private key (KeyBag) and the public key (CertBag) are matched from their keyId value.
Assert.Equal("0414EDF3D122CF623CF0CFC9CD226261E8415A83E630", keyKeyId.RawData.ByteArrayToHex());
Assert.Equal("EDF3D122CF623CF0CFC9CD226261E8415A83E630", keyKeyId.KeyId.ByteArrayToHex());
Assert.Equal(keyKeyId.RawData, certKeyId.RawData);
using (X509Certificate2 cert = certBag.GetCertificate())
using (RSA privateKey = RSA.Create())
using (RSA publicKey = cert.GetRSAPublicKey())
{
privateKey.ImportPkcs8PrivateKey(keyBag.Pkcs8PrivateKey.Span, out _);
Assert.Equal(
publicKey.ExportSubjectPublicKeyInfo().ByteArrayToHex(),
privateKey.ExportSubjectPublicKeyInfo().ByteArrayToHex());
}
}
public static void Test1()
{
var loader = (CertLoaderFromRawData)Certificates.RSAKeyTransferCapi1;
ReadOnlyMemory <byte> pfxData = loader.PfxData;
Pkcs12Info info = Pkcs12Info.Decode(pfxData, out int bytesConsumed);
Assert.Equal(pfxData.Length, bytesConsumed);
Assert.Equal(Pkcs12IntegrityMode.Password, info.IntegrityMode);
CheckMac(info, loader.Password);
ReadOnlyCollection <Pkcs12SafeContents> authSafe = info.AuthenticatedSafe;
Assert.Same(authSafe, info.AuthenticatedSafe);
Assert.Equal(2, authSafe.Count);
Assert.Equal(Pkcs12ConfidentialityMode.None, authSafe[0].ConfidentialityMode);
Assert.Equal(Pkcs12ConfidentialityMode.None, authSafe[1].ConfidentialityMode);
List <Pkcs12SafeBag> safe0Bags = new List <Pkcs12SafeBag>(authSafe[0].GetBags());
Assert.Equal(1, safe0Bags.Count);
Pkcs12ShroudedKeyBag shroudedKeyBag = Assert.IsType <Pkcs12ShroudedKeyBag>(safe0Bags[0]);
CryptographicAttributeObjectCollection keyBagAttrs = shroudedKeyBag.Attributes;
Assert.Same(keyBagAttrs, shroudedKeyBag.Attributes);
Assert.Equal(2, keyBagAttrs.Count);
Assert.Equal(Oids.LocalKeyId, keyBagAttrs[0].Oid.Value);
Assert.Equal(1, keyBagAttrs[0].Values.Count);
Pkcs9LocalKeyId keyKeyId = Assert.IsType <Pkcs9LocalKeyId>(keyBagAttrs[0].Values[0]);
Assert.Equal("1.3.6.1.4.1.311.17.1", keyBagAttrs[1].Oid.Value);
Assert.Equal(1, keyBagAttrs[1].Values.Count);
Pkcs9AttributeObject cspNameAttr = Assert.IsType <Pkcs9AttributeObject>(keyBagAttrs[1].Values[0]);
byte[] cspNameBytes = Encoding.BigEndianUnicode.GetBytes("Microsoft Strong Cryptographic Provider");
Assert.Equal(
$"1E{cspNameBytes.Length:X2}{cspNameBytes.ByteArrayToHex()}",
cspNameAttr.RawData.ByteArrayToHex());
List <Pkcs12SafeBag> safe1Bags = new List <Pkcs12SafeBag>(authSafe[1].GetBags());
Assert.Equal(1, safe0Bags.Count);
Assert.IsType <Pkcs12CertBag>(safe1Bags[0]);
Pkcs12CertBag certBag = (Pkcs12CertBag)safe1Bags[0];
Assert.True(certBag.IsX509Certificate, "certBag.IsX509Certificate");
Assert.InRange(certBag.EncodedCertificate.Length, loader.CerData.Length + 2, int.MaxValue);
CryptographicAttributeObjectCollection certBagAttrs = certBag.Attributes;
Assert.Same(certBagAttrs, certBag.Attributes);
Assert.Equal(1, certBagAttrs.Count);
Assert.Equal(Oids.LocalKeyId, certBagAttrs[0].Oid.Value);
Assert.Equal(1, certBagAttrs[0].Values.Count);
Pkcs9LocalKeyId certKeyId = Assert.IsType <Pkcs9LocalKeyId>(certBagAttrs[0].Values[0]);
Assert.Equal(keyKeyId.KeyId.ByteArrayToHex(), certKeyId.KeyId.ByteArrayToHex());
byte[] data = { 9, 8, 7, 6, 5, 4, 3, 2, 1 };
byte[] encrypted;
using (X509Certificate2 fromLoader = loader.GetCertificate())
using (X509Certificate2 fromBag = certBag.GetCertificate())
using (RSA loaderPub = fromLoader.GetRSAPublicKey())
{
Assert.Equal(fromLoader.RawData, fromBag.RawData);
encrypted = loaderPub.Encrypt(data, RSAEncryptionPadding.OaepSHA1);
}
int bytesRead;
using (RSA rsa = RSA.Create())
{
rsa.ImportEncryptedPkcs8PrivateKey(
loader.Password,
shroudedKeyBag.EncryptedPkcs8PrivateKey.Span,
out bytesRead);
byte[] dec = rsa.Decrypt(encrypted, RSAEncryptionPadding.OaepSHA1);
Assert.Equal(data, dec);
}
Assert.Equal(shroudedKeyBag.EncryptedPkcs8PrivateKey.Length, bytesRead);
}
public void TwoCerts_TwoKeys_ManySafeContentsValues(bool invertCertOrder, bool invertKeyOrder)
{
string pw = nameof(TwoCerts_TwoKeys_ManySafeContentsValues);
using (ImportedCollection ic = Cert.Import(TestData.MultiPrivateKeyPfx, null, s_exportableImportFlags))
{
X509Certificate2Collection certs = ic.Collection;
X509Certificate2 first = certs[0];
X509Certificate2 second = certs[1];
if (invertCertOrder)
{
X509Certificate2 tmp = first;
first = second;
second = tmp;
}
using (AsymmetricAlgorithm firstKey = first.GetRSAPrivateKey())
using (AsymmetricAlgorithm secondKey = second.GetRSAPrivateKey())
{
AsymmetricAlgorithm firstAdd = firstKey;
AsymmetricAlgorithm secondAdd = secondKey;
if (invertKeyOrder != invertCertOrder)
{
AsymmetricAlgorithm tmp = firstKey;
firstAdd = secondAdd;
secondAdd = tmp;
}
Pkcs12Builder builder = new Pkcs12Builder();
Pkcs12SafeContents firstKeyContents = new Pkcs12SafeContents();
Pkcs12SafeContents secondKeyContents = new Pkcs12SafeContents();
Pkcs12SafeContents firstCertContents = new Pkcs12SafeContents();
Pkcs12SafeContents secondCertContents = new Pkcs12SafeContents();
Pkcs12SafeContents irrelevant = new Pkcs12SafeContents();
irrelevant.AddSecret(new Oid("0.0"), new byte[] { 0x05, 0x00 });
Pkcs12SafeBag firstAddedKeyBag = firstKeyContents.AddShroudedKey(firstAdd, pw, s_windowsPbe);
Pkcs12SafeBag secondAddedKeyBag = secondKeyContents.AddShroudedKey(secondAdd, pw, s_windowsPbe);
Pkcs12SafeBag firstCertBag = firstCertContents.AddCertificate(first);
Pkcs12SafeBag secondCertBag = secondCertContents.AddCertificate(second);
Pkcs12SafeBag firstKeyBag = firstAddedKeyBag;
Pkcs12SafeBag secondKeyBag = secondAddedKeyBag;
if (invertKeyOrder != invertCertOrder)
{
Pkcs12SafeBag tmp = firstKeyBag;
firstKeyBag = secondKeyBag;
secondKeyBag = tmp;
}
firstCertBag.Attributes.Add(s_keyIdOne);
firstKeyBag.Attributes.Add(s_keyIdOne);
Pkcs9LocalKeyId secondKeyId = new Pkcs9LocalKeyId(second.GetCertHash());
secondCertBag.Attributes.Add(secondKeyId);
secondKeyBag.Attributes.Add(secondKeyId);
// 2C, 1K, 1C, 2K
// With some non-participating contents values sprinkled in for good measure.
AddContents(irrelevant, builder, pw, encrypt: true);
AddContents(secondCertContents, builder, pw, encrypt: true);
AddContents(irrelevant, builder, pw, encrypt: false);
AddContents(firstKeyContents, builder, pw, encrypt: false);
AddContents(firstCertContents, builder, pw, encrypt: true);
AddContents(irrelevant, builder, pw, encrypt: false);
AddContents(secondKeyContents, builder, pw, encrypt: true);
AddContents(irrelevant, builder, pw, encrypt: true);
builder.SealWithMac(pw, s_digestAlgorithm, MacCount);
byte[] pfxBytes = builder.Encode();
X509Certificate2[] expectedOrder = { first, second };
Action <X509Certificate2> followup = CheckKeyConsistency;
// For unknown reasons, CheckKeyConsistency on this test fails
// on Windows 7 with an Access Denied in all variations for
// Collections, and in invertCertOrder: true for Single.
//
// Obviously this hit some sort of weird corner case in the Win7
// loader, but it's not important to the test.
if (OperatingSystem.IsWindows() &&
!PlatformDetection.IsWindows8xOrLater)
{
followup = null;
}
ReadMultiPfx(
pfxBytes,
pw,
first,
expectedOrder,
followup);
}
}
}
