2 // X509CertificateImplBtls.cs
5 // Martin Baulig <martin.baulig@xamarin.com>
7 // Copyright (c) 2016 Xamarin Inc. (http://www.xamarin.com)
9 // Permission is hereby granted, free of charge, to any person obtaining a copy
10 // of this software and associated documentation files (the "Software"), to deal
11 // in the Software without restriction, including without limitation the rights
12 // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
13 // copies of the Software, and to permit persons to whom the Software is
14 // furnished to do so, subject to the following conditions:
16 // The above copyright notice and this permission notice shall be included in
17 // all copies or substantial portions of the Software.
19 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
20 // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
21 // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
22 // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
23 // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
24 // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
26 #if SECURITY_DEP && MONO_FEATURE_BTLS
27 #if MONO_SECURITY_ALIAS
28 extern alias MonoSecurity;
31 #if MONO_SECURITY_ALIAS
32 using MX = MonoSecurity::Mono.Security.X509;
34 using MX = Mono.Security.X509;
39 using System.Collections;
40 using System.Security;
41 using System.Security.Cryptography;
42 using System.Security.Cryptography.X509Certificates;
43 using Mono.Security.Cryptography;
47 class X509CertificateImplBtls : X509Certificate2Impl
50 MonoBtlsKey nativePrivateKey;
51 X500DistinguishedName subjectName;
52 X500DistinguishedName issuerName;
53 X509CertificateImplCollection intermediateCerts;
56 bool disallowFallback;
58 internal X509CertificateImplBtls (bool disallowFallback = false)
60 this.disallowFallback = disallowFallback;
63 internal X509CertificateImplBtls (MonoBtlsX509 x509, bool disallowFallback = false)
65 this.disallowFallback = disallowFallback;
66 this.x509 = x509.Copy ();
69 X509CertificateImplBtls (X509CertificateImplBtls other)
71 disallowFallback = other.disallowFallback;
72 x509 = other.x509 != null ? other.x509.Copy () : null;
73 nativePrivateKey = other.nativePrivateKey != null ? other.nativePrivateKey.Copy () : null;
74 fallback = other.fallback != null ? (X509Certificate2Impl)other.fallback.Clone () : null;
75 if (other.intermediateCerts != null)
76 intermediateCerts = other.intermediateCerts.Clone ();
79 internal X509CertificateImplBtls (byte[] data, MonoBtlsX509Format format, bool disallowFallback = false)
81 this.disallowFallback = disallowFallback;
82 x509 = MonoBtlsX509.LoadFromData (data, format);
85 public override bool IsValid {
86 get { return x509 != null && x509.IsValid; }
89 public override IntPtr Handle {
90 get { return x509.Handle.DangerousGetHandle (); }
93 public override IntPtr GetNativeAppleCertificate ()
98 internal MonoBtlsX509 X509 {
100 ThrowIfContextInvalid ();
105 internal MonoBtlsKey NativePrivateKey {
107 ThrowIfContextInvalid ();
108 if (nativePrivateKey == null && FallbackImpl.HasPrivateKey) {
109 var key = FallbackImpl.PrivateKey as RSA;
111 throw new NotSupportedException ("Currently only supports RSA private keys.");
112 nativePrivateKey = MonoBtlsKey.CreateFromRSAPrivateKey (key);
114 return nativePrivateKey;
118 public override X509CertificateImpl Clone ()
120 ThrowIfContextInvalid ();
121 return new X509CertificateImplBtls (this);
124 public override bool Equals (X509CertificateImpl other, out bool result)
126 var otherBoringImpl = other as X509CertificateImplBtls;
127 if (otherBoringImpl == null) {
132 result = MonoBtlsX509.Compare (X509, otherBoringImpl.X509) == 0;
136 protected override byte[] GetCertHash (bool lazy)
138 return X509.GetCertHash ();
141 public override byte[] GetRawCertData ()
143 return X509.GetRawData (MonoBtlsX509Format.DER);
146 public override string GetSubjectName (bool legacyV1Mode)
149 return SubjectName.Decode (X500DistinguishedNameFlags.None);
150 return SubjectName.Name;
153 public override string GetIssuerName (bool legacyV1Mode)
156 return IssuerName.Decode (X500DistinguishedNameFlags.None);
157 return IssuerName.Name;
160 public override DateTime GetValidFrom ()
162 return X509.GetNotBefore ().ToLocalTime ();
165 public override DateTime GetValidUntil ()
167 return X509.GetNotAfter ().ToLocalTime ();
170 public override byte[] GetPublicKey ()
172 return X509.GetPublicKeyData ();
175 public override byte[] GetSerialNumber ()
177 return X509.GetSerialNumber (true);
180 public override string GetKeyAlgorithm ()
182 return PublicKey.Oid.Value;
185 public override byte[] GetKeyAlgorithmParameters ()
187 return PublicKey.EncodedParameters.RawData;
190 public override byte[] Export (X509ContentType contentType, byte[] password)
192 ThrowIfContextInvalid ();
194 switch (contentType) {
195 case X509ContentType.Cert:
196 return GetRawCertData ();
197 case X509ContentType.Pfx: // this includes Pkcs12
199 throw new NotSupportedException ();
200 case X509ContentType.SerializedCert:
202 throw new NotSupportedException ();
204 string msg = Locale.GetText ("This certificate format '{0}' cannot be exported.", contentType);
205 throw new CryptographicException (msg);
209 internal override X509CertificateImplCollection IntermediateCertificates {
210 get { return intermediateCerts; }
213 public override string ToString (bool full)
215 ThrowIfContextInvalid ();
218 var summary = GetSubjectName (false);
219 return string.Format ("[X509Certificate: {0}]", summary);
222 string nl = Environment.NewLine;
223 StringBuilder sb = new StringBuilder ();
224 sb.AppendFormat ("[Subject]{0} {1}{0}{0}", nl, GetSubjectName (false));
226 sb.AppendFormat ("[Issuer]{0} {1}{0}{0}", nl, GetIssuerName (false));
227 sb.AppendFormat ("[Not Before]{0} {1}{0}{0}", nl, GetValidFrom ().ToLocalTime ());
228 sb.AppendFormat ("[Not After]{0} {1}{0}{0}", nl, GetValidUntil ().ToLocalTime ());
229 sb.AppendFormat ("[Thumbprint]{0} {1}{0}", nl, X509Helper.ToHexString (GetCertHash ()));
232 return sb.ToString ();
235 protected override void Dispose (bool disposing)
243 #region X509Certificate2Impl
245 X509Certificate2Impl fallback;
249 if (disallowFallback)
250 throw new InvalidOperationException ();
251 if (fallback != null)
253 fallback = X509Helper2.Import (GetRawCertData (), null, X509KeyStorageFlags.DefaultKeySet, true);
256 internal override X509Certificate2Impl FallbackImpl {
264 public override bool Archived {
266 ThrowIfContextInvalid ();
270 ThrowIfContextInvalid ();
275 public override X509ExtensionCollection Extensions {
276 get { return FallbackImpl.Extensions; }
279 public override bool HasPrivateKey {
280 get { return nativePrivateKey != null || FallbackImpl.HasPrivateKey; }
283 public override X500DistinguishedName IssuerName {
285 ThrowIfContextInvalid ();
286 if (issuerName == null) {
287 using (var xname = x509.GetIssuerName ()) {
288 var encoding = xname.GetRawData (false);
289 var canonEncoding = xname.GetRawData (true);
290 var name = MonoBtlsUtils.FormatName (xname, true, ", ", true);
291 issuerName = new X500DistinguishedName (encoding, canonEncoding, name);
298 public override AsymmetricAlgorithm PrivateKey {
300 if (nativePrivateKey == null || !nativePrivateKey.IsRsa)
301 return FallbackImpl.PrivateKey;
302 var bytes = nativePrivateKey.GetBytes (true);
303 return PKCS8.PrivateKeyInfo.DecodeRSA (bytes);
306 if (nativePrivateKey != null)
307 nativePrivateKey.Dispose ();
308 nativePrivateKey = null;
309 FallbackImpl.PrivateKey = value;
313 public override PublicKey PublicKey {
315 ThrowIfContextInvalid ();
316 if (publicKey == null) {
317 var keyAsn = X509.GetPublicKeyAsn1 ();
318 var keyParamAsn = X509.GetPublicKeyParameters ();
319 publicKey = new PublicKey (keyAsn.Oid, keyParamAsn, keyAsn);
325 public override Oid SignatureAlgorithm {
327 ThrowIfContextInvalid ();
328 return X509.GetSignatureAlgorithm ();
332 public override X500DistinguishedName SubjectName {
334 ThrowIfContextInvalid ();
335 if (subjectName == null) {
336 using (var xname = x509.GetSubjectName ()) {
337 var encoding = xname.GetRawData (false);
338 var canonEncoding = xname.GetRawData (true);
339 var name = MonoBtlsUtils.FormatName (xname, true, ", ", true);
340 subjectName = new X500DistinguishedName (encoding, canonEncoding, name);
347 public override int Version {
348 get { return X509.GetVersion (); }
351 public override string GetNameInfo (X509NameType nameType, bool forIssuer)
353 return FallbackImpl.GetNameInfo (nameType, forIssuer);
356 public override void Import (byte[] data, string password, X509KeyStorageFlags keyStorageFlags)
359 if (password == null) {
362 } catch (Exception e) {
364 ImportPkcs12 (data, null);
366 string msg = Locale.GetText ("Unable to decode certificate.");
367 // inner exception is the original (not second) exception
368 throw new CryptographicException (msg, e);
374 ImportPkcs12 (data, password);
375 } catch (Exception e) {
377 // it's possible to supply a (unrequired/unusued) password
381 string msg = Locale.GetText ("Unable to decode certificate.");
382 // inner exception is the original (not second) exception
383 throw new CryptographicException (msg, e);
389 void Import (byte[] data)
392 // Does it look like PEM?
393 if ((data.Length > 0) && (data [0] != 0x30))
394 x509 = MonoBtlsX509.LoadFromData (data, MonoBtlsX509Format.PEM);
396 x509 = MonoBtlsX509.LoadFromData (data, MonoBtlsX509Format.DER);
400 void ImportPkcs12 (byte[] data, string password)
402 using (var pkcs12 = new MonoBtlsPkcs12 ()) {
403 if (string.IsNullOrEmpty (password)) {
405 // Support both unencrypted PKCS#12..
406 pkcs12.Import (data, null);
408 // ..and PKCS#12 encrypted with an empty password
409 pkcs12.Import (data, string.Empty);
412 pkcs12.Import (data, password);
415 x509 = pkcs12.GetCertificate (0);
416 if (pkcs12.HasPrivateKey)
417 nativePrivateKey = pkcs12.GetPrivateKey ();
418 if (pkcs12.Count > 1) {
419 intermediateCerts = new X509CertificateImplCollection ();
420 for (int i = 0; i < pkcs12.Count; i++) {
421 using (var ic = pkcs12.GetCertificate (i)) {
422 if (MonoBtlsX509.Compare (ic, x509) == 0)
424 var impl = new X509CertificateImplBtls (ic, true);
425 intermediateCerts.Add (impl, true);
432 public override byte[] Export (X509ContentType contentType, string password)
434 ThrowIfContextInvalid ();
436 switch (contentType) {
437 case X509ContentType.Cert:
438 return GetRawCertData ();
439 case X509ContentType.Pfx: // this includes Pkcs12
440 return ExportPkcs12 (password);
441 case X509ContentType.SerializedCert:
443 throw new NotSupportedException ();
445 string msg = Locale.GetText ("This certificate format '{0}' cannot be exported.", contentType);
446 throw new CryptographicException (msg);
450 byte[] ExportPkcs12 (string password)
452 var pfx = new MX.PKCS12 ();
454 var attrs = new Hashtable ();
455 var localKeyId = new ArrayList ();
456 localKeyId.Add (new byte[] { 1, 0, 0, 0 });
457 attrs.Add (MX.PKCS9.localKeyId, localKeyId);
458 if (password != null)
459 pfx.Password = password;
460 pfx.AddCertificate (new MX.X509Certificate (GetRawCertData ()), attrs);
461 if (IntermediateCertificates != null) {
462 for (int i = 0; i < IntermediateCertificates.Count; i++)
463 pfx.AddCertificate (new MX.X509Certificate (IntermediateCertificates [i].GetRawCertData ()));
465 var privateKey = PrivateKey;
466 if (privateKey != null)
467 pfx.AddPkcs8ShroudedKeyBag (privateKey, attrs);
468 return pfx.GetBytes ();
474 public override bool Verify (X509Certificate2 thisCertificate)
476 using (var chain = new MonoBtlsX509Chain ()) {
477 chain.AddCertificate (x509.Copy ());
478 if (intermediateCerts != null) {
479 for (int i = 0; i < intermediateCerts.Count; i++) {
480 var intermediate = (X509CertificateImplBtls)intermediateCerts [i];
481 chain.AddCertificate (intermediate.x509.Copy ());
484 return MonoBtlsProvider.ValidateCertificate (chain, null);
488 public override void Reset ()
494 if (nativePrivateKey != null) {
495 nativePrivateKey.Dispose ();
496 nativePrivateKey = null;
502 intermediateCerts = null;
503 if (fallback != null)
projects / mono.git / blob