2 // X509Certificate2ImplMono
5 // Sebastien Pouliot <sebastien@xamarin.com>
6 // Martin Baulig <martin.baulig@xamarin.com>
8 // (C) 2003 Motus Technologies Inc. (http://www.motus.com)
9 // Copyright (C) 2004-2006 Novell Inc. (http://www.novell.com)
10 // Copyright (C) 2015-2016 Xamarin, Inc. (http://www.xamarin.com)
12 // Permission is hereby granted, free of charge, to any person obtaining
13 // a copy of this software and associated documentation files (the
14 // "Software"), to deal in the Software without restriction, including
15 // without limitation the rights to use, copy, modify, merge, publish,
16 // distribute, sublicense, and/or sell copies of the Software, and to
17 // permit persons to whom the Software is furnished to do so, subject to
18 // the following conditions:
20 // The above copyright notice and this permission notice shall be
21 // included in all copies or substantial portions of the Software.
23 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
24 // EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
25 // MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
26 // NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
27 // LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
28 // OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
29 // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
34 #if MONO_SECURITY_ALIAS
35 extern alias MonoSecurity;
36 using MonoSecurity::Mono.Security;
37 using MonoSecurity::Mono.Security.Cryptography;
38 using MX = MonoSecurity::Mono.Security.X509;
41 using Mono.Security.Cryptography;
42 using MX = Mono.Security.X509;
47 using System.Collections;
49 namespace System.Security.Cryptography.X509Certificates
51 internal class X509Certificate2ImplMono : X509Certificate2Impl
54 X509ExtensionCollection _extensions;
57 X500DistinguishedName issuer_name;
58 X500DistinguishedName subject_name;
59 Oid signature_algorithm;
61 MX.X509Certificate _cert;
63 static string empty_error = Locale.GetText ("Certificate instance is empty.");
65 public override bool IsValid {
71 public override IntPtr Handle {
72 get { return IntPtr.Zero; }
75 internal X509Certificate2ImplMono (MX.X509Certificate cert)
80 public override X509CertificateImpl Clone ()
82 ThrowIfContextInvalid ();
83 return new X509Certificate2ImplMono (_cert);
86 #region Implemented X509CertificateImpl members
88 public override string GetIssuerName (bool legacyV1Mode)
90 ThrowIfContextInvalid ();
92 return _cert.IssuerName;
94 return MX.X501.ToString (_cert.GetIssuerName (), true, ", ", true);
97 public override string GetSubjectName (bool legacyV1Mode)
99 ThrowIfContextInvalid ();
101 return _cert.SubjectName;
103 return MX.X501.ToString (_cert.GetSubjectName (), true, ", ", true);
106 public override byte[] GetRawCertData ()
108 ThrowIfContextInvalid ();
109 return _cert.RawData;
112 protected override byte[] GetCertHash (bool lazy)
114 ThrowIfContextInvalid ();
115 SHA1 sha = SHA1.Create ();
116 return sha.ComputeHash (_cert.RawData);
119 public override DateTime GetValidFrom ()
121 ThrowIfContextInvalid ();
122 return _cert.ValidFrom;
125 public override DateTime GetValidUntil ()
127 ThrowIfContextInvalid ();
128 return _cert.ValidUntil;
131 public override bool Equals (X509CertificateImpl other, out bool result)
133 // Use default implementation
138 public override string GetKeyAlgorithm ()
140 ThrowIfContextInvalid ();
141 return _cert.KeyAlgorithm;
144 public override byte[] GetKeyAlgorithmParameters ()
146 ThrowIfContextInvalid ();
147 return _cert.KeyAlgorithmParameters;
150 public override byte[] GetPublicKey ()
152 ThrowIfContextInvalid ();
153 return _cert.PublicKey;
156 public override byte[] GetSerialNumber ()
158 ThrowIfContextInvalid ();
159 return _cert.SerialNumber;
162 public override byte[] Export (X509ContentType contentType, byte[] password)
164 ThrowIfContextInvalid ();
166 switch (contentType) {
167 case X509ContentType.Cert:
168 return GetRawCertData ();
169 case X509ContentType.Pfx: // this includes Pkcs12
171 throw new NotSupportedException ();
172 case X509ContentType.SerializedCert:
174 throw new NotSupportedException ();
176 string msg = Locale.GetText ("This certificate format '{0}' cannot be exported.", contentType);
177 throw new CryptographicException (msg);
185 public X509Certificate2ImplMono ()
192 public override bool Archived {
195 throw new CryptographicException (empty_error);
200 throw new CryptographicException (empty_error);
205 public override X509ExtensionCollection Extensions {
208 throw new CryptographicException (empty_error);
209 if (_extensions == null)
210 _extensions = new X509ExtensionCollection (_cert);
215 // FIXME - Could be more efficient
216 public override bool HasPrivateKey {
217 get { return PrivateKey != null; }
220 public override X500DistinguishedName IssuerName {
223 throw new CryptographicException (empty_error);
224 if (issuer_name == null)
225 issuer_name = new X500DistinguishedName (_cert.GetIssuerName ().GetBytes ());
230 public override AsymmetricAlgorithm PrivateKey {
233 throw new CryptographicException (empty_error);
235 if (_cert.RSA != null) {
236 RSACryptoServiceProvider rcsp = _cert.RSA as RSACryptoServiceProvider;
238 return rcsp.PublicOnly ? null : rcsp;
240 RSAManaged rsam = _cert.RSA as RSAManaged;
242 return rsam.PublicOnly ? null : rsam;
244 _cert.RSA.ExportParameters (true);
246 } else if (_cert.DSA != null) {
247 DSACryptoServiceProvider dcsp = _cert.DSA as DSACryptoServiceProvider;
249 return dcsp.PublicOnly ? null : dcsp;
251 _cert.DSA.ExportParameters (true);
261 throw new CryptographicException (empty_error);
263 // allow NULL so we can "forget" the key associated to the certificate
264 // e.g. in case we want to export it in another format (see bug #396620)
268 } else if (value is RSA)
269 _cert.RSA = (RSA) value;
270 else if (value is DSA)
271 _cert.DSA = (DSA) value;
273 throw new NotSupportedException ();
277 public override PublicKey PublicKey {
280 throw new CryptographicException (empty_error);
282 if (_publicKey == null) {
284 _publicKey = new PublicKey (_cert);
286 catch (Exception e) {
287 string msg = Locale.GetText ("Unable to decode public key.");
288 throw new CryptographicException (msg, e);
295 public override Oid SignatureAlgorithm {
298 throw new CryptographicException (empty_error);
300 if (signature_algorithm == null)
301 signature_algorithm = new Oid (_cert.SignatureAlgorithm);
302 return signature_algorithm;
306 public override X500DistinguishedName SubjectName {
309 throw new CryptographicException (empty_error);
311 if (subject_name == null)
312 subject_name = new X500DistinguishedName (_cert.GetSubjectName ().GetBytes ());
317 public override int Version {
320 throw new CryptographicException (empty_error);
321 return _cert.Version;
327 [MonoTODO ("always return String.Empty for UpnName, DnsFromAlternativeName and UrlName")]
328 public override string GetNameInfo (X509NameType nameType, bool forIssuer)
331 case X509NameType.SimpleName:
333 throw new CryptographicException (empty_error);
334 // return CN= or, if missing, the first part of the DN
335 ASN1 sn = forIssuer ? _cert.GetIssuerName () : _cert.GetSubjectName ();
336 ASN1 dn = Find (commonName, sn);
338 return GetValueAsString (dn);
341 ASN1 last_entry = sn [sn.Count - 1];
342 if (last_entry.Count == 0)
344 return GetValueAsString (last_entry [0]);
345 case X509NameType.EmailName:
346 // return the E= part of the DN (if present)
347 ASN1 e = Find (email, forIssuer ? _cert.GetIssuerName () : _cert.GetSubjectName ());
349 return GetValueAsString (e);
351 case X509NameType.UpnName:
352 // FIXME - must find/create test case
354 case X509NameType.DnsName:
355 // return the CN= part of the DN (if present)
356 ASN1 cn = Find (commonName, forIssuer ? _cert.GetIssuerName () : _cert.GetSubjectName ());
358 return GetValueAsString (cn);
360 case X509NameType.DnsFromAlternativeName:
361 // FIXME - must find/create test case
363 case X509NameType.UrlName:
364 // FIXME - must find/create test case
367 throw new ArgumentException ("nameType");
371 static byte[] commonName = { 0x55, 0x04, 0x03 };
372 static byte[] email = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01 };
374 private ASN1 Find (byte[] oid, ASN1 dn)
380 for (int i = 0; i < dn.Count; i++) {
382 for (int j = 0; j < set.Count; j++) {
387 ASN1 poid = pair [0];
391 if (poid.CompareValue (oid))
398 private string GetValueAsString (ASN1 pair)
403 ASN1 value = pair [1];
404 if ((value.Value == null) || (value.Length == 0))
407 if (value.Tag == 0x1E) {
409 StringBuilder sb = new StringBuilder ();
410 for (int j = 1; j < value.Value.Length; j += 2)
411 sb.Append ((char)value.Value [j]);
412 return sb.ToString ();
414 return Encoding.UTF8.GetString (value.Value);
418 private MX.X509Certificate ImportPkcs12 (byte[] rawData, string password)
420 MX.PKCS12 pfx = null;
421 if (string.IsNullOrEmpty (password)) {
423 // Support both unencrypted PKCS#12..
424 pfx = new MX.PKCS12 (rawData, (string)null);
426 // ..and PKCS#12 encrypted with an empty password
427 pfx = new MX.PKCS12 (rawData, string.Empty);
430 pfx = new MX.PKCS12 (rawData, password);
433 if (pfx.Certificates.Count == 0) {
434 // no certificate was found
436 } else if (pfx.Keys.Count == 0) {
437 // no key were found - pick the first certificate
438 return pfx.Certificates [0];
440 // find the certificate that match the first key
441 MX.X509Certificate cert = null;
442 var keypair = (pfx.Keys [0] as AsymmetricAlgorithm);
443 string pubkey = keypair.ToXmlString (false);
444 foreach (var c in pfx.Certificates) {
445 if (((c.RSA != null) && (pubkey == c.RSA.ToXmlString (false))) ||
446 ((c.DSA != null) && (pubkey == c.DSA.ToXmlString (false)))) {
452 cert = pfx.Certificates [0]; // no match, pick first certificate without keys
454 cert.RSA = (keypair as RSA);
455 cert.DSA = (keypair as DSA);
461 [MonoTODO ("missing KeyStorageFlags support")]
462 public override void Import (byte[] rawData, string password, X509KeyStorageFlags keyStorageFlags)
464 MX.X509Certificate cert = null;
465 if (password == null) {
467 cert = new MX.X509Certificate (rawData);
469 catch (Exception e) {
471 cert = ImportPkcs12 (rawData, null);
474 string msg = Locale.GetText ("Unable to decode certificate.");
475 // inner exception is the original (not second) exception
476 throw new CryptographicException (msg, e);
482 cert = ImportPkcs12 (rawData, password);
485 // it's possible to supply a (unrequired/unusued) password
487 cert = new MX.X509Certificate (rawData);
493 [MonoTODO ("X509ContentType.SerializedCert is not supported")]
494 public override byte[] Export (X509ContentType contentType, string password)
497 throw new CryptographicException (empty_error);
499 switch (contentType) {
500 case X509ContentType.Cert:
501 return _cert.RawData;
502 case X509ContentType.Pfx: // this includes Pkcs12
503 return ExportPkcs12 (password);
504 case X509ContentType.SerializedCert:
506 throw new NotSupportedException ();
508 string msg = Locale.GetText ("This certificate format '{0}' cannot be exported.", contentType);
509 throw new CryptographicException (msg);
513 byte[] ExportPkcs12 (string password)
515 var pfx = new MX.PKCS12 ();
517 var attrs = new Hashtable ();
518 var localKeyId = new ArrayList ();
519 localKeyId.Add (new byte[] { 1, 0, 0, 0 });
520 attrs.Add (MX.PKCS9.localKeyId, localKeyId);
522 if (password != null)
523 pfx.Password = password;
524 pfx.AddCertificate (_cert, attrs);
525 var privateKey = PrivateKey;
526 if (privateKey != null)
527 pfx.AddPkcs8ShroudedKeyBag (privateKey, attrs);
528 return pfx.GetBytes ();
534 public override void Reset ()
543 signature_algorithm = null;
546 public override string ToString ()
549 return "System.Security.Cryptography.X509Certificates.X509Certificate2";
551 return ToString (true);
554 public override string ToString (bool verbose)
557 return "System.Security.Cryptography.X509Certificates.X509Certificate2";
559 string nl = Environment.NewLine;
560 StringBuilder sb = new StringBuilder ();
562 // the non-verbose X509Certificate2 == verbose X509Certificate
564 sb.AppendFormat ("[Subject]{0} {1}{0}{0}", nl, GetSubjectName (false));
565 sb.AppendFormat ("[Issuer]{0} {1}{0}{0}", nl, GetIssuerName (false));
566 sb.AppendFormat ("[Not Before]{0} {1}{0}{0}", nl, GetValidFrom ().ToLocalTime ());
567 sb.AppendFormat ("[Not After]{0} {1}{0}{0}", nl, GetValidUntil ().ToLocalTime ());
568 sb.AppendFormat ("[Thumbprint]{0} {1}{0}", nl, X509Helper.ToHexString (GetCertHash ()));
570 return sb.ToString ();
573 sb.AppendFormat ("[Version]{0} V{1}{0}{0}", nl, Version);
574 sb.AppendFormat ("[Subject]{0} {1}{0}{0}", nl, GetSubjectName (false));
575 sb.AppendFormat ("[Issuer]{0} {1}{0}{0}", nl, GetIssuerName (false));
576 sb.AppendFormat ("[Serial Number]{0} {1}{0}{0}", nl, GetSerialNumber ());
577 sb.AppendFormat ("[Not Before]{0} {1}{0}{0}", nl, GetValidFrom ().ToLocalTime ());
578 sb.AppendFormat ("[Not After]{0} {1}{0}{0}", nl, GetValidUntil ().ToLocalTime ());
579 sb.AppendFormat ("[Thumbprint]{0} {1}{0}", nl, X509Helper.ToHexString (GetCertHash ()));
580 sb.AppendFormat ("[Signature Algorithm]{0} {1}({2}){0}{0}", nl, SignatureAlgorithm.FriendlyName,
581 SignatureAlgorithm.Value);
583 AsymmetricAlgorithm key = PublicKey.Key;
584 sb.AppendFormat ("[Public Key]{0} Algorithm: ", nl);
590 sb.Append (key.ToString ());
591 sb.AppendFormat ("{0} Length: {1}{0} Key Blob: ", nl, key.KeySize);
592 AppendBuffer (sb, PublicKey.EncodedKeyValue.RawData);
593 sb.AppendFormat ("{0} Parameters: ", nl);
594 AppendBuffer (sb, PublicKey.EncodedParameters.RawData);
597 return sb.ToString ();
600 private static void AppendBuffer (StringBuilder sb, byte[] buffer)
604 for (int i=0; i < buffer.Length; i++) {
605 sb.Append (buffer [i].ToString ("x2"));
606 if (i < buffer.Length - 1)
611 [MonoTODO ("by default this depends on the incomplete X509Chain")]
612 public override bool Verify (X509Certificate2 thisCertificate)
615 throw new CryptographicException (empty_error);
617 X509Chain chain = X509Chain.Create ();
618 if (!chain.Build (thisCertificate))
620 // TODO - check chain and other stuff ???
626 private static byte[] signedData = new byte[] { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02 };
628 [MonoTODO ("Detection limited to Cert, Pfx, Pkcs12, Pkcs7 and Unknown")]
629 public static X509ContentType GetCertContentType (byte[] rawData)
631 if ((rawData == null) || (rawData.Length == 0))
632 throw new ArgumentException ("rawData");
634 X509ContentType type = X509ContentType.Unknown;
636 ASN1 data = new ASN1 (rawData);
637 if (data.Tag != 0x30) {
638 string msg = Locale.GetText ("Unable to decode certificate.");
639 throw new CryptographicException (msg);
645 if (data.Count == 3) {
646 switch (data [0].Tag) {
648 // SEQUENCE / SEQUENCE / BITSTRING
649 if ((data [1].Tag == 0x30) && (data [2].Tag == 0x03))
650 type = X509ContentType.Cert;
653 // INTEGER / SEQUENCE / SEQUENCE
654 if ((data [1].Tag == 0x30) && (data [2].Tag == 0x30))
655 type = X509ContentType.Pkcs12;
656 // note: Pfx == Pkcs12
660 // check for PKCS#7 (count unknown but greater than 0)
661 // SEQUENCE / OID (signedData)
662 if ((data [0].Tag == 0x06) && data [0].CompareValue (signedData))
663 type = X509ContentType.Pkcs7;
665 catch (Exception e) {
666 string msg = Locale.GetText ("Unable to decode certificate.");
667 throw new CryptographicException (msg, e);
673 [MonoTODO ("Detection limited to Cert, Pfx, Pkcs12 and Unknown")]
674 public static X509ContentType GetCertContentType (string fileName)
676 if (fileName == null)
677 throw new ArgumentNullException ("fileName");
678 if (fileName.Length == 0)
679 throw new ArgumentException ("fileName");
681 byte[] data = File.ReadAllBytes (fileName);
682 return GetCertContentType (data);
685 // internal stuff because X509Certificate2 isn't complete enough
686 // (maybe X509Certificate3 will be better?)
688 internal MX.X509Certificate MonoCertificate {
689 get { return _cert; }