diff options
Diffstat (limited to 'Emby.Server.Implementations/Cryptography/PKCS12.cs')
| -rw-r--r-- | Emby.Server.Implementations/Cryptography/PKCS12.cs | 1934 |
1 files changed, 0 insertions, 1934 deletions
diff --git a/Emby.Server.Implementations/Cryptography/PKCS12.cs b/Emby.Server.Implementations/Cryptography/PKCS12.cs deleted file mode 100644 index 50f3776d9..000000000 --- a/Emby.Server.Implementations/Cryptography/PKCS12.cs +++ /dev/null @@ -1,1934 +0,0 @@ -// -// PKCS12.cs: PKCS 12 - Personal Information Exchange Syntax -// -// Author: -// Sebastien Pouliot <sebastien@xamarin.com> -// -// (C) 2003 Motus Technologies Inc. (http://www.motus.com) -// Copyright (C) 2004,2005,2006 Novell Inc. (http://www.novell.com) -// Copyright 2013 Xamarin Inc. (http://www.xamarin.com) -// -// Key derivation translated from Bouncy Castle JCE (http://www.bouncycastle.org/) -// See bouncycastle.txt for license. -// -// Permission is hereby granted, free of charge, to any person obtaining -// a copy of this software and associated documentation files (the -// "Software"), to deal in the Software without restriction, including -// without limitation the rights to use, copy, modify, merge, publish, -// distribute, sublicense, and/or sell copies of the Software, and to -// permit persons to whom the Software is furnished to do so, subject to -// the following conditions: -// -// The above copyright notice and this permission notice shall be -// included in all copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, -// EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF -// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND -// NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE -// LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION -// OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION -// WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. -// - -using System; -using System.Collections; -using System.IO; -using System.Security.Cryptography; -using System.Text; - -namespace Emby.Server.Core.Cryptography -{ - - public class PKCS5 { - - public const string pbeWithMD2AndDESCBC = "1.2.840.113549.1.5.1"; - public const string pbeWithMD5AndDESCBC = "1.2.840.113549.1.5.3"; - public const string pbeWithMD2AndRC2CBC = "1.2.840.113549.1.5.4"; - public const string pbeWithMD5AndRC2CBC = "1.2.840.113549.1.5.6"; - public const string pbeWithSHA1AndDESCBC = "1.2.840.113549.1.5.10"; - public const string pbeWithSHA1AndRC2CBC = "1.2.840.113549.1.5.11"; - - public PKCS5 () {} - } - - public class PKCS9 { - - public const string friendlyName = "1.2.840.113549.1.9.20"; - public const string localKeyId = "1.2.840.113549.1.9.21"; - - public PKCS9 () {} - } - - - internal class SafeBag { - private string _bagOID; - private ASN1 _asn1; - - public SafeBag(string bagOID, ASN1 asn1) { - _bagOID = bagOID; - _asn1 = asn1; - } - - public string BagOID { - get { return _bagOID; } - } - - public ASN1 ASN1 { - get { return _asn1; } - } - } - - - public class PKCS12 : ICloneable { - - public const string pbeWithSHAAnd128BitRC4 = "1.2.840.113549.1.12.1.1"; - public const string pbeWithSHAAnd40BitRC4 = "1.2.840.113549.1.12.1.2"; - public const string pbeWithSHAAnd3KeyTripleDESCBC = "1.2.840.113549.1.12.1.3"; - public const string pbeWithSHAAnd2KeyTripleDESCBC = "1.2.840.113549.1.12.1.4"; - public const string pbeWithSHAAnd128BitRC2CBC = "1.2.840.113549.1.12.1.5"; - public const string pbeWithSHAAnd40BitRC2CBC = "1.2.840.113549.1.12.1.6"; - - // bags - public const string keyBag = "1.2.840.113549.1.12.10.1.1"; - public const string pkcs8ShroudedKeyBag = "1.2.840.113549.1.12.10.1.2"; - public const string certBag = "1.2.840.113549.1.12.10.1.3"; - public const string crlBag = "1.2.840.113549.1.12.10.1.4"; - public const string secretBag = "1.2.840.113549.1.12.10.1.5"; - public const string safeContentsBag = "1.2.840.113549.1.12.10.1.6"; - - // types - public const string x509Certificate = "1.2.840.113549.1.9.22.1"; - public const string sdsiCertificate = "1.2.840.113549.1.9.22.2"; - public const string x509Crl = "1.2.840.113549.1.9.23.1"; - - // Adapted from BouncyCastle PKCS12ParametersGenerator.java - public class DeriveBytes { - - public enum Purpose { - Key, - IV, - MAC - } - - static private byte[] keyDiversifier = { 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 }; - static private byte[] ivDiversifier = { 2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2 }; - static private byte[] macDiversifier = { 3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3 }; - - private string _hashName; - private int _iterations; - private byte[] _password; - private byte[] _salt; - - public DeriveBytes () {} - - public string HashName { - get { return _hashName; } - set { _hashName = value; } - } - - public int IterationCount { - get { return _iterations; } - set { _iterations = value; } - } - - public byte[] Password { - get { return (byte[]) _password.Clone (); } - set { - if (value == null) - _password = new byte [0]; - else - _password = (byte[]) value.Clone (); - } - } - - public byte[] Salt { - get { return (byte[]) _salt.Clone (); } - set { - if (value != null) - _salt = (byte[]) value.Clone (); - else - _salt = null; - } - } - - private void Adjust (byte[] a, int aOff, byte[] b) - { - int x = (b[b.Length - 1] & 0xff) + (a [aOff + b.Length - 1] & 0xff) + 1; - - a [aOff + b.Length - 1] = (byte) x; - x >>= 8; - - for (int i = b.Length - 2; i >= 0; i--) { - x += (b [i] & 0xff) + (a [aOff + i] & 0xff); - a [aOff + i] = (byte) x; - x >>= 8; - } - } - - private byte[] Derive (byte[] diversifier, int n) - { - HashAlgorithm digest = PKCS1.CreateFromName (_hashName); - int u = (digest.HashSize >> 3); // div 8 - int v = 64; - byte[] dKey = new byte [n]; - - byte[] S; - if ((_salt != null) && (_salt.Length != 0)) { - S = new byte[v * ((_salt.Length + v - 1) / v)]; - - for (int i = 0; i != S.Length; i++) { - S[i] = _salt[i % _salt.Length]; - } - } - else { - S = new byte[0]; - } - - byte[] P; - if ((_password != null) && (_password.Length != 0)) { - P = new byte[v * ((_password.Length + v - 1) / v)]; - - for (int i = 0; i != P.Length; i++) { - P[i] = _password[i % _password.Length]; - } - } - else { - P = new byte[0]; - } - - byte[] I = new byte [S.Length + P.Length]; - - Buffer.BlockCopy (S, 0, I, 0, S.Length); - Buffer.BlockCopy (P, 0, I, S.Length, P.Length); - - byte[] B = new byte[v]; - int c = (n + u - 1) / u; - - for (int i = 1; i <= c; i++) { - digest.TransformBlock (diversifier, 0, diversifier.Length, diversifier, 0); - digest.TransformFinalBlock (I, 0, I.Length); - byte[] A = digest.Hash; - digest.Initialize (); - for (int j = 1; j != _iterations; j++) { - A = digest.ComputeHash (A, 0, A.Length); - } - - for (int j = 0; j != B.Length; j++) { - B [j] = A [j % A.Length]; - } - - for (int j = 0; j != I.Length / v; j++) { - Adjust (I, j * v, B); - } - - if (i == c) { - Buffer.BlockCopy(A, 0, dKey, (i - 1) * u, dKey.Length - ((i - 1) * u)); - } - else { - Buffer.BlockCopy(A, 0, dKey, (i - 1) * u, A.Length); - } - } - - return dKey; - } - - public byte[] DeriveKey (int size) - { - return Derive (keyDiversifier, size); - } - - public byte[] DeriveIV (int size) - { - return Derive (ivDiversifier, size); - } - - public byte[] DeriveMAC (int size) - { - return Derive (macDiversifier, size); - } - } - - const int recommendedIterationCount = 2000; - - //private int _version; - private byte[] _password; - private ArrayList _keyBags; - private ArrayList _secretBags; - private X509CertificateCollection _certs; - private bool _keyBagsChanged; - private bool _secretBagsChanged; - private bool _certsChanged; - private int _iterations; - private ArrayList _safeBags; - private RandomNumberGenerator _rng; - - // constructors - - public PKCS12 () - { - _iterations = recommendedIterationCount; - _keyBags = new ArrayList (); - _secretBags = new ArrayList (); - _certs = new X509CertificateCollection (); - _keyBagsChanged = false; - _secretBagsChanged = false; - _certsChanged = false; - _safeBags = new ArrayList (); - } - - public PKCS12 (byte[] data) - : this () - { - Password = null; - Decode (data); - } - - /* - * PFX ::= SEQUENCE { - * version INTEGER {v3(3)}(v3,...), - * authSafe ContentInfo, - * macData MacData OPTIONAL - * } - * - * MacData ::= SEQUENCE { - * mac DigestInfo, - * macSalt OCTET STRING, - * iterations INTEGER DEFAULT 1 - * -- Note: The default is for historical reasons and its use is deprecated. A higher - * -- value, like 1024 is recommended. - * } - * - * SafeContents ::= SEQUENCE OF SafeBag - * - * SafeBag ::= SEQUENCE { - * bagId BAG-TYPE.&id ({PKCS12BagSet}), - * bagValue [0] EXPLICIT BAG-TYPE.&Type({PKCS12BagSet}{@bagId}), - * bagAttributes SET OF PKCS12Attribute OPTIONAL - * } - */ - public PKCS12 (byte[] data, string password) - : this () - { - Password = password; - Decode (data); - } - - public PKCS12 (byte[] data, byte[] password) - : this () - { - _password = password; - Decode (data); - } - - private void Decode (byte[] data) - { - ASN1 pfx = new ASN1 (data); - if (pfx.Tag != 0x30) - throw new ArgumentException ("invalid data"); - - ASN1 version = pfx [0]; - if (version.Tag != 0x02) - throw new ArgumentException ("invalid PFX version"); - //_version = version.Value [0]; - - PKCS7.ContentInfo authSafe = new PKCS7.ContentInfo (pfx [1]); - if (authSafe.ContentType != PKCS7.Oid.data) - throw new ArgumentException ("invalid authenticated safe"); - - // now that we know it's a PKCS#12 file, check the (optional) MAC - // before decoding anything else in the file - if (pfx.Count > 2) { - ASN1 macData = pfx [2]; - if (macData.Tag != 0x30) - throw new ArgumentException ("invalid MAC"); - - ASN1 mac = macData [0]; - if (mac.Tag != 0x30) - throw new ArgumentException ("invalid MAC"); - ASN1 macAlgorithm = mac [0]; - string macOid = ASN1Convert.ToOid (macAlgorithm [0]); - if (macOid != "1.3.14.3.2.26") - throw new ArgumentException ("unsupported HMAC"); - byte[] macValue = mac [1].Value; - - ASN1 macSalt = macData [1]; - if (macSalt.Tag != 0x04) - throw new ArgumentException ("missing MAC salt"); - - _iterations = 1; // default value - if (macData.Count > 2) { - ASN1 iters = macData [2]; - if (iters.Tag != 0x02) - throw new ArgumentException ("invalid MAC iteration"); - _iterations = ASN1Convert.ToInt32 (iters); - } - - byte[] authSafeData = authSafe.Content [0].Value; - byte[] calculatedMac = MAC (_password, macSalt.Value, _iterations, authSafeData); - if (!Compare (macValue, calculatedMac)) { - byte[] nullPassword = {0, 0}; - calculatedMac = MAC(nullPassword, macSalt.Value, _iterations, authSafeData); - if (!Compare (macValue, calculatedMac)) - throw new CryptographicException ("Invalid MAC - file may have been tampe red!"); - _password = nullPassword; - } - } - - // we now returns to our original presentation - PFX - ASN1 authenticatedSafe = new ASN1 (authSafe.Content [0].Value); - for (int i=0; i < authenticatedSafe.Count; i++) { - PKCS7.ContentInfo ci = new PKCS7.ContentInfo (authenticatedSafe [i]); - switch (ci.ContentType) { - case PKCS7.Oid.data: - // unencrypted (by PKCS#12) - ASN1 safeContents = new ASN1 (ci.Content [0].Value); - for (int j=0; j < safeContents.Count; j++) { - ASN1 safeBag = safeContents [j]; - ReadSafeBag (safeBag); - } - break; - case PKCS7.Oid.encryptedData: - // password encrypted - PKCS7.EncryptedData ed = new PKCS7.EncryptedData (ci.Content [0]); - ASN1 decrypted = new ASN1 (Decrypt (ed)); - for (int j=0; j < decrypted.Count; j++) { - ASN1 safeBag = decrypted [j]; - ReadSafeBag (safeBag); - } - break; - case PKCS7.Oid.envelopedData: - // public key encrypted - throw new NotImplementedException ("public key encrypted"); - default: - throw new ArgumentException ("unknown authenticatedSafe"); - } - } - } - - ~PKCS12 () - { - if (_password != null) { - Array.Clear (_password, 0, _password.Length); - } - _password = null; - } - - // properties - - public string Password { - set { - // Clear old password. - if (_password != null) - Array.Clear (_password, 0, _password.Length); - _password = null; - if (value != null) { - if (value.Length > 0) { - int size = value.Length; - int nul = 0; - if (size < MaximumPasswordLength) { - // if not present, add space for a NULL (0x00) character - if (value[size - 1] != 0x00) - nul = 1; - } else { - size = MaximumPasswordLength; - } - _password = new byte[(size + nul) << 1]; // double for unicode - Encoding.BigEndianUnicode.GetBytes (value, 0, size, _password, 0); - } else { - // double-byte (Unicode) NULL (0x00) - see bug #79617 - _password = new byte[2]; - } - } - } - } - - public int IterationCount { - get { return _iterations; } - set { _iterations = value; } - } - - public ArrayList Keys { - get { - if (_keyBagsChanged) { - _keyBags.Clear (); - foreach (SafeBag sb in _safeBags) { - if (sb.BagOID.Equals (keyBag)) { - ASN1 safeBag = sb.ASN1; - ASN1 bagValue = safeBag [1]; - PKCS8.PrivateKeyInfo pki = new PKCS8.PrivateKeyInfo (bagValue.Value); - byte[] privateKey = pki.PrivateKey; - switch (privateKey [0]) { - case 0x02: - DSAParameters p = new DSAParameters (); // FIXME - _keyBags.Add (PKCS8.PrivateKeyInfo.DecodeDSA (privateKey, p)); - break; - case 0x30: - _keyBags.Add (PKCS8.PrivateKeyInfo.DecodeRSA (privateKey)); - break; - default: - break; - } - Array.Clear (privateKey, 0, privateKey.Length); - - } else if (sb.BagOID.Equals (pkcs8ShroudedKeyBag)) { - ASN1 safeBag = sb.ASN1; - ASN1 bagValue = safeBag [1]; - PKCS8.EncryptedPrivateKeyInfo epki = new PKCS8.EncryptedPrivateKeyInfo (bagValue.Value); - byte[] decrypted = Decrypt (epki.Algorithm, epki.Salt, epki.IterationCount, epki.EncryptedData); - PKCS8.PrivateKeyInfo pki = new PKCS8.PrivateKeyInfo (decrypted); - byte[] privateKey = pki.PrivateKey; - switch (privateKey [0]) { - case 0x02: - DSAParameters p = new DSAParameters (); // FIXME - _keyBags.Add (PKCS8.PrivateKeyInfo.DecodeDSA (privateKey, p)); - break; - case 0x30: - _keyBags.Add (PKCS8.PrivateKeyInfo.DecodeRSA (privateKey)); - break; - default: - break; - } - Array.Clear (privateKey, 0, privateKey.Length); - Array.Clear (decrypted, 0, decrypted.Length); - } - } - _keyBagsChanged = false; - } - return ArrayList.ReadOnly(_keyBags); - } - } - - public ArrayList Secrets { - get { - if (_secretBagsChanged) { - _secretBags.Clear (); - foreach (SafeBag sb in _safeBags) { - if (sb.BagOID.Equals (secretBag)) { - ASN1 safeBag = sb.ASN1; - ASN1 bagValue = safeBag [1]; - byte[] secret = bagValue.Value; - _secretBags.Add(secret); - } - } - _secretBagsChanged = false; - } - return ArrayList.ReadOnly(_secretBags); - } - } - - public X509CertificateCollection Certificates { - get { - if (_certsChanged) { - _certs.Clear (); - foreach (SafeBag sb in _safeBags) { - if (sb.BagOID.Equals (certBag)) { - ASN1 safeBag = sb.ASN1; - ASN1 bagValue = safeBag [1]; - PKCS7.ContentInfo cert = new PKCS7.ContentInfo (bagValue.Value); - _certs.Add (new X509Certificate (cert.Content [0].Value)); - } - } - _certsChanged = false; - } - return _certs; - } - } - - internal RandomNumberGenerator RNG { - get { - if (_rng == null) - _rng = RandomNumberGenerator.Create (); - return _rng; - } - } - - // private methods - - private bool Compare (byte[] expected, byte[] actual) - { - bool compare = false; - if (expected.Length == actual.Length) { - for (int i=0; i < expected.Length; i++) { - if (expected [i] != actual [i]) - return false; - } - compare = true; - } - return compare; - } - - private SymmetricAlgorithm GetSymmetricAlgorithm (string algorithmOid, byte[] salt, int iterationCount) - { - string algorithm = null; - int keyLength = 8; // 64 bits (default) - int ivLength = 8; // 64 bits (default) - - PKCS12.DeriveBytes pd = new PKCS12.DeriveBytes (); - pd.Password = _password; - pd.Salt = salt; - pd.IterationCount = iterationCount; - - switch (algorithmOid) { - case PKCS5.pbeWithMD2AndDESCBC: // no unit test available - pd.HashName = "MD2"; - algorithm = "DES"; - break; - case PKCS5.pbeWithMD5AndDESCBC: // no unit test available - pd.HashName = "MD5"; - algorithm = "DES"; - break; - case PKCS5.pbeWithMD2AndRC2CBC: // no unit test available - // TODO - RC2-CBC-Parameter (PKCS5) - // if missing default to 32 bits !!! - pd.HashName = "MD2"; - algorithm = "RC2"; - keyLength = 4; // default - break; - case PKCS5.pbeWithMD5AndRC2CBC: // no unit test available - // TODO - RC2-CBC-Parameter (PKCS5) - // if missing default to 32 bits !!! - pd.HashName = "MD5"; - algorithm = "RC2"; - keyLength = 4; // default - break; - case PKCS5.pbeWithSHA1AndDESCBC: // no unit test available - pd.HashName = "SHA1"; - algorithm = "DES"; - break; - case PKCS5.pbeWithSHA1AndRC2CBC: // no unit test available - // TODO - RC2-CBC-Parameter (PKCS5) - // if missing default to 32 bits !!! - pd.HashName = "SHA1"; - algorithm = "RC2"; - keyLength = 4; // default - break; - case PKCS12.pbeWithSHAAnd128BitRC4: // no unit test available - pd.HashName = "SHA1"; - algorithm = "RC4"; - keyLength = 16; - ivLength = 0; // N/A - break; - case PKCS12.pbeWithSHAAnd40BitRC4: // no unit test available - pd.HashName = "SHA1"; - algorithm = "RC4"; - keyLength = 5; - ivLength = 0; // N/A - break; - case PKCS12.pbeWithSHAAnd3KeyTripleDESCBC: - pd.HashName = "SHA1"; - algorithm = "TripleDES"; - keyLength = 24; - break; - case PKCS12.pbeWithSHAAnd2KeyTripleDESCBC: // no unit test available - pd.HashName = "SHA1"; - algorithm = "TripleDES"; - keyLength = 16; - break; - case PKCS12.pbeWithSHAAnd128BitRC2CBC: // no unit test available - pd.HashName = "SHA1"; - algorithm = "RC2"; - keyLength = 16; - break; - case PKCS12.pbeWithSHAAnd40BitRC2CBC: - pd.HashName = "SHA1"; - algorithm = "RC2"; - keyLength = 5; - break; - default: - throw new NotSupportedException ("unknown oid " + algorithm); - } - - SymmetricAlgorithm sa = null; - sa = SymmetricAlgorithm.Create(algorithm); - sa.Key = pd.DeriveKey (keyLength); - // IV required only for block ciphers (not stream ciphers) - if (ivLength > 0) { - sa.IV = pd.DeriveIV (ivLength); - sa.Mode = CipherMode.CBC; - } - return sa; - } - - public byte[] Decrypt (string algorithmOid, byte[] salt, int iterationCount, byte[] encryptedData) - { - SymmetricAlgorithm sa = null; - byte[] result = null; - try { - sa = GetSymmetricAlgorithm (algorithmOid, salt, iterationCount); - ICryptoTransform ct = sa.CreateDecryptor (); - result = ct.TransformFinalBlock (encryptedData, 0, encryptedData.Length); - } - finally { - if (sa != null) - sa.Clear (); - } - return result; - } - - public byte[] Decrypt (PKCS7.EncryptedData ed) - { - return Decrypt (ed.EncryptionAlgorithm.ContentType, - ed.EncryptionAlgorithm.Content [0].Value, - ASN1Convert.ToInt32 (ed.EncryptionAlgorithm.Content [1]), - ed.EncryptedContent); - } - - public byte[] Encrypt (string algorithmOid, byte[] salt, int iterationCount, byte[] data) - { - byte[] result = null; - using (SymmetricAlgorithm sa = GetSymmetricAlgorithm (algorithmOid, salt, iterationCount)) { - ICryptoTransform ct = sa.CreateEncryptor (); - result = ct.TransformFinalBlock (data, 0, data.Length); - } - return result; - } - - private DSAParameters GetExistingParameters (out bool found) - { - foreach (X509Certificate cert in Certificates) { - // FIXME: that won't work if parts of the parameters are missing - if (cert.KeyAlgorithmParameters != null) { - DSA dsa = cert.DSA; - if (dsa != null) { - found = true; - return dsa.ExportParameters (false); - } - } - } - found = false; - return new DSAParameters (); - } - - private void AddPrivateKey (PKCS8.PrivateKeyInfo pki) - { - byte[] privateKey = pki.PrivateKey; - switch (privateKey [0]) { - case 0x02: - bool found; - DSAParameters p = GetExistingParameters (out found); - if (found) { - _keyBags.Add (PKCS8.PrivateKeyInfo.DecodeDSA (privateKey, p)); - } - break; - case 0x30: - _keyBags.Add (PKCS8.PrivateKeyInfo.DecodeRSA (privateKey)); - break; - default: - Array.Clear (privateKey, 0, privateKey.Length); - throw new CryptographicException ("Unknown private key format"); - } - Array.Clear (privateKey, 0, privateKey.Length); - } - - private void ReadSafeBag (ASN1 safeBag) - { - if (safeBag.Tag != 0x30) - throw new ArgumentException ("invalid safeBag"); - - ASN1 bagId = safeBag [0]; - if (bagId.Tag != 0x06) - throw new ArgumentException ("invalid safeBag id"); - - ASN1 bagValue = safeBag [1]; - string oid = ASN1Convert.ToOid (bagId); - switch (oid) { - case keyBag: - // NEED UNIT TEST - AddPrivateKey (new PKCS8.PrivateKeyInfo (bagValue.Value)); - break; - case pkcs8ShroudedKeyBag: - PKCS8.EncryptedPrivateKeyInfo epki = new PKCS8.EncryptedPrivateKeyInfo (bagValue.Value); - byte[] decrypted = Decrypt (epki.Algorithm, epki.Salt, epki.IterationCount, epki.EncryptedData); - AddPrivateKey (new PKCS8.PrivateKeyInfo (decrypted)); - Array.Clear (decrypted, 0, decrypted.Length); - break; - case certBag: - PKCS7.ContentInfo cert = new PKCS7.ContentInfo (bagValue.Value); - if (cert.ContentType != x509Certificate) - throw new NotSupportedException ("unsupport certificate type"); - X509Certificate x509 = new X509Certificate (cert.Content [0].Value); - _certs.Add (x509); - break; - case crlBag: - // TODO - break; - case secretBag: - byte[] secret = bagValue.Value; - _secretBags.Add(secret); - break; - case safeContentsBag: - // TODO - ? recurse ? - break; - default: - throw new ArgumentException ("unknown safeBag oid"); - } - - if (safeBag.Count > 2) { - ASN1 bagAttributes = safeBag [2]; - if (bagAttributes.Tag != 0x31) - throw new ArgumentException ("invalid safeBag attributes id"); - - for (int i = 0; i < bagAttributes.Count; i++) { - ASN1 pkcs12Attribute = bagAttributes[i]; - - if (pkcs12Attribute.Tag != 0x30) - throw new ArgumentException ("invalid PKCS12 attributes id"); - - ASN1 attrId = pkcs12Attribute [0]; - if (attrId.Tag != 0x06) - throw new ArgumentException ("invalid attribute id"); - - string attrOid = ASN1Convert.ToOid (attrId); - - ASN1 attrValues = pkcs12Attribute[1]; - for (int j = 0; j < attrValues.Count; j++) { - ASN1 attrValue = attrValues[j]; - - switch (attrOid) { - case PKCS9.friendlyName: - if (attrValue.Tag != 0x1e) - throw new ArgumentException ("invalid attribute value id"); - break; - case PKCS9.localKeyId: - if (attrValue.Tag != 0x04) - throw new ArgumentException ("invalid attribute value id"); - break; - default: - // Unknown OID -- don't check Tag - break; - } - } - } - } - - _safeBags.Add (new SafeBag(oid, safeBag)); - } - - private ASN1 Pkcs8ShroudedKeyBagSafeBag (AsymmetricAlgorithm aa, IDictionary attributes) - { - PKCS8.PrivateKeyInfo pki = new PKCS8.PrivateKeyInfo (); - if (aa is RSA) { - pki.Algorithm = "1.2.840.113549.1.1.1"; - pki.PrivateKey = PKCS8.PrivateKeyInfo.Encode ((RSA)aa); - } - else if (aa is DSA) { - pki.Algorithm = null; - pki.PrivateKey = PKCS8.PrivateKeyInfo.Encode ((DSA)aa); - } - else - throw new CryptographicException ("Unknown asymmetric algorithm {0}", aa.ToString ()); - - PKCS8.EncryptedPrivateKeyInfo epki = new PKCS8.EncryptedPrivateKeyInfo (); - epki.Algorithm = pbeWithSHAAnd3KeyTripleDESCBC; - epki.IterationCount = _iterations; - epki.EncryptedData = Encrypt (pbeWithSHAAnd3KeyTripleDESCBC, epki.Salt, _iterations, pki.GetBytes ()); - - ASN1 safeBag = new ASN1 (0x30); - safeBag.Add (ASN1Convert.FromOid (pkcs8ShroudedKeyBag)); - ASN1 bagValue = new ASN1 (0xA0); - bagValue.Add (new ASN1 (epki.GetBytes ())); - safeBag.Add (bagValue); - - if (attributes != null) { - ASN1 bagAttributes = new ASN1 (0x31); - IDictionaryEnumerator de = attributes.GetEnumerator (); - - while (de.MoveNext ()) { - string oid = (string)de.Key; - switch (oid) { - case PKCS9.friendlyName: - ArrayList names = (ArrayList)de.Value; - if (names.Count > 0) { - ASN1 pkcs12Attribute = new ASN1 (0x30); - pkcs12Attribute.Add (ASN1Convert.FromOid (PKCS9.friendlyName)); - ASN1 attrValues = new ASN1 (0x31); - foreach (byte[] name in names) { - ASN1 attrValue = new ASN1 (0x1e); - attrValue.Value = name; - attrValues.Add (attrValue); - } - pkcs12Attribute.Add (attrValues); - bagAttributes.Add (pkcs12Attribute); - } - break; - case PKCS9.localKeyId: - ArrayList keys = (ArrayList)de.Value; - if (keys.Count > 0) { - ASN1 pkcs12Attribute = new ASN1 (0x30); - pkcs12Attribute.Add (ASN1Convert.FromOid (PKCS9.localKeyId)); - ASN1 attrValues = new ASN1 (0x31); - foreach (byte[] key in keys) { - ASN1 attrValue = new ASN1 (0x04); - attrValue.Value = key; - attrValues.Add (attrValue); - } - pkcs12Attribute.Add (attrValues); - bagAttributes.Add (pkcs12Attribute); - } - break; - default: - break; - } - } - - if (bagAttributes.Count > 0) { - safeBag.Add (bagAttributes); - } - } - - return safeBag; - } - - private ASN1 KeyBagSafeBag (AsymmetricAlgorithm aa, IDictionary attributes) - { - PKCS8.PrivateKeyInfo pki = new PKCS8.PrivateKeyInfo (); - if (aa is RSA) { - pki.Algorithm = "1.2.840.113549.1.1.1"; - pki.PrivateKey = PKCS8.PrivateKeyInfo.Encode ((RSA)aa); - } - else if (aa is DSA) { - pki.Algorithm = null; - pki.PrivateKey = PKCS8.PrivateKeyInfo.Encode ((DSA)aa); - } - else - throw new CryptographicException ("Unknown asymmetric algorithm {0}", aa.ToString ()); - - ASN1 safeBag = new ASN1 (0x30); - safeBag.Add (ASN1Convert.FromOid (keyBag)); - ASN1 bagValue = new ASN1 (0xA0); - bagValue.Add (new ASN1 (pki.GetBytes ())); - safeBag.Add (bagValue); - - if (attributes != null) { - ASN1 bagAttributes = new ASN1 (0x31); - IDictionaryEnumerator de = attributes.GetEnumerator (); - - while (de.MoveNext ()) { - string oid = (string)de.Key; - switch (oid) { - case PKCS9.friendlyName: - ArrayList names = (ArrayList)de.Value; - if (names.Count > 0) { - ASN1 pkcs12Attribute = new ASN1 (0x30); - pkcs12Attribute.Add (ASN1Convert.FromOid (PKCS9.friendlyName)); - ASN1 attrValues = new ASN1 (0x31); - foreach (byte[] name in names) { - ASN1 attrValue = new ASN1 (0x1e); - attrValue.Value = name; - attrValues.Add (attrValue); - } - pkcs12Attribute.Add (attrValues); - bagAttributes.Add (pkcs12Attribute); - } - break; - case PKCS9.localKeyId: - ArrayList keys = (ArrayList)de.Value; - if (keys.Count > 0) { - ASN1 pkcs12Attribute = new ASN1 (0x30); - pkcs12Attribute.Add (ASN1Convert.FromOid (PKCS9.localKeyId)); - ASN1 attrValues = new ASN1 (0x31); - foreach (byte[] key in keys) { - ASN1 attrValue = new ASN1 (0x04); - attrValue.Value = key; - attrValues.Add (attrValue); - } - pkcs12Attribute.Add (attrValues); - bagAttributes.Add (pkcs12Attribute); - } - break; - default: - break; - } - } - - if (bagAttributes.Count > 0) { - safeBag.Add (bagAttributes); - } - } - - return safeBag; - } - - private ASN1 SecretBagSafeBag (byte[] secret, IDictionary attributes) - { - ASN1 safeBag = new ASN1 (0x30); - safeBag.Add (ASN1Convert.FromOid (secretBag)); - ASN1 bagValue = new ASN1 (0x80, secret); - safeBag.Add (bagValue); - - if (attributes != null) { - ASN1 bagAttributes = new ASN1 (0x31); - IDictionaryEnumerator de = attributes.GetEnumerator (); - - while (de.MoveNext ()) { - string oid = (string)de.Key; - switch (oid) { - case PKCS9.friendlyName: - ArrayList names = (ArrayList)de.Value; - if (names.Count > 0) { - ASN1 pkcs12Attribute = new ASN1 (0x30); - pkcs12Attribute.Add (ASN1Convert.FromOid (PKCS9.friendlyName)); - ASN1 attrValues = new ASN1 (0x31); - foreach (byte[] name in names) { - ASN1 attrValue = new ASN1 (0x1e); - attrValue.Value = name; - attrValues.Add (attrValue); - } - pkcs12Attribute.Add (attrValues); - bagAttributes.Add (pkcs12Attribute); - } - break; - case PKCS9.localKeyId: - ArrayList keys = (ArrayList)de.Value; - if (keys.Count > 0) { - ASN1 pkcs12Attribute = new ASN1 (0x30); - pkcs12Attribute.Add (ASN1Convert.FromOid (PKCS9.localKeyId)); - ASN1 attrValues = new ASN1 (0x31); - foreach (byte[] key in keys) { - ASN1 attrValue = new ASN1 (0x04); - attrValue.Value = key; - attrValues.Add (attrValue); - } - pkcs12Attribute.Add (attrValues); - bagAttributes.Add (pkcs12Attribute); - } - break; - default: - break; - } - } - - if (bagAttributes.Count > 0) { - safeBag.Add (bagAttributes); - } - } - - return safeBag; - } - - private ASN1 CertificateSafeBag (X509Certificate x509, IDictionary attributes) - { - ASN1 encapsulatedCertificate = new ASN1 (0x04, x509.RawData); - - PKCS7.ContentInfo ci = new PKCS7.ContentInfo (); - ci.ContentType = x509Certificate; - ci.Content.Add (encapsulatedCertificate); - - ASN1 bagValue = new ASN1 (0xA0); - bagValue.Add (ci.ASN1); - - ASN1 safeBag = new ASN1 (0x30); - safeBag.Add (ASN1Convert.FromOid (certBag)); - safeBag.Add (bagValue); - - if (attributes != null) { - ASN1 bagAttributes = new ASN1 (0x31); - IDictionaryEnumerator de = attributes.GetEnumerator (); - - while (de.MoveNext ()) { - string oid = (string)de.Key; - switch (oid) { - case PKCS9.friendlyName: - ArrayList names = (ArrayList)de.Value; - if (names.Count > 0) { - ASN1 pkcs12Attribute = new ASN1 (0x30); - pkcs12Attribute.Add (ASN1Convert.FromOid (PKCS9.friendlyName)); - ASN1 attrValues = new ASN1 (0x31); - foreach (byte[] name in names) { - ASN1 attrValue = new ASN1 (0x1e); - attrValue.Value = name; - attrValues.Add (attrValue); - } - pkcs12Attribute.Add (attrValues); - bagAttributes.Add (pkcs12Attribute); - } - break; - case PKCS9.localKeyId: - ArrayList keys = (ArrayList)de.Value; - if (keys.Count > 0) { - ASN1 pkcs12Attribute = new ASN1 (0x30); - pkcs12Attribute.Add (ASN1Convert.FromOid (PKCS9.localKeyId)); - ASN1 attrValues = new ASN1 (0x31); - foreach (byte[] key in keys) { - ASN1 attrValue = new ASN1 (0x04); - attrValue.Value = key; - attrValues.Add (attrValue); - } - pkcs12Attribute.Add (attrValues); - bagAttributes.Add (pkcs12Attribute); - } - break; - default: - break; - } - } - - if (bagAttributes.Count > 0) { - safeBag.Add (bagAttributes); - } - } - - return safeBag; - } - - private byte[] MAC (byte[] password, byte[] salt, int iterations, byte[] data) - { - PKCS12.DeriveBytes pd = new PKCS12.DeriveBytes (); - pd.HashName = "SHA1"; - pd.Password = password; - pd.Salt = salt; - pd.IterationCount = iterations; - - HMACSHA1 hmac = (HMACSHA1) HMACSHA1.Create (); - hmac.Key = pd.DeriveMAC (20); - return hmac.ComputeHash (data, 0, data.Length); - } - - /* - * SafeContents ::= SEQUENCE OF SafeBag - * - * SafeBag ::= SEQUENCE { - * bagId BAG-TYPE.&id ({PKCS12BagSet}), - * bagValue [0] EXPLICIT BAG-TYPE.&Type({PKCS12BagSet}{@bagId}), - * bagAttributes SET OF PKCS12Attribute OPTIONAL - * } - */ - public byte[] GetBytes () - { - // TODO (incomplete) - ASN1 safeBagSequence = new ASN1 (0x30); - - // Sync Safe Bag list since X509CertificateCollection may be updated - ArrayList scs = new ArrayList (); - foreach (SafeBag sb in _safeBags) { - if (sb.BagOID.Equals (certBag)) { - ASN1 safeBag = sb.ASN1; - ASN1 bagValue = safeBag [1]; - PKCS7.ContentInfo cert = new PKCS7.ContentInfo (bagValue.Value); - scs.Add (new X509Certificate (cert.Content [0].Value)); - } - } - - ArrayList addcerts = new ArrayList (); - ArrayList removecerts = new ArrayList (); - - foreach (X509Certificate c in Certificates) { - bool found = false; - - foreach (X509Certificate lc in scs) { - if (Compare (c.RawData, lc.RawData)) { - found = true; - } - } - - if (!found) { - addcerts.Add (c); - } - } - foreach (X509Certificate c in scs) { - bool found = false; - - foreach (X509Certificate lc in Certificates) { - if (Compare (c.RawData, lc.RawData)) { - found = true; - } - } - - if (!found) { - removecerts.Add (c); - } - } - - foreach (X509Certificate c in removecerts) { - RemoveCertificate (c); - } - - foreach (X509Certificate c in addcerts) { - AddCertificate (c); - } - // Sync done - - if (_safeBags.Count > 0) { - ASN1 certsSafeBag = new ASN1 (0x30); - foreach (SafeBag sb in _safeBags) { - if (sb.BagOID.Equals (certBag)) { - certsSafeBag.Add (sb.ASN1); - } - } - - if (certsSafeBag.Count > 0) { - PKCS7.ContentInfo contentInfo = EncryptedContentInfo (certsSafeBag, pbeWithSHAAnd3KeyTripleDESCBC); - safeBagSequence.Add (contentInfo.ASN1); - } - } - - if (_safeBags.Count > 0) { - ASN1 safeContents = new ASN1 (0x30); - foreach (SafeBag sb in _safeBags) { - if (sb.BagOID.Equals (keyBag) || - sb.BagOID.Equals (pkcs8ShroudedKeyBag)) { - safeContents.Add (sb.ASN1); - } - } - if (safeContents.Count > 0) { - ASN1 content = new ASN1 (0xA0); - content.Add (new ASN1 (0x04, safeContents.GetBytes ())); - - PKCS7.ContentInfo keyBag = new PKCS7.ContentInfo (PKCS7.Oid.data); - keyBag.Content = content; - safeBagSequence.Add (keyBag.ASN1); - } - } - - // Doing SecretBags separately in case we want to change their encryption independently. - if (_safeBags.Count > 0) { - ASN1 secretsSafeBag = new ASN1 (0x30); - foreach (SafeBag sb in _safeBags) { - if (sb.BagOID.Equals (secretBag)) { - secretsSafeBag.Add (sb.ASN1); - } - } - - if (secretsSafeBag.Count > 0) { - PKCS7.ContentInfo contentInfo = EncryptedContentInfo (secretsSafeBag, pbeWithSHAAnd3KeyTripleDESCBC); - safeBagSequence.Add (contentInfo.ASN1); - } - } - - - ASN1 encapsulates = new ASN1 (0x04, safeBagSequence.GetBytes ()); - ASN1 ci = new ASN1 (0xA0); - ci.Add (encapsulates); - PKCS7.ContentInfo authSafe = new PKCS7.ContentInfo (PKCS7.Oid.data); - authSafe.Content = ci; - - ASN1 macData = new ASN1 (0x30); - if (_password != null) { - // only for password based encryption - byte[] salt = new byte [20]; - RNG.GetBytes (salt); - byte[] macValue = MAC (_password, salt, _iterations, authSafe.Content [0].Value); - ASN1 oidSeq = new ASN1 (0x30); - oidSeq.Add (ASN1Convert.FromOid ("1.3.14.3.2.26")); // SHA1 - oidSeq.Add (new ASN1 (0x05)); - - ASN1 mac = new ASN1 (0x30); - mac.Add (oidSeq); - mac.Add (new ASN1 (0x04, macValue)); - - macData.Add (mac); - macData.Add (new ASN1 (0x04, salt)); - macData.Add (ASN1Convert.FromInt32 (_iterations)); - } - - ASN1 version = new ASN1 (0x02, new byte [1] { 0x03 }); - - ASN1 pfx = new ASN1 (0x30); - pfx.Add (version); - pfx.Add (authSafe.ASN1); - if (macData.Count > 0) { - // only for password based encryption - pfx.Add (macData); - } - - return pfx.GetBytes (); - } - - // Creates an encrypted PKCS#7 ContentInfo with safeBags as its SafeContents. Used in GetBytes(), above. - private PKCS7.ContentInfo EncryptedContentInfo(ASN1 safeBags, string algorithmOid) - { - byte[] salt = new byte [8]; - RNG.GetBytes (salt); - - ASN1 seqParams = new ASN1 (0x30); - seqParams.Add (new ASN1 (0x04, salt)); - seqParams.Add (ASN1Convert.FromInt32 (_iterations)); - - ASN1 seqPbe = new ASN1 (0x30); - seqPbe.Add (ASN1Convert.FromOid (algorithmOid)); - seqPbe.Add (seqParams); - - byte[] encrypted = Encrypt (algorithmOid, salt, _iterations, safeBags.GetBytes ()); - ASN1 encryptedContent = new ASN1 (0x80, encrypted); - - ASN1 seq = new ASN1 (0x30); - seq.Add (ASN1Convert.FromOid (PKCS7.Oid.data)); - seq.Add (seqPbe); - seq.Add (encryptedContent); - - ASN1 version = new ASN1 (0x02, new byte [1] { 0x00 }); - ASN1 encData = new ASN1 (0x30); - encData.Add (version); - encData.Add (seq); - - ASN1 finalContent = new ASN1 (0xA0); - finalContent.Add (encData); - - PKCS7.ContentInfo bag = new PKCS7.ContentInfo (PKCS7.Oid.encryptedData); - bag.Content = finalContent; - return bag; - } - - public void AddCertificate (X509Certificate cert) - { - AddCertificate (cert, null); - } - - public void AddCertificate (X509Certificate cert, IDictionary attributes) - { - bool found = false; - - for (int i = 0; !found && i < _safeBags.Count; i++) { - SafeBag sb = (SafeBag)_safeBags [i]; - - if (sb.BagOID.Equals (certBag)) { - ASN1 safeBag = sb.ASN1; - ASN1 bagValue = safeBag [1]; - PKCS7.ContentInfo crt = new PKCS7.ContentInfo (bagValue.Value); - X509Certificate c = new X509Certificate (crt.Content [0].Value); - if (Compare (cert.RawData, c.RawData)) { - found = true; - } - } - } - - if (!found) { - _safeBags.Add (new SafeBag (certBag, CertificateSafeBag (cert, attributes))); - _certsChanged = true; - } - } - - public void RemoveCertificate (X509Certificate cert) - { - RemoveCertificate (cert, null); - } - - public void RemoveCertificate (X509Certificate cert, IDictionary attrs) - { - int certIndex = -1; - - for (int i = 0; certIndex == -1 && i < _safeBags.Count; i++) { - SafeBag sb = (SafeBag)_safeBags [i]; - - if (sb.BagOID.Equals (certBag)) { - ASN1 safeBag = sb.ASN1; - ASN1 bagValue = safeBag [1]; - PKCS7.ContentInfo crt = new PKCS7.ContentInfo (bagValue.Value); - X509Certificate c = new X509Certificate (crt.Content [0].Value); - if (Compare (cert.RawData, c.RawData)) { - if (attrs != null) { - if (safeBag.Count == 3) { - ASN1 bagAttributes = safeBag [2]; - int bagAttributesFound = 0; - for (int j = 0; j < bagAttributes.Count; j++) { - ASN1 pkcs12Attribute = bagAttributes [j]; - ASN1 attrId = pkcs12Attribute [0]; - string ao = ASN1Convert.ToOid (attrId); - ArrayList dattrValues = (ArrayList)attrs [ao]; - - if (dattrValues != null) { - ASN1 attrValues = pkcs12Attribute [1]; - - if (dattrValues.Count == attrValues.Count) { - int attrValuesFound = 0; - for (int k = 0; k < attrValues.Count; k++) { - ASN1 attrValue = attrValues [k]; - byte[] value = (byte[])dattrValues [k]; - - if (Compare (value, attrValue.Value)) { - attrValuesFound += 1; - } - } - if (attrValuesFound == attrValues.Count) { - bagAttributesFound += 1; - } - } - } - } - if (bagAttributesFound == bagAttributes.Count) { - certIndex = i; - } - } - } else { - certIndex = i; - } - } - } - } - - if (certIndex != -1) { - _safeBags.RemoveAt (certIndex); - _certsChanged = true; - } - } - - private bool CompareAsymmetricAlgorithm (AsymmetricAlgorithm a1, AsymmetricAlgorithm a2) - { - // fast path - if (a1.KeySize != a2.KeySize) - return false; - // compare public keys - if they match we can assume the private match too - return (a1.ToXmlString (false) == a2.ToXmlString (false)); - } - - public void AddPkcs8ShroudedKeyBag (AsymmetricAlgorithm aa) - { - AddPkcs8ShroudedKeyBag (aa, null); - } - - public void AddPkcs8ShroudedKeyBag (AsymmetricAlgorithm aa, IDictionary attributes) - { - bool found = false; - - for (int i = 0; !found && i < _safeBags.Count; i++) { - SafeBag sb = (SafeBag)_safeBags [i]; - - if (sb.BagOID.Equals (pkcs8ShroudedKeyBag)) { - ASN1 bagValue = sb.ASN1 [1]; - PKCS8.EncryptedPrivateKeyInfo epki = new PKCS8.EncryptedPrivateKeyInfo (bagValue.Value); - byte[] decrypted = Decrypt (epki.Algorithm, epki.Salt, epki.IterationCount, epki.EncryptedData); - PKCS8.PrivateKeyInfo pki = new PKCS8.PrivateKeyInfo (decrypted); - byte[] privateKey = pki.PrivateKey; - - AsymmetricAlgorithm saa = null; - switch (privateKey [0]) { - case 0x02: - DSAParameters p = new DSAParameters (); // FIXME - saa = PKCS8.PrivateKeyInfo.DecodeDSA (privateKey, p); - break; - case 0x30: - saa = PKCS8.PrivateKeyInfo.DecodeRSA (privateKey); - break; - default: - Array.Clear (decrypted, 0, decrypted.Length); - Array.Clear (privateKey, 0, privateKey.Length); - throw new CryptographicException ("Unknown private key format"); - } - - Array.Clear (decrypted, 0, decrypted.Length); - Array.Clear (privateKey, 0, privateKey.Length); - - if (CompareAsymmetricAlgorithm (aa , saa)) { - found = true; - } - } - } - - if (!found) { - _safeBags.Add (new SafeBag (pkcs8ShroudedKeyBag, Pkcs8ShroudedKeyBagSafeBag (aa, attributes))); - _keyBagsChanged = true; - } - } - - public void RemovePkcs8ShroudedKeyBag (AsymmetricAlgorithm aa) - { - int aaIndex = -1; - - for (int i = 0; aaIndex == -1 && i < _safeBags.Count; i++) { - SafeBag sb = (SafeBag)_safeBags [i]; - - if (sb.BagOID.Equals (pkcs8ShroudedKeyBag)) { - ASN1 bagValue = sb.ASN1 [1]; - PKCS8.EncryptedPrivateKeyInfo epki = new PKCS8.EncryptedPrivateKeyInfo (bagValue.Value); - byte[] decrypted = Decrypt (epki.Algorithm, epki.Salt, epki.IterationCount, epki.EncryptedData); - PKCS8.PrivateKeyInfo pki = new PKCS8.PrivateKeyInfo (decrypted); - byte[] privateKey = pki.PrivateKey; - - AsymmetricAlgorithm saa = null; - switch (privateKey [0]) { - case 0x02: - DSAParameters p = new DSAParameters (); // FIXME - saa = PKCS8.PrivateKeyInfo.DecodeDSA (privateKey, p); - break; - case 0x30: - saa = PKCS8.PrivateKeyInfo.DecodeRSA (privateKey); - break; - default: - Array.Clear (decrypted, 0, decrypted.Length); - Array.Clear (privateKey, 0, privateKey.Length); - throw new CryptographicException ("Unknown private key format"); - } - - Array.Clear (decrypted, 0, decrypted.Length); - Array.Clear (privateKey, 0, privateKey.Length); - - if (CompareAsymmetricAlgorithm (aa, saa)) { - aaIndex = i; - } - } - } - - if (aaIndex != -1) { - _safeBags.RemoveAt (aaIndex); - _keyBagsChanged = true; - } - } - - public void AddKeyBag (AsymmetricAlgorithm aa) - { - AddKeyBag (aa, null); - } - - public void AddKeyBag (AsymmetricAlgorithm aa, IDictionary attributes) - { - bool found = false; - - for (int i = 0; !found && i < _safeBags.Count; i++) { - SafeBag sb = (SafeBag)_safeBags [i]; - - if (sb.BagOID.Equals (keyBag)) { - ASN1 bagValue = sb.ASN1 [1]; - PKCS8.PrivateKeyInfo pki = new PKCS8.PrivateKeyInfo (bagValue.Value); - byte[] privateKey = pki.PrivateKey; - - AsymmetricAlgorithm saa = null; - switch (privateKey [0]) { - case 0x02: - DSAParameters p = new DSAParameters (); // FIXME - saa = PKCS8.PrivateKeyInfo.DecodeDSA (privateKey, p); - break; - case 0x30: - saa = PKCS8.PrivateKeyInfo.DecodeRSA (privateKey); - break; - default: - Array.Clear (privateKey, 0, privateKey.Length); - throw new CryptographicException ("Unknown private key format"); - } - - Array.Clear (privateKey, 0, privateKey.Length); - - if (CompareAsymmetricAlgorithm (aa, saa)) { - found = true; - } - } - } - - if (!found) { - _safeBags.Add (new SafeBag (keyBag, KeyBagSafeBag (aa, attributes))); - _keyBagsChanged = true; - } - } - - public void RemoveKeyBag (AsymmetricAlgorithm aa) - { - int aaIndex = -1; - - for (int i = 0; aaIndex == -1 && i < _safeBags.Count; i++) { - SafeBag sb = (SafeBag)_safeBags [i]; - - if (sb.BagOID.Equals (keyBag)) { - ASN1 bagValue = sb.ASN1 [1]; - PKCS8.PrivateKeyInfo pki = new PKCS8.PrivateKeyInfo (bagValue.Value); - byte[] privateKey = pki.PrivateKey; - - AsymmetricAlgorithm saa = null; - switch (privateKey [0]) { - case 0x02: - DSAParameters p = new DSAParameters (); // FIXME - saa = PKCS8.PrivateKeyInfo.DecodeDSA (privateKey, p); - break; - case 0x30: - saa = PKCS8.PrivateKeyInfo.DecodeRSA (privateKey); - break; - default: - Array.Clear (privateKey, 0, privateKey.Length); - throw new CryptographicException ("Unknown private key format"); - } - - Array.Clear (privateKey, 0, privateKey.Length); - - if (CompareAsymmetricAlgorithm (aa, saa)) { - aaIndex = i; - } - } - } - - if (aaIndex != -1) { - _safeBags.RemoveAt (aaIndex); - _keyBagsChanged = true; - } - } - - public void AddSecretBag (byte[] secret) - { - AddSecretBag (secret, null); - } - - public void AddSecretBag (byte[] secret, IDictionary attributes) - { - bool found = false; - - for (int i = 0; !found && i < _safeBags.Count; i++) { - SafeBag sb = (SafeBag)_safeBags [i]; - - if (sb.BagOID.Equals (secretBag)) { - ASN1 bagValue = sb.ASN1 [1]; - byte[] ssecret = bagValue.Value; - - if (Compare (secret, ssecret)) { - found = true; - } - } - } - - if (!found) { - _safeBags.Add (new SafeBag (secretBag, SecretBagSafeBag (secret, attributes))); - _secretBagsChanged = true; - } - } - - public void RemoveSecretBag (byte[] secret) - { - int sIndex = -1; - - for (int i = 0; sIndex == -1 && i < _safeBags.Count; i++) { - SafeBag sb = (SafeBag)_safeBags [i]; - - if (sb.BagOID.Equals (secretBag)) { - ASN1 bagValue = sb.ASN1 [1]; - byte[] ssecret = bagValue.Value; - - if (Compare (secret, ssecret)) { - sIndex = i; - } - } - } - - if (sIndex != -1) { - _safeBags.RemoveAt (sIndex); - _secretBagsChanged = true; - } - } - - public AsymmetricAlgorithm GetAsymmetricAlgorithm (IDictionary attrs) - { - foreach (SafeBag sb in _safeBags) { - if (sb.BagOID.Equals (keyBag) || sb.BagOID.Equals (pkcs8ShroudedKeyBag)) { - ASN1 safeBag = sb.ASN1; - - if (safeBag.Count == 3) { - ASN1 bagAttributes = safeBag [2]; - - int bagAttributesFound = 0; - for (int i = 0; i < bagAttributes.Count; i++) { - ASN1 pkcs12Attribute = bagAttributes [i]; - ASN1 attrId = pkcs12Attribute [0]; - string ao = ASN1Convert.ToOid (attrId); - ArrayList dattrValues = (ArrayList)attrs [ao]; - - if (dattrValues != null) { - ASN1 attrValues = pkcs12Attribute [1]; - - if (dattrValues.Count == attrValues.Count) { - int attrValuesFound = 0; - for (int j = 0; j < attrValues.Count; j++) { - ASN1 attrValue = attrValues [j]; - byte[] value = (byte[])dattrValues [j]; - - if (Compare (value, attrValue.Value)) { - attrValuesFound += 1; - } - } - if (attrValuesFound == attrValues.Count) { - bagAttributesFound += 1; - } - } - } - } - if (bagAttributesFound == bagAttributes.Count) { - ASN1 bagValue = safeBag [1]; - AsymmetricAlgorithm aa = null; - if (sb.BagOID.Equals (keyBag)) { - PKCS8.PrivateKeyInfo pki = new PKCS8.PrivateKeyInfo (bagValue.Value); - byte[] privateKey = pki.PrivateKey; - switch (privateKey [0]) { - case 0x02: - DSAParameters p = new DSAParameters (); // FIXME - aa = PKCS8.PrivateKeyInfo.DecodeDSA (privateKey, p); - break; - case 0x30: - aa = PKCS8.PrivateKeyInfo.DecodeRSA (privateKey); - break; - default: - break; - } - Array.Clear (privateKey, 0, privateKey.Length); - } else if (sb.BagOID.Equals (pkcs8ShroudedKeyBag)) { - PKCS8.EncryptedPrivateKeyInfo epki = new PKCS8.EncryptedPrivateKeyInfo (bagValue.Value); - byte[] decrypted = Decrypt (epki.Algorithm, epki.Salt, epki.IterationCount, epki.EncryptedData); - PKCS8.PrivateKeyInfo pki = new PKCS8.PrivateKeyInfo (decrypted); - byte[] privateKey = pki.PrivateKey; - switch (privateKey [0]) { - case 0x02: - DSAParameters p = new DSAParameters (); // FIXME - aa = PKCS8.PrivateKeyInfo.DecodeDSA (privateKey, p); - break; - case 0x30: - aa = PKCS8.PrivateKeyInfo.DecodeRSA (privateKey); - break; - default: - break; - } - Array.Clear (privateKey, 0, privateKey.Length); - Array.Clear (decrypted, 0, decrypted.Length); - } - return aa; - } - } - } - } - - return null; - } - - public byte[] GetSecret (IDictionary attrs) - { - foreach (SafeBag sb in _safeBags) { - if (sb.BagOID.Equals (secretBag)) { - ASN1 safeBag = sb.ASN1; - - if (safeBag.Count == 3) { - ASN1 bagAttributes = safeBag [2]; - - int bagAttributesFound = 0; - for (int i = 0; i < bagAttributes.Count; i++) { - ASN1 pkcs12Attribute = bagAttributes [i]; - ASN1 attrId = pkcs12Attribute [0]; - string ao = ASN1Convert.ToOid (attrId); - ArrayList dattrValues = (ArrayList)attrs [ao]; - - if (dattrValues != null) { - ASN1 attrValues = pkcs12Attribute [1]; - - if (dattrValues.Count == attrValues.Count) { - int attrValuesFound = 0; - for (int j = 0; j < attrValues.Count; j++) { - ASN1 attrValue = attrValues [j]; - byte[] value = (byte[])dattrValues [j]; - - if (Compare (value, attrValue.Value)) { - attrValuesFound += 1; - } - } - if (attrValuesFound == attrValues.Count) { - bagAttributesFound += 1; - } - } - } - } - if (bagAttributesFound == bagAttributes.Count) { - ASN1 bagValue = safeBag [1]; - return bagValue.Value; - } - } - } - } - - return null; - } - - public X509Certificate GetCertificate (IDictionary attrs) - { - foreach (SafeBag sb in _safeBags) { - if (sb.BagOID.Equals (certBag)) { - ASN1 safeBag = sb.ASN1; - - if (safeBag.Count == 3) { - ASN1 bagAttributes = safeBag [2]; - - int bagAttributesFound = 0; - for (int i = 0; i < bagAttributes.Count; i++) { - ASN1 pkcs12Attribute = bagAttributes [i]; - ASN1 attrId = pkcs12Attribute [0]; - string ao = ASN1Convert.ToOid (attrId); - ArrayList dattrValues = (ArrayList)attrs [ao]; - - if (dattrValues != null) { - ASN1 attrValues = pkcs12Attribute [1]; - - if (dattrValues.Count == attrValues.Count) { - int attrValuesFound = 0; - for (int j = 0; j < attrValues.Count; j++) { - ASN1 attrValue = attrValues [j]; - byte[] value = (byte[])dattrValues [j]; - - if (Compare (value, attrValue.Value)) { - attrValuesFound += 1; - } - } - if (attrValuesFound == attrValues.Count) { - bagAttributesFound += 1; - } - } - } - } - if (bagAttributesFound == bagAttributes.Count) { - ASN1 bagValue = safeBag [1]; - PKCS7.ContentInfo crt = new PKCS7.ContentInfo (bagValue.Value); - return new X509Certificate (crt.Content [0].Value); - } - } - } - } - - return null; - } - - public IDictionary GetAttributes (AsymmetricAlgorithm aa) - { - IDictionary result = new Hashtable (); - - foreach (SafeBag sb in _safeBags) { - if (sb.BagOID.Equals (keyBag) || sb.BagOID.Equals (pkcs8ShroudedKeyBag)) { - ASN1 safeBag = sb.ASN1; - - ASN1 bagValue = safeBag [1]; - AsymmetricAlgorithm saa = null; - if (sb.BagOID.Equals (keyBag)) { - PKCS8.PrivateKeyInfo pki = new PKCS8.PrivateKeyInfo (bagValue.Value); - byte[] privateKey = pki.PrivateKey; - switch (privateKey [0]) { - case 0x02: - DSAParameters p = new DSAParameters (); // FIXME - saa = PKCS8.PrivateKeyInfo.DecodeDSA (privateKey, p); - break; - case 0x30: - saa = PKCS8.PrivateKeyInfo.DecodeRSA (privateKey); - break; - default: - break; - } - Array.Clear (privateKey, 0, privateKey.Length); - } else if (sb.BagOID.Equals (pkcs8ShroudedKeyBag)) { - PKCS8.EncryptedPrivateKeyInfo epki = new PKCS8.EncryptedPrivateKeyInfo (bagValue.Value); - byte[] decrypted = Decrypt (epki.Algorithm, epki.Salt, epki.IterationCount, epki.EncryptedData); - PKCS8.PrivateKeyInfo pki = new PKCS8.PrivateKeyInfo (decrypted); - byte[] privateKey = pki.PrivateKey; - switch (privateKey [0]) { - case 0x02: - DSAParameters p = new DSAParameters (); // FIXME - saa = PKCS8.PrivateKeyInfo.DecodeDSA (privateKey, p); - break; - case 0x30: - saa = PKCS8.PrivateKeyInfo.DecodeRSA (privateKey); - break; - default: - break; - } - Array.Clear (privateKey, 0, privateKey.Length); - Array.Clear (decrypted, 0, decrypted.Length); - } - - if (saa != null && CompareAsymmetricAlgorithm (saa, aa)) { - if (safeBag.Count == 3) { - ASN1 bagAttributes = safeBag [2]; - - for (int i = 0; i < bagAttributes.Count; i++) { - ASN1 pkcs12Attribute = bagAttributes [i]; - ASN1 attrId = pkcs12Attribute [0]; - string aOid = ASN1Convert.ToOid (attrId); - ArrayList aValues = new ArrayList (); - - ASN1 attrValues = pkcs12Attribute [1]; - - for (int j = 0; j < attrValues.Count; j++) { - ASN1 attrValue = attrValues [j]; - aValues.Add (attrValue.Value); - } - result.Add (aOid, aValues); - } - } - } - } - } - - return result; - } - - public IDictionary GetAttributes (X509Certificate cert) - { - IDictionary result = new Hashtable (); - - foreach (SafeBag sb in _safeBags) { - if (sb.BagOID.Equals (certBag)) { - ASN1 safeBag = sb.ASN1; - ASN1 bagValue = safeBag [1]; - PKCS7.ContentInfo crt = new PKCS7.ContentInfo (bagValue.Value); - X509Certificate xc = new X509Certificate (crt.Content [0].Value); - - if (Compare (cert.RawData, xc.RawData)) { - if (safeBag.Count == 3) { - ASN1 bagAttributes = safeBag [2]; - - for (int i = 0; i < bagAttributes.Count; i++) { - ASN1 pkcs12Attribute = bagAttributes [i]; - ASN1 attrId = pkcs12Attribute [0]; - - string aOid = ASN1Convert.ToOid (attrId); - ArrayList aValues = new ArrayList (); - - ASN1 attrValues = pkcs12Attribute [1]; - - for (int j = 0; j < attrValues.Count; j++) { - ASN1 attrValue = attrValues [j]; - aValues.Add (attrValue.Value); - } - result.Add (aOid, aValues); - } - } - } - } - } - - return result; - } - - public void SaveToFile (string filename) - { - if (filename == null) - throw new ArgumentNullException ("filename"); - - using (FileStream fs = File.Create (filename)) { - byte[] data = GetBytes (); - fs.Write (data, 0, data.Length); - } - } - - public object Clone () - { - PKCS12 clone = null; - if (_password != null) { - clone = new PKCS12 (GetBytes (), Encoding.BigEndianUnicode.GetString (_password)); - } else { - clone = new PKCS12 (GetBytes ()); - } - clone.IterationCount = this.IterationCount; - - return clone; - } - - // static - - public const int CryptoApiPasswordLimit = 32; - - static private int password_max_length = Int32.MaxValue; - - // static properties - - // MS CryptoAPI limits the password to a maximum of 31 characters - // other implementations, like OpenSSL, have no such limitation. - // Setting a maximum value will truncate the password length to - // ensure compatibility with MS's PFXImportCertStore API. - static public int MaximumPasswordLength { - get { return password_max_length; } - set { - if (value < CryptoApiPasswordLimit) { - string msg = string.Format ("Maximum password length cannot be less than {0}.", CryptoApiPasswordLimit); - throw new ArgumentOutOfRangeException (msg); - } - password_max_length = value; - } - } - } -} |