Imported Upstream version 5.18.0.142

Former-commit-id: 7467d4b717762eeaf652d77f1486dd11ffb1ff1f

mcs/class/System/Mono.Btls/MonoBtlsContext.cs

@@ -35,6 +35,7 @@ using System.Threading.Tasks;
 using System.Security.Cryptography.X509Certificates;
 using System.Security.Authentication;
 using System.Runtime.InteropServices;
+using Microsoft.Win32.SafeHandles;
 
 #if MONO_SECURITY_ALIAS
 using MonoSecurity::Mono.Security.Interface;
@@ -76,11 +77,13 @@ namespace Mono.Btls
 				return (X509CertificateImplBtls)impl.Clone ();
 
 			var password = Guid.NewGuid ().ToString ();
-			var buffer = certificate.Export (X509ContentType.Pfx, password);
+			using (var handle = new SafePasswordHandle (password)) {
+				var buffer = certificate.Export (X509ContentType.Pfx, password);
 
-			impl = new X509CertificateImplBtls ();
-			impl.Import (buffer, password, X509KeyStorageFlags.DefaultKeySet);
-			return impl;
+				impl = new X509CertificateImplBtls ();
+				impl.Import (buffer, handle, X509KeyStorageFlags.DefaultKeySet);
+				return impl;
+			}
 		}
 
 		new public MonoBtlsProvider Provider {

mcs/class/System/Mono.Btls/MonoBtlsObject.cs

@@ -26,6 +26,7 @@
 #if SECURITY_DEP && MONO_FEATURE_BTLS
 using System;
 using System.Threading;
+using System.Security.Cryptography;
 using System.Runtime.InteropServices;
 using System.Runtime.CompilerServices;
 
@@ -90,11 +91,10 @@ namespace Mono.Btls
 		{
 			if (!ok) {
 				if (callerName != null)
-					throw new MonoBtlsException ("{0}.{1} failed.", GetType ().Name, callerName);
+					throw new CryptographicException ($"`{GetType ().Name}.{callerName}` failed.");
 				else
-					throw new MonoBtlsException ();
+					throw new CryptographicException ();
 			}
-
 		}
 
 		protected void CheckError (int ret, [CallerMemberName] string callerName = null)
@@ -110,10 +110,10 @@ namespace Mono.Btls
 
 			string message;
 			if (callerName != null)
-				message = string.Format ("Caught unhandled exception in {0}.{1}.", GetType ().Name, callerName);
+				message = $"Caught unhandled exception in `{GetType ().Name}.{callerName}`.";
 			else
-				message = string.Format ("Caught unhandled exception.");
-			throw new MonoBtlsException (message, error);
+				message = "Caught unhandled exception.";
+			throw new CryptographicException (message, error);
 		}
 
 		[DllImport (BTLS_DYLIB)]

mcs/class/System/Mono.Btls/MonoBtlsPkcs12.cs

@@ -29,6 +29,7 @@ using System.IO;
 using System.Security.Cryptography.X509Certificates;
 using System.Runtime.CompilerServices;
 using System.Runtime.InteropServices;
+using Microsoft.Win32.SafeHandles;
 
 namespace Mono.Btls
 {
@@ -68,7 +69,7 @@ namespace Mono.Btls
 		extern static int mono_btls_pkcs12_add_cert (IntPtr chain, IntPtr x509);
 
 		[DllImport (BTLS_DYLIB)]
-		extern unsafe static int mono_btls_pkcs12_import (IntPtr chain, void* data, int len, IntPtr password);
+		extern unsafe static int mono_btls_pkcs12_import (IntPtr chain, void* data, int len, SafePasswordHandle password);
 
 		[DllImport (BTLS_DYLIB)]
 		extern static int mono_btls_pkcs12_has_private_key (IntPtr pkcs12);
@@ -108,20 +109,12 @@ namespace Mono.Btls
 				x509.Handle.DangerousGetHandle ());
 		}
 
-		public unsafe void Import (byte[] buffer, string password)
+		public unsafe void Import (byte[] buffer, SafePasswordHandle password)
 		{
-			var passptr = IntPtr.Zero;
-			fixed (void* ptr = buffer)
-			try {
-				if (password != null)
-					passptr = Marshal.StringToHGlobalAnsi (password);
+			fixed (void* ptr = buffer) {
 				var ret = mono_btls_pkcs12_import (
-					Handle.DangerousGetHandle (), ptr,
-					buffer.Length, passptr);
+					Handle.DangerousGetHandle (), ptr, buffer.Length, password);
 				CheckError (ret);
-			} finally {
-				if (passptr != IntPtr.Zero)
-					Marshal.FreeHGlobal (passptr);
 			}
 		}
 

mcs/class/System/Mono.Btls/MonoBtlsProvider.cs

@@ -36,6 +36,7 @@ using System.Net.Security;
 using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
 using System.Security.Authentication;
+using Microsoft.Win32.SafeHandles;
 
 #if MONO_SECURITY_ALIAS
 using MonoSecurity::Mono.Security.Interface;
@@ -106,9 +107,8 @@ namespace Mono.Btls
 		internal override X509Certificate2Impl GetNativeCertificate (
 			byte[] data, string password, X509KeyStorageFlags flags)
 		{
-			var impl = new X509CertificateImplBtls (false);
-			impl.Import (data, password, flags);
-			return impl;
+			using (var handle = new SafePasswordHandle (password))
+				return GetNativeCertificate (data, handle, flags);
 		}
 
 		internal override X509Certificate2Impl GetNativeCertificate (
@@ -122,6 +122,14 @@ namespace Mono.Btls
 			return new X509CertificateImplBtls (data, MonoBtlsX509Format.DER, false);
 		}
 
+		internal X509Certificate2Impl GetNativeCertificate (
+			byte[] data, SafePasswordHandle password, X509KeyStorageFlags flags)
+		{
+			var impl = new X509CertificateImplBtls (false);
+			impl.Import (data, password, flags);
+			return impl;
+		}
+
 		internal static MonoBtlsX509VerifyParam GetVerifyParam (MonoTlsSettings settings, string targetHost, bool serverMode)
 		{
 			MonoBtlsX509VerifyParam param;
@@ -428,8 +436,9 @@ namespace Mono.Btls
 
 		public static X509Certificate2 CreateCertificate2 (byte[] data, string password, bool disallowFallback = false)
 		{
-			using (var impl = new X509CertificateImplBtls (disallowFallback)) {
-				impl.Import (data, password, X509KeyStorageFlags.DefaultKeySet);
+			using (var impl = new X509CertificateImplBtls (disallowFallback))
+			using (var handle = new SafePasswordHandle (password)) {
+				impl.Import (data, handle, X509KeyStorageFlags.DefaultKeySet);
 				return new X509Certificate2 (impl);
 			}
 		}

mcs/class/System/Mono.Btls/MonoBtlsUtils.cs

@@ -112,6 +112,9 @@ namespace Mono.Btls
 			case MonoBtlsX509NameEntryType.Initial:
 				sb.Append ("I=");
 				break;
+			case MonoBtlsX509NameEntryType.SerialNumber:
+				sb.Append ("SERIALNUMBER=");
+				break;
 			default:
 				// unknown OID
 				sb.Append ("OID.");     // NOTE: Not present as RFC2253

mcs/class/System/Mono.Btls/X509CertificateImplBtls.cs

@@ -23,7 +23,7 @@
 // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 // THE SOFTWARE.
-#if SECURITY_DEP && MONO_FEATURE_BTLS
+#if MONO_FEATURE_BTLS
 #if MONO_SECURITY_ALIAS
 extern alias MonoSecurity;
 #endif
@@ -40,7 +40,9 @@ using System.Collections;
 using System.Security;
 using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
+using System.Runtime.InteropServices;
 using Mono.Security.Cryptography;
+using Microsoft.Win32.SafeHandles;
 
 namespace Mono.Btls
 {
@@ -133,105 +135,34 @@ namespace Mono.Btls
 			return true;
 		}
 
-		protected override byte[] GetCertHash (bool lazy)
-		{
-			return X509.GetCertHash ();
-		}
+		public override byte[] Thumbprint => X509.GetCertHash ();
 
-		public override byte[] GetRawCertData ()
-		{
-			return X509.GetRawData (MonoBtlsX509Format.DER);
-		}
+		public override byte[] RawData => X509.GetRawData (MonoBtlsX509Format.DER);
 
-		public override string GetSubjectName (bool legacyV1Mode)
-		{
-			if (legacyV1Mode)
-				return SubjectName.Decode (X500DistinguishedNameFlags.None);
-			return SubjectName.Name;
-		}
+		public override string Subject => SubjectName.Name;
 
-		public override string GetIssuerName (bool legacyV1Mode)
-		{
-			if (legacyV1Mode)
-				return IssuerName.Decode (X500DistinguishedNameFlags.None);
-			return IssuerName.Name;
-		}
+		public override string Issuer => IssuerName.Name;
 
-		public override DateTime GetValidFrom ()
-		{
-			return X509.GetNotBefore ().ToLocalTime ();
-		}
+		public override string LegacySubject => SubjectName.Decode (X500DistinguishedNameFlags.None);
 
-		public override DateTime GetValidUntil ()
-		{
-			return X509.GetNotAfter ().ToLocalTime ();
-		}
+		public override string LegacyIssuer => IssuerName.Decode (X500DistinguishedNameFlags.None);
 
-		public override byte[] GetPublicKey ()
-		{
-			return X509.GetPublicKeyData ();
-		}
+		public override DateTime NotBefore => X509.GetNotBefore ().ToLocalTime ();
 
-		public override byte[] GetSerialNumber ()
-		{
-			return X509.GetSerialNumber (true);
-		}
+		public override DateTime NotAfter => X509.GetNotAfter ().ToLocalTime ();
 
-		public override string GetKeyAlgorithm ()
-		{
-			return PublicKey.Oid.Value;
-		}
+		public override byte[] PublicKeyValue => X509.GetPublicKeyData ();
 
-		public override byte[] GetKeyAlgorithmParameters ()
-		{
-			return PublicKey.EncodedParameters.RawData;
-		}
+		public override byte[] SerialNumber => X509.GetSerialNumber (true);
 
-		public override byte[] Export (X509ContentType contentType, byte[] password)
-		{
-			ThrowIfContextInvalid ();
+		public override string KeyAlgorithm => PublicKey.Oid.Value;
 
-			switch (contentType) {
-			case X509ContentType.Cert:
-				return GetRawCertData ();
-			case X509ContentType.Pfx: // this includes Pkcs12
-				// TODO
-				throw new NotSupportedException ();
-			case X509ContentType.SerializedCert:
-				// TODO
-				throw new NotSupportedException ();
-			default:
-				string msg = Locale.GetText ("This certificate format '{0}' cannot be exported.", contentType);
-				throw new CryptographicException (msg);
-			}
-		}
+		public override byte[] KeyAlgorithmParameters => PublicKey.EncodedParameters.RawData;
 
 		internal override X509CertificateImplCollection IntermediateCertificates {
 			get { return intermediateCerts; }
 		}
 
-		public override string ToString (bool full)
-		{
-			ThrowIfContextInvalid ();
-
-			if (!full) {
-				var summary = GetSubjectName (false);
-				return string.Format ("[X509Certificate: {0}]", summary);
-			}
-
-			string nl = Environment.NewLine;
-			StringBuilder sb = new StringBuilder ();
-			sb.AppendFormat ("[Subject]{0}  {1}{0}{0}", nl, GetSubjectName (false));
-
-			sb.AppendFormat ("[Issuer]{0}  {1}{0}{0}", nl, GetIssuerName (false));
-			sb.AppendFormat ("[Not Before]{0}  {1}{0}{0}", nl, GetValidFrom ().ToLocalTime ());
-			sb.AppendFormat ("[Not After]{0}  {1}{0}{0}", nl, GetValidUntil ().ToLocalTime ());
-			sb.AppendFormat ("[Thumbprint]{0}  {1}{0}", nl, X509Helper.ToHexString (GetCertHash ()));
-
-			sb.Append (nl);
-			return sb.ToString ();
-		}
-
 		protected override void Dispose (bool disposing)
 		{
 			if (x509 != null) {
@@ -250,7 +181,9 @@ namespace Mono.Btls
 				throw new InvalidOperationException ();
 			if (fallback != null)
 				return;
-			fallback = X509Helper2.Import (GetRawCertData (), null, X509KeyStorageFlags.DefaultKeySet, true);
+			fallback = SystemDependencyProvider.Instance.CertificateProvider.Import (
+				RawData, null, X509KeyStorageFlags.DefaultKeySet,
+				CertificateImportFlags.DisableNativeBackend);
 		}
 
 		internal override X509Certificate2Impl FallbackImpl {
@@ -353,10 +286,10 @@ namespace Mono.Btls
 			return FallbackImpl.GetNameInfo (nameType, forIssuer);
 		}
 
-		public override void Import (byte[] data, string password, X509KeyStorageFlags keyStorageFlags)
+		public override void Import (byte[] data, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
 		{
 			Reset ();
-			if (password == null) {
+			if (password == null || password.IsInvalid) {
 				try {
 					Import (data);
 				} catch (Exception e) {
@@ -397,16 +330,17 @@ namespace Mono.Btls
 			}
 		}
 
-		void ImportPkcs12 (byte[] data, string password)
+		void ImportPkcs12 (byte[] data, SafePasswordHandle password)
 		{
 			using (var pkcs12 = new MonoBtlsPkcs12 ()) {
-				if (string.IsNullOrEmpty (password)) {
+				if (password == null || password.IsInvalid) {
 					try {
 						// Support both unencrypted PKCS#12..
 						pkcs12.Import (data, null);
 					} catch {
 						// ..and PKCS#12 encrypted with an empty password
-						pkcs12.Import (data, string.Empty);
+						using (var empty = new SafePasswordHandle (string.Empty))
+							pkcs12.Import (data, empty);
 					}
 				} else {
 					pkcs12.Import (data, password);
@@ -429,13 +363,13 @@ namespace Mono.Btls
 			}
 		}
 
-		public override byte[] Export (X509ContentType contentType, string password)
+		public override byte[] Export (X509ContentType contentType, SafePasswordHandle password)
 		{
 			ThrowIfContextInvalid ();
 
 			switch (contentType) {
 			case X509ContentType.Cert:
-				return GetRawCertData ();
+				return RawData;
 			case X509ContentType.Pfx: // this includes Pkcs12
 				return ExportPkcs12 (password);
 			case X509ContentType.SerializedCert:
@@ -447,6 +381,14 @@ namespace Mono.Btls
 			}
 		}
 
+		byte[] ExportPkcs12 (SafePasswordHandle password)
+		{
+			if (password == null || password.IsInvalid)
+				return ExportPkcs12 ((string)null);
+			var passwordString = password.Mono_DangerousGetString ();
+			return ExportPkcs12 (passwordString);
+		}
+
 		byte[] ExportPkcs12 (string password)
 		{
 			var pfx = new MX.PKCS12 ();
@@ -457,10 +399,10 @@ namespace Mono.Btls
 				attrs.Add (MX.PKCS9.localKeyId, localKeyId);
 				if (password != null)
 					pfx.Password = password;
-				pfx.AddCertificate (new MX.X509Certificate (GetRawCertData ()), attrs);
+				pfx.AddCertificate (new MX.X509Certificate (RawData), attrs);
 				if (IntermediateCertificates != null) {
 					for (int i = 0; i < IntermediateCertificates.Count; i++)
-						pfx.AddCertificate (new MX.X509Certificate (IntermediateCertificates [i].GetRawCertData ()));
+						pfx.AddCertificate (new MX.X509Certificate (IntermediateCertificates [i].RawData));
 				}
 				var privateKey = PrivateKey;
 				if (privateKey != null)

mcs/class/System/Mono.Btls/X509PalImpl.Btls.cs

@@ -0,0 +1,74 @@
+//
+// X509PalImpl.Btls.cs
+//
+// Author:
+//       Martin Baulig <mabaul@microsoft.com>
+//
+// Copyright (c) 2018 Xamarin, Inc.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+#if MONO_FEATURE_BTLS
+#if MONO_SECURITY_ALIAS
+extern alias MonoSecurity;
+#endif
+
+#if MONO_SECURITY_ALIAS
+using MonoSecurity::Mono.Security.Interface;
+#else
+using Mono.Security.Interface;
+#endif
+
+using System;
+using System.IO;
+using System.Text;
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
+using Microsoft.Win32.SafeHandles;
+
+namespace Mono.Btls
+{
+	class X509PalImplBtls : X509PalImpl
+	{
+		public X509PalImplBtls (MonoTlsProvider provider)
+		{
+			Provider = (MonoBtlsProvider)provider;
+		}
+
+		MonoBtlsProvider Provider {
+			get;
+		}
+
+		public override X509CertificateImpl Import (byte[] data)
+		{
+			return Provider.GetNativeCertificate (data, null, X509KeyStorageFlags.DefaultKeySet);
+		}
+
+		public override X509Certificate2Impl Import (
+			byte[] data, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
+		{
+			return Provider.GetNativeCertificate (data, password, keyStorageFlags);
+		}
+
+		public override X509Certificate2Impl Import (X509Certificate cert)
+		{
+			return Provider.GetNativeCertificate (cert);
+		}
+	}
+}
+#endif