Imported Upstream version 5.18.0.142

Former-commit-id: 7467d4b717762eeaf652d77f1486dd11ffb1ff1f
2018-10-09 08:20:59 +00:00
parent e52655b4dc
commit 0abdbe5a7d
1547 changed files with 93792 additions and 47893 deletions
--- a/mcs/class/System/System.Security.Cryptography.X509Certificates/X509Certificate2.cs
+++ b/mcs/class/System/System.Security.Cryptography.X509Certificates/X509Certificate2.cs
@@ -42,6 +42,8 @@ using System.IO;
 using System.Text;
 using System.Collections;
 using System.Runtime.Serialization;
+using Microsoft.Win32.SafeHandles;
+using Mono;

 namespace System.Security.Cryptography.X509Certificates {

@@ -51,7 +53,7 @@ namespace System.Security.Cryptography.X509Certificates {
 		new internal X509Certificate2Impl Impl {
 			get {
 				var impl2 = base.Impl as X509Certificate2Impl;
-				X509Helper2.ThrowIfContextInvalid (impl2);
+				X509Helper.ThrowIfContextInvalid (impl2);
 				return impl2;
 			}
 		}
@@ -120,7 +122,7 @@ namespace System.Security.Cryptography.X509Certificates {
 		}

 		public X509Certificate2 (X509Certificate certificate) 
-			: base (X509Helper2.Import (certificate))
+			: base (SystemDependencyProvider.Instance.CertificateProvider.Import (certificate))
 		{
 		}

@@ -146,11 +148,11 @@ namespace System.Security.Cryptography.X509Certificates {

 		public string FriendlyName {
 			get {
-				ThrowIfContextInvalid ();
+				ThrowIfInvalid ();
 				return friendlyName;
 			}
 			set {
-				ThrowIfContextInvalid ();
+				ThrowIfInvalid ();
 				friendlyName = value;
 			}
 		}
@@ -164,11 +166,11 @@ namespace System.Security.Cryptography.X509Certificates {
 		} 

 		public DateTime NotAfter {
-			get { return Impl.GetValidUntil ().ToLocalTime (); }
+			get { return Impl.NotAfter.ToLocalTime (); }
 		}

 		public DateTime NotBefore {
-			get { return Impl.GetValidFrom ().ToLocalTime (); }
+			get { return Impl.NotBefore.ToLocalTime (); }
 		}

 		public AsymmetricAlgorithm PrivateKey {
@@ -220,14 +222,20 @@ namespace System.Security.Cryptography.X509Certificates {
 		[MonoTODO ("missing KeyStorageFlags support")]
 		public override void Import (byte[] rawData, string password, X509KeyStorageFlags keyStorageFlags)
 		{
-			var impl = X509Helper2.Import (rawData, password, keyStorageFlags);
-			ImportHandle (impl);
+			Reset ();
+			using (var handle = new SafePasswordHandle (password)) {
+				var impl = SystemDependencyProvider.Instance.CertificateProvider.Import (rawData, handle, keyStorageFlags);
+				ImportHandle (impl);
+			}
 		}

-		[MonoTODO ("SecureString is incomplete")]
 		public override void Import (byte[] rawData, SecureString password, X509KeyStorageFlags keyStorageFlags)
 		{
-			Import (rawData, (string) null, keyStorageFlags);
+			Reset ();
+			using (var handle = new SafePasswordHandle (password)) {
+				var impl = SystemDependencyProvider.Instance.CertificateProvider.Import (rawData, handle, keyStorageFlags);
+				ImportHandle (impl);
+			}
 		}

 		public override void Import (string fileName) 
@@ -247,13 +255,16 @@ namespace System.Security.Cryptography.X509Certificates {
 		public override void Import (string fileName, SecureString password, X509KeyStorageFlags keyStorageFlags) 
 		{
 			byte[] rawData = File.ReadAllBytes (fileName);
-			Import (rawData, (string)null, keyStorageFlags);
+			Import (rawData, password, keyStorageFlags);
 		}

 		[MonoTODO ("X509ContentType.SerializedCert is not supported")]
 		public override byte[] Export (X509ContentType contentType, string password)
 		{
-			return Impl.Export (contentType, password);
+			X509Helper.ThrowIfContextInvalid (Impl);
+			using (var handle = new SafePasswordHandle (password)) {
+				return Impl.Export (contentType, handle);
+			}
 		}

 		public override void Reset () 
@@ -328,49 +339,43 @@ namespace System.Security.Cryptography.X509Certificates {

 		private static byte[] signedData = new byte[] { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02 };

-		[MonoTODO ("Detection limited to Cert, Pfx, Pkcs12, Pkcs7 and Unknown")]
+		[MonoTODO ("Detection limited to Cert, Pfx/Pkcs12, Pkcs7 and Unknown")]
 		public static X509ContentType GetCertContentType (byte[] rawData)
 		{
 			if ((rawData == null) || (rawData.Length == 0))
 				throw new ArgumentException ("rawData");

-			X509ContentType type = X509ContentType.Unknown;
-			try {
-				ASN1 data = new ASN1 (rawData);
-				if (data.Tag != 0x30) {
-					string msg = Locale.GetText ("Unable to decode certificate.");
-					throw new CryptographicException (msg);
-				}
+			if (rawData[0] == 0x30) {
+				// ASN.1 SEQUENCE
+				try {
+					ASN1 data = new ASN1 (rawData);

-				if (data.Count == 0)
-					return type;
+					// SEQUENCE / SEQUENCE / BITSTRING
+					if (data.Count == 3 && data [0].Tag == 0x30 && data [1].Tag == 0x30 && data [2].Tag == 0x03)
+						return X509ContentType.Cert;

-				if (data.Count == 3) {
-					switch (data [0].Tag) {
-					case 0x30:
-						// SEQUENCE / SEQUENCE / BITSTRING
-						if ((data [1].Tag == 0x30) && (data [2].Tag == 0x03))
-							type = X509ContentType.Cert;
-						break;
-					case 0x02:
-						// INTEGER / SEQUENCE / SEQUENCE
-						if ((data [1].Tag == 0x30) && (data [2].Tag == 0x30))
-							type = X509ContentType.Pkcs12;
-						// note: Pfx == Pkcs12
-						break;
-					}
+					// INTEGER / SEQUENCE / SEQUENCE
+					if (data.Count == 3 && data [0].Tag == 0x02 && data [1].Tag == 0x30 && data [2].Tag == 0x30)
+						return X509ContentType.Pkcs12; // note: Pfx == Pkcs12
+
+					// check for PKCS#7 (count unknown but greater than 0)
+					// SEQUENCE / OID (signedData)
+					if (data.Count > 0 && data [0].Tag == 0x06 && data [0].CompareValue (signedData))
+						return X509ContentType.Pkcs7;
+					
+					return X509ContentType.Unknown;
 				}
-				// check for PKCS#7 (count unknown but greater than 0)
-				// SEQUENCE / OID (signedData)
-				if ((data [0].Tag == 0x06) && data [0].CompareValue (signedData))
-					type = X509ContentType.Pkcs7;
-			}
-			catch (Exception e) {
-				string msg = Locale.GetText ("Unable to decode certificate.");
-				throw new CryptographicException (msg, e);
+				catch (Exception) {
+					return X509ContentType.Unknown;
+				}
+			} else {
+				string pem = Encoding.ASCII.GetString (rawData);
+				int start = pem.IndexOf ("-----BEGIN CERTIFICATE-----");
+				if (start >= 0)
+					return X509ContentType.Cert;
 			}

-			return type;
+			return X509ContentType.Unknown;
 		}

 		[MonoTODO ("Detection limited to Cert, Pfx, Pkcs12 and Unknown")]
--- a/mcs/class/System/System.Security.Cryptography.X509Certificates/X509Certificate2Collection.cs
+++ b/mcs/class/System/System.Security.Cryptography.X509Certificates/X509Certificate2Collection.cs
@@ -33,6 +33,7 @@

 using System.Collections;
 using System.Globalization;
+using Mono.Security;

 namespace System.Security.Cryptography.X509Certificates {

@@ -146,6 +147,17 @@ namespace System.Security.Cryptography.X509Certificates {

 		static string[] newline_split = new string[] { Environment.NewLine };
 		
+		private string GetKeyIdentifier (X509Certificate2 x) 
+		{
+			// if present in certificate return value of the SubjectKeyIdentifier
+			X509SubjectKeyIdentifierExtension ski = (x.Extensions ["2.5.29.14"] as X509SubjectKeyIdentifierExtension);
+			if (ski == null) {
+				// if not then we must calculate the SubjectKeyIdentifier ourselve
+				ski = new X509SubjectKeyIdentifierExtension (x.PublicKey, X509SubjectKeyIdentifierHashAlgorithm.CapiSha1, false);
+			}
+			return ski.SubjectKeyIdentifier;
+		}
+
 		[MonoTODO ("Does not support X509FindType.FindByTemplateName, FindByApplicationPolicy and FindByCertificatePolicy")]
 		public X509Certificate2Collection Find (X509FindType findType, object findValue, bool validOnly) 
 		{
@@ -261,10 +273,7 @@ namespace System.Security.Cryptography.X509Certificates {
 					// TODO - find a valid test case
 					break;
 				case X509FindType.FindBySubjectKeyIdentifier:
-					X509SubjectKeyIdentifierExtension ski = (x.Extensions ["2.5.29.14"] as X509SubjectKeyIdentifierExtension);
-					if (ski != null) {
-						value_match = (String.Compare (str, ski.SubjectKeyIdentifier, true, cinv) == 0);
-					}
+					value_match = (String.Compare (str, GetKeyIdentifier (x), true, cinv) == 0);
 					break;
 				case X509FindType.FindByApplicationPolicy:
 					// note: include when no extensions are present (even if v3)
--- a/mcs/class/System/System.Security.Cryptography.X509Certificates/X509Certificate2Impl.cs
+++ b/mcs/class/System/System.Security.Cryptography.X509Certificates/X509Certificate2Impl.cs
@@ -25,12 +25,12 @@
 // OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
 // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 //
+using Microsoft.Win32.SafeHandles;
+
 namespace System.Security.Cryptography.X509Certificates
 {
 	internal abstract class X509Certificate2Impl : X509CertificateImpl
 	{
-#if SECURITY_DEP
-
 		public abstract bool Archived {
 			get; set;
 		}
@@ -77,14 +77,10 @@ namespace System.Security.Cryptography.X509Certificates

 		public abstract string GetNameInfo (X509NameType nameType, bool forIssuer);

-		public abstract void Import (byte[] rawData, string password, X509KeyStorageFlags keyStorageFlags);
-
-		public abstract byte[] Export (X509ContentType contentType, string password);
+		public abstract void Import (byte[] rawData, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags);

 		public abstract bool Verify (X509Certificate2 thisCertificate);

 		public abstract void Reset ();
-
-#endif
 	}
 }
--- a/mcs/class/System/System.Security.Cryptography.X509Certificates/X509Certificate2ImplMono.cs
+++ b/mcs/class/System/System.Security.Cryptography.X509Certificates/X509Certificate2ImplMono.cs
@@ -29,8 +29,6 @@
 // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 //

-#if SECURITY_DEP
-
 #if MONO_SECURITY_ALIAS
 extern alias MonoSecurity;
 using MonoSecurity::Mono.Security;
@@ -45,6 +43,8 @@ using MX = Mono.Security.X509;
 using System.IO;
 using System.Text;
 using System.Collections;
+using System.Runtime.InteropServices;
+using Microsoft.Win32.SafeHandles;

 namespace System.Security.Cryptography.X509Certificates
 {
@@ -77,7 +77,7 @@ namespace System.Security.Cryptography.X509Certificates
 			return IntPtr.Zero;
 		}

-		X509Certificate2ImplMono (MX.X509Certificate cert)
+		public X509Certificate2ImplMono (MX.X509Certificate cert)
 		{
 			this._cert = cert;
 		}
@@ -95,50 +95,37 @@ namespace System.Security.Cryptography.X509Certificates
 			return new X509Certificate2ImplMono (this);
 		}

-#region Implemented X509CertificateImpl members
-
-		public override string GetIssuerName (bool legacyV1Mode)
-		{
-			ThrowIfContextInvalid ();
-			if (legacyV1Mode)
-				return _cert.IssuerName;
-			else
-				return MX.X501.ToString (_cert.GetIssuerName (), true, ", ", true);
+		MX.X509Certificate Cert {
+			get {
+				ThrowIfContextInvalid ();
+				return _cert;
+			}
 		}

-		public override string GetSubjectName (bool legacyV1Mode)
-		{
-			ThrowIfContextInvalid ();
-			if (legacyV1Mode)
-				return _cert.SubjectName;
-			else
-				return MX.X501.ToString (_cert.GetSubjectName (), true, ", ", true);
+
+		#region Implemented X509CertificateImpl members
+
+		public override string Issuer => MX.X501.ToString (Cert.GetIssuerName (), true, ", ", true);
+
+		public override string Subject => MX.X501.ToString (Cert.GetSubjectName (), true, ", ", true);
+
+		public override string LegacyIssuer => Cert.IssuerName;
+
+		public override string LegacySubject => Cert.SubjectName;
+
+		public override byte[] RawData => Cert.RawData;
+
+		public override byte[] Thumbprint {
+			get {
+				ThrowIfContextInvalid ();
+				SHA1 sha = SHA1.Create ();
+				return sha.ComputeHash (_cert.RawData);
+			}
 		}

-		public override byte[] GetRawCertData ()
-		{
-			ThrowIfContextInvalid ();
-			return _cert.RawData;
-		}
+		public override DateTime NotBefore => Cert.ValidFrom.ToLocalTime ();

-		protected override byte[] GetCertHash (bool lazy)
-		{
-			ThrowIfContextInvalid ();
-			SHA1 sha = SHA1.Create ();
-			return sha.ComputeHash (_cert.RawData);
-		}
-
-		public override DateTime GetValidFrom ()
-		{
-			ThrowIfContextInvalid ();
-			return _cert.ValidFrom;
-		}
-
-		public override DateTime GetValidUntil ()
-		{
-			ThrowIfContextInvalid ();
-			return _cert.ValidUntil;
-		}
+		public override DateTime NotAfter => Cert.ValidUntil.ToLocalTime ();

 		public override bool Equals (X509CertificateImpl other, out bool result)
 		{
@@ -147,46 +134,18 @@ namespace System.Security.Cryptography.X509Certificates
 			return false;
 		}

-		public override string GetKeyAlgorithm () 
-		{
-			ThrowIfContextInvalid ();
-			return _cert.KeyAlgorithm;
-		}
+		public override string KeyAlgorithm => Cert.KeyAlgorithm;

-		public override byte[] GetKeyAlgorithmParameters () 
-		{
-			ThrowIfContextInvalid ();
-			return _cert.KeyAlgorithmParameters;
-		}
+		public override byte[] KeyAlgorithmParameters => Cert.KeyAlgorithmParameters ?? throw new CryptographicException ();

-		public override byte[] GetPublicKey ()
-		{
-			ThrowIfContextInvalid ();
-			return _cert.PublicKey;
-		}
+		public override byte[] PublicKeyValue => Cert.PublicKey;

-		public override byte[] GetSerialNumber ()
-		{
-			ThrowIfContextInvalid ();
-			return _cert.SerialNumber;
-		}
-
-		public override byte[] Export (X509ContentType contentType, byte[] password)
-		{
-			ThrowIfContextInvalid ();
-
-			switch (contentType) {
-			case X509ContentType.Cert:
-				return GetRawCertData ();
-			case X509ContentType.Pfx: // this includes Pkcs12
-				// TODO
-				throw new NotSupportedException ();
-			case X509ContentType.SerializedCert:
-				// TODO
-				throw new NotSupportedException ();
-			default:
-				string msg = Locale.GetText ("This certificate format '{0}' cannot be exported.", contentType);
-				throw new CryptographicException (msg);
+		public override byte[] SerialNumber {
+			get {
+				ThrowIfContextInvalid ();
+				var serial = Cert.SerialNumber;
+				Array.Reverse (serial);
+				return serial;
 			}
 		}

@@ -237,7 +196,7 @@ namespace System.Security.Cryptography.X509Certificates
 					issuer_name = new X500DistinguishedName (_cert.GetIssuerName ().GetBytes ());
 				return issuer_name;
 			}
-		} 
+		}

 		public override AsymmetricAlgorithm PrivateKey {
 			get {
@@ -248,25 +207,24 @@ namespace System.Security.Cryptography.X509Certificates
 						if (rcsp.PublicOnly)
 							return null;
 						var key = new RSACryptoServiceProvider ();
-						key.ImportParameters (_cert.RSA.ExportParameters(true));
+						key.ImportParameters (_cert.RSA.ExportParameters (true));
 						return key;
 					}
 					if (_cert.RSA is RSAManaged rsam) {
 						if (rsam.PublicOnly)
 							return null;
 						var key = new RSAManaged ();
-						key.ImportParameters (_cert.RSA.ExportParameters(true));
+						key.ImportParameters (_cert.RSA.ExportParameters (true));
 						return key;
 					}
 					if (_cert.DSA is DSACryptoServiceProvider dcsp) {
 						if (dcsp.PublicOnly)
 							return null;
-						var key = new DSACryptoServiceProvider();
-						key.ImportParameters(_cert.DSA.ExportParameters(true));
+						var key = new DSACryptoServiceProvider ();
+						key.ImportParameters (_cert.DSA.ExportParameters (true));
 						return key;
 					}
-				}
-				catch {
+				} catch {
 				}
 				return null;
 			}
@@ -279,25 +237,24 @@ namespace System.Security.Cryptography.X509Certificates
 				if (value == null) {
 					_cert.RSA = null;
 					_cert.DSA = null;
-				} else 	if (value is RSA)
-					_cert.RSA = (RSA) value;
+				} else if (value is RSA)
+					_cert.RSA = (RSA)value;
 				else if (value is DSA)
-					_cert.DSA = (DSA) value;
+					_cert.DSA = (DSA)value;
 				else
 					throw new NotSupportedException ();
 			}
-		} 
+		}

 		public override PublicKey PublicKey {
-			get { 
+			get {
 				if (_cert == null)
 					throw new CryptographicException (empty_error);

 				if (_publicKey == null) {
 					try {
 						_publicKey = new PublicKey (_cert);
-					}
-					catch (Exception e) {
+					} catch (Exception e) {
 						string msg = Locale.GetText ("Unable to decode public key.");
 						throw new CryptographicException (msg, e);
 					}
@@ -315,7 +272,7 @@ namespace System.Security.Cryptography.X509Certificates
 					signature_algorithm = new Oid (_cert.SignatureAlgorithm);
 				return signature_algorithm;
 			}
-		} 
+		}

 		public override X500DistinguishedName SubjectName {
 			get {
@@ -326,7 +283,7 @@ namespace System.Security.Cryptography.X509Certificates
 					subject_name = new X500DistinguishedName (_cert.GetSubjectName ().GetBytes ());
 				return subject_name;
 			}
-		} 
+		}

 		public override int Version {
 			get {
@@ -339,7 +296,7 @@ namespace System.Security.Cryptography.X509Certificates
 		// methods

 		[MonoTODO ("always return String.Empty for UpnName, DnsFromAlternativeName and UrlName")]
-		public override string GetNameInfo (X509NameType nameType, bool forIssuer) 
+		public override string GetNameInfo (X509NameType nameType, bool forIssuer)
 		{
 			switch (nameType) {
 			case X509NameType.SimpleName:
@@ -352,10 +309,10 @@ namespace System.Security.Cryptography.X509Certificates
 					return GetValueAsString (dn);
 				if (sn.Count == 0)
 					return String.Empty;
-				ASN1 last_entry = sn [sn.Count - 1];
+				ASN1 last_entry = sn[sn.Count - 1];
 				if (last_entry.Count == 0)
 					return String.Empty;
-				return GetValueAsString (last_entry [0]);
+				return GetValueAsString (last_entry[0]);
 			case X509NameType.EmailName:
 				// return the E= part of the DN (if present)
 				ASN1 e = Find (email, forIssuer ? _cert.GetIssuerName () : _cert.GetSubjectName ());
@@ -392,13 +349,13 @@ namespace System.Security.Cryptography.X509Certificates

 			// process SET
 			for (int i = 0; i < dn.Count; i++) {
-				ASN1 set = dn [i];
+				ASN1 set = dn[i];
 				for (int j = 0; j < set.Count; j++) {
-					ASN1 pair = set [j];
+					ASN1 pair = set[j];
 					if (pair.Count != 2)
 						continue;

-					ASN1 poid = pair [0];
+					ASN1 poid = pair[0];
 					if (poid == null)
 						continue;

@@ -414,7 +371,7 @@ namespace System.Security.Cryptography.X509Certificates
 			if (pair.Count != 2)
 				return String.Empty;

-			ASN1 value = pair [1];
+			ASN1 value = pair[1];
 			if ((value.Value == null) || (value.Length == 0))
 				return String.Empty;

@@ -422,14 +379,22 @@ namespace System.Security.Cryptography.X509Certificates
 				// BMPSTRING
 				StringBuilder sb = new StringBuilder ();
 				for (int j = 1; j < value.Value.Length; j += 2)
-					sb.Append ((char)value.Value [j]);
+					sb.Append ((char)value.Value[j]);
 				return sb.ToString ();
 			} else {
 				return Encoding.UTF8.GetString (value.Value);
 			}
 		}

-		private MX.X509Certificate ImportPkcs12 (byte[] rawData, string password)
+		MX.X509Certificate ImportPkcs12 (byte[] rawData, SafePasswordHandle password)
+		{
+			if (password == null || password.IsInvalid)
+				return ImportPkcs12 (rawData, (string)null);
+			var passwordString = password.Mono_DangerousGetString ();
+			return ImportPkcs12 (rawData, passwordString);
+		}
+
+		MX.X509Certificate ImportPkcs12 (byte[] rawData, string password)
 		{
 			MX.PKCS12 pfx = null;
 			if (string.IsNullOrEmpty (password)) {
@@ -482,40 +447,28 @@ namespace System.Security.Cryptography.X509Certificates
 		}

 		[MonoTODO ("missing KeyStorageFlags support")]
-		public override void Import (byte[] rawData, string password, X509KeyStorageFlags keyStorageFlags)
+		public override void Import (byte[] rawData, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
 		{
 			Reset ();
-			MX.X509Certificate cert = null;
-			if (password == null) {
-				try {
-					cert = new MX.X509Certificate (rawData);
-				}
-				catch (Exception e) {
-					try {
-						cert = ImportPkcs12 (rawData, null);
-					}
-					catch {
-						string msg = Locale.GetText ("Unable to decode certificate.");
-						// inner exception is the original (not second) exception
-						throw new CryptographicException (msg, e);
-					}
-				}
-			} else {
-				// try PKCS#12
-				try {
-					cert = ImportPkcs12 (rawData, password);
-				}
-				catch {
-					// it's possible to supply a (unrequired/unusued) password
-					// fix bug #79028
-					cert = new MX.X509Certificate (rawData);
-				}
+
+			switch (X509Certificate2.GetCertContentType (rawData)) {
+				case X509ContentType.Pkcs12:
+					_cert = ImportPkcs12 (rawData, password);
+					break;
+
+				case X509ContentType.Cert:
+				case X509ContentType.Pkcs7:
+					_cert = new MX.X509Certificate (rawData);
+					break;
+
+				default:
+					string msg = Locale.GetText ("Unable to decode certificate.");
+					throw new CryptographicException (msg);
 			}
-			_cert = cert;
 		}

 		[MonoTODO ("X509ContentType.SerializedCert is not supported")]
-		public override byte[] Export (X509ContentType contentType, string password)
+		public override byte[] Export (X509ContentType contentType, SafePasswordHandle password)
 		{
 			if (_cert == null)
 				throw new CryptographicException (empty_error);
@@ -534,6 +487,14 @@ namespace System.Security.Cryptography.X509Certificates
 			}
 		}

+		byte[] ExportPkcs12 (SafePasswordHandle password)
+		{
+			if (password == null || password.IsInvalid)
+				return ExportPkcs12 ((string)null);
+			var passwordString = password.Mono_DangerousGetString ();
+			return ExportPkcs12 (passwordString);
+		}
+
 		byte[] ExportPkcs12 (string password)
 		{
 			var pfx = new MX.PKCS12 ();
@@ -570,71 +531,6 @@ namespace System.Security.Cryptography.X509Certificates
 			}
 		}

-		public override string ToString ()
-		{
-			if (_cert == null)
-				return "System.Security.Cryptography.X509Certificates.X509Certificate2";
-
-			return ToString (true);
-		}
-
-		public override string ToString (bool verbose)
-		{
-			if (_cert == null)
-				return "System.Security.Cryptography.X509Certificates.X509Certificate2";
-
-			string nl = Environment.NewLine;
-			StringBuilder sb = new StringBuilder ();
-
-			// the non-verbose X509Certificate2 == verbose X509Certificate
-			if (!verbose) {
-				sb.AppendFormat ("[Subject]{0}  {1}{0}{0}", nl, GetSubjectName (false));
-				sb.AppendFormat ("[Issuer]{0}  {1}{0}{0}", nl, GetIssuerName (false));
-				sb.AppendFormat ("[Not Before]{0}  {1}{0}{0}", nl, GetValidFrom ().ToLocalTime ());
-				sb.AppendFormat ("[Not After]{0}  {1}{0}{0}", nl, GetValidUntil ().ToLocalTime ());
-				sb.AppendFormat ("[Thumbprint]{0}  {1}{0}", nl, X509Helper.ToHexString (GetCertHash ()));
-				sb.Append (nl);
-				return sb.ToString ();
-			}
-
-			sb.AppendFormat ("[Version]{0}  V{1}{0}{0}", nl, Version);
-			sb.AppendFormat ("[Subject]{0}  {1}{0}{0}", nl, GetSubjectName (false));
-			sb.AppendFormat ("[Issuer]{0}  {1}{0}{0}", nl, GetIssuerName (false));
-			sb.AppendFormat ("[Serial Number]{0}  {1}{0}{0}", nl, GetSerialNumber ());
-			sb.AppendFormat ("[Not Before]{0}  {1}{0}{0}", nl, GetValidFrom ().ToLocalTime ());
-			sb.AppendFormat ("[Not After]{0}  {1}{0}{0}", nl, GetValidUntil ().ToLocalTime ());
-			sb.AppendFormat ("[Thumbprint]{0}  {1}{0}", nl, X509Helper.ToHexString (GetCertHash ()));
-			sb.AppendFormat ("[Signature Algorithm]{0}  {1}({2}){0}{0}", nl, SignatureAlgorithm.FriendlyName, 
-				SignatureAlgorithm.Value);
-
-			AsymmetricAlgorithm key = PublicKey.Key;
-			sb.AppendFormat ("[Public Key]{0}  Algorithm: ", nl);
-			if (key is RSA)
-				sb.Append ("RSA");
-			else if (key is DSA)
-				sb.Append ("DSA");
-			else
-				sb.Append (key.ToString ());
-			sb.AppendFormat ("{0}  Length: {1}{0}  Key Blob: ", nl, key.KeySize);
-			AppendBuffer (sb, PublicKey.EncodedKeyValue.RawData);
-			sb.AppendFormat ("{0}  Parameters: ", nl);
-			AppendBuffer (sb, PublicKey.EncodedParameters.RawData);
-			sb.Append (nl);
-
-			return sb.ToString ();
-		}
-
-		private static void AppendBuffer (StringBuilder sb, byte[] buffer)
-		{
-			if (buffer == null)
-				return;
-			for (int i=0; i < buffer.Length; i++) {
-				sb.Append (buffer [i].ToString ("x2"));
-				if (i < buffer.Length - 1)
-					sb.Append (" ");
-			}
-		}
-
 		[MonoTODO ("by default this depends on the incomplete X509Chain")]
 		public override bool Verify (X509Certificate2 thisCertificate)
 		{
@@ -725,5 +621,3 @@ namespace System.Security.Cryptography.X509Certificates
 		}
 	}
 }
-
-#endif
--- a/mcs/class/System/System.Security.Cryptography.X509Certificates/X509Helper2.cs
+++ b/mcs/class/System/System.Security.Cryptography.X509Certificates/X509Helper2.cs
@@ -26,143 +26,28 @@
 // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 //

-#if SECURITY_DEP
 #if MONO_SECURITY_ALIAS
 extern alias MonoSecurity;
 #endif

 #if MONO_SECURITY_ALIAS
-using MonoSecurity::Mono.Security.Interface;
 using MX = MonoSecurity::Mono.Security.X509;
 #else
-#if MONO_FEATURE_BTLS
-using Mono.Security.Interface;
-#endif
 using MX = Mono.Security.X509;
 #endif

 #if MONO_FEATURE_BTLS
 using Mono.Btls;
 #endif
-#endif

 using System.IO;
 using System.Text;
+using Mono;

 namespace System.Security.Cryptography.X509Certificates
 {
 	internal static class X509Helper2
 	{
-		internal static long GetSubjectNameHash (X509Certificate certificate)
-		{
-			return GetSubjectNameHash (certificate.Impl);
-		}
-
-		internal static long GetSubjectNameHash (X509CertificateImpl impl)
-		{
-#if SECURITY_DEP
-			using (var x509 = GetNativeInstance (impl))
-				return GetSubjectNameHash (x509);
-#else
-			throw new NotSupportedException ();
-#endif
-		}
-
-		internal static void ExportAsPEM (X509Certificate certificate, Stream stream, bool includeHumanReadableForm)
-		{
-			ExportAsPEM (certificate.Impl, stream, includeHumanReadableForm);
-		}
-
-		internal static void ExportAsPEM (X509CertificateImpl impl, Stream stream, bool includeHumanReadableForm)
-		{
-#if SECURITY_DEP
-			using (var x509 = GetNativeInstance (impl))
-				ExportAsPEM (x509, stream, includeHumanReadableForm);
-#else
-			throw new NotSupportedException ();
-#endif
-		}
-
-#if SECURITY_DEP
-		internal static void Initialize ()
-		{
-			X509Helper.InstallNativeHelper (new MyNativeHelper ());
-		}
-
-		internal static void ThrowIfContextInvalid (X509CertificateImpl impl)
-		{
-			X509Helper.ThrowIfContextInvalid (impl);
-		}
-
-#if !MONO_FEATURE_BTLS
-		static X509Certificate GetNativeInstance (X509CertificateImpl impl)
-		{
-			throw new PlatformNotSupportedException ();
-		}
-#else
-		static MonoBtlsX509 GetNativeInstance (X509CertificateImpl impl)
-		{
-			ThrowIfContextInvalid (impl);
-			var btlsImpl = impl as X509CertificateImplBtls;
-			if (btlsImpl != null)
-				return btlsImpl.X509.Copy ();
-			else
-				return MonoBtlsX509.LoadFromData (impl.GetRawCertData (), MonoBtlsX509Format.DER);
-		}
-
-		internal static long GetSubjectNameHash (MonoBtlsX509 x509)
-		{
-			using (var subject = x509.GetSubjectName ())
-				return subject.GetHash ();
-		}
-
-		internal static void ExportAsPEM (MonoBtlsX509 x509, Stream stream, bool includeHumanReadableForm)
-		{
-			using (var bio = MonoBtlsBio.CreateMonoStream (stream)) {
-				x509.ExportAsPEM (bio, includeHumanReadableForm);
-			}
-		}
-#endif // !MONO_FEATURE_BTLS
-
-		internal static X509Certificate2Impl Import (byte[] rawData, string password, X509KeyStorageFlags keyStorageFlags, bool disableProvider = false)
-		{
-			if (rawData == null || rawData.Length == 0)
-				return null;
-
-#if MONO_FEATURE_BTLS
-			if (!disableProvider) {
-				var provider = MonoTlsProviderFactory.GetProvider ();
-				if (provider.HasNativeCertificates) {
-					var impl = provider.GetNativeCertificate (rawData, password, keyStorageFlags);
-					return impl;
-				}
-			}
-#endif // MONO_FEATURE_BTLS
-			var impl2 = new X509Certificate2ImplMono ();
-			impl2.Import (rawData, password, keyStorageFlags);
-			return impl2;
-		}
-
-		internal static X509Certificate2Impl Import (X509Certificate cert, bool disableProvider = false)
-		{
-			if (cert.Impl == null)
-				return null;
-
-#if MONO_FEATURE_BTLS
-			if (!disableProvider) {
-				var provider = MonoTlsProviderFactory.GetProvider ();
-				if (provider.HasNativeCertificates) {
-					var impl = provider.GetNativeCertificate (cert);
-					return impl;
-				}
-			}
-#endif // MONO_FEATURE_BTLS
-			var impl2 = cert.Impl as X509Certificate2Impl;
-			if (impl2 != null)
-				return (X509Certificate2Impl)impl2.Clone ();
-			return Import (cert.GetRawCertData (), null, X509KeyStorageFlags.DefaultKeySet);
-		}
-
 		/*
 		 * This is used by X509ChainImplMono
 		 * 
@@ -175,13 +60,15 @@ namespace System.Security.Cryptography.X509Certificates
 		[MonoTODO ("Investigate replacement; see comments in source.")]
 		internal static MX.X509Certificate GetMonoCertificate (X509Certificate2 certificate)
 		{
-			var impl2 = certificate.Impl as X509Certificate2Impl;
-			if (impl2 == null)
-				impl2 = Import (certificate, true);
-			var fallbackImpl = impl2.FallbackImpl as X509Certificate2ImplMono;
-			if (fallbackImpl == null)
-				throw new NotSupportedException ();
-			return fallbackImpl.MonoCertificate;
+			if (certificate.Impl is X509Certificate2ImplMono monoImpl)
+				return monoImpl.MonoCertificate;
+			if (certificate.Impl is X509Certificate2Impl impl2 && impl2.FallbackImpl is X509Certificate2ImplMono fallbackImpl)
+				return fallbackImpl.MonoCertificate;
+
+			var impl = SystemDependencyProvider.Instance.CertificateProvider.Import (certificate, CertificateImportFlags.DisableNativeBackend);
+			if (impl is X509Certificate2ImplMono fallbackImpl2)
+				return fallbackImpl2.MonoCertificate;
+			throw new NotSupportedException ();
 		}

 		internal static X509ChainImpl CreateChainImpl (bool useMachineContext)
@@ -205,18 +92,41 @@ namespace System.Security.Cryptography.X509Certificates
 			return new CryptographicException (Locale.GetText ("Chain instance is empty."));
 		}

-		class MyNativeHelper : INativeCertificateHelper
+		[Obsolete ("This is only used by Mono.Security's X509Store and will be replaced shortly.")]
+		internal static long GetSubjectNameHash (X509Certificate certificate)
 		{
-			public X509CertificateImpl Import (
-				byte[] data, string password, X509KeyStorageFlags flags)
-			{
-				return X509Helper2.Import (data, password, flags);
-			}
+#if MONO_FEATURE_BTLS
+			X509Helper.ThrowIfContextInvalid (certificate.Impl);
+			using (var x509 = GetNativeInstance (certificate.Impl))
+			using (var subject = x509.GetSubjectName ())
+				return subject.GetHash ();
+#else
+			throw new PlatformNotSupportedException ();
+#endif
+		}

-			public X509CertificateImpl Import (X509Certificate cert)
-			{
-				return X509Helper2.Import (cert);
-			}
+		[Obsolete ("This is only used by Mono.Security's X509Store and will be replaced shortly.")]
+		internal static void ExportAsPEM (X509Certificate certificate, Stream stream, bool includeHumanReadableForm)
+		{
+#if MONO_FEATURE_BTLS
+			X509Helper.ThrowIfContextInvalid (certificate.Impl);
+			using (var x509 = GetNativeInstance (certificate.Impl))
+			using (var bio = MonoBtlsBio.CreateMonoStream (stream))
+				x509.ExportAsPEM (bio, includeHumanReadableForm);
+#else
+			throw new PlatformNotSupportedException ();
+#endif
+		}
+
+#if MONO_FEATURE_BTLS
+		static MonoBtlsX509 GetNativeInstance (X509CertificateImpl impl)
+		{
+			X509Helper.ThrowIfContextInvalid (impl);
+			var btlsImpl = impl as X509CertificateImplBtls;
+			if (btlsImpl != null)
+				return btlsImpl.X509.Copy ();
+			else
+				return MonoBtlsX509.LoadFromData (impl.RawData, MonoBtlsX509Format.DER);
 		}
 #endif
 	}