270395db27
Former-commit-id: 8969ac411e933f8c8203fa18878df70bb80cfba4
451 lines
12 KiB
C#
451 lines
12 KiB
C#
//
|
|
// Certificate.cs: Implements the managed SecCertificate wrapper.
|
|
//
|
|
// Authors:
|
|
// Miguel de Icaza
|
|
// Sebastien Pouliot <sebastien@xamarin.com>
|
|
//
|
|
// Copyright 2010 Novell, Inc
|
|
// Copyright 2012-2013 Xamarin Inc.
|
|
//
|
|
// Permission is hereby granted, free of charge, to any person obtaining
|
|
// a copy of this software and associated documentation files (the
|
|
// "Software"), to deal in the Software without restriction, including
|
|
// without limitation the rights to use, copy, modify, merge, publish,
|
|
// distribute, sublicense, and/or sell copies of the Software, and to
|
|
// permit persons to whom the Software is furnished to do so, subject to
|
|
// the following conditions:
|
|
//
|
|
// The above copyright notice and this permission notice shall be
|
|
// included in all copies or substantial portions of the Software.
|
|
//
|
|
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
|
// EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
|
// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
|
// NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
|
// LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
|
// OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
|
// WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
|
//
|
|
|
|
#if SECURITY_DEP && MONO_FEATURE_APPLETLS
|
|
|
|
using System;
|
|
using System.Collections.Generic;
|
|
using System.Runtime.InteropServices;
|
|
using System.Security.Cryptography.X509Certificates;
|
|
using Mono.Net;
|
|
|
|
using ObjCRuntime;
|
|
|
|
namespace Mono.AppleTls {
|
|
|
|
partial class SecCertificate : INativeObject, IDisposable {
|
|
internal IntPtr handle;
|
|
|
|
internal SecCertificate (IntPtr handle, bool owns = false)
|
|
{
|
|
if (handle == IntPtr.Zero)
|
|
throw new Exception ("Invalid handle");
|
|
|
|
this.handle = handle;
|
|
if (!owns)
|
|
CFObject.CFRetain (handle);
|
|
}
|
|
|
|
[DllImport (AppleTlsContext.SecurityLibrary, EntryPoint="SecCertificateGetTypeID")]
|
|
public extern static IntPtr GetTypeID ();
|
|
|
|
[DllImport (AppleTlsContext.SecurityLibrary)]
|
|
extern static IntPtr SecCertificateCreateWithData (IntPtr allocator, IntPtr cfData);
|
|
|
|
public SecCertificate (X509Certificate certificate)
|
|
{
|
|
if (certificate == null)
|
|
throw new ArgumentNullException ("certificate");
|
|
|
|
handle = certificate.Impl.GetNativeAppleCertificate ();
|
|
if (handle != IntPtr.Zero) {
|
|
CFObject.CFRetain (handle);
|
|
return;
|
|
}
|
|
|
|
using (CFData cert = CFData.FromData (certificate.GetRawCertData ())) {
|
|
Initialize (cert);
|
|
}
|
|
}
|
|
|
|
internal SecCertificate (X509CertificateImpl impl)
|
|
{
|
|
handle = impl.GetNativeAppleCertificate ();
|
|
if (handle != IntPtr.Zero) {
|
|
CFObject.CFRetain (handle);
|
|
return;
|
|
}
|
|
|
|
using (CFData cert = CFData.FromData (impl.GetRawCertData ())) {
|
|
Initialize (cert);
|
|
}
|
|
}
|
|
|
|
void Initialize (CFData data)
|
|
{
|
|
handle = SecCertificateCreateWithData (IntPtr.Zero, data.Handle);
|
|
if (handle == IntPtr.Zero)
|
|
throw new ArgumentException ("Not a valid DER-encoded X.509 certificate");
|
|
}
|
|
|
|
[DllImport (AppleTlsContext.SecurityLibrary)]
|
|
extern static IntPtr SecCertificateCopySubjectSummary (IntPtr cert);
|
|
|
|
public string SubjectSummary {
|
|
get {
|
|
if (handle == IntPtr.Zero)
|
|
throw new ObjectDisposedException ("SecCertificate");
|
|
|
|
IntPtr subjectSummaryHandle = IntPtr.Zero;
|
|
try {
|
|
subjectSummaryHandle = SecCertificateCopySubjectSummary (handle);
|
|
CFString subjectSummary = CFString.AsString (subjectSummaryHandle);
|
|
return subjectSummary;
|
|
}
|
|
finally {
|
|
if (subjectSummaryHandle != IntPtr.Zero)
|
|
CFObject.CFRelease (subjectSummaryHandle);
|
|
}
|
|
}
|
|
}
|
|
|
|
[DllImport (AppleTlsContext.SecurityLibrary)]
|
|
extern static /* CFDataRef */ IntPtr SecCertificateCopyData (/* SecCertificateRef */ IntPtr cert);
|
|
|
|
public CFData DerData {
|
|
get {
|
|
if (handle == IntPtr.Zero)
|
|
throw new ObjectDisposedException ("SecCertificate");
|
|
|
|
IntPtr data = SecCertificateCopyData (handle);
|
|
if (data == IntPtr.Zero)
|
|
throw new ArgumentException ("Not a valid certificate");
|
|
return new CFData (data, true);
|
|
}
|
|
}
|
|
|
|
public X509Certificate ToX509Certificate ()
|
|
{
|
|
if (handle == IntPtr.Zero)
|
|
throw new ObjectDisposedException ("SecCertificate");
|
|
|
|
return new X509Certificate (handle);
|
|
}
|
|
|
|
internal static bool Equals (SecCertificate first, SecCertificate second)
|
|
{
|
|
/*
|
|
* This is a little bit expensive, but unfortunately there is no better API to compare two
|
|
* SecCertificateRef's for equality.
|
|
*/
|
|
if (first == null)
|
|
throw new ArgumentNullException ("first");
|
|
if (second == null)
|
|
throw new ArgumentNullException ("second");
|
|
if (first.Handle == second.Handle)
|
|
return true;
|
|
|
|
using (var firstData = first.DerData)
|
|
using (var secondData = second.DerData) {
|
|
if (firstData.Handle == secondData.Handle)
|
|
return true;
|
|
|
|
if (firstData.Length != secondData.Length)
|
|
return false;
|
|
IntPtr length = (IntPtr)firstData.Length;
|
|
for (long i = 0; i < (long)length; i++) {
|
|
if (firstData [i] != secondData [i])
|
|
return false;
|
|
}
|
|
|
|
return true;
|
|
}
|
|
}
|
|
|
|
~SecCertificate ()
|
|
{
|
|
Dispose (false);
|
|
}
|
|
|
|
public IntPtr Handle {
|
|
get {
|
|
return handle;
|
|
}
|
|
}
|
|
|
|
public void Dispose ()
|
|
{
|
|
Dispose (true);
|
|
GC.SuppressFinalize (this);
|
|
}
|
|
|
|
protected virtual void Dispose (bool disposing)
|
|
{
|
|
if (handle != IntPtr.Zero){
|
|
CFObject.CFRelease (handle);
|
|
handle = IntPtr.Zero;
|
|
}
|
|
}
|
|
}
|
|
|
|
partial class SecIdentity : INativeObject, IDisposable {
|
|
|
|
static readonly CFString ImportExportPassphase;
|
|
static readonly CFString ImportItemIdentity;
|
|
static readonly CFString ImportExportAccess;
|
|
static readonly CFString ImportExportKeychain;
|
|
|
|
static SecIdentity ()
|
|
{
|
|
var handle = CFObject.dlopen (AppleTlsContext.SecurityLibrary, 0);
|
|
if (handle == IntPtr.Zero)
|
|
return;
|
|
|
|
try {
|
|
ImportExportPassphase = CFObject.GetStringConstant (handle, "kSecImportExportPassphrase");
|
|
ImportItemIdentity = CFObject.GetStringConstant (handle, "kSecImportItemIdentity");
|
|
ImportExportAccess = CFObject.GetStringConstant (handle, "kSecImportExportAccess");
|
|
ImportExportKeychain = CFObject.GetStringConstant (handle, "kSecImportExportKeychain");
|
|
} finally {
|
|
CFObject.dlclose (handle);
|
|
}
|
|
}
|
|
|
|
internal IntPtr handle;
|
|
|
|
internal SecIdentity (IntPtr handle, bool owns = false)
|
|
{
|
|
this.handle = handle;
|
|
if (!owns)
|
|
CFObject.CFRetain (handle);
|
|
}
|
|
|
|
[DllImport (AppleTlsContext.SecurityLibrary, EntryPoint="SecIdentityGetTypeID")]
|
|
public extern static IntPtr GetTypeID ();
|
|
|
|
[DllImport (AppleTlsContext.SecurityLibrary)]
|
|
extern static /* OSStatus */ SecStatusCode SecIdentityCopyCertificate (/* SecIdentityRef */ IntPtr identityRef, /* SecCertificateRef* */ out IntPtr certificateRef);
|
|
|
|
public SecCertificate Certificate {
|
|
get {
|
|
if (handle == IntPtr.Zero)
|
|
throw new ObjectDisposedException ("SecIdentity");
|
|
IntPtr cert;
|
|
SecStatusCode result = SecIdentityCopyCertificate (handle, out cert);
|
|
if (result != SecStatusCode.Success)
|
|
throw new InvalidOperationException (result.ToString ());
|
|
return new SecCertificate (cert, true);
|
|
}
|
|
}
|
|
|
|
internal class ImportOptions
|
|
{
|
|
#if !MONOTOUCH
|
|
public SecAccess Access {
|
|
get; set;
|
|
}
|
|
public SecKeyChain KeyChain {
|
|
get; set;
|
|
}
|
|
#endif
|
|
}
|
|
|
|
static CFDictionary CreateImportOptions (CFString password, ImportOptions options = null)
|
|
{
|
|
if (options == null)
|
|
return CFDictionary.FromObjectAndKey (password.Handle, ImportExportPassphase.Handle);
|
|
|
|
var items = new List<Tuple<IntPtr, IntPtr>> ();
|
|
items.Add (new Tuple<IntPtr, IntPtr> (ImportExportPassphase.Handle, password.Handle));
|
|
|
|
#if !MONOTOUCH
|
|
if (options.KeyChain != null)
|
|
items.Add (new Tuple<IntPtr, IntPtr> (ImportExportKeychain.Handle, options.KeyChain.Handle));
|
|
if (options.Access != null)
|
|
items.Add (new Tuple<IntPtr, IntPtr> (ImportExportAccess.Handle, options.Access.Handle));
|
|
#endif
|
|
|
|
return CFDictionary.FromKeysAndObjects (items);
|
|
}
|
|
|
|
public static SecIdentity Import (byte[] data, string password, ImportOptions options = null)
|
|
{
|
|
if (data == null)
|
|
throw new ArgumentNullException ("data");
|
|
if (string.IsNullOrEmpty (password)) // SecPKCS12Import() doesn't allow empty passwords.
|
|
throw new ArgumentException ("password");
|
|
using (var pwstring = CFString.Create (password))
|
|
using (var optionDict = CreateImportOptions (pwstring, options)) {
|
|
CFDictionary [] array;
|
|
SecStatusCode result = SecImportExport.ImportPkcs12 (data, optionDict, out array);
|
|
if (result != SecStatusCode.Success)
|
|
throw new InvalidOperationException (result.ToString ());
|
|
|
|
return new SecIdentity (array [0].GetValue (ImportItemIdentity.Handle));
|
|
}
|
|
}
|
|
|
|
public static SecIdentity Import (X509Certificate2 certificate, ImportOptions options = null)
|
|
{
|
|
if (certificate == null)
|
|
throw new ArgumentNullException ("certificate");
|
|
if (!certificate.HasPrivateKey)
|
|
throw new InvalidOperationException ("Need X509Certificate2 with a private key.");
|
|
|
|
/*
|
|
* SecPSK12Import does not allow any empty passwords, so let's generate
|
|
* a semi-random one here.
|
|
*/
|
|
var password = Guid.NewGuid ().ToString ();
|
|
var pkcs12 = certificate.Export (X509ContentType.Pfx, password);
|
|
return Import (pkcs12, password, options);
|
|
}
|
|
|
|
~SecIdentity ()
|
|
{
|
|
Dispose (false);
|
|
}
|
|
|
|
public IntPtr Handle {
|
|
get {
|
|
return handle;
|
|
}
|
|
}
|
|
|
|
public void Dispose ()
|
|
{
|
|
Dispose (true);
|
|
GC.SuppressFinalize (this);
|
|
}
|
|
|
|
protected virtual void Dispose (bool disposing)
|
|
{
|
|
if (handle != IntPtr.Zero){
|
|
CFObject.CFRelease (handle);
|
|
handle = IntPtr.Zero;
|
|
}
|
|
}
|
|
}
|
|
|
|
partial class SecKey : INativeObject, IDisposable {
|
|
internal IntPtr handle;
|
|
internal IntPtr owner;
|
|
|
|
public SecKey (IntPtr handle, bool owns = false)
|
|
{
|
|
this.handle = handle;
|
|
if (!owns)
|
|
CFObject.CFRetain (handle);
|
|
}
|
|
|
|
/*
|
|
* SecItemImport() returns a SecArrayRef. We need to free the array, not the items inside it.
|
|
*
|
|
*/
|
|
internal SecKey (IntPtr handle, IntPtr owner)
|
|
{
|
|
this.handle = handle;
|
|
this.owner = owner;
|
|
CFObject.CFRetain (owner);
|
|
}
|
|
|
|
[DllImport (AppleTlsContext.SecurityLibrary, EntryPoint="SecKeyGetTypeID")]
|
|
public extern static IntPtr GetTypeID ();
|
|
|
|
~SecKey ()
|
|
{
|
|
Dispose (false);
|
|
}
|
|
|
|
public IntPtr Handle {
|
|
get {
|
|
return handle;
|
|
}
|
|
}
|
|
|
|
public void Dispose ()
|
|
{
|
|
Dispose (true);
|
|
GC.SuppressFinalize (this);
|
|
}
|
|
|
|
protected virtual void Dispose (bool disposing)
|
|
{
|
|
if (owner != IntPtr.Zero) {
|
|
CFObject.CFRelease (owner);
|
|
owner = handle = IntPtr.Zero;
|
|
} else if (handle != IntPtr.Zero) {
|
|
CFObject.CFRelease (handle);
|
|
handle = IntPtr.Zero;
|
|
}
|
|
}
|
|
}
|
|
|
|
#if !MONOTOUCH
|
|
class SecAccess : INativeObject, IDisposable {
|
|
internal IntPtr handle;
|
|
|
|
public SecAccess (IntPtr handle, bool owns = false)
|
|
{
|
|
this.handle = handle;
|
|
if (!owns)
|
|
CFObject.CFRetain (handle);
|
|
}
|
|
|
|
~SecAccess ()
|
|
{
|
|
Dispose (false);
|
|
}
|
|
|
|
public IntPtr Handle {
|
|
get {
|
|
return handle;
|
|
}
|
|
}
|
|
|
|
[DllImport (AppleTlsContext.SecurityLibrary)]
|
|
extern static /* OSStatus */ SecStatusCode SecAccessCreate (/* CFStringRef */ IntPtr descriptor, /* CFArrayRef */ IntPtr trustedList, /* SecAccessRef _Nullable * */ out IntPtr accessRef);
|
|
|
|
public static SecAccess Create (string descriptor)
|
|
{
|
|
var descriptorHandle = CFString.Create (descriptor);
|
|
if (descriptorHandle == null)
|
|
throw new InvalidOperationException ();
|
|
|
|
try {
|
|
IntPtr accessRef;
|
|
var result = SecAccessCreate (descriptorHandle.Handle, IntPtr.Zero, out accessRef);
|
|
if (result != SecStatusCode.Success)
|
|
throw new InvalidOperationException (result.ToString ());
|
|
|
|
return new SecAccess (accessRef, true);
|
|
} finally {
|
|
descriptorHandle.Dispose ();
|
|
}
|
|
}
|
|
|
|
public void Dispose ()
|
|
{
|
|
Dispose (true);
|
|
GC.SuppressFinalize (this);
|
|
}
|
|
|
|
protected virtual void Dispose (bool disposing)
|
|
{
|
|
if (handle != IntPtr.Zero) {
|
|
CFObject.CFRelease (handle);
|
|
handle = IntPtr.Zero;
|
|
}
|
|
}
|
|
}
|
|
#endif
|
|
}
|
|
#endif
|