1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
|
//------------------------------------------------------------
// Copyright (c) Microsoft Corporation. All rights reserved.
//------------------------------------------------------------
namespace System.IdentityModel
{
using Microsoft.Win32.SafeHandles;
using System.ComponentModel;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Runtime.CompilerServices;
using System.Runtime.Versioning;
using System.Runtime.ConstrainedExecution;
using System.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using FILETIME = System.Runtime.InteropServices.ComTypes.FILETIME;
[SuppressUnmanagedCodeSecurity]
static class CAPI
{
internal const string CRYPT32 = "crypt32.dll";
internal const string BCRYPT = "bcrypt.dll";
internal const string SubjectKeyIdentifierOid = "2.5.29.14";
internal const int S_OK = 0;
internal const int S_FALSE = 1;
internal const string szOID_CRL_DIST_POINTS = "2.5.29.31";
internal const string szOID_AUTHORITY_INFO_ACCESS = "1.3.6.1.5.5.7.1.1";
//internal const uint CERT_STORE_NO_CRYPT_RELEASE_FLAG = 0x00000001;
//internal const uint CERT_STORE_SET_LOCALIZED_NAME_FLAG = 0x00000002;
//internal const uint CERT_STORE_DEFER_CLOSE_UNTIL_LAST_FREE_FLAG = 0x00000004;
//internal const uint CERT_STORE_DELETE_FLAG = 0x00000010;
//internal const uint CERT_STORE_SHARE_STORE_FLAG = 0x00000040;
//internal const uint CERT_STORE_SHARE_CONTEXT_FLAG = 0x00000080;
//internal const uint CERT_STORE_MANIFOLD_FLAG = 0x00000100;
internal const uint CERT_STORE_ENUM_ARCHIVED_FLAG = 0x00000200;
//internal const uint CERT_STORE_UPDATE_KEYID_FLAG = 0x00000400;
//internal const uint CERT_STORE_BACKUP_RESTORE_FLAG = 0x00000800;
internal const uint CERT_STORE_READONLY_FLAG = 0x00008000;
internal const uint CERT_STORE_OPEN_EXISTING_FLAG = 0x00004000;
internal const uint CERT_STORE_CREATE_NEW_FLAG = 0x00002000;
internal const uint CERT_STORE_MAXIMUM_ALLOWED_FLAG = 0x00001000;
internal const uint CERT_STORE_ADD_ALWAYS = 4;
internal const uint CERT_CHAIN_POLICY_BASE = 1;
internal const uint CERT_CHAIN_POLICY_NT_AUTH = 6;
internal const uint X509_ASN_ENCODING = 0x00000001;
internal const uint PKCS_7_ASN_ENCODING = 0x00010000;
internal const uint CERT_STORE_PROV_MEMORY = 2;
internal const uint CERT_STORE_PROV_SYSTEM = 10;
internal const uint CERT_SYSTEM_STORE_CURRENT_USER_ID = 1;
internal const uint CERT_SYSTEM_STORE_LOCAL_MACHINE_ID = 2;
internal const uint CERT_SYSTEM_STORE_LOCATION_SHIFT = 16;
internal const uint CERT_SYSTEM_STORE_CURRENT_USER = ((int)CERT_SYSTEM_STORE_CURRENT_USER_ID << (int)CERT_SYSTEM_STORE_LOCATION_SHIFT);
internal const uint CERT_SYSTEM_STORE_LOCAL_MACHINE = ((int)CERT_SYSTEM_STORE_LOCAL_MACHINE_ID << (int)CERT_SYSTEM_STORE_LOCATION_SHIFT);
//internal const uint CERT_INFO_VERSION_FLAG = 1;
//internal const uint CERT_INFO_SERIAL_NUMBER_FLAG = 2;
//internal const uint CERT_INFO_SIGNATURE_ALGORITHM_FLAG = 3;
internal const uint CERT_INFO_ISSUER_FLAG = 4;
//internal const uint CERT_INFO_NOT_BEFORE_FLAG = 5;
//internal const uint CERT_INFO_NOT_AFTER_FLAG = 6;
internal const uint CERT_INFO_SUBJECT_FLAG = 7;
//internal const uint CERT_INFO_SUBJECT_PUBLIC_KEY_INFO_FLAG = 8;
//internal const uint CERT_INFO_ISSUER_UNIQUE_ID_FLAG = 9;
//internal const uint CERT_INFO_SUBJECT_UNIQUE_ID_FLAG = 10;
//internal const uint CERT_INFO_EXTENSION_FLAG = 11;
//internal const uint CERT_COMPARE_MASK = 0xFFFF;
internal const uint CERT_COMPARE_SHIFT = 16;
internal const uint CERT_COMPARE_ANY = 0;
internal const uint CERT_COMPARE_SHA1_HASH = 1;
//internal const uint CERT_COMPARE_NAME = 2;
//internal const uint CERT_COMPARE_ATTR = 3;
//internal const uint CERT_COMPARE_MD5_HASH = 4;
//internal const uint CERT_COMPARE_PROPERTY = 5;
//internal const uint CERT_COMPARE_PUBLIC_KEY = 6;
//internal const uint CERT_COMPARE_HASH = CERT_COMPARE_SHA1_HASH;
internal const uint CERT_COMPARE_NAME_STR_A = 7;
internal const uint CERT_COMPARE_NAME_STR_W = 8;
//internal const uint CERT_COMPARE_KEY_SPEC = 9;
//internal const uint CERT_COMPARE_ENHKEY_USAGE = 10;
//internal const uint CERT_COMPARE_CTL_USAGE = CERT_COMPARE_ENHKEY_USAGE;
//internal const uint CERT_COMPARE_SUBJECT_CERT = 11;
//internal const uint CERT_COMPARE_ISSUER_OF = 12;
//internal const uint CERT_COMPARE_EXISTING = 13;
//internal const uint CERT_COMPARE_SIGNATURE_HASH = 14;
//internal const uint CERT_COMPARE_KEY_IDENTIFIER = 15;
//internal const uint CERT_COMPARE_CERT_ID = 16;
//internal const uint CERT_COMPARE_CROSS_CERT_DIST_POINTS = 17;
//internal const uint CERT_COMPARE_PUBKEY_MD5_HASH = 18;
internal const uint CERT_FIND_ANY = ((int)CERT_COMPARE_ANY << (int)CERT_COMPARE_SHIFT);
internal const uint CERT_FIND_SHA1_HASH = ((int)CERT_COMPARE_SHA1_HASH << (int)CERT_COMPARE_SHIFT);
//internal const uint CERT_FIND_MD5_HASH = ((int)CERT_COMPARE_MD5_HASH << (int)CERT_COMPARE_SHIFT);
//internal const uint CERT_FIND_SIGNATURE_HASH = ((int)CERT_COMPARE_SIGNATURE_HASH << (int)CERT_COMPARE_SHIFT);
//internal const uint CERT_FIND_KEY_IDENTIFIER = ((int)CERT_COMPARE_KEY_IDENTIFIER << (int)CERT_COMPARE_SHIFT);
internal const uint CERT_FIND_HASH = CERT_FIND_SHA1_HASH;
//internal const uint CERT_FIND_PROPERTY = ((int)CERT_COMPARE_PROPERTY << (int)CERT_COMPARE_SHIFT);
//internal const uint CERT_FIND_PUBLIC_KEY = ((int)CERT_COMPARE_PUBLIC_KEY << (int)CERT_COMPARE_SHIFT);
//internal const uint CERT_FIND_SUBJECT_NAME = ((int)CERT_COMPARE_NAME << (int)CERT_COMPARE_SHIFT | (int)CERT_INFO_SUBJECT_FLAG);
//internal const uint CERT_FIND_SUBJECT_ATTR = ((int)CERT_COMPARE_ATTR << (int)CERT_COMPARE_SHIFT | (int)CERT_INFO_SUBJECT_FLAG);
//internal const uint CERT_FIND_ISSUER_NAME = ((int)CERT_COMPARE_NAME << (int)CERT_COMPARE_SHIFT | (int)CERT_INFO_ISSUER_FLAG);
//internal const uint CERT_FIND_ISSUER_ATTR = ((int)CERT_COMPARE_ATTR << (int)CERT_COMPARE_SHIFT | (int)CERT_INFO_ISSUER_FLAG);
internal const uint CERT_FIND_SUBJECT_STR_A = ((int)CERT_COMPARE_NAME_STR_A << (int)CERT_COMPARE_SHIFT | (int)CERT_INFO_SUBJECT_FLAG);
internal const uint CERT_FIND_SUBJECT_STR_W = ((int)CERT_COMPARE_NAME_STR_W << (int)CERT_COMPARE_SHIFT | (int)CERT_INFO_SUBJECT_FLAG);
internal const uint CERT_FIND_SUBJECT_STR = CERT_FIND_SUBJECT_STR_W;
internal const uint CERT_FIND_ISSUER_STR_A = ((int)CERT_COMPARE_NAME_STR_A << (int)CERT_COMPARE_SHIFT | (int)CERT_INFO_ISSUER_FLAG);
internal const uint CERT_FIND_ISSUER_STR_W = ((int)CERT_COMPARE_NAME_STR_W << (int)CERT_COMPARE_SHIFT | (int)CERT_INFO_ISSUER_FLAG);
internal const uint CERT_FIND_ISSUER_STR = CERT_FIND_ISSUER_STR_W;
//internal const uint CERT_FIND_KEY_SPEC = ((int)CERT_COMPARE_KEY_SPEC << (int)CERT_COMPARE_SHIFT);
//internal const uint CERT_FIND_ENHKEY_USAGE = ((int)CERT_COMPARE_ENHKEY_USAGE << (int)CERT_COMPARE_SHIFT);
//internal const uint CERT_FIND_CTL_USAGE = CERT_FIND_ENHKEY_USAGE;
//internal const uint CERT_FIND_SUBJECT_CERT = ((int)CERT_COMPARE_SUBJECT_CERT << (int)CERT_COMPARE_SHIFT);
//internal const uint CERT_FIND_ISSUER_OF = ((int)CERT_COMPARE_ISSUER_OF << (int)CERT_COMPARE_SHIFT);
//internal const uint CERT_FIND_EXISTING = ((int)CERT_COMPARE_EXISTING << (int)CERT_COMPARE_SHIFT);
//internal const uint CERT_FIND_CERT_ID = ((int)CERT_COMPARE_CERT_ID << (int)CERT_COMPARE_SHIFT);
//internal const uint CERT_FIND_CROSS_CERT_DIST_POINTS = ((int)CERT_COMPARE_CROSS_CERT_DIST_POINTS << (int)CERT_COMPARE_SHIFT);
//internal const uint CERT_FIND_PUBKEY_MD5_HASH = ((int)CERT_COMPARE_PUBKEY_MD5_HASH << (int)CERT_COMPARE_SHIFT);
// Common chain policy flags.
internal const uint CERT_CHAIN_REVOCATION_CHECK_END_CERT = 0x10000000;
internal const uint CERT_CHAIN_REVOCATION_CHECK_CHAIN = 0x20000000;
internal const uint CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT = 0x40000000;
internal const uint CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY = 0x80000000;
internal const uint CERT_CHAIN_REVOCATION_ACCUMULATIVE_TIMEOUT = 0x08000000;
// Chain verification flag (not available in X509VerificationFlags).
internal const uint CERT_CHAIN_POLICY_IGNORE_PEER_TRUST_FLAG = 0x00001000;
// Default usage match type is AND with value zero
internal const uint USAGE_MATCH_TYPE_AND = 0x00000000;
internal const uint USAGE_MATCH_TYPE_OR = 0x00000001;
// CertGetCertificateChain chain engine handles.
internal const uint HCCE_CURRENT_USER = 0x0;
internal const uint HCCE_LOCAL_MACHINE = 0x1;
// Vista Peer Trust
internal const uint CERT_TRUST_IS_PEER_TRUSTED = 0x00000800;
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
internal struct CERT_CONTEXT
{
internal uint dwCertEncodingType;
internal IntPtr pbCertEncoded;
internal uint cbCertEncoded;
internal IntPtr pCertInfo;
internal IntPtr hCertStore;
};
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
internal struct CRYPTOAPI_BLOB
{
internal uint cbData;
internal IntPtr pbData;
static internal int Size = Marshal.SizeOf(typeof(CRYPTOAPI_BLOB));
}
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
internal struct CERT_ENHKEY_USAGE
{
internal uint cUsageIdentifier;
internal IntPtr rgpszUsageIdentifier; // LPSTR*
}
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
internal struct CERT_USAGE_MATCH
{
internal uint dwType;
internal CERT_ENHKEY_USAGE Usage;
}
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
internal struct CERT_CHAIN_PARA
{
internal uint cbSize;
internal CERT_USAGE_MATCH RequestedUsage;
internal CERT_USAGE_MATCH RequestedIssuancePolicy;
internal uint dwUrlRetrievalTimeout; // milliseconds
internal bool fCheckRevocationFreshnessTime;
internal uint dwRevocationFreshnessTime;
}
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
internal struct CERT_CHAIN_POLICY_PARA
{
internal CERT_CHAIN_POLICY_PARA(int size)
{
cbSize = (uint)size;
dwFlags = 0;
pvExtraPolicyPara = IntPtr.Zero;
}
internal uint cbSize;
internal uint dwFlags;
internal IntPtr pvExtraPolicyPara;
}
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
internal struct CERT_CHAIN_POLICY_STATUS
{
internal CERT_CHAIN_POLICY_STATUS(int size)
{
cbSize = (uint)size;
dwError = 0;
lChainIndex = IntPtr.Zero;
lElementIndex = IntPtr.Zero;
pvExtraPolicyStatus = IntPtr.Zero;
}
internal uint cbSize;
internal uint dwError;
internal IntPtr lChainIndex;
internal IntPtr lElementIndex;
internal IntPtr pvExtraPolicyStatus;
}
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
internal struct CERT_CHAIN_CONTEXT
{
internal CERT_CHAIN_CONTEXT(int size)
{
cbSize = (uint)size;
dwErrorStatus = 0;
dwInfoStatus = 0;
cChain = 0;
rgpChain = IntPtr.Zero;
cLowerQualityChainContext = 0;
rgpLowerQualityChainContext = IntPtr.Zero;
fHasRevocationFreshnessTime = 0;
dwRevocationFreshnessTime = 0;
}
internal uint cbSize;
internal uint dwErrorStatus; // serialized CERT_TRUST_STATUS
internal uint dwInfoStatus; // serialized CERT_TRUST_STATUS
internal uint cChain;
internal IntPtr rgpChain; // PCERT_SIMPLE_CHAIN*
internal uint cLowerQualityChainContext;
internal IntPtr rgpLowerQualityChainContext; // PCCERT_CHAIN_CONTEXT*
internal uint fHasRevocationFreshnessTime; // Note that we declare the field as a uint here since we are manipulating
// the structure manually and a bool is only 1 byte in the managed world.
internal uint dwRevocationFreshnessTime; // seconds
}
[DllImport(CAPI.CRYPT32, CharSet = CharSet.Unicode, SetLastError = true)]
internal static extern SafeCertContextHandle CertCreateCertificateContext(
[In] uint dwCertEncodingType,
[In] IntPtr pbCertEncoded,
[In] uint cbCertEncoded
);
// A new store is created if one did not exist. The function fails if the store already exists if dwFlags is set to CERT_STORE_CREATE_NEW_FLAG .
[DllImport(CAPI.CRYPT32, CharSet = CharSet.Unicode, SetLastError = true)]
[ResourceExposure(ResourceScope.None)]
internal static extern SafeCertStoreHandle CertOpenStore(
[In] IntPtr lpszStoreProvider,
[In] uint dwMsgAndCertEncodingType,
[In] IntPtr hCryptProv,
[In] uint dwFlags,
[In] string pvPara // we want this always as a Unicode string.
);
[DllImport(CAPI.CRYPT32, SetLastError = true)]
[ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)]
[ResourceExposure(ResourceScope.None)]
internal static extern bool CertCloseStore(
[In] IntPtr hCertStore,
[In] uint dwFlags
);
[DllImport(CAPI.CRYPT32, SetLastError = true)]
[ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)]
[ResourceExposure( ResourceScope.None )]
internal static extern bool CertFreeCertificateContext(
[In] IntPtr pCertContext
);
[DllImport(CAPI.CRYPT32, SetLastError = true)]
[ResourceExposure( ResourceScope.None )]
[ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)]
internal static extern SafeCertContextHandle CertFindCertificateInStore(
[In] SafeCertStoreHandle hCertStore,
[In] uint dwCertEncodingType,
[In] uint dwFindFlags,
[In] uint dwFindType,
[In] SafeHGlobalHandle pvFindPara,
[In] SafeCertContextHandle pPrevCertContext
);
[DllImport(CRYPT32, CharSet = CharSet.Auto, SetLastError = true)]
[ResourceConsumption( ResourceScope.Machine, ResourceScope.Machine)]
[ResourceExposure( ResourceScope.None )]
internal extern static bool CertAddCertificateLinkToStore(
[In] SafeCertStoreHandle hCertStore,
[In] IntPtr pCertContext,
[In] uint dwAddDisposition,
[In, Out] SafeCertContextHandle ppStoreContext
);
[DllImport(CRYPT32, CharSet = CharSet.Auto, SetLastError = true)]
[ResourceExposure( ResourceScope.None )]
[ResourceConsumption( ResourceScope.Machine, ResourceScope.Machine )]
internal static extern bool CertGetCertificateChain(
[In] IntPtr hChainEngine,
[In] IntPtr pCertContext,
[In] ref FILETIME pTime,
[In] SafeCertStoreHandle hAdditionalStore,
[In] ref CERT_CHAIN_PARA pChainPara,
[In] uint dwFlags,
[In] IntPtr pvReserved,
[Out] out SafeCertChainHandle ppChainContext
);
[DllImport(CRYPT32, CharSet = CharSet.Auto, SetLastError = true)]
[ResourceExposure( ResourceScope.None )]
internal extern static bool CertVerifyCertificateChainPolicy(
[In] IntPtr pszPolicyOID,
[In] SafeCertChainHandle pChainContext,
[In] ref CERT_CHAIN_POLICY_PARA pPolicyPara,
[In, Out] ref CERT_CHAIN_POLICY_STATUS pPolicyStatus);
[DllImport(CRYPT32, SetLastError = true)]
[ResourceExposure( ResourceScope.None )]
[ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)]
internal extern static void CertFreeCertificateChain(IntPtr handle);
// On Vista and higher, check the value of the machine FIPS policy
[DllImport(BCRYPT, SetLastError = true)]
[ResourceExposure( ResourceScope.None )]
internal static extern int BCryptGetFipsAlgorithmMode(
[MarshalAs(UnmanagedType.U1), Out] out bool pfEnabled
);
}
#pragma warning disable 618 // have not moved to the v4 security model yet
[SecurityCritical(SecurityCriticalScope.Everything)]
#pragma warning restore 618
class SafeCertStoreHandle : SafeHandleZeroOrMinusOneIsInvalid
{
SafeCertStoreHandle() : base(true) { }
// 0 is an Invalid Handle
SafeCertStoreHandle(IntPtr handle)
: base(true)
{
SetHandle(handle);
}
public static SafeCertStoreHandle InvalidHandle
{
get { return new SafeCertStoreHandle(IntPtr.Zero); }
}
protected override bool ReleaseHandle()
{
// PreSharp Bug: Call 'Marshal.GetLastWin32Error' or 'Marshal.GetHRForLastWin32Error' before any other interop call.
#pragma warning suppress 56523 // We are not interested in throwing an exception here if CloseHandle fails.
return CAPI.CertCloseStore(handle, 0);
}
}
#pragma warning disable 618 // have not moved to the v4 security model yet
[SecurityCritical(SecurityCriticalScope.Everything)]
#pragma warning restore 618
class SafeCertContextHandle : SafeHandleZeroOrMinusOneIsInvalid
{
SafeCertContextHandle() : base(true) { }
// 0 is an Invalid Handle
SafeCertContextHandle(IntPtr handle)
: base(true)
{
SetHandle(handle);
}
internal static SafeCertContextHandle InvalidHandle
{
get { return new SafeCertContextHandle(IntPtr.Zero); }
}
protected override bool ReleaseHandle()
{
// PreSharp Bug: Call 'Marshal.GetLastWin32Error' or 'Marshal.GetHRForLastWin32Error' before any other interop call.
#pragma warning suppress 56523 // We are not interested in throwing an exception here if CloseHandle fails.
return CAPI.CertFreeCertificateContext(handle);
}
}
#pragma warning disable 618 // have not moved to the v4 security model yet
[SecurityCritical(SecurityCriticalScope.Everything)]
#pragma warning restore 618
class SafeCertChainHandle : SafeHandleZeroOrMinusOneIsInvalid
{
SafeCertChainHandle() : base(true) { }
SafeCertChainHandle(IntPtr handle)
: base(true)
{
SetHandle(handle);
}
internal static SafeCertChainHandle InvalidHandle
{
get { return new SafeCertChainHandle(IntPtr.Zero); }
}
protected override bool ReleaseHandle()
{
// PreSharp Bug: Call 'Marshal.GetLastWin32Error' or 'Marshal.GetHRForLastWin32Error' before any other interop call.
#pragma warning suppress 56523 // We are not interested in throwing an exception here if CloseHandle fails.
CAPI.CertFreeCertificateChain(handle);
return true;
}
}
}
|
