From f24eb8a73e5776cf086dccb72737621f12232d39 Mon Sep 17 00:00:00 2001 From: Kevin Jones Date: Tue, 8 Oct 2024 10:53:41 -0400 Subject: [PATCH] Use the managed codec for basic constraints and remove entire X.509 extension PAL --- .../Interop.X509Ext.cs | 9 --- .../src/System.Security.Cryptography.csproj | 9 +-- .../Cryptography/X509Certificates/IX509Pal.cs | 4 -- ...acyBasicConstraintsDecoder.NotSupported.cs | 24 +++++++ .../LegacyBasicConstraintsDecoder.Windows.cs | 35 ++++++++++ .../ManagedX509ExtensionProcessor.cs | 57 --------------- .../X509Certificates/OpenSslX509Encoder.cs | 19 +---- .../X509BasicConstraintsExtension.cs | 53 +++++++++++++- .../X509Certificates/X509Certificate2.cs | 2 +- .../X509Certificates/X509Pal.Android.cs | 2 +- .../X509Certificates/X509Pal.Apple.ECKey.cs | 2 +- .../X509Pal.Apple.X500Name.cs | 2 +- .../X509Pal.Windows.CustomExtensions.cs | 70 ------------------- .../X509Certificates/X509Pal.iOS.cs | 2 +- .../X509Certificates/X509Pal.macOS.cs | 2 +- .../entrypoints.c | 1 - .../opensslshim.h | 4 -- .../pal_x509ext.c | 45 ------------ .../pal_x509ext.h | 15 ---- 19 files changed, 121 insertions(+), 236 deletions(-) create mode 100644 src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/LegacyBasicConstraintsDecoder.NotSupported.cs create mode 100644 src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/LegacyBasicConstraintsDecoder.Windows.cs delete mode 100644 src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/ManagedX509ExtensionProcessor.cs delete mode 100644 src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Pal.Windows.CustomExtensions.cs 
diff --git a/src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.X509Ext.cs b/src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.X509Ext.cs
index 397f95a31baa7..6012d65fdeb3a 100644
--- a/src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.X509Ext.cs
+++ b/src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.X509Ext.cs
@@ -21,14 +21,5 @@ internal static partial SafeX509ExtensionHandle X509ExtensionCreateByObj(
 [LibraryImport(Libraries.CryptoNative, EntryPoint = "CryptoNative_X509V3ExtPrint")]
 [return: MarshalAs(UnmanagedType.Bool)]
 internal static partial bool X509V3ExtPrint(SafeBioHandle buf, SafeX509ExtensionHandle ext);
-
- [LibraryImport(Libraries.CryptoNative, EntryPoint = "CryptoNative_DecodeX509BasicConstraints2Extension")]
- [return: MarshalAs(UnmanagedType.Bool)]
- internal static partial bool DecodeX509BasicConstraints2Extension(
- byte[] encoded,
- int encodedLength,
- [MarshalAs(UnmanagedType.Bool)] out bool certificateAuthority,
- [MarshalAs(UnmanagedType.Bool)] out bool hasPathLengthConstraint,
- out int pathLengthConstraint);
 }
 }
diff --git a/src/libraries/System.Security.Cryptography/src/System.Security.Cryptography.csproj b/src/libraries/System.Security.Cryptography/src/System.Security.Cryptography.csproj
index c609292d4059f..ad075113cf7d2 100644
--- a/src/libraries/System.Security.Cryptography/src/System.Security.Cryptography.csproj
+++ b/src/libraries/System.Security.Cryptography/src/System.Security.Cryptography.csproj
@@ -692,6 +692,7 @@
+
@@ -906,8 +907,8 @@
+
-
@@ -1052,8 +1053,8 @@
+
-
@@ -1183,8 +1184,8 @@
+
-
@@ -1784,6 +1785,7 @@
+
@@ -1793,7 +1795,6 @@
-
diff --git a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/IX509Pal.cs b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/IX509Pal.cs
index d19f6e900bb0f..991986bd0eab1 100644
--- a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/IX509Pal.cs
+++ b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/IX509Pal.cs
@@ -13,9 +13,5 @@ internal interface IX509Pal
 string X500DistinguishedNameFormat(byte[] encodedDistinguishedName, bool multiLine);
 X509ContentType GetCertContentType(ReadOnlySpan rawData);
 X509ContentType GetCertContentType(string fileName);
- bool SupportsLegacyBasicConstraintsExtension { get; }
- byte[] EncodeX509BasicConstraints2Extension(bool certificateAuthority, bool hasPathLengthConstraint, int pathLengthConstraint);
- void DecodeX509BasicConstraintsExtension(byte[] encoded, out bool certificateAuthority, out bool hasPathLengthConstraint, out int pathLengthConstraint);
- void DecodeX509BasicConstraints2Extension(byte[] encoded, out bool certificateAuthority, out bool hasPathLengthConstraint, out int pathLengthConstraint);
 }
 }
diff --git a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/LegacyBasicConstraintsDecoder.NotSupported.cs b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/LegacyBasicConstraintsDecoder.NotSupported.cs
new file mode 100644
index 0000000000000..09fcfae607aa8
--- /dev/null
+++ b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/LegacyBasicConstraintsDecoder.NotSupported.cs
@@ -0,0 +1,24 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+namespace System.Security.Cryptography.X509Certificates
+{
+ internal static class LegacyBasicConstraintsDecoder
+ {
+ internal static bool IsSupported => false;
+
+ internal static void DecodeX509BasicConstraintsExtension(
+ byte[] encoded,
+ out bool certificateAuthority,
+ out bool hasPathLengthConstraint,
+ out int pathLengthConstraint)
+ {
+ // No RFC nor ITU document describes the layout of the 2.5.29.10 structure,
+ // and OpenSSL doesn't have a decoder for it, either.
+ //
+ // Since it was never published as a standard (2.5.29.19 replaced it before publication)
+ // there shouldn't be too many people upset that we can't decode it for them on Unix.
+ throw new PlatformNotSupportedException(SR.NotSupported_LegacyBasicConstraints);
+ }
+ }
+}
diff --git a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/LegacyBasicConstraintsDecoder.Windows.cs b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/LegacyBasicConstraintsDecoder.Windows.cs
new file mode 100644
index 0000000000000..a1331df3f3381
--- /dev/null
+++ b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/LegacyBasicConstraintsDecoder.Windows.cs
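Review bot: The new `LegacyBasicConstraintsDecoder` class carries no type-level documentation, so the contract between `IsSupported` and `DecodeX509BasicConstraintsExtension` — that callers such as `X509Certificate2.CreateCustomExtensionIfAny` must consult the former before the latter is reachable — is only discoverable by reading both platform files. A summary on the class would close that gap, e.g. `/// <summary>Decodes the legacy (2.5.29.10) BasicConstraints extension. <see cref="IsSupported"/> reports whether this platform can decode it; when false, <see cref="DecodeX509BasicConstraintsExtension"/> throws PlatformNotSupportedException.</summary>`. The same applies to the Windows counterpart in LegacyBasicConstraintsDecoder.Windows.cs, where `IsSupported` is `true`.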
@@ -0,0 +1,35 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System.Diagnostics;
+using System.Runtime.InteropServices;
+using Internal.Cryptography;
+
+namespace System.Security.Cryptography.X509Certificates
+{
+ internal static class LegacyBasicConstraintsDecoder
+ {
+ internal static bool IsSupported => true;
+
+ internal static void DecodeX509BasicConstraintsExtension(
+ byte[] encoded,
+ out bool certificateAuthority,
+ out bool hasPathLengthConstraint,
+ out int pathLengthConstraint)
+ {
+ unsafe
+ {
+ (certificateAuthority, hasPathLengthConstraint, pathLengthConstraint) = encoded.DecodeObject(
+ CryptDecodeObjectStructType.X509_BASIC_CONSTRAINTS,
+ static delegate (void* pvDecoded, int cbDecoded)
+ {
+ Debug.Assert(cbDecoded >= sizeof(CERT_BASIC_CONSTRAINTS_INFO));
+ CERT_BASIC_CONSTRAINTS_INFO* pBasicConstraints = (CERT_BASIC_CONSTRAINTS_INFO*)pvDecoded;
+ return ((Marshal.ReadByte(pBasicConstraints->SubjectType.pbData) & CERT_BASIC_CONSTRAINTS_INFO.CERT_CA_SUBJECT_FLAG) != 0,
+ pBasicConstraints->fPathLenConstraint != 0,
+ pBasicConstraints->dwPathLenConstraint);
+ });
+ }
+ }
+ }
+}
diff --git a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/ManagedX509ExtensionProcessor.cs b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/ManagedX509ExtensionProcessor.cs
deleted file mode 100644
index 561cb039cfaec..0000000000000
--- a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/ManagedX509ExtensionProcessor.cs
+++ /dev/null
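Review bot: The decode delegate reads the first byte of `pBasicConstraints->SubjectType.pbData` without checking the blob's `cbData`, so a certificate whose decoded SubjectType BIT STRING is empty would hand `Marshal.ReadByte` a null or zero-length buffer; the `Debug.Assert` on `cbDecoded` only covers the outer struct, not the blob it points to. The code is moved verbatim from X509Pal.Windows.CustomExtensions.cs, but it runs on untrusted certificate bytes, and whether CryptDecodeObject guarantees a non-empty blob here is not verifiable from this hunk, so a guard such as `bool isCa = pBasicConstraints->SubjectType.cbData > 0 && (Marshal.ReadByte(pBasicConstraints->SubjectType.pbData) & CERT_BASIC_CONSTRAINTS_INFO.CERT_CA_SUBJECT_FLAG) != 0;` feeding the returned tuple is cheap insurance. Separately, `dwPathLenConstraint` is returned into an `int` out-parameter; if the managed struct declares it as an unsigned DWORD this is a silent narrowing worth confirming against the struct definition.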
@@ -1,57 +0,0 @@
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-
-using System.Diagnostics;
-using System.Formats.Asn1;
-using System.Security.Cryptography.Asn1;
-using System.Security.Cryptography.X509Certificates.Asn1;
-
-namespace System.Security.Cryptography.X509Certificates
-{
- internal class ManagedX509ExtensionProcessor
- {
- public virtual byte[] EncodeX509BasicConstraints2Extension(
- bool certificateAuthority,
- bool hasPathLengthConstraint,
- int pathLengthConstraint)
- {
- BasicConstraintsAsn constraints = default;
-
- constraints.CA = certificateAuthority;
- if (hasPathLengthConstraint)
- constraints.PathLengthConstraint = pathLengthConstraint;
-
- AsnWriter writer = new AsnWriter(AsnEncodingRules.DER);
- constraints.Encode(writer);
- return writer.Encode();
- }
-
- public virtual bool SupportsLegacyBasicConstraintsExtension => false;
-
- public virtual void DecodeX509BasicConstraintsExtension(
- byte[] encoded,
- out bool certificateAuthority,
- out bool hasPathLengthConstraint,
- out int pathLengthConstraint)
- {
- // No RFC nor ITU document describes the layout of the 2.5.29.10 structure,
- // and OpenSSL doesn't have a decoder for it, either.
- //
- // Since it was never published as a standard (2.5.29.19 replaced it before publication)
- // there shouldn't be too many people upset that we can't decode it for them on Unix.
- throw new PlatformNotSupportedException(SR.NotSupported_LegacyBasicConstraints);
- }
-
- public virtual void DecodeX509BasicConstraints2Extension(
- byte[] encoded,
- out bool certificateAuthority,
- out bool hasPathLengthConstraint,
- out int pathLengthConstraint)
- {
- BasicConstraintsAsn constraints = BasicConstraintsAsn.Decode(encoded, AsnEncodingRules.BER);
- certificateAuthority = constraints.CA;
- hasPathLengthConstraint = constraints.PathLengthConstraint.HasValue;
- pathLengthConstraint = constraints.PathLengthConstraint.GetValueOrDefault();
- }
- }
-}
diff --git a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/OpenSslX509Encoder.cs b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/OpenSslX509Encoder.cs
index fd2a8cef7c0c6..8966b760df1f0 100644
--- a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/OpenSslX509Encoder.cs
+++ b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/OpenSslX509Encoder.cs
@@ -9,7 +9,7 @@ namespace System.Security.Cryptography.X509Certificates
 {
- internal sealed class OpenSslX509Encoder : ManagedX509ExtensionProcessor, IX509Pal
+ internal sealed class OpenSslX509Encoder : IX509Pal
 {
 public ECDsa DecodeECDsaPublicKey(ICertificatePal? certificatePal)
 {
@@ -152,23 +152,6 @@ public X509ContentType GetCertContentType(string fileName)
 throw new CryptographicException();
 }
-
- public override void DecodeX509BasicConstraints2Extension(
- byte[] encoded,
- out bool certificateAuthority,
- out bool hasPathLengthConstraint,
- out int pathLengthConstraint)
- {
- if (!Interop.Crypto.DecodeX509BasicConstraints2Extension(
- encoded,
- encoded.Length,
- out certificateAuthority,
- out hasPathLengthConstraint,
- out pathLengthConstraint))
- {
- throw Interop.Crypto.CreateOpenSslCryptographicException();
- }
- }
-
 private static RSAOpenSsl BuildRsaPublicKey(byte[] encodedData)
 {
 var rsa = new RSAOpenSsl();
diff --git a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509BasicConstraintsExtension.cs b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509BasicConstraintsExtension.cs
index d092d06b9d07c..e1e6b91c2455c 100644
--- a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509BasicConstraintsExtension.cs
+++ b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509BasicConstraintsExtension.cs
@@ -1,6 +1,9 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
+using System.Formats.Asn1;
+using System.Security.Cryptography.X509Certificates.Asn1;
+
 namespace System.Security.Cryptography.X509Certificates
 {
 public sealed class X509BasicConstraintsExtension : X509Extension
@@ -111,19 +114,63 @@ private static byte[] EncodeExtension(bool certificateAuthority, bool hasPathLen
 ArgumentOutOfRangeException.ThrowIfNegative(pathLengthConstraint);
 }
- return X509Pal.Instance.EncodeX509BasicConstraints2Extension(certificateAuthority, hasPathLengthConstraint, pathLengthConstraint);
+ return EncodeX509BasicConstraints2Extension(certificateAuthority, hasPathLengthConstraint, pathLengthConstraint);
 }
 private void DecodeExtension()
 {
 if (Oid!.Value == Oids.BasicConstraints)
- X509Pal.Instance.DecodeX509BasicConstraintsExtension(RawData, out _certificateAuthority, out _hasPathLenConstraint, out _pathLenConstraint);
+ {
+ LegacyBasicConstraintsDecoder.DecodeX509BasicConstraintsExtension(
+ RawData,
+ out _certificateAuthority,
+ out _hasPathLenConstraint,
+ out _pathLenConstraint);
+ }
 else
- X509Pal.Instance.DecodeX509BasicConstraints2Extension(RawData, out _certificateAuthority, out _hasPathLenConstraint, out _pathLenConstraint);
+ {
+ DecodeX509BasicConstraints2Extension(
+ RawData,
+ out _certificateAuthority,
+ out _hasPathLenConstraint,
+ out _pathLenConstraint);
+ }
 _decoded = true;
 }
+ private static byte[] EncodeX509BasicConstraints2Extension(
+ bool certificateAuthority,
+ bool hasPathLengthConstraint,
+ int pathLengthConstraint)
+ {
+ BasicConstraintsAsn constraints = default;
+
+ constraints.CA = certificateAuthority;
+
+ if (hasPathLengthConstraint)
+ {
+ constraints.PathLengthConstraint = pathLengthConstraint;
+ }
+
+ // Largest possible encoded extension is 11 bytes when pathLenConstraint is int.MaxValue.
+ AsnWriter writer = new AsnWriter(AsnEncodingRules.DER, initialCapacity: 11);
+ constraints.Encode(writer);
+ return writer.Encode();
+ }
+
+ private static void DecodeX509BasicConstraints2Extension(
+ byte[] encoded,
+ out bool certificateAuthority,
+ out bool hasPathLengthConstraint,
+ out int pathLengthConstraint)
+ {
+ BasicConstraintsAsn constraints = BasicConstraintsAsn.Decode(encoded, AsnEncodingRules.BER);
+ certificateAuthority = constraints.CA;
+ hasPathLengthConstraint = constraints.PathLengthConstraint.HasValue;
+ pathLengthConstraint = constraints.PathLengthConstraint.GetValueOrDefault();
+ }
+
 private bool _certificateAuthority;
 private bool _hasPathLenConstraint;
 private int _pathLenConstraint;
diff --git a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Certificate2.cs b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Certificate2.cs
index ea56200fd74ba..7fc6beb3fe5a1 100644
--- a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Certificate2.cs
+++ b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Certificate2.cs
@@ -1496,7 +1496,7 @@ private static X509Certificate2 ExtractKeyFromEncryptedPem(
 internal static X509Extension? CreateCustomExtensionIfAny(string? oidValue) => oidValue switch
 {
- Oids.BasicConstraints => X509Pal.Instance.SupportsLegacyBasicConstraintsExtension ? new X509BasicConstraintsExtension() : null,
+ Oids.BasicConstraints => LegacyBasicConstraintsDecoder.IsSupported ? new X509BasicConstraintsExtension() : null,
 Oids.BasicConstraints2 => new X509BasicConstraintsExtension(),
 Oids.KeyUsage => new X509KeyUsageExtension(),
 Oids.EnhancedKeyUsage => new X509EnhancedKeyUsageExtension(),
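Review bot: The new `DecodeX509BasicConstraints2Extension` at the end of this hunk passes the decoded path length straight through with no range check, while the encoder side rejects negatives via the `ArgumentOutOfRangeException.ThrowIfNegative` context line at the top of the hunk — so a certificate carrying a negative pathLenConstraint (which RFC 5280 does not permit) would surface as a plausible-looking `PathLengthConstraint` unless `BasicConstraintsAsn.Decode` rejects it, which is not visible here. The removed OpenSSL shim in pal_x509ext.c likewise only asserted an upper bound, so the asymmetry may be deliberate for compatibility; if so it deserves a comment on the method, e.g. `// BER (not DER) so non-canonical encodings in existing certificates keep loading; no range check on pathLenConstraint, matching the native decoders this replaces.` The choice of `AsnEncodingRules.BER` on the decode path versus DER on the encode path should be stated for the same reason. The enclosing `EncodeExtension` begins outside the hunk.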
diff --git a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Pal.Android.cs b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Pal.Android.cs
index 608ee19b85579..f836a62ab7e89 100644
--- a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Pal.Android.cs
+++ b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Pal.Android.cs
@@ -18,7 +18,7 @@ private static partial IX509Pal BuildSingleton()
 return new AndroidX509Pal();
 }
- private sealed partial class AndroidX509Pal : ManagedX509ExtensionProcessor, IX509Pal
+ private sealed partial class AndroidX509Pal : IX509Pal
 {
 public ECDsa DecodeECDsaPublicKey(ICertificatePal? certificatePal)
 {
diff --git a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Pal.Apple.ECKey.cs b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Pal.Apple.ECKey.cs
index 8d1696721b1a4..01627dfdb2ddf 100644
--- a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Pal.Apple.ECKey.cs
+++ b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Pal.Apple.ECKey.cs
@@ -7,7 +7,7 @@ namespace System.Security.Cryptography.X509Certificates
 {
 internal partial class X509Pal
 {
- private sealed partial class AppleX509Pal : ManagedX509ExtensionProcessor, IX509Pal
+ private sealed partial class AppleX509Pal : IX509Pal
 {
 public ECDsa DecodeECDsaPublicKey(ICertificatePal? certificatePal)
 {
diff --git a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Pal.Apple.X500Name.cs b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Pal.Apple.X500Name.cs
index b5fe1db657533..50153c8fee03a 100644
--- a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Pal.Apple.X500Name.cs
+++ b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Pal.Apple.X500Name.cs
@@ -5,7 +5,7 @@ namespace System.Security.Cryptography.X509Certificates
 {
 internal partial class X509Pal
 {
- private sealed partial class AppleX509Pal : ManagedX509ExtensionProcessor, IX509Pal
+ private sealed partial class AppleX509Pal : IX509Pal
 {
 public string X500DistinguishedNameDecode(byte[] encodedDistinguishedName, X500DistinguishedNameFlags flag)
 {
diff --git a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Pal.Windows.CustomExtensions.cs b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Pal.Windows.CustomExtensions.cs
deleted file mode 100644
index e731b31c9aae7..0000000000000
--- a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Pal.Windows.CustomExtensions.cs
+++ /dev/null
@@ -1,70 +0,0 @@
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-
-using System.Diagnostics;
-using System.Runtime.InteropServices;
-using Internal.Cryptography;
-
-namespace System.Security.Cryptography.X509Certificates
-{
- ///
- /// A singleton class that encapsulates the native implementation of various X509 services. (Implementing this as a singleton makes it
- /// easier to split the class into abstract and implementation classes if desired.)
- ///
- internal sealed partial class X509Pal : IX509Pal
- {
- public bool SupportsLegacyBasicConstraintsExtension
- {
- get { return true; }
- }
-
- public byte[] EncodeX509BasicConstraints2Extension(bool certificateAuthority, bool hasPathLengthConstraint, int pathLengthConstraint)
- {
- unsafe
- {
- CERT_BASIC_CONSTRAINTS2_INFO constraintsInfo = new CERT_BASIC_CONSTRAINTS2_INFO()
- {
- fCA = certificateAuthority ? 1 : 0,
- fPathLenConstraint = hasPathLengthConstraint ? 1 : 0,
- dwPathLenConstraint = pathLengthConstraint,
- };
-
- return Interop.crypt32.EncodeObject(Oids.BasicConstraints2, &constraintsInfo);
- }
- }
-
- public void DecodeX509BasicConstraintsExtension(byte[] encoded, out bool certificateAuthority, out bool hasPathLengthConstraint, out int pathLengthConstraint)
- {
- unsafe
- {
- (certificateAuthority, hasPathLengthConstraint, pathLengthConstraint) = encoded.DecodeObject(
- CryptDecodeObjectStructType.X509_BASIC_CONSTRAINTS,
- static delegate (void* pvDecoded, int cbDecoded)
- {
- Debug.Assert(cbDecoded >= sizeof(CERT_BASIC_CONSTRAINTS_INFO));
- CERT_BASIC_CONSTRAINTS_INFO* pBasicConstraints = (CERT_BASIC_CONSTRAINTS_INFO*)pvDecoded;
- return ((Marshal.ReadByte(pBasicConstraints->SubjectType.pbData) & CERT_BASIC_CONSTRAINTS_INFO.CERT_CA_SUBJECT_FLAG) != 0,
- pBasicConstraints->fPathLenConstraint != 0,
- pBasicConstraints->dwPathLenConstraint);
- });
- }
- }
-
- public void DecodeX509BasicConstraints2Extension(byte[] encoded, out bool certificateAuthority, out bool hasPathLengthConstraint, out int pathLengthConstraint)
- {
- unsafe
- {
- (certificateAuthority, hasPathLengthConstraint, pathLengthConstraint) = encoded.DecodeObject(
- CryptDecodeObjectStructType.X509_BASIC_CONSTRAINTS2,
- static delegate (void* pvDecoded, int cbDecoded)
- {
- Debug.Assert(cbDecoded >= sizeof(CERT_BASIC_CONSTRAINTS2_INFO));
- CERT_BASIC_CONSTRAINTS2_INFO* pBasicConstraints2 = (CERT_BASIC_CONSTRAINTS2_INFO*)pvDecoded;
- return (pBasicConstraints2->fCA != 0,
- pBasicConstraints2->fPathLenConstraint != 0,
- pBasicConstraints2->dwPathLenConstraint);
- });
- }
- }
- }
-}
diff --git a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Pal.iOS.cs b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Pal.iOS.cs
index 76ac0eaec4209..4b2a317f08c7e 100644
--- a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Pal.iOS.cs
+++ b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Pal.iOS.cs
@@ -13,7 +13,7 @@ private static partial IX509Pal BuildSingleton()
 return new AppleX509Pal();
 }
- private sealed partial class AppleX509Pal : ManagedX509ExtensionProcessor, IX509Pal
+ private sealed partial class AppleX509Pal : IX509Pal
 {
 public AsymmetricAlgorithm DecodePublicKey(Oid oid, byte[] encodedKeyValue, byte[] encodedParameters, ICertificatePal? certificatePal)
diff --git a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Pal.macOS.cs b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Pal.macOS.cs
index c154551bcde3e..78d28c984c99f 100644
--- a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Pal.macOS.cs
+++ b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Pal.macOS.cs
@@ -17,7 +17,7 @@ private static partial IX509Pal BuildSingleton()
 return new AppleX509Pal();
 }
- private sealed partial class AppleX509Pal : ManagedX509ExtensionProcessor, IX509Pal
+ private sealed partial class AppleX509Pal : IX509Pal
 {
 public AsymmetricAlgorithm DecodePublicKey(Oid oid, byte[] encodedKeyValue, byte[] encodedParameters, ICertificatePal? certificatePal)
diff --git a/src/native/libs/System.Security.Cryptography.Native/entrypoints.c b/src/native/libs/System.Security.Cryptography.Native/entrypoints.c
index d41e1944250f2..329d0932ecf72 100644
--- a/src/native/libs/System.Security.Cryptography.Native/entrypoints.c
+++ b/src/native/libs/System.Security.Cryptography.Native/entrypoints.c
@@ -57,7 +57,6 @@ static const Entry s_cryptoNative[] =
 DllImportEntry(CryptoNative_DecodePkcs8PrivateKey)
 DllImportEntry(CryptoNative_DecodeSubjectPublicKeyInfo)
 DllImportEntry(CryptoNative_DecodeX509)
- DllImportEntry(CryptoNative_DecodeX509BasicConstraints2Extension)
 DllImportEntry(CryptoNative_DecodeX509Crl)
 DllImportEntry(CryptoNative_DsaDestroy)
 DllImportEntry(CryptoNative_DsaGenerateKey)
diff --git a/src/native/libs/System.Security.Cryptography.Native/opensslshim.h b/src/native/libs/System.Security.Cryptography.Native/opensslshim.h
index 4c6b176f1de74..b5b9de2392863 100644
--- a/src/native/libs/System.Security.Cryptography.Native/opensslshim.h
+++ b/src/native/libs/System.Security.Cryptography.Native/opensslshim.h
@@ -259,7 +259,6 @@ extern bool g_libSslUses32BitTime;
 REQUIRED_FUNCTION(ASN1_TIME_set) \
 FALLBACK_FUNCTION(ASN1_TIME_to_tm) \
 REQUIRED_FUNCTION(ASN1_TIME_free) \
- REQUIRED_FUNCTION(BASIC_CONSTRAINTS_free) \
 REQUIRED_FUNCTION(BIO_ctrl) \
 REQUIRED_FUNCTION(BIO_ctrl_pending) \
 REQUIRED_FUNCTION(BIO_free) \
@@ -298,7 +297,6 @@ extern bool g_libSslUses32BitTime;
 REQUIRED_FUNCTION(CRYPTO_malloc) \
 LEGACY_FUNCTION(CRYPTO_num_locks) \
 LEGACY_FUNCTION(CRYPTO_set_locking_callback) \
- REQUIRED_FUNCTION(d2i_BASIC_CONSTRAINTS) \
 REQUIRED_FUNCTION(d2i_OCSP_RESPONSE) \
 REQUIRED_FUNCTION(d2i_PKCS12_fp) \
 REQUIRED_FUNCTION(d2i_PKCS7) \
@@ -807,7 +805,6 @@ extern TYPEOF(OPENSSL_gmtime)* OPENSSL_gmtime_ptr;
 #define ASN1_TIME_new ASN1_TIME_new_ptr
 #define ASN1_TIME_set ASN1_TIME_set_ptr
 #define ASN1_TIME_to_tm ASN1_TIME_to_tm_ptr
-#define BASIC_CONSTRAINTS_free BASIC_CONSTRAINTS_free_ptr
 #define BIO_ctrl BIO_ctrl_ptr
 #define BIO_ctrl_pending BIO_ctrl_pending_ptr
 #define BIO_free BIO_free_ptr
@@ -846,7 +843,6 @@ extern TYPEOF(OPENSSL_gmtime)* OPENSSL_gmtime_ptr;
 #define CRYPTO_malloc CRYPTO_malloc_ptr
 #define CRYPTO_num_locks CRYPTO_num_locks_ptr
 #define CRYPTO_set_locking_callback CRYPTO_set_locking_callback_ptr
-#define d2i_BASIC_CONSTRAINTS d2i_BASIC_CONSTRAINTS_ptr
 #define d2i_OCSP_RESPONSE d2i_OCSP_RESPONSE_ptr
 #define d2i_PKCS12_fp d2i_PKCS12_fp_ptr
 #define d2i_PKCS7 d2i_PKCS7_ptr
diff --git a/src/native/libs/System.Security.Cryptography.Native/pal_x509ext.c b/src/native/libs/System.Security.Cryptography.Native/pal_x509ext.c
index fc9d8818f5d0d..d05e3c866a30a 100644
--- a/src/native/libs/System.Security.Cryptography.Native/pal_x509ext.c
+++ b/src/native/libs/System.Security.Cryptography.Native/pal_x509ext.c
@@ -26,48 +26,3 @@ int32_t CryptoNative_X509V3ExtPrint(BIO* out, X509_EXTENSION* ext)
 ERR_clear_error();
 return X509V3_EXT_print(out, ext, X509V3_EXT_DEFAULT, /*indent*/ 0);
 }
-
-int32_t CryptoNative_DecodeX509BasicConstraints2Extension(const uint8_t* encoded,
- int32_t encodedLength,
- int32_t* certificateAuthority,
- int32_t* hasPathLengthConstraint,
- int32_t* pathLengthConstraint)
-{
- if (!certificateAuthority || !hasPathLengthConstraint || !pathLengthConstraint)
- {
- return false;
- }
-
- *certificateAuthority = false;
- *hasPathLengthConstraint = false;
- *pathLengthConstraint = 0;
- int32_t result = false;
-
- ERR_clear_error();
-
- BASIC_CONSTRAINTS* constraints = d2i_BASIC_CONSTRAINTS(NULL, &encoded, encodedLength);
- if (constraints)
- {
- *certificateAuthority = constraints->ca != 0;
-
- if (constraints->pathlen != NULL)
- {
- *hasPathLengthConstraint = true;
- long pathLength = ASN1_INTEGER_get(constraints->pathlen);
-
- // pathLengthConstraint needs to be in the Int32 range
- assert(pathLength <= INT32_MAX);
- *pathLengthConstraint = (int32_t)pathLength;
- }
- else
- {
- *hasPathLengthConstraint = false;
- *pathLengthConstraint = 0;
- }
-
- BASIC_CONSTRAINTS_free(constraints);
- result = true;
- }
-
- return result;
-}
diff --git a/src/native/libs/System.Security.Cryptography.Native/pal_x509ext.h b/src/native/libs/System.Security.Cryptography.Native/pal_x509ext.h
index 0da81f9d124cd..0b686ab01439f 100644
--- a/src/native/libs/System.Security.Cryptography.Native/pal_x509ext.h
+++ b/src/native/libs/System.Security.Cryptography.Native/pal_x509ext.h
@@ -32,18 +32,3 @@ Shims the X509V3_EXT_print method.
 Returns 1 on success, otherwise 0 if there was an error.
 */
 PALEXPORT int32_t CryptoNative_X509V3ExtPrint(BIO* out, X509_EXTENSION* ext);
-
-/*
-Decodes the X509 BASIC_CONSTRAINTS information and fills the out variables:
-1. bool certificateAuthority
-2. bool hasPathLengthConstraint
-3. int32_t pathLengthConstraint
-
-Returns 1 if the BASIC_CONSTRAINTS information was successfully decoded,
-otherwise 0.
-*/
-PALEXPORT int32_t CryptoNative_DecodeX509BasicConstraints2Extension(const uint8_t* encoded,
- int32_t encodedLength,
- int32_t* certificateAuthority,
- int32_t* hasPathLengthConstraint,
- int32_t* pathLengthConstraint);