Merge pull request dotnet/corefx#2912 from bartonjs/unix_pkcs7

Add support for importing PKCS7 files as X509Certificate2Collections.

Commit migrated from dotnet/corefx@36969f1

Author: bartonjs

src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.Crypto.cs

@@ -66,13 +66,23 @@ internal static partial class Crypto
         [DllImport(Libraries.CryptoNative)]
         internal static extern int GetX509StackFieldCount(SafeX509StackHandle stack);
 
+        [DllImport(Libraries.CryptoNative)]
+        internal static extern int GetX509StackFieldCount(SafeSharedX509StackHandle stack);
+
         /// <summary>
         /// Gets a pointer to a certificate within a STACK_OF(X509). This pointer will later
         /// be freed, so it should be cloned via new X509Certificate2(IntPtr)
         /// </summary>
         [DllImport(Libraries.CryptoNative)]
         internal static extern IntPtr GetX509StackField(SafeX509StackHandle stack, int loc);
 
+        /// <summary>
+        /// Gets a pointer to a certificate within a STACK_OF(X509). This pointer will later
+        /// be freed, so it should be cloned via new X509Certificate2(IntPtr)
+        /// </summary>
+        [DllImport(Libraries.CryptoNative)]
+        internal static extern IntPtr GetX509StackField(SafeSharedX509StackHandle stack, int loc);
+
         [DllImport(Libraries.CryptoNative)]
         [return: MarshalAs(UnmanagedType.Bool)]
         internal static extern bool PushX509StackField(SafeX509StackHandle stack, SafeX509Handle x509);
@@ -86,6 +96,9 @@ internal static partial class Crypto
         [DllImport(Libraries.CryptoNative)]
         internal static extern int UpRefEvpPkey(SafeEvpPkeyHandle handle);
 
+        [DllImport(Libraries.CryptoNative)]
+        private static extern int GetPkcs7Certificates(SafePkcs7Handle p7, out SafeSharedX509StackHandle certs);
+
         [DllImport(Libraries.CryptoNative)]
         private static extern int SetX509ChainVerifyTime(
             SafeX509StoreCtxHandle ctx,
@@ -141,6 +154,27 @@ internal static void SetX509ChainVerifyTime(SafeX509StoreCtxHandle ctx, DateTime
             }
         }
 
+        internal static SafeSharedX509StackHandle GetPkcs7Certificates(SafePkcs7Handle p7)
+        {
+            if (p7 == null || p7.IsInvalid)
+            {
+                return SafeSharedX509StackHandle.InvalidHandle;
+            }
+
+            SafeSharedX509StackHandle certs;
+            int result = GetPkcs7Certificates(p7, out certs);
+
+            if (result != 1)
+            {
+                throw Interop.libcrypto.CreateOpenSslCryptographicException();
+            }
+
+            // Track the parent relationship for the interior pointer so lifetime is well-managed.
+            certs.SetParent(p7);
+
+            return certs;
+        }
+
         private static byte[] GetDynamicBuffer<THandle>(NegativeSizeReadMethod<THandle> method, THandle handle)
         {
             int negativeSize = method(handle, null, 0);

src/libraries/Common/src/Interop/Unix/libcrypto/Interop.Pkcs7.cs

@@ -0,0 +1,25 @@
+// Copyright (c) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE file in the project root for full license information.
+
+using System;
+using System.Runtime.InteropServices;
+
+using Microsoft.Win32.SafeHandles;
+
+internal static partial class Interop
+{
+    internal static partial class libcrypto
+    {
+        [DllImport(Libraries.LibCrypto)]
+        internal static extern SafePkcs7Handle PEM_read_bio_PKCS7(SafeBioHandle bp, IntPtr xZero, IntPtr cbZero, IntPtr uZero);
+
+        [DllImport(Libraries.LibCrypto)]
+        internal static unsafe extern SafePkcs7Handle d2i_PKCS7(IntPtr zero, byte** ppin, int len);
+
+        [DllImport(Libraries.LibCrypto)]
+        internal static extern SafePkcs7Handle d2i_PKCS7_bio(SafeBioHandle bp, IntPtr pp7Zero);
+
+        [DllImport(Libraries.LibCrypto)]
+        internal static extern void PKCS7_free(IntPtr p12);
+    }
+}

src/libraries/Common/src/Microsoft/Win32/SafeHandles/SafePkcs7Handle.Unix.cs

@@ -0,0 +1,28 @@
+// Copyright (c) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE file in the project root for full license information.
+
+using System;
+using System.Runtime.InteropServices;
+
+namespace Microsoft.Win32.SafeHandles
+{
+    internal sealed class SafePkcs7Handle : SafeHandle
+    {
+        private SafePkcs7Handle() :
+            base(IntPtr.Zero, ownsHandle: true)
+        {
+        }
+
+        protected override bool ReleaseHandle()
+        {
+            Interop.libcrypto.PKCS7_free(handle);
+            SetHandle(IntPtr.Zero);
+            return true;
+        }
+
+        public override bool IsInvalid
+        {
+            get { return handle == IntPtr.Zero; }
+        }
+    }
+}

src/libraries/Common/src/Microsoft/Win32/SafeHandles/SafeX509Handles.Unix.cs

@@ -2,6 +2,7 @@
 // Licensed under the MIT license. See LICENSE file in the project root for full license information.
 
 using System;
+using System.Diagnostics;
 using System.Security;
 using System.Runtime.InteropServices;
 
@@ -92,4 +93,53 @@ public override bool IsInvalid
             get { return handle == IntPtr.Zero; }
         }
     }
+
+    /// <summary>
+    /// Represents access to a STACK_OF(X509)* which is a member of a structure tracked
+    /// by another SafeHandle.
+    /// </summary>
+    [SecurityCritical]
+    internal sealed class SafeSharedX509StackHandle : SafeHandle
+    {
+        internal static readonly SafeSharedX509StackHandle InvalidHandle = new SafeSharedX509StackHandle();
+        private SafeHandle _parent;
+
+        private SafeSharedX509StackHandle() :
+            base(IntPtr.Zero, ownsHandle: true)
+        {
+        }
+
+        protected override bool ReleaseHandle()
+        {
+            SafeHandle parent = _parent;
+
+            if (parent != null)
+            {
+                parent.DangerousRelease();
+            }
+
+            _parent = null;
+            SetHandle(IntPtr.Zero);
+            return true;
+        }
+
+        public override bool IsInvalid
+        {
+            get
+            {
+                // If handle is 0, we're invalid.
+                // If we have a _parent and they're invalid, we're invalid.
+                return handle == IntPtr.Zero || (_parent != null && _parent.IsInvalid);
+            }
+        }
+
+        internal void SetParent(SafeHandle parent)
+        {
+            bool addedRef = false;
+            parent.DangerousAddRef(ref addedRef);
+            Debug.Assert(addedRef);
+
+            _parent = parent;
+        }
+    }
 }

src/libraries/Native/System.Security.Cryptography.Native/openssl.c

@@ -918,6 +918,41 @@ UpRefEvpPkey(
     return CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
 }
 
+/*
+Function:
+GetPkcs7Certificates
+
+Used by System.Security.Cryptography.X509Certificates' CertificatePal when
+reading the contents of a PKCS#7 file or blob.
+
+Return values:
+0 on NULL inputs, or a PKCS#7 file whose layout is not understood
+1 when the file format is understood, and *certs is assigned to the
+certificate contents of the structure.
+*/
+int
+GetPkcs7Certificates(
+    PKCS7* p7,
+    STACK_OF(X509)** certs)
+{
+    if (!p7 || !certs)
+    {
+        return 0;
+    }
+
+    switch (OBJ_obj2nid(p7->type))
+    {
+        case NID_pkcs7_signed:
+            *certs = p7->d.sign->cert;
+            return 1;
+        case NID_pkcs7_signedAndEnveloped:
+            *certs = p7->d.signed_and_enveloped->cert;
+            return 1;
+    }
+
+    return 0;
+}
+
 // Lock used to make sure EnsureopenSslInitialized itself is thread safe
 static pthread_mutex_t g_initLock = PTHREAD_MUTEX_INITIALIZER;