Add support for reading PFX in X509Certificate2 and X509Certificate2Collection on Unix.

At this stage HasPrivateKey properties on Unix still returns false, that is still coming.

Author: bartonjs

src/Common/src/Interop/Unix/libcrypto/Interop.EvpPkey.Rsa.cs

@@ -0,0 +1,15 @@
+// Copyright (c) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE file in the project root for full license information.
+
+using System.Runtime.InteropServices;
+
+using Microsoft.Win32.SafeHandles;
+
+internal static partial class Interop
+{
+    internal static partial class libcrypto
+    {
+        [DllImport(Libraries.LibCrypto)]
+        internal static extern SafeRsaHandle EVP_PKEY_get1_RSA(SafeEvpPkeyHandle pkey);
+    }
+}

src/Common/src/Interop/Unix/libcrypto/Interop.EvpPkey.cs

@@ -0,0 +1,14 @@
+// Copyright (c) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE file in the project root for full license information.
+
+using System;
+using System.Runtime.InteropServices;
+
+internal static partial class Interop
+{
+    internal static partial class libcrypto
+    {
+        [DllImport(Libraries.LibCrypto)]
+        internal static extern void EVP_PKEY_free(IntPtr pkey);
+    }
+}

src/Common/src/Interop/Unix/libcrypto/Interop.Pkcs12.cs

@@ -0,0 +1,26 @@
+// Copyright (c) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE file in the project root for full license information.
+
+using System;
+using System.Runtime.InteropServices;
+
+using Microsoft.Win32.SafeHandles;
+
+internal static partial class Interop
+{
+    internal static partial class libcrypto
+    {
+        [DllImport(Libraries.LibCrypto)]
+        internal static unsafe extern SafePkcs12Handle d2i_PKCS12(IntPtr zero, byte** ppin, int len);
+
+        [DllImport(Libraries.LibCrypto)]
+        internal static extern SafePkcs12Handle d2i_PKCS12_bio(SafeBioHandle bio, IntPtr zero);
+
+        [DllImport(Libraries.LibCrypto)]
+        internal static extern void PKCS12_free(IntPtr p12);
+        
+        [DllImport(Libraries.CryptoInterop, CharSet = CharSet.Ansi)]
+        [return: MarshalAs(UnmanagedType.Bool)]
+        internal static extern bool PKCS12_parse(SafePkcs12Handle p12, string pass, out SafeEvpPkeyHandle pkey, out SafeX509Handle cert, out SafeX509StackHandle ca);
+    }
+}

src/Common/src/Interop/Unix/libcrypto/Interop.d2i.cs

@@ -14,7 +14,7 @@ internal static partial class libcrypto
 
         internal unsafe delegate int I2DFunc<in THandle>(THandle handle, byte** @out);
 
-        internal static unsafe THandle OpenSslD2I<THandle>(D2IFunc<THandle> d2i, byte[] data)
+        internal static unsafe THandle OpenSslD2I<THandle>(D2IFunc<THandle> d2i, byte[] data, bool checkHandle=true)
             where THandle : SafeHandle
         {
             // The OpenSSL d2i_* functions are set up for cascaded calls, so they increment *ppData while reading.
@@ -27,7 +27,10 @@ internal static unsafe THandle OpenSslD2I<THandle>(D2IFunc<THandle> d2i, byte[]
 
                 THandle handle = d2i(IntPtr.Zero, ppData, data.Length);
 
-                CheckValidOpenSslHandle(handle);
+                if (checkHandle)
+                {
+                    CheckValidOpenSslHandle(handle);
+                }
 
                 return handle;
             }

src/Common/src/Microsoft/Win32/SafeHandles/SafeEvpPkeyHandle.Unix.cs

@@ -0,0 +1,28 @@
+// Copyright (c) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE file in the project root for full license information.
+
+using System;
+using System.Runtime.InteropServices;
+
+namespace Microsoft.Win32.SafeHandles
+{
+    internal sealed class SafeEvpPkeyHandle : SafeHandle
+    {
+        private SafeEvpPkeyHandle() :
+            base(IntPtr.Zero, ownsHandle: true)
+        {
+        }
+
+        protected override bool ReleaseHandle()
+        {
+            Interop.libcrypto.EVP_PKEY_free(handle);
+            SetHandle(IntPtr.Zero);
+            return true;
+        }
+
+        public override bool IsInvalid
+        {
+            get { return handle == IntPtr.Zero; }
+        }
+    }
+}

src/Common/src/Microsoft/Win32/SafeHandles/SafePkcs12Handle.Unix.cs

@@ -0,0 +1,28 @@
+// Copyright (c) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE file in the project root for full license information.
+
+using System;
+using System.Runtime.InteropServices;
+
+namespace Microsoft.Win32.SafeHandles
+{
+    internal sealed class SafePkcs12Handle : SafeHandle
+    {
+        private SafePkcs12Handle() :
+            base(IntPtr.Zero, ownsHandle: true)
+        {
+        }
+
+        protected override bool ReleaseHandle()
+        {
+            Interop.libcrypto.PKCS12_free(handle);
+            SetHandle(IntPtr.Zero);
+            return true;
+        }
+
+        public override bool IsInvalid
+        {
+            get { return handle == IntPtr.Zero; }
+        }
+    }
+}

src/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Unix/CertificatePal.cs

@@ -2,7 +2,9 @@
 // Licensed under the MIT license. See LICENSE file in the project root for full license information.
 
 using System;
+using System.Diagnostics;
 using System.Security.Cryptography.X509Certificates;
+using Microsoft.Win32.SafeHandles;
 
 namespace Internal.Cryptography.Pal
 {
@@ -16,9 +18,64 @@ public static ICertificatePal FromHandle(IntPtr handle)
             return new OpenSslX509CertificateReader(Interop.libcrypto.X509_dup(handle));
         }
 
-        public static ICertificatePal FromBlob(byte[] rawData, string password, X509KeyStorageFlags keyStorageFlags)
+        public static unsafe ICertificatePal FromBlob(byte[] rawData, string password, X509KeyStorageFlags keyStorageFlags)
         {
-            return new OpenSslX509CertificateReader(rawData);
+            // If we can see a hyphen, assume it's PEM.  Otherwise try DER-X509, then fall back to DER-PKCS12.
+            SafeX509Handle cert;
+
+            // PEM
+            if (rawData[0] == '-')
+            {
+                using (SafeBioHandle bio = Interop.libcrypto.BIO_new(Interop.libcrypto.BIO_s_mem()))
+                {
+                    Interop.libcrypto.CheckValidOpenSslHandle(bio);
+
+                    Interop.libcrypto.BIO_write(bio, rawData, rawData.Length);
+                    cert = Interop.libcrypto.PEM_read_bio_X509_AUX(bio, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero);
+                }
+
+                Interop.libcrypto.CheckValidOpenSslHandle(cert);
+            }
+
+            // DER-X509
+            cert = Interop.libcrypto.OpenSslD2I((ptr, b, i) => Interop.libcrypto.d2i_X509(ptr, b, i), rawData, checkHandle: false);
+
+            if (!cert.IsInvalid)
+            {
+                return new OpenSslX509CertificateReader(cert);
+            }
+
+            // DER-PKCS12
+            OpenSslPkcs12Reader pfx;
+
+            if (OpenSslPkcs12Reader.TryRead(rawData, out pfx))
+            {
+                using (pfx)
+                {
+                    pfx.Decrypt(password);
+
+                    ICertificatePal first = null;
+
+                    foreach (OpenSslX509CertificateReader certPal in pfx.ReadCertificates())
+                    {
+                        // When requesting an X509Certificate2 from a PFX only the first entry is
+                        // returned.  Other entries should be disposed.
+                        if (first == null)
+                        {
+                            first = certPal;
+                        }
+                        else
+                        {
+                            certPal.Dispose();
+                        }
+                    }
+
+                    return first;
+                }
+            }
+
+            // Unsupported
+            throw Interop.libcrypto.CreateOpenSslCryptographicException();
         }
 
         public static ICertificatePal FromFile(string fileName, string password, X509KeyStorageFlags keyStorageFlags)

src/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Unix/OpenSslPkcs12Reader.cs

@@ -0,0 +1,129 @@
+// Copyright (c) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE file in the project root for full license information.
+
+using System;
+using System.Collections.Generic;
+
+using Microsoft.Win32.SafeHandles;
+
+namespace Internal.Cryptography.Pal
+{
+    internal sealed class OpenSslPkcs12Reader : IDisposable
+    {
+        private readonly SafePkcs12Handle _pkcs12Handle;
+        private SafeEvpPkeyHandle _evpPkeyHandle;
+        private SafeX509Handle _x509Handle;
+        private SafeX509StackHandle _caStackHandle;
+
+        private OpenSslPkcs12Reader(SafePkcs12Handle pkcs12Handle)
+        {
+            _pkcs12Handle = pkcs12Handle;
+        }
+
+        public unsafe static bool TryRead(byte[] data, out OpenSslPkcs12Reader pkcs12Reader)
+        {
+            SafePkcs12Handle handle = Interop.libcrypto.OpenSslD2I(
+                (ptr, b, i) => Interop.libcrypto.d2i_PKCS12(ptr, b, i),
+                data,
+                checkHandle: false);
+
+            if (!handle.IsInvalid)
+            {
+                pkcs12Reader = new OpenSslPkcs12Reader(handle);
+                return true;
+            }
+
+            pkcs12Reader = null;
+            return false;
+        }
+
+        public static bool TryRead(SafeBioHandle fileBio, out OpenSslPkcs12Reader pkcs12Reader)
+        {
+            SafePkcs12Handle p12 = Interop.libcrypto.d2i_PKCS12_bio(fileBio, IntPtr.Zero);
+
+            if (!p12.IsInvalid)
+            {
+                pkcs12Reader = new OpenSslPkcs12Reader(p12);
+                return true;
+            }
+
+            pkcs12Reader = null;
+            return false;
+        }
+
+        public void Dispose()
+        {
+            if (_caStackHandle != null)
+            {
+                _caStackHandle.Dispose();
+                _caStackHandle = null;
+            }
+
+            if (_x509Handle != null)
+            {
+                _x509Handle.Dispose();
+                _x509Handle = null;
+            }
+
+            if (_evpPkeyHandle != null)
+            {
+                _evpPkeyHandle.Dispose();
+                _evpPkeyHandle = null;
+            }
+
+            if (_pkcs12Handle != null)
+            {
+                _pkcs12Handle.Dispose();
+            }
+        }
+
+        public void Decrypt(string password)
+        {
+            bool parsed = Interop.libcrypto.PKCS12_parse(
+                _pkcs12Handle,
+                password,
+                out _evpPkeyHandle,
+                out _x509Handle,
+                out _caStackHandle);
+
+            if (!parsed)
+            {
+                throw Interop.libcrypto.CreateOpenSslCryptographicException();
+            }
+        }
+
+        public List<OpenSslX509CertificateReader> ReadCertificates()
+        {
+            var certs = new List<OpenSslX509CertificateReader>();
+
+            if (_caStackHandle != null && !_caStackHandle.IsInvalid)
+            {
+                int caCertCount = Interop.NativeCrypto.GetX509StackFieldCount(_caStackHandle);
+
+                for (int i = 0; i < caCertCount; i++)
+                {
+                    IntPtr certPtr = Interop.NativeCrypto.GetX509StackField(_caStackHandle, i);
+
+                    if (certPtr != IntPtr.Zero)
+                    {
+                        // The STACK_OF(X509) still needs to be cleaned up, so duplicate the handle out of it.
+                        certs.Add(new OpenSslX509CertificateReader(Interop.libcrypto.X509_dup(certPtr)));
+                    }
+                }
+            }
+
+            if (_x509Handle != null && !_x509Handle.IsInvalid)
+            {
+                // The certificate and (if applicable) private key handles will be given over
+                // to the OpenSslX509CertificateReader, and the fields here are thus nulled out to
+                // prevent double-Dispose.
+                OpenSslX509CertificateReader reader = new OpenSslX509CertificateReader(_x509Handle);
+                _x509Handle = null;
+
+                certs.Add(reader);
+            }
+
+            return certs;
+        }
+    }
+}

src/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Unix/OpenSslX509CertificateReader.cs

@@ -35,41 +35,6 @@ internal OpenSslX509CertificateReader(SafeX509Handle handle)
             _cert = handle;
         }
 
-        internal unsafe OpenSslX509CertificateReader(byte[] data)
-        {
-            SafeX509Handle cert;
-
-            // If the first byte is a hyphen then this is likely PEM-encoded,
-            // otherwise it's DER-encoded (or not a certificate).
-            if (data[0] == '-')
-            {
-                using (SafeBioHandle bio = Interop.libcrypto.BIO_new(Interop.libcrypto.BIO_s_mem()))
-                {
-                    Interop.libcrypto.CheckValidOpenSslHandle(bio);
-
-                    Interop.libcrypto.BIO_write(bio, data, data.Length);
-                    cert = Interop.libcrypto.PEM_read_bio_X509_AUX(bio, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero);
-                }
-            }
-            else
-            {
-                cert = Interop.libcrypto.OpenSslD2I(Interop.libcrypto.d2i_X509, data);
-            }
-
-            Interop.libcrypto.CheckValidOpenSslHandle(cert);
-
-            // X509_check_purpose has the effect of populating the sha1_hash value,
-            // and other "initialize" type things.
-            bool init = Interop.libcrypto.X509_check_purpose(cert, -1, 0);
-
-            if (!init)
-            {
-                throw Interop.libcrypto.CreateOpenSslCryptographicException();
-            }
-
-            _cert = cert;
-        }
-
         public bool HasPrivateKey
         {
             get { return false; }