System.Security.Cryptography.Pkcs

Decodes the provided data as a CMS/PKCS#7 EnvelopedData message.

The data to decode. The parameter was not successfully decoded.

Gets or sets the RSA signature padding to use.

The RSA signature padding to use.

Initializes a new instance of the CmsSigner class with a specified signer certificate, subject identifier type, private key object, and RSA signature padding.

One of the enumeration values that specifies the scheme to use for identifying which signing certificate was used. The certificate whose private key will be used to sign a message. The private key object to use when signing the message. The RSA signature padding to use.

Create a CertBag for a specified certificate type and encoding.

The identifier for the certificate type The encoded value No validation is done to ensure that the value is correct for the indicated . Note that for X.509 public-key certificates the correct encoding for a CertBag value is to wrap the DER-encoded certificate in an OCTET STRING.

Create a timestamp request using a pre-computed hash value.

The pre-computed hash value to be timestamped. The Object Identifier (OID) for the hash algorithm which produced . The Object Identifier (OID) for a timestamp policy the Timestamp Authority (TSA) should use, or null to express no preference. An optional nonce (number used once) to uniquely identify this request to pair it with the response. The value is interpreted as an unsigned big-endian integer and may be normalized to the encoding format. Indicates whether the Timestamp Authority (TSA) must (true) or must not (false) include the signing certificate in the issued timestamp token. RFC3161 extensions to present with the request. An representing the chosen values.

Get a SignedCms representation of the RFC3161 Timestamp Token.

The SignedCms representation of the RFC3161 Timestamp Token. Successive calls to this method return the same object. The SignedCms class is mutable, but changes to that object are not reflected in the object which produced it. The value from calling can be interpreted again as an via another call to .

Represents the timestamp token information class defined in RFC3161 as TSTInfo.

Initializes a new instance of the class with the specified parameters.

An OID representing the TSA's policy under which the response was produced. A hash algorithm OID of the data to be timestamped. A hash value of the data to be timestamped. An integer assigned by the TSA to the . The timestamp encoded in the token. The accuracy with which is compared. Also see . to ensure that every timestamp token from the same TSA can always be ordered based on the , regardless of the accuracy; to make indicate when token has been created by the TSA. The nonce associated with this timestamp token. Using a nonce always allows to detect replays, and hence its use is recommended. The hint in the TSA name identification. The actual identification of the entity that signed the response will always occur through the use of the certificate identifier. The extension values associated with the timestamp. If , , or are present in the , then the same value should be used. If is not provided, then the accuracy may be available through other means such as i.e. . ASN.1 corrupted data.

Gets the version of the timestamp token.

The version of the timestamp token.

Gets an OID representing the TSA's policy under which the response was produced.

An OID representing the TSA's policy under which the response was produced.

Gets an OID of the hash algorithm.

An OID of the hash algorithm.

Gets the data representing the message hash.

The data representing the message hash.

Gets an integer assigned by the TSA to the .

An integer assigned by the TSA to the .

Gets the timestamp encoded in the token.

The timestamp encoded in the token.

Gets the accuracy with which is compared.

The accuracy with which is compared.

Gets a value indicating if every timestamp token from the same TSA can always be ordered based on the , regardless of the accuracy; If , indicates when the token has been created by the TSA.

A value indicating if every timestamp token from the same TSA can always be ordered based on the .

Gets the nonce associated with this timestamp token.

The nonce associated with this timestamp token.

Gets a value indicating whether there are any extensions associated with this timestamp token.

A value indicating whether there are any extensions associated with this timestamp token.

Gets the data representing the hint in the TSA name identification.

The data representing the hint in the TSA name identification. The actual identification of the entity that signed the response will always occur through the use of the certificate identifier (ESSCertID Attribute) inside a SigningCertificate attribute which is part of the signer info.

Gets the extension values associated with the timestamp.

The extension values associated with the timestamp.

Encodes this object into a TSTInfo value

The encoded TSTInfo value.

Attempts to encode this object as a TSTInfo value, writing the result into the provided buffer.

The destination buffer. When this method returns , contains the bytes written to the buffer. if the operation succeeded; if the buffer size was insufficient.

Decodes an encoded TSTInfo value.

The input or source buffer. When this method returns , the decoded data. When this method returns , the value is , meaning the data could not be decoded. The number of bytes used for decoding. if the operation succeeded; otherwise.

SafeHandle representing HCRYPTHASH handle

Safe handle representing a HCRYPTKEY

Since we need to delete the key handle before the provider is released we need to actually hold a pointer to a CRYPT_KEY_CTX unmanaged structure whose destructor decrements a refCount. Only when the provider refCount is 0 it is deleted. This way, we loose a race in the critical finalization of the key handle and provider handle. This also applies to hash handles, which point to a CRYPT_HASH_CTX. Those structures are defined in COMCryptography.h

Safehandle representing HCRYPTPROV

Map from an ASCII char to its hex value, e.g. arr['b'] == 11. 0xFF means it's not a hex digit.

The `{0}` string cannot be empty or null.

Only single dimensional arrays are supported for the requested action.

The destination is too small to hold the encoded value.

Offset and length were out of bounds for the array or count is greater than the number of elements from index to the end of the source collection.

The OID value was invalid.

Value was invalid.

The RSA padding must be Pkcs1 or Pss.

Index was out of range. Must be non-negative and less than the size of the collection.

Index was out of range. Must be non-negative and less than or equal to the size of the collection.

Positive number required.

The KDF for algorithm '{0}' requires a char-based password input.

The hash value is not correct.

Invalid signature.

Could not determine signature algorithm for the signer certificate.

The certificate chain is incomplete, the self-signed root authority could not be determined.

Invalid originator identifier choice {0} found in decoded CMS.

The subject identifier type {0} is not valid.

Invalid cryptographic message type.

SignerInfo digest algorithm '{0}' is not valid for signature algorithm '{1}'.

The Date property is not available for none KID key agree recipient.

The CMS message is not encrypted.

The CMS message is not signed.

The cryptographic message does not contain an expected authenticated attribute.

Only one level of counter-signatures are supported on this platform.

The recipients collection is empty. You must specify at least one recipient. This platform does not implement the certificate picker UI.

No signer certificate was provided. This platform does not implement the certificate picker UI.

No signer certificate was provided.

The signed cryptographic message does not have a signer for the specified signer index.

The enveloped-data message does not contain the specified recipient.

The recipient type '{0}' is not supported for encryption or decryption on this platform.

Cannot create CMS signature for empty content.

CmsSigner has to be the first signer with NoSignature.

Cannot find the original signer.

A certificate with a private key is required.

An RSA key is required to decrypt for a RecipientInfo with a KeyTransport recipient type.

An RSA certificate is required for a CmsRecipient when used with RSAEncryptionPadding.

Certificate trust could not be established. The first reported error is: {0}

Unknown algorithm '{0}'.

Unable to determine the type of key handle from this keyspec {0}.

The certificate is not valid for the requested usage.

Key is not a valid public or private key.

This operation is not valid on an encrypted or enveloped Pkcs12SafeContents.

The Pkcs12CertBag contents are not an X.509 certificate.

The Pkcs12Builder can no longer be modified because one of the Seal methods was already invoked.

One of the Seal methods must be invoked on the Pkcs12Builder before invoking an Encode method.

Cannot enumerate the contents of an encrypted or enveloped Pkcs12SafeContents.

New Pkcs12SafeBag values cannot be added to a Pkcs12SafeContents that was read from existing data.

This decryption operation applies to 'Pkcs12ConfidentialityMode.{0}', but the target object is in 'Pkcs12ConfidentialityMode.{1}'.

This verification operation applies to 'Pkcs12IntegrityMode.{0}', but the target object is in 'Pkcs12IntegrityMode.{1}'.

Invalid signature parameters.

The EncryptedPrivateKeyInfo structure was decoded but was not successfully interpreted, the password may be incorrect.

The parameter should be a PKCS 9 attribute.

Cannot add multiple PKCS 9 signing time attributes.

PSS parameters were not present.

This platform requires that the PSS hash algorithm ({0}) match the data digest algorithm ({1}).

This platform does not support the MGF hash algorithm ({0}) being different from the signature hash algorithm ({1}).

Mask generation function '{0}' is not supported by this platform.

PSS salt size {0} is not supported by this platform with hash algorithm {1}.

The response from the timestamping server did not match the request nonce.

The response from the timestamping server was not understood.

The timestamping server did not grant the request. The request status is '{0}' with failure info '{1}'.

The timestamping request required the TSA certificate in the response, but it was not found.

The timestamping request required the TSA certificate not be included in the response, but certificates were present.

Duplicate items are not allowed in the collection.

AsnEncodedData element in the collection has wrong Oid value: expected = '{0}', actual = '{1}'.

System.Security.Cryptography.Pkcs is only supported on Windows platforms.

Algorithm '{0}' is not supported on this platform.

ASN1 corrupted data.

The string contains a character not in the 7 bit ASCII character set.

The algorithm identified by '{0}' is unknown, not valid for the requested usage, or was not handled.

'{0}' is not a known hash algorithm.

Attribute not found.

Certificate not found.

Certificate already present in the collection.

The key in the enveloped message is not valid or could not be decoded.

PKCS12 (PFX) without a supplied password has exceeded maximum allowed iterations. See https://go.microsoft.com/fwlink/?linkid=2233907 for more information.

There was a problem with the PKCS12 (PFX) without a supplied password. See https://go.microsoft.com/fwlink/?linkid=2233907 for more information.

Attribute used to indicate a source generator should create a function for marshalling arguments instead of relying on the runtime to generate an equivalent marshalling function at run-time.

This attribute is meaningless if the source generator associated with it is not enabled. The current built-in source generator only supports C# and only supplies an implementation when applied to static, partial, non-generic methods.

Initializes a new instance of the .

Name of the library containing the import.

Gets the name of the library containing the import.

Gets or sets the name of the entry point to be called.

Gets or sets how to marshal string arguments to the method.

If this field is set to a value other than , must not be specified.

Gets or sets the used to control how string arguments to the method are marshalled.

If this field is specified, must not be specified or must be set to .

Gets or sets whether the callee sets an error (SetLastError on Windows or errno on other platforms) before returning from the attributed method.

Specifies how strings should be marshalled for generated p/invokes

Indicates the user is suppling a specific marshaller in .

Use the platform-provided UTF-8 marshaller.

Use the platform-provided UTF-16 marshaller.

Return the managed representation of the recipients. .NET Framework compat: Unlike the desktop, we compute this once and then latch it. Since both RecipientInfo and RecipientInfoCollection are immutable objects, this should be a safe optimization to make.

Attempt to decrypt the CMS using the specified "cert". If successful, return the ContentInfo that contains the decrypted content. If unsuccessful, return null and set "exception" to a valid Exception object. Do not throw the exception as EnvelopedCms will want to continue decryption attempts against other recipients. Only if all the recipients fail to decrypt will then EnvelopedCms throw the exception from the last failed attempt.

This is not just a convenience wrapper for Array.Resize(). In DEBUG builds, it forces the array to move in memory even if no resize is needed. This should be used by helper methods that do anything of the form "call a native api once to get the estimated size, call it again to get the data and return the data in a byte[] array." Sometimes, that data consist of a native data structure containing pointers to other parts of the block. Using such a helper to retrieve such a block results in an intermittent AV. By using this helper, you make that AV repro every time.

.NET Framework compat: We do not complain about multiple matches. Just take the first one and ignore the rest.

Asserts on bad or non-canonicalized input. Input must come from trusted sources. Subject Key Identifier is string-ized as an upper case hex string. This format is part of the public api behavior and cannot be changed.

Asserts on bad or non-canonicalized input. Input must come from trusted sources. Serial number is string-ized as a reversed upper case hex string. This format is part of the public api behavior and cannot be changed.

Asserts on bad input. Input must come from trusted sources.

Asserts on bad input. Input must come from trusted sources.

Useful helper for "upgrading" well-known CMS attributes to type-specific objects such as Pkcs9DocumentName, Pkcs9DocumentDescription, etc.

Encrypt and encode a CMS. Return value is the RFC-compliant representation of the CMS that can be transmitted "on the wire."

Decode an encoded CMS. Call RecipientInfos on the returned pal object to get the recipients. Call TryDecrypt() on the returned pal object to attempt a decrypt for a single recipient.

Implements the ContentInfo.GetContentType() behavior.

EnvelopedCms.Decrypt() looks for qualifying certs from the "MY" store (as well as any "extraStore" passed to Decrypt()). This method encapsulates exactly what a particular OS considers to be "the MY store."

If EnvelopedCms.Decrypt() fails to find any matching certs for any recipients, it throws CryptographicException(CRYPT_E_RECIPIENT_NOT_FOUND) on Windows. This method encapsulates what other OS's decide to throw in this situation.

If you call RecipientInfos after an Encrypt(), the framework throws CryptographicException(CRYPT_E_INVALID_MSG_TYPE) on Windows. This method encapsulates what other OS's decide to throw in this situation.

If you call Decrypt() after an Encrypt(), the framework throws CryptographicException(CRYPT_E_INVALID_MSG_TYPE) on Windows. This method encapsulates what other OS's decide to throw in this situation.

If you call Decrypt() after a Encrypt(), the framework throws CryptographicException(CRYPT_E_INVALID_MSG_TYPE) on Windows. This method encapsulates what other OS's decide to throw in this situation.

Retrieve the certificate's subject key identifier value.

Retrieve a private key object for the certificate to use with signing.

Retrieve a private key object for the certificate to use with decryption.

Get the one instance of PkcsPal.

Returns the inner content of the CMS. Special case: If the CMS is an enveloped CMS that has been decrypted and the inner content type is Oids.Pkcs7Data, the returned content bytes are the decoded octet bytes, rather than the encoding of those bytes. This is a documented convenience behavior of CryptMsgGetParam(CMSG_CONTENT_PARAM) that apparently got baked into the behavior of the managed EnvelopedCms class.

Returns (AlgId)(-1) if oid is unknown.

Provides a cache for special instances of SafeHandles.

Specifies the type of SafeHandle.

Gets a cached, invalid handle. As the instance is cached, it should either never be Disposed or it should override to prevent disposal when the instance represents an invalid handle: returns .

Gets whether the specified handle is invalid handle.

The handle to compare. true if is invalid handle; otherwise, false.

Returns a string message for the specified Win32 error code.

Result codes from NCrypt APIs