Skip to content

Commit 211e8db

Browse files
PranavSenthilnathanPranavSenthilnathan
authored
Dispose all resources used in CmsSignature (#115666)
1 parent 60dd616 commit 211e8db

File tree

5 files changed

+246
-211
lines changed

5 files changed

+246
-211
lines changed

src/libraries/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/CmsSignature.DSA.cs

Lines changed: 75 additions & 68 deletions
Original file line numberDiff line numberDiff line change
@@ -71,31 +71,34 @@ internal override bool VerifySignature(
7171
return false;
7272
}
7373

74-
DSAParameters dsaParameters = dsa.ExportParameters(false);
75-
int bufSize = 2 * dsaParameters.Q!.Length;
74+
using (dsa)
75+
{
76+
DSAParameters dsaParameters = dsa.ExportParameters(false);
77+
int bufSize = 2 * dsaParameters.Q!.Length;
7678

7779
#if NET || NETSTANDARD2_1
78-
byte[] rented = CryptoPool.Rent(bufSize);
79-
Span<byte> ieee = new Span<byte>(rented, 0, bufSize);
80+
byte[] rented = CryptoPool.Rent(bufSize);
81+
Span<byte> ieee = new Span<byte>(rented, 0, bufSize);
8082

81-
try
82-
{
83+
try
84+
{
8385
#else
84-
byte[] ieee = new byte[bufSize];
86+
byte[] ieee = new byte[bufSize];
8587
#endif
86-
if (!DsaDerToIeee(signature, ieee))
87-
{
88-
return false;
89-
}
88+
if (!DsaDerToIeee(signature, ieee))
89+
{
90+
return false;
91+
}
9092

91-
return dsa.VerifySignature(valueHash, ieee);
93+
return dsa.VerifySignature(valueHash, ieee);
9294
#if NET || NETSTANDARD2_1
93-
}
94-
finally
95-
{
96-
CryptoPool.Return(rented, bufSize);
97-
}
95+
}
96+
finally
97+
{
98+
CryptoPool.Return(rented, bufSize);
99+
}
98100
#endif
101+
}
99102
}
100103

101104
protected override bool Sign(
@@ -115,71 +118,75 @@ protected override bool Sign(
115118
Debug.Assert(Helpers.IsDSASupported);
116119
signatureParameters = null;
117120

118-
// If there's no private key, fall back to the public key for a "no private key" exception.
119-
DSA? dsa = key as DSA ??
120-
PkcsPal.Instance.GetPrivateKeyForSigning<DSA>(certificate, silent) ??
121-
certificate.GetDSAPublicKey();
122-
123-
if (dsa == null)
121+
using (GetSigningKey(key, certificate, silent, DSACertificateExtensions.GetDSAPublicKey, out DSA? dsa))
124122
{
125-
signatureAlgorithm = null;
126-
signatureValue = null;
127-
return false;
128-
}
123+
if (dsa == null)
124+
{
125+
signatureAlgorithm = null;
126+
signatureValue = null;
127+
return false;
128+
}
129129

130-
string? oidValue =
131-
hashAlgorithmOid switch
130+
string? oidValue =
131+
hashAlgorithmOid switch
132+
{
133+
Oids.Sha1 => Oids.DsaWithSha1,
134+
Oids.Sha256 => Oids.DsaWithSha256,
135+
Oids.Sha384 => Oids.DsaWithSha384,
136+
Oids.Sha512 => Oids.DsaWithSha512,
137+
_ => null
138+
};
139+
140+
if (oidValue == null)
132141
{
133-
Oids.Sha1 => Oids.DsaWithSha1,
134-
Oids.Sha256 => Oids.DsaWithSha256,
135-
Oids.Sha384 => Oids.DsaWithSha384,
136-
Oids.Sha512 => Oids.DsaWithSha512,
137-
_ => null
138-
};
139-
140-
if (oidValue == null)
141-
{
142-
signatureAlgorithm = null;
143-
signatureValue = null;
144-
return false;
145-
}
142+
signatureAlgorithm = null;
143+
signatureValue = null;
144+
return false;
145+
}
146146

147-
signatureAlgorithm = oidValue;
147+
signatureAlgorithm = oidValue;
148148

149149
#if NET || NETSTANDARD2_1
150-
// The Q size cannot be bigger than the KeySize.
151-
byte[] rented = CryptoPool.Rent(dsa.KeySize / 8);
152-
int bytesWritten = 0;
150+
// The Q size cannot be bigger than the KeySize.
151+
byte[] rented = CryptoPool.Rent(dsa.KeySize / 8);
152+
int bytesWritten = 0;
153153

154-
try
155-
{
156-
if (dsa.TryCreateSignature(dataHash, rented, out bytesWritten))
154+
try
157155
{
158-
var signature = new ReadOnlySpan<byte>(rented, 0, bytesWritten);
159-
160-
if (key != null && !certificate.GetDSAPublicKey()!.VerifySignature(dataHash, signature))
156+
if (dsa.TryCreateSignature(dataHash, rented, out bytesWritten))
161157
{
162-
// key did not match certificate
163-
signatureValue = null;
164-
return false;
158+
var signature = new ReadOnlySpan<byte>(rented, 0, bytesWritten);
159+
160+
if (key != null)
161+
{
162+
using (DSA certKey = certificate.GetDSAPublicKey()!)
163+
{
164+
if (!certKey.VerifySignature(dataHash, signature))
165+
{
166+
// key did not match certificate
167+
signatureValue = null;
168+
return false;
169+
}
170+
}
171+
}
172+
173+
signatureValue = DsaIeeeToDer(signature);
174+
return true;
165175
}
166-
167-
signatureValue = DsaIeeeToDer(signature);
168-
return true;
169176
}
170-
}
171-
finally
172-
{
173-
CryptoPool.Return(rented, bytesWritten);
174-
}
177+
finally
178+
{
179+
CryptoPool.Return(rented, bytesWritten);
180+
}
175181

176-
signatureValue = null;
177-
return false;
182+
signatureValue = null;
183+
return false;
178184
#else
179-
byte[] signature = dsa.CreateSignature(dataHash);
180-
signatureValue = DsaIeeeToDer(new ReadOnlySpan<byte>(signature));
181-
return true;
185+
byte[] signature = dsa.CreateSignature(dataHash);
186+
signatureValue = DsaIeeeToDer(new ReadOnlySpan<byte>(signature));
187+
return true;
182188
#endif
189+
}
183190
}
184191
}
185192
}

src/libraries/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/CmsSignature.ECDsa.cs

Lines changed: 89 additions & 82 deletions
Original file line numberDiff line numberDiff line change
@@ -71,36 +71,39 @@ internal override bool VerifySignature(
7171
return false;
7272
}
7373

74-
int bufSize;
75-
checked
74+
using (key)
7675
{
77-
// fieldSize = ceil(KeySizeBits / 8);
78-
int fieldSize = (key.KeySize + 7) / 8;
79-
bufSize = 2 * fieldSize;
80-
}
76+
int bufSize;
77+
checked
78+
{
79+
// fieldSize = ceil(KeySizeBits / 8);
80+
int fieldSize = (key.KeySize + 7) / 8;
81+
bufSize = 2 * fieldSize;
82+
}
8183

8284
#if NET || NETSTANDARD2_1
83-
byte[] rented = CryptoPool.Rent(bufSize);
84-
Span<byte> ieee = new Span<byte>(rented, 0, bufSize);
85+
byte[] rented = CryptoPool.Rent(bufSize);
86+
Span<byte> ieee = new Span<byte>(rented, 0, bufSize);
8587

86-
try
87-
{
88+
try
89+
{
8890
#else
89-
byte[] ieee = new byte[bufSize];
91+
byte[] ieee = new byte[bufSize];
9092
#endif
91-
if (!DsaDerToIeee(signature, ieee))
92-
{
93-
return false;
94-
}
93+
if (!DsaDerToIeee(signature, ieee))
94+
{
95+
return false;
96+
}
9597

96-
return key.VerifyHash(valueHash, ieee);
98+
return key.VerifyHash(valueHash, ieee);
9799
#if NET || NETSTANDARD2_1
98-
}
99-
finally
100-
{
101-
CryptoPool.Return(rented, bufSize);
102-
}
100+
}
101+
finally
102+
{
103+
CryptoPool.Return(rented, bufSize);
104+
}
103105
#endif
106+
}
104107
}
105108

106109
protected override bool Sign(
@@ -111,92 +114,96 @@ protected override bool Sign(
111114
#endif
112115
string? hashAlgorithmOid,
113116
X509Certificate2 certificate,
114-
object? certKey,
117+
object? privateKey,
115118
bool silent,
116119
[NotNullWhen(true)] out string? signatureAlgorithm,
117120
[NotNullWhen(true)] out byte[]? signatureValue,
118121
out byte[]? signatureParameters)
119122
{
120123
signatureParameters = null;
121-
// If there's no private key, fall back to the public key for a "no private key" exception.
122-
ECDsa? key = certKey as ECDsa ??
123-
PkcsPal.Instance.GetPrivateKeyForSigning<ECDsa>(certificate, silent) ??
124-
certificate.GetECDsaPublicKey();
125-
126-
if (key == null)
124+
using (GetSigningKey(privateKey, certificate, silent, ECDsaCertificateExtensions.GetECDsaPublicKey, out ECDsa? key))
127125
{
128-
signatureAlgorithm = null;
129-
signatureValue = null;
130-
return false;
131-
}
132-
133-
string? oidValue =
134-
hashAlgorithmOid switch
126+
if (key == null)
135127
{
136-
Oids.Sha1 => Oids.ECDsaWithSha1,
137-
Oids.Sha256 => Oids.ECDsaWithSha256,
138-
Oids.Sha384 => Oids.ECDsaWithSha384,
139-
Oids.Sha512 => Oids.ECDsaWithSha512,
128+
signatureAlgorithm = null;
129+
signatureValue = null;
130+
return false;
131+
}
132+
133+
string? oidValue =
134+
hashAlgorithmOid switch
135+
{
136+
Oids.Sha1 => Oids.ECDsaWithSha1,
137+
Oids.Sha256 => Oids.ECDsaWithSha256,
138+
Oids.Sha384 => Oids.ECDsaWithSha384,
139+
Oids.Sha512 => Oids.ECDsaWithSha512,
140140
#if NET8_0_OR_GREATER
141-
Oids.Sha3_256 => Oids.ECDsaWithSha3_256,
142-
Oids.Sha3_384 => Oids.ECDsaWithSha3_384,
143-
Oids.Sha3_512 => Oids.ECDsaWithSha3_512,
141+
Oids.Sha3_256 => Oids.ECDsaWithSha3_256,
142+
Oids.Sha3_384 => Oids.ECDsaWithSha3_384,
143+
Oids.Sha3_512 => Oids.ECDsaWithSha3_512,
144144
#endif
145-
_ => null,
146-
};
145+
_ => null,
146+
};
147147

148-
if (oidValue == null)
149-
{
150-
signatureAlgorithm = null;
151-
signatureValue = null;
152-
return false;
153-
}
148+
if (oidValue == null)
149+
{
150+
signatureAlgorithm = null;
151+
signatureValue = null;
152+
return false;
153+
}
154154

155-
signatureAlgorithm = oidValue;
155+
signatureAlgorithm = oidValue;
156156

157157
#if NET || NETSTANDARD2_1
158-
int bufSize;
159-
checked
160-
{
161-
// fieldSize = ceil(KeySizeBits / 8);
162-
int fieldSize = (key.KeySize + 7) / 8;
163-
bufSize = 2 * fieldSize;
164-
}
158+
int bufSize;
159+
checked
160+
{
161+
// fieldSize = ceil(KeySizeBits / 8);
162+
int fieldSize = (key.KeySize + 7) / 8;
163+
bufSize = 2 * fieldSize;
164+
}
165165

166-
byte[] rented = CryptoPool.Rent(bufSize);
167-
int bytesWritten = 0;
166+
byte[] rented = CryptoPool.Rent(bufSize);
167+
int bytesWritten = 0;
168168

169-
try
170-
{
171-
if (key.TrySignHash(dataHash, rented, out bytesWritten))
169+
try
172170
{
173-
var signedHash = new ReadOnlySpan<byte>(rented, 0, bytesWritten);
174-
175-
if (key != null && !certificate.GetECDsaPublicKey()!.VerifyHash(dataHash, signedHash))
171+
if (key.TrySignHash(dataHash, rented, out bytesWritten))
176172
{
177-
// key did not match certificate
178-
signatureValue = null;
179-
return false;
173+
var signedHash = new ReadOnlySpan<byte>(rented, 0, bytesWritten);
174+
175+
if (key != null)
176+
{
177+
using (ECDsa certKey = certificate.GetECDsaPublicKey()!)
178+
{
179+
if (!certKey.VerifyHash(dataHash, signedHash))
180+
{
181+
// key did not match certificate
182+
signatureValue = null;
183+
return false;
184+
}
185+
}
186+
}
187+
188+
signatureValue = DsaIeeeToDer(signedHash);
189+
return true;
180190
}
181-
182-
signatureValue = DsaIeeeToDer(signedHash);
183-
return true;
184191
}
185-
}
186-
finally
187-
{
188-
CryptoPool.Return(rented, bytesWritten);
189-
}
192+
finally
193+
{
194+
CryptoPool.Return(rented, bytesWritten);
195+
}
190196
#endif
191197

192-
signatureValue = DsaIeeeToDer(key.SignHash(
198+
signatureValue = DsaIeeeToDer(key.SignHash(
193199
#if NET || NETSTANDARD2_1
194-
dataHash.ToArray()
200+
dataHash.ToArray()
195201
#else
196-
dataHash
202+
dataHash
197203
#endif
198-
));
199-
return true;
204+
));
205+
return true;
206+
}
200207
}
201208
}
202209
}

0 commit comments

Comments
 (0)