Fixed WindowsSecureMimeContext to work with domain-bound certificates

Added X509CertificateExtensions.GetSubjectDnsNames()

Author: jstedfast

MimeKit/Cryptography/WindowsSecureMimeContext.cs

@@ -26,6 +26,7 @@
 
 using System;
 using System.IO;
+using System.Linq;
 using System.Threading;
 using System.Threading.Tasks;
 using System.Collections.Generic;
@@ -174,7 +175,10 @@ public override bool CanEncrypt (MailboxAddress mailbox, CancellationToken cance
 		protected virtual X509Certificate2 GetRecipientCertificate (MailboxAddress mailbox)
 		{
 			var storeNames = new [] { StoreName.AddressBook, StoreName.My, StoreName.TrustedPeople };
+			var mailboxDomain = MailboxAddress.IdnMapping.Encode (mailbox.Domain);
+			var mailboxAddress = mailbox.GetAddress (true);
 			var secure = mailbox as SecureMailboxAddress;
+			X509Certificate2 domainCertificate = null;
 			var now = DateTime.UtcNow;
 
 			foreach (var storeName in storeNames) {
@@ -197,8 +201,22 @@ protected virtual X509Certificate2 GetRecipientCertificate (MailboxAddress mailb
 						} else {
 							var address = certificate.GetNameInfo (X509NameType.EmailName, false);
 
-							if (!address.Equals (mailbox.Address, StringComparison.InvariantCultureIgnoreCase))
+							if (!string.IsNullOrEmpty (address))
+								address = MailboxAddress.EncodeAddrspec (address);
+
+							if (!address.Equals (mailboxAddress, StringComparison.OrdinalIgnoreCase)) {
+								// Fall back to matching the domain...
+								if (domainCertificate == null) {
+									var domains = certificate.GetSubjectDnsNames (true);
+
+									if (domains.Any (domain => domain.Equals (mailboxDomain, StringComparison.OrdinalIgnoreCase))) {
+										// Cache this certificate. We will only use this if we do not find an exact match based on the full email address.
+										domainCertificate = certificate;
+									}
+								}
+
 								continue;
+							}
 						}
 
 						return certificate;
@@ -208,7 +226,7 @@ protected virtual X509Certificate2 GetRecipientCertificate (MailboxAddress mailb
 				}
 			}
 
-			return null;
+			return domainCertificate;
 		}
 
 		/// <summary>
@@ -318,8 +336,11 @@ static RealCmsRecipientCollection GetCmsRecipients (CmsRecipientCollection recip
 		/// <param name="mailbox">The signer's mailbox address.</param>
 		protected virtual X509Certificate2 GetSignerCertificate (MailboxAddress mailbox)
 		{
+			var mailboxDomain = MailboxAddress.IdnMapping.Encode (mailbox.Domain);
+			var mailboxAddress = mailbox.GetAddress (true);
 			var store = new X509Store (StoreName.My, StoreLocation);
 			var secure = mailbox as SecureMailboxAddress;
+			X509Certificate2 domainCertificate = null;
 			var now = DateTime.UtcNow;
 
 			store.Open (OpenFlags.ReadOnly);
@@ -342,8 +363,22 @@ protected virtual X509Certificate2 GetSignerCertificate (MailboxAddress mailbox)
 					} else {
 						var address = certificate.GetNameInfo (X509NameType.EmailName, false);
 
-						if (!address.Equals (mailbox.Address, StringComparison.InvariantCultureIgnoreCase))
+						if (!string.IsNullOrEmpty (address))
+							address = MailboxAddress.EncodeAddrspec (address);
+
+						if (!address.Equals (mailboxAddress, StringComparison.OrdinalIgnoreCase)) {
+							// Fall back to matching the domain...
+							if (domainCertificate == null) {
+								var domains = certificate.GetSubjectDnsNames (true);
+
+								if (domains.Any (domain => domain.Equals (mailboxDomain, StringComparison.OrdinalIgnoreCase))) {
+									// Cache this certificate. We will only use this if we do not find an exact match based on the full email address.
+									domainCertificate = certificate;
+								}
+							}
+
 							continue;
+						}
 					}
 
 					return certificate;
@@ -352,7 +387,7 @@ protected virtual X509Certificate2 GetSignerCertificate (MailboxAddress mailbox)
 				store.Close ();
 			}
 
-			return null;
+			return domainCertificate;
 		}
 
 		AsnEncodedData GetSecureMimeCapabilities ()

MimeKit/Cryptography/X509Certificate2Extensions.cs

@@ -37,6 +37,7 @@
 
 using X509Certificate = Org.BouncyCastle.X509.X509Certificate;
 using X509Certificate2 = System.Security.Cryptography.X509Certificates.X509Certificate2;
+using X509Extension = System.Security.Cryptography.X509Certificates.X509Extension;
 
 namespace MimeKit.Cryptography {
 	/// <summary>
@@ -101,6 +102,73 @@ public static PublicKeyAlgorithm GetPublicKeyAlgorithm (this X509Certificate2 ce
 			}
 		}
 
+		static string[] GetSubjectAlternativeNames (X509Certificate2 certificate, int tagNo)
+		{
+			X509Extension alt = null;
+
+			foreach (var extension in certificate.Extensions) {
+				if (extension.Oid.Value == X509Extensions.SubjectAlternativeName.Id) {
+					alt = extension;
+					break;
+				}
+			}
+
+			if (alt == null)
+				return Array.Empty<string> ();
+
+			using (var memory = new MemoryStream (alt.RawData, false)) {
+				var seq = Asn1Sequence.GetInstance (Asn1Object.FromByteArray (alt.RawData));
+				var names = new string[seq.Count];
+				int count = 0;
+
+				foreach (Asn1Encodable encodable in seq) {
+					var name = GeneralName.GetInstance (encodable);
+					if (name.TagNo == tagNo)
+						names[count++] = ((IAsn1String) name.Name).GetString ();
+				}
+
+				if (count == 0)
+					return Array.Empty<string> ();
+
+				if (count < names.Length)
+					Array.Resize (ref names, count);
+
+				return names;
+			}
+		}
+
+		/// <summary>
+		/// Get the subject domain names of the certificate.
+		/// </summary>
+		/// <remarks>
+		/// <para>Gets the subject DNS names of the certificate.</para>
+		/// <para>Some S/MIME certificates are domain-bound instead of being bound to a
+		/// particular email address.</para>
+		/// </remarks>
+		/// <returns>The subject DNS names.</returns>
+		/// <param name="certificate">The certificate.</param>
+		/// <param name="idnEncode">If set to <c>true</c>, international domain names will be IDN encoded.</param>
+		/// <exception cref="System.ArgumentNullException">
+		/// <paramref name="certificate"/> is <see langword="null"/>.
+		/// </exception>
+		public static string[] GetSubjectDnsNames (this X509Certificate2 certificate, bool idnEncode = false)
+		{
+			if (certificate == null)
+				throw new ArgumentNullException (nameof (certificate));
+
+			var domains = GetSubjectAlternativeNames (certificate, GeneralName.DnsName);
+
+			if (idnEncode) {
+				for (int i = 0; i < domains.Length; i++)
+					domains[i] = MailboxAddress.IdnMapping.Encode (domains[i]);
+			} else {
+				for (int i = 0; i < domains.Length; i++)
+					domains[i] = MailboxAddress.IdnMapping.Decode (domains[i]);
+			}
+
+			return domains;
+		}
+
 		static EncryptionAlgorithm[] DecodeEncryptionAlgorithms (byte[] rawData)
 		{
 			using (var memory = new MemoryStream (rawData, false)) {

UnitTests/Cryptography/ApplicationPkcs7MimeTests.cs

@@ -468,6 +468,70 @@ public async Task TestEncryptMailboxesAsync ()
 			}
 		}
 
+		[Test]
+		public void TestEncryptDnsNames ()
+		{
+			var certificate = SecureMimeTestsBase.DomainCertificate;
+
+			foreach (var domain in certificate.DnsNames) {
+				var entity = new TextPart ("plain") { Text = "This is some text..." };
+				var mailbox = new MailboxAddress ("MimeKit UnitTests", "mimekit@" + domain);
+				var mailboxes = new[] { mailbox };
+
+				using (var ctx = CreateContext ()) {
+					ApplicationPkcs7Mime encrypted;
+					MimeEntity decrypted;
+					TextPart text;
+
+					ctx.Import (certificate.FileName, "no.secret");
+
+					encrypted = ApplicationPkcs7Mime.Encrypt (mailboxes, entity);
+					decrypted = encrypted.Decrypt (ctx);
+					Assert.That (decrypted, Is.InstanceOf<TextPart> (), "Decrypted from Encrypt(mailboxes, entity)");
+					text = (TextPart) decrypted;
+					Assert.That (text.Text, Is.EqualTo (entity.Text), "Decrypted text");
+
+					encrypted = ApplicationPkcs7Mime.Encrypt (ctx, mailboxes, entity);
+					decrypted = encrypted.Decrypt (ctx);
+					Assert.That (decrypted, Is.InstanceOf<TextPart> (), "Encrypt(ctx, mailboxes, entity)");
+					text = (TextPart) decrypted;
+					Assert.That (text.Text, Is.EqualTo (entity.Text), "Decrypted text");
+				}
+			}
+		}
+
+		[Test]
+		public async Task TestEncryptDnsNamesAsync ()
+		{
+			var certificate = SecureMimeTestsBase.DomainCertificate;
+
+			foreach (var domain in certificate.DnsNames) {
+				var entity = new TextPart ("plain") { Text = "This is some text..." };
+				var mailbox = new MailboxAddress ("MimeKit UnitTests", "mimekit@" + domain);
+				var mailboxes = new[] { mailbox };
+
+				using (var ctx = CreateContext ()) {
+					ApplicationPkcs7Mime encrypted;
+					MimeEntity decrypted;
+					TextPart text;
+
+					await ctx.ImportAsync (certificate.FileName, "no.secret").ConfigureAwait (false);
+
+					encrypted = await ApplicationPkcs7Mime.EncryptAsync (mailboxes, entity).ConfigureAwait (false);
+					decrypted = await encrypted.DecryptAsync (ctx).ConfigureAwait (false);
+					Assert.That (decrypted, Is.InstanceOf<TextPart> (), "Decrypted from EncryptAsync(mailboxes, entity)");
+					text = (TextPart) decrypted;
+					Assert.That (text.Text, Is.EqualTo (entity.Text), "Decrypted text");
+
+					encrypted = await ApplicationPkcs7Mime.EncryptAsync (ctx, mailboxes, entity).ConfigureAwait (false);
+					decrypted = await encrypted.DecryptAsync (ctx).ConfigureAwait (false);
+					Assert.That (decrypted, Is.InstanceOf<TextPart> (), "EncryptAsync(ctx, mailboxes, entity)");
+					text = (TextPart) decrypted;
+					Assert.That (text.Text, Is.EqualTo (entity.Text), "Decrypted text");
+				}
+			}
+		}
+
 		void AssertSignResults (SMimeCertificate certificate, SecureMimeContext ctx, ApplicationPkcs7Mime signed, TextPart entity)
 		{
 			var signatures = signed.Verify (ctx, out var encapsulated);
@@ -578,6 +642,42 @@ public async Task TestSignMailboxAsync ()
 			}
 		}
 
+		[Test]
+		public void TestSignDnsNames ()
+		{
+			var certificate = SecureMimeTestsBase.DomainCertificate;
+
+			using (var ctx = CreateContext ()) {
+				ImportAll (ctx);
+
+				foreach (var domain in certificate.DnsNames) {
+					var mailbox = new MailboxAddress ("MimeKit UnitTests", "mimekit@" + domain);
+					var entity = new TextPart ("plain") { Text = "This is some text..." };
+
+					var signed = ApplicationPkcs7Mime.Sign (ctx, mailbox, DigestAlgorithm.Sha224, entity);
+					AssertSignResults (certificate, ctx, signed, entity);
+				}
+			}
+		}
+
+		[Test]
+		public async Task TestSignDnsNamesAsync ()
+		{
+			var certificate = SecureMimeTestsBase.DomainCertificate;
+
+			using (var ctx = CreateContext ()) {
+				await ImportAllAsync (ctx).ConfigureAwait (false);
+
+				foreach (var domain in certificate.DnsNames) {
+					var mailbox = new MailboxAddress ("MimeKit UnitTests", "mimekit@" + domain);
+					var entity = new TextPart ("plain") { Text = "This is some text..." };
+
+					var signed = await ApplicationPkcs7Mime.SignAsync (ctx, mailbox, DigestAlgorithm.Sha224, entity).ConfigureAwait (false);
+					AssertSignResults (certificate, ctx, signed, entity);
+				}
+			}
+		}
+
 		void AssertSignAndEncryptResults (SMimeCertificate certificate, SecureMimeContext ctx, ApplicationPkcs7Mime encrypted, TextPart entity)
 		{
 			var decrypted = encrypted.Decrypt (ctx);
@@ -753,6 +853,44 @@ public async Task TestSignAndEncryptMailboxesAsync ()
 				}
 			}
 		}
+
+		[Test]
+		public void TestSignAndEncryptDnsNames ()
+		{
+			var certificate = SecureMimeTestsBase.DomainCertificate;
+
+			using (var ctx = CreateContext ()) {
+				ImportAll (ctx);
+
+				foreach (var domain in certificate.DnsNames) {
+					var mailbox = new MailboxAddress ("MimeKit UnitTests", "mimekit@" + domain);
+					var entity = new TextPart ("plain") { Text = "This is some text..." };
+					var recipients = new MailboxAddress[] { mailbox };
+
+					var encrypted = ApplicationPkcs7Mime.SignAndEncrypt (mailbox, DigestAlgorithm.Sha224, recipients, entity);
+					AssertSignAndEncryptResults (certificate, ctx, encrypted, entity);
+				}
+			}
+		}
+
+		[Test]
+		public async Task TestSignAndEncryptDnsNamesAsync ()
+		{
+			var certificate = SecureMimeTestsBase.DomainCertificate;
+
+			using (var ctx = CreateContext ()) {
+				await ImportAllAsync (ctx).ConfigureAwait (false);
+
+				foreach (var domain in certificate.DnsNames) {
+					var mailbox = new MailboxAddress ("MimeKit UnitTests", "mimekit@" + domain);
+					var entity = new TextPart ("plain") { Text = "This is some text..." };
+					var recipients = new MailboxAddress[] { mailbox };
+
+					var encrypted = await ApplicationPkcs7Mime.SignAndEncryptAsync (mailbox, DigestAlgorithm.Sha224, recipients, entity).ConfigureAwait (false);
+					await AssertSignAndEncryptResultsAsync (certificate, ctx, encrypted, entity).ConfigureAwait (false);
+				}
+			}
+		}
 	}
 
 	[TestFixture]

UnitTests/Cryptography/CertificateExtensionTests.cs

@@ -119,6 +119,12 @@ public void TestGetSubjectDnsNames ()
 				Assert.That (dnsNames.Length, Is.EqualTo (expectedDnsNames.Length), "SubjectDnsNames.Length");
 				for (int i = 0; i < dnsNames.Length; i++)
 					Assert.That (dnsNames[i], Is.EqualTo (expectedDnsNames[i]), $"SubjectDnsNames[{i}]");
+
+				dnsNames = certificate2.GetSubjectDnsNames ();
+
+				Assert.That (dnsNames.Length, Is.EqualTo (expectedDnsNames.Length), "SubjectDnsNames.Length #2");
+				for (int i = 0; i < dnsNames.Length; i++)
+					Assert.That (dnsNames[i], Is.EqualTo (expectedDnsNames[i]), $"SubjectDnsNames[{i}] #2");
 			}
 		}
 	}