Microsoft.Bcl.Cryptography
NIST SP 800-108 HMAC CTR Key-Based Key Derivation (KBKDF)
This implements NIST SP 800-108 HMAC in counter mode. The implemented KDF assumes the form of
PRF (KI, [i]2 || Label || 0x00 || Context || [L]2) where [i]2 and [L]2 are encoded as
unsigned 32-bit integers, big endian.
All members of this class are thread safe. If the instance is disposed of while other threads are using
the instance, those threads will either receive an or produce a valid
derived key.
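The derivation described above, carried out in Python as an added example (this is not the library's own code); the key, label and context values are constructed sample inputs, and the only assumption beyond the page is the SP 800-108 convention that [L]2 carries the requested length in bits, which is what makes the 536,870,911-byte limit quoted in the library's error message fall out of the 32-bit field:

```python
# Added reference implementation of the SP 800-108 counter-mode KDF with HMAC as
# the PRF (not the library's code):
#
#   K(i) = HMAC(KI, [i]2 || Label || 0x00 || Context || [L]2),   i = 1, 2, ...
#
# [i]2 and [L]2 are unsigned 32-bit big-endian integers. Per SP 800-108, L is the
# requested output length in BITS (assumed here; the page only says 32-bit). Since
# L must fit in 32 bits, at most (2**32 - 1) // 8 = 536,870,911 bytes can be
# derived, exactly the limit the library's error message states.
import hmac
import struct

MAX_DERIVED_BYTES = (2**32 - 1) // 8  # 536_870_911


def _as_bytes(value):
    """String overloads convert Label/Context with UTF-8. Unpaired surrogates
    cannot be encoded and raise UnicodeEncodeError, mirroring the documented
    'cannot be converted to UTF-8' failure of the string overloads."""
    if isinstance(value, str):
        return value.encode("utf-8")
    return bytes(value)


def derive_block(key, hash_name, counter, label, context, length):
    """Return K(counter): one PRF output over the fixed input data."""
    fixed = (_as_bytes(label) + b"\x00" + _as_bytes(context)
             + struct.pack(">I", length * 8))          # [L]2 in bits
    # hmac.new accepts a hashlib digest name; an unknown name raises ValueError,
    # the analogue of the library's "not a known hash algorithm" error.
    return hmac.new(key, struct.pack(">I", counter) + fixed, hash_name).digest()


def derive_key(key, hash_name, label, context, length):
    """Derive `length` bytes from the key-derivation key `key` (bytes).

    hash_name is a hashlib digest name such as 'sha256'; label and context may
    be bytes or str (str is UTF-8 encoded, as in the string overloads).

    Caveat: the single 0x00 separator only delimits Label from Context when
    Label itself contains no 0x00 byte. Label=a\\x00b/Context=c and
    Label=a/Context=b\\x00c feed the PRF identical input and so yield the
    same key; keep labels free of NUL bytes (or fixed-length) when callers
    control them."""
    if not key:
        raise ValueError("key-derivation key must not be empty")
    if length < 0 or length > MAX_DERIVED_BYTES:
        raise ValueError(f"length must be in 0..{MAX_DERIVED_BYTES} bytes")
    # Encode once so an unencodable label/context fails before any HMAC runs.
    label_b, context_b = _as_bytes(label), _as_bytes(context)
    out = bytearray()
    counter = 1
    while len(out) < length:
        out += derive_block(key, hash_name, counter, label_b, context_b, length)
        counter += 1
    return bytes(out[:length])


def fill_derived_key(key, hash_name, label, context, buf):
    """Counterpart of the buffer-filling overload: derives len(buf) bytes
    into the supplied bytearray and returns it."""
    buf[:] = derive_key(key, hash_name, label, context, len(buf))
    return buf


if __name__ == "__main__":
    # Constructed sample inputs, not a published test vector.
    kdk = bytes(range(32))
    print(derive_key(kdk, "sha256", "session-encryption", b"client-id=42", 48).hex())
```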
Initializes a new instance of using a specified key and HMAC algorithm.
The key-derivation key.
The HMAC algorithm.
has a which is .
has a which is empty.
is not a known or supported hash algorithm.
The current platform does not have a supported implementation of HMAC.
Initializes a new instance of using a specified key and HMAC algorithm.
The key-derivation key.
The HMAC algorithm.
has a which is .
-or-
is .
has a which is empty.
is not a known or supported hash algorithm.
The current platform does not have a supported implementation of HMAC.
Derives a key of a specified length.
The key-derivation key.
The HMAC algorithm.
The label that identifies the purpose for the derived key.
The context containing information related to the derived key.
The length of the derived key, in bytes.
An array containing the derived key.
is .
-or-
is .
-or-
is .
-or-
has a which is .
has a which is empty.
is negative or larger than the maximum number of bytes
that can be derived.
is not a known or supported hash algorithm.
The current platform does not have a supported implementation of HMAC.
Derives a key of a specified length.
The key-derivation key.
The HMAC algorithm.
The label that identifies the purpose for the derived key.
The context containing information related to the derived key.
The length of the derived key, in bytes.
An array containing the derived key.
is .
-or-
is .
-or-
is .
-or-
has a which is .
has a which is empty.
is negative or larger than the maximum number of bytes
that can be derived.
is not a known or supported hash algorithm.
or contains text that cannot be converted to UTF-8.
and will be converted to bytes using the UTF-8 encoding.
For other encodings, perform the conversion using the desired encoding and use an overload that accepts the
label and context as a sequence of bytes.
The current platform does not have a supported implementation of HMAC.
Derives a key of a specified length.
The key-derivation key.
The HMAC algorithm.
The label that identifies the purpose for the derived key.
The context containing information related to the derived key.
The length of the derived key, in bytes.
An array containing the derived key.
has a which is .
has a which is empty.
is negative or larger than the maximum number of bytes
that can be derived.
is not a known or supported hash algorithm.
The current platform does not have a supported implementation of HMAC.
Fills a buffer with a derived key.
The key-derivation key.
The HMAC algorithm.
The label that identifies the purpose for the derived key.
The context containing information related to the derived key.
The buffer which will receive the derived key.
has a which is .
has a which is empty.
is larger than the maximum number of bytes that can be derived.
is not a known or supported hash algorithm.
The current platform does not have a supported implementation of HMAC.
Derives a key of a specified length.
The key-derivation key.
The HMAC algorithm.
The label that identifies the purpose for the derived key.
The context containing information related to the derived key.
The length of the derived key, in bytes.
An array containing the derived key.
has a which is .
has a which is empty.
is negative or larger than the maximum number of bytes
that can be derived.
is not a known or supported hash algorithm.
or contains text that cannot be converted to UTF-8.
The current platform does not have a supported implementation of HMAC.
and will be converted to bytes using the UTF-8 encoding.
For other encodings, perform the conversion using the desired encoding and use an overload that accepts the
label and context as a sequence of bytes.
Fills a buffer with a derived key.
The key-derivation key.
The HMAC algorithm.
The label that identifies the purpose for the derived key.
The context containing information related to the derived key.
The buffer which will receive the derived key.
has a which is .
has a which is empty.
is larger than the maximum number of bytes that can be derived.
is not a known or supported hash algorithm.
or contains text that cannot be converted to UTF-8.
The current platform does not have a supported implementation of HMAC.
and will be converted to bytes using the UTF-8 encoding.
For other encodings, perform the conversion using the desired encoding and use an overload that accepts the
label and context as a sequence of bytes.
Derives a key of a specified length.
The label that identifies the purpose for the derived key.
The context containing information related to the derived key.
The length of the derived key, in bytes.
An array containing the derived key.
is .
-or-
is .
is negative or larger than the maximum number of bytes
that can be derived.
Derives a key of a specified length.
The label that identifies the purpose for the derived key.
The context containing information related to the derived key.
The length of the derived key, in bytes.
An array containing the derived key.
is negative or larger than the maximum number of bytes
that can be derived.
Fills a buffer with a derived key.
The label that identifies the purpose for the derived key.
The context containing information related to the derived key.
The buffer which will receive the derived key.
is .
-or-
is .
is larger than the maximum number of bytes that can be derived.
Derives a key of a specified length.
The label that identifies the purpose for the derived key.
The context containing information related to the derived key.
The length of the derived key, in bytes.
An array containing the derived key.
is negative or larger than the maximum number of bytes
that can be derived.
or contains text that cannot be converted to UTF-8.
and will be converted to bytes using the UTF-8 encoding.
For other encodings, perform the conversion using the desired encoding and use an overload that accepts the
label and context as a sequence of bytes.
Fills a buffer with a derived key.
The label that identifies the purpose for the derived key.
The context containing information related to the derived key.
The buffer which will receive the derived key.
is larger than the maximum number of bytes that can be derived.
or contains text that cannot be converted to UTF-8.
and will be converted to bytes using the UTF-8 encoding.
For other encodings, perform the conversion using the desired encoding and use an overload that accepts the
label and context as a sequence of bytes.
Derives a key of a specified length.
The label that identifies the purpose for the derived key.
The context containing information related to the derived key.
The length of the derived key, in bytes.
An array containing the derived key.
is .
-or-
is .
is negative or larger than the maximum number of bytes
that can be derived.
or contains text that cannot be converted to UTF-8.
and will be converted to bytes using the UTF-8 encoding.
For other encodings, perform the conversion using the desired encoding and use an overload that accepts the
label and context as a sequence of bytes.
Releases all resources used by the current instance of .
Represents a set of constraints to apply when loading PKCS#12/PFX contents.
Gets a shared reference to the default loader limits.
The singleton instance returned from this property is equivalent to an
instance produced via the default constructor, except the properties
prohibit reassignment. As with the default constructor, the individual
property values may change over time.
A shared reference to the default loader limits.
Gets a shared reference to loader limits that indicate no
filtering or restrictions of the contents should be applied
before sending them to the underlying system loader.
A shared reference to loader limits that indicate no
filtering or restrictions of the contents should be applied
before sending them to the underlying system loader.
The system loader may have its own limits where only part
of the contents are respected, or where the load is rejected.
Using this set of limits only affects the .NET layer of filtering.
The class checks for reference
equality to this property to determine if filtering should be bypassed.
Making a new Pkcs12LoaderLimits value that has all of the same property
values may give different results for certain inputs.
Initializes a new instance of the class
with default values.
The default values for each property on a default instance of this class
are chosen as a compromise between maximizing compatibility and minimizing
"nuisance" work. The defaults for any given property may vary over time.
Initializes a new instance of the class
by copying the values from another instance.
The instance to copy the values from.
is .
Gets a value indicating whether the instance is read-only.
if the instance is read-only; otherwise, .
Makes the instance read-only.
Gets or sets the iteration limit for the MAC calculation.
The iteration limit for the MAC calculation, or for no limit.
Gets or sets the iteration limit for the individual Key Derivation Function (KDF) calculations.
The iteration limit for the individual Key Derivation Function (KDF) calculations,
or for no limit.
Gets or sets the total iteration limit for the Key Derivation Function (KDF) calculations.
The total iteration limit for the Key Derivation Function (KDF) calculations,
or for no limit.
Gets or sets the maximum number of keys permitted.
The maximum number of keys permitted, or for no maximum.
Gets or sets the maximum number of certificates permitted.
The maximum number of certificates permitted, or for no maximum.
Gets or sets a value indicating whether to preserve the storage provider.
to respect the storage provider identifier for a
private key; to ignore the storage provider
information and use the system defaults.
The default is .
Storage Provider values from the PFX are only processed on the
Microsoft Windows family of operating systems.
This property has no effect on non-Windows systems.
Gets or sets a value indicating whether to preserve the key name.
to respect the key name identifier for a
private key; to ignore the key name
information and use a randomly generated identifier.
The default is .
Key name identifier values from the PFX are only processed on the
Microsoft Windows family of operating systems.
This property has no effect on non-Windows systems.
Gets or sets a value indicating whether to preserve the certificate alias,
also known as the friendly name.
to respect the alias for a
certificate; to ignore the alias
information.
The default is .
Certificate alias values from the PFX are only processed on the
Microsoft Windows family of operating systems.
This property has no effect on non-Windows systems.
Gets or sets a value indicating whether to preserve unknown attributes.
to keep any attributes of a certificate or
private key that are not described by another property on this type intact
when invoking the system PKCS#12/PFX loader;
to remove the unknown attributes prior to invoking
the system loader.
The default is .
Gets or sets a value indicating whether to ignore private keys.
to skip loading private keys;
to load both certificates and private keys.
The default is .
Gets or sets a value indicating whether to ignore encrypted authentication safes.
to skip over encrypted PFX AuthSafe values;
to decrypt encrypted PFX AuthSafe values to process their
contents.
The default is .
Gets or sets a value indicating whether duplicate attributes are permitted.
to permit duplicate attributes;
to fail loading when duplicate attributes are found.
The default is .
The exception that is thrown when importing a PKCS#12/PFX has failed
due to violating a specified limit.
Initializes a new instance of the
class.
The name of the property representing the limit that was exceeded.
Loads a single X.509 certificate from , in either the PEM
or DER encoding.
The data to load.
The certificate loaded from .
The data did not load as a valid X.509 certificate.
This method only loads plain certificates, which are identified as
by
Loads a single X.509 certificate from , in either the PEM
or DER encoding.
The data to load.
The certificate loaded from .
is .
The data did not load as a valid X.509 certificate.
This method only loads plain certificates, which are identified as
by
Loads a single X.509 certificate (in either the PEM or DER encoding)
from the specified file.
The path of the file to open.
The loaded certificate.
is .
The data did not load as a valid X.509 certificate.
An error occurred while loading the specified file.
This method only loads plain certificates, which are identified as
by
Loads the provided data as a PKCS#12 PFX and extracts a certificate.
The data to load.
The password to decrypt the contents of the PFX.
A bitwise combination of the enumeration values that control where and how to
import the private key associated with the returned certificate.
Limits to apply when loading the PFX. A value, the default,
is equivalent to .
The loaded certificate.
is .
contains a value, or combination of values,
that is not valid.
contains a value that is not valid for the
current platform.
The PKCS#12/PFX violated one or more constraints of .
An error occurred while loading the PKCS#12/PFX.
A PKCS#12/PFX can contain multiple certificates.
Using the ordering that the certificates appear in the results of
,
this method returns the first
certificate where is
.
If no certificates have associated private keys, then the first
certificate is returned.
If the PKCS#12/PFX contains no certificates, a
is thrown.
Loads the provided data as a PKCS#12 PFX and extracts a certificate.
The data to load.
The password to decrypt the contents of the PFX.
A bitwise combination of the enumeration values that control where and how to
import the private key associated with the returned certificate.
Limits to apply when loading the PFX. A value, the default,
is equivalent to .
The loaded certificate.
is .
contains a value, or combination of values,
that is not valid.
contains a value that is not valid for the
current platform.
The PKCS#12/PFX violated one or more constraints of .
An error occurred while loading the PKCS#12/PFX.
A PKCS#12/PFX can contain multiple certificates.
Using the ordering that the certificates appear in the results of
,
this method returns the first
certificate where is
.
If no certificates have associated private keys, then the first
certificate is returned.
If the PKCS#12/PFX contains no certificates, a
is thrown.
Opens the specified file, reads the contents as a PKCS#12 PFX and extracts a certificate.
The path of the file to open.
The loaded certificate.
The password to decrypt the contents of the PFX.
A bitwise combination of the enumeration values that control where and how to
import the private key associated with the returned certificate.
Limits to apply when loading the PFX. A value, the default,
is equivalent to .
The loaded certificate.
is .
contains a value, or combination of values,
that is not valid.
contains a value that is not valid for the
current platform.
The PKCS#12/PFX violated one or more constraints of .
An error occurred while loading the PKCS#12/PFX.
An error occurred while loading the specified file.
A PKCS#12/PFX can contain multiple certificates.
Using the ordering that the certificates appear in the results of
,
this method returns the first
certificate where is
.
If no certificates have associated private keys, then the first
certificate is returned.
If the PKCS#12/PFX contains no certificates, a
is thrown.
Opens the specified file, reads the contents as a PKCS#12 PFX and extracts a certificate.
The path of the file to open.
The loaded certificate.
The password to decrypt the contents of the PFX.
A bitwise combination of the enumeration values that control where and how to
import the private key associated with the returned certificate.
Limits to apply when loading the PFX. A value, the default,
is equivalent to .
The loaded certificate.
is .
contains a value, or combination of values,
that is not valid.
contains a value that is not valid for the
current platform.
The PKCS#12/PFX violated one or more constraints of .
An error occurred while loading the PKCS#12/PFX.
An error occurred while loading the specified file.
A PKCS#12/PFX can contain multiple certificates.
Using the ordering that the certificates appear in the results of
,
this method returns the first
certificate where is
.
If no certificates have associated private keys, then the first
certificate is returned.
If the PKCS#12/PFX contains no certificates, a
is thrown.
Loads the provided data as a PKCS#12 PFX and returns a collection of
all of the certificates therein.
The data to load.
The password to decrypt the contents of the PFX.
A bitwise combination of the enumeration values that control where and how to
import the private key associated with the returned certificate.
Limits to apply when loading the PFX. A value, the default,
is equivalent to .
A collection of the certificates loaded from the input.
is .
contains a value, or combination of values,
that is not valid.
contains a value that is not valid for the
current platform.
The PKCS#12/PFX violated one or more constraints of .
An error occurred while loading the PKCS#12/PFX.
Loads the provided data as a PKCS#12 PFX and returns a collection of
all of the certificates therein.
The data to load.
The password to decrypt the contents of the PFX.
A bitwise combination of the enumeration values that control where and how to
import the private key associated with the returned certificate.
Limits to apply when loading the PFX. A value, the default,
is equivalent to .
A collection of the certificates loaded from the input.
is .
contains a value, or combination of values,
that is not valid.
contains a value that is not valid for the
current platform.
The PKCS#12/PFX violated one or more constraints of .
An error occurred while loading the PKCS#12/PFX.
Opens the specified file, reads the contents as a PKCS#12 PFX and returns a collection of
all of the certificates therein.
The path of the file to open.
The loaded certificate.
The password to decrypt the contents of the PFX.
A bitwise combination of the enumeration values that control where and how to
import the private key associated with the returned certificate.
Limits to apply when loading the PFX. A value, the default,
is equivalent to .
A collection of the certificates loaded from the file.
is .
contains a value, or combination of values,
that is not valid.
contains a value that is not valid for the
current platform.
The PKCS#12/PFX violated one or more constraints of .
An error occurred while loading the PKCS#12/PFX.
An error occurred while loading the specified file.
Opens the specified file, reads the contents as a PKCS#12 PFX and returns a collection of
all of the certificates therein.
The path of the file to open.
The loaded certificate.
The password to decrypt the contents of the PFX.
A bitwise combination of the enumeration values that control where and how to
import the private key associated with the returned certificate.
Limits to apply when loading the PFX. A value, the default,
is equivalent to .
A collection of the certificates loaded from the file.
is .
contains a value, or combination of values,
that is not valid.
contains a value that is not valid for the
current platform.
The PKCS#12/PFX violated one or more constraints of .
An error occurred while loading the PKCS#12/PFX.
An error occurred while loading the specified file.
Provides support for computing a hash or HMAC value incrementally across several segments.
Get the name of the algorithm being performed.
Append the entire contents of to the data already processed in the hash or HMAC.
The data to process.
is null.
The object has already been disposed.
Append bytes of , starting at ,
to the data already processed in the hash or HMAC.
The data to process.
The offset into the byte array from which to begin using data.
The number of bytes in the array to use as data.
is null.
is out of range. This parameter requires a non-negative number.
is out of range. This parameter requires a non-negative number less than
the value of .
is greater than
. - .
The object has already been disposed.
Retrieve the hash or HMAC for the data accumulated from prior calls to
, and return to the state the object
was in at construction.
The computed hash or HMAC.
The object has already been disposed.
Release all resources used by the current instance of the
class.
Create an for the algorithm specified by .
The name of the hash algorithm to perform.
An instance ready to compute the hash algorithm specified
by .
. is null, or
the empty string.
is not a known hash algorithm.
Create an for the Hash-based Message Authentication Code (HMAC)
algorithm utilizing the hash algorithm specified by , and a
key specified by .
The name of the hash algorithm to perform within the HMAC.
The secret key for the HMAC. The key can be any length, but a key longer than the output size
of the hash algorithm specified by will be hashed (using the
algorithm specified by ) to derive a correctly-sized key. Therefore,
the recommended size of the secret key is the output size of the hash specified by
.
An instance ready to compute the hash algorithm specified
by .
. is null, or
the empty string.
is not a known hash algorithm.
Attribute used to indicate a source generator should create a function for marshalling
arguments instead of relying on the runtime to generate an equivalent marshalling function at run-time.
This attribute is meaningless if the source generator associated with it is not enabled.
The current built-in source generator only supports C# and only supplies an implementation when
applied to static, partial, non-generic methods.
Initializes a new instance of the .
Name of the library containing the import.
Gets the name of the library containing the import.
Gets or sets the name of the entry point to be called.
Gets or sets how to marshal string arguments to the method.
If this field is set to a value other than ,
must not be specified.
Gets or sets the used to control how string arguments to the method are marshalled.
If this field is specified, must not be specified
or must be set to .
Gets or sets whether the callee sets an error (SetLastError on Windows or errno
on other platforms) before returning from the attributed method.
Specifies how strings should be marshalled for generated p/invokes.
Indicates the user is supplying a specific marshaller in .
Use the platform-provided UTF-8 marshaller.
Use the platform-provided UTF-16 marshaller.
Base type for all platform-specific API attributes.
Records the platform that the project targeted.
Records the operating system (and minimum version) that supports an API. Multiple attributes can be
applied to indicate support on multiple operating systems.
Callers can apply a
or use guards to prevent calls to APIs on unsupported operating systems.
A given platform should only be specified once.
Marks APIs that were removed in a given operating system version.
Primarily used by OS bindings to indicate APIs that are only available in
earlier versions.
Marks APIs that were obsoleted in a given operating system version.
Primarily used by OS bindings to indicate APIs that should not be used anymore.
Annotates a custom guard field, property or method with a supported platform name and optional version.
Multiple attributes can be applied to indicate a guard for multiple supported platforms.
Callers can apply a to a field, property or method
and use that field, property or method in conditional or assert statements in order to safely call platform-specific APIs.
The field or property type, or the method return type, must be Boolean for it to be used as a platform guard.
Annotates a custom guard field, property or method with an unsupported platform name and optional version.
Multiple attributes can be applied to indicate a guard for multiple unsupported platforms.
Callers can apply a to a field, property or method
and use that field, property or method in conditional or assert statements as a guard to safely call APIs unsupported on those platforms.
The field or property type, or the method return type, must be Boolean for it to be used as a platform guard.
Error occurred during a cryptographic operation.
Offset and length were out of bounds for the array or count is greater than the number of elements from index to the end of the source collection.
Value was invalid.
{0} ('{1}') must be a non-negative and non-zero value.
Non-negative number required.
The number of bytes requested is too large. The number of bytes produced by SP800108HmacCounterKdf cannot exceed 536,870,911 bytes.
The value cannot be an empty string.
The KDF for algorithm '{0}' requires a char-based password input.
Algorithm '{0}' is not supported on this platform.
ASN1 corrupted data.
The hash algorithm name cannot be null or empty.
Key is not a valid public or private key.
The certificate data cannot be read with the provided password, the password may be incorrect.
The provided PFX data contains no certificates.
The EncryptedPrivateKeyInfo structure was decoded but was not successfully interpreted, the password may be incorrect.
The algorithm identified by '{0}' is unknown, not valid for the requested usage, or was not handled.
'{0}' is not a known hash algorithm.
The PKCS#12/PFX violated the '{0}' limit.
This Pkcs12LoaderLimits object has been made read-only and can no longer be modified.
Specifies that null is allowed as an input even if the corresponding type disallows it.
Specifies that null is disallowed as an input even if the corresponding type allows it.
Specifies that an output may be null even if the corresponding type disallows it.
Specifies that an output will not be null even if the corresponding type allows it. Specifies that an input argument was not null when the call returns.
Specifies that when a method returns , the parameter may be null even if the corresponding type disallows it.
Initializes the attribute with the specified return value condition.
The return value condition. If the method returns this value, the associated parameter may be null.
Gets the return value condition.
Specifies that when a method returns , the parameter will not be null even if the corresponding type allows it.
Initializes the attribute with the specified return value condition.
The return value condition. If the method returns this value, the associated parameter will not be null.
Gets the return value condition.
Specifies that the output will be non-null if the named parameter is non-null.
Initializes the attribute with the associated parameter name.
The associated parameter name. The output will be non-null if the argument to the parameter specified is non-null.
Gets the associated parameter name.
Applied to a method that will never return under any circumstance.
Specifies that the method will not return if the associated Boolean parameter is passed the specified value.
Initializes the attribute with the specified parameter value.
The condition parameter value. Code after the method will be considered unreachable by diagnostics if the argument to
the associated parameter matches this value.
Gets the condition parameter value.
Specifies that the method or property will ensure that the listed field and property members have not-null values.
Initializes the attribute with a field or property member.
The field or property member that is promised to be not-null.
Initializes the attribute with the list of field and property members.
The list of field and property members that are promised to be not-null.
Gets field or property member names.
Specifies that the method or property will ensure that the listed field and property members have not-null values when returning with the specified return value condition.
Initializes the attribute with the specified return value condition and a field or property member.
The return value condition. If the method returns this value, the associated field or property member will not be null.
The field or property member that is promised to be not-null.
Initializes the attribute with the specified return value condition and list of field and property members.
The return value condition. If the method returns this value, the associated field and property members will not be null.
The list of field and property members that are promised to be not-null.
Gets the return value condition.
Gets field or property member names.
SafeHandle for the HCERTSTORE handle defined by crypt32.
Base class for safe handles representing NULL-based pointers.
Provides a cache for special instances of SafeHandles.
Specifies the type of SafeHandle.
Gets a cached, invalid handle. As the instance is cached, it should either never be Disposed
or it should override to prevent disposal when the
instance represents an invalid handle: returns .
Gets whether the specified handle is an invalid handle.
The handle to compare.
true if is an invalid handle; otherwise, false.
Wrap a string- or SecureString-based object. A null value indicates IntPtr.Zero should be used.
This is used to track if a password was explicitly provided.
A null/empty password is a valid password.
Append "value" to the data already in blob.
Append "value" to the data already in blob.
Append "value" in big-endian format to the data already in blob.
Peel off the next "count" bytes in blob and return them in a byte array.
Peel off the next "count" bytes in blob and return them in a byte array.
Magic numbers identifying blob types
Well-known key blob types
The BCRYPT_RSAKEY_BLOB structure is used as a header for an RSA public key or private key BLOB in memory.
The BCRYPT_DSA_KEY_BLOB structure is used as a v1 header for a DSA public key or private key BLOB in memory.
The BCRYPT_DSA_KEY_BLOB structure is used as a v2 header for a DSA public key or private key BLOB in memory.
The BCRYPT_ECCKEY_BLOB structure is used as a header for an ECC public key or private key BLOB in memory.
Represents the type of curve.
Represents the algorithm that was used with Seed to generate A and B.
Used as a header to curve parameters including the public and potentially private key.
NCrypt or BCrypt buffer descriptors
BCrypt buffer
The version of BCryptBuffer
Contains a set of generic CNG buffers.
The version of BCRYPT_ECC_PARAMETER_HEADER
Used as a header to curve parameters.
Returns a string message for the specified Win32 error code.