internal StrongNameSignatureInformation(AsymmetricAlgorithm publicKey)
{
Debug.Assert(publicKey != null, "publicKey != null");
m_verificationResult = SignatureVerificationResult.Valid;
m_publicKey = publicKey;
}
internal AuthenticodeSignatureInformation(X509Native.AXL_AUTHENTICODE_SIGNER_INFO signer, X509Chain signatureChain, TimestampInformation timestamp)
{
this.m_verificationResult = (SignatureVerificationResult)signer.dwError;
this.m_hashAlgorithmId = signer.algHash;
if (signer.pwszDescription != IntPtr.Zero)
{
this.m_description = Marshal.PtrToStringUni(signer.pwszDescription);
}
if (signer.pwszDescriptionUrl != IntPtr.Zero)
{
Uri.TryCreate(Marshal.PtrToStringUni(signer.pwszDescriptionUrl), UriKind.RelativeOrAbsolute, out this.m_descriptionUrl);
}
this.m_signatureChain = signatureChain;
if ((timestamp != null) && (timestamp.VerificationResult != SignatureVerificationResult.MissingSignature))
{
if (timestamp.IsValid)
{
this.m_timestamp = timestamp;
}
else
{
this.m_verificationResult = SignatureVerificationResult.InvalidTimestamp;
}
}
else
{
this.m_timestamp = null;
}
}
private StrongNameSignatureInformation VerifyStrongNameSignature(XmlElement signatureNode)
{
AsymmetricAlgorithm algorithm;
if (!base.CheckSignatureReturningKey(out algorithm))
{
return(new StrongNameSignatureInformation(SignatureVerificationResult.BadDigest));
}
SignatureVerificationResult error = VerifyStrongNameSignatureId(signatureNode);
if (error != SignatureVerificationResult.Valid)
{
return(new StrongNameSignatureInformation(error));
}
SignatureVerificationResult result2 = VerifyStrongNameSignatureTransforms(base.Signature.SignedInfo);
if (result2 != SignatureVerificationResult.Valid)
{
return(new StrongNameSignatureInformation(result2));
}
if (!CompareBytes(this.CalculateManifestPublicKeyToken(), CalculateSignerPublicKeyToken(algorithm)))
{
return(new StrongNameSignatureInformation(SignatureVerificationResult.PublicKeyTokenMismatch));
}
return(new StrongNameSignatureInformation(algorithm));
}
internal AuthenticodeSignatureInformation(X509Native.AXL_AUTHENTICODE_SIGNER_INFO signer,
X509Chain signatureChain,
TimestampInformation timestamp) {
m_verificationResult = (SignatureVerificationResult)signer.dwError;
m_hashAlgorithmId = signer.algHash;
if (signer.pwszDescription != IntPtr.Zero) {
m_description = Marshal.PtrToStringUni(signer.pwszDescription);
}
if (signer.pwszDescriptionUrl != IntPtr.Zero) {
string descriptionUrl = Marshal.PtrToStringUni(signer.pwszDescriptionUrl);
Uri.TryCreate(descriptionUrl, UriKind.RelativeOrAbsolute, out m_descriptionUrl);
}
m_signatureChain = signatureChain;
// If there was a timestamp, and it was not valid we need to invalidate the entire Authenticode
// signature as well, since we cannot assume that the signature would have verified without
// the timestamp.
if (timestamp != null && timestamp.VerificationResult != SignatureVerificationResult.MissingSignature) {
if (timestamp.IsValid) {
m_timestamp = timestamp;
}
else {
m_verificationResult = SignatureVerificationResult.InvalidTimestamp;
}
}
else {
m_timestamp = null;
}
}
internal TimestampInformation(X509Native.AXL_AUTHENTICODE_TIMESTAMPER_INFO timestamper) {
m_hashAlgorithmId = timestamper.algHash;
m_verificationResult = (SignatureVerificationResult)timestamper.dwError;
ulong filetime = ((ulong)((uint)timestamper.ftTimestamp.dwHighDateTime) << 32) |
(ulong)((uint)timestamper.ftTimestamp.dwLowDateTime);
m_timestamp = DateTime.FromFileTimeUtc((long)filetime);
if (timestamper.pChainContext != IntPtr.Zero) {
m_timestampChain = new X509Chain(timestamper.pChainContext);
}
}
internal TimestampInformation(X509Native.AXL_AUTHENTICODE_TIMESTAMPER_INFO timestamper)
{
this.m_hashAlgorithmId = timestamper.algHash;
this.m_verificationResult = (SignatureVerificationResult)timestamper.dwError;
ulong num = (((ulong)timestamper.ftTimestamp.dwHighDateTime) << 0x20) | ((ulong)timestamper.ftTimestamp.dwLowDateTime);
this.m_timestamp = DateTime.FromFileTimeUtc((long)num);
if (timestamper.pChainContext != IntPtr.Zero)
{
this.m_timestampChain = new X509Chain(timestamper.pChainContext);
}
}
internal static int HResultForVerificationResult(SignatureVerificationResult verificationResult)
{
switch (verificationResult)
{
case SignatureVerificationResult.AssemblyIdentityMismatch:
case SignatureVerificationResult.PublicKeyTokenMismatch:
case SignatureVerificationResult.PublisherMismatch:
return(-2146762749);
case SignatureVerificationResult.ContainingSignatureInvalid:
return(-2146869232);
}
return((int)verificationResult);
}
public static bool VerifyReceivedMessage(MessageToReceive messageToReceive)
{
SignatureVerificationResult signatureVerificationResult = Verify(
messageToReceive.legacyAddress,
messageToReceive.message,
messageToReceive.signature
);
if (signatureVerificationResult == SignatureVerificationResult.SignatureIsValid)
{
return(true);
}
return(false);
}
/// <summary>
/// Map a verification result to a matching HRESULT
/// </summary>
internal static int HResultForVerificationResult(SignatureVerificationResult verificationResult)
{
switch (verificationResult)
{
case SignatureVerificationResult.AssemblyIdentityMismatch:
case SignatureVerificationResult.PublicKeyTokenMismatch:
case SignatureVerificationResult.PublisherMismatch:
return((int)SignatureVerificationResult.BadSignatureFormat);
case SignatureVerificationResult.ContainingSignatureInvalid:
return((int)SignatureVerificationResult.BadDigest);
default:
return((int)verificationResult);
}
}
/// <summary>
/// Verify the strong name signature has a valid format and applies to this manifest
/// </summary>
private StrongNameSignatureInformation VerifyStrongNameSignature(XmlElement signatureNode)
{
Debug.Assert(signatureNode != null, "signatureNode != null");
// Verify that the signature is valid
AsymmetricAlgorithm key;
if (!CheckSignatureReturningKey(out key))
{
return(new StrongNameSignatureInformation(SignatureVerificationResult.BadDigest));
}
// ensure there is an ID element, and it is the strong name id
SignatureVerificationResult strongNameId = VerifyStrongNameSignatureId(signatureNode);
if (strongNameId != SignatureVerificationResult.Valid)
{
return(new StrongNameSignatureInformation(strongNameId));
}
// Verify that the transforms are the ones we expect.
Debug.Assert(Signature != null && Signature.SignedInfo != null,
"XML signature must be verified before getting SN details");
SignatureVerificationResult transformsValid = VerifyStrongNameSignatureTransforms(Signature.SignedInfo);
if (transformsValid != SignatureVerificationResult.Valid)
{
return(new StrongNameSignatureInformation(transformsValid));
}
// ensure the public key token in the manifest identity matches the public key token of the signing
// strong name key
if (!CompareBytes(CalculateManifestPublicKeyToken(), CalculateSignerPublicKeyToken(key)))
{
return(new StrongNameSignatureInformation(SignatureVerificationResult.PublicKeyTokenMismatch));
}
return(new StrongNameSignatureInformation(key));
}
internal AuthenticodeSignatureInformation(X509Native.AXL_AUTHENTICODE_SIGNER_INFO signer,
X509Chain signatureChain,
TimestampInformation timestamp)
{
m_verificationResult = (SignatureVerificationResult)signer.dwError;
m_hashAlgorithmId = signer.algHash;
if (signer.pwszDescription != IntPtr.Zero)
{
m_description = Marshal.PtrToStringUni(signer.pwszDescription);
}
if (signer.pwszDescriptionUrl != IntPtr.Zero)
{
string descriptionUrl = Marshal.PtrToStringUni(signer.pwszDescriptionUrl);
Uri.TryCreate(descriptionUrl, UriKind.RelativeOrAbsolute, out m_descriptionUrl);
}
m_signatureChain = signatureChain;
// If there was a timestamp, and it was not valid we need to invalidate the entire Authenticode
// signature as well, since we cannot assume that the signature would have verified without
// the timestamp.
if (timestamp != null && timestamp.VerificationResult != SignatureVerificationResult.MissingSignature)
{
if (timestamp.IsValid)
{
m_timestamp = timestamp;
}
else
{
m_verificationResult = SignatureVerificationResult.InvalidTimestamp;
}
}
else
{
m_timestamp = null;
}
}
private AuthenticodeSignatureInformation VerifyAuthenticodeSignature(XmlElement signatureNode,
X509RevocationFlag revocationFlag,
X509RevocationMode revocationMode)
{
Debug.Assert(signatureNode != null, "signatureNode != null");
// See if there is an Authenticode signature on the manifest
XmlElement licenseNode = signatureNode.SelectSingleNode("ds:KeyInfo/msrel:RelData/r:license",
m_namespaceManager) as XmlElement;
if (licenseNode == null)
{
return(null);
}
// Make sure that the signature is for this manifest
SignatureVerificationResult identityVerification = VerifyAuthenticodeSignatureIdentity(licenseNode);
if (identityVerification != SignatureVerificationResult.Valid)
{
return(new AuthenticodeSignatureInformation(identityVerification));
}
SignatureVerificationResult hashVerification = VerifyAuthenticodeExpectedHash(licenseNode);
if (hashVerification != SignatureVerificationResult.Valid)
{
return(new AuthenticodeSignatureInformation(hashVerification));
}
// Verify the signature, extracting information about it
AuthenticodeSignatureInformation authenticodeSignature = null;
X509Native.AXL_AUTHENTICODE_SIGNER_INFO signer = new X509Native.AXL_AUTHENTICODE_SIGNER_INFO();
signer.cbSize = Marshal.SizeOf(typeof(X509Native.AXL_AUTHENTICODE_SIGNER_INFO));
X509Native.AXL_AUTHENTICODE_TIMESTAMPER_INFO timestamper = new X509Native.AXL_AUTHENTICODE_TIMESTAMPER_INFO();
timestamper.cbsize = Marshal.SizeOf(typeof(X509Native.AXL_AUTHENTICODE_TIMESTAMPER_INFO));
RuntimeHelpers.PrepareConstrainedRegions();
try {
byte[] licenseXml = Encoding.UTF8.GetBytes(licenseNode.OuterXml);
X509Native.AxlVerificationFlags verificationFlags = MapRevocationFlags(revocationFlag,
revocationMode);
unsafe
{
fixed(byte *pLicenseXml = licenseXml)
{
// Safe since we're verifying the size of this buffer is correct
CapiNative.CRYPTOAPI_BLOB xmlBlob = new CapiNative.CRYPTOAPI_BLOB();
xmlBlob.cbData = licenseXml.Length;
xmlBlob.pbData = new IntPtr(pLicenseXml);
int hrVerify = X509Native.UnsafeNativeMethods.CertVerifyAuthenticodeLicense(ref xmlBlob,
verificationFlags,
ref signer,
ref timestamper);
if (hrVerify == (int)SignatureVerificationResult.MissingSignature)
{
return(new AuthenticodeSignatureInformation(SignatureVerificationResult.MissingSignature));
}
}
}
X509Chain signatureChain = BuildSignatureChain(signer,
licenseNode,
revocationFlag,
revocationMode);
TimestampInformation timestamp = GetTimestampInformation(timestamper,
licenseNode);
authenticodeSignature = new AuthenticodeSignatureInformation(signer,
signatureChain,
timestamp);
}
finally {
X509Native.UnsafeNativeMethods.CertFreeAuthenticodeSignerInfo(ref signer);
X509Native.UnsafeNativeMethods.CertFreeAuthenticodeTimestamperInfo(ref timestamper);
}
// Verify the signing certificate matches the expected publisher
Debug.Assert(authenticodeSignature != null, "authenticodeSignature != null");
if (authenticodeSignature.SigningCertificate == null)
{
return(new AuthenticodeSignatureInformation(authenticodeSignature.VerificationResult));
}
SignatureVerificationResult publisherMatch = VerifyAuthenticodePublisher(authenticodeSignature.SigningCertificate);
if (publisherMatch != SignatureVerificationResult.Valid)
{
return(new AuthenticodeSignatureInformation(publisherMatch));
}
return(authenticodeSignature);
}
internal TimestampInformation(SignatureVerificationResult error)
{
Debug.Assert(error != SignatureVerificationResult.Valid, "error != SignatureVerificationResult.Valid");
m_verificationResult = error;
}
private unsafe AuthenticodeSignatureInformation VerifyAuthenticodeSignature(XmlElement signatureNode, X509RevocationFlag revocationFlag, X509RevocationMode revocationMode)
{
XmlElement licenseNode = signatureNode.SelectSingleNode("ds:KeyInfo/msrel:RelData/r:license", this.m_namespaceManager) as XmlElement;
if (licenseNode == null)
{
return(null);
}
SignatureVerificationResult error = this.VerifyAuthenticodeSignatureIdentity(licenseNode);
if (error != SignatureVerificationResult.Valid)
{
return(new AuthenticodeSignatureInformation(error));
}
SignatureVerificationResult result2 = this.VerifyAuthenticodeExpectedHash(licenseNode);
if (result2 != SignatureVerificationResult.Valid)
{
return(new AuthenticodeSignatureInformation(result2));
}
AuthenticodeSignatureInformation information = null;
X509Native.AXL_AUTHENTICODE_SIGNER_INFO pSignerInfo = new X509Native.AXL_AUTHENTICODE_SIGNER_INFO {
cbSize = Marshal.SizeOf(typeof(X509Native.AXL_AUTHENTICODE_SIGNER_INFO))
};
X509Native.AXL_AUTHENTICODE_TIMESTAMPER_INFO pTimestamperInfo = new X509Native.AXL_AUTHENTICODE_TIMESTAMPER_INFO {
cbsize = Marshal.SizeOf(typeof(X509Native.AXL_AUTHENTICODE_TIMESTAMPER_INFO))
};
RuntimeHelpers.PrepareConstrainedRegions();
try
{
byte[] bytes = Encoding.UTF8.GetBytes(licenseNode.OuterXml);
X509Native.AxlVerificationFlags dwFlags = MapRevocationFlags(revocationFlag, revocationMode);
try
{
fixed(byte *numRef = bytes)
{
CapiNative.CRYPTOAPI_BLOB pLicenseBlob = new CapiNative.CRYPTOAPI_BLOB {
cbData = bytes.Length,
pbData = new IntPtr((void *)numRef)
};
if (X509Native.UnsafeNativeMethods.CertVerifyAuthenticodeLicense(ref pLicenseBlob, dwFlags, ref pSignerInfo, ref pTimestamperInfo) == -2146762496)
{
return(new AuthenticodeSignatureInformation(SignatureVerificationResult.MissingSignature));
}
}
}
finally
{
numRef = null;
}
X509Chain signatureChain = this.BuildSignatureChain(pSignerInfo, licenseNode, revocationFlag, revocationMode);
TimestampInformation timestampInformation = this.GetTimestampInformation(pTimestamperInfo, licenseNode);
information = new AuthenticodeSignatureInformation(pSignerInfo, signatureChain, timestampInformation);
}
finally
{
X509Native.UnsafeNativeMethods.CertFreeAuthenticodeSignerInfo(ref pSignerInfo);
X509Native.UnsafeNativeMethods.CertFreeAuthenticodeTimestamperInfo(ref pTimestamperInfo);
}
if (information.SigningCertificate == null)
{
return(new AuthenticodeSignatureInformation(information.VerificationResult));
}
SignatureVerificationResult result3 = this.VerifyAuthenticodePublisher(information.SigningCertificate);
if (result3 != SignatureVerificationResult.Valid)
{
return(new AuthenticodeSignatureInformation(result3));
}
return(information);
}
internal TimestampInformation(SignatureVerificationResult error) {
Debug.Assert(error != SignatureVerificationResult.Valid, "error != SignatureVerificationResult.Valid");
m_verificationResult = error;
}
public override SignatureVerificationResult VerifySignature(string path, string parent)
{
return(SignatureVerificationResult.UnsupportedFileTypeResult(path, parent));
}
/// <summary>
/// Create an Authenticode signature information for a signature which is not valid
/// </summary>
internal AuthenticodeSignatureInformation(SignatureVerificationResult error) {
Debug.Assert(error != SignatureVerificationResult.Valid);
m_verificationResult = error;
}
internal StrongNameSignatureInformation(SignatureVerificationResult error)
{
Debug.Assert(error != SignatureVerificationResult.Valid, "error != SignatureVerificationResult.Valid");
m_verificationResult = error;
}
internal StrongNameSignatureInformation(AsymmetricAlgorithm publicKey)
{
this.m_verificationResult = SignatureVerificationResult.Valid;
this.m_publicKey = publicKey;
}
internal StrongNameSignatureInformation(SignatureVerificationResult error)
{
this.m_verificationResult = error;
}
internal StrongNameSignatureInformation(AsymmetricAlgorithm publicKey) {
Debug.Assert(publicKey != null, "publicKey != null");
m_verificationResult = SignatureVerificationResult.Valid;
m_publicKey = publicKey;
}
internal AuthenticodeSignatureInformation(SignatureVerificationResult error)
{
this.m_verificationResult = error;
}
/// <summary>
/// Create an Authenticode signature information for a signature which is not valid
/// </summary>
internal AuthenticodeSignatureInformation(SignatureVerificationResult error)
{
Debug.Assert(error != SignatureVerificationResult.Valid);
m_verificationResult = error;
}
internal TimestampInformation(SignatureVerificationResult error)
{
this.m_verificationResult = error;
}
internal StrongNameSignatureInformation(SignatureVerificationResult error) {
Debug.Assert(error != SignatureVerificationResult.Valid, "error != SignatureVerificationResult.Valid");
m_verificationResult = error;
}