private unsafe void Verify(X509Certificate2Collection extraStore, X509Certificate2 certificate, bool verifySignatureOnly)
{
checked {
// We need to find out if DSS parameters inheritance is necessary. If so, we need to
// first build the chain to cause CAPI to inherit and set the parameters in the
// CERT_PUBKEY_ALG_PARA_PROP_ID extended property. Once we have the parameters in
// the property, we then need to retrieve a copy and point to it in the CERT_INFO
// structure.
SafeLocalAllocHandle pbParameters = SafeLocalAllocHandle.InvalidHandle;
CAPI.CERT_CONTEXT pCertContext = (CAPI.CERT_CONTEXT)Marshal.PtrToStructure(X509Utils.GetCertContext(certificate).DangerousGetHandle(), typeof(CAPI.CERT_CONTEXT));
// Point to SubjectPublicKeyInfo field inside the CERT_INFO structure.
IntPtr pSubjectPublicKeyInfo = new IntPtr((long)pCertContext.pCertInfo + (long)Marshal.OffsetOf(typeof(CAPI.CERT_INFO), "SubjectPublicKeyInfo"));
// Point to Algorithm field inside the SubjectPublicKeyInfo field.
IntPtr pAlgorithm = new IntPtr((long)pSubjectPublicKeyInfo + (long)Marshal.OffsetOf(typeof(CAPI.CERT_PUBLIC_KEY_INFO), "Algorithm"));
// Point to Parameters field inside the Algorithm field.
IntPtr pParameters = new IntPtr((long)pAlgorithm + (long)Marshal.OffsetOf(typeof(CAPI.CRYPT_ALGORITHM_IDENTIFIER), "Parameters"));
// Retrieve the pszObjId pointer.
IntPtr pObjId = Marshal.ReadIntPtr(pAlgorithm);
// Translate the OID to AlgId value.
CAPI.CRYPT_OID_INFO pOIDInfo = CAPI.CryptFindOIDInfo(CAPI.CRYPT_OID_INFO_OID_KEY, pObjId, CAPI.CRYPT_PUBKEY_ALG_OID_GROUP_ID);
// Is this DSS?
if (pOIDInfo.Algid == CAPI.CALG_DSS_SIGN)
{
bool inheritParameters = false;
// This is DSS, so inherit the parameters if necessary.
IntPtr pcbData = new IntPtr((long)pParameters + (long)Marshal.OffsetOf(typeof(CAPI.CRYPTOAPI_BLOB), "cbData"));
IntPtr ppbData = new IntPtr((long)pParameters + (long)Marshal.OffsetOf(typeof(CAPI.CRYPTOAPI_BLOB), "pbData"));
if (Marshal.ReadInt32(pcbData) == 0)
{
inheritParameters = true;
}
else
{
// Need to inherit if NULL pbData or *pbData is 0x05 (NULL ASN tag).
if (Marshal.ReadIntPtr(ppbData) == IntPtr.Zero)
{
inheritParameters = true;
}
else
{
IntPtr pbData = Marshal.ReadIntPtr(ppbData);
if ((uint)Marshal.ReadInt32(pbData) == CAPI.ASN_TAG_NULL)
{
inheritParameters = true;
}
}
}
// Do we need to copy inherited DSS parameters?
if (inheritParameters)
{
// Build the chain to force CAPI to propagate the parameters to
// CERT_PUBKEY_ALG_PARA_PROP_ID extended property.
SafeCertChainHandle pChainContext = SafeCertChainHandle.InvalidHandle;
X509Utils.BuildChain(new IntPtr(CAPI.HCCE_CURRENT_USER),
X509Utils.GetCertContext(certificate),
null,
null,
null,
X509RevocationMode.NoCheck,
X509RevocationFlag.ExcludeRoot,
DateTime.Now,
new TimeSpan(0, 0, 0), // default
ref pChainContext);
pChainContext.Dispose();
// The parameter is inherited in the extended property, but not copied
// to CERT_INFO, so we need to do it ourselves.
uint cbParameters = 0;
if (!CAPI.CAPISafe.CertGetCertificateContextProperty(X509Utils.GetCertContext(certificate),
CAPI.CERT_PUBKEY_ALG_PARA_PROP_ID,
pbParameters,
ref cbParameters))
{
throw new CryptographicException(Marshal.GetLastWin32Error());
}
if (cbParameters > 0)
{
pbParameters = CAPI.LocalAlloc(CAPI.LPTR, new IntPtr(cbParameters));
if (!CAPI.CAPISafe.CertGetCertificateContextProperty(X509Utils.GetCertContext(certificate),
CAPI.CERT_PUBKEY_ALG_PARA_PROP_ID,
pbParameters,
ref cbParameters))
{
throw new CryptographicException(Marshal.GetLastWin32Error());
}
Marshal.WriteInt32(pcbData, (int)cbParameters);
Marshal.WriteIntPtr(ppbData, pbParameters.DangerousGetHandle());
}
}
}
// Is this counter signer?
if (m_parentSignerInfo == null)
{
// Just plain signer.
if (!CAPI.CryptMsgControl(m_signedCms.GetCryptMsgHandle(),
0,
CAPI.CMSG_CTRL_VERIFY_SIGNATURE,
pCertContext.pCertInfo))
{
throw new CryptographicException(Marshal.GetLastWin32Error());
}
}
else
{
// Counter signer, so need to first find parent signer's index.
int index = -1;
int lastWin32Error = 0;
// Since we allow the same signer to sign more than once,
// we must than try all signatures of the same signer.
while (true)
{
try {
// Find index of parent signer.
index = PkcsUtils.GetSignerIndex(m_signedCms.GetCryptMsgHandle(), m_parentSignerInfo, index + 1);
}
catch (CryptographicException) {
// Did we ever find a signature of the same signer?
if (lastWin32Error == 0)
{
// No. So we just re-throw, which is most likely CAPI.CRYPT_E_SIGNER_NOT_FOUND.
throw;
}
else
{
// Yes. Throw previous error, which is most likely CAPI.NTE_BAD_SIGNATURE.
throw new CryptographicException(lastWin32Error);
}
}
// Now get the parent encoded singer info.
uint cbParentEncodedSignerInfo = 0;
SafeLocalAllocHandle pbParentEncodedSignerInfo = SafeLocalAllocHandle.InvalidHandle;
PkcsUtils.GetParam(m_signedCms.GetCryptMsgHandle(),
CAPI.CMSG_ENCODED_SIGNER,
(uint)index,
out pbParentEncodedSignerInfo,
out cbParentEncodedSignerInfo);
// Try next signer if we can't get parent of this signer.
if (cbParentEncodedSignerInfo == 0)
{
lastWin32Error = CAPI.CRYPT_E_NO_SIGNER;
continue;
}
fixed(byte *pbEncodedSignerInfo = m_encodedSignerInfo)
{
if (!CAPI.CAPISafe.CryptMsgVerifyCountersignatureEncoded(IntPtr.Zero,
CAPI.X509_ASN_ENCODING | CAPI.PKCS_7_ASN_ENCODING,
pbParentEncodedSignerInfo.DangerousGetHandle(),
cbParentEncodedSignerInfo,
new IntPtr(pbEncodedSignerInfo),
(uint)m_encodedSignerInfo.Length,
pCertContext.pCertInfo))
{
// Cache the error, and try next signer.
lastWin32Error = Marshal.GetLastWin32Error();
continue;
}
}
// Keep alive.
pbParentEncodedSignerInfo.Dispose();
// The signature is successfully verified.
break;
}
}
// Verfiy the cert if requested.
if (!verifySignatureOnly)
{
int hr = VerifyCertificate(certificate, extraStore);
if (hr != CAPI.S_OK)
{
throw new CryptographicException(hr);
}
}
// Keep alive.
pbParameters.Dispose();
}
}