// in case we just want to timestamp the file
public bool Timestamp(string fileName)
{
try
{
AuthenticodeDeformatter def = new AuthenticodeDeformatter(fileName);
byte[] signature = def.Signature;
if (signature != null)
{
Open(fileName);
PKCS7.ContentInfo ci = new PKCS7.ContentInfo(signature);
pkcs7 = new PKCS7.SignedData(ci.Content);
byte[] response = Timestamp(pkcs7.SignerInfo.Signature);
ASN1 ts = new ASN1(Convert.FromBase64String(Encoding.ASCII.GetString(response)));
// insert new certificates and countersignature into the original signature
ASN1 asn = new ASN1(signature);
ASN1 content = asn.Element(1, 0xA0);
if (content == null)
{
return(false);
}
ASN1 signedData = content.Element(0, 0x30);
if (signedData == null)
{
return(false);
}
// add the supplied certificates inside our signature
ASN1 certificates = signedData.Element(3, 0xA0);
if (certificates == null)
{
certificates = new ASN1(0xA0);
signedData.Add(certificates);
}
for (int i = 0; i < ts[1][0][3].Count; i++)
{
certificates.Add(ts[1][0][3][i]);
}
// add an unauthentified attribute to our signature
ASN1 signerInfoSet = signedData[signedData.Count - 1];
ASN1 signerInfo = signerInfoSet[0];
ASN1 unauthenticated = signerInfo[signerInfo.Count - 1];
if (unauthenticated.Tag != 0xA1)
{
unauthenticated = new ASN1(0xA1);
signerInfo.Add(unauthenticated);
}
unauthenticated.Add(Attribute(countersignature, ts[1][0][4][0]));
return(Save(fileName, asn.GetBytes()));
}
}
catch (Exception e)
{
Console.WriteLine(e);
}
return(false);
}
/// <summary>
///
/// </summary>
/// <param name="nonAssemblies">a list of PE files that aren't in an assembly</param>
/// <returns></returns>
internal bool VerifyNonAssemblies(IEnumerable<String> nonAssemblies)
{
bool ret = true;
foreach (String fileName in nonAssemblies)
{
try
{
var authenticodeFileHandler = new AuthenticodeDeformatter(fileName);
if (authenticodeFileHandler.Certificates.Count < 1)
{
ret = false;
Console.WriteLine(fileName + " is not properly signed.");
}
}
catch (IOException e)
{
ret = false;
Console.WriteLine(e.Message);
}
}
return ret;
}
public bool Timestamp(string fileName)
{
try
{
AuthenticodeDeformatter authenticodeDeformatter = new AuthenticodeDeformatter(fileName);
byte[] signature = authenticodeDeformatter.Signature;
if (signature != null)
{
base.Open(fileName);
PKCS7.ContentInfo contentInfo = new PKCS7.ContentInfo(signature);
this.pkcs7 = new PKCS7.SignedData(contentInfo.Content);
byte[] bytes = this.Timestamp(this.pkcs7.SignerInfo.Signature);
ASN1 asn = new ASN1(Convert.FromBase64String(Encoding.ASCII.GetString(bytes)));
ASN1 asn2 = new ASN1(signature);
ASN1 asn3 = asn2.Element(1, 160);
if (asn3 == null)
{
return(false);
}
ASN1 asn4 = asn3.Element(0, 48);
if (asn4 == null)
{
return(false);
}
ASN1 asn5 = asn4.Element(3, 160);
if (asn5 == null)
{
asn5 = new ASN1(160);
asn4.Add(asn5);
}
for (int i = 0; i < asn[1][0][3].Count; i++)
{
asn5.Add(asn[1][0][3][i]);
}
ASN1 asn6 = asn4[asn4.Count - 1];
ASN1 asn7 = asn6[0];
ASN1 asn8 = asn7[asn7.Count - 1];
if (asn8.Tag != 161)
{
asn8 = new ASN1(161);
asn7.Add(asn8);
}
asn8.Add(this.Attribute("1.2.840.113549.1.9.6", asn[1][0][4][0]));
return(this.Save(fileName, asn2.GetBytes()));
}
}
catch (Exception value)
{
Console.WriteLine(value);
}
return(false);
}
public bool Timestamp(string fileName)
{
try
{
AuthenticodeDeformatter authenticodeDeformatter = new AuthenticodeDeformatter(fileName);
byte[] signature = authenticodeDeformatter.Signature;
if (signature != null)
{
Open(fileName);
PKCS7.ContentInfo contentInfo = new PKCS7.ContentInfo(signature);
pkcs7 = new PKCS7.SignedData(contentInfo.Content);
byte[] bytes = Timestamp(pkcs7.SignerInfo.Signature);
ASN1 aSN = new ASN1(Convert.FromBase64String(Encoding.ASCII.GetString(bytes)));
ASN1 aSN2 = new ASN1(signature);
ASN1 aSN3 = aSN2.Element(1, 160);
if (aSN3 == null)
{
return(false);
}
ASN1 aSN4 = aSN3.Element(0, 48);
if (aSN4 == null)
{
return(false);
}
ASN1 aSN5 = aSN4.Element(3, 160);
if (aSN5 == null)
{
aSN5 = new ASN1(160);
aSN4.Add(aSN5);
}
for (int i = 0; i < aSN[1][0][3].Count; i++)
{
aSN5.Add(aSN[1][0][3][i]);
}
ASN1 aSN6 = aSN4[aSN4.Count - 1];
ASN1 aSN7 = aSN6[0];
ASN1 aSN8 = aSN7[aSN7.Count - 1];
if (aSN8.Tag != 161)
{
aSN8 = new ASN1(161);
aSN7.Add(aSN8);
}
aSN8.Add(Attribute("1.2.840.113549.1.9.6", aSN[1][0][4][0]));
return(Save(fileName, aSN2.GetBytes()));
}
}
catch (Exception value)
{
Console.WriteLine(value);
}
return(false);
}
internal override bool VerifyAssemblies(IEnumerable<string> assemblies)
{
bool ret = true;
PKCS12 pkcs = null;
//first open pfxfile
try
{
if (password == null)
{
pkcs = PKCS12.LoadFromFile(pfxFile);
}
else
{
pkcs = PKCS12.LoadFromFile(pfxFile, password);
}
}
catch
{
Console.WriteLine("Something went wrong when you tried to open the PKCS file");
return false;
}
var codeSigningCert = pkcs.FindCodeSigningCert();
byte[] pubKey = codeSigningCert.PublicKey;
var expiryDate = codeSigningCert.ValidUntil;
foreach (string s in assemblies)
{
try
{
var authenticodeDeformatter = new AuthenticodeDeformatter(Path.GetFullPath(s));
var fileCert = authenticodeDeformatter.SigningCertificate;
//var test = new ASN1(fileCert.PublicKey);
if (fileCert == null || !pubKey.SequenceEqual(fileCert.PublicKey) || expiryDate != fileCert.ValidUntil)
{
ret = false;
Console.WriteLine("The file " + s + " was not signed with the same certificate that was passed in." );
}
}
catch (Exception e)
{
ret = false;
Console.WriteLine(e.Message);
}
}
return ret;
}
public static X509Certificate CreateFromSignedFile (string filename)
{
try {
AuthenticodeDeformatter a = new AuthenticodeDeformatter (filename);
if (a.SigningCertificate != null) {
return new X509Certificate (a.SigningCertificate.RawData);
}
}
catch (SecurityException) {
// don't wrap SecurityException into a COMException
throw;
}
catch (Exception e) {
string msg = Locale.GetText ("Couldn't extract digital signature from {0}.", filename);
throw new COMException (msg, e);
}
throw new CryptographicException (Locale.GetText ("{0} isn't signed.", filename));
}
public void VerifyUnsignedAssembly ()
{
string filename = Assembly.GetExecutingAssembly ().Location;
AuthenticodeDeformatter ad = new AuthenticodeDeformatter (filename);
// no digital signature
Assert.AreEqual (1, ad.Reason, "Reason");
Assert.IsNull (ad.Hash, "Hash");
Assert.AreEqual (DateTime.MinValue, ad.Timestamp, "Timestamp");
Assert.IsNull (ad.Certificates, "Certificates");
Assert.IsNull (ad.SigningCertificate, "SigningCertificate");
}
public void VerifySignedAssembly ()
{
string filename = WriteFile ();
AuthenticodeDeformatter ad = new AuthenticodeDeformatter (filename);
// note: it's a valid signed PE file - but it doesn't
// mean it's root is trusted on the current system
Assert.IsTrue (((ad.Reason == 0) || (ad.Reason == 6)), "Reason");
Assert.AreEqual ("35-A5-21-3B-FC-FE-FA-40-97-AA-BB-DE-3B-52-15-6F", BitConverter.ToString (ad.Hash), "Hash");
Assert.AreEqual (632011370700000000, ad.Timestamp.ToUniversalTime ().Ticks, "Timestamp");
Assert.AreEqual (4, ad.Certificates.Count, "#Certificates");
Assert.AreEqual ("C=ZA, S=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Server CA, [email protected]", ad.SigningCertificate.IssuerName, "IssuerName");
Assert.AreEqual ("C=CA, S=Quebec, L=Quebec, O=Motus Technologies Inc., OU=Secure Application Development, CN=Motus Technologies Inc.", ad.SigningCertificate.SubjectName, "SubjectName");
}
static internal Evidence GetDefaultHostEvidence (Assembly a)
{
Evidence e = new Evidence ();
string aname = a.EscapedCodeBase;
// by default all assembly have the Zone, Url and Hash evidences
e.AddHost (Zone.CreateFromUrl (aname));
e.AddHost (new Url (aname));
e.AddHost (new Hash (a));
// non local files (e.g. http://) also get a Site evidence
if (String.Compare ("FILE://", 0, aname, 0, 7, true, CultureInfo.InvariantCulture) != 0) {
e.AddHost (Site.CreateFromUrl (aname));
}
// strongnamed assemblies gets a StrongName evidence
AssemblyName an = a.GetName ();
byte[] pk = an.GetPublicKey ();
if ((pk != null) && (pk.Length > 0)) {
StrongNamePublicKeyBlob blob = new StrongNamePublicKeyBlob (pk);
e.AddHost (new StrongName (blob, an.Name, an.Version));
}
// Authenticode(r) signed assemblies get a Publisher evidence
if (IsAuthenticodePresent (a)) {
// Note: The certificate is part of the evidences even if it is not trusted!
// so we can't call X509Certificate.CreateFromSignedFile
AuthenticodeDeformatter ad = new AuthenticodeDeformatter (a.Location);
if (ad.SigningCertificate != null) {
X509Certificate x509 = new X509Certificate (ad.SigningCertificate.RawData);
if (x509.GetHashCode () != 0) {
e.AddHost (new Publisher (x509));
}
}
}
// assemblies loaded from the GAC also get a Gac evidence (new in Fx 2.0)
if (a.GlobalAssemblyCache) {
e.AddHost (new GacInstalled ());
}
// the current HostSecurityManager may add/remove some evidence
AppDomainManager dommgr = AppDomain.CurrentDomain.DomainManager;
if (dommgr != null) {
if ((dommgr.HostSecurityManager.Flags & HostSecurityManagerOptions.HostAssemblyEvidence) ==
HostSecurityManagerOptions.HostAssemblyEvidence) {
e = dommgr.HostSecurityManager.ProvideAssemblyEvidence (a, e);
}
}
return e;
}
// static methods
static public int Check (string fileName, bool quiet, bool verbose)
{
AuthenticodeDeformatter a = new AuthenticodeDeformatter (fileName);
// debug
/* FileStream fs = File.Open (fileName + ".sig", FileMode.Create, FileAccess.Write);
fs.Write (a.Signature, 0, a.Signature.Length);
fs.Close ();*/
// get something shorter to display
fileName = Path.GetFileName (fileName);
if (verbose) {
Console.WriteLine ("Verifying file {0} for Authenticode(tm) signatures...{1}", fileName, Environment.NewLine);
}
if (a.Timestamp == DateTime.MinValue) {
// signature only valid if the certificate is valid
Console.WriteLine ("WARNING! {0} is not timestamped!", fileName);
}
else if (verbose) {
Console.WriteLine ("INFO! {0} was timestamped on {1}", fileName, a.Timestamp);
}
if (a.Reason > 0) {
string msg = null;
// FAILURES
switch (a.Reason) {
case 1:
msg = "doesn't contain a digital signature";
break;
case 2:
msg = "digital signature is invalid";
break;
case 3:
msg = "countersignature (timestamp) is invalid";
break;
case 4:
msg = "timestamp is outside certificate validity";
break;
case 5:
msg = "use an unsupported hash algorithm. Verification is impossible";
break;
case 6:
msg = "signature can't be traced back to a trusted root";
break;
case 7:
msg = "couldn't find the certificate that signed the file";
break;
case 8:
msg = "certificate is expired and no timestamp is present";
break;
default:
msg = "unknown error";
break;
}
Console.WriteLine ("ERROR! {0} {1}!{2}", fileName, msg, Environment.NewLine);
return 1;
}
Console.WriteLine ("SUCCESS: {0} signature is valid{1}and can be traced back to a trusted root!{2}", fileName, Environment.NewLine, Environment.NewLine);
return 0;
}
public static X509Certificate CreateFromSignedFile (string filename)
{
try {
AuthenticodeDeformatter a = new AuthenticodeDeformatter (filename);
if (a.SigningCertificate != null) {
#if !NET_2_0
// before 2.0 the signing certificate is returned only if the signature is valid
if (a.Reason != 0) {
string msg = String.Format (Locale.GetText (
"Invalid digital signature on {0}, reason #{1}."),
filename, a.Reason);
throw new COMException (msg);
}
#endif
return new X509Certificate (a.SigningCertificate.RawData);
}
}
catch (SecurityException) {
// don't wrap SecurityException into a COMException
throw;
}
#if !NET_2_0
catch (COMException) {
// don't wrap COMException into a COMException
throw;
}
#endif
catch (Exception e) {
string msg = Locale.GetText ("Couldn't extract digital signature from {0}.", filename);
throw new COMException (msg, e);
}
#if NET_2_0
throw new CryptographicException (Locale.GetText ("{0} isn't signed.", filename));
#else
// if no signature is present return an empty certificate
byte[] cert = null; // must not confuse compiler about null ;)
return new X509Certificate (cert);
#endif
}
// in case we just want to timestamp the file
public bool Timestamp (string fileName)
{
try {
AuthenticodeDeformatter def = new AuthenticodeDeformatter (fileName);
byte[] signature = def.Signature;
if (signature != null) {
Open (fileName);
PKCS7.ContentInfo ci = new PKCS7.ContentInfo (signature);
pkcs7 = new PKCS7.SignedData (ci.Content);
byte[] response = Timestamp (pkcs7.SignerInfo.Signature);
ASN1 ts = new ASN1 (Convert.FromBase64String (Encoding.ASCII.GetString (response)));
// insert new certificates and countersignature into the original signature
ASN1 asn = new ASN1 (signature);
ASN1 content = asn.Element (1, 0xA0);
if (content == null)
return false;
ASN1 signedData = content.Element (0, 0x30);
if (signedData == null)
return false;
// add the supplied certificates inside our signature
ASN1 certificates = signedData.Element (3, 0xA0);
if (certificates == null) {
certificates = new ASN1 (0xA0);
signedData.Add (certificates);
}
for (int i = 0; i < ts[1][0][3].Count; i++) {
certificates.Add (ts[1][0][3][i]);
}
// add an unauthentified attribute to our signature
ASN1 signerInfoSet = signedData[signedData.Count - 1];
ASN1 signerInfo = signerInfoSet[0];
ASN1 unauthenticated = signerInfo[signerInfo.Count - 1];
if (unauthenticated.Tag != 0xA1) {
unauthenticated = new ASN1 (0xA1);
signerInfo.Add (unauthenticated);
}
unauthenticated.Add (Attribute (countersignature, ts[1][0][4][0]));
return Save (fileName, asn.GetBytes ());
}
}
catch (Exception e) {
Console.WriteLine (e);
}
return false;
}
