private static void ProcessSignerInfo(SignedCmiManifest2 signedManifest, out bool distrustedPublisher, out bool noCertificate)
{
Debug.Assert(signedManifest != null);
Debug.Assert(signedManifest.AuthenticodeSignerInfo != null);
const int TRUST_E_REVOKED = unchecked((int)0x80092010);
distrustedPublisher = false;
noCertificate = false;
//
// AuthenticodeSignerInfo can be null if the manifest is only strong name signed
// but not authenticode signed. This can happen when the strong name
// signature is invalid.
//
int error = signedManifest.AuthenticodeSignerInfo.ErrorCode;
if (error == Win32.TRUST_E_EXPLICIT_DISTRUST || error == TRUST_E_REVOKED)
{
distrustedPublisher = true;
return;
}
if (error == Win32.TRUST_E_SUBJECT_NOT_TRUSTED)
{
// Certificate is valid but publisher is not in trusted list
return;
}
// No certificate is equivalent to strong name signing only - run app only with user consent
noCertificate = true;
return;
}
private static bool AnalyzeCertificate(ParsedData parsedData, MemoryStream ms, out bool distrustedPublisher, out bool trustedPublisher, out bool noCertificate)
{
Debug.Assert(parsedData != null);
Debug.Assert(ms != null);
distrustedPublisher = false;
trustedPublisher = false;
noCertificate = false;
SignedCmiManifest2 signedManifest = null;
XmlDocument deploymentManifestXmlDom = null;
try
{
deploymentManifestXmlDom = new XmlDocument();
deploymentManifestXmlDom.PreserveWhitespace = true;
deploymentManifestXmlDom.Load(ms);
signedManifest = new SignedCmiManifest2(deploymentManifestXmlDom, true);
signedManifest.Verify(CmiManifestVerifyFlags.None);
}
catch (Exception e)
{
if (!(e is CryptographicException))
{
return false;
}
if (signedManifest.StrongNameSignerInfo != null && signedManifest.StrongNameSignerInfo.ErrorCode != Win32.TRUST_E_BAD_DIGEST) {
if (signedManifest.AuthenticodeSignerInfo == null)
{
return false;
}
ProcessSignerInfo(signedManifest, out distrustedPublisher, out noCertificate);
return true;
}
// try SHA1
try
{
signedManifest = new SignedCmiManifest2(deploymentManifestXmlDom, false);
signedManifest.Verify(CmiManifestVerifyFlags.None);
}
catch (Exception ex)
{
if (!(ex is CryptographicException))
{
return false;
}
if (signedManifest.AuthenticodeSignerInfo != null)
{
ProcessSignerInfo(signedManifest, out distrustedPublisher, out noCertificate);
return true;
}
return false;
}
}
finally
{
if (signedManifest != null &&
signedManifest.AuthenticodeSignerInfo != null &&
signedManifest.AuthenticodeSignerInfo.SignerChain != null)
{
parsedData.Certificate = signedManifest.AuthenticodeSignerInfo.SignerChain.ChainElements[0].Certificate;
parsedData.AuthenticodedPublisher = parsedData.Certificate.GetNameInfo(X509NameType.SimpleName, false);
}
}
if (signedManifest == null || signedManifest.AuthenticodeSignerInfo == null)
{
noCertificate = true;
}
else
{
trustedPublisher = true;
}
return true;
}
private static void SignFileInternal(X509Certificate2 cert, Uri timestampUrl, string path, bool targetFrameworkSupportsSha256, System.Resources.ResourceManager resources)
{
if (cert == null)
throw new ArgumentNullException("cert");
if (String.IsNullOrEmpty(path))
throw new ArgumentNullException("path");
if (!File.Exists(path))
throw new FileNotFoundException(String.Format(CultureInfo.InvariantCulture, resources.GetString("SecurityUtil.SignTargetNotFound"), path), path);
bool useSha256 = UseSha256Algorithm(cert) && targetFrameworkSupportsSha256;
if (PathUtil.IsPEFile(path))
{
if (IsCertInStore(cert))
SignPEFile(cert, timestampUrl, path, resources, useSha256);
else
throw new InvalidOperationException(resources.GetString("SignFile.CertNotInStore"));
}
else
{
if (cert.PrivateKey == null)
throw new InvalidOperationException(resources.GetString("SignFile.CertMissingPrivateKey"));
if (cert.PrivateKey.GetType() != typeof(RSACryptoServiceProvider))
throw new ApplicationException(resources.GetString("SecurityUtil.OnlyRSACertsAreAllowed"));
try
{
XmlDocument doc = new XmlDocument();
doc.PreserveWhitespace = true;
XmlReaderSettings xrSettings = new XmlReaderSettings();
xrSettings.DtdProcessing = DtdProcessing.Ignore;
using (XmlReader xr = XmlReader.Create(path, xrSettings))
{
doc.Load(xr);
}
SignedCmiManifest2 manifest = new SignedCmiManifest2(doc, useSha256);
RSACryptoServiceProvider csp;
if (useSha256)
{
csp = SignedCmiManifest2.GetFixedRSACryptoServiceProvider(cert.PrivateKey as RSACryptoServiceProvider, useSha256);
}
else
{
csp = cert.PrivateKey as RSACryptoServiceProvider;
}
CmiManifestSigner2 signer = new CmiManifestSigner2(csp, cert, useSha256);
if (timestampUrl == null)
manifest.Sign(signer);
else
manifest.Sign(signer, timestampUrl.ToString());
doc.Save(path);
}
catch (Exception ex)
{
int exceptionHR = System.Runtime.InteropServices.Marshal.GetHRForException(ex);
if (exceptionHR == -2147012889 || exceptionHR == -2147012867)
{
throw new ApplicationException(resources.GetString("SecurityUtil.TimestampUrlNotFound"), ex);
}
throw new ApplicationException(ex.Message, ex);
}
}
}
