internal AuthenticodeSignatureInformation(X509Native.AXL_AUTHENTICODE_SIGNER_INFO signer, X509Chain signatureChain, TimestampInformation timestamp)
 {
     this.m_verificationResult = (SignatureVerificationResult)signer.dwError;
     this.m_hashAlgorithmId    = signer.algHash;
     if (signer.pwszDescription != IntPtr.Zero)
     {
         this.m_description = Marshal.PtrToStringUni(signer.pwszDescription);
     }
     if (signer.pwszDescriptionUrl != IntPtr.Zero)
     {
         Uri.TryCreate(Marshal.PtrToStringUni(signer.pwszDescriptionUrl), UriKind.RelativeOrAbsolute, out this.m_descriptionUrl);
     }
     this.m_signatureChain = signatureChain;
     if ((timestamp != null) && (timestamp.VerificationResult != SignatureVerificationResult.MissingSignature))
     {
         if (timestamp.IsValid)
         {
             this.m_timestamp = timestamp;
         }
         else
         {
             this.m_verificationResult = SignatureVerificationResult.InvalidTimestamp;
         }
     }
     else
     {
         this.m_timestamp = null;
     }
 }
        internal AuthenticodeSignatureInformation(X509Native.AXL_AUTHENTICODE_SIGNER_INFO signer,
                                                  X509Chain signatureChain,
                                                  TimestampInformation timestamp)
        {
            m_verificationResult = (SignatureVerificationResult)signer.dwError;
            m_hashAlgorithmId    = signer.algHash;

            if (signer.pwszDescription != IntPtr.Zero)
            {
                m_description = Marshal.PtrToStringUni(signer.pwszDescription);
            }
            if (signer.pwszDescriptionUrl != IntPtr.Zero)
            {
                string descriptionUrl = Marshal.PtrToStringUni(signer.pwszDescriptionUrl);
                Uri.TryCreate(descriptionUrl, UriKind.RelativeOrAbsolute, out m_descriptionUrl);
            }

            m_signatureChain = signatureChain;

            // If there was a timestamp, and it was not valid we need to invalidate the entire Authenticode
            // signature as well, since we cannot assume that the signature would have verified without
            // the timestamp.
            if (timestamp != null && timestamp.VerificationResult != SignatureVerificationResult.MissingSignature)
            {
                if (timestamp.IsValid)
                {
                    m_timestamp = timestamp;
                }
                else
                {
                    m_verificationResult = SignatureVerificationResult.InvalidTimestamp;
                }
            }
            else
            {
                m_timestamp = null;
            }
        }
Example #3
0
 public static extern int CertVerifyAuthenticodeLicense(ref CapiNative.CRYPTOAPI_BLOB pLicenseBlob, X509Native.AxlVerificationFlags dwFlags, [In, Out] ref X509Native.AXL_AUTHENTICODE_SIGNER_INFO pSignerInfo, [In, Out] ref X509Native.AXL_AUTHENTICODE_TIMESTAMPER_INFO pTimestamperInfo);
Example #4
0
 public static extern int CertFreeAuthenticodeSignerInfo(ref X509Native.AXL_AUTHENTICODE_SIGNER_INFO pSignerInfo);
        private AuthenticodeSignatureInformation VerifyAuthenticodeSignature(XmlElement signatureNode,
                                                                             X509RevocationFlag revocationFlag,
                                                                             X509RevocationMode revocationMode) {
            Debug.Assert(signatureNode != null, "signatureNode != null");

            // See if there is an Authenticode signature on the manifest
            XmlElement licenseNode = signatureNode.SelectSingleNode("ds:KeyInfo/msrel:RelData/r:license",
                                                                     m_namespaceManager) as XmlElement;
            if (licenseNode == null) {
                return null;
            }

            // Make sure that the signature is for this manifest
            SignatureVerificationResult identityVerification = VerifyAuthenticodeSignatureIdentity(licenseNode);
            if (identityVerification != SignatureVerificationResult.Valid) {
                return new AuthenticodeSignatureInformation(identityVerification);
            }

            SignatureVerificationResult hashVerification = VerifyAuthenticodeExpectedHash(licenseNode);
            if (hashVerification != SignatureVerificationResult.Valid) {
                return new AuthenticodeSignatureInformation(hashVerification);
            }

            // Verify the signature, extracting information about it
            AuthenticodeSignatureInformation authenticodeSignature = null;

            X509Native.AXL_AUTHENTICODE_SIGNER_INFO signer = new X509Native.AXL_AUTHENTICODE_SIGNER_INFO();
            signer.cbSize = Marshal.SizeOf(typeof(X509Native.AXL_AUTHENTICODE_SIGNER_INFO));

            X509Native.AXL_AUTHENTICODE_TIMESTAMPER_INFO timestamper = new X509Native.AXL_AUTHENTICODE_TIMESTAMPER_INFO();
            timestamper.cbsize = Marshal.SizeOf(typeof(X509Native.AXL_AUTHENTICODE_TIMESTAMPER_INFO));

            RuntimeHelpers.PrepareConstrainedRegions();
            try {
                byte[] licenseXml = Encoding.UTF8.GetBytes(licenseNode.OuterXml);
                X509Native.AxlVerificationFlags verificationFlags = MapRevocationFlags(revocationFlag,
                                                                                       revocationMode);

                unsafe {
                    fixed (byte* pLicenseXml = licenseXml) {
                        // Safe since we're verifying the size of this buffer is correct
                        CapiNative.CRYPTOAPI_BLOB xmlBlob = new CapiNative.CRYPTOAPI_BLOB();
                        xmlBlob.cbData = licenseXml.Length;
                        xmlBlob.pbData = new IntPtr(pLicenseXml);

                        int hrVerify = X509Native.UnsafeNativeMethods.CertVerifyAuthenticodeLicense(ref xmlBlob,
                                                                                                    verificationFlags,
                                                                                                    ref signer,
                                                                                                    ref timestamper);

                        if (hrVerify == (int)SignatureVerificationResult.MissingSignature) {
                            return new AuthenticodeSignatureInformation(SignatureVerificationResult.MissingSignature);
                        }
                    }
                }

                X509Chain signatureChain = BuildSignatureChain(signer,
                                                               licenseNode,
                                                               revocationFlag,
                                                               revocationMode);

                TimestampInformation timestamp = GetTimestampInformation(timestamper,
                                                                         licenseNode);

                authenticodeSignature = new AuthenticodeSignatureInformation(signer,
                                                                             signatureChain,
                                                                             timestamp);
            }
            finally {
                X509Native.UnsafeNativeMethods.CertFreeAuthenticodeSignerInfo(ref signer);
                X509Native.UnsafeNativeMethods.CertFreeAuthenticodeTimestamperInfo(ref timestamper);
            }

            // Verify the signing certificate matches the expected publisher
            Debug.Assert(authenticodeSignature != null, "authenticodeSignature != null");
            if (authenticodeSignature.SigningCertificate == null) {
                return new AuthenticodeSignatureInformation(authenticodeSignature.VerificationResult);
            }

            SignatureVerificationResult publisherMatch = VerifyAuthenticodePublisher(authenticodeSignature.SigningCertificate);
            if (publisherMatch != SignatureVerificationResult.Valid) {
                return new AuthenticodeSignatureInformation(publisherMatch);
            }

            return authenticodeSignature;
        }
 private unsafe AuthenticodeSignatureInformation VerifyAuthenticodeSignature(XmlElement signatureNode, X509RevocationFlag revocationFlag, X509RevocationMode revocationMode)
 {
     XmlElement licenseNode = signatureNode.SelectSingleNode("ds:KeyInfo/msrel:RelData/r:license", this.m_namespaceManager) as XmlElement;
     if (licenseNode == null)
     {
         return null;
     }
     SignatureVerificationResult error = this.VerifyAuthenticodeSignatureIdentity(licenseNode);
     if (error != SignatureVerificationResult.Valid)
     {
         return new AuthenticodeSignatureInformation(error);
     }
     SignatureVerificationResult result2 = this.VerifyAuthenticodeExpectedHash(licenseNode);
     if (result2 != SignatureVerificationResult.Valid)
     {
         return new AuthenticodeSignatureInformation(result2);
     }
     AuthenticodeSignatureInformation information = null;
     X509Native.AXL_AUTHENTICODE_SIGNER_INFO pSignerInfo = new X509Native.AXL_AUTHENTICODE_SIGNER_INFO {
         cbSize = Marshal.SizeOf(typeof(X509Native.AXL_AUTHENTICODE_SIGNER_INFO))
     };
     X509Native.AXL_AUTHENTICODE_TIMESTAMPER_INFO pTimestamperInfo = new X509Native.AXL_AUTHENTICODE_TIMESTAMPER_INFO {
         cbsize = Marshal.SizeOf(typeof(X509Native.AXL_AUTHENTICODE_TIMESTAMPER_INFO))
     };
     RuntimeHelpers.PrepareConstrainedRegions();
     try
     {
         byte[] bytes = Encoding.UTF8.GetBytes(licenseNode.OuterXml);
         X509Native.AxlVerificationFlags dwFlags = MapRevocationFlags(revocationFlag, revocationMode);
         try
         {
             fixed (byte* numRef = bytes)
             {
                 CapiNative.CRYPTOAPI_BLOB pLicenseBlob = new CapiNative.CRYPTOAPI_BLOB {
                     cbData = bytes.Length,
                     pbData = new IntPtr((void*) numRef)
                 };
                 if (X509Native.UnsafeNativeMethods.CertVerifyAuthenticodeLicense(ref pLicenseBlob, dwFlags, ref pSignerInfo, ref pTimestamperInfo) == -2146762496)
                 {
                     return new AuthenticodeSignatureInformation(SignatureVerificationResult.MissingSignature);
                 }
             }
         }
         finally
         {
             numRef = null;
         }
         X509Chain signatureChain = this.BuildSignatureChain(pSignerInfo, licenseNode, revocationFlag, revocationMode);
         TimestampInformation timestampInformation = this.GetTimestampInformation(pTimestamperInfo, licenseNode);
         information = new AuthenticodeSignatureInformation(pSignerInfo, signatureChain, timestampInformation);
     }
     finally
     {
         X509Native.UnsafeNativeMethods.CertFreeAuthenticodeSignerInfo(ref pSignerInfo);
         X509Native.UnsafeNativeMethods.CertFreeAuthenticodeTimestamperInfo(ref pTimestamperInfo);
     }
     if (information.SigningCertificate == null)
     {
         return new AuthenticodeSignatureInformation(information.VerificationResult);
     }
     SignatureVerificationResult result3 = this.VerifyAuthenticodePublisher(information.SigningCertificate);
     if (result3 != SignatureVerificationResult.Valid)
     {
         return new AuthenticodeSignatureInformation(result3);
     }
     return information;
 }