/// <summary>
/// Resolves the RSA private key behind <paramref name="certificate"/>, refusing certificates
/// that carry no private key, whose key cannot be opened, or whose key is not RSA.
/// </summary>
/// <param name="certificate">Certificate whose private key is required; asserted to be non-null.</param>
/// <returns>The RSA private key. It is not disposed here.</returns>
/// <exception cref="ArgumentException">
/// The certificate has no private key (ID1001), opening the key threw a
/// <see cref="CryptographicException"/> (ID1039), or the key is not RSA (ID1002).
/// </exception>
internal static RSA EnsureAndGetPrivateRSAKey(X509Certificate2 certificate)
{
    Fx.Assert(certificate != null, "certificate != null");

    // A certificate without a private key cannot sign anything; fail early.
    if (!certificate.HasPrivateKey)
    {
#pragma warning suppress 56526 // no validation necessary for value.Thumbprint
        throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
            new ArgumentException(SR.GetString(SR.ID1001, certificate.Thumbprint)));
    }

    // Check that the private key is actually accessible. The legacy path reads
    // certificate.PrivateKey directly; otherwise the CNG-aware helper is used.
    RSA privateKey;
    try
    {
        privateKey = LocalAppContextSwitches.DisableCngCertificates
            ? certificate.PrivateKey as RSA
            : CngLightup.GetRSAPrivateKey(certificate);
    }
    catch (CryptographicException e)
    {
        throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
            new ArgumentException(SR.GetString(SR.ID1039, certificate.Thumbprint), e));
    }

    // A key that exists but is not RSA comes back as null from both paths above.
    if (privateKey == null)
    {
#pragma warning suppress 56526 // no validation necessary for value.Thumbprint
        throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
            new ArgumentException(SR.GetString(SR.ID1002, certificate.Thumbprint)));
    }

    return privateKey;
}
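/// <summary>
/// Signs the file at <paramref name="path"/> with <paramref name="cert"/>. PE files are handed to
/// <c>SignPEFile</c> (which requires the certificate to be in a store); any other file is loaded as an
/// XML manifest, signed through <c>SignedCmiManifest2</c> and saved back in place.
/// </summary>
/// <param name="cert">Signing certificate; the manifest path requires it to carry an RSA private key.</param>
/// <param name="timestampUrl">Timestamp server URL, or <c>null</c> to skip timestamping.</param>
/// <param name="path">File to sign; must exist.</param>
/// <param name="targetFrameworkSupportsSha256">When <c>false</c>, SHA-256 is not used even if the certificate supports it.</param>
/// <param name="resources">Resource manager supplying the localized error messages.</param>
/// <exception cref="ArgumentNullException"><paramref name="cert"/> is null, or <paramref name="path"/> is null or empty.</exception>
/// <exception cref="FileNotFoundException"><paramref name="path"/> does not exist.</exception>
/// <exception cref="InvalidOperationException">A PE file is being signed but <paramref name="cert"/> is not in a certificate store.</exception>
/// <exception cref="ApplicationException">
/// The certificate has no RSA private key, or manifest signing/timestamping failed; the original
/// exception is attached as the inner exception.
/// </exception>
private static void SignFileInternal(X509Certificate2 cert, Uri timestampUrl, string path, bool targetFrameworkSupportsSha256, System.Resources.ResourceManager resources)
{
    // HRESULTs surfaced when the timestamp server cannot be reached:
    // ERROR_INTERNET_NAME_NOT_RESOLVED (0x80072EE7) and ERROR_INTERNET_CANNOT_CONNECT (0x80072EFD).
    const int HResultInternetNameNotResolved = unchecked((int)0x80072EE7);
    const int HResultInternetCannotConnect = unchecked((int)0x80072EFD);

    if (cert == null)
    {
        throw new ArgumentNullException(nameof(cert));
    }

    if (String.IsNullOrEmpty(path))
    {
        throw new ArgumentNullException(nameof(path));
    }

    if (!FileSystems.Default.FileExists(path))
    {
        throw new FileNotFoundException(
            String.Format(CultureInfo.InvariantCulture, resources.GetString("SecurityUtil.SignTargetNotFound"), path),
            path);
    }

    // SHA-256 needs both a capable certificate and a target framework that accepts it.
    bool useSha256 = UseSha256Algorithm(cert) && targetFrameworkSupportsSha256;

    if (PathUtil.IsPEFile(path))
    {
        // Authenticode signing of a PE is done via the certificate store, so the cert must be installed.
        if (!IsCertInStore(cert))
        {
            throw new InvalidOperationException(resources.GetString("SignFile.CertNotInStore"));
        }

        SignPEFile(cert, timestampUrl, path, resources, useSha256);
        return;
    }

    using (RSA rsa = CngLightup.GetRSAPrivateKey(cert))
    {
        if (rsa == null)
        {
            throw new ApplicationException(resources.GetString("SecurityUtil.OnlyRSACertsAreAllowed"));
        }

        try
        {
            var doc = new XmlDocument { PreserveWhitespace = true };

            // DTDs are ignored while loading, so a manifest cannot pull in external entities.
            var xrSettings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Ignore };
            using (XmlReader xr = XmlReader.Create(path, xrSettings))
            {
                doc.Load(xr);
            }

            var manifest = new SignedCmiManifest2(doc, useSha256);

            // A CSP-backed key may need its provider type fixed up before it can sign with SHA-256;
            // every other RSA implementation is used as-is.
            var csp = rsa as RSACryptoServiceProvider;
            CmiManifestSigner2 signer;
            if (useSha256 && csp != null)
            {
                RSACryptoServiceProvider fixedCsp = SignedCmiManifest2.GetFixedRSACryptoServiceProvider(csp, useSha256);
                signer = new CmiManifestSigner2(fixedCsp, cert, useSha256);
            }
            else
            {
                signer = new CmiManifestSigner2(rsa, cert, useSha256);
            }

            if (timestampUrl == null)
            {
                manifest.Sign(signer);
            }
            else
            {
                manifest.Sign(signer, timestampUrl.ToString());
            }

            doc.Save(path);
        }
        catch (Exception ex)
        {
            // Everything is surfaced to the caller as ApplicationException: an unreachable timestamp
            // server gets a dedicated message, anything else keeps the original text and inner exception.
            int exceptionHR = Marshal.GetHRForException(ex);
            if (exceptionHR == HResultInternetNameNotResolved || exceptionHR == HResultInternetCannotConnect)
            {
                throw new ApplicationException(resources.GetString("SecurityUtil.TimestampUrlNotFound"), ex);
            }

            throw new ApplicationException(ex.Message, ex);
        }
    }
}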
/// <summary>
/// Extension-method form of <c>CngLightup.GetRSAPrivateKey</c>: returns the RSA private key of
/// <paramref name="certificate"/>, or whatever the wrapped call returns when there is none.
/// </summary>
/// <param name="certificate">Certificate whose RSA private key is requested.</param>
/// <returns>The result of <c>CngLightup.GetRSAPrivateKey(certificate)</c>, unchanged.</returns>
public static RSA GetRSAPrivateKey(this X509Certificate2 certificate) => CngLightup.GetRSAPrivateKey(certificate);
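/// <summary>
/// Adds an Authenticode XMLDSIG signature to a license document: signs it with the signer's RSA key,
/// inserts the signature under <c>r:license/r:issuer</c>, optionally timestamps it, and finally wraps
/// the whole document in an <c>msrel:RelData</c> element.
/// </summary>
/// <param name="licenseDom">License document to sign; modified in place.</param>
/// <param name="signer">Supplies the certificate, the key-info include option and the SHA-256 flag used for the digest and signature methods.</param>
/// <param name="timeStampUrl">Timestamp server URL; <c>null</c> or empty skips timestamping.</param>
/// <param name="useSha256">Whether a CSP-backed key should have its provider type fixed up for SHA-256.</param>
/// <exception cref="NotSupportedException">The signer's certificate has no RSA private key.</exception>
/// <exception cref="InvalidOperationException">The document has no <c>r:license/r:issuer</c> element to hold the signature.</exception>
private static void AuthenticodeSignLicenseDom(XmlDocument licenseDom, CmiManifestSigner2 signer, string timeStampUrl, bool useSha256)
{
    // Make sure it is RSA, as this is the only one Fusion will support.
    RSA rsaPrivateKey = CngLightup.GetRSAPrivateKey(signer.Certificate);
    if (rsaPrivateKey == null)
    {
        throw new NotSupportedException();
    }

    // Only an RSACryptoServiceProvider needs its provider type changed; other RSA implementations are used as-is.
    // NOTE(review): rsaPrivateKey is never disposed here — confirm whether CngLightup hands out a fresh instance.
    var csp = rsaPrivateKey as RSACryptoServiceProvider;
    RSA signingKey = csp != null ? GetFixedRSACryptoServiceProvider(csp, useSha256) : rsaPrivateKey;

    // Set up the XMLDSIG engine.
    ManifestSignedXml2 signedXml = new ManifestSignedXml2(licenseDom);
    signedXml.SigningKey = signingKey;
    signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
    // NOTE(review): signature/digest methods follow signer.UseSha256 while the key fix-up follows the
    // useSha256 parameter — confirm the two always agree.
    signedXml.SignedInfo.SignatureMethod = signer.UseSha256 ? Sha256SignatureMethodUri : Sha1SignatureMethodUri;

    // Key information: the RSA public key plus the certificate data selected by signer.IncludeOption.
    signedXml.KeyInfo.AddClause(new RSAKeyValue(signingKey));
    signedXml.KeyInfo.AddClause(new KeyInfoX509Data(signer.Certificate, signer.IncludeOption));

    // Enveloped reference over the whole document, with enveloped-signature and Exc-C14N transforms.
    Reference reference = new Reference { Uri = "" };
    reference.DigestMethod = signer.UseSha256 ? Sha256DigestMethod : Sha1DigestMethod;
    reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
#if (false) // BUGBUG: LTA transform complaining about issuer node not found.
    reference.AddTransform(new XmlLicenseTransform());
#endif
    reference.AddTransform(new XmlDsigExcC14NTransform());
    signedXml.AddReference(reference);

    // Compute the signature and take its XML representation.
    signedXml.ComputeSignature();
    XmlElement xmlDigitalSignature = signedXml.GetXml();
    xmlDigitalSignature.SetAttribute("Id", "AuthenticodeSignature");

    // Insert the signature node under the issuer element. A document without one cannot be signed,
    // so report that instead of dereferencing null.
    XmlNamespaceManager nsm = new XmlNamespaceManager(licenseDom.NameTable);
    nsm.AddNamespace("r", LicenseNamespaceUri);
    XmlElement issuerNode = licenseDom.SelectSingleNode("r:license/r:issuer", nsm) as XmlElement;
    if (issuerNode == null)
    {
        throw new InvalidOperationException("The license document has no r:license/r:issuer element to hold the Authenticode signature.");
    }
    issuerNode.AppendChild(licenseDom.ImportNode(xmlDigitalSignature, true));

    // Time stamp it if requested.
    if (!string.IsNullOrEmpty(timeStampUrl))
    {
        TimestampSignedLicenseDom(licenseDom, timeStampUrl);
    }

    // Wrap it inside a RelData element. Only a constant namespace and the document's own serialized
    // XML go into this string, so concatenation cannot inject anything foreign here.
    licenseDom.DocumentElement.ParentNode.InnerXml =
        "<msrel:RelData xmlns:msrel=\"" + MSRelNamespaceUri + "\">" + licenseDom.OuterXml + "</msrel:RelData>";
}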