public static ManifestSignatureInformationCollection VerifySignature(ActivationContext application, ManifestKinds manifests, X509RevocationFlag revocationFlag, X509RevocationMode revocationMode)
{
if (application == null)
{
throw new ArgumentNullException("application");
}
if ((revocationFlag < X509RevocationFlag.EndCertificateOnly) || (X509RevocationFlag.ExcludeRoot < revocationFlag))
{
throw new ArgumentOutOfRangeException("revocationFlag");
}
if ((revocationMode < X509RevocationMode.NoCheck) || (X509RevocationMode.Offline < revocationMode))
{
throw new ArgumentOutOfRangeException("revocationMode");
}
List <ManifestSignatureInformation> signatureInformation = new List <ManifestSignatureInformation>();
if ((manifests & ManifestKinds.Deployment) == ManifestKinds.Deployment)
{
ManifestSignedXml xml = new ManifestSignedXml(GetManifestXml(application, ManifestKinds.Deployment), ManifestKinds.Deployment);
signatureInformation.Add(xml.VerifySignature(revocationFlag, revocationMode));
}
if ((manifests & ManifestKinds.Application) == ManifestKinds.Application)
{
ManifestSignedXml xml2 = new ManifestSignedXml(GetManifestXml(application, ManifestKinds.Application), ManifestKinds.Application);
signatureInformation.Add(xml2.VerifySignature(revocationFlag, revocationMode));
}
return(new ManifestSignatureInformationCollection(signatureInformation));
}
public static ManifestSignatureInformationCollection VerifySignature(ActivationContext application,
ManifestKinds manifests,
X509RevocationFlag revocationFlag,
X509RevocationMode revocationMode)
{
if (application == null)
{
throw new ArgumentNullException("application");
}
if (revocationFlag < X509RevocationFlag.EndCertificateOnly || X509RevocationFlag.ExcludeRoot < revocationFlag)
{
throw new ArgumentOutOfRangeException("revocationFlag");
}
if (revocationMode < X509RevocationMode.NoCheck || X509RevocationMode.Offline < revocationMode)
{
throw new ArgumentOutOfRangeException("revocationMode");
}
List <ManifestSignatureInformation> signatures = new List <ManifestSignatureInformation>();
if ((manifests & ManifestKinds.Deployment) == ManifestKinds.Deployment)
{
XmlDocument deploymentManifest = GetManifestXml(application, ManifestKinds.Deployment);
ManifestSignedXml deploymentSignature = new ManifestSignedXml(deploymentManifest,
ManifestKinds.Deployment);
signatures.Add(deploymentSignature.VerifySignature(revocationFlag, revocationMode));
}
if ((manifests & ManifestKinds.Application) == ManifestKinds.Application)
{
XmlDocument applicationManifest = GetManifestXml(application, ManifestKinds.Application);
ManifestSignedXml applicationSignature = new ManifestSignedXml(applicationManifest,
ManifestKinds.Application);
signatures.Add(applicationSignature.VerifySignature(revocationFlag, revocationMode));
}
return(new ManifestSignatureInformationCollection(signatures));
}
private static void AuthenticodeSignLicenseDom(XmlDocument licenseDom, CmiManifestSigner signer, string timeStampUrl)
{
// Make sure it is RSA, as this is the only one Fusion will support.
if (signer.Certificate.PublicKey.Key.GetType() != typeof(RSACryptoServiceProvider))
{
throw new NotSupportedException();
}
// Setup up XMLDSIG engine.
ManifestSignedXml signedXml = new ManifestSignedXml(licenseDom);
signedXml.SigningKey = signer.Certificate.PrivateKey;
signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
// Add the key information.
signedXml.KeyInfo.AddClause(new RSAKeyValue(signer.Certificate.PublicKey.Key as RSA));
signedXml.KeyInfo.AddClause(new KeyInfoX509Data(signer.Certificate, signer.IncludeOption));
// Add the enveloped reference.
Reference reference = new Reference();
reference.Uri = "";
// Add an enveloped and an Exc-C14N transform.
reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
reference.AddTransform(new XmlDsigExcC14NTransform());
// Add the reference.
signedXml.AddReference(reference);
// Compute the signature.
signedXml.ComputeSignature();
// Get the XML representation
XmlElement xmlDigitalSignature = signedXml.GetXml();
xmlDigitalSignature.SetAttribute("Id", "AuthenticodeSignature");
// Insert the signature node under the issuer element.
XmlNamespaceManager nsm = new XmlNamespaceManager(licenseDom.NameTable);
nsm.AddNamespace("r", LicenseNamespaceUri);
XmlElement issuerNode = licenseDom.SelectSingleNode("r:license/r:issuer", nsm) as XmlElement;
issuerNode.AppendChild(licenseDom.ImportNode(xmlDigitalSignature, true));
// Time stamp it if requested.
if (timeStampUrl != null && timeStampUrl.Length != 0)
{
TimestampSignedLicenseDom(licenseDom, timeStampUrl);
}
// Wrap it inside a RelData element.
licenseDom.DocumentElement.ParentNode.InnerXml = "<msrel:RelData xmlns:msrel=\"" +
MSRelNamespaceUri + "\">" +
licenseDom.OuterXml + "</msrel:RelData>";
}
// throw cryptographic exception for any verification errors.
internal void Verify(CmiManifestVerifyFlags verifyFlags)
{
// Reset signer infos.
_strongNameSignerInfo = null;
_authenticodeSignerInfo = null;
XmlNamespaceManager nsm = new XmlNamespaceManager(_manifestDom.NameTable);
nsm.AddNamespace("ds", SignedXml.XmlDsigNamespaceUrl);
XmlElement signatureNode = _manifestDom.SelectSingleNode("//ds:Signature", nsm) as XmlElement;
if (signatureNode == null)
{
throw new CryptographicException(Win32.TRUST_E_NOSIGNATURE);
}
// Make sure it is indeed SN signature, and it is an enveloped signature.
string snIdName = "Id";
if (!signatureNode.HasAttribute(snIdName))
{
snIdName = "id";
if (!signatureNode.HasAttribute(snIdName))
{
snIdName = "ID";
if (!signatureNode.HasAttribute(snIdName))
{
throw new CryptographicException(Win32.TRUST_E_SUBJECT_FORM_UNKNOWN);
}
}
}
string snIdValue = signatureNode.GetAttribute(snIdName);
if (snIdValue == null ||
String.Compare(snIdValue, "StrongNameSignature", StringComparison.Ordinal) != 0)
{
throw new CryptographicException(Win32.TRUST_E_SUBJECT_FORM_UNKNOWN);
}
// Make sure it is indeed an enveloped signature.
bool oldFormat = false;
bool validFormat = false;
XmlNodeList referenceNodes = signatureNode.SelectNodes("ds:SignedInfo/ds:Reference", nsm);
foreach (XmlNode referenceNode in referenceNodes)
{
XmlElement reference = referenceNode as XmlElement;
if (reference != null && reference.HasAttribute("URI"))
{
string uriValue = reference.GetAttribute("URI");
if (uriValue != null)
{
// We expect URI="" (empty URI value which means to hash the entire document).
if (uriValue.Length == 0)
{
XmlNode transformsNode = reference.SelectSingleNode("ds:Transforms", nsm);
if (transformsNode == null)
{
throw new CryptographicException(Win32.TRUST_E_SUBJECT_FORM_UNKNOWN);
}
// Make sure the transforms are what we expected.
XmlNodeList transforms = transformsNode.SelectNodes("ds:Transform", nsm);
if (transforms.Count < 2)
{
// We expect at least:
// <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
// <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
throw new CryptographicException(Win32.TRUST_E_SUBJECT_FORM_UNKNOWN);
}
bool c14 = false;
bool enveloped = false;
for (int i = 0; i < transforms.Count; i++)
{
XmlElement transform = transforms[i] as XmlElement;
string algorithm = transform.GetAttribute("Algorithm");
if (algorithm == null)
{
break;
}
else if (String.Compare(algorithm, SignedXml.XmlDsigExcC14NTransformUrl, StringComparison.Ordinal) != 0)
{
c14 = true;
if (enveloped)
{
validFormat = true;
break;
}
}
else if (String.Compare(algorithm, SignedXml.XmlDsigEnvelopedSignatureTransformUrl, StringComparison.Ordinal) != 0)
{
enveloped = true;
if (c14)
{
validFormat = true;
break;
}
}
}
}
else if (String.Compare(uriValue, "#StrongNameKeyInfo", StringComparison.Ordinal) == 0)
{
oldFormat = true;
XmlNode transformsNode = referenceNode.SelectSingleNode("ds:Transforms", nsm);
if (transformsNode == null)
{
throw new CryptographicException(Win32.TRUST_E_SUBJECT_FORM_UNKNOWN);
}
// Make sure the transforms are what we expected.
XmlNodeList transforms = transformsNode.SelectNodes("ds:Transform", nsm);
if (transforms.Count < 1)
{
// We expect at least:
// <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
throw new CryptographicException(Win32.TRUST_E_SUBJECT_FORM_UNKNOWN);
}
for (int i = 0; i < transforms.Count; i++)
{
XmlElement transform = transforms[i] as XmlElement;
string algorithm = transform.GetAttribute("Algorithm");
if (algorithm == null)
{
break;
}
else if (String.Compare(algorithm, SignedXml.XmlDsigExcC14NTransformUrl, StringComparison.Ordinal) != 0)
{
validFormat = true;
break;
}
}
}
}
}
}
if (!validFormat)
{
throw new CryptographicException(Win32.TRUST_E_SUBJECT_FORM_UNKNOWN);
}
// It is the DSig we want, now make sure the public key matches the token.
string publicKeyToken = VerifyPublicKeyToken();
// OK. We found the SN signature with matching public key token, so
// instantiate the SN signer info property.
_strongNameSignerInfo = new CmiStrongNameSignerInfo(Win32.TRUST_E_FAIL, publicKeyToken);
// Now verify the SN signature, and Authenticode license if available.
ManifestSignedXml signedXml = new ManifestSignedXml(_manifestDom, true);
signedXml.LoadXml(signatureNode);
AsymmetricAlgorithm key = null;
bool dsigValid = signedXml.CheckSignatureReturningKey(out key);
_strongNameSignerInfo.PublicKey = key;
if (!dsigValid)
{
_strongNameSignerInfo.ErrorCode = Win32.TRUST_E_BAD_DIGEST;
throw new CryptographicException(Win32.TRUST_E_BAD_DIGEST);
}
// Verify license as well if requested.
if ((verifyFlags & CmiManifestVerifyFlags.StrongNameOnly) != CmiManifestVerifyFlags.StrongNameOnly)
{
VerifyLicense(verifyFlags, oldFormat);
}
}
private static void StrongNameSignManifestDom(XmlDocument manifestDom, XmlDocument licenseDom, CmiManifestSigner signer)
{
RSA snKey = signer.StrongNameKey as RSA;
// Make sure it is RSA, as this is the only one Fusion will support.
if (snKey == null)
{
throw new NotSupportedException();
}
// Setup namespace manager.
XmlNamespaceManager nsm = new XmlNamespaceManager(manifestDom.NameTable);
nsm.AddNamespace("asm", AssemblyNamespaceUri);
// Get to root element.
XmlElement signatureParent = manifestDom.SelectSingleNode("asm:assembly", nsm) as XmlElement;
if (signatureParent == null)
{
throw new CryptographicException(Win32.TRUST_E_SUBJECT_FORM_UNKNOWN);
}
// Setup up XMLDSIG engine.
ManifestSignedXml signedXml = new ManifestSignedXml(signatureParent);
signedXml.SigningKey = signer.StrongNameKey;
signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
// Add the key information.
signedXml.KeyInfo.AddClause(new RSAKeyValue(snKey));
if (licenseDom != null)
{
signedXml.KeyInfo.AddClause(new KeyInfoNode(licenseDom.DocumentElement));
}
signedXml.KeyInfo.Id = "StrongNameKeyInfo";
// Add the enveloped reference.
Reference enveloped = new Reference();
enveloped.Uri = "";
// Add an enveloped then Exc-C14N transform.
enveloped.AddTransform(new XmlDsigEnvelopedSignatureTransform());
enveloped.AddTransform(new XmlDsigExcC14NTransform());
signedXml.AddReference(enveloped);
#if (false) // DSIE: New format does not sign KeyInfo.
// Add the key info reference.
Reference strongNameKeyInfo = new Reference();
strongNameKeyInfo.Uri = "#StrongNameKeyInfo";
strongNameKeyInfo.AddTransform(new XmlDsigExcC14NTransform());
signedXml.AddReference(strongNameKeyInfo);
#endif
// Compute the signature.
signedXml.ComputeSignature();
// Get the XML representation
XmlElement xmlDigitalSignature = signedXml.GetXml();
xmlDigitalSignature.SetAttribute("Id", "StrongNameSignature");
// Insert the signature now.
signatureParent.AppendChild(xmlDigitalSignature);
}
