Exemple #1
        /// <summary>
        /// Signs the license document with the signer's certificate key as an enveloped XMLDSIG
        /// signature (Id "AuthenticodeSignature"), appends that signature under r:license/r:issuer,
        /// optionally timestamps it, and finally wraps the whole license in an msrel:RelData element.
        /// </summary>
        /// <param name="licenseDom">License document to sign; modified in place.</param>
        /// <param name="signer">Supplies the certificate (public and private key) and the X509 include option.</param>
        /// <param name="timeStampUrl">Timestamp URL; null or empty skips the timestamping step.</param>
        /// <exception cref="NotSupportedException">The certificate's public key is not an RSACryptoServiceProvider.</exception>
        private static void AuthenticodeSignLicenseDom(XmlDocument licenseDom, CmiManifestSigner signer, string timeStampUrl)
        {
            // Exact type comparison: any key object other than RSACryptoServiceProvider is rejected.
            AsymmetricAlgorithm publicKey = signer.Certificate.PublicKey.Key;
            if (publicKey.GetType() != typeof(RSACryptoServiceProvider))
            {
                throw new NotSupportedException();
            }

            // NOTE(review): neither SignedInfo.SignatureMethod nor the reference's DigestMethod is set
            // in this method, so the algorithms are whatever ManifestSignedXml / SignedXml default to.
            // Confirm those defaults match the current signing policy.
            ManifestSignedXml licenseSigner = new ManifestSignedXml(licenseDom);
            licenseSigner.SigningKey = signer.Certificate.PrivateKey;
            licenseSigner.SignedInfo.CanonicalizationMethod = "http://www.w3.org/2001/10/xml-exc-c14n#";

            // KeyInfo carries the raw RSA key and the X509 data. It sits inside the Signature element,
            // which the enveloped-signature transform leaves out of the digest, so a verifier has to
            // validate the certificate itself rather than rely on this embedded key material.
            licenseSigner.KeyInfo.AddClause(new RSAKeyValue(publicKey as RSA));
            licenseSigner.KeyInfo.AddClause(new KeyInfoX509Data((X509Certificate)signer.Certificate, signer.IncludeOption));

            // Single reference with an empty URI; transform order is enveloped-signature, then Exc-C14N.
            Reference wholeDocument = new Reference { Uri = "" };
            wholeDocument.AddTransform(new XmlDsigEnvelopedSignatureTransform());
            wholeDocument.AddTransform(new XmlDsigExcC14NTransform());
            licenseSigner.AddReference(wholeDocument);
            licenseSigner.ComputeSignature();

            XmlElement signatureElement = licenseSigner.GetXml();
            signatureElement.SetAttribute("Id", "AuthenticodeSignature");

            // The signature element is imported into the license document and appended under the issuer.
            XmlNamespaceManager namespaces = new XmlNamespaceManager(licenseDom.NameTable);
            namespaces.AddNamespace("r", "urn:mpeg:mpeg21:2003:01-REL-R-NS");
            XmlElement issuer = licenseDom.SelectSingleNode("r:license/r:issuer", namespaces) as XmlElement;
            issuer.AppendChild(licenseDom.ImportNode(signatureElement, true));

            // The URL is handed to TimestampSignedLicenseDom unchanged; nothing here validates it.
            if (!string.IsNullOrEmpty(timeStampUrl))
            {
                SignedCmiManifest.TimestampSignedLicenseDom(licenseDom, timeStampUrl);
            }

            // Re-parse the serialized license inside a RelData wrapper, replacing the old content.
            XmlNode container = licenseDom.DocumentElement.ParentNode;
            container.InnerXml = "<msrel:RelData xmlns:msrel=\"http://schemas.microsoft.com/windows/rel/2005/reldata\">" + licenseDom.OuterXml + "</msrel:RelData>";
        }
Exemple #2
        /// <summary>
        /// Builds the unsigned license document from a fixed template and fills in the manifest
        /// identity, the manifest hash, the signer's description fields and the certificate subject.
        /// </summary>
        /// <param name="signer">Supplies Description, DescriptionUrl and the certificate subject name.</param>
        /// <param name="principal">Element whose attributes are copied onto as:assemblyIdentity.</param>
        /// <param name="hash">Manifest hash; an empty array produces an empty Hash attribute.</param>
        /// <returns>The populated license document (whitespace preserved).</returns>
        private static XmlDocument CreateLicenseDom(CmiManifestSigner signer, XmlElement principal, byte[] hash)
        {
            XmlDocument license = new XmlDocument { PreserveWhitespace = true };
            license.LoadXml("<r:license xmlns:r=\"urn:mpeg:mpeg21:2003:01-REL-R-NS\" xmlns:as=\"http://schemas.microsoft.com/windows/pki/2005/Authenticode\"><r:grant><as:ManifestInformation><as:assemblyIdentity /></as:ManifestInformation><as:SignedBy/><as:AuthenticodePublisher><as:X509SubjectName>CN=dummy</as:X509SubjectName></as:AuthenticodePublisher></r:grant><r:issuer></r:issuer></r:license>");

            XmlNamespaceManager namespaces = new XmlNamespaceManager(license.NameTable);
            namespaces.AddNamespace("r", "urn:mpeg:mpeg21:2003:01-REL-R-NS");
            namespaces.AddNamespace("as", "http://schemas.microsoft.com/windows/pki/2005/Authenticode");

            // Replace the template's identity attributes with those of the manifest principal.
            XmlElement identity = license.SelectSingleNode("r:license/r:grant/as:ManifestInformation/as:assemblyIdentity", namespaces) as XmlElement;
            identity.RemoveAllAttributes();
            foreach (XmlAttribute source in principal.Attributes)
            {
                identity.SetAttribute(source.Name, source.Value);
            }

            // All signer-supplied text below is written through DOM setters (SetAttribute / InnerText),
            // i.e. as attribute or text values rather than as parsed markup.
            XmlElement manifestInfo = license.SelectSingleNode("r:license/r:grant/as:ManifestInformation", namespaces) as XmlElement;
            string hashText;
            if (hash.Length == 0)
            {
                hashText = "";
            }
            else
            {
                hashText = SignedCmiManifest.BytesToHexString(hash, 0, hash.Length);
            }
            manifestInfo.SetAttribute("Hash", hashText);
            manifestInfo.SetAttribute("Description", signer.Description ?? "");
            manifestInfo.SetAttribute("Url", signer.DescriptionUrl ?? "");

            // Overwrite the "CN=dummy" placeholder with the certificate's subject name.
            XmlElement subjectName = license.SelectSingleNode("r:license/r:grant/as:AuthenticodePublisher/as:X509SubjectName", namespaces) as XmlElement;
            subjectName.InnerText = signer.Certificate.SubjectName.Name;

            return license;
        }
Exemple #3
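        /// <summary>
        /// Signs the file at <paramref name="path"/>. PE files are passed to SignPEFile; any other
        /// file is loaded as an XML manifest, signed with the certificate's private key and saved
        /// back to the same path.
        /// </summary>
        /// <param name="cert">Signing certificate. PE signing requires it to be in the store (IsCertInStore); manifest signing requires an RSACryptoServiceProvider private key.</param>
        /// <param name="timestampUrl">Timestamp server URL, or null to sign without a timestamp.</param>
        /// <param name="path">File to sign; the manifest branch overwrites it.</param>
        /// <exception cref="ArgumentNullException"><paramref name="cert"/> is null, or <paramref name="path"/> is null or empty.</exception>
        /// <exception cref="FileNotFoundException">No file exists at <paramref name="path"/>.</exception>
        /// <exception cref="InvalidOperationException">A PE file is being signed and the certificate is not in the store.</exception>
        /// <exception cref="ApplicationException">The private key is missing or not RSA, or manifest signing failed.</exception>
        public static void SignFile(X509Certificate2 cert, Uri timestampUrl, string path)
        {
            // HRESULT_FROM_WIN32 forms of the WinINet errors ERROR_INTERNET_NAME_NOT_RESOLVED (12007)
            // and ERROR_INTERNET_CANNOT_CONNECT (12029); both are reported as "timestamp URL not found".
            const int NameNotResolvedHResult = -2147012889; // 0x80072EE7
            const int CannotConnectHResult = -2147012867;   // 0x80072EFD

            ResourceManager resources = new ResourceManager("Microsoft.Build.Tasks.Deployment.ManifestUtilities.Strings", typeof(SecurityUtilities).Module.Assembly);

            if (cert == null)
            {
                throw new ArgumentNullException("cert");
            }
            if (string.IsNullOrEmpty(path))
            {
                throw new ArgumentNullException("path");
            }
            if (!File.Exists(path))
            {
                throw new FileNotFoundException(string.Format(CultureInfo.InvariantCulture, resources.GetString("SecurityUtil.SignTargetNotFound"), new object[] { path }), path);
            }

            if (PathUtil.IsPEFile(path))
            {
                if (!IsCertInStore(cert))
                {
                    throw new InvalidOperationException(resources.GetString("SignFile.CertNotInStore"));
                }
                SignPEFile(cert, timestampUrl, path, resources);
                return;
            }

            // X509Certificate2.PrivateKey is null for a certificate without a private key. The 'is'
            // test rejects that case with the same controlled error as a non-RSA key instead of
            // failing with a NullReferenceException; RSACryptoServiceProvider is sealed, so for a
            // non-null key this is the same check as comparing the exact type.
            AsymmetricAlgorithm privateKey = cert.PrivateKey;
            if (!(privateKey is RSACryptoServiceProvider))
            {
                throw new ApplicationException(resources.GetString("SecurityUtil.OnlyRSACertsAreAllowed"));
            }

            try
            {
                // NOTE(review): Load(path) parses with XmlDocument's default DTD and resolver
                // settings, which depend on the framework version. If a manifest can originate
                // outside the build, load it through an XmlReader whose settings prohibit DTDs.
                XmlDocument manifestDom = new XmlDocument {
                    PreserveWhitespace = true
                };
                manifestDom.Load(path);
                System.Deployment.Internal.CodeSigning.SignedCmiManifest manifest = new System.Deployment.Internal.CodeSigning.SignedCmiManifest(manifestDom);
                System.Deployment.Internal.CodeSigning.CmiManifestSigner signer   = new System.Deployment.Internal.CodeSigning.CmiManifestSigner(privateKey, cert);
                if (timestampUrl == null)
                {
                    manifest.Sign(signer);
                }
                else
                {
                    manifest.Sign(signer, timestampUrl.ToString());
                }
                // The signed manifest replaces the original file.
                manifestDom.Save(path);
            }
            catch (Exception exception)
            {
                // Every failure is surfaced as ApplicationException with the original as InnerException;
                // only the two connectivity HRESULTs get the dedicated timestamp message.
                int hRForException = Marshal.GetHRForException(exception);
                if ((hRForException == NameNotResolvedHResult) || (hRForException == CannotConnectHResult))
                {
                    throw new ApplicationException(resources.GetString("SecurityUtil.TimestampUrlNotFound"), exception);
                }
                throw new ApplicationException(exception.Message, exception);
            }
        }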
Exemple #4
        /// <summary>
        /// Signs the manifest held by this instance: removes any existing signature, optionally
        /// replaces the public key token, Authenticode-signs a license when the signer has a
        /// certificate, and finally strong-name signs the manifest.
        /// </summary>
        /// <param name="signer">Signer with a non-null StrongNameKey; its Certificate may be null.</param>
        /// <param name="timeStampUrl">Forwarded to the Authenticode step; only used when a certificate is present.</param>
        /// <exception cref="ArgumentNullException"><paramref name="signer"/> or its StrongNameKey is null.</exception>
        internal void Sign(CmiManifestSigner signer, string timeStampUrl)
        {
            // Cached signer info is cleared before validation, so it is reset even if the check throws.
            this.m_strongNameSignerInfo = null;
            this.m_authenticodeSignerInfo = null;

            bool hasStrongNameKey = signer != null && signer.StrongNameKey != null;
            if (!hasStrongNameKey)
            {
                throw new ArgumentNullException("signer");
            }

            SignedCmiManifest.RemoveExistingSignature(this.m_manifestDom);

            // The token is replaced unless the DontReplacePublicKeyToken flag bit is set.
            CmiManifestSignerFlag keepTokenBit = signer.Flag & CmiManifestSignerFlag.DontReplacePublicKeyToken;
            if (keepTokenBit == CmiManifestSignerFlag.None)
            {
                SignedCmiManifest.ReplacePublicKeyToken(this.m_manifestDom, signer.StrongNameKey);
            }

            // Without a certificate there is no license: the manifest gets a strong-name signature
            // only, with no Authenticode signature and no timestamp.
            XmlDocument licenseDom = null;
            if (signer.Certificate != null)
            {
                SignedCmiManifest.InsertPublisherIdentity(this.m_manifestDom, signer.Certificate);

                // The hash is computed after the publisher identity was inserted above.
                XmlElement principal = this.ExtractPrincipalFromManifest();
                byte[] manifestHash = SignedCmiManifest.ComputeHashFromManifest(this.m_manifestDom);
                licenseDom = SignedCmiManifest.CreateLicenseDom(signer, principal, manifestHash);
                SignedCmiManifest.AuthenticodeSignLicenseDom(licenseDom, signer, timeStampUrl);
            }

            SignedCmiManifest.StrongNameSignManifestDom(this.m_manifestDom, licenseDom, signer);
        }
Exemple #5
        /// <summary>
        /// Adds an enveloped XMLDSIG signature (Id "AuthenticodeSignature") to the license document
        /// under r:license/r:issuer, optionally timestamps it, and wraps the license in an
        /// msrel:RelData element.
        /// </summary>
        /// <param name="licenseDom">License document to sign; modified in place.</param>
        /// <param name="signer">Supplies the certificate (public and private key) and the X509 include option.</param>
        /// <param name="timeStampUrl">Timestamp URL; null or empty skips the timestamping step.</param>
        /// <exception cref="NotSupportedException">The certificate's public key is not an RSACryptoServiceProvider.</exception>
        private static void AuthenticodeSignLicenseDom(XmlDocument licenseDom, CmiManifestSigner signer, string timeStampUrl)
        {
            // RSA only, as this is the only key type Fusion will support. The comparison is on the
            // exact type, so any key object other than RSACryptoServiceProvider is rejected.
            AsymmetricAlgorithm certPublicKey = signer.Certificate.PublicKey.Key;
            if (certPublicKey.GetType() != typeof(RSACryptoServiceProvider))
            {
                throw new NotSupportedException();
            }

            // XMLDSIG engine, signing with the certificate's private key and Exc-C14N canonicalization.
            // NOTE(review): neither SignedInfo.SignatureMethod nor the reference's DigestMethod is set
            // in this method, so the algorithms are the ManifestSignedXml / SignedXml defaults.
            // Confirm those defaults match the current signing policy.
            ManifestSignedXml engine = new ManifestSignedXml(licenseDom);
            engine.SigningKey = signer.Certificate.PrivateKey;
            engine.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;

            // Key information: raw RSA key first, then the X509 data. KeyInfo sits inside the
            // Signature element, which the enveloped transform leaves out of the digest, so a
            // verifier has to validate the certificate itself rather than rely on this material.
            engine.KeyInfo.AddClause(new RSAKeyValue(certPublicKey as RSA));
            engine.KeyInfo.AddClause(new KeyInfoX509Data(signer.Certificate, signer.IncludeOption));

            // Enveloped reference with an empty URI; enveloped-signature runs before Exc-C14N.
            Reference envelopedReference = new Reference { Uri = "" };
            envelopedReference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
            envelopedReference.AddTransform(new XmlDsigExcC14NTransform());
            engine.AddReference(envelopedReference);

            engine.ComputeSignature();

            XmlElement signatureElement = engine.GetXml();
            signatureElement.SetAttribute("Id", "AuthenticodeSignature");

            // The signature node goes under the issuer element.
            XmlNamespaceManager namespaces = new XmlNamespaceManager(licenseDom.NameTable);
            namespaces.AddNamespace("r", LicenseNamespaceUri);
            XmlElement issuer = licenseDom.SelectSingleNode("r:license/r:issuer", namespaces) as XmlElement;
            issuer.AppendChild(licenseDom.ImportNode(signatureElement, true));

            // Timestamp only on request; the URL is forwarded unchanged and not validated here.
            if (!string.IsNullOrEmpty(timeStampUrl))
            {
                TimestampSignedLicenseDom(licenseDom, timeStampUrl);
            }

            // Re-parse the serialized license inside a RelData wrapper, replacing the old content.
            XmlNode container = licenseDom.DocumentElement.ParentNode;
            container.InnerXml = "<msrel:RelData xmlns:msrel=\"" + MSRelNamespaceUri + "\">" + licenseDom.OuterXml + "</msrel:RelData>";
        }
Exemple #6
        /// <summary>
        /// Builds the unsigned license document from licenseTemplate and fills in the manifest
        /// identity, the manifest hash, the signer's description fields and the certificate subject.
        /// </summary>
        /// <param name="signer">Supplies Description, DescriptionUrl and the certificate subject name.</param>
        /// <param name="principal">Element whose attributes are copied onto as:assemblyIdentity.</param>
        /// <param name="hash">Manifest hash; an empty array produces an empty Hash attribute.</param>
        /// <returns>The populated license document (whitespace preserved).</returns>
        private static XmlDocument CreateLicenseDom(CmiManifestSigner signer, XmlElement principal, byte[] hash)
        {
            XmlDocument license = new XmlDocument { PreserveWhitespace = true };
            license.LoadXml(licenseTemplate);

            XmlNamespaceManager namespaces = new XmlNamespaceManager(license.NameTable);
            namespaces.AddNamespace("r", LicenseNamespaceUri);
            namespaces.AddNamespace("as", AuthenticodeNamespaceUri);

            // Replace the template's identity attributes with those of the manifest principal.
            XmlElement identity = license.SelectSingleNode("r:license/r:grant/as:ManifestInformation/as:assemblyIdentity", namespaces) as XmlElement;
            identity.RemoveAllAttributes();
            foreach (XmlAttribute source in principal.Attributes)
            {
                identity.SetAttribute(source.Name, source.Value);
            }

            // All signer-supplied text below is written through DOM setters (SetAttribute / InnerText),
            // i.e. as attribute or text values rather than as parsed markup.
            XmlElement manifestInfo = license.SelectSingleNode("r:license/r:grant/as:ManifestInformation", namespaces) as XmlElement;
            string hashText;
            if (hash.Length == 0)
            {
                hashText = "";
            }
            else
            {
                hashText = BytesToHexString(hash, 0, hash.Length);
            }
            manifestInfo.SetAttribute("Hash", hashText);
            manifestInfo.SetAttribute("Description", signer.Description ?? "");
            manifestInfo.SetAttribute("Url", signer.DescriptionUrl ?? "");

            // The publisher subject comes straight from the signing certificate.
            XmlElement subjectName = license.SelectSingleNode("r:license/r:grant/as:AuthenticodePublisher/as:X509SubjectName", namespaces) as XmlElement;
            subjectName.InnerText = signer.Certificate.SubjectName.Name;

            return license;
        }
Exemple #7
        /// <summary>
        /// Signs the manifest held by this instance: removes any existing signature, optionally
        /// replaces the public key token, Authenticode-signs a license when the signer has a
        /// certificate, and finally strong-name signs the manifest.
        /// </summary>
        /// <param name="signer">Signer with a non-null StrongNameKey; its Certificate may be null.</param>
        /// <param name="timeStampUrl">Forwarded to the Authenticode step; only used when a certificate is present.</param>
        /// <exception cref="ArgumentNullException"><paramref name="signer"/> or its StrongNameKey is null.</exception>
        internal void Sign(CmiManifestSigner signer, string timeStampUrl)
        {
            // Signer infos are cleared before validation, so they are reset even if the check throws.
            _strongNameSignerInfo = null;
            _authenticodeSignerInfo = null;

            bool hasStrongNameKey = signer != null && signer.StrongNameKey != null;
            if (!hasStrongNameKey)
            {
                throw new ArgumentNullException("signer");
            }

            // Drop the existing strong-name signature before anything else is changed.
            RemoveExistingSignature(_manifestDom);

            // The assemblyIdentity token is replaced unless DontReplacePublicKeyToken is set.
            if ((signer.Flag & CmiManifestSignerFlag.DontReplacePublicKeyToken) == 0)
            {
                ReplacePublicKeyToken(_manifestDom, signer.StrongNameKey);
            }

            // Without a certificate there is no license: the manifest gets a strong-name signature
            // only, with no Authenticode signature and no timestamp.
            XmlDocument licenseDom = null;
            if (signer.Certificate != null)
            {
                // <publisherIdentity /> is inserted first, if necessary.
                InsertPublisherIdentity(_manifestDom, signer.Certificate);

                // The hash is computed after the publisher identity was inserted above.
                XmlElement principal = ExtractPrincipalFromManifest();
                byte[] manifestHash = ComputeHashFromManifest(_manifestDom);
                licenseDom = CreateLicenseDom(signer, principal, manifestHash);
                AuthenticodeSignLicenseDom(licenseDom, signer, timeStampUrl);
            }

            StrongNameSignManifestDom(_manifestDom, licenseDom, signer);
        }
Exemple #8
 /// <summary>
 /// Signs the manifest without requesting a timestamp; forwards to the two-argument overload
 /// with a null timestamp URL.
 /// </summary>
 /// <param name="signer">Signer passed through unchanged.</param>
 internal void Sign(CmiManifestSigner signer)
 {
     string noTimestampUrl = null;
     Sign(signer, noTimestampUrl);
 }
Exemple #9
        /// <summary>
        /// Appends an enveloped XMLDSIG signature (Id "StrongNameSignature"), computed with the
        /// signer's strong-name key, to the manifest's asm:assembly root element.
        /// </summary>
        /// <param name="manifestDom">Manifest document; the signature is appended to its asm:assembly element.</param>
        /// <param name="licenseDom">Optional license document; when non-null its root element is embedded in KeyInfo.</param>
        /// <param name="signer">Supplies the strong-name key.</param>
        /// <exception cref="NotSupportedException">The strong-name key is not an RSA key.</exception>
        /// <exception cref="CryptographicException">The manifest has no asm:assembly element (TRUST_E_SUBJECT_FORM_UNKNOWN).</exception>
        private static void StrongNameSignManifestDom(XmlDocument manifestDom, XmlDocument licenseDom, CmiManifestSigner signer)
        {
            // RSA only, as this is the only key type Fusion will support.
            RSA rsaStrongNameKey = signer.StrongNameKey as RSA;
            if (rsaStrongNameKey == null)
            {
                throw new NotSupportedException();
            }

            XmlNamespaceManager namespaces = new XmlNamespaceManager(manifestDom.NameTable);
            namespaces.AddNamespace("asm", AssemblyNamespaceUri);

            // The signature is attached to the root assembly element; without one the document
            // is not a manifest this method can sign.
            XmlElement assemblyRoot = manifestDom.SelectSingleNode("asm:assembly", namespaces) as XmlElement;
            if (assemblyRoot == null)
            {
                throw new CryptographicException(Win32.TRUST_E_SUBJECT_FORM_UNKNOWN);
            }

            // NOTE(review): neither SignedInfo.SignatureMethod nor the reference's DigestMethod is set
            // in this method, so the algorithms are the ManifestSignedXml / SignedXml defaults.
            // Confirm those defaults match the current signing policy.
            ManifestSignedXml signedXml = new ManifestSignedXml(assemblyRoot);
            signedXml.SigningKey = signer.StrongNameKey;
            signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;

            // KeyInfo holds the RSA key and, when present, the whole license document.
            signedXml.KeyInfo.AddClause(new RSAKeyValue(rsaStrongNameKey));
            if (licenseDom != null)
            {
                signedXml.KeyInfo.AddClause(new KeyInfoNode(licenseDom.DocumentElement));
            }
            signedXml.KeyInfo.Id = "StrongNameKeyInfo";

            // Single enveloped reference with an empty URI; enveloped-signature runs before Exc-C14N.
            Reference envelopedReference = new Reference { Uri = "" };
            envelopedReference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
            envelopedReference.AddTransform(new XmlDsigExcC14NTransform());
            signedXml.AddReference(envelopedReference);

            // The reference to #StrongNameKeyInfo below is compiled out, so this signature does not
            // cover KeyInfo: the embedded RSA key and license are not integrity-protected by it and
            // have to be validated on their own merits by whoever verifies the manifest.
#if (false) // DSIE: New format does not sign KeyInfo.
            // Add the key info reference.
            Reference strongNameKeyInfo = new Reference();
            strongNameKeyInfo.Uri = "#StrongNameKeyInfo";
            strongNameKeyInfo.AddTransform(new XmlDsigExcC14NTransform());
            signedXml.AddReference(strongNameKeyInfo);
#endif
            signedXml.ComputeSignature();

            XmlElement signatureElement = signedXml.GetXml();
            signatureElement.SetAttribute("Id", "StrongNameSignature");

            // The signature becomes the last child of the assembly element.
            assemblyRoot.AppendChild(signatureElement);
        }
Exemple #10
 /// <summary>
 /// Signs the manifest without requesting a timestamp; forwards to the two-argument overload
 /// with a null timestamp URL.
 /// </summary>
 /// <param name="signer">Signer passed through unchanged.</param>
 internal void Sign(CmiManifestSigner signer)
 {
     string noTimestampUrl = null;
     this.Sign(signer, noTimestampUrl);
 }
Exemple #11
        /// <summary>
        /// Appends an enveloped XMLDSIG signature (Id "StrongNameSignature"), computed with the
        /// signer's strong-name key, to the manifest's asm:assembly root element.
        /// </summary>
        /// <param name="manifestDom">Manifest document; the signature is appended to its asm:assembly element.</param>
        /// <param name="licenseDom">Optional license document; when non-null its root element is embedded in KeyInfo.</param>
        /// <param name="signer">Supplies the strong-name key.</param>
        /// <exception cref="NotSupportedException">The strong-name key is not an RSA key.</exception>
        /// <exception cref="CryptographicException">The manifest has no asm:assembly element.</exception>
        private static void StrongNameSignManifestDom(XmlDocument manifestDom, XmlDocument licenseDom, CmiManifestSigner signer)
        {
            // 0x800B0003, the HRESULT TRUST_E_SUBJECT_FORM_UNKNOWN.
            const int SubjectFormUnknownHResult = -2146762749;

            RSA rsaStrongNameKey = signer.StrongNameKey as RSA;
            if (rsaStrongNameKey == null)
            {
                throw new NotSupportedException();
            }

            XmlNamespaceManager namespaces = new XmlNamespaceManager(manifestDom.NameTable);
            namespaces.AddNamespace("asm", "urn:schemas-microsoft-com:asm.v1");

            // The signature is attached to the root assembly element; without one the document
            // is not a manifest this method can sign.
            XmlElement assemblyRoot = manifestDom.SelectSingleNode("asm:assembly", namespaces) as XmlElement;
            if (assemblyRoot == null)
            {
                throw new CryptographicException(SubjectFormUnknownHResult);
            }

            // NOTE(review): neither SignedInfo.SignatureMethod nor the reference's DigestMethod is set
            // in this method, so the algorithms are the ManifestSignedXml / SignedXml defaults.
            // Confirm those defaults match the current signing policy.
            ManifestSignedXml strongNameSigner = new ManifestSignedXml(assemblyRoot);
            strongNameSigner.SigningKey = signer.StrongNameKey;
            strongNameSigner.SignedInfo.CanonicalizationMethod = "http://www.w3.org/2001/10/xml-exc-c14n#";

            // KeyInfo holds the RSA key and, when present, the whole license document. Nothing in
            // this method adds a reference to "StrongNameKeyInfo", so the signature does not cover
            // KeyInfo; a verifier has to validate the embedded key and license on their own merits.
            strongNameSigner.KeyInfo.AddClause(new RSAKeyValue(rsaStrongNameKey));
            if (licenseDom != null)
            {
                strongNameSigner.KeyInfo.AddClause(new KeyInfoNode(licenseDom.DocumentElement));
            }
            strongNameSigner.KeyInfo.Id = "StrongNameKeyInfo";

            // Single enveloped reference with an empty URI; enveloped-signature runs before Exc-C14N.
            Reference envelopedReference = new Reference { Uri = "" };
            envelopedReference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
            envelopedReference.AddTransform(new XmlDsigExcC14NTransform());
            strongNameSigner.AddReference(envelopedReference);
            strongNameSigner.ComputeSignature();

            XmlElement signatureElement = strongNameSigner.GetXml();
            signatureElement.SetAttribute("Id", "StrongNameSignature");

            // The signature becomes the last child of the assembly element.
            assemblyRoot.AppendChild(signatureElement);
        }
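 /// <summary>
 /// Signs the file at <paramref name="path"/>. PE files are passed to SignPEFile; any other
 /// file is loaded as an XML manifest, signed with the certificate's private key and saved
 /// back to the same path.
 /// </summary>
 /// <param name="cert">Signing certificate. PE signing requires it to be in the store (IsCertInStore); manifest signing requires an RSACryptoServiceProvider private key.</param>
 /// <param name="timestampUrl">Timestamp server URL, or null to sign without a timestamp.</param>
 /// <param name="path">File to sign; the manifest branch overwrites it.</param>
 /// <exception cref="ArgumentNullException"><paramref name="cert"/> is null, or <paramref name="path"/> is null or empty.</exception>
 /// <exception cref="FileNotFoundException">No file exists at <paramref name="path"/>.</exception>
 /// <exception cref="InvalidOperationException">A PE file is being signed and the certificate is not in the store.</exception>
 /// <exception cref="ApplicationException">The private key is missing or not RSA, or manifest signing failed.</exception>
 public static void SignFile(X509Certificate2 cert, Uri timestampUrl, string path)
 {
     // HRESULT_FROM_WIN32 forms of the WinINet errors ERROR_INTERNET_NAME_NOT_RESOLVED (12007)
     // and ERROR_INTERNET_CANNOT_CONNECT (12029); both are reported as "timestamp URL not found".
     const int NameNotResolvedHResult = -2147012889; // 0x80072EE7
     const int CannotConnectHResult = -2147012867;   // 0x80072EFD

     ResourceManager resources = new ResourceManager("Microsoft.Build.Tasks.Deployment.ManifestUtilities.Strings", typeof(SecurityUtilities).Module.Assembly);
     if (cert == null)
     {
         throw new ArgumentNullException("cert");
     }
     if (string.IsNullOrEmpty(path))
     {
         throw new ArgumentNullException("path");
     }
     if (!File.Exists(path))
     {
         throw new FileNotFoundException(string.Format(CultureInfo.InvariantCulture, resources.GetString("SecurityUtil.SignTargetNotFound"), new object[] { path }), path);
     }

     if (PathUtil.IsPEFile(path))
     {
         if (!IsCertInStore(cert))
         {
             throw new InvalidOperationException(resources.GetString("SignFile.CertNotInStore"));
         }
         SignPEFile(cert, timestampUrl, path, resources);
         return;
     }

     // X509Certificate2.PrivateKey is null for a certificate without a private key. The 'is'
     // test rejects that case with the same controlled error as a non-RSA key instead of
     // failing with a NullReferenceException; RSACryptoServiceProvider is sealed, so for a
     // non-null key this is the same check as comparing the exact type.
     AsymmetricAlgorithm privateKey = cert.PrivateKey;
     if (!(privateKey is RSACryptoServiceProvider))
     {
         throw new ApplicationException(resources.GetString("SecurityUtil.OnlyRSACertsAreAllowed"));
     }

     try
     {
         // NOTE(review): Load(path) parses with XmlDocument's default DTD and resolver
         // settings, which depend on the framework version. If a manifest can originate
         // outside the build, load it through an XmlReader whose settings prohibit DTDs.
         XmlDocument manifestDom = new XmlDocument {
             PreserveWhitespace = true
         };
         manifestDom.Load(path);
         System.Deployment.Internal.CodeSigning.SignedCmiManifest manifest = new System.Deployment.Internal.CodeSigning.SignedCmiManifest(manifestDom);
         System.Deployment.Internal.CodeSigning.CmiManifestSigner signer = new System.Deployment.Internal.CodeSigning.CmiManifestSigner(privateKey, cert);
         if (timestampUrl == null)
         {
             manifest.Sign(signer);
         }
         else
         {
             manifest.Sign(signer, timestampUrl.ToString());
         }
         // The signed manifest replaces the original file.
         manifestDom.Save(path);
     }
     catch (Exception exception)
     {
         // Every failure is surfaced as ApplicationException with the original as InnerException;
         // only the two connectivity HRESULTs get the dedicated timestamp message.
         int hRForException = Marshal.GetHRForException(exception);
         if ((hRForException == NameNotResolvedHResult) || (hRForException == CannotConnectHResult))
         {
             throw new ApplicationException(resources.GetString("SecurityUtil.TimestampUrlNotFound"), exception);
         }
         throw new ApplicationException(exception.Message, exception);
     }
 }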