/// <summary>
/// Verify the signature of the manifest
/// </summary>
public ManifestSignatureInformation VerifySignature(X509RevocationFlag revocationFlag,
X509RevocationMode revocationMode)
{
XmlElement signatureNode = m_manifestXml.SelectSingleNode("//ds:Signature", m_namespaceManager) as XmlElement;
if (signatureNode == null)
{
return(new ManifestSignatureInformation(m_manifest, null, null));
}
LoadXml(signatureNode);
StrongNameSignatureInformation strongName = VerifyStrongNameSignature(signatureNode);
// Since the Authenticode signature is wrapped in the strong name signature, we do not want to
// give a valid AuthenticodeSignatureInformation object for an Authenticode signature which is
// contained within a strong name signature with an invalid hash value.
AuthenticodeSignatureInformation authenticode = null;
if (strongName.VerificationResult != SignatureVerificationResult.BadDigest)
{
authenticode = VerifyAuthenticodeSignature(signatureNode, revocationFlag, revocationMode);
}
else
{
authenticode = new AuthenticodeSignatureInformation(SignatureVerificationResult.ContainingSignatureInvalid);
}
return(new ManifestSignatureInformation(m_manifest, strongName, authenticode));
}
internal ManifestSignatureInformation(ManifestKinds manifest,
StrongNameSignatureInformation strongNameSignature,
AuthenticodeSignatureInformation authenticodeSignature)
{
Debug.Assert(manifest == ManifestKinds.Application || manifest == ManifestKinds.Deployment, "Invalid manifest for signature information");
m_manifest = manifest;
m_strongNameSignature = strongNameSignature;
m_authenticodeSignature = authenticodeSignature;
}
public ManifestSignatureInformation VerifySignature(X509RevocationFlag revocationFlag, X509RevocationMode revocationMode)
{
XmlElement element = this.m_manifestXml.SelectSingleNode("//ds:Signature", this.m_namespaceManager) as XmlElement;
if (element == null)
{
return(new ManifestSignatureInformation(this.m_manifest, null, null));
}
base.LoadXml(element);
StrongNameSignatureInformation strongNameSignature = this.VerifyStrongNameSignature(element);
AuthenticodeSignatureInformation authenticodeSignature = null;
if (strongNameSignature.VerificationResult != SignatureVerificationResult.BadDigest)
{
authenticodeSignature = this.VerifyAuthenticodeSignature(element, revocationFlag, revocationMode);
}
else
{
authenticodeSignature = new AuthenticodeSignatureInformation(SignatureVerificationResult.ContainingSignatureInvalid);
}
return(new ManifestSignatureInformation(this.m_manifest, strongNameSignature, authenticodeSignature));
}
private AuthenticodeSignatureInformation VerifyAuthenticodeSignature(XmlElement signatureNode,
X509RevocationFlag revocationFlag,
X509RevocationMode revocationMode)
{
Debug.Assert(signatureNode != null, "signatureNode != null");
// See if there is an Authenticode signature on the manifest
XmlElement licenseNode = signatureNode.SelectSingleNode("ds:KeyInfo/msrel:RelData/r:license",
m_namespaceManager) as XmlElement;
if (licenseNode == null)
{
return(null);
}
// Make sure that the signature is for this manifest
SignatureVerificationResult identityVerification = VerifyAuthenticodeSignatureIdentity(licenseNode);
if (identityVerification != SignatureVerificationResult.Valid)
{
return(new AuthenticodeSignatureInformation(identityVerification));
}
SignatureVerificationResult hashVerification = VerifyAuthenticodeExpectedHash(licenseNode);
if (hashVerification != SignatureVerificationResult.Valid)
{
return(new AuthenticodeSignatureInformation(hashVerification));
}
// Verify the signature, extracting information about it
AuthenticodeSignatureInformation authenticodeSignature = null;
X509Native.AXL_AUTHENTICODE_SIGNER_INFO signer = new X509Native.AXL_AUTHENTICODE_SIGNER_INFO();
signer.cbSize = Marshal.SizeOf(typeof(X509Native.AXL_AUTHENTICODE_SIGNER_INFO));
X509Native.AXL_AUTHENTICODE_TIMESTAMPER_INFO timestamper = new X509Native.AXL_AUTHENTICODE_TIMESTAMPER_INFO();
timestamper.cbsize = Marshal.SizeOf(typeof(X509Native.AXL_AUTHENTICODE_TIMESTAMPER_INFO));
RuntimeHelpers.PrepareConstrainedRegions();
try {
byte[] licenseXml = Encoding.UTF8.GetBytes(licenseNode.OuterXml);
X509Native.AxlVerificationFlags verificationFlags = MapRevocationFlags(revocationFlag,
revocationMode);
unsafe
{
fixed(byte *pLicenseXml = licenseXml)
{
// Safe since we're verifying the size of this buffer is correct
CapiNative.CRYPTOAPI_BLOB xmlBlob = new CapiNative.CRYPTOAPI_BLOB();
xmlBlob.cbData = licenseXml.Length;
xmlBlob.pbData = new IntPtr(pLicenseXml);
int hrVerify = X509Native.UnsafeNativeMethods.CertVerifyAuthenticodeLicense(ref xmlBlob,
verificationFlags,
ref signer,
ref timestamper);
if (hrVerify == (int)SignatureVerificationResult.MissingSignature)
{
return(new AuthenticodeSignatureInformation(SignatureVerificationResult.MissingSignature));
}
}
}
X509Chain signatureChain = BuildSignatureChain(signer,
licenseNode,
revocationFlag,
revocationMode);
TimestampInformation timestamp = GetTimestampInformation(timestamper,
licenseNode);
authenticodeSignature = new AuthenticodeSignatureInformation(signer,
signatureChain,
timestamp);
}
finally {
X509Native.UnsafeNativeMethods.CertFreeAuthenticodeSignerInfo(ref signer);
X509Native.UnsafeNativeMethods.CertFreeAuthenticodeTimestamperInfo(ref timestamper);
}
// Verify the signing certificate matches the expected publisher
Debug.Assert(authenticodeSignature != null, "authenticodeSignature != null");
if (authenticodeSignature.SigningCertificate == null)
{
return(new AuthenticodeSignatureInformation(authenticodeSignature.VerificationResult));
}
SignatureVerificationResult publisherMatch = VerifyAuthenticodePublisher(authenticodeSignature.SigningCertificate);
if (publisherMatch != SignatureVerificationResult.Valid)
{
return(new AuthenticodeSignatureInformation(publisherMatch));
}
return(authenticodeSignature);
}
internal ManifestSignatureInformation(ManifestKinds manifest, StrongNameSignatureInformation strongNameSignature, AuthenticodeSignatureInformation authenticodeSignature)
{
this.m_manifest = manifest;
this.m_strongNameSignature = strongNameSignature;
this.m_authenticodeSignature = authenticodeSignature;
}
private unsafe AuthenticodeSignatureInformation VerifyAuthenticodeSignature(XmlElement signatureNode, X509RevocationFlag revocationFlag, X509RevocationMode revocationMode)
{
XmlElement licenseNode = signatureNode.SelectSingleNode("ds:KeyInfo/msrel:RelData/r:license", this.m_namespaceManager) as XmlElement;
if (licenseNode == null)
{
return(null);
}
SignatureVerificationResult error = this.VerifyAuthenticodeSignatureIdentity(licenseNode);
if (error != SignatureVerificationResult.Valid)
{
return(new AuthenticodeSignatureInformation(error));
}
SignatureVerificationResult result2 = this.VerifyAuthenticodeExpectedHash(licenseNode);
if (result2 != SignatureVerificationResult.Valid)
{
return(new AuthenticodeSignatureInformation(result2));
}
AuthenticodeSignatureInformation information = null;
X509Native.AXL_AUTHENTICODE_SIGNER_INFO pSignerInfo = new X509Native.AXL_AUTHENTICODE_SIGNER_INFO {
cbSize = Marshal.SizeOf(typeof(X509Native.AXL_AUTHENTICODE_SIGNER_INFO))
};
X509Native.AXL_AUTHENTICODE_TIMESTAMPER_INFO pTimestamperInfo = new X509Native.AXL_AUTHENTICODE_TIMESTAMPER_INFO {
cbsize = Marshal.SizeOf(typeof(X509Native.AXL_AUTHENTICODE_TIMESTAMPER_INFO))
};
RuntimeHelpers.PrepareConstrainedRegions();
try
{
byte[] bytes = Encoding.UTF8.GetBytes(licenseNode.OuterXml);
X509Native.AxlVerificationFlags dwFlags = MapRevocationFlags(revocationFlag, revocationMode);
try
{
fixed(byte *numRef = bytes)
{
CapiNative.CRYPTOAPI_BLOB pLicenseBlob = new CapiNative.CRYPTOAPI_BLOB {
cbData = bytes.Length,
pbData = new IntPtr((void *)numRef)
};
if (X509Native.UnsafeNativeMethods.CertVerifyAuthenticodeLicense(ref pLicenseBlob, dwFlags, ref pSignerInfo, ref pTimestamperInfo) == -2146762496)
{
return(new AuthenticodeSignatureInformation(SignatureVerificationResult.MissingSignature));
}
}
}
finally
{
numRef = null;
}
X509Chain signatureChain = this.BuildSignatureChain(pSignerInfo, licenseNode, revocationFlag, revocationMode);
TimestampInformation timestampInformation = this.GetTimestampInformation(pTimestamperInfo, licenseNode);
information = new AuthenticodeSignatureInformation(pSignerInfo, signatureChain, timestampInformation);
}
finally
{
X509Native.UnsafeNativeMethods.CertFreeAuthenticodeSignerInfo(ref pSignerInfo);
X509Native.UnsafeNativeMethods.CertFreeAuthenticodeTimestamperInfo(ref pTimestamperInfo);
}
if (information.SigningCertificate == null)
{
return(new AuthenticodeSignatureInformation(information.VerificationResult));
}
SignatureVerificationResult result3 = this.VerifyAuthenticodePublisher(information.SigningCertificate);
if (result3 != SignatureVerificationResult.Valid)
{
return(new AuthenticodeSignatureInformation(result3));
}
return(information);
}
