/// <summary>
/// Authenticode-signs the license document in place: an enveloped XMLDSIG signature over the
/// whole license is appended under r:issuer, optionally timestamped, and the document is then
/// re-wrapped inside an msrel:RelData element.
/// </summary>
/// <param name="licenseDom">License document (as built by CreateLicenseDom); modified in place.</param>
/// <param name="signer">Supplies the signing certificate and the X509 include option.</param>
/// <param name="timeStampUrl">Timestamp server URL; null or empty skips timestamping.</param>
/// <exception cref="NotSupportedException">The certificate's key is not an RSA CSP key.</exception>
private static void AuthenticodeSignLicenseDom(XmlDocument licenseDom, CmiManifestSigner signer, string timeStampUrl)
{
    // Only an RSACryptoServiceProvider key is accepted; any other key type is rejected up front.
    if (signer.Certificate.PublicKey.Key.GetType() != typeof(RSACryptoServiceProvider))
    {
        throw new NotSupportedException();
    }

    ManifestSignedXml dsig = new ManifestSignedXml(licenseDom);
    // NOTE(review): X509Certificate2.PrivateKey / PublicKey.Key are obsolete on newer .NET;
    // GetRSAPrivateKey()/GetRSAPublicKey() are the replacements if this is ever ported.
    dsig.SigningKey = signer.Certificate.PrivateKey;
    dsig.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;

    // KeyInfo carries the raw RSA public key plus the certificate; how much of the chain is
    // embedded is controlled by signer.IncludeOption.
    RSA publicRsa = signer.Certificate.PublicKey.Key as RSA;
    dsig.KeyInfo.AddClause(new RSAKeyValue(publicRsa));
    dsig.KeyInfo.AddClause(new KeyInfoX509Data(signer.Certificate, signer.IncludeOption));

    // Uri="" with an enveloped transform: the reference covers the entire license minus the
    // Signature element itself, canonicalized with Exc-C14N.
    Reference wholeLicense = new Reference { Uri = "" };
    wholeLicense.AddTransform(new XmlDsigEnvelopedSignatureTransform());
    wholeLicense.AddTransform(new XmlDsigExcC14NTransform());
    dsig.AddReference(wholeLicense);
    dsig.ComputeSignature();

    XmlElement signatureElement = dsig.GetXml();
    signatureElement.SetAttribute("Id", "AuthenticodeSignature");

    XmlNamespaceManager namespaces = new XmlNamespaceManager(licenseDom.NameTable);
    namespaces.AddNamespace("r", "urn:mpeg:mpeg21:2003:01-REL-R-NS");
    XmlElement issuer = licenseDom.SelectSingleNode("r:license/r:issuer", namespaces) as XmlElement;
    issuer.AppendChild(licenseDom.ImportNode(signatureElement, true));

    // Timestamping runs only after the signature has been inserted into the license.
    if (!string.IsNullOrEmpty(timeStampUrl))
    {
        SignedCmiManifest.TimestampSignedLicenseDom(licenseDom, timeStampUrl);
    }

    // Re-parent the signed license under msrel:RelData by re-parsing its serialized form.
    licenseDom.DocumentElement.ParentNode.InnerXml =
        "<msrel:RelData xmlns:msrel=\"http://schemas.microsoft.com/windows/rel/2005/reldata\">"
        + licenseDom.OuterXml
        + "</msrel:RelData>";
}
/// <summary>
/// Builds the (not yet signed) Authenticode license document for a manifest: the assembly
/// identity attributes, the manifest hash, the signer's description/URL and the certificate
/// subject name are filled into a fixed r:license template.
/// </summary>
/// <param name="signer">Supplies Description, DescriptionUrl and the certificate subject.</param>
/// <param name="principal">assemblyIdentity element whose attributes are copied verbatim.</param>
/// <param name="hash">Manifest hash; an empty array yields an empty Hash attribute.</param>
/// <returns>A new whitespace-preserving XmlDocument holding the populated license.</returns>
private static XmlDocument CreateLicenseDom(CmiManifestSigner signer, XmlElement principal, byte[] hash)
{
    const string relNamespace = "urn:mpeg:mpeg21:2003:01-REL-R-NS";
    const string authenticodeNamespace = "http://schemas.microsoft.com/windows/pki/2005/Authenticode";

    XmlDocument dom = new XmlDocument { PreserveWhitespace = true };
    dom.LoadXml("<r:license xmlns:r=\"urn:mpeg:mpeg21:2003:01-REL-R-NS\" xmlns:as=\"http://schemas.microsoft.com/windows/pki/2005/Authenticode\"><r:grant><as:ManifestInformation><as:assemblyIdentity /></as:ManifestInformation><as:SignedBy/><as:AuthenticodePublisher><as:X509SubjectName>CN=dummy</as:X509SubjectName></as:AuthenticodePublisher></r:grant><r:issuer></r:issuer></r:license>");

    XmlNamespaceManager ns = new XmlNamespaceManager(dom.NameTable);
    ns.AddNamespace("r", relNamespace);
    ns.AddNamespace("as", authenticodeNamespace);

    // Replace the placeholder identity with the manifest's own attributes.
    XmlElement identity = dom.SelectSingleNode("r:license/r:grant/as:ManifestInformation/as:assemblyIdentity", ns) as XmlElement;
    identity.RemoveAllAttributes();
    foreach (XmlAttribute attribute in principal.Attributes)
    {
        identity.SetAttribute(attribute.Name, attribute.Value);
    }

    // Values are set through the DOM, so they are XML-escaped rather than string-concatenated.
    XmlElement manifestInformation = dom.SelectSingleNode("r:license/r:grant/as:ManifestInformation", ns) as XmlElement;
    string hashHex = hash.Length == 0 ? "" : SignedCmiManifest.BytesToHexString(hash, 0, hash.Length);
    manifestInformation.SetAttribute("Hash", hashHex);
    manifestInformation.SetAttribute("Description", signer.Description ?? "");
    manifestInformation.SetAttribute("Url", signer.DescriptionUrl ?? "");

    // The template's "CN=dummy" is overwritten with the real certificate subject.
    XmlElement subjectName = dom.SelectSingleNode("r:license/r:grant/as:AuthenticodePublisher/as:X509SubjectName", ns) as XmlElement;
    subjectName.InnerText = signer.Certificate.SubjectName.Name;

    return dom;
}
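/// <summary>
/// Signs a file with the given certificate. PE files are Authenticode-signed via SignPEFile;
/// any other file is treated as an XML (ClickOnce) manifest and signed in place through
/// SignedCmiManifest, optionally with a timestamp.
/// </summary>
/// <param name="cert">Signing certificate. For PE files it must be present in a certificate store; for manifests its private key must be an RSA CSP key.</param>
/// <param name="timestampUrl">Timestamp server URL, or null for no timestamp.</param>
/// <param name="path">File to sign; it is rewritten in place.</param>
/// <exception cref="ArgumentNullException">cert is null, or path is null/empty.</exception>
/// <exception cref="FileNotFoundException">path does not exist.</exception>
/// <exception cref="InvalidOperationException">PE signing requested with a certificate that is not in a store.</exception>
/// <exception cref="ApplicationException">Manifest signing failed, the timestamp server was unreachable, or the key is not an RSA CSP key (or the certificate has no private key).</exception>
public static void SignFile(X509Certificate2 cert, Uri timestampUrl, string path)
{
    // WinINet HRESULTs (12007 / 12029) that mean the timestamp server could not be reached.
    const int ErrorInternetNameNotResolved = unchecked((int)0x80072EE7); // -2147012889
    const int ErrorInternetCannotConnect = unchecked((int)0x80072EFD);   // -2147012867

    ResourceManager resources = new ResourceManager("Microsoft.Build.Tasks.Deployment.ManifestUtilities.Strings", typeof(SecurityUtilities).Module.Assembly);

    if (cert == null)
    {
        throw new ArgumentNullException("cert");
    }
    if (string.IsNullOrEmpty(path))
    {
        throw new ArgumentNullException("path");
    }
    if (!File.Exists(path))
    {
        throw new FileNotFoundException(string.Format(CultureInfo.InvariantCulture, resources.GetString("SecurityUtil.SignTargetNotFound"), path), path);
    }

    if (PathUtil.IsPEFile(path))
    {
        // PE signing requires the certificate to be present in a certificate store.
        if (!IsCertInStore(cert))
        {
            throw new InvalidOperationException(resources.GetString("SignFile.CertNotInStore"));
        }
        SignPEFile(cert, timestampUrl, path, resources);
        return;
    }

    // Manifest signing only supports an RSA CSP private key. The type test also covers a
    // certificate without a private key (PrivateKey == null), which the previous
    // GetType() call turned into a NullReferenceException.
    if (!(cert.PrivateKey is RSACryptoServiceProvider))
    {
        throw new ApplicationException(resources.GetString("SecurityUtil.OnlyRSACertsAreAllowed"));
    }

    try
    {
        XmlDocument manifestDom = new XmlDocument { PreserveWhitespace = true };
        // The manifest is untrusted input from disk: never resolve external entities or DTD
        // references while loading it, whatever the framework's default resolver is.
        manifestDom.XmlResolver = null;
        manifestDom.Load(path);

        System.Deployment.Internal.CodeSigning.SignedCmiManifest manifest = new System.Deployment.Internal.CodeSigning.SignedCmiManifest(manifestDom);
        System.Deployment.Internal.CodeSigning.CmiManifestSigner signer = new System.Deployment.Internal.CodeSigning.CmiManifestSigner(cert.PrivateKey, cert);
        if (timestampUrl == null)
        {
            manifest.Sign(signer);
        }
        else
        {
            manifest.Sign(signer, timestampUrl.ToString());
        }
        manifestDom.Save(path);
    }
    catch (Exception exception)
    {
        // Everything is surfaced as ApplicationException (callers depend on that); only the
        // "timestamp server unreachable" case gets a dedicated message.
        int hr = Marshal.GetHRForException(exception);
        if (hr == ErrorInternetNameNotResolved || hr == ErrorInternetCannotConnect)
        {
            throw new ApplicationException(resources.GetString("SecurityUtil.TimestampUrlNotFound"), exception);
        }
        throw new ApplicationException(exception.Message, exception);
    }
}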
/// <summary>
/// Signs the manifest: strips any existing signature, optionally rewrites the public key token,
/// Authenticode-signs a license document when a certificate is supplied, and finally
/// strong-name signs the manifest with that license embedded in its KeyInfo.
/// </summary>
/// <param name="signer">Must carry a StrongNameKey; Certificate is optional.</param>
/// <param name="timeStampUrl">Timestamp server URL for the Authenticode signature, or null.</param>
/// <exception cref="ArgumentNullException">signer or signer.StrongNameKey is null.</exception>
internal void Sign(CmiManifestSigner signer, string timeStampUrl)
{
    // Signer infos from any previous call are stale once re-signing starts.
    this.m_strongNameSignerInfo = null;
    this.m_authenticodeSignerInfo = null;

    // A strong-name key is mandatory; the certificate is not.
    if (signer == null || signer.StrongNameKey == null)
    {
        throw new ArgumentNullException("signer");
    }

    SignedCmiManifest.RemoveExistingSignature(this.m_manifestDom);

    bool replacePublicKeyToken = (signer.Flag & CmiManifestSignerFlag.DontReplacePublicKeyToken) == CmiManifestSignerFlag.None;
    if (replacePublicKeyToken)
    {
        SignedCmiManifest.ReplacePublicKeyToken(this.m_manifestDom, signer.StrongNameKey);
    }

    // Without a certificate there is no Authenticode license (and no timestamp).
    XmlDocument licenseDom = null;
    if (signer.Certificate != null)
    {
        SignedCmiManifest.InsertPublisherIdentity(this.m_manifestDom, signer.Certificate);
        // The hash is taken after publisherIdentity is inserted, so the license covers the
        // manifest in the form that will actually be strong-name signed below.
        XmlElement principal = this.ExtractPrincipalFromManifest();
        byte[] manifestHash = SignedCmiManifest.ComputeHashFromManifest(this.m_manifestDom);
        licenseDom = SignedCmiManifest.CreateLicenseDom(signer, principal, manifestHash);
        SignedCmiManifest.AuthenticodeSignLicenseDom(licenseDom, signer, timeStampUrl);
    }

    SignedCmiManifest.StrongNameSignManifestDom(this.m_manifestDom, licenseDom, signer);
}
/// <summary>
/// Authenticode-signs the license document in place. An enveloped XMLDSIG signature over the
/// whole license is inserted under r:issuer, a timestamp is requested if a URL is given, and the
/// license is then wrapped inside an msrel:RelData element.
/// </summary>
/// <param name="licenseDom">License built by CreateLicenseDom; modified in place.</param>
/// <param name="signer">Supplies the certificate (public and private key) and the X509 include option.</param>
/// <param name="timeStampUrl">Timestamp server URL; null or empty means no timestamp.</param>
/// <exception cref="NotSupportedException">The certificate key is not an RSA CSP key.</exception>
private static void AuthenticodeSignLicenseDom(XmlDocument licenseDom, CmiManifestSigner signer, string timeStampUrl)
{
    var certificate = signer.Certificate;

    // Fusion only supports RSA, so anything but an RSACryptoServiceProvider key is refused.
    if (certificate.PublicKey.Key.GetType() != typeof(RSACryptoServiceProvider))
    {
        throw new NotSupportedException();
    }

    ManifestSignedXml dsig = new ManifestSignedXml(licenseDom);
    // NOTE(review): PrivateKey / PublicKey.Key are obsolete on newer .NET; GetRSAPrivateKey()
    // and GetRSAPublicKey() are the replacements if this code is ported.
    dsig.SigningKey = certificate.PrivateKey;
    dsig.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;

    // KeyInfo: the bare RSA public key and the certificate (chain depth per IncludeOption).
    dsig.KeyInfo.AddClause(new RSAKeyValue(certificate.PublicKey.Key as RSA));
    dsig.KeyInfo.AddClause(new KeyInfoX509Data(certificate, signer.IncludeOption));

    // Uri="" + enveloped transform: everything in the license except the Signature itself
    // is covered, canonicalized with Exc-C14N.
    Reference wholeDocument = new Reference { Uri = "" };
    wholeDocument.AddTransform(new XmlDsigEnvelopedSignatureTransform());
    wholeDocument.AddTransform(new XmlDsigExcC14NTransform());
    dsig.AddReference(wholeDocument);
    dsig.ComputeSignature();

    XmlElement signature = dsig.GetXml();
    signature.SetAttribute("Id", "AuthenticodeSignature");

    // Hang the signature under r:issuer.
    XmlNamespaceManager ns = new XmlNamespaceManager(licenseDom.NameTable);
    ns.AddNamespace("r", LicenseNamespaceUri);
    XmlElement issuer = licenseDom.SelectSingleNode("r:license/r:issuer", ns) as XmlElement;
    issuer.AppendChild(licenseDom.ImportNode(signature, true));

    // Timestamping only happens once the signature is in place.
    if (!string.IsNullOrEmpty(timeStampUrl))
    {
        TimestampSignedLicenseDom(licenseDom, timeStampUrl);
    }

    // Re-parent the signed license under msrel:RelData by re-parsing its serialized form.
    string wrapped = "<msrel:RelData xmlns:msrel=\"" + MSRelNamespaceUri + "\">" + licenseDom.OuterXml + "</msrel:RelData>";
    licenseDom.DocumentElement.ParentNode.InnerXml = wrapped;
}
/// <summary>
/// Creates the unsigned Authenticode license for a manifest from the licenseTemplate: copies the
/// assemblyIdentity attributes, records the manifest hash, the signer's description and URL, and
/// the certificate subject name.
/// </summary>
/// <param name="signer">Supplies Description, DescriptionUrl and the certificate subject name.</param>
/// <param name="principal">assemblyIdentity element whose attributes are copied as-is.</param>
/// <param name="hash">Manifest hash; an empty array produces an empty Hash attribute.</param>
/// <returns>A new whitespace-preserving XmlDocument containing the populated license.</returns>
private static XmlDocument CreateLicenseDom(CmiManifestSigner signer, XmlElement principal, byte[] hash)
{
    XmlDocument license = new XmlDocument { PreserveWhitespace = true };
    license.LoadXml(licenseTemplate);

    XmlNamespaceManager namespaces = new XmlNamespaceManager(license.NameTable);
    namespaces.AddNamespace("r", LicenseNamespaceUri);
    namespaces.AddNamespace("as", AuthenticodeNamespaceUri);

    // assemblyIdentity: drop the template's attributes and copy the manifest's own.
    XmlElement identity = license.SelectSingleNode("r:license/r:grant/as:ManifestInformation/as:assemblyIdentity", namespaces) as XmlElement;
    identity.RemoveAllAttributes();
    foreach (XmlAttribute attr in principal.Attributes)
    {
        identity.SetAttribute(attr.Name, attr.Value);
    }

    // ManifestInformation: hash plus signer-supplied metadata. Going through SetAttribute
    // means the values are XML-escaped, never concatenated into markup.
    XmlElement information = license.SelectSingleNode("r:license/r:grant/as:ManifestInformation", namespaces) as XmlElement;
    string hexHash = hash.Length == 0 ? "" : BytesToHexString(hash, 0, hash.Length);
    information.SetAttribute("Hash", hexHash);
    information.SetAttribute("Description", signer.Description ?? "");
    information.SetAttribute("Url", signer.DescriptionUrl ?? "");

    // Publisher: the template's placeholder subject is replaced with the certificate's.
    XmlElement subjectName = license.SelectSingleNode("r:license/r:grant/as:AuthenticodePublisher/as:X509SubjectName", namespaces) as XmlElement;
    subjectName.InnerText = signer.Certificate.SubjectName.Name;

    return license;
}
/// <summary>
/// Signs the manifest: removes any existing signature, rewrites the public key token unless the
/// signer opts out, Authenticode-signs a license when a certificate is present, and finally
/// strong-name signs the manifest with that license embedded in its KeyInfo.
/// </summary>
/// <param name="signer">Must carry a StrongNameKey; Certificate is optional.</param>
/// <param name="timeStampUrl">Timestamp server URL for the Authenticode signature, or null.</param>
/// <exception cref="ArgumentNullException">signer or signer.StrongNameKey is null.</exception>
internal void Sign(CmiManifestSigner signer, string timeStampUrl)
{
    // Anything recorded by a previous call is stale once re-signing starts.
    _strongNameSignerInfo = null;
    _authenticodeSignerInfo = null;

    // A strong-name key is required; a certificate is not.
    if (signer == null || signer.StrongNameKey == null)
    {
        throw new ArgumentNullException("signer");
    }

    RemoveExistingSignature(_manifestDom);

    bool keepPublicKeyToken = (signer.Flag & CmiManifestSignerFlag.DontReplacePublicKeyToken) != 0;
    if (!keepPublicKeyToken)
    {
        ReplacePublicKeyToken(_manifestDom, signer.StrongNameKey);
    }

    // No certificate: no Authenticode license and no timestamp.
    XmlDocument licenseDom = null;
    if (signer.Certificate != null)
    {
        InsertPublisherIdentity(_manifestDom, signer.Certificate);

        // The hash is computed after publisherIdentity is inserted, so the license covers
        // the manifest in the form that is strong-name signed below.
        XmlElement principal = ExtractPrincipalFromManifest();
        byte[] manifestHash = ComputeHashFromManifest(_manifestDom);
        licenseDom = CreateLicenseDom(signer, principal, manifestHash);
        AuthenticodeSignLicenseDom(licenseDom, signer, timeStampUrl);
    }

    StrongNameSignManifestDom(_manifestDom, licenseDom, signer);
}
/// <summary>
/// Signs the manifest without requesting a timestamp; see the two-argument overload.
/// </summary>
/// <param name="signer">Must carry a StrongNameKey; Certificate is optional.</param>
internal void Sign(CmiManifestSigner signer)
{
    const string noTimestamp = null;
    Sign(signer, noTimestamp);
}
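/// <summary>
/// Strong-name signs the manifest in place: an enveloped XMLDSIG signature with Id
/// "StrongNameSignature" is appended to the asm:assembly root element. KeyInfo carries the RSA
/// public key and, when supplied, the Authenticode-signed license document.
/// </summary>
/// <param name="manifestDom">Manifest to sign; modified in place.</param>
/// <param name="licenseDom">Authenticode-signed license to embed in KeyInfo, or null.</param>
/// <param name="signer">Supplies the strong-name key.</param>
/// <exception cref="NotSupportedException">The strong-name key is not RSA.</exception>
/// <exception cref="CryptographicException">The document root is not asm:assembly.</exception>
private static void StrongNameSignManifestDom(XmlDocument manifestDom, XmlDocument licenseDom, CmiManifestSigner signer)
{
    // Make sure it is RSA, as this is the only one Fusion will support.
    RSA snKey = signer.StrongNameKey as RSA;
    if (snKey == null)
    {
        throw new NotSupportedException();
    }

    XmlNamespaceManager nsm = new XmlNamespaceManager(manifestDom.NameTable);
    nsm.AddNamespace("asm", AssemblyNamespaceUri);

    // The signature is appended to the root <asm:assembly>; any other root is not a manifest.
    XmlElement signatureParent = manifestDom.SelectSingleNode("asm:assembly", nsm) as XmlElement;
    if (signatureParent == null)
    {
        throw new CryptographicException(Win32.TRUST_E_SUBJECT_FORM_UNKNOWN);
    }

    ManifestSignedXml signedXml = new ManifestSignedXml(signatureParent);
    signedXml.SigningKey = signer.StrongNameKey;
    signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;

    // KeyInfo: the strong-name public key, plus the whole license document when present.
    signedXml.KeyInfo.AddClause(new RSAKeyValue(snKey));
    if (licenseDom != null)
    {
        signedXml.KeyInfo.AddClause(new KeyInfoNode(licenseDom.DocumentElement));
    }
    signedXml.KeyInfo.Id = "StrongNameKeyInfo";

    // Single enveloped reference (Uri="") with Exc-C14N: covers the assembly element minus the
    // Signature itself. The current format intentionally adds no second reference to
    // "#StrongNameKeyInfo" (the previous format did, see DSIE), so KeyInfo and the embedded
    // license are not protected by this signature; a verifier cannot rely on it to
    // authenticate them.
    Reference enveloped = new Reference();
    enveloped.Uri = "";
    enveloped.AddTransform(new XmlDsigEnvelopedSignatureTransform());
    enveloped.AddTransform(new XmlDsigExcC14NTransform());
    signedXml.AddReference(enveloped);

    signedXml.ComputeSignature();

    XmlElement xmlDigitalSignature = signedXml.GetXml();
    xmlDigitalSignature.SetAttribute("Id", "StrongNameSignature");
    signatureParent.AppendChild(xmlDigitalSignature);
}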
/// <summary>
/// Signs the manifest without a timestamp; equivalent to Sign(signer, null).
/// </summary>
/// <param name="signer">Must carry a StrongNameKey; Certificate is optional.</param>
internal void Sign(CmiManifestSigner signer)
{
    string timeStampUrl = null;
    this.Sign(signer, timeStampUrl);
}
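/// <summary>
/// Strong-name signs the manifest in place: an enveloped XMLDSIG signature with Id
/// "StrongNameSignature" is appended to the asm:assembly root element. KeyInfo carries the RSA
/// public key and, when supplied, the Authenticode-signed license document.
/// </summary>
/// <param name="manifestDom">Manifest to sign; modified in place.</param>
/// <param name="licenseDom">Authenticode-signed license to embed in KeyInfo, or null.</param>
/// <param name="signer">Supplies the strong-name key.</param>
/// <exception cref="NotSupportedException">The strong-name key is not RSA.</exception>
/// <exception cref="CryptographicException">The document root is not asm:assembly (TRUST_E_SUBJECT_FORM_UNKNOWN).</exception>
private static void StrongNameSignManifestDom(XmlDocument manifestDom, XmlDocument licenseDom, CmiManifestSigner signer)
{
    // HRESULT TRUST_E_SUBJECT_FORM_UNKNOWN (0x800B0003), previously written as -2146762749.
    const int TRUST_E_SUBJECT_FORM_UNKNOWN = unchecked((int)0x800B0003);

    // Only an RSA strong-name key is supported.
    RSA strongNameKey = signer.StrongNameKey as RSA;
    if (strongNameKey == null)
    {
        throw new NotSupportedException();
    }

    XmlNamespaceManager nsmgr = new XmlNamespaceManager(manifestDom.NameTable);
    nsmgr.AddNamespace("asm", "urn:schemas-microsoft-com:asm.v1");

    // The signature is appended to the root <asm:assembly>; any other root is not a manifest.
    XmlElement assemblyElement = manifestDom.SelectSingleNode("asm:assembly", nsmgr) as XmlElement;
    if (assemblyElement == null)
    {
        throw new CryptographicException(TRUST_E_SUBJECT_FORM_UNKNOWN);
    }

    ManifestSignedXml signedXml = new ManifestSignedXml(assemblyElement);
    signedXml.SigningKey = signer.StrongNameKey;
    signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;

    // KeyInfo: the strong-name public key, plus the whole license document when present.
    signedXml.KeyInfo.AddClause(new RSAKeyValue(strongNameKey));
    if (licenseDom != null)
    {
        signedXml.KeyInfo.AddClause(new KeyInfoNode(licenseDom.DocumentElement));
    }
    signedXml.KeyInfo.Id = "StrongNameKeyInfo";

    // Single enveloped reference (Uri="") with Exc-C14N: covers the assembly element minus the
    // Signature itself. No reference points at "#StrongNameKeyInfo", so KeyInfo and the
    // embedded license are not protected by this signature; a verifier cannot rely on it to
    // authenticate them.
    Reference enveloped = new Reference { Uri = "" };
    enveloped.AddTransform(new XmlDsigEnvelopedSignatureTransform());
    enveloped.AddTransform(new XmlDsigExcC14NTransform());
    signedXml.AddReference(enveloped);

    signedXml.ComputeSignature();

    XmlElement signature = signedXml.GetXml();
    signature.SetAttribute("Id", "StrongNameSignature");
    assemblyElement.AppendChild(signature);
}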