private static void AuthenticodeSignLicenseDom(XmlDocument licenseDom, CmiManifestSigner signer, string timeStampUrl) { if (signer.Certificate.PublicKey.Key.GetType() != typeof(RSACryptoServiceProvider)) { throw new NotSupportedException(); } ManifestSignedXml manifestSignedXml = new ManifestSignedXml(licenseDom); manifestSignedXml.SigningKey = signer.Certificate.PrivateKey; manifestSignedXml.SignedInfo.CanonicalizationMethod = "http://www.w3.org/2001/10/xml-exc-c14n#"; manifestSignedXml.KeyInfo.AddClause((KeyInfoClause) new RSAKeyValue(signer.Certificate.PublicKey.Key as RSA)); manifestSignedXml.KeyInfo.AddClause((KeyInfoClause) new KeyInfoX509Data((X509Certificate)signer.Certificate, signer.IncludeOption)); Reference reference = new Reference(); reference.Uri = ""; reference.AddTransform((Transform) new XmlDsigEnvelopedSignatureTransform()); reference.AddTransform((Transform) new XmlDsigExcC14NTransform()); manifestSignedXml.AddReference(reference); manifestSignedXml.ComputeSignature(); XmlElement xml = manifestSignedXml.GetXml(); xml.SetAttribute("Id", "AuthenticodeSignature"); XmlNamespaceManager nsmgr = new XmlNamespaceManager(licenseDom.NameTable); nsmgr.AddNamespace("r", "urn:mpeg:mpeg21:2003:01-REL-R-NS"); (licenseDom.SelectSingleNode("r:license/r:issuer", nsmgr) as XmlElement).AppendChild(licenseDom.ImportNode((XmlNode)xml, true)); if (timeStampUrl != null && timeStampUrl.Length != 0) { SignedCmiManifest.TimestampSignedLicenseDom(licenseDom, timeStampUrl); } licenseDom.DocumentElement.ParentNode.InnerXml = "<msrel:RelData xmlns:msrel=\"http://schemas.microsoft.com/windows/rel/2005/reldata\">" + licenseDom.OuterXml + "</msrel:RelData>"; }
private static XmlDocument CreateLicenseDom(CmiManifestSigner signer, XmlElement principal, byte[] hash) { XmlDocument xmlDocument = new XmlDocument(); xmlDocument.PreserveWhitespace = true; xmlDocument.LoadXml("<r:license xmlns:r=\"urn:mpeg:mpeg21:2003:01-REL-R-NS\" xmlns:as=\"http://schemas.microsoft.com/windows/pki/2005/Authenticode\"><r:grant><as:ManifestInformation><as:assemblyIdentity /></as:ManifestInformation><as:SignedBy/><as:AuthenticodePublisher><as:X509SubjectName>CN=dummy</as:X509SubjectName></as:AuthenticodePublisher></r:grant><r:issuer></r:issuer></r:license>"); XmlNamespaceManager nsmgr = new XmlNamespaceManager(xmlDocument.NameTable); nsmgr.AddNamespace("r", "urn:mpeg:mpeg21:2003:01-REL-R-NS"); nsmgr.AddNamespace("as", "http://schemas.microsoft.com/windows/pki/2005/Authenticode"); XmlElement xmlElement1 = xmlDocument.SelectSingleNode("r:license/r:grant/as:ManifestInformation/as:assemblyIdentity", nsmgr) as XmlElement; xmlElement1.RemoveAllAttributes(); foreach (XmlAttribute attribute in (XmlNamedNodeMap)principal.Attributes) { xmlElement1.SetAttribute(attribute.Name, attribute.Value); } XmlElement xmlElement2 = xmlDocument.SelectSingleNode("r:license/r:grant/as:ManifestInformation", nsmgr) as XmlElement; xmlElement2.SetAttribute("Hash", hash.Length == 0 ? "" : SignedCmiManifest.BytesToHexString(hash, 0, hash.Length)); xmlElement2.SetAttribute("Description", signer.Description == null ? "" : signer.Description); xmlElement2.SetAttribute("Url", signer.DescriptionUrl == null ? "" : signer.DescriptionUrl); (xmlDocument.SelectSingleNode("r:license/r:grant/as:AuthenticodePublisher/as:X509SubjectName", nsmgr) as XmlElement).InnerText = signer.Certificate.SubjectName.Name; return(xmlDocument); }
public static void SignFile(X509Certificate2 cert, Uri timestampUrl, string path) { ResourceManager resources = new ResourceManager("Microsoft.Build.Tasks.Deployment.ManifestUtilities.Strings", typeof(SecurityUtilities).Module.Assembly); if (cert == null) { throw new ArgumentNullException("cert"); } if (string.IsNullOrEmpty(path)) { throw new ArgumentNullException("path"); } if (!File.Exists(path)) { throw new FileNotFoundException(string.Format(CultureInfo.InvariantCulture, resources.GetString("SecurityUtil.SignTargetNotFound"), new object[] { path }), path); } if (PathUtil.IsPEFile(path)) { if (!IsCertInStore(cert)) { throw new InvalidOperationException(resources.GetString("SignFile.CertNotInStore")); } SignPEFile(cert, timestampUrl, path, resources); } else { if (cert.PrivateKey.GetType() != typeof(RSACryptoServiceProvider)) { throw new ApplicationException(resources.GetString("SecurityUtil.OnlyRSACertsAreAllowed")); } try { XmlDocument manifestDom = new XmlDocument { PreserveWhitespace = true }; manifestDom.Load(path); System.Deployment.Internal.CodeSigning.SignedCmiManifest manifest = new System.Deployment.Internal.CodeSigning.SignedCmiManifest(manifestDom); System.Deployment.Internal.CodeSigning.CmiManifestSigner signer = new System.Deployment.Internal.CodeSigning.CmiManifestSigner(cert.PrivateKey, cert); if (timestampUrl == null) { manifest.Sign(signer); } else { manifest.Sign(signer, timestampUrl.ToString()); } manifestDom.Save(path); } catch (Exception exception) { int hRForException = Marshal.GetHRForException(exception); if ((hRForException != -2147012889) && (hRForException != -2147012867)) { throw new ApplicationException(exception.Message, exception); } throw new ApplicationException(resources.GetString("SecurityUtil.TimestampUrlNotFound"), exception); } } }
private static bool AnalyzeCertificate(ParsedData parsedData, MemoryStream ms, out bool distrustedPublisher, out bool trustedPublisher, out bool noCertificate) { distrustedPublisher = false; trustedPublisher = false; noCertificate = false; System.Deployment.Internal.CodeSigning.SignedCmiManifest manifest = null; try { XmlDocument manifestDom = new XmlDocument { PreserveWhitespace = true }; manifestDom.Load(ms); manifest = new System.Deployment.Internal.CodeSigning.SignedCmiManifest(manifestDom); manifest.Verify(System.Deployment.Internal.CodeSigning.CmiManifestVerifyFlags.None); } catch (Exception exception) { if (!(exception is CryptographicException) || (manifest.AuthenticodeSignerInfo == null)) { return(false); } int errorCode = manifest.AuthenticodeSignerInfo.ErrorCode; switch (errorCode) { case -2146762479: case -2146885616: distrustedPublisher = true; return(true); } if (errorCode != -2146762748) { noCertificate = true; } return(true); } finally { if (((manifest != null) && (manifest.AuthenticodeSignerInfo != null)) && (manifest.AuthenticodeSignerInfo.SignerChain != null)) { parsedData.Certificate = manifest.AuthenticodeSignerInfo.SignerChain.ChainElements[0].Certificate; parsedData.AuthenticodedPublisher = parsedData.Certificate.GetNameInfo(X509NameType.SimpleName, false); } } if ((manifest == null) || (manifest.AuthenticodeSignerInfo == null)) { noCertificate = true; } else { trustedPublisher = true; } return(true); }
private static bool AnalyzeCertificate(ParsedData parsedData, MemoryStream ms, out bool distrustedPublisher, out bool trustedPublisher, out bool noCertificate) { distrustedPublisher = false; trustedPublisher = false; noCertificate = false; System.Deployment.Internal.CodeSigning.SignedCmiManifest manifest = null; try { XmlDocument manifestDom = new XmlDocument { PreserveWhitespace = true }; manifestDom.Load(ms); manifest = new System.Deployment.Internal.CodeSigning.SignedCmiManifest(manifestDom); manifest.Verify(System.Deployment.Internal.CodeSigning.CmiManifestVerifyFlags.None); } catch (Exception exception) { if (!(exception is CryptographicException) || (manifest.AuthenticodeSignerInfo == null)) { return false; } int errorCode = manifest.AuthenticodeSignerInfo.ErrorCode; switch (errorCode) { case -2146762479: case -2146885616: distrustedPublisher = true; return true; } if (errorCode != -2146762748) { noCertificate = true; } return true; } finally { if (((manifest != null) && (manifest.AuthenticodeSignerInfo != null)) && (manifest.AuthenticodeSignerInfo.SignerChain != null)) { parsedData.Certificate = manifest.AuthenticodeSignerInfo.SignerChain.ChainElements[0].Certificate; parsedData.AuthenticodedPublisher = parsedData.Certificate.GetNameInfo(X509NameType.SimpleName, false); } } if ((manifest == null) || (manifest.AuthenticodeSignerInfo == null)) { noCertificate = true; } else { trustedPublisher = true; } return true; }
private unsafe string VerifyPublicKeyToken() { XmlNamespaceManager nsmgr = new XmlNamespaceManager(this.m_manifestDom.NameTable); nsmgr.AddNamespace("asm", "urn:schemas-microsoft-com:asm.v1"); nsmgr.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#"); XmlElement xmlElement1 = this.m_manifestDom.SelectSingleNode("asm:assembly/ds:Signature/ds:KeyInfo/ds:KeyValue/ds:RSAKeyValue/ds:Modulus", nsmgr) as XmlElement; XmlElement xmlElement2 = this.m_manifestDom.SelectSingleNode("asm:assembly/ds:Signature/ds:KeyInfo/ds:KeyValue/ds:RSAKeyValue/ds:Exponent", nsmgr) as XmlElement; if (xmlElement1 == null || xmlElement2 == null) { throw new CryptographicException(-2146762749); } byte[] bytes1 = Encoding.UTF8.GetBytes(xmlElement1.InnerXml); byte[] bytes2 = Encoding.UTF8.GetBytes(xmlElement2.InnerXml); string publicKeyToken1 = SignedCmiManifest.GetPublicKeyToken(this.m_manifestDom); byte[] bytes3 = SignedCmiManifest.HexStringToBytes(publicKeyToken1); byte[] bytes4; fixed(byte *numPtr1 = bytes1) fixed(byte *numPtr2 = bytes2) { Win32.CRYPT_DATA_BLOB pModulusBlob = new Win32.CRYPT_DATA_BLOB(); Win32.CRYPT_DATA_BLOB pExponentBlob = new Win32.CRYPT_DATA_BLOB(); IntPtr ppwszPublicKeyToken = new IntPtr(); pModulusBlob.cbData = (uint)bytes1.Length; pModulusBlob.pbData = new IntPtr((void *)numPtr1); pExponentBlob.cbData = (uint)bytes2.Length; pExponentBlob.pbData = new IntPtr((void *)numPtr2); int publicKeyToken2 = Win32._AxlRSAKeyValueToPublicKeyToken(ref pModulusBlob, ref pExponentBlob, out ppwszPublicKeyToken); if (publicKeyToken2 != 0) { throw new CryptographicException(publicKeyToken2); } bytes4 = SignedCmiManifest.HexStringToBytes(Marshal.PtrToStringUni(ppwszPublicKeyToken)); Win32.HeapFree(Win32.GetProcessHeap(), 0U, ppwszPublicKeyToken); } if (bytes3.Length == 0 || bytes3.Length != bytes4.Length) { throw new CryptographicException(-2146762485); } for (int index = 0; index < bytes3.Length; ++index) { if ((int)bytes3[index] != (int)bytes4[index]) { throw new CryptographicException(-2146762485); } } return(publicKeyToken1); }
private static byte[] HexStringToBytes(string hexString) { uint num = (uint)hexString.Length / 2U; byte[] numArray = new byte[(int)num]; int index1 = hexString.Length - 2; for (int index2 = 0; (long)index2 < (long)num; ++index2) { numArray[index2] = (byte)((uint)SignedCmiManifest.HexToByte(hexString[index1]) << 4 | (uint)SignedCmiManifest.HexToByte(hexString[index1 + 1])); index1 -= 2; } return(numArray); }
internal void Sign(CmiManifestSigner signer, string timeStampUrl) { this.m_strongNameSignerInfo = (CmiStrongNameSignerInfo)null; this.m_authenticodeSignerInfo = (CmiAuthenticodeSignerInfo)null; if (signer == null || signer.StrongNameKey == null) { throw new ArgumentNullException("signer"); } SignedCmiManifest.RemoveExistingSignature(this.m_manifestDom); if ((signer.Flag & CmiManifestSignerFlag.DontReplacePublicKeyToken) == CmiManifestSignerFlag.None) { SignedCmiManifest.ReplacePublicKeyToken(this.m_manifestDom, signer.StrongNameKey); } XmlDocument licenseDom = (XmlDocument)null; if (signer.Certificate != null) { SignedCmiManifest.InsertPublisherIdentity(this.m_manifestDom, signer.Certificate); licenseDom = SignedCmiManifest.CreateLicenseDom(signer, this.ExtractPrincipalFromManifest(), SignedCmiManifest.ComputeHashFromManifest(this.m_manifestDom)); SignedCmiManifest.AuthenticodeSignLicenseDom(licenseDom, signer, timeStampUrl); } SignedCmiManifest.StrongNameSignManifestDom(this.m_manifestDom, licenseDom, signer); }
private static byte[] ComputeHashFromManifest(XmlDocument manifestDom) { return(SignedCmiManifest.ComputeHashFromManifest(manifestDom, false)); }
private void VerifyHash(XmlNamespaceManager nsm) { new XmlDocument().PreserveWhitespace = true; XmlDocument manifestDom = (XmlDocument)this.m_manifestDom.Clone(); XmlElement xmlElement1 = manifestDom.SelectSingleNode("asm:assembly/ds:Signature/ds:KeyInfo/msrel:RelData/r:license/r:grant/as:ManifestInformation", nsm) as XmlElement; if (xmlElement1 == null) { throw new CryptographicException(-2146762749); } if (!xmlElement1.HasAttribute("Hash")) { throw new CryptographicException(-2146762749); } string attribute = xmlElement1.GetAttribute("Hash"); if (attribute == null || attribute.Length == 0) { throw new CryptographicException(-2146762749); } XmlElement xmlElement2 = manifestDom.SelectSingleNode("asm:assembly/ds:Signature", nsm) as XmlElement; if (xmlElement2 == null) { throw new CryptographicException(-2146762749); } xmlElement2.ParentNode.RemoveChild((XmlNode)xmlElement2); byte[] bytes = SignedCmiManifest.HexStringToBytes(xmlElement1.GetAttribute("Hash")); byte[] hashFromManifest1 = SignedCmiManifest.ComputeHashFromManifest(manifestDom); if (bytes.Length == 0 || bytes.Length != hashFromManifest1.Length) { byte[] hashFromManifest2 = SignedCmiManifest.ComputeHashFromManifest(manifestDom, true); if (bytes.Length == 0 || bytes.Length != hashFromManifest2.Length) { throw new CryptographicException(-2146869232); } for (int index = 0; index < bytes.Length; ++index) { if ((int)bytes[index] != (int)hashFromManifest2[index]) { throw new CryptographicException(-2146869232); } } } for (int index = 0; index < bytes.Length; ++index) { if ((int)bytes[index] != (int)hashFromManifest1[index]) { byte[] hashFromManifest2 = SignedCmiManifest.ComputeHashFromManifest(manifestDom, true); if (bytes.Length == 0 || bytes.Length != hashFromManifest2.Length) { throw new CryptographicException(-2146869232); } for (index = 0; index < bytes.Length; ++index) { if ((int)bytes[index] != (int)hashFromManifest2[index]) { throw new CryptographicException(-2146869232); } } } } }
internal static CertificateStatus AnalyzeManifestCertificate(string manifestPath) { Logger.AddMethodCall("AnalyzeManifestCertificate called."); CertificateStatus unknownCertificateStatus = CertificateStatus.UnknownCertificateStatus; System.Deployment.Internal.CodeSigning.SignedCmiManifest manifest = null; try { XmlDocument manifestDom = new XmlDocument { PreserveWhitespace = true }; manifestDom.Load(manifestPath); manifest = new System.Deployment.Internal.CodeSigning.SignedCmiManifest(manifestDom); manifest.Verify(System.Deployment.Internal.CodeSigning.CmiManifestVerifyFlags.None); if ((manifest == null) || (manifest.AuthenticodeSignerInfo == null)) { unknownCertificateStatus = CertificateStatus.NoCertificate; } else { unknownCertificateStatus = CertificateStatus.TrustedPublisher; } } catch (Exception exception) { if (ExceptionUtility.IsHardException(exception)) { throw; } if ((exception is CryptographicException) && (manifest.AuthenticodeSignerInfo != null)) { switch (manifest.AuthenticodeSignerInfo.ErrorCode) { case -2146762479: unknownCertificateStatus = CertificateStatus.DistrustedPublisher; goto Label_0094; case -2146885616: unknownCertificateStatus = CertificateStatus.RevokedCertificate; goto Label_0094; case -2146762748: unknownCertificateStatus = CertificateStatus.AuthenticodedNotInTrustedList; goto Label_0094; } unknownCertificateStatus = CertificateStatus.NoCertificate; } Label_0094: Logger.AddInternalState("Exception thrown : " + exception.GetType().ToString() + ":" + exception.Message); } Logger.AddInternalState("Certificate Status=" + unknownCertificateStatus.ToString()); return unknownCertificateStatus; }