private static void AuthenticodeSignLicenseDom(XmlDocument licenseDom, CmiManifestSigner signer, string timeStampUrl)
{
if (signer.Certificate.PublicKey.Key.GetType() != typeof(RSACryptoServiceProvider))
{
throw new NotSupportedException();
}
ManifestSignedXml manifestSignedXml = new ManifestSignedXml(licenseDom);
manifestSignedXml.SigningKey = signer.Certificate.PrivateKey;
manifestSignedXml.SignedInfo.CanonicalizationMethod = "http://www.w3.org/2001/10/xml-exc-c14n#";
manifestSignedXml.KeyInfo.AddClause((KeyInfoClause) new RSAKeyValue(signer.Certificate.PublicKey.Key as RSA));
manifestSignedXml.KeyInfo.AddClause((KeyInfoClause) new KeyInfoX509Data((X509Certificate)signer.Certificate, signer.IncludeOption));
Reference reference = new Reference();
reference.Uri = "";
reference.AddTransform((Transform) new XmlDsigEnvelopedSignatureTransform());
reference.AddTransform((Transform) new XmlDsigExcC14NTransform());
manifestSignedXml.AddReference(reference);
manifestSignedXml.ComputeSignature();
XmlElement xml = manifestSignedXml.GetXml();
xml.SetAttribute("Id", "AuthenticodeSignature");
XmlNamespaceManager nsmgr = new XmlNamespaceManager(licenseDom.NameTable);
nsmgr.AddNamespace("r", "urn:mpeg:mpeg21:2003:01-REL-R-NS");
(licenseDom.SelectSingleNode("r:license/r:issuer", nsmgr) as XmlElement).AppendChild(licenseDom.ImportNode((XmlNode)xml, true));
if (timeStampUrl != null && timeStampUrl.Length != 0)
{
SignedCmiManifest.TimestampSignedLicenseDom(licenseDom, timeStampUrl);
}
licenseDom.DocumentElement.ParentNode.InnerXml = "<msrel:RelData xmlns:msrel=\"http://schemas.microsoft.com/windows/rel/2005/reldata\">" + licenseDom.OuterXml + "</msrel:RelData>";
}
private static XmlDocument CreateLicenseDom(CmiManifestSigner signer, XmlElement principal, byte[] hash)
{
XmlDocument xmlDocument = new XmlDocument();
xmlDocument.PreserveWhitespace = true;
xmlDocument.LoadXml("<r:license xmlns:r=\"urn:mpeg:mpeg21:2003:01-REL-R-NS\" xmlns:as=\"http://schemas.microsoft.com/windows/pki/2005/Authenticode\"><r:grant><as:ManifestInformation><as:assemblyIdentity /></as:ManifestInformation><as:SignedBy/><as:AuthenticodePublisher><as:X509SubjectName>CN=dummy</as:X509SubjectName></as:AuthenticodePublisher></r:grant><r:issuer></r:issuer></r:license>");
XmlNamespaceManager nsmgr = new XmlNamespaceManager(xmlDocument.NameTable);
nsmgr.AddNamespace("r", "urn:mpeg:mpeg21:2003:01-REL-R-NS");
nsmgr.AddNamespace("as", "http://schemas.microsoft.com/windows/pki/2005/Authenticode");
XmlElement xmlElement1 = xmlDocument.SelectSingleNode("r:license/r:grant/as:ManifestInformation/as:assemblyIdentity", nsmgr) as XmlElement;
xmlElement1.RemoveAllAttributes();
foreach (XmlAttribute attribute in (XmlNamedNodeMap)principal.Attributes)
{
xmlElement1.SetAttribute(attribute.Name, attribute.Value);
}
XmlElement xmlElement2 = xmlDocument.SelectSingleNode("r:license/r:grant/as:ManifestInformation", nsmgr) as XmlElement;
xmlElement2.SetAttribute("Hash", hash.Length == 0 ? "" : SignedCmiManifest.BytesToHexString(hash, 0, hash.Length));
xmlElement2.SetAttribute("Description", signer.Description == null ? "" : signer.Description);
xmlElement2.SetAttribute("Url", signer.DescriptionUrl == null ? "" : signer.DescriptionUrl);
(xmlDocument.SelectSingleNode("r:license/r:grant/as:AuthenticodePublisher/as:X509SubjectName", nsmgr) as XmlElement).InnerText = signer.Certificate.SubjectName.Name;
return(xmlDocument);
}
public static void SignFile(X509Certificate2 cert, Uri timestampUrl, string path)
{
ResourceManager resources = new ResourceManager("Microsoft.Build.Tasks.Deployment.ManifestUtilities.Strings", typeof(SecurityUtilities).Module.Assembly);
if (cert == null)
{
throw new ArgumentNullException("cert");
}
if (string.IsNullOrEmpty(path))
{
throw new ArgumentNullException("path");
}
if (!File.Exists(path))
{
throw new FileNotFoundException(string.Format(CultureInfo.InvariantCulture, resources.GetString("SecurityUtil.SignTargetNotFound"), new object[] { path }), path);
}
if (PathUtil.IsPEFile(path))
{
if (!IsCertInStore(cert))
{
throw new InvalidOperationException(resources.GetString("SignFile.CertNotInStore"));
}
SignPEFile(cert, timestampUrl, path, resources);
}
else
{
if (cert.PrivateKey.GetType() != typeof(RSACryptoServiceProvider))
{
throw new ApplicationException(resources.GetString("SecurityUtil.OnlyRSACertsAreAllowed"));
}
try
{
XmlDocument manifestDom = new XmlDocument {
PreserveWhitespace = true
};
manifestDom.Load(path);
System.Deployment.Internal.CodeSigning.SignedCmiManifest manifest = new System.Deployment.Internal.CodeSigning.SignedCmiManifest(manifestDom);
System.Deployment.Internal.CodeSigning.CmiManifestSigner signer = new System.Deployment.Internal.CodeSigning.CmiManifestSigner(cert.PrivateKey, cert);
if (timestampUrl == null)
{
manifest.Sign(signer);
}
else
{
manifest.Sign(signer, timestampUrl.ToString());
}
manifestDom.Save(path);
}
catch (Exception exception)
{
int hRForException = Marshal.GetHRForException(exception);
if ((hRForException != -2147012889) && (hRForException != -2147012867))
{
throw new ApplicationException(exception.Message, exception);
}
throw new ApplicationException(resources.GetString("SecurityUtil.TimestampUrlNotFound"), exception);
}
}
}
private static bool AnalyzeCertificate(ParsedData parsedData, MemoryStream ms, out bool distrustedPublisher, out bool trustedPublisher, out bool noCertificate)
{
distrustedPublisher = false;
trustedPublisher = false;
noCertificate = false;
System.Deployment.Internal.CodeSigning.SignedCmiManifest manifest = null;
try
{
XmlDocument manifestDom = new XmlDocument {
PreserveWhitespace = true
};
manifestDom.Load(ms);
manifest = new System.Deployment.Internal.CodeSigning.SignedCmiManifest(manifestDom);
manifest.Verify(System.Deployment.Internal.CodeSigning.CmiManifestVerifyFlags.None);
}
catch (Exception exception)
{
if (!(exception is CryptographicException) || (manifest.AuthenticodeSignerInfo == null))
{
return(false);
}
int errorCode = manifest.AuthenticodeSignerInfo.ErrorCode;
switch (errorCode)
{
case -2146762479:
case -2146885616:
distrustedPublisher = true;
return(true);
}
if (errorCode != -2146762748)
{
noCertificate = true;
}
return(true);
}
finally
{
if (((manifest != null) && (manifest.AuthenticodeSignerInfo != null)) && (manifest.AuthenticodeSignerInfo.SignerChain != null))
{
parsedData.Certificate = manifest.AuthenticodeSignerInfo.SignerChain.ChainElements[0].Certificate;
parsedData.AuthenticodedPublisher = parsedData.Certificate.GetNameInfo(X509NameType.SimpleName, false);
}
}
if ((manifest == null) || (manifest.AuthenticodeSignerInfo == null))
{
noCertificate = true;
}
else
{
trustedPublisher = true;
}
return(true);
}
private static bool AnalyzeCertificate(ParsedData parsedData, MemoryStream ms, out bool distrustedPublisher, out bool trustedPublisher, out bool noCertificate)
{
distrustedPublisher = false;
trustedPublisher = false;
noCertificate = false;
System.Deployment.Internal.CodeSigning.SignedCmiManifest manifest = null;
try
{
XmlDocument manifestDom = new XmlDocument {
PreserveWhitespace = true
};
manifestDom.Load(ms);
manifest = new System.Deployment.Internal.CodeSigning.SignedCmiManifest(manifestDom);
manifest.Verify(System.Deployment.Internal.CodeSigning.CmiManifestVerifyFlags.None);
}
catch (Exception exception)
{
if (!(exception is CryptographicException) || (manifest.AuthenticodeSignerInfo == null))
{
return false;
}
int errorCode = manifest.AuthenticodeSignerInfo.ErrorCode;
switch (errorCode)
{
case -2146762479:
case -2146885616:
distrustedPublisher = true;
return true;
}
if (errorCode != -2146762748)
{
noCertificate = true;
}
return true;
}
finally
{
if (((manifest != null) && (manifest.AuthenticodeSignerInfo != null)) && (manifest.AuthenticodeSignerInfo.SignerChain != null))
{
parsedData.Certificate = manifest.AuthenticodeSignerInfo.SignerChain.ChainElements[0].Certificate;
parsedData.AuthenticodedPublisher = parsedData.Certificate.GetNameInfo(X509NameType.SimpleName, false);
}
}
if ((manifest == null) || (manifest.AuthenticodeSignerInfo == null))
{
noCertificate = true;
}
else
{
trustedPublisher = true;
}
return true;
}
private unsafe string VerifyPublicKeyToken()
{
XmlNamespaceManager nsmgr = new XmlNamespaceManager(this.m_manifestDom.NameTable);
nsmgr.AddNamespace("asm", "urn:schemas-microsoft-com:asm.v1");
nsmgr.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#");
XmlElement xmlElement1 = this.m_manifestDom.SelectSingleNode("asm:assembly/ds:Signature/ds:KeyInfo/ds:KeyValue/ds:RSAKeyValue/ds:Modulus", nsmgr) as XmlElement;
XmlElement xmlElement2 = this.m_manifestDom.SelectSingleNode("asm:assembly/ds:Signature/ds:KeyInfo/ds:KeyValue/ds:RSAKeyValue/ds:Exponent", nsmgr) as XmlElement;
if (xmlElement1 == null || xmlElement2 == null)
{
throw new CryptographicException(-2146762749);
}
byte[] bytes1 = Encoding.UTF8.GetBytes(xmlElement1.InnerXml);
byte[] bytes2 = Encoding.UTF8.GetBytes(xmlElement2.InnerXml);
string publicKeyToken1 = SignedCmiManifest.GetPublicKeyToken(this.m_manifestDom);
byte[] bytes3 = SignedCmiManifest.HexStringToBytes(publicKeyToken1);
byte[] bytes4;
fixed(byte *numPtr1 = bytes1)
fixed(byte *numPtr2 = bytes2)
{
Win32.CRYPT_DATA_BLOB pModulusBlob = new Win32.CRYPT_DATA_BLOB();
Win32.CRYPT_DATA_BLOB pExponentBlob = new Win32.CRYPT_DATA_BLOB();
IntPtr ppwszPublicKeyToken = new IntPtr();
pModulusBlob.cbData = (uint)bytes1.Length;
pModulusBlob.pbData = new IntPtr((void *)numPtr1);
pExponentBlob.cbData = (uint)bytes2.Length;
pExponentBlob.pbData = new IntPtr((void *)numPtr2);
int publicKeyToken2 = Win32._AxlRSAKeyValueToPublicKeyToken(ref pModulusBlob, ref pExponentBlob, out ppwszPublicKeyToken);
if (publicKeyToken2 != 0)
{
throw new CryptographicException(publicKeyToken2);
}
bytes4 = SignedCmiManifest.HexStringToBytes(Marshal.PtrToStringUni(ppwszPublicKeyToken));
Win32.HeapFree(Win32.GetProcessHeap(), 0U, ppwszPublicKeyToken);
}
if (bytes3.Length == 0 || bytes3.Length != bytes4.Length)
{
throw new CryptographicException(-2146762485);
}
for (int index = 0; index < bytes3.Length; ++index)
{
if ((int)bytes3[index] != (int)bytes4[index])
{
throw new CryptographicException(-2146762485);
}
}
return(publicKeyToken1);
}
private static byte[] HexStringToBytes(string hexString)
{
uint num = (uint)hexString.Length / 2U;
byte[] numArray = new byte[(int)num];
int index1 = hexString.Length - 2;
for (int index2 = 0; (long)index2 < (long)num; ++index2)
{
numArray[index2] = (byte)((uint)SignedCmiManifest.HexToByte(hexString[index1]) << 4 | (uint)SignedCmiManifest.HexToByte(hexString[index1 + 1]));
index1 -= 2;
}
return(numArray);
}
internal void Sign(CmiManifestSigner signer, string timeStampUrl)
{
this.m_strongNameSignerInfo = (CmiStrongNameSignerInfo)null;
this.m_authenticodeSignerInfo = (CmiAuthenticodeSignerInfo)null;
if (signer == null || signer.StrongNameKey == null)
{
throw new ArgumentNullException("signer");
}
SignedCmiManifest.RemoveExistingSignature(this.m_manifestDom);
if ((signer.Flag & CmiManifestSignerFlag.DontReplacePublicKeyToken) == CmiManifestSignerFlag.None)
{
SignedCmiManifest.ReplacePublicKeyToken(this.m_manifestDom, signer.StrongNameKey);
}
XmlDocument licenseDom = (XmlDocument)null;
if (signer.Certificate != null)
{
SignedCmiManifest.InsertPublisherIdentity(this.m_manifestDom, signer.Certificate);
licenseDom = SignedCmiManifest.CreateLicenseDom(signer, this.ExtractPrincipalFromManifest(), SignedCmiManifest.ComputeHashFromManifest(this.m_manifestDom));
SignedCmiManifest.AuthenticodeSignLicenseDom(licenseDom, signer, timeStampUrl);
}
SignedCmiManifest.StrongNameSignManifestDom(this.m_manifestDom, licenseDom, signer);
}
private static byte[] ComputeHashFromManifest(XmlDocument manifestDom)
{
return(SignedCmiManifest.ComputeHashFromManifest(manifestDom, false));
}
private void VerifyHash(XmlNamespaceManager nsm)
{
new XmlDocument().PreserveWhitespace = true;
XmlDocument manifestDom = (XmlDocument)this.m_manifestDom.Clone();
XmlElement xmlElement1 = manifestDom.SelectSingleNode("asm:assembly/ds:Signature/ds:KeyInfo/msrel:RelData/r:license/r:grant/as:ManifestInformation", nsm) as XmlElement;
if (xmlElement1 == null)
{
throw new CryptographicException(-2146762749);
}
if (!xmlElement1.HasAttribute("Hash"))
{
throw new CryptographicException(-2146762749);
}
string attribute = xmlElement1.GetAttribute("Hash");
if (attribute == null || attribute.Length == 0)
{
throw new CryptographicException(-2146762749);
}
XmlElement xmlElement2 = manifestDom.SelectSingleNode("asm:assembly/ds:Signature", nsm) as XmlElement;
if (xmlElement2 == null)
{
throw new CryptographicException(-2146762749);
}
xmlElement2.ParentNode.RemoveChild((XmlNode)xmlElement2);
byte[] bytes = SignedCmiManifest.HexStringToBytes(xmlElement1.GetAttribute("Hash"));
byte[] hashFromManifest1 = SignedCmiManifest.ComputeHashFromManifest(manifestDom);
if (bytes.Length == 0 || bytes.Length != hashFromManifest1.Length)
{
byte[] hashFromManifest2 = SignedCmiManifest.ComputeHashFromManifest(manifestDom, true);
if (bytes.Length == 0 || bytes.Length != hashFromManifest2.Length)
{
throw new CryptographicException(-2146869232);
}
for (int index = 0; index < bytes.Length; ++index)
{
if ((int)bytes[index] != (int)hashFromManifest2[index])
{
throw new CryptographicException(-2146869232);
}
}
}
for (int index = 0; index < bytes.Length; ++index)
{
if ((int)bytes[index] != (int)hashFromManifest1[index])
{
byte[] hashFromManifest2 = SignedCmiManifest.ComputeHashFromManifest(manifestDom, true);
if (bytes.Length == 0 || bytes.Length != hashFromManifest2.Length)
{
throw new CryptographicException(-2146869232);
}
for (index = 0; index < bytes.Length; ++index)
{
if ((int)bytes[index] != (int)hashFromManifest2[index])
{
throw new CryptographicException(-2146869232);
}
}
}
}
}
public static void SignFile(X509Certificate2 cert, Uri timestampUrl, string path)
{
ResourceManager resources = new ResourceManager("Microsoft.Build.Tasks.Deployment.ManifestUtilities.Strings", typeof(SecurityUtilities).Module.Assembly);
if (cert == null)
{
throw new ArgumentNullException("cert");
}
if (string.IsNullOrEmpty(path))
{
throw new ArgumentNullException("path");
}
if (!File.Exists(path))
{
throw new FileNotFoundException(string.Format(CultureInfo.InvariantCulture, resources.GetString("SecurityUtil.SignTargetNotFound"), new object[] { path }), path);
}
if (PathUtil.IsPEFile(path))
{
if (!IsCertInStore(cert))
{
throw new InvalidOperationException(resources.GetString("SignFile.CertNotInStore"));
}
SignPEFile(cert, timestampUrl, path, resources);
}
else
{
if (cert.PrivateKey.GetType() != typeof(RSACryptoServiceProvider))
{
throw new ApplicationException(resources.GetString("SecurityUtil.OnlyRSACertsAreAllowed"));
}
try
{
XmlDocument manifestDom = new XmlDocument {
PreserveWhitespace = true
};
manifestDom.Load(path);
System.Deployment.Internal.CodeSigning.SignedCmiManifest manifest = new System.Deployment.Internal.CodeSigning.SignedCmiManifest(manifestDom);
System.Deployment.Internal.CodeSigning.CmiManifestSigner signer = new System.Deployment.Internal.CodeSigning.CmiManifestSigner(cert.PrivateKey, cert);
if (timestampUrl == null)
{
manifest.Sign(signer);
}
else
{
manifest.Sign(signer, timestampUrl.ToString());
}
manifestDom.Save(path);
}
catch (Exception exception)
{
int hRForException = Marshal.GetHRForException(exception);
if ((hRForException != -2147012889) && (hRForException != -2147012867))
{
throw new ApplicationException(exception.Message, exception);
}
throw new ApplicationException(resources.GetString("SecurityUtil.TimestampUrlNotFound"), exception);
}
}
}
internal static CertificateStatus AnalyzeManifestCertificate(string manifestPath)
{
Logger.AddMethodCall("AnalyzeManifestCertificate called.");
CertificateStatus unknownCertificateStatus = CertificateStatus.UnknownCertificateStatus;
System.Deployment.Internal.CodeSigning.SignedCmiManifest manifest = null;
try
{
XmlDocument manifestDom = new XmlDocument {
PreserveWhitespace = true
};
manifestDom.Load(manifestPath);
manifest = new System.Deployment.Internal.CodeSigning.SignedCmiManifest(manifestDom);
manifest.Verify(System.Deployment.Internal.CodeSigning.CmiManifestVerifyFlags.None);
if ((manifest == null) || (manifest.AuthenticodeSignerInfo == null))
{
unknownCertificateStatus = CertificateStatus.NoCertificate;
}
else
{
unknownCertificateStatus = CertificateStatus.TrustedPublisher;
}
}
catch (Exception exception)
{
if (ExceptionUtility.IsHardException(exception))
{
throw;
}
if ((exception is CryptographicException) && (manifest.AuthenticodeSignerInfo != null))
{
switch (manifest.AuthenticodeSignerInfo.ErrorCode)
{
case -2146762479:
unknownCertificateStatus = CertificateStatus.DistrustedPublisher;
goto Label_0094;
case -2146885616:
unknownCertificateStatus = CertificateStatus.RevokedCertificate;
goto Label_0094;
case -2146762748:
unknownCertificateStatus = CertificateStatus.AuthenticodedNotInTrustedList;
goto Label_0094;
}
unknownCertificateStatus = CertificateStatus.NoCertificate;
}
Label_0094:
Logger.AddInternalState("Exception thrown : " + exception.GetType().ToString() + ":" + exception.Message);
}
Logger.AddInternalState("Certificate Status=" + unknownCertificateStatus.ToString());
return unknownCertificateStatus;
}
