private static void ProcessSignerInfo(SignedCmiManifest2 signedManifest, out bool distrustedPublisher, out bool noCertificate) { Debug.Assert(signedManifest != null); Debug.Assert(signedManifest.AuthenticodeSignerInfo != null); const int TRUST_E_REVOKED = unchecked((int)0x80092010); distrustedPublisher = false; noCertificate = false; // // AuthenticodeSignerInfo can be null if the manifest is only strong name signed // but not authenticode signed. This can happen when the strong name // signature is invalid. // int error = signedManifest.AuthenticodeSignerInfo.ErrorCode; if (error == Win32.TRUST_E_EXPLICIT_DISTRUST || error == TRUST_E_REVOKED) { distrustedPublisher = true; return; } if (error == Win32.TRUST_E_SUBJECT_NOT_TRUSTED) { // Certificate is valid but publisher is not in trusted list return; } // No certificate is equivalent to strong name signing only - run app only with user consent noCertificate = true; return; }
private static bool AnalyzeCertificate(ParsedData parsedData, MemoryStream ms, out bool distrustedPublisher, out bool trustedPublisher, out bool noCertificate) { Debug.Assert(parsedData != null); Debug.Assert(ms != null); distrustedPublisher = false; trustedPublisher = false; noCertificate = false; SignedCmiManifest2 signedManifest = null; XmlDocument deploymentManifestXmlDom = null; try { deploymentManifestXmlDom = new XmlDocument(); deploymentManifestXmlDom.PreserveWhitespace = true; deploymentManifestXmlDom.Load(ms); signedManifest = new SignedCmiManifest2(deploymentManifestXmlDom, true); signedManifest.Verify(CmiManifestVerifyFlags.None); } catch (Exception e) { if (!(e is CryptographicException)) { return false; } if (signedManifest.StrongNameSignerInfo != null && signedManifest.StrongNameSignerInfo.ErrorCode != Win32.TRUST_E_BAD_DIGEST) { if (signedManifest.AuthenticodeSignerInfo == null) { return false; } ProcessSignerInfo(signedManifest, out distrustedPublisher, out noCertificate); return true; } // try SHA1 try { signedManifest = new SignedCmiManifest2(deploymentManifestXmlDom, false); signedManifest.Verify(CmiManifestVerifyFlags.None); } catch (Exception ex) { if (!(ex is CryptographicException)) { return false; } if (signedManifest.AuthenticodeSignerInfo != null) { ProcessSignerInfo(signedManifest, out distrustedPublisher, out noCertificate); return true; } return false; } } finally { if (signedManifest != null && signedManifest.AuthenticodeSignerInfo != null && signedManifest.AuthenticodeSignerInfo.SignerChain != null) { parsedData.Certificate = signedManifest.AuthenticodeSignerInfo.SignerChain.ChainElements[0].Certificate; parsedData.AuthenticodedPublisher = parsedData.Certificate.GetNameInfo(X509NameType.SimpleName, false); } } if (signedManifest == null || signedManifest.AuthenticodeSignerInfo == null) { noCertificate = true; } else { trustedPublisher = true; } return true; }
private static void SignFileInternal(X509Certificate2 cert, Uri timestampUrl, string path, bool targetFrameworkSupportsSha256, System.Resources.ResourceManager resources) { if (cert == null) throw new ArgumentNullException("cert"); if (String.IsNullOrEmpty(path)) throw new ArgumentNullException("path"); if (!File.Exists(path)) throw new FileNotFoundException(String.Format(CultureInfo.InvariantCulture, resources.GetString("SecurityUtil.SignTargetNotFound"), path), path); bool useSha256 = UseSha256Algorithm(cert) && targetFrameworkSupportsSha256; if (PathUtil.IsPEFile(path)) { if (IsCertInStore(cert)) SignPEFile(cert, timestampUrl, path, resources, useSha256); else throw new InvalidOperationException(resources.GetString("SignFile.CertNotInStore")); } else { if (cert.PrivateKey == null) throw new InvalidOperationException(resources.GetString("SignFile.CertMissingPrivateKey")); if (cert.PrivateKey.GetType() != typeof(RSACryptoServiceProvider)) throw new ApplicationException(resources.GetString("SecurityUtil.OnlyRSACertsAreAllowed")); try { XmlDocument doc = new XmlDocument(); doc.PreserveWhitespace = true; XmlReaderSettings xrSettings = new XmlReaderSettings(); xrSettings.DtdProcessing = DtdProcessing.Ignore; using (XmlReader xr = XmlReader.Create(path, xrSettings)) { doc.Load(xr); } SignedCmiManifest2 manifest = new SignedCmiManifest2(doc, useSha256); RSACryptoServiceProvider csp; if (useSha256) { csp = SignedCmiManifest2.GetFixedRSACryptoServiceProvider(cert.PrivateKey as RSACryptoServiceProvider, useSha256); } else { csp = cert.PrivateKey as RSACryptoServiceProvider; } CmiManifestSigner2 signer = new CmiManifestSigner2(csp, cert, useSha256); if (timestampUrl == null) manifest.Sign(signer); else manifest.Sign(signer, timestampUrl.ToString()); doc.Save(path); } catch (Exception ex) { int exceptionHR = System.Runtime.InteropServices.Marshal.GetHRForException(ex); if (exceptionHR == -2147012889 || exceptionHR == -2147012867) { throw new ApplicationException(resources.GetString("SecurityUtil.TimestampUrlNotFound"), ex); } throw new ApplicationException(ex.Message, ex); } } }