private unsafe void VerifyLicense(CmiManifestVerifyFlags verifyFlags, bool oldFormat)
{
XmlNamespaceManager namespaceManager = new XmlNamespaceManager(this.m_manifestDom.NameTable);
namespaceManager.AddNamespace("asm", "urn:schemas-microsoft-com:asm.v1");
namespaceManager.AddNamespace("asm2", "urn:schemas-microsoft-com:asm.v2");
namespaceManager.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#");
namespaceManager.AddNamespace("msrel", "http://schemas.microsoft.com/windows/rel/2005/reldata");
namespaceManager.AddNamespace("r", "urn:mpeg:mpeg21:2003:01-REL-R-NS");
namespaceManager.AddNamespace("as", "http://schemas.microsoft.com/windows/pki/2005/Authenticode");
XmlElement xmlElement = this.m_manifestDom.SelectSingleNode("asm:assembly/ds:Signature/ds:KeyInfo/msrel:RelData/r:license", namespaceManager) as XmlElement;
if (xmlElement == null)
{
return;
}
this.VerifyAssemblyIdentity(namespaceManager);
this.m_authenticodeSignerInfo = new CmiAuthenticodeSignerInfo(-2146762485);
byte[] bytes = Encoding.UTF8.GetBytes(xmlElement.OuterXml);
fixed(byte *numPtr = bytes)
{
Win32.AXL_SIGNER_INFO pSignerInfo = new Win32.AXL_SIGNER_INFO();
pSignerInfo.cbSize = (uint)Marshal.SizeOf(typeof(Win32.AXL_SIGNER_INFO));
Win32.AXL_TIMESTAMPER_INFO pTimestamperInfo = new Win32.AXL_TIMESTAMPER_INFO();
pTimestamperInfo.cbSize = (uint)Marshal.SizeOf(typeof(Win32.AXL_TIMESTAMPER_INFO));
Win32.CRYPT_DATA_BLOB pLicenseBlob = new Win32.CRYPT_DATA_BLOB();
IntPtr num = new IntPtr((void *)numPtr);
pLicenseBlob.cbData = (uint)bytes.Length;
pLicenseBlob.pbData = num;
int hr = Win32.CertVerifyAuthenticodeLicense(ref pLicenseBlob, (uint)verifyFlags, out pSignerInfo, out pTimestamperInfo);
if (-2146762496 != (int)pSignerInfo.dwError)
{
this.m_authenticodeSignerInfo = new CmiAuthenticodeSignerInfo(pSignerInfo, pTimestamperInfo);
}
Win32.CertFreeAuthenticodeSignerInfo(ref pSignerInfo);
Win32.CertFreeAuthenticodeTimestamperInfo(ref pTimestamperInfo);
if (hr != 0)
{
throw new CryptographicException(hr);
}
}
if (oldFormat)
{
return;
}
this.VerifyPublisherIdentity(namespaceManager);
}
internal void Sign(CmiManifestSigner signer, string timeStampUrl)
{
this.m_strongNameSignerInfo = (CmiStrongNameSignerInfo)null;
this.m_authenticodeSignerInfo = (CmiAuthenticodeSignerInfo)null;
if (signer == null || signer.StrongNameKey == null)
{
throw new ArgumentNullException("signer");
}
SignedCmiManifest.RemoveExistingSignature(this.m_manifestDom);
if ((signer.Flag & CmiManifestSignerFlag.DontReplacePublicKeyToken) == CmiManifestSignerFlag.None)
{
SignedCmiManifest.ReplacePublicKeyToken(this.m_manifestDom, signer.StrongNameKey);
}
XmlDocument licenseDom = (XmlDocument)null;
if (signer.Certificate != null)
{
SignedCmiManifest.InsertPublisherIdentity(this.m_manifestDom, signer.Certificate);
licenseDom = SignedCmiManifest.CreateLicenseDom(signer, this.ExtractPrincipalFromManifest(), SignedCmiManifest.ComputeHashFromManifest(this.m_manifestDom));
SignedCmiManifest.AuthenticodeSignLicenseDom(licenseDom, signer, timeStampUrl);
}
SignedCmiManifest.StrongNameSignManifestDom(this.m_manifestDom, licenseDom, signer);
}
internal void Sign(CmiManifestSigner2 signer, string timeStampUrl)
{
// Reset signer infos.
_strongNameSignerInfo = null;
_authenticodeSignerInfo = null;
// Signer cannot be null.
if (signer == null || signer.StrongNameKey == null)
{
throw new ArgumentNullException("signer");
}
// Remove existing SN signature.
RemoveExistingSignature(_manifestDom);
// Replace public key token in assemblyIdentity if requested.
if ((signer.Flag & CmiManifestSignerFlag.DontReplacePublicKeyToken) == 0)
{
ReplacePublicKeyToken(_manifestDom, signer.StrongNameKey, _useSha256);
}
// No cert means don't Authenticode sign and timestamp.
XmlDocument licenseDom = null;
if (signer.Certificate != null)
{
// Yes. We will Authenticode sign, so first insert <publisherIdentity />
// element, if necessary.
InsertPublisherIdentity(_manifestDom, signer.Certificate);
// Now create the license DOM, and then sign it.
licenseDom = CreateLicenseDom(signer, ExtractPrincipalFromManifest(), ComputeHashFromManifest(_manifestDom, _useSha256));
AuthenticodeSignLicenseDom(licenseDom, signer, timeStampUrl, _useSha256);
}
StrongNameSignManifestDom(_manifestDom, licenseDom, signer, _useSha256);
}
//
// Privates.
//
private void VerifyLicense(CmiManifestVerifyFlags verifyFlags, bool oldFormat)
{
XmlNamespaceManager nsm = new XmlNamespaceManager(_manifestDom.NameTable);
nsm.AddNamespace("asm", AssemblyNamespaceUri);
nsm.AddNamespace("asm2", AssemblyV2NamespaceUri);
nsm.AddNamespace("ds", SignedXml.XmlDsigNamespaceUrl);
nsm.AddNamespace("msrel", MSRelNamespaceUri);
nsm.AddNamespace("r", LicenseNamespaceUri);
nsm.AddNamespace("as", AuthenticodeNamespaceUri);
// We are done if no license.
XmlElement licenseNode = _manifestDom.SelectSingleNode("asm:assembly/ds:Signature/ds:KeyInfo/msrel:RelData/r:license", nsm) as XmlElement;
if (licenseNode == null)
{
return;
}
// Make sure this license is for this manifest.
VerifyAssemblyIdentity(nsm);
// Found a license, so instantiate signer info property.
_authenticodeSignerInfo = new CmiAuthenticodeSignerInfo(Win32.TRUST_E_FAIL);
unsafe
{
byte[] licenseXml = Encoding.UTF8.GetBytes(licenseNode.OuterXml);
fixed (byte* pbLicense = licenseXml)
{
Win32.AXL_SIGNER_INFO signerInfo = new Win32.AXL_SIGNER_INFO();
signerInfo.cbSize = (uint)Marshal.SizeOf<Win32.AXL_SIGNER_INFO>();
Win32.AXL_TIMESTAMPER_INFO timestamperInfo = new Win32.AXL_TIMESTAMPER_INFO();
timestamperInfo.cbSize = (uint)Marshal.SizeOf<Win32.AXL_TIMESTAMPER_INFO>();
Win32.CRYPT_DATA_BLOB licenseBlob = new Win32.CRYPT_DATA_BLOB();
IntPtr pvLicense = new IntPtr(pbLicense);
licenseBlob.cbData = (uint)licenseXml.Length;
licenseBlob.pbData = pvLicense;
int hr = Win32.CertVerifyAuthenticodeLicense(ref licenseBlob, (uint)verifyFlags, ref signerInfo, ref timestamperInfo);
if (Win32.TRUST_E_NOSIGNATURE != (int)signerInfo.dwError)
{
_authenticodeSignerInfo = new CmiAuthenticodeSignerInfo(signerInfo, timestamperInfo);
}
Win32.CertFreeAuthenticodeSignerInfo(ref signerInfo);
Win32.CertFreeAuthenticodeTimestamperInfo(ref timestamperInfo);
if (hr != Win32.S_OK)
{
throw new CryptographicException(hr);
}
}
}
if (!oldFormat)
// Make sure we have the intended Authenticode signer.
VerifyPublisherIdentity(nsm);
}
// throw cryptographic exception for any verification errors.
internal void Verify(CmiManifestVerifyFlags verifyFlags)
{
// Reset signer infos.
_strongNameSignerInfo = null;
_authenticodeSignerInfo = null;
XmlNamespaceManager nsm = new XmlNamespaceManager(_manifestDom.NameTable);
nsm.AddNamespace("ds", SignedXml.XmlDsigNamespaceUrl);
XmlElement signatureNode = _manifestDom.SelectSingleNode("//ds:Signature", nsm) as XmlElement;
if (signatureNode == null)
{
throw new CryptographicException(Win32.TRUST_E_NOSIGNATURE);
}
// Make sure it is indeed SN signature, and it is an enveloped signature.
string snIdName = "Id";
if (!signatureNode.HasAttribute(snIdName))
{
snIdName = "id";
if (!signatureNode.HasAttribute(snIdName))
{
snIdName = "ID";
if (!signatureNode.HasAttribute(snIdName))
{
throw new CryptographicException(Win32.TRUST_E_SUBJECT_FORM_UNKNOWN);
}
}
}
string snIdValue = signatureNode.GetAttribute(snIdName);
if (snIdValue == null ||
String.Compare(snIdValue, "StrongNameSignature", StringComparison.Ordinal) != 0)
{
throw new CryptographicException(Win32.TRUST_E_SUBJECT_FORM_UNKNOWN);
}
// Make sure it is indeed an enveloped signature.
bool oldFormat = false;
bool validFormat = false;
XmlNodeList referenceNodes = signatureNode.SelectNodes("ds:SignedInfo/ds:Reference", nsm);
foreach (XmlNode referenceNode in referenceNodes)
{
XmlElement reference = referenceNode as XmlElement;
if (reference != null && reference.HasAttribute("URI"))
{
string uriValue = reference.GetAttribute("URI");
if (uriValue != null)
{
// We expect URI="" (empty URI value which means to hash the entire document).
if (uriValue.Length == 0)
{
XmlNode transformsNode = reference.SelectSingleNode("ds:Transforms", nsm);
if (transformsNode == null)
{
throw new CryptographicException(Win32.TRUST_E_SUBJECT_FORM_UNKNOWN);
}
// Make sure the transforms are what we expected.
XmlNodeList transforms = transformsNode.SelectNodes("ds:Transform", nsm);
if (transforms.Count < 2)
{
// We expect at least:
// <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
// <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
throw new CryptographicException(Win32.TRUST_E_SUBJECT_FORM_UNKNOWN);
}
bool c14 = false;
bool enveloped = false;
for (int i = 0; i < transforms.Count; i++)
{
XmlElement transform = transforms[i] as XmlElement;
string algorithm = transform.GetAttribute("Algorithm");
if (algorithm == null)
{
break;
}
else if (String.Compare(algorithm, SignedXml.XmlDsigExcC14NTransformUrl, StringComparison.Ordinal) != 0)
{
c14 = true;
if (enveloped)
{
validFormat = true;
break;
}
}
else if (String.Compare(algorithm, SignedXml.XmlDsigEnvelopedSignatureTransformUrl, StringComparison.Ordinal) != 0)
{
enveloped = true;
if (c14)
{
validFormat = true;
break;
}
}
}
}
else if (String.Compare(uriValue, "#StrongNameKeyInfo", StringComparison.Ordinal) == 0)
{
oldFormat = true;
XmlNode transformsNode = referenceNode.SelectSingleNode("ds:Transforms", nsm);
if (transformsNode == null)
{
throw new CryptographicException(Win32.TRUST_E_SUBJECT_FORM_UNKNOWN);
}
// Make sure the transforms are what we expected.
XmlNodeList transforms = transformsNode.SelectNodes("ds:Transform", nsm);
if (transforms.Count < 1)
{
// We expect at least:
// <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
throw new CryptographicException(Win32.TRUST_E_SUBJECT_FORM_UNKNOWN);
}
for (int i = 0; i < transforms.Count; i++)
{
XmlElement transform = transforms[i] as XmlElement;
string algorithm = transform.GetAttribute("Algorithm");
if (algorithm == null)
{
break;
}
else if (String.Compare(algorithm, SignedXml.XmlDsigExcC14NTransformUrl, StringComparison.Ordinal) != 0)
{
validFormat = true;
break;
}
}
}
}
}
}
if (!validFormat)
{
throw new CryptographicException(Win32.TRUST_E_SUBJECT_FORM_UNKNOWN);
}
// It is the DSig we want, now make sure the public key matches the token.
string publicKeyToken = VerifyPublicKeyToken();
// OK. We found the SN signature with matching public key token, so
// instantiate the SN signer info property.
_strongNameSignerInfo = new CmiStrongNameSignerInfo(Win32.TRUST_E_FAIL, publicKeyToken);
// Now verify the SN signature, and Authenticode license if available.
ManifestSignedXml signedXml = new ManifestSignedXml(_manifestDom, true);
signedXml.LoadXml(signatureNode);
AsymmetricAlgorithm key = null;
bool dsigValid = signedXml.CheckSignatureReturningKey(out key);
_strongNameSignerInfo.PublicKey = key;
if (!dsigValid)
{
_strongNameSignerInfo.ErrorCode = Win32.TRUST_E_BAD_DIGEST;
throw new CryptographicException(Win32.TRUST_E_BAD_DIGEST);
}
// Verify license as well if requested.
if ((verifyFlags & CmiManifestVerifyFlags.StrongNameOnly) != CmiManifestVerifyFlags.StrongNameOnly)
{
VerifyLicense(verifyFlags, oldFormat);
}
}
internal void Sign(CmiManifestSigner signer, string timeStampUrl)
{
// Reset signer infos.
_strongNameSignerInfo = null;
_authenticodeSignerInfo = null;
// Signer cannot be null.
if (signer == null || signer.StrongNameKey == null)
{
throw new ArgumentNullException("signer");
}
// Remove existing SN signature.
RemoveExistingSignature(_manifestDom);
// Replace public key token in assemblyIdentity if requested.
if ((signer.Flag & CmiManifestSignerFlag.DontReplacePublicKeyToken) == 0)
{
ReplacePublicKeyToken(_manifestDom, signer.StrongNameKey);
}
// No cert means don't Authenticode sign and timestamp.
XmlDocument licenseDom = null;
if (signer.Certificate != null)
{
// Yes. We will Authenticode sign, so first insert <publisherIdentity />
// element, if necessary.
InsertPublisherIdentity(_manifestDom, signer.Certificate);
// Now create the license DOM, and then sign it.
licenseDom = CreateLicenseDom(signer, ExtractPrincipalFromManifest(), ComputeHashFromManifest(_manifestDom));
AuthenticodeSignLicenseDom(licenseDom, signer, timeStampUrl);
}
StrongNameSignManifestDom(_manifestDom, licenseDom, signer);
}
internal void Verify(CmiManifestVerifyFlags verifyFlags)
{
this.m_strongNameSignerInfo = (CmiStrongNameSignerInfo)null;
this.m_authenticodeSignerInfo = (CmiAuthenticodeSignerInfo)null;
XmlNamespaceManager nsmgr = new XmlNamespaceManager(this.m_manifestDom.NameTable);
nsmgr.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#");
XmlElement xmlElement1 = this.m_manifestDom.SelectSingleNode("//ds:Signature", nsmgr) as XmlElement;
if (xmlElement1 == null)
{
throw new CryptographicException(-2146762496);
}
string name = "Id";
if (!xmlElement1.HasAttribute(name))
{
name = "id";
if (!xmlElement1.HasAttribute(name))
{
name = "ID";
if (!xmlElement1.HasAttribute(name))
{
throw new CryptographicException(-2146762749);
}
}
}
string attribute1 = xmlElement1.GetAttribute(name);
if (attribute1 == null || string.Compare(attribute1, "StrongNameSignature", StringComparison.Ordinal) != 0)
{
throw new CryptographicException(-2146762749);
}
bool oldFormat = false;
bool flag1 = false;
foreach (XmlNode selectNode in xmlElement1.SelectNodes("ds:SignedInfo/ds:Reference", nsmgr))
{
XmlElement xmlElement2 = selectNode as XmlElement;
if (xmlElement2 != null && xmlElement2.HasAttribute("URI"))
{
string attribute2 = xmlElement2.GetAttribute("URI");
if (attribute2 != null)
{
if (attribute2.Length == 0)
{
XmlNode xmlNode = xmlElement2.SelectSingleNode("ds:Transforms", nsmgr);
if (xmlNode == null)
{
throw new CryptographicException(-2146762749);
}
XmlNodeList xmlNodeList = xmlNode.SelectNodes("ds:Transform", nsmgr);
if (xmlNodeList.Count < 2)
{
throw new CryptographicException(-2146762749);
}
bool flag2 = false;
bool flag3 = false;
for (int index = 0; index < xmlNodeList.Count; ++index)
{
string attribute3 = (xmlNodeList[index] as XmlElement).GetAttribute("Algorithm");
if (attribute3 != null)
{
if (string.Compare(attribute3, "http://www.w3.org/2001/10/xml-exc-c14n#", StringComparison.Ordinal) != 0)
{
flag2 = true;
if (flag3)
{
flag1 = true;
break;
}
}
else if (string.Compare(attribute3, "http://www.w3.org/2000/09/xmldsig#enveloped-signature", StringComparison.Ordinal) != 0)
{
flag3 = true;
if (flag2)
{
flag1 = true;
break;
}
}
}
else
{
break;
}
}
}
else if (string.Compare(attribute2, "#StrongNameKeyInfo", StringComparison.Ordinal) == 0)
{
oldFormat = true;
XmlNode xmlNode = selectNode.SelectSingleNode("ds:Transforms", nsmgr);
if (xmlNode == null)
{
throw new CryptographicException(-2146762749);
}
XmlNodeList xmlNodeList = xmlNode.SelectNodes("ds:Transform", nsmgr);
if (xmlNodeList.Count < 1)
{
throw new CryptographicException(-2146762749);
}
for (int index = 0; index < xmlNodeList.Count; ++index)
{
string attribute3 = (xmlNodeList[index] as XmlElement).GetAttribute("Algorithm");
if (attribute3 != null)
{
if (string.Compare(attribute3, "http://www.w3.org/2001/10/xml-exc-c14n#", StringComparison.Ordinal) != 0)
{
flag1 = true;
break;
}
}
else
{
break;
}
}
}
}
}
}
if (!flag1)
{
throw new CryptographicException(-2146762749);
}
this.m_strongNameSignerInfo = new CmiStrongNameSignerInfo(-2146762485, this.VerifyPublicKeyToken());
ManifestSignedXml manifestSignedXml = new ManifestSignedXml(this.m_manifestDom, true);
manifestSignedXml.LoadXml(xmlElement1);
AsymmetricAlgorithm signingKey = (AsymmetricAlgorithm)null;
bool flag4 = manifestSignedXml.CheckSignatureReturningKey(out signingKey);
this.m_strongNameSignerInfo.PublicKey = signingKey;
if (!flag4)
{
this.m_strongNameSignerInfo.ErrorCode = -2146869232;
throw new CryptographicException(-2146869232);
}
if ((verifyFlags & CmiManifestVerifyFlags.StrongNameOnly) == CmiManifestVerifyFlags.StrongNameOnly)
{
return;
}
this.VerifyLicense(verifyFlags, oldFormat);
}
// can be used with sha1 or sha2
// logic is copied from the "isolation library" in NDP\iso_whid\ds\security\cryptoapi\pkisign\msaxlapi\mansign.cpp
private void VerifyLicenseNew(CmiManifestVerifyFlags verifyFlags, bool oldFormat)
{
XmlNamespaceManager nsm = new XmlNamespaceManager(_manifestDom.NameTable);
nsm.AddNamespace("asm", AssemblyNamespaceUri);
nsm.AddNamespace("asm2", AssemblyV2NamespaceUri);
nsm.AddNamespace("ds", SignedXml.XmlDsigNamespaceUrl);
nsm.AddNamespace("msrel", MSRelNamespaceUri);
nsm.AddNamespace("r", LicenseNamespaceUri);
nsm.AddNamespace("as", AuthenticodeNamespaceUri);
// We are done if no license.
XmlElement licenseNode = _manifestDom.SelectSingleNode("asm:assembly/ds:Signature/ds:KeyInfo/msrel:RelData/r:license", nsm) as XmlElement;
if (licenseNode == null)
{
return;
}
// Make sure this license is for this manifest.
VerifyAssemblyIdentity(nsm);
// Found a license, so instantiate signer info property.
_authenticodeSignerInfo = new CmiAuthenticodeSignerInfo(Win32.TRUST_E_FAIL);
// Find the license's signature
XmlElement signatureNode = licenseNode.SelectSingleNode("//r:issuer/ds:Signature", nsm) as XmlElement;
if (signatureNode == null)
{
throw new CryptographicException(Win32.TRUST_E_NOSIGNATURE);
}
// Make sure it is indeed an Authenticode signature, and it is an enveloped signature.
// Then make sure the transforms are valid.
VerifySignatureForm(signatureNode, "AuthenticodeSignature", nsm);
// Now read the enveloped license signature.
XmlDocument licenseDom = new XmlDocument();
licenseDom.LoadXml(licenseNode.OuterXml);
signatureNode = licenseDom.SelectSingleNode("//r:issuer/ds:Signature", nsm) as XmlElement;
ManifestSignedXml2 signedXml = new ManifestSignedXml2(licenseDom);
signedXml.LoadXml(signatureNode);
if (_useSha256)
{
signedXml.SignedInfo.SignatureMethod = Sha256SignatureMethodUri;
}
// Check the signature
if (!signedXml.CheckSignature())
{
_authenticodeSignerInfo = null;
throw new CryptographicException(Win32.TRUST_E_CERT_SIGNATURE);
}
X509Certificate2 signingCertificate = GetSigningCertificate(signedXml, nsm);
// First make sure certificate is not explicitly disallowed.
X509Store store = new X509Store(StoreName.Disallowed, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
X509Certificate2Collection storedCertificates = null;
try
{
storedCertificates = (X509Certificate2Collection)store.Certificates;
if (storedCertificates == null)
{
_authenticodeSignerInfo.ErrorCode = Win32.TRUST_E_FAIL;
throw new CryptographicException(Win32.TRUST_E_FAIL);
}
if (storedCertificates.Contains(signingCertificate))
{
_authenticodeSignerInfo.ErrorCode = Win32.TRUST_E_EXPLICIT_DISTRUST;
throw new CryptographicException(Win32.TRUST_E_EXPLICIT_DISTRUST);
}
}
finally
{
store.Close();
}
// prepare information for the TrustManager to display
string hash;
string description;
string url;
if (!GetManifestInformation(licenseNode, nsm, out hash, out description, out url))
{
_authenticodeSignerInfo.ErrorCode = Win32.TRUST_E_SUBJECT_FORM_UNKNOWN;
throw new CryptographicException(Win32.TRUST_E_SUBJECT_FORM_UNKNOWN);
}
_authenticodeSignerInfo.Hash = hash;
_authenticodeSignerInfo.Description = description;
_authenticodeSignerInfo.DescriptionUrl = url;
// read the timestamp from the manifest
DateTime verificationTime;
bool isTimestamped = VerifySignatureTimestamp(signatureNode, nsm, out verificationTime);
bool isLifetimeSigning = false;
if (isTimestamped)
{
isLifetimeSigning = ((verifyFlags & CmiManifestVerifyFlags.LifetimeSigning) == CmiManifestVerifyFlags.LifetimeSigning);
if (!isLifetimeSigning)
{
isLifetimeSigning = GetLifetimeSigning(signingCertificate);
}
}
// Retrieve the Authenticode policy settings from registry.
uint policies = GetAuthenticodePolicies();
X509Chain chain = new X509Chain(); // use the current user profile
chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
if ((CmiManifestVerifyFlags.RevocationCheckEndCertOnly & verifyFlags) == CmiManifestVerifyFlags.RevocationCheckEndCertOnly)
{
chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EndCertificateOnly;
}
else if ((CmiManifestVerifyFlags.RevocationCheckEntireChain & verifyFlags) == CmiManifestVerifyFlags.RevocationCheckEntireChain)
{
chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
}
else if (((CmiManifestVerifyFlags.RevocationNoCheck & verifyFlags) == CmiManifestVerifyFlags.RevocationNoCheck) ||
((Win32.WTPF_IGNOREREVOKATION & policies) == Win32.WTPF_IGNOREREVOKATION))
{
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
}
chain.ChainPolicy.VerificationTime = verificationTime; // local time
if (isTimestamped && isLifetimeSigning)
{
chain.ChainPolicy.ApplicationPolicy.Add(new Oid(Win32.szOID_KP_LIFETIME_SIGNING));
}
chain.ChainPolicy.UrlRetrievalTimeout = new TimeSpan(0, 1, 0);
chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag; // don't ignore anything
bool chainIsValid = chain.Build(signingCertificate);
if (!chainIsValid)
{
#if DEBUG
X509ChainStatus[] statuses = chain.ChainStatus;
foreach (X509ChainStatus status in statuses)
{
System.Diagnostics.Debug.WriteLine("flag = " + status.Status + " " + status.StatusInformation);
}
#endif
AuthenticodeSignerInfo.ErrorCode = Win32.TRUST_E_SUBJECT_NOT_TRUSTED;
throw new CryptographicException(Win32.TRUST_E_SUBJECT_NOT_TRUSTED);
}
// package information for the trust manager
_authenticodeSignerInfo.SignerChain = chain;
store = new X509Store(StoreName.TrustedPublisher, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
try
{
storedCertificates = (X509Certificate2Collection)store.Certificates;
if (storedCertificates == null)
{
_authenticodeSignerInfo.ErrorCode = Win32.TRUST_E_FAIL;
throw new CryptographicException(Win32.TRUST_E_FAIL);
}
if (!storedCertificates.Contains(signingCertificate))
{
AuthenticodeSignerInfo.ErrorCode = Win32.TRUST_E_SUBJECT_NOT_TRUSTED;
throw new CryptographicException(Win32.TRUST_E_SUBJECT_NOT_TRUSTED);
}
}
finally
{
store.Close();
}
// Verify Certificate publisher name
XmlElement subjectNode = licenseNode.SelectSingleNode("r:grant/as:AuthenticodePublisher/as:X509SubjectName", nsm) as XmlElement;
if (subjectNode == null || String.Compare(signingCertificate.Subject, subjectNode.InnerText, StringComparison.Ordinal) != 0)
{
AuthenticodeSignerInfo.ErrorCode = Win32.TRUST_E_CERT_SIGNATURE;
throw new CryptographicException(Win32.TRUST_E_CERT_SIGNATURE);
}
if (!oldFormat)
// Make sure we have the intended Authenticode signer.
VerifyPublisherIdentity(nsm);
}
// throw cryptographic exception for any verification errors.
internal void Verify(CmiManifestVerifyFlags verifyFlags)
{
// Reset signer infos.
_strongNameSignerInfo = null;
_authenticodeSignerInfo = null;
XmlNamespaceManager nsm = new XmlNamespaceManager(_manifestDom.NameTable);
nsm.AddNamespace("ds", SignedXml.XmlDsigNamespaceUrl);
XmlElement signatureNode = _manifestDom.SelectSingleNode("//ds:Signature", nsm) as XmlElement;
if (signatureNode == null)
{
throw new CryptographicException(Win32.TRUST_E_NOSIGNATURE);
}
// Make sure it is indeed SN signature, and it is an enveloped signature.
bool oldFormat = VerifySignatureForm(signatureNode, "StrongNameSignature", nsm);
// It is the DSig we want, now make sure the public key matches the token.
string publicKeyToken = VerifyPublicKeyToken();
// OK. We found the SN signature with matching public key token, so
// instantiate the SN signer info property.
_strongNameSignerInfo = new CmiStrongNameSignerInfo(Win32.TRUST_E_FAIL, publicKeyToken);
// Now verify the SN signature, and Authenticode license if available.
ManifestSignedXml2 signedXml = new ManifestSignedXml2(_manifestDom, true);
signedXml.LoadXml(signatureNode);
if (_useSha256)
{
signedXml.SignedInfo.SignatureMethod = Sha256SignatureMethodUri;
}
AsymmetricAlgorithm key = null;
bool dsigValid = signedXml.CheckSignatureReturningKey(out key);
_strongNameSignerInfo.PublicKey = key;
if (!dsigValid)
{
_strongNameSignerInfo.ErrorCode = Win32.TRUST_E_BAD_DIGEST;
throw new CryptographicException(Win32.TRUST_E_BAD_DIGEST);
}
// Verify license as well if requested.
if ((verifyFlags & CmiManifestVerifyFlags.StrongNameOnly) != CmiManifestVerifyFlags.StrongNameOnly)
{
if (_useSha256)
{
VerifyLicenseNew(verifyFlags, oldFormat);
}
else
{
VerifyLicense(verifyFlags, oldFormat);
}
}
}
