/// <summary>
/// Builds the Authenticode license document for a manifest: the constant template with the
/// manifest's assemblyIdentity attributes, the manifest digest, the signer's description/URL and
/// the signing certificate's subject name filled in.
/// </summary>
/// <param name="signer">Supplies Description, DescriptionUrl and the certificate whose subject is recorded.</param>
/// <param name="principal">The manifest's assemblyIdentity element; its attributes are copied verbatim.</param>
/// <param name="hash">Digest of the manifest; written as hex, or as an empty attribute when zero-length.</param>
/// <returns>The populated (not yet signed) license document.</returns>
private static XmlDocument CreateLicenseDom(CmiManifestSigner2 signer, XmlElement principal, byte[] hash)
{
    XmlDocument dom = new XmlDocument { PreserveWhitespace = true };
    // CA3057: DoNotUseLoadXml. Suppressed since the xml being loaded is a constant defined in this file.
    dom.LoadXml(licenseTemplate);

    XmlNamespaceManager namespaces = new XmlNamespaceManager(dom.NameTable);
    namespaces.AddNamespace("r", LicenseNamespaceUri);
    namespaces.AddNamespace("as", AuthenticodeNamespaceUri);

    // The template's placeholder attributes are dropped and replaced by the principal's, one for one.
    XmlElement identity = dom.SelectSingleNode("r:license/r:grant/as:ManifestInformation/as:assemblyIdentity", namespaces) as XmlElement;
    identity.RemoveAllAttributes();
    foreach (XmlAttribute attr in principal.Attributes)
    {
        identity.SetAttribute(attr.Name, attr.Value);
    }

    // Hash is the hex-encoded manifest digest; missing description/URL become empty attributes.
    // SetAttribute escapes the values, so signer-supplied text cannot alter the XML structure.
    XmlElement info = dom.SelectSingleNode("r:license/r:grant/as:ManifestInformation", namespaces) as XmlElement;
    string hexHash = hash.Length == 0 ? "" : BytesToHexString(hash, 0, hash.Length);
    info.SetAttribute("Hash", hexHash);
    info.SetAttribute("Description", signer.Description ?? "");
    info.SetAttribute("Url", signer.DescriptionUrl ?? "");

    // The publisher is identified by the signing certificate's subject distinguished name.
    XmlElement publisher = dom.SelectSingleNode("r:license/r:grant/as:AuthenticodePublisher/as:X509SubjectName", namespaces) as XmlElement;
    publisher.InnerText = signer.Certificate.SubjectName.Name;

    return dom;
}
/// <summary>
/// Signs the manifest DOM: strong-name signature always, plus an Authenticode-signed (and optionally
/// timestamped) license embedded in the strong-name KeyInfo when the signer carries a certificate.
/// </summary>
/// <param name="signer">Must carry a StrongNameKey; Certificate is optional.</param>
/// <param name="timeStampUrl">TSA URL for the Authenticode license; null or empty skips timestamping.</param>
/// <exception cref="ArgumentNullException">signer is null or has no StrongNameKey.</exception>
internal void Sign(CmiManifestSigner2 signer, string timeStampUrl)
{
    // Forget any signer info left over from a previous Sign call.
    _strongNameSignerInfo = null;
    _authenticodeSignerInfo = null;

    // A strong-name key is mandatory; without it nothing can be signed.
    if (signer == null || signer.StrongNameKey == null)
    {
        throw new ArgumentNullException("signer");
    }

    // Strip any previous strong-name signature so we don't sign over it.
    RemoveExistingSignature(_manifestDom);

    // The publisher's public key token replaces the one in assemblyIdentity unless the signer opted out.
    bool keepPublicKeyToken = (signer.Flag & CmiManifestSignerFlag.DontReplacePublicKeyToken) != 0;
    if (!keepPublicKeyToken)
    {
        ReplacePublicKeyToken(_manifestDom, signer.StrongNameKey, _useSha256);
    }

    XmlDocument licenseDom = null;
    if (signer.Certificate != null)
    {
        // Authenticode path: <publisherIdentity /> must be in place before the manifest is hashed,
        // because the license binds that hash; the license is then signed with the certificate.
        InsertPublisherIdentity(_manifestDom, signer.Certificate);
        XmlElement principal = ExtractPrincipalFromManifest();
        byte[] manifestHash = ComputeHashFromManifest(_manifestDom, _useSha256);
        licenseDom = CreateLicenseDom(signer, principal, manifestHash);
        AuthenticodeSignLicenseDom(licenseDom, signer, timeStampUrl, _useSha256);
    }

    // The strong-name signature envelops the manifest; a non-null license rides along in its KeyInfo.
    StrongNameSignManifestDom(_manifestDom, licenseDom, signer, _useSha256);
}
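/// <summary>
/// Signs a file in place: PE files go through the platform signing API (certificate must be in a
/// store); anything else is loaded as an XML manifest and signed with XMLDSIG, then saved back to
/// <paramref name="path"/>.
/// </summary>
/// <param name="cert">Signing certificate; for manifests it must carry an RSACryptoServiceProvider private key.</param>
/// <param name="timestampUrl">TSA URL, or null to skip timestamping.</param>
/// <param name="path">File to sign; overwritten with the signed content.</param>
/// <param name="targetFrameworkSupportsSha256">Gates SHA-256 together with the certificate's capabilities.</param>
/// <param name="resources">Localized error strings.</param>
/// <exception cref="ArgumentNullException">cert is null, or path is null/empty.</exception>
/// <exception cref="FileNotFoundException">path does not exist.</exception>
/// <exception cref="InvalidOperationException">Certificate not in a store (PE) or lacking a private key (manifest).</exception>
/// <exception cref="ApplicationException">Non-RSA key, unreachable timestamp server, or any other manifest-signing failure (original exception as InnerException).</exception>
private static void SignFileInternal(X509Certificate2 cert, Uri timestampUrl, string path, bool targetFrameworkSupportsSha256, System.Resources.ResourceManager resources)
{
    // HRESULTs WinINet reports when the timestamp server cannot be reached:
    // 0x80072EE7 = ERROR_INTERNET_NAME_NOT_RESOLVED (12007), 0x80072EFD = ERROR_INTERNET_CANNOT_CONNECT (12029).
    const int HResultInternetNameNotResolved = unchecked((int)0x80072EE7);
    const int HResultInternetCannotConnect = unchecked((int)0x80072EFD);

    if (cert == null)
        throw new ArgumentNullException("cert");
    if (String.IsNullOrEmpty(path))
        throw new ArgumentNullException("path");
    if (!File.Exists(path))
        throw new FileNotFoundException(String.Format(CultureInfo.InvariantCulture, resources.GetString("SecurityUtil.SignTargetNotFound"), path), path);

    // SHA-256 only when both the certificate and the target framework can handle it.
    bool useSha256 = UseSha256Algorithm(cert) && targetFrameworkSupportsSha256;

    if (PathUtil.IsPEFile(path))
    {
        // PE signing goes through the platform API, which needs the certificate in a store.
        if (!IsCertInStore(cert))
            throw new InvalidOperationException(resources.GetString("SignFile.CertNotInStore"));
        SignPEFile(cert, timestampUrl, path, resources, useSha256);
        return;
    }

    // Everything else is treated as an XML manifest and signed in-process.
    if (cert.PrivateKey == null)
        throw new InvalidOperationException(resources.GetString("SignFile.CertMissingPrivateKey"));
    if (cert.PrivateKey.GetType() != typeof(RSACryptoServiceProvider))
        throw new ApplicationException(resources.GetString("SecurityUtil.OnlyRSACertsAreAllowed"));

    try
    {
        XmlDocument doc = new XmlDocument();
        doc.PreserveWhitespace = true;
        // The manifest on disk is untrusted input: ignore any DTD and never resolve external
        // resources, so a crafted manifest cannot trigger entity expansion or outbound fetches.
        XmlReaderSettings xrSettings = new XmlReaderSettings();
        xrSettings.DtdProcessing = DtdProcessing.Ignore;
        xrSettings.XmlResolver = null;
        using (XmlReader xr = XmlReader.Create(path, xrSettings))
        {
            doc.Load(xr);
        }

        SignedCmiManifest2 manifest = new SignedCmiManifest2(doc, useSha256);

        // A SHA-256 signature needs a CSP opened with a provider type that supports it.
        RSACryptoServiceProvider csp = cert.PrivateKey as RSACryptoServiceProvider;
        if (useSha256)
        {
            csp = SignedCmiManifest2.GetFixedRSACryptoServiceProvider(csp, useSha256);
        }

        CmiManifestSigner2 signer = new CmiManifestSigner2(csp, cert, useSha256);
        if (timestampUrl == null)
            manifest.Sign(signer);
        else
            manifest.Sign(signer, timestampUrl.ToString());

        // The signed manifest replaces the input file.
        doc.Save(path);
    }
    catch (Exception ex)
    {
        int exceptionHR = System.Runtime.InteropServices.Marshal.GetHRForException(ex);
        if (exceptionHR == HResultInternetNameNotResolved || exceptionHR == HResultInternetCannotConnect)
        {
            throw new ApplicationException(resources.GetString("SecurityUtil.TimestampUrlNotFound"), ex);
        }
        // Everything else surfaces as ApplicationException; the original is kept as InnerException.
        throw new ApplicationException(ex.Message, ex);
    }
}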
/// <summary>
/// Appends an enveloped XMLDSIG strong-name signature (Id="StrongNameSignature") under the
/// manifest's &lt;asm:assembly&gt; root. KeyInfo carries the RSA public key and, when present,
/// the whole license document.
/// </summary>
/// <param name="manifestDom">Manifest to sign; modified in place.</param>
/// <param name="licenseDom">Authenticode-signed license to embed in KeyInfo, or null.</param>
/// <param name="signer">Supplies StrongNameKey (must be an RSACryptoServiceProvider) and UseSha256.</param>
/// <param name="useSha256">Passed to GetFixedRSACryptoServiceProvider to pick a SHA-256-capable provider.</param>
/// <exception cref="NotSupportedException">StrongNameKey is not RSA, or not an RSACryptoServiceProvider.</exception>
/// <exception cref="CryptographicException">TRUST_E_SUBJECT_FORM_UNKNOWN when the manifest has no asm:assembly root.</exception>
private static void StrongNameSignManifestDom(XmlDocument manifestDom, XmlDocument licenseDom, CmiManifestSigner2 signer, bool useSha256)
{
    // Fusion only verifies RSA strong-name signatures, so anything else is rejected up front.
    RSA strongNameKey = signer.StrongNameKey as RSA;
    if (strongNameKey == null)
    {
        throw new NotSupportedException();
    }

    // The signature is appended directly under the <asm:assembly> root.
    XmlNamespaceManager namespaces = new XmlNamespaceManager(manifestDom.NameTable);
    namespaces.AddNamespace("asm", AssemblyNamespaceUri);
    XmlElement assemblyRoot = manifestDom.SelectSingleNode("asm:assembly", namespaces) as XmlElement;
    if (assemblyRoot == null)
    {
        throw new CryptographicException(Win32.TRUST_E_SUBJECT_FORM_UNKNOWN);
    }

    // This version only knows how to drive an RSACryptoServiceProvider (see GetFixedRSACryptoServiceProvider).
    if (signer.StrongNameKey.GetType() != typeof(RSACryptoServiceProvider))
    {
        throw new NotSupportedException();
    }

    // XMLDSIG engine: exclusive C14N; RSA-SHA256 when requested, otherwise SignedXml's default.
    // NOTE(review): useSha256 (parameter) selects the provider while signer.UseSha256 selects the
    // algorithm URIs; presumably the two always agree — confirm at the call site.
    ManifestSignedXml2 signedXml = new ManifestSignedXml2(assemblyRoot);
    signedXml.SigningKey = GetFixedRSACryptoServiceProvider(signer.StrongNameKey as RSACryptoServiceProvider, useSha256);
    signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
    if (signer.UseSha256)
    {
        signedXml.SignedInfo.SignatureMethod = Sha256SignatureMethodUri;
    }

    // KeyInfo: public key first, then the license document (if any). Clause order is part of the output.
    KeyInfo keyInfo = signedXml.KeyInfo;
    keyInfo.AddClause(new RSAKeyValue(strongNameKey));
    if (licenseDom != null)
    {
        keyInfo.AddClause(new KeyInfoNode(licenseDom.DocumentElement));
    }
    keyInfo.Id = "StrongNameKeyInfo";

    // Single enveloped reference over the whole document: enveloped-signature transform, then Exc-C14N.
    // KeyInfo is deliberately not referenced — the new manifest format does not sign it (DSIE).
    Reference envelopedReference = new Reference { Uri = "" };
    if (signer.UseSha256)
    {
        envelopedReference.DigestMethod = Sha256DigestMethod;
    }
    envelopedReference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
    envelopedReference.AddTransform(new XmlDsigExcC14NTransform());
    signedXml.AddReference(envelopedReference);

    signedXml.ComputeSignature();

    XmlElement signatureElement = signedXml.GetXml();
    signatureElement.SetAttribute("Id", "StrongNameSignature");
    assemblyRoot.AppendChild(signatureElement);
}
/// <summary>
/// Authenticode-signs the license document with the signer's certificate (enveloped XMLDSIG,
/// Id="AuthenticodeSignature", placed under &lt;r:issuer&gt;), optionally timestamps it, and
/// finally wraps the whole license in &lt;msrel:RelData&gt;.
/// </summary>
/// <param name="licenseDom">License built by CreateLicenseDom; modified in place.</param>
/// <param name="signer">Certificate (RSACryptoServiceProvider key pair), IncludeOption and UseSha256.</param>
/// <param name="timeStampUrl">TSA URL; null or empty skips timestamping.</param>
/// <param name="useSha256">Passed to GetFixedRSACryptoServiceProvider to pick a SHA-256-capable provider.</param>
/// <exception cref="NotSupportedException">Public or private key is not an RSACryptoServiceProvider.</exception>
private static void AuthenticodeSignLicenseDom(XmlDocument licenseDom, CmiManifestSigner2 signer, string timeStampUrl, bool useSha256)
{
    // Fusion only verifies RSA Authenticode signatures; both halves of the key pair must be CSP-backed RSA.
    X509Certificate2 certificate = signer.Certificate;
    if (certificate.PublicKey.Key.GetType() != typeof(RSACryptoServiceProvider))
    {
        throw new NotSupportedException();
    }
    if (certificate.PrivateKey.GetType() != typeof(RSACryptoServiceProvider))
    {
        throw new NotSupportedException();
    }

    // One CSP handle serves both as signing key and as the source of the RSAKeyValue public key.
    // NOTE(review): useSha256 (parameter) selects the provider while signer.UseSha256 selects the
    // algorithm URIs; presumably the two always agree — confirm at the call site.
    RSACryptoServiceProvider signingCsp = GetFixedRSACryptoServiceProvider(certificate.PrivateKey as RSACryptoServiceProvider, useSha256);

    ManifestSignedXml2 signedXml = new ManifestSignedXml2(licenseDom);
    signedXml.SigningKey = signingCsp;
    signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
    if (signer.UseSha256)
    {
        signedXml.SignedInfo.SignatureMethod = Sha256SignatureMethodUri;
    }

    // KeyInfo: the RSA public key, then the certificate (chain inclusion governed by signer.IncludeOption).
    signedXml.KeyInfo.AddClause(new RSAKeyValue(signingCsp));
    signedXml.KeyInfo.AddClause(new KeyInfoX509Data(certificate, signer.IncludeOption));

    // Enveloped reference over the license: enveloped-signature transform, then Exc-C14N.
    // An XmlLicenseTransform was once tried between the two and disabled (BUGBUG: LTA transform
    // complaining about issuer node not found).
    Reference licenseReference = new Reference { Uri = "" };
    if (signer.UseSha256)
    {
        licenseReference.DigestMethod = Sha256DigestMethod;
    }
    licenseReference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
    licenseReference.AddTransform(new XmlDsigExcC14NTransform());
    signedXml.AddReference(licenseReference);

    signedXml.ComputeSignature();

    XmlElement signatureElement = signedXml.GetXml();
    signatureElement.SetAttribute("Id", "AuthenticodeSignature");

    // The signature goes under <r:issuer>; ImportNode brings it into licenseDom before appending.
    XmlNamespaceManager namespaces = new XmlNamespaceManager(licenseDom.NameTable);
    namespaces.AddNamespace("r", LicenseNamespaceUri);
    XmlElement issuer = licenseDom.SelectSingleNode("r:license/r:issuer", namespaces) as XmlElement;
    issuer.AppendChild(licenseDom.ImportNode(signatureElement, true));

    // Countersign with a timestamp when a TSA URL was supplied.
    if (!String.IsNullOrEmpty(timeStampUrl))
    {
        TimestampSignedLicenseDom(licenseDom, timeStampUrl);
    }

    // Wrap the license in <msrel:RelData>; this becomes the DocumentElement that the strong-name
    // KeyInfo embeds. MSRelNamespaceUri is a constant and OuterXml is already serialized XML.
    licenseDom.DocumentElement.ParentNode.InnerXml =
        "<msrel:RelData xmlns:msrel=\"" + MSRelNamespaceUri + "\">" + licenseDom.OuterXml + "</msrel:RelData>";
}
/// <summary>
/// Instantiates the license template for one manifest: copies the principal's assemblyIdentity
/// attributes, records the manifest digest (hex), the signer's description and URL, and the
/// signing certificate's subject name.
/// </summary>
/// <param name="signer">Supplies Description, DescriptionUrl and Certificate.</param>
/// <param name="principal">The manifest's assemblyIdentity element.</param>
/// <param name="hash">Manifest digest; a zero-length array yields an empty Hash attribute.</param>
/// <returns>The populated, unsigned license document.</returns>
private static XmlDocument CreateLicenseDom(CmiManifestSigner2 signer, XmlElement principal, byte[] hash)
{
    const string ManifestInformationPath = "r:license/r:grant/as:ManifestInformation";
    const string AssemblyIdentityPath = ManifestInformationPath + "/as:assemblyIdentity";
    const string PublisherSubjectPath = "r:license/r:grant/as:AuthenticodePublisher/as:X509SubjectName";

    // licenseTemplate is a constant defined in this file, so LoadXml on it is safe.
    XmlDocument license = new XmlDocument();
    license.PreserveWhitespace = true;
    license.LoadXml(licenseTemplate);

    XmlNamespaceManager ns = new XmlNamespaceManager(license.NameTable);
    ns.AddNamespace("r", LicenseNamespaceUri);
    ns.AddNamespace("as", AuthenticodeNamespaceUri);

    // assemblyIdentity: discard the template's attributes and copy the principal's in order.
    XmlElement identityElement = license.SelectSingleNode(AssemblyIdentityPath, ns) as XmlElement;
    identityElement.RemoveAllAttributes();
    XmlAttributeCollection principalAttributes = principal.Attributes;
    for (int i = 0; i < principalAttributes.Count; i++)
    {
        identityElement.SetAttribute(principalAttributes[i].Name, principalAttributes[i].Value);
    }

    // ManifestInformation: hex manifest digest (empty when there is none), description and URL.
    // Values go through SetAttribute, which escapes them.
    string hashText = "";
    if (hash.Length != 0)
    {
        hashText = BytesToHexString(hash, 0, hash.Length);
    }
    string description = signer.Description;
    string descriptionUrl = signer.DescriptionUrl;
    XmlElement infoElement = license.SelectSingleNode(ManifestInformationPath, ns) as XmlElement;
    infoElement.SetAttribute("Hash", hashText);
    infoElement.SetAttribute("Description", description == null ? "" : description);
    infoElement.SetAttribute("Url", descriptionUrl == null ? "" : descriptionUrl);

    // AuthenticodePublisher: the signing certificate's subject distinguished name.
    XmlElement subjectElement = license.SelectSingleNode(PublisherSubjectPath, ns) as XmlElement;
    subjectElement.InnerText = signer.Certificate.SubjectName.Name;

    return license;
}
/// <summary>
/// Signs the manifest DOM in place. Always applies a strong-name signature; when the signer has a
/// certificate, first builds and Authenticode-signs a license (timestamped if a URL is given) that
/// is embedded in the strong-name KeyInfo.
/// </summary>
/// <param name="signer">Must carry a StrongNameKey; Certificate is optional.</param>
/// <param name="timeStampUrl">TSA URL for the license, or null/empty for no timestamp.</param>
/// <exception cref="ArgumentNullException">signer is null or its StrongNameKey is null.</exception>
internal void Sign(CmiManifestSigner2 signer, string timeStampUrl)
{
    // Start from a clean slate for the signer infos.
    _strongNameSignerInfo = null;
    _authenticodeSignerInfo = null;

    if (signer == null)
    {
        throw new ArgumentNullException("signer");
    }
    if (signer.StrongNameKey == null)
    {
        throw new ArgumentNullException("signer");
    }

    // Any earlier strong-name signature must go before the manifest is hashed and re-signed.
    RemoveExistingSignature(_manifestDom);

    // Rewrite the public key token in assemblyIdentity unless the signer asked to keep it.
    bool replaceToken = (signer.Flag & CmiManifestSignerFlag.DontReplacePublicKeyToken) == 0;
    if (replaceToken)
    {
        ReplacePublicKeyToken(_manifestDom, signer.StrongNameKey, _useSha256);
    }

    // No certificate means strong-name only: no license, no Authenticode signature, no timestamp.
    var certificate = signer.Certificate;
    XmlDocument licenseDom = null;
    if (certificate != null)
    {
        // <publisherIdentity /> has to be present before the manifest hash is taken into the license.
        InsertPublisherIdentity(_manifestDom, certificate);
        licenseDom = CreateLicenseDom(signer, ExtractPrincipalFromManifest(), ComputeHashFromManifest(_manifestDom, _useSha256));
        AuthenticodeSignLicenseDom(licenseDom, signer, timeStampUrl, _useSha256);
    }

    StrongNameSignManifestDom(_manifestDom, licenseDom, signer, _useSha256);
}
/// <summary>
/// Signs the manifest without timestamping the Authenticode license.
/// Equivalent to <c>Sign(signer, null)</c>.
/// </summary>
/// <param name="signer">Signer carrying the strong-name key and, optionally, a certificate.</param>
internal void Sign(CmiManifestSigner2 signer)
{
    Sign(signer, timeStampUrl: null);
}
/// <summary>
/// Appends an enveloped XMLDSIG strong-name signature (Id="StrongNameSignature") under the
/// manifest's &lt;asm:assembly&gt; root. KeyInfo holds the RSA public key and, when present, the
/// license document. Any RSA key is accepted; only an RSACryptoServiceProvider is re-opened for SHA-256.
/// </summary>
/// <param name="manifestDom">Manifest to sign; modified in place.</param>
/// <param name="licenseDom">Authenticode-signed license to embed in KeyInfo, or null.</param>
/// <param name="signer">Supplies StrongNameKey (must be RSA) and UseSha256.</param>
/// <param name="useSha256">Passed to GetFixedRSACryptoServiceProvider for CSP-backed keys.</param>
/// <exception cref="NotSupportedException">StrongNameKey is not an RSA key.</exception>
/// <exception cref="CryptographicException">TRUST_E_SUBJECT_FORM_UNKNOWN when there is no asm:assembly root.</exception>
private static void StrongNameSignManifestDom(XmlDocument manifestDom, XmlDocument licenseDom, CmiManifestSigner2 signer, bool useSha256)
{
    // Fusion only verifies RSA strong-name signatures; reject any other key type.
    RSA strongNameKey = signer.StrongNameKey as RSA;
    if (strongNameKey == null)
    {
        throw new NotSupportedException();
    }

    XmlNamespaceManager namespaces = new XmlNamespaceManager(manifestDom.NameTable);
    namespaces.AddNamespace("asm", AssemblyNamespaceUri);
    XmlElement assemblyRoot = manifestDom.SelectSingleNode("asm:assembly", namespaces) as XmlElement;
    if (assemblyRoot == null)
    {
        throw new CryptographicException(Win32.TRUST_E_SUBJECT_FORM_UNKNOWN);
    }

    // A CSP-backed key is re-opened with a provider type that supports SHA-256 when needed;
    // any other RSA implementation is handed to SignedXml unchanged.
    ManifestSignedXml2 signedXml = new ManifestSignedXml2(assemblyRoot);
    RSACryptoServiceProvider csp = strongNameKey as RSACryptoServiceProvider;
    signedXml.SigningKey = csp != null
        ? GetFixedRSACryptoServiceProvider(csp, useSha256)
        : strongNameKey;

    // Exclusive C14N throughout. SHA-1 is the legacy choice kept for older targets and is no longer
    // considered collision-resistant; callers opt into SHA-256 through signer.UseSha256.
    // NOTE(review): useSha256 (parameter) and signer.UseSha256 are presumably always equal — confirm.
    bool sha256 = signer.UseSha256;
    signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
    signedXml.SignedInfo.SignatureMethod = sha256 ? Sha256SignatureMethodUri : Sha1SignatureMethodUri;

    // KeyInfo: public key, then the license (if any). Clause order is part of the signed output.
    signedXml.KeyInfo.AddClause(new RSAKeyValue(strongNameKey));
    if (licenseDom != null)
    {
        signedXml.KeyInfo.AddClause(new KeyInfoNode(licenseDom.DocumentElement));
    }
    signedXml.KeyInfo.Id = "StrongNameKeyInfo";

    // One enveloped reference over the document: enveloped-signature transform, then Exc-C14N.
    // KeyInfo is intentionally not referenced — the new manifest format does not sign it (DSIE).
    Reference enveloped = new Reference();
    enveloped.Uri = "";
    enveloped.DigestMethod = sha256 ? Sha256DigestMethod : Sha1DigestMethod;
    enveloped.AddTransform(new XmlDsigEnvelopedSignatureTransform());
    enveloped.AddTransform(new XmlDsigExcC14NTransform());
    signedXml.AddReference(enveloped);

    signedXml.ComputeSignature();

    XmlElement signatureElement = signedXml.GetXml();
    signatureElement.SetAttribute("Id", "StrongNameSignature");
    assemblyRoot.AppendChild(signatureElement);
}
/// <summary>
/// Authenticode-signs the license with the certificate's RSA private key (enveloped XMLDSIG,
/// Id="AuthenticodeSignature", placed under &lt;r:issuer&gt;), timestamps it when a TSA URL is
/// given, and wraps the result in &lt;msrel:RelData&gt;.
/// </summary>
/// <param name="licenseDom">License built by CreateLicenseDom; modified in place.</param>
/// <param name="signer">Certificate with an RSA private key, IncludeOption and UseSha256.</param>
/// <param name="timeStampUrl">TSA URL; null or empty skips timestamping.</param>
/// <param name="useSha256">Passed to GetFixedRSACryptoServiceProvider for CSP-backed keys.</param>
/// <exception cref="NotSupportedException">No RSA private key could be obtained from the certificate.</exception>
private static void AuthenticodeSignLicenseDom(XmlDocument licenseDom, CmiManifestSigner2 signer, string timeStampUrl, bool useSha256)
{
    // Fusion only verifies RSA Authenticode signatures. CngLightup is presumably the shim that
    // yields an RSA object for both CSP- and CNG-backed certificates — confirm against its definition.
    RSA privateKey = CngLightup.GetRSAPrivateKey(signer.Certificate);
    if (privateKey == null)
    {
        throw new NotSupportedException();
    }

    // Only a CSP key needs its provider type fixed up for SHA-256; other RSA implementations are used as-is.
    RSACryptoServiceProvider cspKey = privateKey as RSACryptoServiceProvider;
    RSA signingKey = privateKey;
    if (cspKey != null)
    {
        signingKey = GetFixedRSACryptoServiceProvider(cspKey, useSha256);
    }

    // Exclusive C14N; SHA-1 is the legacy algorithm and is no longer considered collision-resistant,
    // callers select SHA-256 via signer.UseSha256.
    // NOTE(review): useSha256 (parameter) and signer.UseSha256 are presumably always equal — confirm.
    bool sha256 = signer.UseSha256;
    ManifestSignedXml2 signedXml = new ManifestSignedXml2(licenseDom);
    signedXml.SigningKey = signingKey;
    signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
    signedXml.SignedInfo.SignatureMethod = sha256 ? Sha256SignatureMethodUri : Sha1SignatureMethodUri;

    // KeyInfo: the RSA public key, then the certificate (chain inclusion per signer.IncludeOption).
    signedXml.KeyInfo.AddClause(new RSAKeyValue(signingKey));
    signedXml.KeyInfo.AddClause(new KeyInfoX509Data(signer.Certificate, signer.IncludeOption));

    // Enveloped reference over the license: enveloped-signature transform, then Exc-C14N.
    // (An XmlLicenseTransform between the two was disabled: LTA transform complained about the issuer node not found.)
    Reference licenseReference = new Reference();
    licenseReference.Uri = "";
    licenseReference.DigestMethod = sha256 ? Sha256DigestMethod : Sha1DigestMethod;
    licenseReference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
    licenseReference.AddTransform(new XmlDsigExcC14NTransform());
    signedXml.AddReference(licenseReference);

    signedXml.ComputeSignature();

    XmlElement signatureElement = signedXml.GetXml();
    signatureElement.SetAttribute("Id", "AuthenticodeSignature");

    // The signature goes under <r:issuer>; ImportNode brings it into licenseDom before appending.
    XmlNamespaceManager namespaces = new XmlNamespaceManager(licenseDom.NameTable);
    namespaces.AddNamespace("r", LicenseNamespaceUri);
    XmlElement issuer = licenseDom.SelectSingleNode("r:license/r:issuer", namespaces) as XmlElement;
    issuer.AppendChild(licenseDom.ImportNode(signatureElement, true));

    // Countersign with a timestamp when a TSA URL was supplied.
    if (!String.IsNullOrEmpty(timeStampUrl))
    {
        TimestampSignedLicenseDom(licenseDom, timeStampUrl);
    }

    // Wrap the license in <msrel:RelData>, which becomes the DocumentElement embedded by the
    // strong-name KeyInfo. MSRelNamespaceUri is a constant and OuterXml is already serialized XML.
    licenseDom.DocumentElement.ParentNode.InnerXml = String.Concat(
        "<msrel:RelData xmlns:msrel=\"", MSRelNamespaceUri, "\">", licenseDom.OuterXml, "</msrel:RelData>");
}
/// <summary>
/// Convenience overload: signs the manifest with no timestamp URL, so the Authenticode
/// license (if any) is not countersigned by a TSA.
/// </summary>
/// <param name="signer">Signer carrying the strong-name key and, optionally, a certificate.</param>
internal void Sign(CmiManifestSigner2 signer)
{
    string noTimestamp = null;
    Sign(signer, noTimestamp);
}