private unsafe void VerifyLicense(CmiManifestVerifyFlags verifyFlags, bool oldFormat) { XmlNamespaceManager namespaceManager = new XmlNamespaceManager(this.m_manifestDom.NameTable); namespaceManager.AddNamespace("asm", "urn:schemas-microsoft-com:asm.v1"); namespaceManager.AddNamespace("asm2", "urn:schemas-microsoft-com:asm.v2"); namespaceManager.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#"); namespaceManager.AddNamespace("msrel", "http://schemas.microsoft.com/windows/rel/2005/reldata"); namespaceManager.AddNamespace("r", "urn:mpeg:mpeg21:2003:01-REL-R-NS"); namespaceManager.AddNamespace("as", "http://schemas.microsoft.com/windows/pki/2005/Authenticode"); XmlElement xmlElement = this.m_manifestDom.SelectSingleNode("asm:assembly/ds:Signature/ds:KeyInfo/msrel:RelData/r:license", namespaceManager) as XmlElement; if (xmlElement == null) { return; } this.VerifyAssemblyIdentity(namespaceManager); this.m_authenticodeSignerInfo = new CmiAuthenticodeSignerInfo(-2146762485); byte[] bytes = Encoding.UTF8.GetBytes(xmlElement.OuterXml); fixed(byte *numPtr = bytes) { Win32.AXL_SIGNER_INFO pSignerInfo = new Win32.AXL_SIGNER_INFO(); pSignerInfo.cbSize = (uint)Marshal.SizeOf(typeof(Win32.AXL_SIGNER_INFO)); Win32.AXL_TIMESTAMPER_INFO pTimestamperInfo = new Win32.AXL_TIMESTAMPER_INFO(); pTimestamperInfo.cbSize = (uint)Marshal.SizeOf(typeof(Win32.AXL_TIMESTAMPER_INFO)); Win32.CRYPT_DATA_BLOB pLicenseBlob = new Win32.CRYPT_DATA_BLOB(); IntPtr num = new IntPtr((void *)numPtr); pLicenseBlob.cbData = (uint)bytes.Length; pLicenseBlob.pbData = num; int hr = Win32.CertVerifyAuthenticodeLicense(ref pLicenseBlob, (uint)verifyFlags, out pSignerInfo, out pTimestamperInfo); if (-2146762496 != (int)pSignerInfo.dwError) { this.m_authenticodeSignerInfo = new CmiAuthenticodeSignerInfo(pSignerInfo, pTimestamperInfo); } Win32.CertFreeAuthenticodeSignerInfo(ref pSignerInfo); Win32.CertFreeAuthenticodeTimestamperInfo(ref pTimestamperInfo); if (hr != 0) { throw new CryptographicException(hr); } } if (oldFormat) { return; } this.VerifyPublisherIdentity(namespaceManager); }
// // Privates. // private void VerifyLicense(CmiManifestVerifyFlags verifyFlags, bool oldFormat) { XmlNamespaceManager nsm = new XmlNamespaceManager(_manifestDom.NameTable); nsm.AddNamespace("asm", AssemblyNamespaceUri); nsm.AddNamespace("asm2", AssemblyV2NamespaceUri); nsm.AddNamespace("ds", SignedXml.XmlDsigNamespaceUrl); nsm.AddNamespace("msrel", MSRelNamespaceUri); nsm.AddNamespace("r", LicenseNamespaceUri); nsm.AddNamespace("as", AuthenticodeNamespaceUri); // We are done if no license. XmlElement licenseNode = _manifestDom.SelectSingleNode("asm:assembly/ds:Signature/ds:KeyInfo/msrel:RelData/r:license", nsm) as XmlElement; if (licenseNode == null) { return; } // Make sure this license is for this manifest. VerifyAssemblyIdentity(nsm); // Found a license, so instantiate signer info property. _authenticodeSignerInfo = new CmiAuthenticodeSignerInfo(Win32.TRUST_E_FAIL); unsafe { byte[] licenseXml = Encoding.UTF8.GetBytes(licenseNode.OuterXml); fixed (byte* pbLicense = licenseXml) { Win32.AXL_SIGNER_INFO signerInfo = new Win32.AXL_SIGNER_INFO(); signerInfo.cbSize = (uint)Marshal.SizeOf<Win32.AXL_SIGNER_INFO>(); Win32.AXL_TIMESTAMPER_INFO timestamperInfo = new Win32.AXL_TIMESTAMPER_INFO(); timestamperInfo.cbSize = (uint)Marshal.SizeOf<Win32.AXL_TIMESTAMPER_INFO>(); Win32.CRYPT_DATA_BLOB licenseBlob = new Win32.CRYPT_DATA_BLOB(); IntPtr pvLicense = new IntPtr(pbLicense); licenseBlob.cbData = (uint)licenseXml.Length; licenseBlob.pbData = pvLicense; int hr = Win32.CertVerifyAuthenticodeLicense(ref licenseBlob, (uint)verifyFlags, ref signerInfo, ref timestamperInfo); if (Win32.TRUST_E_NOSIGNATURE != (int)signerInfo.dwError) { _authenticodeSignerInfo = new CmiAuthenticodeSignerInfo(signerInfo, timestamperInfo); } Win32.CertFreeAuthenticodeSignerInfo(ref signerInfo); Win32.CertFreeAuthenticodeTimestamperInfo(ref timestamperInfo); if (hr != Win32.S_OK) { throw new CryptographicException(hr); } } } if (!oldFormat) // Make sure we have the intended Authenticode signer. VerifyPublisherIdentity(nsm); }
// throw cryptographic exception for any verification errors. internal void Verify(CmiManifestVerifyFlags verifyFlags) { // Reset signer infos. _strongNameSignerInfo = null; _authenticodeSignerInfo = null; XmlNamespaceManager nsm = new XmlNamespaceManager(_manifestDom.NameTable); nsm.AddNamespace("ds", SignedXml.XmlDsigNamespaceUrl); XmlElement signatureNode = _manifestDom.SelectSingleNode("//ds:Signature", nsm) as XmlElement; if (signatureNode == null) { throw new CryptographicException(Win32.TRUST_E_NOSIGNATURE); } // Make sure it is indeed SN signature, and it is an enveloped signature. string snIdName = "Id"; if (!signatureNode.HasAttribute(snIdName)) { snIdName = "id"; if (!signatureNode.HasAttribute(snIdName)) { snIdName = "ID"; if (!signatureNode.HasAttribute(snIdName)) { throw new CryptographicException(Win32.TRUST_E_SUBJECT_FORM_UNKNOWN); } } } string snIdValue = signatureNode.GetAttribute(snIdName); if (snIdValue == null || String.Compare(snIdValue, "StrongNameSignature", StringComparison.Ordinal) != 0) { throw new CryptographicException(Win32.TRUST_E_SUBJECT_FORM_UNKNOWN); } // Make sure it is indeed an enveloped signature. bool oldFormat = false; bool validFormat = false; XmlNodeList referenceNodes = signatureNode.SelectNodes("ds:SignedInfo/ds:Reference", nsm); foreach (XmlNode referenceNode in referenceNodes) { XmlElement reference = referenceNode as XmlElement; if (reference != null && reference.HasAttribute("URI")) { string uriValue = reference.GetAttribute("URI"); if (uriValue != null) { // We expect URI="" (empty URI value which means to hash the entire document). if (uriValue.Length == 0) { XmlNode transformsNode = reference.SelectSingleNode("ds:Transforms", nsm); if (transformsNode == null) { throw new CryptographicException(Win32.TRUST_E_SUBJECT_FORM_UNKNOWN); } // Make sure the transforms are what we expected. XmlNodeList transforms = transformsNode.SelectNodes("ds:Transform", nsm); if (transforms.Count < 2) { // We expect at least: // <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> // <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> throw new CryptographicException(Win32.TRUST_E_SUBJECT_FORM_UNKNOWN); } bool c14 = false; bool enveloped = false; for (int i = 0; i < transforms.Count; i++) { XmlElement transform = transforms[i] as XmlElement; string algorithm = transform.GetAttribute("Algorithm"); if (algorithm == null) { break; } else if (String.Compare(algorithm, SignedXml.XmlDsigExcC14NTransformUrl, StringComparison.Ordinal) != 0) { c14 = true; if (enveloped) { validFormat = true; break; } } else if (String.Compare(algorithm, SignedXml.XmlDsigEnvelopedSignatureTransformUrl, StringComparison.Ordinal) != 0) { enveloped = true; if (c14) { validFormat = true; break; } } } } else if (String.Compare(uriValue, "#StrongNameKeyInfo", StringComparison.Ordinal) == 0) { oldFormat = true; XmlNode transformsNode = referenceNode.SelectSingleNode("ds:Transforms", nsm); if (transformsNode == null) { throw new CryptographicException(Win32.TRUST_E_SUBJECT_FORM_UNKNOWN); } // Make sure the transforms are what we expected. XmlNodeList transforms = transformsNode.SelectNodes("ds:Transform", nsm); if (transforms.Count < 1) { // We expect at least: // <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> throw new CryptographicException(Win32.TRUST_E_SUBJECT_FORM_UNKNOWN); } for (int i = 0; i < transforms.Count; i++) { XmlElement transform = transforms[i] as XmlElement; string algorithm = transform.GetAttribute("Algorithm"); if (algorithm == null) { break; } else if (String.Compare(algorithm, SignedXml.XmlDsigExcC14NTransformUrl, StringComparison.Ordinal) != 0) { validFormat = true; break; } } } } } } if (!validFormat) { throw new CryptographicException(Win32.TRUST_E_SUBJECT_FORM_UNKNOWN); } // It is the DSig we want, now make sure the public key matches the token. string publicKeyToken = VerifyPublicKeyToken(); // OK. We found the SN signature with matching public key token, so // instantiate the SN signer info property. _strongNameSignerInfo = new CmiStrongNameSignerInfo(Win32.TRUST_E_FAIL, publicKeyToken); // Now verify the SN signature, and Authenticode license if available. ManifestSignedXml signedXml = new ManifestSignedXml(_manifestDom, true); signedXml.LoadXml(signatureNode); AsymmetricAlgorithm key = null; bool dsigValid = signedXml.CheckSignatureReturningKey(out key); _strongNameSignerInfo.PublicKey = key; if (!dsigValid) { _strongNameSignerInfo.ErrorCode = Win32.TRUST_E_BAD_DIGEST; throw new CryptographicException(Win32.TRUST_E_BAD_DIGEST); } // Verify license as well if requested. if ((verifyFlags & CmiManifestVerifyFlags.StrongNameOnly) != CmiManifestVerifyFlags.StrongNameOnly) { VerifyLicense(verifyFlags, oldFormat); } }
internal void Verify(CmiManifestVerifyFlags verifyFlags) { this.m_strongNameSignerInfo = (CmiStrongNameSignerInfo)null; this.m_authenticodeSignerInfo = (CmiAuthenticodeSignerInfo)null; XmlNamespaceManager nsmgr = new XmlNamespaceManager(this.m_manifestDom.NameTable); nsmgr.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#"); XmlElement xmlElement1 = this.m_manifestDom.SelectSingleNode("//ds:Signature", nsmgr) as XmlElement; if (xmlElement1 == null) { throw new CryptographicException(-2146762496); } string name = "Id"; if (!xmlElement1.HasAttribute(name)) { name = "id"; if (!xmlElement1.HasAttribute(name)) { name = "ID"; if (!xmlElement1.HasAttribute(name)) { throw new CryptographicException(-2146762749); } } } string attribute1 = xmlElement1.GetAttribute(name); if (attribute1 == null || string.Compare(attribute1, "StrongNameSignature", StringComparison.Ordinal) != 0) { throw new CryptographicException(-2146762749); } bool oldFormat = false; bool flag1 = false; foreach (XmlNode selectNode in xmlElement1.SelectNodes("ds:SignedInfo/ds:Reference", nsmgr)) { XmlElement xmlElement2 = selectNode as XmlElement; if (xmlElement2 != null && xmlElement2.HasAttribute("URI")) { string attribute2 = xmlElement2.GetAttribute("URI"); if (attribute2 != null) { if (attribute2.Length == 0) { XmlNode xmlNode = xmlElement2.SelectSingleNode("ds:Transforms", nsmgr); if (xmlNode == null) { throw new CryptographicException(-2146762749); } XmlNodeList xmlNodeList = xmlNode.SelectNodes("ds:Transform", nsmgr); if (xmlNodeList.Count < 2) { throw new CryptographicException(-2146762749); } bool flag2 = false; bool flag3 = false; for (int index = 0; index < xmlNodeList.Count; ++index) { string attribute3 = (xmlNodeList[index] as XmlElement).GetAttribute("Algorithm"); if (attribute3 != null) { if (string.Compare(attribute3, "http://www.w3.org/2001/10/xml-exc-c14n#", StringComparison.Ordinal) != 0) { flag2 = true; if (flag3) { flag1 = true; break; } } else if (string.Compare(attribute3, "http://www.w3.org/2000/09/xmldsig#enveloped-signature", StringComparison.Ordinal) != 0) { flag3 = true; if (flag2) { flag1 = true; break; } } } else { break; } } } else if (string.Compare(attribute2, "#StrongNameKeyInfo", StringComparison.Ordinal) == 0) { oldFormat = true; XmlNode xmlNode = selectNode.SelectSingleNode("ds:Transforms", nsmgr); if (xmlNode == null) { throw new CryptographicException(-2146762749); } XmlNodeList xmlNodeList = xmlNode.SelectNodes("ds:Transform", nsmgr); if (xmlNodeList.Count < 1) { throw new CryptographicException(-2146762749); } for (int index = 0; index < xmlNodeList.Count; ++index) { string attribute3 = (xmlNodeList[index] as XmlElement).GetAttribute("Algorithm"); if (attribute3 != null) { if (string.Compare(attribute3, "http://www.w3.org/2001/10/xml-exc-c14n#", StringComparison.Ordinal) != 0) { flag1 = true; break; } } else { break; } } } } } } if (!flag1) { throw new CryptographicException(-2146762749); } this.m_strongNameSignerInfo = new CmiStrongNameSignerInfo(-2146762485, this.VerifyPublicKeyToken()); ManifestSignedXml manifestSignedXml = new ManifestSignedXml(this.m_manifestDom, true); manifestSignedXml.LoadXml(xmlElement1); AsymmetricAlgorithm signingKey = (AsymmetricAlgorithm)null; bool flag4 = manifestSignedXml.CheckSignatureReturningKey(out signingKey); this.m_strongNameSignerInfo.PublicKey = signingKey; if (!flag4) { this.m_strongNameSignerInfo.ErrorCode = -2146869232; throw new CryptographicException(-2146869232); } if ((verifyFlags & CmiManifestVerifyFlags.StrongNameOnly) == CmiManifestVerifyFlags.StrongNameOnly) { return; } this.VerifyLicense(verifyFlags, oldFormat); }
// can be used with sha1 or sha2 // logic is copied from the "isolation library" in NDP\iso_whid\ds\security\cryptoapi\pkisign\msaxlapi\mansign.cpp private void VerifyLicenseNew(CmiManifestVerifyFlags verifyFlags, bool oldFormat) { XmlNamespaceManager nsm = new XmlNamespaceManager(_manifestDom.NameTable); nsm.AddNamespace("asm", AssemblyNamespaceUri); nsm.AddNamespace("asm2", AssemblyV2NamespaceUri); nsm.AddNamespace("ds", SignedXml.XmlDsigNamespaceUrl); nsm.AddNamespace("msrel", MSRelNamespaceUri); nsm.AddNamespace("r", LicenseNamespaceUri); nsm.AddNamespace("as", AuthenticodeNamespaceUri); // We are done if no license. XmlElement licenseNode = _manifestDom.SelectSingleNode("asm:assembly/ds:Signature/ds:KeyInfo/msrel:RelData/r:license", nsm) as XmlElement; if (licenseNode == null) { return; } // Make sure this license is for this manifest. VerifyAssemblyIdentity(nsm); // Found a license, so instantiate signer info property. _authenticodeSignerInfo = new CmiAuthenticodeSignerInfo(Win32.TRUST_E_FAIL); // Find the license's signature XmlElement signatureNode = licenseNode.SelectSingleNode("//r:issuer/ds:Signature", nsm) as XmlElement; if (signatureNode == null) { throw new CryptographicException(Win32.TRUST_E_NOSIGNATURE); } // Make sure it is indeed an Authenticode signature, and it is an enveloped signature. // Then make sure the transforms are valid. VerifySignatureForm(signatureNode, "AuthenticodeSignature", nsm); // Now read the enveloped license signature. XmlDocument licenseDom = new XmlDocument(); licenseDom.LoadXml(licenseNode.OuterXml); signatureNode = licenseDom.SelectSingleNode("//r:issuer/ds:Signature", nsm) as XmlElement; ManifestSignedXml2 signedXml = new ManifestSignedXml2(licenseDom); signedXml.LoadXml(signatureNode); if (_useSha256) { signedXml.SignedInfo.SignatureMethod = Sha256SignatureMethodUri; } // Check the signature if (!signedXml.CheckSignature()) { _authenticodeSignerInfo = null; throw new CryptographicException(Win32.TRUST_E_CERT_SIGNATURE); } X509Certificate2 signingCertificate = GetSigningCertificate(signedXml, nsm); // First make sure certificate is not explicitly disallowed. X509Store store = new X509Store(StoreName.Disallowed, StoreLocation.CurrentUser); store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly); X509Certificate2Collection storedCertificates = null; try { storedCertificates = (X509Certificate2Collection)store.Certificates; if (storedCertificates == null) { _authenticodeSignerInfo.ErrorCode = Win32.TRUST_E_FAIL; throw new CryptographicException(Win32.TRUST_E_FAIL); } if (storedCertificates.Contains(signingCertificate)) { _authenticodeSignerInfo.ErrorCode = Win32.TRUST_E_EXPLICIT_DISTRUST; throw new CryptographicException(Win32.TRUST_E_EXPLICIT_DISTRUST); } } finally { store.Close(); } // prepare information for the TrustManager to display string hash; string description; string url; if (!GetManifestInformation(licenseNode, nsm, out hash, out description, out url)) { _authenticodeSignerInfo.ErrorCode = Win32.TRUST_E_SUBJECT_FORM_UNKNOWN; throw new CryptographicException(Win32.TRUST_E_SUBJECT_FORM_UNKNOWN); } _authenticodeSignerInfo.Hash = hash; _authenticodeSignerInfo.Description = description; _authenticodeSignerInfo.DescriptionUrl = url; // read the timestamp from the manifest DateTime verificationTime; bool isTimestamped = VerifySignatureTimestamp(signatureNode, nsm, out verificationTime); bool isLifetimeSigning = false; if (isTimestamped) { isLifetimeSigning = ((verifyFlags & CmiManifestVerifyFlags.LifetimeSigning) == CmiManifestVerifyFlags.LifetimeSigning); if (!isLifetimeSigning) { isLifetimeSigning = GetLifetimeSigning(signingCertificate); } } // Retrieve the Authenticode policy settings from registry. uint policies = GetAuthenticodePolicies(); X509Chain chain = new X509Chain(); // use the current user profile chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot; chain.ChainPolicy.RevocationMode = X509RevocationMode.Online; if ((CmiManifestVerifyFlags.RevocationCheckEndCertOnly & verifyFlags) == CmiManifestVerifyFlags.RevocationCheckEndCertOnly) { chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EndCertificateOnly; } else if ((CmiManifestVerifyFlags.RevocationCheckEntireChain & verifyFlags) == CmiManifestVerifyFlags.RevocationCheckEntireChain) { chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain; } else if (((CmiManifestVerifyFlags.RevocationNoCheck & verifyFlags) == CmiManifestVerifyFlags.RevocationNoCheck) || ((Win32.WTPF_IGNOREREVOKATION & policies) == Win32.WTPF_IGNOREREVOKATION)) { chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; } chain.ChainPolicy.VerificationTime = verificationTime; // local time if (isTimestamped && isLifetimeSigning) { chain.ChainPolicy.ApplicationPolicy.Add(new Oid(Win32.szOID_KP_LIFETIME_SIGNING)); } chain.ChainPolicy.UrlRetrievalTimeout = new TimeSpan(0, 1, 0); chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag; // don't ignore anything bool chainIsValid = chain.Build(signingCertificate); if (!chainIsValid) { #if DEBUG X509ChainStatus[] statuses = chain.ChainStatus; foreach (X509ChainStatus status in statuses) { System.Diagnostics.Debug.WriteLine("flag = " + status.Status + " " + status.StatusInformation); } #endif AuthenticodeSignerInfo.ErrorCode = Win32.TRUST_E_SUBJECT_NOT_TRUSTED; throw new CryptographicException(Win32.TRUST_E_SUBJECT_NOT_TRUSTED); } // package information for the trust manager _authenticodeSignerInfo.SignerChain = chain; store = new X509Store(StoreName.TrustedPublisher, StoreLocation.CurrentUser); store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly); try { storedCertificates = (X509Certificate2Collection)store.Certificates; if (storedCertificates == null) { _authenticodeSignerInfo.ErrorCode = Win32.TRUST_E_FAIL; throw new CryptographicException(Win32.TRUST_E_FAIL); } if (!storedCertificates.Contains(signingCertificate)) { AuthenticodeSignerInfo.ErrorCode = Win32.TRUST_E_SUBJECT_NOT_TRUSTED; throw new CryptographicException(Win32.TRUST_E_SUBJECT_NOT_TRUSTED); } } finally { store.Close(); } // Verify Certificate publisher name XmlElement subjectNode = licenseNode.SelectSingleNode("r:grant/as:AuthenticodePublisher/as:X509SubjectName", nsm) as XmlElement; if (subjectNode == null || String.Compare(signingCertificate.Subject, subjectNode.InnerText, StringComparison.Ordinal) != 0) { AuthenticodeSignerInfo.ErrorCode = Win32.TRUST_E_CERT_SIGNATURE; throw new CryptographicException(Win32.TRUST_E_CERT_SIGNATURE); } if (!oldFormat) // Make sure we have the intended Authenticode signer. VerifyPublisherIdentity(nsm); }
// throw cryptographic exception for any verification errors. internal void Verify(CmiManifestVerifyFlags verifyFlags) { // Reset signer infos. _strongNameSignerInfo = null; _authenticodeSignerInfo = null; XmlNamespaceManager nsm = new XmlNamespaceManager(_manifestDom.NameTable); nsm.AddNamespace("ds", SignedXml.XmlDsigNamespaceUrl); XmlElement signatureNode = _manifestDom.SelectSingleNode("//ds:Signature", nsm) as XmlElement; if (signatureNode == null) { throw new CryptographicException(Win32.TRUST_E_NOSIGNATURE); } // Make sure it is indeed SN signature, and it is an enveloped signature. bool oldFormat = VerifySignatureForm(signatureNode, "StrongNameSignature", nsm); // It is the DSig we want, now make sure the public key matches the token. string publicKeyToken = VerifyPublicKeyToken(); // OK. We found the SN signature with matching public key token, so // instantiate the SN signer info property. _strongNameSignerInfo = new CmiStrongNameSignerInfo(Win32.TRUST_E_FAIL, publicKeyToken); // Now verify the SN signature, and Authenticode license if available. ManifestSignedXml2 signedXml = new ManifestSignedXml2(_manifestDom, true); signedXml.LoadXml(signatureNode); if (_useSha256) { signedXml.SignedInfo.SignatureMethod = Sha256SignatureMethodUri; } AsymmetricAlgorithm key = null; bool dsigValid = signedXml.CheckSignatureReturningKey(out key); _strongNameSignerInfo.PublicKey = key; if (!dsigValid) { _strongNameSignerInfo.ErrorCode = Win32.TRUST_E_BAD_DIGEST; throw new CryptographicException(Win32.TRUST_E_BAD_DIGEST); } // Verify license as well if requested. if ((verifyFlags & CmiManifestVerifyFlags.StrongNameOnly) != CmiManifestVerifyFlags.StrongNameOnly) { if (_useSha256) { VerifyLicenseNew(verifyFlags, oldFormat); } else { VerifyLicense(verifyFlags, oldFormat); } } }