internal void Sign(CmiManifestSigner signer, string timeStampUrl) { this.m_strongNameSignerInfo = (CmiStrongNameSignerInfo)null; this.m_authenticodeSignerInfo = (CmiAuthenticodeSignerInfo)null; if (signer == null || signer.StrongNameKey == null) { throw new ArgumentNullException("signer"); } SignedCmiManifest.RemoveExistingSignature(this.m_manifestDom); if ((signer.Flag & CmiManifestSignerFlag.DontReplacePublicKeyToken) == CmiManifestSignerFlag.None) { SignedCmiManifest.ReplacePublicKeyToken(this.m_manifestDom, signer.StrongNameKey); } XmlDocument licenseDom = (XmlDocument)null; if (signer.Certificate != null) { SignedCmiManifest.InsertPublisherIdentity(this.m_manifestDom, signer.Certificate); licenseDom = SignedCmiManifest.CreateLicenseDom(signer, this.ExtractPrincipalFromManifest(), SignedCmiManifest.ComputeHashFromManifest(this.m_manifestDom)); SignedCmiManifest.AuthenticodeSignLicenseDom(licenseDom, signer, timeStampUrl); } SignedCmiManifest.StrongNameSignManifestDom(this.m_manifestDom, licenseDom, signer); }
internal void Sign(CmiManifestSigner2 signer, string timeStampUrl) { // Reset signer infos. _strongNameSignerInfo = null; _authenticodeSignerInfo = null; // Signer cannot be null. if (signer == null || signer.StrongNameKey == null) { throw new ArgumentNullException("signer"); } // Remove existing SN signature. RemoveExistingSignature(_manifestDom); // Replace public key token in assemblyIdentity if requested. if ((signer.Flag & CmiManifestSignerFlag.DontReplacePublicKeyToken) == 0) { ReplacePublicKeyToken(_manifestDom, signer.StrongNameKey, _useSha256); } // No cert means don't Authenticode sign and timestamp. XmlDocument licenseDom = null; if (signer.Certificate != null) { // Yes. We will Authenticode sign, so first insert <publisherIdentity /> // element, if necessary. InsertPublisherIdentity(_manifestDom, signer.Certificate); // Now create the license DOM, and then sign it. licenseDom = CreateLicenseDom(signer, ExtractPrincipalFromManifest(), ComputeHashFromManifest(_manifestDom, _useSha256)); AuthenticodeSignLicenseDom(licenseDom, signer, timeStampUrl, _useSha256); } StrongNameSignManifestDom(_manifestDom, licenseDom, signer, _useSha256); }
// throw cryptographic exception for any verification errors. internal void Verify(CmiManifestVerifyFlags verifyFlags) { // Reset signer infos. _strongNameSignerInfo = null; _authenticodeSignerInfo = null; XmlNamespaceManager nsm = new XmlNamespaceManager(_manifestDom.NameTable); nsm.AddNamespace("ds", SignedXml.XmlDsigNamespaceUrl); XmlElement signatureNode = _manifestDom.SelectSingleNode("//ds:Signature", nsm) as XmlElement; if (signatureNode == null) { throw new CryptographicException(Win32.TRUST_E_NOSIGNATURE); } // Make sure it is indeed SN signature, and it is an enveloped signature. string snIdName = "Id"; if (!signatureNode.HasAttribute(snIdName)) { snIdName = "id"; if (!signatureNode.HasAttribute(snIdName)) { snIdName = "ID"; if (!signatureNode.HasAttribute(snIdName)) { throw new CryptographicException(Win32.TRUST_E_SUBJECT_FORM_UNKNOWN); } } } string snIdValue = signatureNode.GetAttribute(snIdName); if (snIdValue == null || String.Compare(snIdValue, "StrongNameSignature", StringComparison.Ordinal) != 0) { throw new CryptographicException(Win32.TRUST_E_SUBJECT_FORM_UNKNOWN); } // Make sure it is indeed an enveloped signature. bool oldFormat = false; bool validFormat = false; XmlNodeList referenceNodes = signatureNode.SelectNodes("ds:SignedInfo/ds:Reference", nsm); foreach (XmlNode referenceNode in referenceNodes) { XmlElement reference = referenceNode as XmlElement; if (reference != null && reference.HasAttribute("URI")) { string uriValue = reference.GetAttribute("URI"); if (uriValue != null) { // We expect URI="" (empty URI value which means to hash the entire document). if (uriValue.Length == 0) { XmlNode transformsNode = reference.SelectSingleNode("ds:Transforms", nsm); if (transformsNode == null) { throw new CryptographicException(Win32.TRUST_E_SUBJECT_FORM_UNKNOWN); } // Make sure the transforms are what we expected. XmlNodeList transforms = transformsNode.SelectNodes("ds:Transform", nsm); if (transforms.Count < 2) { // We expect at least: // <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> // <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> throw new CryptographicException(Win32.TRUST_E_SUBJECT_FORM_UNKNOWN); } bool c14 = false; bool enveloped = false; for (int i = 0; i < transforms.Count; i++) { XmlElement transform = transforms[i] as XmlElement; string algorithm = transform.GetAttribute("Algorithm"); if (algorithm == null) { break; } else if (String.Compare(algorithm, SignedXml.XmlDsigExcC14NTransformUrl, StringComparison.Ordinal) != 0) { c14 = true; if (enveloped) { validFormat = true; break; } } else if (String.Compare(algorithm, SignedXml.XmlDsigEnvelopedSignatureTransformUrl, StringComparison.Ordinal) != 0) { enveloped = true; if (c14) { validFormat = true; break; } } } } else if (String.Compare(uriValue, "#StrongNameKeyInfo", StringComparison.Ordinal) == 0) { oldFormat = true; XmlNode transformsNode = referenceNode.SelectSingleNode("ds:Transforms", nsm); if (transformsNode == null) { throw new CryptographicException(Win32.TRUST_E_SUBJECT_FORM_UNKNOWN); } // Make sure the transforms are what we expected. XmlNodeList transforms = transformsNode.SelectNodes("ds:Transform", nsm); if (transforms.Count < 1) { // We expect at least: // <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> throw new CryptographicException(Win32.TRUST_E_SUBJECT_FORM_UNKNOWN); } for (int i = 0; i < transforms.Count; i++) { XmlElement transform = transforms[i] as XmlElement; string algorithm = transform.GetAttribute("Algorithm"); if (algorithm == null) { break; } else if (String.Compare(algorithm, SignedXml.XmlDsigExcC14NTransformUrl, StringComparison.Ordinal) != 0) { validFormat = true; break; } } } } } } if (!validFormat) { throw new CryptographicException(Win32.TRUST_E_SUBJECT_FORM_UNKNOWN); } // It is the DSig we want, now make sure the public key matches the token. string publicKeyToken = VerifyPublicKeyToken(); // OK. We found the SN signature with matching public key token, so // instantiate the SN signer info property. _strongNameSignerInfo = new CmiStrongNameSignerInfo(Win32.TRUST_E_FAIL, publicKeyToken); // Now verify the SN signature, and Authenticode license if available. ManifestSignedXml signedXml = new ManifestSignedXml(_manifestDom, true); signedXml.LoadXml(signatureNode); AsymmetricAlgorithm key = null; bool dsigValid = signedXml.CheckSignatureReturningKey(out key); _strongNameSignerInfo.PublicKey = key; if (!dsigValid) { _strongNameSignerInfo.ErrorCode = Win32.TRUST_E_BAD_DIGEST; throw new CryptographicException(Win32.TRUST_E_BAD_DIGEST); } // Verify license as well if requested. if ((verifyFlags & CmiManifestVerifyFlags.StrongNameOnly) != CmiManifestVerifyFlags.StrongNameOnly) { VerifyLicense(verifyFlags, oldFormat); } }
internal void Sign(CmiManifestSigner signer, string timeStampUrl) { // Reset signer infos. _strongNameSignerInfo = null; _authenticodeSignerInfo = null; // Signer cannot be null. if (signer == null || signer.StrongNameKey == null) { throw new ArgumentNullException("signer"); } // Remove existing SN signature. RemoveExistingSignature(_manifestDom); // Replace public key token in assemblyIdentity if requested. if ((signer.Flag & CmiManifestSignerFlag.DontReplacePublicKeyToken) == 0) { ReplacePublicKeyToken(_manifestDom, signer.StrongNameKey); } // No cert means don't Authenticode sign and timestamp. XmlDocument licenseDom = null; if (signer.Certificate != null) { // Yes. We will Authenticode sign, so first insert <publisherIdentity /> // element, if necessary. InsertPublisherIdentity(_manifestDom, signer.Certificate); // Now create the license DOM, and then sign it. licenseDom = CreateLicenseDom(signer, ExtractPrincipalFromManifest(), ComputeHashFromManifest(_manifestDom)); AuthenticodeSignLicenseDom(licenseDom, signer, timeStampUrl); } StrongNameSignManifestDom(_manifestDom, licenseDom, signer); }
internal void Verify(CmiManifestVerifyFlags verifyFlags) { this.m_strongNameSignerInfo = (CmiStrongNameSignerInfo)null; this.m_authenticodeSignerInfo = (CmiAuthenticodeSignerInfo)null; XmlNamespaceManager nsmgr = new XmlNamespaceManager(this.m_manifestDom.NameTable); nsmgr.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#"); XmlElement xmlElement1 = this.m_manifestDom.SelectSingleNode("//ds:Signature", nsmgr) as XmlElement; if (xmlElement1 == null) { throw new CryptographicException(-2146762496); } string name = "Id"; if (!xmlElement1.HasAttribute(name)) { name = "id"; if (!xmlElement1.HasAttribute(name)) { name = "ID"; if (!xmlElement1.HasAttribute(name)) { throw new CryptographicException(-2146762749); } } } string attribute1 = xmlElement1.GetAttribute(name); if (attribute1 == null || string.Compare(attribute1, "StrongNameSignature", StringComparison.Ordinal) != 0) { throw new CryptographicException(-2146762749); } bool oldFormat = false; bool flag1 = false; foreach (XmlNode selectNode in xmlElement1.SelectNodes("ds:SignedInfo/ds:Reference", nsmgr)) { XmlElement xmlElement2 = selectNode as XmlElement; if (xmlElement2 != null && xmlElement2.HasAttribute("URI")) { string attribute2 = xmlElement2.GetAttribute("URI"); if (attribute2 != null) { if (attribute2.Length == 0) { XmlNode xmlNode = xmlElement2.SelectSingleNode("ds:Transforms", nsmgr); if (xmlNode == null) { throw new CryptographicException(-2146762749); } XmlNodeList xmlNodeList = xmlNode.SelectNodes("ds:Transform", nsmgr); if (xmlNodeList.Count < 2) { throw new CryptographicException(-2146762749); } bool flag2 = false; bool flag3 = false; for (int index = 0; index < xmlNodeList.Count; ++index) { string attribute3 = (xmlNodeList[index] as XmlElement).GetAttribute("Algorithm"); if (attribute3 != null) { if (string.Compare(attribute3, "http://www.w3.org/2001/10/xml-exc-c14n#", StringComparison.Ordinal) != 0) { flag2 = true; if (flag3) { flag1 = true; break; } } else if (string.Compare(attribute3, "http://www.w3.org/2000/09/xmldsig#enveloped-signature", StringComparison.Ordinal) != 0) { flag3 = true; if (flag2) { flag1 = true; break; } } } else { break; } } } else if (string.Compare(attribute2, "#StrongNameKeyInfo", StringComparison.Ordinal) == 0) { oldFormat = true; XmlNode xmlNode = selectNode.SelectSingleNode("ds:Transforms", nsmgr); if (xmlNode == null) { throw new CryptographicException(-2146762749); } XmlNodeList xmlNodeList = xmlNode.SelectNodes("ds:Transform", nsmgr); if (xmlNodeList.Count < 1) { throw new CryptographicException(-2146762749); } for (int index = 0; index < xmlNodeList.Count; ++index) { string attribute3 = (xmlNodeList[index] as XmlElement).GetAttribute("Algorithm"); if (attribute3 != null) { if (string.Compare(attribute3, "http://www.w3.org/2001/10/xml-exc-c14n#", StringComparison.Ordinal) != 0) { flag1 = true; break; } } else { break; } } } } } } if (!flag1) { throw new CryptographicException(-2146762749); } this.m_strongNameSignerInfo = new CmiStrongNameSignerInfo(-2146762485, this.VerifyPublicKeyToken()); ManifestSignedXml manifestSignedXml = new ManifestSignedXml(this.m_manifestDom, true); manifestSignedXml.LoadXml(xmlElement1); AsymmetricAlgorithm signingKey = (AsymmetricAlgorithm)null; bool flag4 = manifestSignedXml.CheckSignatureReturningKey(out signingKey); this.m_strongNameSignerInfo.PublicKey = signingKey; if (!flag4) { this.m_strongNameSignerInfo.ErrorCode = -2146869232; throw new CryptographicException(-2146869232); } if ((verifyFlags & CmiManifestVerifyFlags.StrongNameOnly) == CmiManifestVerifyFlags.StrongNameOnly) { return; } this.VerifyLicense(verifyFlags, oldFormat); }
// throw cryptographic exception for any verification errors. internal void Verify(CmiManifestVerifyFlags verifyFlags) { // Reset signer infos. _strongNameSignerInfo = null; _authenticodeSignerInfo = null; XmlNamespaceManager nsm = new XmlNamespaceManager(_manifestDom.NameTable); nsm.AddNamespace("ds", SignedXml.XmlDsigNamespaceUrl); XmlElement signatureNode = _manifestDom.SelectSingleNode("//ds:Signature", nsm) as XmlElement; if (signatureNode == null) { throw new CryptographicException(Win32.TRUST_E_NOSIGNATURE); } // Make sure it is indeed SN signature, and it is an enveloped signature. bool oldFormat = VerifySignatureForm(signatureNode, "StrongNameSignature", nsm); // It is the DSig we want, now make sure the public key matches the token. string publicKeyToken = VerifyPublicKeyToken(); // OK. We found the SN signature with matching public key token, so // instantiate the SN signer info property. _strongNameSignerInfo = new CmiStrongNameSignerInfo(Win32.TRUST_E_FAIL, publicKeyToken); // Now verify the SN signature, and Authenticode license if available. ManifestSignedXml2 signedXml = new ManifestSignedXml2(_manifestDom, true); signedXml.LoadXml(signatureNode); if (_useSha256) { signedXml.SignedInfo.SignatureMethod = Sha256SignatureMethodUri; } AsymmetricAlgorithm key = null; bool dsigValid = signedXml.CheckSignatureReturningKey(out key); _strongNameSignerInfo.PublicKey = key; if (!dsigValid) { _strongNameSignerInfo.ErrorCode = Win32.TRUST_E_BAD_DIGEST; throw new CryptographicException(Win32.TRUST_E_BAD_DIGEST); } // Verify license as well if requested. if ((verifyFlags & CmiManifestVerifyFlags.StrongNameOnly) != CmiManifestVerifyFlags.StrongNameOnly) { if (_useSha256) { VerifyLicenseNew(verifyFlags, oldFormat); } else { VerifyLicense(verifyFlags, oldFormat); } } }