internal ManifestSignatureInformation(ManifestKinds manifest, StrongNameSignatureInformation strongNameSignature, AuthenticodeSignatureInformation authenticodeSignature) { this.m_manifest = manifest; this.m_strongNameSignature = strongNameSignature; this.m_authenticodeSignature = authenticodeSignature; }
/// <summary> /// Verify the signature of the manifest /// </summary> public ManifestSignatureInformation VerifySignature(X509RevocationFlag revocationFlag, X509RevocationMode revocationMode) { XmlElement signatureNode = m_manifestXml.SelectSingleNode("//ds:Signature", m_namespaceManager) as XmlElement; if (signatureNode == null) { return new ManifestSignatureInformation(m_manifest, null, null); } LoadXml(signatureNode); StrongNameSignatureInformation strongName = VerifyStrongNameSignature(signatureNode); // Since the Authenticode signature is wrapped in the strong name signature, we do not want to // give a valid AuthenticodeSignatureInformation object for an Authenticode signature which is // contained within a strong name signature with an invalid hash value. AuthenticodeSignatureInformation authenticode = null; if (strongName.VerificationResult != SignatureVerificationResult.BadDigest) { authenticode = VerifyAuthenticodeSignature(signatureNode, revocationFlag, revocationMode); } else { authenticode = new AuthenticodeSignatureInformation(SignatureVerificationResult.ContainingSignatureInvalid); } return new ManifestSignatureInformation(m_manifest, strongName, authenticode); }
public ManifestSignatureInformation VerifySignature(X509RevocationFlag revocationFlag, X509RevocationMode revocationMode) { XmlElement element = this.m_manifestXml.SelectSingleNode("//ds:Signature", this.m_namespaceManager) as XmlElement; if (element == null) { return new ManifestSignatureInformation(this.m_manifest, null, null); } base.LoadXml(element); StrongNameSignatureInformation strongNameSignature = this.VerifyStrongNameSignature(element); AuthenticodeSignatureInformation authenticodeSignature = null; if (strongNameSignature.VerificationResult != SignatureVerificationResult.BadDigest) { authenticodeSignature = this.VerifyAuthenticodeSignature(element, revocationFlag, revocationMode); } else { authenticodeSignature = new AuthenticodeSignatureInformation(SignatureVerificationResult.ContainingSignatureInvalid); } return new ManifestSignatureInformation(this.m_manifest, strongNameSignature, authenticodeSignature); }
private AuthenticodeSignatureInformation VerifyAuthenticodeSignature(XmlElement signatureNode, X509RevocationFlag revocationFlag, X509RevocationMode revocationMode) { Debug.Assert(signatureNode != null, "signatureNode != null"); // See if there is an Authenticode signature on the manifest XmlElement licenseNode = signatureNode.SelectSingleNode("ds:KeyInfo/msrel:RelData/r:license", m_namespaceManager) as XmlElement; if (licenseNode == null) { return null; } // Make sure that the signature is for this manifest SignatureVerificationResult identityVerification = VerifyAuthenticodeSignatureIdentity(licenseNode); if (identityVerification != SignatureVerificationResult.Valid) { return new AuthenticodeSignatureInformation(identityVerification); } SignatureVerificationResult hashVerification = VerifyAuthenticodeExpectedHash(licenseNode); if (hashVerification != SignatureVerificationResult.Valid) { return new AuthenticodeSignatureInformation(hashVerification); } // Verify the signature, extracting information about it AuthenticodeSignatureInformation authenticodeSignature = null; X509Native.AXL_AUTHENTICODE_SIGNER_INFO signer = new X509Native.AXL_AUTHENTICODE_SIGNER_INFO(); signer.cbSize = Marshal.SizeOf(typeof(X509Native.AXL_AUTHENTICODE_SIGNER_INFO)); X509Native.AXL_AUTHENTICODE_TIMESTAMPER_INFO timestamper = new X509Native.AXL_AUTHENTICODE_TIMESTAMPER_INFO(); timestamper.cbsize = Marshal.SizeOf(typeof(X509Native.AXL_AUTHENTICODE_TIMESTAMPER_INFO)); RuntimeHelpers.PrepareConstrainedRegions(); try { byte[] licenseXml = Encoding.UTF8.GetBytes(licenseNode.OuterXml); X509Native.AxlVerificationFlags verificationFlags = MapRevocationFlags(revocationFlag, revocationMode); unsafe { fixed (byte* pLicenseXml = licenseXml) { // Safe since we're verifying the size of this buffer is correct CapiNative.CRYPTOAPI_BLOB xmlBlob = new CapiNative.CRYPTOAPI_BLOB(); xmlBlob.cbData = licenseXml.Length; xmlBlob.pbData = new IntPtr(pLicenseXml); int hrVerify = X509Native.UnsafeNativeMethods.CertVerifyAuthenticodeLicense(ref xmlBlob, verificationFlags, ref signer, ref timestamper); if (hrVerify == (int)SignatureVerificationResult.MissingSignature) { return new AuthenticodeSignatureInformation(SignatureVerificationResult.MissingSignature); } } } X509Chain signatureChain = BuildSignatureChain(signer, licenseNode, revocationFlag, revocationMode); TimestampInformation timestamp = GetTimestampInformation(timestamper, licenseNode); authenticodeSignature = new AuthenticodeSignatureInformation(signer, signatureChain, timestamp); } finally { X509Native.UnsafeNativeMethods.CertFreeAuthenticodeSignerInfo(ref signer); X509Native.UnsafeNativeMethods.CertFreeAuthenticodeTimestamperInfo(ref timestamper); } // Verify the signing certificate matches the expected publisher Debug.Assert(authenticodeSignature != null, "authenticodeSignature != null"); if (authenticodeSignature.SigningCertificate == null) { return new AuthenticodeSignatureInformation(authenticodeSignature.VerificationResult); } SignatureVerificationResult publisherMatch = VerifyAuthenticodePublisher(authenticodeSignature.SigningCertificate); if (publisherMatch != SignatureVerificationResult.Valid) { return new AuthenticodeSignatureInformation(publisherMatch); } return authenticodeSignature; }
private unsafe AuthenticodeSignatureInformation VerifyAuthenticodeSignature(XmlElement signatureNode, X509RevocationFlag revocationFlag, X509RevocationMode revocationMode) { XmlElement licenseNode = signatureNode.SelectSingleNode("ds:KeyInfo/msrel:RelData/r:license", this.m_namespaceManager) as XmlElement; if (licenseNode == null) { return null; } SignatureVerificationResult error = this.VerifyAuthenticodeSignatureIdentity(licenseNode); if (error != SignatureVerificationResult.Valid) { return new AuthenticodeSignatureInformation(error); } SignatureVerificationResult result2 = this.VerifyAuthenticodeExpectedHash(licenseNode); if (result2 != SignatureVerificationResult.Valid) { return new AuthenticodeSignatureInformation(result2); } AuthenticodeSignatureInformation information = null; X509Native.AXL_AUTHENTICODE_SIGNER_INFO pSignerInfo = new X509Native.AXL_AUTHENTICODE_SIGNER_INFO { cbSize = Marshal.SizeOf(typeof(X509Native.AXL_AUTHENTICODE_SIGNER_INFO)) }; X509Native.AXL_AUTHENTICODE_TIMESTAMPER_INFO pTimestamperInfo = new X509Native.AXL_AUTHENTICODE_TIMESTAMPER_INFO { cbsize = Marshal.SizeOf(typeof(X509Native.AXL_AUTHENTICODE_TIMESTAMPER_INFO)) }; RuntimeHelpers.PrepareConstrainedRegions(); try { byte[] bytes = Encoding.UTF8.GetBytes(licenseNode.OuterXml); X509Native.AxlVerificationFlags dwFlags = MapRevocationFlags(revocationFlag, revocationMode); try { fixed (byte* numRef = bytes) { CapiNative.CRYPTOAPI_BLOB pLicenseBlob = new CapiNative.CRYPTOAPI_BLOB { cbData = bytes.Length, pbData = new IntPtr((void*) numRef) }; if (X509Native.UnsafeNativeMethods.CertVerifyAuthenticodeLicense(ref pLicenseBlob, dwFlags, ref pSignerInfo, ref pTimestamperInfo) == -2146762496) { return new AuthenticodeSignatureInformation(SignatureVerificationResult.MissingSignature); } } } finally { numRef = null; } X509Chain signatureChain = this.BuildSignatureChain(pSignerInfo, licenseNode, revocationFlag, revocationMode); TimestampInformation timestampInformation = this.GetTimestampInformation(pTimestamperInfo, licenseNode); information = new AuthenticodeSignatureInformation(pSignerInfo, signatureChain, timestampInformation); } finally { X509Native.UnsafeNativeMethods.CertFreeAuthenticodeSignerInfo(ref pSignerInfo); X509Native.UnsafeNativeMethods.CertFreeAuthenticodeTimestamperInfo(ref pTimestamperInfo); } if (information.SigningCertificate == null) { return new AuthenticodeSignatureInformation(information.VerificationResult); } SignatureVerificationResult result3 = this.VerifyAuthenticodePublisher(information.SigningCertificate); if (result3 != SignatureVerificationResult.Valid) { return new AuthenticodeSignatureInformation(result3); } return information; }