Skip to content

Add missing timestamper cert to the newer catalog signing APIs #4061

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
mirichmo merged 2 commits into from
Jun 27, 2017
Merged

Add missing timestamper cert to the newer catalog signing APIs #4061

mirichmo merged 2 commits into from
Jun 27, 2017

Conversation

@PaulHigin
Copy link
Contributor

@PaulHigin PaulHigin commented Jun 20, 2017
edited
Loading

This fixes Issue #4060

Code to obtain the file signature time stamp cert was missing from the newer catalog signing APIs, with the result that Get-AuthenticodeSignature would not include the time stamp cert in the Signature object.

Fix is to refactor and use the older API code for obtaining this.

I didn't add a test for this because no catalog signing tests are in GitHub yet and porting them will be a separate work item.

@PaulHigin PaulHigin added WG-Cmdlets general cmdlet issues Issue-Bug Issue has been identified as a bug in the product OS-Windows labels Jun 20, 2017
@PaulHigin PaulHigin added this to the 6.0.0-Pending milestone Jun 20, 2017
@mirichmo mirichmo requested a review from LeeHolmes June 20, 2017 22:56
@mirichmo mirichmo assigned mirichmo and unassigned LeeHolmes Jun 20, 2017
@PaulHigin PaulHigin requested a review from TravisEz13 June 21, 2017 18:40
TravisEz13
TravisEz13 reviewed Jun 22, 2017
View reviewed changes
src/System.Management.Automation/security/Authenticode.cs
}
}

Diagnostics.Assert(((error == 0) && (signature != null)) || (error != 0), "GetSignatureFromWintrustData: general crypto failure");
Copy link
Member

@TravisEz13 TravisEz13 Jun 22, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Question about this case, will sync offline

@PaulHigin PaulHigin changed the title Fixed missing functionality to add timestamper cert for the newer catalog signing APIs Add missing timestamper cert to the newer catalog signing APIs Jun 22, 2017
@PaulHigin PaulHigin requested a review from daxian-dbw June 22, 2017 21:32
daxian-dbw
daxian-dbw reviewed Jun 22, 2017
View reviewed changes
src/System.Management.Automation/security/Authenticode.cs Outdated
}

[ArchitectureSensitive]
private static bool TryGetProviderSigner(IntPtr wvtStateData, ref IntPtr pProvSigner, ref X509Certificate2 timestamperCert)
Copy link
Member

@daxian-dbw daxian-dbw Jun 22, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems to me both pProvSigner and timestamperCert are better to be an out parameter instead of a ref parameter.

daxian-dbw
daxian-dbw reviewed Jun 22, 2017
View reviewed changes
src/System.Management.Automation/security/Authenticode.cs
else
{
signature = new Signature(filename, error, cert);
}
Copy link
Member

@daxian-dbw daxian-dbw Jun 22, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Once the parameters pProvSigner and timestamperCert are changed to out parameters, you can use the new language feature in C# for out parameters:

if (int.TryParse(input, out int result))
    WriteLine(result);
else
    WriteLine("Could not parse input");

So this code block can be rewritten to:

if (TryGetProviderSigner(phStateData, out IntPtr pProvSigner, out X509Certificate2 timestamperCert) && timestamperCert != null)
{
    signature = new Signature(filename, error, cert, timestamperCert);
}
else
{
    signature = new Signature(filename, error, cert);
}

daxian-dbw
daxian-dbw reviewed Jun 22, 2017
View reviewed changes
src/System.Management.Automation/security/Authenticode.cs Outdated
X509Certificate2 signerCert = null;
IntPtr pProvSigner = IntPtr.Zero;
X509Certificate2 timestamperCert = null;
if (TryGetProviderSigner(wtd.hWVTStateData, ref pProvSigner, ref timestamperCert))
Copy link
Member

@daxian-dbw daxian-dbw Jun 22, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same here. Once change to out parameters, you can use the new feature in C# to make the code cleaner.

Copy link
Contributor Author

@PaulHigin PaulHigin Jun 22, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good idea. Will change.

@mirichmo mirichmo mentioned this pull request Jun 23, 2017
Closed
@mirichmo
Copy link
Member

mirichmo commented Jun 23, 2017

I created issue #4087 to document the lack of tests

@PaulHigin
Copy link
Contributor Author

PaulHigin commented Jun 27, 2017

@mirichmo Is there anything preventing this from being merged? I also need to port this to internal branches. Thanks!

@mirichmo mirichmo merged commit 2ee9705 into PowerShell:master Jun 27, 2017
@PaulHigin PaulHigin deleted the GetAuthSigFix branch June 27, 2017 22:02
@PaulHigin PaulHigin mentioned this pull request Jul 11, 2017
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@daxian-dbw daxian-dbw daxian-dbw approved these changes

@TravisEz13 TravisEz13 TravisEz13 approved these changes

@LeeHolmes LeeHolmes Awaiting requested review from LeeHolmes

Assignees

@mirichmo mirichmo

Labels

Issue-Bug Issue has been identified as a bug in the product OS-Windows WG-Cmdlets general cmdlet issues

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@PaulHigin @mirichmo @daxian-dbw @TravisEz13 @msftclas @LeeHolmes