115 changes: 69 additions & 46 deletions src/System.Management.Automation/security/Authenticode.cs
Expand Up @@ -363,10 +363,21 @@ private static Signature GetSignatureFromCatalog(string filename)
DWORD error = GetErrorFromSignatureState(sigInfo.nSignatureState);

X509Certificate2 cert = null;

if (ppCertContext != IntPtr.Zero)
{
cert = new X509Certificate2(ppCertContext);
signature = new Signature(filename, error, cert);

// Get the time stamper certificate if available
TryGetProviderSigner(phStateData, out IntPtr pProvSigner, out X509Certificate2 timestamperCert);
if (timestamperCert != null)
{
signature = new Signature(filename, error, cert, timestamperCert);
}
else
{
signature = new Signature(filename, error, cert);
}

Once the parameters pProvSigner and timestamperCert are changed to out parameters, you can use the new language feature in C# for out parameters:

if (int.TryParse(input, out int result))
    WriteLine(result);
else
    WriteLine("Could not parse input");

So this code block can be rewritten to:

if (TryGetProviderSigner(phStateData, out IntPtr pProvSigner, out X509Certificate2 timestamperCert) && timestamperCert != null)
{
    signature = new Signature(filename, error, cert, timestamperCert);
}
else
{
    signature = new Signature(filename, error, cert);
}


switch (sigInfo.nSignatureType)
{
Expand Down Expand Up @@ -578,70 +589,82 @@ private static Signature GetSignatureFromWintrustData(
DWORD error,
NativeMethods.WINTRUST_DATA wtd)
{
s_tracer.WriteLine("GetSignatureFromWintrustData: error: {0}", error);

Signature signature = null;
X509Certificate2 signerCert = null;
X509Certificate2 timestamperCert = null;
if (TryGetProviderSigner(wtd.hWVTStateData, out IntPtr pProvSigner, out X509Certificate2 timestamperCert))
{
//
// get cert of the signer
//
X509Certificate2 signerCert = GetCertFromChain(pProvSigner);

s_tracer.WriteLine("GetSignatureFromWintrustData: error: {0}", error);
if (signerCert != null)
{
if (timestamperCert != null)
{
signature = new Signature(filePath,
error,
signerCert,
timestamperCert);
}
else
{
signature = new Signature(filePath,
error,
signerCert);
}

signature.SignatureType = SignatureType.Authenticode;
}
}

Diagnostics.Assert(((error == 0) && (signature != null)) || (error != 0), "GetSignatureFromWintrustData: general crypto failure");

Question about this case, will sync offline


if ((signature == null) && (error != 0))
{
signature = new Signature(filePath, error);
}

return signature;
}

[ArchitectureSensitive]
private static bool TryGetProviderSigner(IntPtr wvtStateData, out IntPtr pProvSigner, out X509Certificate2 timestamperCert)
{
pProvSigner = IntPtr.Zero;
timestamperCert = null;

// The GetLastWin32Error of this is checked, but PreSharp doesn't seem to be
// able to see that.
#pragma warning disable 56523
IntPtr pProvData =
NativeMethods.WTHelperProvDataFromStateData(wtd.hWVTStateData);
NativeMethods.WTHelperProvDataFromStateData(wvtStateData);
#pragma warning enable 56523

if (pProvData != IntPtr.Zero)
{
IntPtr pProvSigner =
pProvSigner =
NativeMethods.WTHelperGetProvSignerFromChain(pProvData, 0, 0, 0);

if (pProvSigner != IntPtr.Zero)
{
//
// get cert of the signer
//
signerCert = GetCertFromChain(pProvSigner);

if (signerCert != null)
NativeMethods.CRYPT_PROVIDER_SGNR provSigner =
(NativeMethods.CRYPT_PROVIDER_SGNR)
ClrFacade.PtrToStructure<NativeMethods.CRYPT_PROVIDER_SGNR>(pProvSigner);
if (provSigner.csCounterSigners == 1)
{
NativeMethods.CRYPT_PROVIDER_SGNR provSigner =
(NativeMethods.CRYPT_PROVIDER_SGNR)
ClrFacade.PtrToStructure<NativeMethods.CRYPT_PROVIDER_SGNR>(pProvSigner);
if (provSigner.csCounterSigners == 1)
{
//
// time stamper cert available
//
timestamperCert = GetCertFromChain(provSigner.pasCounterSigners);
}

if (timestamperCert != null)
{
signature = new Signature(filePath,
error,
signerCert,
timestamperCert);
}
else
{
signature = new Signature(filePath,
error,
signerCert);
}

signature.SignatureType = SignatureType.Authenticode;
//
// time stamper cert available
//
timestamperCert = GetCertFromChain(provSigner.pasCounterSigners);
}
}
}

Diagnostics.Assert(((error == 0) && (signature != null)) || (error != 0), "GetSignatureFromWintrustData: general crypto failure");

if ((signature == null) && (error != 0))
{
signature = new Signature(filePath, error);
return true;
}
}

return signature;
return false;
}

[ArchitectureSensitive]
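Review bot: The new `TryGetProviderSigner` in the second hunk has no doc comment, and its contract is easy to misread: it returns true as soon as `WTHelperGetProvSignerFromChain` yields a non-zero signer, so `timestamperCert` can still be null on a true return, and `pProvSigner` is only meaningful when the method returns true. The caller added in the first hunk of `GetSignatureFromCatalog` discards the return value and never reads `pProvSigner`, which is consistent with that contract but should be spelled out rather than left for the reader to reconstruct. I would add an XML summary along the lines of `/// Returns true when a provider signer was located in the WinVerifyTrust state data; timestamperCert is set only when exactly one counter signer is present and may be null even when the method returns true.` together with `<param>` entries for both out parameters. The `csCounterSigners == 1` check is carried over from the old code, so any other counter-signer count silently yields no timestamper certificate; a one-line comment stating that would help the next maintainer. The signature of `GetSignatureFromWintrustData` begins before this hunk.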