c# - How to Programmatically Code-Sign an executable with a PFX (Bouncy Castle or Otherwise) -



c# - How to Programmatically Code-Sign an executable with a PFX (Bouncy Castle or Otherwise) -

i trying determine best method code-signing executable using bouncy castle, managed code, or un-managed code c#. since capicom deprecated, imagine 1 of signersign methods mssign32.dll best way go if needs done unmanaged.

this reply (http://stackoverflow.com/a/3952235/722078) seems close, produces .p7m file, which, while appearing right size, not run correctly (obviously renamed .exe before running).

the solution given question-asker here (api/library replace signtool.exe) seemed promising , managed, tom canham mentions in comments below, "it appears signing enveloped messages. authenticode -- code-signing signtool -- different, why exe doesn't run after signing." receive same error tom when sign using either question-asker's solution or referenced bouncy castle solution.

the alternative have not attempted yet given here (http://stackoverflow.com/a/6429860/722078), , while looks promising, not positive uses "authenticode" code-signing opposed "enveloped message" code-signing. reply has benefit of not using capicom interop methods deprecated, imagine study on results using method today. if best option, out there speak differences between signersign, signersignex, , signersignex2 functions exported mssign32.dll? have read signersignex2 should used windows 8 , higher...

long story short, replicate ability of signtool.exe sign executable given .exe file, .pfx file, , password so:

signtool sign /f cert.pfx /p password application.exe

i looking best alternative programmatically code-sign executable (pe if matters) using authenticode signing, , prefer utilize bouncy castle or managed code if possible, although utilize unmanaged if works , not deprecated.

thanks!

as far can tell, signsigner , signsignerex available of windows xp, oldest operating scheme care support. because not need worry windows app store publication, reply limited signsigner , signsignerex, although import signsignerex2 similar signsignerex, , wouldn't expect cause problems.

the next class allows sign executable .pfx calling:

signwithcert(string apppath, string certpath, string certpassword, string timestampurl);

it allows sign executable certificate key store calling:

signwiththumbprint(string apppath, string thumbprint, string timestampurl);

if want sign using cert installed key store, may need update findcertbythumbprint(string thumbprint) check more key stores care check. 99.5% of time, our customers sign .pfx , not thumbprint.

for sake of illustration, signwithcert() utilizes signersignex , signertimestampex, while signwiththumbprint() utilizes signersign , signertimestamp.

they're interchanged. signersignex , signertimestampex give signer_context pointer , allow modify behavior of functions dwflags argument (if you're signing portable executable). valid flag options listed @ here. basically, if pass 0x0 dwflags signersignex, output identical using signersign. in case, imagine i'll using signersign because don't believe need pointer signer context conceivable reason.

anyway, here class. first time posting code here, hope haven't broken in formatting.

the code works expected, , executable runs fine , signed, binary output of signature block differs binary output of signtool.exe (in test, timestamp used neither tool). attribute fact signtool.exe appears utilize capicom signing , uses mssign32.dll, in all, pretty pleased in initial set of tests.

the error handling needs improvement.

thanks gregs , out there who's posted code samples previously.

here's relevant stuff. update block comments , improvements when chance so.

update 1: added improve error handling , comments, along reformatting of thumbprint in findcertbythumbprint(string thumbprint) allow cert found on windows 8 , windows 10 (public preview). oses wouldn't homecoming match when spaces left in thumbprint, fixing them before searching.

using system; using system.runtime.interopservices; using system.security.cryptography; using system.security.cryptography.x509certificates; namespace utilities { internal static class signtool { #region structures [structlayoutattribute(layoutkind.sequential)] struct signer_subject_info { public uint cbsize; public intptr pdwindex; public uint dwsubjectchoice; public subjectchoiceunion union1; [structlayoutattribute(layoutkind.explicit)] internal struct subjectchoiceunion { [fieldoffsetattribute(0)] public system.intptr psignerfileinfo; [fieldoffsetattribute(0)] public system.intptr psignerblobinfo; }; } [structlayoutattribute(layoutkind.sequential)] struct signer_cert { public uint cbsize; public uint dwcertchoice; public signercertunion union1; [structlayoutattribute(layoutkind.explicit)] internal struct signercertunion { [fieldoffsetattribute(0)] public intptr pwszspcfile; [fieldoffsetattribute(0)] public intptr pcertstoreinfo; [fieldoffsetattribute(0)] public intptr pspcchaininfo; }; public intptr hwnd; } [structlayoutattribute(layoutkind.sequential)] struct signer_signature_info { public uint cbsize; public uint algidhash; // alg_id public uint dwattrchoice; public intptr pattrauthcode; public intptr psauthenticated; // pcrypt_attributes public intptr psunauthenticated; // pcrypt_attributes } [structlayoutattribute(layoutkind.sequential)] struct signer_file_info { public uint cbsize; public intptr pwszfilename; public intptr hfile; } [structlayoutattribute(layoutkind.sequential)] struct signer_cert_store_info { public uint cbsize; public intptr psigningcert; // cert_context public uint dwcertpolicy; public intptr hcertstore; } [structlayoutattribute(layoutkind.sequential)] struct signer_context { public uint cbsize; public uint cbblob; public intptr pbblob; } [structlayoutattribute(layoutkind.sequential)] struct signer_provider_info { public uint cbsize; public intptr pwszprovidername; public uint dwprovidertype; public uint dwkeyspec; public uint dwpvkchoice; public signerproviderunion union1; [structlayoutattribute(layoutkind.explicit)] internal struct signerproviderunion { [fieldoffsetattribute(0)] public intptr pwszpvkfilename; [fieldoffsetattribute(0)] public intptr pwszkeycontainer; }; } #endregion #region imports [dllimport("mssign32.dll", charset = charset.unicode, setlasterror = true)] private static extern int signersign( intptr psubjectinfo, // signer_subject_info intptr psignercert, // signer_cert intptr psignatureinfo, // signer_signature_info intptr pproviderinfo, // signer_provider_info string pwszhttptimestamp, // lpcwstr intptr psrequest, // pcrypt_attributes intptr psipdata // lpvoid ); [dllimport("mssign32.dll", charset = charset.unicode, setlasterror = true)] private static extern int signersignex( uint dwflags, // dword intptr psubjectinfo, // signer_subject_info intptr psignercert, // signer_cert intptr psignatureinfo, // signer_signature_info intptr pproviderinfo, // signer_provider_info string pwszhttptimestamp, // lpcwstr intptr psrequest, // pcrypt_attributes intptr psipdata, // lpvoid out signer_context ppsignercontext // signer_context ); [dllimport("mssign32.dll", charset = charset.unicode, setlasterror = true)] private static extern int signertimestamp( intptr psubjectinfo, // signer_subject_info string pwszhttptimestamp, // lpcwstr intptr psrequest, // pcrypt_attributes intptr psipdata // lpvoid ); [dllimport("mssign32.dll", charset = charset.unicode, setlasterror = true)] private static extern int signertimestampex( uint dwflags, // dword intptr psubjectinfo, // signer_subject_info string pwszhttptimestamp, // lpcwstr intptr psrequest, // pcrypt_attributes intptr psipdata, // lpvoid out signer_context ppsignercontext // signer_context ); [dllimport("crypt32.dll", entrypoint = "certcreatecertificatecontext", setlasterror = true, charset = charset.unicode, exactspelling = false, callingconvention = callingconvention.stdcall)] private static extern intptr certcreatecertificatecontext( int dwcertencodingtype, byte[] pbcertencoded, int cbcertencoded); #endregion #region public methods // phone call signersignex , signertimestampex given .pfx public static void signwithcert(string apppath, string certpath, string certpassword, string timestampurl) { intptr psignercert = intptr.zero; intptr psubjectinfo = intptr.zero; intptr psignatureinfo = intptr.zero; intptr pproviderinfo = intptr.zero; seek { // grab x509certificate .pfx file. x509certificate2 cert = new x509certificate2(certpath, certpassword); psignercert = createsignercert(cert); psubjectinfo = createsignersubjectinfo(apppath); psignatureinfo = createsignersignatureinfo(); pproviderinfo = getproviderinfo(cert); signer_context signercontext; signcode(0x0, psubjectinfo, psignercert, psignatureinfo, pproviderinfo, out signercontext); // effort timestamp if we've got timestampurl. if (!string.isnullorempty(timestampurl)) { timestampsignedcode(0x0, psubjectinfo, timestampurl, out signercontext); } } grab (cryptographicexception ce) { string exception; // useful information? switch (marshal.gethrforexception(ce)) { case -2146885623: exception = string.format(@"an error occurred while attempting load signing certificate. ""{0}"" not appear contain valid certificate.", certpath); break; case -2147024810: exception = string.format(@"an error occurred while attempting load signing certificate. specified password incorrect."); break; default: exception = string.format(@"an error occurred while attempting load signing certificate. {0}", ce.message); break; } } grab (exception e) { // useful information? string exception = e.message; } { if (psignercert != intptr.zero) { marshal.destroystructure(psignercert, typeof(signer_cert)); } if (psubjectinfo != intptr.zero) { marshal.destroystructure(psubjectinfo, typeof(signer_subject_info)); } if (psignatureinfo != intptr.zero) { marshal.destroystructure(psignatureinfo, typeof(signer_signature_info)); } if (pproviderinfo != intptr.zero) { marshal.destroystructure(psignatureinfo, typeof(signer_provider_info)); } } } // phone call signersign , signertimestamp given thumbprint. public static void signwiththumbprint(string apppath, string thumbprint, string timestampurl) { intptr psignercert = intptr.zero; intptr psubjectinfo = intptr.zero; intptr psignatureinfo = intptr.zero; intptr pproviderinfo = intptr.zero; seek { psignercert = createsignercert(thumbprint); psubjectinfo = createsignersubjectinfo(apppath); psignatureinfo = createsignersignatureinfo(); signcode(psubjectinfo, psignercert, psignatureinfo, pproviderinfo); // effort timestamp if we've got timestampurl. if (!string.isnullorempty(timestampurl)) { timestampsignedcode(psubjectinfo, timestampurl); } } grab (cryptographicexception ce) { // useful information? string exception = string.format(@"an error occurred while attempting load signing certificate. {0}", ce.message); } grab (exception e) { // useful information? string exception = e.message; } { if (psignercert != intptr.zero) { marshal.destroystructure(psignercert, typeof(signer_cert)); } if (psubjectinfo != intptr.zero) { marshal.destroystructure(psubjectinfo, typeof(signer_subject_info)); } if (psignatureinfo != intptr.zero) { marshal.destroystructure(psignatureinfo, typeof(signer_signature_info)); } } } #endregion #region private methods private static intptr createsignersubjectinfo(string pathtoassembly) { signer_subject_info info = new signer_subject_info { cbsize = (uint)marshal.sizeof(typeof(signer_subject_info)), pdwindex = marshal.allochglobal(marshal.sizeof(typeof(uint))) }; var index = 0; marshal.structuretoptr(index, info.pdwindex, false); info.dwsubjectchoice = 0x1; //signer_subject_file intptr assemblyfileptr = marshal.stringtohglobaluni(pathtoassembly); signer_file_info fileinfo = new signer_file_info { cbsize = (uint)marshal.sizeof(typeof(signer_file_info)), pwszfilename = assemblyfileptr, hfile = intptr.zero }; info.union1 = new signer_subject_info.subjectchoiceunion { psignerfileinfo = marshal.allochglobal(marshal.sizeof(typeof(signer_file_info))) }; marshal.structuretoptr(fileinfo, info.union1.psignerfileinfo, false); intptr psubjectinfo = marshal.allochglobal(marshal.sizeof(info)); marshal.structuretoptr(info, psubjectinfo, false); homecoming psubjectinfo; } private static x509certificate2 findcertbythumbprint(string thumbprint) { seek { // remove spaces convert upper. windows 10 (preview) , windows 8 not homecoming cert // unless perfect match no spaces , uppercase characters. string thumbprintfixed = thumbprint.replace(" ", string.empty).toupperinvariant(); // check mutual store locations corresponding code-signing cert. x509store[] stores = new x509store[4] { new x509store(storename.my, storelocation.currentuser), new x509store(storename.my, storelocation.localmachine), new x509store(storename.trustedpublisher, storelocation.currentuser), new x509store(storename.trustedpublisher, storelocation.localmachine) }; foreach (x509store store in stores) { store.open(openflags.readonly); // find cert! x509certificate2collection certs = store.certificates.find(x509findtype.findbythumbprint, thumbprintfixed, false); store.close(); // if didn't find cert, seek next store. if (certs.count < 1) { continue; } // homecoming cert (first 1 if there more 1 identical cert in collection). homecoming certs[0]; } // no cert found. homecoming null. throw new exception(string.format(@"a certificate matching thumbprint: ""{0}"" not found. create sure valid certificate matching provided thumbprint installed.", thumbprint)); } grab (exception e) { throw new exception(string.format("{0}", e.message)); } } private static intptr createsignercert(x509certificate2 cert) { signer_cert signercert = new signer_cert { cbsize = (uint)marshal.sizeof(typeof(signer_cert)), dwcertchoice = 0x2, union1 = new signer_cert.signercertunion { pcertstoreinfo = marshal.allochglobal(marshal.sizeof(typeof(signer_cert_store_info))) }, hwnd = intptr.zero }; const int x509_asn_encoding = 0x00000001; const int pkcs_7_asn_encoding = 0x00010000; intptr pcertcontext = certcreatecertificatecontext( x509_asn_encoding | pkcs_7_asn_encoding, cert.getrawcertdata(), cert.getrawcertdata().length); signer_cert_store_info certstoreinfo = new signer_cert_store_info { cbsize = (uint)marshal.sizeof(typeof(signer_cert_store_info)), psigningcert = pcertcontext, dwcertpolicy = 0x2, // signer_cert_policy_chain hcertstore = intptr.zero }; marshal.structuretoptr(certstoreinfo, signercert.union1.pcertstoreinfo, false); intptr psignercert = marshal.allochglobal(marshal.sizeof(signercert)); marshal.structuretoptr(signercert, psignercert, false); homecoming psignercert; } private static intptr createsignercert(string thumbprint) { signer_cert signercert = new signer_cert { cbsize = (uint)marshal.sizeof(typeof(signer_cert)), dwcertchoice = 0x2, union1 = new signer_cert.signercertunion { pcertstoreinfo = marshal.allochglobal(marshal.sizeof(typeof(signer_cert_store_info))) }, hwnd = intptr.zero }; const int x509_asn_encoding = 0x00000001; const int pkcs_7_asn_encoding = 0x00010000; x509certificate2 cert = findcertbythumbprint(thumbprint); intptr pcertcontext = certcreatecertificatecontext( x509_asn_encoding | pkcs_7_asn_encoding, cert.getrawcertdata(), cert.getrawcertdata().length); signer_cert_store_info certstoreinfo = new signer_cert_store_info { cbsize = (uint)marshal.sizeof(typeof(signer_cert_store_info)), psigningcert = pcertcontext, dwcertpolicy = 0x2, // signer_cert_policy_chain hcertstore = intptr.zero }; marshal.structuretoptr(certstoreinfo, signercert.union1.pcertstoreinfo, false); intptr psignercert = marshal.allochglobal(marshal.sizeof(signercert)); marshal.structuretoptr(signercert, psignercert, false); homecoming psignercert; } private static intptr createsignersignatureinfo() { signer_signature_info signatureinfo = new signer_signature_info { cbsize = (uint)marshal.sizeof(typeof(signer_signature_info)), algidhash = 0x00008004, // calg_sha1 dwattrchoice = 0x0, // signer_no_attr pattrauthcode = intptr.zero, psauthenticated = intptr.zero, psunauthenticated = intptr.zero }; intptr psignatureinfo = marshal.allochglobal(marshal.sizeof(signatureinfo)); marshal.structuretoptr(signatureinfo, psignatureinfo, false); homecoming psignatureinfo; } private static intptr getproviderinfo(x509certificate2 cert) { if (cert == null || !cert.hasprivatekey) { homecoming intptr.zero; } icspasymmetricalgorithm key = (icspasymmetricalgorithm)cert.privatekey; const int pvk_type_keycontainer = 2; if (key == null) { homecoming intptr.zero; } signer_provider_info providerinfo = new signer_provider_info { cbsize = (uint)marshal.sizeof(typeof(signer_provider_info)), pwszprovidername = marshal.stringtohglobaluni(key.cspkeycontainerinfo.providername), dwprovidertype = (uint)key.cspkeycontainerinfo.providertype, dwpvkchoice = pvk_type_keycontainer, union1 = new signer_provider_info.signerproviderunion { pwszkeycontainer = marshal.stringtohglobaluni(key.cspkeycontainerinfo.keycontainername) }, }; intptr pproviderinfo = marshal.allochglobal(marshal.sizeof(providerinfo)); marshal.structuretoptr(providerinfo, pproviderinfo, false); homecoming pproviderinfo; } // utilize signersign private static void signcode(intptr psubjectinfo, intptr psignercert, intptr psignatureinfo, intptr pproviderinfo) { int hresult = signersign( psubjectinfo, psignercert, psignatureinfo, pproviderinfo, null, intptr.zero, intptr.zero ); if (hresult != 0) { // see if can useful. jury's still out on one. marshal.throwexceptionforhr(marshal.gethrforlastwin32error()); } } // utilize signersignex private static void signcode(uint dwflags, intptr psubjectinfo, intptr psignercert, intptr psignatureinfo, intptr pproviderinfo, out signer_context signercontext) { int hresult = signersignex( dwflags, psubjectinfo, psignercert, psignatureinfo, pproviderinfo, null, intptr.zero, intptr.zero, out signercontext ); if (hresult != 0) { // see if can useful. jury's still out on one. marshal.throwexceptionforhr(marshal.gethrforlastwin32error()); } } // utilize signertimestamp private static void timestampsignedcode(intptr psubjectinfo, string timestampurl) { int hresult = signertimestamp( psubjectinfo, timestampurl, intptr.zero, intptr.zero ); if (hresult != 0) { // can't useful gethrforlastwin32error, let's throw our own. //marshal.throwexceptionforhr(marshal.gethrforlastwin32error()); throw new exception(string.format(@"""{0}"" not used @ time. if necessary, check timestampurl, net connection, , seek again.", timestampurl)); } } // utilize signertimestampex private static void timestampsignedcode(uint dwflags, intptr psubjectinfo, string timestampurl, out signer_context signercontext) { int hresult = signertimestampex( dwflags, psubjectinfo, timestampurl, intptr.zero, intptr.zero, out signercontext ); if (hresult != 0) { // can't useful gethrforlastwin32error, let's throw our own. //marshal.throwexceptionforhr(marshal.gethrforlastwin32error()); throw new exception(string.format(@"""{0}"" not used @ time. if necessary, check timestampurl, net connection, , seek again.", timestampurl)); } } #endregion } }

c# .net bouncycastle capicom

Comments

Post a Comment

Popular posts from this blog

Delphi change the assembly code of a running process -

Delphi change the assembly code of a running process - i'm trying alter address 00741fa5 has push test.009e721c . alter push test.009e71c8 . procedure callback; asm force $9e71c8 end; procedure tform2.btn1click(sender: tobject); var ppid :dword; pprocess : cardinal; begin getwindowthreadprocessid(findwindow(nil,pchar('test')), @ppid); pprocess := openprocess(process_all_access, false, ppid); injectasm(pprocess, $741fa5, 10, integer(@callback), 0); end; here injectasm function (with error checking) function injectasm(process: longword; injectaddress, injectsize, codeaddress, codesize : integer): pointer; var csize, rsize : integer; replaced : array of byte; jmp : array [0..4] of byte; jmpaddress : integer; nopv : byte; : integer; nbr: ulong_ptr; begin //injectsize must equal or greater 5, because need space our //(far) jmp wwxxyyzz instruction //if there's no space, inject in place of few instructions if injectsize ...
Read more

json - Hibernate and Jackson (java.lang.IllegalStateException: Cannot call sendError() after the response has been committed) -

json - Hibernate and Jackson (java.lang.IllegalStateException: Cannot call sendError() after the response has been committed) - hello have problem hibernate , jackson. have 2 pojos @entity @table(name = "users") public class user implements serializable { static final long serialversionuid = 4235637833262722256l; @id @generatedvalue private int id; @column(name = "creation_date") private date creationdate; @column(name = "first_name") private string firstname; @column(name = "last_name") private string lastname; @version @column(name = "version") private int version; @column(name = "e_mail") private string email; @column(name = "enabled") private boolean enabled; @column(name = "login") private string login; @column(name = "password") private string password; @jsonmanagedreference("role") @onetomany(mappedby = "user", cascade = cascadetype.all,fetch = fetchtyp...
Read more

C++ 11 "class" keyword -

C++ 11 "class" keyword - i've started using c++ 11 little bit more , have few questions on special uses of class keyword. know it's used declare class, there's 2 instances have seen don't understand: method<class t>(); and class class_name *var; why precede typename keyword class in first example, , keyword pointer in sec example? that known elaborated type specifier , necessary when class name "shadowed" or "hidden" , need explicit. class t { }; // love of god don't t t; t t2; if compiler smart, give these warnings: main.cpp:15:5: error: must utilize 'class' tag refer type 't' in scope t t2; ^ class main.cpp:14:7: note: class 't' hidden non-type declaration of 't' here t t; ^ if class not defined, deed forwards declaration. for example: template <typename t> void method() { using type = typename t::value_type; } method...
Read more