Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove interop code as much as possible #164

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Remove interop code as much as possible #164

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
054423a
Remove interop code as much as possible
virzak Jul 5, 2022
fbee71e
Integrate win32metadata 51.0.33-preview
virzak May 7, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 5 additions & 9 deletions src/AzureSign.Core/AlgorithmTranslator.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,20 +18,16 @@ public static uint HashAlgorithmToAlgId(HashAlgorithmName hashAlgorithmName)
throw new NotSupportedException("The algorithm specified is not supported.");
}

public static ReadOnlySpan<byte> HashAlgorithmToOidAsciiTerminated(HashAlgorithmName hashAlgorithmName)
public static string HashAlgorithmToOidAsciiTerminated(HashAlgorithmName hashAlgorithmName)
{
if (hashAlgorithmName.Name == HashAlgorithmName.SHA1.Name)
//1.3.14.3.2.26
return new byte[] { 0x31, 0x2e, 0x33, 0x2e, 0x31, 0x34, 0x2e, 0x33, 0x2e, 0x32, 0x2e, 0x32, 0x36, 0x00 };
return "1.3.14.3.2.26\0";
if (hashAlgorithmName.Name == HashAlgorithmName.SHA256.Name)
//2.16.840.1.101.3.4.2.1
return new byte[] { 0x32, 0x2e, 0x31, 0x36, 0x2e, 0x38, 0x34, 0x30, 0x2e, 0x31, 0x2e, 0x31, 0x30, 0x31, 0x2e, 0x33, 0x2e, 0x34, 0x2e, 0x32, 0x2e, 0x31, 0x00 };
return "2.16.840.1.101.3.4.2.1\0";
if (hashAlgorithmName.Name == HashAlgorithmName.SHA384.Name)
//2.16.840.1.101.3.4.2.2
return new byte[] { 0x32, 0x2e, 0x31, 0x36, 0x2e, 0x38, 0x34, 0x30, 0x2e, 0x31, 0x2e, 0x31, 0x30, 0x31, 0x2e, 0x33, 0x2e, 0x34, 0x2e, 0x32, 0x2e, 0x32, 0x00 };
return "2.16.840.1.101.3.4.2.2\0";
if (hashAlgorithmName.Name == HashAlgorithmName.SHA512.Name)
//2.16.840.1.101.3.4.2.3
return new byte[] { 0x32, 0x2e, 0x31, 0x36, 0x2e, 0x38, 0x34, 0x30, 0x2e, 0x31, 0x2e, 0x31, 0x30, 0x31, 0x2e, 0x33, 0x2e, 0x34, 0x2e, 0x32, 0x2e, 0x33, 0x00 };
return "2.16.840.1.101.3.4.2.3\0";
throw new NotSupportedException("The algorithm specified is not supported.");
}
}
Expand Down
169 changes: 105 additions & 64 deletions src/AzureSign.Core/AuthenticodeKeyVaultSigner.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,11 +1,14 @@
using AzureSign.Core.Interop;
using static Windows.Win32.PInvoke;
using Windows.Win32.Security.Cryptography;
using AzureSign.Core.Interop;
using Microsoft.Extensions.Logging;
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

using Windows.Win32.Foundation;

namespace AzureSign.Core
{
/// <summary>
Expand Down Expand Up @@ -85,74 +88,114 @@ static char[] NullTerminate(ReadOnlySpan<char> str)
return result;
}

SignerSignEx3Flags flags = SignerSignEx3Flags.SIGN_CALLBACK_UNDOCUMENTED;
SIGNER_SIGN_FLAGS flags = SIGNER_SIGN_FLAGS.SPC_DIGEST_SIGN_FLAG;

if (pageHashing == true)
{
flags |= SignerSignEx3Flags.SPC_INC_PE_PAGE_HASHES_FLAG;
flags |= SIGNER_SIGN_FLAGS.SPC_INC_PE_PAGE_HASHES_FLAG;
}
else if (pageHashing == false)
{
flags |= SignerSignEx3Flags.SPC_EXC_PE_PAGE_HASHES_FLAG;
flags |= SIGNER_SIGN_FLAGS.SPC_EXC_PE_PAGE_HASHES_FLAG;
}

SignerSignTimeStampFlags timeStampFlags;
ReadOnlySpan<byte> timestampAlgorithmOid;
SIGNER_TIMESTAMP_FLAGS timeStampFlags;
string? timestampAlgorithmOid = null;
string? timestampUrl;

switch (_timeStampConfiguration.Type)
{
case TimeStampType.Authenticode:
timeStampFlags = SignerSignTimeStampFlags.SIGNER_TIMESTAMP_AUTHENTICODE;
timestampAlgorithmOid = default;
timeStampFlags = SIGNER_TIMESTAMP_FLAGS.SIGNER_TIMESTAMP_AUTHENTICODE;
timestampUrl = _timeStampConfiguration.Url;
break;
case TimeStampType.RFC3161:
timeStampFlags = SignerSignTimeStampFlags.SIGNER_TIMESTAMP_RFC3161;
timeStampFlags = SIGNER_TIMESTAMP_FLAGS.SIGNER_TIMESTAMP_RFC3161;
timestampAlgorithmOid = AlgorithmTranslator.HashAlgorithmToOidAsciiTerminated(_timeStampConfiguration.DigestAlgorithm);
timestampUrl = _timeStampConfiguration.Url;
break;
default:
timeStampFlags = default;
timestampAlgorithmOid = default;
timestampUrl = null;
break;
}

fixed (byte* pTimestampAlgorithm = timestampAlgorithmOid)
fixed (char* pTimestampUrl = timestampUrl)
fixed (char* pPath = NullTerminate(path))
fixed (char* pDescription = NullTerminate(description))
fixed (char* pDescriptionUrl = NullTerminate(descriptionUrl))
{
var fileInfo = new SIGNER_FILE_INFO(pPath, default);
var fileInfo = new SIGNER_FILE_INFO()
{
cbSize = (uint)Marshal.SizeOf<SIGNER_FILE_INFO>(),
hFile = default,
pwszFileName = pPath,
};
var subjectIndex = 0u;
var signerSubjectInfoUnion = new SIGNER_SUBJECT_INFO_UNION(&fileInfo);
var subjectInfo = new SIGNER_SUBJECT_INFO(&subjectIndex, SignerSubjectInfoUnionChoice.SIGNER_SUBJECT_FILE, signerSubjectInfoUnion);
var authCodeStructure = new SIGNER_ATTR_AUTHCODE(pDescription, pDescriptionUrl);
var storeInfo = new SIGNER_CERT_STORE_INFO(
dwCertPolicy: SignerCertStoreInfoFlags.SIGNER_CERT_POLICY_CHAIN,
hCertStore: _certificateStore.Handle,
pSigningCert: _signingCertificate.Handle
);
var signerCert = new SIGNER_CERT(
dwCertChoice: SignerCertChoice.SIGNER_CERT_STORE,
union: new SIGNER_CERT_UNION(&storeInfo)
);
var signatureInfo = new SIGNER_SIGNATURE_INFO(
algidHash: AlgorithmTranslator.HashAlgorithmToAlgId(_fileDigestAlgorithm),
psAuthenticated: IntPtr.Zero,
psUnauthenticated: IntPtr.Zero,
dwAttrChoice: SignerSignatureInfoAttrChoice.SIGNER_AUTHCODE_ATTR,
attrAuthUnion: new SIGNER_SIGNATURE_INFO_UNION(&authCodeStructure)
);
var subjectInfo = new SIGNER_SUBJECT_INFO
{
cbSize = (uint)Marshal.SizeOf<SIGNER_SUBJECT_INFO>(),
pdwIndex = &subjectIndex,
dwSubjectChoice = SIGNER_SUBJECT_CHOICE.SIGNER_SUBJECT_FILE,
Anonymous = new() { pSignerFileInfo = &fileInfo }
};
var authCodeStructure = new SIGNER_ATTR_AUTHCODE
{
cbSize = (uint)Marshal.SizeOf<SIGNER_ATTR_AUTHCODE>(),
fCommercial = false,
fIndividual = false,
pwszName = pDescription,
pwszInfo = pDescriptionUrl,

};

var storeInfo = new SIGNER_CERT_STORE_INFO
{
cbSize = (uint)Marshal.SizeOf<SIGNER_CERT_STORE_INFO>(),
dwCertPolicy = SIGNER_CERT_POLICY.SIGNER_CERT_POLICY_CHAIN,
hCertStore = _certificateStore.Handle,
pSigningCert = (CERT_CONTEXT*)_signingCertificate.Handle
};

var signerCert = new SIGNER_CERT()
{
cbSize = (uint)Marshal.SizeOf<SIGNER_CERT>(),
dwCertChoice = SIGNER_CERT_CHOICE.SIGNER_CERT_STORE,
Anonymous = new() { pCertStoreInfo = &storeInfo },
};

var signatureInfo = new SIGNER_SIGNATURE_INFO
{
cbSize = (uint)Marshal.SizeOf<SIGNER_SIGNATURE_INFO>(),
algidHash = AlgorithmTranslator.HashAlgorithmToAlgId(_fileDigestAlgorithm),
psAuthenticated = null,
psUnauthenticated = null,
dwAttrChoice = SIGNER_SIGNATURE_ATTRIBUTE_CHOICE.SIGNER_AUTHCODE_ATTR,
Anonymous = new() { pAttrAuthcode = &authCodeStructure }
};

var callbackPtr = Marshal.GetFunctionPointerForDelegate(_signCallback);
var signCallbackInfo = new SIGN_INFO(callbackPtr);
var signCallbackInfo = new SIGNER_DIGEST_SIGN_INFO
{
cbSize = 24,
Anonymous = new()
{
pfnAuthenticodeDigestSign =
(delegate* unmanaged[Stdcall]<
CERT_CONTEXT*,
CRYPT_INTEGER_BLOB*,
uint,
byte*,
uint,
CRYPT_INTEGER_BLOB*, HRESULT>)
callbackPtr
},
};

logger?.LogTrace("Getting SIP Data");
var sipKind = SipExtensionFactory.GetSipKind(path);
void* sipData = (void*)0;
IntPtr context = IntPtr.Zero;
SIGNER_CONTEXT* pContext = null;

switch (sipKind)
{
Expand All @@ -161,35 +204,34 @@ static char[] NullTerminate(ReadOnlySpan<char> str)
SIGNER_SIGN_EX3_PARAMS parameters;
clientData.pSignerParams = &parameters;
sipData = &clientData;
flags &= ~SignerSignEx3Flags.SPC_INC_PE_PAGE_HASHES_FLAG;
flags |= SignerSignEx3Flags.SPC_EXC_PE_PAGE_HASHES_FLAG;
FillAppxExtension(ref clientData, flags, timeStampFlags, &subjectInfo, &signerCert, &signatureInfo, &context, pTimestampUrl, pTimestampAlgorithm, &signCallbackInfo);
flags &= ~SIGNER_SIGN_FLAGS.SPC_INC_PE_PAGE_HASHES_FLAG;
flags |= SIGNER_SIGN_FLAGS.SPC_EXC_PE_PAGE_HASHES_FLAG;
FillAppxExtension(ref clientData, flags, timeStampFlags, &subjectInfo, &signerCert, &signatureInfo, pContext, pTimestampUrl, timestampAlgorithmOid, &signCallbackInfo);
break;
}

logger?.LogTrace("Calling SignerSignEx3");
var result = mssign32.SignerSignEx3
logger?.LogTrace("Calling SignerSignEx3");
var result = SignerSignEx3
(
flags,
&subjectInfo,
&signerCert,
&signatureInfo,
IntPtr.Zero,
subjectInfo,
signerCert,
signatureInfo,
null,
timeStampFlags,
pTimestampAlgorithm,
pTimestampUrl,
IntPtr.Zero,
timestampAlgorithmOid,
timestampUrl,
null,
sipData,
&context,
IntPtr.Zero,
&signCallbackInfo,
IntPtr.Zero
out pContext,
null,
signCallbackInfo
);
if (result == 0 && context != IntPtr.Zero)
if (result == HRESULT.S_OK && pContext != null)
{
Debug.Assert(mssign32.SignerFreeSignerContext(context) == 0);
Debug.Assert(SignerFreeSignerContext(pContext) == HRESULT.S_OK);
}
if (result == 0 && sipKind == SipKind.Appx)
if (result == HRESULT.S_OK && sipKind == SipKind.Appx)
{
var state = ((APPX_SIP_CLIENT_DATA*)sipData)->pAppxSipState;
if (state != IntPtr.Zero)
Expand All @@ -208,18 +250,17 @@ public void Dispose()
{
_chain.Dispose();
_certificateStore.Close();
}
}

private unsafe int SignCallback(
IntPtr pCertContext,
IntPtr pvExtra,
uint algId,
byte[] pDigestToSign,
uint dwDigestToSign,
ref CRYPTOAPI_BLOB blob
ref CRYPT_INTEGER_BLOB blob
)
{
const int E_INVALIDARG = unchecked((int)0x80070057);
byte[] digest;
switch (_signingAlgorithm)
{
Expand All @@ -230,26 +271,26 @@ ref CRYPTOAPI_BLOB blob
digest = ecdsa.SignHash(pDigestToSign);
break;
default:
return E_INVALIDARG;
return HRESULT.E_INVALIDARG;
}
var resultPtr = Marshal.AllocHGlobal(digest.Length);
Marshal.Copy(digest, 0, resultPtr, digest.Length);
blob.pbData = resultPtr;
blob.pbData = (byte*)resultPtr;
blob.cbData = (uint)digest.Length;
return 0;
return HRESULT.S_OK;
}

private static unsafe void FillAppxExtension(
ref APPX_SIP_CLIENT_DATA clientData,
SignerSignEx3Flags flags,
SignerSignTimeStampFlags timestampFlags,
SIGNER_SIGN_FLAGS flags,
SIGNER_TIMESTAMP_FLAGS timestampFlags,
SIGNER_SUBJECT_INFO* signerSubjectInfo,
SIGNER_CERT* signerCert,
SIGNER_SIGNATURE_INFO* signatureInfo,
IntPtr* signerContext,
SIGNER_CONTEXT* signerContext,
char* timestampUrl,
byte* timestampOid,
SIGN_INFO* signInfo
string? timestampOid,
SIGNER_DIGEST_SIGN_INFO* signInfo
)
{
clientData.pSignerParams->dwFlags = flags;
Expand Down
2 changes: 2 additions & 0 deletions src/AzureSign.Core/AzureSign.Core.csproj
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,8 @@

<ItemGroup>
<PackageReference Include="Microsoft.Extensions.Logging" Version="6.0.0" />
<PackageReference Include="Microsoft.Windows.CsWin32" Version="0.2.229-beta" PrivateAssets="All" IncludeAssets="runtime; build; native; contentfiles; analyzers; buildtransitive" />
<PackageReference Include="Microsoft.Windows.SDK.Win32Metadata" Version="51.0.33-preview" />
<PackageReference Include="MinVer" Version="4.2.0">
<IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
<PrivateAssets>all</PrivateAssets>
Expand Down
89 changes: 0 additions & 89 deletions src/AzureSign.Core/Interop/crypt32.cs
View file
Open in desktop

This file was deleted.

Loading