Rely only on Authenticode to avoid possible signature hack

Belphemur · Belphemur · commit 2723a8604210 · 2020-04-03T19:54:39.000-04:00
Fixes #415
diff --git a/.idea/.idea.SoundSwitch/.idea/contentModel.xml b/.idea/.idea.SoundSwitch/.idea/contentModel.xml
diff --git a/SoundSwitch/Framework/Updater/SignatureChecker.cs b/SoundSwitch/Framework/Updater/SignatureChecker.cs
@@ -12,38 +12,32 @@
 * GNU General Public License for more details.
 ********************************************************************/
 
+using System;
+using System.Linq;
 using System.Security.Cryptography.X509Certificates;
+using AuthenticodeExaminer;
 
 namespace SoundSwitch.Framework.Updater
 {
     public static class SignatureChecker
     {
+        private static string _certumSubject = "E=soundswitch@aaflalo.me, CN=\"Open Source Developer, Antoine Aflalo\", O=Open Source Developer, S=Quebec, C=CA";
 
-        private static string _publicKey = "3082020A0282020100C9EAE3B1E873CE4F55AE1319171EED0B6B9D62DA5BC505BE864A98DC7C70C8B0AB2AD75644FB0E32176196F40A73CC2D1709F9F8C1FDF87732661D02C0C1F94956A57FA20A84408FA26BB46F59D581137257D3804EFBFA6B63CF7DF0F94E1060137FBC278D38EBCE304B9D73DF5D412DFF5BA2457130DD091C7059F73B3FC236BDB2F0A43DCD2F79843096D100CD7FFD35C282AE2AC0F716006EEB37BA832DF9758B7C2E1DCFC9D533472F01833E1C7AB46550B4C33D63A490E14FB5E3DDD1C505F590724FCA714E45DFE005CA52DBDF4272E54A3D27CDF4C0E08B4C991F48C77166197A44F1DB1A81C3D89E47F67E74C4265663BDC1332E438559EEB61056E57759F7A3D6576D6E9186C923E629B88D0C558C43ADA0C7CFB79E29993768CA9B6E81BACE389380E367E46C8E28077DA2C1FD02C50CF541ADBF05C170A13AFA80F66E8C7775D741C8D4F20FB990B934B9668BBE791F72367DB5D12E072BC692DAFDCF49327962B3E7904107EF3AA975C8524B3EB9F6F61E2B94F30292847559DD8A235DA7FF88F7F0B3CFF21D5BFD7452580FC8E24780C7EAB0E2B37791844522561392BA0F268641D25BF98E4EAA492B7563A1714505FEEDE82A560774A55E1C7D69B91328184607C3867E2E27D00E417CF6B8BC8B3A3B21CC1E775F7B655C39541342D492071AFBE5E2B89A136055429EA0A5E1C762AA5DE75A2625F78C4CD50203010001";
-        private static string _serialNumber = "942A37BCA9A9889442F6710533CB5548";
         /// <summary>
         /// Does the given file have the right signature
         /// </summary>
         /// <param name="filename"></param>
         /// <returns></returns>
         public static bool IsValid(string filename)
         {
-            var certificate = X509Certificate.CreateFromSignedFile(filename);
-            return IsSelfSigned(certificate) || IsCertumSigned(certificate);
+            return IsCertumSigned(filename);
         }
 
-        private static bool IsCertumSigned(X509Certificate certificate)
+        private static bool IsCertumSigned(string filename)
         {
-            return certificate.Issuer.Contains("Certum")
-                   && certificate.Subject.Contains("Antoine Aflalo")
-                   && certificate.Subject.Contains("soundswitch");
-        }
-
-        private static bool IsSelfSigned(X509Certificate certificate)
-        {
-            return certificate.GetPublicKeyString() == _publicKey
-                   && certificate.Issuer.Contains("CN=aaflalo.me")
-                   && certificate.GetSerialNumberString() == _serialNumber;
+            var inspector = new FileInspector(filename);
+            return inspector.Validate() == SignatureCheckResult.Valid
+                   && inspector.GetSignatures().FirstOrDefault(signature => signature.SigningCertificate.Subject == _certumSubject) != null;
         }
     }
 }
diff --git a/SoundSwitch/SoundSwitch.csproj b/SoundSwitch/SoundSwitch.csproj
@@ -130,6 +130,10 @@
   <PropertyGroup />
   <ItemGroup>
     <Reference Include="Accessibility" />
+    <Reference Include="AuthenticodeExaminer, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null">
+      <HintPath>..\packages\AuthenticodeExaminer.0.3.0\lib\net461\AuthenticodeExaminer.dll</HintPath>
+      <Private>True</Private>
+    </Reference>
     <Reference Include="Microsoft.CSharp" />
     <Reference Include="Microsoft.WindowsAPICodePack, Version=1.1.3.3, Culture=neutral, PublicKeyToken=8985beaab7ea3f04, processorArchitecture=MSIL">
       <HintPath>..\packages\Microsoft-WindowsAPICodePack-Core.1.1.3.3\lib\net452\Microsoft.WindowsAPICodePack.dll</HintPath>
@@ -179,6 +183,7 @@
     <Reference Include="System.IO.Compression.FileSystem" />
     <Reference Include="System.Runtime.Caching" />
     <Reference Include="System.Runtime.Remoting" />
+    <Reference Include="System.Security" />
     <Reference Include="System.Windows.Forms" />
     <Reference Include="System.Xml" />
     <Reference Include="System.Xml.Linq" />
diff --git a/SoundSwitch/packages.config b/SoundSwitch/packages.config
@@ -1,5 +1,6 @@
 ﻿<?xml version="1.0" encoding="utf-8"?>
 <packages>
+  <package id="AuthenticodeExaminer" version="0.3.0" targetFramework="net472" />
   <package id="Microsoft-WindowsAPICodePack-Core" version="1.1.3.3" targetFramework="net47" />
   <package id="NAudio" version="1.9.0" targetFramework="net472" />
   <package id="Newtonsoft.Json" version="12.0.3" targetFramework="net472" />

Original file line number	Diff line number	Diff line change
`@@ -12,38 +12,32 @@`
`12`	`12`	`* GNU General Public License for more details.`
`13`	`13`	`********************************************************************/`
`14`	`14`
	`15`	`+using System;`
	`16`	`+using System.Linq;`
`15`	`17`	`using System.Security.Cryptography.X509Certificates;`
	`18`	`+using AuthenticodeExaminer;`
`16`	`19`
`17`	`20`	`namespace SoundSwitch.Framework.Updater`
`18`	`21`	`{`
`19`	`22`	`public static class SignatureChecker`
`20`	`23`	`{`
	`24`	`+ private static string _certumSubject = "[email protected], CN=\"Open Source Developer, Antoine Aflalo\", O=Open Source Developer, S=Quebec, C=CA";`
`21`	`25`
`22`		- private static string _publicKey = "3082020A0282020100C9EAE3B1E873CE4F55AE1319171EED0B6B9D62DA5BC505BE864A98DC7C70C8B0AB2AD75644FB0E32176196F40A73CC2D1709F9F8C1FDF87732661D02C0C1F94956A57FA20A84408FA26BB46F59D581137257D3804EFBFA6B63CF7DF0F94E1060137FBC278D38EBCE304B9D73DF5D412DFF5BA2457130DD091C7059F73B3FC236BDB2F0A43DCD2F79843096D100CD7FFD35C282AE2AC0F716006EEB37BA832DF9758B7C2E1DCFC9D533472F01833E1C7AB46550B4C33D63A490E14FB5E3DDD1C505F590724FCA714E45DFE005CA52DBDF4272E54A3D27CDF4C0E08B4C991F48C77166197A44F1DB1A81C3D89E47F67E74C4265663BDC1332E438559EEB61056E57759F7A3D6576D6E9186C923E629B88D0C558C43ADA0C7CFB79E29993768CA9B6E81BACE389380E367E46C8E28077DA2C1FD02C50CF541ADBF05C170A13AFA80F66E8C7775D741C8D4F20FB990B934B9668BBE791F72367DB5D12E072BC692DAFDCF49327962B3E7904107EF3AA975C8524B3EB9F6F61E2B94F30292847559DD8A235DA7FF88F7F0B3CFF21D5BFD7452580FC8E24780C7EAB0E2B37791844522561392BA0F268641D25BF98E4EAA492B7563A1714505FEEDE82A560774A55E1C7D69B91328184607C3867E2E27D00E417CF6B8BC8B3A3B21CC1E775F7B655C39541342D492071AFBE5E2B89A136055429EA0A5E1C762AA5DE75A2625F78C4CD50203010001";
`23`		`- private static string _serialNumber = "942A37BCA9A9889442F6710533CB5548";`
`24`	`26`	`/// <summary>`
`25`	`27`	`/// Does the given file have the right signature`
`26`	`28`	`/// </summary>`
`27`	`29`	`/// <param name="filename"></param>`
`28`	`30`	`/// <returns></returns>`
`29`	`31`	`public static bool IsValid(string filename)`
`30`	`32`	`{`
`31`		`- var certificate = X509Certificate.CreateFromSignedFile(filename);`
`32`		`- return IsSelfSigned(certificate) \|\| IsCertumSigned(certificate);`
	`33`	`+ return IsCertumSigned(filename);`
`33`	`34`	`}`
`34`	`35`
`35`		`- private static bool IsCertumSigned(X509Certificate certificate)`
	`36`	`+ private static bool IsCertumSigned(string filename)`
`36`	`37`	`{`
`37`		`- return certificate.Issuer.Contains("Certum")`
`38`		`- && certificate.Subject.Contains("Antoine Aflalo")`
`39`		`- && certificate.Subject.Contains("soundswitch");`
`40`		`- }`
`41`		`-`
`42`		`- private static bool IsSelfSigned(X509Certificate certificate)`
`43`		`- {`
`44`		`- return certificate.GetPublicKeyString() == _publicKey`
`45`		`- && certificate.Issuer.Contains("CN=aaflalo.me")`
`46`		`- && certificate.GetSerialNumberString() == _serialNumber;`
	`38`	`+ var inspector = new FileInspector(filename);`
	`39`	`+ return inspector.Validate() == SignatureCheckResult.Valid`
	`40`	`+ && inspector.GetSignatures().FirstOrDefault(signature => signature.SigningCertificate.Subject == _certumSubject) != null;`
`47`	`41`	`}`
`48`	`42`	`}`
`49`	`43`	`}`