C#如何获取.dll或.exe文件数字签名者证书信息,即使证书已过期? [英] C# How to get .dll or .exe files digital signer certificate info even the certificate expired?
问题描述
我正在使用C#检查一些exe或dll文件数字证书.
I'm using C# check some exe or dll file digital certificate.
Assembly asm = Assembly.LoadFrom(assembly);
Module module = asm.GetModules().First();
System.Security.Cryptography.X509Certificates.X509Certificate certificate = module.GetSignerCertificate();
// it will null if the certificate time expired
if (null != certificate)
{
if (certificate.Subject.Contains("Company Name"))
Console.Write("success");
else
Console.Write("invalid");
}
else
{
Console.Write("failed");
}
但是现在的问题是:如果证书时间到期,或者是因为将本地时间修改为证书时间之后,则代码为 module.GetSignerCertificate()始终为 null .
But now problem is : If the certificate time is expired, or because modify local time to after certificate time the code module.GetSignerCertificate() always get null.
因为我只想检查程序集是否具有数字证书和公司名称,而不是检查时间,所以有什么方法可以使用其他方法检查它还是不让它为空?
Because I just want check the assembly has digital certificate and company name, not check the time, So Is there any way can check it use other way or not let it null?
推荐答案
该模块未正确签名.签名正确的模块包括时间戳.验证规则指示证书在签名时(在时间戳记时)应该已经有效.在 https://stackoverflow.com/a/3428386/105929 上阅读此答案以获取更多详细信息.
The module is incorrectly signed. A properly signed module includes the timestamp when the module was signed. The validation rule dictates that the certificate should had been valid at the moment of signing (this, at the timestamp). Read this answer here https://stackoverflow.com/a/3428386/105929 for more details.
如果这是您自己的模块,那么最好的操作是修改您的发布签名,以在签名中包含时间戳.阅读时间戳认证码签名了解操作的操作方式(时间戳涉及证书CA提供的URL服务).另请阅读
If this is your own module, then the best action is to modify your release sign-off to include a timestamp in the signature. Read Time Stamping Authenticode Signatures to understand how to do it (time stamping involves a URL service provided by your certificate CA). Also read Everything you need to know about Authenticode Code Signing.
关于您的问题:如果您查看 模块.cs 参考代码,您会看到该实现是本机的,并且您无法对其进行修改:
As to your question: if you look at module.cs reference code, you'll see that the implementation is native and not much you can do about it to modify it:
[System.Security.SecurityCritical] // auto-generated
[ResourceExposure(ResourceScope.None)]
[DllImport(JitHelpers.QCall, CharSet = CharSet.Unicode)]
[SuppressUnmanagedCodeSecurity]
static private extern void GetSignerCertificate(RuntimeModule module, ObjectHandleOnStack retData);
You could instead use the signtool.exe verify command, afaik it has options to display all certificates, including expired ones on modules lacking a proper timestamp.
模块正确.因为在它过期之前,它可以很好地使用.不为空.它过期后,还是我更改了系统时间.它将为空
The module is correct. Because before it expired, it can use very well. not get null. after it expired, or I change my system time. it will get null
很容易证明这是不正确的.在您的计算机上找到一个旧的正确签名的程序集,该程序集由认真的供应商分发,他们知道自己在做什么.例如.我在我的机器上找到了此文件: c:\ Program Files(x86)\ Microsoft SQL Server \ 100 \ Setup Bootstrap \ Release \ x64 \ Microsoft.AnalysisServices.DLL .查看数字签名属性:
This can easily be proven to be incorrect. Find an old correctly signed assembly on your machine, one distributed by a serious vendor that knows what is doing. Eg. I found this on my machine: c:\Program Files (x86)\Microsoft SQL Server\100\Setup Bootstrap\Release\x64\Microsoft.AnalysisServices.DLL. Look at the Digital Signature properties:
请注意签名时间戳(20110922)和证书有效期(20120521).
Do note the signature timestamp (20110922) and the certificate expiration (20120521).
编写一个小应用程序以使用CLR API获得证书:
Write a small app to get the cert using CLR API:
static void Main(string[] args)
{
Assembly asm = Assembly.LoadFile(@"c:\Program Files (x86)\Microsoft SQL Server\100\Setup Bootstrap\Release\x64\Microsoft.AnalysisServices.DLL");
Module m = asm.GetModules()[0];
var cert = m.GetSignerCertificate();
Console.WriteLine("{0}", cert);
}
是否找到了证书?是的.证书过期了吗?是的.是否使用时间戳图对模块进行了正确签名?是的.
Is the certificate found? Yes. Is the certificate expired? Yes. Is the module properly signed, using a timestmap? Yes.
QED
这篇关于C#如何获取.dll或.exe文件数字签名者证书信息,即使证书已过期?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
