SHA2 chain validation.

vcsjones · vcsjones · commit ada54b4ad06d · 2016-04-13T18:17:35.000-04:00
Validates that the chain uses SHA2 EE and intermediate certificates. This does not fully validate the chain, such as the EKU, etc. This will instead be done as part of WinVerifyTrustEx in a later check. Fixes #2.
diff --git a/AuthenticodeLint/AuthenticodeLint.csproj b/AuthenticodeLint/AuthenticodeLint.csproj
@@ -69,7 +69,9 @@
     <Compile Include="Rules\RuleResult.cs" />
     <Compile Include="Rules\Sha1PrimarySignatureRule.cs" />
     <Compile Include="Rules\Sha2SignatureExistsRule.cs" />
+    <Compile Include="Rules\SigningCertificateDigestAlgorithmRule.cs" />
     <Compile Include="Rules\TimestampedRule.cs" />
+    <Compile Include="Signature.cs" />
     <Compile Include="SignatureExtractor.cs" />
     <Compile Include="Graph.cs" />
     <Compile Include="SignerInfoExtensions.cs" />
diff --git a/AuthenticodeLint/CheckEngine.cs b/AuthenticodeLint/CheckEngine.cs
@@ -1,8 +1,5 @@
 ﻿using System.Collections.Generic;
 using AuthenticodeLint.Rules;
-using System.Security.Cryptography.Pkcs;
-using System;
-using System.IO;
 
 namespace AuthenticodeLint
 {
@@ -24,11 +21,12 @@ public IReadOnlyList<IAuthenticodeRule> GetRules()
                 new NoWeakFileDigestAlgorithmsRule(),
                 new TimestampedRule(),
                 new PublisherInformationPresentRule(),
-                new PublisherInformationUrlHttpsRule()
+                new PublisherInformationUrlHttpsRule(),
+                new SigningCertificateDigestAlgorithmRule()
             };
         }
 
-        public RuleEngineResult RunAllRules(string file, Graph<SignerInfo> signatures, List<IRuleResultCollector> collectors, HashSet<int> suppressedRuleIDs, bool verbose)
+        public RuleEngineResult RunAllRules(string file, Graph<Signature> signatures, List<IRuleResultCollector> collectors, HashSet<int> suppressedRuleIDs, bool verbose)
         {
 
             var rules = GetRules();
diff --git a/AuthenticodeLint/KnownOids.cs b/AuthenticodeLint/KnownOids.cs
@@ -1,19 +1,33 @@
-﻿namespace AuthenticodeLint
+﻿using System.Security.Cryptography;
+
+namespace AuthenticodeLint
 {
     internal static class KnownOids
     {
-        public static string SHA1 { get; } = "1.3.14.3.2.26";
-        public static string SHA256 { get; } = "2.16.840.1.101.3.4.2.1";
-        public static string SHA384 { get; } = "2.16.840.1.101.3.4.2.2";
-        public static string SHA512 { get; } = "2.16.840.1.101.3.4.2.3";
-        public static string MD5 { get; } = "1.2.840.113549.2.5";
-        public static string MD4 { get; } = "1.2.840.113549.2.4";
-        public static string MD2 { get; } = "1.2.840.113549.2.2";
+        public const string SHA1 = "1.3.14.3.2.26";
+        public const string SHA256 = "2.16.840.1.101.3.4.2.1";
+        public const string SHA384 = "2.16.840.1.101.3.4.2.2";
+        public const string SHA512 = "2.16.840.1.101.3.4.2.3";
+        public const string MD5 = "1.2.840.113549.2.5";
+        public const string MD4 = "1.2.840.113549.2.4";
+        public const string MD2 = "1.2.840.113549.2.2";
+
+        public const string Rfc3161CounterSignature = "1.3.6.1.4.1.311.3.3.1";
+        public const string AuthenticodeCounterSignature = "1.2.840.113549.1.9.6";
+        public const string MessageDigest = "1.2.840.113549.1.9.4";
+        public const string OpusInfo  = "1.3.6.1.4.1.311.2.1.12";
+        public const string CodeSigning = "1.3.6.1.5.5.7.3.3";
 
 
-        public static string Rfc3161CounterSignature { get; } = "1.3.6.1.4.1.311.3.3.1";
-        public static string AuthenticodeCounterSignature { get; } = "1.2.840.113549.1.9.6";
-        public static string MessageDigest { get; } = "1.2.840.113549.1.9.4";
-        public static string OpusInfo { get; } = "1.3.6.1.4.1.311.2.1.12";
+        public const string md5RSA = "1.2.840.113549.1.1.4";
+        public const string sha1DSA = "1.2.840.10040.4.3";
+        public const string sha1RSA = "1.2.840.113549.1.1.5";
+        public const string sha256RSA = "1.2.840.113549.1.1.11";
+        public const string sha384RSA = "1.2.840.113549.1.1.12";
+        public const string sha512RSA = "1.2.840.113549.1.1.13";
+        public const string sha1ECDSA = "1.2.840.10045.4.1";
+        public const string sha256ECDSA = "1.2.840.10045.4.3.2";
+        public const string sha384ECDSA = "1.2.840.10045.4.3.3";
+        public const string sha512ECDSA = "1.2.840.10045.4.3.4";
     }
 }
diff --git a/AuthenticodeLint/Rules/IAuthenticodeRule.cs b/AuthenticodeLint/Rules/IAuthenticodeRule.cs
@@ -1,14 +1,10 @@
-﻿using System.Collections.Generic;
-using System.IO;
-using System.Security.Cryptography.Pkcs;
-
-namespace AuthenticodeLint.Rules
+﻿namespace AuthenticodeLint.Rules
 {
     public interface IAuthenticodeRule
     {
         int RuleId { get; }
         string ShortDescription { get; }
         string RuleName { get; }
-        RuleResult Validate(Graph<SignerInfo> graph, SignatureLoggerBase verboseWriter);
+        RuleResult Validate(Graph<Signature> graph, SignatureLoggerBase verboseWriter);
     }
 }
diff --git a/AuthenticodeLint/Rules/NoWeakFileDigestAlgorithmsRule.cs b/AuthenticodeLint/Rules/NoWeakFileDigestAlgorithmsRule.cs
@@ -1,6 +1,4 @@
-﻿using System.Security.Cryptography.Pkcs;
-
-namespace AuthenticodeLint.Rules
+﻿namespace AuthenticodeLint.Rules
 {
     public class NoWeakFileDigestAlgorithmsRule : IAuthenticodeRule
     {
@@ -10,25 +8,26 @@ public class NoWeakFileDigestAlgorithmsRule : IAuthenticodeRule
 
         public string ShortDescription { get; } = "Checks for weak file digest algorithms.";
 
-        public RuleResult Validate(Graph<SignerInfo> graph, SignatureLoggerBase verboseWriter)
+        public RuleResult Validate(Graph<Signature> graph, SignatureLoggerBase verboseWriter)
         {
             var signatures = graph.VisitAll();
             var result = RuleResult.Pass;
             foreach(var signature in signatures)
             {
-                if (signature.DigestAlgorithm.Value == KnownOids.MD2)
+                var signatureInfo = signature.SignerInfo;
+                if (signatureInfo.DigestAlgorithm.Value == KnownOids.MD2)
                 {
-                    verboseWriter.LogSignatureMessage(signature, $"Uses the {nameof(KnownOids.MD2)} digest algorithm.");
+                    verboseWriter.LogSignatureMessage(signatureInfo, $"Uses the {nameof(KnownOids.MD2)} digest algorithm.");
                     result = RuleResult.Fail;
                 }
-                else if (signature.DigestAlgorithm.Value == KnownOids.MD4)
+                else if (signatureInfo.DigestAlgorithm.Value == KnownOids.MD4)
                 {
-                    verboseWriter.LogSignatureMessage(signature, $"Uses the {nameof(KnownOids.MD4)} digest algorithm.");
+                    verboseWriter.LogSignatureMessage(signatureInfo, $"Uses the {nameof(KnownOids.MD4)} digest algorithm.");
                     result = RuleResult.Fail;
                 }
-                else if (signature.DigestAlgorithm.Value == KnownOids.MD5)
+                else if (signatureInfo.DigestAlgorithm.Value == KnownOids.MD5)
                 {
-                    verboseWriter.LogSignatureMessage(signature, $"Uses the {nameof(KnownOids.MD5)} digest algorithm.");
+                    verboseWriter.LogSignatureMessage(signatureInfo, $"Uses the {nameof(KnownOids.MD5)} digest algorithm.");
                     result = RuleResult.Fail;
                 }
             }
diff --git a/AuthenticodeLint/Rules/PublisherInformationRule.cs b/AuthenticodeLint/Rules/PublisherInformationRule.cs
@@ -7,18 +7,19 @@ public class PublisherInformationPresentRule : IAuthenticodeRule
     {
         public int RuleId { get; } = 10004;
 
-        public string RuleName { get; } = "Publisher Information Rule";
+        public string RuleName { get; } = "Publisher Information Present";
 
         public string ShortDescription { get; } = "Checks that the signature provided publisher information.";
 
-        public RuleResult Validate(Graph<SignerInfo> graph, SignatureLoggerBase verboseWriter)
+        public RuleResult Validate(Graph<Signature> graph, SignatureLoggerBase verboseWriter)
         {
             var signatures = graph.VisitAll();
             var result = RuleResult.Pass;
-            foreach(var signature in signatures)
+            foreach (var signature in signatures)
             {
+                var signatureInfo = signature.SignerInfo;
                 PublisherInformation info = null;
-                foreach(var attribute in signature.SignedAttributes)
+                foreach (var attribute in signatureInfo.SignedAttributes)
                 {
                     if (attribute.Oid.Value == KnownOids.OpusInfo)
                     {
@@ -29,24 +30,27 @@ public RuleResult Validate(Graph<SignerInfo> graph, SignatureLoggerBase verboseW
                 if (info == null)
                 {
                     result = RuleResult.Fail;
-                    verboseWriter.LogSignatureMessage(signature, "Signature does not have any publisher information.");
+                    verboseWriter.LogSignatureMessage(signatureInfo, "Signature does not have any publisher information.");
                 }
                 if (string.IsNullOrWhiteSpace(info.Description))
                 {
                     result = RuleResult.Fail;
-                    verboseWriter.LogSignatureMessage(signature, "Signature does not have an accompanying description.");
+                    verboseWriter.LogSignatureMessage(signatureInfo, "Signature does not have an accompanying description.");
                 }
 
                 if (string.IsNullOrWhiteSpace(info.UrlLink))
                 {
                     result = RuleResult.Fail;
-                    verboseWriter.LogSignatureMessage(signature, "Signature does not have an accompanying URL.");
+                    verboseWriter.LogSignatureMessage(signatureInfo, "Signature does not have an accompanying URL.");
                 }
-                Uri uri;
-                if (!Uri.TryCreate(info.UrlLink, UriKind.Absolute, out uri))
+                else
                 {
-                    result = RuleResult.Fail;
-                    verboseWriter.LogSignatureMessage(signature, "Signature's accompanying URL is not a valid URI.");
+                    Uri uri;
+                    if (!Uri.TryCreate(info.UrlLink, UriKind.Absolute, out uri))
+                    {
+                        result = RuleResult.Fail;
+                        verboseWriter.LogSignatureMessage(signatureInfo, "Signature's accompanying URL is not a valid URI.");
+                    }
                 }
             }
             return result;
diff --git a/AuthenticodeLint/Rules/PublisherInformationUrlHttpsRule.cs b/AuthenticodeLint/Rules/PublisherInformationUrlHttpsRule.cs
@@ -11,14 +11,15 @@ public class PublisherInformationUrlHttpsRule : IAuthenticodeRule
 
         public string ShortDescription { get; } = "Checks that the signature uses HTTPS for the publisher's URL.";
 
-        public RuleResult Validate(Graph<SignerInfo> graph, SignatureLoggerBase verboseWriter)
+        public RuleResult Validate(Graph<Signature> graph, SignatureLoggerBase verboseWriter)
         {
             var signatures = graph.VisitAll();
             var result = RuleResult.Pass;
             foreach(var signature in signatures)
             {
+                var signatureInfo = signature.SignerInfo;
                 PublisherInformation info = null;
-                foreach(var attribute in signature.SignedAttributes)
+                foreach(var attribute in signatureInfo.SignedAttributes)
                 {
                     if (attribute.Oid.Value == KnownOids.OpusInfo)
                     {
@@ -29,17 +30,17 @@ public RuleResult Validate(Graph<SignerInfo> graph, SignatureLoggerBase verboseW
                 if (info == null)
                 {
                     result = RuleResult.Fail;
-                    verboseWriter.LogSignatureMessage(signature, "Signature does not have any publisher information.");
+                    verboseWriter.LogSignatureMessage(signatureInfo, "Signature does not have any publisher information.");
                 }
                 if (string.IsNullOrWhiteSpace(info.UrlLink))
                 {
                     result = RuleResult.Fail;
-                    verboseWriter.LogSignatureMessage(signature, "Signature does not have an accompanying URL.");
+                    verboseWriter.LogSignatureMessage(signatureInfo, "Signature does not have an accompanying URL.");
                 }
-                if (!info.UrlLink.StartsWith(Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase))
+                else if (!info.UrlLink.StartsWith(Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase))
                 {
                     result = RuleResult.Fail;
-                    verboseWriter.LogSignatureMessage(signature, $"Signature's publisher information URL \"{info.UrlLink}\" does not use the secure HTTPS scheme.");
+                    verboseWriter.LogSignatureMessage(signatureInfo, $"Signature's publisher information URL \"{info.UrlLink}\" does not use the secure HTTPS scheme.");
                 }
             }
             return result;
diff --git a/AuthenticodeLint/Rules/Sha1PrimarySignatureRule.cs b/AuthenticodeLint/Rules/Sha1PrimarySignatureRule.cs
@@ -1,7 +1,4 @@
-﻿using System;
-using System.Collections.Generic;
-using System.Linq;
-using System.Security.Cryptography.Pkcs;
+﻿using System.Linq;
 
 namespace AuthenticodeLint.Rules
 {
@@ -13,17 +10,17 @@ public class Sha1PrimarySignatureRule : IAuthenticodeRule
 
         public string ShortDescription { get; } = "Primary signature should be SHA1.";
 
-        public RuleResult Validate(Graph<SignerInfo> graph, SignatureLoggerBase verboseWriter)
+        public RuleResult Validate(Graph<Signature> graph, SignatureLoggerBase verboseWriter)
         {
             var primary = graph.Items.SingleOrDefault()?.Node;
             //There are zero signatures.
             if (primary == null)
             {
                 return RuleResult.Fail;
             }
-            if (primary.DigestAlgorithm.Value != KnownOids.SHA1)
+            if (primary.SignerInfo.DigestAlgorithm.Value != KnownOids.SHA1)
             {
-                verboseWriter.LogSignatureMessage(primary, $"Expected {nameof(KnownOids.SHA1)} digest algorithm but is {primary.DigestAlgorithm.FriendlyName}.");
+                verboseWriter.LogSignatureMessage(primary.SignerInfo, $"Expected {nameof(KnownOids.SHA1)} digest algorithm but is {primary.SignerInfo.DigestAlgorithm.FriendlyName}.");
                 return RuleResult.Fail;
             }
             return RuleResult.Pass;
diff --git a/AuthenticodeLint/Rules/Sha2SignatureExistsRule.cs b/AuthenticodeLint/Rules/Sha2SignatureExistsRule.cs
@@ -13,13 +13,13 @@ public class Sha2SignatureExistsRule : IAuthenticodeRule
 
         public string ShortDescription { get; } = "A SHA2 signature should exist.";
 
-        public RuleResult Validate(Graph<SignerInfo> graph, SignatureLoggerBase verboseWriter)
+        public RuleResult Validate(Graph<Signature> graph, SignatureLoggerBase verboseWriter)
         {
             var signatures = graph.VisitAll();
             if (signatures.Any(s =>
-                s.DigestAlgorithm.Value == KnownOids.SHA256 ||
-                s.DigestAlgorithm.Value == KnownOids.SHA384 ||
-                s.DigestAlgorithm.Value == KnownOids.SHA512))
+                s.SignerInfo.DigestAlgorithm.Value == KnownOids.SHA256 ||
+                s.SignerInfo.DigestAlgorithm.Value == KnownOids.SHA384 ||
+                s.SignerInfo.DigestAlgorithm.Value == KnownOids.SHA512))
             {
                 return RuleResult.Pass;
             }
diff --git a/AuthenticodeLint/Rules/SigningCertificateDigestAlgorithmRule.cs b/AuthenticodeLint/Rules/SigningCertificateDigestAlgorithmRule.cs
@@ -0,0 +1,69 @@
+﻿using System.Security.Cryptography;
+using System.Security.Cryptography.Pkcs;
+using System.Security.Cryptography.X509Certificates;
+
+namespace AuthenticodeLint.Rules
+{
+    public class SigningCertificateDigestAlgorithmRule : IAuthenticodeRule
+    {
+        public int RuleId { get; } = 10006;
+
+        public string RuleName { get; } = "SHA2 Certificate Chain";
+
+        public string ShortDescription { get; } = "Checks the signing certificate's and chain's signature algorithm.";
+
+        public RuleResult Validate(Graph<Signature> graph, SignatureLoggerBase verboseWriter)
+        {
+            var signatures = graph.VisitAll();
+            var result = RuleResult.Pass;
+            foreach(var signature in signatures)
+            {
+                var certificates = signature.AdditionalCertificates;
+                using (var chain = new X509Chain())
+                {
+                    chain.ChainPolicy.ExtraStore.AddRange(certificates);
+                    chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
+                    bool success = chain.Build(signature.SignerInfo.Certificate);
+                    if (!success)
+                    {
+                        verboseWriter.LogSignatureMessage(signature.SignerInfo, $"Cannot build a chain successfully with signing certificate {signature.SignerInfo.Certificate.SerialNumber}.");
+                        result = RuleResult.Fail;
+                        continue;
+                    }
+                    var chainResult = ValidateSha2Chain(signature.SignerInfo, chain, verboseWriter);
+                    if (!chainResult)
+                    {
+                        result = RuleResult.Fail;
+                    }
+                }
+            }
+            return result;
+        }
+
+        private static bool ValidateSha2Chain(SignerInfo signatureInfo, X509Chain chain, SignatureLoggerBase verboseWriter)
+        {
+            var strongSha2Chain = true;
+            //We use count-1 because we don't want to validate SHA2 on the root certificate.
+            for(var i = 0; i < chain.ChainElements.Count-1; i++)
+            {
+                var element = chain.ChainElements[i];
+                var signatureAlgorithm = element.Certificate.SignatureAlgorithm;
+                switch (signatureAlgorithm.Value)
+                {
+                    case KnownOids.sha256ECDSA:
+                    case KnownOids.sha384ECDSA:
+                    case KnownOids.sha512ECDSA:
+                    case KnownOids.sha256RSA:
+                    case KnownOids.sha384RSA:
+                    case KnownOids.sha512RSA:
+                        continue;
+                    default:
+                        verboseWriter.LogSignatureMessage(signatureInfo, $"Certificate {element.Certificate.Thumbprint} in chain uses {element.Certificate.SignatureAlgorithm.FriendlyName} for its signature algorithm instead of SHA2.");
+                        strongSha2Chain = false;
+                        break;
+                }
+            }
+            return strongSha2Chain;
+        }
+    }
+}
diff --git a/AuthenticodeLint/Rules/TimestampedRule.cs b/AuthenticodeLint/Rules/TimestampedRule.cs
diff --git a/AuthenticodeLint/Signature.cs b/AuthenticodeLint/Signature.cs
diff --git a/AuthenticodeLint/SignatureExtractor.cs b/AuthenticodeLint/SignatureExtractor.cs

Original file line number	Diff line number	Diff line change
`@@ -1,14 +1,10 @@`
`1`		`-using System.Collections.Generic;`
`2`		`-using System.IO;`
`3`		`-using System.Security.Cryptography.Pkcs;`
`4`		`-`
`5`		`-namespace AuthenticodeLint.Rules`
	`1`	`+namespace AuthenticodeLint.Rules`
`6`	`2`	`{`
`7`	`3`	`public interface IAuthenticodeRule`
`8`	`4`	`{`
`9`	`5`	`int RuleId { get; }`
`10`	`6`	`string ShortDescription { get; }`
`11`	`7`	`string RuleName { get; }`
`12`		`- RuleResult Validate(Graph<SignerInfo> graph, SignatureLoggerBase verboseWriter);`
	`8`	`+ RuleResult Validate(Graph<Signature> graph, SignatureLoggerBase verboseWriter);`
`13`	`9`	`}`
`14`	`10`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,4 @@`
`1`		`-using System.Security.Cryptography.Pkcs;`
`2`		`-`
`3`		`-namespace AuthenticodeLint.Rules`
	`1`	`+namespace AuthenticodeLint.Rules`
`4`	`2`	`{`
`5`	`3`	`public class NoWeakFileDigestAlgorithmsRule : IAuthenticodeRule`
`6`	`4`	`{`
`@@ -10,25 +8,26 @@ public class NoWeakFileDigestAlgorithmsRule : IAuthenticodeRule`
`10`	`8`
`11`	`9`	`public string ShortDescription { get; } = "Checks for weak file digest algorithms.";`
`12`	`10`
`13`		`- public RuleResult Validate(Graph<SignerInfo> graph, SignatureLoggerBase verboseWriter)`
	`11`	`+ public RuleResult Validate(Graph<Signature> graph, SignatureLoggerBase verboseWriter)`
`14`	`12`	`{`
`15`	`13`	`var signatures = graph.VisitAll();`
`16`	`14`	`var result = RuleResult.Pass;`
`17`	`15`	`foreach(var signature in signatures)`
`18`	`16`	`{`
`19`		`- if (signature.DigestAlgorithm.Value == KnownOids.MD2)`
	`17`	`+ var signatureInfo = signature.SignerInfo;`
	`18`	`+ if (signatureInfo.DigestAlgorithm.Value == KnownOids.MD2)`
`20`	`19`	`{`
`21`		`- verboseWriter.LogSignatureMessage(signature, $"Uses the {nameof(KnownOids.MD2)} digest algorithm.");`
	`20`	`+ verboseWriter.LogSignatureMessage(signatureInfo, $"Uses the {nameof(KnownOids.MD2)} digest algorithm.");`
`22`	`21`	`result = RuleResult.Fail;`
`23`	`22`	`}`
`24`		`- else if (signature.DigestAlgorithm.Value == KnownOids.MD4)`
	`23`	`+ else if (signatureInfo.DigestAlgorithm.Value == KnownOids.MD4)`
`25`	`24`	`{`
`26`		`- verboseWriter.LogSignatureMessage(signature, $"Uses the {nameof(KnownOids.MD4)} digest algorithm.");`
	`25`	`+ verboseWriter.LogSignatureMessage(signatureInfo, $"Uses the {nameof(KnownOids.MD4)} digest algorithm.");`
`27`	`26`	`result = RuleResult.Fail;`
`28`	`27`	`}`
`29`		`- else if (signature.DigestAlgorithm.Value == KnownOids.MD5)`
	`28`	`+ else if (signatureInfo.DigestAlgorithm.Value == KnownOids.MD5)`
`30`	`29`	`{`
`31`		`- verboseWriter.LogSignatureMessage(signature, $"Uses the {nameof(KnownOids.MD5)} digest algorithm.");`
	`30`	`+ verboseWriter.LogSignatureMessage(signatureInfo, $"Uses the {nameof(KnownOids.MD5)} digest algorithm.");`
`32`	`31`	`result = RuleResult.Fail;`
`33`	`32`	`}`
`34`	`33`	`}`
Original file line number	Diff line number	Diff line change
`@@ -7,18 +7,19 @@ public class PublisherInformationPresentRule : IAuthenticodeRule`
`7`	`7`	`{`
`8`	`8`	`public int RuleId { get; } = 10004;`
`9`	`9`
`10`		`- public string RuleName { get; } = "Publisher Information Rule";`
	`10`	`+ public string RuleName { get; } = "Publisher Information Present";`
`11`	`11`
`12`	`12`	`public string ShortDescription { get; } = "Checks that the signature provided publisher information.";`
`13`	`13`
`14`		`- public RuleResult Validate(Graph<SignerInfo> graph, SignatureLoggerBase verboseWriter)`
	`14`	`+ public RuleResult Validate(Graph<Signature> graph, SignatureLoggerBase verboseWriter)`
`15`	`15`	`{`
`16`	`16`	`var signatures = graph.VisitAll();`
`17`	`17`	`var result = RuleResult.Pass;`
`18`		`- foreach(var signature in signatures)`
	`18`	`+ foreach (var signature in signatures)`
`19`	`19`	`{`
	`20`	`+ var signatureInfo = signature.SignerInfo;`
`20`	`21`	`PublisherInformation info = null;`
`21`		`- foreach(var attribute in signature.SignedAttributes)`
	`22`	`+ foreach (var attribute in signatureInfo.SignedAttributes)`
`22`	`23`	`{`
`23`	`24`	`if (attribute.Oid.Value == KnownOids.OpusInfo)`
`24`	`25`	`{`
`@@ -29,24 +30,27 @@ public RuleResult Validate(Graph<SignerInfo> graph, SignatureLoggerBase verboseW`
`29`	`30`	`if (info == null)`
`30`	`31`	`{`
`31`	`32`	`result = RuleResult.Fail;`
`32`		`- verboseWriter.LogSignatureMessage(signature, "Signature does not have any publisher information.");`
	`33`	`+ verboseWriter.LogSignatureMessage(signatureInfo, "Signature does not have any publisher information.");`
`33`	`34`	`}`
`34`	`35`	`if (string.IsNullOrWhiteSpace(info.Description))`
`35`	`36`	`{`
`36`	`37`	`result = RuleResult.Fail;`
`37`		`- verboseWriter.LogSignatureMessage(signature, "Signature does not have an accompanying description.");`
	`38`	`+ verboseWriter.LogSignatureMessage(signatureInfo, "Signature does not have an accompanying description.");`
`38`	`39`	`}`
`39`	`40`
`40`	`41`	`if (string.IsNullOrWhiteSpace(info.UrlLink))`
`41`	`42`	`{`
`42`	`43`	`result = RuleResult.Fail;`
`43`		`- verboseWriter.LogSignatureMessage(signature, "Signature does not have an accompanying URL.");`
	`44`	`+ verboseWriter.LogSignatureMessage(signatureInfo, "Signature does not have an accompanying URL.");`
`44`	`45`	`}`
`45`		`- Uri uri;`
`46`		`- if (!Uri.TryCreate(info.UrlLink, UriKind.Absolute, out uri))`
	`46`	`+ else`
`47`	`47`	`{`
`48`		`- result = RuleResult.Fail;`
`49`		`- verboseWriter.LogSignatureMessage(signature, "Signature's accompanying URL is not a valid URI.");`
	`48`	`+ Uri uri;`
	`49`	`+ if (!Uri.TryCreate(info.UrlLink, UriKind.Absolute, out uri))`
	`50`	`+ {`
	`51`	`+ result = RuleResult.Fail;`
	`52`	`+ verboseWriter.LogSignatureMessage(signatureInfo, "Signature's accompanying URL is not a valid URI.");`
	`53`	`+ }`
`50`	`54`	`}`
`51`	`55`	`}`
`52`	`56`	`return result;`
Original file line number	Diff line number	Diff line change
`@@ -11,14 +11,15 @@ public class PublisherInformationUrlHttpsRule : IAuthenticodeRule`
`11`	`11`
`12`	`12`	`public string ShortDescription { get; } = "Checks that the signature uses HTTPS for the publisher's URL.";`
`13`	`13`
`14`		`- public RuleResult Validate(Graph<SignerInfo> graph, SignatureLoggerBase verboseWriter)`
	`14`	`+ public RuleResult Validate(Graph<Signature> graph, SignatureLoggerBase verboseWriter)`
`15`	`15`	`{`
`16`	`16`	`var signatures = graph.VisitAll();`
`17`	`17`	`var result = RuleResult.Pass;`
`18`	`18`	`foreach(var signature in signatures)`
`19`	`19`	`{`
	`20`	`+ var signatureInfo = signature.SignerInfo;`
`20`	`21`	`PublisherInformation info = null;`
`21`		`- foreach(var attribute in signature.SignedAttributes)`
	`22`	`+ foreach(var attribute in signatureInfo.SignedAttributes)`
`22`	`23`	`{`
`23`	`24`	`if (attribute.Oid.Value == KnownOids.OpusInfo)`
`24`	`25`	`{`
`@@ -29,17 +30,17 @@ public RuleResult Validate(Graph<SignerInfo> graph, SignatureLoggerBase verboseW`
`29`	`30`	`if (info == null)`
`30`	`31`	`{`
`31`	`32`	`result = RuleResult.Fail;`
`32`		`- verboseWriter.LogSignatureMessage(signature, "Signature does not have any publisher information.");`
	`33`	`+ verboseWriter.LogSignatureMessage(signatureInfo, "Signature does not have any publisher information.");`
`33`	`34`	`}`
`34`	`35`	`if (string.IsNullOrWhiteSpace(info.UrlLink))`
`35`	`36`	`{`
`36`	`37`	`result = RuleResult.Fail;`
`37`		`- verboseWriter.LogSignatureMessage(signature, "Signature does not have an accompanying URL.");`
	`38`	`+ verboseWriter.LogSignatureMessage(signatureInfo, "Signature does not have an accompanying URL.");`
`38`	`39`	`}`
`39`		`- if (!info.UrlLink.StartsWith(Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase))`
	`40`	`+ else if (!info.UrlLink.StartsWith(Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase))`
`40`	`41`	`{`
`41`	`42`	`result = RuleResult.Fail;`
`42`		`- verboseWriter.LogSignatureMessage(signature, $"Signature's publisher information URL \"{info.UrlLink}\" does not use the secure HTTPS scheme.");`
	`43`	`+ verboseWriter.LogSignatureMessage(signatureInfo, $"Signature's publisher information URL \"{info.UrlLink}\" does not use the secure HTTPS scheme.");`
`43`	`44`	`}`
`44`	`45`	`}`
`45`	`46`	`return result;`
Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,4 @@`
`1`		`-using System;`
`2`		`-using System.Collections.Generic;`
`3`		`-using System.Linq;`
`4`		`-using System.Security.Cryptography.Pkcs;`
	`1`	`+using System.Linq;`
`5`	`2`
`6`	`3`	`namespace AuthenticodeLint.Rules`
`7`	`4`	`{`
`@@ -13,17 +10,17 @@ public class Sha1PrimarySignatureRule : IAuthenticodeRule`
`13`	`10`
`14`	`11`	`public string ShortDescription { get; } = "Primary signature should be SHA1.";`
`15`	`12`
`16`		`- public RuleResult Validate(Graph<SignerInfo> graph, SignatureLoggerBase verboseWriter)`
	`13`	`+ public RuleResult Validate(Graph<Signature> graph, SignatureLoggerBase verboseWriter)`
`17`	`14`	`{`
`18`	`15`	`var primary = graph.Items.SingleOrDefault()?.Node;`
`19`	`16`	`//There are zero signatures.`
`20`	`17`	`if (primary == null)`
`21`	`18`	`{`
`22`	`19`	`return RuleResult.Fail;`
`23`	`20`	`}`
`24`		`- if (primary.DigestAlgorithm.Value != KnownOids.SHA1)`
	`21`	`+ if (primary.SignerInfo.DigestAlgorithm.Value != KnownOids.SHA1)`
`25`	`22`	`{`
`26`		`- verboseWriter.LogSignatureMessage(primary, $"Expected {nameof(KnownOids.SHA1)} digest algorithm but is {primary.DigestAlgorithm.FriendlyName}.");`
	`23`	`+ verboseWriter.LogSignatureMessage(primary.SignerInfo, $"Expected {nameof(KnownOids.SHA1)} digest algorithm but is {primary.SignerInfo.DigestAlgorithm.FriendlyName}.");`
`27`	`24`	`return RuleResult.Fail;`
`28`	`25`	`}`
`29`	`26`	`return RuleResult.Pass;`
Original file line number	Diff line number	Diff line change
`@@ -13,13 +13,13 @@ public class Sha2SignatureExistsRule : IAuthenticodeRule`
`13`	`13`
`14`	`14`	`public string ShortDescription { get; } = "A SHA2 signature should exist.";`
`15`	`15`
`16`		`- public RuleResult Validate(Graph<SignerInfo> graph, SignatureLoggerBase verboseWriter)`
	`16`	`+ public RuleResult Validate(Graph<Signature> graph, SignatureLoggerBase verboseWriter)`
`17`	`17`	`{`
`18`	`18`	`var signatures = graph.VisitAll();`
`19`	`19`	`if (signatures.Any(s =>`
`20`		`- s.DigestAlgorithm.Value == KnownOids.SHA256 \|\|`
`21`		`- s.DigestAlgorithm.Value == KnownOids.SHA384 \|\|`
`22`		`- s.DigestAlgorithm.Value == KnownOids.SHA512))`
	`20`	`+ s.SignerInfo.DigestAlgorithm.Value == KnownOids.SHA256 \|\|`
	`21`	`+ s.SignerInfo.DigestAlgorithm.Value == KnownOids.SHA384 \|\|`
	`22`	`+ s.SignerInfo.DigestAlgorithm.Value == KnownOids.SHA512))`
`23`	`23`	`{`
`24`	`24`	`return RuleResult.Pass;`
`25`	`25`	`}`