I've been endlessly searching the internet for an answer to this but unfortunately can't seem to find it anywhere.
I'm trying to run the equivalent of this PowerShell command in C#, but without having to import PowerShell libraries into my code:
Get-TpmEndorsementKeyInfo -hashalgorithm sha256
Basically, all I'm trying to get to is the SHA256 representation of my TPM EK. If possible, I'd also like to retrieve the Thumbprint of the same, as the PowerShell command gives when it's run.
I've tried working with Limpet (https://github.com/ms-iot/security/tree/master/Limpet/Limpet.NET) but to no avail.
Why do I need this? I'm trying to use TPM as a mechanism to prove a PC is unique, I could then use that hash which is unique to this computer's TPM device to do other functions including possibly licensing. Either way, I'm trying to do this in C#.
Ideally I also find a way to sign messages using C# and TPM but I'll keep searching for that.
Any clues?
I know the class is defined in an assembly that is in an Azure SDK, but you could have a look at the SecurityProviderTpmHsm class which is defined in the Microsoft.Azure.Devices.Provisioning.Security.Tpm package.
Related
What I'm looking to obtain is a list of signatures on a given file that's been digitally signed ( code signing certificate ) - When you use signtool to sign with a sha1 certificate, you can also sign with a sha256 certificate for instance- Both of these signatures can be found in the file properties under Digital Signatures, under a signature list - You can also see a timestamp if you used that as well.
Is there a standard way to grab that list/details or is this diving into p/invoke territory?
var cert = X509Certificate.CreateFromSignedFile(fileName);
This almost gets me what I need, it assures me a file has a signature and can even build a certificate out of it, it seems - I can then grab the common name and such and do some basic checks from there.
I don't, however, get both signatures, and can't seem to find a way to do so.
Would prefer to do this using standard .NET if possible, but understand that may not be possible. Thanks in advance!
Got an answer for using in console, could likely adapt it for windows forms easily enough but something usable for windows forms out of the box would be great.
Can anyone point me towards a file format for OpenSSH keys? Sample code would be fantastic but even a pointer towards the relevant RFC would be a big help.
As background, I have a C# program which needs to generate a ssh key at runtime. The program will be run on Windows, Linux and Mac so I'd prefer to generate the public/private key pair in C# rather than calling out to platform-specific tools/libraries. I can generate the components of a key using System.Security.Cryptography.RSACryptoServiceProvider but suspect I'm not then writing these out correctly.
Thanks.
The Secure Shell (SSH) Public Key File Format RFC
Is that what you were looking for ?
Also worth a look (unverified by me) is if Putty uses the official libs or own implementations
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
Putty is an open source ssh client that can generate keys if I recall right. Maybe you'll find code there that's easier to take out.
Otherwise maybe just dig into ssh-keygen sources
I've been working on such code in the past, it was a real headache ;)
I'm trying to write a C# program that verifies the digital signature of exe's. The exe's are signed with an authenticode certificate, and I want to detect tampering.
I've been able to create a SignedCms instance as described here: Get timestamp from Authenticode Signed files in .NET
I assumed SignedCms.CheckSignature would do the trick, but this method never throws an exception... Even not when I modify some bits of the exe...
I'm assuming you've scoured the .NET Framework docs and didn't find what you needed. The answer to this StackOverflow question has a link that describes how to use the native Windows CryptQueryObject function to verify a signature. So all that's left is to check out PInvoke.NET to see how to bring that function into .NET.
Could you just shell to signtool.exe /verify, and check the result?
I recently wrote a simple app which signs executables using the same method, and it works great.
Signtool on MSDN
I'm developing a launcher application for a 3D game on Windows. The configuration "ini" file requires the user to specify the hardware GUID for the desired device, as in, the Device Identifier GUID returned by dxdiag.exe.
I'm trying to list the available adapters on the system, allow the user to select one and load that device's hardware GUID into the ini file.
I've examined many methods for attempting this. I've tried using the System.Management class, which returns the class GUID but not the specific driver GUID. I've tried using native calls to SetupAPI.h functions, which also seem to not be able to list the specific Device Identifier GUID. I've tried examining the registry, to see if the GUID resides there. No luck.
My best idea was probably using the Managed DirectX library to return the GUID I'm looking for, considering that's probably how dxdiag does it. I was able to enumerate and collect hardware information about each driver using the SharpDX Managed DirectX interface for .NET applications (I'm targeting framework 3.5), but again, I wasn't able to return the same GUID that dxdiag returns.
I'm really stuck for a solution. Help?
Managed to solve it myself.
Decided the best way to solve this was using DirectX. Imported DX libraries, changed my app to x86. The code I was looking for was:
Manager.Adapters[0].Information.DeviceIdentifier
I am trying to secure an application to only run from a specific USB disk.
I have code to get the serial number from the device, but the only way I can make this work the way I want to is to manually code the serial number into the binary.
Is there a way I could make a stub application that would modify the existing binary to insert the serial number into it after it's compiled?
I've seen this done in C++ in the past, but that was a long time ago and I cant quite remember how we did it back then.
Storing it in the assembly is a bad idea. Here is what I would do (and have done similar in the past):
Be sure you are signing your assemblies.
Create an XML document that contains your licensing data - in your case the serial number of the USB device.
Utilize the SignedXml library in .NET (implements XMLDSIG) to sign the licensing XML document that contains the serial number. You will use the same private key that is used to sign the assembly.
When your app starts up, it verifies that the signature of the XML file is valid using the public key that it was signed with (and is embedded in the assembly).
Obviously you don't ship your private key, so if the app needs to generate the XML config file itself (rather than it be a file you ship to the user) you will need to implement a web service.
I don't know, but that hasn't stopped me from answering before.
Maybe figure out where you want to store the SN in the executable (it should be only one place, right?) and just treat the executable as a giant binary blob, and use the stub program to insert it where it needs to go?
Perhaps you want to get a separate USB license key like these ones:
http://www.bhphotovideo.com/c/buy/USB-License-Keys/ci/12454/N/4294550039
???
Why would anybody want to save anything inside an executable. If you're planning to sign the executable for distribution changing the executable in some way would break the signing and saving something in binary to the executable won't prevent someone from taking the value out the executable.
Best thing you can do is store the serial number to a file, registry, or other place then encrypt the value so it can't be modified without breaking it. I use a library that ships with License Vault from a fairly new company called SpearmanTech. You can use their library to store encrypted values to the .NET machine.config file in an encrypted form so it can't be tampered with. This way you can pull the information from the .config file when your application starts.
Are you writing a .NET application in C++ or native C++ well either way you should be able to communicate with the .NET framework so this solution would work.
I would check out their product at http://www.spearmantech.com. Hope it works for you.