Using CryptUIWizDigitalSign() to sign a BLOB

[AlanCordner]

I have been able to successfully sign a dynamically generated executable using the CryptUIWizDigitalSign() function directly in my C# application, but what I really need to be able to do is sign a BLOB (byte array) so that I don't have to write it to disk first. So far, I have been unsuccessful in doing this. I keep getting an error 0x80070057 (Parameter is incorrect). When I saw your library contains support for this function I decided to try it. Unfortunately I am also unable to get it to work. I was hoping there would be a Unit Test that contained an example of using this function to sign a BLOB, but no such luck. I was wondering if anyone would be able to tell me what I am doing wrong?
This is my test app code:

using System;
using System.Runtime.InteropServices;
using System.Security.Cryptography.X509Certificates;
using Vanara.PInvoke;

namespace TestVanaraLibrary
{
    internal class Program
    {
        static void Main(string[] args)
        {
            var certificatePath = @"C:\Temp\MyCertificate.pfx";
            var certificatePassword = "~CertPassword~";
            var applicationContent = System.IO.File.ReadAllBytes(@"C:\temp\application.exe");

            var cert = new X509Certificate2(certificatePath, certificatePassword);
            var pSigningCertContext = cert.Handle;

            var size = Marshal.SizeOf(applicationContent[0]) * applicationContent.Length;
            IntPtr ptrBlob = Marshal.AllocHGlobal(size);
            Marshal.Copy(applicationContent, 0, ptrBlob, size);

            CryptUI.CRYPTUI_WIZ_DIGITAL_SIGN_BLOB_INFO blobInfo = new CryptUI.CRYPTUI_WIZ_DIGITAL_SIGN_BLOB_INFO()
            {
                dwSize = (uint)Marshal.SizeOf(typeof(CryptUI.CRYPTUI_WIZ_DIGITAL_SIGN_BLOB_INFO)),
                pGuidSubject = IntPtr.Zero,
                cbBlob = (uint)ptrBlob,
                pbBlob = IntPtr.Zero,
                pwszDisplayName = null
            };

            IntPtr pBlobInfo = Marshal.AllocHGlobal(Marshal.SizeOf(blobInfo));
            Marshal.StructureToPtr(blobInfo, pBlobInfo, false);

            CryptUI.CRYPTUI_WIZ_DIGITAL_SIGN_INFO.CRYPTUI_WIZ_DIGITAL_SIGN_INFO_UNION toSign = new CryptUI.CRYPTUI_WIZ_DIGITAL_SIGN_INFO.CRYPTUI_WIZ_DIGITAL_SIGN_INFO_UNION()
            {
                pSignBlobInfo = pBlobInfo
            };

            CryptUI.CRYPTUI_WIZ_DIGITAL_SIGN_INFO digitalSignInfo = new CryptUI.CRYPTUI_WIZ_DIGITAL_SIGN_INFO()
            {
                dwSize = (uint)Marshal.SizeOf(typeof(CryptUI.CRYPTUI_WIZ_DIGITAL_SIGN_INFO)),
                dwSubjectChoice = CryptUI.CryptUIWizToSign.CRYPTUI_WIZ_DIGITAL_SIGN_SUBJECT_BLOB,
                ToSign = toSign,
                dwSigningCertChoice = CryptUI.CryptUIWizSignLoc.CRYPTUI_WIZ_DIGITAL_SIGN_CERT,
                pSigningCertObject = pSigningCertContext,
                pwszTimestampURL = null,
                dwAdditionalCertChoice = 0,
                pSignExtInfo = IntPtr.Zero
            };

            CryptUI.SafePCCRYPTUI_WIZ_DIGITAL_SIGN_CONTEXT pSignContext = default(CryptUI.SafePCCRYPTUI_WIZ_DIGITAL_SIGN_CONTEXT);

            var result = CryptUI.CryptUIWizDigitalSign(CryptUI.CryptUIWizFlags.CRYPTUI_WIZ_NO_UI, HWND.NULL, null, digitalSignInfo, out pSignContext);
            Console.WriteLine(result);
        }
    }
}

I had previously created a post on StackOverflow with my attempt at using the CryptoUI library directly, but I have received no responses there as of yet: https://stackoverflow.com/questions/77017250/using-cryptui-library-to-sign-byte-array-in-c-sharp

[dahall]

I'm not sure why you need the blob, and I'm not sure how to get that working, but I was able to do this with a real DER cert.

using var cert = new X509Certificate2(@"C:\Temp\test.cer", "~CertPassword~");
using SafeCoTaskMemString pFile = new(@"C:\temp\application.exe");

var signInfo = new CRYPTUI_WIZ_DIGITAL_SIGN_INFO()
{
   dwSize = (uint)Marshal.SizeOf(typeof(CRYPTUI_WIZ_DIGITAL_SIGN_INFO)),
   dwSubjectChoice = CryptUIWizToSign.CRYPTUI_WIZ_DIGITAL_SIGN_SUBJECT_FILE,
   ToSign = new () { pwszFileName = (System.IntPtr)pFile },
   dwSigningCertChoice = CryptUIWizSignLoc.CRYPTUI_WIZ_DIGITAL_SIGN_CERT,
   pSigningCertObject = cert.Handle,
};

CryptUIWizDigitalSign(CryptUIWizFlags.CRYPTUI_WIZ_NO_UI, default, default, signInfo, out _);

[dahall]

This same code failed with the .PFX cert.

[AlanCordner]

Thanks for your response. I have been able to successfully sign a .exe file with a .pfx using dwSubjectChoice = CryptUIWizToSign.CRYPTUI_WIZ_DIGITAL_SIGN_SUBJECT_FILE.
The reason I am trying to get the BLOB to work is that I am generating an executable on-the-fly and the content ends up in a byte array. To avoid having to write the file to disk before signing it, then reading the file back in after signing it so that it can be downloaded, I am trying to take the file system out of the process, and just sign the byte array directly.

[AlanCordner]

See my StackOverflow post for the source code I use to sign the executable file with a .pfx certificate.

[dahall]

I tried a variety of combinations, even pulling some similar code into C++, and could never get anything other than 0x80070057. I also did a bunch of web searching for samples without any success.

[AlanCordner]

No difference when changing the Bitness to x64.
When I set a value for pwszDisplayName, it still returns false, but now GetLastWin32Error() returns 0

[dahall]

If you can test (I'm away from my PC), try using the following to get the Guid and then pass that to the pGuidSubject field using:

Crypt32.CryptSIPRetrieveSubjectGuid(@"C:\temp\application.exe", default, out Guid subGuid);

// in CRYPTUI_WIZ_DIGITAL_SIGN_BLOB_INFO setup
pGuidSubject = (SafeCoTaskMemStruct<Guid>)subGuid;

[AlanCordner]

Well, see that's the thing. I'm trying to sign the byte array WITHOUT writing the file to disk first!

One question: Is the last argument to CryptUIWizDigitalSign() supposed to be "ref" or "out" in C#? I have seen examples with both, but all examples were signing files, which does not utilize that argument. If it's "out", how should that variable be declared? If it's "ref", same question.

[AlanCordner]

Reading a little bit more into the CryptSIPRetrieveSubjectGuid() function, it appears the "application type" is what is important, not necessarily the application itself, if I read it correctly. After making that change, the process still fails, but now I get an error code of 0x00000012. Here's my current test code using the Vanara library:

using System;
using System.Runtime.InteropServices;
using System.Security.Cryptography.X509Certificates;
using Vanara.InteropServices;
using Vanara.PInvoke;

namespace TestVanaraLibrary
{
    internal class Program
    {
        static void Main(string[] args)
        {
            var certificatePath = @"C:\Temp\MyCertificate.pfx";
            var certificatePassword = "MyPassword";

            // this is just to get a byte array to work with
            var applicationContent = System.IO.File.ReadAllBytes(@"C:\temp\bogusapp.exe");

            var cert = new X509Certificate2(certificatePath, certificatePassword);
            var pSigningCertContext = cert.Handle;

            // use an arbitrary file of the same file type as the application to be signed to get a Subject GUID
            Crypt32.CryptSIPRetrieveSubjectGuid(@"C:\Windows\notepad.exe", default, out Guid subGuid);

            var size = Marshal.SizeOf(applicationContent[0]) * applicationContent.Length;
            IntPtr ptrBlob = Marshal.AllocHGlobal(size);
            Marshal.Copy(applicationContent, 0, ptrBlob, size);

            CryptUI.CRYPTUI_WIZ_DIGITAL_SIGN_BLOB_INFO blobInfo = new CryptUI.CRYPTUI_WIZ_DIGITAL_SIGN_BLOB_INFO()
            {
                dwSize = (uint)Marshal.SizeOf(typeof(CryptUI.CRYPTUI_WIZ_DIGITAL_SIGN_BLOB_INFO)),
                pGuidSubject = (SafeCoTaskMemStruct<Guid>)subGuid,
                cbBlob = (uint)size,
                pbBlob = ptrBlob,
                pwszDisplayName = "MyApplication.exe"
            };

            IntPtr pBlobInfo = Marshal.AllocHGlobal(Marshal.SizeOf(blobInfo));
            Marshal.StructureToPtr(blobInfo, pBlobInfo, false);

            CryptUI.CRYPTUI_WIZ_DIGITAL_SIGN_INFO.CRYPTUI_WIZ_DIGITAL_SIGN_INFO_UNION toSign = new CryptUI.CRYPTUI_WIZ_DIGITAL_SIGN_INFO.CRYPTUI_WIZ_DIGITAL_SIGN_INFO_UNION()
            {
                pSignBlobInfo = pBlobInfo
            };

            CryptUI.CRYPTUI_WIZ_DIGITAL_SIGN_INFO digitalSignInfo = new CryptUI.CRYPTUI_WIZ_DIGITAL_SIGN_INFO()
            {
                dwSize = (uint)Marshal.SizeOf(typeof(CryptUI.CRYPTUI_WIZ_DIGITAL_SIGN_INFO)),
                dwSubjectChoice = CryptUI.CryptUIWizToSign.CRYPTUI_WIZ_DIGITAL_SIGN_SUBJECT_BLOB,
                ToSign = toSign,
                dwSigningCertChoice = CryptUI.CryptUIWizSignLoc.CRYPTUI_WIZ_DIGITAL_SIGN_CERT,
                pSigningCertObject = pSigningCertContext,
                pwszTimestampURL = null,
                dwAdditionalCertChoice = 0,
                pSignExtInfo = IntPtr.Zero
            };

            CryptUI.SafePCCRYPTUI_WIZ_DIGITAL_SIGN_CONTEXT pSignContext = default(CryptUI.SafePCCRYPTUI_WIZ_DIGITAL_SIGN_CONTEXT);

            if (!CryptUI.CryptUIWizDigitalSign(CryptUI.CryptUIWizFlags.CRYPTUI_WIZ_NO_UI, HWND.NULL, null, digitalSignInfo, out pSignContext))
            {
                var error = Marshal.GetLastWin32Error();
                Console.WriteLine($"Failure: {error}");
            }
            else
                Console.WriteLine("Success!");
        }
    }
}

[AlanCordner]

I don't know why all of the code doesn't end up in the code block...