jborean93 · jborean93 · Feb 12, 2025 · Feb 12, 2025
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changelog for OpenAuthenticode
 
+## v0.6.1 - 2025-02-12
+
+* Fix up certificate selection logic for `Get-OpenAuthenticodeAzTrustedSigner` to retrieve the correct leaf certificate on Windows.
+
 ## v0.6.0 - 2025-02-12
 
 * Added the `-TokenSource` parameter for `Get-OpenAuthenticodeAzKey` to specify the authentication method used.

diff --git a/module/OpenAuthenticode.psd1 b/module/OpenAuthenticode.psd1
@@ -14,7 +14,7 @@
     RootModule = 'OpenAuthenticode.psm1'
 
     # Version number of this module.
-    ModuleVersion = '0.6.0'
+    ModuleVersion = '0.6.1'
 
     # Supported PSEditions
     # CompatiblePSEditions = @()

diff --git a/src/OpenAuthenticode.Module/OpenAuthenticodeAzTrustedSigner.cs b/src/OpenAuthenticode.Module/OpenAuthenticodeAzTrustedSigner.cs
@@ -79,7 +79,8 @@
         WriteVerbose("Importing certificate chain");
         X509Certificate2Collection chain = [];
         chain.Import(rawChain);
-        X509Certificate2 cert = chain[0];
+
+        X509Certificate2 cert = CertificateHelper.GetAzureTrustedSigningCertificate(chain, cmdlet: this);
         WriteVerbose($"Creating AzureTrustedSigner object with cert '{cert.SubjectName.Name}' - {cert.Thumbprint}");
 
         try

diff --git a/src/OpenAuthenticode/CertificateHelper.cs b/src/OpenAuthenticode/CertificateHelper.cs
@@ -0,0 +1,48 @@
+using System.Management.Automation;
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
+
+namespace OpenAuthenticode;
+
+internal static class CertificateHelper
+{
+
+    /// <summary>
+    /// The order of cert in the collection is platform specific. We manually
+    /// find the Azure Trusted Signing cert by the one with an EKU that is the
+    /// Azure Trusted Signing OID prefix '1.3.6.1.4.1.311.97.'.
+    /// </summary>
+    /// <param name="collection">The collection to search.</param>
+    /// <param name="cmdlet">The cmdlet to write verbose messages to.</param>
+    /// <returns>The leaf certificate to use for signing.</returns>
+    /// <exception cref="ItemNotFoundException">Leaf certificate was not found.</exception>
+    public static X509Certificate2 GetAzureTrustedSigningCertificate(
+        X509Certificate2Collection collection,
+        AsyncPSCmdlet? cmdlet = null)
+    {
+        foreach (X509Certificate2 cert in collection)
+        {
+            cmdlet?.WriteVerbose(
+                $"Processing Azure Trusted Signing certificate: Subject '{cert.Subject}' - Issuer '{cert.Issuer}'");
+
+            foreach (X509Extension ext in cert.Extensions)
+            {
+                if (ext is not X509EnhancedKeyUsageExtension eku)
+                {
+                    continue;
+                }
+
+                foreach (Oid oid in eku.EnhancedKeyUsages)
+                {
+                    if (oid?.Value?.StartsWith("1.3.6.1.4.1.311.97.") == true)
+                    {
+                        return cert;
+                    }
+                }
+            }
+        }
+
+        // This should not happen but just in case.
+        throw new ItemNotFoundException("Failed to find leaf certificate in Azure Trusted Signing collection.");
+    }
+}
diff --git a/src/OpenAuthenticode/ECDsaPrivateKey.cs b/src/OpenAuthenticode/ECDsaPrivateKey.cs
@@ -5,6 +5,11 @@ namespace OpenAuthenticode;
 
 internal abstract class ECDsaPrivateKey : ECDsa
 {
+    public ECDsaPrivateKey(int keySize)
+    {
+        KeySizeValue = keySize;
+    }
+
     public abstract byte[] SignHashCore(byte[] hash);
 
     public override byte[] SignHash(byte[] hash) => SignHashCore(hash);

diff --git a/src/OpenAuthenticode/KeyProvider.cs b/src/OpenAuthenticode/KeyProvider.cs
@@ -46,8 +46,8 @@ internal KeyProvider(
         DefaultHashAlgorithm = defaultHashAlgorithm;
         Key = keyType switch
         {
-            KeyType.RSA => new CachedRSAPrivateKey(this),
-            KeyType.ECDsa => new CachedECDsaPrivateKey(this),
+            KeyType.RSA => new CachedRSAPrivateKey(this, certificate.GetRSAPublicKey()!.KeySize),
+            KeyType.ECDsa => new CachedECDsaPrivateKey(this, certificate.GetECDsaPublicKey()!.KeySize),
             _ => throw new NotImplementedException(),
         };
     }
@@ -265,7 +265,7 @@ private sealed class CachedRSAPrivateKey : RSAPrivateKey
     {
         private readonly KeyProvider _provider;
 
-        public CachedRSAPrivateKey(KeyProvider provider)
+        public CachedRSAPrivateKey(KeyProvider provider, int keySize) : base(keySize)
         {
             _provider = provider;
         }
@@ -278,7 +278,7 @@ private sealed class CachedECDsaPrivateKey : ECDsaPrivateKey
     {
         private readonly KeyProvider _provider;
 
-        public CachedECDsaPrivateKey(KeyProvider provider)
+        public CachedECDsaPrivateKey(KeyProvider provider, int keySize) : base(keySize)
         {
             _provider = provider;
         }

diff --git a/src/OpenAuthenticode/LoadContext.cs b/src/OpenAuthenticode/LoadContext.cs
@@ -1,10 +1,7 @@
 using System.IO;
 using System.Reflection;
-using System.Runtime.CompilerServices;
 using System.Runtime.Loader;
 
-[assembly: InternalsVisibleTo("OpenAuthenticode.Module")]
-
 namespace OpenAuthenticode;
 
 public class LoadContext : AssemblyLoadContext

diff --git a/src/OpenAuthenticode/OpenAuthenticode.csproj b/src/OpenAuthenticode/OpenAuthenticode.csproj
@@ -28,4 +28,9 @@
     <PackageReference Include="Microsoft.SourceLink.GitHub" Version="8.0.0" PrivateAssets="all"/>
   </ItemGroup>
 
+  <ItemGroup>
+    <InternalsVisibleTo Include="OpenAuthenticode.Module" />
+    <InternalsVisibleTo Include="OpenAuthenticodeTests" />
+  </ItemGroup>
+
 </Project>
diff --git a/src/OpenAuthenticode/RSAPrivateKey.cs b/src/OpenAuthenticode/RSAPrivateKey.cs
@@ -5,6 +5,11 @@ namespace OpenAuthenticode;
 
 internal abstract class RSAPrivateKey : RSA
 {
+    public RSAPrivateKey(int keySize)
+    {
+        KeySizeValue = keySize;
+    }
+
     public abstract byte[] SignHashCore(byte[] hash, HashAlgorithmName hashAlgorithm);
 
     public override byte[] SignHash(

diff --git a/tests/units/OpenAuthenticodeTests.csproj b/tests/units/OpenAuthenticodeTests.csproj
@@ -0,0 +1,37 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <TargetFrameworks>net8.0</TargetFrameworks>
+    <Nullable>enable</Nullable>
+
+    <IsPackable>false</IsPackable>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.13.0" />
+    <PackageReference Include="xunit" Version="2.9.3" />
+    <PackageReference Include="xunit.runner.visualstudio" Version="3.0.2">
+      <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+      <PrivateAssets>all</PrivateAssets>
+    </PackageReference>
+    <PackageReference Include="coverlet.collector" Version="6.0.4">
+      <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+      <PrivateAssets>all</PrivateAssets>
+    </PackageReference>
+    <PackageReference Include="Xunit.SkippableFact" Version="1.5.23" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <!--
+    S.M.A brings in these deps but we don't rely on it directly. It's up to
+    the user to run with a newer PowerShell version that isn't affected.
+    -->
+    <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-447r-wph3-92pm" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="../../src/OpenAuthenticode/OpenAuthenticode.csproj" />
+    <PackageReference Include="System.Management.Automation" Version="7.4.0" />
+  </ItemGroup>
+
+</Project>
diff --git a/tests/units/SignatureHelperTests.cs b/tests/units/SignatureHelperTests.cs