Fix cross-platform strong name signing by manually parsing RSA key blobs

Ahmed · Ahmed · commit 248c07bbc3dc · 2026-02-01T14:26:36.000+02:00
diff --git a/src/Compiler/AbstractIL/ilsign.fs b/src/Compiler/AbstractIL/ilsign.fs
@@ -1,4 +1,4 @@
-﻿// Copyright (c) Microsoft Corporation.  All Rights Reserved.  See License.txt in the project root for license information.
+// Copyright (c) Microsoft Corporation.  All Rights Reserved.  See License.txt in the project root for license information.
 
 module internal FSharp.Compiler.AbstractIL.StrongNameSign
 
@@ -126,9 +126,11 @@ type BlobReader =
     val mutable _blob: byte array
     val mutable _offset: int
     new(blob: byte array) = { _blob = blob; _offset = 0 }
-    
-    member x.Offset with get() = x._offset and set(v) = x._offset <- v
-    
+
+    member x.Offset
+        with get () = x._offset
+        and set (v) = x._offset <- v
+
     member x.ReadInt32() : int =
         let offset = x._offset
         x._offset <- offset + 4
@@ -144,34 +146,40 @@ type BlobReader =
         x._offset <- x._offset + length
         arr |> Array.rev
 
-let RSAParametersFromBlob blob keyType =
+/// Decodes an RSA functional blob into RSAParameters.
+/// Ref: https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-publickeystruc
+let RSAParametersFromBlob blob _keyType =
     let mutable reader = BlobReader blob
 
-    let header = reader.ReadInt32()
-    if header <> 0x00000206 && header <> 0x00000207 && keyType = KeyType.KeyPair then
-        raise (CryptographicException(getResourceString (FSComp.SR.ilSignPrivateKeyExpected ())))
-
-    reader.ReadInt32() |> ignore // ALG_ID
+    // Skip PUBLICKEYSTRUC (8 bytes): bType(1), bVersion(1), reserved(2), aiKeyAlg(4)
+    reader.ReadInt32() |> ignore
+    reader.ReadInt32() |> ignore
 
-    if reader.ReadInt32() <> RSA_PRIV_MAGIC then
-        raise (CryptographicException(getResourceString (FSComp.SR.ilSignRsaKeyExpected ()))) // 'RSA2'
+    // Read RSAPUBKEY header (starts with magic)
+    // Ref: https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-rsapubkey
+    let magic = reader.ReadInt32()
 
-    let byteLen, halfLen =
-        let bitLen = reader.ReadInt32()
+    if magic <> RSA_PUB_MAGIC && magic <> RSA_PRIV_MAGIC then
+        raise (CryptographicException(getResourceString (FSComp.SR.ilSignRsaKeyExpected ())))
 
-        match bitLen % 16 with
-        | 0 -> (bitLen / 8, bitLen / 16)
-        | _ -> raise (CryptographicException(getResourceString (FSComp.SR.ilSignInvalidBitLen ())))
+    let bitLen = reader.ReadInt32()
+    let byteLen, halfLen = (bitLen / 8, bitLen / 16)
 
     let mutable key = RSAParameters()
-    key.Exponent <- reader.ReadBigInteger 4
+    key.Exponent <- reader.ReadBigInteger 4 // pubexp (4 bytes)
     key.Modulus <- reader.ReadBigInteger byteLen
-    key.P <- reader.ReadBigInteger halfLen
-    key.Q <- reader.ReadBigInteger halfLen
-    key.DP <- reader.ReadBigInteger halfLen
-    key.DQ <- reader.ReadBigInteger halfLen
-    key.InverseQ <- reader.ReadBigInteger halfLen
-    key.D <- reader.ReadBigInteger byteLen
+
+    // IMPORTANT: Conditional reading based on Magic.
+    // Private fields (P, Q, DP, DQ, InverseQ, D) follow the modulus ONLY in PrivateKeyBlobs (RSA2).
+    // Ref: https://learn.microsoft.com/en-us/windows/win32/seccrypto/base-provider-key-blobs
+    if magic = RSA_PRIV_MAGIC then
+        key.P <- reader.ReadBigInteger halfLen
+        key.Q <- reader.ReadBigInteger halfLen
+        key.DP <- reader.ReadBigInteger halfLen
+        key.DQ <- reader.ReadBigInteger halfLen
+        key.InverseQ <- reader.ReadBigInteger halfLen
+        key.D <- reader.ReadBigInteger byteLen
+
     key
 
 let validateRSAField (field: byte array MaybeNull) expected (name: string) =
@@ -303,30 +311,44 @@ let signStream stream keyBlob =
     let signature = createSignature hash keyBlob KeyType.KeyPair
     patchSignature stream peReader signature
 
-let signatureSize (pk: byte array) =
-    if pk.Length < 20 then 0
+/// Calculates the required signature space in the PE header for an RSA key.
+///
+/// Rationale:
+/// Following Roslyn's 'SigningUtilities', we distinguish between public keys and full key pairs.
+/// For full key pairs (SNKs), we reserve space matching the modulus size (pk.Length - 32 bytes of header).
+/// This ensures parity with 'mscorsn.dll' expectations on Windows Desktop during the signing process.
+let signatureSize (pk: byte array) (isFullKeyPair: bool) =
+    if (box pk |> isNull) || pk.Length < 16 then
+        0
     else
-        let reader = BlobReader pk
-        reader.Offset <- 12
-        let bitLen = reader.ReadInt32()
-        let modulusLength = bitLen / 8
-        
-        if modulusLength < 160 then 128 else modulusLength - 32
-// Key signing
-type keyContainerName = string
-type keyPair = byte array
-type pubkey = byte array
-type pubkeyOptions = byte array * bool
-
+        let adjustedSize =
+            if isFullKeyPair then
+                // Calculate space based on modulus size (Blob length minus 32-byte header)
+                // matching Roslyn's: (keySize < 160) ? 128 : keySize - 32
+                Math.Max(pk.Length - 32, 128)
+            else
+                // For public keys/delay signing, strictly reserve the standard 128 bytes.
+                128
+
+        // PE/COFF Spec Section 5.5: The Certificate Table entry must be aligned on an 8-byte boundary.
+        (adjustedSize + 7) &&& ~~~7
+
+// Returns a CLR Format Blob public key
 let getPublicKeyForKeyPair keyBlob =
     use rsa = RSA.Create()
     rsa.ImportParameters(RSAParametersFromBlob keyBlob KeyType.KeyPair)
     let rsaParameters = rsa.ExportParameters false
     toCLRKeyBlob rsaParameters CALG_RSA_KEYX
 
+// Key signing
+type keyContainerName = string
+type keyPair = byte array
+type pubkey = byte array
+type pubkeyOptions = byte array * bool
+
 let signerGetPublicKeyForKeyPair (kp: keyPair) : pubkey = getPublicKeyForKeyPair kp
 
-let signerSignatureSize (pk: pubkey) : int = signatureSize pk
+let signerSignatureSize (pk: pubkey) (isFullKeyPair: bool) : int = signatureSize pk isFullKeyPair
 
 let signerSignStreamWithKeyPair stream keyBlob = signStream stream keyBlob
 
@@ -367,15 +389,15 @@ type ILStrongNameSigner =
         | KeyContainer _ -> failWithContainerSigningUnsupportedOnThisPlatform ()
 
     member s.SignatureSize =
-        let pkSignatureSize pk =
-            signerSignatureSize pk
-
         match s with
-        | PublicKeySigner pk -> pkSignatureSize pk
+        | PublicKeySigner pk -> signerSignatureSize pk false
         | PublicKeyOptionsSigner pko ->
             let pk, _ = pko
-            pkSignatureSize pk
-        | KeyPair kp -> pkSignatureSize (signerGetPublicKeyForKeyPair kp)
+            signerSignatureSize pk false
+        | KeyPair kp ->
+            // For full key pairs, we calculate based on the public part
+            // but pass true to trigger the legacy padding logic.
+            signerSignatureSize (signerGetPublicKeyForKeyPair kp) true
         | KeyContainer _ -> failWithContainerSigningUnsupportedOnThisPlatform ()
 
     member s.SignStream stream =
