Re: StrongNameIdentityPermission Problem
From: Shawn Farkas (shawnfa_at_online.microsoft.com)
Date: Mon, 07 Jun 2004 23:39:01 GMT
Junfeng actually got the use of one of the parameters backwards. Check out http://blogs.msdn.com/shawnfa/archive/2004/06/07/150378.aspx for
a more complete explanation of the StrongNameSignatureVerificationEx method, and managed code samples on using it.
-- This posting is provided "AS IS" with no warranties, and confers no rights. Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from which they originated. -------------------- >From: "Nicole Calinoiu" <email@example.com> >References: <#RJR8MGTEHA.1272@TK2MSFTNGP10.phx.gbl> >Subject: Re: StrongNameIdentityPermission Problem >Date: Mon, 7 Jun 2004 12:25:09 -0400 >Lines: 41 >X-Priority: 3 >X-MSMail-Priority: Normal >X-Newsreader: Microsoft Outlook Express 6.00.2900.2120 >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2120 >X-RFC2646: Format=Flowed; Original >Message-ID: <urrYCwKTEHA.firstname.lastname@example.org> >Newsgroups: microsoft.public.dotnet.security >NNTP-Posting-Host: modemcable100.117-131-66.mc.videotron.ca 126.96.36.199 >Path: cpmsftngxa10.phx.gbl!TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl >Xref: cpmsftngxa10.phx.gbl microsoft.public.dotnet.security:6361 >X-Tomcat-NG: microsoft.public.dotnet.security > >Mario, > >One possible workaround is to verify that the caller is not on the skip >verification list. However, this would be overkill since it could be on the >list even if it's strongly signed with the appropriate private key. A >better approach is to call into mscoree.dll as described at >http://blogs.msdn.com/junfeng/archive/2004/02/06/68498.aspx. > >BTW, as mentioned by Joe, it's also trivial to bypass >StrongNameIdentityPermission demands by disabling CAS entirely. In order to >avoid this, verify that CAS is enabled (SecurityManager.SecurityEnabled) in >_any_ context in which the demand/linkdemand should be enforced. > >HTH, >Nicole > > >"Mario Hallmann" <email@example.com> wrote in message >news:%23RJR8MGTEHA.1272@TK2MSFTNGP10.phx.gbl... >>I was investigating some solutions to protect my code being called by other >> code. The StrongNameIdentityPermission class seems to fit in here very >> well. >> But then I found out, that it is possible to put only the public key into >> an >> assembly (using delay sign) and turn off assembly loading validation for >> that public key (using sn -Vr command). If I get right everything this >> would >> make StrongNameIdentityPermission useless, because everybody can create an >> assembly with my public key and then turn off validation. >> >> Is there any solution for this problem or am I overlooking something? >> >> Thanks, >> Mario >> >> > > > > > >