Need to show error if assembly has not signed

  • Question

  • Hi,

    I have an assembly with a strong name. I need to prevent API calls from any assembly which is not signed.

    Thanks in advance

    Arun

    Thursday, December 6, 2012 10:49 PM

Answers

  • Hi,

    Please refer to this link: http://blogs.msdn.com/b/shawnfa/archive/2004/06/07/150378.aspx


    One good question is equivalent to ten best answers.

    That's right on line with what I was proposing.  You will still need to use class System.Reflection.Assembly method GetCallingAssembly to get the Assembly.

    You could call their method CheckToken like this: CheckToken(System.Reflection.Assembly.GetCallingAssembly(), myToken).

    For example, in your foo.dll

        using System;
        using System.Reflection;
        using System.Runtime.CompilerServices;
        using System.Text;

        public class SignedAssemblyException : Exception { }

        internal static class ObjectExtensions
        {
            // hex-encode a byte array; null or empty input gives an empty string
            private static string ByteArrayToString(byte[] bytes)
            {
                if ((null == bytes) || (0 == bytes.Length))
                    return string.Empty;

                StringBuilder byteStr = new StringBuilder();

                for (int i = 0; i < bytes.Length; i++)
                    byteStr.AppendFormat("{0:x2}", bytes[i]);

                return byteStr.ToString();
            }

            public static void CheckForAccess(this object element, Assembly callerAssembly)
            {
                // this gets "us"
                Assembly ourAssembly = Assembly.GetExecutingAssembly();

                // extract our public keys and compare
                // you don't have to compare by string, you can compare byte arrays
                // I added this because I wanted to :P
                string ourKey = ByteArrayToString(ourAssembly.GetName().GetPublicKey());
                string theirKey = (null == callerAssembly)
                    ? string.Empty
                    : ByteArrayToString(callerAssembly.GetName().GetPublicKey());

                // an empty key means "unsigned": reject it, otherwise two unsigned
                // assemblies would compare equal and the check would pass
                if ((0 == ourKey.Length) || !string.Equals(ourKey, theirKey, StringComparison.Ordinal))
                    throw new SignedAssemblyException();
            }
        }

        public class ConsumableClass
        {
            public string SomethingToGet
            {
                // keep the JIT from inlining the getter, otherwise
                // GetCallingAssembly can return an unexpected assembly
                [MethodImpl(MethodImplOptions.NoInlining)]
                get
                {
                    // pass in Assembly from the caller
                    this.CheckForAccess(System.Reflection.Assembly.GetCallingAssembly());

                    return "something to get";
                }
            }
        }
    

    This example uses an object extension to provide the method CheckAccess for every one of your objects in your assembly.

    I hope this helps

    Matt

    Friday, December 7, 2012 3:02 PM
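
The answer above mentions a token check of the form CheckToken(assembly, myToken) and notes that the comparison can be done on byte arrays. The following is an added example of such a check, not code from the original post or from the linked blog; `StrongNameGate`, `ParseToken`, `HasToken`, `Demo` and the sample token are hypothetical names and constructed values.

```csharp
using System;
using System.Reflection;

// Hypothetical helper, not the CheckToken from the linked blog post.
public static class StrongNameGate
{
    // Parse a hex public key token such as the one printed by "sn -T foo.dll".
    public static byte[] ParseToken(string hex)
    {
        if (hex == null || hex.Length != 16)
            throw new ArgumentException("A public key token is 8 bytes (16 hex digits).");
        byte[] token = new byte[8];
        for (int i = 0; i < token.Length; i++)
            token[i] = Convert.ToByte(hex.Substring(i * 2, 2), 16);
        return token;
    }

    // True only when the assembly is signed and its token equals the expected one.
    public static bool HasToken(Assembly assembly, byte[] expectedToken)
    {
        if (assembly == null || expectedToken == null || expectedToken.Length == 0)
            return false;
        byte[] actual = assembly.GetName().GetPublicKeyToken();
        // Unsigned assemblies report a null or empty token: fail closed.
        if (actual == null || actual.Length != expectedToken.Length)
            return false;
        for (int i = 0; i < actual.Length; i++)
            if (actual[i] != expectedToken[i])
                return false;
        return true;
    }
}

public static class Demo
{
    public static void Main()
    {
        // The core library is always signed, so it serves as a signed sample.
        Assembly signed = typeof(object).Assembly;
        byte[] pinned = signed.GetName().GetPublicKeyToken();
        byte[] other = StrongNameGate.ParseToken("0123456789abcdef"); // constructed token

        Console.WriteLine(StrongNameGate.HasToken(signed, pinned));
        Console.WriteLine(StrongNameGate.HasToken(signed, other));
        Console.WriteLine(StrongNameGate.HasToken(Assembly.GetExecutingAssembly(), pinned));
    }
}
```

In a class like ConsumableClass the call would be StrongNameGate.HasToken(Assembly.GetCallingAssembly(), pinnedToken), throwing SignedAssemblyException when it returns false. Microsoft's documentation describes strong names as an identity mechanism and warns against relying on them for security, so this guards against unintended callers rather than forming a boundary against fully trusted code.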

All replies

  • The System.Reflection.AssemblyName class gives you a couple of properties to read the public key information of the assembly.

    The class System.Reflection.Assembly has a method called GetCallingAssembly which gives you an instance to the assembly that is calling the code.   

    You should be able to use these two methods to 1) figure out who is calling you and 2) if they are signed.   From there, you can do whatever it is you wish to do.

    If you would like some code examples, reply here and I will work something up for you.

    Hope this helps

    M

    Thursday, December 6, 2012 11:19 PM
  • Thanks for your quick reply

    If possible can you send me the code snippet

    This is the exact requirement

    Is there any way to secure your assembly down to the class/property & class/method level to prevent the using/calling of them from another assembly that isn't signed by our company?

    I would like to do this without any requirements on strong naming (like using StrongNameIdentityPermission) and stick with how an assembly is signed.  I really do not want to resort to using the InternalsVisibleTo attribute as that is not maintainable in an ever-changing software ecosystem.

    For example:

    Scenario One

    Foo.dll is signed by my company and Bar.dll is not signed at all.

    Foo has Class A. Bar has Class B.

    Class A has public method GetSomething(). Class B tries to call Foo.A.GetSomething() and is rejected.

    Rejected can be an exception or being ignored in some way.

    Scenario Two

    Foo.dll is signed by my company and Moo.dll is also signed by my company.

    Foo has Class A. Moo has Class C.

    Class A has public method GetSomething(). Class C tries to call Foo.A.GetSomething() and is not rejected.

    Thanks

    Arun

    Thursday, December 6, 2012 11:35 PM
  • Hi,

    Please refer to this link: http://blogs.msdn.com/b/shawnfa/archive/2004/06/07/150378.aspx


    One good question is equivalent to ten best answers.

    Friday, December 7, 2012 8:17 AM