.NET 程序集可以使用 X509Certificate 进行签名吗?
我相信我对 X509Certificate 有基本的了解,并且已经为我的开发环境创建了证书和私钥。现在更加熟悉 X509Certificate 类和其他相关权限。
因此,在此过程中,我决定在系统上安装证书后对其进行测试。然后使用以下代码,我尝试验证认证身份验证的检查过程:
const string x509Cert = @"\PathToMyCertificate\LMC.cer";
var cert = new X509Certificate(x509Cert);
var pmc = new PublisherMembershipCondition(cert);
if(pmc.Check(Assembly.GetCallingAssembly().Evidence))
{
Console.WriteLine("Assembly belongs to publisher");
}
当然,正如预期的那样,内部代码块不会执行。因此,我想简单地使用证书密钥对我的程序集进行签名,但“简单”并不像我预期的那么简单。
我使用以下代码来将证书分配给我的应用程序证据:
var publisher = new Publisher(X509Certificate.CreateFromCertFile(x509Cert));
var evidence = Assembly.GetCallingAssembly().Evidence;
evidence.AddHost(publisher);
// Create an identity permission based on publisher evidence.
var x509Permission = (PublisherIdentityPermission)publisher.CreateIdentityPermission(evidence);
x509Permission.Demand();
但这似乎也不起作用。接下来,我检查了项目的属性,看看是否有任何方法可以使用 X509Certificate 密钥对其进行签名,但什么也没有。我看到的唯一接近的选项是使用 Click Once 清单进行签名;但“从文件中选择”选项正在寻找 .pfx 扩展名。所以我想也许这个方法只适用于支持 Click-Once 生成的证书?
根据 BOL,“如果您有其他格式的密钥文件或证书,请将其存储在 Windows 证书存储中,并按照前面的过程中所述选择证书。”我在受信任的根证书颁发机构存储中安装了 X509Certificate。那不是 Windows 证书存储吗?因为“证书存储”窗口中没有显示任何内容。
搜索在线资源也没有多大收获,除非我使用了错误的关键字组合。现在我可以创建另一个 X509Certificate 和密钥,确保密钥的扩展名是 .pfx,但我想在白费力气之前确保我的解决方案是正确的,我不相信这会是答案。
那么,.NET 程序集可以使用 X509Certificate 进行签名吗?如果是,有哪些文档可以帮助执行此任务?
I believe I have a foundational understanding of the X509Certificate and have created certificates and private keys for my Development environment. Getting more acquainted now with the X509Certificate Class and other relevant permissions also.
So in the process, I decided to test a certificate after having installed it on my system. Then using the following code, I attempted to validate the check process for certification authentication:
const string x509Cert = @"\PathToMyCertificate\LMC.cer";
var cert = new X509Certificate(x509Cert);
var pmc = new PublisherMembershipCondition(cert);
if(pmc.Check(Assembly.GetCallingAssembly().Evidence))
{
Console.WriteLine("Assembly belongs to publisher");
}
Of course as expected, the inner block of code doesn't execute. So then I figured to simply sign my assembly using the certificate key, but "simply" wasn't as simple as I'd anticipated.
I used the following code in effort of assigning the certificate to my applications Evidence:
var publisher = new Publisher(X509Certificate.CreateFromCertFile(x509Cert));
var evidence = Assembly.GetCallingAssembly().Evidence;
evidence.AddHost(publisher);
// Create an identity permission based on publisher evidence.
var x509Permission = (PublisherIdentityPermission)publisher.CreateIdentityPermission(evidence);
x509Permission.Demand();
But this didn't seem to work either. Next, I checked the properties of my project to see if there was any way to sign it there using the X509Certificate key but nothing. The only option I see that comes close is to sign with Click Once manifests; but the "Select from file" option is looking for a .pfx extension. So I think maybe this method only works to support certificates generated by Click-Once?
Per BOL, "If you have a key file or certificate in another format, store it in the Windows certificate store and select the certificate is described in the previous procedure." I installed my X509Certificate in the Trusted Root Certificate Authorities store. Wouldn't that be a Windows certificate store? Because nothing shows up in the Certificate Store window.
Searching online resources didn't yield much either unless I am using the wrong combination of keywords. Now I could create another X509Certificate and key ensuring that the extension of the key is .pfx but I wanted to make certain that I am on the right course of resolve before spinning my wheels for nothing and I don't believe that would be the answer.
So, can a .NET assembly be signed using an X509Certificate? If so, what documentation is available to assist in performing this task?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
Publisher* 类与 Authenticode(tm) 相关联。
查找命令行工具:
* 签名代码(或签名工具)
* chktrust
了解如何使用有效的代码签名证书对任何 .exe、.dll(以及 .cab、.ocx)进行签名。在 google 上搜索 Authenticode 或“代码签名证书”也会有所帮助。
Publisher* classes are associated with Authenticode(tm).
Look for the command-line tools:
* signcode (or signtool)
* chktrust
for how you can sign any .exe, .dll (and .cab, .ocx) using a valid code-signing certificate. A google search on Authenticode or "code-signing certificate" can also be helpful.
问题是你想做什么。存在用于对程序集进行强命名的 .NET 签名(使用 RSA 密钥对),并且存在 Authenticode,它允许您对 PE 格式的任何文件(包括 DLL 文件中的程序集)进行签名。请注意,Authenticode 不是特定于 .NET 的,并且对 .NET 一无所知。它标志着PE结构。
正如 poupou 所说,对于 Authenticode 签名(使用适合代码签名的 X.509 证书),您可以使用 SignTool.exe 工具。 .NET 将在加载程序集时验证签名,但在某些情况下,此类验证可能需要额外几秒钟的时间(如果操作系统对链中的证书执行 CRL 和 OCSP 检查),从而减慢程序集加载速度。
所以你需要选择正确的工具并定义你想要实现的目标(签名是一种方法,而不是目标)。
The question is what you want to do. There exist .NET signing (using RSA keypair) used for strong-naming the assemblies, and there exists Authenticode which lets you sign any file in PE format including assemblies in DLL files. Note, that Authenticode is not .NET-specific and knows nothing about .NET. It signs PE structure.
As said by poupou, for Authenticode signing (using X.509 certificates suitable for Code Signing) you can use SignTool.exe tool. .NET will verify the signature when it loads the assembly, but in some cases such verification can take extra seconds (if the OS performs CRL and OCSP checking of certificates in the chain), slowing down assembly loading.
So you need to choose the right tool and define what you want to achieve (signing is a method, not a goal).