How can a "referenced assembly" verify the signature/authenticity of the "caller assembly"?

StackOverflow https://stackoverflow.com/questions/14700740

Question

My question is with regard to enforcing security between .NET assemblies. And here's the scenario:

  • A Foundation assembly is deployed on a server.
  • A series of Plugin assemblies are shipped in an application.
  • The plugins use functionality from the Foundation.
  • Since the Foundation provides sensitive operations and data, it has to ensure that the Plugin (the caller assembly) is authentic and from a certain publisher.

I'm pretty new to security and have a basic grasp of Strong-Naming and Digital Signatures. So, if you can please give a thorough explanation of possible ways to accomplish the mentioned goal, I would greatly appreciate it.

Was it helpful?

Solution

Edit

Sorry, when reading your question again I understand that you don't control the plugins.

You want to restrict usage of the foundation assembly based on the assembly calling it.

Unfortunatly there is no other way to do that than checking the calling assembly in the sensitive parts. If you avoid public static members you can do the check in the constructor.

public class SensitiveClass {
    private readonly byte[] SupplierXKey = new[] {...};

    public SensitiveClass() {
        var key = Assembly.CallingAssembly().GetName().GetPublicKey();

        if (!key.SequenceEqual(SupplierXKey)) {
            throw new SecurityException();
        }
    }
}

Note that this solution requires that your supplier protects their code as well. You might need to extend the above code to check the caller's caller and so on.

old wrong answer

Are you using MEF to load the plugins?

Then you can create your own catalog that only allows assemblies signed with a specific key.

Something like: 

public class OnlyAssembliesFromX : ComposablePartCatalog
{
    private readonly byte[] SupplierXKey = new[] {...};

    AggregateCatalog _catalog = new AggregateCatalog();

    public OnlyAssemblisFromX(string path) {
        foreach (var file in Directory.GetFiles(path)) {
            var key = AssemblyName.GetAssemblyName(file)
                                  .GetPublicKey();

            if (key.SequenceEqual(SupplierXKey)) {
                _catalog.Catalogs.Add(new AssemblyCatalog(file));
            }
        }
    }

    public override IQueryable<ComposablePartDefinition> Parts {
        get { return _aggregateCatalog.Parts; }
    }
}
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top