问题描述
是否有可能来检查,如果动态加载的程序集已与特定的强名称签名?
Is it possible to check if a dynamically loaded assembly has been signed with a specific strong name?
是否足够/安全的比较值从返回的 AssemblyName.GetPublicKey()方式?
Is it enough / secure to compare the values returned from AssemblyName.GetPublicKey() method?
Assembly loaded = Assembly.LoadFile(path);
byte[] evidenceKey = loaded.GetName().GetPublicKey();
if (evidenceKey != null)
{
byte[] internalKey = Assembly.GetExecutingAssembly().GetName().GetPublicKey();
if (evidenceKey.SequenceEqual(internalKey))
{
return extension;
}
}
不能这样被欺骗?我不知道如果SetPublicKey()方法有一个内置组件的影响,但即使MSDN文档说明了如何在一个动态生成组件使用(反射发出),这样就意味着你可以提取的公共密钥托管应用程序并将其注入到自己的组装和运行mallicious code。如果以上是安全的后卫,还是我失去了一些东西?
Can't this be spoofed? I am not sure if the SetPublicKey() method has any effect on a built assembly, but even the MSDN documentation shows how you can use this on a dynamically generated assembly (reflection emit) so that would mean you could extract the public key from the host application and inject it into an assembly of your own and run mallicious code if the above was the safe-guard, or am I missing something?
有一个更正确,更安全的方法?我知道,如果扭转形势的情况下,也就是,在这里我想从仅安全大会通过签署主机被称为然后我可以标记与StrongNameIdentityPermission属性集。
Is there a more correct and secure approach? I know if the reversed situation was the scenario, that is, where I wanted to secure the assembly from only being called by signed hosts then I could tag the assembly with the StrongNameIdentityPermission attribute.
推荐答案
有是检查的程序集的签名没有管理办法和检查公钥让你容易受到欺骗。你将不得不使用并调用 StrongNameSignatureVerificationEx 函数检查签名
There is no managed way to check the signature of an assembly and checking the public key leaves you vulnerable to spoofing. You will have to use P/Invoke and call the StrongNameSignatureVerificationEx function to check the signature
[DllImport("mscoree.dll", CharSet=CharSet.Unicode)]
static extern bool StrongNameSignatureVerificationEx(string wszFilePath, bool fForceVerification, ref bool pfWasVerified);
这篇关于检查程序集的强名称的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!