views: 100

answers: 1
I'm using a book for studying for .NET certification, and I'm stumped on the issue of publisher certificates.

Background:

Windows Vista Home Basic SP2
Visual Studio 2008
.NET 3.5 SP1

Goal:

Write a simple C# console application that has its permission to read from a specific text file determined by the application's certificate.

Symptoms:

I am able to read from the file despite assigning the Nothing permission set to the code group that is conditioned by the application's certificate.

Steps taken:

  1. Wrote C# console application that uses StreamReader to read the file and output to the console. The application works as expected.
  2. On the application's properties, I used the Signing tab, set ON the checkbox for "Sign the ClickOnce manifest", clicked the Create Test Certificate button, and entered passwords.
  3. Next, I clicked the More Details button, navigated to the Details tab, selected the Public Key row, and clicked the Copy to File button.
  4. In the Certificate Export Wizard, I chose not to export the private key, chose the DER encoded binary X.509 format, and provided the path of the .CER file.
  5. Next I rebuilt the application.
  6. I opened the .NET Framework 2.0 Configuration tool.
  7. I navigated to My Computer > Runtime Security > Machine > Code Groups > All_Code
  8. Right clicked All_Code, and selected New to begin the Create Code Group wizard.
  9. Gave the new code group a name, then selected the Publisher condition type.
  10. Clicked the Import from Certificate File button, then selected the newly created .CER file.
  11. Next I selected the Nothing permission set.
  12. When running the application, which should now be a member of the new code group, it still works the same. I would expect that if it's a member of the Nothing permission set that it couldn't read the file.

Thanks for any insight you can provide. I'm probably missing one little detail. I wonder if this has anything to do with using Vista Home Basic.

A: 

Can your application read the file in question w/o any certificate?

Adding Nothing to a set of existing permissions won't change much.

Henk Holterman
Henk, in step 1 I was writing and running the program without a certificate. I didn't add that until later. I was under the impression that Nothing would keep the executable from executing if it were found to be a member of the new group, so it was my test to see if .NET was including it as a member. Am I off base on understanding Nothing? Is there a better existing permission set to use to test whether .NET is including the executable as a member of the new group? I'd like to make sure the inclusion is working before pointing it to a new permission set of my own making. Thanks!
Clint
You do understand Nothing, but the 'matching evidence' process is additive; you are adding your Nothing group to the normal rights. To investigate you should create a folder where the app can't write w/o the certificate, then add rights to the group.
Henk Holterman
I finally found a page that explains what I needed to know. My problem was with the creation of the certificate. As indicated in the original question, everything I was trying was on the Signing tab of the application's properties page in Visual Studio. It appears that creating the test certificate here is not enough to have that certificate work as a Publisher condition. Briefly, the steps were MakeCert, Cert2spc, SignTool, and CertMgr. Afterward I continued at step 6. http://www.c-sharpcorner.com/UploadFile/ankithakur/PublishersBasedSecurity12012006061621AM/PublishersBasedSecurity.aspx
Clint
The other thing I finally found was the Evaluate Assembly tool in the .NET Framework 2.0 Configuration tool. This proved that my application was not being found in the code group I had created until I took the steps outlined on the site.
My question now turns to this: functionally speaking, which of the steps from the web site are omitted from the original steps? I'm trying to understand the difference between the Visual Studio approach versus the command line approach. Obviously the UI is different - just trying to understand the functional difference.
Clint
Clint, you probably should see how far you get and maybe ask a new question.
Henk Holterman
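The two things Clint ended up needing, a way to see whether the CLR attaches Publisher evidence to the executable at all and a way to see which code groups it lands in, can be checked from inside the program itself. The following console program is an added example (not code from the question, the answer, or the linked article). It targets .NET Framework 2.0/3.5, where CAS policy is still enforced (.NET 4 and later ignore CAS policy unless the legacy policy switch is turned on), and it assumes it is launched from the local disk so that it is fully trusted, as in the question. `CasDiagnostics`, `PrintGroup`, `CanRead` and the file path are assumptions chosen for the example.

```csharp
using System;
using System.Collections;
using System.IO;
using System.Reflection;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

// Diagnostic for .NET Framework 2.0/3.5 code-access-security policy.
// It reports, for the running assembly:
//   1. whether the CLR sees any Publisher (Authenticode) evidence on it,
//   2. which code groups match that evidence (what "Evaluate Assembly" shows),
//   3. whether a read of the target file is granted after policy resolution.
class CasDiagnostics
{
    // Constructed path for illustration; point it at the file from the question.
    const string TargetFile = @"C:\temp\secret.txt";

    static void Main()
    {
        Evidence ev = Assembly.GetExecutingAssembly().Evidence;

        // 1. Publisher evidence appears only when the .exe itself carries an
        //    Authenticode signature. "Sign the ClickOnce manifests" in the
        //    Visual Studio Signing tab signs the manifests, not the assembly,
        //    so no Publisher object shows up here and a Publisher membership
        //    condition has nothing to match.
        bool hasPublisher = false;
        foreach (object item in ev)
        {
            Publisher pub = item as Publisher;
            if (pub == null) continue;
            hasPublisher = true;
            Console.WriteLine("Publisher evidence: " + pub.Certificate.Subject);
            Console.WriteLine("Certificate hash  : " + pub.Certificate.GetCertHashString());
        }
        if (!hasPublisher)
            Console.WriteLine("No Publisher evidence: the .exe is not Authenticode-signed.");

        // 2. ResolvePolicyGroups yields one tree per policy level (Enterprise,
        //    Machine, User), pruned to the groups whose membership condition
        //    matched. Within a level the grants are a union, so a matching
        //    "Nothing" group adds nothing while My_Computer_Zone (FullTrust)
        //    still matches a locally installed assembly.
        Console.WriteLine("Matching code groups:");
        IEnumerator levels = SecurityManager.ResolvePolicyGroups(ev);
        while (levels.MoveNext())
            PrintGroup((CodeGroup)levels.Current, 1);

        // 3. The final grant: union within each level, intersection across levels.
        PermissionSet grant = SecurityManager.ResolvePolicy(ev);
        Console.WriteLine("Grant set unrestricted: " + grant.IsUnrestricted());
        Console.WriteLine("Read of " + TargetFile + " granted: " + CanRead(TargetFile));
    }

    // Walks a matched code-group tree and prints each group with its permission set.
    static void PrintGroup(CodeGroup group, int depth)
    {
        Console.WriteLine(new string(' ', depth * 2) + group.Name
            + " -> permission set '" + group.PermissionSetName + "'");
        foreach (CodeGroup child in group.Children)
            PrintGroup(child, depth + 1);
    }

    // Demands FileIOPermission(Read) for the path and reports the outcome
    // instead of letting a SecurityException terminate the program.
    static bool CanRead(string path)
    {
        try
        {
            new FileIOPermission(FileIOPermissionAccess.Read, Path.GetFullPath(path)).Demand();
            return true;
        }
        catch (SecurityException)
        {
            return false;
        }
    }
}
```

Run it once from the Visual Studio build and once after Authenticode-signing the .exe: the first run prints no Publisher evidence and the new group is absent from the Machine tree, the second lists the group under All_Code. Because the grant is additive, the group will show up as matched while the file read still succeeds; to see an actual denial you need the approach Henk describes, a location where the assembly would not otherwise have the permission, with the publisher group being the one that adds it.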