Code Access Security - Implementing Publisher-Based Security Using Digital Certificates

With the growing use of the Internet, distributing software over the Internet is now very common, and assemblies and components are deployed across wide networks. If you are a software company and want to distribute code over the Internet, you can build an assembly and sign it with a digital certificate. The digital certificate carries information about the software publisher, so a consumer of the software can verify the publisher's identity, and a security administrator can grant permissions to a particular publisher so that assemblies signed by that publisher are allowed to run.

In a commercial environment you would obtain a certificate from a company such as VeriSign. The benefit of purchasing a certificate from such a supplier rather than creating your own is that it provides a higher level of trust in the authentication. For testing purposes, .NET provides command-line utilities to create and test digital certificates. This article shows how digital certificates can be used with a .NET application.

Create Certificate - MakeCert.exe

MakeCert generates X.509 certificates for testing purposes only. It creates a public and private key pair for digital signatures and stores it in a certificate file. This tool also associates the key pair with a specified publisher's name and creates an X.509 certificate that binds a user-specified name to the public part of the key pair.

Open a Visual Studio command prompt and type the following command, as shown in the following figure.

This command creates a test certificate and writes it to AnandThakur.cer.


-sv - Specifies the subject's .pvk private key file. The file is created if none exists.
-r - Creates a self-signed certificate.
-n - Specifies the subject's certificate name. This name must conform to the X.500 standard (for example "CN=AnandThakur").

Create Software Publisher Certificate - Cert2spc.exe

The Software Publisher Certificate Test tool creates a Software Publisher's Certificate (SPC) from X.509 certificates. Cert2spc.exe is for test purposes only.

To create a Software Publisher Certificate, type the following command in the Visual Studio command prompt, as shown in the following figure.


Signing code with software publisher certificate - SignCode.exe

The File Signing tool signs a portable executable (PE) file (a .dll or .exe file) with an Authenticode digital signature. You can sign either an assembly or an individual file contained in a multifile assembly. If you are distributing an assembly, you should sign the assembly rather than the individual files.

To run the File Signing tool, type SignCode.exe in the VS command prompt. It will launch a wizard.


Enter the name of the .exe/.dll file you want to sign and click Next. On the next screen select Custom and press Next. On the Signature Certificate screen, click "Select from file" and select the .spc file (in this case AnandThakur.spc) you created using Cert2spc.exe.


On the Private Key screen, select "Private key on disk" and enter the path to the private key created earlier using MakeCert.exe (in this case sign.pvk). On the next screen choose SHA1 and click Next.


On the next two screens, click Next to finish the wizard; you will get a completion message at the end of the wizard.
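The publisher-side steps described so far (create a test certificate with MakeCert, wrap it in an SPC with Cert2spc, sign the assembly) can also be run entirely from the Visual Studio command prompt, without the SignCode wizard. The batch script below is an added example and is not code from the original article; it assumes the file names used above (sign.pvk, AnandThakur.cer, AnandThakur.spc), an assembly called Desktop.exe in the current directory, and that the .NET Framework SDK tools are on the PATH. It uses SignCode's command-line switches (-spc, -v, -a) in place of the wizard screens, and finishes with Chktrust.exe, the SDK's signature verification tool, so you can see the difference between a valid signature and a trusted publisher.

```batch
@echo off
REM Added example: publisher-side steps, run from a Visual Studio command prompt.
REM Assumes makecert, cert2spc, signcode and chktrust are on the PATH and that
REM Desktop.exe (the assembly to sign) is in the current directory.
setlocal

set PVK=sign.pvk
set CER=AnandThakur.cer
set SPC=AnandThakur.spc
set TARGET=Desktop.exe

REM 1. Create a self-signed (-r) X.509 test certificate. The private key goes to %PVK% (-sv),
REM    the certificate to %CER%. -n is the X.500 subject name; makecert prompts for a
REM    password that protects the .pvk file.
makecert -sv %PVK% -r -n "CN=AnandThakur" %CER%
if errorlevel 1 goto :fail

REM 2. Wrap the X.509 certificate in a Software Publisher Certificate (test use only).
cert2spc %CER% %SPC%
if errorlevel 1 goto :fail

REM 3. Authenticode-sign the assembly: -spc = publisher certificate, -v = private key file,
REM    -a sha1 = hash algorithm (the same choice the wizard offers).
signcode -spc %SPC% -v %PVK% -a sha1 %TARGET%
if errorlevel 1 goto :fail

REM 4. Verify the signature quietly (-q = no dialog). Until the test certificate is added to
REM    the Trusted Root Certification Authorities store with CertMgr, chktrust reports the
REM    publisher as untrusted even though the signature itself checks out.
chktrust -q %TARGET%

echo Signed %TARGET% with %SPC%.
endlocal
exit /b 0

:fail
echo A tool failed with error level %ERRORLEVEL%.
endlocal
exit /b 1
```

Run the script once per build; keep sign.pvk out of the build output, since anyone holding that private key can produce assemblies that will match the publisher code group configured later.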


Adding the certificate to the trusted root store - CertMgr.exe

In order to run a signed assembly, the certificate issuer must be a trusted certification authority. The Certificate Manager tool (CertMgr.exe) manages certificates, certificate trust lists (CTLs), and certificate revocation lists (CRLs). Using Certmgr.exe you can add certificates to a certificate store, display certificates, and delete certificates from a certificate store.

This step is required when the publisher is not yet a trusted publisher. Type CertMgr.exe in the Visual Studio command prompt and press Enter. CertMgr opens as shown in the following figure.


Go to the Trusted Root Certification Authorities tab and click the Import button. On the "File to Import" screen, enter the path of your test certificate (in this case AnandThakur.cer) and click Next.


On the next screen, keep the default option ("Place all certificates in the following store") and click Next; a summary of the certificate is shown. Click Finish, and when the confirmation message box appears, click Yes.


You will now see the new entry in the Trusted Root Certification Authorities list.


Adding the publisher to a code group - Secutil.exe and Caspol.exe

The Secutil.exe tool extracts strong name information or the public key of an X.509 certificate from an assembly and converts this information into a format that can be incorporated into code. In order to add the publisher to a code group, we need to extract the hex-encoded certificate from the assembly using SecUtil.

Type "SecUtil -hex -x D:\DotNet\CSharp\Destop\bin\Debug\Desktop.exe" in the command prompt, as shown in the following image.


You will see the hex code in the output. We will now use this hex code to add the publisher to a security code group.

Before we add the publisher to a code group, let us have a look at the existing security code groups.

Type "CasPol -lg" in the command prompt. This lists all the code groups; six groups are shown in the image.


Now type the command "CasPol -addgroup 1 -pub -hex HexCODE FullTrust"

where HexCode is the hex code generated by Secutil.exe, as shown in the following image.


Now look at the security code groups again using "CasPol -lg". You will find the new publisher group added to the code groups.


Your machine is now configured to run all assemblies distributed by this particular publisher.
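The administrator-side steps above (trust the test certificate, extract the publisher certificate with SecUtil, add a publisher code group with CasPol) can likewise be scripted and then checked. The batch script below is an added example, not code from the original article; it assumes AnandThakur.cer and the signed Desktop.exe are in the current directory and the SDK tools are on the PATH. It goes slightly beyond the article in two places: it uses CasPol's -pub -file membership condition, which reads the publisher certificate straight out of the signed file (the documented alternative to pasting the -hex string by hand), and it ends with CasPol's -resolvegroup and -resolveperm options, which show which code groups an assembly matches and what permissions it is actually granted.

```batch
@echo off
REM Added example: administrator-side steps on the machine that will run the signed assembly.
REM Assumes AnandThakur.cer and the Authenticode-signed Desktop.exe are in the current directory.
setlocal

set CER=AnandThakur.cer
set TARGET=Desktop.exe

REM 1. Same effect as the CertMgr import wizard: add the certificate (-c) to the
REM    Trusted Root Certification Authorities store (Root) of the local machine (-r).
certmgr -add -c %CER% -s -r localMachine Root
if errorlevel 1 goto :fail

REM 2. Display the publisher's X.509 certificate as the hex string CasPol expects.
REM    This is the value the article pastes into "-pub -hex HexCode".
secutil -hex -x %TARGET%

REM 3. List the current machine-level code groups, then add a child of the root group (1)
REM    whose membership condition is "signed by this publisher", granting FullTrust.
REM    -pub -file reads the publisher certificate from the signed file itself;
REM    "-pub -hex HexCode" is the equivalent manual form shown in the article.
REM    -q suppresses the policy-change confirmation prompt so the script does not block.
caspol -m -lg
caspol -q -m -addgroup 1 -pub -file %TARGET% FullTrust
if errorlevel 1 goto :fail

REM 4. Confirm the result: which code groups match the assembly, and the permission set
REM    it is granted after policy evaluation. FullTrust here means any assembly signed
REM    with this publisher's key runs unrestricted on this machine.
caspol -m -lg
caspol -resolvegroup %TARGET%
caspol -resolveperm %TARGET%

echo Policy updated. Remove the group with "caspol -m -remgroup" and the group label when testing is done.
endlocal
exit /b 0

:fail
echo A tool failed with error level %ERRORLEVEL%.
endlocal
exit /b 1
```

Because the certificate was created with MakeCert and is self-signed, the trust established here is only as strong as the protection of sign.pvk; on a production machine, grant a publisher group FullTrust only for a certificate whose issuer and key handling you actually control, and review "caspol -m -lg" periodically so stale test groups do not linger.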