Digital signature technology in Microsoft.NET

Author: Wang Haixuan e-mail: wanghaixuan@lianchuang.com

Digital signature technology in Microsoft.NET

Nanjing Wang Haixuan

SUMMARY: This article creates a signature CAB file in Microsoft.NET as an example, how to create a signature file, so that your code can be securely published on the Internet. I hope to play the role of throwing jade.

Keywords: digital signature, ActiveX, CAB

First, Internet Security and Digital Signature

Document security is a major problem for developers and users of Internet applications. There are the following risks: malicious code, tampering code and code from unknown sites or authors.

There are two basic methods for ensuring security when developing for Internet. The first method is called "sandbox". In this method, the application can only access a set of specific APIs and is excluded from potentially dangerous APIs (such as file I / O, programs may be destroyed in the user's computer). The second method is implemented using a digital signature. This method is called "shrink packaging" on the Internet. Use private / mockup technical verification and signature code. Before the code is run, verify its digital signature, ensuring that the source of the code is known and verified, and the code is not changed after the self-signature.

In the first case, trusted applications do not have any damage and trust the source of the application. In the second case, use a digital signature to verify the authenticity. Digital signatures are industrial standards for identifying and providing detailed information about code issuers. Its technology is based on standards, including RSA and X.509. The browser typically allows users to choose whether you want to download and run the source unknown code.

This article mainly discusses the "digital signature" of the second middle. First give the file signature first get the software issuance certificate. To this end, a request must be made to the certificate authority. During the application, you must generate a key pair and provide identification information to the certificate authority (such as name, address, and public spoon). It is also necessary to make a binding guarantee to ensure that you can't distribute you or if you have to know the software or code that contains a virus or that will maliciously impair the user's computer or code.

In the examples of this article, the Makecert and Cert2SPC utility generated by Microsoft.NET and the Cert2SPC utility generates a test software issuance certificate. Of course, it is invalid for software issuance, only for test code signatures.

Second, create a signature CAB file

This example uses Microsoft Visual Studio .NET 2003 development tools. So you have to have Microsoft Visual Studio .NET 2002 or later environment.

1. Get a software issuance certificate (test)

Step 1: Start menu -> Run, enter cmd.exe. Open the command prompt environment window of Windows 2000.

Step 2: Enter CD C: / Program Files / Microsoft Visual Studio .NET 2003 / SDK / V1.1 / BIN, enter the directory, use DIR commands you can see SignCode.exe, makecert.exe and Cert2Spc.exe programs . Note: The above path varies depending on the installation path of your machine Microsoft.NET.

Step 3: Create a public key and private key pair for a digital signature, and store it in a certificate file.

Enter Makecert -sk WHX -N "CN = Whx Company" c: /testwhx.cer.

Will build TestWhx.cer files in your C:

Description: The certificate name of the parameter -N specified the subject. This name must meet the X.500 standard. The easiest way is to specify this name in dual quotes and add prefix CN =; for example, "cn = myname". Note that the CN here must be capitalized. -SK Specifies the key container position of the topic, which contains private keys. If the key container does not exist, the system will create one. Enter makecert - • You can view the usage of other parameters. Step 4: Create a issuer certificate (SPC).

Note that the issuer certificate test tool creates a Publisher Certificate (SPC) through one or more X.509 certificates. CERT2SPC.EXE is only used for test purposes. An effective SPC can be obtained from a certificate authority (such as VeriSign or Thawte).

Enter the command: CERT2SPC C: /TestWhx.cer C: /TestWHX.SPC, in C: disk generated certificate file. At this point, you already have a software certificate for testing only. In fact, the procedures or ActiveX controls we develop or ActiveX controls can be used only for the interior of the enterprise, so that you can use this method to make a digital signature, so that your control can be downloaded automatically in the browser without having to go to a certificate of certificates.

2, create a CAB file

The CAB file is a Windows standard compression format file. When you publish ActiveX on a web page, the compression format is often wrapped in the compression format to make the file to easily transmit on the Internet. There are many ways to create a CAB file, you can "create a CAB project" in Microsoft Visual Studio .NET 2003, you can also use Windows IexPress.exe (under the C: / Windows / System32 directory), even other compression tool.

The method of use of IexPress.exe will be described below. Enter iExpress in the Start Menu -> Run, follow the illustrations as shown below.

In C: / Create a whx.cab file.

You can also sign DLL and OCX without using a CAB file. The advantage of the CAB file is compressed, and if you use it with the INF file, it can bind all the necessary code together.

3, sign file

In the DOS window opened above, enter the following command:

Signcode / SPC C: /TestWHX.SPC / K WHX C: /WHX.CAB

At this point, it has been signature the WHX.cab file for success. You can view the properties of the file to view the digital signature.

4, embedded to the web page

Use the