Digitally sign files from within a web application

Joao Maia

I did that with both my assembly and the Microsoft.Web.Services2.dll
and I still get the same message. When I try to evaluate both
assemblies on .NET Configuration, it says that I have unrestricted
permissions, but I still can't get it to work.

One other thing, my code invokes a Win32 dll (cryptui):

// P/Invoke declaration for the CryptUI certificate-picker dialog (cryptui.dll).
// Returns a PCCERT_CONTEXT as an IntPtr, or IntPtr.Zero if the user cancels.
[DllImport("cryptui", CharSet = CharSet.Unicode, SetLastError = true)]
internal static extern IntPtr CryptUIDlgSelectCertificateFromStore(
    IntPtr hCertStore,        // handle of the open certificate store to pick from
    IntPtr hwnd,              // owner window handle (IntPtr.Zero for none)
    string pwszTitle,         // dialog title
    string pwszDisplayString, // prompt text shown in the dialog
    uint dwDontUseColumn,     // CRYPTUI_SELECT_*_COLUMN flags for columns to hide
    uint dwFlags,             // reserved, pass 0
    IntPtr pvReserved);       // reserved, pass IntPtr.Zero

Can this be the reason it's still not working? Is there anything more
I need to do?
The code above is part of a sample I got from the Microsoft WSE
installation, so I'm figuring it should work...

Thanks for your help,

jm


Dominick said:
You may find it more intuitive to use the GUI

Adm. Tools -> .NET Framework Configuration

Runtime Security Policy -> Machine -> All Code

Create new Code group -> use strong name membership condition and assign
full trust.

I looked for a good walkthrough online meanwhile, but couldn't find something...maybe
someone else has a link?

dominick
Joao said:
[dominick]

You have to manually adjust the CAS Policy on every client to grant
Full Trust to your component - best by basing the policy on the
strong name of your component. You can use mscorcfg.msc or CasPol
for this.

How do I do this? What is mscorcfg.msc? What is CasPol?

Thanks,

jm
Ok, after searching for CasPol, I used it on my assembly with the
-addfulltrust option but it still doesn't work. Oh and my assembly is
strongly named.

My assembly (the user control hosted on IE) uses
Microsoft.Web.Services2.dll assembly from Microsoft WSE, so I ran
CasPol on that assembly as well, but I still get the same error
message.

Is there any way to know which assembly is causing the
problem?

jm
 
Joe Kaplan (MVP - ADSI)

Shawn Farkas has the canonical sample of this stuff on his blog somewhere.
Google should turn it up.

The big challenge with this type of thing is that granting full trust to the
assembly is not sufficient, because the app domain in IE does not have full
trust. The assembly that has full trust must also assert the permissions
that will be demanded to prevent the stack walk from getting out of the full
trust assembly.

The other way to do it is to grant full trust using a URL membership
condition, in which case the app domain WILL have full trust too. This
makes the programming easier, but less secure.

Programming for partial trust is a bit painful. Where is Nicole when we
need her? :)

HTH,

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
 
Dominick Baier

aah yeah - i knew there was a gotcha.

Try a UrlMembershipCondition instead to get it to work.

Also have a look at blogs.msdn.com/shawnfa

dominick
 
Joao Maia

Ok, you guys must think I'm crazy or something but:

I tried asserting every kind of permission in
System.Security.Permissions before I do the call to the method that's
causing the error and guess what... it didn't work.

So I tried what Shawn suggests on his blog, which is creating a
condition based upon the Zone or the Site. I created a condition based
on the Zone, the Site, and the URL and still I get that "partially
trusted" annoying message...

What's weird is that, when I evaluate my dll using the Evaluate
Assembly tool in the .NET Configuration tool, and try to view code
groups that grant permissions to the assembly, the code groups I just
created don't appear for my assembly...

I'm almost throwing myself out of the window... :(

jm
 
Joe Kaplan (MVP - ADSI)

I'm not good enough at CAS to help with the nasty problems. Hopefully
Nicole will see this and can save you (or Dominick or someone else wants to
try).

Best of luck,

Joe K.
 
Joao Maia

Hi!

I found out two more things that may be important regarding this
problem:

First, the code in my user control is supposed to be .NET Framework 1.1
code (I'm using vstudio 2003), but somehow when the control gets hosted
on IE on my machine, it runs in a .NET Framework 2.0 environment. I
have no idea how this happens, but I was able to figure this out when I
looked at the error details and noticed on the "Loaded Assemblies"
part, that all the loaded assemblies, including mscorlib are version
2.0. I've got both versions of the platform installed on my machine,
but shouldn't the assemblies for version 1.1 be loaded instead of the
ones from version 2.0?

The funny thing is that I tried accessing my web page from a machine
with only .net 1.1 and there was a different error: "Security Error" or
something like that.

Now that I think of this, this may actually explain why the code groups
I created are having no effect at all, because they were created in the
.NET Framework 1.1 configuration tool and the assemblies loaded are all
2.0. My question is, how do you configure code groups on version 2.0 of
the platform? I see no configuration tool in my administrative tools
for version 2.0... :(

The second thing that I noticed about my problem is the time when the
security exception is thrown. According to the displayed call stack, it
happens when calling

System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg,
IntPtr wparam, IntPtr lparam)

(I think this is probably called when I do a P/Invoke on
CryptUIDlgSelectCertificateFromStore)

According to the details of the error:

The action that failed was:
LinkDemand
The Zone of the assembly that failed was:
Trusted

I have no idea what this means but some of you guys might...

Thanks once again for all the help you've been giving me.

jm
 
Joao Maia

Success!

After installing Visual Studio 2005, and being able to define a zone
code group in the .NET Framework 2.0 Configuration tool, my user
control worked just fine! The problem is I was defining code groups on
version 1.1 of the framework, but since what was actually loaded were
assemblies from version 2.0 the code groups I defined had no effect at
all. As soon as I was able to create a Code Group with a Zone condition
(just as stated on Shawn Farkas's blog) on version 2.0 of the platform,
things worked smoothly.

Thanks to everyone.

jm
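Dominick's code-group procedure and the 1.1-versus-2.0 policy mix-up that resolved this thread can be reproduced from the command line. The script below is an added example, not code from the thread; it assumes placeholder paths (bin\MyControl.dll, http://intranet/app/), the standard Framework install directories, and that it runs on the client machine that hosts the control. Each runtime keeps its own CAS policy, so it calls the caspol.exe belonging to each version explicitly.

```batch
@echo off
rem Added example (not from the thread). Placeholders: ASM and the URL below.
rem Each .NET runtime has its own security policy and its own caspol.exe, so
rem policy edited with the 1.1 tool is invisible to an app domain running on 2.0.

set NET11=%WINDIR%\Microsoft.NET\Framework\v1.1.4322\caspol.exe
set NET20=%WINDIR%\Microsoft.NET\Framework\v2.0.50727\caspol.exe
set ASM=bin\MyControl.dll

rem 1. Diagnose: list the machine-level code groups that match the assembly
rem    under each runtime. A group created with the 1.1 configuration tool
rem    shows up only in the first listing; that is the symptom from the thread.
"%NET11%" -m -resolvegroup "%ASM%"
"%NET20%" -m -resolvegroup "%ASM%"

rem 2. Grant FullTrust on the 2.0 runtime by strong name, as Dominick suggested.
rem    Parent label 1 is All_Code. -noname -noversion keys the grant to the
rem    public key only, so any assembly signed with that key pair is trusted;
rem    give a name and version instead if that is too broad for your deployment.
"%NET20%" -q -m -addgroup 1 -strong -file "%ASM%" -noname -noversion FullTrust -n "MyControl_StrongName" -d "Full trust for the signing control"

rem    Alternative from the thread: a URL membership condition. Easier to get
rem    working, but every assembly loaded from that location is fully trusted,
rem    including the hosting app domain, which is why Joe called it less secure.
rem "%NET20%" -q -m -addgroup 1 -url "http://intranet/app/*" FullTrust -n "MyApp_Url"

rem 3. Verify the grant set the 2.0 runtime will actually compute for the assembly.
"%NET20%" -m -resolveperm "%ASM%"

rem Note: -addfulltrust (-af), which was tried earlier in the thread, only adds an
rem assembly to the list of assemblies the policy system itself fully trusts
rem (for custom permission classes); it does not grant FullTrust to the assembly.
```

Run step 1 first and only add a group for the runtime whose resolvegroup output lacks the expected entry; a grant that never appears in resolveperm is the quickest sign you edited the wrong version's policy.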