The characteristics by which a particular assembly can be identified are its identity permissions. An example is a signed assembly's strong name or the Web site that originated the assembly. Based on the evidence provided to the assembly loader or trusted host, identity permissions are granted by the CLR.

Identity Permission Classes

To identify running code, there are several identity permission classes.

- PublisherIdentityPermission models the software publisher's digital signature.
- SiteIdentityPermission models the Web site where code originated.
- StrongNameIdentityPermission models the strong name of an assembly.
- ZoneIdentityPermission models the zone where the code originated.
- UrlIdentityPermission models the URL and the protocol where the code originated.

These identity permissions represent evidence that can be used to determine security policy. It is important to recognize that identity permissions are not code access permissions.

Evidence

Security policy is based on a set of rules that administrators can establish. The .NET security system can use those rules to enforce the security policy. The evidence, represented by the identity permissions, is used to determine which security policy to apply. The AppDomain class has a function ExecuteAssembly that causes an assembly to load and run. One of the possible arguments to this overloaded method is an Evidence object argument. This Evidence class is a collection of objects that represent the identity of the assembly, which is used in making security policy decisions. The Evidence example illustrates this. This example gets the collection of evidence associated with a strongly named assembly and prints out the associated values.
```vb
Imports System
Imports System.Collections
Imports System.Security.Policy

Module EvidenceDemo
    Sub Main()
        ' The evidence the loader collected for the currently running assembly.
        Dim ev As System.Security.Policy.Evidence = _
            AppDomain.CurrentDomain.Evidence
        Dim iEnum As IEnumerator = ev.GetEnumerator()
        Dim bNext As Boolean
        Console.WriteLine( _
            "Evidence Enumerator has {0} members", _
            ev.Count)
        bNext = iEnum.MoveNext()
        While bNext = True
            Dim x As Object = iEnum.Current
            Dim t As Type = x.GetType()
            Console.WriteLine(t.ToString())
            If t Is Type.GetType( _
                "System.Security.Policy.Zone") Then
                Dim zone As Zone = CType(x, Zone)
                Console.WriteLine("   " + _
                    zone.SecurityZone.ToString())
            ElseIf t Is Type.GetType( _
                "System.Security.Policy.Url") Then
                Dim url As Url = CType(x, Url)
                Console.WriteLine("   " + _
                    url.Value.ToString())
            ElseIf t Is Type.GetType( _
                "System.Security.Policy.Hash") Then
                Dim hash As Hash = CType(x, Hash)
                Dim md5Hash() As Byte = hash.MD5
                Dim sha1Hash() As Byte = hash.SHA1
                Console.WriteLine("   MD5 Hash of Assembly:")
                Console.Write("      ")
                Dim i As Integer
                ' Each byte is written as a decimal number with no separator,
                ' which is why the hashes in the output are one long digit string.
                For i = 0 To md5Hash.Length - 1
                    Console.Write(md5Hash(i))
                Next
                Console.WriteLine()
                Console.WriteLine("   SHA1 Hash of Assembly:")
                Console.Write("      ")
                For i = 0 To sha1Hash.Length - 1
                    Console.Write(sha1Hash(i))
                Next
                Console.WriteLine()
            ElseIf t Is Type.GetType( _
                "System.Security.Policy.StrongName") Then
                Dim sn As StrongName = CType(x, StrongName)
                Console.WriteLine( _
                    "   StrongName of Assembly is: {0} " & _
                    "version: {1}", sn.Name, sn.Version)
                Console.WriteLine("   Assembly public key:")
                Console.Write("      ")
                Console.WriteLine(sn.PublicKey.ToString())
            End If
            bNext = iEnum.MoveNext()
        End While
    End Sub
End Module
```

The example's output would look something like this:

```text
Evidence Enumerator has 4 members
System.Security.Policy.Zone
   MyComputer
System.Security.Policy.Url
   file://C:/OI/NetVB/Chap16/Evidence/bin/Evidence.exe
System.Security.Policy.StrongName
   StrongName of Assembly is: Evidence version: 1.0.808.39413
   Assembly public key:
      0024000004800000940...5EA897BA
System.Security.Policy.Hash
   MD5 Hash of Assembly:
      5934823522219523214999128165198908214168
   SHA1 Hash of Assembly:
      1592378069174985489611742512062371931814814718180
```

The evidence associated with the Zone for this assembly is MyComputer. The Url evidence is the location on disk of the assembly. The Hash evidence can give us the MD5 and SHA-1 hashes of the assembly. The StrongName evidence tells us information about the unique assembly name. Some of this evidence is convertible to the associated identity permissions. For example, the Zone class has a CreateIdentityPermission method that returns an IPermission interface representing the ZoneIdentityPermission instance associated with this piece of evidence. The Url and StrongName classes have similar methods. Another way of looking at the identity permissions is that they answer a series of questions:
- Who published (signed) it?
- What is the name of the assembly?
- What Web site or URL did it come from?
- What zone did the code originate from?

The creator of the application domain (host) can also provide evidence by passing in an Evidence collection when the ExecuteAssembly method is called. Of course, that code must have the ControlEvidence permission. The CLR is also trusted to add evidence, which is reasonable, since it enforces the security policy. Evidence is extensible. You can define evidence types and use them in your own customized security policies.
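The host side of this, as an added example that is not the book's code: a host builds its own Evidence collection (Internet zone plus a URL), converts the Zone evidence into a ZoneIdentityPermission with CreateIdentityPermission as described above, and runs an assembly under that evidence with ExecuteAssembly, so policy is resolved against what the host asserts rather than the file's MyComputer location. It assumes the .NET Framework CAS APIs this chapter covers; "Plugin.exe" and "http://example.invalid/Plugin.exe" are placeholders.

```vb
Imports System
Imports System.Collections
Imports System.Security
Imports System.Security.Permissions
Imports System.Security.Policy

Module EvidenceHost
    ' Host evidence that overrides what the loader infers from the file on
    ' disk: the code is treated as Internet-zone code from the given URL, so
    ' policy grants the Internet permission set, not FullTrust for MyComputer.
    Function BuildInternetEvidence(ByVal sourceUrl As String) As Evidence
        Dim ev As New Evidence()
        ev.AddHost(New Zone(SecurityZone.Internet))
        ev.AddHost(New Url(sourceUrl))
        Return ev
    End Function

    ' Evidence-to-identity-permission conversion described in the text:
    ' the Zone evidence yields the matching ZoneIdentityPermission.
    Function ZoneIdentityFor(ByVal ev As Evidence) As ZoneIdentityPermission
        Dim e As IEnumerator = ev.GetHostEnumerator()
        While e.MoveNext()
            If TypeOf e.Current Is Zone Then
                Dim z As Zone = CType(e.Current, Zone)
                Return CType(z.CreateIdentityPermission(ev), ZoneIdentityPermission)
            End If
        End While
        Return Nothing
    End Function

    Sub Main()
        ' Supplying evidence requires ControlEvidence; demand it so a host
        ' without it fails here rather than at load time.
        Dim p As New SecurityPermission(SecurityPermissionFlag.ControlEvidence)
        p.Demand()

        ' Placeholder URL and file name (not from the book).
        Dim ev As Evidence = BuildInternetEvidence("http://example.invalid/Plugin.exe")
        Dim zip As ZoneIdentityPermission = ZoneIdentityFor(ev)
        Console.WriteLine("Host evidence maps to zone: {0}", zip.SecurityZone)

        ' Run the assembly in its own AppDomain under the host's evidence;
        ' policy resolves against this evidence, not the on-disk location.
        Dim sandbox As AppDomain = AppDomain.CreateDomain("Sandbox")
        Try
            sandbox.ExecuteAssembly("Plugin.exe", ev)
        Finally
            AppDomain.Unload(sandbox)
        End Try
    End Sub
End Module
```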