Summary: This document uses a cab file built with Microsoft .NET as an example to describe how to create a signed file so that your code can be published securely on the Internet. It is offered as a starting point for further discussion.
Keywords: digital signature, ActiveX, cab
I. Internet security and Digital Signature
Code security is a major issue for Internet application developers and users. The risks involved include malicious code, tampered code, and code from an unknown site or author.
There are two basic methods of ensuring security in Internet development. The first is called the "sandbox". In this method, an application may only access a specific set of APIs and is excluded from potentially dangerous ones (such as file I/O, through which a program could destroy data on the user's computer). The second method is implemented with digital signatures and is called "shrink-wrap" for the Internet. It uses public/private key technology to sign and verify code. Before the code runs, its digital signature is verified to ensure that the source of the code is known and verified and that the code has not been changed since it was signed.
In the first case you trust the application because it cannot do any damage; in the second case you trust the source of the application, using a digital signature to verify its authenticity. Digital signatures are an industry standard used to identify the sender of code and to provide detailed information about them. The technology is based on standards including RSA and X.509. Browsers generally allow users to choose whether to download and run code from unknown sources.
This article mainly discusses the second case, digital signatures. To sign a file, you must first obtain a software publisher certificate. To do so, a request must be made to a Certificate Authority. During the application process you must generate a key pair and provide identity information (such as name, address, and public key) to the Certificate Authority. You must also provide a legally binding guarantee that you cannot or will not distribute software that you know, or should have known, contains viruses or will otherwise maliciously damage the user's computer or code.
In this example, the makecert and cert2spc utilities from Microsoft .NET are used to generate a software publisher certificate for testing. Of course, this certificate is not valid for real distribution and can only be used to test code signing.
II. Create a signed cab file
This example uses Microsoft Visual Studio .NET 2003, so you need an environment with Microsoft Visual Studio .NET 2002 or later.
1. Obtain the software publisher certificate (for testing)
Step 1: Choose Start > Run, enter cmd.exe, and open the Windows 2000 command prompt window.
Step 2: Enter cd "C:\Program Files\Microsoft Visual Studio .NET 2003\SDK\v1.1\bin" to enter the directory, then run the dir command to check that the signcode.exe, makecert.exe and cert2spc.exe programs are present. Note: the above path varies depending on where Microsoft .NET is installed on your machine.
Step 3: Create a public/private key pair for the digital signature and store it in a certificate file.
Enter makecert -sk whx -n "CN=whx Company" C:\testwhx.cer
The testwhx.cer file will be generated in the root of your C: drive.
Description: the -n parameter specifies the subject's certificate name. This name must comply with the X.500 standard. The simplest way is to give the name in double quotes with the prefix CN=, for example "CN=myname". Note that CN must be capitalized. -sk specifies the location of the subject's key container, which holds the private key. If the key container does not exist, the system creates one. Enter makecert -? to view the usage of the other parameters.
Step 4: Create the software publisher certificate (SPC).
Note that the Software Publisher Certificate Test Tool (cert2spc.exe) creates a software publisher certificate (SPC) from one or more X.509 certificates. Cert2spc.exe is for testing purposes only. A valid SPC can be obtained from a Certificate Authority (such as VeriSign or Thawte).
Enter the command cert2spc C:\testwhx.cer C:\testwhx.spc to generate the certificate file on the C: drive. You now have a software publisher certificate for testing only. In fact, as long as the program or ActiveX control you have developed is used only inside the enterprise, you can use this method for digital signing so that your control can be downloaded automatically in the browser, without having to obtain a certificate from a dedicated Certificate Authority.
2. Create a cab file
A cab file is a standard Windows compressed file. It is often used to package files when an ActiveX control is published on a web page so that they can be transmitted over the Internet. There are many ways to create a cab file: you can create a Cab Project in Microsoft Visual Studio .NET 2003, use the iexpress.exe that ships with Windows (in the C:\Windows\system32 directory), or even use other compression tools.
The following describes how to use iexpress.exe. Choose Start > Run, enter iexpress, and follow the steps shown in the figure below.
Create the whx.cab file in the root of C:.
Alternatively, sign the DLL or OCX directly without using a cab file. The advantage of the cab file is compression, and when used together with an INF file it can bundle all the necessary code together.
3. Sign the file
In the command prompt window opened above, enter the following command:
signcode /spc C:\testwhx.spc /k whx C:\whx.cab
At this point you have successfully signed the whx.cab file. You can view the digital signature in the file's properties.
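As an added example that is not code from the original article, the steps above collected into one batch script with an error check after each tool and a final verification using chktrust.exe, which ships in the same SDK bin directory as signcode.exe. It assumes that directory is on PATH and that C:\whx.cab has already been built; the key container name and paths are the article's.

```batch
@echo off
rem Added example, not code from the original article: the article's steps run
rem end to end from one script, with an error check after each tool and a
rem final verification. Assumes the .NET Framework 1.1 SDK bin directory
rem (makecert.exe, cert2spc.exe, signcode.exe, chktrust.exe) is on PATH and
rem that the cab file has already been built with iexpress or a Cab Project.
setlocal

set KEYCONTAINER=whx
set CERT=C:\testwhx.cer
set SPC=C:\testwhx.spc
set CAB=C:\whx.cab

if not exist "%CAB%" (
    echo %CAB% not found; build the cab file first.
    exit /b 1
)

rem Step 3: self-signed test certificate. The private key is created in the
rem CSP key container named by -sk and stays on this machine.
makecert -sk %KEYCONTAINER% -n "CN=whx Company" "%CERT%"
if errorlevel 1 (echo makecert failed & exit /b 1)

rem Step 4: wrap the X.509 certificate into a software publisher certificate.
cert2spc "%CERT%" "%SPC%"
if errorlevel 1 (echo cert2spc failed & exit /b 1)

rem Sign the cab: /spc names the publisher certificate, /k the key container
rem that holds the matching private key.
signcode /spc "%SPC%" /k %KEYCONTAINER% "%CAB%"
if errorlevel 1 (echo signcode failed & exit /b 1)

rem Verification: chktrust checks the signature against the file's current
rem bytes and walks the certificate chain, and may show the same security
rem warning dialog a browser would. A test certificate does not chain to a
rem trusted root, so expect an "unknown publisher" result here; only an SPC
rem issued by a CA the client trusts is reported as trusted without prompting.
chktrust "%CAB%"
echo chktrust exit code: %errorlevel%
endlocal
```

Re-run only the last two steps after any change to the cab contents; a signature made before the change no longer matches the file and chktrust will report it.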