Injecting information into signed file


Guest

We need to inject information (i.e. server details from where a signed file
was downloaded) into a signed file, without breaking the signature or
integrity of a signed file. Apparently there are areas and ways to inject
custom information into signed files, however, we cannot find the "how to".
It is needed to inject server source when a customer downloads signed files
from a site, allowing the downloaded file to query the information and
returning to source where needed.
 
The file could perhaps be prepared and signed server side just before the
download?

Else you could perhaps have in the file some signed resources and some
unsigned one but if this is a monolithic file I doubt this is possible as
precisely the signature allows to guarantee the file has not been updated
since signed...

In which context are you working? You could also perhaps pass this info as
a param tag or taken from the URL the file comes from if launched directly
from the web...

Sorry for the poor help.
 
wschaub said:
> We need to inject information (i.e. server details from where a
> signed file was downloaded) into a signed file, without breaking the
> signature or integrity of a signed file. Apparently there are areas
> and ways to inject custom information into signed files, however, we

Nope. There are no areas that you can use. When an assembly is signed a
hash is taken over all of the assembly except the location where the
signed hash (strong name signature) and the public key will be stored,
and the location where a certificate will be stored. You should not play
with these.

> cannot find the "how to". It is needed to inject server source when a
> customer downloads signed files from a site, allowing the downloaded
> file to query the information and returning to source where needed.

Why does this server information have to be 'injected' in the assembly.
Why can't it be in a separate file? If you want to make sure that such a
file is not corrupted during the download you can sign that file (i.e.
create a hash and encrypt it with the private key) and add that
signature to your file. When the assembly uses the file it can remove
the signature and decrypt the hash, then calculate the hash of the
remaining data in the file and compare the two. That gives you an
integrity check. My security workshop shows you how to do this.

Richard
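
The separate-file integrity check described in the reply above, sketched in C# as an added example (not code from the thread or from the workshop it mentions). The class and method names, the sample payload and the in-process key generation are assumptions for the demo; in deployment the private key stays on the server and only the public key ships inside the signed assembly.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class SignedSidecar   // hypothetical name, not from the thread
{
    // Server side: append an RSA signature (SHA-256, PKCS#1 v1.5) to the payload.
    public static byte[] Seal(byte[] payload, RSA privateKey)
    {
        byte[] sig = privateKey.SignData(payload, HashAlgorithmName.SHA256,
                                         RSASignaturePadding.Pkcs1);
        byte[] file = new byte[payload.Length + sig.Length];
        Buffer.BlockCopy(payload, 0, file, 0, payload.Length);
        Buffer.BlockCopy(sig, 0, file, payload.Length, sig.Length);
        return file;
    }

    // Client side: split off the trailing signature and verify it over the rest.
    public static bool TryOpen(byte[] file, RSA publicKey, out byte[] payload)
    {
        payload = Array.Empty<byte>();
        // An RSA signature is exactly as long as the key's modulus.
        int sigLen = publicKey.ExportParameters(false).Modulus.Length;
        if (file.Length <= sigLen) return false;   // truncated or empty file
        byte[] body = file.AsSpan(0, file.Length - sigLen).ToArray();
        byte[] sig = file.AsSpan(file.Length - sigLen).ToArray();
        // VerifyData hashes the body and checks it against the signed hash.
        if (!publicKey.VerifyData(body, sig, HashAlgorithmName.SHA256,
                                  RSASignaturePadding.Pkcs1))
            return false;
        payload = body;
        return true;
    }

    static void Main()
    {
        // Demo only: both halves of the key pair live in one process here.
        using RSA serverKey = RSA.Create(2048);
        using RSA clientKey = RSA.Create();
        clientKey.ImportParameters(serverKey.ExportParameters(false)); // public part only

        // Constructed sample payload: the download source the assembly will read.
        byte[] file = Seal(Encoding.UTF8.GetBytes("source=downloads.example.test"), serverKey);
        Console.WriteLine(TryOpen(file, clientKey, out byte[] info)
            ? "valid: " + Encoding.UTF8.GetString(info) : "rejected");

        file[0] ^= 0x01;   // simulate corruption or tampering in transit
        Console.WriteLine(TryOpen(file, clientKey, out _) ? "valid" : "rejected");
    }
}
```

Because the public key is compiled into the strong-named assembly, it is covered by the assembly's own signature, so the sidecar file can change per download while the assembly stays byte-for-byte identical.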
 
Thanks. Your references are most helpful.

Patrice said:
> The file could perhaps be prepared and signed server side just before the
> download?
>
> Else you could perhaps have in the file some signed resources and some
> unsigned one but if this is a monolithic file I doubt this is possible as
> precisely the signature allows to guarantee the file has not been updated
> since signed...
>
> In which context are you working? You could also perhaps pass this info as
> a param tag or taken from the URL the file comes from if launched directly
> from the web...
>
> Sorry for the poor help.
 