Author – Tim Kahne, Sandler*Kahne Software, Inc.         Mentor & Editor – Price Brattin, Bueno Software


Creating security for an SL7 VB SDK .NET application


These are steps we went through to accomplish the security requirements.


Our solution was to purchase an Authenticode Certificate and sign our applications. Then in a workstation install program, we use CASPOL to create “trust” for our certificate on that machine.


There are many small details in this process; I've listed the ones we used. They may not all be right for you, but in the end they worked for us.


Purchase an Authenticode Certificate


To sign an application a certificate must be purchased. The three main vendors are VeriSign, Thawte and Comodo. Comodo is by far the cheapest, and K Software (www.ksoftware.net), a Comodo reseller, discounts it even further (3 years at $85/year). We purchased the three-year certificate.

Applying through K Software -


CSP – used the default
Key Filename – chose “In the file” leave the default C:\Mykey.pvk
KeySize – used the default
Exportable? – left checked
User Protected? – left unchecked


When finishing the above a C:\Mykey.pvk file will be written – DO NOT MOVE this file – it must be there for the next step.

K Software will request payment -

Once paid, Comodo will contact you to validate your company – you have to provide one of a number of pieces of documentation (DUNS number, Articles of Incorp. etc.)

Once you get a validation email back, Comodo now sends a link to download the certificate. This will not work unless the MyKey.pvk is located in the same place as it was originally written.

The download is a MyKey.spc file. Now the .pvk and .spc can be moved to another machine.

The next step is to create your certificate. The Pvkimprt.exe utility is used to do this. I found this file in the Microsoft download center (www.microsoft.com/downloads, search for pvkimprt.exe).

To create the certificate:
pvkimprt <path>\MyKey.spc <path>\MyKey.pvk

I believe this prompts you and creates a .pfx file – this is the certificate.

Obfuscation

With .NET apps the assemblies can be "disassembled", exposing essentially all of the source code to anyone who has the binaries. To prevent this, obfuscators have been written to "scramble" the code so that it is no longer readable yet still runs.

Again, through Price I was directed to www.9rays.net. For $392 you can obtain a Console Edition of their Spices.Net Obfuscator. Using the K9# parameter (supports serialization/reflection) our SWIM apps were successfully obfuscated.

The command line we use (note the K9# parameter and the /PATHS entry pointing to where the Solomon.Kernel.dll assembly resides):

"c:\Program Files\9Rays.Net\SpicesNet5\Bin\NRObfuscator.exe" K9# /PATHS="c:\Windows\Microsoft.Net\Framework\v2.0.50727";"c:\Program Files\Common Files\Microsoft Shared\DynamicsSL"
/SRC="D:\SL7.0\Applications\RV00000.exe"
/OUT="D:\SLDev\R7.0\Review\_Release\SL" > Obs-Sign-Output.txt

Sign your Dynamics SL SDK apps

"c:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\bin\signtool.exe" sign
/f "YourCert.pfx"
/p passwordforcert
/v /t http://timestamp.comodoca.com/authenticode
D:\SLDev\R7.0\Review\_Release\SL\RV00000.exe >> Obs-Sign-Output.txt
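The two steps above (obfuscate, then sign) are what we run for each application. The batch file below is an added example, not a script from the original write-up or from 9Rays or Microsoft; it chains the same NRObfuscator and signtool command lines, prompts for the .pfx password instead of storing it in the file, and adds a signtool verify step so the log shows whether the signature and timestamp actually check out before the build is released. The paths and the RV00000 name are the ones quoted above; the assumption that NRObfuscator returns a non-zero exit code on failure is ours, not documented here.

```batch
@echo off
REM Added example: obfuscate, sign and verify SL SDK apps (not the original page's script).
REM Paths and names are the ones quoted in the write-up; adjust for your environment.
setlocal

set OBF="c:\Program Files\9Rays.Net\SpicesNet5\Bin\NRObfuscator.exe"
set SIGNTOOL="c:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\bin\signtool.exe"
set SRC=D:\SL7.0\Applications
set OUT=D:\SLDev\R7.0\Review\_Release\SL
set LOG=Obs-Sign-Output.txt
set PFX=YourCert.pfx
set TSURL=http://timestamp.comodoca.com/authenticode

REM Ask for the .pfx password at run time rather than keeping it in the script.
set /p PFXPASS=Password for %PFX%: 

REM One pass per application; add more program names separated by spaces.
for %%A in (RV00000) do (
    echo === %%A === >> %LOG%

    REM Obfuscate with the K9# setting; /PATHS must include the DynamicsSL folder for Solomon.Kernel.dll.
    %OBF% K9# /PATHS="c:\Windows\Microsoft.Net\Framework\v2.0.50727";"c:\Program Files\Common Files\Microsoft Shared\DynamicsSL" /SRC="%SRC%\%%A.exe" /OUT="%OUT%" >> %LOG%
    if errorlevel 1 (echo Obfuscation failed for %%A & goto :fail)

    REM Sign the obfuscated output with the Authenticode certificate and a Comodo timestamp.
    %SIGNTOOL% sign /f "%PFX%" /p %PFXPASS% /v /t %TSURL% "%OUT%\%%A.exe" >> %LOG%
    if errorlevel 1 (echo Signing failed for %%A & goto :fail)

    REM /pa checks the file against the default Authenticode policy (chain, revocation, timestamp).
    REM signtool returns 2 for warnings, so "errorlevel 1" treats warnings as failures too.
    %SIGNTOOL% verify /pa /v "%OUT%\%%A.exe" >> %LOG%
    if errorlevel 1 (echo Signature verification failed for %%A & goto :fail)
)
echo All applications obfuscated, signed and verified. See %LOG%.
endlocal
exit /b 0

:fail
echo Build stopped. See %LOG% for details.
endlocal
exit /b 1
```

Run it from the folder that holds YourCert.pfx. The verify step matters because signtool sign can report success while the timestamp request silently failed; a file that verifies today but carries no timestamp will stop verifying once the certificate expires.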

Create a workstation install program that uses CASPOL


This program is run at each workstation to establish trust on that machine for the signed applications.
The core piece of this for us was the BuenoSoftware workstation VB6 application, MAKETRUST.EXE. Price will send you a copy of MakeTrust for a donation to Feed the Children (www.FeedTheChildren.org). Price can be contacted at PriceBrattin@BuenoSoftware.com. Price will also share the source code for MakeTrust, should it be needed.

Basically this program is a wrapper for the CASPOL utility. In order to use CASPOL you need the hex-encoded form of your certificate, which the SecUtil utility (-x) extracts from a signed executable:

"C:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\Bin\SecUtil.exe" -hex -x D:\SL7.0\Applications\RV00000.exe > HexKey.txt

The .exe on that command line (RV00000.exe) must be one that has already been signed with your certificate (from the step above). HexKey.txt then contains the hex string that needs to be referenced in the CASPOL command line. Inside Price's program there is a spot to put this hex string.
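The write-up says MakeTrust wraps CASPOL and carries the SecUtil hex string inside it. The script below is an added example of that same CASPOL step, written by the editor; it is not MakeTrust and not code from Bueno Software or Microsoft. It adds a machine-level code group whose membership condition is "signed by this publisher certificate" and grants it FullTrust, then lists the groups and resolves the permissions of a signed app so the install can be checked. The PUBHEX value is a placeholder to be replaced with the string SecUtil wrote to HexKey.txt; the group name is made up; the script must be run as an administrator because it changes machine policy.

```batch
@echo off
REM Added example: grant FullTrust to code signed with our Authenticode certificate (not MakeTrust).
REM Usage: trustcert.cmd [path\to\signed\RV00000.exe]   (optional argument is only used for the check)
setlocal

REM caspol for the 2.0 runtime the SL SDK apps target; -m below means machine-level policy.
set CASPOL=%WINDIR%\Microsoft.NET\Framework\v2.0.50727\caspol.exe

REM Placeholder: paste the hex string from HexKey.txt (SecUtil -hex -x output) here, exactly as written.
set PUBHEX=PASTE_HEX_STRING_FROM_HexKey.txt_HERE

REM Constructed name; pick one that identifies your company so the group is easy to find and remove.
set GROUPNAME=SandlerKahne Publisher

REM -q     : do not prompt for confirmation (lets the install run unattended)
REM -m     : machine policy level
REM -ag 1  : add a new group under the root "All_Code" group (label 1)
REM -pub -hex : membership condition = assembly is Authenticode-signed with this publisher certificate
REM FullTrust : the built-in permission set to grant
%CASPOL% -q -m -ag 1 -pub -hex %PUBHEX% FullTrust -n "%GROUPNAME%" -d "FullTrust for applications signed with our Authenticode certificate"
if errorlevel 1 (
    echo CASPOL failed to add the code group.
    endlocal
    exit /b 1
)

REM Show the machine code groups; the new group should appear under 1.
%CASPOL% -m -lg

REM If a signed executable was passed in, resolve its permission set: it should now read FullTrust.
if exist "%~1" %CASPOL% -m -rsp "%~1"

REM To undo this later on a workstation:  caspol -m -rg "%GROUPNAME%"
endlocal
exit /b 0
```

Scoping the group to the publisher certificate (rather than to a URL or a whole zone) means only assemblies that carry a valid signature from that certificate get FullTrust; an unsigned or re-signed copy of the same program falls back to whatever the Intranet or Internet zone group allows. Running the script with a freshly signed RV00000.exe as its argument is the quickest way to confirm the workstation is set up correctly.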

That concludes the steps necessary to set up .NET Security/Trust for a Dynamics SL SDK application.