Professional Documents
Culture Documents
Table of Contents
Add Security to Applications Built with Visual Basic.NET and Visual C#............................. 1
Exercise 1 Create Certificate Using .Net Framework SDK Certificate Creation Tool ..................................................2
Exercise 2 Add Multiple Signatures on the same document.......................................................................................... 4
Exercise 3 Verify signatures in the document ............................................................................................................. 11
Exercise 4 Bug Tracking in Team Foundation Server (TFS) ...................................................................................... 15
Add Security to Applications Built with Visual Basic.NET and Visual C#
Objectives After completing this lab, you will be better able to:
Add security to the applications built with Visual Studio by signing the
messages that you create
Add security to the applications built with Visual Studio by verifying
the messages that you receive
Use Visual Studio Team Foundation Server to track bugs
Scenario Add security to the applications you build with Visual Basic.NET and Visual C#
by having multiple parties digitally sign documents to ensure message integrity
and authenticity.
TFS08RTM
The password for the Administrator account on all computers in this lab is:
Pa$$w0rd. P2ssw0rd for TFS08RTM machine.
Page 1 of 18
Add Security to Applications Built with Visual Basic.NET and Visual C#
Exercise 1
Create Certificate Using .Net Framework SDK Certificate
Creation Tool
Scenario
The public-key infrastructure (PKI) in the Windows platform provides an integrated set of services and
administrative tools for creating, deploying, and managing PK-based applications. This allows application
developers to take advantage of the shared-secret security mechanisms or PK-based security mechanisms, as
appropriate. Enterprises also gain the advantage of being able to manage the environment and applications with
consistent tools and policies.
Page 2 of 18
Add Security to Applications Built with Visual Basic.NET and Visual C#
Tasks Detailed Steps
d. Examine the options that can be used with the certificate tool
Page 3 of 18
Add Security to Applications Built with Visual Basic.NET and Visual C#
Exercise 2
Add Multiple Signatures on the same document
Scenario
System.Security.Cryptography.Pkcs is the namespace that contains the managed code implementation of the
Cryptographic Message Syntax (CMS) and Public-Key Cryptography Standards #7 (PKCS #7) standards. CMS is a
superset of PKCS #7. Using this standard, you can implement signed messages, enveloped messages, or signed and
enveloped messages.
C#:
using System;
using System.IO;
Page 4 of 18
Add Security to Applications Built with Visual Basic.NET and Visual C#
Tasks Detailed Steps
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
3. Create a a. Enter the following code after the End Sub:
function to Note: Create a function called GetSigningCertficateBySubjectName that takes the
search for parameters signer and cert, and returns the certificate if found.
certificate by VB:
subject name.
Function GetSigningCertificateBySubjectName(ByVal signer
As String, ByRef cert As X509Certificate2) As Boolean
End Function
C#:
static public bool
GetSigningCertificateBySubjectName(String subject,
C#:
bool found;
X509Store personalCerts;
X509Certificate2Collection certsColl;
cert = null;
found = false;
c. Enter in the following code after the variable declaration:
Note: Open the private certificate store of the current user for read only access.
VB:
personalCerts = New X509Store(StoreName.My,
StoreLocation.CurrentUser)
personalCerts.Open(OpenFlags.ReadOnly)
C#:
personalCerts = new X509Store(StoreName.My,
StoreLocation.CurrentUser);
personalCerts.Open(OpenFlags.ReadOnly);
d. Enter the following code after the personalCerts are opened:
Note: Search for the certificate in the certificate store. In this demo, we will pass false
in the third parameter, which indicates whether or not to only search valid
certificates. Normally, in a production environment, you should only pass true.
VB:
certsColl =
personalCerts.Certificates.Find(X509FindType.FindBySubject
Name, signer, false)
Page 5 of 18
Add Security to Applications Built with Visual Basic.NET and Visual C#
Tasks Detailed Steps
C#:
certsColl =
personalCerts.Certificates.Find(X509FindType.FindBySubject
Name, subject, false);
e. Enter the following code after certsColl has been assigned:
Note: Search through the whole collection, if a certificate has a private key, then
return the certificate.
VB:
For Each c As X509Certificate2 In certsColl
If c.HasPrivateKey Then
found = True
cert = c
Exit For
End If
Next
C#:
foreach (X509Certificate2 c in certsColl)
{
if (c.HasPrivateKey)
{
found = true;
cert = c;
break;
}
}
f. Enter the following code after the code shown above:
Note: Close the personal certificates, and return the result.
VB:
personalCerts.Close()
Return found
C#:
personalCerts.Close();
return found;
4. Create a a. Enter the following code after the End function:
function to sign Note: Declare the function that would sign a message with the certificate provided.
a message using VB:
the certificate
Function SignMsg(ByVal msg As Byte(), ByVal signerCert As
X509Certificate2) as byte()
C#:
static public byte[] SignMsg(Byte[] msg, X509Certificate2
signerCert)
{
}
b. Declare variables that will be used in the function:
Note: Adding multiple signatures on the same document requires an already signed
document. The following will decode the document that was previously signed.
VB:
Dim cmsSigner As CmsSigner
Dim signedCms As SignedCms
Page 6 of 18
Add Security to Applications Built with Visual Basic.NET and Visual C#
Tasks Detailed Steps
C#:
CmsSigner cmsSigner;
SignedCms signedCms;
c. Enter the following code after declaring the variable:
VB:
signedCms = New SignedCms()
signedCms.Decode(msg)
C#:
signedCms = new SignedCms();
signedCms.Decode(msg);
d. Enter the following code after decoding the message:
Note: Re-sign and return the object.
VB:
cmsSigner = New CmsSigner(signerCert)
signedCms.ComputeSignature(cmsSigner)
Return signedCms.Encode()
C#:
cmsSigner = new CmsSigner(signerCert);
signedCms.ComputeSignature(cmsSigner);
return signedCms.Encode();
5. Create the main a. For those using VB, replace the Sub Main() with the following code:
function VB:
Sub Main(ByVal args As String())
C#:
N/A
b. Create variables in the beginning of the program:
Note: Take the name of the file and the party who will sign the document as command
line arguments.
VB:
Dim encodedSignedCms1, encodedSignedCms2 As Byte()
Dim signer As String
Dim signerCert As X509Certificate2
C#:
byte[] encodedSignedCms1, encodedSignedCms2;
String signer;
X509Certificate2 signerCert;
c. Check whether the command line arguments are valid. Place the code after
creating the variables:
VB:
Try
If args.Length < 2 Then
Console.WriteLine("Enter <file name>
<signer name>")
Else
End If
Catch ex As Exception
Page 7 of 18
Add Security to Applications Built with Visual Basic.NET and Visual C#
Tasks Detailed Steps
End Try
C#:
try
{
if (args.Length < 2)
Console.WriteLine("This application adds a
signature to an already signed file.\r\n" +
"Enter <file name> <signer
name>");
else
{
}
}
catch (Exception e)
{
Console.WriteLine("{0}: {1}", e.GetType().Name,
e.Message);
}
d. Enter the following code in the Else statement:
Note: Read in the file as the first command line and the signer as the second command
line argument and if there are two command line arguments.
VB:
encodedSignedCms1 = File.ReadAllBytes(args(0))
signer = args(1)
C#:
encodedSignedCms1 = File.ReadAllBytes(args[0]);
signer = args[1];
e. If you are using VB, enter the following code:
Note: Assume the signer certificate does not exist.
VB:
signerCert = Nothing
C#:
N/A
f. Search the Certificate store by calling the function created previously. If no signed
certificate was found, display a message:
Note: We now need to access the certificate store, find the certificate and sign the
message with the certificate.
VB:
If Not GetSigningCertificateBySubjectName(signer,
signerCert) Then
Console.WriteLine("Failed to find a
signing certificate for {0} ", signer)
Else
End If
C#:
if (!GetSigningCertificateBySubjectName(args[1], out
signerCert))
Console.WriteLine("Failed to find a signing certificate
Page 8 of 18
Add Security to Applications Built with Visual Basic.NET and Visual C#
Tasks Detailed Steps
for {0}", signer);
else
{
}
g. Locate the Else statement, and enter the following code:
Note: If a certificate was found, then use the SignMsg function created earlier to sign
the message with the private key from the certificate, and write out the result to a file
with an extension .signed.
VB:
encodedSignedCms2 = SignMsg(encodedSignedCms1, signerCert)
File.WriteAllBytes(args(0) + ".signed", encodedSignedCms2)
C#:
// Sign the message with the private key from the
certificate
encodedSignedCms2 = SignMsg(encodedSignedCms1,
signerCert);
// Write out the result
File.WriteAllBytes(args[0] + ".signed",
encodedSignedCms2);
Page 9 of 18
Add Security to Applications Built with Visual Basic.NET and Visual C#
Tasks Detailed Steps
Page 10 of 18
Add Security to Applications Built with Visual Basic.NET and Visual C#
Exercise 3
Verify signatures in the document
Scenario
The fundamental issue when receiving a signed message is whether or not to trust that the signature is valid and was
made by whoever claimed to make it. We can confirm that the signature is mathematically valid, that is, if we can
verify the integrity of the signature using a known public key. However, we must still determine whether the public
key used to verify the signature does in fact belong to the entity claiming to have made the signature in the first
place. If we do not implicitly trust the public key to be the sender's, we need to acquire strong evidence that the key
belongs to the message sender. We are likely to trust that we really have the message sender's public key if we find a
certificate that has a cryptographically valid signature from its issuer, attests to a binding between the sender and
sender's public key, and was issued by an issuer that we trust.
C#:
using System;
using System.IO;
using System.Security.Cryptography.Pkcs;
Page 11 of 18
Add Security to Applications Built with Visual Basic.NET and Visual C#
Tasks Detailed Steps
3. Create Function a. Enter the following code after the End Sub:
to verify Note: Create a function called VerifyMessage that takes the parameter a string of
message. bytes called encoded signed cms.
VB:
Function VerifyMessage(ByVal encodedSignedCms As Byte())
As Boolean
End Function
C#:
static public bool VerifyMsg(byte[] encodedSignedCms)
{
}
b. Declare variables to be used in the function:
VB:
Dim i As Int32
Dim signedCms As SignedCms
C#:
SignedCms signedCms = new SignedCms();
signedCms.Decode(encodedSignedCms);
d. Enter the following code after the message is decoded:
Note: We will list the number of signatures in the message.
VB:
Console.WriteLine("Verifying {0} signatures",
signedCms.SignerInfos.Count)
C#:
Console.WriteLine("Verifying {0} signatures",
signedCms.SignerInfos.Count);
e. Enter the following code after the number of signatures is displayed:
Note: Display each signature in the document.
VB:
For i = 0 To signedCms.SignerInfos.Count - 1
Console.WriteLine(" #{0}. {1}", i + 1,
signedCms.SignerInfos(i).Certificate.Subject)
Next
C#:
for (int i = 0; i < signedCms.SignerInfos.Count; i++)
Console.WriteLine("\t#{0}. {1}", i + 1,
signedCms.SignerInfos[i].Certificate.Subject);
Page 12 of 18
Add Security to Applications Built with Visual Basic.NET and Visual C#
Tasks Detailed Steps
If the signature is not valid, it will return an exception.
VB:
signedCms.CheckSignature(True)
Return True
C#:
signedCms.CheckSignature(true);
return true;
4. Create the main a. Replace the Sub Main() with the following code:
function VB:
Sub Main(ByVal args As String())
C#:
N/A
b. Create variables in the beginning of the program:
Note: Take the name of the file and the party who will sign the document as command
line arguments.
VB:
Dim encodedSignedCms As Byte()
C#:
byte[] encodedSignedCms;
c. Place the code after creating the variables:
Note: Check whether or not the command line arguments are valid.
VB:
Try
If args.Length < 1 Then
Console.WriteLine("Enter the name of a
file to verify")
Else
End If
Catch ex As Exception
Console.WriteLine("{0}: {1}", ex.GetType.Name,
ex.Message)
End Try
C#:
try
{
if (args.Length < 1)
Console.WriteLine("Enter <filename>");
else
{
}
}
catch (Exception e)
{
Console.WriteLine("{0}: {1}", e.GetType().Name,
e.Message);
}
d. Enter the following code in the Else statement:
Page 13 of 18
Add Security to Applications Built with Visual Basic.NET and Visual C#
Tasks Detailed Steps
Note: The main function calls the verify message function that we have created to
validate the message. Then displays the result.
VB:
encodedSignedCms = File.ReadAllBytes(args(0))
VerifyMessage(encodedSignedCms)
Console.WriteLine("The signature is valid")
C#:
encodedSignedCms = File.ReadAllBytes(args[0]);
VerifyMsg(encodedSignedCms);
Console.WriteLine("All signatures are valid");
5. Build and run a. Click Build, and Build Solution.
the solution b. After the build succeeds, use Windows Explorer to browse to the directory:
C:\Security\ SecuringApplications\Solution\VB-Sign3_vb\Resign\bin\Release
c. Copy the board.txt.signed.signed file, browse to the directory C:\Security\
SecuringApplications\Starter\ReVerify\ReVerify\bin\Debug
d. Paste the file into the directory.
e. Open a command prompt window.
f. Browse to C:\Security\SecuringApplications
\Starter\ReVerify\ReVerify\bin\Debug by typing in the following command line:
cd C:\Security\SecuringApplications \Starter\ReVerify\ReVerify\bin\Debug
g. Hit Enter.
Note: Verify the message and display the signatures in the message.
h. Type in the command to sign the message with another user:
ReVerify.exe board.txt.signed.signed
Note: Notice the result: there are two valid signatures in the message.
Page 14 of 18
Add Security to Applications Built with Visual Basic.NET and Visual C#
Exercise 4
Bug Tracking in Team Foundation Server (TFS)
Scenario
Team Foundation is a set of tools and technologies that enable a team to collaborate and coordinate their efforts on
building a product or completing a project. Team Foundation enhances team communication, tracks work status,
supports team roles, enacts the team process, and integrates team tools.
Page 15 of 18
Add Security to Applications Built with Visual Basic.NET and Visual C#
Tasks Detailed Steps
Note: Source Control node provides access to the team project source control
management hierarchy.
i. Right-click on Security-Multiple Signature and click Get Latest Version.
j. In the Browse for Folder, click C:\Security\SecuringApplications \Starter.
k. Click OK.
l. Click File, Open, Project/Solution, browse to C:\Security\SecuringApplications
\Starter\Resign, and double-click on Resign solution.
m. In the Solution Explorer, right-click on Resign solution and click Add solution to
source control.
n. Right-click on Security Multiple Signature in the Source Control Explorer
and click Check in Pending Changes.
o. Click Check in.
Note: Now, Brian will add a work item for Darren to finish the Re-verify program and
upload to the team project.
p. Click on Team Explorer, right-click on Work Item under Security Multiple
Signature.
q. Highlight Add Work Item, select Task
r. In the Title field, add: Code Reverify program to verify signature.
s. Discipline: Development.
t. Assigned to: Darren.
u. Description: Need to Create ReVerify program to verify signature.
v. Click File, Save New Task.
Complete the following Note: Now, lets see how TFS can tracks bugs. Team requested to have the keyword
tasks on: signature changed to certificates for all projects. Brian will now log it as a bug in the
Team Foundation Server, and have Darren fix the issue.
VistaEnt Most activity in Team Foundation Server revolves around a "work item." Work items
4. File a Bug are a single unit of work which needs to be completed. In many respects they are
similar to a "bug" item in bug tracking systems such as Bugzilla, in that a work item
has fields to define Area, Iteration, Assignee, Reported By, a history, file attachments,
Page 16 of 18
Add Security to Applications Built with Visual Basic.NET and Visual C#
Tasks Detailed Steps
and any number of other attributes. Work items themselves can be of several different
types, such as a Bug, a Task, a Quality of Service Assessment, a Scenario, and so
forth. The framework chosen for any given project in a Team Foundation Server
defines what types of work items are available and what attributes each type of work
item contains.
a. Switch to VistaEnt machine.
b. In the Team Explorer, right-click on Work Items under Security Multiple
Signature.
c. Highlight Add Work Item, and select Bug.
d. In the title fill out: We no longer use the term signature in the project, please
use the term certificate instead.
e. Assigned to: Darren.
f. Click File, Save New Bug.
Complete the following Note: Now, Darren will change all the signature keywords to certificates in the code.
tasks on: a. Switch to VSTS08RTM machine.
b. Double click on Program.cs.
VSTS08RTM
c. Replace all the signature keywords with word Certificate in Writeline code.
5. Fix a bug
6. Build and run Note: Build and Verify the Result.
the solution a. Click Build, and Build Solution.
Note: After the build succeeds:
b. Switch to the command prompt Window.
Note: Verify the message and that all signature keywords have been changed
tocertificates.
c. Type in the command to sign the message with another user:
ReVerify.exe board.txt.signed.signed
Note: Notice the result--, there are two valid certificates in the message.
7. Check in the fix Note: Darren checks the project back to the TFS and checks off the bug that was
in TFS assigned to him regarding to the keyword switch.
a. Switch back to Visual Studio 2008.
b. Right-click on the Module1.vb or Program.cs depending on your language
preference.
c. Click on Check in.
d. Click on Work Items tab.
e. Check the bug that Darren has created earlier, ensure that the Check-in Action is
Resolve.
f. Click on Source Files.
g. In the Comment, type in the following: All keywords have been changed to
certificates.
h. Click on Check-In Notes.
Note: Notice that you are able to add in comments from the Code Reviewer, Security
Reviewer, and the Performance Reviewer.
i. Click Check In.
j. Expand Work Items under Security Multiple Signature in the Team
Explorer.
k. Expand Team Queries.
Page 17 of 18
Add Security to Applications Built with Visual Basic.NET and Visual C#
Tasks Detailed Steps
l. Double-click on Active Bugs.
Note: Notice that there are no more active bugs that need to be resolved for the
project.
m. Double-click on Resolved Bugs.
Note: Notice that the Bug that was reported by Brian has been resolved.
n. Double-click on the Bug that was resolved.
o. Scroll down to the details area and select History Tab.
Note: Notice the history of the bug which was created by Brian has been resolved by
Darren.
Page 18 of 18