ILAsm should generate assemblies that are valid for binskim #108627
Comments
Tagging subscribers to this area: @JulieLeeMSFT
Re: SHA-256 support, #85344 included some work to add it for non-Windows platforms, though the main blocker seemed to be finding an implementation (or implementations) to take a dependency on so we don't have to roll our own.
JanK commented to contact the .NET Security Team.
The agreed-upon plan was (quoting from the conversation with the .NET Security Team):
The implementation is here, but we have some abstraction on top of it: https://github.com/dotnet/runtime/blob/main/src/native/libs/System.Security.Cryptography.Native.Apple/pal_digest.c . Here is a more straightforward example of using Apple's APIs.

```c
#include <CommonCrypto/CommonCrypto.h>
#include <CommonCrypto/CommonDigest.h>
#include <assert.h>
#include <stdio.h>

int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;

    // Apple documents these CommonCrypto functions as always returning 1, so we assert on it.
    // Note that assert() is compiled out under NDEBUG; production code should check ret explicitly.
    CC_SHA256_CTX ctx = {{ 0 }};
    int ret;
    ret = CC_SHA256_Init(&ctx);
    assert(ret == 1);

    const char data1[] = "hello";
    const char data2[] = "world";
    // Example of doing two incremental updates to the digest context;
    // the result is the same as hashing "helloworld" in one call.
    ret = CC_SHA256_Update(&ctx, data1, sizeof(data1) - 1);
    assert(ret == 1);
    ret = CC_SHA256_Update(&ctx, data2, sizeof(data2) - 1);
    assert(ret == 1);

    unsigned char digest[CC_SHA256_DIGEST_LENGTH] = { 0 };
    ret = CC_SHA256_Final(digest, &ctx);
    assert(ret == 1);

    // Print the 32-byte digest as lowercase hex.
    for (int i = 0; i < CC_SHA256_DIGEST_LENGTH; i++) {
        printf("%02x", digest[i]);
    }
    printf("\n");
    return 0;
}
```
Can we assume OpenSSL will be available on the build machine? Or would we want to make the SHA-256 implementation unavailable when building without OpenSSL installed? I'm hesitant about introducing a new dependency for building the repo.
Generally, OpenSSL is a hard dependency for .NET on Linux. We abort when we cannot find it (see runtime/src/native/libs/System.Security.Cryptography.Native/opensslshim.c, lines 175 to 181 at 10ee2b1).
It should be reasonable to expect OpenSSL to be present on any Linux system which .NET is expected to run on. (libssl is one of the libraries that make up OpenSSL, the other being libcrypto; we require both.)
@jkotas did say:
> There might be some narrow circumstances where it is possible to do something with a .NET application without OpenSSL present, but build machines will generally have it, as building .NET requires it.
The ilasm dependency on OpenSSL should have the same characteristics as the .NET runtime's (System.Security managed APIs) dependency on OpenSSL:
For System.Security managed APIs, this logic is implemented by the native shim https://github.com/dotnet/runtime/tree/main/src/native/libs/System.Security.Cryptography.Native . You may want to reuse the implementation for ilasm since it is not exactly trivial. For example, instead of calling OpenSSL from ilasm directly, call the
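The Linux-side counterpart of the CommonCrypto snippet above, as an added example that is neither the runtime's native shim nor ILAsm code: it resolves OpenSSL's EVP digest functions with dlopen/dlsym in the spirit of the shim, so the build needs no OpenSSL headers and no -lcrypto, and, rather than aborting when libcrypto is missing, it reports the hash as unavailable, which is the second option raised in the question above. Assumptions: the sonames libcrypto.so.3 and libcrypto.so.1.1 are what the target distro ships (older 1.0.x lacks EVP_MD_CTX_new and is treated as unavailable), and the names sha256_hex_chunks, get_crypto and the SHA256_* status codes are illustrative, not anything from the repo.

```c
#include <dlfcn.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Opaque OpenSSL types and the EVP signatures we resolve at run time. No OpenSSL
 * headers are included, so this file builds on a machine without OpenSSL installed;
 * the cost is moved to run time, where a missing libcrypto is reported, not fatal. */
typedef struct evp_md_ctx_st EVP_MD_CTX;
typedef struct evp_md_st EVP_MD;

struct crypto_fns {
    EVP_MD_CTX *(*EVP_MD_CTX_new)(void);
    void (*EVP_MD_CTX_free)(EVP_MD_CTX *);
    const EVP_MD *(*EVP_sha256)(void);
    int (*EVP_DigestInit_ex)(EVP_MD_CTX *, const EVP_MD *, void *);
    int (*EVP_DigestUpdate)(EVP_MD_CTX *, const void *, size_t);
    int (*EVP_DigestFinal_ex)(EVP_MD_CTX *, unsigned char *, unsigned int *);
};

enum { SHA256_OK = 0, SHA256_UNAVAILABLE = 1, SHA256_FAILED = 2 };

/* Load libcrypto once and cache the function table. The sonames are an assumption
 * about what a typical Linux distro ships (OpenSSL 3.x, then 1.1.x). The handle is
 * deliberately never dlclose()d, since the table keeps pointing into the library. */
static const struct crypto_fns *get_crypto(void) {
    static struct crypto_fns fns;
    static int state = 0; /* 0 = not tried yet, 1 = loaded, -1 = unavailable */
    if (state != 0) return state > 0 ? &fns : NULL;

    static const char *const sonames[] = { "libcrypto.so.3", "libcrypto.so.1.1", NULL };
    void *lib = NULL;
    for (int i = 0; sonames[i] && !lib; i++)
        lib = dlopen(sonames[i], RTLD_NOW | RTLD_LOCAL);
    if (!lib) { state = -1; return NULL; }

    /* POSIX idiom for storing a dlsym() result into a function pointer. */
#define RESOLVE(sym) (*(void **)&fns.sym = dlsym(lib, #sym))
    int ok = RESOLVE(EVP_MD_CTX_new) && RESOLVE(EVP_MD_CTX_free) && RESOLVE(EVP_sha256)
          && RESOLVE(EVP_DigestInit_ex) && RESOLVE(EVP_DigestUpdate) && RESOLVE(EVP_DigestFinal_ex);
#undef RESOLVE
    state = ok ? 1 : -1;
    return ok ? &fns : NULL;
}

/* SHA-256 over n chunks fed incrementally (as in the CommonCrypto sample), writing
 * 64 lowercase hex digits plus a NUL to out. Returns SHA256_OK, SHA256_UNAVAILABLE
 * (no usable libcrypto on this machine) or SHA256_FAILED (an EVP call failed). */
int sha256_hex_chunks(const unsigned char *const *chunks, const size_t *lens, size_t n, char out[65]) {
    const struct crypto_fns *c = get_crypto();
    if (!c) return SHA256_UNAVAILABLE;

    EVP_MD_CTX *ctx = c->EVP_MD_CTX_new();
    if (!ctx) return SHA256_FAILED;

    unsigned char digest[32];
    unsigned int dlen = 0;
    /* EVP_* return 1 on success. Every return value is checked explicitly instead of
     * with assert(), which would silently disappear under NDEBUG. */
    int ok = c->EVP_DigestInit_ex(ctx, c->EVP_sha256(), NULL) == 1;
    for (size_t i = 0; ok && i < n; i++)
        ok = c->EVP_DigestUpdate(ctx, chunks[i], lens[i]) == 1;
    ok = ok && c->EVP_DigestFinal_ex(ctx, digest, &dlen) == 1 && dlen == sizeof digest;
    c->EVP_MD_CTX_free(ctx);
    if (!ok) return SHA256_FAILED;

    for (size_t i = 0; i < sizeof digest; i++)
        snprintf(out + 2 * i, 3, "%02x", digest[i]);
    return SHA256_OK;
}

int main(void) {
    /* Constructed input: the same two chunks as the CommonCrypto sample. */
    const unsigned char *parts[] = { (const unsigned char *)"hello", (const unsigned char *)"world" };
    size_t lens[] = { 5, 5 };
    char hex[65];
    int rc = sha256_hex_chunks(parts, lens, 2, hex);
    if (rc == SHA256_UNAVAILABLE) {
        fputs("libcrypto not found: SHA-256 support is unavailable on this machine\n", stderr);
        return 1;
    }
    if (rc == SHA256_FAILED) {
        fputs("SHA-256 computation failed\n", stderr);
        return 2;
    }
    /* prints 936a185caaa266bb9cbe981e9e05cb78cd732b0b3280eb944412bb6f8f8f07af */
    printf("%s\n", hex);
    return 0;
}
```

Build with `cc -o sha256_dl sha256_dl.c` (add `-ldl` on glibc older than 2.34); no OpenSSL development package is required. The status code is what a tool like ilasm would branch on: emit the SHA-256 checksum when SHA256_OK, and otherwise fail the build with a clear message instead of a crash, mirroring the shim's hard-dependency behaviour without aborting from inside the hashing routine.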
With #109091 merged in, ILAsm now emits PDB checksums hashed with SHA-256. @Newrad0603 do you still need BinSkim compliance in the .NET Framework version of ILAsm?
@amanasifkhalid I was able to make a combination of tools and settings work to unblock my scenario for NetFx, so for now I no longer need support backported to NetFx ILAsm. Thanks for checking! |
Glad to hear that! I don't think there's anything else needed here. |
ILAsm doesn't currently generate assemblies that will pass BinSkim. For example, https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-ba2004enablesecuresourcecodehashing.