Allow only authorized code to call routines in library

Okay, I'll try to explain my use scenario here: I have an implementation of a core library of which the lowest level access is APIs to enter data into DB which should be self contained as a sub-system. Now, for strange reasons this library is exposing critical parameters to this DB like Login ID, and Password, etc. It is intended to be only used for 'internal' code of some larger application developed by the same team, and the idea is to discourage use of these APIs by other 3rd party clients that have access to the same library in binary. This is the part where it gets more uglier. To implement these rather 'secret' functions a simple implementation of a previously decided secret key is devised. Say, code like this:

string secretKey = "blah...$$$";
string password = library::secretGetPwd(secretKey);

This is used in several places and the function only works if secretKey is correct. This does not seem like a good approach and can be easily found out. However, it does cause in several places warnings of several magic-strings which makes the lint tool very unhappy. The task at hand is to only remove these lint warnings. Could someone suggest some 'better' worse way to implement this?

1 answer

  • answered 2018-07-11 06:31 MineR

    Doesn't answer your lint question, but you may be able to solve your larger problem this way:

    First, strongly sign all of your stuff. Then you can look through the calling stack to see the assembly calling the code, and validate it's yours (the code uses the public keys to validate that it's yours [maybe not a good way]). Is this 100% secure? I doubt it.

        //This code relies on the public keys of the two assemblies to be the same.
        System::Diagnostics::StackTrace^ st = gcnew System::Diagnostics::StackTrace();
        System::Reflection::Assembly ^ otherAsm = st->GetFrame(1)->GetMethod()->Module->Assembly;
        array<unsigned char, 1> ^ otherKey = otherAsm->GetName()->GetPublicKey();
        System::Reflection::Assembly ^ thisAsm = st->GetFrame(0)->GetMethod()->Module->Assembly;
        array<unsigned char, 1> ^ thisKey = thisAsm->GetName()->GetPublicKey();
        for (int i = 0; i < thisKey->Length; i++)
            if (otherKey[i] != thisKey[i])
                throw gcnew Exception();