private static extern SECURITY_STATUS NCryptGetProperty(
SafeNCryptHandle hObject,
string pszProperty,
ref int pbOutput,
int cbOutput,
[Out] out int pcbResult,
CngPropertyOptions dwFlags);
/// <summary>
/// Returns a CNG key property.
/// </summary>
/// <returns>
/// null - if property not defined on key.
/// throws - for any other type of error.
/// </returns>
public static byte[] GetProperty(this SafeNCryptHandle ncryptHandle, string propertyName, CngPropertyOptions options)
{
unsafe
{
int numBytesNeeded;
ErrorCode errorCode = Interop.NCrypt.NCryptGetProperty(ncryptHandle, propertyName, null, 0, out numBytesNeeded, options);
if (errorCode == ErrorCode.NTE_NOT_FOUND)
return null;
if (errorCode != ErrorCode.ERROR_SUCCESS)
throw errorCode.ToCryptographicException();
byte[] propertyValue = new byte[numBytesNeeded];
fixed (byte* pPropertyValue = propertyValue)
{
errorCode = Interop.NCrypt.NCryptGetProperty(ncryptHandle, propertyName, pPropertyValue, propertyValue.Length, out numBytesNeeded, options);
}
if (errorCode == ErrorCode.NTE_NOT_FOUND)
return null;
if (errorCode != ErrorCode.ERROR_SUCCESS)
throw errorCode.ToCryptographicException();
Array.Resize(ref propertyValue, numBytesNeeded);
return propertyValue;
}
}
private static extern int NCryptSetProperty(
SafeNCryptHandle handle,
string property,
[In][MarshalAs(UnmanagedType.LPArray)]
byte[] input1,
int input2,
CngPropertyOptions flags);
private static extern SECURITY_STATUS NCryptSetProperty(
SafeNCryptHandle hObject,
string pszProperty,
[In][MarshalAs(UnmanagedType.LPArray)]
byte[] pbInput,
int cbInput,
CngPropertyOptions dwFlags);
internal static unsafe partial ErrorCode NCryptGetProperty(
SafeNCryptHandle hObject,
string pszProperty,
void *pbOutput,
int cbOutput,
out int pcbResult,
CngPropertyOptions dwFlags);
internal static extern unsafe ErrorCode NCryptSetProperty(
#endif
SafeNCryptHandle hObject,
string pszProperty,
void *pbInput,
int cbInput,
CngPropertyOptions dwFlags);
public CngProperty(string name, byte[]?value, CngPropertyOptions options)
: this()
{
ArgumentNullException.ThrowIfNull(name);
Name = name;
Options = options;
_lazyHashCode = default(int?);
_value = value.CloneByteArray();
}
internal CngProperty(string name, ReadOnlySpan <byte> value, CngPropertyOptions options)
: this()
{
ArgumentNullException.ThrowIfNull(name);
Name = name;
Options = options;
_lazyHashCode = default;
_value = value.ToArray();
}
public bool HasProperty(string name, CngPropertyOptions options)
{
bool flag;
if (name == null)
{
throw new ArgumentNullException("name");
}
NCryptNative.GetProperty(this.m_keyHandle, name, options, out flag);
return(flag);
}
public CngProperty(string name, byte[] value, CngPropertyOptions options)
{
if (name == null)
{
throw new ArgumentNullException("name");
}
this.name = name;
this.val = (value != null) ? (byte[])value.Clone() : null;
this.opts = options;
}
public CngProperty(string name, byte[] value, CngPropertyOptions options)
: this()
{
if (name == null)
{
throw new ArgumentNullException("name");
}
Name = name;
Options = options;
_lazyHashCode = default(int?);
_value = (value == null) ? null : value.CloneByteArray();
}
/// <summary>
/// Get the value of an arbitrary property
/// </summary>
public CngProperty GetProperty(string name, CngPropertyOptions options)
{
if (name == null)
throw new ArgumentNullException(nameof(name));
byte[] value = _keyHandle.GetProperty(name, options);
if (value == null)
throw ErrorCode.NTE_NOT_FOUND.ToCryptographicException();
if (value.Length == 0)
value = null; // Desktop compat: For some reason, CngKey.GetProperty() morphs zero length property values to null.
return new CngProperty(name, value, options);
}
public CngProperty GetProperty(string name, CngPropertyOptions options)
{
bool flag;
if (name == null)
{
throw new ArgumentNullException("name");
}
byte[] buffer = NCryptNative.GetProperty(this.m_keyHandle, name, options, out flag);
if (!flag)
{
throw new CryptographicException(-2146893807);
}
return(new CngProperty(name, buffer, options));
}
public bool HasProperty(string name, CngPropertyOptions options)
{
Contract.Assert(m_keyHandle != null);
if (name == null)
{
throw new ArgumentNullException("name");
}
bool foundProperty;
NCryptNative.GetProperty(m_keyHandle, name, options, out foundProperty);
return(foundProperty);
}
/// <summary>
/// Determine if a property exists on the key
/// </summary>
public bool HasProperty(string name, CngPropertyOptions options)
{
if (name == null)
throw new ArgumentNullException(nameof(name));
unsafe
{
int numBytesNeeded;
ErrorCode errorCode = Interop.NCrypt.NCryptGetProperty(_keyHandle, name, null, 0, out numBytesNeeded, options);
if (errorCode == ErrorCode.NTE_NOT_FOUND)
return false;
if (errorCode != ErrorCode.ERROR_SUCCESS)
throw errorCode.ToCryptographicException();
return true;
}
}
/// <summary>
/// Get the value of an arbitrary property
/// </summary>
public CngProperty GetProperty(string name, CngPropertyOptions options)
{
ArgumentNullException.ThrowIfNull(name);
byte[]? value = _keyHandle.GetProperty(name, options);
if (value == null)
{
throw ErrorCode.NTE_NOT_FOUND.ToCryptographicException();
}
if (value.Length == 0)
{
value = null; // .NET Framework compat: For some reason, CngKey.GetProperty() morphs zero length property values to null.
}
return(new CngProperty(name, value, options));
}
public CngProperty(string name, byte[] value, CngPropertyOptions options)
{
if (name == null)
{
throw new ArgumentNullException("name");
}
this.m_name = name;
this.m_propertyOptions = options;
this.m_hashCode = null;
if (value != null)
{
this.m_value = value.Clone() as byte[];
}
else
{
this.m_value = null;
}
}
/// <summary>
/// Determine if a property exists on the key
/// </summary>
public bool HasProperty(string name, CngPropertyOptions options)
{
ArgumentNullException.ThrowIfNull(name);
unsafe
{
ErrorCode errorCode = Interop.NCrypt.NCryptGetProperty(_keyHandle, name, null, 0, out _, options);
if (errorCode == ErrorCode.NTE_NOT_FOUND)
{
return(false);
}
if (errorCode != ErrorCode.ERROR_SUCCESS)
{
throw errorCode.ToCryptographicException();
}
return(true);
}
}
/// <summary>
/// Get the value of an arbitrary property
/// </summary>
public CngProperty GetProperty(string name, CngPropertyOptions options)
{
if (name == null)
{
throw new ArgumentNullException("name");
}
byte[] value = _keyHandle.GetProperty(name, options);
if (value == null)
{
throw ErrorCode.NTE_NOT_FOUND.ToCryptographicException();
}
if (value.Length == 0)
{
value = null; // Desktop compat: For some reason, CngKey.GetProperty() morphs zero length property values to null.
}
return(new CngProperty(name, value, options));
}
internal static void SetAccessRuleOnKSPKey(CngKey key, string accountName, CryptoKeyRights keyAccessMask)
{
const string NCRYPT_SECURITY_DESCR_PROPERTY = "Security Descr";
const CngPropertyOptions DACL_SECURITY_INFORMATION = (CngPropertyOptions)4;
// retrieve existing permissions
var existingACL = key.GetProperty(NCRYPT_SECURITY_DESCR_PROPERTY, DACL_SECURITY_INFORMATION);
// add new rule
CryptoKeySecurity keySec = new CryptoKeySecurity();
keySec.SetSecurityDescriptorBinaryForm(existingACL.GetValue());
keySec.AddAccessRule(new CryptoKeyAccessRule(accountName, keyAccessMask, AccessControlType.Allow));
// put back
CngProperty updatedACL = new CngProperty(existingACL.Name, keySec.GetSecurityDescriptorBinaryForm(), CngPropertyOptions.Persist | DACL_SECURITY_INFORMATION);
key.SetProperty(updatedACL);
}
public CngProperty GetProperty(string name, CngPropertyOptions options)
{
Contract.Assert(m_keyHandle != null);
if (name == null)
{
throw new ArgumentNullException("name");
}
bool foundProperty;
byte[] value = NCryptNative.GetProperty(m_keyHandle, name, options, out foundProperty);
if (!foundProperty)
{
throw new CryptographicException((int)NCryptNative.ErrorCode.NotFound);
}
return(new CngProperty(name, value, options));
}
/// <summary>
/// Determine if a property exists on the key
/// </summary>
public bool HasProperty(string name, CngPropertyOptions options)
{
if (name == null)
{
throw new ArgumentNullException(nameof(name));
}
unsafe
{
int numBytesNeeded;
ErrorCode errorCode = Interop.NCrypt.NCryptGetProperty(_keyHandle, name, null, 0, out numBytesNeeded, options);
if (errorCode == ErrorCode.NTE_NOT_FOUND)
{
return(false);
}
if (errorCode != ErrorCode.ERROR_SUCCESS)
{
throw errorCode.ToCryptographicException();
}
return(true);
}
}
/// <summary>
/// Retrieve a well-known CNG dword property. (Note: .NET Framework compat: this helper likes to return special values rather than throw exceptions for missing
/// or ill-formatted property values. Only use it for well-known properties that are unlikely to be ill-formatted.)
/// </summary>
public static int GetPropertyAsDword(this SafeNCryptHandle ncryptHandle, string propertyName, CngPropertyOptions options)
{
byte[]? value = ncryptHandle.GetProperty(propertyName, options);
if (value == null)
{
return(0); // .NET Framework compat: return 0 if key not present.
}
return(BitConverter.ToInt32(value, 0));
}
/// <summary>
/// Retrieve a well-known CNG string property. (Note: .NET Framework compat: this helper likes to return special values rather than throw exceptions for missing
/// or ill-formatted property values. Only use it for well-known properties that are unlikely to be ill-formatted.)
/// </summary>
internal static string?GetPropertyAsString(SafeNCryptHandle ncryptHandle, string propertyName, CngPropertyOptions options)
{
Debug.Assert(!ncryptHandle.IsInvalid);
byte[]? value = GetProperty(ncryptHandle, propertyName, options);
if (value == null)
{
return(null); // .NET Framework compat: return null if key not present.
}
if (value.Length == 0)
{
return(string.Empty); // .NET Framework compat: return empty if property value is 0-length.
}
unsafe
{
fixed(byte *pValue = &value[0])
{
string valueAsString = Marshal.PtrToStringUni((IntPtr)pValue) !;
return(valueAsString);
}
}
}
/// <summary>
/// Returns a CNG key property.
/// </summary>
/// <returns>
/// null - if property not defined on key.
/// throws - for any other type of error.
/// </returns>
private static byte[]? GetProperty(SafeNCryptHandle ncryptHandle, string propertyName, CngPropertyOptions options)
{
Debug.Assert(!ncryptHandle.IsInvalid);
unsafe
{
int numBytesNeeded;
ErrorCode errorCode = Interop.NCrypt.NCryptGetProperty(ncryptHandle, propertyName, null, 0, out numBytesNeeded, options);
if (errorCode == ErrorCode.NTE_NOT_FOUND)
{
return(null);
}
if (errorCode != ErrorCode.ERROR_SUCCESS)
{
throw errorCode.ToCryptographicException();
}
byte[] propertyValue = new byte[numBytesNeeded];
fixed(byte *pPropertyValue = propertyValue)
{
errorCode = Interop.NCrypt.NCryptGetProperty(ncryptHandle, propertyName, pPropertyValue, propertyValue.Length, out numBytesNeeded, options);
}
if (errorCode == ErrorCode.NTE_NOT_FOUND)
{
return(null);
}
if (errorCode != ErrorCode.ERROR_SUCCESS)
{
throw errorCode.ToCryptographicException();
}
Array.Resize(ref propertyValue, numBytesNeeded);
return(propertyValue);
}
}
internal static unsafe ErrorCode NCryptGetByteProperty(SafeNCryptHandle hObject, string pszProperty, ref byte result, CngPropertyOptions options = CngPropertyOptions.None)
{
fixed(byte *pResult = &result)
{
ErrorCode errorCode = Interop.NCrypt.NCryptGetProperty(
hObject,
pszProperty,
pResult,
sizeof(byte),
out int cbResult,
options);
if (errorCode == ErrorCode.ERROR_SUCCESS)
{
Debug.Assert(cbResult == sizeof(byte));
}
return(errorCode);
}
}
internal static unsafe partial ErrorCode NCryptSetProperty(
SafeNCryptHandle hObject,
string pszProperty,
void *pbInput,
int cbInput,
CngPropertyOptions dwFlags);
public bool HasProperty(string name, CngPropertyOptions options) {
throw new NotImplementedException ();
}
public CngProperty GetProperty(string name, CngPropertyOptions options) {
Contract.Assert(m_keyHandle != null);
if (name == null) {
throw new ArgumentNullException("name");
}
bool foundProperty;
byte[] value = NCryptNative.GetProperty(m_keyHandle, name, options, out foundProperty);
if (!foundProperty) {
throw new CryptographicException((int)NCryptNative.ErrorCode.NotFound);
}
return new CngProperty(name, value, options);
}
/// <summary>
/// Returns a CNG key property.
/// </summary>
/// <returns>
/// null - if property not defined on key.
/// throws - for any other type of error.
/// </returns>
private static byte[]? GetProperty(SafeNCryptHandle ncryptHandle, string propertyName, CngPropertyOptions options)
{
return(CngHelpers.GetProperty(ncryptHandle, propertyName, options));
}
/// <summary>
/// Tries to generate and RSA Key in the given provider with this keyName.
/// </summary>
/// <param name="providerName">Name of the provider</param>
/// <param name="keyName">Name of the key</param>
/// <param name="keyLength">Length of the key to generate</param>
/// <returns>true if successful, false if that key already exists.</returns>
public bool TryGenerateLocalRSAKey(string providerName, string keyName, int keyLength = 2048)
{
CngProvider provider = new CngProvider(providerName);
bool keyExists = doesKeyExists(provider, keyName);
if (keyExists)
{
//Key already exists. Can't create it.
return(false);
}
CryptoKeySecurity sec = new CryptoKeySecurity();
CngKeyCreationParameters keyParams = null;
if (IsMicrosoftSoftwareKSP(provider))
{
sec.AddAccessRule(
new CryptoKeyAccessRule(
new SecurityIdentifier(sidType: WellKnownSidType.BuiltinAdministratorsSid, domainSid: null),
cryptoKeyRights: CryptoKeyRights.FullControl,
type: AccessControlType.Allow));
sec.AddAccessRule(
new CryptoKeyAccessRule(
new SecurityIdentifier(sidType: WellKnownSidType.BuiltinSystemOperatorsSid, domainSid: null),
cryptoKeyRights: CryptoKeyRights.GenericRead,
type: AccessControlType.Allow));
const string NCRYPT_SECURITY_DESCR_PROPERTY = "Security Descr";
const CngPropertyOptions DACL_SECURITY_INFORMATION = (CngPropertyOptions)4;
CngProperty permissions = new CngProperty(
NCRYPT_SECURITY_DESCR_PROPERTY,
sec.GetSecurityDescriptorBinaryForm(),
CngPropertyOptions.Persist | DACL_SECURITY_INFORMATION);
keyParams = new CngKeyCreationParameters()
{
ExportPolicy = CngExportPolicies.None,
Provider = provider,
Parameters = { new CngProperty("Length", BitConverter.GetBytes(keyLength), CngPropertyOptions.None),
permissions },
KeyCreationOptions = CngKeyCreationOptions.MachineKey
};
using (CngKey key = CngKey.Create(CngAlgorithm.Rsa, keyName, keyParams))
{
if (key == null)
{
return(false);
}
return(true);
}
}
else
{
keyParams = new CngKeyCreationParameters()
{
ExportPolicy = CngExportPolicies.None,
Provider = provider,
Parameters = { new CngProperty("Length", BitConverter.GetBytes(keyLength), CngPropertyOptions.None) }
};
using (CngKey key = CngKey.Create(CngAlgorithm.Rsa, keyName, keyParams))
{
if (key == null)
{
return(false);
}
// nothing to do inside here, except to return without throwing an exception
return(true);
}
}
}
public bool HasProperty(string name, CngPropertyOptions options)
{
throw new NotImplementedException();
}
public CngProperty GetProperty(string name, CngPropertyOptions options)
{
return default(CngProperty);
}
public bool HasProperty(string name, CngPropertyOptions options)
{
return default(bool);
}
public bool HasProperty(string name, CngPropertyOptions options) {
Contract.Assert(m_keyHandle != null);
if (name == null) {
throw new ArgumentNullException("name");
}
bool foundProperty;
NCryptNative.GetProperty(m_keyHandle, name, options, out foundProperty);
return foundProperty;
}
internal static extern unsafe ErrorCode NCryptSetProperty(SafeNCryptHandle hObject, string pszProperty, [In] void* pbInput, int cbInput, CngPropertyOptions dwFlags);
/// <summary>
/// Retrieve a well-known CNG pointer property. (Note: desktop compat: this helper likes to return special values rather than throw exceptions for missing
/// or ill-formatted property values. Only use it for well-known properties that are unlikely to be ill-formatted.)
/// </summary>
public static IntPtr GetPropertyAsIntPtr(this SafeNCryptHandle ncryptHandle, string propertyName, CngPropertyOptions options)
{
unsafe
{
int numBytesNeeded;
IntPtr value;
ErrorCode errorCode = Interop.NCrypt.NCryptGetProperty(ncryptHandle, propertyName, &value, IntPtr.Size, out numBytesNeeded, options);
if (errorCode == ErrorCode.NTE_NOT_FOUND)
return IntPtr.Zero;
if (errorCode != ErrorCode.ERROR_SUCCESS)
throw errorCode.ToCryptographicException();
return value;
}
}
internal static extern unsafe ErrorCode NCryptGetProperty(SafeNCryptHandle hObject, string pszProperty, [Out] void* pbOutput, int cbOutput, out int pcbResult, CngPropertyOptions dwFlags);
/// <summary>
/// Retrieve a well-known CNG pointer property. (Note: .NET Framework compat: this helper likes to return special values rather than throw exceptions for missing
/// or ill-formatted property values. Only use it for well-known properties that are unlikely to be ill-formatted.)
/// </summary>
public static IntPtr GetPropertyAsIntPtr(this SafeNCryptHandle ncryptHandle, string propertyName, CngPropertyOptions options)
{
unsafe
{
IntPtr value;
ErrorCode errorCode = Interop.NCrypt.NCryptGetProperty(ncryptHandle, propertyName, &value, IntPtr.Size, out _, options);
if (errorCode == ErrorCode.NTE_NOT_FOUND)
{
return(IntPtr.Zero);
}
if (errorCode != ErrorCode.ERROR_SUCCESS)
{
throw errorCode.ToCryptographicException();
}
return(value);
}
}
/// <summary>
/// Retrieve a well-known CNG dword property. (Note: desktop compat: this helper likes to return special values rather than throw exceptions for missing
/// or ill-formatted property values. Only use it for well-known properties that are unlikely to be ill-formatted.)
/// </summary>
public static int GetPropertyAsDword(this SafeNCryptHandle ncryptHandle, string propertyName, CngPropertyOptions options)
{
byte[] value = ncryptHandle.GetProperty(propertyName, options);
if (value == null)
return 0; // Desktop compat: return 0 if key not present.
return BitConverter.ToInt32(value, 0);
}
/// <summary>
/// Retrieve a well-known CNG string property. (Note: desktop compat: this helper likes to return special values rather than throw exceptions for missing
/// or ill-formatted property values. Only use it for well-known properties that are unlikely to be ill-formatted.)
/// </summary>
public static string GetPropertyAsString(this SafeNCryptHandle ncryptHandle, string propertyName, CngPropertyOptions options)
{
byte[] value = ncryptHandle.GetProperty(propertyName, options);
if (value == null)
return null; // Desktop compat: return null if key not present.
if (value.Length == 0)
return string.Empty; // Desktop compat: return empty if property value is 0-length.
unsafe
{
fixed (byte* pValue = value)
{
string valueAsString = Marshal.PtrToStringUni((IntPtr)pValue);
return valueAsString;
}
}
}
public CngProperty GetProperty(string name, CngPropertyOptions options)
{
bool flag;
if (name == null)
{
throw new ArgumentNullException("name");
}
byte[] buffer = NCryptNative.GetProperty(this.m_keyHandle, name, options, out flag);
if (!flag)
{
throw new CryptographicException(-2146893807);
}
return new CngProperty(name, buffer, options);
}
public bool HasProperty(string name, CngPropertyOptions options)
{
bool flag;
if (name == null)
{
throw new ArgumentNullException("name");
}
NCryptNative.GetProperty(this.m_keyHandle, name, options, out flag);
return flag;
}
/// <summary>
/// Import a key from a file for use on the machine.
/// </summary>
/// <param name="providerName"></param>
/// <param name="filePath"></param>
public bool ImportKeyToKSP(string providerName, string keyName, string filePath, bool makeExportable = false)
{
CngProvider provider = new CngProvider(providerName);
bool keyExists = doesKeyExists(provider, keyName);
if (keyExists)
{
//Key already exists. Can't create it.
return(false);
}
CryptoKeySecurity sec = new CryptoKeySecurity();
CngKeyCreationParameters keyParams = null;
byte[] keyBlob = File.ReadAllBytes(filePath);
CngProperty keyBlobProp = new CngProperty(new CngKeyBlobFormat("RSAFULLPRIVATEBLOB").Format, keyBlob, CngPropertyOptions.None);
if (IsMicrosoftSoftwareKSP(provider))
{
sec.AddAccessRule(
new CryptoKeyAccessRule(
new SecurityIdentifier(sidType: WellKnownSidType.BuiltinAdministratorsSid, domainSid: null),
cryptoKeyRights: CryptoKeyRights.FullControl,
type: AccessControlType.Allow));
sec.AddAccessRule(
new CryptoKeyAccessRule(
new SecurityIdentifier(sidType: WellKnownSidType.BuiltinSystemOperatorsSid, domainSid: null),
cryptoKeyRights: CryptoKeyRights.GenericRead,
type: AccessControlType.Allow));
const string NCRYPT_SECURITY_DESCR_PROPERTY = "Security Descr";
const CngPropertyOptions DACL_SECURITY_INFORMATION = (CngPropertyOptions)4;
CngProperty permissions = new CngProperty(
NCRYPT_SECURITY_DESCR_PROPERTY,
sec.GetSecurityDescriptorBinaryForm(),
CngPropertyOptions.Persist | DACL_SECURITY_INFORMATION);
keyParams = new CngKeyCreationParameters()
{
ExportPolicy = makeExportable ? CngExportPolicies.AllowExport | CngExportPolicies.AllowPlaintextExport : CngExportPolicies.None,
Provider = provider,
Parameters = { permissions, keyBlobProp },
KeyCreationOptions = CngKeyCreationOptions.MachineKey
};
using (CngKey key = CngKey.Create(CngAlgorithm.Rsa, keyName, keyParams))
{
if (key == null)
{
return(false);
}
return(true);
}
}
else
{
keyParams = new CngKeyCreationParameters()
{
ExportPolicy = makeExportable ? CngExportPolicies.AllowExport | CngExportPolicies.AllowPlaintextExport : CngExportPolicies.None,
Provider = provider,
Parameters = { keyBlobProp },
KeyCreationOptions = CngKeyCreationOptions.MachineKey
};
using (CngKey key = CngKey.Create(CngAlgorithm.Rsa, keyName, keyParams))
{
if (key == null)
{
return(false);
}
// nothing to do inside here, except to return without throwing an exception
return(true);
}
}
}
private static extern SECURITY_STATUS NCryptSetProperty(
SafeNCryptHandle hObject,
string pszProperty,
string pbInput,
int cbInput,
CngPropertyOptions dwFlags);
