public CryptoKeyAuditRule (IdentityReference identity,
					   CryptoKeyRights cryptoKeyRights,
					   AuditFlags flags)
			: base (identity, 0, false, InheritanceFlags.None, PropagationFlags.None, flags)
		{
			this.rights = cryptoKeyRights;
		}
		public CryptoKeyAccessRule (IdentityReference identity,
					    CryptoKeyRights cryptoKeyRights,
					    AccessControlType type)
			: base (identity, (int)cryptoKeyRights, false,
				InheritanceFlags.None, PropagationFlags.None, AccessControlType.Allow)
		{
		}
Exemple #3
0
 public CryptoKeyAccessRule(IdentityReference identity,
                            CryptoKeyRights cryptoKeyRights,
                            AccessControlType type)
     : base(identity, (int)cryptoKeyRights, false,
            InheritanceFlags.None, PropagationFlags.None, AccessControlType.Allow)
 {
 }
Exemple #4
0
 public CryptoKeyAuditRule(IdentityReference identity,
                           CryptoKeyRights cryptoKeyRights,
                           AuditFlags flags)
     : base(identity, 0, false, InheritanceFlags.None, PropagationFlags.None, flags)
 {
     this.rights = cryptoKeyRights;
 }
Exemple #5
0
        public static void SetAccessRuleForMatchingCertificates(
            StoreLocation storeLocation,
            StoreName storeName,
            X509FindType findType,
            string findValue,
            string accountName,
            CryptoKeyRights keyAccessMask)
        {
            // find matching certs
            X509Certificate2Collection matchingCerts = null;

            try
            {
                matchingCerts = FindMatchingCertificates(storeLocation, storeName, findType, findValue, String.Empty, doTakeMostRecentOnly: false);
            }
            catch (CryptographicException cex)
            {
                Console.WriteLine($"exception '{cex.HResult}: {cex.Message}' encountered.");
                throw;
            }

            foreach (var cert in matchingCerts)
            {
                // skip certs without private keys
                if (!cert.HasPrivateKey)
                {
                    Console.WriteLine($"skipping - no private key: '{cert.Thumbprint}': '{cert.GetNameInfo(X509NameType.SimpleName, forIssuer: false)}'");
                    continue;
                }

                SetAccessRuleForCertificate(cert, accountName, keyAccessMask);
            }
        }
 public CryptoKeyAccessRule(IdentityReference identity,
                            CryptoKeyRights cryptoKeyRights,
                            AccessControlType type)
 // FIXME: accessMask=0 likely causes an error
     : base(identity, 0, false, InheritanceFlags.None, PropagationFlags.None, AccessControlType.Allow)
 {
     this.rights = cryptoKeyRights;
 }
 public CryptoKeyAccessRule (IdentityReference identity, CryptoKeyRights cryptoKeyRights, AccessControlType type)
             : this (identity,
                     AccessMaskFromRights(cryptoKeyRights, type),
                     false,
                     InheritanceFlags.None,
                     PropagationFlags.None,
                     type) {
 }
 public CryptoKeyAccessRule (string identity, CryptoKeyRights cryptoKeyRights, AccessControlType type)
             : this (new NTAccount(identity),
                     AccessMaskFromRights(cryptoKeyRights, type),
                     false,
                     InheritanceFlags.None,
                     PropagationFlags.None,
                     type) {
 }
Exemple #9
0
		public CryptoKeyAccessRule (IdentityReference identity,
					    CryptoKeyRights cryptoKeyRights,
					    AccessControlType type)
			// FIXME: accessMask=0 likely causes an error
			: base (identity, 0, false, InheritanceFlags.None, PropagationFlags.None, AccessControlType.Allow)
		{
			this.rights = cryptoKeyRights;
		}
Exemple #10
0
 public CryptoKeyAuditRule(IdentityReference identity, CryptoKeyRights cryptoKeyRights, AuditFlags flags)
     : this(identity,
            AccessMaskFromRights(cryptoKeyRights),
            false,
            InheritanceFlags.None,
            PropagationFlags.None,
            flags)
 {
 }
Exemple #11
0
 public CryptoKeyAuditRule(string identity, CryptoKeyRights cryptoKeyRights, AuditFlags flags)
     : this(new NTAccount(identity),
            AccessMaskFromRights(cryptoKeyRights),
            false,
            InheritanceFlags.None,
            PropagationFlags.None,
            flags)
 {
 }
Exemple #12
0
 public CryptoKeyAccessRule(IdentityReference identity, CryptoKeyRights cryptoKeyRights, AccessControlType type)
     : this(identity,
            AccessMaskFromRights(cryptoKeyRights, type),
            false,
            InheritanceFlags.None,
            PropagationFlags.None,
            type)
 {
 }
Exemple #13
0
 public CryptoKeyAccessRule(string identity, CryptoKeyRights cryptoKeyRights, AccessControlType type)
     : this(new NTAccount(identity),
            AccessMaskFromRights(cryptoKeyRights, type),
            false,
            InheritanceFlags.None,
            PropagationFlags.None,
            type)
 {
 }
        // Acl's on files have a Synchronize bit, and CreateFile always
        // asks for it. So for allows, let's always include this bit,
        // and for denies, let's never include this bit unless we're denying
        // full control. This is the right thing for users, even if it does
        // make the model look asymmetrical from a purist point of view.
        // Also, crypto key containers are just files in the end, so
        // this tweak to the access rights for files makes sense here.
        private static int AccessMaskFromRights (CryptoKeyRights cryptoKeyRights, AccessControlType controlType) {
            if (controlType == AccessControlType.Allow) {
                cryptoKeyRights |= CryptoKeyRights.Synchronize;
            }
            else if (controlType == AccessControlType.Deny) {
                if (cryptoKeyRights != CryptoKeyRights.FullControl)
                    cryptoKeyRights &= ~CryptoKeyRights.Synchronize;
            }
            else {
                throw new ArgumentException(Environment.GetResourceString("Argument_InvalidEnumValue", controlType, "controlType"), "controlType");
            }

            return (int) cryptoKeyRights;
        }
 private static int AccessMaskFromRights(CryptoKeyRights cryptoKeyRights, AccessControlType controlType)
 {
     if (controlType == AccessControlType.Allow)
     {
         cryptoKeyRights |= CryptoKeyRights.Synchronize;
     }
     else if (controlType == AccessControlType.Deny)
     {
         if (cryptoKeyRights != CryptoKeyRights.FullControl)
         {
             cryptoKeyRights &= ~CryptoKeyRights.Synchronize;
         }
     }
     else
     {
         throw new ArgumentException(Environment.GetResourceString("Argument_InvalidEnumValue", (object)controlType, (object)"controlType"), "controlType");
     }
     return((int)cryptoKeyRights);
 }
Exemple #16
0
        internal static void SetAccessRuleOnKSPKey(CngKey key, string accountName, CryptoKeyRights keyAccessMask)
        {
            const string             NCRYPT_SECURITY_DESCR_PROPERTY = "Security Descr";
            const CngPropertyOptions DACL_SECURITY_INFORMATION      = (CngPropertyOptions)4;

            // retrieve existing permissions
            var existingACL = key.GetProperty(NCRYPT_SECURITY_DESCR_PROPERTY, DACL_SECURITY_INFORMATION);

            // add new rule
            CryptoKeySecurity keySec = new CryptoKeySecurity();

            keySec.SetSecurityDescriptorBinaryForm(existingACL.GetValue());
            keySec.AddAccessRule(new CryptoKeyAccessRule(accountName, keyAccessMask, AccessControlType.Allow));

            // put back
            CngProperty updatedACL = new CngProperty(existingACL.Name, keySec.GetSecurityDescriptorBinaryForm(), CngPropertyOptions.Persist | DACL_SECURITY_INFORMATION);

            key.SetProperty(updatedACL);
        }
Exemple #17
0
        // Acl's on files have a Synchronize bit, and CreateFile always
        // asks for it. So for allows, let's always include this bit,
        // and for denies, let's never include this bit unless we're denying
        // full control. This is the right thing for users, even if it does
        // make the model look asymmetrical from a purist point of view.
        // Also, crypto key containers are just files in the end, so
        // this tweak to the access rights for files makes sense here.
        private static int AccessMaskFromRights(CryptoKeyRights cryptoKeyRights, AccessControlType controlType)
        {
            if (controlType == AccessControlType.Allow)
            {
                cryptoKeyRights |= CryptoKeyRights.Synchronize;
            }
            else if (controlType == AccessControlType.Deny)
            {
                if (cryptoKeyRights != CryptoKeyRights.FullControl)
                {
                    cryptoKeyRights &= ~CryptoKeyRights.Synchronize;
                }
            }
            else
            {
                throw new ArgumentException(String.Format($"Argument_InvalidEnumValue: {controlType} is not valid in this context"));
            }

            return((int)cryptoKeyRights);
        }
 public CryptoKeyAccessRule(string identity, CryptoKeyRights cryptoKeyRights, AccessControlType type)
 {
 }
Exemple #19
0
        public static void AssertIdentityHasPrivateKeyAccess(X509Certificate2 certificate, IdentityReference identity, CryptoKeyRights rights)
        {
            if (!certificate.HasPrivateKey)
            {
                throw new Exception("Certificate does not have private key");
            }

            var cspAlgorithm = certificate.PrivateKey as ICspAsymmetricAlgorithm;

            if (cspAlgorithm == null)
            {
                throw new Exception("Private key is not a CSP key");
            }

            var keySecurity = cspAlgorithm.CspKeyContainerInfo.CryptoKeySecurity;

            foreach (var accessRule in keySecurity.GetAccessRules(true, false, identity.GetType()).Cast <CryptoKeyAccessRule>())
            {
                if (accessRule.IdentityReference.Equals(identity) && accessRule.CryptoKeyRights.HasFlag(rights))
                {
                    return;
                }
            }

            throw new Exception($"Identity '{identity.ToString()}' does not have access right '{rights}' to private-key");
        }
Exemple #20
0
 public CryptoKeyAccessRule(string identity,
                            CryptoKeyRights cryptoKeyRights,
                            AccessControlType type)
     : this(new NTAccount(identity), cryptoKeyRights, type)
 {
 }
 public CryptoKeyAccessRule(string identity,
                            CryptoKeyRights cryptoKeyRights,
                            AccessControlType type)
     : this(new SecurityIdentifier(identity), cryptoKeyRights, type)
 {
 }
 /// <summary>Initializes a new instance of the <see cref="T:System.Security.AccessControl.CryptoKeyAuditRule" /> class using the specified values. </summary><param name="identity">The identity to which the audit rule applies.</param><param name="cryptoKeyRights">The cryptographic key operation for which this audit rule generates audits.</param><param name="flags">The conditions that generate audits.</param>
 public CryptoKeyAuditRule(string identity, CryptoKeyRights cryptoKeyRights, AuditFlags flags)
     : base(null, 0, false, InheritanceFlags.None, PropagationFlags.None, AuditFlags.None)
 {
     throw new NotImplementedException();
 }
 // Summary:
 //     Initializes a new instance of the System.Security.AccessControl.CryptoKeyAccessRule
 //     class using the specified values.
 //
 // Parameters:
 //   identity:
 //     The identity to which the access rule applies. This parameter must be an
 //     object that can be cast as a System.Security.Principal.SecurityIdentifier.
 //
 //   cryptoKeyRights:
 //     The cryptographic key operation to which this access rule controls access.
 //
 //   type:
 //     The valid access control type.
 extern public CryptoKeyAccessRule(IdentityReference identity, CryptoKeyRights cryptoKeyRights, AccessControlType type);
Exemple #24
0
 /// <summary>Initializes a new instance of the <see cref="T:System.Security.AccessControl.CryptoKeyAccessRule" /> class using the specified values.</summary><param name="identity">The identity to which the access rule applies.</param><param name="cryptoKeyRights">The cryptographic key operation to which this access rule controls access.</param><param name="type">The valid access control type.</param>
 public CryptoKeyAccessRule(string identity, CryptoKeyRights cryptoKeyRights, AccessControlType type)
     : base(null, 0, false, InheritanceFlags.None, PropagationFlags.None, AccessControlType.Allow)
 {
     throw new NotImplementedException();
 }
Exemple #25
0
 private static int AccessMaskFromRights(CryptoKeyRights cryptoKeyRights)
 {
     return((int)cryptoKeyRights);
 }
 public CryptoKeyAuditRule(string identity, CryptoKeyRights cryptoKeyRights, AuditFlags flags) : base(default(System.Security.Principal.IdentityReference), default(int), default(bool), default(InheritanceFlags), default(PropagationFlags), default(AuditFlags))
 {
     Contract.Ensures(0 <= identity.Length);
     Contract.Ensures(identity.Length <= 512);
 }
 public CryptoKeyAuditRule(System.Security.Principal.IdentityReference identity, CryptoKeyRights cryptoKeyRights, AuditFlags flags) : base(default(System.Security.Principal.IdentityReference), default(int), default(bool), default(InheritanceFlags), default(PropagationFlags), default(AuditFlags))
 {
 }
Exemple #28
0
 public CryptoKeyAuditRule(string identity,
                           CryptoKeyRights cryptoKeyRights,
                           AuditFlags flags)
     : this(new SecurityIdentifier(identity), cryptoKeyRights, flags)
 {
 }
 // Summary:
 //     Initializes a new instance of the System.Security.AccessControl.CryptoKeyAuditRule
 //     class using the specified values.
 //
 // Parameters:
 //   identity:
 //     The identity to which the audit rule applies. This parameter must be an object
 //     that can be cast as a System.Security.Principal.SecurityIdentifier.
 //
 //   cryptoKeyRights:
 //     The cryptographic key operation for which this audit rule generates audits.
 //
 //   flags:
 //     The conditions that generate audits.
 extern public CryptoKeyAuditRule(IdentityReference identity, CryptoKeyRights cryptoKeyRights, AuditFlags flags);
 private static int AccessMaskFromRights (CryptoKeyRights cryptoKeyRights) {
     return (int) cryptoKeyRights;
 }
Exemple #31
0
		public CryptoKeyAccessRule (string identity,
					    CryptoKeyRights cryptoKeyRights,
					    AccessControlType type)
			: this (new SecurityIdentifier (identity), cryptoKeyRights, type)
		{
		}
 //
 // Summary:
 //     Initializes a new instance of the System.Security.AccessControl.CryptoKeyAccessRule
 //     class using the specified values.
 //
 // Parameters:
 //   identity:
 //     The identity to which the access rule applies.
 //
 //   cryptoKeyRights:
 //     The cryptographic key operation to which this access rule controls access.
 //
 //   type:
 //     The valid access control type.
 extern public CryptoKeyAccessRule(string identity, CryptoKeyRights cryptoKeyRights, AccessControlType type);
 public CryptoKeyAuditRule(string identity,
                           CryptoKeyRights cryptoKeyRights,
                           AuditFlags flags)
     : this(new NTAccount(identity), cryptoKeyRights, flags)
 {
 }
		public CryptoKeyAccessRule (string identity,
					    CryptoKeyRights cryptoKeyRights,
					    AccessControlType type)
			: this (new NTAccount (identity), cryptoKeyRights, type)
		{
		}
		public CryptoKeyAuditRule (string identity,
					   CryptoKeyRights cryptoKeyRights,
					   AuditFlags flags)
			: this (new SecurityIdentifier (identity), cryptoKeyRights, flags)
		{
		}
 public CryptoKeyAuditRule (IdentityReference identity, CryptoKeyRights cryptoKeyRights, AuditFlags flags)
             : this (identity,
                     AccessMaskFromRights(cryptoKeyRights),
                     false,
                     InheritanceFlags.None,
                     PropagationFlags.None,
                     flags) {
 }
	// Constructors
	public CryptoKeyAuditRule(System.Security.Principal.IdentityReference identity, CryptoKeyRights cryptoKeyRights, AuditFlags flags) {}
	// Constructors
	public CryptoKeyAccessRule(System.Security.Principal.IdentityReference identity, CryptoKeyRights cryptoKeyRights, AccessControlType type) {}
 public CryptoKeyAccessRule(System.Security.Principal.IdentityReference identity, CryptoKeyRights cryptoKeyRights, AccessControlType type) : base (default(System.Security.Principal.IdentityReference), default(int), default(bool), default(InheritanceFlags), default(PropagationFlags), default(AccessControlType))
 {
 }
Exemple #40
0
        internal static void SetAccessRuleForCertificate(X509Certificate2 cert, string accountName, CryptoKeyRights keyAccessMask)
        {
            if (!cert.HasPrivateKey)
            {
                throw new ArgumentException($"cert '{cert.Thumbprint}' does not include a private key; shouldn't be here.");
            }

            try
            {
                using (var rsaKey = cert.GetRSAPrivateKey() as RSACng)
                {
                    if (rsaKey == null)
                    {
                        throw new ArgumentException("unsupported key type - expected a RSA private key convertible to RSACng");
                    }

                    // check if this a KSP-managed key; ignore the SmartCard KSP
                    if (rsaKey.Key.Provider == CngProvider.MicrosoftSoftwareKeyStorageProvider)
                    {
                        Console.WriteLine($"Setting ACL on KSP cert '{cert.Thumbprint}: '{accountName}' - '{keyAccessMask.ToString()}");
                        SetAccessRuleOnKSPKey(rsaKey.Key, accountName, keyAccessMask);

                        return;
                    }

                    // else this is a CSP key; however, netcore won't return a RSACryptoServiceProvider object
                    // unless it absolutely has to - for non-Microsoft CSPs. That means we'll always get a RSACng
                    // object, from which there is no direct path to the RSACSP we need in order to manage access.
                    // The workaround is to build CspParameters from the cng private key, and then build a RSACSP
                    // from it. First ensure this isn't a SmartCard provider.
                    if (rsaKey.Key.Provider == CngProvider.MicrosoftSmartCardKeyStorageProvider)
                    {
                        throw new ArgumentException("unsupported key type - the provider is Microsoft SmartCard KSP, which is not supported in this context.");
                    }

                    using (var rsaCSP = ExtractRSACSPFromCNGKey(rsaKey.Key))
                    {
                        Console.WriteLine($"Setting ACL on CSP cert '{cert.Thumbprint}: '{accountName}' - '{keyAccessMask.ToString()}");
                        SetAccessRuleOnCSPKey(rsaCSP, accountName, keyAccessMask);
                    }
                }
            }
            catch (CryptographicException cxe)
            {
                Console.WriteLine($"exception '{cxe.HResult}: {cxe.Message}' was thrown");
            }
        }
        void AssertHasPrivateKeyRights(CryptoKeySecurity privateKeySecurity, string identifier, CryptoKeyRights right)
        {
            var accessRules = privateKeySecurity.GetAccessRules(true, false, typeof(NTAccount));

            var found = accessRules.Cast <CryptoKeyAccessRule>()
                        .Any(x => x.IdentityReference.Value == identifier && x.CryptoKeyRights.HasFlag(right));

            Assert.True(found, "Private-Key right was not set");
        }
Exemple #42
0
        internal static void SetAccessRuleOnCSPKey(RSACryptoServiceProvider key, string accountName, CryptoKeyRights keyAccessMask)
        {
            // CspKeyContainerInfo does not expose the CryptoKeySecurity property in NetCore; in that
            // case, we'll simply set access at the File (key container) level; for net40 and above,
            // we'll use the CryptoKeySecurityConstruct.
#if NETCOREAPP2_1
            SetAccessRuleOnCSPKeyViaKeyContainer(key, accountName, keyAccessMask);
#else
            SetAccessRuleOnCSPKeyViaKeySecurity(key, accountName, keyAccessMask);
#endif
        }
 // Constructors
 public CryptoKeyAccessRule(System.Security.Principal.IdentityReference identity, CryptoKeyRights cryptoKeyRights, AccessControlType type)
 {
 }
Exemple #44
0
        private static void SetAccessRuleOnCSPKeyViaKeySecurity(RSACryptoServiceProvider cspKey, string accountName, CryptoKeyRights keyAccessMask)
        {
#if NETCOREAPP2_1
            throw new InvalidOperationException("incorrect invocation: cannot call this function on non-net40 frameworks.");
#else
            try
            {
                // The Persist method of the CryptoKeySecurity class is not publicly accessible, and so direct changes on an existing CSP
                // cannot be saved. We work around this by extracting the CSP parameters from the existing key, and adding the access rule
                // on a new clone of the CSP key.
                var cspParams = new CspParameters
                {
                    ProviderType      = cspKey.CspKeyContainerInfo.ProviderType,
                    ProviderName      = cspKey.CspKeyContainerInfo.ProviderName,
                    CryptoKeySecurity = cspKey.CspKeyContainerInfo.CryptoKeySecurity,
                    KeyContainerName  = cspKey.CspKeyContainerInfo.KeyContainerName,
                    KeyNumber         = (int)cspKey.CspKeyContainerInfo.KeyNumber,
                    Flags             = CspProviderFlags.UseExistingKey | (cspKey.CspKeyContainerInfo.MachineKeyStore ? CspProviderFlags.UseMachineKeyStore : 0)
                };

                cspParams.CryptoKeySecurity.AddAccessRule(new CryptoKeyAccessRule(accountName, keyAccessMask, AccessControlType.Allow));

                using (RSACryptoServiceProvider newRsaCsp = new RSACryptoServiceProvider(cspParams))
                {
                    ; // no-op
                }
            }
            catch (Exception ex)
            {
                Console.WriteLine($"exception encountered setting access rights on private key '{cspKey.CspKeyContainerInfo.KeyNumber}': {ex.Message} ({ex.HResult})");
            }

#if DEBUG
            // re-open the provider to verify ACL
            using (RSACryptoServiceProvider newRsaCsp = CloneCSP(cspKey))
            {
                // verify rules
                var keySecPostUpdate = newRsaCsp.CspKeyContainerInfo.CryptoKeySecurity;
                foreach (var keySecRule in keySecPostUpdate.GetAccessRules(includeExplicit: true, includeInherited: false, targetType: typeof(System.Security.Principal.NTAccount)))
                {
                    if (keySecRule is CryptoKeyAccessRule cryptoACE)
                    {
                        Console.WriteLine($"ACE: {cryptoACE.IdentityReference}: {cryptoACE.CryptoKeyRights.ToString()}");
                    }
                }
            }
#endif
#endif
        }
 public CryptoKeyAuditRule (string identity, CryptoKeyRights cryptoKeyRights, AuditFlags flags)
             : this (new NTAccount(identity),
                     AccessMaskFromRights(cryptoKeyRights),
                     false,
                     InheritanceFlags.None,
                     PropagationFlags.None,
                     flags) {
 }
Exemple #46
0
        private static void SetAccessRuleOnCSPKeyViaKeyContainer(RSACryptoServiceProvider cspKey, string accountName, CryptoKeyRights keyAccessMask)
        {
#if !NETCOREAPP2_1
            throw new InvalidOperationException("incorrect invocation: cannot call this function on non-netcore frameworks.");
#else
            // If we're here, access is granted directly to the file corresponding to the private key. Assuming
            // this is a machine key (enforced in the calling function), the path to the key container is:
            //
            //   $env:ProgramData\Microsoft\Crypto\RSA\MachineKeys\<key container unique name>
            //
            // e.g.: c:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\7e426a4e8a1b8c02e1105b9d7b8c056c_8c9bdc00-1bd7-4654-8e9b-8a234a4b3f88

            var keyCtrUniqueName  = cspKey.CspKeyContainerInfo.UniqueKeyContainerName;
            var programDataPath   = Environment.GetEnvironmentVariable("ProgramData"); // unlikely to be missing
            var rsaMachineKeyPath = "Microsoft\\Crypto\\RSA\\MachineKeys";
            var keyContainerPath  = String.Format($"{programDataPath}\\{rsaMachineKeyPath}\\{keyCtrUniqueName}");

            // assert the file exists
            if (!File.Exists(keyContainerPath)) // odd situation
            {
                throw new ArgumentException($"the expected key container file '{keyContainerPath}' does not exist; was it ephemeral or just deleted?");
            }

            try
            {
                // extract the current ACL
                var fileACL = new FileSecurity(keyContainerPath, AccessControlSections.Access);
                FileSystemRights fileSystemKeyAccessRights = FileAccessRightsFromKeySecurityAccessRights(keyAccessMask);

                // add the access rule (OS merges)
                fileACL.AddAccessRule(new FileSystemAccessRule(accountName, fileSystemKeyAccessRights, AccessControlType.Allow));

                // put back
                new FileInfo(keyContainerPath)
                .SetAccessControl(fileACL);
            }
            catch (Exception ex)
            {
                Console.WriteLine($"exception encountered trying to access the key container '{keyContainerPath}': {ex.Message} ({ex.HResult})");
            }

            // quick check
            Console.WriteLine("checking permissions..");
            var rules = new FileSecurity(keyContainerPath, AccessControlSections.Access)
                        .GetAccessRules(
                includeExplicit: true,
                includeInherited: false,
                targetType: typeof(System.Security.Principal.NTAccount));

            foreach (AuthorizationRule rule in rules)
            {
                if (rule is FileSystemAccessRule face)
                {
                    Console.WriteLine($"ACE: {face.IdentityReference.ToString()}: {face.FileSystemRights.ToString()}");
                }
            }
#endif
        }
 public CryptoKeyAccessRule(string identity, CryptoKeyRights cryptoKeyRights, AccessControlType type) : base (default(System.Security.Principal.IdentityReference), default(int), default(bool), default(InheritanceFlags), default(PropagationFlags), default(AccessControlType))
 {
   Contract.Ensures(0 <= identity.Length);
   Contract.Ensures(identity.Length <= 512);
 }
Exemple #48
0
        // translates access rights from the CryptoKeyRights bitmask into the equivalent file system access bitmask.
        private static FileSystemRights FileAccessRightsFromKeySecurityAccessRights(CryptoKeyRights keyAccessMask)
        {
            FileSystemRights fileAccessMask = 0;

            // build the access mask gradually
            if (0 != (keyAccessMask & CryptoKeyRights.ReadData))
            {
                fileAccessMask |= FileSystemRights.ReadData;
            }
            if (0 != (keyAccessMask & CryptoKeyRights.WriteData))
            {
                fileAccessMask |= FileSystemRights.WriteData;
            }
            if (0 != (keyAccessMask & CryptoKeyRights.ReadExtendedAttributes))
            {
                fileAccessMask |= FileSystemRights.ReadExtendedAttributes;
            }
            if (0 != (keyAccessMask & CryptoKeyRights.WriteExtendedAttributes))
            {
                fileAccessMask |= FileSystemRights.WriteExtendedAttributes;
            }
            if (0 != (keyAccessMask & CryptoKeyRights.ReadAttributes))
            {
                fileAccessMask |= FileSystemRights.ReadAttributes;
            }
            if (0 != (keyAccessMask & CryptoKeyRights.WriteAttributes))
            {
                fileAccessMask |= FileSystemRights.WriteAttributes;
            }
            if (0 != (keyAccessMask & CryptoKeyRights.Delete))
            {
                fileAccessMask |= FileSystemRights.Delete;
            }
            if (0 != (keyAccessMask & CryptoKeyRights.ReadPermissions))
            {
                fileAccessMask |= FileSystemRights.ReadPermissions;
            }
            if (0 != (keyAccessMask & CryptoKeyRights.ChangePermissions))
            {
                fileAccessMask |= FileSystemRights.ChangePermissions;
            }
            if (0 != (keyAccessMask & CryptoKeyRights.TakeOwnership))
            {
                fileAccessMask |= FileSystemRights.TakeOwnership;
            }
            if (0 != (keyAccessMask & CryptoKeyRights.Synchronize))
            {
                fileAccessMask |= FileSystemRights.Synchronize;
            }

            // FullControl is a bitmask itself
            if (CryptoKeyRights.FullControl == (keyAccessMask & CryptoKeyRights.FullControl))
            {
                fileAccessMask |= FileSystemRights.FullControl;
            }
            if (0 != (keyAccessMask & CryptoKeyRights.GenericAll))
            {
                fileAccessMask |= FileSystemRights.Modify;
            }
            if (0 != (keyAccessMask & CryptoKeyRights.GenericExecute))
            {
                fileAccessMask |= FileSystemRights.ReadAndExecute;
            }
            if (0 != (keyAccessMask & CryptoKeyRights.GenericWrite))
            {
                fileAccessMask |= FileSystemRights.Write;
            }
            if (0 != (keyAccessMask & CryptoKeyRights.GenericRead))
            {
                fileAccessMask |= FileSystemRights.Read;
            }

            return(fileAccessMask);
        }
Exemple #49
0
 public CryptoKeyAccessRule(IdentityReference identity,
                            CryptoKeyRights cryptoKeyRights,
                            AccessControlType type)
 {
     this.cryptoKeyRights = cryptoKeyRights;
 }
 //
 // Summary:
 //     Initializes a new instance of the System.Security.AccessControl.CryptoKeyAuditRule
 //     class using the specified values.
 //
 // Parameters:
 //   identity:
 //     The identity to which the audit rule applies.
 //
 //   cryptoKeyRights:
 //     The cryptographic key operation for which this audit rule generates audits.
 //
 //   flags:
 //     The conditions that generate audits.
 extern public CryptoKeyAuditRule(string identity, CryptoKeyRights cryptoKeyRights, AuditFlags flags);
		public CryptoKeyAuditRule (string identity,
					   CryptoKeyRights cryptoKeyRights,
					   AuditFlags flags)
			: this (new NTAccount (identity), cryptoKeyRights, flags)
		{
		}
 public CryptoKeyAuditRule(System.Security.Principal.IdentityReference identity, CryptoKeyRights cryptoKeyRights, AuditFlags flags) : base (default(System.Security.Principal.IdentityReference), default(int), default(bool), default(InheritanceFlags), default(PropagationFlags), default(AuditFlags))
 {
 }