 /// <summary>
 /// Builds parameters for the given provider type, provider name and container, and optionally
 /// attaches container access rules and a smart-card key password.
 /// </summary>
 /// <param name="dwTypeIn">Provider type code.</param>
 /// <param name="strProviderNameIn">Provider name.</param>
 /// <param name="strContainerNameIn">Key container name.</param>
 /// <param name="cryptoKeySecurity">Access and audit rules for the container; when null the
 /// <see cref="CryptoKeySecurity"/> property is left untouched by this constructor.</param>
 /// <param name="keyPassword">Password associated with a smart card key; stored as given (null allowed).</param>
 public CspParameters(int dwTypeIn, string strProviderNameIn, string strContainerNameIn,
                      CryptoKeySecurity cryptoKeySecurity, SecureString keyPassword)
     : this(dwTypeIn, strProviderNameIn, strContainerNameIn)
 {
     // The password is always recorded; only the security descriptor is optional.
     _password = keyPassword;

     if (cryptoKeySecurity == null)
     {
         return;
     }

     CryptoKeySecurity = cryptoKeySecurity;
 }
 /// <summary>
 /// Builds parameters for the given provider type, provider name and container, and optionally
 /// attaches container access rules and the window that should own a smart-card password dialog.
 /// </summary>
 /// <param name="dwTypeIn">Provider type code.</param>
 /// <param name="strProviderNameIn">Provider name.</param>
 /// <param name="strContainerNameIn">Key container name.</param>
 /// <param name="cryptoKeySecurity">Access and audit rules for the container; when null the
 /// <see cref="CryptoKeySecurity"/> property is left untouched by this constructor.</param>
 /// <param name="parentWindowHandle">Handle of the parent window for a smart card password dialog; stored as given.</param>
 public CspParameters(int dwTypeIn, string strProviderNameIn, string strContainerNameIn,
                      CryptoKeySecurity cryptoKeySecurity, IntPtr parentWindowHandle)
     : this(dwTypeIn, strProviderNameIn, strContainerNameIn)
 {
     // The window handle is always recorded; only the security descriptor is optional.
     _windowHandle = parentWindowHandle;

     if (cryptoKeySecurity == null)
     {
         return;
     }

     CryptoKeySecurity = cryptoKeySecurity;
 }
        /// <summary>
        /// Revokes the explicit GenericRead Allow rule for NETWORK SERVICE on the private key of
        /// <paramref name="cert"/>, if such a rule is present, and commits the updated DACL to the
        /// key container. Only keys backed by an <see cref="RSACryptoServiceProvider"/> are handled;
        /// any other private key type is left untouched.
        /// </summary>
        /// <param name="cert">Certificate whose private key ACL is adjusted. A null certificate, or one
        /// without a private key, is a no-op.</param>
        /// <exception cref="WsatAdminException">Wraps any non-critical exception raised while reading
        /// or committing the key's security descriptor.</exception>
        void RemoveCertificatePrivateKeyAccess(X509Certificate2 cert)
        {
            if (cert == null || !cert.HasPrivateKey)
            {
                return;
            }

            try
            {
                RSACryptoServiceProvider provider = cert.PrivateKey as RSACryptoServiceProvider;

                // Only the RSA CSP provider is supported; anything else is skipped silently.
                if (provider == null)
                {
                    return;
                }

                CspKeyContainerInfo containerInfo  = provider.CspKeyContainerInfo;
                CryptoKeySecurity   keySecurity    = containerInfo.CryptoKeySecurity;
                SecurityIdentifier  networkService = new SecurityIdentifier(WellKnownSidType.NetworkServiceSid, null);

                // Look only at explicit (non-inherited) rules, and stop after the first
                // Allow/GenericRead rule for NETWORK SERVICE has been removed and committed.
                foreach (AuthorizationRule candidate in keySecurity.GetAccessRules(true, false, typeof(SecurityIdentifier)))
                {
                    CryptoKeyAccessRule accessRule = (CryptoKeyAccessRule)candidate;

                    bool allowsRead = accessRule.AccessControlType == AccessControlType.Allow
                                      && (accessRule.CryptoKeyRights & CryptoKeyRights.GenericRead) != 0;
                    if (!allowsRead || !networkService.Equals(accessRule.IdentityReference as SecurityIdentifier))
                    {
                        continue;
                    }

                    keySecurity.RemoveAccessRule(new CryptoKeyAccessRule(networkService,
                                                                         CryptoKeyRights.GenericRead,
                                                                         AccessControlType.Allow));
                    CommitCryptoKeySecurity(containerInfo, keySecurity);
                    break;
                }
            }
#pragma warning suppress 56500
            catch (Exception e)
            {
                // CommitCryptoKeySecurity (and the property reads above) may throw anything; let
                // critical exceptions propagate and wrap everything else in the admin tool's own type.
                if (Utilities.IsCriticalException(e))
                {
                    throw;
                }
                throw new WsatAdminException(WsatAdminErrorCode.CANNOT_UPDATE_PRIVATE_KEY_PERM,
                                             SR.GetString(SR.ErrorUpdateCertPrivateKeyPerm), e);
            }
        }
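        /// <summary>
        /// Applies <paramref name="keySec"/> to the CSP key container described by <paramref name="info"/>.
        /// </summary>
        /// <remarks>
        /// There is no separate "set security" call for CSP containers: re-opening the container through
        /// <see cref="RSACryptoServiceProvider"/> with <see cref="CspParameters.CryptoKeySecurity"/> set is
        /// what pushes the DACL to the provider. This method can therefore throw any exception the
        /// RSACryptoServiceProvider constructor can, and deliberately lets them escalate to the callers,
        /// who are better placed to decide how to report them.
        /// </remarks>
        /// <param name="info">Identifies the provider type, provider name and container name of the key.</param>
        /// <param name="keySec">The complete security descriptor (access and audit rules) to apply.</param>
        void CommitCryptoKeySecurity(CspKeyContainerInfo info, CryptoKeySecurity keySec)
        {
            CspParameters cspParams = new CspParameters(
                info.ProviderType, info.ProviderName,
                info.KeyContainerName);

            cspParams.CryptoKeySecurity = keySec;
            // Important flag, or the security setting will silently fail
            cspParams.Flags = CspProviderFlags.UseMachineKeyStore;

            // The RSACryptoServiceProvider ctor applies the DACL from the CSP's security info as a side
            // effect of opening the container. The instance itself is not needed afterwards, so release
            // its CSP handle immediately instead of leaving it to the finalizer. Disposing does not delete
            // the key: a provider opened by container name keeps the key persisted (PersistKeyInCsp is
            // true by default in that case — confirm before changing how the container is opened).
            using (new RSACryptoServiceProvider(cspParams))
            {
            }
        }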
        /// <summary>
        /// Grants <paramref name="accountName"/> the rights in <paramref name="keyAccessMask"/> on a CNG (KSP)
        /// key by reading the key's security-descriptor property, merging in an Allow rule, and writing the
        /// property back with the Persist option.
        /// </summary>
        /// <param name="key">The CNG key whose DACL is extended.</param>
        /// <param name="accountName">Account name (resolved as an NT account) that receives the Allow rule.</param>
        /// <param name="keyAccessMask">Rights granted to the account.</param>
        internal static void SetAccessRuleOnKSPKey(CngKey key, string accountName, CryptoKeyRights keyAccessMask)
        {
            // NCrypt property name and SECURITY_INFORMATION selector through which a KSP exposes the key's DACL.
            const string             NCRYPT_SECURITY_DESCR_PROPERTY = "Security Descr";
            const CngPropertyOptions DACL_SECURITY_INFORMATION      = (CngPropertyOptions)4;

            CngProperty currentDescriptor = key.GetProperty(NCRYPT_SECURITY_DESCR_PROPERTY, DACL_SECURITY_INFORMATION);

            // Load the existing binary descriptor first so the new rule is merged rather than replacing the DACL.
            CryptoKeySecurity security = new CryptoKeySecurity();
            security.SetSecurityDescriptorBinaryForm(currentDescriptor.GetValue());
            security.AddAccessRule(new CryptoKeyAccessRule(accountName, keyAccessMask, AccountControlTypeAllow()));

            // Write the merged descriptor back; Persist asks the KSP to store it with the key.
            CngProperty updatedDescriptor = new CngProperty(currentDescriptor.Name,
                                                            security.GetSecurityDescriptorBinaryForm(),
                                                            CngPropertyOptions.Persist | DACL_SECURITY_INFORMATION);
            key.SetProperty(updatedDescriptor);
        }

        // Tiny named helper so the call site reads as "allow" without repeating the enum path.
        private static AccessControlType AccountControlTypeAllow()
        {
            return AccessControlType.Allow;
        }
        /// <summary>
        /// Grants NETWORK SERVICE GenericRead on the private key of <paramref name="cert"/> by adding an
        /// Allow rule to the key container's DACL and committing it. Only keys backed by an
        /// <see cref="RSACryptoServiceProvider"/> are handled; any other private key type is left untouched.
        /// </summary>
        /// <param name="cert">Certificate whose private key ACL is extended. A null certificate, or one
        /// without a private key, is a no-op.</param>
        /// <exception cref="WsatAdminException">Wraps any non-critical exception raised while reading
        /// or committing the key's security descriptor.</exception>
        void AddCertificatePrivateKeyAccess(X509Certificate2 cert)
        {
            if (cert == null || !cert.HasPrivateKey)
            {
                return;
            }

            try
            {
                RSACryptoServiceProvider provider = cert.PrivateKey as RSACryptoServiceProvider;

                // Only the RSA CSP provider is supported; anything else is skipped silently.
                if (provider == null)
                {
                    return;
                }

                CspKeyContainerInfo containerInfo = provider.CspKeyContainerInfo;
                CryptoKeySecurity   keySecurity   = containerInfo.CryptoKeySecurity;

                // AddAccessRule merges with the rules already on the container, so existing
                // entries for other principals are kept.
                keySecurity.AddAccessRule(new CryptoKeyAccessRule(
                    new SecurityIdentifier(WellKnownSidType.NetworkServiceSid, null),
                    CryptoKeyRights.GenericRead,
                    AccessControlType.Allow));

                CommitCryptoKeySecurity(containerInfo, keySecurity);
            }
#pragma warning suppress 56500
            catch (Exception e)
            {
                // CommitCryptoKeySecurity (and the property reads above) may throw anything; let
                // critical exceptions propagate and wrap everything else in the admin tool's own type.
                if (Utilities.IsCriticalException(e))
                {
                    throw;
                }
                throw new WsatAdminException(WsatAdminErrorCode.CANNOT_UPDATE_PRIVATE_KEY_PERM,
                                             SR.GetString(SR.ErrorUpdateCertPrivateKeyPerm), e);
            }
        }
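        /// <summary>
        /// Opens (or creates) the RSA key held in the machine-key-store container
        /// <paramref name="containerName"/> and returns it.
        /// </summary>
        /// <param name="containerName">Name of the CSP key container in the machine key store.</param>
        /// <returns>
        /// The <see cref="RSACryptoServiceProvider"/> bound to the container, or null if the provider
        /// could not be created for any reason. Callers must check for null and own disposal of the
        /// returned instance.
        /// </returns>
        public static RSA CreateRSAAlgorithm(string containerName)
        {
            RSACryptoServiceProvider rsaKey = null;

            try
            {
                // Create a new CspParameters object to specify a key container.
                CspParameters cspParams = new CspParameters();
                cspParams.KeyContainerName = containerName;
                cspParams.Flags            = CspProviderFlags.UseMachineKeyStore;

                // Add the key's access privilege.
                // NOTE(review): this grants FullControl (every right on the key, including export and
                // delete) to the LOCAL well-known group SID — and the trailing comment shows WorldSid was
                // considered as well. That is a broad grant on a machine-store private key; a
                // least-privilege DACL would name the specific account that needs the key. Left
                // unchanged here because existing callers may depend on it.
                CryptoKeySecurity  keySecurity = new CryptoKeySecurity();
                SecurityIdentifier si          = new SecurityIdentifier(WellKnownSidType.LocalSid /*WorldSid*/, null);
                keySecurity.AddAccessRule(new CryptoKeyAccessRule(si, CryptoKeyRights.FullControl, AccessControlType.Allow));
                cspParams.CryptoKeySecurity = keySecurity;

                // Create a new RSA key and save it in the container. This key will encrypt
                // a symmetric key, which will then be encrypted in the XML document.
                rsaKey = new RSACryptoServiceProvider(cspParams);
            }
            catch (System.Exception)
            {
                // Best-effort by design: any failure (access denied, invalid container name, CSP error)
                // is reported to the caller as a null return rather than an exception. There is nothing
                // to clean up — rsaKey is only assigned once the provider was fully constructed.
            }

            return rsaKey;
        }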
 /// <summary>
 /// Initializes a new instance of the System.Security.Cryptography.CspParameters class using a
 /// provider type, a provider name, a container name, access information, and a password
 /// associated with a smart card key. (Declaration only; no body is shown here.)
 /// </summary>
 /// <param name="providerType">The provider type code that specifies the kind of provider to create.</param>
 /// <param name="providerName">A provider name.</param>
 /// <param name="keyContainerName">A container name.</param>
 /// <param name="cryptoKeySecurity">A System.Security.AccessControl.CryptoKeySecurity object that
 /// represents access rights and audit rules for a container. May be null, in which case the
 /// CryptoKeySecurity property is left unset by this constructor.</param>
 /// <param name="keyPassword">A password associated with a smart card key.</param>
 public CspParameters(int providerType, string providerName, string keyContainerName, CryptoKeySecurity cryptoKeySecurity, SecureString keyPassword);
 /// <summary>
 /// Initializes a new instance of the System.Security.Cryptography.CspParameters class using a
 /// provider type, a provider name, a container name, access information, and a handle to an
 /// unmanaged smart card password dialog. (Declaration only; no body is shown here.)
 /// </summary>
 /// <param name="providerType">The provider type code that specifies the kind of provider to create.</param>
 /// <param name="providerName">A provider name.</param>
 /// <param name="keyContainerName">A container name.</param>
 /// <param name="cryptoKeySecurity">A System.Security.AccessControl.CryptoKeySecurity object that
 /// represents access rights and audit rules for the container. May be null, in which case the
 /// CryptoKeySecurity property is left unset by this constructor.</param>
 /// <param name="parentWindowHandle">A handle to the parent window for a smart card password dialog.</param>
 public CspParameters(int providerType, string providerName, string keyContainerName, CryptoKeySecurity cryptoKeySecurity, IntPtr parentWindowHandle);
 /// <summary>Creates a <see cref="T:System.Security.Cryptography.CspParameters" /> for the given provider type, provider name and container, optionally attaching container access rules and a password for a smart card key.</summary>
 /// <param name="providerType">Provider type code selecting the kind of provider to create.</param>
 /// <param name="providerName">Provider name.</param>
 /// <param name="keyContainerName">Key container name.</param>
 /// <param name="cryptoKeySecurity">Access and audit rules for the container; a null value leaves <see cref="CryptoKeySecurity"/> untouched by this constructor.</param>
 /// <param name="keyPassword">Password associated with a smart card key; stored as given (null allowed).</param>
 public CspParameters(int providerType, string providerName, string keyContainerName, CryptoKeySecurity cryptoKeySecurity, SecureString keyPassword) : this(providerType, providerName, keyContainerName)
 {
     this._password = keyPassword;

     // Only overwrite the security descriptor when one was actually supplied.
     if (cryptoKeySecurity == null)
     {
         return;
     }
     this.CryptoKeySecurity = cryptoKeySecurity;
 }
 /// <summary>Creates a <see cref="T:System.Security.Cryptography.CspParameters" /> for the given provider type, provider name and container, optionally attaching container access rules and the window that owns a smart card password dialog.</summary>
 /// <param name="providerType">Provider type code selecting the kind of provider to create.</param>
 /// <param name="providerName">Provider name.</param>
 /// <param name="keyContainerName">Key container name.</param>
 /// <param name="cryptoKeySecurity">Access and audit rules for the container; a null value leaves <see cref="CryptoKeySecurity"/> untouched by this constructor.</param>
 /// <param name="parentWindowHandle">Handle of the parent window for a smart card password dialog; stored as given.</param>
 public CspParameters(int providerType, string providerName, string keyContainerName, CryptoKeySecurity cryptoKeySecurity, IntPtr parentWindowHandle) : this(providerType, providerName, keyContainerName)
 {
     this._windowHandle = parentWindowHandle;

     // Only overwrite the security descriptor when one was actually supplied.
     if (cryptoKeySecurity == null)
     {
         return;
     }
     this.CryptoKeySecurity = cryptoKeySecurity;
 }