Exemplo n.º 1
0
        internal static void SetAccessRuleOnKSPKey(CngKey key, string accountName, CryptoKeyRights keyAccessMask)
        {
            const string             NCRYPT_SECURITY_DESCR_PROPERTY = "Security Descr";
            const CngPropertyOptions DACL_SECURITY_INFORMATION      = (CngPropertyOptions)4;

            // retrieve existing permissions
            var existingACL = key.GetProperty(NCRYPT_SECURITY_DESCR_PROPERTY, DACL_SECURITY_INFORMATION);

            // add new rule
            CryptoKeySecurity keySec = new CryptoKeySecurity();

            keySec.SetSecurityDescriptorBinaryForm(existingACL.GetValue());
            keySec.AddAccessRule(new CryptoKeyAccessRule(accountName, keyAccessMask, AccessControlType.Allow));

            // put back
            CngProperty updatedACL = new CngProperty(existingACL.Name, keySec.GetSecurityDescriptorBinaryForm(), CngPropertyOptions.Persist | DACL_SECURITY_INFORMATION);

            key.SetProperty(updatedACL);
        }
Exemplo n.º 2
0
        /// <summary>
        /// Import a key from a file for use on the machine.
        /// </summary>
        /// <param name="providerName"></param>
        /// <param name="filePath"></param>
        public bool ImportKeyToKSP(string providerName, string keyName, string filePath, bool makeExportable = false)
        {
            CngProvider provider = new CngProvider(providerName);

            bool keyExists = doesKeyExists(provider, keyName);

            if (keyExists)
            {
                //Key already exists. Can't create it.
                return(false);
            }

            CryptoKeySecurity        sec       = new CryptoKeySecurity();
            CngKeyCreationParameters keyParams = null;

            byte[] keyBlob = File.ReadAllBytes(filePath);

            CngProperty keyBlobProp = new CngProperty(new CngKeyBlobFormat("RSAFULLPRIVATEBLOB").Format, keyBlob, CngPropertyOptions.None);

            if (IsMicrosoftSoftwareKSP(provider))
            {
                sec.AddAccessRule(
                    new CryptoKeyAccessRule(
                        new SecurityIdentifier(sidType: WellKnownSidType.BuiltinAdministratorsSid, domainSid: null),
                        cryptoKeyRights: CryptoKeyRights.FullControl,
                        type: AccessControlType.Allow));

                sec.AddAccessRule(
                    new CryptoKeyAccessRule(
                        new SecurityIdentifier(sidType: WellKnownSidType.BuiltinSystemOperatorsSid, domainSid: null),
                        cryptoKeyRights: CryptoKeyRights.GenericRead,
                        type: AccessControlType.Allow));

                const string             NCRYPT_SECURITY_DESCR_PROPERTY = "Security Descr";
                const CngPropertyOptions DACL_SECURITY_INFORMATION      = (CngPropertyOptions)4;

                CngProperty permissions = new CngProperty(
                    NCRYPT_SECURITY_DESCR_PROPERTY,
                    sec.GetSecurityDescriptorBinaryForm(),
                    CngPropertyOptions.Persist | DACL_SECURITY_INFORMATION);
                keyParams = new CngKeyCreationParameters()
                {
                    ExportPolicy       = makeExportable ? CngExportPolicies.AllowExport | CngExportPolicies.AllowPlaintextExport : CngExportPolicies.None,
                    Provider           = provider,
                    Parameters         = { permissions, keyBlobProp },
                    KeyCreationOptions = CngKeyCreationOptions.MachineKey
                };
                using (CngKey key = CngKey.Create(CngAlgorithm.Rsa, keyName, keyParams))
                {
                    if (key == null)
                    {
                        return(false);
                    }
                    return(true);
                }
            }
            else
            {
                keyParams = new CngKeyCreationParameters()
                {
                    ExportPolicy       = makeExportable ? CngExportPolicies.AllowExport | CngExportPolicies.AllowPlaintextExport : CngExportPolicies.None,
                    Provider           = provider,
                    Parameters         = { keyBlobProp },
                    KeyCreationOptions = CngKeyCreationOptions.MachineKey
                };
                using (CngKey key = CngKey.Create(CngAlgorithm.Rsa, keyName, keyParams))
                {
                    if (key == null)
                    {
                        return(false);
                    }
                    // nothing to do inside here, except to return without throwing an exception
                    return(true);
                }
            }
        }
Exemplo n.º 3
0
        internal static void SetKeySetSecurityInfo(SafeProvHandle hProv, CryptoKeySecurity cryptoKeySecurity, AccessControlSections accessControlSections)
        {
            SecurityInfos securityInfo = (SecurityInfos)0;
            Privilege     privilege    = (Privilege)null;

            if ((accessControlSections & AccessControlSections.Owner) != AccessControlSections.None && cryptoKeySecurity._securityDescriptor.Owner != (SecurityIdentifier)null)
            {
                securityInfo |= SecurityInfos.Owner;
            }
            if ((accessControlSections & AccessControlSections.Group) != AccessControlSections.None && cryptoKeySecurity._securityDescriptor.Group != (SecurityIdentifier)null)
            {
                securityInfo |= SecurityInfos.Group;
            }
            if ((accessControlSections & AccessControlSections.Audit) != AccessControlSections.None)
            {
                securityInfo |= SecurityInfos.SystemAcl;
            }
            if ((accessControlSections & AccessControlSections.Access) != AccessControlSections.None && cryptoKeySecurity._securityDescriptor.IsDiscretionaryAclPresent)
            {
                securityInfo |= SecurityInfos.DiscretionaryAcl;
            }
            if (securityInfo == (SecurityInfos)0)
            {
                return;
            }
            int hr = 0;

            RuntimeHelpers.PrepareConstrainedRegions();
            try
            {
                if ((securityInfo & SecurityInfos.SystemAcl) != (SecurityInfos)0)
                {
                    privilege = new Privilege("SeSecurityPrivilege");
                    privilege.Enable();
                }
                byte[] descriptorBinaryForm = cryptoKeySecurity.GetSecurityDescriptorBinaryForm();
                if (descriptorBinaryForm != null)
                {
                    if (descriptorBinaryForm.Length != 0)
                    {
                        hr = Utils.SetKeySetSecurityInfo(hProv, securityInfo, descriptorBinaryForm);
                    }
                }
            }
            finally
            {
                if (privilege != null)
                {
                    privilege.Revert();
                }
            }
            if (hr == 5 || hr == 1307 || hr == 1308)
            {
                throw new UnauthorizedAccessException();
            }
            if (hr == 1314)
            {
                throw new PrivilegeNotHeldException("SeSecurityPrivilege");
            }
            if (hr == 6)
            {
                throw new NotSupportedException(Environment.GetResourceString("AccessControl_InvalidHandle"));
            }
            if (hr != 0)
            {
                throw new CryptographicException(hr);
            }
        }
Exemplo n.º 4
0
        /// <summary>
        /// Tries to generate and RSA Key in the given provider with this keyName.
        /// </summary>
        /// <param name="providerName">Name of the provider</param>
        /// <param name="keyName">Name of the key</param>
        /// <param name="keyLength">Length of the key to generate</param>
        /// <returns>true if successful, false if that key already exists.</returns>
        public bool TryGenerateLocalRSAKey(string providerName, string keyName, int keyLength = 2048)
        {
            CngProvider provider = new CngProvider(providerName);

            bool keyExists = doesKeyExists(provider, keyName);

            if (keyExists)
            {
                //Key already exists. Can't create it.
                return(false);
            }

            CryptoKeySecurity        sec       = new CryptoKeySecurity();
            CngKeyCreationParameters keyParams = null;

            if (IsMicrosoftSoftwareKSP(provider))
            {
                sec.AddAccessRule(
                    new CryptoKeyAccessRule(
                        new SecurityIdentifier(sidType: WellKnownSidType.BuiltinAdministratorsSid, domainSid: null),
                        cryptoKeyRights: CryptoKeyRights.FullControl,
                        type: AccessControlType.Allow));

                sec.AddAccessRule(
                    new CryptoKeyAccessRule(
                        new SecurityIdentifier(sidType: WellKnownSidType.BuiltinSystemOperatorsSid, domainSid: null),
                        cryptoKeyRights: CryptoKeyRights.GenericRead,
                        type: AccessControlType.Allow));

                const string             NCRYPT_SECURITY_DESCR_PROPERTY = "Security Descr";
                const CngPropertyOptions DACL_SECURITY_INFORMATION      = (CngPropertyOptions)4;

                CngProperty permissions = new CngProperty(
                    NCRYPT_SECURITY_DESCR_PROPERTY,
                    sec.GetSecurityDescriptorBinaryForm(),
                    CngPropertyOptions.Persist | DACL_SECURITY_INFORMATION);
                keyParams = new CngKeyCreationParameters()
                {
                    ExportPolicy = CngExportPolicies.None,
                    Provider     = provider,
                    Parameters   = { new CngProperty("Length", BitConverter.GetBytes(keyLength), CngPropertyOptions.None),
                                     permissions },
                    KeyCreationOptions = CngKeyCreationOptions.MachineKey
                };
                using (CngKey key = CngKey.Create(CngAlgorithm.Rsa, keyName, keyParams))
                {
                    if (key == null)
                    {
                        return(false);
                    }
                    return(true);
                }
            }
            else
            {
                keyParams = new CngKeyCreationParameters()
                {
                    ExportPolicy = CngExportPolicies.None,
                    Provider     = provider,
                    Parameters   = { new CngProperty("Length", BitConverter.GetBytes(keyLength), CngPropertyOptions.None) }
                };
                using (CngKey key = CngKey.Create(CngAlgorithm.Rsa, keyName, keyParams))
                {
                    if (key == null)
                    {
                        return(false);
                    }
                    // nothing to do inside here, except to return without throwing an exception
                    return(true);
                }
            }
        }
Exemplo n.º 5
0
        internal static void SetKeySetSecurityInfo(SafeProvHandle hProv, CryptoKeySecurity cryptoKeySecurity, AccessControlSections accessControlSections)
        {
            SecurityInfos securityInfo = 0;
            Privilege     privilege    = null;

            if (((accessControlSections & AccessControlSections.Owner) != AccessControlSections.None) && (cryptoKeySecurity._securityDescriptor.Owner != null))
            {
                securityInfo |= SecurityInfos.Owner;
            }
            if (((accessControlSections & AccessControlSections.Group) != AccessControlSections.None) && (cryptoKeySecurity._securityDescriptor.Group != null))
            {
                securityInfo |= SecurityInfos.Group;
            }
            if ((accessControlSections & AccessControlSections.Audit) != AccessControlSections.None)
            {
                securityInfo |= SecurityInfos.SystemAcl;
            }
            if (((accessControlSections & AccessControlSections.Access) != AccessControlSections.None) && cryptoKeySecurity._securityDescriptor.IsDiscretionaryAclPresent)
            {
                securityInfo |= SecurityInfos.DiscretionaryAcl;
            }
            if (securityInfo != 0)
            {
                int hr = 0;
                RuntimeHelpers.PrepareConstrainedRegions();
                try
                {
                    if ((securityInfo & SecurityInfos.SystemAcl) != 0)
                    {
                        privilege = new Privilege("SeSecurityPrivilege");
                        privilege.Enable();
                    }
                    byte[] securityDescriptorBinaryForm = cryptoKeySecurity.GetSecurityDescriptorBinaryForm();
                    if ((securityDescriptorBinaryForm != null) && (securityDescriptorBinaryForm.Length > 0))
                    {
                        hr = SetKeySetSecurityInfo(hProv, securityInfo, securityDescriptorBinaryForm);
                    }
                }
                finally
                {
                    if (privilege != null)
                    {
                        privilege.Revert();
                    }
                }
                switch (hr)
                {
                case 5:
                case 0x51b:
                case 0x51c:
                    throw new UnauthorizedAccessException();

                case 0x522:
                    throw new PrivilegeNotHeldException("SeSecurityPrivilege");

                case 6:
                    throw new NotSupportedException(Environment.GetResourceString("AccessControl_InvalidHandle"));
                }
                if (hr != 0)
                {
                    throw new CryptographicException(hr);
                }
            }
        }