/// <summary>
/// Builds CSP parameters from a provider type, provider name and key container name,
/// optionally attaching container access rules and a smart-card key password.
/// </summary>
/// <param name="dwTypeIn">Provider type code.</param>
/// <param name="strProviderNameIn">Provider name.</param>
/// <param name="strContainerNameIn">Key container name.</param>
/// <param name="cryptoKeySecurity">Access rules for the container; when null the property is left untouched.</param>
/// <param name="keyPassword">Password stored in the private password field for later use by the provider.</param>
public CspParameters(int dwTypeIn, string strProviderNameIn, string strContainerNameIn, CryptoKeySecurity cryptoKeySecurity, SecureString keyPassword)
    : this(dwTypeIn, strProviderNameIn, strContainerNameIn)
{
    // A null security object must not clobber whatever the chained constructor left in place.
    bool hasSecurity = !object.ReferenceEquals(cryptoKeySecurity, null);
    if (hasSecurity)
    {
        CryptoKeySecurity = cryptoKeySecurity;
    }

    _password = keyPassword;
}
/// <summary>
/// Builds CSP parameters from a provider type, provider name and key container name,
/// optionally attaching container access rules and the parent window handle used for
/// a smart-card password dialog.
/// </summary>
/// <param name="dwTypeIn">Provider type code.</param>
/// <param name="strProviderNameIn">Provider name.</param>
/// <param name="strContainerNameIn">Key container name.</param>
/// <param name="cryptoKeySecurity">Access rules for the container; when null the property is left untouched.</param>
/// <param name="parentWindowHandle">Window handle stored in the private window-handle field.</param>
public CspParameters(int dwTypeIn, string strProviderNameIn, string strContainerNameIn, CryptoKeySecurity cryptoKeySecurity, IntPtr parentWindowHandle)
    : this(dwTypeIn, strProviderNameIn, strContainerNameIn)
{
    // A null security object must not clobber whatever the chained constructor left in place.
    bool hasSecurity = !object.ReferenceEquals(cryptoKeySecurity, null);
    if (hasSecurity)
    {
        CryptoKeySecurity = cryptoKeySecurity;
    }

    _windowHandle = parentWindowHandle;
}
/// <summary>
/// Revokes the NetworkService account's explicit GenericRead Allow rule on the certificate's
/// RSA CSP private key, if such a rule is present, and commits the updated DACL.
/// Certificates that are null, have no private key, or whose key is not an
/// RSACryptoServiceProvider are left untouched.
/// </summary>
/// <param name="cert">Certificate whose private key DACL is adjusted.</param>
/// <exception cref="WsatAdminException">Wraps any non-critical failure from reading or committing the key security.</exception>
void RemoveCertificatePrivateKeyAccess(X509Certificate2 cert)
{
    if (cert == null || !cert.HasPrivateKey)
    {
        return;
    }

    try
    {
        // Only RSA provider is supported here
        RSACryptoServiceProvider provider = cert.PrivateKey as RSACryptoServiceProvider;
        if (provider == null)
        {
            return;
        }

        CspKeyContainerInfo containerInfo = provider.CspKeyContainerInfo;
        CryptoKeySecurity keySecurity = containerInfo.CryptoKeySecurity;
        SecurityIdentifier networkService = new SecurityIdentifier(WellKnownSidType.NetworkServiceSid, null);

        // Explicit (non-inherited) rules only, with identities resolved as SIDs.
        AuthorizationRuleCollection explicitRules = keySecurity.GetAccessRules(true, false, typeof(SecurityIdentifier));
        foreach (AuthorizationRule authRule in explicitRules)
        {
            CryptoKeyAccessRule accessRule = (CryptoKeyAccessRule)authRule;
            bool allowsRead = accessRule.AccessControlType == AccessControlType.Allow
                && (accessRule.CryptoKeyRights & CryptoKeyRights.GenericRead) != 0;
            if (!allowsRead)
            {
                continue;
            }

            if (!networkService.Equals(accessRule.IdentityReference as SecurityIdentifier))
            {
                continue;
            }

            // Remove only the GenericRead Allow entry; any other rights on the key are kept.
            keySecurity.RemoveAccessRule(new CryptoKeyAccessRule(networkService, CryptoKeyRights.GenericRead, AccessControlType.Allow));
            CommitCryptoKeySecurity(containerInfo, keySecurity);
            break;
        }
    }
#pragma warning suppress 56500
    catch (Exception e)
    {
        // CommitCryptoKeySecurity can actually throw any exception,
        // so the safest way here is to catch a generic exception while throw on critical ones
        if (Utilities.IsCriticalException(e))
        {
            throw;
        }
        throw new WsatAdminException(WsatAdminErrorCode.CANNOT_UPDATE_PRIVATE_KEY_PERM, SR.GetString(SR.ErrorUpdateCertPrivateKeyPerm), e);
    }
}
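/// <summary>
/// Persists <paramref name="keySec"/> on the key container described by <paramref name="info"/>
/// by re-opening that container through a CSP handle whose parameters carry the new DACL.
/// </summary>
/// <param name="info">Identity of the container: provider type, provider name and container name.</param>
/// <param name="keySec">The security descriptor to apply to the container.</param>
/// <remarks>
/// This method could throw any exception, because the RSACryptoServiceProvider ctor could do so.
/// Exceptions are escalated to the callers, who are better placed to decide how to deal with them.
/// </remarks>
void CommitCryptoKeySecurity(CspKeyContainerInfo info, CryptoKeySecurity keySec)
{
    CspParameters cspParams = new CspParameters(info.ProviderType, info.ProviderName, info.KeyContainerName);
    cspParams.CryptoKeySecurity = keySec;

    // Important flag, or the security setting will silently fail
    cspParams.Flags = CspProviderFlags.UseMachineKeyStore;

    // The RSACryptoServiceProvider ctor will automatically apply DACLs set in CSP's security info.
    // Naming a container in CspParameters makes the provider persist the key, so disposing the
    // provider releases the CSP handle without deleting the key; do that deterministically
    // instead of leaving the handle to the finalizer.
    using (new RSACryptoServiceProvider(cspParams))
    {
    }
}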
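/// <summary>
/// Grants <paramref name="accountName"/> the rights in <paramref name="keyAccessMask"/> on a CNG (KSP) key:
/// reads the key's current DACL, adds an Allow rule, and writes the descriptor back persistently.
/// </summary>
/// <param name="key">The CNG key whose security descriptor is updated.</param>
/// <param name="accountName">Account that receives the rights, in a form CryptoKeyAccessRule can resolve.</param>
/// <param name="keyAccessMask">Rights to allow for the account.</param>
/// <exception cref="ArgumentNullException"><paramref name="key"/> or <paramref name="accountName"/> is null.</exception>
internal static void SetAccessRuleOnKSPKey(CngKey key, string accountName, CryptoKeyRights keyAccessMask)
{
    // Fail early with a clear argument error rather than a NullReferenceException deep in the property calls.
    if (key == null)
    {
        throw new ArgumentNullException(nameof(key));
    }
    if (accountName == null)
    {
        throw new ArgumentNullException(nameof(accountName));
    }

    // NCrypt property name for the key's security descriptor; the option value 0x4 is the
    // Win32 DACL_SECURITY_INFORMATION flag, so only the DACL part is read and written.
    const string NCRYPT_SECURITY_DESCR_PROPERTY = "Security Descr";
    const CngPropertyOptions DACL_SECURITY_INFORMATION = (CngPropertyOptions)4;

    // retrieve existing permissions
    CngProperty existingACL = key.GetProperty(NCRYPT_SECURITY_DESCR_PROPERTY, DACL_SECURITY_INFORMATION);

    // add new rule; CryptoKeySecurity merges it with the ACEs already in the descriptor
    CryptoKeySecurity keySec = new CryptoKeySecurity();
    keySec.SetSecurityDescriptorBinaryForm(existingACL.GetValue());
    keySec.AddAccessRule(new CryptoKeyAccessRule(accountName, keyAccessMask, AccessControlType.Allow));

    // put back; Persist makes the change survive reopening the key
    CngProperty updatedACL = new CngProperty(existingACL.Name, keySec.GetSecurityDescriptorBinaryForm(), CngPropertyOptions.Persist | DACL_SECURITY_INFORMATION);
    key.SetProperty(updatedACL);
}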
/// <summary>
/// Grants the NetworkService account GenericRead on the certificate's RSA CSP private key
/// and commits the updated DACL. Certificates that are null, have no private key, or whose
/// key is not an RSACryptoServiceProvider are left untouched.
/// </summary>
/// <param name="cert">Certificate whose private key DACL is adjusted.</param>
/// <exception cref="WsatAdminException">Wraps any non-critical failure from reading or committing the key security.</exception>
void AddCertificatePrivateKeyAccess(X509Certificate2 cert)
{
    if (cert == null || !cert.HasPrivateKey)
    {
        return;
    }

    try
    {
        // Only RSA provider is supported here
        RSACryptoServiceProvider provider = cert.PrivateKey as RSACryptoServiceProvider;
        if (provider == null)
        {
            return;
        }

        CspKeyContainerInfo containerInfo = provider.CspKeyContainerInfo;
        CryptoKeySecurity keySecurity = containerInfo.CryptoKeySecurity;
        SecurityIdentifier networkService = new SecurityIdentifier(WellKnownSidType.NetworkServiceSid, null);

        // Just add a rule, existing settings will be merged
        keySecurity.AddAccessRule(new CryptoKeyAccessRule(networkService, CryptoKeyRights.GenericRead, AccessControlType.Allow));
        CommitCryptoKeySecurity(containerInfo, keySecurity);
    }
#pragma warning suppress 56500
    catch (Exception e)
    {
        // CommitCryptoKeySecurity can actually throw any exception,
        // so the safest way here is to catch a generic exception while throw on critical ones
        if (Utilities.IsCriticalException(e))
        {
            throw;
        }
        throw new WsatAdminException(WsatAdminErrorCode.CANNOT_UPDATE_PRIVATE_KEY_PERM, SR.GetString(SR.ErrorUpdateCertPrivateKeyPerm), e);
    }
}
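/// <summary>
/// Opens or creates the machine-store RSA CSP key container named <paramref name="containerName"/>.
/// </summary>
/// <param name="containerName">Name of the CSP key container.</param>
/// <returns>The RSA provider bound to the container, or null if the CSP call fails for any reason.</returns>
/// <remarks>
/// The container is created with a FullControl Allow rule for the well-known LocalSid (S-1-2-0),
/// a group Windows adds to locally logged-on sessions — the <c>/*WorldSid*/</c> note shows Everyone
/// was also considered. Both are far broader than least privilege for a private key; confirm
/// the grant is intended before reusing this helper and narrow it to the account that needs the key.
/// </remarks>
public static RSA CreateRSAAlgorithm(string containerName)
{
    try
    {
        // Create a new CspParameters object to specify a key container.
        CspParameters cspParams = new CspParameters();
        cspParams.KeyContainerName = containerName;
        cspParams.Flags = CspProviderFlags.UseMachineKeyStore;

        // Add the key's access privilege
        CryptoKeySecurity keySecurity = new CryptoKeySecurity();
        SecurityIdentifier si = new SecurityIdentifier(WellKnownSidType.LocalSid /*WorldSid*/, null);
        keySecurity.AddAccessRule(new CryptoKeyAccessRule(si, CryptoKeyRights.FullControl, AccessControlType.Allow));
        cspParams.CryptoKeySecurity = keySecurity;

        // Create a new RSA key and save it in the container. This key will encrypt
        // a symmetric key, which will then be encrypted in the XML document.
        return new RSACryptoServiceProvider(cspParams);
    }
    catch (System.Exception)
    {
        // Best-effort contract kept for existing callers: any failure yields null instead of
        // propagating, so callers must check the result. This also hides the
        // CryptographicException detail that would explain a misconfigured CSP, and it
        // swallows critical exceptions; consider logging here if a logger is available.
        return null;
    }
}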
//
// Summary:
//     Initializes a new instance of the System.Security.Cryptography.CspParameters
//     class using a provider type, a provider name, a container name, access information,
//     and a password associated with a smart card key.
//
// Parameters:
//   providerType:
//     The provider type code that specifies the kind of provider to create.
//
//   providerName:
//     A provider name.
//
//   keyContainerName:
//     A container name.
//
//   cryptoKeySecurity:
//     A System.Security.AccessControl.CryptoKeySecurity object that represents
//     access rights and audit rules for a container.
//
//   keyPassword:
//     A password associated with a smart card key.
//
// Metadata-only signature: no constructor body is shown in this listing.
public CspParameters(int providerType, string providerName, string keyContainerName, CryptoKeySecurity cryptoKeySecurity, SecureString keyPassword);
//
// Summary:
//     Initializes a new instance of the System.Security.Cryptography.CspParameters
//     class using a provider type, a provider name, a container name, access information,
//     and a handle to an unmanaged smart card password dialog.
//
// Parameters:
//   providerType:
//     The provider type code that specifies the kind of provider to create.
//
//   providerName:
//     A provider name.
//
//   keyContainerName:
//     A container name.
//
//   cryptoKeySecurity:
//     A System.Security.AccessControl.CryptoKeySecurity object that represents
//     access rights and audit rules for the container.
//
//   parentWindowHandle:
//     A handle to the parent window for a smart card password dialog.
//
// Metadata-only signature: no constructor body is shown in this listing.
public CspParameters(int providerType, string providerName, string keyContainerName, CryptoKeySecurity cryptoKeySecurity, IntPtr parentWindowHandle);
/// <summary>
/// Initializes a new instance of the <see cref="T:System.Security.Cryptography.CspParameters" /> class
/// using a provider type, a provider name, a container name, access information, and a password
/// associated with a smart card key.
/// </summary>
/// <param name="providerType">The provider type code that specifies the kind of provider to create.</param>
/// <param name="providerName">A provider name.</param>
/// <param name="keyContainerName">A container name.</param>
/// <param name="cryptoKeySecurity">Access rights and audit rules for the container; a null value leaves the property untouched.</param>
/// <param name="keyPassword">A password associated with a smart card key.</param>
public CspParameters(int providerType, string providerName, string keyContainerName, CryptoKeySecurity cryptoKeySecurity, SecureString keyPassword)
    : this(providerType, providerName, keyContainerName)
{
    // Only a non-null descriptor replaces what the chained constructor established.
    bool hasSecurity = !object.ReferenceEquals(cryptoKeySecurity, null);
    if (hasSecurity)
    {
        CryptoKeySecurity = cryptoKeySecurity;
    }

    _password = keyPassword;
}
/// <summary>
/// Initializes a new instance of the <see cref="T:System.Security.Cryptography.CspParameters" /> class
/// using a provider type, a provider name, a container name, access information, and a handle
/// to an unmanaged smart card password dialog.
/// </summary>
/// <param name="providerType">The provider type code that specifies the kind of provider to create.</param>
/// <param name="providerName">A provider name.</param>
/// <param name="keyContainerName">A container name.</param>
/// <param name="cryptoKeySecurity">Access rights and audit rules for the container; a null value leaves the property untouched.</param>
/// <param name="parentWindowHandle">A handle to the parent window for a smart card password dialog.</param>
public CspParameters(int providerType, string providerName, string keyContainerName, CryptoKeySecurity cryptoKeySecurity, IntPtr parentWindowHandle)
    : this(providerType, providerName, keyContainerName)
{
    // Only a non-null descriptor replaces what the chained constructor established.
    bool hasSecurity = !object.ReferenceEquals(cryptoKeySecurity, null);
    if (hasSecurity)
    {
        CryptoKeySecurity = cryptoKeySecurity;
    }

    _windowHandle = parentWindowHandle;
}