CngKey: assign permissions to a machine key
I created a machine-scoped CngKey (MachineKey=true), but my application cannot access it.
How do I assign permissions so that my application pool can access the key? Preferably programmatically, so that I can build it into the installer.
PowerShell creation script:
$keyName = "MyKey"
[System.Security.Cryptography.CngKeyCreationParameters] $cngKeyParameter = [System.Security.Cryptography.CngKeyCreationParameters]::new()
$cngKeyParameter.KeyUsage = [System.Security.Cryptography.CngKeyUsages]::AllUsages
# AllowPlaintextExport permits the private key to be exported unencrypted; only keep it if the installer really needs that
$cngKeyParameter.ExportPolicy = [System.Security.Cryptography.CngExportPolicies]::AllowPlaintextExport
$cngKeyParameter.Provider = [System.Security.Cryptography.CngProvider]::MicrosoftSoftwareKeyStorageProvider
$cngKeyParameter.UIPolicy = [System.Security.Cryptography.CngUIPolicy]::new([System.Security.Cryptography.CngUIProtectionLevels]::None)
$cngKeyParameter.KeyCreationOptions = [System.Security.Cryptography.CngKeyCreationOptions]::MachineKey
#Create Cng Property for Length (the NCrypt "Length" property, key size in bits), set its value and add it to Cng Key Parameter
[System.Security.Cryptography.CngProperty] $cngProperty = [System.Security.Cryptography.CngProperty]::new("Length", [System.BitConverter]::GetBytes(2048), [System.Security.Cryptography.CngPropertyOptions]::None)
$cngKeyParameter.Parameters.Add($cngProperty)
#Create Cng Key for given $keyName using Rsa Algorithm
[System.Security.Cryptography.CngKey] $key = [System.Security.Cryptography.CngKey]::Create([System.Security.Cryptography.CngAlgorithm]::Rsa, $keyName, $cngKeyParameter)
Permissions on CNG keys are a bit indirect.
If you know the full set of permissions you want to apply, you can do it at creation time (sorry, you will have to convert the C# to PowerShell):
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Principal;

// Build the DACL: Administrators keep full control, the service account gets read only.
CryptoKeySecurity sec = new CryptoKeySecurity();
sec.AddAccessRule(
new CryptoKeyAccessRule(
new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null),
CryptoKeyRights.FullControl,
AccessControlType.Allow));
sec.AddAccessRule(
new CryptoKeyAccessRule(
new SecurityIdentifier(WellKnownSidType.NetworkServiceSid, null),
CryptoKeyRights.GenericRead,
AccessControlType.Allow));
// NCrypt property name and flag (NCRYPT_SECURITY_DESCR_PROPERTY from ncrypt.h, DACL_SECURITY_INFORMATION = 0x4 from winnt.h)
const string NCRYPT_SECURITY_DESCR_PROPERTY = "Security Descr";
const CngPropertyOptions DACL_SECURITY_INFORMATION = (CngPropertyOptions)4;
// Persist the descriptor with the key; cngKeyParameter is the CngKeyCreationParameters from the question.
CngProperty permissions = new CngProperty(
NCRYPT_SECURITY_DESCR_PROPERTY,
sec.GetSecurityDescriptorBinaryForm(),
CngPropertyOptions.Persist | DACL_SECURITY_INFORMATION);
cngKeyParameter.Parameters.Add(permissions);
If you want to attach a rule later (for example, after the key was created with default permissions):
// Read the key's current DACL, add the rule, and write the descriptor back.
CngProperty prop = key.GetProperty(NCRYPT_SECURITY_DESCR_PROPERTY, DACL_SECURITY_INFORMATION);
CryptoKeySecurity sec = new CryptoKeySecurity();
sec.SetSecurityDescriptorBinaryForm(prop.GetValue());
sec.AddAccessRule(
new CryptoKeyAccessRule(
new SecurityIdentifier(WellKnownSidType.NetworkServiceSid, null),
CryptoKeyRights.GenericRead,
AccessControlType.Allow));
CngProperty newProp = new CngProperty(
prop.Name,
sec.GetSecurityDescriptorBinaryForm(),
CngPropertyOptions.Persist | DACL_SECURITY_INFORMATION);
key.SetProperty(newProp);
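The answer's C# ported to PowerShell, as an added example that is not code from the question or the answer. It assumes Windows PowerShell 5.1 (.NET Framework), where CryptoKeySecurity is available (it is not on PowerShell 7 / .NET Core), an elevated session (writing the DACL needs WRITE_DAC on the key), and placeholder names: key "MyKey" and application pool "MyAppPool", which must already exist so that its virtual account IIS AppPool\MyAppPool resolves to a SID. It covers both routes in the answer (DACL at creation time, or patched onto an existing key) and deliberately differs from the question's script by creating the key non-exportable, which is the least-privilege choice when the pool only needs to sign or decrypt with it.

```powershell
# Added example, not from the question or the answer. Windows PowerShell 5.1 (.NET Framework) only.
# Hypothetical names: key 'MyKey', application pool 'MyAppPool'. Run elevated.

$NCRYPT_SECURITY_DESCR_PROPERTY = 'Security Descr'
# DACL_SECURITY_INFORMATION = 4, passed through CngPropertyOptions exactly as the answer does
$DACL_SECURITY_INFORMATION = [System.Security.Cryptography.CngPropertyOptions]4
$PERSIST_DACL = [System.Security.Cryptography.CngPropertyOptions]::Persist -bor $DACL_SECURITY_INFORMATION
$KSP = [System.Security.Cryptography.CngProvider]::MicrosoftSoftwareKeyStorageProvider

function Get-AppPoolSid {
    param([Parameter(Mandatory)][string]$AppPoolName)
    # IIS application pools run as virtual accounts named "IIS AppPool\<pool name>";
    # the pool must already exist on this machine for the lookup to succeed.
    $account = [System.Security.Principal.NTAccount]::new('IIS AppPool', $AppPoolName)
    return $account.Translate([System.Security.Principal.SecurityIdentifier])
}

function New-CngKeyDacl {
    param(
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$ReaderSid,
        [byte[]]$ExistingDescriptor   # omit to build a DACL from scratch
    )
    $sec = [System.Security.AccessControl.CryptoKeySecurity]::new()
    if ($ExistingDescriptor) {
        $sec.SetSecurityDescriptorBinaryForm($ExistingDescriptor)
    } else {
        # From scratch: keep Administrators in full control, as the answer does
        $admins = [System.Security.Principal.SecurityIdentifier]::new(
            [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)
        $sec.AddAccessRule([System.Security.AccessControl.CryptoKeyAccessRule]::new(
            $admins, [System.Security.AccessControl.CryptoKeyRights]::FullControl,
            [System.Security.AccessControl.AccessControlType]::Allow))
    }
    # Least privilege: the pool only needs to use the key, so GenericRead rather than FullControl
    $sec.AddAccessRule([System.Security.AccessControl.CryptoKeyAccessRule]::new(
        $ReaderSid, [System.Security.AccessControl.CryptoKeyRights]::GenericRead,
        [System.Security.AccessControl.AccessControlType]::Allow))
    return $sec
}

function New-MachineRsaKeyForAppPool {
    # Route 1 from the answer: the DACL is set as a property at key creation time
    param([Parameter(Mandatory)][string]$KeyName, [Parameter(Mandatory)][string]$AppPoolName)
    $sec = New-CngKeyDacl -ReaderSid (Get-AppPoolSid $AppPoolName)
    $p = [System.Security.Cryptography.CngKeyCreationParameters]::new()
    $p.Provider = $KSP
    $p.KeyCreationOptions = [System.Security.Cryptography.CngKeyCreationOptions]::MachineKey
    # Non-exportable: the pool can sign/decrypt with the private key but cannot copy it out
    $p.ExportPolicy = [System.Security.Cryptography.CngExportPolicies]::None
    $p.Parameters.Add([System.Security.Cryptography.CngProperty]::new(
        'Length', [System.BitConverter]::GetBytes(2048), [System.Security.Cryptography.CngPropertyOptions]::None))
    $p.Parameters.Add([System.Security.Cryptography.CngProperty]::new(
        $NCRYPT_SECURITY_DESCR_PROPERTY, $sec.GetSecurityDescriptorBinaryForm(), $PERSIST_DACL))
    return [System.Security.Cryptography.CngKey]::Create([System.Security.Cryptography.CngAlgorithm]::Rsa, $KeyName, $p)
}

function Grant-CngKeyRead {
    # Route 2 from the answer: read the existing DACL, add the rule, write it back
    param([Parameter(Mandatory)][string]$KeyName, [Parameter(Mandatory)][string]$AppPoolName)
    $key = [System.Security.Cryptography.CngKey]::Open($KeyName, $KSP,
        [System.Security.Cryptography.CngKeyOpenOptions]::MachineKey)
    $prop = $key.GetProperty($NCRYPT_SECURITY_DESCR_PROPERTY, $DACL_SECURITY_INFORMATION)
    $sec = New-CngKeyDacl -ReaderSid (Get-AppPoolSid $AppPoolName) -ExistingDescriptor $prop.GetValue()
    $key.SetProperty([System.Security.Cryptography.CngProperty]::new(
        $prop.Name, $sec.GetSecurityDescriptorBinaryForm(), $PERSIST_DACL))
    $key.Dispose()
}

function Show-CngKeyDacl {
    # Read the DACL back so the installer's result can be verified
    param([Parameter(Mandatory)][string]$KeyName)
    $key = [System.Security.Cryptography.CngKey]::Open($KeyName, $KSP,
        [System.Security.Cryptography.CngKeyOpenOptions]::MachineKey)
    $sec = [System.Security.AccessControl.CryptoKeySecurity]::new()
    $sec.SetSecurityDescriptorBinaryForm(
        $key.GetProperty($NCRYPT_SECURITY_DESCR_PROPERTY, $DACL_SECURITY_INFORMATION).GetValue())
    $key.Dispose()
    $sec.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Select-Object IdentityReference, CryptoKeyRights, AccessControlType
}

# Usage (elevated):
#   New-MachineRsaKeyForAppPool -KeyName 'MyKey' -AppPoolName 'MyAppPool'   # fresh key with the DACL baked in
#   Grant-CngKeyRead -KeyName 'MyKey' -AppPoolName 'MyAppPool'              # or fix up a key that already exists
#   Show-CngKeyDacl -KeyName 'MyKey'                                        # confirm IIS AppPool\MyAppPool has GenericRead
```

Show-CngKeyDacl is the check to run after the installer: if the pool's account is missing from the list, or shows more than GenericRead, the DACL write did not do what you intended. If the installer runs under an account other than the one that created the key, it needs WRITE_DAC on the key itself or the SetProperty call fails with an access-denied CryptographicException.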