在 HSM 中为私钥设置 ACL
Set ACL on private key in HSM
在Windows 服务器A 上,我们可以在HSM 中生成一个密钥,并将其提供给AD CS。该密钥用于生成 CSR,由 public CA 签名,并导入到同一主机上的证书库中。可以使用 certutil -repairstore link 将签名的证书转为私钥,并使用该密钥对工件进行签名。
问题是私钥资源上有一个ACL,如果我们移动到服务器N,并尝试使用HSM中的签名密钥,由于ACL上有一个权限错误事件密钥无法识别访问它的环境。
powershell 工具 Get-Acl 和 Set-Acl(在服务器 A 上调用)似乎可以更改 ACL,但我不知道需要哪些参数、参数中应该包含哪些内容以及如何进行该信息应该格式化。也就是说,Get-Acl 的文档说
Because Get-Acl is supported by the file system and registry providers, you can use Get-Acl to view the ACL of file system objects, such as files and directories, and registry objects, such as registry keys and entries.
(我用 斜体 突出显示的文本)
那么,Get-Acl 是否正确?或者还有什么其他的东西可以用吗?
如果有人这样做过,我们可以得到一些指导吗?
HSM 中有一个密钥:
------------------------------------------------------------
Provider : Utimaco CryptoServer Key Storage Provider
Device : 3001@127.0.0.1
Group : utimaco
Mode : Internal Key Storage
------------------------------------------------------------
Index AlgId Size Group Name Spec
---------------------------------------------------------------------------------
1 RSA 2048 utimaco testacl 0
Get-Acl -inputobject 可能会让我访问该对象,但如何以 InputObject 满意的方式格式化它?
感谢您的任何提示。如果您包含“改为执行此操作”,我们会很乐意接受“行不通”。如果你就这么说,我会不高兴地接受是行不通的:)
Get-Acl/Set-Acl 通常不适用于 CNG 密钥。你不能使用 -Path 因为没有 PowerShell provider for cryptographic keys in contrast to certificates , nor can you use -InputObject since there is no special PowerShell object for cryptographic keys and System.Security.Cryptography.CngKey does not have a GetSecurityDescriptor method, which is called by Get-Acl internally.
IMO,您必须使用 .NET 类 才能完成此任务:
# open provider and key, get security descriptor
$cngProvider = New-Object System.Security.Cryptography.CngProvider("Utimaco CryptoServer Key Storage Provider")
$cngKey = [System.Security.Cryptography.CngKey]::Open("testacl", $cngProvider)
$cngProp = $cngKey.GetProperty("Security Descr", [System.Security.Cryptography.CngPropertyOptions]::None)
$rawSD = New-Object System.Security.AccessControl.RawSecurityDescriptor($cngProp.GetValue(), 0)
# example: add full access for "NetworkService" at the end of the ACL
$sid = New-Object System.Security.Principal.SecurityIdentifier([System.Security.Principal.WellKnownSidType]::NetworkService, $null)
$accessRead = 0x80020001
$accessFull = 0xd01f0003
$newACE = New-Object System.Security.AccessControl.CommonAce([System.Security.AccessControl.AceFlags]::None, [System.Security.AccessControl.AceQualifier]::AccessAllowed, $accessFull, $sid, $false, $null)
$rawSD.DiscretionaryAcl.InsertAce($rawSD.DiscretionaryAcl.Count, $newACE)
# finally save the modified security descriptor
$rawSDbin = New-Object 'byte[]' $rawSD.BinaryLength
$rawSD.GetBinaryForm($rawSDbin, 0)
# 4 is DACL_SECURITY_INFORMATION, which is not available in the CngPropertyOptions enumeration
$daclPropertyOptions = [System.Security.Cryptography.CngPropertyOptions]4
$cngProp = New-Object System.Security.Cryptography.CngProperty("Security Descr", $rawSDbin, $daclPropertyOptions)
$cngKey.SetProperty($cngProp)
您还可以使用 $rawSD.DiscretionaryAcl.RemoveAce(position)
从 ACL 中删除条目
在Windows 服务器A 上,我们可以在HSM 中生成一个密钥,并将其提供给AD CS。该密钥用于生成 CSR,由 public CA 签名,并导入到同一主机上的证书库中。可以使用 certutil -repairstore link 将签名的证书转为私钥,并使用该密钥对工件进行签名。
问题是私钥资源上有一个ACL,如果我们移动到服务器N,并尝试使用HSM中的签名密钥,由于ACL上有一个权限错误事件密钥无法识别访问它的环境。
powershell 工具 Get-Acl 和 Set-Acl(在服务器 A 上调用)似乎可以更改 ACL,但我不知道需要哪些参数、参数中应该包含哪些内容以及如何进行该信息应该格式化。也就是说,Get-Acl 的文档说
Because Get-Acl is supported by the file system and registry providers, you can use Get-Acl to view the ACL of file system objects, such as files and directories, and registry objects, such as registry keys and entries.
(我用 斜体 突出显示的文本)
那么,Get-Acl 是否正确?或者还有什么其他的东西可以用吗?
如果有人这样做过,我们可以得到一些指导吗?
HSM 中有一个密钥:
------------------------------------------------------------
Provider : Utimaco CryptoServer Key Storage Provider
Device : 3001@127.0.0.1
Group : utimaco
Mode : Internal Key Storage
------------------------------------------------------------
Index AlgId Size Group Name Spec
---------------------------------------------------------------------------------
1 RSA 2048 utimaco testacl 0
Get-Acl -inputobject 可能会让我访问该对象,但如何以 InputObject 满意的方式格式化它?
感谢您的任何提示。如果您包含“改为执行此操作”,我们会很乐意接受“行不通”。如果你就这么说,我会不高兴地接受是行不通的:)
Get-Acl/Set-Acl 通常不适用于 CNG 密钥。你不能使用 -Path 因为没有 PowerShell provider for cryptographic keys in contrast to certificates , nor can you use -InputObject since there is no special PowerShell object for cryptographic keys and System.Security.Cryptography.CngKey does not have a GetSecurityDescriptor method, which is called by Get-Acl internally.
IMO,您必须使用 .NET 类 才能完成此任务:
# open provider and key, get security descriptor
$cngProvider = New-Object System.Security.Cryptography.CngProvider("Utimaco CryptoServer Key Storage Provider")
$cngKey = [System.Security.Cryptography.CngKey]::Open("testacl", $cngProvider)
$cngProp = $cngKey.GetProperty("Security Descr", [System.Security.Cryptography.CngPropertyOptions]::None)
$rawSD = New-Object System.Security.AccessControl.RawSecurityDescriptor($cngProp.GetValue(), 0)
# example: add full access for "NetworkService" at the end of the ACL
$sid = New-Object System.Security.Principal.SecurityIdentifier([System.Security.Principal.WellKnownSidType]::NetworkService, $null)
$accessRead = 0x80020001
$accessFull = 0xd01f0003
$newACE = New-Object System.Security.AccessControl.CommonAce([System.Security.AccessControl.AceFlags]::None, [System.Security.AccessControl.AceQualifier]::AccessAllowed, $accessFull, $sid, $false, $null)
$rawSD.DiscretionaryAcl.InsertAce($rawSD.DiscretionaryAcl.Count, $newACE)
# finally save the modified security descriptor
$rawSDbin = New-Object 'byte[]' $rawSD.BinaryLength
$rawSD.GetBinaryForm($rawSDbin, 0)
# 4 is DACL_SECURITY_INFORMATION, which is not available in the CngPropertyOptions enumeration
$daclPropertyOptions = [System.Security.Cryptography.CngPropertyOptions]4
$cngProp = New-Object System.Security.Cryptography.CngProperty("Security Descr", $rawSDbin, $daclPropertyOptions)
$cngKey.SetProperty($cngProp)
您还可以使用 $rawSD.DiscretionaryAcl.RemoveAce(position)