Swifty
Reputation: 1432
CngKey Assign permission to machine key
I've created a machine wide CngKey (MachineKey=true), but my applications aren't able to access it.
How to I assign permissions to so that my App Pool can access the key? Preferably pragmatically so that I can build it into the installer.
Powershell create script:
[System.Security.Cryptography.CngKeyCreationParameters] $cngKeyParameter = [System.Security.Cryptography.CngKeyCreationParameters]::new()
$cngKeyParameter.KeyUsage = [System.Security.Cryptography.CngKeyUsages]::AllUsages
$cngKeyParameter.ExportPolicy = [System.Security.Cryptography.CngExportPolicies]::AllowPlaintextExport
$cngKeyParameter.Provider = [System.Security.Cryptography.CngProvider]::MicrosoftSoftwareKeyStorageProvider
$cngKeyParameter.UIPolicy = [System.Security.Cryptography.CngUIPolicy]::new([System.Security.Cryptography.CngUIProtectionLevels]::None)
$cngKeyParameter.KeyCreationOptions = [System.Security.Cryptography.CngKeyCreationOptions]::MachineKey
#Create Cng Property for Length, set its value and add it to Cng Key Parameter
[System.Security.Cryptography.CngProperty] $cngProperty = [System.Security.Cryptography.CngProperty]::new($cngPropertyName, [System.BitConverter]::GetBytes(2048), [System.Security.Cryptography.CngPropertyOptions]::None)
$cngKeyParameter.Parameters.Add($cngProperty)
#Create Cng Key for given $keyName using Rsa Algorithm
[System.Security.Cryptography.CngKey] $key = [System.Security.Cryptography.CngKey]::Create([System.Security.Cryptography.CngAlgorithm]::Rsa, "MyKey", $cngKeyParameter)
Upvotes: 1
Views: 2301
Answers (1)
bartonjs
Reputation: 33098
The permissions for a CNG key are a bit indirect.
If you know the full set of permissions you want to apply you can do it at creation (you'll have to translate the C# to PowerShell, sorry):
CryptoKeySecurity sec = new CryptoKeySecurity();
sec.AddAccessRule(
new CryptoKeyAccessRule(
new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null),
CryptoKeyRights.FullControl,
AccessControlType.Allow));
sec.AddAccessRule(
new CryptoKeyAccessRule(
new SecurityIdentifier(WellKnownSidType.NetworkServiceSid, null),
CryptoKeyRights.GenericRead,
AccessControlType.Allow));
const string NCRYPT_SECURITY_DESCR_PROPERTY = "Security Descr";
const CngPropertyOptions DACL_SECURITY_INFORMATION = (CngPropertyOptions)4;
CngProperty permissions = new CngProperty(
NCRYPT_SECURITY_DESCR_PROPERTY,
sec.GetSecurityDescriptorBinaryForm(),
CngPropertyOptions.Persist | DACL_SECURITY_INFORMATION);
cngKeyParameter.Parameters.Add(permissions);
If you want to append a rule later (such as after creating it with the default permissions):
CngProperty prop = key.GetProperty(NCRYPT_SECURITY_DESCR_PROPERTY, DACL_SECURITY_INFORMATION);
CryptoKeySecurity sec = new CryptoKeySecurity();
sec.SetSecurityDescriptorBinaryForm(prop.GetValue());
sec.AddAccessRule(
new CryptoKeyAccessRule(
new SecurityIdentifier(WellKnownSidType.NetworkServiceSid, null),
CryptoKeyRights.GenericRead,
AccessControlType.Allow));
CngProperty newProp = new CngProperty(
prop.Name,
sec.GetSecurityDescriptorBinaryForm(),
CngPropertyOptions.Persist | DACL_SECURITY_INFORMATION);
key.SetProperty(newProp);
Upvotes: 8
Related Questions
- How to export RSA Keys generated from CNG API?
- Set ACL on private key in HSM
- How to convert CNG key to OpenSSL EVP_PKEY (and vice versa)?
- How do I import a CNG Key to the key store?
- How to get CngKey without using GetCngPrivateKey in net core 2.0
- Export CngKey in PKCS8 with encryption c#
- Permissions to create CNG key
- How to deal with plaintext keys using CNG?
- Can someone explain C# CngKey.Create please?
- NCryptOpenKey()