This article describes how to assign permissions to a machine-scoped CngKey so that an application can use it; it should be a useful reference for anyone facing the same problem.

Problem description

I've created a machine wide CngKey (MachineKey=true), but my applications aren't able to access it.

How do I assign permissions so that my App Pool can access the key? Preferably programmatically, so that I can build it into the installer.

PowerShell create script:

[System.Security.Cryptography.CngKeyCreationParameters] $cngKeyParameter = [System.Security.Cryptography.CngKeyCreationParameters]::new()
$cngKeyParameter.KeyUsage = [System.Security.Cryptography.CngKeyUsages]::AllUsages
$cngKeyParameter.ExportPolicy = [System.Security.Cryptography.CngExportPolicies]::AllowPlaintextExport

$cngKeyParameter.Provider = [System.Security.Cryptography.CngProvider]::MicrosoftSoftwareKeyStorageProvider
$cngKeyParameter.UIPolicy = [System.Security.Cryptography.CngUIPolicy]::new([System.Security.Cryptography.CngUIProtectionLevels]::None)
$cngKeyParameter.KeyCreationOptions = [System.Security.Cryptography.CngKeyCreationOptions]::MachineKey

#Name of the NCrypt key-length property (NCRYPT_LENGTH_PROPERTY)
$cngPropertyName = "Length"

#Create Cng Property for Length, set its value (2048 bits, little-endian Int32) and add it to Cng Key Parameter
[System.Security.Cryptography.CngProperty] $cngProperty = [System.Security.Cryptography.CngProperty]::new($cngPropertyName, [System.BitConverter]::GetBytes(2048), [System.Security.Cryptography.CngPropertyOptions]::None)
$cngKeyParameter.Parameters.Add($cngProperty)

#Create Cng Key for given $keyName using Rsa Algorithm
[System.Security.Cryptography.CngKey] $key = [System.Security.Cryptography.CngKey]::Create([System.Security.Cryptography.CngAlgorithm]::Rsa, "MyKey", $cngKeyParameter)

Recommended answer

The permissions for a CNG key are a bit indirect.

If you know the full set of permissions you want to apply you can do it at creation (you'll have to translate the C# to PowerShell, sorry):

using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Principal;

// Build the DACL: administrators get full control, the service account that
// will use the key gets read access.
CryptoKeySecurity sec = new CryptoKeySecurity();

sec.AddAccessRule(
    new CryptoKeyAccessRule(
        new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null),
        CryptoKeyRights.FullControl,
        AccessControlType.Allow));

sec.AddAccessRule(
    new CryptoKeyAccessRule(
        new SecurityIdentifier(WellKnownSidType.NetworkServiceSid, null),
        CryptoKeyRights.GenericRead,
        AccessControlType.Allow));

// These are the ncrypt.h values; neither has a named member in the managed
// CngPropertyOptions enum, hence the cast.
const string NCRYPT_SECURITY_DESCR_PROPERTY = "Security Descr";
const CngPropertyOptions DACL_SECURITY_INFORMATION = (CngPropertyOptions)4;

// Persist the descriptor with the key; DACL_SECURITY_INFORMATION tells the
// provider which part of the descriptor the bytes contain.
CngProperty permissions = new CngProperty(
    NCRYPT_SECURITY_DESCR_PROPERTY,
    sec.GetSecurityDescriptorBinaryForm(),
    CngPropertyOptions.Persist | DACL_SECURITY_INFORMATION);

cngKeyParameter.Parameters.Add(permissions);

If you want to append a rule later (such as after creating it with the default permissions):

// key is the CngKey you created or opened earlier; read its current DACL first.
CngProperty prop = key.GetProperty(NCRYPT_SECURITY_DESCR_PROPERTY, DACL_SECURITY_INFORMATION);
CryptoKeySecurity sec = new CryptoKeySecurity();
sec.SetSecurityDescriptorBinaryForm(prop.GetValue());

sec.AddAccessRule(
    new CryptoKeyAccessRule(
        new SecurityIdentifier(WellKnownSidType.NetworkServiceSid, null),
        CryptoKeyRights.GenericRead,
        AccessControlType.Allow));

CngProperty newProp = new CngProperty(
    prop.Name,
    sec.GetSecurityDescriptorBinaryForm(),
    CngPropertyOptions.Persist | DACL_SECURITY_INFORMATION);

key.SetProperty(newProp);
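Since the answer leaves the translation to PowerShell as an exercise, here is an added example (not code from the original question or answer) that carries both of the answer's steps through in PowerShell: creating a machine key with the DACL set at creation time, appending a read rule to an existing key, and a check that lists the resulting access rules. It assumes Windows PowerShell 5.1 with the Microsoft Software Key Storage Provider; the key name `MyKey` and the accounts `IIS AppPool\MyPool` and `NT AUTHORITY\NETWORK SERVICE` are placeholders, and the function names are mine.

```powershell
# Added example, not from the original question or answer. Assumes Windows
# PowerShell 5.1; key name and account names below are placeholders.
using namespace System.Security.AccessControl
using namespace System.Security.Cryptography
using namespace System.Security.Principal

$NCRYPT_SECURITY_DESCR_PROPERTY = 'Security Descr'
# DACL_SECURITY_INFORMATION (0x4) has no named CngPropertyOptions member; it
# tells the provider which part of the security descriptor is being read/written.
$DACL_SECURITY_INFORMATION = [CngPropertyOptions]4
$DaclWriteOptions = [CngPropertyOptions]::Persist -bor $DACL_SECURITY_INFORMATION

function New-ReadRule {
    # Read access is what the answer grants to the account that only uses the
    # key; it cannot change the key's ACL or delete it.
    param([string]$Account)
    [CryptoKeyAccessRule]::new([NTAccount]::new($Account),
        [CryptoKeyRights]::GenericRead, [AccessControlType]::Allow)
}

function New-MachineCngKey {
    # Mirrors the answer's first snippet: DACL supplied at creation time.
    param([string]$KeyName, [string]$ReaderAccount)

    $sec = [CryptoKeySecurity]::new()
    $sec.AddAccessRule([CryptoKeyAccessRule]::new(
        [SecurityIdentifier]::new([WellKnownSidType]::BuiltinAdministratorsSid, $null),
        [CryptoKeyRights]::FullControl, [AccessControlType]::Allow))
    $sec.AddAccessRule((New-ReadRule -Account $ReaderAccount))

    $p = [CngKeyCreationParameters]::new()
    $p.KeyCreationOptions = [CngKeyCreationOptions]::MachineKey
    $p.Provider = [CngProvider]::MicrosoftSoftwareKeyStorageProvider
    # ExportPolicy is left at its default (private key not exportable).
    $p.Parameters.Add([CngProperty]::new('Length', [BitConverter]::GetBytes(2048), [CngPropertyOptions]::None))
    $p.Parameters.Add([CngProperty]::new($NCRYPT_SECURITY_DESCR_PROPERTY,
        $sec.GetSecurityDescriptorBinaryForm(), $DaclWriteOptions))

    [CngKey]::Create([CngAlgorithm]::Rsa, $KeyName, $p)
}

function Grant-CngKeyRead {
    # Mirrors the answer's second snippet: read the current DACL, add a rule,
    # write the descriptor back with Persist so it survives.
    param([string]$KeyName, [string]$Account)
    $key = [CngKey]::Open($KeyName, [CngProvider]::MicrosoftSoftwareKeyStorageProvider,
        [CngKeyOpenOptions]::MachineKey)
    try {
        $prop = $key.GetProperty($NCRYPT_SECURITY_DESCR_PROPERTY, $DACL_SECURITY_INFORMATION)
        $sec = [CryptoKeySecurity]::new()
        $sec.SetSecurityDescriptorBinaryForm($prop.GetValue())
        $sec.AddAccessRule((New-ReadRule -Account $Account))
        $key.SetProperty([CngProperty]::new($prop.Name,
            $sec.GetSecurityDescriptorBinaryForm(), $DaclWriteOptions))
    }
    finally { $key.Dispose() }
}

function Get-CngKeyAccess {
    # Verification: who has which rights on the key, resolved to account names.
    param([string]$KeyName)
    $key = [CngKey]::Open($KeyName, [CngProvider]::MicrosoftSoftwareKeyStorageProvider,
        [CngKeyOpenOptions]::MachineKey)
    try {
        $bytes = $key.GetProperty($NCRYPT_SECURITY_DESCR_PROPERTY, $DACL_SECURITY_INFORMATION).GetValue()
        $sec = [CryptoKeySecurity]::new()
        $sec.SetSecurityDescriptorBinaryForm($bytes)
        $sec.GetAccessRules($true, $true, [NTAccount]) |
            Select-Object IdentityReference, CryptoKeyRights, AccessControlType
    }
    finally { $key.Dispose() }
}

# Usage (run elevated, e.g. from an installer custom action):
$created = New-MachineCngKey -KeyName 'MyKey' -ReaderAccount 'IIS AppPool\MyPool'
$created.Dispose()
Grant-CngKeyRead -KeyName 'MyKey' -Account 'NT AUTHORITY\NETWORK SERVICE'
Get-CngKeyAccess -KeyName 'MyKey'
```

The app pool's virtual account is addressed as `IIS AppPool\<pool name>` (an NTAccount), which is translated to its SID when the descriptor is serialized; if the pool runs under a custom identity, grant that account instead. `Get-CngKeyAccess` is the check to run after installation: if the pool identity does not appear with `GenericRead` (or the key was created per-user rather than with `MachineKey`), the application will still fail to open the key.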


07-27 22:32