我使用下面给出的powershell代码生成一个CngKey,并使用字节将文件导出到文件中。
同一个创建的文件没有被导入,并且在再次运行时被创建为键。它表示Bad Data再次导入时会显示错误数据。
Param(
[string] $keyName,
[string] $exportPublicKeyFilePath)
function AddAccessToIISUser($filePath)
{
$filePath
[string] $iisUser = "IIS_IUSRS"
if([System.IO.File]::Exists($filePath))
{
#Get File Security
[System.Security.AccessControl.FileSecurity] $fSecurity = [System.IO.File]::GetAccessControl($filePath);
#Add the FileSystemAccessRule
[System.Security.AccessControl.FileSystemAccessRule] $accessRule = [System.Security.AccessControl.FileSystemAccessRule]::new($iisUser, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow)
#Add access rule
$fSecurity.AddAccessRule($accessRule)
#Set the new access settings.
[System.IO.File]::SetAccessControl($filePath, $fSecurity);
Write-Output "Access to $iisUser is provided on $filePath"
}
}
TRY{
[string] $fileName = $exportPublicKeyFilePath
[string] $globalkeyName = $keyName
[string] $cngPropertyName = "Length"
if($exportPublicKeyFilePath -eq "")
{
$fileName = "C:\\Users\\user\\Desktop\\PublicKeyBytes"
}
Write-Output "Public Key File : $fileName "
if($keyName -eq "")
{
$globalkeyName = "MyWorkplaceEncryptionKey2";
}
Write-Output "Global Key : $globalkeyName "
$isFileExists = [System.IO.File]::Exists($fileName)
$isKeyExists = [System.Security.Cryptography.CngKey]::Exists($globalkeyName, [System.Security.Cryptography.CngProvider]::MicrosoftSoftwareKeyStorageProvider, [System.Security.Cryptography.CngKeyCreationOptions]::MachineKey)
Write-Output "CNG Key : $globalkeyName - Exists :: $isKeyExists"
$isKeyExists
if(!$isKeyExists)
{
#Create Cng Key Parameter and set its properties
[System.Security.Cryptography.CngKeyCreationParameters] $cngKeyParameter = [System.Security.Cryptography.CngKeyCreationParameters]::new()
$cngKeyParameter.KeyUsage = [System.Security.Cryptography.CngKeyUsages]::AllUsages
$cngKeyParameter.ExportPolicy = [System.Security.Cryptography.CngExportPolicies]::AllowPlaintextExport
$cngKeyParameter.Provider = [System.Security.Cryptography.CngProvider]::MicrosoftSoftwareKeyStorageProvider
$cngKeyParameter.UIPolicy = [System.Security.Cryptography.CngUIPolicy]::new([System.Security.Cryptography.CngUIProtectionLevels]::None)
$cngKeyParameter.KeyCreationOptions = [System.Security.Cryptography.CngKeyCreationOptions]::MachineKey
if($isFileExists)
{
Write-Output 'true 1'
$bytes = [System.IO.File]::ReadAllBytes(("C:\\Users\\user\\Desktop\\PublicKeyBytes"))
#[System.Security.Cryptography.CngKey]::Import($bytes, [System.Security.Cryptography.CngKeyBlobFormat]::Pkcs8PrivateBlob)
}
else{
Write-Output 'false 1'
$bytes = [System.BitConverter]::GetBytes(2048)
}
#$bytes
#Create Cng Property for Length, set its value and add it to Cng Key Parameter
[System.Security.Cryptography.CngProperty] $cngProperty = [System.Security.Cryptography.CngProperty]::new($cngPropertyName, $bytes, [System.Security.Cryptography.CngPropertyOptions]::None)
$cngProperty
$cngKeyParameter.Parameters.Add($cngProperty)
$cngKeyParameter
#Create Cng Key for given $keyName using Rsa Algorithm
[System.Security.Cryptography.CngKey] $key = [System.Security.Cryptography.CngKey]::Create([System.Security.Cryptography.CngAlgorithm]::Rsa, $globalkeyName, $cngKeyParameter)
Write-Output "CNG Key : $globalkeyName - Created with below given properties"
$key
#Delete exportedKeyFile, re-create it and Write key bytes to it
if($isFileExists)
{
Write-Output "File $fileName exist - deleting file"
[System.IO.File]::Delete($fileName)
# [System.IO.File]::WriteAllBytes($fileName, $key.Export([System.Security.Cryptography.CngKeyBlobFormat]::Pkcs8PrivateBlob));
}
else
{
Write-Output "File $fileName doesn't exist - creting file"
[System.IO.File]::WriteAllBytes($fileName, $key.Export([System.Security.Cryptography.CngKeyBlobFormat]::Pkcs8PrivateBlob));
}
Write-Output "Allow access to IIS User - IIS_USRS on exported key file "
#Allow access to IIS User - IIS_USRS on exported key file
AddAccessToIISUser($env:ProgramData + "\Microsoft\Crypto\Keys\" + $key.UniqueName)
}
else
{
Write-Output "opening key - $fileName "
[System.Security.Cryptography.CngKey] $key = [System.Security.Cryptography.CngKey]::Open($globalkeyName, [System.Security.Cryptography.CngProvider]::MicrosoftSoftwareKeyStorageProvider, [System.Security.Cryptography.CngKeyCreationOptions]::MachineKey)
#Delete exportedKeyFile, re-create it and Write key bytes to it
if($isFileExists)
{
[System.IO.File]::Delete($fileName)
[System.IO.File]::WriteAllBytes($fileName, $key.Export([System.Security.Cryptography.CngKeyBlobFormat]::Pkcs8PrivateBlob));
}
else
{
Write-Output "File $fileName doesn't exist"
[System.IO.File]::WriteAllBytes($fileName, $key.Export([System.Security.Cryptography.CngKeyBlobFormat]::Pkcs8PrivateBlob));
}
#Allow access to IIS User - IIS_USRS on exported key file
AddAccessToIISUser($env:ProgramData + "\Microsoft\Crypto\Keys\" + $key.UniqueName)
$key.Delete()
}
}
CATCH{
Write-Output "CNG Key for RSA encryption not created"
$_.Exception.Message
throw $_.Exception
}
我使用下面给出的powershell代码生成一个CngKey,并使用字节将文件导出到文件中。
同一个创建的文件没有被导入,并且在再次运行时被创建为键。它表示Bad Data再次导入时会显示错误数据。