Add ACL support for Certificates

Add the ability to get and set ACLs for certificate keys under the Certificate PSProvider. This can be used to manage the permissions of the keys associated with a certificate and not the certificates themselves which are governed by the store they are located in.
PowerShell · Mar 19, 2024 · d0a81c8 · d0a81c8
1 parent 4faf527
commit d0a81c8
Show file tree

Hide file tree

Showing 12 changed files with 1,287 additions and 1 deletion.
diff --git a/src/Microsoft.PowerShell.Security/resources/CertificateProviderStrings.resx b/src/Microsoft.PowerShell.Security/resources/CertificateProviderStrings.resx
@@ -186,4 +186,25 @@
   <data name="RemoteErrorMessage" xml:space="preserve">
     <value>. The following error may be a result of user credentials required on the remote machine. See Enable-WSManCredSSP Cmdlet help on how to enable and use CredSSP for delegation with PowerShell remoting. </value>
   </data>
+  <data name="CannotGetAclWrongPathType" xml:space="preserve">
+    <value>You cannot get an ACL for the certificate provider path '{0}', only certificate items are supported.</value>
+  </data>
+  <data name="CannotSetAclWrongPathType" xml:space="preserve">
+    <value>You cannot set an ACL for the certificate provider path '{0}', only certificate items are supported.</value>
+  </data>
+  <data name="CannotGetAclWrongItemType" xml:space="preserve">
+    <value>You cannot get Certificate SecurityDescriptor for the type '{0}', only the 'Key' type is supported.</value>
+  </data>
+  <data name="GetKeyHandleAuthFailure" xml:space="preserve">
+    <value>Failed to retrieve certificate key handle due to access permissions: {0}</value>
+  </data>
+  <data name="GetKeyHandleMissingFailure" xml:space="preserve">
+    <value>Failed to retrieve certificate key handle as certificate has no associated key: {0}</value>
+  </data>
+  <data name="GetKeySDFailure" xml:space="preserve">
+    <value>Failed to retrieve certificate key security descriptor: {0}</value>
+  </data>
+  <data name="SetKeySDFailure" xml:space="preserve">
+    <value>Failed to set certificate key security descriptor: {0}</value>
+  </data>
 </root>
diff --git a/src/Microsoft.PowerShell.Security/security/CertificateProvider.cs b/src/Microsoft.PowerShell.Security/security/CertificateProvider.cs
@@ -17,6 +17,7 @@
 using System.Management.Automation.Provider;
 using System.Runtime.InteropServices;
 using System.Security;
+using System.Security.AccessControl;
 using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
 using System.Text.RegularExpressions;
@@ -559,7 +560,9 @@ internal enum CertificateProviderItem
     [OutputType(typeof(PathInfo), ProviderCmdlet = ProviderCmdlet.PopLocation)]
     [OutputType(typeof(Microsoft.PowerShell.Commands.X509StoreLocation), typeof(X509Certificate2), ProviderCmdlet = ProviderCmdlet.GetItem)]
     [OutputType(typeof(X509Store), typeof(X509Certificate2), ProviderCmdlet = ProviderCmdlet.GetChildItem)]
-    public sealed class CertificateProvider : NavigationCmdletProvider, ICmdletProviderSupportsHelp
+    [OutputType(typeof(CertificateKeySecurity), ProviderCmdlet = ProviderCmdlet.GetAcl)]
+    [OutputType(typeof(CertificateKeySecurity), ProviderCmdlet = ProviderCmdlet.SetAcl)]
+    public sealed partial class CertificateProvider : NavigationCmdletProvider, ICmdletProviderSupportsHelp, ISecurityDescriptorCmdletProvider
     {
         #region tracer