Public/Get-PrivateKeyProperty.ps1
|
<#
.SYNOPSIS If a System.Security.Cryptography.X509Certificates.X509Certificate2 object has properties... HasPrivateKey : True PrivateKey : ...and you would like to get the System.Security.Cryptography.RSACryptoServiceProvider object that should be in the PrivateKey property, use this function. .DESCRIPTION See SYNOPSIS .NOTES Depends on Extract-PfxCerts and therefore depends on openssl.exe. NOTE: Nothing needs to be installed in order to use openssl.exe. IMPORTANT NOTE REGARDING -CertObject PARAMETER: If you are getting the value for the -CertObject parameter from an already existing .pfx file (as opposed to the Cert Store), *DO NOT* use the Get-PFXCertificate cmdlet. The cmdlet does something strange that causes a misleading/incorrect error if the private key in the .pfx is password protected. Instead, use the following: $CertPwd = ConvertTo-SecureString -String 'RaNDompaSSwd123' -Force -AsPlainText $CertObj = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new("$HOME\Desktop\testcert7.pfx", $CertPwd, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable) If you are getting the value for the -CertObject parameter from the Certificate Store, either of the following should be fine $CertObj = Get-ChildItem Cert:\LocalMachine\My\<Thumbprint> $CertObj = Get-ChildItem Cert:\CurrentUser\My\<Thumbprint> WARNING: This function defaults to temporarily writing the unprotected private key to its own file in -TempOutputDirectory. The parameter -CleanupOpenSSLOutputs is set to $true by default, so the unprotected private key will only exist on the file system for a couple seconds. If you would like to keep the unprotected private key on the file system, set the -CleanupOpenSSLOutputs parameter to $false. .PARAMETER CertObject Mandatory. Must be a System.Security.Cryptography.X509Certificates.X509Certificate2 object. If you are getting the value for the -CertObject parameter from an already existing .pfx file (as opposed to the Cert Store), *DO NOT* use the Get-PFXCertificate cmdlet. The cmdlet does something strange that causes a misleading/incorrect error if the private key in the .pfx is password protected. Instead, use the following: $CertPwd = ConvertTo-SecureString -String 'RaNDompaSSwd123' -Force -AsPlainText $CertObj = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new("$HOME\Desktop\testcert7.pfx", $CertPwd, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable) If you are getting the value for the -CertObject parameter from the Certificate Store, either of the following should be fine $CertObj = Get-ChildItem Cert:\LocalMachine\My\<Thumbprint> $CertObj = Get-ChildItem Cert:\CurrentUser\My\<Thumbprint> .PARAMETER TempOutputDirectory Mandatory. Must be a full path to a directory. Punlic certificates and the private key within the -CertObject will *temporarily* be written to this directory as a result of the helper function Extract-PfxCerts. .PARAMETER CertPwd Optional. This parameter must be a System.Security.SecureString. This parameter is Mandatory if the private key in the .pfx is password protected. .PARAMETER CleanupOpenSSLOutputs Optional. Must be Boolean. During this function, openssl.exe is used to extract all public certs and the private key from the -CertObject. Each of these certs and the key are written to separate files in -TempOutputDirectory. This parameter removes these file outputs at the conclusion of the function. This parameter is set to $true by default. .PARAMETER DownloadAndAddOpenSSLToPath Optional. If openssl.exe is not already on your localhost and part of your $env:Path, use this parameter to download openssl.exe / add it to your $env:Path .EXAMPLE # If the private key in the .pfx is password protected... PS C:\Users\zeroadmin> $CertPwd = Read-Host -Prompt "Please enter the Certificate's Private Key password" -AsSecureString Please enter the Certificate's Private Key password: *************** PS C:\Users\zeroadmin> $CertObj = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new("$HOME\Desktop\testcert7.pfx", $CertPwd, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable) PS C:\Users\zeroadmin> Get-PrivateKeyProperty -CertObject $CertObj -TempOutputDirectory "$HOME\tempout" -CertPwd $CertPwd .EXAMPLE # If the private key in the .pfx is NOT password protected... PS C:\Users\zeroadmin> $CertObj = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new("$HOME\Desktop\testcert7.pfx", $null, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable) PS C:\Users\zeroadmin> Get-PrivateKeyProperty -CertObject $CertObj -TempOutputDirectory "$HOME\tempout" .EXAMPLE # Getting -CertObject from the Certificate Store where private key is password protected... PS C:\Users\zeroadmin> $CertPwd = Read-Host -Prompt "Please enter the Certificate's Private Key password" -AsSecureString Please enter the Certificate's Private Key password: *************** PS C:\Users\zeroadmin> $CertObj = Get-ChildItem "Cert:\LocalMachine\My\5359DDD9CB88873DF86617EC28FAFADA17112AE6" PS C:\Users\zeroadmin> Get-PrivateKeyProperty -CertObject $CertObj -TempOutputDirectory "$HOME\tempout" -CertPwd $CertPwd .EXAMPLE # Getting -CertObject from the Certificate Store where private key is NOT password protected... PS C:\Users\zeroadmin> $CertObj = Get-ChildItem "Cert:\LocalMachine\My\5359DDD9CB88873DF86617EC28FAFADA17112AE6" PS C:\Users\zeroadmin> Get-PrivateKeyProperty -CertObject $CertObj -TempOutputDirectory "$HOME\tempout" #> function Get-PrivateKeyProperty { [CmdletBinding()] Param( [Parameter(Mandatory=$True)] [System.Security.Cryptography.X509Certificates.X509Certificate2]$CertObject, [Parameter(Mandatory=$True)] $TempOutputDirectory = $(Read-Host -Prompt "Please enter the full path to the directory where all output files will be written"), [Parameter(Mandatory=$False)] [securestring]$CertPwd, [Parameter(Mandatory=$False)] [bool]$CleanupOpenSSLOutputs = $true, [Parameter(Mandatory=$False)] [switch]$DownloadAndAddOpenSSLToPath ) ##### BEGIN Variable/Parameter Transforms and PreRun Prep ##### if ($CertObject.PrivateKey -eq $null -and $CertObject.HasPrivateKey -eq $false -or $CertObject.HasPrivateKey -ne $true) { Write-Error "There is no Private Key associated with this X509Certificate2 object! Halting!" $global:FunctionResult = "1" return } if (!$(Get-Command openssl.exe -ErrorAction SilentlyContinue)) { if (!$DownloadAndAddOpenSSLToPath) { Write-Error "The Helper Function Extract-PFXCerts requires openssl.exe. Openssl.exe cannot be found on this machine. Use the -DownloadAndAddOpenSSLToPath parameter to download openssl.exe and add it to `$env:Path. NOTE: Openssl.exe does NOT require installation. Halting!" $global:FunctionResult = "1" return } } $CertName = $($CertObject.Subject | Select-String -Pattern "^CN=[\w]+").Matches.Value -replace "CN=","" try { $pfxbytes = $CertObject.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx) [System.IO.File]::WriteAllBytes("$TempOutputDirectory\$CertName.pfx", $pfxbytes) } catch { Write-Warning "Either the Private Key is Password Protected or it is marked as Unexportable...Trying to import `$CertObject to Cert:\LocalMachine\My Store..." # NOTE: The $CertObject.Export() method in the above try block has a second argument for PlainTextPassword, but it doesn't seem to work consistently # Check to see if it's already in the Cert:\LocalMachine\My Store if ($(Get-Childitem "Cert:\LocalMachine\My").Thumbprint -contains $CertObject.Thumbprint) { Write-Host "The certificate $CertName is already in the Cert:\LocalMachine\My Store." } else { Write-Host "Importing $CertName to Cert:\LocalMachine\My Store..." $X509Store = [System.Security.Cryptography.X509Certificates.X509Store]::new([System.Security.Cryptography.X509Certificates.StoreName]::My, [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine) $X509Store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite) $X509Store.Add($CertObject) } Write-Host "Attempting to export `$CertObject from Cert:\LocalMachine\My Store to .pfx file..." if (!$CertPwd) { $CertPwd = Read-Host -Prompt "Please enter the password for the private key in the certificate $CertName" -AsSecureString } $CertItem = Get-Item "Cert:\LocalMachine\My\$($CertObject.Thumbprint)" [System.IO.File]::WriteAllBytes("$TempOutputDirectory\$CertName.pfx", $CertItem.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $CertPwd)) #Export-PfxCertificate -FilePath "$TempOutputDirectory\$CertName.pfx" -Cert "Cert:\LocalMachine\My\$($CertObject.Thumbprint)" -Password $CertPwd } # NOTE: If openssl.exe isn't already available, the Extract-PFXCerts function downloads it and adds it to $env:Path if ($CertPwd) { $global:PubCertAndPrivKeyInfo = Extract-PFXCerts -PFXFilePath "$TempOutputDirectory\$CertName.pfx" -PFXFilePwd $CertPwd -OutputDirectory "$TempOutputDirectory" -DownloadAndAddOpenSSLToPath } else { $global:PubCertAndPrivKeyInfo = Extract-PFXCerts -PFXFilePath "$TempOutputDirectory\$CertName.pfx" -OutputDirectory "$TempOutputDirectory" -DownloadAndAddOpenSSLToPath } ##### END Variable/Parameter Transforms and PreRun Prep ##### ##### BEGIN Main Body ##### if ($global:PubCertAndPrivKeyInfo.PrivateKeyInfo.UnProtectedPrivateKeyFilePath -eq $null) { # Strip Private Key of Password $UnProtectedPrivateKeyOut = "$($(Get-ChildItem $PathToCertFile).BaseName)"+"_unprotected_private_key"+".pem" & openssl.exe rsa -in $global:PubCertAndPrivKeyInfo.PrivateKeyInfo.ProtectedPrivateKeyFilePath -out "$HOME\$UnProtectedPrivateKeyOut" 2>&1 | Out-Null $global:PubCertAndPrivKeyInfo.PrivateKeyInfo.UnProtectedPrivateKeyFilePath = "$HOME\$UnProtectedPrivateKeyOut" } #Write-Host "Loading opensslkey.cs from https://github.com/sushihangover/SushiHangover-PowerShell/blob/master/modules/SushiHangover-RSACrypto/opensslkey.cs" #$opensslkeysource = $(Invoke-WebRequest -Uri "https://raw.githubusercontent.com/sushihangover/SushiHangover-PowerShell/master/modules/SushiHangover-RSACrypto/opensslkey.cs").Content try { Add-Type -TypeDefinition $opensslkeysource } catch { if ($_.Exception -match "already exists") { Write-Verbose "The JavaScience.Win32 assembly (i.e. opensslkey.cs) is already loaded. Continuing..." } } $PemText = [System.IO.File]::ReadAllText($global:PubCertAndPrivKeyInfo.PrivateKeyInfo.UnProtectedPrivateKeyFilePath) $PemPrivateKey = [javascience.opensslkey]::DecodeOpenSSLPrivateKey($PemText) [System.Security.Cryptography.RSACryptoServiceProvider]$RSA = [javascience.opensslkey]::DecodeRSAPrivateKey($PemPrivateKey) $RSA # Cleanup if ($CleanupOpenSSLOutputs) { $ItemsToRemove = @( $global:PubCertAndPrivKeyInfo.PrivateKeyInfo.ProtectedPrivateKeyFilePath $global:PubCertAndPrivKeyInfo.PrivateKeyInfo.UnProtectedPrivateKeyFilePath ) + $global:PubCertAndPrivKeyInfo.PublicKeysInfo.FileLocation foreach ($item in $ItemsToRemove) { Remove-Item $item } } ##### END Main Body ##### } |