
Where are my keys?!

Technical cross-post from my main blog:

No, really. You took a certificate you received from somewhere, installed it in the LocalMachine store, and suddenly your program doesn't see it! What is this? How can that be? Outrageous! Guards! Robbery! A virus! Well, not quite...



To start with, how is all of this laid out? The certificate itself is written to the registry, as it should be, and it carries the public key (which is, after all, public). But the private key is stored neither in the certificate nor in the registry. To be honest, I don't know what all the secrecy is about... you would expect the key to be hidden away somewhere secret, but no, it is in a perfectly public place, because there is nowhere else to put it. Or almost nowhere else, more on that a little later. The place is called "%SystemDrive%\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys", or whatever that path becomes in a localized version of Windows. (On Vista and later the same folder is %ProgramData%\Microsoft\Crypto\RSA\MachineKeys.)



This folder (or directory, call it what you like) is special. First, on an ordinary user's copy of Windows there is practically nothing to store in it, so it is often empty. Or at least it is empty some of the time. That, alas, matters a great deal for our story, as I will explain a little further down.



So, you install the certificate. Fresh, newly minted, straight from the Certificate Authority. The certificate, of course, goes to the registry; and the key? The key goes to that same folder (see above). Moreover, the key file gets the same ACL as the folder, which is also logical, since permissions are inherited, right? And then a very clever thing happens, just a little too clever: access for Everyone (the well-known group also written as WD, SID S-1-1-0) is removed from the private key file. Logical, right? Nobody should have access to a private key! But, as always, not without problems. Namely, if the folder itself grants rights only to this Everyone, then after that perfectly logical operation nobody at all has access to the private key. Not the administrator, and not even SYSTEM, above which in Windows there is only kernel mode... In short, the eye sees it, but the tooth can't bite it.
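The trap described above can be reproduced without touching the real MachineKeys folder. The following script is an added example, not code from the original post: it builds a scratch folder under %TEMP% whose DACL grants only Everyone, creates a stand-in "key file" that inherits that single ACE, then strips Everyone from the file the way the post says happens to a new private key. The file name and the byte content are made up for the demonstration; the mechanics (inheritance, `SetAccessRuleProtection`, the resulting empty DACL) are the real Windows behaviour.

```powershell
# Added example, not from the original post. Reproduces the "nobody can open the key"
# situation in a scratch folder. Works as an ordinary user; no admin rights needed.
$root = Join-Path $env:TEMP ('machinekeys-demo-' + [guid]::NewGuid().ToString('N'))
$null = New-Item -ItemType Directory -Path $root
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'   # "WD"

# 1. Folder DACL: stop inheriting from %TEMP% and grant Modify to Everyone only,
#    inheritable to children, so anything created inside gets exactly that one ACE.
$dirAcl = Get-Acl -LiteralPath $root
$dirAcl.SetAccessRuleProtection($true, $false)            # drop every inherited ACE
foreach ($ace in $dirAcl.Access) { $null = $dirAcl.RemoveAccessRule($ace) }
$dirAcl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $everyone, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')))
Set-Acl -LiteralPath $root -AclObject $dirAcl

# 2. Stand-in "private key file" (constructed content): it inherits Everyone:Modify.
$keyFile = Join-Path $root 'fake-private-key.bin'
[IO.File]::WriteAllBytes($keyFile, [byte[]](1..16))
(Get-Acl -LiteralPath $keyFile).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited | Format-Table -AutoSize

# 3. Strip Everyone from the file, as the post describes for a freshly created key.
$fileAcl = Get-Acl -LiteralPath $keyFile
$fileAcl.SetAccessRuleProtection($true, $false)           # the inherited Everyone ACE is gone
foreach ($ace in $fileAcl.Access) { $null = $fileAcl.RemoveAccessRule($ace) }
Set-Acl -LiteralPath $keyFile -AclObject $fileAcl         # owner keeps WRITE_DAC, so this succeeds

# 4. Result: an empty DACL (not a null one). With no Allow ACE at all, every read is
#    denied, including reads by the owner and by members of Administrators.
"ACEs left on the file: $((Get-Acl -LiteralPath $keyFile).Access.Count)"
try   { $null = [IO.File]::ReadAllBytes($keyFile); 'read succeeded (unexpected)' }
catch { "read failed: $($_.Exception.GetBaseException().Message)" }

# 5. Cleanup. Only the owner (or someone who takes ownership) can put an ACE back,
#    which is exactly why a broken key file needs an administrator with takeown.
$fileAcl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $everyone, 'FullControl', 'Allow')))
Set-Acl -LiteralPath $keyFile -AclObject $fileAcl
Remove-Item -LiteralPath $root -Recurse -Force
```

Step 3 is the whole point: an ACE the file only had by inheritance disappears the moment the file stops inheriting, and if the folder never granted anything to Administrators or SYSTEM there is nothing left. The distinction between an empty DACL (deny everyone) and a null DACL (allow everyone) is what makes step 4 fail.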


You might say: fine, just don't let the folder have broken permissions. True enough. But this is where the fun begins. The fact is that sometimes the OS cryptographic layer simply deletes this folder when no keys are left in it. And since there are usually few keys, this happens all the time. Next, it creates the folder again when a new, first key needs to be created. And then, hold on to your chairs, it of course creates it under the current user. Do you see what this means? It means you have no idea in advance what access will be set on this folder, and therefore on your new keys. To forestall comments about MS software, I will add that the folder deletion appears to be in partner code that ships with Windows, which MS cannot do much about.



In general, if you are going to import certificates, check that this folder grants permissions to the built-in Administrators group and to SYSTEM. We fell into this one face first, and we still run into cases where the permissions on this folder are broken, which should never be the case.
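The check the post recommends, as an added example rather than the author's own tooling: audit the real MachineKeys folder and every key file in it for Full Control granted to BUILTIN\Administrators (S-1-5-32-544) and NT AUTHORITY\SYSTEM (S-1-5-18), and optionally put the missing rights back. The function names, the `-Repair` switch and the choice to grant the folder ACEs as inheritable ((OI)(CI), so that the next key file picks them up before Everyone is stripped) are my assumptions; `icacls`, `takeown`, `Get-Acl` and the `Cert:` drive are standard Windows tools. It covers legacy CAPI RSA keys only, which is what the post is about; CNG keys live under ...\Crypto\Keys and are not handled.

```powershell
# Added example, not from the original post. Run from an elevated Windows PowerShell
# (3.0 or later) prompt. Legacy CAPI keys under ...\Crypto\RSA\MachineKeys only.
$AdminsSid = 'S-1-5-32-544'   # BUILTIN\Administrators
$SystemSid = 'S-1-5-18'       # NT AUTHORITY\SYSTEM

function Get-MachineKeysPath {
    # CommonApplicationData is "...\All Users\Application Data" on XP/2003 and
    # %ProgramData% on Vista and later, so one expression covers both layouts.
    Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) 'Microsoft\Crypto\RSA\MachineKeys'
}

function Test-FullControl {
    # True when the DACL contains an Allow ACE for $Sid that covers FullControl.
    param([System.Security.AccessControl.FileSystemSecurity] $Acl, [string] $Sid)
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($aceSid -eq $Sid -and (($ace.FileSystemRights -band $full) -eq $full)) { return $true }
    }
    return $false
}

function Test-MachineKeysAcl {
    # Emits one object per folder/key file; with -Repair, grants what is missing.
    param([switch] $Repair)
    $root = Get-MachineKeysPath
    if (-not (Test-Path -LiteralPath $root)) {
        # The crypto layer deletes the folder once it is empty; whoever triggers the
        # next key creation recreates it with their own default ACL (see the post).
        Write-Warning "$root does not exist right now; it will be recreated by the next key creation"
        return
    }
    $targets = @(Get-Item -LiteralPath $root) +
               @(Get-ChildItem -LiteralPath $root -Force | Where-Object { -not $_.PSIsContainer })
    foreach ($item in $targets) {
        try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
        catch {
            # No READ_CONTROL at all: the "nobody can open it" case from the post.
            # An administrator can still take ownership, which brings back READ_CONTROL/WRITE_DAC.
            Write-Warning "Cannot read ACL of $($item.FullName): $($_.Exception.Message)"
            if (-not $Repair) { continue }
            takeown.exe /F $item.FullName | Out-Null
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
        }
        $adminsOk = Test-FullControl -Acl $acl -Sid $AdminsSid
        $systemOk = Test-FullControl -Acl $acl -Sid $SystemSid
        [pscustomobject]@{ Path = $item.FullName; AdminsFull = $adminsOk; SystemFull = $systemOk }
        if ($Repair -and -not ($adminsOk -and $systemOk)) {
            # Inheritable on the folder so new key files get the ACEs; plain F on files.
            $inherit = if ($item.PSIsContainer) { '(OI)(CI)' } else { '' }
            icacls.exe $item.FullName /grant "*${AdminsSid}:${inherit}F" | Out-Null
            icacls.exe $item.FullName /grant "*${SystemSid}:${inherit}F" | Out-Null
        }
    }
}

function Get-CertKeyFile {
    # Maps a LocalMachine\My certificate (by thumbprint) to its key file. This only works
    # while the caller can still open the key; once the ACL is broken, reading .PrivateKey
    # is exactly the call that fails, which is why the audit above walks the folder instead.
    param([Parameter(Mandatory)] [string] $Thumbprint)
    $cert = Get-Item -LiteralPath "Cert:\LocalMachine\My\$Thumbprint"
    $csp = $cert.PrivateKey   # RSACryptoServiceProvider for CAPI keys, $null for CNG keys
    if (-not $csp) { throw "Certificate $Thumbprint has no CAPI private key (CNG key or no key at all)" }
    Join-Path (Get-MachineKeysPath) $csp.CspKeyContainerInfo.UniqueKeyContainerName
}

# Usage:
#   Test-MachineKeysAcl | Format-Table -AutoSize        # audit only
#   Test-MachineKeysAcl -Repair                          # grant Administrators and SYSTEM Full Control
#   Get-CertKeyFile -Thumbprint <thumbprint>             # which file under MachineKeys backs a given cert
```

Run the audit right after importing a certificate and again after any process that may have emptied and recreated the folder; a folder that shows `AdminsFull = False` or `SystemFull = False` is the precondition for the silent failure the post describes.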

Source: https://habr.com/ru/post/17323/


