I have a service that uses a private key for encryption. When I give the service administrative privileges, it works. With normal privileges, it does not. I get the error "Invalid provider type specified" when calling GetRSAPrivateKey().
var data = Convert.FromBase64String(cipherText);
var dataList = data.ToList();
using (var store = new X509Store(StoreName.TrustedPublisher, StoreLocation.LocalMachine))
using (var aesProvider = new AesCryptoServiceProvider())
{
store.Open(OpenFlags.ReadOnly);
byte[] key;
using (var cert = store.Certificates.Find(X509FindType.FindBySubjectName, CertificateName, false)[0])
{
var publicKey = cert.GetRSAPublicKey();
var encryptLength = publicKey.Encrypt(Encoding.UTF8.GetBytes("xxxxxxx"), RSAEncryptionPadding.OaepSHA512).Length;
var encryptedKey = dataList.Take(encryptLength).ToArray();
dataList.RemoveRange(0, encryptLength);
var privateKey = cert.GetRSAPrivateKey();
key = privateKey.Decrypt(encryptedKey, RSAEncryptionPadding.OaepSHA512);
}
If the key does not exist, it is added to the store programmatically during setup.
var rsa = RSA.Create(2048);
var request = new CertificateRequest($"cn={CertificateName}", rsa, HashAlgorithmName.SHA512, RSASignaturePadding.Pkcs1);
var cert = request.CreateSelfSigned(DateTimeOffset.Now, DateTimeOffset.Now.AddYears(50));
File.WriteAllBytes("c:\\temp\\EncryptionCert.pfx", cert.Export(X509ContentType.Pfx, _certificatePassword));
store.Open(OpenFlags.ReadWrite);
using (var cert = new X509Certificate2("c:\\temp\\EncryptionCert.pfx", _certificatePassword,
X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.MachineKeySet))
{
store.Add(cert);
}
Is there a non-administrator account setting that allows access to the certificate store, or something that I am doing wrong in my code when loading it?
Only administrators and local system has access to keys in Local Machine store. For client applications that run under different security context, a
CurrentUser\Mystore shall be used. And do not use any other store thanMyto store certificates with private key. Otherwise, you can open a vulnerability when keys from Local Machine store are propagated down to all users on a system. OnlyMystore is not propagated to other users.