首先，我們先設計一個透過憑證找出私鑰檔案的方法，它回傳的 FileInfo 物件帶有該檔案的路徑資訊。注意：下面的程式只處理 CAPI（RSACryptoServiceProvider）金鑰；若憑證的私鑰是 CNG/KSP 金鑰（例如 RSACng），金鑰檔會存放在 %ProgramData%\Microsoft\Crypto\Keys 或 %APPDATA%\Microsoft\Crypto\Keys，這個方法會直接回傳 null，找不到檔案：
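/// <summary>
/// Locates the on-disk CSP key container file that backs the RSA private key of
/// <paramref name="cert"/>. Only CAPI keys (RSACryptoServiceProvider) are handled;
/// a certificate with no private key, or with a CNG/KSP key, yields null.
/// </summary>
/// <param name="cert">Certificate whose private key file is wanted.</param>
/// <returns>
/// A FileInfo for the key container file, or null when the certificate's private key
/// is not an RSACryptoServiceProvider.
/// </returns>
/// <exception cref="ArgumentNullException"><paramref name="cert"/> is null.</exception>
/// <exception cref="FileNotFoundException">
/// The key is CSP-backed but its container file is in none of the searched folders
/// (callers that previously caught Exception still catch this).
/// </exception>
private static FileInfo GetPrivateKeyFileInfo(X509Certificate2 cert)
{
    if (cert == null)
        throw new ArgumentNullException("cert");

    // Non-CAPI keys (RSACng, ECDsa, no key at all) have no CSP container file to find.
    RSACryptoServiceProvider rsa = cert.PrivateKey as RSACryptoServiceProvider;
    if (rsa == null)
        return null;

    string keyFileName = rsa.CspKeyContainerInfo.UniqueKeyContainerName;

    // Machine-scoped keys live in a single well-known folder under %ProgramData%.
    string machineKeysPath = Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData),
        @"Microsoft\Crypto\RSA\MachineKeys");
    string candidate = Path.Combine(machineKeysPath, keyFileName);
    if (File.Exists(candidate))
        return new FileInfo(candidate);

    // User-scoped keys live in %APPDATA%\Microsoft\Crypto\RSA\<user SID>\; scan each
    // SID folder. Directory.Exists guards the enumeration so a missing root folder is
    // reported as "not found" below instead of as a DirectoryNotFoundException.
    string userKeysRoot = Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData),
        @"Microsoft\Crypto\RSA");
    if (Directory.Exists(userKeysRoot))
    {
        foreach (string sidFolder in Directory.GetDirectories(userKeysRoot))
        {
            candidate = Path.Combine(sidFolder, keyFileName);
            if (File.Exists(candidate))
                return new FileInfo(candidate);
        }
    }

    throw new FileNotFoundException("Private key 存在,但找不到它的位置", keyFileName);
}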
再來是把指定帳戶加入 private key 檔案 ACL 的方法。注意：範例授予的是 FullControl，但程式要使用私鑰（簽章、解密）其實只需要對金鑰檔的 Read 權限；授予 FullControl 會讓該帳戶也能覆寫或刪除金鑰檔，依最小權限原則建議只給 Read。另外，修改 MachineKeys 底下金鑰檔的 ACL 通常需要系統管理員權限執行：
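/// <summary>
/// Grants <paramref name="user"/> FullControl on the CSP key file that backs the private
/// key of <paramref name="cert"/>. Kept for backward compatibility; prefer the overload that
/// takes <see cref="FileSystemRights"/> and pass <see cref="FileSystemRights.Read"/>, which
/// is all that using a private key requires.
/// </summary>
/// <param name="cert">Certificate whose private key file is to be shared.</param>
/// <param name="user">Account name to grant, e.g. @"NT AUTHORITY\NETWORK SERVICE" or @"DOMAIN\user".</param>
private static void AddAccessToCertificate(X509Certificate2 cert, string user)
{
    AddAccessToCertificate(cert, user, FileSystemRights.FullControl);
}

/// <summary>
/// Adds an Allow ACE for <paramref name="user"/> with <paramref name="rights"/> to the DACL
/// of the CSP key file that backs the private key of <paramref name="cert"/>. Does nothing
/// when the certificate has no RSACryptoServiceProvider key (see GetPrivateKeyFileInfo).
/// </summary>
/// <param name="cert">Certificate whose private key file is to be shared.</param>
/// <param name="user">Account name to grant, e.g. @"NT AUTHORITY\NETWORK SERVICE" or @"DOMAIN\user".</param>
/// <param name="rights">
/// Rights to grant. <see cref="FileSystemRights.Read"/> is enough to use the key for signing or
/// decryption; FullControl additionally lets the account overwrite or delete the key file.
/// </param>
/// <exception cref="ArgumentNullException"><paramref name="cert"/> or <paramref name="user"/> is null.</exception>
/// <exception cref="ArgumentException"><paramref name="user"/> is empty or whitespace.</exception>
private static void AddAccessToCertificate(X509Certificate2 cert, string user, FileSystemRights rights)
{
    if (cert == null)
        throw new ArgumentNullException("cert");
    if (user == null)
        throw new ArgumentNullException("user");
    if (user.Trim().Length == 0)
        throw new ArgumentException("Account name must not be empty.", "user");

    FileInfo keyFile = GetPrivateKeyFileInfo(cert);
    if (keyFile == null)
        return;

    // NOTE(review): an account name that cannot be resolved to a SID is expected to surface
    // from the ACL API as IdentityNotMappedException — confirm on the target framework.
    FileSecurity security = keyFile.GetAccessControl();
    security.AddAccessRule(new FileSystemAccessRule(new NTAccount(user), rights, AccessControlType.Allow));
    keyFile.SetAccessControl(security);
}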