Where are my keys?!!
A purely technical cross-post from my main blog:
- No, really. You took a certificate you received from somewhere, installed it in the LocalMachine store, and suddenly your program doesn't see it!!! What is this? How can that be? What a mess! Help! Robbery! Virus! Well, not quite…
For starters, how is this whole thing set up? The certificate is recorded in the registry, as it should be, and it contains the public key (public, as in public). But the private key is stored neither in the certificate nor in the registry. To be honest, I don't know what the reason for this conspiracy is... well, of course, you would expect them to keep it somewhere secret, but no, it sits in about as public a place as you can get. Or almost, about which a little later. It is called "%SystemDrive%\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys", or whatever the localized equivalent is.
This folder (or directory, call it what you like) is special. Firstly, a normal user installation of Windows has practically nothing to store there, so it is often empty. Or at least sometimes it is empty. Which, alas, is very important for our story, as I will explain a little later.
So, you install your certificate. A fresh one, hot off the press, from the Certificate Authority itself. The certificate, of course, goes into the registry, but the key? The key goes into that same folder (see above). Moreover, the ACL on the key file is set to the same as on the folder. Which is also logical, because permissions are inherited, right? And then a very clever, well, just slightly too clever thing happens: the private key file has access for Everyone (or, in SID terms, WD) removed. Logical, right? Nobody should have access to the private key! But, as always, it is not without problems. Namely, if the folder itself grants rights only to that same Everyone, then after this completely logical operation nobody has access to the private key. Not the administrator, not even SYSTEM, above which in Windows there is hardly anything... In short, so near and yet so far.
You may say, well, there is no reason to have crooked permissions on this folder. And really, there isn't. But here is where the fun begins. The fact is that sometimes the cryptographic layer of the OS simply removes this folder when there are no keys left in it. And since there are few keys, this happens all the time. Then it recreates the folder when the next (and first) key needs to be created. And here, hold on to your chairs, it of course creates the folder under the current user. See what that means? It means you have no idea in advance what access there will be on this folder and, accordingly, on your new keys. To head off comments about MS software, I'll add that the removal of the folder seems to live in the code of an MS partner that ships with Windows, and MS can't do much about it.
In general, if you are planning to import certificates, make sure this folder has permissions for the built-in Administrators and SYSTEM. We went into this face-first, like a muzzle into a salad, and still run into cases where the permissions on this folder are broken in ways they should not be.
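As an added example (not code from the original post), here is a PowerShell script that audits the MachineKeys folder and every key file in it for Allow entries for the built-in Administrators and SYSTEM, and optionally repairs them. It assumes a modern Windows where "All Users\Application Data" resolves to $env:ProgramData, an elevated session, and a -Repair switch that is this script's own, not anything built in.

```powershell
# Added example, not code from the original post. Audits the MachineKeys folder and every
# key file in it for Allow entries for BUILTIN\Administrators and NT AUTHORITY\SYSTEM.
# Assumptions: "All Users\Application Data" is $env:ProgramData, the session is elevated,
# and -Repair is this script's own switch (granting Full Control is this example's choice).
param([switch]$Repair)

$MachineKeys = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
$Required    = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

# Returns the required principals that have no Allow ACE on $Path (throws if the DACL is unreadable).
function Get-MissingPrincipals([string]$Path) {
    $granted = (Get-Acl -LiteralPath $Path -ErrorAction Stop).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $_.IdentityReference.Value }
    $Required | Where-Object { $granted -notcontains $_ }
}

# Grants Full Control to the given principals; on the folder the entries are inheritable, so a
# newly created key file receives them before the "remove Everyone" step described above runs.
function Grant-FullControl([System.IO.FileSystemInfo]$Item, [string[]]$Principals) {
    $acl = Get-Acl -LiteralPath $Item.FullName
    $inherit = if ($Item.PSIsContainer) { 'ContainerInherit,ObjectInherit' } else { 'None' }
    foreach ($p in $Principals) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $p, 'FullControl', $inherit, 'None', 'Allow')))
    }
    Set-Acl -LiteralPath $Item.FullName -AclObject $acl
}

if (-not (Test-Path -LiteralPath $MachineKeys)) {
    Write-Warning "$MachineKeys is absent (it is deleted when empty) and will be recreated with whatever ACL the next key's creator gets"
    return
}

$items = @(Get-Item -LiteralPath $MachineKeys -Force) + @(Get-ChildItem -LiteralPath $MachineKeys -File -Force)
foreach ($item in $items) {
    try {
        $missing = @(Get-MissingPrincipals $item.FullName)
    } catch {
        # Not even the DACL can be read: the "nobody has access" case from the post.
        Write-Warning "$($item.FullName): cannot read ACL ($($_.Exception.Message))"
        if (-not $Repair) { continue }
        & takeown.exe /F $item.FullName /A | Out-Null   # give ownership to Administrators, then retry
        $missing = @(Get-MissingPrincipals $item.FullName)
    }
    if ($missing.Count -eq 0) { continue }
    Write-Warning "$($item.FullName): no Allow entry for $($missing -join ', ')"
    if ($Repair) { Grant-FullControl $item $missing }
}
```

Run it without -Repair first to see which files are affected; the takeown step changes the owner, which is worth noting before touching production key material.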