View All Certificates On Smart Card
I am trying to create a script to remove all but the newest certificate from any given smart card (in the SC Reader at the time). This is something that I intend to be abl
-
So my solution was to check if the powershell session is running in 32 or 64 bit mode, and if it is running in 64 bit mode (most likely) then it will run the original script as a job using the
-RunAs32argument switch. If it's already running in 32 bit mode it will simply invoke the scriptblock in the current session. Final script to get certificates off a smart card (as an x509 Certificate Store) ended up being:$RunAs32Bit = { [string]$providerName ="Microsoft Base Smart Card Crypto Provider" # import CrytoAPI from advapi32.dll $signature = @" [DllImport("advapi32.dll", CharSet=CharSet.Auto, SetLastError=true)] [return : MarshalAs(UnmanagedType.Bool)] public static extern bool CryptGetProvParam( IntPtr hProv, uint dwParam, byte[] pbProvData, ref uint pdwProvDataLen, uint dwFlags); [DllImport("advapi32.dll", CharSet=CharSet.Auto, SetLastError=true)] [return : MarshalAs(UnmanagedType.Bool)] public static extern bool CryptDestroyKey( IntPtr hKey); [DllImport("advapi32.dll", CharSet=CharSet.Auto, SetLastError=true)] [return : MarshalAs(UnmanagedType.Bool)] public static extern bool CryptAcquireContext( ref IntPtr hProv, string pszContainer, string pszProvider, uint dwProvType, long dwFlags); [DllImport("advapi32.dll", CharSet=CharSet.Auto)] [return : MarshalAs(UnmanagedType.Bool)] public static extern bool CryptGetUserKey( IntPtr hProv, uint dwKeySpec, ref IntPtr phUserKey); [DllImport("advapi32.dll", CharSet=CharSet.Auto, SetLastError=true)] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool CryptGetKeyParam( IntPtr hKey, uint dwParam, byte[] pbData, ref uint pdwDataLen, uint dwFlags); [DllImport("advapi32.dll", CharSet=CharSet.Auto, SetLastError=true)] [return : MarshalAs(UnmanagedType.Bool)] public static extern bool CryptReleaseContext( IntPtr hProv, uint dwFlags); "@ $CryptoAPI = Add-Type -member $signature -name advapiUtils -Namespace CryptoAPI -passthru # set some constants for CryptoAPI $AT_KEYEXCHANGE = 1 $AT_SIGNATURE = 2 $PROV_RSA_FULL = 1 $KP_CERTIFICATE = 26 $PP_ENUMCONTAINERS = 2 $PP_CONTAINER = 6 $PP_USER_CERTSTORE = 42 $CRYPT_FIRST = 1 $CRYPT_NEXT = 2 $CRYPT_VERIFYCONTEXT = 0xF0000000 [System.IntPtr]$hProvParent=0 $contextRet = $CryptoAPI::CryptAcquireContext([ref]$hprovParent,$null,$providerName,$PROV_RSA_FULL,$CRYPT_VERIFYCONTEXT) [Uint32]$pdwProvDataLen = 0 [byte[]]$pbProvData = $null $GetProvParamRet = $CryptoAPI::CryptGetProvParam($hprovParent,$PP_CONTAINER,$pbProvData,[ref]$pdwProvDataLen,0) if($pdwProvDataLen -gt 0) { $ProvData = new-Object byte[] $pdwProvDataLen $GetKeyParamRet = $CryptoAPI::CryptGetProvParam($hprovParent,$PP_CONTAINER,$ProvData,[ref]$pdwProvDataLen,0) } $enc = new-object System.Text.UTF8Encoding($null) $keyContainer = $enc.GetString($ProvData) write-host " The Default User Key Container:" $keyContainer [Uint32]$pdwProvDataLen = 0 [byte[]]$pbProvData = $null $GetProvParamRet = $CryptoAPI::CryptGetProvParam($hprovParent,$PP_USER_CERTSTORE,$pbProvData,[ref]$pdwProvDataLen,0) if($pdwProvDataLen -gt 0) { $ProvData = new-Object byte[] $pdwProvDataLen $GetKeyParamRet = $CryptoAPI::CryptGetProvParam($hprovParent,$PP_USER_CERTSTORE,$ProvData,[ref]$pdwProvDataLen,0) [uint32]$provdataInt = [System.BitConverter]::ToUInt32($provdata,0) [System.IntPtr]$hwStore = $provdataInt } $store = new-object System.Security.Cryptography.X509Certificates.X509Store($hwStore) # release smart card $ReleaseContextRet = $CryptoAPI::CryptReleaseContext($hprovParent,0) return $store } #Run the code in 32bit mode if PowerShell isn't already running in 32bit mode If($env:PROCESSOR_ARCHITECTURE -ne "x86"){ Write-Warning "Non-32bit architecture detected, collecting certificate information in separate 32bit process." $Job = Start-Job $RunAs32Bit -RunAs32 $SCStore = $Job | Wait-Job | Receive-Job }Else{ $SCStore = $RunAs32Bit.Invoke() }
加载中...
- 热议问题