Automatic detection of decryption certificates

dlwyatt · dlwyatt · commit b9492a1cd948 · 2015-03-30T12:55:44.000-04:00
The Certificate parameter of Unprotect-Data is no longer mandatory.  If a matching certificate is found in the Personal store of either the user or the machine (and the private key is accessible in either location), then that cert will automatically be used to decrypt.

Also fixed a bug that was producing KeyData objects that were hashtables instead of PSCustomObjects when encrypting data with an ECDH certificate.  (All of the code still works either way, but it was inconsistent.)
diff --git a/Commands.ps1 b/Commands.ps1
@@ -265,7 +265,7 @@ function Unprotect-Data
         })]
         $InputObject,
 
-        [Parameter(Mandatory = $true, ParameterSetName = 'Certificate')]
+        [Parameter(ParameterSetName = 'Certificate')]
         [object]
         $Certificate,
 
@@ -313,13 +313,47 @@ function Unprotect-Data
         $key = $null
         $iv = $null
 
-        if ($null -ne $cert)
+        if ($null -ne $Password)
         {
-            $params = @{ Certificate = $cert }
+            $params = @{ Password = $Password }
         }
         else
         {
-            $params = @{ Password = $Password }
+            if ($null -eq $cert)
+            {
+                $paths = 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'
+
+                $cert = :outer foreach ($path in $paths)
+                {
+                    foreach ($keyData in $InputObject.KeyData)
+                    {
+                        if ($keyData.Thumbprint)
+                        {
+                            $certObject = $null
+                            try
+                            {
+                                $certObject = Get-KeyEncryptionCertificate -Path $path -CertificateThumbprint $keyData.Thumbprint -RequirePrivateKey -ErrorAction $IgnoreError
+                            } catch { }
+
+                            if ($null -ne $certObject)
+                            {
+                                $certObject
+                                break outer
+                            }
+                        }
+                    }
+                }
+            }
+
+            if ($null -eq $cert)
+            {
+                Write-Error -Message 'No decryption certificate for the specified InputObject was found.' -TargetObject $InputObject
+                return
+            }
+
+            $params = @{
+                Certificate = $cert
+            }
         }
 
         try
@@ -1655,7 +1689,7 @@ function Protect-KeyDataWithEcdhCertificate
         $encryptedKey = Protect-DataWithAes -PlainText $Key -Key $derivedKey -IV $ecdhIv -NoHMAC
         $encryptedIv  = Protect-DataWithAes -PlainText $IV -Key $derivedKey -IV $ecdhIv -NoHMAC
 
-        New-Object psobject @{
+        New-Object psobject -Property @{
             Key = $encryptedKey.CipherText
             IV = $encryptedIv.CipherText
             EcdhPublicKey = $ecdh.PublicKey.ToByteArray()
diff --git a/ProtectedData.Tests.ps1 b/ProtectedData.Tests.ps1
@@ -361,6 +361,29 @@ Describe 'Certificate-based encryption / decryption (by certificate path)' {
     }
 }
 
+Describe 'Certificate-based decryption (automatic detection of cert)' {
+    Remove-TestCertificate
+
+    $certThumbprint = New-TestCertificate -Subject $testCertificateSubject
+
+    $protectedData = $stringToEncrypt | Protect-Data -Certificate Cert:\CurrentUser\My\$certThumbprint
+
+    It 'Successfully finds the matching certificate and decrypts the data' {
+        $hash = @{}
+        $scriptBlock = { $hash.Decrypted = Unprotect-Data $protectedData -ErrorAction Stop }
+
+        $scriptBlock | Should Not Throw
+        $hash.Decrypted | Should Be $stringToEncrypt
+    }
+
+    Remove-TestCertificate
+
+    It 'Gives a useful error message when no matching certificate is found' {
+        $scriptBlock = { $null = Unprotect-Data $protectedData -ErrorAction Stop }
+        $scriptBlock | Should Throw 'No decryption certificate for the specified InputObject was found'
+    }
+}
+
 Describe 'HMAC authentication of AES data' {
     $protectedData = $stringToEncrypt | Protect-Data -Password $passwordForEncryption
 
diff --git a/ProtectedData.psd1 b/ProtectedData.psd1
@@ -8,7 +8,7 @@
 
 @{
     ModuleToProcess        = 'ProtectedData.psm1'
-    ModuleVersion          = '4.1.0'
+    ModuleVersion          = '4.1.1'
     GUID                   = 'fc6a2f6a-563d-422a-85b5-9638e45a370e'
     Author                 = 'Dave Wyatt'
     CompanyName            = 'Home'
@@ -37,7 +37,7 @@
             # Indicates this is a pre-release/testing version of the module.
             IsPrerelease = 'False'
 
-            ReleaseNotes = 'Deprecated the -SkipCertificateVerification parameter.  Made InputObject parameter positional for all relevant cmdlets.'
+            ReleaseNotes = 'Added code to automatically detect an available decryption certificate.'
         }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,7 @@`
`8`	`8`
`9`	`9`	`@{`
`10`	`10`	`ModuleToProcess = 'ProtectedData.psm1'`
`11`		`- ModuleVersion = '4.1.0'`
	`11`	`+ ModuleVersion = '4.1.1'`
`12`	`12`	`GUID = 'fc6a2f6a-563d-422a-85b5-9638e45a370e'`
`13`	`13`	`Author = 'Dave Wyatt'`
`14`	`14`	`CompanyName = 'Home'`
`@@ -37,7 +37,7 @@`
`37`	`37`	`# Indicates this is a pre-release/testing version of the module.`
`38`	`38`	`IsPrerelease = 'False'`
`39`	`39`
`40`		`- ReleaseNotes = 'Deprecated the -SkipCertificateVerification parameter. Made InputObject parameter positional for all relevant cmdlets.'`
	`40`	`+ ReleaseNotes = 'Added code to automatically detect an available decryption certificate.'`
`41`	`41`	`}`
`42`	`42`	`}`
`43`	`43`	`}`