Automatic detection of decryption certificates

The Certificate parameter of Unprotect-Data is no longer mandatory. If a matching certificate is found in the Personal store of either the user or the machine (and the private key is accessible in either location), then that cert will automatically be used to decrypt. Also fixed a bug that was producing KeyData objects that were hashtables instead of PSCustomObjects when encrypting data with an ECDH certificate. (All of the code still works either way, but it was inconsistent.)
dlwyatt · Mar 30, 2015 · b9492a1 · b9492a1
1 parent 9bfa49f
commit b9492a1
Show file tree

Hide file tree

Showing 3 changed files with 64 additions and 7 deletions.
diff --git a/Commands.ps1 b/Commands.ps1
@@ -265,7 +265,7 @@ function Unprotect-Data
         })]
         $InputObject,
 
-        [Parameter(Mandatory = $true, ParameterSetName = 'Certificate')]
+        [Parameter(ParameterSetName = 'Certificate')]
         [object]
         $Certificate,
 
@@ -313,13 +313,47 @@ function Unprotect-Data
         $key = $null
         $iv = $null
 
-        if ($null -ne $cert)
+        if ($null -ne $Password)
         {
-            $params = @{ Certificate = $cert }
+            $params = @{ Password = $Password }
         }
         else
         {
-            $params = @{ Password = $Password }
+            if ($null -eq $cert)
+            {
+                $paths = 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'
+
+                $cert = :outer foreach ($path in $paths)
+                {
+                    foreach ($keyData in $InputObject.KeyData)
+                    {
+                        if ($keyData.Thumbprint)
+                        {
+                            $certObject = $null
+                            try
+                            {
+                                $certObject = Get-KeyEncryptionCertificate -Path $path -CertificateThumbprint $keyData.Thumbprint -RequirePrivateKey -ErrorAction $IgnoreError
+                            } catch { }
+
+                            if ($null -ne $certObject)
+                            {
+                                $certObject
+                                break outer
+                            }
+                        }
+                    }
+                }
+            }
+
+            if ($null -eq $cert)
+            {
+                Write-Error -Message 'No decryption certificate for the specified InputObject was found.' -TargetObject $InputObject
+                return
+            }
+
+            $params = @{
+                Certificate = $cert
+            }
         }
 
         try
@@ -1655,7 +1689,7 @@ function Protect-KeyDataWithEcdhCertificate
         $encryptedKey = Protect-DataWithAes -PlainText $Key -Key $derivedKey -IV $ecdhIv -NoHMAC
         $encryptedIv  = Protect-DataWithAes -PlainText $IV -Key $derivedKey -IV $ecdhIv -NoHMAC
 
-        New-Object psobject @{
+        New-Object psobject -Property @{
             Key = $encryptedKey.CipherText
             IV = $encryptedIv.CipherText
             EcdhPublicKey = $ecdh.PublicKey.ToByteArray()

diff --git a/ProtectedData.Tests.ps1 b/ProtectedData.Tests.ps1
@@ -361,6 +361,29 @@ Describe 'Certificate-based encryption / decryption (by certificate path)' {
     }
 }
 
+Describe 'Certificate-based decryption (automatic detection of cert)' {
+    Remove-TestCertificate
+
+    $certThumbprint = New-TestCertificate -Subject $testCertificateSubject
+
+    $protectedData = $stringToEncrypt | Protect-Data -Certificate Cert:\CurrentUser\My\$certThumbprint
+
+    It 'Successfully finds the matching certificate and decrypts the data' {
+        $hash = @{}
+        $scriptBlock = { $hash.Decrypted = Unprotect-Data $protectedData -ErrorAction Stop }
+
+        $scriptBlock | Should Not Throw
+        $hash.Decrypted | Should Be $stringToEncrypt
+    }
+
+    Remove-TestCertificate
+
+    It 'Gives a useful error message when no matching certificate is found' {
+        $scriptBlock = { $null = Unprotect-Data $protectedData -ErrorAction Stop }
+        $scriptBlock | Should Throw 'No decryption certificate for the specified InputObject was found'
+    }
+}
+
 Describe 'HMAC authentication of AES data' {
     $protectedData = $stringToEncrypt | Protect-Data -Password $passwordForEncryption
 

diff --git a/ProtectedData.psd1 b/ProtectedData.psd1
@@ -8,7 +8,7 @@
 
 @{
     ModuleToProcess        = 'ProtectedData.psm1'
-    ModuleVersion          = '4.1.0'
+    ModuleVersion          = '4.1.1'
     GUID                   = 'fc6a2f6a-563d-422a-85b5-9638e45a370e'
     Author                 = 'Dave Wyatt'
     CompanyName            = 'Home'
@@ -37,7 +37,7 @@
             # Indicates this is a pre-release/testing version of the module.
             IsPrerelease = 'False'
 
-            ReleaseNotes = 'Deprecated the -SkipCertificateVerification parameter.  Made InputObject parameter positional for all relevant cmdlets.'
+            ReleaseNotes = 'Added code to automatically detect an available decryption certificate.'
         }
     }
 }