implement remove policy

Windows/SoftCertPolicyAppender/SoftCertPolicyAppender/SoftCertPolicyAppender/CertPolicyAppender.cs

@@ -9,23 +9,23 @@ namespace SoftCertPolicyAppender
 {
     public class CertPolicyAppender
     {
-        private X509Certificate2 _cert;
-
         public void Load(string certFile)
         {
             var cert = new X509Certificate2();
             cert.Import(certFile);
-            _cert = cert;
+            Certificate = cert;
 
         }
 
+        public X509Certificate2 Certificate { get; private set; }
+
         /// <summary>
         /// 构造写写入注册表的证书数据
         /// </summary>
         /// <returns></returns>
         private byte[] CalcRegCertData()
         {
-            var cert = _cert;
+            var cert = Certificate;
             var thumbprintData = cert.Thumbprint.HexString2Bytes().ToArray();
 
             var rtn = new List<byte>();
@@ -58,7 +58,7 @@ namespace SoftCertPolicyAppender
         /// <returns></returns>
         public void WriteRegisty()
         {
-            var cer = _cert;
+            var cer = Certificate;
             const string keyPath = @"Software\Microsoft\Windows\CurrentVersion\Group Policy Objects";
             var rk = RegistryKey.OpenBaseKey(RegistryHive.CurrentUser, RegistryView.Default);
             var srk = rk.OpenSubKey(keyPath);
@@ -85,13 +85,46 @@ namespace SoftCertPolicyAppender
         }
 
 
+        /// <summary>
+        /// 写入注册表项
+        /// </summary>
+        /// <returns></returns>
+        public void RemoveRegisty()
+        {
+            var cer = Certificate;
+            const string keyPath = @"Software\Microsoft\Windows\CurrentVersion\Group Policy Objects";
+            var rk = RegistryKey.OpenBaseKey(RegistryHive.CurrentUser, RegistryView.Default);
+            var srk = rk.OpenSubKey(keyPath);
+            if (srk == null)
+            {
+                throw new ApplicationException("无法打开注册表项:" + keyPath);
+            }
+            var certKeys = srk.GetSubKeyNames()
+                .Where(x => x.EndsWith("Machine"))
+                .Select(
+                    x =>
+                        string.Format(
+                            "{0}\\{1}\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates\\{2}",
+                            keyPath, x, cer.Thumbprint))
+                //.Where(x => rk.OpenSubKey(x) == null)
+                .ToList();
+
+            foreach (var certKey in certKeys)
+            {
+                rk.DeleteSubKey(certKey);
+            }
+
+        }
+
+
+
         /// <summary>
         /// 添加证书组策略
         /// </summary>
         /// <remarks>引用组件来自:https://bitbucket.org/MartinEden/local-policy/overview </remarks>
         public void AddCertPolicy()
         {
-            var cert = _cert;
+            var cert = Certificate;
 
             var gpo = new ComputerGroupPolicyObject();
             var keyPath = string.Format("Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates\\{0}", cert.Thumbprint);
@@ -105,6 +138,21 @@ namespace SoftCertPolicyAppender
             gpo.Save();
 
         }
+
+
+        public void RemoveCertPolicy()
+        {
+            var cert = Certificate;
+
+            var gpo = new ComputerGroupPolicyObject();
+            var keyPath = string.Format("Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates\\{0}", cert.Thumbprint);
+            using (var machine = gpo.GetRootRegistryKey(GroupPolicySection.Machine))
+            {
+                machine.DeleteSubKey(keyPath);
+            }
+            gpo.Save();
+
+        }
     }
 
 

Windows/SoftCertPolicyAppender/SoftCertPolicyAppender/SoftCertPolicyAppender/Program.cs

@@ -8,17 +8,32 @@ namespace SoftCertPolicyAppender
         [STAThread]
         static void Main(string[] args)
         {
-
+            var flag = 0;
             var cers = args.Where(x => x.EndsWith(".cer") || x.EndsWith(".crt") || x.EndsWith(".pem"));
-
+            if (args.Contains("-r"))
+            {
+                flag = 1;
+            }
             foreach (var s in cers)
             {
                 try
                 {
                     var appdender = new CertPolicyAppender();
                     appdender.Load(s);
-                    appdender.WriteRegisty();
-                    appdender.AddCertPolicy();
+                    switch (flag)
+                    {
+                        case 0:
+                            appdender.WriteRegisty();
+                            appdender.AddCertPolicy();
+                            Console.WriteLine("Add cert policy for {0}",appdender.Certificate.Thumbprint);
+                            break;
+                        case 1:
+                            appdender.RemoveRegisty();
+                            appdender.RemoveCertPolicy();
+                            Console.WriteLine("Remove cert policy for {0}", appdender.Certificate.Thumbprint);
+                            break;                            
+                    }
+                    
                 }
                 catch (Exception e)
                 {
@@ -28,7 +43,7 @@ namespace SoftCertPolicyAppender
                 }
             }
             Console.ForegroundColor = ConsoleColor.Green;
-            Console.WriteLine("Success!");
+            Console.WriteLine("All Success!");
             Console.ResetColor();
         }
     }