From 779b129de7ac0d9a56a0464bf4f3888a8a28ab5d Mon Sep 17 00:00:00 2001
From: unknown-user <unknown-user@fe80::a956:a8d7:3dc8:ecf1%3>
Date: Tue, 20 Jan 2015 21:41:23 +0800
Subject: [PATCH] force cert policy
---
 .../CertPolicyAppender.cs | 433 ++++++++++--------
 .../SoftCertPolicyAppender/Program.cs | 121 +++--
 2 files changed, 307 insertions(+), 247 deletions(-)
diff --git a/Windows/SoftCertPolicyAppender/SoftCertPolicyAppender/SoftCertPolicyAppender/CertPolicyAppender.cs b/Windows/SoftCertPolicyAppender/SoftCertPolicyAppender/SoftCertPolicyAppender/CertPolicyAppender.cs
index 05532ae..46bb17d 100644
--- a/Windows/SoftCertPolicyAppender/SoftCertPolicyAppender/SoftCertPolicyAppender/CertPolicyAppender.cs
+++ b/Windows/SoftCertPolicyAppender/SoftCertPolicyAppender/SoftCertPolicyAppender/CertPolicyAppender.cs
@@ -1,198 +1,237 @@ -using System; -using System.Collections.Generic; -using System.Linq; -using System.Security.Cryptography.X509Certificates; -using LocalPolicy; -using Microsoft.Win32; - -namespace SoftCertPolicyAppender -{ - public class CertPolicyAppender - { - public void Load(string certFile) - { - var cert = new X509Certificate2(); - cert.Import(certFile); - Certificate = cert; - - } - - public X509Certificate2 Certificate { get; private set; } - - /// <summary> - /// æž„é€ å†™å†™å…¥æ³¨å†Œè¡¨çš„è¯ä¹¦æ•°æ® - /// </summary> - /// <returns></returns> - private byte[] CalcRegCertData() - { - var cert = Certificate; - var thumbprintData = cert.Thumbprint.HexString2Bytes().ToArray(); - - var rtn = new List<byte>(); - - //æ·»åŠ æ•°æ®å¤´,æ ¼å¼æ˜¯æ ¹æ®æ³¨å†Œè¡¨çš„æ•°æ®æŽ¨ç®—çš„,未注释部分为未知 - rtn.AddRange(BitConverter.GetBytes(3)); //å¯èƒ½ä¸ºç‰ˆæœ¬å· - rtn.AddRange(BitConverter.GetBytes(1)); //å¯èƒ½ä¸ºæ¬¡ç‰ˆæœ¬å· - rtn.AddRange(BitConverter.GetBytes(thumbprintData.Length)); //è¯ä¹¦å®…指纹长度 - rtn.AddRange(thumbprintData); //è¯ä¹¦æŒ‡çº¹æ•°æ® - rtn.AddRange(BitConverter.GetBytes(0x0d)); - rtn.AddRange(BitConverter.GetBytes(1)); - rtn.AddRange(BitConverter.GetBytes((short)2)); - rtn.AddRange(BitConverter.GetBytes(0)); - rtn.AddRange(BitConverter.GetBytes(0x1b)); - rtn.AddRange(BitConverter.GetBytes(1)); - rtn.AddRange(BitConverter.GetBytes(8)); - rtn.AddRange(BitConverter.GetBytes(DateTime.Now.ToFileTime())); //时间戳 - rtn.AddRange(BitConverter.GetBytes(0x20)); - rtn.AddRange(BitConverter.GetBytes(1)); - rtn.AddRange(BitConverter.GetBytes(cert.RawData.Length)); //è¯ä¹¦é•¿åº¦ - //æ·»åŠ è¯ä¹¦æ•°æ® - rtn.AddRange(cert.RawData); - - return rtn.ToArray(); - } - - /// <summary> - /// 写入注册表项 - /// </summary> - /// <returns></returns> - public void WriteRegisty() - { - var cer = Certificate; - const string keyPath = @"Software\Microsoft\Windows\CurrentVersion\Group Policy Objects"; - var rk = RegistryKey.OpenBaseKey(RegistryHive.CurrentUser, RegistryView.Default); - var srk = 
rk.OpenSubKey(keyPath); - if (srk == null) - { - throw new ApplicationException("æ— æ³•æ‰“å¼€æ³¨å†Œè¡¨é¡¹:" + keyPath); - } - var certKeys = srk.GetSubKeyNames() - .Where(x => x.EndsWith("Machine")) - .Select( - x => - string.Format( - "{0}\\{1}\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates\\{2}", - keyPath, x, cer.Thumbprint)) - //.Where(x => rk.OpenSubKey(x) == null) - .ToList(); - - foreach (var key in certKeys.Select(rk.CreateSubKey)) - { - key.SetValue("Blob", CalcRegCertData(), RegistryValueKind.Binary); - } - - - } - - - /// <summary> - /// 写入注册表项 - /// </summary> - /// <returns></returns> - public void RemoveRegisty() - { - var cer = Certificate; - const string keyPath = @"Software\Microsoft\Windows\CurrentVersion\Group Policy Objects"; - var rk = RegistryKey.OpenBaseKey(RegistryHive.CurrentUser, RegistryView.Default); - var srk = rk.OpenSubKey(keyPath); - if (srk == null) - { - throw new ApplicationException("æ— æ³•æ‰“å¼€æ³¨å†Œè¡¨é¡¹:" + keyPath); - } - var certKeys = srk.GetSubKeyNames() - .Where(x => x.EndsWith("Machine")) - .Select( - x => - string.Format( - "{0}\\{1}\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates\\{2}", - keyPath, x, cer.Thumbprint)) - //.Where(x => rk.OpenSubKey(x) == null) - .ToList(); - - foreach (var certKey in certKeys) - { - rk.DeleteSubKey(certKey); - } - - } - - - - /// <summary> - /// æ·»åŠ è¯ä¹¦ç»„ç–ç•¥ - /// </summary> - /// <remarks>引用组件æ¥è‡ª:https://bitbucket.org/MartinEden/local-policy/overview </remarks> - public void AddCertPolicy() - { - var cert = Certificate; - - var gpo = new ComputerGroupPolicyObject(); - var keyPath = string.Format("Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates\\{0}", cert.Thumbprint); - using (var machine = gpo.GetRootRegistryKey(GroupPolicySection.Machine)) - { - using (var cerKey = machine.CreateSubKey(keyPath)) - { - cerKey.SetValue("Blob", CalcRegCertData(), RegistryValueKind.Binary); - } - } - 
gpo.Save(); - - } - - - public void RemoveCertPolicy() - { - var cert = Certificate; - - var gpo = new ComputerGroupPolicyObject(); - var keyPath = string.Format("Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates\\{0}", cert.Thumbprint); - using (var machine = gpo.GetRootRegistryKey(GroupPolicySection.Machine)) - { - machine.DeleteSubKey(keyPath); - } - gpo.Save(); - - } - } - - - /// <summary> - /// 工具类 - /// </summary> - public static class Helper - { - - /// <summary> - /// è§£æž16进制å—符串为byte数组 - /// </summary> - /// <param name="hexstring"></param> - /// <returns></returns> - public static IEnumerable<byte> HexString2Bytes(this string hexstring) - { - for (int i = 0; i < hexstring.Length; i += 2) - { - var hex = hexstring.Substring(i, 2); - yield return Convert.ToByte(hex, 16); - } - } - - /// <summary> - /// 转æ¢ä¸º16进制å—符串 - /// </summary> - /// <param name="bs"></param> - /// <param name="isLowcase"></param> - /// <param name="split"></param> - /// <returns></returns> - public static string ToHexString(this IEnumerable<byte> bs, bool isLowcase = false, string split = "") - { - var rtn = ""; - foreach (var item in bs) - { - var fmtstr = isLowcase ? 
"x2" : "X2"; - rtn += item.ToString(fmtstr) + split; - } - return rtn.TrimEnd(split.ToCharArray()); - } - } - +using System; +using System.Collections.Generic; +using System.Linq; +using System.Security.Cryptography.X509Certificates; +using LocalPolicy; +using Microsoft.Win32; + +namespace SoftCertPolicyAppender +{ + public class CertPolicyAppender + { + public void Load(string certFile) + { + var cert = new X509Certificate2(); + cert.Import(certFile); + Certificate = cert; + + } + + public X509Certificate2 Certificate { get; private set; } + + /// <summary> + /// æž„é€ å†™å†™å…¥æ³¨å†Œè¡¨çš„è¯ä¹¦æ•°æ® + /// </summary> + /// <returns></returns> + private byte[] CalcRegCertData() + { + var cert = Certificate; + var thumbprintData = cert.Thumbprint.HexString2Bytes().ToArray(); + + var rtn = new List<byte>(); + + //æ·»åŠ æ•°æ®å¤´,æ ¼å¼æ˜¯æ ¹æ®æ³¨å†Œè¡¨çš„æ•°æ®æŽ¨ç®—çš„,未注释部分为未知 + rtn.AddRange(BitConverter.GetBytes(3)); //å¯èƒ½ä¸ºç‰ˆæœ¬å· + rtn.AddRange(BitConverter.GetBytes(1)); //å¯èƒ½ä¸ºæ¬¡ç‰ˆæœ¬å· + rtn.AddRange(BitConverter.GetBytes(thumbprintData.Length)); //è¯ä¹¦å®…指纹长度 + rtn.AddRange(thumbprintData); //è¯ä¹¦æŒ‡çº¹æ•°æ® + rtn.AddRange(BitConverter.GetBytes(0x0d)); + rtn.AddRange(BitConverter.GetBytes(1)); + rtn.AddRange(BitConverter.GetBytes((short)2)); + rtn.AddRange(BitConverter.GetBytes(0)); + rtn.AddRange(BitConverter.GetBytes(0x1b)); + rtn.AddRange(BitConverter.GetBytes(1)); + rtn.AddRange(BitConverter.GetBytes(8)); + rtn.AddRange(BitConverter.GetBytes(DateTime.Now.ToFileTime())); //时间戳 + rtn.AddRange(BitConverter.GetBytes(0x20)); + rtn.AddRange(BitConverter.GetBytes(1)); + rtn.AddRange(BitConverter.GetBytes(cert.RawData.Length)); //è¯ä¹¦é•¿åº¦ + //æ·»åŠ è¯ä¹¦æ•°æ® + rtn.AddRange(cert.RawData); + + return rtn.ToArray(); + } + + /// <summary> + /// 写入注册表项 + /// </summary> + /// <returns></returns> + public void WriteRegisty() + { + var cer = Certificate; + const string keyPath = @"Software\Microsoft\Windows\CurrentVersion\Group Policy Objects"; + var rk = 
RegistryKey.OpenBaseKey(RegistryHive.CurrentUser, RegistryView.Default); + var srk = rk.OpenSubKey(keyPath); + if (srk == null) + { + throw new ApplicationException("æ— æ³•æ‰“å¼€æ³¨å†Œè¡¨é¡¹:" + keyPath); + } + var certKeys = srk.GetSubKeyNames() + .Where(x => x.EndsWith("Machine")) + .Select( + x => + string.Format( + "{0}\\{1}\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates\\{2}", + keyPath, x, cer.Thumbprint)) + //.Where(x => rk.OpenSubKey(x) == null) + .ToList(); + + foreach (var key in certKeys.Select(rk.CreateSubKey)) + { + key.SetValue("Blob", CalcRegCertData(), RegistryValueKind.Binary); + } + + + } + + + /// <summary> + /// 写入注册表项 + /// </summary> + /// <returns></returns> + public void RemoveRegisty() + { + var cer = Certificate; + const string keyPath = @"Software\Microsoft\Windows\CurrentVersion\Group Policy Objects"; + var rk = RegistryKey.OpenBaseKey(RegistryHive.CurrentUser, RegistryView.Default); + var srk = rk.OpenSubKey(keyPath); + if (srk == null) + { + throw new ApplicationException("æ— æ³•æ‰“å¼€æ³¨å†Œè¡¨é¡¹:" + keyPath); + } + var certKeys = srk.GetSubKeyNames() + .Where(x => x.EndsWith("Machine")) + .Select( + x => + string.Format( + "{0}\\{1}\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates\\{2}", + keyPath, x, cer.Thumbprint)) + //.Where(x => rk.OpenSubKey(x) == null) + .ToList(); + + foreach (var certKey in certKeys) + { + rk.DeleteSubKey(certKey,false); + } + + } + + + + /// <summary> + /// æ·»åŠ è¯ä¹¦ç»„ç–ç•¥ + /// </summary> + /// <remarks>引用组件æ¥è‡ª:https://bitbucket.org/MartinEden/local-policy/overview </remarks> + public void AddCertPolicy() + { + var cert = Certificate; + + var gpo = new ComputerGroupPolicyObject(); + var keyPath = string.Format("Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates\\{0}", cert.Thumbprint); + using (var machine = gpo.GetRootRegistryKey(GroupPolicySection.Machine)) + { + using (var cerKey = machine.CreateSubKey(keyPath)) + { 
+ cerKey.SetValue("Blob", CalcRegCertData(), RegistryValueKind.Binary); + } + } + gpo.Save(); + + } + + + public void RemoveCertPolicy() + { + var cert = Certificate; + + var gpo = new ComputerGroupPolicyObject(); + var keyPath = string.Format("Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates\\{0}", cert.Thumbprint); + using (var machine = gpo.GetRootRegistryKey(GroupPolicySection.Machine)) + { + machine.DeleteSubKey(keyPath,false); + } + gpo.Save(); + + } + + public void SetForcePolicyStat(bool enable) + { + var gpo = new ComputerGroupPolicyObject(); + var keyPath = "Software\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers"; + using (var machine = gpo.GetRootRegistryKey(GroupPolicySection.Machine)) + { + using (var cerKey = machine.CreateSubKey(keyPath)) + { + cerKey.SetValue("AuthenticodeEnable", enable?1:0, RegistryValueKind.DWord); + } + } + gpo.Save(); + } + + public void SetForceRegistryPolicyStat(bool enable) + { + const string keyPath = @"Software\Microsoft\Windows\CurrentVersion\Group Policy Objects"; + var rk = RegistryKey.OpenBaseKey(RegistryHive.CurrentUser, RegistryView.Default); + var srk = rk.OpenSubKey(keyPath); + if (srk == null) + { + throw new ApplicationException("æ— æ³•æ‰“å¼€æ³¨å†Œè¡¨é¡¹:" + keyPath); + } + var certKeys = srk.GetSubKeyNames() + .Where(x => x.EndsWith("Machine")) + .Select( + x => + string.Format( + "{0}\\{1}\\Software\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers", + keyPath, x)) + //.Where(x => rk.OpenSubKey(x) == null) + .ToList(); + + foreach (var key in certKeys.Select(rk.CreateSubKey)) + { + key.SetValue("AuthenticodeEnable", enable?1:0, RegistryValueKind.DWord); + } + } + } + + + /// <summary> + /// 工具类 + /// </summary> + public static class Helper + { + + /// <summary> + /// è§£æž16进制å—符串为byte数组 + /// </summary> + /// <param name="hexstring"></param> + /// <returns></returns> + public static IEnumerable<byte> HexString2Bytes(this string hexstring) + { + for (int i = 0; i < 
hexstring.Length; i += 2) + { + var hex = hexstring.Substring(i, 2); + yield return Convert.ToByte(hex, 16); + } + } + + /// <summary> + /// 转æ¢ä¸º16进制å—符串 + /// </summary> + /// <param name="bs"></param> + /// <param name="isLowcase"></param> + /// <param name="split"></param> + /// <returns></returns> + public static string ToHexString(this IEnumerable<byte> bs, bool isLowcase = false, string split = "") + { + var rtn = ""; + foreach (var item in bs) + { + var fmtstr = isLowcase ? "x2" : "X2"; + rtn += item.ToString(fmtstr) + split; + } + return rtn.TrimEnd(split.ToCharArray()); + } + } + } \ No newline at end of file diff --git a/Windows/SoftCertPolicyAppender/SoftCertPolicyAppender/SoftCertPolicyAppender/Program.cs b/Windows/SoftCertPolicyAppender/SoftCertPolicyAppender/SoftCertPolicyAppender/Program.cs index b3e09d0..c1b4b74 100644 --- a/Windows/SoftCertPolicyAppender/SoftCertPolicyAppender/SoftCertPolicyAppender/Program.cs +++ b/Windows/SoftCertPolicyAppender/SoftCertPolicyAppender/SoftCertPolicyAppender/Program.cs 
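Review bot: SetForceRegistryPolicyStat never disposes the RegistryKey handles it opens — `rk`, `srk` and every key returned by `rk.CreateSubKey` in the foreach — so each run leaks native handles until finalization; WriteRegisty and RemoveRegisty have the same pattern and this note covers them too. The local `certKeys` in SetForceRegistryPolicyStat holds CodeIdentifiers paths rather than certificate keys, so `policyKeys` would read better, and the Group Policy Objects enumeration is now copied a third time and is a candidate for a shared private helper. Because the method overwrites `AuthenticodeEnable` in every cached machine GPO without recording the prior value, reading it first and printing the old value would let an operator see what a `--set-force` or `--unset-force` run actually changed. A `using` form of the method, with the enumeration left as is:
```csharp
public void SetForceRegistryPolicyStat(bool enable)
{
    const string keyPath = @"Software\Microsoft\Windows\CurrentVersion\Group Policy Objects";
    using (var rk = RegistryKey.OpenBaseKey(RegistryHive.CurrentUser, RegistryView.Default))
    using (var srk = rk.OpenSubKey(keyPath))
    {
        // … unchanged: null check on srk and the *Machine sub-key path enumeration into policyKeys …
        foreach (var path in policyKeys)
        {
            using (var key = rk.CreateSubKey(path))
            {
                key.SetValue("AuthenticodeEnable", enable ? 1 : 0, RegistryValueKind.DWord);
            }
        }
    }
}
```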
@@ -1,50 +1,71 @@
-using System;
-using System.Linq;
-
-namespace SoftCertPolicyAppender
-{
- class Program
- {
- [STAThread]
- static void Main(string[] args)
- {
- var flag = 0;
- var cers = args.Where(x => x.EndsWith(".cer") || x.EndsWith(".crt") || x.EndsWith(".pem"));
- if (args.Contains("-r"))
- {
- flag = 1;
- }
- foreach (var s in cers)
- {
- try
- {
- var appdender = new CertPolicyAppender();
- appdender.Load(s);
- switch (flag)
- {
- case 0:
- appdender.WriteRegisty();
- appdender.AddCertPolicy();
- Console.WriteLine("Add cert policy for {0}",appdender.Certificate.Thumbprint);
- break;
- case 1:
- appdender.RemoveRegisty();
- appdender.RemoveCertPolicy();
- Console.WriteLine("Remove cert policy for {0}", appdender.Certificate.Thumbprint);
- break;
- }
-
- }
- catch (Exception e)
- {
- Console.ForegroundColor = ConsoleColor.Red;
- Console.WriteLine(e);
- Console.ResetColor();
- }
- }
- Console.ForegroundColor = ConsoleColor.Green;
- Console.WriteLine("All Success!");
- Console.ResetColor();
- }
- }
-}
+using System;
+using System.Linq;
+
+namespace SoftCertPolicyAppender
+{
+ class Program
+ {
+ [STAThread]
+ static void Main(string[] args)
+ {
+ var flag = 0;
+ var cers = args.Where(x => x.EndsWith(".cer") || x.EndsWith(".crt") || x.EndsWith(".pem")).ToArray();
+ if (args.Contains("-r"))
+ {
+ flag = 1;
+ }
+
+ if (args.Contains("--set-force"))
+ {
+ var appender = new CertPolicyAppender ();
+ appender.SetForceRegistryPolicyStat (true);
+ appender.SetForcePolicyStat (true);
+ Console.WriteLine("Apply force certificate policy");
+ }
+
+ if (args.Contains("--unset-force"))
+ {
+ var appender = new CertPolicyAppender ();
+ appender.SetForceRegistryPolicyStat (false);
+ appender.SetForcePolicyStat (false);
+ Console.WriteLine("Cancel force certificate policy");
+ }
+
+ for (var i=0 ;i<cers.Length;i++)
+ {
+ try
+ {
+ var appdender = new CertPolicyAppender();
+ appdender.Load(cers[i]);
+ Console.ForegroundColor = ConsoleColor.DarkGreen;
+ Console.Write("{0}.",i+1);
+ Console.ResetColor();
+ switch (flag)
+ {
+ case 0:
+ appdender.WriteRegisty();
+ appdender.AddCertPolicy();
+ Console.Write("Add cert policy for ");
+
+ break;
+ case 1:
+ appdender.RemoveRegisty();
+ appdender.RemoveCertPolicy();
+ Console.Write("Remove cert policy for ");
+ break;
+ }
+ Console.ForegroundColor = ConsoleColor.Yellow;
+ Console.WriteLine("{0}({1})",appdender.Certificate.Subject,appdender.Certificate.Thumbprint);
+ Console.ResetColor();
+ }
+ catch (Exception e)
+ {
+ Console.ForegroundColor = ConsoleColor.Red;
+ Console.WriteLine(e);
+ Console.ResetColor();
+ }
+ }
+ Console.WriteLine("Done");
+ }
+ }
+}
-- GitLab
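Review bot: The new `--set-force` and `--unset-force` blocks run outside the try/catch that protects the per-certificate loop, so a failure while writing machine policy (the `gpo.Save()` in SetForcePolicyStat or the HKCU key writes in SetForceRegistryPolicyStat) ends Main with an unhandled exception before any certificate is processed, whereas the same failure inside the loop is printed in red and the run continues. The two flags are also not mutually exclusive: passing both writes `true` and then `false` with no warning, and the run still finishes with `Done`. A guard for the conflicting flags and the same catch around the force-policy writes would make the two paths consistent:
```csharp
if (args.Contains("--set-force") && args.Contains("--unset-force"))
{
    Console.WriteLine("--set-force and --unset-force cannot be combined");
    return;
}

if (args.Contains("--set-force") || args.Contains("--unset-force"))
{
    var enable = args.Contains("--set-force");
    try
    {
        var appender = new CertPolicyAppender();
        appender.SetForceRegistryPolicyStat(enable);
        appender.SetForcePolicyStat(enable);
        Console.WriteLine(enable ? "Apply force certificate policy" : "Cancel force certificate policy");
    }
    catch (Exception e)
    {
        Console.ForegroundColor = ConsoleColor.Red;
        Console.WriteLine(e);
        Console.ResetColor();
    }
}
// … unchanged: per-certificate loop and the final "Done" line …
```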