Examples of how to encrypt/decrypt strings using an X509Certificate2 certificate.
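function ConvertTo-PlaintextString
{
    <#
    .SYNOPSIS
    Decrypts a Base64-encoded CMS (PKCS #7) EnvelopedData blob with the private key of the
    supplied certificate and returns the payload as a string.

    .DESCRIPTION
    The blob is decoded as EnvelopedCms and decrypted using ONLY the supplied certificate:
    a private X509Certificate2Collection is handed to Decrypt so the local user/machine
    certificate stores are not searched for a matching recipient key.

    If the decrypted payload is itself a SignedCms message (sign-then-encrypt), its
    signature is checked and the inner content is returned. A payload that is not a
    SignedCms is returned as-is. The payload is interpreted as UTF-16LE text, which is the
    encoding ConvertTo-EncryptedString uses.

    .PARAMETER EncryptedPassword
    Base64 string as produced by ConvertTo-EncryptedString (any CMS EnvelopedData works).

    .PARAMETER Certificate
    The recipient certificate. It must carry the private key; otherwise an
    ArgumentException is thrown before any decoding happens.

    .OUTPUTS
    System.String - the decrypted text.

    .NOTES
    CheckSignature($true) verifies only that the signature is cryptographically valid over
    the content; it does not build or validate the signer's certificate chain, so the
    caller still has to decide whether the signer is trusted. A decryption that yields no
    content, or a signed payload whose signature does not verify, now throws instead of
    returning unusable bytes as text. PowerShell's built-in Protect-CmsMessage /
    Unprotect-CmsMessage cmdlets offer the same operation without custom code.
    #>
    [CmdletBinding()]
    param
    (
        [parameter(Mandatory=$true)][string]$EncryptedPassword,
        [parameter(Mandatory=$true)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    begin
    {
        Add-Type -AssemblyName "System.Security"
    }
    process
    {
        if( -not $Certificate.HasPrivateKey )
        {
            throw [System.ArgumentException]::new("The certificate does not have a private key; it cannot decrypt.", "Certificate")
        }

        $bytes = [System.Convert]::FromBase64String($EncryptedPassword)

        # Restrict Decrypt to this one certificate so it does not search the local cert stores.
        $certificateCollection = [System.Security.Cryptography.X509Certificates.X509Certificate2Collection]::new()
        $null = $certificateCollection.Add($Certificate)

        $envelopedCms = [System.Security.Cryptography.Pkcs.EnvelopedCms]::new()
        $envelopedCms.Decode($bytes)
        $envelopedCms.Decrypt($certificateCollection)

        $content = $envelopedCms.ContentInfo.Content
        if( $null -eq $content -or $content.Length -eq 0 )
        {
            # An empty payload means decryption did not yield anything; the ciphertext
            # itself must never be handed back as if it were plaintext.
            throw [System.Security.Cryptography.CryptographicException]::new("Decryption produced no content.")
        }

        # The decrypted payload may be a SignedCms. Decode is expected to fail for a plain
        # payload, so only the decode is guarded - a signature failure must surface.
        $signedCms = [System.Security.Cryptography.Pkcs.SignedCms]::new()
        $isSigned = $true
        try
        {
            $signedCms.Decode($content)
        }
        catch [System.Security.Cryptography.CryptographicException]
        {
            $isSigned = $false
        }

        if( $isSigned )
        {
            # Signature-only check: no certificate chain validation (see .NOTES).
            $signedCms.CheckSignature($true)
            $content = $signedCms.ContentInfo.Content
        }

        return [System.Text.Encoding]::Unicode.GetString($content)
    }
    end
    {
    }
}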
function ConvertTo-EncryptedString
{
    <#
    .SYNOPSIS
    Encrypts a string for one certificate and returns the CMS (PKCS #7) EnvelopedData as Base64.

    .DESCRIPTION
    The text is encoded as UTF-16LE, wrapped in a ContentInfo and encrypted as an
    EnvelopedCms with the supplied certificate as the single recipient. The recipient's
    certificate (public part) is also embedded in the message. No content-encryption
    algorithm is specified, so the runtime's EnvelopedCms default is used; pass an explicit
    AlgorithmIdentifier to the EnvelopedCms constructor if a particular cipher is required.

    .PARAMETER String
    Text to encrypt. Decode it with ConvertTo-PlaintextString, which expects UTF-16LE.

    .PARAMETER Certificate
    Recipient certificate. Only its public key is needed for encryption.

    .OUTPUTS
    System.String - Base64 of the DER-encoded EnvelopedData.
    #>
    [CmdletBinding()]
    param
    (
        [parameter(Mandatory=$true)][string]$String,
        [parameter(Mandatory=$true)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    begin
    {
        Add-Type -AssemblyName "System.Security"
    }
    process
    {
        # UTF-16LE to match the decoder in ConvertTo-PlaintextString.
        $payload = [System.Text.Encoding]::Unicode.GetBytes($String)
        $contentInfo = [System.Security.Cryptography.Pkcs.ContentInfo]::new($payload)
        $message = [System.Security.Cryptography.Pkcs.EnvelopedCms]::new($contentInfo)

        # Bundle the recipient's certificate with the message; the decryptor does not rely
        # on it, since it supplies its own certificate to Decrypt.
        $null = $message.Certificates.Add($Certificate)

        $recipient = [System.Security.Cryptography.Pkcs.CmsRecipient]::new($Certificate)
        $message.Encrypt($recipient)

        [System.Convert]::ToBase64String($message.Encode())
    }
    end
    {
    }
}
# Demo: the thumbprint below is the gist author's own certificate and 'password' is a sample
# literal; replace both before reusing this snippet.
$certificate = Get-ChildItem -Path 'Cert:\CurrentUser\my\b8adc572332a16418f3b0caf09dbfc89ba3415a7'
$encryptArgs = @{ String = 'password'; Certificate = $certificate }
$encryptedString = ConvertTo-EncryptedString @encryptArgs
ConvertTo-PlaintextString -EncryptedPassword $encryptedString -Certificate $certificate