Functions/ConvertTo-PKISecureString.ps1
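<#
.SYNOPSIS
    Converts a string of encrypted text back into a SecureString object with the private key of a PKI certificate.
.DESCRIPTION
    EncryptedString is expected to be Base64 text holding RSA ciphertext with OAEP padding (the same padding the
    fOAEP=$true overload of RSACryptoServiceProvider.Decrypt uses) whose plaintext is UTF-8 encoded. The certificate
    is located by thumbprint in the 'My' store of the requested store, or - when CertificateStore is omitted - in
    CurrentUser first and then LocalMachine, and must carry an accessible private key.
    The decrypted bytes and characters are wiped from memory as soon as the SecureString has been built.
.PARAMETER EncryptedString
    The string of encrypted text to convert back into a SecureString object. Accepts pipeline input; every item
    received from the pipeline is decrypted, not only the last one.
.PARAMETER Thumbprint
    The hexadecimal thumbprint of a certificate on the local computer that will be used to decrypt the string.
    Whitespace (as copied from the certificate UI) is ignored; any non-hexadecimal value is rejected.
.PARAMETER CertificateStore
    Specifies the certificate store of the specified certificate thumbprint. Either LocalMachine or CurrentUser.
    When omitted, CurrentUser is searched first, then LocalMachine.
.EXAMPLE
    $EncryptedText = Get-Content ./encryptedText.txt
    $MySecretValue = ConvertTo-PKISecureString -EncryptedString $EncryptedText -Thumbprint '87BB70A19A7671D389F49AF4C9608B2F381FDD80'

    Reads an encrypted string from disk and decrypts it back into a SecureString.
.OUTPUTS
    System.Security.SecureString - one object per input string.
.NOTES
    Needs the Cert: provider (Windows PowerShell / PowerShell on Windows). Throws when the thumbprint is not hex,
    the certificate or its private key cannot be found, or when EncryptedString is not valid Base64 or was not
    encrypted for this key (the underlying FormatException / CryptographicException is left to propagate).
#>
function ConvertTo-PKISecureString {
    [CmdletBinding()]
    [OutputType([System.Security.SecureString])]
    param (
        [Parameter(Mandatory=$True,Position=1,ValueFromPipeline=$True)]
        [ValidateNotNullOrEmpty()]
        [System.String]
        $EncryptedString,

        [Parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        [System.String]
        $Thumbprint,

        [Parameter(Mandatory=$False)]
        [ValidateSet('CurrentUser','LocalMachine')]
        [System.String]
        $CertificateStore
    )

    begin {
        # The thumbprint is spliced into a Cert: path below. Strip whitespace and refuse anything that is not
        # plain hex so the value can never act as a path segment or provider wildcard.
        $cleanThumbprint = $Thumbprint -replace '\s', ''
        if ($cleanThumbprint -notmatch '^[0-9A-Fa-f]+$') {
            throw "Thumbprint '$Thumbprint' is not a hexadecimal certificate thumbprint"
        }

        # Search order: the explicitly requested store, otherwise CurrentUser then LocalMachine.
        $storesToSearch = if ($PSBoundParameters.ContainsKey('CertificateStore')) {
            @($CertificateStore)
        } else {
            @('CurrentUser', 'LocalMachine')
        }

        $Certificate = $null
        foreach ($store in $storesToSearch) {
            $candidate = Get-Item "Cert:\$store\My\$cleanThumbprint" -ErrorAction SilentlyContinue
            if ($null -ne $candidate -and $null -ne $candidate.Thumbprint) {
                $Certificate = $candidate
                break
            }
        }
        if ($null -eq $Certificate) {
            throw "Could not find a valid certificate in the $($storesToSearch -join ' or ') store with thumbprint $Thumbprint"
        }
        if (-not $Certificate.HasPrivateKey) {
            throw "Certificate $($Certificate.Thumbprint) has no private key and cannot be used to decrypt"
        }

        # Resolve an RSA private-key handle once for the whole pipeline. RSACertificateExtensions (.NET 4.6+)
        # works for both CSP and CNG keys, which the legacy PrivateKey property does not (it returns $null for
        # CNG keys); fall back to PrivateKey on runtimes that lack the extension type.
        $rsaKey = $null
        $ownsKey = $false
        $extType = 'System.Security.Cryptography.X509Certificates.RSACertificateExtensions' -as [Type]
        if ($null -ne $extType) {
            $rsaKey = $extType::GetRSAPrivateKey($Certificate)
            $ownsKey = $true   # GetRSAPrivateKey hands back a fresh object that we must dispose
        }
        if ($null -eq $rsaKey) {
            $rsaKey = $Certificate.PrivateKey   # owned by the certificate object; never dispose it here
            $ownsKey = $false
        }
        if ($null -eq $rsaKey) {
            throw "The private key of certificate $($Certificate.Thumbprint) is not accessible to the current user"
        }

        # RSAEncryptionPadding exists alongside RSACertificateExtensions (.NET 4.6+); older runtimes only
        # offer the (byte[], bool fOAEP) overload on RSACryptoServiceProvider.
        $oaepPadding = 'System.Security.Cryptography.RSAEncryptionPadding' -as [Type]
    }

    process {
        Write-Verbose "Converting encrypted string to SecureString with certificate thumbprint $($Certificate.Thumbprint)"
        # FormatException propagates on malformed Base64; there is no plaintext to protect at this point.
        $encryptedBytes = [System.Convert]::FromBase64String($EncryptedString)
        $decryptedBytes = $null
        $plainChars = $null
        try {
            # OAEP with SHA-1 is exactly what the fOAEP=$true overload selects, so existing ciphertext still decrypts.
            if ($null -ne $oaepPadding) {
                $decryptedBytes = $rsaKey.Decrypt($encryptedBytes, $oaepPadding::OaepSHA1)
            } else {
                $decryptedBytes = $rsaKey.Decrypt($encryptedBytes, $true)
            }
            # Build the SecureString from a char[] instead of an immutable .NET string so the plaintext can be
            # wiped below rather than lingering in the managed heap until garbage collection.
            $plainChars = [System.Text.Encoding]::UTF8.GetChars($decryptedBytes)
            $secure = New-Object System.Security.SecureString
            foreach ($ch in $plainChars) {
                $secure.AppendChar($ch)
            }
            $secure
        } finally {
            if ($null -ne $plainChars) {
                [Array]::Clear($plainChars, 0, $plainChars.Length)
            }
            if ($null -ne $decryptedBytes) {
                [Array]::Clear($decryptedBytes, 0, $decryptedBytes.Length)
            }
        }
    }

    end {
        if ($ownsKey -and $null -ne $rsaKey) {
            $rsaKey.Dispose()
        }
    }
}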