Welcome to MSDN Blogs Sign in | Join | Help

Signing Modules in SQL Server 2005 with Certificates

The one topic that I get asked to talk about frequently is Encrypting Data with SQL Server 2005.  Personally, I am very impressed with the build-in encryption support provided in SQL Server 2005, but one of my favorite and what appears to be a subtle Security enhancement in SQL Server 2005 is the ability to sign Modules such as Stored Procedures, Functions or Triggers with Certificates.

The first thing you are probably wonder is why would I want to sign a Stored Procedures?

By signing a Module with a certificate, the certificate is then granted the relevant permission and goes beyond what can be achieved with the "Execute As" feature, especially from an auditing perspective. 

When you perform tracing, the auditing table will record the "Execute As User" that performed the operation of the Stored Procedure (the user account in which the stored procedure is executing under) but does not show who the actual calling user was.  Now, there is a additional column in the auditing table that will record the original login that caused the actions to occur, however, in the trace records it will only show that Execute As User performed all the operations and not the original caller.

Thus the moral of the story is we use the Sign Module approach in SQL Server 2005 this will allow us to capture the original caller that caused the action to occur in the Stored Procedure.

So how do I set this up?

Let say we have an End User calling a Stored Procedure called Proc1 that will perform some kind of action on Table1.  The End User does not have permission on the Table 1, only the Proc1 does, however, the End User has been granted Execute permission.

Now we can sign Proc1 with a certificate called Cert1.  We then create a User called CertUser which is mapped to the Cert1.  Then we grant the necessary permission on Table1 to CertUser.

What is going on under the Hood of SQL Server 2005?

When a SQL Server 2005 User calls a Module the User Token--similar to a token in Windows will be passed to the Module.  The Token will contain both the primary id--identifies the calling user--and the secondary's id--the SQL Server 2005 roles the user belongs to.  If the Module has been signed, SQL Server 2005 will add the User Account which has been mapped to the Certificate--that was used to sign the Module--to the secondary id of the calling user.

Therefore, in our example, when EndUser calls SP1, SP1 will verify the signature of Cert1 and add CertUser--the user that was mapped to the Certificate--to the secondary id of the EndUser token.  Now EndUser can have access to the Table1 via the signed Module "Proc1" and in tracing we can capture the "Calling User"--End User--and not just the "Executing As User" only.

Published Wednesday, September 06, 2006 2:10 PM by dansellers
Filed under:

Comments

# re: Signing Modules in SQL Server 2005 with Certificates

Monday, August 11, 2008 9:47 AM by toddsriley

I am looking into using certificates and procedure signing as a temporary means of getting around granting direct permissions to the sp_OA procedures to our developers.  Eventually, we will, of course, move to using CLR procedures instead of sp_OA but as it stands, I just need a way to give these permissions to our developers through stored procedure signing. 

Here’s what I have been able to do and where I am running into issues.  I started by creating a stored procedure that was similar to the situation we have in our real production environment.  The procedure simply uses the sp_send_dbmail stored procedure to send me an email:

USE [my_database]

CREATE   PROCEDURE dbo.P_Send_Mail_Test

AS

BEGIN

EXECUTE msdb.dbo.sp_send_dbmail

   @profile_name = 'Name',

    @recipients = 'myemail@whatever.com',

    @body = 'Will this certification test work?',

    @subject = 'Certification Test'

END

Then I execute the proc to ensure that it works.  It does.  Then I grant permissions to a user in our database who is not a member of the sysadmin server role, impersonate him, then try to execute the procedure – “you do not have permissions to execute sp_send_dbmail”.  This was expected.  So I reverted to my own permissions and went to the msdb database.  I created a master key that was encrypted by a password and then a certificate:

CREATE CERTIFICATE My_Certificate

   WITH SUBJECT = 'User Certificate to Extend Impersonation',

   EXPIRY_DATE = '12/31/2009';

Then I added a signature to sp_send_dbmail by the certificate I had created and backed the cert up to a file location. (I had also removed the private key before backing up a few of the times I tried this).  I created a user from the cert in msdb, granted execute permissions on sp_send_dbmail to the user and also granted authenticate to the user.

I went back to my_database and created cert with same name from file location:

CREATE CERTIFICATE My_Certificate FROM FILE = 'C:\cert_sign.cer'

HERE IS WHERE I AM HAVING MY PROBLEM.  When I then try to sign my procedure, P_Send_Mail_Test, I get an error:

ADD SIGNATURE TO P_Send_Mail_Test BY CERTIFICATE My_Certificate

Msg 15556, Level 16, State 1, Line 2

Cannot decrypt or encrypt using the specified certificate, either because it has no private key or because the password provided for the private key is incorrect.

In other articles, I have seen examples where the author makes use of a private key and not the master key.  I would be more than happy to try this but do not know how to create a private key.  I even tried, when signing the procedure, using the signature from crypt_properties – didn’t work.  And also tried providing the password I used when creating the master key:

ADD SIGNATURE TO P_Send_Mail_Test BY CERTIFICATE User_Certificate

WITH  PASSWORD = 'WhateverItWas'

Without being able to sign my procedure, I don’t think this will work as P_Send_Mail_Test calls another procedure (namely sp_send_dbmail) from within it. 

Any information you might be able to give me would be most helpful.

Thanks,

Todd

# Security for Canadian Developers Signing Modules in SQL Server 2005 | Wood TV Stand

Sunday, May 31, 2009 5:52 PM by Security for Canadian Developers Signing Modules in SQL Server 2005 | Wood TV Stand

PingBack from http://woodtvstand.info/story.php?id=11937

Anonymous comments are disabled
 
Page view tracker