SQL Server – How to Add Signature to Stored Procedure by Certificate

certificatepermissionssql serversql-server-2017stored-procedures

I have a stored procedure in Database 1 that updates couple of tables in Database 1 and Database 2

To avoid granting calling login/user permissions to do table updates, I try to use code signing

Created certificate in the master database, and created login from this certificate
Then I've created users for this certificate-mapped login, in Database 1 and Database 2, and granted them permissions to do table updates

When I try to run below t-sql:

use [Database 1]
add signature to MyProcedure
by certificate MyCertificate

It throws:

Msg 15151, Level 16, State 1, Line 168
Cannot find the certificate 'MyCertificate', because it does not exist or you do not have permission.

Then I try

use [master]
add signature to [Database1].[dbo].MyProcedure
by certificate MyCertificate

I am in a sysadmin server role, but it throws:

Msg 15151, Level 16, State 1, Line 168
Cannot alter the object 'Database1.dbo.MyProcedure', because it does not exist or you do not have permission.

Question:

How can I properly add signature to my stored procedure in Database 1, by certificate that is in the master database ?

Best Answer

You need to copy the certificate from master to your user database. For example:

-- Copy master certificate to user database
USE master;
DECLARE @cert_id int = cert_id('your_certificate')
DECLARE @public_key  varbinary(MAX) = certencoded(@cert_id),
        @private_key varbinary(MAX) =
           certprivatekey(@cert_id,
              'your encryption password',
              'your decryption password')

--these values should not be NULL
SELECT @cert_id, @public_key, @private_key;

DECLARE @sql nvarchar(MAX) =
      'CREATE CERTIFICATE your_certificate
       FROM  BINARY = ' + convert(varchar(MAX), @public_key, 1) + '
       WITH PRIVATE KEY (BINARY = ' +
          convert(varchar(MAX), @private_key, 1) + ',
          DECRYPTION BY PASSWORD = ''your encryption password'',
          ENCRYPTION BY PASSWORD = ''your decryption password'')'

EXEC YourUserDatabase.sys.sp_executesql @sql;

EDIT

If the certificate is encrypted with the database master key instead of a password, omit the decryption password from CERTPRIVATEKEY (to decrypt with the source database DBMK) and omit the ENCRYPTION BY PASSWORD clause of CREATE CERTIFICATE (to encrypt with the target database DBMK). The password in this case is used only to encrypt the private key in transit.

-- Copy cert to user database
USE master;
DECLARE @cert_id int = cert_id('your_certificate')
DECLARE @public_key  varbinary(MAX) = CERTENCODED(@cert_id),
        @private_key varbinary(MAX) =
           CERTPRIVATEKEY(@cert_id,
              'your encryption password');

--these values should not be NULL
SELECT @cert_id, @public_key, @private_key;

--create certificate in target database encrypted with DBMK
DECLARE @sql nvarchar(MAX) =
      'CREATE CERTIFICATE your_certificate
       FROM  BINARY = ' + convert(varchar(MAX), @public_key, 1) + '
       WITH PRIVATE KEY (BINARY = ' +
          convert(varchar(MAX), @private_key, 1)
        + ', DECRYPTION BY PASSWORD = ''your encryption password'');'
PRINT @sql

EXEC YourUserDatabase.sys.sp_executesql @sql;
GO

I'll add that for only cross-database permissions, one doesn't need to create a login from the certificate. Create a certificate in a user database, copy the cert to other databases as needed, create a user from the certificate in each database and grant permissions to the cert user, and finally sign the proc with the certificate.

A server level principal is needed only when server-level permissions must be granted.

Related Solutions

Sql-server – New login is created but ‘sa’ cant assign grant/deny permissions to user in SQL Server 2008 R2

Syntax is OBJECT::Schema.Table not OBJECT::Database.Table

e.g.

use test
Deny INSERT,SELECT,UPDATE,DELETE ON OBJECT::dbo.T1 to public

SQL Server – Issues with Module Signing and SSIS Catalog Internal Procedures

Two thoughts, both revolving around Impersonation:

From the description of the issue as well as the error messages, they all deal with errors related to attempts to Impersonate / EXECUTE AS. This attempt to switch the execution context could be the entire problem. Why are you using EXECUTE AS LOGIN = N'CrossDbCertLogin'? That login (and the associated certificate, etc.) exists as a proxy to get implied permissions, not to execute anything directly. If you look more closely at the example you followed from sqlxdetails.com, you will notice that there is never a call to EXECUTE AS LOGIN = N'HighPrivCertLogin'.

Hence, I would start by:
1. No more attempts to EXECUTE AS LOGIN = N'CrossDbCertLogin'
2. Your stored procedure that calls the three SSIS Catalog Procedures should either have no EXECUTE AS clause or EXECUTE AS CALLER (which is the default if not specified)
3. Grant execute permission on each SSIS stored procedure to the certificate-based user in the [SSISDB] database. These are the implied permissions that your restricted login will pick up from the link between the proc being signed with the certificate that maps to a user that does have the necessary permissions:
```
USE [SSISDB];
GRANT EXECUTE ON [Create_Execution] TO [CrossDbCertUser];
GRANT EXECUTE ON [Set_Execution_Parameter_Value] TO [CrossDbCertUser];
GRANT EXECUTE ON [Start_Execution] TO [CrossDbCertUser];
```
  Of course, your example code doesn't show the creation of a local database user in either [msdb] or [SSISDB], but I assume these users were created. If not, then at the very least you need to create the user in [SSISDB] since that is where the database-level permission is needed (i.e. to execute the 3 SSIS procs). But it probably couldn't hurt to also create the certificate-based user in [msdb] as well.
If, for some reason (maybe SSIS, being an external process, cannot use an impersonated authentication token?) the execution context itself needs to be both privileged and impersonatable (yes, that is a perfectly cromulent word ;-), then the current approach won't work as you are trying to:
- impersonate logins that cannot have an execution context (i.e. certificate- and asymmetric key- based logins)
- impersonate via the EXECUTE AS clause of the CREATE PROCEDURE clause which cannot be reverted (I don't know why anyone would want to revert from that, but it is an error message you are getting when attempting this).
So, here are two things to try (again, assuming option # 1 above doesn't do the trick):
1. Create a SQLCLR stored procedure that does nothing more than connect via the connection string of "trusted_connection = true;" (which will connect to the default instance, presumably the instance you are currently on) and execute your stored procedure in [msdb] that runs the three SSIS procedures. This would work because unless you explicitly code for using Impersonation, it will by default make the external connection as the Windows/Active Directory account that is running the SQL Server process (i.e. the "Log On As" account in Services) and that account should be able to EXEC those SSIS procedures. This option wouldn't require any certificates or logins because you would GRANT EXECUTE on this SQLCLR stored procedure to that restricted login and this stored procedure makes a new, independent connection as a privileged login. This SQLCLR procedure has a single purpose such that logging in as the privileged login doesn't pose a security threat. The other key piece is: due to the connection being made by non-impersonated context, the authentication token can be passed to an external machine. But yes, the Assembly will need a PERMISSION_SET of EXTERNAL_ACCESS, and that should be accomplished by signing the Assembly and then creating an asymmetric key from the assembly and then creating a login based on that asymmetric key and then granting the EXTERNAL_ACCESS ASSEMBLY permission to that login.
  
  If assistance is needed with the database side of the Assembly / Asymmetric Key steps, I wrote an article, Stairway to SQLCLR Level 4: Security (EXTERNAL and UNSAFE Assemblies) (free registration required), that contains a step-by-step example of doing this; it just doesn't show the creation of the private key in Visual Studio.
  
  or
2. Create a queue table that your restricted login has permissions to INSERT into. Then create a SQL Agent Job that checks the queue table and if a "New" record is found, updates the status to "In Process", calls the stored procedure in [msdb] that calls the three SSIS procedures, and then finished, updates the queue record again to "Completed". In this method SQL Agent is running the stored procedure via a new connection from a non-impersonated context; hence, the authentication token can be passed to an external machine.

Best Answer

Related Solutions

Sql-server – New login is created but ‘sa’ cant assign grant/deny permissions to user in SQL Server 2008 R2

SQL Server – Issues with Module Signing and SSIS Catalog Internal Procedures

Related Question