Don't use Win32 native APIs on non-Windows for crypto of secure string over remoting (#8746)

Remoting relies on Windows native crypto APIs to pass a secure string.  Of course these APIs don't work on non-Windows.  However, the remoting code does not expect this to fail so ends up in a hang waiting for an event that never happens.

Have not figured out how to return an error to the user in the case `Get-Credential` is called within a PSSession.  Currently it just quietly closes the remote connection.  @PaulHigin can you give a pointer to where this code would exist?  Debugging the current code, it has a bunch of error handlers which just result in the pssession being closed and not sure where throwing is appropriate.

Fix #8723

## PR Context  

Fix is to provide implementations of the Win32 native pinvoke apis that throw an exception.  The reason to do it this way is that there's a bunch of code that calls some of the APIs of the wrapper .Net class to setup structures that eventually get passed to the win32 api.  Throwing in the managed class causes other things to fail early that should work on non-Windows.

Author: SteveL-MSFT

src/System.Management.Automation/engine/remoting/client/clientremotesession.cs

@@ -364,12 +364,14 @@ internal override void StartKeyExchange()
 
                     SessionDataStructureHandler.StateMachine.RaiseEvent(eventArgs);
                 }
+                else
+                {
+                    // send using data structure handler
+                    eventArgs = new RemoteSessionStateMachineEventArgs(RemoteSessionEvent.KeySent);
+                    SessionDataStructureHandler.StateMachine.RaiseEvent(eventArgs);
 
-                // send using data structure handler
-                eventArgs = new RemoteSessionStateMachineEventArgs(RemoteSessionEvent.KeySent);
-                SessionDataStructureHandler.StateMachine.RaiseEvent(eventArgs);
-
-                SessionDataStructureHandler.SendPublicKeyAsync(localPublicKey);
+                    SessionDataStructureHandler.SendPublicKeyAsync(localPublicKey);
+                }
             }
         }
 

src/System.Management.Automation/engine/serialization.cs

@@ -1108,47 +1108,42 @@ private bool HandleSecureString(object source, string streamName, string propert
                 {
                     // the principle used in serialization is that serialization
                     // never throws, and if something can't be serialized nothing
-                    // is written. So we write the elements only if encryption succeeds
-                    try
+                    // is written. So we write the elements only if encryption succeeds.
+                    // However, in the case for non-Windows where secure string encryption
+                    // is not yet supported, a PSCryptoException will be thrown.
+                    string encryptedString;
+                    if (_context.cryptoHelper != null)
                     {
-                        string encryptedString;
-                        if (_context.cryptoHelper != null)
-                        {
-                            encryptedString = _context.cryptoHelper.EncryptSecureString(secureString);
-                        }
-                        else
-                        {
-                            encryptedString = Microsoft.PowerShell.SecureStringHelper.Protect(secureString);
-                        }
+                        encryptedString = _context.cryptoHelper.EncryptSecureString(secureString);
+                    }
+                    else
+                    {
+                        encryptedString = Microsoft.PowerShell.SecureStringHelper.Protect(secureString);
+                    }
 
-                        if (property != null)
-                        {
-                            WriteStartElement(SerializationStrings.SecureStringTag);
-                            WriteNameAttribute(property);
-                        }
-                        else
-                        {
-                            WriteStartElement(SerializationStrings.SecureStringTag);
-                        }
+                    if (property != null)
+                    {
+                        WriteStartElement(SerializationStrings.SecureStringTag);
+                        WriteNameAttribute(property);
+                    }
+                    else
+                    {
+                        WriteStartElement(SerializationStrings.SecureStringTag);
+                    }
 
-                        if (streamName != null)
-                        {
-                            WriteAttribute(SerializationStrings.StreamNameAttribute, streamName);
-                        }
+                    if (streamName != null)
+                    {
+                        WriteAttribute(SerializationStrings.StreamNameAttribute, streamName);
+                    }
 
-                        // Note: We do not use WriteRaw for serializing secure string. WriteString
-                        // does necessary escaping which may be needed for certain
-                        // characters.
-                        _writer.WriteString(encryptedString);
+                    // Note: We do not use WriteRaw for serializing secure string. WriteString
+                    // does necessary escaping which may be needed for certain
+                    // characters.
+                    _writer.WriteString(encryptedString);
 
-                        _writer.WriteEndElement();
+                    _writer.WriteEndElement();
 
-                        return true;
-                    }
-                    catch (PSCryptoException)
-                    {
-                        // do nothing
-                    }
+                    return true;
                 }
             }
 

src/System.Management.Automation/resources/SecuritySupportStrings.resx

@@ -138,4 +138,7 @@
   <data name="CouldNotUseCertificate" xml:space="preserve">
     <value>ERROR: Could not find or use certificate: {0}</value>
   </data>
+  <data name="CannotEncryptSecureString" xml:space="preserve">
+    <value>Session key not available to encrypt secure string.</value>
+  </data>
 </root>

src/System.Management.Automation/utils/CryptoUtils.cs

@@ -80,6 +80,143 @@ internal class PSCryptoNativeUtils
     {
         #region Functions
 
+#if UNIX
+        /// Return Type: BOOL->int
+        ///hProv: HCRYPTPROV->ULONG_PTR->unsigned int
+        ///Algid: ALG_ID->unsigned int
+        ///dwFlags: DWORD->unsigned int
+        ///phKey: HCRYPTKEY*
+        public static bool CryptGenKey(
+            PSSafeCryptProvHandle hProv,
+            uint Algid,
+            uint dwFlags,
+            ref PSSafeCryptKey phKey)
+        {
+            throw new PSCryptoException();
+        }
+
+        /// Return Type: BOOL->int
+        ///hKey: HCRYPTKEY->ULONG_PTR->unsigned int
+        public static bool CryptDestroyKey(IntPtr hKey)
+        {
+            throw new PSCryptoException();
+        }
+
+        /// Return Type: BOOL->int
+        ///phProv: HCRYPTPROV*
+        ///szContainer: LPCWSTR->WCHAR*
+        ///szProvider: LPCWSTR->WCHAR*
+        ///dwProvType: DWORD->unsigned int
+        ///dwFlags: DWORD->unsigned int
+        public static bool CryptAcquireContext(ref PSSafeCryptProvHandle phProv,
+            [InAttribute()] [MarshalAsAttribute(UnmanagedType.LPWStr)] string szContainer,
+            [InAttribute()] [MarshalAsAttribute(UnmanagedType.LPWStr)] string szProvider,
+            uint dwProvType,
+            uint dwFlags)
+        {
+            throw new PSCryptoException();
+        }
+
+        /// Return Type: BOOL->int
+        ///hProv: HCRYPTPROV->ULONG_PTR->unsigned int
+        ///dwFlags: DWORD->unsigned int
+        public static bool CryptReleaseContext(IntPtr hProv, uint dwFlags)
+        {
+            throw new PSCryptoException();
+        }
+
+
+        /// Return Type: BOOL->int
+        ///hKey: HCRYPTKEY->ULONG_PTR->unsigned int
+        ///hHash: HCRYPTHASH->ULONG_PTR->unsigned int
+        ///Final: BOOL->int
+        ///dwFlags: DWORD->unsigned int
+        ///pbData: BYTE*
+        ///pdwDataLen: DWORD*
+        ///dwBufLen: DWORD->unsigned int
+        public static bool CryptEncrypt(PSSafeCryptKey hKey,
+            IntPtr hHash,
+            [MarshalAsAttribute(UnmanagedType.Bool)] bool Final,
+            uint dwFlags,
+            byte[] pbData,
+            ref int pdwDataLen,
+            int dwBufLen)
+        {
+            throw new PSCryptoException();
+        }
+
+
+        /// Return Type: BOOL->int
+        ///hKey: HCRYPTKEY->ULONG_PTR->unsigned int
+        ///hHash: HCRYPTHASH->ULONG_PTR->unsigned int
+        ///Final: BOOL->int
+        ///dwFlags: DWORD->unsigned int
+        ///pbData: BYTE*
+        ///pdwDataLen: DWORD*
+        public static bool CryptDecrypt(PSSafeCryptKey hKey,
+            IntPtr hHash,
+            [MarshalAsAttribute(UnmanagedType.Bool)] bool Final,
+            uint dwFlags,
+            byte[] pbData,
+            ref int pdwDataLen)
+        {
+            throw new PSCryptoException();
+        }
+
+        /// Return Type: BOOL->int
+        ///hKey: HCRYPTKEY->ULONG_PTR->unsigned int
+        ///hExpKey: HCRYPTKEY->ULONG_PTR->unsigned int
+        ///dwBlobType: DWORD->unsigned int
+        ///dwFlags: DWORD->unsigned int
+        ///pbData: BYTE*
+        ///pdwDataLen: DWORD*
+        public static bool CryptExportKey(PSSafeCryptKey hKey,
+            PSSafeCryptKey hExpKey,
+            uint dwBlobType,
+            uint dwFlags,
+            byte[] pbData,
+            ref uint pdwDataLen)
+        {
+            throw new PSCryptoException();
+        }
+
+        /// Return Type: BOOL->int
+        ///hProv: HCRYPTPROV->ULONG_PTR->unsigned int
+        ///pbData: BYTE*
+        ///dwDataLen: DWORD->unsigned int
+        ///hPubKey: HCRYPTKEY->ULONG_PTR->unsigned int
+        ///dwFlags: DWORD->unsigned int
+        ///phKey: HCRYPTKEY*
+        public static bool CryptImportKey(PSSafeCryptProvHandle hProv,
+            byte[] pbData,
+            int dwDataLen,
+            PSSafeCryptKey hPubKey,
+            uint dwFlags,
+            ref PSSafeCryptKey phKey)
+        {
+            throw new PSCryptoException();
+        }
+
+        /// Return Type: BOOL->int
+        ///hKey: HCRYPTKEY->ULONG_PTR->unsigned int
+        ///pdwReserved: DWORD*
+        ///dwFlags: DWORD->unsigned int
+        ///phKey: HCRYPTKEY*
+        public static bool CryptDuplicateKey(PSSafeCryptKey hKey,
+                                                    ref uint pdwReserved,
+                                                    uint dwFlags,
+                                                    ref PSSafeCryptKey phKey)
+        {
+            throw new PSCryptoException();
+        }
+
+        /// Return Type: DWORD->unsigned int
+        public static uint GetLastError()
+        {
+            throw new PSCryptoException();
+        }
+#else
+
         /// Return Type: BOOL->int
         ///hProv: HCRYPTPROV->ULONG_PTR->unsigned int
         ///Algid: ALG_ID->unsigned int
@@ -200,6 +337,7 @@ public static extern bool CryptDuplicateKey(PSSafeCryptKey hKey,
         /// Return Type: DWORD->unsigned int
         [DllImportAttribute(PinvokeDllNames.GetLastErrorDllName, EntryPoint = "GetLastError")]
         public static extern uint GetLastError();
+#endif
 
         #endregion Functions
 
@@ -1022,7 +1160,7 @@ protected string EncryptSecureStringCore(SecureString secureString)
             }
             else
             {
-                Dbg.Assert(false, "Session key not available to encrypt secure string");
+                throw new PSCryptoException(SecuritySupportStrings.CannotEncryptSecureString);
             }
 
             return encryptedDataAsString;