diff --git a/TameMyCerts/AutoVersionIncrement.cs b/AutoVersionIncrement.cs
similarity index 74%
rename from TameMyCerts/AutoVersionIncrement.cs
rename to AutoVersionIncrement.cs
index 8e803e3..be50a78 100644
--- a/TameMyCerts/AutoVersionIncrement.cs
+++ b/AutoVersionIncrement.cs
@@ -9,5 +9,5 @@
 // Build Number
 // Revision
-[assembly: AssemblyVersion("1.5.760.827")]
-[assembly: AssemblyFileVersion("1.5.760.827")]
+[assembly: AssemblyVersion("1.6.1027.907")]
+[assembly: AssemblyFileVersion("1.6.1027.907")]
diff --git a/TameMyCerts/AutoVersionIncrement.tt b/AutoVersionIncrement.tt
similarity index 86%
rename from TameMyCerts/AutoVersionIncrement.tt
rename to AutoVersionIncrement.tt
index c24d9db..d4054bb 100644
--- a/TameMyCerts/AutoVersionIncrement.tt
+++ b/AutoVersionIncrement.tt
@@ -10,8 +10,8 @@ using System.Reflection;
 // Build Number
 // Revision
-[assembly: AssemblyVersion("1.5.<#= this.BuildNumber #>.<#= this.RevisionNumber #>")]
-[assembly: AssemblyFileVersion("1.5.<#= this.BuildNumber #>.<#= this.RevisionNumber #>")]
+[assembly: AssemblyVersion("1.6.<#= this.BuildNumber #>.<#= this.RevisionNumber #>")]
+[assembly: AssemblyFileVersion("1.6.<#= this.BuildNumber #>.<#= this.RevisionNumber #>")]
 <#+
 // Days that have passed since Jan 1, 2021 00:00:00
 int BuildNumber = (int)(DateTime.UtcNow - new DateTime(
diff --git a/TameMyCerts/CERTCLILib.dll b/CERTCLILIB.dll
similarity index 98%
rename from TameMyCerts/CERTCLILib.dll
rename to CERTCLILIB.dll
index 9d86d10..9c655c3 100644
Binary files a/TameMyCerts/CERTCLILib.dll and b/CERTCLILIB.dll differ
diff --git a/CERTCLILIB.il b/CERTCLILIB.il
new file mode 100644
index 0000000..dd7a0d3
--- /dev/null
+++ b/CERTCLILIB.il
@@ -0,0 +1,1258 @@ + +// Microsoft (R) .NET Framework IL Disassembler. Version 4.8.3928.0 +// Copyright (c) Microsoft Corporation. Alle Rechte vorbehalten. + + + +// Metadata version: v4.0.30319 +.assembly extern mscorlib +{ + .publickeytoken = (B7 7A 5C 56 19 34 E0 89 ) // .z\V.4.. + .ver 4:0:0:0 +} +.assembly CERTCLILib +{ + .custom instance void [mscorlib]System.Runtime.InteropServices.ImportedFromTypeLibAttribute::.ctor(string) = ( 01 00 0A 43 45 52 54 43 4C 49 4C 69 62 00 00 ) // ...CERTCLILib.. + .custom instance void [mscorlib]System.Runtime.InteropServices.GuidAttribute::.ctor(string) = ( 01 00 24 33 37 32 46 43 45 33 32 2D 34 33 32 34 // ..$372FCE32-4324 + 2D 31 31 44 30 2D 38 38 31 30 2D 30 30 41 30 43 // -11D0-8810-00A0C + 39 30 33 42 38 33 43 00 00 ) // 903B83C.. + .custom instance void [mscorlib]System.Runtime.InteropServices.TypeLibVersionAttribute::.ctor(int32, + int32) = ( 01 00 01 00 00 00 00 00 00 00 00 00 ) + .hash algorithm 0x00008004 + .ver 1:0:0:0 +} +.module CERTCLILib.dll +// MVID: {C9EBF003-E9A0-49B8-BBFE-DA0BDF77D064} +.imagebase 0x00400000 +.file alignment 0x00000200 +.stackreserve 0x00100000 +.subsystem 0x0003 // WINDOWS_CUI +.corflags 0x00000001 // ILONLY +// Image base: 0x06C10000 + + +// =============== CLASS MEMBERS DECLARATION =================== + +.class interface public abstract auto ansi import CERTCLILib.ICertGetConfig +{ + .custom instance void [mscorlib]System.Runtime.InteropServices.GuidAttribute::.ctor(string) = ( 01 00 24 43 37 45 41 30 39 43 30 2D 43 45 31 37 // ..$C7EA09C0-CE17 + 2D 31 31 44 30 2D 38 38 33 33 2D 30 30 41 30 43 // -11D0-8833-00A0C + 39 30 33 42 38 33 43 00 00 ) // 903B83C.. + .custom instance void [mscorlib]System.Runtime.InteropServices.TypeLibTypeAttribute::.ctor(valuetype [mscorlib]System.Runtime.InteropServices.TypeLibTypeFlags) = ( 01 00 40 10 00 00 00 00 ) // ..@..... 
+ .method public hidebysig newslot abstract virtual + instance string + marshal( bstr) + GetConfig([in] int32 Flags) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 00 00 02 60 00 00 ) // .....`.. + } // end of method ICertGetConfig::GetConfig + +} // end of class CERTCLILib.ICertGetConfig + +.class interface public abstract auto ansi import CERTCLILib.CCertGetConfig + implements CERTCLILib.ICertGetConfig +{ + .custom instance void [mscorlib]System.Runtime.InteropServices.CoClassAttribute::.ctor(class [mscorlib]System.Type) = ( 01 00 1E 43 45 52 54 43 4C 49 4C 69 62 2E 43 43 // ...CERTCLILib.CC + 65 72 74 47 65 74 43 6F 6E 66 69 67 43 6C 61 73 // ertGetConfigClas + 73 00 00 ) // s.. + .custom instance void [mscorlib]System.Runtime.InteropServices.GuidAttribute::.ctor(string) = ( 01 00 24 43 37 45 41 30 39 43 30 2D 43 45 31 37 // ..$C7EA09C0-CE17 + 2D 31 31 44 30 2D 38 38 33 33 2D 30 30 41 30 43 // -11D0-8833-00A0C + 39 30 33 42 38 33 43 00 00 ) // 903B83C.. +} // end of class CERTCLILib.CCertGetConfig + +.class public auto ansi import CERTCLILib.CCertGetConfigClass + extends [mscorlib]System.Object + implements CERTCLILib.ICertGetConfig, + CERTCLILib.CCertGetConfig +{ + .custom instance void [mscorlib]System.Runtime.InteropServices.TypeLibTypeAttribute::.ctor(valuetype [mscorlib]System.Runtime.InteropServices.TypeLibTypeFlags) = ( 01 00 02 00 00 00 00 00 ) + .custom instance void [mscorlib]System.Runtime.InteropServices.GuidAttribute::.ctor(string) = ( 01 00 24 43 36 43 43 34 39 42 30 2D 43 45 31 37 // ..$C6CC49B0-CE17 + 2D 31 31 44 30 2D 38 38 33 33 2D 30 30 41 30 43 // -11D0-8833-00A0C + 39 30 33 42 38 33 43 00 00 ) // 903B83C.. 
+ .custom instance void [mscorlib]System.Runtime.InteropServices.ClassInterfaceAttribute::.ctor(valuetype [mscorlib]System.Runtime.InteropServices.ClassInterfaceType) = ( 01 00 00 00 00 00 00 00 ) + .method public specialname rtspecialname + instance void .ctor() runtime managed internalcall + { + } // end of method CCertGetConfigClass::.ctor + + .method public hidebysig newslot virtual + instance string + marshal( bstr) + GetConfig([in] int32 Flags) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 00 00 02 60 00 00 ) // .....`.. + .override CERTCLILib.ICertGetConfig::GetConfig + } // end of method CCertGetConfigClass::GetConfig + +} // end of class CERTCLILib.CCertGetConfigClass + +.class interface public abstract auto ansi import CERTCLILib.ICertConfig +{ + .custom instance void [mscorlib]System.Runtime.InteropServices.TypeLibTypeAttribute::.ctor(valuetype [mscorlib]System.Runtime.InteropServices.TypeLibTypeFlags) = ( 01 00 40 10 00 00 00 00 ) // ..@..... + .custom instance void [mscorlib]System.Runtime.InteropServices.GuidAttribute::.ctor(string) = ( 01 00 24 33 37 32 46 43 45 33 34 2D 34 33 32 34 // ..$372FCE34-4324 + 2D 31 31 44 30 2D 38 38 31 30 2D 30 30 41 30 43 // -11D0-8810-00A0C + 39 30 33 42 38 33 43 00 00 ) // 903B83C.. + .method public hidebysig newslot abstract virtual + instance int32 Reset([in] int32 Index) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 00 00 02 60 00 00 ) // .....`.. + } // end of method ICertConfig::Reset + + .method public hidebysig newslot abstract virtual + instance int32 Next() runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 01 00 02 60 00 00 ) // .....`.. 
+ } // end of method ICertConfig::Next + + .method public hidebysig newslot abstract virtual + instance string + marshal( bstr) + GetField([in] string marshal( bstr) strFieldName) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 02 00 02 60 00 00 ) // .....`.. + } // end of method ICertConfig::GetField + + .method public hidebysig newslot abstract virtual + instance string + marshal( bstr) + GetConfig([in] int32 Flags) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 03 00 02 60 00 00 ) // .....`.. + } // end of method ICertConfig::GetConfig + +} // end of class CERTCLILib.ICertConfig + +.class interface public abstract auto ansi import CERTCLILib.ICertConfig2 + implements CERTCLILib.ICertConfig +{ + .custom instance void [mscorlib]System.Runtime.InteropServices.TypeLibTypeAttribute::.ctor(valuetype [mscorlib]System.Runtime.InteropServices.TypeLibTypeFlags) = ( 01 00 40 10 00 00 00 00 ) // ..@..... + .custom instance void [mscorlib]System.Runtime.InteropServices.GuidAttribute::.ctor(string) = ( 01 00 24 37 41 31 38 45 44 44 45 2D 37 45 37 38 // ..$7A18EDDE-7E78 + 2D 34 31 36 33 2D 38 44 45 44 2D 37 38 45 32 43 // -4163-8DED-78E2C + 39 43 45 45 39 32 34 00 00 ) // 9CEE924.. + .method public hidebysig newslot abstract virtual + instance int32 Reset([in] int32 Index) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 00 00 02 60 00 00 ) // .....`.. + } // end of method ICertConfig2::Reset + + .method public hidebysig newslot abstract virtual + instance int32 Next() runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 01 00 02 60 00 00 ) // .....`.. 
+ } // end of method ICertConfig2::Next + + .method public hidebysig newslot abstract virtual + instance string + marshal( bstr) + GetField([in] string marshal( bstr) strFieldName) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 02 00 02 60 00 00 ) // .....`.. + } // end of method ICertConfig2::GetField + + .method public hidebysig newslot abstract virtual + instance string + marshal( bstr) + GetConfig([in] int32 Flags) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 03 00 02 60 00 00 ) // .....`.. + } // end of method ICertConfig2::GetConfig + + .method public hidebysig newslot abstract virtual + instance void SetSharedFolder([in] string marshal( bstr) strSharedFolder) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 00 00 03 60 00 00 ) // .....`.. + } // end of method ICertConfig2::SetSharedFolder + +} // end of class CERTCLILib.ICertConfig2 + +.class interface public abstract auto ansi import CERTCLILib.CCertConfig + implements CERTCLILib.ICertConfig2 +{ + .custom instance void [mscorlib]System.Runtime.InteropServices.CoClassAttribute::.ctor(class [mscorlib]System.Type) = ( 01 00 1B 43 45 52 54 43 4C 49 4C 69 62 2E 43 43 // ...CERTCLILib.CC + 65 72 74 43 6F 6E 66 69 67 43 6C 61 73 73 00 00 ) // ertConfigClass.. + .custom instance void [mscorlib]System.Runtime.InteropServices.GuidAttribute::.ctor(string) = ( 01 00 24 37 41 31 38 45 44 44 45 2D 37 45 37 38 // ..$7A18EDDE-7E78 + 2D 34 31 36 33 2D 38 44 45 44 2D 37 38 45 32 43 // -4163-8DED-78E2C + 39 43 45 45 39 32 34 00 00 ) // 9CEE924.. 
+} // end of class CERTCLILib.CCertConfig + +.class public auto ansi import CERTCLILib.CCertConfigClass + extends [mscorlib]System.Object + implements CERTCLILib.ICertConfig2, + CERTCLILib.CCertConfig +{ + .custom instance void [mscorlib]System.Runtime.InteropServices.TypeLibTypeAttribute::.ctor(valuetype [mscorlib]System.Runtime.InteropServices.TypeLibTypeFlags) = ( 01 00 02 00 00 00 00 00 ) + .custom instance void [mscorlib]System.Runtime.InteropServices.ClassInterfaceAttribute::.ctor(valuetype [mscorlib]System.Runtime.InteropServices.ClassInterfaceType) = ( 01 00 00 00 00 00 00 00 ) + .custom instance void [mscorlib]System.Runtime.InteropServices.GuidAttribute::.ctor(string) = ( 01 00 24 33 37 32 46 43 45 33 38 2D 34 33 32 34 // ..$372FCE38-4324 + 2D 31 31 44 30 2D 38 38 31 30 2D 30 30 41 30 43 // -11D0-8810-00A0C + 39 30 33 42 38 33 43 00 00 ) // 903B83C.. + .method public specialname rtspecialname + instance void .ctor() runtime managed internalcall + { + } // end of method CCertConfigClass::.ctor + + .method public hidebysig newslot virtual + instance int32 Reset([in] int32 Index) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 00 00 02 60 00 00 ) // .....`.. + .override CERTCLILib.ICertConfig2::Reset + } // end of method CCertConfigClass::Reset + + .method public hidebysig newslot virtual + instance int32 Next() runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 01 00 02 60 00 00 ) // .....`.. + .override CERTCLILib.ICertConfig2::Next + } // end of method CCertConfigClass::Next + + .method public hidebysig newslot virtual + instance string + marshal( bstr) + GetField([in] string marshal( bstr) strFieldName) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 02 00 02 60 00 00 ) // .....`.. 
+ .override CERTCLILib.ICertConfig2::GetField + } // end of method CCertConfigClass::GetField + + .method public hidebysig newslot virtual + instance string + marshal( bstr) + GetConfig([in] int32 Flags) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 03 00 02 60 00 00 ) // .....`.. + .override CERTCLILib.ICertConfig2::GetConfig + } // end of method CCertConfigClass::GetConfig + + .method public hidebysig newslot virtual + instance void SetSharedFolder([in] string marshal( bstr) strSharedFolder) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 00 00 03 60 00 00 ) // .....`.. + .override CERTCLILib.ICertConfig2::SetSharedFolder + } // end of method CCertConfigClass::SetSharedFolder + +} // end of class CERTCLILib.CCertConfigClass + +.class interface public abstract auto ansi import CERTCLILib.ICertRequest +{ + .custom instance void [mscorlib]System.Runtime.InteropServices.GuidAttribute::.ctor(string) = ( 01 00 24 30 31 34 45 34 38 34 30 2D 35 35 32 33 // ..$014E4840-5523 + 2D 31 31 44 30 2D 38 38 31 32 2D 30 30 41 30 43 // -11D0-8812-00A0C + 39 30 33 42 38 33 43 00 00 ) // 903B83C.. + .custom instance void [mscorlib]System.Runtime.InteropServices.TypeLibTypeAttribute::.ctor(valuetype [mscorlib]System.Runtime.InteropServices.TypeLibTypeFlags) = ( 01 00 40 10 00 00 00 00 ) // ..@..... + .method public hidebysig newslot abstract virtual + instance int32 Submit([in] int32 Flags, + [in] string marshal( bstr) strRequest, + [in] string marshal( bstr) strAttributes, + [in] string marshal( bstr) strConfig) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 00 00 02 60 00 00 ) // .....`.. 
+ } // end of method ICertRequest::Submit + + .method public hidebysig newslot abstract virtual + instance int32 RetrievePending([in] int32 RequestId, + [in] string marshal( bstr) strConfig) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 01 00 02 60 00 00 ) // .....`.. + } // end of method ICertRequest::RetrievePending + + .method public hidebysig newslot abstract virtual + instance int32 GetLastStatus() runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 02 00 02 60 00 00 ) // .....`.. + } // end of method ICertRequest::GetLastStatus + + .method public hidebysig newslot abstract virtual + instance int32 GetRequestId() runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 03 00 02 60 00 00 ) // .....`.. + } // end of method ICertRequest::GetRequestId + + .method public hidebysig newslot abstract virtual + instance string + marshal( bstr) + GetDispositionMessage() runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 04 00 02 60 00 00 ) // .....`.. + } // end of method ICertRequest::GetDispositionMessage + + .method public hidebysig newslot abstract virtual + instance string + marshal( bstr) + GetCACertificate([in] int32 fExchangeCertificate, + [in] string marshal( bstr) strConfig, + [in] int32 Flags) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 05 00 02 60 00 00 ) // .....`.. 
+ } // end of method ICertRequest::GetCACertificate + + .method public hidebysig newslot abstract virtual + instance string + marshal( bstr) + GetCertificate([in] int32 Flags) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 06 00 02 60 00 00 ) // .....`.. + } // end of method ICertRequest::GetCertificate + +} // end of class CERTCLILib.ICertRequest + +.class interface public abstract auto ansi import CERTCLILib.ICertRequest2 + implements CERTCLILib.ICertRequest +{ + .custom instance void [mscorlib]System.Runtime.InteropServices.TypeLibTypeAttribute::.ctor(valuetype [mscorlib]System.Runtime.InteropServices.TypeLibTypeFlags) = ( 01 00 40 10 00 00 00 00 ) // ..@..... + .custom instance void [mscorlib]System.Runtime.InteropServices.GuidAttribute::.ctor(string) = ( 01 00 24 41 34 37 37 32 39 38 38 2D 34 41 38 35 // ..$A4772988-4A85 + 2D 34 46 41 39 2D 38 32 34 45 2D 42 35 43 46 35 // -4FA9-824E-B5CF5 + 43 31 36 34 30 35 41 00 00 ) // C16405A.. + .method public hidebysig newslot abstract virtual + instance int32 Submit([in] int32 Flags, + [in] string marshal( bstr) strRequest, + [in] string marshal( bstr) strAttributes, + [in] string marshal( bstr) strConfig) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 00 00 02 60 00 00 ) // .....`.. + } // end of method ICertRequest2::Submit + + .method public hidebysig newslot abstract virtual + instance int32 RetrievePending([in] int32 RequestId, + [in] string marshal( bstr) strConfig) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 01 00 02 60 00 00 ) // .....`.. 
+ } // end of method ICertRequest2::RetrievePending + + .method public hidebysig newslot abstract virtual + instance int32 GetLastStatus() runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 02 00 02 60 00 00 ) // .....`.. + } // end of method ICertRequest2::GetLastStatus + + .method public hidebysig newslot abstract virtual + instance int32 GetRequestId() runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 03 00 02 60 00 00 ) // .....`.. + } // end of method ICertRequest2::GetRequestId + + .method public hidebysig newslot abstract virtual + instance string + marshal( bstr) + GetDispositionMessage() runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 04 00 02 60 00 00 ) // .....`.. + } // end of method ICertRequest2::GetDispositionMessage + + .method public hidebysig newslot abstract virtual + instance string + marshal( bstr) + GetCACertificate([in] int32 fExchangeCertificate, + [in] string marshal( bstr) strConfig, + [in] int32 Flags) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 05 00 02 60 00 00 ) // .....`.. + } // end of method ICertRequest2::GetCACertificate + + .method public hidebysig newslot abstract virtual + instance string + marshal( bstr) + GetCertificate([in] int32 Flags) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 06 00 02 60 00 00 ) // .....`.. 
+ } // end of method ICertRequest2::GetCertificate + + .method public hidebysig newslot abstract virtual + instance int32 GetIssuedCertificate([in] string marshal( bstr) strConfig, + [in] int32 RequestId, + [in] string marshal( bstr) strSerialNumber) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 00 00 03 60 00 00 ) // .....`.. + } // end of method ICertRequest2::GetIssuedCertificate + + .method public hidebysig newslot abstract virtual + instance string + marshal( bstr) + GetErrorMessageText([in] int32 hrMessage, + [in] int32 Flags) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 01 00 03 60 00 00 ) // .....`.. + } // end of method ICertRequest2::GetErrorMessageText + + .method public hidebysig newslot abstract virtual + instance object + marshal( struct) + GetCAProperty([in] string marshal( bstr) strConfig, + [in] int32 PropId, + [in] int32 PropIndex, + [in] int32 PropType, + [in] int32 Flags) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 02 00 03 60 00 00 ) // .....`.. + } // end of method ICertRequest2::GetCAProperty + + .method public hidebysig newslot abstract virtual + instance int32 GetCAPropertyFlags([in] string marshal( bstr) strConfig, + [in] int32 PropId) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 03 00 03 60 00 00 ) // .....`.. 
+ } // end of method ICertRequest2::GetCAPropertyFlags + + .method public hidebysig newslot abstract virtual + instance string + marshal( bstr) + GetCAPropertyDisplayName([in] string marshal( bstr) strConfig, + [in] int32 PropId) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 04 00 03 60 00 00 ) // .....`.. + } // end of method ICertRequest2::GetCAPropertyDisplayName + + .method public hidebysig newslot abstract virtual + instance object + marshal( struct) + GetFullResponseProperty([in] int32 PropId, + [in] int32 PropIndex, + [in] int32 PropType, + [in] int32 Flags) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 05 00 03 60 00 00 ) // .....`.. + } // end of method ICertRequest2::GetFullResponseProperty + +} // end of class CERTCLILib.ICertRequest2 + +.class interface public abstract auto ansi import CERTCLILib.ICertRequest3 + implements CERTCLILib.ICertRequest2 +{ + .custom instance void [mscorlib]System.Runtime.InteropServices.TypeLibTypeAttribute::.ctor(valuetype [mscorlib]System.Runtime.InteropServices.TypeLibTypeFlags) = ( 01 00 40 10 00 00 00 00 ) // ..@..... + .custom instance void [mscorlib]System.Runtime.InteropServices.GuidAttribute::.ctor(string) = ( 01 00 24 41 46 43 38 46 39 32 42 2D 33 33 41 32 // ..$AFC8F92B-33A2 + 2D 34 38 36 31 2D 42 46 33 36 2D 32 39 33 33 42 // -4861-BF36-2933B + 37 43 44 36 37 42 33 00 00 ) // 7CD67B3.. + .method public hidebysig newslot abstract virtual + instance int32 Submit([in] int32 Flags, + [in] string marshal( bstr) strRequest, + [in] string marshal( bstr) strAttributes, + [in] string marshal( bstr) strConfig) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 00 00 02 60 00 00 ) // .....`.. 
+ } // end of method ICertRequest3::Submit + + .method public hidebysig newslot abstract virtual + instance int32 RetrievePending([in] int32 RequestId, + [in] string marshal( bstr) strConfig) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 01 00 02 60 00 00 ) // .....`.. + } // end of method ICertRequest3::RetrievePending + + .method public hidebysig newslot abstract virtual + instance int32 GetLastStatus() runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 02 00 02 60 00 00 ) // .....`.. + } // end of method ICertRequest3::GetLastStatus + + .method public hidebysig newslot abstract virtual + instance int32 GetRequestId() runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 03 00 02 60 00 00 ) // .....`.. + } // end of method ICertRequest3::GetRequestId + + .method public hidebysig newslot abstract virtual + instance string + marshal( bstr) + GetDispositionMessage() runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 04 00 02 60 00 00 ) // .....`.. + } // end of method ICertRequest3::GetDispositionMessage + + .method public hidebysig newslot abstract virtual + instance string + marshal( bstr) + GetCACertificate([in] int32 fExchangeCertificate, + [in] string marshal( bstr) strConfig, + [in] int32 Flags) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 05 00 02 60 00 00 ) // .....`.. 
+ } // end of method ICertRequest3::GetCACertificate + + .method public hidebysig newslot abstract virtual + instance string + marshal( bstr) + GetCertificate([in] int32 Flags) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 06 00 02 60 00 00 ) // .....`.. + } // end of method ICertRequest3::GetCertificate + + .method public hidebysig newslot abstract virtual + instance int32 GetIssuedCertificate([in] string marshal( bstr) strConfig, + [in] int32 RequestId, + [in] string marshal( bstr) strSerialNumber) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 00 00 03 60 00 00 ) // .....`.. + } // end of method ICertRequest3::GetIssuedCertificate + + .method public hidebysig newslot abstract virtual + instance string + marshal( bstr) + GetErrorMessageText([in] int32 hrMessage, + [in] int32 Flags) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 01 00 03 60 00 00 ) // .....`.. + } // end of method ICertRequest3::GetErrorMessageText + + .method public hidebysig newslot abstract virtual + instance object + marshal( struct) + GetCAProperty([in] string marshal( bstr) strConfig, + [in] int32 PropId, + [in] int32 PropIndex, + [in] int32 PropType, + [in] int32 Flags) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 02 00 03 60 00 00 ) // .....`.. + } // end of method ICertRequest3::GetCAProperty + + .method public hidebysig newslot abstract virtual + instance int32 GetCAPropertyFlags([in] string marshal( bstr) strConfig, + [in] int32 PropId) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 03 00 03 60 00 00 ) // .....`.. 
+ } // end of method ICertRequest3::GetCAPropertyFlags + + .method public hidebysig newslot abstract virtual + instance string + marshal( bstr) + GetCAPropertyDisplayName([in] string marshal( bstr) strConfig, + [in] int32 PropId) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 04 00 03 60 00 00 ) // .....`.. + } // end of method ICertRequest3::GetCAPropertyDisplayName + + .method public hidebysig newslot abstract virtual + instance object + marshal( struct) + GetFullResponseProperty([in] int32 PropId, + [in] int32 PropIndex, + [in] int32 PropType, + [in] int32 Flags) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 05 00 03 60 00 00 ) // .....`.. + } // end of method ICertRequest3::GetFullResponseProperty + + .method public hidebysig newslot abstract virtual + instance void SetCredential([in] int32 hWnd, + [in] valuetype CERTCLILib.X509EnrollmentAuthFlags AuthType, + [in] string marshal( bstr) strCredential, + [in] string marshal( bstr) strPassword) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 00 00 04 60 00 00 ) // .....`.. + } // end of method ICertRequest3::SetCredential + + .method public hidebysig newslot abstract virtual + instance string + marshal( bstr) + GetRequestIdString() runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 01 00 04 60 00 00 ) // .....`.. 
+ } // end of method ICertRequest3::GetRequestIdString + + .method public hidebysig newslot abstract virtual + instance int32 GetIssuedCertificate2([in] string marshal( bstr) strConfig, + [in] string marshal( bstr) strRequestId, + [in] string marshal( bstr) strSerialNumber) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 02 00 04 60 00 00 ) // .....`.. + } // end of method ICertRequest3::GetIssuedCertificate2 + + .method public hidebysig newslot abstract virtual + instance bool GetRefreshPolicy() runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 03 00 04 60 00 00 ) // .....`.. + } // end of method ICertRequest3::GetRefreshPolicy + +} // end of class CERTCLILib.ICertRequest3 + +.class interface public abstract auto ansi import CERTCLILib.CCertRequest + implements CERTCLILib.ICertRequest3 +{ + .custom instance void [mscorlib]System.Runtime.InteropServices.GuidAttribute::.ctor(string) = ( 01 00 24 41 46 43 38 46 39 32 42 2D 33 33 41 32 // ..$AFC8F92B-33A2 + 2D 34 38 36 31 2D 42 46 33 36 2D 32 39 33 33 42 // -4861-BF36-2933B + 37 43 44 36 37 42 33 00 00 ) // 7CD67B3.. + .custom instance void [mscorlib]System.Runtime.InteropServices.CoClassAttribute::.ctor(class [mscorlib]System.Type) = ( 01 00 1C 43 45 52 54 43 4C 49 4C 69 62 2E 43 43 // ...CERTCLILib.CC + 65 72 74 52 65 71 75 65 73 74 43 6C 61 73 73 00 // ertRequestClass. 
+ 00 ) +} // end of class CERTCLILib.CCertRequest + +.class public auto ansi import CERTCLILib.CCertRequestClass + extends [mscorlib]System.Object + implements CERTCLILib.ICertRequest3, + CERTCLILib.CCertRequest +{ + .custom instance void [mscorlib]System.Runtime.InteropServices.ClassInterfaceAttribute::.ctor(valuetype [mscorlib]System.Runtime.InteropServices.ClassInterfaceType) = ( 01 00 00 00 00 00 00 00 ) + .custom instance void [mscorlib]System.Runtime.InteropServices.TypeLibTypeAttribute::.ctor(valuetype [mscorlib]System.Runtime.InteropServices.TypeLibTypeFlags) = ( 01 00 02 00 00 00 00 00 ) + .custom instance void [mscorlib]System.Runtime.InteropServices.GuidAttribute::.ctor(string) = ( 01 00 24 39 38 41 46 46 33 46 30 2D 35 35 32 34 // ..$98AFF3F0-5524 + 2D 31 31 44 30 2D 38 38 31 32 2D 30 30 41 30 43 // -11D0-8812-00A0C + 39 30 33 42 38 33 43 00 00 ) // 903B83C.. + .method public specialname rtspecialname + instance void .ctor() runtime managed internalcall + { + } // end of method CCertRequestClass::.ctor + + .method public hidebysig newslot virtual + instance int32 Submit([in] int32 Flags, + [in] string marshal( bstr) strRequest, + [in] string marshal( bstr) strAttributes, + [in] string marshal( bstr) strConfig) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 00 00 02 60 00 00 ) // .....`.. + .override CERTCLILib.ICertRequest3::Submit + } // end of method CCertRequestClass::Submit + + .method public hidebysig newslot virtual + instance int32 RetrievePending([in] int32 RequestId, + [in] string marshal( bstr) strConfig) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 01 00 02 60 00 00 ) // .....`.. 
+ .override CERTCLILib.ICertRequest3::RetrievePending + } // end of method CCertRequestClass::RetrievePending + + .method public hidebysig newslot virtual + instance int32 GetLastStatus() runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 02 00 02 60 00 00 ) // .....`.. + .override CERTCLILib.ICertRequest3::GetLastStatus + } // end of method CCertRequestClass::GetLastStatus + + .method public hidebysig newslot virtual + instance int32 GetRequestId() runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 03 00 02 60 00 00 ) // .....`.. + .override CERTCLILib.ICertRequest3::GetRequestId + } // end of method CCertRequestClass::GetRequestId + + .method public hidebysig newslot virtual + instance string + marshal( bstr) + GetDispositionMessage() runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 04 00 02 60 00 00 ) // .....`.. + .override CERTCLILib.ICertRequest3::GetDispositionMessage + } // end of method CCertRequestClass::GetDispositionMessage + + .method public hidebysig newslot virtual + instance string + marshal( bstr) + GetCACertificate([in] int32 fExchangeCertificate, + [in] string marshal( bstr) strConfig, + [in] int32 Flags) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 05 00 02 60 00 00 ) // .....`.. + .override CERTCLILib.ICertRequest3::GetCACertificate + } // end of method CCertRequestClass::GetCACertificate + + .method public hidebysig newslot virtual + instance string + marshal( bstr) + GetCertificate([in] int32 Flags) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 06 00 02 60 00 00 ) // .....`.. 
+ .override CERTCLILib.ICertRequest3::GetCertificate + } // end of method CCertRequestClass::GetCertificate + + .method public hidebysig newslot virtual + instance int32 GetIssuedCertificate([in] string marshal( bstr) strConfig, + [in] int32 RequestId, + [in] string marshal( bstr) strSerialNumber) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 00 00 03 60 00 00 ) // .....`.. + .override CERTCLILib.ICertRequest3::GetIssuedCertificate + } // end of method CCertRequestClass::GetIssuedCertificate + + .method public hidebysig newslot virtual + instance string + marshal( bstr) + GetErrorMessageText([in] int32 hrMessage, + [in] int32 Flags) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 01 00 03 60 00 00 ) // .....`.. + .override CERTCLILib.ICertRequest3::GetErrorMessageText + } // end of method CCertRequestClass::GetErrorMessageText + + .method public hidebysig newslot virtual + instance object + marshal( struct) + GetCAProperty([in] string marshal( bstr) strConfig, + [in] int32 PropId, + [in] int32 PropIndex, + [in] int32 PropType, + [in] int32 Flags) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 02 00 03 60 00 00 ) // .....`.. + .override CERTCLILib.ICertRequest3::GetCAProperty + } // end of method CCertRequestClass::GetCAProperty + + .method public hidebysig newslot virtual + instance int32 GetCAPropertyFlags([in] string marshal( bstr) strConfig, + [in] int32 PropId) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 03 00 03 60 00 00 ) // .....`.. 
+ .override CERTCLILib.ICertRequest3::GetCAPropertyFlags + } // end of method CCertRequestClass::GetCAPropertyFlags + + .method public hidebysig newslot virtual + instance string + marshal( bstr) + GetCAPropertyDisplayName([in] string marshal( bstr) strConfig, + [in] int32 PropId) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 04 00 03 60 00 00 ) // .....`.. + .override CERTCLILib.ICertRequest3::GetCAPropertyDisplayName + } // end of method CCertRequestClass::GetCAPropertyDisplayName + + .method public hidebysig newslot virtual + instance object + marshal( struct) + GetFullResponseProperty([in] int32 PropId, + [in] int32 PropIndex, + [in] int32 PropType, + [in] int32 Flags) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 05 00 03 60 00 00 ) // .....`.. + .override CERTCLILib.ICertRequest3::GetFullResponseProperty + } // end of method CCertRequestClass::GetFullResponseProperty + + .method public hidebysig newslot virtual + instance void SetCredential([in] int32 hWnd, + [in] valuetype CERTCLILib.X509EnrollmentAuthFlags AuthType, + [in] string marshal( bstr) strCredential, + [in] string marshal( bstr) strPassword) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 00 00 04 60 00 00 ) // .....`.. + .override CERTCLILib.ICertRequest3::SetCredential + } // end of method CCertRequestClass::SetCredential + + .method public hidebysig newslot virtual + instance string + marshal( bstr) + GetRequestIdString() runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 01 00 04 60 00 00 ) // .....`.. 
+ .override CERTCLILib.ICertRequest3::GetRequestIdString + } // end of method CCertRequestClass::GetRequestIdString + + .method public hidebysig newslot virtual + instance int32 GetIssuedCertificate2([in] string marshal( bstr) strConfig, + [in] string marshal( bstr) strRequestId, + [in] string marshal( bstr) strSerialNumber) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 02 00 04 60 00 00 ) // .....`.. + .override CERTCLILib.ICertRequest3::GetIssuedCertificate2 + } // end of method CCertRequestClass::GetIssuedCertificate2 + + .method public hidebysig newslot virtual + instance bool GetRefreshPolicy() runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 03 00 04 60 00 00 ) // .....`.. + .override CERTCLILib.ICertRequest3::GetRefreshPolicy + } // end of method CCertRequestClass::GetRefreshPolicy + +} // end of class CERTCLILib.CCertRequestClass + +.class interface public abstract auto ansi import CERTCLILib.ICertServerPolicy +{ + .custom instance void [mscorlib]System.Runtime.InteropServices.TypeLibTypeAttribute::.ctor(valuetype [mscorlib]System.Runtime.InteropServices.TypeLibTypeFlags) = ( 01 00 40 10 00 00 00 00 ) // ..@..... + .custom instance void [mscorlib]System.Runtime.InteropServices.GuidAttribute::.ctor(string) = ( 01 00 24 41 41 30 30 30 39 32 32 2D 46 46 42 45 // ..$AA000922-FFBE + 2D 31 31 43 46 2D 38 38 30 30 2D 30 30 41 30 43 // -11CF-8800-00A0C + 39 30 33 42 38 33 43 00 00 ) // 903B83C.. + .method public hidebysig newslot abstract virtual + instance void SetContext([in] int32 Context) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 00 00 02 60 00 00 ) // .....`.. 
+ } // end of method ICertServerPolicy::SetContext + + .method public hidebysig newslot abstract virtual + instance object + marshal( struct) + GetRequestProperty([in] string marshal( bstr) strPropertyName, + [in] int32 PropertyType, + [out] native int pvarPropertyValue) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 01 00 02 60 00 00 ) // .....`.. + } // end of method ICertServerPolicy::GetRequestProperty + + .method public hidebysig newslot abstract virtual + instance string + marshal( bstr) + GetRequestAttribute([in] string marshal( bstr) strAttributeName) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 02 00 02 60 00 00 ) // .....`.. + } // end of method ICertServerPolicy::GetRequestAttribute + + .method public hidebysig newslot abstract virtual + instance object + marshal( struct) + GetCertificateProperty([in] string marshal( bstr) strPropertyName, + [in] int32 PropertyType, + [out] native int pvarPropertyValue) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 03 00 02 60 00 00 ) // .....`.. + } // end of method ICertServerPolicy::GetCertificateProperty + + .method public hidebysig newslot abstract virtual + instance void SetCertificateProperty([in] string marshal( bstr) strPropertyName, + [in] int32 PropertyType, + [in] object& marshal( struct) pvarPropertyValue) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 04 00 02 60 00 00 ) // .....`.. 
+ } // end of method ICertServerPolicy::SetCertificateProperty + + .method public hidebysig newslot abstract virtual + instance object + marshal( struct) + GetCertificateExtension([in] string marshal( bstr) strExtensionName, + [in] int32 Type, + [out] native int pvarValue) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 05 00 02 60 00 00 ) // .....`.. + } // end of method ICertServerPolicy::GetCertificateExtension + + .method public hidebysig newslot abstract virtual + instance int32 GetCertificateExtensionFlags() runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 06 00 02 60 00 00 ) // .....`.. + } // end of method ICertServerPolicy::GetCertificateExtensionFlags + + .method public hidebysig newslot abstract virtual + instance void SetCertificateExtension([in] string marshal( bstr) strExtensionName, + [in] int32 Type, + [in] int32 ExtFlags, + [in] native int pvarValue) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 07 00 02 60 00 00 ) // .....`.. + } // end of method ICertServerPolicy::SetCertificateExtension + + .method public hidebysig newslot abstract virtual + instance void EnumerateExtensionsSetup([in] int32 Flags) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 08 00 02 60 00 00 ) // .....`.. + } // end of method ICertServerPolicy::EnumerateExtensionsSetup + + .method public hidebysig newslot abstract virtual + instance string + marshal( bstr) + EnumerateExtensions() runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 09 00 02 60 00 00 ) // .....`.. 
+ } // end of method ICertServerPolicy::EnumerateExtensions + + .method public hidebysig newslot abstract virtual + instance void EnumerateExtensionsClose() runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 0A 00 02 60 00 00 ) // .....`.. + } // end of method ICertServerPolicy::EnumerateExtensionsClose + + .method public hidebysig newslot abstract virtual + instance void EnumerateAttributesSetup([in] int32 Flags) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 0B 00 02 60 00 00 ) // .....`.. + } // end of method ICertServerPolicy::EnumerateAttributesSetup + + .method public hidebysig newslot abstract virtual + instance string + marshal( bstr) + EnumerateAttributes() runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 0C 00 02 60 00 00 ) // .....`.. + } // end of method ICertServerPolicy::EnumerateAttributes + + .method public hidebysig newslot abstract virtual + instance void EnumerateAttributesClose() runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 0D 00 02 60 00 00 ) // .....`.. + } // end of method ICertServerPolicy::EnumerateAttributesClose + +} // end of class CERTCLILib.ICertServerPolicy + +.class interface public abstract auto ansi import CERTCLILib.CCertServerPolicy + implements CERTCLILib.ICertServerPolicy +{ + .custom instance void [mscorlib]System.Runtime.InteropServices.CoClassAttribute::.ctor(class [mscorlib]System.Type) = ( 01 00 21 43 45 52 54 43 4C 49 4C 69 62 2E 43 43 // ..!CERTCLILib.CC + 65 72 74 53 65 72 76 65 72 50 6F 6C 69 63 79 43 // ertServerPolicyC + 6C 61 73 73 00 00 ) // lass.. 
+ .custom instance void [mscorlib]System.Runtime.InteropServices.GuidAttribute::.ctor(string) = ( 01 00 24 41 41 30 30 30 39 32 32 2D 46 46 42 45 // ..$AA000922-FFBE + 2D 31 31 43 46 2D 38 38 30 30 2D 30 30 41 30 43 // -11CF-8800-00A0C + 39 30 33 42 38 33 43 00 00 ) // 903B83C.. +} // end of class CERTCLILib.CCertServerPolicy + +.class public auto ansi import CERTCLILib.CCertServerPolicyClass + extends [mscorlib]System.Object + implements CERTCLILib.ICertServerPolicy, + CERTCLILib.CCertServerPolicy +{ + .custom instance void [mscorlib]System.Runtime.InteropServices.GuidAttribute::.ctor(string) = ( 01 00 24 41 41 30 30 30 39 32 36 2D 46 46 42 45 // ..$AA000926-FFBE + 2D 31 31 43 46 2D 38 38 30 30 2D 30 30 41 30 43 // -11CF-8800-00A0C + 39 30 33 42 38 33 43 00 00 ) // 903B83C.. + .custom instance void [mscorlib]System.Runtime.InteropServices.ClassInterfaceAttribute::.ctor(valuetype [mscorlib]System.Runtime.InteropServices.ClassInterfaceType) = ( 01 00 00 00 00 00 00 00 ) + .custom instance void [mscorlib]System.Runtime.InteropServices.TypeLibTypeAttribute::.ctor(valuetype [mscorlib]System.Runtime.InteropServices.TypeLibTypeFlags) = ( 01 00 02 00 00 00 00 00 ) + .method public specialname rtspecialname + instance void .ctor() runtime managed internalcall + { + } // end of method CCertServerPolicyClass::.ctor + + .method public hidebysig newslot virtual + instance void SetContext([in] int32 Context) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 00 00 02 60 00 00 ) // .....`.. 
+ .override CERTCLILib.ICertServerPolicy::SetContext + } // end of method CCertServerPolicyClass::SetContext + + .method public hidebysig newslot virtual + instance object + marshal( struct) + GetRequestProperty([in] string marshal( bstr) strPropertyName, + [in] int32 PropertyType, + [out] native int pvarPropertyValue) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 01 00 02 60 00 00 ) // .....`.. + .override CERTCLILib.ICertServerPolicy::GetRequestProperty + } // end of method CCertServerPolicyClass::GetRequestProperty + + .method public hidebysig newslot virtual + instance string + marshal( bstr) + GetRequestAttribute([in] string marshal( bstr) strAttributeName) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 02 00 02 60 00 00 ) // .....`.. + .override CERTCLILib.ICertServerPolicy::GetRequestAttribute + } // end of method CCertServerPolicyClass::GetRequestAttribute + + .method public hidebysig newslot virtual + instance object + marshal( struct) + GetCertificateProperty([in] string marshal( bstr) strPropertyName, + [in] int32 PropertyType, + [out] native int pvarPropertyValue) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 03 00 02 60 00 00 ) // .....`.. + .override CERTCLILib.ICertServerPolicy::GetCertificateProperty + } // end of method CCertServerPolicyClass::GetCertificateProperty + + .method public hidebysig newslot virtual + instance void SetCertificateProperty([in] string marshal( bstr) strPropertyName, + [in] int32 PropertyType, + [in] object& marshal( struct) pvarPropertyValue) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 04 00 02 60 00 00 ) // .....`.. 
+ .override CERTCLILib.ICertServerPolicy::SetCertificateProperty + } // end of method CCertServerPolicyClass::SetCertificateProperty + + .method public hidebysig newslot virtual + instance object + marshal( struct) + GetCertificateExtension([in] string marshal( bstr) strExtensionName, + [in] int32 Type, + [out] native int pvarValue) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 05 00 02 60 00 00 ) // .....`.. + .override CERTCLILib.ICertServerPolicy::GetCertificateExtension + } // end of method CCertServerPolicyClass::GetCertificateExtension + + .method public hidebysig newslot virtual + instance int32 GetCertificateExtensionFlags() runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 06 00 02 60 00 00 ) // .....`.. + .override CERTCLILib.ICertServerPolicy::GetCertificateExtensionFlags + } // end of method CCertServerPolicyClass::GetCertificateExtensionFlags + + .method public hidebysig newslot virtual + instance void SetCertificateExtension([in] string marshal( bstr) strExtensionName, + [in] int32 Type, + [in] int32 ExtFlags, + [in] native int pvarValue) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 07 00 02 60 00 00 ) // .....`.. + .override CERTCLILib.ICertServerPolicy::SetCertificateExtension + } // end of method CCertServerPolicyClass::SetCertificateExtension + + .method public hidebysig newslot virtual + instance void EnumerateExtensionsSetup([in] int32 Flags) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 08 00 02 60 00 00 ) // .....`.. 
+ .override CERTCLILib.ICertServerPolicy::EnumerateExtensionsSetup + } // end of method CCertServerPolicyClass::EnumerateExtensionsSetup + + .method public hidebysig newslot virtual + instance string + marshal( bstr) + EnumerateExtensions() runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 09 00 02 60 00 00 ) // .....`.. + .override CERTCLILib.ICertServerPolicy::EnumerateExtensions + } // end of method CCertServerPolicyClass::EnumerateExtensions + + .method public hidebysig newslot virtual + instance void EnumerateExtensionsClose() runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 0A 00 02 60 00 00 ) // .....`.. + .override CERTCLILib.ICertServerPolicy::EnumerateExtensionsClose + } // end of method CCertServerPolicyClass::EnumerateExtensionsClose + + .method public hidebysig newslot virtual + instance void EnumerateAttributesSetup([in] int32 Flags) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 0B 00 02 60 00 00 ) // .....`.. + .override CERTCLILib.ICertServerPolicy::EnumerateAttributesSetup + } // end of method CCertServerPolicyClass::EnumerateAttributesSetup + + .method public hidebysig newslot virtual + instance string + marshal( bstr) + EnumerateAttributes() runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 0C 00 02 60 00 00 ) // .....`.. 
+ .override CERTCLILib.ICertServerPolicy::EnumerateAttributes + } // end of method CCertServerPolicyClass::EnumerateAttributes + + .method public hidebysig newslot virtual + instance void EnumerateAttributesClose() runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 0D 00 02 60 00 00 ) // .....`.. + .override CERTCLILib.ICertServerPolicy::EnumerateAttributesClose + } // end of method CCertServerPolicyClass::EnumerateAttributesClose + +} // end of class CERTCLILib.CCertServerPolicyClass + +.class interface public abstract auto ansi import CERTCLILib.ICertServerExit +{ + .custom instance void [mscorlib]System.Runtime.InteropServices.TypeLibTypeAttribute::.ctor(valuetype [mscorlib]System.Runtime.InteropServices.TypeLibTypeFlags) = ( 01 00 40 10 00 00 00 00 ) // ..@..... + .custom instance void [mscorlib]System.Runtime.InteropServices.GuidAttribute::.ctor(string) = ( 01 00 24 34 42 41 39 45 42 39 30 2D 37 33 32 43 // ..$4BA9EB90-732C + 2D 31 31 44 30 2D 38 38 31 36 2D 30 30 41 30 43 // -11D0-8816-00A0C + 39 30 33 42 38 33 43 00 00 ) // 903B83C.. + .method public hidebysig newslot abstract virtual + instance void SetContext([in] int32 Context) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 00 00 02 60 00 00 ) // .....`.. + } // end of method ICertServerExit::SetContext + + .method public hidebysig newslot abstract virtual + instance object + marshal( struct) + GetRequestProperty([in] string marshal( bstr) strPropertyName, + [in] int32 PropertyType, + [out] native int pvarPropertyValue) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 01 00 02 60 00 00 ) // .....`.. 
+ } // end of method ICertServerExit::GetRequestProperty + + .method public hidebysig newslot abstract virtual + instance string + marshal( bstr) + GetRequestAttribute([in] string marshal( bstr) strAttributeName) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 02 00 02 60 00 00 ) // .....`.. + } // end of method ICertServerExit::GetRequestAttribute + + .method public hidebysig newslot abstract virtual + instance object + marshal( struct) + GetCertificateProperty([in] string marshal( bstr) strPropertyName, + [in] int32 PropertyType, + [out] native int pvarPropertyValue) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 03 00 02 60 00 00 ) // .....`.. + } // end of method ICertServerExit::GetCertificateProperty + + .method public hidebysig newslot abstract virtual + instance object + marshal( struct) + GetCertificateExtension([in] string marshal( bstr) strExtensionName, + [in] int32 Type, + [out] native int pvarValue) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 04 00 02 60 00 00 ) // .....`.. + } // end of method ICertServerExit::GetCertificateExtension + + .method public hidebysig newslot abstract virtual + instance int32 GetCertificateExtensionFlags() runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 05 00 02 60 00 00 ) // .....`.. + } // end of method ICertServerExit::GetCertificateExtensionFlags + + .method public hidebysig newslot abstract virtual + instance void EnumerateExtensionsSetup([in] int32 Flags) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 06 00 02 60 00 00 ) // .....`.. 
+ } // end of method ICertServerExit::EnumerateExtensionsSetup + + .method public hidebysig newslot abstract virtual + instance string + marshal( bstr) + EnumerateExtensions() runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 07 00 02 60 00 00 ) // .....`.. + } // end of method ICertServerExit::EnumerateExtensions + + .method public hidebysig newslot abstract virtual + instance void EnumerateExtensionsClose() runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 08 00 02 60 00 00 ) // .....`.. + } // end of method ICertServerExit::EnumerateExtensionsClose + + .method public hidebysig newslot abstract virtual + instance void EnumerateAttributesSetup([in] int32 Flags) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 09 00 02 60 00 00 ) // .....`.. + } // end of method ICertServerExit::EnumerateAttributesSetup + + .method public hidebysig newslot abstract virtual + instance string + marshal( bstr) + EnumerateAttributes() runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 0A 00 02 60 00 00 ) // .....`.. + } // end of method ICertServerExit::EnumerateAttributes + + .method public hidebysig newslot abstract virtual + instance void EnumerateAttributesClose() runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 0B 00 02 60 00 00 ) // .....`.. 
+ } // end of method ICertServerExit::EnumerateAttributesClose + +} // end of class CERTCLILib.ICertServerExit + +.class interface public abstract auto ansi import CERTCLILib.CCertServerExit + implements CERTCLILib.ICertServerExit +{ + .custom instance void [mscorlib]System.Runtime.InteropServices.CoClassAttribute::.ctor(class [mscorlib]System.Type) = ( 01 00 1F 43 45 52 54 43 4C 49 4C 69 62 2E 43 43 // ...CERTCLILib.CC + 65 72 74 53 65 72 76 65 72 45 78 69 74 43 6C 61 // ertServerExitCla + 73 73 00 00 ) // ss.. + .custom instance void [mscorlib]System.Runtime.InteropServices.GuidAttribute::.ctor(string) = ( 01 00 24 34 42 41 39 45 42 39 30 2D 37 33 32 43 // ..$4BA9EB90-732C + 2D 31 31 44 30 2D 38 38 31 36 2D 30 30 41 30 43 // -11D0-8816-00A0C + 39 30 33 42 38 33 43 00 00 ) // 903B83C.. +} // end of class CERTCLILib.CCertServerExit + +.class public auto ansi import CERTCLILib.CCertServerExitClass + extends [mscorlib]System.Object + implements CERTCLILib.ICertServerExit, + CERTCLILib.CCertServerExit +{ + .custom instance void [mscorlib]System.Runtime.InteropServices.GuidAttribute::.ctor(string) = ( 01 00 24 34 43 34 41 35 45 34 30 2D 37 33 32 43 // ..$4C4A5E40-732C + 2D 31 31 44 30 2D 38 38 31 36 2D 30 30 41 30 43 // -11D0-8816-00A0C + 39 30 33 42 38 33 43 00 00 ) // 903B83C.. 
+ .custom instance void [mscorlib]System.Runtime.InteropServices.ClassInterfaceAttribute::.ctor(valuetype [mscorlib]System.Runtime.InteropServices.ClassInterfaceType) = ( 01 00 00 00 00 00 00 00 ) + .custom instance void [mscorlib]System.Runtime.InteropServices.TypeLibTypeAttribute::.ctor(valuetype [mscorlib]System.Runtime.InteropServices.TypeLibTypeFlags) = ( 01 00 02 00 00 00 00 00 ) + .method public specialname rtspecialname + instance void .ctor() runtime managed internalcall + { + } // end of method CCertServerExitClass::.ctor + + .method public hidebysig newslot virtual + instance void SetContext([in] int32 Context) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 00 00 02 60 00 00 ) // .....`.. + .override CERTCLILib.ICertServerExit::SetContext + } // end of method CCertServerExitClass::SetContext + + .method public hidebysig newslot virtual + instance object + marshal( struct) + GetRequestProperty([in] string marshal( bstr) strPropertyName, + [in] int32 PropertyType, + [out] native int pvarPropertyValue) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 01 00 02 60 00 00 ) // .....`.. + .override CERTCLILib.ICertServerExit::GetRequestProperty + } // end of method CCertServerExitClass::GetRequestProperty + + .method public hidebysig newslot virtual + instance string + marshal( bstr) + GetRequestAttribute([in] string marshal( bstr) strAttributeName) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 02 00 02 60 00 00 ) // .....`.. 
+ .override CERTCLILib.ICertServerExit::GetRequestAttribute + } // end of method CCertServerExitClass::GetRequestAttribute + + .method public hidebysig newslot virtual + instance object + marshal( struct) + GetCertificateProperty([in] string marshal( bstr) strPropertyName, + [in] int32 PropertyType, + [out] native int pvarPropertyValue) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 03 00 02 60 00 00 ) // .....`.. + .override CERTCLILib.ICertServerExit::GetCertificateProperty + } // end of method CCertServerExitClass::GetCertificateProperty + + .method public hidebysig newslot virtual + instance object + marshal( struct) + GetCertificateExtension([in] string marshal( bstr) strExtensionName, + [in] int32 Type, + [out] native int pvarValue) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 04 00 02 60 00 00 ) // .....`.. + .override CERTCLILib.ICertServerExit::GetCertificateExtension + } // end of method CCertServerExitClass::GetCertificateExtension + + .method public hidebysig newslot virtual + instance int32 GetCertificateExtensionFlags() runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 05 00 02 60 00 00 ) // .....`.. + .override CERTCLILib.ICertServerExit::GetCertificateExtensionFlags + } // end of method CCertServerExitClass::GetCertificateExtensionFlags + + .method public hidebysig newslot virtual + instance void EnumerateExtensionsSetup([in] int32 Flags) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 06 00 02 60 00 00 ) // .....`.. 
+ .override CERTCLILib.ICertServerExit::EnumerateExtensionsSetup + } // end of method CCertServerExitClass::EnumerateExtensionsSetup + + .method public hidebysig newslot virtual + instance string + marshal( bstr) + EnumerateExtensions() runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 07 00 02 60 00 00 ) // .....`.. + .override CERTCLILib.ICertServerExit::EnumerateExtensions + } // end of method CCertServerExitClass::EnumerateExtensions + + .method public hidebysig newslot virtual + instance void EnumerateExtensionsClose() runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 08 00 02 60 00 00 ) // .....`.. + .override CERTCLILib.ICertServerExit::EnumerateExtensionsClose + } // end of method CCertServerExitClass::EnumerateExtensionsClose + + .method public hidebysig newslot virtual + instance void EnumerateAttributesSetup([in] int32 Flags) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 09 00 02 60 00 00 ) // .....`.. + .override CERTCLILib.ICertServerExit::EnumerateAttributesSetup + } // end of method CCertServerExitClass::EnumerateAttributesSetup + + .method public hidebysig newslot virtual + instance string + marshal( bstr) + EnumerateAttributes() runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 0A 00 02 60 00 00 ) // .....`.. + .override CERTCLILib.ICertServerExit::EnumerateAttributes + } // end of method CCertServerExitClass::EnumerateAttributes + + .method public hidebysig newslot virtual + instance void EnumerateAttributesClose() runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 0B 00 02 60 00 00 ) // .....`.. 
+ .override CERTCLILib.ICertServerExit::EnumerateAttributesClose + } // end of method CCertServerExitClass::EnumerateAttributesClose + +} // end of class CERTCLILib.CCertServerExitClass + +.class public auto ansi sealed CERTCLILib.X509EnrollmentAuthFlags + extends [mscorlib]System.Enum +{ + .field public specialname rtspecialname int32 value__ + .field public static literal valuetype CERTCLILib.X509EnrollmentAuthFlags X509AuthNone = int32(0x00000000) + .field public static literal valuetype CERTCLILib.X509EnrollmentAuthFlags X509AuthAnonymous = int32(0x00000001) + .field public static literal valuetype CERTCLILib.X509EnrollmentAuthFlags X509AuthKerberos = int32(0x00000002) + .field public static literal valuetype CERTCLILib.X509EnrollmentAuthFlags X509AuthUsername = int32(0x00000004) + .field public static literal valuetype CERTCLILib.X509EnrollmentAuthFlags X509AuthCertificate = int32(0x00000008) +} // end of class CERTCLILib.X509EnrollmentAuthFlags + + +// ============================================================= + +// *********** DISASSEMBLY COMPLETE *********************** +// Warnung: Win32-Ressourcendatei "CERTCLILIB.res" wurde erstellt. diff --git a/CERTCLILIB.res b/CERTCLILIB.res new file mode 100644 index 0000000..91adcda Binary files /dev/null and b/CERTCLILIB.res differ diff --git a/CERTPOLICYLIB.dll b/CERTPOLICYLIB.dll new file mode 100644 index 0000000..b56cc72 Binary files /dev/null and b/CERTPOLICYLIB.dll differ diff --git a/CERTPOLICYLIB.il b/CERTPOLICYLIB.il new file mode 100644 index 0000000..612c552 --- /dev/null +++ b/CERTPOLICYLIB.il 
@@ -0,0 +1,291 @@ + +// Microsoft (R) .NET Framework IL Disassembler. Version 4.8.3928.0 +// Copyright (c) Microsoft Corporation. Alle Rechte vorbehalten. + + + +// Metadata version: v4.0.30319 +.assembly extern mscorlib +{ + .publickeytoken = (B7 7A 5C 56 19 34 E0 89 ) // .z\V.4.. + .ver 4:0:0:0 +} +.assembly CERTPOLICYLib +{ + .custom instance void [mscorlib]System.Runtime.InteropServices.TypeLibVersionAttribute::.ctor(int32, + int32) = ( 01 00 01 00 00 00 00 00 00 00 00 00 ) + .custom instance void [mscorlib]System.Runtime.InteropServices.GuidAttribute::.ctor(string) = ( 01 00 24 33 41 30 42 37 35 34 30 2D 43 32 43 38 // ..$3A0B7540-C2C8 + 2D 31 31 44 32 2D 42 33 31 33 2D 30 30 43 30 34 // -11D2-B313-00C04 + 46 37 39 44 43 37 32 00 00 ) // F79DC72.. + .custom instance void [mscorlib]System.Runtime.InteropServices.ImportedFromTypeLibAttribute::.ctor(string) = ( 01 00 0D 43 45 52 54 50 4F 4C 49 43 59 4C 69 62 // ...CERTPOLICYLib + 00 00 ) + .hash algorithm 0x00008004 + .ver 1:0:0:0 +} +.module CERTPOLICYLib.dll +// MVID: {E1129AE2-FAA4-490B-9546-69BB7452B9B6} +.imagebase 0x00400000 +.file alignment 0x00000200 +.stackreserve 0x00100000 +.subsystem 0x0003 // WINDOWS_CUI +.corflags 0x00000001 // ILONLY +// Image base: 0x07020000 + + +// =============== CLASS MEMBERS DECLARATION =================== + +.class interface public abstract auto ansi import CERTPOLICYLib.ICertPolicy +{ + .custom instance void [mscorlib]System.Runtime.InteropServices.TypeLibTypeAttribute::.ctor(valuetype [mscorlib]System.Runtime.InteropServices.TypeLibTypeFlags) = ( 01 00 40 10 00 00 00 00 ) // ..@..... + .custom instance void [mscorlib]System.Runtime.InteropServices.GuidAttribute::.ctor(string) = ( 01 00 24 33 38 42 42 35 41 30 30 2D 37 36 33 36 // ..$38BB5A00-7636 + 2D 31 31 44 30 2D 42 34 31 33 2D 30 30 41 30 43 // -11D0-B413-00A0C + 39 31 42 42 46 38 43 00 00 ) // 91BBF8C.. 
+ .method public hidebysig newslot abstract virtual + instance void Initialize([in] string marshal( bstr) strConfig) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 00 00 02 60 00 00 ) // .....`.. + } // end of method ICertPolicy::Initialize + + .method public hidebysig newslot abstract virtual + instance int32 VerifyRequest([in] string marshal( bstr) strConfig, + [in] int32 Context, + [in] int32 bNewRequest, + [in] int32 Flags) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 01 00 02 60 00 00 ) // .....`.. + } // end of method ICertPolicy::VerifyRequest + + .method public hidebysig newslot abstract virtual + instance string + marshal( bstr) + GetDescription() runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 02 00 02 60 00 00 ) // .....`.. + } // end of method ICertPolicy::GetDescription + + .method public hidebysig newslot abstract virtual + instance void ShutDown() runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 03 00 02 60 00 00 ) // .....`.. + } // end of method ICertPolicy::ShutDown + +} // end of class CERTPOLICYLib.ICertPolicy + +.class interface public abstract auto ansi import CERTPOLICYLib.ICertPolicy2 + implements CERTPOLICYLib.ICertPolicy +{ + .custom instance void [mscorlib]System.Runtime.InteropServices.TypeLibTypeAttribute::.ctor(valuetype [mscorlib]System.Runtime.InteropServices.TypeLibTypeFlags) = ( 01 00 40 10 00 00 00 00 ) // ..@..... 
+ .custom instance void [mscorlib]System.Runtime.InteropServices.GuidAttribute::.ctor(string) = ( 01 00 24 33 44 42 34 39 31 30 45 2D 38 30 30 31 // ..$3DB4910E-8001 + 2D 34 42 46 31 2D 41 41 31 42 2D 46 34 33 41 38 // -4BF1-AA1B-F43A8 + 30 38 33 31 37 41 30 00 00 ) // 08317A0.. + .method public hidebysig newslot abstract virtual + instance void Initialize([in] string marshal( bstr) strConfig) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 00 00 02 60 00 00 ) // .....`.. + } // end of method ICertPolicy2::Initialize + + .method public hidebysig newslot abstract virtual + instance int32 VerifyRequest([in] string marshal( bstr) strConfig, + [in] int32 Context, + [in] int32 bNewRequest, + [in] int32 Flags) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 01 00 02 60 00 00 ) // .....`.. + } // end of method ICertPolicy2::VerifyRequest + + .method public hidebysig newslot abstract virtual + instance string + marshal( bstr) + GetDescription() runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 02 00 02 60 00 00 ) // .....`.. + } // end of method ICertPolicy2::GetDescription + + .method public hidebysig newslot abstract virtual + instance void ShutDown() runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 03 00 02 60 00 00 ) // .....`.. + } // end of method ICertPolicy2::ShutDown + + .method public hidebysig newslot abstract virtual + instance class CERTPOLICYLib.CCertManagePolicyModule + marshal( interface ) + GetManageModule() runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 00 00 03 60 00 00 ) // .....`.. 
+ } // end of method ICertPolicy2::GetManageModule + +} // end of class CERTPOLICYLib.ICertPolicy2 + +.class interface public abstract auto ansi import CERTPOLICYLib.CCertPolicy + implements CERTPOLICYLib.ICertPolicy2 +{ + .custom instance void [mscorlib]System.Runtime.InteropServices.GuidAttribute::.ctor(string) = ( 01 00 24 33 44 42 34 39 31 30 45 2D 38 30 30 31 // ..$3DB4910E-8001 + 2D 34 42 46 31 2D 41 41 31 42 2D 46 34 33 41 38 // -4BF1-AA1B-F43A8 + 30 38 33 31 37 41 30 00 00 ) // 08317A0.. + .custom instance void [mscorlib]System.Runtime.InteropServices.CoClassAttribute::.ctor(class [mscorlib]System.Type) = ( 01 00 1E 43 45 52 54 50 4F 4C 49 43 59 4C 69 62 // ...CERTPOLICYLib + 2E 43 43 65 72 74 50 6F 6C 69 63 79 43 6C 61 73 // .CCertPolicyClas + 73 00 00 ) // s.. +} // end of class CERTPOLICYLib.CCertPolicy + +.class public auto ansi import CERTPOLICYLib.CCertPolicyClass + extends [mscorlib]System.Object + implements CERTPOLICYLib.ICertPolicy2, + CERTPOLICYLib.CCertPolicy +{ + .custom instance void [mscorlib]System.Runtime.InteropServices.TypeLibTypeAttribute::.ctor(valuetype [mscorlib]System.Runtime.InteropServices.TypeLibTypeFlags) = ( 01 00 02 00 00 00 00 00 ) + .custom instance void [mscorlib]System.Runtime.InteropServices.ClassInterfaceAttribute::.ctor(valuetype [mscorlib]System.Runtime.InteropServices.ClassInterfaceType) = ( 01 00 00 00 00 00 00 00 ) + .custom instance void [mscorlib]System.Runtime.InteropServices.GuidAttribute::.ctor(string) = ( 01 00 24 33 42 36 36 35 34 44 30 2D 43 32 43 38 // ..$3B6654D0-C2C8 + 2D 31 31 44 32 2D 42 33 31 33 2D 30 30 43 30 34 // -11D2-B313-00C04 + 46 37 39 44 43 37 32 00 00 ) // F79DC72.. 
+ .method public specialname rtspecialname + instance void .ctor() runtime managed internalcall + { + } // end of method CCertPolicyClass::.ctor + + .method public hidebysig newslot virtual + instance void Initialize([in] string marshal( bstr) strConfig) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 00 00 02 60 00 00 ) // .....`.. + .override CERTPOLICYLib.ICertPolicy2::Initialize + } // end of method CCertPolicyClass::Initialize + + .method public hidebysig newslot virtual + instance int32 VerifyRequest([in] string marshal( bstr) strConfig, + [in] int32 Context, + [in] int32 bNewRequest, + [in] int32 Flags) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 01 00 02 60 00 00 ) // .....`.. + .override CERTPOLICYLib.ICertPolicy2::VerifyRequest + } // end of method CCertPolicyClass::VerifyRequest + + .method public hidebysig newslot virtual + instance string + marshal( bstr) + GetDescription() runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 02 00 02 60 00 00 ) // .....`.. + .override CERTPOLICYLib.ICertPolicy2::GetDescription + } // end of method CCertPolicyClass::GetDescription + + .method public hidebysig newslot virtual + instance void ShutDown() runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 03 00 02 60 00 00 ) // .....`.. 
+ .override CERTPOLICYLib.ICertPolicy2::ShutDown + } // end of method CCertPolicyClass::ShutDown + + .method public hidebysig newslot virtual + instance class CERTPOLICYLib.CCertManagePolicyModule + marshal( interface ) + GetManageModule() runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 00 00 03 60 00 00 ) // .....`.. + .override CERTPOLICYLib.ICertPolicy2::GetManageModule + } // end of method CCertPolicyClass::GetManageModule + +} // end of class CERTPOLICYLib.CCertPolicyClass + +.class interface public abstract auto ansi import CERTPOLICYLib.ICertManageModule +{ + .custom instance void [mscorlib]System.Runtime.InteropServices.GuidAttribute::.ctor(string) = ( 01 00 24 45 37 44 37 41 44 34 32 2D 42 44 33 44 // ..$E7D7AD42-BD3D + 2D 31 31 44 31 2D 39 41 34 44 2D 30 30 43 30 34 // -11D1-9A4D-00C04 + 46 43 32 39 37 45 42 00 00 ) // FC297EB.. + .custom instance void [mscorlib]System.Runtime.InteropServices.TypeLibTypeAttribute::.ctor(valuetype [mscorlib]System.Runtime.InteropServices.TypeLibTypeFlags) = ( 01 00 40 10 00 00 00 00 ) // ..@..... + .method public hidebysig newslot abstract virtual + instance object + marshal( struct) + GetProperty([in] string marshal( bstr) strConfig, + [in] string marshal( bstr) strStorageLocation, + [in] string marshal( bstr) strPropertyName, + [in] int32 Flags) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 00 00 02 60 00 00 ) // .....`.. 
+ } // end of method ICertManageModule::GetProperty + + .method public hidebysig newslot abstract virtual + instance void SetProperty([in] string marshal( bstr) strConfig, + [in] string marshal( bstr) strStorageLocation, + [in] string marshal( bstr) strPropertyName, + [in] int32 Flags, + [in] object& marshal( struct) pvarProperty) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 01 00 02 60 00 00 ) // .....`.. + } // end of method ICertManageModule::SetProperty + + .method public hidebysig newslot abstract virtual + instance void Configure([in] string marshal( bstr) strConfig, + [in] string marshal( bstr) strStorageLocation, + [in] int32 Flags) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 02 00 02 60 00 00 ) // .....`.. + } // end of method ICertManageModule::Configure + +} // end of class CERTPOLICYLib.ICertManageModule + +.class interface public abstract auto ansi import CERTPOLICYLib.CCertManagePolicyModule + implements CERTPOLICYLib.ICertManageModule +{ + .custom instance void [mscorlib]System.Runtime.InteropServices.CoClassAttribute::.ctor(class [mscorlib]System.Type) = ( 01 00 2A 43 45 52 54 50 4F 4C 49 43 59 4C 69 62 // ..*CERTPOLICYLib + 2E 43 43 65 72 74 4D 61 6E 61 67 65 50 6F 6C 69 // .CCertManagePoli + 63 79 4D 6F 64 75 6C 65 43 6C 61 73 73 00 00 ) // cyModuleClass.. + .custom instance void [mscorlib]System.Runtime.InteropServices.GuidAttribute::.ctor(string) = ( 01 00 24 45 37 44 37 41 44 34 32 2D 42 44 33 44 // ..$E7D7AD42-BD3D + 2D 31 31 44 31 2D 39 41 34 44 2D 30 30 43 30 34 // -11D1-9A4D-00C04 + 46 43 32 39 37 45 42 00 00 ) // FC297EB.. 
+} // end of class CERTPOLICYLib.CCertManagePolicyModule + +.class public auto ansi import CERTPOLICYLib.CCertManagePolicyModuleClass + extends [mscorlib]System.Object + implements CERTPOLICYLib.ICertManageModule, + CERTPOLICYLib.CCertManagePolicyModule +{ + .custom instance void [mscorlib]System.Runtime.InteropServices.GuidAttribute::.ctor(string) = ( 01 00 24 33 42 42 34 34 33 36 30 2D 43 32 43 38 // ..$3BB44360-C2C8 + 2D 31 31 44 32 2D 42 33 31 33 2D 30 30 43 30 34 // -11D2-B313-00C04 + 46 37 39 44 43 37 32 00 00 ) // F79DC72.. + .custom instance void [mscorlib]System.Runtime.InteropServices.ClassInterfaceAttribute::.ctor(valuetype [mscorlib]System.Runtime.InteropServices.ClassInterfaceType) = ( 01 00 00 00 00 00 00 00 ) + .custom instance void [mscorlib]System.Runtime.InteropServices.TypeLibTypeAttribute::.ctor(valuetype [mscorlib]System.Runtime.InteropServices.TypeLibTypeFlags) = ( 01 00 02 00 00 00 00 00 ) + .method public specialname rtspecialname + instance void .ctor() runtime managed internalcall + { + } // end of method CCertManagePolicyModuleClass::.ctor + + .method public hidebysig newslot virtual + instance object + marshal( struct) + GetProperty([in] string marshal( bstr) strConfig, + [in] string marshal( bstr) strStorageLocation, + [in] string marshal( bstr) strPropertyName, + [in] int32 Flags) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 00 00 02 60 00 00 ) // .....`.. 
+ .override CERTPOLICYLib.ICertManageModule::GetProperty + } // end of method CCertManagePolicyModuleClass::GetProperty + + .method public hidebysig newslot virtual + instance void SetProperty([in] string marshal( bstr) strConfig, + [in] string marshal( bstr) strStorageLocation, + [in] string marshal( bstr) strPropertyName, + [in] int32 Flags, + [in] object& marshal( struct) pvarProperty) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 01 00 02 60 00 00 ) // .....`.. + .override CERTPOLICYLib.ICertManageModule::SetProperty + } // end of method CCertManagePolicyModuleClass::SetProperty + + .method public hidebysig newslot virtual + instance void Configure([in] string marshal( bstr) strConfig, + [in] string marshal( bstr) strStorageLocation, + [in] int32 Flags) runtime managed internalcall + { + .custom instance void [mscorlib]System.Runtime.InteropServices.DispIdAttribute::.ctor(int32) = ( 01 00 02 00 02 60 00 00 ) // .....`.. + .override CERTPOLICYLib.ICertManageModule::Configure + } // end of method CCertManagePolicyModuleClass::Configure + +} // end of class CERTPOLICYLib.CCertManagePolicyModuleClass + + +// ============================================================= + +// *********** DISASSEMBLY COMPLETE *********************** +// Warnung: Win32-Ressourcendatei "CERTPOLICYLIB.res" wurde erstellt. diff --git a/CERTPOLICYLIB.res b/CERTPOLICYLIB.res new file mode 100644 index 0000000..88a9b5a Binary files /dev/null and b/CERTPOLICYLIB.res differ diff --git a/CHANGELOG.adoc b/CHANGELOG.adoc deleted file mode 100644 index 10a0322..0000000 --- a/CHANGELOG.adoc +++ /dev/null 
@@ -1,67 +0,0 @@
-== Changelog for the TameMyCerts Policy Module
-
-=== 1.5.760.827 (Jan 31, 2023)
-
-This is a quality improvement only release. TameMyCerts now uses the interfaces provided by the certification authority to determine Subject and Subject Alternative Name information.
-
-* Fix a security vulnerability causing nested certificate requests to bypass subject alternative name rule processing. *All users of previous versions are urged to upgrade!*
-* Subject RDN inspection is now done against the properties constructed by the certification authority (how the CA would issue the certificate. Previously it was done against the original inline PKCS#10 certificate request). This should enhance compatibility with malformed certificate requests but does not work with undefined relative distinguished names. Behavior can be changed back to previous logic by setting _ReadSubjectFromRequest_ to true in request policy.
-* Enhance logging for directory service query failures.
-* Refactor the code for building the security identifier certificate extension.
-
-=== 1.4.728.502 (Dec 30, 2022)
-
-This is a quality improvement only release. TameMyCerts is now covered by link:TameMyCerts.IntegrationTests[automated integration tests^] featuring Pester and link:https://github.com/Sleepw4lker/PSCertificateEnrollment[PSCertificateEnrollment^] which allows to test parts of the code base not testable with unit tests.
-
-* Fix a bug causing directory mapping not finding all of mapped object's attributes when using global catalog (no SearchRoot configured in policy) to find an object.
-* Fix a bug causing to not display the correct error message in case no connection to Active Directory is possible during directory validation.
-* Fix a bug causing certificate modifications made by TameMyCerts are not applied when a template is configured to put requests in pending state.
-* Fix a bug causing to falsely log that a certificate request would get denied even if there is no reason to when policy is configured in audit mode.
-* Fix a bug causing the StartDate request attribute not getting applied if no policy is configured for the given certificate template.
-* Fix a bug causing request attributes to get processed case-sensitive which would allow cirvumventing security measures.
-* Fix a bug causing directory mapping to fail when the userPrincipalName attribute is not populated for an account (even if is was not used for mapping). Due to this, mapped accounts are now identified and logged with their distinguishedName attribute instead oder userPrincipalName.
-* Fix a bug causing an exception with directory mapping when the telexNumber directory attribute is populated for an object, as the property is not of string data type. Support for the telexNumber directory attribute has therefore been dropped.
-* Fix a bug causing requests using a valid process name to get denied when only DisallowedProcesses is configured.
-* Fix a bug causing requests using a valid cryptographic provider to get denied when only DisallowedCryptoProviders is configured.
-* Attributes used for modification of a certificate's subject distinguished name are now only retrieved from AD if the feature is enabled for a certificate template.
-
-=== 1.3.683.747 (Nov 15, 2022)
-
-* Implement support for (over)writing the subject relative distinguished name (RDN) of issued certificates with configurable attributes from a mapped Active Directory object.
-* Implement support for supplementing missing DNS names and IP addresses from commonName field in subject distringushed name into the subject alternative name of the issued certificate. This is to automatically make issued certificates compliant to link:https://www.rfc-editor.org/rfc/rfc2818[RFC 2818^].
-* Add option to issue certificates for mapped acounts that are disabled (e.g. to prestage certificates in combination with the "StartDate" attribute functionality).
-* Add option to remove Security Identifier (szOID_NTDS_CA_SECURITY_EXT) certificate extension when provided in a certificate request instead of denying it entirely ("Remove" keyword for the SecurityIdentifierExtension directive).
-* Key rules can now also be applied to requests for online certificate templates.
-* Fix string substitution for the "serialNumber", "unstructuredName" and "unstructuredAddress" relative distinguished name types.
-* Fix a bug preventing the use of the "any" IPv4 CIDR mask (0.0.0.0/0) in a subject rule.
-* Fix a bug in installer script not updating policy directory.
-
-=== 1.2.587.662 (Aug 11, 2022)
-
-* Implement support for looking up identities that are requested in offline templates against Active Directory (called "directory mapping"). It may be specified if a certificate request shall get denied if a matching user or computer account does not exist, is disabled, if it is member of a forbidden group, or not member of any permitted group.
-* Implement support for adding the new Security Identifier (szOID_NTDS_CA_SECURITY_EXT with object id 1.3.6.1.4.1.311.25.2) certificate extension that was introduced with link:https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16[KB5014754^] to certificates issued for offline certificate requests (requires directory mapping). This should enable users to prevent authentication to fail when strong certificate mapping will be enforced on May 9, 2023.
-* Implement protection against forgery of the szOID_NTDS_CA_SECURITY_EXT certificate extension by the enrollee. Policy can be configured to deny or allow offline requests containing this extension (default is to deny).
-* Implement support for specifying a fixed expiration date on a per-template basis.
-* Implement proper logging for processing of the "StartDate" request attribute and align behavior with Windows Default policy module.
-* Fix a bug causing the module to return the validation result too early. This had no effect on security but not all violations against the ruleset would get logged, making troubleshooting somewhat more difficult.
-* Fix a bug causing the module to throw an exception in the case a SAN extension could not be parsed.
-* Fix the organizationalUnitName RDN to align with X.520 specifications (it was wrongly called "organizationalUnit" in earlier versions). *Note that this breaks existing policy files. These must be adjusted.*
-* Remove code for denying certificate requests containing the Subject Directory Atttributes (2.5.29.9) request extension, as this is disabled for issuance on AD CS by default anyway.
-* Remove excessive calling of garbage collection which should improve processing performance.
-
-=== 1.1.432.1215 (Mar 10, 2022)
-
-* Change logic for allowed and disallowed patterns on SubjectRule directives. Now, for each defined "field" it is possible to specify how the expression will get treated (regular expression or CIDR notation), which allows for IP addresses to get verified if they are present in fields other that the iPAddress alternative name field. *Note that this breaks existing policy files. These must be adjusted.*
-* Implement support for applying rules on process names used to create certificate requests for both online and offline certificate templates.
-* Implement support for applying rules on cryptographic providers used to create certificate requests' private keys for both online and offline certificate templates.
-* Implement support for custom NotBefore date on a certificate with the "StartDate" request attribute, in analogy to the "ExpirationDate" request attribute supported by the Windows Default policy module.
-* Implement basic protection against abuse of having the link:https://www.gradenegger.eu/?p=1486[EDITF_ATTRIBUTESUBJECTALTNAME2^] flag enabled. Requests with a "san" attribute get denied if the flag is enabled.
-* Fix a bug causing the module to log an exception for requests with invalid "ExpirationDate" attribute.
-* SubjectRule "Field" definition is now processed case insensitive.
-* Change required link:https://support.microsoft.com/en-us/topic/microsoft-net-framework-4-7-2-offline-installer-for-windows-05a72734-2127-a15d-50cf-daf56d5faec2[.NET Framework 4.7.2^] due to link:https://docs.microsoft.com/en-us/lifecycle/products/microsoft-net-framework[end of life^] of previously used version 4.6.
-* General code optimization that should slightly increase processing performance and overall maintainability of the code.
-* install.ps1 is now also digitally signed.
-
-=== 1.0.410.1186 (Feb 15, 2022)
-
-_Initial release_
\ No newline at end of file
diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000..1abd78e
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,114 @@
+## Changelog for the TameMyCerts policy module {#changelog}
+
+### Version \
+
+_This version was released on \_.
+
+> **NOTE**
+> TameMyCerts has developed into a reliable, secure and stable enterprise product. Many organizations around the world are relying on it to improve their security and their PKI workflows. Professional development, testing and documentation consumes a considerable amount of time and resources. Whilst still being fully committed on keeping source code available for the community, _digitally signed binaries_, a _print-optimized documentation_ and _priority support_ are benefits **only available for customers with an active maintenance contract**.
+
+This is a major release containing lots of bug fixes for edge-cases as well as many new exciting features, whilst staying backwards-compatible to existing configuration files.
+
+- The _SubjectDistingushedName_ directive within _DirectoryServicesMapping_ has been renamed to _DsBoundSubject_. **Note that this breaks existing policy files. These must be adjusted when upgrading.**
+- The _RelativeDistingushedName_ directive within _DirectoryServicesMapping_ has been renamed to _DsBoundSubjectRule_. **Note that this breaks existing policy files. These must be adjusted when upgrading.**
+- TameMyCerts now implements caching for policy configuration files. Instead of loading them over and over again for any incoming request, this is now only done if the file has changed.
+- TameMyCerts now supports for building or extending the Subject Alternative Name extension of issued certificates with configurable attributes from a mapped Active Directory object. You configure a _DsBoundSubjectAlternativeName_ Node containing at least one _DsBoundSubjectRule_ within _DirectoryServicesMapping_.
+- TameMyCerts now supports setting static values into the Subject Relative Distinguished Name with the _StaticSubject_ directive containing at least one _StaticSubjectRule_.
+- TameMyCerts now supports setting static values into the Subject Alternative Name with the _StaticSubjectAlternativeName_ directive containing at least one _StaticSubjectRule_.
+- TameMyCerts now supports configuring per-Template CRL Distribution Point, Authority Information Access, and Online Certificate Status Protocol URIs. Configure them with the _CrlDistributionPoints_, _AuthorityInformationAccess_ and _OnlineCertificateStatusProtocol_ directives.
+- TameMyCerts now automatically determines the desired key algorithm from the certificate template. The _KeyAlgorithm_ parameter has therefore been removed. Existing configurations will continue to work but without using the configured _KeyAlgorithm_.
+- TameMyCerts now reads all available request properties directly from the certification authority instead of parsing the inline request. The inline certificate request will now only be parsed when _AllowedProcesses_ or _DisallowedProcesses_ directives are configured, as this information cannot be obtained from the CA directly. There are rare cases where it may not be possible to parse the inline certificate request. In this case, the requested properties will be treated as non-existent.
+- TameMyCerts now supports the DSA key algorithm for incoming certificate requests.
+- TameMyCerts now detects if a resulting certificate wouldn't contain any identity, and will deny such a request by default. This allows to make both _commonName_ and Subject Alternative Name fields optional at the same time in a policy, whilst ensuring a certitificate request has one of them set. The behavior can be disabled with the _PermitEmptyIdentities_ parameter.
+- Directory Services mapping now supports the _SupplementServicePrincipalNames_ directive. This mode allows to automatically add all DNS names found in the Service Principal Names (SPNs) of mapped AD objects to the SAN extension of issued certificates.
+- Directory Services mapping now allows to specify _Pattern_ directives like in Subject or SAN rules that can get applied all of the attributes that can be used for building the Subject Distingushed Name.
+- Directory Services mapping now allows to filter based on organizational unit memberships of mapped AD objects with the _AllowedOrganizationalUnits_ and _DisallowedOrganizationalUnits_ parameters.
+- Directory Services mapping now allows adding the SID of a mapped AD object into the Subject Alternative Name (SAN) extension of an issued certificate [as introduced by Microsoft in April 2023](https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/preview-of-san-uri-for-certificate-strong-mapping-for-kb5014754/bc-p/3794144#M965). The directive is called _AddSidIUniformResourceIdentifier_.
+- _Pattern_ directives now support the new _RegExIgnoreCase_ kind for the _TreatAs_ attribute, which allows a regular expression to be treated case-insensitive.
+- _Pattern_ directives now support the new _ExactMatch_ and _ExactMatchIgnoreCase_ kinds for the _TreatAs_ attribute, which allow simple value comparisons, either case sensitive or case-insensitive.
+- _Pattern_ directives now support matching IPv6 addresses against CIDR masks when _TreatAs_ is set to _Cidr_.
+- Supplementing DNS names from the Subject DN can now append missing entries to an existing SAN certificate extension (instead of only building a new one as it was before). Same goes for all other cases that potentially build or modify the SAN extension.
+- The new mode to interpret the Subject Distinguished Name introduced with version 1.5 now correctly handles multiple RDNs of same type.
+- When TameMyCerts is unable to interpret a policy configuration file, the error message now contains more detailed information about the possible cause.
+- Fix a bug causing to allow blacklisted patterns when an invalid kind for the _TreatAs_ attribute was specified for a _Pattern_ in a Subject or SAN rule.
+- Fix a bug potentially allowing LDAP injections via requested certificate content.
+- Fix a bug causing requests getting denied when a template name contains invalid file name characters.
+- Fix a bug in the installer script preventing to run it without arguments.
+
+### Version 1.5.760.827
+
+_This version was released on Jan 31, 2023._
+
+This is a quality improvement only release. TameMyCerts now uses the interfaces provided by the certification authority to determine Subject and Subject Alternative Name information.
+
+- Fix a security vulnerability causing nested certificate requests to bypass subject alternative name rule processing. **All users of previous versions are urged to upgrade!**
+- Subject RDN inspection is now done against the properties constructed by the certification authority (how the CA would issue the certificate. Previously it was done against the original inline PKCS#10 certificate request). This should enhance compatibility with malformed certificate requests but does not work with undefined relative distinguished names. Behavior can be changed back to previous logic by setting _ReadSubjectFromRequest_ to true in request policy.
+- Enhance logging for directory service query failures.
+- Refactor the code for building the security identifier certificate extension.
+
+### Version 1.4.728.502
+
+_This version was released on Dec 30, 2022._
+
+This is a quality improvement only release. TameMyCerts is now covered by automated integration tests which allow testing parts of the code base otherwise not testable with unit tests.
+
+- Fix a bug causing directory mapping not finding all of mapped object's attributes when using global catalog (no SearchRoot configured in policy) to find an object.
+- Fix a bug causing to not display the correct error message in case no connection to Active Directory is possible during directory validation.
+- Fix a bug causing certificate modifications made by TameMyCerts are not applied when a template is configured to put requests in pending state.
+- Fix a bug causing to falsely log that a certificate request would get denied even if there is no reason to when policy is configured in audit mode.
+- Fix a bug causing the StartDate request attribute not getting applied if no policy is configured for the given certificate template.
+- Fix a bug causing request attributes to get processed case-sensitive which would allow circumventing security measures.
+- Fix a bug causing directory mapping to fail when the userPrincipalName attribute is not populated for an account (even if is was not used for mapping). Due to this, mapped accounts are now identified and logged with their distinguishedName attribute instead oder userPrincipalName.
+- Fix a bug causing an exception with directory mapping when the telexNumber directory attribute is populated for an object, as the property is not of string data type. Support for the telexNumber directory attribute has therefore been dropped.
+- Fix a bug causing requests using a valid process name to get denied when only DisallowedProcesses is configured.
+- Fix a bug causing requests using a valid cryptographic provider to get denied when only DisallowedCryptoProviders is configured.
+- Attributes used for modification of a certificate's subject distinguished name are now only retrieved from AD if the feature is enabled for a certificate template.
+
+### Version 1.3.683.747
+
+_This version was released on Nov 15, 2022._
+
+- Implement support for (over)writing the subject relative distinguished name (RDN) of issued certificates with configurable attributes from a mapped Active Directory object.
+- Implement support for supplementing missing DNS names and IP addresses from commonName field in subject distringushed name into the subject alternative name of the issued certificate. This is to automatically make issued certificates compliant to [IETF RFC 2818](https://www.rfc-editor.org/rfc/rfc2818).
+- Add option to issue certificates for mapped acounts that are disabled (e.g. to prestage certificates in combination with the "StartDate" attribute functionality).
+- Add option to remove Security Identifier (**szOID\_NTDS\_CA\_SECURITY\_EXT**) certificate extension when provided in a certificate request instead of denying it entirely ("Remove" keyword for the SecurityIdentifierExtension directive).
+- Key rules can now also be applied to requests for online certificate templates.
+- Fix string substitution for the "serialNumber", "unstructuredName" and "unstructuredAddress" relative distinguished name types.
+- Fix a bug preventing the use of the "any" IPv4 CIDR mask (0.0.0.0/0) in a subject rule.
+- Fix a bug in installer script not updating policy directory.
+
+### Version 1.2.587.662
+
+_This version was released on Aug 11, 2022._
+
+- Implement support for looking up identities that are requested in offline templates against Active Directory (called "directory mapping"). It may be specified if a certificate request shall get denied if a matching user or computer account does not exist, is disabled, if it is member of a forbidden group, or not member of any permitted group.
+- Implement support for adding the new Security Identifier (**szOID\_NTDS\_CA\_SECURITY\_EXT** with object id 1.3.6.1.4.1.311.25.2) certificate extension that was introduced with [KB5014754](https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16) to certificates issued for offline certificate requests (requires directory mapping). This should enable users to prevent authentication to fail when strong certificate mapping will be enforced on February 11, 2025.
+- Implement protection against forgery of the **szOID\_NTDS\_CA\_SECURITY\_EXT** certificate extension by the enrollee. Policy can be configured to deny or allow offline requests containing this extension (default is to deny).
+- Implement support for specifying a fixed expiration date on a per-template basis.
+- Implement proper logging for processing of the "StartDate" request attribute and align behavior with Windows Default policy module.
+- Fix a bug causing the module to return the validation result too early. This had no effect on security but not all violations against the ruleset would get logged, making troubleshooting somewhat more difficult.
+- Fix a bug causing the module to throw an exception in the case a SAN extension could not be parsed.
+- Fix the organizationalUnitName RDN to align with X.520 specifications (it was wrongly called "organizationalUnit" in earlier versions). **Note that this breaks existing policy files. These must be adjusted when upgrading.**
+- Remove code for denying certificate requests containing the Subject Directory Atttributes (2.5.29.9) request extension, as this is disabled for issuance on AD CS by default anyway.
+- Remove excessive calling of garbage collection which should improve processing performance.
+
+### Version 1.1.432.1215
+
+_This version was released on Mar 10, 2022._
+
+- Change logic for allowed and disallowed patterns on SubjectRule directives. Now, for each defined "field" it is possible to specify how the expression will get treated (regular expression or CIDR notation), which allows for IP addresses to get verified if they are present in fields other that the iPAddress alternative name field. **Note that this breaks existing policy files. These must be adjusted when upgrading.**
+- Implement support for applying rules on process names used to create certificate requests for both online and offline certificate templates.
+- Implement support for applying rules on cryptographic providers used to create certificate requests' private keys for both online and offline certificate templates. +- Implement support for custom NotBefore date on a certificate with the "StartDate" request attribute, in analogy to the "ExpirationDate" request attribute supported by the Windows Default policy module. +- Implement basic protection against abuse of having the [EDITF\_ATTRIBUTESUBJECTALTNAME2](https://www.gradenegger.eu/?lang=en&p=1486) flag enabled. Requests with a "san" attribute get denied if the flag is enabled. +- Fix a bug causing the module to log an exception for requests with invalid "ExpirationDate" attribute. +- SubjectRule "Field" definition is now processed case insensitive. +- Change required [.NET Framework 4.7.2](https://support.microsoft.com/en-us/topic/microsoft-net-framework-4-7-2-offline-installer-for-windows-05a72734-2127-a15d-50cf-daf56d5faec2) due to [end of life](https://docs.microsoft.com/en-us/lifecycle/products/microsoft-net-framework) of previously used version 4.6. +- General code optimization that should slightly increase processing performance and overall maintainability of the code. +- install.ps1 is now also digitally signed. + +### Version 1.0.410.1186 + +_This version was released on Feb 15, 2022._ + +This is the initial release of TameMyCerts made publicly available. \ No newline at end of file diff --git a/TameMyCerts/ClassExtensions/ByteArrayExtensions.cs b/ClassExtensions/ByteArrayExtensions.cs similarity index 93% rename from TameMyCerts/ClassExtensions/ByteArrayExtensions.cs rename to ClassExtensions/ByteArrayExtensions.cs index 1e3cf8e..cf3f56a 100644 --- a/TameMyCerts/ClassExtensions/ByteArrayExtensions.cs +++ b/ClassExtensions/ByteArrayExtensions.cs 
@@ -1,4 +1,4 @@ -// Copyright 2021 Uwe Gradenegger +// Copyright 2021-2023 Uwe Gradenegger // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. diff --git a/TameMyCerts/ClassExtensions/CCertServerPolicyExtensions.cs b/ClassExtensions/CCertServerPolicyExtensions.cs similarity index 85% rename from TameMyCerts/ClassExtensions/CCertServerPolicyExtensions.cs rename to ClassExtensions/CCertServerPolicyExtensions.cs index d13405e..f9eba1f 100644 --- a/TameMyCerts/ClassExtensions/CCertServerPolicyExtensions.cs +++ b/ClassExtensions/CCertServerPolicyExtensions.cs @@ -1,4 +1,4 @@ -// Copyright 2021 Uwe Gradenegger +// Copyright 2021-2023 Uwe Gradenegger // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -14,10 +14,11 @@ using System; using System.Collections.Generic; -using System.Linq; +using System.IO; using System.Runtime.InteropServices; using CERTCLILib; using TameMyCerts.Enums; +using TameMyCerts.Models; namespace TameMyCerts.ClassExtensions { 
@@ -28,31 +29,30 @@ internal static class CCertServerPolicyExtensions public static List> GetSubjectRelativeDistinguishedNames( this CCertServerPolicy serverPolicy) { - var rdnInfo = - new Dictionary + var result = new List>(); + + foreach (var rdnType in RdnTypes.ToList()) + { + var value = serverPolicy.GetStringRequestPropertyOrDefault(RdnTypes.NameProperty[rdnType]); + + if (value == null) + { + continue; + } + + // NewLine qualifies to separate multiple RDNs of same type, regardless if requested RDNs were properly + // separated or contained newlines + using (var reader = new StringReader(value)) { - {"emailAddress", "Subject.Email"}, - {"commonName", "Subject.CommonName"}, - {"organizationName", "Subject.Organization"}, - {"organizationalUnitName", "Subject.OrgUnit"}, - {"localityName", "Subject.Locality"}, - {"stateOrProvinceName", "Subject.State"}, - {"countryName", "Subject.Country"}, - {"title", "Subject.Title"}, - {"givenName", "Subject.GivenName"}, - {"initials", "Subject.Initials"}, - {"surname", "Subject.SurName"}, - {"streetAddress", "Subject.StreetAddress"}, - {"unstructuredName", "Subject.UnstructuredName"}, - {"unstructuredAddress", "Subject.UnstructuredAddress"}, - {"serialNumber", "Subject.DeviceSerialNumber"}, - {"domainComponent", "Subject.DomainComponent"} - }; - - return (from keyValuePair in rdnInfo - let value = serverPolicy.GetStringRequestPropertyOrDefault(keyValuePair.Value) - where value != null - select new KeyValuePair(keyValuePair.Key, value)).ToList(); + string line; + while ((line = reader.ReadLine()) != null) + { + result.Add(new KeyValuePair(rdnType, line)); + } + } + } + + return result; } #endregion 
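Review bot: `reader.ReadLine()` returns an empty string for a blank line, so a property value that contains consecutive line breaks (or ends in a double newline) puts an empty-valued RDN of that type into `result`, and the comment above the `using` block does not say whether that is intended. If the rule engine treats an empty value as a violation this is fail-closed and only needs a sentence in that comment; otherwise add `if (line.Length == 0) { continue; }` before the `result.Add(...)`. A `<summary>` on `GetSubjectRelativeDistinguishedNames` stating that one entry is produced per line of each CA-constructed RDN property would also help callers, since the split-on-newline behaviour differs from the dictionary-based version it replaces.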
@@ -85,9 +85,9 @@ public static Dictionary GetRequestAttributes(this CCertServerPo #region GetRequestExtensions - public static Dictionary GetCertificateExtensions(this CCertServerPolicy serverPolicy) + public static Dictionary GetCertificateExtensions(this CCertServerPolicy serverPolicy) { - var extensionList = new Dictionary(StringComparer.InvariantCultureIgnoreCase); + var extensionList = new Dictionary(StringComparer.InvariantCultureIgnoreCase); string extensionOid; serverPolicy.EnumerateExtensionsSetup(0); @@ -97,8 +97,7 @@ public static Dictionary GetCertificateExtensions(this CCertServ extensionOid = serverPolicy.EnumerateExtensions(); if (extensionOid != null) { - extensionList.Add(extensionOid, - Convert.ToBase64String(serverPolicy.GetCertificateExtensionOrDefault(extensionOid))); + extensionList.Add(extensionOid, serverPolicy.GetCertificateExtensionOrDefault(extensionOid)); } } while (extensionOid != null); @@ -111,20 +110,18 @@ public static Dictionary GetCertificateExtensions(this CCertServ #region SetCertificateExtension - public static void SetCertificateExtension(this CCertServerPolicy serverPolicy, string oid, string value, + public static void SetCertificateExtension(this CCertServerPolicy serverPolicy, string oid, byte[] value, bool critical = false) { // Kudos to Vadims Podans for his research and support! - var rawData = Convert.FromBase64String(value); - - var pBstr = Marshal.AllocHGlobal(rawData.Length + 4); - Marshal.WriteInt32(pBstr, 0, rawData.Length); - Marshal.Copy(rawData, 0, pBstr + 4, rawData.Length); + var pBstr = Marshal.AllocHGlobal(value.Length + 4); + Marshal.WriteInt32(pBstr, 0, value.Length); + Marshal.Copy(value, 0, pBstr + 4, value.Length); var variant = new OleAut32.VARIANT { - vt = 8, // VT_BSTR + vt = (short) VarEnum.VT_BSTR, pvRecord = pBstr + 4 }; 
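Review bot: The rewritten `extensionList.Add(extensionOid, serverPolicy.GetCertificateExtensionOrDefault(extensionOid));` stores whatever the helper returns; if it returns null for an extension it cannot read (its name suggests so), the dictionary now carries a null byte array where the previous `Convert.ToBase64String` call would have thrown, and every consumer of the new byte-array dictionary has to null-check. Either skip such entries, `var data = serverPolicy.GetCertificateExtensionOrDefault(extensionOid); if (data != null) { extensionList.Add(extensionOid, data); }`, or state on the method that values may be null. The opening lines of `GetCertificateExtensions` are in the preceding hunk, not this one.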
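Review bot: `SetCertificateExtension` now dereferences `value.Length` directly, so a null `value` fails with a `NullReferenceException` instead of the `ArgumentNullException` the removed `Convert.FromBase64String` call raised; add `if (value == null) { throw new ArgumentNullException(nameof(value)); }` as the first statement. The buffer is built by hand as a length-prefixed BSTR of `value.Length + 4` bytes with no terminating null characters after the payload; that matches the length-prefix semantics the CA reads, but a comment saying the terminator is deliberately omitted would stop the next reader from "fixing" it. Whether `pBstr` is released with `Marshal.FreeHGlobal` after the call lies outside this hunk; if it is not, every extension write leaks the buffer.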
@@ -153,7 +150,7 @@ public static void DisableCertificateExtension(this CCertServerPolicy serverPoli var variant = new OleAut32.VARIANT { - vt = 0, // VT_EMPTY + vt = (short) VarEnum.VT_EMPTY, pvRecord = IntPtr.Zero }; diff --git a/ClassExtensions/CX509CertificateRequestPkcs10Extensions.cs b/ClassExtensions/CX509CertificateRequestPkcs10Extensions.cs new file mode 100644 index 0000000..818c769 --- /dev/null +++ b/ClassExtensions/CX509CertificateRequestPkcs10Extensions.cs 
@@ -0,0 +1,177 @@
+// Copyright 2021-2023 Uwe Gradenegger
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+// http://www.apache.org/licenses/LICENSE-2.0
+
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
+using System.Collections.Generic;
+using System.Runtime.InteropServices;
+using CERTENROLLLib;
+using TameMyCerts.Enums;
+
+namespace TameMyCerts.ClassExtensions
+{
+ internal static class CX509CertificateRequestPkcs10Extensions
+ {
+ public static Dictionary GetRequestExtensions(
+ this IX509CertificateRequestPkcs10 certificateRequestPkcs10)
+ {
+ var extensionList = new Dictionary(StringComparer.InvariantCultureIgnoreCase);
+
+ for (var i = 0; i < certificateRequestPkcs10.X509Extensions.Count; i++)
+ {
+ extensionList.Add(certificateRequestPkcs10.X509Extensions[i].ObjectId.Value,
+ Convert.FromBase64String(certificateRequestPkcs10.X509Extensions[i]
+ .get_RawData(EncodingType.XCN_CRYPT_STRING_BASE64)));
+ }
+
+ return extensionList;
+ }
+
+ public static bool TryInitializeFromInnerRequest(this IX509CertificateRequestPkcs10 certificateRequestPkcs10,
+ string certificateRequest, int requestType)
+ {
+ switch (requestType)
+ {
+ case CertCli.CR_IN_CMC:
+
+ var certificateRequestCmc =
+ (IX509CertificateRequestCmc)Activator.CreateInstance(
+ Type.GetTypeFromProgID("X509Enrollment.CX509CertificateRequestCmc"));
+
+ try
+ {
+ certificateRequestCmc.InitializeDecode(certificateRequest,
+ EncodingType.XCN_CRYPT_STRING_BASE64_ANY);
+
+ var innerRequest = certificateRequestCmc.GetInnerRequest(InnerRequestLevel.LevelInnermost);
+ certificateRequest = innerRequest.get_RawData();
+ }
+ catch
+ {
+ return false;
+ }
+ finally
+ {
+ Marshal.ReleaseComObject(certificateRequestCmc);
+ }
+
+ break;
+
+ case CertCli.CR_IN_PKCS7:
+
+ var certificateRequestPkcs7 =
+ (IX509CertificateRequestPkcs7)Activator.CreateInstance(
+ Type.GetTypeFromProgID("X509Enrollment.CX509CertificateRequestPkcs7"));
+
+ try
+ {
+ certificateRequestPkcs7.InitializeDecode(certificateRequest,
+ EncodingType.XCN_CRYPT_STRING_BASE64_ANY);
+
+ var innerRequest = certificateRequestPkcs7.GetInnerRequest(InnerRequestLevel.LevelInnermost);
+ certificateRequest = innerRequest.get_RawData();
+ }
+ catch
+ {
+ return false;
+ }
+ finally
+ {
+ Marshal.ReleaseComObject(certificateRequestPkcs7);
+ }
+
+ break;
+ }
+
+ try
+ {
+ certificateRequestPkcs10.InitializeDecode(certificateRequest, EncodingType.XCN_CRYPT_STRING_BASE64_ANY);
+ }
+ catch
+ {
+ return false;
+ }
+
+ return true;
+ }
+
+ public static KeyAlgorithmFamily GetKeyAlgorithm(
+ this IX509CertificateRequestPkcs10 certificateRequestPkcs10)
+ {
+ switch (certificateRequestPkcs10.PublicKey.Algorithm.Value)
+ {
+ case WinCrypt.szOID_ECC_PUBLIC_KEY: return KeyAlgorithmFamily.ECC;
+ case WinCrypt.szOID_RSA_RSA: return KeyAlgorithmFamily.RSA;
+ case WinCrypt.szOID_X957_DSA: return KeyAlgorithmFamily.DSA;
+ default: return KeyAlgorithmFamily.UNKNOWN;
+ }
+ }
+
+ public static Dictionary GetInlineRequestAttributeList(
+ this IX509CertificateRequestPkcs10 certificateRequestPkcs10)
+ {
+ Dictionary attributeList = new Dictionary();
+
+ for (var i = 0; i < certificateRequestPkcs10.CryptAttributes.Count; i++)
+ {
+ var cryptAttribute = certificateRequestPkcs10.CryptAttributes[i];
+
+ // Note that there is no need to extract the RequestCSPProvider here as it is automatically added to the extensions table
+ if (cryptAttribute.ObjectId.Value != WinCrypt.szOID_REQUEST_CLIENT_INFO)
+ {
+ continue;
+ }
+
+ string rawData;
+
+ try
+ {
+ rawData = cryptAttribute.Values[0].get_RawData(EncodingType.XCN_CRYPT_STRING_BASE64);
+ }
+ catch
+ {
+ continue;
+ }
+
+ var clientId = new CX509AttributeClientId();
+
+ try
+ {
+ clientId.InitializeDecode(EncodingType.XCN_CRYPT_STRING_BASE64, rawData);
+
+ attributeList.Add("ProcessName", clientId.ProcessName.ToLowerInvariant());
+ attributeList.Add("MachineDnsName", clientId.MachineDnsName);
+ }
+ finally
+ {
+ Marshal.ReleaseComObject(clientId);
+ }
+ }
+
+ return attributeList;
+ }
+
+ public static string GetSubjectDistinguishedName(this IX509CertificateRequestPkcs10 certificateRequestPkcs10)
+ {
+ try
+ {
+ return certificateRequestPkcs10.Subject.Name;
+ }
+ catch
+ {
+ // Subject DN is empty
+ return string.Empty;
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/ClassExtensions/IPAddressExtensions.cs b/ClassExtensions/IPAddressExtensions.cs
new file mode 100644
index 0000000..cab7906
--- /dev/null
+++ b/ClassExtensions/IPAddressExtensions.cs
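Review bot: In `GetRequestExtensions` the `extensionList.Add(...)` call throws `ArgumentException` when the PKCS#10 carries two extensions with the same OID, and the request body is enrollee-supplied, so such a request turns into an exception whose outcome depends on the caller rather than into a deterministic deny; `GetInlineRequestAttributeList` has the same shape with its two `attributeList.Add` calls when more than one `szOID_REQUEST_CLIENT_INFO` attribute is present. Decide the policy here, for example by testing `ContainsKey` first and treating a duplicate as a malformed request the caller can deny, instead of letting the collection raise. The `ProcessName` and `MachineDnsName` values read in `GetInlineRequestAttributeList` are written by the enrolling client into its own request, which a `<summary>` on that method should state so rules built on them are not mistaken for a trust boundary. In `TryInitializeFromInnerRequest` the `innerRequest` objects returned by `GetInnerRequest` are never passed to `Marshal.ReleaseComObject`, unlike the outer CMC and PKCS#7 objects released in the `finally` blocks.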
@@ -0,0 +1,104 @@
+// Copyright 2021-2023 Uwe Gradenegger
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+// http://www.apache.org/licenses/LICENSE-2.0
+
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
+using System.Collections;
+using System.Linq;
+using System.Net;
+using System.Net.Sockets;
+
+namespace TameMyCerts.ClassExtensions
+{
+ internal static class IPAddressExtensions
+ {
+ ///
+ /// This code was adopted from a sample provided by Christoph Sonntag thus all credits go to the original author
+ ///
+ ///
+ ///
+ ///
+ ///
+ public static bool IsInRange(this IPAddress address, string subnetMask)
+ {
+ IPAddress maskAddress;
+ int maskLength;
+
+ try
+ {
+ var parts = subnetMask.Split('/');
+
+ maskAddress = IPAddress.Parse(parts[0]);
+ maskLength = int.Parse(parts[1]);
+ }
+ catch
+ {
+ return false;
+ }
+
+ if (maskLength == 0)
+ {
+ return true;
+ }
+
+ if (maskLength < 0 || maskAddress.AddressFamily != address.AddressFamily)
+ {
+ return false;
+ }
+
+ switch (maskAddress.AddressFamily)
+ {
+ case AddressFamily.InterNetwork:
+ {
+ if (maskLength > 32)
+ {
+ return false;
+ }
+
+ var maskAddressBits = BitConverter.ToInt32(maskAddress.GetAddressBytes(), 0);
+ var ipAddressBits = BitConverter.ToInt32(address.GetAddressBytes(), 0);
+ var maskBits = IPAddress.HostToNetworkOrder(-1 << (32 - maskLength));
+
+ return (ipAddressBits & maskBits) == (maskAddressBits & maskBits);
+ }
+ case AddressFamily.InterNetworkV6:
+ {
+ if (maskLength > 128)
+ {
+ return false;
+ }
+
+ var maskAddressBits = new BitArray(maskAddress.GetAddressBytes().Reverse().ToArray());
+ var ipAddressBits = new BitArray(address.GetAddressBytes().Reverse().ToArray());
+
+ if (maskAddressBits.Length != ipAddressBits.Length)
+ {
+ return false;
+ }
+
+ for (var i = ipAddressBits.Length - 1; i >= ipAddressBits.Length - maskLength; i--)
+ {
+ if (ipAddressBits[i] != maskAddressBits[i])
+ {
+ return false;
+ }
+ }
+
+ return true;
+ }
+ default:
+ return false;
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/TameMyCerts/Enums/CaType.cs b/Enums/CaType.cs
similarity index 91%
rename from TameMyCerts/Enums/CaType.cs
rename to Enums/CaType.cs
index 5d78c92..2f1b9e1 100644
--- a/TameMyCerts/Enums/CaType.cs
+++ b/Enums/CaType.cs
@@ -3,7 +3,7 @@ /// /// Certification authority types from CertSrv.h ///
- public enum CaType
+ internal enum CaType
 {
 ENUM_ENTERPRISE_ROOTCA = 0,
 ENUM_ENTERPRISE_SUBCA = 1,
diff --git a/TameMyCerts/Enums/CertCli.cs b/Enums/CertCli.cs
similarity index 100%
rename from TameMyCerts/Enums/CertCli.cs
rename to Enums/CertCli.cs
diff --git a/TameMyCerts/Enums/CertSrv.cs b/Enums/CertSrv.cs
similarity index 100%
rename from TameMyCerts/Enums/CertSrv.cs
rename to Enums/CertSrv.cs
diff --git a/TameMyCerts/Enums/EditFlag.cs b/Enums/EditFlag.cs
similarity index 97%
rename from TameMyCerts/Enums/EditFlag.cs
rename to Enums/EditFlag.cs
index 4c4f148..25b2648 100644
--- a/TameMyCerts/Enums/EditFlag.cs
+++ b/Enums/EditFlag.cs
@@ -4,7 +4,7 @@ namespace TameMyCerts.Enums { // From CertSrv.h [Flags]
- public enum EditFlag : uint
+ internal enum EditFlag : uint
 {
 EDITF_ENABLEREQUESTEXTENSIONS = 0x00000001,
 EDITF_REQUESTEXTENSIONLIST = 0x00000002,
diff --git a/TameMyCerts/Enums/GeneralFlag.cs b/Enums/GeneralFlag.cs
similarity index 97%
rename from TameMyCerts/Enums/GeneralFlag.cs
rename to Enums/GeneralFlag.cs
index 4ed101f..3393aec 100644
--- a/TameMyCerts/Enums/GeneralFlag.cs
+++ b/Enums/GeneralFlag.cs
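Review bot: In `IsInRange` the `maskLength == 0` shortcut runs before the address-family comparison, so a rule written as `0.0.0.0/0` also matches every IPv6 address and `::/0` matches every IPv4 address, which widens an allow rule beyond what its author wrote. Move the family check ahead of the shortcut: `if (maskLength < 0 || maskAddress.AddressFamily != address.AddressFamily) { return false; } if (maskLength == 0) { return true; }`. `int.Parse(parts[1])` is culture-sensitive and accepts leading signs and whitespace; `int.TryParse(parts[1], NumberStyles.None, CultureInfo.InvariantCulture, out maskLength)` (needs `using System.Globalization;`) would also replace the catch-all with an explicit failure path. The doc comment above the method credits the origin but does not describe the contract; a sentence stating that malformed masks, negative or oversized prefix lengths and family mismatches all return false would make the fail-closed behaviour explicit.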
@@ -3,7 +3,7 @@ /// /// General flags from CertCa.h /// - public enum GeneralFlag : uint + internal enum GeneralFlag : uint { /// /// This is a machine cert type diff --git a/Enums/KeyAlgorithmFamily.cs b/Enums/KeyAlgorithmFamily.cs new file mode 100644 index 0000000..97760c6 --- /dev/null +++ b/Enums/KeyAlgorithmFamily.cs @@ -0,0 +1,24 @@ +// Copyright 2021-2023 Uwe Gradenegger + +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at + +// http://www.apache.org/licenses/LICENSE-2.0 + +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +namespace TameMyCerts.Enums +{ + internal enum KeyAlgorithmFamily + { + UNKNOWN = 0, + RSA = 1, + DSA = 2, + ECC = 3 + } +} \ No newline at end of file diff --git a/Enums/KeyAlgorithmType.cs b/Enums/KeyAlgorithmType.cs new file mode 100644 index 0000000..8c83400 --- /dev/null +++ b/Enums/KeyAlgorithmType.cs 
@@ -0,0 +1,62 @@ +// Copyright 2021-2023 Uwe Gradenegger + +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at + +// http://www.apache.org/licenses/LICENSE-2.0 + +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +namespace TameMyCerts.Enums +{ + /// + /// Public key algorithm types supported by the Microsoft certification authority. + /// + internal enum KeyAlgorithmType + { + /// + /// The RSA algorithm. + /// + RSA = 1, + + /// + /// The DSA algorithm. + /// + DSA = 2, + + /// + /// The elliptic curve digital signature algorithm using the nistp256 curve. + /// + ECDSA_P256 = 3, + + /// + /// The elliptic curve digital signature algorithm using the nistp384 curve. + /// + ECDSA_P384 = 4, + + /// + /// The elliptic curve digital signature algorithm using the nistp521 curve. + /// + ECDSA_P521 = 5, + + /// + /// The elliptic curve diffie hellman algorithm using the nistp256 curve. + /// + ECDH_P256 = 6, + + /// + /// The elliptic curve diffie hellman algorithm using the nistp384 curve. + /// + ECDH_P384 = 7, + + /// + /// The elliptic curve diffie hellman algorithm using the nistp521 curve. + /// + ECDH_P521 = 8 + } +} \ No newline at end of file diff --git a/TameMyCerts/Enums/OleAut32.cs b/Enums/OleAut32.cs similarity index 93% rename from TameMyCerts/Enums/OleAut32.cs rename to Enums/OleAut32.cs index 080dde6..b072934 100644 --- a/TameMyCerts/Enums/OleAut32.cs +++ b/Enums/OleAut32.cs 
@@ -6,8 +6,6 @@ namespace TameMyCerts.Enums // Kudos to Vadims Podans for his research and support! internal class OleAut32 { - public const short VT_BSTR = 0x8; - [DllImport("OleAut32.dll", SetLastError = true)] public static extern int VariantClear(IntPtr pvarg); diff --git a/TameMyCerts/Enums/SubjectNameFlag.cs b/Enums/SubjectNameFlag.cs similarity index 98% rename from TameMyCerts/Enums/SubjectNameFlag.cs rename to Enums/SubjectNameFlag.cs index d9d0b72..581df7d 100644 --- a/TameMyCerts/Enums/SubjectNameFlag.cs +++ b/Enums/SubjectNameFlag.cs @@ -6,7 +6,7 @@ namespace TameMyCerts.Enums /// Certificate Subject Name Flags from CertCa.h /// [Flags] - public enum SubjectNameFlag : uint + internal enum SubjectNameFlag : uint { /// /// The enrolling application must supply the subject name. diff --git a/TameMyCerts/Enums/UserAccountControl.cs b/Enums/UserAccountControl.cs similarity index 96% rename from TameMyCerts/Enums/UserAccountControl.cs rename to Enums/UserAccountControl.cs index 462d785..8075537 100644 --- a/TameMyCerts/Enums/UserAccountControl.cs +++ b/Enums/UserAccountControl.cs @@ -3,7 +3,7 @@ namespace TameMyCerts.Enums { [Flags] - public enum UserAccountControl + internal enum UserAccountControl { SCRIPT = 0x0001, ACCOUNTDISABLE = 0x0002, diff --git a/TameMyCerts/Enums/WinCrypt.cs b/Enums/WinCrypt.cs similarity index 81% rename from TameMyCerts/Enums/WinCrypt.cs rename to Enums/WinCrypt.cs index df37ab0..ebcf696 100644 --- a/TameMyCerts/Enums/WinCrypt.cs +++ b/Enums/WinCrypt.cs @@ -1,4 +1,4 @@ -// Copyright 2021 Uwe Gradenegger +// Copyright 2021-2023 Uwe Gradenegger // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. 
@@ -20,11 +20,14 @@ namespace TameMyCerts.Enums internal static class WinCrypt { public const string szOID_RSA_RSA = "1.2.840.113549.1.1.1"; + public const string szOID_X957_DSA = "1.2.840.10040.4.1"; public const string szOID_ECC_PUBLIC_KEY = "1.2.840.10045.2.1"; public const string szOID_OS_VERSION = "1.3.6.1.4.1.311.13.2.3"; public const string szOID_ENROLLMENT_CSP_PROVIDER = "1.3.6.1.4.1.311.13.2.2"; public const string szOID_REQUEST_CLIENT_INFO = "1.3.6.1.4.1.311.21.20"; public const string szOID_DS_CA_SECURITY_EXT = "1.3.6.1.4.1.311.25.2"; public const string szOID_SUBJECT_ALT_NAME2 = "2.5.29.17"; + public const string szOID_CRL_DIST_POINTS = "2.5.29.31"; + public const string szOID_AUTHORITY_INFO_ACCESS = "1.3.6.1.5.5.7.1.1"; } } \ No newline at end of file diff --git a/TameMyCerts/Enums/WinError.cs b/Enums/WinError.cs similarity index 89% rename from TameMyCerts/Enums/WinError.cs rename to Enums/WinError.cs index 3f46053..59f9272 100644 --- a/TameMyCerts/Enums/WinError.cs +++ b/Enums/WinError.cs @@ -1,4 +1,4 @@ -// Copyright 2021 Uwe Gradenegger +// Copyright 2021-2023 Uwe Gradenegger // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -39,11 +39,6 @@ internal static class WinError /// public const int CERTSRV_E_TEMPLATE_DENIED = unchecked((int)0x80094012); - /// - /// The request subject name is invalid or too long. - /// - public const int CERTSRV_E_BAD_REQUESTSUBJECT = unchecked((int)0x80094001); - /// /// The requested certificate template is not supported by this CA. /// diff --git a/TameMyCerts/LocalizedStrings.Designer.cs b/LocalizedStrings.Designer.cs similarity index 82% rename from TameMyCerts/LocalizedStrings.Designer.cs rename to LocalizedStrings.Designer.cs index 5ebbf51..0b9d594 100644 --- a/TameMyCerts/LocalizedStrings.Designer.cs +++ b/LocalizedStrings.Designer.cs 
@@ -114,6 +114,24 @@ internal static string DirVal_Account_Groups_Not_Allowed { } } + /// + /// Looks up a localized string similar to The value "{0}" does match the expression {1} which disallowed for the object name of {2}.. + /// + internal static string DirVal_Disallow_Match { + get { + return ResourceManager.GetString("DirVal_Disallow_Match", resourceCulture); + } + } + + /// + /// Looks up a localized string similar to The {0} account for {1} is member of the forbidden organizational unit {2}.. + /// + internal static string DirVal_Disallow_Match_OU { + get { + return ResourceManager.GetString("DirVal_Disallow_Match_OU", resourceCulture); + } + } + /// /// Looks up a localized string similar to An invalid directory attribute was specified in request policy: {0}.. /// @@ -141,6 +159,15 @@ internal static string DirVal_Invalid_Result_Count { } } + /// + /// Looks up a localized string similar to The mandatory "{0}" attribute is not present on {1}. Unable to apply syntax rules.. + /// + internal static string DirVal_Invalid_Rule_Attribute { + get { + return ResourceManager.GetString("DirVal_Invalid_Rule_Attribute", resourceCulture); + } + } + /// /// Looks up a localized string similar to No matching identity found for the {0} attribute in certificate request.. /// 
@@ -150,6 +177,24 @@ internal static string DirVal_No_Cert_Identity { } } + /// + /// Looks up a localized string similar to The value "{0}" does not match any of the allowed patterns for the object name of {1}.. + /// + internal static string DirVal_No_Match { + get { + return ResourceManager.GetString("DirVal_No_Match", resourceCulture); + } + } + + /// + /// Looks up a localized string similar to The {0} account for {1} is not member of any allowed organizational unit.. + /// + internal static string DirVal_No_Match_OU { + get { + return ResourceManager.GetString("DirVal_No_Match_OU", resourceCulture); + } + } + /// /// Looks up a localized string similar to No {0} account with {1} of {2} was found in the directory. Search root is {3}.. /// 
@@ -195,6 +240,33 @@ internal static string DirVal_Rdn_Invalid_Field { } } + /// + /// Looks up a localized string similar to The attempt to add the mandatory directory attribute "{0}" to the mandatory "{1}" subject alternative name type failed for {2}. This may be because of an incompatibility of data types.. + /// + internal static string DirVal_San_Failed_to_add { + get { + return ResourceManager.GetString("DirVal_San_Failed_to_add", resourceCulture); + } + } + + /// + /// Looks up a localized string similar to The directory attribute "{0}" that was specified for construction of the mandatory "{1}" subject alternative name is either not supported or not populated for {2}.. + /// + internal static string DirVal_San_Invalid_Directory_Attribute { + get { + return ResourceManager.GetString("DirVal_San_Invalid_Directory_Attribute", resourceCulture); + } + } + + /// + /// Looks up a localized string similar to The field name "{0}" that was specified for construction of the mandatory subject alternative name for {1} is unsupported.. + /// + internal static string DirVal_San_Invalid_Field { + get { + return ResourceManager.GetString("DirVal_San_Invalid_Field", resourceCulture); + } + } + /// /// Looks up a localized string similar to The {0} policy module currently does not support standalone certification authorities.. /// @@ -262,7 +334,7 @@ internal static string Events_PDEF_SUCCESS_INIT { } /// - /// Looks up a localized string similar to Unable to find policy file for {0}. Request {1} will get issued. Expected policy file name: "{2}". + /// Looks up a localized string similar to Unable to find policy file for {0}. Request {1} will get issued.. /// internal static string Events_POLICY_NOT_FOUND { get { 
@@ -291,7 +363,8 @@ internal static string Events_REQUEST_DENIED_AUDIT { } /// - /// Looks up a localized string similar to Unable to interpret policy from {0}. Request {1} will get denied.. + /// Looks up a localized string similar to Request {0} will get denied. Unable to interpret policy for {1} because: + ///{2}. /// internal static string Events_REQUEST_DENIED_NO_POLICY { get { @@ -326,6 +399,15 @@ internal static string Events_VALIDITY_REDUCED { } } + /// + /// Looks up a localized string similar to The resulting certificate wouldn't contain any identity in form of a commonName or a Subject Alternative Name.. + /// + internal static string FinVal_No_Identity { + get { + return ResourceManager.GetString("FinVal_No_Identity", resourceCulture); + } + } + /// /// Looks up a localized string similar to Cryptographic provider "{0}" used to create the certificate request is explicitly disallowed.. /// @@ -480,7 +562,7 @@ internal static string ReqVal_Forbidden_Extensions { } /// - /// Looks up a localized string similar to The certificate request does not use a {0} key pair, which is required by policy.. + /// Looks up a localized string similar to The certificate request does not use a {0} key pair as required by the certificate template, but a {1} key pair.. /// internal static string ReqVal_Key_Pair_Mismatch { get { 
@@ -550,5 +632,23 @@ internal static string ReqVal_Unsupported_San_Type { return ResourceManager.GetString("ReqVal_Unsupported_San_Type", resourceCulture); } } + + /// + /// Looks up a localized string similar to The field name "{0}" that was specified for construction of a static subject relative distinguished is unsupported.. + /// + internal static string StatVal_Rdn_Invalid_Field { + get { + return ResourceManager.GetString("StatVal_Rdn_Invalid_Field", resourceCulture); + } + } + + /// + /// Looks up a localized string similar to The value "{0}" for that was specified for construction of the static subject relative distinguished name with type "{1}" is too long. The maximum length is {2} characters for this RDN but the attribute is {3} characters long.. + /// + internal static string StatVal_Rdn_Value_Too_Long { + get { + return ResourceManager.GetString("StatVal_Rdn_Value_Too_Long", resourceCulture); + } + } } } diff --git a/TameMyCerts/LocalizedStrings.resx b/LocalizedStrings.resx similarity index 85% rename from TameMyCerts/LocalizedStrings.resx rename to LocalizedStrings.resx index 06797e4..1406723 100644 --- a/TameMyCerts/LocalizedStrings.resx +++ b/LocalizedStrings.resx @@ -136,7 +136,7 @@ {0} policy module version {1} is ready to process incoming certificate requests. - Unable to find policy file for {0}. Request {1} will get issued. Expected policy file name: "{2}" + Unable to find policy file for {0}. Request {1} will get issued. Request {0} for {1} was denied because: @@ -147,7 +147,8 @@ {2} - Unable to interpret policy from {0}. Request {1} will get denied. + Request {0} will get denied. Unable to interpret policy for {1} because: +{2} No certificate template information for request {0} could be retrieved from the certification authority service. The request will get denied. 
@@ -156,7 +157,7 @@ Unable to parse the given certificate request. Request type was {0}. - The certificate request does not use a {0} key pair, which is required by policy. + The certificate request does not use a {0} key pair as required by the certificate template, but a {1} key pair. Key length of {0} Bits is less than the required minimum length of {1} Bits. @@ -284,4 +285,37 @@ No {0} account with {1} of {2} was found in the directory. Search root is {3}. + + The value "{0}" does match the expression {1} which disallowed for the object name of {2}. + + + The value "{0}" does not match any of the allowed patterns for the object name of {1}. + + + The {0} account for {1} is member of the forbidden organizational unit {2}. + + + The {0} account for {1} is not member of any allowed organizational unit. + + + The mandatory "{0}" attribute is not present on {1}. Unable to apply syntax rules. + + + The field name "{0}" that was specified for construction of a static subject relative distinguished is unsupported. + + + The value "{0}" for that was specified for construction of the static subject relative distinguished name with type "{1}" is too long. The maximum length is {2} characters for this RDN but the attribute is {3} characters long. + + + The attempt to add the mandatory directory attribute "{0}" to the mandatory "{1}" subject alternative name type failed for {2}. This may be because of an incompatibility of data types. + + + The directory attribute "{0}" that was specified for construction of the mandatory "{1}" subject alternative name is either not supported or not populated for {2}. + + + The field name "{0}" that was specified for construction of the mandatory subject alternative name for {1} is unsupported. + + + The resulting certificate wouldn't contain any identity in form of a commonName or a Subject Alternative Name. + \ No newline at end of file diff --git a/Logger.cs b/Logger.cs new file mode 100644 index 0000000..1bd0cab --- /dev/null 
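Review bot: Three of the new strings in the `@@ -284` hunk read incorrectly and will be written verbatim to the Application event log: the object-name message lacks a verb (`The value "{0}" matches the expression {1}, which is disallowed for the object name of {2}.`), the static-RDN message drops the word "name" (`... of a static subject relative distinguished name is unsupported.`) and the too-long message carries a stray "for" (`The value "{0}" that was specified for construction of the static subject relative distinguished name ...`). The matching summaries in the generated LocalizedStrings.Designer.cs hunks above (`@@ -326` and `@@ -550`) are produced from this file and will follow once the resx is corrected.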
+++ b/Logger.cs
@@ -0,0 +1,66 @@
+// Copyright 2021-2023 Uwe Gradenegger
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+// http://www.apache.org/licenses/LICENSE-2.0
+
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System.Diagnostics;
+using System.Security;
+using TameMyCerts.Enums;
+using TameMyCerts.Models;
+
+namespace TameMyCerts
+{
+ internal class Logger
+ {
+ private readonly EventLog _eventLog;
+ private readonly int _logLevel;
+
+ public Logger(string eventSource, int logLevel = CertSrv.CERTLOG_WARNING)
+ {
+ const string logName = "Application";
+
+ _logLevel = logLevel;
+
+ _eventLog = new EventLog(logName)
+ {
+ Source = CreateEventSource(eventSource, logName)
+ };
+ }
+
+ public void Log(Event logEvent, params object[] args)
+ {
+ if (_logLevel >= logEvent.LogLevel)
+ {
+ _eventLog.WriteEntry(string.Format(logEvent.MessageText, args), logEvent.Type, logEvent.Id);
+ }
+ }
+
+ private static string CreateEventSource(string currentAppName, string logName)
+ {
+ var eventSource = currentAppName;
+
+ try
+ {
+ if (!EventLog.SourceExists(eventSource))
+ {
+ EventLog.CreateEventSource(eventSource, logName);
+ }
+ }
+ catch (SecurityException)
+ {
+ eventSource = "Application";
+ }
+
+ return eventSource;
+ }
+ }
+}
\ No newline at end of file
diff --git a/TameMyCerts/Models/ActiveDirectoryObject.cs b/Models/ActiveDirectoryObject.cs
similarity index 73%
rename from TameMyCerts/Models/ActiveDirectoryObject.cs
rename to Models/ActiveDirectoryObject.cs
index 2f04815..7f58496 100644
--- a/TameMyCerts/Models/ActiveDirectoryObject.cs
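Review bot: `Log` calls `string.Format(logEvent.MessageText, args)` with no guard, so a placeholder/argument count mismatch raises FormatException from inside the logging call, that is, in the CA's request-processing path rather than as a log entry; the event texts in this commit are being reworked (the `{2}` added to Events_REQUEST_DENIED_NO_POLICY is one example), which is exactly when such mismatches slip in. Formatting should be isolated so a logging bug cannot take the policy module down, and `WriteEntry` itself rejects over-long messages, so that call deserves the same consideration. `_eventLog` is an `EventLog` that is never disposed and the class carries no XML documentation; at minimum a `<summary>` on `Logger` stating that the log level is compared against `CertSrv` levels and that the source silently falls back to "Application" when the process lacks rights to register one would document behaviour a CA administrator needs to know.
```csharp
public void Log(Event logEvent, params object[] args)
{
    if (_logLevel < logEvent.LogLevel)
    {
        return;
    }

    string message;

    try
    {
        message = string.Format(logEvent.MessageText, args);
    }
    catch (FormatException)
    {
        // A placeholder/argument mismatch is a bug in the caller, not a reason to fail the request.
        message = logEvent.MessageText;
    }

    _eventLog.WriteEntry(message, logEvent.Type, logEvent.Id);
}
```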
+++ b/Models/ActiveDirectoryObject.cs @@ -1,4 +1,4 @@ -// Copyright 2021 Uwe Gradenegger +// Copyright 2021-2023 Uwe Gradenegger // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -18,6 +18,7 @@ using System.Linq; using System.Runtime.InteropServices; using System.Security.Principal; +using System.Text; using TameMyCerts.Enums; namespace TameMyCerts.Models @@ -50,7 +51,9 @@ public ActiveDirectoryObject(string forestRootDomain, string dsAttribute, string } var attributesToRetrieve = new List - {"memberOf", "userAccountControl", "objectSid", "distinguishedName"}; + { + "memberOf", "userAccountControl", "objectSid", "distinguishedName", "servicePrincipalName" + }; // Only load extended attributes if we have a use for them (e.g. modifying Subject DN from AD attributes) attributesToRetrieve.AddRange(loadExtendedAttributes 
@@ -69,28 +72,38 @@ public ActiveDirectoryObject(string forestRootDomain, string dsAttribute, string MemberOf.Add(dsObject.Properties["memberOf"][index].ToString()); } + for (var index = 0; index < dsObject.Properties["servicePrincipalName"].Count; index++) + { + ServicePrincipalNames.Add(dsObject.Properties["servicePrincipalName"][index].ToString()); + } + foreach (var s in DsRetrievalAttributes.Where(s => dsObject.Properties[s].Count > 0)) { Attributes.Add(s, (string) dsObject.Properties[s][0]); } } + // To inject Unit tests public ActiveDirectoryObject(string distinguishedName, UserAccountControl userAccountControl, - List memberOf, Dictionary attributes, SecurityIdentifier securityIdentifier) + List memberOf, Dictionary attributes, SecurityIdentifier securityIdentifier, + List servicePrincipalNames) { DistinguishedName = distinguishedName; UserAccountControl = userAccountControl; MemberOf = memberOf; Attributes = attributes; SecurityIdentifier = securityIdentifier; + ServicePrincipalNames = servicePrincipalNames; } public string DistinguishedName { get; } - public UserAccountControl UserAccountControl { get; set; } + public UserAccountControl UserAccountControl { get; } public List MemberOf { get; } = new List(); + public List ServicePrincipalNames { get; } = new List(); + public Dictionary Attributes { get; } = new Dictionary(StringComparer.InvariantCultureIgnoreCase); @@ -118,7 +131,7 @@ public ActiveDirectoryObject(string distinguishedName, UserAccountControl userAc private static SearchResult GetDirectoryEntry(string searchRoot, string dsAttribute, string identity, string objectCategory, List searchProperties) { - var filter = $"(&({dsAttribute}={identity})(objectCategory={objectCategory}))"; + var filter = $"(&({dsAttribute}={EscapeForLdapSearchFilter(identity)})(objectCategory={objectCategory}))"; SearchResultCollection searchResults; try 
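Review bot: In the `@@ -118` hunk the escaping now covers `identity`, which is the right place since that value is derived from the certificate request, but `dsAttribute` and `objectCategory` are still interpolated raw into the same filter string; they appear to come from the policy configuration rather than from the request, so this is a trust assumption worth stating in a comment such as `// dsAttribute and objectCategory come from the administrator-controlled policy; only identity is request-controlled and needs escaping`. If either value can in practice be supplied from outside the policy file, it needs the same escaping or an allow-list of attribute names. In the `@@ -69` hunk the test constructor assigns `servicePrincipalNames` without a null guard while the property initializer defaults to an empty list, so `ServicePrincipalNames = servicePrincipalNames ?? new List<string>();` keeps test-injected objects shaped like production ones.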
@@ -159,5 +172,48 @@ private static SearchResult GetDirectoryEntry(string searchRoot, string dsAttrib return searchResults[0]; } + + /// + /// Escapes the LDAP search filter to prevent LDAP injection attacks. + /// + /// The search filter. + /// + /// + /// + /// The escaped search filter. + private static string EscapeForLdapSearchFilter(string input) + { + var output = new StringBuilder(); + + foreach (var character in input) + { + switch (character) + { + case '\\': + output.Append(@"\5c"); + break; + case '*': + output.Append(@"\2a"); + break; + case '(': + output.Append(@"\28"); + break; + case ')': + output.Append(@"\29"); + break; + case '\u0000': + output.Append(@"\00"); + break; + case '/': + output.Append(@"\2f"); + break; + default: + output.Append(character); + break; + } + } + + return output.ToString(); + } } } \ No newline at end of file diff --git a/Models/CertificateAuthorityConfiguration.cs b/Models/CertificateAuthorityConfiguration.cs new file mode 100644 index 0000000..05c414c --- /dev/null +++ b/Models/CertificateAuthorityConfiguration.cs 
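Review bot: `EscapeForLdapSearchFilter` dereferences `input` in the `foreach` without a null check, so `GetDirectoryEntry` now throws NullReferenceException for a null identity where the previous interpolation produced an empty value; add `if (input == null) { throw new ArgumentNullException(nameof(input)); }` at the top (or return `string.Empty` if that is what the caller relies on). The escape set is the RFC 4515 one (`\`, `*`, `(`, `)`, NUL) plus `/`, which is harmless because the server decodes `\2f` back to the literal character; a comment such as `// RFC 4515 section 3 escape set; '/' is escaped additionally as a precaution` makes the choice reviewable. As a private static with no dependencies it is an ideal unit-test target for inputs like `*`, `a)(b` and a lone backslash, so consider `internal static` so the test project can reach it.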
@@ -0,0 +1,112 @@ +// Copyright 2021-2023 Uwe Gradenegger + +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at + +// http://www.apache.org/licenses/LICENSE-2.0 + +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +using System; +using System.IO; +using CERTCLILib; +using Microsoft.Win32; +using TameMyCerts.ClassExtensions; +using TameMyCerts.Enums; + +namespace TameMyCerts.Models +{ + internal class CertificateAuthorityConfiguration + { + private const string CONFIG_ROOT = + "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\CertSvc\\Configuration"; + + public CertificateAuthorityConfiguration(string strConfig, string appName) + { + var serverPolicy = new CCertServerPolicy(); + serverPolicy.SetContext(0); + + CaCertIndex = serverPolicy.GetLongCertificatePropertyOrDefault("CertCount") - 1; + CrlIndex = serverPolicy.GetLongCertificatePropertyOrDefault($"CRLIndex.{CaCertIndex}"); + SanitizedCaName = serverPolicy.GetStringCertificatePropertyOrDefault("SanitizedShortName"); + + // TODO: Use registry only for the properties that cannot ready directly from CCertServerPolicy + + var serverRoot = $"{CONFIG_ROOT}\\{strConfig}"; + var policyModulesRoot = $"{serverRoot}\\PolicyModules"; + + var activePolicyModuleName = (string) Registry.GetValue(policyModulesRoot, "Active", appName); + var activePolicyModuleRoot = $"{policyModulesRoot}\\{activePolicyModuleName}"; + + LogLevel = (int) Registry.GetValue($"{serverRoot}", "LogLevel", CertSrv.CERTLOG_WARNING); + Type = (CaType) (int) Registry.GetValue($"{serverRoot}", "CAType", (int) CaType.ENUM_STANDALONE_ROOTCA); + 
ServerDnsName = (string) Registry.GetValue(serverRoot, "CAServerName", string.Empty); + CaName = (string) Registry.GetValue(serverRoot, "CommonName", string.Empty); + ConfigurationContainer = (string) Registry.GetValue(serverRoot, "DSConfigDN", string.Empty); + PolicyDirectory = (string) Registry.GetValue(activePolicyModuleRoot, "PolicyDirectory", Path.GetTempPath()); + EditFlags = (EditFlag) (int) Registry.GetValue(activePolicyModuleRoot, "EditFlags", 0); + } + + // TODO: Merge the two testing constructors, move default values to Unit test project + // To inject Unit tests + public CertificateAuthorityConfiguration(EditFlag editFlags) + { + LogLevel = 3; + Type = CaType.ENUM_ENTERPRISE_SUBCA; + PolicyDirectory = string.Empty; + EditFlags = editFlags; + } + + // To inject Unit tests + public CertificateAuthorityConfiguration(int caCertIndex, int crlIndex, string caName, string sanitizedCaName, + string serverShortName, string serverDnsName, string configurationContainer) + { + LogLevel = 3; + Type = CaType.ENUM_ENTERPRISE_SUBCA; + PolicyDirectory = string.Empty; + EditFlags = 0; + CaCertIndex = caCertIndex; + CrlIndex = crlIndex; + CaName = caName; + SanitizedCaName = sanitizedCaName; + ServerShortName = serverShortName; + ServerDnsName = serverDnsName; + ConfigurationContainer = configurationContainer; + } + + public string PolicyDirectory { get; } + public EditFlag EditFlags { get; } + public CaType Type { get; } + public bool IsSupportedCaType => Type == CaType.ENUM_ENTERPRISE_ROOTCA || Type == CaType.ENUM_ENTERPRISE_SUBCA; + public int LogLevel { get; } + private string ServerShortName { get; } = Environment.MachineName; + private string ServerDnsName { get; } + private string CaName { get; } + private string SanitizedCaName { get; } + private string ConfigurationContainer { get; } + private string CrlNameSuffix => CrlIndex == 0 ? string.Empty : $"({CrlIndex})"; + private string CertificateName => CaCertIndex == 0 ? 
string.Empty : $"({CaCertIndex})"; + private int CaCertIndex { get; } + private int CrlIndex { get; } + + public string ReplaceTokenValues(string input) + { + return input + .Replace("%11", "?cACertificate?base?objectClass=certificationAuthority") + .Replace("%10", "?certificateRevocationList?base?objectClass=cRLDistributionPoint") + .Replace("%9", string.Empty) // not relevant as we issue only certificates, not CRLs + .Replace("%8", CrlNameSuffix) + .Replace("%7", SanitizedCaName) + .Replace("%6", ConfigurationContainer) + .Replace("%4", CertificateName) + .Replace("%3", CaName) + .Replace("%2", ServerShortName) + .Replace("%1", ServerDnsName); + } + } +} \ No newline at end of file diff --git a/Models/CertificateDatabaseRow.cs b/Models/CertificateDatabaseRow.cs new file mode 100644 index 0000000..f7e3158 --- /dev/null +++ b/Models/CertificateDatabaseRow.cs 
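Review bot: `PolicyDirectory` falls back to `Path.GetTempPath()` when the registry value is absent, which makes the module silently read policy files from the service account's temp directory; depending on the account certsvc runs as, that location may be writable by principals who are not CA administrators, and with the new `StaticSubject`/`StaticSubjectAlternativeName` policy settings a planted file could add content to issued certificates. An unset value is a configuration error rather than a runtime default, so prefer failing closed or defaulting to `string.Empty` as the test constructors do and emitting a log event, e.g. `PolicyDirectory = (string) Registry.GetValue(activePolicyModuleRoot, "PolicyDirectory", string.Empty);`. The `(int)` and `(CaType) (int)` casts a few lines earlier throw NullReferenceException when the key named by `serverRoot` does not exist (`Registry.GetValue` returns null for a missing key; the default applies only to a missing value), and the `(string)` casts throw InvalidCastException for a value of another registry type, so the constructor deserves an XML `<exception>` note or explicit checks.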
@@ -0,0 +1,405 @@ +using System; +using System.Collections.Generic; +using System.Linq; +using System.Runtime.InteropServices; +using System.Text; +using CERTCLILib; +using CERTENROLLLib; +using TameMyCerts.ClassExtensions; +using TameMyCerts.Enums; +using TameMyCerts.X509; + +namespace TameMyCerts.Models +{ + internal class CertificateDatabaseRow + { + public CertificateDatabaseRow(CCertServerPolicy serverPolicy) + { + NotBefore = serverPolicy.GetDateCertificatePropertyOrDefault("NotBefore"); + NotAfter = serverPolicy.GetDateCertificatePropertyOrDefault("NotAfter"); + KeyLength = serverPolicy.GetLongCertificatePropertyOrDefault("PublicKeyLength"); + RawRequest = serverPolicy.GetBinaryRequestPropertyOrDefault("RawRequest"); + RequestType = serverPolicy.GetLongRequestPropertyOrDefault("RequestType") ^ CertCli.CR_IN_FULLRESPONSE; + Upn = serverPolicy.GetStringCertificatePropertyOrDefault("UPN") ?? string.Empty; + DistinguishedName = serverPolicy.GetStringRequestPropertyOrDefault("Request.DistinguishedName") ?? 
+ string.Empty; + CertificateTemplate = serverPolicy.GetStringCertificatePropertyOrDefault("CertificateTemplate"); + + RequestAttributes = serverPolicy.GetRequestAttributes(); + CertificateExtensions = serverPolicy.GetCertificateExtensions(); + KeyAlgorithm = + GetKeyAlgorithmFamily(serverPolicy.GetStringCertificatePropertyOrDefault("PublicKeyAlgorithm")); + SubjectRelativeDistinguishedNames = serverPolicy.GetSubjectRelativeDistinguishedNames(); + SubjectAlternativeNameExtension = GetSubjectAlternativeNameExtension(); + } + + // To inject unit tests + public CertificateDatabaseRow(string request, int requestType, + Dictionary requestAttributes = null) + { + NotBefore = DateTimeOffset.Now; + NotAfter = DateTimeOffset.Now.AddYears(1); + + var certificateRequestPkcs10 = new CX509CertificateRequestPkcs10(); + + if (certificateRequestPkcs10.TryInitializeFromInnerRequest(request, requestType)) + { + CertificateExtensions = certificateRequestPkcs10.GetRequestExtensions(); + KeyAlgorithm = certificateRequestPkcs10.GetKeyAlgorithm(); + KeyLength = certificateRequestPkcs10.PublicKey.Length; + DistinguishedName = certificateRequestPkcs10.GetSubjectDistinguishedName(); + SubjectRelativeDistinguishedNames = DistinguishedName.Equals(string.Empty) + ? 
new List>() + : GetDnComponents(DistinguishedName); + SubjectAlternativeNameExtension = GetSubjectAlternativeNameExtension(); + RawRequest = Convert.FromBase64String(certificateRequestPkcs10.get_RawData()); + RequestType = CertCli.CR_IN_PKCS10; + } + + Marshal.ReleaseComObject(certificateRequestPkcs10); + + // This is to ensure string comparison against request attributes will be processed case-insensitive + RequestAttributes = new Dictionary(StringComparer.InvariantCultureIgnoreCase); + + if (requestAttributes != null) + { + foreach (var keyValuePair in requestAttributes.Where(keyValuePair => + !RequestAttributes.ContainsKey(keyValuePair.Key))) + { + RequestAttributes.Add(keyValuePair.Key, keyValuePair.Value); + } + } + } + + public DateTimeOffset NotBefore { get; } + + /// + /// The NotAfter Date as read from the CA database record. + /// + public DateTimeOffset NotAfter { get; } + + /// + /// A list of request attributes as read from the CA database record. + /// + public Dictionary RequestAttributes { get; } + + /// + /// The X.509 certificate extensions before TameMyCerts has processed the certificate request (as they come from the + /// Windows Default policy module) + /// + public Dictionary CertificateExtensions { get; } + + public KeyAlgorithmFamily KeyAlgorithm { get; } + + /// + /// A list of all Subject Relative Distinguished names in the certificate request. Can either be populated from the + /// data read from the CA database record or parsed from an actual certificate request. + /// + public List> SubjectRelativeDistinguishedNames { get; } + + public List> SubjectAlternativeNames => + SubjectAlternativeNameExtension.AlternativeNames; + + public int KeyLength { get; } + + /// + /// The Subject Alternative Name certificate extension class. It allows to inspect or add or remove entries during + /// processing. Only available if the Initialize method has been called before. 
+ /// + public X509CertificateExtensionSubjectAlternativeName SubjectAlternativeNameExtension { get; } + + /// + /// The raw certificate request in binary form. + /// + public byte[] RawRequest { get; } + + /// + /// The request type as defined in certcli.h (PKCS#10, PKCS#7 or CMS). + /// + public int RequestType { get; } + + /// + /// The UPN database column. Contains the UPN of the requesting user or machine. + /// + public string Upn { get; } = string.Empty; + + /// + /// The Subject Distinguished name as comma-separated string. + /// + public string DistinguishedName { get; } + + /// + /// The identifier for the certificate template used. V1 templates are identified by their name, V2 and higher + /// templates are identified by their OID. + /// + public string CertificateTemplate { get; } + + /// + /// Inline request attributes (like process name). These are read on-demand from the inline certificate request. There + /// are rare cases in which it is not possible to parse the inline request. The property returns an empty collection in + /// this case. + /// + public Dictionary InlineRequestAttributes + { + get + { + // Early binding would raise an E_NOINTERFACE exception on Windows 2012 R2 and earlier + var certificateRequestPkcs10 = + (IX509CertificateRequestPkcs10)Activator.CreateInstance( + Type.GetTypeFromProgID("X509Enrollment.CX509CertificateRequestPkcs10")); + + var attributeList = new Dictionary(); + + if (certificateRequestPkcs10.TryInitializeFromInnerRequest( + Convert.ToBase64String(RawRequest), RequestType)) + { + attributeList = certificateRequestPkcs10.GetInlineRequestAttributeList(); + } + + Marshal.ReleaseComObject(certificateRequestPkcs10); + + return attributeList; + } + } + + /// + /// The Subject RDNs taken from the inline certificate request, which may become useful when requesting custom RDNs. + /// + public List> InlineSubjectRelativeDistinguishedNames => + DistinguishedName.Equals(string.Empty) + ? 
new List>() + : GetDnComponents(DistinguishedName); + + /// + /// A list of all identities contained in the certificate request (containing Subject and SAN). In case of an online + /// template, this returns only the UPN or dNSName of the requesting entity. + /// + /// + /// + /// + public List> GetIdentities(bool isOffline = false, bool isUserScope = false) + { + var result = new List>(); + + if (isOffline) + { + result.AddRange(SubjectRelativeDistinguishedNames); + result.AddRange(SubjectAlternativeNames); + } + else + { + result.Add(isUserScope + ? new KeyValuePair("userPrincipalName", Upn) + : new KeyValuePair("dNSName", Upn.Replace("$@", "."))); + } + + return result; + } + + private static KeyAlgorithmFamily GetKeyAlgorithmFamily(string oid) + { + switch (oid) + { + case WinCrypt.szOID_RSA_RSA: + return KeyAlgorithmFamily.RSA; + + case WinCrypt.szOID_X957_DSA: + return KeyAlgorithmFamily.DSA; + + case WinCrypt.szOID_ECC_PUBLIC_KEY: + return KeyAlgorithmFamily.ECC; + + default: + return KeyAlgorithmFamily.UNKNOWN; + } + } + + private X509CertificateExtensionSubjectAlternativeName GetSubjectAlternativeNameExtension() + { + if (!CertificateExtensions.ContainsKey(WinCrypt.szOID_SUBJECT_ALT_NAME2)) + { + return new X509CertificateExtensionSubjectAlternativeName(); + } + + try + { + return new X509CertificateExtensionSubjectAlternativeName( + CertificateExtensions.First(x => x.Key.Equals(WinCrypt.szOID_SUBJECT_ALT_NAME2)).Value); + } + catch + { + throw new Exception(LocalizedStrings.ReqVal_Err_Parse_San); + } + } + + private static string SubstituteRdnTypeAliases(string rdnType) + { + // Convert all known aliases used by the Microsoft API to the "official" name as specified in ITU-T X.520 and/or RFC 4519 + // https://www.itu.int/itu-t/recommendations/rec.aspx?rec=X.520 + // https://datatracker.ietf.org/doc/html/rfc4519#section-2 + + // Here are some sources the used list is based on + // https://www.gradenegger.eu/?p=2717 + // 
https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certstrtonamea + // https://docs.microsoft.com/en-us/openspecs/sharepoint_protocols/ms-osco/dbdc3411-ed0a-4713-a01b-1ae0da5e75d4 + + var key = rdnType.ToUpperInvariant(); + + return RdnTypes.ShortToLongName.TryGetValue(key, out var value) + ? value + : rdnType; + } + + // If the Subject RDN contains quotes or special characters, the IX509CertificateRequest interface escapes these with quotes + // As this messes up our comparison logic, we must remove the additional quotes + private static string RemoveQuotesFromSubjectRdn(string rdn) + { + if (rdn.Length == 0) + { + return rdn; + } + + // Not in quotes, nothing to do + if (rdn[0] != '"' && rdn[rdn.Length - 1] != '"') + { + return rdn; + } + + // Skip first and last char, then remove every 2nd quote + + const char quoteChar = '\"'; + var inQuotedString = false; + var stringBuilder = new StringBuilder(); + + for (var i = 1; i < rdn.Length - 1; i++) + { + var currentChar = rdn[i]; + + if (currentChar == quoteChar) + { + if (!inQuotedString) + { + stringBuilder.Append(currentChar); + } + + inQuotedString = !inQuotedString; + } + else + { + stringBuilder.Append(currentChar); + } + } + + return stringBuilder.ToString(); + } + + private static List> GetDnComponents(string distinguishedName) + { + // Licensed to the .NET Foundation under one or more agreements. + // The .NET Foundation licenses this file to you under the MIT license. 
+ + // https://github.com/dotnet/corefx/blob/c539d6c627b169d45f0b4cf1826b560cd0862abe/src/System.DirectoryServices/src/System/DirectoryServices/ActiveDirectory/Utils.cs#L440-L449 + + var components = SplitSubjectDn(distinguishedName, ','); + var dnComponents = new List>(); + + if (components.Length == 0) + { + return dnComponents; + } + + for (var i = 0; i < components.GetLength(0); i++) + { + var subComponents = SplitSubjectDn(components[i], '='); + + if (subComponents.GetLength(0) != 2) + { + throw new ArgumentException(); + } + + var key = SubstituteRdnTypeAliases(subComponents[0].Trim()); + var value = RemoveQuotesFromSubjectRdn(subComponents[1].Trim()); + + if (key.Length > 0) + { + dnComponents.Add(new KeyValuePair(key, value)); + } + else + { + throw new ArgumentException(); + } + } + + return dnComponents; + } + + private static string[] SplitSubjectDn(string distinguishedName, char delimiter) + { + // Licensed to the .NET Foundation under one or more agreements. + // The .NET Foundation licenses this file to you under the MIT license. 
+ + // https://github.com/dotnet/corefx/blob/c539d6c627b169d45f0b4cf1826b560cd0862abe/src/System.DirectoryServices/src/System/DirectoryServices/ActiveDirectory/Utils.cs#L440-L449 + + var resultList = new List(); + + if (string.IsNullOrEmpty(distinguishedName)) + { + return resultList.ToArray(); + } + + var inQuotedString = false; + const char quoteChar = '\"'; + const char escapeChar = '\\'; + var nextTokenStart = 0; + + for (var i = 0; i < distinguishedName.Length; i++) + { + var currentChar = distinguishedName[i]; + + switch (currentChar) + { + case quoteChar: + + inQuotedString = !inQuotedString; + + break; + + case escapeChar: + + if (i < distinguishedName.Length - 1) + { + i++; + } + + break; + } + + if (!inQuotedString && currentChar == delimiter) + { + // we found an unquoted character that matches the delimiter + // split it at the delimiter (add the token that ends at this delimiter) + resultList.Add(distinguishedName.Substring(nextTokenStart, i - nextTokenStart)); + nextTokenStart = i + 1; + } + + if (i != distinguishedName.Length - 1) + { + continue; + } + + // we've reached the end + + // if we are still in quoted string, the format is invalid + if (inQuotedString) + { + throw new ArgumentException(); + } + + // we need to end the last token + resultList.Add(distinguishedName.Substring(nextTokenStart, i - nextTokenStart + 1)); + } + + return resultList.ToArray(); + } + } +} \ No newline at end of file diff --git a/TameMyCerts/Models/CertificateRequestPolicy.cs b/Models/CertificateRequestPolicy.cs similarity index 79% rename from TameMyCerts/Models/CertificateRequestPolicy.cs rename to Models/CertificateRequestPolicy.cs index e8007fc..42f6655 100644 --- a/TameMyCerts/Models/CertificateRequestPolicy.cs +++ b/Models/CertificateRequestPolicy.cs 
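Review bot: `RequestType = ... ^ CertCli.CR_IN_FULLRESPONSE` toggles the flag rather than clearing it, so a stored RequestType that does not carry CR_IN_FULLRESPONSE gets the bit set and the value later passed to `TryInitializeFromInnerRequest` in `InlineRequestAttributes` is wrong; `& ~CertCli.CR_IN_FULLRESPONSE` clears it in both cases. That matters because `InlineRequestAttributes` returns an empty dictionary when the inline request cannot be parsed, so any validator that treats "no inline attributes" as "nothing to deny" would fail open on exactly those requests, a consequence the property's summary should spell out. In `GetSubjectAlternativeNameExtension` the bare `catch { throw new Exception(...) }` discards the parse failure and throws the base type; `catch (Exception ex) { throw new InvalidOperationException(LocalizedStrings.ReqVal_Err_Parse_San, ex); }` keeps the cause. In `InlineRequestAttributes`, `Marshal.ReleaseComObject` is not in a `finally`, so a throwing `TryInitializeFromInnerRequest` leaks the COM object.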
@@ -1,4 +1,4 @@ -// Copyright 2021 Uwe Gradenegger +// Copyright 2021-2023 Uwe Gradenegger // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -30,16 +30,20 @@ public class CertificateRequestPolicy public List DisallowedProcesses { get; set; } = new List(); public List AllowedCryptoProviders { get; set; } = new List(); public List DisallowedCryptoProviders { get; set; } = new List(); - public string KeyAlgorithm { get; set; } = "RSA"; + public List CrlDistributionPoints { get; set; } = new List(); + public List AuthorityInformationAccess { get; set; } = new List(); + public List OnlineCertificateStatusProtocol { get; set; } = new List(); public int MinimumKeyLength { get; set; } public int MaximumKeyLength { get; set; } public List Subject { get; set; } = new List(); public List SubjectAlternativeName { get; set; } = new List(); + public List StaticSubject { get; set; } = new List(); + public List StaticSubjectAlternativeName { get; set; } = new List(); public string SecurityIdentifierExtension { get; set; } = "Deny"; public DirectoryServicesMapping DirectoryServicesMapping { get; set; } public bool SupplementDnsNames { get; set; } - public bool ReadSubjectFromRequest { get; set; } + public bool PermitEmptyIdentities { get; set; } private static string ConvertToHumanReadableXml(string inputString) { @@ -73,14 +77,7 @@ public void SaveToFile(string path) xmlSerializer.Serialize(xmlWriter, this); var xmlData = stringWriter.ToString(); - try - { - File.WriteAllText(path, ConvertToHumanReadableXml(xmlData)); - } - catch - { - // fail silently - } + File.WriteAllText(path, ConvertToHumanReadableXml(xmlData)); } } } 
@@ -89,16 +86,9 @@ public static CertificateRequestPolicy LoadFromFile(string path) { var xmlSerializer = new XmlSerializer(typeof(CertificateRequestPolicy)); - try - { - using (var reader = new StreamReader(path)) - { - return (CertificateRequestPolicy) xmlSerializer.Deserialize(reader.BaseStream); - } - } - catch + using (var reader = new StreamReader(path)) { - return null; + return (CertificateRequestPolicy) xmlSerializer.Deserialize(reader.BaseStream); } } } diff --git a/Models/CertificateRequestPolicyCache.cs b/Models/CertificateRequestPolicyCache.cs new file mode 100644 index 0000000..7166b36 --- /dev/null +++ b/Models/CertificateRequestPolicyCache.cs 
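Review bot: `LoadFromFile` opens a `StreamReader` only to hand its `BaseStream` to the serializer; `using (var stream = File.OpenRead(path))` expresses the intent and drops the unused text decoder. The policy file lives in the administrator-controlled policy directory, so the deserializer input is trusted by design, but that assumption is written nowhere in the hunk; a comment such as `// Policy files are administrator-controlled input; the directory ACL is the trust boundary` helps the next reader, and routing the stream through `XmlReader.Create(stream, new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit })` removes any dependence on the serializer's default reader behaviour for DTDs. Exceptions now propagate instead of turning into a null return, which is the right direction since the cache entry turns them into an `ErrorMessage`; an XML `<exception>` tag on the method would document it.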
@@ -0,0 +1,67 @@ +// Copyright 2021-2023 Uwe Gradenegger + +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at + +// http://www.apache.org/licenses/LICENSE-2.0 + +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +using System; +using System.Collections.Generic; +using System.IO; +using System.Linq; + +namespace TameMyCerts.Models +{ + internal class CertificateRequestPolicyCache + { + private readonly Dictionary _cache = + new Dictionary(); + private readonly DateTimeOffset _fileDoesNotExist = new DateTimeOffset(1601, 01, 01, 0, 0, 0, TimeSpan.Zero); + private readonly object _lockObject = new object(); + private readonly string _policyDirectory; + + public CertificateRequestPolicyCache(string policyDirectory) + { + _policyDirectory = policyDirectory; + } + + public CertificateRequestPolicyCacheEntry GetCertificateRequestPolicy(string certificateTemplate) + { + var policyFileName = Path.Combine(_policyDirectory, RemoveInvalidFileNameChars($"{certificateTemplate}.xml")); + var policyFileLastChange = File.GetLastWriteTime(policyFileName); + + if (policyFileLastChange == _fileDoesNotExist) + { + return null; + } + + lock (_lockObject) + { + if (_cache.TryGetValue(certificateTemplate, out var cacheEntry) && + cacheEntry.LastUpdate > policyFileLastChange) + { + return cacheEntry; + } + + var newCacheEntry = new CertificateRequestPolicyCacheEntry(policyFileName); + + _cache[certificateTemplate] = newCacheEntry; + + return newCacheEntry; + } + } + + private static string RemoveInvalidFileNameChars(string fileName) + { + return Path.GetInvalidFileNameChars() + 
.Aggregate(fileName, (current, c) => current.Replace(c.ToString(), string.Empty)); + } + } +} \ No newline at end of file diff --git a/Models/CertificateRequestPolicyCacheEntry.cs b/Models/CertificateRequestPolicyCacheEntry.cs new file mode 100644 index 0000000..fb4b991 --- /dev/null +++ b/Models/CertificateRequestPolicyCacheEntry.cs @@ -0,0 +1,41 @@ +// Copyright 2021-2023 Uwe Gradenegger + +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at + +// http://www.apache.org/licenses/LICENSE-2.0 + +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +using System; + +namespace TameMyCerts.Models +{ + internal class CertificateRequestPolicyCacheEntry + { + public CertificateRequestPolicyCacheEntry(string fileName) + { + try + { + CertificateRequestPolicy = CertificateRequestPolicy.LoadFromFile(fileName); + } + catch (Exception ex) + { + ErrorMessage = ex.InnerException != null + ? $"{ex.Message} {ex.InnerException.Message}" + : ex.Message; + } + + LastUpdate = DateTimeOffset.Now; + } + + public CertificateRequestPolicy CertificateRequestPolicy { get; } + public DateTimeOffset LastUpdate { get; } + public string ErrorMessage { get; } = string.Empty; + } +} \ No newline at end of file diff --git a/Models/CertificateRequestValidationResult.cs b/Models/CertificateRequestValidationResult.cs new file mode 100644 index 0000000..3902010 --- /dev/null +++ b/Models/CertificateRequestValidationResult.cs 
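Review bot: Freshness in `GetCertificateRequestPolicy` is decided by `cacheEntry.LastUpdate > policyFileLastChange`, where `LastUpdate` is the wall-clock time at which the entry was built rather than the file timestamp that was observed; a policy file replaced with an older last-write time (restored from backup, copied with timestamps preserved) is therefore never reloaded, and because `LastUpdate` is assigned only after `LoadFromFile` returns in the `CertificateRequestPolicyCacheEntry.cs` hunk that follows, a write landing during the load is missed as well. Recording the observed timestamp closes both gaps: pass `policyFileLastChange` into the entry constructor, keep it as a property such as `FileLastWriteTime`, and use `cacheEntry.FileLastWriteTime == policyFileLastChange` for the cache hit. `File.Exists(policyFileName)` would also read more clearly than comparing against the 1601 sentinel in `_fileDoesNotExist`. The cache is keyed on the raw `certificateTemplate` while the file name is sanitized, so two identifiers differing only in invalid filename characters map to one file but two entries; keying on `policyFileName` avoids that.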
@@ -0,0 +1,181 @@
+// Copyright 2021-2023 Uwe Gradenegger
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+// http://www.apache.org/licenses/LICENSE-2.0
+
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
+using System.Collections.Generic;
+using System.Globalization;
+using TameMyCerts.Enums;
+using TameMyCerts.X509;
+
+namespace TameMyCerts.Models
+{
+ ///
+ /// This class contains all necessary information that must be tracked during request validation. Imagine it as a batch
+ card. Its content may get modified by the validator classes.
+ ///
+ internal class CertificateRequestValidationResult
+ {
+ private readonly Dictionary _certificateExtensions = new Dictionary();
+
+ public CertificateRequestValidationResult(CertificateDatabaseRow dbRow)
+ {
+ NotBefore = dbRow.NotBefore;
+ NotAfter = dbRow.NotAfter;
+ SubjectAlternativeNameExtension = dbRow.SubjectAlternativeNameExtension;
+ }
+
+ // TODO: Implement setter method
+ ///
+ /// The NotBefore Date as read from the CA database record. May be modified during inspection.
+ ///
+ public DateTimeOffset NotBefore { get; internal set; }
+
+ // TODO: Implement setter method
+ ///
+ /// The NotAfter Date as read from the CA database record. May be modified during inspection.
+ ///
+ public DateTimeOffset NotAfter { get; internal set; }
+
+ ///
+ /// The HResult status code that shall be returned to the certification authority.
+ ///
+ public int StatusCode { get; private set; } = WinError.ERROR_SUCCESS;
+
+ ///
+ /// Determines if the certificate request shall be denied or not. Can be modified with the SetFailureStatus method.
+ ///
+ public bool DeniedForIssuance => StatusCode != WinError.ERROR_SUCCESS;
+
+ ///
+ /// A textual description of the reasons why the certificate request was denied by the validator classes.
+ ///
+ public List Description { get; } = new List();
+
+ ///
+ /// The X.509 certificate extensions that shall be set after TameMyCerts has processed the certificate request
+ ///
+ public Dictionary CertificateExtensions
+ {
+ get
+ {
+ SubjectAlternativeNameExtension.InitializeEncode();
+
+ if (SubjectAlternativeNameExtension.RawData != Array.Empty())
+ {
+ AddCertificateExtension(WinCrypt.szOID_SUBJECT_ALT_NAME2, SubjectAlternativeNameExtension.RawData);
+ }
+
+ return _certificateExtensions;
+ }
+ }
+
+ // TODO: Implement setter method
+ // TODO: How to ensure uniqueness?
+ ///
+ /// A list of certificate extensions that shall be disabled when TameMyCerts finishes processing.
+ ///
+ public List DisabledCertificateExtensions { get; } = new List();
+
+ // TODO: Implement setter method
+ // TODO: How to ensure uniqueness?
+ ///
+ /// A list of certificate properties that shall be disabled when TameMyCerts finishes processing.
+ ///
+ public List DisabledCertificateProperties { get; } = new List();
+
+ // TODO: Implement setter method
+ // TODO: Why is this not a dictionary?
+ ///
+ /// A list of certificate properties that shall be set after TameMyCerts has processed the certificate request
+ ///
+ public List> CertificateProperties { get; } =
+ new List>();
+
+ // TODO: Implement setter method
+ ///
+ /// The Subject Alternative Name certificate extension class. It allows to inspect or add or remove entries.
+ ///
+ public X509CertificateExtensionSubjectAlternativeName SubjectAlternativeNameExtension { get; }
+
+ public void AddCertificateExtension(string key, byte[] value)
+ {
+ _certificateExtensions[key] = value;
+ }
+
+ public void SetFailureStatus()
+ {
+ StatusCode = StatusCode == WinError.ERROR_SUCCESS ? WinError.NTE_FAIL : StatusCode;
+ }
+
+ public void SetFailureStatus(int statusCode)
+ {
+ SetFailureStatus();
+ StatusCode = statusCode;
+ }
+
+ public void SetFailureStatus(int statusCode, string description)
+ {
+ SetFailureStatus(statusCode);
+ SetFailureStatus(description);
+ }
+
+ public void SetFailureStatus(int statusCode, List descriptionList)
+ {
+ SetFailureStatus(statusCode);
+ SetFailureStatus(descriptionList);
+ }
+
+ public void SetFailureStatus(string description)
+ {
+ SetFailureStatus();
+ Description.Add(description);
+ }
+
+ public void SetFailureStatus(List descriptionList)
+ {
+ SetFailureStatus();
+ Description.AddRange(descriptionList);
+ }
+
+ public void SetNotAfter(string desiredNotAfter)
+ {
+ if (desiredNotAfter == string.Empty)
+ {
+ return;
+ }
+
+ // The "o" standard format specifier corresponds to the "yyyy'-'MM'-'dd'T'HH':'mm':'ss'.'fffffffzzz" custom format string for DateTimeOffset values.
+ if (DateTimeOffset.TryParseExact(desiredNotAfter, "o", CultureInfo.InvariantCulture.DateTimeFormat,
+ DateTimeStyles.AssumeUniversal, out var notAfter))
+ {
+ if (notAfter > DateTimeOffset.UtcNow)
+ {
+ if (notAfter <= NotAfter)
+ {
+ NotAfter = notAfter;
+ }
+ }
+ else
+ {
+ SetFailureStatus(WinError.ERROR_INVALID_TIME,
+ string.Format(LocalizedStrings.ReqVal_Err_NotAfter_Passed, notAfter.UtcDateTime));
+ }
+ }
+ else
+ {
+ SetFailureStatus(WinError.ERROR_INVALID_TIME, LocalizedStrings.ReqVal_Err_NotAfter_Invalid);
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/Models/CertificateTemplate.cs b/Models/CertificateTemplate.cs
new file mode 100644
index 0000000..9028098
--- /dev/null
+++ b/Models/CertificateTemplate.cs
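Review bot: The `!= Array.Empty()` comparison in the CertificateExtensions getter compares array references, so it is true for every array instance except the shared empty singleton; a freshly allocated empty RawData (and a null one, if that can occur) is treated as content and an empty extension is registered under szOID_SUBJECT_ALT_NAME2. Checking the length, `if (SubjectAlternativeNameExtension.RawData?.Length > 0)`, expresses what the branch is meant to test. Having a property getter call InitializeEncode() and write into _certificateExtensions is also easy to misread, since every read re-encodes and re-adds the extension; a method such as `GetCertificateExtensions()` makes the side effect visible at the call site. In SetNotAfter a parsed date later than the current NotAfter is dropped without any status change, which reads as a deliberate "may only shorten" rule and deserves a comment at that branch, e.g. `// A desired NotAfter may only shorten the lifetime granted by the template; later values are ignored.`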
@@ -0,0 +1,56 @@
+// Copyright 2021-2023 Uwe Gradenegger
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+// http://www.apache.org/licenses/LICENSE-2.0
+
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using TameMyCerts.Enums;
+
+namespace TameMyCerts.Models
+{
+ internal class CertificateTemplate
+ {
+ public CertificateTemplate(string name, bool enrolleeSuppliesSubject, KeyAlgorithmType keyAlgorithm,
+ bool userScope = false, string oid = null)
+ {
+ Name = name;
+ Oid = oid ?? string.Empty;
+ EnrolleeSuppliesSubject = enrolleeSuppliesSubject;
+ UserScope = userScope;
+ KeyAlgorithm = keyAlgorithm;
+ }
+
+ public string Name { get; }
+ public string Oid { get; }
+ public bool EnrolleeSuppliesSubject { get; }
+ public bool UserScope { get; }
+ public KeyAlgorithmType KeyAlgorithm { get; }
+
+ public KeyAlgorithmFamily KeyAlgorithmFamily
+ {
+ get
+ {
+ switch (KeyAlgorithm)
+ {
+ case KeyAlgorithmType.DSA: return KeyAlgorithmFamily.DSA;
+ case KeyAlgorithmType.ECDH_P256: return KeyAlgorithmFamily.ECC;
+ case KeyAlgorithmType.ECDH_P384: return KeyAlgorithmFamily.ECC;
+ case KeyAlgorithmType.ECDH_P521: return KeyAlgorithmFamily.ECC;
+ case KeyAlgorithmType.ECDSA_P256: return KeyAlgorithmFamily.ECC;
+ case KeyAlgorithmType.ECDSA_P384: return KeyAlgorithmFamily.ECC;
+ case KeyAlgorithmType.ECDSA_P521: return KeyAlgorithmFamily.ECC;
+ case KeyAlgorithmType.RSA: return KeyAlgorithmFamily.RSA;
+ default: return KeyAlgorithmFamily.UNKNOWN;
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
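Review bot: The switch in the KeyAlgorithmFamily getter repeats `return KeyAlgorithmFamily.ECC;` for the six ECDH/ECDSA members; stacking those six case labels over a single return keeps the curve-to-family mapping in one place and makes it obvious that a new curve member only needs one more label. Since KeyAlgorithm is immutable the mapping could equally be computed once in the constructor into a read-only property, but recomputing per read is harmless. The `oid` parameter defaulting to null and being stored as `string.Empty` is a contract worth a line of XML doc on the constructor, e.g. `/// <param name="oid">Template OID; null is stored as an empty string.</param>`.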
diff --git a/TameMyCerts/Models/CertificateTemplateInfo.cs b/Models/CertificateTemplateCache.cs similarity index 50% rename from TameMyCerts/Models/CertificateTemplateInfo.cs rename to Models/CertificateTemplateCache.cs index 6bd2994..956af36 100644 --- a/TameMyCerts/Models/CertificateTemplateInfo.cs +++ b/Models/CertificateTemplateCache.cs @@ -1,4 +1,4 @@ -// Copyright 2021 Uwe Gradenegger +// Copyright 2021-2023 Uwe Gradenegger // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -21,22 +21,23 @@ namespace TameMyCerts.Models { - internal class CertificateTemplateInfo + internal class CertificateTemplateCache { private static readonly Regex IsLegacyTemplate = new Regex(@"^[a-zA-z]*$"); private readonly object _lockObject = new object(); private readonly int _refreshInterval; + + // TODO: Can't this be a dictionary? + private List _certificateTemplateList; private DateTime _lastRefreshTime = new DateTime(1970, 1, 1); - private List