search

PKISolutions / PSPKI

PowerShell PKI Module
Microsoft Public License
382 stars 59 forks source link

Get-CertificateRequest Fails If IP Address SAN has 132 in the Second Octect #221

Closed BearThatIsGrumpy closed 1 month ago

BearThatIsGrumpy commented 1 month ago

If a CSR includes an IP address subject alternative name and its value has 132 in the second octect, Get-CertificateRequest fails:

PS C:\WINDOWS\system32> get-module pspki

ModuleType Version    Name                                ExportedCommands
---------- -------    ----                                ----------------
Script     4.2.0      PSPKI                               {Add-AdCertificate, Add-AdCertificateRevocationList, Conve...

PS C:\WINDOWS\system32> Get-CertificateRequest -Path C:\kpg\PSPKI\Test.csr
New-Object : Exception calling ".ctor" with "1" argument(s): "Input data does not represent valid 'OBJECT_IDENTIFIER'
type."
At C:\Program Files\WindowsPowerShell\Modules\PSPKI\4.2.0\Client\Get-CertificateRequest.ps1:20 char:13
+             New-Object SysadminsLV.PKI.Cryptography.X509Certificates. ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [New-Object], MethodInvocationException
    + FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand

PS C:\WINDOWS\system32>

Example INF contents:

[NewRequest]
Subject = "CN=TestFqdn.example.com"
Exportable = TRUE
HashAlgorithm = sha256
KeyLength = 2048
KeySpec = AT_KEYEXCHANGE
KeyUsage = "CERT_DIGITAL_SIGNATURE_KEY_USAGE|CERT_KEY_ENCIPHERMENT_KEY_USAGE"
MachineKeySet = TRUE

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "DNS=TestFqdn.example.com&IPAddress=10.132.10.10"
2.5.29.37 = "{text}"
_continue_ = "1.3.6.1.5.5.7.3.1"

Certutil output:

PS C:\WINDOWS\system32> .\certutil.exe C:\KPG\PSPKI\Test.csr
PKCS10 Certificate Request:
Version: 1
Subject:
    CN=TestFqdn.example.com
  Name Hash(sha1): 3b18fc44bf2805034f2ea667081fbca341a9243d
  Name Hash(md5): 07f6ff17f9b44836b70a49dc75ee909e

Public Key Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA
    Algorithm Parameters:
    05 00
Public Key Length: 2048 bits
Public Key: UnusedBits = 0
    0000  30 82 01 0a 02 82 01 01  00 c5 7f ff 44 9b fa 86
    0010  8f 52 e3 49 bb c3 a0 87  9c d7 22 81 0a 4d 43 d2
    0020  91 f8 4d 8c 82 a3 ab 72  64 57 e1 76 65 24 ef 19
    0030  7b d9 b9 d3 8a af c2 09  39 7a 0e 5c a4 b0 73 06
    0040  24 81 cd e5 a1 c0 cb 71  d3 d1 86 b2 65 2b 56 e9
    0050  59 87 6a ca e3 e7 fd 69  4e 54 c7 e6 a8 0f fe 4c
    0060  69 65 29 01 18 0f 09 7c  79 b9 2c 3e a6 a5 56 f1
    0070  4c 73 fd f2 89 b7 64 4f  be 8c 78 6e f0 61 4a 0c
    0080  63 dd 7e 30 48 c6 c3 a2  07 2c 78 9c 99 8b 55 c1
    0090  6c 86 b1 9e 96 58 50 ea  ae 80 c9 cb 24 20 42 25
    00a0  42 d0 16 be 15 d3 7c d0  c3 a6 db 70 f2 8a 84 56
    00b0  55 3e 1a b6 9d 3a 17 8e  a2 f9 72 a7 44 32 fe 21
    00c0  08 bb c0 dc 98 20 29 32  e4 70 1d 2d 7e f7 96 f0
    00d0  61 89 16 21 44 0c 98 f0  ee ef 2f e1 20 3e 13 6a
    00e0  19 66 6b ae 3a c4 4d 2e  d9 ad b9 2b 1c 18 fb 66
    00f0  cd fe 4e 06 ca 5a 79 7b  75 43 be 5c 27 4d fa 20
    0100  1a 75 57 e9 75 92 39 97  71 02 03 01 00 01
Request Attributes: 4
  4 attributes:

  Attribute[0]: 1.3.6.1.4.1.311.13.2.3 (OS Version)
    Value[0][0], Length = e
        10.0.22631.2

  Attribute[1]: 1.3.6.1.4.1.311.21.20 (Client Information)
    Value[1][0], Length = 35
    Client Id: = 9
    ClientIdCertReq -- 9
    User: DOMAIN\BearThatIsGrumpy
    Machine: test.domain.local
    Process: certreq.exe

  Attribute[2]: 1.3.6.1.4.1.311.13.2.2 (Enrollment CSP)
    Value[2][0], Length = 58
    CSP Provider Info
    KeySpec = 1
    Provider = Microsoft Strong Cryptographic Provider
    Signature: UnusedBits=0

  Attribute[3]: 1.2.840.113549.1.9.14 (Certificate Extensions)
    Value[3][0], Length = b4
Certificate Extensions: 5
    2.5.29.15: Flags = 1(Critical), Length = 4
    Key Usage
        Digital Signature, Key Encipherment (a0)

    2.5.29.17: Flags = 0, Length = 1e
    Subject Alternative Name
        DNS Name=TestFqdn.example.com
        IP Address=10.132.10.10

    2.5.29.37: Flags = 0, Length = c
    Enhanced Key Usage
        Server Authentication (1.3.6.1.5.5.7.3.1)

    1.2.840.113549.1.9.15: Flags = 0, Length = 37
    SMIME Capabilities
        [1]SMIME Capability
             Object ID=1.2.840.113549.3.2
             Parameters=02 02 00 80
        [2]SMIME Capability
             Object ID=1.2.840.113549.3.4
             Parameters=02 02 00 80
        [3]SMIME Capability
             Object ID=1.3.14.3.2.7
        [4]SMIME Capability
             Object ID=1.2.840.113549.3.7

    2.5.29.14: Flags = 0, Length = 16
    Subject Key Identifier
        ed16baaad3d3feabaf78ab8f3cb127005c8b51a1

Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
    Algorithm Parameters:
    05 00
Signature: UnusedBits=0
    0000  66 3a 84 77 57 96 82 65  89 6d 1e 7e 03 60 7f 68
    0010  9a 4d 8e c3 79 f7 c1 66  52 1a 8c 1a 6a 15 d1 8b
    0020  98 fd 0d a5 75 49 11 e5  1d 18 3c de 66 29 f4 da
    0030  79 0b 74 34 f7 e8 6c 0c  a8 d9 be 6d ff 04 c5 8e
    0040  c1 8a 53 b2 05 5e c8 c1  e0 63 05 72 b0 e7 90 d7
    0050  6a de 7f c0 ca 53 6d a6  b6 d7 fb 97 b4 6c b7 07
    0060  68 59 ab c3 43 87 8f 5d  c8 50 95 6e 9d e1 7d bc
    0070  49 88 b9 3d a2 d6 dd 64  87 2b 13 7f 54 46 99 66
    0080  10 1f 17 d7 32 d9 3f a0  94 03 83 f4 66 12 dd b4
    0090  2f fe 5e 50 07 e8 f7 12  3f 78 7b 93 1e ab cd f4
    00a0  67 a3 23 ed e7 19 1c be  6a fb 64 80 42 83 1d 74
    00b0  bd f2 3f e2 41 28 bc 31  32 1b cc f2 4e d4 32 6e
    00c0  f6 e9 13 cb 28 5f 5c 2c  cf 16 ad d8 c3 dc 8e 23
    00d0  7f a9 ce 28 65 07 50 cd  7a 17 b1 c4 19 de 1e 12
    00e0  84 80 1d 4a a1 68 9f b5  70 57 ea 26 54 fe 50 b2
    00f0  a8 3f ac 4c 45 e3 06 29  e1 f8 04 b7 af 32 d0 6b
Signature matches Public Key
Key Id Hash(rfc-sha1): ed16baaad3d3feabaf78ab8f3cb127005c8b51a1
Key Id Hash(sha1): 1458084fdf519cb7f992dc88614e3106743e8f74
Key Id Hash(bcrypt-sha1): 172dc5aedbcda1dfbfef370f4b2e3ef6e7f6e7ff
Key Id Hash(bcrypt-sha256): b57bda158b3bd7c421b9076d44639a655a170c8583070c452a4f8138b3e2dc95
CertUtil: -dump command completed successfully.
PS C:\WINDOWS\system32>
Crypt32 commented 1 month ago

I will take a look into this.

Crypt32 commented 1 month ago

I was able to repro the issue. The issue is caused by a flawed recursion logic in ASN.1 parser library. Here is another ticket with same problem: https://github.com/PKISolutions/PSPKI/issues/216

Here is the actual ticket: https://github.com/PKISolutions/Asn1DerParser.NET/issues/13 which is fixed in ASN.1 parser library, but PSPKI hasn't updated yet. I will ship the fix in PSPKI 4.3.

Crypt32 commented 1 month ago

As a temporary workaround, you can extract attached ZIP archive to PSPKI\Library folder. Backup original files before replacing files. SysadminsLV.Asn1Parser.zip

BearThatIsGrumpy commented 1 month ago

Thank you for the fast investigation! I've confirmed the workaround is functional in our environment. We look forward to the 4.3 release.

Crypt32 commented 1 month ago

Cool! I'm closing this for now.