search

PKISolutions / PSPKI

PowerShell PKI Module
Microsoft Public License
367 stars 59 forks source link

Get-CertificateRequest does not return all content of nested request #52

Open PatrickOnGit opened 5 years ago

PatrickOnGit commented 5 years ago

Using the following command together with a policy.inf file allows to "change" some content of a CSR:

CertReq -f -q –config "MyCA\Test Root CA" -cert 88884808333333336960447CE1731EA6654345676 –policy .\MyFriends.CSR .\MyCPS.inf .\MyUpdated.csr

The command creates a new nested PKCS7 request file. Using certutil -dump .\MyUpdated.csr returns 4 different objects:

`PKCS7/CMS

Message PKCS7 Message Content: ================ Begin Nesting Level 1 ================ CMS Certificate Request: ---- CUSTOM REQUEST DATA BASED ON .\MyCPS.inf -------

================ Begin Nesting Level 2 ================ PKCS10 Certificate Request: ---- ORIGINAL REQUEST DATA BASED ON .\MyFriends.CSR -------

---------------- End Nesting Level 2 ---------------- ---------------- End Nesting Level 1 ---------------- Signer Count: 2 Signer Info[0]: NULL signature verifies ---- SOME KIND OF DUMMY SIGNATURE OID.1.3.6.1.4.1.311.21.9=Dummy Signer -------

Signer Info[1]: ---- SIGNER CERT -------`

Reading the new request

$req = Get-CertificateRequest ( Resolve-Path .\MyUpdated.csr )

$req.RequestType returns an object of type PKCS7 which seems to be the original request but as PKCS7 $req.ExternalData returns an object of content type CMC Data but with content SysadminsLV.PKI.Cryptography.X509CertificateRequests.X509CertificateRequestPkcs10 which is again the original request.

So the object returned by Get-CertificateRequest is missing the data injected by policy.inf as well as all signatures.

I'm happy to share more detailed examples if required

Thank you for your support.

Crypt32 commented 5 years ago

Can you submit me example files for investigation?

Current PKCS#7 decoder has some limitations (skips some parts from decoding), so it would be great if you wuld supply these files for investigation.

PatrickOnGit commented 5 years ago

Thank you for investigating the issue.

I added Files including all script and transcript how I processed it so you may generate additional examples. I hope this helps to troubleshoot the issue. If you need more details or examples with different "overwrites" let me know.

If I could have access to the source code of your library I may have a look as well.

PSPKI_Get-CertificateRequest_Improvement_supporting_files.zip

Crypt32 commented 5 years ago

Library's source codes are on GitHib, specifically you need SignedPkcs7 class: https://github.com/Crypt32/pkix.net/blob/master/PKI/Cryptography/Pkcs/SignedPkcs7.cs