Open PatrickOnGit opened 5 years ago
Can you submit me example files for investigation?
The current PKCS#7 decoder has some limitations (it skips some parts from decoding), so it would be great if you would supply these files for investigation.
Thank you for investigating the issue.
I added files including all scripts and a transcript of how I processed it, so you may generate additional examples. I hope this helps to troubleshoot the issue. If you need more details or examples with different "overwrites", let me know.
If I could have access to the source code of your library, I may have a look as well.
PSPKI_Get-CertificateRequest_Improvement_supporting_files.zip
The library's source code is on GitHub; specifically, you need the SignedPkcs7 class: https://github.com/Crypt32/pkix.net/blob/master/PKI/Cryptography/Pkcs/SignedPkcs7.cs
Using the following command together with a policy .inf file allows "changing" some content of a CSR:

```
CertReq -f -q -config "MyCA\Test Root CA" -cert 88884808333333336960447CE1731EA6654345676 -policy .\MyFriends.CSR .\MyCPS.inf .\MyUpdated.csr
```
The command creates a new nested PKCS7 request file. Using `certutil -dump .\MyUpdated.csr` returns 4 different objects:

```
PKCS7/CMS Message
PKCS7 Message Content:
================ Begin Nesting Level 1 ================
CMS Certificate Request:
---- CUSTOM REQUEST DATA BASED ON .\MyCPS.inf -------
================ Begin Nesting Level 2 ================
PKCS10 Certificate Request:
---- ORIGINAL REQUEST DATA BASED ON .\MyFriends.CSR -------
---------------- End Nesting Level 2 ----------------
---------------- End Nesting Level 1 ----------------
Signer Count: 2
Signer Info[0]:
NULL signature verifies
---- SOME KIND OF DUMMY SIGNATURE OID.1.3.6.1.4.1.311.21.9=Dummy Signer -------
Signer Info[1]:
---- SIGNER CERT -------
```
Reading the new request:

```
$req = Get-CertificateRequest ( Resolve-Path .\MyUpdated.csr )
```

`$req.RequestType` returns an object of type PKCS7, which seems to be the original request but as PKCS7. `$req.ExternalData` returns an object of content type CMC Data but with content `SysadminsLV.PKI.Cryptography.X509CertificateRequests.X509CertificateRequestPkcs10`, which is again the original request.
So the object returned by Get-CertificateRequest is missing the data injected by policy.inf as well as all signatures.
I'm happy to share more detailed examples if required.
Thank you for your support.
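To compare what `certutil -dump` shows against what Get-CertificateRequest returns, here is an added PowerShell check (not PSPKI code and not from this thread) that decodes the same file with .NET's SignedCms and reports the outer content type, content size and each signer, so a missing signer or a collapsed content type is visible without the PSPKI decoder in the path. The file path and the small OID map are assumptions.

```powershell
# Added example: decode the nested request with System.Security.Cryptography.Pkcs
# and report what the outer SignedData actually carries. Assumptions: the file is
# .\MyUpdated.csr and the OID map only covers the two content types seen above.
Add-Type -AssemblyName System.Security

function Get-NestedRequestSummary {
    param([Parameter(Mandatory)][string]$Path)

    $raw  = [System.IO.File]::ReadAllBytes((Resolve-Path $Path))
    $text = [System.Text.Encoding]::ASCII.GetString($raw)
    if ($text -match '-----BEGIN') {
        # certreq writes base64 with PEM-style armour; strip the armour lines
        $b64 = ($text -split "`r?`n" | Where-Object { $_ -notmatch '^-----' }) -join ''
        $der = [Convert]::FromBase64String($b64)
    } else {
        $der = $raw   # already DER
    }

    $cms = [System.Security.Cryptography.Pkcs.SignedCms]::new()
    $cms.Decode($der)   # throws if the file is not a PKCS#7 SignedData

    $knownTypes = @{   # assumption: minimal map for the types in this thread
        '1.3.6.1.5.5.7.12.2'   = 'CMC Data'
        '1.2.840.113549.1.7.1' = 'PKCS#7 data'
    }
    $oid = $cms.ContentInfo.ContentType.Value
    $typeName = $knownTypes[$oid]
    if (-not $typeName) { $typeName = 'unknown' }

    $signers = foreach ($s in $cms.SignerInfos) {
        # CheckSignature($true) verifies only the signature, not the chain;
        # a NULL/dummy signature or a signer without a certificate throws here
        $verifies = $false
        try { $s.CheckSignature($true); $verifies = $true } catch { }
        [pscustomobject]@{
            Identifier = "$($s.SignerIdentifier.Type)=$($s.SignerIdentifier.Value)"
            HasCert    = ($null -ne $s.Certificate)
            Digest     = $s.DigestAlgorithm.FriendlyName
            Verifies   = $verifies
        }
    }

    [pscustomobject]@{
        ContentTypeOid = $oid
        ContentType    = $typeName
        ContentBytes   = $cms.ContentInfo.Content.Length
        SignerCount    = $cms.SignerInfos.Count
        Signers        = $signers
    }
}

$summary = Get-NestedRequestSummary -Path .\MyUpdated.csr
$summary | Format-List ContentTypeOid, ContentType, ContentBytes, SignerCount
$summary.Signers | Format-Table -AutoSize
```

For the file described above, SignerCount should be 2 with one signer lacking a certificate, while `$req.RequestType` reports none of that; the inner PKCS10 is not unwrapped here, only the outer layer is shown.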