I’m glad to announce another release of the PowerShell PKI module.
This release includes major internal code changes along with new functionality.
First, I moved all Abstract Syntax Notation One (ASN.1) code out of the main library into a dedicated DLL:
SysadminsLV.Asn1Parser.dll. As I mentioned in one of my previous posts, PKI.Core.dll and the ASN.1 parser are open-sourced on GitHub: pkix.net and Asn1DerParser.NET.
Documentation for the APIs in PKI.Core.dll is here: PKI Library documentation. Documentation for the ASN.1 parser is pending.
As you may know, I moved all module documentation to a dedicated directory on my web site: PowerShell PKI Module. The wiki docs on CodePlex are deprecated and their content has been removed; for compatibility, the pages themselves are not wiped and instead carry the URLs of the new documentation pages.
I added managed implementations of the following X.509 extensions:
You can now use them to encode and decode these extensions in managed code.
I have deprecated two old functions that were used to enumerate cryptographic service providers: Get-CryptographicServiceProviderEx and Get-CryptographicServiceProviderCNG. They are replaced by a single command, Get-CryptographicServiceProvider, which supports all provider types: legacy CSPs as well as modern CNG key storage providers.
Based on feature requests in this work item: https://pspki.codeplex.com/workitem/91, I added the -IncludeChain switch parameter to the Convert-PfxToPem command, which also exports all available intermediate certificates to the PEM file.
Also based on a feature request, I reworked the command in the following way:
After private discussions with the Windows PKI Team I realized that my managed OCSP client does not behave correctly and in most cases produces different results compared with the OCSP implementation in Windows CryptoAPI. The biggest problem was the network method. By default, the Windows OCSP client sends an HTTP GET request to the OCSP server. If the request is unsuccessful and the server returns either HTTP 404 or HTTP 405, an HTTP POST is attempted. If the server returns any other HTTP error, the code does not fall back to HTTP POST and immediately reports the OCSP server as non-functional.
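The GET-then-POST transport rule described above, shown as an added example that is neither PSPKI's code nor the CryptoAPI implementation: a minimal OCSP client written against the .NET classes available in Windows PowerShell. It builds an unsigned single-certificate request, sends it with GET per RFC 6960 Appendix A.1, retries with POST only on HTTP 404/405, and treats every other failure as a non-functional responder. It assumes SHA-1 CertID hashes and an RSA issuer key, and every function and parameter name in it (ConvertTo-DerTlv, New-OcspRequestDer, Send-OcspHttp, Invoke-OcspRequest, Get-OcspResponseStatus, -Proxy, -Credential) is invented for this example; the -Proxy and -Credential parameters merely stand in for the kind of transport overrides that a proxy or an authenticating responder requires.

```powershell
# Added example, not PSPKI or CryptoAPI code: minimal OCSP client reproducing the transport
# rule "GET first; POST only after HTTP 404/405; any other failure means a dead responder".
# Assumptions: SHA-1 CertID hashes (what most responders expect) and an RSA issuer key.
# All function and parameter names below are this example's own.

function ConvertTo-DerTlv {
    # Wrap $Content in a DER tag-length-value triple.
    param([byte]$Tag, [byte[]]$Content)
    $len = $Content.Length
    if ($len -lt 0x80) {
        $lenBytes = [byte[]]@($len)
    } else {
        # Long form: 0x80 | number of length octets, then the length big-endian.
        $be = [System.BitConverter]::GetBytes([uint32]$len); [array]::Reverse($be)
        $first = 0; while ($be[$first] -eq 0) { $first++ }
        $be = @($be[$first..3])
        $lenBytes = [byte[]](@(0x80 -bor $be.Count) + $be)
    }
    return ,[byte[]](@($Tag) + $lenBytes + $Content)
}

function New-OcspRequestDer {
    # Unsigned OCSPRequest carrying one CertID for $Certificate, issued by $Issuer.
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Issuer
    )
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    # issuerNameHash: hash of the DER issuer Name exactly as encoded in the certificate.
    $nameHash = $sha1.ComputeHash($Certificate.IssuerName.RawData)
    # issuerKeyHash: hash of the issuer's subjectPublicKey BIT STRING content (for RSA the
    # RSAPublicKey SEQUENCE), without tag, length or unused-bits octet.
    $keyHash = $sha1.ComputeHash($Issuer.PublicKey.EncodedKeyValue.RawData)
    # serialNumber: GetSerialNumber() is little-endian; DER INTEGER is big-endian, minimal, positive.
    $serial = $Certificate.GetSerialNumber(); [array]::Reverse($serial)
    while ($serial.Count -gt 1 -and $serial[0] -eq 0) { $serial = [byte[]]@($serial[1..($serial.Count - 1)]) }
    if ($serial[0] -band 0x80) { $serial = [byte[]](@(0) + $serial) }
    $sha1Oid = ConvertTo-DerTlv 0x06 ([byte[]](0x2B, 0x0E, 0x03, 0x02, 0x1A))   # id-sha1 1.3.14.3.2.26
    $algId   = ConvertTo-DerTlv 0x30 ([byte[]]($sha1Oid + @(0x05, 0x00)))         # AlgorithmIdentifier { sha1, NULL }
    $certId  = ConvertTo-DerTlv 0x30 ([byte[]]($algId + (ConvertTo-DerTlv 0x04 $nameHash) +
                                       (ConvertTo-DerTlv 0x04 $keyHash) + (ConvertTo-DerTlv 0x02 $serial)))
    $reqList = ConvertTo-DerTlv 0x30 (ConvertTo-DerTlv 0x30 $certId)   # requestList: SEQUENCE OF Request { reqCert }
    $tbs     = ConvertTo-DerTlv 0x30 $reqList                           # TBSRequest (v1 default, no extensions)
    return ,(ConvertTo-DerTlv 0x30 $tbs)                                # OCSPRequest without optionalSignature
}

function Send-OcspHttp {
    # One HTTP exchange; any HTTP or network failure surfaces as System.Net.WebException.
    param([string]$Uri, [string]$Method, [byte[]]$Body,
          [System.Net.IWebProxy]$Proxy, [System.Net.ICredentials]$Credential, [int]$TimeoutMs)
    $req = [System.Net.HttpWebRequest][System.Net.WebRequest]::Create($Uri)
    $req.Method = $Method; $req.Timeout = $TimeoutMs; $req.Accept = 'application/ocsp-response'
    if ($Proxy)      { $req.Proxy = $Proxy }             # explicit proxy (set $Proxy.Credentials for an authenticating proxy)
    if ($Credential) { $req.Credentials = $Credential }  # responder-side authentication
    if ($Body) {                                         # POST: DER request in the body
        $req.ContentType = 'application/ocsp-request'; $req.ContentLength = $Body.Length
        $s = $req.GetRequestStream(); $s.Write($Body, 0, $Body.Length); $s.Close()
    }
    $resp = $req.GetResponse()
    try { $ms = New-Object System.IO.MemoryStream; $resp.GetResponseStream().CopyTo($ms); return ,$ms.ToArray() }
    finally { $resp.Close() }
}

function Invoke-OcspRequest {
    # CryptoAPI-style transport: GET first; POST only after HTTP 404/405; anything else is fatal.
    param([string]$Url, [byte[]]$RequestDer,
          [System.Net.IWebProxy]$Proxy, [System.Net.ICredentials]$Credential, [int]$TimeoutMs = 15000)
    $common = @{ Proxy = $Proxy; Credential = $Credential; TimeoutMs = $TimeoutMs }
    # RFC 6960 A.1: GET {url}/{url-encoded base64 of the DER OCSPRequest}
    $getUri = $Url.TrimEnd('/') + '/' + [Uri]::EscapeDataString([Convert]::ToBase64String($RequestDer))
    try {
        $bytes = Send-OcspHttp -Uri $getUri -Method GET @common
        return ,[byte[]]$bytes
    } catch [System.Net.WebException] {
        $http = $_.Exception.Response -as [System.Net.HttpWebResponse]
        $code = if ($http) { [int]$http.StatusCode } else { 0 }
        if ($code -ne 404 -and $code -ne 405) {
            throw "OCSP responder $Url is non-functional: GET failed ($($_.Exception.Message))"
        }
        # 404/405 only: the responder does not serve GET at this path, so retry the same request via POST.
    }
    $bytes = Send-OcspHttp -Uri $Url -Method POST -Body $RequestDer @common
    return ,[byte[]]$bytes
}

function Get-OcspResponseStatus {
    # Read responseStatus, the first field of OCSPResponse, without a full ASN.1 parser.
    param([byte[]]$Response)
    $i = 2; if ($Response[1] -band 0x80) { $i += $Response[1] -band 0x7F }   # skip outer SEQUENCE tag+length
    if ($Response[$i] -ne 0x0A -or $Response[$i + 1] -ne 1) { throw 'Not an OCSPResponse' }
    @{0='successful'; 1='malformedRequest'; 2='internalError'; 3='tryLater'; 5='sigRequired'; 6='unauthorized'}[[int]$Response[$i + 2]]
}

# Usage with placeholders (paths and URL are constructed for this example; in practice take the
# URL from the leaf certificate's AIA extension):
# $leaf   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\certs\leaf.cer'
# $issuer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\certs\issuer.cer'
# $der    = New-OcspRequestDer -Certificate $leaf -Issuer $issuer
# Get-OcspResponseStatus -Response (Invoke-OcspRequest -Url 'http://ocsp.example.com/' -RequestDer $der)
```

The point of the example is the shape of the error handling: a responder that answers 500, 403 or a TLS/connection error on GET is reported as broken straight away, exactly as CryptoAPI does, instead of being masked by a second attempt over POST. That matters for troubleshooting, because a managed client that silently retried would report "good" where Windows itself reports a revocation-checking failure.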
In addition, I made the OCSPRequest class more flexible and powerful.
First, I got rid of 8(!) very similar constructors and ended up with only 4. Previously, the code retrieved issuer information by building the certificate chain and failed if the chain could not be constructed. Now it is possible to construct the OCSP request with the OCSPRequest(X509Certificate2Collection, X509Certificate2) constructor, where you pass the issuer certificate explicitly; as a result, you can work with certificates whose chain is unavailable at the moment. I updated all related classes to support explicit issuer information: CertID, OCSPSingleRequest and OCSPRequest.
To allow request configuration, almost all class properties are now read-write. Since I sometimes receive reports that a customer’s OCSP server is behind a proxy, requires authentication, and so on, I decided to add this functionality to the class. Now you can specify/override:
As always, I try to make the module more stable and am constantly working on bug fixes. The following work items/bugs are fixed/closed:
And here is the download link for PowerShell PKI Module v3.2.5: PowerShell PKI Module v3.2.5