Hello S-1-1-0!

Three months after PSPKI module v3.2.5 was released, I had received a number of unfortunate bug reports (the release wasn't tested very well on my side) and other issues. So I decided to address them while I have some spare time. In addition, I made an attempt to provide new functionality I really missed in the module.

This release is intended to make the module more stable and less buggy. In some aspects it has become faster.

Bug Fixes

I have fixed a number of private bugs (found by myself) and publicly reported bugs:

For detailed change logs and privately reported issues see:

New Functionality

I had long wanted to expose certificate context properties for X.509 certificates, which are available when a certificate is installed in a certificate store. There were various problems in implementing this functionality. First, there are a lot of properties and most of them have different formats. Eventually I decided to give it a try and wrote several classes, extension methods and a PowerShell function that support at least the common and well-known properties:

X509Certificate2 class extension methods:

And the central class: X509CertificateContextProperty. Check the online help documentation for details.

All these classes and methods are wrapped in the Get-CertificateContextProperty PowerShell function, which is added to the PSPKI module. Currently, this function returns a single X509CertificateContextProperty object or a collection of them for each certificate. Each property object contains a reference to its certificate.

For example, retrieve a list of available certificate context properties:

PS C:\> $cert = (dir Cert:\LocalMachine\My)[8]
PS C:\> $cert | Get-CertificateContextProperty -NameList
RequestOriginatorMachine
CEPEnrollmentInfo
ProviderInfo
IssuerPublicKeyMD5Hash
PublicKeyLength
SuibjectKeyIdentifier
SignatureHash
MD5Hash
PublicKeyMD5Hash
SHA1Hash
OcspCachePrefix
PS C:\>

And retrieve all properties with their values:

PS C:\> $cert | Get-CertificateContextProperty

Certificate                                    PropertyName PropertyValue                 UnderlyingType
-----------                                    ------------ -------------                 --------------
[Subject]...                       RequestOriginatorMachine hq-s-sql.sysadmins.lv         System.String
[Subject]...                              CEPEnrollmentInfo ...                           System.Security.Cryptograp...
[Subject]...                                   ProviderInfo PKI.Structs.Wincrypt+CRYPT... PKI.Structs.Wincrypt+CRYPT...
[Subject]...                         IssuerPublicKeyMD5Hash c2 ba 59 89 4d 65 55 f3 72... System.String
[Subject]...                                PublicKeyLength 2048                          System.Int32
[Subject]...                          SuibjectKeyIdentifier 21 59 3f 73 79 a1 dd 71 67... System.String
[Subject]...                                  SignatureHash 89 5c 32 16 99 0a 44 77 67... System.String
[Subject]...                                        MD5Hash 3f d8 85 67 d7 b5 95 e4 18... System.String
[Subject]...                               PublicKeyMD5Hash f1 db 40 9f e8 a5 d2 ce 70... System.String
[Subject]...                                       SHA1Hash 08 7c 98 52 d1 86 3e 69 55... System.String
[Subject]...                                OcspCachePrefix D1DF52D504A99E8E7503513713... System.String


PS C:\>

The output doesn't look very pretty, but it already provides useful information. For example, we can see that this certificate was originally requested from the "hq-s-sql.sysadmins.lv" machine (RequestOriginatorMachine property). The CEPEnrollmentInfo property indicates that the certificate was requested by using ADCS Enrollment Web Services. We can read some details about the certificate enrollment:

PS C:\> ($cert | Get-CertificateContextProperty -PropertyName CEPEnrollmentInfo).PropertyValue


Version                         : 1
PolicyServerUrl                 : https://hq-s-pkix.sysadmins.lv/ADPolicyProvider_CEP_Kerberos/service.svc/CEP
PolicyServerUrlFlags            : None
PolicyServerAuthentication      : Kerberos
PolicyId                        : {F29AC102-CDCD-4AA8-B1F5-761051FB52C5}
EnrollmentServerUrl             : https://hq-s-pkix.sysadmins.lv/Sysadmins LV Internal Class 1 SubCA-1_CES_Kerberos/ser
                                  vice.svc/CES
EnrollmentyServerAuthentication : Kerberos
RequestID                       : 785



PS C:\>

We can see detailed information about the policy and enrollment server URLs, the policy ID, the authentication method for each service and the request ID.
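The enrollment-provenance information above is most useful when it is collected for a whole store rather than one certificate at a time. The following script is an added example, not code from the post or from the PSPKI project: it walks the local machine's personal store with the Get-CertificateContextProperty cmdlet, reads the RequestOriginatorMachine and CEPEnrollmentInfo properties exactly as shown in the output above, and flags certificates that were requested from a host other than this one or enrolled through a non-TLS policy or enrollment URL. The function name, the ExpectedOriginators parameter and its default are my own constructions; the property and member names are the ones displayed in the post.

```powershell
# Added example (not part of PSPKI or the original post). Assumes PSPKI v3.2.6
# is installed and the session can read Cert:\LocalMachine\My.
Import-Module PSPKI

function Get-CertificateProvenanceReport {
    [CmdletBinding()]
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',
        # Hosts that are allowed to have originated requests for this machine's
        # certificates. Constructed default: this host's short and FQDN names.
        [string[]]$ExpectedOriginators = $(
            $env:COMPUTERNAME
            if ($env:USERDNSDOMAIN) { "$env:COMPUTERNAME.$env:USERDNSDOMAIN" }
        )
    )

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # -NameList returns only the names of the context properties that are
        # actually present on this certificate, so we test before reading.
        $names = @($cert | Get-CertificateContextProperty -NameList)

        $originator = $null
        if ($names -contains 'RequestOriginatorMachine') {
            $originator = ($cert | Get-CertificateContextProperty -PropertyName RequestOriginatorMachine).PropertyValue
        }

        $policyUrl = $null; $enrollUrl = $null; $requestId = $null
        if ($names -contains 'CEPEnrollmentInfo') {
            # PropertyValue carries the CEP/CES details shown in the post.
            $cep = ($cert | Get-CertificateContextProperty -PropertyName CEPEnrollmentInfo).PropertyValue
            $policyUrl = $cep.PolicyServerUrl
            $enrollUrl = $cep.EnrollmentServerUrl
            $requestId = $cep.RequestID
        }

        # Findings a reviewer would want to look at: a request that originated
        # on another machine, or enrollment web service URLs not using HTTPS.
        $findings = @()
        if ($originator -and ($ExpectedOriginators -notcontains $originator)) {
            $findings += "requested from foreign host '$originator'"
        }
        foreach ($url in @($policyUrl, $enrollUrl)) {
            if ($url -and $url -notmatch '^https://') {
                $findings += "non-TLS enrollment URL '$url'"
            }
        }

        [PSCustomObject]@{
            Thumbprint          = $cert.Thumbprint
            Subject             = $cert.Subject
            NotAfter            = $cert.NotAfter
            RequestOriginator   = $originator
            PolicyServerUrl     = $policyUrl
            EnrollmentServerUrl = $enrollUrl
            RequestID           = $requestId
            Findings            = ($findings -join '; ')
        }
    }
}

# Usage: the full inventory, then only the certificates that need a second look.
Get-CertificateProvenanceReport | Format-Table Thumbprint, Subject, RequestOriginator, RequestID -AutoSize
Get-CertificateProvenanceReport | Where-Object { $_.Findings } | Format-List
```

Certificates without the RequestOriginatorMachine or CEPEnrollmentInfo properties (imported PFX files, manually created requests) simply show empty columns; the absence of enrollment metadata is itself worth correlating with the CA database if the certificate claims to have been issued by an internal CA.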

Other properties can be read in a similar way. For example, some trusted root CA certificates are restricted to allow only specific enhanced key usages for the certificates chained to them:

PS C:\> $cert = gi Cert:\LocalMachine\Root\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436
PS C:\> $cert


    Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\Root


Thumbprint                                Subject
----------                                -------
A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436  CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US


PS C:\> $cert | Get-CertificateContextProperty -NameList
PublicKeyLength
RootProgramCertificatePolicies
98
SuibjectKeyIdentifier
FriendlyName
EnhancedKeyUsage
SHA1Hash
SignatureHash
PublicKeyMD5Hash
SubjectNameMD5Hash
MD5Hash
PS C:\> ($cert | Get-CertificateContextProperty -PropertyName EnhancedKeyUsage).PropertyValue

EnhancedKeyUsages                                  Critical Oid                           RawData
-----------------                                  -------- ---                           -------
{Server Authentication, Cl...                         False 2.5.29.37 (Enhanced Key Us... {48, 50, 6, 8...}


PS C:\> (($cert | Get-CertificateContextProperty -PropertyName EnhancedKeyUsage).PropertyValue).EnhancedKeyUsages

Value                                                       FriendlyName
-----                                                       ------------
1.3.6.1.5.5.7.3.1                                           Server Authentication
1.3.6.1.5.5.7.3.2                                           Client Authentication
1.3.6.1.5.5.7.3.4                                           Secure Email
1.3.6.1.5.5.7.3.3                                           Code Signing
1.3.6.1.5.5.7.3.8                                           Time Stamping


PS C:\>

We see that this particular root CA is limited to the listed key usages only. In addition, there is a RootProgramCertificatePolicies property. This property contains the certificate policies under which Extended Validation (EV) SSL certificates are issued:

PS C:\> (($cert | Get-CertificateContextProperty -PropertyName RootProgramCertificatePolicies).PropertyValue).Format(1)
[1]Certificate Policy:
     Policy Identifier=2.16.840.1.114412.2.1
     [1,1]Policy Qualifier Info:
          Policy Qualifier Id=1.3.6.1.4.1.311.60.1.1
          Qualifier:
               03 02 00 c0

PS C:\>

I'm using the Format() method to get a quick textual representation of the property object that displays the policy information. But you can still decode this information manually by digging into the underlying object, which is of the X509CertificatePoliciesExtension class:

PS C:\> ($cert | Get-CertificateContextProperty -PropertyName RootProgramCertificatePolicies).UnderlyingType.FullName
System.Security.Cryptography.X509Certificates.X509CertificatePoliciesExtension
PS C:\>
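Put together, the EnhancedKeyUsage and RootProgramCertificatePolicies properties let you review the whole trusted root store instead of one root at a time. The script below is an added example, not code from the post or from PSPKI: for every root in Cert:\LocalMachine\Root it records whether Windows constrains the root to specific enhanced key usages (a root with no EnhancedKeyUsage context property is trusted for every purpose) and which Root Program policy OIDs it carries. The function name is my own; the property names, the EnhancedKeyUsages collection with its Value and FriendlyName members, and the Format(1) output layout are taken from the post's output.

```powershell
# Added example (not part of PSPKI or the original post). Assumes PSPKI v3.2.6
# is installed; reading the Root store does not require elevation.
Import-Module PSPKI

function Get-TrustedRootConstraintReport {
    [CmdletBinding()]
    param([string]$StorePath = 'Cert:\LocalMachine\Root')

    foreach ($root in Get-ChildItem -Path $StorePath) {
        $names = @($root | Get-CertificateContextProperty -NameList)

        # No EnhancedKeyUsage context property means the root is trusted for
        # every purpose, which is the case a reviewer most wants to notice.
        $ekus = @()
        if ($names -contains 'EnhancedKeyUsage') {
            $ekuExt = ($root | Get-CertificateContextProperty -PropertyName EnhancedKeyUsage).PropertyValue
            $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object {
                if ($_.FriendlyName) { $_.FriendlyName } else { $_.Value }
            })
        }

        # RootProgramCertificatePolicies is an X509CertificatePoliciesExtension.
        # Format(1) yields the multi-line text shown in the post; the policy OIDs
        # are pulled from its "Policy Identifier=" lines.
        $policyOids = @()
        if ($names -contains 'RootProgramCertificatePolicies') {
            $polExt = ($root | Get-CertificateContextProperty -PropertyName RootProgramCertificatePolicies).PropertyValue
            $policyOids = @([regex]::Matches($polExt.Format(1), 'Policy Identifier=(\S+)') |
                ForEach-Object { $_.Groups[1].Value })
        }

        [PSCustomObject]@{
            Thumbprint        = $root.Thumbprint
            Subject           = $root.Subject
            NotAfter          = $root.NotAfter
            EkuRestricted     = ($ekus.Count -gt 0)
            EnhancedKeyUsages = ($ekus -join ', ')
            RootProgramPolicy = ($policyOids -join ', ')
        }
    }
}

# Usage: full inventory, then only the roots trusted for every purpose.
$report = Get-TrustedRootConstraintReport
$report | Sort-Object EkuRestricted, Subject |
    Format-Table Thumbprint, Subject, EkuRestricted, EnhancedKeyUsages -AutoSize
$report | Where-Object { -not $_.EkuRestricted } | Select-Object Thumbprint, Subject, NotAfter
```

Roots that come from the Microsoft Root Program usually carry an EKU restriction; an unrestricted root is typically one that was added locally (an enterprise CA published through group policy, or a root installed by some software), so the second listing is a compact starting point for a trust-store review.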

I put a lot of effort into making the property object discoverable in an automated way. That is, a context property object contains all the required information about the property:

  • Property name;
  • Underlying type of the property value;
  • Property value;
  • Associated certificate

I hope you find this feature useful.

This is a "preview" version of the Get-CertificateContextProperty command. I have to admit that the design is not the best, so I would like to hear your suggestions on how I should compose properties to support better display in the PowerShell console and class management.

Comment policy on PSPKI documentation

Each page in the PowerShell PKI Module site directory is open for comments. However, I noticed that some users misuse the comments there, so I would like to clarify the comment policy. Comments are intended to help improve the documentation: to point out bugs, typos, and incomplete or unclear information. Once I fix the issue, the comment will be deleted.

Related things: ASN.1

In the previous release, I removed the PKI.ASN namespace from the PKI.Core.dll library, because the ASN classes are used in other projects, so I moved them to a dedicated project. I'm continuing to develop and improve my ASN.1 library, and its documentation (for the parts that are working right now and are extensively used by the PSPKI module) is published online: http://pkix2.sysadmins.lv/asn1parser-docs/html/R_Project_Documentation.htm. I will post more information about this library in future posts.

Download

>> PowerShell PKI Module v3.2.6 <<



Comments:

Dominic

Hello,

I tried to run the remove-databaserow and received that error: "WARNING: Non-request or non-CRL table row removal is not supported." But the thing is that we have a CA in our lab environment that is an exact copy of our prod one and it works in LAB.... Do you have any idea?

Thank you

Yann

Hello Vadims,

This version of PSPKI module doesn't work with an ADCS server under Windows Server 2016.

Do you plan to release a new version that is compatible with Windows Server 2016?

Thanks in advance.

Vadims Podāns

Yes, once I move to PowerShell gallery, I will update the module.
