Get-CertificateRequest does not return all content of nested request #52
Comments
Can you send me example files for investigation? The current PKCS#7 decoder has some limitations (it skips some parts during decoding), so it would be great if you would supply these files for investigation.
Thank you for investigating the issue. I added files including the full script and transcript of how I processed it, so you may generate additional examples. I hope this helps to troubleshoot the issue. If you need more details or examples with different "overwrites", let me know. If I could have access to the source code of your library, I may have a look as well. PSPKI_Get-CertificateRequest_Improvement_supporting_files.zip
The library's source code is on GitHub; specifically, you need the SignedPkcs7 class: https://github.com/Crypt32/pkix.net/blob/master/PKI/Cryptography/Pkcs/SignedPkcs7.cs
Using the following command together with a policy .inf file allows you to "change" some content of a CSR:

```
CertReq -f -q -config "MyCA\Test Root CA" -cert 88884808333333336960447CE1731EA6654345676 -policy .\MyFriends.CSR .\MyCPS.inf .\MyUpdated.csr
```
The command creates a new nested PKCS7 request file.
Using `certutil -dump .\MyUpdated.csr` returns 4 different objects:

```
PKCS7/CMS
Message
PKCS7 Message Content:
================ Begin Nesting Level 1 ================
CMS Certificate Request:
---- CUSTOM REQUEST DATA BASED ON .\MyCPS.inf -------
================ Begin Nesting Level 2 ================
PKCS10 Certificate Request:
---- ORIGINAL REQUEST DATA BASED ON .\MyFriends.CSR -------
---------------- End Nesting Level 2 ----------------
---------------- End Nesting Level 1 ----------------
Signer Count: 2
Signer Info[0]:
NULL signature verifies
---- SOME KIND OF DUMMY SIGNATURE OID.1.3.6.1.4.1.311.21.9=Dummy Signer -------
Signer Info[1]:
---- SIGNER CERT -------
```
Reading the new request:

```powershell
$req = Get-CertificateRequest ( Resolve-Path .\MyUpdated.csr )
```

`$req.RequestType` returns an object of type PKCS7, which seems to be the original request but as PKCS7.
`$req.ExternalData` returns an object of content type CMC Data but with content `SysadminsLV.PKI.Cryptography.X509CertificateRequests.X509CertificateRequestPkcs10`, which is again the original request.
So the object returned by `Get-CertificateRequest` is missing the data injected by the policy .inf as well as all signatures.
I'm happy to share more detailed examples if required.
Thank you for your support.
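The check a practitioner would want before trusting a parsed nested request, as an added example that is not part of the PSPKI project or of this issue: decode the outer PKCS#7/CMS envelope independently with .NET's `System.Security.Cryptography.Pkcs.SignedCms`, list every signer (including the NULL/dummy one from the dump above) and the encapsulated content type, and put that next to what `Get-CertificateRequest` reports for the same file. It assumes Windows PowerShell 5.1 with the PSPKI module loaded and a file produced by the `certreq -policy` command above; the file name is taken from the issue text, and the OID `1.3.6.1.5.5.7.12.2` is the standard id-cct-PKIData (CMC data) content type.

```powershell
# Added example, not code from the PSPKI project or the issue reporter.
# Assumes Windows PowerShell 5.1, the PSPKI module loaded, and a nested
# request file produced by "certreq -policy" (file name taken from the issue).
param(
    [string]$Path = '.\MyUpdated.csr'
)

Add-Type -AssemblyName System.Security   # provides SignedCms

$fullPath = (Resolve-Path $Path).ProviderPath
$raw = [System.IO.File]::ReadAllBytes($fullPath)

# certreq writes the nested request as base64 PEM; accept raw DER as well.
$text = [System.Text.Encoding]::ASCII.GetString($raw)
if ($text -match '-----BEGIN') {
    $b64 = ($text -split "`r?`n" | Where-Object { $_ -and $_ -notmatch '^-----' }) -join ''
    $raw = [Convert]::FromBase64String($b64)
}

# Decode the outer PKCS#7/CMS SignedData without going through PSPKI.
$cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
$cms.Decode($raw)   # throws CryptographicException if this is not SignedData

# What the CA actually receives: the encapsulated content (CMC PKIData is
# OID 1.3.6.1.5.5.7.12.2) and every signer, including a NULL/dummy signer
# that carries no certificate.
$signers = foreach ($si in $cms.SignerInfos) {
    $subject = if ($si.Certificate) { $si.Certificate.Subject } else { '<no certificate: NULL/dummy signer>' }
    [pscustomobject]@{ Subject = $subject; DigestAlgorithm = $si.DigestAlgorithm.FriendlyName }
}

# Verify the signatures only (no chain building); a NULL signature is
# expected to fail here, which is itself worth seeing.
try {
    $cms.CheckSignature($true)
    $signatureCheck = 'all signatures verify'
} catch {
    $signatureCheck = "failed: $($_.Exception.Message)"
}

$outer = [pscustomobject]@{
    OuterContentType  = $cms.ContentInfo.ContentType.Value
    OuterContentBytes = $cms.ContentInfo.Content.Length
    SignerCount       = $cms.SignerInfos.Count
    SignatureCheck    = $signatureCheck
}

# What PSPKI returns for the same file (only properties named in the issue).
$req = Get-CertificateRequest (Resolve-Path $Path)

'--- Outer CMS as decoded by SignedCms ---'
$outer | Format-List
$signers | Format-Table -AutoSize
'--- Get-CertificateRequest view ---'
[pscustomobject]@{
    RequestType  = $req.RequestType
    ExternalData = $req.ExternalData
} | Format-List
```

For the file described in this issue the first view shows two signers and a CMC data content type, while the PSPKI object only exposes the inner PKCS#10 request; a parser result should be treated as complete only when the signer and content information agrees between the two views.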