Get-CertificateRequest does not return all content of nested request #52

Open
PatrickOnGit opened this issue Oct 2, 2018 · 3 comments
Labels
enhancement This is a new feature request. Not a bug really.

@PatrickOnGit

Using the following command together with a policy.inf file allows one to "change" some content of a CSR:

```
CertReq -f -q -config "MyCA\Test Root CA" -cert 88884808333333336960447CE1731EA6654345676 -policy .\MyFriends.CSR .\MyCPS.inf .\MyUpdated.csr
```

The command creates a new nested PKCS7 request file.
Using certutil -dump .\MyUpdated.csr returns 4 different objects:

```
PKCS7/CMS

Message
PKCS7 Message Content:
================ Begin Nesting Level 1 ================
CMS Certificate Request:
---- CUSTOM REQUEST DATA BASED ON .\MyCPS.inf -------

================ Begin Nesting Level 2 ================
PKCS10 Certificate Request:
---- ORIGINAL REQUEST DATA BASED ON .\MyFriends.CSR -------

---------------- End Nesting Level 2 ----------------
---------------- End Nesting Level 1 ----------------
Signer Count: 2
Signer Info[0]:
NULL signature verifies
---- SOME KIND OF DUMMY SIGNATURE OID.1.3.6.1.4.1.311.21.9=Dummy Signer -------

Signer Info[1]:
---- SIGNER CERT -------
```

Reading the new request

```
$req = Get-CertificateRequest ( Resolve-Path .\MyUpdated.csr )
```

$req.RequestType returns an object of type PKCS7 which seems to be the original request but as PKCS7
$req.ExternalData returns an object of content type CMC Data but with content SysadminsLV.PKI.Cryptography.X509CertificateRequests.X509CertificateRequestPkcs10 which is again the original request.

So the object returned by Get-CertificateRequest is missing the data injected by policy.inf as well as all signatures.

I'm happy to share more detailed examples if required

Thank you for your support.
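
A way to list the outer signers and content type of such a request independently of `Get-CertificateRequest`, using the .NET `SignedCms` class directly. This is an added example, not part of the original report or of PSPKI; the function names are hypothetical, the sample message is constructed in memory, and Windows PowerShell 5.1 is assumed.

```powershell
# Added example; assumes Windows PowerShell 5.1, where System.Security holds SignedCms.
Add-Type -AssemblyName System.Security
$Pkcs = 'System.Security.Cryptography.Pkcs'

# Hypothetical helper: accept a binary (DER) or Base64/PEM request file.
function Read-RequestBytes([string]$Path) {
    $raw = [IO.File]::ReadAllBytes((Resolve-Path -LiteralPath $Path).ProviderPath)
    if ($raw[0] -eq 0x30) { return ,$raw }           # already DER (SEQUENCE tag)
    # Otherwise treat as Base64 text and drop any -----BEGIN/END----- lines.
    $b64 = [Text.Encoding]::ASCII.GetString($raw) -replace '-----[^-]+-----' -replace '\s'
    return ,[Convert]::FromBase64String($b64)
}

# Hypothetical helper: summarise the outer PKCS#7 layer and every signer on it.
function Get-OuterCmsInfo([byte[]]$Bytes) {
    $cms = New-Object "$Pkcs.SignedCms"
    $cms.Decode($Bytes)
    $signers = foreach ($si in $cms.SignerInfos) {
        $hashOnly = $si.SignerIdentifier.Type -eq 'NoSignature'
        # A hash-only signer carries no certificate, so check the hash instead.
        try   { if ($hashOnly) { $si.CheckHash() } else { $si.CheckSignature($true) }; $ok = $true }
        catch { $ok = $false }
        [pscustomobject]@{
            IdentifierType = $si.SignerIdentifier.Type
            Certificate    = if ($si.Certificate) { $si.Certificate.Subject }
            Verifies       = $ok
            SignedAttrOids = @($si.SignedAttributes | ForEach-Object { $_.Oid.Value })
        }
    }
    [pscustomobject]@{
        ContentType  = $cms.ContentInfo.ContentType.Value   # 1.3.6.1.5.5.7.12.2 = CMC PKIData
        ContentBytes = $cms.ContentInfo.Content.Length
        Certificates = @($cms.Certificates | ForEach-Object { $_.Subject })
        Signers      = @($signers)
    }
}

# Constructed sample (not the reporter's file): a CMC-typed placeholder payload
# (an empty SEQUENCE) carried in a SignedData message with one hash-only signer.
$oid     = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.12.2'
$content = New-Object "$Pkcs.ContentInfo" $oid, ([byte[]](0x30, 0x00))
$sample  = New-Object "$Pkcs.SignedCms" $content
$signer  = New-Object "$Pkcs.CmsSigner" ([System.Security.Cryptography.Pkcs.SubjectIdentifierType]::NoSignature)
$sample.ComputeSignature($signer)
Get-OuterCmsInfo ($sample.Encode()) | Format-List

# Against a file on disk: Get-OuterCmsInfo (Read-RequestBytes .\MyUpdated.csr)
```

`SignedCms` decodes only the outer PKCS#7 layer; the CMC payload and the PKCS10 request nested inside it are returned as raw bytes in `ContentInfo.Content`.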

@Crypt32
Collaborator

Crypt32 commented Oct 2, 2018

Can you submit me example files for investigation?

Current PKCS#7 decoder has some limitations (skips some parts from decoding), so it would be great if you would supply these files for investigation.

@PatrickOnGit
Author

Thank you for investigating the issue.

I added files, including all scripts and a transcript of how I processed them, so you may generate additional examples. I hope this helps to troubleshoot the issue. If you need more details or examples with different "overwrites", let me know.

If I could have access to the source code of your library I may have a look as well.

PSPKI_Get-CertificateRequest_Improvement_supporting_files.zip

@Crypt32
Collaborator

Crypt32 commented Oct 3, 2018

The library's source code is on GitHub; specifically, you need the SignedPkcs7 class: https://github.com/Crypt32/pkix.net/blob/master/PKI/Cryptography/Pkcs/SignedPkcs7.cs

@Crypt32 Crypt32 added the enhancement This is a new feature request. Not a bug really. label Oct 29, 2018