CertificateValidation/PublicCertHelper.psm1
|
<#############################################################
# # # Copyright (C) Microsoft Corporation. All rights reserved. # # # #############################################################> $ErrorActionPreference = 'Stop' # Explicitly importing it as ERCS VM does not have it by default Import-Module PKI Import-LocalizedData LocalizedData -Filename PublicCertHelper.Strings.psd1 -ErrorAction SilentlyContinue # workaround for https://github.com/PowerShell/JEA/issues/42 # can't use Import-PowerShellDataFile because PS5.1 Import-LocalizedData -FileName Microsoft.AzureStack.CertificateConfig.psd1 -BaseDirectory $PSScriptRoot -BindingVariable CertificateData $certificateDefaults = $CertificateData.CertificateDefaults $myCertPath = 'cert:\localmachine\my\' if ($standalone) { $publicCertRoot = $PSScriptRoot $WarnOnSelfSigned = $true } else { $publicCertRoot = 'C:\CloudDeployment\Setup\Certificates' } $armPublicCertInfo = @{Path="$publicCertRoot\AAD\ARM Public";RecordPrefix=@("management")} $armAdminCertInfo = @{Path="$publicCertRoot\AAD\ARM Admin";RecordPrefix=@("adminmanagement")} $publicPortalCertInfo = @{Path="$publicCertRoot\AAD\Public Portal";RecordPrefix=@("portal")} $adminPortalCertInfo = @{Path="$publicCertRoot\AAD\Admin Portal";RecordPrefix=@("adminportal")} $keyvaultCertInfo = @{Path="$publicCertRoot\AAD\KeyVault";RecordPrefix=@("*.vault")} $keyvaultAdminCertInfo = @{Path="$publicCertRoot\AAD\KeyVaultInternal";RecordPrefix=@("*.adminvault")} $acsTableCertInfo = @{Path="$publicCertRoot\AAD\ACSTable";RecordPrefix=@("*.table")} $acsQueueCertInfo = @{Path="$publicCertRoot\AAD\ACSQueue";RecordPrefix=@("*.queue")} $acsBlobCertInfo = @{Path="$publicCertRoot\AAD\ACSBlob";RecordPrefix=@("*.blob")} $adminHostingCertInfo = @{Path="$publicCertRoot\AAD\Admin Extension Host";RecordPrefix=@("*.adminhosting")} $publicHostingCertInfo = @{Path="$publicCertRoot\AAD\Public Extension Host";RecordPrefix=@("*.hosting")} $acrCertInfo = @{Path="$publicCertRoot\AAD\Container Registry";RecordPrefix=@("*.azsacr")} $adfsCertInfo = @{Path="$publicCertRoot\ADFS\ADFS";RecordPrefix=@("adfs")} $graphCertInfo = @{Path="$publicCertRoot\ADFS\Graph";RecordPrefix=@("graph")} $armADFSPublicCertInfo = @{Path="$publicCertRoot\ADFS\ARM Public";RecordPrefix=@("management")} $armADFSAdminCertInfo = @{Path="$publicCertRoot\ADFS\ARM Admin";RecordPrefix=@("adminmanagement")} $publicADFSPortalCertInfo = @{Path="$publicCertRoot\ADFS\Public Portal";RecordPrefix=@("portal")} $adminADFSPortalCertInfo = @{Path="$publicCertRoot\ADFS\Admin Portal";RecordPrefix=@("adminportal")} $keyvaultADFSCertInfo = @{Path="$publicCertRoot\ADFS\KeyVault";RecordPrefix=@("*.vault")} $keyvaultADFSAdminCertInfo = @{Path="$publicCertRoot\ADFS\KeyVaultInternal";RecordPrefix=@("*.adminvault")} $acsTableADFSCertInfo = @{Path="$publicCertRoot\ADFS\ACSTable";RecordPrefix=@("*.table")} $acsQueueADFSCertInfo = @{Path="$publicCertRoot\ADFS\ACSQueue";RecordPrefix=@("*.queue")} $acsBlobADFSCertInfo = @{Path="$publicCertRoot\ADFS\ACSBlob";RecordPrefix=@("*.blob")} $adminHostingADFSCertInfo = @{Path="$publicCertRoot\ADFS\Admin Extension Host";RecordPrefix=@("*.adminhosting")} $publicHostingADFSCertInfo = @{Path="$publicCertRoot\ADFS\Public Extension Host";RecordPrefix=@("*.hosting")} $acrADFSCertInfo = @{Path="$publicCertRoot\ADFS\Container Registry";RecordPrefix=@("*.azsacr")} # This function appends the region and domainFQDN to the RecordPrefix/es and returns the array for multiple endpoints function New-DNSList { Param ( [Parameter(Mandatory=$true)] [string[]] $RecordPrefixList, [Parameter(Mandatory=$true)] [String] $RegionExternalFQDN ) $dnsListCreated = @() foreach ($RecordPrefix in $RecordPrefixList) { $dnsListCreated += $RecordPrefix + ".$RegionExternalFQDN" } return $dnsListCreated } function New-SelfSignedCertificateWrapper { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium')] Param ( [Parameter(Mandatory=$true)] [string[]] $DnsRecord, [Parameter(Mandatory=$true)] [SecureString] $CertificatePassword, [Parameter(Mandatory=$true)] [string] $OutFilePath, [Parameter(Mandatory=$true)] [string] $RootCertThumbprint ) # Creating if the path does not exist as SecretRotation BVT needs it if(-not (Test-Path $OutFilePath)) { $null = New-Item -Path $OutFilePath -ItemType Directory } if(-not (Get-ChildItem -Path $OutFilePath -Filter '*.pfx')) { $OutFilePath = Join-Path -Path $OutFilePath -ChildPath "SSL.pfx" $rootCert = ( Get-ChildItem -path $RootCertThumbprint ) $certThumbprint = New-SelfSignedCertificate -KeyUsage DigitalSignature, KeyEncipherment -HashAlgorithm SHA256 -KeyUsageProperty All -KeyLength 4096 -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -certstorelocation $myCertPath -dnsname $DnsRecord -Signer $rootCert -KeyExportPolicy Exportable -Verbose:$false $certPath = $myCertPath + $certThumbprint.Thumbprint # It can sometimes take a few seconds to populate the store $retryCount = 0; while(-not (Test-Path $certPath)) { Start-Sleep -Seconds 1 if($retryCount++ -eq 10) { throw ($LocalizedData.FailedCreatingCert -f $certPath) } } $null = Export-PfxCertificate -FilePath $OutFilePath -Cert $certPath -Password $CertificatePassword -ChainOption BuildChain -Force -Verbose:$false } } function New-SelfSignedRootCert { [Alias("Create-RootCert")] Param ( [Parameter(Mandatory=$true)] [string] $DnsRecord, [Parameter(Mandatory=$true)] [SecureString] $CertificatePassword ) $baseRootCertThumbprint = New-SelfSignedCertificate -KeyUsage DigitalSignature, KeyEncipherment, CertSign -HashAlgorithm SHA256 -KeyUsageProperty All -KeyLength 4096 -Subject "AzureStackSelfSignedRootCert" -FriendlyName "Azs Self Signed RootCert" -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -certstorelocation $myCertPath -dnsname $DnsRecord -TextExtension @("2.5.29.19 ={critical} {text}ca=1&pathlength=3") $intermediateRootCertThumbprint = New-SelfSignedCertificate -KeyUsage DigitalSignature, KeyEncipherment, CertSign -HashAlgorithm SHA256 -KeyUsageProperty All -KeyLength 4096 -Subject "AzureStackSelfSignedIntermediate1Cert" -FriendlyName "Azs Self Signed Intermediate 1 Cert" -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -certstorelocation $myCertPath -dnsname $DnsRecord -TextExtension @("2.5.29.19 ={critical} {text}ca=1&pathlength=2") -Signer $baseRootCertThumbprint $secondIntermediateRootCertThumbprint = New-SelfSignedCertificate -KeyUsage DigitalSignature, KeyEncipherment, CertSign -HashAlgorithm SHA256 -KeyUsageProperty All -KeyLength 4096 -Subject "AzureStackSelfSignedIntermediate2Cert" -FriendlyName "Azs Self Signed Intermediate 2 Cert" -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -certstorelocation $myCertPath -dnsname $DnsRecord -TextExtension @("2.5.29.19 ={critical} {text}ca=1&pathlength=0") -Signer $intermediateRootCertThumbprint $certPath = $myCertPath + $secondIntermediateRootCertThumbprint.Thumbprint # It can sometimes take a few seconds to populate the store $retryCount = 0; while(-not (Test-Path $certPath)) { Start-Sleep -Seconds 1 if($retryCount++ -eq 10) { throw "Failed to create self signed root certificate in store '$certPath'." } } return $certPath } # Use for one nodes and internal testing only! function New-AzureStackSelfSignedCerts { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium')] Param ( [Parameter(Mandatory=$true)] [string] $RegionExternalFQDN, [Parameter(Mandatory=$true)] [SecureString] $CertificatePassword, [Parameter(Mandatory=$false)] [string] $ExternalCertRoot ) if($ExternalCertRoot) { $publicCertRoot = $ExternalCertRoot $armPublicCertInfo = @{Path="$publicCertRoot\AAD\ARM Public";RecordPrefix=@("management")} $armAdminCertInfo = @{Path="$publicCertRoot\AAD\ARM Admin";RecordPrefix=@("adminmanagement")} $publicPortalCertInfo = @{Path="$publicCertRoot\AAD\Public Portal";RecordPrefix=@("portal")} $adminPortalCertInfo = @{Path="$publicCertRoot\AAD\Admin Portal";RecordPrefix=@("adminportal")} $keyvaultCertInfo = @{Path="$publicCertRoot\AAD\KeyVault";RecordPrefix=@("*.vault")} $keyvaultAdminCertInfo = @{Path="$publicCertRoot\AAD\KeyVaultInternal";RecordPrefix=@("*.adminvault")} $acsTableCertInfo = @{Path="$publicCertRoot\AAD\ACSTable";RecordPrefix=@("*.table")} $acsQueueCertInfo = @{Path="$publicCertRoot\AAD\ACSQueue";RecordPrefix=@("*.queue")} $acsBlobCertInfo = @{Path="$publicCertRoot\AAD\ACSBlob";RecordPrefix=@("*.blob")} $adminHostingCertInfo = @{Path="$publicCertRoot\AAD\Admin Extension Host";RecordPrefix=@("*.adminhosting")} $publicHostingCertInfo = @{Path="$publicCertRoot\AAD\Public Extension Host";RecordPrefix=@("*.hosting")} $acrCertInfo = @{Path="$publicCertRoot\AAD\Container Registry";RecordPrefix=@("*.azsacr")} $adfsCertInfo = @{Path="$publicCertRoot\ADFS\ADFS";RecordPrefix=@("adfs")} $graphCertInfo = @{Path="$publicCertRoot\ADFS\Graph";RecordPrefix=@("graph")} $armADFSPublicCertInfo = @{Path="$publicCertRoot\ADFS\ARM Public";RecordPrefix=@("management")} $armADFSAdminCertInfo = @{Path="$publicCertRoot\ADFS\ARM Admin";RecordPrefix=@("adminmanagement")} $publicADFSPortalCertInfo = @{Path="$publicCertRoot\ADFS\Public Portal";RecordPrefix=@("portal")} $adminADFSPortalCertInfo = @{Path="$publicCertRoot\ADFS\Admin Portal";RecordPrefix=@("adminportal")} $keyvaultADFSCertInfo = @{Path="$publicCertRoot\ADFS\KeyVault";RecordPrefix=@("*.vault")} $keyvaultADFSAdminCertInfo = @{Path="$publicCertRoot\ADFS\KeyVaultInternal";RecordPrefix=@("*.adminvault")} $acsTableADFSCertInfo = @{Path="$publicCertRoot\ADFS\ACSTable";RecordPrefix=@("*.table")} $acsQueueADFSCertInfo = @{Path="$publicCertRoot\ADFS\ACSQueue";RecordPrefix=@("*.queue")} $acsBlobADFSCertInfo = @{Path="$publicCertRoot\ADFS\ACSBlob";RecordPrefix=@("*.blob")} $adminHostingADFSCertInfo = @{Path="$publicCertRoot\ADFS\Admin Extension Host";RecordPrefix=@("*.adminhosting")} $publicHostingADFSCertInfo = @{Path="$publicCertRoot\ADFS\Public Extension Host";RecordPrefix=@("*.hosting")} $acrADFSCertInfo = @{Path="$publicCertRoot\ADFS\Container Registry";RecordPrefix=@("*.azsacr")} } else { Write-VerboseLog $LocalizedData.CreatingExternalSelfSignedCerts } # getting rootCert thumbprint $rootCertThumbprint = New-SelfSignedRootCert -DnsRecord "$RegionExternalFQDN" -CertificatePassword $CertificatePassword # AAD certs New-SelfSignedCertificateWrapper -OutFilePath $armPublicCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $armPublicCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $armAdminCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $armAdminCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $publicPortalCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $publicPortalCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $adminPortalCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $adminPortalCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $keyvaultCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $keyvaultCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $keyvaultAdminCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $keyvaultAdminCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint #Creating three different ACS certs for Blob, Queue and Table: Another option is customers can provide one wilcard cert for all these three New-SelfSignedCertificateWrapper -OutFilePath $acsTableCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $acsTableCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $acsQueueCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $acsQueueCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $acsBlobCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $acsBlobCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint #Creating two additional Extension Host Certs New-SelfSignedCertificateWrapper -OutFilePath $adminHostingCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $adminHostingCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $publicHostingCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $publicHostingCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint #Creating Container Registry cert, which is optional but required in BCDR pipeline New-SelfSignedCertificateWrapper -OutFilePath $acrCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $acrCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint # ADFS certs New-SelfSignedCertificateWrapper -OutFilePath $adfsCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $adfsCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $graphCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $graphCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $armADFSPublicCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $armADFSPublicCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $armADFSAdminCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $armADFSAdminCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $publicADFSPortalCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $publicADFSPortalCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $adminADFSPortalCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $adminADFSPortalCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $keyvaultADFSCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $keyvaultADFSCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $keyvaultADFSAdminCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $keyvaultADFSAdminCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint #Creating three different ACS certs for Blob, Queue and Table: Another option is customers can provide one wilcard cert for all these three New-SelfSignedCertificateWrapper -OutFilePath $acsTableADFSCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $acsTableADFSCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $acsQueueADFSCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $acsQueueADFSCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $acsBlobADFSCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $acsBlobADFSCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint #Creating two additional Extension Host Certs New-SelfSignedCertificateWrapper -OutFilePath $adminHostingADFSCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $adminHostingADFSCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $publicHostingADFSCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $publicHostingADFSCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint #Creating Container Registry cert, which is optional but required in BCDR pipeline New-SelfSignedCertificateWrapper -OutFilePath $acrADFSCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $acrADFSCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint } function Test-AzureStackCerts { Param ( [Parameter(Mandatory=$true)] [SecureString] $CertificatePassword, [Parameter(Mandatory=$true)] [string] $ExpectedDomainFQDN, [Parameter(Mandatory=$false)] [bool] $UseADFS = $false, [Parameter(Mandatory=$false)] [bool] $isACRInstalled = $false, [Parameter(Mandatory=$false)] [bool] $WarnOnSelfSigned = $true, [Parameter(Mandatory=$false)] [string] $PfxFilesPath, [Parameter(Mandatory=$false)] [Alias('SecretRotation')] [ValidateSet('SameRootOnly','AnyTrustedRoot','')] [string] $RootValidation = '' ) $thisFunction = $MyInvocation.MyCommand.Name $publicCertHelperModuleVersion = $MyInvocation.MyCommand.Module.Version if (!$PfxFilesPath) { Write-Log -Message ($LocalizedData.ValidatingCerts -f $publicCertHelperModuleVersion) -Type Info -Function $thisfunction } else { # we are in external cert rotation, need to use path provided by customer Write-Log -Message ($LocalizedData.ValidatingCerts -f $publicCertHelperModuleVersion) -Type Info -Function $thisfunction $publicCertRoot = $PfxFilesPath $armPublicCertInfo = @{Path="$publicCertRoot\AAD\ARM Public";RecordPrefix=@("management")} $armAdminCertInfo = @{Path="$publicCertRoot\AAD\ARM Admin";RecordPrefix=@("adminmanagement")} $publicPortalCertInfo = @{Path="$publicCertRoot\AAD\Public Portal";RecordPrefix=@("portal")} $adminPortalCertInfo = @{Path="$publicCertRoot\AAD\Admin Portal";RecordPrefix=@("adminportal")} $keyvaultCertInfo = @{Path="$publicCertRoot\AAD\KeyVault";RecordPrefix=@("*.vault")} $keyvaultAdminCertInfo = @{Path="$publicCertRoot\AAD\KeyVaultInternal";RecordPrefix=@("*.adminvault")} $acsTableCertInfo = @{Path="$publicCertRoot\AAD\ACSTable";RecordPrefix=@("*.table")} $acsQueueCertInfo = @{Path="$publicCertRoot\AAD\ACSQueue";RecordPrefix=@("*.queue")} $acsBlobCertInfo = @{Path="$publicCertRoot\AAD\ACSBlob";RecordPrefix=@("*.blob")} $adminHostingCertInfo = @{Path="$publicCertRoot\AAD\Admin Extension Host";RecordPrefix=@("*.adminhosting")} $publicHostingCertInfo = @{Path="$publicCertRoot\AAD\Public Extension Host";RecordPrefix=@("*.hosting")} $acrCertInfo = @{Path="$publicCertRoot\AAD\Container Registry";RecordPrefix=@("*.azsacr")} $adfsCertInfo = @{Path="$publicCertRoot\ADFS\ADFS";RecordPrefix=@("adfs")} $graphCertInfo = @{Path="$publicCertRoot\ADFS\Graph";RecordPrefix=@("graph")} $armADFSPublicCertInfo = @{Path="$publicCertRoot\ADFS\ARM Public";RecordPrefix=@("management")} $armADFSAdminCertInfo = @{Path="$publicCertRoot\ADFS\ARM Admin";RecordPrefix=@("adminmanagement")} $publicADFSPortalCertInfo = @{Path="$publicCertRoot\ADFS\Public Portal";RecordPrefix=@("portal")} $adminADFSPortalCertInfo = @{Path="$publicCertRoot\ADFS\Admin Portal";RecordPrefix=@("adminportal")} $keyvaultADFSCertInfo = @{Path="$publicCertRoot\ADFS\KeyVault";RecordPrefix=@("*.vault")} $keyvaultADFSAdminCertInfo = @{Path="$publicCertRoot\ADFS\KeyVaultInternal";RecordPrefix=@("*.adminvault")} $acsTableADFSCertInfo = @{Path="$publicCertRoot\ADFS\ACSTable";RecordPrefix=@("*.table")} $acsQueueADFSCertInfo = @{Path="$publicCertRoot\ADFS\ACSQueue";RecordPrefix=@("*.queue")} $acsBlobADFSCertInfo = @{Path="$publicCertRoot\ADFS\ACSBlob";RecordPrefix=@("*.blob")} $adminHostingADFSCertInfo = @{Path="$publicCertRoot\ADFS\Admin Extension Host";RecordPrefix=@("*.adminhosting")} $publicHostingADFSCertInfo = @{Path="$publicCertRoot\ADFS\Public Extension Host";RecordPrefix=@("*.hosting")} $acrADFSCertInfo = @{Path="$publicCertRoot\ADFS\Container Registry";RecordPrefix=@("*.azsacr")} } if($UseADFS) { $allCertInfo = @( $adfsCertInfo, $graphCertInfo, $armADFSPublicCertInfo, $armADFSAdminCertInfo, $publicADFSPortalCertInfo, $adminADFSPortalCertInfo, $keyvaultADFSCertInfo, $keyvaultADFSAdminCertInfo, $acsTableADFSCertInfo, $acsQueueADFSCertInfo, $acsBlobADFSCertInfo, $adminHostingADFSCertInfo, $publicHostingADFSCertInfo ) # Validate ACR Certificate only if ACR has been installed on the stamp if($isACRInstalled) { $allCertInfo += $acrADFSCertInfo } } else { $allCertInfo = @( $armPublicCertInfo, $armAdminCertInfo, $publicPortalCertInfo, $adminPortalCertInfo, $keyvaultCertInfo, $keyvaultAdminCertInfo, $acsTableCertInfo, $acsQueueCertInfo, $acsBlobCertInfo, $adminHostingCertInfo, $publicHostingCertInfo ) # Validate ACR Certificate only if ACR has been installed on the stamp if($isACRInstalled) { $allCertInfo += $acrCertInfo } } $allCertResults = @() $allCertResults += $allCertInfo | ForEach-Object { ` Write-Log -Message "Launching Test-Certificate with Path = $($PSITEM.path), ExpectedPrefix = $($PSITEM.RecordPrefix), ExpectedDomainFQDN = $ExpectedDomainFQDN, WarnOnSelfSigned = $WarnOnSelfSigned, RootValidation = $RootValidation" -Type Info -Function $thisfunction $testCertificateParams = @{ CertificatePath = $PSITEM.Path CertificatePassword = $CertificatePassword certConfig = @{DNSName = $PSITEM.RecordPrefix;IncludeTests = 'All';ExcludeTests = 'CNG Key','HTTP CRL';pfxPath = $PSITEM.path} ExpectedDomainFQDN = $ExpectedDomainFQDN WarnOnSelfSigned = $WarnOnSelfSigned RootValidation = $RootValidation } Test-Certificate @testCertificateParams } return $allCertResults } function Test-Certificate { Param ( # Path of folder which contains the cert [Parameter(Mandatory=$true)] [string] $CertificatePath, [Parameter(Mandatory=$true)] [SecureString] $CertificatePassword, [Parameter(Mandatory=$true)] [string] $ExpectedDomainFQDN, [Parameter(Mandatory=$false)] [bool] $WarnOnSelfSigned = $true, [Parameter(Mandatory=$false)] [Alias('SecretRotation')] [ValidateSet('SameRootOnly','AnyTrustedRoot','')] [string] $RootValidation = '', [Parameter(Mandatory=$false)] [Hashtable]$certConfig ) $thisFunction = $MyInvocation.MyCommand.Name $ErrorActionPreference = 'SilentlyContinue' if(-not (Test-Path -Path $CertificatePath)) { # Terminating error for install, need to throw throw ($LocalizedData.IncorrectPath -f $CertificatePath) } $script:pfxFile = Get-ChildItem -Path $CertificatePath -Filter '*.pfx' | ForEach-Object FullName Write-Log -Message "Test PFX Certificate $pfxfile" -Type info -Function $thisFunction if($pfxFile.Count -ne 1) { # Terminating error for install Write-Log -Message ($LocalizedData.MoreThanOneCert -f $CertificatePath) -Type Error -Function $thisFunction } if(-not (Test-Path -Path $pfxFile)) { # Terminating error for install Write-Log ($LocalizedData.MissingCertificate) -Type Error -Function $thisFunction } if ((Get-Command Get-Content).Parameters.AsByteStream) { [byte[]]$pfxBinary = Get-Content -Path $pfxFile -AsByteStream } else { [byte[]]$pfxBinary = Get-Content -Path $pfxFile -Encoding Byte } #$certConfig.pfxPath = $pfxFile $params = @{ CertificateBinary = $pfxBinary CertificatePassword = $CertificatePassword ExpectedDomainFQDN = $ExpectedDomainFQDN WarnOnSelfSigned = $WarnOnSelfSigned RootValidation = $RootValidation certConfig = $certConfig } Test-AzsCertificate @params } function Test-AzsCertificate { Param ( [Parameter(Mandatory=$true)] [ValidateNotNull()] [byte[]] $CertificateBinary, [Parameter(Mandatory=$false)] [ValidateNotNull()] [SecureString] $CertificatePassword, [Parameter(Mandatory=$false)] [string] $ExpectedDomainFQDN, [Parameter(Mandatory=$false)] [bool] $WarnOnSelfSigned = $true, [Parameter(Mandatory=$false)] [Alias('SecretRotation')] [ValidateSet('SameRootOnly','AnyTrustedRoot','')] [string] $RootValidation = '', [Parameter(Mandatory=$false)] [Hashtable]$certConfig ) $thisFunction = $MyInvocation.MyCommand.Name $results = @() $ExpectedPrefix = $certConfig.DnsName # Get Relative Path # Depending on the entry point (deployment, secret rotation, standalone) the path can be in 1 of 2 places if ($pfxFile -or $certConfig.pfxPath) { if ($pfxFile) { $pf = Get-item -Path $pfxFile } else { $pf = Get-item -Path $certConfig.pfxPath } $pathValue = $pf.Directory.Name + '\' + $pf.name Write-Host "Testing: $pathValue" # Check PFX encryption first in case we have difficulty with encryption used and defer printing result until after import attempt for formatting purposes $pfxEncryptCheck = Test-PFXEncryption -pfxfile $pf.fullname -pfxpassword $certificatePassword -certConfig $certConfig $results += $pfxEncryptCheck if ($pfxEncryptCheck.result -eq 'Fail') { Write-Result -in $pfxEncryptCheck Write-Result -in $results.failureDetail throw "Unable to continue until PFX Encryption is TripleDES-SHA1" } } # Begin Checks $ErrorActionPreference = 'Stop' # make sure errors are not suppressed during import. if ($CertificatePassword) { try { $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertificateBinary, $CertificatePassword, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet) $includePFXChecks = $true } catch { # if the exception is bad password and encryption check failed/warned, give additional help about ensuring Triple-DES encryption. if ($_.Exception.ErrorRecord -match 'The specified network password is not correct' -and $pfxEncryptCheck.result -ne 'OK') { Write-Log -Message ($LocalizedData.BadPasswordAndUnknownEncryption -f $_.Exception.Message.Replace("`r`n","")) -Type Error -Function $thisFunction throw ($LocalizedData.BadPasswordAndUnknownEncryption -f $_.Exception.Message.Replace("`r`n","")) } elseif ($_.Exception.ErrorRecord -match 'Cannot find the requested object') { Write-Log -Message ($LocalizedData.ErrorOnX509Import) -Type Error -Function $thisFunction throw $LocalizedData.ErrorOnX509Import } else { Write-Log -Message ("Importing Certificate failed with message: {0}" -f $_.Exception.Message.Replace("`r`n","")) -Type Error -Function $thisFunction throw ("Importing Certificate failed with message: {0}" -f $_.Exception.Message.Replace("`r`n","")) } } } else { $cert.Import($CertificateBinary) $includePFXChecks = $false } Write-Host ("Thumbprint: {0}" -f ($cert | Get-ThumbprintMask)) # if PFXEncryption Check exists write the result to screen. if ($pfxEncryptCheck) { Write-Result -in $pfxEncryptCheck } $ErrorActionPreference = 'SilentlyContinue' #Setting erroraction to continue so tests can complete and user gets full break down of all issues. $expiryCheck = Test-CertificateExpiry -cert $cert -certConfig $certConfig Write-Result -in $expiryCheck $results += $expiryCheck $signatureAlgorithmCheck = Test-SignatureAlgorithm -x509 $cert -certConfig $certConfig Write-Result -in $signatureAlgorithmCheck $results += $signatureAlgorithmCheck $dnsNamesCheck = Test-DnsNames -cert $cert -ExpectedDomainFQDN $ExpectedDomainFQDN -certConfig $certConfig Write-Result -in $dnsNamesCheck $results += $dnsNamesCheck $keyUsageCheck = Test-KeyUsage -cert $cert -certConfig $certConfig Write-Result -in $keyUsageCheck $results += $keyUsageCheck $keySizeCheck = Test-KeySize -cert $cert -certConfig $certConfig Write-Result -in $keySizeCheck $results += $keySizeCheck $httpCDPCheck = Test-HttpCdp -cert $cert -certConfig $certConfig Write-Result -in $httpCDPCheck $results += $httpCDPCheck if ($includePFXChecks) { $pfxParseResult = Test-Pfx -certificateBinary $CertificateBinary -certificatePassword $certificatePassword if ($pfxParseResult.Result -eq 'Fail') { Write-Log -Message ("Unable to Parse PFX. Ensure PFX is correctly formatted. Error: {0}" -f ($pfxParseResult.failureDetail -join ';')) -Type Error -Function $thisFunction throw ("Unable to Parse PFX. Ensure PFX is correctly formatted. Error: {0}" -f ($pfxParseResult.failureDetail -join ';')) } $pfxData = $pfxParseResult.outputObject $pfxParseResult.outputObject = "" # clear the output object Write-Result -in $pfxParseResult $results += $pfxParseResult $privateKeyCheck = Test-PrivateKey -cert $cert -certConfig $certConfig Write-Result -in $privateKeyCheck $results += $privateKeyCheck $selfSignedCheck = Test-CertificateChain -pfxData $pfxData -certConfig $certConfig Write-Result -in $selfSignedCheck $results += $selfSignedCheck $chainOrderCheck = Test-CertificateChainOrder -pfxData $pfxData -certConfig $certConfig Write-Result -in $chainOrderCheck $results += $chainOrderCheck # Only run check for other certificates if cert chain is good and dnsnames are good to avoid noise. if ($selfSignedCheck.result -eq 'OK' -AND $dnsNamesCheck.result -eq 'OK') { $otherCertificateCheck = Test-OtherCertificates -pfxData $pfxData -ExpectedPrefix $ExpectedPrefix -ExpectedDomainFQDN $ExpectedDomainFQDN -certConfig $certConfig } Else { $hash = @{'Test' = 'Other Certificates'; 'Result' = 'Skipped'; 'FailureDetail' = $LocalizedData.TestOtherCertificatesSkipped; 'outputObject' = $null} $otherCertificateCheck = New-Object PSObject -Property $hash } Write-Result -in $otherCertificateCheck $results += $otherCertificateCheck if (-not $standalone -AND $RootValidation -ne '') { if ($RootValidation -eq 'SameRootOnly') { $rootCheck = Test-CertificateRoot -pfx $pfxData -certConfig $certConfig Write-Result -in $rootCheck $results += $rootCheck } else { #Check trust without using pfx as extra store $chainTest = Test-TrustedChain -cert $cert -retryCount 3 -intervalSeconds 5 -certConfig $certConfig if ($chainTest.Result -eq 'Fail') { #create certificate collection object $collection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection $pfxdata.EndEntityCertificates + $pfxData.OtherCertificates | ForEach-Object {$collection.add($_) | Out-Null} #create new chain $chain = New-Object Security.Cryptography.X509Certificates.X509Chain $chain.ChainPolicy.ExtraStore.AddRange($collection) #Check trust with pfx as extra store $chainTest = Test-TrustedChain -chain $chain -cert $cert -retryCount 3 -intervalSeconds 5 } else { Write-Log -Message ("Chain trust passed with {0} - {1}. No further action." -f $chainTest.Result,($chainTest.Chain.ChainStatus.Status -join ',')) -Type Info -Function $thisFunction } Write-Result -in $chainTest $results += $chainTest } } } # add relative path, thumbprint, certificateID $results | add-member -NotePropertyName CertificateId -NotePropertyValue ([guid]::NewGuid().ToString()) $results | add-member -NotePropertyName Path -NotePropertyValue $pathValue $results | add-member -NotePropertyName Thumbprint -NotePropertyValue $($cert | Get-ThumbprintMask) if ($results.result -match "Fail|Warning") { Write-Result -in $results.failureDetail } return $results } function Test-Pfx { param ([byte[]]$certificateBinary, [securestring]$certificatePassword) $thisFunction = $MyInvocation.MyCommand.Name $test = 'Parse PFX' Write-Log -Message "Parse PFX binary with password" -Type Info -Function $thisFunction $parseResult = Open-PfxData -certificateBinary $certificateBinary -certificatePassword $certificatePassword if ($parseResult.Success) { $tmpParseResult = Open-PfxData -certificateBinary $certificateBinary if ($tmpParseResult.Success) { $result = 'Warning' $failureDetail = ($LocalizedData.UnprotectedPublicCertInfo) Write-Log -Message $LocalizedData.UnprotectedPublicCertInfo -Type Warning -Function $thisFunction } else { $result = 'OK' if ($tmpParseResult.ErrorCode -eq 86) { Write-Log -Message "Parsing PFX binary privacy success" -Type Info -Function $thisFunction } else { Write-Log -Message ("Parsing PFX binary without password with error code 0x{0:x}" -f $($tmpParseResult.ErrorCode)) -Type Warn -Function $thisFunction } } } else { $result = 'Fail' if ($parseResult.ErrorCode -in @(0x80092002, 0x0D)) { $failureDetail = "Pfx data is Invalid" # Terminating error for install Write-Log -Message "Pfx data is Invalid" -Type Error -Function $thisFunction } elseif ($parseResult.ErrorCode -eq 86) { $failureDetail = "Pfx password is Invalid" # Terminating error for install Write-Log -Message $failureDetail -Type Error -Function $thisFunction } else { # Terminating error for install $errorMessage = "Parsing PFX binary with error code 0x{0:x}" -f $($parseResult.ErrorCode) $failureDetail = $errorMessage Write-Log -Message $errorMessage -Type Error -Function $thisFunction } } $hash = @{'Test' = $test; 'Result' = $result; 'FailureDetail' = $failureDetail; 'outputObject' = $parseResult} $object = New-Object PSObject -Property $hash $object } function Test-SignatureAlgorithm { param ([System.Security.Cryptography.X509Certificates.X509Certificate2]$x509,[Hashtable]$certConfig) # Name for log and name for test $thisFunction = $MyInvocation.MyCommand.Name $test = 'Signature Algorithm' # config to run test by if ($certConfig.HashAlgorithm -eq 'default' -or $null -eq $certConfig.HashAlgorithm) { $blockedAlgorithms = 'SHA1RSA' } else { $blockedAlgorithms = $certConfig.HashAlgorithm Write-Log -Message ('Using user-defined Signature Algorithms {0} for test.' -f ($blockedAlgorithms -join ',')) -Type Info -Function $thisFunction } # run test if applicable if (!$certConfig -or (($certConfig.IncludeTests -eq 'All' -or $test -in $certConfig.IncludeTests) -and $test -notin $certConfig.ExcludeTests)) { Write-Log -Message ('Checking Signature Algorithm is not {0}' -f ($blockedAlgorithms -join ',')) -Type Info -Function $thisFunction $signatureAlgorithm = $x509.SignatureAlgorithm.FriendlyName Write-Log -Message ('Signature Algorithm is {0}' -f $signatureAlgorithm) -Type Info -Function $thisFunction if ($signatureAlgorithm -in $blockedAlgorithms) { $result = 'Fail' $failureDetail = ($LocalizedData.SignatureAlgorithmInvalid -f $signatureAlgorithm, ($blockedAlgorithms -join ',')) Write-Log -Message $failureDetail -Type Warn -Function $thisFunction } else { $result = 'OK' Write-Log -Message ('Signature Algorithm is not {0}' -f ($blockedAlgorithms -join ',')) -Type Info -Function $thisFunction } } else { $result = 'SkippedByConfig' $failureDetail = ($LocalizedData.SkippedByConfig -f $test) Write-Log -Message $failureDetail -Type Info -Function $thisFunction } # return output $hash = @{'Test' = $test; 'Result' = $result; 'FailureDetail' = $failureDetail; 'outputObject' = $null} $object = New-Object PSObject -Property $hash $object } function Test-PrivateKey { param ([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert,[Hashtable]$certConfig) $thisFunction = $MyInvocation.MyCommand.Name $test = 'Private Key' if (!$certConfig -or (($certConfig.IncludeTests -eq 'All' -or $test -in $certConfig.IncludeTests) -and $test -notin $certConfig.ExcludeTests)) { $privateKeyFailed = @() $failureDetail = @() try { Write-Log -Message 'Checking Private Key exists' -Type Info -Function $thisFunction if(-not $cert.HasPrivateKey) { $privateKeyFailed += $true $failureDetail += ($LocalizedData.NoPrivateKey) Write-Log -Message ($LocalizedData.NoPrivateKey) -Type Warn -Function $thisFunction } Else { # Check if certificate has been exported from user store. Write-Log -Message 'Private Key Exists, checking Local Machine Key Attribute' -Type Info -Function $thisFunction $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert) Write-Log -Message ('Private Key Provider: {0}' -f $key.Key.Provider) -Type Info -Function $thisFunction if(-not $key.Key.IsMachineKey) { $privateKeyFailed += $true $failureDetail += ($LocalizedData.NotMachineKeyStore) Write-Log -Message ($LocalizedData.NotMachineKeyStore) -Type Warn -Function $thisFunction } else { $privateKeyFailed += $false Write-Log -Message 'Private Key Exists and Local Machine Key Attribute exists' -Type Info -Function $thisFunction } if('CNG key' -notin $certConfig.ExcludeTests) { Write-Log -Message 'Checking PaaS for CNG key...' -Type Info -Function $thisFunction if($key.Key.Provider -eq 'Microsoft Software Key Storage Provider') { $privateKeyFailed += $true $failureDetail += "CNG Certificate detected, support for this certificate type may not currently be available. Please use https://docs.microsoft.com/en-us/azure/azure-stack/azure-stack-get-pki-certs to generate the certificates." Write-Log -Message 'Microsoft Software Key Storage Provider cannot be used for this certificate.' -Type Warn -Function $thisFunction } } } } catch { $privateKeyFailed += $true $failureDetail += $_.exception.message Write-Log -Message $failureDetail -Type Warn -Function $thisFunction } if ($privateKeyFailed -notcontains $true) { $result = 'OK' } else { $result = 'Fail' } } else { $result = 'SkippedByConfig' $failureDetail = ($LocalizedData.SkippedByConfig -f $test) Write-Log -Message $failureDetail -Type Info -Function $thisFunction } $hash = @{'Test' = $test; 'Result' = $result; 'FailureDetail' = $failureDetail; 'outputObject' = $null} $object = New-Object PSObject -Property $hash $object } function Test-CertificateChain { param ([Hashtable]$pfxData,[Hashtable]$certConfig) $thisFunction = $MyInvocation.MyCommand.Name $test = 'Cert Chain' if (!$certConfig -or (($certConfig.IncludeTests -eq 'All' -or $test -in $certConfig.IncludeTests) -and $test -notin $certConfig.ExcludeTests)) { Write-Log -Message 'Checking Certificate chain' -Type Info -Function $thisFunction # Check for chain of trust. Not validating signature algorithm on root or intermediates $otherCertificates = $pfxData.OtherCertificates $cert = $pfxData.EndEntityCertificates if(-not $otherCertificates) { Write-Log -Message 'No other certificates found in pfx' -Type Info -Function $thisFunction if($cert.Issuer -eq $cert.Subject) { $failureDetail = ($LocalizedData.SelfSignedCertificate -f $cert.Subject) Write-Log -Message $failureDetail -Type Warn -Function $thisFunction $result = 'Fail' } else { $result = 'Fail' $failureDetail = ($LocalizedData.NoChainOfTrust) Write-Log -Message $failureDetail -Type Warn -Function $thisFunction } } else { if ($cert.Issuer -in $otherCertificates.subject) { $result = 'OK' Write-Log -Message ('The issuer certificate from {0} is included in the PFX' -f $cert.Issuer) -Type Info -Function $thisFunction } Else { $result = 'Fail' $failureDetail = ($LocalizedData.NoChainOfTrust) Write-Log -Message $failureDetail -Type Warn -Function $thisFunction } } } else { $result = 'SkippedByConfig' $failureDetail = ($LocalizedData.SkippedByConfig -f $test) Write-Log -Message $failureDetail -Type Info -Function $thisFunction } $hash = @{'Test' = $test; 'Result' = $result; 'FailureDetail' = $failureDetail; 'outputObject' = $null} $object = New-Object PSObject -Property $hash $object } function Test-DNSNames { param ([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert,$ExpectedDomainFQDN,[Hashtable]$certConfig) $thisFunction = $MyInvocation.MyCommand.Name $test = 'DNS Names' if (!$certConfig -or (($certConfig.IncludeTests -eq 'All' -or $test -in $certConfig.IncludeTests) -and $test -notin $certConfig.ExcludeTests)) { # Get the records between cn="<records>" $records = @() $records = $cert.DnsNameList.Unicode $recordsString = $records -join ', ' Write-Log -Message ('DNS Names on certificate: {0}' -f $recordsString) -Type Info -Function $thisFunction $dnsNameFailed = @() foreach($prefix in $certConfig.DnsName) { # make prefix and fqdn array and join by '.' because if one doesn't exist it will not leave periods. if ($ExpectedDomainFQDN) { $fullExpectedRecord = ($prefix,$ExpectedDomainFQDN) -join '.' } else { $fullExpectedRecord = $prefix } Write-Log -Message ('Testing for full expected record: {0}' -f $fullExpectedRecord) -Type Info -Function $thisFunction if($records -eq $fullExpectedRecord) { $dnsNameFailed += $false Write-Log -Message ('Records: {0} match: {1}' -f $recordsString,($fullExpectedRecord -join ', ')) -Type Info -Function $thisFunction continue } elseif ($records -eq "*." + $fullExpectedRecord.split('.',2)[1]) { $dnsNameFailed += $false Write-Log -Message ('Records: {0} match wildcard: {1}' -f $recordsString,("\*." + $fullExpectedRecord.split('.',2)[1])) -Type Info -Function $thisFunction } else { $failureDetail += ($LocalizedData.MissingRecord -f @($recordsString, $fullExpectedRecord)) Write-Log -Message $failureDetail -Type Warn -Function $thisFunction $dnsNameFailed += $true } if ($prefix -eq 'adfs') { Write-Log -Message ('Testing ADFS certificate subject {0} for ADFS compatability' -f $cert.subject) -Type Info -Function $thisFunction if ($cert.SubjectName -notlike '*.*') { $dnsNameFailed += $true $failureDetail += ($LocalizedData.DotlessADFSSubject -f $cert.Subject,$fullExpectedRecord) Write-Log -Message ($LocalizedData.DotlessADFSSubject -f $cert.Subject,$fullExpectedRecord) -Type Warn -Function $thisFunction } else { Write-Log -Message ('ADFS certificate subject {0} compatible for ADFS' -f $cert.subject) -Type Info -Function $thisFunction } } } if ($dnsNameFailed -notcontains $true) { $result = 'OK' } else { $result = 'Fail' $failureDetail += ($LocalizedData.CheckDocumentation) } } else { $result = 'SkippedByConfig' $failureDetail = ($LocalizedData.SkippedByConfig -f $test) Write-Log -Message $failureDetail -Type Info -Function $thisFunction } $hash = @{'Test' = $test; 'Result' = $result; 'FailureDetail' = $failureDetail; 'outputObject' = $null} $object = New-Object PSObject -Property $hash $object } function Test-KeyUsage { param ([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert,[hashtable]$certConfig) $thisFunction = $MyInvocation.MyCommand.Name $test = 'Key Usage' if (!$certConfig -or (($certConfig.IncludeTests -eq 'All' -or $test -in $certConfig.IncludeTests) -and $test -notin $certConfig.ExcludeTests)) { # Validating KeyUsage should have Digital Signature, and Key Encipherment. # EnhancedKeyUsage should have Server Authentication and Client Authentication # Data Encipherment no longer required if ($certConfig.KeyUsage -eq 'default' -or $null -eq $certConfig.KeyUsage) { Write-Log -Message ('Testing for default Key Usage') -Type Info -Function $thisFunction $keyUsageArray = $certificateDefaults.KeyUsage.Keys } else { [array]$keyUsageArray = $certConfig.KeyUsage } if ($certConfig.EnhancedKeyUsage -eq 'default' -or $null -eq $certConfig.EnhancedKeyUsage) { Write-Log -Message ('Testing for default Enhanced Key Usage') -Type Info -Function $thisFunction $enhancedKeyUsageArray = $certificateDefaults.EnhancedKeyUsage.Keys | Foreach-Object { $certificateDefaults.EnhancedKeyUsage[$PSITEM].Oid } } else { Write-Log -Message ('Testing for custom Enhanced Key Usage') -Type Info -Function $thisFunction $certConfig.EnhancedKeyUsage = $certConfig.EnhancedKeyUsage | Foreach-Object { ConvertTo-Oid $PSITEM } [array]$enhancedKeyUsageArray = $certConfig.EnhancedKeyUsage | Foreach-Object { $PSITEM.Value } } # Create emtpy arrays for result handling. $keyUsageFailed = @() $failureDetail = @() $keyUsage = $cert.Extensions.KeyUsages $enhancedKeyUsage = $cert.EnhancedKeyUsageList.ObjectId # Check KeyUsage Write-Log -Message ('Testing for expected Key Usage {0}' -f ($keyUsageArray -join ',')) -Type Info -Function $thisFunction Write-Log -Message ('Certificate key usage is {0}' -f ($keyUsage -join ',')) -Type Info -Function $thisFunction foreach ($requiredKeyUsage in $keyUsageArray) { if ($keyUsage -notmatch $requiredKeyUsage) { $keyUsageFailed += $true $failureDetail += ($LocalizedData.IncorrectKeyUsage -f $keyUsage,($requiredKeyUsage -join ',')) Write-Log -Message $failureDetail -Type Warn -Function $thisFunction } else { $keyUsageFailed += $false } } # Check Enhanced KeyUsage Write-Log -Message ('Testing for expected Enhanced Key Usage {0}' -f (($certConfig.EnhancedKeyUsage | Foreach-Object { "{0} ({1})" -f $PSITEM.FriendlyName,$PSITEM.Value }) -join ',')) -Type Info -Function $thisFunction Write-Log -Message ('Certificate Enhanced key usage is {0}' -f ($enhancedKeyUsage -join ',')) -Type Info -Function $thisFunction foreach ($requiredEku in $enhancedKeyUsageArray) { if ($enhancedKeyUsage -notcontains $requiredEku) { $keyUsageFailed += $true if ($enhancedKeyUsage) { $CertFriendlyNames = $cert.EnhancedKeyUsageList.FriendlyName | Foreach-Object {if (!$PSITEM) { 'Custom Oid' }else { $PSITEM }} $RequiredUsageStrings = $certConfig.EnhancedKeyUsage | Foreach-Object { "{0} ({1})" -f $PSITEM.FriendlyName,$PSITEM.Value } $failureDetail += ($LocalizedData.IncorrectEnhancedKeyUsage -f ($CertFriendlyNames -join ','),($RequiredUsageStrings -join ',')) Write-Log -Message $failureDetail -Type Warn -Function $thisFunction } else { $failureDetail += ($LocalizedData.IncorrectEnhancedKeyUsage -f '[Missing]',($enhancedKeyUsageArray -join ',')) Write-Log -Message $failureDetail -Type Warn -Function $thisFunction } } else { $keyUsageFailed += $false } } # Check overall results if ($keyUsageFailed -notcontains $true) { $result = 'OK' Write-Log -Message 'Certificate key usage succeeded' -Type Info -Function $thisFunction } else { $result = 'Fail' Write-Log -Message 'Certificate key usage failed' -Type Warn -Function $thisFunction } } else { $result = 'SkippedByConfig' $failureDetail = ($LocalizedData.SkippedByConfig -f $test) Write-Log -Message $failureDetail -Type Info -Function $thisFunction } $hash = @{'Test' = $test; 'Result' = $result; 'FailureDetail' = ($failureDetail | Sort-Object | Get-Unique); 'outputObject' = $null} $object = New-Object PSObject -Property $hash $object } function Test-CertificateChainOrder { param ([Hashtable]$pfxData,[Hashtable]$certConfig) $thisFunction = $MyInvocation.MyCommand.Name $test = 'Chain Order' if (!$certConfig -or (($certConfig.IncludeTests -eq 'All' -or $test -in $certConfig.IncludeTests) -and $test -notin $certConfig.ExcludeTests)) { Write-Log -Message 'Checking Certificate Chain Order' -Type Info -Function $thisFunction # Validating cert chain order $otherCertificates = $pfxData.OtherCertificates if ($otherCertificates[-1].Issuer -ne $otherCertificates[-1].Subject) { $result = 'Fail' $failureDetail = ($LocalizedData.IncorrectCertChainOrder) Write-Log -Message $failureDetail -Type Warn -Function $thisFunction } Else { $result = 'OK' Write-Log -Message 'Certificate Chain Order succeeded' -Type Info -Function $thisFunction } } else { $result = 'SkippedByConfig' $failureDetail = ($LocalizedData.SkippedByConfig -f $test) Write-Log -Message $failureDetail -Type Info -Function $thisFunction } $hash = @{'Test' = $test; 'Result' = $result; 'FailureDetail' = $failureDetail; 'outputObject' = $null} $object = New-Object PSObject -Property $hash $object } Function Test-OtherCertificates { param ([Hashtable]$pfxData,[string]$ExpectedDomainFQDN,[Hashtable]$certConfig) $test = 'Other Certificates' $thisFunction = $MyInvocation.MyCommand.Name if (!$certConfig -or (($certConfig.IncludeTests -eq 'All' -or $test -in $certConfig.IncludeTests) -and $test -notin $certConfig.ExcludeTests)) { Write-Log -Message "Checking Pfx file for additional certificates" -Type Info -Function $thisFunction $otherCertificates = $pfxData.OtherCertificates $cert = $pfxData.EndEntityCertificates $allcerts = $otherCertificates + @($cert) $otherCertificatesFailed = @() foreach ($prefix in $certConfig.DNSName) { # Apply literal to any wildcard on the expect DNSName. # make prefix and fqdn array and join by '.' because if one doesn't exist it will not leave periods. if ($ExpectedDomainFQDN) { $expectedDNSName = (($prefix,$ExpectedDomainFQDN) -join '.') -replace "\*", "\*" } else { $expectedDNSName = $prefix -replace "\*", "\*" } Write-Log -Message "Checking Pfx file for additional certificate with context of DNS Name: $prefix.$ExpectedDomainFQDN" -Type Info -Function $thisFunction # Find expected certificate according to DNSName literally or by matching wildcard. $targetCert = $allcerts | Where-Object {$_.dnsnamelist.unicode -match $expectedDNSName -OR $_.dnsnamelist.unicode -match "\*." + $expectedDNSName.split('.',2)[1]} # Remove all certs that are the target cert or an issuer of any certificate in the array. $unexpectedCerts = $allcerts | Where-Object {$_.Subject -notin $allcerts.Issuer -AND $_.thumbprint -ne $targetCert.Thumbprint} # Find expected certs for logging. $validCerts = $allcerts | Where-Object {$_.thumbprint -notin $unexpectedCerts.thumbprint} if ($unexpectedCerts) { $otherCertificatesFailed += $true $failureDetail += ($LocalizedData.UnwantedCertificatesInPfx -f ($unexpectedCerts | Get-ThumbprintMask),($validCerts | Get-ThumbprintMask)) Write-Log -Message $failureDetail -Type Warning -Function $thisFunction } Else { $otherCertificatesFailed += $false } } if ($otherCertificatesFailed -notcontains $true) { $result = 'OK' Write-Log -Message ('No additional certificates were detected. Validcert thumbprints {0}' -f ($validCerts | Get-ThumbprintMask)) -Type Info -Function $thisFunction } else { $result = 'Fail' } } else { $result = 'SkippedByConfig' $failureDetail = ($LocalizedData.SkippedByConfig -f $test) Write-Log -Message $failureDetail -Type Info -Function $thisFunction } $hash = @{'Test' = $test; 'Result' = $result; 'FailureDetail' = $failureDetail; 'outputObject' = $null} $object = New-Object PSObject -Property $hash $object } function Test-KeySize { param ([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert,[Hashtable]$certConfig) $test = 'Key Length' $thisFunction = $MyInvocation.MyCommand.Name if ($certConfig.KeyLength -eq 'default' -or $null -eq $certConfig.KeyLength) { $keySizeLowerLimit = 2048 } else { [int]$keySizeLowerLimit = $certConfig.KeyLength } if (!$certConfig -or (($certConfig.IncludeTests -eq 'All' -or $test -in $certConfig.IncludeTests) -and $test -notin $certConfig.ExcludeTests)) { #get the key length of the public key. $keySize = $cert.publickey.key.KeySize Write-Log -Message ("Checking Certificate for Key Length {0}" -f $keySizeLowerLimit) -Type Info -Function $thisFunction Write-Log -Message ("Certificate Key Length {0}" -f $keySize) -Type Info -Function $thisFunction if ($keySize -lt $keySizeLowerLimit) { $result = 'Fail' $failureDetail = ($LocalizedData.WrongKeySize -f $keySize,$keySizeLowerLimit) Write-Log -Message $failureDetail -Type Warn -Function $thisFunction } else { $result = 'OK' Write-Log -Message 'Certificate Key Length succeeded' -Type Info -Function $thisFunction } } else { $result = 'SkippedByConfig' $failureDetail = ($LocalizedData.SkippedByConfig -f $test) Write-Log -Message $failureDetail -Type Info -Function $thisFunction } $hash = @{'Test' = $test; 'Result' = $result; 'FailureDetail' = $failureDetail; 'outputObject' = $null} $object = New-Object PSObject -Property $hash $object } function Test-PFXEncryption { # mandatory check param ($pfxFile, [ValidateNotNullOrEmpty()][SecureString]$pfxpassword,[Hashtable]$certConfig) $test = 'PFX Encryption' $thisFunction = $MyInvocation.MyCommand.Name if (!$certConfig -or (($certConfig.IncludeTests -eq 'All' -or $test -in $certConfig.IncludeTests) -and $test -notin $certConfig.ExcludeTests)) { Write-Log -Message ("Checking PFX Encryption is tripleDES-SHA1.") -Type Info -Function $thisFunction $networkCredential = New-Object System.Net.NetworkCredential -ArgumentList @("", $pfxpassword) $plainCertPassword = $networkCredential.Password try { $cmd = "-p {0} -dumpPFX `"{1}`"" -f $plainCertPassword,$pfxfile $certutilOutputPath = "$ENV:TEMP\AzsRCCertUtil.log" $null = Start-Process -FilePath certutil.exe ` -ArgumentList $cmd ` -WindowStyle Hidden ` -PassThru ` -Wait ` -RedirectStandardOutput $certutilOutputPath $certutilOutput = Get-Content -path $certutilOutputPath $TripleDESMatch = $certutilOutput | Select-String -SimpleMatch "1.2.840.113549.1.12.1.3" if ($TripleDESMatch) { Write-Log -Message ('PFX {0} Encryption is tripleDES-SHA1. CertUtil output {1}' -f $pfxFile,($TripleDESMatch -join ' ::Match:: ')) -Type Info -Function $thisFunction $result = 'OK' } else { if ($certutilOutput -match 'CertUtil: Unknown arg: -dumppfx') { $failureDetail = $LocalizedData.DumpPfxParamFail $result = 'Skipped' } else { $failureDetail = $LocalizedData.IncorrectPFXEncryption -f (($certutilOutput | Select-String -SimpleMatch "1.2.840.113549") -join "` r`n::Match:: ") $result = 'Warning' } Write-Log -Message $failureDetail -Type Warn -Function $thisFunction } } catch { Write-Log -Message ('Unable to determine PFX encryption. Run CertUtil -dumppfx <filename> to check encryption. Checking PFX encryption failed with exception: {0}`n OID dump: {1}' -f $_.exception,(($certutilOutput | Select-String -SimpleMatch "1.2.840.113549") -join "` r`n::Match:: ")) -Type Warn -Function $thisFunction $failureDetail = $LocalizedData.IncorrectPFXEncryption $result = 'Fail' } finally { Remove-item $certutilOutputPath -Force Clear-Variable -Name pfxFile } } else { $result = 'SkippedByConfig' $failureDetail = ($LocalizedData.SkippedByConfig -f $test) Write-Log -Message $failureDetail -Type Info -Function $thisFunction } $hash = @{'Test' = $test; 'Result' = $result; 'FailureDetail' = $failureDetail; 'outputObject' = $null} $object = New-Object PSObject -Property $hash $object } function Get-CDP { param ([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert) $crlext = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'CRL Distribution Points' } $crldata = $crlext.RawData for ($i = 0 ; $i -lt $crldata.Count ; $i++) { if ($crldata[$i] -eq 0x86) { if ($crldata[$i + 1] -band 0x80) { #long length $start = $i + 3 $end = $crldata[$i + 2] + $start - 1 } else { #short length $start = $i + 2 $end = $crldata[$i + 1] + $start - 1 } [System.Text.Encoding]::ASCII.GetString($crldata[$start..$end]) } } } function Test-HttpCdp { # fail if CDP HTTP is not present # fail if CDP HTTP is not contactable param ([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert,[Hashtable]$certConfig) $thisFunction = $MyInvocation.MyCommand.Name $test = 'HTTP CRL' if (!$certConfig -or (($certConfig.IncludeTests -eq 'All' -or $test -in $certConfig.IncludeTests) -and $test -notin $certConfig.ExcludeTests)) { $cdps = Get-CDP -cert $cert $httpCdp = $cdps | Where-Object {$_ -like 'http://*'} Write-Log -Message 'Checking Http CDP EndPoint' -Type Info -Function $thisFunction $failureDetail = @() if ($httpCdp) { $cdpSuccess = $false foreach ($uri in $httpCdp) { try { $responseStatusCode = (Invoke-WebRequest -Uri $uri -UseBasicParsing).StatusCode if ($responseStatusCode -eq 200) { Write-Log -Message ('Checking {0}. Success.' -f $uri) -Type Info -Function $thisFunction $cdpSuccess = $true break } else { throw "URI: $uri. StatusCode: $responseStatusCode" } } catch { $failureDetail += $LocalizedData.HttpCdpFail -f $uri,$_.Exception.Message } } if ($cdpSuccess) { $result = 'OK' # if result is good, remove any failuredetails as they would have been written to the log $failureDetail = $null } else { $result = 'Fail' Write-Log -Message ($failureDetail -join '. ') -Type Error -Function $thisFunction } } Else { $result = 'Skipped' $failureDetail = ($LocalizedData.NoHttpCdp) Write-Log -Message $failureDetail -Type Warn -Function $thisFunction } } else { $result = 'SkippedByConfig' $failureDetail = ($LocalizedData.SkippedByConfig -f $test) Write-Log -Message $failureDetail -Type Info -Function $thisFunction } $hash = @{'Test' = $test; 'Result' = $result; 'FailureDetail' = $failureDetail; 'outputObject' = $null} $object = New-Object PSObject -Property $hash $object } function Import-AzsCertificate { param ($pfxPath, [securestring]$pfxPassword, [string]$CertStoreLocation = 'cert:\localmachine\trust') $thisFunction = $MyInvocation.MyCommand.Name try { Write-Log -Message ('Importing PFX certificate from {0} to {1}' -f $pfxPath,$CertStoreLocation) -Type Info -Function $thisFunction $certificate = Import-PfxCertificate -Exportable -CertStoreLocation $CertStoreLocation -Password $pfxPassword -FilePath $pfxPath Write-Log -Message 'Import complete' -Type Info -Function $thisFunction } catch { Write-Log -Message ('Import failed: {0}' -f $_.exception) -Type Error -Function $thisFunction } $certificate } function Export-AzsCertificate { param ($filePath, $certPath, [securestring]$pfxPassword) $thisFunction = $MyInvocation.MyCommand.Name try { Write-Log -Message ('Exporting PFX certificate from {0} to {1}' -f $certPath,$filePath) -Type Info -Function $thisFunction $null = Export-PfxCertificate -FilePath $filePath -ChainOption BuildChain -Cert $certPath -Password $pfxPassword -NoProperties -Force -CryptoAlgorithmOption TripleDES_SHA1 Write-Log -Message 'Export complete' -Type Info -Function $thisFunction } catch { if ($_.CategoryInfo.Reason -eq 'ParameterBindingException' -AND $_.Exception.ErrorId -eq 'NamedParameterNotFound' -AND $_.Exception.ParameterName -eq 'CryptoAlgorithmOption') { Write-Log -Message 'Unable to force Crypto Algorithm to TripleDES_SHA1. Retrying with default value.' -Type Warn -Function $thisFunction $null = Export-PfxCertificate -FilePath $filePath -ChainOption BuildChain -Cert $certPath -Password $pfxPassword -NoProperties -Force Write-Log -Message 'Export complete' -Type Info -Function $thisFunction } else { Write-Log -Message ('Export failed: {0}' -f $_.exception) -Type Error -Function $thisFunction } } } function Write-Result { param([psobject]$in) if ($in.test) { Write-Host ("`t{0}: " -f $($in.Test)) -noNewLine if ($in.Result -eq 'OK') { Write-Host 'OK' -foregroundcolor Green } elseif ($in.Result -eq 'WARNING') { Write-Host 'Warning' -foregroundcolor Yellow } elseif ($in.Result -eq 'Skipped') { Write-Host 'Skipped' -foregroundcolor White } elseif ($in.Result -eq 'SkippedByConfig') { Write-Host 'SkippedByConfig' -foregroundcolor DarkGray } else { Write-Host 'Fail' -foregroundcolor Red } } else { Write-Host "`Details:" $in | ForEach-Object {if($_){Write-Host "[-] $_" -foregroundcolor Yellow}} Write-Host ("Additional help URL {0}" -f "https://aka.ms/AzsRemediateCerts") } } function Write-Log { param([string]$Message, [string]$Type = 'verbose', [string]$Function ) # if InstallAzureStackCommon is loaded and ScriptLog global variable exists, # we are in install and will push to install log, otherwise, do a standalone log $pii = $($ENV:USERDNSDOMAIN),$($ENV:COMPUTERNAME),$($ENV:USERNAME),$($ENV:USERDOMAIN) | Foreach-Object { if ($null -ne $PSITEM) { $PSITEM } } $redact = $pii -join '|' $message = [regex]::replace($Message,$redact,"[*redacted*]") if ((-not $standalone) -AND (Get-Module InstallAzureStackCommon) -AND (Get-Variable -Name ScriptLog -Scope Global -ea SilentlyContinue)) { if ($type -match 'verbose|info') { Write-VerboseLog $message } elseif ($type -eq 'warn') { Write-WarningLog $message } elseif ($type -eq 'error') { Write-TerminatingErrorLog $message } } Else { $outfile = "$PSScriptRoot\CertChecker.log" $entry = "[{0}] [{1}] [{2}] {3}" -f ([datetime]::now).tostring(), $type, $function, $Message $entry | Out-File -FilePath $outfile -Append -Force } } function Get-ThumbprintMask { [cmdletbinding()] [OutputType([string])] Param ([Parameter(ValueFromPipelinebyPropertyName=$True)]$thumbprint) Begin { $thumbprintMasks = @() } Process { $thumbprintMasks += foreach ($thumb in $thumbprint) { try { if (($thumb.length - 12) -gt 0) { $firstSix = $thumb.Substring(0,6) $lastSix = $thumb.Substring(($thumb.length - 6),6) $middleN = '*' * ($thumb.length - 12) $thumbprintMask = '{0}{1}{2}' -f $firstSix,$middleN, $lastSix } else { throw ("Error applying thumbprint mask from thumbprint starting with {0} and length of {1}" -f $thumbprint.Substring(0,10),$thumbprint.Length) } } catch { $_.exception } $thumbprintMask } } End { $thumbprintMasks -join ',' } } function Open-PfxData { param ([byte[]]$certificateBinary, [securestring]$certificatePassword) $thisFunction = $MyInvocation.MyCommand.Name $Source = @' using System; using System.Runtime.InteropServices; namespace AzureStack.PartnerToolkit { [StructLayout(LayoutKind.Sequential)] public struct CRYPT_DATA_BLOB { public int cbData; public IntPtr pbData; } public class Crypto { [DllImport("Crypt32.dll", SetLastError = true)] public static extern IntPtr PFXImportCertStore( ref CRYPT_DATA_BLOB pPfx, [MarshalAs(UnmanagedType.LPWStr)] String szPassword, uint dwFlags); [DllImport("Crypt32.DLL", SetLastError = true)] public static extern IntPtr CertEnumCertificatesInStore( IntPtr storeProvider, IntPtr prevCertContext ); [DllImport("Crypt32.dll", SetLastError = true)] public static extern Boolean CertCloseStore( IntPtr hCertStore, Int32 dwFlags ); [DllImport("CRYPT32.DLL", EntryPoint = "CertGetCertificateContextProperty", CharSet = CharSet.Unicode, SetLastError = true)] [return: MarshalAs(UnmanagedType.Bool)] public static extern Boolean CertGetCertificateContextProperty( [In] IntPtr pCertContext, [In] Int32 dwPropId, [Out] IntPtr pvData, [In, Out] ref Int32 pcbData); } } '@ Add-Type -TypeDefinition $Source -Language CSharp Write-Log -Message "Marshalling PFX binary..." -Type Verbose -Function $thisFunction $pPfxBinary = New-Object AzureStack.PartnerToolkit.CRYPT_DATA_BLOB $pPfxBinary.cbData = $certificateBinary.Length $pPfxBinary.pbData = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($certificateBinary.Length) [System.Runtime.InteropServices.Marshal]::Copy($certificateBinary, 0, $pPfxBinary.pbData, $certificateBinary.Length) Write-Log -Message "Convert cert password to string..." -Type Verbose -Function $thisFunction if ($certificatePassword) { $networkCredential = New-Object System.Net.NetworkCredential -ArgumentList @("", $certificatePassword) $plainCertPassword = $networkCredential.Password } else { $plainCertPassword = "" } try { # PKCS12_OBJECT_LOCATOR_ALL_IMPORT_FLAGS (0x8250) | CRYPT_EXPORTABLE (0x00000001) # PKCS12_OBJECT_LOCATOR_ALL_IMPORT_FLAGS = # PKCS12_ALWAYS_CNG_KSP (0x00000200) | # PKCS12_NO_PERSIST_KEY (0x00008000) | # PKCS12_IMPORT_SILENT (0x00000040) | # PKCS12_INCLUDE_EXTENDED_PROPERTIES (0x0010) $importFlag = 0x8251 Write-Log -Message "Parsing PFX binary with flag $importFlag ..." -Type Verbose -Function $thisFunction $hCertStore = [AzureStack.PartnerToolkit.Crypto]::PFXImportCertStore([ref]$pPfxBinary, $plainCertPassword, $importFlag) if ($hCertStore -eq [System.IntPtr]::Zero) { $ErrorCode = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error() if (-not $plainCertPassword) { # PKCS12_ONLY_NOT_ENCRYPTED_CERTIFICATES (0x0800) | PKCS12_INCLUDE_EXTENDED_PROPERTIES (0x00000010) $importFlag = 0x0810 Write-Log -Message "Parsing PFX binary with error. Try to parse without password with flag $importFlag again..." -Type Verbose -Function $thisFunction $hCertStore = [AzureStack.PartnerToolkit.Crypto]::PFXImportCertStore([ref]$pPfxBinary, $plainCertPassword, $importFlag) } if ($hCertStore -eq [System.IntPtr]::Zero) { return @{ Success = $false ErrorCode = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error() } } } Write-Log -Message "Retrieving the certs from the temp store..." -Type Verbose -Function $thisFunction $ret = @{ EndEntityCertificates = @() OtherCertificates = @() } $currentCertContext = 0 while ($true) { $currentCertContext = [System.IntPtr]([AzureStack.PartnerToolkit.Crypto]::CertEnumCertificatesInStore($hCertStore, $currentCertContext)) if ($currentCertContext -ne [System.IntPtr]::Zero) { $newCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @($currentCertContext) if (Get-EndEntityCertificate $currentCertContext) { $ret.EndEntityCertificates += @($newCert); } else { $ret.OtherCertificates += @($newCert); } continue } break } $ret.Success = $true return $ret } finally { if ($hCertStore -ne [System.IntPtr]::Zero) { if (-not ([AzureStack.PartnerToolkit.Crypto]::CertCloseStore($hCertStore, 0))) { $ErrorCode = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error() Write-Log -Message "Close cert store with error code $ErrorCode" -Type Warning -Function $thisFunction } } } } function Get-EndEntityCertificate { param ([System.IntPtr] $pCertificate) $privateKeyPropIds = @( 5, # CERT_KEY_CONTEXT_PROP_ID 2 # CERT_KEY_PROV_INFO_PROP_ID ) foreach ($propId in $privateKeyPropIds) { $cbData = 0 if ([AzureStack.PartnerToolkit.Crypto]::CertGetCertificateContextProperty( $pCertificate, $propId, [System.IntPtr]::Zero, [ref]$cbData)) { return $true } } return $false } function New-CertificateCollection { param ([hashtable]$pfxdata) $thisFunction = $MyInvocation.MyCommand.Name #create array of all certificates from pfx package $otherCertificates = $pfxData.OtherCertificates $cert = $pfxData.EndEntityCertificates $allcerts = $otherCertificates + @($cert) Write-Log -Message ('Building certificate collection.') -Type Info -Function $thisFunction # create collection of all certificates $collection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection $allcerts | ForEach-Object {$collection.add($PSITEM) | Out-Null} Write-Log -Message ('Building certificate collection complete.') -Type Info -Function $thisFunction #return collection return $collection } function Test-TrustedChain { #Function to test certificate chain, will retry (configurable) 3 times with (configurable) 5 seconds intervals param ([Security.Cryptography.X509Certificates.X509Chain]$chain,[System.Security.Cryptography.X509Certificates.X509Certificate2]$cert,[int]$retryCount = 3,[int]$intervalSeconds = 5,[Hashtable]$certConfig ) $thisFunction = $MyInvocation.MyCommand.Name $test = 'Trusted Chain' if (!$certConfig -or (($certConfig.IncludeTests -eq 'All' -or $test -in $certConfig.IncludeTests) -and $test -notin $certConfig.ExcludeTests)) { Write-Log -Message ('Testing Chain Trust for {0}' -f ($cert | Get-ThumbprintMask)) -Type Info -Function $thisFunction $failureDetail = @() try { #create empty chain is one was not passed to the function if(-not $chain) { $chain = New-Object Security.Cryptography.X509Certificates.X509Chain } if ($chain.ChainPolicy.extrastore) { Write-Log -Message $localizedData.ChainCheckExtraStore -Type Info -Function $thisfunction } else { Write-Log -Message $localizedData.ChainCheckNoStore -Type Info -Function $thisfunction } # If no CDP info exists on the certificate disable the revocation check. $cdpInfo = $cert.Extensions | Where-Object {$_.oid.Value -eq '2.5.29.31'} if (-not $cdpInfo) { $chain.ChainPolicy.RevocationMode = 'NoCheck' Write-Log -Message $localizedData.RevocationModeNoCheck -Type Warn -Function $thisfunction } else { Write-Log -Message $localizedData.RevocationModeDefault -Type Info -Function $thisfunction } # Attempt to build the chain do { $chainResult = $chain.build($cert) $chainFailureReasons = $chain.ChainStatus.status $retry++ #sleep if unsuccessful and none CRL error present if (-not $chainResult -AND $retry -lt $retryCount -AND $chainFailureReasons) { Write-Log -Message ($localizedData.ChainCheckRetry -f ($chainFailureReasons -join ','),$retry) -Type Warn -Function $thisfunction start-Sleep -Seconds $intervalSeconds } } while (-not $chainResult -AND $retry -le $retryCount) #Interpret result if ($chainResult) { Write-Log -Message $localizedData.ChainCheckSuccess -Type Info -Function $thisfunction $result = 'OK' } else { Write-Log -Message ($localizedData.ChainCheckFailed -f ($chainFailureReasons -join ',')) -Type Warn -Function $thisfunction $failureDetail = $chain.ChainStatus.StatusInformation -join '' $result = 'Fail' } # Downgrade result and add failure detail if revocation was disabled if ($chain.ChainPolicy.RevocationMode -eq 'NoCheck') { switch ( $result ) { 'OK' {$result = 'Warning'} 'Fail' {$result = 'Fail'} } $failureDetail += $localizedData.RevocationModeNoCheck } } catch { $result = 'Fail' $failureDetail = ($localizedData.TestException -f $test, $_.exception) Write-Log -Message $failureDetail -Type Warn -Function $thisFunction } finally { if ($chain) { $chain.Dispose() } } } else { $result = 'SkippedByConfig' $failureDetail = ($LocalizedData.SkippedByConfig -f $test) Write-Log -Message $failureDetail -Type Info -Function $thisFunction } $hash = @{'Result' = $result; 'test' = $test; 'failuredetail' = $failureDetail; 'outputObject' = $chain} $object = New-Object PSObject -Property $hash $object } function Test-CertificateRoot { #test if root is the same as stored on ercs machine param ($pfx, [ValidateScript({Test-Path -Path $_ -PathType Container})] $rootpath = "$ENV:SystemDrive\ExternalCerts\Root", [Hashtable]$certConfig ) $thisFunction = $MyInvocation.MyCommand.Name $test = 'Match Root' if (!$certConfig -or (($certConfig.IncludeTests -eq 'All' -or $test -in $certConfig.IncludeTests) -and $test -notin $certConfig.ExcludeTests)) { try { $rootCerts = Get-ChildItem -Path $rootpath -Recurse -Filter *.cer Write-Log -Message ($LocalizedData.RootCertificateFoundOnStamp -f $rootCerts.count, $rootpath) -Type Info -Function $thisFunction if (-not $rootCerts) { $result = 'Fail' $failureDetail = ($LocalizedData.RootCertNotOnDisk -f $rootpath) } else { foreach ($rootCert in $rootCerts) { Write-Log -Message ("Loading {0} for same root comparison" -f $rootCert.fullname) -Type Info -Function $thisFunction $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($rootCert.fullname) $rootThumbprint = $cert.Thumbprint $pfxIssuer = $pfx.OtherCertificates | Where-Object subject -eq $pfx.EndEntityCertificates.Issuer if ($pfxIssuer.thumbprint -eq $rootThumbprint) { Write-Log -Message ($LocalizedData.RootCertificateMatch -f ($pfxIssuer | Get-ThumbprintMask),($cert | Get-ThumbprintMask)) -Type Info -Function $thisFunction $result = 'OK' break } else { $failureDetail = $LocalizedData.RootCertificateNotMatch -f ($pfxIssuer | Get-ThumbprintMask),($cert | Get-ThumbprintMask) Write-Log -Message $failureDetail -Type Warn -Function $thisFunction $result = 'Fail' } } } } catch { $result = 'Fail' $failureDetail = ($localizedData.TestException -f $test, $_.exception.message) Write-Log -Message $failureDetail -Type Warn -Function $thisFunction } } else { $result = 'SkippedByConfig' $failureDetail = ($LocalizedData.SkippedByConfig -f $test) Write-Log -Message $failureDetail -Type Info -Function $thisFunction } $hash = @{'Result' = $result; 'test' = $test; 'failuredetail' = $failureDetail; 'outputObject' = $null} $object = New-Object PSObject -Property $hash $object } function Test-CertificateExpiry { # block if certificate expiry <= threshold (default 7 days) param ([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert,[int]$expiryThresholdDays = 7,[Hashtable]$certConfig) $thisFunction = $MyInvocation.MyCommand.Name $test = 'Expiry Date' if (!$certConfig -or (($certConfig.IncludeTests -eq 'All' -or $test -in $certConfig.IncludeTests) -and $test -notin $certConfig.ExcludeTests)) { try { $thresholdDateTime = [System.DateTime]::Now.AddDays($expiryThresholdDays) $certExpiry = $cert.NotAfter if ($certExpiry -le $thresholdDateTime) { $result = 'Fail' Write-Log -Message ($localizedData.ExpiryFailure -f $certExpiry,($cert | Get-ThumbprintMask),$thresholdDateTime ) -Type Warn -Function $thisFunction if ($certExpiry -le [System.DateTime]::Now) { $failureDetail = $localizedData.ExpiredFailureDetail } else { $failureDetail = $localizedData.ExpiryFailureDetail -f $certExpiry, $expiryThresholdDays } } else { $result = 'OK' Write-Log -Message ($localizedData.ExpirySuccess -f $certExpiry,($cert | Get-ThumbprintMask),$thresholdDateTime ) -Type Info -Function $thisFunction } } catch { $result = 'Fail' $failureDetail = ($localizedData.TestException -f $test, $_.exception.message) Write-Log -Message $failureDetail -Type Warn -Function $thisFunction } } else { $result = 'SkippedByConfig' $failureDetail = ($LocalizedData.SkippedByConfig -f $test) Write-Log -Message $failureDetail -Type Info -Function $thisFunction } $hash = @{'Result' = $result; 'test' = $test; 'failuredetail' = $failureDetail; 'outputObject' = $null} $object = New-Object PSObject -Property $hash $object } function ConvertTo-Oid { param ($in) $thisFunction = $MyInvocation.MyCommand.Name try { # user may have passed in Write-Log -Message $in -Type Info -Function $thisFunction if ($in -is [string]) { $oid = [System.Security.Cryptography.Oid]::new($in) if (!$oid.FriendlyName -or !$oid.Value) { throw ("Unable to convert {0} into Oid" -f $in) } } elseif ($in -is [Hashtable]) { $oid = $in.Keys | ForEach-Object { [System.Security.Cryptography.Oid]::new($in[$PSITEM],$PSITEM) } } else { throw ("Unable to convert {0} into Oid" -f $in) } return $oid } catch { throw ("Unable to convert {0} into Oid. Make sure the input has a valid name and Oid. Error {1}" -f $in,$_.exception.message) } } # SIG # Begin signature block # MIInsQYJKoZIhvcNAQcCoIInojCCJ54CAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG # KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCAwl3HmUlOW0KCK # 7yTHhVIRj0/qKD3Uec8gkfD8JSCGX6CCDYUwggYDMIID66ADAgECAhMzAAACU+OD # 3pbexW7MAAAAAAJTMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD # VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25p # bmcgUENBIDIwMTEwHhcNMjEwOTAyMTgzMzAwWhcNMjIwOTAxMTgzMzAwWjB0MQsw # CQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9u # ZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYDVQQDExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB # AQDLhxHwq3OhH+4J+SX4qS/VQG8HybccH7tnG+BUqrXubfGuDFYPZ29uCuHfQlO1 # lygLgMpJ4Geh6/6poQ5VkDKfVssn6aA1PCzIh8iOPMQ9Mju3sLF9Sn+Pzuaie4BN # rp0MuZLDEXgVYx2WNjmzqcxC7dY9SC3znOh5qUy2vnmWygC7b9kj0d3JrGtjc5q5 # 0WfV3WLXAQHkeRROsJFBZfXFGoSvRljFFUAjU/zdhP92P+1JiRRRikVy/sqIhMDY # +7tVdzlE2fwnKOv9LShgKeyEevgMl0B1Fq7E2YeBZKF6KlhmYi9CE1350cnTUoU4 # YpQSnZo0YAnaenREDLfFGKTdAgMBAAGjggGCMIIBfjAfBgNVHSUEGDAWBgorBgEE # AYI3TAgBBggrBgEFBQcDAzAdBgNVHQ4EFgQUlZpLWIccXoxessA/DRbe26glhEMw # VAYDVR0RBE0wS6RJMEcxLTArBgNVBAsTJE1pY3Jvc29mdCBJcmVsYW5kIE9wZXJh # dGlvbnMgTGltaXRlZDEWMBQGA1UEBRMNMjMwMDEyKzQ2NzU5ODAfBgNVHSMEGDAW # gBRIbmTlUAXTgqoXNzcitW2oynUClTBUBgNVHR8ETTBLMEmgR6BFhkNodHRwOi8v # d3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNDb2RTaWdQQ0EyMDExXzIw # MTEtMDctMDguY3JsMGEGCCsGAQUFBwEBBFUwUzBRBggrBgEFBQcwAoZFaHR0cDov # L3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9jZXJ0cy9NaWNDb2RTaWdQQ0EyMDEx # XzIwMTEtMDctMDguY3J0MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggIB # AKVY+yKcJVVxf9W2vNkL5ufjOpqcvVOOOdVyjy1dmsO4O8khWhqrecdVZp09adOZ # 8kcMtQ0U+oKx484Jg11cc4Ck0FyOBnp+YIFbOxYCqzaqMcaRAgy48n1tbz/EFYiF # zJmMiGnlgWFCStONPvQOBD2y/Ej3qBRnGy9EZS1EDlRN/8l5Rs3HX2lZhd9WuukR # bUk83U99TPJyo12cU0Mb3n1HJv/JZpwSyqb3O0o4HExVJSkwN1m42fSVIVtXVVSa # YZiVpv32GoD/dyAS/gyplfR6FI3RnCOomzlycSqoz0zBCPFiCMhVhQ6qn+J0GhgR # BJvGKizw+5lTfnBFoqKZJDROz+uGDl9tw6JvnVqAZKGrWv/CsYaegaPePFrAVSxA # yUwOFTkAqtNC8uAee+rv2V5xLw8FfpKJ5yKiMKnCKrIaFQDr5AZ7f2ejGGDf+8Tz # OiK1AgBvOW3iTEEa/at8Z4+s1CmnEAkAi0cLjB72CJedU1LAswdOCWM2MDIZVo9j # 0T74OkJLTjPd3WNEyw0rBXTyhlbYQsYt7ElT2l2TTlF5EmpVixGtj4ChNjWoKr9y # TAqtadd2Ym5FNB792GzwNwa631BPCgBJmcRpFKXt0VEQq7UXVNYBiBRd+x4yvjqq # 5aF7XC5nXCgjbCk7IXwmOphNuNDNiRq83Ejjnc7mxrJGMIIHejCCBWKgAwIBAgIK # YQ6Q0gAAAAAAAzANBgkqhkiG9w0BAQsFADCBiDELMAkGA1UEBhMCVVMxEzARBgNV # BAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jv # c29mdCBDb3Jwb3JhdGlvbjEyMDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlm # aWNhdGUgQXV0aG9yaXR5IDIwMTEwHhcNMTEwNzA4MjA1OTA5WhcNMjYwNzA4MjEw # OTA5WjB+MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UE # BxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSgwJgYD # VQQDEx9NaWNyb3NvZnQgQ29kZSBTaWduaW5nIFBDQSAyMDExMIICIjANBgkqhkiG # 9w0BAQEFAAOCAg8AMIICCgKCAgEAq/D6chAcLq3YbqqCEE00uvK2WCGfQhsqa+la # UKq4BjgaBEm6f8MMHt03a8YS2AvwOMKZBrDIOdUBFDFC04kNeWSHfpRgJGyvnkmc # 6Whe0t+bU7IKLMOv2akrrnoJr9eWWcpgGgXpZnboMlImEi/nqwhQz7NEt13YxC4D # dato88tt8zpcoRb0RrrgOGSsbmQ1eKagYw8t00CT+OPeBw3VXHmlSSnnDb6gE3e+ # lD3v++MrWhAfTVYoonpy4BI6t0le2O3tQ5GD2Xuye4Yb2T6xjF3oiU+EGvKhL1nk # kDstrjNYxbc+/jLTswM9sbKvkjh+0p2ALPVOVpEhNSXDOW5kf1O6nA+tGSOEy/S6 # A4aN91/w0FK/jJSHvMAhdCVfGCi2zCcoOCWYOUo2z3yxkq4cI6epZuxhH2rhKEmd # X4jiJV3TIUs+UsS1Vz8kA/DRelsv1SPjcF0PUUZ3s/gA4bysAoJf28AVs70b1FVL # 5zmhD+kjSbwYuER8ReTBw3J64HLnJN+/RpnF78IcV9uDjexNSTCnq47f7Fufr/zd # sGbiwZeBe+3W7UvnSSmnEyimp31ngOaKYnhfsi+E11ecXL93KCjx7W3DKI8sj0A3 # T8HhhUSJxAlMxdSlQy90lfdu+HggWCwTXWCVmj5PM4TasIgX3p5O9JawvEagbJjS # 4NaIjAsCAwEAAaOCAe0wggHpMBAGCSsGAQQBgjcVAQQDAgEAMB0GA1UdDgQWBBRI # bmTlUAXTgqoXNzcitW2oynUClTAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTAL # BgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBRyLToCMZBD # uRQFTuHqp8cx0SOJNDBaBgNVHR8EUzBRME+gTaBLhklodHRwOi8vY3JsLm1pY3Jv # c29mdC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFf # MDNfMjIuY3JsMF4GCCsGAQUFBwEBBFIwUDBOBggrBgEFBQcwAoZCaHR0cDovL3d3 # dy5taWNyb3NvZnQuY29tL3BraS9jZXJ0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFf # MDNfMjIuY3J0MIGfBgNVHSAEgZcwgZQwgZEGCSsGAQQBgjcuAzCBgzA/BggrBgEF # BQcCARYzaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9kb2NzL3ByaW1h # cnljcHMuaHRtMEAGCCsGAQUFBwICMDQeMiAdAEwAZQBnAGEAbABfAHAAbwBsAGkA # YwB5AF8AcwB0AGEAdABlAG0AZQBuAHQALiAdMA0GCSqGSIb3DQEBCwUAA4ICAQBn # 8oalmOBUeRou09h0ZyKbC5YR4WOSmUKWfdJ5DJDBZV8uLD74w3LRbYP+vj/oCso7 # v0epo/Np22O/IjWll11lhJB9i0ZQVdgMknzSGksc8zxCi1LQsP1r4z4HLimb5j0b # pdS1HXeUOeLpZMlEPXh6I/MTfaaQdION9MsmAkYqwooQu6SpBQyb7Wj6aC6VoCo/ # KmtYSWMfCWluWpiW5IP0wI/zRive/DvQvTXvbiWu5a8n7dDd8w6vmSiXmE0OPQvy # CInWH8MyGOLwxS3OW560STkKxgrCxq2u5bLZ2xWIUUVYODJxJxp/sfQn+N4sOiBp # mLJZiWhub6e3dMNABQamASooPoI/E01mC8CzTfXhj38cbxV9Rad25UAqZaPDXVJi # hsMdYzaXht/a8/jyFqGaJ+HNpZfQ7l1jQeNbB5yHPgZ3BtEGsXUfFL5hYbXw3MYb # BL7fQccOKO7eZS/sl/ahXJbYANahRr1Z85elCUtIEJmAH9AAKcWxm6U/RXceNcbS # oqKfenoi+kiVH6v7RyOA9Z74v2u3S5fi63V4GuzqN5l5GEv/1rMjaHXmr/r8i+sL # gOppO6/8MO0ETI7f33VtY5E90Z1WTk+/gFcioXgRMiF670EKsT/7qMykXcGhiJtX # cVZOSEXAQsmbdlsKgEhr/Xmfwb1tbWrJUnMTDXpQzTGCGYIwghl+AgEBMIGVMH4x # CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRt # b25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01p # Y3Jvc29mdCBDb2RlIFNpZ25pbmcgUENBIDIwMTECEzMAAAJT44Pelt7FbswAAAAA # AlMwDQYJYIZIAWUDBAIBBQCgga4wGQYJKoZIhvcNAQkDMQwGCisGAQQBgjcCAQQw # HAYKKwYBBAGCNwIBCzEOMAwGCisGAQQBgjcCARUwLwYJKoZIhvcNAQkEMSIEICxk # K5ku4k256oU4ZDg3JKyurl0zrvW/5zJsNMVv8vbQMEIGCisGAQQBgjcCAQwxNDAy # oBSAEgBNAGkAYwByAG8AcwBvAGYAdKEagBhodHRwOi8vd3d3Lm1pY3Jvc29mdC5j # b20wDQYJKoZIhvcNAQEBBQAEggEAOrdixlUJ3cFSGnqJTRQVo+zuDojPnRvym63i # SPqeWFoHTQkRwAWb6+AaGs7qf4D/xWihIjxjW7AqfKew8cps/K9fV0/+yCBDiOsn # FTWVB142YuMY0PtVO6e8NLkxGL7t7W5b5ihMo7yNJj1w13eCkQn4JnfPXQB78ija # pT2xZQWN8xJenIpCGt1XfgledPtwDCcB0+pAwUBtC+bckvmMvEC3KyXiNEJXnTxe # U7wQa2TtQu0tL9hviMzs38bJhvmnIo/rzvXVPfukQ6bk5OcYd6TNJ0VVqb+pLEoC # TKdgwltLG7ozVFb+gB0hch98YttvDgez1VHdwKsk5OIU+49FuKGCFwwwghcIBgor # BgEEAYI3AwMBMYIW+DCCFvQGCSqGSIb3DQEHAqCCFuUwghbhAgEDMQ8wDQYJYIZI # AWUDBAIBBQAwggFVBgsqhkiG9w0BCRABBKCCAUQEggFAMIIBPAIBAQYKKwYBBAGE # WQoDATAxMA0GCWCGSAFlAwQCAQUABCCwPGzhxBobYr0U7sRQmVTmY0mt/S6ZZ0iW # WyylFGb3EAIGYnwsHc/JGBMyMDIyMDUxNzIwMTUyOS40NjJaMASAAgH0oIHUpIHR # MIHOMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMH # UmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSkwJwYDVQQL # EyBNaWNyb3NvZnQgT3BlcmF0aW9ucyBQdWVydG8gUmljbzEmMCQGA1UECxMdVGhh # bGVzIFRTUyBFU046NEQyRi1FM0RELUJFRUYxJTAjBgNVBAMTHE1pY3Jvc29mdCBU # aW1lLVN0YW1wIFNlcnZpY2WgghFfMIIHEDCCBPigAwIBAgITMwAAAbCh44My6I07 # wAABAAABsDANBgkqhkiG9w0BAQsFADB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMK # V2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0 # IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0Eg # MjAxMDAeFw0yMjAzMDIxODUxNDJaFw0yMzA1MTExODUxNDJaMIHOMQswCQYDVQQG # EwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwG # A1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSkwJwYDVQQLEyBNaWNyb3NvZnQg # T3BlcmF0aW9ucyBQdWVydG8gUmljbzEmMCQGA1UECxMdVGhhbGVzIFRTUyBFU046 # NEQyRi1FM0RELUJFRUYxJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0YW1wIFNl # cnZpY2UwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCcxm07DNfSgp0H # OUQu1aIJcklzCi7rf8llj0Fg+lQJSYAXsVSsdp9c4F96P8QNmYGfzRRnIDQ0Qie5 # iYjnlu8Xh56DVz5YOxI2FrpX5N6DgI+muzteRr3JKWLLy3MfqPEnvAq3yG+NBCfF # tEMeEyF39Mg8ACeP6jveHSf4Rmm3iWIOBqdBtLkJocBaLwFkx5Q9XIvrKd+gMU/c # CIR6sP+9LczL65wxe45kI2lVD54zoDzshVmYla+3uq5EpeGp09bS79t0loV6jLNe # MKJb+GXkHFj/OK1dha69Sm8JCGtL5R45b+MRvWup5U0X6NAmFEA362TjFwiOSnAD # dgWen1W9ParQnbFnTTcQdMuJcDI57jZsfORTX8z3DGY5sABfWkVFDCx7+tuiOu7d # fnWaFT6Sqn0jZhrVbfQxE1pJg4qZxoOPgXU6Zb4BlavRdymTwxR2m8Wy6Uln11vd # DGVzrhR/MgjMwyTVM3sgKsrRRci2Yq94+E9Rse5UXgjlD8Nablc21irKVezKHWY7 # TfyFFnVSHZNxz6eEDdcMHVb3VzrGHYRvJIIxsgGSA+aK+wv++YcikG+RdGfhHtOL # mPSvrA2d5d8/E0GVgH2Lq22QjFlp5iVbLuVeD0eTzvlOg+7QLTLzFCzWIm0/frMV # WSv1kHq9iSfat2e5YxbOJYKZn3OgFQIDAQABo4IBNjCCATIwHQYDVR0OBBYEFDrf # ASQ3ASZuHcugEmR61yBH1jY/MB8GA1UdIwQYMBaAFJ+nFV0AXmJdg/Tl0mWnG1M1 # GelyMF8GA1UdHwRYMFYwVKBSoFCGTmh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9w # a2lvcHMvY3JsL01pY3Jvc29mdCUyMFRpbWUtU3RhbXAlMjBQQ0ElMjAyMDEwKDEp # LmNybDBsBggrBgEFBQcBAQRgMF4wXAYIKwYBBQUHMAKGUGh0dHA6Ly93d3cubWlj # cm9zb2Z0LmNvbS9wa2lvcHMvY2VydHMvTWljcm9zb2Z0JTIwVGltZS1TdGFtcCUy # MFBDQSUyMDIwMTAoMSkuY3J0MAwGA1UdEwEB/wQCMAAwEwYDVR0lBAwwCgYIKwYB # BQUHAwgwDQYJKoZIhvcNAQELBQADggIBAN1z4oebDbVHwMi55V6ujGUqQodExfrh # vp4SCeOP/3DHEBhFYmdjdutzcL60IwhTp4v/qMX++o3JlIXCli15PYYXe73xQYWW # c3BeWjbNO1JYoLNuKb3mrBboZieMvNjmJtRtTkWLBZ3WXbxf/za2BsWl6lDZUR0J # bJFf6ZnHKjtzousCx3Dwdf1kUyybWGyIosBP7kxRBRC+OcFg/9ZkwjxJBV94ZYlx # MqcV83WdZOl6hk8rBgLS11AeyAugh9umMoCkLlxvEI3CQQFBv/Rd8jWTnWxb5+xY # p2cjXCFS8ZXe4dGxC30M4SI3pY/ubASoS3GhVNL2425n9FhDYBZp8iTYjKy+/9hW # Di7IIkA2yceg6ctRH77kRrHS+X/o1VXbOaDGiq4cYFe6BKG6wOmeep51mDeO7MMK # LrnB39MptQ0Fh8tgxzhUUTe8r/vs3rNBkgjo0UWDyu669UHPjt57HetODoJuZ0fU # KoTjnNjkE677UoFwUrbubxelvAz3LJ7Od3EOIHXEdWPTYOSGBMMQmc82LKvaGpcZ # R/mR/wOie2THkjSjZK1z8eqaRV1MR7gt5OJs1cmTRlj/2YHFDotqldN5uiJsrb4t # ZHxnumHQod9jzoFnjR/ZXyrfndTPquCISS5l9BNmWSAmBG/UNK6JnjF/BmfnG4bj # bBYpiYGv3447MIIHcTCCBVmgAwIBAgITMwAAABXF52ueAptJmQAAAAAAFTANBgkq # hkiG9w0BAQsFADCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24x # EDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlv # bjEyMDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5 # IDIwMTAwHhcNMjEwOTMwMTgyMjI1WhcNMzAwOTMwMTgzMjI1WjB8MQswCQYDVQQG # EwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwG # A1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQg # VGltZS1TdGFtcCBQQ0EgMjAxMDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC # ggIBAOThpkzntHIhC3miy9ckeb0O1YLT/e6cBwfSqWxOdcjKNVf2AX9sSuDivbk+ # F2Az/1xPx2b3lVNxWuJ+Slr+uDZnhUYjDLWNE893MsAQGOhgfWpSg0S3po5GawcU # 88V29YZQ3MFEyHFcUTE3oAo4bo3t1w/YJlN8OWECesSq/XJprx2rrPY2vjUmZNqY # O7oaezOtgFt+jBAcnVL+tuhiJdxqD89d9P6OU8/W7IVWTe/dvI2k45GPsjksUZzp # cGkNyjYtcI4xyDUoveO0hyTD4MmPfrVUj9z6BVWYbWg7mka97aSueik3rMvrg0Xn # Rm7KMtXAhjBcTyziYrLNueKNiOSWrAFKu75xqRdbZ2De+JKRHh09/SDPc31BmkZ1 # zcRfNN0Sidb9pSB9fvzZnkXftnIv231fgLrbqn427DZM9ituqBJR6L8FA6PRc6ZN # N3SUHDSCD/AQ8rdHGO2n6Jl8P0zbr17C89XYcz1DTsEzOUyOArxCaC4Q6oRRRuLR # vWoYWmEBc8pnol7XKHYC4jMYctenIPDC+hIK12NvDMk2ZItboKaDIV1fMHSRlJTY # uVD5C4lh8zYGNRiER9vcG9H9stQcxWv2XFJRXRLbJbqvUAV6bMURHXLvjflSxIUX # k8A8FdsaN8cIFRg/eKtFtvUeh17aj54WcmnGrnu3tz5q4i6tAgMBAAGjggHdMIIB # 2TASBgkrBgEEAYI3FQEEBQIDAQABMCMGCSsGAQQBgjcVAgQWBBQqp1L+ZMSavoKR # PEY1Kc8Q/y8E7jAdBgNVHQ4EFgQUn6cVXQBeYl2D9OXSZacbUzUZ6XIwXAYDVR0g # BFUwUzBRBgwrBgEEAYI3TIN9AQEwQTA/BggrBgEFBQcCARYzaHR0cDovL3d3dy5t # aWNyb3NvZnQuY29tL3BraW9wcy9Eb2NzL1JlcG9zaXRvcnkuaHRtMBMGA1UdJQQM # MAoGCCsGAQUFBwMIMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIAQwBBMAsGA1UdDwQE # AwIBhjAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFNX2VsuP6KJcYmjRPZSQ # W9fOmhjEMFYGA1UdHwRPME0wS6BJoEeGRWh0dHA6Ly9jcmwubWljcm9zb2Z0LmNv # bS9wa2kvY3JsL3Byb2R1Y3RzL01pY1Jvb0NlckF1dF8yMDEwLTA2LTIzLmNybDBa # BggrBgEFBQcBAQROMEwwSgYIKwYBBQUHMAKGPmh0dHA6Ly93d3cubWljcm9zb2Z0 # LmNvbS9wa2kvY2VydHMvTWljUm9vQ2VyQXV0XzIwMTAtMDYtMjMuY3J0MA0GCSqG # SIb3DQEBCwUAA4ICAQCdVX38Kq3hLB9nATEkW+Geckv8qW/qXBS2Pk5HZHixBpOX # PTEztTnXwnE2P9pkbHzQdTltuw8x5MKP+2zRoZQYIu7pZmc6U03dmLq2HnjYNi6c # qYJWAAOwBb6J6Gngugnue99qb74py27YP0h1AdkY3m2CDPVtI1TkeFN1JFe53Z/z # jj3G82jfZfakVqr3lbYoVSfQJL1AoL8ZthISEV09J+BAljis9/kpicO8F7BUhUKz # /AyeixmJ5/ALaoHCgRlCGVJ1ijbCHcNhcy4sa3tuPywJeBTpkbKpW99Jo3QMvOyR # gNI95ko+ZjtPu4b6MhrZlvSP9pEB9s7GdP32THJvEKt1MMU0sHrYUP4KWN1APMdU # bZ1jdEgssU5HLcEUBHG/ZPkkvnNtyo4JvbMBV0lUZNlz138eW0QBjloZkWsNn6Qo # 3GcZKCS6OEuabvshVGtqRRFHqfG3rsjoiV5PndLQTHa1V1QJsWkBRH58oWFsc/4K # u+xBZj1p/cvBQUl+fpO+y/g75LcVv7TOPqUxUYS8vwLBgqJ7Fx0ViY1w/ue10Cga # iQuPNtq6TPmb/wrpNPgkNWcr4A245oyZ1uEi6vAnQj0llOZ0dFtq0Z4+7X6gMTN9 # vMvpe784cETRkPHIqzqKOghif9lwY1NNje6CbaUFEMFxBmoQtB1VM1izoXBm8qGC # AtIwggI7AgEBMIH8oYHUpIHRMIHOMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2Fz # aGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENv # cnBvcmF0aW9uMSkwJwYDVQQLEyBNaWNyb3NvZnQgT3BlcmF0aW9ucyBQdWVydG8g # UmljbzEmMCQGA1UECxMdVGhhbGVzIFRTUyBFU046NEQyRi1FM0RELUJFRUYxJTAj # BgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0YW1wIFNlcnZpY2WiIwoBATAHBgUrDgMC # GgMVAAKeL5Dd3w+RTQVWGZJWXkvyRTwYoIGDMIGApH4wfDELMAkGA1UEBhMCVVMx # EzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoT # FU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUt # U3RhbXAgUENBIDIwMTAwDQYJKoZIhvcNAQEFBQACBQDmLeqrMCIYDzIwMjIwNTE3 # MTMzNDM1WhgPMjAyMjA1MTgxMzM0MzVaMHcwPQYKKwYBBAGEWQoEATEvMC0wCgIF # AOYt6qsCAQAwCgIBAAICERoCAf8wBwIBAAICEVgwCgIFAOYvPCsCAQAwNgYKKwYB # BAGEWQoEAjEoMCYwDAYKKwYBBAGEWQoDAqAKMAgCAQACAwehIKEKMAgCAQACAwGG # oDANBgkqhkiG9w0BAQUFAAOBgQAarX8AA2Gpeus1wensO3g9JkD3rWykoEfQ6UVS # OBoVD8rblcHb/8uyb3+ivIfmto9egVs3qbGTBKhv+DfEbLVy6hyFYViSoUyqgApg # SlQRrGduTbgsbWU6gHflMfb3rZE6jhYAVsw3ReQsU4QHD/AqaKGhtO/6IrSiPRUK # Vw8CnjGCBA0wggQJAgEBMIGTMHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNo # aW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29y # cG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEw # AhMzAAABsKHjgzLojTvAAAEAAAGwMA0GCWCGSAFlAwQCAQUAoIIBSjAaBgkqhkiG # 9w0BCQMxDQYLKoZIhvcNAQkQAQQwLwYJKoZIhvcNAQkEMSIEIFuDPOpaXD3fWF8B # v7yJZ3aJmfy4vhzldNnmwlSWGzXWMIH6BgsqhkiG9w0BCRACLzGB6jCB5zCB5DCB # vQQgzQYLQ3fLn/Sk4xn9RuuyHypnDRSZnlk3eopQMucVhKAwgZgwgYCkfjB8MQsw # CQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9u # ZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNy # b3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMAITMwAAAbCh44My6I07wAABAAABsDAi # BCDcFvKgB0oDalsvelIAtSkiwXTgs0BxnDnNsRbeAS1aNjANBgkqhkiG9w0BAQsF # AASCAgARzScGqw7lbPJ8iUj6cApWKQ4N7sZwXRDRDfL6V+d6osh0rUOFDsnRL7X7 # CsAWVyGhdByCKNFcni/0M42sUEyL2yEnCplcwn+JfjfBmRMzghdHEfk6Gg/+8zFK # 0QPH877+wlJOu0oeZnkXQjSbj+UfILmK131mx65Ji/Vvf8jqCKVpBzS7kq94+97m # V+Fs8/2CbJFLo/uwOvGIlXepjkCHt2pKvJggZWrT/g/740JBQ8qWKDErpF+d17xv # pgX/8r3rxvk/e4mrf1PWJ1YIc25ot2DwBmjd4nZ+492Ng/2xXmB2MHhr+hVKmmqa # bXzEvjVSra406XeDOhETr80gzzT2MC1++1jmrKWOnNki+JMFyx4shAX4nYDDJ11B # Oyji7bBsmbn6HcZtqVGsgsR6GYbcVM2T5SPkj8t43tlwKppyuDsLd70i0O0Pa1ms # MJi7zgsT9Yr/nRk5lUjcko8583gaCC2evlAnbKFTZqJC9V6ixCqOFxblgwBShqaB # ZXeeaRQW3GA9IrPjD24WQqQYwPYeEslbSGlZJjgWRpJWLKH4P2JwQsQ1g4EXwJ+e # C2N+MHcAeJRk1fnHSe3WjZTF/odpNZllUl8wluBqJG4/65jNB5ajmZYcQMKqkvrO # zWCEHx0okgMZBAJjVkVnePI0WUMwagjJmHWlQjD78RdapjIsDw== # SIG # End signature block |