CertificateValidation/PublicCertHelper.psm1
|
<#############################################################
# # # Copyright (C) Microsoft Corporation. All rights reserved. # # # #############################################################> $ErrorActionPreference = 'Stop' # Explicitly importing it as ERCS VM does not have it by default Import-Module PKI Import-LocalizedData LocalizedData -Filename PublicCertHelper.Strings.psd1 -ErrorAction SilentlyContinue # workaround for https://github.com/PowerShell/JEA/issues/42 # can't use Import-PowerShellDataFile because PS5.1 Import-LocalizedData -FileName Microsoft.AzureStack.CertificateConfig.psd1 -BaseDirectory $PSScriptRoot -BindingVariable CertificateData $certificateDefaults = $CertificateData.CertificateDefaults $myCertPath = 'cert:\localmachine\my\' if ($standalone) { $publicCertRoot = $PSScriptRoot $WarnOnSelfSigned = $true } else { $publicCertRoot = 'C:\CloudDeployment\Setup\Certificates' } $armPublicCertInfo = @{Path="$publicCertRoot\AAD\ARM Public";RecordPrefix=@("management")} $armAdminCertInfo = @{Path="$publicCertRoot\AAD\ARM Admin";RecordPrefix=@("adminmanagement")} $publicPortalCertInfo = @{Path="$publicCertRoot\AAD\Public Portal";RecordPrefix=@("portal")} $adminPortalCertInfo = @{Path="$publicCertRoot\AAD\Admin Portal";RecordPrefix=@("adminportal")} $keyvaultCertInfo = @{Path="$publicCertRoot\AAD\KeyVault";RecordPrefix=@("*.vault")} $keyvaultAdminCertInfo = @{Path="$publicCertRoot\AAD\KeyVaultInternal";RecordPrefix=@("*.adminvault")} $acsTableCertInfo = @{Path="$publicCertRoot\AAD\ACSTable";RecordPrefix=@("*.table")} $acsQueueCertInfo = @{Path="$publicCertRoot\AAD\ACSQueue";RecordPrefix=@("*.queue")} $acsBlobCertInfo = @{Path="$publicCertRoot\AAD\ACSBlob";RecordPrefix=@("*.blob")} $adminHostingCertInfo = @{Path="$publicCertRoot\AAD\Admin Extension Host";RecordPrefix=@("*.adminhosting")} $publicHostingCertInfo = @{Path="$publicCertRoot\AAD\Public Extension Host";RecordPrefix=@("*.hosting")} $acrCertInfo = @{Path="$publicCertRoot\AAD\Container Registry";RecordPrefix=@("*.azsacr")} $adfsCertInfo = @{Path="$publicCertRoot\ADFS\ADFS";RecordPrefix=@("adfs")} $graphCertInfo = @{Path="$publicCertRoot\ADFS\Graph";RecordPrefix=@("graph")} $armADFSPublicCertInfo = @{Path="$publicCertRoot\ADFS\ARM Public";RecordPrefix=@("management")} $armADFSAdminCertInfo = @{Path="$publicCertRoot\ADFS\ARM Admin";RecordPrefix=@("adminmanagement")} $publicADFSPortalCertInfo = @{Path="$publicCertRoot\ADFS\Public Portal";RecordPrefix=@("portal")} $adminADFSPortalCertInfo = @{Path="$publicCertRoot\ADFS\Admin Portal";RecordPrefix=@("adminportal")} $keyvaultADFSCertInfo = @{Path="$publicCertRoot\ADFS\KeyVault";RecordPrefix=@("*.vault")} $keyvaultADFSAdminCertInfo = @{Path="$publicCertRoot\ADFS\KeyVaultInternal";RecordPrefix=@("*.adminvault")} $acsTableADFSCertInfo = @{Path="$publicCertRoot\ADFS\ACSTable";RecordPrefix=@("*.table")} $acsQueueADFSCertInfo = @{Path="$publicCertRoot\ADFS\ACSQueue";RecordPrefix=@("*.queue")} $acsBlobADFSCertInfo = @{Path="$publicCertRoot\ADFS\ACSBlob";RecordPrefix=@("*.blob")} $adminHostingADFSCertInfo = @{Path="$publicCertRoot\ADFS\Admin Extension Host";RecordPrefix=@("*.adminhosting")} $publicHostingADFSCertInfo = @{Path="$publicCertRoot\ADFS\Public Extension Host";RecordPrefix=@("*.hosting")} $acrADFSCertInfo = @{Path="$publicCertRoot\ADFS\Container Registry";RecordPrefix=@("*.azsacr")} # This function appends the region and domainFQDN to the RecordPrefix/es and returns the array for multiple endpoints function New-DNSList { Param ( [Parameter(Mandatory=$true)] [string[]] $RecordPrefixList, [Parameter(Mandatory=$true)] [String] $RegionExternalFQDN ) $dnsListCreated = @() foreach ($RecordPrefix in $RecordPrefixList) { $dnsListCreated += $RecordPrefix + ".$RegionExternalFQDN" } return $dnsListCreated } function New-SelfSignedCertificateWrapper { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium')] Param ( [Parameter(Mandatory=$true)] [string[]] $DnsRecord, [Parameter(Mandatory=$true)] [SecureString] $CertificatePassword, [Parameter(Mandatory=$true)] [string] $OutFilePath, [Parameter(Mandatory=$true)] [string] $RootCertThumbprint ) # Creating if the path does not exist as SecretRotation BVT needs it if(-not (Test-Path $OutFilePath)) { $null = New-Item -Path $OutFilePath -ItemType Directory } if(-not (Get-ChildItem -Path $OutFilePath -Filter '*.pfx')) { $OutFilePath = Join-Path -Path $OutFilePath -ChildPath "SSL.pfx" $rootCert = ( Get-ChildItem -path $RootCertThumbprint ) $certThumbprint = New-SelfSignedCertificate -KeyUsage DigitalSignature, KeyEncipherment -HashAlgorithm SHA256 -KeyUsageProperty All -KeyLength 4096 -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -certstorelocation $myCertPath -dnsname $DnsRecord -Signer $rootCert -KeyExportPolicy Exportable -Verbose:$false $certPath = $myCertPath + $certThumbprint.Thumbprint # It can sometimes take a few seconds to populate the store $retryCount = 0; while(-not (Test-Path $certPath)) { Start-Sleep -Seconds 1 if($retryCount++ -eq 10) { throw ($LocalizedData.FailedCreatingCert -f $certPath) } } $null = Export-PfxCertificate -FilePath $OutFilePath -Cert $certPath -Password $CertificatePassword -ChainOption BuildChain -Force -Verbose:$false } } function New-SelfSignedRootCert { [Alias("Create-RootCert")] Param ( [Parameter(Mandatory=$true)] [string] $DnsRecord, [Parameter(Mandatory=$true)] [SecureString] $CertificatePassword ) $baseRootCertThumbprint = New-SelfSignedCertificate -KeyUsage DigitalSignature, KeyEncipherment, CertSign -HashAlgorithm SHA256 -KeyUsageProperty All -KeyLength 4096 -Subject "AzureStackSelfSignedRootCert" -FriendlyName "Azs Self Signed RootCert" -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -certstorelocation $myCertPath -dnsname $DnsRecord -TextExtension @("2.5.29.19 ={critical} {text}ca=1&pathlength=3") $intermediateRootCertThumbprint = New-SelfSignedCertificate -KeyUsage DigitalSignature, KeyEncipherment, CertSign -HashAlgorithm SHA256 -KeyUsageProperty All -KeyLength 4096 -Subject "AzureStackSelfSignedIntermediate1Cert" -FriendlyName "Azs Self Signed Intermediate 1 Cert" -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -certstorelocation $myCertPath -dnsname $DnsRecord -TextExtension @("2.5.29.19 ={critical} {text}ca=1&pathlength=2") -Signer $baseRootCertThumbprint $secondIntermediateRootCertThumbprint = New-SelfSignedCertificate -KeyUsage DigitalSignature, KeyEncipherment, CertSign -HashAlgorithm SHA256 -KeyUsageProperty All -KeyLength 4096 -Subject "AzureStackSelfSignedIntermediate2Cert" -FriendlyName "Azs Self Signed Intermediate 2 Cert" -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -certstorelocation $myCertPath -dnsname $DnsRecord -TextExtension @("2.5.29.19 ={critical} {text}ca=1&pathlength=0") -Signer $intermediateRootCertThumbprint $certPath = $myCertPath + $secondIntermediateRootCertThumbprint.Thumbprint # It can sometimes take a few seconds to populate the store $retryCount = 0; while(-not (Test-Path $certPath)) { Start-Sleep -Seconds 1 if($retryCount++ -eq 10) { throw "Failed to create self signed root certificate in store '$certPath'." } } return $certPath } # Use for one nodes and internal testing only! function New-AzureStackSelfSignedCerts { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium')] Param ( [Parameter(Mandatory=$true)] [string] $RegionExternalFQDN, [Parameter(Mandatory=$true)] [SecureString] $CertificatePassword, [Parameter(Mandatory=$false)] [string] $ExternalCertRoot ) if($ExternalCertRoot) { $publicCertRoot = $ExternalCertRoot $armPublicCertInfo = @{Path="$publicCertRoot\AAD\ARM Public";RecordPrefix=@("management")} $armAdminCertInfo = @{Path="$publicCertRoot\AAD\ARM Admin";RecordPrefix=@("adminmanagement")} $publicPortalCertInfo = @{Path="$publicCertRoot\AAD\Public Portal";RecordPrefix=@("portal")} $adminPortalCertInfo = @{Path="$publicCertRoot\AAD\Admin Portal";RecordPrefix=@("adminportal")} $keyvaultCertInfo = @{Path="$publicCertRoot\AAD\KeyVault";RecordPrefix=@("*.vault")} $keyvaultAdminCertInfo = @{Path="$publicCertRoot\AAD\KeyVaultInternal";RecordPrefix=@("*.adminvault")} $acsTableCertInfo = @{Path="$publicCertRoot\AAD\ACSTable";RecordPrefix=@("*.table")} $acsQueueCertInfo = @{Path="$publicCertRoot\AAD\ACSQueue";RecordPrefix=@("*.queue")} $acsBlobCertInfo = @{Path="$publicCertRoot\AAD\ACSBlob";RecordPrefix=@("*.blob")} $adminHostingCertInfo = @{Path="$publicCertRoot\AAD\Admin Extension Host";RecordPrefix=@("*.adminhosting")} $publicHostingCertInfo = @{Path="$publicCertRoot\AAD\Public Extension Host";RecordPrefix=@("*.hosting")} $acrCertInfo = @{Path="$publicCertRoot\AAD\Container Registry";RecordPrefix=@("*.azsacr")} $adfsCertInfo = @{Path="$publicCertRoot\ADFS\ADFS";RecordPrefix=@("adfs")} $graphCertInfo = @{Path="$publicCertRoot\ADFS\Graph";RecordPrefix=@("graph")} $armADFSPublicCertInfo = @{Path="$publicCertRoot\ADFS\ARM Public";RecordPrefix=@("management")} $armADFSAdminCertInfo = @{Path="$publicCertRoot\ADFS\ARM Admin";RecordPrefix=@("adminmanagement")} $publicADFSPortalCertInfo = @{Path="$publicCertRoot\ADFS\Public Portal";RecordPrefix=@("portal")} $adminADFSPortalCertInfo = @{Path="$publicCertRoot\ADFS\Admin Portal";RecordPrefix=@("adminportal")} $keyvaultADFSCertInfo = @{Path="$publicCertRoot\ADFS\KeyVault";RecordPrefix=@("*.vault")} $keyvaultADFSAdminCertInfo = @{Path="$publicCertRoot\ADFS\KeyVaultInternal";RecordPrefix=@("*.adminvault")} $acsTableADFSCertInfo = @{Path="$publicCertRoot\ADFS\ACSTable";RecordPrefix=@("*.table")} $acsQueueADFSCertInfo = @{Path="$publicCertRoot\ADFS\ACSQueue";RecordPrefix=@("*.queue")} $acsBlobADFSCertInfo = @{Path="$publicCertRoot\ADFS\ACSBlob";RecordPrefix=@("*.blob")} $adminHostingADFSCertInfo = @{Path="$publicCertRoot\ADFS\Admin Extension Host";RecordPrefix=@("*.adminhosting")} $publicHostingADFSCertInfo = @{Path="$publicCertRoot\ADFS\Public Extension Host";RecordPrefix=@("*.hosting")} $acrADFSCertInfo = @{Path="$publicCertRoot\ADFS\Container Registry";RecordPrefix=@("*.azsacr")} } else { Write-VerboseLog $LocalizedData.CreatingExternalSelfSignedCerts } # getting rootCert thumbprint $rootCertThumbprint = New-SelfSignedRootCert -DnsRecord "$RegionExternalFQDN" -CertificatePassword $CertificatePassword # AAD certs New-SelfSignedCertificateWrapper -OutFilePath $armPublicCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $armPublicCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $armAdminCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $armAdminCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $publicPortalCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $publicPortalCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $adminPortalCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $adminPortalCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $keyvaultCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $keyvaultCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $keyvaultAdminCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $keyvaultAdminCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint #Creating three different ACS certs for Blob, Queue and Table: Another option is customers can provide one wilcard cert for all these three New-SelfSignedCertificateWrapper -OutFilePath $acsTableCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $acsTableCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $acsQueueCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $acsQueueCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $acsBlobCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $acsBlobCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint #Creating two additional Extension Host Certs New-SelfSignedCertificateWrapper -OutFilePath $adminHostingCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $adminHostingCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $publicHostingCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $publicHostingCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint #Creating Container Registry cert, which is optional but required in BCDR pipeline New-SelfSignedCertificateWrapper -OutFilePath $acrCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $acrCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint # ADFS certs New-SelfSignedCertificateWrapper -OutFilePath $adfsCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $adfsCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $graphCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $graphCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $armADFSPublicCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $armADFSPublicCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $armADFSAdminCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $armADFSAdminCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $publicADFSPortalCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $publicADFSPortalCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $adminADFSPortalCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $adminADFSPortalCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $keyvaultADFSCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $keyvaultADFSCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $keyvaultADFSAdminCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $keyvaultADFSAdminCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint #Creating three different ACS certs for Blob, Queue and Table: Another option is customers can provide one wilcard cert for all these three New-SelfSignedCertificateWrapper -OutFilePath $acsTableADFSCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $acsTableADFSCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $acsQueueADFSCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $acsQueueADFSCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $acsBlobADFSCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $acsBlobADFSCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint #Creating two additional Extension Host Certs New-SelfSignedCertificateWrapper -OutFilePath $adminHostingADFSCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $adminHostingADFSCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $publicHostingADFSCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $publicHostingADFSCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint #Creating Container Registry cert, which is optional but required in BCDR pipeline New-SelfSignedCertificateWrapper -OutFilePath $acrADFSCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $acrADFSCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint } function Test-AzureStackCerts { Param ( [Parameter(Mandatory=$true)] [SecureString] $CertificatePassword, [Parameter(Mandatory=$true)] [string] $ExpectedDomainFQDN, [Parameter(Mandatory=$false)] [bool] $UseADFS = $false, [Parameter(Mandatory=$false)] [bool] $isACRInstalled = $false, [Parameter(Mandatory=$false)] [bool] $WarnOnSelfSigned = $true, [Parameter(Mandatory=$false)] [string] $PfxFilesPath, [Parameter(Mandatory=$false)] [Alias('SecretRotation')] [ValidateSet('SameRootOnly','AnyTrustedRoot','')] [string] $RootValidation = '' ) $thisFunction = $MyInvocation.MyCommand.Name $publicCertHelperModuleVersion = $MyInvocation.MyCommand.Module.Version if (!$PfxFilesPath) { Write-Log -Message ($LocalizedData.ValidatingCerts -f $publicCertHelperModuleVersion) -Type Info -Function $thisfunction } else { # we are in external cert rotation, need to use path provided by customer Write-Log -Message ($LocalizedData.ValidatingCerts -f $publicCertHelperModuleVersion) -Type Info -Function $thisfunction $publicCertRoot = $PfxFilesPath $armPublicCertInfo = @{Path="$publicCertRoot\AAD\ARM Public";RecordPrefix=@("management")} $armAdminCertInfo = @{Path="$publicCertRoot\AAD\ARM Admin";RecordPrefix=@("adminmanagement")} $publicPortalCertInfo = @{Path="$publicCertRoot\AAD\Public Portal";RecordPrefix=@("portal")} $adminPortalCertInfo = @{Path="$publicCertRoot\AAD\Admin Portal";RecordPrefix=@("adminportal")} $keyvaultCertInfo = @{Path="$publicCertRoot\AAD\KeyVault";RecordPrefix=@("*.vault")} $keyvaultAdminCertInfo = @{Path="$publicCertRoot\AAD\KeyVaultInternal";RecordPrefix=@("*.adminvault")} $acsTableCertInfo = @{Path="$publicCertRoot\AAD\ACSTable";RecordPrefix=@("*.table")} $acsQueueCertInfo = @{Path="$publicCertRoot\AAD\ACSQueue";RecordPrefix=@("*.queue")} $acsBlobCertInfo = @{Path="$publicCertRoot\AAD\ACSBlob";RecordPrefix=@("*.blob")} $adminHostingCertInfo = @{Path="$publicCertRoot\AAD\Admin Extension Host";RecordPrefix=@("*.adminhosting")} $publicHostingCertInfo = @{Path="$publicCertRoot\AAD\Public Extension Host";RecordPrefix=@("*.hosting")} $acrCertInfo = @{Path="$publicCertRoot\AAD\Container Registry";RecordPrefix=@("*.azsacr")} $adfsCertInfo = @{Path="$publicCertRoot\ADFS\ADFS";RecordPrefix=@("adfs")} $graphCertInfo = @{Path="$publicCertRoot\ADFS\Graph";RecordPrefix=@("graph")} $armADFSPublicCertInfo = @{Path="$publicCertRoot\ADFS\ARM Public";RecordPrefix=@("management")} $armADFSAdminCertInfo = @{Path="$publicCertRoot\ADFS\ARM Admin";RecordPrefix=@("adminmanagement")} $publicADFSPortalCertInfo = @{Path="$publicCertRoot\ADFS\Public Portal";RecordPrefix=@("portal")} $adminADFSPortalCertInfo = @{Path="$publicCertRoot\ADFS\Admin Portal";RecordPrefix=@("adminportal")} $keyvaultADFSCertInfo = @{Path="$publicCertRoot\ADFS\KeyVault";RecordPrefix=@("*.vault")} $keyvaultADFSAdminCertInfo = @{Path="$publicCertRoot\ADFS\KeyVaultInternal";RecordPrefix=@("*.adminvault")} $acsTableADFSCertInfo = @{Path="$publicCertRoot\ADFS\ACSTable";RecordPrefix=@("*.table")} $acsQueueADFSCertInfo = @{Path="$publicCertRoot\ADFS\ACSQueue";RecordPrefix=@("*.queue")} $acsBlobADFSCertInfo = @{Path="$publicCertRoot\ADFS\ACSBlob";RecordPrefix=@("*.blob")} $adminHostingADFSCertInfo = @{Path="$publicCertRoot\ADFS\Admin Extension Host";RecordPrefix=@("*.adminhosting")} $publicHostingADFSCertInfo = @{Path="$publicCertRoot\ADFS\Public Extension Host";RecordPrefix=@("*.hosting")} $acrADFSCertInfo = @{Path="$publicCertRoot\ADFS\Container Registry";RecordPrefix=@("*.azsacr")} } if($UseADFS) { $allCertInfo = @( $adfsCertInfo, $graphCertInfo, $armADFSPublicCertInfo, $armADFSAdminCertInfo, $publicADFSPortalCertInfo, $adminADFSPortalCertInfo, $keyvaultADFSCertInfo, $keyvaultADFSAdminCertInfo, $acsTableADFSCertInfo, $acsQueueADFSCertInfo, $acsBlobADFSCertInfo, $adminHostingADFSCertInfo, $publicHostingADFSCertInfo ) # Validate ACR Certificate only if ACR has been installed on the stamp if($isACRInstalled) { $allCertInfo += $acrADFSCertInfo } } else { $allCertInfo = @( $armPublicCertInfo, $armAdminCertInfo, $publicPortalCertInfo, $adminPortalCertInfo, $keyvaultCertInfo, $keyvaultAdminCertInfo, $acsTableCertInfo, $acsQueueCertInfo, $acsBlobCertInfo, $adminHostingCertInfo, $publicHostingCertInfo ) # Validate ACR Certificate only if ACR has been installed on the stamp if($isACRInstalled) { $allCertInfo += $acrCertInfo } } $allCertResults = @() $allCertResults += $allCertInfo | ForEach-Object { ` Write-Log -Message "Launching Test-Certificate with Path = $($PSITEM.path), ExpectedPrefix = $($PSITEM.RecordPrefix), ExpectedDomainFQDN = $ExpectedDomainFQDN, WarnOnSelfSigned = $WarnOnSelfSigned, RootValidation = $RootValidation" -Type Info -Function $thisfunction $testCertificateParams = @{ CertificatePath = $PSITEM.Path CertificatePassword = $CertificatePassword certConfig = @{DNSName = $PSITEM.RecordPrefix;IncludeTests = 'All';ExcludeTests = 'CNG Key';pfxPath = $PSITEM.path} ExpectedDomainFQDN = $ExpectedDomainFQDN WarnOnSelfSigned = $WarnOnSelfSigned RootValidation = $RootValidation } Test-Certificate @testCertificateParams } return $allCertResults } function Test-Certificate { Param ( # Path of folder which contains the cert [Parameter(Mandatory=$true)] [string] $CertificatePath, [Parameter(Mandatory=$true)] [SecureString] $CertificatePassword, [Parameter(Mandatory=$true)] [string] $ExpectedDomainFQDN, [Parameter(Mandatory=$false)] [bool] $WarnOnSelfSigned = $true, [Parameter(Mandatory=$false)] [Alias('SecretRotation')] [ValidateSet('SameRootOnly','AnyTrustedRoot','')] [string] $RootValidation = '', [Parameter(Mandatory=$false)] [Hashtable]$certConfig ) $thisFunction = $MyInvocation.MyCommand.Name $ErrorActionPreference = 'SilentlyContinue' if(-not (Test-Path -Path $CertificatePath)) { # Terminating error for install, need to throw throw ($LocalizedData.IncorrectPath -f $CertificatePath) } $script:pfxFile = Get-ChildItem -Path $CertificatePath -Filter '*.pfx' | ForEach-Object FullName Write-Log -Message "Test PFX Certificate $pfxfile" -Type info -Function $thisFunction if($pfxFile.Count -ne 1) { # Terminating error for install Write-Log -Message ($LocalizedData.MoreThanOneCert -f $CertificatePath) -Type Error -Function $thisFunction } if(-not (Test-Path -Path $pfxFile)) { # Terminating error for install Write-Log ($LocalizedData.MissingCertificate) -Type Error -Function $thisFunction } if ((Get-Command Get-Content).Parameters.AsByteStream) { [byte[]]$pfxBinary = Get-Content -Path $pfxFile -AsByteStream } else { [byte[]]$pfxBinary = Get-Content -Path $pfxFile -Encoding Byte } #$certConfig.pfxPath = $pfxFile $params = @{ CertificateBinary = $pfxBinary CertificatePassword = $CertificatePassword ExpectedDomainFQDN = $ExpectedDomainFQDN WarnOnSelfSigned = $WarnOnSelfSigned RootValidation = $RootValidation certConfig = $certConfig } Test-AzsCertificate @params } function Test-AzsCertificate { Param ( [Parameter(Mandatory=$true)] [ValidateNotNull()] [byte[]] $CertificateBinary, [Parameter(Mandatory=$false)] [ValidateNotNull()] [SecureString] $CertificatePassword, [Parameter(Mandatory=$false)] [string] $ExpectedDomainFQDN, [Parameter(Mandatory=$false)] [bool] $WarnOnSelfSigned = $true, [Parameter(Mandatory=$false)] [Alias('SecretRotation')] [ValidateSet('SameRootOnly','AnyTrustedRoot','')] [string] $RootValidation = '', [Parameter(Mandatory=$false)] [Hashtable]$certConfig ) $thisFunction = $MyInvocation.MyCommand.Name $results = @() $ExpectedPrefix = $certConfig.DnsName # Get Relative Path # Depending on the entry point (deployment, secret rotation, standalone) the path can be in 1 of 2 places if ($pfxFile -or $certConfig.pfxPath) { if ($pfxFile) { $pf = Get-item -Path $pfxFile } else { $pf = Get-item -Path $certConfig.pfxPath } $pathValue = $pf.Directory.Name + '\' + $pf.name Write-Host "Testing: $pathValue" # Check PFX encryption first in case we have difficulty with encryption used and defer printing result until after import attempt for formatting purposes $pfxEncryptCheck = Test-PFXEncryption -pfxfile $pf.fullname -pfxpassword $certificatePassword -certConfig $certConfig $results += $pfxEncryptCheck if ($pfxEncryptCheck.result -eq 'Fail') { Write-Result -in $pfxEncryptCheck Write-Result -in $results.failureDetail throw "Unable to continue until PFX Encryption is TripleDES-SHA1" } } # Begin Checks $ErrorActionPreference = 'Stop' # make sure errors are not suppressed during import. if ($CertificatePassword) { try { $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertificateBinary, $CertificatePassword, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet) $includePFXChecks = $true } catch { # if the exception is bad password and encryption check failed/warned, give additional help about ensuring Triple-DES encryption. if ($_.Exception.ErrorRecord -match 'The specified network password is not correct' -and $pfxEncryptCheck.result -ne 'OK') { Write-Log -Message ($LocalizedData.BadPasswordAndUnknownEncryption -f $_.Exception.Message.Replace("`r`n","")) -Type Error -Function $thisFunction throw ($LocalizedData.BadPasswordAndUnknownEncryption -f $_.Exception.Message.Replace("`r`n","")) } elseif ($_.Exception.ErrorRecord -match 'Cannot find the requested object') { Write-Log -Message ($LocalizedData.ErrorOnX509Import) -Type Error -Function $thisFunction throw $LocalizedData.ErrorOnX509Import } else { Write-Log -Message ("Importing Certificate failed with message: {0}" -f $_.Exception.Message.Replace("`r`n","")) -Type Error -Function $thisFunction throw ("Importing Certificate failed with message: {0}" -f $_.Exception.Message.Replace("`r`n","")) } } } else { $cert.Import($CertificateBinary) $includePFXChecks = $false } Write-Host ("Thumbprint: {0}" -f ($cert | Get-ThumbprintMask)) # if PFXEncryption Check exists write the result to screen. if ($pfxEncryptCheck) { Write-Result -in $pfxEncryptCheck } $ErrorActionPreference = 'SilentlyContinue' #Setting erroraction to continue so tests can complete and user gets full break down of all issues. $expiryCheck = Test-CertificateExpiry -cert $cert -certConfig $certConfig Write-Result -in $expiryCheck $results += $expiryCheck $signatureAlgorithmCheck = Test-SignatureAlgorithm -x509 $cert -certConfig $certConfig Write-Result -in $signatureAlgorithmCheck $results += $signatureAlgorithmCheck $dnsNamesCheck = Test-DnsNames -cert $cert -ExpectedDomainFQDN $ExpectedDomainFQDN -certConfig $certConfig Write-Result -in $dnsNamesCheck $results += $dnsNamesCheck $keyUsageCheck = Test-KeyUsage -cert $cert -certConfig $certConfig Write-Result -in $keyUsageCheck $results += $keyUsageCheck $keySizeCheck = Test-KeySize -cert $cert -certConfig $certConfig Write-Result -in $keySizeCheck $results += $keySizeCheck $httpCDPCheck = Test-HttpCdp -cert $cert -certConfig $certConfig Write-Result -in $httpCDPCheck $results += $httpCDPCheck if ($includePFXChecks) { $pfxParseResult = Test-Pfx -certificateBinary $CertificateBinary -certificatePassword $certificatePassword if ($pfxParseResult.Result -eq 'Fail') { Write-Log -Message ("Unable to Parse PFX. Ensure PFX is correctly formatted. Error: {0}" -f ($pfxParseResult.failureDetail -join ';')) -Type Error -Function $thisFunction throw ("Unable to Parse PFX. Ensure PFX is correctly formatted. Error: {0}" -f ($pfxParseResult.failureDetail -join ';')) } $pfxData = $pfxParseResult.outputObject $pfxParseResult.outputObject = "" # clear the output object Write-Result -in $pfxParseResult $results += $pfxParseResult $privateKeyCheck = Test-PrivateKey -cert $cert -certConfig $certConfig Write-Result -in $privateKeyCheck $results += $privateKeyCheck $selfSignedCheck = Test-CertificateChain -pfxData $pfxData -certConfig $certConfig Write-Result -in $selfSignedCheck $results += $selfSignedCheck $chainOrderCheck = Test-CertificateChainOrder -pfxData $pfxData -certConfig $certConfig Write-Result -in $chainOrderCheck $results += $chainOrderCheck # Only run check for other certificates if cert chain is good and dnsnames are good to avoid noise. if ($selfSignedCheck.result -eq 'OK' -AND $dnsNamesCheck.result -eq 'OK') { $otherCertificateCheck = Test-OtherCertificates -pfxData $pfxData -ExpectedPrefix $ExpectedPrefix -ExpectedDomainFQDN $ExpectedDomainFQDN -certConfig $certConfig } Else { $hash = @{'Test' = 'Other Certificates'; 'Result' = 'Skipped'; 'FailureDetail' = $LocalizedData.TestOtherCertificatesSkipped; 'outputObject' = $null} $otherCertificateCheck = New-Object PSObject -Property $hash } Write-Result -in $otherCertificateCheck $results += $otherCertificateCheck if (-not $standalone -AND $RootValidation -ne '') { if ($RootValidation -eq 'SameRootOnly') { $rootCheck = Test-CertificateRoot -pfx $pfxData -certConfig $certConfig Write-Result -in $rootCheck $results += $rootCheck } else { #Check trust without using pfx as extra store $chainTest = Test-TrustedChain -cert $cert -retryCount 3 -intervalSeconds 5 -certConfig $certConfig if ($chainTest.Result -eq 'Fail') { #create certificate collection object $collection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection $pfxdata.EndEntityCertificates + $pfxData.OtherCertificates | ForEach-Object {$collection.add($_) | Out-Null} #create new chain $chain = New-Object Security.Cryptography.X509Certificates.X509Chain $chain.ChainPolicy.ExtraStore.AddRange($collection) #Check trust with pfx as extra store $chainTest = Test-TrustedChain -chain $chain -cert $cert -retryCount 3 -intervalSeconds 5 } else { Write-Log -Message ("Chain trust passed with {0} - {1}. No further action." -f $chainTest.Result,($chainTest.Chain.ChainStatus.Status -join ',')) -Type Info -Function $thisFunction } Write-Result -in $chainTest $results += $chainTest } } } # add relative path, thumbprint, certificateID $results | add-member -NotePropertyName CertificateId -NotePropertyValue ([guid]::NewGuid().ToString()) $results | add-member -NotePropertyName Path -NotePropertyValue $pathValue $results | add-member -NotePropertyName Thumbprint -NotePropertyValue $($cert | Get-ThumbprintMask) if ($results.result -match "Fail|Warning") { Write-Result -in $results.failureDetail } return $results } function Test-Pfx { param ([byte[]]$certificateBinary, [securestring]$certificatePassword) $thisFunction = $MyInvocation.MyCommand.Name $test = 'Parse PFX' Write-Log -Message "Parse PFX binary with password" -Type Info -Function $thisFunction $parseResult = Open-PfxData -certificateBinary $certificateBinary -certificatePassword $certificatePassword if ($parseResult.Success) { $tmpParseResult = Open-PfxData -certificateBinary $certificateBinary if ($tmpParseResult.Success) { $result = 'Warning' $failureDetail = ($LocalizedData.UnprotectedPublicCertInfo) Write-Log -Message $LocalizedData.UnprotectedPublicCertInfo -Type Warning -Function $thisFunction } else { $result = 'OK' if ($tmpParseResult.ErrorCode -eq 86) { Write-Log -Message "Parsing PFX binary privacy success" -Type Info -Function $thisFunction } else { Write-Log -Message ("Parsing PFX binary without password with error code 0x{0:x}" -f $($tmpParseResult.ErrorCode)) -Type Warn -Function $thisFunction } } } else { $result = 'Fail' if ($parseResult.ErrorCode -in @(0x80092002, 0x0D)) { $failureDetail = "Pfx data is Invalid" # Terminating error for install Write-Log -Message "Pfx data is Invalid" -Type Error -Function $thisFunction } elseif ($parseResult.ErrorCode -eq 86) { $failureDetail = "Pfx password is Invalid" # Terminating error for install Write-Log -Message $failureDetail -Type Error -Function $thisFunction } else { # Terminating error for install $errorMessage = "Parsing PFX binary with error code 0x{0:x}" -f $($parseResult.ErrorCode) $failureDetail = $errorMessage Write-Log -Message $errorMessage -Type Error -Function $thisFunction } } $hash = @{'Test' = $test; 'Result' = $result; 'FailureDetail' = $failureDetail; 'outputObject' = $parseResult} $object = New-Object PSObject -Property $hash $object } function Test-SignatureAlgorithm { param ([System.Security.Cryptography.X509Certificates.X509Certificate2]$x509,[Hashtable]$certConfig) # Name for log and name for test $thisFunction = $MyInvocation.MyCommand.Name $test = 'Signature Algorithm' # config to run test by if ($certConfig.HashAlgorithm -eq 'default' -or $null -eq $certConfig.HashAlgorithm) { $blockedAlgorithms = 'SHA1RSA' } else { $blockedAlgorithms = $certConfig.HashAlgorithm Write-Log -Message ('Using user-defined Signature Algorithms {0} for test.' -f ($blockedAlgorithms -join ',')) -Type Info -Function $thisFunction } # run test if applicable if (!$certConfig -or (($certConfig.IncludeTests -eq 'All' -or $test -in $certConfig.IncludeTests) -and $test -notin $certConfig.ExcludeTests)) { Write-Log -Message ('Checking Signature Algorithm is not {0}' -f ($blockedAlgorithms -join ',')) -Type Info -Function $thisFunction $signatureAlgorithm = $x509.SignatureAlgorithm.FriendlyName Write-Log -Message ('Signature Algorithm is {0}' -f $signatureAlgorithm) -Type Info -Function $thisFunction if ($signatureAlgorithm -in $blockedAlgorithms) { $result = 'Fail' $failureDetail = ($LocalizedData.SignatureAlgorithmInvalid -f $signatureAlgorithm, ($blockedAlgorithms -join ',')) Write-Log -Message $failureDetail -Type Warn -Function $thisFunction } else { $result = 'OK' Write-Log -Message ('Signature Algorithm is not {0}' -f ($blockedAlgorithms -join ',')) -Type Info -Function $thisFunction } } else { $result = 'SkippedByConfig' $failureDetail = ($LocalizedData.SkippedByConfig -f $test) Write-Log -Message $failureDetail -Type Info -Function $thisFunction } # return output $hash = @{'Test' = $test; 'Result' = $result; 'FailureDetail' = $failureDetail; 'outputObject' = $null} $object = New-Object PSObject -Property $hash $object } function Test-PrivateKey { param ([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert,[Hashtable]$certConfig) $thisFunction = $MyInvocation.MyCommand.Name $test = 'Private Key' if (!$certConfig -or (($certConfig.IncludeTests -eq 'All' -or $test -in $certConfig.IncludeTests) -and $test -notin $certConfig.ExcludeTests)) { $privateKeyFailed = @() $failureDetail = @() try { Write-Log -Message 'Checking Private Key exists' -Type Info -Function $thisFunction if(-not $cert.HasPrivateKey) { $privateKeyFailed += $true $failureDetail += ($LocalizedData.NoPrivateKey) Write-Log -Message ($LocalizedData.NoPrivateKey) -Type Warn -Function $thisFunction } Else { # Check if certificate has been exported from user store. Write-Log -Message 'Private Key Exists, checking Local Machine Key Attribute' -Type Info -Function $thisFunction $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert) Write-Log -Message ('Private Key Provider: {0}' -f $key.Key.Provider) -Type Info -Function $thisFunction if(-not $key.Key.IsMachineKey) { $privateKeyFailed += $true $failureDetail += ($LocalizedData.NotMachineKeyStore) Write-Log -Message ($LocalizedData.NotMachineKeyStore) -Type Warn -Function $thisFunction } else { $privateKeyFailed += $false Write-Log -Message 'Private Key Exists and Local Machine Key Attribute exists' -Type Info -Function $thisFunction } if('CNG key' -notin $certConfig.ExcludeTests) { Write-Log -Message 'Checking PaaS for CNG key...' -Type Info -Function $thisFunction if($key.Key.Provider -eq 'Microsoft Software Key Storage Provider') { $privateKeyFailed += $true $failureDetail += "CNG Certificate detected, support for this certificate type may not currently be available. Please use https://docs.microsoft.com/en-us/azure/azure-stack/azure-stack-get-pki-certs to generate the certificates." Write-Log -Message 'Microsoft Software Key Storage Provider cannot be used for this certificate.' -Type Warn -Function $thisFunction } } } } catch { $privateKeyFailed += $true $failureDetail += $_.exception.message Write-Log -Message $failureDetail -Type Warn -Function $thisFunction } if ($privateKeyFailed -notcontains $true) { $result = 'OK' } else { $result = 'Fail' } } else { $result = 'SkippedByConfig' $failureDetail = ($LocalizedData.SkippedByConfig -f $test) Write-Log -Message $failureDetail -Type Info -Function $thisFunction } $hash = @{'Test' = $test; 'Result' = $result; 'FailureDetail' = $failureDetail; 'outputObject' = $null} $object = New-Object PSObject -Property $hash $object } function Test-CertificateChain { param ([Hashtable]$pfxData,[Hashtable]$certConfig) $thisFunction = $MyInvocation.MyCommand.Name $test = 'Cert Chain' if (!$certConfig -or (($certConfig.IncludeTests -eq 'All' -or $test -in $certConfig.IncludeTests) -and $test -notin $certConfig.ExcludeTests)) { Write-Log -Message 'Checking Certificate chain' -Type Info -Function $thisFunction # Check for chain of trust. Not validating signature algorithm on root or intermediates $otherCertificates = $pfxData.OtherCertificates $cert = $pfxData.EndEntityCertificates if(-not $otherCertificates) { Write-Log -Message 'No other certificates found in pfx' -Type Info -Function $thisFunction if($cert.Issuer -eq $cert.Subject) { $failureDetail = ($LocalizedData.SelfSignedCertificate -f $cert.Subject) Write-Log -Message $failureDetail -Type Warn -Function $thisFunction $result = 'Fail' } else { $result = 'Fail' $failureDetail = ($LocalizedData.NoChainOfTrust) Write-Log -Message $failureDetail -Type Warn -Function $thisFunction } } else { if ($cert.Issuer -in $otherCertificates.subject) { $result = 'OK' Write-Log -Message ('The issuer certificate from {0} is included in the PFX' -f $cert.Issuer) -Type Info -Function $thisFunction } Else { $result = 'Fail' $failureDetail = ($LocalizedData.NoChainOfTrust) Write-Log -Message $failureDetail -Type Warn -Function $thisFunction } } } else { $result = 'SkippedByConfig' $failureDetail = ($LocalizedData.SkippedByConfig -f $test) Write-Log -Message $failureDetail -Type Info -Function $thisFunction } $hash = @{'Test' = $test; 'Result' = $result; 'FailureDetail' = $failureDetail; 'outputObject' = $null} $object = New-Object PSObject -Property $hash $object } function Test-DNSNames { param ([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert,$ExpectedDomainFQDN,[Hashtable]$certConfig) $thisFunction = $MyInvocation.MyCommand.Name $test = 'DNS Names' if (!$certConfig -or (($certConfig.IncludeTests -eq 'All' -or $test -in $certConfig.IncludeTests) -and $test -notin $certConfig.ExcludeTests)) { # Get the records between cn="<records>" $records = @() $records = $cert.DnsNameList.Unicode $recordsString = $records -join ', ' Write-Log -Message ('DNS Names on certificate: {0}' -f $recordsString) -Type Info -Function $thisFunction $dnsNameFailed = @() foreach($prefix in $certConfig.DnsName) { # make prefix and fqdn array and join by '.' because if one doesn't exist it will not leave periods. if ($ExpectedDomainFQDN) { $fullExpectedRecord = ($prefix,$ExpectedDomainFQDN) -join '.' } else { $fullExpectedRecord = $prefix } Write-Log -Message ('Testing for full expected record: {0}' -f $fullExpectedRecord) -Type Info -Function $thisFunction if($records -eq $fullExpectedRecord) { $dnsNameFailed += $false Write-Log -Message ('Records: {0} match: {1}' -f $recordsString,($fullExpectedRecord -join ', ')) -Type Info -Function $thisFunction continue } elseif ($records -eq "*." + $fullExpectedRecord.split('.',2)[1]) { $dnsNameFailed += $false Write-Log -Message ('Records: {0} match wildcard: {1}' -f $recordsString,("\*." + $fullExpectedRecord.split('.',2)[1])) -Type Info -Function $thisFunction } else { $failureDetail += ($LocalizedData.MissingRecord -f @($recordsString, $fullExpectedRecord)) Write-Log -Message $failureDetail -Type Warn -Function $thisFunction $dnsNameFailed += $true } if ($prefix -eq 'adfs') { Write-Log -Message ('Testing ADFS certificate subject {0} for ADFS compatability' -f $cert.subject) -Type Info -Function $thisFunction if ($cert.SubjectName -notlike '*.*') { $dnsNameFailed += $true $failureDetail += ($LocalizedData.DotlessADFSSubject -f $cert.Subject,$fullExpectedRecord) Write-Log -Message ($LocalizedData.DotlessADFSSubject -f $cert.Subject,$fullExpectedRecord) -Type Warn -Function $thisFunction } else { Write-Log -Message ('ADFS certificate subject {0} compatible for ADFS' -f $cert.subject) -Type Info -Function $thisFunction } } } if ($dnsNameFailed -notcontains $true) { $result = 'OK' } else { $result = 'Fail' $failureDetail += ($LocalizedData.CheckDocumentation) } } else { $result = 'SkippedByConfig' $failureDetail = ($LocalizedData.SkippedByConfig -f $test) Write-Log -Message $failureDetail -Type Info -Function $thisFunction } $hash = @{'Test' = $test; 'Result' = $result; 'FailureDetail' = $failureDetail; 'outputObject' = $null} $object = New-Object PSObject -Property $hash $object } function Test-KeyUsage { param ([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert,[hashtable]$certConfig) $thisFunction = $MyInvocation.MyCommand.Name $test = 'Key Usage' if (!$certConfig -or (($certConfig.IncludeTests -eq 'All' -or $test -in $certConfig.IncludeTests) -and $test -notin $certConfig.ExcludeTests)) { # Validating KeyUsage should have Digital Signature, and Key Encipherment. # EnhancedKeyUsage should have Server Authentication and Client Authentication # Data Encipherment no longer required if ($certConfig.KeyUsage -eq 'default' -or $null -eq $certConfig.KeyUsage) { Write-Log -Message ('Testing for default Key Usage') -Type Info -Function $thisFunction $keyUsageArray = $certificateDefaults.KeyUsage.Keys } else { [array]$keyUsageArray = $certConfig.KeyUsage } if ($certConfig.EnhancedKeyUsage -eq 'default' -or $null -eq $certConfig.EnhancedKeyUsage) { Write-Log -Message ('Testing for default Enhanced Key Usage') -Type Info -Function $thisFunction $enhancedKeyUsageArray = $certificateDefaults.EnhancedKeyUsage.Keys | Foreach-Object { $certificateDefaults.EnhancedKeyUsage[$PSITEM].Oid } } else { Write-Log -Message ('Testing for custom Enhanced Key Usage') -Type Info -Function $thisFunction $certConfig.EnhancedKeyUsage = $certConfig.EnhancedKeyUsage | Foreach-Object { ConvertTo-Oid $PSITEM } [array]$enhancedKeyUsageArray = $certConfig.EnhancedKeyUsage | Foreach-Object { $PSITEM.Value } } # Create emtpy arrays for result handling. $keyUsageFailed = @() $failureDetail = @() $keyUsage = $cert.Extensions.KeyUsages $enhancedKeyUsage = $cert.EnhancedKeyUsageList.ObjectId # Check KeyUsage Write-Log -Message ('Testing for expected Key Usage {0}' -f ($keyUsageArray -join ',')) -Type Info -Function $thisFunction Write-Log -Message ('Certificate key usage is {0}' -f ($keyUsage -join ',')) -Type Info -Function $thisFunction foreach ($requiredKeyUsage in $keyUsageArray) { if ($keyUsage -notmatch $requiredKeyUsage) { $keyUsageFailed += $true $failureDetail += ($LocalizedData.IncorrectKeyUsage -f $keyUsage,($requiredKeyUsage -join ',')) Write-Log -Message $failureDetail -Type Warn -Function $thisFunction } else { $keyUsageFailed += $false } } # Check Enhanced KeyUsage Write-Log -Message ('Testing for expected Enhanced Key Usage {0}' -f (($certConfig.EnhancedKeyUsage | Foreach-Object { "{0} ({1})" -f $PSITEM.FriendlyName,$PSITEM.Value }) -join ',')) -Type Info -Function $thisFunction Write-Log -Message ('Certificate Enhanced key usage is {0}' -f ($enhancedKeyUsage -join ',')) -Type Info -Function $thisFunction foreach ($requiredEku in $enhancedKeyUsageArray) { if ($enhancedKeyUsage -notcontains $requiredEku) { $keyUsageFailed += $true if ($enhancedKeyUsage) { $CertFriendlyNames = $cert.EnhancedKeyUsageList.FriendlyName | Foreach-Object {if (!$PSITEM) { 'Custom Oid' }else { $PSITEM }} $RequiredUsageStrings = $certConfig.EnhancedKeyUsage | Foreach-Object { "{0} ({1})" -f $PSITEM.FriendlyName,$PSITEM.Value } $failureDetail += ($LocalizedData.IncorrectEnhancedKeyUsage -f ($CertFriendlyNames -join ','),($RequiredUsageStrings -join ',')) Write-Log -Message $failureDetail -Type Warn -Function $thisFunction } else { $failureDetail += ($LocalizedData.IncorrectEnhancedKeyUsage -f '[Missing]',($enhancedKeyUsageArray -join ',')) Write-Log -Message $failureDetail -Type Warn -Function $thisFunction } } else { $keyUsageFailed += $false } } # Check overall results if ($keyUsageFailed -notcontains $true) { $result = 'OK' Write-Log -Message 'Certificate key usage succeeded' -Type Info -Function $thisFunction } else { $result = 'Fail' Write-Log -Message 'Certificate key usage failed' -Type Warn -Function $thisFunction } } else { $result = 'SkippedByConfig' $failureDetail = ($LocalizedData.SkippedByConfig -f $test) Write-Log -Message $failureDetail -Type Info -Function $thisFunction } $hash = @{'Test' = $test; 'Result' = $result; 'FailureDetail' = ($failureDetail | Sort-Object | Get-Unique); 'outputObject' = $null} $object = New-Object PSObject -Property $hash $object } function Test-CertificateChainOrder { param ([Hashtable]$pfxData,[Hashtable]$certConfig) $thisFunction = $MyInvocation.MyCommand.Name $test = 'Chain Order' if (!$certConfig -or (($certConfig.IncludeTests -eq 'All' -or $test -in $certConfig.IncludeTests) -and $test -notin $certConfig.ExcludeTests)) { Write-Log -Message 'Checking Certificate Chain Order' -Type Info -Function $thisFunction # Validating cert chain order $otherCertificates = $pfxData.OtherCertificates if ($otherCertificates[-1].Issuer -ne $otherCertificates[-1].Subject) { $result = 'Fail' $failureDetail = ($LocalizedData.IncorrectCertChainOrder) Write-Log -Message $failureDetail -Type Warn -Function $thisFunction } Else { $result = 'OK' Write-Log -Message 'Certificate Chain Order succeeded' -Type Info -Function $thisFunction } } else { $result = 'SkippedByConfig' $failureDetail = ($LocalizedData.SkippedByConfig -f $test) Write-Log -Message $failureDetail -Type Info -Function $thisFunction } $hash = @{'Test' = $test; 'Result' = $result; 'FailureDetail' = $failureDetail; 'outputObject' = $null} $object = New-Object PSObject -Property $hash $object } Function Test-OtherCertificates { param ([Hashtable]$pfxData,[string]$ExpectedDomainFQDN,[Hashtable]$certConfig) $test = 'Other Certificates' $thisFunction = $MyInvocation.MyCommand.Name if (!$certConfig -or (($certConfig.IncludeTests -eq 'All' -or $test -in $certConfig.IncludeTests) -and $test -notin $certConfig.ExcludeTests)) { Write-Log -Message "Checking Pfx file for additional certificates" -Type Info -Function $thisFunction $otherCertificates = $pfxData.OtherCertificates $cert = $pfxData.EndEntityCertificates $allcerts = $otherCertificates + @($cert) $otherCertificatesFailed = @() foreach ($prefix in $certConfig.DNSName) { # Apply literal to any wildcard on the expect DNSName. # make prefix and fqdn array and join by '.' because if one doesn't exist it will not leave periods. if ($ExpectedDomainFQDN) { $expectedDNSName = (($prefix,$ExpectedDomainFQDN) -join '.') -replace "\*", "\*" } else { $expectedDNSName = $prefix -replace "\*", "\*" } Write-Log -Message "Checking Pfx file for additional certificate with context of DNS Name: $prefix.$ExpectedDomainFQDN" -Type Info -Function $thisFunction # Find expected certificate according to DNSName literally or by matching wildcard. $targetCert = $allcerts | Where-Object {$_.dnsnamelist.unicode -match $expectedDNSName -OR $_.dnsnamelist.unicode -match "\*." + $expectedDNSName.split('.',2)[1]} # Remove all certs that are the target cert or an issuer of any certificate in the array. $unexpectedCerts = $allcerts | Where-Object {$_.Subject -notin $allcerts.Issuer -AND $_.thumbprint -ne $targetCert.Thumbprint} # Find expected certs for logging. $validCerts = $allcerts | Where-Object {$_.thumbprint -notin $unexpectedCerts.thumbprint} if ($unexpectedCerts) { $otherCertificatesFailed += $true $failureDetail += ($LocalizedData.UnwantedCertificatesInPfx -f ($unexpectedCerts | Get-ThumbprintMask),($validCerts | Get-ThumbprintMask)) Write-Log -Message $failureDetail -Type Warning -Function $thisFunction } Else { $otherCertificatesFailed += $false } } if ($otherCertificatesFailed -notcontains $true) { $result = 'OK' Write-Log -Message ('No additional certificates were detected. Validcert thumbprints {0}' -f ($validCerts | Get-ThumbprintMask)) -Type Info -Function $thisFunction } else { $result = 'Fail' } } else { $result = 'SkippedByConfig' $failureDetail = ($LocalizedData.SkippedByConfig -f $test) Write-Log -Message $failureDetail -Type Info -Function $thisFunction } $hash = @{'Test' = $test; 'Result' = $result; 'FailureDetail' = $failureDetail; 'outputObject' = $null} $object = New-Object PSObject -Property $hash $object } function Test-KeySize { param ([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert,[Hashtable]$certConfig) $test = 'Key Length' $thisFunction = $MyInvocation.MyCommand.Name if ($certConfig.KeyLength -eq 'default' -or $null -eq $certConfig.KeyLength) { $keySizeLowerLimit = 2048 } else { [int]$keySizeLowerLimit = $certConfig.KeyLength } if (!$certConfig -or (($certConfig.IncludeTests -eq 'All' -or $test -in $certConfig.IncludeTests) -and $test -notin $certConfig.ExcludeTests)) { #get the key length of the public key. $keySize = $cert.publickey.key.KeySize Write-Log -Message ("Checking Certificate for Key Length {0}" -f $keySizeLowerLimit) -Type Info -Function $thisFunction Write-Log -Message ("Certificate Key Length {0}" -f $keySize) -Type Info -Function $thisFunction if ($keySize -lt $keySizeLowerLimit) { $result = 'Fail' $failureDetail = ($LocalizedData.WrongKeySize -f $keySize,$keySizeLowerLimit) Write-Log -Message $failureDetail -Type Warn -Function $thisFunction } else { $result = 'OK' Write-Log -Message 'Certificate Key Length succeeded' -Type Info -Function $thisFunction } } else { $result = 'SkippedByConfig' $failureDetail = ($LocalizedData.SkippedByConfig -f $test) Write-Log -Message $failureDetail -Type Info -Function $thisFunction } $hash = @{'Test' = $test; 'Result' = $result; 'FailureDetail' = $failureDetail; 'outputObject' = $null} $object = New-Object PSObject -Property $hash $object } function Test-PFXEncryption { # mandatory check param ($pfxFile, [ValidateNotNullOrEmpty()][SecureString]$pfxpassword,[Hashtable]$certConfig) $test = 'PFX Encryption' $thisFunction = $MyInvocation.MyCommand.Name if (!$certConfig -or (($certConfig.IncludeTests -eq 'All' -or $test -in $certConfig.IncludeTests) -and $test -notin $certConfig.ExcludeTests)) { Write-Log -Message ("Checking PFX Encryption is tripleDES-SHA1.") -Type Info -Function $thisFunction $networkCredential = New-Object System.Net.NetworkCredential -ArgumentList @("", $pfxpassword) $plainCertPassword = $networkCredential.Password try { $cmd = "-p {0} -dumpPFX `"{1}`"" -f $plainCertPassword,$pfxfile $certutilOutputPath = "$ENV:TEMP\AzsRCCertUtil.log" $null = Start-Process -FilePath certutil.exe ` -ArgumentList $cmd ` -WindowStyle Hidden ` -PassThru ` -Wait ` -RedirectStandardOutput $certutilOutputPath $certutilOutput = Get-Content -path $certutilOutputPath $TripleDESMatch = $certutilOutput | Select-String -SimpleMatch "1.2.840.113549.1.12.1.3" if ($TripleDESMatch) { Write-Log -Message ('PFX {0} Encryption is tripleDES-SHA1. CertUtil output {1}' -f $pfxFile,($TripleDESMatch -join ' ::Match:: ')) -Type Info -Function $thisFunction $result = 'OK' } else { if ($certutilOutput -match 'CertUtil: Unknown arg: -dumppfx') { $failureDetail = $LocalizedData.DumpPfxParamFail $result = 'Skipped' } else { $failureDetail = $LocalizedData.IncorrectPFXEncryption -f (($certutilOutput | Select-String -SimpleMatch "1.2.840.113549") -join "` r`n::Match:: ") $result = 'Warning' } Write-Log -Message $failureDetail -Type Warn -Function $thisFunction } } catch { Write-Log -Message ('Unable to determine PFX encryption. Run CertUtil -dumppfx <filename> to check encryption. Checking PFX encryption failed with exception: {0}`n OID dump: {1}' -f $_.exception,(($certutilOutput | Select-String -SimpleMatch "1.2.840.113549") -join "` r`n::Match:: ")) -Type Warn -Function $thisFunction $failureDetail = $LocalizedData.IncorrectPFXEncryption $result = 'Fail' } finally { Remove-item $certutilOutputPath -Force Clear-Variable -Name pfxFile } } else { $result = 'SkippedByConfig' $failureDetail = ($LocalizedData.SkippedByConfig -f $test) Write-Log -Message $failureDetail -Type Info -Function $thisFunction } $hash = @{'Test' = $test; 'Result' = $result; 'FailureDetail' = $failureDetail; 'outputObject' = $null} $object = New-Object PSObject -Property $hash $object } function Get-CDP { param ([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert) $crlext = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'CRL Distribution Points' } $crldata = $crlext.RawData for ($i = 0 ; $i -lt $crldata.Count ; $i++) { if ($crldata[$i] -eq 0x86) { if ($crldata[$i + 1] -band 0x80) { #long length $start = $i + 3 $end = $crldata[$i + 2] + $start - 1 } else { #short length $start = $i + 2 $end = $crldata[$i + 1] + $start - 1 } [System.Text.Encoding]::ASCII.GetString($crldata[$start..$end]) } } } function Test-HttpCdp { # fail if CDP HTTP is not present # fail if CDP HTTP is not contactable param ([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert,[Hashtable]$certConfig) $thisFunction = $MyInvocation.MyCommand.Name $test = 'HTTP CRL' if (!$certConfig -or (($certConfig.IncludeTests -eq 'All' -or $test -in $certConfig.IncludeTests) -and $test -notin $certConfig.ExcludeTests)) { $cdps = Get-CDP -cert $cert $httpCdp = $cdps | Where-Object {$_ -like 'http://*'} Write-Log -Message 'Checking Http CDP EndPoint' -Type Info -Function $thisFunction $failureDetail = @() if ($cdps) { if ($httpCdp) { $result = 'OK' Write-Log -Message ('HTTP exists {0}. Success.' -f ($httpCdp -join ',')) -Type Info -Function $thisFunction } else { $result = 'Fail' $failureDetail += $LocalizedData.HttpCdpFail -f ($cdps -join ',') Write-Log -Message ($failureDetail -join '. ') -Type Error -Function $thisFunction } } Else { $result = 'Skipped' $failureDetail = ($LocalizedData.NoCDP) Write-Log -Message $failureDetail -Type Warn -Function $thisFunction } } else { $result = 'SkippedByConfig' $failureDetail = ($LocalizedData.SkippedByConfig -f $test) Write-Log -Message $failureDetail -Type Info -Function $thisFunction } $hash = @{'Test' = $test; 'Result' = $result; 'FailureDetail' = $failureDetail; 'outputObject' = $null} $object = New-Object PSObject -Property $hash $object } function Import-AzsCertificate { param ($pfxPath, [securestring]$pfxPassword, [string]$CertStoreLocation = 'cert:\localmachine\trust') $thisFunction = $MyInvocation.MyCommand.Name try { Write-Log -Message ('Importing PFX certificate from {0} to {1}' -f $pfxPath,$CertStoreLocation) -Type Info -Function $thisFunction $certificate = Import-PfxCertificate -Exportable -CertStoreLocation $CertStoreLocation -Password $pfxPassword -FilePath $pfxPath Write-Log -Message 'Import complete' -Type Info -Function $thisFunction } catch { Write-Log -Message ('Import failed: {0}' -f $_.exception) -Type Error -Function $thisFunction } $certificate } function Export-AzsCertificate { param ($filePath, $certPath, [securestring]$pfxPassword) $thisFunction = $MyInvocation.MyCommand.Name try { Write-Log -Message ('Exporting PFX certificate from {0} to {1}' -f $certPath,$filePath) -Type Info -Function $thisFunction $null = Export-PfxCertificate -FilePath $filePath -ChainOption BuildChain -Cert $certPath -Password $pfxPassword -NoProperties -Force -CryptoAlgorithmOption TripleDES_SHA1 Write-Log -Message 'Export complete' -Type Info -Function $thisFunction } catch { if ($_.CategoryInfo.Reason -eq 'ParameterBindingException' -AND $_.Exception.ErrorId -eq 'NamedParameterNotFound' -AND $_.Exception.ParameterName -eq 'CryptoAlgorithmOption') { Write-Log -Message 'Unable to force Crypto Algorithm to TripleDES_SHA1. Retrying with default value.' -Type Warn -Function $thisFunction $null = Export-PfxCertificate -FilePath $filePath -ChainOption BuildChain -Cert $certPath -Password $pfxPassword -NoProperties -Force Write-Log -Message 'Export complete' -Type Info -Function $thisFunction } else { Write-Log -Message ('Export failed: {0}' -f $_.exception) -Type Error -Function $thisFunction } } } function Write-Result { param([psobject]$in) if ($in.test) { Write-Host ("`t{0}: " -f $($in.Test)) -noNewLine if ($in.Result -eq 'OK') { Write-Host 'OK' -foregroundcolor Green } elseif ($in.Result -eq 'WARNING') { Write-Host 'Warning' -foregroundcolor Yellow } elseif ($in.Result -eq 'Skipped') { Write-Host 'Skipped' -foregroundcolor White } elseif ($in.Result -eq 'SkippedByConfig') { Write-Host 'SkippedByConfig' -foregroundcolor DarkGray } else { Write-Host 'Fail' -foregroundcolor Red } } else { Write-Host "`Details:" $in | ForEach-Object {if($_){Write-Host "[-] $_" -foregroundcolor Yellow}} Write-Host ("Additional help URL {0}" -f "https://aka.ms/AzsRemediateCerts") } } function Write-Log { param([string]$Message, [string]$Type = 'verbose', [string]$Function ) # if InstallAzureStackCommon is loaded and ScriptLog global variable exists, # we are in install and will push to install log, otherwise, do a standalone log $pii = $($ENV:USERDNSDOMAIN),$($ENV:COMPUTERNAME),$($ENV:USERNAME),$($ENV:USERDOMAIN) | Foreach-Object { if ($null -ne $PSITEM) { $PSITEM } } $redact = $pii -join '|' $message = [regex]::replace($Message,$redact,"[*redacted*]") if ((-not $standalone) -AND (Get-Module InstallAzureStackCommon) -AND (Get-Variable -Name ScriptLog -Scope Global -ea SilentlyContinue)) { if ($type -match 'verbose|info') { Write-VerboseLog $message } elseif ($type -eq 'warn') { Write-WarningLog $message } elseif ($type -eq 'error') { Write-TerminatingErrorLog $message } } Else { $outfile = "$PSScriptRoot\CertChecker.log" $entry = "[{0}] [{1}] [{2}] {3}" -f ([datetime]::now).tostring(), $type, $function, $Message $entry | Out-File -FilePath $outfile -Append -Force } } function Get-ThumbprintMask { [cmdletbinding()] [OutputType([string])] Param ([Parameter(ValueFromPipelinebyPropertyName=$True)]$thumbprint) Begin { $thumbprintMasks = @() } Process { $thumbprintMasks += foreach ($thumb in $thumbprint) { try { if (($thumb.length - 12) -gt 0) { $firstSix = $thumb.Substring(0,6) $lastSix = $thumb.Substring(($thumb.length - 6),6) $middleN = '*' * ($thumb.length - 12) $thumbprintMask = '{0}{1}{2}' -f $firstSix,$middleN, $lastSix } else { throw ("Error applying thumbprint mask from thumbprint starting with {0} and length of {1}" -f $thumbprint.Substring(0,10),$thumbprint.Length) } } catch { $_.exception } $thumbprintMask } } End { $thumbprintMasks -join ',' } } function Open-PfxData { param ([byte[]]$certificateBinary, [securestring]$certificatePassword) $thisFunction = $MyInvocation.MyCommand.Name $Source = @' using System; using System.Runtime.InteropServices; namespace AzureStack.PartnerToolkit { [StructLayout(LayoutKind.Sequential)] public struct CRYPT_DATA_BLOB { public int cbData; public IntPtr pbData; } public class Crypto { [DllImport("Crypt32.dll", SetLastError = true)] public static extern IntPtr PFXImportCertStore( ref CRYPT_DATA_BLOB pPfx, [MarshalAs(UnmanagedType.LPWStr)] String szPassword, uint dwFlags); [DllImport("Crypt32.DLL", SetLastError = true)] public static extern IntPtr CertEnumCertificatesInStore( IntPtr storeProvider, IntPtr prevCertContext ); [DllImport("Crypt32.dll", SetLastError = true)] public static extern Boolean CertCloseStore( IntPtr hCertStore, Int32 dwFlags ); [DllImport("CRYPT32.DLL", EntryPoint = "CertGetCertificateContextProperty", CharSet = CharSet.Unicode, SetLastError = true)] [return: MarshalAs(UnmanagedType.Bool)] public static extern Boolean CertGetCertificateContextProperty( [In] IntPtr pCertContext, [In] Int32 dwPropId, [Out] IntPtr pvData, [In, Out] ref Int32 pcbData); } } '@ Add-Type -TypeDefinition $Source -Language CSharp Write-Log -Message "Marshalling PFX binary..." -Type Verbose -Function $thisFunction $pPfxBinary = New-Object AzureStack.PartnerToolkit.CRYPT_DATA_BLOB $pPfxBinary.cbData = $certificateBinary.Length $pPfxBinary.pbData = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($certificateBinary.Length) [System.Runtime.InteropServices.Marshal]::Copy($certificateBinary, 0, $pPfxBinary.pbData, $certificateBinary.Length) Write-Log -Message "Convert cert password to string..." -Type Verbose -Function $thisFunction if ($certificatePassword) { $networkCredential = New-Object System.Net.NetworkCredential -ArgumentList @("", $certificatePassword) $plainCertPassword = $networkCredential.Password } else { $plainCertPassword = "" } try { # PKCS12_OBJECT_LOCATOR_ALL_IMPORT_FLAGS (0x8250) | CRYPT_EXPORTABLE (0x00000001) # PKCS12_OBJECT_LOCATOR_ALL_IMPORT_FLAGS = # PKCS12_ALWAYS_CNG_KSP (0x00000200) | # PKCS12_NO_PERSIST_KEY (0x00008000) | # PKCS12_IMPORT_SILENT (0x00000040) | # PKCS12_INCLUDE_EXTENDED_PROPERTIES (0x0010) $importFlag = 0x8251 Write-Log -Message "Parsing PFX binary with flag $importFlag ..." -Type Verbose -Function $thisFunction $hCertStore = [AzureStack.PartnerToolkit.Crypto]::PFXImportCertStore([ref]$pPfxBinary, $plainCertPassword, $importFlag) if ($hCertStore -eq [System.IntPtr]::Zero) { $ErrorCode = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error() if (-not $plainCertPassword) { # PKCS12_ONLY_NOT_ENCRYPTED_CERTIFICATES (0x0800) | PKCS12_INCLUDE_EXTENDED_PROPERTIES (0x00000010) $importFlag = 0x0810 Write-Log -Message "Parsing PFX binary with error. Try to parse without password with flag $importFlag again..." -Type Verbose -Function $thisFunction $hCertStore = [AzureStack.PartnerToolkit.Crypto]::PFXImportCertStore([ref]$pPfxBinary, $plainCertPassword, $importFlag) } if ($hCertStore -eq [System.IntPtr]::Zero) { return @{ Success = $false ErrorCode = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error() } } } Write-Log -Message "Retrieving the certs from the temp store..." -Type Verbose -Function $thisFunction $ret = @{ EndEntityCertificates = @() OtherCertificates = @() } $currentCertContext = 0 while ($true) { $currentCertContext = [System.IntPtr]([AzureStack.PartnerToolkit.Crypto]::CertEnumCertificatesInStore($hCertStore, $currentCertContext)) if ($currentCertContext -ne [System.IntPtr]::Zero) { $newCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @($currentCertContext) if (Get-EndEntityCertificate $currentCertContext) { $ret.EndEntityCertificates += @($newCert); } else { $ret.OtherCertificates += @($newCert); } continue } break } $ret.Success = $true return $ret } finally { if ($hCertStore -ne [System.IntPtr]::Zero) { if (-not ([AzureStack.PartnerToolkit.Crypto]::CertCloseStore($hCertStore, 0))) { $ErrorCode = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error() Write-Log -Message "Close cert store with error code $ErrorCode" -Type Warning -Function $thisFunction } } } } function Get-EndEntityCertificate { param ([System.IntPtr] $pCertificate) $privateKeyPropIds = @( 5, # CERT_KEY_CONTEXT_PROP_ID 2 # CERT_KEY_PROV_INFO_PROP_ID ) foreach ($propId in $privateKeyPropIds) { $cbData = 0 if ([AzureStack.PartnerToolkit.Crypto]::CertGetCertificateContextProperty( $pCertificate, $propId, [System.IntPtr]::Zero, [ref]$cbData)) { return $true } } return $false } function New-CertificateCollection { param ([hashtable]$pfxdata) $thisFunction = $MyInvocation.MyCommand.Name #create array of all certificates from pfx package $otherCertificates = $pfxData.OtherCertificates $cert = $pfxData.EndEntityCertificates $allcerts = $otherCertificates + @($cert) Write-Log -Message ('Building certificate collection.') -Type Info -Function $thisFunction # create collection of all certificates $collection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection $allcerts | ForEach-Object {$collection.add($PSITEM) | Out-Null} Write-Log -Message ('Building certificate collection complete.') -Type Info -Function $thisFunction #return collection return $collection } function Test-TrustedChain { #Function to test certificate chain, will retry (configurable) 3 times with (configurable) 5 seconds intervals param ([Security.Cryptography.X509Certificates.X509Chain]$chain,[System.Security.Cryptography.X509Certificates.X509Certificate2]$cert,[int]$retryCount = 3,[int]$intervalSeconds = 5,[Hashtable]$certConfig ) $thisFunction = $MyInvocation.MyCommand.Name $test = 'Trusted Chain' if (!$certConfig -or (($certConfig.IncludeTests -eq 'All' -or $test -in $certConfig.IncludeTests) -and $test -notin $certConfig.ExcludeTests)) { Write-Log -Message ('Testing Chain Trust for {0}' -f ($cert | Get-ThumbprintMask)) -Type Info -Function $thisFunction $failureDetail = @() try { #create empty chain is one was not passed to the function if(-not $chain) { $chain = New-Object Security.Cryptography.X509Certificates.X509Chain } if ($chain.ChainPolicy.extrastore) { Write-Log -Message $localizedData.ChainCheckExtraStore -Type Info -Function $thisfunction } else { Write-Log -Message $localizedData.ChainCheckNoStore -Type Info -Function $thisfunction } # If no CDP info exists on the certificate disable the revocation check. $cdpInfo = $cert.Extensions | Where-Object {$_.oid.Value -eq '2.5.29.31'} if (-not $cdpInfo) { $chain.ChainPolicy.RevocationMode = 'NoCheck' Write-Log -Message $localizedData.RevocationModeNoCheck -Type Warn -Function $thisfunction } else { Write-Log -Message $localizedData.RevocationModeDefault -Type Info -Function $thisfunction } # Attempt to build the chain do { $chainResult = $chain.build($cert) $chainFailureReasons = $chain.ChainStatus.status $retry++ #sleep if unsuccessful and none CRL error present if (-not $chainResult -AND $retry -lt $retryCount -AND $chainFailureReasons) { Write-Log -Message ($localizedData.ChainCheckRetry -f ($chainFailureReasons -join ','),$retry) -Type Warn -Function $thisfunction start-Sleep -Seconds $intervalSeconds } } while (-not $chainResult -AND $retry -le $retryCount) #Interpret result if ($chainResult) { Write-Log -Message $localizedData.ChainCheckSuccess -Type Info -Function $thisfunction $result = 'OK' } else { Write-Log -Message ($localizedData.ChainCheckFailed -f ($chainFailureReasons -join ',')) -Type Warn -Function $thisfunction $failureDetail = $chain.ChainStatus.StatusInformation -join '' $result = 'Fail' } # Downgrade result and add failure detail if revocation was disabled if ($chain.ChainPolicy.RevocationMode -eq 'NoCheck') { switch ( $result ) { 'OK' {$result = 'Warning'} 'Fail' {$result = 'Fail'} } $failureDetail += $localizedData.RevocationModeNoCheck } } catch { $result = 'Fail' $failureDetail = ($localizedData.TestException -f $test, $_.exception) Write-Log -Message $failureDetail -Type Warn -Function $thisFunction } finally { if ($chain) { $chain.Dispose() } } } else { $result = 'SkippedByConfig' $failureDetail = ($LocalizedData.SkippedByConfig -f $test) Write-Log -Message $failureDetail -Type Info -Function $thisFunction } $hash = @{'Result' = $result; 'test' = $test; 'failuredetail' = $failureDetail; 'outputObject' = $chain} $object = New-Object PSObject -Property $hash $object } function Test-CertificateRoot { #test if root is the same as stored on ercs machine param ($pfx, [ValidateScript({Test-Path -Path $_ -PathType Container})] $rootpath = "$ENV:SystemDrive\ExternalCerts\Root", [Hashtable]$certConfig ) $thisFunction = $MyInvocation.MyCommand.Name $test = 'Match Root' if (!$certConfig -or (($certConfig.IncludeTests -eq 'All' -or $test -in $certConfig.IncludeTests) -and $test -notin $certConfig.ExcludeTests)) { try { $rootCerts = Get-ChildItem -Path $rootpath -Recurse -Filter *.cer Write-Log -Message ($LocalizedData.RootCertificateFoundOnStamp -f $rootCerts.count, $rootpath) -Type Info -Function $thisFunction if (-not $rootCerts) { $result = 'Fail' $failureDetail = ($LocalizedData.RootCertNotOnDisk -f $rootpath) } else { foreach ($rootCert in $rootCerts) { Write-Log -Message ("Loading {0} for same root comparison" -f $rootCert.fullname) -Type Info -Function $thisFunction $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($rootCert.fullname) $rootThumbprint = $cert.Thumbprint $pfxIssuer = $pfx.OtherCertificates | Where-Object subject -eq $pfx.EndEntityCertificates.Issuer if ($pfxIssuer.thumbprint -eq $rootThumbprint) { Write-Log -Message ($LocalizedData.RootCertificateMatch -f ($pfxIssuer | Get-ThumbprintMask),($cert | Get-ThumbprintMask)) -Type Info -Function $thisFunction $result = 'OK' break } else { $failureDetail = $LocalizedData.RootCertificateNotMatch -f ($pfxIssuer | Get-ThumbprintMask),($cert | Get-ThumbprintMask) Write-Log -Message $failureDetail -Type Warn -Function $thisFunction $result = 'Fail' } } } } catch { $result = 'Fail' $failureDetail = ($localizedData.TestException -f $test, $_.exception.message) Write-Log -Message $failureDetail -Type Warn -Function $thisFunction } } else { $result = 'SkippedByConfig' $failureDetail = ($LocalizedData.SkippedByConfig -f $test) Write-Log -Message $failureDetail -Type Info -Function $thisFunction } $hash = @{'Result' = $result; 'test' = $test; 'failuredetail' = $failureDetail; 'outputObject' = $null} $object = New-Object PSObject -Property $hash $object } function Test-CertificateExpiry { # block if certificate expiry <= threshold (default 7 days) param ([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert,[int]$expiryThresholdDays = 7,[Hashtable]$certConfig) $thisFunction = $MyInvocation.MyCommand.Name $test = 'Expiry Date' if (!$certConfig -or (($certConfig.IncludeTests -eq 'All' -or $test -in $certConfig.IncludeTests) -and $test -notin $certConfig.ExcludeTests)) { try { $thresholdDateTime = [System.DateTime]::Now.AddDays($expiryThresholdDays) $certExpiry = $cert.NotAfter if ($certExpiry -le $thresholdDateTime) { $result = 'Fail' Write-Log -Message ($localizedData.ExpiryFailure -f $certExpiry,($cert | Get-ThumbprintMask),$thresholdDateTime ) -Type Warn -Function $thisFunction if ($certExpiry -le [System.DateTime]::Now) { $failureDetail = $localizedData.ExpiredFailureDetail } else { $failureDetail = $localizedData.ExpiryFailureDetail -f $certExpiry, $expiryThresholdDays } } else { $result = 'OK' Write-Log -Message ($localizedData.ExpirySuccess -f $certExpiry,($cert | Get-ThumbprintMask),$thresholdDateTime ) -Type Info -Function $thisFunction } } catch { $result = 'Fail' $failureDetail = ($localizedData.TestException -f $test, $_.exception.message) Write-Log -Message $failureDetail -Type Warn -Function $thisFunction } } else { $result = 'SkippedByConfig' $failureDetail = ($LocalizedData.SkippedByConfig -f $test) Write-Log -Message $failureDetail -Type Info -Function $thisFunction } $hash = @{'Result' = $result; 'test' = $test; 'failuredetail' = $failureDetail; 'outputObject' = $null} $object = New-Object PSObject -Property $hash $object } function ConvertTo-Oid { param ($in) $thisFunction = $MyInvocation.MyCommand.Name try { # user may have passed in Write-Log -Message $in -Type Info -Function $thisFunction if ($in -is [string]) { $oid = [System.Security.Cryptography.Oid]::new($in) if (!$oid.FriendlyName -or !$oid.Value) { throw ("Unable to convert {0} into Oid" -f $in) } } elseif ($in -is [Hashtable]) { $oid = $in.Keys | ForEach-Object { [System.Security.Cryptography.Oid]::new($in[$PSITEM],$PSITEM) } } else { throw ("Unable to convert {0} into Oid" -f $in) } return $oid } catch { throw ("Unable to convert {0} into Oid. Make sure the input has a valid name and Oid. Error {1}" -f $in,$_.exception.message) } } # SIG # Begin signature block # MIInkwYJKoZIhvcNAQcCoIInhDCCJ4ACAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG # KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCC7LZpSGdLoUJsn # RgFbiLz/beOuCnlh/cEApQ0gEACRMaCCDXYwggX0MIID3KADAgECAhMzAAADTrU8 # esGEb+srAAAAAANOMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD # VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25p # bmcgUENBIDIwMTEwHhcNMjMwMzE2MTg0MzI5WhcNMjQwMzE0MTg0MzI5WjB0MQsw # CQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9u # ZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYDVQQDExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB # AQDdCKiNI6IBFWuvJUmf6WdOJqZmIwYs5G7AJD5UbcL6tsC+EBPDbr36pFGo1bsU # p53nRyFYnncoMg8FK0d8jLlw0lgexDDr7gicf2zOBFWqfv/nSLwzJFNP5W03DF/1 # 1oZ12rSFqGlm+O46cRjTDFBpMRCZZGddZlRBjivby0eI1VgTD1TvAdfBYQe82fhm # WQkYR/lWmAK+vW/1+bO7jHaxXTNCxLIBW07F8PBjUcwFxxyfbe2mHB4h1L4U0Ofa # +HX/aREQ7SqYZz59sXM2ySOfvYyIjnqSO80NGBaz5DvzIG88J0+BNhOu2jl6Dfcq # jYQs1H/PMSQIK6E7lXDXSpXzAgMBAAGjggFzMIIBbzAfBgNVHSUEGDAWBgorBgEE # AYI3TAgBBggrBgEFBQcDAzAdBgNVHQ4EFgQUnMc7Zn/ukKBsBiWkwdNfsN5pdwAw # RQYDVR0RBD4wPKQ6MDgxHjAcBgNVBAsTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEW # MBQGA1UEBRMNMjMwMDEyKzUwMDUxNjAfBgNVHSMEGDAWgBRIbmTlUAXTgqoXNzci # tW2oynUClTBUBgNVHR8ETTBLMEmgR6BFhkNodHRwOi8vd3d3Lm1pY3Jvc29mdC5j # b20vcGtpb3BzL2NybC9NaWNDb2RTaWdQQ0EyMDExXzIwMTEtMDctMDguY3JsMGEG # CCsGAQUFBwEBBFUwUzBRBggrBgEFBQcwAoZFaHR0cDovL3d3dy5taWNyb3NvZnQu # Y29tL3BraW9wcy9jZXJ0cy9NaWNDb2RTaWdQQ0EyMDExXzIwMTEtMDctMDguY3J0 # MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggIBAD21v9pHoLdBSNlFAjmk # mx4XxOZAPsVxxXbDyQv1+kGDe9XpgBnT1lXnx7JDpFMKBwAyIwdInmvhK9pGBa31 # TyeL3p7R2s0L8SABPPRJHAEk4NHpBXxHjm4TKjezAbSqqbgsy10Y7KApy+9UrKa2 # kGmsuASsk95PVm5vem7OmTs42vm0BJUU+JPQLg8Y/sdj3TtSfLYYZAaJwTAIgi7d # hzn5hatLo7Dhz+4T+MrFd+6LUa2U3zr97QwzDthx+RP9/RZnur4inzSQsG5DCVIM # pA1l2NWEA3KAca0tI2l6hQNYsaKL1kefdfHCrPxEry8onJjyGGv9YKoLv6AOO7Oh # JEmbQlz/xksYG2N/JSOJ+QqYpGTEuYFYVWain7He6jgb41JbpOGKDdE/b+V2q/gX # UgFe2gdwTpCDsvh8SMRoq1/BNXcr7iTAU38Vgr83iVtPYmFhZOVM0ULp/kKTVoir # IpP2KCxT4OekOctt8grYnhJ16QMjmMv5o53hjNFXOxigkQWYzUO+6w50g0FAeFa8 # 5ugCCB6lXEk21FFB1FdIHpjSQf+LP/W2OV/HfhC3uTPgKbRtXo83TZYEudooyZ/A # Vu08sibZ3MkGOJORLERNwKm2G7oqdOv4Qj8Z0JrGgMzj46NFKAxkLSpE5oHQYP1H # tPx1lPfD7iNSbJsP6LiUHXH1MIIHejCCBWKgAwIBAgIKYQ6Q0gAAAAAAAzANBgkq # hkiG9w0BAQsFADCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24x # EDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlv # bjEyMDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5 # IDIwMTEwHhcNMTEwNzA4MjA1OTA5WhcNMjYwNzA4MjEwOTA5WjB+MQswCQYDVQQG # EwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwG # A1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSgwJgYDVQQDEx9NaWNyb3NvZnQg # Q29kZSBTaWduaW5nIFBDQSAyMDExMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC # CgKCAgEAq/D6chAcLq3YbqqCEE00uvK2WCGfQhsqa+laUKq4BjgaBEm6f8MMHt03 # a8YS2AvwOMKZBrDIOdUBFDFC04kNeWSHfpRgJGyvnkmc6Whe0t+bU7IKLMOv2akr # rnoJr9eWWcpgGgXpZnboMlImEi/nqwhQz7NEt13YxC4Ddato88tt8zpcoRb0Rrrg # OGSsbmQ1eKagYw8t00CT+OPeBw3VXHmlSSnnDb6gE3e+lD3v++MrWhAfTVYoonpy # 4BI6t0le2O3tQ5GD2Xuye4Yb2T6xjF3oiU+EGvKhL1nkkDstrjNYxbc+/jLTswM9 # sbKvkjh+0p2ALPVOVpEhNSXDOW5kf1O6nA+tGSOEy/S6A4aN91/w0FK/jJSHvMAh # dCVfGCi2zCcoOCWYOUo2z3yxkq4cI6epZuxhH2rhKEmdX4jiJV3TIUs+UsS1Vz8k # A/DRelsv1SPjcF0PUUZ3s/gA4bysAoJf28AVs70b1FVL5zmhD+kjSbwYuER8ReTB # w3J64HLnJN+/RpnF78IcV9uDjexNSTCnq47f7Fufr/zdsGbiwZeBe+3W7UvnSSmn # Eyimp31ngOaKYnhfsi+E11ecXL93KCjx7W3DKI8sj0A3T8HhhUSJxAlMxdSlQy90 # lfdu+HggWCwTXWCVmj5PM4TasIgX3p5O9JawvEagbJjS4NaIjAsCAwEAAaOCAe0w # ggHpMBAGCSsGAQQBgjcVAQQDAgEAMB0GA1UdDgQWBBRIbmTlUAXTgqoXNzcitW2o # ynUClTAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYD # VR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBRyLToCMZBDuRQFTuHqp8cx0SOJNDBa # BgNVHR8EUzBRME+gTaBLhklodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2Ny # bC9wcm9kdWN0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFfMDNfMjIuY3JsMF4GCCsG # AQUFBwEBBFIwUDBOBggrBgEFBQcwAoZCaHR0cDovL3d3dy5taWNyb3NvZnQuY29t # L3BraS9jZXJ0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFfMDNfMjIuY3J0MIGfBgNV # HSAEgZcwgZQwgZEGCSsGAQQBgjcuAzCBgzA/BggrBgEFBQcCARYzaHR0cDovL3d3 # dy5taWNyb3NvZnQuY29tL3BraW9wcy9kb2NzL3ByaW1hcnljcHMuaHRtMEAGCCsG # AQUFBwICMDQeMiAdAEwAZQBnAGEAbABfAHAAbwBsAGkAYwB5AF8AcwB0AGEAdABl # AG0AZQBuAHQALiAdMA0GCSqGSIb3DQEBCwUAA4ICAQBn8oalmOBUeRou09h0ZyKb # C5YR4WOSmUKWfdJ5DJDBZV8uLD74w3LRbYP+vj/oCso7v0epo/Np22O/IjWll11l # hJB9i0ZQVdgMknzSGksc8zxCi1LQsP1r4z4HLimb5j0bpdS1HXeUOeLpZMlEPXh6 # I/MTfaaQdION9MsmAkYqwooQu6SpBQyb7Wj6aC6VoCo/KmtYSWMfCWluWpiW5IP0 # wI/zRive/DvQvTXvbiWu5a8n7dDd8w6vmSiXmE0OPQvyCInWH8MyGOLwxS3OW560 # STkKxgrCxq2u5bLZ2xWIUUVYODJxJxp/sfQn+N4sOiBpmLJZiWhub6e3dMNABQam # ASooPoI/E01mC8CzTfXhj38cbxV9Rad25UAqZaPDXVJihsMdYzaXht/a8/jyFqGa # J+HNpZfQ7l1jQeNbB5yHPgZ3BtEGsXUfFL5hYbXw3MYbBL7fQccOKO7eZS/sl/ah # XJbYANahRr1Z85elCUtIEJmAH9AAKcWxm6U/RXceNcbSoqKfenoi+kiVH6v7RyOA # 9Z74v2u3S5fi63V4GuzqN5l5GEv/1rMjaHXmr/r8i+sLgOppO6/8MO0ETI7f33Vt # Y5E90Z1WTk+/gFcioXgRMiF670EKsT/7qMykXcGhiJtXcVZOSEXAQsmbdlsKgEhr # /Xmfwb1tbWrJUnMTDXpQzTGCGXMwghlvAgEBMIGVMH4xCzAJBgNVBAYTAlVTMRMw # EQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVN # aWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNp # Z25pbmcgUENBIDIwMTECEzMAAANOtTx6wYRv6ysAAAAAA04wDQYJYIZIAWUDBAIB # BQCgga4wGQYJKoZIhvcNAQkDMQwGCisGAQQBgjcCAQQwHAYKKwYBBAGCNwIBCzEO # MAwGCisGAQQBgjcCARUwLwYJKoZIhvcNAQkEMSIEIMOrcvL0sL7nm+MLO15BdSgJ # 8LaRkhVe0uc2dDeGK5vfMEIGCisGAQQBgjcCAQwxNDAyoBSAEgBNAGkAYwByAG8A # cwBvAGYAdKEagBhodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20wDQYJKoZIhvcNAQEB # BQAEggEAylsj3PBa0fzkz0U3r03KPKX9uyJxNT0MVgxzUqzPFNxecbzv0KtJu1/q # bhUAbke90P7fAGCIegygLYFu5vtap50Sj+/3qI+xmUQCit9dASi327/rP0vjC/Ms # kg9vKAWjD42dkf8SgqPF0pPfv9Rc+eOx2rxAmN5dWdKnCM/wPQTc1mMBLkqCb6K0 # x/EuOT73A/w4O5j2sTfXVoqSEmXpJ73Mwm2VnNKU78byM09ic4k/V5DfHGHCYxwa # 6JzDn0ZOgZIWH9gIW+SPeXVXnvuSjQvLAhZuRshGnl/rgsmsRsAfwZMOp2EX6JY6 # 5xZIQRbdGsvKl5FKVisEr1hE5WucfqGCFv0wghb5BgorBgEEAYI3AwMBMYIW6TCC # FuUGCSqGSIb3DQEHAqCCFtYwghbSAgEDMQ8wDQYJYIZIAWUDBAIBBQAwggFRBgsq # hkiG9w0BCRABBKCCAUAEggE8MIIBOAIBAQYKKwYBBAGEWQoDATAxMA0GCWCGSAFl # AwQCAQUABCCfLf8L53kwFlOyNHt8n3DUHAuAvA7q1v3jVi22Zl5rDgIGZMl6asrh # GBMyMDIzMDgwMzA4MjA0NC42MTdaMASAAgH0oIHQpIHNMIHKMQswCQYDVQQGEwJV # UzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UE # ChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSUwIwYDVQQLExxNaWNyb3NvZnQgQW1l # cmljYSBPcGVyYXRpb25zMSYwJAYDVQQLEx1UaGFsZXMgVFNTIEVTTjoxMkJDLUUz # QUUtNzRFQjElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUtU3RhbXAgU2VydmljZaCC # EVQwggcMMIIE9KADAgECAhMzAAAByk/Cs+0DDRhsAAEAAAHKMA0GCSqGSIb3DQEB # CwUAMHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQH # EwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNV # BAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwMB4XDTIyMTEwNDE5MDE0 # MFoXDTI0MDIwMjE5MDE0MFowgcoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNo # aW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29y # cG9yYXRpb24xJTAjBgNVBAsTHE1pY3Jvc29mdCBBbWVyaWNhIE9wZXJhdGlvbnMx # JjAkBgNVBAsTHVRoYWxlcyBUU1MgRVNOOjEyQkMtRTNBRS03NEVCMSUwIwYDVQQD # ExxNaWNyb3NvZnQgVGltZS1TdGFtcCBTZXJ2aWNlMIICIjANBgkqhkiG9w0BAQEF # AAOCAg8AMIICCgKCAgEAwwGcq9j50rWEkcLSlGZLweUVfxXRaUjiPsyaNVxPdMRs # 3CVe58siu/EkaVt7t7PNTPko/s8lNtusAeLEnzki44yxk2c9ekm8E1SQ2YV9b8/L # OxfKapZ8tVlPyxw6DmFzNFQjifVm8EiZ7lFRoY448vpcbBD18qjYNF/2Z3SQchcs # dV1N9Y6V2WGl55VmLqFRX5+dptdjreBXzi3WW9TsoCEWcYCBK5wYgS9tT2SSSTza # e3jmdw40g+LOIyrVPF2DozkStv6JBDPvwahXWpKGpO7rHrKF+o7ECN/ViQFMZyp/ # vxePiUABDNqzEUI8s7klYmeHXvjeQOq/CM3C/Y8bj3fJObnZH7eAXvRDnxT8R6W/ # uD1mGUJvv9M9BMu3nhKpKmSxzzO5LtcMEh2tMXxhMGGNMUP3DOEK3X+2/LD1Z03u # sJTk5pHNoH/gDIvbp787Cw40tsApiAvtrHYwub0TqIv8Zy62l8n8s/Mv/P764CTq # rxcXzalBHh+Xy4XPjmadnPkZJycp3Kczbkg9QbvJp0H/0FswHS+efFofpDNJwLh1 # hs/aMi1K/ozEv7/WLIPsDgK16fU/axybqMKk0NOxgelUjAYKl4wU0Y6Q4q9N/9Pw # AS0csifQhY1ooQfAI0iDCCSEATslD8bTO0tRtqdcIdavOReqzoPdvAv3Dr1XXQ8C # AwEAAaOCATYwggEyMB0GA1UdDgQWBBT6x/6lS4ESQ8KZhd0RgU7RYXM8fzAfBgNV # HSMEGDAWgBSfpxVdAF5iXYP05dJlpxtTNRnpcjBfBgNVHR8EWDBWMFSgUqBQhk5o # dHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNyb3NvZnQlMjBU # aW1lLVN0YW1wJTIwUENBJTIwMjAxMCgxKS5jcmwwbAYIKwYBBQUHAQEEYDBeMFwG # CCsGAQUFBzAChlBodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NlcnRz # L01pY3Jvc29mdCUyMFRpbWUtU3RhbXAlMjBQQ0ElMjAyMDEwKDEpLmNydDAMBgNV # HRMBAf8EAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMIMA0GCSqGSIb3DQEBCwUAA4IC # AQDY0HkqCS3KuKefFX8/rm/dtD9066dKEleNqriwZqsM4Ym8Ew4QiqOqO7mWoYYY # 4K5y8eXSOHKNXOfpO6RbaYj8jCOcJAB5tqLl5hiMgaMbAVLrl1hlix9sloO45LON # 0JphKva3D6AVKA7P78mA9iRHZYUVrRiyfvQjWxmUnxhis8fom92+/RHcEZ1Dh5+p # 4gzeeL84Yl00Wyq9EcgBKKfgq0lCjWNSq1AUG1sELlgXOSvKZ4/lXXH+MfhcHe91 # WLIaZkS/Hu9wdTT6I14BC97yhDsZWXAl0IJ801I6UtEFpCsTeOyZBJ7CF0rf5lxJ # 8tE9ojNsyqXJKuwVn0ewCMkZqz/cEwv9FEx8QmsZ0ZNodTtsl+V9dZm+eUrMKZk6 # PKsKArtQ+jHkfVsHgKODloelpOmHqgX7UbO0NVnIlpP55gQTqV76vU7wRXpUfz7K # hE3BZXNgwG05dRnCXDwrhhYz+Itbzs1K1R8I4YMDJjW90ASCg9Jf+xygRKZGKHjo # 2Bs2XyaKuN1P6FFCIVXN7KgHl/bZiakGq7k5TQ4OXK5xkhCHhjdgHuxj3hK5AaOy # +GXxO/jbyqGRqeSxf+TTPuWhDWurIo33RMDGe5DbImjcbcj6dVhQevqHClR1OHSf # r+8m1hWRJGlC1atcOWKajArwOURqJSVlThwVgIyzGNmjzjCCB3EwggVZoAMCAQIC # EzMAAAAVxedrngKbSZkAAAAAABUwDQYJKoZIhvcNAQELBQAwgYgxCzAJBgNVBAYT # AlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYD # VQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xMjAwBgNVBAMTKU1pY3Jvc29mdCBS # b290IENlcnRpZmljYXRlIEF1dGhvcml0eSAyMDEwMB4XDTIxMDkzMDE4MjIyNVoX # DTMwMDkzMDE4MzIyNVowfDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0 # b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3Jh # dGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIwMTAwggIi # MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDk4aZM57RyIQt5osvXJHm9DtWC # 0/3unAcH0qlsTnXIyjVX9gF/bErg4r25PhdgM/9cT8dm95VTcVrifkpa/rg2Z4VG # Iwy1jRPPdzLAEBjoYH1qUoNEt6aORmsHFPPFdvWGUNzBRMhxXFExN6AKOG6N7dcP # 2CZTfDlhAnrEqv1yaa8dq6z2Nr41JmTamDu6GnszrYBbfowQHJ1S/rboYiXcag/P # XfT+jlPP1uyFVk3v3byNpOORj7I5LFGc6XBpDco2LXCOMcg1KL3jtIckw+DJj361 # VI/c+gVVmG1oO5pGve2krnopN6zL64NF50ZuyjLVwIYwXE8s4mKyzbnijYjklqwB # Sru+cakXW2dg3viSkR4dPf0gz3N9QZpGdc3EXzTdEonW/aUgfX782Z5F37ZyL9t9 # X4C626p+Nuw2TPYrbqgSUei/BQOj0XOmTTd0lBw0gg/wEPK3Rxjtp+iZfD9M269e # wvPV2HM9Q07BMzlMjgK8QmguEOqEUUbi0b1qGFphAXPKZ6Je1yh2AuIzGHLXpyDw # wvoSCtdjbwzJNmSLW6CmgyFdXzB0kZSU2LlQ+QuJYfM2BjUYhEfb3BvR/bLUHMVr # 9lxSUV0S2yW6r1AFemzFER1y7435UsSFF5PAPBXbGjfHCBUYP3irRbb1Hode2o+e # FnJpxq57t7c+auIurQIDAQABo4IB3TCCAdkwEgYJKwYBBAGCNxUBBAUCAwEAATAj # BgkrBgEEAYI3FQIEFgQUKqdS/mTEmr6CkTxGNSnPEP8vBO4wHQYDVR0OBBYEFJ+n # FV0AXmJdg/Tl0mWnG1M1GelyMFwGA1UdIARVMFMwUQYMKwYBBAGCN0yDfQEBMEEw # PwYIKwYBBQUHAgEWM2h0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2lvcHMvRG9j # cy9SZXBvc2l0b3J5Lmh0bTATBgNVHSUEDDAKBggrBgEFBQcDCDAZBgkrBgEEAYI3 # FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAf # BgNVHSMEGDAWgBTV9lbLj+iiXGJo0T2UkFvXzpoYxDBWBgNVHR8ETzBNMEugSaBH # hkVodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNS # b29DZXJBdXRfMjAxMC0wNi0yMy5jcmwwWgYIKwYBBQUHAQEETjBMMEoGCCsGAQUF # BzAChj5odHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY1Jvb0Nl # ckF1dF8yMDEwLTA2LTIzLmNydDANBgkqhkiG9w0BAQsFAAOCAgEAnVV9/Cqt4Swf # ZwExJFvhnnJL/Klv6lwUtj5OR2R4sQaTlz0xM7U518JxNj/aZGx80HU5bbsPMeTC # j/ts0aGUGCLu6WZnOlNN3Zi6th542DYunKmCVgADsAW+iehp4LoJ7nvfam++Kctu # 2D9IdQHZGN5tggz1bSNU5HhTdSRXud2f8449xvNo32X2pFaq95W2KFUn0CS9QKC/ # GbYSEhFdPSfgQJY4rPf5KYnDvBewVIVCs/wMnosZiefwC2qBwoEZQhlSdYo2wh3D # YXMuLGt7bj8sCXgU6ZGyqVvfSaN0DLzskYDSPeZKPmY7T7uG+jIa2Zb0j/aRAfbO # xnT99kxybxCrdTDFNLB62FD+CljdQDzHVG2dY3RILLFORy3BFARxv2T5JL5zbcqO # Cb2zAVdJVGTZc9d/HltEAY5aGZFrDZ+kKNxnGSgkujhLmm77IVRrakURR6nxt67I # 6IleT53S0Ex2tVdUCbFpAUR+fKFhbHP+CrvsQWY9af3LwUFJfn6Tvsv4O+S3Fb+0 # zj6lMVGEvL8CwYKiexcdFYmNcP7ntdAoGokLjzbaukz5m/8K6TT4JDVnK+ANuOaM # mdbhIurwJ0I9JZTmdHRbatGePu1+oDEzfbzL6Xu/OHBE0ZDxyKs6ijoIYn/ZcGNT # TY3ugm2lBRDBcQZqELQdVTNYs6FwZvKhggLLMIICNAIBATCB+KGB0KSBzTCByjEL # MAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1v # bmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjElMCMGA1UECxMcTWlj # cm9zb2Z0IEFtZXJpY2EgT3BlcmF0aW9uczEmMCQGA1UECxMdVGhhbGVzIFRTUyBF # U046MTJCQy1FM0FFLTc0RUIxJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0YW1w # IFNlcnZpY2WiIwoBATAHBgUrDgMCGgMVAKOO55cMT4syPP6nClg2IWfajMqkoIGD # MIGApH4wfDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNV # BAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQG # A1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIwMTAwDQYJKoZIhvcNAQEF # BQACBQDodUpHMCIYDzIwMjMwODAzMDUzMzU5WhgPMjAyMzA4MDQwNTMzNTlaMHQw # OgYKKwYBBAGEWQoEATEsMCowCgIFAOh1SkcCAQAwBwIBAAICG2owBwIBAAICEogw # CgIFAOh2m8cCAQAwNgYKKwYBBAGEWQoEAjEoMCYwDAYKKwYBBAGEWQoDAqAKMAgC # AQACAwehIKEKMAgCAQACAwGGoDANBgkqhkiG9w0BAQUFAAOBgQAiPHxOsb5DPdO+ # J4mjb+y62cUGc9V/pS+zZ4PlwRd1uDNuKq5nPUlM5zYWRow0Madp0A+REQJz+Y15 # /NIgEwBrTfgbFLzdtcR/1NeUglZw3PMqKYm/HIuvymYQNMKc9ZlX6QRQfwLFK7sV # FXJFGxHAeN3UNH0sWbj41GCSXg5lsjGCBA0wggQJAgEBMIGTMHwxCzAJBgNVBAYT # AlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYD # VQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBU # aW1lLVN0YW1wIFBDQSAyMDEwAhMzAAAByk/Cs+0DDRhsAAEAAAHKMA0GCWCGSAFl # AwQCAQUAoIIBSjAaBgkqhkiG9w0BCQMxDQYLKoZIhvcNAQkQAQQwLwYJKoZIhvcN # AQkEMSIEINpVG8D+AuDaXKoEsNXtsmw8Pq6DOE8MS9C6U/QAsZddMIH6BgsqhkiG # 9w0BCRACLzGB6jCB5zCB5DCBvQQgEz0b85vrVU2slZAk4jt1SDEk6IzZAwVCoWwF # 3KzcGuAwgZgwgYCkfjB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3Rv # bjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0 # aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMAITMwAA # AcpPwrPtAw0YbAABAAAByjAiBCDJXCct+xAnuDvjWf/SVHS9An6X/DlDwmRQAN56 # cN+j1jANBgkqhkiG9w0BAQsFAASCAgCdpt3XVBUBAFro7QPbQFfQsZjpRxn69tWI # aoGVQ/u3LMJBMIs4sNDrzhC2IIkV9tsWV9ZDRYmzOeGG51AKICOHXXsKMCjBrE1e # M+zahQhJG3E1PjFjiSXOF3Hjm8lrJnj5pK36kt5IU+oYHTyYUfVXAzUZg2PP29ce # lsSqXitAcZgKNkm85LjH2LjrIpp51tTUUU9c9G+elNxDX9VsZpbWrTxJszQskJ9W # ESz96aF3KtPyUBAvkUGB4viYefdpBKT+i94py3COfcJ+EblGVlFQYcN2pNzsg8mE # d9eqbp1XErpLiTPgN5CMHr4yAjSpl5B0FzP4M9jYN581BVkfKBb7Zx7xBqxiR4JJ # aw6xSbvFOt3IWIUTtwDjuRxFTcSXcKawcduFGRiHbvKVJqk4if+QQ0ilGqQYVcin # 96/YzoNyEoAxWZP7095rDX3NB2mtevrd65FdSEt07KQt1VuMPfUzk1bgGfe6Xl+W # w+NKZMBdfV9wuWJtNR51aXuTyob7Ewa0j9Gx1FWJuJXE7wRsqgb7pXtJnQztHVrl # yTiaBPabAMbjI0vgZpCizmIgRlmvRF0oFEKxEt4pxYQH1Epjm4kdc6+XX5+I6b99 # OIYmrn8OXQuAsUMWS8Z8pr3FLolE7qEh18MrCs7lFia6/AE0ZbwI0OfLh9CLCECd # IZXK8hF8qA== # SIG # End signature block |