CertificateValidation/PublicCertHelper.psm1
|
<#############################################################
# # # Copyright (C) Microsoft Corporation. All rights reserved. # # # #############################################################> $ErrorActionPreference = 'Stop' # Explicitly importing it as ERCS VM does not have it by default Import-Module PKI Import-LocalizedData LocalizedData -Filename PublicCertHelper.Strings.psd1 -ErrorAction SilentlyContinue # workaround for https://github.com/PowerShell/JEA/issues/42 # can't use Import-PowerShellDataFile because PS5.1 Import-LocalizedData -FileName Microsoft.AzureStack.CertificateConfig.psd1 -BaseDirectory $PSScriptRoot -BindingVariable CertificateData $certificateDefaults = $CertificateData.CertificateDefaults $myCertPath = 'cert:\localmachine\my\' if ($standalone) { $publicCertRoot = $PSScriptRoot $WarnOnSelfSigned = $true } else { $publicCertRoot = 'C:\CloudDeployment\Setup\Certificates' } $armPublicCertInfo = @{Path="$publicCertRoot\AAD\ARM Public";RecordPrefix=@("management")} $armAdminCertInfo = @{Path="$publicCertRoot\AAD\ARM Admin";RecordPrefix=@("adminmanagement")} $publicPortalCertInfo = @{Path="$publicCertRoot\AAD\Public Portal";RecordPrefix=@("portal")} $adminPortalCertInfo = @{Path="$publicCertRoot\AAD\Admin Portal";RecordPrefix=@("adminportal")} $keyvaultCertInfo = @{Path="$publicCertRoot\AAD\KeyVault";RecordPrefix=@("*.vault")} $keyvaultAdminCertInfo = @{Path="$publicCertRoot\AAD\KeyVaultInternal";RecordPrefix=@("*.adminvault")} $acsTableCertInfo = @{Path="$publicCertRoot\AAD\ACSTable";RecordPrefix=@("*.table")} $acsQueueCertInfo = @{Path="$publicCertRoot\AAD\ACSQueue";RecordPrefix=@("*.queue")} $acsBlobCertInfo = @{Path="$publicCertRoot\AAD\ACSBlob";RecordPrefix=@("*.blob")} $adminHostingCertInfo = @{Path="$publicCertRoot\AAD\Admin Extension Host";RecordPrefix=@("*.adminhosting")} $publicHostingCertInfo = @{Path="$publicCertRoot\AAD\Public Extension Host";RecordPrefix=@("*.hosting")} $acrCertInfo = @{Path="$publicCertRoot\AAD\Container Registry";RecordPrefix=@("*.azsacr")} $adfsCertInfo = @{Path="$publicCertRoot\ADFS\ADFS";RecordPrefix=@("adfs")} $graphCertInfo = @{Path="$publicCertRoot\ADFS\Graph";RecordPrefix=@("graph")} $armADFSPublicCertInfo = @{Path="$publicCertRoot\ADFS\ARM Public";RecordPrefix=@("management")} $armADFSAdminCertInfo = @{Path="$publicCertRoot\ADFS\ARM Admin";RecordPrefix=@("adminmanagement")} $publicADFSPortalCertInfo = @{Path="$publicCertRoot\ADFS\Public Portal";RecordPrefix=@("portal")} $adminADFSPortalCertInfo = @{Path="$publicCertRoot\ADFS\Admin Portal";RecordPrefix=@("adminportal")} $keyvaultADFSCertInfo = @{Path="$publicCertRoot\ADFS\KeyVault";RecordPrefix=@("*.vault")} $keyvaultADFSAdminCertInfo = @{Path="$publicCertRoot\ADFS\KeyVaultInternal";RecordPrefix=@("*.adminvault")} $acsTableADFSCertInfo = @{Path="$publicCertRoot\ADFS\ACSTable";RecordPrefix=@("*.table")} $acsQueueADFSCertInfo = @{Path="$publicCertRoot\ADFS\ACSQueue";RecordPrefix=@("*.queue")} $acsBlobADFSCertInfo = @{Path="$publicCertRoot\ADFS\ACSBlob";RecordPrefix=@("*.blob")} $adminHostingADFSCertInfo = @{Path="$publicCertRoot\ADFS\Admin Extension Host";RecordPrefix=@("*.adminhosting")} $publicHostingADFSCertInfo = @{Path="$publicCertRoot\ADFS\Public Extension Host";RecordPrefix=@("*.hosting")} $acrADFSCertInfo = @{Path="$publicCertRoot\ADFS\Container Registry";RecordPrefix=@("*.azsacr")} # This function appends the region and domainFQDN to the RecordPrefix/es and returns the array for multiple endpoints function New-DNSList { Param ( [Parameter(Mandatory=$true)] [string[]] $RecordPrefixList, [Parameter(Mandatory=$true)] [String] $RegionExternalFQDN ) $dnsListCreated = @() foreach ($RecordPrefix in $RecordPrefixList) { $dnsListCreated += $RecordPrefix + ".$RegionExternalFQDN" } return $dnsListCreated } function New-SelfSignedCertificateWrapper { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium')] Param ( [Parameter(Mandatory=$true)] [string[]] $DnsRecord, [Parameter(Mandatory=$true)] [SecureString] $CertificatePassword, [Parameter(Mandatory=$true)] [string] $OutFilePath, [Parameter(Mandatory=$true)] [string] $RootCertThumbprint ) # Creating if the path does not exist as SecretRotation BVT needs it if(-not (Test-Path $OutFilePath)) { $null = New-Item -Path $OutFilePath -ItemType Directory } if(-not (Get-ChildItem -Path $OutFilePath -Filter '*.pfx')) { $OutFilePath = Join-Path -Path $OutFilePath -ChildPath "SSL.pfx" $rootCert = ( Get-ChildItem -path $RootCertThumbprint ) $certThumbprint = New-SelfSignedCertificate -KeyUsage DigitalSignature, KeyEncipherment -HashAlgorithm SHA256 -KeyUsageProperty All -KeyLength 4096 -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -certstorelocation $myCertPath -dnsname $DnsRecord -Signer $rootCert -KeyExportPolicy Exportable -Verbose:$false $certPath = $myCertPath + $certThumbprint.Thumbprint # It can sometimes take a few seconds to populate the store $retryCount = 0; while(-not (Test-Path $certPath)) { Start-Sleep -Seconds 1 if($retryCount++ -eq 10) { throw ($LocalizedData.FailedCreatingCert -f $certPath) } } $null = Export-PfxCertificate -FilePath $OutFilePath -Cert $certPath -Password $CertificatePassword -ChainOption BuildChain -Force -Verbose:$false } } function New-SelfSignedRootCert { [Alias("Create-RootCert")] Param ( [Parameter(Mandatory=$true)] [string] $DnsRecord, [Parameter(Mandatory=$true)] [SecureString] $CertificatePassword ) $baseRootCertThumbprint = New-SelfSignedCertificate -KeyUsage DigitalSignature, KeyEncipherment, CertSign -HashAlgorithm SHA256 -KeyUsageProperty All -KeyLength 4096 -Subject "AzureStackSelfSignedRootCert" -FriendlyName "Azs Self Signed RootCert" -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -certstorelocation $myCertPath -dnsname $DnsRecord -TextExtension @("2.5.29.19 ={critical} {text}ca=1&pathlength=3") $intermediateRootCertThumbprint = New-SelfSignedCertificate -KeyUsage DigitalSignature, KeyEncipherment, CertSign -HashAlgorithm SHA256 -KeyUsageProperty All -KeyLength 4096 -Subject "AzureStackSelfSignedIntermediate1Cert" -FriendlyName "Azs Self Signed Intermediate 1 Cert" -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -certstorelocation $myCertPath -dnsname $DnsRecord -TextExtension @("2.5.29.19 ={critical} {text}ca=1&pathlength=2") -Signer $baseRootCertThumbprint $secondIntermediateRootCertThumbprint = New-SelfSignedCertificate -KeyUsage DigitalSignature, KeyEncipherment, CertSign -HashAlgorithm SHA256 -KeyUsageProperty All -KeyLength 4096 -Subject "AzureStackSelfSignedIntermediate2Cert" -FriendlyName "Azs Self Signed Intermediate 2 Cert" -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -certstorelocation $myCertPath -dnsname $DnsRecord -TextExtension @("2.5.29.19 ={critical} {text}ca=1&pathlength=0") -Signer $intermediateRootCertThumbprint $certPath = $myCertPath + $secondIntermediateRootCertThumbprint.Thumbprint # It can sometimes take a few seconds to populate the store $retryCount = 0; while(-not (Test-Path $certPath)) { Start-Sleep -Seconds 1 if($retryCount++ -eq 10) { throw "Failed to create self signed root certificate in store '$certPath'." } } return $certPath } # Use for one nodes and internal testing only! function New-AzureStackSelfSignedCerts { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium')] Param ( [Parameter(Mandatory=$true)] [string] $RegionExternalFQDN, [Parameter(Mandatory=$true)] [SecureString] $CertificatePassword, [Parameter(Mandatory=$false)] [string] $ExternalCertRoot ) if($ExternalCertRoot) { $publicCertRoot = $ExternalCertRoot $armPublicCertInfo = @{Path="$publicCertRoot\AAD\ARM Public";RecordPrefix=@("management")} $armAdminCertInfo = @{Path="$publicCertRoot\AAD\ARM Admin";RecordPrefix=@("adminmanagement")} $publicPortalCertInfo = @{Path="$publicCertRoot\AAD\Public Portal";RecordPrefix=@("portal")} $adminPortalCertInfo = @{Path="$publicCertRoot\AAD\Admin Portal";RecordPrefix=@("adminportal")} $keyvaultCertInfo = @{Path="$publicCertRoot\AAD\KeyVault";RecordPrefix=@("*.vault")} $keyvaultAdminCertInfo = @{Path="$publicCertRoot\AAD\KeyVaultInternal";RecordPrefix=@("*.adminvault")} $acsTableCertInfo = @{Path="$publicCertRoot\AAD\ACSTable";RecordPrefix=@("*.table")} $acsQueueCertInfo = @{Path="$publicCertRoot\AAD\ACSQueue";RecordPrefix=@("*.queue")} $acsBlobCertInfo = @{Path="$publicCertRoot\AAD\ACSBlob";RecordPrefix=@("*.blob")} $adminHostingCertInfo = @{Path="$publicCertRoot\AAD\Admin Extension Host";RecordPrefix=@("*.adminhosting")} $publicHostingCertInfo = @{Path="$publicCertRoot\AAD\Public Extension Host";RecordPrefix=@("*.hosting")} $acrCertInfo = @{Path="$publicCertRoot\AAD\Container Registry";RecordPrefix=@("*.azsacr")} $adfsCertInfo = @{Path="$publicCertRoot\ADFS\ADFS";RecordPrefix=@("adfs")} $graphCertInfo = @{Path="$publicCertRoot\ADFS\Graph";RecordPrefix=@("graph")} $armADFSPublicCertInfo = @{Path="$publicCertRoot\ADFS\ARM Public";RecordPrefix=@("management")} $armADFSAdminCertInfo = @{Path="$publicCertRoot\ADFS\ARM Admin";RecordPrefix=@("adminmanagement")} $publicADFSPortalCertInfo = @{Path="$publicCertRoot\ADFS\Public Portal";RecordPrefix=@("portal")} $adminADFSPortalCertInfo = @{Path="$publicCertRoot\ADFS\Admin Portal";RecordPrefix=@("adminportal")} $keyvaultADFSCertInfo = @{Path="$publicCertRoot\ADFS\KeyVault";RecordPrefix=@("*.vault")} $keyvaultADFSAdminCertInfo = @{Path="$publicCertRoot\ADFS\KeyVaultInternal";RecordPrefix=@("*.adminvault")} $acsTableADFSCertInfo = @{Path="$publicCertRoot\ADFS\ACSTable";RecordPrefix=@("*.table")} $acsQueueADFSCertInfo = @{Path="$publicCertRoot\ADFS\ACSQueue";RecordPrefix=@("*.queue")} $acsBlobADFSCertInfo = @{Path="$publicCertRoot\ADFS\ACSBlob";RecordPrefix=@("*.blob")} $adminHostingADFSCertInfo = @{Path="$publicCertRoot\ADFS\Admin Extension Host";RecordPrefix=@("*.adminhosting")} $publicHostingADFSCertInfo = @{Path="$publicCertRoot\ADFS\Public Extension Host";RecordPrefix=@("*.hosting")} $acrADFSCertInfo = @{Path="$publicCertRoot\ADFS\Container Registry";RecordPrefix=@("*.azsacr")} } else { Write-VerboseLog $LocalizedData.CreatingExternalSelfSignedCerts } # getting rootCert thumbprint $rootCertThumbprint = New-SelfSignedRootCert -DnsRecord "$RegionExternalFQDN" -CertificatePassword $CertificatePassword # AAD certs New-SelfSignedCertificateWrapper -OutFilePath $armPublicCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $armPublicCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $armAdminCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $armAdminCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $publicPortalCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $publicPortalCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $adminPortalCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $adminPortalCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $keyvaultCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $keyvaultCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $keyvaultAdminCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $keyvaultAdminCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint #Creating three different ACS certs for Blob, Queue and Table: Another option is customers can provide one wilcard cert for all these three New-SelfSignedCertificateWrapper -OutFilePath $acsTableCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $acsTableCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $acsQueueCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $acsQueueCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $acsBlobCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $acsBlobCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint #Creating two additional Extension Host Certs New-SelfSignedCertificateWrapper -OutFilePath $adminHostingCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $adminHostingCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $publicHostingCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $publicHostingCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint #Creating Container Registry cert, which is optional but required in BCDR pipeline New-SelfSignedCertificateWrapper -OutFilePath $acrCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $acrCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint # ADFS certs New-SelfSignedCertificateWrapper -OutFilePath $adfsCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $adfsCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $graphCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $graphCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $armADFSPublicCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $armADFSPublicCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $armADFSAdminCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $armADFSAdminCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $publicADFSPortalCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $publicADFSPortalCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $adminADFSPortalCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $adminADFSPortalCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $keyvaultADFSCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $keyvaultADFSCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $keyvaultADFSAdminCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $keyvaultADFSAdminCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint #Creating three different ACS certs for Blob, Queue and Table: Another option is customers can provide one wilcard cert for all these three New-SelfSignedCertificateWrapper -OutFilePath $acsTableADFSCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $acsTableADFSCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $acsQueueADFSCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $acsQueueADFSCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $acsBlobADFSCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $acsBlobADFSCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint #Creating two additional Extension Host Certs New-SelfSignedCertificateWrapper -OutFilePath $adminHostingADFSCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $adminHostingADFSCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint New-SelfSignedCertificateWrapper -OutFilePath $publicHostingADFSCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $publicHostingADFSCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint #Creating Container Registry cert, which is optional but required in BCDR pipeline New-SelfSignedCertificateWrapper -OutFilePath $acrADFSCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $acrADFSCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint } function Test-AzureStackCerts { Param ( [Parameter(Mandatory=$true)] [SecureString] $CertificatePassword, [Parameter(Mandatory=$true)] [string] $ExpectedDomainFQDN, [Parameter(Mandatory=$false)] [bool] $UseADFS = $false, [Parameter(Mandatory=$false)] [bool] $isACRInstalled = $false, [Parameter(Mandatory=$false)] [bool] $WarnOnSelfSigned = $true, [Parameter(Mandatory=$false)] [string] $PfxFilesPath, [Parameter(Mandatory=$false)] [Alias('SecretRotation')] [ValidateSet('SameRootOnly','AnyTrustedRoot','')] [string] $RootValidation = '' ) $thisFunction = $MyInvocation.MyCommand.Name $publicCertHelperModuleVersion = $MyInvocation.MyCommand.Module.Version if (!$PfxFilesPath) { Write-Log -Message ($LocalizedData.ValidatingCerts -f $publicCertHelperModuleVersion) -Type Info -Function $thisfunction } else { # we are in external cert rotation, need to use path provided by customer Write-Log -Message ($LocalizedData.ValidatingCerts -f $publicCertHelperModuleVersion) -Type Info -Function $thisfunction $publicCertRoot = $PfxFilesPath $armPublicCertInfo = @{Path="$publicCertRoot\AAD\ARM Public";RecordPrefix=@("management")} $armAdminCertInfo = @{Path="$publicCertRoot\AAD\ARM Admin";RecordPrefix=@("adminmanagement")} $publicPortalCertInfo = @{Path="$publicCertRoot\AAD\Public Portal";RecordPrefix=@("portal")} $adminPortalCertInfo = @{Path="$publicCertRoot\AAD\Admin Portal";RecordPrefix=@("adminportal")} $keyvaultCertInfo = @{Path="$publicCertRoot\AAD\KeyVault";RecordPrefix=@("*.vault")} $keyvaultAdminCertInfo = @{Path="$publicCertRoot\AAD\KeyVaultInternal";RecordPrefix=@("*.adminvault")} $acsTableCertInfo = @{Path="$publicCertRoot\AAD\ACSTable";RecordPrefix=@("*.table")} $acsQueueCertInfo = @{Path="$publicCertRoot\AAD\ACSQueue";RecordPrefix=@("*.queue")} $acsBlobCertInfo = @{Path="$publicCertRoot\AAD\ACSBlob";RecordPrefix=@("*.blob")} $adminHostingCertInfo = @{Path="$publicCertRoot\AAD\Admin Extension Host";RecordPrefix=@("*.adminhosting")} $publicHostingCertInfo = @{Path="$publicCertRoot\AAD\Public Extension Host";RecordPrefix=@("*.hosting")} $acrCertInfo = @{Path="$publicCertRoot\AAD\Container Registry";RecordPrefix=@("*.azsacr")} $adfsCertInfo = @{Path="$publicCertRoot\ADFS\ADFS";RecordPrefix=@("adfs")} $graphCertInfo = @{Path="$publicCertRoot\ADFS\Graph";RecordPrefix=@("graph")} $armADFSPublicCertInfo = @{Path="$publicCertRoot\ADFS\ARM Public";RecordPrefix=@("management")} $armADFSAdminCertInfo = @{Path="$publicCertRoot\ADFS\ARM Admin";RecordPrefix=@("adminmanagement")} $publicADFSPortalCertInfo = @{Path="$publicCertRoot\ADFS\Public Portal";RecordPrefix=@("portal")} $adminADFSPortalCertInfo = @{Path="$publicCertRoot\ADFS\Admin Portal";RecordPrefix=@("adminportal")} $keyvaultADFSCertInfo = @{Path="$publicCertRoot\ADFS\KeyVault";RecordPrefix=@("*.vault")} $keyvaultADFSAdminCertInfo = @{Path="$publicCertRoot\ADFS\KeyVaultInternal";RecordPrefix=@("*.adminvault")} $acsTableADFSCertInfo = @{Path="$publicCertRoot\ADFS\ACSTable";RecordPrefix=@("*.table")} $acsQueueADFSCertInfo = @{Path="$publicCertRoot\ADFS\ACSQueue";RecordPrefix=@("*.queue")} $acsBlobADFSCertInfo = @{Path="$publicCertRoot\ADFS\ACSBlob";RecordPrefix=@("*.blob")} $adminHostingADFSCertInfo = @{Path="$publicCertRoot\ADFS\Admin Extension Host";RecordPrefix=@("*.adminhosting")} $publicHostingADFSCertInfo = @{Path="$publicCertRoot\ADFS\Public Extension Host";RecordPrefix=@("*.hosting")} $acrADFSCertInfo = @{Path="$publicCertRoot\ADFS\Container Registry";RecordPrefix=@("*.azsacr")} } if($UseADFS) { $allCertInfo = @( $adfsCertInfo, $graphCertInfo, $armADFSPublicCertInfo, $armADFSAdminCertInfo, $publicADFSPortalCertInfo, $adminADFSPortalCertInfo, $keyvaultADFSCertInfo, $keyvaultADFSAdminCertInfo, $acsTableADFSCertInfo, $acsQueueADFSCertInfo, $acsBlobADFSCertInfo, $adminHostingADFSCertInfo, $publicHostingADFSCertInfo ) # Validate ACR Certificate only if ACR has been installed on the stamp if($isACRInstalled) { $allCertInfo += $acrADFSCertInfo } } else { $allCertInfo = @( $armPublicCertInfo, $armAdminCertInfo, $publicPortalCertInfo, $adminPortalCertInfo, $keyvaultCertInfo, $keyvaultAdminCertInfo, $acsTableCertInfo, $acsQueueCertInfo, $acsBlobCertInfo, $adminHostingCertInfo, $publicHostingCertInfo ) # Validate ACR Certificate only if ACR has been installed on the stamp if($isACRInstalled) { $allCertInfo += $acrCertInfo } } $allCertResults = @() $allCertResults += $allCertInfo | ForEach-Object { ` Write-Log -Message "Launching Test-Certificate with Path = $($PSITEM.path), ExpectedPrefix = $($PSITEM.RecordPrefix), ExpectedDomainFQDN = $ExpectedDomainFQDN, WarnOnSelfSigned = $WarnOnSelfSigned, RootValidation = $RootValidation" -Type Info -Function $thisfunction $testCertificateParams = @{ CertificatePath = $PSITEM.Path CertificatePassword = $CertificatePassword certConfig = @{DNSName = $PSITEM.RecordPrefix;IncludeTests = 'All';ExcludeTests = 'CNG Key';pfxPath = $PSITEM.path} ExpectedDomainFQDN = $ExpectedDomainFQDN WarnOnSelfSigned = $WarnOnSelfSigned RootValidation = $RootValidation } Test-Certificate @testCertificateParams } return $allCertResults } function Test-Certificate { Param ( # Path of folder which contains the cert [Parameter(Mandatory=$true)] [string] $CertificatePath, [Parameter(Mandatory=$true)] [SecureString] $CertificatePassword, [Parameter(Mandatory=$true)] [string] $ExpectedDomainFQDN, [Parameter(Mandatory=$false)] [bool] $WarnOnSelfSigned = $true, [Parameter(Mandatory=$false)] [Alias('SecretRotation')] [ValidateSet('SameRootOnly','AnyTrustedRoot','')] [string] $RootValidation = '', [Parameter(Mandatory=$false)] [Hashtable]$certConfig ) $thisFunction = $MyInvocation.MyCommand.Name $ErrorActionPreference = 'SilentlyContinue' if(-not (Test-Path -Path $CertificatePath)) { # Terminating error for install, need to throw throw ($LocalizedData.IncorrectPath -f $CertificatePath) } $script:pfxFile = Get-ChildItem -Path $CertificatePath -Filter '*.pfx' | ForEach-Object FullName Write-Log -Message "Test PFX Certificate $pfxfile" -Type info -Function $thisFunction if($pfxFile.Count -ne 1) { # Terminating error for install Write-Log -Message ($LocalizedData.MoreThanOneCert -f $CertificatePath) -Type Error -Function $thisFunction } if(-not (Test-Path -Path $pfxFile)) { # Terminating error for install Write-Log ($LocalizedData.MissingCertificate) -Type Error -Function $thisFunction } if ((Get-Command Get-Content).Parameters.AsByteStream) { [byte[]]$pfxBinary = Get-Content -Path $pfxFile -AsByteStream } else { [byte[]]$pfxBinary = Get-Content -Path $pfxFile -Encoding Byte } #$certConfig.pfxPath = $pfxFile $params = @{ CertificateBinary = $pfxBinary CertificatePassword = $CertificatePassword ExpectedDomainFQDN = $ExpectedDomainFQDN WarnOnSelfSigned = $WarnOnSelfSigned RootValidation = $RootValidation certConfig = $certConfig } Test-AzsCertificate @params } function Test-AzsCertificate { Param ( [Parameter(Mandatory=$true)] [ValidateNotNull()] [byte[]] $CertificateBinary, [Parameter(Mandatory=$false)] [ValidateNotNull()] [SecureString] $CertificatePassword, [Parameter(Mandatory=$false)] [string] $ExpectedDomainFQDN, [Parameter(Mandatory=$false)] [bool] $WarnOnSelfSigned = $true, [Parameter(Mandatory=$false)] [Alias('SecretRotation')] [ValidateSet('SameRootOnly','AnyTrustedRoot','')] [string] $RootValidation = '', [Parameter(Mandatory=$false)] [Hashtable]$certConfig ) $thisFunction = $MyInvocation.MyCommand.Name $results = @() $ExpectedPrefix = $certConfig.DnsName # Get Relative Path # Depending on the entry point (deployment, secret rotation, standalone) the path can be in 1 of 2 places if ($pfxFile -or $certConfig.pfxPath) { if ($pfxFile) { $pf = Get-item -Path $pfxFile } else { $pf = Get-item -Path $certConfig.pfxPath } $pathValue = $pf.Directory.Name + '\' + $pf.name Write-Host "Testing: $pathValue" # Check PFX encryption first in case we have difficulty with encryption used and defer printing result until after import attempt for formatting purposes $pfxEncryptCheck = Test-PFXEncryption -pfxfile $pf.fullname -pfxpassword $certificatePassword -certConfig $certConfig $results += $pfxEncryptCheck if ($pfxEncryptCheck.result -eq 'Fail') { Write-Result -in $pfxEncryptCheck Write-Result -in $results.failureDetail throw "Unable to continue until PFX Encryption is TripleDES-SHA1" } } # Begin Checks $ErrorActionPreference = 'Stop' # make sure errors are not suppressed during import. if ($CertificatePassword) { try { $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertificateBinary, $CertificatePassword, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet) $includePFXChecks = $true } catch { # if the exception is bad password and encryption check failed/warned, give additional help about ensuring Triple-DES encryption. if ($_.Exception.ErrorRecord -match 'The specified network password is not correct' -and $pfxEncryptCheck.result -ne 'OK') { Write-Log -Message ($LocalizedData.BadPasswordAndUnknownEncryption -f $_.Exception.Message.Replace("`r`n","")) -Type Error -Function $thisFunction throw ($LocalizedData.BadPasswordAndUnknownEncryption -f $_.Exception.Message.Replace("`r`n","")) } elseif ($_.Exception.ErrorRecord -match 'Cannot find the requested object') { Write-Log -Message ($LocalizedData.ErrorOnX509Import) -Type Error -Function $thisFunction throw $LocalizedData.ErrorOnX509Import } else { Write-Log -Message ("Importing Certificate failed with message: {0}" -f $_.Exception.Message.Replace("`r`n","")) -Type Error -Function $thisFunction throw ("Importing Certificate failed with message: {0}" -f $_.Exception.Message.Replace("`r`n","")) } } } else { $cert.Import($CertificateBinary) $includePFXChecks = $false } Write-Host ("Thumbprint: {0}" -f ($cert | Get-ThumbprintMask)) # if PFXEncryption Check exists write the result to screen. if ($pfxEncryptCheck) { Write-Result -in $pfxEncryptCheck } $ErrorActionPreference = 'SilentlyContinue' #Setting erroraction to continue so tests can complete and user gets full break down of all issues. $expiryCheck = Test-CertificateExpiry -cert $cert -certConfig $certConfig Write-Result -in $expiryCheck $results += $expiryCheck $signatureAlgorithmCheck = Test-SignatureAlgorithm -x509 $cert -certConfig $certConfig Write-Result -in $signatureAlgorithmCheck $results += $signatureAlgorithmCheck $dnsNamesCheck = Test-DnsNames -cert $cert -ExpectedDomainFQDN $ExpectedDomainFQDN -certConfig $certConfig Write-Result -in $dnsNamesCheck $results += $dnsNamesCheck $keyUsageCheck = Test-KeyUsage -cert $cert -certConfig $certConfig Write-Result -in $keyUsageCheck $results += $keyUsageCheck $keySizeCheck = Test-KeySize -cert $cert -certConfig $certConfig Write-Result -in $keySizeCheck $results += $keySizeCheck $httpCDPCheck = Test-HttpCdp -cert $cert -certConfig $certConfig Write-Result -in $httpCDPCheck $results += $httpCDPCheck if ($includePFXChecks) { $pfxParseResult = Test-Pfx -certificateBinary $CertificateBinary -certificatePassword $certificatePassword if ($pfxParseResult.Result -eq 'Fail') { Write-Log -Message ("Unable to Parse PFX. Ensure PFX is correctly formatted. Error: {0}" -f ($pfxParseResult.failureDetail -join ';')) -Type Error -Function $thisFunction throw ("Unable to Parse PFX. Ensure PFX is correctly formatted. Error: {0}" -f ($pfxParseResult.failureDetail -join ';')) } $pfxData = $pfxParseResult.outputObject $pfxParseResult.outputObject = "" # clear the output object Write-Result -in $pfxParseResult $results += $pfxParseResult $privateKeyCheck = Test-PrivateKey -cert $cert -certConfig $certConfig Write-Result -in $privateKeyCheck $results += $privateKeyCheck $selfSignedCheck = Test-CertificateChain -pfxData $pfxData -certConfig $certConfig Write-Result -in $selfSignedCheck $results += $selfSignedCheck $chainOrderCheck = Test-CertificateChainOrder -pfxData $pfxData -certConfig $certConfig Write-Result -in $chainOrderCheck $results += $chainOrderCheck # Only run check for other certificates if cert chain is good and dnsnames are good to avoid noise. if ($selfSignedCheck.result -eq 'OK' -AND $dnsNamesCheck.result -eq 'OK') { $otherCertificateCheck = Test-OtherCertificates -pfxData $pfxData -ExpectedPrefix $ExpectedPrefix -ExpectedDomainFQDN $ExpectedDomainFQDN -certConfig $certConfig } Else { $hash = @{'Test' = 'Other Certificates'; 'Result' = 'Skipped'; 'FailureDetail' = $LocalizedData.TestOtherCertificatesSkipped; 'outputObject' = $null} $otherCertificateCheck = New-Object PSObject -Property $hash } Write-Result -in $otherCertificateCheck $results += $otherCertificateCheck if (-not $standalone -AND $RootValidation -ne '') { if ($RootValidation -eq 'SameRootOnly') { $rootCheck = Test-CertificateRoot -pfx $pfxData -certConfig $certConfig Write-Result -in $rootCheck $results += $rootCheck } else { #Check trust without using pfx as extra store $chainTest = Test-TrustedChain -cert $cert -retryCount 3 -intervalSeconds 5 -certConfig $certConfig if ($chainTest.Result -eq 'Fail') { #create certificate collection object $collection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection $pfxdata.EndEntityCertificates + $pfxData.OtherCertificates | ForEach-Object {$collection.add($_) | Out-Null} #create new chain $chain = New-Object Security.Cryptography.X509Certificates.X509Chain $chain.ChainPolicy.ExtraStore.AddRange($collection) #Check trust with pfx as extra store $chainTest = Test-TrustedChain -chain $chain -cert $cert -retryCount 3 -intervalSeconds 5 } else { Write-Log -Message ("Chain trust passed with {0} - {1}. No further action." -f $chainTest.Result,($chainTest.Chain.ChainStatus.Status -join ',')) -Type Info -Function $thisFunction } Write-Result -in $chainTest $results += $chainTest } } } # add relative path, thumbprint, certificateID $results | add-member -NotePropertyName CertificateId -NotePropertyValue ([guid]::NewGuid().ToString()) $results | add-member -NotePropertyName Path -NotePropertyValue $pathValue $results | add-member -NotePropertyName Thumbprint -NotePropertyValue $($cert | Get-ThumbprintMask) if ($results.result -match "Fail|Warning") { Write-Result -in $results.failureDetail } return $results } function Test-Pfx { param ([byte[]]$certificateBinary, [securestring]$certificatePassword) $thisFunction = $MyInvocation.MyCommand.Name $test = 'Parse PFX' Write-Log -Message "Parse PFX binary with password" -Type Info -Function $thisFunction $parseResult = Open-PfxData -certificateBinary $certificateBinary -certificatePassword $certificatePassword if ($parseResult.Success) { $tmpParseResult = Open-PfxData -certificateBinary $certificateBinary if ($tmpParseResult.Success) { $result = 'Warning' $failureDetail = ($LocalizedData.UnprotectedPublicCertInfo) Write-Log -Message $LocalizedData.UnprotectedPublicCertInfo -Type Warning -Function $thisFunction } else { $result = 'OK' if ($tmpParseResult.ErrorCode -eq 86) { Write-Log -Message "Parsing PFX binary privacy success" -Type Info -Function $thisFunction } else { Write-Log -Message ("Parsing PFX binary without password with error code 0x{0:x}" -f $($tmpParseResult.ErrorCode)) -Type Warn -Function $thisFunction } } } else { $result = 'Fail' if ($parseResult.ErrorCode -in @(0x80092002, 0x0D)) { $failureDetail = "Pfx data is Invalid" # Terminating error for install Write-Log -Message "Pfx data is Invalid" -Type Error -Function $thisFunction } elseif ($parseResult.ErrorCode -eq 86) { $failureDetail = "Pfx password is Invalid" # Terminating error for install Write-Log -Message $failureDetail -Type Error -Function $thisFunction } else { # Terminating error for install $errorMessage = "Parsing PFX binary with error code 0x{0:x}" -f $($parseResult.ErrorCode) $failureDetail = $errorMessage Write-Log -Message $errorMessage -Type Error -Function $thisFunction } } $hash = @{'Test' = $test; 'Result' = $result; 'FailureDetail' = $failureDetail; 'outputObject' = $parseResult} $object = New-Object PSObject -Property $hash $object } function Test-SignatureAlgorithm { param ([System.Security.Cryptography.X509Certificates.X509Certificate2]$x509,[Hashtable]$certConfig) # Name for log and name for test $thisFunction = $MyInvocation.MyCommand.Name $test = 'Signature Algorithm' # config to run test by if ($certConfig.HashAlgorithm -eq 'default' -or $null -eq $certConfig.HashAlgorithm) { $blockedAlgorithms = 'SHA1RSA' } else { $blockedAlgorithms = $certConfig.HashAlgorithm Write-Log -Message ('Using user-defined Signature Algorithms {0} for test.' -f ($blockedAlgorithms -join ',')) -Type Info -Function $thisFunction } # run test if applicable if (!$certConfig -or (($certConfig.IncludeTests -eq 'All' -or $test -in $certConfig.IncludeTests) -and $test -notin $certConfig.ExcludeTests)) { Write-Log -Message ('Checking Signature Algorithm is not {0}' -f ($blockedAlgorithms -join ',')) -Type Info -Function $thisFunction $signatureAlgorithm = $x509.SignatureAlgorithm.FriendlyName Write-Log -Message ('Signature Algorithm is {0}' -f $signatureAlgorithm) -Type Info -Function $thisFunction if ($signatureAlgorithm -in $blockedAlgorithms) { $result = 'Fail' $failureDetail = ($LocalizedData.SignatureAlgorithmInvalid -f $signatureAlgorithm, ($blockedAlgorithms -join ',')) Write-Log -Message $failureDetail -Type Warn -Function $thisFunction } else { $result = 'OK' Write-Log -Message ('Signature Algorithm is not {0}' -f ($blockedAlgorithms -join ',')) -Type Info -Function $thisFunction } } else { $result = 'SkippedByConfig' $failureDetail = ($LocalizedData.SkippedByConfig -f $test) Write-Log -Message $failureDetail -Type Info -Function $thisFunction } # return output $hash = @{'Test' = $test; 'Result' = $result; 'FailureDetail' = $failureDetail; 'outputObject' = $null} $object = New-Object PSObject -Property $hash $object } function Test-PrivateKey { param ([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert,[Hashtable]$certConfig) $thisFunction = $MyInvocation.MyCommand.Name $test = 'Private Key' if (!$certConfig -or (($certConfig.IncludeTests -eq 'All' -or $test -in $certConfig.IncludeTests) -and $test -notin $certConfig.ExcludeTests)) { $privateKeyFailed = @() $failureDetail = @() try { Write-Log -Message 'Checking Private Key exists' -Type Info -Function $thisFunction if(-not $cert.HasPrivateKey) { $privateKeyFailed += $true $failureDetail += ($LocalizedData.NoPrivateKey) Write-Log -Message ($LocalizedData.NoPrivateKey) -Type Warn -Function $thisFunction } Else { # Check if certificate has been exported from user store. Write-Log -Message 'Private Key Exists, checking Local Machine Key Attribute' -Type Info -Function $thisFunction $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert) Write-Log -Message ('Private Key Provider: {0}' -f $key.Key.Provider) -Type Info -Function $thisFunction if(-not $key.Key.IsMachineKey) { $privateKeyFailed += $true $failureDetail += ($LocalizedData.NotMachineKeyStore) Write-Log -Message ($LocalizedData.NotMachineKeyStore) -Type Warn -Function $thisFunction } else { $privateKeyFailed += $false Write-Log -Message 'Private Key Exists and Local Machine Key Attribute exists' -Type Info -Function $thisFunction } if('CNG key' -notin $certConfig.ExcludeTests) { Write-Log -Message 'Checking PaaS for CNG key...' -Type Info -Function $thisFunction if($key.Key.Provider -eq 'Microsoft Software Key Storage Provider') { $privateKeyFailed += $true $failureDetail += "CNG Certificate detected, support for this certificate type may not currently be available. Please use https://docs.microsoft.com/en-us/azure/azure-stack/azure-stack-get-pki-certs to generate the certificates." Write-Log -Message 'Microsoft Software Key Storage Provider cannot be used for this certificate.' -Type Warn -Function $thisFunction } } } } catch { $privateKeyFailed += $true $failureDetail += $_.exception.message Write-Log -Message $failureDetail -Type Warn -Function $thisFunction } if ($privateKeyFailed -notcontains $true) { $result = 'OK' } else { $result = 'Fail' } } else { $result = 'SkippedByConfig' $failureDetail = ($LocalizedData.SkippedByConfig -f $test) Write-Log -Message $failureDetail -Type Info -Function $thisFunction } $hash = @{'Test' = $test; 'Result' = $result; 'FailureDetail' = $failureDetail; 'outputObject' = $null} $object = New-Object PSObject -Property $hash $object } function Test-CertificateChain { param ([Hashtable]$pfxData,[Hashtable]$certConfig) $thisFunction = $MyInvocation.MyCommand.Name $test = 'Cert Chain' if (!$certConfig -or (($certConfig.IncludeTests -eq 'All' -or $test -in $certConfig.IncludeTests) -and $test -notin $certConfig.ExcludeTests)) { Write-Log -Message 'Checking Certificate chain' -Type Info -Function $thisFunction # Check for chain of trust. Not validating signature algorithm on root or intermediates $otherCertificates = $pfxData.OtherCertificates $cert = $pfxData.EndEntityCertificates if(-not $otherCertificates) { Write-Log -Message 'No other certificates found in pfx' -Type Info -Function $thisFunction if($cert.Issuer -eq $cert.Subject) { $failureDetail = ($LocalizedData.SelfSignedCertificate -f $cert.Subject) Write-Log -Message $failureDetail -Type Warn -Function $thisFunction $result = 'Fail' } else { $result = 'Fail' $failureDetail = ($LocalizedData.NoChainOfTrust) Write-Log -Message $failureDetail -Type Warn -Function $thisFunction } } else { if ($cert.Issuer -in $otherCertificates.subject) { $result = 'OK' Write-Log -Message ('The issuer certificate from {0} is included in the PFX' -f $cert.Issuer) -Type Info -Function $thisFunction } Else { $result = 'Fail' $failureDetail = ($LocalizedData.NoChainOfTrust) Write-Log -Message $failureDetail -Type Warn -Function $thisFunction } } } else { $result = 'SkippedByConfig' $failureDetail = ($LocalizedData.SkippedByConfig -f $test) Write-Log -Message $failureDetail -Type Info -Function $thisFunction } $hash = @{'Test' = $test; 'Result' = $result; 'FailureDetail' = $failureDetail; 'outputObject' = $null} $object = New-Object PSObject -Property $hash $object } function Test-DNSNames { param ([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert,$ExpectedDomainFQDN,[Hashtable]$certConfig) $thisFunction = $MyInvocation.MyCommand.Name $test = 'DNS Names' if (!$certConfig -or (($certConfig.IncludeTests -eq 'All' -or $test -in $certConfig.IncludeTests) -and $test -notin $certConfig.ExcludeTests)) { # Get the records between cn="<records>" $records = @() $records = $cert.DnsNameList.Unicode $recordsString = $records -join ', ' Write-Log -Message ('DNS Names on certificate: {0}' -f $recordsString) -Type Info -Function $thisFunction $dnsNameFailed = @() foreach($prefix in $certConfig.DnsName) { # make prefix and fqdn array and join by '.' because if one doesn't exist it will not leave periods. if ($ExpectedDomainFQDN) { $fullExpectedRecord = ($prefix,$ExpectedDomainFQDN) -join '.' } else { $fullExpectedRecord = $prefix } Write-Log -Message ('Testing for full expected record: {0}' -f $fullExpectedRecord) -Type Info -Function $thisFunction if($records -eq $fullExpectedRecord) { $dnsNameFailed += $false Write-Log -Message ('Records: {0} match: {1}' -f $recordsString,($fullExpectedRecord -join ', ')) -Type Info -Function $thisFunction continue } elseif ($records -eq "*." + $fullExpectedRecord.split('.',2)[1]) { $dnsNameFailed += $false Write-Log -Message ('Records: {0} match wildcard: {1}' -f $recordsString,("\*." + $fullExpectedRecord.split('.',2)[1])) -Type Info -Function $thisFunction } else { $failureDetail += ($LocalizedData.MissingRecord -f @($recordsString, $fullExpectedRecord)) Write-Log -Message $failureDetail -Type Warn -Function $thisFunction $dnsNameFailed += $true } if ($prefix -eq 'adfs') { Write-Log -Message ('Testing ADFS certificate subject {0} for ADFS compatability' -f $cert.subject) -Type Info -Function $thisFunction if ($cert.SubjectName -notlike '*.*') { $dnsNameFailed += $true $failureDetail += ($LocalizedData.DotlessADFSSubject -f $cert.Subject,$fullExpectedRecord) Write-Log -Message ($LocalizedData.DotlessADFSSubject -f $cert.Subject,$fullExpectedRecord) -Type Warn -Function $thisFunction } else { Write-Log -Message ('ADFS certificate subject {0} compatible for ADFS' -f $cert.subject) -Type Info -Function $thisFunction } } } if ($dnsNameFailed -notcontains $true) { $result = 'OK' } else { $result = 'Fail' $failureDetail += ($LocalizedData.CheckDocumentation) } } else { $result = 'SkippedByConfig' $failureDetail = ($LocalizedData.SkippedByConfig -f $test) Write-Log -Message $failureDetail -Type Info -Function $thisFunction } $hash = @{'Test' = $test; 'Result' = $result; 'FailureDetail' = $failureDetail; 'outputObject' = $null} $object = New-Object PSObject -Property $hash $object } function Test-KeyUsage { param ([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert,[hashtable]$certConfig) $thisFunction = $MyInvocation.MyCommand.Name $test = 'Key Usage' if (!$certConfig -or (($certConfig.IncludeTests -eq 'All' -or $test -in $certConfig.IncludeTests) -and $test -notin $certConfig.ExcludeTests)) { # Validating KeyUsage should have Digital Signature, and Key Encipherment. # EnhancedKeyUsage should have Server Authentication and Client Authentication # Data Encipherment no longer required if ($certConfig.KeyUsage -eq 'default' -or $null -eq $certConfig.KeyUsage) { Write-Log -Message ('Testing for default Key Usage') -Type Info -Function $thisFunction $keyUsageArray = $certificateDefaults.KeyUsage.Keys } else { [array]$keyUsageArray = $certConfig.KeyUsage } if ($certConfig.EnhancedKeyUsage -eq 'default' -or $null -eq $certConfig.EnhancedKeyUsage) { Write-Log -Message ('Testing for default Enhanced Key Usage') -Type Info -Function $thisFunction $enhancedKeyUsageArray = $certificateDefaults.EnhancedKeyUsage.Keys | Foreach-Object { $certificateDefaults.EnhancedKeyUsage[$PSITEM].Oid } } else { Write-Log -Message ('Testing for custom Enhanced Key Usage') -Type Info -Function $thisFunction $certConfig.EnhancedKeyUsage = $certConfig.EnhancedKeyUsage | Foreach-Object { ConvertTo-Oid $PSITEM } [array]$enhancedKeyUsageArray = $certConfig.EnhancedKeyUsage | Foreach-Object { $PSITEM.Value } } # Create emtpy arrays for result handling. $keyUsageFailed = @() $failureDetail = @() $keyUsage = $cert.Extensions.KeyUsages $enhancedKeyUsage = $cert.EnhancedKeyUsageList.ObjectId # Check KeyUsage Write-Log -Message ('Testing for expected Key Usage {0}' -f ($keyUsageArray -join ',')) -Type Info -Function $thisFunction Write-Log -Message ('Certificate key usage is {0}' -f ($keyUsage -join ',')) -Type Info -Function $thisFunction foreach ($requiredKeyUsage in $keyUsageArray) { if ($keyUsage -notmatch $requiredKeyUsage) { $keyUsageFailed += $true $failureDetail += ($LocalizedData.IncorrectKeyUsage -f $keyUsage,($requiredKeyUsage -join ',')) Write-Log -Message $failureDetail -Type Warn -Function $thisFunction } else { $keyUsageFailed += $false } } # Check Enhanced KeyUsage Write-Log -Message ('Testing for expected Enhanced Key Usage {0}' -f (($certConfig.EnhancedKeyUsage | Foreach-Object { "{0} ({1})" -f $PSITEM.FriendlyName,$PSITEM.Value }) -join ',')) -Type Info -Function $thisFunction Write-Log -Message ('Certificate Enhanced key usage is {0}' -f ($enhancedKeyUsage -join ',')) -Type Info -Function $thisFunction foreach ($requiredEku in $enhancedKeyUsageArray) { if ($enhancedKeyUsage -notcontains $requiredEku) { $keyUsageFailed += $true if ($enhancedKeyUsage) { $CertFriendlyNames = $cert.EnhancedKeyUsageList.FriendlyName | Foreach-Object {if (!$PSITEM) { 'Custom Oid' }else { $PSITEM }} $RequiredUsageStrings = $certConfig.EnhancedKeyUsage | Foreach-Object { "{0} ({1})" -f $PSITEM.FriendlyName,$PSITEM.Value } $failureDetail += ($LocalizedData.IncorrectEnhancedKeyUsage -f ($CertFriendlyNames -join ','),($RequiredUsageStrings -join ',')) Write-Log -Message $failureDetail -Type Warn -Function $thisFunction } else { $failureDetail += ($LocalizedData.IncorrectEnhancedKeyUsage -f '[Missing]',($enhancedKeyUsageArray -join ',')) Write-Log -Message $failureDetail -Type Warn -Function $thisFunction } } else { $keyUsageFailed += $false } } # Check overall results if ($keyUsageFailed -notcontains $true) { $result = 'OK' Write-Log -Message 'Certificate key usage succeeded' -Type Info -Function $thisFunction } else { $result = 'Fail' Write-Log -Message 'Certificate key usage failed' -Type Warn -Function $thisFunction } } else { $result = 'SkippedByConfig' $failureDetail = ($LocalizedData.SkippedByConfig -f $test) Write-Log -Message $failureDetail -Type Info -Function $thisFunction } $hash = @{'Test' = $test; 'Result' = $result; 'FailureDetail' = ($failureDetail | Sort-Object | Get-Unique); 'outputObject' = $null} $object = New-Object PSObject -Property $hash $object } function Test-CertificateChainOrder { param ([Hashtable]$pfxData,[Hashtable]$certConfig) $thisFunction = $MyInvocation.MyCommand.Name $test = 'Chain Order' if (!$certConfig -or (($certConfig.IncludeTests -eq 'All' -or $test -in $certConfig.IncludeTests) -and $test -notin $certConfig.ExcludeTests)) { Write-Log -Message 'Checking Certificate Chain Order' -Type Info -Function $thisFunction # Validating cert chain order $otherCertificates = $pfxData.OtherCertificates if ($otherCertificates[-1].Issuer -ne $otherCertificates[-1].Subject) { $result = 'Fail' $failureDetail = ($LocalizedData.IncorrectCertChainOrder) Write-Log -Message $failureDetail -Type Warn -Function $thisFunction } Else { $result = 'OK' Write-Log -Message 'Certificate Chain Order succeeded' -Type Info -Function $thisFunction } } else { $result = 'SkippedByConfig' $failureDetail = ($LocalizedData.SkippedByConfig -f $test) Write-Log -Message $failureDetail -Type Info -Function $thisFunction } $hash = @{'Test' = $test; 'Result' = $result; 'FailureDetail' = $failureDetail; 'outputObject' = $null} $object = New-Object PSObject -Property $hash $object } Function Test-OtherCertificates { param ([Hashtable]$pfxData,[string]$ExpectedDomainFQDN,[Hashtable]$certConfig) $test = 'Other Certificates' $thisFunction = $MyInvocation.MyCommand.Name if (!$certConfig -or (($certConfig.IncludeTests -eq 'All' -or $test -in $certConfig.IncludeTests) -and $test -notin $certConfig.ExcludeTests)) { Write-Log -Message "Checking Pfx file for additional certificates" -Type Info -Function $thisFunction $otherCertificates = $pfxData.OtherCertificates $cert = $pfxData.EndEntityCertificates $allcerts = $otherCertificates + @($cert) $otherCertificatesFailed = @() foreach ($prefix in $certConfig.DNSName) { # Apply literal to any wildcard on the expect DNSName. # make prefix and fqdn array and join by '.' because if one doesn't exist it will not leave periods. if ($ExpectedDomainFQDN) { $expectedDNSName = (($prefix,$ExpectedDomainFQDN) -join '.') -replace "\*", "\*" } else { $expectedDNSName = $prefix -replace "\*", "\*" } Write-Log -Message "Checking Pfx file for additional certificate with context of DNS Name: $prefix.$ExpectedDomainFQDN" -Type Info -Function $thisFunction # Find expected certificate according to DNSName literally or by matching wildcard. $targetCert = $allcerts | Where-Object {$_.dnsnamelist.unicode -match $expectedDNSName -OR $_.dnsnamelist.unicode -match "\*." + $expectedDNSName.split('.',2)[1]} # Remove all certs that are the target cert or an issuer of any certificate in the array. $unexpectedCerts = $allcerts | Where-Object {$_.Subject -notin $allcerts.Issuer -AND $_.thumbprint -ne $targetCert.Thumbprint} # Find expected certs for logging. $validCerts = $allcerts | Where-Object {$_.thumbprint -notin $unexpectedCerts.thumbprint} if ($unexpectedCerts) { $otherCertificatesFailed += $true $failureDetail += ($LocalizedData.UnwantedCertificatesInPfx -f ($unexpectedCerts | Get-ThumbprintMask),($validCerts | Get-ThumbprintMask)) Write-Log -Message $failureDetail -Type Warning -Function $thisFunction } Else { $otherCertificatesFailed += $false } } if ($otherCertificatesFailed -notcontains $true) { $result = 'OK' Write-Log -Message ('No additional certificates were detected. Validcert thumbprints {0}' -f ($validCerts | Get-ThumbprintMask)) -Type Info -Function $thisFunction } else { $result = 'Fail' } } else { $result = 'SkippedByConfig' $failureDetail = ($LocalizedData.SkippedByConfig -f $test) Write-Log -Message $failureDetail -Type Info -Function $thisFunction } $hash = @{'Test' = $test; 'Result' = $result; 'FailureDetail' = $failureDetail; 'outputObject' = $null} $object = New-Object PSObject -Property $hash $object } function Test-KeySize { param ([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert,[Hashtable]$certConfig) $test = 'Key Length' $thisFunction = $MyInvocation.MyCommand.Name if ($certConfig.KeyLength -eq 'default' -or $null -eq $certConfig.KeyLength) { $keySizeLowerLimit = 2048 } else { [int]$keySizeLowerLimit = $certConfig.KeyLength } if (!$certConfig -or (($certConfig.IncludeTests -eq 'All' -or $test -in $certConfig.IncludeTests) -and $test -notin $certConfig.ExcludeTests)) { #get the key length of the public key. $keySize = $cert.publickey.key.KeySize Write-Log -Message ("Checking Certificate for Key Length {0}" -f $keySizeLowerLimit) -Type Info -Function $thisFunction Write-Log -Message ("Certificate Key Length {0}" -f $keySize) -Type Info -Function $thisFunction if ($keySize -lt $keySizeLowerLimit) { $result = 'Fail' $failureDetail = ($LocalizedData.WrongKeySize -f $keySize,$keySizeLowerLimit) Write-Log -Message $failureDetail -Type Warn -Function $thisFunction } else { $result = 'OK' Write-Log -Message 'Certificate Key Length succeeded' -Type Info -Function $thisFunction } } else { $result = 'SkippedByConfig' $failureDetail = ($LocalizedData.SkippedByConfig -f $test) Write-Log -Message $failureDetail -Type Info -Function $thisFunction } $hash = @{'Test' = $test; 'Result' = $result; 'FailureDetail' = $failureDetail; 'outputObject' = $null} $object = New-Object PSObject -Property $hash $object } function Test-PFXEncryption { # mandatory check param ($pfxFile, [ValidateNotNullOrEmpty()][SecureString]$pfxpassword,[Hashtable]$certConfig) $test = 'PFX Encryption' $thisFunction = $MyInvocation.MyCommand.Name if (!$certConfig -or (($certConfig.IncludeTests -eq 'All' -or $test -in $certConfig.IncludeTests) -and $test -notin $certConfig.ExcludeTests)) { Write-Log -Message ("Checking PFX Encryption is tripleDES-SHA1.") -Type Info -Function $thisFunction $networkCredential = New-Object System.Net.NetworkCredential -ArgumentList @("", $pfxpassword) $plainCertPassword = $networkCredential.Password try { $cmd = "-p {0} -dumpPFX `"{1}`"" -f $plainCertPassword,$pfxfile $certutilOutputPath = "$ENV:TEMP\AzsRCCertUtil.log" $null = Start-Process -FilePath certutil.exe ` -ArgumentList $cmd ` -WindowStyle Hidden ` -PassThru ` -Wait ` -RedirectStandardOutput $certutilOutputPath $certutilOutput = Get-Content -path $certutilOutputPath $TripleDESMatch = $certutilOutput | Select-String -SimpleMatch "1.2.840.113549.1.12.1.3" if ($TripleDESMatch) { Write-Log -Message ('PFX {0} Encryption is tripleDES-SHA1. CertUtil output {1}' -f $pfxFile,($TripleDESMatch -join ' ::Match:: ')) -Type Info -Function $thisFunction $result = 'OK' } else { if ($certutilOutput -match 'CertUtil: Unknown arg: -dumppfx') { $failureDetail = $LocalizedData.DumpPfxParamFail $result = 'Skipped' } else { $failureDetail = $LocalizedData.IncorrectPFXEncryption -f (($certutilOutput | Select-String -SimpleMatch "1.2.840.113549") -join "` r`n::Match:: ") $result = 'Warning' } Write-Log -Message $failureDetail -Type Warn -Function $thisFunction } } catch { Write-Log -Message ('Unable to determine PFX encryption. Run CertUtil -dumppfx <filename> to check encryption. Checking PFX encryption failed with exception: {0}`n OID dump: {1}' -f $_.exception,(($certutilOutput | Select-String -SimpleMatch "1.2.840.113549") -join "` r`n::Match:: ")) -Type Warn -Function $thisFunction $failureDetail = $LocalizedData.IncorrectPFXEncryption $result = 'Fail' } finally { Remove-item $certutilOutputPath -Force Clear-Variable -Name pfxFile } } else { $result = 'SkippedByConfig' $failureDetail = ($LocalizedData.SkippedByConfig -f $test) Write-Log -Message $failureDetail -Type Info -Function $thisFunction } $hash = @{'Test' = $test; 'Result' = $result; 'FailureDetail' = $failureDetail; 'outputObject' = $null} $object = New-Object PSObject -Property $hash $object } function Get-CDP { param ([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert) $crlext = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'CRL Distribution Points' } $crldata = $crlext.RawData for ($i = 0 ; $i -lt $crldata.Count ; $i++) { if ($crldata[$i] -eq 0x86) { if ($crldata[$i + 1] -band 0x80) { #long length $start = $i + 3 $end = $crldata[$i + 2] + $start - 1 } else { #short length $start = $i + 2 $end = $crldata[$i + 1] + $start - 1 } [System.Text.Encoding]::ASCII.GetString($crldata[$start..$end]) } } } function Test-HttpCdp { # fail if CDP HTTP is not present # fail if CDP HTTP is not contactable param ([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert,[Hashtable]$certConfig) $thisFunction = $MyInvocation.MyCommand.Name $test = 'HTTP CRL' if (!$certConfig -or (($certConfig.IncludeTests -eq 'All' -or $test -in $certConfig.IncludeTests) -and $test -notin $certConfig.ExcludeTests)) { $cdps = Get-CDP -cert $cert $httpCdp = $cdps | Where-Object {$_ -like 'http://*'} Write-Log -Message 'Checking Http CDP EndPoint' -Type Info -Function $thisFunction $failureDetail = @() if ($cdps) { if ($httpCdp) { $result = 'OK' Write-Log -Message ('HTTP exists {0}. Success.' -f ($httpCdp -join ',')) -Type Info -Function $thisFunction } else { $result = 'Fail' $failureDetail += $LocalizedData.HttpCdpFail -f ($cdps -join ',') Write-Log -Message ($failureDetail -join '. ') -Type Error -Function $thisFunction } } Else { $result = 'Skipped' $failureDetail = ($LocalizedData.NoCDP) Write-Log -Message $failureDetail -Type Warn -Function $thisFunction } } else { $result = 'SkippedByConfig' $failureDetail = ($LocalizedData.SkippedByConfig -f $test) Write-Log -Message $failureDetail -Type Info -Function $thisFunction } $hash = @{'Test' = $test; 'Result' = $result; 'FailureDetail' = $failureDetail; 'outputObject' = $null} $object = New-Object PSObject -Property $hash $object } function Import-AzsCertificate { param ($pfxPath, [securestring]$pfxPassword, [string]$CertStoreLocation = 'cert:\localmachine\trust') $thisFunction = $MyInvocation.MyCommand.Name try { Write-Log -Message ('Importing PFX certificate from {0} to {1}' -f $pfxPath,$CertStoreLocation) -Type Info -Function $thisFunction $certificate = Import-PfxCertificate -Exportable -CertStoreLocation $CertStoreLocation -Password $pfxPassword -FilePath $pfxPath Write-Log -Message 'Import complete' -Type Info -Function $thisFunction } catch { Write-Log -Message ('Import failed: {0}' -f $_.exception) -Type Error -Function $thisFunction } $certificate } function Export-AzsCertificate { param ($filePath, $certPath, [securestring]$pfxPassword) $thisFunction = $MyInvocation.MyCommand.Name try { Write-Log -Message ('Exporting PFX certificate from {0} to {1}' -f $certPath,$filePath) -Type Info -Function $thisFunction $null = Export-PfxCertificate -FilePath $filePath -ChainOption BuildChain -Cert $certPath -Password $pfxPassword -NoProperties -Force -CryptoAlgorithmOption TripleDES_SHA1 Write-Log -Message 'Export complete' -Type Info -Function $thisFunction } catch { if ($_.CategoryInfo.Reason -eq 'ParameterBindingException' -AND $_.Exception.ErrorId -eq 'NamedParameterNotFound' -AND $_.Exception.ParameterName -eq 'CryptoAlgorithmOption') { Write-Log -Message 'Unable to force Crypto Algorithm to TripleDES_SHA1. Retrying with default value.' -Type Warn -Function $thisFunction $null = Export-PfxCertificate -FilePath $filePath -ChainOption BuildChain -Cert $certPath -Password $pfxPassword -NoProperties -Force Write-Log -Message 'Export complete' -Type Info -Function $thisFunction } else { Write-Log -Message ('Export failed: {0}' -f $_.exception) -Type Error -Function $thisFunction } } } function Write-Result { param([psobject]$in) if ($in.test) { Write-Host ("`t{0}: " -f $($in.Test)) -noNewLine if ($in.Result -eq 'OK') { Write-Host 'OK' -foregroundcolor Green } elseif ($in.Result -eq 'WARNING') { Write-Host 'Warning' -foregroundcolor Yellow } elseif ($in.Result -eq 'Skipped') { Write-Host 'Skipped' -foregroundcolor White } elseif ($in.Result -eq 'SkippedByConfig') { Write-Host 'SkippedByConfig' -foregroundcolor DarkGray } else { Write-Host 'Fail' -foregroundcolor Red } } else { Write-Host "`Details:" $in | ForEach-Object {if($_){Write-Host "[-] $_" -foregroundcolor Yellow}} Write-Host ("Additional help URL {0}" -f "https://aka.ms/AzsRemediateCerts") } } function Write-Log { param([string]$Message, [string]$Type = 'verbose', [string]$Function ) # if InstallAzureStackCommon is loaded and ScriptLog global variable exists, # we are in install and will push to install log, otherwise, do a standalone log $pii = $($ENV:USERDNSDOMAIN),$($ENV:COMPUTERNAME),$($ENV:USERNAME),$($ENV:USERDOMAIN) | Foreach-Object { if ($null -ne $PSITEM) { $PSITEM } } $redact = $pii -join '|' $message = [regex]::replace($Message,$redact,"[*redacted*]") if ((-not $standalone) -AND (Get-Module InstallAzureStackCommon) -AND (Get-Variable -Name ScriptLog -Scope Global -ea SilentlyContinue)) { if ($type -match 'verbose|info') { Write-VerboseLog $message } elseif ($type -eq 'warn') { Write-WarningLog $message } elseif ($type -eq 'error') { Write-TerminatingErrorLog $message } } Else { $outfile = "$PSScriptRoot\CertChecker.log" $entry = "[{0}] [{1}] [{2}] {3}" -f ([datetime]::now).tostring(), $type, $function, $Message $entry | Out-File -FilePath $outfile -Append -Force } } function Get-ThumbprintMask { [cmdletbinding()] [OutputType([string])] Param ([Parameter(ValueFromPipelinebyPropertyName=$True)]$thumbprint) Begin { $thumbprintMasks = @() } Process { $thumbprintMasks += foreach ($thumb in $thumbprint) { try { if (($thumb.length - 12) -gt 0) { $firstSix = $thumb.Substring(0,6) $lastSix = $thumb.Substring(($thumb.length - 6),6) $middleN = '*' * ($thumb.length - 12) $thumbprintMask = '{0}{1}{2}' -f $firstSix,$middleN, $lastSix } else { throw ("Error applying thumbprint mask from thumbprint starting with {0} and length of {1}" -f $thumbprint.Substring(0,10),$thumbprint.Length) } } catch { $_.exception } $thumbprintMask } } End { $thumbprintMasks -join ',' } } function Open-PfxData { param ([byte[]]$certificateBinary, [securestring]$certificatePassword) $thisFunction = $MyInvocation.MyCommand.Name $Source = @' using System; using System.Runtime.InteropServices; namespace AzureStack.PartnerToolkit { [StructLayout(LayoutKind.Sequential)] public struct CRYPT_DATA_BLOB { public int cbData; public IntPtr pbData; } public class Crypto { [DllImport("Crypt32.dll", SetLastError = true)] public static extern IntPtr PFXImportCertStore( ref CRYPT_DATA_BLOB pPfx, [MarshalAs(UnmanagedType.LPWStr)] String szPassword, uint dwFlags); [DllImport("Crypt32.DLL", SetLastError = true)] public static extern IntPtr CertEnumCertificatesInStore( IntPtr storeProvider, IntPtr prevCertContext ); [DllImport("Crypt32.dll", SetLastError = true)] public static extern Boolean CertCloseStore( IntPtr hCertStore, Int32 dwFlags ); [DllImport("CRYPT32.DLL", EntryPoint = "CertGetCertificateContextProperty", CharSet = CharSet.Unicode, SetLastError = true)] [return: MarshalAs(UnmanagedType.Bool)] public static extern Boolean CertGetCertificateContextProperty( [In] IntPtr pCertContext, [In] Int32 dwPropId, [Out] IntPtr pvData, [In, Out] ref Int32 pcbData); } } '@ Add-Type -TypeDefinition $Source -Language CSharp Write-Log -Message "Marshalling PFX binary..." -Type Verbose -Function $thisFunction $pPfxBinary = New-Object AzureStack.PartnerToolkit.CRYPT_DATA_BLOB $pPfxBinary.cbData = $certificateBinary.Length $pPfxBinary.pbData = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($certificateBinary.Length) [System.Runtime.InteropServices.Marshal]::Copy($certificateBinary, 0, $pPfxBinary.pbData, $certificateBinary.Length) Write-Log -Message "Convert cert password to string..." -Type Verbose -Function $thisFunction if ($certificatePassword) { $networkCredential = New-Object System.Net.NetworkCredential -ArgumentList @("", $certificatePassword) $plainCertPassword = $networkCredential.Password } else { $plainCertPassword = "" } try { # PKCS12_OBJECT_LOCATOR_ALL_IMPORT_FLAGS (0x8250) | CRYPT_EXPORTABLE (0x00000001) # PKCS12_OBJECT_LOCATOR_ALL_IMPORT_FLAGS = # PKCS12_ALWAYS_CNG_KSP (0x00000200) | # PKCS12_NO_PERSIST_KEY (0x00008000) | # PKCS12_IMPORT_SILENT (0x00000040) | # PKCS12_INCLUDE_EXTENDED_PROPERTIES (0x0010) $importFlag = 0x8251 Write-Log -Message "Parsing PFX binary with flag $importFlag ..." -Type Verbose -Function $thisFunction $hCertStore = [AzureStack.PartnerToolkit.Crypto]::PFXImportCertStore([ref]$pPfxBinary, $plainCertPassword, $importFlag) if ($hCertStore -eq [System.IntPtr]::Zero) { $ErrorCode = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error() if (-not $plainCertPassword) { # PKCS12_ONLY_NOT_ENCRYPTED_CERTIFICATES (0x0800) | PKCS12_INCLUDE_EXTENDED_PROPERTIES (0x00000010) $importFlag = 0x0810 Write-Log -Message "Parsing PFX binary with error. Try to parse without password with flag $importFlag again..." -Type Verbose -Function $thisFunction $hCertStore = [AzureStack.PartnerToolkit.Crypto]::PFXImportCertStore([ref]$pPfxBinary, $plainCertPassword, $importFlag) } if ($hCertStore -eq [System.IntPtr]::Zero) { return @{ Success = $false ErrorCode = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error() } } } Write-Log -Message "Retrieving the certs from the temp store..." -Type Verbose -Function $thisFunction $ret = @{ EndEntityCertificates = @() OtherCertificates = @() } $currentCertContext = 0 while ($true) { $currentCertContext = [System.IntPtr]([AzureStack.PartnerToolkit.Crypto]::CertEnumCertificatesInStore($hCertStore, $currentCertContext)) if ($currentCertContext -ne [System.IntPtr]::Zero) { $newCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @($currentCertContext) if (Get-EndEntityCertificate $currentCertContext) { $ret.EndEntityCertificates += @($newCert); } else { $ret.OtherCertificates += @($newCert); } continue } break } $ret.Success = $true return $ret } finally { if ($hCertStore -ne [System.IntPtr]::Zero) { if (-not ([AzureStack.PartnerToolkit.Crypto]::CertCloseStore($hCertStore, 0))) { $ErrorCode = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error() Write-Log -Message "Close cert store with error code $ErrorCode" -Type Warning -Function $thisFunction } } } } function Get-EndEntityCertificate { param ([System.IntPtr] $pCertificate) $privateKeyPropIds = @( 5, # CERT_KEY_CONTEXT_PROP_ID 2 # CERT_KEY_PROV_INFO_PROP_ID ) foreach ($propId in $privateKeyPropIds) { $cbData = 0 if ([AzureStack.PartnerToolkit.Crypto]::CertGetCertificateContextProperty( $pCertificate, $propId, [System.IntPtr]::Zero, [ref]$cbData)) { return $true } } return $false } function New-CertificateCollection { param ([hashtable]$pfxdata) $thisFunction = $MyInvocation.MyCommand.Name #create array of all certificates from pfx package $otherCertificates = $pfxData.OtherCertificates $cert = $pfxData.EndEntityCertificates $allcerts = $otherCertificates + @($cert) Write-Log -Message ('Building certificate collection.') -Type Info -Function $thisFunction # create collection of all certificates $collection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection $allcerts | ForEach-Object {$collection.add($PSITEM) | Out-Null} Write-Log -Message ('Building certificate collection complete.') -Type Info -Function $thisFunction #return collection return $collection } function Test-TrustedChain { #Function to test certificate chain, will retry (configurable) 3 times with (configurable) 5 seconds intervals param ([Security.Cryptography.X509Certificates.X509Chain]$chain,[System.Security.Cryptography.X509Certificates.X509Certificate2]$cert,[int]$retryCount = 3,[int]$intervalSeconds = 5,[Hashtable]$certConfig ) $thisFunction = $MyInvocation.MyCommand.Name $test = 'Trusted Chain' if (!$certConfig -or (($certConfig.IncludeTests -eq 'All' -or $test -in $certConfig.IncludeTests) -and $test -notin $certConfig.ExcludeTests)) { Write-Log -Message ('Testing Chain Trust for {0}' -f ($cert | Get-ThumbprintMask)) -Type Info -Function $thisFunction $failureDetail = @() try { #create empty chain is one was not passed to the function if(-not $chain) { $chain = New-Object Security.Cryptography.X509Certificates.X509Chain } if ($chain.ChainPolicy.extrastore) { Write-Log -Message $localizedData.ChainCheckExtraStore -Type Info -Function $thisfunction } else { Write-Log -Message $localizedData.ChainCheckNoStore -Type Info -Function $thisfunction } # If no CDP info exists on the certificate disable the revocation check. $cdpInfo = $cert.Extensions | Where-Object {$_.oid.Value -eq '2.5.29.31'} if (-not $cdpInfo) { $chain.ChainPolicy.RevocationMode = 'NoCheck' Write-Log -Message $localizedData.RevocationModeNoCheck -Type Warn -Function $thisfunction } else { Write-Log -Message $localizedData.RevocationModeDefault -Type Info -Function $thisfunction } # Attempt to build the chain do { $chainResult = $chain.build($cert) $chainFailureReasons = $chain.ChainStatus.status $retry++ #sleep if unsuccessful and none CRL error present if (-not $chainResult -AND $retry -lt $retryCount -AND $chainFailureReasons) { Write-Log -Message ($localizedData.ChainCheckRetry -f ($chainFailureReasons -join ','),$retry) -Type Warn -Function $thisfunction start-Sleep -Seconds $intervalSeconds } } while (-not $chainResult -AND $retry -le $retryCount) #Interpret result if ($chainResult) { Write-Log -Message $localizedData.ChainCheckSuccess -Type Info -Function $thisfunction $result = 'OK' } else { Write-Log -Message ($localizedData.ChainCheckFailed -f ($chainFailureReasons -join ',')) -Type Warn -Function $thisfunction $failureDetail = $chain.ChainStatus.StatusInformation -join '' $result = 'Fail' } # Downgrade result and add failure detail if revocation was disabled if ($chain.ChainPolicy.RevocationMode -eq 'NoCheck') { switch ( $result ) { 'OK' {$result = 'Warning'} 'Fail' {$result = 'Fail'} } $failureDetail += $localizedData.RevocationModeNoCheck } } catch { $result = 'Fail' $failureDetail = ($localizedData.TestException -f $test, $_.exception) Write-Log -Message $failureDetail -Type Warn -Function $thisFunction } finally { if ($chain) { $chain.Dispose() } } } else { $result = 'SkippedByConfig' $failureDetail = ($LocalizedData.SkippedByConfig -f $test) Write-Log -Message $failureDetail -Type Info -Function $thisFunction } $hash = @{'Result' = $result; 'test' = $test; 'failuredetail' = $failureDetail; 'outputObject' = $chain} $object = New-Object PSObject -Property $hash $object } function Test-CertificateRoot { #test if root is the same as stored on ercs machine param ($pfx, [ValidateScript({Test-Path -Path $_ -PathType Container})] $rootpath = "$ENV:SystemDrive\ExternalCerts\Root", [Hashtable]$certConfig ) $thisFunction = $MyInvocation.MyCommand.Name $test = 'Match Root' if (!$certConfig -or (($certConfig.IncludeTests -eq 'All' -or $test -in $certConfig.IncludeTests) -and $test -notin $certConfig.ExcludeTests)) { try { $rootCerts = Get-ChildItem -Path $rootpath -Recurse -Filter *.cer Write-Log -Message ($LocalizedData.RootCertificateFoundOnStamp -f $rootCerts.count, $rootpath) -Type Info -Function $thisFunction if (-not $rootCerts) { $result = 'Fail' $failureDetail = ($LocalizedData.RootCertNotOnDisk -f $rootpath) } else { foreach ($rootCert in $rootCerts) { Write-Log -Message ("Loading {0} for same root comparison" -f $rootCert.fullname) -Type Info -Function $thisFunction $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($rootCert.fullname) $rootThumbprint = $cert.Thumbprint $pfxIssuer = $pfx.OtherCertificates | Where-Object subject -eq $pfx.EndEntityCertificates.Issuer if ($pfxIssuer.thumbprint -eq $rootThumbprint) { Write-Log -Message ($LocalizedData.RootCertificateMatch -f ($pfxIssuer | Get-ThumbprintMask),($cert | Get-ThumbprintMask)) -Type Info -Function $thisFunction $result = 'OK' break } else { $failureDetail = $LocalizedData.RootCertificateNotMatch -f ($pfxIssuer | Get-ThumbprintMask),($cert | Get-ThumbprintMask) Write-Log -Message $failureDetail -Type Warn -Function $thisFunction $result = 'Fail' } } } } catch { $result = 'Fail' $failureDetail = ($localizedData.TestException -f $test, $_.exception.message) Write-Log -Message $failureDetail -Type Warn -Function $thisFunction } } else { $result = 'SkippedByConfig' $failureDetail = ($LocalizedData.SkippedByConfig -f $test) Write-Log -Message $failureDetail -Type Info -Function $thisFunction } $hash = @{'Result' = $result; 'test' = $test; 'failuredetail' = $failureDetail; 'outputObject' = $null} $object = New-Object PSObject -Property $hash $object } function Test-CertificateExpiry { # block if certificate expiry <= threshold (default 7 days) param ([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert,[int]$expiryThresholdDays = 7,[Hashtable]$certConfig) $thisFunction = $MyInvocation.MyCommand.Name $test = 'Expiry Date' if (!$certConfig -or (($certConfig.IncludeTests -eq 'All' -or $test -in $certConfig.IncludeTests) -and $test -notin $certConfig.ExcludeTests)) { try { $thresholdDateTime = [System.DateTime]::Now.AddDays($expiryThresholdDays) $certExpiry = $cert.NotAfter if ($certExpiry -le $thresholdDateTime) { $result = 'Fail' Write-Log -Message ($localizedData.ExpiryFailure -f $certExpiry,($cert | Get-ThumbprintMask),$thresholdDateTime ) -Type Warn -Function $thisFunction if ($certExpiry -le [System.DateTime]::Now) { $failureDetail = $localizedData.ExpiredFailureDetail } else { $failureDetail = $localizedData.ExpiryFailureDetail -f $certExpiry, $expiryThresholdDays } } else { $result = 'OK' Write-Log -Message ($localizedData.ExpirySuccess -f $certExpiry,($cert | Get-ThumbprintMask),$thresholdDateTime ) -Type Info -Function $thisFunction } } catch { $result = 'Fail' $failureDetail = ($localizedData.TestException -f $test, $_.exception.message) Write-Log -Message $failureDetail -Type Warn -Function $thisFunction } } else { $result = 'SkippedByConfig' $failureDetail = ($LocalizedData.SkippedByConfig -f $test) Write-Log -Message $failureDetail -Type Info -Function $thisFunction } $hash = @{'Result' = $result; 'test' = $test; 'failuredetail' = $failureDetail; 'outputObject' = $null} $object = New-Object PSObject -Property $hash $object } function ConvertTo-Oid { param ($in) $thisFunction = $MyInvocation.MyCommand.Name try { # user may have passed in Write-Log -Message $in -Type Info -Function $thisFunction if ($in -is [string]) { $oid = [System.Security.Cryptography.Oid]::new($in) if (!$oid.FriendlyName -or !$oid.Value) { throw ("Unable to convert {0} into Oid" -f $in) } } elseif ($in -is [Hashtable]) { $oid = $in.Keys | ForEach-Object { [System.Security.Cryptography.Oid]::new($in[$PSITEM],$PSITEM) } } else { throw ("Unable to convert {0} into Oid" -f $in) } return $oid } catch { throw ("Unable to convert {0} into Oid. Make sure the input has a valid name and Oid. Error {1}" -f $in,$_.exception.message) } } # SIG # Begin signature block # MIInvwYJKoZIhvcNAQcCoIInsDCCJ6wCAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG # KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCC7LZpSGdLoUJsn # RgFbiLz/beOuCnlh/cEApQ0gEACRMaCCDXYwggX0MIID3KADAgECAhMzAAADrzBA # DkyjTQVBAAAAAAOvMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD # VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25p # bmcgUENBIDIwMTEwHhcNMjMxMTE2MTkwOTAwWhcNMjQxMTE0MTkwOTAwWjB0MQsw # CQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9u # ZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYDVQQDExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB # AQDOS8s1ra6f0YGtg0OhEaQa/t3Q+q1MEHhWJhqQVuO5amYXQpy8MDPNoJYk+FWA # hePP5LxwcSge5aen+f5Q6WNPd6EDxGzotvVpNi5ve0H97S3F7C/axDfKxyNh21MG # 0W8Sb0vxi/vorcLHOL9i+t2D6yvvDzLlEefUCbQV/zGCBjXGlYJcUj6RAzXyeNAN # xSpKXAGd7Fh+ocGHPPphcD9LQTOJgG7Y7aYztHqBLJiQQ4eAgZNU4ac6+8LnEGAL # go1ydC5BJEuJQjYKbNTy959HrKSu7LO3Ws0w8jw6pYdC1IMpdTkk2puTgY2PDNzB # tLM4evG7FYer3WX+8t1UMYNTAgMBAAGjggFzMIIBbzAfBgNVHSUEGDAWBgorBgEE # AYI3TAgBBggrBgEFBQcDAzAdBgNVHQ4EFgQURxxxNPIEPGSO8kqz+bgCAQWGXsEw # RQYDVR0RBD4wPKQ6MDgxHjAcBgNVBAsTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEW # MBQGA1UEBRMNMjMwMDEyKzUwMTgyNjAfBgNVHSMEGDAWgBRIbmTlUAXTgqoXNzci # tW2oynUClTBUBgNVHR8ETTBLMEmgR6BFhkNodHRwOi8vd3d3Lm1pY3Jvc29mdC5j # b20vcGtpb3BzL2NybC9NaWNDb2RTaWdQQ0EyMDExXzIwMTEtMDctMDguY3JsMGEG # CCsGAQUFBwEBBFUwUzBRBggrBgEFBQcwAoZFaHR0cDovL3d3dy5taWNyb3NvZnQu # Y29tL3BraW9wcy9jZXJ0cy9NaWNDb2RTaWdQQ0EyMDExXzIwMTEtMDctMDguY3J0 # MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggIBAISxFt/zR2frTFPB45Yd # mhZpB2nNJoOoi+qlgcTlnO4QwlYN1w/vYwbDy/oFJolD5r6FMJd0RGcgEM8q9TgQ # 2OC7gQEmhweVJ7yuKJlQBH7P7Pg5RiqgV3cSonJ+OM4kFHbP3gPLiyzssSQdRuPY # 1mIWoGg9i7Y4ZC8ST7WhpSyc0pns2XsUe1XsIjaUcGu7zd7gg97eCUiLRdVklPmp # XobH9CEAWakRUGNICYN2AgjhRTC4j3KJfqMkU04R6Toyh4/Toswm1uoDcGr5laYn # TfcX3u5WnJqJLhuPe8Uj9kGAOcyo0O1mNwDa+LhFEzB6CB32+wfJMumfr6degvLT # e8x55urQLeTjimBQgS49BSUkhFN7ois3cZyNpnrMca5AZaC7pLI72vuqSsSlLalG # OcZmPHZGYJqZ0BacN274OZ80Q8B11iNokns9Od348bMb5Z4fihxaBWebl8kWEi2O # PvQImOAeq3nt7UWJBzJYLAGEpfasaA3ZQgIcEXdD+uwo6ymMzDY6UamFOfYqYWXk # ntxDGu7ngD2ugKUuccYKJJRiiz+LAUcj90BVcSHRLQop9N8zoALr/1sJuwPrVAtx # HNEgSW+AKBqIxYWM4Ev32l6agSUAezLMbq5f3d8x9qzT031jMDT+sUAoCw0M5wVt # CUQcqINPuYjbS1WgJyZIiEkBMIIHejCCBWKgAwIBAgIKYQ6Q0gAAAAAAAzANBgkq # hkiG9w0BAQsFADCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24x # EDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlv # bjEyMDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5 # IDIwMTEwHhcNMTEwNzA4MjA1OTA5WhcNMjYwNzA4MjEwOTA5WjB+MQswCQYDVQQG # EwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwG # A1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSgwJgYDVQQDEx9NaWNyb3NvZnQg # Q29kZSBTaWduaW5nIFBDQSAyMDExMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC # CgKCAgEAq/D6chAcLq3YbqqCEE00uvK2WCGfQhsqa+laUKq4BjgaBEm6f8MMHt03 # a8YS2AvwOMKZBrDIOdUBFDFC04kNeWSHfpRgJGyvnkmc6Whe0t+bU7IKLMOv2akr # rnoJr9eWWcpgGgXpZnboMlImEi/nqwhQz7NEt13YxC4Ddato88tt8zpcoRb0Rrrg # OGSsbmQ1eKagYw8t00CT+OPeBw3VXHmlSSnnDb6gE3e+lD3v++MrWhAfTVYoonpy # 4BI6t0le2O3tQ5GD2Xuye4Yb2T6xjF3oiU+EGvKhL1nkkDstrjNYxbc+/jLTswM9 # sbKvkjh+0p2ALPVOVpEhNSXDOW5kf1O6nA+tGSOEy/S6A4aN91/w0FK/jJSHvMAh # dCVfGCi2zCcoOCWYOUo2z3yxkq4cI6epZuxhH2rhKEmdX4jiJV3TIUs+UsS1Vz8k # A/DRelsv1SPjcF0PUUZ3s/gA4bysAoJf28AVs70b1FVL5zmhD+kjSbwYuER8ReTB # w3J64HLnJN+/RpnF78IcV9uDjexNSTCnq47f7Fufr/zdsGbiwZeBe+3W7UvnSSmn # Eyimp31ngOaKYnhfsi+E11ecXL93KCjx7W3DKI8sj0A3T8HhhUSJxAlMxdSlQy90 # lfdu+HggWCwTXWCVmj5PM4TasIgX3p5O9JawvEagbJjS4NaIjAsCAwEAAaOCAe0w # ggHpMBAGCSsGAQQBgjcVAQQDAgEAMB0GA1UdDgQWBBRIbmTlUAXTgqoXNzcitW2o # ynUClTAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYD # VR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBRyLToCMZBDuRQFTuHqp8cx0SOJNDBa # BgNVHR8EUzBRME+gTaBLhklodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2Ny # bC9wcm9kdWN0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFfMDNfMjIuY3JsMF4GCCsG # AQUFBwEBBFIwUDBOBggrBgEFBQcwAoZCaHR0cDovL3d3dy5taWNyb3NvZnQuY29t # L3BraS9jZXJ0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFfMDNfMjIuY3J0MIGfBgNV # HSAEgZcwgZQwgZEGCSsGAQQBgjcuAzCBgzA/BggrBgEFBQcCARYzaHR0cDovL3d3 # dy5taWNyb3NvZnQuY29tL3BraW9wcy9kb2NzL3ByaW1hcnljcHMuaHRtMEAGCCsG # AQUFBwICMDQeMiAdAEwAZQBnAGEAbABfAHAAbwBsAGkAYwB5AF8AcwB0AGEAdABl # AG0AZQBuAHQALiAdMA0GCSqGSIb3DQEBCwUAA4ICAQBn8oalmOBUeRou09h0ZyKb # C5YR4WOSmUKWfdJ5DJDBZV8uLD74w3LRbYP+vj/oCso7v0epo/Np22O/IjWll11l # hJB9i0ZQVdgMknzSGksc8zxCi1LQsP1r4z4HLimb5j0bpdS1HXeUOeLpZMlEPXh6 # I/MTfaaQdION9MsmAkYqwooQu6SpBQyb7Wj6aC6VoCo/KmtYSWMfCWluWpiW5IP0 # wI/zRive/DvQvTXvbiWu5a8n7dDd8w6vmSiXmE0OPQvyCInWH8MyGOLwxS3OW560 # STkKxgrCxq2u5bLZ2xWIUUVYODJxJxp/sfQn+N4sOiBpmLJZiWhub6e3dMNABQam # ASooPoI/E01mC8CzTfXhj38cbxV9Rad25UAqZaPDXVJihsMdYzaXht/a8/jyFqGa # J+HNpZfQ7l1jQeNbB5yHPgZ3BtEGsXUfFL5hYbXw3MYbBL7fQccOKO7eZS/sl/ah # XJbYANahRr1Z85elCUtIEJmAH9AAKcWxm6U/RXceNcbSoqKfenoi+kiVH6v7RyOA # 9Z74v2u3S5fi63V4GuzqN5l5GEv/1rMjaHXmr/r8i+sLgOppO6/8MO0ETI7f33Vt # Y5E90Z1WTk+/gFcioXgRMiF670EKsT/7qMykXcGhiJtXcVZOSEXAQsmbdlsKgEhr # /Xmfwb1tbWrJUnMTDXpQzTGCGZ8wghmbAgEBMIGVMH4xCzAJBgNVBAYTAlVTMRMw # EQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVN # aWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNp # Z25pbmcgUENBIDIwMTECEzMAAAOvMEAOTKNNBUEAAAAAA68wDQYJYIZIAWUDBAIB # BQCgga4wGQYJKoZIhvcNAQkDMQwGCisGAQQBgjcCAQQwHAYKKwYBBAGCNwIBCzEO # MAwGCisGAQQBgjcCARUwLwYJKoZIhvcNAQkEMSIEIMOrcvL0sL7nm+MLO15BdSgJ # 8LaRkhVe0uc2dDeGK5vfMEIGCisGAQQBgjcCAQwxNDAyoBSAEgBNAGkAYwByAG8A # cwBvAGYAdKEagBhodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20wDQYJKoZIhvcNAQEB # BQAEggEAzcK1yCveOEC+t4ctybaPlvMY8jBYaimeDBeocWBbg+sJqogtNACflBpS # cObL41nR1wWRjXNTCsjR4RExh41brqqnmJEJhm1DHH33MFzYMlOjFKQaWYV8qucv # vWJshgZU6K8N9BtF+5ZaHzcTZGPITbPO3qTD/PTalSJwldmhgPFzxtJhlrNAKAe9 # 4I0qgR3fpPzZkSAWbBiRu8JzIYyBbcDyYQe9pPEyXh5CGRU2Ufdi7EjaqJdsxn2M # S/XP/ryBcT+n7SbAapDwb1Rpv57O0v1C380sex1abBg6oLhoyQg5IHt058MdoRfy # Vl6Dc6iwnqBzMiFM8hb5no1ThceFGaGCFykwghclBgorBgEEAYI3AwMBMYIXFTCC # FxEGCSqGSIb3DQEHAqCCFwIwghb+AgEDMQ8wDQYJYIZIAWUDBAIBBQAwggFZBgsq # hkiG9w0BCRABBKCCAUgEggFEMIIBQAIBAQYKKwYBBAGEWQoDATAxMA0GCWCGSAFl # AwQCAQUABCCI1iNt1byF0x/Ersb+V8eEJgYdfzFpDBiU4Np/Y8j8KwIGZlcWLlbR # GBMyMDI0MDYwODA3MDkwMi43MjhaMASAAgH0oIHYpIHVMIHSMQswCQYDVQQGEwJV # UzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UE # ChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMS0wKwYDVQQLEyRNaWNyb3NvZnQgSXJl # bGFuZCBPcGVyYXRpb25zIExpbWl0ZWQxJjAkBgNVBAsTHVRoYWxlcyBUU1MgRVNO # OjhENDEtNEJGNy1CM0I3MSUwIwYDVQQDExxNaWNyb3NvZnQgVGltZS1TdGFtcCBT # ZXJ2aWNloIIReDCCBycwggUPoAMCAQICEzMAAAHj372bmhxogyIAAQAAAeMwDQYJ # KoZIhvcNAQELBQAwfDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24x # EDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlv # bjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIwMTAwHhcNMjMx # MDEyMTkwNzI5WhcNMjUwMTEwMTkwNzI5WjCB0jELMAkGA1UEBhMCVVMxEzARBgNV # BAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jv # c29mdCBDb3Jwb3JhdGlvbjEtMCsGA1UECxMkTWljcm9zb2Z0IElyZWxhbmQgT3Bl # cmF0aW9ucyBMaW1pdGVkMSYwJAYDVQQLEx1UaGFsZXMgVFNTIEVTTjo4RDQxLTRC # RjctQjNCNzElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUtU3RhbXAgU2VydmljZTCC # AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL6kDWgeRp+fxSBUD6N/yuEJ # pXggzBeNG5KB8M9AbIWeEokJgOghlMg8JmqkNsB4Wl1NEXR7cL6vlPCsWGLMhyqm # scQu36/8h2bx6TU4M8dVZEd6V4U+l9gpte+VF91kOI35fOqJ6eQDMwSBQ5c9ElPF # UijTA7zV7Y5PRYrS4FL9p494TidCpBEH5N6AO5u8wNA/jKO94Zkfjgu7sLF8SUdr # c1GRNEk2F91L3pxR+32FsuQTZi8hqtrFpEORxbySgiQBP3cH7fPleN1NynhMRf6T # 7XC1L0PRyKy9MZ6TBWru2HeWivkxIue1nLQb/O/n0j2QVd42Zf0ArXB/Vq54gQ8J # IvUH0cbvyWM8PomhFi6q2F7he43jhrxyvn1Xi1pwHOVsbH26YxDKTWxl20hfQLdz # z4RVTo8cFRMdQCxlKkSnocPWqfV/4H5APSPXk0r8Cc/cMmva3g4EvupF4ErbSO0U # NnCRv7UDxlSGiwiGkmny53mqtAZ7NLePhFtwfxp6ATIojl8JXjr3+bnQWUCDCd5O # ap54fGeGYU8KxOohmz604BgT14e3sRWABpW+oXYSCyFQ3SZQ3/LNTVby9ENsuEh2 # UIQKWU7lv7chrBrHCDw0jM+WwOjYUS7YxMAhaSyOahpbudALvRUXpQhELFoO6tOx # /66hzqgjSTOEY3pu46BFAgMBAAGjggFJMIIBRTAdBgNVHQ4EFgQUsa4NZr41Fbeh # Z8Y+ep2m2YiYqQMwHwYDVR0jBBgwFoAUn6cVXQBeYl2D9OXSZacbUzUZ6XIwXwYD # VR0fBFgwVjBUoFKgUIZOaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9j # cmwvTWljcm9zb2Z0JTIwVGltZS1TdGFtcCUyMFBDQSUyMDIwMTAoMSkuY3JsMGwG # CCsGAQUFBwEBBGAwXjBcBggrBgEFBQcwAoZQaHR0cDovL3d3dy5taWNyb3NvZnQu # Y29tL3BraW9wcy9jZXJ0cy9NaWNyb3NvZnQlMjBUaW1lLVN0YW1wJTIwUENBJTIw # MjAxMCgxKS5jcnQwDAYDVR0TAQH/BAIwADAWBgNVHSUBAf8EDDAKBggrBgEFBQcD # CDAOBgNVHQ8BAf8EBAMCB4AwDQYJKoZIhvcNAQELBQADggIBALe+my6p1NPMEW1t # 70a8Y2hGxj6siDSulGAs4UxmkfzxMAic4j0+GTPbHxk193mQ0FRPa9dtbRbaezV0 # GLkEsUWTGF2tP6WsDdl5/lD4wUQ76ArFOencCpK5svE0sO0FyhrJHZxMLCOclvd6 # vAIPOkZAYihBH/RXcxzbiliOCr//3w7REnsLuOp/7vlXJAsGzmJesBP/0ERqxjKu # dPWuBGz/qdRlJtOl5nv9NZkyLig4D5hy9p2Ec1zaotiLiHnJ9mlsJEcUDhYj8PnY # nJjjsCxv+yJzao2aUHiIQzMbFq+M08c8uBEf+s37YbZQ7XAFxwe2EVJAUwpWjmtJ # 3b3zSWTMmFWunFr2aLk6vVeS0u1MyEfEv+0bDk+N3jmsCwbLkM9FaDi7q2HtUn3z # 6k7AnETc28dAvLf/ioqUrVYTwBrbRH4XVFEvaIQ+i7esDQicWW1dCDA/J3xOoCEC # V68611jriajfdVg8o0Wp+FCg5CAUtslgOFuiYULgcxnqzkmP2i58ZEa0rm4LZymH # BzsIMU0yMmuVmAkYxbdEDi5XqlZIupPpqmD6/fLjD4ub0SEEttOpg0np0ra/MNCf # v/tVhJtz5wgiEIKX+s4akawLfY+16xDB64Nm0HoGs/Gy823ulIm4GyrUcpNZxnXv # E6OZMjI/V1AgSAg8U/heMWuZTWVUMIIHcTCCBVmgAwIBAgITMwAAABXF52ueAptJ # mQAAAAAAFTANBgkqhkiG9w0BAQsFADCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgT # Cldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29m # dCBDb3Jwb3JhdGlvbjEyMDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlmaWNh # dGUgQXV0aG9yaXR5IDIwMTAwHhcNMjEwOTMwMTgyMjI1WhcNMzAwOTMwMTgzMjI1 # WjB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMH # UmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQD # Ex1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMDCCAiIwDQYJKoZIhvcNAQEB # BQADggIPADCCAgoCggIBAOThpkzntHIhC3miy9ckeb0O1YLT/e6cBwfSqWxOdcjK # NVf2AX9sSuDivbk+F2Az/1xPx2b3lVNxWuJ+Slr+uDZnhUYjDLWNE893MsAQGOhg # fWpSg0S3po5GawcU88V29YZQ3MFEyHFcUTE3oAo4bo3t1w/YJlN8OWECesSq/XJp # rx2rrPY2vjUmZNqYO7oaezOtgFt+jBAcnVL+tuhiJdxqD89d9P6OU8/W7IVWTe/d # vI2k45GPsjksUZzpcGkNyjYtcI4xyDUoveO0hyTD4MmPfrVUj9z6BVWYbWg7mka9 # 7aSueik3rMvrg0XnRm7KMtXAhjBcTyziYrLNueKNiOSWrAFKu75xqRdbZ2De+JKR # Hh09/SDPc31BmkZ1zcRfNN0Sidb9pSB9fvzZnkXftnIv231fgLrbqn427DZM9itu # qBJR6L8FA6PRc6ZNN3SUHDSCD/AQ8rdHGO2n6Jl8P0zbr17C89XYcz1DTsEzOUyO # ArxCaC4Q6oRRRuLRvWoYWmEBc8pnol7XKHYC4jMYctenIPDC+hIK12NvDMk2ZItb # oKaDIV1fMHSRlJTYuVD5C4lh8zYGNRiER9vcG9H9stQcxWv2XFJRXRLbJbqvUAV6 # bMURHXLvjflSxIUXk8A8FdsaN8cIFRg/eKtFtvUeh17aj54WcmnGrnu3tz5q4i6t # AgMBAAGjggHdMIIB2TASBgkrBgEEAYI3FQEEBQIDAQABMCMGCSsGAQQBgjcVAgQW # BBQqp1L+ZMSavoKRPEY1Kc8Q/y8E7jAdBgNVHQ4EFgQUn6cVXQBeYl2D9OXSZacb # UzUZ6XIwXAYDVR0gBFUwUzBRBgwrBgEEAYI3TIN9AQEwQTA/BggrBgEFBQcCARYz # aHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9Eb2NzL1JlcG9zaXRvcnku # aHRtMBMGA1UdJQQMMAoGCCsGAQUFBwMIMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIA # QwBBMAsGA1UdDwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFNX2 # VsuP6KJcYmjRPZSQW9fOmhjEMFYGA1UdHwRPME0wS6BJoEeGRWh0dHA6Ly9jcmwu # bWljcm9zb2Z0LmNvbS9wa2kvY3JsL3Byb2R1Y3RzL01pY1Jvb0NlckF1dF8yMDEw # LTA2LTIzLmNybDBaBggrBgEFBQcBAQROMEwwSgYIKwYBBQUHMAKGPmh0dHA6Ly93 # d3cubWljcm9zb2Z0LmNvbS9wa2kvY2VydHMvTWljUm9vQ2VyQXV0XzIwMTAtMDYt # MjMuY3J0MA0GCSqGSIb3DQEBCwUAA4ICAQCdVX38Kq3hLB9nATEkW+Geckv8qW/q # XBS2Pk5HZHixBpOXPTEztTnXwnE2P9pkbHzQdTltuw8x5MKP+2zRoZQYIu7pZmc6 # U03dmLq2HnjYNi6cqYJWAAOwBb6J6Gngugnue99qb74py27YP0h1AdkY3m2CDPVt # I1TkeFN1JFe53Z/zjj3G82jfZfakVqr3lbYoVSfQJL1AoL8ZthISEV09J+BAljis # 9/kpicO8F7BUhUKz/AyeixmJ5/ALaoHCgRlCGVJ1ijbCHcNhcy4sa3tuPywJeBTp # kbKpW99Jo3QMvOyRgNI95ko+ZjtPu4b6MhrZlvSP9pEB9s7GdP32THJvEKt1MMU0 # sHrYUP4KWN1APMdUbZ1jdEgssU5HLcEUBHG/ZPkkvnNtyo4JvbMBV0lUZNlz138e # W0QBjloZkWsNn6Qo3GcZKCS6OEuabvshVGtqRRFHqfG3rsjoiV5PndLQTHa1V1QJ # sWkBRH58oWFsc/4Ku+xBZj1p/cvBQUl+fpO+y/g75LcVv7TOPqUxUYS8vwLBgqJ7 # Fx0ViY1w/ue10CgaiQuPNtq6TPmb/wrpNPgkNWcr4A245oyZ1uEi6vAnQj0llOZ0 # dFtq0Z4+7X6gMTN9vMvpe784cETRkPHIqzqKOghif9lwY1NNje6CbaUFEMFxBmoQ # tB1VM1izoXBm8qGCAtQwggI9AgEBMIIBAKGB2KSB1TCB0jELMAkGA1UEBhMCVVMx # EzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoT # FU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEtMCsGA1UECxMkTWljcm9zb2Z0IElyZWxh # bmQgT3BlcmF0aW9ucyBMaW1pdGVkMSYwJAYDVQQLEx1UaGFsZXMgVFNTIEVTTjo4 # RDQxLTRCRjctQjNCNzElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUtU3RhbXAgU2Vy # dmljZaIjCgEBMAcGBSsOAwIaAxUAPYiXu8ORQ4hvKcuE7GK0COgxWnqggYMwgYCk # fjB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMH # UmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQD # Ex1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMDANBgkqhkiG9w0BAQUFAAIF # AOoOGVUwIhgPMjAyNDA2MDgwNzQyMTNaGA8yMDI0MDYwOTA3NDIxM1owdDA6Bgor # BgEEAYRZCgQBMSwwKjAKAgUA6g4ZVQIBADAHAgEAAgIGCTAHAgEAAgIRrDAKAgUA # 6g9q1QIBADA2BgorBgEEAYRZCgQCMSgwJjAMBgorBgEEAYRZCgMCoAowCAIBAAID # B6EgoQowCAIBAAIDAYagMA0GCSqGSIb3DQEBBQUAA4GBAIcfeXzdfmHxoZVFTN/I # pIcs8JZflgvYIGQsYO21xVx6ApDfCJejtgM2oLyk5ZSRpP9YuHdwyLeTI3p8ZubG # TFtMvE16gdB7cDh4WBt/hWC5elC/iRqBkEbKYPOaR5yKcTqoLb0ZYV50cS6rcFIR # AisyZcqsZEozFUSab2OJiIFGMYIEDTCCBAkCAQEwgZMwfDELMAkGA1UEBhMCVVMx # EzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoT # FU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUt # U3RhbXAgUENBIDIwMTACEzMAAAHj372bmhxogyIAAQAAAeMwDQYJYIZIAWUDBAIB # BQCgggFKMBoGCSqGSIb3DQEJAzENBgsqhkiG9w0BCRABBDAvBgkqhkiG9w0BCQQx # IgQgsJ5BPl5a9AZdiMSYzunQ8NlyVr2bZwsj/QQ5JWPLz/YwgfoGCyqGSIb3DQEJ # EAIvMYHqMIHnMIHkMIG9BCAz1COr5bD+ZPdEgQjWvcIWuDJcQbdgq8Ndj0xyMuYm # KjCBmDCBgKR+MHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAw # DgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24x # JjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwAhMzAAAB49+9 # m5ocaIMiAAEAAAHjMCIEIAAOeqmekOZd2Sv68LuVIsqCiAAxk9dffanqjwM3DYI3 # MA0GCSqGSIb3DQEBCwUABIICACQ2w26J06unIbk4CKUo7mvcWMhDS7BUk4hS9eHd # v3XLo/RtiU9dOITW2P4XiE9/8GDYWkiCBfAELCRSL1YqfMP/f+jAEaNdl/EYFtim # NQvPs75xsoQRTReUoVVTNWj4Itiq6PQDnqBUqpJO1ADM88DonwE4l20aUJENxiDt # OgSqsylCZNayLWXJA/4OXHUCwgZU+f/a6YAR+j5vX9uShxurKxOl2x3iYkmWMUEU # 4qg94mM1IBwtqH1GoindSmnAD/atXJsiuF4BB6rd2xUbbprvN9+Jv3jXMa6wV6Z8 # 5/gGM0rZtiF8btkvaxXrvZ6fEwF2AF7v973yvdl16j/tddwoIHcjAoiaMpypoaQ6 # /eTXeqVmZjCWhbKsjCYj2yioiF94T9I/gA8lWsszkmH7YrZ9zrV2g7OCy+eG4OLZ # ZLYxGDlPpw1Ytf//rWRXFYr4IGR95B93A1PnVlqLpFQpQTepeZ5LXRQkYeeaMv18 # +Cb9me/1QpfuP5y2G18Vg506d+Qj2wczSH11mcGCMgm6SO57o6obNTaBSwsFcOAS # CgUyazeb8jhhmFRyPcJIEaGG1D+QX0n1UPZosYkt4+e1YJW1Uvu6sXzTvZ7Y3YuP # NM87APXy13laG2Yy1AcA48wWMaO8QDuAGr6JNUT2KLwIPSRxit2kzFbJ3Pzl0Gh0 # 74Fv # SIG # End signature block |