PSPKI
Extension table doesn't show subject alternative name value
I need to check the subject alternative DNS names before issuing a certificate but the Get-PendingRequest and Get-ADCSDatabaseRow both don't display the DNS names.
Connect-CertificationAuthority -ComputerName MyCA | Get-AdcsDatabaseRow -Table Extension -RowID 838 -Filter "ExtensionName -eq 2.5.29.17"
This means that SAN extension doesn't exist in request. I've checked this scenario in my CA:
PS C:\> Connect-CA | Get-AdcsDatabaseRow -Table Extension -RowID 1001423 -Filter "ExtensionName -eq 2.5.29.17"
ExtensionRequestId : 1001423
ExtensionName : 2.5.29.17
ExtensionFlags : 131072
ExtensionRawValue : MCugKQYKKwYBBAGCNxQCA6AbDBlhZG1pbmlzdHJhdG9yQGNvbnRvc28uY29t
ExtensionNameOid : System.Security.Cryptography.Oid
RowId : 1001423
RequestId : 0
ConfigString : redacted\redacted
Table : Extension
Properties : {[ExtensionRequestId, 1001423], [ExtensionName, 2.5.29.17], [ExtensionFlags, 131072], [ExtensionRawValue, MCugKQYKKwYBBAGCNxQCA6AbDBlhZG1pbmlzdHJhdG9yQGNvbnRvc28uY29t]...}
PS C:\>
Hello,
Thank you for your time. Of course I've tested this with a PKI certificate with SAN extension and a filled-in DNS name. Could you try this out on a certificate with SAN extension and show me the DNS name in the output? This does not work for me. =(
You need to look into ExtensionRawValue which contains ASN.1-encoded SAN extension (in this particular case). You can decode it this way:
PS C:\> ipmo pspki
PS C:\> $extRawValue = "MCugKQYKKwYBBAGCNxQCA6AbDBlhZG1pbmlzdHJhdG9yQGNvbnRvc28uY29t"
PS C:\> $bin = [convert]::FromBase64String($extRawValue)
PS C:\> $asnEncoded = New-Object System.Security.Cryptography.AsnEncodedData (,$bin)
PS C:\> $san = New-Object SysadminsLV.PKI.Cryptography.X509Certificates.X509SubjectAlternativeNamesExtension $asnEncoded,$false
PS C:\> $san
AlternativeNames Critical Oid RawData
---------------- -------- --- -------
{Other Name:Principal administrator@contoso.com} False Subject Alternative Name (2.5.29.17) {48, 43, 160, 41...
PS C:\> $san.AlternativeNames
Type OID Value RawData
---- --- ----- -------
UserPrincipalName Principal Name (1.3.6.1.4.1.311.20.2.3) administrator@contoso.com {160, 41, 6, 10...}
PS C:\>
$san.AlternativeNames contains a collection of all SAN entries in extension.
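For readers without PSPKI at hand, here is an added, stand-alone example (not part of the thread or of PSPKI) that decodes the same base64 ExtensionRawValue by hand: it walks the DER GeneralNames SEQUENCE from RFC 5280 and returns each SAN entry as a (type, value) pair, recognising the Microsoft UPN otherName, DNS names, e-mail names, URIs and IP addresses. The sample value is the one shown above; any DNS-name input used with it is constructed.

```python
import base64
import ipaddress

# GeneralName context-specific tags from RFC 5280, section 4.2.1.6.
GENERAL_NAME_TAGS = {0: "OtherName", 1: "Rfc822Name", 2: "DnsName",
                     6: "UniformResourceIdentifier", 7: "IpAddress"}
UPN_OID = "1.3.6.1.4.1.311.20.2.3"  # Microsoft User Principal Name otherName

def read_tlv(buf, pos):
    """Return (tag, content_bytes, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode OID content octets into dotted notation (first octet packs two arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def decode_san(ext_raw_value_b64):
    """Decode a base64 ExtensionRawValue (GeneralNames SEQUENCE) into (type, value) pairs."""
    der = base64.b64decode(ext_raw_value_b64)
    tag, names, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName content must be a SEQUENCE")
    entries, pos = [], 0
    while pos < len(names):
        tag, value, pos = read_tlv(names, pos)
        kind = GENERAL_NAME_TAGS.get(tag & 0x1F, "Tag%d" % (tag & 0x1F))
        if kind == "OtherName":
            # otherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY }
            _, oid_raw, p = read_tlv(value, 0)
            _, wrapped, _ = read_tlv(value, p)
            _, inner, _ = read_tlv(wrapped, 0)  # the string inside the [0] wrapper
            oid = decode_oid(oid_raw)
            label = "UserPrincipalName" if oid == UPN_OID else "OtherName " + oid
            entries.append((label, inner.decode("utf-8", "replace")))
        elif kind == "IpAddress":
            entries.append((kind, str(ipaddress.ip_address(bytes(value)))))
        else:
            entries.append((kind, value.decode("ascii", "replace")))
    return entries
```

Calling decode_san on the ExtensionRawValue from the output above returns [("UserPrincipalName", "administrator@contoso.com")], matching what PSPKI shows in AlternativeNames.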
After re-evaluating your inquiry, I found it reasonable to automatically decode extensions into managed objects (derivations of X509Extension class) as part of PSPKI. Here is the relevant ticket in underlying API library: https://github.com/Crypt32/pkix.net/issues/101
I've come with something that would simplify your use case. Here is the relevant pull request where it is addressed: https://github.com/Crypt32/pkix.net/pull/107
With the next PSPKI release, you will be able to access request/certificate extensions by reading the ExtensionObject synthetic property, which contains a managed object of type/subtype of X509Extension. For example, the new way to read the SAN extension would be:
PS C:\> $row = $ca | Get-AdcsDatabaseRow -RowID 1001423 -Table Extension -Filter "ExtensionName -eq 2.5.29.17"
PS C:\> $row
ExtensionRequestId : 1001423
ExtensionName : 2.5.29.17
ExtensionFlags : 131072
ExtensionRawValue : MCugKQYKKwYBBAGCNxQCA6AbDBlhZG1pbmlzdHJhdG9yQGNvbnRvc28uY29t
ExtensionFlagsEnum : OriginPolicy
ExtensionNameOid : System.Security.Cryptography.Oid
ExtensionObject : SysadminsLV.PKI.Cryptography.X509Certificates.X509SubjectAlternativeNamesExtension
RowId : 1001423
RequestId : 0
ConfigString : redacted\redacted
Table : Extension
Properties : {[ExtensionRequestId, 1001423], [ExtensionName, 2.5.29.17], [ExtensionFlags, 131072], [ExtensionRawValue, MCugKQYKKwYBBAGCNxQCA6AbDBlhZG1pbmlzdHJhdG9yQGNvbnRvc28uY29t]...}
PS C:\> $row.ExtensionObject
AlternativeNames Critical Oid RawData
---------------- -------- --- -------
{Other Name:Principal Name... False System.Security.Cryptograp... {48, 43, 160, 41...}
PS C:\> $row.ExtensionObject.AlternativeNames
Type OID Value RawData
---- --- ----- -------
UserPrincipalName System.Security.Cryptograp... administrator@contoso.com {160, 41, 6, 10...}
PS C:\>
In the first line, I query the Extension table and filter for the SAN extension for the request row with RequestID=1001423. The $row object contains raw Extension table values and a synthetic (custom) property called ExtensionObject. Since the SAN extension is supported by PSPKI, a specific instance of type X509SubjectAlternativeNamesExtension is returned, where you loop over alternative names and inspect them. This is something you can expect in PSPKI v4.4 (or whatever the next version will be). I'm closing this as it is implemented, but feel free to comment if you have any questions on this.