
New-SelfSignedCertificateEx -Subject "CN=TestCA" -IsCA $true -ProviderName "Microsoft Software Key Storage Provider" -Exportable -customextension $extCollection

Open ckrueger1979 opened this issue 2 years ago • 5 comments

Hi Vadims,

Is this a bug or is my extension wrong?

Import-Module pspki

$permittedSubtree = New-Object System.Security.Cryptography.X509Certificates.X509AlternativeNameCollection
$dnsType = [System.Security.Cryptography.X509Certificates.X509AlternativeNamesEnum]::DnsName
$corpDomains = New-Object System.Security.Cryptography.X509Certificates.X509AlternativeName $dnsType,"example.com"
$excludedSubtree = New-Object System.Security.Cryptography.X509Certificates.X509AlternativeNameCollection
[void] $excludedSubtree.Add($corpDomains)
$nameConstraintExt = New-Object System.Security.Cryptography.X509Certificates.X509NameConstraintsExtension $permittedSubtree,$excludedSubtree
$nameConstraintExt.Critical = $true

$extCollection = New-Object System.Security.Cryptography.X509Certificates.X509ExtensionCollection
[void] $extCollection.Add($nameConstraintExt)

New-SelfSignedCertificateEx -Subject "CN=TestCA" -IsCA $true -ProviderName "Microsoft Software Key Storage Provider" -Exportable -customextension $extCollection

New-SelfSignedCertificateEx : Exception calling "Build" with "1" argument(s): "Index was outside the bounds of the array." At line:1 char:1

ckrueger1979 avatar Sep 09 '21 06:09 ckrueger1979

Can you provide a full stack trace of the exception by calling the following line immediately after the exception is thrown:

$error[0].Exception.InnerException.StackTrace

Crypt32 avatar Sep 09 '21 07:09 Crypt32

PS C:\> $error[0].Exception.InnerException.StackTrace
   at System.Security.Cryptography.X509Certificates.X509AlternativeName.decodeFromRawData(Byte[] asnData) in c:\temp\pkix.net\PKI\Cryptography\X509Certificates\X509AlternativeName.cs:line 426
   at System.Security.Cryptography.X509Certificates.X509NameConstraintsExtension.decodeNamesFromAsn(Byte[] rawData) in c:\temp\pkix.net\PKI\Cryptography\X509Certificates\X509NameConstraintsExtension.cs:line 103
   at System.Security.Cryptography.X509Certificates.X509NameConstraintsExtension.m_decode(Byte[] rawData) in c:\temp\pkix.net\PKI\Cryptography\X509Certificates\X509NameConstraintsExtension.cs:line 79
   at PKI.Utils.CryptographyUtils.ConvertExtension(X509Extension extension) in c:\temp\pkix.net\PKI\Utils\CryptographyUtils.cs:line 61
   at SysadminsLV.PKI.Cryptography.X509Certificates.X509CertificateBuilder.processExtensions() in c:\temp\pkix.net\PKI\Cryptography\X509Certificates\X509CertificateBuilder.cs:line 130
   at SysadminsLV.PKI.Cryptography.X509Certificates.X509CertificateBuilder.Build(X509Certificate2 signer) in c:\temp\pkix.net\PKI\Cryptography\X509Certificates\X509CertificateBuilder.cs:line 217
   at CallSite.Target(Closure , CallSite , Object , X509Certificate2 )

ckrueger1979 avatar Sep 09 '21 07:09 ckrueger1979

Thanks, I will take a look into this.

Crypt32 avatar Sep 09 '21 07:09 Crypt32

I can confirm the bug. It is fixed in sources, see this commit: https://github.com/PKISolutions/pkix.net/commit/8b808e050f381406936d70780cd48f692be39427

Crypt32 avatar Sep 09 '21 11:09 Crypt32

Wow, that was fast. Thanks!

ckrueger1979 avatar Sep 09 '21 12:09 ckrueger1979

Fixed in v4.0.0

Crypt32 avatar Jun 15 '23 07:06 Crypt32
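
The extension built in the report has an empty permitted list and a single excluded dNSName, which in DER means the optional permittedSubtrees [0] field is absent and only excludedSubtrees [1] is present (RFC 5280, section 4.2.1.10). The following is an added example, not code from pkix.net or from the linked commit, and it makes no claim about that commit's contents: a small Python decoder that accepts either subtree being absent and reports malformed input as ValueError instead of reading past the buffer. The sample bytes are constructed here for "example.com".

```python
# Added example: constructed input and a hypothetical decoder, not pkix.net code.
# NameConstraints ::= SEQUENCE { permittedSubtrees [0] OPTIONAL,
#                                excludedSubtrees  [1] OPTIONAL }

# Constructed DER: no permittedSubtrees, one excluded dNSName "example.com".
SAMPLE = bytes.fromhex("3011a10f300d820b") + b"example.com"

def read_tlv(buf, pos):
    """Return (tag, value, next_pos); raise ValueError rather than index past the end."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length octets")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def read_subtrees(body):
    """Decode GeneralSubtrees content into a list of (name_type, value)."""
    names, pos = [], 0
    while pos < len(body):
        tag, subtree, pos = read_tlv(body, pos)
        if tag != 0x30:
            raise ValueError("GeneralSubtree must be a SEQUENCE")
        name_tag, value, _ = read_tlv(subtree, 0)  # base GeneralName; min/max ignored
        if name_tag == 0x82:                        # [2] dNSName, IA5String
            names.append(("dNSName", value.decode("ascii")))
        else:
            names.append((f"tag 0x{name_tag:02x}", value.hex()))
    return names

def decode_name_constraints(der):
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single NameConstraints SEQUENCE")
    result, pos = {"permitted": [], "excluded": []}, 0
    while pos < len(body):  # either field may be absent, so nothing is indexed blindly
        tag, value, pos = read_tlv(body, pos)
        key = {0xA0: "permitted", 0xA1: "excluded"}.get(tag)
        if key is None:
            raise ValueError(f"unexpected tag 0x{tag:02x}")
        result[key] = read_subtrees(value)
    return result

if __name__ == "__main__":
    print(decode_name_constraints(SAMPLE))
```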