PSPKI
Get-CertificateRequest does not return all content of nested request
Using the following command together with a policy.inf file allows one to "change" some content of a CSR:

```
CertReq -f -q -config "MyCA\Test Root CA" -cert 88884808333333336960447CE1731EA6654345676 -policy .\MyFriends.CSR .\MyCPS.inf .\MyUpdated.csr
```
The command creates a new nested PKCS7 request file. Using `certutil -dump .\MyUpdated.csr` returns 4 different objects:

```
PKCS7/CMS Message
PKCS7 Message Content:
================ Begin Nesting Level 1 ================
CMS Certificate Request:
---- CUSTOM REQUEST DATA BASED ON .\MyCPS.inf -------
================ Begin Nesting Level 2 ================
PKCS10 Certificate Request:
---- ORIGINAL REQUEST DATA BASED ON .\MyFriends.CSR -------
---------------- End Nesting Level 2 ----------------
---------------- End Nesting Level 1 ----------------
Signer Count: 2
Signer Info[0]:
NULL signature verifies
---- SOME KIND OF DUMMY SIGNATURE OID.1.3.6.1.4.1.311.21.9=Dummy Signer -------
Signer Info[1]:
---- SIGNER CERT -------
```
Reading the new request:

```
$req = Get-CertificateRequest ( Resolve-Path .\MyUpdated.csr )
```

`$req.RequestType` returns an object of type PKCS7, which seems to be the original request but as PKCS7. `$req.ExternalData` returns an object of content type CMC Data, but with content `SysadminsLV.PKI.Cryptography.X509CertificateRequests.X509CertificateRequestPkcs10`, which is again the original request.
So the object returned by Get-CertificateRequest is missing the data injected by policy.inf as well as all signatures.
I'm happy to share more detailed examples if required.
Thank you for your support.
Can you submit me example files for investigation?
The current PKCS#7 decoder has some limitations (it skips some parts from decoding), so it would be great if you would supply these files for investigation.
Thank you for investigating the issue.
I added files including all scripts and a transcript of how I processed it, so you may generate additional examples. I hope this helps to troubleshoot the issue. If you need more details or examples with different "overwrites", let me know.
If I could have access to the source code of your library I may have a look as well.
PSPKI_Get-CertificateRequest_Improvement_supporting_files.zip
The library's source code is on GitHub; specifically, you need the SignedPkcs7 class: https://github.com/Crypt32/pkix.net/blob/master/PKI/Cryptography/Pkcs/SignedPkcs7.cs