Release 2.4 to main (#103)

* Initial changes for creating and importing pfx files to accept specific csps.
* Added ReEnrollment jobs to WinSQL
* Added additional exception handling for SQL Management jobs.  Updated the manifest for SQL Reenrollment.
* Changed 'MaxAllowed' back to '5' and documented what that value represents.  Cleaned up some old code.
* Modified how runspaces are created for local machines access .  Added code to get the last exit code from certutil to accurately report errors
* Added error trapping when attepting to get the last exit code from a remote machine.  Microsoft does not allow you to retrieve information from remote computers due to security and architecture.
* Added store path and addstore for certs with no private keys
* AB#58570 Added additional error trapping and logging.  Also modified the certutil logic to use -addstore when no password was provided when adding a certificate.

Author: fiddlermikey

CHANGELOG.md

@@ -1,3 +1,17 @@
+2.4.1
+* Modified the CertUtil logic to use the -addstore argument when no password is sent with the certificate information.
+* Added additional error trapping and trace logs
+
+2.4.0
+* Changed the way certificates are added to cert stores.  CertUtil is now used to import the PFX certificate into the associated store.  The CSP is now considered when maintaining certificates, empty CSP values will result in using the machines default CSP.
+* Added the Crypto Service Provider and SAN Entry Parameters to be used on Inventory queries, Adding and ReEnrollments for the WinCert, WinSQL and IISU extensions.
+* Changed how Client Machine Names are handled when a 'localhost' connection is desiered.  The new naming convention is:  {machineName}|localmachine.  This will eliminate the issue of unqiue naming conflicts.
+* Updated the manifest.json to now include WinSQL ReEnrollment.
+* Updated the integration-manifest.json file for new fields in cert store types.
+
+2.3.2
+* Changed the Open Cert Store access level from a '5' to 'MaxAllowed'
+
 2.3.1
 * Added additional error trapping for WinRM connections to allow actual error on failure.
 

IISU/Certificate.cs

@@ -13,6 +13,8 @@
 // limitations under the License.
 
 using System;
+using System.Linq;
+using System.Text.RegularExpressions;
 
 namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore
 {
@@ -22,5 +24,35 @@ public class Certificate
         public byte[] RawData { get; set; }
         public bool HasPrivateKey { get; set; }
         public string CertificateData => Convert.ToBase64String(RawData);
+        public string CryptoServiceProvider { get; set; }
+        public string SAN { get; set; }
+
+        public class Utilities
+        {
+            public static string FormatSAN(string san)
+            {
+                // Use regular expression to extract key-value pairs
+                var regex = new Regex(@"(?<key>DNS Name|Email|IP Address)=(?<value>[^=,\s]+)");
+                var matches = regex.Matches(san);
+
+                // Format matches into the desired format  
+                string result = string.Join("&", matches.Cast<Match>()
+                    .Select(m => $"{NormalizeKey(m.Groups["key"].Value)}={m.Groups["value"].Value}"));
+
+                return result;
+            }
+
+            private static string NormalizeKey(string key)
+            {
+                return key.ToLower() switch
+                {
+                    "dns name" => "dns",
+                    "email" => "email",
+                    "ip address" => "ip",
+                    _ => key.ToLower() // For other types, keep them as-is
+                };
+            }
+
+        }
     }
 }

IISU/CertificateStore.cs

@@ -41,10 +41,12 @@ public void RemoveCertificate(string thumbprint)
         {
             using var ps = PowerShell.Create();
             ps.Runspace = RunSpace;
+
+            // Open with value of 5 means:  Open existing only (4) + Open ReadWrite (1)
             var removeScript = $@"
                         $ErrorActionPreference = 'Stop'
                         $certStore = New-Object System.Security.Cryptography.X509Certificates.X509Store('{StorePath}','LocalMachine')
-                        $certStore.Open('MaxAllowed')
+                        $certStore.Open(5)
                         $certToRemove = $certStore.Certificates.Find(0,'{thumbprint}',$false)
                         if($certToRemove.Count -gt 0) {{
                             $certStore.Remove($certToRemove[0])

IISU/ClientPSCertStoreInventory.cs

@@ -46,21 +46,37 @@ public List<Certificate> GetCertificatesFromStore(Runspace runSpace, string stor
                                 $certs = $certStore.Certificates
                                 $certStore.Close()
                                 $certStore.Dispose()
-                                foreach ( $cert in $certs){{ 
-                                    $cert | Select-Object -Property Thumbprint, RawData, HasPrivateKey
+                                    $certs | ForEach-Object {{
+                                        $certDetails = @{{
+                                            Subject = $_.Subject
+                                            Thumbprint = $_.Thumbprint
+                                            HasPrivateKey = $_.HasPrivateKey
+                                            RawData = $_.RawData
+                                            san = $_.Extensions | Where-Object {{ $_.Oid.FriendlyName -eq ""Subject Alternative Name"" }} | ForEach-Object {{ $_.Format($false) }}
+                                        }}
+
+                                        if ($_.HasPrivateKey) {{
+                                            $certDetails.CSP = $_.PrivateKey.CspKeyContainerInfo.ProviderName
+                                        }}
+
+                                        New-Object PSObject -Property $certDetails
                                 }}";
 
                 ps.AddScript(certStoreScript);
 
                 var certs = ps.Invoke();
 
                 foreach (var c in certs)
+                {
                     myCertificates.Add(new Certificate
                     {
                         Thumbprint = $"{c.Properties["Thumbprint"]?.Value}",
                         HasPrivateKey = bool.Parse($"{c.Properties["HasPrivateKey"]?.Value}"),
-                        RawData = (byte[])c.Properties["RawData"]?.Value
+                        RawData = (byte[])c.Properties["RawData"]?.Value,
+                        CryptoServiceProvider = $"{c.Properties["CSP"]?.Value }",
+                        SAN = Certificate.Utilities.FormatSAN($"{c.Properties["san"]?.Value}")  
                     });
+                }
 
                 return myCertificates;
             }