Merge pull request #141 from Keyfactor/72207_Binding_Attempted_With_Bad_CSP

AB#72207 Fixed error adding cert to store when CSP was changed by user.

Author: doebrowsk

CHANGELOG.md

@@ -1,3 +1,20 @@
+2.6.2
+* Fixed error when attempting to connect to remote computer using UO service account
+* Fixed error when connecting to remote computer using HTTPS; was defaulting to HTTP
+* Fixed the creation of a certificate when the Cryptographic Service Provider was changed by the user
+* Updated logic when getting the CSP.  Now supports modern CHG and legacy CAPI APIs.  This will allow the CSP to show in the stores inventory.
+* Re-factored code to eliminate warnings
+* Bumped up he following packages to eliminate .net vulnerabilities and obsolete packages:
+	* Keyfactor.Orchestrators.IOrchestratorJobExtensions" Version="1.0.0"
+    * Microsoft.PowerShell.SDK" Version="7.4.10" Condition="'$(TargetFramework)' == 'net8.0'"
+    * runtime.linux-arm64.runtime.native.System.IO.Ports" Version="9.0.5"
+    * runtime.osx-arm64.runtime.native.System.IO.Ports" Version="9.0.5"
+    * System.Formats.Asn1" Version="8.0.2" Condition="'$(TargetFramework)' == 'net6.0'"
+	* System.Formats.Asn1" Version="9.0.0" Condition="'$(TargetFramework)' == 'net8.0'"
+    * System.IO.Packaging" Version="6.0.2" Condition="'$(TargetFramework)' == 'net6.0'"
+    * System.IO.Packaging" Version="8.0.1" Condition="'$(TargetFramework)' == 'net8.0'"
+    * System.Text.Json" Version="8.0.5"
+
 2.6.1
 * Documentation updates for the 2.6 release
 * Fix a naming typo in the 2.5 migration SQL script
@@ -11,6 +28,7 @@
 * Added the ability to run the extension in a Linux environment.  To utilize this change, for each Cert Store Types (WinCert/WinIIS/WinSQL), add ssh to the Custom Field <b>WinRM Protocol</b>.  When using ssh as a protocol, make sure to enter the appropriate ssh port number under WinRM Port.
 * NOTE: For legacy purposes the Display names WinRM Protocol and WinRM Port are maintained although the type of protocols now includes ssh.
 * Moved all inventory and management jobs to external PowerShell script file .\PowerShellScripts\WinCertScripts.ps1
+* Changed how IIS Bound certificates are deleted; Certificates are only deleted from the certificate store when the certificate is NOT BOUND to any other sites.
 * NOTE:  This version was not publicly released.
 
 2.5.1
@@ -19,6 +37,7 @@
 2.5.0
 * Added the Bindings to the end of the thumbprint to make the alias unique.
 * Using new IISWebBindings cmdlet to use additional SSL flags when binding certificate to website.
+* NOTE:  The property SNIFlag has changed from a multi-select to a string with default of "0". To properly use the new SNI/SSL flags you can delete the SNIFlag from the store type and re-add the field as described in the ReadMe. If you have several existing cert stores, you may can execute the SQL script (IISU Sni Flag 2.5 upgrade script) to update the field type.  Consult your Keyfactor Rep for help.
 * Added multi-platform support for .Net6 and .Net8.
 * Updated various PowerShell scripts to handle both .Net6 and .Net8 differences (specifically the absence of the WebAdministration module in PS SDK 7.4.x+)
 * Fixed issue to update multiple websites when using the same cert.

IISU/ClientPSCertStoreReEnrollment.cs

@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-// Ignore Spelling: Keyfactor
+// Ignore Spelling: Keyfactor Reenrollment
 
 // 021225 rcp   Cleaned up and removed unnecessary code
 
@@ -40,7 +40,9 @@ internal class ClientPSCertStoreReEnrollment
         private readonly IPAMSecretResolver _resolver;
 
         private PSHelper _psHelper;
+#pragma warning disable CS8632 // The annotation for nullable reference types should only be used in code within a '#nullable' annotations context.
         private Collection<PSObject>? _results;
+#pragma warning restore CS8632 // The annotation for nullable reference types should only be used in code within a '#nullable' annotations context.
 
         public ClientPSCertStoreReEnrollment(ILogger logger, IPAMSecretResolver resolver)
         {

IISU/ImplementedStoreTypes/Win/Inventory.cs

@@ -14,6 +14,8 @@
 
 // 021225 rcp   2.6.0   Cleaned up and verified code
 
+// Ignore Spelling: Keyfactor
+
 using System;
 using System.Collections.Generic;
 using System.Collections.ObjectModel;
@@ -31,9 +33,11 @@ public class Inventory : WinCertJobTypeBase, IInventoryJobExtension
     {
         private ILogger _logger;
         public string ExtensionName => "WinCertInventory";
-        
+
+#pragma warning disable CS8632 // The annotation for nullable reference types should only be used in code within a '#nullable' annotations context.
         Collection<PSObject>? results = null;
-        
+#pragma warning restore CS8632 // The annotation for nullable reference types should only be used in code within a '#nullable' annotations context.
+
         public Inventory()
         {
 

IISU/ImplementedStoreTypes/Win/Management.cs

@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.using Keyfactor.Logging;
 
-// Ignore Spelling: Keyfactor
+// Ignore Spelling: Keyfactor crypto
 
 // 021225 rcp   2.6.0   Cleaned up and verified code
 
@@ -35,7 +35,9 @@ public class Management : WinCertJobTypeBase, IManagementJobExtension
         private ILogger _logger;
 
         private PSHelper _psHelper;
+#pragma warning disable CS8632 // The annotation for nullable reference types should only be used in code within a '#nullable' annotations context.
         private Collection<PSObject>? _results = null;
+#pragma warning restore CS8632 // The annotation for nullable reference types should only be used in code within a '#nullable' annotations context.
 
         // Function wide config values
         private string _clientMachineName = string.Empty;
@@ -95,7 +97,9 @@ public JobResult ProcessJob(ManagementJobConfiguration config)
                         {
                             string certificateContents = config.JobCertificate.Contents;
                             string privateKeyPassword = config.JobCertificate.PrivateKeyPassword;
+#pragma warning disable CS8632 // The annotation for nullable reference types should only be used in code within a '#nullable' annotations context.
                             string? cryptoProvider = config.JobProperties["ProviderName"]?.ToString();
+#pragma warning restore CS8632 // The annotation for nullable reference types should only be used in code within a '#nullable' annotations context.
 
                             complete = AddCertificate(certificateContents, privateKeyPassword, cryptoProvider);
                             _logger.LogTrace($"Completed adding the certificate to the store");

IISU/ImplementedStoreTypes/WinIIS/IISBindingInfo.cs

@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-// Ignore Spelling: Keyfactor IISU
+// Ignore Spelling: Keyfactor IISU Sni Aliase
 
 // 021225 rcp   2.6.0   Cleaned up and verified code
 
@@ -29,7 +29,9 @@ public class IISBindingInfo
         public string Protocol { get; set; }
         public string IPAddress { get; set; }
         public string Port { get; set; }
+#pragma warning disable CS8632 // The annotation for nullable reference types should only be used in code within a '#nullable' annotations context.
         public string? HostName { get; set; }
+#pragma warning restore CS8632 // The annotation for nullable reference types should only be used in code within a '#nullable' annotations context.
         public string SniFlag { get; set; }
         public string Thumbprint { get; private set; }
 

IISU/ImplementedStoreTypes/WinIIS/Inventory.cs

@@ -14,6 +14,8 @@
 
 // 021225 rcp   2.6.0   Cleaned up and verified code
 
+// Ignore Spelling: Keyfactor IISU
+
 using Keyfactor.Logging;
 using Keyfactor.Orchestrators.Common.Enums;
 using Keyfactor.Orchestrators.Extensions;
@@ -30,7 +32,9 @@ namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore.IISU
     public class Inventory : WinCertJobTypeBase, IInventoryJobExtension
     {
         private ILogger _logger;
+#pragma warning disable CS8632 // The annotation for nullable reference types should only be used in code within a '#nullable' annotations context.
         Collection<PSObject>? results = null;
+#pragma warning restore CS8632 // The annotation for nullable reference types should only be used in code within a '#nullable' annotations context.
 
         public string ExtensionName => "WinIISUInventory";
 

IISU/ImplementedStoreTypes/WinIIS/Management.cs

@@ -12,6 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+// Ignore Spelling: Keyfactor IISU Crypto
 using System;
 using System.Collections.Generic;
 using System.Collections.ObjectModel;
@@ -34,7 +35,9 @@ public class Management : WinCertJobTypeBase, IManagementJobExtension
         private ILogger _logger;
 
         private PSHelper _psHelper;
+#pragma warning disable CS8632 // The annotation for nullable reference types should only be used in code within a '#nullable' annotations context.
         private Collection<PSObject>? _results = null;
+#pragma warning restore CS8632 // The annotation for nullable reference types should only be used in code within a '#nullable' annotations context.
 
         // Function wide config values
         private string _clientMachineName = string.Empty;
@@ -99,11 +102,15 @@ public JobResult ProcessJob(ManagementJobConfiguration config)
                             {
                                 string certificateContents = config.JobCertificate.Contents;
                                 string privateKeyPassword = config.JobCertificate.PrivateKeyPassword;
+#pragma warning disable CS8632 // The annotation for nullable reference types should only be used in code within a '#nullable' annotations context.
                                 string? cryptoProvider = config.JobProperties["ProviderName"]?.ToString();
+#pragma warning restore CS8632 // The annotation for nullable reference types should only be used in code within a '#nullable' annotations context.
 
                                 // Add Certificate to Cert Store
                                 try
                                 {
+                                    IISBindingInfo bindingInfo = new IISBindingInfo(config.JobProperties);
+
                                     OrchestratorJobStatusJobResult psResult = OrchestratorJobStatusJobResult.Unknown;
                                     string failureMessage = "";
 
@@ -112,9 +119,8 @@ public JobResult ProcessJob(ManagementJobConfiguration config)
                                     _logger.LogTrace($"New thumbprint: {newThumbprint}");
 
                                     // Bind Certificate to IIS Site
-                                    if (newThumbprint != null)
+                                    if (!string.IsNullOrEmpty(newThumbprint))
                                     {
-                                        IISBindingInfo bindingInfo = new IISBindingInfo(config.JobProperties);
                                         _logger.LogTrace("Returned after binding certificate to store");
                                         var results = WinIISBinding.BindCertificate(_psHelper, bindingInfo, newThumbprint, "", _storePath);
                                         if (results != null && results.Count > 0)
@@ -172,6 +178,14 @@ public JobResult ProcessJob(ManagementJobConfiguration config)
                                             FailureMessage = failureMessage
                                         };
                                     }
+                                    else
+                                    {
+                                        complete = new JobResult
+                                        {
+                                            Result = OrchestratorJobStatusJobResult.Failure,
+                                            JobHistoryId = _jobHistoryID,
+                                            FailureMessage = $"No thumbprint was returned.  Unable to bind certificate to site: {bindingInfo.SiteName}."
+                                        };                                    }
                                 }
                                 catch (Exception ex)
                                 {
@@ -183,7 +197,7 @@ public JobResult ProcessJob(ManagementJobConfiguration config)
                                     };
                                 }
 
-                                _logger.LogTrace($"Completed adding and binding the certificate to the store");
+                                _logger.LogTrace($"Exiting the Adding of Certificate process.");
 
                                 break;
                             }
@@ -284,9 +298,10 @@ public string AddCertificate(string certificateContents, string privateKeyPasswo
             catch (Exception ex)        
             {
                 var failureMessage = $"Management job {_operationType} failed on Store '{_storePath}' on server '{_clientMachineName}' with error: '{LogHandler.FlattenException(ex)}'";
+                var niceMessage = $"Management job {_operationType} failed on Store '{_storePath}' on server '{_clientMachineName}' with error: {ex.Message}";
                 _logger.LogError(failureMessage);
 
-                throw new Exception (failureMessage);
+                throw new Exception (niceMessage);
             }
 }
         public void RemoveIISCertificate(string thumbprint)

IISU/ImplementedStoreTypes/WinIIS/WinIISBinding.cs

@@ -14,6 +14,8 @@
 
 // 021225 rcp   2.6.0   Cleaned up and verified code
 
+// Ignore Spelling: Keyfactor IISU
+
 using Keyfactor.Logging;
 using Microsoft.Extensions.Logging;
 using System;
@@ -25,9 +27,9 @@ namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore.IISU
 {
     public class WinIISBinding
     {
-        private static ILogger _logger;
-        private static Collection<PSObject>? _results = null;
-        private static PSHelper _helper;
+#pragma warning disable CS8632 // The annotation for nullable reference types should only be used in code within a '#nullable' annotations context.
+        private static ILogger? _logger;
+#pragma warning restore CS8632 // The annotation for nullable reference types should only be used in code within a '#nullable' annotations context.
 
         public static Collection<PSObject> BindCertificate(PSHelper psHelper, IISBindingInfo bindingInfo, string thumbprint, string renewalThumbprint, string storePath)
         {

IISU/ImplementedStoreTypes/WinSQL/Inventory.cs

@@ -35,7 +35,9 @@ public class Inventory : WinCertJobTypeBase, IInventoryJobExtension
         private ILogger _logger;
         public string ExtensionName => "WinSqlInventory";
 
+#pragma warning disable CS8632 // The annotation for nullable reference types should only be used in code within a '#nullable' annotations context.
         Collection<PSObject>? results = null;
+#pragma warning restore CS8632 // The annotation for nullable reference types should only be used in code within a '#nullable' annotations context.
 
         public Inventory()
         {

IISU/ImplementedStoreTypes/WinSQL/Management.cs

@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-// Ignore Spelling: thumbprint Keyfactor sql
+// Ignore Spelling: thumbprint Keyfactor sql crypto
 
 // 021225 rcp   2.6.0   Cleaned up and verified code
 
@@ -35,7 +35,9 @@ public class Management : WinCertJobTypeBase, IManagementJobExtension
         private ILogger _logger;
 
         private PSHelper _psHelper;
+#pragma warning disable CS8632 // The annotation for nullable reference types should only be used in code within a '#nullable' annotations context.
         private Collection<PSObject>? _results = null;
+#pragma warning restore CS8632 // The annotation for nullable reference types should only be used in code within a '#nullable' annotations context.
 
         // Function wide config values
         private string _clientMachineName = string.Empty;
@@ -172,8 +174,6 @@ public JobResult ProcessJob(ManagementJobConfiguration config)
                                         // Remove the certificate from the cert store
                                         complete = RemoveCertificate(config.JobCertificate.Alias);
                                         _logger.LogTrace($"Completed removing the certificate from the store");
-
-                                        break;
                                     }
                                     else
                                     {
@@ -184,7 +184,6 @@ public JobResult ProcessJob(ManagementJobConfiguration config)
                                             FailureMessage = "Unable to unbind one or more certificates from the SQL Instances."
                                         };
                                     }
-
                                 }
                                 catch (Exception ex)
                                 {
@@ -195,10 +194,9 @@ public JobResult ProcessJob(ManagementJobConfiguration config)
                                         FailureMessage = ex.Message
                                     };
                                 }
-
-                                _logger.LogTrace($"Completed unbinding and removing the certificate from the store");
-                                return complete;
                             }
+                            _logger.LogTrace($"Completed unbinding and removing the certificate from the store");
+                            return complete;
                     }
                 }