From fe33add69e82443a7d09c87d83b6853b805d283f Mon Sep 17 00:00:00 2001 From: Uwe Gradenegger Date: Tue, 31 Jan 2023 14:59:25 +0100 Subject: [PATCH] Release 1.5.760.827 --- CHANGELOG.adoc | 14 ++++++++++++-- README.adoc | 3 ++- TameMyCerts/AutoVersionIncrement.cs | 4 ++-- TameMyCerts/AutoVersionIncrement.tt | 4 ++-- 4 files changed, 18 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.adoc b/CHANGELOG.adoc index 9115c70..10a0322 100644 --- a/CHANGELOG.adoc +++ b/CHANGELOG.adoc 
@@ -1,8 +1,17 @@ == Changelog for the TameMyCerts Policy Module -=== 1.4.728.502 (Dec 29, 2022) +=== 1.5.760.827 (Jan 31, 2023) -This is a bug fix only release. TameMyCerts is now covered by link:TameMyCerts.IntegrationTests[automated integration tests^] featuring Pester and link:https://github.com/Sleepw4lker/PSCertificateEnrollment[PSCertificateEnrollment^] which allows to test parts of the code base not testable with unit tests. +This is a quality improvement only release. TameMyCerts now uses the interfaces provided by the certification authority to determine Subject and Subject Alternative Name information. + +* Fix a security vulnerability causing nested certificate requests to bypass subject alternative name rule processing. *All users of previous versions are urged to upgrade!* +* Subject RDN inspection is now done against the properties constructed by the certification authority (how the CA would issue the certificate. Previously it was done against the original inline PKCS#10 certificate request). This should enhance compatibility with malformed certificate requests but does not work with undefined relative distinguished names. Behavior can be changed back to previous logic by setting _ReadSubjectFromRequest_ to true in request policy. +* Enhance logging for directory service query failures. +* Refactor the code for building the security identifier certificate extension. + +=== 1.4.728.502 (Dec 30, 2022) + +This is a quality improvement only release. TameMyCerts is now covered by link:TameMyCerts.IntegrationTests[automated integration tests^] featuring Pester and link:https://github.com/Sleepw4lker/PSCertificateEnrollment[PSCertificateEnrollment^] which allows to test parts of the code base not testable with unit tests. * Fix a bug causing directory mapping not finding all of mapped object's attributes when using global catalog (no SearchRoot configured in policy) to find an object. 
* Fix a bug causing to not display the correct error message in case no connection to Active Directory is possible during directory validation. @@ -14,6 +23,7 @@ This is a bug fix only release. TameMyCerts is now covered by link:TameMyCerts.I * Fix a bug causing an exception with directory mapping when the telexNumber directory attribute is populated for an object, as the property is not of string data type. Support for the telexNumber directory attribute has therefore been dropped. * Fix a bug causing requests using a valid process name to get denied when only DisallowedProcesses is configured. * Fix a bug causing requests using a valid cryptographic provider to get denied when only DisallowedCryptoProviders is configured. +* Attributes used for modification of a certificate's subject distinguished name are now only retrieved from AD if the feature is enabled for a certificate template. === 1.3.683.747 (Nov 15, 2022) diff --git a/README.adoc b/README.adoc index d3698bf..a9c512f 100644 --- a/README.adoc +++ b/README.adoc 
@@ -19,7 +19,8 @@ The TameMyCerts policy module addresses, amongst others, the following use cases * Certificate issuance must be delegated to a 3rd party service, for example, Mobile Device Management (MDM) systems like link:https://www.microsoft.com/en-us/security/business/microsoft-endpoint-manager[Microsoft Endpoint Manager (aka InTune)^] or link:https://www.vmware.com/content/vmware/vmware-published-sites/de/products/workspace-one.html.html[VMware AirWatch/Workspace One^], link:https://social.technet.microsoft.com/wiki/contents/articles/9063.active-directory-certificate-services-ad-cs-network-device-enrollment-service-ndes.aspx[Network Device Enrollment Service (NDES)^] deployments or similar use cases that require the certificate template to be configured to have the enrollee supply the subject information with the certificate signing request in combination with direct certificate issuance. Without the module, there is absolutely no control over the issued certificate content. ** The module can also mitigate the problem that certificates may be inconsistent among platforms (e.g. having differing subject information on a mobile phone managed by MDM than on a PC that uses Autoenrollment because of inconsistent configuration settings on the MDM) by enforcing certificate content. ** It is also capable of ensuring that a user or computer account exists in Active Directory matching the requested certificate, and that it is enabled and member (or not) of specific security groups (e.g. this can prevent issuing certificates for administrative accounts via MDM). -* Adding the the newly introduced Security Identifier (szOID_NTDS_CA_SECURITY_EXT with object id 1.3.6.1.4.1.311.25.2 that was introduced with link:https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16[KB5014754^]) extension into offline certificate requests, which e.g. 
allows you to use Microsoft Network Policy Server (NPS) with certificates issued to mobile devices and the like and avoid breaking authentication when "strong" certificate mapping link:https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16#bkmk_fullenforcemode[will be enforced by Microsoft on May 9, 2023^]. +* Building the Subject Distinguished Name (DN) from Active Directory object attribues (e.g. supplementing Organizational Units, or issuing certificates containing the DisplayName or UPN as identity) via offline and online certificate requests. +* Adding the the newly introduced Security Identifier (szOID_NTDS_CA_SECURITY_EXT with object id 1.3.6.1.4.1.311.25.2 that was introduced with link:https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16[KB5014754^]) extension into offline certificate requests, which e.g. allows you to use Microsoft Network Policy Server (NPS) with certificates issued to mobile devices and the like and avoid breaking authentication when "strong" certificate mapping link:https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16#bkmk_fullenforcemode[will be enforced by Microsoft on November 14, 2023^]. * Technical or legal requirements to allow any kind of subject RDN to be enabled for issuance on the certification authority (enabling link:https://www.gradenegger.eu/?p=952[CRLF_REBUILD_MODIFIED_SUBJECT_ONLY^] flag on the certification authority). Without the module, there is no control over which exact subject RDNs are allowed to be issued. * Certificate templates configured to allow Elliptic Curve Cryptography (ECC) keys. Without the module, it would be possible that certificates get issued that use small RSA keys (e.g. 
512 bit or even smaller) even though these would be not allowed in the certificate template configuration, as the Windows Default policy module link:https://www.gradenegger.eu/?p=14138[only validates the key length but not the key algorithm^]. * Issuance of certificates with a validity period within exactly defined timeframe (e.g. valid only exactly for one work shift), or having the requirement to have all certificates end by a specific date. diff --git a/TameMyCerts/AutoVersionIncrement.cs b/TameMyCerts/AutoVersionIncrement.cs index 233f166..8e803e3 100644 --- a/TameMyCerts/AutoVersionIncrement.cs +++ b/TameMyCerts/AutoVersionIncrement.cs @@ -9,5 +9,5 @@ // Build Number // Revision -[assembly: AssemblyVersion("1.4.728.502")] -[assembly: AssemblyFileVersion("1.4.728.502")] +[assembly: AssemblyVersion("1.5.760.827")] +[assembly: AssemblyFileVersion("1.5.760.827")] diff --git a/TameMyCerts/AutoVersionIncrement.tt b/TameMyCerts/AutoVersionIncrement.tt index dcbd30a..c24d9db 100644 --- a/TameMyCerts/AutoVersionIncrement.tt +++ b/TameMyCerts/AutoVersionIncrement.tt @@ -10,8 +10,8 @@ using System.Reflection; // Build Number // Revision -[assembly: AssemblyVersion("1.4.<#= this.BuildNumber #>.<#= this.RevisionNumber #>")] -[assembly: AssemblyFileVersion("1.4.<#= this.BuildNumber #>.<#= this.RevisionNumber #>")] +[assembly: AssemblyVersion("1.5.<#= this.BuildNumber #>.<#= this.RevisionNumber #>")] +[assembly: AssemblyFileVersion("1.5.<#= this.BuildNumber #>.<#= this.RevisionNumber #>")] <#+ // Days that have passed since Jan 1, 2021 00:00:00 int BuildNumber = (int)(DateTime.UtcNow - new DateTime(
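Review bot: in the CHANGELOG hunk `@@ -1,8 +1,17 @@`, the new 1.5.760.827 entry opens with "This is a quality improvement only release" while its first bullet fixes a security vulnerability (nested certificate requests bypassing subject alternative name rule processing) and urges all users to upgrade. Call it a security release in the intro sentence, state which earlier versions are affected, say what "nested" means for a reader (for example whether it refers to PKCS#10 requests wrapped in CMC or PKCS#7 envelopes), and say whether setting _ReadSubjectFromRequest_ to true reintroduces the old inline-request inspection path and therefore any of the original exposure. The same hunk also quietly rewrites the already published 1.4.728.502 entry (date "Dec 29, 2022" to "Dec 30, 2022", "bug fix only release" to "quality improvement only release"); corrections to a shipped release's entry should be mentioned rather than folded into the version bump.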
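Review bot: in the CHANGELOG hunk `@@ -14,6 +23,7 @@`, the added bullet "Attributes used for modification of a certificate's subject distinguished name are now only retrieved from AD if the feature is enabled for a certificate template" lands in the 1.4.728.502 section, a release dated December 2022, rather than in the new 1.5.760.827 section. If the behavior shipped in 1.4 this is a late documentation fix and should say so; if it is part of 1.5 it belongs under the new heading, otherwise a reader checking whether their 1.4 install already limits these directory lookups gets the wrong answer.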
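Review bot: in the README hunk `@@ -19,7 +19,8 @@`, the new bullet misspells "attribues" (attributes), and the replaced Security Identifier bullet carries over the doubled article in "Adding the the newly introduced"; since that whole line is rewritten anyway, fix both. The enforcement date in that bullet has now moved once already (May 9, 2023 to November 14, 2023), so a hard-coded date will keep going stale; wording such as "currently scheduled by Microsoft for November 14, 2023 (see KB5014754 for the current date)" makes the README resilient to the next reschedule. Nit in the unchanged context line: the VMware link ends in ".html.html".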
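Review bot: in the AutoVersionIncrement.tt hunk `@@ -10,8 +10,8 @@`, the major.minor prefix "1.5" is hard-coded in both the AssemblyVersion and AssemblyFileVersion lines (and again in the generated AutoVersionIncrement.cs), so every release bump is a multi-line search-and-replace that is easy to do half-way. Declare it once in the `<#+ ... #>` class-feature block next to BuildNumber, for example `string MajorMinor = "1.5";`, and reference `<#= this.MajorMinor #>` from both attributes.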