Implementation of E-Mail and SMIME Capabilities

Uwe Gradenegger · Uwe Gradenegger · commit f3f924825748 · 2020-12-04T22:57:47.000+01:00
diff --git a/Functions/Get-NDESCertificate.ps1 b/Functions/Get-NDESCertificate.ps1
@@ -24,6 +24,10 @@
     Specifies one or more User Principal Names to be written into the Subject Alternative Name (SAN) Extension of the Certificate Request.
     May be left Empty if you specify a Subject, DnsName or IP instead.
 
+    .PARAMETER Email
+    Specifies one or more E-Mail addresses (RFC 822) to be written into the Subject Alternative Name (SAN) Extension of the Certificate Request.
+    May be left Empty if you specify a Subject, DnsName, Upn or IP instead.
+
     .PARAMETER IP
     Specifies or more IP Addresses to be written into the Subject Alternative Name (SAN) Extension of the Certificate Request.
     May be left Empty if you specify a Subject, DnsName or Upn instead.
@@ -100,6 +104,13 @@ Function Get-NDESCertificate {
         [mailaddress[]]
         $Upn,
 
+        [Parameter(ParameterSetName="NewRequest",Mandatory=$False)]
+        [Alias("RFC822Name")]
+        [Alias("E-Mail")]
+        [ValidateNotNullOrEmpty()]
+        [mailaddress[]]
+        $Email,
+
         [Alias("IPAddress")]
         [Parameter(Mandatory=$False)]
         [ValidateNotNullOrEmpty()]
@@ -268,7 +279,7 @@ Function Get-NDESCertificate {
 
             # New Certificate Request
 
-            If ((-not $Dns) -and (-not $Upn) -and (-not $IP) -and ((-not $Subject) -or ($Subject -eq "CN="))) {
+            If ((-not $Dns) -and (-not $Upn) -and (-not $Email) -and (-not $IP) -and ((-not $Subject) -or ($Subject -eq "CN="))) {
                 Write-Error -Message "You must provide an Identity, either in Form ob a Subject or Subject Alternative Name!"
                 return
             }
@@ -289,7 +300,7 @@ Function Get-NDESCertificate {
             }
 
             # Set the Subject Alternative Names Extension if specified as Argument
-            If ($Upn -or $Dns -or $IP) {
+            If ($Upn -or $Email -or $Dns -or $IP) {
 
                 $SubjectAlternativeNamesExtension = New-Object -ComObject X509Enrollment.CX509ExtensionAlternativeNames
                 $Sans = New-Object -ComObject X509Enrollment.CAlternativeNames
@@ -304,6 +315,19 @@ Function Get-NDESCertificate {
                         $Entry
                     )
                     $Sans.Add($AlternativeNameObject)
+                    [void]([System.Runtime.Interopservices.Marshal]::ReleaseComObject($AlternativeNameObject))
+    
+                }
+
+                Foreach ($Entry in $Email) {
+            
+                    $AlternativeNameObject = New-Object -ComObject X509Enrollment.CAlternativeName
+                    $AlternativeNameObject.InitializeFromString(
+                        $XCN_CERT_ALT_NAME_RFC822_NAME, 
+                        $Entry
+                    )
+                    $Sans.Add($AlternativeNameObject)
+                    [void]([System.Runtime.Interopservices.Marshal]::ReleaseComObject($AlternativeNameObject))
     
                 }
     
@@ -315,6 +339,7 @@ Function Get-NDESCertificate {
                         $Entry
                     )
                     $Sans.Add($AlternativeNameObject)
+                    [void]([System.Runtime.Interopservices.Marshal]::ReleaseComObject($AlternativeNameObject))
     
                 }
 
@@ -327,6 +352,7 @@ Function Get-NDESCertificate {
                         [Convert]::ToBase64String($Entry.GetAddressBytes())
                     )
                     $Sans.Add($AlternativeNameObject)
+                    [void]([System.Runtime.Interopservices.Marshal]::ReleaseComObject($AlternativeNameObject))
     
                 }
                 
diff --git a/Functions/New-CertificateRequest.ps1 b/Functions/New-CertificateRequest.ps1
@@ -20,15 +20,22 @@
 
     .PARAMETER Dns
     Specifies one or more DNS Names to be written into the Subject Alternative Name (SAN) Extension of the Certificate Request.
-    May be left Empty if you specify a Subject, Upn or IP instead.
+    May be left Empty if you specify a Subject, Upn, Email or IP instead.
 
     .PARAMETER Upn
     Specifies one or more User Principal Names to be written into the Subject Alternative Name (SAN) Extension of the Certificate Request.
-    May be left Empty if you specify a Subject, DnsName or IP instead.
+    May be left Empty if you specify a Subject, DnsName, Email or IP instead.
+
+    .PARAMETER Email
+    Specifies one or more E-Mail addresses (RFC 822) to be written into the Subject Alternative Name (SAN) Extension of the Certificate Request.
+    May be left Empty if you specify a Subject, DnsName, Upn or IP instead.
 
     .PARAMETER IP
     Specifies or more IP Addresses to be written into the Subject Alternative Name (SAN) Extension of the Certificate Request.
-    May be left Empty if you specify a Subject, DnsName or Upn instead.
+    May be left Empty if you specify a Subject, DnsName, Email or Upn instead.
+
+    .PARAMETER Smime
+    Specifies the S/MIME Capabilities the requestor supports.
 
     .PARAMETER Aki
     Specifies the Authority Key Identifier Attribute to be included in the Request.
@@ -158,12 +165,43 @@ Function New-CertificateRequest {
         [mailaddress[]]
         $Upn,
 
+        [Alias("RFC822Name")]
+        [Alias("E-Mail")]
+        [Parameter(Mandatory=$False)]
+        [ValidateNotNullOrEmpty()]
+        [mailaddress[]]
+        $Email,
+
         [Alias("IPAddress")]
         [Parameter(Mandatory=$False)]
         [ValidateNotNullOrEmpty()]
         [System.Net.IPAddress[]]
         $IP,
 
+        [Alias("SmimeCapabilities")]
+        [Parameter(Mandatory=$False)]
+        [ValidateSet(
+            "des",
+            "des3",
+            "rc2",
+            "rc4",
+            "des3wrap",
+            "rc2wrap",
+            "aes128",
+            "aes192",
+            "aes256",
+            "aes128wrap",
+            "aes192wrap",
+            "aes256wrap",
+            "md5",
+            "sha1",
+            "sha256",
+            "sha384",
+            "sha512"
+        )]
+        [String[]]
+        $Smime,
+
         [Alias("AuthorityKeyIdentifier")]
         [Parameter(Mandatory=$False)]
         [ValidatePattern("^[0-9a-fA-F]{40}$")]
@@ -286,7 +324,7 @@ Function New-CertificateRequest {
             }
         }
 
-        If ((-not $Dns) -and (-not $Upn) -and (-not $IP) -and ((-not $Subject) -or ($Subject -eq "CN="))) {
+        If ((-not $Dns) -and (-not $Upn) -and (-not $Email) -and (-not $IP) -and ((-not $Subject) -or ($Subject -eq "CN="))) {
             Write-Error -Message "You must provide an Identity, either in Form ob a Subject or Subject Alternative Name!"
             return
         }
@@ -500,46 +538,60 @@ Function New-CertificateRequest {
         }
 
         # Set the Subject Alternative Names Extension if specified as Argument
-        If ($Upn -or $Dns -or $IP) {
+        If ($Upn -or $Email -or $Dns -or $IP) {
 
             # https://docs.microsoft.com/en-us/windows/win32/api/certenroll/nn-certenroll-ix509extensionalternativenames
             $SubjectAlternativeNamesExtension = New-Object -ComObject X509Enrollment.CX509ExtensionAlternativeNames
             $Sans = New-Object -ComObject X509Enrollment.CAlternativeNames
 
+            # https://msdn.microsoft.com/en-us/library/aa374981(VS.85).aspx
+
             Foreach ($Entry in $Upn) {
             
-                # https://msdn.microsoft.com/en-us/library/aa374981(VS.85).aspx
                 $AlternativeNameObject = New-Object -ComObject X509Enrollment.CAlternativeName
                 $AlternativeNameObject.InitializeFromString(
                     $XCN_CERT_ALT_NAME_USER_PRINCIPLE_NAME, 
                     $Entry
                 )
                 $Sans.Add($AlternativeNameObject)
+                [void]([System.Runtime.Interopservices.Marshal]::ReleaseComObject($AlternativeNameObject))
+
+            }
+
+            Foreach ($Entry in $Email) {
+            
+                $AlternativeNameObject = New-Object -ComObject X509Enrollment.CAlternativeName
+                $AlternativeNameObject.InitializeFromString(
+                    $XCN_CERT_ALT_NAME_RFC822_NAME, 
+                    $Entry
+                )
+                $Sans.Add($AlternativeNameObject)
+                [void]([System.Runtime.Interopservices.Marshal]::ReleaseComObject($AlternativeNameObject))
 
             }
 
             Foreach ($Entry in $Dns) {
             
-                # https://msdn.microsoft.com/en-us/library/aa374981(VS.85).aspx
                 $AlternativeNameObject = New-Object -ComObject X509Enrollment.CAlternativeName
                 $AlternativeNameObject.InitializeFromString(
                     $XCN_CERT_ALT_NAME_DNS_NAME,
                     $Entry
                 )
                 $Sans.Add($AlternativeNameObject)
+                [void]([System.Runtime.Interopservices.Marshal]::ReleaseComObject($AlternativeNameObject))
 
             }
 
             Foreach ($Entry in $IP) {
 
-                # https://msdn.microsoft.com/en-us/library/aa374981(VS.85).aspx
                 $AlternativeNameObject = New-Object -ComObject X509Enrollment.CAlternativeName
                 $AlternativeNameObject.InitializeFromRawData(
                     $XCN_CERT_ALT_NAME_IP_ADDRESS,
                     $XCN_CRYPT_STRING_BASE64,
                     [Convert]::ToBase64String($Entry.GetAddressBytes())
                 )
                 $Sans.Add($AlternativeNameObject)
+                [void]([System.Runtime.Interopservices.Marshal]::ReleaseComObject($AlternativeNameObject))
 
             }
             
@@ -550,6 +602,38 @@ Function New-CertificateRequest {
             $CertificateRequestObject.X509Extensions.Add($SubjectAlternativeNamesExtension)
 
         }
+
+        # Set the S/MIME Capabilities Extension if specified as Argument
+        If ($Smime) {
+
+            # https://docs.microsoft.com/en-us/windows/win32/api/certenroll/nn-certenroll-ix509extensionsmimecapabilities
+            $SmimeExtension = New-Object -ComObject X509Enrollment.CX509ExtensionSmimeCapabilities
+
+            # https://docs.microsoft.com/en-us/windows/win32/api/certenroll/nn-certenroll-ismimecapabilities
+            $SmimeCapabilitiesObject = New-Object -ComObject X509Enrollment.CSmimeCapabilities
+
+            $Smime | ForEach-Object -Process {
+
+                # The Bit length is only relevant for RC2 and RC4. We use the same defaults as Microsoft does.
+                If ($_ -in ("rc2","rc2wrap","rc4")) { $BitCount = 128 } Else { $BitCount = 0 }
+
+                $OidObject = New-Object -ComObject X509Enrollment.CObjectId
+                $OidObject.InitializeFromValue($SmimeCapabilityToOidTable[$_])
+
+                # https://docs.microsoft.com/en-us/windows/win32/api/certenroll/nf-certenroll-ismimecapability-initialize
+                $SmimeCapabilityObject = New-Object -ComObject X509Enrollment.CSmimeCapability
+                $SmimeCapabilityObject.Initialize(
+                    $OidObject,
+                    $BitCount
+                )
+                $SmimeCapabilitiesObject.Add($SmimeCapabilityObject)
+            }
+
+            $SmimeExtension.InitializeEncode($SmimeCapabilitiesObject)
+
+            # Adding the Extension to the Certificate
+            $CertificateRequestObject.X509Extensions.Add($SmimeExtension)
+        }
     
         # Set the Authority Key Identifier Extension if specified as Argument
         If ($Aki) {
diff --git a/PSCertificateEnrollment.psm1 b/PSCertificateEnrollment.psm1
@@ -52,7 +52,7 @@ New-Variable -Option Constant -Name XCN_CERT_NAME_STR_NONE -Value 0
 New-Variable -Option Constant -Name XCN_CERT_NAME_STR_FORCE_UTF8_DIR_STR_FLAG -Value 0x80000
 New-Variable -Option Constant -Name XCN_CERT_NAME_STR_DISABLE_UTF8_DIR_STR_FLAG -Value 0x100000
 
-# https://blog.css-security.com/blog/creating-a-self-signed-ssl-certificate-using-powershell
+# https://docs.microsoft.com/en-us/windows/win32/api/certenroll/ne-certenroll-alternativenametype
 New-Variable -Option Constant -Name XCN_CERT_ALT_NAME_UNKNOWN -Value 0
 New-Variable -Option Constant -Name XCN_CERT_ALT_NAME_OTHER_NAME -Value 1
 New-Variable -Option Constant -Name XCN_CERT_ALT_NAME_RFC822_NAME -Value 2
@@ -107,6 +107,27 @@ New-Variable -Option Constant -Name XCN_OID_WHQL_CRYPTO -Value "1.3.6.1.4.1.311.
 New-Variable -Option Constant -Name XCN_OID_KP_KDC -Value "1.3.6.1.5.2.3.5"
 New-Variable -Option Constant -Name XCN_OID_KP_RDC -Value "1.3.6.1.4.1.311.54.1.2"
 
+# https://docs.microsoft.com/en-us/windows/win32/api/certenroll/nn-certenroll-ix509extensionsmimecapabilities
+New-Variable -Option Constant -Name XCN_OID_OIWSEC_desCBC -Value "1.3.14.3.2.7"
+New-Variable -Option Constant -Name XCN_OID_RSA_DES_EDE3_CBC -Value "1.2.840.113549.3.7"
+New-Variable -Option Constant -Name XCN_OID_RSA_RC2CBC -Value "1.2.840.113549.3.2"
+New-Variable -Option Constant -Name XCN_OID_RSA_RC4 -Value "1.2.840.113549.3.4"
+New-Variable -Option Constant -Name XCN_OID_RSA_SMIMEalgCMS3DESwrap -Value "1.2.840.113549.1.9.16.3.6"
+New-Variable -Option Constant -Name XCN_OID_RSA_SMIMEalgCMSRC2wrap -Value "1.2.840.113549.1.9.16.3.7"
+New-Variable -Option Constant -Name XCN_OID_NIST_AES128_CBC -Value "2.16.840.1.101.3.4.1.2"
+New-Variable -Option Constant -Name XCN_OID_NIST_AES192_CBC -Value "2.16.840.1.101.3.4.1.22"
+New-Variable -Option Constant -Name XCN_OID_NIST_AES256_CBC -Value "2.16.840.1.101.3.4.1.42"
+New-Variable -Option Constant -Name XCN_OID_NIST_AES128_WRAP -Value "2.16.840.1.101.3.4.1.5"
+New-Variable -Option Constant -Name XCN_OID_NIST_AES192_WRAP -Value "2.16.840.1.101.3.4.1.25"
+New-Variable -Option Constant -Name XCN_OID_NIST_AES256_WRAP -Value "2.16.840.1.101.3.4.1.45"
+
+# https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpnap/a48b02b2-2a10-4eb0-bed4-1807a6d2f5ad
+New-Variable -Option Constant -Name md5NoSign -Value "1.2.840.113549.2.5"
+New-Variable -Option Constant -Name sha1NoSign -Value "1.3.14.3.2.26"
+New-Variable -Option Constant -Name sha256NoSign -Value "2.16.840.1.101.3.4.2.1"
+New-Variable -Option Constant -Name sha384NoSign -Value "2.16.840.1.101.3.4.2.2"
+New-Variable -Option Constant -Name sha512NoSign -Value "2.16.840.1.101.3.4.2.3"
+
 # https://msdn.microsoft.com/en-us/library/windows/desktop/aa374936(v=vs.85).aspx
 New-Variable -Option Constant -Name XCN_CRYPT_STRING_BASE64HEADER -Value 0
 New-Variable -Option Constant -Name XCN_CRYPT_STRING_BASE64 -Value 1
@@ -209,7 +230,7 @@ New-Variable -Option Constant -Name SCEPFailInfo -Value @(
 )
 
 # https://msdn.microsoft.com/en-us/library/windows/desktop/aa378132(v=vs.85).aspx
-New-Variable -Option Constant EkuNameToOidTable -Value @{
+New-Variable -Option Constant -Name EkuNameToOidTable -Value @{
 
     EnrollmentAgent = $XCN_OID_ENROLLMENT_AGENT
     ClientAuthentication = $XCN_OID_PKIX_KP_CLIENT_AUTH
@@ -233,6 +254,28 @@ New-Variable -Option Constant EkuNameToOidTable -Value @{
     
 }
 
+New-Variable -Option Constant -Name SmimeCapabilityToOidTable -Value @{
+
+    des = $XCN_OID_OIWSEC_desCBC
+    des3 = $XCN_OID_RSA_DES_EDE3_CBC
+    rc2 = $XCN_OID_RSA_RC2CBC
+    rc4 = $XCN_OID_RSA_RC4
+    des3wrap = $XCN_OID_RSA_SMIMEalgCMS3DESwrap
+    rc2wrap = $XCN_OID_RSA_SMIMEalgCMSRC2wrap
+    aes128 = $XCN_OID_NIST_AES128_CBC
+    aes192 = $XCN_OID_NIST_AES192_CBC
+    aes256 = $XCN_OID_NIST_AES256_CBC
+    aes128wrap = $XCN_OID_NIST_AES128_WRAP
+    aes192wrap = $XCN_OID_NIST_AES192_WRAP
+    aes256wrap = $XCN_OID_NIST_AES256_WRAP
+    md5 = $md5NoSign
+    sha1 = $sha1NoSign
+    sha256 = $sha256NoSign
+    sha384 = $sha384NoSign
+    sha512 = $sha512NoSign
+  
+}
+
 $ModuleRoot = Split-Path -Path $MyInvocation.MyCommand.Definition -Parent
 
 # Import Public Functions
@@ -248,4 +291,6 @@ $ModuleRoot = Split-Path -Path $MyInvocation.MyCommand.Definition -Parent
 . $ModuleRoot\Functions\Convert-StringToHex.ps1
 . $ModuleRoot\Functions\Get-Asn1LengthOctets.ps1
 . $ModuleRoot\Functions\New-AiaExtension.ps1
-. $ModuleRoot\Functions\New-CdpExtension.ps1
+. $ModuleRoot\Functions\New-CdpExtension.ps1
+
+write-host $XCN_CERT_ALT_NAME_USER_PRINCIPLE_NAME
