Remove undocumented certificate APIs#3818
Conversation
SteveL-MSFT
left a comment
There was a problem hiding this comment.
Is there sufficient test coverage?
| { | ||
| return new CertificateProviderCodeSigningDynamicParameters(); | ||
| } | ||
| return new CertificateProviderCodeSigningDynamicParameters(); |
There was a problem hiding this comment.
This will work on downlevel like Win7?
There was a problem hiding this comment.
This is the code path that is always taken on Windows PowerShell on Win7. It should work.
|
|
||
| Security.NativeMethods.LogCertDelete(fMachine, cert.Handle); | ||
| } | ||
| //TODO: log cert move |
| { | ||
| Security.NativeMethods.LogCertDelete(fMachine, cert.Handle); | ||
| } | ||
| //TODO: Log Cert Delete |
There was a problem hiding this comment.
I'm not sure we need these, but I'll open an issue or remove them based on my investigation.
| names.Add(new DnsNameRepresentation( | ||
| Marshal.PtrToStringUni(Marshal.ReadIntPtr(papwszPunycodeNames, i * Marshal.SizeOf(papwszPunycodeNames))), | ||
| Marshal.PtrToStringUni(Marshal.ReadIntPtr(papwszUnicodeNames, i * Marshal.SizeOf(papwszUnicodeNames))))); | ||
| //TODO: detect and handle punyCode |
| out papwszUnicodeNames); | ||
| if (hr != Security.NativeConstants.S_OK) | ||
| // Get the part after 'DNS Name=' | ||
| if(nameLine.Length > 9) |
There was a problem hiding this comment.
Any validation needed here? Prefer to have const DnsNamePrefixLength used than 9
There was a problem hiding this comment.
Yes, I was planning on adding it with the support for punyCode. The only way I can see puny code being supported is a different record format.
ca9f38b to
0348ee2
Compare
SteveL-MSFT
left a comment
There was a problem hiding this comment.
My concerns are addressed, but would like @LeeHolmes to review before we merge
| @@ -480,22 +445,6 @@ public void Open(bool includeArchivedCerts) | |||
| public IntPtr GetFirstCert( | |||
| CertificateFilterInfo filter) | |||
There was a problem hiding this comment.
It looks like the "filter" argument is no longer needed here.
| } | ||
| if (Valid) | ||
| { | ||
| if (_filterHandle != null) |
There was a problem hiding this comment.
What do we lose by removing this down level cert filtering option?
There was a problem hiding this comment.
probably just performance. Looking at the CmdLet we only supported filtering by codesigning certs which the tests pass after the change.
There was a problem hiding this comment.
line 2636, is filtering.
| { | ||
| if (DownLevelHelper.NativeFilteringSupported()) | ||
| { | ||
| return new CertificateProviderDynamicParameters(); |
There was a problem hiding this comment.
It looks like the internal CertificateProviderDynamicParameters class is no longer used. Has it been removed?
| Collection<string> ekuCollection = System.Management.Automation.Internal.SecuritySupport.GetCertEKU(cert); | ||
|
|
||
| foreach (string oidString in ekuCollection) | ||
| if (extension.Oid.FriendlyName == "Enhanced Key Usage") |
There was a problem hiding this comment.
Would it be better to use the Oid.Value property ("1.3.6.1.5.5.7.3.4")? Maybe it makes no difference but I wonder if we should use case insensitive string compare?
There was a problem hiding this comment.
Comparing the value would be better. I'll update the code.
There was a problem hiding this comment.
Except that is the OID for a specific EKU, not specifying an EKU. The OID should be 2.5.29.37
| if (extension.Oid.FriendlyName == "Enhanced Key Usage") | ||
| { | ||
| if (!String.IsNullOrEmpty(oidString)) | ||
| X509EnhancedKeyUsageExtension ext = (X509EnhancedKeyUsageExtension)extension; |
There was a problem hiding this comment.
Is this cast guaranteed? Or should we be using "as" keyword cast and check for null?
| { | ||
| private List<DnsNameRepresentation> _dnsList = new List<DnsNameRepresentation>(); | ||
| private System.Globalization.IdnMapping idnMapping = new System.Globalization.IdnMapping(); | ||
| private static string dnsNamePrefix = "DNS Name="; |
There was a problem hiding this comment.
We normally use "private const string"
| // extract DNS name from subject distinguish name | ||
| // if it exists and does not contain a comma | ||
| // a comma, indicates it is not a DNS name | ||
| if(cert.Subject.Length > distinguishedNamePrefix.Length && |
There was a problem hiding this comment.
I don't think the Length check is necessary. I would expect the StartsWith method to do that check.
| } | ||
| if (cPunycodeName != cUnicodeName) | ||
| // Get the part after 'DNS Name=' | ||
| if(nameLine.Length > dnsNamePrefix.Length && nameLine.StartsWith(dnsNamePrefix, System.StringComparison.InvariantCulture)) |
There was a problem hiding this comment.
Again, I don't think the length check is needed.
| dnsName = new DnsNameRepresentation(name,unicodeName); | ||
|
|
||
| // Only add the name if it is not the same as an existing name. | ||
| if(!_dnsList.Contains(dnsName)) |
There was a problem hiding this comment.
Should this be a case sensitive compare?
There was a problem hiding this comment.
The old code gave all variations back in the results. So, no.
| @@ -0,0 +1,138 @@ | |||
| Import-Module (Join-Path -Path $PSScriptRoot 'certificateCommon.psm1') -Force | |||
There was a problem hiding this comment.
Please put this test prep inside "if ($IsWindows) {}"
There was a problem hiding this comment.
What is the concern here?
There was a problem hiding this comment.
It seems like we can skip the prep work if not running on Windows.
There was a problem hiding this comment.
The only imports functions, the actual prep work is done in the beforeall of the feature tests and is skipped on non-windows platforms.
Compare OIDs by value instead of name Remove unneeded length comparison when comparing string prefixes
Addresses #3792
The code paths deleted where using the undocumented API on WIn8 and newer for the following purposes:
After the change, all the code uses public APIs. Filtering is done in PowerShell using existing code. I don't believe the logging is needed.