4c4f900
Initial JEA for WinCert
Apr 24, 2026
c45ef24
Update generated docs
Apr 24, 2026
585fd7f
Helper updates
Apr 24, 2026
aa2e660
Merge branch '81018-Adding_JEA_Support' of https://github.com/Keyfact…
Apr 24, 2026
3d8180a
Updated spelling of PowerShell script and fixed Information Messages …
Apr 27, 2026
59d239f
Added JEA support for IIS
Apr 28, 2026
d3a92d4
Fixed and updated IIS Components
Apr 28, 2026
355c3ac
Completed SQL Module and updated test projects
Apr 30, 2026
c38621d
Testing
May 1, 2026
0643435
Removed WinCertScripts from extension.
May 6, 2026
a9cd833
changed way LocalHost and JEA are configured.
May 6, 2026
0c432a9
Fixed ODKG missing file error
May 6, 2026
eca4c19
Updated KF Import of Signed Certificates PowerShell Script
May 7, 2026
f9bd02b
Fixed missing PowerShell script not being found.
May 11, 2026
df9ddcf
Fix missing path
May 11, 2026
8ad923c
Updated documentation to include JEA information.
May 11, 2026
4094f15
Update generated docs
May 11, 2026
9e102ea
chore(ci): Update build workflow to v5
spbsoluble May 12, 2026
2158f3c
docs: auto-generate README and documentation [skip ci]
github-actions[bot] May 12, 2026
f85f910
Update generated docs
spbsoluble May 12, 2026
fb4031a
docs: auto-generate README and documentation [skip ci]
github-actions[bot] May 12, 2026
d9fbee8
docs: auto-generate README and documentation [skip ci]
github-actions[bot] May 12, 2026
89f92f0
Adding dotnet 10 support
May 13, 2026
0413000
modified: IISU/PowerShell/Build/KeyfactorWinCert.pssc
May 13, 2026
51dca80
Merge branch '81018-Adding_JEA_Support' of https://github.com/Keyfact…
May 13, 2026
6395a23
docs: auto-generate README and documentation [skip ci]
github-actions[bot] May 13, 2026
aa8d504
Updated packages to support dotnet 10
May 13, 2026
cdcc1d2
Merge branch '81018-Adding_JEA_Support' of https://github.com/Keyfact…
May 13, 2026
43035b7
Updating Unit Tests
May 13, 2026
9197a2c
Fixed timeout issue when migrating to dotnet 10
May 13, 2026
a85707d
modified: IISU/PSHelper.cs
May 13, 2026
fb7444c
Remove .net6 libraries and support
May 13, 2026
6b3a95a
docs: auto-generate README and documentation [skip ci]
github-actions[bot] May 13, 2026
467ed39
#86137 Cleaned up messages returned to Command
May 15, 2026
5fba9a8
Merge branch '81018-Adding_JEA_Support' of https://github.com/Keyfact…
May 15, 2026
9418667
Updated language for WinSQL binding concerns
May 15, 2026
7f1cac9
docs: auto-generate README and documentation [skip ci]
github-actions[bot] May 15, 2026
2 changes: 1 addition & 1 deletion .github/workflows/keyfactor-starter-workflow.yml
Expand Up @@ -11,7 +11,7 @@ on:

jobs:
call-starter-workflow:
uses: keyfactor/actions/.github/workflows/starter.yml@v4
uses: keyfactor/actions/.github/workflows/starter.yml@v5
with:
command_token_url: ${{ vars.COMMAND_TOKEN_URL }} # Only required for doctool generated screenshots
command_hostname: ${{ vars.COMMAND_HOSTNAME }} # Only required for doctool generated screenshots
3 changes: 3 additions & 0 deletions .gitignore
Expand Up @@ -3,6 +3,9 @@
##
## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore

# Local test credentials (never commit)
local.runsettings

# User-specific files
*.rsuser
*.suo
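--- a/.vscode/launch.json
+++ b/.vscode/launch.json
@@ -0,0 +1,15 @@
+{
+// Use IntelliSense to learn about possible attributes.
+// Hover to view descriptions of existing attributes.
+// For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
+"version": "0.2.0",
+"configurations": [
+{
+"name": "PowerShell: Launch Script",
+"type": "PowerShell",
+"request": "launch",
+"script": "${file}",
+"args": []
+}
+]
+}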
105 changes: 71 additions & 34 deletions CHANGELOG.md
@@ -1,46 +1,61 @@
4.0.0

* As of this version of the extension, SANs will be handled through the ODKG Enrollment page in Command and will no longer use the SAN Entry Parameter. This version, we are removing all support for the SAN Entry Parameter. If you are still using the SAN Entry Parameter, you will need to remove it from your store types and re-run inventory to remove it from your database.
* Adding JEA Support for local PowerShell execution. This will allow for more secure execution of the extension when running in a local PowerShell Runspace. To utilize this feature, you will need to create a JEA endpoint on the target server and specify the endpoint name as a new parameter in the specific Cert Store definition. Refer to the README for more details.
* .NET6 assemblies are no longer supported.

3.0.1
* Fixed an issues when renewing ECC Certificates
* Fixed an issues when renewing ECC Certificates


3.0.0

* As of this version of the extension, SANs will be handled through the ODKG Enrollment page in Command, and will no longer use the SAN Entry Parameter. This version, we are removing the Entry Parameter "SAN" from the integration-manifest.json, but will still support previous versions of Command in the event the SAN Entry Parameter is passed. The next major version (4.0) will remove all support for the SAN Entry Parameter.
* Added WinADFS Store Type for rotating certificates in ADFS environments. Please note, only the service-communications certificate is rotated throughout your farm.
* Internal only: Added Integration Tests to aid in future development and testing.
* Improved messaging in the event an Entry Parameter is missing (or does not meet the casing requirements)
* Fixed the SNI/SSL flag being returned during inventory, now returns extended SSL flags
* Fixed the SNI/SSL flag when binding the certificate to allow for extended SSL flags
* Added SSL Flag validation to make sure the bit flag is correct. These are the valid bit flags for the version of Windows:
### Windows Server 2012 R2 / Windows 8.1 and earlier (IIS 8.5):
* 0 No SNI
* 1 Use SNI
* 2 Use Centralized SSL certificate store.

### Windows Server 2016 (IIS 10.0):
* 0 No SNI
* 1 Use SNI
* 4 Disable HTTP/2.

### Windows Server 2019 (IIS 10.0.17763)
* 0 No SNI
* 1 Use SNI
* 4 Disable HTTP/2.
* 8 Disable OCSP Stapling.

### Windows Server 2022+ (IIS 10.0.20348+)
* 0 No SNI
* 1 Use SNI
* 4 Disable HTTP/2.
* 8 Disable OCSP Stapling.
* 16 Disable QUIC.
* 32 Disable TLS 1.3 over TCP.
* 64 Disable Legacy TLS.
### Windows Server 2012 R2 / Windows 8.1 and earlier (IIS 8.5)### Windows Server 2012 R2 / Windows 8.1 and earlier (IIS 8.5):

* 0 No SNI

* 1 Use SNI
* 2 Use Centralized SSL certificate store.

### Windows Server 2016 (IIS 10.0)### Windows Server 2016 (IIS 10.0):
* 0 No SNI

* 1 Use SNI
* 4 Disable HTTP/2.

### Windows Server 2019 (IIS 10.0.17763)
* 0 No SNI

* 1 Use SNI
* 4 Disable HTTP/2.
* 8 Disable OCSP Stapling.

### Windows Server 2022+ (IIS 10.0.20348+)
* 0 No SNI

* 1 Use SNI
* 4 Disable HTTP/2.
* 8 Disable OCSP Stapling.
* 16 Disable QUIC.
* 32 Disable TLS 1.3 over TCP.
* 64 Disable Legacy TLS.

2.6.4

* Fixed an issue with SSL Flags greater than 3 were not being applied correctly to newer IIS servers.
* Fixed an issue when formatting private RSA keys when connecting using the ssh protocol.
* When using ssh protocol in containers, the SQL ACL on private keys was not being updating correctly. This has been fixed.
* Updated documentation to indicate that the username and password fields on the Cert Store are automatically added by Command.

2.6.3

* Fixed re-enrollment or ODKG job when RDN Components contained escaped commas.
* Updated renewal job for IIS Certs to delete the old cert if not bound or used by other web sites.
* Improved Inventory reporting of CSP when cert uses newer CNG Keys.
Expand All @@ -51,23 +66,25 @@
* Fixed an issue with (remote) ODKG jobs that caused an error when the CSP was not specified that did not require binding.

2.6.2

* Fixed error when attempting to connect to remote computer using UO service account
* Fixed error when connecting to remote computer using HTTPS; was defaulting to HTTP
* Fixed the creation of a certificate when the Cryptographic Service Provider was changed by the user
* Updated logic when getting the CSP. Now supports modern CHG and legacy CAPI APIs. This will allow the CSP to show in the stores inventory.
* Re-factored code to eliminate warnings
* Bumped up he following packages to eliminate .net vulnerabilities and obsolete packages:
* Keyfactor.Orchestrators.IOrchestratorJobExtensions" Version="1.0.0"
* Keyfactor.Orchestrators.IOrchestratorJobExtensions" Version="1.0.0"
* Microsoft.PowerShell.SDK" Version="7.4.10" Condition="'$(TargetFramework)' == 'net8.0'"
* runtime.linux-arm64.runtime.native.System.IO.Ports" Version="9.0.5"
* runtime.osx-arm64.runtime.native.System.IO.Ports" Version="9.0.5"
* System.Formats.Asn1" Version="8.0.2" Condition="'$(TargetFramework)' == 'net6.0'"
* System.Formats.Asn1" Version="9.0.0" Condition="'$(TargetFramework)' == 'net8.0'"
* System.Formats.Asn1" Version="9.0.0" Condition="'$(TargetFramework)' == 'net8.0'"
* System.IO.Packaging" Version="6.0.2" Condition="'$(TargetFramework)' == 'net6.0'"
* System.IO.Packaging" Version="8.0.1" Condition="'$(TargetFramework)' == 'net8.0'"
* System.Text.Json" Version="8.0.5"

2.6.1

* Documentation updates for the 2.6 release
* Fix a naming typo in the 2.5 migration SQL script
* Update integration-manifest.json
Expand All @@ -77,16 +94,19 @@
* Bumped System.IO.Packaging to 6.0.2 & 8.0.1 for .Net vulnerabilities.

2.6.0

* Added the ability to run the extension in a Linux environment. To utilize this change, for each Cert Store Types (WinCert/WinIIS/WinSQL), add ssh to the Custom Field <b>WinRM Protocol</b>. When using ssh as a protocol, make sure to enter the appropriate ssh port number under WinRM Port.
* NOTE: For legacy purposes the Display names WinRM Protocol and WinRM Port are maintained although the type of protocols now includes ssh.
* Moved all inventory and management jobs to external PowerShell script file .\PowerShellScripts\WinCertScripts.ps1
* Changed how IIS Bound certificates are deleted; Certificates are only deleted from the certificate store when the certificate is NOT BOUND to any other sites.
* NOTE: This version was not publicly released.

2.5.1

* Fixed WinSQL service name when InstanceID differs from InstanceName

2.5.0

* Added the Bindings to the end of the thumbprint to make the alias unique.
* Using new IISWebBindings cmdlet to use additional SSL flags when binding certificate to website.
* NOTE: The property SNIFlag has changed from a multi-select to a string with default of "0". To properly use the new SNI/SSL flags you can delete the SNIFlag from the store type and re-add the field as described in the ReadMe. If you have several existing cert stores, you may can execute the SQL script (IISU Sni Flag 2.5 upgrade script) to update the field type. Consult your Keyfactor Rep for help.
Expand All @@ -96,89 +116,106 @@
* Removed renewal thumbprint logic to update multiple website; each job now updates its own specific certificate.

2.4.4

* Fix an issue with WinRM parameters when migrating Legacy IIS Stores to the WinCert type
* Fix an issue with "Delete" script in the Legacy IIS Migration that did not remove some records from dependent tables

2.4.3

* Adding Legacy IIS Migration scripting and ReadMe guide

2.4.2

* Correct false positive error when completing an IIS inventory job.
* Revert to specifying the version of PowerShell to use when establishing a local PowerShell Runspace.
* Fixed typo in error message.

2.4.1

* Modified the CertUtil logic to use the -addstore argument when no password is sent with the certificate information.
* Added additional error trapping and trace logs

2.4.0

* Changed the way certificates are added to cert stores. CertUtil is now used to import the PFX certificate into the associated store. The CSP is now considered when maintaining certificates, empty CSP values will result in using the machines default CSP.
* Added the Crypto Service Provider and SAN Entry Parameters to be used on Inventory queries, Adding and ReEnrollments for the WinCert, WinSQL and IISU extensions.
* Changed how Client Machine Names are handled when a 'localhost' connection is desired. The new naming convention is: {machineName}|localmachine. This will eliminate the issue of unique naming conflicts.
* Updated the manifest.json to now include WinSQL ReEnrollment.
* Updated the integration-manifest.json file for new fields in cert store types.

2.3.2

* Changed the Open Cert Store access level from a '5' to 'MaxAllowed'

2.3.1

* Added additional error trapping for WinRM connections to allow actual error on failure.

2.3.0

* Added Sql Server Binding Support
* Modified WinCert Advanced PrivateKeyAllowed setting from Required to Optional

2.2.2

* Removed empty constructor to resolve PAM provider error when using WinCert store types

2.2.1

* Fixed issue where https binding without cert was causing an error

2.2.0
* Added Support for GMSA Account by using no value for ServerUsernanme and ServerPassword. KF Command version 10.2 or later is required to specify empty credentials.
* Added Support for GMSA Account by using no value for ServerUsernanme and ServerPassword. KF Command version 10.2 or later is required to specify empty credentials.

* Added local PowerShell support, triggered when specifying 'localhost' as the client machine while using the IISU or WinCert Orchestrator. This change was tested using KF Command 10.3
* Moved to .NET 6

2.1.1

* Fixed the missing site name error when issuing a WinCert job when writing trace log settings to the log file.
* Several display names changed in the documented certificate store type definitions. There are no changes to the internal type or parameter names, so no migration is necessary for currently configured stores.
* Display name for IISU changed to "IIS Bound Certificate".
* Display name for WinCert changed to "Windows Certificate".
* Display names for several Store and Entry parameters changed to be more descriptive and UI friendly.
* Display name for IISU changed to "IIS Bound Certificate".
* Display name for WinCert changed to "Windows Certificate".
* Display names for several Store and Entry parameters changed to be more descriptive and UI friendly.
* Significant ReadMe cleanup

2.1.0

* Fixed issue that was occurring during renewal when there were bindings outside of http and https like net.tcp
* Added PAM registration/initialization documentation in README.md
* Resolved Null HostName error
* Resolved Null HostName error
* Added WinCert Cert Store Type
* Added custom property parser to not show any passwords
* Removed any password references in trace logs and output settings in JSON format

2.0.0

* Add support for re-enrollment jobs (On Device Key Generation) with the ability to specify a cryptographic provider. Specification of cryptographic provider allows HSM (Hardware Security Module) use.
* Local PAM Support added (requires Universal Orchestrator Framework version 10.1)
* Certificate store type changed from IISBin to IISU. See README for migration notes.


1.1.3

* Made WinRM port a store parameter
* Made WinRM protocol a store parameter
* IISWBin 1.1.3 upgrade script.sql added to upgrade from 1.1.2

1.1.0

* Migrate to Universal Orchestrator (KF9 / .NET Core)
* Perform Renewals using RenewalThumbprint

1.0.3

* Add support for the SNI Flags when creating new bindings. Supported flags include:
* 0 No SNI
* 0 No SNI
* 1 SNI Enabled
* 2 Non SNI binding which uses Central Certificate Store
* 3 SNI binding which uses Central Certificate Store
* Last release to support Windows Orchestrator (KF8)

1.0.2

* Remove dependence on Windows.Web.Administration on the orchestrator server. The agent will now use the local version on the managed server via remote PowerShell
* add support for the IncludePortInSPN flag
* add support to use credentials from Keyfactor for Add/Remove/Inventory jobs.
29 changes: 14 additions & 15 deletions IISU/ClientPSCertStoreReEnrollment.cs
Expand Up @@ -90,12 +90,11 @@ public JobResult PerformReEnrollment(ReenrollmentJobConfiguration config, Submit
string protocol = jobProperties.WinRmProtocol;
string port = jobProperties.WinRmPort;
bool includePortInSPN = jobProperties.SpnPortFlag;
string jeaEndpoint = jobProperties?.JEAEndpointName ?? "";
string clientMachineName = config.CertificateStoreDetails.ClientMachine;
string storePath = config.CertificateStoreDetails.StorePath;

//_psHelper = new(protocol, port, includePortInSPN, clientMachineName, serverUserName, serverPassword);

_psHelper = new(protocol, port, includePortInSPN, clientMachineName, serverUserName, serverPassword);
_psHelper = new(protocol, port, includePortInSPN, clientMachineName, serverUserName, serverPassword, jeaEndpoint: jeaEndpoint);
_psHelper.Initialize();

using (_psHelper)
Expand Down Expand Up @@ -160,25 +159,25 @@ public JobResult PerformReEnrollment(ReenrollmentJobConfiguration config, Submit
{
case "Success":
psResult = OrchestratorJobStatusJobResult.Success;
_logger.LogDebug($"PowerShell function New-KFIISSiteBinding returned successfully with Code: {code}, on Step: {step}");
_logger.LogDebug($"PowerShell function New-KeyfactorIISSiteBinding returned successfully with Code: {code}, on Step: {step}");
break;
case "Skipped":
psResult = OrchestratorJobStatusJobResult.Failure;
failureMessage = ($"PowerShell function New-KFIISSiteBinding failed on step: {step} - message:\n {errorMessage}");
failureMessage = ($"PowerShell function New-KeyfactorIISSiteBinding failed on step: {step} - message:\n {errorMessage}");
_logger.LogDebug(failureMessage);
break;
case "Warning":
psResult = OrchestratorJobStatusJobResult.Warning;
_logger.LogDebug($"PowerShell function New-KFIISSiteBinding returned with a Warning on step: {step} with code: {code} - message: {message}");
_logger.LogDebug($"PowerShell function New-KeyfactorIISSiteBinding returned with a Warning on step: {step} with code: {code} - message: {message}");
break;
case "Error":
psResult = OrchestratorJobStatusJobResult.Failure;
failureMessage = ($"PowerShell function New-KFIISSiteBinding failed on step: {step} with code: {code} - message: {errorMessage}");
failureMessage = ($"PowerShell function New-KeyfactorIISSiteBinding failed on step: {step} with code: {code} - message: {errorMessage}");
_logger.LogDebug(failureMessage);
break;
default:
psResult = OrchestratorJobStatusJobResult.Unknown;
_logger.LogWarning("Unknown status returned from New-KFIISSiteBinding: " + status);
_logger.LogWarning("Unknown status returned from New-KeyfactorIISSiteBinding: " + status);
break;
}
}
Expand Down Expand Up @@ -294,9 +293,9 @@ private string CreateCSR(string subjectText, string providerName, string keyType
{ "keyLength", keySize },
{ "SAN", SAN }
};
_logger.LogInformation("Attempting to execute PS function (New-CsrEnrollment)");
_results = _psHelper.ExecutePowerShell("New-CsrEnrollment", parameters);
_logger.LogInformation("Returned from executing PS function (New-CsrEnrollment)");
_logger.LogInformation("Attempting to execute PS function (New-KeyfactorODKGEnrollment)");
_results = _psHelper.ExecutePowerShell("New-KeyfactorODKGEnrollment", parameters);
_logger.LogInformation("Returned from executing PS function (New-KeyfactorODKGEnrollment)");

// This should return the CSR that was generated
if (_results == null || _results.Count == 0)
Expand Down Expand Up @@ -356,9 +355,9 @@ private string ImportCertificate(byte[] certificateRawData, string storeName)
{ "storeName", storeName }
};

_logger.LogTrace("Attempting to execute PS function (Import-SignedCertificate)");
_results = _psHelper.ExecutePowerShell("Import-SignedCertificate", parameters);
_logger.LogTrace("Returned from executing PS function (Import-SignedCertificate)");
_logger.LogTrace("Attempting to execute PS function (Import-KeyfactorSignedCertificate)");
_results = _psHelper.ExecutePowerShell("Import-KeyfactorSignedCertificate", parameters);
_logger.LogTrace("Returned from executing PS function (Import-KeyfactorSignedCertificate)");

// This should return the CSR that was generated
if (_results != null && _results.Count > 0)
Expand Down Expand Up @@ -399,7 +398,7 @@ public string ResolveSANString(ReenrollmentJobConfiguration config)
}
else if (config.JobProperties != null &&
config.JobProperties.TryGetValue("SAN", out object legacySanValue) &&
!string.IsNullOrWhiteSpace(legacySanValue.ToString()))
(legacySanValue is not null && !string.IsNullOrWhiteSpace(legacySanValue.ToString())))
{
sanValue = legacySanValue.ToString().Trim();
sourceUsed = "config.JobProperties[\"SAN\"] (legacy)";
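Review bot: The new `string jeaEndpoint = jobProperties?.JEAEndpointName ?? "";` in the first hunk is the only line in that block that null-guards `jobProperties`, while `jobProperties.WinRmProtocol`, `.WinRmPort` and `.SpnPortFlag` directly above dereference it unconditionally, so the `?.` can never take effect and misleadingly suggests a null `jobProperties` is tolerated here; `string jeaEndpoint = jobProperties.JEAEndpointName ?? "";` states the intent accurately. Defaulting a missing endpoint name to `""` presumably makes PSHelper fall back to an unconstrained local runspace instead of a JEA session (PSHelper is not in this diff), which means an unset or mistyped store parameter silently downgrades the execution mode; an Information-level log line next to `_psHelper.Initialize();` stating whether a JEA endpoint is in use would make that visible in the job output. The commented-out `_psHelper = new(...)` call on the line above the new constructor call looks like a left-over duplicate and can be dropped. PerformReEnrollment starts before this hunk and continues past it.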