81018 adding jea support

.github/workflows/keyfactor-starter-workflow.yml

@@ -11,7 +11,7 @@ on:
 
 jobs:
   call-starter-workflow:
-    uses: keyfactor/actions/.github/workflows/starter.yml@v4
+    uses: keyfactor/actions/.github/workflows/starter.yml@v5
     with:
       command_token_url: ${{ vars.COMMAND_TOKEN_URL }} # Only required for doctool generated screenshots
       command_hostname: ${{ vars.COMMAND_HOSTNAME }} # Only required for doctool generated screenshots

.gitignore

@@ -3,6 +3,9 @@
 ##
 ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
 
+# Local test credentials (never commit)
+local.runsettings
+
 # User-specific files
 *.rsuser
 *.suo

.vscode/launch.json

@@ -0,0 +1,15 @@
+{
+    // Use IntelliSense to learn about possible attributes.
+    // Hover to view descriptions of existing attributes.
+    // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
+    "version": "0.2.0",
+    "configurations": [
+        {
+            "name": "PowerShell: Launch Script",
+            "type": "PowerShell",
+            "request": "launch",
+            "script": "${file}",
+            "args": []
+        }
+    ]
+}

CHANGELOG.md

@@ -1,3 +1,7 @@
+4.0.0
+* As of this version of the extension, SANs will be handled through the ODKG Enrollment page in Command and will no longer use the SAN Entry Parameter. This version, we are removing all support for the SAN Entry Parameter. If you are still using the SAN Entry Parameter, you will need to remove it from your store types and re-run inventory to remove it from your database.
+* Adding JEA Support for local PowerShell execution.  This will allow for more secure execution of the extension when running in a local PowerShell Runspace.  To utilize this feature, you will need to create a JEA endpoint on the target server and specify the endpoint name as a new parameter in the specific Cert Store definition.  Refer to the README for more details.
+
 3.0.1
 * Fixed an issues when renewing ECC Certificates 
 

IISU/ClientPSCertStoreReEnrollment.cs

@@ -90,12 +90,11 @@ public JobResult PerformReEnrollment(ReenrollmentJobConfiguration config, Submit
                 string protocol = jobProperties.WinRmProtocol;
                 string port = jobProperties.WinRmPort;
                 bool includePortInSPN = jobProperties.SpnPortFlag;
+                string jeaEndpoint = jobProperties?.JEAEndpointName ?? "";
                 string clientMachineName = config.CertificateStoreDetails.ClientMachine;
                 string storePath = config.CertificateStoreDetails.StorePath;
 
-                //_psHelper = new(protocol, port, includePortInSPN, clientMachineName, serverUserName, serverPassword);
-
-                _psHelper = new(protocol, port, includePortInSPN, clientMachineName, serverUserName, serverPassword);
+                _psHelper = new(protocol, port, includePortInSPN, clientMachineName, serverUserName, serverPassword, jeaEndpoint: jeaEndpoint);
                 _psHelper.Initialize();
 
                 using (_psHelper)
@@ -160,25 +159,25 @@ public JobResult PerformReEnrollment(ReenrollmentJobConfiguration config, Submit
                                             {
                                                 case "Success":
                                                     psResult = OrchestratorJobStatusJobResult.Success;
-                                                    _logger.LogDebug($"PowerShell function New-KFIISSiteBinding returned successfully with Code: {code}, on Step: {step}");
+                                                    _logger.LogDebug($"PowerShell function New-KeyfactorIISSiteBinding returned successfully with Code: {code}, on Step: {step}");
                                                     break;
                                                 case "Skipped":
                                                     psResult = OrchestratorJobStatusJobResult.Failure;
-                                                    failureMessage = ($"PowerShell function New-KFIISSiteBinding failed on step: {step} - message:\n {errorMessage}");
+                                                    failureMessage = ($"PowerShell function New-KeyfactorIISSiteBinding failed on step: {step} - message:\n {errorMessage}");
                                                     _logger.LogDebug(failureMessage);
                                                     break;
                                                 case "Warning":
                                                     psResult = OrchestratorJobStatusJobResult.Warning;
-                                                    _logger.LogDebug($"PowerShell function New-KFIISSiteBinding returned with a Warning on step: {step} with code: {code} - message: {message}");
+                                                    _logger.LogDebug($"PowerShell function New-KeyfactorIISSiteBinding returned with a Warning on step: {step} with code: {code} - message: {message}");
                                                     break;
                                                 case "Error":
                                                     psResult = OrchestratorJobStatusJobResult.Failure;
-                                                    failureMessage = ($"PowerShell function New-KFIISSiteBinding failed on step: {step} with code: {code} - message: {errorMessage}");
+                                                    failureMessage = ($"PowerShell function New-KeyfactorIISSiteBinding failed on step: {step} with code: {code} - message: {errorMessage}");
                                                     _logger.LogDebug(failureMessage);
                                                     break;
                                                 default:
                                                     psResult = OrchestratorJobStatusJobResult.Unknown;
-                                                    _logger.LogWarning("Unknown status returned from New-KFIISSiteBinding: " + status);
+                                                    _logger.LogWarning("Unknown status returned from New-KeyfactorIISSiteBinding: " + status);
                                                     break;
                                             }
                                         }
@@ -294,9 +293,9 @@ private string CreateCSR(string subjectText, string providerName, string keyType
                     { "keyLength", keySize },
                     { "SAN", SAN }
                 };
-                _logger.LogInformation("Attempting to execute PS function (New-CsrEnrollment)");
-                _results = _psHelper.ExecutePowerShell("New-CsrEnrollment", parameters);
-                _logger.LogInformation("Returned from executing PS function (New-CsrEnrollment)");
+                _logger.LogInformation("Attempting to execute PS function (New-KeyfactorODKGEnrollment)");
+                _results = _psHelper.ExecutePowerShell("New-KeyfactorODKGEnrollment", parameters);
+                _logger.LogInformation("Returned from executing PS function (New-KeyfactorODKGEnrollment)");
 
                 // This should return the CSR that was generated
                 if (_results == null || _results.Count == 0)
@@ -356,9 +355,9 @@ private string ImportCertificate(byte[] certificateRawData, string storeName)
                     { "storeName", storeName }
                 };
 
-                _logger.LogTrace("Attempting to execute PS function (Import-SignedCertificate)");
-                _results = _psHelper.ExecutePowerShell("Import-SignedCertificate", parameters);
-                _logger.LogTrace("Returned from executing PS function (Import-SignedCertificate)");
+                _logger.LogTrace("Attempting to execute PS function (Import-KeyfactorSignedCertificate)");
+                _results = _psHelper.ExecutePowerShell("Import-KeyfactorSignedCertificate", parameters);
+                _logger.LogTrace("Returned from executing PS function (Import-KeyfactorSignedCertificate)");
 
                 // This should return the CSR that was generated
                 if (_results != null && _results.Count > 0)

IISU/ImplementedStoreTypes/Win/Inventory.cs

@@ -81,6 +81,7 @@ public JobResult ProcessJob(InventoryJobConfiguration jobConfiguration, SubmitIn
                     settings.IncludePortInSPN = jobProperties.SpnPortFlag;
                     settings.ServerUserName = serverUserName;
                     settings.ServerPassword = serverPassword;
+                    settings.JEAEndpointName = jobProperties.JEAEndpointName;
 
                     _logger.LogTrace($"Querying Window certificate in store: {storePath}");
                     inventoryItems = QueryWinCertCertificates(settings, storePath);
@@ -126,7 +127,7 @@ public List<CurrentInventoryItem> QueryWinCertCertificates(RemoteSettings settin
         {
             List<CurrentInventoryItem> Inventory = new();
 
-            using (PSHelper ps = new(settings.Protocol, settings.Port, settings.IncludePortInSPN, settings.ClientMachineName, settings.ServerUserName, settings.ServerPassword))
+            using (PSHelper ps = new(settings.Protocol, settings.Port, settings.IncludePortInSPN, settings.ClientMachineName, settings.ServerUserName, settings.ServerPassword, jeaEndpoint: settings.JEAEndpointName))
             {
                 ps.Initialize();
 
@@ -135,7 +136,7 @@ public List<CurrentInventoryItem> QueryWinCertCertificates(RemoteSettings settin
                     { "StoreName", StoreName }
                 };
 
-                results = ps.ExecutePowerShell("Get-KFCertificates", parameters);
+                results = ps.ExecutePowerShell("Get-KeyfactorCertificates", parameters);
 
                 // If there are certificates, deserialize the results and send them back to command
                 if (results != null && results.Count > 0)
@@ -147,8 +148,7 @@ public List<CurrentInventoryItem> QueryWinCertCertificates(RemoteSettings settin
                     {
                         var siteSettingsDict = new Dictionary<string, object>
                                 {
-                                    { "ProviderName", cert.ProviderName},
-                                    { "SAN", cert.SAN }
+                                    { "ProviderName", cert.ProviderName}
                                 };
 
                         Inventory.Add(

IISU/ImplementedStoreTypes/Win/Management.cs

@@ -88,8 +88,9 @@ public JobResult ProcessJob(ManagementJobConfiguration config)
                 string protocol = jobProperties?.WinRmProtocol;
                 string port = jobProperties?.WinRmPort;
                 bool includePortInSPN = (bool)jobProperties?.SpnPortFlag;
+                string jeaEndpoint = jobProperties?.JEAEndpointName ?? "";
 
-                _psHelper = new(protocol, port, includePortInSPN, _clientMachineName, serverUserName, serverPassword);
+                _psHelper = new(protocol, port, includePortInSPN, _clientMachineName, serverUserName, serverPassword, jeaEndpoint: jeaEndpoint);
 
                 switch (_operationType)
                 {
@@ -158,8 +159,8 @@ public JobResult AddCertificate(string certificateContents, string privateKeyPas
                     if (!string.IsNullOrEmpty(privateKeyPassword)) { parameters.Add("PrivateKeyPassword", privateKeyPassword); }
                     if (!string.IsNullOrEmpty(cryptoProvider)) { parameters.Add("CryptoServiceProvider", cryptoProvider); }
 
-                    _results = _psHelper.ExecutePowerShell("Add-KFCertificateToStore", parameters);
-                    _logger.LogTrace("Returned from executing PS function (Add-KFCertificateToStore)");
+                    _results = _psHelper.ExecutePowerShell("Add-KeyfactorCertificate", parameters);
+                    _logger.LogTrace("Returned from executing PS function (Add-KeyfactorCertificate)");
 
                     // This should return the thumbprint of the certificate
                     if (_results != null && _results.Count > 0)
@@ -212,8 +213,8 @@ public JobResult RemoveCertificate(string thumbprint)
                         { "StorePath", _storePath }
                     };
 
-                    _psHelper.ExecutePowerShell("Remove-KFCertificateFromStore", parameters);
-                    _logger.LogTrace("Returned from executing PS function (Remove-KFCertificateFromStore)");
+                    _psHelper.ExecutePowerShell("Remove-KeyfactorCertificate", parameters);
+                    _logger.LogTrace("Returned from executing PS function (Remove-KeyfactorCertificate)");
 
                     _psHelper.Terminate();
                 }

IISU/ImplementedStoreTypes/Win/WinCertCertificateInfo.cs

@@ -24,7 +24,6 @@ public class WinCertCertificateInfo
         public string Issuer { get; set; }
         public string Thumbprint { get; set; }
         public bool HasPrivateKey { get; set; }
-        public string SAN { get; set; }
         public string ProviderName { get; set; }
         public string Base64Data { get; set; }
     }

IISU/ImplementedStoreTypes/Win/WinInventory.cs

@@ -24,6 +24,7 @@
 
 namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore.WinCert
 {
+    [Obsolete("This class is no longer used and will be removed in a future release.")]
     internal class WinInventory : ClientPSCertStoreInventory
     {
         private ILogger _logger;

IISU/ImplementedStoreTypes/WinADFS/Inventory.cs

@@ -180,8 +180,7 @@ public List<CurrentInventoryItem> QueryWinADFSCertificates(RemoteSettings settin
                     {
                         var siteSettingsDict = new Dictionary<string, object>
                                 {
-                                    { "ProviderName", cert.ProviderName},
-                                    { "SAN", cert.SAN }
+                                    { "ProviderName", cert.ProviderName}
                                 };
 
                         Inventory.Add(

IISU/ImplementedStoreTypes/WinIIS/Inventory.cs

@@ -83,6 +83,7 @@ public JobResult ProcessJob(InventoryJobConfiguration jobConfiguration, SubmitIn
                     settings.IncludePortInSPN = jobProperties.SpnPortFlag;
                     settings.ServerUserName = serverUserName;
                     settings.ServerPassword = serverPassword;
+                    settings.JEAEndpointName = jobProperties.JEAEndpointName;
 
                     _logger.LogTrace("Querying IIS Inventory..");
                     inventoryItems = QueryIISCertificates(settings);
@@ -127,7 +128,7 @@ public List<CurrentInventoryItem> QueryIISCertificates(RemoteSettings settings)
         {
             List<CurrentInventoryItem> Inventory = new();
 
-            using (PSHelper ps = new(settings.Protocol, settings.Port, settings.IncludePortInSPN, settings.ClientMachineName, settings.ServerUserName, settings.ServerPassword))
+            using (PSHelper ps = new(settings.Protocol, settings.Port, settings.IncludePortInSPN, settings.ClientMachineName, settings.ServerUserName, settings.ServerPassword, jeaEndpoint: settings.JEAEndpointName))
             {
                 ps.Initialize();
 
@@ -142,7 +143,7 @@ public List<CurrentInventoryItem> QueryIISCertificates(RemoteSettings settings)
                 //    results = ps.InvokeFunction("Get-KFIISBoundCertificates");
                 //}
 
-                results = ps.ExecutePowerShell("Get-KFIISBoundCertificates");
+                results = ps.ExecutePowerShell("Get-KeyfactorIISBoundCertificates");
 
                 // If there are certificates, deserialize the results and send them back to command
                 if (results != null && results.Count > 0)

IISU/ImplementedStoreTypes/WinIIS/Management.cs

@@ -92,12 +92,13 @@ public JobResult ProcessJob(ManagementJobConfiguration config)
                 string protocol = jobProperties?.WinRmProtocol;
                 string port = jobProperties?.WinRmPort;
                 bool includePortInSPN = (bool)jobProperties?.SpnPortFlag;
+                string jeaEndpoint = jobProperties?.JEAEndpointName ?? "";
                 string alias = config.JobCertificate?.Alias?.Split(':').FirstOrDefault() ?? string.Empty;  // Thumbprint is first part of the alias
 
                 // Assign the binding information
                 IISBindingInfo bindingInfo = new IISBindingInfo(config.JobProperties);
 
-                _psHelper = new(protocol, port, includePortInSPN, _clientMachineName, serverUserName, serverPassword);
+                _psHelper = new(protocol, port, includePortInSPN, _clientMachineName, serverUserName, serverPassword, jeaEndpoint: jeaEndpoint);
 
                 _psHelper.Initialize();
 
@@ -295,7 +296,7 @@ public string AddCertificate(string certificateContents, string privateKeyPasswo
                 if (!string.IsNullOrEmpty(privateKeyPassword)) { parameters.Add("PrivateKeyPassword", privateKeyPassword); }
                 if (!string.IsNullOrEmpty(cryptoProvider)) { parameters.Add("CryptoServiceProvider", cryptoProvider); }
 
-                _results = _psHelper.ExecutePowerShell("Add-KFCertificateToStore", parameters);
+                _results = _psHelper.ExecutePowerShell("Add-KeyfactorCertificate", parameters);
                 _logger.LogTrace("Returned from executing PS function (Add-KFCertificateToStore)");
 
                 // This should return the thumbprint of the certificate
@@ -330,7 +331,7 @@ public void RemoveIISCertificate(string thumbprint)
                         { "StoreName", _storePath }
                     };
 
-            _psHelper.ExecutePowerShell("Remove-KFIISCertificateIfUnused", parameters);
+            _psHelper.ExecutePowerShell("Remove-KeyfactorIISCertificateIfUnused", parameters);
 
         }