Sleepw4lker
diff --git a/‎TameMyCerts.IntegrationTests/Tests/User_Online_YubiKey.ps1‎ renamed to ‎TameMyCerts.IntegrationTests/Tests/User_Online_YubiKey.Tests.ps1‎
Lines changed: 0 additions & 2 deletions b/‎TameMyCerts.IntegrationTests/Tests/User_Online_YubiKey.ps1‎ renamed to ‎TameMyCerts.IntegrationTests/Tests/User_Online_YubiKey.Tests.ps1‎
Lines changed: 0 additions & 2 deletions
diff --git a/‎TameMyCerts.Tests/RequestAttributeValidatorTests.cs‎
Lines changed: 13 additions & 4 deletions b/‎TameMyCerts.Tests/RequestAttributeValidatorTests.cs‎
Lines changed: 13 additions & 4 deletions
diff --git a/‎TameMyCerts/LocalizedStrings.Designer.cs‎
Lines changed: 15 additions & 5 deletions b/‎TameMyCerts/LocalizedStrings.Designer.cs‎
Lines changed: 15 additions & 5 deletions
diff --git a/‎TameMyCerts/LocalizedStrings.resx‎
Lines changed: 14 additions & 4 deletions b/‎TameMyCerts/LocalizedStrings.resx‎
Lines changed: 14 additions & 4 deletions
diff --git a/‎TameMyCerts/Models/CertificateDatabaseRow.cs‎
Lines changed: 6 additions & 0 deletions b/‎TameMyCerts/Models/CertificateDatabaseRow.cs‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎TameMyCerts/Policy.cs‎
Lines changed: 2 additions & 3 deletions b/‎TameMyCerts/Policy.cs‎
Lines changed: 2 additions & 3 deletions
diff --git a/‎TameMyCerts/Validators/RequestAttributeValidator.cs‎
Lines changed: 7 additions & 2 deletions b/‎TameMyCerts/Validators/RequestAttributeValidator.cs‎
Lines changed: 7 additions & 2 deletions
diff --git a/‎TameMyCerts/Validators/YubikeyValidator.cs‎
Lines changed: 4 additions & 4 deletions b/‎TameMyCerts/Validators/YubikeyValidator.cs‎
Lines changed: 4 additions & 4 deletions
@@ -9,8 +9,6 @@ Describe 'User_Online_Yubikey.Tests' {
 
     It 'Given YubiKey Policy is enabled and a request contains a valid attestation, a certificate is issued' {
 
-        #$Csr = Get-Content -Path "User_Online_Yubikey.pem" -Raw
-
         $Csr =  "MIIIxDCCB6wCAQAwHDEaMBgGA1UEAwwRVGFtZU15Q2VydHNfNS43LjIwggEiMA0G" +
                 "CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC8PsNNUt67rgq4+EGGnBU46XiiXv4g" +
                 "ADdAhOB8IQp1eZ+7Dq8JOQ9XDjjBObPj7TnEzxS+PSpXTmwV46FA4gykcVj+tRhT" +
 
@@ -1,4 +1,5 @@
 using Microsoft.VisualStudio.TestPlatform.ObjectModel.Client;
+using Newtonsoft.Json.Linq;
 using System;
 using System.Collections.Generic;
 using System.ComponentModel;
@@ -187,12 +188,15 @@ public void Allow_StartDate()
     }
 
     [Fact]
-    public void Deny_invalid_flags()
+    public void Deny_SAN_request_attribute_when_insecure_flag_is_set()
     {
+        const string attrName = "saN"; // note that we also test case sensitivity
+        const string attrValue = "doesnt-matter";
+
         var caConfig = new CertificateAuthorityConfiguration(EditFlag.EDITF_ATTRIBUTESUBJECTALTNAME2);
 
         var dbRow = new CertificateDatabaseRow(_defaultCsr, CertCli.CR_IN_PKCS10,
-            new Dictionary<string, string> { { "saN", "doesnt-matter" } });
+            new Dictionary<string, string> { { attrName, attrValue } });
 
         var result = new CertificateRequestValidationResult(dbRow);
 
@@ -202,15 +206,19 @@ public void Deny_invalid_flags()
 
         Assert.True(result.DeniedForIssuance);
         Assert.True(result.StatusCode == WinError.NTE_FAIL);
+        Assert.Contains($"{attrName}:{attrValue}", string.Join("\n", result.Warnings));
     }
 
     [Fact]
-    public void Allow_valid_flags()
+    public void Allow_SAN_request_attribute_when_insecure_flag_is_not_set()
     {
+        const string attrName = "saN"; // note that we also test case sensitivity
+        const string attrValue = "doesnt-matter";
+
         var caConfig = new CertificateAuthorityConfiguration(0);
 
         var dbRow = new CertificateDatabaseRow(_defaultCsr, CertCli.CR_IN_PKCS10,
-            new Dictionary<string, string> { { "saN", "doesnt-matter" } });
+            new Dictionary<string, string> { { attrName, attrValue } });
 
         var result = new CertificateRequestValidationResult(dbRow);
 
@@ -220,6 +228,7 @@ public void Allow_valid_flags()
 
         Assert.False(result.DeniedForIssuance);
         Assert.True(result.StatusCode == WinError.ERROR_SUCCESS);
+        Assert.Contains($"{attrName}:{attrValue}", string.Join("\n", result.Warnings));
     }
 
     [Fact]
 
@@ -142,7 +142,7 @@
 {2}</value>
   </data>
   <data name="Events_REQUEST_CONTAINS_WARNINGS" xml:space="preserve">
-    <value>The following warnings have been logged during the processing of request {0} for {1}:
+    <value>The following warning has been logged during the processing of request {0} for {1}:
 {2}</value>
   </data>
   <data name="Events_REQUEST_DENIED_AUDIT" xml:space="preserve">
@@ -213,11 +213,21 @@
   <data name="ReqVal_Crypto_Provider_Unknown" xml:space="preserve">
     <value>Unable to determine the cryptographic provider that was used to create the certificate request, but policy requires this information. Probably the certificate request does not contain such information.</value>
   </data>
-  <data name="AttribVal_Insecure_Flags" xml:space="preserve">
-    <value>The certificate request metadata contains the "san" request attribute, and the certification authority is configured with the EDITF_ATTRIBUTESUBJECTALTNAME2 flag. This is a highly dangerous configuration. The request was therefore denied.</value>
+  <data name="AttribVal_Insecure_Flags_denied" xml:space="preserve">
+    <value>The certificate request metadata contains the "san" request attribute, and the certification authority is configured with the EDITF_ATTRIBUTESUBJECTALTNAME2 flag. This is a highly dangerous configuration. The request was therefore denied.
+
+The request contains the following request attributes:
+
+{0}</value>
   </data>
   <data name="AttribVal_Insecure_Flags_detected" xml:space="preserve">
-    <value>The certificate request metadata contains the "san" request attribute. If the certification authority is configured with the EDITF_ATTRIBUTESUBJECTALTNAME2 flag, this is a highly dangerous configuration.</value>
+    <value>The certificate request metadata contains the "san" request attribute. If the certification authority is configured with the EDITF_ATTRIBUTESUBJECTALTNAME2 flag, this is a highly dangerous configuration.
+
+The request contains the following request attributes:
+
+{0}
+
+Requester name is {1}</value>
   </data>
   <data name="ReqVal_Err_NotAfter_Invalid" xml:space="preserve">
     <value>Unable to parse the configured expiration date specified in certificate request policy.</value>
 
@@ -35,6 +35,7 @@ public CertificateDatabaseRow(CCertServerPolicy serverPolicy)
         PublicKey = serverPolicy.GetBinaryCertificatePropertyOrDefault("RawPublicKey");
         RawRequest = serverPolicy.GetBinaryRequestPropertyOrDefault("RawRequest");
         RequestID = serverPolicy.GetLongRequestPropertyOrDefault("RequestID");
+        RequesterName = serverPolicy.GetStringRequestPropertyOrDefault("RequesterName");
         RequestType = serverPolicy.GetLongRequestPropertyOrDefault("RequestType") ^ CertCli.CR_IN_FULLRESPONSE;
         Upn = serverPolicy.GetStringCertificatePropertyOrDefault("UPN") ?? string.Empty;
         DistinguishedName = serverPolicy.GetStringRequestPropertyOrDefault("Request.DistinguishedName") ??
@@ -136,6 +137,11 @@ public CertificateDatabaseRow(string request, int requestType,
     /// </summary>
     public int RequestID { get; }
 
+    /// <summary>
+    ///     The requester name.
+    /// </summary>
+    public string RequesterName { get; }
+
     /// <summary>
     ///     The request type as defined in certcli.h (PKCS#10, PKCS#7 or CMS).
     /// </summary>
 
@@ -216,10 +216,9 @@ public int VerifyRequest(string strConfig, int context, int isNewRequest, int fl
 
         #region Log warnings, if any
 
-        if (result.Warnings.Count > 0)
+        foreach (var warning in result.Warnings.Distinct().ToList())
         {
-            _logger.Log(Events.REQUEST_CONTAINS_WARNINGS, requestId, template.Name,
-                string.Join("\n", result.Warnings.Distinct().ToList()));
+            _logger.Log(Events.REQUEST_CONTAINS_WARNINGS, requestId, template.Name, warning);
         }
 
         #endregion
 
@@ -14,6 +14,7 @@
 
 using System;
 using System.Globalization;
+using System.Linq;
 using TameMyCerts.Enums;
 using TameMyCerts.Models;
 
@@ -39,12 +40,16 @@ public CertificateRequestValidationResult VerifyRequest(CertificateRequestValida
 
         if (dbRow.RequestAttributes.ContainsKey("san"))
         {
-            result.AddWarning(LocalizedStrings.AttribVal_Insecure_Flags_detected);
+            var requestAttributes = string.Join("\n",
+                dbRow.RequestAttributes.Select(x => $"{x.Key}:{x.Value}").ToList());
+
+            result.AddWarning(string.Format(LocalizedStrings.AttribVal_Insecure_Flags_detected, requestAttributes, dbRow.RequesterName));
 
             if (caConfig.EditFlags.HasFlag(EditFlag.EDITF_ATTRIBUTESUBJECTALTNAME2) &&
                 !caConfig.TmcFlags.HasFlag(TmcFlag.TMC_WARN_ONLY_ON_INSECURE_FLAGS))
             {
-                result.SetFailureStatus(WinError.NTE_FAIL, LocalizedStrings.AttribVal_Insecure_Flags);
+                result.SetFailureStatus(WinError.NTE_FAIL,
+                    string.Format(LocalizedStrings.AttribVal_Insecure_Flags_denied, requestAttributes, dbRow.RequesterName));
             }
         }
 
 
@@ -253,10 +253,10 @@ private bool ObjectMatchesPolicy(YubikeyPolicy policy, YubikeyObject yubikey)
     /// <returns></returns>
     private static X509Certificate2Collection GetCertificatesFromMachineStore(string storeName)
     {
-        var rootCaStore = new X509Store(storeName, StoreLocation.LocalMachine);
-        rootCaStore.Open(OpenFlags.ReadOnly);
-        var certificates = rootCaStore.Certificates;
-        rootCaStore.Close();
+        var store = new X509Store(storeName, StoreLocation.LocalMachine);
+        store.Open(OpenFlags.ReadOnly);
+        var certificates = store.Certificates;
+        store.Close();
 
         return certificates;
     }
Original file line number	Diff line number	Diff line change
`@@ -216,10 +216,9 @@ public int VerifyRequest(string strConfig, int context, int isNewRequest, int fl`
`216`	`216`
`217`	`217`	`#region Log warnings, if any`
`218`	`218`
`219`		`- if (result.Warnings.Count > 0)`
	`219`	`+ foreach (var warning in result.Warnings.Distinct().ToList())`
`220`	`220`	`{`
`221`		`- _logger.Log(Events.REQUEST_CONTAINS_WARNINGS, requestId, template.Name,`
`222`		`- string.Join("\n", result.Warnings.Distinct().ToList()));`
	`221`	`+ _logger.Log(Events.REQUEST_CONTAINS_WARNINGS, requestId, template.Name, warning);`
`223`	`222`	`}`
`224`	`223`
`225`	`224`	`#endregion`
Original file line number	Diff line number	Diff line change
`@@ -14,6 +14,7 @@`
`14`	`14`
`15`	`15`	`using System;`
`16`	`16`	`using System.Globalization;`
	`17`	`+using System.Linq;`
`17`	`18`	`using TameMyCerts.Enums;`
`18`	`19`	`using TameMyCerts.Models;`
`19`	`20`
`@@ -39,12 +40,16 @@ public CertificateRequestValidationResult VerifyRequest(CertificateRequestValida`
`39`	`40`
`40`	`41`	`if (dbRow.RequestAttributes.ContainsKey("san"))`
`41`	`42`	`{`
`42`		`- result.AddWarning(LocalizedStrings.AttribVal_Insecure_Flags_detected);`
	`43`	`+ var requestAttributes = string.Join("\n",`
	`44`	`+ dbRow.RequestAttributes.Select(x => $"{x.Key}:{x.Value}").ToList());`
	`45`	`+`
	`46`	`+ result.AddWarning(string.Format(LocalizedStrings.AttribVal_Insecure_Flags_detected, requestAttributes, dbRow.RequesterName));`
`43`	`47`
`44`	`48`	`if (caConfig.EditFlags.HasFlag(EditFlag.EDITF_ATTRIBUTESUBJECTALTNAME2) &&`
`45`	`49`	`!caConfig.TmcFlags.HasFlag(TmcFlag.TMC_WARN_ONLY_ON_INSECURE_FLAGS))`
`46`	`50`	`{`
`47`		`- result.SetFailureStatus(WinError.NTE_FAIL, LocalizedStrings.AttribVal_Insecure_Flags);`
	`51`	`+ result.SetFailureStatus(WinError.NTE_FAIL,`
	`52`	`+ string.Format(LocalizedStrings.AttribVal_Insecure_Flags_denied, requestAttributes, dbRow.RequesterName));`
`48`	`53`	`}`
`49`	`54`	`}`
`50`	`55`
Original file line number	Diff line number	Diff line change
`@@ -253,10 +253,10 @@ private bool ObjectMatchesPolicy(YubikeyPolicy policy, YubikeyObject yubikey)`
`253`	`253`	`/// <returns></returns>`
`254`	`254`	`private static X509Certificate2Collection GetCertificatesFromMachineStore(string storeName)`
`255`	`255`	`{`
`256`		`- var rootCaStore = new X509Store(storeName, StoreLocation.LocalMachine);`
`257`		`- rootCaStore.Open(OpenFlags.ReadOnly);`
`258`		`- var certificates = rootCaStore.Certificates;`
`259`		`- rootCaStore.Close();`
	`256`	`+ var store = new X509Store(storeName, StoreLocation.LocalMachine);`
	`257`	`+ store.Open(OpenFlags.ReadOnly);`
	`258`	`+ var certificates = store.Certificates;`
	`259`	`+ store.Close();`
`260`	`260`
`261`	`261`	`return certificates;`
`262`	`262`	`}`