Implement logic to remove SAN of specific type (#87)

* Implement and document removal of SAN of specific type

* Add modifications to SAN extension for removal of specific type

Author: Sleepw4lker

CHANGELOG.md

@@ -7,6 +7,7 @@
 _This version was not yet released._
 
 - Add new `Continue` action for Directory Services mapping that will cause the certificate request not getting denied when no object could be found.
+- Subject Alternative Names can be removed via an empty `Value` in a `OutboundSubjectRule` the same way as it was already possible for the Subject Distinguished Name.
 
 ### Version 1.7.1609.1089
 

TameMyCerts.Tests/CertificateContentValidatorTests.cs

@@ -407,7 +407,7 @@ public void Does_transfer_RDN_to_RDN()
     }
 
     [Fact]
-    public void Does_transfer_RDN_to_RDN_and_clears_original_RDN()
+    public void Does_transfer_RDN_to_RDN_and_removes_original_RDN()
     {
         var policy = new CertificateRequestPolicy
         {
@@ -1317,7 +1317,7 @@ public void Allow_but_dont_add_RDN_if_DS_attribute_too_long()
     }
 
     [Fact]
-    public void Does_clear_existing_RDN()
+    public void Does_remove_existing_RDN()
     {
         var policy = new CertificateRequestPolicy
         {
@@ -1347,7 +1347,62 @@ public void Does_clear_existing_RDN()
     }
 
     [Fact]
-    public void Does_clear_nonexisting_RDN()
+    public void Does_remove_existing_SAN()
+    {
+        // 2048 Bit RSA Key
+        // CN=intranet.adcslabor.de
+        // dnsName=intranet.adcslabor.de
+        const string request =
+            "-----BEGIN NEW CERTIFICATE REQUEST-----\n" +
+            "MIIDkjCCAnoCAQAwIDEeMBwGA1UEAxMVaW50cmFuZXQuYWRjc2xhYm9yLmRlMIIB\n" +
+            "IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3GmfcSDSunQ6+vmz9mTHcEKg\n" +
+            "DMzDSXj0lQ7Erazl9CJ4WzROZaa1BUITfRlVXreku6ljYsO3jyTDBRBtCUXNwFk+\n" +
+            "MTmzTqXx82MRpK2ATDp2jEPfP7l7K30DwDyiapkpaAvZlxIVWtIDoGxAG+yRFjAF\n" +
+            "Qh4HDvSaBoaNvwdjZsUcdgOuJQbIwBhto/RB+4L23oT7+8e2GyRMm/bQK2gDvCbV\n" +
+            "9SwTwm9gXljth0wuZ8RRkC7MMVIiPaxUH575SUKE7YvHeZ4Hq20Q2XYBSigqNXBM\n" +
+            "VCUVCfsBGA18/MR/ZMFSSCIt2KLjkpp5q9gOCibw0oPrGTqUoLtCkLREbMrHbQID\n" +
+            "AQABoIIBKzAcBgorBgEEAYI3DQIDMQ4WDDEwLjAuMTkwNDQuMjA+BgkrBgEEAYI3\n" +
+            "FRQxMTAvAgEFDApvdHRpLW90dGVsDA5PVFRJLU9UVEVMXHV3ZQwOcG93ZXJzaGVs\n" +
+            "bC5leGUwYwYJKoZIhvcNAQkOMVYwVDAOBgNVHQ8BAf8EBAMCB4AwIwYDVR0RAQH/\n" +
+            "BBkwF4IVaW50cmFuZXQuYWRjc2xhYm9yLmRlMB0GA1UdDgQWBBRmh46ij+b3RODb\n" +
+            "JXIj5NFC58DFZzBmBgorBgEEAYI3DQICMVgwVgIBAB5OAE0AaQBjAHIAbwBzAG8A\n" +
+            "ZgB0ACAAUwBvAGYAdAB3AGEAcgBlACAASwBlAHkAIABTAHQAbwByAGEAZwBlACAA\n" +
+            "UAByAG8AdgBpAGQAZQByAwEAMA0GCSqGSIb3DQEBCwUAA4IBAQAmQ8B9fZ+ewB3+\n" +
+            "kDFsJcqeMJ+nbFBcHJKmKfhn9564tiBZayK8kpkTvS1Cjb5C79Yimimw2AqGqdFK\n" +
+            "W3+wWPCkFN996GoXFOU+lg3I5Byz3Eq4Vyv/H7RCufC68ezVG5v4EaqE4TsYcfoE\n" +
+            "zH8HJu0jKKf+QKj9LpXI+HYLwvQ0Fyz4lr839NMidsPF4AWMpEXs/2OSTjg5qDVj\n" +
+            "LKMPzd0wrOea0XWx2fEeibdW+KFi1656J+OIGuYP/q0SaPqYgFey+kOS2KLz+9/r\n" +
+            "CA+TvKzFxxgRPAfA0TO7GAuwspV2wLOfXVOxIpG5GkmpxeK0nZvyw9HvxWWNlkgw\n" +
+            "kbUQqV43\n" +
+            "-----END NEW CERTIFICATE REQUEST-----";
+
+        var policy = new CertificateRequestPolicy
+        {
+            OutboundSubjectAlternativeName = new List<OutboundSubjectRule>
+            {
+                new()
+                {
+                    Field = SanTypes.DnsName,
+                    Value = string.Empty,
+                    Force = true
+                }
+            }
+        };
+
+        var dbRow = new CertificateDatabaseRow(request, CertCli.CR_IN_PKCS10);
+
+        var result = new CertificateRequestValidationResult(dbRow);
+        result = _validator.VerifyRequest(result, policy, dbRow, null, _caConfig);
+
+        PrintResult(result);
+
+        Assert.False(result.DeniedForIssuance);
+        Assert.Equal(WinError.ERROR_SUCCESS, result.StatusCode);
+        Assert.False(result.SubjectAlternativeNameExtension.AlternativeNames.Exists(x => x.Key.Equals(SanTypes.DnsName)));
+    }
+
+    [Fact]
+    public void Does_remove_nonexisting_RDN()
     {
         var policy = new CertificateRequestPolicy
         {
@@ -1375,6 +1430,34 @@ public void Does_clear_nonexisting_RDN()
                     result.CertificateProperties[RdnTypes.NameProperty[RdnTypes.State]].Equals(string.Empty));
     }
 
+    [Fact]
+    public void Does_remove_nonexisting_SAN()
+    {
+        var policy = new CertificateRequestPolicy
+        {
+            OutboundSubjectAlternativeName = new List<OutboundSubjectRule>
+            {
+                new()
+                {
+                    Field = SanTypes.DnsName,
+                    Value = string.Empty,
+                    Force = true
+                }
+            }
+        };
+
+        var dbRow = new CertificateDatabaseRow(_defaultCsr, CertCli.CR_IN_PKCS10);
+
+        var result = new CertificateRequestValidationResult(dbRow);
+        result = _validator.VerifyRequest(result, policy, dbRow, null, _caConfig);
+
+        PrintResult(result);
+
+        Assert.False(result.DeniedForIssuance);
+        Assert.Equal(WinError.ERROR_SUCCESS, result.StatusCode);
+        Assert.False(result.SubjectAlternativeNameExtension.AlternativeNames.Exists(x => x.Key.Equals(SanTypes.DnsName)));
+    }
+
     [Fact]
     public void Does_not_clear_existing_RDN_if_not_mandatory()
     {

TameMyCerts/Validators/CertificateContentValidator.cs

@@ -151,6 +151,11 @@ public CertificateRequestValidationResult VerifyRequest(CertificateRequestValida
 
         foreach (var rule in policy.OutboundSubjectAlternativeName)
         {
+            if (rule.Value.Equals(string.Empty))
+            {
+                result.SubjectAlternativeNameExtension.RemoveAllAlternativeNames(rule.Field);
+            }
+
             // Check if the SAN is already present unless it is forced
             if (!rule.Force && SanTypes.ToList().Contains(rule.Field) &&
                 result.SubjectAlternativeNameExtension.AlternativeNames.Any(x =>
@@ -175,7 +180,6 @@ public CertificateRequestValidationResult VerifyRequest(CertificateRequestValida
                         : dbRow.SubjectRelativeDistinguishedNames);
                 value = ReplaceTokenValues(value, "san", dbRow.SubjectAlternativeNames);
 
-
                 result.SubjectAlternativeNameExtension.AddAlternativeName(rule.Field, value, true);
 
                 // Log that we are adding a SAN, only on success

TameMyCerts/X509/X509CertificateExtensionSubjectAlternativeName.cs

@@ -325,7 +325,16 @@ public bool TryAddAlternativeName(string type, string value)
 
     public bool ContainsAlternativeName(string type, string value)
     {
-        return AlternativeNames.Contains(new KeyValuePair<string, string>(type, value));
+        return AlternativeNames.Exists(kvp =>
+            kvp.Key.Equals(type, StringComparison.OrdinalIgnoreCase) &&
+            kvp.Value.Equals(value, StringComparison.OrdinalIgnoreCase));
+    }
+
+    public void RemoveAllAlternativeNames(string type)
+    {
+        AlternativeNames.RemoveAll(kvp =>
+            kvp.Key.Equals(type, StringComparison.OrdinalIgnoreCase));
+        _modified = true;
     }
 
     public void RemoveAlternativeName(string type, string value)
@@ -335,7 +344,9 @@ public void RemoveAlternativeName(string type, string value)
             return;
         }
 
-        AlternativeNames.Remove(new KeyValuePair<string, string>(type, value));
+        AlternativeNames.RemoveAll(kvp =>
+            kvp.Key.Equals(type, StringComparison.OrdinalIgnoreCase) &&
+            kvp.Value.Equals(value, StringComparison.OrdinalIgnoreCase));
         _modified = true;
     }
 }

user-guide/modify-san.md

@@ -68,3 +68,16 @@ The `commonName` from the Subject DN is transferred to the Subject Alternative N
   </OutboundSubjectRule>
 </OutboundSubjectAlternativeName>
 ```
+
+All Subject Alternative Names of the `dNSName` type will be removed from the issueed certificate, if present in the certificate request.
+
+```xml
+<OutboundSubjectAlternativeName>
+  <OutboundSubjectRule>
+    <Field>dNSName</Field>
+    <Value></Value>
+    <Mandatory>true</Mandatory>
+    <Force>true</Force>
+  </OutboundSubjectRule>
+</OutboundSubjectAlternativeName>
+```

user-guide/modify-subject-dn.md

@@ -156,7 +156,6 @@ Transfering the **first** `dNSName` of the Subject Alternative Name into the `co
 The content of the `stateOrProvinceName` field will be removed from the issueed certificate, if present in the certificate request.
 
 ```xml
-<DirectoryServicesMapping />
 <OutboundSubject>
   <OutboundSubjectRule>
     <Field>stateOrProvinceName</Field>
@@ -170,7 +169,6 @@ The content of the `stateOrProvinceName` field will be removed from the issueed
 The content of the `stateOrProvinceName` field will be transferred from the certificate request into the `serialNumber` field of the issued certificate, and the `stateOrProvinceName` field will be removed from the issued certificate.
 
 ```xml
-<DirectoryServicesMapping />
 <OutboundSubject>
   <OutboundSubjectRule>
     <Field>stateOrProvinceName</Field>