Release 1.7.1609.1089 (#76)

* Simplify .NET detection

* Migrate Integration Tests to AutomatedLab

* Implement inverted behavior for DS mapping

* Update yubikey-piv-attestation.md (#70) (#74)

Fix case

Co-authored-by: Oscar Virot <[email protected]>

* Update User Guide

* Update Lab setup script

* Update Lab setup script

* Delete unnecessary file

* Update gitignore file

* Fix DS mapping Deny Action and add Tests for this

* Re-add certificate export script

* Slight refactoring of Yubikey logic, and update of documentation

* Fix possible memory leak in SearchResultCollection

* Add Integration Tests for YubiKey attestation

* Add hint on required permissions for DS mapping

* Release 1.7.1609.1089

* Update Github action

* Update remaining Github actions

---------

Co-authored-by: Oscar Virot <[email protected]>

Author: Sleepw4lker

.github/workflows/main.yml

@@ -29,10 +29,10 @@ jobs:
         ACTIONS_ALLOW_UNSECURE_COMMANDS: true
 
     - name: Build Debug
-      run: msbuild TameMyCerts\TameMyCerts.csproj -property:Configuration=debug
+      run: msbuild TameMyCerts\TameMyCerts.csproj -property:Configuration=debug /restore /t:Rebuild
 
     - name: Build ETW Manifest
-      run: msbuild Support.GenerateETWManifest\Support.GenerateETWManifest.csproj -property:Configuration=debug
+      run: msbuild Support.GenerateETWManifest\Support.GenerateETWManifest.csproj -property:Configuration=debug /restore /t:Rebuild
 
     - name: Save Build TameMyCerts
       uses: actions/upload-artifact@v4

.github/workflows/release.yml

@@ -33,10 +33,10 @@ jobs:
         ACTIONS_ALLOW_UNSECURE_COMMANDS: true
 
     - name: Build Debug
-      run: msbuild TameMyCerts\TameMyCerts.csproj -property:Configuration=release
+      run: msbuild TameMyCerts\TameMyCerts.csproj -property:Configuration=release /restore /t:Rebuild
 
     - name: Build ETW Manifest
-      run: msbuild Support.GenerateETWManifest\Support.GenerateETWManifest.csproj -property:Configuration=release
+      run: msbuild Support.GenerateETWManifest\Support.GenerateETWManifest.csproj -property:Configuration=release /restore /t:Rebuild
 
     - name: Create ZIP file
       run: |

.github/workflows/xunit.yml

@@ -29,10 +29,10 @@ jobs:
         ACTIONS_ALLOW_UNSECURE_COMMANDS: true
 
     - name: Build Debug
-      run: msbuild TameMyCerts\TameMyCerts.csproj -property:Configuration=debug
+      run: msbuild TameMyCerts\TameMyCerts.csproj -property:Configuration=debug /restore /t:Rebuild
 
     - name: Build TameMyCerts.Tests
-      run: msbuild TameMyCerts.Tests\TameMyCerts.Tests.csproj -property:Configuration=debug
+      run: msbuild TameMyCerts.Tests\TameMyCerts.Tests.csproj -property:Configuration=debug /restore /t:Rebuild
 
     - name: Run xunit tests
       run: dotnet test --no-build --verbosity minimal

.gitignore

@@ -340,4 +340,7 @@ ASALocalRun/
 .localhistory/
 
 # BeatPulse healthcheck temp database
-healthchecksdb
+healthchecksdb
+
+# AutomatedLab Test results file
+testResults.xml

CHANGELOG.md

@@ -2,11 +2,11 @@
 
 > TameMyCerts has evolved into a reliable, secure and stable enterprise product. Many organizations around the world are relying on it to improve their security and their PKI workflows. Professional development, testing and documentation consumes a considerable amount of time and resources. Whilst still being fully committed on keeping source code available for the community, _digitally signed binaries_, a _print-optimized documentation_ and _priority support_ are benefits **only available for customers with an active maintenance contract**.
 
-### Version 1.7.x.y
+### Version 1.7.1609.1089
 
-_This version has not yet been released._
+_This version was released on May 29, 2025._
 
-- The code base has been upgraded from .NET Framework 4.7.2 to .NET Core 8.0. Files are no longer installed into the System32 folder but under the Program Files directory. Also, the [.NET 8.0 Desktop Runtime](https://dotnet.microsoft.com/en-us/download/dotnet/8.0) must be installed.
+- The code base has been upgraded from .NET Framework 4.7.2 to .NET 8.0. Files are no longer installed into the System32 folder but under the Program Files directory. Also, the [.NET 8.0 Desktop Runtime](https://dotnet.microsoft.com/en-us/download/dotnet/8.0) must be installed.
 - Policy configuration files are now strictly processed, means that there will be errors raised when they contain invalid nodes. This may especially affect the following:
   - If policy configuration files still contain `KeyAlgorithm` nodes (which were removed with version 1.6), these must be removed from the configuration files.
   - The `Action` directives as well as the `TreatAs` directives for `Pattern` directives as processed case-sensitive, means that they must be specified exactly as documentated.
@@ -19,13 +19,15 @@ _This version has not yet been released._
   - Currently, the detection of the `san` request attribute will get logged regardless if the dangerous `EDITF_ATTRIBUTESUBJECTALTNAME2` flag is enabled or not.
   - This new behavior allows to silently [detect attack attempts](https://github.com/srlabs/Certiception) on the certification authority without raising suspicion.
 - Introducing a `SupplementUnqualifiedNames` switch to use in combination with supplementing of DNS names (both `SupplementDnsNames` and `SupplementServicePrincipalNames`). To keep compatibility with the previous behavior, this setting defaults to `true`. If set to `false`, supplementation logic will not include DNS names that are not fully qualified.
+- Directory Services mapping can now be configured to deny a certificate request in the case a matching object was found in the directory.
 - Introducing global settings for TameMyCerts which allows to define behavior that applies globally, regardless of the defined certificate templates (the default behavior stays as before):
   - Allow to set the default behavior to globally deny a certificate request when no policy configuration file is found for the requested certificate template.
   - Allow to certificate requests containing insecure request attribute and certification authority flag combinations to get issued (**Only for testing purposes. Use at your own risk!**).
   - Disable the resolving of nested Group Memberships.
 - Introducing support for adding custom certificate extensions with static values to issued certificates (e.g. OCSP Must-staple or Microsoft Hyper-V/SCVMM Virtual Machine Connection).
 - Fix the module denying certificate requests with error 0x80131500 when the certificate request contains a Subject Alternative Name extension with empty content (#20).
 - Fix the installer script not removing the event source on uninstall (#22).
+- Since Windows Server 2012 R2 is now out of support by Microsoft, support by TameMyCerts has been dropped as well.
 - Improved documentation, especially description of event logs and use cases.
 
 ### Version 1.6.1045.1129

TameMyCerts.IntegrationTests/Lab-Setup/Export-CertificateTemplates.ps1 renamed to TameMyCerts.IntegrationTests/Export-CertificateTemplates.ps1

@@ -1,4 +1,4 @@
-<#
+<#
     .SYNOPSIS
     Exports all certificate templates in an Active Directory Forest to LDIF files.
     Needs ldifde.exe, thus run it on a Domain Controller.

TameMyCerts.IntegrationTests/Lab-Setup/functions/Enable-Templatesynchronization.ps1 renamed to TameMyCerts.IntegrationTests/Functions/Enable-Templatesynchronization.ps1

@@ -0,0 +1,59 @@
+function Get-OnlineCertificate {
+
+    [cmdletbinding()]
+    param(
+        [Parameter(Mandatory=$true,ValueFromPipeline=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string]
+        $CertificateTemplate,
+
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string]
+        $ConfigString,
+
+        [switch]
+        $MachineContext
+    )
+
+    begin {
+        $BASE64 = 0x1
+        $CR_IN_MACHINE = 0x100000
+        $CR_DISP_ISSUED = 3
+    }
+
+    process {
+
+        Write-Verbose -Message "Enrolling for $CertificateTemplate from $ConfigString"
+
+        $CertEnroll = New-Object -ComObject X509Enrollment.CX509Enrollment
+        $CertEnroll.InitializeFromTemplateName([bool]($MachineContext.IsPresent)+1, $CertificateTemplate)
+        $CertificateRequest = $CertEnroll.CreateRequest($BASE64)
+
+        $CertRequest = New-Object -ComObject CertificateAuthority.Request
+
+        $Flags = $BASE64
+
+        if ($MachineContext.IsPresent) {
+            $Flags = $Flags -bor $CR_IN_MACHINE
+        }
+
+        $Status = $CertRequest.Submit($Flags, $CertificateRequest, [string]::Empty, $ConfigString)
+
+        if ($Status -eq $CR_DISP_ISSUED) {
+
+            $CertEnroll.InstallResponse(0, $CertRequest.GetCertificate($BASE64), $BASE64, [String]::Empty)
+
+            $Certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
+            $Certificate.Import([Convert]::FromBase64String($CertRequest.GetCertificate($BASE64)))
+            $Certificate
+        }
+        else {
+
+            Write-Error -Message (New-Object System.ComponentModel.Win32Exception($CertRequest.GetLastStatus())).Message
+        }
+
+        [System.Runtime.Interopservices.Marshal]::ReleaseComObject($CertEnroll) | Out-Null
+        [System.Runtime.Interopservices.Marshal]::ReleaseComObject($CertRequest) | Out-Null
+    }
+}