Merge branch 'main' into Yubi
virot authored Nov 3, 2024
2 parents 47a4cc1 + be1bc51 commit 4a176cf
Showing 248 changed files with 14,977 additions and 8,988 deletions.
16 changes: 9 additions & 7 deletions .github/workflows/main.yml
Expand Up @@ -13,18 +13,20 @@ jobs:

steps:

- name: Checkout Code
uses: actions/checkout@v3
- uses: actions/checkout@v4

- name: Setup dotnet
uses: actions/setup-dotnet@v3
with:
fetch-depth: 0
dotnet-version: '8.0.x'

- name: Setup VSTest
uses: darenm/[email protected]
- name: Install dependencies
run: dotnet restore

- name: Setup MSBuild Path
uses: microsoft/[email protected]
env:
ACTIONS_ALLOW_UNSECURE_COMMANDS: true

- name: Build Debug
run: msbuild TameMyCerts\TameMyCerts.csproj -property:Configuration=debug
run: msbuild TameMyCerts\TameMyCerts.csproj -property:Configuration=debug
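Review bot: the `Build Debug` step keeps `run: msbuild TameMyCerts\TameMyCerts.csproj -property:Configuration=debug` although the `Setup MSBuild Path` step that put `msbuild` on PATH is removed in this hunk; unless the runner image already exposes msbuild, the build will fail, and with the new `actions/setup-dotnet@v3` step installing the 8.0.x SDK the matching command is `dotnet build TameMyCerts\TameMyCerts.csproj -c Debug` right after the added `dotnet restore` step (or the msbuild setup step has to stay). Dropping `ACTIONS_ALLOW_UNSECURE_COMMANDS: true` is the right call, since that variable re-enables the deprecated `set-env`/`add-path` workflow commands and lets any step output inject environment variables and PATH entries into later steps. For supply-chain hardening, consider pinning `actions/checkout@v4` and `actions/setup-dotnet@v3` to full commit SHAs instead of mutable major tags.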
13 changes: 7 additions & 6 deletions CHANGELOG.md
@@ -1,22 +1,23 @@
## Changelog for the TameMyCerts policy module {#changelog}

> TameMyCerts has developed into a reliable, secure and stable enterprise product. Many organizations around the world are relying on it to improve their security and their PKI workflows. Professional development, testing and documentation consumes a considerable amount of time and resources. Whilst still being fully committed on keeping source code available for the community, _digitally signed binaries_, a _print-optimized documentation_ and _priority support_ are benefits **only available for customers with an active maintenance contract**.
> TameMyCerts has evolved into a reliable, secure and stable enterprise product. Many organizations around the world are relying on it to improve their security and their PKI workflows. Professional development, testing and documentation consumes a considerable amount of time and resources. Whilst still being fully committed on keeping source code available for the community, _digitally signed binaries_, a _print-optimized documentation_ and _priority support_ are benefits **only available for customers with an active maintenance contract**.
### Version 1.7.x.y

_This version has not yet been released._

This is mainly a quality improvement release, adding several non-essential functionality and fixes some minor bugs.

- Fix the module denying certificate requests with error 0x80131500 when the certificate request contains a Subject Alternative Name extension with empty content (Issue #20).
- Fix the installer script not removing the event source on uninstall (Issue #22).
- The code base has been upgraded from .NET Framework 4.7.2 to .NET Core 8.0. Files are no longer installed into the System32 folder but unter the Program Files directory.
- Fix the module denying certificate requests with error 0x80131500 when the certificate request contains a Subject Alternative Name extension with empty content (#20).
- Fix the installer script not removing the event source on uninstall (#22).
- Directory Services Mapping is now able to honor nested group memberships, if the certification authoritie's Active Directory Domain functional level is Windows 2012 R2 or newer (#38).
- Directory Services Mapping now supports restricting certificate issuance based on remaining password validity time (#34).
- Introducing (verbose) Event IDs 12 and 13 that indicate certificate requests getting issued or put into pending state.
- Introduding Event 14 which will contain warnings that occurred during the processing of a certificate request.
- Currently, the detection of the "san" request attribute will get logged regardless if the dangerous **EDITF\_ATTRIBUTESUBJECTALTNAME2** flag is enabled or not. This allows to silently detect attack attempts on the certification authority.
- Introducing a _SupplementUnqualifiedNames_ switch to use in combination with supplementing of DNS names (both _SupplementDnsNames_ and _SupplementServicePrincipalNames_). To keep compatibility with the previous behavior, this setting defaults to _true_. If set to false, supplementation logic will not include DNS names that are not fully qualified.
- Introducing global settings for TameMyCerts which allows to define behavior that applies globally, regardless of the defined certificate templates (the default behavior stays as before):
- Allow to set the default behavior to globally deny a certificate request when no policy configuration file is found for the requested certificate template.
- Allow to certificate requests containing insecure request attribute and certification authority flag combinations to get issued (Only for testing purposes. Use at your own risk!).
- Allow to certificate requests containing insecure request attribute and certification authority flag combinations to get issued (**Only for testing purposes. Use at your own risk!**).
- Improved documentation, especially description of event logs and use cases.

### Version 1.6.1045.1129
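Review bot: the new entry `The code base has been upgraded from .NET Framework 4.7.2 to .NET Core 8.0` has a typo (`unter` should be `under`) and should name the target `.NET 8.0`, since Microsoft dropped the `Core` suffix after 3.1; it would also help operators to state whether the .NET 8 runtime now has to be installed on the CA server, given that the 4.7.2 target was chosen to avoid exactly that dependency. Smaller wording fixes in the same hunk: `certification authoritie's` → `certification authority's`, `Introduding` → `Introducing`, and `Allow to certificate requests ... to get issued` → `Allow certificate requests ... to be issued`.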
45 changes: 45 additions & 0 deletions CONTRIBUTING.md
@@ -0,0 +1,45 @@
# Contributing to the TameMyCerts project

Hello, and welcome.

First of all, contributions of any kind are highly welcome.

These may be...
- Requesting or suggesting features and improvements
- Supporting Users
- Fixing Bugs
- Implementing features or Tests
- Writing Documentation
- Security testing

## Philosophy

TameMyCerts aims to be of Enterprise grade quality, in terms of reliability, security and performance. Therefore, please ensure that all implemented features are of high quality, are documented and are backed by tests. If you implement advanced functionality, please also commit on supporting these on the long run.

## Developing

### Architecture decisions

- Using the "older" .NET Framework 4.7.2 was done intentionally to avoid having to install any dependency on production servers. At the time of project start this was the default for Windows Server 2019, and (for now) is under Long-term support by Microsoft.
- Same goes for the decision to not use external dependencies or 3rd party packages of any kind. If a function is not provided by the .NET Framework, you must implement it on your own.
- It is OK to use Win32 COM APIs as the policy module will by nature always require to run on a Windows operating system.
- The module aims to support all Windows Server (and Active Directory) deployments that are under [active support by Microsoft](https://learn.microsoft.com/en-us/lifecycle/products/) at time of release.
- The code structure is split into a part that "can be Unit tested" and a part that cannot.
- Therefore, the parts that require to directly interact with the Server OS (Logging) or the CA Service (ICertPolicy, ICertPolicyManage, and ICertServerPolicy callbacks) should contain the least amount of code possible. To test these implementations, there is a set of Pester Tests and a Framework to reproducibly set up a virtual test environment under the `TameMyCerts.IntegrationTests` folder.
- The part that can be Unit-tested is mostly implemented in "Validators" that should not contain direct interaction with the CA service or logging.

### Setting up the development environment

> You can develop and and build the solution on an ordinary Windows client machine. No need to deploy Visual Studio on a CA server.
TameMyCerts uses .NET Framework 4.7.2, so ensure you have the following installed in Visual Studio:

- .NET Desktop Development
- .NET Framework 4.7.2 SDK

### Building the module

If you want to build the module from source, call the supplied build scripts from the Visual Studio Developer command prompt:

1. You will first have to run the included [make_il.cmd](TameMyCerts/make_il.cmd) to build the necessary interop-libraries, if you do not trust the included Interop DLL files.
2. Running [make_debug.cmd](TameMyCerts/make_debug.cmd) will create a debug build (does not increment version number).
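Review bot: the `Architecture decisions` section states that .NET Framework 4.7.2 was kept intentionally so that no dependency has to be installed on production servers, and the setup section asks for the `.NET Framework 4.7.2 SDK`, but CHANGELOG.md and `.github/workflows/main.yml` in this same commit move the build to .NET 8.0 (`dotnet-version: '8.0.x'`); this new file should describe the .NET 8 target, its runtime requirement on CA servers and the `dotnet restore`/`dotnet build` workflow, or the upgrade should be reverted. Formatting: the blockquote `> You can develop and and build ...` needs a blank line before `TameMyCerts uses .NET Framework 4.7.2`, otherwise Markdown lazily continues the quote into that paragraph; also `and and` → `and`, and `please also commit on supporting these on the long run` → `please also commit to supporting them in the long run`.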
