Allow output of YubiKey attestion data to eventlog (#50)

* Update EWT 4201 parameter ordering Update EWT 4204 parameter order and added YubiKey data. Added unit test * Added test to create full configuration for YubiKeyPolicy
Sleepw4lker · Jan 19, 2025 · 9d868aa · 9d868aa
1 parent 973a7c2
commit 9d868aa
Show file tree

Hide file tree

Showing 6 changed files with 131 additions and 30 deletions.
diff --git a/TameMyCerts.Tests/YubikeyValidatorTests.cs b/TameMyCerts.Tests/YubikeyValidatorTests.cs
@@ -776,5 +776,48 @@ public void Validate_Slot_incorrect_with_0x_10022()
 
             output.WriteLine(policy.SaveToString());
         }
+        [Fact]
+        public void Validate_YubiKeyObject_to_Human_readable_10023()
+        {
+            CertificateDatabaseRow dbRow = new CertificateDatabaseRow(_yubikey_valid_5_4_3_Once_Never_UsbAKeychain_9a_Normal_RSA_2048_CSR, CertCli.CR_IN_PKCS10, null, 10023);
+            var result = new CertificateRequestValidationResult(dbRow);
+            result = _YKvalidator.ExtractAttestion(result, _policy, dbRow, out var yubikeyInfo);
+
+            PrintResult(result);
+
+            output.WriteLine(yubikeyInfo.SaveToString());
+
+            Assert.Contains("19661687", yubikeyInfo.SaveToString());
+
+
+        }
+
+        [Fact]
+        public void Validate_all_configuration_options_10024()
+        {
+            CertificateDatabaseRow dbRow = new CertificateDatabaseRow(_yubikey_valid_5_4_3_Once_Never_UsbAKeychain_9a_Normal_RSA_2048_CSR, CertCli.CR_IN_PKCS10, null, 10024);
+            var policy = _policy;
+            policy.YubikeyPolicy[0].KeyAlgorithmFamilies = new List<KeyAlgorithmFamily> { KeyAlgorithmFamily.RSA, KeyAlgorithmFamily.ECC};
+            policy.YubikeyPolicy[0].MinimumFirmwareString = "0.0.0";
+            policy.YubikeyPolicy[0].MaximumFirmwareString = "9.9.9";
+            policy.YubikeyPolicy[0].Formfactor = new List<YubikeyFormFactor> { YubikeyFormFactor.UsbAKeychain, YubikeyFormFactor.UsbCKeychain, YubikeyFormFactor.UsbANano, YubikeyFormFactor.UsbCNano, YubikeyFormFactor.UsbCLightning, YubikeyFormFactor.UsbABiometricKeychain, YubikeyFormFactor.UsbCBiometricKeychain };
+            policy.YubikeyPolicy[0].Edition = new List<YubikeyEdition> { YubikeyEdition.FIPS, YubikeyEdition.Normal, YubikeyEdition.CSPN };
+            policy.YubikeyPolicy[0].Slot = new List<string> { "9a", "9c", "9d", "9e" };
+            policy.YubikeyPolicy[0].TouchPolicies = new List<YubikeyTouchPolicy> { YubikeyTouchPolicy.Always, YubikeyTouchPolicy.Never, YubikeyTouchPolicy.Cached };
+            policy.YubikeyPolicy[0].PinPolicies = new List<YubikeyPinPolicy> { YubikeyPinPolicy.Once, YubikeyPinPolicy.Never, YubikeyPinPolicy.Always, YubikeyPinPolicy.MatchOnce, YubikeyPinPolicy.MatchAlways };
+            policy.YubikeyPolicy[0].Action = YubikeyPolicyAction.Allow;
+
+            var result = new CertificateRequestValidationResult(dbRow);
+            result = _YKvalidator.ExtractAttestion(result, _policy, dbRow, out var yubikeyInfo);
+
+            PrintResult(result);
+
+            output.WriteLine(policy.SaveToString());
+
+            Assert.Contains("UsbANano", policy.SaveToString());
+
+
+        }
+
     }
 }
diff --git a/TameMyCerts/EWTLogger.cs b/TameMyCerts/EWTLogger.cs
@@ -120,11 +120,11 @@ public void TMC_94_XML_Parsing_error(string filename, string error)
 
         #region Yubico Validator events 4201-4399
         [Event(4201, Level = EventLevel.Warning, Channel = EventChannel.Operational, Task = Tasks.YubikeyValidator, Keywords = EventKeywords.None)]
-        public void YKVal_4201_Denied_by_Policy(string denyingPolicy, int requestID)
+        public void YKVal_4201_Denied_by_Policy(int requestID, string denyingPolicy)
         {
             if (IsEnabled())
             {
-                WriteEvent(4201, denyingPolicy, requestID);
+                WriteEvent(4201, requestID, denyingPolicy);
             }
         }
         [Event(4202, Level = EventLevel.Warning, Channel = EventChannel.Operational, Task = Tasks.YubikeyValidator, Keywords = EventKeywords.None)]
@@ -144,11 +144,11 @@ public void YKVal_4203_Denied_due_to_no_matching_policy_default_deny(int request
             }
         }
         [Event(4204, Level = EventLevel.Verbose, Channel = EventChannel.Operational, Task = Tasks.YubikeyValidator, Keywords = EventKeywords.None)]
-        public void YKVal_4204_Matching_policy(string policy, int requestID)
+        public void YKVal_4204_Matching_policy(int requestID, string policy, string yubiKey)
         {
             if (IsEnabled())
             {
-                WriteEvent(4204, policy, requestID);
+                WriteEvent(4204, requestID, policy, yubiKey);
             }
         }
         [Event(4205, Level = EventLevel.Error, Channel = EventChannel.Operational, Task = Tasks.YubikeyValidator, Keywords = EventKeywords.None)]

diff --git a/TameMyCerts/LocalizedStrings.Designer.cs b/TameMyCerts/LocalizedStrings.Designer.cs
diff --git a/TameMyCerts/LocalizedStrings.resx b/TameMyCerts/LocalizedStrings.resx
@@ -378,7 +378,7 @@
     <value>The certificate request has been denied due to incorrect certificate request.</value>
   </data>
   <data name="event_YKVal_4201_Denied_by_Policy" xml:space="preserve">
-    <value>The request {1}  was rejected due to policy: \r\n{0}</value>
+    <value>The request {0}  was rejected due to policy: \r\n{1}</value>
   </data>
   <data name="event_YKVal_4202_Denied_by_Policy" xml:space="preserve">
     <value>The request {0} was rejected as the Yubikey Attestion failed for the embedded attestion.</value>
@@ -387,8 +387,10 @@
     <value>The request {0} was denied due to not meeting any Grant policy in the Yubikey Validator.</value>
   </data>
   <data name="event_YKVal_4204_Matching_policy" xml:space="preserve">
-    <value>The request {1} is matching policy: 
-{0}</value>
+    <value>The request {0} is matching policy: 
+{1}
+YubiKey attestion data:
+{2}</value>
   </data>
   <data name="event_YKVal_4205_Failed_to_extract_Yubikey_Attestion" xml:space="preserve">
     <value>The request {0} contained an embedded Yubikey Attestion, but it failed to be extracted.</value>

diff --git a/TameMyCerts/Models/YubikeyObject.cs b/TameMyCerts/Models/YubikeyObject.cs
@@ -25,15 +25,19 @@
 using TameMyCerts.Enums;
 using System.Text.RegularExpressions;
 using System.Xml.Linq;
+using System.IO;
+using System.Xml.Serialization;
+using System.Xml;
 
 namespace TameMyCerts.Models
 {
-    internal class YubikeyObject
+    // Must be public due to XML serialization, otherwise 0x80131509 / System.InvalidOperationException
+    [XmlRoot(ElementName = "YubiKeyObject")]
+    public class YubikeyObject
     {
         private const StringComparison COMPARISON = StringComparison.InvariantCultureIgnoreCase;
-
         private static X509Certificate2 YubikeyValidationCA = new X509Certificate2(new byte[] { 0x30, 0x82, 0x3, 0x17, 0x30, 0x82, 0x1, 0xFF, 0xA0, 0x3, 0x2, 0x1, 0x2, 0x2, 0x3, 0x4, 0x6, 0x47, 0x30, 0xD, 0x6, 0x9, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0xD, 0x1, 0x1, 0xB, 0x5, 0x0, 0x30, 0x2B, 0x31, 0x29, 0x30, 0x27, 0x6, 0x3, 0x55, 0x4, 0x3, 0xC, 0x20, 0x59, 0x75, 0x62, 0x69, 0x63, 0x6F, 0x20, 0x50, 0x49, 0x56, 0x20, 0x52, 0x6F, 0x6F, 0x74, 0x20, 0x43, 0x41, 0x20, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6C, 0x20, 0x32, 0x36, 0x33, 0x37, 0x35, 0x31, 0x30, 0x20, 0x17, 0xD, 0x31, 0x36, 0x30, 0x33, 0x31, 0x34, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5A, 0x18, 0xF, 0x32, 0x30, 0x35, 0x32, 0x30, 0x34, 0x31, 0x37, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5A, 0x30, 0x2B, 0x31, 0x29, 0x30, 0x27, 0x6, 0x3, 0x55, 0x4, 0x3, 0xC, 0x20, 0x59, 0x75, 0x62, 0x69, 0x63, 0x6F, 0x20, 0x50, 0x49, 0x56, 0x20, 0x52, 0x6F, 0x6F, 0x74, 0x20, 0x43, 0x41, 0x20, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6C, 0x20, 0x32, 0x36, 0x33, 0x37, 0x35, 0x31, 0x30, 0x82, 0x1, 0x22, 0x30, 0xD, 0x6, 0x9, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0xD, 0x1, 0x1, 0x1, 0x5, 0x0, 0x3, 0x82, 0x1, 0xF, 0x0, 0x30, 0x82, 0x1, 0xA, 0x2, 0x82, 0x1, 0x1, 0x0, 0xC3, 0x76, 0x70, 0xC4, 0xCD, 0x47, 0xA6, 0x2, 0x75, 0xC4, 0xC5, 0x47, 0x1B, 0x8F, 0xCB, 0x7D, 0x4F, 0x69, 0xB4, 0x67, 0xE6, 0x6E, 0xA9, 0x27, 0xE9, 0xD2, 0x13, 0x41, 0xD1, 0x5A, 0x9A, 0x1A, 0x33, 0xC7, 0xDC, 0xF3, 0x1, 0xC2, 0xF9, 0x39, 0x9B, 0xF7, 0xC8, 0xE6, 0x36, 0xF8, 0x56, 0x34, 0x4D, 0x84, 0x8A, 0x55, 0x3C, 0xE6, 0xE6, 0xA, 0x7C, 0x41, 0x4F, 0xF5, 0xDE, 0x90, 0xD8, 0x69, 0xB2, 0xB6, 0xA0, 0x67, 0xC5, 0x9B, 0x0, 0x6B, 0x72, 0xAA, 0x66, 0x20, 0x82, 0xC7, 0x62, 0xF0, 0x43, 0x88, 0x98, 0x10, 0xE6, 0xF5, 0x96, 0x58, 0x28, 0xB5, 0x5A, 0xFF, 0xC2, 0x11, 0x29, 0x75, 0x53, 0xAA, 0x8E, 0x85, 0x34, 0x3F, 0x97, 0xB5, 0x8F, 0x5C, 0xBB, 0x39, 0xFC, 0xE, 0xBE, 0x4C, 0xBF, 0xF8, 0x5, 0xC8, 0x37, 0xFF, 0x57, 0xA7, 0x45, 0x45, 0x95, 0x84, 0x64, 0xDA, 0xD4, 0x3D, 0x19, 0xC7, 0x58, 0x28, 0x39, 0xAA, 0x53, 0xE7, 0x5B, 0xF6, 0x22, 0xB0, 0xA4, 0xC, 0xE2, 0x77, 0x8A, 0x7, 0x5, 0x52, 0xC8, 0x86, 0x60, 0xF7, 0xA6, 0xF9, 0x16, 0x69, 0x10, 0x36, 0x1F, 0x70, 0xC0, 0xF6, 0xDE, 0xC7, 0xFC, 0x73, 0x6A, 0xE6, 0xFD, 0xCE, 0x88, 0xED, 0x63, 0xC8, 0xB6, 0x5E, 0x2A, 0xA6, 0x68, 0x31, 0xB3, 0xCE, 0x6E, 0xBC, 0x6A, 0xE, 0xF, 0xBD, 0x7C, 0xE7, 0x52, 0x87, 0x38, 0x1F, 0xC0, 0x2A, 0xA0, 0x4F, 0x75, 0xD5, 0x99, 0x37, 0xA2, 0xC2, 0xF0, 0x52, 0x4D, 0xCB, 0x72, 0x8B, 0xD9, 0x87, 0x41, 0xF6, 0x1D, 0xD8, 0x3C, 0x24, 0x6A, 0xAC, 0x51, 0x9C, 0xB6, 0xCD, 0x57, 0x22, 0xBD, 0xCE, 0x5F, 0x83, 0xCE, 0x34, 0x86, 0xA7, 0xD2, 0x21, 0x54, 0xF8, 0x95, 0xB4, 0x67, 0xAD, 0x5F, 0x4D, 0x9D, 0xC6, 0x14, 0x27, 0x19, 0x2E, 0xCA, 0xE8, 0x13, 0xB4, 0x41, 0xEF, 0x2, 0x3, 0x1, 0x0, 0x1, 0xA3, 0x42, 0x30, 0x40, 0x30, 0x1D, 0x6, 0x3, 0x55, 0x1D, 0xE, 0x4, 0x16, 0x4, 0x14, 0xCA, 0x5F, 0xCA, 0xF2, 0xC4, 0xA2, 0x31, 0x9C, 0xE9, 0x22, 0x5F, 0xF1, 0xEC, 0xF4, 0xD5, 0xDF, 0x2, 0xBF, 0x83, 0xBF, 0x30, 0xF, 0x6, 0x3, 0x55, 0x1D, 0x13, 0x4, 0x8, 0x30, 0x6, 0x1, 0x1, 0xFF, 0x2, 0x1, 0x1, 0x30, 0xE, 0x6, 0x3, 0x55, 0x1D, 0xF, 0x1, 0x1, 0xFF, 0x4, 0x4, 0x3, 0x2, 0x1, 0x6, 0x30, 0xD, 0x6, 0x9, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0xD, 0x1, 0x1, 0xB, 0x5, 0x0, 0x3, 0x82, 0x1, 0x1, 0x0, 0x5C, 0xEC, 0x88, 0x7C, 0x5, 0xCD, 0x5F, 0x90, 0x2F, 0x85, 0xC8, 0xDD, 0x5F, 0x86, 0x35, 0xA2, 0xA0, 0x10, 0x8C, 0xAF, 0x7B, 0xE3, 0x9D, 0xE8, 0x7B, 0x30, 0xB6, 0xC0, 0xEA, 0x44, 0xA8, 0xC9, 0x61, 0x7B, 0xD0, 0xDD, 0xEC, 0x5E, 0x16, 0xD7, 0xBD, 0x3E, 0x1E, 0x46, 0x1D, 0x21, 0xBF, 0x1A, 0xAF, 0x31, 0x93, 0x63, 0x3D, 0x4F, 0xD5, 0x95, 0x19, 0xFA, 0x80, 0xB5, 0x6D, 0xA0, 0x48, 0xA4, 0xC, 0xBA, 0xD8, 0x15, 0x73, 0x7A, 0x1E, 0x1E, 0x96, 0x9B, 0x2C, 0xB5, 0x19, 0x39, 0xEC, 0xA6, 0x73, 0xAF, 0x32, 0xFC, 0xF6, 0x94, 0xB2, 0xAE, 0xCA, 0x6F, 0x4A, 0x61, 0xD6, 0xB, 0xE, 0x9, 0xE3, 0xDC, 0x17, 0x80, 0xBF, 0x32, 0x21, 0x57, 0x3C, 0xD8, 0x49, 0xE5, 0x3B, 0xEF, 0xF0, 0xAE, 0xA6, 0x87, 0xE3, 0xD3, 0xDD, 0xCE, 0xB8, 0xB, 0x30, 0x5B, 0x48, 0xD8, 0xBD, 0x7B, 0x6, 0x4F, 0x28, 0xB1, 0xE8, 0x1D, 0xDD, 0x6D, 0x6E, 0x72, 0x5A, 0xFC, 0x92, 0xF7, 0x33, 0x57, 0x6A, 0xA1, 0x9A, 0x52, 0x63, 0xF7, 0x53, 0xDF, 0xDB, 0xE8, 0x39, 0x47, 0x74, 0x3A, 0x20, 0x30, 0xBB, 0xB7, 0x54, 0xBA, 0x41, 0x7, 0xD6, 0xE6, 0xE5, 0xB8, 0xDA, 0x29, 0x65, 0x89, 0x62, 0x5, 0xA5, 0xB4, 0x25, 0x60, 0x51, 0xB1, 0x6A, 0x16, 0xAC, 0xA2, 0xE3, 0xE2, 0x44, 0xD3, 0x5E, 0x1C, 0x4A, 0x4, 0x79, 0xEC, 0x97, 0x2E, 0xDD, 0xD6, 0x62, 0x7A, 0x10, 0x7A, 0x52, 0xD0, 0xF, 0x81, 0xA7, 0x7D, 0x2F, 0x97, 0xD, 0xBE, 0xE6, 0xBF, 0x21, 0x64, 0x66, 0x9B, 0xE0, 0xD, 0xCB, 0x73, 0xB6, 0x2C, 0x7F, 0xBE, 0x3F, 0x29, 0x7C, 0x49, 0x11, 0x33, 0x53, 0xCA, 0x27, 0x6C, 0x1B, 0x23, 0x32, 0xF, 0x50, 0xE, 0x24, 0x9F, 0xE6, 0x82, 0x4B, 0x2A, 0xF7, 0x7F, 0x45, 0xE9, 0xFE, 0xCC, 0x66, 0x3B });
-
+        [XmlIgnore]
         public Dictionary<string, string> Attributes { get; } =
             new Dictionary<string, string>(StringComparer.InvariantCultureIgnoreCase);
 
@@ -102,7 +106,7 @@ public YubikeyObject(byte[] publicKey, X509Certificate2 AttestationCertificate,
             #endregion
             #region FormFactor
             byte FormFactor = AttestationCertificate.Extensions.Cast<X509Extension>().FirstOrDefault(x => x.Oid.Value == YubikeyX509Extensions.FORMFACTOR)?.RawData[0] ?? 0;
-            this.FormFactor = (YubikeyFormFactor)FormFactor;
+            this.FormFactor = (YubikeyFormFactor)(FormFactor & 0x0F); // Mask out the upper 4 bits, Those are used for CSPN and FIPS
             #endregion
             #region Firmware Version
             // Update the Firmware Version
@@ -125,7 +129,7 @@ public YubikeyObject(byte[] publicKey, X509Certificate2 AttestationCertificate,
             }
             #endregion
 
-            #region
+            #region FIPS / CSPN
             // Check for the FIPS extension
             if (IntermediateCertificate.Extensions.Cast<X509Extension>().Where(x => x.Oid.Value == YubikeyX509Extensions.FIPS_CERTIFIED).Any())
             {
@@ -157,21 +161,71 @@ public YubikeyObject(byte[] publicKey, X509Certificate2 AttestationCertificate,
             Attributes.Add("SerialNumber", this.SerialNumber);
         }
 
-
-        public YubikeyTouchPolicy TouchPolicy { get; }
-        public YubikeyPinPolicy PinPolicy { get; }
-        public YubikeyFormFactor FormFactor { get; }
-        public string Slot { get; } = "";
-        public string SerialNumber { get; } = "";
-        public Version FirmwareVersion { get; } = new Version(0, 0, 0);
-        public KeyAlgorithmFamily keyAlgorithm { get; }
-        public int KeyLength { get; }
-        public YubikeyEdition Edition { get; } = YubikeyEdition.Normal;
+        [XmlElement(ElementName = "TouchPolicy")]
+        public YubikeyTouchPolicy TouchPolicy { get; set; }
+        [XmlElement(ElementName = "PinPolicy")]
+        public YubikeyPinPolicy PinPolicy { get; set; }
+        [XmlElement(ElementName = "FormFactor")]
+        public YubikeyFormFactor FormFactor { get; set; }
+        [XmlElement(ElementName = "Slot")]
+        public string Slot { get; set; } = "";
+        [XmlElement(ElementName = "Serial")]
+        public string SerialNumber { get; set; } = "";
+        [XmlElement(ElementName = "FirmwareVersion")]
+        public string FirmwareVersionString { get { return this.FirmwareVersion.ToString(); } set { throw new Exception("String cannot be set."); } }
+        [XmlIgnore]
+        public Version FirmwareVersion { get; set; } = new Version(0, 0, 0);
+        [XmlElement(ElementName = "KeyAlgorithm")]
+        public KeyAlgorithmFamily keyAlgorithm { get; set; }
+        [XmlElement(ElementName = "KeyLength")]
+        public int KeyLength { get; set; }
+        [XmlElement(ElementName = "Edition")]
+        public YubikeyEdition Edition { get; set; } = YubikeyEdition.Normal;
+        [XmlIgnore]
         public X509Certificate2 AttestionCertificate { get; }
+        [XmlIgnore]
         public X509Certificate2 IntermediateCertificate { get; }
-
+        [XmlElement(ElementName = "Validated")]
         public bool? Validated { get; } = false;
-        private static string attestionSlotPattern = @"CN=YubiKey PIV Attestation (?<slot>[0-9A-Fa-f]{2})";
-
+        [XmlIgnore]
+        public static string attestionSlotPattern = @"CN=YubiKey PIV Attestation (?<slot>[0-9A-Fa-f]{2})";
+
+        public static string ConvertToHumanReadableXml(string inputString)
+        {
+            var xmlWriterSettings = new XmlWriterSettings
+            {
+                OmitXmlDeclaration = true,
+                Indent = true,
+                NewLineOnAttributes = true
+            };
+
+            var stringBuilder = new StringBuilder();
+
+            var xElement = XElement.Parse(inputString);
+
+            using (var xmlWriter = XmlWriter.Create(stringBuilder, xmlWriterSettings))
+            {
+                xElement.Save(xmlWriter);
+            }
+
+            return stringBuilder.ToString();
+        }
+
+        public string SaveToString()
+        {
+            var xmlSerializer = new XmlSerializer(typeof(YubikeyObject));
+
+            using (var stringWriter = new StringWriter())
+            {
+                using (var xmlWriter = XmlWriter.Create(stringWriter))
+                {
+                    xmlSerializer.Serialize(xmlWriter, this);
+                    var xmlData = stringWriter.ToString();
+
+                    return ConvertToHumanReadableXml(xmlData);
+                }
+            }
+        }
+
     }
 }
diff --git a/TameMyCerts/Validators/YubikeyValidator.cs b/TameMyCerts/Validators/YubikeyValidator.cs
@@ -61,12 +61,12 @@ public CertificateRequestValidationResult VerifyRequest(CertificateRequestValida
                 {
                     if (ykP.Action == YubikeyPolicyAction.Deny)
                     {
-                        ETWLogger.Log.YKVal_4201_Denied_by_Policy(ykP.SaveToString(), requestID);
+                        ETWLogger.Log.YKVal_4201_Denied_by_Policy(requestID, ykP.SaveToString());
                         result.SetFailureStatus(WinError.CERTSRV_E_TEMPLATE_DENIED, string.Format(
                         LocalizedStrings.YKVal_Policy_Matches_with_Reject, ykP.SaveToString()));
                         return result ;
                     }
-                    ETWLogger.Log.YKVal_4204_Matching_policy(ykP.SaveToString(), requestID);
+                    ETWLogger.Log.YKVal_4204_Matching_policy(requestID, ykP.SaveToString(), yubikey.SaveToString());
                     foundMatch = true;
 
                     // Store the AttestionData and Intermediate Certificate in the certificate, if requested