New-SelfSignedCertificateEx -Subject "CN=TestCA" -IsCA $true -ProviderName "Microsoft Software Key Storage Provider" -Exportable -customextension $extCollection

[ckrueger1979]

Hi Vadims,

is this a bug or is my extension wrong?

Import-Module pspki

$permittedSubtree = New-Object System.Security.Cryptography.X509Certificates.X509AlternativeNameCollection
$dnsType = [System.Security.Cryptography.X509Certificates.X509AlternativeNamesEnum]::DnsName
$corpDomains = New-Object System.Security.Cryptography.X509Certificates.X509AlternativeName $dnsType,"example.com"
$excludedSubtree = New-Object System.Security.Cryptography.X509Certificates.X509AlternativeNameCollection
[void] $excludedSubtree.Add($corpDomains)
$nameConstraintExt = New-Object System.Security.Cryptography.X509Certificates.X509NameConstraintsExtension $permittedSubtree,$excludedSubtree
$nameConstraintExt.Critical = $true

$extCollection = New-Object System.Security.Cryptography.X509Certificates.X509ExtensionCollection
[void] $extCollection.Add($nameConstraintExt)

New-SelfSignedCertificateEx -Subject "CN=TestCA" -IsCA $true -ProviderName "Microsoft Software Key Storage Provider" -Exportable -customextension $extCollection

New-SelfSignedCertificateEx : Exception calling "Build" with "1" argument(s): "Index was outside the bounds of the array."
At line:1 char:1

[Crypt32]

Can you provide a full stack trace of the exception by calling the following line immediately after exception is thrown:

$error[0].Exception.InnerException.StackTrace

[ckrueger1979]

PS C:\> $error[0].Exception.InnerException.StackTrace
   at System.Security.Cryptography.X509Certificates.X509AlternativeName.decodeFromRawData(Byte[] asnData) in c:\temp\pkix.net\PKI\Cryptography\X509Certificates\X509AlternativeName.cs:line 426
   at System.Security.Cryptography.X509Certificates.X509NameConstraintsExtension.decodeNamesFromAsn(Byte[] rawData) in c:\temp\pkix.net\PKI\Cryptography\X509Certificates\X509NameConstraintsExtension.cs:line 103
   at System.Security.Cryptography.X509Certificates.X509NameConstraintsExtension.m_decode(Byte[] rawData) in c:\temp\pkix.net\PKI\Cryptography\X509Certificates\X509NameConstraintsExtension.cs:line 79
   at PKI.Utils.CryptographyUtils.ConvertExtension(X509Extension extension) in c:\temp\pkix.net\PKI\Utils\CryptographyUtils.cs:line 61
   at SysadminsLV.PKI.Cryptography.X509Certificates.X509CertificateBuilder.processExtensions() in c:\temp\pkix.net\PKI\Cryptography\X509Certificates\X509CertificateBuilder.cs:line 130
   at SysadminsLV.PKI.Cryptography.X509Certificates.X509CertificateBuilder.Build(X509Certificate2 signer) in c:\temp\pkix.net\PKI\Cryptography\X509Certificates\X509CertificateBuilder.cs:line 217
   at CallSite.Target(Closure , CallSite , Object , X509Certificate2 )

[Crypt32]

Thanks, I will take a look into this.

[Crypt32]

I can confirm the bug. It is fixed in sources, see this commit: PKISolutions/pkix.net@8b808e0

[ckrueger1979]

Waow, that was fast. Thanks!

[Crypt32]

Fixed in v4.0.0