Bring back Certificate provider parameters

[iSazonov]

PR Summary

1. Bring back Certificate provider parameters:

   • DNSName
   • DocumentEncryptionCert
   • EKU
   • ExpiringInDays
   • SSLServerAuthentication

2. Add new tests and update existing tests. (There are many style issues - will fix in follow PR.)

3. Update test certificate for EKU and DNSName tests.

4. Remove old unneeded code.

PR Context

Related #3847

After removing undocumented certificate API in PR #3818 we lost some parameters in Certificate provider.

We need to review documentation because the parameters is not all documented and it seems they do not always documented correctly.
(For reference https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/about/about_certificate_provider?view=powershell-6)

PR Checklist

• PR has a meaningful title
  • Use the present tense and imperative mood when describing your changes
• Summarized changes
• Make sure all .h, .cpp, .cs, .ps1 and .psm1 files have the correct copyright header
• This PR is ready to merge and is not Work in Progress.
  • If the PR is work in progress, please add the prefix WIP: or [ WIP ] to the beginning of the title (the WIP bot will keep its status check at Pending while the prefix is present) and remove the prefix when the PR is ready.
• Breaking changes
  • None
  • OR
  • Experimental feature(s) needed
    • Experimental feature name(s):
• User-facing changes
  • Not Applicable
  • OR
  • Documentation needed
    • Issue filed: Need to document some Certificate provider parameters MicrosoftDocs/PowerShell-Docs#6059
• Testing - New and feature
  • N/A or can only be tested interactively
  • OR
  • Make sure you've added a new test if existing tests do not effectively test the code changed
• Tooling
  • I have considered the user experience from a tooling perspective and don't believe tooling will be impacted.
  • OR
  • I have considered the user experience from a tooling perspective and enumerated concerns in the summary. This may include:
    • Impact on PowerShell Editor Services which is used in the PowerShell extension for VSCode (which runs in a different PS Host).
    • Impact on Completions (both in the console and in editors) - one of PowerShell's most powerful features.
    • Impact on PSScriptAnalyzer (which provides linting & formatting in the editor extensions).
    • Impact on EditorSyntax (which provides syntax highlighting with in VSCode, GitHub, and many other editors).

[iSazonov]

It seems Get-PfxCertificate crush the pwsh process if open "GoodCertificate" which I updated. All works well on Windows and Linux but fail on MacOs. Looks like a bug on MacOs. At least pwsh should return an error and doesn't crush.
I haven't MacOs and can not investigate in depth. I need help to resolve the issue.

[TravisEz13]

This change requires a security review

[TravisEz13]

@iSazonov I don't have time to review now. Blocking this PR, until I can organize a security review.

[iSazonov]

Add WIP while waiting security review.

[TravisEz13]

Have you verified this will work with punycode?

[iSazonov]

Do you mean that Windows PowerShell support also punycode in dnsname filter? I did not find this in docs https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/about/about_certificate_provider?view=powershell-6

What is a scenario where it could be used?

[TravisEz13]

When the name in the cert is in punycode. This is a compliance requirement. you deleted the code to do this.

[iSazonov]

Clear about compliance. Not clear what code do you mean.
Also docs say:

DnsName <Microsoft.PowerShell.Commands.DnsNameRepresentation>
This parameter gets certificates that have the specified domain name or name pattern in the DNSNameList property of the certificate. The value of this parameter can either be "Unicode" or "ASCII". Punycode values are converted to Unicode. Wildcard characters (*) are permitted.

It is not clear how punycode converted to Unicode. It seems this did unpublic code (in P/Invoke) which we removed long ago.

[iSazonov]

I looked original code which was removed and see only one difference - DNSName parameter was DnsNameRepresentation type, now string.
In both cases DnsNameRepresentation is initialized by one constructor with string parameter which assigned to DNSname and punycode - no conversion. So new code works for punycode.
Question is should we change type from string to DnsNameRepresentation?

[PaulHigin]

LGTM

[TravisEz13]

macOS tests are hanging

  Describing CmsMessage cmdlets and Get-PfxCertificate basic tests
Certificate written to /var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/protectedCert.pfx
Enter password:                                                                                                                                                                                                                                                                                                                                 
Execution of { & $powershell $PSFlags -c $command } by build.psm1: line 1231 failed with exit code 1
At /Users/vsts/agent/2.158.0/work/1/s/build.psm1:2074 char:17
+                 throw $errorMessage
+                 ~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : OperationStopped: (Execution of { & $p\u2026ed with exit code 1:String) [], RuntimeException
+ FullyQualifiedErrorId : Execution of { & $powershell $PSFlags -c $command } by build.psm1: line 1231 failed with exit code 1

[iSazonov]

@TravisEz13

macOS tests are hanging

I did not change anything except the certificate. I tend to think it's a bug outside PowerShell :-(
I haven't MacOs and I only can revert to old certificate and generate new for new tests to
minimize area.

[TravisEz13]

@PoshChan Please remind me in 24 hours

[PoshChan]

@TravisEz13, this is the reminder you requested 24 hours ago

[ghost]

This pull request has been automatically marked as Review Needed because it has been there has not been any activity for 7 days.
Mainainer, Please provide feedback and/or mark it as Waiting on Author

[TravisEz13]

Can you resolve the conflicts?

[TravisEz13]

@PoshChan Please remind me in 1 hour

[PoshChan]

@TravisEz13, this is the reminder you requested 1 hour ago

[ghost]

🎉v7.1.0-preview.4 has been released which incorporates this pull request.:tada:

Handy links:

• Release Notes