From a3a86c3e5deff0b2d60e56f1d7797b51bd80bcc8 Mon Sep 17 00:00:00 2001
From: Oscar Virot
Date: Sun, 27 Jul 2025 13:42:58 +0200
Subject: [PATCH] Fixed bug where the copy was done using the size in bits instead of bytes.

---
 Module/Cmdlets/PIV/BuildYubikeyPIVSignCertificate.cs | 12 +++++++++++-
 Module/Cmdlets/Yubikey/ConnectYubikey.cs | 2 +-
 Module/Cmdlets/Yubikey/GetYubikey.cs | 2 +-
 Module/support/Yubico/YubiKeySignatureGenerator.cs | 2 +-
 build.ps1 | 2 +-
 5 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/Module/Cmdlets/PIV/BuildYubikeyPIVSignCertificate.cs b/Module/Cmdlets/PIV/BuildYubikeyPIVSignCertificate.cs
index 9d94698..fcc324e 100644
--- a/Module/Cmdlets/PIV/BuildYubikeyPIVSignCertificate.cs
+++ b/Module/Cmdlets/PIV/BuildYubikeyPIVSignCertificate.cs
@@ -141,27 +141,37 @@ protected override void ProcessRecord()
 // If a subject name override is provided, create a new CertificateRequest
 if (Subjectname is null)
 {
+ WriteDebug("No Subjectname provided, using the submitted CertificateRequest as is.");
 _request = (CertificateRequest)CertificateRequest!.BaseObject;
 }
 else
 {
 if (((CertificateRequest)CertificateRequest!.BaseObject).PublicKey.Oid.FriendlyName == "RSA")
 {
+ WriteDebug("Subjectname submitted, building new RSA Certificate Request");
 _request = new CertificateRequest(Subjectname, ((CertificateRequest)CertificateRequest!.BaseObject).PublicKey.GetRSAPublicKey()!, HashAlgorithm, RSASignaturePadding.Pkcs1);
 }
- else
+ else if (((CertificateRequest)CertificateRequest!.BaseObject).PublicKey.Oid.FriendlyName == "ECDSA")
 {
+ WriteDebug("Subjectname submitted, building new ECDSA Certificate Request");
 _request = new CertificateRequest(Subjectname, ((CertificateRequest)CertificateRequest!.BaseObject).PublicKey.GetECDsaPublicKey()!, HashAlgorithm);
 }
+ else
+ {
+ WriteError(new ErrorRecord(new Exception("Unknown public key algorithm in CertificateRequest"), "UnknownPublicKeyAlgorithm", ErrorCategory.InvalidArgument, null));
+ return;
+ }
 }
 
 // Add certificate extensions
 if (CertificateAuthority.IsPresent)
 {
+ WriteDebug("Adding constraings for CA usage");
 _request.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, true, 2, true));
 }
 else
 {
+ WriteDebug("Adding constraints for non CA usage");
 _request.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true));
 _request.CertificateExtensions.Add(new X509KeyUsageExtension(KeyUsage, true));
 _request.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(new OidCollection { new Oid("1.3.6.1.5.5.7.3.1"), new Oid("1.3.6.1.5.5.7.3.2"), new Oid("1.3.6.1.4.1.311.20.2.2") }, false));
diff --git a/Module/Cmdlets/Yubikey/ConnectYubikey.cs b/Module/Cmdlets/Yubikey/ConnectYubikey.cs
index 4a0591e..1f9afe1 100644
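Review bot: The new `else if` branch compares `PublicKey.Oid.FriendlyName` to the literal `"ECDSA"`, but friendly names come from the runtime's/platform's OID lookup and are not guaranteed to be that exact string for the EC public-key OID, so with the added final `else` a valid EC request may now be rejected as `UnknownPublicKeyAlgorithm` on some platforms. Dispatching on `PublicKey.Oid.Value` is stable: `"1.2.840.113549.1.1.1"` for RSA and `"1.2.840.10045.2.1"` for EC public keys. The added error also wraps a bare `new Exception(...)`; a `NotSupportedException` or `ArgumentException` fits the `ErrorCategory.InvalidArgument` category better, and the debug message `"Adding constraings for CA usage"` misspells `constraints`. ProcessRecord begins and continues outside this hunk.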
--- a/Module/Cmdlets/Yubikey/ConnectYubikey.cs
+++ b/Module/Cmdlets/Yubikey/ConnectYubikey.cs
@@ -72,7 +72,7 @@ protected override void ProcessRecord()
 if (yubikeys.Count() == 1)
 {
 _yubikey = (YubiKeyDevice)yubikeys.First();
- WriteDebug($"Found only one device, using {_yubikey.SerialNumber.ToString() ?? "N/A"}.");
+ WriteDebug($"[{MyInvocation.MyCommand.Name}] Found only one device, using {_yubikey.SerialNumber.ToString() ?? "N/A"}.");
 }
 break;
diff --git a/Module/Cmdlets/Yubikey/GetYubikey.cs b/Module/Cmdlets/Yubikey/GetYubikey.cs
index 09392b8..3ff88ff 100644
--- a/Module/Cmdlets/Yubikey/GetYubikey.cs
+++ b/Module/Cmdlets/Yubikey/GetYubikey.cs
@@ -23,7 +23,7 @@ protected override void BeginProcessing()
 // Check if a YubiKey is connected, if not attempt to connect
 if (YubiKeyModule._yubikey is null)
 {
- WriteDebug("No YubiKey selected, calling Connect-Yubikey...");
+ WriteDebug("[{MyInvocation.MyCommand.Name}]No YubiKey selected, calling Connect-Yubikey...");
 try
 {
 // Create a new PowerShell instance to run Connect-Yubikey
diff --git a/Module/support/Yubico/YubiKeySignatureGenerator.cs b/Module/support/Yubico/YubiKeySignatureGenerator.cs
index 6e29805..2d7f2b0 100644
--- a/Module/support/Yubico/YubiKeySignatureGenerator.cs
+++ b/Module/support/Yubico/YubiKeySignatureGenerator.cs
@@ -177,7 +177,7 @@ private byte[] DigestData(byte[] data, HashAlgorithmName hashAlgorithm)
 }
 _ = digester.TransformFinalBlock(data, 0, data.Length);
- Array.Copy(digester.Hash!, 0, digest, offset, digest.Length);
+ Array.Copy(digester.Hash!, 0, digest, offset, digester.Hash.Length);
 return digest;
 }
diff --git a/build.ps1 b/build.ps1
index a554a80..65ba0df 100644
--- a/build.ps1
+++ b/build.ps1
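Review bot: The rewritten debug line keeps `_yubikey.SerialNumber.ToString() ?? "N/A"`, and if `SerialNumber` is a nullable value type, as the fallback suggests, that `??` can never fire: `Nullable<T>.ToString()` returns an empty string for a missing value, never null, so the message would read "using ." rather than "using N/A". Moving the null-conditional onto the property gives the intended output: `WriteDebug($"[{MyInvocation.MyCommand.Name}] Found only one device, using {_yubikey.SerialNumber?.ToString() ?? "N/A"}.");`. ProcessRecord begins and continues outside this hunk.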
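Review bot: The new `WriteDebug` line in GetYubikey.cs is missing the `$` interpolation prefix, so it logs the literal text `[{MyInvocation.MyCommand.Name}]No YubiKey selected...` instead of the cmdlet name, and it also lacks the space after `]` that the ConnectYubikey.cs hunk in the same commit uses. The fix is `WriteDebug($"[{MyInvocation.MyCommand.Name}] No YubiKey selected, calling Connect-Yubikey...");`. BeginProcessing continues outside this hunk.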
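Review bot: The corrected `Array.Copy` in YubiKeySignatureGenerator.cs reads `digester.Hash` twice and is inconsistent about its nullability, suppressing with `!` on the source argument but not on the `.Length` argument, which will draw a nullable warning under `#nullable enable`; capturing it once is cleaner: `var hash = digester.Hash!;` followed by `Array.Copy(hash, 0, digest, offset, hash.Length);`. The copy now relies on `digest` having been allocated as `offset + hash.Length` bytes somewhere above the hunk; if that is not the case, `Array.Copy` throws an `ArgumentException` with a generic message, and since this buffer presumably becomes the to-be-signed digest, an explicit length check with a message naming the hash algorithm would make a mismatch far easier to diagnose. DigestData begins outside this hunk.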
@@ -19,7 +19,7 @@ dotnet publish module --nologo --framework 'net8.0' --output "$($Directory.fulln
 # Only Windows Powershell use format.ps1xml
 #& "C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x86\signtool.exe" sign /sha1 "8079DD82969461B1B7A8769B26262726AA0F6D89" /fd SHA256 /t http://timestamp.sectigo.com "$($Directory.fullname)\powershellYK.format.ps1xml"
-& "C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x86\signtool.exe" sign /sha1 "8079DD82969461B1B7A8769B26262726AA0F6D89" /fd SHA256 /t http://timestamp.sectigo.com "$($Directory.fullname)\powershellYK.dll"
+& "C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x86\signtool.exe" sign /sha1 "A502DF63C4109BE4BCAD42D8AFF43932709FB0C4" /fd SHA256 /t http://timestamp.sectigo.com "$($Directory.fullname)\powershellYK.dll"
 Read-Host -Prompt "Press Enter to continue"
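Review bot: The replaced line swaps the code-signing certificate thumbprint passed to `/sha1`, a trust-relevant change that the commit title (a byte-count fix) does not mention, and the commented-out `.format.ps1xml` line above it still carries the old thumbprint, so the two now disagree. A short comment above the call recording the rotation, e.g. `# Release signing certificate rotated on <date>; thumbprint of the current powershellYK code-signing cert`, would let the next maintainer tell an intentional rotation from a stray edit. While the line is being touched, `/t` requests a legacy Authenticode timestamp; `/tr http://timestamp.sectigo.com /td SHA256` requests an RFC 3161 timestamp with a SHA-256 digest, matching the `/fd SHA256` file digest already in use.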