diff --git a/src/CommonLib/Extensions.cs b/src/CommonLib/Extensions.cs
index abd80dc3..07ad8171 100644
--- a/src/CommonLib/Extensions.cs
+++ b/src/CommonLib/Extensions.cs
@@ -67,8 +67,15 @@ public static string LdapValue(this Guid s)
 public static string GetSid(this DirectoryEntry result)
 {
- if (!result.Properties.Contains(LDAPProperties.ObjectSID))
+ try
+ {
+ if (!result.Properties.Contains(LDAPProperties.ObjectSID))
+ return null;
+ }
+ catch
+ {
 return null;
+ }
 var s = result.Properties[LDAPProperties.ObjectSID][0];
 return s switch
diff --git a/src/CommonLib/LDAPProperties.cs b/src/CommonLib/LDAPProperties.cs
index 5803c2a9..e2ea3ce1 100644
--- a/src/CommonLib/LDAPProperties.cs
+++ b/src/CommonLib/LDAPProperties.cs
@@ -64,6 +64,7 @@ public static class LDAPProperties
 public const string ApplicationPolicies = "mspki-ra-application-policies";
 public const string IssuancePolicies = "mspki-ra-policies";
 public const string CertificateApplicationPolicy = "mspki-certificate-application-policy";
+ public const string CertificatePolicy = "mspki-certificate-policy";
 public const string CACertificate = "cacertificate";
 public const string CertificateTemplates = "certificatetemplates";
 public const string CrossCertificatePair = "crosscertificatepair";
diff --git a/src/CommonLib/LDAPQueries/CommonProperties.cs b/src/CommonLib/LDAPQueries/CommonProperties.cs
index 6dc2573b..c1644aac 100644
--- a/src/CommonLib/LDAPQueries/CommonProperties.cs
+++ b/src/CommonLib/LDAPQueries/CommonProperties.cs
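Review bot: The added bare `catch` in GetSid swallows every exception type, and the property read on the following line, `result.Properties[LDAPProperties.ObjectSID][0]`, sits outside the `try`, so whatever failure the guard is meant to absorb on `Contains` can presumably still surface from the indexer one line later. Consider moving that read into the `try`, catching the specific exception type that was actually observed (or at least `catch (Exception)` with a comment naming the cause), and documenting the intent, e.g. `// Property access on a DirectoryEntry can fail for entries we cannot read; treat that as "no SID" rather than aborting the caller — TODO confirm the failure mode`. Callers now receive null both for a missing objectSid and for a read failure, which is not distinguishable downstream and may be worth logging before returning. GetSid's body continues past the hunk (the switch expression is cut off).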
@@ -83,7 +83,7 @@ public static class CommonProperties
 LDAPProperties.CertificateTemplates, LDAPProperties.Flags, LDAPProperties.DNSHostName, LDAPProperties.CACertificate, LDAPProperties.PKINameFlag, LDAPProperties.PKIEnrollmentFlag, LDAPProperties.DisplayName, LDAPProperties.Name, LDAPProperties.TemplateSchemaVersion, LDAPProperties.CertTemplateOID, LDAPProperties.PKIOverlappedPeriod, LDAPProperties.PKIExpirationPeriod, LDAPProperties.ExtendedKeyUsage, LDAPProperties.NumSignaturesRequired,
- LDAPProperties.CertificateApplicationPolicy, LDAPProperties.IssuancePolicies, LDAPProperties.CrossCertificatePair,
+ LDAPProperties.CertificateApplicationPolicy, LDAPProperties.CertificatePolicy, LDAPProperties.IssuancePolicies, LDAPProperties.CrossCertificatePair,
 LDAPProperties.ApplicationPolicies, LDAPProperties.PKIPrivateKeyFlag, LDAPProperties.OIDGroupLink
 };
 }
diff --git a/src/CommonLib/Processors/LDAPPropertyProcessor.cs b/src/CommonLib/Processors/LDAPPropertyProcessor.cs
index 5c1a7819..246bfcb7 100644
--- a/src/CommonLib/Processors/LDAPPropertyProcessor.cs
+++ b/src/CommonLib/Processors/LDAPPropertyProcessor.cs
@@ -508,8 +508,11 @@ public static Dictionary ReadCertTemplateProperties(ISearchResul
 var ekus = entry.GetArrayProperty(LDAPProperties.ExtendedKeyUsage);
 props.Add("ekus", ekus);
- var certificateapplicationpolicy = entry.GetArrayProperty(LDAPProperties.CertificateApplicationPolicy);
- props.Add("certificateapplicationpolicy", certificateapplicationpolicy);
+ var certificateApplicationPolicy = entry.GetArrayProperty(LDAPProperties.CertificateApplicationPolicy);
+ props.Add("certificateapplicationpolicy", certificateApplicationPolicy);
+
+ var certificatePolicy = entry.GetArrayProperty(LDAPProperties.CertificatePolicy);
+ props.Add("certificatepolicy", certificatePolicy);
 if (entry.GetIntProperty(LDAPProperties.NumSignaturesRequired, out var authorizedSignatures))
 props.Add("authorizedsignatures", authorizedSignatures);
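Review bot: The new `certificatePolicy` read in ReadCertTemplateProperties carries no comment distinguishing `mspki-certificate-policy` from the `mspki-ra-policies` attribute that the next hunk stores under "issuancepolicies", and since both hold policy OIDs a reader has nothing to tell the two output keys apart. A one-line comment above the new `var certificatePolicy` line would help, e.g. `// mspki-certificate-policy: policy OIDs carried by the template itself, as opposed to the RA issuance requirements in mspki-ra-policies — confirm against the schema`. The camelCase rename of the sibling local is fine; the function continues on both sides of the hunk.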
@@ -525,12 +528,12 @@ public static Dictionary ReadCertTemplateProperties(ISearchResul
 props.Add("issuancepolicies", entry.GetArrayProperty(LDAPProperties.IssuancePolicies));
 // Construct effectiveekus
- var effectiveekus = schemaVersion == 1 & ekus.Length > 0 ? ekus : certificateapplicationpolicy;
+ var effectiveekus = schemaVersion == 1 & ekus.Length > 0 ? ekus : certificateApplicationPolicy;
 props.Add("effectiveekus", effectiveekus);
 // Construct authenticationenabled
- var authenticationenabled = effectiveekus.Intersect(Helpers.AuthenticationOIDs).Any() | effectiveekus.Length == 0;
- props.Add("authenticationenabled", authenticationenabled);
+ var authenticationEnabled = effectiveekus.Intersect(Helpers.AuthenticationOIDs).Any() | effectiveekus.Length == 0;
+ props.Add("authenticationenabled", authenticationEnabled);
 return props;
 }
diff --git a/test/unit/LDAPPropertyTests.cs b/test/unit/LDAPPropertyTests.cs
index 5da83d68..7f1033af 100644
--- a/test/unit/LDAPPropertyTests.cs
+++ b/test/unit/LDAPPropertyTests.cs
@@ -2,6 +2,7 @@
 using System.Collections.Generic;
 using System.Threading.Tasks;
 using CommonLibTest.Facades;
+using SharpHoundCommonLib;
 using SharpHoundCommonLib.Enums;
 using SharpHoundCommonLib.OutputTypes;
 using SharpHoundCommonLib.Processors;
@@ -714,9 +715,12 @@ public void LDAPPropertyProcessor_ReadCertTemplateProperties()
 {"ekus", new[]
 {"1.3.6.1.5.5.7.3.2"}
 },
- {"certificateapplicationpolicy", new[]
+ {LDAPProperties.CertificateApplicationPolicy, new[]
 {"1.3.6.1.5.5.7.3.2"}
 },
+ {LDAPProperties.CertificatePolicy, new[]
+ {"1.3.6.1.5.5.7.3.2"}
+ },
 {"authorizedsignatures", 1},
 {"applicationpolicies", new[]
 { "1.3.6.1.4.1.311.20.2.1"}
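Review bot: The fixture in LDAPPropertyProcessor_ReadCertTemplateProperties now mixes LDAP attribute-name keys (`LDAPProperties.CertificateApplicationPolicy`, `LDAPProperties.CertificatePolicy`) with literal output-style keys such as `"ekus"`, `"authorizedsignatures"` and `"applicationpolicies"`. If this dictionary backs the mock entry that `GetArrayProperty`/`GetIntProperty` read from, the literal keys presumably never match the `LDAPProperties` constants the processor looks up — the switch from `"certificateapplicationpolicy"` to the constant in this very hunk suggests exactly that — so those properties are exercised with whatever the mock returns for a missing attribute rather than with the fixture values. Either move the remaining keys to their `LDAPProperties` constants or add a comment stating which keys are intentionally unmatched. The test method starts before the hunk.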
@@ -754,6 +758,12 @@ public void LDAPPropertyProcessor_ReadCertTemplateProperties()
 Assert.Contains("subjectrequireemail", keys);
 Assert.Contains("ekus", keys);
 Assert.Contains("certificateapplicationpolicy", keys);
+ var hasPolicy = test.TryGetValue("certificatepolicy", out var policies);
+ Assert.True(hasPolicy);
+ if (policies is string[] e)
+ {
+ Assert.Contains("1.3.6.1.5.5.7.3.2", e);
+ }
 Assert.Contains("authorizedsignatures", keys);
 Assert.Contains("applicationpolicies", keys);
 Assert.Contains("issuancepolicies", keys);
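Review bot: The value check for "certificatepolicy" is conditional — `if (policies is string[] e)` skips the `Assert.Contains` entirely when the value is null or of another type, so the test passes vacuously in precisely the case where the processor has regressed. Replace the guard with a type assertion, `var e = Assert.IsType<string[]>(policies);` followed by `Assert.Contains("1.3.6.1.5.5.7.3.2", e);`, so a wrong shape fails loudly. The test method starts before the hunk.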