Add support for Microsoft cryptography extensions 1.3.6.1.4.1.311.21.…

…7 and 1.3.6.1.4.1.311.21.10.
MauAraujo · Mar 22, 2019 · ad1b88e · ad1b88e
1 parent 67c6030
commit ad1b88e
Show file tree

Hide file tree

Showing 6 changed files with 111 additions and 9 deletions.
diff --git a/package.json b/package.json
@@ -18,17 +18,17 @@
   },
   "homepage": "https://github.com/april/certainly-something#readme",
   "dependencies": {
-    "handlebars": "^4.0.12",
+    "handlebars": "^4.1.1",
     "license-webpack-plugin": "^1.5.0",
-    "pkijs": "^2.1.74"
+    "pkijs": "^2.1.76"
   },
   "devDependencies": {
     "babel-core": "^6.26.3",
     "babel-loader": "^7.1.5",
     "babel-preset-env": "^1.7.0",
     "copy-webpack-plugin": "^4.6.0",
     "handlebars-loader": "^1.7.1",
-    "webpack": "^4.28.4",
-    "webpack-cli": "^3.2.1"
+    "webpack": "^4.29.6",
+    "webpack-cli": "^3.3.0"
   }
 }
diff --git a/src/viewer/css/index.css b/src/viewer/css/index.css
@@ -18,6 +18,27 @@ h2 {
   margin: 0;
 }
 
+/* generic spacing utilities */
+.mt-1 {
+  margin-top: .25rem !important;
+}
+
+.mt-2 {
+  margin-top: .5rem !important;
+}
+
+.mt-3 {
+  margin-top: 1rem !important;
+}
+
+.mt-4 {
+  margin-top: 1.5rem !important;
+}
+
+.mt-5 {
+  margin-top: 3rem !important;
+}
+
 .certificate .panel-section-header {
   border: 0;
 }

diff --git a/src/viewer/helpers/truthy.js b/src/viewer/helpers/truthy.js
@@ -1,5 +1,5 @@
 export default (v) => {
-  if (v === undefined || v === null || v === 'none') {
+  if (v === undefined || v === null || v === 'none' || v === false) {
     return false;
   }
 

diff --git a/src/viewer/index.handlebars b/src/viewer/index.handlebars
@@ -370,12 +370,52 @@
             {{/each}}
           {{/if}}
 
+          {{! Microsoft cryptography }}
+          {{#if (truthy this.ext.msCrypto.exists)}}
+          <div class="panel-section-subsection mt-4">Microsoft Cryptographic Extensions</div>
+
+            {{! Certificate Policies }}
+            {{#if (truthy this.ext.msCrypto.certificatePolicies)}}
+              <div class="panel-section-subheader">
+                <span>
+                  {{#if this.ext.msCrypto.certificatePolicies.critical}}<img class="critical" alt="critical extension" title="This extension has been marked as critical, meaning that clients must reject the certificate if they don't understand it." src="../icons/critical.svg">{{/if~}}
+                  Certificate Policies
+                </span>
+              </div>
+              <div class="panel-list-item">
+                <div class="text">Purposes</div>
+                <div class="text">{{#each this.ext.msCrypto.certificatePolicies.purposes}}{{ this }}{{#unless @last}}, {{/unless}}{{/each}}</div>
+              </div>
+            {{/if}}
+
+            {{! Certificate Template }}
+            {{#if (truthy this.ext.msCrypto.certificateTemplate)}}
+              <div class="panel-section-subheader">
+                <span>
+                  {{#if this.ext.msCrypto.certificateTemplate.critical}}<img class="critical" alt="critical extension" title="This extension has been marked as critical, meaning that clients must reject the certificate if they don't understand it." src="../icons/critical.svg">{{/if~}}
+                  Certificate Template
+                </span>
+              </div>
+              <div class="panel-list-item">
+                <div class="text">Identifier</div>
+                <div class="text long-hex long-hex-box">{{this.ext.msCrypto.certificateTemplate.id}}</div>
+              </div>
+              <div class="panel-list-item">
+                <div class="text">Minor Version</div>
+                <div class="text">{{this.ext.msCrypto.certificateTemplate.minor}}</div>
+              </div>
+              <div class="panel-list-item">
+                <div class="text">Major Version</div>
+                <div class="text">{{this.ext.msCrypto.certificateTemplate.major}}</div>
+              </div>
+            {{/if}}
+
+          {{/if}}
+
           {{! Unsupported extensions }}
           {{#if (truthy this.unsupportedExtensions)}}
-            <div class="panel-section-subheader">
-              <span>Unknown Extensions</span>
-            </div>
-            <div class="panel-list-item">
+            <div class="panel-section-subsection">Unknown Extensions</div>
+            <div class="panel-list-item mt-3">
               <div class="text">Identifiers</div>
               <div class="text">{{#each this.unsupportedExtensions}}{{ this }}{{#unless @last}}, {{/unless}}{{/each}}</div>
             </div>

diff --git a/src/viewer/js/der.js b/src/viewer/js/der.js
@@ -58,6 +58,8 @@ const parseSubsidiary = (distinguishedNames) => {
 
 export const parse = async (der) => {
   const supportedExtensions = [
+    '1.3.6.1.4.1.311.21.7',     // microsoft certificate template
+    '1.3.6.1.4.1.311.21.10',    // microsoft certificate policies
     '1.3.6.1.4.1.11129.2.4.2',  // embedded scts
     '1.3.6.1.5.5.7.1.1',        // authority info access
     '1.3.6.1.5.5.7.1.24',       // ocsp stapling
@@ -335,6 +337,30 @@ export const parse = async (der) => {
     policies: cp,
   }
 
+  // now let's parse the Microsoft cryptographic extensions
+  let msCrypto = {
+    certificatePolicies: getX509Ext(x509.extensions, '1.3.6.1.4.1.311.21.10').parsedValue,
+    certificateTemplate: getX509Ext(x509.extensions, '1.3.6.1.4.1.311.21.7').parsedValue,
+  };
+
+  if (msCrypto.certificatePolicies) {
+    msCrypto.certificatePolicies = {
+      critical: criticalExtensions.includes('1.3.6.1.4.1.311.21.10'),
+      purposes: msCrypto.certificatePolicies.certificatePolicies.map(x => strings.eKU[x.policyIdentifier]),
+    };
+  }
+
+  if (msCrypto.certificateTemplate) {
+    msCrypto.certificateTemplate = {
+      critical: criticalExtensions.includes('1.3.6.1.4.1.311.21.7'),
+      id: msCrypto.certificateTemplate.extnID,
+      major: msCrypto.certificateTemplate.templateMajorVersion,
+      minor: msCrypto.certificateTemplate.templateMinorVersion,     
+    };
+  }
+
+  msCrypto.exists = (msCrypto.certificatePolicies || msCrypto.certificateTemplate) ? true : false;
+
   // determine which extensions weren't supported
   let unsupportedExtensions = [];
   x509.extensions.forEach(ext => {
@@ -355,6 +381,7 @@ export const parse = async (der) => {
       cp,
       eKeyUsages,
       keyUsages,
+      msCrypto,
       ocspStaple,
       scts: scts,
       sKID,

diff --git a/src/viewer/js/strings.js b/src/viewer/js/strings.js
@@ -30,6 +30,20 @@ export const strings = {
       long: 'Inc. Country',
     },
 
+    // microsoft cryptographic extensions
+    '1.3.6.1.4.1.311.21.7': {
+      name: {
+        short: 'Certificate Template',
+        long: 'Microsoft Certificate Template',
+      }
+    },
+    '1.3.6.1.4.1.311.21.10': {
+      name: {
+        short: 'Certificate Policies',
+        long: 'Microsoft Certificate Policies',
+      }
+    },
+
     // certificate extensions
     '1.3.6.1.4.1.11129.2.4.2': {
       name: {