|
| 1 | +from typing import Dict |
| 2 | + |
| 3 | +import regcertipy.utils |
| 4 | +from certipy.commands.find import filetime_to_str |
| 5 | +from certipy.lib.constants import ( |
| 6 | + CERTIFICATE_RIGHTS, |
| 7 | + EXTENDED_RIGHTS_NAME_MAP, |
| 8 | + MS_PKI_CERTIFICATE_NAME_FLAG, |
| 9 | + MS_PKI_ENROLLMENT_FLAG, |
| 10 | + OID_TO_STR_MAP, |
| 11 | +) |
| 12 | +from certipy.lib.security import CertifcateSecurity |
| 13 | + |
| 14 | + |
| 15 | +class CertTemplate: |
| 16 | + def __init__(self, name: str, data: Dict): |
| 17 | + self.data = data |
| 18 | + |
| 19 | + self.name = name |
| 20 | + self.display_name = self.data["DisplayName"] |
| 21 | + self.oid = ( |
| 22 | + self.data["msPKI-Cert-Template-OID"].decode("utf-16-le").rstrip("\0\0") |
| 23 | + ) |
| 24 | + self.validity_period = filetime_to_str(self.data["ValidityPeriod"]) |
| 25 | + self.renewal_period = filetime_to_str(self.data["RenewalOverlap"]) |
| 26 | + self.name_flags = MS_PKI_CERTIFICATE_NAME_FLAG( |
| 27 | + self.data["msPKI-Certificate-Name-Flag"] |
| 28 | + ) |
| 29 | + |
| 30 | + self.enrollment_flags = MS_PKI_ENROLLMENT_FLAG( |
| 31 | + self.data["msPKI-Enrollment-Flag"] |
| 32 | + ) |
| 33 | + self.signatures_required = self.data["msPKI-RA-Signature"] |
| 34 | + |
| 35 | + self.extended_key_usage = list( |
| 36 | + map( |
| 37 | + lambda x: OID_TO_STR_MAP[x] if x in OID_TO_STR_MAP else x, |
| 38 | + data["ExtKeyUsageSyntax"] |
| 39 | + .decode("utf-16-le") |
| 40 | + .rstrip("\0\0") |
| 41 | + .split("\0"), |
| 42 | + ) |
| 43 | + ) |
| 44 | + |
| 45 | + self.permissions = self._build_permissions(self.data["Security"]) |
| 46 | + |
| 47 | + @staticmethod |
| 48 | + def _build_permissions(security_dict: Dict): |
| 49 | + security = CertifcateSecurity(security_dict) |
| 50 | + |
| 51 | + enrollment_permissions = {} |
| 52 | + enrollment_rights = [] |
| 53 | + all_extended_rights = [] |
| 54 | + |
| 55 | + permissions = {} |
| 56 | + |
| 57 | + for sid, rights in security.aces.items(): |
| 58 | + if ( |
| 59 | + EXTENDED_RIGHTS_NAME_MAP["Enroll"] in rights["extended_rights"] |
| 60 | + or EXTENDED_RIGHTS_NAME_MAP["AutoEnroll"] in rights["extended_rights"] |
| 61 | + ): |
| 62 | + enrollment_rights.append(regcertipy.utils.sid_to_name(sid)) |
| 63 | + if ( |
| 64 | + EXTENDED_RIGHTS_NAME_MAP["All-Extended-Rights"] |
| 65 | + in rights["extended_rights"] |
| 66 | + ): |
| 67 | + all_extended_rights.append(regcertipy.utils.sid_to_name(sid)) |
| 68 | + |
| 69 | + if len(enrollment_rights) > 0: |
| 70 | + enrollment_permissions["Enrollment Rights"] = enrollment_rights |
| 71 | + |
| 72 | + if len(all_extended_rights) > 0: |
| 73 | + enrollment_permissions["All Extended Rights"] = all_extended_rights |
| 74 | + |
| 75 | + if len(enrollment_permissions) > 0: |
| 76 | + permissions["Enrollment Permissions"] = enrollment_permissions |
| 77 | + |
| 78 | + object_control_permissions = {"Owner": security.owner} |
| 79 | + |
| 80 | + rights_mapping = [ |
| 81 | + (CERTIFICATE_RIGHTS.GENERIC_ALL, [], "Full Control Principals"), |
| 82 | + (CERTIFICATE_RIGHTS.WRITE_OWNER, [], "Write Owner Principals"), |
| 83 | + (CERTIFICATE_RIGHTS.WRITE_DACL, [], "Write Dacl Principals"), |
| 84 | + ( |
| 85 | + CERTIFICATE_RIGHTS.WRITE_PROPERTY, |
| 86 | + [], |
| 87 | + "Write Property Principals", |
| 88 | + ), |
| 89 | + ] |
| 90 | + |
| 91 | + for sid, rights in security.aces.items(): |
| 92 | + rights = rights["rights"] |
| 93 | + sid = regcertipy.utils.sid_to_name(sid) |
| 94 | + |
| 95 | + for right, principal_list, _ in rights_mapping: |
| 96 | + if right in rights: |
| 97 | + principal_list.append(sid) |
| 98 | + |
| 99 | + for _, rights, name in rights_mapping: |
| 100 | + if len(rights) > 0: |
| 101 | + object_control_permissions[name] = rights |
| 102 | + |
| 103 | + if len(object_control_permissions) > 0: |
| 104 | + permissions["Object Control Permissions"] = object_control_permissions |
| 105 | + |
| 106 | + return permissions |
| 107 | + |
| 108 | + def to_dict(self): |
| 109 | + return { |
| 110 | + "Name": self.name, |
| 111 | + "Friendly Name": self.display_name, |
| 112 | + "Template OID": self.oid, |
| 113 | + "Validity Period": self.validity_period, |
| 114 | + "Renewal Period": self.renewal_period, |
| 115 | + "Name Flags": self.name_flags, |
| 116 | + "Enrollment Flags": self.enrollment_flags, |
| 117 | + "Signatures Required": self.signatures_required, |
| 118 | + "Extended Key Usage": self.extended_key_usage, |
| 119 | + "Permissions": self.permissions, |
| 120 | + } |
0 commit comments