Add Password parameter to Get-PfxCertificate cmdlet (#6113)

maybe-hello-world · iSazonov · commit 3ebe0a9cb0a8 · 2018-02-23T07:29:02.000+04:00
Add Password parameter to Get-PfxCertificate cmdlet to allow automatization instead of prompting for password every time.
diff --git a/src/Microsoft.PowerShell.Security/security/CertificateCommands.cs b/src/Microsoft.PowerShell.Security/security/CertificateCommands.cs
@@ -62,6 +62,18 @@ public string[] LiteralPath
         }
         private bool _isLiteralPath = false;
 
+        /// <summary>
+        /// Gets or sets the password for unlocking the certificate.
+        /// </summary>
+        [Parameter(Mandatory = false)]
+        public SecureString Password { get; set; }
+
+        /// <summary>
+        /// Do not prompt for password if not given.
+        /// </summary>
+        [Parameter(Mandatory = false)]
+        public SwitchParameter NoPromptForPassword { get; set; }
+
         //
         // list of files that were not found
         //
@@ -126,47 +138,35 @@ protected override void ProcessRecord()
                     }
                     else
                     {
+                        if (Password == null && !NoPromptForPassword.IsPresent) 
+                        {
+                            try 
+                            {
+                                cert = GetCertFromPfxFile(resolvedProviderPath, null);
+                                WriteObject(cert);
+                                continue;
+                            } 
+                            catch (CryptographicException) 
+                            {
+                                Password = SecurityUtils.PromptForSecureString(
+                                    Host.UI,
+                                    CertificateCommands.GetPfxCertPasswordPrompt);
+                            }                            
+                        }
+                        
                         try
                         {
-                            cert = GetCertFromPfxFile(resolvedProviderPath);
+                            cert = GetCertFromPfxFile(resolvedProviderPath, Password);
                         }
-                        catch (CryptographicException)
+                        catch (CryptographicException e)
                         {
-                            //
-                            // CryptographicException is thrown when any error
-                            // occurs inside the crypto class library. It has a
-                            // protected member HResult that indicates the exact
-                            // error but it is not available outside the class.
-                            // Thus we have to assume that the above exception
-                            // was thrown because the pfx file is password
-                            // protected.
-                            //
-                            SecureString password = null;
-
-                            string prompt = null;
-                            prompt = CertificateCommands.GetPfxCertPasswordPrompt;
-
-                            password = SecurityUtils.PromptForSecureString(Host.UI, prompt);
-                            try
-                            {
-                                cert = GetCertFromPfxFile(resolvedProviderPath,
-                                                          password);
-                            }
-                            catch (CryptographicException e)
-                            {
-                                //
-                                // since we cannot really figure out the
-                                // meaning of a given CryptographicException
-                                // we have to use NotSpecified category here
-                                //
-                                ErrorRecord er =
-                                    new ErrorRecord(e,
-                                                    "GetPfxCertificateUnknownCryptoError",
-                                                    ErrorCategory.NotSpecified,
-                                                    null);
-                                WriteError(er);
-                                continue;
-                            }
+                            ErrorRecord er =
+                                new ErrorRecord(e,
+                                                "GetPfxCertificateUnknownCryptoError",
+                                                ErrorCategory.NotSpecified,
+                                                null);
+                            WriteError(er);
+                            continue;
                         }
 
                         WriteObject(cert);
@@ -206,12 +206,6 @@ protected override void ProcessRecord()
             }
         }
 
-        private static X509Certificate2 GetCertFromPfxFile(string path)
-        {
-            X509Certificate2 cert = new X509Certificate2(path);
-            return cert;
-        }
-
         private static X509Certificate2 GetCertFromPfxFile(string path, SecureString password)
         {
             var cert = new X509Certificate2(path, password, X509KeyStorageFlags.DefaultKeySet);
diff --git a/test/powershell/Modules/Microsoft.PowerShell.Security/CmsMessage.Tests.ps1 b/test/powershell/Modules/Microsoft.PowerShell.Security/CmsMessage.Tests.ps1
@@ -3,10 +3,13 @@
 Import-Module (Join-Path -Path $PSScriptRoot 'certificateCommon.psm1') -Force
 
 Describe "CmsMessage cmdlets and Get-PfxCertificate basic tests" -Tags "CI" {
-    
+
     BeforeAll {
         $certLocation = New-GoodCertificate
         $certLocation | Should Not BeNullOrEmpty | Out-Null
+
+        $protectedCertLocation = New-ProtectedCertificate
+        $protectedCertLocation | Should Not BeNullOrEmpty | Out-Null
     }
 
     It "Verify Get-PfxCertificate -FilePath" {
@@ -24,6 +27,17 @@ Describe "CmsMessage cmdlets and Get-PfxCertificate basic tests" -Tags "CI" {
         $cert.Subject | Should Be "CN=MyDataEnciphermentCert"
     }
 
+    It "Verify Get-PfxCertificate right password" {
+        $pass = ConvertTo-SecureString "password" -AsPlainText -Force
+        $cert = Get-PfxCertificate $protectedCertLocation -Password $pass
+        $cert.Subject | Should Be "CN=localhost"
+    }
+
+    It "Verify Get-PfxCertificate wrong password" {
+        $pass = ConvertTo-SecureString "wrongpass" -AsPlainText -Force
+        $e = { Get-PfxCertificate $protectedCertLocation -Password $pass -ErrorAction Stop } | ShouldBeErrorId "GetPfxCertificateUnknownCryptoError,Microsoft.PowerShell.Commands.GetPfxCertificateCommand"
+    }
+
     It "Verify CMS message recipient resolution by path" -Skip:(!$IsWindows) {
         $errors = $null
         $recipient = [System.Management.Automation.CmsMessageRecipient] $certLocation
@@ -72,9 +86,9 @@ Describe "CmsMessage cmdlets thorough tests" -Tags "Feature" {
             # Skip for non-Windows platforms
             $defaultParamValues = $PSdefaultParameterValues.Clone()
             $PSdefaultParameterValues = @{ "it:skip" = $true }
-        }        
+        }
     }
-    
+
     AfterAll {
         if($IsWindows)
         {
@@ -319,7 +333,7 @@ Describe "CmsMessage cmdlets thorough tests" -Tags "Feature" {
 
         # Validate they all match the EKU
         $correctMatching = $foundCerts | Where-Object {
-            ($_.EnhancedKeyUsageList.Count -gt 0) -and 
+            ($_.EnhancedKeyUsageList.Count -gt 0) -and
             ($_.EnhancedKeyUsageList[0].ObjectId -eq '1.3.6.1.4.1.311.80.1')
         }
         # "All Document Encryption Cert should have had correct EKU"
diff --git a/test/powershell/Modules/Microsoft.PowerShell.Security/certificateCommon.psm1 b/test/powershell/Modules/Microsoft.PowerShell.Security/certificateCommon.psm1
@@ -68,6 +68,21 @@ OksttXT1kXf+aez9EzDlsgQU4ck78h0WTy01zHLwSKNWK4wFFQM=
     return $certLocation
 }
 
+Function New-ProtectedCertificate
+{
+    <#
+    .SYNOPSIS
+    Return existing password-protected pfx certificate
+
+    .NOTES
+    Password: "password"
+    #>
+
+    $certLocation = ".\test\tools\Modules\WebListener\ServerCert.pfx"
+
+    return $certLocation
+}
+
 Function New-BadCertificate
 {
     $codeSigningCert = "
@@ -166,4 +181,4 @@ function Remove-TestCertificates
     else {
         throw 'Not supported on non-windows platforms'
     }
-}
+}
