enabled certificate template ACL retrieval for certificate template i…

…nstances created from sources that doesn't support ACL, such as registry and CertEnroll.
PKISolutions · May 17, 2024 · 168c344 · 168c344
1 parent 0828c54
commit 168c344
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 2 deletions.
diff --git a/src/SysadminsLV.PKI.Win/Management/ActiveDirectory/DsCertificateTemplate.cs b/src/SysadminsLV.PKI.Win/Management/ActiveDirectory/DsCertificateTemplate.cs
@@ -247,6 +247,14 @@ public sealed class DsCertificateTemplate : IAdcsCertificateTemplate {
  }
  }
 
+ /// <summary>
+ /// Gets LDAP path for specified certificate template.
+ /// </summary>
+ /// <param name="commonName">Template common name.</param>
+ /// <returns>LDAP path. Can be null if template with specified name doesn't exist.</returns>
+ internal static String GetLdapPath(String commonName) {
+ return DsUtils.Find(_baseDsPath, DsUtils.PropCN, commonName);
+ }
  /// <summary>
  /// Returns an instance of <see cref="IAdcsCertificateTemplate"/> interface from template common name.
  /// </summary>

diff --git a/src/SysadminsLV.PKI.Win/Security/AccessControl/CertTemplateSecurityDescriptor.cs b/src/SysadminsLV.PKI.Win/Security/AccessControl/CertTemplateSecurityDescriptor.cs
@@ -5,6 +5,7 @@
 using System.Security.AccessControl;
 using System.Security.Principal;
 using PKI.CertificateTemplates;
+using SysadminsLV.PKI.Management.ActiveDirectory;
 using SysadminsLV.PKI.Utils;
 
 namespace SysadminsLV.PKI.Security.AccessControl;
@@ -15,14 +16,22 @@ namespace SysadminsLV.PKI.Security.AccessControl;
 public sealed class CertTemplateSecurityDescriptor : CommonObjectSecurity {
  const String GUID_ENROLL = "0e10c968-78fb-11d2-90d4-00c04f79dc55";
  const String GUID_AUTOENROLL = "a05b8cc2-17bc-4802-a710-e7c15ab866a2";
- //readonly String _x500Name;
  readonly String _x500Path;
  readonly Int32 _schemaVersion;
 
  internal CertTemplateSecurityDescriptor(CertificateTemplate template) : base(false) {
  DisplayName = template.DisplayName;
  _schemaVersion = template.SchemaVersion;
- _x500Path = "LDAP:https://" + template.DistinguishedName;
+ String ldapPath;
+ if (String.IsNullOrEmpty(template.DistinguishedName)) {
+ ldapPath = DsCertificateTemplate.GetLdapPath(template.Name);
+ if (String.IsNullOrEmpty(ldapPath)) {
+ throw new ArgumentException($"Requested certificate template '{template.Name}' was not found in Active Directory or connection failed.");
+ }
+ } else {
+ ldapPath = template.DistinguishedName;
+ }
+ _x500Path = "LDAP:https://" + ldapPath;
  fromActiveDirectorySecurity();
  }