<#
Quick script to decrypt and decode a SCEP request, for debugging.
The server certificate (and its corresponding private key) needs to be
available to the user running this.
#>
# Load System.Security so the System.Security.Cryptography.Pkcs types used below (SignedCms, EnvelopedCms) resolve
Add-Type -AssemblyName System.Security
function decodeNdesRequest {
    <#
    .SYNOPSIS
    Unwraps a SCEP (NDES) request and returns its signer infos plus the enclosed CSR.
    .DESCRIPTION
    The request is URL-decoded, base64-decoded, parsed as a signed CMS, and the inner
    enveloped CMS is decrypted with whatever private key is available to the current
    user (see the script header). The outer CMS signature is decoded but NOT verified;
    this is a debugging aid only.
    .PARAMETER request
    The URL-encoded, base64-encoded SCEP request body.
    .OUTPUTS
    Two values: the SignerInfoCollection of the outer signature, and the inner CSR
    as a base64 string.
    #>
    param ($request)

    $urlDecoded = [System.Net.WebUtility]::UrlDecode($request)
    $rawRequest = [System.Convert]::FromBase64String($urlDecoded)

    # Outer layer: signed CMS. Decode() only parses; no CheckSignature() is called.
    $outer = New-Object System.Security.Cryptography.Pkcs.SignedCms
    $outer.Decode($rawRequest)

    # Inner layer: enveloped CMS, decrypted with a key from the caller's certificate stores
    $inner = New-Object System.Security.Cryptography.Pkcs.EnvelopedCms
    $inner.Decode($outer.ContentInfo.Content)
    $inner.Decrypt()

    $encodedCsr = [System.Convert]::ToBase64String($inner.ContentInfo.Content)
    return $outer.SignerInfos, $encodedCsr
}
function decodeCsr {
    <#
    .SYNOPSIS
    Parses a base64-encoded PKCS#10 request with the CertEnroll COM API.
    .PARAMETER encodedCsr
    The CSR as a base64 string (as returned by decodeNdesRequest).
    .OUTPUTS
    An X509Enrollment.CX509CertificateRequestPkcs10 COM object, whose properties
    (e.g. Subject, ChallengePassword) the caller reads.
    #>
    param ($encodedCsr)

    # CertEnroll is Windows-only; the COM object is handed back to the caller and not released here
    $pkcs10 = New-Object -ComObject 'X509Enrollment.CX509CertificateRequestPkcs10'
    $pkcs10.InitializeDecode($encodedCsr)
    $pkcs10
}
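function main {
    <#
    .SYNOPSIS
    Reads a SCEP request from the console, decrypts it, and prints who signed it
    and what the enclosed CSR asks for.
    .NOTES
    The last output line prints the CSR's challenge password in clear text, so the
    console output / transcript should be handled as sensitive.
    #>
    $request = Read-Host "Enter request"
    if ($request -eq "") {
        throw "Empty request"
    }

    $signerInfos, $encodedCsr = decodeNdesRequest $request
    # Guard the [0] access below: a request without a signer cannot be classified
    if ($null -eq $signerInfos -or $signerInfos.Count -eq 0) {
        throw "Request contains no signer info"
    }
    $csr = decodeCsr $encodedCsr

    $signerCert = $signerInfos[0].Certificate
    if ($null -eq $signerCert) {
        throw "Signer info does not carry a certificate"
    }

    # Self-signed signer certificate => the client has no issued cert yet (initial enrollment);
    # otherwise it signed with an existing cert (re-enrollment)
    if ($signerCert.Issuer -eq $signerCert.Subject) {
        "Certificate in signerInfos is self-signed, so must be initial enrollment"
        "The certificate is issued to `"$($signerCert.Subject)`""
    } else {
        "Certificate in signerInfos is NOT self-signed, so must be re-enrollment"
        # Trailing space before "by" so the subject and issuer do not run together in the output
        "The certificate is issued to `"$($signerCert.Subject)`" " +
        "by `"$($signerCert.Issuer)`""
    }
    "The CSR has subject `"$($csr.Subject.Name)`" and password `"$($csr.ChallengePassword)`""
}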
# Script entry point: prompts for a request and prints the decoded result
main