Class: AWSCDK::PCAConnectorAD::CfnTemplate::EnrollmentFlagsV3Property

Inherits:
Jsii::Struct
  • Object
show all
Defined in:
pca_connector_ad/cfn_template.rb

Overview

Template configurations for v3 template schema.

Instance Attribute Summary collapse

Class Method Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(enable_key_reuse_on_nt_token_keyset_storage_full: nil, include_symmetric_algorithms: nil, no_security_extension: nil, remove_invalid_certificate_from_personal_store: nil, user_interaction_required: nil) ⇒ EnrollmentFlagsV3Property

Returns a new instance of EnrollmentFlagsV3Property.

Parameters:

  • enable_key_reuse_on_nt_token_keyset_storage_full (Boolean, AWSCDK::IResolvable, nil) (defaults to: nil)

    Allow renewal using the same key.

  • include_symmetric_algorithms (Boolean, AWSCDK::IResolvable, nil) (defaults to: nil)

    Include symmetric algorithms allowed by the subject.

  • no_security_extension (Boolean, AWSCDK::IResolvable, nil) (defaults to: nil)

    This flag instructs the CA to not include the security extension szOID_NTDS_CA_SECURITY_EXT (OID:1.3.6.1.4.1.311.25.2), as specified in [MS-WCCE] sections 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9, in the issued certificate. This addresses a Windows Kerberos elevation-of-privilege vulnerability.

  • remove_invalid_certificate_from_personal_store (Boolean, AWSCDK::IResolvable, nil) (defaults to: nil)

    Delete expired or revoked certificates instead of archiving them.

  • user_interaction_required (Boolean, AWSCDK::IResolvable, nil) (defaults to: nil)

    Require user interaction when the subject is enrolled and the private key associated with the certificate is used.



781
782
783
784
785
786
787
788
789
790
791
792
# File 'pca_connector_ad/cfn_template.rb', line 781

def initialize(enable_key_reuse_on_nt_token_keyset_storage_full: nil, include_symmetric_algorithms: nil, no_security_extension: nil, remove_invalid_certificate_from_personal_store: nil, user_interaction_required: nil)
  @enable_key_reuse_on_nt_token_keyset_storage_full = enable_key_reuse_on_nt_token_keyset_storage_full
  Jsii::Type.check_type(@enable_key_reuse_on_nt_token_keyset_storage_full, JSON.parse(Base64.strict_decode64("eyJ1bmlvbiI6eyJ0eXBlcyI6W3sicHJpbWl0aXZlIjoiYm9vbGVhbiJ9LHsiZnFuIjoiYXdzLWNkay1saWIuSVJlc29sdmFibGUifV19fQ==")), "enableKeyReuseOnNtTokenKeysetStorageFull") unless @enable_key_reuse_on_nt_token_keyset_storage_full.nil?
  @include_symmetric_algorithms = include_symmetric_algorithms
  Jsii::Type.check_type(@include_symmetric_algorithms, JSON.parse(Base64.strict_decode64("eyJ1bmlvbiI6eyJ0eXBlcyI6W3sicHJpbWl0aXZlIjoiYm9vbGVhbiJ9LHsiZnFuIjoiYXdzLWNkay1saWIuSVJlc29sdmFibGUifV19fQ==")), "includeSymmetricAlgorithms") unless @include_symmetric_algorithms.nil?
  @no_security_extension = no_security_extension
  Jsii::Type.check_type(@no_security_extension, JSON.parse(Base64.strict_decode64("eyJ1bmlvbiI6eyJ0eXBlcyI6W3sicHJpbWl0aXZlIjoiYm9vbGVhbiJ9LHsiZnFuIjoiYXdzLWNkay1saWIuSVJlc29sdmFibGUifV19fQ==")), "noSecurityExtension") unless @no_security_extension.nil?
  @remove_invalid_certificate_from_personal_store = remove_invalid_certificate_from_personal_store
  Jsii::Type.check_type(@remove_invalid_certificate_from_personal_store, JSON.parse(Base64.strict_decode64("eyJ1bmlvbiI6eyJ0eXBlcyI6W3sicHJpbWl0aXZlIjoiYm9vbGVhbiJ9LHsiZnFuIjoiYXdzLWNkay1saWIuSVJlc29sdmFibGUifV19fQ==")), "removeInvalidCertificateFromPersonalStore") unless @remove_invalid_certificate_from_personal_store.nil?
  @user_interaction_required = user_interaction_required
  Jsii::Type.check_type(@user_interaction_required, JSON.parse(Base64.strict_decode64("eyJ1bmlvbiI6eyJ0eXBlcyI6W3sicHJpbWl0aXZlIjoiYm9vbGVhbiJ9LHsiZnFuIjoiYXdzLWNkay1saWIuSVJlc29sdmFibGUifV19fQ==")), "userInteractionRequired") unless @user_interaction_required.nil?
end

Instance Attribute Details

#enable_key_reuse_on_nt_token_keyset_storage_fullBoolean, ... (readonly)

Allow renewal using the same key.



798
799
800
# File 'pca_connector_ad/cfn_template.rb', line 798

def enable_key_reuse_on_nt_token_keyset_storage_full
  @enable_key_reuse_on_nt_token_keyset_storage_full
end

#include_symmetric_algorithmsBoolean, ... (readonly)

Include symmetric algorithms allowed by the subject.



803
804
805
# File 'pca_connector_ad/cfn_template.rb', line 803

def include_symmetric_algorithms
  @include_symmetric_algorithms
end

#no_security_extensionBoolean, ... (readonly)

This flag instructs the CA to not include the security extension szOID_NTDS_CA_SECURITY_EXT (OID:1.3.6.1.4.1.311.25.2), as specified in [MS-WCCE] sections 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9, in the issued certificate. This addresses a Windows Kerberos elevation-of-privilege vulnerability.



808
809
810
# File 'pca_connector_ad/cfn_template.rb', line 808

def no_security_extension
  @no_security_extension
end

#remove_invalid_certificate_from_personal_storeBoolean, ... (readonly)

Delete expired or revoked certificates instead of archiving them.



813
814
815
# File 'pca_connector_ad/cfn_template.rb', line 813

def remove_invalid_certificate_from_personal_store
  @remove_invalid_certificate_from_personal_store
end

#user_interaction_requiredBoolean, ... (readonly)

Require user interaction when the subject is enrolled and the private key associated with the certificate is used.



818
819
820
# File 'pca_connector_ad/cfn_template.rb', line 818

def user_interaction_required
  @user_interaction_required
end

Class Method Details

.jsii_propertiesObject



820
821
822
823
824
825
826
827
828
# File 'pca_connector_ad/cfn_template.rb', line 820

def self.jsii_properties
  {
    :enable_key_reuse_on_nt_token_keyset_storage_full => "enableKeyReuseOnNtTokenKeysetStorageFull",
    :include_symmetric_algorithms => "includeSymmetricAlgorithms",
    :no_security_extension => "noSecurityExtension",
    :remove_invalid_certificate_from_personal_store => "removeInvalidCertificateFromPersonalStore",
    :user_interaction_required => "userInteractionRequired",
  }
end

Instance Method Details

#to_jsiiObject



830
831
832
833
834
835
836
837
838
839
840
# File 'pca_connector_ad/cfn_template.rb', line 830

def to_jsii
  result = {}
  result.merge!({
    "enableKeyReuseOnNtTokenKeysetStorageFull" => @enable_key_reuse_on_nt_token_keyset_storage_full,
    "includeSymmetricAlgorithms" => @include_symmetric_algorithms,
    "noSecurityExtension" => @no_security_extension,
    "removeInvalidCertificateFromPersonalStore" => @remove_invalid_certificate_from_personal_store,
    "userInteractionRequired" => @user_interaction_required,
  })
  result.compact
end