#--------------------------------------------------------------------------------------------------------------------
# Author: Hector Szabo
# Date:   Juin, 2015 / L2.2015
# versions
# 1.0 Validates root CA, issuing CA for Production and Partenaire environments
# 1.1 [HS]Juillet, 2015 Exposes machine name and implements -ver (describes version and validity of present certificates)
# 1.2 [HS]Août, 2015Mise à jour des certificats de production et prise en charge du contrôle de validité selon l'avis de sécurité de Microsoft 
#--------------------------------------------------------------------------------------------------------------------
<#
.SYNOPSIS 
   Script De validation des "chaînes de confiance" (selon le switch -essai ou -production)
   Valide que les certificats requis soient installés aux magasins de certificats nécessaires:
   
   . Syntax
   Chaines2.ps1 {-essai | -production} [-NTAuth] [-Ver]
   un paramètre est obligatoire

   .DESCRIPTION 
   Script De validation des "chaînes de confiance" (selon le switch -essai ou -production)
   Valide que les certificats requis soient installés aux magasins de certificats nécessaires:
   MAGASIN DES AUTORITÉS DE CERTIFICATION RACINE DE CONFIANCE
   - AC Racine G1 ([essais]/[prod]AC Racine.crt, SHA1, 2048)
   - AC Racine G2 ([essais]Ac Racine SecurSante RAMQ PARTE.crt, SHA1, 2048/ [prod] Non applicable)
   - AC Racine G3 ([essais]AC Racine SecurSante RAMQ PARTE G3.crt, SHA2, 4096/ [prod] AC Racine SecurSante G3.crt,SHA2,4096)
   MAGASIN DES AUTORITÉS DE CERTIFICATION INTERMÉDIAIRES
   - AC Racine G3 "croisé" ([essais]AC Racine SecurSante RAMQ PARTE G3X.crt, SHA1,4091,[prod])AC Racine SecurSante G3X.crt,SHA1,4096
   MAGASIN DES AUTORITÉS DE CERTIFICATION ÉMETTRICES
   - AC(s) émettrices G1([essais]AC Emettrice Dev.crt,SHA1,2048/[prod]AC Emettrice ProdA.crt, AC Emettrice ProdB.crt,SHA1,2028)
   - AC émettrice G2([essais]AC SecurSante RAMQ PARTE.crt,SHA1,2048/[prod]AC SecurSante.crt,SHA1,2048)
   - AC émettrice G3([essais]AC SecurSante RAMQ PARTE.crt,SHA2,2048/[prod]AC SecurSante.crt,SHA2,2048)
   
   .PARAMETER essai
   Valide les chaînes de confiance d'un poste prévu pour les environnements d'essai, maintenance corrective et formation

   .PARAMETER production
   Valide les chaînes de confiance d'un poste prévu pour l'environnement de production
   
   .PARAMETER NTAuth
   Valide les magasins d'entreprise NTAuth pour les machines controleur de domaine, IIS et toute machine sur laquelle on ouvre une session 
   Windows par carte à puce
  
   .EXAMPLE 
   .\chaines.ps1 -essai 
   Valide les chaînes de confiance d'un poste prévu pour les environnements d'essai, maintenance corrective et formation

   .EXAMPLE 
   .\chaines.ps1 -production 
   Valide les chaînes de confiance d'un poste prévu pour l'environnement de production
   
   .EXAMPLE
   
   
#>
[CmdletBinding()]Param(
    [Parameter(Mandatory=$True)][string]$mode,
    [Parameter(Mandatory=$False)][switch]$NtAuth,
    [Parameter(Mandatory=$False)][switch]$ver
    )
#--------------------------------------------------------------------------------------------------------------------
# Get script directory.
$ComputerName = $MachineName=[system.environment]::MachineName
$base = $MyInvocation.ScriptName
if (!$base) { $base = $MyInvocation.MyCommand.Definition }
$base = Split-Path -parent $base
if (!$base) { $base = Get-Location }
if($NtAuth -eq $True)
#if($NtAuth.toUpper() -eq "OUI" -or $NtAuth.toUpper() -eq "YES" -or $NtAuth.toUpper() -eq "1")
{
    $NtauthStr="NTAUTH";$NTAuthEval=$true
}
else
{
    $NtauthStr = "NONTAUTH";$NTAuthEval=$False
}
if($mode.toUpper() -eq "PRODUCTION" )
{
    $Palier = "Production"
}
else
{
    $Palier = "Essai"
}

#--------------------------------------------------------------------------------------------------------------------
# Constants
[string]$SOURCE = "SRC"               # source de l'eventlog prévue pour la sortie, si existante
[string]$Err="Error"                  # avis d'erreur 
[string]$Inf="Information"            # avis informatif, sans eventlog, en console et sur les fichiers de log si le mode est verbose
[string]$War="Warning"                # avis d'un potentiel problème qui pourrait causer des erreurs
[string]$Mut="Mute"                   # pas en console, pas en eventlog identique à info
[string]$Not="Notification"           # Information sur l'eventlog 
[int]$LineLength = 90
#--------------------------------------------------------------------------------------------------------------------
$script:ErrorActionPreference = "Stop"
[String]$hodFile = Get-Date -f "yyyyMMddhhmm"
[String]$ReportFile   = "C:\Temp\" + "SécurSanté_Rapport_des_Chaînes_de_confiance_le_"+ $hodFile + ".txt"
# -------------------------------------------------------------------------------------------------------------------
# Certificate data
# -------------------------------------------------------------------------------------------------------------------
[xml]$CertificateData = [xml] @"
<Validations>
    <SHA1Date Date="01/01/2017"/>
	<Certificates>
		<Certificate CodeName="ACRG1E" FriendlyName="AC Racine G1 ESSAI" From="‎30/04/‎2008 12:38:52" To="‎30/04/2020 12:42:06" TechTo="SHA1DATE" CN="AC Racine" Thumbprint="FAED0492C9D23A5294506662646E9F40B7B8C9DA"/>
		<Certificate CodeName="ACRG2E" FriendlyName="AC Racine G2 ESSAI" From="‎29/08/2012 14:33:33" To="‎29/08/2032 14:43:33" TechTo="SHA1DATE" CN="Ac Racine SecurSante RAMQ PARTE" Thumbprint="3D1665BB4588CABA902682307BBB97E30A960C91"/>
		<Certificate CodeName="ACRG3E" FriendlyName="AC Racine G3 ESSAI" From="‎10/03/‎2015 10:41:47" To="‎‎10/03/‎2037 10:51:46" TechTo="SAME" CN="AC Racine SecurSante RAMQ PARTE G3" Thumbprint="44C3D4011E86FB8FA55F9E60B39B644DB078D5B6"/>
		<Certificate CodeName="ACEG1E" FriendlyName="AC Émettrice G1 ESSAI" From="‎‎21/03/‎2012 10:31:14" To="‎‎21/03/2018 10:41:14" TechTo="SHA1DATE" CN="AC Emettrice Dev" Thumbprint="FC32D34DD0C5B9B1BB7D908C312F1EE3038CADC1"/>
		<Certificate CodeName="ACEG2E" FriendlyName="AC Émettrice G2 ESSAI" From="‎30/08/‎2012 07:45:48" To="‎30/08/2018 07:55:48" TechTo="SHA1DATE" CN="AC SecurSante RAMQ PARTE" Thumbprint="0B63837AC9725E4B43375FFA0EF4DF7B82F9EA4F"/>
		<Certificate CodeName="ACEG3E" FriendlyName="AC Émettrice G3 ESSAI" From="‎‎27/05/‎2015 18:36:41" To="‎‎27/05/‎2021 18:46:41" TechTo="SAME" CN="AC SecurSante RAMQ PARTE" Thumbprint="7BCD49F8E3CC3DED549D03536247C993248736BE"/>
		<Certificate CodeName="ACRG3XE" FriendlyName="AC Racine G3X ESSAI" From="‎‎12/05/‎2015 10:28:22" To="‎‎12/05/2021 10:38:22" TechTo="SHA1DATE" CN="AC Racine SecurSante RAMQ PARTE G3" Thumbprint="FAA095FD56953EF70B7A9AF87801CC8BE882D184"/>
		<Certificate CodeName="ACRG1P" FriendlyName="AC Racine G1 PRODUCTION" From="‎30/04/‎2008 12:38:52" To="‎30/04/2020 12:42:06" TechTo="SHA1DATE" CN="AC Racine" Thumbprint="FAED0492C9D23A5294506662646E9F40B7B8C9DA"/>
		<Certificate CodeName="ACRG2P" FriendlyName="AC Racine G2 PRODUCTION" From="‎30/04/‎2008 12:38:52" To="‎30/04/2020 12:42:06" TechTo="SHA1DATE" CN="AC Racine" Thumbprint="FAED0492C9D23A5294506662646E9F40B7B8C9DA"/>
		<Certificate CodeName="ACRG3P" FriendlyName="AC Racine G3 PRODUCTION" From="‎‎02/06/‎2015 14:52:25" To="02/06/‎2037 14:53:02" TechTo="SAME" CN="AC Racine SecurSante G3" Thumbprint="6F453665317AB255563B22B4EE957C0CD25E8383"/>
		<Certificate CodeName="ACEAG1P" FriendlyName="AC Émettrice A G1 PRODUCTION" From="21/03/2012 10:27:43" To="21/03/2018 10:37:43" TechTo="SHA1DATE" CN="AC Emettrice ProdA" Thumbprint="D1E3A15AACCEBBA6AEEE2FEBE4C25790345932EE"/>
		<Certificate CodeName="ACEBG1P" FriendlyName="AC Émettrice B G1 PRODUCTION" From="21/03/2012 10:30:00" To="‎21/03/‎2018 10:40:00" TechTo="SHA1DATE" CN="AC Emettrice ProdB" Thumbprint="9469ACC372FB1AC49C3061662EA05D28EA59D0B3"/>
		<Certificate CodeName="ACEG2P" FriendlyName="AC Émettrice G2 PRODUCTION" From="20/11/‎2012 16:10:47" To="‎‎20/11/2018 16:20:47" TechTo="SHA1DATE" CN="AC SecurSante" Thumbprint="A419DFCF19025C794E72C2403C36AC7D19B1E4CE"/>
		<Certificate CodeName="ACEG3P" FriendlyName="AC Émettrice G3 PRODUCTION" From="‎19/08/2015 10:20:34" To="‎‎19/08/2021 10:30:34" TechTo="SAME" CN="AC SecurSante" Thumbprint="609314C65017C2312BDA00C0A13FF46DB0383FAB"/>
		<Certificate CodeName="ACRG3XP" FriendlyName="AC Racine G3X PRODUCTION" From="‎19/08/2015 14:15:47" To="30/04/2020 12:42:06" TechTo="SHA1DATE" CN="AC Racine SecurSante G3" Thumbprint="2FF98EA678FE5ECC2FCA13779A84B637D4FF0D74"/>
	</Certificates>
	<Validation Context="Essai">
		<Checks>
			<Check CodeName="ACRM" FriendlyName="AC racines machine" StoreName="Root" StoreLocation="LocalMachine">
				<CertificateNameList>
					<Certificate CodeName="ACRG1E"/>
					<Certificate CodeName="ACRG2E"/>
					<Certificate CodeName="ACRG3E"/>
				</CertificateNameList>
			</Check>
			<Check CodeName="ACIM" FriendlyName="AC intermediaires machine" StoreName="Ca" StoreLocation="LocalMachine">
				<CertificateNameList>
					<Certificate CodeName="ACRG3XE"/>
					<Certificate CodeName="ACEG1E"/>
					<Certificate CodeName="ACEG2E"/>
					<Certificate CodeName="ACEG3E"/>
				</CertificateNameList>
			</Check>
			<Check CodeName="ACRU" FriendlyName="AC racines utilisateur" StoreName="Root" StoreLocation="CurrentUser">
				<CertificateNameList>
					<Certificate CodeName="ACRG1E"/>
					<Certificate CodeName="ACRG2E"/>
					<Certificate CodeName="ACRG3E"/>
				</CertificateNameList>
			</Check>
			<Check CodeName="ACIU" FriendlyName="AC intermediaires utilisateur" StoreName="Ca" StoreLocation="CurrentUser">
				<CertificateNameList>
					<Certificate CodeName="ACRG3XE"/>
					<Certificate CodeName="ACEG1E"/>
					<Certificate CodeName="ACEG2E"/>
					<Certificate CodeName="ACEG3E"/>
				</CertificateNameList>
			</Check>
		</Checks>
	</Validation>
	<Validation Context="Production">
		<Checks>
			<Check CodeName="ACRM" FriendlyName="AC racines machine" StoreName="Root" StoreLocation="LocalMachine">
				<CertificateNameList>
					<Certificate CodeName="ACRG1P"/>
					<Certificate CodeName="ACRG2P"/>
					<Certificate CodeName="ACRG3P"/>
				</CertificateNameList>
			</Check>
			<Check CodeName="ACIM" FriendlyName="AC intermediaires machine" StoreName="Ca" StoreLocation="LocalMachine">
				<CertificateNameList>
					<Certificate CodeName="ACRG3XP"/>
					<Certificate CodeName="ACEAG1P"/>
					<Certificate CodeName="ACEBG1P"/>
					<Certificate CodeName="ACEG2P"/>
					<Certificate CodeName="ACEG3P"/>
				</CertificateNameList>
			</Check>
			<Check CodeName="ACRU" FriendlyName="AC racines utilisateur" StoreName="Root" StoreLocation="CurrentUser">
				<CertificateNameList>
					<Certificate CodeName="ACRG1P"/>
					<Certificate CodeName="ACRG2P"/>
					<Certificate CodeName="ACRG3P"/>
				</CertificateNameList>
			</Check>
			<Check CodeName="ACIU" FriendlyName="AC intermediaires utilisateur" StoreName="Ca" StoreLocation="CurrentUser">
				<CertificateNameList>
					<Certificate CodeName="ACRG3XP"/>
					<Certificate CodeName="ACEAG1P"/>
					<Certificate CodeName="ACEBG1P"/>
					<Certificate CodeName="ACEG2P"/>
					<Certificate CodeName="ACEG3P"/>
				</CertificateNameList>
			</Check>
		</Checks>
	</Validation>
	<NtAuth Context="Production">
		<Checks>
			<Check CodeName="NTAUTH" FriendlyName="Magasin d'entreprise NTAUTH">
				<CertificateNameList>
					<Certificate CodeName="ACEAG1P"/>
					<Certificate CodeName="ACEBG1P"/>
					<Certificate CodeName="ACEG2P"/>
					<Certificate CodeName="ACEG3P"/>
				</CertificateNameList>
			</Check>
		</Checks>
	</NtAuth>
	<NtAuth Context="Essai">
		<Checks>
			<Check CodeName="NTAUTH" FriendlyName="Magasin d'entreprise NTAUTH">
				<CertificateNameList>
					<Certificate CodeName="ACEG1E"/>
					<Certificate CodeName="ACEG2E"/>
					<Certificate CodeName="ACEG3E"/>
				</CertificateNameList>
			</Check>
		</Checks>
	</NtAuth>
</Validations>
"@
Function Process-Trap([System.Management.Automation.ErrorRecord]$ex)
{
	Try {
		$ii = $ex.InvocationInfo
		if ($script:RAMQAux_logStarted) {
			RAMQ-Log "FATAL: $($ii.MyCommand.Name): $($ex.Exception.Message)`r`n$($ii.ScriptName):$($ii.ScriptLineNumber)" $Err 199
		} else {
			Write-Host "FATAL: $($ii.MyCommand.Name): $($ex.Exception.Message)`r`n$($ii.ScriptName):$($ii.ScriptLineNumber)" -foregroundColor Magenta
		}
	} Catch {
		$ErrorMessage = $_.Exception.Message
		Write-EventLog -logname Application -source Application -EventId 1001 -message "FATAL:$($ErrorMessage)" -EntryType Error
	} Finally {
		exit 1
	}   
}
function RAMQ-Write([string]$msg, [string]$Just, [string]$PaddingChar, [string]$Fcolor, [string]$Bcolor)
{

   $hod = ("{0:yyyy-MM-dd HH:mm:ss}" -f $(Get-Date))
   if ($Just -eq "" -or $Just -eq $null){$Just = "Left"} 
   $opts = @{}
   if ($Fcolor -ne $null -and $Fcolor -ne "" -and $Fcolor -ne "DEF"){$opts= $opts + @{ForegroundColor=$Fcolor} }
   if ($Bcolor -ne $null -and $Bcolor -ne "" -and $Bcolor -ne "DEF"){$opts= $opts + @{BackgroundColor=$Bcolor} }
   if ($PaddingChar -eq "" -or $PaddingChar -eq $null -OR $PaddingChar -eq "DEF"){$PaddingChar = " "} 
   if($msg.Trim() -ne "") {$msg = $msg.Trim()}
   $LeftPadding = ""
   $RightPadding = ""
   if($Just -ne "Left")
   {
       [int] $LeftPaddingLength = ($LineLength - $msg.length) / 2
       if($LeftPaddingLength -gt 0) {$LeftPadding = $PaddingChar * $LeftPaddingLength}
   }
   else
   {
       $LeftPaddingLength = 0
       $LeftPadding = ""
   }
   $RigthPaddingLength = $LineLength - ($msg.length + $LeftPaddingLength)
   if($RigthPaddingLength -gt 0) {$RigthPadding = $PaddingChar * $RigthPaddingLength}
   $Line = "[$hod] !"+$LeftPadding+$msg+$RigthPadding+"!"
   #$opts = @{ForegroundColor=$Fcolor; BackgroundColor=$Bcolor}
   Write-Host @opts $Line 
   if(test-Path $ReportFile){
      write-output "$Line"  >> $ReportFile
   }else{
      write-output "$Line"  > $ReportFile
   }
}
function RAMQ-Log([string]$msg, [string]$severity, [int]$eventID)
{    
   $hod = ("{0:HH:mm:ss}" -f $(Get-Date)) 
   if ($severity -eq $Err) 
   {
    	Write-Host "[$hod][$severity][$eventID][$msg]" -foregroundColor Red
    	Write-Eventlog -Logname Application -EntryType $severity -eventID $eventID -message $msg -source $SOURCE
   }
   if ($severity -eq $War) 
   {
    	Write-Host "[$hod][$severity][$eventID][$msg]" -foregroundColor Yellow
    	Write-Eventlog -Logname Application -EntryType $severity -eventID $eventID -message $msg -source $SOURCE
   }
   if (($severity -eq $Inf) -or ($severity -eq $Mut)) 
   {
    	$severity=$Inf   
    	Write-Verbose "[$hod][$severity][$eventID][$msg]" -foregroundColor Green
   } 
   if ($severity -eq $Not) 
   {
    	Write-Host "[$hod][$severity][$eventID][$msg]" -foregroundColor Blue
    	Write-Eventlog -Logname Application -EntryType $Inf -eventID $eventID -message $msg -source $SOURCE

   } 
   $msgSeverity = $severity.Substring(0,4)
   if(test-Path $LogFileName){
      write-output "[$hod][$msgSeverity][$eventID][$msg]"  >> $LogFileName
   }else{
      write-output "[$hod][$msgSeverity][$eventID][$msg]"  > $LogFileName
   }
}
#-------------------------------------------------------------------------------------------------------------
$today=$(Get-Date)
$SHA1Date = [DateTime]$CertificateData.Validations.SHA1Date.Date
#-------------------------------------------------------------------------------------------------------------
RAMQ-Write "-" "Center" "-"
RAMQ-Write "Rapport de validation d'état des magasins de certificat - certificats requis pour DSQ" "Center" " "
RAMQ-Write "-" "Center" "-"
RAMQ-Write "-[$Computername]-[$Palier]-" "Center" " "
RAMQ-Write "-" "Center" "-"
#if($today -ge $SHA1Date)
#{
#RAMQ-Write "ATTENTION - ATTENTION : Certains des certificats " "Center" " "
#RAMQ-Write "-" "Center" "-"
#RAMQ-Write "-[$Computername]-[$Palier]-" "Center" " "
#RAMQ-Write "-" "Center" "-"
#}
foreach ($Val in ($CertificateData.Validations.Validation | where-object {$_.Context -eq $Palier}))
{
    foreach ($Chk in $Val.Checks.Check)
    {
        $msg = "Validation du magasin:[" + $Chk.StoreName + "/" + $Chk.StoreLocation + "]  ("+ $Chk.FriendlyName+")"
        RAMQ-Write $msg  "Center"
        RAMQ-Write "-" "Center" "-"
        $st = $null
        $st = New-Object Security.Cryptography.X509Certificates.X509Store $Chk.StoreName,$Chk.StoreLocation
        $st.Open("ReadOnly")
        foreach ($CertCode in ($Chk.CertificateNameList.Certificate | %{$_.CodeName}))
        {
            #echo $CertCode
            $Cert = ($CertificateData.Validations.Certificates.Certificate | where {$_.Codename -eq $CertCode})
            $ThumbPrint = $Cert.Thumbprint
            $Res=$null
            $Res=$st.Certificates.Find("FindByThumbprint", $ThumbPrint, $false)
            if($Res.count -eq 0)
            {
                $msg="[ERREUR] Certificat:"+$Cert.FriendlyName +" manquant"
                RAMQ-Write $msg "Left" " " "Red" 
            }
            else
            {
                $msg="[OK    ] Certificat:"+$Cert.FriendlyName +" présent"
                RAMQ-Write $msg

            }           
        }
        $st.Close()
        $st=$null
        RAMQ-Write "-" "Center" "-"
    }
}

if($NTAuthEval)
{
   $st = $null
   $st = New-Object Security.Cryptography.X509Certificates.X509Store "NTAuth"
   $st.Open("ReadOnly")
   RAMQ-Write "-" "Center" "-"
   RAMQ-Write "Validation des magasins NTAUTH [pour AD, IIS et consoles]-Certificats requis pour DSQ" "Center" " "
   RAMQ-Write "-" "Center" "-"
   RAMQ-Write "-[Enterprise NTAuth Store] -$Palier-" "Center" " "
   RAMQ-Write "-" "Center" "-"
    foreach ($Val in ($CertificateData.Validations.NtAuth | where-object {$_.Context -eq $Palier}))
    {
        foreach ($Chk in $Val.Checks.Check)
        {
            $msg = "Validation du "+$Chk.FriendlyName
            RAMQ-Write $msg  "Center"
            $msg = " vérification des certificats requis pour l'environnement: "+$Palier
            RAMQ-Write $msg  "Center"
            RAMQ-Write "-" "Center" "-"
            foreach ($CertCode in ($Chk.CertificateNameList.Certificate | %{$_.CodeName}))
            {
                $Cert = ($CertificateData.Validations.Certificates.Certificate | where {$_.Codename -eq $CertCode})
                $ThumbPrint = $Cert.Thumbprint
                $Res=$null
                $Res=$st.Certificates.Find("FindByThumbprint", $ThumbPrint, $false)
                if($Res.count -eq 0)
                {
                    $msg="[ERREUR] Certificat:"+$Cert.FriendlyName +" manquant"
                    RAMQ-Write $msg "Left" " " "Red" 
                }
                else
                {
                    $msg="[OK    ] Certificat:"+$Cert.FriendlyName +" présent"
                    RAMQ-Write $msg
                }
            }
            RAMQ-Write "-" "Center" "-"
        }
    }
}
RAMQ-Write "-FIN DU RAPPORT -[$Computername]-[$Palier]-" "Center" " "
RAMQ-Write "-" "Center" "-"