chef 17.10.0 → 17.10.95

data/lib/chef/resource/windows_certificate.rb

@@ -29,7 +29,6 @@ require "chef-utils/dist" unless defined?(ChefUtils::Dist)
 class Chef
   class Resource
     class WindowsCertificate < Chef::Resource
-      unified_mode true
 
       provides :windows_certificate
 
@@ -129,14 +128,14 @@ class Chef
       end
 
       action :delete, description: "Deletes a certificate." do
-        cert_obj = fetch_cert
+        cert_is_valid = verify_cert
 
-        if cert_obj
+        if cert_is_valid == true
           converge_by("Deleting certificate #{new_resource.source} from Store #{new_resource.store_name}") do
             delete_cert
           end
         else
-          Chef::Log.debug("Certificate not found")
+          Chef::Log.debug("Certificate Not Found")
         end
       end
 
@@ -146,17 +145,25 @@ class Chef
         end
 
         if ::File.extname(new_resource.output_path) == ".pfx"
-          powershell_exec!(pfx_ps_cmd(resolve_thumbprint(new_resource.source), store_location: ps_cert_location, store_name: new_resource.store_name, output_path: new_resource.output_path, password: new_resource.pfx_password ))
+
+          validated_thumbprint = validate_thumbprint(new_resource.source)
+          if validated_thumbprint != false # is the thumbprint valid
+            cert_obj = powershell_exec!(pfx_ps_cmd(validate_thumbprint(new_resource.source), store_location: ps_cert_location, store_name: new_resource.store_name, output_path: new_resource.output_path, password: new_resource.pfx_password ))
+          else
+            message = "While fetching the certificate, was passed the following invalid certificate thumbprint : #{new_resource.source}\n"
+            raise Chef::Exceptions::InvalidKeyAttribute, message
+          end
+
         else
           cert_obj = fetch_cert
         end
 
-        if cert_obj
+        if cert_obj != false && cert_obj != "Certificate Not Found"
           converge_by("Fetching certificate #{new_resource.source} from Store \\#{ps_cert_location}\\#{new_resource.store_name}") do
             export_cert(cert_obj, output_path: new_resource.output_path, store_name: new_resource.store_name , store_location: ps_cert_location, pfx_password: new_resource.pfx_password)
           end
         else
-          Chef::Log.debug("Certificate not found")
+          Chef::Log.debug("Certificate Not Found")
         end
       end
 
@@ -187,7 +194,7 @@ class Chef
 
         def delete_cert
           store = ::Win32::Certstore.open(new_resource.store_name, store_location: native_cert_location)
-          store.delete(resolve_thumbprint(new_resource.source))
+          store.delete(validate_thumbprint(new_resource.source))
         end
 
         def fetch_cert
@@ -196,17 +203,16 @@ class Chef
             fetch_key
 
           else
-            store.get(resolve_thumbprint(new_resource.source), store_name: new_resource.store_name, store_location: native_cert_location)
+            store.get(validate_thumbprint(new_resource.source))
           end
         end
 
         def fetch_key
           require "openssl" unless defined?(OpenSSL)
           file_name = ::File.basename(new_resource.output_path, ::File.extname(new_resource.output_path))
-          directory = ::File.dirname(new_resource.output_path)
           pfx_file = file_name + ".pfx"
           new_pfx_output_path = ::File.join(Chef::FileCache.create_cache_path("pfx_files"), pfx_file)
-          powershell_exec(pfx_ps_cmd(resolve_thumbprint(new_resource.source), store_location: ps_cert_location, store_name: new_resource.store_name, output_path: new_pfx_output_path, password: new_resource.pfx_password ))
+          powershell_exec(pfx_ps_cmd(validate_thumbprint(new_resource.source), store_location: ps_cert_location, store_name: new_resource.store_name, output_path: new_pfx_output_path, password: new_resource.pfx_password ))
           pkcs12 = OpenSSL::PKCS12.new(::File.binread(new_pfx_output_path), new_resource.pfx_password)
           f = ::File.open(new_resource.output_path, "w")
           f.write(pkcs12.key.to_s)
@@ -245,10 +251,6 @@ class Chef
           ::File.file?(source)
         end
 
-        def is_file?(source)
-          ::File.file?(source)
-        end
-
         # Thumbprints should be exactly 40 Hex characters
         def valid_thumbprint?(string)
           string.match?(/[0-9A-Fa-f]/) && string.length == 40
@@ -261,29 +263,29 @@ class Chef
           GETTHUMBPRINTCODE
         end
 
-        def resolve_thumbprint(thumbprint)
-          return thumbprint if valid_thumbprint?(thumbprint)
-
-          powershell_exec!(get_thumbprint(new_resource.store_name, ps_cert_location, new_resource.source)).result
+        def validate_thumbprint(thumbprint)
+          # valid_thumbprint can return false under at least 2 conditions:
+          # one is that the thumbprint is in fact busted
+          # the second is that the thumbprint is valid but belongs to an expired certificate already installed
+          results = valid_thumbprint?(thumbprint)
+          results == true ? thumbprint : false
         end
 
-        # Checks whether a certificate with the given thumbprint
-        # is already present and valid in certificate store
-        # If the certificate is not present, verify_cert returns a String: "Certificate not found"
-        # But if it is present but expired, it returns a Boolean: false
-        # Otherwise, it returns a Boolean: true
-        # updated this method to accept either a subject name or a thumbprint - 1/29/2021
-
+        # Checks to make sure whether the cert is found or not
+        # if it IS found, is it still valid - has it expired?
         def verify_cert(thumbprint = new_resource.source)
           store = ::Win32::Certstore.open(new_resource.store_name, store_location: native_cert_location)
-          if new_resource.pfx_password.nil?
-            store.valid?(resolve_thumbprint(thumbprint), store_location: native_cert_location, store_name: new_resource.store_name )
+          validated_thumbprint = validate_thumbprint(thumbprint)
+          if validated_thumbprint != false
+            result = store.valid?(thumbprint)
+            result == ( "Certificate Not Found" || "Certificate Has Expired" ) ? false : true
           else
-            store.valid?(resolve_thumbprint(thumbprint), store_location: native_cert_location, store_name: new_resource.store_name)
+            message = "While verifying the certificate, was passed the following invalid certificate thumbprint : #{thumbprint}\n"
+            raise Chef::Exceptions::InvalidKeyAttribute, message
           end
         end
 
-        # this array structure is solving 2 problems. The first is that we need to have support for both the CurrentUser AND LocalMachine stores
+        # this structure is solving 2 problems. The first is that we need to have support for both the CurrentUser AND LocalMachine stores
         # Secondly, we need to pass the proper constant name for each store to win32-certstore but also pass the short name to powershell scripts used here
         def ps_cert_location
           new_resource.user_store ? "CurrentUser" : "LocalMachine"
@@ -436,7 +438,7 @@ class Chef
         end
 
         def export_cert(cert_obj, output_path:, store_name:, store_location:, pfx_password:)
-          # Delete the cert if it exists. This is non-destructive in that it only removes the file and not the entire path.
+          # Delete the cert if it exists on disk already.
           # We want to ensure we're not randomly loading an old stinky cert.
           if ::File.exists?(output_path)
             ::File.delete(output_path)
@@ -460,7 +462,20 @@ class Chef
             cert_out = shell_out("openssl x509 -text -inform DER -in #{cert_obj} -outform CRT").stdout
             out_file.puts(cert_out)
           when ".pfx"
-            pfx_ps_cmd(resolve_thumbprint(new_resource.source), store_location: store_location, store_name: store_name, output_path: output_path, password: pfx_password )
+            validated_thumbprint = validate_thumbprint(new_resource.source)
+            if validated_thumbprint != false # is the thumbprint valid
+              store = ::Win32::Certstore.open(new_resource.store_name, store_location: native_cert_location)
+              result = store.valid?(new_resource.source) # is there a cert in the store matching that thumbprint
+              temp = result == ( "Certificate Not Found" || "Certificate Has Expired" ) ? false : true
+              if temp == true
+                pfx_ps_cmd(validate_thumbprint(new_resource.source), store_location: store_location, store_name: store_name, output_path: output_path, password: pfx_password )
+              else
+                Chef::Log.debug("The requested certificate is not found or has expired")
+              end
+            else
+              message = "While exporting the pfx, was passed the following invalid certificate thumbprint : #{new_resource.source}\n"
+              raise Chef::Exceptions::InvalidKeyAttribute, message
+            end
           when ".p7b"
             cert_out = shell_out("openssl pkcs7 -export -nokeys -in #{cert_obj.to_pem} -outform P7B").stdout
             out_file.puts(cert_out)
@@ -481,14 +496,11 @@ class Chef
         #
         def import_certificates(cert_objs, is_pfx, store_name: new_resource.store_name, store_location: native_cert_location)
           [cert_objs].flatten.each do |cert_obj|
-            # thumbprint = OpenSSL::Digest.new("SHA1", cert_obj.to_der).to_s
-            # pkcs = OpenSSL::PKCS12.new(cert_obj, new_resource.pfx_password)
-            # cert = OpenSSL::X509::Certificate.new(pkcs.certificate.to_pem)
             thumbprint = OpenSSL::Digest.new("SHA1", cert_obj.to_der).to_s
-            if is_pfx
-              if verify_cert(thumbprint) == true
-                Chef::Log.debug("Certificate is already present")
-              else
+            if verify_cert(thumbprint) == true
+              Chef::Log.debug("Certificate is already present")
+            elsif verify_cert(thumbprint) == false # Not found already in the CertStore
+              if is_pfx
                 if is_file?(new_resource.source)
                   converge_by("Creating a PFX #{new_resource.source} for Store #{new_resource.store_name}") do
                     add_pfx_cert(new_resource.source)
@@ -502,15 +514,14 @@ class Chef
                   message << exception.message
                   raise Chef::Exceptions::ArgumentError, message
                 end
-              end
-            else
-              if verify_cert(thumbprint) == true
-                Chef::Log.debug("Certificate is already present")
               else
                 converge_by("Creating a certificate #{new_resource.source} for Store #{new_resource.store_name}") do
                   add_cert(cert_obj)
                 end
               end
+            else
+              message = "Certificate could not be imported"
+              raise Chef::Exceptions::CertificateNotImportable, message
             end
           end
         end

data/lib/chef/resource/windows_pagefile.rb

@@ -88,7 +88,7 @@ class Chef
         if automatic_managed
           set_automatic_managed unless automatic_managed?
         elsif automatic_managed == false
-          unset_automatic_managed if automatic_managed?
+          unset_automatic_managed
         else
           pagefile = clarify_pagefile_name
           initial_size = new_resource.initial_size
@@ -149,10 +149,12 @@ class Chef
         def exists?(pagefile)
           @exists ||= begin
             logger.trace("Checking if #{pagefile} exists by running: Get-CimInstance Win32_PagefileSetting | Where-Object { $_.name -eq $($pagefile)} ")
-            cmd =  "$page_file_name = '#{pagefile}';"
-            cmd << "$pagefile = Get-CimInstance Win32_PagefileSetting | Where-Object { $_.name -eq $($page_file_name)};"
-            cmd << "if ([string]::IsNullOrEmpty($pagefile)) { return $false } else { return $true }"
-            powershell_exec!(cmd).result
+            powershell_code = <<~CODE
+              $page_file_name = '#{pagefile}';
+              $pagefile = Get-CimInstance Win32_PagefileSetting | Where-Object { $_.name -eq $($page_file_name)}
+              if ([string]::IsNullOrEmpty($pagefile)) { return $false } else { return $true }
+            CODE
+            powershell_exec!(powershell_code).result
           end
         end
 
@@ -164,13 +166,17 @@ class Chef
         # @return [Boolean]
         def max_and_min_set?(pagefile, min, max)
           logger.trace("Checking if #{pagefile} has max and initial disk size values set")
-          cmd =  "$page_file = '#{pagefile}';"
-          cmd << "$driveLetter = $page_file.split(':')[0];"
-          cmd << "$page_file_settings = Get-CimInstance -ClassName Win32_PageFileSetting -Filter \"SettingID='pagefile.sys @ $($driveLetter):'\" -Property * -ErrorAction Stop;"
-          cmd << "if ($page_file_settings.InitialSize -eq #{min} -and $page_file_settings.MaximumSize -eq #{max})"
-          cmd << "{ return $true }"
-          cmd << "else { return $false }"
-          powershell_exec!(cmd).result
+
+          powershell_code = <<-CODE
+            $page_file = '#{pagefile}';
+            $driveLetter = $page_file.split(':')[0];
+            $page_file_settings = Get-CimInstance -ClassName Win32_PageFileSetting -Filter "SettingID='pagefile.sys @ $($driveLetter):'" -Property * -ErrorAction Stop;
+            if ($page_file_settings.InitialSize -eq #{min} -and $page_file_settings.MaximumSize -eq #{max})
+              { return $true }
+            else
+              { return $false }
+          CODE
+          powershell_exec!(powershell_code).result
         end
 
         # create a pagefile
@@ -225,12 +231,14 @@ class Chef
 
         # turn off automatic management of all pagefiles by Windows
         def unset_automatic_managed
-          converge_by("Turn off Automatically Managed on pagefiles") do
-            logger.trace("Running Set-CimInstance -InputObject $sys -Property @{AutomaticManagedPagefile=$false} -PassThru")
-            powershell_exec! <<~EOH
-              $sys = Get-CimInstance Win32_ComputerSystem -Property *
-              Set-CimInstance -InputObject $sys -Property @{AutomaticManagedPagefile=$false} -PassThru
-            EOH
+          if automatic_managed?
+            converge_by("Turn off Automatically Managed on pagefiles") do
+              logger.trace("Running Set-CimInstance -InputObject $sys -Property @{AutomaticManagedPagefile=$false} -PassThru")
+              powershell_exec! <<~EOH
+                $sys = Get-CimInstance Win32_ComputerSystem -Property *
+                Set-CimInstance -InputObject $sys -Property @{AutomaticManagedPagefile=$false} -PassThru
+              EOH
+            end
           end
         end
 
@@ -240,14 +248,13 @@ class Chef
         # @param [String] min the minimum size of the pagefile
         # @param [String] max the minimum size of the pagefile
         def set_custom_size(pagefile, min, max)
+          unset_automatic_managed
           converge_by("set #{pagefile} to InitialSize=#{min} & MaximumSize=#{max}") do
             logger.trace("Set-CimInstance -Property @{InitialSize = #{min} MaximumSize = #{max}")
             powershell_exec! <<~EOD
               $page_file = "#{pagefile}"
               $driveLetter = $page_file.split(':')[0]
-              Get-CimInstance -ClassName Win32_PageFileSetting -Filter "SettingID='pagefile.sys @ $($driveLetter):'" -ErrorAction Stop | Set-CimInstance -Property @{
-              InitialSize = #{min}
-              MaximumSize = #{max}}
+              Get-CimInstance -ClassName Win32_PageFileSetting -Filter "SettingID='pagefile.sys @ $($driveLetter):'" -ErrorAction Stop | Set-CimInstance -Property @{InitialSize = #{min}; MaximumSize = #{max};}
             EOD
           end
         end

data/lib/chef/resource/windows_user_privilege.rb

@@ -24,7 +24,7 @@ class Chef
       unified_mode true
 
       provides :windows_user_privilege
-      description "The windows_user_privilege resource allows to add and set principal (User/Group) to the specified privilege.\n Ref: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-rights-assignment"
+      description "The windows_user_privilege resource allows to add a privilege to a principal or (User/Group).\n Ref: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-rights-assignment"
 
       introduced "16.0"
 
@@ -39,23 +39,32 @@ class Chef
       end
       ```
 
-      **Add the SeDenyRemoteInteractiveLogonRight Privilege to the Builtin Guests and Local Accounts User Groups**:
+      **Provide only the Builtin Guests and Administrator Groups with the SeCreatePageFile Privilege**:
+
+      ```ruby
+      windows_user_privilege 'Create Pagefile' do
+        privilege      'SeCreatePagefilePrivilege'
+        users          ['BUILTIN\\Guests', 'BUILTIN\\Administrators']
+        action         :set
+      end
+      ```
+
+      **Add the SeDenyRemoteInteractiveLogonRight Privilege to the 'Remote interactive logon' principal**:
 
       ```ruby
       windows_user_privilege 'Remote interactive logon' do
         privilege      'SeDenyRemoteInteractiveLogonRight'
-        users          ['Builtin\\Guests', 'NT AUTHORITY\\Local Account']
         action         :add
       end
       ```
 
-      **Provide only the Builtin Guests and Administrator Groups with the SeCreatePageFile Privilege**:
+      **Add to the Builtin Guests Group the SeCreatePageFile Privilege**:
 
       ```ruby
-      windows_user_privilege 'Create Pagefile' do
+      windows_user_privilege 'Guests add Create Pagefile' do
+        principal      'BUILTIN\\Guests'
         privilege      'SeCreatePagefilePrivilege'
-        users          ['BUILTIN\\Guests', 'BUILTIN\\Administrators']
-        action         :set
+        action         :add
       end
       ```
 
@@ -90,6 +99,7 @@ class Chef
                            SeCreateSymbolicLinkPrivilege
                            SeCreateTokenPrivilege
                            SeDebugPrivilege
+                           SeDelegateSessionUserImpersonatePrivilege
                            SeDenyBatchLogonRight
                            SeDenyInteractiveLogonRight
                            SeDenyNetworkLogonRight
@@ -126,20 +136,20 @@ class Chef
                           }.freeze
 
       property :principal, String,
-        description: "An optional property to add the user to the given privilege. Use only with add and remove action.",
-        name_property: true
+               description: "An optional property to add the privilege for given principal. Use only with add and remove action. Principal can either be a User/Group or one of special identities found here Ref: https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/special-identities",
+               name_property: true
 
       property :users, [Array, String],
-        description: "An optional property to set the privilege for given users. Use only with set action.",
-        coerce: proc { |v| Array(v) }
+               description: "An optional property to set the privilege for given users. Use only with set action.",
+               coerce: proc { |v| Array(v) }
 
       property :privilege, [Array, String],
-        description: "One or more privileges to set for users.",
-        required: true,
-        coerce: proc { |v| Array(v) },
-        callbacks: {
-          "Privilege property restricted to the following values: #{PRIVILEGE_OPTS}" => lambda { |n| (n - PRIVILEGE_OPTS).empty? },
-        }, identity: true
+               description: "One or more privileges to set for principal or users/groups. For more information on what each privilege does Ref: https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-rights-assignment",
+               required: true,
+               coerce: proc { |v| Array(v) },
+               callbacks: {
+                 "Privilege property restricted to the following values: #{PRIVILEGE_OPTS}" => lambda { |n| (n - PRIVILEGE_OPTS).empty? },
+               }, identity: true
 
       load_current_value do |new_resource|
         if new_resource.principal && (new_resource.action.include?(:add) || new_resource.action.include?(:remove))
@@ -147,15 +157,15 @@ class Chef
         end
       end
 
-      action :add, description: "Add a user privilege." do
-        ([*new_resource.privilege] - [*current_resource.privilege]).each do |user_right|
-          converge_by("adding user '#{new_resource.principal}' privilege #{user_right}") do
-            Chef::ReservedNames::Win32::Security.add_account_right(new_resource.principal, user_right)
+      action :add, description: "Add a privileges to a principal." do
+        ([*new_resource.privilege] - [*current_resource.privilege]).each do |principal_right|
+          converge_by("adding principal '#{new_resource.principal}' privilege #{principal_right}") do
+            Chef::ReservedNames::Win32::Security.add_account_right(new_resource.principal, principal_right)
           end
         end
       end
 
-      action :set, description: "Set the privileges that are listed in the `privilege` property for only the users listed in the `users` property." do
+      action :set, description: "Set the privileges that are listed in the `privilege` property for only the users listed in the `users` property. All other users not listed with given privilege will be have the privilege removed." do
         if new_resource.users.nil? || new_resource.users.empty?
           raise Chef::Exceptions::ValidationFailed, "Users are required property with set action."
         end
@@ -204,7 +214,7 @@ class Chef
         end
       end
 
-      action :remove, description: "Remove a user privilege" do
+      action :remove, description: "Remove a principal privilege" do
         curr_res_privilege = current_resource.privilege
         missing_res_privileges = (new_resource.privilege - curr_res_privilege)
 
@@ -212,9 +222,9 @@ class Chef
           Chef::Log.info("User \'#{new_resource.principal}\' for Privilege: #{missing_res_privileges.join(", ")} not found. Nothing to remove.")
         end
 
-        (new_resource.privilege - missing_res_privileges).each do |user_right|
-          converge_by("removing user #{new_resource.principal} from privilege #{user_right}") do
-            Chef::ReservedNames::Win32::Security.remove_account_right(new_resource.principal, user_right)
+        (new_resource.privilege - missing_res_privileges).each do |principal_right|
+          converge_by("removing principal #{new_resource.principal} from privilege #{principal_right}") do
+            Chef::ReservedNames::Win32::Security.remove_account_right(new_resource.principal, principal_right)
           end
         end
       end

data/lib/chef/resource.rb

@@ -660,7 +660,8 @@ class Chef
       text << "#{resource_name}(\"#{name}\") do\n"
 
       all_props = {}
-      self.class.state_properties.map do |p|
+
+      self.class.sensitive_properties.map do |p|
 
         all_props[p.name.to_s] = p.sensitive? ? '"*sensitive value suppressed*"' : value_to_text(p.get(self))
       rescue Chef::Exceptions::ValidationFailed

data/lib/chef/run_context.rb

@@ -145,6 +145,16 @@ class Chef
     #
     attr_accessor :input_collection
 
+    #
+    # @return [Symbol, nil]
+    #
+    attr_accessor :default_secret_service
+
+    #
+    # @return [Hash<Symbol,Object>]
+    #
+    attr_accessor :default_secret_config
+
     # Pointer back to the Chef::Runner that created this
     #
     attr_accessor :runner
@@ -222,6 +232,8 @@ class Chef
       @input_collection = Chef::Compliance::InputCollection.new(events)
       @waiver_collection = Chef::Compliance::WaiverCollection.new(events)
       @profile_collection = Chef::Compliance::ProfileCollection.new(events)
+      @default_secret_service = nil
+      @default_secret_config = {}
 
       initialize_child_state
     end
@@ -693,6 +705,10 @@ class Chef
         cookbook_collection
         cookbook_collection=
         cookbook_compiler
+        default_secret_config
+        default_secret_config=
+        default_secret_service
+        default_secret_service=
         definitions
         events
         events=

data/lib/chef/secret_fetcher/hashi_vault.rb

@@ -112,7 +112,7 @@ class Chef
             raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the authenticating Vault role name in the configuration as :role_name")
           end
 
-          Vault.auth.aws_iam(config[:role_name], Aws::InstanceProfileCredentials.new)
+          Vault.auth.aws_iam(config[:role_name], Aws::InstanceProfileCredentials.new, Vault.address)
         else
           raise Chef::Exceptions::Secret::ConfigurationInvalid.new("Invalid :auth_method provided.  You gave #{config[:auth_method]}, expected one of :#{SUPPORTED_AUTH_TYPES.join(", :")} ")
         end

data/lib/chef/version.rb

@@ -23,7 +23,7 @@ require_relative "version_string"
 
 class Chef
   CHEF_ROOT = File.expand_path("..", __dir__)
-  VERSION = Chef::VersionString.new("17.10.0")
+  VERSION = Chef::VersionString.new("17.10.95")
 end
 
 #

data/lib/chef/win32/version.rb

@@ -51,7 +51,8 @@ class Chef
       WIN_VERSIONS = {
         "Windows Server 2022" => { major: 10, minor: 0, callable: lambda { |product_type, suite_mask, build_number| product_type != VER_NT_WORKSTATION && build_number >= 20348 } },
         "Windows Server 2019" => { major: 10, minor: 0, callable: lambda { |product_type, suite_mask, build_number| product_type != VER_NT_WORKSTATION && build_number >= 17763 && build_number < 20348 } },
-        "Windows 10" => { major: 10, minor: 0, callable: lambda { |product_type, suite_mask, build_number| product_type == VER_NT_WORKSTATION } },
+        "Windows 11" => { major: 10, minor: 0, callable: lambda { |product_type, suite_mask, build_number| product_type == VER_NT_WORKSTATION && build_number >= 22000 } },
+        "Windows 10" => { major: 10, minor: 0, callable: lambda { |product_type, suite_mask, build_number| product_type == VER_NT_WORKSTATION && build_number >= 19044 && build_number < 22000 } },
         "Windows Server 2016" => { major: 10, minor: 0, callable: lambda { |product_type, suite_mask, build_number| product_type != VER_NT_WORKSTATION && build_number <= 14393 } },
         "Windows 8.1" => { major: 6, minor: 3, callable: lambda { |product_type, suite_mask, build_number| product_type == VER_NT_WORKSTATION } },
         "Windows Server 2012 R2" => { major: 6, minor: 3, callable: lambda { |product_type, suite_mask, build_number| product_type != VER_NT_WORKSTATION } },

data/spec/data/trusted_certs/example.crt

@@ -1,22 +1,31 @@
 -----BEGIN CERTIFICATE-----
-MIIDkjCCAnoCCQDihI8kxGYTFTANBgkqhkiG9w0BAQUFADCBijELMAkGA1UEBhMC
-VVMxCzAJBgNVBAgTAldBMRAwDgYDVQQHEwdTZWF0dGxlMRAwDgYDVQQKEwdZb3VD
-b3JwMRMwEQYDVQQLEwpPcGVyYXRpb25zMRYwFAYDVQQDEw1leGFtcGxlLmxvY2Fs
-MR0wGwYJKoZIhvcNAQkBFg5tZUBleGFtcGxlLmNvbTAeFw0xMzEwMTcxODAxMzVa
-Fw0yMzEwMTUxODAxMzVaMIGKMQswCQYDVQQGEwJVUzELMAkGA1UECBMCV0ExEDAO
-BgNVBAcTB1NlYXR0bGUxEDAOBgNVBAoTB1lvdUNvcnAxEzARBgNVBAsTCk9wZXJh
-dGlvbnMxFjAUBgNVBAMTDWV4YW1wbGUubG9jYWwxHTAbBgkqhkiG9w0BCQEWDm1l
-QGV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyKBo
-U+Bdni0xZK/NCzdLdi2X+TyW5eahbYMx+r1GDcVqCICvrthBCVLVFsQ8rvOHwTPi
-AxQJGxb9TLSXRgXQSlH6FLjIUceuOtpan3qYVJ1v7AxY4DgNvYBpbtJz5MQedJnT
-g2F+rXzkwaD6CWBqWHeGU0oP3r7bq1AMD6XEsK2w2/zHtG7TEnL45ARv1PsyrU5M
-ZAW/XyoMyq1k2Lpv7YR5kAvTq1+4RSt/it2RFE7R0AVbaQ0MeAnllfySiHHHlaOT
-FVd/qPSiGISxsUmmzA3Z08+0sfJwkrnJXbLscCBYndd7gMGgtczGjJtul0Ch3GFa
-/Pn5McjwF272+usJ1wIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQCzPePWifWNECsG
-nL8on1AtFMkczE1/pdRS4YUl/Tc926MpezptSja8rL31+4Bom37/wYPG7HygtAQl
-R4FHpAtuqJKPOfjUmDNsIXRFnytrnflTpctDu/Nbj4PDCy01k/sTDUQt+s+lEBL8
-M8ArmfLZ8PCfAwnXmJQ5rggDFKqegjt6z1RsSglbMiASE7+KkpBnzaqH6fET6IQz
-WgAjv6WdRfwgfJjOTSX4XMpCSet9KaWmXExKrxiVng2Uu6E+ShVAyKaGMuc1B7VA
-oxnnVaVapFv5lOWucQr4KkC7EgaUZnyt8duOc8+Yvd+y3Xd2dcHUnmegRxly4jRV
-/lXbFAUb
+MIIFPTCCAyWgAwIBAgIUPv2sKSZA+KW0a4LxgUhiZG48AkswDQYJKoZIhvcNAQEL
+BQAwFzEVMBMGA1UEAwwMZXhhbXBsZS4uY29tMB4XDTIzMTAxNjE2MzM1M1oXDTMz
+MTAxMzE2MzM1M1owFzEVMBMGA1UEAwwMZXhhbXBsZS4uY29tMIICIjANBgkqhkiG
+9w0BAQEFAAOCAg8AMIICCgKCAgEA1NKZJQY7B8xGnaERMX4laepq3u00q1nSDS6j
+03qd1zZkW+ofMFlH5plBvULNO1jdAH9WwyMAwLu87R1QOx9fEz06J81Wtu7jheOU
+EHzn6NwWkUaX+j1oaIHIXrYnrUn5sW8w2wFEky82gPEG5SiZ6otKV2whX1ckSa3W
+ReFihEO/2/zxOEA0QzfIxFDW92wyAMDNM2/O/AMQB2jVxtWhYiqePXVUfQrIrLW1
+ytNmIWl7hoIHfVPgEoGLRe7kbT/QMTCd/lNrzF/rxUo+Aohq3WmVOdUCL4KdDnKS
+tlQFf8L4+9t19KiM9xX4GRMk9WWONk8rHln842ziv00bgD0rB3yZHlHJfGpkLdKv
+VZgcMHp31ZqVFzHapqHmXBVyEqxRIZSkZX4PN5bEdigz3Exf/vys+NAZKyJw35tn
+kF0+V/+vLlbvqZz98DDj+/KGgy7vaF3tBYBAC4px5yvnicDlBZS0GlrF1fufWQRQ
+94n8LVcG47XjaEOufpzj5Xm6ZzTYDyiqO1+mszU6BQH8W8N+sZ+q7hPBkgRZ/WJF
+gXzNh5KPeDv47oXadYXOqNzXR7wkC11H5hmgQFrDCjuc0zTi/y7Iq+NxpkuQJIDD
+/4yNVTHM6GZSeBDH7rpkjL6coShU6fu2QxSofltpz4QxNtbquRtt3A2Se7obhC9g
+OeZfIqsCAwEAAaOBgDB+MB0GA1UdDgQWBBQ8JrC+u1bsL4QTJuIkH4MyZ2+ZWzAf
+BgNVHSMEGDAWgBQ8JrC+u1bsL4QTJuIkH4MyZ2+ZWzAPBgNVHRMBAf8EBTADAQH/
+MCsGA1UdEQQkMCKCC2V4YW1wbGUuY29tgg0qLmV4YW1wbGUuY29thwQKAAABMA0G
+CSqGSIb3DQEBCwUAA4ICAQAVFkQdpfoxzNu2VyhCtrCT8a1PA7Ko+ziPR0GWBxag
+kB3NRGzCVXENuX8OjLAsBRrYDTeUwIZJD2MWLqkhqs+8Bw08c9jdyezeWmgAL0I8
+aTiPET3CwVME78JPvxAJjmdayYFanniAbE3GMk+Bf2pvFTdPI8etY6Brv+uqBbyb
+9pFspp2U05KRqTukVW2YJnWKfMR4VIBzOEA1maGwVMgnC3YPm3qsYqxXqr/jLDCg
+/EFoozne5/mNmvhSKWOUB1gsuv+3wiUOL6aZETY7RJPQADpHhJntCSeapb5DWhyr
+ZzUPGHbAyWqbfwmt7b9Pga4fQOihxi4Nf2ZnnMy32HQVqz2sOU7Fo/5rfejEQfGP
+jxt9b69Hydc3MQJF+eQVYS+NzaZyCX05kLqcGmIP4WKhjx3BkMaZVwjmYfE9WgKR
+Lcwq0aoz4Guh7Q0yICUc0PvxWLAkiXYFhthg05ZplTd+HgY3XCdO4DyG7lgL4b9t
+T6oqZv/7ivJbwTrvQXr6gGPhVq+120/mEw2qsdaQAp8v1ac5UgdCTViDkT45Ivox
+dS8VaqlVymvnLWAXtN92kQeb7bAhRmMZMNpFicFm8VS+alfijQDwhW5kOGpqtCrO
+f3QWYOehrqmHIuKw4ZhCYIy/OWkHR2j5iiZl8RFN2KhHZwLcmQTyxLaBk3SX1kCl
+qA==
 -----END CERTIFICATE-----

data/spec/data/trusted_certs/example_no_cn.crt

@@ -1,36 +1,32 @@
 -----BEGIN CERTIFICATE-----
-MIIGPzCCBCegAwIBAgIJAKwtLqBeqNzfMA0GCSqGSIb3DQEBBQUAMHIxCzAJBgNV
-BAYTAlVTMQswCQYDVQQIEwJXQTEQMA4GA1UEBxMHU2VhdHRsZTEQMA4GA1UEChMH
-WW91Q29ycDETMBEGA1UECxMKT3BlcmF0aW9uczEdMBsGCSqGSIb3DQEJARYObWVA
-ZXhhbXBsZS5jb20wHhcNMTYxMDMxMTkxMzQ2WhcNMjYxMDI5MTkxMzQ2WjByMQsw
-CQYDVQQGEwJVUzELMAkGA1UECBMCV0ExEDAOBgNVBAcTB1NlYXR0bGUxEDAOBgNV
-BAoTB1lvdUNvcnAxEzARBgNVBAsTCk9wZXJhdGlvbnMxHTAbBgkqhkiG9w0BCQEW
-Dm1lQGV4YW1wbGUuY29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA
-s1OiWnMV3shxVccqzenDBww5rSou9Ab/VqujKisJ54dXyHukYMxh9MJwlRDsy0FB
-uKRAyNfhM43hSMYhtF7NS//D1lI/LDvIQkBaH8R834bvK102Avmsx7zKPOo/CUkd
-g7uuL2eRzRszEuAREH1E7/PpTj11CjirG9i7FlbKj7vDA1Nqvtb0kHdiQuH2Cojy
-Uf1uVFyE5UliFXtePDrxpOAfJUbcSdOLsK8olKHGCb0cfN/tCfbyEY8rHGsAUK2A
-afuHRTR7pRQwfqJ5EK3DBbbFz+GSi+9zWFOudfqTsczS/HtpMbF8HBwqBAa+mpU/
-UjmhpTYQ+rgVtWtEcttboeK6jvFBFLyQ6VRcrDi/8lmAnm1Q+RZk5g3GwZMhIMNU
-5XQZf6jsUsIFBuOaRyLn9dXkgyO7gOy8n8Yw+YdIFt29kaqZ6pu9kpS0jquxzSKj
-MVS4OrThLwgazfQu/BlOvJpQfcNPI/VP9c41yHKpeoIh6oxNDc/212/wwgwPgD83
-8YXddupaSuE++h9Z10CCZgwux8deTlMjzETIMiIo8R3KV0pJgZ11akeJ8USr+QQ2
-+fO/GdpNUa5nNTgF3t4zTF3DPToqj6KDgxLhUdXopF1hLYgwr8FKOtn9KXP+I0hz
-hWzZoX9gwFLEPrUy265Gpw8TVTmNuSiiZtgJDSDKTBcCAwEAAaOB1zCB1DAdBgNV
-HQ4EFgQUr5Y6dxhyVxfhwFsEKLDIXxQ2zBswgaQGA1UdIwSBnDCBmYAUr5Y6dxhy
-VxfhwFsEKLDIXxQ2zBuhdqR0MHIxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJXQTEQ
-MA4GA1UEBxMHU2VhdHRsZTEQMA4GA1UEChMHWW91Q29ycDETMBEGA1UECxMKT3Bl
-cmF0aW9uczEdMBsGCSqGSIb3DQEJARYObWVAZXhhbXBsZS5jb22CCQCsLS6gXqjc
-3zAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4ICAQBYXgqXAnocH6i8o47c
-BZPMGO9y4LCB4YNIrZPKRNFvRl2aolA5KiBxr6WJp1iczxVA4lCmXU1LGfvRPHec
-nHtVax3+Q1JCZhBSv/txQTjgn72qoJyCsPmjyWifbE1jFdRj0g74/Eu/0ku3L0vV
-jTlqzJXQIzRkQm+Y5OrZo92tXaOgO+C0qdd6gaEaIIya6bzrBpW95NtVymhXi2Qf
-7G7Z/yw8XhoQiDJaPHF6XavC3dYvi51cehnPR4E6Jok23kbJEe3Qw5Yh747JjSsS
-Sz07CKqTFcFjHI2f1sFdDjw34lj5mtOf3pEpRGGmvzkF8zm/sVQQ2rCKnqEe7zPy
-Bg9guzVpORG+g76hGFZcYnz78LLNrIYcuYoLcbbZh404wjmifVKO5OC1dRgmJTuc
-VnJe92568Y9cUAjrLztxp5gwXgYUllsXweJ2UGiHxSBqUfCCGG5vK5sYs52HR6wJ
-wRSvwk/VHifYPxJ54RRB51ebYjmD1j41tRseHdFq21qpXSvr9DFLUJBvdN9zA/6t
-xCBlXAdYxD0n0/bruUYNoXBeMhLp+WKSAQvTlVIyqoNQCo1OBBzBVNg9otl3jw5d
-1QOhodRqmS5UQAJptuXtk8WN8OZqMCCeogIfdpa5tJG+/fxFML9EvqedS4c05Wf/
-oYdVLVWSjyoA2l4Xb4LdexAgCg==
+MIIFkzCCA3ugAwIBAgIUFwXNNBdNYJ9+hvGdKqTqEF+XwiMwDQYJKoZIhvcNAQEL
+BQAwQjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkZMMRQwEgYDVQQKDAtFeGFtcGxl
+IENvbTEQMA4GA1UECwwHVW5rbm93bjAeFw0yMzEwMTYxNjQ1NTlaFw0zMzEwMTMx
+NjQ1NTlaMEIxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJGTDEUMBIGA1UECgwLRXhh
+bXBsZSBDb20xEDAOBgNVBAsMB1Vua25vd24wggIiMA0GCSqGSIb3DQEBAQUAA4IC
+DwAwggIKAoICAQC+Hzs1xpvg7sPFIry6LO0IIvERaP2ncmQd3lPhQ1nRHqAv2Tkq
+dSNxJ0kadXw015Ze6n7+L5o8PXqPwFooaFLHqJv/iBWQvEBBCoaRoKF1mNMaaQ7c
+dD22bSeG5R01Silnewzt6fG2TdQ3hVjLMsApLEzYCUpqWXvYy/+Aqixfg9nTN+sH
+3xHTibNS69LDD+xDQ3q1IDAqLxvF7zBir5UQ7XbK2D2QrgEQ+OM5rXbkcM3KFIh0
+bGKN7NyP202drGwcTy3DDq5ojfyC9fIRT2YuAAAZO6UFRmc9Dr59F1ukGe6m4lxq
+4u4Pj0LlLdB8ufbCb5wr7bRXuGCWfwGAQrK9z5YlTxoCb9wmA80spM7xSQRewAb6
+ibJB9FwdjItwZf2YkMmSy3lt63HunN62DvlfvHzQBd5sfNSOX09i/VCxuy2xget2
+F2ToOyWpjLt/+Vqni8S8ZiD9M8X0lWApwtkDWDxFMFPSAPlerqCcQANhGN3PKSMj
+jHxU20oNxs6LkxQJPLJZCkBz2Y2ND6dXY0B9UuxM5HsFQb6CdYhsdWUPYUXMf1Jy
+zlXHb6j6XCFvrx9Wf5WVw1ubEWMVBZEqHpLsR4p0gnHwcZFGa0PcQj2LncevRglt
+qTWfHnupxlzAjkZefahG9Lp0WJgG3y2kMiTIL2sSsJGvybbatAvw83RBrwIDAQAB
+o4GAMH4wHQYDVR0OBBYEFEhnFG/xXEKQa/jFbs4EZKh2r1vCMB8GA1UdIwQYMBaA
+FEhnFG/xXEKQa/jFbs4EZKh2r1vCMA8GA1UdEwEB/wQFMAMBAf8wKwYDVR0RBCQw
+IoILZXhhbXBsZS5jb22CDSouZXhhbXBsZS5jb22HBAoAAAEwDQYJKoZIhvcNAQEL
+BQADggIBAFItDIIoQLS377pgmAcTMADW4b4T5SL7cqhukgvg81l0hAJLzE5cCdqu
+8UTR3N+uvwVq0SnP5fuNoyBfcL52NeCaQZMO8N4IEd1VDjwu1XXxav+AbWwaT4Yo
+OPDWIGGjkCtf2xZsXWFQ0xW+68bZvD6hN9yKp+W2bu1UFqcKCiY/Klhol+2t3eLX
+xP/fM4nMo6iMZhY4FQCWI/NKbuFPwzHLtrrBURCoX50+fvekOdfRHq771mJvzZKE
+AAIKAvYoYdFfeuaX5N9/UNjMhZ92mw1IIsdbmsCxvHrWsrczmXeP3u1lvxQnkjWL
+vg3Zpdv2a0vpYx6nSunko0XA7qnoE+0gdP/uRhMaGiE9QCu3KdZji62gKHuxgc+u
+/i23kmyqOTC36o/a725eb6fMnGFVSxQ0DXlPSPQnJ2tsGMAM37fxoPfF9IamrmdD
+Q0Usia+XzBckD0sSG8j50x2of9NS3vFFgWM1Cas55XWzlkDGbIJMlrKOj01bUYNq
+ltmMfavmpMPA86p8QHRmWlQhtgu+OK/8RxmGtQdtBi8Gdk3mNMkokSQCVcDWvNhX
+pVFCGya51orBgbWqxbAsIeiv7Pl85edXm8KolJ389xkXqFvX31hme5KnyBhCcRrv
+EZbXRhY3O58t7SlKWVCnx/JmEkJcRJtZaEReF1LbBayExYNnj/sD
 -----END CERTIFICATE-----