DSCResources/Grani_PfxImport/Grani_PfxImport.psm1

#region Initialize

function Initialize {
    # Cert Store Location
    $script:certStoreLocation = [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine

    # Cert Path
    $script:certStoreLocationPath = "Cert:\{0}\{1}"

    # Enum for Ensure
    try {
        Add-Type -TypeDefinition @"
        public enum EnsureType
        {
            Present,
            Absent
        }
"@

    }
    catch {
    }
}

Initialize

#endregion

#region Message Definition

$debugMessage = DATA {
    ConvertFrom-StringData -StringData "
        ImportPfx = Importing certificate PFX '{0}' to CertStoreLocation '{1}', CertStore '{2}'.
        RemovePfx = Removing pfx from Cert path '{0}'.
    "

}

$verboseMessage = DATA {
    ConvertFrom-StringData -StringData "
    "

}

$exceptionMessage = DATA {
    ConvertFrom-StringData -StringData "
        CertificateFileNotFoundException = Certificate not found in '{0}'. Make sure you have been already place it.
    "

}

#endregion


#region *-TargetResource

function Set-TargetResource {
    [CmdletBinding()]
    [OutputType([Void])]
    param
    (
        [parameter(Mandatory = $true)]
        [System.String]$ThumbPrint,

        [parameter(Mandatory = $true)]
        [ValidateSet("Present", "Absent")]
        [System.String]$Ensure,

        [parameter(Mandatory = $false)]
        [System.String]$PfxFilePath,

        [parameter(Mandatory = $false)]
        [System.Security.Cryptography.X509Certificates.StoreName]$CertStoreName = [System.Security.Cryptography.X509Certificates.StoreName]::My,

        [parameter(Mandatory = $false)]
        [System.Management.Automation.PSCredential]$Credential
    )

    # Ensure = Absent
    if ($Ensure -eq [EnsureType]::Absent.ToString()) {
        $certPath = GetCertPath -CertStoreName $CertStoreName
        $pfx = Get-ChildItem -Path $certPath | where ThumbPrint -eq $ThumbPrint
        if ($pfx -ne $null) {
            Write-Debug ($debugMessage.RemovePfx -f $pfx.PSPath)
            Remove-Item -Path $pfx.PSPath -Force > $null
        }
        return
    }

    # Ensure = Present
    if (-not (Test-Path $PfxFilePath)) {
        throw New-Object System.IO.FileNotFoundException ($exceptionMessage.CertificateFileNotFoundException -f $PfxFilePath)
    }

    # pfx identification
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet -bor [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet
    $pfxToImport = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PfxFilePath, $Credential.GetNetworkCredential().Password, $flags
    $pfxStore = New-Object System.Security.Cryptography.X509Certificates.X509Store $CertStoreName, $script:certStoreLocation

    try {
        # Import pfx
        Write-Debug ($debugMessage.ImportPfx -f $PfxFilePath, $script:certStoreLocation, $CertStoreName)
        $pfxStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::MaxAllowed)
        $pfxStore.Add($pfxToImport) > $null
    }
    finally {
        $PFXStore.Close()
    }    
}

function Get-TargetResource {
    [CmdletBinding()]
    [OutputType([System.Collections.Hashtable])]
    param
    (
        [parameter(Mandatory = $true)]
        [System.String]$ThumbPrint,

        [parameter(Mandatory = $true)]
        [ValidateSet("Present", "Absent")]
        [System.String]$Ensure,

        [parameter(Mandatory = $false)]
        [System.String]$PfxFilePath,

        [parameter(Mandatory = $false)]
        [System.Security.Cryptography.X509Certificates.StoreName]$CertStoreName = [System.Security.Cryptography.X509Certificates.StoreName]::My,

        [parameter(Mandatory = $false)]
        [System.Management.Automation.PSCredential]$Credential
    )

    $certPath = GetCertPath -CertStoreName $CertStoreName
    $pfx = Get-ChildItem -Path $certPath | where ThumbPrint -eq $ThumbPrint

    $ensureResult = if ($pfx -eq $null) {
        [EnsureType]::Absent
    }
    else {
        [EnsureType]::Present
    }

    $returnValue = @{
        ThumbPrint        = $ThumbPrint
        Ensure            = $ensureResult
        PfxFilePath       = $PfxFilePath
        CertStoreLocation = $script:certStoreLocation
        CertStoreName     = $CertStoreName
        Credential        = New-CimInstance -ClassName MSFT_Credential -Property @{Username = [string]$Credential.UserName; Password = [string]$null} -Namespace root/microsoft/windows/desiredstateconfiguration -ClientOnly
    }
    return $returnValue
}

function Test-TargetResource {
    [CmdletBinding()]
    [OutputType([System.Boolean])]
    param
    (
        [parameter(Mandatory = $true)]
        [System.String]$ThumbPrint,

        [parameter(Mandatory = $true)]
        [ValidateSet("Present", "Absent")]
        [System.String]$Ensure,

        [parameter(Mandatory = $false)]
        [System.String]$PfxFilePath,

        [parameter(Mandatory = $false)]
        [System.Security.Cryptography.X509Certificates.StoreName]$CertStoreName = [System.Security.Cryptography.X509Certificates.StoreName]::My,

        [parameter(Mandatory = $false)]
        [System.Management.Automation.PSCredential]$Credential
    )
    
    $result = Get-TargetResource -ThumbPrint $ThumbPrint -Ensure $Ensure -CertStoreName $CertStoreName
    return $result.Ensure -eq $Ensure
}

#endregion

#region Cert Helper

function GetCertPath {
    [CmdletBinding()]
    [OutputType([System.String])]
    param
    (
        [parameter(Mandatory = $false)]
        [System.Security.Cryptography.X509Certificates.StoreName]$CertStoreName
    )

    return $script:certStoreLocationPath -f $script:certStoreLocation, $CertStoreName.ToString()
}

#endregion

Export-ModuleMember -Function *-TargetResource