Merge pull request #18 from Keyfactor/revokebug

Revokebug fixes ab#58448

Author: fiddlermikey

CHANGELOG.md

@@ -1,3 +1,6 @@
+v1.1.1
+- Fix Revoke Serial Number Mismatch KF 10.1 and 22.1.0 GW combination
+- Only Syncing and GetSingleRecord on End Entity Cert to prevent errors.
 
 v1.1.0
 - Add Support for CNAME Domain Validation 

CscGlobalCaProxy/CscGlobalCaProxy.cs

@@ -34,24 +34,34 @@ public CscGlobalCaProxy()
         public override int Revoke(string caRequestId, string hexSerialNumber, uint revocationReason)
         {
 
-            Logger.Trace($"Staring Revoke Method");
-            var revokeResponse =
-                Task.Run(async () =>
-                        await CscGlobalClient.SubmitRevokeCertificateAsync(caRequestId.Substring(0, 36)))
-                    .Result; //todo fix to use pipe delimiter
+            try
+            {
+                Logger.Trace($"Staring Revoke Method");
+                var revokeResponse =
+                    Task.Run(async () =>
+                            await CscGlobalClient.SubmitRevokeCertificateAsync(caRequestId.Substring(0, 36)))
+                        .Result; //todo fix to use pipe delimiter
 
-            Logger.Trace($"Revoke Response JSON: {JsonConvert.SerializeObject(revokeResponse)}");
-            Logger.MethodExit(ILogExtensions.MethodLogLevel.Debug);
+                Logger.Trace($"Revoke Response JSON: {JsonConvert.SerializeObject(revokeResponse)}");
+                Logger.MethodExit(ILogExtensions.MethodLogLevel.Debug);
+
+                var revokeResult = _requestManager.GetRevokeResult(revokeResponse);
 
-            var revokeResult = _requestManager.GetRevokeResult(revokeResponse);
+                if (revokeResult == Convert.ToInt32(PKIConstants.Microsoft.RequestDisposition.FAILED))
+                {
+                    if (!string.IsNullOrEmpty(revokeResponse?.RegistrationError?.Description))
+                    {
+                        throw new UnsuccessfulRequestException($"Revoke Failed with message {revokeResponse?.RegistrationError?.Description}", 30);
+                    }
+                }
 
-            if (revokeResult == Convert.ToInt32(PKIConstants.Microsoft.RequestDisposition.FAILED))
+                return revokeResult;
+            }
+            catch(Exception e)
             {
-                return -1;
+                throw new Exception($"Revoke Failed with message {e?.Message}");
             }
 
-            return revokeResult;
-
         }
 
         [Obsolete]
@@ -96,27 +106,24 @@ public override void Synchronize(ICertificateDataReader certificateDataReader,
 
                             if (fileContent.Length > 0)
                             {
+                                Logger.Trace($"File Content {fileContent}");
                                 var certData = fileContent.Replace("\r\n", string.Empty);
-                                var splitCerts =
-                                    certData.Split(new[] { "-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----" },
-                                        StringSplitOptions.RemoveEmptyEntries);
-                                foreach (var cert in splitCerts)
-                                    if (!cert.Contains(".crt"))
+                                var certString = GetEndEntityCertificate(certData);
+                                var currentCert = new X509Certificate2(Encoding.ASCII.GetBytes(certString));
+
+                                if (certString.Length > 0)
+                                {
+                                    blockingBuffer.Add(new CAConnectorCertificate
                                     {
-                                        Logger.Trace($"Split Cert Value: {cert}");
-
-                                        var currentCert = new X509Certificate2(Encoding.ASCII.GetBytes(cert));
-                                        blockingBuffer.Add(new CAConnectorCertificate
-                                        {
-                                            CARequestID = $"{currentResponseItem?.Uuid}",
-                                            Certificate = cert,
-                                            SubmissionDate = currentResponseItem?.OrderDate == null
-                                                ? Convert.ToDateTime(currentCert.NotBefore)
-                                                : Convert.ToDateTime(currentResponseItem.OrderDate),
-                                            Status = certStatus,
-                                            ProductID = productId
-                                        }, cancelToken);
-                                    }
+                                        CARequestID = $"{currentResponseItem?.Uuid}",
+                                        Certificate = certString,
+                                        SubmissionDate = currentResponseItem?.OrderDate == null
+                                            ? Convert.ToDateTime(currentCert.NotBefore)
+                                            : Convert.ToDateTime(currentResponseItem.OrderDate),
+                                        Status = certStatus,
+                                        ProductID = productId
+                                    }, cancelToken);
+                                }
                             }
                         }
                     }
@@ -134,6 +141,41 @@ public override void Synchronize(ICertificateDataReader certificateDataReader,
             Logger.MethodExit(ILogExtensions.MethodLogLevel.Debug);
         }
 
+        private string GetEndEntityCertificate(string certData)
+        {
+            var splitCerts =
+                certData.Split(new[] {"-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----"},
+                    StringSplitOptions.RemoveEmptyEntries);
+            
+            X509Certificate2Collection col = new X509Certificate2Collection();
+            foreach (var cert in splitCerts)
+            {
+                Logger.Trace($"Split Cert Value: {cert}");
+
+                //skip these headers that came with the split function
+                if (!cert.Contains(".crt"))
+                {
+                    col.Import(Encoding.UTF8.GetBytes(cert));
+                }
+            }
+
+            Logger.Trace("Getting End Entity Certificate");
+            var currentCert = CSS.PKI.X509.X509Utilities.GetEndEntityCertificate(col);
+            Logger.Trace("Converting to Byte Array");
+            var byteArray = currentCert?.Export(X509ContentType.Cert);
+            Logger.Trace("Initializing empty string");
+
+            var certString = string.Empty;
+            if (byteArray != null)
+            {
+                certString = Convert.ToBase64String(byteArray);
+            }
+
+            Logger.Trace($"Got certificate {certString}");
+            
+            return certString;
+        }
+
         [Obsolete]
         public override EnrollmentResult Enroll(string csr, string subject, Dictionary<string, string[]> san,
             EnrollmentProductInfo productInfo,
@@ -239,22 +281,42 @@ public override EnrollmentResult Enroll(ICertificateDataReader certificateDataRe
 
         public override CAConnectorCertificate GetSingleRecord(string caRequestId)
         {
-            Logger.MethodEntry(ILogExtensions.MethodLogLevel.Debug);
-            var keyfactorCaId = caRequestId.Substring(0, 36); //todo fix to use pipe delimiter
-            Logger.Trace($"Keyfactor Ca Id: {keyfactorCaId}");
-            var certificateResponse =
-                Task.Run(async () => await CscGlobalClient.SubmitGetCertificateAsync(keyfactorCaId))
-                    .Result;
+            try
+            {
+                Logger.MethodEntry(ILogExtensions.MethodLogLevel.Debug);
+                var keyfactorCaId = caRequestId?.Substring(0, 36); //todo fix to use pipe delimiter
+                Logger.Trace($"Keyfactor Ca Id: {keyfactorCaId}");
+                var certificateResponse =
+                    Task.Run(async () => await CscGlobalClient.SubmitGetCertificateAsync(keyfactorCaId))
+                        .Result;
+                
+                Logger.Trace($"Single Cert JSON: {JsonConvert.SerializeObject(certificateResponse)}");
+
+                var fileContent =
+                    Encoding.ASCII.GetString(
+                        Convert.FromBase64String(certificateResponse?.Certificate ?? string.Empty));
+
+                Logger.Trace($"File Content {fileContent}");
+                var certData = fileContent?.Replace("\r\n", string.Empty);
+                var certString = String.Empty;
+                if (!string.IsNullOrEmpty(certData))
+                    certString = GetEndEntityCertificate(certData);
+                Logger.Trace($"Cert String Content {certString}");
 
-            Logger.Trace($"Single Cert JSON: {JsonConvert.SerializeObject(certificateResponse)}");
-            Logger.MethodExit(ILogExtensions.MethodLogLevel.Debug);
-            return new CAConnectorCertificate
+                Logger.MethodExit(ILogExtensions.MethodLogLevel.Debug);
+
+                return new CAConnectorCertificate
+                {
+                    CARequestID = keyfactorCaId,
+                    Certificate = certString,
+                    Status = _requestManager.MapReturnStatus(certificateResponse?.Status),
+                    SubmissionDate = Convert.ToDateTime(certificateResponse?.OrderDate)
+                };
+            }
+            catch(Exception e)
             {
-                CARequestID = keyfactorCaId,
-                Certificate = certificateResponse.Certificate,
-                Status = _requestManager.MapReturnStatus(certificateResponse.Status),
-                SubmissionDate = Convert.ToDateTime(certificateResponse.OrderDate)
-            };
+                throw new Exception($"Error Occurred getting single cert {e.Message}");
+            }
         }
 
         public override void Initialize(ICAConnectorConfigProvider configProvider)

CscGlobalCaProxy/RequestManager.cs

@@ -160,6 +160,12 @@ private string GetCertificateType(string productId)
                     return "2";
                 case "CSC TrustedSecure Premium Wildcard Certificate":
                     return "1";
+                case "CSC Trusted Secure Domain Validated SSL":
+                    return "4";
+                case "CSC Trusted Secure Domain Validated Wildcard SSL":
+                    return "5";
+                case "CSC Trusted Secure Domain Validated UC Certificate":
+                    return "6";
                 case "CSC TrustedSecure Domain Validated SSL":
                     return "4";
                 case "CSC TrustedSecure Domain Validated Wildcard SSL":

README.md

@@ -1,28 +1,39 @@
+
 # CSC Global
 
 Csc Global operates a PKI as a service platform for customers around the globe.  The AnyGateway solution for CscGlobal is designed to allow Keyfactor Command the ability to: - Sync certificates issued from the CA - Request new certificates from the CA - Revoke certificates directly from Keyfactor Command
 
 #### Integration status: Production - Ready for use in production environments.
 
+## About the Keyfactor AnyCA Gateway DCOM Connector
 
-## About the Keyfactor AnyGateway CA Connector
-
-This repository contains an AnyGateway CA Connector, which is a plugin to the Keyfactor AnyGateway. AnyGateway CA Connectors allow Keyfactor Command to be used for inventory, issuance, and revocation of certificates from a third-party certificate authority.
-
+This repository contains an AnyCA Gateway Connector, which is a plugin to the Keyfactor AnyGateway. AnyCA Gateway Connectors allow Keyfactor Command to be used for inventory, issuance, and revocation of certificates from a third-party certificate authority.
 
 ## Support for CSC Global
 
 CSC Global is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket via the Keyfactor Support Portal at https://support.keyfactor.com
 
 ###### To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab.
 
+---
+
 
 ---
 
 
 
 
 
+## Keyfactor AnyCA Gateway Framework Supported
+The Keyfactor gateway framework implements common logic shared across various gateway implementations and handles communication with Keyfactor Command. The gateway framework hosts gateway implementations or plugins that understand how to communicate with specific CAs. This allows you to integrate your third-party CAs with Keyfactor Command such that they behave in a manner similar to the CAs natively supported by Keyfactor Command.
+
+
+
+
+This gateway extension was compiled against version  of the AnyCA Gateway DCOM Framework.  You will need at least this version of the framework Installed. If you have a later AnyGateway Framework Installed you will probably need to add binding redirects in the CAProxyServer.exe.config file to make things work properly.
+
+
+[Keyfactor CAGateway Install Guide](https://software.keyfactor.com/Guides/AnyGateway_Generic/Content/AnyGateway/Introduction.htm)
 
 
 
@@ -464,3 +475,4 @@ Set-KeyfactorGatewayConfig -LogicalName "CSCGlobal" -FilePath [path to json file
 ### License
 [Apache](https://apache.org/licenses/LICENSE-2.0)
 
+