Keyfactor · bhillkeyfactor · Oct 17, 2024 · Jan 10, 2024 · Jan 11, 2024 · May 21, 2024
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,6 @@
+v1.1.1
+- Fix Revoke Serial Number Mismatch KF 10.1 and 22.1.0 GW combination
+- Only Syncing and GetSingleRecord on End Entity Cert to prevent errors.
 
 v1.1.0
 - Add Support for CNAME Domain Validation 

diff --git a/CscGlobalCaProxy/CscGlobalCaProxy.cs b/CscGlobalCaProxy/CscGlobalCaProxy.cs
@@ -34,24 +34,34 @@ public CscGlobalCaProxy()
         public override int Revoke(string caRequestId, string hexSerialNumber, uint revocationReason)
         {
 
-            Logger.Trace($"Staring Revoke Method");
-            var revokeResponse =
-                Task.Run(async () =>
-                        await CscGlobalClient.SubmitRevokeCertificateAsync(caRequestId.Substring(0, 36)))
-                    .Result; //todo fix to use pipe delimiter
+            try
+            {
+                Logger.Trace($"Staring Revoke Method");
+                var revokeResponse =
+                    Task.Run(async () =>
+                            await CscGlobalClient.SubmitRevokeCertificateAsync(caRequestId.Substring(0, 36)))
+                        .Result; //todo fix to use pipe delimiter
 
-            Logger.Trace($"Revoke Response JSON: {JsonConvert.SerializeObject(revokeResponse)}");
-            Logger.MethodExit(ILogExtensions.MethodLogLevel.Debug);
+                Logger.Trace($"Revoke Response JSON: {JsonConvert.SerializeObject(revokeResponse)}");
+                Logger.MethodExit(ILogExtensions.MethodLogLevel.Debug);
+
+                var revokeResult = _requestManager.GetRevokeResult(revokeResponse);
 
-            var revokeResult = _requestManager.GetRevokeResult(revokeResponse);
+                if (revokeResult == Convert.ToInt32(PKIConstants.Microsoft.RequestDisposition.FAILED))
+                {
+                    if (!string.IsNullOrEmpty(revokeResponse?.RegistrationError?.Description))
+                    {
+                        throw new UnsuccessfulRequestException($"Revoke Failed with message {revokeResponse?.RegistrationError?.Description}", 30);
+                    }
+                }
 
-            if (revokeResult == Convert.ToInt32(PKIConstants.Microsoft.RequestDisposition.FAILED))
+                return revokeResult;
+            }
+            catch(Exception e)
             {
-                return -1;
+                throw new Exception($"Revoke Failed with message {e?.Message}");
             }
 
-            return revokeResult;
-
         }
 
         [Obsolete]
@@ -96,27 +106,24 @@ public override void Synchronize(ICertificateDataReader certificateDataReader,
 
                             if (fileContent.Length > 0)
                             {
+                                Logger.Trace($"File Content {fileContent}");
                                 var certData = fileContent.Replace("\r\n", string.Empty);
-                                var splitCerts =
-                                    certData.Split(new[] { "-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----" },
-                                        StringSplitOptions.RemoveEmptyEntries);
-                                foreach (var cert in splitCerts)
-                                    if (!cert.Contains(".crt"))
+                                var certString = GetEndEntityCertificate(certData);
+                                var currentCert = new X509Certificate2(Encoding.ASCII.GetBytes(certString));
+
+                                if (certString.Length > 0)
+                                {
+                                    blockingBuffer.Add(new CAConnectorCertificate
                                     {
-                                        Logger.Trace($"Split Cert Value: {cert}");
-
-                                        var currentCert = new X509Certificate2(Encoding.ASCII.GetBytes(cert));
-                                        blockingBuffer.Add(new CAConnectorCertificate
-                                        {
-                                            CARequestID = $"{currentResponseItem?.Uuid}",
-                                            Certificate = cert,
-                                            SubmissionDate = currentResponseItem?.OrderDate == null
-                                                ? Convert.ToDateTime(currentCert.NotBefore)
-                                                : Convert.ToDateTime(currentResponseItem.OrderDate),
-                                            Status = certStatus,
-                                            ProductID = productId
-                                        }, cancelToken);
-                                    }
+                                        CARequestID = $"{currentResponseItem?.Uuid}",
+                                        Certificate = certString,
+                                        SubmissionDate = currentResponseItem?.OrderDate == null
+                                            ? Convert.ToDateTime(currentCert.NotBefore)
+                                            : Convert.ToDateTime(currentResponseItem.OrderDate),
+                                        Status = certStatus,
+                                        ProductID = productId
+                                    }, cancelToken);
+                                }
                             }
                         }
                     }
@@ -134,6 +141,41 @@ public override void Synchronize(ICertificateDataReader certificateDataReader,
             Logger.MethodExit(ILogExtensions.MethodLogLevel.Debug);
         }
 
+        private string GetEndEntityCertificate(string certData)
+        {
+            var splitCerts =
+                certData.Split(new[] {"-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----"},
+                    StringSplitOptions.RemoveEmptyEntries);
+
+            X509Certificate2Collection col = new X509Certificate2Collection();
+            foreach (var cert in splitCerts)
+            {
+                Logger.Trace($"Split Cert Value: {cert}");
+
+                //skip these headers that came with the split function
+                if (!cert.Contains(".crt"))
+                {
+                    col.Import(Encoding.UTF8.GetBytes(cert));
+                }
+            }
+
+            Logger.Trace("Getting End Entity Certificate");
+            var currentCert = CSS.PKI.X509.X509Utilities.GetEndEntityCertificate(col);
+            Logger.Trace("Converting to Byte Array");
+            var byteArray = currentCert?.Export(X509ContentType.Cert);
+            Logger.Trace("Initializing empty string");
+
+            var certString = string.Empty;
+            if (byteArray != null)
+            {
+                certString = Convert.ToBase64String(byteArray);
+            }
+
+            Logger.Trace($"Got certificate {certString}");
+
+            return certString;
+        }
+
         [Obsolete]
         public override EnrollmentResult Enroll(string csr, string subject, Dictionary<string, string[]> san,
             EnrollmentProductInfo productInfo,
@@ -239,22 +281,42 @@ public override EnrollmentResult Enroll(ICertificateDataReader certificateDataRe
 
         public override CAConnectorCertificate GetSingleRecord(string caRequestId)
         {
-            Logger.MethodEntry(ILogExtensions.MethodLogLevel.Debug);
-            var keyfactorCaId = caRequestId.Substring(0, 36); //todo fix to use pipe delimiter
-            Logger.Trace($"Keyfactor Ca Id: {keyfactorCaId}");
-            var certificateResponse =
-                Task.Run(async () => await CscGlobalClient.SubmitGetCertificateAsync(keyfactorCaId))
-                    .Result;
+            try
+            {
+                Logger.MethodEntry(ILogExtensions.MethodLogLevel.Debug);
+                var keyfactorCaId = caRequestId?.Substring(0, 36); //todo fix to use pipe delimiter
+                Logger.Trace($"Keyfactor Ca Id: {keyfactorCaId}");
+                var certificateResponse =
+                    Task.Run(async () => await CscGlobalClient.SubmitGetCertificateAsync(keyfactorCaId))
+                        .Result;
+
+                Logger.Trace($"Single Cert JSON: {JsonConvert.SerializeObject(certificateResponse)}");
+
+                var fileContent =
+                    Encoding.ASCII.GetString(
+                        Convert.FromBase64String(certificateResponse?.Certificate ?? string.Empty));
+
+                Logger.Trace($"File Content {fileContent}");
+                var certData = fileContent?.Replace("\r\n", string.Empty);
+                var certString = String.Empty;
+                if (!string.IsNullOrEmpty(certData))
+                    certString = GetEndEntityCertificate(certData);
+                Logger.Trace($"Cert String Content {certString}");
 
-            Logger.Trace($"Single Cert JSON: {JsonConvert.SerializeObject(certificateResponse)}");
-            Logger.MethodExit(ILogExtensions.MethodLogLevel.Debug);
-            return new CAConnectorCertificate
+                Logger.MethodExit(ILogExtensions.MethodLogLevel.Debug);
+
+                return new CAConnectorCertificate
+                {
+                    CARequestID = keyfactorCaId,
+                    Certificate = certString,
+                    Status = _requestManager.MapReturnStatus(certificateResponse?.Status),
+                    SubmissionDate = Convert.ToDateTime(certificateResponse?.OrderDate)
+                };
+            }
+            catch(Exception e)
             {
-                CARequestID = keyfactorCaId,
-                Certificate = certificateResponse.Certificate,
-                Status = _requestManager.MapReturnStatus(certificateResponse.Status),
-                SubmissionDate = Convert.ToDateTime(certificateResponse.OrderDate)
-            };
+                throw new Exception($"Error Occurred getting single cert {e.Message}");
+            }
         }
 
         public override void Initialize(ICAConnectorConfigProvider configProvider)

diff --git a/CscGlobalCaProxy/RequestManager.cs b/CscGlobalCaProxy/RequestManager.cs
@@ -160,6 +160,12 @@ private string GetCertificateType(string productId)
                     return "2";
                 case "CSC TrustedSecure Premium Wildcard Certificate":
                     return "1";
+                case "CSC Trusted Secure Domain Validated SSL":
+                    return "4";
+                case "CSC Trusted Secure Domain Validated Wildcard SSL":
+                    return "5";
+                case "CSC Trusted Secure Domain Validated UC Certificate":
+                    return "6";
                 case "CSC TrustedSecure Domain Validated SSL":
                     return "4";
                 case "CSC TrustedSecure Domain Validated Wildcard SSL":

diff --git a/README.md b/README.md
@@ -5,9 +5,9 @@ Csc Global operates a PKI as a service platform for customers around the globe.
 
 #### Integration status: Production - Ready for use in production environments.
 
-## About the Keyfactor AnyGateway CA Connector
+## About the Keyfactor AnyCA Gateway DCOM Connector
 
-This repository contains an AnyGateway CA Connector, which is a plugin to the Keyfactor AnyGateway. AnyGateway CA Connectors allow Keyfactor Command to be used for inventory, issuance, and revocation of certificates from a third-party certificate authority.
+This repository contains an AnyCA Gateway Connector, which is a plugin to the Keyfactor AnyGateway. AnyCA Gateway Connectors allow Keyfactor Command to be used for inventory, issuance, and revocation of certificates from a third-party certificate authority.
 
 ## Support for CSC Global
 
@@ -24,9 +24,16 @@ CSC Global is supported by Keyfactor for Keyfactor customers. If you have a supp
 
 
 
-## Keyfactor AnyGateway Framework Supported
+## Keyfactor AnyCA Gateway Framework Supported
+The Keyfactor gateway framework implements common logic shared across various gateway implementations and handles communication with Keyfactor Command. The gateway framework hosts gateway implementations or plugins that understand how to communicate with specific CAs. This allows you to integrate your third-party CAs with Keyfactor Command such that they behave in a manner similar to the CAs natively supported by Keyfactor Command.
 
-This gateway was compiled against version  of the AnyGateway Framework.  You will need at least this version of the AnyGateway Framework Installed.  If you have a later AnyGateway Framework Installed you will probably need to add binding redirects in the CAProxyServer.exe.config file to make things work properly.
+
+
+
+This gateway extension was compiled against version  of the AnyCA Gateway DCOM Framework.  You will need at least this version of the framework Installed. If you have a later AnyGateway Framework Installed you will probably need to add binding redirects in the CAProxyServer.exe.config file to make things work properly.
+
+
+[Keyfactor CAGateway Install Guide](https://software.keyfactor.com/Guides/AnyGateway_Generic/Content/AnyGateway/Introduction.htm)
 
 
 
@@ -468,3 +475,4 @@ Set-KeyfactorGatewayConfig -LogicalName "CSCGlobal" -FilePath [path to json file
 ### License
 [Apache](https://apache.org/licenses/LICENSE-2.0)
 
+