dns updates

Author: bhillkeyfactor

AcmeCaPlugin/AcmeCaPlugin.cs

@@ -1,27 +1,28 @@
 // Copyright 2025 Keyfactor
 // Licensed under the Apache License, Version 2.0
-using System;
-using System.Collections.Generic;
-using System.Threading.Tasks;
+using ACMESharp.Authorizations;
+using ACMESharp.Protocol;
+using ACMESharp.Protocol.Resources;
 using Keyfactor.AnyGateway.Extensions;
+using Keyfactor.Extensions.CAPlugin.Acme.Clients.Acme;
+using Keyfactor.Extensions.CAPlugin.Acme.Clients.DNS;
 using Keyfactor.Logging;
 using Keyfactor.PKI.Enums.EJBCA;
 using Microsoft.Extensions.Logging;
 using Newtonsoft.Json;
-using System.Linq;
-using System.Net.Http;
-using ACMESharp.Authorizations;
-using Keyfactor.Extensions.CAPlugin.Acme.Clients.Acme;
-using System.Threading;
-using ACMESharp.Protocol.Resources;
-using ACMESharp.Protocol;
-using System.Text;
-using Keyfactor.Extensions.CAPlugin.Acme.Clients.DNS;
-using System.Text.RegularExpressions;
 using Org.BouncyCastle.Asn1;
 using Org.BouncyCastle.Asn1.Pkcs;
 using Org.BouncyCastle.Asn1.X509;
 using Org.BouncyCastle.Pkcs;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Net.Http;
+using System.Text;
+using System.Text.RegularExpressions;
+using System.Threading;
+using System.Threading.Tasks;
+using static Org.BouncyCastle.Math.EC.ECCurve;
 
 namespace Keyfactor.Extensions.CAPlugin.Acme
 {
@@ -62,6 +63,7 @@ public class AcmeCaPlugin : IAnyCAPlugin
     {
         private static readonly ILogger _logger = LogHandler.GetClassLogger<AcmeCaPlugin>();
         private IAnyCAPluginConfigProvider Config { get; set; }
+        private IDomainValidator _domainValidator;
 
         // Constants for better maintainability
         private const string DEFAULT_PRODUCT_ID = "default";
@@ -76,6 +78,8 @@ public void Initialize(IAnyCAPluginConfigProvider configProvider, ICertificateDa
         {
             _logger.MethodEntry();
             Config = configProvider ?? throw new ArgumentNullException(nameof(configProvider));
+            _domainValidator = new Dns01DomainValidator();
+            _domainValidator.Initialize(new DomainValidatorConfigProvider(configProvider.CAConnectionData));
             _logger.MethodExit();
         }
 
@@ -230,6 +234,7 @@ public async Task<EnrollmentResult> Enroll(
         {
             _logger.MethodEntry();
 
+
             if (string.IsNullOrWhiteSpace(csr))
                 throw new ArgumentException("CSR cannot be null or empty", nameof(csr));
             if (string.IsNullOrWhiteSpace(subject))
@@ -471,74 +476,47 @@ private async Task ProcessAuthorizations(AcmeClient acmeClient, OrderDetails ord
             var dnsVerifier = new DnsVerificationHelper(_logger, config.DnsVerificationServer);
             var pendingChallenges = new List<(Authorization authz, Challenge challenge, Dns01ChallengeValidationDetails validation)>();
 
-            // First pass: Create all DNS records
+            // First pass: Create all DNS records using IDomainValidator
             foreach (var authzUrl in payload.Authorizations)
             {
                 var authz = await acmeClient.GetAuthorizationAsync(authzUrl);
 
-                // Skip if authorization is already valid (cached)
                 if (authz.Status == "valid")
                 {
                     _logger.LogInformation("Using cached authorization for {Domain}", authz.Identifier.Value);
                     continue;
                 }
 
-                // Find DNS-01 challenge
                 var challenge = authz.Challenges.FirstOrDefault(c => c.Type == DNS_CHALLENGE_TYPE);
                 if (challenge == null)
                     throw new InvalidOperationException($"{DNS_CHALLENGE_TYPE} challenge not available");
 
-                // Decode challenge validation details
                 var validation = acmeClient.DecodeChallengeValidation(authz, challenge) as Dns01ChallengeValidationDetails;
                 if (validation == null)
                     throw new InvalidOperationException($"Failed to decode {DNS_CHALLENGE_TYPE} challenge validation details");
 
-                // Create DNS record (will throw exception with details if it fails)
-                var dnsProvider = DnsProviderFactory.Create(config, _logger);
-                await dnsProvider.CreateRecordAsync(validation.DnsRecordName, validation.DnsRecordValue);
+                // Use IDomainValidator instead of DnsProviderFactory directly
+                var result = await _domainValidator.StageValidation(
+                    validation.DnsRecordName,
+                    validation.DnsRecordValue,
+                    CancellationToken.None);
+
+                if (!result.Success)
+                    throw new InvalidOperationException($"Failed to stage DNS validation: {result.ErrorMessage}");
 
                 _logger.LogInformation("Created DNS record {RecordName} for domain {Domain}",
                     validation.DnsRecordName, authz.Identifier.Value);
 
                 pendingChallenges.Add((authz, challenge, validation));
             }
 
-            // Second pass: Wait for DNS propagation and submit challenges
+            // Second pass: Wait for propagation and submit challenges
+            // ... rest of your existing code ...
+
+            // Optional: Cleanup after challenges complete
             foreach (var (authz, challenge, validation) in pendingChallenges)
             {
-                // Skip external DNS verification for Infoblox since it cannot ping external DNS providers
-                bool isInfoblox = config.DnsProvider?.Trim().Equals("infoblox", StringComparison.OrdinalIgnoreCase) ?? false;
-
-                if (isInfoblox)
-                {
-                    _logger.LogInformation("Skipping external DNS propagation check for Infoblox provider for {Domain}. Adding short delay...", authz.Identifier.Value);
-                    // Add a short delay to allow Infoblox to process the record internally
-                    await Task.Delay(TimeSpan.FromSeconds(5));
-                }
-                else
-                {
-                    _logger.LogInformation("Waiting for DNS propagation for {Domain}...", authz.Identifier.Value);
-
-                    // Wait for DNS propagation with verification
-                    var propagated = await dnsVerifier.WaitForDnsPropagationAsync(
-                        validation.DnsRecordName,
-                        validation.DnsRecordValue,
-                        minimumServers: 3 // Require at least 3 DNS servers to confirm
-                    );
-
-                    if (!propagated)
-                    {
-                        _logger.LogWarning("DNS record may not have fully propagated for {Domain}. Proceeding anyway...",
-                            authz.Identifier.Value);
-
-                        // Optional: Add a final delay as fallback
-                        await Task.Delay(TimeSpan.FromSeconds(30));
-                    }
-                }
-
-                // Submit challenge response
-                _logger.LogInformation("Submitting challenge for {Domain}", authz.Identifier.Value);
-                await acmeClient.AnswerChallengeAsync(challenge);
+                await _domainValidator.CleanupValidation(validation.DnsRecordName, CancellationToken.None);
             }
         }
 

AcmeCaPlugin/AcmeCaPlugin.csproj

@@ -9,23 +9,26 @@
         <AssemblyName>AcmeCaPlugin</AssemblyName>
     </PropertyGroup>
     <ItemGroup>
-        <PackageReference Include="ACMESharpCore" Version="2.2.0.148"/>
-        <PackageReference Include="Autofac" Version="8.3.0"/>
-        <PackageReference Include="AWSSDK.Route53" Version="4.0.1"/>
-        <PackageReference Include="Azure.Identity" Version="1.14.0"/>
-        <PackageReference Include="Azure.ResourceManager.Cdn" Version="1.4.0"/>
-        <PackageReference Include="Azure.ResourceManager.Dns" Version="1.1.1"/>
-        <PackageReference Include="DnsClient" Version="1.8.0"/>
-        <PackageReference Include="ARSoft.Tools.Net" Version="3.6.0"/>
-        <PackageReference Include="Google.Apis.Dns.v1" Version="1.69.0.3753"/>
-        <PackageReference Include="Keyfactor.AnyGateway.IAnyCAPlugin" Version="3.0.0"/>
-        <PackageReference Include="Keyfactor.Logging" Version="1.1.1"/>
-        <PackageReference Include="Keyfactor.PKI" Version="5.5.0"/>
-        <PackageReference Include="Microsoft.Extensions.Http" Version="9.0.5"/>
-        <PackageReference Include="Nager.PublicSuffix" Version="3.5.0"/>
-        <PackageReference Include="Newtonsoft.Json" Version="13.0.3"/>
-        <PackageReference Include="System.Net.Http.WinHttpHandler" Version="9.0.5"/>
-        <PackageReference Include="System.Security.Cryptography.ProtectedData" Version="9.0.5"/>
+        <PackageReference Include="ACMESharpCore" Version="2.2.0.148" />
+        <PackageReference Include="Autofac" Version="8.3.0" />
+        <PackageReference Include="AWSSDK.Core" Version="4.0.3.11" />
+        <PackageReference Include="AWSSDK.Route53" Version="4.0.8.8" />
+        <PackageReference Include="Azure.Identity" Version="1.14.0" />
+        <PackageReference Include="Azure.ResourceManager.Cdn" Version="1.4.0" />
+        <PackageReference Include="Azure.ResourceManager.Dns" Version="1.1.1" />
+        <PackageReference Include="BouncyCastle.Cryptography" Version="2.6.2" />
+        <PackageReference Include="DnsClient" Version="1.8.0" />
+        <PackageReference Include="ARSoft.Tools.Net" Version="3.6.0" />
+        <PackageReference Include="Google.Apis.Dns.v1" Version="1.69.0.3753" />
+        <PackageReference Include="Keyfactor.AnyGateway.IAnyCAPlugin" Version="3.3.0-PRERELEASE-78770-979f582005" />
+        <PackageReference Include="Keyfactor.Logging" Version="1.1.1" />
+        <PackageReference Include="Keyfactor.PKI" Version="5.5.0" />
+        <PackageReference Include="Microsoft.Extensions.Http" Version="9.0.5" />
+        <PackageReference Include="Nager.PublicSuffix" Version="3.5.0" />
+        <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
+        <PackageReference Include="System.Drawing.Common" Version="10.0.2" />
+        <PackageReference Include="System.Net.Http.WinHttpHandler" Version="9.0.5" />
+        <PackageReference Include="System.Security.Cryptography.ProtectedData" Version="9.0.5" />
     </ItemGroup>
     <ItemGroup>
         <None Update="manifest.json">

AcmeCaPlugin/Dns01DomainValidator.cs

@@ -0,0 +1,103 @@
+using Keyfactor.AnyGateway.Extensions;
+using Keyfactor.Extensions.CAPlugin.Acme.Clients.DNS;
+using Keyfactor.Logging;
+using Microsoft.Extensions.Logging;
+using Newtonsoft.Json;
+using System;
+using System.Collections.Generic;
+using System.Threading;
+using System.Threading.Tasks;
+
+namespace Keyfactor.Extensions.CAPlugin.Acme
+{
+    public class Dns01DomainValidator : IDomainValidator
+    {
+        private static readonly ILogger _logger = LogHandler.GetClassLogger<Dns01DomainValidator>();
+        private AcmeClientConfig _config;
+        private IDnsProvider _dnsProvider;
+
+        public void Initialize(IDomainValidatorConfigProvider configProvider)
+        {
+            if (configProvider?.DomainValidationConfiguration == null)
+                throw new ArgumentNullException(nameof(configProvider));
+
+            var raw = JsonConvert.SerializeObject(configProvider.DomainValidationConfiguration);
+            _config = JsonConvert.DeserializeObject<AcmeClientConfig>(raw);
+
+            // Create the DNS provider using your existing factory
+            _dnsProvider = DnsProviderFactory.Create(_config, _logger);
+
+            _logger.LogInformation("Dns01DomainValidator initialized with provider: {Provider}",
+                _config.DnsProvider ?? "default");
+        }
+
+        public async Task<DomainValidationResult> StageValidation(string key, string value, CancellationToken cancellationToken)
+        {
+            _logger.LogInformation("Staging DNS-01 validation: {Key} -> {Value}", key, value);
+
+            try
+            {
+                var success = await _dnsProvider.CreateRecordAsync(key, value);
+
+                return new DomainValidationResult
+                {
+                    Success = success,
+                    ErrorMessage = success ? null : $"Failed to create DNS TXT record for {key}"
+                };
+            }
+            catch (Exception ex)
+            {
+                _logger.LogError(ex, "Failed to stage DNS validation for {Key}", key);
+                return new DomainValidationResult
+                {
+                    Success = false,
+                    ErrorMessage = ex.Message
+                };
+            }
+        }
+
+        public async Task<DomainValidationResult> CleanupValidation(string key, CancellationToken cancellationToken)
+        {
+            _logger.LogInformation("Cleaning up DNS-01 validation: {Key}", key);
+
+            try
+            {
+                // Use the overload without value if available, or pass empty string
+                var success = await _dnsProvider.DeleteRecordAsync(key);
+
+                return new DomainValidationResult
+                {
+                    Success = success,
+                    ErrorMessage = success ? null : $"Failed to delete DNS TXT record for {key}"
+                };
+            }
+            catch (Exception ex)
+            {
+                _logger.LogError(ex, "Failed to cleanup DNS validation for {Key}", key);
+                return new DomainValidationResult
+                {
+                    Success = false,
+                    ErrorMessage = ex.Message
+                };
+            }
+        }
+
+        public Task ValidateConfiguration(Dictionary<string, object> configuration)
+        {
+            // Reuse existing validation logic or add specific checks
+            if (configuration == null)
+                throw new ArgumentNullException(nameof(configuration));
+
+            return Task.CompletedTask;
+        }
+
+        public Dictionary<string, PropertyConfigInfo> GetDomainValidatorAnnotations()
+        {
+            // Return DNS-related annotations from your existing config
+            // Or return a subset specific to domain validation
+            return AcmeCaPluginConfig.GetPluginAnnotations();
+        }
+
+        public string GetValidationType() => "dns-01";
+    }
+}

AcmeCaPlugin/DomainValidatorConfigProvider.cs

@@ -0,0 +1,15 @@
+using Keyfactor.AnyGateway.Extensions;
+using System.Collections.Generic;
+
+namespace Keyfactor.Extensions.CAPlugin.Acme
+{
+    public class DomainValidatorConfigProvider : IDomainValidatorConfigProvider
+    {
+        public Dictionary<string, object> DomainValidationConfiguration { get; }
+
+        public DomainValidatorConfigProvider(Dictionary<string, object> config)
+        {
+            DomainValidationConfiguration = config;
+        }
+    }
+}

TestProgram/TestProgram.csproj

@@ -8,10 +8,15 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Keyfactor.AnyGateway.IAnyCAPlugin" Version="3.0.0" />
+    <PackageReference Include="AWSSDK.Core" Version="4.0.3.11" />
+    <PackageReference Include="AWSSDK.Route53" Version="4.0.8.8" />
+    <PackageReference Include="Azure.Identity" Version="1.14.0" />
+    <PackageReference Include="BouncyCastle.Cryptography" Version="2.6.2" />
+    <PackageReference Include="Keyfactor.AnyGateway.IAnyCAPlugin" Version="3.3.0-PRERELEASE-78770-979f582005" />
     <PackageReference Include="Keyfactor.Logging" Version="1.1.1" />
     <PackageReference Include="Keyfactor.PKI" Version="5.5.0" />
     <PackageReference Include="Microsoft.Extensions.Logging.Console" Version="9.0.5" />
+    <PackageReference Include="System.Drawing.Common" Version="10.0.2" />
   </ItemGroup>
 
   <ItemGroup>