Added a special per template setting of SignatureAlgorithm. Added appropriate docs.

Author: mkachk

.gitignore

@@ -360,4 +360,5 @@ MigrationBackup/
 .ionide/
 
 # Fody - auto-generated XML schema
-FodyWeavers.xsd
+FodyWeavers.xsd
+/README.md

README.md

@@ -5,9 +5,9 @@
 <p align="center">
   <!-- Badges -->
 <img src="https://img.shields.io/badge/integration_status-pilot-3D1973?style=flat-square" alt="Integration Status: pilot" />
-<a href="https://github.com/Keyfactor/aws-pca-caplugin/releases"><img src="https://img.shields.io/github/v/release/Keyfactor/aws-pca-caplugin?style=flat-square" alt="Release" /></a>
-<img src="https://img.shields.io/github/issues/Keyfactor/aws-pca-caplugin?style=flat-square" alt="Issues" />
-<img src="https://img.shields.io/github/downloads/Keyfactor/aws-pca-caplugin/total?style=flat-square&label=downloads&color=28B905" alt="GitHub Downloads (all assets, all releases)" />
+<a href="https://github.com/Keyfactor/aws-pca-caplugin-dev/releases"><img src="https://img.shields.io/github/v/release/Keyfactor/aws-pca-caplugin-dev?style=flat-square" alt="Release" /></a>
+<img src="https://img.shields.io/github/issues/Keyfactor/aws-pca-caplugin-dev?style=flat-square" alt="Issues" />
+<img src="https://img.shields.io/github/downloads/Keyfactor/aws-pca-caplugin-dev/total?style=flat-square&label=downloads&color=28B905" alt="GitHub Downloads (all assets, all releases)" />
 </p>
 
 <p align="center">
@@ -53,7 +53,7 @@ This integration is tested and confirmed as working for Anygateway REST 24.4 and
 
 1. Install the AnyCA Gateway REST per the [official Keyfactor documentation](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/InstallIntroduction.htm).
 
-2. On the server hosting the AnyCA Gateway REST, download and unzip the latest [AWSPCA CA  Gateway AnyCA Gateway REST plugin](https://github.com/Keyfactor/aws-pca-caplugin/releases/latest) from GitHub.
+2. On the server hosting the AnyCA Gateway REST, download and unzip the latest [AWSPCA CA  Gateway AnyCA Gateway REST plugin](https://github.com/Keyfactor/aws-pca-caplugin-dev/releases/latest) from GitHub.
 
 3. Copy the unzipped directory (usually called `net6.0` or `net8.0`) to the Extensions directory:
 
@@ -107,6 +107,11 @@ This integration is tested and confirmed as working for Anygateway REST 24.4 and
 
 3. Follow the [official Keyfactor documentation](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCA-Keyfactor.htm) to add each defined Certificate Authority to Keyfactor Command and import the newly defined Certificate Templates.
 
+4. In Keyfactor Command (v12.3+), for each imported Certificate Template, follow the [official documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Configuring%20Template%20Options.htm) to define enrollment fields for each of the following parameters:
+
+    * **LifetimeDays** - OPTIONAL: The number of days of validity to use when requesting certs. If not provided, default is 365 
+    * **SigningAlgorithm** - Required: Signing Algorithm to use with the PCA. 
+
 
 ## Authentication (Access Key + Secret)
 
@@ -291,6 +296,47 @@ The following examples are intended as **copy/adapt templates**.
   ]
 }
 ```
+---
+
+## Signing algorithm selection (ACM PCA)
+
+The gateway supports an optional CAConnection setting `SigningAlgorithm` that controls the **certificate signature algorithm**
+passed to AWS ACM PCA `IssueCertificate`.
+
+- If **not set**, the plugin will **auto-select** a compatible default based on the CA `KeyAlgorithm` returned by
+  `DescribeCertificateAuthority`.
+- If **set**, the plugin validates the value and **rejects incompatible combinations** before calling AWS.
+
+### Valid `SigningAlgorithm` values (AWS PCA)
+
+- RSA family: `SHA256WITHRSA`, `SHA384WITHRSA`, `SHA512WITHRSA`
+- ECDSA family: `SHA256WITHECDSA`, `SHA384WITHECDSA`, `SHA512WITHECDSA`
+- SM2: `SM3WITHSM2`
+- ML-DSA (post-quantum): `ML_DSA_44`, `ML_DSA_65`, `ML_DSA_87`
+
+### Allowed CA key algorithm and signing algorithm combinations
+
+The CA key algorithm is the PCA CA **KeyAlgorithm** (not the subject key in the CSR). The signing algorithm must match the CA key family.
+
+| CA KeyAlgorithm | Allowed SigningAlgorithm values |
+|---|---|
+| `RSA_2048`, `RSA_3072`, `RSA_4096` | `SHA256WITHRSA`, `SHA384WITHRSA`, `SHA512WITHRSA` |
+| `EC_prime256v1`, `EC_secp384r1`, `EC_secp521r1` | `SHA256WITHECDSA`, `SHA384WITHECDSA`, `SHA512WITHECDSA` |
+| `SM2` | `SM3WITHSM2` |
+| `ML_DSA_44` | `ML_DSA_44` |
+| `ML_DSA_65` | `ML_DSA_65` |
+| `ML_DSA_87` | `ML_DSA_87` |
+
+### Auto-selection defaults
+
+When `SigningAlgorithm` is omitted, the plugin selects:
+
+- RSA CAs -> `SHA256WITHRSA`
+- EC P-256 -> `SHA256WITHECDSA`
+- EC P-384 -> `SHA384WITHECDSA`
+- EC P-521 -> `SHA512WITHECDSA`
+- SM2 -> `SM3WITHSM2`
+- ML-DSA -> exact-match (`ML_DSA_44/65/87`)
 
 
 ## License

aws-pca-caplugin/AWSPCACAPlugin.cs

@@ -358,6 +358,15 @@ public async Task<EnrollmentResult> Enroll(
                 parsed > 0)
                 days = parsed;
 
+
+            // Optional signing algorithm override (template parameter)
+            string? signingAlgorithm = null;
+            if (productInfo.ProductParameters != null &&
+                productInfo.ProductParameters.TryGetValue(EnrollmentConfigConstants.SigningAlgorithm,
+                    out var algoStr) &&
+                !string.IsNullOrWhiteSpace(algoStr))
+                signingAlgorithm = algoStr.Trim();
+
             // Normalize CSR to PEM (keeps your existing behavior)
             csr = PemUtilities.DERToPEM(PemUtilities.PEMToDER(csr), PemUtilities.PemObjectType.CertRequest);
 
@@ -369,6 +378,7 @@ public async Task<EnrollmentResult> Enroll(
                             csr,
                             productInfo.ProductID,
                             days,
+                            signingAlgorithm,
                             "Certificate Issued")
                         .ConfigureAwait(false);
                 }
@@ -627,6 +637,15 @@ public Dictionary<string, PropertyConfigInfo> GetTemplateParameterAnnotations()
                 Hidden = false,
                 DefaultValue = 365,
                 Type = "Number"
+            },
+            // this is used to passdown csr details/prefill. will be overridden by commmand if not present. 
+            [EnrollmentConfigConstants.SigningAlgorithm] = new()
+            {
+                Comments =
+                    "Required: AWS ACM PCA certificate signature algorithm to use when issuing certificates. Value is an AWS PCA SigningAlgorithm enum name (case-insensitive), e.g. SHA256WITHRSA, SHA384WITHRSA, SHA256WITHECDSA. If omitted, the plugin selects a default compatible with the CA key algorithm.",
+                Hidden = false,
+                DefaultValue = "SHA256WITHRSA",
+                Type = "String"
             }
         };
     }
@@ -641,6 +660,7 @@ private async Task<EnrollmentResult> IssueAndFetchAsync(
         string csrPem,
         string productId,
         int validityDays,
+        string? signingAlgorithm,
         string statusMessageOnSuccess,
         string? idempotencyToken = null)
     {
@@ -650,6 +670,7 @@ private async Task<EnrollmentResult> IssueAndFetchAsync(
             CsrPem = csrPem,
             ProductId = productId,
             ValidityDays = validityDays,
+            SigningAlgorithm = signingAlgorithm,
             IdempotencyToken = idempotencyToken ?? Guid.NewGuid().ToString("N")
         };
 

aws-pca-caplugin/AWSPCACAPlugin.csproj

@@ -13,7 +13,8 @@
 
 
 	<Target Name="CustomPostBuild" AfterTargets="PostBuildEvent">
-		<Exec Condition="'$(Configuration)'=='DebugAndPush'" Command="PowerShell -ExecutionPolicy Bypass -File &quot;C:\Users\mkachkaev\source\repos\scripts\SyncScriptAWS_GT.ps1&quot;&#xA;" />
+		<Exec Condition="'$(Configuration)'=='DebugAndPush'"
+		      Command="PowerShell -ExecutionPolicy Bypass -File &quot;C:\Users\mkachkaev\source\repos\scripts\SyncScriptAWS_GT.ps1&quot;&#xA;" />
 	</Target>
 
 

aws-pca-caplugin/CHANGELOG.md

@@ -39,6 +39,8 @@ public sealed class AwsPcaClient : IAwsPcaClient
     private const string ENHANCED_KEY_USAGE_OID = "2.5.29.37";
     private const string SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1";
     private const string CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2";
+
+    private readonly SemaphoreSlim _caInfoLock = new(1, 1);
     private readonly AWSCredentials AwsCredentials;
     private readonly string CaArn;
     private readonly ILogger Logger;
@@ -47,6 +49,7 @@ public sealed class AwsPcaClient : IAwsPcaClient
     private readonly RegionEndpoint Region;
     private readonly string RoleArn;
     private readonly string S3Bucket;
+    private string? _caKeyAlgorithmName;
     private IAmazonS3? S3Client;
 
     public AwsPcaClient(IAnyCAPluginConfigProvider configProvider)
@@ -127,11 +130,18 @@ public async Task<IssueCertificateResponse> SubmitIssueCertificateAsync(
             var csrBytes = PemUtilities.DERToPEM(PemUtilities.PEMToDER(request.CsrPem),
                 PemUtilities.PemObjectType.CertRequest);
 
+
+            var signingAlgoRes = await ResolveSigningAlgorithmAsync(request.SigningAlgorithm, cancellationToken)
+                .ConfigureAwait(false);
+            if (signingAlgoRes.Error != null)
+                return new IssueCertificateResponse { RegistrationError = signingAlgoRes.Error };
+
+            var signingAlgorithm = signingAlgoRes.Value!;
             var issueReq = new Amazon.ACMPCA.Model.IssueCertificateRequest
             {
                 CertificateAuthorityArn = CaArn,
                 Csr = new MemoryStream(Encoding.ASCII.GetBytes(csrBytes)),
-                SigningAlgorithm = SigningAlgorithm.SHA256WITHRSA,
+                SigningAlgorithm = signingAlgorithm,
                 IdempotencyToken = request.IdempotencyToken ?? Guid.NewGuid().ToString("N"),
                 Validity = new Validity
                 {
@@ -578,6 +588,163 @@ public static string InferAndValidateTemplateTypeKey(X509Certificate2 cert)
         return Constants.TemplateARNs.ContainsKey(key) ? key : "Unknown";
     }
 
+
+    private async Task<(string? Value, RegistrationError? Error)> GetCaKeyAlgorithmAsync(
+        CancellationToken cancellationToken)
+    {
+        if (!string.IsNullOrWhiteSpace(_caKeyAlgorithmName))
+            return (_caKeyAlgorithmName, null);
+
+        await _caInfoLock.WaitAsync(cancellationToken).ConfigureAwait(false);
+        try
+        {
+            if (!string.IsNullOrWhiteSpace(_caKeyAlgorithmName))
+                return (_caKeyAlgorithmName, null);
+
+            try
+            {
+                var resp = await PcaClient.DescribeCertificateAuthorityAsync(
+                    new DescribeCertificateAuthorityRequest { CertificateAuthorityArn = CaArn },
+                    cancellationToken).ConfigureAwait(false);
+
+                // KeyAlgorithm is represented as a string in the service model; some SDK surfaces expose it as a string.
+                // Use reflection to remain tolerant across AWSSDK.ACMPCA versions.
+                var cfg = resp?.CertificateAuthority?.CertificateAuthorityConfiguration;
+                if (cfg == null)
+                    return (null,
+                        new RegistrationError
+                        {
+                            ErrorCode = "AwsDescribeCaFailed",
+                            Description = "DescribeCertificateAuthority returned no configuration."
+                        });
+
+                var prop = cfg.GetType().GetProperty("KeyAlgorithm");
+                var val = prop?.GetValue(cfg)?.ToString();
+                if (string.IsNullOrWhiteSpace(val))
+                    return (null,
+                        new RegistrationError
+                        {
+                            ErrorCode = "AwsDescribeCaFailed",
+                            Description = "Unable to read CA KeyAlgorithm from DescribeCertificateAuthority response."
+                        });
+
+                _caKeyAlgorithmName = val.Trim();
+                return (_caKeyAlgorithmName, null);
+            }
+            catch (Exception ex)
+            {
+                return (null,
+                    new RegistrationError
+                        { ErrorCode = "AwsDescribeCaFailed", Description = "Failed to query CA KeyAlgorithm." });
+            }
+        }
+        finally
+        {
+            _caInfoLock.Release();
+        }
+    }
+
+    private static bool IsKnownSigningAlgorithm(SigningAlgorithm alg)
+    {
+        var v = alg.Value;
+        return v == SigningAlgorithm.SHA256WITHRSA.Value
+               || v == SigningAlgorithm.SHA384WITHRSA.Value
+               || v == SigningAlgorithm.SHA512WITHRSA.Value
+               || v == SigningAlgorithm.SHA256WITHECDSA.Value
+               || v == SigningAlgorithm.SHA384WITHECDSA.Value
+               || v == SigningAlgorithm.SHA512WITHECDSA.Value
+               || v == SigningAlgorithm.SM3WITHSM2.Value
+               || v == SigningAlgorithm.ML_DSA_44.Value
+               || v == SigningAlgorithm.ML_DSA_65.Value
+               || v == SigningAlgorithm.ML_DSA_87.Value;
+    }
+
+    private static bool IsSigningAlgorithmCompatible(string caKeyAlgorithmName, SigningAlgorithm signingAlgorithm)
+    {
+        var ka = caKeyAlgorithmName.Trim();
+        var sig = signingAlgorithm.Value;
+
+        if (ka.StartsWith("RSA_", StringComparison.OrdinalIgnoreCase))
+            return sig.EndsWith("WITHRSA", StringComparison.OrdinalIgnoreCase);
+
+        if (ka.StartsWith("EC_", StringComparison.OrdinalIgnoreCase))
+            return sig.EndsWith("WITHECDSA", StringComparison.OrdinalIgnoreCase);
+
+        if (ka.Equals("SM2", StringComparison.OrdinalIgnoreCase))
+            return sig.Equals(SigningAlgorithm.SM3WITHSM2.Value, StringComparison.OrdinalIgnoreCase);
+
+        if (ka.StartsWith("ML_DSA_", StringComparison.OrdinalIgnoreCase))
+            return sig.Equals(ka, StringComparison.OrdinalIgnoreCase);
+
+        return false;
+    }
+
+    private static SigningAlgorithm DefaultSigningAlgorithmForCaKey(string caKeyAlgorithmName)
+    {
+        var ka = caKeyAlgorithmName.Trim();
+
+        if (ka.StartsWith("RSA_", StringComparison.OrdinalIgnoreCase))
+            return SigningAlgorithm.SHA256WITHRSA;
+
+        if (ka.StartsWith("EC_", StringComparison.OrdinalIgnoreCase))
+        {
+            if (ka.Equals("EC_secp384r1", StringComparison.OrdinalIgnoreCase))
+                return SigningAlgorithm.SHA384WITHECDSA;
+
+            if (ka.Equals("EC_secp521r1", StringComparison.OrdinalIgnoreCase))
+                return SigningAlgorithm.SHA512WITHECDSA;
+
+            return SigningAlgorithm.SHA256WITHECDSA;
+        }
+
+        if (ka.Equals("SM2", StringComparison.OrdinalIgnoreCase))
+            return SigningAlgorithm.SM3WITHSM2;
+
+        if (ka.Equals("ML_DSA_44", StringComparison.OrdinalIgnoreCase))
+            return SigningAlgorithm.ML_DSA_44;
+        if (ka.Equals("ML_DSA_65", StringComparison.OrdinalIgnoreCase))
+            return SigningAlgorithm.ML_DSA_65;
+        if (ka.Equals("ML_DSA_87", StringComparison.OrdinalIgnoreCase))
+            return SigningAlgorithm.ML_DSA_87;
+
+        // Fallback
+        return SigningAlgorithm.SHA256WITHRSA;
+    }
+
+    private async Task<(SigningAlgorithm? Value, RegistrationError? Error)> ResolveSigningAlgorithmAsync(
+        string? requestedSigningAlgorithm,
+        CancellationToken cancellationToken)
+    {
+        var caKeyRes = await GetCaKeyAlgorithmAsync(cancellationToken).ConfigureAwait(false);
+        if (caKeyRes.Error != null)
+            return (null, caKeyRes.Error);
+
+        var caKey = caKeyRes.Value!;
+        if (!string.IsNullOrWhiteSpace(requestedSigningAlgorithm))
+        {
+            var resolved = SigningAlgorithm.FindValue(requestedSigningAlgorithm.Trim());
+            if (!IsKnownSigningAlgorithm(resolved))
+                return (null, new RegistrationError
+                {
+                    ErrorCode = "InvalidConfiguration",
+                    Description =
+                        $"SigningAlgorithm '{requestedSigningAlgorithm}' is not a supported AWS ACM PCA SigningAlgorithm value."
+                });
+
+            if (!IsSigningAlgorithmCompatible(caKey, resolved))
+                return (null, new RegistrationError
+                {
+                    ErrorCode = "InvalidConfiguration",
+                    Description =
+                        $"SigningAlgorithm '{requestedSigningAlgorithm}' is not compatible with CA KeyAlgorithm '{caKey}'."
+                });
+
+            return (resolved, null);
+        }
+
+        return (DefaultSigningAlgorithmForCaKey(caKey), null);
+    }
+
     private static class ConfigKeys
     {
         public const string CaArn = "CAArn";

aws-pca-caplugin/Client/ACMPCAClient.cs

@@ -72,4 +72,5 @@ public static List<string> GetTemplateTypes()
 public class EnrollmentConfigConstants
 {
     public const string LifetimeDays = "LifetimeDays";
+    public const string SigningAlgorithm = "SigningAlgorithm";
 }

aws-pca-caplugin/Constants.cs

@@ -42,12 +42,19 @@ public sealed class IssueCertificateRequest
     /// <summary>Optional desired term in days. If null, defaults to 365.</summary>
     public int? ValidityDays { get; set; }
 
+    /// <summary>
+    ///     Optional override for ACM PCA IssueCertificate.SigningAlgorithm.
+    ///     If null/empty, the client auto-selects a compatible default based on the CA KeyAlgorithm.
+    /// </summary>
+    public string? SigningAlgorithm { get; set; }
+
     /// <summary>Optional idempotency token.</summary>
     public string? IdempotencyToken { get; set; }
 }
 
 /// <summary>
-///     Mirrors the CSC plugin expectations: contains the certificate payload + a Keyfactor-accepted numeric status.
+///     Response wrapper that carries the issued certificate payload and status.: contains the certificate payload + a
+///     Keyfactor-accepted numeric status.
 /// </summary>
 public sealed class CertificateResponse
 {