Merge e7871c3 into 9187539

Author: mkachk

.gitignore

@@ -360,4 +360,4 @@ MigrationBackup/
 .ionide/
 
 # Fody - auto-generated XML schema
-FodyWeavers.xsd
+FodyWeavers.xsd

CHANGELOG.md

@@ -1,11 +1,3 @@
-v.1.0.2
-- Warning: enrollment field/template parameter with the name "CN DCV Email (admin@boingy.com)" has been renamed to "CN DCV Email" to make it compatible with the REST gateway. "Aplicant Pgone (+nn.nnnnnnnn)" has also been renamed to "Applicant Phone".
-- Updated dependencies.
-- Added support for default values via enrollment parameters configured in the AnyGateway REST certificate template.
-- Fixed issue with non-ASCII characters breaking the gateway.
-
-v1.0.1 
-- Fixed issue with SANs not being read correctly.
-
 v1.0
-- Initial Release.
+
+- Initial Release.

README.md

@@ -76,7 +76,7 @@ This integration is tested and confirmed as working for Anygateway REST 24.4 and
 
     * **Gateway Registration**
 
-        TODO Gateway Registration is a required section
+        Download the **PCA root certificate** from AWS and have it ready to import into the Gateway **in `.pem` format**.
 
     * **CA Connection**
 
@@ -98,6 +98,7 @@ This integration is tested and confirmed as working for Anygateway REST 24.4 and
         * **IAMUserAccessKey** - IAM user access key (secret). 
         * **IAMUserAccessSecret** - IAM user access secret (secret). 
         * **ExternalId** - Optional sts:ExternalId to supply on AssumeRole calls. 
+        * **Enabled** - Flag to Enable or Disable gateway functionality. Disabling is primarily used to allow creation of the CA prior to configuration information being available. 
 
 2. Define [Certificate Profiles](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCP-Gateway.htm) and [Certificate Templates](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCA-Gateway.htm) for the Certificate Authority as required. One Certificate Profile must be defined per Certificate Template. It's recommended that each Certificate Profile be named after the Product ID. The AWSPCA CA  Gateway plugin supports the following product IDs:
 
@@ -107,6 +108,11 @@ This integration is tested and confirmed as working for Anygateway REST 24.4 and
 
 3. Follow the [official Keyfactor documentation](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCA-Keyfactor.htm) to add each defined Certificate Authority to Keyfactor Command and import the newly defined Certificate Templates.
 
+4. In Keyfactor Command (v12.3+), for each imported Certificate Template, follow the [official documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Configuring%20Template%20Options.htm) to define enrollment fields for each of the following parameters:
+
+    * **LifetimeDays** - OPTIONAL: The number of days of validity to use when requesting certs. If not provided, default is 365 
+    * **SigningAlgorithm** - Required: AWS ACM PCA certificate signature algorithm to use when issuing certificates. Value is an AWS PCA SigningAlgorithm enum name (case-insensitive), e.g. SHA256WITHRSA, SHA384WITHRSA, SHA256WITHECDSA. If omitted, the plugin selects a default compatible with the CA key algorithm. 
+
 
 ## Authentication (Access Key + Secret)
 
@@ -121,7 +127,7 @@ Before configuring the CAPlugin, have the following prepared:
 - **Access Key ID** (example format: `AKIAIOSFODNN7EXAMPLE`)
 - **Secret Access Key** (example format: `wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY`)
 
-#### 2) A target IAM Role the connector will run as (recommended)
+#### 2) A target IAM Role the Gateway will run as (recommended)
 Example:
 - `arn:aws:iam::123456789012:role/Keyfactor-AnyGateway-AcmPcaRole`
 
@@ -292,6 +298,52 @@ The following examples are intended as **copy/adapt templates**.
 }
 ```
 
+---
+
+## Signing algorithm selection (ACM PCA)
+
+The connector supports an optional **template / product parameter** named `SigningAlgorithm` that controls the **certificate signature algorithm**
+passed to AWS ACM PCA `IssueCertificate`.
+
+- If **not set**, the plugin will **auto-select** a compatible default based on the CA `KeyAlgorithm` returned by
+  `DescribeCertificateAuthority`.
+- If **set**, the plugin validates the value and **rejects incompatible combinations** before calling AWS.
+
+### Where to configure
+
+Set `SigningAlgorithm` on the **AnyGateway template** (product parameters), alongside `LifetimeDays`.
+
+### Valid `SigningAlgorithm` values (AWS PCA)
+
+- RSA family: `SHA256WITHRSA`, `SHA384WITHRSA`, `SHA512WITHRSA`
+- ECDSA family: `SHA256WITHECDSA`, `SHA384WITHECDSA`, `SHA512WITHECDSA`
+- SM2: `SM3WITHSM2`
+- ML-DSA (post-quantum): `ML_DSA_44`, `ML_DSA_65`, `ML_DSA_87`
+
+### Allowed CA key algorithm <-> signing algorithm combinations
+
+The CA key algorithm is the PCA CA **KeyAlgorithm** (not the subject key in the CSR). The signing algorithm must match the CA key family.
+
+| CA KeyAlgorithm | Allowed SigningAlgorithm values |
+|---|---|
+| `RSA_2048`, `RSA_3072`, `RSA_4096` | `SHA256WITHRSA`, `SHA384WITHRSA`, `SHA512WITHRSA` |
+| `EC_prime256v1`, `EC_secp384r1`, `EC_secp521r1` | `SHA256WITHECDSA`, `SHA384WITHECDSA`, `SHA512WITHECDSA` |
+| `SM2` | `SM3WITHSM2` |
+| `ML_DSA_44` | `ML_DSA_44` |
+| `ML_DSA_65` | `ML_DSA_65` |
+| `ML_DSA_87` | `ML_DSA_87` |
+
+### Auto-selection defaults
+
+When `SigningAlgorithm` is omitted, the plugin selects:
+
+- RSA CAs -> `SHA256WITHRSA`
+- EC P-256 -> `SHA256WITHECDSA`
+- EC P-384 -> `SHA384WITHECDSA`
+- EC P-521 -> `SHA512WITHECDSA`
+- SM2 -> `SM3WITHSM2`
+- ML-DSA -> exact-match (`ML_DSA_44/65/87`)
+
 
 ## License
 

aws-pca-caplugin/AWSPCACAPlugin.cs

@@ -5,11 +5,6 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
 // and limitations under the License.
 
-using System.Collections.Concurrent;
-using System.Security.Cryptography;
-using System.Security.Cryptography.X509Certificates;
-using System.Text;
-using System.Text.RegularExpressions;
 using Amazon.ACMPCA;
 using Keyfactor.AnyGateway.Extensions;
 using Keyfactor.Extensions.CAPlugin.AWS.Client;
@@ -19,6 +14,12 @@
 using Keyfactor.PKI.Enums.EJBCA;
 using Keyfactor.PKI.PEM;
 using Microsoft.Extensions.Logging;
+using System.Collections.Concurrent;
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
+using System.Text;
+using System.Text.RegularExpressions;
+using static Org.BouncyCastle.Math.EC.ECCurve;
 
 namespace Keyfactor.Extensions.CAPlugin.AWS;
 
@@ -33,15 +34,23 @@ public AWSPCACAPlugin()
     }
 
     private IAwsPcaClient AwsClient { get; set; }
-
+    private bool _enabled = false;
 
     //done
     public void Initialize(IAnyCAPluginConfigProvider configProvider, ICertificateDataReader certificateDataReader)
     {
         Logger.MethodEntry(LogLevel.Debug);
         _certificateDataReader = certificateDataReader;
+        var _enabled = bool.Parse(GetRequiredString(configProvider, "Enabled"));
+        if (!_enabled)
+        {
+            Logger.LogWarning($"The CA is currently in the Disabled state. It must be Enabled to perform operations. Skipping config validation and AWS PCA Client creation...");
+            Logger.MethodExit();
+            return;
+        }
         AwsClient = new AwsPcaClient(configProvider);
         Logger.MethodExit(LogLevel.Debug);
+
     }
 
     //done
@@ -358,6 +367,15 @@ public async Task<EnrollmentResult> Enroll(
                 parsed > 0)
                 days = parsed;
 
+
+            // Optional signing algorithm override (template parameter)
+            string? signingAlgorithm = null;
+            if (productInfo.ProductParameters != null &&
+                productInfo.ProductParameters.TryGetValue(EnrollmentConfigConstants.SigningAlgorithm,
+                    out var algoStr) &&
+                !string.IsNullOrWhiteSpace(algoStr))
+                signingAlgorithm = algoStr.Trim();
+
             // Normalize CSR to PEM (keeps your existing behavior)
             csr = PemUtilities.DERToPEM(PemUtilities.PEMToDER(csr), PemUtilities.PemObjectType.CertRequest);
 
@@ -369,6 +387,7 @@ public async Task<EnrollmentResult> Enroll(
                             csr,
                             productInfo.ProductID,
                             days,
+                            signingAlgorithm,
                             "Certificate Issued")
                         .ConfigureAwait(false);
                 }
@@ -445,6 +464,12 @@ public async Task<EnrollmentResult> Enroll(
     public async Task Ping()
     {
         Logger.MethodEntry();
+        if (!_enabled)
+        {
+            Logger.LogWarning($"The CA is currently in the Disabled state. It must be Enabled to perform operations. Skipping config validation and AWS PCA Client creation...");
+            Logger.MethodExit();
+            return;
+        }
         try
         {
             Logger.LogInformation("Ping request received");
@@ -460,12 +485,27 @@ public async Task Ping()
     }
 
     //do
-    public async Task ValidateCAConnectionInfo(Dictionary<string, object> connectionInfo)
+    public Task ValidateCAConnectionInfo(Dictionary<string, object> connectionInfo)
     {
+        try
+        {
+            if (!(bool)connectionInfo["Enabled"])
+            {
+                Logger.LogWarning($"The CA is currently in the Disabled state. It must be Enabled to perform operations. Skipping validation...");
+                Logger.MethodExit(LogLevel.Trace);
+                return Task.CompletedTask;
+            }
+        }
+        catch (Exception ex)
+        {
+            Logger.LogError($"Exception: {LogHandler.FlattenException(ex)}");
+        }
+
+        return Task.CompletedTask;
     }
 
     //do
-    public async Task ValidateProductInfo(EnrollmentProductInfo productInfo,
+    public Task ValidateProductInfo(EnrollmentProductInfo productInfo,
         Dictionary<string, object> connectionInfo)
     {
         var certType = Constants.GetTemplateTypes().Find(x =>
@@ -474,6 +514,7 @@ public async Task ValidateProductInfo(EnrollmentProductInfo productInfo,
         if (certType == null) throw new ArgumentException($"Cannot find {productInfo.ProductID}", "ProductId");
 
         Logger.LogInformation($"Validated {certType} ({certType})configured for AnyGateway");
+        return Task.CompletedTask;
     }
 
     //done
@@ -610,6 +651,13 @@ public Dictionary<string, PropertyConfigInfo> GetCAConnectorAnnotations()
                 Hidden = false,
                 DefaultValue = "",
                 Type = "String"
+            },
+            [Constants.Enabled] = new ()
+            {
+                Comments = "Flag to Enable or Disable gateway functionality. Disabling is primarily used to allow creation of the CA prior to configuration information being available.",
+                Hidden = false,
+                DefaultValue = true,
+                Type = "Boolean"
             }
         };
     }
@@ -627,6 +675,15 @@ public Dictionary<string, PropertyConfigInfo> GetTemplateParameterAnnotations()
                 Hidden = false,
                 DefaultValue = 365,
                 Type = "Number"
+            },
+            // this is used to passdown csr details/prefill. will be overridden by commmand if not present. 
+            [EnrollmentConfigConstants.SigningAlgorithm] = new()
+            {
+                Comments =
+                    "Required: AWS ACM PCA certificate signature algorithm to use when issuing certificates. Value is an AWS PCA SigningAlgorithm enum name (case-insensitive), e.g. SHA256WITHRSA, SHA384WITHRSA, SHA256WITHECDSA. If omitted, the plugin selects a default compatible with the CA key algorithm.",
+                Hidden = false,
+                DefaultValue = "SHA256WITHRSA",
+                Type = "String"
             }
         };
     }
@@ -641,6 +698,7 @@ private async Task<EnrollmentResult> IssueAndFetchAsync(
         string csrPem,
         string productId,
         int validityDays,
+        string? signingAlgorithm,
         string statusMessageOnSuccess,
         string? idempotencyToken = null)
     {
@@ -650,6 +708,7 @@ private async Task<EnrollmentResult> IssueAndFetchAsync(
             CsrPem = csrPem,
             ProductId = productId,
             ValidityDays = validityDays,
+            SigningAlgorithm = signingAlgorithm,
             IdempotencyToken = idempotencyToken ?? Guid.NewGuid().ToString("N")
         };
 
@@ -1069,6 +1128,17 @@ private string PreparePemTextFromApi(string? base64)
 
         return text;
     }
+    private static string GetRequiredString(IAnyCAPluginConfigProvider provider, string key)
+    {
+        if (!provider.CAConnectionData.TryGetValue(key, out var obj) || obj == null)
+            throw new InvalidOperationException($"Missing required configuration value '{key}'.");
+
+        var str = obj.ToString();
+        if (string.IsNullOrWhiteSpace(str))
+            throw new InvalidOperationException($"Configuration value '{key}' is empty.");
+
+        return str!;
+    }
 
     #endregion
 }

aws-pca-caplugin/AWSPCACAPlugin.csproj

@@ -13,7 +13,8 @@
 
 
 	<Target Name="CustomPostBuild" AfterTargets="PostBuildEvent">
-		<Exec Condition="'$(Configuration)'=='DebugAndPush'" Command="PowerShell -ExecutionPolicy Bypass -File &quot;C:\Users\mkachkaev\source\repos\scripts\SyncScriptAWS_GT.ps1&quot;&#xA;" />
+		<Exec Condition="'$(Configuration)'=='DebugAndPush'"
+		      Command="PowerShell -ExecutionPolicy Bypass -File &quot;C:\Users\mkachkaev\source\repos\scripts\SyncScriptAWS_GT.ps1&quot;&#xA;" />
 	</Target>