client cert support

Author: dgaley

digicert-certcentral-caplugin/API/OrderCertificate.cs

@@ -84,6 +84,9 @@ public class CertificateRequest
 		[JsonProperty("dns_names")]
 		public List<string> DNSNames { get; set; }
 
+		[JsonProperty("emails")]
+		public List<String> Emails { get; set; }
+
 		[JsonProperty("csr")]
 		public string CSR { get; set; }
 

digicert-certcentral-caplugin/CertCentralCAPlugin.cs

@@ -11,6 +11,7 @@
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Logging.Abstractions;
 using Microsoft.VisualBasic;
+using Microsoft.Win32.SafeHandles;
 
 using Newtonsoft.Json;
 
@@ -70,11 +71,12 @@ public async Task<EnrollmentResult> Enroll(string csr, string subject, Dictionar
 			CertCentralCertType certType = CertCentralCertType.GetAllTypes(_config).FirstOrDefault(x => x.ProductCode.Equals(productInfo.ProductID));
 			OrderRequest orderRequest = new OrderRequest(certType);
 
-			//var days = (productInfo.ProductParameters.ContainsKey("LifetimeDays") && !st) ? int.Parse(productInfo.ProductParameters["LifetimeDays"]) : 365;
+			string typeOfCert = (productInfo.ProductParameters.ContainsKey(CertCentralConstants.Config.CERT_TYPE)) ? productInfo.ProductParameters[CertCentralConstants.Config.CERT_TYPE].ToLower() : "ssl";
+
 			var days = 365;
-			if (productInfo.ProductParameters.ContainsKey("LifetimeDays") && !string.IsNullOrEmpty(productInfo.ProductParameters["LifetimeDays"]))
+			if (productInfo.ProductParameters.ContainsKey(CertCentralConstants.Config.LIFETIME) && !string.IsNullOrEmpty(productInfo.ProductParameters[CertCentralConstants.Config.LIFETIME]))
 			{
-				days = int.Parse(productInfo.ProductParameters["LifetimeDays"]);
+				days = int.Parse(productInfo.ProductParameters[CertCentralConstants.Config.LIFETIME]);
 			}
 			int validityYears = 0;
 			DateTime? customExpirationDate = null;
@@ -90,16 +92,31 @@ public async Task<EnrollmentResult> Enroll(string csr, string subject, Dictionar
 					break;
 			}
 
+			// Convert to case-insensitive dictionary
+			Dictionary<string, string[]> sandict = new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase);
+			foreach (var s in san)
+			{
+				sandict.Add(s.Key, s.Value);
+			}
+
 			List<string> dnsNames = new List<string>();
-			if (san.ContainsKey("Dns"))
+			List<string> emails = new List<string>();
+			if (sandict.ContainsKey("Dns"))
 			{
 				dnsNames = new List<string>(san["Dns"]);
 			}
-
-			if (san.ContainsKey("dnsname"))
+			if (sandict.ContainsKey("dnsname"))
 			{
 				dnsNames = new List<string>(san["dnsname"]);
 			}
+			if (sandict.ContainsKey("Email"))
+			{
+				emails = new List<string>(san["Email"]);
+			}
+			if (sandict.ContainsKey("Rfc822Name"))
+			{
+				emails = new List<string>(san["Rfc822Name"]);
+			}
 
 			X509Name subjectParsed = null;
 			string commonName = null, organization = null, orgUnit = null;
@@ -114,13 +131,24 @@ public async Task<EnrollmentResult> Enroll(string csr, string subject, Dictionar
 
 			if (commonName == null)
 			{
-				if (dnsNames.Count > 0)
+				if (typeOfCert.Equals("ssl") && dnsNames.Count > 0)
 				{
 					commonName = dnsNames[0];
 				}
+				else if (typeOfCert.Equals("client") && emails.Count > 0)
+				{
+					commonName = emails[0];
+				}
 				else
 				{
-					throw new Exception("No Common Name or DNS SAN provided, unable to enroll");
+					throw new Exception("No Common Name or SAN provided, unable to enroll");
+				}
+			}
+			else
+			{
+				if (typeOfCert.Equals("client") && emails.Count == 0)
+				{
+					emails.Add(commonName);
 				}
 			}
 
@@ -190,7 +218,14 @@ public async Task<EnrollmentResult> Enroll(string csr, string subject, Dictionar
 			orderRequest.Certificate.CommonName = commonName;
 			orderRequest.Certificate.CSR = csr;
 			orderRequest.Certificate.SignatureHash = signatureHash;
-			orderRequest.Certificate.DNSNames = dnsNames;
+			if (typeOfCert.Equals("ssl"))
+			{
+				orderRequest.Certificate.DNSNames = dnsNames;
+			}
+			else if (typeOfCert.Equals("client"))
+			{
+				orderRequest.Certificate.Emails = emails;
+			}
 			orderRequest.Certificate.CACertID = caCertId;
 			orderRequest.SetOrganization(organizationId);
 			if (!string.IsNullOrEmpty(orgUnit))
@@ -524,6 +559,13 @@ public Dictionary<string, PropertyConfigInfo> GetTemplateParameterAnnotations()
 					Hidden = false,
 					DefaultValue = 90,
 					Type = "Number"
+				},
+				[CertCentralConstants.Config.CERT_TYPE] = new PropertyConfigInfo()
+				{
+					Comments = "OPTIONAL: The type of cert to enroll for. Valid values are 'ssl' and 'client'. The value provided here must be consistant with the ProductID. If not provided, default is 'ssl'.",
+					Hidden = false,
+					DefaultValue = "ssl",
+					Type = "String"
 				}
 			};
 		}
@@ -864,6 +906,15 @@ public async Task ValidateProductInfo(EnrollmentProductInfo productInfo, Diction
 			}
 			CertCentralClient client = new CertCentralClient(apiKey, region);
 
+			if (connectionInfo.ContainsKey(CertCentralConstants.Config.CERT_TYPE))
+			{
+				var typeOfCert = (string)connectionInfo[CertCentralConstants.Config.CERT_TYPE];
+				if (!(typeOfCert.Equals("ssl") || typeOfCert.Equals("client")))
+				{
+					throw new Exception("Invalid Cert Type specified. Valid options are 'ssl' or 'client'");
+				}
+			}
+
 			// Get the available types and check that it's one of them.
 			// We're doing this because to get the list of valid product IDs in a comment, the user must have at least one correct product/template mapping.
 			// We therefore need to have some way of telling them what the valid product IDs are to begin with.

digicert-certcentral-caplugin/Constants.cs

@@ -30,6 +30,7 @@ public class Config
 			public const string SYNC_CA_FILTER = "SyncCAFilter";
 			public const string FILTER_EXPIRED = "FilterExpiredOrders";
 			public const string SYNC_EXPIRATION_DAYS = "SyncExpirationDays";
+			public const string CERT_TYPE = "CertType";
 		}
 
 		public class RequestAttributes