Merge pull request #42 from Keyfactor/duplicates

add duplicate support

Author: dgaley

CHANGELOG.md

@@ -20,4 +20,7 @@
 ### 2.1.2  
 * Hotfix for incremental sync to default to a 6 day window if no previous incremental sync has run  
 * Workaround for DigiCert API issue where retrieving the PEM data of multiple certificates in the same order can occasionally return duplicate data rather than the correct cert  
-* Remove caching of product ID lookups from DigiCert account  
+* Remove caching of product ID lookups from DigiCert account  
+
+### 2.2.0  
+* Add support for duplicating certs

README.md

@@ -116,6 +116,10 @@ An API Key within your Digicert account that has the necessary permissions to en
     * **UsageDesignation** - Required for secure_email_* types, ignored otherwise. The primary usage of the certificate. Valid values are: signing, key_management, dual_use 
 
 
+## Certificate Duplicates
+
+DigiCert supports the ability to duplicate existing certificate orders. To take advantage of this functionality, in Keyfactor Command, under the enrollment pattern you're using, create an Enrollment Field named 'Duplicate' of type Multiple Choice, and the values 'False', 'True'. When performing a renew operation against that enrollment pattern, set the value to True to tell the gateway to duplicate instead of renew. The field will be ignored on new enrollments.
+
 
 ## License
 

digicert-certcentral-caplugin/API/Duplicate.cs

@@ -0,0 +1,70 @@
+using Keyfactor.Extensions.CAPlugin.DigiCert.Models;
+using Newtonsoft.Json;
+
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace Keyfactor.Extensions.CAPlugin.DigiCert.API
+{
+	[Serializable]
+	public class DuplicateRequest : CertCentralBaseRequest
+	{
+		public DuplicateRequest(uint orderId)
+		{
+			Method = "POST";
+			OrderId = orderId;
+			Resource = $"services/v2/order/certificate/{OrderId}/duplicate";
+			Certificate = new CertificateDuplicateRequest();
+		}
+
+		[JsonProperty("certificate")]
+		public CertificateDuplicateRequest Certificate { get; set; }
+
+		[JsonProperty("order_id")]
+		public uint OrderId { get; set; }
+
+		[JsonProperty("skip_approval")]
+		public bool SkipApproval { get; set; }
+	}
+
+	public class CertificateDuplicateRequest
+	{
+		[JsonProperty("common_name")]
+		public string CommonName { get; set; }
+
+		[JsonProperty("dns_names")]
+		public List<string> DnsNames { get; set; }
+
+		[JsonProperty("csr")]
+		public string CSR { get; set; }
+
+		[JsonProperty("server_platform")]
+		public Server_platform ServerPlatform { get; set; }
+
+		[JsonProperty("signature_hash")]
+		public string SignatureHash { get; set; }
+
+		[JsonProperty("ca_cert_id")]
+		public string CACertID { get; set; }
+	}
+
+	public class DuplicateResponse : CertCentralBaseResponse
+	{
+		public DuplicateResponse()
+		{
+			Requests = new List<Requests>();
+		}
+
+		[JsonProperty("id")]
+		public int OrderId { get; set; }
+
+		[JsonProperty("requests")]
+		public List<Requests> Requests { get; set; }
+
+		[JsonProperty("certificate_chain")]
+		public List<CertificateChainElement> CertificateChain { get; set; }
+	}
+}

digicert-certcentral-caplugin/CertCentralCAPlugin.cs

@@ -16,6 +16,7 @@
 using Newtonsoft.Json;
 
 using Org.BouncyCastle.Asn1.X509;
+using Org.BouncyCastle.Pqc.Crypto.Falcon;
 
 using System.Collections.Concurrent;
 using System.Runtime.InteropServices;
@@ -300,33 +301,56 @@ public async Task<EnrollmentResult> Enroll(string csr, string subject, Dictionar
 				_logger.LogWarning($"{CertCentralConstants.Config.INCLUDE_CLIENT_AUTH}: Ability to include client auth EKU in SSL certs is currently planned to cease in May 2026. Make sure any workflows that depend on this feature are updated before then to avoid interruptions.");
 			}
 
-			// Current gateway core leaves it up to the integration to determine if it is a renewal or a reissue
+			bool dupe = false;
+			// Current gateway core leaves it up to the integration to determine if it is a renewal, a reissue, or a duplicate
 			if (enrollmentType == EnrollmentType.RenewOrReissue)
 			{
-				//// Determine if we're going to do a renew or a reissue.
+				//// Determine if we're going to do a renew, reissue, or duplicate.
 				priorCertSnString = productInfo.ProductParameters["PriorCertSN"];
 				_logger.LogTrace($"Attempting to retrieve the certificate with serial number {priorCertSnString}.");
-				var reqId = _certificateDataReader.GetRequestIDBySerialNumber(priorCertSnString).Result;
-				if (string.IsNullOrEmpty(reqId))
+				priorCertReqID = await _certificateDataReader.GetRequestIDBySerialNumber(priorCertSnString);
+				if (string.IsNullOrEmpty(priorCertReqID))
 				{
 					throw new Exception($"No certificate with serial number '{priorCertSnString}' could be found.");
 				}
-				var expDate = _certificateDataReader.GetExpirationDateByRequestId(reqId);
 
-				var renewCutoff = DateTime.Now.AddDays(renewWindow * -1);
-
-				if (expDate > renewCutoff)
+				if (productInfo.ProductParameters.ContainsKey(CertCentralConstants.Config.DUPLICATE))
+				{
+					string dupStr = productInfo.ProductParameters[CertCentralConstants.Config.DUPLICATE].ToString();
+					if (!bool.TryParse(dupStr, out dupe))
+					{
+						_logger.LogError($"Could not parse 'Duplicate' field as true or false. Check configuration. Value: {dupStr}");
+						throw new Exception($"Could not parse 'Duplicate' field as true or false. Check configuration");
+					}
+				}
+				if (!dupe)
 				{
-					_logger.LogTrace($"Certificate with serial number {priorCertSnString} is within renewal window");
-					enrollmentType = EnrollmentType.Renew;
+					var expDate = _certificateDataReader.GetExpirationDateByRequestId(priorCertReqID);
+
+					var renewCutoff = DateTime.Now.AddDays(renewWindow * -1);
+
+					if (expDate > renewCutoff)
+					{
+						_logger.LogTrace($"Certificate with serial number {priorCertSnString} is within renewal window");
+						enrollmentType = EnrollmentType.Renew;
+					}
+					else
+					{
+						_logger.LogTrace($"Certificate with serial number {priorCertSnString} is not within renewal window. Reissuing...");
+						enrollmentType = EnrollmentType.Reissue;
+					}
 				}
 				else
 				{
-					_logger.LogTrace($"Certificate with serial number {priorCertSnString} is not within renewal window. Reissuing...");
-					enrollmentType = EnrollmentType.Reissue;
+					_logger.LogTrace($"'Duplicate' flag set, performing duplication");
 				}
 			}
 
+			if (dupe)
+			{
+				return await Duplicate(client, productInfo, priorCertReqID, commonName, csr, dnsNames, signatureHash, caCertId);
+			}
+
 			// Check if the order has more validity in it (multi-year cert). If so, do a reissue instead of a renew
 			if (enrollmentType == EnrollmentType.Renew)
 			{
@@ -1459,6 +1483,46 @@ private async Task<EnrollmentResult> Reissue(CertCentralClient client, Enrollmen
 			return await ExtractEnrollmentResult(client, client.ReissueCertificate(reissueRequest), commonName);
 		}
 
+		/// <summary>
+		/// Duplicates a certificate.
+		/// </summary>
+		/// <param name="client">The client used to contact DigiCert.</param>
+		/// <param name="request">The <see cref="OrderRequest"/>.</param>
+		/// <param name="enrollmentProductInfo">Information about the DigiCert product this certificate uses.</param>
+		/// <returns></returns>
+		private async Task<EnrollmentResult> Duplicate(CertCentralClient client, EnrollmentProductInfo enrollmentProductInfo, string caRequestId, string commonName, string csr, List<string> dnsNames, string signatureHash, string caCertId)
+		{
+			CheckProductExistence(enrollmentProductInfo.ProductID);
+
+			// Get order ID
+			_logger.LogTrace("Attempting to parse the order ID from the AnyGateway certificate.");
+			uint orderId = 0;
+			try
+			{
+				orderId = uint.Parse(caRequestId.Split('-').First());
+			}
+			catch (Exception e)
+			{
+				throw new Exception($"There was an error parsing the order ID from the certificate: {e.Message}", e);
+			}
+
+			// Duplicate certificate.
+			DuplicateRequest duplicateRequest = new DuplicateRequest(orderId)
+			{
+				Certificate = new CertificateDuplicateRequest
+				{
+					CommonName = commonName,
+					CSR = csr,
+					DnsNames = dnsNames,
+					SignatureHash = signatureHash,
+					CACertID = caCertId
+				}
+			};
+
+			_logger.LogTrace("Attempting to duplicate certificate.");
+			return await ExtractEnrollmentResult(client, client.DuplicateCertificate(duplicateRequest), commonName);
+		}
+
 		/// <summary>
 		/// Verify that the given product ID is valid
 		/// </summary>

digicert-certcentral-caplugin/Client/CertCentralClient.cs

@@ -357,6 +357,28 @@ public OrderResponse ReissueCertificate(ReissueRequest request)
 			return reissueResponse;
 		}
 
+		public OrderResponse DuplicateCertificate(DuplicateRequest request)
+		{
+			string jsonRequest = JsonConvert.SerializeObject(request, Formatting.None, new JsonSerializerSettings { NullValueHandling = NullValueHandling.Ignore });
+			Logger.LogTrace($"Duplicate request:\n{jsonRequest}");
+
+			CertCentralResponse response = Request(request, jsonRequest);
+
+			OrderResponse duplicateResponse = new OrderResponse();
+			if (!response.Success)
+			{
+				Errors errors = JsonConvert.DeserializeObject<Errors>(response.Response);
+				duplicateResponse.Status = CertCentralBaseResponse.StatusType.ERROR;
+				duplicateResponse.Errors = errors.errors;
+			}
+			else
+			{
+				duplicateResponse = JsonConvert.DeserializeObject<OrderResponse>(response.Response);
+			}
+
+			return duplicateResponse;
+		}
+
 		public RevokeCertificateResponse RevokeCertificate(RevokeCertificateRequest request)
 		{
 			CertCentralResponse response = Request(request, JsonConvert.SerializeObject(request, Formatting.None, new JsonSerializerSettings { NullValueHandling = NullValueHandling.Ignore }));

digicert-certcentral-caplugin/Constants.cs

@@ -25,6 +25,7 @@ public class Config
 			public const string LIFETIME = "LifetimeDays";
 			public const string CA_CERT_ID = "CACertId";
 			public const string RENEWAL_WINDOW = "RenewalWindowDays";
+			public const string DUPLICATE = "Duplicate";
 			public const string REVOKE_CERT = "RevokeCertificateOnly";
 			public const string ENABLED = "Enabled";
 			public const string SYNC_CA_FILTER = "SyncCAFilter";

docsource/configuration.md

@@ -18,3 +18,7 @@ In order to enroll for certificates the Keyfactor Command server must trust the
 
 Note for SMIME product types (Secure Email types): The template configuration fields provided for those are not required to be filled out in the gateway config. Many of those values would change on a per-enrollment basis. The way to handle that is to create Enrollment fields in Command with the same name (for example: CommonNameIndicator) and then any values populated in those fields will override any static values provided in the configuration.
 
+## Certificate Duplicates
+
+DigiCert supports the ability to duplicate existing certificate orders. To take advantage of this functionality, in Keyfactor Command, under the enrollment pattern you're using, create an Enrollment Field named 'Duplicate' of type Multiple Choice, and the values 'False', 'True'. When performing a renew operation against that enrollment pattern, set the value to True to tell the gateway to duplicate instead of renew. The field will be ignored on new enrollments.
+