Feature/86120 revocation reason 0 (#9)

bhillkeyfactor · Keyfactor · indrora · web-flow · commit 635d22f0ee84 · 2026-05-19T09:49:34.000-07:00
* feat: release 1.0 (#1) The HID Global HydrantId AnyCA Gateway REST plugin extends the capabilities of HydrantId Certificate Authority Service to Keyfactor Command via the Keyfactor AnyCA Gateway. This plugin leverages the HydrantId REST API with Hawk authentication to provide comprehensive certificate lifecycle management. The plugin represents a fully featured AnyCA Plugin with the following capabilities: * **CA Sync**: * Download all certificates issued by the HydrantId CA * Support for incremental and full synchronization * Automatic extraction of end-entity certificates from PEM chains * **Certificate Enrollment**: * Support certificate enrollment with new key pairs * Dynamic policy (profile) discovery from the CA * Intelligent renewal vs. re-issue logic based on certificate expiration * Support for PKCS#10 CSR format * Configurable certificate validity periods * **Certificate Revocation**: * Request revocation of previously issued certificates * Support for standard CRL revocation reasons --------- Co-authored-by: Keyfactor <keyfactor@keyfactor.github.io> * Merge 1.0.1 to main (#4) * feat: release 1.0 (#1) The HID Global HydrantId AnyCA Gateway REST plugin extends the capabilities of HydrantId Certificate Authority Service to Keyfactor Command via the Keyfactor AnyCA Gateway. This plugin leverages the HydrantId REST API with Hawk authentication to provide comprehensive certificate lifecycle management. The plugin represents a fully featured AnyCA Plugin with the following capabilities: * **CA Sync**: * Download all certificates issued by the HydrantId CA * Support for incremental and full synchronization * Automatic extraction of end-entity certificates from PEM chains * **Certificate Enrollment**: * Support certificate enrollment with new key pairs * Dynamic policy (profile) discovery from the CA * Intelligent renewal vs. re-issue logic based on certificate expiration * Support for PKCS#10 CSR format * Configurable certificate validity periods * **Certificate Revocation**: * Request revocation of previously issued certificates * Support for standard CRL revocation reasons --------- Co-authored-by: Keyfactor <keyfactor@keyfactor.github.io> * release: 1.0.1 --------- Co-authored-by: Brian Hill <76450501+bhillkeyfactor@users.noreply.github.com> Co-authored-by: Keyfactor <keyfactor@keyfactor.github.io> * Merge 1.0.2 to main (#7) * feat: release 1.0 (#1) The HID Global HydrantId AnyCA Gateway REST plugin extends the capabilities of HydrantId Certificate Authority Service to Keyfactor Command via the Keyfactor AnyCA Gateway. This plugin leverages the HydrantId REST API with Hawk authentication to provide comprehensive certificate lifecycle management. The plugin represents a fully featured AnyCA Plugin with the following capabilities: * **CA Sync**: * Download all certificates issued by the HydrantId CA * Support for incremental and full synchronization * Automatic extraction of end-entity certificates from PEM chains * **Certificate Enrollment**: * Support certificate enrollment with new key pairs * Dynamic policy (profile) discovery from the CA * Intelligent renewal vs. re-issue logic based on certificate expiration * Support for PKCS#10 CSR format * Configurable certificate validity periods * **Certificate Revocation**: * Request revocation of previously issued certificates * Support for standard CRL revocation reasons --------- Co-authored-by: Keyfactor <keyfactor@keyfactor.github.io> * release: 1.0.1 * release 1.0.2 * feat: release 1.0 (#1) The HID Global HydrantId AnyCA Gateway REST plugin extends the capabilities of HydrantId Certificate Authority Service to Keyfactor Command via the Keyfactor AnyCA Gateway. This plugin leverages the HydrantId REST API with Hawk authentication to provide comprehensive certificate lifecycle management. The plugin represents a fully featured AnyCA Plugin with the following capabilities: * **CA Sync**: * Download all certificates issued by the HydrantId CA * Support for incremental and full synchronization * Automatic extraction of end-entity certificates from PEM chains * **Certificate Enrollment**: * Support certificate enrollment with new key pairs * Dynamic policy (profile) discovery from the CA * Intelligent renewal vs. re-issue logic based on certificate expiration * Support for PKCS#10 CSR format * Configurable certificate validity periods * **Certificate Revocation**: * Request revocation of previously issued certificates * Support for standard CRL revocation reasons --------- Co-authored-by: Keyfactor <keyfactor@keyfactor.github.io> * Merge 1.0.1 to main (#4) * feat: release 1.0 (#1) The HID Global HydrantId AnyCA Gateway REST plugin extends the capabilities of HydrantId Certificate Authority Service to Keyfactor Command via the Keyfactor AnyCA Gateway. This plugin leverages the HydrantId REST API with Hawk authentication to provide comprehensive certificate lifecycle management. The plugin represents a fully featured AnyCA Plugin with the following capabilities: * **CA Sync**: * Download all certificates issued by the HydrantId CA * Support for incremental and full synchronization * Automatic extraction of end-entity certificates from PEM chains * **Certificate Enrollment**: * Support certificate enrollment with new key pairs * Dynamic policy (profile) discovery from the CA * Intelligent renewal vs. re-issue logic based on certificate expiration * Support for PKCS#10 CSR format * Configurable certificate validity periods * **Certificate Revocation**: * Request revocation of previously issued certificates * Support for standard CRL revocation reasons --------- Co-authored-by: Keyfactor <keyfactor@keyfactor.github.io> * release: 1.0.1 --------- Co-authored-by: Brian Hill <76450501+bhillkeyfactor@users.noreply.github.com> Co-authored-by: Keyfactor <keyfactor@keyfactor.github.io> * Hydrant Failed Status Issues and Logging * fixed changelog * Add .NET 10 target framework support Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Change FlowLogger from LogTrace to LogDebug/LogWarning The Keyfactor gateway framework sets the Microsoft.Extensions.Logging minimum level above Trace, causing all LogTrace calls to be silently dropped before reaching NLog. Flow diagram and step logging now uses LogDebug (visible), and failure steps use LogWarning for visibility. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Revert FlowLogger back to LogTrace LogTrace works in the CSC Global plugin with the same gateway framework, so the MEL minimum level is not the issue. Reverting to match the established pattern. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fixed package vulns --------- Co-authored-by: Keyfactor <keyfactor@keyfactor.github.io> Co-authored-by: Morgan Gangwere <470584+indrora@users.noreply.github.com> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Brian Hill <76450501+bhillkeyfactor@users.noreply.github.com> Co-authored-by: Keyfactor <keyfactor@keyfactor.github.io> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Fixed revoke reason * Revert "Fixed revoke reason" This reverts commit 2569ae1. * ADO 86120: Add support for revocation reason 0 (Unspecified) HydrantID now supports CRL revocation reason 0 (Unspecified) following the CAB change. The plugin previously rejected this reason in RequestManager.GetMapRevokeReasons with RevokeReasonNotSupportedException. - Add Unspecified = 0 to the RevocationReasons enum - Map keyfactorRevokeReason == 0 to RevocationReasons.Unspecified - Update the unsupported-reason error message to list reason 0 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Restore missing closing brace for switch in GetMapRevokeReasons The release-1.0 merge dropped the closing } of the switch block. * masked senstive config data * change log --------- Co-authored-by: Keyfactor <keyfactor@keyfactor.github.io> Co-authored-by: Morgan Gangwere <470584+indrora@users.noreply.github.com> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
diff --git a/.gitignore b/.gitignore
@@ -330,3 +330,5 @@ ASALocalRun/
 .mfractor/
 .claude/settings.local.json
 sample change.txt
+.claude/settings.json
+
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,7 @@
+# v1.0.3
+* Added support for revocation reason 0 (Unspecified) now that HydrantId accepts it
+* Fixed sensitive credentials (HydrantIdAuthId, HydrantIdAuthKey) being written to trace logs in plain text; raw config JSON is now masked before logging
+
 # v1.0.2
 * Fixed revocation status handling - failed revocations no longer incorrectly set certificate status to FAILED; certificate retains its current active status
 * Added FlowLogger utility for structured flow diagrams across all public plugin methods
diff --git a/HydrantCAProxy/Client/Models/Enums/RevocationReasons.cs b/HydrantCAProxy/Client/Models/Enums/RevocationReasons.cs
@@ -16,6 +16,7 @@ namespace Keyfactor.HydrantId.Client.Models.Enums
     [JsonConverter(typeof(StringEnumConverter))]
     public enum RevocationReasons
     {
+        [EnumMember(Value = "0")] Unspecified = 0,
         [EnumMember(Value = "1")] KeyCompromise = 1,
         [EnumMember(Value = "3")] AffiliationChanged = 3,
         [EnumMember(Value = "4")] Superseded = 4,
diff --git a/HydrantCAProxy/HydrantIdCAPlugin.cs b/HydrantCAProxy/HydrantIdCAPlugin.cs
@@ -52,7 +52,7 @@ public void Initialize(IAnyCAPluginConfigProvider configProvider, ICertificateDa
                     certDataReader = certificateDataReader;
                     Config = configProvider;
                     var rawData = JsonConvert.SerializeObject(configProvider.CAConnectionData);
-                    _logger.LogTrace("Initialize: raw config JSON: {Json}", rawData);
+                    _logger.LogTrace("Initialize: config JSON (sensitive keys masked): {Json}", MaskConfigForLog(rawData));
                     _config = JsonConvert.DeserializeObject<HydrantIdCAPluginConfig.Config>(rawData);
                 });
 
@@ -78,6 +78,38 @@ public void Initialize(IAnyCAPluginConfigProvider configProvider, ICertificateDa
             }
         }
 
+        private static readonly HashSet<string> _sensitiveConfigKeys = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
+        {
+            HydrantIdCAPluginConfig.ConfigConstants.HydrantIdAuthId,
+            HydrantIdCAPluginConfig.ConfigConstants.HydrantIdAuthKey
+        };
+
+        private static string MaskConfigForLog(string rawJson)
+        {
+            if (string.IsNullOrEmpty(rawJson)) return rawJson;
+            try
+            {
+                var token = Newtonsoft.Json.Linq.JToken.Parse(rawJson);
+                if (token is Newtonsoft.Json.Linq.JObject obj)
+                {
+                    foreach (var prop in obj.Properties())
+                    {
+                        if (_sensitiveConfigKeys.Contains(prop.Name) &&
+                            prop.Value.Type != Newtonsoft.Json.Linq.JTokenType.Null)
+                        {
+                            prop.Value = "***REDACTED***";
+                        }
+                    }
+                    return obj.ToString(Newtonsoft.Json.Formatting.None);
+                }
+                return token.ToString(Newtonsoft.Json.Formatting.None);
+            }
+            catch
+            {
+                return "***REDACTED***";
+            }
+        }
+
         private static List<string> CheckRequiredValues(Dictionary<string, object> connectionInfo, params string[] args)
         {
             List<string> errors = new List<string>();
@@ -135,7 +167,7 @@ public Task ValidateCAConnectionInfo(Dictionary<string, object> connectionInfo)
 
             _logger.LogDebug("Validating HydrantId CA Connection properties");
             var rawData = JsonConvert.SerializeObject(connectionInfo);
-            _logger.LogTrace("ValidateCAConnectionInfo: raw connectionInfo JSON: {Json}", rawData);
+            _logger.LogTrace("ValidateCAConnectionInfo: connectionInfo JSON (sensitive keys masked): {Json}", MaskConfigForLog(rawData));
 
             _config = JsonConvert.DeserializeObject<HydrantIdCAPluginConfig.Config>(rawData);
 
diff --git a/HydrantCAProxy/RequestManager.cs b/HydrantCAProxy/RequestManager.cs
@@ -78,6 +78,9 @@ public RevocationReasons GetMapRevokeReasons(uint keyfactorRevokeReason)
                 RevocationReasons returnStatus;
                 switch (keyfactorRevokeReason)
                 {
+                    case 0:
+                        returnStatus = RevocationReasons.Unspecified;
+                        break;
                     case 1:
                         returnStatus = RevocationReasons.KeyCompromise;
                         break;
@@ -92,7 +95,7 @@ public RevocationReasons GetMapRevokeReasons(uint keyfactorRevokeReason)
                         break;
                     default:
                         Log.LogError("GetMapRevokeReasons: unsupported revoke reason {Reason}", keyfactorRevokeReason);
-                        throw new RevokeReasonNotSupportedException($"Revoke reason {keyfactorRevokeReason} is not supported. Supported values: 1 (KeyCompromise), 3 (AffiliationChanged), 4 (Superseded), 5 (CessationOfOperation).");
+                        throw new RevokeReasonNotSupportedException($"Revoke reason {keyfactorRevokeReason} is not supported. Supported values: 0 (Unspecified), 1 (KeyCompromise), 3 (AffiliationChanged), 4 (Superseded), 5 (CessationOfOperation).");
                 }
 
                 Log.LogTrace("GetMapRevokeReasons: {Input} -> {Mapped}", keyfactorRevokeReason, returnStatus);

Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,7 @@ namespace Keyfactor.HydrantId.Client.Models.Enums`
`16`	`16`	`[JsonConverter(typeof(StringEnumConverter))]`
`17`	`17`	`public enum RevocationReasons`
`18`	`18`	`{`
	`19`	`+ [EnumMember(Value = "0")] Unspecified = 0,`
`19`	`20`	`[EnumMember(Value = "1")] KeyCompromise = 1,`
`20`	`21`	`[EnumMember(Value = "3")] AffiliationChanged = 3,`
`21`	`22`	`[EnumMember(Value = "4")] Superseded = 4,`