allow for cert upload as well as store or filepath

Author: dgaley

sectigo-scm-caplugin/Client/SectigoClient.cs

@@ -1,4 +1,5 @@
-using Keyfactor.Extensions.CAPlugin.Sectigo.API;
+using Keyfactor.AnyGateway.Extensions;
+using Keyfactor.Extensions.CAPlugin.Sectigo.API;
 using Keyfactor.Extensions.CAPlugin.Sectigo.Models;
 using Keyfactor.Logging;
 
@@ -305,7 +306,7 @@ private static async Task<T> ProcessResponse<T>(HttpResponseMessage response)
 			}
 		}
 
-		public static SectigoClient InitializeClient(SectigoConfig config)
+		public static SectigoClient InitializeClient(SectigoConfig config, ICertificateResolver certResolver)
 		{
 			Logger.MethodEntry(LogLevel.Debug);
 
@@ -314,7 +315,7 @@ public static SectigoClient InitializeClient(SectigoConfig config)
 			if (config.AuthenticationType.ToLower() == "certificate")
 			{
 				clientHandler.ClientCertificateOptions = ClientCertificateOption.Manual;
-				X509Certificate2 authCert = GetClientCertificate(config);
+				X509Certificate2 authCert = certResolver.ResolveCertificate(config.Certificate);
 				if (authCert == null)
 				{
 					Logger.MethodExit(LogLevel.Debug);
@@ -348,58 +349,6 @@ public static SectigoClient InitializeClient(SectigoConfig config)
 			return new SectigoClient(restClient);
 		}
 
-		private static X509Certificate2 GetClientCertificate(SectigoConfig config)
-		{
-			Logger.MethodEntry(LogLevel.Debug);
-			//Dictionary<string, object> caConnectionCertificateDetail = config["ClientCertificate"] as Dictionary<string, object>;
-			X509Certificate2 clientCert = null;
-
-			if (!string.IsNullOrEmpty(config.Certificate.Thumbprint))
-			{
-				StoreName sn;
-				StoreLocation sl;
-				string thumbprint = config.Certificate.Thumbprint;
-
-				if (String.IsNullOrEmpty(thumbprint) ||
-					!Enum.TryParse(config.Certificate.StoreName, out sn) ||
-					!Enum.TryParse(config.Certificate.StoreLocation, out sl))
-				{
-					throw new Exception("Unable to find client authentication certificate");
-				}
-
-				X509Certificate2Collection foundCerts;
-				using (X509Store currentStore = new X509Store(sn, sl))
-				{
-					Logger.LogTrace($"Search for client auth certificates with Thumprint {thumbprint} in the {sn}{sl} certificate store");
-
-					currentStore.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
-					foundCerts = currentStore.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, true);
-					Logger.LogTrace($"Found {foundCerts.Count} certificates in the {currentStore.Name} store");
-					currentStore.Close();
-				}
-				if (foundCerts.Count > 1)
-				{
-					throw new Exception($"Multiple certificates with Thumprint {thumbprint} found in the {sn}{sl} certificate store");
-				}
-				if (foundCerts.Count > 0)
-					clientCert = foundCerts[0];
-			}
-			else
-			{
-				// Cert is provided via pfx file instead of cert store
-				try
-				{
-					X509Certificate2 cert = new X509Certificate2(config.Certificate.CertificatePath, config.Certificate.CertificatePassword);
-					clientCert = cert;
-				}
-				catch (Exception ex)
-				{
-					throw new Exception($"Unable to open the client certificate file with the given password. Error: {ex.Message}");
-				}
-			}
-			Logger.MethodExit(LogLevel.Debug);
-			return clientCert;
-		}
 		#endregion
 	}
 }

sectigo-scm-caplugin/SectigoCAPlugin.cs

@@ -33,10 +33,12 @@ public class SectigoCAPlugin : IAnyCAPlugin
 		private SectigoConfig _config;
 		private readonly ILogger _logger;
 		private ICertificateDataReader _certificateDataReader;
+		private ICertificateResolver _certificateResolver;
 
-		public SectigoCAPlugin()
+		public SectigoCAPlugin(ICertificateResolver certResolver)
 		{
 			_logger = LogHandler.GetClassLogger<SectigoCAPlugin>();
+			_certificateResolver = certResolver;
 		}
 
 		public void Initialize(IAnyCAPluginConfigProvider configProvider, ICertificateDataReader certificateDataReader)
@@ -88,7 +90,7 @@ public async Task<EnrollmentResult> Enroll(string csr, string subject, Dictionar
 					department = productInfo.ProductParameters["Department"];
 					_logger.LogTrace($"Department: {department}");
 				}
-				var client = SectigoClient.InitializeClient(_config);
+				var client = SectigoClient.InitializeClient(_config, _certificateResolver);
 				var fieldList = Task.Run(async () => await client.ListCustomFields()).Result;
 				var allFields = fieldList.CustomFields?.Select(f => f);
 
@@ -370,7 +372,7 @@ public async Task<AnyCAPluginCertificate> GetSingleRecord(string caRequestID)
 			_logger.LogTrace($"Get Single Certificate Detail from Sectigo (sslId: {caRequestID})");
 			int sslId = int.Parse(caRequestID.Split('-')[0]);
 
-			var client = SectigoClient.InitializeClient(_config);
+			var client = SectigoClient.InitializeClient(_config, _certificateResolver);
 			var singleCert = Task.Run(async () => await client.GetCertificate(sslId)).Result;
 			_logger.LogTrace($"{singleCert.CommonName} ({singleCert.status}) retrieved from Sectigo.");
 
@@ -446,7 +448,7 @@ public async Task Ping()
 			try
 			{
 				_logger.LogDebug("Attempting to ping Sectigo API");
-				var client = SectigoClient.InitializeClient(_config);
+				var client = SectigoClient.InitializeClient(_config, _certificateResolver);
 				_ = Task.Run(async () => await client.ListOrganizations()).Result;
 			}
 			catch (Exception ex)
@@ -462,7 +464,7 @@ public async Task<int> Revoke(string caRequestID, string hexSerialNumber, uint r
 
 			try
 			{
-				var client = SectigoClient.InitializeClient(_config);
+				var client = SectigoClient.InitializeClient(_config, _certificateResolver);
 				var response = Task.Run(async () => await client.RevokeSslCertificateById(int.Parse(caRequestID), (int)revocationReason, RevokeReasonToString(revocationReason))).Result;
 
 				_logger.MethodExit(LogLevel.Debug);
@@ -501,7 +503,7 @@ public async Task Synchronize(BlockingCollection<AnyCAPluginCertificate> blockin
 					string[] filterProfileIds = _config.SyncFilterProfileId.Split(',');
 					filter.Add("sslTypeId", filterProfileIds);
 				}
-				var client = SectigoClient.InitializeClient(_config);
+				var client = SectigoClient.InitializeClient(_config, _certificateResolver);
 				producerTask = client.CertificateListProducer(certsToAdd, newCancelToken.Token, _config.PageSize, filter);
 
 				foreach (Certificate certToAdd in certsToAdd.GetConsumingEnumerable())
@@ -654,7 +656,7 @@ public async Task ValidateProductInfo(EnrollmentProductInfo productInfo, Diction
 			_logger.MethodEntry(LogLevel.Debug);
 			string rawConfig = JsonConvert.SerializeObject(connectionInfo);
 			var parsedConfig = JsonConvert.DeserializeObject<SectigoConfig>(rawConfig);
-			SectigoClient localClient = SectigoClient.InitializeClient(parsedConfig);
+			SectigoClient localClient = SectigoClient.InitializeClient(parsedConfig, _certificateResolver);
 
 			var profileList = Task.Run(async () => await localClient.ListSslProfiles()).Result;
 			if (profileList.SslProfiles.Where(p => p.id == int.Parse(productInfo.ProductID)).Count() == 0)
@@ -667,28 +669,28 @@ public async Task ValidateProductInfo(EnrollmentProductInfo productInfo, Diction
 
 		private async Task<Organization> GetOrganizationAsync(string orgName)
 		{
-			var client = SectigoClient.InitializeClient(_config);
+			var client = SectigoClient.InitializeClient(_config, _certificateResolver);
 			var orgList = await client.ListOrganizations();
 			return orgList.Organizations.Where(x => x.name.ToLower().Equals(orgName.ToLower())).FirstOrDefault();
 		}
 
 		private async Task<int> GetProfileTerm(int profileId)
 		{
-			var client = SectigoClient.InitializeClient(_config);
+			var client = SectigoClient.InitializeClient(_config, _certificateResolver);
 			var profileList = await client.ListSslProfiles();
 			return profileList.SslProfiles.Where(x => x.id == profileId).FirstOrDefault().terms[0];
 		}
 
 		private async Task<Profile> GetProfile(int profileId)
 		{
-			var client = SectigoClient.InitializeClient(_config);
+			var client = SectigoClient.InitializeClient(_config, _certificateResolver);
 			var profileList = await client.ListSslProfiles();
 			return profileList.SslProfiles.Where(x => x.id == profileId).FirstOrDefault();
 		}
 
 		private async Task<List<int>> GetProfileIds()
 		{
-			var client = SectigoClient.InitializeClient(_config);
+			var client = SectigoClient.InitializeClient(_config, _certificateResolver);
 			var profileList = await client.ListSslProfiles();
 			return profileList.SslProfiles.Select(x => x.id).ToList();
 		}
@@ -730,7 +732,7 @@ private async Task<EnrollmentResult> PickUpEnrolledCertificate(int sslId, string
 			while (retryCounter < _config.PickupRetries)
 			{
 				_logger.LogDebug($"Try number {retryCounter + 1} to pickup enrolled certificate");
-				var client = SectigoClient.InitializeClient(_config);
+				var client = SectigoClient.InitializeClient(_config, _certificateResolver);
 				var certificate = Task.Run(async () => await client.PickupCertificate(sslId, subject)).Result;
 				if (certificate != null && !String.IsNullOrEmpty(certificate.Subject))
 				{
@@ -765,7 +767,7 @@ public X509Certificate2 PickupSingleCert(int sslId, string subject)
 			while (retryCounter < _config.PickupRetries)
 			{
 				_logger.LogDebug($"Try number {retryCounter + 1} to pickup single certificate");
-				var client = SectigoClient.InitializeClient(_config);
+				var client = SectigoClient.InitializeClient(_config, _certificateResolver);
 				var certificate = Task.Run(async () => await client.PickupCertificate(sslId, subject)).Result;
 				if (certificate != null && !String.IsNullOrEmpty(certificate.Subject))
 				{

sectigo-scm-caplugin/SectigoConfig.cs

@@ -1,4 +1,6 @@
-using Newtonsoft.Json;
+using Keyfactor.AnyGateway.Extensions;
+
+using Newtonsoft.Json;
 
 using System;
 using System.Collections.Generic;
@@ -54,13 +56,4 @@ public SectigoConfig()
 		[JsonProperty("ClientCertificate")]
 		public ClientCertificate Certificate { get; set; }
 	}
-
-	public class ClientCertificate
-	{
-		public string StoreName { get; set; }
-		public string StoreLocation { get; set; }
-		public string Thumbprint { get; set; }
-		public string CertificatePath { get; set; }
-		public string CertificatePassword { get; set; }
-	}
 }

sectigo-scm-caplugin/sectigo-scm-caplugin.csproj

@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
-    <TargetFramework>net6.0</TargetFramework>
+    <TargetFramework>net8.0</TargetFramework>
     <RootNamespace>Keyfactor.Extensions.CAPlugin.Sectigo</RootNamespace>
     <ImplicitUsings>disable</ImplicitUsings>
     <Nullable>disable</Nullable>
@@ -10,7 +10,7 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Keyfactor.AnyGateway.IAnyCAPlugin" Version="3.0.0" />
+    <PackageReference Include="Keyfactor.AnyGateway.IAnyCAPlugin" Version="3.1.0" />
     <PackageReference Include="Keyfactor.Common" Version="2.5.0" />
     <PackageReference Include="Keyfactor.Logging" Version="1.1.1" />
     <PackageReference Include="Keyfactor.PKI" Version="5.5.0" />