Merge to main

.github/workflows/keyfactor-starter-workflow.yml

@@ -13,7 +13,7 @@ jobs:
   call-starter-workflow:
     uses: keyfactor/actions/.github/workflows/starter.yml@v2
     secrets:
-      token: ${{ secrets.V2BUILDTOKEN}}
-      APPROVE_README_PUSH: ${{ secrets.APPROVE_README_PUSH}}
+      token: ${{ secrets.V2BUILDTOKEN }}
+      APPROVE_README_PUSH: ${{ secrets.V2BUILDTOKEN }}
       gpg_key: ${{ secrets.KF_GPG_PRIVATE_KEY }}
       gpg_pass: ${{ secrets.KF_GPG_PASSPHRASE }}

CHANGELOG.md

@@ -31,4 +31,9 @@ Hotfixes for BaseOption flag for Renewal workflow
 Hotfix for domain lookup  
 
 1.1.2
-Hotfix for renewal workflow
+Hotfix for renewal workflow  
+
+1.2.0
+Add SyncProducts config to filter certificate sync by product ID  
+Add ability to manually specify MSSLProfileID per template to use for domain lookup  
+Bugfix: Treat SANs that match the base domain of a wildcard CN as identical for the purpose of removing duplicates  

README.md

@@ -94,15 +94,18 @@ The following sections will breakdown the required configurations for the AnyGat
 ## Templates
 The Template section will map the CA's SSL profile to an AD template. The Lifetime parameter is required and represents the certificate duration in months. 
 * ```ContactName```
-The name to pass to GlobalSign as the contact name for enrollments. OPTIONAL if Active Directory authentication is used in Keyfactor Command, in that case it can look up the name of the requesting user. Value provided in this config field overrides AD lookups.
+The name to pass to GlobalSign as the contact name for enrollments. OPTIONAL if Active Directory authentication is used in Keyfactor Command, in that case it can look up the name of the requesting user. Value provided in this config field overrides AD lookups.  
+* ```MSSLProfileID```
+OPTIONAL: If specified, enrollments will use that profile ID for domain lookups. If not provided, domain lookup will be done based on the Common Name or first DNS SAN. Useful if your GlobalSign account has multiple domain objects with the same domain string, or subdomains (e.g. sub.test.com vs test.com).
 
  ```json
   "Templates": {
 	"WebServer": {
       "ProductID": "PV_SHA2",
       "Parameters": {
 		"Lifetime":"12",
-		"ContactName":"John Doe"
+		"ContactName":"John Doe",
+		"MSSLProfileID":"123456"
       }
    }
 }
@@ -194,14 +197,19 @@ This is the password that will be used to connect to the GlobalSign API
 OPTIONAL: If provided, full syncs will start at the specified date.
 * ```SyncIntervalDays```  
 OPTIONAL: Required if SyncStartDate is used. Specifies how to page the certificate sync. Should be a value such that no interval of that length contains > 500 certificate enrollments.
+* ```SyncProducts```  
+OPTIONAL: If provided as a comma-separated list of product IDs, will limit the certificate sync to only certificates of those products. If blank or not provided, will sync all certs.
 
 ```json
   "CAConnection": {
 	"IsTest":"false",
 	"PickupRetries":5,
 	"PickupDelay":150,
 	"Username":"PAR12344_apiuser",
-	"Password":"password"
+	"Password":"password",
+	"SyncStartDate":"2020-01-01",
+	"SyncIntervalDays":30,
+	"SyncProducts":"PV_SHA2, PEV_SHA2"
   },
 ```
 ## GatewayRegistration

globalsign-mssl-cagateway.sln

@@ -1,7 +1,7 @@
 
 Microsoft Visual Studio Solution File, Format Version 12.00
-# Visual Studio Version 16
-VisualStudioVersion = 16.0.31129.286
+# Visual Studio Version 17
+VisualStudioVersion = 17.10.35122.118
 MinimumVisualStudioVersion = 10.0.40219.1
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "GlobalSignCAProxy", "src\GlobalSignCAProxy\GlobalSignCAProxy.csproj", "{8A26FA6A-22CC-4BD0-9AAC-CDF95A85011D}"
 EndProject
@@ -13,8 +13,7 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution
 	ProjectSection(SolutionItems) = preProject
 		CHANGELOG.md = CHANGELOG.md
 		integration-manifest.json = integration-manifest.json
-		.github\workflows\keyfactor-extension-generate-readme.yml = .github\workflows\keyfactor-extension-generate-readme.yml
-		.github\workflows\keyfactor-extension-release.yml = .github\workflows\keyfactor-extension-release.yml
+		.github\workflows\keyfactor-starter-workflow.yml = .github\workflows\keyfactor-starter-workflow.yml
 		README.md.tpl = README.md.tpl
 		readme_source.md = readme_source.md
 	EndProjectSection

integration-manifest.json

@@ -5,7 +5,8 @@
   "status": "production",
   "update_catalog": true,
   "link_github": true,
-  "release_dir": "src\\GlobalSignCAProxy\\bin\\Release",
+  "release_dir": "src/GlobalSignCAProxy/bin/Release",
+  "release_project":  "src/GlobalSignCAProxy/GlobalSignCAProxy.csproj",
   "support_level": "kf-supported",
   "description": "This integration allows for the Synchronization, Enrollment, and Revocation of TLS Certificates from the GlobalSign Certificate Center."
 }

readme_source.md

@@ -52,15 +52,18 @@ The following sections will breakdown the required configurations for the AnyGat
 ## Templates
 The Template section will map the CA's SSL profile to an AD template. The Lifetime parameter is required and represents the certificate duration in months. 
 * ```ContactName```
-The name to pass to GlobalSign as the contact name for enrollments. OPTIONAL if Active Directory authentication is used in Keyfactor Command, in that case it can look up the name of the requesting user. Value provided in this config field overrides AD lookups.
+The name to pass to GlobalSign as the contact name for enrollments. OPTIONAL if Active Directory authentication is used in Keyfactor Command, in that case it can look up the name of the requesting user. Value provided in this config field overrides AD lookups.  
+* ```MSSLProfileID```
+OPTIONAL: If specified, enrollments will use that profile ID for domain lookups. If not provided, domain lookup will be done based on the Common Name or first DNS SAN. Useful if your GlobalSign account has multiple domain objects with the same domain string, or subdomains (e.g. sub.test.com vs test.com).
 
  ```json
   "Templates": {
 	"WebServer": {
       "ProductID": "PV_SHA2",
       "Parameters": {
 		"Lifetime":"12",
-		"ContactName":"John Doe"
+		"ContactName":"John Doe",
+		"MSSLProfileID":"123456"
       }
    }
 }
@@ -152,14 +155,19 @@ This is the password that will be used to connect to the GlobalSign API
 OPTIONAL: If provided, full syncs will start at the specified date.
 * ```SyncIntervalDays```  
 OPTIONAL: Required if SyncStartDate is used. Specifies how to page the certificate sync. Should be a value such that no interval of that length contains > 500 certificate enrollments.
+* ```SyncProducts```  
+OPTIONAL: If provided as a comma-separated list of product IDs, will limit the certificate sync to only certificates of those products. If blank or not provided, will sync all certs.
 
 ```json
   "CAConnection": {
 	"IsTest":"false",
 	"PickupRetries":5,
 	"PickupDelay":150,
 	"Username":"PAR12344_apiuser",
-	"Password":"password"
+	"Password":"password",
+	"SyncStartDate":"2020-01-01",
+	"SyncIntervalDays":30,
+	"SyncProducts":"PV_SHA2, PEV_SHA2"
   },
 ```
 ## GatewayRegistration

src/GlobalSignCAProxy/Api/GlobalSignEnrollRequest.cs

@@ -7,18 +7,18 @@
 
 using CSS.Common.Logging;
 
-using Keyfactor.Extensions.AnyGateway.GlobalSign.Services.Order;
+using Keyfactor.Extensions.AnyGateway.GlobalSign.Services.Order;
 
-using System.Collections.Generic;
+using System.Collections.Generic;
 using System.Linq;
-using System.Text;
-
-namespace Keyfactor.Extensions.AnyGateway.GlobalSign.Api
-{
+using System.Text;
+
+namespace Keyfactor.Extensions.AnyGateway.GlobalSign.Api
+{
 	public class GlobalSignEnrollRequest : LoggingClientBase
 	{
 		internal GlobalSignCAConfig Config;
-
+
 		public GlobalSignEnrollRequest(GlobalSignCAConfig config)
 		{
 			Config = config;
@@ -90,6 +90,29 @@ public BmV2PvOrderRequest Request
 								Logger.Info($"SAN Entry {item} matches CN, removing from request");
 								continue;
 							}
+							string trimCN = CommonName, trimItem = item;
+							if (CommonName.StartsWith("*."))
+							{
+								trimCN = CommonName.Substring(2).ToLower();
+								trimItem = item.ToLower();
+								List<string> equivs = new List<string> { $"*.{trimCN}", $"www.{trimCN}", $"{trimCN}" };
+								if (equivs.Contains(trimItem))
+								{
+									Logger.Info($"SAN Entry {item} is equivalent to CN ignoring wildcards or www prefix, removing from request");
+									continue;
+								}
+							}
+							else if (CommonName.StartsWith("www."))
+							{
+								trimCN = CommonName.Substring(4).ToLower();
+								trimItem = item.ToLower();
+								List<string> equivs = new List<string> { $"www.{trimCN}", $"{trimCN}" };
+								if (equivs.Contains(trimItem))
+								{
+									Logger.Info($"SAN Entry {item} is equivalent to CN ignoring wildcards or www prefix, removing from request");
+									continue;
+								}
+							}
 							SANEntry entry = new SANEntry();
 							entry.SubjectAltName = item;
 							StringBuilder sb = new StringBuilder();
@@ -134,9 +157,12 @@ public BmV2PvOrderRequest Request
 				{
 					request.OrderRequestParameter.BaseOption = BaseOption;
 				}
-
+
 				return request;
 			}
 		}
-	}
-}
+
+	}
+}
+
+

src/GlobalSignCAProxy/Api/GlobalSignRenewRequest.cs

@@ -44,6 +44,28 @@ public GlobalSignRenewRequest(GlobalSignCAConfig config) : base(config) { }
 								Logger.Info($"SAN Entry {item} matches CN, removing from request");
 								continue;
 							}
+							string trimCN = CommonName, trimItem = item;
+							if (trimCN.StartsWith("*."))
+							{
+								trimCN = trimCN.Substring(2);
+							}
+							else if (trimCN.StartsWith("www."))
+							{
+								trimCN = trimCN.Substring(4);
+							}
+							if (trimItem.StartsWith("*."))
+							{
+								trimItem = trimItem.Substring(2);
+							}
+							else if (trimItem.StartsWith("www."))
+							{
+								trimItem = trimItem.Substring(4);
+							}
+							if (string.Equals(trimCN, trimItem, System.StringComparison.OrdinalIgnoreCase))
+							{
+								Logger.Info($"SAN Entry {item} is equivalent to CN ignoring wildcards or www prefix, removing from request");
+								continue;
+							}
 							SANEntry entry = new SANEntry();
 							entry.SubjectAltName = item;
 							StringBuilder sb = new StringBuilder();

src/GlobalSignCAProxy/Client/GlobalSignApiClient.cs

@@ -298,7 +298,7 @@ public EnrollmentResult Enroll(GlobalSignEnrollRequest enrollRequest)
 				{
 					Logger.Trace($"Order Base Option: {rawRequest.OrderRequestParameter.BaseOption}");
 				}
-				var response = OrderService.PVOrder(enrollRequest.Request);
+				var response = OrderService.PVOrder(rawRequest);
 				if (response.OrderResponseHeader.SuccessCode == 0)
 				{
 					Logger.Debug($"Enrollment request successfully submitted");
@@ -365,7 +365,7 @@ public EnrollmentResult Renew(GlobalSignRenewRequest renewRequest)
 					Logger.Trace($"Order Base Option: {rawRequest.OrderRequestParameter.BaseOption}");
 				}
 				Logger.Trace($"Renewal Target: {rawRequest.OrderRequestParameter.RenewalTargetOrderID}");
-				var response = OrderService.PVOrder(renewRequest.Request);
+				var response = OrderService.PVOrder(rawRequest);
 				if (response.OrderResponseHeader.SuccessCode == 0)
 				{
 					Logger.Debug($"Renewal request successfully submitted");

src/GlobalSignCAProxy/GlobalSignCAConfig.cs

@@ -25,6 +25,7 @@ public class GlobalSignCAConfig
 
 		public string SyncStartDate { get; set; }
 		public int SyncIntervalDays { get; set; }
+		public string SyncProducts { get; set; }
 
         public string GetUrl(GlobalSignServiceType queryType)
         {

src/GlobalSignCAProxy/GlobalSignCAProxy.cs

@@ -19,6 +19,7 @@
 
 using Newtonsoft.Json;
 
+using Org.BouncyCastle.Asn1.IsisMtt.X509;
 using Org.BouncyCastle.Crypto.Tls;
 
 using System;
@@ -27,6 +28,7 @@
 using System.Linq;
 using System.Security.Policy;
 using System.Text;
+using System.Text.RegularExpressions;
 using System.Threading;
 using System.Web.Services.Configuration;
 
@@ -97,6 +99,7 @@ public override EnrollmentResult Enroll(ICertificateDataReader certificateDataRe
 				// If no CN is found, go through the DNS Name SANs in order, and find a domain that maches the end of one of those SANs
 				// If a match is found, set the common name to that SAN (GlobalSign API requires the CommonName field be populated)
 				string commonName = null;
+				List<DomainDetail> matchedDomains = null;
 				DomainDetail domain = null;
 				var allDomains = apiClient.GetDomains();
 				// Only acccept domains that are able to issue certificates
@@ -131,28 +134,46 @@ public override EnrollmentResult Enroll(ICertificateDataReader certificateDataRe
 
 				var sanDict = new Dictionary<string, string[]>(san, StringComparer.OrdinalIgnoreCase);
 				Logger.Trace($"DNS SAN Count: {sanDict["dns"].Count()}");
+
 				if (commonName == null)
 				{
-					foreach (string dnsSan in sanDict["dns"])
+					if (sanDict["dns"].Count() > 0)
 					{
-						var tempDomain = validDomains.Where(d => dnsSan.EndsWith($".{d.DomainName}", StringComparison.OrdinalIgnoreCase)).FirstOrDefault();
-						if (tempDomain != null)
-						{
-							Logger.Debug($"SAN Domain match found for SAN: {dnsSan}");
-							domain = tempDomain;
-							commonName = dnsSan;
-							break;
-						}
+						string dnsSan = sanDict["dns"][0];
+						matchedDomains = validDomains.Where(d => dnsSan.Equals(d.DomainName, StringComparison.OrdinalIgnoreCase)
+								|| dnsSan.EndsWith($".{d.DomainName}", StringComparison.OrdinalIgnoreCase)).ToList();
+						commonName = dnsSan;
 					}
 				}
 				else
 				{
-					domain = validDomains.Where(d => commonName.EndsWith($".{d.DomainName}", StringComparison.OrdinalIgnoreCase)).FirstOrDefault();
+					matchedDomains = validDomains.Where(d => commonName.Equals(d.DomainName, StringComparison.OrdinalIgnoreCase)
+							|| commonName.EndsWith($".{d.DomainName}", StringComparison.OrdinalIgnoreCase)).ToList();
 				}
 
-				if (domain == null)
+				if (matchedDomains.Count == 1)
 				{
-					throw new Exception("Unable to determine GlobalSign domain");
+					domain = matchedDomains[0];
+				}
+				else
+				{
+					if (productInfo.ProductParameters.ContainsKey("MSSLProfileID"))
+					{
+						var profID = productInfo.ProductParameters["MSSLProfileID"];
+						var tempDomain = matchedDomains.Where(d => d.MSSLProfileID.Equals(profID, StringComparison.OrdinalIgnoreCase)).FirstOrDefault();
+						if (tempDomain != null)
+						{
+							domain = tempDomain;
+						}
+						else
+						{
+							throw new Exception($"No domain matching common name {commonName} has provided MSSLProfileID of {profID}. Check configuration.");
+						}
+					}
+					else
+					{
+						throw new Exception("Unable to determine GlobalSign domain, and no MSSLProfileID provided.");
+					}
 				}
 
 				Logger.Debug($"Domain info:\nDomain Name: {domain?.DomainName}\nMsslDomainId: {domain?.DomainID}\nMsslProfileId: {domain?.MSSLProfileID}");
@@ -272,8 +293,31 @@ public override void Synchronize(ICertificateDataReader certificateDataReader, B
 				DateTime? syncFrom = certificateAuthoritySyncInfo.DoFullSync ? fullSyncFrom : certificateAuthoritySyncInfo.OverallLastSync;
 				var certs = apiClient.GetCertificatesForSync(certificateAuthoritySyncInfo.DoFullSync, syncFrom, fullSyncFrom, Config.SyncIntervalDays);
 
-				foreach (var c in certs)
+				bool productFilter = false;
+				List<string> products = null;
+				if (!string.IsNullOrEmpty(Config.SyncProducts))
 				{
+					products = Config.SyncProducts.Split(',').ToList();
+					products.ForEach(p => p.ToUpper());
+					productFilter = true;
+                }
+
+				foreach (var c in certs)
+				{	
+					if (productFilter)
+					{
+						bool prodMatch = false;
+						if (c.OrderInfo?.ProductCode != null && products.Contains(c.OrderInfo.ProductCode.ToUpper()))
+						{
+							prodMatch = true;
+						}
+						if (!prodMatch)
+						{
+							Logger.Info($"Found certificate with product code {c.OrderInfo?.ProductCode}, which does not match the filter criteria. Skipping.");
+							continue;
+						}
+					}
+
 					GlobalSignOrderStatus orderStatus = (GlobalSignOrderStatus)Enum.Parse(typeof(GlobalSignOrderStatus), c.CertificateInfo.CertificateStatus);
 					DateTime? subDate = DateTime.TryParse(c.OrderInfo?.OrderDate, out DateTime orderDate) ? orderDate : (DateTime?)null;
 					DateTime? resDate = DateTime.TryParse(c.OrderInfo?.OrderCompleteDate, out DateTime completeDate) ? completeDate : (DateTime?)null;
@@ -433,4 +477,5 @@ private static string ParseSubject(string subject, string rdn)
 
 		#endregion Private Methods
 	}
-}
+
+}