From 1cbfabe89d81bc30850679a29dfc3c65b79d1e3b Mon Sep 17 00:00:00 2001 From: Hayden Date: Mon, 21 Oct 2024 23:48:59 +0000 Subject: [PATCH 1/7] chore(grpc): Set grpc.max_receive_message_length to -1 --- src/GoogleCAProxy/GoogleCAProxy.cs | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/src/GoogleCAProxy/GoogleCAProxy.cs b/src/GoogleCAProxy/GoogleCAProxy.cs index ce6b0c5..c628e5a 100644 --- a/src/GoogleCAProxy/GoogleCAProxy.cs +++ b/src/GoogleCAProxy/GoogleCAProxy.cs @@ -11,6 +11,7 @@ using CAProxy.Common; using CSS.PKI; using Google.Api.Gax; +using Google.Api.Gax.Grpc; using Google.Cloud.Security.PrivateCA.V1; using Google.Protobuf.WellKnownTypes; using Grpc.Core; @@ -644,12 +645,19 @@ private CAConnectorCertificate ProcessCAResponse(Certificate caCertificate) /// private static CertificateAuthorityServiceClient BuildClient() { - CertificateAuthorityServiceClientBuilder caClient = new CertificateAuthorityServiceClientBuilder + string credentialsPath = Environment.GetEnvironmentVariable(AuthEnvVariableName, EnvironmentVariableTarget.Machine); + + // Set the gRPC buffer size to -1 for "no limit" + // https://grpc.github.io/grpc/core/group__grpc__arg__keys.html#ga813f94f9ac3174571dd712c96cdbbdc1 + GrpcChannelOptions grpcChannelOptions = GrpcChannelOptions.Empty.WithMaxReceiveMessageSize(-1); + + CertificateAuthorityServiceClientBuilder caClientBuilder = new CertificateAuthorityServiceClientBuilder { - CredentialsPath = - Environment.GetEnvironmentVariable(AuthEnvVariableName, EnvironmentVariableTarget.Machine) + CredentialsPath = credentialsPath, + GrpcChannelOptions = grpcChannelOptions, }; - return caClient.Build(); + + return caClientBuilder.Build(); } #endregion From adccfee70ff34c996605a5a79d18fbbe3ecebcf7 Mon Sep 17 00:00:00 2001 From: Hayden Date: Mon, 21 Oct 2024 23:56:27 +0000 Subject: [PATCH 2/7] chore(docs): Changelog & Doctool --- CHANGELOG.md | 5 ++++- readme_source.md => docsource/content.md | 14 +++++++------- 2 files changed, 11 insertions(+), 8 deletions(-) rename readme_source.md => docsource/content.md (96%) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7667ec3..12df884 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,7 @@ -# v2.0.0 +# v2.0.1 +* Set `grpc.max_receive_message_length` to -1 on `CertificateAuthorityServiceClientBuilder` + +# v2.0.0 * Migrate `packages.config` to `PackageReference` format * Upgrade packages to support Keyfactor AnyCA Gateway DCOM v24.2 * Upgrade `Keyfactor.AnyGateway.SDK` to `24.2.0-PRERELEASE-47446` diff --git a/readme_source.md b/docsource/content.md similarity index 96% rename from readme_source.md rename to docsource/content.md index e7b6074..8ab81fa 100644 --- a/readme_source.md +++ b/docsource/content.md @@ -1,4 +1,4 @@ -## Overview +## Overview The [Google Cloud Platform (GCP) CA Services (CAS)](https://cloud.google.com/security/products/certificate-authority-service) AnyCA Gateway DCOM plugin extends the capabilities of connected GCP CAS CAs to [Keyfactor Command](https://www.keyfactor.com/products/command/) via the Keyfactor AnyCA Gateway DCOM. The plugin represents a fully featured AnyCA DCOM Plugin with the following capabilies: @@ -11,7 +11,7 @@ The [Google Cloud Platform (GCP) CA Services (CAS)](https://cloud.google.com/sec * Request revocation of a previously issued certificate. > The GCP CAS AnyCA Gateway DCOM plugin is **not** supported for [DevOps Tier](https://cloud.google.com/certificate-authority-service/docs/tiers) Certificate Authority Pools. -> +> > DevOps tier CA Pools don't offer listing, describing, or revoking certificates. ## Compatibility @@ -32,7 +32,7 @@ Please refer to [Google's documentation](https://cloud.google.com/docs/authentic > > 1. The service account that the AnyCA Gateway REST runs under must have read permission to the GCP credential JSON file. > 2. You must set the `GOOGLE_APPLICATION_CREDENTIALS` environment variable for the Windows Service running the AnyCA Gateway REST using the [Windows registry editor](https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/windows-registry-advanced-users). -> * Refer to the [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment](https://learn.microsoft.com/en-us/windows/win32/procthread/environment-variables) docs. + > * Refer to the [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment](https://learn.microsoft.com/en-us/windows/win32/procthread/environment-variables) docs. If the selected ADC mechanism is [Service Account Key](https://cloud.google.com/docs/authentication/provide-credentials-adc#wlif-key), it's recommended that a [custom role is created](https://cloud.google.com/iam/docs/creating-custom-roles) that has the following minimum permissions: @@ -51,7 +51,7 @@ If the selected ADC mechanism is [Service Account Key](https://cloud.google.com/ Both the Keyfactor Command and AnyCA Gateway DCOM servers must trust the root CA, and if applicable, any subordinate CAs for all features to work as intended. Download the CA Certificate (and chain, if applicable) from GCP [CAS](https://console.cloud.google.com/security/cas), and import them into the appropriate certificate store on the AnyCA Gateway DCOM server. -* **Windows** - The root CA and applicable subordinate CAs must be imported into the Windows certificate store. The certificates can be imported using the Microsoft Management Console (MMC) or PowerShell. +* **Windows** - The root CA and applicable subordinate CAs must be imported into the Windows certificate store. The certificates can be imported using the Microsoft Management Console (MMC) or PowerShell. * Certificates can be imported in MMC by "File" -> "Add/Remove Snap-in" -> "Certificates" -> "Add >" -> "Computer account" -> "Local computer". * Root CAs must go in the `Trusted Root Certification Authorities` certificate store. * Subordinate CAs must go in the `Intermediate Certification Authorities` certificate store. @@ -106,14 +106,14 @@ The GCP CAS AnyCA Gateway DCOM plugin supports [GCP CAS Certificate Templates](h ``` - > Depending on additional environment-specific factors, additional binding redirects may need to be applied to `CAProxyServer.config`. + > Depending on additional environment-specific factors, additional binding redirects may need to be applied to `CAProxyServer.config`. ## Configuration -The following sections will breakdown the required configurations for the AnyGatewayConfig.json file that will be imported to configure the Google CA. +The following sections will breakdown the required configurations for the AnyGatewayConfig.json file that will be imported to configure the Google CA. ### Templates -As discussed in the [Template Identification](#template-identification), the GCP CAS AnyCA Gateway DCOM plugin supports [GCP CAS Certificate Templates](https://cloud.google.com/certificate-authority-service/docs/policy-controls). The Keyfactor AnyCA Gateway DCOM maps [AD Certificate Templates](https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/certificate-template-concepts) to GCP Certificate Templates via the `ProductID` property in the `Templates` section of configuration files. +As discussed in the [Template Identification](#template-identification), the GCP CAS AnyCA Gateway DCOM plugin supports [GCP CAS Certificate Templates](https://cloud.google.com/certificate-authority-service/docs/policy-controls). The Keyfactor AnyCA Gateway DCOM maps [AD Certificate Templates](https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/certificate-template-concepts) to GCP Certificate Templates via the `ProductID` property in the `Templates` section of configuration files. _At least one_ Certificate Template must be defined in this section with the `ProductID` set to `Default`. This Product ID corresponds to no Certificate Template for the [CreateCertificate RPC](https://cloud.google.com/certificate-authority-service/docs/reference/rpc/google.cloud.security.privateca.v1#google.cloud.security.privateca.v1.CertificateAuthorityService.CreateCertificate). From 07b58672d38ae5aa4c502d54e292fed6d5df300c Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Mon, 21 Oct 2024 23:57:15 +0000 Subject: [PATCH 3/7] Update generated docs --- README.md | 26 +++++--------------------- 1 file changed, 5 insertions(+), 21 deletions(-) diff --git a/README.md b/README.md index b37667f..37012db 100644 --- a/README.md +++ b/README.md @@ -31,22 +31,6 @@ The GCP CAS AnyCA Gateway DCOM plugin is open source and there is **no SLA**. Ke > To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab. -## Overview - -The [Google Cloud Platform (GCP) CA Services (CAS)](https://cloud.google.com/security/products/certificate-authority-service) AnyCA Gateway DCOM plugin extends the capabilities of connected GCP CAS CAs to [Keyfactor Command](https://www.keyfactor.com/products/command/) via the Keyfactor AnyCA Gateway DCOM. The plugin represents a fully featured AnyCA DCOM Plugin with the following capabilies: - -* CA Sync: - * Download all certificates issued by connected Enterprise tier CAs in GCP CAS (full sync). - * Download all certificates issued by connected Enterprise tier CAs in GCP CAS issued after a specified time (incremental sync). -* Certificate enrollment for all published GoDaddy Certificate SKUs: - * Support certificate enrollment (new keys/certificate). -* Certificate revocation: - * Request revocation of a previously issued certificate. - -> The GCP CAS AnyCA Gateway DCOM plugin is **not** supported for [DevOps Tier](https://cloud.google.com/certificate-authority-service/docs/tiers) Certificate Authority Pools. -> -> DevOps tier CA Pools don't offer listing, describing, or revoking certificates. - ## Compatibility This AnyGateway is designed to be used with version 24.2 of the Keyfactor AnyCA Gateway DCOM Framework. @@ -65,7 +49,7 @@ Please refer to [Google's documentation](https://cloud.google.com/docs/authentic > > 1. The service account that the AnyCA Gateway REST runs under must have read permission to the GCP credential JSON file. > 2. You must set the `GOOGLE_APPLICATION_CREDENTIALS` environment variable for the Windows Service running the AnyCA Gateway REST using the [Windows registry editor](https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/windows-registry-advanced-users). -> * Refer to the [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment](https://learn.microsoft.com/en-us/windows/win32/procthread/environment-variables) docs. + > * Refer to the [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment](https://learn.microsoft.com/en-us/windows/win32/procthread/environment-variables) docs. If the selected ADC mechanism is [Service Account Key](https://cloud.google.com/docs/authentication/provide-credentials-adc#wlif-key), it's recommended that a [custom role is created](https://cloud.google.com/iam/docs/creating-custom-roles) that has the following minimum permissions: @@ -84,7 +68,7 @@ If the selected ADC mechanism is [Service Account Key](https://cloud.google.com/ Both the Keyfactor Command and AnyCA Gateway DCOM servers must trust the root CA, and if applicable, any subordinate CAs for all features to work as intended. Download the CA Certificate (and chain, if applicable) from GCP [CAS](https://console.cloud.google.com/security/cas), and import them into the appropriate certificate store on the AnyCA Gateway DCOM server. -* **Windows** - The root CA and applicable subordinate CAs must be imported into the Windows certificate store. The certificates can be imported using the Microsoft Management Console (MMC) or PowerShell. +* **Windows** - The root CA and applicable subordinate CAs must be imported into the Windows certificate store. The certificates can be imported using the Microsoft Management Console (MMC) or PowerShell. * Certificates can be imported in MMC by "File" -> "Add/Remove Snap-in" -> "Certificates" -> "Add >" -> "Computer account" -> "Local computer". * Root CAs must go in the `Trusted Root Certification Authorities` certificate store. * Subordinate CAs must go in the `Intermediate Certification Authorities` certificate store. @@ -139,14 +123,14 @@ The GCP CAS AnyCA Gateway DCOM plugin supports [GCP CAS Certificate Templates](h ``` - > Depending on additional environment-specific factors, additional binding redirects may need to be applied to `CAProxyServer.config`. + > Depending on additional environment-specific factors, additional binding redirects may need to be applied to `CAProxyServer.config`. ## Configuration -The following sections will breakdown the required configurations for the AnyGatewayConfig.json file that will be imported to configure the Google CA. +The following sections will breakdown the required configurations for the AnyGatewayConfig.json file that will be imported to configure the Google CA. ### Templates -As discussed in the [Template Identification](#template-identification), the GCP CAS AnyCA Gateway DCOM plugin supports [GCP CAS Certificate Templates](https://cloud.google.com/certificate-authority-service/docs/policy-controls). The Keyfactor AnyCA Gateway DCOM maps [AD Certificate Templates](https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/certificate-template-concepts) to GCP Certificate Templates via the `ProductID` property in the `Templates` section of configuration files. +As discussed in the [Template Identification](#template-identification), the GCP CAS AnyCA Gateway DCOM plugin supports [GCP CAS Certificate Templates](https://cloud.google.com/certificate-authority-service/docs/policy-controls). The Keyfactor AnyCA Gateway DCOM maps [AD Certificate Templates](https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/certificate-template-concepts) to GCP Certificate Templates via the `ProductID` property in the `Templates` section of configuration files. _At least one_ Certificate Template must be defined in this section with the `ProductID` set to `Default`. This Product ID corresponds to no Certificate Template for the [CreateCertificate RPC](https://cloud.google.com/certificate-authority-service/docs/reference/rpc/google.cloud.security.privateca.v1#google.cloud.security.privateca.v1.CertificateAuthorityService.CreateCertificate). From e66af2ae2de2cf0c8909dfdec427692138216418 Mon Sep 17 00:00:00 2001 From: David Galey Date: Tue, 28 Jan 2025 08:38:21 -0500 Subject: [PATCH 4/7] Support subject/SANs outside of CSR --- src/GoogleCAProxy/GoogleCAProxy.cs | 67 ++++++++++++++++++++++++++---- 1 file changed, 60 insertions(+), 7 deletions(-) diff --git a/src/GoogleCAProxy/GoogleCAProxy.cs b/src/GoogleCAProxy/GoogleCAProxy.cs index c628e5a..e8b543c 100644 --- a/src/GoogleCAProxy/GoogleCAProxy.cs +++ b/src/GoogleCAProxy/GoogleCAProxy.cs @@ -101,13 +101,47 @@ public override EnrollmentResult Enroll(ICertificateDataReader certificateDataRe $"LifetimeKey not found in Product Parameters for Product Id {productInfo.ProductID}. Using default value of 365 days."); } - Log.LogDebug($"Configuring {typeof(Certificate)} for {subject} with {lifetimeInDays} days validity"); + CertificateConfig certConfig = new CertificateConfig(); + certConfig.SubjectConfig = new CertificateConfig.Types.SubjectConfig(); + bool useConfig = false; + if (!string.IsNullOrEmpty(subject)) + { + certConfig.SubjectConfig.Subject = new Subject + { + CommonName = ParseSubject(subject, "CN=", false), + Organization = ParseSubject(subject, "O=", false), + OrganizationalUnit = ParseSubject(subject, "OU=", false), + CountryCode = ParseSubject(subject, "C=", false), + Locality = ParseSubject(subject, "L=", false) + }; + useConfig = true; + } + var dnsSans = new List(); + if (san != null & san.Count > 0) + { + var dnsKeys = san.Keys.Where(k => k.IndexOf("dns", StringComparison.OrdinalIgnoreCase) >= 0); + foreach (var key in dnsKeys) + { + dnsSans.AddRange(san[key]); + } + } + if (dnsSans.Count > 0) + { + certConfig.SubjectConfig.SubjectAltName = new SubjectAltNames + { + DnsNames = { dnsSans } + }; + useConfig = true; + } + + Log.LogDebug($"Configuring {typeof(Certificate)} for {subject} with {lifetimeInDays} days validity"); Certificate certificate = new Certificate { PemCsr = $"-----BEGIN NEW CERTIFICATE REQUEST-----\n{pemify(csr)}\n-----END NEW CERTIFICATE REQUEST-----", Lifetime = Duration.FromTimeSpan(new TimeSpan(lifetimeInDays, 0, 0, 0, - 0)) //365 day default or defined by config + 0)), //365 day default or defined by config + Config = (useConfig) ? certConfig : null }; if (productInfo.ProductID == NoTemplateProductId) @@ -660,11 +694,30 @@ private static CertificateAuthorityServiceClient BuildClient() return caClientBuilder.Build(); } - #endregion - - #region Obsolete Methods - - [Obsolete] + private static string ParseSubject(string subject, string rdn, bool required = true) + { + string escapedSubject = subject.Replace("\\,", "|"); + string rdnString = escapedSubject.Split(',').ToList().Where(x => x.Contains(rdn)).FirstOrDefault(); + + if (!string.IsNullOrEmpty(rdnString)) + { + return rdnString.Replace(rdn, "").Replace("|", ",").Trim(); + } + else if (required) + { + throw new Exception($"The request is missing a {rdn} value"); + } + else + { + return null; + } + } + + #endregion + + #region Obsolete Methods + + [Obsolete] public override EnrollmentResult Enroll(string csr, string subject, Dictionary san, EnrollmentProductInfo productInfo, PKIConstants.X509.RequestFormat requestFormat, RequestUtilities.EnrollmentType enrollmentType) From e5d09a9995b16d34aa2f77ab64c1cfd9aec66234 Mon Sep 17 00:00:00 2001 From: David Galey Date: Tue, 28 Jan 2025 08:43:09 -0500 Subject: [PATCH 5/7] Change CertificateID to be unique --- src/GoogleCAProxy/GoogleCAProxy.cs | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/GoogleCAProxy/GoogleCAProxy.cs b/src/GoogleCAProxy/GoogleCAProxy.cs index e8b543c..09f9ab4 100644 --- a/src/GoogleCAProxy/GoogleCAProxy.cs +++ b/src/GoogleCAProxy/GoogleCAProxy.cs @@ -166,8 +166,7 @@ public override EnrollmentResult Enroll(ICertificateDataReader certificateDataRe ParentAsCaPoolName = caPoolAsTypedName, Certificate = certificate, //RequestId="",//if used, this needs to be durable between reties - CertificateId = - $"{now:yyyy}{now:MM}{now:dd}-{now:HH}{now:mm}{now:ss}" //ID is required for Enterprise tier CAs and ignored for other. + CertificateId = Guid.NewGuid().ToString() //ID is required for Enterprise tier CAs and ignored for other. }; if (!string.IsNullOrEmpty(CaId)) From 76cb56540e3a7b847bd79f07d2f2dfebaff3d7d0 Mon Sep 17 00:00:00 2001 From: Dave Galey <89407235+dgaley@users.noreply.github.com> Date: Wed, 29 Jan 2025 00:27:03 -0500 Subject: [PATCH 6/7] Update content.md --- docsource/content.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docsource/content.md b/docsource/content.md index 8ab81fa..0a5c55b 100644 --- a/docsource/content.md +++ b/docsource/content.md @@ -7,6 +7,7 @@ The [Google Cloud Platform (GCP) CA Services (CAS)](https://cloud.google.com/sec * Download all certificates issued by connected Enterprise tier CAs in GCP CAS issued after a specified time (incremental sync). * Certificate enrollment for all published GoDaddy Certificate SKUs: * Support certificate enrollment (new keys/certificate). + * Support auto-enrollment (subject/SANs supplied outside of CSR) * Certificate revocation: * Request revocation of a previously issued certificate. From bc5eac9a8c7e0427768849ad5655fe3990d17444 Mon Sep 17 00:00:00 2001 From: Dave Galey <89407235+dgaley@users.noreply.github.com> Date: Wed, 29 Jan 2025 06:57:34 -0500 Subject: [PATCH 7/7] Update CHANGELOG.md --- CHANGELOG.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 12df884..38be5c7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,8 @@ -# v2.0.1 +# v2.1.0 +* Support external SANs/subject (not in CSR) +* Change Certificate ID on enrollment to use a GUID for uniqueness + + # v2.0.1 * Set `grpc.max_receive_message_length` to -1 on `CertificateAuthorityServiceClientBuilder` # v2.0.0