Combine chain certs

.gitignore

@@ -8,3 +8,4 @@
 /hashicorp-vault-orchestrator/hashicorp-vault-orchestrator.csproj.user
 .vs
 *.licenseheader
+README.md

CHANGELOG.md

@@ -1,10 +1,20 @@
 2.0.1
+
 * Added support for storing certs in sub-paths
 * Updated documentation to specify storing the token as a secret.
 
+* **Breaking Change**: the properties have been renamed from:
+    * `PUBLIC_KEY` to `certificate`
+    * `PRIVATE_KEY` to `private_key`
+    * `PUBLIC_KEY_<n>` has been removed.  Now the chain is stored in `certificate` if the option is selected.
+
+* **Breaking Change**: Added a flag on the Keyfactor Certificate store definition to indicate whether to store the full CA chain along with the certificate
+
 2.0
+
 * Added inventory job support for the Hashicorp PKI secrets engine
 * Added inventory job support for the Keyfactor secrets engine
+
 * **Breaking Change**: the cert store types are now:
     * **HCVPKI** for the PKI and Keyfactor secrets engine
-    * **HCVKV** for the Key-Value secrets engine
+    * **HCVKV** for the Key-Value secrets engine

README.md

@@ -81,11 +81,10 @@ This integration was built on the .NET Core 3.1 target framework and are compati
 
 1. For the Key-Value secrets engine, the certificates are stored as an entry with these fields.  
 
-- `PUBLIC_KEY` - The certificate public key
-- `PUBLIC_KEY_<n>` - The nth certificate in the chain
-- `PRIVATE_KEY` - The certificate private key
+- `certificate` - The PEM formatted certificate and intermediate CA chain (if selected)
+- `private_key` - The certificate private key
 
-**Note**: Key/Value secrets that do not include these keys (PUBLIC_KEY, and PRIVATE_KEY), will be ignored during inventory scans. 
+**Note**: Key/Value secrets that do not include the keys `certificate` and `private_key` will be ignored during inventory scans. 
 
 ## Extension Configuration
 

hashicorp-vault-orchestrator/HcvKeyValueClient.cs

@@ -87,6 +87,7 @@ public async Task<CurrentInventoryItem> GetCertificate(string key)
             Secret<SecretData> res;
             var fullPath = _storePath + key;
             var relativePath = fullPath.Substring(_storePath.Length);
+
             try
             {
                 try
@@ -102,7 +103,8 @@ public async Task<CurrentInventoryItem> GetCertificate(string key)
                 }
                 catch (Exception ex)
                 {
-                    logger.LogWarning($"Error getting certificate (deleted?) {fullPath}", ex);
+                    logger.LogError($"Error getting certificate {fullPath}", ex);
+
                     return null;
                 }
 
@@ -116,42 +118,49 @@ public async Task<CurrentInventoryItem> GetCertificate(string key)
 
             try
             {
-                string publicKey;
-                bool hasPrivateKey;
+                string certificate = null;                
 
-                //Validates if the "PUBLIC_KEY" and "PRIVATE_KEY" keys exist in certData
-                if (certData.TryGetValue("PUBLIC_KEY", out object publicKeyObj))
+                //Validates if the "certificate" and "private_key" keys exist in certData
+                if (certData.TryGetValue("certificate", out object publicKeyObj))
                 {
-                    publicKey = publicKeyObj?.ToString();
+                    certificate = publicKeyObj as string;
                 }
-                else
-                {
-                    publicKey = null;
+
+                var certs = new List<string>() { certificate };
+
+                certData.TryGetValue("private_key", out object privateKeyObj);
+
+                // if either field is missing, don't include it in inventory
+
+                if (publicKeyObj == null || privateKeyObj == null) return null; 
+
+                //split the chain entries (if chain is included)
+
+                var certFooter = "\n-----END CERTIFICATE-----";
+
+                certs = certificate.Split(new string[] { certFooter }, StringSplitOptions.RemoveEmptyEntries).ToList();
+
+                for (int i = 0; i<certs.Count(); i++) {
+                    certs[i] = certs[i] + certFooter;
                 }
 
-                if (certData.TryGetValue("PRIVATE_KEY", out object privateKeyObj))
+                // if the certs have not been revoked, include them
+
+                if (certs.Count() > 0)
                 {
-                    hasPrivateKey = true;
+                    return new CurrentInventoryItem()
+                    {
+                        Alias = key,
+                        PrivateKeyEntry = privateKeyObj != null,
+                        ItemStatus = OrchestratorInventoryItemStatus.Unknown,
+                        UseChainLevel = certs.Count() > 1,
+                        Certificates = certs
+                    };
                 }
                 else
                 {
-                    hasPrivateKey = false;
+                    return null;
                 }
-
-                var certs = new List<string>() { publicKey };
-
-                var keys = certData.Keys.Where(k => k.StartsWith("PUBLIC_KEY_")).ToList();
-
-                keys.ForEach(k => certs.Add(certData[k].ToString()));
-
-                return new CurrentInventoryItem()
-                {
-                    Alias = relativePath,
-                    PrivateKeyEntry = hasPrivateKey,
-                    ItemStatus = OrchestratorInventoryItemStatus.Unknown,
-                    UseChainLevel = true,
-                    Certificates = certs.ToArray()
-                };
             }
             catch (Exception ex)
             {
@@ -190,7 +199,7 @@ public async Task PutCertificate(string certName, string contents, string pfxPas
         {
             VaultClient.V1.Auth.ResetVaultToken();
 
-            var certDict = new Dictionary<string, string>();
+            var certDict = new Dictionary<string, object>();
 
             var pfxBytes = Convert.FromBase64String(contents);
             Pkcs12Store p;
@@ -225,7 +234,7 @@ public async Task PutCertificate(string certName, string contents, string pfxPas
                     streamWriter.Flush();
                     privateKeyString = Encoding.ASCII.GetString(memoryStream.GetBuffer()).Trim()
                         .Replace("\r", "").Replace("\0", "");
-                    // logger.LogTrace($"Got Private Key String {privateKeyString}");
+
                     logger.LogTrace($"Got Private Key String");
                     memoryStream.Close();
                     streamWriter.Close();
@@ -250,21 +259,17 @@ public async Task PutCertificate(string certName, string contents, string pfxPas
 
             try
             {
-                certDict.Add("PRIVATE_KEY", privateKeyString);
-                certDict.Add("PUBLIC_KEY", pubCertPem);
+                certDict.Add("private_key", privateKeyString);
+
+                // certDict.Add("revocation_time", 0);
 
                 if (includeChain)
                 {
-                    var i = 1;
-                    pemChain.ForEach(pc =>
-                    {
-                        if (pc != pubCertPem)
-                        {
-                            certDict.Add($"PUBLIC_KEY_{i}", pc);
-                            i++;
-                        }
-                    });
 
+                    certDict.Add("certificate", String.Join("\n", pemChain));
+                }
+                else {
+                    certDict.Add("certificate", pubCertPem);
                 }
             }
             catch (Exception ex)

hashicorp-vault-orchestrator/HcvKeyfactorClient.cs

@@ -55,42 +55,48 @@ public async Task<CurrentInventoryItem> GetCertificate(string key)
                     req.Method = WebRequestMethods.Http.Get;
                     var res = await req.GetResponseAsync();
                     CertResponse content = JsonConvert.DeserializeObject<CertResponse>(new StreamReader(res.GetResponseStream()).ReadToEnd());
-                    string cert;
-                    content.data.TryGetValue("certificate", out cert);
+
+                    content.data.TryGetValue("certificate", out object cert);                                        
+                    content.data.TryGetValue("ca_chain", out object caChain);                                        
+                    content.data.TryGetValue("private_key", out object privateKey);                                        
+                    content.data.TryGetValue("revocation_time", out object revokeTime);
 
-                    string issuingCA;
-                    content.data.TryGetValue("issuing_ca", out issuingCA);
+                    List<string> certList = new List<string>() { cert as string };
 
-                    string privateKey;
-                    content.data.TryGetValue("private_key", out privateKey);
+                    // if the chain is available, include all certs
 
-                    string revokeTime;
-                    content.data.TryGetValue("revocation_time", out revokeTime);
-
+                    if (!string.IsNullOrEmpty(caChain as string))
+                    {
+                        string fullChain = caChain.ToString();
+                        certList = fullChain.Split(new string[] { "\n\n" }, StringSplitOptions.RemoveEmptyEntries).ToList();
+                    }
+
+                    // don't include them in inventory unless they haven't been revoked
 
-                    if (revokeTime.Equals("0"))
+                    if (revokeTime == null || Equals(revokeTime.ToString(), "0"))
                     {
                         var inventoryItem = new CurrentInventoryItem()
                         {
                             Alias = key,
-                            Certificates = new string[] { cert },
+                            Certificates = certList,
                             ItemStatus = OrchestratorInventoryItemStatus.Unknown,
-                            PrivateKeyEntry = !string.IsNullOrEmpty(privateKey),
-                            UseChainLevel = !string.IsNullOrEmpty(issuingCA),
+                            PrivateKeyEntry = !string.IsNullOrEmpty(privateKey as string),
+                            UseChainLevel = !string.IsNullOrEmpty(caChain as string),
                         };
                         return inventoryItem;
                     }
                     return null;
                 }
                 catch (Exception ex)
                 {
-                    logger.LogWarning("Error getting certificate (deleted?)", ex);
+                    logger.LogWarning($"Error getting certificate \"{fullPath}\" from Vault", ex);
+
                     return null;
                 }
             }
             catch (Exception ex)
             {
-                logger.LogError("Error getting certificate from Vault", ex);
+                logger.LogError($"Error getting certificate \"{fullPath}\" from Vault", ex);
                 throw;
             }
         }
@@ -153,7 +159,7 @@ public class HashiResponse
 
         public class CertResponse : HashiResponse
         {
-            public Dictionary<string, string> data { get; set; }
+            public Dictionary<string, object> data { get; set; }
         }
 
         public class ListResponse : HashiResponse

readme_source.md

@@ -38,11 +38,10 @@ This integration was built on the .NET Core 3.1 target framework and are compati
 
 1. For the Key-Value secrets engine, the certificates are stored as an entry with these fields.  
 
-- `PUBLIC_KEY` - The certificate public key
-- `PUBLIC_KEY_<n>` - The nth certificate in the chain
-- `PRIVATE_KEY` - The certificate private key
+- `certificate` - The PEM formatted certificate and intermediate CA chain (if selected)
+- `private_key` - The certificate private key
 
-**Note**: Key/Value secrets that do not include these keys (PUBLIC_KEY, and PRIVATE_KEY), will be ignored during inventory scans. 
+**Note**: Key/Value secrets that do not include the keys `certificate` and `private_key` will be ignored during inventory scans. 
 
 ## Extension Configuration