Merge pull request #37 from Keyfactor/full-chain-inclusion-bug-fix

Full chain inclusion bug fix

Author: fiddlermikey

.github/workflows/keyfactor-starter-workflow.yml

@@ -1,34 +1,19 @@
-name: Starter Workflow
-on: [workflow_dispatch, push, pull_request]
+name: Keyfactor Bootstrap Workflow
 
-jobs:
-  call-create-github-release-workflow:
-    uses: Keyfactor/actions/.github/workflows/github-release.yml@main
-
-  call-assign-from-json-workflow:
-    uses: Keyfactor/actions/.github/workflows/assign-env-from-json.yml@main
-
-  call-dotnet-build-and-release-workflow:
-    needs: [call-create-github-release-workflow, call-assign-from-json-workflow]
-    uses: Keyfactor/actions/.github/workflows/dotnet-build-and-release.yml@main
-    with:
-      release_version: ${{ needs.call-create-github-release-workflow.outputs.release_version }}
-      release_url: ${{ needs.call-create-github-release-workflow.outputs.release_url }}
-      release_dir: ${{ needs.call-assign-from-json-workflow.outputs.release_dir }}
-
-    secrets: 
-      token: ${{ secrets.PRIVATE_PACKAGE_ACCESS }}
+on:
+  workflow_dispatch:
+  pull_request:
+    types: [opened, closed, synchronize, edited, reopened]
+  push:
+  create:
+    branches:
+      - 'release-*.*'
 
-  call-generate-readme-workflow:
-    if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
-    uses: Keyfactor/actions/.github/workflows/generate-readme.yml@main
+jobs:
+  call-starter-workflow:
+    uses: keyfactor/actions/.github/workflows/starter.yml@v2
     secrets:
-      token: ${{ secrets.APPROVE_README_PUSH }}
-
-  call-update-catalog-workflow:
-    needs: call-assign-from-json-workflow
-    if: needs.call-assign-from-json-workflow.outputs.update_catalog == 'True' && (github.event_name == 'push' || github.event_name == 'workflow_dispatch')
-    uses: Keyfactor/actions/.github/workflows/update-catalog.yml@main
-    secrets: 
-      token: ${{ secrets.SDK_SYNC_PAT }}
-
+      token: ${{ secrets.V2BUILDTOKEN}}
+      APPROVE_README_PUSH: ${{ secrets.APPROVE_README_PUSH}}
+      gpg_key: ${{ secrets.KF_GPG_PRIVATE_KEY }}
+      gpg_pass: ${{ secrets.KF_GPG_PASSPHRASE }}

AzureKeyVault/AzureClient.cs

@@ -18,6 +18,7 @@
 using Azure.ResourceManager.KeyVault.Models;
 using Azure.ResourceManager.Resources;
 using Azure.Security.KeyVault.Certificates;
+using Azure.Security.KeyVault.Secrets;
 using Keyfactor.Logging;
 using Keyfactor.Orchestrators.Common.Enums;
 using Keyfactor.Orchestrators.Extensions;
@@ -28,7 +29,7 @@ namespace Keyfactor.Extensions.Orchestrator.AzureKeyVault
     public class AzureClient
     {
         internal protected virtual AkvProperties VaultProperties { get; set; }
-
+        private SecretClient _secretClient;
         private Uri AzureCloudEndpoint
         {
             get
@@ -82,7 +83,7 @@ private protected virtual CertificateClient CertClient
                     cred = new ClientSecretCredential(VaultProperties.TenantId, VaultProperties.ClientId, VaultProperties.ClientSecret, new ClientSecretCredentialOptions() { AuthorityHost = AzureCloudEndpoint, AdditionallyAllowedTenants = { "*" } });
                     logger.LogTrace("generated credentials", cred);
                 }
-
+                _secretClient = new SecretClient(new Uri(VaultProperties.VaultURL), credential: cred);
                 _certClient = new CertificateClient(new Uri(VaultProperties.VaultURL), credential: cred);
 
                 return _certClient;
@@ -211,10 +212,21 @@ public virtual async Task<KeyVaultCertificateWithPolicy> ImportCertificateAsync(
                 }
                 logger.LogTrace("begin creating x509 certificate from contents.");
                 var bytes = Convert.FromBase64String(contents);
-                var x509 = new X509Certificate2(bytes, pfxPassword, X509KeyStorageFlags.Exportable);
-                var certWithKey = x509.Export(X509ContentType.Pkcs12);
+
+                var x509Collection = new X509Certificate2Collection();//(bytes, pfxPassword, X509KeyStorageFlags.Exportable);
+                
+                x509Collection.Import(bytes, pfxPassword, X509KeyStorageFlags.Exportable);
+
+                var certWithKey = x509Collection.Export(X509ContentType.Pkcs12);
+
+                
                 logger.LogTrace($"importing created x509 certificate named {1}", certName);
+                logger.LogTrace($"There are {x509Collection.Count} certificates in the chain.");
                 var cert = await CertClient.ImportCertificateAsync(new ImportCertificateOptions(certName, certWithKey));
+                                
+                // var fullCert = _secretClient.GetSecret(certName);
+                // The certificate must be retrieved as a secret from AKV in order to have the full chain included.
+                
                 return cert;
             }
             catch (Exception ex)

AzureKeyVault/AzureKeyVault.csproj

@@ -29,6 +29,7 @@
 		<PackageReference Include="Azure.ResourceManager.Resources" Version="1.4.0" />
 		<PackageReference Include="Azure.Security.KeyVault.Administration" Version="4.3.0" />
 		<PackageReference Include="Azure.Security.KeyVault.Certificates" Version="4.5.1" />
+		<PackageReference Include="Azure.Security.KeyVault.Secrets" Version="4.5.0" />
 		<PackageReference Include="Azure.Storage.Blobs" Version="12.16.0" />
 		<PackageReference Include="CSS.Common" Version="1.7.0" />
 		<PackageReference Include="Keyfactor.Common" Version="2.3.7" />

AzureKeyVault/Jobs/Inventory.cs

@@ -35,7 +35,7 @@ public JobResult ProcessJob(InventoryJobConfiguration config, SubmitInventoryUpd
 
             try
             {
-                logger.LogDebug($"Making Request for {0}...", VaultProperties.VaultURL);
+                logger.LogDebug($"Making Request for {VaultProperties.VaultURL}...");
 
                 inventoryItems = AzClient.GetCertificatesAsync().Result?.ToList();
 

CHANGELOG.md

@@ -1,3 +1,8 @@
+- 3.1.2
+  - Fixed bug that was preventing the full certificate chain from being sent to the Azure Keyvault API endpoint. 
+
+- 3.1.1
+  - Updated documentation to clarify required orchestrator access.
 
 - 3.1.1
   - Documentation updates 

README.md

@@ -16,7 +16,7 @@ The Universal Orchestrator is the successor to the Windows Orchestrator. This Or
 
 ## Support for Azure Key Vault Orchestrator
 
-Azure Key Vault Orchestrator is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket with your Keyfactor representative.
+Azure Key Vault Orchestrator is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket via the Keyfactor Support Portal at https://support.keyfactor.com
 
 ###### To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab.
 

integration-manifest.json

@@ -7,10 +7,12 @@
   "link_github": true,
   "release_dir": "AzureKeyVault\\bin\\Release",
   "support_level": "kf-supported",
+  "release_dir": "AzureKeyVault\\bin\\Release",
   "description": "This integration allows the orchestrator to act as a client with access to an instance of the Azure Key Vault; allowing you to manage your certificates stored in the Azure Keyvault via Keyfactor.",
   "about": {
     "orchestrator": {
       "UOFramework": "10.1",
+      "keyfactor_platform_version": "9.1",
       "pam_support": true,
       "win": {
         "supportsCreateStore": true,
@@ -32,17 +34,20 @@
       },
       "store_types": [
         {
-          "Name": "Azure Keyvault",
-          "ShortName": "AKV",
+          "BlueprintAllowed": false,
           "Capability": "AKV",
+          "CustomAliasAllowed": "Optional",
+          "EntryParameters": null,
+          "JobProperties": [],
           "LocalStore": false,
-          "SupportedOperations": {
-            "Add": true,
-            "Create": true,
-            "Discovery": true,
-            "Enrollment": false,
-            "Remove": true
+          "Name": "Azure Keyvault",
+          "PasswordOptions": {
+            "EntrySupported": false,
+            "StoreRequired": false,
+            "Style": "Default"
           },
+          "PowerShell": false,
+          "PrivateKeyAllowed": "Optional",
           "Properties": [
             {
               "Name": "TenantId",
@@ -85,20 +90,17 @@
               "Required": false
             }
           ],
-          "EntryParameters": null,
-          "PasswordOptions": {
-            "EntrySupported": false,
-            "StoreRequired": false,
-            "Style": "Default"
-          },
+          "ServerRequired": true,
+          "ShortName": "AKV",
           "StorePathType": "",
           "StorePathValue": "",
-          "PrivateKeyAllowed": "Optional",
-          "JobProperties": [],
-          "ServerRequired": true,
-          "PowerShell": false,
-          "BlueprintAllowed": false,
-          "CustomAliasAllowed": "Optional"
+          "SupportedOperations": {
+            "Add": true,
+            "Create": true,
+            "Discovery": true,
+            "Enrollment": false,
+            "Remove": true
+          }
         }
 
       ]