feat(api): Added Workflow/Certificates/ endpoint

feat(api): Added enrollment V2 api endpoint
feat(api): Added ability to filter certs by a given `CertRequestId`. *Note* this only works with Microsoft CA certs.

Author: spbsoluble

v2/api/certificate.go

@@ -90,6 +90,79 @@ func (c *Client) EnrollPFX(ea *EnrollPFXFctArgs) (*EnrollResponse, error) {
 	return jsonResp, nil
 }
 
+func (c *Client) EnrollPFXV2(ea *EnrollPFXFctArgsV2) (*EnrollResponseV2, error) {
+	log.Println("[INFO] Enrolling PFX certificate with Keyfactor")
+
+	/* Ensure required inputs exist */
+	var missingFields []string
+
+	// TODO: Probably a better way to express these if blocks
+	if ea.Template == "" {
+		missingFields = append(missingFields, "Template")
+	}
+	if ea.CertificateAuthority == "" {
+		missingFields = append(missingFields, "CertificateAuthority")
+	}
+	if ea.CertFormat == "" {
+		missingFields = append(missingFields, "CertFormat")
+	}
+	//if ea.Password == "" {
+	//	missingFields = append(missingFields, "Password")
+	//}
+
+	if len(missingFields) > 0 {
+		return nil, errors.New("Required field(s) missing: " + strings.Join(missingFields, ", "))
+	}
+
+	// Set Keyfactor-specific headers
+	headers := &apiHeaders{
+		Headers: []StringTuple{
+			{"x-keyfactor-api-version", "2"},
+			{"x-keyfactor-requested-with", "APIClient"},
+			{"x-certificateformat", ea.CertFormat},
+		},
+	}
+
+	if ea.Timestamp == "" {
+		ea.Timestamp = getTimestamp()
+	}
+
+	if ea.SubjectString == "" {
+		if ea.Subject != nil {
+			subject, err := createSubject(*ea.Subject)
+			if err != nil {
+				return nil, err
+			}
+			ea.SubjectString = subject
+		} else {
+			return nil, fmt.Errorf("subject is required to use enrollpfx(). Please configure either SubjectString or Subject")
+		}
+	}
+
+	keyfactorAPIStruct := &request{
+		Method:   "POST",
+		Endpoint: "Enrollment/PFX",
+		Headers:  headers,
+		Payload:  &ea,
+	}
+
+	resp, err := c.sendRequest(keyfactorAPIStruct)
+	if err != nil {
+		return nil, err
+	}
+
+	jsonResp := &EnrollResponseV2{}
+	err = json.NewDecoder(resp.Body).Decode(&jsonResp)
+	if err != nil {
+		return nil, err
+	}
+	//err = decodePKCS12Blob(jsonResp)
+	//if err != nil {
+	//	return nil, err
+	//}
+	return jsonResp, nil
+}
+
 // DownloadCertificate takes arguments for DownloadCertArgs to facilitate a call to Keyfactor
 // that downloads a certificate from Keyfactor.
 // The download certificate endpoint requires one of the following to retrieve a cert:
@@ -321,7 +394,7 @@ func (c *Client) DeployPFXCertificate(args *DeployPFXArgs) (*DeployPFXResp, erro
 // and include locations add additional data, but can be set to false if they are unneeded. A pointer to a
 // GetCertificateResponse structure is returned, containing the certificate context.
 func (c *Client) GetCertificateContext(gca *GetCertificateContextArgs) (*GetCertificateResponse, error) {
-	if gca.Id <= 0 && gca.Thumbprint == "" && gca.CommonName == "" {
+	if gca.Id <= 0 && gca.Thumbprint == "" && gca.CommonName == "" && gca.RequestId <= 0 {
 		return nil, errors.New("keyfactor certificate id, common name, or thumbprint are required to get certificate")
 	}
 
@@ -371,6 +444,11 @@ func (c *Client) GetCertificateContext(gca *GetCertificateContextArgs) (*GetCert
 			"pq.queryString", fmt.Sprintf(`IssuedCN -eq "%s"`, gca.CommonName),
 		})
 		endpoint = "Certificates"
+	} else if (gca.Id <= 0 && gca.CommonName == "" && gca.Thumbprint == "") && gca.RequestId > 0 {
+		query.Query = append(query.Query, StringTuple{
+			"pq.queryString", fmt.Sprintf(`CertRequestId -eq %d`, gca.RequestId),
+		})
+		endpoint = "Certificates"
 	} else {
 		endpoint = "Certificates/" + fmt.Sprintf("%d", gca.Id)
 	}
@@ -402,6 +480,13 @@ func (c *Client) GetCertificateContext(gca *GetCertificateContextArgs) (*GetCert
 		if len(lCerts) > 1 {
 			var newestCert GetCertificateResponse
 			for _, cert := range lCerts {
+
+				if gca.RequestId > 0 && cert.CertRequestId == gca.RequestId {
+					return &cert, nil
+				} else if gca.Thumbprint == cert.Thumbprint {
+					return &cert, nil
+				}
+
 				importDate, _ := time.Parse(time.RFC3339, cert.ImportDate)
 				// Check if newestCert is empty, if it is set it to the first cert in the list
 				if newestCert.ImportDate == "" {

v2/api/certificate_models.go

@@ -30,6 +30,30 @@ type EnrollPFXFctArgs struct {
 	CertFormat           string                 `json:"-"`
 }
 
+type EnrollPFXFctArgsV2 struct {
+	Stores                      []CertificateStore `json:"Stores,omitempty"`
+	CustomFriendlyName          string             `json:"CustomFriendlyName,omitempty"`
+	Password                    string             `json:"Password"`
+	PopulateMissingValuesFromAD bool               `json:"PopulateMissingValuesFromAD"`
+	// Configure the SubjectString field as the full string subject for the certificate. For example, if you don't have
+	// subject fields individually separated, and the subject is already in the format required by RFC5280, use the SubjectString field.
+	SubjectString string `json:"Subject"`
+
+	// If the certificate subject is not already in the format required by RFC5280, configure the subject fields using a CertificateSubject
+	// struct, and EnrollPFX will automatically compile this information into a proper subject.
+	Subject                              *CertificateSubject    `json:"-"`
+	IncludeChain                         bool                   `json:"IncludeChain"`
+	RenewalCertificateId                 int                    `json:"RenewalCertificateId,omitempty"`
+	CertificateAuthority                 string                 `json:"CertificateAuthority"`
+	Timestamp                            string                 `json:"Timestamp"`
+	Template                             string                 `json:"Template"`
+	SANs                                 *SANs                  `json:"SANs,omitempty"`
+	Metadata                             map[string]interface{} `json:"Metadata,omitempty"`
+	CertFormat                           string                 `json:"-"`
+	InstallIntoExistingCertificateStores bool                   `json:"InstallIntoExistingCertificateStores,omitempty"`
+	ChainOrder                           string                 `json:"ChainOrder,omitempty"`
+}
+
 // EnrollCSRFctArgs holds the function arguments used for calling the EnrollCSR method.
 type EnrollCSRFctArgs struct {
 	CSR                  string
@@ -60,6 +84,7 @@ type GetCertificateContextArgs struct {
 	CommonName           string // Query
 	Id                   int    // Query
 	IncludeHasPrivateKey *bool
+	RequestId            int
 }
 
 // DeployPFXArgs holds the function arguments used for calling the DeployPFXCertificate method.
@@ -122,6 +147,12 @@ type EnrollResponse struct {
 	CertificateInformation CertificateInformation `json:"CertificateInformation"`
 }
 
+type EnrollResponseV2 struct {
+	SuccessfulStores       []string               `json:"SuccessfulStores"`
+	CertificateInformation CertificateInformation `json:"CertificateInformation"`
+	Metadata               interface{}            `json:"Metadata,omitempty"`
+}
+
 // CertificateInformation contains response data from the Enroll methods.
 type CertificateInformation struct {
 	SerialNumber       string      `json:"SerialNumber"`
@@ -136,6 +167,22 @@ type CertificateInformation struct {
 	EnrollmentContext  interface{} `json:"EnrollmentContext"`
 }
 
+type CertificateInformationV2 struct {
+	SerialNumber              string        `json:"SerialNumber"`
+	IssuerDN                  string        `json:"IssuerDN"`
+	Thumbprint                string        `json:"Thumbprint"`
+	KeyfactorId               int           `json:"KeyfactorId"`
+	Pkcs12Blob                string        `json:"Pkcs12Blob"`
+	Password                  interface{}   `json:"Password"`
+	WorkflowInstanceId        string        `json:"WorkflowInstanceId"`
+	WorkflowReferenceId       int           `json:"WorkflowReferenceId"`
+	StoreIdsInvalidForRenewal []interface{} `json:"StoreIdsInvalidForRenewal"`
+	KeyfactorRequestId        int           `json:"KeyfactorRequestId"`
+	RequestDisposition        string        `json:"RequestDisposition"`
+	DispositionMessage        string        `json:"DispositionMessage"`
+	EnrollmentContext         interface{}   `json:"EnrollmentContext"`
+}
+
 // GetCertificateResponse contains the response elements returned from the GetCertificateContext method.
 type GetCertificateResponse struct {
 	Id                       int    `json:"Id"`

v2/api/constants.go

@@ -0,0 +1,6 @@
+package api
+
+const (
+	MAX_ITERATIONS   = 100000
+	MAX_WAIT_SECONDS = 30
+)

v2/api/workflow.go

@@ -0,0 +1,55 @@
+package api
+
+import (
+	"encoding/json"
+	"fmt"
+)
+
+func (c *Client) ListPendingCertificates(q map[string]string) ([]WorkflowCertificate, error) {
+	return c.ListWorkflowCert("Pending")
+}
+
+func (c *Client) ListDeniedCertificates(q map[string]string) ([]WorkflowCertificate, error) {
+	return c.ListWorkflowCert("Denied")
+}
+
+func (c *Client) ListExternalValidationPendingCertificates(q map[string]string) ([]WorkflowCertificate, error) {
+	return c.ListWorkflowCert("ExternalValidation")
+}
+
+func (c *Client) ListWorkflowCert(endpoint string) ([]WorkflowCertificate, error) {
+	// Set Keyfactor-specific headers
+	headers := &apiHeaders{
+		Headers: []StringTuple{
+			{"x-keyfactor-api-version", "1"},
+			{"x-keyfactor-requested-with", "APIClient"},
+		},
+	}
+	query := apiQuery{
+		Query: []StringTuple{},
+	}
+	query.Query = append(query.Query, StringTuple{
+		"pagedQuery.returnLimit", "1000",
+	})
+
+	keyfactorAPIStruct := &request{
+		Method:   "GET",
+		Endpoint: fmt.Sprintf("Workflow/Certificates/%s", endpoint),
+		Headers:  headers,
+		Query:    &query,
+		Payload:  nil,
+	}
+
+	resp, err := c.sendRequest(keyfactorAPIStruct)
+	if err != nil {
+		return nil, err
+	}
+
+	var jsonResp []WorkflowCertificate
+	err = json.NewDecoder(resp.Body).Decode(&jsonResp)
+	if err != nil {
+		return nil, err
+	}
+	return jsonResp, err
+
+}

v2/api/workflow_models.go

@@ -0,0 +1,49 @@
+package api
+
+import "time"
+
+type WorkflowCertificate struct {
+	Id                   int               `json:"Id"`
+	CARequestId          string            `json:"CARequestId"`
+	CommonName           string            `json:"CommonName"`
+	DistinguishedName    string            `json:"DistinguishedName"`
+	SubmissionDate       time.Time         `json:"SubmissionDate"`
+	CertificateAuthority string            `json:"CertificateAuthority"`
+	Template             string            `json:"Template"`
+	Requester            string            `json:"Requester"`
+	State                int               `json:"State"`
+	StateString          string            `json:"StateString"`
+	Metadata             map[string]string `json:"Metadata"`
+}
+
+type WorkflowActionResponse struct {
+	Failures []struct {
+		CARowId            int    `json:"CARowId"`
+		CARequestId        string `json:"CARequestId"`
+		CAHost             string `json:"CAHost"`
+		CALogicalName      string `json:"CALogicalName"`
+		KeyfactorRequestId int    `json:"KeyfactorRequestId"`
+		Comment            string `json:"Comment"`
+	} `json:"Failures"`
+	Denials []struct {
+		CARowId            int    `json:"CARowId"`
+		CARequestId        string `json:"CARequestId"`
+		CAHost             string `json:"CAHost"`
+		CALogicalName      string `json:"CALogicalName"`
+		KeyfactorRequestId int    `json:"KeyfactorRequestId"`
+		Comment            string `json:"Comment"`
+	} `json:"Denials"`
+	Successes []struct {
+		CARowId            int    `json:"CARowId"`
+		CARequestId        string `json:"CARequestId"`
+		CAHost             string `json:"CAHost"`
+		CALogicalName      string `json:"CALogicalName"`
+		KeyfactorRequestId int    `json:"KeyfactorRequestId"`
+		Comment            string `json:"Comment"`
+	} `json:"Successes"`
+}
+
+type WorkflowDenyCertificateRequest struct {
+	Comment               string `json:"Comment"`
+	CertificateRequestIds []int  `json:"CertificateRequestIds"`
+}