Upgrade track2 cert API version to 7.5 and Add PolicyPath in Add-AzKeyVaultCertificate (#24642)

* use track2sdk version 7.5 to merge cert

* code refactor

* add PolicyPath in Add-AzKeyVaultCertificate

* add default parameter set for add-azkeyvaultcertificate

Author: BethanyZhou

src/KeyVault/KeyVault.Test/PesterTests/Certificate.Tests.ps1

@@ -39,5 +39,12 @@ Describe "Import Certificate with policy" {
         $cert = Import-AzKeyVaultCertificate -VaultName $vaultName -Name $certName -CertificateCollection $certCollection -PolicyPath $policyPath
         $cert.Policy.SecretContentType | Should -Be "application/x-pkcs12"
     }
+    It "MergePendingCert" {
+        Add-AzKeyVaultCertificate -VaultName bez-kv -Name bez-pending-cert0417 -PolicyPath C:\Azure\fork\azure-powershell\src\KeyVault\KeyVault.Test\Resources\pendingCertPolicy.json
+        # openssl genrsa -out ca.key 2048
+        # openssl req -x509 -new -nodes -key ca.key -days 360 -out ca.crt
+        # openssl x509 -req -days 360 -in pending-cert01_7e2879b5255044c5aa624bdaab7e1d94.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
+        Import-AzKeyVaultCertificate -VaultName bez-kv -Name bez-pending-cert0417 -FilePath C:\Azure\bezFile\20240417\server.crt
+    }
 }
 

src/KeyVault/KeyVault.Test/Resources/pendingCertPolicy.json

@@ -0,0 +1,32 @@
+{
+  "attributes": {
+    "enabled": true,
+    "expires": null,
+    "not_before": null
+  },
+  "issuer_parameters": {
+    "name": "Unknown"
+  },
+  "key_properties": {
+    "exportable": true,
+    "key_size": 2048,
+    "key_type": "RSA",
+    "reuse_key": false
+  },
+  "secret_properties": {
+    "content_type": "application/x-pkcs12"
+  },
+  "x509_certificate_properties": {
+    "ekus": null,
+    "key_usage": [
+      "digitalSignature",
+      "nonRepudiation",
+      "keyEncipherment",
+      "keyAgreement",
+      "keyCertSign"
+    ],
+    "subject": "C=US, ST=WA, L=Redmond, O=TestO, OU=TestOU, CN=www.bez.com",
+    "subject_alternative_names": null,
+    "validity_in_months": 50
+  }
+}

src/KeyVault/KeyVault/ChangeLog.md

@@ -18,6 +18,8 @@
         - Additional information about change #1
 -->
 ## Upcoming Release
+* Added parameter `PolicyPath` in `Add-AzKeyVaultCertificate` to support custom policy in the process of certificate enrollment. 
+* Upgraded the API version of merging certificate to 7.5. [#24323]
 
 ## Version 5.2.2
 * Introduced secrets detection feature to safeguard sensitive data.

src/KeyVault/KeyVault/Commands/Certificate/AddAzureKeyVaultCertificate.cs

@@ -16,16 +16,26 @@
 using Microsoft.Azure.Commands.KeyVault.Models;
 using System.Management.Automation;
 using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
+using Microsoft.Azure.Commands.Common.Exceptions;
+using Microsoft.WindowsAzure.Commands.Utilities.Common;
+using System.IO;
+using Microsoft.Azure.Commands.KeyVault.Properties;
 
 namespace Microsoft.Azure.Commands.KeyVault
 {
     /// <summary>
     /// Starts the process for enrolling for a certificate in Azure Key Vault
     /// </summary>
-    [Cmdlet("Add", ResourceManager.Common.AzureRMConstants.AzurePrefix + "KeyVaultCertificate",SupportsShouldProcess = true)]
+    [Cmdlet("Add", ResourceManager.Common.AzureRMConstants.AzurePrefix + "KeyVaultCertificate", SupportsShouldProcess = true, DefaultParameterSetName = EnrollCertWithPolicyPath)]
     [OutputType(typeof(PSKeyVaultCertificateOperation))]
     public class AddAzureKeyVaultCertificate : KeyVaultCmdletBase
     {
+        #region ParameterSet definitions
+        const string EnrollCertWithPolicyObject = "EnrollCertWithPolicyObject";
+        const string EnrollCertWithPolicyPath = "EnrollCertWithPolicyPath";
+
+        #endregion
+
         #region Input Parameter Definitions
 
         /// <summary>
@@ -52,12 +62,24 @@ public class AddAzureKeyVaultCertificate : KeyVaultCmdletBase
         /// CertificatePolicy
         /// </summary>
         [Parameter(Mandatory = true,
+            ParameterSetName = EnrollCertWithPolicyObject,
             ValueFromPipeline = true,
             Position = 2,
             HelpMessage = "Specifies the certificate policy.")]
         [ValidateNotNull]
         public PSKeyVaultCertificatePolicy CertificatePolicy { get; set; }
 
+        /// <summary>
+        /// PolicyPath
+        /// </summary>
+        [Parameter(Mandatory = true,
+            ParameterSetName = EnrollCertWithPolicyPath,
+            ValueFromPipeline = true,
+            Position = 2,
+            HelpMessage = "A file path to specify management policy for the certificate that contains JSON encoded policy definition.")]
+        [ValidateNotNull]
+        public string PolicyPath { get; set; }
+
         /// <summary>
         /// Certificate tags
         /// </summary>
@@ -67,9 +89,27 @@ public class AddAzureKeyVaultCertificate : KeyVaultCmdletBase
         public Hashtable Tag { get; set; }
         #endregion
 
+        protected override void BeginProcessing()
+        {
+            PolicyPath = this.TryResolvePath(PolicyPath);
+            base.BeginProcessing();
+        }
+
+        private void ValidateParameters()
+        {   if (this.IsParameterBound(c => c.PolicyPath))
+            {
+                if (!File.Exists(PolicyPath))
+                {
+                    throw new AzPSArgumentException(string.Format(Resources.FileNotFound, this.PolicyPath), nameof(PolicyPath));
+                }
+                CertificatePolicy = new PSKeyVaultCertificatePolicy(PolicyPath);
+            }
+        }
+
         public override void ExecuteCmdlet()
         {
             if (ShouldProcess(Name, Properties.Resources.AddCertificate)) {
+                ValidateParameters();
                 var certificateOperation = this.DataServiceClient.EnrollCertificate(VaultName, Name, CertificatePolicy == null ? null : CertificatePolicy.ToCertificatePolicy(), Tag == null ? null : Tag.ConvertToDictionary());
                 this.WriteObject(certificateOperation);
             }

src/KeyVault/KeyVault/Commands/Certificate/ImportAzureKeyVaultCertificate.cs

@@ -12,20 +12,21 @@
 // limitations under the License.
 // ----------------------------------------------------------------------------------
 
+using Microsoft.Azure.Commands.Common.Exceptions;
+using Microsoft.Azure.Commands.KeyVault.Models;
+using Microsoft.Azure.Commands.KeyVault.Properties;
+using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
+using Microsoft.WindowsAzure.Commands.Utilities.Common;
+
 using System;
 using System.Collections;
-using System.IO;
-using System.Security;
 using System.Collections.Generic;
+using System.IO;
 using System.Management.Automation;
+using System.Security;
 using System.Security.Cryptography.X509Certificates;
-using Microsoft.Azure.Commands.KeyVault.Models;
+
 using KeyVaultProperties = Microsoft.Azure.Commands.KeyVault.Properties;
-using Microsoft.Azure.KeyVault.Models;
-using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
-using Microsoft.WindowsAzure.Commands.Utilities.Common;
-using Microsoft.Azure.Commands.Common.Exceptions;
-using Microsoft.Azure.Commands.KeyVault.Properties;
 
 namespace Microsoft.Azure.Commands.KeyVault
 {
@@ -201,16 +202,16 @@ public override void ExecuteCmdlet()
                 switch (ParameterSetName)
                 {
                     case ImportCertificateFromFileParameterSet:
-                        // Pem file can't be handled by X509Certificate2Collection in dotnet standard
-                        // Just read it as raw data and pass it to service side
+                        byte[] base64Bytes = File.ReadAllBytes(FilePath);
+                        bool doImport = false;
+
                         if (IsPemFile(FilePath))
                         {
-                            byte[] pemBytes = File.ReadAllBytes(FilePath);
-                            certBundle = this.Track2DataClient.ImportCertificate(VaultName, Name, pemBytes, Password, Tag?.ConvertToDictionary(), Constants.PemContentType, certPolicy: PolicyObject);
+                            doImport = true;
                         }
                         else
                         {
-                            bool doImport = false;
+
                             X509Certificate2Collection userProvidedCertColl = InitializeCertificateCollection();
 
                             // look for at least one certificate which contains a private key
@@ -220,22 +221,23 @@ public override void ExecuteCmdlet()
                                 if (doImport)
                                     break;
                             }
+                        }               
 
-                            if (doImport)
-                            {
-                                
-                                byte[] base64Bytes = userProvidedCertColl.Export(X509ContentType.Pfx, Password?.ConvertToString());
-                                certBundle = this.Track2DataClient.ImportCertificate(VaultName, Name, base64Bytes, Password, Tag?.ConvertToDictionary(), certPolicy: PolicyObject);
-                            }
-                            else
-                            {
-                                certBundle = this.DataServiceClient.MergeCertificate(
+                        certBundle = doImport ?
+                                this.Track2DataClient.ImportCertificate(
                                     VaultName,
                                     Name,
-                                    userProvidedCertColl,
-                                    Tag == null ? null : Tag.ConvertToDictionary());
-                            }
-                        }
+                                    base64Bytes,
+                                    Password,
+                                    Tag?.ConvertToDictionary(),
+                                    IsPemFile(FilePath) ? Constants.PemContentType : Constants.Pkcs12ContentType,
+                                    PolicyObject) :
+                                this.Track2DataClient.MergeCertificate(
+                                VaultName,
+                                Name,
+                                new List<byte[]> { base64Bytes },
+                                Tag == null ? null : Tag.ConvertToDictionary());
+
                         break;
 
                     case ImportWithPrivateKeyFromCollectionParameterSet:
@@ -257,6 +259,12 @@ private bool IsPemFile(string filePath)
             return ".pem".Equals(Path.GetExtension(filePath), StringComparison.OrdinalIgnoreCase);
         }
 
+        /// <summary>
+        /// Initialize certificate collection from FilePath
+        /// </summary>
+        /// <returns></returns>
+        /// <exception cref="FileNotFoundException"></exception>
+
         internal X509Certificate2Collection InitializeCertificateCollection()
         {
             FileInfo certFile = new FileInfo(ResolveUserPath(this.FilePath));

src/KeyVault/KeyVault/KeyVault.csproj

@@ -14,7 +14,7 @@
   <ItemGroup>
     <PackageReference Include="Azure.Security.KeyVault.Administration" Version="4.4.0-beta.1" />
     <PackageReference Include="Azure.Security.KeyVault.Keys" Version="4.6.0-beta.1" />
-    <PackageReference Include="Azure.Security.KeyVault.Certificates" Version="4.3.0" />
+    <PackageReference Include="Azure.Security.KeyVault.Certificates" Version="4.6.0" />
     <PackageReference Include="Portable.BouncyCastle" Version="1.8.8" />
     <PackageReference Include="Microsoft.Azure.KeyVault" Version="3.0.1" />
     <PackageReference Include="Microsoft.Azure.KeyVault.WebKey" Version="3.0.1" />

src/KeyVault/KeyVault/Models/Certificate/PSKeyVaultCertificateOperation.cs

@@ -13,8 +13,11 @@
 // ----------------------------------------------------------------------------------
 
 using Microsoft.Azure.KeyVault.Models;
+
 using System;
 
+using Track2Sdk = Azure.Security.KeyVault.Certificates;
+
 namespace Microsoft.Azure.Commands.KeyVault.Models
 {
     public class PSKeyVaultCertificateOperation
@@ -33,36 +36,59 @@ public class PSKeyVaultCertificateOperation
         public string Name { get; set; }
         public string VaultName { get; set; }
 
-        internal static PSKeyVaultCertificateOperation FromCertificateOperation(CertificateOperation certificateOperation)
+        public PSKeyVaultCertificateOperation(){}
+
+        internal PSKeyVaultCertificateOperation(Track2Sdk.CertificateOperation certificateOperation)
         {
-            if (certificateOperation == null)
+            if (certificateOperation == null) return;
+
+            Id = certificateOperation.Id;
+            Status = certificateOperation.Properties?.Status;
+            StatusDetails = certificateOperation.Properties?.StatusDetails;
+            RequestId = certificateOperation.Properties.RequestId;
+            Target = certificateOperation.Properties?.Target;
+            Issuer = certificateOperation.Properties?.IssuerName;
+            CancellationRequested = certificateOperation.Properties?.CancellationRequested;
+
+            if (certificateOperation.Properties?.Csr != null && certificateOperation.Properties?.Csr?.Length != 0)
             {
-                return null;
+                CertificateSigningRequest = Convert.ToBase64String(certificateOperation.Properties?.Csr);
             }
 
-            var kvCertificateOperation = new PSKeyVaultCertificateOperation
+            if (certificateOperation.Properties?.Error != null)
             {
-                Id = certificateOperation.Id,
-                Status = certificateOperation.Status,
-                StatusDetails = certificateOperation.StatusDetails,
-                RequestId = certificateOperation.RequestId,
-                Target = certificateOperation.Target,
-                Issuer = certificateOperation.IssuerParameters.Name,
-                CancellationRequested = certificateOperation.CancellationRequested,
-            };
+                ErrorCode = certificateOperation.Properties?.Error.Code;
+                ErrorMessage = certificateOperation.Properties?.Error.Message;
+            }
+        }
+
+        internal PSKeyVaultCertificateOperation(CertificateOperation certificateOperation)
+        {
+            if (certificateOperation == null) return;
+
+            Id = certificateOperation.Id;
+            Status = certificateOperation.Status;
+            StatusDetails = certificateOperation.StatusDetails;
+            RequestId = certificateOperation.RequestId;
+            Target = certificateOperation.Target;
+            Issuer = certificateOperation.IssuerParameters.Name;
+            CancellationRequested = certificateOperation.CancellationRequested;
 
             if (certificateOperation.Csr != null && certificateOperation.Csr.Length != 0)
             {
-                kvCertificateOperation.CertificateSigningRequest = Convert.ToBase64String(certificateOperation.Csr);
+                CertificateSigningRequest = Convert.ToBase64String(certificateOperation.Csr);
             }
 
             if (certificateOperation.Error != null)
             {
-                kvCertificateOperation.ErrorCode = certificateOperation.Error.Code;
-                kvCertificateOperation.ErrorMessage = certificateOperation.Error.Message;
+                ErrorCode = certificateOperation.Error.Code;
+                ErrorMessage = certificateOperation.Error.Message;
             }
+        }
 
-            return kvCertificateOperation;
+        internal static PSKeyVaultCertificateOperation FromCertificateOperation(CertificateOperation certificateOperation)
+        {
+            return new PSKeyVaultCertificateOperation(certificateOperation);
         }
     }
 }