Save local changes

Author: efiocca

AxisIPCamera/Client/AxisHttpClient.cs

@@ -6,7 +6,6 @@
 // and limitations under the License.
 
 using System;
-using System.Collections.Generic;
 using System.Reflection;
 using System.IO;
 using System.Linq;
@@ -286,7 +285,8 @@ public Constants.Keystore GetDefaultKeystore()
         /// <param name="keyType">Combination of key algorithm and key size</param>
         /// <param name="keystore">Default keystore for the device</param>
         /// <param name="subject">Subject provided for the certificate</param>
-        public void CreateSelfSignedCert(string alias, string keyType, string keystore, string subject)
+        /// <param name="sans">Subject Alternative Names</param>
+        public void CreateSelfSignedCert(string alias, string keyType, string keystore, string subject, string[] sans)
         {
             try
             {
@@ -303,7 +303,7 @@ public void CreateSelfSignedCert(string alias, string keyType, string keystore,
                         KeyType = keyType,
                         Keystore = keystore,
                         Subject = subject,
-                        SANS = [],
+                        SANS = sans,
                         ValidFrom = 0, // Cert validity period will be determined by the template
                         ValidTo = 0 // Cert validity period will be determined by the template
                     }
@@ -347,45 +347,25 @@ public void CreateSelfSignedCert(string alias, string keyType, string keystore,
         }
 
         /// <summary>
-        /// Obtains a CSR for the self-signed or existing certificate with private key on the device.
-        /// Fields from the certificate will be copied into the CSR.
-        /// SANs will be added to the CSR.
+        /// Obtains a CSR for the self-signed certificate with private key on the device.
+        /// Fields from the self-signed certificate will be copied into the CSR. 
         /// </summary>
         /// <param name="alias">Unique identifier for the cert to be generated from the CSR</param>
-        /// <param name="subject">Subject provided for the certificate</param>
-        /// <param name="sans">Subject Alternative Names</param>
         /// <returns>CSR string</returns>
-        public string ObtainCSR(string alias, string subject, List<string> sans)
+        public string ObtainCSR(string alias)
         {
             try
             {
                 Logger.MethodEntry();
 
                 var postCSRResource = $"{Constants.RestApiEntryPoint}/certificates/{alias}/get_csr";
 
-                // Compose the body --- This is required.
-                // All information obtained in the self-signed or existing cert will be used to create the CSR.
+                // Compose the body --- This is required, but leaving the contents blank.
+                // All information obtained in the self-signed cert will be used to create the CSR.
                 // If there are attributes assigned by the CA, those will override the attributes that end up
                 // in the certificate signed by the CA. 
-                // 1. If a field is filled out, that value will be used in the CSR
-                // 2. If a field is NOT filled out, the existing value from the existing certificate will be copied into the CSR
-                // 3. If a field is filled out with a blank value, that field is not copied from the existing certificate nor added to the CSR
-                var jsonBody = new StringBuilder(@"{""data"":{");
-
-                if (sans.Count == 0)
-                {
-                    jsonBody.Append(@"""subject"":""").Append(subject).Append("}}");
-                }
-                else
-                {
-                    jsonBody.Append(@"""subject"":""").Append(subject).Append(@""",""subject_alt_names"": [");
-                    string result = string.Join(",", sans);
-                    jsonBody.Append(result).Append("]}}");
-                }
-                
-                Logger.LogDebug($"POST Request Body: {jsonBody}");
-                
-                var httpResponse = ExecuteHttp(postCSRResource, Method.Post, Constants.ApiType.Rest, jsonBody.ToString());
+                string jsonBody = @"{""data"":{}}";
+                var httpResponse = ExecuteHttp(postCSRResource, Method.Post, Constants.ApiType.Rest, jsonBody);
 
                 // Decode the HTTP response if failed
                 if (httpResponse is {IsSuccessful:false})
@@ -544,30 +524,83 @@ public void RemoveCACertificate(string alias)
                     Logger.LogError($"HTTP Request unsuccessful - HTTP Response: {DecodeHttpStatus(httpResponse)}");
                     throw new Exception($"HTTP Request unsuccessful.");
                 }
+                
                 // Decode the API response when HTTP response is successful
+                if (httpResponse != null && string.IsNullOrEmpty(httpResponse.Content))
+                {
+                    throw new Exception("No content returned from HTTP Response");
+                }
+
+                RestApiResponse apiResponse = JsonConvert.DeserializeObject<RestApiResponse>(httpResponse.Content);
+                if (apiResponse.Status == Constants.Status.Success)
+                {
+                    Logger.MethodExit();
+                }
                 else
                 {
-                    if (httpResponse != null && string.IsNullOrEmpty(httpResponse.Content))
-                    {
-                        throw new Exception("No content returned from HTTP Response");
-                    }
+                    ErrorData error = JsonConvert.DeserializeObject<ErrorData>(httpResponse.Content);
+                    throw new Exception(
+                        $"API error encountered - {error.ErrorInfo.Message} - (Code: {error.ErrorInfo.Code})");
+                }
+            }
+            catch (Exception e)
+            {
+                Logger.LogError("Error completing CA certificate remove: " + LogHandler.FlattenException(e));
+                throw new Exception(e.Message);
+            }
+        }
+        
+        /// <summary>
+        /// Removes a certificate with private key from the device.
+        /// </summary>
+        /// <param name="alias">Unique identifier of the CA certificate to be removed</param>
+        public void RemoveCertificate(string alias)
+        {
+            try
+            {
+                Logger.MethodEntry();
 
-                    RestApiResponse apiResponse = JsonConvert.DeserializeObject<RestApiResponse>(httpResponse.Content);
-                    if (apiResponse.Status == Constants.Status.Success)
+                var deleteCertResource = $"{Constants.RestApiEntryPoint}/certificates/{alias}";
+                var httpResponse = ExecuteHttp(deleteCertResource, Method.Delete);
+                
+                // Decode the HTTP response if failed
+                if (httpResponse is { IsSuccessful: false })
+                {
+                    Logger.LogError($"HTTP Request unsuccessful - HTTP Response: {DecodeHttpStatus(httpResponse)}");
+                    throw new Exception($"HTTP Request unsuccessful.");
+                }
+                
+                // Decode the API response when HTTP response is successful
+                if (httpResponse != null && string.IsNullOrEmpty(httpResponse.Content))
+                {
+                    throw new Exception("No content returned from HTTP Response");
+                }
+
+                RestApiResponse apiResponse = JsonConvert.DeserializeObject<RestApiResponse>(httpResponse.Content);
+                if (apiResponse.Status == Constants.Status.Success)
+                {
+                    Logger.MethodExit();
+                }
+                else
+                {
+                    ErrorData error = JsonConvert.DeserializeObject<ErrorData>(httpResponse.Content);
+
+                    // Check for error code 5 - "Validation error: Certificate is in use" or "Validation error: Certificate is not deletable" --- 
+                    // This will capture all device ID certs, which we do not want to delete anyway
+                    if (error.ErrorInfo is { Code: 5, Message: "Validation error: Certificate is not deletable" or "Validation error: Certificate is in use"})
                     {
-                        Logger.MethodExit();
+                        Logger.LogWarning($"API warning encountered - {error.ErrorInfo.Message} - (Code: {error.ErrorInfo.Code})");
                     }
                     else
                     {
-                        ErrorData error = JsonConvert.DeserializeObject<ErrorData>(httpResponse.Content);
                         throw new Exception(
                             $"API error encountered - {error.ErrorInfo.Message} - (Code: {error.ErrorInfo.Code})");
                     }
                 }
             }
             catch (Exception e)
             {
-                Logger.LogError("Error completing CA certificate remove: " + LogHandler.FlattenException(e));
+                Logger.LogError("Error completing certificate remove: " + LogHandler.FlattenException(e));
                 throw new Exception(e.Message);
             }
         }

AxisIPCamera/Helpers/SANBuilder.cs

@@ -13,7 +13,7 @@ namespace Keyfactor.Extensions.Orchestrator.AxisIPCamera.Helpers
 {
     public static class SANBuilder
     {
-        public static List<string> BuildSANString(Dictionary<string, string[]> sans, ILogger logger)
+        public static List<string> BuildSANList(Dictionary<string, string[]> sans, ILogger logger)
         {
             var parts = new List<string>();
 
@@ -39,7 +39,7 @@ public static List<string> BuildSANString(Dictionary<string, string[]> sans, ILo
                 parts.AddRange(
                     entry.Value
                         .Where(v => !string.IsNullOrWhiteSpace(v))
-                        .Select(v => $@"""{key}:{v.Trim()}""")
+                        .Select(v => $"{key}:{v.Trim()}")
                     );
             }
 

AxisIPCamera/Model/Constants.cs

@@ -1,12 +1,14 @@
-// Copyright 2025 Keyfactor
+// Copyright 2026 Keyfactor
 // Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
 // Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
 // and limitations under the License.
 
 using System;
+using System.Globalization;
 using System.IO;
+using System.Text.RegularExpressions;
 using Newtonsoft.Json;
 using Org.BouncyCastle.OpenSsl;
 using Org.BouncyCastle.Pkcs;
@@ -16,7 +18,7 @@ namespace Keyfactor.Extensions.Orchestrator.AxisIPCamera.Model
     public static class Constants
     {
         // This is the API entry point for the REST VAPIX Cert Management API
-        public static string RestApiEntryPoint = "/config/rest/cert/v1beta";
+        public static string RestApiEntryPoint = "/config/rest/cert/v1";
 
         // This is the API entry point for the SOAP Cert Management API
         public static string SoapApiEntryPoint = "/vapix/services";
@@ -248,4 +250,31 @@ public override void WriteJson(
             }
         }
     }
+    
+    public static class CertificateName
+    {
+        /// <summary>
+        /// Returns a UTC-based suffix, i.e. "2602171544"
+        /// </summary>
+        public static string GetUtcSuffix() =>
+            DateTime.UtcNow.ToString("yyMMddHHmm", CultureInfo.InvariantCulture);
+
+        /// <summary>
+        /// Creates a unique certificate name by appending ['_' + Utc DateTime suffix] to the end of the user-supplied certificate name.
+        /// Example: "_2602171544"
+        /// </summary>
+        public static string CreateUniqueCertName(string certName)
+        {
+            // check to see if the old cert name had a previously appended timestamp
+            // EDGE CASE: Scenario under which this could happen - Cert name bound to usage is known and used to schedule an ODKG job
+            Regex rgx = new Regex(@"_[0-9]{10}$",RegexOptions.CultureInvariant);
+            var m = Regex.Match(certName,@"_[0-9]{10}$");
+            if (m.Success)
+            {
+                return certName.Remove(m.Index, m.Length) + "_" + GetUtcSuffix();
+            }
+
+            return certName + "_" + GetUtcSuffix();
+        }
+    }
 }