rmbolger / Posh-ACME

PowerShell module and ACME client to create certificates from Let's Encrypt (or other ACME CA)
https://poshac.me/docs/latest/
MIT License

Allow CSR string values in CSRPath parameters #506

Closed rmbolger closed 1 year ago

rmbolger commented 1 year ago

In issue #503, a request was made to add a -CSRString parameter to New-PACertificate (and New-PAOrder) that would function similarly to -CSRPath but allow the caller to pass a PEM formatted string rather than a filesystem path to a PEM formatted file.

Instead of complicating the parameter sets and help for those functions with a new parameter, I decided to try making the existing -CSRPath parameter smart enough to accept a PEM string or a file path. The BouncyCastle PEM parser we're using under the hood requires that the CSR header and footer lines exist on their own line within the string. But it doesn't seem to care about the char width of the inner Base64 lines. So that means both of these would work:

-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----
-----BEGIN CERTIFICATE REQUEST-----
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
-----END CERTIFICATE REQUEST-----

But neither of these would work:

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
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----

For now, the determination on whether the input parameter is a PEM string or file path is just a fairly simplistic case-sensitive string match on *CERTIFICATE REQUEST*. So there's a potential edge case bug if a user who wants to use a file path names their file something like MY CERTIFICATE REQUEST.csr. But this can also be made more picky if folks start complaining about that.

To keep the overall code churn low, a filesystem copy of the CSR will still be written in the order folder as request.csr even when the CSR is passed in as a string. That should ensure renewal processes run just like they would previously.
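One way to implement the detection described above, as an added example that is not Posh-ACME's own code (function names and the sample inputs are hypothetical): the PR's case-sensitive `*CERTIFICATE REQUEST*` match beside a stricter armor-line check, the header/footer normalization the BouncyCastle parser needs, and the request.csr copy that keeps renewals unchanged.

```powershell
# Added example (not Posh-ACME's code): PEM-string-or-path handling for -CSRPath.

function Test-IsCsrPem {
    param([string]$Value)
    # The PR's simple heuristic: case-sensitive wildcard match on the marker text.
    return $Value -clike '*CERTIFICATE REQUEST*'
}

function Test-IsCsrPemStrict {
    param([string]$Value)
    # Stricter alternative: require both armor lines, BEGIN before END.
    return $Value -cmatch '-----BEGIN CERTIFICATE REQUEST-----[\s\S]+-----END CERTIFICATE REQUEST-----'
}

function ConvertTo-NormalizedCsrPem {
    param([string]$Pem)
    # The parser needs the armor lines on their own lines; the width of the
    # Base64 lines in between does not matter, so only the armor is re-wrapped.
    $begin = '-----BEGIN CERTIFICATE REQUEST-----'
    $end   = '-----END CERTIFICATE REQUEST-----'
    $body  = $Pem.Substring($Pem.IndexOf($begin) + $begin.Length)
    $body  = $body.Substring(0, $body.IndexOf($end)).Trim()
    return "$begin`n$body`n$end`n"
}

function Resolve-CsrInput {
    param([string]$CSRPath, [string]$OrderFolder)
    if (Test-IsCsrPemStrict $CSRPath) {
        $pem = ConvertTo-NormalizedCsrPem $CSRPath
    } else {
        $pem = Get-Content -Path $CSRPath -Raw
    }
    # Keep renewal behaviour unchanged: persist a copy as request.csr in the order folder.
    $target = Join-Path $OrderFolder 'request.csr'
    Set-Content -Path $target -Value $pem -NoNewline
    return $target
}

# Constructed inputs: a one-line PEM string (placeholder body) and the edge-case
# file name mentioned in the PR.
$oneLine = '-----BEGIN CERTIFICATE REQUEST-----MIIB...placeholder...-----END CERTIFICATE REQUEST-----'
$oddName = 'C:\certs\MY CERTIFICATE REQUEST.csr'

Test-IsCsrPem $oneLine          # PEM string, classified as intended
Test-IsCsrPem $oddName          # the simple heuristic also matches this path (the PR's edge case)
Test-IsCsrPemStrict $oddName    # the armor-line check treats it as a path
ConvertTo-NormalizedCsrPem $oneLine
```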

cloudflare-workers-and-pages[bot] commented 1 year ago

Deploying with Cloudflare Pages

Latest commit: 45b73d5
Status: ✅  Deploy successful!
Preview URL: https://b7a392fd.posh-acme-docs.pages.dev
Branch Preview URL: https://allow-csrstring.posh-acme-docs.pages.dev
