
feat: add DigiCert code-sign support #7059

Merged
carlosmonastyrski merged 7 commits into main from feat/PKI-152 on Jul 1, 2026

Conversation

@carlosmonastyrski

Contributor

Context

Screenshots

Steps to verify the change

Type

  • Fix
  • Feature
  • Improvement
  • Breaking
  • Docs
  • Chore

Checklist

  • Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
  • Tested locally
  • Updated docs (if needed)
  • Updated CLAUDE.md files (if needed)
  • Read the contributing guide

@linear

linear Bot commented Jun 27, 2026


PKI-152

@infisical-review-police


💬 Discussion in Slack: #pr-review-infisical-7059-feat-add-digicert-code-sign-support

Posted by Review Police — reviews, comments, new commits, and CI failures will stream into this channel.

@greptile-apps

greptile-apps Bot commented Jun 27, 2026

Contributor

Greptile Summary

This PR extends the existing DigiCert integration to support code-signing certificates, wiring a new DigiCertCaPurpose.CodeSigning CA type through the signer issuance pipeline (HSM-backed CSR → DigiCert CS order → async polling → certificate attachment). A renew/reissue lifecycle is also introduced, with idempotent order placement via alternative_order_id and a fallback from renewal to reissue when a subscription slot is unavailable.

  • New DigiCert API client methods (reissueOrder, getOrganizationValidations, getOrdersByAlternativeId) and richer error classification (4xx terminal vs transient), plus new connection-layer endpoints for org validation status and existing order listing.
  • A reissueFromExternalOrderId field on both the create-signer and reissue-signer routes lets callers target an existing DigiCert order slot; the value is validated (integer, positive) and bound-checked against the CA's org/product before use.
  • assertCsOrgValidatedOrContactProvided checks upfront at CA creation/update time whether the organization has passed DigiCert's code-signing validation; on error it silently allows the operation through (fail-open).

Confidence Score: 4/5

The feature is well-structured with correct auth checks, HSM enforcement, and order-ownership validation before reissue. The main rough edge is that productSlug goes into a URL path without encoding, which could reach unintended DigiCert endpoints if a CA admin sets a path-traversal product name.

The implementation is thorough — idempotent order placement, correct integer validation for external order IDs, ownership checks before reissue, and 4xx vs transient error classification. The unencoded productSlug in the POST URL is the primary concern and warrants a fix before production, even though exploitability requires CA admin access and the blast radius is constrained to DigiCert's own API domain.

backend/src/services/certificate-authority/digicert/digicert-api-client.ts (unencoded productSlug) and backend/src/services/certificate-authority/digicert/digicert-certificate-authority-fns.ts (fail-open org validation) deserve another look before merge.

Security Review

  • Path injection in placeOrder URL (digicert-api-client.ts line 49): productSlug is interpolated into the POST URL without encodeURIComponent. A CA admin who stores a path-traversal value as productNameId could cause Infisical to POST to an unintended DigiCert API endpoint using the stored API key. alternativeOrderId on line 99 is correctly encoded; the inconsistency is the issue.
  • No classic SSRF: The baseURL is always one of two hardcoded DigiCert endpoints resolved from a region enum — no user-controlled URL origin.

Important Files Changed

Filename and overview:

  • backend/src/services/certificate-authority/digicert/digicert-api-client.ts: Adds reissueOrder, getOrganizationValidations, and getOrdersByAlternativeId API methods; improves error classification (4xx terminal vs transient). productSlug is inserted into the POST URL without encodeURIComponent, inconsistent with alternativeOrderId which is encoded.
  • backend/src/services/certificate-authority/digicert/digicert-certificate-authority-fns.ts: Large addition implementing code-signing order placement, reissue (with org/product ownership validation), status polling, and certificate download. The fail-open catch in assertCsOrgValidatedOrContactProvided is the main design concern; otherwise the logic is thorough.
  • backend/src/services/signer/signer-issuance-service.ts: Adds DigiCert code-signing issuance step with renew/reissue lifecycle, idempotent order placement via alternative_order_id, and a fallback from renew-with-no-slot to reissue. Logic is well-structured with appropriate retry and error handling.
  • backend/src/services/signer/signer-service.ts: Adds reissueFromExternalOrderId handling with correct integer validation and CA-type guard. The create and reissue paths both convert the string to a number safely before forwarding as digicertLifecycle.
  • backend/src/services/app-connection/digicert/digicert-connection-fns.ts: Adds code-signing validation check and order listing endpoints; refactors getDigiCertApiBaseUrl to accept an object. Hardcoded limit: 1000 in listDigiCertCodeSigningOrders could return large payloads for heavy accounts.
  • backend/src/server/routes/v1/app-connection-routers/digicert-connection-router.ts: Registers two new GET routes for code-signing validation and order listing. Auth, rate-limiting, and schema validation look correct.
  • backend/src/services/certificate-authority/digicert/digicert-certificate-authority-schemas.ts: Adds DigiCertCaPurpose enum, purpose and verifiedContact fields to CA configuration schema. Validation looks complete.
  • backend/src/services/app-connection/digicert/digicert-connection-service.ts: Adds getCodeSigningValidation and listCodeSigningOrders service methods; errors are caught and logged, returning safe defaults.
  • backend/src/server/routes/v1/signer-routers/certificate-router.ts: Adds optional reissueFromExternalOrderId top-level field to the issue-certificate request body. Schema is correct.
  • backend/src/server/routes/v1/signer-routers/lifecycle-router.ts: Adds optional externalConfiguration.reissueFromExternalOrderId to the create-signer request body. Schema and forwarding look correct.
  • docs/documentation/platform/pki/ca/digicert-direct.mdx: New documentation for DigiCert code-signing CA setup with UI and API tabs; content is clear and accurate.

Reviews (1): Last reviewed commit: "Add DigiCert code-sign support" | Re-trigger Greptile
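The unencoded productSlug concern from the Greptile review above, illustrated as an added TypeScript example that is not code from this PR or from Infisical. The base URL and the /order/certificate path layout are assumptions standing in for the hardcoded regional DigiCert endpoint and the placeOrder route; it shows how a raw path segment collapses under URL normalisation, why encodeURIComponent alone is not a complete fix, and a prefix check a defender can keep as a safety net.

```typescript
// Added example, not the PR's code. Base URL and route layout are placeholders (assumptions).
const DIGICERT_BASE_URL = "https://api.digicert.example/services/v2";
const PLACE_ORDER_PREFIX = `${DIGICERT_BASE_URL}/order/certificate`;

// The pattern the review flags: the CA-admin-supplied product slug is dropped into the
// path as-is, so any "../" in it is resolved by the URL parser before the request leaves.
function buildPlaceOrderUrlUnencoded(productSlug: string): string {
  return `${PLACE_ORDER_PREFIX}/${productSlug}`;
}

// Allow-list check. encodeURIComponent on its own is not sufficient: it leaves "." untouched,
// so a slug of exactly ".." would still collapse a path segment. Product name ids are
// plain tokens, so require one alphanumeric-led segment of bounded length.
function isValidProductSlug(productSlug: string): boolean {
  return /^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$/.test(productSlug);
}

// Hardened builder: reject anything that is not a single plain segment, then encode it,
// matching how alternativeOrderId is already handled on the other route.
function buildPlaceOrderUrl(productSlug: string): string {
  if (!isValidProductSlug(productSlug)) {
    throw new Error(`invalid DigiCert product slug: ${JSON.stringify(productSlug)}`);
  }
  return `${PLACE_ORDER_PREFIX}/${encodeURIComponent(productSlug)}`;
}

// Defence in depth for the HTTP client layer: confirm the fully resolved URL still sits
// under the intended prefix. new URL() normalises dot segments, so a traversal that
// survived validation shows up as a pathname outside the expected subtree.
function staysUnderPrefix(url: string, prefix: string): boolean {
  const resolved = new URL(url);
  const base = new URL(prefix);
  return (
    resolved.origin === base.origin &&
    resolved.pathname.startsWith(`${base.pathname}/`)
  );
}
```

Running staysUnderPrefix over the unencoded builder with a "../"-style slug returns false, while the hardened builder rejects the same input before any URL is formed.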


@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 772c34df83

@veria-ai

veria-ai Bot commented Jun 27, 2026

Contributor

PR overview

All previously flagged issues have been addressed. No open security concerns remain on this pull request.

Security review

No open security issues remain on this pull request.

Fixed/addressed: 5 · PR risk: 0/10

@mintlify

mintlify Bot commented Jun 27, 2026


Preview deployment for your docs. Learn more about Mintlify Previews.

Project: infisical; Status: 🟢 Ready; Preview: View Preview; Updated (UTC): Jun 27, 2026, 7:05 AM

@carlosmonastyrski carlosmonastyrski merged commit 11d80cd into main Jul 1, 2026
17 of 18 checks passed
2 participants