diff --git a/src/main/java/io/github/jopenlibs/vault/api/pki/Pki.java b/src/main/java/io/github/jopenlibs/vault/api/pki/Pki.java
index 24b288e..312304f 100644
--- a/src/main/java/io/github/jopenlibs/vault/api/pki/Pki.java
+++ b/src/main/java/io/github/jopenlibs/vault/api/pki/Pki.java
@@ -329,7 +329,110 @@ public PkiResponse issue(
 final String ttl,
 final CredentialFormat format) throws VaultException {
- return issue(roleName, commonName, altNames, ipSans, ttl, format, "");
+ return issue(roleName, commonName, altNames, ipSans, ttl, format, "", PrivateKeyFormat.DER);
+ }
+
+ /**
+ *
Operation to generate a new set of credentials (private key and certificate) based on a
+ * given role using the PKI backend. The issuing CA certificate is returned as well, so that
+ * only the root CA need be in a client's trust store.
+ *
+ *A successful operation will return a 204 HTTP status. A VaultException
will
+ * be thrown if the role does not exist, or if any other problem occurs. Credential information
+ * will be populated in the credential
field of the PkiResponse
return
+ * value. Example usage:
+ *
+ * @param roleName The role on which the credentials will be based.
+ * @param commonName The requested CN for the certificate. If the CN is allowed by role policy,
+ * it will be issued.
+ * @param altNames (optional) Requested Subject Alternative Names, in a comma-delimited list.
+ * These can be host names or email addresses; they will be parsed into their respective fields.
+ * If any requested names do not match role policy, the entire request will be denied.
+ * @param ipSans (optional) Requested IP Subject Alternative Names, in a comma-delimited list.
+ * Only valid if the role allows IP SANs (which is the default).
+ * @param ttl (optional) Requested Time To Live. Cannot be greater than the role's max_ttl
+ * value. If not provided, the role's ttl value will be used. Note that the role values default
+ * to system values if not explicitly set.
+ * @param format (optional) Format for returned data. Can be pem, der, or pem_bundle; defaults
+ * to pem. If der, the output is base64 encoded. If pem_bundle, the certificate field will
+ * contain the private key, certificate, and issuing CA, concatenated.
+ * @param privateKeyFormat (optional) Specifies the format for marshaling the
+ * private key. Defaults to `der` which will return either base64-encoded DER or
+ * PEM-encoded DER, depending on the value of `format`. The other option is
+ * `pkcs8` which will return the key marshalled as PEM-encoded PKCS8
+ * @return A container for the information returned by Vault
+ * @throws VaultException If any error occurs or unexpected response is received from Vault
+ */
+ public PkiResponse issue(
+ final String roleName,
+ final String commonName,
+ final List{@code
+ * final VaultConfig config = new VaultConfig.address(...).token(...).build();
+ * final Vault vault = Vault.create(config);
+ *
+ * final PkiResponse response = vault.pki().deleteRole("testRole");
+ * assertEquals(204, response.getRestResponse().getStatus();
+ * }
+ *
Operation to generate a new set of credentials (private key and certificate) based on a
+ * given role using the PKI backend. The issuing CA certificate is returned as well, so that
+ * only the root CA need be in a client's trust store.
+ *
+ *A successful operation will return a 204 HTTP status. A VaultException
will
+ * be thrown if the role does not exist, or if any other problem occurs. Credential information
+ * will be populated in the credential
field of the PkiResponse
return
+ * value. Example usage:
+ *
+ * @param roleName The role on which the credentials will be based.
+ * @param commonName The requested CN for the certificate. If the CN is allowed by role policy,
+ * it will be issued.
+ * @param altNames (optional) Requested Subject Alternative Names, in a comma-delimited list.
+ * These can be host names or email addresses; they will be parsed into their respective fields.
+ * If any requested names do not match role policy, the entire request will be denied.
+ * @param ipSans (optional) Requested IP Subject Alternative Names, in a comma-delimited list.
+ * Only valid if the role allows IP SANs (which is the default).
+ * @param ttl (optional) Requested Time To Live. Cannot be greater than the role's max_ttl
+ * value. If not provided, the role's ttl value will be used. Note that the role values default
+ * to system values if not explicitly set.
+ * @param format (optional) Format for returned data. Can be pem, der, or pem_bundle; defaults
+ * to pem. If der, the output is base64 encoded. If pem_bundle, the certificate field will
+ * contain the private key, certificate, and issuing CA, concatenated.
+ * @param csr (optional) PEM Encoded CSR
+ * @return A container for the information returned by Vault
+ * @throws VaultException If any error occurs or unexpected response is received from Vault
+ */
+ public PkiResponse issue(
+ final String roleName,
+ final String commonName,
+ final List{@code
+ * final VaultConfig config = new VaultConfig.address(...).token(...).build();
+ * final Vault vault = Vault.create(config);
+ *
+ * final PkiResponse response = vault.pki().deleteRole("testRole");
+ * assertEquals(204, response.getRestResponse().getStatus();
+ * }
+ *
Possible format options for private key issued by the PKI backend.
+ *
+ *See: {@link Pki#issue(String, String, List, List, String, CredentialFormat)}
+ */
+public enum PrivateKeyFormat {
+ DER,
+ PKCS8;
+
+ public static PrivateKeyFormat fromString(final String text) {
+ if (text != null) {
+ for (final PrivateKeyFormat format : PrivateKeyFormat.values()) {
+ if (text.equalsIgnoreCase(format.toString())) {
+ return format;
+ }
+ }
+ }
+ return null;
+ }
+
+ @Override
+ public String toString() {
+ return super.toString().toLowerCase();
+ }
+}
diff --git a/src/test-integration/java/io/github/jopenlibs/vault/api/AuthBackendPkiTests.java b/src/test-integration/java/io/github/jopenlibs/vault/api/AuthBackendPkiTests.java
index f653691..347c20a 100644
--- a/src/test-integration/java/io/github/jopenlibs/vault/api/AuthBackendPkiTests.java
+++ b/src/test-integration/java/io/github/jopenlibs/vault/api/AuthBackendPkiTests.java
@@ -3,6 +3,8 @@
 import io.github.jopenlibs.vault.Vault;
 import io.github.jopenlibs.vault.VaultException;
 import io.github.jopenlibs.vault.api.pki.CredentialFormat;
+import io.github.jopenlibs.vault.api.pki.Pki;
+import io.github.jopenlibs.vault.api.pki.PrivateKeyFormat;
 import io.github.jopenlibs.vault.api.pki.RoleOptions;
 import io.github.jopenlibs.vault.response.PkiResponse;
 import io.github.jopenlibs.vault.rest.RestResponse;
@@ -16,6 +18,8 @@
 import java.security.PrivateKey;
 import java.security.PublicKey;
 import java.util.ArrayList;
+import java.util.function.BiFunction;
+import java.util.function.Function;
 import junit.framework.TestCase;
 import org.junit.Before;
 import org.junit.BeforeClass;
@@ -82,8 +86,7 @@ public void testDeleteRole() throws VaultException {
 TestCase.assertEquals(404, getResponse.getRestResponse().getStatus());
 }
- @Test
- public void testIssueCredential() throws VaultException, InterruptedException {
+ void issueCredentialTemplate(Function