Cloud Recommended setting support (#10)

* Cloud Recommended setting support
* Remove obsolete file
* Bump library version and fix tests failure
* Fix import package
* Fix prepare certificate request when no key type in request
* Change type of error args to be Object as they are not always string

Author: knikolov82

examples/com/venafi/vcert/sdk/example/CloudClient.java

@@ -11,7 +11,7 @@
 import com.venafi.vcert.sdk.certificate.CertificateRequest;
 import com.venafi.vcert.sdk.certificate.KeyType;
 import com.venafi.vcert.sdk.certificate.PEMCollection;
-import com.venafi.vcert.sdk.connectors.tpp.ZoneConfiguration;
+import com.venafi.vcert.sdk.connectors.ZoneConfiguration;
 import com.venafi.vcert.sdk.endpoint.Authentication;
 import com.venafi.vcert.sdk.endpoint.ConnectorType;
 

examples/com/venafi/vcert/sdk/example/TppClient.java

@@ -11,7 +11,7 @@
 import com.venafi.vcert.sdk.certificate.CertificateRequest;
 import com.venafi.vcert.sdk.certificate.KeyType;
 import com.venafi.vcert.sdk.certificate.PEMCollection;
-import com.venafi.vcert.sdk.connectors.tpp.ZoneConfiguration;
+import com.venafi.vcert.sdk.connectors.ZoneConfiguration;
 import com.venafi.vcert.sdk.endpoint.Authentication;
 import com.venafi.vcert.sdk.endpoint.ConnectorType;
 

pom.xml

@@ -6,7 +6,7 @@
 
     <groupId>com.venafi.vcert.sdk</groupId>
     <artifactId>vcert-java</artifactId>
-    <version>0.1.2</version>
+    <version>0.1.3</version>
 
     <properties>
         <lombok.version>1.18.6</lombok.version>

src/main/java/com/venafi/vcert/sdk/VCertClient.java

@@ -12,11 +12,11 @@
 import com.venafi.vcert.sdk.certificate.RevocationRequest;
 import com.venafi.vcert.sdk.connectors.Connector;
 import com.venafi.vcert.sdk.connectors.Policy;
+import com.venafi.vcert.sdk.connectors.ZoneConfiguration;
 import com.venafi.vcert.sdk.connectors.cloud.Cloud;
 import com.venafi.vcert.sdk.connectors.cloud.CloudConnector;
 import com.venafi.vcert.sdk.connectors.tpp.Tpp;
 import com.venafi.vcert.sdk.connectors.tpp.TppConnector;
-import com.venafi.vcert.sdk.connectors.tpp.ZoneConfiguration;
 import com.venafi.vcert.sdk.endpoint.Authentication;
 import com.venafi.vcert.sdk.endpoint.ConnectorType;
 

src/main/java/com/venafi/vcert/sdk/VCertException.java

@@ -10,6 +10,7 @@
 import lombok.Data;
 
 public class VCertException extends Exception {
+  private static final long serialVersionUID = 1L;
 
   public VCertException() {
     super();
@@ -71,6 +72,6 @@ private static class VenafiTppErrorResponse {
   private static class VenafiServerError {
     private int code;
     private String message;
-    private Collection<String> args;
+    private Collection<Object> args;
   }
 }

src/main/java/com/venafi/vcert/sdk/certificate/CertificateRequest.java

@@ -54,7 +54,7 @@ public class CertificateRequest {
   private Collection<AttributeTypeAndValueSET> attributes;
   private SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.UnknownSignatureAlgorithm;
   private String friendlyName;
-  private KeyType keyType = KeyType.defaultKeyType();
+  private KeyType keyType;
   private int keyLength;
   private EllipticCurve keyCurve;
   private byte[] csr;
@@ -242,6 +242,7 @@ public boolean checkCertificate(Certificate certificate) throws VCertException {
         KeyType.from(certificate.getPublicKey().getAlgorithm()).X509Type();
 
     if (keyPair != null && keyPair.getPublic() != null && keyPair.getPrivate() != null) {
+      keyType = keyType == null ? KeyType.defaultKeyType() : keyType;
       if (keyType.X509Type() != publicKeyAlgorithm) {
         throw new VCertException(
             format("unmatched key type: %s, %s", keyType.X509Type(), publicKeyAlgorithm.name()));

src/main/java/com/venafi/vcert/sdk/connectors/Connector.java

@@ -7,7 +7,6 @@
 import com.venafi.vcert.sdk.certificate.PEMCollection;
 import com.venafi.vcert.sdk.certificate.RenewalRequest;
 import com.venafi.vcert.sdk.certificate.RevocationRequest;
-import com.venafi.vcert.sdk.connectors.tpp.ZoneConfiguration;
 import com.venafi.vcert.sdk.endpoint.Authentication;
 import com.venafi.vcert.sdk.endpoint.ConnectorType;
 

src/main/java/com/venafi/vcert/sdk/connectors/ServerPolicy.java

@@ -15,7 +15,6 @@
 import com.venafi.vcert.sdk.SignatureAlgorithm;
 import com.venafi.vcert.sdk.certificate.EllipticCurve;
 import com.venafi.vcert.sdk.certificate.KeyType;
-import com.venafi.vcert.sdk.connectors.tpp.ZoneConfiguration;
 import com.venafi.vcert.sdk.endpoint.AllowedKeyConfiguration;
 import com.venafi.vcert.sdk.utils.Is;
 

…dk/connectors/tpp/ZoneConfiguration.java …rt/sdk/connectors/ZoneConfiguration.javasrc/main/java/com/venafi/vcert/sdk/connectors/tpp/ZoneConfiguration.java renamed to src/main/java/com/venafi/vcert/sdk/connectors/ZoneConfiguration.java src/main/java/com/venafi/vcert/sdk/connectors/tpp/ZoneConfiguration.java renamed to src/main/java/com/venafi/vcert/sdk/connectors/ZoneConfiguration.java

@@ -1,4 +1,4 @@
-package com.venafi.vcert.sdk.connectors.tpp;
+package com.venafi.vcert.sdk.connectors;
 
 import static org.apache.commons.lang3.StringUtils.isNotBlank;
 import java.util.Collection;
@@ -15,7 +15,6 @@
 import com.venafi.vcert.sdk.certificate.CertificateRequest;
 import com.venafi.vcert.sdk.certificate.EllipticCurve;
 import com.venafi.vcert.sdk.certificate.KeyType;
-import com.venafi.vcert.sdk.connectors.Policy;
 import com.venafi.vcert.sdk.endpoint.AllowedKeyConfiguration;
 import com.venafi.vcert.sdk.utils.Is;
 
@@ -36,14 +35,15 @@ public class ZoneConfiguration {
                                                                        // empty map
 
   private String zoneId;
+  private AllowedKeyConfiguration keyConfig;
 
   /**
    * UpdateCertificateRequest updates a certificate request based on the zone configuration
    * retrieved from the remote endpoint
    * 
    * @return
    */
-  public void updateCertificateRequest(CertificateRequest request) {
+  public void applyCertificateRequestDefaultSettingsIfNeeded(CertificateRequest request) {
     CertificateRequest.PKIXName subject = request.subject();
     subject.organization(Entity.of(subject.organization(), organization).resolve());
     if (Is.blank(subject.organizationalUnit()) && !Is.blank(organizationalUnit)) {
@@ -55,7 +55,8 @@ public void updateCertificateRequest(CertificateRequest request) {
 
     // apply defaults for settings that weren't specified and then make sure they comply with policy
     if (request.keyType() == null) {
-      request.keyType(KeyType.defaultKeyType());
+      request
+          .keyType(keyConfig != null && keyConfig.keyType() != null ? keyConfig.keyType() : KeyType.defaultKeyType());
     }
 
     switch (request.keyType()) {
@@ -69,8 +70,10 @@ public void updateCertificateRequest(CertificateRequest request) {
         break;
 
       default:
-        if (request.keyLength() < 2048) {
-          request.keyLength(2048);
+        if (request.keyLength() < KeyType.defaultRsaLength()) {
+          request.keyLength(keyConfig != null && !Is.blank(keyConfig.keySizes())
+              && keyConfig.keySizes().get(0) >= KeyType.defaultRsaLength() ? keyConfig.keySizes().get(0)
+                  : KeyType.defaultRsaLength());
         }
         if (request.signatureAlgorithm() == SignatureAlgorithm.UnknownSignatureAlgorithm) {
           request.signatureAlgorithm(SignatureAlgorithm.SHA256WithRSA);
@@ -126,42 +129,37 @@ static Entity of(List<String> target, String source) {
     }
 
     List<String> resolve() {
-      if (Is.blank(target) && isNotBlank(source)) {
-        return Collections.singletonList(source);
-      } else if (!Is.blank(target) && isNotBlank(source) && !Is.equalsFold(target.get(0), source)) {
-        return Collections.singletonList(source);
-      }
-      return target;
+      return Is.blank(target) && isNotBlank(source) ? Collections.singletonList(source) : target;
     }
   }
 
   public boolean validateCertificateRequest(CertificateRequest request) throws VCertException {
     if (!isComponentValid(policy.subjectCNRegexes(),
-        Collections.singletonList(request.subject().commonName()))) {
+        Collections.singletonList(request.subject().commonName()), false)) {
       throw new VCertException(
           "The requested CN does not match any of the allowed CN regular expressions");
     }
-    if (!isComponentValid(policy.subjectORegexes(), request.subject().organization())) {
+    if (!isComponentValid(policy.subjectORegexes(), request.subject().organization(), false)) {
       throw new VCertException(
           "The requested Organization does not match any of the allowed Organization regular expressions");
     }
-    if (!isComponentValid(policy.subjectOURegexes(), request.subject().organizationalUnit())) {
+    if (!isComponentValid(policy.subjectOURegexes(), request.subject().organizationalUnit(), false)) {
       throw new VCertException(
           "The requested Organizational Unit does not match any of the allowed Organization Unit regular expressions");
     }
-    if (!isComponentValid(policy.subjectSTRegexes(), request.subject().province())) {
+    if (!isComponentValid(policy.subjectSTRegexes(), request.subject().province(), false)) {
       throw new VCertException(
           "The requested State/Province does not match any of the allowed State/Province regular expressions");
     }
-    if (!isComponentValid(policy.subjectLRegexes(), request.subject().locality())) {
+    if (!isComponentValid(policy.subjectLRegexes(), request.subject().locality(), false)) {
       throw new VCertException(
           "The requested Locality does not match any of the allowed Locality regular expressions");
     }
-    if (!isComponentValid(policy.subjectCRegexes(), request.subject().country())) {
+    if (!isComponentValid(policy.subjectCRegexes(), request.subject().country(), false)) {
       throw new VCertException(
           "The requested Country does not match any of the allowed Country regular expressions");
     }
-    if (!isComponentValid(policy.dnsSanRegExs(), request.dnsNames())) {
+    if (!isComponentValid(policy.dnsSanRegExs(), request.dnsNames(), true)) {
       throw new VCertException(
           "The requested Subject Alternative Name does not match any of the allowed Country regular expressions");
     }
@@ -188,26 +186,28 @@ public boolean validateCertificateRequest(CertificateRequest request) throws VCe
     return true;
   }
 
-  private boolean isComponentValid(Collection<String> regexes, Collection<String> components) {
-    if (regexes.size() == 0 || components.size() == 0) {
+  private boolean isComponentValid(Collection<String> regexes, Collection<String> components, boolean optional) {
+    if (regexes.isEmpty() || (optional && Is.blank(components))) {
       return true;
     }
 
-    for (String regex : regexes) {
-      Pattern pattern;
-      try {
-        pattern = Pattern.compile(regex);
-      } catch (PatternSyntaxException e) {
-        // TODO log error
-        return false;
-      }
-      for (String component : components) {
-        Matcher m = pattern.matcher(component);
-        if (m.matches()) {
-          return true; // todo: that seems wrong. Check if all policy rules need to be matched, or
-                       // any one? (E.g.: Policy says location is [0]:Madrid,[1]:London - does it
-                       // need to match either or both?) Also, if we have locations 0:London, 1:
-                       // Brussels, 2: Madrid, won't this pass? Should it?
+    if (components != null) {
+      for (String regex : regexes) {
+        Pattern pattern;
+        try {
+          pattern = Pattern.compile(regex);
+        } catch (PatternSyntaxException e) {
+          // TODO log error
+          return false;
+        }
+        for (String component : components) {
+          Matcher m = pattern.matcher(component);
+          if (m.matches()) {
+            return true; // todo: that seems wrong. Check if all policy rules need to be matched, or
+                         // any one? (E.g.: Policy says location is [0]:Madrid,[1]:London - does it
+                         // need to match either or both?) Also, if we have locations 0:London, 1:
+                         // Brussels, 2: Madrid, won't this pass? Should it?
+          }
         }
       }
     }