Fixed private key missing from PEM collection when using local generation

tr1ck3r · tr1ck3r · commit ab7ae633c16c · 2019-06-14T17:49:26.000-07:00
diff --git a/src/main/java/com/venafi/vcert/sdk/certificate/CertificateRequest.java b/src/main/java/com/venafi/vcert/sdk/certificate/CertificateRequest.java
@@ -5,7 +5,6 @@
 import com.venafi.vcert.sdk.VCertException;
 import lombok.Data;
 import org.bouncycastle.asn1.ASN1ObjectIdentifier;
-import org.bouncycastle.asn1.eac.ECDSAPublicKey;
 import org.bouncycastle.asn1.x500.X500NameBuilder;
 import org.bouncycastle.asn1.x500.style.BCStyle;
 import org.bouncycastle.jce.PKCS10CertificationRequest;
@@ -27,6 +26,7 @@
 import java.security.*;
 import java.security.cert.Certificate;
 import java.security.interfaces.RSAPublicKey;
+import java.security.interfaces.ECPublicKey;
 import java.security.spec.ECGenParameterSpec;
 import java.time.Duration;
 import java.util.Collection;
@@ -82,6 +82,12 @@ public ChainOption chainOption() {
                 :ChainOption.ChainOptionRootFirst;
     }
 
+    public PrivateKey privateKey() {
+        return (!Objects.isNull(keyPair))
+                ?keyPair.getPrivate()
+                :null;
+    }
+
     public void generatePrivateKey() throws VCertException {
         if(keyPair != null) {
             return;
@@ -110,11 +116,9 @@ public void generateCSR() throws VCertException {
             for ( String san : dnsNames ) {
                 sans.add(new GeneralName(GeneralName.dNSName, san));
             }
-
             for ( InetAddress san : ipAddresses ) {
                 sans.add(new GeneralName(GeneralName.iPAddress, new DEROctetString(san.getAddress())));
             }
-
             for ( String san : emailAddresses ) {
                 sans.add(new GeneralName(GeneralName.rfc822Name, san));
             }
@@ -232,8 +236,7 @@ public static class AttributeTypeAndValueSET {
     }
 
     public boolean checkCertificate(Certificate certificate) throws VCertException {
-        // TODO handle enum exception
-        PublicKeyAlgorithm publicKeyAlgorithm = PublicKeyAlgorithm.valueOf(certificate.getPublicKey().getAlgorithm());
+        PublicKeyAlgorithm publicKeyAlgorithm = KeyType.from(certificate.getPublicKey().getAlgorithm()).X509Type();
 
         if(keyPair != null && keyPair.getPublic() != null && keyPair.getPrivate() != null) {
             if( keyType.X509Type() != publicKeyAlgorithm) {
@@ -249,11 +252,22 @@ public boolean checkCertificate(Certificate certificate) throws VCertException {
                     }
                     break;
                 case ECDSA:
-                    ECDSAPublicKey certEcdsaPublicKey = (ECDSAPublicKey) certificate.getPublicKey();
-                    ECDSAPublicKey reqEcdsaPublicKey = (ECDSAPublicKey) keyPair.getPublic();
-                    // TODO make sure comparison is valid
-                    if(certEcdsaPublicKey.getPrimeModulusP().compareTo(reqEcdsaPublicKey.getPrimeModulusP()) != 0) {
-                        throw new VCertException("unmatched X for eliptic keys");
+                    ECPublicKey certEcPublicKey = (ECPublicKey) certificate.getPublicKey();
+                    ECPublicKey reqEcPublicKey = (ECPublicKey) keyPair.getPublic();
+
+                    // https://stackoverflow.com/questions/24121801/how-to-verify-if-the-private-key-matches-with-the-certificate
+                    java.security.spec.ECParameterSpec certSpec = certEcPublicKey.getParams(), csrSpec = reqEcPublicKey.getParams();
+                    java.security.spec.EllipticCurve certCurve = certSpec.getCurve(), csrCurve = csrSpec.getCurve();
+                    java.security.spec.ECField certField = certCurve.getField(), csrField = csrCurve.getField();
+                    if ( certSpec != csrSpec //
+                            && ( certSpec.getCofactor() != csrSpec.getCofactor() //
+                            || ! certSpec.getOrder().equals( csrSpec.getOrder() ) //
+                        || ! certSpec.getGenerator().equals( csrSpec.getGenerator() ) //
+                        || certCurve != csrCurve //
+                            && ( ! certCurve.getA().equals( csrCurve.getA() ) //
+                            || ! certCurve.getB().equals( csrCurve.getB() ) //
+                        || certField.getFieldSize() != csrField.getFieldSize() ) ) ) {
+                        throw new VCertException("unmatched parameters for elliptic keys");
                     }
                     break;
                 default:
@@ -279,11 +293,22 @@ public boolean checkCertificate(Certificate certificate) throws VCertException {
                         }
                         break;
                     case ECDSA:
-                        ECDSAPublicKey certEcdsaPublicKey = (ECDSAPublicKey) certificate.getPublicKey();
-                        ECDSAPublicKey reqEcdsaPublicKey = (ECDSAPublicKey) csr.getPublicKey();
-                        // TODO make sure comparison is valid
-                        if(certEcdsaPublicKey.getPrimeModulusP().compareTo(reqEcdsaPublicKey.getPrimeModulusP()) != 0) {
-                            throw new VCertException("unmatched X for eliptic keys");
+                        ECPublicKey certEcPublicKey = (ECPublicKey) certificate.getPublicKey();
+                        ECPublicKey reqEcPublicKey = (ECPublicKey) csr.getPublicKey();
+
+                        // https://stackoverflow.com/questions/24121801/how-to-verify-if-the-private-key-matches-with-the-certificate
+                        java.security.spec.ECParameterSpec certSpec = certEcPublicKey.getParams(), csrSpec = reqEcPublicKey.getParams();
+                        java.security.spec.EllipticCurve certCurve = certSpec.getCurve(), csrCurve = csrSpec.getCurve();
+                        java.security.spec.ECField certField = certCurve.getField(), csrField = csrCurve.getField();
+                        if ( certSpec != csrSpec //
+                                && ( certSpec.getCofactor() != csrSpec.getCofactor() //
+                                || ! certSpec.getOrder().equals( csrSpec.getOrder() ) //
+                            || ! certSpec.getGenerator().equals( csrSpec.getGenerator() ) //
+                            || certCurve != csrCurve //
+                                && ( ! certCurve.getA().equals( csrCurve.getA() ) //
+                                || ! certCurve.getB().equals( csrCurve.getB() ) //
+                            || certField.getFieldSize() != csrField.getFieldSize() ) ) ) {
+                            throw new VCertException("unmatched parameters for elliptic keys");
                         }
                         break;
                 }
diff --git a/src/main/java/com/venafi/vcert/sdk/certificate/PEMCollection.java b/src/main/java/com/venafi/vcert/sdk/certificate/PEMCollection.java
@@ -7,6 +7,11 @@
 import org.bouncycastle.openssl.PEMKeyPair;
 import org.bouncycastle.openssl.PEMParser;
 import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
+import org.bouncycastle.asn1.ASN1Encodable;
+import org.bouncycastle.asn1.ASN1Primitive;
+import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
+import org.bouncycastle.util.io.pem.PemObject;
+import org.bouncycastle.util.io.pem.PemWriter;
 
 import java.io.IOException;
 import java.io.StringReader;
@@ -15,16 +20,20 @@
 import java.security.cert.CertificateException;
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Objects;
+import java.io.ByteArrayOutputStream;
+import java.io.OutputStreamWriter;
+import java.security.cert.CertificateEncodingException;
+
 
 @Data
 public class PEMCollection {
     private Certificate certificate;
     private PrivateKey privateKey;
     private List<Certificate> chain = new ArrayList<>();
 
-    public static PEMCollection fromResponse(String body, ChainOption chainOption) throws VCertException {
+    public static PEMCollection fromResponse(String body, ChainOption chainOption, PrivateKey privateKey) throws VCertException {
         List<Certificate> chain = new ArrayList<>();
-        PrivateKey privateKey = null;
 
         PEMParser pemParser = new PEMParser(new StringReader(body));
         JcaX509CertificateConverter certificateConverter = new JcaX509CertificateConverter();
@@ -73,6 +82,10 @@ public static PEMCollection fromResponse(String body, ChainOption chainOption) t
         return pemCollection;
     }
 
+    public static PEMCollection fromResponse(String body, ChainOption chainOption) throws VCertException {
+        return fromResponse(body, chainOption, null);
+    }
+
     // TODO deal with password? is it required?
     public static PEMCollection newPemCollection(Certificate certificate, PrivateKey privateKey, byte[] privateKeyPassword) {
         PEMCollection pemCollection = new PEMCollection();
@@ -82,4 +95,67 @@ public static PEMCollection newPemCollection(Certificate certificate, PrivateKey
         }
         return pemCollection;
     }
+
+    public String pemCertificate() {
+        String pem = null;
+        if (!Objects.isNull(this.certificate)) {
+            ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
+            try (PemWriter pemWriter = new PemWriter(new OutputStreamWriter(outputStream))) {
+                pemWriter.writeObject(new PemObject("CERTIFICATE", this.certificate.getEncoded()));
+            } catch (CertificateEncodingException e) {
+                throw new RuntimeException(e);
+            } catch (IOException e) {
+                throw new RuntimeException(e);
+            }
+            pem = new String(outputStream.toByteArray());
+        }
+        return pem;
+    }
+
+    public String pemPrivateKey() {
+        String pem = null;
+        if (!Objects.isNull(this.privateKey)) {
+            ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
+            switch(KeyType.from(this.privateKey.getAlgorithm())) {
+                case RSA:
+                    try (PemWriter pemWriter = new PemWriter(new OutputStreamWriter(outputStream))) {   
+                        PrivateKeyInfo pkInfo = PrivateKeyInfo.getInstance(this.privateKey.getEncoded());
+                        ASN1Encodable privateKeyPKCS1ASN1Encodable = pkInfo.parsePrivateKey();
+                        ASN1Primitive privateKeyPKCS1ASN1 = privateKeyPKCS1ASN1Encodable.toASN1Primitive();
+                        pemWriter.writeObject(new PemObject("RSA PRIVATE KEY", privateKeyPKCS1ASN1.getEncoded()));
+                    } catch (IOException e) {
+                        throw new RuntimeException(e);
+                    }
+                    pem = new String(outputStream.toByteArray());
+                    break;
+                case ECDSA:
+                    try (PemWriter pemWriter = new PemWriter(new OutputStreamWriter(outputStream))) {
+                        pemWriter.writeObject(new PemObject("EC PRIVATE KEY", this.privateKey.getEncoded())); 
+                    } catch (IOException e) {
+                        throw new RuntimeException(e);
+                    }
+                    pem = new String(outputStream.toByteArray());
+                    break;
+            }
+        }
+        return pem;
+    }
+
+    public String pemCertificateChain() {
+        StringBuilder pem = new StringBuilder();
+        if (!Objects.isNull(this.chain)) {
+            for(Certificate cert : this.chain) {
+                ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
+                try (PemWriter pemWriter = new PemWriter(new OutputStreamWriter(outputStream))) {
+                    pemWriter.writeObject(new PemObject("CERTIFICATE", cert.getEncoded()));
+                } catch (CertificateEncodingException e) {
+                    throw new RuntimeException(e);
+                } catch (IOException e) {
+                    throw new RuntimeException(e);
+                }
+                pem.append(new String(outputStream.toByteArray()));
+            }
+        }
+        return pem.toString();
+    }
 }
diff --git a/src/main/java/com/venafi/vcert/sdk/certificate/PublicKeyAlgorithm.java b/src/main/java/com/venafi/vcert/sdk/certificate/PublicKeyAlgorithm.java
@@ -4,6 +4,5 @@ public enum PublicKeyAlgorithm {
     Unknown,
     RSA,
     DSA,
-    ECDSA,
-    EC
+    ECDSA
 }
diff --git a/src/main/java/com/venafi/vcert/sdk/connectors/cloud/CloudConnector.java b/src/main/java/com/venafi/vcert/sdk/connectors/cloud/CloudConnector.java
@@ -213,7 +213,7 @@ public PEMCollection retrieveCertificate(CertificateRequest request) throws VCer
                     break;
             }
             String body = certificateViaCSR(request.pickupId(), chainOption);
-            PEMCollection pemCollection = PEMCollection.fromResponse(body, request.chainOption());
+            PEMCollection pemCollection = PEMCollection.fromResponse(body, request.chainOption(), request.privateKey());
             request.checkCertificate(pemCollection.certificate());
             return pemCollection;
         } else {
diff --git a/src/main/java/com/venafi/vcert/sdk/connectors/tpp/TppConnector.java b/src/main/java/com/venafi/vcert/sdk/connectors/tpp/TppConnector.java
@@ -257,7 +257,7 @@ public PEMCollection retrieveCertificate(CertificateRequest request) throws VCer
             if(isNotBlank(retrieveResponse.certificateData())) {
                 PEMCollection pemCollection = PEMCollection.fromResponse(
                         org.bouncycastle.util.Strings.fromByteArray(Base64.getDecoder().decode(retrieveResponse.certificateData())),
-                        request.chainOption());
+                        request.chainOption(), request.privateKey());
                 request.checkCertificate(pemCollection.certificate());
                 return pemCollection;
             }

Original file line number	Diff line number	Diff line change
`@@ -4,6 +4,5 @@ public enum PublicKeyAlgorithm {`
`4`	`4`	`Unknown,`
`5`	`5`	`RSA,`
`6`	`6`	`DSA,`
`7`		`- ECDSA,`
`8`		`- EC`
	`7`	`+ ECDSA`
`9`	`8`	`}`
Original file line number	Diff line number	Diff line change
`@@ -213,7 +213,7 @@ public PEMCollection retrieveCertificate(CertificateRequest request) throws VCer`
`213`	`213`	`break;`
`214`	`214`	`}`
`215`	`215`	`String body = certificateViaCSR(request.pickupId(), chainOption);`
`216`		`- PEMCollection pemCollection = PEMCollection.fromResponse(body, request.chainOption());`
	`216`	`+ PEMCollection pemCollection = PEMCollection.fromResponse(body, request.chainOption(), request.privateKey());`
`217`	`217`	`request.checkCertificate(pemCollection.certificate());`
`218`	`218`	`return pemCollection;`
`219`	`219`	`} else {`
Original file line number	Diff line number	Diff line change
`@@ -257,7 +257,7 @@ public PEMCollection retrieveCertificate(CertificateRequest request) throws VCer`
`257`	`257`	`if(isNotBlank(retrieveResponse.certificateData())) {`
`258`	`258`	`PEMCollection pemCollection = PEMCollection.fromResponse(`
`259`	`259`	`org.bouncycastle.util.Strings.fromByteArray(Base64.getDecoder().decode(retrieveResponse.certificateData())),`
`260`		`- request.chainOption());`
	`260`	`+ request.chainOption(), request.privateKey());`
`261`	`261`	`request.checkCertificate(pemCollection.certificate());`
`262`	`262`	`return pemCollection;`
`263`	`263`	`}`