Venafi
diff --git a/‎README.md‎
Lines changed: 99 additions & 66 deletions b/‎README.md‎
Lines changed: 99 additions & 66 deletions
diff --git a/‎src/main/java/com/venafi/vcert/sdk/Config.java‎
Lines changed: 0 additions & 2 deletions b/‎src/main/java/com/venafi/vcert/sdk/Config.java‎
Lines changed: 0 additions & 2 deletions
diff --git a/‎src/main/java/com/venafi/vcert/sdk/SignatureAlgorithm.java‎
Lines changed: 0 additions & 1 deletion b/‎src/main/java/com/venafi/vcert/sdk/SignatureAlgorithm.java‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎src/main/java/com/venafi/vcert/sdk/certificate/CertificateRequest.java‎
Lines changed: 76 additions & 16 deletions b/‎src/main/java/com/venafi/vcert/sdk/certificate/CertificateRequest.java‎
Lines changed: 76 additions & 16 deletions
@@ -1,12 +1,13 @@
-# VCert-Java
+# VCert Java
 
 <img src="https://www.venafi.com/sites/default/files/content/body/Light_background_logo.png" width="330px" height="69px"/>  
 
 VCert is a Java library, SDK, designed to simplify key generation and enrollment of machine identities
 (also known as SSL/TLS certificates and keys) that comply with enterprise security policy by using the
 [Venafi Platform](https://www.venafi.com/platform/trust-protection-platform) or [Venafi Cloud](https://pki.venafi.com/venafi-cloud/).
 
-
+#### Compatibility
+VCert releases are tested using the latest version of Trust Protection Platform.  The [latest VCert release](../../releases/latest) should be compatible with Trust Protection Platform 17.3 or higher based on the subset of API methods it consumes.
 
 
 ## Installation
@@ -20,71 +21,103 @@ mvn install
 
 ## Usage
 
-A basic example of createing a certificate using the VCert java implementation.
+A basic example of creating a certificate using VCert Java:
 
 ```
-    final Config config = Config.builder()
-            .connectorType(ConnectorType.CLOUD)
-            .zone("Default")
-            .build();
-
-    final VCertClient client = new VCertClient(config);
-    final Authentication auth = Authentication.builder()
-            .apiKey("xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx")
-            .build();
-
-    client.authenticate(auth);
-    final ZoneConfiguration zoneConfiguration = client.readZoneConfiguration("Public");
-
-
-
-        // Generate a certificate
-        CertificateRequest certificateRequest = new CertificateRequest().subject(
-                new CertificateRequest.PKIXName()
-                        .commonName("opencredo.test")
-                        .organization(Collections.singletonList("Venafi, Inc."))
-                        .organizationalUnit(Arrays.asList("Engineering"))
-                        .country(Collections.singletonList("US"))
-                        .locality(Collections.singletonList("SLC"))
-                        .province(Collections.singletonList("Utah")))
-
-                .keyType(KeyType.RSA);
-        certificateRequest = client.generateRequest(zoneConfiguration, certificateRequest);
-
-
-        // Submit the certificate request
-        String newCertId = client.requestCertificate(certificateRequest, "Default");
-
-
-        // Retrieve PEM collection from Venafi
-        final CertificateRequest pickupRequest = new CertificateRequest().pickupId(newCertId);
-        PEMCollection pemCollection = client.retrieveCertificate(pickupRequest);
-        System.out.println(pemCollection.certificate());
-
-        // Renew the certificate
-        X509Certificate cert = (X509Certificate) pemCollection.certificate();
-        String thumbprint = DigestUtils.sha1Hex(cert.getEncoded()).toUpperCase();
-        final CertificateRequest certificateRequestToRenew = new CertificateRequest().subject(
-                new CertificateRequest.PKIXName()
-                        .commonName("opencredo.test")
-                        .organization(Collections.singletonList("Venafi, Inc."))
-                        .organizationalUnit(Arrays.asList("Engineering"))
-                        .country(Collections.singletonList("US"))
-                        .locality(Collections.singletonList("SLC"))
-                        .province(Collections.singletonList("Utah")));
-
-        client.generateRequest(zoneConfiguration, certificateRequestToRenew);
-
-        final RenewalRequest renewalRequest = new RenewalRequest()
-                .thumbprint(thumbprint)
-                .request(certificateRequestToRenew);
-        final String renewedCertificate = client.renewCertificate(renewalRequest);
-
-        // Retrieve PEM collection from Venafi
-        final CertificateRequest renewPickupRequest = new CertificateRequest().pickupId(renewedCertificate);
-        PEMCollection pemCollectionRenewed = client.retrieveCertificate(pickupRequest);
-        System.out.println(pemCollectionRenewed.certificate());
-
+final Config config = Config.builder()
+        .connectorType(ConnectorType.TPP)
+        .baseUrl("https://tpp.venafi.example/vedsdk")
+        .build();
+        
+/* or for Venafi Cloud
+final Config config = Config.builder()
+        .connectorType(ConnectorType.CLOUD)
+        .build();
+*/
+
+final VCertClient client = new VCertClient(config);
+
+final Authentication auth = Authentication.builder()
+        .user("local:apiuser")
+        .password("password")
+        .build();
+
+/* or for Venafi Cloud
+final Authentication auth = Authentication.builder()
+        .apiKey("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
+        .build();
+*/
+
+client.authenticate(auth);
+
+//////////////////////////////////////
+///// Local Generated CSR - RSA //////
+//////////////////////////////////////
+
+// Generate a key pair and certificate signing request
+CertificateRequest certificateRequest = new CertificateRequest().subject(
+        new CertificateRequest.PKIXName()
+                .commonName("vcert-java.venafi.example")
+                .organization(Collections.singletonList("Example Company"))
+                .organizationalUnit(Arrays.asList("Example Division"))
+                .country(Collections.singletonList("US"))
+                .locality(Collections.singletonList("Salt Lake City"))
+                .province(Collections.singletonList("Utah")))
+        .dnsNames(Arrays.asList("alfa.venafi.example", "bravo.venafi.example", "charlie.venafi.example"))
+        .ipAddresses(Arrays.asList(InetAddress.getByName("10.20.30.40"),InetAddress.getByName("172.16.172.16")))
+        .emailAddresses(Arrays.asList("larry@venafi.example", "moe@venafi.example", "curly@venafi.example"))
+        .keyType(KeyType.RSA);
+        
+ZoneConfiguration zoneConfiguration = client.readZoneConfiguration("Certificates\\VCert");
+certificateRequest = client.generateRequest(zoneConfiguration, certificateRequest);   
+
+// Submit the certificate request
+client.requestCertificate(certificateRequest, "Certificates\\VCert");
+
+// Retrieve PEM collection from Venafi
+PEMCollection pemCollection = client.retrieveCertificate(certificateRequest);
+
+System.out.println(pemCollection.pemPrivateKey());
+System.out.println(pemCollection.pemCertificate());
+System.out.println(pemCollection.pemCertificateChain());
+
+/////////////////////////////
+///// User Provided CSR /////
+/////////////////////////////
+        
+String csr = "-----BEGIN CERTIFICATE REQUEST-----\n" +
+        "MIIC8DCCAdgCAQAwgY4xCzAJBgNVBAYTAlVTMQ0wCwYDVQQIEwRVdGFoMRcwFQYD\n" +
+        "VQQHEw5TYWx0IExha2UgQ2l0eTEYMBYGA1UEChMPRXhhbXBsZSBDb21wYW55MRkw\n" +
+        "FwYDVQQLExBFeGFtcGxlIERpdmlzaW9uMSIwIAYDVQQDExl2Y2VydC1qYXZhLnZl\n" +
+        "bmFmaS5leGFtcGxlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA9PHk\n" +
+        "bR5i0pV6M08XXi+Z0tAJkIU3TLG0Hr0n5tY6JIcP3Sc8wrodgMN66WUP6oLV/yqR\n" +
+        "2lKom+dc9dIN9iaVUfnpPwhjyuIMyd0svmU2hnZj3InG5kvqnMnzQvRfWx0OKmMB\n" +
+        "c652qZsgR3d6I+YufhIsuMxkWMev2njXGZAnThGVMv/iD9dLTO+0lTwwSbvM1lxw\n" +
+        "YxAwdVFX1+vl0ORyOs4OUqUFv3i6qvS/U/RI45TrgR+XA2/8xPlo5gfGrnFfiyJJ\n" +
+        "jMctOak2mOVrR/2kXYcOw+37zkpJEADSZBgm/YzqdYtrI8t/M4uClkn9WQgTijC1\n" +
+        "eN4hFKyTGeOGIqKI/QIDAQABoBwwGgYJKoZIhvcNAQkOMQ0wCzAJBgNVHRMEAjAA\n" +
+        "MA0GCSqGSIb3DQEBCwUAA4IBAQDOxsP3fFsx/UOLudVm6MAuAFZfZxm7P1sZrYhb\n" +
+        "tgshSXDlruiO7/ovb8rDrRrKJjAx4+tXlQRsDfxIpvuNcAd7//WCjjIfAoNlGRW4\n" +
+        "cMtWfvCN1p7XsVer+JJHtM5UZ+oKS06hdPppDP4rfjyhTM5Y0M8JAgMcGsm7lrWU\n" +
+        "w1ly6k8k5NzadWGOZwvz75qrn0ufHuI96sPsL5wmqty34BfnBy4iMddU3m/Y1qQb\n" +
+        "VfKV2CRWybwV/QeCtogXvI7Nou2LZQDWI57498Nzif1Zvfy0/ab8XBkX2vMUXcnm\n" +
+        "1A7/9ezwgYTZvy1rbBSKBSjAx/MAOPUM93OcjT6tKtEeEnI8\n" +
+        "-----END CERTIFICATE REQUEST-----";
+
+certificateRequest = new CertificateRequest().csr(csr.getBytes())
+        .csrOrigin(com.venafi.vcert.sdk.certificate.CsrOriginOption.UserProvidedCSR)
+        .dnsNames(Arrays.asList("alfa.venafi.example", "bravo.venafi.example", "charlie.venafi.example"))
+        .ipAddresses(Arrays.asList(InetAddress.getByName("10.20.30.40"),InetAddress.getByName("172.16.172.16")))
+        .emailAddresses(Arrays.asList("larry@venafi.example", "moe@venafi.example", "curly@venafi.example"));
+
+// Submit the certificate request
+client.requestCertificate(certificateRequest, "Certificates\\VCert");
+
+// Retrieve PEM collection from Venafi
+pemCollection = client.retrieveCertificate(certificateRequest);
+
+System.out.println(pemCollection.pemCertificate());
+System.out.println(pemCollection.pemCertificateChain());
 
 ```
 
@@ -132,7 +165,7 @@ mvn "-Dtest=*AT" test
 4. Implement and test your changes
 5. Commit your changes (`git commit -am 'Added some cool functionality'`)
 6. Push to the branch (`git push origin your-branch-name`)
-7. Create a new Pull Request (https://github.com/youracct/vcert-java/pull/new/working-branch)
+7. Create a new Pull Request (https://github.com/youracct/vcert-java/pull/new/your-branch-name)
 
 
 ## License
 
@@ -9,10 +9,8 @@
 
 import java.io.IOException;
 import java.nio.file.Path;
-import java.util.Arrays;
 import java.util.List;
 import java.util.Objects;
-import java.util.Set;
 
 import static java.util.Arrays.asList;
 
 
@@ -6,7 +6,6 @@ public enum SignatureAlgorithm {
 
     UnknownSignatureAlgorithm(""),
     MD2withRSA("MD2withRSA"),
-
     MD5WithRSA("MD5withRSA"),
     SHA1WithRSA("SHA1withRSA"),
     SHA256WithRSA("SHA256withRSA"),
 
@@ -5,12 +5,18 @@
 import com.venafi.vcert.sdk.VCertException;
 import lombok.Data;
 import org.bouncycastle.asn1.ASN1ObjectIdentifier;
-import org.bouncycastle.asn1.eac.ECDSAPublicKey;
 import org.bouncycastle.asn1.x500.X500NameBuilder;
 import org.bouncycastle.asn1.x500.style.BCStyle;
 import org.bouncycastle.jce.PKCS10CertificationRequest;
 import org.bouncycastle.util.io.pem.PemReader;
-import java.util.Base64;
+import org.bouncycastle.asn1.x509.GeneralName;
+import org.bouncycastle.asn1.x509.GeneralNames;
+import org.bouncycastle.asn1.x509.X509Extension;
+import org.bouncycastle.asn1.x509.X509Extensions;
+import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
+import org.bouncycastle.asn1.pkcs.Attribute;
+import org.bouncycastle.asn1.DEROctetString;
+import org.bouncycastle.asn1.DERSet;
 
 import javax.security.auth.x500.X500Principal;
 import java.io.ByteArrayOutputStream;
@@ -20,11 +26,15 @@
 import java.security.*;
 import java.security.cert.Certificate;
 import java.security.interfaces.RSAPublicKey;
+import java.security.interfaces.ECPublicKey;
 import java.security.spec.ECGenParameterSpec;
 import java.time.Duration;
 import java.util.Collection;
 import java.util.List;
 import java.util.Objects;
+import java.util.ArrayList;
+import java.util.Vector;
+import java.util.Base64;
 
 import static java.lang.String.format;
 import static java.time.temporal.ChronoUnit.MINUTES;
@@ -72,6 +82,12 @@ public ChainOption chainOption() {
                 :ChainOption.ChainOptionRootFirst;
     }
 
+    public PrivateKey privateKey() {
+        return (!Objects.isNull(keyPair))
+                ?keyPair.getPrivate()
+                :null;
+    }
+
     public void generatePrivateKey() throws VCertException {
         if(keyPair != null) {
             return;
@@ -95,17 +111,40 @@ public void generatePrivateKey() throws VCertException {
 
     public void generateCSR() throws VCertException {
         try {
+            List<GeneralName> sans = new ArrayList<GeneralName>();
+
+            for ( String san : dnsNames ) {
+                sans.add(new GeneralName(GeneralName.dNSName, san));
+            }
+            for ( InetAddress san : ipAddresses ) {
+                sans.add(new GeneralName(GeneralName.iPAddress, new DEROctetString(san.getAddress())));
+            }
+            for ( String san : emailAddresses ) {
+                sans.add(new GeneralName(GeneralName.rfc822Name, san));
+            }
+
+            GeneralNames names = new GeneralNames(sans.toArray(new GeneralName[] {}));
+            Vector oids = new Vector();
+            Vector values = new Vector();
+
+            oids.add(X509Extensions.SubjectAlternativeName);
+            values.add(new X509Extension(false, new DEROctetString(names)));
+
+            X509Extensions extensions = new X509Extensions(oids, values);
+            Attribute attribute = new Attribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, new DERSet(extensions));
+
             PKCS10CertificationRequest certificationRequest = new PKCS10CertificationRequest(
                     signatureAlgorithm.standardName(),
                     subject.toX500Principal(),
                     keyPair.getPublic(),
-                    null,
+                    new DERSet(attribute),
                     keyPair.getPrivate());
 
             ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
             outputStream.write("-----BEGIN CERTIFICATE REQUEST-----".getBytes());
             outputStream.write(System.lineSeparator().getBytes());
-            outputStream.write(Base64.getEncoder().encode(certificationRequest.getEncoded()));
+            outputStream.write(Base64.getMimeEncoder().encode(certificationRequest.getEncoded()));
+            outputStream.write(System.lineSeparator().getBytes());
             outputStream.write("-----END CERTIFICATE REQUEST-----".getBytes());
             csr = outputStream.toByteArray();
         } catch(Exception e) {
@@ -197,8 +236,7 @@ public static class AttributeTypeAndValueSET {
     }
 
     public boolean checkCertificate(Certificate certificate) throws VCertException {
-        // TODO handle enum exception
-        PublicKeyAlgorithm publicKeyAlgorithm = PublicKeyAlgorithm.valueOf(certificate.getPublicKey().getAlgorithm());
+        PublicKeyAlgorithm publicKeyAlgorithm = KeyType.from(certificate.getPublicKey().getAlgorithm()).X509Type();
 
         if(keyPair != null && keyPair.getPublic() != null && keyPair.getPrivate() != null) {
             if( keyType.X509Type() != publicKeyAlgorithm) {
@@ -214,11 +252,22 @@ public boolean checkCertificate(Certificate certificate) throws VCertException {
                     }
                     break;
                 case ECDSA:
-                    ECDSAPublicKey certEcdsaPublicKey = (ECDSAPublicKey) certificate.getPublicKey();
-                    ECDSAPublicKey reqEcdsaPublicKey = (ECDSAPublicKey) keyPair.getPublic();
-                    // TODO make sure comparison is valid
-                    if(certEcdsaPublicKey.getPrimeModulusP().compareTo(reqEcdsaPublicKey.getPrimeModulusP()) != 0) {
-                        throw new VCertException("unmatched X for eliptic keys");
+                    ECPublicKey certEcPublicKey = (ECPublicKey) certificate.getPublicKey();
+                    ECPublicKey reqEcPublicKey = (ECPublicKey) keyPair.getPublic();
+
+                    // https://stackoverflow.com/questions/24121801/how-to-verify-if-the-private-key-matches-with-the-certificate
+                    java.security.spec.ECParameterSpec certSpec = certEcPublicKey.getParams(), csrSpec = reqEcPublicKey.getParams();
+                    java.security.spec.EllipticCurve certCurve = certSpec.getCurve(), csrCurve = csrSpec.getCurve();
+                    java.security.spec.ECField certField = certCurve.getField(), csrField = csrCurve.getField();
+                    if ( certSpec != csrSpec //
+                            && ( certSpec.getCofactor() != csrSpec.getCofactor() //
+                            || ! certSpec.getOrder().equals( csrSpec.getOrder() ) //
+                        || ! certSpec.getGenerator().equals( csrSpec.getGenerator() ) //
+                        || certCurve != csrCurve //
+                            && ( ! certCurve.getA().equals( csrCurve.getA() ) //
+                            || ! certCurve.getB().equals( csrCurve.getB() ) //
+                        || certField.getFieldSize() != csrField.getFieldSize() ) ) ) {
+                        throw new VCertException("unmatched parameters for elliptic keys");
                     }
                     break;
                 default:
@@ -244,11 +293,22 @@ public boolean checkCertificate(Certificate certificate) throws VCertException {
                         }
                         break;
                     case ECDSA:
-                        ECDSAPublicKey certEcdsaPublicKey = (ECDSAPublicKey) certificate.getPublicKey();
-                        ECDSAPublicKey reqEcdsaPublicKey = (ECDSAPublicKey) csr.getPublicKey();
-                        // TODO make sure comparison is valid
-                        if(certEcdsaPublicKey.getPrimeModulusP().compareTo(reqEcdsaPublicKey.getPrimeModulusP()) != 0) {
-                            throw new VCertException("unmatched X for eliptic keys");
+                        ECPublicKey certEcPublicKey = (ECPublicKey) certificate.getPublicKey();
+                        ECPublicKey reqEcPublicKey = (ECPublicKey) csr.getPublicKey();
+
+                        // https://stackoverflow.com/questions/24121801/how-to-verify-if-the-private-key-matches-with-the-certificate
+                        java.security.spec.ECParameterSpec certSpec = certEcPublicKey.getParams(), csrSpec = reqEcPublicKey.getParams();
+                        java.security.spec.EllipticCurve certCurve = certSpec.getCurve(), csrCurve = csrSpec.getCurve();
+                        java.security.spec.ECField certField = certCurve.getField(), csrField = csrCurve.getField();
+                        if ( certSpec != csrSpec //
+                                && ( certSpec.getCofactor() != csrSpec.getCofactor() //
+                                || ! certSpec.getOrder().equals( csrSpec.getOrder() ) //
+                            || ! certSpec.getGenerator().equals( csrSpec.getGenerator() ) //
+                            || certCurve != csrCurve //
+                                && ( ! certCurve.getA().equals( csrCurve.getA() ) //
+                                || ! certCurve.getB().equals( csrCurve.getB() ) //
+                            || certField.getFieldSize() != csrField.getFieldSize() ) ) ) {
+                            throw new VCertException("unmatched parameters for elliptic keys");
                         }
                         break;
                 }