Merge pull request #67 from Venafi/VaaS-Keystore

Support for VaaS keystore

Author: marcos-albornoz

pom.xml

@@ -61,7 +61,7 @@
 	</distributionManagement>
 
     <properties>
-        <lombok.version>1.18.6</lombok.version>
+        <lombok.version>1.18.20</lombok.version>
         <bouncycastle.version>1.67</bouncycastle.version>
         <feign.version>10.4.0</feign.version>
         <guava.version>30.1.1-jre</guava.version>
@@ -76,6 +76,7 @@
         <httpclient.version>4.5.13</httpclient.version>
         <httpcore.version>4.4.14</httpcore.version>
         <maverick-base.version>3.0.3-FINAL</maverick-base.version>
+        <tweetnacl-java.version>1.1.2</tweetnacl-java.version>
     </properties>
 
     <dependencies>
@@ -191,6 +192,11 @@
 			<version>${maverick-base.version}</version>
 			<scope>test</scope>
 		</dependency>
+		<dependency>
+			<groupId>org.purejava</groupId>
+			<artifactId>tweetnacl-java</artifactId>
+			<version>${tweetnacl-java.version}</version>
+		</dependency>
     </dependencies>
 
 	<build>
@@ -200,8 +206,8 @@
 				<artifactId>maven-compiler-plugin</artifactId>
                 <version>3.6.1</version>
                 <configuration>
-                    <source>8</source>
-                    <target>8</target>
+                    <source>11</source>
+                    <target>11</target>
                 </configuration>
             </plugin>
 

src/main/java/com/venafi/vcert/sdk/certificate/CertificateRequest.java

@@ -64,6 +64,7 @@ public class CertificateRequest {
   private KeyPair keyPair;
   private CsrOriginOption csrOrigin = CsrOriginOption.defaultCsrOrigin();
   private String pickupId;
+  private String certId;
   private ChainOption chainOption;
   private String keyPassword;
   private boolean fetchPrivateKey;

src/main/java/com/venafi/vcert/sdk/certificate/PEMCollection.java

@@ -41,12 +41,15 @@
 import org.bouncycastle.openssl.bc.BcPEMDecryptorProvider;
 import org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator;
 import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
+import org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8DecryptorProviderBuilder;
 import org.bouncycastle.openssl.jcajce.JcePEMEncryptorBuilder;
+import org.bouncycastle.operator.InputDecryptorProvider;
 import org.bouncycastle.operator.OperatorCreationException;
 import org.bouncycastle.operator.OutputEncryptor;
 import org.bouncycastle.pkcs.PKCS12PfxPdu;
 import org.bouncycastle.pkcs.PKCS12PfxPduBuilder;
 import org.bouncycastle.pkcs.PKCS12SafeBag;
+import org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo;
 import org.bouncycastle.pkcs.PKCSException;
 import org.bouncycastle.pkcs.jcajce.JcaPKCS12SafeBagBuilder;
 import org.bouncycastle.pkcs.jcajce.JcePKCS12MacCalculatorBuilder;
@@ -329,6 +332,14 @@ public static SecretKeySpec passwordToCipherSecretKey(char[] password, byte[] iv
     byte[] key = keyFactory.generateSecret(spec).getEncoded();
     return new SecretKeySpec(key, SECRET_KEY_ALGORITHM);
   }
+  
+  public static PrivateKey decryptPKCS8PrivateKey(PEMParser pemParser, String keyPassword) throws IOException, OperatorCreationException, PKCSException{
+	  PKCS8EncryptedPrivateKeyInfo encryptedPrivateKeyInfo = (PKCS8EncryptedPrivateKeyInfo) pemParser.readObject();
+	  InputDecryptorProvider pkcs8Prov = new JceOpenSSLPKCS8DecryptorProviderBuilder().build(keyPassword.toCharArray());
+	  JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider("BC");
+	  PrivateKeyInfo decryptedPrivateKeyInfo = encryptedPrivateKeyInfo.decryptPrivateKeyInfo(pkcs8Prov);
+	  return converter.getPrivateKey(decryptedPrivateKeyInfo);
+  }
 
   @Data
   public static class RawPrivateKey {

src/main/java/com/venafi/vcert/sdk/connectors/ConnectorException.java

@@ -6,6 +6,8 @@
 import static java.lang.String.format;
 
 import java.util.List;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
 
 import com.venafi.vcert.sdk.VCertException;
 import com.venafi.vcert.sdk.certificate.CsrOriginOption;
@@ -384,5 +386,57 @@ public CAOrGUIDNotProvidedException() {
 			super("CA template or GUID are not specified");
 		}
 	}
+	
+	public static class PolicyMatchException extends ConnectorException {
+		
+		private static final long serialVersionUID = 1L;
+		
+		private static String formatArrayToString(String[] arrayOfStrings) {
+			return Stream.of(arrayOfStrings).collect(Collectors.joining(",","[","]"));
+		}
+		
+		String policySpecificationAttribute;
+		String[] policySpecificationAttributeValues;
+		String policyAttribute;
+		String[] policyAttributeValues;
+		
+		public PolicyMatchException(String policySpecificationAttribute, String policySpecificationAttributeValues
+				, String policyAttribute, String[] policyAttributeValues) {
+			this(policySpecificationAttribute, new String[] {policySpecificationAttributeValues}, policyAttribute, policyAttributeValues);
+		}
+		
+		public PolicyMatchException(String policySpecificationAttribute, String[] policySpecificationAttributeValues
+				, String policyAttribute, String[] policyAttributeValues) {
+			
+			super(format("Specified %s %s, doesn't match with policy's specified %s %s"
+					, policySpecificationAttribute, formatArrayToString(policySpecificationAttributeValues)
+					, policyAttribute, formatArrayToString(policyAttributeValues)));
+			
+			this.policySpecificationAttribute = policySpecificationAttribute;
+			this.policySpecificationAttributeValues = policySpecificationAttributeValues;
+			this.policyAttribute = policyAttribute;
+			this.policyAttributeValues = policyAttributeValues;
+		}
+	}
+	
+	public static class UndeterminedCertIdException extends ConnectorException {
+		
+		private static final long serialVersionUID = 1L;
+		
+		public UndeterminedCertIdException() {
+			super("It wasn't possible to determine the certificate Id using the pickupId "
+					+ "or the thumbprint from the CertificateRequest.");
+		}
+	}
+	
+	public static class PickupIdOrThumbprintNotSetToGetCertIdException extends ConnectorException {
+		
+		private static final long serialVersionUID = 1L;
+		
+		public PickupIdOrThumbprintNotSetToGetCertIdException() {
+			super("It's not being provided neither the pickupId or thumbprint "
+					+ "in the CertificateRequest to determine the certificate Id.");
+		}
+	}
 
 }

src/main/java/com/venafi/vcert/sdk/connectors/cloud/Cloud.java

@@ -12,6 +12,7 @@
 import com.venafi.vcert.sdk.connectors.cloud.domain.Application;
 import com.venafi.vcert.sdk.connectors.cloud.domain.CertificateDetails;
 import com.venafi.vcert.sdk.connectors.cloud.domain.CertificateIssuingTemplate;
+import com.venafi.vcert.sdk.connectors.cloud.domain.EdgeEncryptionKey;
 import com.venafi.vcert.sdk.connectors.cloud.domain.UserDetails;
 import com.venafi.vcert.sdk.connectors.cloud.endpoint.*;
 import com.venafi.vcert.sdk.utils.FeignUtils;
@@ -58,7 +59,7 @@ CloudConnector.CertificateRequestsResponse certificateRequest(@Param("apiKey") S
 
   @Headers("tppl-api-key: {apiKey}")
   @RequestLine("GET /outagedetection/v1/certificates/{id}/contents?chainOrder={chainOrder}&format=PEM")
-  Response certificateViaCSR(@Param("id") String id, @Param("apiKey") String apiKey,
+  Response retrieveCertificate(@Param("id") String id, @Param("apiKey") String apiKey,
       @Param("chainOrder") String chainOrder);
 
   @Headers({"tppl-api-key: {apiKey}"})
@@ -100,6 +101,14 @@ Response certificateViaCSR(@Param("id") String id, @Param("apiKey") String apiKe
   @Headers({"tppl-api-key: {apiKey}", "Content-Type: application/json"})
   @RequestLine("PUT /outagedetection/v1/applications/{id}")
   Application updateApplication(Application application, @Param("id") String id, @Param("apiKey") String apiKey);
+  
+  @Headers({"tppl-api-key: {apiKey}"})
+  @RequestLine("GET /v1/edgeencryptionkeys/{id}")
+  EdgeEncryptionKey retrieveEdgeEncryptionKey(@Param("id") String id, @Param("apiKey") String apiKey);
+  
+  @Headers({"tppl-api-key: {apiKey}", "Content-Type: application/json"})
+  @RequestLine("POST /outagedetection/v1/certificates/{id}/keystore")
+  Response retrieveKeystore(@Param("id") String id, KeystoreRequest keystoreRequest, @Param("apiKey") String apiKey);
 
   static Cloud connect(String baseUrl) {
     return FeignUtils.client(Cloud.class,