Add subject alt names to CSR when local generated

Fix defaults for keyType, keyLength, keyCurve, signatureAlgorithm

Author: tr1ck3r

src/main/java/com/venafi/vcert/sdk/SignatureAlgorithm.java

@@ -6,7 +6,6 @@ public enum SignatureAlgorithm {
 
     UnknownSignatureAlgorithm(""),
     MD2withRSA("MD2withRSA"),
-
     MD5WithRSA("MD5withRSA"),
     SHA1WithRSA("SHA1withRSA"),
     SHA256WithRSA("SHA256withRSA"),

src/main/java/com/venafi/vcert/sdk/certificate/CertificateRequest.java

@@ -10,7 +10,14 @@
 import org.bouncycastle.asn1.x500.style.BCStyle;
 import org.bouncycastle.jce.PKCS10CertificationRequest;
 import org.bouncycastle.util.io.pem.PemReader;
-import java.util.Base64;
+import org.bouncycastle.asn1.x509.GeneralName;
+import org.bouncycastle.asn1.x509.GeneralNames;
+import org.bouncycastle.asn1.x509.X509Extension;
+import org.bouncycastle.asn1.x509.X509Extensions;
+import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
+import org.bouncycastle.asn1.pkcs.Attribute;
+import org.bouncycastle.asn1.DEROctetString;
+import org.bouncycastle.asn1.DERSet;
 
 import javax.security.auth.x500.X500Principal;
 import java.io.ByteArrayOutputStream;
@@ -25,6 +32,9 @@
 import java.util.Collection;
 import java.util.List;
 import java.util.Objects;
+import java.util.ArrayList;
+import java.util.Vector;
+import java.util.Base64;
 
 import static java.lang.String.format;
 import static java.time.temporal.ChronoUnit.MINUTES;
@@ -95,17 +105,42 @@ public void generatePrivateKey() throws VCertException {
 
     public void generateCSR() throws VCertException {
         try {
+            List<GeneralName> sans = new ArrayList<GeneralName>();
+
+            for ( String san : dnsNames ) {
+                sans.add(new GeneralName(GeneralName.dNSName, san));
+            }
+
+            for ( InetAddress san : ipAddresses ) {
+                sans.add(new GeneralName(GeneralName.iPAddress, new DEROctetString(san.getAddress())));
+            }
+
+            for ( String san : emailAddresses ) {
+                sans.add(new GeneralName(GeneralName.rfc822Name, san));
+            }
+
+            GeneralNames names = new GeneralNames(sans.toArray(new GeneralName[] {}));
+            Vector oids = new Vector();
+            Vector values = new Vector();
+
+            oids.add(X509Extensions.SubjectAlternativeName);
+            values.add(new X509Extension(false, new DEROctetString(names)));
+
+            X509Extensions extensions = new X509Extensions(oids, values);
+            Attribute attribute = new Attribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, new DERSet(extensions));
+
             PKCS10CertificationRequest certificationRequest = new PKCS10CertificationRequest(
                     signatureAlgorithm.standardName(),
                     subject.toX500Principal(),
                     keyPair.getPublic(),
-                    null,
+                    new DERSet(attribute),
                     keyPair.getPrivate());
 
             ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
             outputStream.write("-----BEGIN CERTIFICATE REQUEST-----".getBytes());
             outputStream.write(System.lineSeparator().getBytes());
-            outputStream.write(Base64.getEncoder().encode(certificationRequest.getEncoded()));
+            outputStream.write(Base64.getMimeEncoder().encode(certificationRequest.getEncoded()));
+            outputStream.write(System.lineSeparator().getBytes());
             outputStream.write("-----END CERTIFICATE REQUEST-----".getBytes());
             csr = outputStream.toByteArray();
         } catch(Exception e) {

src/main/java/com/venafi/vcert/sdk/certificate/PublicKeyAlgorithm.java

@@ -4,5 +4,6 @@ public enum PublicKeyAlgorithm {
     Unknown,
     RSA,
     DSA,
-    ECDSA
+    ECDSA,
+    EC
 }

src/main/java/com/venafi/vcert/sdk/connectors/ServerPolicy.java

@@ -145,7 +145,6 @@ public Policy toPolicy() {
     public ZoneConfiguration toZoneConfig() {
         return new ZoneConfiguration()
                 .customAttributeValues(new HashMap<>())
-                .hashAlgorithm(SignatureAlgorithm.MD2withRSA)
                 .country(subject.country().value())
                 .organization(subject.organization().value())
                 .organizationalUnit(subject.organizationalUnit().values())

src/main/java/com/venafi/vcert/sdk/connectors/cloud/CloudConnector.java

@@ -103,7 +103,7 @@ public CertificateRequest generateRequest(ZoneConfiguration config, CertificateR
                 request.csr(null);
                 break;
             default:
-                throw new VCertException(format("Unreconginised request CSR origin %s", request.csrOrigin()));
+                throw new VCertException(format("Unrecognized request CSR origin %s", request.csrOrigin()));
         }
 
         return request;
@@ -118,7 +118,7 @@ public String requestCertificate(CertificateRequest request, String zone) throws
             throw new VCertException("service generated CSR is not supported by Saas service");
         }
         if (user == null || user.company() == null) {
-            throw new VCertException("Must be autheticated to request a certificate");
+            throw new VCertException("Must be authenticated to request a certificate");
         }
         Zone z = getZoneByTag(zone);
         CertificateRequestsResponse response = cloud.certificateRequest(
@@ -141,7 +141,7 @@ public PEMCollection retrieveCertificate(CertificateRequest request) throws VCer
             String certificateRequestId = null;
             Cloud.CertificateSearchResponse certificateSearchResponse = searchCertificatesByFingerprint(request.thumbprint());
             if(certificateSearchResponse.certificates().size() == 0) {
-                throw new VCertException(format("No certifiate found using fingerprint %s", request.thumbprint()));
+                throw new VCertException(format("No certificate found using fingerprint %s", request.thumbprint()));
             }
 
             List<String> reqIds = new ArrayList<>();
@@ -195,7 +195,7 @@ public PEMCollection retrieveCertificate(CertificateRequest request) throws VCer
         }
 
         if(user == null || user.company() == null) {
-            throw new VCertException("Must be autheticated to retieve certificate");
+            throw new VCertException("Must be authenticated to retieve certificate");
         }
 
         if(isNotBlank(request.pickupId())) {

src/main/java/com/venafi/vcert/sdk/connectors/tpp/Tpp.java

@@ -82,7 +82,6 @@ class CertificateSearchResponse {
 
     @Data
     class Certificate {
-
         @SerializedName("DN") private String certificateRequestId;
     }
 

src/main/java/com/venafi/vcert/sdk/connectors/tpp/TppConnector.java

@@ -22,6 +22,7 @@
 import java.util.concurrent.TimeUnit;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
+import java.net.InetAddress;
 
 import static java.lang.String.format;
 import static java.time.Duration.ZERO;
@@ -134,7 +135,6 @@ public CertificateRequest generateRequest(ZoneConfiguration config, CertificateR
                 if("0".equals(config.customAttributeValues().get(tppAttributeManualCSR))) {
                     throw new VCertException("Unable to request certificate with user provided CSR when zone configuration is 'Manual Csr' = 0");
                 }
-                request.generatePrivateKey();
                 if(Is.blank(request.csr())) {
                     throw new VCertException("CSR was supposed to be provided by user, but it's empty");
                 }
@@ -164,11 +164,18 @@ private CertificateRequestsPayload prepareRequest(CertificateRequest request, St
         CertificateRequestsPayload payload;
         switch(request.csrOrigin()) {
             case LocalGeneratedCSR:
+                payload = new CertificateRequestsPayload()
+                    .policyDN(getPolicyDN(zone))
+                    .pkcs10(new String(request.csr()))
+                    .objectName(request.friendlyName())
+                    .disableAutomaticRenewal(true);
+                break;
             case UserProvidedCSR:
                 payload = new CertificateRequestsPayload()
                         .policyDN(getPolicyDN(zone))
                         .pkcs10(new String(request.csr()))
                         .objectName(request.friendlyName())
+                        .subjectAltNames(wrapAltNames(request))
                         .disableAutomaticRenewal(true);
                 break;
             case ServiceGeneratedCSR:
@@ -191,7 +198,7 @@ private CertificateRequestsPayload prepareRequest(CertificateRequest request, St
             }
             case ECDSA: {
                 payload.keyAlgorithm("ECC");
-                payload.ellipticCurve(request.keyCurve().name());
+                payload.ellipticCurve(request.keyCurve().value());
                 break;
             }
         }
@@ -212,7 +219,7 @@ private List<SANItem> toSanItems(Collection<?> collection, int type) {
                 .orElse(Collections.emptyList())
                 .stream()
                 .filter(Objects::nonNull)
-                .map(entry -> new SANItem().type(type).name(entry.toString()))
+                .map(entry -> new SANItem().type(type).name( type == 7 ? ((InetAddress)entry).getHostAddress() : entry.toString()) )
                 .collect(toList());
     }
 
@@ -224,7 +231,7 @@ public PEMCollection retrieveCertificate(CertificateRequest request) throws VCer
         if(isNotBlank(request.pickupId()) && isNotBlank(request.thumbprint())) {
             Tpp.CertificateSearchResponse searchResult = searchCertificatesByFingerprint(request.thumbprint());
             if(searchResult.certificates().size() == 0) {
-                throw new VCertException(format("No certifiate found using fingerprint %s", request.thumbprint()));
+                throw new VCertException(format("No certificate found using fingerprint %s", request.thumbprint()));
             }
             if(searchResult.certificates().size() > 1) {
                 throw new VCertException(format("Error: more than one CertificateRequestId was found with the same thumbprint %s", request.thumbprint()));
@@ -418,6 +425,7 @@ static class CertificateRequestsPayload {
         private String city;
         private String state;
         private String country;
+        @SerializedName("SubjectAltNames")
         private Collection<SANItem> subjectAltNames;
         private String contact;
         @SerializedName("CASpecificAttributes")

src/main/java/com/venafi/vcert/sdk/connectors/tpp/ZoneConfiguration.java

@@ -45,23 +45,42 @@ public void updateCertificateRequest(CertificateRequest request) {
         subject.country(Entity.of(subject.country(), country).resolve());
         subject.province(Entity.of(subject.province(), province).resolve());
         subject.locality(Entity.of(subject.locality(), locality).resolve());
-        if(hashAlgorithm != SignatureAlgorithm.UnknownSignatureAlgorithm) {
-            request.signatureAlgorithm(hashAlgorithm);
-        } else {
-            request.signatureAlgorithm(SignatureAlgorithm.SHA256WithRSA);
+
+       // apply defaults for settings that weren't specified and then make sure they comply with policy
+       if (request.keyType() == null) {
+            request.keyType(KeyType.defaultKeyType());
+        }
+
+        switch (request.keyType())
+        {
+            case ECDSA:
+                if (request.keyCurve() == null) {
+                    request.keyCurve(EllipticCurve.ellipticCurveDefault());
+                }
+                if (request.signatureAlgorithm() == SignatureAlgorithm.UnknownSignatureAlgorithm) {
+                    request.signatureAlgorithm(SignatureAlgorithm.ECDSAWithSHA256);
+                }
+                break;
+
+            default:
+                if (request.keyLength() < 2048) {
+                    request.keyLength(2048);
+                }
+                if (request.signatureAlgorithm() == SignatureAlgorithm.UnknownSignatureAlgorithm) {
+                    request.signatureAlgorithm(SignatureAlgorithm.SHA256WithRSA);
+                }
+                break;
         }
 
         if(!Is.blank(policy.allowedKeyConfigurations())) {
-            boolean foundMatch = false;
             for(AllowedKeyConfiguration keyConf : policy.allowedKeyConfigurations()) {
                 if(keyConf.keyType() == request.keyType()) {
-                    foundMatch = true;
                     switch (request.keyType()) {
                         case ECDSA: {
                             if(!Is.blank(keyConf.keyCurves())) {
-                                request.keyCurve(keyConf.keyCurves().get(0));
-                            } else {
-                                request.keyCurve(EllipticCurve.ellipticCurveDefault());
+                                if (!keyConf.keyCurves().contains(request.keyCurve())) {
+                                    request.keyCurve(keyConf.keyCurves().get(0));
+                                }
                             }
                             break;
                         }
@@ -74,47 +93,14 @@ public void updateCertificateRequest(CertificateRequest request) {
                                     }
                                 }
                                 if(!sizeOK) {
-                                    List<Integer> reversedKeySizes = new ArrayList<>(keyConf.keySizes()); // not reversing the original
-                                    reversedKeySizes.sort(Collections.reverseOrder());
-                                    request.keyLength(reversedKeySizes.get(0));
+                                    request.keyLength(keyConf.keySizes().get(0));
                                 }
-                            } else {
-                                request.keyLength(keyConf.keySizes().get(0));
                             }
                             break;
                         }
                     }
                 }
             }
-            if(!foundMatch) {
-                AllowedKeyConfiguration configuration = policy.allowedKeyConfigurations().get(0);
-                request.keyType(configuration.keyType());
-                switch (request.keyType()) {
-                    case ECDSA: {
-                        if(!Is.blank(configuration.keyCurves())) {
-                            request.keyCurve(configuration.keyCurves().get(0));
-                        } else {
-                            request.keyCurve(EllipticCurve.ellipticCurveDefault());
-                        }
-                        break;
-                    }
-                    case RSA: {
-                        if(!Is.blank(configuration.keySizes())) {
-                            List<Integer> reversedKeySizes = new ArrayList<>(configuration.keySizes());
-                            reversedKeySizes.sort(Comparator.reverseOrder());
-                            request.keyLength(reversedKeySizes.get(0));
-                        } else {
-                            request.keyLength(2048);
-                        }
-                        break;
-                    }
-                }
-            }
-        } else {
-            // Zone config has no key length parameters, so we just pass user's -key-size or fall to default 2048
-            if(KeyType.RSA.equals(request.keyType()) && request.keyLength() == 0) {
-                request.keyLength(2048);
-            }
         }
     }