Fix for issues #79, #80, #81, #82, #83 and #84

Author: marcos-albornoz

src/main/java/com/venafi/vcert/sdk/certificate/CertificateRequest.java

@@ -73,6 +73,7 @@ public class CertificateRequest {
   private int validityHours;
   private String issuerHint;
   private Collection<CustomField> customFields;
+  private DataFormat dataFormat;
 
   public CertificateRequest() {
     this.dnsNames = emptyList();
@@ -92,6 +93,10 @@ public ChainOption chainOption() {
   public PrivateKey privateKey() {
     return (!Objects.isNull(keyPair)) ? keyPair.getPrivate() : null;
   }
+  
+  public DataFormat dataFormat() {
+	  return (!Objects.isNull(dataFormat)) ? dataFormat : DataFormat.PKCS8;
+  }
 
   public void generatePrivateKey() throws VCertException {
     if (keyPair != null) {

src/main/java/com/venafi/vcert/sdk/certificate/DataFormat.java

@@ -0,0 +1,25 @@
+/**
+ * 
+ */
+package com.venafi.vcert.sdk.certificate;
+
+/**
+ * @author Marcos E. Albornoz
+ *
+ */
+public enum DataFormat {
+	
+	LEGACY("LEGACY"), PKCS8("PKCS#8");
+	
+	private String id;
+	
+	DataFormat(String id) {
+		this.id = id;
+	}
+
+	@Override
+	public String toString() {
+		return id.toString();
+	}
+
+}

src/main/java/com/venafi/vcert/sdk/certificate/PEMCollection.java

@@ -34,14 +34,18 @@
 import org.bouncycastle.cert.X509CertificateHolder;
 import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
 import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.bouncycastle.openssl.PEMEncryptedKeyPair;
 import org.bouncycastle.openssl.PEMEncryptor;
+import org.bouncycastle.openssl.PEMException;
 import org.bouncycastle.openssl.PEMKeyPair;
 import org.bouncycastle.openssl.PEMParser;
 import org.bouncycastle.openssl.bc.BcPEMDecryptorProvider;
 import org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator;
 import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
+import org.bouncycastle.openssl.jcajce.JcaPKCS8Generator;
 import org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8DecryptorProviderBuilder;
+import org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8EncryptorBuilder;
 import org.bouncycastle.openssl.jcajce.JcePEMEncryptorBuilder;
 import org.bouncycastle.operator.InputDecryptorProvider;
 import org.bouncycastle.operator.OperatorCreationException;
@@ -55,6 +59,7 @@
 import org.bouncycastle.pkcs.jcajce.JcePKCS12MacCalculatorBuilder;
 import org.bouncycastle.pkcs.jcajce.JcePKCSPBEOutputEncryptorBuilder;
 import org.bouncycastle.util.io.pem.PemObject;
+import org.bouncycastle.util.io.pem.PemObjectGenerator;
 import org.bouncycastle.util.io.pem.PemWriter;
 import lombok.Data;
 import com.venafi.vcert.sdk.VCertException;
@@ -79,35 +84,52 @@ public class PEMCollection {
   private PrivateKey privateKey;
   private String privateKeyPassword;
   private List<X509Certificate> chain = new ArrayList<>();
-
+  private DataFormat dataFormat;
+  
+  /**
+   * @deprecated Use {@link #fromStringPEMCollection(String, ChainOption, PrivateKey, String) } instead of it.
+   * @param body
+   * @param chainOption
+   * @param privateKey
+   * @param privateKeyPassword
+   * @return
+   * @throws VCertException
+   */
   public static PEMCollection fromResponse(String body, ChainOption chainOption,
-      PrivateKey privateKey, String privateKeyPassword) throws VCertException {
+	      PrivateKey privateKey, String privateKeyPassword) throws VCertException {
+	  return fromStringPEMCollection(body, chainOption, privateKey, privateKeyPassword);
+  }
+  
+  public static PEMCollection fromStringPEMCollection(String stringPemCollection, ChainOption chainOption,
+	      PrivateKey privateKey, String privateKeyPassword) throws VCertException {
+	  return fromStringPEMCollection(stringPemCollection, chainOption, privateKey, privateKeyPassword, DataFormat.PKCS8);
+  }
+
+  public static PEMCollection fromStringPEMCollection(String stringPemCollection, ChainOption chainOption,
+      PrivateKey privateKey, String privateKeyPassword, DataFormat dataFormat) throws VCertException {
     List<X509Certificate> chain = new ArrayList<>();
 
-    PEMParser pemParser = new PEMParser(new StringReader(body));
+    //1. Extracting the Certificates and PrivateKey
+    PEMParser pemParser = new PEMParser(new StringReader(stringPemCollection));
     JcaX509CertificateConverter certificateConverter = new JcaX509CertificateConverter();
-    JcaPEMKeyConverter keyConverter = new JcaPEMKeyConverter();
     try {
       Object object = pemParser.readObject();
       while (object != null) {
         if (object instanceof X509CertificateHolder) {
           Certificate certificate =
               certificateConverter.getCertificate((X509CertificateHolder) object);
           chain.add((X509Certificate) certificate);
-        } else if (object instanceof PEMKeyPair) {
-          privateKey = keyConverter.getPrivateKey(((PEMKeyPair) object).getPrivateKeyInfo());
-        } else if (object instanceof PEMEncryptedKeyPair) {
-          PEMKeyPair keyPair = ((PEMEncryptedKeyPair) object).decryptKeyPair(
-            new BcPEMDecryptorProvider(privateKeyPassword.toCharArray()));
-          privateKey = keyConverter.getPrivateKey(keyPair.getPrivateKeyInfo());
+        } else {
+        	privateKey = parsePrivateKey(object, privateKeyPassword);
         }
 
         object = pemParser.readObject();
       }
-    } catch (IOException | CertificateException e) {
+    } catch (IOException | CertificateException | PKCSException | OperatorCreationException e) {
       throw new VCertException("Unable to parse certificate from response", e);
     }
 
+    //2. Ordering the Certificates chain
     PEMCollection pemCollection;
     if (chain.size() > 0) {
       switch (chainOption) {
@@ -135,6 +157,7 @@ public static PEMCollection fromResponse(String body, ChainOption chainOption,
     }
     pemCollection.privateKey(privateKey);
     pemCollection.privateKeyPassword(privateKeyPassword);
+    pemCollection.dataFormat(dataFormat);
 
     return pemCollection;
   }
@@ -162,20 +185,38 @@ public String pemPrivateKey() {
 
     ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
     try (PemWriter pemWriter = new PemWriter(new OutputStreamWriter(outputStream))) {
-      PEMEncryptor encryptor = null;
-
-      if (privateKeyPassword != null) {
-        encryptor = new JcePEMEncryptorBuilder(BOUNCY_CASTLE_ENCRYPTION_ALGORITHM)
-          .build(privateKeyPassword.toCharArray());
-      }
-
-      JcaMiscPEMGenerator gen = new JcaMiscPEMGenerator(this.privateKey, encryptor);
-      pemWriter.writeObject(gen.generate());
-    } catch (IOException e) {
+    	pemWriter.writeObject(getPemObjectGenerator(privateKey, privateKeyPassword));
+    } catch (IOException | OperatorCreationException e) {
       throw new RuntimeException(e);
     }
     return new String(outputStream.toByteArray());
   }
+  
+  private PemObjectGenerator getPemObjectGenerator(PrivateKey privateKey, String password) throws OperatorCreationException, IOException {
+	  
+	  boolean toEncrypt = (privateKeyPassword != null && privateKeyPassword.length() > 0);
+
+	  if (dataFormat == DataFormat.PKCS8) {
+		  OutputEncryptor encryptor = null;
+		  if (toEncrypt) {
+			  encryptor = new JceOpenSSLPKCS8EncryptorBuilder(PKCSObjectIdentifiers.pbeWithSHAAnd3_KeyTripleDES_CBC)
+					  .setProvider(BouncyCastleProvider.PROVIDER_NAME)
+					  .setRandom(new SecureRandom())
+					  .setPassword(privateKeyPassword.toCharArray())
+					  .build();
+		  }
+
+		  return new JcaPKCS8Generator(privateKey, encryptor);
+	  } else {
+		  PEMEncryptor encryptor = null;
+		  if (toEncrypt) {
+			  encryptor = new JcePEMEncryptorBuilder(BOUNCY_CASTLE_ENCRYPTION_ALGORITHM)
+					  .build(privateKeyPassword.toCharArray());
+		  }
+
+		  return new JcaMiscPEMGenerator(this.privateKey, encryptor);
+	  }
+  }
 
   public String pemCertificateChain() {
     StringBuilder pem = new StringBuilder();
@@ -335,11 +376,53 @@ public static SecretKeySpec passwordToCipherSecretKey(char[] password, byte[] iv
 
   public static PrivateKey decryptPKCS8PrivateKey(PEMParser pemParser, String keyPassword) throws IOException, OperatorCreationException, PKCSException{
 	  PKCS8EncryptedPrivateKeyInfo encryptedPrivateKeyInfo = (PKCS8EncryptedPrivateKeyInfo) pemParser.readObject();
+	  return decryptPKCS8PrivateKey(encryptedPrivateKeyInfo, keyPassword);
+  }
+  
+  public static PrivateKey decryptPKCS8PrivateKey(PKCS8EncryptedPrivateKeyInfo encryptedPrivateKeyInfo, String keyPassword) throws PEMException, OperatorCreationException, PKCSException{
 	  InputDecryptorProvider pkcs8Prov = new JceOpenSSLPKCS8DecryptorProviderBuilder().build(keyPassword.toCharArray());
 	  JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider("BC");
 	  PrivateKeyInfo decryptedPrivateKeyInfo = encryptedPrivateKeyInfo.decryptPrivateKeyInfo(pkcs8Prov);
 	  return converter.getPrivateKey(decryptedPrivateKeyInfo);
   }
+  
+  /**
+   * This method returns the PrivateKey from the Object passed as argument. which was read by {@link PEMParser#readObject()}
+   * @param object The managed types are {@link org.bouncycastle.openssl.PEMKeyPair PEMKeyPair}
+   * , {@link org.bouncycastle.openssl.PEMEncryptedKeyPair PEMEncryptedKeyPair} 
+   * and {@link org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo PKCS8EncryptedPrivateKeyInfo}. These kind of objects are returned 
+   * by {@link PEMParser#readObject()} when it reads a PEM PrivateKey.
+   * @param privateKeyPassword Only required if the object is a wrapper of an encrypted private key
+   * ({@link org.bouncycastle.openssl.PEMEncryptedKeyPair PEMEncryptedKeyPair} or {@link org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo PKCS8EncryptedPrivateKeyInfo})
+   * @return returns the PrivateKey decrypted. Null if the object argument was not one of the expected types.
+   * @throws IOException
+   * @throws OperatorCreationException
+   * @throws PKCSException
+   */
+  private static PrivateKey parsePrivateKey(Object object, String privateKeyPassword) throws IOException, OperatorCreationException, PKCSException {
+	  PrivateKey privateKey = null;
+	  //If it's an RSA Private Key instance
+	  if (object instanceof PEMKeyPair) {
+		  privateKey = getPrivateKey((PEMKeyPair)object);
+	  } else {
+		  //If it's an Encrypted RSA/EC Private Key instance
+		  if (object instanceof PEMEncryptedKeyPair) {
+			  PEMKeyPair keyPair = ((PEMEncryptedKeyPair) object).decryptKeyPair(
+					  new BcPEMDecryptorProvider(privateKeyPassword.toCharArray()));
+			  privateKey = getPrivateKey(keyPair);
+		  } else {
+			  //If it's an Encrypted PKCS#8 Private Key instance
+			  if (object instanceof PKCS8EncryptedPrivateKeyInfo) {
+				  privateKey = decryptPKCS8PrivateKey((PKCS8EncryptedPrivateKeyInfo)object, privateKeyPassword);
+			  }
+		  }
+	  }
+	  return privateKey;
+  }
+  
+  private static PrivateKey getPrivateKey(PEMKeyPair keyPair) throws PEMException {
+	  return new JcaPEMKeyConverter().getPrivateKey(keyPair.getPrivateKeyInfo());
+  }
 
   @Data
   public static class RawPrivateKey {

src/main/java/com/venafi/vcert/sdk/connectors/ServerPolicy.java

@@ -120,7 +120,7 @@ public Policy toPolicy() {
     if (keyPair.keyAlgorithm().locked()) {
       KeyType keyType = KeyType.from(keyPair.keyAlgorithm().value());
       AllowedKeyConfiguration key =
-          new AllowedKeyConfiguration().keyType(keyType).keySizes(new ArrayList<>());
+          new AllowedKeyConfiguration().keyType(keyType).keySizes(new ArrayList<Integer>()).keyCurves(new ArrayList<EllipticCurve>());
       if (KeyType.RSA.equals(keyType)) {
         if (keyPair.keySize().locked()) {
           for (Integer keySize : KeyType.allSupportedKeySizes()) {

src/main/java/com/venafi/vcert/sdk/connectors/cloud/Cloud.java

@@ -110,17 +110,22 @@ Response retrieveCertificate(@Param("id") String id, @Param("apiKey") String api
   @RequestLine("POST /outagedetection/v1/certificates/{id}/keystore")
   Response retrieveKeystore(@Param("id") String id, KeystoreRequest keystoreRequest, @Param("apiKey") String apiKey);
 
+  static Cloud connect() {
+	  return connect((Config)null);
+  }
+
   static Cloud connect(String baseUrl) {
-    return FeignUtils.client(Cloud.class, 
-        Config.builder().baseUrl(
-          normalizeUrl(isNotBlank(baseUrl) ? baseUrl : "https://api.venafi.cloud")).build());
+	  return connect(Config.builder().baseUrl(baseUrl).build());
   }
 
   static Cloud connect(Config config) {
-    config.baseUrl(
-        normalizeUrl(isNotBlank(config.baseUrl()) ? config.baseUrl() : "https://api.venafi.cloud"));
 
-    return FeignUtils.client(Cloud.class, config);
+	  if(config == null)
+		  config =  Config.builder().build();
+
+	  config.baseUrl(isNotBlank(config.baseUrl()) ? normalizeUrl(config.baseUrl()) : "https://api.venafi.cloud/");
+
+	  return FeignUtils.client(Cloud.class, config);
   }
 
   static String normalizeUrl(String url) {

src/main/java/com/venafi/vcert/sdk/connectors/cloud/CloudConnector.java

@@ -330,13 +330,12 @@ private String getCertificateIdFromPickupId(CertificateRequest request) throws V
 		  try {
 			  TimeUnit.SECONDS.sleep(2);
 		  } catch (InterruptedException e) {
-			  e.printStackTrace();
 			  throw new AttemptToRetryException(e);
 		  }
 	  }
 
 	  if (user == null || user.company() == null) {
-		  throw new UserNotAuthenticatedException("Must be authenticated to retieve certificate");
+		  throw new UserNotAuthenticatedException("Must be authenticated to retrieve certificate");
 	  }
 
 	  if(certificateStatus == null) {
@@ -403,7 +402,7 @@ private PEMCollection retrieveCertificateAsPemCollectionFromCSRProvided(Certific
 		  }
 	  }
 
-	  return PEMCollection.fromResponse(
+	  return PEMCollection.fromStringPEMCollection(
 			  certificateAsPemString, 
 			  request.chainOption(), 
 			  request.privateKey(),
@@ -434,7 +433,7 @@ private PEMCollection retrieveCertificateAsPemCollectionFromCSRServiceGenerated(
 		  throw new VCertException(e);
 	  }
 
-	  return CloudConnectorUtils.getPEMCollectionFromKeyStoreAsStream(keyStoreAsStream, request.chainOption(), request.keyPassword());
+	  return CloudConnectorUtils.getPEMCollectionFromKeyStoreAsStream(keyStoreAsStream, request.chainOption(), request.keyPassword(), request.dataFormat());
   }
 
   /**

src/main/java/com/venafi/vcert/sdk/connectors/cloud/CloudConnectorUtils.java

@@ -3,6 +3,7 @@
 import com.venafi.vcert.sdk.VCertException;
 import com.venafi.vcert.sdk.certificate.CertificateRequest;
 import com.venafi.vcert.sdk.certificate.ChainOption;
+import com.venafi.vcert.sdk.certificate.DataFormat;
 import com.venafi.vcert.sdk.certificate.PEMCollection;
 import com.venafi.vcert.sdk.connectors.ConnectorException.PolicyMatchException;
 import com.venafi.vcert.sdk.connectors.cloud.CloudConnector.CsrAttributes;
@@ -389,7 +390,7 @@ public static String getVaaSChainOption(ChainOption chainOption) {
     	}
     }
 
-    public static PEMCollection getPEMCollectionFromKeyStoreAsStream(InputStream keyStoreAsInputStream, ChainOption chainOption, String keyPassword) throws VCertException {
+    public static PEMCollection getPEMCollectionFromKeyStoreAsStream(InputStream keyStoreAsInputStream, ChainOption chainOption, String keyPassword, DataFormat dataFormat) throws VCertException {
     	String certificateAsPem = null;
 
     	String pemFileSuffix = null;
@@ -406,22 +407,25 @@ public static PEMCollection getPEMCollectionFromKeyStoreAsStream(InputStream key
     		while ((zipEntry = zis.getNextEntry())!= null) {
     			String fileName = zipEntry.getName();
     			if(fileName.endsWith(".key")) {
+    				//Getting the PrivateKey in PKCS8 and decrypting it
     				PEMParser pemParser = new PEMParser(new InputStreamReader(zis));
     				privateKey = PEMCollection.decryptPKCS8PrivateKey(pemParser, keyPassword);
     			} else {
-    				if(fileName.endsWith(pemFileSuffix)) 
+    				if(fileName.endsWith(pemFileSuffix)) {
     					certificateAsPem = new String(zis.readAllBytes());
+    				}
     			}
     		}
     	} catch (Exception e) {
     		throw new VCertException(e);
     	}
 
-    	return PEMCollection.fromResponse(
+    	return PEMCollection.fromStringPEMCollection(
     			certificateAsPem, 
     			chainOption, 
     			privateKey,
-    			keyPassword);
+    			keyPassword,
+    			dataFormat);
     }
 
     @Data

src/main/java/com/venafi/vcert/sdk/connectors/tpp/AbstractTppConnector.java

@@ -36,6 +36,8 @@ public abstract class AbstractTppConnector {
     protected static final String MISSING_ACCESS_TOKEN_MESSAGE = FAILED_TO_AUTHENTICATE_MESSAGE + "missing access token";
     protected static final String TPP_ATTRIBUTE_MANAGEMENT_TYPE = "Management Type";
     protected static final String TPP_ATTRIBUTE_MANUAL_CSR = "Manual Csr";
+    protected static final String LEGACY_DATA_FORMAT = "base64";
+    protected static final String PKCS8_DATA_FORMAT = "base64 (PKCS #8)";
 
     // TODO can be enum
     @SuppressWarnings("serial")