Polishing.

Reorder methods. Reformat code. Add since tags. Convert revocation timestamp into instant.

See: gh-477
Original pull request: gh-820

Author: mp911de

spring-vault-core/src/main/java/org/springframework/vault/core/VaultPkiOperations.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2022 the original author or authors.
+ * Copyright 2016-2023 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -36,6 +36,7 @@
  * provide the verification functionality.
  *
  * @author Mark Paluch
+ * @author Nanne Baars
  * @see <a href=
  * "https://www.vaultproject.io/docs/secrets/pki/index.html">https://www.vaultproject.io/docs/secrets/pki/index.html</a>
  */
@@ -66,10 +67,10 @@ VaultCertificateResponse issueCertificate(String roleName, VaultCertificateReque
 	 * @param certificateRequest must not be {@literal null}.
 	 * @return the {@link VaultCertificateResponse} containing a
 	 * {@link org.springframework.vault.support.Certificate} .
-	 * @since 2.0
 	 * @see <a href=
 	 * "https://www.vaultproject.io/docs/secrets/pki/index.html#pki-issue">POST
 	 * /pki/sign/[role name]</a>
+	 * @since 2.0
 	 */
 	VaultSignCertificateRequestResponse signCertificateRequest(String roleName, String csr,
 			VaultCertificateRequest certificateRequest) throws VaultException;
@@ -79,10 +80,10 @@ VaultSignCertificateRequestResponse signCertificateRequest(String roleName, Stri
 	 * standard method of revoking using Vault lease IDs. A successful revocation will
 	 * rotate the CRL
 	 * @param serialNumber must not be empty or {@literal null}.
-	 * @since 2.0
 	 * @see <a href=
 	 * "https://www.vaultproject.io/docs/secrets/pki/index.html#revoke-certificate">POST
 	 * /pki/revoke</a>
+	 * @since 2.0
 	 */
 	void revoke(String serialNumber) throws VaultException;
 
@@ -96,43 +97,56 @@ VaultSignCertificateRequestResponse signCertificateRequest(String roleName, Stri
 	 * is {@literal null}.
 	 * @return {@link java.io.InputStream} containing the encoded CRL or {@literal null}
 	 * if Vault responds with 204 No Content.
-	 * @since 2.0
 	 * @see <a href="https://www.vaultproject.io/api/secret/pki/index.html#read-crl">GET
 	 * /pki/crl</a>
+	 * @since 2.0
 	 */
 	@Nullable
 	InputStream getCrl(Encoding encoding) throws VaultException;
 
-	enum Encoding {
-
-		DER, PEM,
-
-	}
-
 	/**
-	 * Retrieves the specified issuer's certificate. Includes the full ca_chain of the
-	 * issuer.
+	 * Retrieves the specified issuer's certificate. Includes the full {@code ca_chain} of
+	 * the issuer.
 	 * @param issuer reference to an existing issuer, either by Vault-generated
-	 * identifier, or the name assigned to an issuer. Pass the literal string 'default' to
-	 * refer to the currently configured issuer.
+	 * identifier, or the name assigned to an issuer. Pass the literal string
+	 * {@code default} to refer to the currently configured issuer.
 	 * @return the {@link VaultIssuerCertificateRequestResponse} containing a
 	 * {@link org.springframework.vault.support.Certificate}
 	 * @see <a href=
 	 * "https://www.vaultproject.io/api/secret/pki/#read-issuer-certificate">GET *
 	 * /pki/issuer/:issuer_ref/json</a>
-	 *
+	 * @since 3.1
 	 */
 	VaultIssuerCertificateRequestResponse getIssuerCertificate(String issuer) throws VaultException;
 
 	/**
-	 * Retrieves the specified issuer's certificate. Includes the full ca_chain of the
-	 * issuer.
-	 * @return {@link java.io.InputStream} containing the encoded certificate or
-	 * {@literal null}
+	 * Retrieves the specified issuer's certificate. Includes the full {@code ca_chain} of
+	 * the issuer.
+	 * @param issuer reference to an existing issuer, either by Vault-generated
+	 * identifier, or the name assigned to an issuer. Pass the literal string
+	 * {@code default} to refer to the currently configured issuer.
+	 * @param encoding encoding to use.
+	 * @return {@link java.io.InputStream} containing the encoded certificate.
 	 * @see <a href=
 	 * "https://www.vaultproject.io/api/secret/pki/#read-issuer-certificate">GET
 	 * /pki/issuer/:issuer_ref/{der, pem}</a>
+	 * @since 3.1
 	 */
 	InputStream getIssuerCertificate(String issuer, Encoding encoding) throws VaultException;
 
+	enum Encoding {
+
+		/**
+		 * DER (Distinguished Encoding Rules) format in its binary representation, see
+		 * X.690.
+		 */
+		DER,
+
+		/**
+		 * Privacy-Enhanced Mail (PEM) format in base64.
+		 */
+		PEM;
+
+	}
+
 }

spring-vault-core/src/main/java/org/springframework/vault/core/VaultPkiTemplate.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2022 the original author or authors.
+ * Copyright 2016-2023 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -17,9 +17,11 @@
 
 import java.io.ByteArrayInputStream;
 import java.io.InputStream;
+import java.time.Instant;
 import java.time.temporal.ChronoUnit;
 import java.util.Collections;
 import java.util.HashMap;
+import java.util.Locale;
 import java.util.Map;
 import org.springframework.http.ResponseEntity;
 import org.springframework.util.Assert;
@@ -165,12 +167,14 @@ public VaultIssuerCertificateRequestResponse getIssuerCertificate(String issuer)
 
 	@Override
 	public InputStream getIssuerCertificate(String issuer, Encoding encoding) throws VaultException {
+
 		Assert.hasText(issuer, "Issuer must not be empty");
 		Assert.notNull(encoding, "Encoding must not be null");
 
 		return this.vaultOperations.doWithSession(restOperations -> {
 
-			String requestPath = encoding == Encoding.DER ? "{path}/issuer/{issuer}/der" : "{path}/issuer/{issuer}/pem";
+			String requestPath = String.format("{path}/issuer/{issuer}/%s", encoding.name().toLowerCase(Locale.ROOT));
+
 			try {
 				ResponseEntity<byte[]> response = restOperations.getForEntity(requestPath, byte[].class, this.path,
 						issuer);
@@ -224,7 +228,7 @@ private static Map<String, Object> createIssueRequest(VaultCertificateRequest ce
 			.to("exclude_cn_from_sans", request);
 		mapper.from(certificateRequest::getFormat).whenHasText().to("format", request);
 		mapper.from(certificateRequest::getPrivateKeyFormat).whenHasText().to("private_key_format", request);
-		mapper.from(certificateRequest::getNotAfter).whenHasText().as(i -> i.toString()).to("not_after", request);
+		mapper.from(certificateRequest::getNotAfter).whenHasText().as(Instant::toString).to("not_after", request);
 		mapper.from(certificateRequest::getUserIds).whenHasText().to("user_ids", request);
 
 		return request;

spring-vault-core/src/main/java/org/springframework/vault/support/Certificate.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2017-2022 the original author or authors.
+ * Copyright 2017-2023 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -20,6 +20,7 @@
 import java.security.KeyStore;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
+import java.time.Instant;
 import java.util.ArrayList;
 import java.util.List;
 
@@ -36,9 +37,9 @@
  * encoded. Certificates can be obtained as {@link X509Certificate}.
  *
  * @author Mark Paluch
- * @since 2.0
  * @see #getX509Certificate()
  * @see #getIssuingCaCertificate()
+ * @since 2.0
  */
 public class Certificate {
 
@@ -50,17 +51,18 @@ public class Certificate {
 
 	private final List<String> caChain;
 
-	private final Long revocationTime;
+	@Nullable
+	private final Instant revocationTime;
 
 	Certificate(@JsonProperty("serial_number") String serialNumber, @JsonProperty("certificate") String certificate,
 			@JsonProperty("issuing_ca") String issuingCaCertificate, @JsonProperty("ca_chain") List<String> caChain,
-			@JsonProperty("revocation_time") Long revocationTime) {
+			@Nullable @JsonProperty("revocation_time") Long revocationTime) {
 
 		this.serialNumber = serialNumber;
 		this.certificate = certificate;
 		this.issuingCaCertificate = issuingCaCertificate;
 		this.caChain = caChain;
-		this.revocationTime = revocationTime;
+		this.revocationTime = revocationTime != null ? Instant.ofEpochMilli(revocationTime * 1000) : null;
 	}
 
 	/**
@@ -87,7 +89,8 @@ public static Certificate of(String serialNumber, String certificate, String iss
 	 * @param certificate must not be empty or {@literal null}.
 	 * @param issuingCaCertificate must not be empty or {@literal null}.
 	 * @param caChain empty list allowed
-	 * @return the {@link Certificate}
+	 * @return the {@link Certificate}.
+	 * @since 3.1
 	 */
 	public static Certificate of(String serialNumber, String certificate, String issuingCaCertificate,
 			List<String> caChain) {
@@ -107,8 +110,9 @@ public static Certificate of(String serialNumber, String certificate, String iss
 	 * @param certificate must not be empty or {@literal null}.
 	 * @param issuingCaCertificate must not be empty or {@literal null}.
 	 * @param caChain empty list allowed
-	 * @param revocationTime revocation time, must not be {@literal null}
-	 * @return the {@link Certificate}
+	 * @param revocationTime revocation time, must not be {@literal null}.
+	 * @return the {@link Certificate}.
+	 * @since 3.1
 	 */
 	public static Certificate of(String serialNumber, String certificate, String issuingCaCertificate,
 			List<String> caChain, Long revocationTime) {
@@ -250,8 +254,13 @@ public List<X509Certificate> getX509IssuerCertificates() {
 		return certificates;
 	}
 
-	public @Nullable Long getRevocationTime() {
+	@Nullable
+	public Instant getRevocationTime() {
 		return this.revocationTime;
 	}
 
+	public boolean isRevoked() {
+		return this.revocationTime != null;
+	}
+
 }