Add notAfter and userIds to the certificate request.

Closes: gh-477
Original pull request: gh-820

Author: Nanne Baars

spring-vault-core/src/main/java/org/springframework/vault/core/VaultPkiOperations.java

@@ -22,6 +22,7 @@
 import org.springframework.vault.support.CertificateBundle;
 import org.springframework.vault.support.VaultCertificateRequest;
 import org.springframework.vault.support.VaultCertificateResponse;
+import org.springframework.vault.support.VaultIssuerCertificateRequestResponse;
 import org.springframework.vault.support.VaultSignCertificateRequestResponse;
 
 /**
@@ -108,4 +109,30 @@ enum Encoding {
 
 	}
 
+	/**
+	 * Retrieves the specified issuer's certificate. Includes the full ca_chain of the
+	 * issuer.
+	 * @param issuer reference to an existing issuer, either by Vault-generated
+	 * identifier, or the name assigned to an issuer. Pass the literal string 'default' to
+	 * refer to the currently configured issuer.
+	 * @return the {@link VaultIssuerCertificateRequestResponse} containing a
+	 * {@link org.springframework.vault.support.Certificate}
+	 * @see <a href=
+	 * "https://www.vaultproject.io/api/secret/pki/#read-issuer-certificate">GET *
+	 * /pki/issuer/:issuer_ref/json</a>
+	 *
+	 */
+	VaultIssuerCertificateRequestResponse getIssuerCertificate(String issuer) throws VaultException;
+
+	/**
+	 * Retrieves the specified issuer's certificate. Includes the full ca_chain of the
+	 * issuer.
+	 * @return {@link java.io.InputStream} containing the encoded certificate or
+	 * {@literal null}
+	 * @see <a href=
+	 * "https://www.vaultproject.io/api/secret/pki/#read-issuer-certificate">GET
+	 * /pki/issuer/:issuer_ref/{der, pem}</a>
+	 */
+	InputStream getIssuerCertificate(String issuer, Encoding encoding) throws VaultException;
+
 }

spring-vault-core/src/main/java/org/springframework/vault/core/VaultPkiTemplate.java

@@ -21,15 +21,14 @@
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
-
-import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
 import org.springframework.vault.VaultException;
 import org.springframework.vault.client.VaultResponses;
 import org.springframework.vault.support.VaultCertificateRequest;
 import org.springframework.vault.support.VaultCertificateResponse;
+import org.springframework.vault.support.VaultIssuerCertificateRequestResponse;
 import org.springframework.vault.support.VaultSignCertificateRequestResponse;
 import org.springframework.web.client.HttpStatusCodeException;
 
@@ -147,6 +146,47 @@ public InputStream getCrl(Encoding encoding) throws VaultException {
 		});
 	}
 
+	@Override
+	public VaultIssuerCertificateRequestResponse getIssuerCertificate(String issuer) throws VaultException {
+
+		Assert.hasText(issuer, "Issuer must not be empty");
+
+		return this.vaultOperations.doWithSession(restOperations -> {
+
+			try {
+				return restOperations.getForObject("{path}/issuer/{issuer}/json",
+						VaultIssuerCertificateRequestResponse.class, this.path, issuer);
+			}
+			catch (HttpStatusCodeException e) {
+				throw VaultResponses.buildException(e);
+			}
+		});
+	}
+
+	@Override
+	public InputStream getIssuerCertificate(String issuer, Encoding encoding) throws VaultException {
+		Assert.hasText(issuer, "Issuer must not be empty");
+		Assert.notNull(encoding, "Encoding must not be null");
+
+		return this.vaultOperations.doWithSession(restOperations -> {
+
+			String requestPath = encoding == Encoding.DER ? "{path}/issuer/{issuer}/der" : "{path}/issuer/{issuer}/pem";
+			try {
+				ResponseEntity<byte[]> response = restOperations.getForEntity(requestPath, byte[].class, this.path,
+						issuer);
+
+				if (response.getStatusCode().is2xxSuccessful() && response.hasBody()) {
+					return new ByteArrayInputStream(response.getBody());
+				}
+
+				return null;
+			}
+			catch (HttpStatusCodeException e) {
+				throw VaultResponses.buildException(e);
+			}
+		});
+	}
+
 	/**
 	 * Create a request body stub for {@code pki/issue} and {@code pki/sign} from
 	 * {@link VaultCertificateRequest}.
@@ -184,6 +224,8 @@ private static Map<String, Object> createIssueRequest(VaultCertificateRequest ce
 			.to("exclude_cn_from_sans", request);
 		mapper.from(certificateRequest::getFormat).whenHasText().to("format", request);
 		mapper.from(certificateRequest::getPrivateKeyFormat).whenHasText().to("private_key_format", request);
+		mapper.from(certificateRequest::getNotAfter).whenHasText().as(i -> i.toString()).to("not_after", request);
+		mapper.from(certificateRequest::getUserIds).whenHasText().to("user_ids", request);
 
 		return request;
 	}

spring-vault-core/src/main/java/org/springframework/vault/support/Certificate.java

@@ -25,6 +25,7 @@
 
 import com.fasterxml.jackson.annotation.JsonProperty;
 
+import org.springframework.lang.Nullable;
 import org.springframework.util.Assert;
 import org.springframework.util.Base64Utils;
 import org.springframework.vault.VaultException;
@@ -47,12 +48,19 @@ public class Certificate {
 
 	private final String issuingCaCertificate;
 
+	private final List<String> caChain;
+
+	private final Long revocationTime;
+
 	Certificate(@JsonProperty("serial_number") String serialNumber, @JsonProperty("certificate") String certificate,
-			@JsonProperty("issuing_ca") String issuingCaCertificate) {
+			@JsonProperty("issuing_ca") String issuingCaCertificate, @JsonProperty("ca_chain") List<String> caChain,
+			@JsonProperty("revocation_time") Long revocationTime) {
 
 		this.serialNumber = serialNumber;
 		this.certificate = certificate;
 		this.issuingCaCertificate = issuingCaCertificate;
+		this.caChain = caChain;
+		this.revocationTime = revocationTime;
 	}
 
 	/**
@@ -69,7 +77,49 @@ public static Certificate of(String serialNumber, String certificate, String iss
 		Assert.hasText(certificate, "Certificate must not be empty");
 		Assert.hasText(issuingCaCertificate, "Issuing CA certificate must not be empty");
 
-		return new Certificate(serialNumber, certificate, issuingCaCertificate);
+		return new Certificate(serialNumber, certificate, issuingCaCertificate, List.of(), null);
+	}
+
+	/**
+	 * Create a {@link Certificate} given a private key with certificates and the serial
+	 * number.
+	 * @param serialNumber must not be empty or {@literal null}.
+	 * @param certificate must not be empty or {@literal null}.
+	 * @param issuingCaCertificate must not be empty or {@literal null}.
+	 * @param caChain empty list allowed
+	 * @return the {@link Certificate}
+	 */
+	public static Certificate of(String serialNumber, String certificate, String issuingCaCertificate,
+			List<String> caChain) {
+
+		Assert.hasText(serialNumber, "Serial number must not be empty");
+		Assert.hasText(certificate, "Certificate must not be empty");
+		Assert.hasText(issuingCaCertificate, "Issuing CA certificate must not be empty");
+		Assert.notNull(caChain, "CA chain must not be null");
+
+		return new Certificate(serialNumber, certificate, issuingCaCertificate, caChain, null);
+	}
+
+	/**
+	 * Create a {@link Certificate} given a private key with certificates and the serial
+	 * number.
+	 * @param serialNumber must not be empty or {@literal null}.
+	 * @param certificate must not be empty or {@literal null}.
+	 * @param issuingCaCertificate must not be empty or {@literal null}.
+	 * @param caChain empty list allowed
+	 * @param revocationTime revocation time, must not be {@literal null}
+	 * @return the {@link Certificate}
+	 */
+	public static Certificate of(String serialNumber, String certificate, String issuingCaCertificate,
+			List<String> caChain, Long revocationTime) {
+
+		Assert.hasText(serialNumber, "Serial number must not be empty");
+		Assert.hasText(certificate, "Certificate must not be empty");
+		Assert.hasText(issuingCaCertificate, "Issuing CA certificate must not be empty");
+		Assert.notNull(caChain, "CA chain must not be null");
+		Assert.notNull(revocationTime, "Revocation time");
+
+		return new Certificate(serialNumber, certificate, issuingCaCertificate, caChain, revocationTime);
 	}
 
 	/**
@@ -130,9 +180,27 @@ private X509Certificate doGetCertificate(String cert) {
 	 * @return the {@link KeyStore} containing the private key and certificate chain.
 	 */
 	public KeyStore createTrustStore() {
+		return createTrustStore(false);
+	}
 
+	/**
+	 * Create a trust store as {@link KeyStore} from this {@link Certificate} containing *
+	 * the certificate chain.
+	 * @param includeCaChain whether to include the certificate authority chain instead of
+	 * just the issuer certificate.
+	 * @return the {@link KeyStore} containing the certificate and certificate chain.
+	 */
+	public KeyStore createTrustStore(boolean includeCaChain) {
 		try {
-			return KeystoreUtil.createKeyStore(getX509Certificate(), getX509IssuerCertificate());
+			List<X509Certificate> certificates = new ArrayList<>();
+			certificates.add(getX509Certificate());
+			if (includeCaChain) {
+				certificates.addAll(getX509IssuerCertificates());
+			}
+			else {
+				certificates.add(getX509IssuerCertificate());
+			}
+			return KeystoreUtil.createKeyStore(certificates.toArray(new X509Certificate[0]));
 		}
 		catch (GeneralSecurityException | IOException e) {
 			throw new VaultException("Cannot create KeyStore", e);
@@ -161,4 +229,29 @@ static List<X509Certificate> getCertificates(String certificates) throws Certifi
 		return result;
 	}
 
+	/**
+	 * Retrieve the issuing CA certificates as list of {@link X509Certificate}.
+	 * @return the issuing CA {@link X509Certificate}.
+	 * @since 2.3.3
+	 */
+	public List<X509Certificate> getX509IssuerCertificates() {
+
+		List<X509Certificate> certificates = new ArrayList<>();
+
+		for (String data : this.caChain) {
+			try {
+				certificates.addAll(getCertificates(data));
+			}
+			catch (CertificateException e) {
+				throw new VaultException("Cannot create Certificate from issuing CA certificate", e);
+			}
+		}
+
+		return certificates;
+	}
+
+	public @Nullable Long getRevocationTime() {
+		return this.revocationTime;
+	}
+
 }

spring-vault-core/src/main/java/org/springframework/vault/support/CertificateBundle.java

@@ -18,7 +18,6 @@
 import java.io.IOException;
 import java.security.GeneralSecurityException;
 import java.security.KeyStore;
-import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.security.spec.KeySpec;
 import java.util.ArrayList;
@@ -58,8 +57,6 @@ public class CertificateBundle extends Certificate {
 	@Nullable
 	private final String privateKeyType;
 
-	private final List<String> caChain;
-
 	/**
 	 * Create a new {@link CertificateBundle}.
 	 * @param serialNumber the serial number.
@@ -72,12 +69,12 @@ public class CertificateBundle extends Certificate {
 	CertificateBundle(@JsonProperty("serial_number") String serialNumber,
 			@JsonProperty("certificate") String certificate, @JsonProperty("issuing_ca") String issuingCaCertificate,
 			@JsonProperty("ca_chain") List<String> caChain, @JsonProperty("private_key") String privateKey,
-			@Nullable @JsonProperty("private_key_type") String privateKeyType) {
+			@Nullable @JsonProperty("private_key_type") String privateKeyType,
+			@JsonProperty("revocation_time") Long revocationTime) {
 
-		super(serialNumber, certificate, issuingCaCertificate);
+		super(serialNumber, certificate, issuingCaCertificate, caChain, revocationTime);
 		this.privateKey = privateKey;
 		this.privateKeyType = privateKeyType;
-		this.caChain = caChain;
 	}
 
 	/**
@@ -98,7 +95,7 @@ public static CertificateBundle of(String serialNumber, String certificate, Stri
 		Assert.hasText(privateKey, "Private key must not be empty");
 
 		return new CertificateBundle(serialNumber, certificate, issuingCaCertificate,
-				Collections.singletonList(issuingCaCertificate), privateKey, null);
+				Collections.singletonList(issuingCaCertificate), null, privateKey, null);
 	}
 
 	/**
@@ -122,7 +119,33 @@ public static CertificateBundle of(String serialNumber, String certificate, Stri
 		Assert.hasText(privateKeyType, "Private key type must not be empty");
 
 		return new CertificateBundle(serialNumber, certificate, issuingCaCertificate,
-				Collections.singletonList(issuingCaCertificate), privateKey, privateKeyType);
+				Collections.singletonList(issuingCaCertificate), privateKey, privateKeyType, null);
+	}
+
+	/**
+	 * Create a {@link CertificateBundle} given a private key with certificates and the
+	 * serial number.
+	 * @param serialNumber must not be empty or {@literal null}.
+	 * @param certificate must not be empty or {@literal null}.
+	 * @param issuingCaCertificate must not be empty or {@literal null}.
+	 * @param privateKey must not be empty or {@literal null}.
+	 * @param privateKeyType must not be empty or {@literal null}.
+	 * @param revocationTime the revocation time.
+	 * @return the {@link CertificateBundle}
+	 * @since 2.4
+	 */
+	public static CertificateBundle of(String serialNumber, String certificate, String issuingCaCertificate,
+			String privateKey, @Nullable String privateKeyType, Long revocationTime) {
+
+		Assert.hasText(serialNumber, "Serial number must not be empty");
+		Assert.hasText(certificate, "Certificate must not be empty");
+		Assert.hasText(issuingCaCertificate, "Issuing CA certificate must not be empty");
+		Assert.hasText(privateKey, "Private key must not be empty");
+		Assert.hasText(privateKeyType, "Private key type must not be empty");
+		Assert.notNull(revocationTime, "Revocation time must not be null");
+
+		return new CertificateBundle(serialNumber, certificate, issuingCaCertificate,
+				Collections.singletonList(issuingCaCertificate), privateKey, privateKeyType, revocationTime);
 	}
 
 	/**
@@ -276,27 +299,6 @@ public KeyStore createKeyStore(String keyAlias, boolean includeCaChain, char[] p
 		}
 	}
 
-	/**
-	 * Retrieve the issuing CA certificates as list of {@link X509Certificate}.
-	 * @return the issuing CA {@link X509Certificate}.
-	 * @since 2.3.3
-	 */
-	public List<X509Certificate> getX509IssuerCertificates() {
-
-		List<X509Certificate> certificates = new ArrayList<>();
-
-		for (String data : this.caChain) {
-			try {
-				certificates.addAll(getCertificates(data));
-			}
-			catch (CertificateException e) {
-				throw new VaultException("Cannot create Certificate from issuing CA certificate", e);
-			}
-		}
-
-		return certificates;
-	}
-
 	private static KeySpec getPrivateKey(String privateKey, String keyType)
 			throws GeneralSecurityException, IOException {