Support PEM encoded certificates and EC for private keys.

We now support PEM, PEM-bundle and DER-encoded certificate bundles along with RSA and EC key types. Keys can be provided either in their plain representation or wrapped within a PKCS8 container.

Original pull request: gh-688.
Closes gh-678
Closes gh-683

Author: mp911de

spring-vault-core/pom.xml

@@ -260,6 +260,12 @@
 			<scope>test</scope>
 		</dependency>
 
+		<dependency>
+			<groupId>org.junit.jupiter</groupId>
+			<artifactId>junit-jupiter-params</artifactId>
+			<scope>test</scope>
+		</dependency>
+
 		<dependency>
 			<groupId>org.junit.jupiter</groupId>
 			<artifactId>junit-jupiter-engine</artifactId>

spring-vault-core/src/main/java/org/springframework/vault/core/VaultPkiOperations.java

@@ -44,7 +44,7 @@ public interface VaultPkiOperations {
 	 * Requests a certificate bundle (private key and certificate) from Vault's PKI
 	 * backend given a {@code roleName} and {@link VaultCertificateRequest}. The issuing
 	 * CA certificate is returned as well, so that only the root CA need be in a client's
-	 * trust store. Certificates use DER format and are base64 encoded.
+	 * trust store.
 	 * @param roleName must not be empty or {@literal null}.
 	 * @param certificateRequest must not be {@literal null}.
 	 * @return the {@link VaultCertificateResponse} containing a {@link CertificateBundle}
@@ -59,8 +59,7 @@ VaultCertificateResponse issueCertificate(String roleName, VaultCertificateReque
 	/**
 	 * Signs a CSR using Vault's PKI backend given a {@code roleName}, {@code csr} and
 	 * {@link VaultCertificateRequest}. The issuing CA certificate is returned as well, so
-	 * that only the root CA need be in a client's trust store. Certificates use DER
-	 * format and are base64 encoded.
+	 * that only the root CA need be in a client's trust store.
 	 * @param roleName must not be empty or {@literal null}.
 	 * @param csr must not be empty or {@literal null}.
 	 * @param certificateRequest must not be {@literal null}.

spring-vault-core/src/main/java/org/springframework/vault/core/VaultPkiTemplate.java

@@ -88,7 +88,7 @@ public VaultSignCertificateRequestResponse signCertificateRequest(String roleNam
 	private <T> T requestCertificate(String roleName, String requestPath, Map<String, Object> request,
 			Class<T> responseType) {
 
-		request.put("format", "der");
+		request.putIfAbsent("format", "der");
 
 		T response = this.vaultOperations.doWithSession(restOperations -> {
 

spring-vault-core/src/main/java/org/springframework/vault/support/Certificate.java

@@ -20,6 +20,8 @@
 import java.security.KeyStore;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.List;
 
 import com.fasterxml.jackson.annotation.JsonProperty;
 
@@ -29,8 +31,8 @@
 
 /**
  * Value object representing a certificate consisting of the certificate and the issuer
- * certificate. Certificate and keys can be either DER or PEM encoded. DER-encoded
- * certificates can be converted to a {@link X509Certificate}.
+ * certificate. Certificate and keys can be either DER or PEM (including PEM bundle) encoded.
+ * Certificates can be obtained as {@link X509Certificate}.
  *
  * @author Mark Paluch
  * @since 2.0
@@ -92,40 +94,39 @@ public String getIssuingCaCertificate() {
 	}
 
 	/**
-	 * Retrieve the certificate as {@link X509Certificate}. Only supported if certificate
-	 * is DER-encoded.
+	 * Retrieve the certificate as {@link X509Certificate}.
 	 * @return the {@link X509Certificate}.
+	 * @throws IllegalStateException if there is no X.509 certificate available.
 	 */
 	public X509Certificate getX509Certificate() {
-
-		try {
-			byte[] bytes = Base64Utils.decodeFromString(getCertificate());
-			return KeystoreUtil.getCertificate(bytes);
-		}
-		catch (CertificateException e) {
-			throw new VaultException("Cannot create Certificate from certificate", e);
-		}
+		return doGetCertificate(getCertificate());
 	}
 
 	/**
-	 * Retrieve the issuing CA certificate as {@link X509Certificate}. Only supported if
-	 * certificate is DER-encoded.
+	 * Retrieve the issuing CA certificate as {@link X509Certificate}.
 	 * @return the issuing CA {@link X509Certificate}.
 	 */
 	public X509Certificate getX509IssuerCertificate() {
+		return doGetCertificate(getIssuingCaCertificate());
+	}
+
+	private X509Certificate doGetCertificate(String cert) {
 
 		try {
-			byte[] bytes = Base64Utils.decodeFromString(getIssuingCaCertificate());
-			return KeystoreUtil.getCertificate(bytes);
+			List<X509Certificate> certificates = getCertificates(cert);
+			if (certificates.isEmpty()) {
+				throw new IllegalStateException("No certificate found");
+			}
+			return certificates.get(0);
 		}
 		catch (CertificateException e) {
-			throw new VaultException("Cannot create Certificate from issuing CA certificate", e);
+			throw new VaultException("Cannot create Certificate from certificate", e);
 		}
 	}
 
 	/**
 	 * Create a trust store as {@link KeyStore} from this {@link Certificate} containing
-	 * the certificate chain. Only supported if certificate is DER-encoded.
+	 * the certificate chain.
 	 * @return the {@link KeyStore} containing the private key and certificate chain.
 	 */
 	public KeyStore createTrustStore() {
@@ -138,4 +139,26 @@ public KeyStore createTrustStore() {
 		}
 	}
 
+	static List<X509Certificate> getCertificates(String certificates) throws CertificateException {
+
+		Assert.hasText(certificates, "Certificates must not be empty");
+
+		List<X509Certificate> result = new ArrayList<>(1);
+		if (PemObject.isPemEncoded(certificates)) {
+
+			List<PemObject> pemObjects = PemObject.parse(certificates);
+
+			for (PemObject pemObject : pemObjects) {
+				if (pemObject.isCertificate()) {
+					result.add(pemObject.getCertificate());
+				}
+			}
+		}
+		else {
+			result.addAll(KeystoreUtil.getCertificates(Base64Utils.decodeFromString(certificates)));
+		}
+
+		return result;
+	}
+
 }

spring-vault-core/src/main/java/org/springframework/vault/support/CertificateBundle.java

@@ -24,7 +24,9 @@
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
+import java.util.Locale;
 
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;
 
 import org.springframework.lang.Nullable;
@@ -35,15 +37,19 @@
 /**
  * Value object representing a certificate bundle consisting of a private key, the
  * certificate and the issuer certificate. Certificate and keys can be either DER or PEM
- * encoded. DER-encoded certificates can be converted to a {@link KeySpec} and
- * {@link X509Certificate}.
+ * encoded. RSA and Elliptic Curve keys and certificates can be converted to a
+ * {@link KeySpec} respective {@link X509Certificate} object. Supports creation of
+ * {@link #createKeyStore(String) key stores} that contain the key and the certificate
+ * chain.
  *
  * @author Mark Paluch
  * @author Alex Bremora
  * @see #getPrivateKeySpec()
  * @see #getX509Certificate()
  * @see #getIssuingCaCertificate()
+ * @see PemObject
  */
+@JsonIgnoreProperties(ignoreUnknown = true)
 public class CertificateBundle extends Certificate {
 
 	private final String privateKey;
@@ -135,26 +141,39 @@ public String getPrivateKeyType() {
 	}
 
 	/**
-	 * Retrieve the private key as {@link KeySpec}. Only supported if private key is
-	 * DER-encoded.
+	 * @return the required private key type, can be {@literal null}.
+	 * @since 2.4
+	 * @throws IllegalStateException if the private key type is {@literal null}
+	 */
+	public String getRequiredPrivateKeyType() {
+
+		String privateKeyType = getPrivateKeyType();
+
+		if (privateKeyType == null) {
+			throw new IllegalStateException("Private key type is not set");
+		}
+
+		return privateKeyType;
+	}
+
+	/**
+	 * Retrieve the private key as {@link KeySpec}.
 	 * @return the private {@link KeySpec}. {@link java.security.KeyFactory} can generate
 	 * a {@link java.security.PrivateKey} from this {@link KeySpec}.
 	 */
 	public KeySpec getPrivateKeySpec() {
 
 		try {
-			byte[] bytes = Base64Utils.decodeFromString(getPrivateKey());
-			return KeystoreUtil.getRSAPrivateKeySpec(bytes);
+			return getPrivateKey(getPrivateKey(), getRequiredPrivateKeyType());
 		}
-		catch (IOException e) {
+		catch (IOException | GeneralSecurityException e) {
 			throw new VaultException("Cannot create KeySpec from private key", e);
 		}
 	}
 
 	/**
 	 * Create a {@link KeyStore} from this {@link CertificateBundle} containing the
-	 * private key and certificate chain. Only supported if certificate and private key
-	 * are DER-encoded.
+	 * private key and certificate chain.
 	 * @param keyAlias the key alias to use.
 	 * @return the {@link KeyStore} containing the private key and certificate chain.
 	 */
@@ -164,8 +183,7 @@ public KeyStore createKeyStore(String keyAlias) {
 
 	/**
 	 * Create a {@link KeyStore} from this {@link CertificateBundle} containing the
-	 * private key and certificate chain. Only supported if certificate and private key
-	 * are DER-encoded.
+	 * private key and certificate chain.
 	 * @param keyAlias the key alias to use.
 	 * @param includeCaChain whether to include the certificate authority chain instead of
 	 * just the issuer certificate.
@@ -197,8 +215,7 @@ public KeyStore createKeyStore(String keyAlias, boolean includeCaChain) {
 	}
 
 	/**
-	 * Retrieve the issuing CA certificates as list of {@link X509Certificate}. Only
-	 * supported if certificates are DER-encoded.
+	 * Retrieve the issuing CA certificates as list of {@link X509Certificate}.
 	 * @return the issuing CA {@link X509Certificate}.
 	 * @since 2.3.3
 	 */
@@ -208,8 +225,7 @@ public List<X509Certificate> getX509IssuerCertificates() {
 
 		for (String data : caChain) {
 			try {
-				byte[] bytes = Base64Utils.decodeFromString(data);
-				certificates.add(KeystoreUtil.getCertificate(bytes));
+				certificates.addAll(getCertificates(data));
 			}
 			catch (CertificateException e) {
 				throw new VaultException("Cannot create Certificate from issuing CA certificate", e);
@@ -219,4 +235,41 @@ public List<X509Certificate> getX509IssuerCertificates() {
 		return certificates;
 	}
 
+	private static KeySpec getPrivateKey(String privateKey, String keyType)
+			throws GeneralSecurityException, IOException {
+
+		Assert.hasText(privateKey, "Private key must not be empty");
+		Assert.hasText(keyType, "Private key type must not be empty");
+
+		if (PemObject.isPemEncoded(privateKey)) {
+
+			List<PemObject> pemObjects = PemObject.parse(privateKey);
+
+			for (PemObject pemObject : pemObjects) {
+
+				if (pemObject.isPrivateKey()) {
+					return getPrivateKey(pemObject.getContent(), keyType);
+				}
+			}
+
+			throw new IllegalArgumentException("No private key found in PEM-encoded key spec");
+		}
+
+		return getPrivateKey(Base64Utils.decodeFromString(privateKey), keyType);
+	}
+
+	private static KeySpec getPrivateKey(byte[] privateKey, String keyType)
+			throws GeneralSecurityException, IOException {
+
+		switch (keyType.toLowerCase(Locale.ROOT)) {
+		case "rsa":
+			return KeyFactories.RSA_PRIVATE.getKey(privateKey);
+		case "ec":
+			return KeyFactories.EC.getKey(privateKey);
+		}
+
+		throw new IllegalArgumentException(
+				String.format("Key type %s not supported. Supported types are: rsa, ec.", keyType));
+	}
+
 }