diff --git a/src/main/java/com/bettercloud/vault/api/pki/Pki.java b/src/main/java/com/bettercloud/vault/api/pki/Pki.java index 1074c2be..2c0ac293 100644 --- a/src/main/java/com/bettercloud/vault/api/pki/Pki.java +++ b/src/main/java/com/bettercloud/vault/api/pki/Pki.java @@ -374,7 +374,7 @@ public PkiResponse issue( final String ttl, final CredentialFormat format) throws VaultException { - return issue(roleName, commonName, altNames, ipSans, ttl, format, ""); + return issue(roleName, commonName, altNames, ipSans, ttl, format, "", null); } /** @@ -407,8 +407,6 @@ public PkiResponse issue( * @return A container for the information returned by Vault * @throws VaultException If any error occurs or unexpected response is received from Vault */ - - public PkiResponse issue( final String roleName, final String commonName, @@ -417,6 +415,50 @@ public PkiResponse issue( final String ttl, final CredentialFormat format, final String csr + ) throws VaultException { + return issue(roleName,commonName,altNames,ipSans, ttl, format, csr, null); + } + + /** + *

Operation to allow a format to be set for the private key.

+ * + *
+ *
{@code
+     * final VaultConfig config = new VaultConfig.address(...).token(...).build();
+     * final Vault vault = new Vault(config);
+     *
+     * final PkiResponse response = vault.pki().issue(
+     *         "roleName",
+     *         "commonName",
+     *         null,
+     *         null,
+     *         null,
+     *         CredentialFormat.PEM, null, PrivateKeyFormat.PKCS8
+     *     ));
+     * assertEquals(200, response.getRestResponse().getStatus();
+     * }
+ *
+ * + * @param roleName The role on which the credentials will be based. + * @param commonName The requested CN for the certificate. If the CN is allowed by role policy, it will be issued. + * @param altNames (optional) Requested Subject Alternative Names, in a comma-delimited list. These can be host names or email addresses; they will be parsed into their respective fields. If any requested names do not match role policy, the entire request will be denied. + * @param ipSans (optional) Requested IP Subject Alternative Names, in a comma-delimited list. Only valid if the role allows IP SANs (which is the default). + * @param ttl (optional) Requested Time To Live. Cannot be greater than the role's max_ttl value. If not provided, the role's ttl value will be used. Note that the role values default to system values if not explicitly set. + * @param format (optional) Format for returned data. Can be pem, der, or pem_bundle; defaults to pem. If der, the output is base64 encoded. If pem_bundle, the certificate field will contain the private key, certificate, and issuing CA, concatenated. + * @param csr (optional) PEM Encoded CSR + * @param privateKeyFormat (optional) der, pem, or pkcs8 + * @return A container for the information returned by Vault + * @throws VaultException If any error occurs or unexpected response is received from Vault + */ + public PkiResponse issue( + final String roleName, + final String commonName, + final List altNames, + final List ipSans, + final String ttl, + final CredentialFormat format, + final String csr, + final PrivateKeyFormat privateKeyFormat ) throws VaultException { int retryCount = 0; while (true) { @@ -454,6 +496,9 @@ public PkiResponse issue( if (csr != null) { jsonObject.add("csr", csr); } + if (privateKeyFormat != null) { + jsonObject.add("private_key_format", privateKeyFormat.toString()); + } final String requestJson = jsonObject.toString(); // Make an HTTP request to Vault 
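Review bot: The Javadoc example on the new eight-argument `issue` does not compile as written — the call closes with `));` although only one parenthesis is open, and `assertEquals(200, response.getRestResponse().getStatus();` is missing its closing parenthesis; change them to `CredentialFormat.PEM, null, PrivateKeyFormat.PKCS8);` and `assertEquals(200, response.getRestResponse().getStatus());`. The new seven-argument delegation `return issue(roleName,commonName,altNames,ipSans, ttl, format, csr, null);` mixes spaced and unspaced commas; match the other overloads, `return issue(roleName, commonName, altNames, ipSans, ttl, format, csr, null);`. Note that the six-argument overload in the first hunk still passes `""` for csr while the guard later in this method is `csr != null`, so that overload sends an empty `csr` field whereas the `null` passed for `privateKeyFormat` omits its field entirely; passing `null` for csr there would make the two optional parameters behave alike (pre-existing, but the line is being rewritten anyway). The method body continues past the end of the hunk.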
diff --git a/src/main/java/com/bettercloud/vault/api/pki/PrivateKeyFormat.java b/src/main/java/com/bettercloud/vault/api/pki/PrivateKeyFormat.java
new file mode 100644
index 00000000..ee8b4183
--- /dev/null
+++ b/src/main/java/com/bettercloud/vault/api/pki/PrivateKeyFormat.java
@@ -0,0 +1,23 @@
+package com.bettercloud.vault.api.pki;
+
+public enum PrivateKeyFormat {
+ DER,
+ PEM,
+ PKCS8;
+
+ public static PrivateKeyFormat fromString(final String text) {
+ if (text != null) {
+ for (final PrivateKeyFormat format : PrivateKeyFormat.values()) {
+ if (text.equalsIgnoreCase(format.toString())) {
+ return format;
+ }
+ }
+ }
+ return null;
+ }
+
+ @Override
+ public String toString() {
+ return super.toString().toLowerCase();
+ }
+}
diff --git a/src/test-integration/java/com/bettercloud/vault/api/AuthBackendTokenTests.java b/src/test-integration/java/com/bettercloud/vault/api/AuthBackendTokenTests.java
index a5f9e337..2a3ab548 100644
--- a/src/test-integration/java/com/bettercloud/vault/api/AuthBackendTokenTests.java
+++ b/src/test-integration/java/com/bettercloud/vault/api/AuthBackendTokenTests.java
@@ -9,7 +9,6 @@
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
 import java.util.Arrays;
-import java.util.List;
 import java.util.UUID;
 import org.junit.BeforeClass;
 import org.junit.ClassRule;
diff --git a/src/test/java/com/bettercloud/vault/vault/api/TransitApiTest.java b/src/test/java/com/bettercloud/vault/vault/api/TransitApiTest.java
index 5f215dfb..05b9ff67 100644
--- a/src/test/java/com/bettercloud/vault/vault/api/TransitApiTest.java
+++ b/src/test/java/com/bettercloud/vault/vault/api/TransitApiTest.java
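Review bot: `fromString` returns `null` both for a null argument and for an unrecognised value, and nothing in the file says so; because the Pki hunk only checks `privateKeyFormat != null` before adding the field, a caller that round-trips an unrecognised string through `fromString` silently drops `private_key_format` instead of failing loudly. If `null` is the intended contract (it may mirror the other enums in this package, which are not visible here), document it on the method: `/** @return the matching format, or {@code null} when {@code text} is null or matches no constant (case-insensitive). */`. `toString()` lowercases with the default locale; `return super.toString().toLowerCase(Locale.ROOT);` (with `import java.util.Locale;`) makes the wire value independent of the JVM locale — harmless for these particular constant names, but this string is what is sent to Vault as `private_key_format`. The public enum itself has no Javadoc; a one-line summary stating that the lower-cased constant names are the values Vault accepts for `private_key_format` would help readers of the `issue` signature.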
@@ -7,14 +7,12 @@
 import com.bettercloud.vault.response.LogicalResponse;
 import com.bettercloud.vault.vault.VaultTestUtils;
 import com.bettercloud.vault.vault.mock.MockVault;
+import java.util.Collections;
+import java.util.Optional;
 import org.eclipse.jetty.server.Server;
 import org.junit.After;
-import org.junit.Before;
 import org.junit.Test;
 
-import java.util.Collections;
-import java.util.Optional;
-
 import static org.junit.Assert.assertEquals;
 
 public class TransitApiTest {