spring-projects / spring-vault

Provides familiar Spring abstractions for HashiCorp Vault
https://spring.io/projects/spring-vault
Apache License 2.0

Add support to obtain PEM-encoded certificates as `X509Certificate` #678

Closed abremora closed 2 years ago

abremora commented 2 years ago

Certificate.getX509Certificate() and Certificate.getX509IssuerCertificate() do not support conversion of a PEM-encoded string to an X509Certificate.

abremora commented 2 years ago

It's odd in that the default of the returned data is PEM.

format (string: "") – Specifies the format for returned data. Can be pem, der, or pem_bundle; defaults to pem. If der, the output is base64 encoded. If pem_bundle, the certificate field will contain the private key and certificate, concatenated; if the issuing CA is not a Vault-derived self-signed root, this will be included as well.

https://www.vaultproject.io/api-docs/secret/pki#generate-certificate

mp911de commented 2 years ago

As per the documentation:

https://github.com/spring-projects/spring-vault/blob/2e02491e8e7b6176cce24763aa482e320bf5edd4/spring-vault-core/src/main/java/org/springframework/vault/support/Certificate.java#L32-L33

Feel free to submit a pull request to introduce PEM to X509Certificate decoding.

abremora commented 2 years ago

The same issue affects CertificateBundle.createKeyStore() and CertificateBundle.getPrivateKeySpec(), too (already mentioned in the documentation):

java.lang.IllegalArgumentException: Illegal base64 character 2d
    at java.base/java.util.Base64$Decoder.decode0(Base64.java:746) ~[na:na]
    at java.base/java.util.Base64$Decoder.decode(Base64.java:538) ~[na:na]
    at org.springframework.util.Base64Utils.decode(Base64Utils.java:59) ~[spring-core-5.3.13.jar:5.3.13]
    at org.springframework.util.Base64Utils.decodeFromString(Base64Utils.java:111) ~[spring-core-5.3.13.jar:5.3.13]
    at org.springframework.vault.support.CertificateBundle.getPrivateKeySpec(CertificateBundle.java:89) ~[spring-vault-core-2.3.2.jar:2.3.2]
    at org.springframework.vault.support.CertificateBundle.createKeyStore(CertificateBundle.java:109) ~[spring-vault-core-2.3.2.jar:2.3.2]
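
The trace above shows why the PEM default breaks the DER-only code path: `Base64.getDecoder()` rejects the first byte of the `-----BEGIN` armour, `'-'` (0x2d), which is exactly the "Illegal base64 character 2d" it reports. The following class is an added illustration, not spring-vault's own implementation, of a decoder that accepts either form Vault can return (PEM, or base64-encoded DER as `VaultPkiTemplate` requests it). Its class and method names are hypothetical, and the PEM body in `main` is a constructed placeholder, not a real certificate.

```java
import java.io.ByteArrayInputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;

/**
 * Illustrative decoder for Vault PKI "certificate" / "issuing_ca" values that
 * may arrive either PEM-armoured (Vault's default format) or as base64-encoded
 * DER (the format spring-vault's VaultPkiTemplate requests).
 * Added example; hypothetical names, not spring-vault code.
 */
public final class VaultCertificateDecoder {

    private static final String PEM_ARMOUR = "-----";

    private VaultCertificateDecoder() {
    }

    /** A PEM value starts with "-----BEGIN ..."; bare base64 never contains '-'. */
    public static boolean isPem(String value) {
        return value.trim().startsWith(PEM_ARMOUR + "BEGIN");
    }

    /**
     * Returns raw DER bytes for either input form. For PEM, the BEGIN/END
     * armour lines are dropped and the base64 body joined before decoding;
     * feeding the armoured text straight to Base64.getDecoder() is what
     * raises "Illegal base64 character 2d" ('-' is 0x2d).
     */
    public static byte[] toDer(String value) {
        String base64;
        if (isPem(value)) {
            StringBuilder body = new StringBuilder();
            for (String line : value.split("\\R")) {
                String trimmed = line.trim();
                if (trimmed.isEmpty() || trimmed.startsWith(PEM_ARMOUR)) {
                    continue; // skip blank lines and the BEGIN/END armour
                }
                body.append(trimmed);
            }
            base64 = body.toString();
        } else {
            base64 = value.replaceAll("\\s", ""); // tolerate line-wrapped base64 DER
        }
        return Base64.getDecoder().decode(base64);
    }

    /** Parses either form into an X509Certificate via the platform CertificateFactory. */
    public static X509Certificate toX509Certificate(String value) throws CertificateException {
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        return (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(toDer(value)));
    }

    public static void main(String[] args) {
        // Constructed sample: PEM armour around a placeholder body, not a real certificate.
        String pem = "-----BEGIN CERTIFICATE-----\nTUlJQg==\n-----END CERTIFICATE-----\n";
        try {
            Base64.getDecoder().decode(pem); // reproduces the failure from the stack trace
        } catch (IllegalArgumentException e) {
            System.out.println("plain Base64 on PEM fails: " + e.getMessage());
        }
        System.out.println("isPem: " + isPem(pem)
                + ", DER bytes after stripping armour: " + toDer(pem).length);
    }
}
```

Two points worth knowing when fixing this in the library: the JDK's X.509 `CertificateFactory` already accepts PEM text directly, so the certificate half of the bug can be handled by passing the raw bytes through, but `PKCS8EncodedKeySpec` (used by `CertificateBundle.getPrivateKeySpec`) has no such tolerance and needs the armour stripped and the body base64-decoded first. And whether the decoded key bytes are PKCS#8 or PKCS#1/SEC1 depends on Vault's key type and output format, so the key path needs format detection of its own rather than assuming PKCS#8.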

abremora commented 2 years ago

Just for clarification: For Vault the default is PEM but for spring-vault the default is DER:

https://github.com/spring-projects/spring-vault/blob/26a77a2199ecd5186f04c930c2062ef7bb4711ee/spring-vault-core/src/main/java/org/springframework/vault/core/VaultPkiTemplate.java#L91

I will fix this issue within the next days.

abremora commented 2 years ago

Of course we cannot change the behavior of vault-spring, but we have to support other formats and improve the documentation.