Add support to obtain PEM-encoded certificates as X509Certificate #678

Closed
abremora opened this issue Jan 4, 2022 · 5 comments
Labels: status: ideal-for-contribution (An issue that a contributor can help us with); type: enhancement (A general enhancement)

Comments

abremora commented Jan 4, 2022

Certificate.getX509Certificate() and Certificate.getX509IssuerCertificate() do not support conversion of PEM-encoded string to X509Certificate.

abremora commented Jan 4, 2022

It's odd in that the default of the returned data is PEM.

> format (string: "") – Specifies the format for returned data. Can be pem, der, or pem_bundle; defaults to pem. If der, the output is base64 encoded. If pem_bundle, the certificate field will contain the private key and certificate, concatenated; if the issuing CA is not a Vault-derived self-signed root, this will be included as well.

https://www.vaultproject.io/api-docs/secret/pki#generate-certificate

mp911de commented Jan 5, 2022

As per the documentation:

```java
 * certificate. Certificate and keys can be either DER or PEM encoded. DER-encoded
 * certificates can be converted to a {@link X509Certificate}.
```

Feel free to submit a pull request to introduce PEM to X509Certificate decoding.

mp911de changed the title from "Conversion of PEM-encoded certificates to X509Certificate types fails" to "Add support to obtain PEM-encoded certificates as X509Certificate" on Jan 5, 2022

mp911de added the labels "status: ideal-for-contribution" and "type: enhancement" on Jan 5, 2022

abremora commented Jan 5, 2022

Same issue affects CertificateBundle.createKeyStore() & CertificateBundle.getPrivateKeySpec(), too. (Already mentioned in the documentation)

```
java.lang.IllegalArgumentException: Illegal base64 character 2d
	at java.base/java.util.Base64$Decoder.decode0(Base64.java:746) ~[na:na]
	at java.base/java.util.Base64$Decoder.decode(Base64.java:538) ~[na:na]
	at org.springframework.util.Base64Utils.decode(Base64Utils.java:59) ~[spring-core-5.3.13.jar:5.3.13]
	at org.springframework.util.Base64Utils.decodeFromString(Base64Utils.java:111) ~[spring-core-5.3.13.jar:5.3.13]
	at org.springframework.vault.support.CertificateBundle.getPrivateKeySpec(CertificateBundle.java:89) ~[spring-vault-core-2.3.2.jar:2.3.2]
	at org.springframework.vault.support.CertificateBundle.createKeyStore(CertificateBundle.java:109) ~[spring-vault-core-2.3.2.jar:2.3.2]
```

abremora commented Jan 5, 2022

Just for clarification: For Vault the default is PEM but for spring-vault the default is DER:

I will fix this issue within the next days.

abremora commented Jan 5, 2022

Of course we cannot change the behavior of vault-spring but we have to support other formats and improve documentation.
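
The `2d` in the stack trace earlier in this thread is the `-` of the PEM armor reaching a plain Base64 decoder. The sketch below is an added example, not spring-vault's code or the fix that was later contributed: the class `PemOrDer` and its methods are hypothetical, and it assumes input in one of the three formats quoted from the Vault documentation (`pem`, `pem_bundle`, or base64-encoded `der`). Its `main` uses constructed bytes rather than a real certificate, so it exercises only the decoding step; `parse` is the call to use on real input.

```java
import java.io.ByteArrayInputStream;
import java.security.cert.*;
import java.util.*;
import java.util.regex.*;

// Added illustration; class and method names are hypothetical, not spring-vault API.
public class PemOrDer {

    // Only CERTIFICATE blocks match, so the private key block of a pem_bundle is skipped.
    private static final Pattern CERT_BLOCK = Pattern.compile(
            "-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", Pattern.DOTALL);

    /** DER bytes of every certificate in a pem, pem_bundle or base64-encoded der string. */
    static List<byte[]> toDer(String data) {
        List<byte[]> der = new ArrayList<>();
        Matcher m = CERT_BLOCK.matcher(data);
        while (m.find()) {
            // The MIME decoder ignores the line breaks inside the armor.
            der.add(Base64.getMimeDecoder().decode(m.group(1)));
        }
        if (der.isEmpty()) {
            if (data.contains("-----BEGIN")) {
                throw new IllegalArgumentException("PEM data contains no CERTIFICATE block");
            }
            // No armor: base64 of the DER bytes; the strict decoder rejects stray characters.
            der.add(Base64.getDecoder().decode(data.trim()));
        }
        return der;
    }

    /** Parses DER bytes; throws CertificateException if they are not a valid certificate. */
    static X509Certificate parse(byte[] der) throws CertificateException {
        return (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(der));
    }

    public static void main(String[] args) {
        byte[] sample = {0x30, 0x03, 0x02, 0x01, 0x01}; // constructed bytes, not a real certificate
        String b64 = Base64.getEncoder().encodeToString(sample);
        String pem = "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n";
        try {
            Base64.getDecoder().decode(pem); // a DER-only path handed PEM text
        } catch (IllegalArgumentException e) {
            System.out.println("strict decoder: " + e.getMessage());
        }
        System.out.println("same DER from both encodings: "
                + Arrays.equals(toDer(pem).get(0), toDer(b64).get(0)));
    }
}
```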
