
Improvement: Enhance PKI API - reading and writing certificates

Open Vity01 opened this issue 6 years ago • 7 comments

It looks like the implementation support is far behind current HashiCorp Vault functionality. E.g. see https://www.vaultproject.io/api/secret/pki/index.html#read-ca-certificate

Also the current functionality of generateCertificates is not feature complete - see https://www.vaultproject.io/api/secret/pki/index.html#generate-certificate - the server response contains the property "ca_chain" - at this time it's not possible to read it.

Sadly there is no way to bypass the missing implementation. E.g.:

final VaultResponseSupport<byte[]> read = vaultOperations.read("/pki/ca/pem", byte[].class);

will throw

.RestClientException: Could not extract response: no suitable HttpMessageConverter found for response type [org.springframework.vault.client.VaultResponses$1@5c6fae3c] and content type [application/pkix-cert]

and there is no easy way to add a custom implementation of HttpMessageConverter to the REST client, since the only 3 converters are hardcoded (why not use the app context default ones?) - see org.springframework.vault.client.VaultClients#createRestTemplate()

Vity01 avatar Sep 27 '19 06:09 Vity01

We haven't updated the PKI functionality for quite a while. Feel free to submit a pull request.

mp911de avatar Sep 27 '19 07:09 mp911de

Do you see any workaround for reading an application/pkix-cert response from Vault? I don't see any. It's impossible to reuse or to touch the RestTemplate instances inside of VaultTemplate in a clean way. I guess the resttemplates/webclients clients should be converted into beans to be able to adapt them. Static generations inside of VaultClients don't help... Also it's practically impossible to create your own instance of VaultTemplate without massive code copying and hacking/coding. :-(

Vity01 avatar Sep 27 '19 09:09 Vity01

VaultTemplate exposes callback methods doWithVault and doWithSession(…) (invocation without/with a session token) to expose a RestTemplate associated with the Vault client.

Have you tried the following:

byte[] bytes = vaultOperations.doWithSession(restOperations -> restOperations
		.getForObject("/pki/ca/pem", byte[].class));

Reading a VaultResponseSupport<byte[]> isn't possible as VaultResponse expects the standard-response format which is JSON carrying auth, data and other fields.

I guess the resttemplates/webclients clients should be converted into beans to be able to adapt them.

That approach isn't practical as each RestTemplate is associated with a UriBuilderFactory for relative URL expansion and endpoint selection. Also, each request targeting an authenticated request gets the Vault token injected.

mp911de avatar Sep 27 '19 09:09 mp911de
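Putting the doWithSession suggestion above into a small helper, as an added example that is not part of this thread or of the Spring Vault project: it reads the CA as raw PEM bytes through the session callback, parses them with the JDK CertificateFactory and applies basic validity and signature checks to the chain before returning it. The class name, the /pki/ca_chain path (taken from the Vault PKI API docs rather than from this thread) and the issuing-CA-first chain order are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.security.GeneralSecurityException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import org.springframework.vault.core.VaultOperations;

/** Reads the PKI CA certificate and chain as raw bytes via doWithSession (example, not project code). */
public final class PkiCaReader {
    private final VaultOperations vaultOperations;

    public PkiCaReader(VaultOperations vaultOperations) {
        this.vaultOperations = vaultOperations;
    }

    /** GET /pki/ca/pem answers with application/pkix-cert; the session callback injects the Vault token. */
    public X509Certificate readCa() throws CertificateException {
        byte[] pem = vaultOperations.doWithSession(rest -> rest.getForObject("/pki/ca/pem", byte[].class));
        return parsePem(pem).get(0);
    }

    /** GET /pki/ca_chain (path assumed from the Vault PKI API docs) answers with the PEM chain, issuing CA first. */
    public List<X509Certificate> readCaChain() throws GeneralSecurityException {
        byte[] pem = vaultOperations.doWithSession(rest -> rest.getForObject("/pki/ca_chain", byte[].class));
        List<X509Certificate> chain = parsePem(pem);
        // Sanity check before trusting the chain: every certificate must be inside its validity
        // period and signed by the next one up (assumes issuing-CA-to-root order).
        for (int i = 0; i < chain.size(); i++) {
            chain.get(i).checkValidity();
            if (i + 1 < chain.size()) {
                chain.get(i).verify(chain.get(i + 1).getPublicKey());
            }
        }
        return chain;
    }

    /** Parses one or more concatenated PEM blocks; CertificateFactory accepts PEM as well as DER input. */
    static List<X509Certificate> parsePem(byte[] pem) throws CertificateException {
        if (pem == null || pem.length == 0) throw new CertificateException("empty certificate response from Vault");
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        for (Certificate c : factory.generateCertificates(new ByteArrayInputStream(pem))) {
            certs.add((X509Certificate) c);
        }
        return certs;
    }
}
```

The root certificate at the end of the chain is not verified against anything here; which roots to trust remains the caller's decision.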

Thank you Mark for the suggestion. It's working.

Does Pivotal/VMware provide some type of grant for working on the project? I suppose there are about 2-3 man-days of work to implement the new features properly with testing, documentation and reactive stuff...

Vity01 avatar Sep 27 '19 10:09 Vity01

That's not how open source works. Either we are able to contribute to projects when we have time and we agree that we want to implement a certain feature or the community contributes to projects in the form of pull requests, bug reports or other kinds of contribution.

mp911de avatar Sep 27 '19 11:09 mp911de

I would like to split this issue into smaller ones to get a better overview of current tasks. Further, some issues are already fixed (e.g. ca_chain is available in CertificateBundle). Afterwards this issue can be closed.

New issues can look like:

1. Update VaultCertificateRequest and usage in VaultPkiOperations

Used for VaultPkiOperations.issueCertificate() and VaultPkiOperations.signCertificateRequest()

common_name
alt_names
ip_sans
uri_sans
other_sans           <-- missing
ttl
format               <-- missing
private_key_format   <-- missing
exclude_cn_from_sans

~~2. Update VaultCertificateResponse used in VaultPkiOperations~~

!! No need for a new issue !!

VaultCertificateResponse issueCertificate(String roleName, VaultCertificateRequest certificateRequest)

VaultCertificateResponse extends VaultResponseSupport<CertificateBundle> and CertificateBundle extends Certificate

CertificateBundle misses:

  • "private_key_type" (see #676)

Note: "ca_chain" is already implemented. See: https://github.com/spring-projects/spring-vault/blob/2e02491e8e7b6176cce24763aa482e320bf5edd4/spring-vault-core/src/main/java/org/springframework/vault/support/CertificateBundle.java#L49

~~3. Update VaultSignCertificateRequestResponse used in VaultPkiOperations~~

!! No need for a new issue !!

VaultSignCertificateRequestResponse signCertificateRequest(String roleName, String csr, VaultCertificateRequest certificateRequest)

VaultSignCertificateRequestResponse extends VaultResponseSupport<Certificate>

Nothing to do here. Will be fixed with issue above.

4. Implement missing API for reading CA Certificate Chain

See: https://www.vaultproject.io/api/secret/pki#read-ca-certificate

5. Improve templates to make updates easier

For example:

  • Return a map or full JSON as text to get all response data even if the response type is not up to date
  • Allow extension of request types

abremora avatar Jan 04 '22 17:01 abremora

Return a map or full JSON as text to get all response data even if the response type is not up to date

For this case, you can use the VaultTemplate.read/write methods.

Other than that, feel free to submit pull requests.

mp911de avatar Jan 05 '22 08:01 mp911de