Skip to content

Latest commit

 

History

History
771 lines (559 loc) · 21.9 KB

Certsv2.md

File metadata and controls

771 lines (559 loc) · 21.9 KB

CertificateAsyncClient

public class CertificateAsyncClient extends ServiceClient
{
    // constructors
    private CertificateAsyncClient(String vaultUrl, HttpPipeline pipeline);
    public static CertificateAsyncClientBuilder builder() {
        return new CertificateAsyncClientBuilder();
    }

    // methods
    // The Get Certificate method , the REST API returns Certificate operation for Get Certificate - check with Scott.
    public Mono<Response<Certificate>> getCertificate(String name);
    public Mono<Response<Certificate>> getCertificate(String name, String version);

    // Rerturning certificate operation in async api is not intuitive and natural.
    public Mono<Response<CertificateOperation>> createCertificate(String name);
    public Mono<Response<CertificateOperation>> createCertificate(Certificate certificate);
    
    public Mono<Response<Certificate>> createCertificate(Certificate certificate);
    public Mono<Response<Certificate>> createCertificate(String name);


    public Mono<Response<Certificate>> importCertificate( String certificateName, String certificateFilePath);
    public Mono<Response<Certificate>> importCertificate(CertificateImport certificateImport);

    public Flux<CertificateBase> listCertificateVersions(String name);
    public Flux<CertificateBase> listCertificates();
    public Flux<DeletedCertificate> listDeletedCertificates();
    
    //Update works to only update tags and enabled attrbiutes.    
    public Mono<Response<Certificate>> updateCertificateTags(String certificateName, Map<String, String> tags);
    public Mono<Response<Certificate>> updateCertificateEnabled(String certificateName, boolean enabled);

    public Mono<Response<DeletedCertificate>> deleteCertificate(String name);
    public Mono<Response<DeletedCertificate>> getDeletedCertificate(String name);
    public Mono<Response<Certificate>> recoverDeletedCertificate(String name);
    public Mono<VoidResponse> purgeDeletedCertificate(String name);

    public Mono<Response<byte[]>> backupCertificate(String name);
    public Mono<Response<Certificate>> restoreCertificte(byte[] backup);

    public Mono<Response<byte[]>> getPendingCertificateSigningRequest(String certificateName);

    // Q: In what scenarios is a list of byte[] passed in?
    public Mono<Response<String>> mergeCertificate(String name, List<byte[]> x509Certificates);

    public Mono<Response<Certificate>> mergeCertificate(MergeCertificateConfig mergeCertificateConfig);
    

    // Certificate Issuer methods

    public Mono<Response<Issuer>> createCertificateIssuer(String name, String provider);
    public Mono<Response<Issuer>> createCertificateIssuer(Issuer issuer);

    public Mono<Response<Issuer>> getCertificateIssuer(String name);

    public Mono<Response<Issuer>> deleteCertificateIssuer(String name);

    public Flux<IssuerBase> listCertificateIssuers();

    public Mono<Response<Issuer>> updateIssuer(Issuer issuer);

    // Certificate Contacts methods
    public Flux<Contact> setCertificateContacts(List<Contact>);
    public Flux<Contact> listCertificateContacts();
    public Flux<Contact> deleteCertificateContacts();


    // Certificate Policy methods
    public Mono<Response<CertificatePolicy>> getCertificatePolicy(String certificateName);
    public Mono<Response<CertificatePolicy>> updateCertificatePolicy(String certificateName, CertificatePolicy policy);


    // Certificate Operation methods
    public Mono<Response<CertificateOperation>> getCertificateOperation(String certificateName);
    
     public Mono<Response<CertificateOperation>> deleteCertificateOperation(String certificateName);
     public Mono<Response<CertificateOperation>> updateCertificateOperation(String certificateName, boolean cancellationRequested);
       
}

public final class CertificateAsyncClientBuilder {

    private CertificateAsyncClientBuilder() {
    }

    public CertificateAsyncClient build() {
       //Validate and Build the Client
    }

    public CertificateAsyncClientBuilder vaultEndpoint(String vaultEndpoint) {}
    public CertificateAsyncClientBuilder credentials(ServiceClientCredentials credentials) {}
    public CertificateAsyncClientBuilder httpLogDetailLevel(HttpLogDetailLevel logLevel) {}
    public CertificateAsyncClientBuilder addPolicy(HttpPipelinePolicy policy) {}
    public CertificateAsyncClientBuilder httpClient(HttpClient client) {}
}

Create a SelfSigned Pkcs12 Certificate valid for 1 year.

// TODO: Implement and Verify the usage.
CertificateAsyncClient certificateAsyncClient = CertificateAsyncClient.builder()
                            .vaultEndpoint("https://myvault.vault.azure.net/")
                            .credentials(AzureCredential.DEFAULT)
                            .build();       


Certificate cert2 = Certificate.builder("securityCert1")
                        .subjectName(""CN=SelfSignedJavaPkcs12")
                        .validityInMonths(12)
                        .issuerConfig("Self")
                            .done()
                        .secretContentType(SecretContentType.MIME_PKCS12)
                        .build();



CertificateOperation certOp2 = certificateAsyncClient.createCertificate(cert2).block().value();

Create a SelfSigned Pem Certificate valid for 1 year.

// TODO: Implement and Verify the usage.
CertificateAsyncClient certificateAsyncClient = CertificateAsyncClient.builder()
                            .vaultEndpoint("https://myvault.vault.azure.net/")
                            .credentials(AzureCredential.DEFAULT)
                            .build();       



Certificate cert2 = Certificate.builder("securityCert1")
                        .x509SubjectName("CN=SelfSignedJavaPem")
                        .validityInMonths(12)
                        .secretContentType(SecretContentType.MIME_PEM)
                        .issuerConfig("Self")
                          .done()
                        .build();


CertificateOperation certOp2 = certificateAsyncClient.createCertificate(cert2).block().value();

Create a test-issuer issued certificate in PKCS12 format

// TODO: Implement and Verify the usage.

Issuer issuer = new Issuer("createCertificateJavaPkcs12Issuer01")
                        .credentials("accountId", "password")
                        .addAdmin("John", "doe", "[email protected]")
                            .phoneNumber("123324324")
                        .addAdmin("Ben", "doe", "[email protected]");

Issuer createdIssuer = keyVaultClient.setCertificateIssuer(issuer).block().value();


Certificate cert3 = Certificate.builder("createTestJavaPkcs12")
                    .x509SubjectName("CN=TestJavaPkcs12")
                    .validityInMonths(12)
                    .secretContentType(SecretContentType.MIME_PKCS12)
                    .issuerConfig(createdIssuer.name())
                      .certificateTransparency(true)
                      .done()
                    .build()


certificateAsyncClient.createCertificate(cert3).block().value();

Create a SelfSigned Pem Certificate valid for 1 year with RSA Key of size 4076.

// TODO: Implement and Verify the usage.
CertificateAsyncClient certificateAsyncClient = CertificateAsyncClient.builder()
                            .vaultEndpoint("https://myvault.vault.azure.net/")
                            .credentials(AzureCredential.DEFAULT)
                            .build();       



Certificate cert2 = Certificate.builder("securityCert1")
                        .x509subjectName("CN=SelfSignedJavaPem2")
                        .validityInMonths(12)
                        .secretContentType(SecretContentType.MIME_PEM)
                        .keyConfig(JsonWebKeyType.RSA)
                          .keySize(4076)
                          .exportable(true)
                          .reuseKey(true)
                          .done()
                        .issuerConfig("Self")
                          .certificateTransparency(true)
                          .done()
                        .build();


CertificateOperation certOp2 = certificateAsyncClient.createCertificate(cert2).block().value();

Create a SelfSigned Pem Certificate valid for 1 year with EC Key and AutoRenewal set for 1 month before expiry using the same key.

// TODO: Implement and Verify the usage.
CertificateAsyncClient certificateAsyncClient = CertificateAsyncClient.builder()
                            .vaultEndpoint("https://myvault.vault.azure.net/")
                            .credentials(AzureCredential.DEFAULT)
                            .build();       



Certificate cert2 = Certificate.builder("securityCert1")
                        .x509subjectName("CN=SelfSignedJavaPem2")
                        .validityInMonths(12)
                        .secretContentType(SecretContentType.MIME_PEM)
                        .issuerConfig("Self")
                          .certificateTransparency(true)
                          .done()
                        .keyConfig(JsonWebKeyType.EC)
                          .reuseKey(true)
                          .keyCurve(JsonWenKeyCurve.P_384)
                          .exportable(true)
                          .done()
                        .addLifeTimeAction(ActionType.AUTO_RENEW)
                            .renewDaysBeforeExpiry(30)
                            .activatingLifetimeStage(50)
                            .done()
                        .build();


CertificateOperation certOp2 = certificateAsyncClient.createCertificate(cert2).block().value();

Import a pkcs certificate witg exportable RSA key of size 2048.

// TODO: Implement and Verify the usage.
CertificateAsyncClient certificateAsyncClient = CertificateAsyncClient.builder()
                            .vaultEndpoint("https://myvault.vault.azure.net/")
                            .credentials(AzureCredential.DEFAULT)
                            .build();       


CertificateImport certImport = CertificateImport.builder("securityCert1", certificateFilePath)
                        .secretContentType(SecretContentType.PKCS12)
                        .keyConfig(JsonWebKeyType.RSA)
                          .keySize(2048)
                          .exportable(true)
                          .reuseKey(true)
                          .done()
                        .addLifeTimeAction(ActionType.AUTO_RENEW)
                            .renewDaysBeforeExpiry(30)
                            .done()
                        .build();
                        
Certificate importedCertificate = certificateAsyncClient.importCertificate(certImport).block().value();

DataStructures:

/**
 * The contact information for the vault certificates.
 */
public class Contact {
    /**
     * Email addresss.
     */
    @JsonProperty(value = "email")
    private String emailAddress;

    /**
     * Name.
     */
    @JsonProperty(value = "name")
    private String name;

    /**
     * Phone number.
     */
    @JsonProperty(value = "phone")
    private String phone;
}


public class IssuerBase {
    
    /**
     * Identifier for the issuer object.
     */
    @JsonProperty(value = "id", access = JsonProperty.Access.WRITE_ONLY)
    private String id;

    /**
     * The issuer provider.
     */
    @JsonProperty(value = "provider")
    private String provider;

    /**
     * Determines whether the issuer is enabled.
     */
    @JsonProperty(value = "enabled")
    private Boolean enabled;

    /**
     * Creation time in UTC.
     */
    @JsonProperty(value = "created", access = JsonProperty.Access.WRITE_ONLY)
    private Long created;

    /**
     * Last updated time in UTC.
     */
    @JsonProperty(value = "updated", access = JsonProperty.Access.WRITE_ONLY)
    private Long updated;

    String name;

}


public class Issuer extends IssuerBase {

    /**
     * The user name/account name/account id.
     */
    @JsonProperty(value = "account_id")
    private String accountId;

    /**
     * The password/secret/account key.
     */
    @JsonProperty(value = "pwd")
    private String password;


    /**
     * Id of the organization.
     */
    @JsonProperty(value = "id")
    private String id;

    /**
     * Details of the organization administrator.
     */
    @JsonProperty(value = "admin_details")
    private List<AdministratorDetails> adminDetails;


    public Issuer()
}


public class CertificateBase {
    
    /**
     * Determines whether the object is enabled.
     */
    private Boolean enabled;

    /**
     * Not before date in UTC.
     */
    private OffsetDateTime notBefore;

    /**
     * The secret version.
     */
    String version;

    /**
     * Expiry date in UTC.
     */
    private OffsetDateTime expires;

    /**
     * Creation time in UTC.
     */
    private OffsetDateTime created;

    /**
     * Last updated time in UTC.
     */
    private OffsetDateTime updated;

    /**
     * Reflects the deletion recovery level currently in effect for certificates in
     * the current vault. If it contains 'Purgeable', the certificate can be
     * permanently deleted by a privileged user; otherwise, only the system can
     * purge the certificate, at the end of the retention interval. Possible values
     * include: 'Purgeable', 'Recoverable+Purgeable', 'Recoverable',
     * 'Recoverable+ProtectedSubscription'.
     */
    private String recoveryLevel;

    /**
     * The Certificate name.
     */
    String name;

    /**
     * The certificate id.
     */
    @JsonProperty(value = "id", access = JsonProperty.Access.WRITE_ONLY)
    private String id;

    /**
     * Type of the certificate.
     */
    @JsonProperty(value = "contentType")
    private String contentType;

    /**
     * Application specific metadata in the form of key-value pairs.
     */
    @JsonProperty(value = "tags")
    private Map<String, String> tags;

    /**
     * True if the certificate's lifetime is managed by key vault. If this is a key
     * backing a certificate, then managed will be true.
     */
    @JsonProperty(value = "managed", access = JsonProperty.Access.WRITE_ONLY)
    private Boolean managed;
    
    /**
     * Thumbprint of the certificate.
     */
    @JsonProperty(value = "x5t", access = JsonProperty.Access.WRITE_ONLY)
    private Base64Url x509Thumbprint;



}

public class Certificate extends CertificateBase {
    

    /**
     * CER contents of x509 certificate.
     */
    @JsonProperty(value = "cer")
    private byte[] cer;

    /**
     * The secret id.
     */
    @JsonProperty(value = "sid", access = JsonProperty.Access.WRITE_ONLY)
    private String sid;
    
    private CertificatePolicy certificatePolicy;


    public Certificate(String name){
        super.name = name;
    }
    
    /**
     * The key id.
     */
    @JsonProperty(value = "kid", access = JsonProperty.Access.WRITE_ONLY)
    private String keyId;



}


public class CertificateImport extends CertificateBase {
    
    /**
     * Base64 encoded representation of the certificate object to import. This
     * certificate needs to contain the private key.
     */
    @JsonProperty(value = "value", required = true)
    private String base64EncodedCertificate;

    /**
     * If the private key in base64EncodedCertificate is encrypted, the
     * password used for encryption.
     */
    @JsonProperty(value = "pwd")
    private String password;
    
    private CertificatePolicy policy;


    public CertificateImport(String name, String certificateFilePath){
        super.name = name;
    }


}


/**
 * Management policy for a certificate.
 */
public class CertificatePolicy extends CertificateBase {
    /**
     * The certificate id.
     */
    @JsonProperty(value = "id", access = JsonProperty.Access.WRITE_ONLY)
    private String id;

    /**
     * The type of key pair to be used for the certificate. Possible values
     * include: 'EC', 'EC-HSM', 'RSA', 'RSA-HSM', 'oct'.
     */
    @JsonProperty(value = "kty")
    private JsonWebKeyType keyType;

    /**
     * The key size in bits. For example: 2048, 3072, or 4096 for RSA.
     */
    @JsonProperty(value = "key_size")
    private Integer keySize;

    /**
     * Indicates if the same key pair will be used on certificate renewal.
     */
    @JsonProperty(value = "reuse_key")
    private Boolean reuseKey;

    /**
     * Elliptic curve name. For valid values, see JsonWebKeyCurveName. Possible
     * values include: 'P-256', 'P-384', 'P-521', 'P-256K'.
     */
    @JsonProperty(value = "crv")
    private JsonWebKeyCurveName keyCurve;

    /**
     * Properties of the secret backing a certificate.
     */
    @JsonProperty(value = "secret_props")
    private String secretContentType;

    /**
     * The subject name. Should be a valid X509 distinguished Name.
     */
    @JsonProperty(value = "subject")
    private String subject;

    /**
     * The enhanced key usage.
     */
    @JsonProperty(value = "ekus")
    private List<String> ekus;

    /**
     * The subject alternative names.
     */
    @JsonProperty(value = "sans")
    private SubjectAlternativeNames subjectAlternativeNames;

    /**
     * List of key usages.
     */
    @JsonProperty(value = "key_usage")
    private List<KeyUsageType> keyUsage;

    /**
     * The duration that the ceritifcate is valid in months.
     */
    @JsonProperty(value = "validity_months")
    private Integer validityInMonths;

    /**
     * Actions that will be performed by Key Vault over the lifetime of a
     * certificate.
     */
    @JsonProperty(value = "lifetime_actions")
    private List<LifetimeAction> lifetimeActions;

    /**
     * Name of the referenced issuer object or reserved names; for example,
     * 'Self' or 'Unknown'.
     */
    @JsonProperty(value = "name")
    private String issuerName;

    /**
     * Type of certificate to be requested from the issuer provider.
     */
    @JsonProperty(value = "cty")
    private String certificateType;

    /**
     * Indicates if the certificates generated under this policy should be
     * published to certificate transparency logs.
     */
    @JsonProperty(value = "cert_transparency")
    private Boolean certificateTransparency;


    /**
     * Get the id value.
     *
     * @return the id value
     */
    public String id() {
        return this.id;
    }
}

public class CertificateOperation {
    /**
     * The certificate id.
     */
    @JsonProperty(value = "id", access = JsonProperty.Access.WRITE_ONLY)
    private String id;

    /**
     * Name of the referenced issuer object or reserved names; for example,
     * 'Self' or 'Unknown'.
     */
    @JsonProperty(value = "name")
    private String issuerName;

    /**
     * Type of certificate to be requested from the issuer provider.
     */
    @JsonProperty(value = "cty")
    private String certificateType;

    /**
     * Indicates if the certificates generated under this policy should be
     * published to certificate transparency logs.
     */
    @JsonProperty(value = "cert_transparency")
    private Boolean certificateTransparency;


    /**
     * The certificate signing request (CSR) that is being used in the
     * certificate operation.
     */
    @JsonProperty(value = "csr")
    private byte[] csr;

    /**
     * Indicates if cancellation was requested on the certificate operation.
     */
    @JsonProperty(value = "cancellation_requested")
    private Boolean cancellationRequested;

    /**
     * Status of the certificate operation.
     */
    @JsonProperty(value = "status")
    private String status;

    /**
     * The status details of the certificate operation.
     */
    @JsonProperty(value = "status_details")
    private String statusDetails;

    /**
     * Error encountered, if any, during the certificate operation.
     */
    @JsonProperty(value = "error")
    private Error error;

    /**
     * Location which contains the result of the certificate operation.
     */
    @JsonProperty(value = "target")
    private String target;

    /**
     * Identifier for the certificate operation.
     */
    @JsonProperty(value = "request_id")
    private String requestId;

}

public MergeCertificateConfig extends CertificateBase {

  private String certificateName;
  private List<Byte[]> x509Certs;
  
  public MergeCertificateConfig(String certificateName, List<Byte[]> x509Certs);

}

Fluent Interfaces:

public interface ICertificateBuilder {

    public ICertificateBuilder secretType(String secretType);

    public ICertificateBuilder x509SubjectName(String subjectName);

    public ICertificateBuilder validityInMonths(Integer months);

    public ICertificateBuilder alternativeSubjectEmails(String ... emails);

    public ICertificateBuilder alternativeSubjectDns(String ... domainNames);

    public IKeyConfiguration keyConfiguration(JsonWebKeyType webKeyType);

    public IIssuerConfiguration issuerConfiguration(String issuerName);

    public ICertificateBuilder addLifeTimeAction(ActionType actionType, Integer lifetimeActivatingStage, Integer renewDaysBeforeExpiry);

}

public interface ICertificateImportBuilder extends ICertificateBuilder {

    public ICertificateBuilder password(String password);

}

public interface IECKeyConfiguration extends IKeyConfiguration {

    public IECKeyConfiguration keyCurve(JsonWebKeyCurveName keyCurveName);
}

public interface IIssuerConfiguration {

    public IIssuerConfiguration issuerName(String subjectName);

    public IIssuerConfiguration certificateTypeRequest(String certificateTypeRequest);
    
    //Q: Move this to certificate properties.
    public IIssuerConfiguration certificateTransparency(Boolean transparency);

    public ICertificateBuilder done();

}


public interface IKeyConfiguration {


    public IKeyConfiguration enhancedKeyUsage(String ... enhancedKeyUsage);

    public IKeyConfiguration keyUsage(KeyUsageType... keyUsages);

    public IKeyConfiguration exportable(Boolean exportable);

    public IKeyConfiguration reuseKey(Boolean reuseKey);

    public ICertificateBuilder done();

}

public interface IRSAKeyConfiguration extends IKeyConfiguration {

    public IRSAKeyConfiguration keySize(Integer keySize);

}