From 2a7393a2d57a54b0e06393f9a22af7e68c353e59 Mon Sep 17 00:00:00 2001
From: Jim Baugh
Date: Fri, 21 Sep 2018 11:31:34 -0600
Subject: [PATCH 1/2] PKI Issue Supports PrivateKeyFormat

Adding support to set the private_key_format on an PKI issue command.
---
 .../com/bettercloud/vault/api/pki/Pki.java | 51 +++++++++++++++++--
 .../vault/api/pki/PrivateKeyFormat.java | 23 +++++++++
 .../vault/api/AuthBackendPkiTests.java | 2 +-
 3 files changed, 72 insertions(+), 4 deletions(-)
 create mode 100644 src/main/java/com/bettercloud/vault/api/pki/PrivateKeyFormat.java

diff --git a/src/main/java/com/bettercloud/vault/api/pki/Pki.java b/src/main/java/com/bettercloud/vault/api/pki/Pki.java
index b792410e..7e5fe278 100644
--- a/src/main/java/com/bettercloud/vault/api/pki/Pki.java
+++ b/src/main/java/com/bettercloud/vault/api/pki/Pki.java
@@ -360,7 +360,7 @@ public PkiResponse issue(
 final String ttl,
 final CredentialFormat format) throws VaultException {
- return issue(roleName,commonName,altNames,ipSans, ttl, format, "");
+ return issue(roleName,commonName,altNames,ipSans, ttl, format, "", null);
 }
 
 /**
 *

 Operation to generate a new set of credentials or sign the embedded CSR, in the PKI backend. If CSR is passed the
@@ -392,8 +392,6 @@ public PkiResponse issue(
 * @return A container for the information returned by Vault
 * @throws VaultException If any error occurs or unexpected response is received from Vault
 */
-
-
 public PkiResponse issue(
 final String roleName,
 final String commonName,
@@ -402,6 +400,50 @@ public PkiResponse issue(
 final String ttl,
 final CredentialFormat format,
 final String csr
+ ) throws VaultException {
+ return issue(roleName,commonName,altNames,ipSans, ttl, format, "", null);
+ }
+
+ /**
+ *

Operation to allow a format to be set for the private key.

+ * + *
+ *
{@code
+     * final VaultConfig config = new VaultConfig.address(...).token(...).build();
+     * final Vault vault = new Vault(config);
+     *
+     * final PkiResponse response = vault.pki().issue(
+     *         "roleName",
+     *         "commonName",
+     *         null,
+     *         null,
+     *         null,
+     *         CredentialFormat.PEM, null, PrivateKeyFormat.PKCS8
+     *     ));
+     * assertEquals(200, response.getRestResponse().getStatus();
+     * }
+ *
+ *
+ * @param roleName The role on which the credentials will be based.
+ * @param commonName The requested CN for the certificate. If the CN is allowed by role policy, it will be issued.
+ * @param altNames (optional) Requested Subject Alternative Names, in a comma-delimited list. These can be host names or email addresses; they will be parsed into their respective fields. If any requested names do not match role policy, the entire request will be denied.
+ * @param ipSans (optional) Requested IP Subject Alternative Names, in a comma-delimited list. Only valid if the role allows IP SANs (which is the default).
+ * @param ttl (optional) Requested Time To Live. Cannot be greater than the role's max_ttl value. If not provided, the role's ttl value will be used. Note that the role values default to system values if not explicitly set.
+ * @param format (optional) Format for returned data. Can be pem, der, or pem_bundle; defaults to pem. If der, the output is base64 encoded. If pem_bundle, the certificate field will contain the private key, certificate, and issuing CA, concatenated.
+ * @param csr (optional) PEM Encoded CSR
+ * @param privateKeyFormat (optional) der, pem, or pkcs8
+ * @return A container for the information returned by Vault
+ * @throws VaultException If any error occurs or unexpected response is received from Vault
+ */
+ public PkiResponse issue(
+ final String roleName,
+ final String commonName,
+ final List altNames,
+ final List ipSans,
+ final String ttl,
+ final CredentialFormat format,
+ final String csr,
+ final PrivateKeyFormat privateKeyFormat
 ) throws VaultException {
 int retryCount = 0;
 while (true) {
@@ -439,6 +481,9 @@ public PkiResponse issue(
 if (csr != null) {
 jsonObject.add("csr", csr.toString());
 }
+ if (privateKeyFormat != null) {
+ jsonObject.add("private_key_format", privateKeyFormat.toString());
+ }
 final String requestJson = jsonObject.toString();
 // Make an HTTP request to Vault
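Review bot: The new body of the csr overload, added right after the `final String csr` context line in the @@ -402 hunk, forwards `""` instead of `csr` (`return issue(roleName,commonName,altNames,ipSans, ttl, format, "", null);`), so every caller of that seven-argument signature silently stops signing its own CSR and instead asks Vault to generate a key pair, which means a private key the caller never intended to leave its host is now minted by Vault and returned in the response; the line should read `return issue(roleName, commonName, altNames, ipSans, ttl, format, csr, null);`. The integration test in AuthBackendPkiTests was moved to the eight-argument overload and passes `csr` explicitly, so it no longer exercises this path and would not catch the regression; keeping one call through the csr-only overload with its existing `assertNull(...getPrivateKey())` check would. The Javadoc example on the new overload also does not parse as written: the call closes with `));` after `PrivateKeyFormat.PKCS8` and the `assertEquals(200, response.getRestResponse().getStatus();` line is missing a closing parenthesis. The enclosing `issue` method's body continues past the end of the @@ -439 hunk.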
diff --git a/src/main/java/com/bettercloud/vault/api/pki/PrivateKeyFormat.java b/src/main/java/com/bettercloud/vault/api/pki/PrivateKeyFormat.java
new file mode 100644
index 00000000..ee8b4183
--- /dev/null
+++ b/src/main/java/com/bettercloud/vault/api/pki/PrivateKeyFormat.java
@@ -0,0 +1,23 @@
+package com.bettercloud.vault.api.pki;
+
+public enum PrivateKeyFormat {
+ DER,
+ PEM,
+ PKCS8;
+
+ public static PrivateKeyFormat fromString(final String text) {
+ if (text != null) {
+ for (final PrivateKeyFormat format : PrivateKeyFormat.values()) {
+ if (text.equalsIgnoreCase(format.toString())) {
+ return format;
+ }
+ }
+ }
+ return null;
+ }
+
+ @Override
+ public String toString() {
+ return super.toString().toLowerCase();
+ }
+}
diff --git a/src/test-integration/java/com/bettercloud/vault/api/AuthBackendPkiTests.java b/src/test-integration/java/com/bettercloud/vault/api/AuthBackendPkiTests.java
index e5ea4ec1..2f770307 100644
--- a/src/test-integration/java/com/bettercloud/vault/api/AuthBackendPkiTests.java
+++ b/src/test-integration/java/com/bettercloud/vault/api/AuthBackendPkiTests.java
@@ -126,7 +126,7 @@ public void testIssueCredentialWithCsr() throws VaultException, InterruptedExcep
 Thread.sleep(3000);
 
 // Issue cert
- final PkiResponse issueResponse = vault.pki().issue("testRole", "test.myvault.com", null, null, "1h", CredentialFormat.PEM, csr);
+ final PkiResponse issueResponse = vault.pki().issue("testRole", "test.myvault.com", null, null, "1h", CredentialFormat.PEM, csr, null);
 assertNotNull(issueResponse.getCredential().getCertificate());
 assertNull(issueResponse.getCredential().getPrivateKey());
 assertNotNull(issueResponse.getCredential().getSerialNumber());
From b303c3f900770aae000a86d916e509a3c0cd4520 Mon Sep 17 00:00:00 2001
From: Jim Baugh
Date: Mon, 22 Jun 2020 10:23:58 -0600
Subject: [PATCH 2/2] Spaces fix

---
 src/main/java/com/bettercloud/vault/api/pki/Pki.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
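Review bot: `PrivateKeyFormat.PEM` is sent to Vault as `pem` in the `private_key_format` field, but as far as I recall the PKI issue endpoint documents only `der` and `pkcs8` for that field, with PEM-versus-DER encoding governed by `format` instead, so a request built with this constant may be rejected by the server; confirm against the Vault version this driver targets before exposing a `PEM` constant in the public enum. `fromString` returns `null` both for a null argument and for an unrecognised string, which callers cannot distinguish from a lookup that was never attempted, so the method should at least carry a Javadoc such as `/** Case-insensitive lookup by wire value; returns {@code null} when text is null or matches no constant. */`. The enum itself has no Javadoc; a one-line class comment stating that the constants map to Vault's `private_key_format` request values and that `toString()` yields the lower-case wire form would make the overridden `toString` intent clear to the next reader.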
diff --git a/src/main/java/com/bettercloud/vault/api/pki/Pki.java b/src/main/java/com/bettercloud/vault/api/pki/Pki.java
index 24c2d1a2..9f687484 100644
--- a/src/main/java/com/bettercloud/vault/api/pki/Pki.java
+++ b/src/main/java/com/bettercloud/vault/api/pki/Pki.java
@@ -374,7 +374,7 @@ public PkiResponse issue(
 final String ttl,
 final CredentialFormat format) throws VaultException {
- return issue(roleName,commonName,altNames,ipSans, ttl, format, "", null);
+ return issue(roleName, commonName, altNames, ipSans, ttl, format, "", null);
 }
 
 /**