Update pki ca-cert-issue to support CRMF

The pki ca-cert-issue has been modified to support submitting
an existing CRMF request, approving the request, and retrieving
the issued cert in one step.

Some KRA tests have been simplified using this command.

Author: edewata

.github/workflows/kra-basic-test.yml

@@ -357,31 +357,19 @@ jobs:
 
           docker exec pki cat testuser.csr
 
-          # submit cert request
-          # https://github.com/dogtagpki/pki/wiki/Submitting-Certificate-Request-with-Key-Archival
-          docker exec pki pki \
-              ca-cert-request-submit \
-              --request-type crmf \
-              --csr-file testuser.csr \
-              --profile caUserCert \
-              --subject UID=testuser | tee output
-
-          REQUEST_ID=$(sed -n "s/^\s*Request ID:\s*\(\S*\)$/\1/p" output)
-          echo "Request ID: $REQUEST_ID"
-
           # issue cert
+          # https://github.com/dogtagpki/pki/wiki/Issuing-Certificates
           docker exec pki pki \
               -u caadmin \
               -w Secret.123 \
-              ca-cert-request-approve \
-              --force \
-              $REQUEST_ID | tee output
-
-          CERT_ID=$(sed -n "s/^\s*Certificate ID:\s*\(\S*\)$/\1/p" output)
-          echo "Cert ID: $CERT_ID"
+              ca-cert-issue \
+              --request-type crmf \
+              --profile caUserCert \
+              --subject UID=testuser \
+              --csr-file testuser.csr \
+              --output-file testuser.crt
 
           # import cert into NSS database
-          docker exec pki pki ca-cert-export --output-file testuser.crt $CERT_ID
           docker exec pki pki nss-cert-import --cert testuser.crt testuser
 
           # the cert should match the key (trust flags must be u,u,u)

.github/workflows/kra-container-test.yml

@@ -514,42 +514,21 @@ jobs:
 
           docker exec client cat testuser.csr
 
-          # submit cert request
-          # https://github.com/dogtagpki/pki/wiki/Submitting-Certificate-Request-with-Key-Archival
-          docker exec client pki \
-              -U https://ca.example.com:8443 \
-              ca-cert-request-submit \
-              --request-type crmf \
-              --csr-file testuser.csr \
-              --profile caUserCert \
-              --subject UID=testuser | tee output
-
-          REQUEST_ID=$(sed -n "s/^\s*Request ID:\s*\(\S*\)$/\1/p" output)
-          echo "Request ID: $REQUEST_ID"
-          echo "$REQUEST_ID" > request.id
-
       - name: Issue cert with key archival
         run: |
-          REQUEST_ID=$(cat request.id)
-
           # issue cert
+          # https://github.com/dogtagpki/pki/wiki/Issuing-Certificates
           docker exec client pki \
               -U https://ca.example.com:8443 \
               -n admin \
-              ca-cert-request-approve \
-              --force \
-              $REQUEST_ID | tee output
-
-          CERT_ID=$(sed -n "s/^\s*Certificate ID:\s*\(\S*\)$/\1/p" output)
-          echo "Cert ID: $CERT_ID"
+              ca-cert-issue \
+              --request-type crmf \
+              --profile caUserCert \
+              --subject UID=testuser \
+              --csr-file testuser.csr \
+              --output-file testuser.crt
 
           # import cert into NSS database
-          docker exec client pki \
-              -U https://ca.example.com:8443 \
-              ca-cert-export \
-              --output-file testuser.crt \
-              $CERT_ID
-
           docker exec client pki nss-cert-import --cert testuser.crt testuser
 
           # the cert should match the key (trust flags must be u,u,u)

.github/workflows/kra-migration-test.yml

@@ -109,31 +109,19 @@ jobs:
 
           docker exec pki1 cat testuser.csr
 
-          # submit cert request
-          # https://github.com/dogtagpki/pki/wiki/Submitting-Certificate-Request-with-Key-Archival
-          docker exec pki1 pki \
-              ca-cert-request-submit \
-              --request-type crmf \
-              --csr-file testuser.csr \
-              --profile caUserCert \
-              --subject UID=testuser | tee output
-
-          REQUEST_ID=$(sed -n "s/^\s*Request ID:\s*\(\S*\)\s*$/\1/p" output)
-          echo "Request ID: $REQUEST_ID"
-
           # issue cert
+          # https://github.com/dogtagpki/pki/wiki/Issuing-Certificates
           docker exec pki1 pki \
               -u caadmin \
               -w Secret.123 \
-              ca-cert-request-approve \
-              --force \
-              $REQUEST_ID | tee output
-
-          CERT_ID=$(sed -n "s/^\s*Certificate ID:\s*\(\S*\)\s*$/\1/p" output)
-          echo "Cert ID: $CERT_ID"
+              ca-cert-issue \
+              --request-type crmf \
+              --profile caUserCert \
+              --subject UID=testuser \
+              --csr-file testuser.csr \
+              --output-file $SHARED/testuser.crt
 
           # import cert into NSS database
-          docker exec pki1 pki ca-cert-export --output-file $SHARED/testuser.crt $CERT_ID
           docker exec pki1 pki nss-cert-import --cert $SHARED/testuser.crt testuser
 
           # the cert should match the key (trust flags must be u,u,u)

base/tools/src/main/java/com/netscape/cmstools/ca/CACertIssueCLI.java

@@ -85,10 +85,14 @@ public void createOptions() {
         option.setArgName("profile");
         options.addOption(option);
 
-        option = new Option(null, "request-type", true, "Request type (default: pkcs10)");
+        option = new Option(null, "request-type", true, "Request type: pkcs10 (default), crmf");
         option.setArgName("type");
         options.addOption(option);
 
+        option = new Option(null, "request-format", true, "Request type: PEM (default), DER");
+        option.setArgName("format");
+        options.addOption(option);
+
         option = new Option(null, "renewal", false, "Submit renewal request");
         options.addOption(option);
 
@@ -251,8 +255,6 @@ public byte[] issueCert(
     @Override
     public void execute(CommandLine cmd) throws Exception {
 
-        String[] cmdArgs = cmd.getArgs();
-
         String inputFile = cmd.getOptionValue("input-file");
         String profileID = cmd.getOptionValue("profile");
 
@@ -330,14 +332,32 @@ public void execute(CommandLine cmd) throws Exception {
 
         if (csrFilename != null) {
 
-            csr = loadFile(csrFilename);
-            logger.debug("CSR:\n" + csr);
+            byte[] bytes = Files.readAllBytes(Paths.get(csrFilename));
+
+            String requestFormat = cmd.getOptionValue("request-format");
+            if (requestFormat == null || "PEM".equalsIgnoreCase(requestFormat)) {
+                bytes = CertUtil.parseCSR(new String(bytes));
+
+            } else if ("DER".equalsIgnoreCase(requestFormat)) {
+                // nothing to do
+
+            } else {
+                throw new Exception("Unsupported request format: " + requestFormat);
+            }
 
-            byte[] bytes = CertUtil.parseCSR(csr);
             if ("pkcs10".equals(requestType)) {
                 pkcs10 = new PKCS10(bytes);
+                csr = CertUtil.toPEM(pkcs10);
+
+            } else if ("crmf".equals(requestType)) {
+                csr = CertUtil.encodeCRMF(bytes);
+
+            } else {
+                throw new Exception("Unsupported request type: " + requestType);
             }
 
+            logger.debug("CSR:\n" + csr);
+
             for (ProfileInput input : request.getInputs()) {
                 ProfileAttribute csrAttr = input.getAttribute("cert_request");
                 if (csrAttr != null) {