authorFraser Tweedale <ftweedal@redhat.com>2016-06-04 20:49:38 +1000
committerEndi S. Dewata <edewata@redhat.com>2016-06-05 19:44:21 +0200
commit78d755f5452e92ac2a8bd1ea5fbf6b8b014934a3 (patch)
treeac6c2fbff02bbf34e87b4fd2b8eb2c6b8d661697 /base/ca/src/com
parentcb9eb967b5e24f5fde8bbf8ae87aa615b7033db7 (diff)
Modify ExternalProcessKeyRetriever to read JSON
The ExternalProcessKeyRetriever currently uses a hackish format where the certificate and PKIArchiveOptions data are separated by a null byte. Update the code to expect JSON instead. No backwards compatibility is provided because at time of writing the ExternalProcessKeyRetriever is only used in a FreeIPA feature still under development. Fixes: https://fedorahosted.org/pki/ticket/2351
Diffstat (limited to 'base/ca/src/com')
-rw-r--r--base/ca/src/com/netscape/ca/ExternalProcessKeyRetriever.java37
1 files changed, 22 insertions, 15 deletions
diff --git a/base/ca/src/com/netscape/ca/ExternalProcessKeyRetriever.java b/base/ca/src/com/netscape/ca/ExternalProcessKeyRetriever.java
index 6aee9716e..a1b774852 100644
--- a/base/ca/src/com/netscape/ca/ExternalProcessKeyRetriever.java
+++ b/base/ca/src/com/netscape/ca/ExternalProcessKeyRetriever.java
@@ -18,6 +18,8 @@
package com.netscape.ca;
+import java.io.IOException;
+import java.io.InputStream;
import java.lang.Process;
import java.lang.ProcessBuilder;
import java.util.Collection;
@@ -26,6 +28,9 @@ import java.util.Stack;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang.ArrayUtils;
+import org.codehaus.jackson.map.ObjectMapper;
+import org.codehaus.jackson.JsonNode;
+
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.EPropertyNotFound;
@@ -65,21 +70,7 @@ public class ExternalProcessKeyRetriever implements KeyRetriever {
int exitValue = p.waitFor();
if (exitValue != 0)
continue;
-
- /* Read a PEM-encoded certificate and a base64-encoded
- * PKIArchiveOptions containing the wrapped private key,
- * separated by a null byte.
- */
- byte[] output = IOUtils.toByteArray(p.getInputStream());
- int splitIndex = ArrayUtils.indexOf(output, (byte) 0);
- if (splitIndex == ArrayUtils.INDEX_NOT_FOUND) {
- CMS.debug("Invalid output: null byte not found");
- continue;
- }
- return new Result(
- ArrayUtils.subarray(output, 0, splitIndex),
- ArrayUtils.subarray(output, splitIndex + 1, output.length)
- );
+ return parseResult(p.getInputStream());
} catch (Throwable e) {
CMS.debug("Caught exception while executing command: " + e);
} finally {
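Review bot: The removed lines were the only visible users of `ArrayUtils` (indexOf, INDEX_NOT_FOUND, subarray), so the `org.apache.commons.lang.ArrayUtils` import kept in the second hunk is now likely unused and should be dropped unless the rest of the file still references it; `IOUtils` may be in the same situation. Note also that a malformed response now surfaces as a `RuntimeException` from `parseResult` and lands in the pre-existing `catch (Throwable e)` below, which logs only "Caught exception while executing command" before moving to the next host; the old code logged a specific "Invalid output" message, so consider catching the parse failure separately to keep that diagnostic. The enclosing method starts and ends outside this hunk.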
@@ -89,4 +80,20 @@ public class ExternalProcessKeyRetriever implements KeyRetriever {
CMS.debug("Failed to retrieve key from any host.");
return null;
}
+
+ /* Read a PEM-encoded certificate and a base64-encoded
+ * PKIArchiveOptions containing the wrapped private key.
+ * Data is expected to be a JSON object with keys "certificate"
+ * and "wrapped_key".
+ */
+ private Result parseResult(InputStream in) throws IOException {
+ JsonNode root = (new ObjectMapper()).readTree(in);
+ String cert = root.path("certificate").getTextValue();
+ byte[] pao = root.path("wrapped_key").getBinaryValue();
+ if (cert == null)
+ throw new RuntimeException("missing \"certificate\" field");
+ if (pao == null)
+ throw new RuntimeException("missing \"wrapped_key\" field");
+ return new Result(cert.getBytes(), pao);
+ }
}
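Review bot: `parseResult` changes what the second `Result` argument holds: the removed code passed the raw base64 text bytes through, whereas `root.path("wrapped_key").getBinaryValue()` has Jackson decode the base64 and hands the decoded bytes to `Result`. The header comment still describes the value as "a base64-encoded PKIArchiveOptions", so either the consumer of `Result` was updated to expect decoded DER (confirm, it is not visible here) or this should read `byte[] pao = root.path("wrapped_key").getTextValue().getBytes(...)` with a null check on the text first. Separately, `cert.getBytes()` uses the platform default charset; since the value is PEM text, make the encoding explicit with `return new Result(cert.getBytes(StandardCharsets.US_ASCII), pao);` and add the `java.nio.charset.StandardCharsets` import. A "certificate" value that is present but not a JSON string also yields null from `getTextValue()` and is reported as missing, which is acceptable but worth noting in the comment.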