From ce7e4f1b108fd30a03401d712693b8a7992ee5d5 Mon Sep 17 00:00:00 2001
From: Tero Saarni
Date: Mon, 9 Oct 2023 13:29:55 +0300
Subject: [PATCH] Allow using uninitialized CA for generating CRL (#18)
---
 .../protonode/certy/CertificateRevocationList.java | 6 +++++-
 .../certy/TestCertificateRevocationList.java | 12 ++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/lib/src/main/java/fi/protonode/certy/CertificateRevocationList.java b/lib/src/main/java/fi/protonode/certy/CertificateRevocationList.java
index 0c70d48..aee07ab 100644
--- a/lib/src/main/java/fi/protonode/certy/CertificateRevocationList.java
+++ b/lib/src/main/java/fi/protonode/certy/CertificateRevocationList.java
@@ -145,11 +145,15 @@ public CertificateRevocationList writeAsPem(Path out) throws IOException, Certif
 private X509CRLHolder generateCrl() throws CertificateException, NoSuchAlgorithmException {
 if (this.issuer == null) {
 if (this.revoked.isEmpty()) {
- throw new IllegalArgumentException("issuer not known: either set issuer or add certificates to the CRL");
+ throw new IllegalArgumentException(
+ "issuer not known: either set issuer or add certificates to the CRL");
 }
 this.issuer = this.revoked.get(0).issuer;
 }
 
+ // Ensure that the issuer has a key pair.
+ this.issuer.ensureGenerated();
+
 Date effectiveRevocationTime = new Date();
 if (this.thisUpdate != null) {
 effectiveRevocationTime = this.thisUpdate;
diff --git a/lib/src/test/java/fi/protonode/certy/TestCertificateRevocationList.java b/lib/src/test/java/fi/protonode/certy/TestCertificateRevocationList.java
index fc6188c..64250f4 100644
--- a/lib/src/test/java/fi/protonode/certy/TestCertificateRevocationList.java
+++ b/lib/src/test/java/fi/protonode/certy/TestCertificateRevocationList.java
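Review bot: `this.issuer.ensureGenerated()` is called with whatever `this.revoked.get(0).issuer` held, so if a revoked credential carries no issuer (presumably a self-signed one; Credential is not shown here), the new line fails with a bare NullPointerException instead of the IllegalArgumentException the method raises two lines earlier for the same "issuer not known" condition; guard the derived value, e.g. `if (this.issuer == null) { throw new IllegalArgumentException("issuer not known: first revoked certificate has no issuer"); }`. The call also mutates the caller's Credential as a side effect of building a CRL, which is worth stating in generateCrl's Javadoc and in the new comment, e.g. `// Generates the issuer's key material if the caller has not done so yet; this mutates the supplied Credential.` (what exactly ensureGenerated produces is not visible in the hunk). generateCrl's body continues past the end of the hunk.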
@@ -127,4 +127,16 @@ public void testWritingPem(@TempDir Path tempDir) throws Exception {
 assertFalse(got.isRevoked(notRevokedCert.getCertificate()));
 }
 
+ @Test
+ public void testUninitializedCaCertificate(@TempDir Path tempDir) throws Exception {
+ Credential uninitialized = new Credential().subject("cn=ca"); // We have not called generate() yet.
+ assertDoesNotThrow(() -> new CertificateRevocationList().issuer(uninitialized).writeAsPem(tempDir.resolve("crl.pem")));
+ }
+
+ @Test
+ public void testUninitializedRevokedCertificate(@TempDir Path tempDir) throws Exception {
+ Credential uninitialized = new Credential().issuer(ca).subject("cn=uninitialized"); // We have not called generate() yet.
+ assertDoesNotThrow(() -> new CertificateRevocationList().issuer(ca).add(uninitialized).writeAsPem(tempDir.resolve("crl.pem")));
+ }
+
 }
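Review bot: Both new tests assert only that `writeAsPem` does not throw, so a regression that writes an empty or unusable CRL for an uninitialized credential would still pass; load the written file back the way `testWritingPem` obtains `got` earlier in this class and assert `got.isRevoked(uninitialized.getCertificate())` in testUninitializedRevokedCertificate, and in testUninitializedCaCertificate check that the CRL's issuer matches the certificate that `uninitialized` now carries after generation. The two `assertDoesNotThrow` lines are well over the usual line limit; breaking the builder chain after `.issuer(...)` would match the rest of the file. The `ca` field and the helper that produces `got` are defined outside this hunk, so the exact calls depend on them.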