Class PkiCredentialCollection
java.lang.Object
se.swedenconnect.security.credential.PkiCredentialCollection
A collection of PkiCredential instances.
This class may be used as a bean for a system that uses several different keys, for example a SAML IdP that has a
signature key, an encryption key and possibly other keys. By using the predefined Predicates, a credential
having the desired properties can be located.
Author: Martin Lindström
Field Summary
All fields have the type static Predicate<PkiCredential>:
- encryptionUsage: Predicate that checks if the credential has the PkiCredential.Metadata.USAGE_ENCRYPTION usage.
- forFutureSigning: Predicate that tells if a credential is intended to be the signing credential in the future.
- isActive: Predicate that checks if the credential is "active", meaning that the current time is within the PkiCredential.Metadata.ACTIVE_FROM_PROPERTY and PkiCredential.Metadata.ACTIVE_TO_PROPERTY properties.
- isEc: Predicate that tells whether a credential holds an EC key.
- isHardwareCredential: Predicate that tells whether a credential is a hardware credential, i.e., stored on an HSM.
- isNotYetActive: Predicate that tells whether the credential is "not yet active", meaning that the PkiCredential.Metadata.ACTIVE_FROM_PROPERTY setting is after the current time.
- isRsa: Predicate that tells whether a credential holds an RSA key.
- noLongerActive: Predicate that checks if the credential is no longer active, meaning that a PkiCredential.Metadata.ACTIVE_TO_PROPERTY setting is before the current time.
- signatureUsage: Predicate that checks if the credential has the PkiCredential.Metadata.USAGE_SIGNING usage.
- unspecifiedUsage: Predicate that checks if the credential does not have a specified usage.
Constructor Summary
- PkiCredentialCollection(credentials): Constructor; credentials are the credentials to store in the collection.
Method Summary
- void addCredential(PkiCredential credential): Adds a credential to the collection.
- getCredential(Predicate<PkiCredential> predicate): Returns the first credential of the collection whose properties meet the supplied Predicate.
- getCredentialForSigning(): Method that finds a credential suitable for signing.
- getCredentials(): Gets an unmodifiable list of all credentials held in the collection.
- getCredentials(Predicate<PkiCredential> predicate): Returns all credentials whose properties meet the supplied Predicate.
- getCredentialsForEncryption(): Method that finds credentials suitable for encryption (and decryption).
- static Predicate<PkiCredential> keyId(kid): Method that returns a Predicate that checks if a credential has a given key ID.
- removeCredentials(Predicate<PkiCredential> predicate): Removes all credentials matching the supplied Predicate.
- static Predicate<PkiCredential> usage(usage): Method that returns a Predicate that checks if a credential has a given usage.
Field Details

isRsa
Predicate that tells whether a credential holds an RSA key.

isEc
Predicate that tells whether a credential holds an EC key.

isHardwareCredential
Predicate that tells whether a credential is a hardware credential, i.e., stored on an HSM.

signatureUsage
Predicate that checks if the credential has the PkiCredential.Metadata.USAGE_SIGNING usage.

encryptionUsage
Predicate that checks if the credential has the PkiCredential.Metadata.USAGE_ENCRYPTION usage.

unspecifiedUsage
Predicate that checks if the credential does not have a specified usage.

isActive
Predicate that checks if the credential is "active", meaning that the current time is within the PkiCredential.Metadata.ACTIVE_FROM_PROPERTY and PkiCredential.Metadata.ACTIVE_TO_PROPERTY properties. If no such properties are set, the credential is assumed to be active.

noLongerActive
Predicate that checks if the credential is no longer active, meaning that a PkiCredential.Metadata.ACTIVE_TO_PROPERTY setting is before the current time.

isNotYetActive
Predicate that tells whether the credential is "not yet active", meaning that the PkiCredential.Metadata.ACTIVE_FROM_PROPERTY setting is after the current time.

forFutureSigning
Predicate that tells if a credential is intended to be the signing credential in the future.
Constructor Details

PkiCredentialCollection
Constructor.
- Parameters: credentials - the credentials to store in the collection
Method Details

getCredentials
Gets an unmodifiable list of all credentials held in the collection.
- Returns: the credentials

getCredential
Returns the first credential of the collection whose properties meet the supplied Predicate.
- Parameters: predicate - the Predicate
- Returns: the first credential whose properties meet the supplied predicate, or null if no match is found

getCredentials
Returns all credentials whose properties meet the supplied Predicate.
- Parameters: predicate - the Predicate
- Returns: an unmodifiable list of all matching credentials (may be empty)

addCredential
Adds a credential to the collection.
- Parameters: credential - the credential to add

removeCredentials
Removes all credentials matching the supplied Predicate.
- Parameters: predicate - the Predicate
- Returns: a list of the credentials that were removed from the collection

keyId
Method that returns a Predicate that checks if a credential has a given key ID. The implementation will look for the credential metadata entry "key-id".
- Parameters: kid - the key ID to check for
- Returns: a Predicate

usage
Method that returns a Predicate that checks if a credential has a given usage. The implementation will look for the credential metadata entry PkiCredential.Metadata.USAGE_PROPERTY.
- Parameters: usage - the usage to check
- Returns: a Predicate

getCredentialForSigning
Method that finds a credential suitable for signing. It first tries to find an active credential with the usage set to PkiCredential.Metadata.USAGE_SIGNING, and if no such credential is found, an active credential with no specified usage.
- Returns: a PkiCredential or null

getCredentialsForEncryption
Method that finds credentials suitable for encryption (and decryption).
- Returns: a (possibly empty) list of credentials
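As an added example (not code from this page or from the credentials-support project), the following combines the predefined predicates to select a signing credential in the same fallback order as getCredentialForSigning but restricted to HSM-backed keys, lists credentials staged for future signing, and evicts expired ones. It assumes the constructor accepts a List<PkiCredential>, that PkiCredential exposes getName(), and that a hypothetical loadConfiguredCredentials() helper supplies the configured credentials.

```java
import java.util.List;
import java.util.Optional;
import java.util.function.Predicate;

import se.swedenconnect.security.credential.PkiCredential;
import se.swedenconnect.security.credential.PkiCredentialCollection;

import static se.swedenconnect.security.credential.PkiCredentialCollection.*;

public class SigningCredentialSelector {

  // Prefer an active, hardware-backed key with the signing usage; fall back to
  // an active hardware key with no declared usage (the order getCredentialForSigning
  // uses). A key marked for encryption only is never returned.
  static Optional<PkiCredential> selectHardwareSigner(final PkiCredentialCollection credentials) {
    final Predicate<PkiCredential> usable = isActive.and(isHardwareCredential);
    PkiCredential chosen = credentials.getCredential(usable.and(signatureUsage));
    if (chosen == null) {
      chosen = credentials.getCredential(usable.and(unspecifiedUsage));
    }
    return Optional.ofNullable(chosen);
  }

  // Keys staged to take over signing later (rollover candidates), so that an
  // operator can confirm their ACTIVE_FROM date precedes the current key's ACTIVE_TO.
  static List<PkiCredential> pendingSigners(final PkiCredentialCollection credentials) {
    return credentials.getCredentials(forFutureSigning.and(isNotYetActive));
  }

  // Remove keys past their ACTIVE_TO date so no lookup can return them.
  static List<PkiCredential> evictExpired(final PkiCredentialCollection credentials) {
    return credentials.removeCredentials(noLongerActive);
  }

  public static void main(final String[] args) {
    // Hypothetical helper (assumption): in a deployment the list comes from configuration.
    final List<PkiCredential> configured = loadConfiguredCredentials();
    final PkiCredentialCollection collection = new PkiCredentialCollection(configured);

    evictExpired(collection).forEach(c -> System.out.println("Evicted expired key: " + c.getName()));
    selectHardwareSigner(collection).ifPresentOrElse(
        c -> System.out.println("Signing with: " + c.getName()),
        () -> System.out.println("No usable hardware-backed signing credential"));
    pendingSigners(collection).forEach(c -> System.out.println("Staged for signing: " + c.getName()));
  }

  // Placeholder for the configuration loader assumed above.
  private static List<PkiCredential> loadConfiguredCredentials() {
    throw new UnsupportedOperationException("load PkiCredential instances from your configuration");
  }
}
```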