Class AbstractKeyStorePkiCredentialContainer

java.lang.Object
se.swedenconnect.security.credential.container.AbstractPkiCredentialContainer
se.swedenconnect.security.credential.container.AbstractKeyStorePkiCredentialContainer
All Implemented Interfaces:
PkiCredentialContainer
Direct Known Subclasses:
HsmPkiCredentialContainer, SoftPkiCredentialContainer

public abstract class AbstractKeyStorePkiCredentialContainer extends AbstractPkiCredentialContainer
Abstract implementation of the PkiCredentialContainer interface for implementations that rely on an underlying Java KeyStore.

This abstract class implements all functions that can be implemented independently of whether the actual key store is provided in software or in an HSM.

Author:
Martin Lindström (martin@idsec.se), Stefan Santesson (stefan@idsec.se)
  • Constructor Details

    • AbstractKeyStorePkiCredentialContainer

      public AbstractKeyStorePkiCredentialContainer(Provider provider, String password) throws KeyStoreException
      Constructor for the multi-credential key store.
      Parameters:
      provider - the provider that is used to create and manage keys
      password - the PIN for the associated key container (may be null if a container that does not require a password is used)
      Throws:
      KeyStoreException - error initiating the key store
  • Method Details

    • createKeyStore

      protected abstract KeyStore createKeyStore(Provider provider, char[] password) throws KeyStoreException
      Creates the key store used to store generated keys.
      Parameters:
      provider - the provider for the key store
      password - the password for the key store
      Returns:
      key store
      Throws:
      KeyStoreException - error creating the key store
    • generateCredential

      public String generateCredential(String keyTypeName) throws KeyException, NoSuchAlgorithmException, CertificateException
      Generates a key pair and self-issued certificate for a new credential in the container.

      Note that self-issued certificates may be replaced after a credential has been generated. This is typically done after a CA has issued a certificate for the key pair.

      Parameters:
      keyTypeName - the id of the type of key to generate as provided by KeyGenType
      Returns:
      the alias for the generated key
      Throws:
      KeyException - on errors generating the key
      NoSuchAlgorithmException - if the requested algorithm or key type is not supported
      CertificateException - on errors creating a certificate for the generated key
    • getCredential

      public final PkiCredential getCredential(String alias) throws PkiCredentialContainerException
      Gets the credential for a specific alias from the credential container.
      Parameters:
      alias - the alias of the credential to get
      Returns:
      credential for the specified alias
      Throws:
      PkiCredentialContainerException - for errors obtaining the requested credential
    • getCredentialFromAlias

      protected abstract PkiCredential getCredentialFromAlias(String alias) throws PkiCredentialContainerException
      Gets the credential for a specific alias from the credential container.
      Parameters:
      alias - the alias of the credential to get
      Returns:
      credential for the specified alias
      Throws:
      PkiCredentialContainerException - for errors obtaining the requested credential
    • deleteCredential

      public void deleteCredential(String alias) throws PkiCredentialContainerException
      Deletes the credential specified by the supplied alias.

      The "normal" way of deleting a credential is to invoke its DisposableBean.destroy() method. The deleteCredential method is mainly for internal (and external) container maintenance.

      Parameters:
      alias - the alias of the credential to delete
      Throws:
      PkiCredentialContainerException - error deleting the credential
    • getExpiryTime

      public Instant getExpiryTime(String alias) throws PkiCredentialContainerException
      Gets the expiry time of the credential specified by alias.
      Parameters:
      alias - alias of the requested credential
      Returns:
      expiry time for the specified credential or null if the credential never expires
      Throws:
      PkiCredentialContainerException - error obtaining the expiry time
    • listCredentials

      public List<String> listCredentials() throws PkiCredentialContainerException
      Gets all available credential aliases from the multi-credential key store.
      Returns:
      list of credential aliases
      Throws:
      PkiCredentialContainerException - error listing available credentials
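      The following is an added example of the credential lifecycle described by the methods above (generate, get, expiry check, list, delete); it is not code from the credentials-support library or this page. It assumes that SoftPkiCredentialContainer exposes a (Provider, String) constructor mirroring the abstract one, that KeyGenType lives in the se.swedenconnect.security.credential.container.keytype package, and that KeyGenType.EC_P256 and KeyGenType.RSA_3072 are valid key-type identifiers; none of that is stated on this page.

```java
import java.security.Provider;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.List;

import org.bouncycastle.jce.provider.BouncyCastleProvider;

import se.swedenconnect.security.credential.PkiCredential;
import se.swedenconnect.security.credential.container.PkiCredentialContainer;
import se.swedenconnect.security.credential.container.SoftPkiCredentialContainer;
import se.swedenconnect.security.credential.container.keytype.KeyGenType;

/**
 * Walks credentials through a software container: generate, fetch, inspect, list, remove.
 * Assumptions (not confirmed by the documentation page): SoftPkiCredentialContainer has a
 * (Provider, String) constructor, and KeyGenType defines EC_P256 and RSA_3072.
 */
public class ContainerLifecycleExample {

  public static void main(String[] args) throws Exception {
    Provider provider = new BouncyCastleProvider();
    // The password is the PIN of the container; null is only acceptable for key stores
    // that do not require one.
    PkiCredentialContainer container = new SoftPkiCredentialContainer(provider, "container-pin");

    // Each call creates a key pair plus a self-issued certificate and returns the alias
    // that the container assigned to the new credential.
    String ecAlias = container.generateCredential(KeyGenType.EC_P256);
    String rsaAlias = container.generateCredential(KeyGenType.RSA_3072);

    // Fetch a credential by alias and look at its self-issued certificate.
    PkiCredential ec = container.getCredential(ecAlias);
    X509Certificate selfIssued = ec.getCertificate();
    System.out.println("alias   = " + ecAlias);
    System.out.println("subject = " + selfIssued.getSubjectX500Principal());
    System.out.println("sigalg  = " + selfIssued.getSigAlgName());

    // getExpiryTime() returns null for a credential that never expires, so handle that
    // before comparing against the clock.
    Instant expiry = container.getExpiryTime(ecAlias);
    boolean validNow = expiry == null || Instant.now().isBefore(expiry);
    System.out.println("expires = " + (expiry == null ? "never" : expiry) + ", valid now: " + validNow);

    List<String> aliases = container.listCredentials();
    System.out.println("aliases before cleanup: " + aliases);

    // Normal removal: destroy the credential (DisposableBean). The container stops listing it.
    ec.destroy();
    if (container.listCredentials().contains(ecAlias)) {
      throw new IllegalStateException("credential should be gone after destroy()");
    }

    // Maintenance removal: delete by alias without holding a PkiCredential object, for
    // example when sweeping aliases whose expiry time has already passed.
    for (String alias : container.listCredentials()) {
      Instant e = container.getExpiryTime(alias);
      if (e != null && e.isBefore(Instant.now())) {
        container.deleteCredential(alias);
      }
    }
    container.deleteCredential(rsaAlias);
    System.out.println("aliases after cleanup: " + container.listCredentials());
  }
}
```

      The sweep loop is the situation deleteCredential exists for: a credential object may have been lost (for example after a restart) while its key is still in the store, so maintenance code has to work from aliases alone. In normal application code, destroy() on the credential is the path to use.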
    • getPassword

      protected char[] getPassword()
      Gets the password for accessing the key store keys.
      Returns:
      the password
    • getKeyStore

      protected KeyStore getKeyStore()
      Gets the key store instance where all generated keys are stored.
      Returns:
      the key store
    • getAlgorithmName

      protected String getAlgorithmName(KeyPair keyPair)
      Overridable method that provides the JCA name of the signature algorithm used to sign the self-issued certificate associated with a generated key.
      Parameters:
      keyPair - generated key pair
      Returns:
      the JCA signature algorithm name suitable for use with the key pair
    • getX500Name

      protected org.bouncycastle.asn1.x500.X500Name getX500Name(BigInteger alias)
      Overridable method that produces the issuer and subject name for the self-issued certificate. By default this is a name consisting of a single commonName (CN) attribute holding the key alias.
      Parameters:
      alias - the alias of the key for which the certificate is being issued
      Returns:
      X500Name representing the alias
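      As an added example of overriding the two hooks above (getAlgorithmName and getX500Name), the subclass below is not code from the credentials-support library. It assumes that SoftPkiCredentialContainer is non-final and has a (Provider, String) constructor; the organization attribute and the "key-" prefix are choices made for this illustration only.

```java
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyStoreException;
import java.security.Provider;
import java.security.PublicKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.X500NameBuilder;
import org.bouncycastle.asn1.x500.style.BCStyle;

import se.swedenconnect.security.credential.container.SoftPkiCredentialContainer;

/**
 * Container whose self-issued certificates carry an organisation name and are signed with a
 * signature algorithm matched to the generated key type.
 * Assumption: SoftPkiCredentialContainer is non-final and exposes a (Provider, String) constructor.
 */
public class OrganizationNamedContainer extends SoftPkiCredentialContainer {

  private final String organization;

  public OrganizationNamedContainer(Provider provider, String password, String organization)
      throws KeyStoreException {
    super(provider, password);
    this.organization = organization;
  }

  @Override
  protected String getAlgorithmName(KeyPair keyPair) {
    PublicKey pub = keyPair.getPublic();
    if (pub instanceof ECPublicKey) {
      // Match the hash to the curve size so the signature is not weaker than the key.
      int fieldBits = ((ECPublicKey) pub).getParams().getCurve().getField().getFieldSize();
      return fieldBits >= 384 ? "SHA384withECDSA" : "SHA256withECDSA";
    }
    if (pub instanceof RSAPublicKey) {
      return "SHA256withRSA";
    }
    // Any other key type (e.g. EdDSA): keep the library's default choice rather than
    // returning an algorithm name the key cannot be used with.
    return super.getAlgorithmName(keyPair);
  }

  @Override
  protected X500Name getX500Name(BigInteger alias) {
    // The name is only a label on a self-issued certificate; nothing should treat it as an
    // identity assertion. The alias stays in CN so an operator can map certificate to key.
    return new X500NameBuilder(BCStyle.INSTANCE)
        .addRDN(BCStyle.O, this.organization)
        .addRDN(BCStyle.CN, "key-" + alias.toString(16))
        .build();
  }
}
```

      Used in place of SoftPkiCredentialContainer, generateCredential will sign each self-issued certificate with the algorithm returned here, which can be verified on the fetched credential with getCertificate().getSigAlgName(). The fallback to super for unrecognised key types matters: returning a signature algorithm that does not fit the key makes generateCredential fail with a CertificateException after the key has already been created.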