Class AbstractKeyStorePkiCredentialContainer

java.lang.Object
se.swedenconnect.security.credential.container.AbstractPkiCredentialContainer
se.swedenconnect.security.credential.container.AbstractKeyStorePkiCredentialContainer
All Implemented Interfaces:
PkiCredentialContainer
Direct Known Subclasses:
HsmPkiCredentialContainer, SoftPkiCredentialContainer

public abstract class AbstractKeyStorePkiCredentialContainer extends AbstractPkiCredentialContainer
Abstract implementation of the PkiCredentialContainer interface for implementations that rely on an underlying Java KeyStore.

This abstract implementation provides all functions that can be implemented independently of whether the actual key store is held in software or in an HSM.

Author:
Martin Lindström (martin@idsec.se), Stefan Santesson (stefan@idsec.se)
  • Constructor Details

    • AbstractKeyStorePkiCredentialContainer

      public AbstractKeyStorePkiCredentialContainer(@Nonnull Provider provider, @Nullable String password) throws KeyStoreException
      Constructor for the multi credential key store.
      Parameters:
      provider - the provider that is used to create and manage keys
password - the PIN for the associated key container (may be null if a container that does not require a password is used)
      Throws:
KeyStoreException - error initializing the key store
  • Method Details

    • createKeyStore

      @Nonnull protected abstract KeyStore createKeyStore(@Nonnull Provider provider, @Nullable char[] password) throws KeyStoreException
      Creates the key store used to store generated keys.
      Parameters:
      provider - the provider for the key store
      password - the password for the key store
      Returns:
      key store
      Throws:
      KeyStoreException - error creating the key store
    • generateCredential

      @Nonnull public String generateCredential(@Nonnull String keyTypeName) throws KeyException, NoSuchAlgorithmException, CertificateException
      Generates a key pair and self-issued certificate for a new credential in the container.

      Note that self-issued certificates may be replaced after a credential has been generated. This is typically done after a CA has issued a certificate for the key pair.

      Parameters:
      keyTypeName - the id of the type of key to generate as provided by KeyGenType
      Returns:
      the alias for the generated key
      Throws:
      KeyException - on errors generating the key
      NoSuchAlgorithmException - if the requested algorithm or key type is not supported
      CertificateException - on errors creating a certificate for the generated key
    • getCredential

      @Nonnull public final ManagedPkiCredential getCredential(@Nonnull String alias) throws PkiCredentialContainerException
      Gets the credential for a specific alias from the credential container.
      Parameters:
      alias - the alias of the credential to get
      Returns:
      credential for the specified alias
      Throws:
      PkiCredentialContainerException - for errors obtaining the requested credential
    • getCredentialFromAlias

      @Nonnull protected abstract PkiCredential getCredentialFromAlias(@Nonnull String alias) throws PkiCredentialContainerException
      Gets the credential for a specific alias from the credential container.
      Parameters:
      alias - the alias of the credential to get
      Returns:
      credential for the specified alias
      Throws:
      PkiCredentialContainerException - for errors obtaining the requested credential
    • deleteCredential

      public void deleteCredential(@Nonnull String alias) throws PkiCredentialContainerException
      Deletes the credential specified by the supplied alias.
      Parameters:
      alias - the alias of the credential to delete
      Throws:
      PkiCredentialContainerException - error deleting the credential
    • getExpiryTime

      @Nullable public Instant getExpiryTime(@Nonnull String alias) throws PkiCredentialContainerException
      Gets the expiry time of the credential specified by alias.
      Parameters:
      alias - alias of the requested credential
      Returns:
      expiry time for the specified credential or null if the credential never expires
      Throws:
      PkiCredentialContainerException - error obtaining the expiry time
    • listCredentials

      @Nonnull public List<String> listCredentials()
      Gets all available credential aliases from the multi credential key store.
      Returns:
      list of credential aliases
    • getPassword

      @Nullable protected char[] getPassword()
      Gets the password for accessing the key store keys.
      Returns:
      the password
    • getKeyStore

      @Nonnull protected KeyStore getKeyStore()
      Gets the key store instance where all generated keys are stored.
      Returns:
      the key store
    • getAlgorithmName

      @Nonnull protected String getAlgorithmName(@Nonnull KeyPair keyPair)
Overridable method that returns the JCA algorithm name used to sign the self-signed certificate associated with a generated key.
      Parameters:
      keyPair - generated key pair
      Returns:
the JCA signing algorithm name suitable for use with the key pair
    • getX500Name

      @Nonnull protected org.bouncycastle.asn1.x500.X500Name getX500Name(@Nonnull BigInteger alias)
Overridable method that produces the issuer and subject name for the self-issued certificate. By default, this is a name whose commonName attribute carries the key alias.
      Parameters:
      alias - the alias of the key for which the certificate is being issued
      Returns:
      X500Name representing the alias
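A worked lifecycle example, added here and not part of the library's own documentation: it subclasses SoftPkiCredentialContainer (one of the direct known subclasses listed above) to override the getX500Name hook, then generates a credential, reads it back, checks its expiry, and deletes it. Assumed rather than stated on this page: the SoftPkiCredentialContainer(Provider, String) constructor, the KeyGenType.EC_P256 constant, and the package locations of ManagedPkiCredential and KeyGenType.

```java
import java.math.BigInteger;
import java.security.KeyStoreException;
import java.security.Provider;
import java.time.Instant;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import se.swedenconnect.security.credential.container.ManagedPkiCredential;
import se.swedenconnect.security.credential.container.SoftPkiCredentialContainer;
import se.swedenconnect.security.credential.container.keytype.KeyGenType;

public class CredentialLifecycleExample {

  // Hypothetical subclass: overrides the protected getX500Name hook so the
  // self-issued certificate names the deployment instead of only the bare alias.
  static class NamedSoftContainer extends SoftPkiCredentialContainer {
    NamedSoftContainer(Provider provider, String password) throws KeyStoreException {
      super(provider, password); // assumption: SoftPkiCredentialContainer(Provider, String)
    }
    @Override
    protected X500Name getX500Name(BigInteger alias) {
      return new X500Name("CN=key-" + alias + ",O=Example Org,C=SE");
    }
  }

  public static void main(String[] args) throws Exception {
    // Software key store that needs no PIN, so the password is null (allowed by the constructor).
    SoftPkiCredentialContainer container = new NamedSoftContainer(new BouncyCastleProvider(), null);

    // Generate a key pair and self-issued certificate; the returned alias is the only handle.
    String alias = container.generateCredential(KeyGenType.EC_P256); // assumption: constant name

    ManagedPkiCredential cred = container.getCredential(alias);
    System.out.println("Subject: " + cred.getCertificate().getSubjectX500Principal());
    System.out.println("Listed: " + container.listCredentials().contains(alias));

    // getExpiryTime returns null for a credential that never expires; handle that explicitly.
    Instant expiry = container.getExpiryTime(alias);
    System.out.println("Expires: " + (expiry == null ? "never" : expiry));

    // Remove expired credentials so their private keys do not linger in the key store.
    for (String a : container.listCredentials()) {
      Instant exp = container.getExpiryTime(a);
      if (exp != null && exp.isBefore(Instant.now())) {
        container.deleteCredential(a);
      }
    }
    container.deleteCredential(alias);
    System.out.println("Remaining: " + container.listCredentials().size());
  }
}
```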