Class AbstractKeyStorePkiCredentialContainer

java.lang.Object
  se.swedenconnect.security.credential.container.AbstractPkiCredentialContainer
    se.swedenconnect.security.credential.container.AbstractKeyStorePkiCredentialContainer

- All Implemented Interfaces: PkiCredentialContainer
- Direct Known Subclasses: HsmPkiCredentialContainer, SoftPkiCredentialContainer

Abstract implementation of the PkiCredentialContainer interface for implementations that rely on an underlying Java KeyStore.

This abstract implementation implements all functions that can be implemented independently of whether the actual key store is provided in software or in an HSM.

- Author: Martin Lindström (martin@idsec.se), Stefan Santesson (stefan@idsec.se)
Field Summary

- Fields inherited from class se.swedenconnect.security.credential.container.AbstractPkiCredentialContainer: DEFAULT_SUPPORTED_KEY_TYPES
Constructor Summary

- AbstractKeyStorePkiCredentialContainer(Provider provider, String password): Constructor for the multi credential key store.

Method Summary

- protected abstract KeyStore createKeyStore(Provider provider, char[] password): Creates the key store used to store generated keys.
- void deleteCredential(String alias): Deletes the credential specified by the supplied alias.
- String generateCredential(String keyTypeName): Generates a key pair and self-issued certificate for a new credential in the container.
- protected String getAlgorithmName(KeyPair keyPair): Overridable method to provide the JCA algorithm name of the algorithm used to sign the self-signed certificate associated with a generated key.
- final PkiCredential getCredential(String alias): Gets the credential for a specific alias from the credential container.
- protected abstract PkiCredential getCredentialFromAlias(String alias): Gets the credential for a specific alias from the credential container.
- getExpiryTime(String alias): Gets the expiry time of the credential specified by alias.
- protected KeyStore getKeyStore(): Gets the key store instance where all generated keys are stored.
- protected char[] getPassword(): Gets the password for accessing the key store keys.
- protected org.bouncycastle.asn1.x500.X500Name getX500Name(BigInteger alias): Overridable function to produce the issuer and subject name for the self-issued certificate.
- listCredentials(): Gets all available credential aliases from the multi credential key store.

- Methods inherited from class se.swedenconnect.security.credential.container.AbstractPkiCredentialContainer: cleanup, generateAlias, getKeyGeneratorFactory, getKeyValidity, getProvider, isExpired, setKeyValidity, setSupportedKeyTypes
Constructor Details

AbstractKeyStorePkiCredentialContainer

public AbstractKeyStorePkiCredentialContainer(Provider provider, String password) throws KeyStoreException

Constructor for the multi credential key store.
- Parameters:
  - provider - the provider that is used to create and manage keys
  - password - the PIN for the associated key container (may be null if a container that does not require a password is used)
- Throws:
  - KeyStoreException - error initiating the key store
Method Details

createKeyStore

protected abstract KeyStore createKeyStore(Provider provider, char[] password) throws KeyStoreException

Creates the key store used to store generated keys.
- Parameters:
  - provider - the provider for the key store
  - password - the password for the key store
- Returns:
  - key store
- Throws:
  - KeyStoreException - error creating the key store
generateCredential

public String generateCredential(String keyTypeName) throws KeyException, NoSuchAlgorithmException, CertificateException

Generates a key pair and self-issued certificate for a new credential in the container.

Note that self-issued certificates may be replaced after a credential has been generated. This is typically done after a CA has issued a certificate for the key pair.
- Parameters:
  - keyTypeName - the id of the type of key to generate as provided by KeyGenType
- Returns:
  - the alias for the generated key
- Throws:
  - KeyException - on errors generating the key
  - NoSuchAlgorithmException - if the requested algorithm or key type is not supported
  - CertificateException - on errors creating a certificate for the generated key
getCredential

Gets the credential for a specific alias from the credential container.
- Parameters:
  - alias - the alias of the credential to get
- Returns:
  - credential for the specified alias
- Throws:
  - PkiCredentialContainerException - for errors obtaining the requested credential
getCredentialFromAlias

protected abstract PkiCredential getCredentialFromAlias(String alias) throws PkiCredentialContainerException

Gets the credential for a specific alias from the credential container.
- Parameters:
  - alias - the alias of the credential to get
- Returns:
  - credential for the specified alias
- Throws:
  - PkiCredentialContainerException - for errors obtaining the requested credential
deleteCredential

Deletes the credential specified by the supplied alias.

The "normal" way of deleting a credential is to invoke its DisposableBean.destroy() method. The deleteCredential method is mainly for internal (and external) container maintenance.
- Parameters:
  - alias - the alias of the credential to delete
- Throws:
  - PkiCredentialContainerException - error deleting the credential
getExpiryTime

Gets the expiry time of the credential specified by alias.
- Parameters:
  - alias - alias of the requested credential
- Returns:
  - expiry time for the specified credential, or null if the credential never expires
- Throws:
  - PkiCredentialContainerException - error obtaining the expiry time
listCredentials

Gets all available credential aliases from the multi credential key store.
- Returns:
  - list of credential aliases
- Throws:
  - PkiCredentialContainerException - error listing available credentials
getPassword

protected char[] getPassword()

Gets the password for accessing the key store keys.
- Returns:
  - the password
getKeyStore

Gets the key store instance where all generated keys are stored.
- Returns:
  - the key store
getAlgorithmName

Overridable method to provide the JCA algorithm name of the algorithm used to sign the self-signed certificate associated with a generated key.
- Parameters:
  - keyPair - generated key pair
- Returns:
  - the JCA algorithm name suitable for use with the key pair
getX500Name

Overridable function to produce the issuer and subject name for the self-issued certificate. By default this is a distinguished name whose commonName is the key alias.
- Parameters:
  - alias - the alias of the key for which the certificate is being issued
- Returns:
  - X500Name representing the alias
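As an added example (not part of the library's own documentation or code), a minimal software-backed subclass that implements the two abstract methods above and then exercises the inherited lifecycle: generate a short-lived credential, read its expiry, fetch it, and delete it. It assumes a KeyStoreCredential(KeyStore, String alias, char[] keyPassword) constructor, a Duration argument to setKeyValidity, a (String, Throwable) constructor on PkiCredentialContainerException, and "RSA-3072" as a KeyGenType name; none of these are stated on this page.

```java
import java.io.IOException;
import java.security.*;
import java.security.cert.CertificateException;
import java.time.Duration;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import se.swedenconnect.security.credential.KeyStoreCredential;
import se.swedenconnect.security.credential.PkiCredential;
import se.swedenconnect.security.credential.container.AbstractKeyStorePkiCredentialContainer;
import se.swedenconnect.security.credential.container.PkiCredentialContainerException;

// Software-backed subclass: only the two abstract methods are backend specific.
// Key generation, listing, expiry and deletion are inherited from the base class.
public class DemoKeyStoreContainer extends AbstractKeyStorePkiCredentialContainer {
  public DemoKeyStoreContainer(Provider provider, String password) throws KeyStoreException {
    super(provider, password);
  }

  @Override
  protected KeyStore createKeyStore(Provider provider, char[] password) throws KeyStoreException {
    try {
      // In-memory PKCS12 store: generated private keys never touch disk in this demo.
      KeyStore ks = KeyStore.getInstance("PKCS12", provider);
      ks.load(null, password);
      return ks;
    } catch (IOException | NoSuchAlgorithmException | CertificateException e) {
      throw new KeyStoreException("Failed to initialise in-memory key store", e);
    }
  }

  @Override
  protected PkiCredential getCredentialFromAlias(String alias) throws PkiCredentialContainerException {
    // ASSUMPTION: KeyStoreCredential(KeyStore, alias, keyPassword) wraps one key store entry.
    try {
      return new KeyStoreCredential(getKeyStore(), alias, getPassword());
    } catch (Exception e) {
      // ASSUMPTION: (String, Throwable) constructor on the container exception.
      throw new PkiCredentialContainerException("No credential for alias " + alias, e);
    }
  }

  public static void main(String[] args) throws Exception {
    DemoKeyStoreContainer container = new DemoKeyStoreContainer(new BouncyCastleProvider(), "secret");
    container.setKeyValidity(Duration.ofMinutes(15)); // ASSUMPTION: Duration argument; keep keys short-lived
    String alias = container.generateCredential("RSA-3072"); // ASSUMPTION: a KeyGenType name
    System.out.println(alias + " expires " + container.getExpiryTime(alias));
    System.out.println("Subject: " + container.getCredential(alias).getCertificate().getSubjectX500Principal());
    container.deleteCredential(alias); // or let the inherited cleanup() remove it once expired
    System.out.println("Remaining aliases: " + container.listCredentials());
  }
}
```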