Interface PkiCredentialContainer

All Known Implementing Classes:
AbstractKeyStorePkiCredentialContainer, AbstractPkiCredentialContainer, HsmPkiCredentialContainer, InMemoryPkiCredentialContainer, SoftPkiCredentialContainer

public interface PkiCredentialContainer
This interface defines the function of a multi credential container with keys that are contained and managed inside the container for its entire lifetime.

The primary use case for this credential container is with an HSM: ephemeral key credentials are generated inside the HSM, used for a short period of time and then deleted without ever leaving the HSM. A typical scenario is a signature service where the signing key is generated, used only once and then destroyed, in order to guarantee that the key can never be used in any other process for any other purpose.

While the primary use case is with an HSM, the container may also be implemented using a software-based key store for implementations with lower security demands, or for testing and prototyping.
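
The generate, sign once, destroy lifecycle described above, as an added Java example (not code from this library or its authors). It assumes the package name in the import and that the credential returned by getCredential exposes getPrivateKey(); the class name OneTimeSigner and the jcaAlgorithm parameter are hypothetical.

```java
import java.security.Signature;

// Assumption: package of the interface documented on this page.
import se.swedenconnect.security.credential.container.PkiCredentialContainer;

/** Hypothetical helper: one key per signature, removed from the container afterwards. */
public final class OneTimeSigner {

  private final PkiCredentialContainer container;

  public OneTimeSigner(final PkiCredentialContainer container) {
    this.container = container;
  }

  /**
   * @param keyTypeName  key type id accepted by generateCredential (supplied by the caller)
   * @param jcaAlgorithm JCA signature algorithm that matches the key type
   * @param data         the bytes to sign
   * @return the signature value
   */
  public byte[] signOnce(final String keyTypeName, final String jcaAlgorithm, final byte[] data)
      throws Exception {

    // The key pair is created inside the container (inside the HSM for an HSM-backed one).
    final String alias = this.container.generateCredential(keyTypeName);
    try {
      final var credential = this.container.getCredential(alias);

      // Assumption: getPrivateKey() exists on the credential. For an HSM key this is
      // a handle only; the signing operation itself is carried out by the device.
      final Signature signature = Signature.getInstance(jcaAlgorithm);
      signature.initSign(credential.getPrivateKey());
      signature.update(data);
      final byte[] result = signature.sign();

      // The "normal" deletion path named in the deleteCredential documentation.
      credential.destroy();
      return result;
    }
    finally {
      // Runs on success and on failure: a key that is still listed (signing failed,
      // or destroy() threw) is removed by alias so it cannot be used a second time.
      if (this.container.listCredentials().contains(alias)) {
        this.container.deleteCredential(alias);
      }
    }
  }
}
```

A short setKeyValidity duration combined with periodic cleanup() calls covers keys that are orphaned when the process dies between generation and deletion.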

Author:
Martin Lindström (martin@idsec.se), Stefan Santesson (stefan@idsec.se)
  • Method Summary

    Modifier and Type  Method                                                Description
    void               cleanup()                                             Traverses through all credentials in the multi credential key store and deletes the expired ones.
    void               deleteCredential(String alias)                        Deletes the credential specified by the supplied alias.
    String             generateCredential(String keyTypeName)                Generates a key pair and self-issued certificate for a new credential in the container.
                       getCredential(String alias)                           Gets the credential for a specific alias from the credential container.
    Instant            getExpiryTime(String alias)                           Gets the expiry time of the credential specified by alias.
    List<String>       listCredentials()                                     Gets all available credential aliases from the multi credential key store.
    void               setKeyValidity(Duration keyValidity)                  Assigns the duration for the validity of generated credentials.
    void               setSupportedKeyTypes(List<String> supportedKeyTypes)  Assigns the key types that this container supports.
  • Method Details

    • generateCredential

      String generateCredential(String keyTypeName) throws KeyException, NoSuchAlgorithmException, CertificateException
      Generates a key pair and self-issued certificate for a new credential in the container.

      Note that self-issued certificates may be replaced after a credential has been generated. This is typically done after a CA has issued a certificate for the key pair.

      Parameters:
      keyTypeName - the id of the type of key to generate as provided by KeyGenType
      Returns:
      the alias for the generated key
      Throws:
      KeyException - on errors generating the key
      NoSuchAlgorithmException - if the requested algorithm or key type is not supported
      CertificateException - on errors creating a certificate for the generated key
    • getCredential

      Gets the credential for a specific alias from the credential container.
      Parameters:
      alias - the alias of the credential to get
      Returns:
      credential for the specified alias
      Throws:
      PkiCredentialContainerException - for errors obtaining the requested credential
    • deleteCredential

      void deleteCredential(String alias) throws PkiCredentialContainerException
      Deletes the credential specified by the supplied alias.

      The "normal" way of deleting a credential is to invoke its DisposableBean.destroy() method. The deleteCredential method is mainly for internal (and external) container maintenance.

      Parameters:
      alias - the alias of the credential to delete
      Throws:
      PkiCredentialContainerException - error deleting the credential
    • getExpiryTime

      Instant getExpiryTime(String alias) throws PkiCredentialContainerException
      Gets the expiry time of the credential specified by alias.
      Parameters:
      alias - alias of the requested credential
      Returns:
      expiry time for the specified credential or null if the credential never expires
      Throws:
      PkiCredentialContainerException - error obtaining the expiry time
    • listCredentials

      List<String> listCredentials() throws PkiCredentialContainerException
      Gets all available credential aliases from the multi credential key store.
      Returns:
      list of credential aliases
      Throws:
      PkiCredentialContainerException - error listing available credentials
    • cleanup

      void cleanup() throws PkiCredentialContainerException
      Traverses through all credentials in the multi credential key store and deletes the expired ones.
      Throws:
      PkiCredentialContainerException - error performing cleanup
    • setKeyValidity

      void setKeyValidity(Duration keyValidity)
      Assigns the duration for the validity of generated credentials.
      Parameters:
      keyValidity - the validity
    • setSupportedKeyTypes

      void setSupportedKeyTypes(List<String> supportedKeyTypes)
      Assigns the key types that this container supports.
      Parameters:
      supportedKeyTypes - a list of supported key types