Interface PkiCredentialContainer
- All Known Implementing Classes:
- AbstractKeyStorePkiCredentialContainer, AbstractPkiCredentialContainer, HsmPkiCredentialContainer, InMemoryPkiCredentialContainer, SoftPkiCredentialContainer
The primary use case for this credential container is together with an HSM, for generating ephemeral key credentials that are created inside the HSM, used for a short period of time and then deleted without ever leaving the HSM. A typical example is the generation and destruction of signing keys in a signature service, where the signing key is used only once and then destroyed in order to guarantee that it can never be used in any other process for any other purpose.
While the primary use case is with an HSM, the container may also be implemented on top of a software-based key store for deployments with lower security demands, or for testing and prototyping.
- Author:
- Martin Lindström (martin@idsec.se), Stefan Santesson (stefan@idsec.se)
Method Summary
- void cleanup(): Traverses through all credentials in the multi credential key store and deletes the expired ones.
- void deleteCredential(String alias): Deletes the credential specified by the supplied alias.
- String generateCredential(String keyTypeName): Generates a key pair and self-issued certificate for a new credential in the container.
- getCredential(String alias): Gets the credential for a specific alias from the credential container.
- getExpiryTime(String alias): Gets the expiry time of the credential specified by alias.
- listCredentials(): Gets all available credential aliases from the multi credential key store.
- void setKeyValidity(Duration keyValidity): Assigns the duration for the validity of generated credentials.
- void setSupportedKeyTypes(List<String> supportedKeyTypes): Assigns the key types that this container supports.
Method Details
generateCredential
String generateCredential(String keyTypeName) throws KeyException, NoSuchAlgorithmException, CertificateException
Generates a key pair and self-issued certificate for a new credential in the container. Note that self-issued certificates may be replaced after a credential has been generated. This is typically done after a CA has issued a certificate for the key pair.
- Parameters:
- keyTypeName - the id of the type of key to generate as provided by KeyGenType
- Returns:
- the alias for the generated key
- Throws:
- KeyException - on errors generating the key
- NoSuchAlgorithmException - if the requested algorithm or key type is not supported
- CertificateException - on errors creating a certificate for the generated key

getCredential
Gets the credential for a specific alias from the credential container.
- Parameters:
- alias - the alias of the credential to get
- Returns:
- credential for the specified alias
- Throws:
- PkiCredentialContainerException - for errors obtaining the requested credential

deleteCredential
Deletes the credential specified by the supplied alias. The "normal" way of deleting a credential is to invoke its DisposableBean.destroy() method. The deleteCredential method is mainly for internal (and external) container maintenance.
- Parameters:
- alias - the alias of the credential to delete
- Throws:
- PkiCredentialContainerException - error deleting the credential

getExpiryTime
Gets the expiry time of the credential specified by alias.
- Parameters:
- alias - alias of the requested credential
- Returns:
- expiry time for the specified credential, or null if the credential never expires
- Throws:
- PkiCredentialContainerException - error obtaining the expiry time

listCredentials
Gets all available credential aliases from the multi credential key store.
- Returns:
- list of credential aliases
- Throws:
- PkiCredentialContainerException - error listing available credentials

cleanup
Traverses through all credentials in the multi credential key store and deletes the expired ones.
- Throws:
- PkiCredentialContainerException - error performing cleanup

setKeyValidity
Assigns the duration for the validity of generated credentials.
- Parameters:
- keyValidity - the validity

setSupportedKeyTypes
Assigns the key types that this container supports.
- Parameters:
- supportedKeyTypes - a list of supported key types
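As an added example that is not part of the library's Javadoc, the following Java class drives the one-shot signing-key lifecycle described in the introduction through this interface: generate, sign once, delete in a finally block, plus a housekeeping pass built on cleanup(), listCredentials() and getExpiryTime(). Assumed and not stated on this page: the package names, that getCredential returns a PkiCredential exposing getPrivateKey(), that getExpiryTime returns an Instant, and the key type id "RSA-3072".

```java
import java.security.Signature;
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.List;

import se.swedenconnect.security.credential.PkiCredential;                    // assumed package
import se.swedenconnect.security.credential.container.PkiCredentialContainer; // assumed package

public final class EphemeralSigningExample {

  // Assumed KeyGenType id; the page only says ids are provided by KeyGenType.
  private static final String KEY_TYPE = "RSA-3072";

  /**
   * One sign-and-destroy cycle. The key is generated, used exactly once and
   * deleted in a finally block, so it cannot be reused even if signing fails.
   */
  public static byte[] signOnce(PkiCredentialContainer container, byte[] toBeSigned) throws Exception {
    container.setSupportedKeyTypes(List.of(KEY_TYPE));
    // Short validity is a safety net: cleanup() removes the key even if deleteCredential is never reached.
    container.setKeyValidity(Duration.ofMinutes(5));
    String alias = container.generateCredential(KEY_TYPE);
    try {
      PkiCredential credential = container.getCredential(alias);
      // Assumed: PkiCredential exposes getPrivateKey(). With an HSM-backed container
      // this is a handle to key material that never leaves the device.
      Signature signer = Signature.getInstance("SHA256withRSA");
      signer.initSign(credential.getPrivateKey());
      signer.update(toBeSigned);
      return signer.sign();
    } finally {
      // Explicit maintenance path; DisposableBean.destroy() on the credential is the "normal" one.
      container.deleteCredential(alias);
    }
  }

  /**
   * Housekeeping pass: purge expired credentials, then report every alias that is
   * still live with its expiry, so an orphaned or never-expiring key is visible.
   */
  public static List<String> reportLiveCredentials(PkiCredentialContainer container) throws Exception {
    container.cleanup();
    List<String> report = new ArrayList<>();
    for (String alias : container.listCredentials()) {
      Instant expiry = container.getExpiryTime(alias); // assumed Instant; null means never expires
      report.add(alias + " expires " + (expiry == null ? "never" : expiry.toString()));
    }
    return report;
  }
}
```

With an InMemoryPkiCredentialContainer or SoftPkiCredentialContainer the same code serves for tests and prototyping; only the container instance changes.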