Class AbstractKeyAndCertificateHandler

java.lang.Object
  se.swedenconnect.signservice.core.AbstractSignServiceHandler
    se.swedenconnect.signservice.certificate.base.AbstractKeyAndCertificateHandler

- All Implemented Interfaces:
  KeyAndCertificateHandler, SignServiceHandler
- Direct Known Subclasses:
  AbstractCaEngineKeyAndCertificateHandler

public abstract class AbstractKeyAndCertificateHandler
extends AbstractSignServiceHandler
implements KeyAndCertificateHandler

Abstract base class for the KeyAndCertificateHandler interface.
Field Summary
- DEFAULT_ALGORITHM_KEY_TYPES
  The default mappings from key type to algorithm key generator type.
Constructor Summary
- AbstractKeyAndCertificateHandler(PkiCredentialContainer keyProvider, Map<String, String> algorithmKeyTypes, AttributeMapper attributeMapper, se.swedenconnect.security.algorithms.AlgorithmRegistry algorithmRegistry)
  Constructor.
Method Summary
- protected abstract void assertCertificateProfileSupported(String certificateProfile)
  Tests whether the requested certificate profile is supported.
- protected void checkCertificateType(SigningCertificateRequirements certificateRequirements)
  Checks that the requested certificate type is consistent with the supported certificate types.
- void checkRequirements(SignRequestMessage signRequest, SignServiceContext context)
  Verifies that the requirements put in the supplied SignRequest are correct and that the handler can process the request.
- PkiCredential generateSigningCredential(SignRequestMessage signRequest, IdentityAssertion assertion, SignServiceContext context)
  Generates a signing (private) key and issues a signing certificate given the supplied parameters.
- protected se.swedenconnect.security.algorithms.AlgorithmRegistry getAlgorithmRegistry()
  Gets the algorithm registry providing information about supported algorithms.
- protected AttributeMapper getAttributeMapper()
  Gets the attribute mapper.
- protected List<CertificateType> getCaSupportedCertificateTypes()
  Gets the type of certificates that the underlying CA issues.
- protected String getServiceName()
  Gets the service name placed in AuthnContextExtensions.
- protected abstract List<X509Certificate> issueSigningCertificateChain(PkiCredential signingKeyPair, SignRequestMessage signRequest, IdentityAssertion assertion, List<AttributeMappingData> certAttributes, String certificateProfile, SignServiceContext context)
  Issues the signing certificate for the signing credentials.
- void setCaSupportedCertificateTypes(List<CertificateType> caSupportedCertificateTypes)
  Assigns the type of certificates that the underlying CA issues.
- void setServiceName(String serviceName)
  Assigns the service name placed in AuthnContextExtensions.
- protected void specificRequirementTests(SignRequestMessage signRequest, SignServiceContext context)
  Implementation-specific requirement tests in addition to the basic tests performed by the abstract implementation.

Methods inherited from class se.swedenconnect.signservice.core.AbstractSignServiceHandler
getName, setName

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface se.swedenconnect.signservice.core.SignServiceHandler
getName

Field Details
- DEFAULT_ALGORITHM_KEY_TYPES
  The default mappings from key type to algorithm key generator type.

Constructor Details
- AbstractKeyAndCertificateHandler
  public AbstractKeyAndCertificateHandler(@Nonnull PkiCredentialContainer keyProvider, @Nullable Map<String, String> algorithmKeyTypes, @Nonnull AttributeMapper attributeMapper, @Nullable se.swedenconnect.security.algorithms.AlgorithmRegistry algorithmRegistry)
  Constructor. The algorithmKeyTypes parameter is optional. If it is not assigned, the algorithm key types will be NIST P-256 for elliptic curve algorithms and 3072-bit keys for RSA. If algorithmRegistry is not assigned, the registry is set to AlgorithmRegistrySingleton.getInstance().
  - Parameters:
    keyProvider - a PkiCredentialContainer acting as the source of generated signing keys
    algorithmKeyTypes - a map of the selected key type for each supported algorithm
    attributeMapper - the attribute mapper
    algorithmRegistry - algorithm registry
Method Details
- checkRequirements
  public void checkRequirements(@Nonnull SignRequestMessage signRequest, @Nonnull SignServiceContext context) throws InvalidRequestException
  Verifies that the requirements put in the supplied SignRequest are correct and that the handler can process the request. If not, an InvalidRequestException is thrown.
  - Specified by:
    checkRequirements in interface KeyAndCertificateHandler
  - Parameters:
    signRequest - the request to check
    context - the SignService context
  - Throws:
    InvalidRequestException - if the requirements cannot be met
- checkCertificateType
  protected void checkCertificateType(@Nonnull SigningCertificateRequirements certificateRequirements) throws InvalidRequestException
  Checks that the requested certificate type is consistent with the supported certificate types.
  - Parameters:
    certificateRequirements - certificate requirements from the certificate request
  - Throws:
    InvalidRequestException - illegal certificate type requirements
- specificRequirementTests
  protected void specificRequirementTests(@Nonnull SignRequestMessage signRequest, @Nonnull SignServiceContext context) throws InvalidRequestException
  Implementation-specific requirement tests in addition to the basic tests performed by the abstract implementation. The default implementation does nothing.
  - Parameters:
    signRequest - the request to check
    context - the SignService context
  - Throws:
    InvalidRequestException - if the requirements cannot be met
- generateSigningCredential
  public PkiCredential generateSigningCredential(@Nonnull SignRequestMessage signRequest, @Nonnull IdentityAssertion assertion, @Nonnull SignServiceContext context) throws CertificateException, KeyException
  Generates a signing (private) key and issues a signing certificate given the supplied parameters.
  - Specified by:
    generateSigningCredential in interface KeyAndCertificateHandler
  - Parameters:
    signRequest - the SignRequest
    assertion - the identity assertion (from the user authentication phase)
    context - the SignService context
  - Returns:
    the generated private key and signing certificate packaged in a PkiCredential
  - Throws:
    CertificateException - for certificate issuance errors
    KeyException - for key generation errors
- issueSigningCertificateChain
  protected abstract List<X509Certificate> issueSigningCertificateChain(@Nonnull PkiCredential signingKeyPair, @Nonnull SignRequestMessage signRequest, @Nonnull IdentityAssertion assertion, @Nonnull List<AttributeMappingData> certAttributes, @Nullable String certificateProfile, @Nonnull SignServiceContext context) throws CertificateException
  Issues the signing certificate for the signing credentials.
  - Parameters:
    signingKeyPair - signing key pair
    signRequest - sign request
    assertion - assertion providing the asserted user identity
    certAttributes - the certificate attributes to include in the certificate
    certificateProfile - the certificate profile (may be null)
    context - signature context providing additional information
  - Returns:
    the certificate chain where the signer certificate is placed first
  - Throws:
    CertificateException - error obtaining a certificate for the signer
- assertCertificateProfileSupported
  protected abstract void assertCertificateProfileSupported(@Nullable String certificateProfile) throws InvalidRequestException
  Tests whether the requested certificate profile is supported.
  - Parameters:
    certificateProfile - the profile requested for the certificate, or null
  - Throws:
    InvalidRequestException - if the requested certificate profile is not supported
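The two abstract methods above are the extension points a concrete handler must fill in. The following is an added example, not code from the signservice project: a minimal subclass that answers assertCertificateProfileSupported from an allow-list (treating a null profile as "use the default", as the parameter contract permits) and delegates issueSigningCertificateChain to a hypothetical CertificateIssuer interface defined here for illustration. Before returning the chain it enforces the documented return contract (signer certificate first) and checks that the first certificate actually carries the public key of the generated signing credential, so a mis-wired CA cannot silently bind the wrong key. The package names in the imports, the (String) constructor of InvalidRequestException and PkiCredential.getPublicKey() are assumptions; the page shows only the simple type names.

```java
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Map;
import java.util.Set;

import javax.annotation.Nonnull;
import javax.annotation.Nullable;

// Package names below are assumptions for this example; the page lists only simple type names.
import se.swedenconnect.security.algorithms.AlgorithmRegistry;
import se.swedenconnect.security.credential.PkiCredential;
import se.swedenconnect.security.credential.container.PkiCredentialContainer;
import se.swedenconnect.signservice.authn.IdentityAssertion;
import se.swedenconnect.signservice.certificate.attributemapping.AttributeMapper;
import se.swedenconnect.signservice.certificate.attributemapping.AttributeMappingData;
import se.swedenconnect.signservice.certificate.base.AbstractKeyAndCertificateHandler;
import se.swedenconnect.signservice.context.SignServiceContext;
import se.swedenconnect.signservice.core.types.InvalidRequestException;
import se.swedenconnect.signservice.protocol.SignRequestMessage;

/**
 * Example concrete handler (not part of the project): profile allow-list plus a
 * pluggable issuer, with a key-binding check on the returned chain.
 */
public class AllowListKeyAndCertificateHandler extends AbstractKeyAndCertificateHandler {

  /** Hypothetical issuer abstraction standing in for a real CA integration. */
  public interface CertificateIssuer {
    List<X509Certificate> issue(@Nonnull PkiCredential signingKeyPair,
        @Nonnull List<AttributeMappingData> certAttributes,
        @Nonnull String certificateProfile) throws CertificateException;
  }

  private final Set<String> supportedProfiles;
  private final String defaultProfile;
  private final CertificateIssuer issuer;

  public AllowListKeyAndCertificateHandler(@Nonnull PkiCredentialContainer keyProvider,
      @Nullable Map<String, String> algorithmKeyTypes, @Nonnull AttributeMapper attributeMapper,
      @Nullable AlgorithmRegistry algorithmRegistry, @Nonnull Set<String> supportedProfiles,
      @Nonnull String defaultProfile, @Nonnull CertificateIssuer issuer) {
    super(keyProvider, algorithmKeyTypes, attributeMapper, algorithmRegistry);
    if (!supportedProfiles.contains(defaultProfile)) {
      throw new IllegalArgumentException("defaultProfile must be one of supportedProfiles");
    }
    this.supportedProfiles = Set.copyOf(supportedProfiles);
    this.defaultProfile = defaultProfile;
    this.issuer = issuer;
  }

  @Override
  protected void assertCertificateProfileSupported(@Nullable String certificateProfile)
      throws InvalidRequestException {
    // A null profile is permitted by the contract and means "use the default profile".
    if (certificateProfile != null && !this.supportedProfiles.contains(certificateProfile)) {
      // Assumes InvalidRequestException offers a (String) constructor.
      throw new InvalidRequestException("Unsupported certificate profile: " + certificateProfile);
    }
  }

  @Override
  protected List<X509Certificate> issueSigningCertificateChain(@Nonnull PkiCredential signingKeyPair,
      @Nonnull SignRequestMessage signRequest, @Nonnull IdentityAssertion assertion,
      @Nonnull List<AttributeMappingData> certAttributes, @Nullable String certificateProfile,
      @Nonnull SignServiceContext context) throws CertificateException {

    final String profile = certificateProfile != null ? certificateProfile : this.defaultProfile;
    final List<X509Certificate> chain = this.issuer.issue(signingKeyPair, certAttributes, profile);

    // Return contract: the signer certificate is placed first. Refuse an empty chain
    // and refuse a chain whose leaf does not certify the key we just generated.
    if (chain == null || chain.isEmpty()) {
      throw new CertificateException("Issuer returned an empty certificate chain");
    }
    // Assumes PkiCredential exposes the generated public key via getPublicKey().
    if (!chain.get(0).getPublicKey().equals(signingKeyPair.getPublicKey())) {
      throw new CertificateException("Signer certificate does not match the generated signing key");
    }
    return List.copyOf(chain);
  }
}
```

The key-binding check is cheap and closes a class of integration mistakes (issuer answers with a cached or wrong certificate) that would otherwise surface only when a relying party fails signature validation.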
- getServiceName
  protected String getServiceName()
  Gets the service name placed in AuthnContextExtensions. If this value is null, the service name is set according to local policy, which by default should be to use the requesting client ID.
  - Returns:
    the service name, or null
- setServiceName
  public void setServiceName(String serviceName)
  Assigns the service name placed in AuthnContextExtensions. If this value is null, the service name is set according to local policy, which by default should be to use the requesting client ID.
  - Parameters:
    serviceName - service name for inclusion in AuthnContextExtensions
- getCaSupportedCertificateTypes
  protected List<CertificateType> getCaSupportedCertificateTypes()
  Gets the type of certificates that the underlying CA issues.
  - Returns:
    the certificate type(s)
- setCaSupportedCertificateTypes
  public void setCaSupportedCertificateTypes(@Nonnull List<CertificateType> caSupportedCertificateTypes)
  Assigns the type of certificates that the underlying CA issues.
  - Parameters:
    caSupportedCertificateTypes - the supported certificate type(s)
- getAlgorithmRegistry
  protected se.swedenconnect.security.algorithms.AlgorithmRegistry getAlgorithmRegistry()
  Gets the algorithm registry providing information about supported algorithms.
  - Returns:
    the algorithm registry
- getAttributeMapper
  protected AttributeMapper getAttributeMapper()
  Gets the attribute mapper.
  - Returns:
    the attribute mapper