Class AbstractKeyAndCertificateHandler

java.lang.Object
se.swedenconnect.signservice.core.AbstractSignServiceHandler
se.swedenconnect.signservice.certificate.base.AbstractKeyAndCertificateHandler
All Implemented Interfaces:
KeyAndCertificateHandler, SignServiceHandler
Direct Known Subclasses:
AbstractCaEngineKeyAndCertificateHandler

public abstract class AbstractKeyAndCertificateHandler extends AbstractSignServiceHandler implements KeyAndCertificateHandler
Abstract base class for the KeyAndCertificateHandler interface.
  • Field Details

    • DEFAULT_ALGORITHM_KEY_TYPES

      public static final Map<String,String> DEFAULT_ALGORITHM_KEY_TYPES
      The default mappings from key type to algorithm key generator type.
  • Constructor Details

    • AbstractKeyAndCertificateHandler

      public AbstractKeyAndCertificateHandler(@Nonnull PkiCredentialContainer keyProvider, @Nullable Map<String,String> algorithmKeyTypes, @Nonnull AttributeMapper attributeMapper, @Nullable se.swedenconnect.security.algorithms.AlgorithmRegistry algorithmRegistry)
      Constructor. The algorithmKeyTypes parameter is optional. If it is not assigned, the algorithm key types will be NIST P256 for elliptic curve algorithms and RSA 3072-bit keys for RSA. If the algorithmRegistry is not assigned, the registry will be set to AlgorithmRegistrySingleton.getInstance().
      Parameters:
      keyProvider - a PkiCredentialContainer acting as the source of generated signing keys
      algorithmKeyTypes - a map of the selected key type for each supported algorithm
      attributeMapper - the attribute mapper
      algorithmRegistry - algorithm registry
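The defaulting rule described for this constructor, as an added JDK-only example (not the library's own code). The class name and the labels `EC`, `RSA`, `P-256` and `RSA-3072` are assumptions, since the actual entries of DEFAULT_ALGORITHM_KEY_TYPES are not listed on this page.

```java
import java.security.*;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.ECGenParameterSpec;
import java.util.Map;

public class DefaultKeyTypeDemo {

  // Hypothetical labels standing in for the library's default map (assumption).
  static final Map<String, String> DEFAULTS = Map.of("EC", "P-256", "RSA", "RSA-3072");

  /** Mirrors the documented rule: a null map means "use the defaults". */
  static Map<String, String> resolve(Map<String, String> algorithmKeyTypes) {
    return algorithmKeyTypes != null ? algorithmKeyTypes : DEFAULTS;
  }

  /** Generates a key pair for an algorithm family ("EC" or "RSA") per the resolved map. */
  static KeyPair generate(String family, Map<String, String> algorithmKeyTypes)
      throws GeneralSecurityException {
    String keyType = resolve(algorithmKeyTypes).get(family);
    if (keyType == null) {
      // This example's own choice: a supplied map with a missing entry fails closed.
      throw new InvalidAlgorithmParameterException("No key type configured for " + family);
    }
    KeyPairGenerator generator = KeyPairGenerator.getInstance(family);
    switch (keyType) {
      case "P-256": generator.initialize(new ECGenParameterSpec("secp256r1")); break;
      case "RSA-3072": generator.initialize(3072); break;
      default: throw new InvalidAlgorithmParameterException("Unsupported key type " + keyType);
    }
    return generator.generateKeyPair();
  }

  /** Returns the EC field size or the RSA modulus length in bits. */
  static int strength(PublicKey key) {
    if (key instanceof ECPublicKey) return ((ECPublicKey) key).getParams().getCurve().getField().getFieldSize();
    if (key instanceof RSAPublicKey) return ((RSAPublicKey) key).getModulus().bitLength();
    throw new IllegalArgumentException("Unexpected key algorithm " + key.getAlgorithm());
  }

  public static void main(String[] args) throws GeneralSecurityException {
    System.out.println("EC  -> " + strength(generate("EC", null).getPublic()) + " bits");
    System.out.println("RSA -> " + strength(generate("RSA", null).getPublic()) + " bits");
    try { generate("RSA", Map.of("EC", "P-256")); } // override map lacking an RSA entry
    catch (InvalidAlgorithmParameterException e) { System.out.println("rejected: " + e.getMessage()); }
  }
}
```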
  • Method Details

    • checkRequirements

      public void checkRequirements(@Nonnull SignRequestMessage signRequest, @Nonnull SignServiceContext context) throws InvalidRequestException
      Verifies that the requirements put in the supplied SignRequest are correct and that the handler can process the request. If not, an InvalidRequestException is thrown.
      Specified by:
      checkRequirements in interface KeyAndCertificateHandler
      Parameters:
      signRequest - the request to check
      context - the SignService context
      Throws:
      InvalidRequestException - if the requirements cannot be met
    • checkCertificateType

      protected void checkCertificateType(@Nonnull SigningCertificateRequirements certificateRequirements) throws InvalidRequestException
      Checks that the requested certificate type is consistent with supported certificate types.
      Parameters:
      certificateRequirements - certificate requirements from the certificate request
      Throws:
      InvalidRequestException - illegal certificate type requirements
    • specificRequirementTests

      protected void specificRequirementTests(@Nonnull SignRequestMessage signRequest, @Nonnull SignServiceContext context) throws InvalidRequestException
      Implementation-specific requirement tests in addition to the basic tests performed by the abstract implementation. The default implementation does nothing.
      Parameters:
      signRequest - the request to check
      context - the SignService context
      Throws:
      InvalidRequestException - if the requirements cannot be met
    • generateSigningCredential

      public PkiCredential generateSigningCredential(@Nonnull SignRequestMessage signRequest, @Nonnull IdentityAssertion assertion, @Nonnull SignServiceContext context) throws CertificateException, KeyException
      Generates a signing (private) key and issues a signing certificate given the supplied parameters.
      Specified by:
      generateSigningCredential in interface KeyAndCertificateHandler
      Parameters:
      signRequest - the SignRequest
      assertion - the identity assertion (from the user authentication phase)
      context - the SignService context
      Returns:
      the generated private key and signing certificate packaged in a PkiCredential
      Throws:
      CertificateException - for certificate issuance errors
      KeyException - for key generation errors
    • issueSigningCertificateChain

      protected abstract List<X509Certificate> issueSigningCertificateChain(@Nonnull PkiCredential signingKeyPair, @Nonnull SignRequestMessage signRequest, @Nonnull IdentityAssertion assertion, @Nonnull List<AttributeMappingData> certAttributes, @Nullable String certificateProfile, @Nonnull SignServiceContext context) throws CertificateException
      Issues the signing certificate for the signing credentials.
      Parameters:
      signingKeyPair - signing key pair
      signRequest - sign request
      assertion - assertion providing asserted user identity
      certAttributes - the certificate attributes to include in the certificate
      certificateProfile - the certificate profile (may be null)
      context - signature context providing additional information
      Returns:
      the certificate chain where the signer certificate is placed first
      Throws:
      CertificateException - error obtaining a certificate for the signer
    • assertCertificateProfileSupported

      protected abstract void assertCertificateProfileSupported(@Nullable String certificateProfile) throws InvalidRequestException
      Tests whether the requested certificate profile is supported.
      Parameters:
      certificateProfile - the profile requested for the certificate or null
      Throws:
      InvalidRequestException - if the requested certificate profile is not supported
    • getServiceName

      @Nullable protected String getServiceName()
      Gets the service name placed in AuthnContextExtensions. If this value is null, the service name is set according to local policy, which by default should be to use the requesting client ID.
      Returns:
      the service name or null
    • setServiceName

      public void setServiceName(@Nullable String serviceName)
      Assigns the service name placed in AuthnContextExtensions. If this value is null, the service name is set according to local policy, which by default should be to use the requesting client ID.
      Parameters:
      serviceName - service name for inclusion in AuthnContextExtensions
    • getCaSupportedCertificateTypes

      @Nonnull protected List<CertificateType> getCaSupportedCertificateTypes()
      Gets the type(s) of certificates that the underlying CA issues.
      Returns:
      the supported certificate type(s)
    • setCaSupportedCertificateTypes

      public void setCaSupportedCertificateTypes(@Nonnull List<CertificateType> caSupportedCertificateTypes)
      Assigns the type(s) of certificates that the underlying CA issues.
      Parameters:
      caSupportedCertificateTypes - the supported certificate type(s)
    • getAlgorithmRegistry

      protected se.swedenconnect.security.algorithms.AlgorithmRegistry getAlgorithmRegistry()
      Gets the algorithm registry providing information about supported algorithms.
      Returns:
      the algorithm registry
    • getAttributeMapper

      protected AttributeMapper getAttributeMapper()
      Gets the attribute mapper.
      Returns:
      the attribute mapper