Interface SecretConstraint<T extends Secret>

  • Type Parameters:
    T - the type of secrets that are being constrained.

    public interface SecretConstraint<T extends Secret>
    Interface for constraints on a secret that must be satisfied for a given Purpose. This allows using a single root purpose (e.g., signing.key) and then deriving more specific requirements from it (e.g., only allowing RSA keys).
    • Method Detail

      • isSatisfiedBy

        boolean isSatisfiedBy(T secret)
        Determines whether this constraint is satisfied by the given secret.
        Parameters:
        secret - the secret to test.
        Returns:
        whether the secret satisfies the constraint.
      • keyAlgorithm

        static SecretConstraint<CryptoKey> keyAlgorithm(String keyAlgorithm)
        Enforces a particular key algorithm (case-insensitive).
        Parameters:
        keyAlgorithm - the key algorithm.
        Returns:
        a constraint that enforces that keys have a certain key algorithm.
      • allowedKeyUsages

        static SecretConstraint<CryptoKey> allowedKeyUsages(Set<KeyUsage> keyUsages)
        Enforces that the key satisfies at least one of the given key usage constraints.
        Parameters:
        keyUsages - the allowed key usages.
        Returns:
        a constraint that enforces the key usage restrictions.
      • allowedKeyUsages

        static SecretConstraint<CryptoKey> allowedKeyUsages(KeyUsage first,
                                                            KeyUsage... rest)
        Enforces that the key satisfies at least one of the given key usage constraints.
        Parameters:
        first - the first allowed key usage.
        rest - the remaining allowed key usages.
        Returns:
        a constraint that enforces the key usage restrictions.
      • requiredKeyUsages

        static SecretConstraint<CryptoKey> requiredKeyUsages(Set<KeyUsage> keyUsages)
        Enforces that the key satisfies all of the given key usage constraints.
        Parameters:
        keyUsages - the required key usages.
        Returns:
        a constraint that enforces the key usage restrictions.
      • requiredKeyUsages

        static SecretConstraint<CryptoKey> requiredKeyUsages(KeyUsage first,
                                                             KeyUsage... rest)
        Enforces that the key satisfies all of the given key usage constraints.
        Parameters:
        first - the first required key usage.
        rest - the remaining required key usages.
        Returns:
        a constraint that enforces the key usage restrictions.
      • ellipticCurveKeyParameters

        static SecretConstraint<CryptoKey> ellipticCurveKeyParameters(ECParameterSpec requiredParameters)
        Enforces that the key is an elliptic curve key with the given parameters.
        Parameters:
        requiredParameters - the required elliptic curve parameters.
        Returns:
        a constraint that enforces the required curve parameters.
      • allowedAlgorithm

        static SecretConstraint<CryptoKey> allowedAlgorithm(String algorithm)
        Enforces that the key is allowed to be used with the given algorithm. The format of the algorithm name is unspecified and could be, for example, a JWE/JWS algorithm name or a Java algorithm name.
        Parameters:
        algorithm - the name of the algorithm to check compatibility with.
        Returns:
        a constraint that enforces that keys are allowed to be used with the given algorithm.
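
The following is an added example, not code from the library or its documentation. It narrows a general signing purpose to "P-256 EC key usable for ES256" by stacking the factory methods above and failing closed if any constraint is not met. The class name `Es256SigningKeyPolicy`, the `org.forgerock.secrets` package names, the `KeyUsage.SIGN` constant and the `"ES256"` algorithm name are assumptions not shown on this page.

```java
import java.security.AlgorithmParameters;
import java.security.GeneralSecurityException;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.ECParameterSpec;
import java.util.List;

// Assumed package names for the types documented on this page.
import org.forgerock.secrets.SecretConstraint;
import org.forgerock.secrets.keys.CryptoKey;
import org.forgerock.secrets.keys.KeyUsage;

/** Hypothetical policy: accept only EC P-256 keys that may sign with ES256. */
public final class Es256SigningKeyPolicy {

    private final List<SecretConstraint<CryptoKey>> constraints;

    public Es256SigningKeyPolicy() throws GeneralSecurityException {
        // Resolve the P-256 domain parameters through the JDK instead of hard-coding them.
        AlgorithmParameters params = AlgorithmParameters.getInstance("EC");
        params.init(new ECGenParameterSpec("secp256r1"));
        ECParameterSpec p256 = params.getParameterSpec(ECParameterSpec.class);

        constraints = List.of(
                // Matched case-insensitively, so "ec" would behave the same.
                SecretConstraint.keyAlgorithm("EC"),
                // requiredKeyUsages demands ALL listed usages; allowedKeyUsages
                // would accept a key holding ANY ONE of them, which is weaker.
                SecretConstraint.requiredKeyUsages(KeyUsage.SIGN), // assumed enum constant
                SecretConstraint.ellipticCurveKeyParameters(p256),
                // Algorithm name format is unspecified; a JWS name is used here as a sample.
                SecretConstraint.allowedAlgorithm("ES256"));
    }

    /** Returns true only if the key satisfies every constraint (fail closed). */
    public boolean accepts(CryptoKey key) {
        if (key == null) {
            return false;
        }
        for (SecretConstraint<CryptoKey> constraint : constraints) {
            if (!constraint.isSatisfiedBy(key)) {
                return false;
            }
        }
        return true;
    }
}
```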