Interface SecretConstraint<T extends Secret>

Type Parameters:
T - the type of secrets that are being constrained.

public interface SecretConstraint<T extends Secret>
Interface for constraints on a secret that must be satisfied for a given Purpose. This allows using a single root purpose (e.g., signing.key) and then deriving more specific requirements (e.g., only allowing RSA keys).
  • Method Details

    • isSatisfiedBy

      boolean isSatisfiedBy(T secret)
      Determines whether this constraint is satisfied by the given secret.
      Parameters:
      secret - the secret to test.
      Returns:
      whether the secret satisfies the constraint.
    • keyAlgorithm

      static SecretConstraint<CryptoKey> keyAlgorithm(String keyAlgorithm)
      Enforces a particular key algorithm (case-insensitive).
      Parameters:
      keyAlgorithm - the key algorithm.
      Returns:
      a constraint that enforces that keys have a certain key algorithm.
    • allowedKeyUsages

      static SecretConstraint<CryptoKey> allowedKeyUsages(Set<KeyUsage> keyUsages)
      Enforces that the key satisfies at least one of the given key usage constraints.
      Parameters:
      keyUsages - the allowed key usages.
      Returns:
      a constraint that enforces the key usage restrictions.
    • allowedKeyUsages

      static SecretConstraint<CryptoKey> allowedKeyUsages(KeyUsage first, KeyUsage... rest)
      Enforces that the key satisfies at least one of the given key usage constraints.
      Parameters:
      first - the first allowed key usage.
      rest - the remaining allowed key usages.
      Returns:
      a constraint that enforces the key usage restrictions.
    • requiredKeyUsages

      static SecretConstraint<CryptoKey> requiredKeyUsages(Set<KeyUsage> keyUsages)
      Enforces that the key satisfies all of the given key usage constraints.
      Parameters:
      keyUsages - the required key usages.
      Returns:
      a constraint that enforces the key usage restrictions.
    • requiredKeyUsages

      static SecretConstraint<CryptoKey> requiredKeyUsages(KeyUsage first, KeyUsage... rest)
      Enforces that the key satisfies all of the given key usage constraints.
      Parameters:
      first - the first required key usage.
      rest - the remaining required key usages.
      Returns:
      a constraint that enforces the key usage restrictions.
    • ellipticCurveKeyParameters

      static SecretConstraint<CryptoKey> ellipticCurveKeyParameters(ECParameterSpec requiredParameters)
      Enforces that the key is an elliptic curve key with the given parameters.
      Parameters:
      requiredParameters - the required elliptic curve parameters.
      Returns:
      a constraint that enforces the required curve parameters.
    • allowedAlgorithm

      static SecretConstraint<CryptoKey> allowedAlgorithm(String algorithm)
      Enforces that the key is allowed to be used with the given algorithm. The format of the algorithm name is unspecified and could be, for example, a JWE/JWS algorithm name or a Java algorithm name.
      Parameters:
      algorithm - the name of the algorithm to check compatibility with.
      Returns:
      a constraint that enforces that keys are allowed to be used with the given algorithm.
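
An added example, not part of the library's own documentation: it combines the factory methods above into a named policy for a P-256 signing key and reports which constraints a candidate key fails. The package names in the imports, the class `SigningKeyPolicy`, its method names, and the algorithm name "ES256" are assumptions; the caller supplies the `KeyUsage` value that represents signing.

```java
import java.security.AlgorithmParameters;
import java.security.GeneralSecurityException;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.ECParameterSpec;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Assumption: these package names are not shown on this page.
import org.forgerock.secrets.SecretConstraint;
import org.forgerock.secrets.keys.CryptoKey;
import org.forgerock.secrets.keys.KeyUsage;

/** Hypothetical helper: a labelled set of constraints for one signing purpose. */
public final class SigningKeyPolicy {

    /** Looks up the NIST P-256 parameters from the JDK's EC provider. */
    static ECParameterSpec p256() throws GeneralSecurityException {
        AlgorithmParameters params = AlgorithmParameters.getInstance("EC");
        params.init(new ECGenParameterSpec("secp256r1"));
        return params.getParameterSpec(ECParameterSpec.class);
    }

    /** Narrows a generic signing purpose to "P-256 EC key usable for ES256". */
    static Map<String, SecretConstraint<CryptoKey>> es256Policy(KeyUsage signUsage)
            throws GeneralSecurityException {
        Map<String, SecretConstraint<CryptoKey>> policy = new LinkedHashMap<>();
        policy.put("key algorithm is EC", SecretConstraint.keyAlgorithm("EC"));
        policy.put("curve is P-256", SecretConstraint.ellipticCurveKeyParameters(p256()));
        policy.put("signing usage present", SecretConstraint.requiredKeyUsages(signUsage));
        // "ES256" is an assumed name; the page leaves the name format unspecified.
        policy.put("allowed for ES256", SecretConstraint.allowedAlgorithm("ES256"));
        return policy;
    }

    /** Returns the label of every constraint the key fails; empty means accept. */
    static List<String> violations(CryptoKey key,
                                   Map<String, SecretConstraint<CryptoKey>> policy) {
        List<String> failed = new ArrayList<>();
        for (Map.Entry<String, SecretConstraint<CryptoKey>> e : policy.entrySet()) {
            if (!e.getValue().isSatisfiedBy(key)) {
                failed.add(e.getKey());
            }
        }
        return failed;
    }
}
```

Evaluating every constraint, rather than stopping at the first failure, gives an operator the full list of reasons a key was rejected, which is useful when auditing a key store after rotation.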