Package org.forgerock.secrets.keys
Class CryptoKey
java.lang.Object
org.forgerock.secrets.Secret
org.forgerock.secrets.keys.CryptoKey
- All Implemented Interfaces: AutoCloseable
- Direct Known Subclasses: CertificateVerificationKey, DataDecryptionKey, DataEncryptionKey, KeyAgreementKey, KeyDecryptionKey, KeyEncryptionKey, SigningKey, VerificationKey
Base class for all secrets that are used as keys for cryptographic operations. This class roughly corresponds to the CryptoKey interface in the WebCrypto standard.
-
Method Summary
- boolean allowsAlgorithm(String algorithm): Checks whether this key is allowed to be used with the given algorithm.
- void close(): Marks this CryptoKey as closed, without relinquishing any underlying resources.
- <T> T export(format): Exports the key material in the given format.
- getCertificate(): Returns any certificate associated with this key.
- <T extends Certificate> Optional<T> getCertificate(Class<T> certificateType): Returns the certificate of the given type if one is available.
- List<? extends Certificate> getCertificateChain(): Gets the certificate chain associated with this secret.
- <T extends Certificate> List<T> getCertificateChain(Class<T> certificateType): Gets the certificate chain associated with this secret as a list of the given certificate type.
- getKeyAlgorithm(): Returns the algorithm used by the underlying key, for instance "RSA" or "EC".
- getKeyType(): Returns an indication of the type of key this is.
- getKeyUsages(): Returns the key usages that the key can be used for.
- getPublicKey(): Returns the public key associated with this secret, if one is available.
- getPublicKey(Class<T> keyType): Returns the public key associated with this secret, if one is available.
- boolean isClosed(): Indicates whether this secret has been closed by calling the Secret.close() method.
- boolean isExtractable(): Indicates whether the raw key material can be extracted for this key.
- <T> T reveal(Function<Key, T> function): Reveals the secret's Key temporarily, allowing it to be used for its intended purpose.
- <T> T revealAndClose(Function<Key, T> function): Reveals the secret temporarily and then scrubs the secret material from memory.
- toBuilder(): Converts the key back into a SecretBuilder, pre-initialized with the fields of this CryptoKey object.
- toString()
Methods inherited from class org.forgerock.secrets.Secret
equals, getExpiryTime, getStableId, hashCode, isExpired
-
Method Details
-
getKeyType
Returns an indication of the type of key this is.
- Returns: the type of key.
-
getKeyAlgorithm
Returns the algorithm used by the underlying key, for instance "RSA" or "EC".
- Returns: the key algorithm.
-
export
Exports the key material in the given format.
- Type Parameters: T - the type of result returned.
- Parameters: format - the format to export the key material in.
- Returns: the exported key material.
- Throws: NoSuchSecretException - if the secret could not be exported.
-
revealAndClose
Reveals the secret temporarily and then scrubs the secret material from memory.
- Type Parameters: T - the type of object returned by the consumer.
- Parameters: function - the consumer function to reveal the secret to.
- Returns: the result of the consumer function.
- See Also:
-
reveal
Reveals the secret's Key temporarily, allowing it to be used for its intended purpose. Note that the consumer should not make any assumptions about the availability of the key after the function returns: it may be cleared or destroyed. The CryptoKey object is not destroyed by this method and so can be reused. Use revealAndClose(Function) to also close the CryptoKey itself after the method completes.
- Type Parameters: T - the type of object returned by the consumer.
- Parameters: function - the consumer function to reveal the key to.
- Returns: the result of the consumer function.
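Added example, not ForgeRock's own code: a signing helper written against the reveal and revealAndClose contracts above. It keeps the java.security.Key inside the callback, refuses closed or expired keys, and gates on allowsAlgorithm and getKeyAlgorithm before touching the material. The JWS name "ES256", its mapping to the JCA name "SHA256withECDSA", and the class name SignWithCryptoKey are this example's own choices; isExpired and getStableId are the methods inherited from Secret listed in the summary.

```java
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.PrivateKey;
import java.security.Signature;

import org.forgerock.secrets.keys.CryptoKey;

/**
 * Added example (not ForgeRock code): sign a payload with a CryptoKey while keeping the
 * raw java.security.Key inside the reveal() callback. The algorithm names below are this
 * example's assumptions about how the application configured the key.
 */
public final class SignWithCryptoKey {

    private static final String JWS_ALG = "ES256";           // application-level name passed to allowsAlgorithm
    private static final String JCA_ALG = "SHA256withECDSA"; // JCA name used for the actual Signature

    private SignWithCryptoKey() {}

    /** Signs with a key that stays usable afterwards; the caller owns its lifecycle. */
    public static byte[] sign(CryptoKey key, byte[] payload) {
        checkUsable(key);
        // The Key handed to the lambda is only valid during the call: never store it in a
        // field or return it, because the provider may clear or destroy it afterwards.
        return key.reveal(raw -> signRaw(raw, payload));
    }

    /** One-shot variant: reveals, signs, scrubs the material and closes the CryptoKey. */
    public static byte[] signAndClose(CryptoKey key, byte[] payload) {
        checkUsable(key);
        return key.revealAndClose(raw -> signRaw(raw, payload));
    }

    /** Preconditions that cost nothing and fail fast before any key material is revealed. */
    private static void checkUsable(CryptoKey key) {
        if (key.isClosed()) {
            // A closed secret is invalid: re-fetch it from the SecretsProvider instead.
            throw new IllegalStateException("CryptoKey " + key.getStableId() + " is closed");
        }
        if (key.isExpired()) {
            throw new IllegalStateException("CryptoKey " + key.getStableId() + " has expired");
        }
        if (!key.allowsAlgorithm(JWS_ALG)) {
            throw new IllegalArgumentException("key is not permitted for " + JWS_ALG);
        }
        if (!"EC".equals(key.getKeyAlgorithm())) {
            throw new IllegalArgumentException("expected an EC key, got " + key.getKeyAlgorithm());
        }
    }

    /** Runs entirely inside the reveal window; the Key reference does not escape. */
    private static byte[] signRaw(Key raw, byte[] payload) {
        if (!(raw instanceof PrivateKey)) {
            throw new IllegalArgumentException("signing requires a private key");
        }
        try {
            Signature sig = Signature.getInstance(JCA_ALG);
            sig.initSign((PrivateKey) raw);
            sig.update(payload);
            return sig.sign();
        } catch (GeneralSecurityException e) {
            // Function<Key, T> cannot throw checked exceptions, so wrap rather than swallow them.
            throw new IllegalStateException("signing failed", e);
        }
    }
}
```

sign leaves the CryptoKey usable for further calls; signAndClose suits a key fetched for a single operation. Because Function<Key, T> cannot throw checked exceptions, JCA failures are wrapped in IllegalStateException rather than swallowed, so a provider error surfaces instead of silently producing no signature.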
-
getCertificate
Returns the certificate of the given type if one is available. This is the first certificate in the certificate chain if one exists and the certificate is of the correct type.
- Type Parameters: T - the type of certificate.
- Parameters: certificateType - the type of certificate to get.
- Returns: the certificate of the given type, or empty if none available.
-
getCertificate
Returns any certificate associated with this key. This is the first certificate in the certificate chain if one exists.
- Returns: the certificate associated with this key, if one is available.
-
getCertificateChain
Gets the certificate chain associated with this secret. If non-empty then the first certificate in the chain is always identical to the result of getCertificate().
- Returns: the certificate chain associated with this secret, or an empty list if not available.
-
getCertificateChain
Gets the certificate chain associated with this secret as a list of the given certificate type. If any certificate in the chain is not of the required type then an empty result is returned. If the result is non-empty then the first certificate will be identical to the result of getCertificate().
- Type Parameters: T - the generic type of certificates.
- Parameters: certificateType - the type of certificates expected.
- Returns: the certificate chain associated with this secret, or empty if not available or if any certificate in the chain is not of the given type.
-
getPublicKey
Returns the public key associated with this secret, if one is available. Note that if a public key has not been directly associated with this key then currently no attempt is made to derive it from any secret key material.
- Type Parameters: T - the type of public key.
- Parameters: keyType - the type of public key to return.
- Returns: the public key, if available.
-
getPublicKey
Returns the public key associated with this secret, if one is available. Note that if a public key has not been directly associated with this key then currently no attempt is made to derive it from any secret key material.
- Returns: the public key, if available.
-
getKeyUsages
Returns the key usages that the key can be used for.
- Returns: the set of key usages that are allowed for this key.
-
allowsAlgorithm
Checks whether this key is allowed to be used with the given algorithm. The algorithm name is application-specific, such as a JWS signing algorithm (e.g., ES256) or a Java Cipher algorithm name (e.g., RSA/ECB/PKCS1Padding).
- Parameters: algorithm - the algorithm to check if this key can be used with.
- Returns: true if the algorithm is allowed to be used with this key.
-
isExtractable
public boolean isExtractable()
Indicates whether the raw key material can be extracted for this key. Note that some aspects of the key may still be exported even if the key itself is not extractable, for instance a public certificate. The main reason why a key is not extractable is that it is stored in secure storage such as a Hardware Security Module (HSM) or on a remote server.
- Returns: whether the raw key material can be extracted or not.
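Added example, not ForgeRock's own code, covering getCertificate, getCertificateChain, getPublicKey and isExtractable together: it checks that the certificate material attached to a CryptoKey is consistent before the key is presented to a peer, and shows a policy gate on extractability. It assumes getPublicKey(Class) returns an Optional in the same way getCertificate(Class) does; the class name CryptoKeyCertificateCheck and the HSM-only policy are this example's own.

```java
import java.security.GeneralSecurityException;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Optional;

import org.forgerock.secrets.keys.CryptoKey;

/**
 * Added example (not ForgeRock code): validates the certificate material attached to a
 * CryptoKey using only the accessors documented for the class. getPublicKey(Class) is
 * assumed here to return an Optional, as getCertificate(Class) does.
 */
public final class CryptoKeyCertificateCheck {

    private CryptoKeyCertificateCheck() {}

    /**
     * Returns the validated X.509 leaf certificate, or throws with the reason it was rejected.
     * Only X.509 chains are accepted: getCertificateChain(Class) yields an empty list if any
     * element is of another certificate type, and that is treated as "no chain".
     */
    public static X509Certificate validatedLeaf(CryptoKey key) throws GeneralSecurityException {
        List<X509Certificate> chain = key.getCertificateChain(X509Certificate.class);
        if (chain.isEmpty()) {
            throw new GeneralSecurityException("no X.509 certificate chain on key " + key.getStableId());
        }

        // Documented invariant: the first element of the chain is the certificate from getCertificate().
        Optional<X509Certificate> leaf = key.getCertificate(X509Certificate.class);
        if (!leaf.isPresent() || !leaf.get().equals(chain.get(0))) {
            throw new GeneralSecurityException("leaf certificate does not match the head of the chain");
        }

        // The certificate's public key must be the one the secret exposes; otherwise the
        // certificate belongs to a different key pair and must not be presented with this key.
        Optional<PublicKey> pub = key.getPublicKey(PublicKey.class); // assumed Optional return
        if (pub.isPresent() && !pub.get().equals(leaf.get().getPublicKey())) {
            throw new GeneralSecurityException("certificate public key differs from the key's public key");
        }

        // Every certificate must be within its validity period and signed by the next one up.
        for (int i = 0; i < chain.size(); i++) {
            X509Certificate cert = chain.get(i);
            cert.checkValidity(); // CertificateExpiredException / CertificateNotYetValidException
            if (i + 1 < chain.size()) {
                cert.verify(chain.get(i + 1).getPublicKey()); // throws on a bad issuer signature
            }
        }
        return leaf.get();
    }

    /**
     * Policy gate (this example's own rule): a deployment that requires private keys to stay
     * in an HSM or remote key store rejects any key whose raw material is extractable. The
     * certificate and public key above remain readable either way.
     */
    public static void requireNonExtractable(CryptoKey key) {
        if (key.isExtractable()) {
            throw new IllegalStateException(
                    "key " + key.getStableId() + " is extractable; policy requires HSM-resident keys");
        }
    }
}
```

The loop verifies each certificate against its issuer within the chain only; whether the last certificate chains to a trusted anchor is a separate decision for a CertPathValidator with the deployment's trust store, which this helper does not replace.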
-
close
public void close()
Marks this CryptoKey as closed, without relinquishing any underlying resources. This method is invoked automatically on objects managed by the try-with-resources statement.
In this implementation the resource is marked as closed, allowing calling code to determine the state using the isClosed() method, thereby maintaining the original API contract.
In the original design this method called Destroyable.destroy(), if applicable, on the underlying key. This feature of closing secrets has been removed to avoid synchronization issues where the Secret may be accessed by multiple threads.
In a future release it is anticipated that Secret will no longer implement AutoCloseable and therefore this method will be deprecated.
- Specified by: close in interface AutoCloseable
- Overrides: close in class Secret
-
isClosed
public boolean isClosed()
Description copied from class: Secret
Indicates whether this secret has been closed by calling the Secret.close() method. A secret that has been closed should be considered invalid and re-fetched from the SecretsProvider.
-
toBuilder
Converts the key back into a SecretBuilder, pre-initialized with the fields of this CryptoKey object.
- Returns: a SecretBuilder that can be used to build a copy of this key.
-
toString