Class PemPropertyFormat

  • All Implemented Interfaces:
    SecretPropertyFormat, SecretDecoder

    public final class PemPropertyFormat
    extends Object
    implements SecretPropertyFormat
    Supports decoding keys and certificates in PEM format. Technically, the format now used by lots of software is not quite the same as PEM, but the name has stuck. This implements the format that everyone uses.

    The following specific types of objects can be loaded:

    • X.509 certificates (BEGIN CERTIFICATE).
    • PKCS#8 format public keys (BEGIN PUBLIC KEY).
    • PKCS#8 format private keys (BEGIN PRIVATE KEY).
    • PKCS#1 format RSA public/private keys (BEGIN RSA PUBLIC KEY / BEGIN RSA PRIVATE KEY).
    • "PKCS#1-style" encoded EC and DSA private keys (BEGIN EC PRIVATE KEY).
    • Encrypted PKCS#8 private keys (BEGIN ENCRYPTED PRIVATE KEY).
    • Encrypted legacy OpenSSL private keys (BEGIN RSA PRIVATE KEY with additional Proc-Type and DEK-Info header fields).
    • Raw HMAC or AES secret keys (BEGIN AES/HMAC SECRET KEY). This is a non-standard ForgeRock addition.
    • Generic secrets such as passwords or API keys (BEGIN GENERIC SECRET). This is a non-standard ForgeRock addition.
    See Also:
    RFC 7468.
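    As an added illustration (not ForgeRock's code), the following Python parser splits a PEM file into blocks using exactly the labels listed above, reads the legacy Proc-Type/DEK-Info header lines, and reports which blocks would need a decryption password (PKCS#8 ENCRYPTED PRIVATE KEY by label, legacy OpenSSL keys by headers). The PemBlock type, parse_pem and the SAMPLE_PEM input are all constructed here; the sample key bytes are dummy data.

```python
import base64
import re
from dataclasses import dataclass
# Labels this page lists; the last three are non-standard ForgeRock additions.
KNOWN_LABELS = {
    "CERTIFICATE", "PUBLIC KEY", "PRIVATE KEY", "RSA PUBLIC KEY", "RSA PRIVATE KEY",
    "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY",
    "AES SECRET KEY", "HMAC SECRET KEY", "GENERIC SECRET",
}
BLOCK_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

@dataclass
class PemBlock:
    label: str            # text between the BEGIN/END markers
    headers: dict         # legacy "Key: value" lines such as Proc-Type and DEK-Info
    der: bytes            # base64-decoded body
    needs_password: bool  # True when a decryption password must be supplied

def parse_pem(text: str) -> list:
    """Split text into PEM blocks, rejecting labels PemPropertyFormat does not list."""
    blocks = []
    for match in BLOCK_RE.finditer(text):
        label, body = match.group(1), match.group(2)
        if label not in KNOWN_LABELS:
            raise ValueError(f"unsupported PEM label: {label}")
        headers, b64_lines = {}, []
        for line in body.splitlines():
            if ":" in line and not b64_lines:   # header lines come before the body
                key, _, value = line.partition(":")
                headers[key.strip()] = value.strip()
            elif line.strip():                  # skip the blank header/body separator
                b64_lines.append(line.strip())
        der = base64.b64decode("".join(b64_lines), validate=True)
        # Legacy OpenSSL encryption is signalled by headers, PKCS#8 encryption by the label.
        legacy = headers.get("Proc-Type") == "4,ENCRYPTED" and "DEK-Info" in headers
        blocks.append(PemBlock(label, headers, der, label == "ENCRYPTED PRIVATE KEY" or legacy))
    return blocks

# Constructed sample input: a generic secret and an encrypted legacy RSA key (dummy bytes).
SAMPLE_PEM = "\n".join([
    "-----BEGIN GENERIC SECRET-----",
    base64.b64encode(b"hunter2-api-key").decode(),
    "-----END GENERIC SECRET-----",
    "-----BEGIN RSA PRIVATE KEY-----",
    "Proc-Type: 4,ENCRYPTED",
    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF",
    "",
    base64.b64encode(bytes(range(32))).decode(),
    "-----END RSA PRIVATE KEY-----",
])
```

    Blocks flagged needs_password are the ones for which PemPropertyFormat would try each password available under the configured decryption purpose.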
    • Constructor Detail

      • PemPropertyFormat

        public PemPropertyFormat(SecretsProvider secretsProvider,
                                 Purpose<GenericSecret> decryptionPasswordPurpose,
                                 Supplier<SecretBuilder> secretBuilderSupplier)
        Initializes the property format with the given secrets provider and purpose for decrypting password-encrypted PEM files. All valid passwords for the given purpose will be tried in turn to attempt to decrypt private key files.
        Parameters:
        secretsProvider - the secrets provider to retrieve decryption passwords from.
        decryptionPasswordPurpose - the purpose to use for retrieving passwords.
        secretBuilderSupplier - a supplier for new SecretBuilder objects when parsing the pem.
      • PemPropertyFormat

        public PemPropertyFormat(SecretsProvider secretsProvider,
                                 Purpose<GenericSecret> decryptionPasswordPurpose)
        Initializes the property format with the given secrets provider and purpose for decrypting password-encrypted PEM files. All valid passwords for the given purpose will be tried in turn to attempt to decrypt private key files.
        Parameters:
        secretsProvider - the secrets provider to retrieve decryption passwords from.
        decryptionPasswordPurpose - the purpose to use for retrieving passwords.
      • PemPropertyFormat

        public PemPropertyFormat(Supplier<SecretBuilder> secretBuilderSupplier)
        Initializes the property format without any support for decrypting private key files. Only unencrypted private keys are supported in this mode. Use PemPropertyFormat(SecretsProvider, Purpose) for support for decrypting password-encrypted keys.
        Parameters:
        secretBuilderSupplier - a supplier for new SecretBuilder objects when parsing the pem.
      • PemPropertyFormat

        public PemPropertyFormat()
        Initializes the property format without any support for decrypting private key files. Only unencrypted private keys are supported in this mode. Use PemPropertyFormat(SecretsProvider, Purpose) for support for decrypting password-encrypted keys.