Enum KeyUsage

    • Enum Constant Detail

      • ENCRYPT

        public static final KeyUsage ENCRYPT
        Key is intended for encrypting data directly.
      • DECRYPT

        public static final KeyUsage DECRYPT
        Key is intended for decrypting data directly.
      • SIGN

        public static final KeyUsage SIGN
        Key is intended for signing messages with digital signatures.
      • VERIFY

        public static final KeyUsage VERIFY
        Key is intended for verifying signatures on messages.
      • AGREE_KEY

        public static final KeyUsage AGREE_KEY
        Key is intended for deriving a key via a key agreement protocol such as Diffie-Hellman. The WebCrypto spec treats this as a special case of the "deriveKey" and/or "deriveBits" usages, but we treat it separately, as there are significant differences between how key agreement is used and how key derivation functions such as HKDF or PBKDF2 are used.
      • WRAP_KEY

        public static final KeyUsage WRAP_KEY
        Key is intended for encrypting (wrapping) other keys. This is the typical mode when using public key cryptography: a temporary symmetric key is generated and used to encrypt the message with a fast symmetric block cipher, such as AES, and then only this temporary key is encrypted using the expensive encryption, such as RSA.
      • UNWRAP_KEY

        public static final KeyUsage UNWRAP_KEY
        Key is intended for decrypting (unwrapping) other keys.
      • VERIFY_CERTIFICATE

        public static final KeyUsage VERIFY_CERTIFICATE
        Key is intended for verifying certificate signatures.
    • Method Detail

      • values

        public static KeyUsage[] values()
        Returns an array containing the constants of this enum type, in the order they are declared. This method may be used to iterate over the constants as follows:
        for (KeyUsage c : KeyUsage.values())
            System.out.println(c);
        
        Returns:
        an array containing the constants of this enum type, in the order they are declared
      • valueOf

        public static KeyUsage valueOf(String name)
        Returns the enum constant of this type with the specified name. The string must match exactly an identifier used to declare an enum constant in this type. (Extraneous whitespace characters are not permitted.)
        Parameters:
        name - the name of the enum constant to be returned.
        Returns:
        the enum constant with the specified name
        Throws:
        IllegalArgumentException - if this enum type has no constant with the specified name
        NullPointerException - if the argument is null
      • fromCertificate

        public static EnumSet<KeyUsage> fromCertificate(Certificate certificate)
        Determines what usages are allowed for a public key based on the associated certificate. For X.509 certificates, this checks the KeyUsage extension. If it is not possible to determine what constraints are applied to the key, then this returns all usages as valid. This is because, in the absence of constraints, it is not possible to say what should be forbidden, and it makes validation checks easier to perform, as the validator can just assert the presence of desired usages.
        Parameters:
        certificate - the certificate to check for usage constraints.
        Returns:
        the set of allowed key usages.
      • fromX509KeyUsageBits

        public static EnumSet<KeyUsage> fromX509KeyUsageBits(boolean[] bits)
        Converts an X.509 KeyUsage bit vector into a corresponding set of usage values.
        Parameters:
        bits - the X.509 KeyUsage bit vector.
        Returns:
        the corresponding usage values.
      • forKeyType

        public static EnumSet<KeyUsage> forKeyType(Class<? extends CryptoKey> keyType)
        Returns the set of all key usages that are applicable to the given key type.
        Parameters:
        keyType - the type of key.
        Returns:
        the set of all key usages that are applicable to that key type.
      • toX509KeyUsageBits

        public static boolean[] toX509KeyUsageBits(Set<KeyUsage> usages)
        Converts a set of key usage values to an X.509 KeyUsage constraint bit string.
        Parameters:
        usages - the allowed usages.
        Returns:
        the X.509 key usage bit string.
        See Also:
        X509Certificate.getKeyUsage()
      • forWebCryptoName

        public static Optional<KeyUsage> forWebCryptoName(String keyOperation)
        Converts a Web Crypto/JWK key operation name into the equivalent key usage constant.
        Parameters:
        keyOperation - a Web Crypto/JWK key operation name.
        Returns:
        the equivalent key usage, or empty if this key operation does not correspond to any known key usage.
      • getX509StandardName

        public String getX509StandardName()
        The standard name of this key usage in the X.509 standard.
        Returns:
        the X.509 standard name for this usage, or null if no equivalent.
      • getWebCryptoName

        public String getWebCryptoName()
        The standard WebCrypto KeyUsage name for this usage.
        Returns:
        the WebCrypto KeyUsage name or null if this KeyUsage does not have a WebCrypto name.
      • getX509BitPosition

        public int getX509BitPosition()
        The bit position of this usage in the X.509 KeyUsage extension.
        Returns:
        the bit position of this usage in the X.509 KeyUsage extension.
      • getKeyType

        public Class<? extends CryptoKey> getKeyType()
        The key type corresponding to this key usage.
        Returns:
        the key type corresponding to this usage.
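
Added example (not part of this library or its documentation): a JDK-only sketch of the behaviour described under fromCertificate and fromX509KeyUsageBits, where an absent KeyUsage extension yields every usage and the validator only asserts that the usage it needs is present. The local Usage enum, its usage-to-bit mapping, and the fromBits and require helpers are assumptions made for illustration; the bit positions themselves are those of the X.509 KeyUsage extension.

```java
import java.util.EnumSet;

// Added illustration: a local stand-in enum, not the library's KeyUsage.
public class KeyUsageCheck {
    // Bit positions are those of the X.509 KeyUsage extension (RFC 5280), as
    // returned by java.security.cert.X509Certificate.getKeyUsage().
    // Which usage maps to which bit is an assumption made for this example.
    enum Usage {
        VERIFY(0),             // digitalSignature
        WRAP_KEY(2),           // keyEncipherment
        ENCRYPT(3),            // dataEncipherment
        AGREE_KEY(4),          // keyAgreement
        VERIFY_CERTIFICATE(5); // keyCertSign
        final int bit;
        Usage(int bit) { this.bit = bit; }
    }

    // A null vector means the certificate carries no KeyUsage extension, so
    // nothing is known to be forbidden and every usage is returned.
    static EnumSet<Usage> fromBits(boolean[] bits) {
        if (bits == null) return EnumSet.allOf(Usage.class);
        EnumSet<Usage> allowed = EnumSet.noneOf(Usage.class);
        for (Usage u : Usage.values()) {
            if (u.bit < bits.length && bits[u.bit]) {
                allowed.add(u);
            }
        }
        return allowed;
    }

    // The validator only asserts that the usage it needs is present.
    static void require(EnumSet<Usage> allowed, Usage needed) {
        if (!allowed.contains(needed)) {
            throw new SecurityException("key not permitted for " + needed);
        }
    }

    public static void main(String[] args) {
        // Constructed sample: digitalSignature and keyEncipherment bits set.
        boolean[] tlsServer = {true, false, true, false, false, false, false, false, false};
        require(fromBits(tlsServer), Usage.VERIFY);  // passes
        require(fromBits(null), Usage.AGREE_KEY);    // passes: no extension present
        try {
            require(fromBits(tlsServer), Usage.VERIFY_CERTIFICATE);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because an absent extension yields every usage, a caller that must reject unconstrained certificates has to test for the missing extension itself (a null result from X509Certificate.getKeyUsage()) before relying on the returned set.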