java.lang.Object
- org.forgerock.openig.heap.GenericHeaplet
- - org.forgerock.openig.secrets.SecretsTrustManagerHeaplet

All Implemented Interfaces:: Heaplet

public class SecretsTrustManagerHeaplet
extends GenericHeaplet

A SecretsTrustManagerHeaplet acts as a factory of SecretsTrustManager.

It is meant to be used when certificates that are to be trusted are available through the ForgeRock Secrets API (when using KeyStoreSecretStore for instance).

 {
       "type": "SecretsTrustManager",
       "config": {
         "verificationSecretId":             secret-id          [ REQUIRED - Secret ID used to retrieve
                                                                             trusted certificates. (1)]
         "certificateVerificationSecretId":  secret-id          [ REQUIRED - Secret ID used to retrieve
                                                                             trusted CA certificates. (1)]
         "secretsProvider"     :             Secrets Provider   [ REQUIRED - Resolves trusted certificates. ]
         "checkRevocation"     :             boolean            [ OPTIONAL - Enable/Disable revocation check
                                                                             (default to true) ]
       }
    }

(1) At least one of verificationSecretId or certificateVerificationSecretId is REQUIRED.

When to use these 2 attributes:

verificationSecretId secrets will select certificates usable to verify signed data.
Certificates loaded from keystores must have the digitalSignature bit set, or no extension bit set at all (usual for self-signed and client certificates).
Certificates loaded from JWK/JWKSet must have use = sig or unset AND key_ops containing 'verify' or unset.
certificateVerificationSecretId secrets will select certificates usable to verify signed certificate.
Certificates loaded from keystores must have the keyCertSign bit set, or no extension bit set at all (usual for CA certificates).
Certificates loaded from JWK/JWKSet must have both 'key_ops' and 'use' unset
Note that certificates loaded from PEM have no usage constraints and can be used for both verificationSecretId or certificateVerificationSecretId indistinctly.

Usage example with a keystore

Trusts a list of certificates found in a given keystore

 {
      "type": "SecretsTrustManager",
      "config": {
        "verificationSecretId": [ "trust.manager.secret.id" ],
        "secretsProvider": {
          "type": "KeyStoreSecretStore",
          "config": {
            "file": "&{ig.instance.dir}/certs/truststore.p12",
            "storePassword": "keystore.pass",
            "secretsProvider": "SecretsPasswords",
            "mappings": [{
              "secretId": "trust.manager.secret.id",
              "aliases": [ "alias-of-trusted-cert-1", "alias-of-trusted-cert-2" ]
            }]
          }
        }
      }
   }

Trusts certificates signed by certificate authorities whose certificate are found in a given keystore

 {
      "type": "SecretsTrustManager",
      "config": {
        "certificateVerificationSecretId": [ "ca.secret.id" ],
        "secretsProvider": {
          "type": "KeyStoreSecretStore",
          "config": {
            "file": "&{ig.instance.dir}/certs/truststore.p12",
            "storePassword": "keystore.pass",
            "secretsProvider": "SecretsPasswords",
            "mappings": [{
              "secretId": "ca.secret.id",
              "aliases": [ "alias-of-trusted-cacert-1", "alias-of-trusted-cacert-2" ]
            }]
          }
        }
      }
   }

See Also:: SecretsTrustManager, SecretsProvider.getTrustManager(Purpose, Options), RFC-5280 / Certificate Key Usage

- Field Summary
  - Fields inherited from class org.forgerock.openig.heap.GenericHeaplet
    config, heap, name, object, qualified
- Constructor Summary
  
  Constructors
  Constructor Description
  
  SecretsTrustManagerHeaplet()
- Method Summary
  
  All Methods Instance Methods Concrete Methods
  Modifier and Type Method Description
  
  Object create()
  Called to request the heaplet create an object.
  - Methods inherited from class org.forgerock.openig.heap.GenericHeaplet
    create, destroy, endpointRegistry, evaluatedWithHeapProperties, expression, getConfig, getHeap, getSecretService, getSecretsProvider, getType, initialBindings, meterRegistryHolder, start
  - Methods inherited from class java.lang.Object
    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

- Constructor Detail
  - SecretsTrustManagerHeaplet
```
public SecretsTrustManagerHeaplet()
```
- Method Detail
  - create
```
public Object create()
              throws HeapException
```
    Description copied from class: GenericHeaplet
    
    Called to request the heaplet create an object. Called by Heaplet.create(Name, JsonValue, Heap) after initializing the protected field members. Implementations should parse configuration but not acquire resources, start threads, or log any initialization messages. These tasks should be performed by the GenericHeaplet.start() method.
    
    Specified by:
    
    create in class GenericHeaplet
    
    Returns:
    
    The created object.
    
    Throws:
    
    HeapException - if an exception occurred during creation of the heap object or any of its dependencies.

Class SecretsTrustManagerHeaplet

Usage example with a keystore

Trusts a list of certificates found in a given keystore

Trusts certificates signed by certificate authorities whose certificate are found in a given keystore

Field Summary

Fields inherited from class org.forgerock.openig.heap.GenericHeaplet

Constructor Summary

Method Summary

Methods inherited from class org.forgerock.openig.heap.GenericHeaplet

Methods inherited from class java.lang.Object

Constructor Detail

SecretsTrustManagerHeaplet

Method Detail

create