Package org.forgerock.secrets.keystore

Class KeyStoreSecretStore

java.lang.Object

org.forgerock.secrets.keystore.KeyStoreSecretStore

All Implemented Interfaces:

SecretStore<Secret>

public class KeyStoreSecretStore
extends Object
implements SecretStore<Secret>

A secret store for cryptographic keys based on a standard Java KeyStore. Typically this will either be a file-based PKCS#12 keystore or a PKCS#11 Hardware Security Module (HSM). Legacy proprietary key store formats such as JKS and JCEKS are also supported, but should not be used for any new functionality as they implement weak encryption and integrity protection mechanisms.

The password for the keystore and for all entries within the keystore can be provided as a GenericSecret allowing it to come from another secrets backend, such as an environment variable, encrypted file, KMS, etc.

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static class	KeyStoreSecretStore.AliasSpec	Specifies an alias with its validity for use in the store.
static interface	KeyStoreSecretStore.AliasSpecProvider	Permits to retrieve the list of usable AliasSpecs of a specific KeyStore.
static class	KeyStoreSecretStore.CompositeAliasSpecProvider	Aggregates multiple AliasSpecProviders results to serve the list of AliasSpec for a KeyStore.
class	KeyStoreSecretStore.KeyDetails	Details of a key that comes from the keystore.
static class	KeyStoreSecretStore.PredicateAliasSpecProvider	Serves a matching subset of the aliases present in a KeyStore based on a predicate.
static interface	KeyStoreSecretStore.StableIdProvider	An interface to allow the consuming application to provide the stable ID for the secret.
static class	KeyStoreSecretStore.StaticAliasSpecProvider	Serves a static list of AliasSpecs, without looking at the real content of a KeyStore.

Field Summary

Fields inherited from interface org.forgerock.secrets.SecretStore

CLOCK, LEASE_EXPIRY_DURATION

Constructor Summary

Constructors

Constructor	Description
KeyStoreSecretStore(Function<char[],KeyStore,KeyStoreException> keyStoreLoader, SecretReference<GenericSecret> keyStorePassword)	Initialises the keystore using the same password for the keystore and all keys and default configuration options.
KeyStoreSecretStore(Function<char[],KeyStore,KeyStoreException> keyStoreLoader, SecretReference<GenericSecret> keyStorePassword, SecretReference<GenericSecret> keyEntryPassword, Options options, KeyStoreSecretStore.StableIdProvider stableIdProvider)	Initialises the key store.
KeyStoreSecretStore(Function<char[],KeyStore,KeyStoreException> keyStoreLoader, SecretReference<GenericSecret> keyStorePassword, Options options)	Initialises the keystore using the same password for the keystore and all keys.

Method Summary

Modifier and Type	Method	Description
<S extends Secret> Promise<S,NoSuchSecretException>	getActive(Purpose<S> purpose)	Returns the active secret for the given purpose.
<S extends Secret> Promise<S,NoSuchSecretException>	getNamed(Purpose<S> purpose, String id)	Returns the named secret from this store.
Class<Secret>	getStoredType()	The top-level class that this store is capable of storing.
<S extends Secret> Promise<Stream<S>,NeverThrowsException>	getValid(Purpose<S> purpose)	Returns all valid secrets for the given purpose from this store.
void	refresh()	Indicates that the store should refresh its secrets from the backing storage mechanism.
void	retire(Purpose<? extends Secret> purpose, String oldAlias)	Retires a key previously used for a given purpose.
void	revoke(String alias)	Revokes a key from all purposes.
void	rotate(Purpose<? extends Secret> purpose, String newAlias)	Rotates the key associated with a given purpose.
void	setAliasSpecProviderForPurposes(Map<String,KeyStoreSecretStore.AliasSpecProvider> keysForPurposes)	Set the keys that are used for different purposes.
void	setKeysForPurposes(Map<String,List<KeyStoreSecretStore.AliasSpec>> keysForPurposes)	Set the keys that are used for different purposes.
String	toString()

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Constructor Detail

KeyStoreSecretStore

public KeyStoreSecretStore(Function<char[],KeyStore,KeyStoreException> keyStoreLoader,
                           SecretReference<GenericSecret> keyStorePassword,
                           SecretReference<GenericSecret> keyEntryPassword,
                           Options options,
                           KeyStoreSecretStore.StableIdProvider stableIdProvider)

Initialises the key store.

Parameters:

keyStoreLoader - the loader for the keystore. A function that takes the keystore password and returns the loaded keystore.

keyStorePassword - the keystore password.

keyEntryPassword - the key entry password. The same password will be used for all key entries.

options - the configuration options.

stableIdProvider - The implementation that will provide stable IDs for a given key.

KeyStoreSecretStore

public KeyStoreSecretStore(Function<char[],KeyStore,KeyStoreException> keyStoreLoader,
                           SecretReference<GenericSecret> keyStorePassword,
                           Options options)

Initialises the keystore using the same password for the keystore and all keys. Uses a default KeyStoreSecretStore.StableIdProvider that just returns KeyStoreSecretStore.KeyDetails.getAlias().

Parameters:

keyStoreLoader - the keystore loader.

keyStorePassword - the keystore password.

options - the configuration options.

KeyStoreSecretStore

public KeyStoreSecretStore(Function<char[],KeyStore,KeyStoreException> keyStoreLoader,
                           SecretReference<GenericSecret> keyStorePassword)

Initialises the keystore using the same password for the keystore and all keys and default configuration options. Uses a default KeyStoreSecretStore.StableIdProvider that just returns KeyStoreSecretStore.KeyDetails.getAlias().

Parameters:

keyStoreLoader - the keystore loader.

keyStorePassword - the keystore password.

Method Detail

setKeysForPurposes

public void setKeysForPurposes(Map<String,List<KeyStoreSecretStore.AliasSpec>> keysForPurposes)

Set the keys that are used for different purposes.

Parameters:

keysForPurposes - a map from purpose label to a list of key aliases.

setAliasSpecProviderForPurposes

public void setAliasSpecProviderForPurposes(Map<String,KeyStoreSecretStore.AliasSpecProvider> keysForPurposes)

Set the keys that are used for different purposes.

Parameters:

keysForPurposes - a map from purpose label to a provider of aliases.

rotate

public void rotate(Purpose<? extends Secret> purpose,
                   String newAlias)

Rotates the key associated with a given purpose.

Specified by:

rotate in interface SecretStore<Secret>

Parameters:

purpose - the purpose to install a new key for.

newAlias - the new key alias.

retire

public void retire(Purpose<? extends Secret> purpose,
                   String oldAlias)

Retires a key previously used for a given purpose. The key will no longer be used for that purpose.

Specified by:

retire in interface SecretStore<Secret>

Parameters:

purpose - the key purpose.

oldAlias - the key alias.

revoke

public void revoke(String alias)

Revokes a key from all purposes. The given key will no longer be usable for any purpose within this store.

Specified by:

revoke in interface SecretStore<Secret>

Parameters:

alias - the alias to remove.

getStoredType

public Class<Secret> getStoredType()

Description copied from interface: SecretStore

The top-level class that this store is capable of storing. This is a reification of the type parameter and can be used to lookup stores for a given type.

Specified by:

getStoredType in interface SecretStore<Secret>

Returns:

the top-most type that this store is capable of storing, typically either CryptoKey for key-stores, GenericSecret for password stores, or Secret if the store is capable of storing any type of secret.

refresh

public void refresh()

Description copied from interface: SecretStore

Indicates that the store should refresh its secrets from the backing storage mechanism. This can be used to cause reload of a store after a secret rotation if the backend does not automatically detect such changes. Refresh may be an asynchronous operation and no guarantees are made about when clients of this secret store may see updated secrets after a call to refresh.

Specified by:

refresh in interface SecretStore<Secret>

getActive

public <S extends Secret> Promise<S,NoSuchSecretException> getActive(Purpose<S> purpose)

Description copied from interface: SecretStore

Returns the active secret for the given purpose.

Specified by:

getActive in interface SecretStore<Secret>

Type Parameters:

S - the type of secret.

Parameters:

purpose - the purpose for which a secret is required.

Returns:

the active secret from this store.

getNamed

public <S extends Secret> Promise<S,NoSuchSecretException> getNamed(Purpose<S> purpose,
                                                                          String id)

Description copied from interface: SecretStore

Returns the named secret from this store. The default implementation calls SecretStore.getValid(Purpose) and then returns the first valid key with a matching stable ID.

Specified by:

getNamed in interface SecretStore<Secret>

Type Parameters:

S - the type of secret.

Parameters:

purpose - the secret purpose.

id - the name (stable id) of the secret.

Returns:

a promise for the named secret, or a NoSuchSecretException promise if no such secret exists.

getValid

public <S extends Secret> Promise<Stream<S>,NeverThrowsException> getValid(Purpose<S> purpose)

Description copied from interface: SecretStore

Returns all valid secrets for the given purpose from this store.

Specified by:

getValid in interface SecretStore<Secret>

Type Parameters:

S - the type of secret.

Parameters:

purpose - the purpose.

Returns:

a stream of all valid secrets of the given type from this store, or an empty stream if none exist.

toString

public String toString()

Overrides:

toString in class Object