Package org.forgerock.openig.secrets

Interface SecretsService

public interface SecretsService
Interface for the SecretsService. MUST cover all methods declared in SecretsProvider class for compatibility when using deprecated secrets service. Javadoc is duplicated from the SecretsProvider's class.

  • Method Details

    • getActiveSecret

      <S extends Secret> Promise<S,NoSuchSecretException> getActiveSecret(Purpose<S> purpose)
      Gets the currently active secret for the given purpose. If more than one secret exists for this purpose, then this method returns the secret that is currently active and should be used for new operations. The returned secret is guaranteed to be within the valid periods specified by its validFrom and expiry times. If no valid secret is configured for the purpose then a NoSuchSecretException is thrown instead.

      The active secret is found by first consulting the currently active store for the purpose label. If no active stores exist for the purpose, all default stores are consulted, and the first matching secret is used.

      This method is usually used for encryption and signature operations, where you need to use the active (not rotated) crypto material.

      Type Parameters:
      S - the type of secret to return.
      Parameters:
      purpose - the purpose for which the secret is intended to be used.
      Returns:
      A promise containing either the active secret for this purpose, or a NoSuchSecretException if one cannot be found.

    • getNamedSecret

      <S extends Secret> Promise<S,NoSuchSecretException> getNamedSecret(Purpose<S> purpose, String id)
      Gets the secret for the given purpose with the given stable secret id.

      This method is usually used for decryption and signature verification operations, where you may have a hint for selecting the crypto material to use for the operation. Because the verified signature may have been generated with a rotated secret (at time of verification), #getActiveSecret cannot be used.

      Type Parameters:
      S - the type of secret to return
      Parameters:
      purpose - the purpose for which the secret is intended to be used.
      id - the stable id of the particular secret to get.
      Returns:
      the secret with that id, or an empty result if no such secret exists.
      See Also:

    • getValidSecrets

      <S extends Secret> Promise<Stream<S>,NeverThrowsException> getValidSecrets(Purpose<S> purpose)
      Returns all secrets for the given purpose which have not yet expired. This can be used, for instance, to get a list of all signature validation keys that are still trusted. The secrets will be returned in the order of preference of the store they are from: secrets from the active store will be first, then the most recent previously active store, and so on.
      Type Parameters:
      S - the type of secret to return.
      Parameters:
      purpose - the purpose for which the secrets are intended for.
      Returns:
      a stream of all valid secrets for the given purpose, or an empty stream if not configured.

    • createActiveReference

      <S extends Secret> SecretReference<S> createActiveReference(Purpose<S> purpose)
      Create a SecretReference for the given Purpose.
      Type Parameters:
      S - The type of the SecretReference to return.
      Parameters:
      purpose - The Purpose for the SecretReference.
      Returns:
      A SecretReference of the given Purpose.

    • createNamedReference

      <S extends Secret> SecretReference<S> createNamedReference(Purpose<S> purpose, String name)
      Creates a reference to a secret with the given name (stable id) for the given purpose.
      Type Parameters:
      S - the type of secret.
      Parameters:
      purpose - the purpose.
      name - the name (stable id) of the secret.
      Returns:
      a reference to the named secret in this secrets provider.

    • useSpecificSecretForPurpose

      <S extends Secret> SecretsProvider useSpecificSecretForPurpose(Purpose<S> purpose, S secret)
      Configures this SecretsProvider to always return the specific given secret for the given purpose. This removes any other secret stores configured for this purpose and configures the provider to only ever return this specific secret as the active and only valid secret for this purpose, until the secret expires or is manually reconfigured.
      Type Parameters:
      S - the type of secret.
      Parameters:
      purpose - the purpose to configure the secret for.
      secret - the specific secret to use for this purpose.
      Returns:
      this provider after updating the configuration.

    • setDefaultStores

      SecretsProvider setDefaultStores(SecretStore<?> activeStore, SecretStore<?>... defaultStores)
      Sets the default store(s) to use if there is no specific store configured for a particular purpose.
      Parameters:
      activeStore - the store to use for all requests for active secrets.
      defaultStores - remaining valid stores to consult for existing named/valid secrets.
      Returns:
      the updated secrets provider object.

    • asKeyStore

      <T extends CryptoKey> KeyStore asKeyStore(Purpose<T> purpose)
      Returns a view of this secrets provider as a keystore for the given purpose.
      Type Parameters:
      T - the type of keys.
      Parameters:
      purpose - the purpose that the keystore will be used for.
      Returns:
      the keystore view of this secrets provider.

    • getKeyManager

      X509ExtendedKeyManager getKeyManager(Purpose<? extends CryptoKey> purpose)
      Returns a KeyManager that can be used to initialize an SSLContext, allowing certificates and private keys to be retrieved from this secrets provider.
      Parameters:
      purpose - the purpose to use for retrieving TLS certificates and keys.
      Returns:
      a KeyManager that obtains keys and certificates from this secrets provider.

    • getKeyManager

      X509ExtendedKeyManager getKeyManager(Purpose<? extends CryptoKey> purpose, Options options)
      Returns a KeyManager that can be used to initialize an SSLContext, allowing certificates and private keys to be retrieved from this secrets provider.
      Parameters:
      purpose - the purpose to use for retrieving TLS certificates and keys.
      options - the options to configure the key manager. See SecretsKeyManager.KEY_MANAGER_ALGORITHM.
      Returns:
      a KeyManager that obtains keys and certificates from this secrets provider.

    • getNamedOrValidSecrets

      <S extends Secret> Promise<Stream<S>,NeverThrowsException> getNamedOrValidSecrets(Purpose<S> purpose, String id)
      If the given id is not null, then this returns the single named secret that corresponds to that stable id (or a stream of valid secrets for the given purpose if no such secret exists), otherwise it returns all valid secrets for the given purpose. This is a convenience method for a frequent case where you want to process an incoming message (e.g., to decrypt or verify it) and the message may or may not have a secret/key identifier.
      Type Parameters:
      S - the type of secrets to return.
      Parameters:
      purpose - the purpose for which the secrets are intended.
      id - the optional stable id of the secret, or null if not known.
      Returns:
      a stream of all secrets to try, or an empty stream if none are applicable.

    • getTrustManager

      SecretsTrustManager getTrustManager(Purpose<? extends CryptoKey> purpose)
      Constructs an X509ExtendedTrustManager that will retrieve certificates from this secrets provider for the provided purpose. This can be used to configured SSL connections via SSLContext.init(KeyManager[], TrustManager[], SecureRandom). Default options will be used to configure the trust manager.
      Parameters:
      purpose - the purpose to use to lookup trusted certificates.
      Returns:
      the trust manager to use

    • getTrustManager

      SecretsTrustManager getTrustManager(Purpose<? extends CryptoKey> purpose, Options options)
      Constructs an X509ExtendedTrustManager that will retrieve certificates from this secrets provider for the provided purpose. This can be used to configured SSL connections via SSLContext.init(KeyManager[], TrustManager[], SecureRandom).
      Parameters:
      purpose - the purpose to use to lookup trusted certificates.
      options - the trust manager options - see SecretsTrustManager for details.
      Returns:
      the trust manager to use