PemPropertyFormat

The format of a secret used with a mappings configuration in FileSystemSecretStore and SystemAndEnvSecretStore. Privacy-Enhanced Mail (PEM) is a file format for storing and sending cryptographic keys, certificates, and other data, based on standards in Textual Encodings of PKIX, PKCS, and CMS Structures. By default, OpenSSL generates keys using the PEM format.

Encryption methods and ciphers used for PEM encryption must be supported by the Java Cryptography Extension.

PEM keys have the following format, where the PEM label is associated to the type of stored cryptographic material:

-----BEGIN {PEM label}-----
Base64-encoded cryptographic material
-----END {PEM label}-----

PEM Label Stored Cryptographic Material

PEM Label	Stored Cryptographic Material
`CERTIFICATE`	X.509 Certificate
`PUBLIC KEY`	X.509 SubjectPublicKeyInfo
`PRIVATE KEY`	PKCS#8 Private Key
`ENCRYPTED PRIVATE KEY`	Encrypted PKCS#8 Private Key
`EC PRIVATE KEY`	EC Private Key
`RSA PRIVATE KEY`	PKCS#1 RSA Private Key
`RSA PUBLIC KEY`	PKCS#1 RSA Public Keys
`DSA PRIVATE KEY`	PKCS#1-style DSA Private Key
`HMAC SECRET KEY`	HMAC Secret Keys
`AES SECRET KEY`	AES Secret Keys
`GENERIC SECRET`	Generic Secrets (passwords, API keys, etc)

CERTIFICATE

X.509 Certificate

PUBLIC KEY

X.509 SubjectPublicKeyInfo

PRIVATE KEY

PKCS#8 Private Key

ENCRYPTED PRIVATE KEY

Encrypted PKCS#8 Private Key

EC PRIVATE KEY

EC Private Key

RSA PRIVATE KEY

PKCS#1 RSA Private Key

RSA PUBLIC KEY

PKCS#1 RSA Public Keys

DSA PRIVATE KEY

PKCS#1-style DSA Private Key

HMAC SECRET KEY

HMAC Secret Keys

AES SECRET KEY

AES Secret Keys

GENERIC SECRET

Generic Secrets (passwords, API keys, etc)

Note the following points about the key formats:

PKCS#1 is the standard that defines RSA. For more information, refer to RFC 8017: RSA Public Key Syntax.
PKCS#1-style DSA and EC keys are not defined in any standard, but are adapted from the RSA format.
HMAC SECRET KEY, AES SECRET KEY, and GENERIC SECRET are a ForgeRock extension, and not currently supported by any other tools.

The following example is non-standard PEM encoding of an HMAC symmetric secret key. The payload is base64-encoded random bytes that are the key material, with no extra encoding.
```
-----BEGIN HMAC SECRET KEY-----
Pj/Vel...thB0U=
-----END HMAC SECRET KEY-----
```
Run the following example command to create the key:
```
cat <<EOF
-----BEGIN HMAC SECRET KEY-----
$(head -c32 /dev/urandom | base64)
-----END HMAC SECRET KEY-----
EOF
```

Usage

{
  "name": string,
  "type": "PemPropertyFormat",
  "config": {
   "decryptionSecretId": configuration expression<secret-id>,
   "secretsProvider": SecretsProvider reference
  }
}

Properties

"decryptionSecretId": configuration expression<secret-id>, optional: The secret ID for the secret to decrypt a PKCS#8 private key.

This secret ID must point to a GenericSecret.
"secretsProvider": SecretsProvider reference, required when decryptionSecretId is used: The SecretsProvider to query for the decryption secret.

Example

For examples of use, see Pass runtime data in a JWT signed with a PEM and Pass runtime data in a JWT signed and encrypted with a PEM.

More information

org.forgerock.openig.secrets.PemPropertyFormatHeaplet

Identity Gateway 2024.3

PemPropertyFormat

Usage

Properties

Example

More information