Class SecretsTrustManagerHeaplet

java.lang.Object
org.forgerock.openig.heap.GenericHeaplet
org.forgerock.openig.secrets.SecretsTrustManagerHeaplet
All Implemented Interfaces:
Heaplet

public class SecretsTrustManagerHeaplet extends GenericHeaplet
A SecretsTrustManagerHeaplet acts as a factory of SecretsTrustManager.

It is meant to be used when certificates that are to be trusted are available through the ForgeRock Secrets API (when using KeyStoreSecretStore for instance).

 {
       "type": "SecretsTrustManager",
       "config": {
         "verificationSecretId":             secret-id          [ REQUIRED - Secret ID used to retrieve
                                                                             trusted certificates. (1)]
         "certificateVerificationSecretId":  secret-id          [ REQUIRED - Secret ID used to retrieve
                                                                             trusted CA certificates. (1)]
         "secretsProvider"     :             Secrets Provider   [ REQUIRED - Resolves trusted certificates. ]
         "checkRevocation"     :             boolean            [ OPTIONAL - Enable/Disable revocation check
                                                                             (default to true) ]
       }
    }
 

(1) At least one of verificationSecretId or certificateVerificationSecretId is REQUIRED.

When to use these 2 attributes:

  • verificationSecretId secrets will select certificates usable to verify signed data.
    Certificates loaded from keystores must have the digitalSignature bit set, or no extension bit set at all (usual for self-signed and client certificates).
    Certificates loaded from JWK/JWKSet must have use = sig or unset AND key_ops containing 'verify' or unset.
  • certificateVerificationSecretId secrets will select certificates usable to verify signed certificate.
    Certificates loaded from keystores must have the keyCertSign bit set, or no extension bit set at all (usual for CA certificates).
    Certificates loaded from JWK/JWKSet must have both 'key_ops' and 'use' unset
  • Note that certificates loaded from PEM have no usage constraints and can be used for both verificationSecretId or certificateVerificationSecretId indistinctly.

Usage example with a keystore

Trusts a list of certificates found in a given keystore

 {
      "type": "SecretsTrustManager",
      "config": {
        "verificationSecretId": [ "trust.manager.secret.id" ],
        "secretsProvider": {
          "type": "KeyStoreSecretStore",
          "config": {
            "file": "&{ig.instance.dir}/certs/truststore.p12",
            "storePassword": "keystore.pass",
            "secretsProvider": "SecretsPasswords",
            "mappings": [{
              "secretId": "trust.manager.secret.id",
              "aliases": [ "alias-of-trusted-cert-1", "alias-of-trusted-cert-2" ]
            }]
          }
        }
      }
   }
 

Trusts certificates signed by certificate authorities whose certificate are found in a given keystore

 {
      "type": "SecretsTrustManager",
      "config": {
        "certificateVerificationSecretId": [ "ca.secret.id" ],
        "secretsProvider": {
          "type": "KeyStoreSecretStore",
          "config": {
            "file": "&{ig.instance.dir}/certs/truststore.p12",
            "storePassword": "keystore.pass",
            "secretsProvider": "SecretsPasswords",
            "mappings": [{
              "secretId": "ca.secret.id",
              "aliases": [ "alias-of-trusted-cacert-1", "alias-of-trusted-cacert-2" ]
            }]
          }
        }
      }
   }
 
See Also:
  • Field Details

  • Constructor Details

    • SecretsTrustManagerHeaplet

      public SecretsTrustManagerHeaplet()
  • Method Details