Package org.certificateservices.messages

Class SimpleMessageSecurityProvider

java.lang.Object

org.certificateservices.messages.SimpleMessageSecurityProvider

All Implemented Interfaces:

ContextMessageSecurityProvider, MessageSecurityProvider

public class SimpleMessageSecurityProvider
extends java.lang.Object
implements ContextMessageSecurityProvider

Simple PKI Message provider that is configured with two soft key stores. One key store used as a client key store signing messages and One trust store where accepted end entity certificates are stored.

Nested Class Summary

Nested classes/interfaces inherited from interface org.certificateservices.messages.ContextMessageSecurityProvider

ContextMessageSecurityProvider.Context

Field Summary

Fields

Modifier and Type	Field	Description
static EncryptionAlgorithmScheme	DEFAULT_ENCRYPTION_ALGORITHM_SCHEME
static SigningAlgorithmScheme	DEFAULT_SIGNATURE_ALGORITHM_SCHEME
static java.lang.String	SETTING_DECRYPTKEYSTORE_DEFAULTKEY_ALIAS	Setting indicating the alias of the decryption key to use if no specific key is known.
static java.lang.String	SETTING_DECRYPTKEYSTORE_PASSWORD	Setting indicating the password to the decrypt key store (required, if encrypt key store is specified.)
static java.lang.String	SETTING_DECRYPTKEYSTORE_PATH	Setting indicating the path to the decrypt JKS key store (optional, if not set is signing keystore used for both signing and encryption)
static java.lang.String	SETTING_ENCRYPTION_ALGORITHM_SCHEME	Setting indicating the Encryption algorithm scheme to use, possible values are: RSA_OAEP_WITH_AES256 (Default if not set).
static java.lang.String	SETTING_PREFIX
static java.lang.String	SETTING_SIGNATURE_ALGORITHM_SCHEME	Setting indicating the Signature algorithm scheme to use, possible values are: RSAWithSHA256 (Default if not set).
static java.lang.String	SETTING_SIGNINGKEYSTORE_ALIAS	Setting indicating the alias of the certificate to use in the signing key store (required)
static java.lang.String	SETTING_SIGNINGKEYSTORE_PASSWORD	Setting indicating the password to the signing key store (required)
static java.lang.String	SETTING_SIGNINGKEYSTORE_PATH	Setting indicating the path to the signing JKS key store (required)
static java.lang.String	SETTING_TRUSTKEYSTORE_PASSWORD	Setting indicating the password to the trust JKS key store (required)
static java.lang.String	SETTING_TRUSTKEYSTORE_PATH	Setting indicating the path to the trust JKS key store (required)
protected TruststoreHelper	truststoreHelper

Fields inherited from interface org.certificateservices.messages.ContextMessageSecurityProvider

DEFAULT_CONTEXT

Fields inherited from interface org.certificateservices.messages.MessageSecurityProvider

DEFAULT_DECRYPTIONKEY

Constructor Summary

Constructors

Constructor	Description
SimpleMessageSecurityProvider(java.util.Properties config)	Configures and set's up the security provider with truststore from configuration.
SimpleMessageSecurityProvider(java.util.Properties config, java.security.KeyStore trustStore)	Configures and set's up the security provider with a given truststore.

Method Summary

Modifier and Type	Method	Description
java.security.cert.X509Certificate	getDecryptionCertificate(java.lang.String keyId)	Fetches the decryption certificate of related key id.
java.security.cert.X509Certificate	getDecryptionCertificate(ContextMessageSecurityProvider.Context context, java.lang.String keyId)	Fetches the decryption certificate of related key id.
java.security.cert.X509Certificate[]	getDecryptionCertificateChain(java.lang.String keyId)	Fetches the decryption certificate chain of related key id can be one or more in size..
java.security.cert.X509Certificate[]	getDecryptionCertificateChain(ContextMessageSecurityProvider.Context context, java.lang.String keyId)	Fetches the decryption certificate chain of related key id can be one or more in size..
java.security.PrivateKey	getDecryptionKey(java.lang.String keyId)	Fetches a private key given it's unique identifier.
java.security.PrivateKey	getDecryptionKey(ContextMessageSecurityProvider.Context context, java.lang.String keyId)	Fetches a private key given it's unique identifier.
java.util.Set<java.lang.String>	getDecryptionKeyIds()	Returns key identifiers of all available decryption keys.
java.util.Set<java.lang.String>	getDecryptionKeyIds(ContextMessageSecurityProvider.Context context)	Returns key identifiers of all available decryption keys.
protected java.security.KeyStore	getDecryptionKeyStore(java.util.Properties config)	Method that that reads in the configured decryption keystore and if no specific decryption keystore is exists uses the singing keystore.
protected char[]	getDecryptionKeyStorePassword(java.util.Properties config)	Method that that reads in the configured decryption keystore and if no specific decryption keystore is exists uses the singing keystore.
protected java.lang.String	getDefaultDecryptionAlias(java.util.Properties config)	Help method that reads default key alias and failbacks on signature keystore alias.
EncryptionAlgorithmScheme	getEncryptionAlgorithmScheme()	Method to fetch the EncryptionAlgorithmScheme to use when encrypting messages.
EncryptionAlgorithmScheme	getEncryptionAlgorithmScheme(ContextMessageSecurityProvider.Context context)	Method to fetch the EncryptionAlgorithmScheme to use when encrypting messages.
static java.security.KeyStore	getKeyStore(java.util.Properties config, java.lang.String pathSetting, java.lang.String passwordSetting)	Help method reading a JKS keystore from configuration and specified settings.
java.lang.String	getProvider()	Method to retrieve JCE provider that should be used with keys provided by this provider.
java.lang.String	getProvider(ContextMessageSecurityProvider.Context context)	Method to retrieve JCE provider that should be used with keys provided by this provider.
SigningAlgorithmScheme	getSigningAlgorithmScheme()	Method to fetch the SigningAlgorithmScheme to use when signing messages.
SigningAlgorithmScheme	getSigningAlgorithmScheme(ContextMessageSecurityProvider.Context context)	Method to fetch the SigningAlgorithmScheme to use when signing messages.
java.security.cert.X509Certificate	getSigningCertificate()	Fetches the signing certificate used to create the digital signatures of the XML file.
java.security.cert.X509Certificate	getSigningCertificate(ContextMessageSecurityProvider.Context context)	Fetches the signing certificate used to create the digital signatures of the XML file.
java.security.PrivateKey	getSigningKey()	Fetches the signing key used to create the digital signatures of the XML file.
java.security.PrivateKey	getSigningKey(ContextMessageSecurityProvider.Context context)	Fetches the signing key used to create the digital signatures of the XML file.
protected java.security.KeyStore	getSigningKeyStore(java.util.Properties config)	Method that that reads in the configured signing keystore.
boolean	isValidAndAuthorized(java.security.cert.X509Certificate signCertificate, java.lang.String organisation)	Method that checks if a sign certificate is in the trust store, the certificate itself have to be imported and not just the CA certificate.
boolean	isValidAndAuthorized(ContextMessageSecurityProvider.Context context, java.security.cert.X509Certificate signCertificate, java.lang.String organisation)	Method in charge of validating a certificate used to sign a PKI message and also check if the certificate is authorized to generate messages.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

SETTING_PREFIX

public static final java.lang.String SETTING_PREFIX

See Also:

Constant Field Values

SETTING_SIGNINGKEYSTORE_PATH

public static final java.lang.String SETTING_SIGNINGKEYSTORE_PATH

Setting indicating the path to the signing JKS key store (required)

See Also:

Constant Field Values

SETTING_SIGNINGKEYSTORE_PASSWORD

public static final java.lang.String SETTING_SIGNINGKEYSTORE_PASSWORD

Setting indicating the password to the signing key store (required)

See Also:

Constant Field Values

SETTING_SIGNINGKEYSTORE_ALIAS

public static final java.lang.String SETTING_SIGNINGKEYSTORE_ALIAS

Setting indicating the alias of the certificate to use in the signing key store (required)

See Also:

Constant Field Values

SETTING_DECRYPTKEYSTORE_PATH

public static final java.lang.String SETTING_DECRYPTKEYSTORE_PATH

Setting indicating the path to the decrypt JKS key store (optional, if not set is signing keystore used for both signing and encryption)

See Also:

Constant Field Values

SETTING_DECRYPTKEYSTORE_PASSWORD

public static final java.lang.String SETTING_DECRYPTKEYSTORE_PASSWORD

Setting indicating the password to the decrypt key store (required, if encrypt key store is specified.)

See Also:

Constant Field Values

SETTING_DECRYPTKEYSTORE_DEFAULTKEY_ALIAS

public static final java.lang.String SETTING_DECRYPTKEYSTORE_DEFAULTKEY_ALIAS

Setting indicating the alias of the decryption key to use if no specific key is known. (optional, if not set is same as signing keystore alias used.)

See Also:

Constant Field Values

SETTING_TRUSTKEYSTORE_PATH

public static final java.lang.String SETTING_TRUSTKEYSTORE_PATH

Setting indicating the path to the trust JKS key store (required)

See Also:

Constant Field Values

SETTING_TRUSTKEYSTORE_PASSWORD

public static final java.lang.String SETTING_TRUSTKEYSTORE_PASSWORD

Setting indicating the password to the trust JKS key store (required)

See Also:

Constant Field Values

SETTING_SIGNATURE_ALGORITHM_SCHEME

public static final java.lang.String SETTING_SIGNATURE_ALGORITHM_SCHEME

Setting indicating the Signature algorithm scheme to use, possible values are:

RSAWithSHA256 (Default if not set).

See Also:

Constant Field Values

DEFAULT_SIGNATURE_ALGORITHM_SCHEME

public static final SigningAlgorithmScheme DEFAULT_SIGNATURE_ALGORITHM_SCHEME

SETTING_ENCRYPTION_ALGORITHM_SCHEME

public static final java.lang.String SETTING_ENCRYPTION_ALGORITHM_SCHEME

Setting indicating the Encryption algorithm scheme to use, possible values are:

RSA_OAEP_WITH_AES256 (Default if not set). RSA_PKCS1_5_WITH_AES256

See Also:

Constant Field Values

DEFAULT_ENCRYPTION_ALGORITHM_SCHEME

public static final EncryptionAlgorithmScheme DEFAULT_ENCRYPTION_ALGORITHM_SCHEME

truststoreHelper

protected TruststoreHelper truststoreHelper

Constructor Detail

SimpleMessageSecurityProvider

public SimpleMessageSecurityProvider(java.util.Properties config)
                              throws MessageProcessingException

Configures and set's up the security provider with truststore from configuration.

Parameters:

config - provider configuration.

Throws:

MessageProcessingException - if not all required settings were set correctly.

SimpleMessageSecurityProvider

public SimpleMessageSecurityProvider(java.util.Properties config,
                                     java.security.KeyStore trustStore)
                              throws MessageProcessingException

Configures and set's up the security provider with a given truststore.

Parameters:

config - provider configuration.

Throws:

MessageProcessingException - if not all required settings were set correctly.

Method Detail

getSigningKey

public java.security.PrivateKey getSigningKey()
                                       throws MessageProcessingException

Description copied from interface: MessageSecurityProvider

Fetches the signing key used to create the digital signatures of the XML file.

Specified by:

getSigningKey in interface MessageSecurityProvider

Returns:

the signing key used.

Throws:

MessageProcessingException - if key isn't accessible or activated.

See Also:

MessageSecurityProvider.getSigningKey()

getSigningKey

public java.security.PrivateKey getSigningKey(ContextMessageSecurityProvider.Context context)
                                       throws MessageProcessingException

Fetches the signing key used to create the digital signatures of the XML file.

Specified by:

getSigningKey in interface ContextMessageSecurityProvider

Parameters:

context - is currently ignored.

Returns:

the signing key used.

Throws:

MessageProcessingException - if key isn't accessible or activated.

getSigningCertificate

public java.security.cert.X509Certificate getSigningCertificate()
                                                         throws MessageProcessingException

Description copied from interface: MessageSecurityProvider

Fetches the signing certificate used to create the digital signatures of the XML file.

Specified by:

getSigningCertificate in interface MessageSecurityProvider

Returns:

the signing certificate used.

Throws:

MessageProcessingException - if certificate isn't accessible.

See Also:

MessageSecurityProvider.getSigningCertificate()

getSigningCertificate

public java.security.cert.X509Certificate getSigningCertificate(ContextMessageSecurityProvider.Context context)
                                                         throws MessageProcessingException

Fetches the signing certificate used to create the digital signatures of the XML file.

Specified by:

getSigningCertificate in interface ContextMessageSecurityProvider

Parameters:

context - is currently ignored.

Returns:

the signing certificate used.

Throws:

MessageProcessingException - if certificate isn't accessible.

isValidAndAuthorized

public boolean isValidAndAuthorized(java.security.cert.X509Certificate signCertificate,
                                    java.lang.String organisation)
                             throws java.lang.IllegalArgumentException,
                                    MessageProcessingException

Method that checks if a sign certificate is in the trust store, the certificate itself have to be imported and not just the CA certificate.

The certificate also have to have key usage digital signature

Organisation name is ignored

Specified by:

isValidAndAuthorized in interface MessageSecurityProvider

Parameters:

signCertificate - the certificate used to sign the message.

organisation - the related organisation to the message, null if no organisation lookup should be done.

Returns:

true if the sign certificate is valid and authorized to sign messages.

Throws:

java.lang.IllegalArgumentException - if arguments were invalid.

MessageProcessingException - if internal error occurred validating the certificate.

See Also:

MessageSecurityProvider.isValidAndAuthorized(java.security.cert.X509Certificate, java.lang.String)

isValidAndAuthorized

public boolean isValidAndAuthorized(ContextMessageSecurityProvider.Context context,
                                    java.security.cert.X509Certificate signCertificate,
                                    java.lang.String organisation)
                             throws java.lang.IllegalArgumentException,
                                    MessageProcessingException

Method in charge of validating a certificate used to sign a PKI message and also check if the certificate is authorized to generate messages.

Specified by:

isValidAndAuthorized in interface ContextMessageSecurityProvider

Parameters:

context - is currently ignored.

signCertificate - the certificate used to sign the message.

organisation - the related organisation to the message, null if no organisation lookup should be done.

Returns:

true if the sign certificate is valid and authorized to sign messages.

Throws:

java.lang.IllegalArgumentException - if arguments were invalid.

MessageProcessingException - if internal error occurred validating the certificate.

getDecryptionKey

public java.security.PrivateKey getDecryptionKey(java.lang.String keyId)
                                          throws MessageProcessingException

Description copied from interface: MessageSecurityProvider

Fetches a private key given it's unique identifier.

Specified by:

getDecryptionKey in interface MessageSecurityProvider

Parameters:

keyId - unique identifier of the key, if null should a default key be retrieved

Returns:

the related decryption key.

Throws:

MessageProcessingException

See Also:

MessageSecurityProvider.getDecryptionKey(String)

getDecryptionKey

public java.security.PrivateKey getDecryptionKey(ContextMessageSecurityProvider.Context context,
                                                 java.lang.String keyId)
                                          throws MessageProcessingException

Fetches a private key given it's unique identifier.

Specified by:

getDecryptionKey in interface ContextMessageSecurityProvider

Parameters:

context - is currently ignored.

keyId - unique identifier of the key, if null should a default key be retrieved

Returns:

the related decryption key.

Throws:

MessageProcessingException

getDecryptionCertificate

public java.security.cert.X509Certificate getDecryptionCertificate(java.lang.String keyId)
                                                            throws MessageProcessingException

Description copied from interface: MessageSecurityProvider

Fetches the decryption certificate of related key id.

Specified by:

getDecryptionCertificate in interface MessageSecurityProvider

Parameters:

keyId - unique identifier of the key, if null should a default key certificate be retrieved

Returns:

the related decryption certificate.

Throws:

MessageProcessingException - if certificate isn't accessible.

See Also:

MessageSecurityProvider.getDecryptionCertificate(String)

getDecryptionCertificate

public java.security.cert.X509Certificate getDecryptionCertificate(ContextMessageSecurityProvider.Context context,
                                                                   java.lang.String keyId)
                                                            throws MessageProcessingException

Fetches the decryption certificate of related key id.

Specified by:

getDecryptionCertificate in interface ContextMessageSecurityProvider

Parameters:

context - is currently ignored.

keyId - unique identifier of the key, if null should a default key certificate be retrieved

Returns:

the related decryption certificate.

Throws:

MessageProcessingException - if certificate isn't accessible.

getDecryptionCertificateChain

public java.security.cert.X509Certificate[] getDecryptionCertificateChain(java.lang.String keyId)
                                                                   throws MessageProcessingException

Description copied from interface: MessageSecurityProvider

Fetches the decryption certificate chain of related key id can be one or more in size..

Specified by:

getDecryptionCertificateChain in interface MessageSecurityProvider

Parameters:

keyId - unique identifier of the key, if null should a default key certificate be retrieved

Returns:

the related decryption certificate chain

Throws:

MessageProcessingException - if certificate isn't accessible.

See Also:

MessageSecurityProvider.getDecryptionCertificateChain(String)

getDecryptionCertificateChain

public java.security.cert.X509Certificate[] getDecryptionCertificateChain(ContextMessageSecurityProvider.Context context,
                                                                          java.lang.String keyId)
                                                                   throws MessageProcessingException

Fetches the decryption certificate chain of related key id can be one or more in size..

Specified by:

getDecryptionCertificateChain in interface ContextMessageSecurityProvider

Parameters:

context - is currently ignored.

keyId - unique identifier of the key, if null should a default key certificate be retrieved

Returns:

the related decryption certificate chain

Throws:

MessageProcessingException - if certificate isn't accessible.

getDecryptionKeyIds

public java.util.Set<java.lang.String> getDecryptionKeyIds()
                                                    throws MessageProcessingException

Description copied from interface: MessageSecurityProvider

Returns key identifiers of all available decryption keys.

Specified by:

getDecryptionKeyIds in interface MessageSecurityProvider

Returns:

key identifiers of all available decryption keys.

Throws:

MessageProcessingException

See Also:

MessageSecurityProvider.getDecryptionKeyIds()

getDecryptionKeyIds

public java.util.Set<java.lang.String> getDecryptionKeyIds(ContextMessageSecurityProvider.Context context)
                                                    throws MessageProcessingException

Returns key identifiers of all available decryption keys.

Specified by:

getDecryptionKeyIds in interface ContextMessageSecurityProvider

Parameters:

context - is currently ignored.

Returns:

key identifiers of all available decryption keys.

Throws:

MessageProcessingException

getEncryptionAlgorithmScheme

public EncryptionAlgorithmScheme getEncryptionAlgorithmScheme()
                                                       throws MessageProcessingException

Description copied from interface: MessageSecurityProvider

Method to fetch the EncryptionAlgorithmScheme to use when encrypting messages.

Specified by:

getEncryptionAlgorithmScheme in interface MessageSecurityProvider

Returns:

Configured EncryptionAlgorithmScheme to use.

Throws:

MessageProcessingException - if internal error determining algorithm scheme to use

See Also:

MessageSecurityProvider.getEncryptionAlgorithmScheme()

getEncryptionAlgorithmScheme

public EncryptionAlgorithmScheme getEncryptionAlgorithmScheme(ContextMessageSecurityProvider.Context context)
                                                       throws MessageProcessingException

Method to fetch the EncryptionAlgorithmScheme to use when encrypting messages.

Specified by:

getEncryptionAlgorithmScheme in interface ContextMessageSecurityProvider

Parameters:

context - is currently ignored.

Returns:

Configured EncryptionAlgorithmScheme to use.

Throws:

MessageProcessingException - if internal error determining algorithm scheme to use

getSigningAlgorithmScheme

public SigningAlgorithmScheme getSigningAlgorithmScheme()
                                                 throws MessageProcessingException

Description copied from interface: MessageSecurityProvider

Method to fetch the SigningAlgorithmScheme to use when signing messages.

Specified by:

getSigningAlgorithmScheme in interface MessageSecurityProvider

Returns:

Configured SigningAlgorithmScheme to use.

Throws:

MessageProcessingException - if internal error determining algorithm scheme to use

See Also:

MessageSecurityProvider.getSigningAlgorithmScheme()

getProvider

public java.lang.String getProvider()

Method to retrieve JCE provider that should be used with keys provided by this provider.

Specified by:

getProvider in interface MessageSecurityProvider

Returns:

name of an JCE Provider that should be installed prior to usage of this MessageSecurityProvider if null should the JRE configured list of security providers be used.

getSigningAlgorithmScheme

public SigningAlgorithmScheme getSigningAlgorithmScheme(ContextMessageSecurityProvider.Context context)
                                                 throws MessageProcessingException

Method to fetch the SigningAlgorithmScheme to use when signing messages.

Specified by:

getSigningAlgorithmScheme in interface ContextMessageSecurityProvider

Parameters:

context - is currently ignored.

Returns:

Configured SigningAlgorithmScheme to use.

Throws:

MessageProcessingException - if internal error determining algorithm scheme to use

getProvider

public java.lang.String getProvider(ContextMessageSecurityProvider.Context context)

Method to retrieve JCE provider that should be used with keys provided by this provider.

Specified by:

getProvider in interface ContextMessageSecurityProvider

Returns:

name of an JCE Provider that should be installed prior to usage of this MessageSecurityProvider if null should the JRE configured list of security providers be used.

getSigningKeyStore

protected java.security.KeyStore getSigningKeyStore(java.util.Properties config)
                                             throws MessageProcessingException

Method that that reads in the configured signing keystore.

Parameters:

config - the provider configuration

Returns:

the specified keystore from configuration.

Throws:

MessageProcessingException - if configuration of security provider was faulty.

getDecryptionKeyStore

protected java.security.KeyStore getDecryptionKeyStore(java.util.Properties config)
                                                throws MessageProcessingException

Method that that reads in the configured decryption keystore and if no specific decryption keystore is exists uses the singing keystore.

Parameters:

config - the provider configuration

Returns:

the specified keystore from configuration.

Throws:

MessageProcessingException - if configuration of security provider was faulty.

getDecryptionKeyStorePassword

protected char[] getDecryptionKeyStorePassword(java.util.Properties config)
                                        throws MessageProcessingException

Method that that reads in the configured decryption keystore and if no specific decryption keystore is exists uses the singing keystore.

Parameters:

config - the provider configuration

Returns:

the specified keystore from configuration.

Throws:

MessageProcessingException - if configuration of security provider was faulty.

getDefaultDecryptionAlias

protected java.lang.String getDefaultDecryptionAlias(java.util.Properties config)
                                              throws MessageProcessingException

Help method that reads default key alias and failbacks on signature keystore alias.

Throws:

MessageProcessingException

getKeyStore

public static java.security.KeyStore getKeyStore(java.util.Properties config,
                                                 java.lang.String pathSetting,
                                                 java.lang.String passwordSetting)
                                          throws MessageProcessingException

Help method reading a JKS keystore from configuration and specified settings.

Throws:

MessageProcessingException