Class KeyStoreCredentialStore
- java.lang.Object
  - org.wildfly.security.credential.store.CredentialStoreSpi
    - org.wildfly.security.credential.store.impl.KeyStoreCredentialStore

public final class KeyStoreCredentialStore extends CredentialStoreSpi
A flexible credential store which is backed by a key store. The key store holds the credentials, encoding identifying information into the alias to allow multiple credentials to be stored under each alias (something keystores generally do not support). This credential store cannot convert an arbitrary key store into a credential store; it can only understand entries that it itself has added. Entries not understood by this credential store will be ignored (and a log message will be generated indicating the presence of unknown credentials).
The following configuration parameters are supported:
- location: specifies the location of the key store (none means use an in-memory store and do not store changes)
- modifiable: specifies whether the credential store should be modifiable
- create: specifies whether to automatically create the storage file for this credential store (defaults to false). If external is true, the storage file will be created when the flush() method is called. If external is false and the storage file does not exist yet, then an empty credential store is created when the initialize(java.util.Map<java.lang.String, java.lang.String>, org.wildfly.security.credential.store.CredentialStore.ProtectionParameter, java.security.Provider[]) method is invoked.
- keyStoreType: specifies the key store type to use (defaults to KeyStore.getDefaultType())
- keyAlias: specifies the secret key alias within the key store to use to encrypt/decrypt data in external storage (defaults to cs_key)
- external: specifies whether to store data in external storage, encrypted by the keyAlias key (defaults to false)
- externalPath: specifies the path to the external storage. It has to be used in conjunction with external=true
- cryptoAlg: cryptographic algorithm name to be used to encrypt/decrypt entries in external storage (external has to be set to true)

Nested Class Summary
- (package private) static class KeyStoreCredentialStore.BottomEntry
- private class KeyStoreCredentialStore.ExternalStorage
- (package private) static interface KeyStoreCredentialStore.Hold
- (package private) static class KeyStoreCredentialStore.MidEntry
- (package private) static class KeyStoreCredentialStore.ParamKey
- (package private) static class KeyStoreCredentialStore.TopEntry

Field Summary
- Fields inherited from class org.wildfly.security.credential.store.CredentialStoreSpi: initialized
Constructor Summary
- KeyStoreCredentialStore()
Method Summary
- private String calculateNewAlias(String alias, Class<? extends Credential> credentialType, String algorithm, AlgorithmParameterSpec parameterSpec)
- private KeyStore.ProtectionParameter convertParameter(CredentialStore.ProtectionParameter protectionParameter)
- void flush(): Flush the credential store contents to storage.
- Set<String> getAliases(): Returns credential aliases stored in this store as Set<String>.
- Set<String> getCredentialTypesForAlias(String credentialAlias): Returns credential types stored in this store with the given alias as Set<String>.
- private KeyStore getKeyStoreInstance(String type)
- private static char[] getStorePassword(CredentialStore.ProtectionParameter protectionParameter)
- void initialize(Map<String,String> attributes, CredentialStore.ProtectionParameter protectionParameter, Provider[] providers): Initialize credential store service with given attributes.
- boolean isModifiable(): Check if credential store service supports modification of its store.
- private void load(String type)
- private KeyStoreCredentialStore.Hold lockForRead()
- private KeyStoreCredentialStore.Hold lockForWrite()
- private void remove(String ksAlias)
- void remove(String credentialAlias, Class<? extends Credential> credentialType, String credentialAlgorithm, AlgorithmParameterSpec parameterSpec): Remove the credential of the given type from the given alias in the credential store service.
- private void remove(KeyStoreCredentialStore.BottomEntry bottomEntry, AlgorithmParameterSpec parameterSpec)
- private void remove(KeyStoreCredentialStore.MidEntry midEntry, String credentialAlgorithm, AlgorithmParameterSpec parameterSpec)
- <C extends Credential> C retrieve(String credentialAlias, Class<C> credentialType, String credentialAlgorithm, AlgorithmParameterSpec parameterSpec, CredentialStore.ProtectionParameter protectionParameter): Retrieve the credential stored in the store under the given alias, matching the given criteria.
- private void setupExternalStorage(String keyContainingKeyStoreType, Path keyContainingKeyStoreLocation): Sets keyStore to a JCEKS type key store to be used as external storage.
- void store(String credentialAlias, Credential credential, CredentialStore.ProtectionParameter protectionParameter): Store credential to the credential store service under the given alias.
- private static String toLowercase(String str)
- Methods inherited from class org.wildfly.security.credential.store.CredentialStoreSpi: exists, isInitialized, validateAttribute

Field Detail
- private static final String DATA_OID
- public static final String KEY_STORE_CREDENTIAL_STORE: The name of this credential store implementation.
- private static final String X_509
- private static final String CREATE
- private static final String CRYPTOALG
- private static final String EXTERNAL
- private static final String EXTERNALPATH
- private static final String KEYALIAS
- private static final String KEYSTORETYPE
- private static final String LOCATION
- private static final String MODIFIABLE
- private final ReadWriteLock readWriteLock
- private final HashMap<String,KeyStoreCredentialStore.TopEntry> cache
- private volatile boolean modifiable
- private KeyStore keyStore
- private Path location
- private Path externalPath
- private boolean create
- private CredentialStore.ProtectionParameter protectionParameter
- private Provider[] providers
- private String encryptionKeyAlias
- private boolean useExternalStorage
- private KeyStoreCredentialStore.ExternalStorage externalStorage
- private String cryptographicAlgorithm
- private static final Pattern INDEX_PATTERN
- private static final Map<String,Class<? extends Credential>> CREDENTIAL_TYPES

Method Detail

initialize
public void initialize(Map<String,String> attributes, CredentialStore.ProtectionParameter protectionParameter, Provider[] providers) throws CredentialStoreException
Description copied from class: CredentialStoreSpi
Initialize credential store service with given attributes. This procedure should set CredentialStoreSpi.initialized after successful initialization.
- Specified by: initialize in class CredentialStoreSpi
- Parameters:
  - attributes: attributes used to pass information to the credential store service
  - protectionParameter: the store-wide protection parameter to apply, or null for none
  - providers: providers to be injected into the SPI implementation to get custom object instances of various types from, or null for none
- Throws:
  - CredentialStoreException: if initialization fails for any reason

isModifiable
public boolean isModifiable()
Description copied from class: CredentialStoreSpi
Check if credential store service supports modification of its store.
- Specified by: isModifiable in class CredentialStoreSpi
- Returns: true if modification of the store is supported, false otherwise

store
public void store(String credentialAlias, Credential credential, CredentialStore.ProtectionParameter protectionParameter) throws CredentialStoreException
Description copied from class: CredentialStoreSpi
Store credential to the credential store service under the given alias. If the given alias already contains a credential of the same type, the new credential replaces the older one. Note: CredentialStoreSpi supports storing multiple entries (credential types) per alias. Each must be of a different credential type, or differing algorithm, or differing parameters.
- Specified by: store in class CredentialStoreSpi
- Parameters:
  - credentialAlias: alias to store the credential under
  - credential: instance of Credential to store
  - protectionParameter: the protection parameter to apply to the entry, or null for none
- Throws:
  - CredentialStoreException: when the credential cannot be stored
  - UnsupportedCredentialTypeException: when the credential type is not supported

retrieve
public <C extends Credential> C retrieve(String credentialAlias, Class<C> credentialType, String credentialAlgorithm, AlgorithmParameterSpec parameterSpec, CredentialStore.ProtectionParameter protectionParameter) throws CredentialStoreException
Description copied from class: CredentialStoreSpi
Retrieve the credential stored in the store under the given alias, matching the given criteria.
- Specified by: retrieve in class CredentialStoreSpi
- Type Parameters:
  - C: the credential type
- Parameters:
  - credentialAlias: alias to find the credential in the store
  - credentialType: the credential type class (must not be null)
  - credentialAlgorithm: the credential algorithm to match, or null to match any algorithm
  - parameterSpec: the parameter specification to match, or null to match any parameters
  - protectionParameter: the protection parameter to use to access the entry, or null for none
- Returns: instance of Credential stored in the store, or null if the credential is not found
- Throws:
  - CredentialStoreException: if the credential cannot be retrieved due to an error

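As an added example (not code from this page or from the WildFly Elytron project), the following drives a KeyStoreCredentialStore through the public CredentialStore API: it passes the configuration parameters described in the class description (location, keyStoreType, create, modifiable), stores a password credential under an alias, flushes it to the key store file and retrieves it again, so it illustrates both the configuration section and the store/retrieve methods above. The store password, file path, alias and secret are constructed sample values, and WildFlyElytronProvider is assumed to be the provider that registers this store type.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import org.wildfly.security.WildFlyElytronProvider;
import org.wildfly.security.auth.server.IdentityCredentials;
import org.wildfly.security.credential.PasswordCredential;
import org.wildfly.security.credential.store.CredentialStore;
import org.wildfly.security.credential.store.impl.KeyStoreCredentialStore;
import org.wildfly.security.password.interfaces.ClearPassword;

public final class CredentialStoreExample {
    // Wraps a clear-text store password as the CredentialSource-based protection parameter.
    static CredentialStore.ProtectionParameter storeProtection(char[] storePassword) {
        PasswordCredential master = new PasswordCredential(
                ClearPassword.createRaw(ClearPassword.ALGORITHM_CLEAR, storePassword));
        return new CredentialStore.CredentialSourceProtectionParameter(
                IdentityCredentials.NONE.withCredential(master));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values: a temporary store file and a dummy store password.
        Path storeFile = Files.createTempDirectory("cs-example").resolve("credentials.jceks");
        char[] storePassword = "store-password-sample".toCharArray();

        // Configuration parameters documented for KeyStoreCredentialStore (external storage left off).
        Map<String, String> attributes = new HashMap<>();
        attributes.put("location", storeFile.toString());
        attributes.put("keyStoreType", "JCEKS");
        attributes.put("create", "true");     // external=false, so the file is created on initialize()
        attributes.put("modifiable", "true"); // "false" gives a read-only view for consumers

        // Assumption: WildFlyElytronProvider registers the KeyStoreCredentialStore algorithm.
        CredentialStore cs = CredentialStore.getInstance(
                KeyStoreCredentialStore.KEY_STORE_CREDENTIAL_STORE, new WildFlyElytronProvider());
        cs.initialize(attributes, storeProtection(storePassword));

        // Store a clear password under an alias and persist it to the key store file.
        char[] dbPassword = "db-secret-sample".toCharArray();
        cs.store("db.password", new PasswordCredential(
                ClearPassword.createRaw(ClearPassword.ALGORITHM_CLEAR, dbPassword)));
        cs.flush();

        // Retrieve by alias and credential type (algorithm and parameters left unconstrained).
        PasswordCredential fetched = cs.retrieve("db.password", PasswordCredential.class);
        char[] recovered = fetched.getPassword(ClearPassword.class).getPassword();
        System.out.println("aliases=" + cs.getAliases()
                + " roundtrip=" + Arrays.equals(dbPassword, recovered));
    }
}
```

Reopening the same file with a wrong store password fails in initialize(), and setting modifiable to "false" makes store() and remove() reject writes while retrieve() keeps working.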
convertParameter
private KeyStore.ProtectionParameter convertParameter(CredentialStore.ProtectionParameter protectionParameter) throws CredentialStoreException
- Throws: CredentialStoreException

remove
public void remove(String credentialAlias, Class<? extends Credential> credentialType, String credentialAlgorithm, AlgorithmParameterSpec parameterSpec) throws CredentialStoreException
Description copied from class: CredentialStoreSpi
Remove the credential of the given type from the given alias in the credential store service.
- Specified by: remove in class CredentialStoreSpi
- Parameters:
  - credentialAlias: alias to remove from
  - credentialType: the credential type class to match (must not be null)
  - credentialAlgorithm: the credential algorithm to match, or null to match all algorithms
  - parameterSpec: the credential parameters to match, or null to match all parameters
- Throws:
  - CredentialStoreException: if the credential cannot be removed due to an error

remove
private void remove(KeyStoreCredentialStore.MidEntry midEntry, String credentialAlgorithm, AlgorithmParameterSpec parameterSpec) throws KeyStoreException
- Throws: KeyStoreException

remove
private void remove(KeyStoreCredentialStore.BottomEntry bottomEntry, AlgorithmParameterSpec parameterSpec) throws KeyStoreException
- Throws: KeyStoreException

remove
private void remove(String ksAlias) throws KeyStoreException
- Throws: KeyStoreException

flush
public void flush() throws CredentialStoreException
Description copied from class: CredentialStoreSpi
Flush the credential store contents to storage. If the credential store does not support or require explicit flushing, this method should do nothing and simply return.
- Overrides: flush in class CredentialStoreSpi
- Throws:
  - CredentialStoreException: if the flush fails for some reason

getAliases
public Set<String> getAliases() throws UnsupportedOperationException, CredentialStoreException
Returns credential aliases stored in this store as Set<String>. It is not mandatory to override this method (throws UnsupportedOperationException by default).
- Overrides: getAliases in class CredentialStoreSpi
- Returns: Set<String> of all keys stored in this store
- Throws:
  - UnsupportedOperationException: when this method is not supported by the underlying credential store
  - CredentialStoreException: if there is any problem with the internal store

getCredentialTypesForAlias
public Set<String> getCredentialTypesForAlias(String credentialAlias)
Description copied from class: CredentialStoreSpi
Returns credential types stored in this store with the given alias as Set<String>. It is not mandatory to override this method (throws UnsupportedOperationException by default).
- Overrides: getCredentialTypesForAlias in class CredentialStoreSpi
- Parameters:
  - credentialAlias: alias whose credential types to look up in the store
- Returns: Set<String> of all credential types stored in this store under the given credential alias

lockForRead
private KeyStoreCredentialStore.Hold lockForRead()

lockForWrite
private KeyStoreCredentialStore.Hold lockForWrite()

load
private void load(String type) throws CredentialStoreException
- Throws: CredentialStoreException

getKeyStoreInstance
private KeyStore getKeyStoreInstance(String type) throws CredentialStoreException
- Throws: CredentialStoreException

setupExternalStorage
private void setupExternalStorage(String keyContainingKeyStoreType, Path keyContainingKeyStoreLocation) throws CredentialStoreException
Sets keyStore to a JCEKS type key store to be used as external storage. Sets externalStorage, which is used to dump/load the stored secret data.
- Throws: CredentialStoreException

getStorePassword
private static char[] getStorePassword(CredentialStore.ProtectionParameter protectionParameter) throws IOException, CredentialStoreException
- Throws: IOException, CredentialStoreException

calculateNewAlias
private String calculateNewAlias(String alias, Class<? extends Credential> credentialType, String algorithm, AlgorithmParameterSpec parameterSpec) throws CredentialStoreException
- Throws: CredentialStoreException