Class KeyStoreCredentialStore
- java.lang.Object
-
- org.wildfly.security.credential.store.CredentialStoreSpi
-
- org.wildfly.security.credential.store.impl.KeyStoreCredentialStore
-
public final class KeyStoreCredentialStore extends CredentialStoreSpi
A flexible credential store which is backed by a key store. The key store holds the credentials, encoding identifying information into the alias to allow multiple credentials to be stored under each alias (something keystores generally do not support).This credential store cannot convert an arbitrary key store into a credential store; it can only understand entries that it itself has added. Entries not understood by this credential store will be ignored (and a log message will be generated indicating the presence of unknown credentials).
The following configuration parameters are supported:
location: specifies the location of the key store (none means, use an in-memory store and do not store changes)modifiable: specifies whether the credential store should be modifiablecreate: specifies to automatically create storage file for this credential store (defaults tofalse).If
externalis true, the storage file will be created calling theflush()method. Ifexternalis false and the storage file does not exist yet, then an empty credential store is created wheninitialize(java.util.Map<java.lang.String, java.lang.String>, org.wildfly.security.credential.store.CredentialStore.ProtectionParameter, java.security.Provider[])method is invoked.keyStoreType: specifies the key store type to use (defaults toKeyStore.getDefaultType())keyAlias: specifies the secret key alias within the key store to use for encrypt/decrypt of data in external storage (defaults tocs_key)external: specifies whether to store data to external storage and encrypted bykeyAliaskey (defaults tofalse)externalPath: specifies path to the external storage. It has to be used in conjunction withexternal=truecryptoAlg: cryptographic algorithm name to be used to encrypt decrypt entries at external storage (externalhas to be set totrue)
-
-
Nested Class Summary
Nested Classes Modifier and Type Class Description (package private) static classKeyStoreCredentialStore.BottomEntryprivate classKeyStoreCredentialStore.ExternalStorage(package private) static interfaceKeyStoreCredentialStore.Hold(package private) static classKeyStoreCredentialStore.MidEntry(package private) static classKeyStoreCredentialStore.ParamKey(package private) static classKeyStoreCredentialStore.TopEntry
-
Field Summary
-
Fields inherited from class org.wildfly.security.credential.store.CredentialStoreSpi
initialized
-
-
Constructor Summary
Constructors Constructor Description KeyStoreCredentialStore()
-
Method Summary
All Methods Static Methods Instance Methods Concrete Methods Modifier and Type Method Description private StringcalculateNewAlias(String alias, Class<? extends Credential> credentialType, String algorithm, AlgorithmParameterSpec parameterSpec)private KeyStore.ProtectionParameterconvertParameter(CredentialStore.ProtectionParameter protectionParameter)voidflush()Flush the credential store contents to storage.Set<String>getAliases()Returns credential aliases stored in this store asSet<String>.Set<String>getCredentialTypesForAlias(String credentialAlias)Returns credential types stored in this store with given alias asSet<String>.private KeyStoregetKeyStoreInstance(String type)private static char[]getStorePassword(CredentialStore.ProtectionParameter protectionParameter)voidinitialize(Map<String,String> attributes, CredentialStore.ProtectionParameter protectionParameter, Provider[] providers)Initialize credential store service with given attributes.booleanisModifiable()Check if credential store service supports modification of its storeprivate voidload(String type)private KeyStoreCredentialStore.HoldlockForRead()private KeyStoreCredentialStore.HoldlockForWrite()private voidremove(String ksAlias)voidremove(String credentialAlias, Class<? extends Credential> credentialType, String credentialAlgorithm, AlgorithmParameterSpec parameterSpec)Remove the credentialType with from given alias from the credential store service.private voidremove(KeyStoreCredentialStore.BottomEntry bottomEntry, AlgorithmParameterSpec parameterSpec)private voidremove(KeyStoreCredentialStore.MidEntry midEntry, String credentialAlgorithm, AlgorithmParameterSpec parameterSpec)<C extends Credential>
Cretrieve(String credentialAlias, Class<C> credentialType, String credentialAlgorithm, AlgorithmParameterSpec parameterSpec, CredentialStore.ProtectionParameter protectionParameter)Retrieve the credential stored in the store under the given alias, matching the given criteria.private voidsetupExternalStorage(String keyContainingKeyStoreType, Path keyContainingKeyStoreLocation)SetskeyStoreto JCEKS type keyStore to be used as external storage.voidstore(String credentialAlias, Credential credential, CredentialStore.ProtectionParameter protectionParameter)Store credential to the credential store service under the given alias.private static StringtoLowercase(String str)-
Methods inherited from class org.wildfly.security.credential.store.CredentialStoreSpi
exists, isInitialized, validateAttribute
-
-
-
-
Field Detail
-
DATA_OID
private static final String DATA_OID
- See Also:
- Constant Field Values
-
KEY_STORE_CREDENTIAL_STORE
public static final String KEY_STORE_CREDENTIAL_STORE
The name of this credential store implementation.
-
X_509
private static final String X_509
- See Also:
- Constant Field Values
-
CREATE
private static final String CREATE
- See Also:
- Constant Field Values
-
CRYPTOALG
private static final String CRYPTOALG
- See Also:
- Constant Field Values
-
EXTERNAL
private static final String EXTERNAL
- See Also:
- Constant Field Values
-
EXTERNALPATH
private static final String EXTERNALPATH
- See Also:
- Constant Field Values
-
KEYALIAS
private static final String KEYALIAS
- See Also:
- Constant Field Values
-
KEYSTORETYPE
private static final String KEYSTORETYPE
- See Also:
- Constant Field Values
-
LOCATION
private static final String LOCATION
- See Also:
- Constant Field Values
-
MODIFIABLE
private static final String MODIFIABLE
- See Also:
- Constant Field Values
-
readWriteLock
private final ReadWriteLock readWriteLock
-
cache
private final HashMap<String,KeyStoreCredentialStore.TopEntry> cache
-
modifiable
private volatile boolean modifiable
-
keyStore
private KeyStore keyStore
-
location
private Path location
-
externalPath
private Path externalPath
-
create
private boolean create
-
protectionParameter
private CredentialStore.ProtectionParameter protectionParameter
-
providers
private Provider[] providers
-
encryptionKeyAlias
private String encryptionKeyAlias
-
useExternalStorage
private boolean useExternalStorage
-
externalStorage
private KeyStoreCredentialStore.ExternalStorage externalStorage
-
cryptographicAlgorithm
private String cryptographicAlgorithm
-
INDEX_PATTERN
private static final Pattern INDEX_PATTERN
-
CREDENTIAL_TYPES
private static final Map<String,Class<? extends Credential>> CREDENTIAL_TYPES
-
-
Method Detail
-
initialize
public void initialize(Map<String,String> attributes, CredentialStore.ProtectionParameter protectionParameter, Provider[] providers) throws CredentialStoreException
Description copied from class:CredentialStoreSpiInitialize credential store service with given attributes. This procedure should setCredentialStoreSpi.initializedafter successful initialization.- Specified by:
initializein classCredentialStoreSpi- Parameters:
attributes- attributes to used to pass information to credential store serviceprotectionParameter- the store-wide protection parameter to apply, ornullfor noneproviders- providers to be injected into SPI implementation to get custom object instances of various type from, ornullfor none- Throws:
CredentialStoreException- if initialization fails due to any reason
-
isModifiable
public boolean isModifiable()
Description copied from class:CredentialStoreSpiCheck if credential store service supports modification of its store- Specified by:
isModifiablein classCredentialStoreSpi- Returns:
truein case of modification of the store is supported,falseotherwise
-
store
public void store(String credentialAlias, Credential credential, CredentialStore.ProtectionParameter protectionParameter) throws CredentialStoreException
Description copied from class:CredentialStoreSpiStore credential to the credential store service under the given alias. If given alias already contains specific credential type type the credential replaces older one. Note:CredentialStoreSpisupports storing of multiple entries (credential types) per alias. Each must be of different credential type, or differing algorithm, or differing parameters.- Specified by:
storein classCredentialStoreSpi- Parameters:
credentialAlias- to store the credential to the storecredential- instance ofCredentialto storeprotectionParameter- the protection parameter to apply to the entry, ornullfor none- Throws:
CredentialStoreException- when the credential cannot be storedUnsupportedCredentialTypeException- when the credentialType is not supported
-
retrieve
public <C extends Credential> C retrieve(String credentialAlias, Class<C> credentialType, String credentialAlgorithm, AlgorithmParameterSpec parameterSpec, CredentialStore.ProtectionParameter protectionParameter) throws CredentialStoreException
Description copied from class:CredentialStoreSpiRetrieve the credential stored in the store under the given alias, matching the given criteria.- Specified by:
retrievein classCredentialStoreSpi- Type Parameters:
C- the credential type- Parameters:
credentialAlias- to find the credential in the storecredentialType- the credential type class (must not benull)credentialAlgorithm- the credential algorithm to match, ornullto match any algorithmparameterSpec- the parameter specification to match, ornullto match any parametersprotectionParameter- the protection parameter to use to access the entry, ornullfor none- Returns:
- instance of
Credentialstored in the store, ornullif the credential is not found - Throws:
CredentialStoreException- if the credential cannot be retrieved due to an error
-
convertParameter
private KeyStore.ProtectionParameter convertParameter(CredentialStore.ProtectionParameter protectionParameter) throws CredentialStoreException
- Throws:
CredentialStoreException
-
remove
public void remove(String credentialAlias, Class<? extends Credential> credentialType, String credentialAlgorithm, AlgorithmParameterSpec parameterSpec) throws CredentialStoreException
Description copied from class:CredentialStoreSpiRemove the credentialType with from given alias from the credential store service.- Specified by:
removein classCredentialStoreSpi- Parameters:
credentialAlias- alias to removecredentialType- the credential type class to match (must not benull)credentialAlgorithm- the credential algorithm to match, ornullto match all algorithmsparameterSpec- the credential parameters to match, ornullto match all parameters- Throws:
CredentialStoreException- if the credential cannot be removed due to an error
-
remove
private void remove(KeyStoreCredentialStore.MidEntry midEntry, String credentialAlgorithm, AlgorithmParameterSpec parameterSpec) throws KeyStoreException
- Throws:
KeyStoreException
-
remove
private void remove(KeyStoreCredentialStore.BottomEntry bottomEntry, AlgorithmParameterSpec parameterSpec) throws KeyStoreException
- Throws:
KeyStoreException
-
remove
private void remove(String ksAlias) throws KeyStoreException
- Throws:
KeyStoreException
-
flush
public void flush() throws CredentialStoreExceptionDescription copied from class:CredentialStoreSpiFlush the credential store contents to storage. If the credential store does not support or require explicit flushing, this method should do nothing and simply return.- Overrides:
flushin classCredentialStoreSpi- Throws:
CredentialStoreException- if the flush fails for some reason.
-
getAliases
public Set<String> getAliases() throws UnsupportedOperationException, CredentialStoreException
Returns credential aliases stored in this store asSet<String>.It is not mandatory to override this method (throws
UnsupportedOperationExceptionby default).- Overrides:
getAliasesin classCredentialStoreSpi- Returns:
Set<String>of all keys stored in this store- Throws:
UnsupportedOperationException- when this method is not supported by the underlying credential storeCredentialStoreException- if there is any problem with internal store
-
getCredentialTypesForAlias
public Set<String> getCredentialTypesForAlias(String credentialAlias)
Description copied from class:CredentialStoreSpiReturns credential types stored in this store with given alias asSet<String>. It is not mandatory to override this method (throwsUnsupportedOperationExceptionby default).- Overrides:
getCredentialTypesForAliasin classCredentialStoreSpi- Parameters:
credentialAlias- to find the credentials types in the store- Returns:
Set<String>of all credential types stored in this store with credential alias
-
lockForRead
private KeyStoreCredentialStore.Hold lockForRead()
-
lockForWrite
private KeyStoreCredentialStore.Hold lockForWrite()
-
load
private void load(String type) throws CredentialStoreException
- Throws:
CredentialStoreException
-
getKeyStoreInstance
private KeyStore getKeyStoreInstance(String type) throws CredentialStoreException
- Throws:
CredentialStoreException
-
setupExternalStorage
private void setupExternalStorage(String keyContainingKeyStoreType, Path keyContainingKeyStoreLocation) throws CredentialStoreException
SetskeyStoreto JCEKS type keyStore to be used as external storage. SetsexternalStorageused to dump/load stored secret data.- Throws:
CredentialStoreException
-
getStorePassword
private static char[] getStorePassword(CredentialStore.ProtectionParameter protectionParameter) throws IOException, CredentialStoreException
- Throws:
IOExceptionCredentialStoreException
-
calculateNewAlias
private String calculateNewAlias(String alias, Class<? extends Credential> credentialType, String algorithm, AlgorithmParameterSpec parameterSpec) throws CredentialStoreException
- Throws:
CredentialStoreException
-
-