abstract class JCACryptoService<T : AuthenticationCredentials, U : KeyConfig> : CryptoService<T, U>
This is the base class that facilitates easy integration of further HSM vendors that provide a JCA provider. For every vendor we want to support there has to be a new CryptoService that implements CryptoService and optionally inherits from this class if it makes sense. Not all vendors fully implement the JCA API and some of the methods of this class will have to be overridden with vendor-specific implementations.
It is required that @keyStore is initialized.
JCACryptoService(keyStore: KeyStore, provider: Provider, ctx: <ERROR CLASS> = LoggingContext(pathName = "CryptoService"))
This is the base class that facilitates easy integration of further HSM vendors that provide a JCA provider. For every vendor we want to support there has to be a new CryptoService that implements CryptoService and optionally inherits from this class if it makes sense. Not all vendors fully implement the JCA API and some of the methods of this class will have to be overridden with vendor-specific implementations. |
open fun containsKey(alias: String): Boolean
Check if this CryptoService contains an entry for the given alias. |
|
open fun delete(alias: String): Unit |
|
open fun <T> ensureAuthenticated(block: () -> T): T |
|
open fun generateRandomLong(): Long
Generate a random Long using the underlying Provider. |
|
open fun getCertificate(alias: String): Certificate
Returns the Certificate of the entry for the given alias. |
|
open fun getPublicKey(alias: String): PublicKey
Returns the PublicKey of the entry for the given alias. |
|
open fun getSigner(alias: String, password: String?): <ERROR CLASS>
Returns ContentSigner for the key identified by the input alias. |
|
open fun sign(alias: String, data: ByteArray, signAlgorithm: String?, password: String?): ByteArray
Sign a ByteArray using the private key identified by the input alias. Returns the signature bytes formatted according to the signature scheme. The signAlgorithm if specified determines the signature scheme used for signing, if not specified then the signature scheme is based on the private key scheme. |
abstract fun authenticate(credentials: T): Unit
Authenticate a user against the underlying crypto provider using given credentials. |
|
abstract fun generateAndStoreKeyPair(keyConfig: U): PublicKey
Generate a key pair and a basic self-signed certificate and store within the underlying key store. |
|
abstract fun getAuthenticatedUsers(): List<String>
Return the list of users currently authenticated against the underlying crypto provider. |
|
abstract fun isAuthenticated(): Boolean
Boolean flag indicating whether further authentication is needed to use stored keys. |
|
abstract fun logOut(): Unit
Reset the authentication state for the underlying crypto provider. |
|
abstract fun updateCertificate(keyConfig: U, certificateChain: List<X509Certificate>): Unit
Update the certificate chain within the underlying key store. |
class AmazonCloudHsmCryptoService : JCACryptoService<CloudHsmPasswordCredentials, AmazonCloudHsmKeyConfig> |
|
class GemaltoLunaCryptoService : JCACryptoService<GemaltoAuthenticationCredentials, GemaltoLunaKeyConfig>
Implementation of a CryptoService that is backed by a Gemalto Luna HSM. |
|
class SecurosysPrimusXCryptoService : JCACryptoService<SecurosysAuthenticationCredentials, SecurosysKeyConfig> |