public KeyManagementService
The KMS is responsible for storing and using private keys to sign things. An implementation of this may, for example, call out to a hardware security module that enforces various auditing and frequency-of-use requirements.
Method Summary

| Modifier and Type | Method and Description |
|---|---|
| java.lang.Iterable<java.security.PublicKey> | filterMyKeys(java.lang.Iterable<? extends java.security.PublicKey> candidateKeys) Filter some keys down to the set that this node owns (has private keys for). |
| java.security.PublicKey | freshKey() Generates a new random KeyPair and adds it to the internal key storage. Returns the public part of the pair. |
| java.security.PublicKey | freshKey(java.util.UUID externalId) Generates a new random KeyPair and adds it to the internal key storage. Associates the public key to an external ID. Returns the public key part of the pair. |
| PartyAndCertificate | freshKeyAndCert(PartyAndCertificate identity, boolean revocationEnabled) Generates a new random KeyPair, adds it to the internal key storage, then generates a corresponding X509Certificate and adds it to the identity service. Associates the public key to an external ID. Returns the public part of the pair. |
| PartyAndCertificate | freshKeyAndCert(PartyAndCertificate identity, boolean revocationEnabled, java.util.UUID externalId) Generates a new random KeyPair, adds it to the internal key storage, then generates a corresponding X509Certificate and adds it to the identity service. |
| java.util.Set<java.security.PublicKey> | getKeys() Returns a snapshot of the current signing PublicKeys. For each of these keys a PrivateKey is available, that can be used later for signing. |
| DigitalSignature.WithKey | sign(byte[] bytes, java.security.PublicKey publicKey) Using the provided signing PublicKey internally looks up the matching PrivateKey and signs the data. |
| TransactionSignature | sign(SignableData signableData, java.security.PublicKey publicKey) Using the provided signing PublicKey internally looks up the matching PrivateKey and signs the SignableData. |
Method Detail

java.util.Set<java.security.PublicKey> getKeys()
Returns a snapshot of the current signing PublicKeys. For each of these keys a PrivateKey is available, that can be used later for signing.

java.security.PublicKey freshKey()
Generates a new random KeyPair and adds it to the internal key storage. Returns the public part of the pair.

java.security.PublicKey freshKey(java.util.UUID externalId)
Generates a new random KeyPair and adds it to the internal key storage. Associates the public key to an external ID. Returns the public key part of the pair.

PartyAndCertificate freshKeyAndCert(PartyAndCertificate identity, boolean revocationEnabled)
Generates a new random KeyPair, adds it to the internal key storage, then generates a corresponding X509Certificate and adds it to the identity service. Associates the public key to an external ID. Returns the public part of the pair.
Parameters:
identity - identity to generate a key and certificate for. Must be an identity this node has CA privileges for.
revocationEnabled - whether to check revocation status of certificates in the certificate path.

PartyAndCertificate freshKeyAndCert(PartyAndCertificate identity, boolean revocationEnabled, java.util.UUID externalId)
Generates a new random KeyPair, adds it to the internal key storage, then generates a corresponding X509Certificate and adds it to the identity service.
Parameters:
identity - identity to generate a key and certificate for. Must be an identity this node has CA privileges for.
revocationEnabled - whether to check revocation status of certificates in the certificate path.
externalId - ID to associate the newly created PublicKey with.

java.lang.Iterable<java.security.PublicKey> filterMyKeys(java.lang.Iterable<? extends java.security.PublicKey> candidateKeys)
Filter some keys down to the set that this node owns (has private keys for).
Parameters:
candidateKeys - keys which this node may own.

DigitalSignature.WithKey sign(byte[] bytes, java.security.PublicKey publicKey)
Using the provided signing PublicKey internally looks up the matching PrivateKey and signs the data.
Parameters:
bytes - The data to sign over using the chosen key.
publicKey - The PublicKey partner to an internally held PrivateKey, either derived from the node's primary identity, or previously generated via the KeyManagementService.freshKey method. If the PublicKey is actually a CompositeKey, the first leaf signing key hosted by the node is used.
See Also:
KeyManagementService.getKeys

TransactionSignature sign(SignableData signableData, java.security.PublicKey publicKey)
Using the provided signing PublicKey internally looks up the matching PrivateKey and signs the SignableData.
Parameters:
signableData - a wrapper over transaction id (Merkle root) and signature metadata.
publicKey - The PublicKey partner to an internally held PrivateKey, either derived from the node's primary identity, or previously generated via the KeyManagementService.freshKey method. If the PublicKey is actually a CompositeKey, the first leaf signing key hosted by the node is used.
See Also:
KeyManagementService.getKeys, SignableData
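As an added example (not part of the Corda API reference above), a hypothetical flow that uses this service the way the method descriptions intend: it narrows a set of candidate keys to those the node actually holds private keys for with filterMyKeys, falls back to freshKey(externalId) when none are owned, and signs a SignableData without the private key ever leaving the KMS. The flow class, its constructor arguments and the choice of the first owned key are assumptions of this example; SignatureMetadata and Crypto.findSignatureScheme are standard Corda types used to build the SignableData.

```java
import co.paralleluniverse.fibers.Suspendable;
import net.corda.core.crypto.Crypto;
import net.corda.core.crypto.SecureHash;
import net.corda.core.crypto.SignableData;
import net.corda.core.crypto.SignatureMetadata;
import net.corda.core.crypto.TransactionSignature;
import net.corda.core.flows.FlowLogic;
import net.corda.core.node.services.KeyManagementService;

import java.security.PublicKey;
import java.util.ArrayList;
import java.util.List;
import java.util.UUID;

// Hypothetical flow (not part of Corda): signs a transaction id with a key this
// node owns, minting a fresh key tied to an external ID if none of the
// candidates belong to the node.
public class SignWithOwnedKeyFlow extends FlowLogic<TransactionSignature> {
    private final SecureHash txId;               // Merkle root of the transaction to sign
    private final List<PublicKey> candidateKeys; // keys that may or may not be ours
    private final UUID externalId;               // e.g. the account a new key is for

    public SignWithOwnedKeyFlow(SecureHash txId, List<PublicKey> candidateKeys, UUID externalId) {
        this.txId = txId;
        this.candidateKeys = candidateKeys;
        this.externalId = externalId;
    }

    @Suspendable
    @Override
    public TransactionSignature call() {
        KeyManagementService kms = getServiceHub().getKeyManagementService();

        // filterMyKeys keeps only keys whose private half is held by the KMS (or its HSM).
        List<PublicKey> mine = new ArrayList<>();
        kms.filterMyKeys(candidateKeys).forEach(mine::add);

        // Prefer an existing owned key; otherwise generate one and record the external ID.
        PublicKey signingKey = mine.isEmpty() ? kms.freshKey(externalId) : mine.get(0);

        // SignatureMetadata binds the platform version and signature scheme into what is signed.
        SignatureMetadata meta = new SignatureMetadata(
                getServiceHub().getMyInfo().getPlatformVersion(),
                Crypto.findSignatureScheme(signingKey).getSchemeNumberID());

        // Only the public key is named here; the KMS looks up and uses the matching private key.
        return kms.sign(new SignableData(txId, meta), signingKey);
    }
}
```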