@DoNotImplement public KeyManagementService

The KMS is responsible for storing and using private keys to sign things. An implementation of this may, for example, call out to a hardware security module that enforces various auditing and frequency-of-use requirements.

@NotNull java.util.Set<java.security.PublicKey> getKeys()

Returns a snapshot of the current signing PublicKeys. For each of these keys a PrivateKey is available that can be used later for signing.

@Suspendable @NotNull java.security.PublicKey freshKey()

Generates a new random KeyPair and adds it to the internal key storage. Returns the public part of the pair.

@Suspendable @NotNull java.security.PublicKey freshKey(@NotNull java.util.UUID externalId)

Generates a new random KeyPair and adds it to the internal key storage. Associates the public key with the given external ID. Returns the public part of the pair.

Parameters:
externalId - ID to associate the newly created PublicKey with.

@Suspendable @NotNull PartyAndCertificate freshKeyAndCert(@NotNull PartyAndCertificate identity, boolean revocationEnabled)

Generates a new random KeyPair, adds it to the internal key storage, then generates a corresponding X509Certificate and adds it to the identity service. Returns the new PartyAndCertificate for the public part of the pair.

Parameters:
identity - identity to generate a key and certificate for. Must be an identity this node has CA privileges for.
revocationEnabled - whether to check revocation status of certificates in the certificate path.

@Suspendable @NotNull PartyAndCertificate freshKeyAndCert(@NotNull PartyAndCertificate identity, boolean revocationEnabled, @NotNull java.util.UUID externalId)

Generates a new random KeyPair, adds it to the internal key storage, then generates a corresponding X509Certificate and adds it to the identity service. Associates the public key with the given external ID.

Parameters:
identity - identity to generate a key and certificate for. Must be an identity this node has CA privileges for.
revocationEnabled - whether to check revocation status of certificates in the certificate path.
externalId - ID to associate the newly created PublicKey with.

@NotNull java.lang.Iterable<java.security.PublicKey> filterMyKeys(@NotNull java.lang.Iterable<? extends java.security.PublicKey> candidateKeys)

Filters some keys down to the set that this node owns (has private keys for).

Parameters:
candidateKeys - keys which this node may own.

@Suspendable @NotNull net.corda.core.crypto.DigitalSignature.WithKey sign(@NotNull byte[] bytes, @NotNull java.security.PublicKey publicKey)

Using the provided signing PublicKey, internally looks up the matching PrivateKey and signs the data.

Parameters:
bytes - the data to sign over using the chosen key.
publicKey - the PublicKey partner to an internally held PrivateKey, either derived from the node's primary identity or previously generated via the freshKey method. If the PublicKey is actually a CompositeKey, the first leaf signing key hosted by the node is used.

Throws:
IllegalArgumentException - if the input key is not a member of keys.

@Suspendable @NotNull TransactionSignature sign(@NotNull SignableData signableData, @NotNull java.security.PublicKey publicKey)

Using the provided signing PublicKey, internally looks up the matching PrivateKey and signs the SignableData.

Parameters:
signableData - a wrapper over the transaction id (Merkle root) and signature metadata.
publicKey - the PublicKey partner to an internally held PrivateKey, either derived from the node's primary identity or previously generated via the freshKey method. If the PublicKey is actually a CompositeKey, the first leaf signing key hosted by the node is used.

Throws:
IllegalArgumentException - if the input key is not a member of keys.
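The contract above (a snapshot from getKeys, freshKey with an optional external ID, filterMyKeys, and sign rejecting keys the node does not hold with IllegalArgumentException) is easier to reason about against a concrete, if minimal, implementation. The following is an added illustration written for this page, not Corda's own KeyManagementService implementation: it uses plain JCA EC keys in place of Corda's crypto types, returns a raw signature byte array instead of DigitalSignature.WithKey, and omits the CompositeKey and PartyAndCertificate paths. The class name InMemoryKms and the keysFor helper are assumptions introduced for the example.

```java
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.ECGenParameterSpec;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Hypothetical in-memory key store mirroring the KeyManagementService contract.
 * Illustrative only: a production KMS would keep private keys in an HSM or
 * encrypted store and never hand them out; this class never exposes them either,
 * it only uses them inside sign().
 */
public final class InMemoryKms {
    // PublicKey -> PrivateKey. JCA PublicKey implementations compare by encoded form,
    // so they are usable as map keys.
    private final Map<PublicKey, PrivateKey> keys = new ConcurrentHashMap<>();
    // External ID -> the public keys generated for it (freshKey(UUID)).
    private final Map<UUID, Set<PublicKey>> byExternalId = new ConcurrentHashMap<>();

    /** Snapshot semantics: a copy, so callers see neither later additions nor the live map. */
    public Set<PublicKey> getKeys() {
        return Collections.unmodifiableSet(new HashSet<>(keys.keySet()));
    }

    /** Generates a fresh EC key pair, stores it, returns the public half. */
    public PublicKey freshKey() throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
        gen.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair pair = gen.generateKeyPair();
        keys.put(pair.getPublic(), pair.getPrivate());
        return pair.getPublic();
    }

    /** Same as freshKey(), additionally associating the new key with an external ID. */
    public PublicKey freshKey(UUID externalId) throws GeneralSecurityException {
        PublicKey pk = freshKey();
        byExternalId.computeIfAbsent(externalId, id -> ConcurrentHashMap.newKeySet()).add(pk);
        return pk;
    }

    /** Assumed helper (not on the page): keys previously generated for an external ID. */
    public Set<PublicKey> keysFor(UUID externalId) {
        return Collections.unmodifiableSet(byExternalId.getOrDefault(externalId, Collections.emptySet()));
    }

    /** Keeps only candidates for which this store holds the private key. */
    public List<PublicKey> filterMyKeys(Iterable<? extends PublicKey> candidateKeys) {
        List<PublicKey> mine = new ArrayList<>();
        for (PublicKey k : candidateKeys) {
            if (keys.containsKey(k)) mine.add(k);
        }
        return mine;
    }

    /** Looks up the private partner of publicKey and signs bytes; rejects unknown keys. */
    public byte[] sign(byte[] bytes, PublicKey publicKey) throws GeneralSecurityException {
        PrivateKey priv = keys.get(publicKey);
        if (priv == null) {
            throw new IllegalArgumentException("Input key is not a member of keys: " + publicKey);
        }
        Signature sig = Signature.getInstance("SHA256withECDSA");
        sig.initSign(priv);
        sig.update(bytes);
        return sig.sign();
    }

    /** Verification lives outside the KMS: anyone holding the public key can check a signature. */
    public static boolean verify(byte[] bytes, byte[] signature, PublicKey publicKey) throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA256withECDSA");
        sig.initVerify(publicKey);
        sig.update(bytes);
        return sig.verify(signature);
    }

    public static void main(String[] args) throws Exception {
        InMemoryKms kms = new InMemoryKms();
        PublicKey nodeKey = kms.freshKey();
        UUID account = UUID.randomUUID();
        PublicKey accountKey = kms.freshKey(account);

        // A key pair generated elsewhere: the node has no private key for it.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
        gen.initialize(new ECGenParameterSpec("secp256r1"));
        PublicKey foreignKey = gen.generateKeyPair().getPublic();

        Set<PublicKey> snapshot = kms.getKeys();
        kms.freshKey();
        System.out.println("snapshot size stays " + snapshot.size() + ", live size " + kms.getKeys().size());

        List<PublicKey> mine = kms.filterMyKeys(List.of(nodeKey, accountKey, foreignKey));
        System.out.println("filterMyKeys kept " + mine.size() + " of 3 (foreign key dropped)");
        System.out.println("keysFor(account) contains accountKey: " + kms.keysFor(account).contains(accountKey));

        byte[] txId = "constructed-transaction-id".getBytes(java.nio.charset.StandardCharsets.UTF_8);
        byte[] signature = kms.sign(txId, nodeKey);
        System.out.println("signature verifies: " + verify(txId, signature, nodeKey));

        try {
            kms.sign(txId, foreignKey);
        } catch (IllegalArgumentException e) {
            System.out.println("sign with a key the node does not own: " + e.getMessage());
        }
    }
}
```

Two points the page states that the example makes visible: getKeys returns a copy, so a caller holding an older snapshot does not observe keys generated afterwards, and sign fails closed on any key that is not in that set rather than silently signing with some other key. A real implementation backed by an HSM would keep the same boundary: the private key never leaves the module, and the lookup-by-public-key is the only way to exercise it.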