@DoNotImplement public interface KeyManagementService
The KMS is responsible for storing private keys and using them to sign data and transactions on behalf of the node; callers only ever handle the corresponding PublicKeys. An implementation of this may, for example, call out to a hardware security module that enforces various auditing and frequency-of-use requirements.
@NotNull java.util.Set<java.security.PublicKey> getKeys()
Returns a snapshot of the current signing PublicKeys. For each of these keys a PrivateKey is available, that can be used later for signing.
@Suspendable @NotNull java.security.PublicKey freshKey()
Generates a new random KeyPair and adds it to the internal key storage. Returns the public part of the pair.
@Suspendable @NotNull java.security.PublicKey freshKey(@NotNull java.util.UUID externalId)
Generates a new random KeyPair and adds it to the internal key storage. Associates the public key to an external ID. Returns the public key part of the pair.
@Suspendable @NotNull PartyAndCertificate freshKeyAndCert(@NotNull PartyAndCertificate identity, boolean revocationEnabled)
Generates a new random KeyPair, adds it to the internal key storage, then generates a corresponding X509Certificate and adds it to the identity service. Returns the resulting PartyAndCertificate (the new certificate together with its certificate path). This overload does not associate the key with an external ID.
identity - identity to generate a key and certificate for. Must be an identity this node has CA privileges for.
revocationEnabled - whether to check revocation status of certificates in the certificate path.
@Suspendable @NotNull PartyAndCertificate freshKeyAndCert(@NotNull PartyAndCertificate identity, boolean revocationEnabled, @NotNull java.util.UUID externalId)
Generates a new random KeyPair, adds it to the internal key storage, then generates a corresponding X509Certificate and adds it to the identity service. Associates the public key with externalId. Returns the resulting PartyAndCertificate.
identity - identity to generate a key and certificate for. Must be an identity this node has CA privileges for.
revocationEnabled - whether to check revocation status of certificates in the certificate path.
externalId - ID to associate the newly created PublicKey with.
@NotNull java.lang.Iterable<java.security.PublicKey> filterMyKeys(@NotNull java.lang.Iterable<? extends java.security.PublicKey> candidateKeys)
Filter some keys down to the set that this node owns (has private keys for).
candidateKeys - keys which this node may own. Keys not present in keys are dropped from the result.
@Suspendable @NotNull net.corda.core.crypto.DigitalSignature.WithKey sign(@NotNull byte[] bytes, @NotNull java.security.PublicKey publicKey)
Using the provided signing PublicKey internally looks up the matching PrivateKey and signs the data.
bytes - The data to sign over using the chosen key.
publicKey - The PublicKey partner to an internally held PrivateKey, either derived from the node's primary identity, or previously generated via the freshKey method. If the PublicKey is actually a CompositeKey, the first leaf signing key hosted by the node is used.
IllegalArgumentException - if the input key is not a member of keys.
@Suspendable @NotNull TransactionSignature sign(@NotNull SignableData signableData, @NotNull java.security.PublicKey publicKey)
Using the provided signing PublicKey internally looks up the matching PrivateKey and signs the class SignableData.
signableData - a wrapper over the transaction id (Merkle root) and signature metadata.
publicKey - The PublicKey partner to an internally held PrivateKey, either derived from the node's primary identity, or previously generated via the freshKey method. If the PublicKey is actually a CompositeKey, the first leaf signing key hosted by the node is used.
IllegalArgumentException - if the input key is not a member of keys.
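The following Kotlin flow is an added worked example, not code from Corda or from this page. It exercises freshKey, keys, filterMyKeys and both sign overloads as documented above, including the IllegalArgumentException path for a key the node does not hold. The package, the flow class name, the constructed payload and the stand-in "foreign" key generated with Crypto.generateKeyPair() are assumptions made for the example.

```kotlin
package com.example.kms // assumed package name for this example

import co.paralleluniverse.fibers.Suspendable
import net.corda.core.crypto.Crypto
import net.corda.core.crypto.SecureHash
import net.corda.core.crypto.SignableData
import net.corda.core.crypto.SignatureMetadata
import net.corda.core.flows.FlowLogic
import net.corda.core.flows.StartableByRPC
import java.security.PublicKey

/**
 * Example flow (not part of Corda) walking through the KeyManagementService API:
 * fresh key generation, ownership filtering, raw-byte and transaction-id signing,
 * and the rejection of a key the node does not hold.
 */
@StartableByRPC
class KeyManagementDemoFlow : FlowLogic<Boolean>() {

    @Suspendable
    override fun call(): Boolean {
        val kms = serviceHub.keyManagementService

        // 1. A fresh, unlinkable signing key. The private half stays inside the KMS
        //    (or the HSM behind it); only the public half is returned.
        val myKey: PublicKey = kms.freshKey()
        require(myKey in kms.keys) { "freshKey() result must appear in the keys snapshot" }

        // 2. filterMyKeys keeps only keys this node owns. The "foreign" key is a
        //    constructed stand-in for another party's key that this node never stored.
        val foreignKey: PublicKey = Crypto.generateKeyPair().public
        val mine = kms.filterMyKeys(listOf(myKey, foreignKey)).toList()
        require(mine == listOf(myKey)) { "only the node's own key should survive filtering" }

        // 3. Sign arbitrary bytes and verify with the public half. verify() throws on
        //    mismatch; isValid() returns false instead, which is used here for the negative case.
        val payload = "constructed payload".toByteArray()   // constructed sample input
        val sig = kms.sign(payload, myKey)
        sig.verify(payload)
        require(!sig.isValid("tampered payload".toByteArray())) { "signature must not verify over altered bytes" }

        // 4. Sign a transaction id plus metadata (platform version and signature scheme),
        //    which is the form notaries and counterparties verify against the Merkle root.
        val txId = SecureHash.sha256("constructed transaction bytes".toByteArray())
        val metadata = SignatureMetadata(
            serviceHub.myInfo.platformVersion,
            Crypto.findSignatureScheme(myKey).schemeNumberID
        )
        val txSig = kms.sign(SignableData(txId, metadata), myKey)
        txSig.verify(txId)

        // 5. Asking the KMS to sign with a key it does not hold is rejected with
        //    IllegalArgumentException rather than silently routed to another key.
        val rejected = try {
            kms.sign(payload, foreignKey)
            false
        } catch (e: IllegalArgumentException) {
            true
        }
        require(rejected) { "sign() must reject a key that is not a member of keys" }
        return true
    }
}
```

The flow returns true only if every check passes; started over RPC (for example from the node shell with flow start KeyManagementDemoFlow), a failed require surfaces as a flow exception. Note that the verification calls use only the PublicKey, so they could equally run on another node or outside the node entirely, which is the point of keeping the private half behind the KMS.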