Package net.shibboleth.shared.security.impl

Class BasicKeystoreKeyStrategy

java.lang.Object
net.shibboleth.shared.component.AbstractInitializableComponent
net.shibboleth.shared.security.impl.BasicKeystoreKeyStrategy
All Implemented Interfaces:
Component, DestructableComponent, InitializableComponent, DataSealerKeyStrategy
public class BasicKeystoreKeyStrategy extends AbstractInitializableComponent implements DataSealerKeyStrategy
Implements a strategy for access to versioned symmetric keys using a keystore, and a standalone file for tracking the latest key version, to compensate for the lack of extensible attribute support in the pre-Java 8 KeyStore API.

The separate resource must be a Java properties file containing a CURRENT_VERSION_PROP property pointing to the latest key version.

  • Field Details

    • CURRENT_VERSION_PROP

      @Nonnull @NotEmpty public static final String CURRENT_VERSION_PROP
      Name of property representing current key version.
      See Also:

    • log

      @Nonnull private org.slf4j.Logger log
      Class logger.

    • keystoreType

      @NonnullAfterInit private String keystoreType
      Type of keystore to use for access to keys.

    • keystoreResource

      @NonnullAfterInit private Resource keystoreResource
      Keystore resource.

    • keyVersionResource

      @NonnullAfterInit private Resource keyVersionResource
      Version resource.

    • keystorePassword

      @NonnullAfterInit private String keystorePassword
      Password for keystore.

    • keyAlias

      @NonnullAfterInit private String keyAlias
      Keystore base alias for encryption keys.

    • keyPassword

      @NonnullAfterInit private String keyPassword
      Password for encryption key(s).

    • currentAlias

      @NonnullAfterInit private String currentAlias
      Current key alias loaded.

    • defaultKey

      @NonnullAfterInit private SecretKey defaultKey
      Current default key loaded.

    • updateInterval

      @Nonnull private Duration updateInterval
      Time between key update checks. Default value: (PT15M).

    • updateTaskTimer

      private Timer updateTaskTimer
      Timer used to schedule update tasks.

    • internalTaskTimer

      private Timer internalTaskTimer
      Timer used to schedule update tasks if no external one set.

    • updateTask

      private TimerTask updateTask
      Task that checks for updated key version.

  • Constructor Details

    • BasicKeystoreKeyStrategy

      public BasicKeystoreKeyStrategy()
      Constructor.

  • Method Details

    • setKeystoreType

      public void setKeystoreType(@Nonnull @NotEmpty String type)
      Set the keystore type.
      Parameters:
      type - the keystore type

    • setKeystoreResource

      public void setKeystoreResource(@Nonnull @NotEmpty Resource resource)
      Set the keystore resource.
      Parameters:
      resource - the keystore resource

    • setKeyVersionResource

      public void setKeyVersionResource(@Nonnull @NotEmpty Resource resource)
      Set the key version resource.
      Parameters:
      resource - the key version resource

    • setKeystorePassword

      public void setKeystorePassword(@Nullable String password)
      Set the keystore password.
      Parameters:
      password - the keystore password

    • setKeyAlias

      public void setKeyAlias(@Nonnull @NotEmpty String alias)
      Set the encryption key alias base name.
      Parameters:
      alias - the encryption key alias base

    • setKeyPassword

      public void setKeyPassword(@Nullable String password)
      Set the encryption key password.
      Parameters:
      password - the encryption key password

    • setUpdateInterval

      public void setUpdateInterval(@Nonnull Duration interval)
      Set the time between key update checks. A value of 0 indicates that no updates will be performed. This setting cannot be changed after the service has been initialized.
      Parameters:
      interval - time between key update checks

    • setUpdateTaskTimer

      public void setUpdateTaskTimer(@Nullable Timer timer)
      Set the timer used to schedule update tasks. This setting cannot be changed after the service has been initialized.
      Parameters:
      timer - timer used to schedule update tasks

    • doInitialize

      public void doInitialize() throws ComponentInitializationException
      Overrides:
      doInitialize in class AbstractInitializableComponent
      Throws:
      ComponentInitializationException

    • doDestroy

      protected void doDestroy()
      Overrides:
      doDestroy in class AbstractInitializableComponent

    • getDefaultKey

      @Nonnull public Pair<String,SecretKey> getDefaultKey() throws KeyException
      Get the default/current key to use for new operations, returned along with an identifier for it.
      Specified by:
      getDefaultKey in interface DataSealerKeyStrategy
      Returns:
      the key
      Throws:
      KeyException - if the key cannot be returned

    • getDefaultKeyRecord

      @Nonnull public DataSealerKeyStrategy.NamedKey getDefaultKeyRecord() throws KeyException
      Get an immutable record of the default named key.
      Specified by:
      getDefaultKeyRecord in interface DataSealerKeyStrategy
      Returns:
      default key record
      Throws:
      KeyException - if the key is unobtainable

    • getKey

      @Nonnull public SecretKey getKey(@Nonnull @NotEmpty String name) throws KeyException
      Get a specifically named key.
      Specified by:
      getKey in interface DataSealerKeyStrategy
      Parameters:
      name - name of the key to retrieve
      Returns:
      the key
      Throws:
      KeyException - if the key cannot be returned, does not exist, etc.

    • updateDefaultKey

      private void updateDefaultKey() throws KeyException
      Update the loaded copy of the default key based on the current key version if it's out of date (loading key version from scratch if need be).
      Throws:
      KeyException - if the key cannot be updated