Package org.wildfly.security.credential.store.impl

Class KeyStoreCredentialStore

java.lang.Object

org.wildfly.security.credential.store.CredentialStoreSpi

org.wildfly.security.credential.store.impl.KeyStoreCredentialStore

public final class KeyStoreCredentialStore
extends CredentialStoreSpi

A flexible credential store which is backed by a key store. The key store holds the credentials, encoding identifying information into the alias to allow multiple credentials to be stored under each alias (something keystores generally do not support).

This credential store cannot convert an arbitrary key store into a credential store; it can only understand entries that it itself has added. Entries not understood by this credential store will be ignored (and a log message will be generated indicating the presence of unknown credentials).

The following configuration parameters are supported:

• location: specifies the location of the key store (none means, use an in-memory store and do not store changes)
• modifiable: specifies whether the credential store should be modifiable
• create: specifies to automatically create storage file for this credential store (defaults to false).

  If external is true, the storage file will be created calling the flush() method. If external is false and the storage file does not exist yet, then an empty credential store is created when initialize(java.util.Map<java.lang.String, java.lang.String>, org.wildfly.security.credential.store.CredentialStore.ProtectionParameter, java.security.Provider[]) method is invoked.

• keyStoreType: specifies the key store type to use (defaults to KeyStore.getDefaultType())
• keyAlias: specifies the secret key alias within the key store to use for encrypt/decrypt of data in external storage (defaults to cs_key)
• external: specifies whether to store data to external storage and encrypted by keyAlias key (defaults to false)
• externalPath: specifies path to the external storage. It has to be used in conjunction with external=true
• cryptoAlg: cryptographic algorithm name to be used to encrypt decrypt entries at external storage (external has to be set to true)

Field Summary

Fields

Modifier and Type	Field	Description
static String	KEY_STORE_CREDENTIAL_STORE	The name of this credential store implementation.

Fields inherited from class org.wildfly.security.credential.store.CredentialStoreSpi

initialized

Constructor Summary

Constructors

Constructor	Description
KeyStoreCredentialStore()

Method Summary

Modifier and Type	Method	Description
void	flush()	Flush the credential store contents to storage.
Set<String>	getAliases()	Returns credential aliases stored in this store as Set<String>.
Set<String>	getCredentialTypesForAlias(String credentialAlias)	Returns credential types stored in this store with given alias as Set<String>.
void	initialize(Map<String,String> attributes, CredentialStore.ProtectionParameter protectionParameter, Provider[] providers)	Initialize credential store service with given attributes.
boolean	isModifiable()	Check if credential store service supports modification of its store
void	remove(String credentialAlias, Class<? extends Credential> credentialType, String credentialAlgorithm, AlgorithmParameterSpec parameterSpec)	Remove the credentialType with from given alias from the credential store service.
<C extends Credential> C	retrieve(String credentialAlias, Class<C> credentialType, String credentialAlgorithm, AlgorithmParameterSpec parameterSpec, CredentialStore.ProtectionParameter protectionParameter)	Retrieve the credential stored in the store under the given alias, matching the given criteria.
void	store(String credentialAlias, Credential credential, CredentialStore.ProtectionParameter protectionParameter)	Store credential to the credential store service under the given alias.

Methods inherited from class org.wildfly.security.credential.store.CredentialStoreSpi

exists, isInitialized, validateAttribute

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

KEY_STORE_CREDENTIAL_STORE

public static final String KEY_STORE_CREDENTIAL_STORE

The name of this credential store implementation.

Constructor Detail

KeyStoreCredentialStore

public KeyStoreCredentialStore()

Method Detail

initialize

public void initialize(Map<String,String> attributes,
                       CredentialStore.ProtectionParameter protectionParameter,
                       Provider[] providers)
                throws CredentialStoreException

Description copied from class: CredentialStoreSpi

Initialize credential store service with given attributes. This procedure should set CredentialStoreSpi.initialized after successful initialization.

Specified by:

initialize in class CredentialStoreSpi

Parameters:

attributes - attributes to used to pass information to credential store service

protectionParameter - the store-wide protection parameter to apply, or null for none

providers - providers to be injected into SPI implementation to get custom object instances of various type from, or null for none

Throws:

CredentialStoreException - if initialization fails due to any reason

isModifiable

public boolean isModifiable()

Description copied from class: CredentialStoreSpi

Check if credential store service supports modification of its store

Specified by:

isModifiable in class CredentialStoreSpi

Returns:

true in case of modification of the store is supported, false otherwise

store

public void store(String credentialAlias,
                  Credential credential,
                  CredentialStore.ProtectionParameter protectionParameter)
           throws CredentialStoreException

Description copied from class: CredentialStoreSpi

Store credential to the credential store service under the given alias. If given alias already contains specific credential type type the credential replaces older one. Note: CredentialStoreSpi supports storing of multiple entries (credential types) per alias. Each must be of different credential type, or differing algorithm, or differing parameters.

Specified by:

store in class CredentialStoreSpi

Parameters:

credentialAlias - to store the credential to the store

credential - instance of Credential to store

protectionParameter - the protection parameter to apply to the entry, or null for none

Throws:

CredentialStoreException - when the credential cannot be stored

UnsupportedCredentialTypeException - when the credentialType is not supported

retrieve

public <C extends Credential> C retrieve(String credentialAlias,
                                         Class<C> credentialType,
                                         String credentialAlgorithm,
                                         AlgorithmParameterSpec parameterSpec,
                                         CredentialStore.ProtectionParameter protectionParameter)
                                  throws CredentialStoreException

Description copied from class: CredentialStoreSpi

Retrieve the credential stored in the store under the given alias, matching the given criteria.

Specified by:

retrieve in class CredentialStoreSpi

Type Parameters:

C - the credential type

Parameters:

credentialAlias - to find the credential in the store

credentialType - the credential type class (must not be null)

credentialAlgorithm - the credential algorithm to match, or null to match any algorithm

parameterSpec - the parameter specification to match, or null to match any parameters

protectionParameter - the protection parameter to use to access the entry, or null for none

Returns:

instance of Credential stored in the store, or null if the credential is not found

Throws:

CredentialStoreException - if the credential cannot be retrieved due to an error

remove

public void remove(String credentialAlias,
                   Class<? extends Credential> credentialType,
                   String credentialAlgorithm,
                   AlgorithmParameterSpec parameterSpec)
            throws CredentialStoreException

Description copied from class: CredentialStoreSpi

Remove the credentialType with from given alias from the credential store service.

Specified by:

remove in class CredentialStoreSpi

Parameters:

credentialAlias - alias to remove

credentialType - the credential type class to match (must not be null)

credentialAlgorithm - the credential algorithm to match, or null to match all algorithms

parameterSpec - the credential parameters to match, or null to match all parameters

Throws:

CredentialStoreException - if the credential cannot be removed due to an error

flush

public void flush()
           throws CredentialStoreException

Description copied from class: CredentialStoreSpi

Flush the credential store contents to storage. If the credential store does not support or require explicit flushing, this method should do nothing and simply return.

Overrides:

flush in class CredentialStoreSpi

Throws:

CredentialStoreException - if the flush fails for some reason.

getAliases

public Set<String> getAliases()
                       throws UnsupportedOperationException,
                              CredentialStoreException

Returns credential aliases stored in this store as Set<String>.

It is not mandatory to override this method (throws UnsupportedOperationException by default).

Overrides:

getAliases in class CredentialStoreSpi

Returns:

Set<String> of all keys stored in this store

Throws:

UnsupportedOperationException - when this method is not supported by the underlying credential store

CredentialStoreException - if there is any problem with internal store

getCredentialTypesForAlias

public Set<String> getCredentialTypesForAlias(String credentialAlias)

Description copied from class: CredentialStoreSpi

Returns credential types stored in this store with given alias as Set<String>. It is not mandatory to override this method (throws UnsupportedOperationException by default).

Overrides:

getCredentialTypesForAlias in class CredentialStoreSpi

Parameters:

credentialAlias - to find the credentials types in the store

Returns:

Set<String> of all credential types stored in this store with credential alias