3744900be632496920d4c9aca8f94ba6db4dd882Dirk Hogan/*
3744900be632496920d4c9aca8f94ba6db4dd882Dirk Hogan * The contents of this file are subject to the terms of the Common Development and
3744900be632496920d4c9aca8f94ba6db4dd882Dirk Hogan * Distribution License (the License). You may not use this file except in compliance with the
3744900be632496920d4c9aca8f94ba6db4dd882Dirk Hogan * License.
3744900be632496920d4c9aca8f94ba6db4dd882Dirk Hogan *
3744900be632496920d4c9aca8f94ba6db4dd882Dirk Hogan * You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
3744900be632496920d4c9aca8f94ba6db4dd882Dirk Hogan * specific language governing permission and limitations under the License.
3744900be632496920d4c9aca8f94ba6db4dd882Dirk Hogan *
3744900be632496920d4c9aca8f94ba6db4dd882Dirk Hogan * When distributing Covered Software, include this CDDL Header Notice in each file and include
3744900be632496920d4c9aca8f94ba6db4dd882Dirk Hogan * the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
3744900be632496920d4c9aca8f94ba6db4dd882Dirk Hogan * Header, with the fields enclosed by brackets [] replaced by your own identifying
3744900be632496920d4c9aca8f94ba6db4dd882Dirk Hogan * information: "Portions Copyrighted [year] [name of copyright owner]".
3744900be632496920d4c9aca8f94ba6db4dd882Dirk Hogan *
3744900be632496920d4c9aca8f94ba6db4dd882Dirk Hogan * Copyright 2015 ForgeRock AS.
3744900be632496920d4c9aca8f94ba6db4dd882Dirk Hogan */
3744900be632496920d4c9aca8f94ba6db4dd882Dirk Hogan
3744900be632496920d4c9aca8f94ba6db4dd882Dirk Hoganpackage org.forgerock.openam.sts.tokengeneration.oidc.crypto;
3744900be632496920d4c9aca8f94ba6db4dd882Dirk Hogan
3744900be632496920d4c9aca8f94ba6db4dd882Dirk Hoganimport org.forgerock.openam.sts.TokenCreationException;
3744900be632496920d4c9aca8f94ba6db4dd882Dirk Hoganimport org.forgerock.openam.sts.config.user.OpenIdConnectTokenConfig;
3744900be632496920d4c9aca8f94ba6db4dd882Dirk Hoganimport org.forgerock.openam.sts.tokengeneration.STSCryptoProviderBase;
3744900be632496920d4c9aca8f94ba6db4dd882Dirk Hogan
3744900be632496920d4c9aca8f94ba6db4dd882Dirk Hoganimport java.security.PrivateKey;
3744900be632496920d4c9aca8f94ba6db4dd882Dirk Hoganimport java.security.cert.X509Certificate;
3744900be632496920d4c9aca8f94ba6db4dd882Dirk Hogan
3744900be632496920d4c9aca8f94ba6db4dd882Dirk Hogan/**
3744900be632496920d4c9aca8f94ba6db4dd882Dirk Hogan * @see OpenIdConnectTokenPKIProvider
3744900be632496920d4c9aca8f94ba6db4dd882Dirk Hogan */
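public class OpenIdConnectTokenPKIProviderImpl extends STSCryptoProviderBase implements OpenIdConnectTokenPKIProvider {

    /**
     * Creates a provider backed by the keystore named in the OIDC token configuration.
     *
     * @param tokenConfiguration supplies the keystore location and keystore password handed to the base class
     * @throws TokenCreationException if the base class cannot open the configured keystore
     */
    public OpenIdConnectTokenPKIProviderImpl(final OpenIdConnectTokenConfig tokenConfiguration) throws TokenCreationException {
        //TODO: might want to make the keystore type configurable at some point - see AME-646
        // Only the location and password come from configuration; the keystore type is fixed to JKS here.
        super(tokenConfiguration.getKeystoreLocation(), tokenConfiguration.getKeystorePassword(), JKS_KEYSTORE);
    }

    /**
     * Returns the private key stored under {@code keyAlias}, delegating to the base-class keystore lookup.
     *
     * @param keyAlias    keystore alias of the signing key
     * @param keyPassword password protecting that key entry
     * @return the private key for the alias
     * @throws TokenCreationException if the base class cannot retrieve the key
     */
    @Override
    public PrivateKey getProviderPrivateKey(String keyAlias, String keyPassword) throws TokenCreationException {
        return getPrivateKey(keyAlias, keyPassword);
    }

    /**
     * Returns the X509 certificate chain for {@code keyAlias}, falling back to a single-element chain built
     * from the alias's certificate when no chain can be obtained.
     * <p>
     * From the KeyStore javadocs:
     * for getCertificateChain:
     * The certificate chain must have been associated with the alias by a call to setKeyEntry, or by a call to
     * setEntry with a PrivateKeyEntry.
     * for getCertificate:
     * If the given alias name identifies an entry created by a call to setCertificateEntry, or created by a call to
     * setEntry with a TrustedCertificateEntry, then the trusted certificate contained in that entry is returned.
     * If the given alias name identifies an entry created by a call to setKeyEntry, or created by a call to setEntry
     * with a PrivateKeyEntry, then the first element of the certificate chain in that entry is returned.
     * <p>
     * Thus getCertificate will get X509Certificate state for all cases handled by getCertificateChain, but the
     * X509Certificate state which corresponds to a given PrivateKey is most correctly represented as a
     * X509Certificate[]. However, it seems that the X509Certificate state corresponding to a PrivateKeyEntry is
     * often entered as a TrustedCertificateEntry - e.g. the default keystore.jks bundled with OpenAM is created in
     * that fashion. So this implementation must handle both cases.
     * <p>
     * NOTE(review): in the fallback case the returned certificate comes from a trusted-certificate entry, so nothing
     * here checks that it actually matches the private key returned by {@link #getProviderPrivateKey}; callers that
     * publish the chain alongside signatures should confirm the pairing.
     *
     * @param keyAlias keystore alias whose certificate chain is wanted
     * @return the chain for the alias, or a single-element array holding the alias's certificate when the chain
     *         lookup fails
     * @throws TokenCreationException if neither the chain nor the single certificate can be retrieved; the failure
     *         of the chain lookup is attached to the thrown exception as a suppressed exception
     */
    @Override
    public X509Certificate[] getProviderCertificateChain(String keyAlias) throws TokenCreationException {
        try {
            return getX509CertificateChain(keyAlias);
        } catch (TokenCreationException chainFailure) {
            try {
                return new X509Certificate[] { getX509Certificate(keyAlias) };
            } catch (TokenCreationException certificateFailure) {
                // Previously the chain failure was silently dropped; keep it so the reported error
                // explains both lookups when the alias is unusable.
                certificateFailure.addSuppressed(chainFailure);
                throw certificateFailure;
            }
        }
    }
}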