This base module provides common functions for implementations of the KeyAndCertificateHandler API.
This module provides the following common configuration classes for all KeyAndCertificateHandler instances:
- CredentialContainerConfiguration
- AbstractKeyAndCertificateHandlerConfiguration
- DefaultValuePolicyCheckerConfiguration (Inner Class)
- CertificateProfileConfiguration
- SigningKeyUsageDirective
The CredentialContainerConfiguration describes the configuration for the signer key provider used to generate the signing keys that sign documents in the signature service.

| Field | Description |
|---|---|
| hsmConfigurationFile | A full path to the PKCS#11 configuration file. If not provided, software-based keys will be generated and used instead. |
| hsmPin | The PIN/password used to access the HSM slot if an HSM is used. |
| securityProvider | The name of the crypto provider used to generate software-based keys. This value is ignored if the hsmConfigurationFile property is set. If not provided, a default security provider will be used. |
The AbstractKeyAndCertificateHandlerConfiguration class describes base configuration parameters common to all KeyAndCertificateHandler instances.

| Field | Description |
|---|---|
| algorithmRegistry | Algorithm registry providing information about supported algorithms. If not assigned, a default AlgorithmRegistry is used. |
| algorithmKeyType | A map specifying the key type for each supported algorithm type (primarily EC and RSA algorithm types). See KeyGenType for possible values. If not set, default key types will be set by the handler. |
| keyProvider | Configuration for the signature key provider (see the CredentialContainerConfiguration above). |
| keyProviderRef | Reference to an existing PkiCredentialContainer bean to be used as the keyProvider for this handler. |
| attributeMapper | Attribute mapper responsible for mapping authentication attributes/claims to certificate attributes. If not set, a default attribute mapper will be assigned. |
| defaultValuePolicyChecker | Configuration for permitted default values used in attribute mapping if no value is provided by the identity provider. If no attribute mapper is set by the attributeMapper configuration parameter, a DefaultAttributeMapper will be created based on this defaultValuePolicyChecker configuration. |
| caSupportedCertificateTypes | A list of certificate types supported by this CA. Supported values: "CertificateType.PKC", "CertificateType.QC" and "CertificateType.QC_SSCD". |
| profileConfiguration | Configuration of the certificate profile used to determine the content of issued certificates. |
| serviceName | Service name placed in AuthnContextExtensions. If not set, the client ID will be used by default. |
The DefaultValuePolicyCheckerConfiguration has the following configuration data:

| Field | Description |
|---|---|
| rules | A list of DefaultValuePolicyCheckerConfig configuration data. Each object in the list holds configuration data for a particular attribute. |
| defaultReply | The default reply (true or false) to the question whether a default value is allowed, used when no rule matches the supplied item (attribute type and reference). |
DefaultValuePolicyCheckerConfig in DefaultValuePolicyCheckerConfiguration has the following configuration data:

| Field | Description |
|---|---|
| attributeType | The certificate attribute type this attribute is mapped to, i.e. RDN (Relative Distinguished Name), SAN (Subject Alternative Name) or SDA (Subject Directory Attribute). |
| ref | The reference of the certificate attribute or subject alternative name. For an attribute (RDN or SDA) this is the attribute OID string; for a SAN it is the index of the enumerated GeneralName type in the SAN. |
| allowedValues | A list of allowed values. If null or empty, allowAnyValue determines whether the value is OK. |
| allowAnyValue | If allowedValues is null or empty, this field determines whether a default value assignment should be allowed. |
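The decision procedure the two tables above describe (a matching rule decides via allowedValues or allowAnyValue; an unmatched item falls through to defaultReply), written out as an added Python illustration. This is not the module's own code; the class and function names and the sample rules are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional


# Constructed mirror of the DefaultValuePolicyCheckerConfig fields documented above.
@dataclass
class DefaultValuePolicyCheckerConfig:
    attribute_type: str                      # "RDN", "SAN" or "SDA"
    ref: str                                 # OID string for RDN/SDA, GeneralName index for SAN
    allowed_values: Optional[list] = None    # None/empty -> allow_any_value decides
    allow_any_value: bool = False


# Constructed mirror of DefaultValuePolicyCheckerConfiguration (rules + defaultReply).
@dataclass
class DefaultValuePolicyCheckerConfiguration:
    rules: list = field(default_factory=list)
    default_reply: bool = False


def is_default_value_allowed(cfg, attribute_type, ref, value) -> bool:
    """Return True if `value` may be used as a default for (attribute_type, ref).

    The first rule whose attributeType and ref match the supplied item decides:
    a non-empty allowedValues list is authoritative, otherwise allowAnyValue is.
    With no matching rule the configured defaultReply is returned.
    """
    for rule in cfg.rules:
        if rule.attribute_type == attribute_type and rule.ref == str(ref):
            if rule.allowed_values:
                return value in rule.allowed_values
            return rule.allow_any_value
    return cfg.default_reply


# Constructed sample policy (hypothetical values, not from the project):
#  - a default country RDN (OID 2.5.4.6) may only be "SE"
#  - a default organization RDN (OID 2.5.4.10) may be anything (permissive rule)
#  - a default SAN rfc822Name (GeneralName index 1) is never allowed
#  - every other item is refused because default_reply is False
SAMPLE_POLICY = DefaultValuePolicyCheckerConfiguration(
    rules=[
        DefaultValuePolicyCheckerConfig("RDN", "2.5.4.6", allowed_values=["SE"]),
        DefaultValuePolicyCheckerConfig("RDN", "2.5.4.10", allow_any_value=True),
        DefaultValuePolicyCheckerConfig("SAN", "1", allow_any_value=False),
    ],
    default_reply=False,
)


def permissive_rules(cfg):
    """List rules that accept any value: the ones to review when auditing a deployment."""
    return [r for r in cfg.rules if not r.allowed_values and r.allow_any_value]
```

A conservative deployment keeps defaultReply false and prefers explicit allowedValues, so that a missing identity-provider attribute can never be silently filled with an unconstrained default.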
The certificate profile configuration (CertificateProfileConfiguration) allows some control over the content of issued signer certificates:

| Field | Description |
|---|---|
| policies | A list of certificate policy OIDs (string representation) that will be included in issued certificates. |
| extendedKeyUsages | List of extended key usage object identifier values that will be included in issued certificates. |
| extendedKeyUsageCritical | Determines if a present extended key usage extension is critical. |
| usageDirective | Optional settings for certificate key usage. |
| keyUsageCritical | Determines if the present key usage extension is critical. |
| basicConstraintsCritical | Determines if the present basic constraints extension is critical. |
The SigningKeyUsageDirective provides configuration data for the usageDirective parameter above:

| Field | Description |
|---|---|
| encrypt | Flag that marks the key usage of the signing key for encryption (as well as signing). Default false. |
| excludeNonRepudiation | Flag that marks that the key usage of the signing key should not include non-repudiation. |
Copyright © 2022-2023, Myndigheten för digital förvaltning - Swedish Agency for Digital Government (DIGG). Licensed under version 2.0 of the Apache License.