Class MsCertificateManagementService

java.lang.Object

de.xima.fc.certificate.ms.impl.rpc.MsCertificateManagementService

All Implemented Interfaces:

RpcCertificateManagementService, RpcHandler, Serializable

public class MsCertificateManagementService
extends Object
implements RpcCertificateManagementService

Since:

10.03.25

Author:

tobias

See Also:

• Serialized Form

Constructor Summary

Constructors

Constructor	Description
MsCertificateManagementService(SystemPersistenceManager spm, IDaoFactory daoFactory, MsCryptoSettingsService cryptoSettingsService, IUserAccessController userAccessController, IAuditServiceFactory auditServiceFactory, ICertificateEventPublisher eventPublisher)

Method Summary

Modifier and Type	Method	Description
void	deleteCertificate(Long id, CertificateManagementUser user)	Deletes a certificate from the system.
byte[]	exportCertificate(Long certificateId, ECertificateFileType fileType, CertificateManagementUser user)	Exports a certificate
byte[]	exportCSR(Long certificateId, ECsrFileType fileType, CertificateManagementUser user)	Exports a Certificate Signing Request (CSR)
byte[]	exportKeyPair(Long certificateId, char[] password, EKeyPairFileType fileType, CertificateManagementUser user)	Exports a key pair (both public and private keys) of a certificate
byte[]	exportPrivateKey(Long certificateId, char[] password, EPrivateKeyFileType fileType, CertificateManagementUser user)	Exports the private key of a certificate
byte[]	exportPublicKey(Long certificateId, EPublicKeyFileType fileType, CertificateManagementUser user)	Exports the public key of a certificate
Optional<CertificateInfoDTO>	findById(Long certificateId, CertificateManagementUser user)	Retrieves the certificate with the specified ID.
List<CertificateInfoDTO>	findValidCertificatesForSubject(CertificateSelectionBySubjectQuery query, CertificateManagementUser user)	Retrieves all valid certificates for a given subject within a defined scope.
List<CertificateInfoDTO>	findValidCertificatesForUsageSubject(CertificateSelectionByUsageSubjectQuery query, CertificateManagementUser user)	Retrieves all valid client certificates for a given usage subject within a defined scope.
CertificateInfoDTO	generateCertificate(X501DistinguishedName certificateSubject, Duration certificateValidity, IKeyPairGenerationSpec keyPairGenerationSpec, List<ICertificateUsageSpecification> certificateUsageSpecifications, KeyStoreSelector keyStoreSelector, boolean autoRenew, CertificateManagementUser user)	Generates a self-signed certificate with the given specifications.
CertificateInfoDTO	generateCertificate(X501DistinguishedName certificateSubject, Duration certificateValidity, IKeyPairGenerationSpec keyPairGenerationSpec, List<ICertificateUsageSpecification> certificateUsageSpecifications, Long signingAuthorityId, KeyStoreSelector keyStoreSelector, boolean autoRenew, CertificateManagementUser user)	Generates a certificate with the given specifications.
Optional<CertificateInfoDTO>	getCurrentValidCertificateForSubject(CertificateSelectionBySubjectQuery query, CertificateManagementUser user)	Retrieves the current valid certificate for the given subject within a defined scope.
Optional<CertificateInfoDTO>	getCurrentValidCertificateForUsageSubject(CertificateSelectionByUsageSubjectQuery query, CertificateManagementUser user)	Retrieves the current valid certificate for the given usage subject within a defined scope.
FileImportResult	importCryptographicCredentials(SerializableInputStreamContainer is, FileImportSpecification fileImportSpecification, KeyStoreSelector keyStoreSelector, CertificateManagementUser user)	Universal method to import a file into the keystore.
FileImportResult	importCryptographicCredentials(SerializableInputStreamContainer is, KeyStoreSelector keyStoreSelector, CertificateManagementUser user)	Universal method to import a file into the keystore.
CertificateInfoDTO	renewCertificate(Long certificateId, CertificateManagementUser user)	Renews a certificate by generating a new certificate with the same subject and key pair.
CertificateInfoDTO	update(CertificateInfoDTO certificate, CertificateManagementUser user)	Updates the metadata of a certificate.

Methods inherited from class Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

MsCertificateManagementService

public MsCertificateManagementService(SystemPersistenceManager spm,
 IDaoFactory daoFactory,
 MsCryptoSettingsService cryptoSettingsService,
 IUserAccessController userAccessController,
 IAuditServiceFactory auditServiceFactory,
 ICertificateEventPublisher eventPublisher)

Method Details

deleteCertificate

public void deleteCertificate(Long id,
 CertificateManagementUser user)
                       throws FcCertificateManagementException

Description copied from interface: RpcCertificateManagementService

Deletes a certificate from the system.

Note: This method will also delete the keystore it is assigned to if it is the last entry in the keystore.

Specified by:

deleteCertificate in interface RpcCertificateManagementService

Parameters:

id - the ID of the certificate to delete.

user - the user deleting the certificate.

Throws:

FcCertificateManagementException - if an error occurs during certificate deletion or the user does not have permission to delete the certificate.

exportCSR

public byte[] exportCSR(Long certificateId,
 ECsrFileType fileType,
 CertificateManagementUser user)
                 throws IOException,
FcCertificateManagementException

Description copied from interface: RpcCertificateManagementService

Exports a Certificate Signing Request (CSR)

Specified by:

exportCSR in interface RpcCertificateManagementService

Parameters:

certificateId - the ID of the certificate for which the CSR will be exported.

fileType - the file type to export the CSR as.

user - the user who is exporting the CSR.

Returns:

a byte array containing the exported CSR data.

Throws:

IOException - if an I/O error occurs during export.

FcCertificateManagementException - if an error occurs during CSR export (e.g. the certificate could not be found or has no CSR, which is the case for externally imported certificates) or the user does not have permission to export the CSR.

exportCertificate

public byte[] exportCertificate(Long certificateId,
 ECertificateFileType fileType,
 CertificateManagementUser user)
                         throws IOException,
FcCertificateManagementException

Description copied from interface: RpcCertificateManagementService

Exports a certificate

Specified by:

exportCertificate in interface RpcCertificateManagementService

Parameters:

certificateId - the ID of the certificate to export.

fileType - the file type to export the certificate as.

user - the user who is exporting the certificate.

Returns:

a byte array containing the exported certificate data.

Throws:

IOException - if an I/O error occurs during export.

FcCertificateManagementException - if an error occurs during certificate export (e.g. the certificate could not be found or the user does not have permission to export the certificate).

exportKeyPair

public byte[] exportKeyPair(Long certificateId,
 char[] password,
 EKeyPairFileType fileType,
 CertificateManagementUser user)
                     throws IOException,
FcCertificateManagementException

Description copied from interface: RpcCertificateManagementService

Exports a key pair (both public and private keys) of a certificate

Specified by:

exportKeyPair in interface RpcCertificateManagementService

Parameters:

certificateId - the ID of the certificate whose key pair will be exported.

password - the password to protect the exported key pair.

fileType - the file type to export the key pair as.

user - the user who is exporting the key pair.

Returns:

a byte array containing the exported key pair data.

Throws:

IOException - if an I/O error occurs during export.

FcCertificateManagementException - if an error occurs during key pair export (e.g. the certificate could not be found or the user does not have permission to export the key pair).

exportPrivateKey

public byte[] exportPrivateKey(Long certificateId,
 char[] password,
 EPrivateKeyFileType fileType,
 CertificateManagementUser user)
                        throws IOException,
FcCertificateManagementException

Description copied from interface: RpcCertificateManagementService

Exports the private key of a certificate

Specified by:

exportPrivateKey in interface RpcCertificateManagementService

Parameters:

certificateId - the ID of the certificate whose private key will be exported.

password - the password to protect the exported private key.

fileType - the file type to export the private key as.

user - the user who is exporting the private key.

Returns:

a byte array containing the exported private key data.

Throws:

IOException - if an I/O error occurs during export.

FcCertificateManagementException - if an error occurs during private key export (e.g. the certificate could not be or the user does not have permission to export the private key).

exportPublicKey

public byte[] exportPublicKey(Long certificateId,
 EPublicKeyFileType fileType,
 CertificateManagementUser user)
                       throws IOException,
FcCertificateManagementException

Description copied from interface: RpcCertificateManagementService

Exports the public key of a certificate

Specified by:

exportPublicKey in interface RpcCertificateManagementService

Parameters:

certificateId - the ID of the certificate whose public key will be exported.

fileType - the file type to export the public key as.

user - the user who is exporting the public key.

Returns:

a byte array containing the exported public key data.

Throws:

IOException - if an I/O error occurs during export.

FcCertificateManagementException - if an error occurs during public key export (e.g. the certificate could not be found or the user does not have permission to export the public key).

findById

public Optional<CertificateInfoDTO> findById(Long certificateId,
 CertificateManagementUser user)
                                      throws FcCertificateManagementException

Description copied from interface: RpcCertificateManagementService

Retrieves the certificate with the specified ID.

Specified by:

findById in interface RpcCertificateManagementService

Parameters:

certificateId - the ID of the certificate to retrieve.

user - the user who is requesting the certificate.

Returns:

an Optional containing the CertificateInfoDTO object with the specified ID.

Throws:

FcCertificateManagementException - if the user does not have permission to access the certificate.

findValidCertificatesForSubject

public List<CertificateInfoDTO> findValidCertificatesForSubject(CertificateSelectionBySubjectQuery query,
 CertificateManagementUser user)
                                                         throws FcCertificateManagementException

Description copied from interface: RpcCertificateManagementService

Retrieves all valid certificates for a given subject within a defined scope.

Specified by:

findValidCertificatesForSubject in interface RpcCertificateManagementService

Parameters:

query - the CertificateSelectionBySubjectQuery defining the subject, scope and optionally further criteria to filter the certificates (e.g. usage types, algorithms, etc.).

user - the user requesting the certificates.

Returns:

a list of CertificateInfoDTO objects representing the valid client certificates that match the given criteria.

Throws:

FcCertificateManagementException - if an error occurs during the search or the user does not have permission to access the certificates.

findValidCertificatesForUsageSubject

public List<CertificateInfoDTO> findValidCertificatesForUsageSubject(CertificateSelectionByUsageSubjectQuery query,
 CertificateManagementUser user)
                                                              throws FcCertificateManagementException

Description copied from interface: RpcCertificateManagementService

Retrieves all valid client certificates for a given usage subject within a defined scope. This is in contrast to RpcCertificateManagementService.findValidCertificatesForSubject(CertificateSelectionBySubjectQuery, CertificateManagementUser), which retrieves the certificates by their subject, and not by their usage subject.

Specified by:

findValidCertificatesForUsageSubject in interface RpcCertificateManagementService

Parameters:

query - the CertificateSelectionByUsageSubjectQuery defining the usage subject, scope and optionally further criteria to filter the certificates (e.g. key algorithm, private key presence, etc.).

user - the user requesting the certificates.

Returns:

a list of CertificateInfoDTO objects representing the valid client certificates that match the given criteria.

Throws:

FcCertificateManagementException - if an error occurs during the search or the user does not have permission to access the certificates.

generateCertificate

public CertificateInfoDTO generateCertificate(X501DistinguishedName certificateSubject,
 Duration certificateValidity,
 IKeyPairGenerationSpec keyPairGenerationSpec,
 List<ICertificateUsageSpecification> certificateUsageSpecifications,
 Long signingAuthorityId,
 KeyStoreSelector keyStoreSelector,
 boolean autoRenew,
 CertificateManagementUser user)
                                       throws FcCertificateManagementException

Description copied from interface: RpcCertificateManagementService

Generates a certificate with the given specifications.

Specified by:

generateCertificate in interface RpcCertificateManagementService

Parameters:

certificateSubject - the subject information for the certificate.

certificateValidity - the validity period of the certificate.

keyPairGenerationSpec - the specifications for generating the key pair, including the algorithm and algorithm-specific settings.

certificateUsageSpecifications - the (optional) usage specification the certificate will be used (e.g. SMIME certificate with email addresses).

signingAuthorityId - the ID of the signing authority that will sign the certificate.

keyStoreSelector - the keystore selector, defining the keystore where the key pair will be stored.

autoRenew - whether the certificate should be automatically renewed before it expires.

user - the user generating the key pair and certificate.

Returns:

a CertificateInfoDTO object containing information about the generated certificate.

Throws:

FcCertificateManagementException - if an error occurs during certificate generation or the user does not have permission to generate the certificate.

generateCertificate

public CertificateInfoDTO generateCertificate(X501DistinguishedName certificateSubject,
 Duration certificateValidity,
 IKeyPairGenerationSpec keyPairGenerationSpec,
 List<ICertificateUsageSpecification> certificateUsageSpecifications,
 KeyStoreSelector keyStoreSelector,
 boolean autoRenew,
 CertificateManagementUser user)
                                       throws FcCertificateManagementException

Description copied from interface: RpcCertificateManagementService

Generates a self-signed certificate with the given specifications.

Specified by:

generateCertificate in interface RpcCertificateManagementService

Parameters:

certificateSubject - the subject information for the certificate.

certificateValidity - the validity period of the certificate.

keyPairGenerationSpec - the specifications for generating the key pair, including the algorithm and algorithm-specific settings.

certificateUsageSpecifications - the (optional) usage specification the certificate will be used (e.g. SMIME certificate with email addresses).

keyStoreSelector - the keystore selector, defining the keystore where the key pair will be stored.

autoRenew - whether the certificate should be automatically renewed before it expires.

user - the user generating the key pair and certificate.

Returns:

a CertificateInfoDTO object containing information about the generated certificate.

Throws:

FcCertificateManagementException - if an error occurs during certificate generation or the user does not have permission to generate the certificate.

getCurrentValidCertificateForSubject

public Optional<CertificateInfoDTO> getCurrentValidCertificateForSubject(CertificateSelectionBySubjectQuery query,
 CertificateManagementUser user)
                                                                  throws FcCertificateManagementException

Description copied from interface: RpcCertificateManagementService

Retrieves the current valid certificate for the given subject within a defined scope.

CertificateSelectionBySubjectQuery.isPartialMatch() does not apply in this method; only exact matches are considered.

Specified by:

getCurrentValidCertificateForSubject in interface RpcCertificateManagementService

Parameters:

query - the CertificateSelectionBySubjectQuery defining the subject, scope and optionally further criteria to filter the certificates (e.g. usage types, algorithms, etc.).

user - the user requesting the certificate.

Returns:

an Optional containing the CertificateInfoDTO object if the certificate exists.

Throws:

FcCertificateManagementException - if an error occurs during the search or the user does not have permission to access the certificate.

getCurrentValidCertificateForUsageSubject

public Optional<CertificateInfoDTO> getCurrentValidCertificateForUsageSubject(CertificateSelectionByUsageSubjectQuery query,
 CertificateManagementUser user)
                                                                       throws FcCertificateManagementException

Description copied from interface: RpcCertificateManagementService

Retrieves the current valid certificate for the given usage subject within a defined scope. This is in contrast to RpcCertificateManagementService.getCurrentValidCertificateForSubject(CertificateSelectionBySubjectQuery, CertificateManagementUser), which retrieves the certificate by its subject, and not by its usage subject.

CertificateSelectionByUsageSubjectQuery.isPartialMatch() does not apply in this method; only exact matches are considered.

Specified by:

getCurrentValidCertificateForUsageSubject in interface RpcCertificateManagementService

Parameters:

query - the CertificateSelectionByUsageSubjectQuery defining the usage subject, scope and optionally further criteria to filter the certificates (e.g. key algorithm, private key presence, etc.).

user - the user requesting the certificate.

Returns:

an Optional containing the CertificateInfoDTO object if the certificate exists.

Throws:

FcCertificateManagementException - if an error occurs during the search or the user does not have permission to access the certificate.

importCryptographicCredentials

public FileImportResult importCryptographicCredentials(SerializableInputStreamContainer is,
 KeyStoreSelector keyStoreSelector,
 CertificateManagementUser user)
                                                throws IOException,
FcCertificateManagementException

Description copied from interface: RpcCertificateManagementService

Universal method to import a file into the keystore. The method will automatically detect the type of the file and import it accordingly. It is capable of importing all file types specified in the enum ECryptoFileFormat

Specified by:

importCryptographicCredentials in interface RpcCertificateManagementService

Parameters:

is - the input stream containing the file data

keyStoreSelector - the selector, defining the keystore to import the file into

user - the user who is importing the file

Returns:

a FileImportResult object containing information about the imported file

Throws:

IOException - if an I/O error occurs during import

FcCertificateManagementException - if the file data has an invalid or unknown format or if a custom keystore could not be created

importCryptographicCredentials

public FileImportResult importCryptographicCredentials(SerializableInputStreamContainer is,
 FileImportSpecification fileImportSpecification,
 KeyStoreSelector keyStoreSelector,
 CertificateManagementUser user)
                                                throws IOException,
FcCertificateManagementException

Description copied from interface: RpcCertificateManagementService

Universal method to import a file into the keystore. The method will automatically detect the type of the file and import it accordingly. It is capable of importing all file types specified in the enum ECryptoFileFormat

Specified by:

importCryptographicCredentials in interface RpcCertificateManagementService

Parameters:

is - the input stream containing the file data

fileImportSpecification - the credentials for the import (e.g. in case of an encrypted file, where the file itself and/or the entries from the files are protected)

keyStoreSelector - the selector, defining the keystore to import the file into

user - the user who is importing the file

Returns:

a FileImportResult object containing information about the imported file

Throws:

IOException - if an I/O error occurs during import

FcCertificateManagementException - if the file data has an invalid or unknown format or if a custom keystore could not be created

renewCertificate

public CertificateInfoDTO renewCertificate(Long certificateId,
 CertificateManagementUser user)
                                    throws FcCertificateManagementException

Description copied from interface: RpcCertificateManagementService

Renews a certificate by generating a new certificate with the same subject and key pair. This method will only succeed if the certificate has a private key associated with it!

If the certificate to be renewed is expired already, the new certificate will become the new default certificate for the associated key. Otherwise, the new certificate will be listed as the prepared replacement certificate.

Specified by:

renewCertificate in interface RpcCertificateManagementService

Parameters:

certificateId - the ID of the certificate to renew.

user - the user renewing the certificate.

Returns:

a CertificateInfoDTO object containing information about the renewed certificate.

Throws:

FcCertificateManagementException - if an error occurs during certificate renewal (e.g. the certificate has no private key or could not be found in the database) or the user does not have permission to renew the certificate.

update

public CertificateInfoDTO update(CertificateInfoDTO certificate,
 CertificateManagementUser user)
                          throws FcCertificateManagementException

Description copied from interface: RpcCertificateManagementService

Updates the metadata of a certificate. Only certain fields can be updated, such as the renewal strategy.

Specified by:

update in interface RpcCertificateManagementService

Parameters:

certificate - the CertificateInfoDTO object containing the updated certificate information. The ID field must be set to identify the certificate to update.

user - the user updating the certificate.

Returns:

a CertificateInfoDTO object containing information about the updated certificate.

Throws:

FcCertificateManagementException - if an error occurs during certificate update (e.g. the certificate could not be found in the database) or the user does not have permission to update the certificate.