Class CertificateManagementServiceImpl

java.lang.Object

de.xima.fc.certificate.mgmt.internal.CertificateManagementServiceImpl

All Implemented Interfaces:

CertificateManagementService

@ApplicationScoped
public class CertificateManagementServiceImpl
extends Object
implements CertificateManagementService

Since:

30.01.26

Author:

Norman Lorenz

Method Summary

Modifier and Type	Method	Description
void	deleteCertificate(Long id, CertificateManagementUser user)	Deletes a certificate from the system.
void	exportCertificate(Long certificateId, OutputStream os, ECertificateFileType fileType, CertificateManagementUser user)	Exports a certificate to the specified output stream.
void	exportCSR(Long certificateId, OutputStream os, ECsrFileType fileType, CertificateManagementUser user)	Exports a Certificate Signing Request (CSR) to the specified output stream.
void	exportKeyPair(Long certificateId, OutputStream os, char[] password, EKeyPairFileType fileType, CertificateManagementUser user)	Exports a key pair (both public and private keys) of a certificate to the specified output stream.
void	exportPrivateKey(Long certificateId, OutputStream os, char[] password, EPrivateKeyFileType fileType, CertificateManagementUser user)	Exports the private key of a certificate to the specified output stream.
void	exportPublicKey(Long certificateId, OutputStream os, EPublicKeyFileType fileType, CertificateManagementUser user)	Exports the public key of a certificate to the specified output stream.
Optional<CertificateInfoDTO>	findById(Long certificateId, CertificateManagementUser user)	Retrieves the certificate with the specified ID.
List<CertificateInfoDTO>	findValidCertificatesForSubject(CertificateSelectionBySubjectQuery query, CertificateManagementUser user)	Retrieves all valid certificates for a given subject within a defined scope.
List<CertificateInfoDTO>	findValidCertificatesForUsageSubject(CertificateSelectionByUsageSubjectQuery query, CertificateManagementUser user)	Retrieves all valid client certificates for a given usage subject within a defined scope.
CertificateInfoDTO	generateCertificate(X501DistinguishedName certificateSubject, Duration certificateValidity, IKeyPairGenerationSpec keyPairGenerationSpec, List<ICertificateUsageSpecification> certificateUsageSpecifications, KeyStoreSelector keyStoreSelector, boolean autoRenew, CertificateManagementUser user)	Generates a self-signed certificate with the given specifications.
CertificateInfoDTO	generateCertificate(X501DistinguishedName certificateSubject, Duration certificateValidity, IKeyPairGenerationSpec keyPairGenerationSpec, List<ICertificateUsageSpecification> certificateUsageSpecifications, Long signingAuthorityId, KeyStoreSelector keyStoreSelector, boolean autoRenew, CertificateManagementUser user)	Generates a certificate with the given specifications.
Optional<CertificateInfoDTO>	getCurrentValidCertificateForSubject(CertificateSelectionBySubjectQuery query, CertificateManagementUser user)	Retrieves the current valid certificate for the given subject within a defined scope.
Optional<CertificateInfoDTO>	getCurrentValidCertificateForUsageSubject(CertificateSelectionByUsageSubjectQuery query, CertificateManagementUser user)	Retrieves the current valid certificate for the given usage subject within a defined scope.
FileImportResult	importCryptographicCredentials(InputStream is, FileImportSpecification fileImportSpecification, KeyStoreSelector keyStoreSelector, CertificateManagementUser user)	Universal method to import a file into the keystore.
FileImportResult	importCryptographicCredentials(InputStream is, KeyStoreSelector keyStoreSelector, CertificateManagementUser user)	Universal method to import a file into the keystore.
CertificateInfoDTO	renewCertificate(Long certificateId, CertificateManagementUser user)	Renews a certificate by generating a new certificate with the same subject and key pair.
CertificateInfoDTO	update(CertificateInfoDTO certificate, CertificateManagementUser user)	Updates the metadata of a certificate.

Methods inherited from class Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Details

deleteCertificate

public void deleteCertificate(Long id,
 CertificateManagementUser user)
                       throws FcCertificateManagementException

Description copied from interface: CertificateManagementService

Deletes a certificate from the system.

Note: This method will also delete the keystore it is assigned to if it is the last entry in the keystore.

Specified by:

deleteCertificate in interface CertificateManagementService

Parameters:

id - the ID of the certificate to delete.

user - the user deleting the certificate.

Throws:

FcCertificateManagementException - if an error occurs during certificate deletion or the user does not have permission to delete the certificate.

exportCSR

public void exportCSR(Long certificateId,
 OutputStream os,
 ECsrFileType fileType,
 CertificateManagementUser user)
               throws IOException,
FcCertificateManagementException

Description copied from interface: CertificateManagementService

Exports a Certificate Signing Request (CSR) to the specified output stream.

Specified by:

exportCSR in interface CertificateManagementService

Parameters:

certificateId - the ID of the certificate for which the CSR will be exported.

os - the output stream to write the CSR data to.

fileType - the file type to export the CSR as.

user - the user who is exporting the CSR.

Throws:

IOException - if an I/O error occurs during export.

FcCertificateManagementException - if an error occurs during CSR export (e.g. the certificate could not be found or has no CSR, which is the case for externally imported certificates) or the user does not have permission to export the CSR.

exportCertificate

public void exportCertificate(Long certificateId,
 OutputStream os,
 ECertificateFileType fileType,
 CertificateManagementUser user)
                       throws IOException,
FcCertificateManagementException

Description copied from interface: CertificateManagementService

Exports a certificate to the specified output stream.

Specified by:

exportCertificate in interface CertificateManagementService

Parameters:

certificateId - the ID of the certificate to export.

os - the output stream to write the certificate data to.

fileType - the file type to export the certificate as.

user - the user who is exporting the certificate.

Throws:

IOException - if an I/O error occurs during export.

FcCertificateManagementException - if an error occurs during certificate export (e.g. the certificate could not be found or the user does not have permission to export the certificate).

exportKeyPair

public void exportKeyPair(Long certificateId,
 OutputStream os,
 char[] password,
 EKeyPairFileType fileType,
 CertificateManagementUser user)
                   throws IOException,
FcCertificateManagementException

Description copied from interface: CertificateManagementService

Exports a key pair (both public and private keys) of a certificate to the specified output stream.

Specified by:

exportKeyPair in interface CertificateManagementService

Parameters:

certificateId - the ID of the certificate whose key pair will be exported.

os - the output stream to write the key pair data to.

password - the password to protect the exported key pair.

fileType - the file type to export the key pair as.

user - the user who is exporting the key pair.

Throws:

IOException - if an I/O error occurs during export.

FcCertificateManagementException - if an error occurs during key pair export (e.g. the certificate could not be found or the user does not have permission to export the key pair).

exportPrivateKey

public void exportPrivateKey(Long certificateId,
 OutputStream os,
 char[] password,
 EPrivateKeyFileType fileType,
 CertificateManagementUser user)
                      throws IOException,
FcCertificateManagementException

Description copied from interface: CertificateManagementService

Exports the private key of a certificate to the specified output stream.

Specified by:

exportPrivateKey in interface CertificateManagementService

Parameters:

certificateId - the ID of the certificate whose private key will be exported.

os - the output stream to write the private key data to.

password - the password to protect the exported private key.

fileType - the file type to export the private key as.

user - the user who is exporting the private key.

Throws:

IOException - if an I/O error occurs during export.

FcCertificateManagementException - if an error occurs during private key export (e.g. the certificate could not be or the user does not have permission to export the private key).

exportPublicKey

public void exportPublicKey(Long certificateId,
 OutputStream os,
 EPublicKeyFileType fileType,
 CertificateManagementUser user)
                     throws IOException,
FcCertificateManagementException

Description copied from interface: CertificateManagementService

Exports the public key of a certificate to the specified output stream.

Specified by:

exportPublicKey in interface CertificateManagementService

Parameters:

certificateId - the ID of the certificate whose public key will be exported.

os - the output stream to write the public key data to.

fileType - the file type to export the public key as.

user - the user who is exporting the public key.

Throws:

IOException - if an I/O error occurs during export.

FcCertificateManagementException - if an error occurs during public key export (e.g. the certificate could not be found or the user does not have permission to export the public key).

findById

public Optional<CertificateInfoDTO> findById(Long certificateId,
 CertificateManagementUser user)
                                      throws FcCertificateManagementException

Description copied from interface: CertificateManagementService

Retrieves the certificate with the specified ID.

Specified by:

findById in interface CertificateManagementService

Parameters:

certificateId - the ID of the certificate to retrieve.

user - the user who is requesting the certificate.

Returns:

an Optional containing the CertificateInfoDTO object with the specified ID.

Throws:

FcCertificateManagementException - if the user does not have permission to access the certificate.

findValidCertificatesForSubject

public List<CertificateInfoDTO> findValidCertificatesForSubject(CertificateSelectionBySubjectQuery query,
 CertificateManagementUser user)
                                                         throws FcCertificateManagementException

Description copied from interface: CertificateManagementService

Retrieves all valid certificates for a given subject within a defined scope.

Specified by:

findValidCertificatesForSubject in interface CertificateManagementService

Parameters:

query - the CertificateSelectionBySubjectQuery defining the subject, scope and optionally further criteria to filter the certificates (e.g. usage types, algorithms, etc.).

user - the user requesting the certificates.

Returns:

a list of CertificateInfoDTO objects representing the valid client certificates that match the given criteria.

Throws:

FcCertificateManagementException - if an error occurs during the search or the user does not have permission to access the certificates.

findValidCertificatesForUsageSubject

public List<CertificateInfoDTO> findValidCertificatesForUsageSubject(CertificateSelectionByUsageSubjectQuery query,
 CertificateManagementUser user)
                                                              throws FcCertificateManagementException

Description copied from interface: CertificateManagementService

Retrieves all valid client certificates for a given usage subject within a defined scope. This is in contrast to CertificateManagementService.findValidCertificatesForSubject(CertificateSelectionBySubjectQuery, CertificateManagementUser), which retrieves the certificates by their subject, and not by their usage subject.

Specified by:

findValidCertificatesForUsageSubject in interface CertificateManagementService

Parameters:

query - the CertificateSelectionByUsageSubjectQuery defining the usage subject, scope and optionally further criteria to filter the certificates (e.g. key algorithm, private key presence, etc.).

user - the user requesting the certificates.

Returns:

a list of CertificateInfoDTO objects representing the valid client certificates that match the given criteria.

Throws:

FcCertificateManagementException - if an error occurs during the search or the user does not have permission to access the certificates.

generateCertificate

public CertificateInfoDTO generateCertificate(X501DistinguishedName certificateSubject,
 Duration certificateValidity,
 IKeyPairGenerationSpec keyPairGenerationSpec,
 List<ICertificateUsageSpecification> certificateUsageSpecifications,
 Long signingAuthorityId,
 KeyStoreSelector keyStoreSelector,
 boolean autoRenew,
 CertificateManagementUser user)
                                       throws FcCertificateManagementException

Description copied from interface: CertificateManagementService

Generates a certificate with the given specifications.

Specified by:

generateCertificate in interface CertificateManagementService

Parameters:

certificateSubject - the subject information for the certificate.

certificateValidity - the validity period of the certificate.

keyPairGenerationSpec - the specifications for generating the key pair, including the algorithm and algorithm-specific settings.

certificateUsageSpecifications - the (optional) usage specification the certificate will be used (e.g. SMIME certificate with email addresses).

signingAuthorityId - the ID of the signing authority that will sign the certificate.

keyStoreSelector - the keystore selector, defining the keystore where the key pair will be stored.

autoRenew - whether the certificate should be automatically renewed before it expires.

user - the user generating the key pair and certificate.

Returns:

a CertificateInfoDTO object containing information about the generated certificate.

Throws:

FcCertificateManagementException - if an error occurs during certificate generation or the user does not have permission to generate the certificate.

generateCertificate

public CertificateInfoDTO generateCertificate(X501DistinguishedName certificateSubject,
 Duration certificateValidity,
 IKeyPairGenerationSpec keyPairGenerationSpec,
 List<ICertificateUsageSpecification> certificateUsageSpecifications,
 KeyStoreSelector keyStoreSelector,
 boolean autoRenew,
 CertificateManagementUser user)
                                       throws FcCertificateManagementException

Description copied from interface: CertificateManagementService

Generates a self-signed certificate with the given specifications.

Specified by:

generateCertificate in interface CertificateManagementService

Parameters:

certificateSubject - the subject information for the certificate.

certificateValidity - the validity period of the certificate.

keyPairGenerationSpec - the specifications for generating the key pair, including the algorithm and algorithm-specific settings.

certificateUsageSpecifications - the (optional) usage specification the certificate will be used (e.g. SMIME certificate with email addresses).

keyStoreSelector - the keystore selector, defining the keystore where the key pair will be stored.

autoRenew - whether the certificate should be automatically renewed before it expires.

user - the user generating the key pair and certificate.

Returns:

a CertificateInfoDTO object containing information about the generated certificate.

Throws:

FcCertificateManagementException - if an error occurs during certificate generation or the user does not have permission to generate the certificate.

getCurrentValidCertificateForSubject

public Optional<CertificateInfoDTO> getCurrentValidCertificateForSubject(CertificateSelectionBySubjectQuery query,
 CertificateManagementUser user)
                                                                  throws FcCertificateManagementException

Description copied from interface: CertificateManagementService

Retrieves the current valid certificate for the given subject within a defined scope.

CertificateSelectionBySubjectQuery.isPartialMatch() does not apply in this method; only exact matches are considered.

Specified by:

getCurrentValidCertificateForSubject in interface CertificateManagementService

Parameters:

query - the CertificateSelectionBySubjectQuery defining the subject, scope and optionally further criteria to filter the certificates (e.g. usage types, algorithms, etc.).

user - the user requesting the certificate.

Returns:

an Optional containing the CertificateInfoDTO object if the certificate exists.

Throws:

FcCertificateManagementException - if an error occurs during the search or the user does not have permission to access the certificate.

getCurrentValidCertificateForUsageSubject

public Optional<CertificateInfoDTO> getCurrentValidCertificateForUsageSubject(CertificateSelectionByUsageSubjectQuery query,
 CertificateManagementUser user)
                                                                       throws FcCertificateManagementException

Description copied from interface: CertificateManagementService

Retrieves the current valid certificate for the given usage subject within a defined scope. This is in contrast to CertificateManagementService.getCurrentValidCertificateForSubject(CertificateSelectionBySubjectQuery, CertificateManagementUser), which retrieves the certificate by its subject, and not by its usage subject.

CertificateSelectionByUsageSubjectQuery.isPartialMatch() does not apply in this method; only exact matches are considered.

Specified by:

getCurrentValidCertificateForUsageSubject in interface CertificateManagementService

Parameters:

query - the CertificateSelectionByUsageSubjectQuery defining the usage subject, scope and optionally further criteria to filter the certificates (e.g. key algorithm, private key presence, etc.).

user - the user requesting the certificate.

Returns:

an Optional containing the CertificateInfoDTO object if the certificate exists.

Throws:

FcCertificateManagementException - if an error occurs during the search or the user does not have permission to access the certificate.

importCryptographicCredentials

public FileImportResult importCryptographicCredentials(InputStream is,
 KeyStoreSelector keyStoreSelector,
 CertificateManagementUser user)
                                                throws IOException,
FcCertificateManagementException

Description copied from interface: CertificateManagementService

Universal method to import a file into the keystore. The method will automatically detect the type of the file and import it accordingly. It is capable of importing all file types specified in the enum ECryptoFileFormat

Specified by:

importCryptographicCredentials in interface CertificateManagementService

Parameters:

is - the input stream containing the file data

keyStoreSelector - the selector, defining the keystore to import the file into

user - the user who is importing the file

Returns:

a FileImportResult object containing information about the imported file

Throws:

IOException - if an I/O error occurs during import

FcCertificateManagementException - if the file data has an invalid or unknown format or if a custom keystore could not be created

importCryptographicCredentials

public FileImportResult importCryptographicCredentials(InputStream is,
 FileImportSpecification fileImportSpecification,
 KeyStoreSelector keyStoreSelector,
 CertificateManagementUser user)
                                                throws IOException,
FcCertificateManagementException

Description copied from interface: CertificateManagementService

Universal method to import a file into the keystore. The method will automatically detect the type of the file and import it accordingly. It is capable of importing all file types specified in the enum ECryptoFileFormat

Specified by:

importCryptographicCredentials in interface CertificateManagementService

Parameters:

is - the input stream containing the file data

fileImportSpecification - the credentials for the import (e.g. in case of an encrypted file, where the file itself and/or the entries from the files are protected)

keyStoreSelector - the selector, defining the keystore to import the file into

user - the user who is importing the file

Returns:

a FileImportResult object containing information about the imported file

Throws:

IOException - if an I/O error occurs during import

FcCertificateManagementException - if the file data has an invalid or unknown format or if a custom keystore could not be created

renewCertificate

public CertificateInfoDTO renewCertificate(Long certificateId,
 CertificateManagementUser user)
                                    throws FcCertificateManagementException

Description copied from interface: CertificateManagementService

Renews a certificate by generating a new certificate with the same subject and key pair. This method will only succeed if the certificate has a private key associated with it!

If the certificate to be renewed is expired already, the new certificate will become the new default certificate for the associated key. Otherwise, the new certificate will be listed as the prepared replacement certificate.

Specified by:

renewCertificate in interface CertificateManagementService

Parameters:

certificateId - the ID of the certificate to renew.

user - the user renewing the certificate.

Returns:

a CertificateInfoDTO object containing information about the renewed certificate.

Throws:

FcCertificateManagementException - if an error occurs during certificate renewal (e.g. the certificate has no private key or could not be found in the database) or the user does not have permission to renew the certificate.

update

public CertificateInfoDTO update(CertificateInfoDTO certificate,
 CertificateManagementUser user)
                          throws FcCertificateManagementException

Description copied from interface: CertificateManagementService

Updates the metadata of a certificate. Only certain fields can be updated, such as the renewal strategy.

Specified by:

update in interface CertificateManagementService

Parameters:

certificate - the CertificateInfoDTO object containing the updated certificate information. The ID field must be set to identify the certificate to update.

user - the user updating the certificate.

Returns:

a CertificateInfoDTO object containing information about the updated certificate.

Throws:

FcCertificateManagementException - if an error occurs during certificate update (e.g. the certificate could not be found in the database) or the user does not have permission to update the certificate.