org.forgerock.secrets.keys

Enum KeyUsage

java.lang.Object

java.lang.Enum<KeyUsage>

org.forgerock.secrets.keys.KeyUsage

All Implemented Interfaces:

Serializable, Comparable<KeyUsage>

public enum KeyUsage
extends Enum<KeyUsage>

Indicates the allowed usages for a particular key. Where applicable the values are mapped to equivalent X.509 KeyUsage extension and WebCrypto KeyUsage values.

See Also:

RFC 5280 (section 4.2.1.3), WebCrypto KeyUsage

Enum Constant Summary

Enum Constants

Enum Constant and Description
AGREE_KEY Key is intended for deriving a key via a key agreement protocol such as Diffie-Hellman.
DECRYPT Key is intended for decrypting data directly.
ENCRYPT Key is intended for encrypting data directly.
SIGN Key is intended for signing messages with digital signatures.
UNWRAP_KEY Key is intended for decrypting (unwrapping) other keys.
VERIFY Key is intended for verifying signatures on messages.
WRAP_KEY Key is intended for encrypting (wrapping) other keys.

Method Summary

Modifier and Type	Method and Description
static EnumSet<KeyUsage>	forKeyType(Class<? extends CryptoKey> keyType) Returns the set of all key usages that are applicable to the given key type.
static Optional<KeyUsage>	forWebCryptoName(String keyOperation) Converts a Web Crypto/JWK key operation name into the equivalent key usage constant.
static EnumSet<KeyUsage>	fromCertificate(Certificate certificate) Determines what usages are allowed for a public key based on the associated certificate.
static EnumSet<KeyUsage>	fromX509KeyUsageBits(boolean[] bits) Converts an X.509 KeyUsage bit vector into a corresponding set of usage values.
Class<? extends CryptoKey>	getKeyType() The key type corresponding to this key usage.
String	getWebCryptoName() The standard WebCrypto KeyUsage name for this usage.
int	getX509BitPosition() The bit position of this usage in the X.509 KeyUsage extension.
String	getX509StandardName() The standard name of this key usage in the X.509 standard.
String	toString()
static boolean[]	toX509KeyUsageBits(Set<KeyUsage> usages) Converts a set of key usage values to an X.509 KeyUsage constraint bit string.
static KeyUsage	valueOf(String name) Returns the enum constant of this type with the specified name.
static KeyUsage[]	values() Returns an array containing the constants of this enum type, in the order they are declared.

Methods inherited from class java.lang.Enum

clone, compareTo, equals, finalize, getDeclaringClass, hashCode, name, ordinal, valueOf

Methods inherited from class java.lang.Object

getClass, notify, notifyAll, wait, wait, wait

Enum Constant Detail

ENCRYPT

public static final KeyUsage ENCRYPT

Key is intended for encrypting data directly.

DECRYPT

public static final KeyUsage DECRYPT

Key is intended for decrypting data directly.

SIGN

public static final KeyUsage SIGN

Key is intended for signing messages with digital signatures.

VERIFY

public static final KeyUsage VERIFY

Key is intended for verifying signatures on messages.

AGREE_KEY

public static final KeyUsage AGREE_KEY

Key is intended for deriving a key via a key agreement protocol such as Diffie-Hellman. The WebCrypto spec treats this as a special-case of the "deriveKey" and/or "deriveBits" usages, but we treat it separately as there are significant differences in how key agreement is used compared to key derivation functions such as HKDF or PBKDF2.

WRAP_KEY

public static final KeyUsage WRAP_KEY

Key is intended for encrypting (wrapping) other keys. This is the typical mode when using public key cryptography where typically a temporary symmetric key will be generated and used to encrypt the message with a fast symmetric block cipher, such as AES, and then just this temporary key is encrypted using the expensive encryption such as RSA.

UNWRAP_KEY

public static final KeyUsage UNWRAP_KEY

Key is intended for decrypting (unwrapping) other keys.

Method Detail

values

public static KeyUsage[] values()

Returns an array containing the constants of this enum type, in the order they are declared. This method may be used to iterate over the constants as follows:

for (KeyUsage c : KeyUsage.values())
    System.out.println(c);

Returns:

an array containing the constants of this enum type, in the order they are declared

valueOf

public static KeyUsage valueOf(String name)

Returns the enum constant of this type with the specified name. The string must match exactly an identifier used to declare an enum constant in this type. (Extraneous whitespace characters are not permitted.)

Parameters:

name - the name of the enum constant to be returned.

Returns:

the enum constant with the specified name

Throws:

IllegalArgumentException - if this enum type has no constant with the specified name

NullPointerException - if the argument is null

fromCertificate

public static EnumSet<KeyUsage> fromCertificate(Certificate certificate)

Determines what usages are allowed for a public key based on the associated certificate. For X.509 certificates, this checks the KeyUsage extension. If it is not possible to determine what constraints are applied to the key, then this returns all usages as valid. This is because in the absence of constraints it is not possible to say what should be forbidden and it makes validation checks easier to perform as the validator can just assert the presence of desired usages.

Parameters:

certificate - the certificate to check for usage constraints.

Returns:

the set of allowed key usages.

fromX509KeyUsageBits

public static EnumSet<KeyUsage> fromX509KeyUsageBits(boolean[] bits)

Converts an X.509 KeyUsage bit vector into a corresponding set of usage values.

Parameters:

bits - the X.509 KeyUsage bit vector.

Returns:

the corresponding usage values.

forKeyType

public static EnumSet<KeyUsage> forKeyType(Class<? extends CryptoKey> keyType)

Returns the set of all key usages that are applicable to the given key type.

Parameters:

keyType - the type of key.

Returns:

the set of all key usages that that key type is applicable to.

toX509KeyUsageBits

public static boolean[] toX509KeyUsageBits(Set<KeyUsage> usages)

Converts a set of key usage values to an X.509 KeyUsage constraint bit string.

Parameters:

usages - the allowed usages.

Returns:

the X.509 key usage bit string.

See Also:

X509Certificate.getKeyUsage()

forWebCryptoName

public static Optional<KeyUsage> forWebCryptoName(String keyOperation)

Converts a Web Crypto/JWK key operation name into the equivalent key usage constant.

Parameters:

keyOperation - a Web Crypto/JWK key operation name.

Returns:

the equivalent key usage, or empty if this key operation does not correspond to any known key usage.

getX509StandardName

public String getX509StandardName()

The standard name of this key usage in the X.509 standard.

Returns:

the X.509 standard name for this usage, or null if no equivalent.

getWebCryptoName

public String getWebCryptoName()

The standard WebCrypto KeyUsage name for this usage.

Returns:

the WebCrypto KeyUsage name.

getX509BitPosition

public int getX509BitPosition()

The bit position of this usage in the X.509 KeyUsage extension.

Returns:

the bit position of this usage in the X.509 KeyUsage extension.

getKeyType

public Class<? extends CryptoKey> getKeyType()

The key type corresponding to this key usage.

Returns:

the key type corresponding to this usage.

toString

public String toString()

Overrides:

toString in class Enum<KeyUsage>