Module io.helidon.integrations.vault.secrets.pki

Package io.helidon.integrations.vault.secrets.pki

Interface PkiSecrets

All Superinterfaces:

Secrets

public interface PkiSecrets
extends Secrets

API operation for Vault PKI Secrets Engine. All methods block the current thread. This implementation is not suitable for reactive programming. Use PkiSecretsRx in reactive code.

Field Summary

Fields

Modifier and Type	Field	Description
static final String	KEY_TYPE_EC	EC (Elliptic curve) algorithm for keys.
static final String	KEY_TYPE_RSA	RSA algorithm for keys.

Method Summary

Modifier and Type	Method	Description
default X509Certificate	caCertificate()	Certification authority certificate.
CaCertificateGet.Response	caCertificate(CaCertificateGet.Request request)	Certification authority certificate.
default byte[]	caCertificate(PkiFormat format)	Certification authority certificate in raw bytes.
VaultOptionalResponse<CertificateGet.Response>	certificate(CertificateGet.Request request)	Get a certificate.
default Optional<X509Certificate>	certificate(String serialNumber)	Certificate with the defined serial id.
default Optional<byte[]>	certificate(String serialNumber, PkiFormat format)	Certificate in raw bytes, currently only PkiFormat.PEM is supported.
static PkiSecrets	create(PkiSecretsRx reactive)	Create a new blocking API from its reactive counterpart.
PkiRole.Response	createOrUpdateRole(PkiRole.Request request)	This endpoint creates or updates the role definition.
default X509CRL	crl()	Certificate revocation list.
CrlGet.Response	crl(CrlGet.Request request)	Get a CRL (certificate revocation list).
default byte[]	crl(PkiFormat format)	Certificate revocation list in raw bytes.
GenerateSelfSignedRoot.Response	generateSelfSignedRoot(GenerateSelfSignedRoot.Request request)	Generate a self signed root certificate.
default GenerateSelfSignedRoot.Response	generateSelfSignedRoot(String commonName)	Generate a self signed root certificate.
IssueCertificate.Response	issueCertificate(IssueCertificate.Request request)	Issue a new certificate returning raw data.
VaultOptionalResponse<ListSecrets.Response>	list(ListSecrets.Request request)	List certificate serial numbers.
RevokeCertificate.Response	revokeCertificate(RevokeCertificate.Request request)	Revoke a certificate.
default Instant	revokeCertificate(String serialNumber)	Revoke a certificate by its serial number.
SignCsr.Response	signCertificateRequest(SignCsr.Request request)	This endpoint signs a new certificate based upon the provided CSR and the supplied parameters, subject to the restrictions contained in the role named in the endpoint.

Methods inherited from interface io.helidon.integrations.vault.Secrets

list, list

Field Details

KEY_TYPE_RSA

static final String KEY_TYPE_RSA

RSA algorithm for keys.

See Also:

• Constant Field Values

KEY_TYPE_EC

static final String KEY_TYPE_EC

EC (Elliptic curve) algorithm for keys.

See Also:

• Constant Field Values

Method Details

create

static PkiSecrets create(PkiSecretsRx reactive)

Create a new blocking API from its reactive counterpart.

Parameters:

reactive - reactive PKI Secrets

Returns:

blocking PKI Secrets

list

VaultOptionalResponse<ListSecrets.Response> list(ListSecrets.Request request)

List certificate serial numbers.

Specified by:

list in interface Secrets

Parameters:

request - request, path is ignored

Returns:

serial numbers of certificates

caCertificate

default X509Certificate caCertificate()

Certification authority certificate.

Returns:

certificate of the CA

caCertificate

default byte[] caCertificate(PkiFormat format)

Certification authority certificate in raw bytes.

Parameters:

format - format to use, either DER or PEM format are supported

Returns:

CA certificate bytes

caCertificate

CaCertificateGet.Response caCertificate(CaCertificateGet.Request request)

Certification authority certificate.

Parameters:

request - request with optional PkiFormat configured

Returns:

CA certificate bytes

certificate

default Optional<X509Certificate> certificate(String serialNumber)

Certificate with the defined serial id.

Parameters:

serialNumber - serial number of the certificate

Returns:

certificate, if not found, an exception is returned

certificate

default Optional<byte[]> certificate(String serialNumber,
 PkiFormat format)

Certificate in raw bytes, currently only PkiFormat.PEM is supported.

Parameters:

serialNumber - serial number of the certificate

format - format - must be PkiFormat.PEM

Returns:

certificate bytes in PEM format

certificate

VaultOptionalResponse<CertificateGet.Response> certificate(CertificateGet.Request request)

Get a certificate.

Parameters:

request - certificate request with at least the serial number

Returns:

get certificate response

crl

default X509CRL crl()

Certificate revocation list.

Returns:

revoke list

crl

default byte[] crl(PkiFormat format)

Certificate revocation list in raw bytes.

Parameters:

format - to choose between PEM and DER encoding of the list

Returns:

CRL bytes

crl

CrlGet.Response crl(CrlGet.Request request)

Get a CRL (certificate revocation list).

Parameters:

request - get CRL request

Returns:

get CRL response

issueCertificate

IssueCertificate.Response issueCertificate(IssueCertificate.Request request)

Issue a new certificate returning raw data.

The format of data returned depends on the PkiFormat chosen:

• PkiFormat.PEM - pem bytes (e.g. -----BEGIN CERTIFICATE-----...)
• PkiFormat.PEM_BUNDLE - same as above, with certificate bundling the private key
• PkiFormat.DER - binary encoding

Parameters:

request - configuration of the new certificate

Returns:

certificate response with bytes of returned certificates

signCertificateRequest

SignCsr.Response signCertificateRequest(SignCsr.Request request)

This endpoint signs a new certificate based upon the provided CSR and the supplied parameters, subject to the restrictions contained in the role named in the endpoint.

Parameters:

request - sign CSR request

Returns:

a new certificate

revokeCertificate

default Instant revokeCertificate(String serialNumber)

Revoke a certificate by its serial number.

Parameters:

serialNumber - serial number of the certificate to revoke

Returns:

revocation instant

revokeCertificate

RevokeCertificate.Response revokeCertificate(RevokeCertificate.Request request)

Revoke a certificate.

Parameters:

request - revoke certificate request with at least the certificate serial number

Returns:

revoke certificate response

generateSelfSignedRoot

default GenerateSelfSignedRoot.Response generateSelfSignedRoot(String commonName)

Generate a self signed root certificate. This operations makes sense for testing. For production environments, this would most likely be initialized with an explicit key and certificate.

Parameters:

commonName - the common name (cn) of the certificate

Returns:

when request finishes

generateSelfSignedRoot

GenerateSelfSignedRoot.Response generateSelfSignedRoot(GenerateSelfSignedRoot.Request request)

Generate a self signed root certificate. This operations makes sense for testing. For production environments, this would most likely be initialized with an explicit key and certificate.

Parameters:

request - generate self signed root request with at least the common name configured

Returns:

generate self signed root response

createOrUpdateRole

PkiRole.Response createOrUpdateRole(PkiRole.Request request)

This endpoint creates or updates the role definition. Note that the PkiRole.Request.addAllowedDomain(String), PkiRole.Request.allowSubDomains(boolean), PkiRole.Request.allowGlobDomains(boolean), and PkiRole.Request.allowAnyName(boolean) are additive; between these options, and across multiple roles, nearly any issuing policy can be accommodated. PkiRole.Request.serverFlag(boolean), PkiRole.Request.clientFlag(boolean), and PkiRole.Request.codeSigningFlag(boolean) are additive as well. If a client requests a certificate that is not allowed by the CN policy in the role, the request is denied.

Parameters:

request - request modifying the role

Returns:

when request finishes