Class SpiffeProvider

All Implemented Interfaces:
Serializable, Cloneable, Map<Object,Object>

public final class SpiffeProvider extends Provider
Represents a Security Provider for the Java Security API that supports SPIFFE X.509-SVIDs and Bundles fetched from the Workload API.

The KeyManager and TrustManager implementations in this Provider keep the SPIFFE X.509-SVIDs and Bundles in memory, fetching them from the Workload API and rotating them automatically as the Workload API delivers updates, so no keystore or truststore file is involved.

The SpiffeKeyManager provides the X.509-SVID (the workload's certificate chain together with its private key) to prove identity to the peer in a TLS connection.

The SpiffeTrustManager provides the X.509 Bundles used to validate the peer's X.509 certificate chain. It also performs SPIFFE ID validation on the SVIDs presented by peers in a TLS connection, so a peer with a valid chain but an unexpected SPIFFE ID is still rejected.

This Provider plugs into the Java Security API by registering a KeyManagerFactory that creates the KeyManager and a TrustManagerFactory that creates the TrustManager, both under the algorithm name Spiffe.

To use this Provider, add the following lines to the java.security file (n is the position in the provider list; use the next unused number):

      security.provider.n=io.spiffe.SpiffeProvider
      ssl.KeyManagerFactory.algorithm=Spiffe
      ssl.TrustManagerFactory.algorithm=Spiffe
 

Also, to configure the accepted SPIFFE IDs, add to java.security the list of SPIFFE IDs separated by the pipe character:

      ssl.spiffe.accept=spiffe://example.org/workload1 | spiffe://example.org/workload2
 
This property can also be defined as a System property passed on the command line through -Dssl.spiffe.accept (quote the value when it contains spaces around the pipes, otherwise the shell splits it):
      -Dssl.spiffe.accept='spiffe://example.org/workload1 | spiffe://example.org/workload2'
 

To configure the TrustManager to accept any SPIFFE ID presented by a peer, set the property ssl.spiffe.acceptAll to true. The peer's certificate chain is still validated against the X.509 Bundle; only the SPIFFE ID check is skipped, so every workload in a trusted trust domain is then accepted. Prefer an explicit ssl.spiffe.accept list wherever the set of peers is known:

     ssl.spiffe.acceptAll=true
 
  • Constructor Details

    • SpiffeProvider

      public SpiffeProvider()
      Constructor.

      Configures the Provider name and registers the KeyManagerFactory, TrustManagerFactory and KeyStore implementations.

  • Method Details

    • install

      public static void install()
      Installs this provider implementation in the Java Security API, so that KeyManagerFactory.getInstance("Spiffe") and TrustManagerFactory.getInstance("Spiffe") resolve to the SPIFFE implementations without editing java.security.
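
The following is an added example, not code from this page or from the java-spiffe project, showing how the configuration described above and install() fit together to build a mutual-TLS server whose peers are authenticated by SPIFFE ID. It assumes the Workload API is reachable through the SPIFFE_ENDPOINT_SOCKET environment variable, that the provider reads ssl.spiffe.accept through the standard java.security.Security property lookup (the programmatic equivalent of the java.security entry), that the Spiffe factories ignore the KeyStore and password arguments to init(), and that the class lives in the package given in this page's java.security snippet; the class name SpiffeMtlsServer and the port 8443 are the example's own.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.Security;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

// Package as given in this page's java.security snippet; check it against your artifact.
import io.spiffe.SpiffeProvider;

/**
 * mTLS server backed by SpiffeProvider (added example).
 * Assumes the Workload API socket is set via SPIFFE_ENDPOINT_SOCKET.
 */
public final class SpiffeMtlsServer {

    // Algorithm name under which SpiffeProvider registers both factories.
    private static final String SPIFFE_ALGORITHM = "Spiffe";

    public static SSLContext buildSslContext(String acceptedSpiffeIds) throws Exception {
        // Programmatic equivalent of ssl.spiffe.accept in java.security.
        // Assumption: the provider reads it through Security.getProperty.
        Security.setProperty("ssl.spiffe.accept", acceptedSpiffeIds);
        // Deliberately NOT setting ssl.spiffe.acceptAll=true: that would keep chain
        // validation but drop the SPIFFE ID check, accepting any workload in the domain.

        // Registers the provider and its KeyManagerFactory / TrustManagerFactory.
        SpiffeProvider.install();

        // Assumption: the Spiffe factories ignore keystore/password arguments because
        // the X.509-SVID and bundles come from the Workload API, not from a file.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(SPIFFE_ALGORITHM);
        kmf.init(null, null);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(SPIFFE_ALGORITHM);
        tmf.init((KeyStore) null);

        SSLContext ctx = SSLContext.getInstance("TLSv1.3");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = buildSslContext(
                "spiffe://example.org/workload1 | spiffe://example.org/workload2");

        try (SSLServerSocket server =
                     (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(8443)) {
            // Without a client certificate the TrustManager has no SVID to check,
            // so require client authentication to get mutual TLS.
            server.setNeedClientAuth(true);
            System.out.println("mTLS listener on :8443, accepting configured SPIFFE IDs only");

            while (true) {
                try (SSLSocket client = (SSLSocket) server.accept()) {
                    // The handshake fails here if the peer's chain does not validate
                    // against the bundle or its SPIFFE ID is not in ssl.spiffe.accept.
                    client.startHandshake();
                    client.getOutputStream().write("hello\n".getBytes(StandardCharsets.UTF_8));
                } catch (Exception rejected) {
                    System.err.println("peer rejected: " + rejected.getMessage());
                }
            }
        }
    }
}
```

Run it with SPIFFE_ENDPOINT_SOCKET pointing at the local agent socket (for example unix:/tmp/agent.sock) and the java-spiffe provider jar on the classpath. Because Security.setProperty is called before install(), the same JVM can also be started with the -Dssl.spiffe.accept form instead; either way, a client presenting a valid SVID for spiffe://example.org/workload3 is refused at the handshake, which is the property you lose by setting ssl.spiffe.acceptAll=true.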