Repository: https://github.com/chonton/vault-jca (Java, Apache-2.0, archived). Description: Java Cryptography Provider using Vault.

# JCA for VAULT

[Java Cryptography Architecture](https://docs.oracle.com/en/java/javase/11/security/java-cryptography-architecture-jca-reference-guide.html)
provides a way to plug in a cryptography provider without modifying the client code. The client needs
to register the provider for it to be available through the Security APIs.

This provider leverages
[Vault's transit secrets](https://developer.hashicorp.com/vault/docs/v1.11.x/secrets/transit)
for implementing KeyStore, KeyPairGenerator, and Signature algorithms.

# Requirements

- Java 11
- Maven 3.5.4

# Maven Coordinates

```xml
    <dependency>
      <groupId>org.honton.chas</groupId>
      <artifactId>vault-jca</artifactId>
      <version>1.1.0</version>
    </dependency>
```
[Build details](https://chonton.github.io/vault-jca/index.html)

# Use Cases

## Register Provider

```java
    // Option 1: explicitly specify the Vault address and a token supplier before registering
    VaultApi.setVaultInstance(vaultAddress, () -> vaultToken);
    private static final String NAME = VaultProvider.register().getName();

    // Option 2: otherwise, default to using the VAULT_ADDR and VAULT_TOKEN environment variables
    private static final String NAME = VaultProvider.register().getName();
```

## KeyStore

The KeyStore can fetch an existing PublicKey from Vault.

```java
    import java.security.KeyStore;
    import java.security.PrivateKey;
    import java.security.PublicKey;
    import java.util.Collections;
    import java.util.List;

    // initialize KeyStore (KeyStore algorithm and provider are both named "Vault")
    KeyStore keyStore = KeyStore.getInstance(NAME, NAME);
    keyStore.load(null, null);

    // get an existing Vault public key
    PublicKey publicKey = keyStore.getCertificate(keyName).getPublicKey();

    // get an existing Vault private key. This is only a reference for use with Signature.initSign;
    // the key material itself never leaves Vault
    PrivateKey privateKey = (PrivateKey) keyStore.getKey(keyName, null);

    // list keys
    List<String> aliases = Collections.list(keyStore.aliases());
```

## KeyPairGenerator

The KeyPairGenerator can create a new KeyPair in Vault with the name specified in the
VaultParameterSpec.

```java
    import java.security.KeyPair;
    import java.security.KeyPairGenerator;
    import java.security.PrivateKey;
    import java.security.PublicKey;

    // keyAlgorithmName is from the KeyPairGenerator Algorithms table below
    KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(keyAlgorithmName, NAME);

    VaultParameterSpec keySpec;
    if ("EC".equals(keyAlgorithmName)) {
      // use the appropriate VaultEcdsaKeyAlgorithm for EC keys
      keySpec = new VaultEcdsaParameterSpec(keyName, VaultEcdsaKeyAlgorithm.ECDSA_P521);
    } else {
      // use the appropriate VaultRsaKeyType for RSA and RSASSA-PSS keys
      keySpec = new VaultRsaParameterSpec(keyName, VaultRsaKeyType.RSA_3072);
    }

    keyPairGenerator.initialize(keySpec);
    KeyPair keyPair = keyPairGenerator.generateKeyPair();
    // PublicKey is exported from Vault and can be transferred out of process
    PublicKey publicKey = keyPair.getPublic();
    // PrivateKey remains in Vault. This is a reference that can be used by Signature.initSign
    PrivateKey privateKey = keyPair.getPrivate();
```

## Signature

The Signature can sign (with the PrivateKey) or verify (with the PublicKey) a message using a
Vault key. The keys are obtained from the KeyStore.

```java
    import java.security.Signature;
    import java.security.SignatureException;

    // signatureAlgorithmName is from the Signature Algorithms table below
    Signature signature = Signature.getInstance(signatureAlgorithmName, NAME);

    // sign (the private key reference causes Vault to perform the signing operation)
    signature.initSign(privateKey);
    signature.update(MESSAGE);
    byte[] signatureBytes = signature.sign();

    // verify
    signature.initVerify(publicKey);
    signature.update(MESSAGE);
    if (!signature.verify(signatureBytes)) {
      throw new SignatureException("signature did not verify");
    }
```

The security provider leverages
[Vault's transit secrets](https://developer.hashicorp.com/vault/docs/v1.11.x/secrets/transit)
for implementing the following algorithms.

## [KeyPairGenerator Algorithms](https://docs.oracle.com/en/java/javase/11/docs/specs/security/standard-names.html#keypairgenerator-algorithms)

| Algorithm Name | Description                                     |
|----------------|-------------------------------------------------|
| RSA            | keypairs for the RSA algorithm                  |
| RSASSA-PSS     | keypairs for the RSASSA-PSS signature algorithm |
| EC             | keypairs for the Elliptic Curve algorithm       |

## KeyStore Algorithms

| Algorithm Name | Description              |
|----------------|--------------------------|
| Vault          | keypairs stored in Vault |

## [Signature Algorithms](https://docs.oracle.com/en/java/javase/11/docs/specs/security/standard-names.html#signature-algorithms)

| Algorithm Name       | Description                            |
|----------------------|----------------------------------------|
| ___Deterministic___  | RSA signatures using RSASSA-PKCS1-v1_5 |
| SHA256withRSA        | 2048 bit RSA                           |
| SHA384withRSA        | 3072 bit RSA                           |
| SHA512withRSA        | 4096 bit RSA                           |
| ___Randomized___     | RSA signatures using RSASSA-PSS        |
| SHA256withRSAandMGF1 | 2048 bit RSA, MGF1 salt 256 bits       |
| SHA384withRSAandMGF1 | 3072 bit RSA, MGF1 salt 384 bits       |
| SHA512withRSAandMGF1 | 4096 bit RSA, MGF1 salt 512 bits       |
| ___Elliptic Curve___ | EC signatures                          |
| SHA256withECDSA      | 256 bit EC                             |
| SHA384withECDSA      | 384 bit EC                             |
| SHA512withECDSA      | 512 bit EC                             |

# Keys Security

All private keys remain in Vault; the PrivateKey objects returned by the KeyStore and
KeyPairGenerator are references only, and signing is performed inside Vault. The public key is
available through the KeyStore interface. A new KeyPair is generated using the KeyPairGenerator
interface.