{"id":37021664,"url":"https://github.com/swedenconnect/credentials-support","last_synced_at":"2026-01-14T02:34:13.890Z","repository":{"id":39621569,"uuid":"309636432","full_name":"swedenconnect/credentials-support","owner":"swedenconnect","description":"Java library for PKI credentials support, including PKCS#11 and HSM:s.","archived":false,"fork":false,"pushed_at":"2025-12-18T15:19:09.000Z","size":4097,"stargazers_count":6,"open_issues_count":1,"forks_count":1,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-12-21T04:56:20.600Z","etag":null,"topics":["eidas","opensaml","pkcs11","pki","softhsm","sweden-connect"],"latest_commit_sha":null,"homepage":"https://www.swedenconnect.se","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/swedenconnect.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2020-11-03T09:31:37.000Z","updated_at":"2025-12-18T15:19:11.000Z","dependencies_parsed_at":"2025-02-26T13:38:19.528Z","dependency_job_id":"f82f98cc-5ec7-4abf-85fe-04ed7ede191e","html_url":"https://github.com/swedenconnect/credentials-support","commit_stats":null,"previous_names":[],"tags_count":24,"template":false,"template_full_name":null,"purl":"pkg:github/swedenconnect/credentials-support","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/swedenconnect%2Fcredentials-support","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/swedenconnect%2Fcredentials-suppor
t/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/swedenconnect%2Fcredentials-support/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/swedenconnect%2Fcredentials-support/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/swedenconnect","download_url":"https://codeload.github.com/swedenconnect/credentials-support/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/swedenconnect%2Fcredentials-support/sbom","scorecard":{"id":861749,"data":{"date":"2025-08-11","repo":{"name":"github.com/swedenconnect/credentials-support","commit":"69525256ee4748ee6422a3349997016b0c90a43b"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.2,"checks":[{"name":"Maintained","score":0,"reason":"0 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is 
published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Code-Review","score":1,"reason":"Found 4/24 approved changesets -- score normalized to 1","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses 
fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: containerImage not pinned by hash: hsm-support-scripts/soft-hsm-deployment/softhsm/Dockerfile-key-import:2","Warn: containerImage not pinned by hash: softhsm/Dockerfile:1: pin your Docker image by updating docker.sunet.se/openjdk-jre-luna:luna7.4-jre17 to docker.sunet.se/openjdk-jre-luna:luna7.4-jre17@sha256:da3f3186e891f6f6684927f88a8951c7d60da648dbdca7e66930f4bc335b8304","Info:   0 out of   2 containerImage dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build 
process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 29 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":9,"reason":"1 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-4wp7-92pw-q264"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-24T01:29:59.570Z","repository_id":39621569,"created_at":"2025-08-24T01:29:59.570Z","updated_at":"2025-08-24T01:29:59.570Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28408711,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-14T01:52:23.358Z","status":"online","status_checked_at":"2026-01-14T02:00:06.678Z","response_time":107,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["eidas","opensaml","pkcs11","pki","softhsm","sweden-connect"],"created_at":"2026-01-14T02:34:13.208Z","updated_at":"2026-01-14T02:34:13.872Z","avatar_url":"
https://github.com/swedenconnect.png","language":"Java","readme":"![Logo](https://docs.swedenconnect.se/technical-framework/img/sweden-connect.png)\n\n# credentials-support\n\n[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) ![Maven Central](https://img.shields.io/maven-central/v/se.swedenconnect.security/credentials-support.svg)\n\nJava libraries for PKI credentials support, including PKCS#11 and HSM:s.\n\n---\n\n## Table of contents\n\n1. [**Overview**](#overview)\n\n    1.1. [API Documentation](#api-documentation)\n    \n    1.2. [Maven](#maven)\n    \n    1.3. [Release Notes](#release-notes)\n    \n2. [**Credential types**](#credential-types)\n\n    2.1. [BasicCredential](#basiccredential)\n  \n    2.2. [KeyStoreCredential](#keystorecredential)\n  \n    2.3. [Pkcs11Credential](#pkcs11credential)\n    \n3. [**PkiCredential Features**](#pkicredential-features)\n\n    3.1. [Credential Name](#credential-name)\n    \n    3.2. [Transformation to other Formats](#transformation-to-other-formats)\n    \n    3.3. [Testing and Reloading](#testing-and-reloading)\n    \n    3.4. [Credential Metadata](#credential-metadata)\n    \n4. [**Builders and Factories**](#builders-and-factories)\n\n    4.1. [KeyStore Builder and Factories](#keystore-builder-and-factories)\n    \n    4.2. [Credential Factories](#credential-factories)\n\n5. [**Credential Bundles, Collections and Configuration Support**](#credential-bundles-collections-and-configuration-support)\n\n    5.1. [The Bundles Concept](#the-bundles-concept)\n    \n    5.2. [PkiCredentialCollection](#pki-credential-collection)\n    \n    5.3. [Configuration Support](#configuration-support)\n    \n    5.3.1. [StoreConfigurationProperties](#store-configuration-properties)\n    \n    5.3.2. [BaseCredentialConfigurationProperties](#base-credential-configuration-properties)\n\n    5.3.3. 
[PemCredentialConfigurationProperties](#pem-credential-configuration-properties)\n    \n    5.3.4. [StoreCredentialConfigurationProperties](#store-credential-configuration-properties)\n\n    5.3.5. [PkiCredentialConfigurationProperties](#pki-credential-configuration-properties)\n\n    5.3.6. [CredentialBundlesConfigurationProperties](#credential-bundles-configuration-properties)\n\n    5.3.7. [PkiCredentialCollectionConfigurationProperties](#pki-credential-collection-configuration-properties)\n    \n    5.3.8. [SpringCredentialConfigurationProperties](#spring-credential-configuration-properties)\n    \n6. [**Monitoring**](#monitoring)\n\n7. [**Credential Containers for Managing Keys**](#credential-containers)\n\n    7.1. [Creating a Credential Container](#creating-a-credential-container)\n    \n    7.1.1. [HSM-based Credential Containers](#hsm-based-credential-container)\n    \n    7.1.2. [In-memory KeyStore-based Credential Container](#in-memory-keystore-based-credential-container)\n    \n    7.1.3. [In-memory Credential Container](#in-memory-credential-container)\n    \n    7.2. [Using the Credential Container](#using-the-credential-container)\n    \n8. [**Spring Support**](#spring-support)\n\n    8.1. [Spring Factories](#spring-factories)\n\n    8.2. [Spring Converters](#spring-converters)\n\n    8.3. [The Spring Boot Starter for Credentials Support](#the-spring-boot-starter-for-credentials-support)\n    \n    8.3.1. [Credential Monitoring Health Endpoint](#credential-monitoring-health-endpoint)\n\n9. [**OpenSAML Support**](#opensaml-support)\n\n10. [**Nimbus Support**](#nimbus-support)\n\n11. [**PKCS#11 Specifics**](#pkcs11-specifics)\n\n    11.1. [Using SoftHSM to Test PKCS#11 Credentials](#using-softhsm-to-test-pkcs11-credentials)\n\n    11.2. [Key Generation Scripts](#key-generation-scripts)\n\n---\n\n\u003ca name=\"overview\"\u003e\u003c/a\u003e\n## 1. 
Overview\n\nThe **credentials-support** library defines a uniform way of representing PKI credentials (private keys and X.509 certificates) by introducing the [PkiCredential](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/PkiCredential.java) interface.\n\nThe library supports both basic credentials stored on file or in a key store (JKS, PKCS#12), as well as PKCS#11 credentials residing on a Hardware Security Module.\n\nThe **credentials-support-nimbus** library offers support for working with [Nimbus](https://connect2id.com/products/nimbus-jose-jwt) datatypes such as the [JWK](https://connect2id.com/products/nimbus-jose-jwt/examples/jwk-generation) class in conjunction with [PkiCredential](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/PkiCredential.java) objects.\n\nThe **credentials-support-opensaml** library offers an add-on for OpenSAML, where a [PkiCredential](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/PkiCredential.java) object can be used to create an OpenSAML credential.\n\nThe **credentials-support-spring** library offers Spring add-ons consisting of converters, factories and configuration support.\n\nThe **credentials-support-spring-boot-starter** library is a Spring Boot starter that can be used for an easy and straightforward way of configuring credentials that are to be used in a Spring Boot application.\n\n\n\u003ca name=\"generic-pkicredentialfactorybean-for-springboot-users\"\u003e\u003c/a\u003e\n:exclamation: If you are still using the 1.X.X version of the **credentials-support** library, see the [old README](https://docs.swedenconnect.se/credentials-support/old-readme.html).\n\n\u003ca name=\"api-documentation\"\u003e\u003c/a\u003e\n### 1.1. 
API Documentation\n\n* [Java API documentation](https://docs.swedenconnect.se/credentials-support/apidoc/index.html)\n\n\u003ca name=\"maven\"\u003e\u003c/a\u003e\n### 1.2. Maven\n\nAll libraries of the credentials-support project are published to Maven Central.\n\nInclude the following snippets in your Maven POM to add dependencies for your project.\n\nThe **credentials-support** base library:\n\n```\n\u003cdependency\u003e\n  \u003cgroupId\u003ese.swedenconnect.security\u003c/groupId\u003e\n  \u003cartifactId\u003ecredentials-support\u003c/artifactId\u003e\n  \u003cversion\u003e${credentials-support.version}\u003c/version\u003e\n\u003c/dependency\u003e\n```\n\nThe **credentials-support-opensaml** library:\n\n```\n\u003cdependency\u003e\n  \u003cgroupId\u003ese.swedenconnect.security\u003c/groupId\u003e\n  \u003cartifactId\u003ecredentials-support-opensaml\u003c/artifactId\u003e\n  \u003cversion\u003e${credentials-support.version}\u003c/version\u003e\n\u003c/dependency\u003e\n```\n\n\u003e Will include the **opensaml-library**.\n\nThe **credentials-support-nimbus** library:\n\n```\n\u003cdependency\u003e\n  \u003cgroupId\u003ese.swedenconnect.security\u003c/groupId\u003e\n  \u003cartifactId\u003ecredentials-support-nimbus\u003c/artifactId\u003e\n  \u003cversion\u003e${credentials-support.version}\u003c/version\u003e\n\u003c/dependency\u003e\n```\n\n\u003e Will include the **opensaml-library**.\n\nThe **credentials-support-spring** library:\n\n```\n\u003cdependency\u003e\n  \u003cgroupId\u003ese.swedenconnect.security\u003c/groupId\u003e\n  \u003cartifactId\u003ecredentials-support-spring\u003c/artifactId\u003e\n  \u003cversion\u003e${credentials-support.version}\u003c/version\u003e\n\u003c/dependency\u003e\n```\n\n\u003e Will include the **opensaml-library**.\n\nThe **credentials-support-spring-boot-starter** library:\n\n```\n\u003cdependency\u003e\n  \u003cgroupId\u003ese.swedenconnect.security\u003c/groupId\u003e\n  
\u003cartifactId\u003ecredentials-support-spring-boot-starter\u003c/artifactId\u003e\n  \u003cversion\u003e${credentials-support.version}\u003c/version\u003e\n\u003c/dependency\u003e\n```\n\n\u003e Will include **opensaml-library** and **credentials-support-spring**.\n\n\u003ca name=\"release-notes\"\u003e\u003c/a\u003e\n### 1.3. Release Notes\n\nSee https://docs.swedenconnect.se/credentials-support/release-notes.html\n\n\u003ca name=\"credential-types\"\u003e\u003c/a\u003e\n## 2. Credential Types\n\nThe **credentials-support** library defines three classes implementing the [PkiCredential](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/PkiCredential.java) interface and a wrapper that takes a [PkiCredential](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/PkiCredential.java) into an OpenSAML credential type.\n\n\u003ca name=\"basiccredential\"\u003e\u003c/a\u003e\n### 2.1. BasicCredential\n\nThe [BasicCredential](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/BasicCredential.java) class is a simple implementation of the [PkiCredential](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/PkiCredential.java) interface that is created by providing the private key and certificate (or just a public key). This class can for example be used when you have the key and certificate stored on file or in memory.\n\n\u003ca name=\"keystorecredential\"\u003e\u003c/a\u003e\n### 2.2. 
KeyStoreCredential\n\nThe [KeyStoreCredential](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/KeyStoreCredential.java) class is backed by a Java KeyStore and is initialized by providing a loaded KeyStore instance (see [KeyStore Builder and Factories](#keystore-builder-and-factories) below) and giving the entry alias and key password.\n\nThis class also supports handling of PKCS#11 credentials. This requires using a security provider that supports creating a KeyStore based on an underlying PKCS#11 implementation (for example the SunPKCS11 provider).\n\n:exclamation: For a PKCS#11 key store, the `alias` parameter is equal to the PKCS#11 `CKA_LABEL` attribute for the object holding the private key (and certificate), and the `password` parameter is the PIN needed to unlock the object.\n\n**Note:** If you are using a security provider for PKCS#11 support that does not support exposing the HSM device as a Java KeyStore, you need to use the [Pkcs11Credential](#pkcs11credential) (see below).\n\n\u003ca name=\"pkcs11credential\"\u003e\u003c/a\u003e\n### 2.3. Pkcs11Credential\n\nAs was described above, the [KeyStoreCredential](#keystorecredential) can be used for PKCS#11 credentials, but it is limited to those Java security providers that also offer a KeyStore abstraction of the PKCS#11 device entry. The [Pkcs11Credential](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/pkcs11/Pkcs11Credential.java) is a class that does not make any assumptions about how the security provider in use handles its PKCS#11 entries. 
Instead, it uses the [Pkcs11Configuration](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/pkcs11/Pkcs11Configuration.java),\n[Pkcs11PrivateKeyAccessor](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/pkcs11/Pkcs11PrivateKeyAccessor.java) and [Pkcs11CertificatesAccessor](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/pkcs11/Pkcs11CertificatesAccessor.java) interfaces.\n\nThe [Pkcs11Configuration](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/pkcs11/Pkcs11Configuration.java) interface declares the method `getProvider()` that returns the Java Security Provider that should be used for the PKCS#11 credential, and the accessors provide access to the private key and certificates respectively.\n\nSo, for those who wish to use the **credentials-support** library with a custom security provider, there is an implementation task ahead...\n\n\u003e The **credentials-support** library also offers implementations of the above interfaces for providers that use key stores for PKCS#11 (SunPKCS11 provider). However, if you are using the SunPKCS11 provider, stick with the [KeyStoreCredential](#keystorecredential).\n\n\u003ca name=\"pkicredential-features\"\u003e\u003c/a\u003e\n## 3. 
PkiCredential Features\n\nThe main use of a [PkiCredential](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/PkiCredential.java) is to provide an abstraction and a unified way of holding a private key and a certificate (or just a public key) for use in signing and decryption.\n\nThis section highlights some interesting features apart from getter-methods for keys and certificates.\n\n\u003ca name=\"credential-name\"\u003e\u003c/a\u003e\n### 3.1. Credential Name\n\nIn an application where multiple credentials are used, we may want to have a way to name each credential (for logging and other purposes). Therefore, the `getName()` method exists, and the [AbstractPkiCredential](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/AbstractPkiCredential.java) offers a way of assigning a custom name to a credential.\n\nIf no name is explicitly assigned, a name will be generated according to the following:\n\n- For a [BasicCredential](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/BasicCredential.java) the serial number of the entity certificate will be used. If no certificate exists, the name will be chosen as \\\u003cpublic-key-type\\\u003e-\\\u003cuuid\\\u003e, for example, `RSA-0c6fbdce-b485-44a4-9000-93943626c675`.\n\n- For a [KeyStoreCredential](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/KeyStoreCredential.java) the following rules apply:\n    - If the key store is a PKCS#11 key store, the name is `\u003cprovider name\u003e-\u003calias\u003e-\u003ccertificate serial number\u003e`, for example `SunPKCS11-foo-rsa1-89716151`. 
Note that the provider name is usually \"base provider name\"-\"slot name\".\n    \n    - For other key store types, the name is `\u003ckey type\u003e-\u003calias\u003e-\u003ccertificate serial number\u003e`, for example `RSA-mykey-89716151`.\n    \n- For a [Pkcs11Credential](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/pkcs11/Pkcs11Credential.java) the name is calculated as `\u003cprovider-name\u003e-\u003calias\u003e`.\n\n:raised_hand: It is recommended that a custom name is assigned to each credential so that it is clear which credential is which when reading the logs. Make sure to use unique names.\n\n\u003ca name=\"transformation-to-other-formats\"\u003e\u003c/a\u003e\n### 3.2. Transformation to other Formats\n\nThe **credentials-support** libraries offer a uniform way of representing credentials via the [PkiCredential](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/PkiCredential.java) interface and also a smooth and efficient way of configuring those (see [Section 5](#credential-bundles-collections-and-configuration-support) below), but other frameworks and libraries have their own way of representing credentials. So, we need a way to handle this. 
The solution is the `transform` method:\n\n```java\n/**\n * Transforms the credential to another format, for example a JWK or a Java KeyPair.\n *\n * @param transformFunction the transform function\n * @param \u003cT\u003e the type of the new format\n * @return the new format\n */\ndefault \u003cT\u003e T transform(@Nonnull final Function\u003cPkiCredential, T\u003e transformFunction) {\n  return transformFunction.apply(this);\n}\n```\n\nThus, by implementing a `Function` that accepts a [PkiCredential](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/PkiCredential.java) and returns the custom credential representation, we can use the **credentials-support** library together with other frameworks.\n\nSee [Section 10, Nimbus Support](#nimbus-support), for how to transform a [PkiCredential](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/PkiCredential.java) into a [JWK](https://javadoc.io/doc/com.nimbusds/nimbus-jose-jwt/latest/com/nimbusds/jose/jwk/JWK.html) and [Section 9, OpenSAML Support](#opensaml-support), for how to transform a [PkiCredential](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/PkiCredential.java) into an OpenSAML [X509Credential](https://shibboleth.net/api/java-opensaml/5.1.3/org/opensaml/security/x509/X509Credential.html).\n\n\n\u003ca name=\"testing-and-reloading\"\u003e\u003c/a\u003e\n### 3.3. Testing and Reloading\n\nWhen using an HSM there is a possibility that the connection with the device is lost. The result is that the instantiated credential stops working. Therefore, the **credentials-support** library offers ways to test and reload credentials. 
The credential types that support testing and reloading implement the [ReloadablePkiCredential](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/ReloadablePkiCredential.java) interface.\n\nAn application that makes use of credentials that may fail, and may need to be reloaded, needs to set up a monitor that periodically tests that all monitored credentials are functional, and if not, tries to reload them. See [Section 6, Monitoring](#monitoring) below.\n\nFor credentials implementing the [ReloadablePkiCredential](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/ReloadablePkiCredential.java) interface, the [DefaultCredentialTestFunction](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/monitoring/DefaultCredentialTestFunction.java) will be installed by default.\n\n\u003ca name=\"credential-metadata\"\u003e\u003c/a\u003e\n### 3.4. Credential Metadata\n\nAdditional metadata may be associated with a credential. 
This is mainly useful when transforming to other formats, see [Section 3.2](#transformation-to-other-formats), or when storing credentials in a [PkiCredentialCollection](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/PkiCredentialCollection.java), see [Section 5.2](#pki-credential-collection).\n\nThe [PkiCredential.Metadata](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/PkiCredential.java) interface is basically a map where metadata is stored.\n\nThe following metadata properties are pre-defined:\n\n- `key-id` - Property name for the key identifier metadata property.\n\n- `issued-at` - Property name for the instant when the credential was issued.\n\n- `expires-at` - Property name for the instant when the credential expires. Note that this may be different from the instant holding the `active-to` property.\n\n- `active-to` - Property that may be set to the instant at which the credential should no longer be regarded as active.\n\n- `active-from` - Property that may be set to the instant from when the credential should be regarded as active.\n\n- `usage` - Property name for the usage property. This property holds a string that may be `signing`, `encryption`, `metadata-signing` or any other application-specific usage.\n\n- `key-use` - \\[Nimbus specific\\] - Property name for the key use metadata property. Maps to JWK's `use` property. Prefer to use the generic `usage` setting.\n\n- `key-ops` - \\[Nimbus specific\\] - Property name for the key operations metadata property. Maps to JWK's `ops` property. Should hold a set of [KeyOperation](https://javadoc.io/doc/com.nimbusds/nimbus-jose-jwt/latest/com/nimbusds/jose/jwk/KeyOperation.html) objects or a comma-separated list of strings.\n\n- `jose-alg` - \\[Nimbus specific\\] - Property name for the JOSE algorithm metadata property. 
Maps to JWK's `alg` property. Should hold an [Algorithm](https://javadoc.io/doc/com.nimbusds/nimbus-jose-jwt/latest/com/nimbusds/jose/Algorithm.html) or its string representation.\n\n- `entity-id` - \\[OpenSAML specific\\] - Property name for assigning a SAML entity ID to the credential metadata.\n\n- `encryption-methods` - \\[OpenSAML specific\\] - Property name for holding `md:EncryptionMethod` data. See [EncryptionMethodMetadata](https://github.com/swedenconnect/credentials-support/blob/main/opensaml/src/main/java/se/swedenconnect/security/credential/opensaml/EncryptionMethodMetadata.java).\n\nThe [AbstractPkiCredential](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/AbstractPkiCredential.java) class will pre-populate the `issued-at` and `expires-at` properties based on the validity of a credential's entity certificate.\n\n\u003ca name=\"builders-and-factories\"\u003e\u003c/a\u003e\n## 4. Builders and Factories\n\nThe libraries offer a number of builder and factory classes for building [KeyStore](https://docs.oracle.com/en/java/javase/21/docs/api/java.base/java/security/KeyStore.html) and [PkiCredential](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/PkiCredential.java) objects.\n\n\u003ca name=\"keystore-builder-and-factories\"\u003e\u003c/a\u003e\n### 4.1. KeyStore Builder and Factories\n\nSetting up a Java [KeyStore](https://docs.oracle.com/en/java/javase/21/docs/api/java.base/java/security/KeyStore.html) involves loading a file from disk and unlocking it. 
The [KeyStoreBuilder](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/factory/KeyStoreBuilder.java) class does this using a standard builder pattern.

Loading a Java KeyStore from a file and unlocking it can then be done like this:

```java
final KeyStore keyStore = KeyStoreBuilder.builder()
    .location("classpath:store.jks")
    .password("secret")
    .build();
```

> Note: The default resource loader supports strings with prefixes defined by Spring and [SmallRye](https://smallrye.io) (Quarkus style).

Example of how a PKCS#12 file is loaded:

```java
final KeyStore keyStore = KeyStoreBuilder.builder()
    .location("/opt/keys/mykeys.p12")
    .password("secret")
    .type("PKCS12")
    .build();
```

It is also possible to use the builder to load a PKCS#11 KeyStore:

```java
final KeyStore keyStore = KeyStoreBuilder.builder(customResourceLoader)
    .type("PKCS11")
    .provider("SunPKCS11")
    .pin("secret")
    .pkcs11ConfigurationFile("/opt/config/p11.conf")
    .build();
```

The example above also illustrates how a custom resource loader is supplied. For Spring users, the [SpringConfigurationResourceLoader](https://github.com/swedenconnect/credentials-support/blob/main/spring/credentials-support-spring/src/main/java/se/swedenconnect/security/credential/spring/config/SpringConfigurationResourceLoader.java) should be used.

Apart from the builder, the [KeyStoreFactory](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/factory/KeyStoreFactory.java) class offers methods for loading a KeyStore. This class is mainly used internally when a [StoreConfiguration](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/config/StoreConfiguration.java) object should be turned into a KeyStore. See [Section 5.3](#configuration-support) below.

See also [Section 8.1, Spring Factories](#spring-factories).

<a name="credential-factories"></a>
### 4.2. Credential Factories

Creating a [PkiCredential](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/PkiCredential.java) instance is most easily done using the different constructors of [BasicCredential](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/BasicCredential.java) or [KeyStoreCredential](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/KeyStoreCredential.java), but **credentials-support** also offers the [PkiCredentialFactory](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/factory/PkiCredentialFactory.java). This class is mainly intended to be used internally when loading configuration (see [Section 5.3](#configuration-support) below).

See also [Section 8.1, Spring Factories](#spring-factories).

<a name="credential-bundles-collections-and-configuration-support"></a>
## 5. Credential Bundles, Collections and Configuration Support

<a name="the-bundles-concept"></a>
### 5.1. The Bundles Concept

Spring Boot has introduced a feature called [SSL Bundles](https://docs.spring.io/spring-boot/reference/features/ssl.html) where SSL/TLS credentials are configured in one place and later referenced from the different locations where they are needed.

```yaml
spring:
  ssl:
    bundle:
      jks:
        mybundle:
          key:
            alias: "application"
          keystore:
            location: "classpath:application.p12"
            password: "secret"
            type: "PKCS12"

myapp:
  example:
    bundle: mybundle
```

The **credentials-support** library borrows this concept and introduces "Credential Bundles", where [KeyStore](https://docs.oracle.com/en/java/javase/21/docs/api/java.base/java/security/KeyStore.html) and [PkiCredential](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/PkiCredential.java) instances are configured under a bundle, and then referenced wherever they are needed.

Example:

```yml
credential:
  bundles:
    keystore:
      ks1:
        location: classpath:ks-1.jks
        password: secret
        type: JKS
    jks:
      cred1:
        store-reference: ks1
        name: "Credential One"
        key:
          alias: rsa1
          key-password: secret
      cred2:
        store-reference: ks1
        name: "Credential Two"
        key:
          alias: rsa2
          key-password: secret
    pem:
      cred3:
        certificates: file:/opt/creds/cred3.pem.crt
        private-key: file:/opt/creds/cred3.pkcs8.key
        name: "Credential Three"

myapp:
  example:
    credential: cred2
```

The package [se.swedenconnect.security.credential.bundle](https://github.com/swedenconnect/credentials-support/tree/main/credentials-support/src/main/java/se/swedenconnect/security/credential/bundle) contains support for implementing
\"Credential Bundles\". It contains the following interfaces and classes:\n\n- [CredentialBundles](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/bundle/CredentialBundles.java) - An interface for accessing registered credentials and keystores. \n\n- [CredentialBundleRegistry](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/bundle/CredentialBundleRegistry.java) - An interface for registering [KeyStore](https://docs.oracle.com/en/java/javase/21/docs/api/java.base/java/security/KeyStore.html) and [PkiCredential](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/PkiCredential.java) instances in the credential bundle.\n\n- [CredentialBundleRegistrar](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/bundle/CredentialBundleRegistrar.java) - A functional interface for registering stores and credentials at a [CredentialBundleRegistry](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/bundle/CredentialBundleRegistry.java).\n\n- [DefaultCredentialBundleRegistry](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/bundle/DefaultCredentialBundleRegistry.java) - Default implementation of the [CredentialBundles](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/bundle/CredentialBundles.java) and [CredentialBundleRegistry](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/bundle/CredentialBundleRegistry.java) 
interfaces.\n\n- [ConfigurationCredentialBundleRegistrar](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/bundle/ConfigurationCredentialBundleRegistrar.java) - An implementation of the [CredentialBundleRegistrar](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/bundle/CredentialBundleRegistrar.java) interface that sets up a [CredentialBundles](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/bundle/CredentialBundles.java) based on the a supplied [CredentialBundlesConfiguration](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/config/CredentialBundlesConfiguration.java) (see [Section 5.3](#configuration-support) below).\n\nThe below example shows how a [CredentialBundles](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/bundle/CredentialBundles.java) is constructed.\n\n```java\nfinal CredentialBundlesConfiguration config = ...;\nfinal DefaultCredentialBundleRegistry bundle = new DefaultCredentialBundleRegistry();\n\nfinal ConfigurationCredentialBundleRegistrar registrar =\n    new ConfigurationCredentialBundleRegistrar(config);\nregistrar.register(bundle);\n// bundle is now populated with all stores and credentials available from the configuration object.\n```\n\n:raised_hand: When using the Spring Boot Starter, a fully populated [CredentialBundles](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/bundle/CredentialBundles.java) bean will be injected automatically based on the credentials configuration. 
See [Section 8.3, The Spring Boot Starter for Credentials Support](#the-spring-boot-starter-for-credentials-support).\n\nOnce a [CredentialBundles](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/bundle/CredentialBundles.java) object has been set up, it can be queried for registered keystores and credentials.\n\n```java\nfinal CredentialBundles bundles = ...;\n\nfinal PkiCredential credential1 = bundles.getCredential(\"cred1\");\n```\n\n\u003ca name=\"pki-credential-collection\"\u003e\u003c/a\u003e\n### 5.2. PkiCredentialCollection\n\nThe [PkiCredentialCollection](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/PkiCredentialCollection.java) class is intended for applications that need to configure several credentials, for example a SAML Identity Provider that has a signature key, an encryption key and possibly other keys.\n\nBy using any of the pre-defined [Predicate](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/util/function/Predicate.html)s, or by supplying a custom [Predicate](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/util/function/Predicate.html), a specific credential is returned from the collection.\n\nThe pre-defined [Predicate](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/util/function/Predicate.html)s are:\n\n- `isRsa` - Predicate that tells whether a credential holds an RSA key.\n\n- `isEc` - Predicate that tells whether a credential holds an EC key.\n\n- `isHardwareCredential` - Predicate that tells whether a credential is a hardware credential, i.e., stored on an HSM.\n\n- `keyId(id)` - Method that returns a Predicate that checks if a credential has a given key ID.\n\n- `usage(u)` - Method that returns a Predicate that checks if a credential has a given usage.\n\n- `signatureUsage` - Predicate that checks if the 
credential has the `signing` usage.

- `encryptionUsage` - Predicate that checks if the credential has the `encryption` usage.

- `unspecifiedUsage` - Predicate that checks if the credential does not have a specified usage.

- `isActive` - Predicate that checks if the credential is "active", meaning that the current time is within the `active-from` and `active-to` properties. If no such properties are set, the credential is assumed to be active.

- `noLongerActive` - Predicate that checks if the credential is no longer active, meaning that the `active-to` metadata setting is before the current time.

- `isNotYetActive` - Predicate that tells whether the credential is "not yet active", meaning that the `active-from` metadata setting is after the current time.

- `forFutureSigning` - Predicate that tells whether a credential is intended to be the signing credential in the future. It is a combination of `signatureUsage` and `isNotYetActive`.

<a name="configuration-support"></a>
### 5.3. Configuration Support

The package [se.swedenconnect.security.credential.config](https://github.com/swedenconnect/credentials-support/tree/main/credentials-support/src/main/java/se/swedenconnect/security/credential/config) contains interfaces for configuring [KeyStore](https://docs.oracle.com/en/java/javase/21/docs/api/java.base/java/security/KeyStore.html) and [PkiCredential](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/PkiCredential.java) instances.

Each interface also has a corresponding implementation class under the [se.swedenconnect.security.credential.config.properties](https://github.com/swedenconnect/credentials-support/tree/main/credentials-support/src/main/java/se/swedenconnect/security/credential/config/properties) package.

The reason that interfaces are used is that we want to make it possible to use the [SmallRye Configuration Library](https://smallrye.io/smallrye-config/) to configure keystores and credentials. For Spring use, the corresponding concrete classes are used.

The following configuration interfaces and classes are available:

| Interface | Class | Description |
| :--- | :--- | :--- |
| [StoreConfiguration](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/config/StoreConfiguration.java) | [StoreConfigurationProperties](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/config/properties/StoreConfigurationProperties.java) | Configuration for creating a [KeyStore](https://docs.oracle.com/en/java/javase/21/docs/api/java.base/java/security/KeyStore.html). This includes configuration support for configuring a PKCS#11 [KeyStore](https://docs.oracle.com/en/java/javase/21/docs/api/java.base/java/security/KeyStore.html).<br />See [5.3.1](#store-configuration-properties). |
| [PemCredentialConfiguration](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/config/PemCredentialConfiguration.java) | [PemCredentialConfigurationProperties](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/config/properties/PemCredentialConfigurationProperties.java) | Configuration for creating a [PkiCredential](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/PkiCredential.java) using PEM-encoded certificate(s)/public keys and private keys. Both references to resources and inline PEM-encodings are supported.<br />See [5.3.3](#pem-credential-configuration-properties). |
| [StoreCredentialConfiguration](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/config/StoreCredentialConfiguration.java) | [StoreCredentialConfigurationProperties](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/config/properties/StoreCredentialConfigurationProperties.java) | Configuration for creating a [PkiCredential](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/PkiCredential.java) backed by a [KeyStore](https://docs.oracle.com/en/java/javase/21/docs/api/java.base/java/security/KeyStore.html).<br />See [5.3.4](#store-credential-configuration-properties). |
| [PkiCredentialConfiguration](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/config/PkiCredentialConfiguration.java) | [PkiCredentialConfigurationProperties](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/config/properties/PkiCredentialConfigurationProperties.java) | Configuration support for configuring a [PkiCredential](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/PkiCredential.java) outside of the bundles concept. One, and exactly one, of `bundle`, `jks` or `pem` must be supplied.<br />See [5.3.5](#pki-credential-configuration-properties). |
| [CredentialBundlesConfiguration](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/config/CredentialBundlesConfiguration.java) | [CredentialBundlesConfigurationProperties](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/config/properties/CredentialBundlesConfigurationProperties.java) | Configuration for bundles of credentials and keystores.<br />If both PEM and JKS (keystore) credentials are configured, the IDs assigned must be unique across all credentials, i.e., the same ID can not be used for PEM and JKS.<br />See [5.3.6](#credential-bundles-configuration-properties). |

<a name="store-configuration-properties"></a>
#### 5.3.1. StoreConfigurationProperties

Configuration for creating a [KeyStore](https://docs.oracle.com/en/java/javase/21/docs/api/java.base/java/security/KeyStore.html).

| Property | Description | Type |
| :--- | :--- | :--- |
| `location` | Location of the keystore. Spring and [SmallRye](https://smallrye.io/smallrye-config/) prefixes such as "classpath:" and "file:" are supported. For PKCS#11 keystores, this property should not be assigned. | String |
| `password` | The password for unlocking the keystore. | String |
| `type` | The type of keystore, e.g. "JKS", "PKCS12" or "PKCS11". | String |
| `provider` | The name of the Security provider to use when setting up the keystore. If not assigned, a system default will be used. | String |
| `pkcs11.*` | If the `type` is "PKCS11" and the provider is not statically configured for PKCS#11, additional PKCS#11 configuration needs to be supplied. Note that the security provider used must support PKCS#11 via the KeyStoreSpi interface. "SunPKCS11" is such a provider. | See [Pkcs11ConfigurationProperties](#pkcs11-configuration-properties) below |

<a name="pkcs11-configuration-properties"></a>
##### 5.3.1.1. Pkcs11ConfigurationProperties

Additional configuration of PKCS#11 key stores.

| Property | Description | Type |
| :--- | :--- | :--- |
| `configuration-file` | The complete path of the PKCS#11 configuration file with which the PKCS#11 device is configured. | String |
| `settings.*` | As an alternative to providing the PKCS#11 configuration file, each PKCS#11 setting can be provided separately. This property holds these detailed settings. | See Pkcs11SettingsProperties below |

**Pkcs11SettingsProperties:**

| Property | Description | Type |
| :--- | :--- | :--- |
| `library` | The PKCS#11 library path. | String |
| `name` | The name of the PKCS#11 slot. | String |
| `slot` | The slot number/id to use. | String |
| `slot-list-index` | The slot index to use. | Integer |

<a name="base-credential-configuration-properties"></a>
#### 5.3.2. BaseCredentialConfigurationProperties

The [AbstractBaseCredentialConfigurationProperties](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/config/properties/AbstractBaseCredentialConfigurationProperties.java) class is a base class that is used by both [PemCredentialConfigurationProperties](#pem-credential-configuration-properties) and [StoreCredentialConfigurationProperties](#store-credential-configuration-properties). It defines properties that are common for all types of credentials.

| Property | Description | Type |
| :--- | :--- | :--- |
| `name` | The name of the credential. | String |
| `key-id` | Key identifier metadata property. | String |
| `issued-at` | Issued-at metadata property. | [Instant](https://docs.oracle.com/en/java/javase/21/docs/api/java.base/java/time/Instant.html) |
| `expires-at` | Expires-at metadata property. | [Instant](https://docs.oracle.com/en/java/javase/21/docs/api/java.base/java/time/Instant.html) |
| `metadata` | Additional metadata in the form of key-value pairs. | [Map](https://docs.oracle.com/en/java/javase/21/docs/api/java.base/java/util/Map.html) where both keys and values are Strings |

<a name="pem-credential-configuration-properties"></a>
#### 5.3.3. PemCredentialConfigurationProperties

Configuration for creating a [PkiCredential](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/PkiCredential.java) using PEM-encoded certificate(s)/public keys and private keys.
Both references to resources and inline PEM-encodings are supported.

In addition to the [BaseCredentialConfigurationProperties](#base-credential-configuration-properties) the following properties are used to configure a PEM-based credential:

| Property | Description | Type |
| :--- | :--- | :--- |
| `public-key` | Location or content of the public key in PEM format. This setting is mutually exclusive with the `certificates` setting. | String |
| `certificates` | Location or content of the certificate or certificate chain in PEM format. If more than one certificate is supplied, the entity certificate, i.e., the certificate holding the public key of the key pair, must be placed first. This setting is mutually exclusive with the `public-key` setting. | String |
| `private-key` | Location or content of the private key in PEM format. | String |
| `key-password` | Password used to decrypt the private key (if it is given in encrypted format). | String |

Examples illustrating how a PEM-based credential can be configured:

```yml
credential:
  bundles:
    ...
    pem:
      cred1:
        certificates: file:/opt/keys/test1.pem.crt
        private-key: file:/opt/keys/test1.pkcs8.key
        name: "Example credential #1"
```

```yml
credential:
  bundles:
    ...
    pem:
      cred2:
        certificates: |
          -----BEGIN CERTIFICATE-----
          MIIDFDCCAfygAwIBAgIEZyt6yTANBgkqhkiG9w0BAQsFADBMMQswCQYDVQQGEwJT
          RTEXMBUGA1UECgwOU3dlZGVuIENvbm5lY3QxFDASBgNVBAsMC0RldmVsb3BtZW50
          ...
          wVz5c0ouR+c54aoJn1oVg6PCga41gvEtc03Fl0W0vmxs0QZHg15g7Mugd4jQzi/9
          6mrCVbGyFIYkGi4vgVA+aMVYyyaSXKyN
          -----END CERTIFICATE-----
        private-key: |
          -----BEGIN PRIVATE KEY-----
          MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCX9V5RUFhAId1X
          JVBPYN0lWkV4sWrZuPzxRTYDdA5LNsLPXmu/lthjLk1RLYqxJidsywJWTzkNS3FU
          ...
          5MGCkA4SKlmCZFqyKq6W7Dxk+dz55VNoZNAKpYaPIex885cl1A6/7OxMt4V3Fp/Z
          gwfASW4la2qIv1z4fIuR4Tnz3uE7UXdfHJSBVr0D0fFf7JrOQV0lMx5wr3X4jcKQ
          6gE2jgKrhq3F/BbqbDEk7mTfHw==
          -----END PRIVATE KEY-----
        name: "Example credential #2"
```

<a name="store-credential-configuration-properties"></a>
#### 5.3.4. StoreCredentialConfigurationProperties

Configuration for creating a [PkiCredential](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/PkiCredential.java) backed by a [KeyStore](https://docs.oracle.com/en/java/javase/21/docs/api/java.base/java/security/KeyStore.html).

In addition to the [BaseCredentialConfigurationProperties](#base-credential-configuration-properties) the following properties are used to configure a JKS-based credential:

| Property | Description | Type |
| :--- | :--- | :--- |
| `store` | Configuration for the [KeyStore](https://docs.oracle.com/en/java/javase/21/docs/api/java.base/java/security/KeyStore.html) holding the key pair entry. Mutually exclusive with the `store-reference` property. | [StoreConfigurationProperties](#store-configuration-properties) |
| `store-reference` | A store reference. As an alternative to giving the key store configuration, a reference to a key store configuration may be given. This feature may be used when one key store holds several keys. Makes use of the [Bundles Concept](#the-bundles-concept). | String |
| `monitor` | Setting telling whether the credential should be configured for [monitoring](#monitoring). The default is `true` if the store used is a PKCS#11 store, and `false` otherwise. | Boolean |
| `key.alias` | The alias that identifies the key pair in the key store.<br />If the store is a PKCS#11 store, this setting corresponds to the PKCS#11 `CKA_LABEL` attribute for the object holding the private key on the device. | String |
| `key.key-password` | The password to unlock the key entry identified by the given alias. If not given, the store password will be used (in these cases, using a store reference will not function). | String |
| `key.certificates` | For some credentials where an underlying KeyStore is being used, an external certificate should be used. The most typical example would be a PKCS#11 key store where the certificate of the key pair resides outside the HSM device. This setting holds the location or content of the certificate or certificate chain in PEM format. | String |

Example:

```yml
credential:
  bundles:
    keystore:
      ks1:
        ...
    jks:
      cred1:
        name: "Example credential #1"
        store-reference: ks1
        key:
          alias: test1
          key-password: secret
        monitor: true
        key-id: 123456
        issued-at: "2024-11-15T14:08:26Z"
        metadata:
          algorithm: RSA
          keyuse: sign
      cred2:
        name: "Example credential #2"
        store:
          location: file:/opt/keys/example.p12
          password: secret
          type: PKCS12
        key:
          alias: mykey
```

The example above illustrates how two JKS credentials are configured. The first one refers to an already configured keystore and the other configures the store inline. Also note how metadata is configured for the first credential.

<a name="pki-credential-configuration-properties"></a>
#### 5.3.5. PkiCredentialConfigurationProperties

The [PkiCredentialConfigurationProperties](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/config/properties/PkiCredentialConfigurationProperties.java) class is not used when setting up a credential using the [Bundles Concept](#the-bundles-concept).
It is aimed to be used as the primary configuration object when a [PkiCredential](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/PkiCredential.java) is to be configured directly in an application.\n\n| Property | Description | Type |\n| :--- | :--- | :--- |\n| `bundle` | Reference to a [PkiCredential](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/PkiCredential.java) accessible via the [CredentialBundles](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/bundle/CredentialBundles.java) bean. | String |\n| `jks` | Configuration for a JKS (Java KeyStore) based credential. | [StoreCredentialConfigurationProperties](#store-credential-configuration-properties) |\n| `pem` | Configuration for a PEM-based credential. | [PemCredentialConfigurationProperties](#pem-credential-configuration-properties) |\n\n:exclamation: One, and exactly one, of `bundle`, `jks` or `pem` must be supplied.\n\nStudy the [TestConfigurationProperties](https://github.com/swedenconnect/credentials-support/blob/main/softhsm/src/main/java/se/swedenconnect/security/credential/test/TestConfigurationProperties.java) and [TestConfiguration](https://github.com/swedenconnect/credentials-support/blob/main/softhsm/src/main/java/se/swedenconnect/security/credential/test/TestConfiguration.java) in the application example for how a [PkiCredentialConfigurationProperties](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/config/properties/PkiCredentialConfigurationProperties.java) class can be used in an application's configuration to inject a credential (from a bundle or directly configured).\n\n\u003ca 
name=\"credential-bundles-configuration-properties\"\u003e\u003c/a\u003e\n#### 5.3.6. CredentialBundlesConfigurationProperties\n\nThe [CredentialBundlesConfigurationProperties](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/config/properties/CredentialBundlesConfigurationProperties.java) class is the main configuration class for setting up a [CredentialBundles](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/bundle/CredentialBundles.java) bean (see [5.1](#the-bundles-concept) above).\n\n| Property | Description | Type |\n| :--- | :--- | :--- |\n| `keystore` | Map of key store ID:s and key store configurations. | Map where keys are Strings (ID:s) and the values are [StoreConfigurationProperties](#store-configuration-properties). |\n| `pem` | Map of credential ID:s and PEM based credential configurations. | Map where keys are Strings (ID:s) and the values are [PemCredentialConfigurationProperties](#pem-credential-configuration-properties). |\n| `jks` | Map of credential ID:s and key store based credential configurations. | Map where keys are Strings (ID:s) and the values are [StoreCredentialConfigurationProperties](#store-credential-configuration-properties). 
|\n\n:exclamation: If both PEM and JKS (keystore) credentials are configured, the ID:s assigned must be unique for all credentials, i.e., the same ID can not be used for PEM and JKS.\n\n**Example:**\n\n```yml\ncredential:\n  bundles:\n    keystore:\n      ks1:\n        location: file:/opt/keys/test-1.jks\n        password: secret\n        type: JKS\n      p11:\n        password: secret\n        type: PKCS11\n        provider: SunPKCS11\n        pkcs11:\n          configuration-file: /opt/config/p11.conf\n    jks:\n      test1:\n        store-reference: ks1\n        name: \"Test1\"\n        key:\n          alias: test1\n          key-password: secret\n        monitor: true\n        key-id: 123456\n        issued-at: \"2024-11-15T14:08:26Z\"\n        metadata:\n          algorithm: RSA\n          keyuse: sign\n      test2:\n        store:\n          location: classpath:test-2.p12\n          password: secret\n          type: PKCS12\n        name: \"Test2\"\n        key:\n          alias: test2\n      testP11:\n        store-reference: p11\n        name: \"TestPkcs11\"\n        key:\n          key-password: secret\n          alias: test1\n        monitor: true\n    pem:\n      test3:\n        certificates: classpath:test3.pem.crt\n        private-key: classpath:test3.pkcs8.key\n        name: \"Test3\"\n      test3b:\n        public-key: classpath:test3.pubkey.pem\n        private-key: classpath:test3.pkcs8.key\n        name: \"Test3b\"\n      test4:\n        certificates: classpath:test4.pem.crt\n        private-key: classpath:test4.pkcs8.enc.key\n        key-password: secret\n        name: \"Test4\"\n      test5:\n        certificates: |\n          -----BEGIN CERTIFICATE-----\n          MIIDFDCCAfygAwIBAgIEZyt6yTANBgkqhkiG9w0BAQsFADBMMQswCQYDVQQGEwJT\n          RTEXMBUGA1UECgwOU3dlZGVuIENvbm5lY3QxFDASBgNVBAsMC0RldmVsb3BtZW50\n          ...\n          wVz5c0ouR+c54aoJn1oVg6PCga41gvEtc03Fl0W0vmxs0QZHg15g7Mugd4jQzi/9\n          6mrCVbGyFIYkGi4vgVA+aMVYyyaSXKyN\n          
-----END CERTIFICATE-----\n        private-key: |\n          -----BEGIN PRIVATE KEY-----\n          MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCX9V5RUFhAId1X\n          JVBPYN0lWkV4sWrZuPzxRTYDdA5LNsLPXmu/lthjLk1RLYqxJidsywJWTzkNS3FU\n          ...\n          6gE2jgKrhq3F/BbqbDEk7mTfHw==\n          -----END PRIVATE KEY-----\n        name: \"Test5\"\n```\n\n\u003ca name=\"pki-credential-collection-configuration-properties\"\u003e\u003c/a\u003e\n#### 5.3.7. PkiCredentialCollectionConfigurationProperties\n\nThe [PkiCredentialCollectionConfigurationProperties](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/config/properties/PkiCredentialCollectionConfigurationProperties.java) class is the main configuration class for creating a [PkiCredentialCollection](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/PkiCredentialCollection.java) bean (see [5.2](#pki-credential-collection) above).\n\n| Property | Description | Type |\n| :--- | :--- | :--- |\n| `credentials` | A list of [PkiCredentialConfigurationProperties](#pki-credential-configuration-properties) objects. 
| List of [PkiCredentialConfigurationProperties](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/config/properties/PkiCredentialConfigurationProperties.java) |\n\n**Example:**\n\n```yml\ncredential:\n  collection:\n    bundles:\n      jks:\n        cred1:\n          ...\n    credentials:\n      - bundle: cred1\n      - jks:\n          name: \"IdP Signing\"\n          store:\n            location: file:/opt/keys/example.p12\n            password: secret\n            type: PKCS12\n          key:\n            alias: signing\n          usage: signing\n```\n\nEach credential of the collection can either refer to a bundle or be configured \"in place\".\n\n\u003ca name=\"spring-credential-configuration-properties\"\u003e\u003c/a\u003e\n#### 5.3.8. SpringCredentialConfigurationProperties\n\nThe Spring Boot Starter, as described in [Section 8.3](#the-spring-boot-starter-for-credentials-support), defines the class [SpringCredentialConfigurationProperties](https://github.com/swedenconnect/credentials-support/blob/main/spring/credentials-support-spring-boot-starter/src/main/java/se/swedenconnect/security/credential/spring/autoconfigure/SpringCredentialConfigurationProperties.html). This class is the main Spring Boot configuration properties class (bound to the `credential` key) for autowiring bundles, collections and monitoring.\n\n| Property | Description | Type |\n| :--- | :--- | :--- |\n| `bundles` | Configuration properties for bundles of credentials and key stores. 
See [Section 5.3.6](#credential-bundles-configuration-properties) above. | [CredentialBundlesConfigurationProperties](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/config/properties/CredentialBundlesConfigurationProperties.java) |\n| `collection` | Configuration for setting up a [PkiCredentialCollection](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/PkiCredentialCollection.java) bean. See [Section 5.3.7](#pki-credential-collection-configuration-properties) above. | [PkiCredentialCollectionConfigurationProperties](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/config/properties/PkiCredentialCollectionConfigurationProperties.java) |\n| `monitoring.enabled` | Whether credential monitoring is enabled. If enabled, a [CredentialMonitorBean](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/monitoring/CredentialMonitorBean.java) is set up to monitor all credentials (that are configured for monitoring). | Boolean |\n| `monitoring.test-interval` | The interval between tests of credentials. The default is 10 minutes. | [Duration](https://docs.oracle.com/en/java/javase/21/docs/api/java.base/java/time/Duration.html) |\n| `monitoring.health-endpoint-enabled` | Whether a HealthEndpoint for monitoring should be set up. See [Section 8.3.1, Credential Monitoring Health Endpoint](#credential-monitoring-health-endpoint). | Boolean |\n\n\u003ca name=\"monitoring\"\u003e\u003c/a\u003e\n## 6. Monitoring\n\nWhen using an HSM there is a possibility that the connection with the device is lost. The result is that the instantiated credential stops working. Therefore, the **credentials-support** library offers ways to test and reload credentials. 
The credential types that support testing and reloading implement the [ReloadablePkiCredential](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/ReloadablePkiCredential.java) interface.\n\nAn application that makes use of credentials that may fail, and may need to be reloaded, needs to set up a monitor that periodically tests that all monitored credentials are functional and, if not, tries to reload them.\n\nBy implementing the [CredentialMonitorBean](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/monitoring/CredentialMonitorBean.java) interface and scheduling it to run periodically, one or more credentials can be monitored.\n\nThe [DefaultCredentialMonitorBean](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/monitoring/DefaultCredentialMonitorBean.java) is the default implementation of this interface. It can be configured with a number of callbacks that can be used for raising alarms or producing audit logs.\n\n\u003e The [Spring Boot Starter for Credentials Support](#the-spring-boot-starter-for-credentials-support) creates a monitor bean automatically based on the credential configuration.\n\n\u003ca name=\"credential-containers\"\u003e\u003c/a\u003e\n## 7. Credential Containers for Managing Keys\n\nThis library provides support for setting up a credential container for generating, storing and managing public and private key pairs.\n\nThe primary use case for the credential container is when key pairs for user accounts are generated and maintained by an application and these keys are generated and stored in an HSM slot. 
A typical such usage is when a signing service needs to generate a signing key for a document signer (user), where this key is used to sign a document and is then permanently deleted/destroyed without ever leaving the HSM.\n\nSuch a procedure is necessary for the highest level of confidence that the signing key is kept under so-called \"sole-control\" in accordance with the eIDAS regulation, which ensures that the key can never be copied or used by any other process or person to sign any other document under another identity.\n\nEven though the HSM option is the primary use case, the credential container also supports software-based or in-memory key storage.\n\n\u003ca name=\"creating-a-credential-container\"\u003e\u003c/a\u003e\n### 7.1. Creating a Credential Container\n\nA credential container is created according to the following examples:\n\n\u003ca name=\"hsm-based-credential-container\"\u003e\u003c/a\u003e\n#### 7.1.1. HSM-based Credential Containers\n\nA credential container backed by an HSM via the PKCS#11 interface is implemented by the [HsmPkiCredentialContainer](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/container/HsmPkiCredentialContainer.java) class.\n\n```java\nfinal PkiCredentialContainer credentialContainer = new HsmPkiCredentialContainer(provider, hsmSlotPin);\n```\n\nThe `provider` parameter is the security provider that implements the HSM slot, and the `hsmSlotPin` is the PIN code for accessing the HSM slot.\n\nInstead of supplying a provider for the HSM slot as input, you may provide a `Pkcs11Configuration` object:\n\n```java\nfinal Pkcs11Configuration pkcs11Configuration = ...\nfinal PkiCredentialContainer credentialContainer =\n    new HsmPkiCredentialContainer(pkcs11Configuration, hsmSlotPin);\n```\n\nIn most cases, the connection to the HSM device is configured using a PKCS#11 configuration file, and\na `HsmPkiCredentialContainer` may be 
initialized by giving the full path to such a file.\n\n```java\nfinal String p11ConfigFile = \"/opt/config/p11/hsm.cfg\";\nfinal PkiCredentialContainer credentialContainer =\n    new HsmPkiCredentialContainer(p11ConfigFile, hsmSlotPin);\n```\n\n\u003ca name=\"in-memory-keystore-based-credential-container\"\u003e\u003c/a\u003e\n#### 7.1.2. In-memory KeyStore-based Credential Container\n\nThe above example uses a Java [KeyStore](https://docs.oracle.com/en/java/javase/21/docs/api/java.base/java/security/KeyStore.html) to maintain the keys/credentials in the HSM, but it is also possible to use a container that uses a [KeyStore](https://docs.oracle.com/en/java/javase/21/docs/api/java.base/java/security/KeyStore.html) that resides in memory. The [SoftPkiCredentialContainer](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/container/SoftPkiCredentialContainer.java) class is mainly intended to mimic the behaviour of `HsmPkiCredentialContainer` and may be used in tests and simulations. See [7.1.3](#in-memory-credential-container) below for an in-memory credential container that does not take the detour via a KeyStore.\n\nAn in-memory KeyStore-based credential container is created as follows:\n\n```java\nfinal PkiCredentialContainer credentialContainer = new SoftPkiCredentialContainer(provider);\n```\n\nThe `provider` parameter is either a Java Security Provider, or the name of the security provider. This provider is used to create the key store used to store keys as well as to generate keys.\n\n\u003ca name=\"in-memory-credential-container\"\u003e\u003c/a\u003e\n#### 7.1.3. 
In-memory Credential Container\n\nIn order to use an in-memory based credential container, create an instance of [InMemoryPkiCredentialContainer](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/container/InMemoryPkiCredentialContainer.java) as follows:\n\n```java\nfinal InMemoryPkiCredentialContainer credentialContainer = new InMemoryPkiCredentialContainer(provider);\n```\n\nThe `provider` parameter is either a Java Security Provider, or the name of the security provider. This provider is used to create the key store used to store keys as well as to generate keys.\n\n\u003ca name=\"using-the-credential-container\"\u003e\u003c/a\u003e\n### 7.2. Using the Credential Container\n\nKeys are generated in the credential container by calling the method `generateCredential(keyType)`, where `keyType` is a string representing an algorithm and key type, see [KeyGenType](https://github.com/swedenconnect/credentials-support/blob/main/src/main/java/se/swedenconnect/security/credential/container/keytype/KeyGenType.java).\n\n**Example:** Generating a NIST P-256 EC key pair:\n\n```java\nfinal String alias = credentialContainer.generateCredential(KeyGenType.EC_P256);\n```\n\nThe returned alias is the handle used to obtain a [PkiCredential](https://github.com/swedenconnect/credentials-support/blob/main/src/main/java/se/swedenconnect/security/credential/PkiCredential.java) object for the newly generated key pair.\n\n```java\nfinal PkiCredential credential = credentialContainer.getCredential(alias);\n```\n\n**Destroying credentials after use**\n\nThe [PkiCredential](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/PkiCredential.java) objects returned from the credential container have extended capabilities to ensure that the private key is destroyed when calling the `destroy()` method of the 
`PkiCredential` object.\n\nIn order to ensure that private keys are properly removed after usage, implementations should:\n\n1. Create keys with as short a validity time as possible.\u003csup\u003e*\u003c/sup\u003e\n2. On all restarts and on suitable occasions, call the `cleanup()` method to ensure that old keys are properly deleted.\u003csup\u003e**\u003c/sup\u003e\n3. Always call the `destroy()` method immediately after the credential's last intended use.\n\n\u003e \\[\\*\\]: The validity time of a key pair (credential) is 15 minutes by default. It can be changed\nusing the `setKeyValidity` method on the container.\n\n\u003e \\[\\*\\*\\]: It is also wise to schedule a task that periodically invokes the `cleanup()` method of the container in use. By doing so we ensure that generated keys are not left too long in the container (expired credentials will be purged).\n\n\u003ca name=\"spring-support\"\u003e\u003c/a\u003e\n## 8. Spring Support\n\nBy including the **credentials-support-spring** artifact, the Credential Support is extended with Spring features.\n\n\u003ca name=\"spring-factories\"\u003e\u003c/a\u003e\n### 8.1. Spring Factories\n\nThe **credentials-support-spring** artifact offers the [se.swedenconnect.security.credential.spring.factory.PkiCredentialFactoryBean](https://github.com/swedenconnect/credentials-support/blob/main/spring/credentials-support-spring/src/main/java/se/swedenconnect/security/credential/spring/factory/PkiCredentialFactoryBean.java). 
This is a Spring-style factory that accepts different credential configuration objects (see [5.3](#configuration-support)).\n\n\u003e The [se.swedenconnect.security.credential.factory.PkiCredentialFactoryBean](https://github.com/swedenconnect/credentials-support/blob/main/spring/credentials-support-spring/src/main/java/se/swedenconnect/security/credential/factory/PkiCredentialFactoryBean.java) used in earlier versions of the **credentials-support** library has been deprecated and will be removed in future versions.\n\nThe library also offers the following factory beans:\n\n- [KeyStoreFactoryBean](https://github.com/swedenconnect/credentials-support/blob/main/spring/credentials-support-spring/src/main/java/se/swedenconnect/security/credential/spring/factory/KeyStoreFactoryBean.java) - for creating [KeyStore](https://docs.oracle.com/en/java/javase/21/docs/api/java.base/java/security/KeyStore.html) instances using the Spring factory bean concept. However, it is recommended to use the [Bundles Concept](#the-bundles-concept) when creating key stores.\n\n- [X509CertificateFactoryBean](https://github.com/swedenconnect/credentials-support/blob/feature/main/spring/credentials-support-spring/src/main/java/se/swedenconnect/security/credential/spring/factory/X509CertificateFactoryBean.java) - for creating [X509Certificate](https://docs.oracle.com/en/java/javase/21/docs/api/java.base/java/security/cert/X509Certificate.html) instances given a [Resource](https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/core/io/Resource.html).\n\n\u003ca name=\"spring-converters\"\u003e\u003c/a\u003e\n### 8.2. Spring Converters\n\nA Spring [Converter](https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/core/convert/converter/Converter.html) is an interface for type conversion. 
This feature is typically useful when using an application properties or YAML file and we want to convert from Strings in the property file to certain types.\n\nThe following converters are available:\n\n- [PropertyToPrivateKeyConverter](https://github.com/swedenconnect/credentials-support/blob/main/spring/credentials-support-spring/src/main/java/se/swedenconnect/security/credential/spring/converters/PropertyToPrivateKeyConverter.java) - A [Converter](https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/core/convert/converter/Converter.html) that gets a property value (e.g., `classpath:signing.key`) and instantiates a `PrivateKey` object.\u003cbr /\u003e\u003cbr /\u003e Note: The converter only handles non-encrypted private keys in DER, PEM, and PKCS#8 formats.\n\n- [PropertyToPublicKeyConverter](https://github.com/swedenconnect/credentials-support/blob/main/spring/credentials-support-spring/src/main/java/se/swedenconnect/security/credential/spring/converters/PropertyToPublicKeyConverter.java) - A [Converter](https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/core/convert/converter/Converter.html) that gets a property value (e.g., `classpath:trust.key`) and instantiates a `PublicKey` object.\n\n- [PropertyToX509CertificateConverter](https://github.com/swedenconnect/credentials-support/blob/main/spring/credentials-support-spring/src/main/java/se/swedenconnect/security/credential/spring/converters/PropertyToX509CertificateConverter.java) - A [Converter](https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/core/convert/converter/Converter.html) that gets a property value (e.g., `classpath:cert.crt`) and instantiates an `X509Certificate` object. 
The converter also handles \"inlined\" PEM certificates.\n\n- [PkiCredentialReferenceConverter](https://github.com/swedenconnect/credentials-support/blob/main/spring/credentials-support-spring/src/main/java/se/swedenconnect/security/credential/spring/converters/PkiCredentialReferenceConverter.java) - A [Converter](https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/core/convert/converter/Converter.html) that accepts a string that is a reference to a registered [PkiCredential](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/PkiCredential.java) and uses the\nsystem [CredentialBundles](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/bundle/CredentialBundles.java) bean to create a resolvable [PkiCredentialReference](https://github.com/swedenconnect/credentials-support/blob/main/spring/credentials-support-spring/src/main/java/se/swedenconnect/security/credential/spring/config/PkiCredentialReference.java).\n\n- [KeyStoreReferenceConverter](https://github.com/swedenconnect/credentials-support/blob/main/spring/credentials-support-spring/src/main/java/se/swedenconnect/security/credential/spring/converters/KeyStoreReferenceConverter.java) - A [Converter](https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/core/convert/converter/Converter.html) that accepts a string that is a reference to a registered [KeyStore](https://docs.oracle.com/en/java/javase/21/docs/api/java.base/java/security/KeyStore.html) and uses the system [CredentialBundles](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/bundle/CredentialBundles.java) bean to create a resolvable 
[KeyStoreReference](https://github.com/swedenconnect/credentials-support/blob/main/spring/credentials-support-spring/src/main/java/se/swedenconnect/security/credential/spring/config/KeyStoreReference.java).\n\nIf the Spring Boot starter is used, these converters will be automatically installed. Otherwise, they have to be \"manually\" configured, see \u003chttps://docs.spring.io/spring-framework/reference/core/validation/convert.html\u003e.\n\n\n\u003ca name=\"the-spring-boot-starter-for-credentials-support\"\u003e\u003c/a\u003e\n### 8.3. The Spring Boot Starter for Credentials Support\n\nThe **credentials-support-spring-boot-starter** gives a number of useful features:\n\n- Injection of a fully populated [CredentialBundles](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/bundle/CredentialBundles.java) bean. This bean is populated based on the configuration described in [Section 5, Credential Bundles, Collections and Configuration Support](#credential-bundles-collections-and-configuration-support).\n\n- Automatic registration of the converters documented in [Section 8.2, Spring Converters](#spring-converters).\n\n- The creation and injection of a scheduled [CredentialMonitorBean](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/monitoring/CredentialMonitorBean.java) bean.\n\n- As part of the monitoring of credentials a number of application events are published. These events may be used for alarms or audit logging. 
The events are:\n\n    - [SuccessfulCredentialTestEvent](https://github.com/swedenconnect/credentials-support/blob/main/spring/credentials-support-spring-boot-starter/src/main/java/se/swedenconnect/security/credential/spring/monitoring/events/SuccessfulCredentialTestEvent.java) - An event that is signalled when a credential has been tested and the test was successful.\n    \n    - [FailedCredentialTestEvent](https://github.com/swedenconnect/credentials-support/blob/main/spring/credentials-support-spring-boot-starter/src/main/java/se/swedenconnect/security/credential/spring/monitoring/events/FailedCredentialTestEvent.java) - An event that is signalled when a credential has been tested and the test failed.\n    \n    - [SuccessfulCredentialReloadEvent](https://github.com/swedenconnect/credentials-support/blob/main/spring/credentials-support-spring-boot-starter/src/main/java/se/swedenconnect/security/credential/spring/monitoring/events/SuccessfulCredentialReloadEvent.java) - An event that is signalled when a credential has been reloaded successfully.\n    \n    - [FailedCredentialReloadEvent](https://github.com/swedenconnect/credentials-support/blob/main/spring/credentials-support-spring-boot-starter/src/main/java/se/swedenconnect/security/credential/spring/monitoring/events/FailedCredentialReloadEvent.java) - An event that is signalled when a credential has been reloaded with an error. This means that the credential no longer is functional.\n    \n- If configured (`credential.bundle.monitoring.health-endpoint-enabled` is set), an actuator health endpoint for credential monitoring is configured and made active. See below.\n\n\u003ca name=\"credential-monitoring-health-endpoint\"\u003e\u003c/a\u003e\n#### 8.3.1. 
Credential Monitoring Health Endpoint\n\nIf the property `credential.bundle.monitoring.health-endpoint-enabled` is set, the actuator health endpoint [CredentialMonitorHealthIndicator](https://github.com/swedenconnect/credentials-support/blob/main/spring/credentials-support-spring-boot-starter/src/main/java/se/swedenconnect/security/credential/spring/actuator/CredentialMonitorHealthIndicator.java) is created and registered under the name `credential-monitor`.\n\nIf everything is looking good (no failed tests or reloads), an output like the following will be returned:\n\n```json\n{\n  \"status\" : \"UP\",\n  \"details\" : {\n    \"credentials\" : [\n      {\n        \"credential-name\" : \"Signing\",\n        \"test-result\" : \"success\"\n      },\n      {\n        \"credential-name\" : \"Encryption\",\n        \"test-result\" : \"success\"\n      }\n    ]\n  }\n}\n```\n\nThe `credential-name` holds the configured name for the credential (see [Section 3.1](#credential-name)).\n\nAn error may look like:\n\n```json\n{\n  \"status\" : \"DOWN\",\n  \"details\" : {\n    \"credentials\" : [\n      {\n        \"credential-name\" : \"Signing\",\n        \"test-result\" : \"success\"\n      },\n      {\n        \"credential-name\" : \"Encryption\",\n        \"test-result\" : \"failure\",\n        \"test-error\" : \"Failed to access the private key\",\n        \"test-exception\" : \"java.lang.SecurityException\",\n        \"reload-result\" : \"failure\",\n        \"reload-error\" : \"No contact with PKCS#11 device\",\n        \"reload-exception\" : \"java.security.KeyStoreException\"\n      }\n    ]\n  }\n}\n```\n\nIn the above example, both the test and the reload of the credential named \"Encryption\" have failed.\n\nThe health endpoint delivers a details-map, where the `credentials` key holds a list of objects (one for each monitored credential). 
These objects have the following fields:\n\n| Field | Description |\n| :--- | :--- |\n| `credential-name` | The name of the credential that was tested (and possibly reloaded). |\n| `test-result` | The result of a test. May be `success` or `failure`. |\n| `test-error` | If the `test-result` is `failure`, this field holds a string describing the test error. |\n| `test-exception` | If the `test-result` is `failure`, this field holds the class name for the exception that occurred during testing. |\n| `reload-result` | If a test failed, the credential is reloaded. This field holds the result of the reloading. May be `success` or `failure`. |\n| `reload-error` | If the `reload-result` is `failure`, this field holds a string describing the reload error. |\n| `reload-exception` | If the `reload-result` is `failure`, this field holds the class name for the exception that occurred during reloading. |\n\n\u003ca name=\"opensaml-support\"\u003e\u003c/a\u003e\n## 9. OpenSAML Support\n\nThe library **credentials-support-opensaml** contains the [OpenSamlCredential](https://github.com/swedenconnect/credentials-support/blob/main/opensaml/src/main/java/se/swedenconnect/security/credential/opensaml/OpenSamlCredential.java) class, which wraps a [PkiCredential](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/PkiCredential.java) as an OpenSAML [X509Credential](https://shibboleth.net/api/java-opensaml/5.0.0/org/opensaml/security/x509/X509Credential.html). 
This enables us to use the configuration support of the **credentials-support** library and use our credentials in an OpenSAML context.\n\nThe **credentials-support-opensaml** library also defines the following transformers:\n\n- [OpenSamlCredentialTransformerFunction](https://github.com/swedenconnect/credentials-support/blob/main/opensaml/src/main/java/se/swedenconnect/security/credential/opensaml/OpenSamlCredentialTransformerFunction.java), which can be supplied to the `transform` method of an existing [PkiCredential](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/PkiCredential.java) and create an [OpenSamlCredential](https://github.com/swedenconnect/credentials-support/blob/main/opensaml/src/main/java/se/swedenconnect/security/credential/opensaml/OpenSamlCredential.java) instance.\n\n- [KeyDescriptorTransformerFunction](https://github.com/swedenconnect/credentials-support/blob/main/opensaml/src/main/java/se/swedenconnect/security/credential/opensaml/KeyDescriptorTransformerFunction.java), which can be used to create a SAML `md:KeyDescriptor` element to be included in SAML metadata.\n\n\u003ca name=\"nimbus-support\"\u003e\u003c/a\u003e\n## 10. 
Nimbus Support\n\nThe **credentials-support-nimbus** library offers support for working with [Nimbus](https://connect2id.com/products/nimbus-jose-jwt) datatypes such as the [JWK](https://connect2id.com/products/nimbus-jose-jwt/examples/jwk-generation) class in conjunction with [PkiCredential](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/PkiCredential.java) objects.\n\nIt introduces the [JwkTransformerFunction](https://github.com/swedenconnect/credentials-support/blob/main/nimbus/src/main/java/se/swedenconnect/security/credential/nimbus/JwkTransformerFunction.java) for transforming a [PkiCredential](https://github.com/swedenconnect/credentials-support/blob/main/credentials-support/src/main/java/se/swedenconnect/security/credential/PkiCredential.java) into a [JWK](https://www.javadoc.io/doc/com.nimbusds/nimbus-jose-jwt/latest/com/nimbusds/jose/jwk/JWK.html) instance.\n\nAlso check the [JwkMetadataProperties](https://github.com/swedenconnect/credentials-support/blob/main/nimbus/src/main/java/se/swedenconnect/security/credential/nimbus/JwkMetadataProperties.java) for definitions of metadata keys useful for a JWK.\n\n\u003e Note: This library will be extended with more useful features in future versions.\n\n\u003ca name=\"pkcs11-specifics\"\u003e\u003c/a\u003e\n## 11. PKCS#11 Specifics\n\n\u003ca name=\"using-softhsm-to-test-pkcs11-credentials\"\u003e\u003c/a\u003e\n### 11.1. Using SoftHSM to Test PKCS#11 Credentials\n\n[SoftHSM](https://wiki.opendnssec.org/display/SoftHSMDOCS) is a great way to test your PKCS#11 credentials without an actual HSM. 
The **credentials-support** library contains a simple Spring Boot app that illustrates how to set up SoftHSM and how to configure your PKCS#11 devices, see the [softhsm](https://github.com/swedenconnect/credentials-support/tree/main/softhsm) directory for details.\n\nOnce you have an application that is set up to use credentials from an HSM, this library also includes a set of scripts that extend a Docker image with SoftHSM support. These scripts and their usage are described in [hsm-support-scripts/soft-hsm-deployment/README.md](https://github.com/swedenconnect/credentials-support/blob/main/hsm-support-scripts/soft-hsm-deployment/README.md).\n\n\u003ca name=\"key-generation-scripts\"\u003e\u003c/a\u003e\n### 11.2. Key Generation Scripts\n\nIn order to support generating and installing keys and key certificates in any HSM device as part of setting up a production environment, this repository also provides some supporting key generation scripts:\n\n- A PKCS#11 key generation script (p11-keygen.sh) used to generate keys and install certificates in an HSM slot.\n- A corresponding soft key generation script that creates key stores (JKS and PKCS12) to support test environment setup.\n\nFor further information, consult [hsm-support-scripts/key-generation/README.md](https://github.com/swedenconnect/credentials-support/blob/main/hsm-support-scripts/key-generation/README.md).\n\n\n---\n\nCopyright \u0026copy; 2020-2025, [Sweden Connect](https://swedenconnect.se). Licensed under version 2.0 of the [Apache License](http://www.apache.org/licenses/LICENSE-2.0).\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fswedenconnect%2Fcredentials-support","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fswedenconnect%2Fcredentials-support","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fswedenconnect%2Fcredentials-support/lists"}