Class BasicEncryptionParametersResolver

  • All Implemented Interfaces:
    net.shibboleth.utilities.java.support.resolver.Resolver<org.opensaml.xmlsec.EncryptionParameters,​net.shibboleth.utilities.java.support.resolver.CriteriaSet>, org.opensaml.xmlsec.EncryptionParametersResolver

    public class BasicEncryptionParametersResolver
    extends AbstractSecurityParametersResolver<org.opensaml.xmlsec.EncryptionParameters>
    implements org.opensaml.xmlsec.EncryptionParametersResolver
    Basic implementation of EncryptionParametersResolver.

    The following Criterion inputs are supported:

    • EncryptionConfigurationCriterion - required
    • KeyInfoGenerationProfileCriterion - optional
    • EncryptionOptionalCriterion - optional
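A typical use of this resolver, as an added example (not code from the OpenSAML project or this page): build an application-specific EncryptionConfiguration that allows only AES-GCM for data encryption and RSA-OAEP for key transport, blacklists the legacy RSA v1.5 and 3DES identifiers, layers it in front of the global default configuration, and lets the resolver pick the algorithm pair and auto-generate the per-message data encryption key. The recipient key pair is generated in-process purely as a stand-in for a real recipient's metadata key; in production the Credential would come from a metadata-backed credential resolver. The OpenSAML 3.x API names used here (EncryptionConstants, BasicEncryptionConfiguration, CredentialSupport, SecurityConfigurationSupport) are assumed from that release line.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Arrays;

import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.ResolverException;

import org.opensaml.core.config.InitializationService;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.CredentialSupport;
import org.opensaml.xmlsec.EncryptionParameters;
import org.opensaml.xmlsec.SecurityConfigurationSupport;
import org.opensaml.xmlsec.criterion.EncryptionConfigurationCriterion;
import org.opensaml.xmlsec.encryption.support.EncryptionConstants;
import org.opensaml.xmlsec.impl.BasicEncryptionConfiguration;
import org.opensaml.xmlsec.impl.BasicEncryptionParametersResolver;

public class EncryptionParametersExample {

    public static void main(String[] args) throws Exception {
        // Loads the global AlgorithmRegistry and default security configuration;
        // without this the runtime-support and whitelist/blacklist predicates have nothing to consult.
        InitializationService.initialize();

        // Constructed stand-in for the recipient's public key (normally taken from SAML metadata).
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(3072);
        KeyPair recipient = kpg.generateKeyPair();
        // Only the public half is needed to wrap the data encryption key for the recipient.
        Credential keyTransportCredential =
                CredentialSupport.getSimpleCredential(recipient.getPublic(), null);

        // Application policy: modern AEAD data encryption, OAEP key transport, legacy identifiers refused.
        BasicEncryptionConfiguration appConfig = new BasicEncryptionConfiguration();
        appConfig.setKeyTransportEncryptionCredentials(Arrays.asList(keyTransportCredential));
        appConfig.setDataEncryptionAlgorithms(Arrays.asList(
                EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256_GCM,
                EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128_GCM));
        appConfig.setKeyTransportEncryptionAlgorithms(Arrays.asList(
                EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP11,
                EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP));
        appConfig.setBlacklistedAlgorithms(Arrays.asList(
                EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15,
                EncryptionConstants.ALGO_ID_BLOCKCIPHER_TRIPLEDES));

        // The required criterion: configurations are consulted in order, so the
        // application config takes precedence and the global config fills any gaps.
        CriteriaSet criteria = new CriteriaSet(new EncryptionConfigurationCriterion(
                appConfig, SecurityConfigurationSupport.getGlobalEncryptionConfiguration()));

        BasicEncryptionParametersResolver resolver = new BasicEncryptionParametersResolver();
        // Have the resolver mint a fresh symmetric key matching the chosen data encryption algorithm,
        // so no application code handles key material for the content cipher.
        resolver.setAutoGenerateDataEncryptionCredential(true);

        EncryptionParameters params = resolveOrFail(resolver, criteria);

        System.out.println("data encryption algorithm : " + params.getDataEncryptionAlgorithm());
        System.out.println("key transport algorithm   : " + params.getKeyTransportEncryptionAlgorithm());
        System.out.println("RSA-OAEP parameters       : " + params.getRSAOAEPParameters());
        System.out.println("data key auto-generated   : "
                + (params.getDataEncryptionCredential() != null));
    }

    /**
     * resolveSingle() returns null when validate() rejects the result, e.g. when the
     * whitelist/blacklist policy or the runtime leaves no usable algorithm pair.
     * Treat that as a hard failure rather than silently sending plaintext.
     */
    static EncryptionParameters resolveOrFail(BasicEncryptionParametersResolver resolver,
                                              CriteriaSet criteria) throws ResolverException {
        EncryptionParameters params = resolver.resolveSingle(criteria);
        if (params == null) {
            throw new IllegalStateException(
                    "no valid EncryptionParameters could be resolved under the configured policy");
        }
        return params;
    }
}
```

The resolver applies the runtime-support predicate and the whitelist/blacklist predicate to every candidate URI before pairing an algorithm with a credential, so an identifier that is configured but blacklisted (or unsupported by the JCE provider) is skipped rather than selected. If the input lists leave no pair, the parameters fail validation and resolveSingle() returns null; the wrapper above turns that into an explicit error.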

    • Field Summary

      Fields 
      Modifier and Type Field Description
      private org.opensaml.xmlsec.algorithm.AlgorithmRegistry algorithmRegistry
      The AlgorithmRegistry used when processing algorithm URIs.
      private boolean autoGenerateDataEncryptionCredential
      Flag indicating whether the resolver should auto-generate data encryption credentials.
      private org.slf4j.Logger log
      Logger.
    • Method Summary

      Modifier and Type Method Description
      protected boolean credentialSupportsAlgorithm​(org.opensaml.security.credential.Credential credential, String algorithm)
      Evaluate whether the specified credential is supported for use with the specified algorithm URI.
      protected org.opensaml.security.credential.Credential generateDataEncryptionCredential​(String dataEncryptionAlgorithm)
      Generate a random data encryption symmetric key credential.
      org.opensaml.xmlsec.algorithm.AlgorithmRegistry getAlgorithmRegistry()
      Get the AlgorithmRegistry instance used when resolving algorithm URIs.
      protected Predicate<String> getAlgorithmRuntimeSupportedPredicate()
      Get a predicate which evaluates whether a cryptographic algorithm is supported by the runtime environment.
      protected List<String> getEffectiveDataEncryptionAlgorithms​(net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria, Predicate<String> whitelistBlacklistPredicate)
      Get the effective list of data encryption algorithm URIs to consider, including application of whitelist/blacklist policy.
      protected List<org.opensaml.security.credential.Credential> getEffectiveDataEncryptionCredentials​(net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria)
      Get the effective list of data encryption credentials to consider.
      protected List<String> getEffectiveKeyTransportAlgorithms​(net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria, Predicate<String> whitelistBlacklistPredicate)
      Get the effective list of key transport algorithm URIs to consider, including application of whitelist/blacklist policy.
      protected List<org.opensaml.security.credential.Credential> getEffectiveKeyTransportCredentials​(net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria)
      Get the effective list of key transport credentials to consider.
      protected Predicate<String> getWhitelistBlacklistPredicate​(net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria)
      Get a predicate which implements the effective configured whitelist/blacklist policy.
      boolean isAutoGenerateDataEncryptionCredential()
      Get whether this resolver should auto-generate data encryption credentials.
      protected boolean isDataEncryptionAlgorithm​(String algorithm)
      Evaluate whether the specified algorithm is a data encryption algorithm.
      protected boolean isKeyTransportAlgorithm​(String algorithm)
      Evaluate whether the specified algorithm is a key transport algorithm.
      protected void logResult​(org.opensaml.xmlsec.EncryptionParameters params)
      Log the resolved parameters.
      protected void populateRSAOAEPParams​(org.opensaml.xmlsec.encryption.support.RSAOAEPParameters rsaParams, net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria, Predicate<String> whitelistBlacklistPredicate)
      Populate an instance of RSAOAEPParameters based on data from the supplied instances of EncryptionConfiguration.
      protected void processDataEncryptionCredentialAutoGeneration​(org.opensaml.xmlsec.EncryptionParameters params)
      Auto-generate and populate a data encryption credential, if configured and required conditions are met.
      Iterable<org.opensaml.xmlsec.EncryptionParameters> resolve​(net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria)
      protected void resolveAndPopulateCredentialsAndAlgorithms​(org.opensaml.xmlsec.EncryptionParameters params, net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria, Predicate<String> whitelistBlacklistPredicate)
      Resolve and populate the data encryption and key transport credentials and algorithm URIs.
      protected void resolveAndPopulateRSAOAEPParams​(org.opensaml.xmlsec.EncryptionParameters params, net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria, Predicate<String> whitelistBlacklistPredicate)
      Resolve and populate an instance of RSAOAEPParameters, if appropriate for the selected key transport encryption algorithm.
      protected String resolveDataEncryptionAlgorithm​(org.opensaml.security.credential.Credential dataEncryptionCredential, List<String> dataEncryptionAlgorithms)
      Determine the data encryption algorithm URI, considering the optionally specified data encryption credential.
      protected String resolveDataEncryptionAlgorithm​(org.opensaml.security.credential.Credential dataEncryptionCredential, net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria, Predicate<String> whitelistBlacklistPredicate)
      Determine the data encryption algorithm URI to use with the specified data encryption credential.
      protected org.opensaml.xmlsec.keyinfo.KeyInfoGenerator resolveDataKeyInfoGenerator​(net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria, org.opensaml.security.credential.Credential dataEncryptionCredential)
      Resolve and return the KeyInfoGenerator instance to use with the specified data encryption credential.
      protected String resolveKeyTransportAlgorithm​(org.opensaml.security.credential.Credential keyTransportCredential, List<String> keyTransportAlgorithms, String dataEncryptionAlgorithm, org.opensaml.xmlsec.KeyTransportAlgorithmPredicate keyTransportPredicate)
      Determine the key transport encryption algorithm URI to use with the specified key transport credential and optional data encryption algorithm URI.
      protected String resolveKeyTransportAlgorithm​(org.opensaml.security.credential.Credential keyTransportCredential, net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria, Predicate<String> whitelistBlacklistPredicate, String dataEncryptionAlgorithm)
      Determine the key transport algorithm URI to use with the specified credential.
      protected org.opensaml.xmlsec.KeyTransportAlgorithmPredicate resolveKeyTransportAlgorithmPredicate​(net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria)
      Resolve the optional effectively configured instance of KeyTransportAlgorithmPredicate to use.
      protected org.opensaml.xmlsec.keyinfo.KeyInfoGenerator resolveKeyTransportKeyInfoGenerator​(net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria, org.opensaml.security.credential.Credential keyTransportEncryptionCredential)
      Resolve and return the KeyInfoGenerator instance to use with the specified key transport credential.
      org.opensaml.xmlsec.EncryptionParameters resolveSingle​(net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria)
      void setAlgorithmRegistry​(org.opensaml.xmlsec.algorithm.AlgorithmRegistry registry)
      Set the AlgorithmRegistry instance used when resolving algorithm URIs.
      void setAutoGenerateDataEncryptionCredential​(boolean flag)
      Set whether this resolver should auto-generate data encryption credentials.
      protected boolean validate​(org.opensaml.xmlsec.EncryptionParameters params, boolean encryptionOptional)
      Validate that the EncryptionParameters instance has all the required properties populated.
    • Field Detail

      • log

        @Nonnull
        private org.slf4j.Logger log
        Logger.
      • algorithmRegistry

        @Nonnull
        private org.opensaml.xmlsec.algorithm.AlgorithmRegistry algorithmRegistry
        The AlgorithmRegistry used when processing algorithm URIs.
      • autoGenerateDataEncryptionCredential

        private boolean autoGenerateDataEncryptionCredential
        Flag indicating whether the resolver should auto-generate data encryption credentials.
    • Constructor Detail

      • BasicEncryptionParametersResolver

        public BasicEncryptionParametersResolver()
        Constructor.
    • Method Detail

      • getAlgorithmRegistry

        @Nonnull
        public org.opensaml.xmlsec.algorithm.AlgorithmRegistry getAlgorithmRegistry()
        Get the AlgorithmRegistry instance used when resolving algorithm URIs. Defaults to the registry resolved via AlgorithmSupport.getGlobalAlgorithmRegistry().
        Returns:
        the algorithm registry instance
      • setAlgorithmRegistry

        public void setAlgorithmRegistry​(@Nonnull
                                         org.opensaml.xmlsec.algorithm.AlgorithmRegistry registry)
        Set the AlgorithmRegistry instance used when resolving algorithm URIs. Defaults to the registry resolved via AlgorithmSupport.getGlobalAlgorithmRegistry().
        Parameters:
        registry - the new algorithm registry instance
      • isAutoGenerateDataEncryptionCredential

        public boolean isAutoGenerateDataEncryptionCredential()
        Get whether this resolver should auto-generate data encryption credentials.
        Returns:
        true if should auto-generate, false otherwise
      • setAutoGenerateDataEncryptionCredential

        public void setAutoGenerateDataEncryptionCredential​(boolean flag)
        Set whether this resolver should auto-generate data encryption credentials.
        Parameters:
        flag - true if should auto-generate, false otherwise
      • resolve

        @Nonnull
        public Iterable<org.opensaml.xmlsec.EncryptionParameters> resolve​(@Nonnull
                                                                          net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria)
                                                                   throws net.shibboleth.utilities.java.support.resolver.ResolverException
        Specified by:
        resolve in interface net.shibboleth.utilities.java.support.resolver.Resolver<org.opensaml.xmlsec.EncryptionParameters,​net.shibboleth.utilities.java.support.resolver.CriteriaSet>
        Throws:
        net.shibboleth.utilities.java.support.resolver.ResolverException
      • resolveSingle

        @Nullable
        public org.opensaml.xmlsec.EncryptionParameters resolveSingle​(@Nonnull
                                                                      net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria)
                                                               throws net.shibboleth.utilities.java.support.resolver.ResolverException
        Specified by:
        resolveSingle in interface net.shibboleth.utilities.java.support.resolver.Resolver<org.opensaml.xmlsec.EncryptionParameters,​net.shibboleth.utilities.java.support.resolver.CriteriaSet>
        Throws:
        net.shibboleth.utilities.java.support.resolver.ResolverException
      • logResult

        protected void logResult​(@Nonnull
                                 org.opensaml.xmlsec.EncryptionParameters params)
        Log the resolved parameters.
        Parameters:
        params - the resolved parameters
      • validate

        protected boolean validate​(@Nonnull
                                   org.opensaml.xmlsec.EncryptionParameters params,
                                   boolean encryptionOptional)
        Validate that the EncryptionParameters instance has all the required properties populated.
        Parameters:
        params - the parameters instance to evaluate
        encryptionOptional - whether to consider invalid parameters to be a problem
        Returns:
        true if parameters instance passes validation, false otherwise
        Since:
        3.3.0
      • getWhitelistBlacklistPredicate

        @Nonnull
        protected Predicate<String> getWhitelistBlacklistPredicate​(@Nonnull
                                                                   net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria)
        Get a predicate which implements the effective configured whitelist/blacklist policy.
        Parameters:
        criteria - the input criteria being evaluated
        Returns:
        a whitelist/blacklist predicate instance
      • resolveAndPopulateCredentialsAndAlgorithms

        protected void resolveAndPopulateCredentialsAndAlgorithms​(@Nonnull
                                                                  org.opensaml.xmlsec.EncryptionParameters params,
                                                                  @Nonnull
                                                                  net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria,
                                                                  @Nonnull
                                                                  Predicate<String> whitelistBlacklistPredicate)
        Resolve and populate the data encryption and key transport credentials and algorithm URIs.
        Parameters:
        params - the params instance being populated
        criteria - the input criteria being evaluated
        whitelistBlacklistPredicate - the whitelist/blacklist predicate with which to evaluate the candidate data encryption and key transport algorithm URIs
      • resolveAndPopulateRSAOAEPParams

        protected void resolveAndPopulateRSAOAEPParams​(@Nonnull
                                                       org.opensaml.xmlsec.EncryptionParameters params,
                                                       @Nonnull
                                                       net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria,
                                                       @Nonnull
                                                       Predicate<String> whitelistBlacklistPredicate)
        Resolve and populate an instance of RSAOAEPParameters, if appropriate for the selected key transport encryption algorithm.
        Parameters:
        params - the params instance being populated
        criteria - the input criteria being evaluated
        whitelistBlacklistPredicate - the whitelist/blacklist predicate with which to evaluate the candidate data encryption and key transport algorithm URIs
      • populateRSAOAEPParams

        protected void populateRSAOAEPParams​(@Nonnull
                                             org.opensaml.xmlsec.encryption.support.RSAOAEPParameters rsaParams,
                                             @Nonnull
                                             net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria,
                                             @Nonnull
                                             Predicate<String> whitelistBlacklistPredicate)
        Populate an instance of RSAOAEPParameters based on data from the supplied instances of EncryptionConfiguration.
        Parameters:
        rsaParams - the existing RSAOAEPParameters instance being populated
        criteria - the input criteria being evaluated
        whitelistBlacklistPredicate - the whitelist/blacklist predicate with which to evaluate the candidate data encryption and key transport algorithm URIs
      • resolveKeyTransportAlgorithmPredicate

        @Nullable
        protected org.opensaml.xmlsec.KeyTransportAlgorithmPredicate resolveKeyTransportAlgorithmPredicate​(@Nonnull
                                                                                                           net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria)
        Resolve the optional effectively configured instance of KeyTransportAlgorithmPredicate to use.
        Parameters:
        criteria - the input criteria being evaluated
        Returns:
        the resolved predicate instance, may be null
      • resolveKeyTransportAlgorithm

        @Nullable
        protected String resolveKeyTransportAlgorithm​(@Nonnull
                                                      org.opensaml.security.credential.Credential keyTransportCredential,
                                                      @Nonnull
                                                      List<String> keyTransportAlgorithms,
                                                      @Nullable
                                                      String dataEncryptionAlgorithm,
                                                      @Nullable
                                                      org.opensaml.xmlsec.KeyTransportAlgorithmPredicate keyTransportPredicate)
        Determine the key transport encryption algorithm URI to use with the specified key transport credential and optional data encryption algorithm URI.
        Parameters:
        keyTransportCredential - the key transport credential being evaluated
        keyTransportAlgorithms - the list of effective key transport algorithms to evaluate
        dataEncryptionAlgorithm - the optional data encryption algorithm URI to consider
        keyTransportPredicate - the optional key transport algorithm predicate to evaluate
        Returns:
        the resolved algorithm URI, may be null
      • resolveKeyTransportAlgorithm

        @Nullable
        protected String resolveKeyTransportAlgorithm​(@Nonnull
                                                      org.opensaml.security.credential.Credential keyTransportCredential,
                                                      @Nonnull
                                                      net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria,
                                                      @Nonnull
                                                      Predicate<String> whitelistBlacklistPredicate,
                                                      @Nullable
                                                      String dataEncryptionAlgorithm)
        Determine the key transport algorithm URI to use with the specified credential.
        Parameters:
        keyTransportCredential - the key transport credential to evaluate
        criteria - the criteria instance being evaluated
        whitelistBlacklistPredicate - the whitelist/blacklist predicate with which to evaluate the candidate data encryption and key transport algorithm URIs
        dataEncryptionAlgorithm - the optional data encryption algorithm URI to consider
        Returns:
        the selected algorithm URI, may be null
      • resolveDataEncryptionAlgorithm

        @Nullable
        protected String resolveDataEncryptionAlgorithm​(@Nullable
                                                        org.opensaml.security.credential.Credential dataEncryptionCredential,
                                                        @Nonnull
                                                        List<String> dataEncryptionAlgorithms)
        Determine the data encryption algorithm URI, considering the optionally specified data encryption credential.
        Parameters:
        dataEncryptionCredential - the data encryption credential being evaluated, may be null
        dataEncryptionAlgorithms - the list of effective data encryption algorithms to evaluate
        Returns:
        the resolved algorithm URI, may be null
      • resolveDataEncryptionAlgorithm

        @Nullable
        protected String resolveDataEncryptionAlgorithm​(@Nonnull
                                                        org.opensaml.security.credential.Credential dataEncryptionCredential,
                                                        @Nonnull
                                                        net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria,
                                                        @Nonnull
                                                        Predicate<String> whitelistBlacklistPredicate)
        Determine the data encryption algorithm URI to use with the specified data encryption credential.
        Parameters:
        dataEncryptionCredential - the data encryption credential to evaluate
        criteria - the criteria instance being evaluated
        whitelistBlacklistPredicate - the whitelist/blacklist predicate with which to evaluate the candidate data encryption and key transport algorithm URIs
        Returns:
        the selected algorithm URI
      • getEffectiveDataEncryptionCredentials

        @Nonnull
        protected List<org.opensaml.security.credential.Credential> getEffectiveDataEncryptionCredentials​(@Nonnull
                                                                                                          net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria)
        Get the effective list of data encryption credentials to consider.
        Parameters:
        criteria - the input criteria being evaluated
        Returns:
        the list of credentials
      • getEffectiveDataEncryptionAlgorithms

        @Nonnull
        protected List<String> getEffectiveDataEncryptionAlgorithms​(@Nonnull
                                                                    net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria,
                                                                    @Nonnull
                                                                    Predicate<String> whitelistBlacklistPredicate)
        Get the effective list of data encryption algorithm URIs to consider, including application of whitelist/blacklist policy.
        Parameters:
        criteria - the input criteria being evaluated
        whitelistBlacklistPredicate - the whitelist/blacklist predicate to use
        Returns:
        the list of effective algorithm URIs
      • getEffectiveKeyTransportCredentials

        @Nonnull
        protected List<org.opensaml.security.credential.Credential> getEffectiveKeyTransportCredentials​(@Nonnull
                                                                                                        net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria)
        Get the effective list of key transport credentials to consider.
        Parameters:
        criteria - the input criteria being evaluated
        Returns:
        the list of credentials
      • getEffectiveKeyTransportAlgorithms

        @Nonnull
        protected List<String> getEffectiveKeyTransportAlgorithms​(@Nonnull
                                                                  net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria,
                                                                  @Nonnull
                                                                  Predicate<String> whitelistBlacklistPredicate)
        Get the effective list of key transport algorithm URIs to consider, including application of whitelist/blacklist policy.
        Parameters:
        criteria - the input criteria being evaluated
        whitelistBlacklistPredicate - the whitelist/blacklist predicate to use
        Returns:
        the list of effective algorithm URIs
      • resolveDataKeyInfoGenerator

        @Nullable
        protected org.opensaml.xmlsec.keyinfo.KeyInfoGenerator resolveDataKeyInfoGenerator​(@Nullable
                                                                                           net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria,
                                                                                           @Nullable
                                                                                           org.opensaml.security.credential.Credential dataEncryptionCredential)
        Resolve and return the KeyInfoGenerator instance to use with the specified data encryption credential.
        Parameters:
        criteria - the input criteria being evaluated
        dataEncryptionCredential - the credential being evaluated
        Returns:
        KeyInfo generator instance, or null
      • resolveKeyTransportKeyInfoGenerator

        @Nullable
        protected org.opensaml.xmlsec.keyinfo.KeyInfoGenerator resolveKeyTransportKeyInfoGenerator​(@Nonnull
                                                                                                   net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria,
                                                                                                   @Nullable
                                                                                                   org.opensaml.security.credential.Credential keyTransportEncryptionCredential)
        Resolve and return the KeyInfoGenerator instance to use with the specified key transport credential.
        Parameters:
        criteria - the input criteria being evaluated
        keyTransportEncryptionCredential - the credential being evaluated
        Returns:
        KeyInfo generator instance, or null
      • getAlgorithmRuntimeSupportedPredicate

        @Nonnull
        protected Predicate<String> getAlgorithmRuntimeSupportedPredicate()
        Get a predicate which evaluates whether a cryptographic algorithm is supported by the runtime environment.
        Returns:
        the predicate
      • credentialSupportsAlgorithm

        protected boolean credentialSupportsAlgorithm​(@Nonnull
                                                      org.opensaml.security.credential.Credential credential,
                                                      @Nonnull @NotEmpty
                                                      String algorithm)
        Evaluate whether the specified credential is supported for use with the specified algorithm URI.
        Parameters:
        credential - the credential to evaluate
        algorithm - the algorithm URI to evaluate
        Returns:
        true if credential may be used with the supplied algorithm URI, false otherwise
      • isKeyTransportAlgorithm

        protected boolean isKeyTransportAlgorithm​(@Nonnull
                                                  String algorithm)
        Evaluate whether the specified algorithm is a key transport algorithm.
        Parameters:
        algorithm - the algorithm URI to evaluate
        Returns:
        true if it is a key transport algorithm URI, false otherwise
      • isDataEncryptionAlgorithm

        protected boolean isDataEncryptionAlgorithm​(String algorithm)
        Evaluate whether the specified algorithm is a data encryption algorithm.
        Parameters:
        algorithm - the algorithm URI to evaluate
        Returns:
        true if it is a data encryption algorithm URI, false otherwise
      • generateDataEncryptionCredential

        @Nullable
        protected org.opensaml.security.credential.Credential generateDataEncryptionCredential​(@Nonnull
                                                                                               String dataEncryptionAlgorithm)
        Generate a random data encryption symmetric key credential.
        Parameters:
        dataEncryptionAlgorithm - the data encryption algorithm URI
        Returns:
        the generated credential, or null if there was a problem generating a key from the algorithm URI
      • processDataEncryptionCredentialAutoGeneration

        protected void processDataEncryptionCredentialAutoGeneration​(@Nonnull
                                                                     org.opensaml.xmlsec.EncryptionParameters params)
        Auto-generate and populate a data encryption credential, if configured and required conditions are met.
        Parameters:
        params - the encryption parameters instance to process