Package org.opensaml.xmlsec.impl
Class BasicEncryptionParametersResolver

- java.lang.Object
  - org.opensaml.xmlsec.impl.AbstractSecurityParametersResolver<EncryptionParameters>
    - org.opensaml.xmlsec.impl.BasicEncryptionParametersResolver

All Implemented Interfaces:
Resolver<EncryptionParameters,CriteriaSet>, EncryptionParametersResolver

public class BasicEncryptionParametersResolver extends AbstractSecurityParametersResolver<EncryptionParameters> implements EncryptionParametersResolver

Basic implementation of EncryptionParametersResolver.

The following Criterion inputs are supported:
- EncryptionConfigurationCriterion - required
- KeyInfoGenerationProfileCriterion - optional
- EncryptionOptionalCriterion - optional
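The class description above lists the criteria the resolver accepts but does not show how a caller assembles them. The following is an added example, not code from the OpenSAML project or from this page, showing the usual pattern: build a BasicEncryptionConfiguration that names the preferred data encryption and key transport algorithms, blacklists the weak ones so they cannot be selected even if another configuration or the peer's metadata offers them, supplies RSA-OAEP parameters, and layers it over the global configuration through an EncryptionConfigurationCriterion before calling resolveSingle(). The class name EncryptionParametersExample and the method resolveForPeer are assumptions of this example; the peer key pair is constructed in place as a stand-in for a public key that would normally come from metadata.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Arrays;

import org.opensaml.core.config.InitializationService;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.CredentialSupport;
import org.opensaml.xmlsec.EncryptionParameters;
import org.opensaml.xmlsec.SecurityConfigurationSupport;
import org.opensaml.xmlsec.criterion.EncryptionConfigurationCriterion;
import org.opensaml.xmlsec.encryption.support.EncryptionConstants;
import org.opensaml.xmlsec.encryption.support.RSAOAEPParameters;
import org.opensaml.xmlsec.impl.BasicEncryptionConfiguration;
import org.opensaml.xmlsec.impl.BasicEncryptionParametersResolver;
import org.opensaml.xmlsec.signature.support.SignatureConstants;

import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.ResolverException;

// Hypothetical class name; not part of OpenSAML.
public final class EncryptionParametersExample {

    // Resolves the EncryptionParameters to use when encrypting for one peer.
    public static EncryptionParameters resolveForPeer(Credential peerKeyTransportCredential)
            throws ResolverException {

        // Local configuration: algorithms listed in order of preference, plus the policy that
        // rules out weak ones regardless of what other configurations in the chain allow.
        BasicEncryptionConfiguration local = new BasicEncryptionConfiguration();
        local.setKeyTransportEncryptionCredentials(Arrays.asList(peerKeyTransportCredential));
        local.setDataEncryptionAlgorithms(Arrays.asList(
                EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256_GCM,
                EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128_GCM));
        local.setKeyTransportEncryptionAlgorithms(Arrays.asList(
                EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP11,
                EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP));
        // Blacklist: RSA PKCS#1 v1.5 key transport and 3DES are excluded by the
        // whitelist/blacklist predicate the resolver builds from the criteria.
        local.setBlacklistedAlgorithms(Arrays.asList(
                EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15,
                EncryptionConstants.ALGO_ID_BLOCKCIPHER_TRIPLEDES));
        // OAEP digest and MGF applied when an RSA-OAEP key transport algorithm is selected.
        local.setRSAOAEPParameters(new RSAOAEPParameters(
                SignatureConstants.ALGO_ID_DIGEST_SHA256,
                EncryptionConstants.ALGO_ID_MGF1_SHA256,
                null));

        // The criterion carries an ordered list of configurations; the global configuration
        // supplies anything the local one leaves unset.
        CriteriaSet criteria = new CriteriaSet(new EncryptionConfigurationCriterion(
                local, SecurityConfigurationSupport.getGlobalEncryptionConfiguration()));

        BasicEncryptionParametersResolver resolver = new BasicEncryptionParametersResolver();
        // No data encryption credential is configured above, so the resolver generates a
        // fresh random symmetric key for the data encryption algorithm it selects.
        resolver.setAutoGenerateDataEncryptionCredential(true);

        // Returns null when no valid parameter set could be produced from the criteria.
        return resolver.resolveSingle(criteria);
    }

    public static void main(String[] args) throws Exception {
        // Populates the global algorithm registry and the global encryption configuration.
        InitializationService.initialize();

        // Constructed stand-in for the peer's public key (normally taken from metadata).
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair peerKeys = kpg.generateKeyPair();
        Credential peer = CredentialSupport.getSimpleCredential(peerKeys.getPublic(), null);

        EncryptionParameters params = resolveForPeer(peer);
        if (params == null) {
            System.err.println("no encryption parameters resolved; check blacklist and credentials");
            return;
        }
        System.out.println("data encryption:  " + params.getDataEncryptionAlgorithm());
        System.out.println("key transport:    " + params.getKeyTransportEncryptionAlgorithm());
        System.out.println("data key present: " + (params.getDataEncryptionCredential() != null));
        RSAOAEPParameters oaep = params.getRSAOAEPParameters();
        if (oaep != null) {
            System.out.println("OAEP digest:      " + oaep.getDigestMethod());
        }
    }
}
```

The null check on resolveSingle() is the part worth keeping: a blacklist that removes every candidate key transport algorithm, or a credential whose key type matches none of the remaining algorithms, yields no parameters rather than a fallback to a weaker choice, so callers should treat null as a configuration error to surface, not a condition to work around.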
Field Summary

Fields
- private AlgorithmRegistry algorithmRegistry
  The AlgorithmRegistry used when processing algorithm URIs.
- private boolean autoGenerateDataEncryptionCredential
  Flag indicating whether the resolver should auto-generate data encryption credentials.
- private org.slf4j.Logger log
  Logger.
Constructor Summary

Constructors
- BasicEncryptionParametersResolver()
  Constructor.
Method Summary

Methods
- protected boolean credentialSupportsAlgorithm(Credential credential, String algorithm)
  Evaluate whether the specified credential is supported for use with the specified algorithm URI.
- protected Credential generateDataEncryptionCredential(String dataEncryptionAlgorithm)
  Generate a random data encryption symmetric key credential.
- AlgorithmRegistry getAlgorithmRegistry()
  Get the AlgorithmRegistry instance used when resolving algorithm URIs.
- protected Predicate<String> getAlgorithmRuntimeSupportedPredicate()
  Get a predicate which evaluates whether a cryptographic algorithm is supported by the runtime environment.
- protected List<String> getEffectiveDataEncryptionAlgorithms(CriteriaSet criteria, Predicate<String> whitelistBlacklistPredicate)
  Get the effective list of data encryption algorithm URIs to consider, including application of whitelist/blacklist policy.
- protected List<Credential> getEffectiveDataEncryptionCredentials(CriteriaSet criteria)
  Get the effective list of data encryption credentials to consider.
- protected List<String> getEffectiveKeyTransportAlgorithms(CriteriaSet criteria, Predicate<String> whitelistBlacklistPredicate)
  Get the effective list of key transport algorithm URIs to consider, including application of whitelist/blacklist policy.
- protected List<Credential> getEffectiveKeyTransportCredentials(CriteriaSet criteria)
  Get the effective list of key transport credentials to consider.
- protected Predicate<String> getWhitelistBlacklistPredicate(CriteriaSet criteria)
  Get a predicate which implements the effective configured whitelist/blacklist policy.
- boolean isAutoGenerateDataEncryptionCredential()
  Get whether this resolver should auto-generate data encryption credentials.
- protected boolean isDataEncryptionAlgorithm(String algorithm)
  Evaluate whether the specified algorithm is a data encryption algorithm.
- protected boolean isKeyTransportAlgorithm(String algorithm)
  Evaluate whether the specified algorithm is a key transport algorithm.
- protected void logResult(EncryptionParameters params)
  Log the resolved parameters.
- protected void populateRSAOAEPParams(RSAOAEPParameters rsaParams, CriteriaSet criteria, Predicate<String> whitelistBlacklistPredicate)
  Populate an instance of RSAOAEPParameters based on data from the supplied instances of EncryptionConfiguration.
- protected void processDataEncryptionCredentialAutoGeneration(EncryptionParameters params)
  Auto-generate and populate a data encryption credential, if configured and required conditions are met.
- Iterable<EncryptionParameters> resolve(CriteriaSet criteria)
- protected void resolveAndPopulateCredentialsAndAlgorithms(EncryptionParameters params, CriteriaSet criteria, Predicate<String> whitelistBlacklistPredicate)
  Resolve and populate the data encryption and key transport credentials and algorithm URIs.
- protected void resolveAndPopulateRSAOAEPParams(EncryptionParameters params, CriteriaSet criteria, Predicate<String> whitelistBlacklistPredicate)
  Resolve and populate an instance of RSAOAEPParameters, if appropriate for the selected key transport encryption algorithm.
- protected String resolveDataEncryptionAlgorithm(Credential dataEncryptionCredential, List<String> dataEncryptionAlgorithms)
  Determine the data encryption algorithm URI, considering the optionally specified data encryption credential.
- protected String resolveDataEncryptionAlgorithm(Credential dataEncryptionCredential, CriteriaSet criteria, Predicate<String> whitelistBlacklistPredicate)
  Determine the data encryption algorithm URI to use with the specified data encryption credential.
- protected KeyInfoGenerator resolveDataKeyInfoGenerator(CriteriaSet criteria, Credential dataEncryptionCredential)
  Resolve and return the KeyInfoGenerator instance to use with the specified data encryption credential.
- protected String resolveKeyTransportAlgorithm(Credential keyTransportCredential, List<String> keyTransportAlgorithms, String dataEncryptionAlgorithm, KeyTransportAlgorithmPredicate keyTransportPredicate)
  Determine the key transport encryption algorithm URI to use with the specified key transport credential and optional data encryption algorithm URI.
- protected String resolveKeyTransportAlgorithm(Credential keyTransportCredential, CriteriaSet criteria, Predicate<String> whitelistBlacklistPredicate, String dataEncryptionAlgorithm)
  Determine the key transport algorithm URI to use with the specified credential.
- protected KeyTransportAlgorithmPredicate resolveKeyTransportAlgorithmPredicate(CriteriaSet criteria)
  Resolve the optional effectively configured instance of KeyTransportAlgorithmPredicate to use.
- protected KeyInfoGenerator resolveKeyTransportKeyInfoGenerator(CriteriaSet criteria, Credential keyTransportEncryptionCredential)
  Resolve and return the KeyInfoGenerator instance to use with the specified key transport credential.
- EncryptionParameters resolveSingle(CriteriaSet criteria)
- void setAlgorithmRegistry(AlgorithmRegistry registry)
  Set the AlgorithmRegistry instance used when resolving algorithm URIs.
- void setAutoGenerateDataEncryptionCredential(boolean flag)
  Set whether this resolver should auto-generate data encryption credentials.
- protected boolean validate(EncryptionParameters params, boolean encryptionOptional)
  Validate that the EncryptionParameters instance has all the required properties populated.

Methods inherited from class org.opensaml.xmlsec.impl.AbstractSecurityParametersResolver
- lookupKeyInfoGenerator, resolveAndPopulateWhiteAndBlacklists, resolveEffectiveBlacklist, resolveEffectiveWhitelist, resolveWhitelistBlacklistPrecedence, resolveWhitelistBlacklistPredicate
Field Detail

log
@Nonnull private org.slf4j.Logger log
Logger.

algorithmRegistry
@Nonnull private AlgorithmRegistry algorithmRegistry
The AlgorithmRegistry used when processing algorithm URIs.

autoGenerateDataEncryptionCredential
private boolean autoGenerateDataEncryptionCredential
Flag indicating whether the resolver should auto-generate data encryption credentials.

Method Detail

getAlgorithmRegistry
@Nonnull public AlgorithmRegistry getAlgorithmRegistry()
Get the AlgorithmRegistry instance used when resolving algorithm URIs. Defaults to the registry resolved via AlgorithmSupport.getGlobalAlgorithmRegistry().
Returns:
- the algorithm registry instance

setAlgorithmRegistry
public void setAlgorithmRegistry(@Nonnull AlgorithmRegistry registry)
Set the AlgorithmRegistry instance used when resolving algorithm URIs. Defaults to the registry resolved via AlgorithmSupport.getGlobalAlgorithmRegistry().
Parameters:
- registry - the new algorithm registry instance

isAutoGenerateDataEncryptionCredential
public boolean isAutoGenerateDataEncryptionCredential()
Get whether this resolver should auto-generate data encryption credentials.
Returns:
- true if it should auto-generate, false otherwise

setAutoGenerateDataEncryptionCredential
public void setAutoGenerateDataEncryptionCredential(boolean flag)
Set whether this resolver should auto-generate data encryption credentials.
Parameters:
- flag - true if it should auto-generate, false otherwise

resolve
@Nonnull public Iterable<EncryptionParameters> resolve(@Nonnull CriteriaSet criteria) throws ResolverException
Specified by:
- resolve in interface Resolver<EncryptionParameters,CriteriaSet>
Throws:
- ResolverException

resolveSingle
@Nullable public EncryptionParameters resolveSingle(@Nonnull CriteriaSet criteria) throws ResolverException
Specified by:
- resolveSingle in interface Resolver<EncryptionParameters,CriteriaSet>
Throws:
- ResolverException

logResult
protected void logResult(@Nonnull EncryptionParameters params)
Log the resolved parameters.
Parameters:
- params - the resolved parameters

validate
protected boolean validate(@Nonnull EncryptionParameters params, boolean encryptionOptional)
Validate that the EncryptionParameters instance has all the required properties populated.
Parameters:
- params - the parameters instance to evaluate
- encryptionOptional - whether to consider invalid parameters to be a problem
Returns:
- true if the parameters instance passes validation, false otherwise
Since:
- 3.3.0

getWhitelistBlacklistPredicate
@Nonnull protected Predicate<String> getWhitelistBlacklistPredicate(@Nonnull CriteriaSet criteria)
Get a predicate which implements the effective configured whitelist/blacklist policy.
Parameters:
- criteria - the input criteria being evaluated
Returns:
- a whitelist/blacklist predicate instance

resolveAndPopulateCredentialsAndAlgorithms
protected void resolveAndPopulateCredentialsAndAlgorithms(@Nonnull EncryptionParameters params, @Nonnull CriteriaSet criteria, @Nonnull Predicate<String> whitelistBlacklistPredicate)
Resolve and populate the data encryption and key transport credentials and algorithm URIs.
Parameters:
- params - the params instance being populated
- criteria - the input criteria being evaluated
- whitelistBlacklistPredicate - the whitelist/blacklist predicate with which to evaluate the candidate data encryption and key transport algorithm URIs

resolveAndPopulateRSAOAEPParams
protected void resolveAndPopulateRSAOAEPParams(@Nonnull EncryptionParameters params, @Nonnull CriteriaSet criteria, @Nonnull Predicate<String> whitelistBlacklistPredicate)
Resolve and populate an instance of RSAOAEPParameters, if appropriate for the selected key transport encryption algorithm.
Parameters:
- params - the params instance being populated
- criteria - the input criteria being evaluated
- whitelistBlacklistPredicate - the whitelist/blacklist predicate with which to evaluate the candidate data encryption and key transport algorithm URIs

populateRSAOAEPParams
protected void populateRSAOAEPParams(@Nonnull RSAOAEPParameters rsaParams, @Nonnull CriteriaSet criteria, @Nonnull Predicate<String> whitelistBlacklistPredicate)
Populate an instance of RSAOAEPParameters based on data from the supplied instances of EncryptionConfiguration.
Parameters:
- rsaParams - the existing RSAOAEPParameters instance being populated
- criteria - the input criteria being evaluated
- whitelistBlacklistPredicate - the whitelist/blacklist predicate with which to evaluate the candidate data encryption and key transport algorithm URIs

resolveKeyTransportAlgorithmPredicate
@Nullable protected KeyTransportAlgorithmPredicate resolveKeyTransportAlgorithmPredicate(@Nonnull CriteriaSet criteria)
Resolve the optional effectively configured instance of KeyTransportAlgorithmPredicate to use.
Parameters:
- criteria - the input criteria being evaluated
Returns:
- the resolved predicate instance, may be null

resolveKeyTransportAlgorithm
@Nullable protected String resolveKeyTransportAlgorithm(@Nonnull Credential keyTransportCredential, @Nonnull List<String> keyTransportAlgorithms, @Nullable String dataEncryptionAlgorithm, @Nullable KeyTransportAlgorithmPredicate keyTransportPredicate)
Determine the key transport encryption algorithm URI to use with the specified key transport credential and optional data encryption algorithm URI.
Parameters:
- keyTransportCredential - the key transport credential being evaluated
- keyTransportAlgorithms - the list of effective key transport algorithms to evaluate
- dataEncryptionAlgorithm - the optional data encryption algorithm URI to consider
- keyTransportPredicate - the optional key transport algorithm predicate to evaluate
Returns:
- the resolved algorithm URI, may be null

resolveKeyTransportAlgorithm
@Nullable protected String resolveKeyTransportAlgorithm(@Nonnull Credential keyTransportCredential, @Nonnull CriteriaSet criteria, @Nonnull Predicate<String> whitelistBlacklistPredicate, @Nullable String dataEncryptionAlgorithm)
Determine the key transport algorithm URI to use with the specified credential.
Parameters:
- keyTransportCredential - the key transport credential to evaluate
- criteria - the criteria instance being evaluated
- whitelistBlacklistPredicate - the whitelist/blacklist predicate with which to evaluate the candidate data encryption and key transport algorithm URIs
- dataEncryptionAlgorithm - the optional data encryption algorithm URI to consider
Returns:
- the selected algorithm URI, may be null

resolveDataEncryptionAlgorithm
@Nullable protected String resolveDataEncryptionAlgorithm(@Nullable Credential dataEncryptionCredential, @Nonnull List<String> dataEncryptionAlgorithms)
Determine the data encryption algorithm URI, considering the optionally specified data encryption credential.
Parameters:
- dataEncryptionCredential - the data encryption credential being evaluated, may be null
- dataEncryptionAlgorithms - the list of effective data encryption algorithms to evaluate
Returns:
- the resolved algorithm URI, may be null

resolveDataEncryptionAlgorithm
@Nullable protected String resolveDataEncryptionAlgorithm(@Nonnull Credential dataEncryptionCredential, @Nonnull CriteriaSet criteria, @Nonnull Predicate<String> whitelistBlacklistPredicate)
Determine the data encryption algorithm URI to use with the specified data encryption credential.
Parameters:
- dataEncryptionCredential - the data encryption credential to evaluate
- criteria - the criteria instance being evaluated
- whitelistBlacklistPredicate - the whitelist/blacklist predicate with which to evaluate the candidate data encryption and key transport algorithm URIs
Returns:
- the selected algorithm URI

getEffectiveDataEncryptionCredentials
@Nonnull protected List<Credential> getEffectiveDataEncryptionCredentials(@Nonnull CriteriaSet criteria)
Get the effective list of data encryption credentials to consider.
Parameters:
- criteria - the input criteria being evaluated
Returns:
- the list of credentials

getEffectiveDataEncryptionAlgorithms
@Nonnull protected List<String> getEffectiveDataEncryptionAlgorithms(@Nonnull CriteriaSet criteria, @Nonnull Predicate<String> whitelistBlacklistPredicate)
Get the effective list of data encryption algorithm URIs to consider, including application of whitelist/blacklist policy.
Parameters:
- criteria - the input criteria being evaluated
- whitelistBlacklistPredicate - the whitelist/blacklist predicate to use
Returns:
- the list of effective algorithm URIs

getEffectiveKeyTransportCredentials
@Nonnull protected List<Credential> getEffectiveKeyTransportCredentials(@Nonnull CriteriaSet criteria)
Get the effective list of key transport credentials to consider.
Parameters:
- criteria - the input criteria being evaluated
Returns:
- the list of credentials

getEffectiveKeyTransportAlgorithms
@Nonnull protected List<String> getEffectiveKeyTransportAlgorithms(@Nonnull CriteriaSet criteria, @Nonnull Predicate<String> whitelistBlacklistPredicate)
Get the effective list of key transport algorithm URIs to consider, including application of whitelist/blacklist policy.
Parameters:
- criteria - the input criteria being evaluated
- whitelistBlacklistPredicate - the whitelist/blacklist predicate to use
Returns:
- the list of effective algorithm URIs

resolveDataKeyInfoGenerator
@Nullable protected KeyInfoGenerator resolveDataKeyInfoGenerator(@Nullable CriteriaSet criteria, @Nullable Credential dataEncryptionCredential)
Resolve and return the KeyInfoGenerator instance to use with the specified data encryption credential.
Parameters:
- criteria - the input criteria being evaluated
- dataEncryptionCredential - the credential being evaluated
Returns:
- KeyInfo generator instance, or null

resolveKeyTransportKeyInfoGenerator
@Nullable protected KeyInfoGenerator resolveKeyTransportKeyInfoGenerator(@Nonnull CriteriaSet criteria, @Nullable Credential keyTransportEncryptionCredential)
Resolve and return the KeyInfoGenerator instance to use with the specified key transport credential.
Parameters:
- criteria - the input criteria being evaluated
- keyTransportEncryptionCredential - the credential being evaluated
Returns:
- KeyInfo generator instance, or null

getAlgorithmRuntimeSupportedPredicate
@Nonnull protected Predicate<String> getAlgorithmRuntimeSupportedPredicate()
Get a predicate which evaluates whether a cryptographic algorithm is supported by the runtime environment.
Returns:
- the predicate

credentialSupportsAlgorithm
protected boolean credentialSupportsAlgorithm(@Nonnull Credential credential, @Nonnull @NotEmpty String algorithm)
Evaluate whether the specified credential is supported for use with the specified algorithm URI.
Parameters:
- credential - the credential to evaluate
- algorithm - the algorithm URI to evaluate
Returns:
- true if the credential may be used with the supplied algorithm URI, false otherwise

isKeyTransportAlgorithm
protected boolean isKeyTransportAlgorithm(@Nonnull String algorithm)
Evaluate whether the specified algorithm is a key transport algorithm.
Parameters:
- algorithm - the algorithm URI to evaluate
Returns:
- true if it is a key transport algorithm URI, false otherwise

isDataEncryptionAlgorithm
protected boolean isDataEncryptionAlgorithm(String algorithm)
Evaluate whether the specified algorithm is a data encryption algorithm.
Parameters:
- algorithm - the algorithm URI to evaluate
Returns:
- true if it is a data encryption algorithm URI, false otherwise

generateDataEncryptionCredential
@Nullable protected Credential generateDataEncryptionCredential(@Nonnull String dataEncryptionAlgorithm)
Generate a random data encryption symmetric key credential.
Parameters:
- dataEncryptionAlgorithm - the data encryption algorithm URI
Returns:
- the generated credential, or null if there was a problem generating a key from the algorithm URI

processDataEncryptionCredentialAutoGeneration
protected void processDataEncryptionCredentialAutoGeneration(@Nonnull EncryptionParameters params)
Auto-generate and populate a data encryption credential, if configured and required conditions are met.
Parameters:
- params - the encryption parameters instance to process