Package org.opensaml.saml.security.impl

Class SAMLMetadataEncryptionParametersResolver

java.lang.Object
org.opensaml.xmlsec.impl.AbstractSecurityParametersResolver<EncryptionParameters>
org.opensaml.xmlsec.impl.BasicEncryptionParametersResolver
org.opensaml.saml.security.impl.SAMLMetadataEncryptionParametersResolver
All Implemented Interfaces:
Resolver<EncryptionParameters,CriteriaSet>, EncryptionParametersResolver
public class SAMLMetadataEncryptionParametersResolver extends BasicEncryptionParametersResolver
A specialization of BasicEncryptionParametersResolver which resolves credentials and algorithm preferences against SAML metadata via a MetadataCredentialResolver.

In addition to the Criterion inputs documented in BasicEncryptionParametersResolver, the inputs and associated modes of operation documented for MetadataCredentialResolver are also supported and required.

The CriteriaSet instance passed to the configured metadata credential resolver will be a copy of the input criteria set, with the addition of a UsageCriterion containing the value UsageType.ENCRYPTION, which will replace any existing usage criterion instance.

  • Field Details

    • log

      @Nonnull private org.slf4j.Logger log
      Logger.

    • credentialResolver

      @Nonnull private MetadataCredentialResolver credentialResolver
      Metadata credential resolver.

    • mergeMetadataRSAOAEPParametersWithConfig

      private boolean mergeMetadataRSAOAEPParametersWithConfig
      Flag indicating whether the resolver should attempt to merge RSAOAEPParameters values resolved from metadata with additional parameters from supplied instances of EncryptionConfiguration.

    • defaultKeyAgreementUseKeyWrap

      @Nonnull private SAMLMetadataKeyAgreementEncryptionConfiguration.KeyWrap defaultKeyAgreementUseKeyWrap
      Default for usage of key wrapping with key agreement if not otherwise configured.

  • Constructor Details

    • SAMLMetadataEncryptionParametersResolver

      public SAMLMetadataEncryptionParametersResolver(@Nonnull @ParameterName(name="resolver") MetadataCredentialResolver resolver)
      Constructor.
      Parameters:
      resolver - the metadata credential resolver instance to use to resolve encryption credentials

  • Method Details

    • isMergeMetadataRSAOAEPParametersWithConfig

      public boolean isMergeMetadataRSAOAEPParametersWithConfig()
      Determine whether the resolver should attempt to merge RSAOAEPParameters values resolved from metadata with additional parameters from supplied instances of EncryptionConfiguration.

      Defaults to: false

      Returns:
      true if should merge metadata parameters with configuration, false otherwise

    • setMergeMetadataRSAOAEPParametersWithConfig

      public void setMergeMetadataRSAOAEPParametersWithConfig(boolean flag)
      Set whether the resolver should attempt to merge RSAOAEPParameters values resolved from metadata with additional parameters from supplied instances of EncryptionConfiguration.

      Defaults to: false

      Parameters:
      flag - true if should merge metadata parameters with configuration, false otherwise

    • getDefaultKeyAgreemenUseKeyWrap

      @Nonnull public SAMLMetadataKeyAgreementEncryptionConfiguration.KeyWrap getDefaultKeyAgreemenUseKeyWrap()
      Get the default for usage of key wrapping with key agreement if not otherwise configured.

      The default is: SAMLMetadataKeyAgreementEncryptionConfiguration.KeyWrap.Default.

      Returns:
      the default value

    • setDefaultKeyAgreementUseKeyWrap

      public void setDefaultKeyAgreementUseKeyWrap(@Nullable SAMLMetadataKeyAgreementEncryptionConfiguration.KeyWrap keyWrap)
      Set the default for usage of key wrapping with key agreement if not otherwise configured.

      The default is: SAMLMetadataKeyAgreementEncryptionConfiguration.KeyWrap.Default.

      Parameters:
      keyWrap - the value to set; null implies SAMLMetadataKeyAgreementEncryptionConfiguration.KeyWrap.Default

    • getMetadataCredentialResolver

      @Nonnull protected MetadataCredentialResolver getMetadataCredentialResolver()
      Get the metadata credential resolver instance to use to resolve encryption credentials.
      Returns:
      the configured metadata credential resolver instance

    • resolveAndPopulateCredentialsAndAlgorithms

      protected void resolveAndPopulateCredentialsAndAlgorithms(@Nonnull EncryptionParameters params, @Nonnull CriteriaSet criteria, @Nonnull Predicate<String> includeExcludePredicate)
      Resolve and populate the data encryption and key transport credentials and algorithm URIs.
      Overrides:
      resolveAndPopulateCredentialsAndAlgorithms in class BasicEncryptionParametersResolver
      Parameters:
      params - the params instance being populated
      criteria - the input criteria being evaluated
      includeExcludePredicate - the include/exclude predicate with which to evaluate the candidate data encryption and key transport algorithm URIs

    • checkAndProcessKeyAgreement

      protected boolean checkAndProcessKeyAgreement(@Nonnull EncryptionParameters params, @Nonnull CriteriaSet criteria, @Nonnull Predicate<String> includeExcludePredicate, @Nonnull Credential credential)
      Check for a credential type that implies a key agreement operation, and process if so indicated.
      Parameters:
      params - the params instance being populated
      criteria - the input criteria being evaluated
      includeExcludePredicate - the include/exclude predicate
      credential - the credential being evaluated
      Returns:
      true if all required parameters were supplied, key agreement was successfully performed, and the EncryptionParameters instance's credential and algorithms properties are fully populated, otherwise false

    • getEffectiveKeyAgreementConfiguration

      @Nullable protected SAMLMetadataKeyAgreementEncryptionConfiguration getEffectiveKeyAgreementConfiguration(@Nonnull CriteriaSet criteria, @Nonnull Credential credential)
      Get the effective SAMLMetadataKeyAgreementEncryptionConfiguration to use with the specified credential.
      Overrides:
      getEffectiveKeyAgreementConfiguration in class BasicEncryptionParametersResolver
      Parameters:
      criteria - the criteria
      credential - the credential to evaluate
      Returns:
      the key agreement configuration for the credential, or null if could not be resolved

    • concatLists

      @SafeVarargs @Nonnull private List<String> concatLists(@Nonnull List<String>... lists)
      Concatenate multiple lists into one list.
      Parameters:
      lists - the lists to process
      Returns:
      the concatenation of the supplied lists

    • resolveAndPopulateRSAOAEPParams

      protected void resolveAndPopulateRSAOAEPParams(@Nonnull EncryptionParameters params, @Nonnull CriteriaSet criteria, @Nonnull Predicate<String> includeExcludePredicate, @Nullable EncryptionMethod encryptionMethod)
      Resolve and populate an instance of RSAOAEPParameters, if appropriate for the selected key transport encryption algorithm.

      This method itself resolves the parameters data from the metadata EncryptionMethod. If this results in a non-complete RSAOAEPParameters instance and if isMergeMetadataRSAOAEPParametersWithConfig() evaluates true, then the resolver will delegate to the local config resolution process via the superclass to attempt to resolve and merge any null parameter values. (see BasicEncryptionParametersResolver.resolveAndPopulateRSAOAEPParams(EncryptionParameters, CriteriaSet, Predicate)).

      Parameters:
      params - the current encryption parameters instance being resolved
      criteria - the criteria instance being evaluated
      includeExcludePredicate - the include/exclude predicate with which to evaluate the candidate data encryption and key transport algorithm URIs
      encryptionMethod - the method encryption method that was resolved along with the key transport encryption algorithm URI, if any. May be null.

    • populateRSAOAEPParamsFromEncryptionMethod

      protected void populateRSAOAEPParamsFromEncryptionMethod(@Nonnull RSAOAEPParameters params, @Nonnull EncryptionMethod encryptionMethod, @Nonnull Predicate<String> includeExcludePredicate)
      Extract DigestMethod, MGF and OAEPparams data present on the supplied instance of EncryptionMethod and populate it on the supplied instance of of RSAOAEPParameters.

      Include/exclude evaluation is applied to the digest method and MGF algorithm URIs.

      Parameters:
      params - the existing RSAOAEPParameters instance being populated
      encryptionMethod - the method encryption method that was resolved along with the key transport encryption algorithm URI, if any. May be null.
      includeExcludePredicate - the include/exclude predicate with which to evaluate the candidate data encryption and key transport algorithm URIs

    • resolveKeyTransportAlgorithm

      @Nonnull @NullableElements protected Pair<String,EncryptionMethod> resolveKeyTransportAlgorithm(@Nonnull Credential keyTransportCredential, @Nonnull CriteriaSet criteria, @Nonnull Predicate<String> includeExcludePredicate, @Nullable String dataEncryptionAlgorithm, @Nullable SAMLMDCredentialContext metadataCredContext)
      Determine the key transport algorithm URI to use with the specified credential, also returning the associated EncryptionMethod from metadata if relevant.

      Any algorithms specified in metadata via the passed SAMLMDCredentialContext are considered first, followed by locally configured algorithms.

      Parameters:
      keyTransportCredential - the key transport credential to evaluate
      criteria - the criteria instance being evaluated
      includeExcludePredicate - the include/exclude predicate with which to evaluate the candidate data encryption and key transport algorithm URIs
      dataEncryptionAlgorithm - the optional data encryption algorithm URI to consider
      metadataCredContext - the credential context extracted from metadata
      Returns:
      the selected algorithm URI and the associated encryption method from metadata, if any.

    • resolveDataEncryptionAlgorithm

      @Nonnull @NullableElements protected Pair<String,EncryptionMethod> resolveDataEncryptionAlgorithm(@Nonnull CriteriaSet criteria, @Nonnull Predicate<String> includeExcludePredicate, @Nullable SAMLMDCredentialContext metadataCredContext)
      Determine the data encryption algorithm URI to use, also returning the associated EncryptionMethod from metadata if relevant.

      Any algorithms specified in metadata via the passed SAMLMDCredentialContext are considered first, followed by locally configured algorithms.

      Parameters:
      criteria - the criteria instance being evaluated
      includeExcludePredicate - the include/exclude predicate with which to evaluate the candidate data encryption and key transport algorithm URIs
      metadataCredContext - the credential context extracted from metadata
      Returns:
      the selected algorithm URI and the associated encryption method from metadata, if any

    • evaluateEncryptionMethodChildren

      protected boolean evaluateEncryptionMethodChildren(@Nonnull EncryptionMethod encryptionMethod, @Nonnull CriteriaSet criteria, @Nonnull Predicate<String> includeExcludePredicate)
      Evaluate the child elements of an EncryptionMethod for acceptability based on for example include/exclude policy and algorithm runtime support.
      Parameters:
      encryptionMethod - the EncryptionMethod being evaluated
      criteria - the criteria instance being evaluated
      includeExcludePredicate - the include/exclude predicate with which to evaluate the candidate data encryption and key transport algorithm URIs
      Returns:
      true if the EncryptionMethod children are acceptable

    • evaluateRSAOAEPChildren

      protected boolean evaluateRSAOAEPChildren(@Nonnull EncryptionMethod encryptionMethod, @Nonnull CriteriaSet criteria, @Nonnull Predicate<String> includeExcludePredicate)
      Evaluate the child elements of an RSA OAEP EncryptionMethod for acceptability based on for example include/exclude policy and algorithm runtime support.
      Parameters:
      encryptionMethod - the EncryptionMethod being evaluated
      criteria - the criteria instance being evaluated
      includeExcludePredicate - the include/exclude predicate with which to evaluate the candidate data encryption and key transport algorithm URIs
      Returns:
      true if the EncryptionMethod children are acceptable

    • credentialSupportsEncryptionMethod

      protected boolean credentialSupportsEncryptionMethod(@Nonnull Credential credential, @Nonnull EncryptionMethod encryptionMethod)
      Evaluate whether the specified credential is supported for use with the specified EncryptionMethod.
      Parameters:
      credential - the credential to evaluate
      encryptionMethod - the encryption method to evaluate
      Returns:
      true if credential may be used with the supplied encryption method, false otherwise