Package org.opensaml.xmlsec.impl

Class BasicEncryptionParametersResolver

java.lang.Object
org.opensaml.xmlsec.impl.AbstractSecurityParametersResolver<EncryptionParameters>
org.opensaml.xmlsec.impl.BasicEncryptionParametersResolver
All Implemented Interfaces:
Resolver<EncryptionParameters,CriteriaSet>, EncryptionParametersResolver
Direct Known Subclasses:
SAMLMetadataEncryptionParametersResolver
public class BasicEncryptionParametersResolver extends AbstractSecurityParametersResolver<EncryptionParameters> implements EncryptionParametersResolver
Basic implementation of EncryptionParametersResolver.

The following Criterion inputs are supported:

  • Field Details

    • log

      @Nonnull private org.slf4j.Logger log
      Logger.

    • algorithmRegistry

      @Nullable private AlgorithmRegistry algorithmRegistry
      The AlgorithmRegistry used when processing algorithm URIs.

    • autoGenerateDataEncryptionCredential

      private boolean autoGenerateDataEncryptionCredential
      Flag indicating whether the resolver should auto-generate data encryption credentials.

  • Constructor Details

    • BasicEncryptionParametersResolver

      public BasicEncryptionParametersResolver()
      Constructor.

  • Method Details

    • getAlgorithmRegistry

      @Nonnull public AlgorithmRegistry getAlgorithmRegistry()
      Get the AlgorithmRegistry instance used when resolving algorithm URIs. Defaults to the registry resolved via AlgorithmSupport.getGlobalAlgorithmRegistry().
      Returns:
      the algorithm registry instance

    • setAlgorithmRegistry

      public void setAlgorithmRegistry(@Nonnull AlgorithmRegistry registry)
      Set the AlgorithmRegistry instance used when resolving algorithm URIs. Defaults to the registry resolved via AlgorithmSupport.getGlobalAlgorithmRegistry().
      Parameters:
      registry - the new algorithm registry instance

    • isAutoGenerateDataEncryptionCredential

      public boolean isAutoGenerateDataEncryptionCredential()
      Get whether an this resolver should auto-generate data encryption credentials.
      Returns:
      true if should auto-generate, false otherwise

    • setAutoGenerateDataEncryptionCredential

      public void setAutoGenerateDataEncryptionCredential(boolean flag)
      Set whether an this resolver should auto-generate data encryption credentials.
      Parameters:
      flag - true if should auto-generate, false otherwise

    • resolve

      @Nonnull public Iterable<EncryptionParameters> resolve(@Nullable CriteriaSet criteria) throws ResolverException
      Specified by:
      resolve in interface Resolver<EncryptionParameters,CriteriaSet>
      Throws:
      ResolverException

    • resolveSingle

      @Nullable public EncryptionParameters resolveSingle(@Nullable CriteriaSet criteria) throws ResolverException
      Specified by:
      resolveSingle in interface Resolver<EncryptionParameters,CriteriaSet>
      Throws:
      ResolverException

    • logResult

      protected void logResult(@Nonnull EncryptionParameters params)
      Log the resolved parameters.
      Parameters:
      params - the resolved param

    • validate

      protected boolean validate(@Nonnull EncryptionParameters params, boolean encryptionOptional)
      Validate that the EncryptionParameters instance has all the required properties populated.
      Parameters:
      params - the parameters instance to evaluate
      encryptionOptional - whether to consider invalid parameters to be a problem
      Returns:
      true if parameters instance passes validation, false otherwise
      Since:
      3.3.0

    • getIncludeExcludePredicate

      @Nonnull protected Predicate<String> getIncludeExcludePredicate(@Nonnull CriteriaSet criteria)
      Get a predicate which implements the effective configured include/exclude policy.
      Parameters:
      criteria - the input criteria being evaluated
      Returns:
      a include/exclude predicate instance

    • resolveAndPopulateCredentialsAndAlgorithms

      protected void resolveAndPopulateCredentialsAndAlgorithms(@Nonnull EncryptionParameters params, @Nonnull CriteriaSet criteria, @Nonnull Predicate<String> includeExcludePredicate)
      Resolve and populate the data encryption and key transport credentials and algorithm URIs.
      Parameters:
      params - the params instance being populated
      criteria - the input criteria being evaluated
      includeExcludePredicate - the include/exclude predicate with which to evaluate the candidate data encryption and key transport algorithm URIs

    • checkAndProcessKeyAgreement

      protected boolean checkAndProcessKeyAgreement(@Nonnull EncryptionParameters params, @Nonnull CriteriaSet criteria, @Nonnull Credential credential, @Nonnull List<String> dataEncryptionAlgorithms, @Nonnull List<String> keyTransportAlgorithms)
      Check for a credential type that implies a key agreement operation, and process if so indicated.

      For both algorithm list arguments, they are assumed to already have had runtime support and include/exclude filtering applied.

      If symmetric key wrap should NOT be considered, pass an empty list for keyTransportAlgorithms. Otherwise, if the keyTransportAlgorithms list contains a symmetric key wrap algorithm, then key wrapping will be indicated in the produced parameters. If it does not then direct data encryption will be indicated.

      Parameters:
      params - the params instance being populated
      criteria - the input criteria being evaluated
      credential - the credential being evaluated
      dataEncryptionAlgorithms - the effective data encryption credentials
      keyTransportAlgorithms - the effective key transport credentials
      Returns:
      true if all required parameters were supplied, key agreement was successfully performed, and the EncryptionParameters instance's credential and algorithms properties are fully populated, otherwise false

    • getEffectiveKeyAgreementConfiguration

      @Nullable protected KeyAgreementEncryptionConfiguration getEffectiveKeyAgreementConfiguration(@Nonnull CriteriaSet criteria, @Nonnull Credential credential)
      Get the effective KeyAgreementEncryptionConfiguration to use with the specified credential.
      Parameters:
      criteria - the criteria
      credential - the credential to evaluate
      Returns:
      the key agreement configuration for the credential, or null if could not be resolved

    • resolveAndPopulateRSAOAEPParams

      protected void resolveAndPopulateRSAOAEPParams(@Nonnull EncryptionParameters params, @Nonnull CriteriaSet criteria, @Nonnull Predicate<String> includeExcludePredicate)
      Resolve and populate an instance of RSAOAEPParameters, if appropriate for the selected key transport encryption algorithm.
      Parameters:
      params - the params instance being populated
      criteria - the input criteria being evaluated
      includeExcludePredicate - the include/exclude predicate with which to evaluate the candidate data encryption and key transport algorithm URIs

    • populateRSAOAEPParams

      protected void populateRSAOAEPParams(@Nonnull RSAOAEPParameters rsaParams, @Nonnull CriteriaSet criteria, @Nonnull Predicate<String> includeExcludePredicate)
      Populate an instance of RSAOAEPParameters based on data from the supplied instances of EncryptionConfiguration.
      Parameters:
      rsaParams - the existing RSAOAEPParameters instance being populated
      criteria - the input criteria being evaluated
      includeExcludePredicate - the include/exclude predicate with which to evaluate the candidate data encryption and key transport algorithm URIs

    • resolveKeyTransportAlgorithmPredicate

      @Nullable protected KeyTransportAlgorithmPredicate resolveKeyTransportAlgorithmPredicate(@Nonnull CriteriaSet criteria)
      Resolve the optional effectively configured instance of KeyTransportAlgorithmPredicate to use.
      Parameters:
      criteria - the input criteria being evaluated
      Returns:
      the resolved predicate instance, may be null

    • resolveKeyTransportAlgorithm

      @Nullable protected String resolveKeyTransportAlgorithm(@Nonnull Credential keyTransportCredential, @Nonnull List<String> keyTransportAlgorithms, @Nullable String dataEncryptionAlgorithm, @Nullable KeyTransportAlgorithmPredicate keyTransportPredicate)
      Determine the key transport encryption algorithm URI to use with the specified key transport credential and optional data encryption algorithm URI.
      Parameters:
      keyTransportCredential - the key transport credential being evaluated
      keyTransportAlgorithms - the list of effective key transport algorithms to evaluate
      dataEncryptionAlgorithm - the optional data encryption algorithm URI to consider
      keyTransportPredicate - the optional key transport algorithm predicate to evaluate
      Returns:
      the resolved algorithm URI, may be null

    • resolveKeyTransportAlgorithm

      @Nullable protected String resolveKeyTransportAlgorithm(@Nonnull Credential keyTransportCredential, @Nonnull CriteriaSet criteria, @Nonnull Predicate<String> includeExcludePredicate, @Nullable String dataEncryptionAlgorithm)
      Determine the key transport algorithm URI to use with the specified credential.
      Parameters:
      keyTransportCredential - the key transport credential to evaluate
      criteria - the criteria instance being evaluated
      includeExcludePredicate - the include/exclude predicate with which to evaluate the candidate data encryption and key transport algorithm URIs
      dataEncryptionAlgorithm - the optional data encryption algorithm URI to consider
      Returns:
      the selected algorithm URI, may be null

    • resolveDataEncryptionAlgorithm

      @Nullable protected String resolveDataEncryptionAlgorithm(@Nullable Credential dataEncryptionCredential, @Nonnull List<String> dataEncryptionAlgorithms)
      Determine the data encryption algorithm URI, considering the optionally specified data encryption credential.
      Parameters:
      dataEncryptionCredential - the data encryption credential being evaluated, may be null
      dataEncryptionAlgorithms - the list of effective data encryption algorithms to evaluate
      Returns:
      the resolved algorithm URI, may be null

    • resolveDataEncryptionAlgorithm

      @Nullable protected String resolveDataEncryptionAlgorithm(@Nullable Credential dataEncryptionCredential, @Nonnull CriteriaSet criteria, @Nonnull Predicate<String> includeExcludePredicate)
      Determine the data encryption algorithm URI to use with the specified data encryption credential.
      Parameters:
      dataEncryptionCredential - the data encryption credential to evaluate
      criteria - the criteria instance being evaluated
      includeExcludePredicate - the include/exclude predicate with which to evaluate the candidate data encryption and key transport algorithm URIs
      Returns:
      the selected algorithm URI

    • getEffectiveDataEncryptionCredentials

      @Nonnull protected List<Credential> getEffectiveDataEncryptionCredentials(@Nonnull CriteriaSet criteria)
      Get the effective list of data encryption credentials to consider.
      Parameters:
      criteria - the input criteria being evaluated
      Returns:
      the list of credentials

    • getEffectiveDataEncryptionAlgorithms

      @Nonnull protected List<String> getEffectiveDataEncryptionAlgorithms(@Nonnull CriteriaSet criteria, @Nonnull Predicate<String> includeExcludePredicate)
      Get the effective list of data encryption algorithm URIs to consider, including application of include/exclude policy.
      Parameters:
      criteria - the input criteria being evaluated
      includeExcludePredicate - the include/exclude predicate to use
      Returns:
      the list of effective algorithm URIs

    • getEffectiveKeyTransportCredentials

      @Nonnull protected List<Credential> getEffectiveKeyTransportCredentials(@Nonnull CriteriaSet criteria)
      Get the effective list of key transport credentials to consider.
      Parameters:
      criteria - the input criteria being evaluated
      Returns:
      the list of credentials

    • getEffectiveKeyTransportAlgorithms

      @Nonnull protected List<String> getEffectiveKeyTransportAlgorithms(@Nonnull CriteriaSet criteria, @Nonnull Predicate<String> includeExcludePredicate)
      Get the effective list of key transport algorithm URIs to consider, including application of include/exclude policy.
      Parameters:
      criteria - the input criteria being evaluated
      includeExcludePredicate - the include/exclude predicate to use
      Returns:
      the list of effective algorithm URIs

    • resolveDataKeyInfoGenerator

      @Nullable protected KeyInfoGenerator resolveDataKeyInfoGenerator(@Nonnull CriteriaSet criteria, @Nullable Credential dataEncryptionCredential)
      Resolve and return the KeyInfoGenerator instance to use with the specified data encryption credential.
      Parameters:
      criteria - the input criteria being evaluated
      dataEncryptionCredential - the credential being evaluated
      Returns:
      KeyInfo generator instance, or null

    • resolveKeyTransportKeyInfoGenerator

      @Nullable protected KeyInfoGenerator resolveKeyTransportKeyInfoGenerator(@Nonnull CriteriaSet criteria, @Nullable Credential keyTransportEncryptionCredential)
      Resolve and return the KeyInfoGenerator instance to use with the specified key transport credential.
      Parameters:
      criteria - the input criteria being evaluated
      keyTransportEncryptionCredential - the credential being evaluated
      Returns:
      KeyInfo generator instance, or null

    • getAlgorithmRuntimeSupportedPredicate

      @Nonnull protected Predicate<String> getAlgorithmRuntimeSupportedPredicate()
      Get a predicate which evaluates whether a cryptographic algorithm is supported by the runtime environment.
      Returns:
      the predicate

    • credentialSupportsAlgorithm

      protected boolean credentialSupportsAlgorithm(@Nonnull Credential credential, @Nonnull @NotEmpty String algorithm)
      Evaluate whether the specified credential is supported for use with the specified algorithm URI.
      Parameters:
      credential - the credential to evaluate
      algorithm - the algorithm URI to evaluate
      Returns:
      true if credential may be used with the supplied algorithm URI, false otherwise

    • isKeyTransportAlgorithm

      protected boolean isKeyTransportAlgorithm(@Nonnull String algorithm)
      Evaluate whether the specified algorithm is a key transport algorithm.
      Parameters:
      algorithm - the algorithm URI to evaluate
      Returns:
      true if is a key transport algorithm URI, false otherwise

    • isDataEncryptionAlgorithm

      protected boolean isDataEncryptionAlgorithm(String algorithm)
      Evaluate whether the specified algorithm is a data encryption algorithm.
      Parameters:
      algorithm - the algorithm URI to evaluate
      Returns:
      true if is a key transport algorithm URI, false otherwise

    • generateDataEncryptionCredential

      @Nullable protected Credential generateDataEncryptionCredential(@Nonnull String dataEncryptionAlgorithm)
      Generate a random data encryption symmetric key credential.
      Parameters:
      dataEncryptionAlgorithm - the data encryption algorithm URI
      Returns:
      the generated credential, or null if there was a problem generating a key from the algorithm URI

    • processDataEncryptionCredentialAutoGeneration

      protected void processDataEncryptionCredentialAutoGeneration(@Nonnull EncryptionParameters params)
      Auto-generate and populate a data encryption credential, if configured and required conditions are met.
      Parameters:
      params - the encryption parameters instance to process