Package org.opensaml.xmlsec.keyinfo

Class KeyInfoSupport

java.lang.Object
org.opensaml.xmlsec.keyinfo.KeyInfoSupport
public final class KeyInfoSupport extends Object
Utility class for working with data inside a KeyInfo object. Methods are provided for converting the representation stored in the XMLTooling KeyInfo to Java java.security native types, and for storing these Java native types inside a KeyInfo.

  • Field Details

  • Constructor Details

    • KeyInfoSupport

      private KeyInfoSupport()
      Constructor.

  • Method Details

    • getKeyNames

      @Nonnull @Unmodifiable @NotLive public static List<String> getKeyNames(@Nullable KeyInfo keyInfo)
      Get the set of key names inside the specified KeyInfo as a list of strings.
      Parameters:
      keyInfo - KeyInfo to retrieve key names from
      Returns:
      a list of key name strings

    • addKeyName

      public static void addKeyName(@Nonnull KeyInfo keyInfo, @Nullable String keyNameValue)
      Add a new KeyName value to a KeyInfo.
      Parameters:
      keyInfo - the KeyInfo to which to add the new value
      keyNameValue - the new key name value to add

    • getCertificates

      @Nonnull @Unmodifiable @NotLive public static List<X509Certificate> getCertificates(@Nullable KeyInfo keyInfo) throws CertificateException
      Get a list of the Java X509Certificate within the given KeyInfo.
      Parameters:
      keyInfo - key info to extract the certificates from
      Returns:
      a list of Java X509Certificates
      Throws:
      CertificateException - thrown if there is a problem converting the X509 data into X509Certificates.

    • getCertificates

      @Nonnull @Unmodifiable @NotLive public static List<X509Certificate> getCertificates(@Nullable X509Data x509Data) throws CertificateException
      Get a list of the Java X509Certificate within the given X509Data.
      Parameters:
      x509Data - X509Data from which to extract the certificate
      Returns:
      a list of Java X509Certificates
      Throws:
      CertificateException - thrown if there is a problem converting the X509 data into X509Certificates.

    • getCertificate

      @Nullable public static X509Certificate getCertificate(@Nullable X509Certificate xmlCert) throws CertificateException
      Convert an X509Certificate into a native Java representation.
      Parameters:
      xmlCert - an X509Certificate
      Returns:
      a X509Certificate
      Throws:
      CertificateException - thrown if there is a problem converting the X509 data into X509Certificates.

    • getCRLs

      @Nonnull @Unmodifiable @NotLive public static List<X509CRL> getCRLs(@Nullable KeyInfo keyInfo) throws CRLException
      Get a list of the Java X509CRLs within the given KeyInfo.
      Parameters:
      keyInfo - the KeyInfo to extract the CRLs from
      Returns:
      a list of Java X509CRLs
      Throws:
      CRLException - thrown if there is a problem converting the CRL data into X509CRL s

    • getCRLs

      @Nonnull @Unmodifiable @NotLive public static List<X509CRL> getCRLs(@Nullable X509Data x509Data) throws CRLException
      Get a list of the Java X509CRLs within the given X509Data.
      Parameters:
      x509Data - X509Data to extract the CRLs from
      Returns:
      a list of Java X509CRLs
      Throws:
      CRLException - thrown if there is a problem converting the CRL data into X509CRL s

    • getCRL

      @Nullable public static X509CRL getCRL(@Nullable X509CRL xmlCRL) throws CRLException
      Convert an X509CRL into a native Java representation.
      Parameters:
      xmlCRL - object to extract the CRL from
      Returns:
      a native Java X509CRL object
      Throws:
      CRLException - thrown if there is a problem converting the CRL data into X509CRL

    • addCertificate

      public static void addCertificate(@Nonnull KeyInfo keyInfo, @Nonnull X509Certificate cert) throws CertificateEncodingException
      Converts a native Java X509Certificate into the corresponding XMLObject and stores it in a KeyInfo in the first X509Data element. The X509Data element will be created if necessary.
      Parameters:
      keyInfo - the KeyInfo object into which to add the certificate
      cert - the Java X509Certificate to add
      Throws:
      CertificateEncodingException - thrown when there is an error converting the Java certificate representation to the XMLObject representation

    • addCRL

      public static void addCRL(@Nonnull KeyInfo keyInfo, @Nonnull X509CRL crl) throws CRLException
      Converts a native Java X509CRL into the corresponding XMLObject and stores it in a KeyInfo in the first X509Data element. The X509Data element will be created if necessary.
      Parameters:
      keyInfo - the KeyInfo object into which to add the CRL
      crl - the Java X509CRL to add
      Throws:
      CRLException - thrown when there is an error converting the Java CRL representation to the XMLObject representation

    • buildX509Certificate

      @Nonnull public static X509Certificate buildX509Certificate(X509Certificate cert) throws CertificateEncodingException
      Builds an X509Certificate XMLObject from a native Java X509Certificate.
      Parameters:
      cert - the Java X509Certificate to convert
      Returns:
      a X509Certificate XMLObject
      Throws:
      CertificateEncodingException - thrown when there is an error converting the Java certificate representation to the XMLObject representation

    • buildX509CRL

      @Nonnull public static X509CRL buildX509CRL(X509CRL crl) throws CRLException
      Builds an X509CRL XMLObject from a native Java X509CRL.
      Parameters:
      crl - the Java X509CRL to convert
      Returns:
      a X509CRL XMLObject
      Throws:
      CRLException - thrown when there is an error converting the Java CRL representation to the XMLObject representation

    • buildX509SubjectName

      @Nonnull public static X509SubjectName buildX509SubjectName(@Nullable String subjectName)
      Build an X509SubjectName containing a given subject name.
      Parameters:
      subjectName - the name content
      Returns:
      the new X509SubjectName

    • buildX509IssuerSerial

      @Nonnull public static X509IssuerSerial buildX509IssuerSerial(@Nullable String issuerName, @Nullable BigInteger serialNumber)
      Build an X509IssuerSerial containing a given issuer name and serial number.
      Parameters:
      issuerName - the name content
      serialNumber - the serial number content
      Returns:
      the new X509IssuerSerial

    • buildX509SKI

      @Nullable public static X509SKI buildX509SKI(@Nonnull X509Certificate javaCert) throws SecurityException
      Build an X509SKI containing the subject key identifier extension value contained within a certificate.
      Parameters:
      javaCert - the Java X509Certificate from which to extract the subject key identifier value.
      Returns:
      a new X509SKI object, or null if the certificate did not contain the subject key identifier extension, or the subject key identifier binary can not be base64-encoded.
      Throws:
      SecurityException - if there is a problem building the subject key identifier.

    • buildX509Digest

      @Nonnull public static X509Digest buildX509Digest(@Nonnull X509Certificate javaCert, @Nonnull String algorithmURI) throws NoSuchAlgorithmException, CertificateEncodingException
      Build an X509Digest containing the digest of the specified certificate.
      Parameters:
      javaCert - the Java X509Certificate to digest
      algorithmURI - digest algorithm URI
      Returns:
      a new X509Digest object
      Throws:
      NoSuchAlgorithmException - if the algorithm specified cannot be used
      CertificateEncodingException - if the certificate cannot be encoded

    • addPublicKey

      public static void addPublicKey(@Nonnull KeyInfo keyInfo, @Nonnull PublicKey pk) throws EncodingException
      Converts a Java RSA, EC, DSA or DH public key into the corresponding XMLObject and stores it in a KeyInfo in a new KeyValue element.

      As input, only supports PublicKey instances which are:

      Parameters:
      keyInfo - the KeyInfo element to which to add the key
      pk - the native Java PublicKey to add
      Throws:
      EncodingException - if base64 encoding the components of the public key pk fails

    • buildDHKeyValue

      @Nonnull public static DHKeyValue buildDHKeyValue(@Nonnull DHPublicKey dhPubKey) throws EncodingException
      Builds a DHKeyValue XMLObject from the Java security DH public key type.
      Parameters:
      dhPubKey - a native Java DHPublicKey
      Returns:
      an DHKeyValue XMLObject
      Throws:
      EncodingException - if the DH public key parameters can not be base64 encoded

    • buildECKeyValue

      @Nonnull public static ECKeyValue buildECKeyValue(@Nonnull ECPublicKey ecPubKey) throws EncodingException
      Builds an ECKeyValue XMLObject from the Java security EC public key type.

      Only curve parameters specified by a NamedCurve are supported. Use of explicit curve parameters will throw.

      Parameters:
      ecPubKey - a naive java ECPublicKey
      Returns:
      an ECKeyValue XMLObject
      Throws:
      EncodingException - if the NamedCurve variant was not used, if the EC PublicKey value is invalid or if the EC PublicKey value can not be Base64 encoded

    • buildRSAKeyValue

      @Nonnull public static RSAKeyValue buildRSAKeyValue(@Nonnull RSAPublicKey rsaPubKey) throws EncodingException
      Builds an RSAKeyValue XMLObject from the Java security RSA public key type.
      Parameters:
      rsaPubKey - a native Java RSAPublicKey
      Returns:
      an RSAKeyValue XMLObject
      Throws:
      EncodingException - if the RSA public key modulus/exponent can not be base64 encoded

    • buildDSAKeyValue

      @Nonnull public static DSAKeyValue buildDSAKeyValue(@Nonnull DSAPublicKey dsaPubKey) throws EncodingException
      Builds a DSAKeyValue XMLObject from the Java security DSA public key type.
      Parameters:
      dsaPubKey - a native Java DSAPublicKey
      Returns:
      an DSAKeyValue XMLObject
      Throws:
      EncodingException - if the DSA public key parameters can not be base64 encoded

    • addDEREncodedPublicKey

      public static void addDEREncodedPublicKey(@Nonnull KeyInfo keyInfo, @Nonnull PublicKey pk) throws NoSuchAlgorithmException, InvalidKeySpecException
      Converts a Java public key into the corresponding XMLObject and stores it in a KeyInfo in a new DEREncodedKeyValue element.
      Parameters:
      keyInfo - the KeyInfo element to which to add the key
      pk - the native Java PublicKey to convert
      Throws:
      NoSuchAlgorithmException - if the key type is unsupported
      InvalidKeySpecException - if the key type does not support X.509 SPKI encoding

    • getPublicKeys

      @Nonnull public static List<PublicKey> getPublicKeys(@Nullable KeyInfo keyInfo) throws KeyException
      Extracts all the public keys within the given KeyInfo's KeyValues and DEREncodedKeyValues.
      Parameters:
      keyInfo - KeyInfo to extract the keys out of
      Returns:
      a list of native Java PublicKey objects
      Throws:
      KeyException - thrown if the given key data can not be converted into PublicKey

    • getKey

      @Nullable public static PublicKey getKey(@Nonnull KeyValue keyValue) throws KeyException
      Extracts the DSA or RSA public key within the KeyValue.
      Parameters:
      keyValue - the KeyValue to extract the key from
      Returns:
      a native Java security Key object
      Throws:
      KeyException - thrown if the given key data can not be converted into PublicKey

    • getECKey

      @Nonnull public static PublicKey getECKey(@Nonnull ECKeyValue keyDescriptor) throws KeyException
      Builds an EC key from an ECKeyValue element.
      Parameters:
      keyDescriptor - the ECKeyValue key descriptor
      Returns:
      a new ECPublicKey instance of PublicKey
      Throws:
      KeyException - thrown if the key algorithm is not supported by the JCE or the key spec does not contain valid information

    • getDHKey

      @Nonnull public static PublicKey getDHKey(@Nonnull DHKeyValue keyDescriptor) throws KeyException
      Builds a DH key from a DHKeyValue element. The element must contain values for all required DH public key parameters, including values for shared key family values P, Q and G (aka Generator).
      Parameters:
      keyDescriptor - the DHKeyValue key descriptor
      Returns:
      a new DHPublicKey instance of PublicKey
      Throws:
      KeyException - thrown if the key algorithm is not supported by the JCE or the key spec does not contain valid information

    • hasCompleteDHParams

      public static boolean hasCompleteDHParams(@Nullable DHKeyValue keyDescriptor)
      Check whether the specified DHKeyValue element has the all optional DH values which can be shared amongst many keys in a DH "key family", and are presumed to be known from context.
      Parameters:
      keyDescriptor - the DHKeyValue element to check
      Returns:
      true if all parameters are present and non-empty, false otherwise

    • getDSAKey

      @Nonnull public static PublicKey getDSAKey(@Nonnull DSAKeyValue keyDescriptor) throws KeyException
      Builds an DSA key from a DSAKeyValue element. The element must contain values for all required DSA public key parameters, including values for shared key family values P, Q and G.
      Parameters:
      keyDescriptor - the DSAKeyValue key descriptor
      Returns:
      a new DSAPublicKey instance of PublicKey
      Throws:
      KeyException - thrown if the key algorithm is not supported by the JCE or the key spec does not contain valid information

    • getDSAKey

      @Nonnull public static PublicKey getDSAKey(@Nonnull DSAKeyValue keyDescriptor, @Nonnull DSAParams dsaParams) throws KeyException
      Builds a DSA key from an DSAKeyValue element and the supplied Java DSAParams, which supplies key material from a shared key family.
      Parameters:
      keyDescriptor - the DSAKeyValue key descriptor
      dsaParams - the DSAParams DSA key family parameters
      Returns:
      a new DSAPublicKey instance of PublicKey
      Throws:
      KeyException - thrown if the key algorithm is not supported by the JCE or the key spec does not contain valid information

    • hasCompleteDSAParams

      public static boolean hasCompleteDSAParams(@Nullable DSAKeyValue keyDescriptor)
      Check whether the specified DSAKeyValue element has the all optional DSA values which can be shared amongst many keys in a DSA "key family", and are presumed to be known from context.
      Parameters:
      keyDescriptor - the DSAKeyValue element to check
      Returns:
      true if all parameters are present and non-empty, false otherwise

    • getRSAKey

      @Nonnull public static PublicKey getRSAKey(@Nonnull RSAKeyValue keyDescriptor) throws KeyException
      Builds an RSA key from an RSAKeyValue element.
      Parameters:
      keyDescriptor - the RSAKeyValue key descriptor
      Returns:
      a new RSAPublicKey instance of PublicKey
      Throws:
      KeyException - thrown if the key algorithm is not supported by the JCE or the key spec does not contain valid information

    • decodeBigIntegerFromCryptoBinary

      @Nonnull public static final BigInteger decodeBigIntegerFromCryptoBinary(@Nonnull String base64Value) throws DecodingException
      Decode a base64-encoded ds:CryptoBinary value to a native Java BigInteger type.
      Parameters:
      base64Value - base64-encoded CryptoBinary value
      Returns:
      the decoded BigInteger
      Throws:
      DecodingException - if the base64 value can not be decoded.

    • encodeCryptoBinaryFromBigInteger

      @Nonnull @NotEmpty public static final String encodeCryptoBinaryFromBigInteger(@Nonnull BigInteger bigInt) throws EncodingException
      Encode a native Java BigInteger type to a base64-encoded ds:CryptoBinary value.
      Parameters:
      bigInt - the BigInteger value
      Returns:
      the encoded CryptoBinary value
      Throws:
      EncodingException - if the BigInteger as bytes can not be base64 encoded.

    • buildKey

      @Nonnull protected static PublicKey buildKey(@Nonnull KeySpec keySpec, @Nonnull String keyAlgorithm) throws KeyException
      Generates a public key from the given key spec.
      Parameters:
      keySpec - KeySpec specification for the key
      keyAlgorithm - key generation algorithm, only DSA and RSA supported
      Returns:
      the generated PublicKey
      Throws:
      KeyException - thrown if the key algorithm is not supported by the JCE or the key spec does not contain valid information

    • getKey

      @Nonnull public static PublicKey getKey(@Nonnull DEREncodedKeyValue keyValue) throws KeyException
      Extracts the public key within the DEREncodedKeyValue.
      Parameters:
      keyValue - the DEREncodedKeyValue to extract the key from
      Returns:
      a native Java security Key object
      Throws:
      KeyException - thrown if the given key data can not be converted into PublicKey

    • parseKeyType

      private static String parseKeyType(@Nonnull byte[] encodedKey)
      Parse the JCA key algorithm type from the ASN.1 encoded form of the public key.

      Methodology is to parse the ASN.1 data to the SubjectPublicKeyInfo, read the AlgorithmIdentifier for the key type's OID, then map the OID to the JCA key algorithm.

      Parameters:
      encodedKey - the ASN.1 encoded key
      Returns:
      the JCA key algorithm, or null if the OID parsing or OID-to-algorithm mapping fails

    • getX509CertFactory

      @Nonnull protected static CertificateFactory getX509CertFactory() throws CertificateException
      Get the Java certificate factory singleton.
      Returns:
      CertificateFactory the factory used to create X509 certificate objects
      Throws:
      CertificateException - thrown if the factory can not be created

    • getKeyInfoGenerator

      @Nullable public static KeyInfoGenerator getKeyInfoGenerator(@Nonnull Credential credential, @Nonnull NamedKeyInfoGeneratorManager manager, @Nullable String keyInfoProfileName)
      Obtains a KeyInfoGenerator for the specified Credential.

      The KeyInfoGenerator returned is resolved via the supplied NamedKeyInfoGeneratorManager and is determined by the type of the signing credential and an optional KeyInfo generator profile configuration name. If the latter is ommited, the default manager (NamedKeyInfoGeneratorManager.getDefaultManager()) of the security configuration's named generator manager will be used.

      Parameters:
      credential - the credential for which a generator is desired
      manager - the NamedKeyInfoGeneratorManager instance to use
      keyInfoProfileName - the named KeyInfoGeneratorManager configuration to use (may be null)
      Returns:
      a KeyInfoGenerator appropriate for the specified credential