Class SAMLMetadataEncryptionParametersResolver

  • All Implemented Interfaces:
net.shibboleth.utilities.java.support.resolver.Resolver<org.opensaml.xmlsec.EncryptionParameters,net.shibboleth.utilities.java.support.resolver.CriteriaSet>, org.opensaml.xmlsec.EncryptionParametersResolver

    public class SAMLMetadataEncryptionParametersResolver
    extends org.opensaml.xmlsec.impl.BasicEncryptionParametersResolver
    A specialization of BasicEncryptionParametersResolver which resolves credentials and algorithm preferences against SAML metadata via a MetadataCredentialResolver.

    In addition to the Criterion inputs documented in BasicEncryptionParametersResolver, the inputs and associated modes of operation documented for MetadataCredentialResolver are also supported and required.

    The CriteriaSet instance passed to the configured metadata credential resolver will be a copy of the input criteria set, with the addition of a UsageCriterion containing the value UsageType.ENCRYPTION, which will replace any existing usage criterion instance.

    • Method Summary

      Modifier and Type Method Description
      protected boolean credentialSupportsEncryptionMethod(org.opensaml.security.credential.Credential credential, org.opensaml.saml.saml2.metadata.EncryptionMethod encryptionMethod)
      Evaluate whether the specified credential is supported for use with the specified EncryptionMethod.
      protected boolean evaluateEncryptionMethodChildren(org.opensaml.saml.saml2.metadata.EncryptionMethod encryptionMethod, net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria, Predicate<String> whitelistBlacklistPredicate)
      Evaluate the child elements of an EncryptionMethod for acceptability based on, for example, whitelist/blacklist policy and algorithm runtime support.
      protected boolean evaluateRSAOAEPChildren(org.opensaml.saml.saml2.metadata.EncryptionMethod encryptionMethod, net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria, Predicate<String> whitelistBlacklistPredicate)
      Evaluate the child elements of an RSA OAEP EncryptionMethod for acceptability based on, for example, whitelist/blacklist policy and algorithm runtime support.
      protected MetadataCredentialResolver getMetadataCredentialResolver()
      Get the metadata credential resolver instance to use to resolve encryption credentials.
      boolean isMergeMetadataRSAOAEPParametersWithConfig()
      Determine whether the resolver should attempt to merge RSAOAEPParameters values resolved from metadata with additional parameters from supplied instances of EncryptionConfiguration.
      protected void populateRSAOAEPParamsFromEncryptionMethod(org.opensaml.xmlsec.encryption.support.RSAOAEPParameters params, org.opensaml.saml.saml2.metadata.EncryptionMethod encryptionMethod, Predicate<String> whitelistBlacklistPredicate)
      Extract DigestMethod, MGF and OAEPparams data present on the supplied instance of EncryptionMethod and populate it on the supplied instance of RSAOAEPParameters.
      protected void resolveAndPopulateCredentialsAndAlgorithms(org.opensaml.xmlsec.EncryptionParameters params, net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria, Predicate<String> whitelistBlacklistPredicate)
      protected void resolveAndPopulateRSAOAEPParams(org.opensaml.xmlsec.EncryptionParameters params, net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria, Predicate<String> whitelistBlacklistPredicate, org.opensaml.saml.saml2.metadata.EncryptionMethod encryptionMethod)
      Resolve and populate an instance of RSAOAEPParameters, if appropriate for the selected key transport encryption algorithm.
      protected net.shibboleth.utilities.java.support.collection.Pair<String,org.opensaml.saml.saml2.metadata.EncryptionMethod> resolveDataEncryptionAlgorithm(net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria, Predicate<String> whitelistBlacklistPredicate, SAMLMDCredentialContext metadataCredContext)
      Determine the data encryption algorithm URI to use, also returning the associated EncryptionMethod from metadata if relevant.
      protected net.shibboleth.utilities.java.support.collection.Pair<String,org.opensaml.saml.saml2.metadata.EncryptionMethod> resolveKeyTransportAlgorithm(org.opensaml.security.credential.Credential keyTransportCredential, net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria, Predicate<String> whitelistBlacklistPredicate, String dataEncryptionAlgorithm, SAMLMDCredentialContext metadataCredContext)
      Determine the key transport algorithm URI to use with the specified credential, also returning the associated EncryptionMethod from metadata if relevant.
      void setMergeMetadataRSAOAEPParametersWithConfig(boolean flag)
      Set whether the resolver should attempt to merge RSAOAEPParameters values resolved from metadata with additional parameters from supplied instances of EncryptionConfiguration.
      • Methods inherited from class org.opensaml.xmlsec.impl.BasicEncryptionParametersResolver

        credentialSupportsAlgorithm, generateDataEncryptionCredential, getAlgorithmRegistry, getAlgorithmRuntimeSupportedPredicate, getEffectiveDataEncryptionAlgorithms, getEffectiveDataEncryptionCredentials, getEffectiveKeyTransportAlgorithms, getEffectiveKeyTransportCredentials, getWhitelistBlacklistPredicate, isAutoGenerateDataEncryptionCredential, isDataEncryptionAlgorithm, isKeyTransportAlgorithm, logResult, populateRSAOAEPParams, processDataEncryptionCredentialAutoGeneration, resolve, resolveAndPopulateRSAOAEPParams, resolveDataEncryptionAlgorithm, resolveDataEncryptionAlgorithm, resolveDataKeyInfoGenerator, resolveKeyTransportAlgorithm, resolveKeyTransportAlgorithm, resolveKeyTransportAlgorithmPredicate, resolveKeyTransportKeyInfoGenerator, resolveSingle, setAlgorithmRegistry, setAutoGenerateDataEncryptionCredential, validate
      • Methods inherited from class org.opensaml.xmlsec.impl.AbstractSecurityParametersResolver

        lookupKeyInfoGenerator, resolveAndPopulateWhiteAndBlacklists, resolveEffectiveBlacklist, resolveEffectiveWhitelist, resolveWhitelistBlacklistPrecedence, resolveWhitelistBlacklistPredicate
    • Field Detail

      • log

        @Nonnull
        private org.slf4j.Logger log
        Logger.
      • mergeMetadataRSAOAEPParametersWithConfig

        private boolean mergeMetadataRSAOAEPParametersWithConfig
        Flag indicating whether the resolver should attempt to merge RSAOAEPParameters values resolved from metadata with additional parameters from supplied instances of EncryptionConfiguration.
    • Constructor Detail

      • SAMLMetadataEncryptionParametersResolver

        public SAMLMetadataEncryptionParametersResolver(@Nonnull @ParameterName(name="resolver")
                                                        MetadataCredentialResolver resolver)
        Constructor.
        Parameters:
        resolver - the metadata credential resolver instance to use to resolve encryption credentials
    • Method Detail

      • isMergeMetadataRSAOAEPParametersWithConfig

        public boolean isMergeMetadataRSAOAEPParametersWithConfig()
        Determine whether the resolver should attempt to merge RSAOAEPParameters values resolved from metadata with additional parameters from supplied instances of EncryptionConfiguration.

        Defaults to: false

        Returns:
        true if should merge metadata parameters with configuration, false otherwise
      • setMergeMetadataRSAOAEPParametersWithConfig

        public void setMergeMetadataRSAOAEPParametersWithConfig(boolean flag)
        Set whether the resolver should attempt to merge RSAOAEPParameters values resolved from metadata with additional parameters from supplied instances of EncryptionConfiguration.

        Defaults to: false

        Parameters:
        flag - true if should merge metadata parameters with configuration, false otherwise
      • getMetadataCredentialResolver

        @Nonnull
        protected MetadataCredentialResolver getMetadataCredentialResolver()
        Get the metadata credential resolver instance to use to resolve encryption credentials.
        Returns:
        the configured metadata credential resolver instance
      • resolveAndPopulateCredentialsAndAlgorithms

        protected void resolveAndPopulateCredentialsAndAlgorithms(@Nonnull
                                                                  org.opensaml.xmlsec.EncryptionParameters params,
                                                                  @Nonnull
                                                                  net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria,
                                                                  @Nonnull
                                                                  Predicate<String> whitelistBlacklistPredicate)
        Overrides:
        resolveAndPopulateCredentialsAndAlgorithms in class org.opensaml.xmlsec.impl.BasicEncryptionParametersResolver
      • resolveAndPopulateRSAOAEPParams

        protected void resolveAndPopulateRSAOAEPParams(@Nonnull
                                                       org.opensaml.xmlsec.EncryptionParameters params,
                                                       @Nonnull
                                                       net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria,
                                                       @Nonnull
                                                       Predicate<String> whitelistBlacklistPredicate,
                                                       @Nullable
                                                       org.opensaml.saml.saml2.metadata.EncryptionMethod encryptionMethod)
        Resolve and populate an instance of RSAOAEPParameters, if appropriate for the selected key transport encryption algorithm.

        This method itself resolves the parameters data from the metadata EncryptionMethod. If this results in an incomplete RSAOAEPParameters instance and isMergeMetadataRSAOAEPParametersWithConfig() evaluates true, the resolver delegates to the local configuration resolution process in the superclass to attempt to resolve and merge any null parameter values (see BasicEncryptionParametersResolver.resolveAndPopulateRSAOAEPParams(EncryptionParameters, CriteriaSet, Predicate)).

        Parameters:
        params - the current encryption parameters instance being resolved
        criteria - the criteria instance being evaluated
        whitelistBlacklistPredicate - the whitelist/blacklist predicate with which to evaluate the candidate data encryption and key transport algorithm URIs
        encryptionMethod - the metadata EncryptionMethod that was resolved along with the key transport encryption algorithm URI, if any. May be null.
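An added usage example (not part of the OpenSAML Javadoc or the project's own code) that wires this resolver as the class description above explains and exercises the merge behaviour just documented. It assumes OpenSAML 3.x package names, that OpenSAML has already been initialized, and that the caller supplies the peer's RoleDescriptor (from trusted metadata) and a KeyInfoCredentialResolver; the class and method names PeerEncryptionParamsExample/resolveForPeer are hypothetical.

```java
import java.util.Collections;

import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.ResolverException;
import org.opensaml.core.config.ConfigurationService;
import org.opensaml.saml.criterion.RoleDescriptorCriterion;
import org.opensaml.saml.saml2.metadata.RoleDescriptor;
import org.opensaml.saml.security.impl.MetadataCredentialResolver;
import org.opensaml.saml.security.impl.SAMLMetadataEncryptionParametersResolver;
import org.opensaml.xmlsec.EncryptionConfiguration;
import org.opensaml.xmlsec.EncryptionParameters;
import org.opensaml.xmlsec.criterion.EncryptionConfigurationCriterion;
import org.opensaml.xmlsec.encryption.support.EncryptionConstants;
import org.opensaml.xmlsec.encryption.support.RSAOAEPParameters;
import org.opensaml.xmlsec.impl.BasicEncryptionConfiguration;
import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xmlsec.signature.support.SignatureConstants;

/** Hypothetical helper (added example): resolves encryption parameters for one peer role. */
public final class PeerEncryptionParamsExample {

    // peerRole: the peer's SPSSODescriptor/IDPSSODescriptor obtained from trusted, verified metadata.
    // keyInfoResolver: resolves the KeyInfo inside the peer's KeyDescriptor elements.
    public static EncryptionParameters resolveForPeer(final RoleDescriptor peerRole,
            final KeyInfoCredentialResolver keyInfoResolver)
            throws ComponentInitializationException, ResolverException {

        // Driven by a RoleDescriptorCriterion below, so no RoleDescriptorResolver is needed here.
        final MetadataCredentialResolver mdCredResolver = new MetadataCredentialResolver();
        mdCredResolver.setKeyInfoCredentialResolver(keyInfoResolver);
        mdCredResolver.initialize();

        final SAMLMetadataEncryptionParametersResolver resolver =
                new SAMLMetadataEncryptionParametersResolver(mdCredResolver);
        // Let local RSA-OAEP defaults fill in DigestMethod/MGF values the peer's EncryptionMethod omits.
        resolver.setMergeMetadataRSAOAEPParametersWithConfig(true);

        // Local policy. Metadata algorithms are considered first, but only if they pass the
        // whitelist/blacklist predicate, so a peer advertising 3DES cannot lower the selection.
        final BasicEncryptionConfiguration local = new BasicEncryptionConfiguration();
        local.setDataEncryptionAlgorithms(Collections.singletonList(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256_GCM));
        local.setKeyTransportEncryptionAlgorithms(Collections.singletonList(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP11));
        local.setBlacklistedAlgorithms(Collections.singletonList(EncryptionConstants.ALGO_ID_BLOCKCIPHER_TRIPLEDES));
        local.setRSAOAEPParameters(new RSAOAEPParameters(
                SignatureConstants.ALGO_ID_DIGEST_SHA256, EncryptionConstants.ALGO_ID_MGF1_SHA256, null));

        // No UsageCriterion is added: the resolver copies the set and inserts UsageType.ENCRYPTION itself.
        final CriteriaSet criteria = new CriteriaSet(
                new RoleDescriptorCriterion(peerRole),
                new EncryptionConfigurationCriterion(local, ConfigurationService.get(EncryptionConfiguration.class)));

        final EncryptionParameters params = resolver.resolveSingle(criteria);
        if (params == null || params.getKeyTransportEncryptionCredential() == null) {
            throw new ResolverException("No acceptable encryption credential/algorithm for the peer role");
        }
        return params;
    }
}
```

Inspect params.getKeyTransportEncryptionAlgorithm(), getDataEncryptionAlgorithm() and getRSAOAEPParameters() after resolution to confirm that metadata preferences were honoured only where local policy allowed them.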
      • populateRSAOAEPParamsFromEncryptionMethod

        protected void populateRSAOAEPParamsFromEncryptionMethod(@Nonnull
                                                                 org.opensaml.xmlsec.encryption.support.RSAOAEPParameters params,
                                                                 @Nonnull
                                                                 org.opensaml.saml.saml2.metadata.EncryptionMethod encryptionMethod,
                                                                 @Nonnull
                                                                 Predicate<String> whitelistBlacklistPredicate)
        Extract DigestMethod, MGF and OAEPparams data present on the supplied instance of EncryptionMethod and populate it on the supplied instance of RSAOAEPParameters.

        Whitelist/blacklist evaluation is applied to the digest method and MGF algorithm URIs.

        Parameters:
        params - the existing RSAOAEPParameters instance being populated
        encryptionMethod - the metadata EncryptionMethod that was resolved along with the key transport encryption algorithm URI, if any. May be null.
        whitelistBlacklistPredicate - the whitelist/blacklist predicate with which to evaluate the candidate data encryption and key transport algorithm URIs
      • resolveKeyTransportAlgorithm

        @Nonnull
        protected net.shibboleth.utilities.java.support.collection.Pair<String,org.opensaml.saml.saml2.metadata.EncryptionMethod> resolveKeyTransportAlgorithm(@Nonnull
                                                                                                                                                                     org.opensaml.security.credential.Credential keyTransportCredential,
                                                                                                                                                                     @Nonnull
                                                                                                                                                                     net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria,
                                                                                                                                                                     @Nonnull
                                                                                                                                                                     Predicate<String> whitelistBlacklistPredicate,
                                                                                                                                                                     @Nullable
                                                                                                                                                                     String dataEncryptionAlgorithm,
                                                                                                                                                                     @Nullable
                                                                                                                                                                     SAMLMDCredentialContext metadataCredContext)
        Determine the key transport algorithm URI to use with the specified credential, also returning the associated EncryptionMethod from metadata if relevant.

        Any algorithms specified in metadata via the passed SAMLMDCredentialContext are considered first, followed by locally configured algorithms.

        Parameters:
        keyTransportCredential - the key transport credential to evaluate
        criteria - the criteria instance being evaluated
        whitelistBlacklistPredicate - the whitelist/blacklist predicate with which to evaluate the candidate data encryption and key transport algorithm URIs
        dataEncryptionAlgorithm - the optional data encryption algorithm URI to consider
        metadataCredContext - the credential context extracted from metadata
        Returns:
        the selected algorithm URI and the associated encryption method from metadata, if any.
      • resolveDataEncryptionAlgorithm

        @Nonnull
        protected net.shibboleth.utilities.java.support.collection.Pair<String,org.opensaml.saml.saml2.metadata.EncryptionMethod> resolveDataEncryptionAlgorithm(@Nonnull
                                                                                                                                                                       net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria,
                                                                                                                                                                       @Nonnull
                                                                                                                                                                       Predicate<String> whitelistBlacklistPredicate,
                                                                                                                                                                       @Nullable
                                                                                                                                                                       SAMLMDCredentialContext metadataCredContext)
        Determine the data encryption algorithm URI to use, also returning the associated EncryptionMethod from metadata if relevant.

        Any algorithms specified in metadata via the passed SAMLMDCredentialContext are considered first, followed by locally configured algorithms.

        Parameters:
        criteria - the criteria instance being evaluated
        whitelistBlacklistPredicate - the whitelist/blacklist predicate with which to evaluate the candidate data encryption and key transport algorithm URIs
        metadataCredContext - the credential context extracted from metadata
        Returns:
        the selected algorithm URI and the associated encryption method from metadata, if any
      • evaluateEncryptionMethodChildren

        protected boolean evaluateEncryptionMethodChildren(@Nonnull
                                                           org.opensaml.saml.saml2.metadata.EncryptionMethod encryptionMethod,
                                                           @Nonnull
                                                           net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria,
                                                           @Nonnull
                                                           Predicate<String> whitelistBlacklistPredicate)
        Evaluate the child elements of an EncryptionMethod for acceptability based on, for example, whitelist/blacklist policy and algorithm runtime support.
        Parameters:
        encryptionMethod - the EncryptionMethod being evaluated
        criteria - the criteria instance being evaluated
        whitelistBlacklistPredicate - the whitelist/blacklist predicate with which to evaluate the candidate data encryption and key transport algorithm URIs
        Returns:
        true if the EncryptionMethod children are acceptable
      • evaluateRSAOAEPChildren

        protected boolean evaluateRSAOAEPChildren(@Nonnull
                                                  org.opensaml.saml.saml2.metadata.EncryptionMethod encryptionMethod,
                                                  @Nonnull
                                                  net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria,
                                                  @Nonnull
                                                  Predicate<String> whitelistBlacklistPredicate)
        Evaluate the child elements of an RSA OAEP EncryptionMethod for acceptability based on, for example, whitelist/blacklist policy and algorithm runtime support.
        Parameters:
        encryptionMethod - the EncryptionMethod being evaluated
        criteria - the criteria instance being evaluated
        whitelistBlacklistPredicate - the whitelist/blacklist predicate with which to evaluate the candidate data encryption and key transport algorithm URIs
        Returns:
        true if the EncryptionMethod children are acceptable
      • credentialSupportsEncryptionMethod

        protected boolean credentialSupportsEncryptionMethod(@Nonnull
                                                             org.opensaml.security.credential.Credential credential,
                                                             @Nonnull @NotEmpty
                                                             org.opensaml.saml.saml2.metadata.EncryptionMethod encryptionMethod)
        Evaluate whether the specified credential is supported for use with the specified EncryptionMethod.
        Parameters:
        credential - the credential to evaluate
        encryptionMethod - the encryption method to evaluate
        Returns:
        true if credential may be used with the supplied encryption method, false otherwise