Package org.opensaml.xmlsec.impl

Class BasicEncryptionParametersResolver

    • Field Detail

      • log

        @Nonnull
private org.slf4j.Logger log
        Logger.

      • algorithmRegistry

        @Nonnull
private AlgorithmRegistry algorithmRegistry
        The AlgorithmRegistry used when processing algorithm URIs.

      • autoGenerateDataEncryptionCredential

        private boolean autoGenerateDataEncryptionCredential
        Flag indicating whether the resolver should auto-generate data encryption credentials.

    • Constructor Detail

      • BasicEncryptionParametersResolver

        public BasicEncryptionParametersResolver()
        Constructor.

    • Method Detail

      • isAutoGenerateDataEncryptionCredential

        public boolean isAutoGenerateDataEncryptionCredential()
        Get whether an this resolver should auto-generate data encryption credentials.
        Returns:
        true if should auto-generate, false otherwise

      • setAutoGenerateDataEncryptionCredential

        public void setAutoGenerateDataEncryptionCredential​(boolean flag)
        Set whether an this resolver should auto-generate data encryption credentials.
        Parameters:
        flag - true if should auto-generate, false otherwise

      • logResult

        protected void logResult​(@Nonnull
                         EncryptionParameters params)
        Log the resolved parameters.
        Parameters:
        params - the resolved param

      • validate

        protected boolean validate​(@Nonnull
                           EncryptionParameters params,
                           boolean encryptionOptional)
        Validate that the EncryptionParameters instance has all the required properties populated.
        Parameters:
        params - the parameters instance to evaluate
        encryptionOptional - whether to consider invalid parameters to be a problem
        Returns:
        true if parameters instance passes validation, false otherwise
        Since:
        3.3.0

      • getIncludeExcludePredicate

        @Nonnull
protected Predicate<String> getIncludeExcludePredicate​(@Nonnull
                                                       CriteriaSet criteria)
        Get a predicate which implements the effective configured include/exclude policy.
        Parameters:
        criteria - the input criteria being evaluated
        Returns:
        a include/exclude predicate instance

      • getWhitelistBlacklistPredicate

        @Deprecated(since="4.1.0",
            forRemoval=true)
@Nonnull
protected Predicate<String> getWhitelistBlacklistPredicate​(@Nonnull
                                                           CriteriaSet criteria)
        Deprecated, for removal: This API element is subject to removal in a future version.
        Get a predicate which implements the effective configured include/exclude policy.
        Parameters:
        criteria - the input criteria being evaluated
        Returns:
        a include/exclude predicate instance

      • resolveAndPopulateCredentialsAndAlgorithms

        protected void resolveAndPopulateCredentialsAndAlgorithms​(@Nonnull
                                                          EncryptionParameters params,
                                                          @Nonnull
                                                          CriteriaSet criteria,
                                                          @Nonnull
                                                          Predicate<String> includeExcludePredicate)
        Resolve and populate the data encryption and key transport credentials and algorithm URIs.
        Parameters:
        params - the params instance being populated
        criteria - the input criteria being evaluated
        includeExcludePredicate - the include/exclude predicate with which to evaluate the candidate data encryption and key transport algorithm URIs

      • checkAndProcessKeyAgreement

        protected boolean checkAndProcessKeyAgreement​(@Nonnull
                                              EncryptionParameters params,
                                              @Nonnull
                                              CriteriaSet criteria,
                                              @Nonnull
                                              Credential credential,
                                              @Nonnull
                                              List<String> dataEncryptionAlgorithms,
                                              @Nonnull
                                              List<String> keyTransportAlgorithms)
        Check for a credential type that implies a key agreement operation, and process if so indicated.

        For both algorithm list arguments, they are assumed to already have had runtime support and include/exclude filtering applied.

        If symmetric key wrap should NOT be considered, pass an empty list for keyTransportAlgorithms. Otherwise, if the keyTransportAlgorithms list contains a symmetric key wrap algorithm, then key wrapping will be indicated in the produced parameters. If it does not then direct data encryption will be indicated.

        Parameters:
        params - the params instance being populated
        criteria - the input criteria being evaluated
        credential - the credential being evaluated
        dataEncryptionAlgorithms - the effective data encryption credentials
        keyTransportAlgorithms - the effective key transport credentials
        Returns:
        true if all required parameters were supplied, key agreement was successfully performed, and the EncryptionParameters instance's credential and algorithms properties are fully populated, otherwise false

      • getEffectiveKeyAgreementConfiguration

        @Nullable
protected KeyAgreementEncryptionConfiguration getEffectiveKeyAgreementConfiguration​(@Nonnull
                                                                                    CriteriaSet criteria,
                                                                                    @Nonnull
                                                                                    Credential credential)
        Get the effective KeyAgreementEncryptionConfiguration to use with the specified credential.
        Parameters:
        criteria - the criteria
        credential - the credential to evaluate
        Returns:
        the key agreement configuration for the credential, or null if could not be resolved

      • resolveAndPopulateRSAOAEPParams

        protected void resolveAndPopulateRSAOAEPParams​(@Nonnull
                                               EncryptionParameters params,
                                               @Nonnull
                                               CriteriaSet criteria,
                                               @Nonnull
                                               Predicate<String> includeExcludePredicate)
        Resolve and populate an instance of RSAOAEPParameters, if appropriate for the selected key transport encryption algorithm.
        Parameters:
        params - the params instance being populated
        criteria - the input criteria being evaluated
        includeExcludePredicate - the include/exclude predicate with which to evaluate the candidate data encryption and key transport algorithm URIs

      • populateRSAOAEPParams

        protected void populateRSAOAEPParams​(@Nonnull
                                     RSAOAEPParameters rsaParams,
                                     @Nonnull
                                     CriteriaSet criteria,
                                     @Nonnull
                                     Predicate<String> includeExcludePredicate)
        Populate an instance of RSAOAEPParameters based on data from the supplied instances of EncryptionConfiguration.
        Parameters:
        rsaParams - the existing RSAOAEPParameters instance being populated
        criteria - the input criteria being evaluated
        includeExcludePredicate - the include/exclude predicate with which to evaluate the candidate data encryption and key transport algorithm URIs

      • resolveKeyTransportAlgorithmPredicate

        @Nullable
protected KeyTransportAlgorithmPredicate resolveKeyTransportAlgorithmPredicate​(@Nonnull
                                                                               CriteriaSet criteria)
        Resolve the optional effectively configured instance of KeyTransportAlgorithmPredicate to use.
        Parameters:
        criteria - the input criteria being evaluated
        Returns:
        the resolved predicate instance, may be null

      • resolveKeyTransportAlgorithm

        @Nullable
protected String resolveKeyTransportAlgorithm​(@Nonnull
                                              Credential keyTransportCredential,
                                              @Nonnull
                                              List<String> keyTransportAlgorithms,
                                              @Nullable
                                              String dataEncryptionAlgorithm,
                                              @Nullable
                                              KeyTransportAlgorithmPredicate keyTransportPredicate)
        Determine the key transport encryption algorithm URI to use with the specified key transport credential and optional data encryption algorithm URI.
        Parameters:
        keyTransportCredential - the key transport credential being evaluated
        keyTransportAlgorithms - the list of effective key transport algorithms to evaluate
        dataEncryptionAlgorithm - the optional data encryption algorithm URI to consider
        keyTransportPredicate - the optional key transport algorithm predicate to evaluate
        Returns:
        the resolved algorithm URI, may be null

      • resolveKeyTransportAlgorithm

        @Nullable
protected String resolveKeyTransportAlgorithm​(@Nonnull
                                              Credential keyTransportCredential,
                                              @Nonnull
                                              CriteriaSet criteria,
                                              @Nonnull
                                              Predicate<String> includeExcludePredicate,
                                              @Nullable
                                              String dataEncryptionAlgorithm)
        Determine the key transport algorithm URI to use with the specified credential.
        Parameters:
        keyTransportCredential - the key transport credential to evaluate
        criteria - the criteria instance being evaluated
        includeExcludePredicate - the include/exclude predicate with which to evaluate the candidate data encryption and key transport algorithm URIs
        dataEncryptionAlgorithm - the optional data encryption algorithm URI to consider
        Returns:
        the selected algorithm URI, may be null

      • resolveDataEncryptionAlgorithm

        @Nullable
protected String resolveDataEncryptionAlgorithm​(@Nullable
                                                Credential dataEncryptionCredential,
                                                @Nonnull
                                                List<String> dataEncryptionAlgorithms)
        Determine the data encryption algorithm URI, considering the optionally specified data encryption credential.
        Parameters:
        dataEncryptionCredential - the data encryption credential being evaluated, may be null
        dataEncryptionAlgorithms - the list of effective data encryption algorithms to evaluate
        Returns:
        the resolved algorithm URI, may be null

      • resolveDataEncryptionAlgorithm

        @Nullable
protected String resolveDataEncryptionAlgorithm​(@Nonnull
                                                Credential dataEncryptionCredential,
                                                @Nonnull
                                                CriteriaSet criteria,
                                                @Nonnull
                                                Predicate<String> includeExcludePredicate)
        Determine the data encryption algorithm URI to use with the specified data encryption credential.
        Parameters:
        dataEncryptionCredential - the data encryption credential to evaluate
        criteria - the criteria instance being evaluated
        includeExcludePredicate - the include/exclude predicate with which to evaluate the candidate data encryption and key transport algorithm URIs
        Returns:
        the selected algorithm URI

      • getEffectiveDataEncryptionCredentials

        @Nonnull
protected List<Credential> getEffectiveDataEncryptionCredentials​(@Nonnull
                                                                 CriteriaSet criteria)
        Get the effective list of data encryption credentials to consider.
        Parameters:
        criteria - the input criteria being evaluated
        Returns:
        the list of credentials

      • getEffectiveDataEncryptionAlgorithms

        @Nonnull
protected List<String> getEffectiveDataEncryptionAlgorithms​(@Nonnull
                                                            CriteriaSet criteria,
                                                            @Nonnull
                                                            Predicate<String> includeExcludePredicate)
        Get the effective list of data encryption algorithm URIs to consider, including application of include/exclude policy.
        Parameters:
        criteria - the input criteria being evaluated
        includeExcludePredicate - the include/exclude predicate to use
        Returns:
        the list of effective algorithm URIs

      • getEffectiveKeyTransportCredentials

        @Nonnull
protected List<Credential> getEffectiveKeyTransportCredentials​(@Nonnull
                                                               CriteriaSet criteria)
        Get the effective list of key transport credentials to consider.
        Parameters:
        criteria - the input criteria being evaluated
        Returns:
        the list of credentials

      • getEffectiveKeyTransportAlgorithms

        @Nonnull
protected List<String> getEffectiveKeyTransportAlgorithms​(@Nonnull
                                                          CriteriaSet criteria,
                                                          @Nonnull
                                                          Predicate<String> includeExcludePredicate)
        Get the effective list of key transport algorithm URIs to consider, including application of include/exclude policy.
        Parameters:
        criteria - the input criteria being evaluated
        includeExcludePredicate - the include/exclude predicate to use
        Returns:
        the list of effective algorithm URIs

      • resolveDataKeyInfoGenerator

        @Nullable
protected KeyInfoGenerator resolveDataKeyInfoGenerator​(@Nullable
                                                       CriteriaSet criteria,
                                                       @Nullable
                                                       Credential dataEncryptionCredential)
        Resolve and return the KeyInfoGenerator instance to use with the specified data encryption credential.
        Parameters:
        criteria - the input criteria being evaluated
        dataEncryptionCredential - the credential being evaluated
        Returns:
        KeyInfo generator instance, or null

      • resolveKeyTransportKeyInfoGenerator

        @Nullable
protected KeyInfoGenerator resolveKeyTransportKeyInfoGenerator​(@Nonnull
                                                               CriteriaSet criteria,
                                                               @Nullable
                                                               Credential keyTransportEncryptionCredential)
        Resolve and return the KeyInfoGenerator instance to use with the specified key transport credential.
        Parameters:
        criteria - the input criteria being evaluated
        keyTransportEncryptionCredential - the credential being evaluated
        Returns:
        KeyInfo generator instance, or null

      • getAlgorithmRuntimeSupportedPredicate

        @Nonnull
protected Predicate<String> getAlgorithmRuntimeSupportedPredicate()
        Get a predicate which evaluates whether a cryptographic algorithm is supported by the runtime environment.
        Returns:
        the predicate

      • credentialSupportsAlgorithm

        protected boolean credentialSupportsAlgorithm​(@Nonnull
                                              Credential credential,
                                              @Nonnull @NotEmpty
                                              String algorithm)
        Evaluate whether the specified credential is supported for use with the specified algorithm URI.
        Parameters:
        credential - the credential to evaluate
        algorithm - the algorithm URI to evaluate
        Returns:
        true if credential may be used with the supplied algorithm URI, false otherwise

      • isKeyTransportAlgorithm

        protected boolean isKeyTransportAlgorithm​(@Nonnull
                                          String algorithm)
        Evaluate whether the specified algorithm is a key transport algorithm.
        Parameters:
        algorithm - the algorithm URI to evaluate
        Returns:
        true if is a key transport algorithm URI, false otherwise

      • isDataEncryptionAlgorithm

        protected boolean isDataEncryptionAlgorithm​(String algorithm)
        Evaluate whether the specified algorithm is a data encryption algorithm.
        Parameters:
        algorithm - the algorithm URI to evaluate
        Returns:
        true if is a key transport algorithm URI, false otherwise

      • generateDataEncryptionCredential

        @Nullable
protected Credential generateDataEncryptionCredential​(@Nonnull
                                                      String dataEncryptionAlgorithm)
        Generate a random data encryption symmetric key credential.
        Parameters:
        dataEncryptionAlgorithm - the data encryption algorithm URI
        Returns:
        the generated credential, or null if there was a problem generating a key from the algorithm URI

      • processDataEncryptionCredentialAutoGeneration

        protected void processDataEncryptionCredentialAutoGeneration​(@Nonnull
                                                             EncryptionParameters params)
        Auto-generate and populate a data encryption credential, if configured and required conditions are met.
        Parameters:
        params - the encryption parameters instance to process