org.opensaml.xmlsec.impl

Class BasicEncryptionParametersResolver

java.lang.Object

org.opensaml.xmlsec.impl.AbstractSecurityParametersResolver<EncryptionParameters>

org.opensaml.xmlsec.impl.BasicEncryptionParametersResolver

All Implemented Interfaces:

net.shibboleth.utilities.java.support.resolver.Resolver<EncryptionParameters,net.shibboleth.utilities.java.support.resolver.CriteriaSet>, EncryptionParametersResolver

public class BasicEncryptionParametersResolver
extends AbstractSecurityParametersResolver<EncryptionParameters>
implements EncryptionParametersResolver

Basic implementation of EncryptionParametersResolver.

The following Criterion inputs are supported:

• EncryptionConfigurationCriterion - required
• KeyInfoGenerationProfileCriterion - optional

Field Summary

Fields

Modifier and Type	Field and Description
private AlgorithmRegistry	algorithmRegistry The AlgorithmRegistry used when processing algorithm URIs.
private boolean	autoGenerateDataEncryptionCredential Flag indicating whether the resolver should auto-generate data encryption credentials.
private Logger	log Logger.

Constructor Summary

Constructors

Constructor and Description
BasicEncryptionParametersResolver() Constructor.

Method Summary

Methods

Modifier and Type	Method and Description
protected boolean	credentialSupportsAlgorithm(org.opensaml.security.credential.Credential credential, String algorithm) Evaluate whether the specified credential is supported for use with the specified algorithm URI.
protected org.opensaml.security.credential.Credential	generateDataEncryptionCredential(String dataEncryptionAlgorithm) Generate a random data encryption symmetric key credential.
AlgorithmRegistry	getAlgorithmRegistry() Get the AlgorithmRegistry instance used when resolving algorithm URIs.
protected com.google.common.base.Predicate<String>	getAlgorithmRuntimeSupportedPredicate() Get a predicate which evaluates whether a cryptographic algorithm is supported by the runtime environment.
protected List<String>	getEffectiveDataEncryptionAlgorithms(net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria, com.google.common.base.Predicate<String> whitelistBlacklistPredicate) Get the effective list of data encryption algorithm URIs to consider, including application of whitelist/blacklist policy.
protected List<org.opensaml.security.credential.Credential>	getEffectiveDataEncryptionCredentials(net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria) Get the effective list of data encryption credentials to consider.
protected List<String>	getEffectiveKeyTransportAlgorithms(net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria, com.google.common.base.Predicate<String> whitelistBlacklistPredicate) Get the effective list of key transport algorithm URIs to consider, including application of whitelist/blacklist policy.
protected List<org.opensaml.security.credential.Credential>	getEffectiveKeyTransportCredentials(net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria) Get the effective list of key transport credentials to consider.
protected com.google.common.base.Predicate<String>	getWhitelistBlacklistPredicate(net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria) Get a predicate which implements the effective configured whitelist/blacklist policy.
boolean	isAutoGenerateDataEncryptionCredential() Get whether an this resolver should auto-generate data encryption credentials.
protected boolean	isDataEncryptionAlgorithm(String algorithm) Evaluate whether the specified algorithm is a data encryption algorithm.
protected boolean	isKeyTransportAlgorithm(String algorithm) Evaluate whether the specified algorithm is a key transport algorithm.
protected void	logResult(EncryptionParameters params) Log the resolved parameters.
protected void	populateRSAOAEPParams(RSAOAEPParameters rsaParams, net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria, com.google.common.base.Predicate<String> whitelistBlacklistPredicate) Populate an instance of RSAOAEPParameters based on data from the supplied instances of EncryptionConfiguration.
protected void	processDataEncryptionCredentialAutoGeneration(EncryptionParameters params) Auto-generate and populate a data encryption credential, if configured and required conditions are met.
Iterable<EncryptionParameters>	resolve(net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria)
protected void	resolveAndPopulateCredentialsAndAlgorithms(EncryptionParameters params, net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria, com.google.common.base.Predicate<String> whitelistBlacklistPredicate) Resolve and populate the data encryption and key transport credentials and algorithm URIs.
protected void	resolveAndPopulateRSAOAEPParams(EncryptionParameters params, net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria, com.google.common.base.Predicate<String> whitelistBlacklistPredicate) Resolve and populate an instance of RSAOAEPParameters, if appropriate for the selected key transport encryption algorithm.
protected String	resolveDataEncryptionAlgorithm(org.opensaml.security.credential.Credential dataEncryptionCredential, net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria, com.google.common.base.Predicate<String> whitelistBlacklistPredicate) Determine the data encryption algorithm URI to use with the specified data encryption credential.
protected String	resolveDataEncryptionAlgorithm(org.opensaml.security.credential.Credential dataEncryptionCredential, List<String> dataEncryptionAlgorithms) Determine the data encryption algorithm URI, considering the optionally specified data encryption credential.
protected KeyInfoGenerator	resolveDataKeyInfoGenerator(net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria, org.opensaml.security.credential.Credential dataEncryptionCredential) Resolve and return the KeyInfoGenerator instance to use with the specified data encryption credential.
protected String	resolveKeyTransportAlgorithm(org.opensaml.security.credential.Credential keyTransportCredential, net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria, com.google.common.base.Predicate<String> whitelistBlacklistPredicate, String dataEncryptionAlgorithm) Determine the key transport algorithm URI to use with the specified credential.
protected String	resolveKeyTransportAlgorithm(org.opensaml.security.credential.Credential keyTransportCredential, List<String> keyTransportAlgorithms, String dataEncryptionAlgorithm, KeyTransportAlgorithmPredicate keyTransportPredicate) Determine the key transport encryption algorithm URI to use with the specified key transport credential and optional data encryption algorithm URI.
protected KeyTransportAlgorithmPredicate	resolveKeyTransportAlgorithmPredicate(net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria) Resolve the optional effectively configured instance of KeyTransportAlgorithmPredicate to use.
protected KeyInfoGenerator	resolveKeyTransportKeyInfoGenerator(net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria, org.opensaml.security.credential.Credential keyTransportEncryptionCredential) Resolve and return the KeyInfoGenerator instance to use with the specified key transport credential.
EncryptionParameters	resolveSingle(net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria)
void	setAlgorithmRegistry(AlgorithmRegistry registry) Set the AlgorithmRegistry instance used when resolving algorithm URIs.
void	setAutoGenerateDataEncryptionCredential(boolean flag) Set whether an this resolver should auto-generate data encryption credentials.
protected boolean	validate(EncryptionParameters params) Validate that the EncryptionParameters instance has all the required properties populated.

Methods inherited from class org.opensaml.xmlsec.impl.AbstractSecurityParametersResolver

lookupKeyInfoGenerator, resolveAndPopulateWhiteAndBlacklists, resolveEffectiveBlacklist, resolveEffectiveWhitelist, resolveWhitelistBlacklistPrecedence, resolveWhitelistBlacklistPredicate

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

log

private Logger log

Logger.

algorithmRegistry

private AlgorithmRegistry algorithmRegistry

The AlgorithmRegistry used when processing algorithm URIs.

autoGenerateDataEncryptionCredential

private boolean autoGenerateDataEncryptionCredential

Flag indicating whether the resolver should auto-generate data encryption credentials.

Constructor Detail

BasicEncryptionParametersResolver

public BasicEncryptionParametersResolver()

Constructor.

Method Detail

getAlgorithmRegistry

public AlgorithmRegistry getAlgorithmRegistry()

Get the AlgorithmRegistry instance used when resolving algorithm URIs. Defaults to the registry resolved via AlgorithmSupport.getGlobalAlgorithmRegistry().

Returns:

the algorithm registry instance

setAlgorithmRegistry

public void setAlgorithmRegistry(@Nonnull
                        AlgorithmRegistry registry)

Set the AlgorithmRegistry instance used when resolving algorithm URIs. Defaults to the registry resolved via AlgorithmSupport.getGlobalAlgorithmRegistry().

Parameters:

registry - the new algorithm registry instance

isAutoGenerateDataEncryptionCredential

public boolean isAutoGenerateDataEncryptionCredential()

Get whether an this resolver should auto-generate data encryption credentials.

Returns:

true if should auto-generate, false otherwise

setAutoGenerateDataEncryptionCredential

public void setAutoGenerateDataEncryptionCredential(boolean flag)

Set whether an this resolver should auto-generate data encryption credentials.

Parameters:

flag - true if should auto-generate, false otherwise

resolve

@Nonnull
public Iterable<EncryptionParameters> resolve(@Nonnull
                                             net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria)
                                       throws net.shibboleth.utilities.java.support.resolver.ResolverException

Specified by:

resolve in interface net.shibboleth.utilities.java.support.resolver.Resolver<EncryptionParameters,net.shibboleth.utilities.java.support.resolver.CriteriaSet>

Throws:

net.shibboleth.utilities.java.support.resolver.ResolverException

resolveSingle

@Nullable
public EncryptionParameters resolveSingle(@Nonnull
                                          net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria)
                                   throws net.shibboleth.utilities.java.support.resolver.ResolverException

Specified by:

resolveSingle in interface net.shibboleth.utilities.java.support.resolver.Resolver<EncryptionParameters,net.shibboleth.utilities.java.support.resolver.CriteriaSet>

Throws:

net.shibboleth.utilities.java.support.resolver.ResolverException

logResult

protected void logResult(@Nonnull
             EncryptionParameters params)

Log the resolved parameters.

Parameters:

params - the resolved param

validate

protected boolean validate(@Nonnull
               EncryptionParameters params)

Validate that the EncryptionParameters instance has all the required properties populated.

Parameters:

params - the parameters instance to evaluate

Returns:

true if parameters instance passes validation, false otherwise

getWhitelistBlacklistPredicate

@Nonnull
protected com.google.common.base.Predicate<String> getWhitelistBlacklistPredicate(@Nonnull
                                                                              net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria)

Get a predicate which implements the effective configured whitelist/blacklist policy.

Parameters:

criteria - the input criteria being evaluated

Returns:

a whitelist/blacklist predicate instance

resolveAndPopulateCredentialsAndAlgorithms

protected void resolveAndPopulateCredentialsAndAlgorithms(@Nonnull
                                              EncryptionParameters params,
                                              @Nonnull
                                              net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria,
                                              @Nonnull
                                              com.google.common.base.Predicate<String> whitelistBlacklistPredicate)

Resolve and populate the data encryption and key transport credentials and algorithm URIs.

Parameters:

params - the params instance being populated

criteria - the input criteria being evaluated

whitelistBlacklistPredicate - the whitelist/blacklist predicate with which to evaluate the candidate data encryption and key transport algorithm URIs

resolveAndPopulateRSAOAEPParams

protected void resolveAndPopulateRSAOAEPParams(@Nonnull
                                   EncryptionParameters params,
                                   @Nonnull
                                   net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria,
                                   @Nonnull
                                   com.google.common.base.Predicate<String> whitelistBlacklistPredicate)

Resolve and populate an instance of RSAOAEPParameters, if appropriate for the selected key transport encryption algorithm.

Parameters:

params - the params instance being populated

criteria - the input criteria being evaluated

whitelistBlacklistPredicate - the whitelist/blacklist predicate with which to evaluate the candidate data encryption and key transport algorithm URIs

populateRSAOAEPParams

protected void populateRSAOAEPParams(@Nonnull
                         RSAOAEPParameters rsaParams,
                         @Nonnull
                         net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria,
                         @Nonnull
                         com.google.common.base.Predicate<String> whitelistBlacklistPredicate)

Populate an instance of RSAOAEPParameters based on data from the supplied instances of EncryptionConfiguration.

Parameters:

rsaParams - the existing RSAOAEPParameters instance being populated

criteria - the input criteria being evaluated

whitelistBlacklistPredicate - the whitelist/blacklist predicate with which to evaluate the candidate data encryption and key transport algorithm URIs

resolveKeyTransportAlgorithmPredicate

@Nullable
protected KeyTransportAlgorithmPredicate resolveKeyTransportAlgorithmPredicate(@Nonnull
                                                                            net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria)

Resolve the optional effectively configured instance of KeyTransportAlgorithmPredicate to use.

Parameters:

criteria - the input criteria being evaluated

Returns:

the resolved predicate instance, may be null

resolveKeyTransportAlgorithm

@Nullable
protected String resolveKeyTransportAlgorithm(@Nonnull
                                           org.opensaml.security.credential.Credential keyTransportCredential,
                                           @Nonnull
                                           List<String> keyTransportAlgorithms,
                                           @Nullable
                                           String dataEncryptionAlgorithm,
                                           @Nullable
                                           KeyTransportAlgorithmPredicate keyTransportPredicate)

Determine the key transport encryption algorithm URI to use with the specified key transport credential and optional data encryption algorithm URI.

Parameters:

keyTransportCredential - the key transport credential being evaluated

keyTransportAlgorithms - the list of effective key transport algorithms to evaluate

dataEncryptionAlgorithm - the optional data encryption algorithm URI to consider

keyTransportPredicate - the optional key transport algorithm predicate to evaluate

Returns:

the resolved algorithm URI, may be null

resolveKeyTransportAlgorithm

@Nullable
protected String resolveKeyTransportAlgorithm(@Nonnull
                                           org.opensaml.security.credential.Credential keyTransportCredential,
                                           @Nonnull
                                           net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria,
                                           @Nonnull
                                           com.google.common.base.Predicate<String> whitelistBlacklistPredicate,
                                           @Nullable
                                           String dataEncryptionAlgorithm)

Determine the key transport algorithm URI to use with the specified credential.

Parameters:

keyTransportCredential - the key transport credential to evaluate

criteria - the criteria instance being evaluated

whitelistBlacklistPredicate - the whitelist/blacklist predicate with which to evaluate the candidate data encryption and key transport algorithm URIs

dataEncryptionAlgorithm - the optional data encryption algorithm URI to consider

Returns:

the selected algorithm URI, may be null

resolveDataEncryptionAlgorithm

@Nullable
protected String resolveDataEncryptionAlgorithm(@Nullable
                                             org.opensaml.security.credential.Credential dataEncryptionCredential,
                                             @Nonnull
                                             List<String> dataEncryptionAlgorithms)

Determine the data encryption algorithm URI, considering the optionally specified data encryption credential.

Parameters:

dataEncryptionCredential - the data encryption credential being evaluated, may be null

dataEncryptionAlgorithms - the list of effective data encryption algorithms to evaluate

Returns:

the resolved algorithm URI, may be null

resolveDataEncryptionAlgorithm

@Nullable
protected String resolveDataEncryptionAlgorithm(@Nonnull
                                             org.opensaml.security.credential.Credential dataEncryptionCredential,
                                             @Nonnull
                                             net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria,
                                             @Nonnull
                                             com.google.common.base.Predicate<String> whitelistBlacklistPredicate)

Determine the data encryption algorithm URI to use with the specified data encryption credential.

Parameters:

dataEncryptionCredential - the data encryption credential to evaluate

criteria - the criteria instance being evaluated

whitelistBlacklistPredicate - the whitelist/blacklist predicate with which to evaluate the candidate data encryption and key transport algorithm URIs

Returns:

the selected algorithm URI

getEffectiveDataEncryptionCredentials

@Nonnull
protected List<org.opensaml.security.credential.Credential> getEffectiveDataEncryptionCredentials(@Nonnull
                                                                                              net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria)

Get the effective list of data encryption credentials to consider.

Parameters:

criteria - the input criteria being evaluated

Returns:

the list of credentials

getEffectiveDataEncryptionAlgorithms

@Nonnull
protected List<String> getEffectiveDataEncryptionAlgorithms(@Nonnull
                                                        net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria,
                                                        @Nonnull
                                                        com.google.common.base.Predicate<String> whitelistBlacklistPredicate)

Get the effective list of data encryption algorithm URIs to consider, including application of whitelist/blacklist policy.

Parameters:

criteria - the input criteria being evaluated

whitelistBlacklistPredicate - the whitelist/blacklist predicate to use

Returns:

the list of effective algorithm URIs

getEffectiveKeyTransportCredentials

@Nonnull
protected List<org.opensaml.security.credential.Credential> getEffectiveKeyTransportCredentials(@Nonnull
                                                                                            net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria)

Get the effective list of key transport credentials to consider.

Parameters:

criteria - the input criteria being evaluated

Returns:

the list of credentials

getEffectiveKeyTransportAlgorithms

@Nonnull
protected List<String> getEffectiveKeyTransportAlgorithms(@Nonnull
                                                      net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria,
                                                      @Nonnull
                                                      com.google.common.base.Predicate<String> whitelistBlacklistPredicate)

Get the effective list of key transport algorithm URIs to consider, including application of whitelist/blacklist policy.

Parameters:

criteria - the input criteria being evaluated

whitelistBlacklistPredicate - the whitelist/blacklist predicate to use

Returns:

the list of effective algorithm URIs

resolveDataKeyInfoGenerator

@Nullable
protected KeyInfoGenerator resolveDataKeyInfoGenerator(@Nullable
                                                    net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria,
                                                    @Nullable
                                                    org.opensaml.security.credential.Credential dataEncryptionCredential)

Resolve and return the KeyInfoGenerator instance to use with the specified data encryption credential.

Parameters:

criteria - the input criteria being evaluated

dataEncryptionCredential - the credential being evaluated

Returns:

KeyInfo generator instance, or null

resolveKeyTransportKeyInfoGenerator

@Nullable
protected KeyInfoGenerator resolveKeyTransportKeyInfoGenerator(@Nonnull
                                                            net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria,
                                                            @Nullable
                                                            org.opensaml.security.credential.Credential keyTransportEncryptionCredential)

Resolve and return the KeyInfoGenerator instance to use with the specified key transport credential.

Parameters:

criteria - the input criteria being evaluated

keyTransportEncryptionCredential - the credential being evaluated

Returns:

KeyInfo generator instance, or null

getAlgorithmRuntimeSupportedPredicate

@Nonnull
protected com.google.common.base.Predicate<String> getAlgorithmRuntimeSupportedPredicate()

Get a predicate which evaluates whether a cryptographic algorithm is supported by the runtime environment.

Returns:

the predicate

credentialSupportsAlgorithm

protected boolean credentialSupportsAlgorithm(@Nonnull
                                  org.opensaml.security.credential.Credential credential,
                                  @Nonnull@NotEmpty
                                  String algorithm)

Evaluate whether the specified credential is supported for use with the specified algorithm URI.

Parameters:

credential - the credential to evaluate

algorithm - the algorithm URI to evaluate

Returns:

true if credential may be used with the supplied algorithm URI, false otherwise

isKeyTransportAlgorithm

protected boolean isKeyTransportAlgorithm(@Nonnull
                              String algorithm)

Evaluate whether the specified algorithm is a key transport algorithm.

Parameters:

algorithm - the algorithm URI to evaluate

Returns:

true if is a key transport algorithm URI, false otherwise

isDataEncryptionAlgorithm

protected boolean isDataEncryptionAlgorithm(String algorithm)

Evaluate whether the specified algorithm is a data encryption algorithm.

Parameters:

algorithm - the algorithm URI to evaluate

Returns:

true if is a key transport algorithm URI, false otherwise

generateDataEncryptionCredential

@Nullable
protected org.opensaml.security.credential.Credential generateDataEncryptionCredential(@Nonnull
                                                                                    String dataEncryptionAlgorithm)

Generate a random data encryption symmetric key credential.

Parameters:

dataEncryptionAlgorithm - the data encryption algorithm URI

Returns:

the generated credential, or null if there was a problem generating a key from the algorithm URI

processDataEncryptionCredentialAutoGeneration

protected void processDataEncryptionCredentialAutoGeneration(@Nonnull
                                                 EncryptionParameters params)

Auto-generate and populate a data encryption credential, if configured and required conditions are met.

Parameters:

params - the encryption parameters instance to process