SAMLMetadataEncryptionParametersResolver (Red Hat JBoss Enterprise Application Platform 7.0.0.GA public API)

java.lang.Object
- org.opensaml.xmlsec.impl.AbstractSecurityParametersResolver<EncryptionParameters>
- - org.opensaml.xmlsec.impl.BasicEncryptionParametersResolver
  - - org.opensaml.saml.security.impl.SAMLMetadataEncryptionParametersResolver

All Implemented Interfaces:

Resolver<EncryptionParameters,CriteriaSet>, EncryptionParametersResolver
```
public class SAMLMetadataEncryptionParametersResolver
extends BasicEncryptionParametersResolver
```
A specialization of BasicEncryptionParametersResolver which resolves credentials and algorithm preferences against SAML metadata via a MetadataCredentialResolver.
In addition to the Criterion inputs documented in BasicEncryptionParametersResolver, the inputs and associated modes of operation documented for MetadataCredentialResolver are also supported and required.

The CriteriaSet instance passed to the configured metadata credential resolver will be a copy of the input criteria set, with the addition of a UsageCriterion containing the value UsageType.ENCRYPTION, which will replace any existing usage criterion instance.

Constructor Summary

Constructors
Constructor and Description

SAMLMetadataEncryptionParametersResolver(MetadataCredentialResolver resolver)
Constructor.

Constructors
Constructor and Description
`SAMLMetadataEncryptionParametersResolver(MetadataCredentialResolver resolver)` Constructor.

Method Summary

All Methods Instance Methods Concrete Methods
Modifier and Type	Method and Description
`protected boolean`	`credentialSupportsEncryptionMethod(Credential credential, EncryptionMethod encryptionMethod)` Evaluate whether the specified credential is supported for use with the specified `EncryptionMethod`.
`protected boolean`	`evaluateEncryptionMethodChildren(EncryptionMethod encryptionMethod, CriteriaSet criteria, com.google.common.base.Predicate<String> whitelistBlacklistPredicate)` Evaluate the child elements of an EncryptionMethod for acceptability based on for example whitelist/blacklist policy and algorithm runtime support.
`protected boolean`	`evaluateRSAOAEPChildren(EncryptionMethod encryptionMethod, CriteriaSet criteria, com.google.common.base.Predicate<String> whitelistBlacklistPredicate)` Evaluate the child elements of an RSA OAEP EncryptionMethod for acceptability based on for example whitelist/blacklist policy and algorithm runtime support.
`protected MetadataCredentialResolver`	`getMetadataCredentialResolver()` Get the metadata credential resolver instance to use to resolve encryption credentials.
`boolean`	`isMergeMetadataRSAOAEPParametersWithConfig()` Determine whether the resolver should attempt to merge RSAOAEPParameters values resolved from metadata with additional parameters from supplied instances of `EncryptionConfiguration`.
`protected void`	`populateRSAOAEPParamsFromEncryptionMethod(RSAOAEPParameters params, EncryptionMethod encryptionMethod, com.google.common.base.Predicate<String> whitelistBlacklistPredicate)` Extract `DigestMethod`, `MGF` and `OAEPparams` data present on the supplied instance of `EncryptionMethod` and populate it on the supplied instance of of `RSAOAEPParameters`.
`protected void`	`resolveAndPopulateCredentialsAndAlgorithms(EncryptionParameters params, CriteriaSet criteria, com.google.common.base.Predicate<String> whitelistBlacklistPredicate)` Resolve and populate the data encryption and key transport credentials and algorithm URIs.
`protected void`	`resolveAndPopulateRSAOAEPParams(EncryptionParameters params, CriteriaSet criteria, com.google.common.base.Predicate<String> whitelistBlacklistPredicate, EncryptionMethod encryptionMethod)` Resolve and populate an instance of `RSAOAEPParameters`, if appropriate for the selected key transport encryption algorithm.
`protected Pair<String,EncryptionMethod>`	`resolveDataEncryptionAlgorithm(CriteriaSet criteria, com.google.common.base.Predicate<String> whitelistBlacklistPredicate, SAMLMDCredentialContext metadataCredContext)` Determine the data encryption algorithm URI to use, also returning the associated `EncryptionMethod` from metadata if relevant.
`protected Pair<String,EncryptionMethod>`	`resolveKeyTransportAlgorithm(Credential keyTransportCredential, CriteriaSet criteria, com.google.common.base.Predicate<String> whitelistBlacklistPredicate, String dataEncryptionAlgorithm, SAMLMDCredentialContext metadataCredContext)` Determine the key transport algorithm URI to use with the specified credential, also returning the associated `EncryptionMethod` from metadata if relevant.
`void`	`setMergeMetadataRSAOAEPParametersWithConfig(boolean flag)` Set whether the resolver should attempt to merge RSAOAEPParameters values resolved from metadata with additional parameters from supplied instances of `EncryptionConfiguration`.

Methods inherited from class org.opensaml.xmlsec.impl.BasicEncryptionParametersResolver
credentialSupportsAlgorithm, generateDataEncryptionCredential, getAlgorithmRegistry, getAlgorithmRuntimeSupportedPredicate, getEffectiveDataEncryptionAlgorithms, getEffectiveDataEncryptionCredentials, getEffectiveKeyTransportAlgorithms, getEffectiveKeyTransportCredentials, getWhitelistBlacklistPredicate, isAutoGenerateDataEncryptionCredential, isDataEncryptionAlgorithm, isKeyTransportAlgorithm, logResult, populateRSAOAEPParams, processDataEncryptionCredentialAutoGeneration, resolve, resolveAndPopulateRSAOAEPParams, resolveDataEncryptionAlgorithm, resolveDataEncryptionAlgorithm, resolveDataKeyInfoGenerator, resolveKeyTransportAlgorithm, resolveKeyTransportAlgorithm, resolveKeyTransportAlgorithmPredicate, resolveKeyTransportKeyInfoGenerator, resolveSingle, setAlgorithmRegistry, setAutoGenerateDataEncryptionCredential, validate

Methods inherited from class org.opensaml.xmlsec.impl.AbstractSecurityParametersResolver
lookupKeyInfoGenerator, resolveAndPopulateWhiteAndBlacklists, resolveEffectiveBlacklist, resolveEffectiveWhitelist, resolveWhitelistBlacklistPrecedence, resolveWhitelistBlacklistPredicate

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

SAMLMetadataEncryptionParametersResolver

public SAMLMetadataEncryptionParametersResolver(@Nonnull
                                                MetadataCredentialResolver resolver)

Constructor.

Parameters:: resolver - the metadata credential resolver instance to use to resolve encryption credentials

Method Detail

isMergeMetadataRSAOAEPParametersWithConfig
```
public boolean isMergeMetadataRSAOAEPParametersWithConfig()
```
Determine whether the resolver should attempt to merge RSAOAEPParameters values resolved from metadata with additional parameters from supplied instances of EncryptionConfiguration.
Defaults to: false

Returns:

true if should merge metadata parameters with configuration, false otherwise

setMergeMetadataRSAOAEPParametersWithConfig
```
public void setMergeMetadataRSAOAEPParametersWithConfig(boolean flag)
```
Set whether the resolver should attempt to merge RSAOAEPParameters values resolved from metadata with additional parameters from supplied instances of EncryptionConfiguration.
Defaults to: false

Parameters:

flag - true if should merge metadata parameters with configuration, false otherwise

getMetadataCredentialResolver
```
@Nonnull
protected MetadataCredentialResolver getMetadataCredentialResolver()
```
Get the metadata credential resolver instance to use to resolve encryption credentials.

Returns:

the configured metadata credential resolver instance

resolveAndPopulateCredentialsAndAlgorithms

protected void resolveAndPopulateCredentialsAndAlgorithms(@Nonnull
                                                          EncryptionParameters params,
                                                          @Nonnull
                                                          CriteriaSet criteria,
                                                          @Nonnull
                                                          com.google.common.base.Predicate<String> whitelistBlacklistPredicate)

Resolve and populate the data encryption and key transport credentials and algorithm URIs.

Overrides:: resolveAndPopulateCredentialsAndAlgorithms in class BasicEncryptionParametersResolver
Parameters:: params - the params instance being populated; criteria - the input criteria being evaluated; whitelistBlacklistPredicate - the whitelist/blacklist predicate with which to evaluate the candidate data encryption and key transport algorithm URIs

resolveAndPopulateRSAOAEPParams
```
protected void resolveAndPopulateRSAOAEPParams(@Nonnull
                                               EncryptionParameters params,
                                               @Nonnull
                                               CriteriaSet criteria,
                                               @Nonnull
                                               com.google.common.base.Predicate<String> whitelistBlacklistPredicate,
                                               @Nullable
                                               EncryptionMethod encryptionMethod)
```
Resolve and populate an instance of RSAOAEPParameters, if appropriate for the selected key transport encryption algorithm.
This method itself resolves the parameters data from the metadata EncryptionMethod. If this results in a non-complete RSAOAEPParameters instance and if isMergeMetadataRSAOAEPParametersWithConfig() evaluates true, then the resolver will delegate to the local config resolution process via the superclass to attempt to resolve and merge any null parameter values. (see BasicEncryptionParametersResolver.resolveAndPopulateRSAOAEPParams(EncryptionParameters, CriteriaSet, Predicate)).

Parameters:

params - the current encryption parameters instance being resolved

criteria - the criteria instance being evaluated

whitelistBlacklistPredicate - the whitelist/blacklist predicate with which to evaluate the candidate data encryption and key transport algorithm URIs

encryptionMethod - the method encryption method that was resolved along with the key transport encryption algorithm URI, if any. May be null.

populateRSAOAEPParamsFromEncryptionMethod

protected void populateRSAOAEPParamsFromEncryptionMethod(@Nonnull
                                                         RSAOAEPParameters params,
                                                         @Nonnull
                                                         EncryptionMethod encryptionMethod,
                                                         @Nonnull
                                                         com.google.common.base.Predicate<String> whitelistBlacklistPredicate)

Extract DigestMethod, MGF and OAEPparams data present on the supplied instance of EncryptionMethod and populate it on the supplied instance of of RSAOAEPParameters.

Whitelist/blacklist evaluation is applied to the digest method and MGF algorithm URIs.

Parameters:: params - the existing RSAOAEPParameters instance being populated; encryptionMethod - the method encryption method that was resolved along with the key transport encryption algorithm URI, if any. May be null.; whitelistBlacklistPredicate - the whitelist/blacklist predicate with which to evaluate the candidate data encryption and key transport algorithm URIs

resolveKeyTransportAlgorithm

@Nonnull
protected Pair<String,EncryptionMethod> resolveKeyTransportAlgorithm(@Nonnull
                                                                              Credential keyTransportCredential,
                                                                              @Nonnull
                                                                              CriteriaSet criteria,
                                                                              @Nonnull
                                                                              com.google.common.base.Predicate<String> whitelistBlacklistPredicate,
                                                                              @Nullable
                                                                              String dataEncryptionAlgorithm,
                                                                              @Nullable
                                                                              SAMLMDCredentialContext metadataCredContext)

Determine the key transport algorithm URI to use with the specified credential, also returning the associated EncryptionMethod from metadata if relevant.

Any algorithms specified in metadata via the passed SAMLMDCredentialContext are considered first, followed by locally configured algorithms.

Parameters:: keyTransportCredential - the key transport credential to evaluate; criteria - the criteria instance being evaluated; whitelistBlacklistPredicate - the whitelist/blacklist predicate with which to evaluate the candidate data encryption and key transport algorithm URIs; dataEncryptionAlgorithm - the optional data encryption algorithm URI to consider; metadataCredContext - the credential context extracted from metadata
Returns:: the selected algorithm URI and the associated encryption method from metadata, if any.

resolveDataEncryptionAlgorithm

@Nonnull
protected Pair<String,EncryptionMethod> resolveDataEncryptionAlgorithm(@Nonnull
                                                                                CriteriaSet criteria,
                                                                                @Nonnull
                                                                                com.google.common.base.Predicate<String> whitelistBlacklistPredicate,
                                                                                @Nullable
                                                                                SAMLMDCredentialContext metadataCredContext)

Determine the data encryption algorithm URI to use, also returning the associated EncryptionMethod from metadata if relevant.

Any algorithms specified in metadata via the passed SAMLMDCredentialContext are considered first, followed by locally configured algorithms.

Parameters:: criteria - the criteria instance being evaluated; whitelistBlacklistPredicate - the whitelist/blacklist predicate with which to evaluate the candidate data encryption and key transport algorithm URIs; metadataCredContext - the credential context extracted from metadata
Returns:: the selected algorithm URI and the associated encryption method from metadata, if any

evaluateEncryptionMethodChildren

protected boolean evaluateEncryptionMethodChildren(@Nonnull
                                                   EncryptionMethod encryptionMethod,
                                                   @Nonnull
                                                   CriteriaSet criteria,
                                                   @Nonnull
                                                   com.google.common.base.Predicate<String> whitelistBlacklistPredicate)

Evaluate the child elements of an EncryptionMethod for acceptability based on for example whitelist/blacklist policy and algorithm runtime support.

Parameters:: encryptionMethod - the EncryptionMethod being evaluated; criteria - the criteria instance being evaluated; whitelistBlacklistPredicate - the whitelist/blacklist predicate with which to evaluate the candidate data encryption and key transport algorithm URIs
Returns:: true if the EncryptionMethod children are acceptable

evaluateRSAOAEPChildren

protected boolean evaluateRSAOAEPChildren(@Nonnull
                                          EncryptionMethod encryptionMethod,
                                          @Nonnull
                                          CriteriaSet criteria,
                                          @Nonnull
                                          com.google.common.base.Predicate<String> whitelistBlacklistPredicate)

Evaluate the child elements of an RSA OAEP EncryptionMethod for acceptability based on for example whitelist/blacklist policy and algorithm runtime support.

Parameters:: encryptionMethod - the EncryptionMethod being evaluated; criteria - the criteria instance being evaluated; whitelistBlacklistPredicate - the whitelist/blacklist predicate with which to evaluate the candidate data encryption and key transport algorithm URIs
Returns:: true if the EncryptionMethod children are acceptable

credentialSupportsEncryptionMethod

protected boolean credentialSupportsEncryptionMethod(@Nonnull
                                                     Credential credential,
                                                     @Nonnull @NotEmpty
                                                     EncryptionMethod encryptionMethod)

Evaluate whether the specified credential is supported for use with the specified EncryptionMethod.

Parameters:: credential - the credential to evaluate; encryptionMethod - the encryption method to evaluate
Returns:: true if credential may be used with the supplied encryption method, false otherwise

Class SAMLMetadataEncryptionParametersResolver

Constructor Summary

Method Summary

Methods inherited from class org.opensaml.xmlsec.impl.BasicEncryptionParametersResolver

Methods inherited from class org.opensaml.xmlsec.impl.AbstractSecurityParametersResolver

Methods inherited from class java.lang.Object