org.opensaml.xmlsec.impl

Class BasicEncryptionParametersResolver

java.lang.Object

org.opensaml.xmlsec.impl.AbstractSecurityParametersResolver<EncryptionParameters>

org.opensaml.xmlsec.impl.BasicEncryptionParametersResolver

All Implemented Interfaces:

Resolver<EncryptionParameters,CriteriaSet>, EncryptionParametersResolver

Direct Known Subclasses:

SAMLMetadataEncryptionParametersResolver

public class BasicEncryptionParametersResolver
extends AbstractSecurityParametersResolver<EncryptionParameters>
implements EncryptionParametersResolver

Basic implementation of EncryptionParametersResolver.

The following Criterion inputs are supported:

• EncryptionConfigurationCriterion - required
• KeyInfoGenerationProfileCriterion - optional

Constructor Summary

Constructors

Constructor and Description
BasicEncryptionParametersResolver() Constructor.

Method Summary

Modifier and Type	Method and Description
protected boolean	credentialSupportsAlgorithm(Credential credential, String algorithm) Evaluate whether the specified credential is supported for use with the specified algorithm URI.
protected Credential	generateDataEncryptionCredential(String dataEncryptionAlgorithm) Generate a random data encryption symmetric key credential.
AlgorithmRegistry	getAlgorithmRegistry() Get the AlgorithmRegistry instance used when resolving algorithm URIs.
protected com.google.common.base.Predicate<String>	getAlgorithmRuntimeSupportedPredicate() Get a predicate which evaluates whether a cryptographic algorithm is supported by the runtime environment.
protected List<String>	getEffectiveDataEncryptionAlgorithms(CriteriaSet criteria, com.google.common.base.Predicate<String> whitelistBlacklistPredicate) Get the effective list of data encryption algorithm URIs to consider, including application of whitelist/blacklist policy.
protected List<Credential>	getEffectiveDataEncryptionCredentials(CriteriaSet criteria) Get the effective list of data encryption credentials to consider.
protected List<String>	getEffectiveKeyTransportAlgorithms(CriteriaSet criteria, com.google.common.base.Predicate<String> whitelistBlacklistPredicate) Get the effective list of key transport algorithm URIs to consider, including application of whitelist/blacklist policy.
protected List<Credential>	getEffectiveKeyTransportCredentials(CriteriaSet criteria) Get the effective list of key transport credentials to consider.
protected com.google.common.base.Predicate<String>	getWhitelistBlacklistPredicate(CriteriaSet criteria) Get a predicate which implements the effective configured whitelist/blacklist policy.
boolean	isAutoGenerateDataEncryptionCredential() Get whether an this resolver should auto-generate data encryption credentials.
protected boolean	isDataEncryptionAlgorithm(String algorithm) Evaluate whether the specified algorithm is a data encryption algorithm.
protected boolean	isKeyTransportAlgorithm(String algorithm) Evaluate whether the specified algorithm is a key transport algorithm.
protected void	logResult(EncryptionParameters params) Log the resolved parameters.
protected void	populateRSAOAEPParams(RSAOAEPParameters rsaParams, CriteriaSet criteria, com.google.common.base.Predicate<String> whitelistBlacklistPredicate) Populate an instance of RSAOAEPParameters based on data from the supplied instances of EncryptionConfiguration.
protected void	processDataEncryptionCredentialAutoGeneration(EncryptionParameters params) Auto-generate and populate a data encryption credential, if configured and required conditions are met.
Iterable<EncryptionParameters>	resolve(CriteriaSet criteria) Process the specified criteria and return the resulting instances of the product type which satisfy the criteria.
protected void	resolveAndPopulateCredentialsAndAlgorithms(EncryptionParameters params, CriteriaSet criteria, com.google.common.base.Predicate<String> whitelistBlacklistPredicate) Resolve and populate the data encryption and key transport credentials and algorithm URIs.
protected void	resolveAndPopulateRSAOAEPParams(EncryptionParameters params, CriteriaSet criteria, com.google.common.base.Predicate<String> whitelistBlacklistPredicate) Resolve and populate an instance of RSAOAEPParameters, if appropriate for the selected key transport encryption algorithm.
protected String	resolveDataEncryptionAlgorithm(Credential dataEncryptionCredential, CriteriaSet criteria, com.google.common.base.Predicate<String> whitelistBlacklistPredicate) Determine the data encryption algorithm URI to use with the specified data encryption credential.
protected String	resolveDataEncryptionAlgorithm(Credential dataEncryptionCredential, List<String> dataEncryptionAlgorithms) Determine the data encryption algorithm URI, considering the optionally specified data encryption credential.
protected KeyInfoGenerator	resolveDataKeyInfoGenerator(CriteriaSet criteria, Credential dataEncryptionCredential) Resolve and return the KeyInfoGenerator instance to use with the specified data encryption credential.
protected String	resolveKeyTransportAlgorithm(Credential keyTransportCredential, CriteriaSet criteria, com.google.common.base.Predicate<String> whitelistBlacklistPredicate, String dataEncryptionAlgorithm) Determine the key transport algorithm URI to use with the specified credential.
protected String	resolveKeyTransportAlgorithm(Credential keyTransportCredential, List<String> keyTransportAlgorithms, String dataEncryptionAlgorithm, KeyTransportAlgorithmPredicate keyTransportPredicate) Determine the key transport encryption algorithm URI to use with the specified key transport credential and optional data encryption algorithm URI.
protected KeyTransportAlgorithmPredicate	resolveKeyTransportAlgorithmPredicate(CriteriaSet criteria) Resolve the optional effectively configured instance of KeyTransportAlgorithmPredicate to use.
protected KeyInfoGenerator	resolveKeyTransportKeyInfoGenerator(CriteriaSet criteria, Credential keyTransportEncryptionCredential) Resolve and return the KeyInfoGenerator instance to use with the specified key transport credential.
EncryptionParameters	resolveSingle(CriteriaSet criteria) Process the specified criteria and return a single instance of the product type which satisfies the criteria.
void	setAlgorithmRegistry(AlgorithmRegistry registry) Set the AlgorithmRegistry instance used when resolving algorithm URIs.
void	setAutoGenerateDataEncryptionCredential(boolean flag) Set whether an this resolver should auto-generate data encryption credentials.
protected boolean	validate(EncryptionParameters params) Validate that the EncryptionParameters instance has all the required properties populated.

Methods inherited from class org.opensaml.xmlsec.impl.AbstractSecurityParametersResolver

lookupKeyInfoGenerator, resolveAndPopulateWhiteAndBlacklists, resolveEffectiveBlacklist, resolveEffectiveWhitelist, resolveWhitelistBlacklistPrecedence, resolveWhitelistBlacklistPredicate

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

BasicEncryptionParametersResolver

public BasicEncryptionParametersResolver()

Constructor.

Method Detail

getAlgorithmRegistry

public AlgorithmRegistry getAlgorithmRegistry()

Get the AlgorithmRegistry instance used when resolving algorithm URIs. Defaults to the registry resolved via AlgorithmSupport.getGlobalAlgorithmRegistry().

Returns:

the algorithm registry instance

setAlgorithmRegistry

public void setAlgorithmRegistry(@Nonnull
                                 AlgorithmRegistry registry)

Set the AlgorithmRegistry instance used when resolving algorithm URIs. Defaults to the registry resolved via AlgorithmSupport.getGlobalAlgorithmRegistry().

Parameters:

registry - the new algorithm registry instance

isAutoGenerateDataEncryptionCredential

public boolean isAutoGenerateDataEncryptionCredential()

Get whether an this resolver should auto-generate data encryption credentials.

Returns:

true if should auto-generate, false otherwise

setAutoGenerateDataEncryptionCredential

public void setAutoGenerateDataEncryptionCredential(boolean flag)

Set whether an this resolver should auto-generate data encryption credentials.

Parameters:

flag - true if should auto-generate, false otherwise

resolve

@Nonnull
public Iterable<EncryptionParameters> resolve(@Nonnull
                                                       CriteriaSet criteria)
                                                throws ResolverException

Process the specified criteria and return the resulting instances of the product type which satisfy the criteria.

Specified by:

resolve in interface Resolver<EncryptionParameters,CriteriaSet>

Parameters:

criteria - the criteria to evaluate or process

Returns:

instances which satisfy the criteria

Throws:

ResolverException - thrown if there is an error processing the specified criteria

resolveSingle

@Nullable
public EncryptionParameters resolveSingle(@Nonnull
                                                    CriteriaSet criteria)
                                             throws ResolverException

Process the specified criteria and return a single instance of the product type which satisfies the criteria. If multiple items satisfy the criteria, the choice of which single item to return is implementation-dependent.

Specified by:

resolveSingle in interface Resolver<EncryptionParameters,CriteriaSet>

Parameters:

criteria - the criteria to evaluate or process

Returns:

a single instance satisfying the criteria, or null

Throws:

ResolverException - thrown if there is an error processing the specified criteria

logResult

protected void logResult(@Nonnull
                         EncryptionParameters params)

Log the resolved parameters.

Parameters:

params - the resolved param

validate

protected boolean validate(@Nonnull
                           EncryptionParameters params)

Validate that the EncryptionParameters instance has all the required properties populated.

Parameters:

params - the parameters instance to evaluate

Returns:

true if parameters instance passes validation, false otherwise

getWhitelistBlacklistPredicate

@Nonnull
protected com.google.common.base.Predicate<String> getWhitelistBlacklistPredicate(@Nonnull
                                                                                           CriteriaSet criteria)

Get a predicate which implements the effective configured whitelist/blacklist policy.

Parameters:

criteria - the input criteria being evaluated

Returns:

a whitelist/blacklist predicate instance

resolveAndPopulateCredentialsAndAlgorithms

protected void resolveAndPopulateCredentialsAndAlgorithms(@Nonnull
                                                          EncryptionParameters params,
                                                          @Nonnull
                                                          CriteriaSet criteria,
                                                          @Nonnull
                                                          com.google.common.base.Predicate<String> whitelistBlacklistPredicate)

Resolve and populate the data encryption and key transport credentials and algorithm URIs.

Parameters:

params - the params instance being populated

criteria - the input criteria being evaluated

whitelistBlacklistPredicate - the whitelist/blacklist predicate with which to evaluate the candidate data encryption and key transport algorithm URIs

resolveAndPopulateRSAOAEPParams

protected void resolveAndPopulateRSAOAEPParams(@Nonnull
                                               EncryptionParameters params,
                                               @Nonnull
                                               CriteriaSet criteria,
                                               @Nonnull
                                               com.google.common.base.Predicate<String> whitelistBlacklistPredicate)

Resolve and populate an instance of RSAOAEPParameters, if appropriate for the selected key transport encryption algorithm.

Parameters:

params - the params instance being populated

criteria - the input criteria being evaluated

whitelistBlacklistPredicate - the whitelist/blacklist predicate with which to evaluate the candidate data encryption and key transport algorithm URIs

populateRSAOAEPParams

protected void populateRSAOAEPParams(@Nonnull
                                     RSAOAEPParameters rsaParams,
                                     @Nonnull
                                     CriteriaSet criteria,
                                     @Nonnull
                                     com.google.common.base.Predicate<String> whitelistBlacklistPredicate)

Populate an instance of RSAOAEPParameters based on data from the supplied instances of EncryptionConfiguration.

Parameters:

rsaParams - the existing RSAOAEPParameters instance being populated

criteria - the input criteria being evaluated

whitelistBlacklistPredicate - the whitelist/blacklist predicate with which to evaluate the candidate data encryption and key transport algorithm URIs

resolveKeyTransportAlgorithmPredicate

@Nullable
protected KeyTransportAlgorithmPredicate resolveKeyTransportAlgorithmPredicate(@Nonnull
                                                                                         CriteriaSet criteria)

Resolve the optional effectively configured instance of KeyTransportAlgorithmPredicate to use.

Parameters:

criteria - the input criteria being evaluated

Returns:

the resolved predicate instance, may be null

resolveKeyTransportAlgorithm

@Nullable
protected String resolveKeyTransportAlgorithm(@Nonnull
                                                        Credential keyTransportCredential,
                                                        @Nonnull
                                                        List<String> keyTransportAlgorithms,
                                                        @Nullable
                                                        String dataEncryptionAlgorithm,
                                                        @Nullable
                                                        KeyTransportAlgorithmPredicate keyTransportPredicate)

Determine the key transport encryption algorithm URI to use with the specified key transport credential and optional data encryption algorithm URI.

Parameters:

keyTransportCredential - the key transport credential being evaluated

keyTransportAlgorithms - the list of effective key transport algorithms to evaluate

dataEncryptionAlgorithm - the optional data encryption algorithm URI to consider

keyTransportPredicate - the optional key transport algorithm predicate to evaluate

Returns:

the resolved algorithm URI, may be null

resolveKeyTransportAlgorithm

@Nullable
protected String resolveKeyTransportAlgorithm(@Nonnull
                                                        Credential keyTransportCredential,
                                                        @Nonnull
                                                        CriteriaSet criteria,
                                                        @Nonnull
                                                        com.google.common.base.Predicate<String> whitelistBlacklistPredicate,
                                                        @Nullable
                                                        String dataEncryptionAlgorithm)

Determine the key transport algorithm URI to use with the specified credential.

Parameters:

keyTransportCredential - the key transport credential to evaluate

criteria - the criteria instance being evaluated

whitelistBlacklistPredicate - the whitelist/blacklist predicate with which to evaluate the candidate data encryption and key transport algorithm URIs

dataEncryptionAlgorithm - the optional data encryption algorithm URI to consider

Returns:

the selected algorithm URI, may be null

resolveDataEncryptionAlgorithm

@Nullable
protected String resolveDataEncryptionAlgorithm(@Nullable
                                                          Credential dataEncryptionCredential,
                                                          @Nonnull
                                                          List<String> dataEncryptionAlgorithms)

Determine the data encryption algorithm URI, considering the optionally specified data encryption credential.

Parameters:

dataEncryptionCredential - the data encryption credential being evaluated, may be null

dataEncryptionAlgorithms - the list of effective data encryption algorithms to evaluate

Returns:

the resolved algorithm URI, may be null

resolveDataEncryptionAlgorithm

@Nullable
protected String resolveDataEncryptionAlgorithm(@Nonnull
                                                          Credential dataEncryptionCredential,
                                                          @Nonnull
                                                          CriteriaSet criteria,
                                                          @Nonnull
                                                          com.google.common.base.Predicate<String> whitelistBlacklistPredicate)

Determine the data encryption algorithm URI to use with the specified data encryption credential.

Parameters:

dataEncryptionCredential - the data encryption credential to evaluate

criteria - the criteria instance being evaluated

whitelistBlacklistPredicate - the whitelist/blacklist predicate with which to evaluate the candidate data encryption and key transport algorithm URIs

Returns:

the selected algorithm URI

getEffectiveDataEncryptionCredentials

@Nonnull
protected List<Credential> getEffectiveDataEncryptionCredentials(@Nonnull
                                                                          CriteriaSet criteria)

Get the effective list of data encryption credentials to consider.

Parameters:

criteria - the input criteria being evaluated

Returns:

the list of credentials

getEffectiveDataEncryptionAlgorithms

@Nonnull
protected List<String> getEffectiveDataEncryptionAlgorithms(@Nonnull
                                                                     CriteriaSet criteria,
                                                                     @Nonnull
                                                                     com.google.common.base.Predicate<String> whitelistBlacklistPredicate)

Get the effective list of data encryption algorithm URIs to consider, including application of whitelist/blacklist policy.

Parameters:

criteria - the input criteria being evaluated

whitelistBlacklistPredicate - the whitelist/blacklist predicate to use

Returns:

the list of effective algorithm URIs

getEffectiveKeyTransportCredentials

@Nonnull
protected List<Credential> getEffectiveKeyTransportCredentials(@Nonnull
                                                                        CriteriaSet criteria)

Get the effective list of key transport credentials to consider.

Parameters:

criteria - the input criteria being evaluated

Returns:

the list of credentials

getEffectiveKeyTransportAlgorithms

@Nonnull
protected List<String> getEffectiveKeyTransportAlgorithms(@Nonnull
                                                                   CriteriaSet criteria,
                                                                   @Nonnull
                                                                   com.google.common.base.Predicate<String> whitelistBlacklistPredicate)

Get the effective list of key transport algorithm URIs to consider, including application of whitelist/blacklist policy.

Parameters:

criteria - the input criteria being evaluated

whitelistBlacklistPredicate - the whitelist/blacklist predicate to use

Returns:

the list of effective algorithm URIs

resolveDataKeyInfoGenerator

@Nullable
protected KeyInfoGenerator resolveDataKeyInfoGenerator(@Nullable
                                                                 CriteriaSet criteria,
                                                                 @Nullable
                                                                 Credential dataEncryptionCredential)

Resolve and return the KeyInfoGenerator instance to use with the specified data encryption credential.

Parameters:

criteria - the input criteria being evaluated

dataEncryptionCredential - the credential being evaluated

Returns:

KeyInfo generator instance, or null

resolveKeyTransportKeyInfoGenerator

@Nullable
protected KeyInfoGenerator resolveKeyTransportKeyInfoGenerator(@Nonnull
                                                                         CriteriaSet criteria,
                                                                         @Nullable
                                                                         Credential keyTransportEncryptionCredential)

Resolve and return the KeyInfoGenerator instance to use with the specified key transport credential.

Parameters:

criteria - the input criteria being evaluated

keyTransportEncryptionCredential - the credential being evaluated

Returns:

KeyInfo generator instance, or null

getAlgorithmRuntimeSupportedPredicate

@Nonnull
protected com.google.common.base.Predicate<String> getAlgorithmRuntimeSupportedPredicate()

Get a predicate which evaluates whether a cryptographic algorithm is supported by the runtime environment.

Returns:

the predicate

credentialSupportsAlgorithm

protected boolean credentialSupportsAlgorithm(@Nonnull
                                              Credential credential,
                                              @Nonnull @NotEmpty
                                              String algorithm)

Evaluate whether the specified credential is supported for use with the specified algorithm URI.

Parameters:

credential - the credential to evaluate

algorithm - the algorithm URI to evaluate

Returns:

true if credential may be used with the supplied algorithm URI, false otherwise

isKeyTransportAlgorithm

protected boolean isKeyTransportAlgorithm(@Nonnull
                                          String algorithm)

Evaluate whether the specified algorithm is a key transport algorithm.

Parameters:

algorithm - the algorithm URI to evaluate

Returns:

true if is a key transport algorithm URI, false otherwise

isDataEncryptionAlgorithm

protected boolean isDataEncryptionAlgorithm(String algorithm)

Evaluate whether the specified algorithm is a data encryption algorithm.

Parameters:

algorithm - the algorithm URI to evaluate

Returns:

true if is a key transport algorithm URI, false otherwise

generateDataEncryptionCredential

@Nullable
protected Credential generateDataEncryptionCredential(@Nonnull
                                                                String dataEncryptionAlgorithm)

Generate a random data encryption symmetric key credential.

Parameters:

dataEncryptionAlgorithm - the data encryption algorithm URI

Returns:

the generated credential, or null if there was a problem generating a key from the algorithm URI

processDataEncryptionCredentialAutoGeneration

protected void processDataEncryptionCredentialAutoGeneration(@Nonnull
                                                             EncryptionParameters params)

Auto-generate and populate a data encryption credential, if configured and required conditions are met.

Parameters:

params - the encryption parameters instance to process