se.swedenconnect.opensaml.xmlsec

Class ExtendedEncryptionParametersResolver

java.lang.Object

org.opensaml.xmlsec.impl.AbstractSecurityParametersResolver<EncryptionParameters>

org.opensaml.xmlsec.impl.BasicEncryptionParametersResolver

se.swedenconnect.opensaml.xmlsec.ExtendedEncryptionParametersResolver

All Implemented Interfaces:

Resolver<EncryptionParameters,CriteriaSet>, EncryptionParametersResolver

public class ExtendedEncryptionParametersResolver
extends BasicEncryptionParametersResolver

Extends OpenSAML's BasicEncryptionParametersResolver with support for key agreement.

Author:

Martin Lindström (martin@idsec.se), Stefan Santesson (stefan@idsec.se)

Constructor Summary

Constructors

Constructor and Description
ExtendedEncryptionParametersResolver() Constructor.

Method Summary

Modifier and Type	Method and Description
protected Credential	generateKeyAgreementCredential(Credential credential, String keyWrappingAlgorithm, List<String> keyAgreementMethods, List<String> keyDerivationAlgorithms, ConcatKDFParameters concatKDFParameters) Generates a key agreement credential based on the resolved algorithms.
protected ConcatKDFParameters	getConcatKDFParameters(CriteriaSet criteria, com.google.common.base.Predicate<String> whitelistBlacklistPredicate) Obtains the ConcatKDFParameters to use for ConcatKDF key derivation.
protected List<String>	getEffectiveKeyAgreementMethods(CriteriaSet criteria, com.google.common.base.Predicate<String> whitelistBlacklistPredicate) Get the effective list of key agreement method URIs to consider, including application of whitelist/blacklist policy.
protected List<String>	getEffectiveKeyDerivationAlgorithms(CriteriaSet criteria, com.google.common.base.Predicate<String> whitelistBlacklistPredicate) Get the effective list of key derivation algorithm URIs to consider, including application of whitelist/blacklist policy.
protected List<Credential>	getEffectivePeerKeyAgreementCredentials(CriteriaSet criteria) Get the effective list of peer key agreement credentials to consider.
protected void	logResult(EncryptionParameters params)
protected void	resolveAndPopulateCredentialsAndAlgorithms(EncryptionParameters params, CriteriaSet criteria, com.google.common.base.Predicate<String> whitelistBlacklistPredicate) Extends the default implementation with support for encrypting the data encrypting key using a key wrapping key that is created using a key agreement protocol.
protected KeyInfoGenerator	resolveKeyTransportKeyInfoGenerator(CriteriaSet criteria, Credential keyTransportEncryptionCredential)
void	setUseKeyAgreementDefaults(boolean flag) Tells whether we should rely on that we received an ExtendedEncryptionConfiguration object among the criteria.

Methods inherited from class org.opensaml.xmlsec.impl.BasicEncryptionParametersResolver

credentialSupportsAlgorithm, generateDataEncryptionCredential, getAlgorithmRegistry, getAlgorithmRuntimeSupportedPredicate, getEffectiveDataEncryptionAlgorithms, getEffectiveDataEncryptionCredentials, getEffectiveKeyTransportAlgorithms, getEffectiveKeyTransportCredentials, getWhitelistBlacklistPredicate, isAutoGenerateDataEncryptionCredential, isDataEncryptionAlgorithm, isKeyTransportAlgorithm, populateRSAOAEPParams, processDataEncryptionCredentialAutoGeneration, resolve, resolveAndPopulateRSAOAEPParams, resolveDataEncryptionAlgorithm, resolveDataEncryptionAlgorithm, resolveDataKeyInfoGenerator, resolveKeyTransportAlgorithm, resolveKeyTransportAlgorithm, resolveKeyTransportAlgorithmPredicate, resolveSingle, setAlgorithmRegistry, setAutoGenerateDataEncryptionCredential, validate, validate

Methods inherited from class org.opensaml.xmlsec.impl.AbstractSecurityParametersResolver

lookupKeyInfoGenerator, resolveAndPopulateWhiteAndBlacklists, resolveEffectiveBlacklist, resolveEffectiveWhitelist, resolveWhitelistBlacklistPrecedence, resolveWhitelistBlacklistPredicate

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

ExtendedEncryptionParametersResolver

public ExtendedEncryptionParametersResolver()

Constructor.

Method Detail

resolveAndPopulateCredentialsAndAlgorithms

protected void resolveAndPopulateCredentialsAndAlgorithms(@Nonnull
                                                          EncryptionParameters params,
                                                          @Nonnull
                                                          CriteriaSet criteria,
                                                          @Nonnull
                                                          com.google.common.base.Predicate<String> whitelistBlacklistPredicate)

Extends the default implementation with support for encrypting the data encrypting key using a key wrapping key that is created using a key agreement protocol.

Overrides:

resolveAndPopulateCredentialsAndAlgorithms in class BasicEncryptionParametersResolver

generateKeyAgreementCredential

protected Credential generateKeyAgreementCredential(@Nonnull
                                                    Credential credential,
                                                    @Nonnull
                                                    String keyWrappingAlgorithm,
                                                    @Nonnull
                                                    List<String> keyAgreementMethods,
                                                    @Nonnull
                                                    List<String> keyDerivationAlgorithms,
                                                    ConcatKDFParameters concatKDFParameters)
                                             throws SecurityException

Generates a key agreement credential based on the resolved algorithms.

Parameters:

credential - the peer credential

keyWrappingAlgorithm - key wrapping algorithm

keyAgreementMethods - key agreement methods

keyDerivationAlgorithms - key derivation algorithms

concatKDFParameters - concat KDF parameters

Returns:

a key key agreement credential or null

Throws:

SecurityException - for key generation errors

getEffectiveKeyAgreementMethods

@Nonnull
protected List<String> getEffectiveKeyAgreementMethods(@Nonnull
                                                                CriteriaSet criteria,
                                                                @Nonnull
                                                                com.google.common.base.Predicate<String> whitelistBlacklistPredicate)

Get the effective list of key agreement method URIs to consider, including application of whitelist/blacklist policy.

Parameters:

criteria - the input criteria being evaluated

whitelistBlacklistPredicate - the whitelist/blacklist predicate to use

Returns:

the list of effective algorithm URIs

getEffectiveKeyDerivationAlgorithms

@Nonnull
protected List<String> getEffectiveKeyDerivationAlgorithms(@Nonnull
                                                                    CriteriaSet criteria,
                                                                    @Nonnull
                                                                    com.google.common.base.Predicate<String> whitelistBlacklistPredicate)

Get the effective list of key derivation algorithm URIs to consider, including application of whitelist/blacklist policy.

Parameters:

criteria - the input criteria being evaluated

whitelistBlacklistPredicate - the whitelist/blacklist predicate to use

Returns:

the list of effective algorithm URIs

getConcatKDFParameters

@Nonnull
protected ConcatKDFParameters getConcatKDFParameters(@Nonnull
                                                              CriteriaSet criteria,
                                                              @Nonnull
                                                              com.google.common.base.Predicate<String> whitelistBlacklistPredicate)

Obtains the ConcatKDFParameters to use for ConcatKDF key derivation.

Parameters:

criteria - the criteria

whitelistBlacklistPredicate - the whitelist/blacklist predicate to use

Returns:

the ConcatKDFParameters object or null

getEffectivePeerKeyAgreementCredentials

@Nonnull
protected List<Credential> getEffectivePeerKeyAgreementCredentials(@Nonnull
                                                                            CriteriaSet criteria)

Get the effective list of peer key agreement credentials to consider.

Parameters:

criteria - the input criteria being evaluated

Returns:

the list of credentials

resolveKeyTransportKeyInfoGenerator

@Nullable
protected KeyInfoGenerator resolveKeyTransportKeyInfoGenerator(@Nonnull
                                                                         CriteriaSet criteria,
                                                                         @Nullable
                                                                         Credential keyTransportEncryptionCredential)

Overrides:

resolveKeyTransportKeyInfoGenerator in class BasicEncryptionParametersResolver

setUseKeyAgreementDefaults

public void setUseKeyAgreementDefaults(boolean flag)

Tells whether we should rely on that we received an ExtendedEncryptionConfiguration object among the criteria. If we want to function in an environment where the caller doesn't know anything about ExtendedEncryptionConfiguration we can set this property to true. In that case, our resolving will assume that default key agreement methods are available if no ExtendedEncryptionConfiguration is passed among the criteria.

Parameters:

flag - whether we should assume a set of key agreement methods (if no ExtendedEncryptionConfiguration is passed)

logResult

protected void logResult(EncryptionParameters params)

Overrides:

logResult in class BasicEncryptionParametersResolver