se.swedenconnect.opensaml.xmlsec.encryption.support

Class Pkcs11Decrypter

java.lang.Object

org.opensaml.xmlsec.encryption.support.Decrypter

org.opensaml.saml.saml2.encryption.Decrypter

se.swedenconnect.opensaml.xmlsec.encryption.support.Pkcs11Decrypter

public class Pkcs11Decrypter
extends Decrypter

An extension to OpenSAML's Decrypter class implementing a workaround for the problem that when using the SunPKCS11 crypto provider OAEPPadding does not work.

See this post on Stack overflow.

Author:

Martin Lindström (martin@idsec.se), Stefan Santesson (stefan@idsec.se)

Constructor Summary

Constructors

Constructor and Description
Pkcs11Decrypter(DecryptionParameters params) Constructor.
Pkcs11Decrypter(KeyInfoCredentialResolver newResolver, KeyInfoCredentialResolver newKEKResolver, EncryptedKeyResolver newEncKeyResolver) Constructor.
Pkcs11Decrypter(KeyInfoCredentialResolver newResolver, KeyInfoCredentialResolver newKEKResolver, EncryptedKeyResolver newEncKeyResolver, Collection<String> whitelistAlgos, Collection<String> blacklistAlgos) Constructor.

Method Summary

Modifier and Type	Method and Description
Key	decryptKey(EncryptedKey encryptedKey, String algorithm) Extends Decrypter.decryptKey(EncryptedKey, String) so that we may get hold of the corresponding RSA certificate.
Key	decryptKey(EncryptedKey encryptedKey, String algorithm, Key kek) Extends Decrypter.decryptKey(EncryptedKey, String, Key) with an implementation for missing OAEP padding in the SunPKCS11 provider.
protected Key	decryptKey(EncryptedKey encryptedKey, String algorithm, Key kek, int keysize) Decrypts the key (work-around for OAEP padding).
void	setTestMode(boolean testMode) Should we run this class in test mode? By using test mode, the customized code where we handle padding for OAEP is executed even if the SunPKCS11 provider is not in use.

Methods inherited from class org.opensaml.saml.saml2.encryption.Decrypter

decrypt, decrypt, decrypt, decrypt

Methods inherited from class org.opensaml.xmlsec.encryption.support.Decrypter

buildParserPool, checkAndMarshall, decryptData, decryptData, decryptDataToDOM, decryptDataToDOM, decryptDataToList, decryptDataToList, getJCAProviderName, getKEKResolverCriteria, getKeyResolverCriteria, isRootInNewDocument, preProcessEncryptedKey, setJCAProviderName, setKEKResolverCriteria, setKeyResolverCriteria, setRootInNewDocument, validateAlgorithms, validateAlgorithms, validateAlgorithmURI

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

Pkcs11Decrypter

public Pkcs11Decrypter(DecryptionParameters params)

Constructor.

Parameters:

params - decryption parameters to use

Pkcs11Decrypter

public Pkcs11Decrypter(KeyInfoCredentialResolver newResolver,
                       KeyInfoCredentialResolver newKEKResolver,
                       EncryptedKeyResolver newEncKeyResolver)

Constructor.

Parameters:

newResolver - resolver for data encryption keys.

newKEKResolver - resolver for key encryption keys.

newEncKeyResolver - resolver for EncryptedKey elements

Pkcs11Decrypter

public Pkcs11Decrypter(KeyInfoCredentialResolver newResolver,
                       KeyInfoCredentialResolver newKEKResolver,
                       EncryptedKeyResolver newEncKeyResolver,
                       Collection<String> whitelistAlgos,
                       Collection<String> blacklistAlgos)

Constructor.

Parameters:

newResolver - resolver for data encryption keys.

newKEKResolver - resolver for key encryption keys.

newEncKeyResolver - resolver for EncryptedKey elements

whitelistAlgos - collection of whitelisted algorithm URIs

blacklistAlgos - collection of blacklisted algorithm URIs

Method Detail

decryptKey

@Nonnull
public Key decryptKey(@Nonnull
                               EncryptedKey encryptedKey,
                               @Nonnull
                               String algorithm,
                               @Nonnull
                               Key kek)
                        throws DecryptionException

Extends Decrypter.decryptKey(EncryptedKey, String, Key) with an implementation for missing OAEP padding in the SunPKCS11 provider.

Overrides:

decryptKey in class Decrypter

Throws:

DecryptionException

decryptKey

@Nonnull
public Key decryptKey(@Nonnull
                               EncryptedKey encryptedKey,
                               @Nonnull
                               String algorithm)
                        throws DecryptionException

Extends Decrypter.decryptKey(EncryptedKey, String) so that we may get hold of the corresponding RSA certificate. We need that since we need to figure out the key length of the RSA private key (and we can't ask a SunPKCS11 private key for its key length).

Overrides:

decryptKey in class Decrypter

Throws:

DecryptionException

decryptKey

@Nonnull
protected Key decryptKey(@Nonnull
                                  EncryptedKey encryptedKey,
                                  @Nonnull
                                  String algorithm,
                                  @Nonnull
                                  Key kek,
                                  int keysize)
                           throws DecryptionException

Decrypts the key (work-around for OAEP padding).

Parameters:

encryptedKey - encrypted key element containing the encrypted key to be decrypted

algorithm - the algorithm associated with the decrypted key

kek - the key encryption key with which to attempt decryption of the encrypted key

keysize - the key length

Returns:

the decrypted key

Throws:

DecryptionException - for decryption errors

setTestMode

public void setTestMode(boolean testMode)

Should we run this class in test mode? By using test mode, the customized code where we handle padding for OAEP is executed even if the SunPKCS11 provider is not in use.

Parameters:

testMode - test mode flag