Package org.opensaml.saml.security.impl

Class SAMLMetadataEncryptionParametersResolver

java.lang.Object

org.opensaml.xmlsec.impl.AbstractSecurityParametersResolver<EncryptionParameters>

org.opensaml.xmlsec.impl.BasicEncryptionParametersResolver

org.opensaml.saml.security.impl.SAMLMetadataEncryptionParametersResolver

All Implemented Interfaces:

Resolver<EncryptionParameters,CriteriaSet>, EncryptionParametersResolver

public class SAMLMetadataEncryptionParametersResolver
extends BasicEncryptionParametersResolver

A specialization of BasicEncryptionParametersResolver which resolves credentials and algorithm preferences against SAML metadata via a MetadataCredentialResolver.

In addition to the Criterion inputs documented in BasicEncryptionParametersResolver, the inputs and associated modes of operation documented for MetadataCredentialResolver are also supported and required.

The CriteriaSet instance passed to the configured metadata credential resolver will be a copy of the input criteria set, with the addition of a UsageCriterion containing the value UsageType.ENCRYPTION, which will replace any existing usage criterion instance.

Field Summary

Fields

Modifier and Type	Field	Description
private MetadataCredentialResolver	credentialResolver	Metadata credential resolver.
private org.slf4j.Logger	log	Logger.
private boolean	mergeMetadataRSAOAEPParametersWithConfig	Flag indicating whether the resolver should attempt to merge RSAOAEPParameters values resolved from metadata with additional parameters from supplied instances of EncryptionConfiguration.

Constructor Summary

Constructors

Constructor	Description
SAMLMetadataEncryptionParametersResolver(MetadataCredentialResolver resolver)	Constructor.

Method Summary

Modifier and Type	Method	Description
protected boolean	credentialSupportsEncryptionMethod(Credential credential, EncryptionMethod encryptionMethod)	Evaluate whether the specified credential is supported for use with the specified EncryptionMethod.
protected boolean	evaluateEncryptionMethodChildren(EncryptionMethod encryptionMethod, CriteriaSet criteria, Predicate<String> whitelistBlacklistPredicate)	Evaluate the child elements of an EncryptionMethod for acceptability based on for example whitelist/blacklist policy and algorithm runtime support.
protected boolean	evaluateRSAOAEPChildren(EncryptionMethod encryptionMethod, CriteriaSet criteria, Predicate<String> whitelistBlacklistPredicate)	Evaluate the child elements of an RSA OAEP EncryptionMethod for acceptability based on for example whitelist/blacklist policy and algorithm runtime support.
protected MetadataCredentialResolver	getMetadataCredentialResolver()	Get the metadata credential resolver instance to use to resolve encryption credentials.
boolean	isMergeMetadataRSAOAEPParametersWithConfig()	Determine whether the resolver should attempt to merge RSAOAEPParameters values resolved from metadata with additional parameters from supplied instances of EncryptionConfiguration.
protected void	populateRSAOAEPParamsFromEncryptionMethod(RSAOAEPParameters params, EncryptionMethod encryptionMethod, Predicate<String> whitelistBlacklistPredicate)	Extract DigestMethod, MGF and OAEPparams data present on the supplied instance of EncryptionMethod and populate it on the supplied instance of of RSAOAEPParameters.
protected void	resolveAndPopulateCredentialsAndAlgorithms(EncryptionParameters params, CriteriaSet criteria, Predicate<String> whitelistBlacklistPredicate)
protected void	resolveAndPopulateRSAOAEPParams(EncryptionParameters params, CriteriaSet criteria, Predicate<String> whitelistBlacklistPredicate, EncryptionMethod encryptionMethod)	Resolve and populate an instance of RSAOAEPParameters, if appropriate for the selected key transport encryption algorithm.
protected Pair<String,EncryptionMethod>	resolveDataEncryptionAlgorithm(CriteriaSet criteria, Predicate<String> whitelistBlacklistPredicate, SAMLMDCredentialContext metadataCredContext)	Determine the data encryption algorithm URI to use, also returning the associated EncryptionMethod from metadata if relevant.
protected Pair<String,EncryptionMethod>	resolveKeyTransportAlgorithm(Credential keyTransportCredential, CriteriaSet criteria, Predicate<String> whitelistBlacklistPredicate, String dataEncryptionAlgorithm, SAMLMDCredentialContext metadataCredContext)	Determine the key transport algorithm URI to use with the specified credential, also returning the associated EncryptionMethod from metadata if relevant.
void	setMergeMetadataRSAOAEPParametersWithConfig(boolean flag)	Set whether the resolver should attempt to merge RSAOAEPParameters values resolved from metadata with additional parameters from supplied instances of EncryptionConfiguration.

Methods inherited from class org.opensaml.xmlsec.impl.BasicEncryptionParametersResolver

credentialSupportsAlgorithm, generateDataEncryptionCredential, getAlgorithmRegistry, getAlgorithmRuntimeSupportedPredicate, getEffectiveDataEncryptionAlgorithms, getEffectiveDataEncryptionCredentials, getEffectiveKeyTransportAlgorithms, getEffectiveKeyTransportCredentials, getWhitelistBlacklistPredicate, isAutoGenerateDataEncryptionCredential, isDataEncryptionAlgorithm, isKeyTransportAlgorithm, logResult, populateRSAOAEPParams, processDataEncryptionCredentialAutoGeneration, resolve, resolveAndPopulateRSAOAEPParams, resolveDataEncryptionAlgorithm, resolveDataEncryptionAlgorithm, resolveDataKeyInfoGenerator, resolveKeyTransportAlgorithm, resolveKeyTransportAlgorithm, resolveKeyTransportAlgorithmPredicate, resolveKeyTransportKeyInfoGenerator, resolveSingle, setAlgorithmRegistry, setAutoGenerateDataEncryptionCredential, validate

Methods inherited from class org.opensaml.xmlsec.impl.AbstractSecurityParametersResolver

lookupKeyInfoGenerator, resolveAndPopulateWhiteAndBlacklists, resolveEffectiveBlacklist, resolveEffectiveWhitelist, resolveWhitelistBlacklistPrecedence, resolveWhitelistBlacklistPredicate

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

log

@Nonnull
private org.slf4j.Logger log

Logger.

credentialResolver

@Nonnull
private MetadataCredentialResolver credentialResolver

Metadata credential resolver.

mergeMetadataRSAOAEPParametersWithConfig

private boolean mergeMetadataRSAOAEPParametersWithConfig

Flag indicating whether the resolver should attempt to merge RSAOAEPParameters values resolved from metadata with additional parameters from supplied instances of EncryptionConfiguration.

Constructor Detail

SAMLMetadataEncryptionParametersResolver

public SAMLMetadataEncryptionParametersResolver(@Nonnull @ParameterName(name="resolver")
                                                MetadataCredentialResolver resolver)

Constructor.

Parameters:

resolver - the metadata credential resolver instance to use to resolve encryption credentials

Method Detail

isMergeMetadataRSAOAEPParametersWithConfig

public boolean isMergeMetadataRSAOAEPParametersWithConfig()

Determine whether the resolver should attempt to merge RSAOAEPParameters values resolved from metadata with additional parameters from supplied instances of EncryptionConfiguration.

Defaults to: false

Returns:

true if should merge metadata parameters with configuration, false otherwise

setMergeMetadataRSAOAEPParametersWithConfig

public void setMergeMetadataRSAOAEPParametersWithConfig(boolean flag)

Set whether the resolver should attempt to merge RSAOAEPParameters values resolved from metadata with additional parameters from supplied instances of EncryptionConfiguration.

Defaults to: false

Parameters:

flag - true if should merge metadata parameters with configuration, false otherwise

getMetadataCredentialResolver

@Nonnull
protected MetadataCredentialResolver getMetadataCredentialResolver()

Get the metadata credential resolver instance to use to resolve encryption credentials.

Returns:

the configured metadata credential resolver instance

resolveAndPopulateCredentialsAndAlgorithms

protected void resolveAndPopulateCredentialsAndAlgorithms(@Nonnull
                                                          EncryptionParameters params,
                                                          @Nonnull
                                                          CriteriaSet criteria,
                                                          @Nonnull
                                                          Predicate<String> whitelistBlacklistPredicate)

Overrides:

resolveAndPopulateCredentialsAndAlgorithms in class BasicEncryptionParametersResolver

resolveAndPopulateRSAOAEPParams

protected void resolveAndPopulateRSAOAEPParams(@Nonnull
                                               EncryptionParameters params,
                                               @Nonnull
                                               CriteriaSet criteria,
                                               @Nonnull
                                               Predicate<String> whitelistBlacklistPredicate,
                                               @Nullable
                                               EncryptionMethod encryptionMethod)

Resolve and populate an instance of RSAOAEPParameters, if appropriate for the selected key transport encryption algorithm.

This method itself resolves the parameters data from the metadata EncryptionMethod. If this results in a non-complete RSAOAEPParameters instance and if isMergeMetadataRSAOAEPParametersWithConfig() evaluates true, then the resolver will delegate to the local config resolution process via the superclass to attempt to resolve and merge any null parameter values. (see BasicEncryptionParametersResolver.resolveAndPopulateRSAOAEPParams(EncryptionParameters, CriteriaSet, Predicate)).

Parameters:

params - the current encryption parameters instance being resolved

criteria - the criteria instance being evaluated

whitelistBlacklistPredicate - the whitelist/blacklist predicate with which to evaluate the candidate data encryption and key transport algorithm URIs

encryptionMethod - the method encryption method that was resolved along with the key transport encryption algorithm URI, if any. May be null.

populateRSAOAEPParamsFromEncryptionMethod

protected void populateRSAOAEPParamsFromEncryptionMethod(@Nonnull
                                                         RSAOAEPParameters params,
                                                         @Nonnull
                                                         EncryptionMethod encryptionMethod,
                                                         @Nonnull
                                                         Predicate<String> whitelistBlacklistPredicate)

Extract DigestMethod, MGF and OAEPparams data present on the supplied instance of EncryptionMethod and populate it on the supplied instance of of RSAOAEPParameters.

Whitelist/blacklist evaluation is applied to the digest method and MGF algorithm URIs.

Parameters:

params - the existing RSAOAEPParameters instance being populated

encryptionMethod - the method encryption method that was resolved along with the key transport encryption algorithm URI, if any. May be null.

whitelistBlacklistPredicate - the whitelist/blacklist predicate with which to evaluate the candidate data encryption and key transport algorithm URIs

resolveKeyTransportAlgorithm

@Nonnull
protected Pair<String,EncryptionMethod> resolveKeyTransportAlgorithm(@Nonnull
                                                                           Credential keyTransportCredential,
                                                                           @Nonnull
                                                                           CriteriaSet criteria,
                                                                           @Nonnull
                                                                           Predicate<String> whitelistBlacklistPredicate,
                                                                           @Nullable
                                                                           String dataEncryptionAlgorithm,
                                                                           @Nullable
                                                                           SAMLMDCredentialContext metadataCredContext)

Determine the key transport algorithm URI to use with the specified credential, also returning the associated EncryptionMethod from metadata if relevant.

Any algorithms specified in metadata via the passed SAMLMDCredentialContext are considered first, followed by locally configured algorithms.

Parameters:

keyTransportCredential - the key transport credential to evaluate

criteria - the criteria instance being evaluated

whitelistBlacklistPredicate - the whitelist/blacklist predicate with which to evaluate the candidate data encryption and key transport algorithm URIs

dataEncryptionAlgorithm - the optional data encryption algorithm URI to consider

metadataCredContext - the credential context extracted from metadata

Returns:

the selected algorithm URI and the associated encryption method from metadata, if any.

resolveDataEncryptionAlgorithm

@Nonnull
protected Pair<String,EncryptionMethod> resolveDataEncryptionAlgorithm(@Nonnull
                                                                             CriteriaSet criteria,
                                                                             @Nonnull
                                                                             Predicate<String> whitelistBlacklistPredicate,
                                                                             @Nullable
                                                                             SAMLMDCredentialContext metadataCredContext)

Determine the data encryption algorithm URI to use, also returning the associated EncryptionMethod from metadata if relevant.

Any algorithms specified in metadata via the passed SAMLMDCredentialContext are considered first, followed by locally configured algorithms.

Parameters:

criteria - the criteria instance being evaluated

whitelistBlacklistPredicate - the whitelist/blacklist predicate with which to evaluate the candidate data encryption and key transport algorithm URIs

metadataCredContext - the credential context extracted from metadata

Returns:

the selected algorithm URI and the associated encryption method from metadata, if any

evaluateEncryptionMethodChildren

protected boolean evaluateEncryptionMethodChildren(@Nonnull
                                                   EncryptionMethod encryptionMethod,
                                                   @Nonnull
                                                   CriteriaSet criteria,
                                                   @Nonnull
                                                   Predicate<String> whitelistBlacklistPredicate)

Evaluate the child elements of an EncryptionMethod for acceptability based on for example whitelist/blacklist policy and algorithm runtime support.

Parameters:

encryptionMethod - the EncryptionMethod being evaluated

criteria - the criteria instance being evaluated

whitelistBlacklistPredicate - the whitelist/blacklist predicate with which to evaluate the candidate data encryption and key transport algorithm URIs

Returns:

true if the EncryptionMethod children are acceptable

evaluateRSAOAEPChildren

protected boolean evaluateRSAOAEPChildren(@Nonnull
                                          EncryptionMethod encryptionMethod,
                                          @Nonnull
                                          CriteriaSet criteria,
                                          @Nonnull
                                          Predicate<String> whitelistBlacklistPredicate)

Evaluate the child elements of an RSA OAEP EncryptionMethod for acceptability based on for example whitelist/blacklist policy and algorithm runtime support.

Parameters:

encryptionMethod - the EncryptionMethod being evaluated

criteria - the criteria instance being evaluated

whitelistBlacklistPredicate - the whitelist/blacklist predicate with which to evaluate the candidate data encryption and key transport algorithm URIs

Returns:

true if the EncryptionMethod children are acceptable

credentialSupportsEncryptionMethod

protected boolean credentialSupportsEncryptionMethod(@Nonnull
                                                     Credential credential,
                                                     @Nonnull @NotEmpty
                                                     EncryptionMethod encryptionMethod)

Evaluate whether the specified credential is supported for use with the specified EncryptionMethod.

Parameters:

credential - the credential to evaluate

encryptionMethod - the encryption method to evaluate

Returns:

true if credential may be used with the supplied encryption method, false otherwise