Package org.opensaml.saml.security.impl

Class SAMLMetadataEncryptionParametersResolver

    • Field Detail

      • log

        @Nonnull
private org.slf4j.Logger log
        Logger.

      • mergeMetadataRSAOAEPParametersWithConfig

        private boolean mergeMetadataRSAOAEPParametersWithConfig
        Flag indicating whether the resolver should attempt to merge RSAOAEPParameters values resolved from metadata with additional parameters from supplied instances of EncryptionConfiguration.

    • Constructor Detail

      • SAMLMetadataEncryptionParametersResolver

        public SAMLMetadataEncryptionParametersResolver​(@Nonnull @ParameterName(name="resolver")
                                                MetadataCredentialResolver resolver)
        Constructor.
        Parameters:
        resolver - the metadata credential resolver instance to use to resolve encryption credentials

    • Method Detail

      • isMergeMetadataRSAOAEPParametersWithConfig

        public boolean isMergeMetadataRSAOAEPParametersWithConfig()
        Determine whether the resolver should attempt to merge RSAOAEPParameters values resolved from metadata with additional parameters from supplied instances of EncryptionConfiguration.

        Defaults to: false

        Returns:
        true if should merge metadata parameters with configuration, false otherwise

      • setMergeMetadataRSAOAEPParametersWithConfig

        public void setMergeMetadataRSAOAEPParametersWithConfig​(boolean flag)
        Set whether the resolver should attempt to merge RSAOAEPParameters values resolved from metadata with additional parameters from supplied instances of EncryptionConfiguration.

        Defaults to: false

        Parameters:
        flag - true if should merge metadata parameters with configuration, false otherwise

      • getMetadataCredentialResolver

        @Nonnull
protected MetadataCredentialResolver getMetadataCredentialResolver()
        Get the metadata credential resolver instance to use to resolve encryption credentials.
        Returns:
        the configured metadata credential resolver instance

      • checkAndProcessKeyAgreement

        protected boolean checkAndProcessKeyAgreement​(@Nonnull
                                              EncryptionParameters params,
                                              @Nonnull
                                              CriteriaSet criteria,
                                              @Nonnull
                                              Predicate<String> includeExcludePredicate,
                                              @Nonnull
                                              Credential credential)
        Check for a credential type that implies a key agreement operation, and process if so indicated.
        Parameters:
        params - the params instance being populated
        criteria - the input criteria being evaluated
        includeExcludePredicate - the include/exclude predicate
        credential - the credential being evaluated
        Returns:
        true if all required parameters were supplied, key agreement was successfully performed, and the EncryptionParameters instance's credential and algorithms properties are fully populated, otherwise false

      • concatLists

        @SafeVarargs
private List<String> concatLists​(@Nonnull
                                 List<String>... lists)
        Concatenate multiple lists into one list.
        Parameters:
        lists - the lists to process
        Returns:
        the concatenation of the supplied lists

      • resolveAndPopulateRSAOAEPParams

        protected void resolveAndPopulateRSAOAEPParams​(@Nonnull
                                               EncryptionParameters params,
                                               @Nonnull
                                               CriteriaSet criteria,
                                               @Nonnull
                                               Predicate<String> includeExcludePredicate,
                                               @Nullable
                                               EncryptionMethod encryptionMethod)
        Resolve and populate an instance of RSAOAEPParameters, if appropriate for the selected key transport encryption algorithm.

        This method itself resolves the parameters data from the metadata EncryptionMethod. If this results in a non-complete RSAOAEPParameters instance and if isMergeMetadataRSAOAEPParametersWithConfig() evaluates true, then the resolver will delegate to the local config resolution process via the superclass to attempt to resolve and merge any null parameter values. (see BasicEncryptionParametersResolver.resolveAndPopulateRSAOAEPParams(EncryptionParameters, CriteriaSet, Predicate)).

        Parameters:
        params - the current encryption parameters instance being resolved
        criteria - the criteria instance being evaluated
        includeExcludePredicate - the include/exclude predicate with which to evaluate the candidate data encryption and key transport algorithm URIs
        encryptionMethod - the method encryption method that was resolved along with the key transport encryption algorithm URI, if any. May be null.

      • populateRSAOAEPParamsFromEncryptionMethod

        protected void populateRSAOAEPParamsFromEncryptionMethod​(@Nonnull
                                                         RSAOAEPParameters params,
                                                         @Nonnull
                                                         EncryptionMethod encryptionMethod,
                                                         @Nonnull
                                                         Predicate<String> includeExcludePredicate)
        Extract DigestMethod, MGF and OAEPparams data present on the supplied instance of EncryptionMethod and populate it on the supplied instance of of RSAOAEPParameters.

        Include/exclude evaluation is applied to the digest method and MGF algorithm URIs.

        Parameters:
        params - the existing RSAOAEPParameters instance being populated
        encryptionMethod - the method encryption method that was resolved along with the key transport encryption algorithm URI, if any. May be null.
        includeExcludePredicate - the include/exclude predicate with which to evaluate the candidate data encryption and key transport algorithm URIs

      • resolveKeyTransportAlgorithm

        @Nonnull
protected Pair<String,​EncryptionMethod> resolveKeyTransportAlgorithm​(@Nonnull
                                                                           Credential keyTransportCredential,
                                                                           @Nonnull
                                                                           CriteriaSet criteria,
                                                                           @Nonnull
                                                                           Predicate<String> includeExcludePredicate,
                                                                           @Nullable
                                                                           String dataEncryptionAlgorithm,
                                                                           @Nullable
                                                                           SAMLMDCredentialContext metadataCredContext)
        Determine the key transport algorithm URI to use with the specified credential, also returning the associated EncryptionMethod from metadata if relevant.

        Any algorithms specified in metadata via the passed SAMLMDCredentialContext are considered first, followed by locally configured algorithms.

        Parameters:
        keyTransportCredential - the key transport credential to evaluate
        criteria - the criteria instance being evaluated
        includeExcludePredicate - the include/exclude predicate with which to evaluate the candidate data encryption and key transport algorithm URIs
        dataEncryptionAlgorithm - the optional data encryption algorithm URI to consider
        metadataCredContext - the credential context extracted from metadata
        Returns:
        the selected algorithm URI and the associated encryption method from metadata, if any.

      • resolveDataEncryptionAlgorithm

        @Nonnull
protected Pair<String,​EncryptionMethod> resolveDataEncryptionAlgorithm​(@Nonnull
                                                                             CriteriaSet criteria,
                                                                             @Nonnull
                                                                             Predicate<String> includeExcludePredicate,
                                                                             @Nullable
                                                                             SAMLMDCredentialContext metadataCredContext)
        Determine the data encryption algorithm URI to use, also returning the associated EncryptionMethod from metadata if relevant.

        Any algorithms specified in metadata via the passed SAMLMDCredentialContext are considered first, followed by locally configured algorithms.

        Parameters:
        criteria - the criteria instance being evaluated
        includeExcludePredicate - the include/exclude predicate with which to evaluate the candidate data encryption and key transport algorithm URIs
        metadataCredContext - the credential context extracted from metadata
        Returns:
        the selected algorithm URI and the associated encryption method from metadata, if any

      • evaluateEncryptionMethodChildren

        protected boolean evaluateEncryptionMethodChildren​(@Nonnull
                                                   EncryptionMethod encryptionMethod,
                                                   @Nonnull
                                                   CriteriaSet criteria,
                                                   @Nonnull
                                                   Predicate<String> includeExcludePredicate)
        Evaluate the child elements of an EncryptionMethod for acceptability based on for example include/exclude policy and algorithm runtime support.
        Parameters:
        encryptionMethod - the EncryptionMethod being evaluated
        criteria - the criteria instance being evaluated
        includeExcludePredicate - the include/exclude predicate with which to evaluate the candidate data encryption and key transport algorithm URIs
        Returns:
        true if the EncryptionMethod children are acceptable

      • evaluateRSAOAEPChildren

        protected boolean evaluateRSAOAEPChildren​(@Nonnull
                                          EncryptionMethod encryptionMethod,
                                          @Nonnull
                                          CriteriaSet criteria,
                                          @Nonnull
                                          Predicate<String> includeExcludePredicate)
        Evaluate the child elements of an RSA OAEP EncryptionMethod for acceptability based on for example include/exclude policy and algorithm runtime support.
        Parameters:
        encryptionMethod - the EncryptionMethod being evaluated
        criteria - the criteria instance being evaluated
        includeExcludePredicate - the include/exclude predicate with which to evaluate the candidate data encryption and key transport algorithm URIs
        Returns:
        true if the EncryptionMethod children are acceptable

      • credentialSupportsEncryptionMethod

        protected boolean credentialSupportsEncryptionMethod​(@Nonnull
                                                     Credential credential,
                                                     @Nonnull @NotEmpty
                                                     EncryptionMethod encryptionMethod)
        Evaluate whether the specified credential is supported for use with the specified EncryptionMethod.
        Parameters:
        credential - the credential to evaluate
        encryptionMethod - the encryption method to evaluate
        Returns:
        true if credential may be used with the supplied encryption method, false otherwise