Package org.opensaml.xmlsec.keyinfo

Class KeyInfoSupport

  • public class KeyInfoSupport
extends Object
    Utility class for working with data inside a KeyInfo object. Methods are provided for converting the representation stored in the XMLTooling KeyInfo to Java java.security native types, and for storing these Java native types inside a KeyInfo.

    • Constructor Detail

      • KeyInfoSupport

        protected KeyInfoSupport()
        Constructor.

    • Method Detail

      • getKeyNames

        @Nonnull
public static List<String> getKeyNames​(@Nullable
                                       KeyInfo keyInfo)
        Get the set of key names inside the specified KeyInfo as a list of strings.
        Parameters:
        keyInfo - KeyInfo to retrieve key names from
        Returns:
        a list of key name strings

      • addKeyName

        public static void addKeyName​(@Nonnull
                              KeyInfo keyInfo,
                              @Nullable
                              String keyNameValue)
        Add a new KeyName value to a KeyInfo.
        Parameters:
        keyInfo - the KeyInfo to which to add the new value
        keyNameValue - the new key name value to add

      • getCRL

        @Nullable
public static X509CRL getCRL​(@Nullable
                             X509CRL xmlCRL)
                      throws CRLException
        Convert an X509CRL into a native Java representation.
        Parameters:
        xmlCRL - object to extract the CRL from
        Returns:
        a native Java X509CRL object
        Throws:
        CRLException - thrown if there is a problem converting the CRL data into X509CRL

      • addCRL

        public static void addCRL​(@Nonnull
                          KeyInfo keyInfo,
                          @Nonnull
                          X509CRL crl)
                   throws CRLException
        Converts a native Java X509CRL into the corresponding XMLObject and stores it in a KeyInfo in the first X509Data element. The X509Data element will be created if necessary.
        Parameters:
        keyInfo - the KeyInfo object into which to add the CRL
        crl - the Java X509CRL to add
        Throws:
        CRLException - thrown when there is an error converting the Java CRL representation to the XMLObject representation

      • buildX509CRL

        @Nonnull
public static X509CRL buildX509CRL​(X509CRL crl)
                            throws CRLException
        Builds an X509CRL XMLObject from a native Java X509CRL.
        Parameters:
        crl - the Java X509CRL to convert
        Returns:
        a X509CRL XMLObject
        Throws:
        CRLException - thrown when there is an error converting the Java CRL representation to the XMLObject representation

      • buildX509SubjectName

        @Nonnull
public static X509SubjectName buildX509SubjectName​(@Nullable
                                                   String subjectName)
        Build an X509SubjectName containing a given subject name.
        Parameters:
        subjectName - the name content
        Returns:
        the new X509SubjectName

      • buildX509IssuerSerial

        @Nonnull
public static X509IssuerSerial buildX509IssuerSerial​(@Nullable
                                                     String issuerName,
                                                     @Nullable
                                                     BigInteger serialNumber)
        Build an X509IssuerSerial containing a given issuer name and serial number.
        Parameters:
        issuerName - the name content
        serialNumber - the serial number content
        Returns:
        the new X509IssuerSerial

      • buildX509SKI

        @Nullable
public static X509SKI buildX509SKI​(@Nonnull
                                   X509Certificate javaCert)
                            throws SecurityException
        Build an X509SKI containing the subject key identifier extension value contained within a certificate.
        Parameters:
        javaCert - the Java X509Certificate from which to extract the subject key identifier value.
        Returns:
        a new X509SKI object, or null if the certificate did not contain the subject key identifier extension, or the subject key identifier binary can not be base64-encoded.
        Throws:
        SecurityException - if there is a problem building the subject key identifier.

      • buildECKeyValue

        @Nonnull
public static ECKeyValue buildECKeyValue​(@Nonnull
                                         ECPublicKey ecPubKey)
                                  throws EncodingException
        Builds an ECKeyValue XMLObject from the Java security EC public key type.

        Only curve parameters specified by a NamedCurve are supported. Use of explicit curve parameters will throw.

        Parameters:
        ecPubKey - a naive java ECPublicKey
        Returns:
        an ECKeyValue XMLObject
        Throws:
        EncodingException - if the NamedCurve variant was not used, if the EC PublicKey value is invalid or if the EC PublicKey value can not be Base64 encoded

      • getKey

        @Nullable
public static PublicKey getKey​(@Nonnull
                               KeyValue keyValue)
                        throws KeyException
        Extracts the DSA or RSA public key within the KeyValue.
        Parameters:
        keyValue - the KeyValue to extract the key from
        Returns:
        a native Java security Key object
        Throws:
        KeyException - thrown if the given key data can not be converted into PublicKey

      • getDHKey

        @Nonnull
public static PublicKey getDHKey​(@Nonnull
                                 DHKeyValue keyDescriptor)
                          throws KeyException
        Builds a DH key from a DHKeyValue element. The element must contain values for all required DH public key parameters, including values for shared key family values P, Q and G (aka Generator).
        Parameters:
        keyDescriptor - the DHKeyValue key descriptor
        Returns:
        a new DHPublicKey instance of PublicKey
        Throws:
        KeyException - thrown if the key algorithm is not supported by the JCE or the key spec does not contain valid information

      • hasCompleteDHParams

        public static boolean hasCompleteDHParams​(@Nullable
                                          DHKeyValue keyDescriptor)
        Check whether the specified DHKeyValue element has the all optional DH values which can be shared amongst many keys in a DH "key family", and are presumed to be known from context.
        Parameters:
        keyDescriptor - the DHKeyValue element to check
        Returns:
        true if all parameters are present and non-empty, false otherwise

      • getDSAKey

        @Nonnull
public static PublicKey getDSAKey​(@Nonnull
                                  DSAKeyValue keyDescriptor)
                           throws KeyException
        Builds an DSA key from a DSAKeyValue element. The element must contain values for all required DSA public key parameters, including values for shared key family values P, Q and G.
        Parameters:
        keyDescriptor - the DSAKeyValue key descriptor
        Returns:
        a new DSAPublicKey instance of PublicKey
        Throws:
        KeyException - thrown if the key algorithm is not supported by the JCE or the key spec does not contain valid information

      • getDSAKey

        @Nonnull
public static PublicKey getDSAKey​(@Nonnull
                                  DSAKeyValue keyDescriptor,
                                  @Nonnull
                                  DSAParams dsaParams)
                           throws KeyException
        Builds a DSA key from an DSAKeyValue element and the supplied Java DSAParams, which supplies key material from a shared key family.
        Parameters:
        keyDescriptor - the DSAKeyValue key descriptor
        dsaParams - the DSAParams DSA key family parameters
        Returns:
        a new DSAPublicKey instance of PublicKey
        Throws:
        KeyException - thrown if the key algorithm is not supported by the JCE or the key spec does not contain valid information

      • hasCompleteDSAParams

        public static boolean hasCompleteDSAParams​(@Nullable
                                           DSAKeyValue keyDescriptor)
        Check whether the specified DSAKeyValue element has the all optional DSA values which can be shared amongst many keys in a DSA "key family", and are presumed to be known from context.
        Parameters:
        keyDescriptor - the DSAKeyValue element to check
        Returns:
        true if all parameters are present and non-empty, false otherwise

      • decodeBigIntegerFromCryptoBinary

        @Nonnull
public static final BigInteger decodeBigIntegerFromCryptoBinary​(@Nonnull
                                                                String base64Value)
                                                         throws DecodingException
        Decode a base64-encoded ds:CryptoBinary value to a native Java BigInteger type.
        Parameters:
        base64Value - base64-encoded CryptoBinary value
        Returns:
        the decoded BigInteger
        Throws:
        DecodingException - if the base64 value can not be decoded.

      • encodeCryptoBinaryFromBigInteger

        @Nonnull
public static final String encodeCryptoBinaryFromBigInteger​(@Nonnull
                                                            BigInteger bigInt)
                                                     throws EncodingException
        Encode a native Java BigInteger type to a base64-encoded ds:CryptoBinary value.
        Parameters:
        bigInt - the BigInteger value
        Returns:
        the encoded CryptoBinary value
        Throws:
        EncodingException - if the BigInteger as bytes can not be base64 encoded.

      • buildKey

        @Nonnull
protected static PublicKey buildKey​(@Nonnull
                                    KeySpec keySpec,
                                    @Nonnull
                                    String keyAlgorithm)
                             throws KeyException
        Generates a public key from the given key spec.
        Parameters:
        keySpec - KeySpec specification for the key
        keyAlgorithm - key generation algorithm, only DSA and RSA supported
        Returns:
        the generated PublicKey
        Throws:
        KeyException - thrown if the key algorithm is not supported by the JCE or the key spec does not contain valid information

      • parseKeyType

        private static String parseKeyType​(@Nonnull
                                   byte[] encodedKey)
        Parse the JCA key algorithm type from the ASN.1 encoded form of the public key.

        Methodology is to parse the ASN.1 data to the SubjectPublicKeyInfo, read the AlgorithmIdentifier for the key type's OID, then map the OID to the JCA key algorithm.

        Parameters:
        encodedKey - the ASN.1 encoded key
        Returns:
        the JCA key algorithm, or null if the OID parsing or OID-to-algorithm mapping fails

      • getKeyInfoGenerator

        @Nullable
public static KeyInfoGenerator getKeyInfoGenerator​(@Nonnull
                                                   Credential credential,
                                                   @Nonnull
                                                   NamedKeyInfoGeneratorManager manager,
                                                   @Nullable
                                                   String keyInfoProfileName)
        Obtains a KeyInfoGenerator for the specified Credential.

        The KeyInfoGenerator returned is resolved via the supplied NamedKeyInfoGeneratorManager and is determined by the type of the signing credential and an optional KeyInfo generator profile configuration name. If the latter is ommited, the default manager (NamedKeyInfoGeneratorManager.getDefaultManager()) of the security configuration's named generator manager will be used.

        Parameters:
        credential - the credential for which a generator is desired
        manager - the NamedKeyInfoGeneratorManager instance to use
        keyInfoProfileName - the named KeyInfoGeneratorManager configuration to use (may be null)
        Returns:
        a KeyInfoGenerator appropriate for the specified credential