public class BasicEncryptionParametersResolver extends AbstractSecurityParametersResolver<EncryptionParameters> implements EncryptionParametersResolver

Basic implementation of EncryptionParametersResolver.

The following Criterion inputs are supported:

- EncryptionConfigurationCriterion - required
- KeyInfoGenerationProfileCriterion - optional
- EncryptionOptionalCriterion - optional

Field Summary

Modifier and Type | Field | Description
---|---|---
private AlgorithmRegistry | algorithmRegistry | The AlgorithmRegistry used when processing algorithm URIs.
private boolean | autoGenerateDataEncryptionCredential | Flag indicating whether the resolver should auto-generate data encryption credentials.
private org.slf4j.Logger | log | Logger.
Constructor Summary

Constructor | Description
---|---
BasicEncryptionParametersResolver() | Constructor.
Method Summary

Modifier and Type | Method | Description
---|---|---
protected boolean | credentialSupportsAlgorithm(org.opensaml.security.credential.Credential credential, String algorithm) | Evaluate whether the specified credential is supported for use with the specified algorithm URI.
protected org.opensaml.security.credential.Credential | generateDataEncryptionCredential(String dataEncryptionAlgorithm) | Generate a random data encryption symmetric key credential.
AlgorithmRegistry | getAlgorithmRegistry() | Get the AlgorithmRegistry instance used when resolving algorithm URIs.
protected com.google.common.base.Predicate<String> | getAlgorithmRuntimeSupportedPredicate() | Get a predicate which evaluates whether a cryptographic algorithm is supported by the runtime environment.
protected List<String> | getEffectiveDataEncryptionAlgorithms(net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria, com.google.common.base.Predicate<String> whitelistBlacklistPredicate) | Get the effective list of data encryption algorithm URIs to consider, including application of whitelist/blacklist policy.
protected List<org.opensaml.security.credential.Credential> | getEffectiveDataEncryptionCredentials(net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria) | Get the effective list of data encryption credentials to consider.
protected List<String> | getEffectiveKeyTransportAlgorithms(net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria, com.google.common.base.Predicate<String> whitelistBlacklistPredicate) | Get the effective list of key transport algorithm URIs to consider, including application of whitelist/blacklist policy.
protected List<org.opensaml.security.credential.Credential> | getEffectiveKeyTransportCredentials(net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria) | Get the effective list of key transport credentials to consider.
protected com.google.common.base.Predicate<String> | getWhitelistBlacklistPredicate(net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria) | Get a predicate which implements the effective configured whitelist/blacklist policy.
boolean | isAutoGenerateDataEncryptionCredential() | Get whether this resolver should auto-generate data encryption credentials.
protected boolean | isDataEncryptionAlgorithm(String algorithm) | Evaluate whether the specified algorithm is a data encryption algorithm.
protected boolean | isKeyTransportAlgorithm(String algorithm) | Evaluate whether the specified algorithm is a key transport algorithm.
protected void | logResult(EncryptionParameters params) | Log the resolved parameters.
protected void | populateRSAOAEPParams(RSAOAEPParameters rsaParams, net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria, com.google.common.base.Predicate<String> whitelistBlacklistPredicate) | Populate an instance of RSAOAEPParameters based on data from the supplied instances of EncryptionConfiguration.
protected void | processDataEncryptionCredentialAutoGeneration(EncryptionParameters params) | Auto-generate and populate a data encryption credential, if configured and required conditions are met.
Iterable<EncryptionParameters> | resolve(net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria) |
protected void | resolveAndPopulateCredentialsAndAlgorithms(EncryptionParameters params, net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria, com.google.common.base.Predicate<String> whitelistBlacklistPredicate) | Resolve and populate the data encryption and key transport credentials and algorithm URIs.
protected void | resolveAndPopulateRSAOAEPParams(EncryptionParameters params, net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria, com.google.common.base.Predicate<String> whitelistBlacklistPredicate) | Resolve and populate an instance of RSAOAEPParameters, if appropriate for the selected key transport encryption algorithm.
protected String | resolveDataEncryptionAlgorithm(org.opensaml.security.credential.Credential dataEncryptionCredential, net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria, com.google.common.base.Predicate<String> whitelistBlacklistPredicate) | Determine the data encryption algorithm URI to use with the specified data encryption credential.
protected String | resolveDataEncryptionAlgorithm(org.opensaml.security.credential.Credential dataEncryptionCredential, List<String> dataEncryptionAlgorithms) | Determine the data encryption algorithm URI, considering the optionally specified data encryption credential.
protected KeyInfoGenerator | resolveDataKeyInfoGenerator(net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria, org.opensaml.security.credential.Credential dataEncryptionCredential) | Resolve and return the KeyInfoGenerator instance to use with the specified data encryption credential.
protected String | resolveKeyTransportAlgorithm(org.opensaml.security.credential.Credential keyTransportCredential, net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria, com.google.common.base.Predicate<String> whitelistBlacklistPredicate, String dataEncryptionAlgorithm) | Determine the key transport algorithm URI to use with the specified credential.
protected String | resolveKeyTransportAlgorithm(org.opensaml.security.credential.Credential keyTransportCredential, List<String> keyTransportAlgorithms, String dataEncryptionAlgorithm, KeyTransportAlgorithmPredicate keyTransportPredicate) | Determine the key transport encryption algorithm URI to use with the specified key transport credential and optional data encryption algorithm URI.
protected KeyTransportAlgorithmPredicate | resolveKeyTransportAlgorithmPredicate(net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria) | Resolve the optional effectively configured instance of KeyTransportAlgorithmPredicate to use.
protected KeyInfoGenerator | resolveKeyTransportKeyInfoGenerator(net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria, org.opensaml.security.credential.Credential keyTransportEncryptionCredential) | Resolve and return the KeyInfoGenerator instance to use with the specified key transport credential.
EncryptionParameters | resolveSingle(net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria) |
void | setAlgorithmRegistry(AlgorithmRegistry registry) | Set the AlgorithmRegistry instance used when resolving algorithm URIs.
void | setAutoGenerateDataEncryptionCredential(boolean flag) | Set whether this resolver should auto-generate data encryption credentials.
protected boolean | validate(EncryptionParameters params) | Deprecated.
protected boolean | validate(EncryptionParameters params, boolean encryptionOptional) | Validate that the EncryptionParameters instance has all the required properties populated.
Methods inherited from class AbstractSecurityParametersResolver: lookupKeyInfoGenerator, resolveAndPopulateWhiteAndBlacklists, resolveEffectiveBlacklist, resolveEffectiveWhitelist, resolveWhitelistBlacklistPrecedence, resolveWhitelistBlacklistPredicate
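The following is an added example of driving this resolver, not code from the OpenSAML Javadoc or code base. It assumes OpenSAML 3.x with the classes imported below, uses a constructed throwaway RSA key pair in place of the peer's real key transport credential, and shows two behaviours described above: the whitelist/blacklist predicate discarding blacklisted candidates (RSA PKCS#1 v1.5 key transport, 3DES) even when they are listed first, and the auto-generation of the data encryption key when the flag is set.

```java
import java.security.KeyPair;
import java.util.Arrays;
import java.util.Collections;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import org.opensaml.core.config.InitializationService;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.CredentialSupport;
import org.opensaml.security.crypto.KeySupport;
import org.opensaml.xmlsec.EncryptionParameters;
import org.opensaml.xmlsec.criterion.EncryptionConfigurationCriterion;
import org.opensaml.xmlsec.encryption.support.EncryptionConstants;
import org.opensaml.xmlsec.impl.BasicEncryptionConfiguration;
import org.opensaml.xmlsec.impl.BasicEncryptionParametersResolver;

public class ResolveEncryptionParametersExample {
    public static void main(String[] args) throws Exception {
        // Bootstraps OpenSAML, including the global AlgorithmRegistry the resolver consults by default.
        InitializationService.initialize();

        // Constructed stand-in for the peer's encryption certificate: a throwaway RSA key pair.
        KeyPair peerKeys = KeySupport.generateKeyPair("RSA", 2048, null);
        Credential peerCredential = CredentialSupport.getSimpleCredential(peerKeys.getPublic(), null);

        BasicEncryptionConfiguration config = new BasicEncryptionConfiguration();
        config.setKeyTransportEncryptionCredentials(Collections.singletonList(peerCredential));
        // Candidates in preference order; the first one passing policy and runtime support wins.
        config.setKeyTransportEncryptionAlgorithms(Arrays.asList(
                EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15,
                EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP));
        config.setDataEncryptionAlgorithms(Arrays.asList(
                EncryptionConstants.ALGO_ID_BLOCKCIPHER_TRIPLEDES,
                EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128_GCM));
        // Blacklist policy enforced via getWhitelistBlacklistPredicate(): these two URIs are
        // filtered out of the effective lists even though they are listed first above.
        config.setBlacklistedAlgorithms(Arrays.asList(
                EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15,
                EncryptionConstants.ALGO_ID_BLOCKCIPHER_TRIPLEDES));

        BasicEncryptionParametersResolver resolver = new BasicEncryptionParametersResolver();
        // Have the resolver mint the symmetric data key via generateDataEncryptionCredential().
        resolver.setAutoGenerateDataEncryptionCredential(true);

        CriteriaSet criteria = new CriteriaSet(new EncryptionConfigurationCriterion(config));
        EncryptionParameters params = resolver.resolveSingle(criteria);
        if (params == null) {
            throw new IllegalStateException("no parameters satisfy the configured policy");
        }
        System.out.println("key transport:      " + params.getKeyTransportEncryptionAlgorithm());
        System.out.println("data encryption:    " + params.getDataEncryptionAlgorithm());
        System.out.println("data key generated: " + (params.getDataEncryptionCredential() != null));
    }
}
```

With this configuration the resolver selects RSA-OAEP and AES-128-GCM; removing the blacklist would let the weaker first-listed candidates through, which is the policy gap the whitelist/blacklist predicate exists to close.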
Field Detail

log
private org.slf4j.Logger log
Logger.

algorithmRegistry
private AlgorithmRegistry algorithmRegistry
The AlgorithmRegistry used when processing algorithm URIs.

autoGenerateDataEncryptionCredential
private boolean autoGenerateDataEncryptionCredential
Flag indicating whether the resolver should auto-generate data encryption credentials.

Constructor Detail

BasicEncryptionParametersResolver
public BasicEncryptionParametersResolver()
Constructor.

Method Detail

getAlgorithmRegistry
public AlgorithmRegistry getAlgorithmRegistry()
Get the AlgorithmRegistry instance used when resolving algorithm URIs. Defaults to the registry resolved via AlgorithmSupport.getGlobalAlgorithmRegistry().

setAlgorithmRegistry
public void setAlgorithmRegistry(@Nonnull AlgorithmRegistry registry)
Set the AlgorithmRegistry instance used when resolving algorithm URIs. Defaults to the registry resolved via AlgorithmSupport.getGlobalAlgorithmRegistry().
Parameters:
registry - the new algorithm registry instance

isAutoGenerateDataEncryptionCredential
public boolean isAutoGenerateDataEncryptionCredential()
Get whether this resolver should auto-generate data encryption credentials.

setAutoGenerateDataEncryptionCredential
public void setAutoGenerateDataEncryptionCredential(boolean flag)
Set whether this resolver should auto-generate data encryption credentials.
Parameters:
flag - true if should auto-generate, false otherwise

resolve
@Nonnull public Iterable<EncryptionParameters> resolve(@Nonnull net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria) throws net.shibboleth.utilities.java.support.resolver.ResolverException
Specified by:
resolve in interface net.shibboleth.utilities.java.support.resolver.Resolver<EncryptionParameters,net.shibboleth.utilities.java.support.resolver.CriteriaSet>
Throws:
net.shibboleth.utilities.java.support.resolver.ResolverException

resolveSingle
@Nullable public EncryptionParameters resolveSingle(@Nonnull net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria) throws net.shibboleth.utilities.java.support.resolver.ResolverException
Specified by:
resolveSingle in interface net.shibboleth.utilities.java.support.resolver.Resolver<EncryptionParameters,net.shibboleth.utilities.java.support.resolver.CriteriaSet>
Throws:
net.shibboleth.utilities.java.support.resolver.ResolverException

logResult
protected void logResult(@Nonnull EncryptionParameters params)
Log the resolved parameters.
Parameters:
params - the resolved params

validate
protected boolean validate(@Nonnull EncryptionParameters params)
Deprecated. Use validate(EncryptionParameters, boolean).
Validate that the EncryptionParameters instance has all the required properties populated. Equivalent to: #validate(EncryptionParameters, false)
Parameters:
params - the parameters instance to evaluate

validate
protected boolean validate(@Nonnull EncryptionParameters params, boolean encryptionOptional)
Validate that the EncryptionParameters instance has all the required properties populated.
Parameters:
params - the parameters instance to evaluate

getWhitelistBlacklistPredicate
@Nonnull protected com.google.common.base.Predicate<String> getWhitelistBlacklistPredicate(@Nonnull net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria)
Get a predicate which implements the effective configured whitelist/blacklist policy.
Parameters:
criteria - the input criteria being evaluated

resolveAndPopulateCredentialsAndAlgorithms
protected void resolveAndPopulateCredentialsAndAlgorithms(@Nonnull EncryptionParameters params, @Nonnull net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria, @Nonnull com.google.common.base.Predicate<String> whitelistBlacklistPredicate)
Resolve and populate the data encryption and key transport credentials and algorithm URIs.
Parameters:
params - the params instance being populated
criteria - the input criteria being evaluated
whitelistBlacklistPredicate - the whitelist/blacklist predicate with which to evaluate the candidate data encryption and key transport algorithm URIs

resolveAndPopulateRSAOAEPParams
protected void resolveAndPopulateRSAOAEPParams(@Nonnull EncryptionParameters params, @Nonnull net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria, @Nonnull com.google.common.base.Predicate<String> whitelistBlacklistPredicate)
Resolve and populate an instance of RSAOAEPParameters, if appropriate for the selected key transport encryption algorithm.
Parameters:
params - the params instance being populated
criteria - the input criteria being evaluated
whitelistBlacklistPredicate - the whitelist/blacklist predicate with which to evaluate the candidate data encryption and key transport algorithm URIs

populateRSAOAEPParams
protected void populateRSAOAEPParams(@Nonnull RSAOAEPParameters rsaParams, @Nonnull net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria, @Nonnull com.google.common.base.Predicate<String> whitelistBlacklistPredicate)
Populate an instance of RSAOAEPParameters based on data from the supplied instances of EncryptionConfiguration.
Parameters:
rsaParams - the existing RSAOAEPParameters instance being populated
criteria - the input criteria being evaluated
whitelistBlacklistPredicate - the whitelist/blacklist predicate with which to evaluate the candidate data encryption and key transport algorithm URIs

resolveKeyTransportAlgorithmPredicate
@Nullable protected KeyTransportAlgorithmPredicate resolveKeyTransportAlgorithmPredicate(@Nonnull net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria)
Resolve the optional effectively configured instance of KeyTransportAlgorithmPredicate to use.
Parameters:
criteria - the input criteria being evaluated

resolveKeyTransportAlgorithm
@Nullable protected String resolveKeyTransportAlgorithm(@Nonnull org.opensaml.security.credential.Credential keyTransportCredential, @Nonnull List<String> keyTransportAlgorithms, @Nullable String dataEncryptionAlgorithm, @Nullable KeyTransportAlgorithmPredicate keyTransportPredicate)
Determine the key transport encryption algorithm URI to use with the specified key transport credential and optional data encryption algorithm URI.
Parameters:
keyTransportCredential - the key transport credential being evaluated
keyTransportAlgorithms - the list of effective key transport algorithms to evaluate
dataEncryptionAlgorithm - the optional data encryption algorithm URI to consider
keyTransportPredicate - the optional key transport algorithm predicate to evaluate

resolveKeyTransportAlgorithm
@Nullable protected String resolveKeyTransportAlgorithm(@Nonnull org.opensaml.security.credential.Credential keyTransportCredential, @Nonnull net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria, @Nonnull com.google.common.base.Predicate<String> whitelistBlacklistPredicate, @Nullable String dataEncryptionAlgorithm)
Determine the key transport algorithm URI to use with the specified credential.
Parameters:
keyTransportCredential - the key transport credential to evaluate
criteria - the criteria instance being evaluated
whitelistBlacklistPredicate - the whitelist/blacklist predicate with which to evaluate the candidate data encryption and key transport algorithm URIs
dataEncryptionAlgorithm - the optional data encryption algorithm URI to consider

resolveDataEncryptionAlgorithm
@Nullable protected String resolveDataEncryptionAlgorithm(@Nullable org.opensaml.security.credential.Credential dataEncryptionCredential, @Nonnull List<String> dataEncryptionAlgorithms)
Determine the data encryption algorithm URI, considering the optionally specified data encryption credential.
Parameters:
dataEncryptionCredential - the data encryption credential being evaluated, may be null
dataEncryptionAlgorithms - the list of effective data encryption algorithms to evaluate

resolveDataEncryptionAlgorithm
@Nullable protected String resolveDataEncryptionAlgorithm(@Nonnull org.opensaml.security.credential.Credential dataEncryptionCredential, @Nonnull net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria, @Nonnull com.google.common.base.Predicate<String> whitelistBlacklistPredicate)
Determine the data encryption algorithm URI to use with the specified data encryption credential.
Parameters:
dataEncryptionCredential - the data encryption credential to evaluate
criteria - the criteria instance being evaluated
whitelistBlacklistPredicate - the whitelist/blacklist predicate with which to evaluate the candidate data encryption and key transport algorithm URIs

getEffectiveDataEncryptionCredentials
@Nonnull protected List<org.opensaml.security.credential.Credential> getEffectiveDataEncryptionCredentials(@Nonnull net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria)
Get the effective list of data encryption credentials to consider.
Parameters:
criteria - the input criteria being evaluated

getEffectiveDataEncryptionAlgorithms
@Nonnull protected List<String> getEffectiveDataEncryptionAlgorithms(@Nonnull net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria, @Nonnull com.google.common.base.Predicate<String> whitelistBlacklistPredicate)
Get the effective list of data encryption algorithm URIs to consider, including application of whitelist/blacklist policy.
Parameters:
criteria - the input criteria being evaluated
whitelistBlacklistPredicate - the whitelist/blacklist predicate to use

getEffectiveKeyTransportCredentials
@Nonnull protected List<org.opensaml.security.credential.Credential> getEffectiveKeyTransportCredentials(@Nonnull net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria)
Get the effective list of key transport credentials to consider.
Parameters:
criteria - the input criteria being evaluated

getEffectiveKeyTransportAlgorithms
@Nonnull protected List<String> getEffectiveKeyTransportAlgorithms(@Nonnull net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria, @Nonnull com.google.common.base.Predicate<String> whitelistBlacklistPredicate)
Get the effective list of key transport algorithm URIs to consider, including application of whitelist/blacklist policy.
Parameters:
criteria - the input criteria being evaluated
whitelistBlacklistPredicate - the whitelist/blacklist predicate to use

resolveDataKeyInfoGenerator
@Nullable protected KeyInfoGenerator resolveDataKeyInfoGenerator(@Nullable net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria, @Nullable org.opensaml.security.credential.Credential dataEncryptionCredential)
Resolve and return the KeyInfoGenerator instance to use with the specified data encryption credential.
Parameters:
criteria - the input criteria being evaluated
dataEncryptionCredential - the credential being evaluated

resolveKeyTransportKeyInfoGenerator
@Nullable protected KeyInfoGenerator resolveKeyTransportKeyInfoGenerator(@Nonnull net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria, @Nullable org.opensaml.security.credential.Credential keyTransportEncryptionCredential)
Resolve and return the KeyInfoGenerator instance to use with the specified key transport credential.
Parameters:
criteria - the input criteria being evaluated
keyTransportEncryptionCredential - the credential being evaluated

getAlgorithmRuntimeSupportedPredicate
@Nonnull protected com.google.common.base.Predicate<String> getAlgorithmRuntimeSupportedPredicate()
Get a predicate which evaluates whether a cryptographic algorithm is supported by the runtime environment.

credentialSupportsAlgorithm
protected boolean credentialSupportsAlgorithm(@Nonnull org.opensaml.security.credential.Credential credential, @Nonnull @NotEmpty String algorithm)
Evaluate whether the specified credential is supported for use with the specified algorithm URI.
Parameters:
credential - the credential to evaluate
algorithm - the algorithm URI to evaluate

isKeyTransportAlgorithm
protected boolean isKeyTransportAlgorithm(@Nonnull String algorithm)
Evaluate whether the specified algorithm is a key transport algorithm.
Parameters:
algorithm - the algorithm URI to evaluate

isDataEncryptionAlgorithm
protected boolean isDataEncryptionAlgorithm(String algorithm)
Evaluate whether the specified algorithm is a data encryption algorithm.
Parameters:
algorithm - the algorithm URI to evaluate

generateDataEncryptionCredential
@Nullable protected org.opensaml.security.credential.Credential generateDataEncryptionCredential(@Nonnull String dataEncryptionAlgorithm)
Generate a random data encryption symmetric key credential.
Parameters:
dataEncryptionAlgorithm - the data encryption algorithm URI

processDataEncryptionCredentialAutoGeneration
protected void processDataEncryptionCredentialAutoGeneration(@Nonnull EncryptionParameters params)
Auto-generate and populate a data encryption credential, if configured and required conditions are met.
Parameters:
params - the encryption parameters instance to process

Copyright © 1999–2020 Shibboleth Consortium. All rights reserved.