Class BasicEncryptionParametersResolver

All Implemented Interfaces:
Resolver<EncryptionParameters,CriteriaSet>, EncryptionParametersResolver
Direct Known Subclasses:
SAMLMetadataEncryptionParametersResolver

public class BasicEncryptionParametersResolver
extends AbstractSecurityParametersResolver<EncryptionParameters>
implements EncryptionParametersResolver
Basic implementation of EncryptionParametersResolver.

The following Criterion inputs are supported:

  • Field Details

    • log

      @Nonnull private org.slf4j.Logger log
      Logger.
    • algorithmRegistry

      @Nonnull private AlgorithmRegistry algorithmRegistry
      The AlgorithmRegistry used when processing algorithm URIs.
    • autoGenerateDataEncryptionCredential

      private boolean autoGenerateDataEncryptionCredential
      Flag indicating whether the resolver should auto-generate data encryption credentials.
  • Constructor Details

    • BasicEncryptionParametersResolver

      public BasicEncryptionParametersResolver()
      Constructor.
  • Method Details

    • getAlgorithmRegistry

      @Nonnull public AlgorithmRegistry getAlgorithmRegistry()
      Get the AlgorithmRegistry instance used when resolving algorithm URIs. Defaults to the registry resolved via AlgorithmSupport.getGlobalAlgorithmRegistry().
      Returns:
      the algorithm registry instance
    • setAlgorithmRegistry

      public void setAlgorithmRegistry(@Nonnull AlgorithmRegistry registry)
      Set the AlgorithmRegistry instance used when resolving algorithm URIs. Defaults to the registry resolved via AlgorithmSupport.getGlobalAlgorithmRegistry().
      Parameters:
      registry - the new algorithm registry instance
    • isAutoGenerateDataEncryptionCredential

      public boolean isAutoGenerateDataEncryptionCredential()
      Get whether this resolver should auto-generate data encryption credentials.
      Returns:
      true if the resolver should auto-generate, false otherwise
    • setAutoGenerateDataEncryptionCredential

      public void setAutoGenerateDataEncryptionCredential(boolean flag)
      Set whether this resolver should auto-generate data encryption credentials.
      Parameters:
      flag - true if the resolver should auto-generate, false otherwise
    • resolve

      @Nonnull public Iterable<EncryptionParameters> resolve(@Nonnull CriteriaSet criteria) throws ResolverException
      Specified by:
      resolve in interface Resolver<EncryptionParameters,CriteriaSet>
      Throws:
      ResolverException
    • resolveSingle

      @Nullable public EncryptionParameters resolveSingle(@Nonnull CriteriaSet criteria) throws ResolverException
      Specified by:
      resolveSingle in interface Resolver<EncryptionParameters,CriteriaSet>
      Throws:
      ResolverException
    • logResult

      protected void logResult(@Nonnull EncryptionParameters params)
      Log the resolved parameters.
      Parameters:
      params - the resolved parameters
    • validate

      protected boolean validate(@Nonnull EncryptionParameters params, boolean encryptionOptional)
      Validate that the EncryptionParameters instance has all the required properties populated.
      Parameters:
      params - the parameters instance to evaluate
      encryptionOptional - whether to consider invalid parameters to be a problem
      Returns:
      true if parameters instance passes validation, false otherwise
      Since:
      3.3.0
    • getIncludeExcludePredicate

      @Nonnull protected Predicate<String> getIncludeExcludePredicate(@Nonnull CriteriaSet criteria)
      Get a predicate which implements the effective configured include/exclude policy.
      Parameters:
      criteria - the input criteria being evaluated
      Returns:
      an include/exclude predicate instance
    • getWhitelistBlacklistPredicate

      @Deprecated(since="4.1.0", forRemoval=true) @Nonnull protected Predicate<String> getWhitelistBlacklistPredicate(@Nonnull CriteriaSet criteria)
      Deprecated, for removal: This API element is subject to removal in a future version.
      Get a predicate which implements the effective configured include/exclude policy.
      Parameters:
      criteria - the input criteria being evaluated
      Returns:
      an include/exclude predicate instance
    • resolveAndPopulateCredentialsAndAlgorithms

      protected void resolveAndPopulateCredentialsAndAlgorithms(@Nonnull EncryptionParameters params, @Nonnull CriteriaSet criteria, @Nonnull Predicate<String> includeExcludePredicate)
      Resolve and populate the data encryption and key transport credentials and algorithm URIs.
      Parameters:
      params - the params instance being populated
      criteria - the input criteria being evaluated
      includeExcludePredicate - the include/exclude predicate with which to evaluate the candidate data encryption and key transport algorithm URIs
    • checkAndProcessKeyAgreement

      protected boolean checkAndProcessKeyAgreement(@Nonnull EncryptionParameters params, @Nonnull CriteriaSet criteria, @Nonnull Credential credential, @Nonnull List<String> dataEncryptionAlgorithms, @Nonnull List<String> keyTransportAlgorithms)
      Check for a credential type that implies a key agreement operation, and process if so indicated.

      For both algorithm list arguments, they are assumed to already have had runtime support and include/exclude filtering applied.

      If symmetric key wrap should NOT be considered, pass an empty list for keyTransportAlgorithms. Otherwise, if the keyTransportAlgorithms list contains a symmetric key wrap algorithm, then key wrapping will be indicated in the produced parameters. If it does not then direct data encryption will be indicated.

      Parameters:
      params - the params instance being populated
      criteria - the input criteria being evaluated
      credential - the credential being evaluated
      dataEncryptionAlgorithms - the effective data encryption algorithm URIs
      keyTransportAlgorithms - the effective key transport algorithm URIs
      Returns:
      true if all required parameters were supplied, key agreement was successfully performed, and the EncryptionParameters instance's credential and algorithms properties are fully populated, otherwise false
    • getEffectiveKeyAgreementConfiguration

      @Nullable protected KeyAgreementEncryptionConfiguration getEffectiveKeyAgreementConfiguration(@Nonnull CriteriaSet criteria, @Nonnull Credential credential)
      Get the effective KeyAgreementEncryptionConfiguration to use with the specified credential.
      Parameters:
      criteria - the criteria
      credential - the credential to evaluate
      Returns:
      the key agreement configuration for the credential, or null if it could not be resolved
    • resolveAndPopulateRSAOAEPParams

      protected void resolveAndPopulateRSAOAEPParams(@Nonnull EncryptionParameters params, @Nonnull CriteriaSet criteria, @Nonnull Predicate<String> includeExcludePredicate)
      Resolve and populate an instance of RSAOAEPParameters, if appropriate for the selected key transport encryption algorithm.
      Parameters:
      params - the params instance being populated
      criteria - the input criteria being evaluated
      includeExcludePredicate - the include/exclude predicate with which to evaluate the candidate data encryption and key transport algorithm URIs
    • populateRSAOAEPParams

      protected void populateRSAOAEPParams(@Nonnull RSAOAEPParameters rsaParams, @Nonnull CriteriaSet criteria, @Nonnull Predicate<String> includeExcludePredicate)
      Populate an instance of RSAOAEPParameters based on data from the supplied instances of EncryptionConfiguration.
      Parameters:
      rsaParams - the existing RSAOAEPParameters instance being populated
      criteria - the input criteria being evaluated
      includeExcludePredicate - the include/exclude predicate with which to evaluate the candidate data encryption and key transport algorithm URIs
    • resolveKeyTransportAlgorithmPredicate

      @Nullable protected KeyTransportAlgorithmPredicate resolveKeyTransportAlgorithmPredicate(@Nonnull CriteriaSet criteria)
      Resolve the optional, effectively configured instance of KeyTransportAlgorithmPredicate to use.
      Parameters:
      criteria - the input criteria being evaluated
      Returns:
      the resolved predicate instance, may be null
    • resolveKeyTransportAlgorithm

      @Nullable protected String resolveKeyTransportAlgorithm(@Nonnull Credential keyTransportCredential, @Nonnull List<String> keyTransportAlgorithms, @Nullable String dataEncryptionAlgorithm, @Nullable KeyTransportAlgorithmPredicate keyTransportPredicate)
      Determine the key transport encryption algorithm URI to use with the specified key transport credential and optional data encryption algorithm URI.
      Parameters:
      keyTransportCredential - the key transport credential being evaluated
      keyTransportAlgorithms - the list of effective key transport algorithms to evaluate
      dataEncryptionAlgorithm - the optional data encryption algorithm URI to consider
      keyTransportPredicate - the optional key transport algorithm predicate to evaluate
      Returns:
      the resolved algorithm URI, may be null
    • resolveKeyTransportAlgorithm

      @Nullable protected String resolveKeyTransportAlgorithm(@Nonnull Credential keyTransportCredential, @Nonnull CriteriaSet criteria, @Nonnull Predicate<String> includeExcludePredicate, @Nullable String dataEncryptionAlgorithm)
      Determine the key transport algorithm URI to use with the specified credential.
      Parameters:
      keyTransportCredential - the key transport credential to evaluate
      criteria - the criteria instance being evaluated
      includeExcludePredicate - the include/exclude predicate with which to evaluate the candidate data encryption and key transport algorithm URIs
      dataEncryptionAlgorithm - the optional data encryption algorithm URI to consider
      Returns:
      the selected algorithm URI, may be null
    • resolveDataEncryptionAlgorithm

      @Nullable protected String resolveDataEncryptionAlgorithm(@Nullable Credential dataEncryptionCredential, @Nonnull List<String> dataEncryptionAlgorithms)
      Determine the data encryption algorithm URI, considering the optionally specified data encryption credential.
      Parameters:
      dataEncryptionCredential - the data encryption credential being evaluated, may be null
      dataEncryptionAlgorithms - the list of effective data encryption algorithms to evaluate
      Returns:
      the resolved algorithm URI, may be null
    • resolveDataEncryptionAlgorithm

      @Nullable protected String resolveDataEncryptionAlgorithm(@Nonnull Credential dataEncryptionCredential, @Nonnull CriteriaSet criteria, @Nonnull Predicate<String> includeExcludePredicate)
      Determine the data encryption algorithm URI to use with the specified data encryption credential.
      Parameters:
      dataEncryptionCredential - the data encryption credential to evaluate
      criteria - the criteria instance being evaluated
      includeExcludePredicate - the include/exclude predicate with which to evaluate the candidate data encryption and key transport algorithm URIs
      Returns:
      the selected algorithm URI
    • getEffectiveDataEncryptionCredentials

      @Nonnull protected List<Credential> getEffectiveDataEncryptionCredentials(@Nonnull CriteriaSet criteria)
      Get the effective list of data encryption credentials to consider.
      Parameters:
      criteria - the input criteria being evaluated
      Returns:
      the list of credentials
    • getEffectiveDataEncryptionAlgorithms

      @Nonnull protected List<String> getEffectiveDataEncryptionAlgorithms(@Nonnull CriteriaSet criteria, @Nonnull Predicate<String> includeExcludePredicate)
      Get the effective list of data encryption algorithm URIs to consider, including application of include/exclude policy.
      Parameters:
      criteria - the input criteria being evaluated
      includeExcludePredicate - the include/exclude predicate to use
      Returns:
      the list of effective algorithm URIs
    • getEffectiveKeyTransportCredentials

      @Nonnull protected List<Credential> getEffectiveKeyTransportCredentials(@Nonnull CriteriaSet criteria)
      Get the effective list of key transport credentials to consider.
      Parameters:
      criteria - the input criteria being evaluated
      Returns:
      the list of credentials
    • getEffectiveKeyTransportAlgorithms

      @Nonnull protected List<String> getEffectiveKeyTransportAlgorithms(@Nonnull CriteriaSet criteria, @Nonnull Predicate<String> includeExcludePredicate)
      Get the effective list of key transport algorithm URIs to consider, including application of include/exclude policy.
      Parameters:
      criteria - the input criteria being evaluated
      includeExcludePredicate - the include/exclude predicate to use
      Returns:
      the list of effective algorithm URIs
    • resolveDataKeyInfoGenerator

      @Nullable protected KeyInfoGenerator resolveDataKeyInfoGenerator(@Nullable CriteriaSet criteria, @Nullable Credential dataEncryptionCredential)
      Resolve and return the KeyInfoGenerator instance to use with the specified data encryption credential.
      Parameters:
      criteria - the input criteria being evaluated
      dataEncryptionCredential - the credential being evaluated
      Returns:
      KeyInfo generator instance, or null
    • resolveKeyTransportKeyInfoGenerator

      @Nullable protected KeyInfoGenerator resolveKeyTransportKeyInfoGenerator(@Nonnull CriteriaSet criteria, @Nullable Credential keyTransportEncryptionCredential)
      Resolve and return the KeyInfoGenerator instance to use with the specified key transport credential.
      Parameters:
      criteria - the input criteria being evaluated
      keyTransportEncryptionCredential - the credential being evaluated
      Returns:
      KeyInfo generator instance, or null
    • getAlgorithmRuntimeSupportedPredicate

      @Nonnull protected Predicate<String> getAlgorithmRuntimeSupportedPredicate()
      Get a predicate which evaluates whether a cryptographic algorithm is supported by the runtime environment.
      Returns:
      the predicate
    • credentialSupportsAlgorithm

      protected boolean credentialSupportsAlgorithm(@Nonnull Credential credential, @Nonnull @NotEmpty String algorithm)
      Evaluate whether the specified credential is supported for use with the specified algorithm URI.
      Parameters:
      credential - the credential to evaluate
      algorithm - the algorithm URI to evaluate
      Returns:
      true if credential may be used with the supplied algorithm URI, false otherwise
    • isKeyTransportAlgorithm

      protected boolean isKeyTransportAlgorithm(@Nonnull String algorithm)
      Evaluate whether the specified algorithm is a key transport algorithm.
      Parameters:
      algorithm - the algorithm URI to evaluate
      Returns:
      true if the URI is a key transport algorithm URI, false otherwise
    • isDataEncryptionAlgorithm

      protected boolean isDataEncryptionAlgorithm(String algorithm)
      Evaluate whether the specified algorithm is a data encryption algorithm.
      Parameters:
      algorithm - the algorithm URI to evaluate
      Returns:
      true if the URI is a data encryption algorithm URI, false otherwise
    • generateDataEncryptionCredential

      @Nullable protected Credential generateDataEncryptionCredential(@Nonnull String dataEncryptionAlgorithm)
      Generate a random data encryption symmetric key credential.
      Parameters:
      dataEncryptionAlgorithm - the data encryption algorithm URI
      Returns:
      the generated credential, or null if there was a problem generating a key from the algorithm URI
    • processDataEncryptionCredentialAutoGeneration

      protected void processDataEncryptionCredentialAutoGeneration(@Nonnull EncryptionParameters params)
      Auto-generate and populate a data encryption credential, if configured and required conditions are met.
      Parameters:
      params - the encryption parameters instance to process
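
Usage example, added here and not part of the OpenSAML Javadoc or the library's own code: it drives the resolver above through resolveSingle with an EncryptionConfigurationCriterion, relying on the include/exclude policy and auto-generation of the data encryption credential. It assumes the OpenSAML 4.1 classes BasicEncryptionConfiguration, EncryptionConfigurationCriterion and EncryptionConstants (4.1 naming: setExcludedAlgorithms; earlier releases used setBlacklistedAlgorithms), and a hypothetical peerKeyTransportCredential holding the recipient's public key; the wrapper class and method names are illustrative.

```java
import java.util.List;

import javax.annotation.Nonnull;

import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.ResolverException;

import org.opensaml.security.credential.Credential;
import org.opensaml.xmlsec.EncryptionParameters;
import org.opensaml.xmlsec.criterion.EncryptionConfigurationCriterion;
import org.opensaml.xmlsec.encryption.support.EncryptionConstants;
import org.opensaml.xmlsec.impl.BasicEncryptionConfiguration;
import org.opensaml.xmlsec.impl.BasicEncryptionParametersResolver;

/** Hypothetical helper; not an OpenSAML class. */
public final class EncryptionParametersExample {

    /** Resolve parameters for encrypting to the peer whose public key is in peerKeyTransportCredential (assumed loaded elsewhere). */
    @Nonnull public static EncryptionParameters resolveForPeer(
            @Nonnull final Credential peerKeyTransportCredential) throws ResolverException {

        // Local EncryptionConfiguration; deployments normally layer this over the global one.
        final BasicEncryptionConfiguration config = new BasicEncryptionConfiguration();
        // Candidate data encryption algorithms, in preference order.
        config.setDataEncryptionAlgorithms(List.of(
                EncryptionConstants.ALGO_ID_BLOCK_CIPHER_AES256_GCM,
                EncryptionConstants.ALGO_ID_BLOCK_CIPHER_AES128_GCM));
        // Candidate key transport algorithms; resolveKeyTransportAlgorithm picks the
        // first one the credential supports and the runtime provides.
        config.setKeyTransportEncryptionAlgorithms(List.of(
                EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP));
        config.setKeyTransportEncryptionCredentials(List.of(peerKeyTransportCredential));
        // Exclude policy: the include/exclude predicate filters out RSA PKCS#1 v1.5
        // key transport even if another layered configuration lists it.
        config.setExcludedAlgorithms(List.of(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15));

        final BasicEncryptionParametersResolver resolver = new BasicEncryptionParametersResolver();
        // No data encryption credential is configured, so have the resolver generate a
        // fresh random symmetric key matching the selected data encryption algorithm.
        resolver.setAutoGenerateDataEncryptionCredential(true);

        final CriteriaSet criteria = new CriteriaSet(new EncryptionConfigurationCriterion(config));
        final EncryptionParameters params = resolver.resolveSingle(criteria);
        if (params == null) {
            // validate() rejected the result: no usable credential/algorithm pair under the policy.
            throw new ResolverException("No usable encryption parameters for peer");
        }
        return params;
    }
}
```

A successful result exposes the chosen URIs via getDataEncryptionAlgorithm() and getKeyTransportEncryptionAlgorithm(), and the generated symmetric key via getDataEncryptionCredential().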