se.litsec.opensaml.xmlsec

Class SAMLObjectDecrypter

java.lang.Object

se.litsec.opensaml.xmlsec.SAMLObjectDecrypter

public class SAMLObjectDecrypter
extends Object

A support bean for easy decryption.

For some reason, OpenSAML offers two ways to represent decryption parameters, the DecryptionParameters and the DecryptionConfiguration. This bean supports being initialized by either of these two, but also, and perhaps easier to use; it supports initialization with just the encryption credentials and assigns the following defaults:

• For the encrypted key resolver a ChainingKeyInfoCredentialResolver instance is used that chains a LocalKeyInfoCredentialResolver and a InlineEncryptedKeyResolver.
• For the key encryption key resolver a ChainingEncryptedKeyResolver instance chaining the resolvers: InlineEncryptedKeyResolver, EncryptedElementTypeEncryptedKeyResolver, SimpleRetrievalMethodEncryptedKeyResolver and SimpleKeyInfoReferenceEncryptedKeyResolver.

Author:

Martin Lindström (martin.lindstrom@litsec.se)

Constructor Summary

Constructors

Constructor and Description
SAMLObjectDecrypter(Credential decryptionCredential) Constructor given the credential to use to decrypt the messages (certificate or key pair).
SAMLObjectDecrypter(DecryptionConfiguration decryptionConfiguration) Initializes the decrypter using DecryptionConfiguration.
SAMLObjectDecrypter(DecryptionParameters decryptionParameters) Initializes the decrypter using DecryptionParameters.
SAMLObjectDecrypter(List<Credential> decryptionCredentials) Constructor accepting several credentials (certificates or key pairs) to be used when decrypting.

Method Summary

Modifier and Type	Method and Description
<T extends XMLObject,E extends EncryptedElementType> T	decrypt(E encryptedObject, Class<T> destinationClass) Decrypts the supplied encrypted object into an object of the given type.
void	setBlacklistedAlgorithms(Collection<String> blacklistedAlgorithms) Assigns a list of black listed algorithms
void	setPkcs11testMode(boolean pkcs11testMode) For internal testing only.
void	setPkcs11Workaround(boolean pkcs11Workaround) If using a HSM it is likely that the SunPKCS11 crypto provider is used.
void	setWhitelistedAlgorithms(Collection<String> whitelistedAlgorithms) Assigns a list of white listed algorithms

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

SAMLObjectDecrypter

public SAMLObjectDecrypter(Credential decryptionCredential)

Constructor given the credential to use to decrypt the messages (certificate or key pair).

Parameters:

decryptionCredential - decryption credential

SAMLObjectDecrypter

public SAMLObjectDecrypter(List<Credential> decryptionCredentials)

Constructor accepting several credentials (certificates or key pairs) to be used when decrypting. This may be useful after a key rollover.

Parameters:

decryptionCredentials - decryption credentials

SAMLObjectDecrypter

public SAMLObjectDecrypter(DecryptionParameters decryptionParameters)

Initializes the decrypter using DecryptionParameters.

Parameters:

decryptionParameters - parameters

SAMLObjectDecrypter

public SAMLObjectDecrypter(DecryptionConfiguration decryptionConfiguration)

Initializes the decrypter using DecryptionConfiguration.

Parameters:

decryptionConfiguration - parameters

Method Detail

decrypt

public <T extends XMLObject,E extends EncryptedElementType> T decrypt(E encryptedObject,
                                                                      Class<T> destinationClass)
                                                               throws DecryptionException

Decrypts the supplied encrypted object into an object of the given type.

Type Parameters:

T - the type of the destination object

E - the type of the encrypted object

Parameters:

encryptedObject - the encrypted object

destinationClass - the class of the destination object

Returns:

the decrypted element of object T

Throws:

DecryptionException - for decryption errors

setBlacklistedAlgorithms

public void setBlacklistedAlgorithms(Collection<String> blacklistedAlgorithms)

Assigns a list of black listed algorithms

Parameters:

blacklistedAlgorithms - non allowed algorithms

setWhitelistedAlgorithms

public void setWhitelistedAlgorithms(Collection<String> whitelistedAlgorithms)

Assigns a list of white listed algorithms

Parameters:

whitelistedAlgorithms - white listed algorithms

setPkcs11Workaround

public void setPkcs11Workaround(boolean pkcs11Workaround)

If using a HSM it is likely that the SunPKCS11 crypto provider is used. This provider does not have support for OAEP padding. This is used commonly for XML encryption since http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p is the default algorithm to use for key encryption. This class has a workaround for this limitation that is enabled by setting the pkcs11Workaround flag.

Parameters:

pkcs11Workaround - whether to run in PKCS11 workaround mode

setPkcs11testMode

public void setPkcs11testMode(boolean pkcs11testMode)

For internal testing only.

Parameters:

pkcs11testMode - test flag