Package se.litsec.swedisheid.opensaml.saml2.signservice

Class SignMessageDecrypter

java.lang.Object

se.litsec.swedisheid.opensaml.saml2.signservice.SignMessageDecrypter

public class SignMessageDecrypter
extends Object

A bean for decrypting encrypted messages within SignMessage objects.

Author:

Martin Lindström (martin.lindstrom@litsec.se)

Constructor Summary

Constructors

Constructor	Description
SignMessageDecrypter(List<Credential> decryptionCredentials)	Constructor accepting several credentials (certificates or key pairs) to be used when decrypting.
SignMessageDecrypter(Credential decryptionCredential)	Constructor given the credential to use to decrypt the messages (certificate or key pair)
SignMessageDecrypter(KeyInfoCredentialResolver keyEncryptionKeyResolver)	Constructor accepting a key encryption key resolver.

Method Summary

Modifier and Type	Method	Description
Message	decrypt(SignMessage signMessage)	Decrypts the encrypted message of a SignMessage and returns the cleartext Message.
void	setBlacklistedAlgorithms(Collection<String> blacklistedAlgorithms)	Assigns a list of black listed algorithms
void	setPkcs11Workaround(boolean pkcs11Workaround)	If using a HSM it is likely that the SunPKCS11 crypto provider is used.
void	setWhitelistedAlgorithms(Collection<String> whitelistedAlgorithms)	Assigns a list of white listed algorithms

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

SignMessageDecrypter

public SignMessageDecrypter(Credential decryptionCredential)

Constructor given the credential to use to decrypt the messages (certificate or key pair)

Parameters:

decryptionCredential - decryption credential

SignMessageDecrypter

public SignMessageDecrypter(List<Credential> decryptionCredentials)

Constructor accepting several credentials (certificates or key pairs) to be used when decrypting. This may be useful after a key rollover.

Parameters:

decryptionCredentials - decryption credentials

SignMessageDecrypter

public SignMessageDecrypter(KeyInfoCredentialResolver keyEncryptionKeyResolver)

Constructor accepting a key encryption key resolver.

Parameters:

keyEncryptionKeyResolver - the resolver

Method Detail

decrypt

public Message decrypt(SignMessage signMessage)
                throws DecryptionException

Decrypts the encrypted message of a SignMessage and returns the cleartext Message.

Parameters:

signMessage - the element holding the encrypted message

Returns:

a cleartext Message element

Throws:

DecryptionException - for decryption errors

setBlacklistedAlgorithms

public void setBlacklistedAlgorithms(Collection<String> blacklistedAlgorithms)

Assigns a list of black listed algorithms

Parameters:

blacklistedAlgorithms - non allowed algorithms

setWhitelistedAlgorithms

public void setWhitelistedAlgorithms(Collection<String> whitelistedAlgorithms)

Assigns a list of white listed algorithms

Parameters:

whitelistedAlgorithms - white listed algorithms

setPkcs11Workaround

public void setPkcs11Workaround(boolean pkcs11Workaround)

If using a HSM it is likely that the SunPKCS11 crypto provider is used. This provider does not have support for OAEP padding. This is used commonly for XML encryption since http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p is the default algorithm to use for key encryption. This class has a workaround for this limitation that is enabled by setting the pkcs11Workaround flag.

Parameters:

pkcs11Workaround - whether to run in PKCS11 workaround mode