Package se.swedenconnect.opensaml.xmlsec.encryption.support

Class Pkcs11Decrypter

java.lang.Object
org.opensaml.xmlsec.encryption.support.Decrypter
org.opensaml.saml.saml2.encryption.Decrypter
se.swedenconnect.opensaml.xmlsec.encryption.support.Pkcs11Decrypter
public class Pkcs11Decrypter extends Decrypter
An extension to OpenSAML's Decrypter class implementing a workaround for the problem that when using the SunPKCS11 crypto provider OAEPPadding does not work.

See this post on Stack overflow.

Author:
Martin Lindström (martin@idsec.se), Stefan Santesson (stefan@idsec.se)

  • Constructor Details

    • Pkcs11Decrypter

      public Pkcs11Decrypter(DecryptionParameters params)
      Constructor.
      Parameters:
      params - decryption parameters to use

    • Pkcs11Decrypter

      public Pkcs11Decrypter(KeyInfoCredentialResolver newResolver, KeyInfoCredentialResolver newKEKResolver, EncryptedKeyResolver newEncKeyResolver)
      Constructor.
      Parameters:
      newResolver - resolver for data encryption keys.
      newKEKResolver - resolver for key encryption keys.
      newEncKeyResolver - resolver for EncryptedKey elements

    • Pkcs11Decrypter

      public Pkcs11Decrypter(KeyInfoCredentialResolver newResolver, KeyInfoCredentialResolver newKEKResolver, EncryptedKeyResolver newEncKeyResolver, Collection<String> whitelistAlgos, Collection<String> blacklistAlgos)
      Constructor.
      Parameters:
      newResolver - resolver for data encryption keys.
      newKEKResolver - resolver for key encryption keys.
      newEncKeyResolver - resolver for EncryptedKey elements
      whitelistAlgos - collection of whitelisted algorithm URIs
      blacklistAlgos - collection of blacklisted algorithm URIs

  • Method Details

    • decryptKey

      @Nonnull public Key decryptKey(@Nonnull EncryptedKey encryptedKey, @Nonnull String algorithm, @Nonnull Key kek) throws DecryptionException
      Extends Decrypter.decryptKey(EncryptedKey, String, Key) with an implementation for missing OAEP padding in the SunPKCS11 provider.
      Overrides:
      decryptKey in class Decrypter
      Throws:
      DecryptionException

    • decryptKey

      @Nonnull public Key decryptKey(@Nonnull EncryptedKey encryptedKey, @Nonnull String algorithm) throws DecryptionException
      Extends Decrypter.decryptKey(EncryptedKey, String) so that we may get hold of the corresponding RSA certificate. We need that since we need to figure out the key length of the RSA private key (and we can't ask a SunPKCS11 private key for its key length).
      Overrides:
      decryptKey in class Decrypter
      Throws:
      DecryptionException

    • decryptKey

      @Nonnull protected Key decryptKey(@Nonnull EncryptedKey encryptedKey, @Nonnull String algorithm, @Nonnull Key kek, int keysize) throws DecryptionException
      Decrypts the key (work-around for OAEP padding).
      Parameters:
      encryptedKey - encrypted key element containing the encrypted key to be decrypted
      algorithm - the algorithm associated with the decrypted key
      kek - the key encryption key with which to attempt decryption of the encrypted key
      keysize - the key length
      Returns:
      the decrypted key
      Throws:
      DecryptionException - for decryption errors

    • setTestMode

      public void setTestMode(boolean testMode)
      Should we run this class in test mode? By using test mode, the customized code where we handle padding for OAEP is executed even if the SunPKCS11 provider is not in use.
      Parameters:
      testMode - test mode flag