Class Pkcs11Decrypter
java.lang.Object
org.opensaml.xmlsec.encryption.support.Decrypter
org.opensaml.saml.saml2.encryption.Decrypter
se.swedenconnect.opensaml.xmlsec.encryption.support.Pkcs11Decrypter
public class Pkcs11Decrypter
extends org.opensaml.saml.saml2.encryption.Decrypter
An extension to OpenSAML's
Decrypter class implementing a workaround for the problem that when using the
SunPKCS11 crypto provider OAEPPadding does not work.
See this post on Stack overflow.
- Author:
- Martin Lindström (martin@idsec.se), Stefan Santesson (stefan@idsec.se)
-
Constructor Summary
ConstructorsConstructorDescriptionPkcs11Decrypter(org.opensaml.xmlsec.DecryptionParameters params) Constructor.Pkcs11Decrypter(org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver newResolver, org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver newKEKResolver, org.opensaml.xmlsec.encryption.support.EncryptedKeyResolver newEncKeyResolver) Constructor.Pkcs11Decrypter(org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver newResolver, org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver newKEKResolver, org.opensaml.xmlsec.encryption.support.EncryptedKeyResolver newEncKeyResolver, Collection<String> whitelistAlgos, Collection<String> blacklistAlgos) Constructor. -
Method Summary
Modifier and TypeMethodDescriptiondecryptKey(org.opensaml.xmlsec.encryption.EncryptedKey encryptedKey, String algorithm) ExtendsDecrypter.decryptKey(EncryptedKey, String)so that we may get hold of the corresponding RSA certificate.decryptKey(org.opensaml.xmlsec.encryption.EncryptedKey encryptedKey, String algorithm, Key kek) ExtendsDecrypter.decryptKey(EncryptedKey, String, Key)with an implementation for missing OAEP padding in the SunPKCS11 provider.protected KeydecryptKey(org.opensaml.xmlsec.encryption.EncryptedKey encryptedKey, String algorithm, Key kek, int keysize) Decrypts the key (work-around for OAEP padding).voidsetTestMode(boolean testMode) Should we run this class in test mode?Methods inherited from class org.opensaml.saml.saml2.encryption.Decrypter
decrypt, decrypt, decrypt, decryptMethods inherited from class org.opensaml.xmlsec.encryption.support.Decrypter
checkAndMarshall, decryptData, decryptData, decryptDataToDOM, decryptDataToDOM, decryptDataToList, decryptDataToList, getJCAProviderName, getKEKResolverCriteria, getKeyResolverCriteria, getPreDecryptionValidator, isRootInNewDocument, preProcessEncryptedData, preProcessEncryptedKey, setJCAProviderName, setKEKResolverCriteria, setKeyResolverCriteria, setPreDecryptionValidator, setRootInNewDocument, validateAlgorithms, validateAlgorithms, validateAlgorithmURI
-
Constructor Details
-
Pkcs11Decrypter
public Pkcs11Decrypter(org.opensaml.xmlsec.DecryptionParameters params) Constructor.- Parameters:
params- decryption parameters to use
-
Pkcs11Decrypter
public Pkcs11Decrypter(org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver newResolver, org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver newKEKResolver, org.opensaml.xmlsec.encryption.support.EncryptedKeyResolver newEncKeyResolver) Constructor.- Parameters:
newResolver- resolver for data encryption keys.newKEKResolver- resolver for key encryption keys.newEncKeyResolver- resolver for EncryptedKey elements
-
Pkcs11Decrypter
public Pkcs11Decrypter(org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver newResolver, org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver newKEKResolver, org.opensaml.xmlsec.encryption.support.EncryptedKeyResolver newEncKeyResolver, Collection<String> whitelistAlgos, Collection<String> blacklistAlgos) Constructor.- Parameters:
newResolver- resolver for data encryption keys.newKEKResolver- resolver for key encryption keys.newEncKeyResolver- resolver for EncryptedKey elementswhitelistAlgos- collection of whitelisted algorithm URIsblacklistAlgos- collection of blacklisted algorithm URIs
-
-
Method Details
-
decryptKey
@Nonnull public Key decryptKey(@Nonnull org.opensaml.xmlsec.encryption.EncryptedKey encryptedKey, @Nonnull String algorithm, @Nonnull Key kek) throws org.opensaml.xmlsec.encryption.support.DecryptionException ExtendsDecrypter.decryptKey(EncryptedKey, String, Key)with an implementation for missing OAEP padding in the SunPKCS11 provider.- Overrides:
decryptKeyin classorg.opensaml.xmlsec.encryption.support.Decrypter- Throws:
org.opensaml.xmlsec.encryption.support.DecryptionException
-
decryptKey
@Nonnull public Key decryptKey(@Nonnull org.opensaml.xmlsec.encryption.EncryptedKey encryptedKey, @Nonnull String algorithm) throws org.opensaml.xmlsec.encryption.support.DecryptionException ExtendsDecrypter.decryptKey(EncryptedKey, String)so that we may get hold of the corresponding RSA certificate. We need that since we need to figure out the key length of the RSA private key (and we can't ask a SunPKCS11 private key for its key length).- Overrides:
decryptKeyin classorg.opensaml.xmlsec.encryption.support.Decrypter- Throws:
org.opensaml.xmlsec.encryption.support.DecryptionException
-
decryptKey
@Nonnull protected Key decryptKey(@Nonnull org.opensaml.xmlsec.encryption.EncryptedKey encryptedKey, @Nonnull String algorithm, @Nonnull Key kek, int keysize) throws org.opensaml.xmlsec.encryption.support.DecryptionException Decrypts the key (work-around for OAEP padding).- Parameters:
encryptedKey- encrypted key element containing the encrypted key to be decryptedalgorithm- the algorithm associated with the decrypted keykek- the key encryption key with which to attempt decryption of the encrypted keykeysize- the key length- Returns:
- the decrypted key
- Throws:
org.opensaml.xmlsec.encryption.support.DecryptionException- for decryption errors
-
setTestMode
public void setTestMode(boolean testMode) Should we run this class in test mode? By using test mode, the customized code where we handle padding for OAEP is executed even if the SunPKCS11 provider is not in use.- Parameters:
testMode- test mode flag
-