Class SAMLObjectDecrypter

java.lang.Object
se.swedenconnect.opensaml.xmlsec.encryption.support.SAMLObjectDecrypter

public class SAMLObjectDecrypter extends Object
A support bean for easy decryption.

OpenSAML offers two ways to represent decryption parameters: DecryptionParameters and DecryptionConfiguration. This bean can be initialized with either of them, but it also offers a simpler option: initialization with just the decryption credentials, in which case the remaining settings are assigned the defaults from DecryptionUtils.createDecryptionParameters(Credential...).
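The credentials-only initialization path described above, shown as an added example that is not part of this class's documentation or the project's own code. It assumes the decryption keys live in a Java KeyStore under two aliases (current and previous, to cover a key rollover), and it restricts the accepted algorithms with setBlacklistedAlgorithms before decrypting an EncryptedAssertion; the class name and helper methods are hypothetical.

```java
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.List;

import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.EncryptedAssertion;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.xmlsec.encryption.support.DecryptionException;
import org.opensaml.xmlsec.encryption.support.EncryptionConstants;

import se.swedenconnect.opensaml.xmlsec.encryption.support.SAMLObjectDecrypter;

/** Hypothetical helper class; not part of the opensaml-ext project. */
public final class AssertionDecryptionExample {

  /** Builds a decrypter from the current and the previous decryption key (assumed aliases). */
  public static SAMLObjectDecrypter buildDecrypter(KeyStore keyStore, char[] keyPassword,
      String currentAlias, String previousAlias) throws Exception {
    List<Credential> credentials = List.of(
        toCredential(keyStore, keyPassword, currentAlias),
        toCredential(keyStore, keyPassword, previousAlias));
    // Credentials-only initialization: defaults come from DecryptionUtils.createDecryptionParameters.
    SAMLObjectDecrypter decrypter = new SAMLObjectDecrypter(credentials);
    // Defender-side policy: refuse legacy algorithms even if the sender selected them.
    decrypter.setBlacklistedAlgorithms(List.of(
        EncryptionConstants.ALGO_ID_BLOCKCIPHER_TRIPLEDES,
        EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15));
    return decrypter;
  }

  private static Credential toCredential(KeyStore keyStore, char[] password, String alias)
      throws Exception {
    PrivateKey key = (PrivateKey) keyStore.getKey(alias, password);
    X509Certificate cert = (X509Certificate) keyStore.getCertificate(alias);
    return new BasicX509Credential(cert, key);
  }

  /** Decrypts the first EncryptedAssertion of a SAML Response into an Assertion. */
  public static Assertion decryptFirstAssertion(SAMLObjectDecrypter decrypter, Response response)
      throws DecryptionException {
    List<EncryptedAssertion> encrypted = response.getEncryptedAssertions();
    if (encrypted.isEmpty()) {
      throw new DecryptionException("Response carries no EncryptedAssertion");
    }
    // EncryptedAssertion extends EncryptedElementType, so the generic decrypt overload applies.
    return decrypter.decrypt(encrypted.get(0), Assertion.class);
  }
}
```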

Author:
Martin Lindström (martin@idsec.se)
  • Constructor Summary

    Constructors
    Constructor
    Description
    SAMLObjectDecrypter(List<org.opensaml.security.credential.Credential> decryptionCredentials)
    Constructor accepting several credentials (certificates or key pairs) to be used when decrypting.
    SAMLObjectDecrypter(org.opensaml.security.credential.Credential decryptionCredential)
    Constructor given the credential to use to decrypt the messages (certificate or key pair).
    SAMLObjectDecrypter(org.opensaml.xmlsec.DecryptionConfiguration decryptionConfiguration)
    Initializes the decrypter using DecryptionConfiguration.
    SAMLObjectDecrypter(org.opensaml.xmlsec.DecryptionParameters decryptionParameters)
    Initializes the decrypter using DecryptionParameters.
  • Method Summary

    Modifier and Type
    Method
    Description
    <T extends org.opensaml.core.xml.XMLObject, E extends org.opensaml.saml.saml2.core.EncryptedElementType>
    T
    decrypt(E encryptedObject, Class<T> destinationClass)
    Decrypts the supplied encrypted object into an object of the given type.
    <T extends org.opensaml.core.xml.XMLObject>
    T
    decrypt(org.opensaml.xmlsec.encryption.EncryptedData encryptedData, Class<T> destinationClass)
    Decrypts the supplied encrypted object into an object of the given type.
    void
    setBlacklistedAlgorithms(Collection<String> blacklistedAlgorithms)
Assigns a list of blacklisted algorithms.
    void
    setPkcs11testMode(boolean pkcs11testMode)
    For internal testing only.
    void
    setPkcs11Workaround(boolean pkcs11Workaround)
    If using an HSM it is likely that the SunPKCS11 crypto provider is used.
    void
    setWhitelistedAlgorithms(Collection<String> whitelistedAlgorithms)
Assigns a list of whitelisted algorithms.

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Constructor Details

    • SAMLObjectDecrypter

      public SAMLObjectDecrypter(org.opensaml.security.credential.Credential decryptionCredential)
      Constructor given the credential to use to decrypt the messages (certificate or key pair).
      Parameters:
      decryptionCredential - decryption credential
    • SAMLObjectDecrypter

      public SAMLObjectDecrypter(List<org.opensaml.security.credential.Credential> decryptionCredentials)
      Constructor accepting several credentials (certificates or key pairs) to be used when decrypting. This may be useful after a key rollover.
      Parameters:
      decryptionCredentials - decryption credentials
    • SAMLObjectDecrypter

      public SAMLObjectDecrypter(org.opensaml.xmlsec.DecryptionParameters decryptionParameters)
      Initializes the decrypter using DecryptionParameters.
      Parameters:
      decryptionParameters - parameters
    • SAMLObjectDecrypter

      public SAMLObjectDecrypter(org.opensaml.xmlsec.DecryptionConfiguration decryptionConfiguration)
      Initializes the decrypter using DecryptionConfiguration.
      Parameters:
decryptionConfiguration - configuration
  • Method Details

    • decrypt

      public <T extends org.opensaml.core.xml.XMLObject, E extends org.opensaml.saml.saml2.core.EncryptedElementType> T decrypt(E encryptedObject, Class<T> destinationClass) throws org.opensaml.xmlsec.encryption.support.DecryptionException
      Decrypts the supplied encrypted object into an object of the given type.
      Type Parameters:
      T - the type of the destination object
      E - the type of the encrypted object
      Parameters:
      encryptedObject - the encrypted object
      destinationClass - the class of the destination object
      Returns:
the decrypted object of type T
      Throws:
      org.opensaml.xmlsec.encryption.support.DecryptionException - for decryption errors
    • decrypt

      public <T extends org.opensaml.core.xml.XMLObject> T decrypt(org.opensaml.xmlsec.encryption.EncryptedData encryptedData, Class<T> destinationClass) throws org.opensaml.xmlsec.encryption.support.DecryptionException
      Decrypts the supplied encrypted object into an object of the given type.
      Type Parameters:
      T - the type of the destination object
      Parameters:
      encryptedData - the encrypted data
      destinationClass - the class of the destination object
      Returns:
the decrypted object of type T
      Throws:
      org.opensaml.xmlsec.encryption.support.DecryptionException - for decryption errors
    • setBlacklistedAlgorithms

      public void setBlacklistedAlgorithms(Collection<String> blacklistedAlgorithms)
Assigns a list of blacklisted algorithms.
Parameters:
blacklistedAlgorithms - algorithms that are not allowed
    • setWhitelistedAlgorithms

      public void setWhitelistedAlgorithms(Collection<String> whitelistedAlgorithms)
Assigns a list of whitelisted algorithms.
Parameters:
whitelistedAlgorithms - whitelisted algorithms
    • setPkcs11Workaround

      public void setPkcs11Workaround(boolean pkcs11Workaround)
If an HSM is used, it is likely that the SunPKCS11 crypto provider is used. This provider does not support OAEP padding, which is commonly used in XML encryption since http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p is the default key encryption algorithm. This class has a workaround for this limitation that is enabled by setting the pkcs11Workaround flag.
      Parameters:
      pkcs11Workaround - whether to run in PKCS11 workaround mode
    • setPkcs11testMode

      public void setPkcs11testMode(boolean pkcs11testMode)
      For internal testing only.
      Parameters:
      pkcs11testMode - test flag