Class SignMessageDecrypter

java.lang.Object
se.swedenconnect.opensaml.sweid.saml2.signservice.SignMessageDecrypter

public class SignMessageDecrypter extends Object
A bean for decrypting encrypted messages within SignMessage objects.
Author:
Martin Lindström (martin@idsec.se)
  • Constructor Details

    • SignMessageDecrypter

      public SignMessageDecrypter(org.opensaml.security.credential.Credential decryptionCredential)
Constructor given the credential (certificate or key pair) to use when decrypting messages.
      Parameters:
      decryptionCredential - decryption credential
    • SignMessageDecrypter

      public SignMessageDecrypter(List<org.opensaml.security.credential.Credential> decryptionCredentials)
      Constructor accepting several credentials (certificates or key pairs) to be used when decrypting. This may be useful after a key rollover.
      Parameters:
      decryptionCredentials - decryption credentials
    • SignMessageDecrypter

      public SignMessageDecrypter(org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver keyEncryptionKeyResolver)
      Constructor accepting a key encryption key resolver.
      Parameters:
      keyEncryptionKeyResolver - the resolver
  • Method Details

    • decrypt

      public Message decrypt(SignMessage signMessage) throws org.opensaml.xmlsec.encryption.support.DecryptionException
      Decrypts the encrypted message of a SignMessage and returns the cleartext Message.
      Parameters:
      signMessage - the element holding the encrypted message
      Returns:
      a cleartext Message element
      Throws:
      org.opensaml.xmlsec.encryption.support.DecryptionException - for decryption errors
    • setBlacklistedAlgorithms

      public void setBlacklistedAlgorithms(Collection<String> blacklistedAlgorithms)
Assigns a list of blacklisted algorithms, i.e. algorithm URIs that must not be used by the encrypted data or key.
      Parameters:
blacklistedAlgorithms - algorithms that are not allowed
    • setWhitelistedAlgorithms

      public void setWhitelistedAlgorithms(Collection<String> whitelistedAlgorithms)
Assigns a list of whitelisted algorithms, i.e. the only algorithm URIs accepted when decrypting.
      Parameters:
whitelistedAlgorithms - whitelisted algorithms
    • setPkcs11Workaround

      public void setPkcs11Workaround(boolean pkcs11Workaround)
If an HSM is used, it is likely that the SunPKCS11 crypto provider is in use. This provider does not support OAEP padding, which is commonly used in XML encryption since http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p is the default key encryption algorithm. This class has a workaround for this limitation that is enabled by setting the pkcs11Workaround flag.
      Parameters:
      pkcs11Workaround - whether to run in PKCS11 workaround mode
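The following is an added usage example, not code from the project, showing how the constructors, decrypt method and setters above fit together: a decrypter configured with two credentials to survive a key rollover, a blacklist that refuses RSA PKCS#1 v1.5 key transport and 3DES, the PKCS#11 workaround enabled only when the SunPKCS11 provider is actually in use, and a decrypt call whose failure is treated as a rejected request. Assumptions: the package of SignMessage and Message (not stated on this page), a PKCS#12 keystore on disk holding the decryption key pair, and OpenSAML already initialised; the class and method names below other than those documented above are the example's own.

```java
// Added example (not part of the sweid library). Assumptions are marked as such.
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.List;

import org.opensaml.security.credential.Credential;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.xmlsec.encryption.support.DecryptionException;

import se.swedenconnect.opensaml.sweid.saml2.signservice.SignMessageDecrypter;
import se.swedenconnect.opensaml.sweid.saml2.signservice.dss.Message;     // assumed package
import se.swedenconnect.opensaml.sweid.saml2.signservice.dss.SignMessage; // assumed package

public class SignMessageDecryptExample {

  /** Loads a decryption credential (certificate plus private key) from a PKCS#12 keystore. */
  static Credential loadCredential(String path, char[] password, String alias) throws Exception {
    KeyStore ks = KeyStore.getInstance("PKCS12");
    try (FileInputStream in = new FileInputStream(path)) {
      ks.load(in, password);
    }
    PrivateKey key = (PrivateKey) ks.getKey(alias, password);
    X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
    return new BasicX509Credential(cert, key);
  }

  /**
   * Builds a decrypter that accepts both the current and the previous key (key rollover),
   * refuses weak algorithms, and enables the PKCS#11 workaround only when running on an HSM
   * through the SunPKCS11 provider.
   */
  static SignMessageDecrypter buildDecrypter(Credential current, Credential previous, boolean usingSunPkcs11) {
    SignMessageDecrypter decrypter = new SignMessageDecrypter(List.of(current, previous));

    // Algorithm URIs from the XML Encryption specification that we do not want to see:
    // rsa-1_5 key transport (padding-oracle prone) and 3DES block cipher (legacy).
    decrypter.setBlacklistedAlgorithms(List.of(
        "http://www.w3.org/2001/04/xmlenc#rsa-1_5",
        "http://www.w3.org/2001/04/xmlenc#tripledes-cbc"));

    // OAEP (rsa-oaep-mgf1p, the default key encryption algorithm) is not supported by
    // SunPKCS11, so the workaround is switched on only in that deployment.
    decrypter.setPkcs11Workaround(usingSunPkcs11);
    return decrypter;
  }

  /** Decrypts the SignMessage; a failure is a rejected request, never a fallback to plaintext. */
  static Message decryptOrReject(SignMessageDecrypter decrypter, SignMessage signMessage) {
    try {
      return decrypter.decrypt(signMessage);
    } catch (DecryptionException e) {
      throw new IllegalStateException("SignMessage could not be decrypted; rejecting request", e);
    }
  }

  public static void main(String[] args) throws Exception {
    // Paths, passwords and aliases are placeholders for this example.
    Credential current = loadCredential("/path/to/current.p12", "changeit".toCharArray(), "enc-current");
    Credential previous = loadCredential("/path/to/previous.p12", "changeit".toCharArray(), "enc-previous");
    boolean usingSunPkcs11 = java.security.Security.getProvider("SunPKCS11") != null;
    SignMessageDecrypter decrypter = buildDecrypter(current, previous, usingSunPkcs11);
    // signMessage would normally be unmarshalled from the incoming AuthnRequest extension.
    SignMessage signMessage = null; // placeholder: obtain from the request
    Message cleartext = decryptOrReject(decrypter, signMessage);
    System.out.println("Decrypted SignMessage: " + cleartext);
  }
}
```

setWhitelistedAlgorithms is the stricter alternative to the blacklist used here: with a whitelist, every algorithm URI that appears in the encrypted data and encrypted key must be on the list, so it should be populated from what your own service provider configuration actually emits rather than guessed.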