private KeyDescriptor buildKeyDescriptor(String keyName, UsageType use, Object... contentItems) {
    KeyDescriptor keyDesc = buildXMLObject(KeyDescriptor.DEFAULT_ELEMENT_NAME);
    KeyInfo keyInfo = buildXMLObject(KeyInfo.DEFAULT_ELEMENT_NAME);

    for (Object contentItem : contentItems) {
      if (contentItem instanceof PublicKey) {
        KeyInfoSupport.addPublicKey(keyInfo, (PublicKey) contentItem);
      } else if (contentItem instanceof X509Certificate) {
        try {
          KeyInfoSupport.addCertificate(keyInfo, (X509Certificate) contentItem);
        } catch (CertificateEncodingException e) {
          throw new RuntimeException("CertificateEncodingException ading cert to KeyInfo", e);
        }
      } else {
        throw new RuntimeException(
            "Saw unknown KeyInfo content type: " + contentItem.getClass().getName());
      }
    }

    if (keyName != null) {
      KeyInfoSupport.addKeyName(keyInfo, keyName);
    }

    keyDesc.setKeyInfo(keyInfo);

    if (use != null) {
      keyDesc.setUse(use);
    }

    return keyDesc;
  }
  @Test
  public void testEncryptionMethodWithWhitelist() throws ResolverException {
    KeyDescriptor keyDescriptor =
        buildKeyDescriptor(rsaCred1KeyName, UsageType.ENCRYPTION, rsaCred1.getPublicKey());
    keyDescriptor
        .getEncryptionMethods()
        .add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15));
    keyDescriptor
        .getEncryptionMethods()
        .add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_BLOCKCIPHER_TRIPLEDES));
    roleDesc.getKeyDescriptors().add(keyDescriptor);

    config1.setWhitelistedAlgorithms(
        Arrays.asList(
            EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP,
            EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192));

    EncryptionParameters params = resolver.resolveSingle(criteriaSet);

    Assert.assertNotNull(params);
    Assert.assertEquals(
        params.getKeyTransportEncryptionCredential().getPublicKey(), rsaCred1.getPublicKey());
    Assert.assertEquals(
        params.getKeyTransportEncryptionAlgorithm(),
        EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
    Assert.assertNotNull(params.getKeyTransportKeyInfoGenerator());

    Assert.assertNull(params.getDataEncryptionCredential());
    Assert.assertEquals(
        params.getDataEncryptionAlgorithm(), EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192);
    Assert.assertNull(params.getDataKeyInfoGenerator());
  }
  @Test
  public void testEncryptionMethodWithBlacklistedDigest() throws ResolverException {
    EncryptionMethod rsaEncryptionMethod;
    DigestMethod digestMethod;

    KeyDescriptor keyDescriptor =
        buildKeyDescriptor(rsaCred1KeyName, UsageType.ENCRYPTION, rsaCred1.getPublicKey());

    // This one will be effectively blacklist due to the DigestMethod SHA-1, won't be resolved.
    rsaEncryptionMethod = buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
    digestMethod = buildXMLObject(DigestMethod.DEFAULT_ELEMENT_NAME);
    digestMethod.setAlgorithm(SignatureConstants.ALGO_ID_DIGEST_SHA1);
    rsaEncryptionMethod.getUnknownXMLObjects().add(digestMethod);
    keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod);

    // This one will be resolved with DigestMethod SHA-256.
    rsaEncryptionMethod = buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
    digestMethod = buildXMLObject(DigestMethod.DEFAULT_ELEMENT_NAME);
    digestMethod.setAlgorithm(EncryptionConstants.ALGO_ID_DIGEST_SHA256);
    rsaEncryptionMethod.getUnknownXMLObjects().add(digestMethod);
    keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod);

    roleDesc.getKeyDescriptors().add(keyDescriptor);

    config1.setBlacklistedAlgorithms(Arrays.asList(SignatureConstants.ALGO_ID_DIGEST_SHA1));

    EncryptionParameters params = resolver.resolveSingle(criteriaSet);

    Assert.assertNotNull(params);
    Assert.assertEquals(
        params.getKeyTransportEncryptionCredential().getPublicKey(), rsaCred1.getPublicKey());
    Assert.assertEquals(
        params.getKeyTransportEncryptionAlgorithm(),
        EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
    Assert.assertNotNull(params.getKeyTransportKeyInfoGenerator());
    Assert.assertNotNull(params.getRSAOAEPParameters());
    Assert.assertEquals(
        params.getRSAOAEPParameters().getDigestMethod(), EncryptionConstants.ALGO_ID_DIGEST_SHA256);
    Assert.assertNull(params.getRSAOAEPParameters().getMaskGenerationFunction());
    Assert.assertNull(params.getRSAOAEPParameters().getOAEPParams());

    Assert.assertNull(params.getDataEncryptionCredential());
    Assert.assertEquals(params.getDataEncryptionAlgorithm(), defaultAES128DataAlgo);
    Assert.assertNull(params.getDataKeyInfoGenerator());
  }
  @Test
  public void testKeyTransportAlgorithmPredicate() throws ResolverException {
    KeyDescriptor keyDescriptor =
        buildKeyDescriptor(rsaCred1KeyName, UsageType.ENCRYPTION, rsaCred1.getPublicKey());
    keyDescriptor
        .getEncryptionMethods()
        .add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP));
    keyDescriptor
        .getEncryptionMethods()
        .add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15));
    keyDescriptor
        .getEncryptionMethods()
        .add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256));
    keyDescriptor
        .getEncryptionMethods()
        .add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192));
    keyDescriptor
        .getEncryptionMethods()
        .add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128));
    roleDesc.getKeyDescriptors().add(keyDescriptor);

    // Data algorithm -> key transport algorithm preferences mappings
    HashMap<String, String> algoMap = new HashMap<>();
    algoMap.put(
        EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256,
        EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15);
    algoMap.put(
        EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192,
        EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
    KeyTransportAlgorithmPredicate predicate = new MapBasedKeyTransportAlgorithmPredicate(algoMap);

    // Without the predicate, for control
    EncryptionParameters params = resolver.resolveSingle(criteriaSet);
    Assert.assertEquals(
        params.getDataEncryptionAlgorithm(), EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256);
    Assert.assertEquals(
        params.getKeyTransportEncryptionAlgorithm(),
        EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);

    config1.setKeyTransportAlgorithmPredicate(predicate);

    // Explicit preference with predicate, mapping # 1
    params = resolver.resolveSingle(criteriaSet);
    Assert.assertEquals(
        params.getDataEncryptionAlgorithm(), EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256);
    Assert.assertEquals(
        params.getKeyTransportEncryptionAlgorithm(),
        EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15);

    // Change algo ordering
    keyDescriptor.getEncryptionMethods().clear();
    keyDescriptor
        .getEncryptionMethods()
        .add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15));
    keyDescriptor
        .getEncryptionMethods()
        .add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP));
    keyDescriptor
        .getEncryptionMethods()
        .add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192));
    keyDescriptor
        .getEncryptionMethods()
        .add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128));

    // Explicit preference with predicate, mapping # 2
    params = resolver.resolveSingle(criteriaSet);
    Assert.assertEquals(
        params.getDataEncryptionAlgorithm(), EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192);
    Assert.assertEquals(
        params.getKeyTransportEncryptionAlgorithm(),
        EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
  }
  @Test
  public void testEncryptionMethodWithRSAOAEPParameters()
      throws ResolverException, InitializationException {
    EncryptionParameters params;
    EncryptionMethod rsaEncryptionMethod;
    DigestMethod digestMethod;
    MGF mgf;
    OAEPparams oaepParams;

    KeyDescriptor keyDescriptor =
        buildKeyDescriptor(rsaCred1KeyName, UsageType.ENCRYPTION, rsaCred1.getPublicKey());
    roleDesc.getKeyDescriptors().add(keyDescriptor);

    // Shouldn't resolve, since not RSA OAEP
    rsaEncryptionMethod = buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15);
    keyDescriptor.getEncryptionMethods().clear();
    keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod);
    params = resolver.resolveSingle(criteriaSet);
    Assert.assertNull(params.getRSAOAEPParameters());

    // Should resolve empty instance
    rsaEncryptionMethod = buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
    keyDescriptor.getEncryptionMethods().clear();
    keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod);
    params = resolver.resolveSingle(criteriaSet);
    Assert.assertNotNull(params.getRSAOAEPParameters());
    Assert.assertTrue(params.getRSAOAEPParameters().isEmpty());

    // Load BouncyCastle so can really test RSA OAEP 1.1 stuff.
    AlgorithmRegistry originalRegistry = AlgorithmSupport.getGlobalAlgorithmRegistry();
    Assert.assertNotNull(originalRegistry);
    providerSupport.loadBC();
    new GlobalAlgorithmRegistryInitializer().init();
    resolver.setAlgorithmRegistry(AlgorithmSupport.getGlobalAlgorithmRegistry());

    try {
      // Should resolve digest from metadata
      rsaEncryptionMethod =
          buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP11);
      digestMethod = buildXMLObject(DigestMethod.DEFAULT_ELEMENT_NAME);
      digestMethod.setAlgorithm(EncryptionConstants.ALGO_ID_DIGEST_SHA256);
      rsaEncryptionMethod.getUnknownXMLObjects().add(digestMethod);
      keyDescriptor.getEncryptionMethods().clear();
      keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod);
      params = resolver.resolveSingle(criteriaSet);
      Assert.assertNotNull(params.getRSAOAEPParameters());
      Assert.assertEquals(
          params.getRSAOAEPParameters().getDigestMethod(),
          EncryptionConstants.ALGO_ID_DIGEST_SHA256);
      Assert.assertNull(params.getRSAOAEPParameters().getMaskGenerationFunction());
      Assert.assertNull(params.getRSAOAEPParameters().getOAEPParams());

      // Should resolve all values from metadata
      rsaEncryptionMethod =
          buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP11);
      digestMethod = buildXMLObject(DigestMethod.DEFAULT_ELEMENT_NAME);
      digestMethod.setAlgorithm(EncryptionConstants.ALGO_ID_DIGEST_SHA256);
      rsaEncryptionMethod.getUnknownXMLObjects().add(digestMethod);
      mgf = buildXMLObject(MGF.DEFAULT_ELEMENT_NAME);
      mgf.setAlgorithm(EncryptionConstants.ALGO_ID_MGF1_SHA256);
      rsaEncryptionMethod.getUnknownXMLObjects().add(mgf);
      oaepParams = buildXMLObject(OAEPparams.DEFAULT_ELEMENT_NAME);
      oaepParams.setValue("oaep-params-md");
      rsaEncryptionMethod.setOAEPparams(oaepParams);
      keyDescriptor.getEncryptionMethods().clear();
      keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod);
      params = resolver.resolveSingle(criteriaSet);
      Assert.assertNotNull(params.getRSAOAEPParameters());
      Assert.assertEquals(
          params.getRSAOAEPParameters().getDigestMethod(),
          EncryptionConstants.ALGO_ID_DIGEST_SHA256);
      Assert.assertEquals(
          params.getRSAOAEPParameters().getMaskGenerationFunction(),
          EncryptionConstants.ALGO_ID_MGF1_SHA256);
      Assert.assertEquals(params.getRSAOAEPParameters().getOAEPParams(), "oaep-params-md");

      // Should resolve digest from metadata, should NOT resolve OAEPParms from config by default
      config3.setRSAOAEPParameters(
          new RSAOAEPParameters(SignatureConstants.ALGO_ID_DIGEST_SHA1, null, "oaep-params-3"));
      rsaEncryptionMethod =
          buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP11);
      digestMethod = buildXMLObject(DigestMethod.DEFAULT_ELEMENT_NAME);
      digestMethod.setAlgorithm(EncryptionConstants.ALGO_ID_DIGEST_SHA256);
      rsaEncryptionMethod.getUnknownXMLObjects().add(digestMethod);
      keyDescriptor.getEncryptionMethods().clear();
      keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod);
      params = resolver.resolveSingle(criteriaSet);
      Assert.assertNotNull(params.getRSAOAEPParameters());
      Assert.assertEquals(
          params.getRSAOAEPParameters().getDigestMethod(),
          EncryptionConstants.ALGO_ID_DIGEST_SHA256);
      Assert.assertNull(params.getRSAOAEPParameters().getMaskGenerationFunction());
      Assert.assertNull(params.getRSAOAEPParameters().getOAEPParams());

      // Should resolve digest from metadata, should resolve OAEPParms from config3
      config3.setRSAOAEPParameters(
          new RSAOAEPParameters(SignatureConstants.ALGO_ID_DIGEST_SHA1, null, "oaep-params-3"));
      resolver.setMergeMetadataRSAOAEPParametersWithConfig(true);
      rsaEncryptionMethod =
          buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP11);
      digestMethod = buildXMLObject(DigestMethod.DEFAULT_ELEMENT_NAME);
      digestMethod.setAlgorithm(EncryptionConstants.ALGO_ID_DIGEST_SHA256);
      rsaEncryptionMethod.getUnknownXMLObjects().add(digestMethod);
      keyDescriptor.getEncryptionMethods().clear();
      keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod);
      params = resolver.resolveSingle(criteriaSet);
      Assert.assertNotNull(params.getRSAOAEPParameters());
      Assert.assertEquals(
          params.getRSAOAEPParameters().getDigestMethod(),
          EncryptionConstants.ALGO_ID_DIGEST_SHA256);
      Assert.assertNull(params.getRSAOAEPParameters().getMaskGenerationFunction());
      Assert.assertEquals(params.getRSAOAEPParameters().getOAEPParams(), "oaep-params-3");

    } finally {
      providerSupport.unloadBC();
      ConfigurationService.register(AlgorithmRegistry.class, originalRegistry);
    }
  }