private KeyDescriptor buildKeyDescriptor(String keyName, UsageType use, Object... contentItems) {
KeyDescriptor keyDesc = buildXMLObject(KeyDescriptor.DEFAULT_ELEMENT_NAME);
KeyInfo keyInfo = buildXMLObject(KeyInfo.DEFAULT_ELEMENT_NAME);
for (Object contentItem : contentItems) {
if (contentItem instanceof PublicKey) {
KeyInfoSupport.addPublicKey(keyInfo, (PublicKey) contentItem);
} else if (contentItem instanceof X509Certificate) {
try {
KeyInfoSupport.addCertificate(keyInfo, (X509Certificate) contentItem);
} catch (CertificateEncodingException e) {
throw new RuntimeException("CertificateEncodingException ading cert to KeyInfo", e);
}
} else {
throw new RuntimeException(
"Saw unknown KeyInfo content type: " + contentItem.getClass().getName());
}
}
if (keyName != null) {
KeyInfoSupport.addKeyName(keyInfo, keyName);
}
keyDesc.setKeyInfo(keyInfo);
if (use != null) {
keyDesc.setUse(use);
}
return keyDesc;
}
@Test
public void testEncryptionMethodWithWhitelist() throws ResolverException {
KeyDescriptor keyDescriptor =
buildKeyDescriptor(rsaCred1KeyName, UsageType.ENCRYPTION, rsaCred1.getPublicKey());
keyDescriptor
.getEncryptionMethods()
.add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15));
keyDescriptor
.getEncryptionMethods()
.add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_BLOCKCIPHER_TRIPLEDES));
roleDesc.getKeyDescriptors().add(keyDescriptor);
config1.setWhitelistedAlgorithms(
Arrays.asList(
EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP,
EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192));
EncryptionParameters params = resolver.resolveSingle(criteriaSet);
Assert.assertNotNull(params);
Assert.assertEquals(
params.getKeyTransportEncryptionCredential().getPublicKey(), rsaCred1.getPublicKey());
Assert.assertEquals(
params.getKeyTransportEncryptionAlgorithm(),
EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
Assert.assertNotNull(params.getKeyTransportKeyInfoGenerator());
Assert.assertNull(params.getDataEncryptionCredential());
Assert.assertEquals(
params.getDataEncryptionAlgorithm(), EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192);
Assert.assertNull(params.getDataKeyInfoGenerator());
}
@Test
public void testEncryptionMethodWithBlacklistedDigest() throws ResolverException {
EncryptionMethod rsaEncryptionMethod;
DigestMethod digestMethod;
KeyDescriptor keyDescriptor =
buildKeyDescriptor(rsaCred1KeyName, UsageType.ENCRYPTION, rsaCred1.getPublicKey());
// This one will be effectively blacklist due to the DigestMethod SHA-1, won't be resolved.
rsaEncryptionMethod = buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
digestMethod = buildXMLObject(DigestMethod.DEFAULT_ELEMENT_NAME);
digestMethod.setAlgorithm(SignatureConstants.ALGO_ID_DIGEST_SHA1);
rsaEncryptionMethod.getUnknownXMLObjects().add(digestMethod);
keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod);
// This one will be resolved with DigestMethod SHA-256.
rsaEncryptionMethod = buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
digestMethod = buildXMLObject(DigestMethod.DEFAULT_ELEMENT_NAME);
digestMethod.setAlgorithm(EncryptionConstants.ALGO_ID_DIGEST_SHA256);
rsaEncryptionMethod.getUnknownXMLObjects().add(digestMethod);
keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod);
roleDesc.getKeyDescriptors().add(keyDescriptor);
config1.setBlacklistedAlgorithms(Arrays.asList(SignatureConstants.ALGO_ID_DIGEST_SHA1));
EncryptionParameters params = resolver.resolveSingle(criteriaSet);
Assert.assertNotNull(params);
Assert.assertEquals(
params.getKeyTransportEncryptionCredential().getPublicKey(), rsaCred1.getPublicKey());
Assert.assertEquals(
params.getKeyTransportEncryptionAlgorithm(),
EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
Assert.assertNotNull(params.getKeyTransportKeyInfoGenerator());
Assert.assertNotNull(params.getRSAOAEPParameters());
Assert.assertEquals(
params.getRSAOAEPParameters().getDigestMethod(), EncryptionConstants.ALGO_ID_DIGEST_SHA256);
Assert.assertNull(params.getRSAOAEPParameters().getMaskGenerationFunction());
Assert.assertNull(params.getRSAOAEPParameters().getOAEPParams());
Assert.assertNull(params.getDataEncryptionCredential());
Assert.assertEquals(params.getDataEncryptionAlgorithm(), defaultAES128DataAlgo);
Assert.assertNull(params.getDataKeyInfoGenerator());
}
@Test
public void testKeyTransportAlgorithmPredicate() throws ResolverException {
KeyDescriptor keyDescriptor =
buildKeyDescriptor(rsaCred1KeyName, UsageType.ENCRYPTION, rsaCred1.getPublicKey());
keyDescriptor
.getEncryptionMethods()
.add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP));
keyDescriptor
.getEncryptionMethods()
.add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15));
keyDescriptor
.getEncryptionMethods()
.add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256));
keyDescriptor
.getEncryptionMethods()
.add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192));
keyDescriptor
.getEncryptionMethods()
.add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128));
roleDesc.getKeyDescriptors().add(keyDescriptor);
// Data algorithm -> key transport algorithm preferences mappings
HashMap<String, String> algoMap = new HashMap<>();
algoMap.put(
EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256,
EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15);
algoMap.put(
EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192,
EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
KeyTransportAlgorithmPredicate predicate = new MapBasedKeyTransportAlgorithmPredicate(algoMap);
// Without the predicate, for control
EncryptionParameters params = resolver.resolveSingle(criteriaSet);
Assert.assertEquals(
params.getDataEncryptionAlgorithm(), EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256);
Assert.assertEquals(
params.getKeyTransportEncryptionAlgorithm(),
EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
config1.setKeyTransportAlgorithmPredicate(predicate);
// Explicit preference with predicate, mapping # 1
params = resolver.resolveSingle(criteriaSet);
Assert.assertEquals(
params.getDataEncryptionAlgorithm(), EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256);
Assert.assertEquals(
params.getKeyTransportEncryptionAlgorithm(),
EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15);
// Change algo ordering
keyDescriptor.getEncryptionMethods().clear();
keyDescriptor
.getEncryptionMethods()
.add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15));
keyDescriptor
.getEncryptionMethods()
.add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP));
keyDescriptor
.getEncryptionMethods()
.add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192));
keyDescriptor
.getEncryptionMethods()
.add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128));
// Explicit preference with predicate, mapping # 2
params = resolver.resolveSingle(criteriaSet);
Assert.assertEquals(
params.getDataEncryptionAlgorithm(), EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192);
Assert.assertEquals(
params.getKeyTransportEncryptionAlgorithm(),
EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
}
@Test
public void testEncryptionMethodWithRSAOAEPParameters()
throws ResolverException, InitializationException {
EncryptionParameters params;
EncryptionMethod rsaEncryptionMethod;
DigestMethod digestMethod;
MGF mgf;
OAEPparams oaepParams;
KeyDescriptor keyDescriptor =
buildKeyDescriptor(rsaCred1KeyName, UsageType.ENCRYPTION, rsaCred1.getPublicKey());
roleDesc.getKeyDescriptors().add(keyDescriptor);
// Shouldn't resolve, since not RSA OAEP
rsaEncryptionMethod = buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15);
keyDescriptor.getEncryptionMethods().clear();
keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod);
params = resolver.resolveSingle(criteriaSet);
Assert.assertNull(params.getRSAOAEPParameters());
// Should resolve empty instance
rsaEncryptionMethod = buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
keyDescriptor.getEncryptionMethods().clear();
keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod);
params = resolver.resolveSingle(criteriaSet);
Assert.assertNotNull(params.getRSAOAEPParameters());
Assert.assertTrue(params.getRSAOAEPParameters().isEmpty());
// Load BouncyCastle so can really test RSA OAEP 1.1 stuff.
AlgorithmRegistry originalRegistry = AlgorithmSupport.getGlobalAlgorithmRegistry();
Assert.assertNotNull(originalRegistry);
providerSupport.loadBC();
new GlobalAlgorithmRegistryInitializer().init();
resolver.setAlgorithmRegistry(AlgorithmSupport.getGlobalAlgorithmRegistry());
try {
// Should resolve digest from metadata
rsaEncryptionMethod =
buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP11);
digestMethod = buildXMLObject(DigestMethod.DEFAULT_ELEMENT_NAME);
digestMethod.setAlgorithm(EncryptionConstants.ALGO_ID_DIGEST_SHA256);
rsaEncryptionMethod.getUnknownXMLObjects().add(digestMethod);
keyDescriptor.getEncryptionMethods().clear();
keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod);
params = resolver.resolveSingle(criteriaSet);
Assert.assertNotNull(params.getRSAOAEPParameters());
Assert.assertEquals(
params.getRSAOAEPParameters().getDigestMethod(),
EncryptionConstants.ALGO_ID_DIGEST_SHA256);
Assert.assertNull(params.getRSAOAEPParameters().getMaskGenerationFunction());
Assert.assertNull(params.getRSAOAEPParameters().getOAEPParams());
// Should resolve all values from metadata
rsaEncryptionMethod =
buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP11);
digestMethod = buildXMLObject(DigestMethod.DEFAULT_ELEMENT_NAME);
digestMethod.setAlgorithm(EncryptionConstants.ALGO_ID_DIGEST_SHA256);
rsaEncryptionMethod.getUnknownXMLObjects().add(digestMethod);
mgf = buildXMLObject(MGF.DEFAULT_ELEMENT_NAME);
mgf.setAlgorithm(EncryptionConstants.ALGO_ID_MGF1_SHA256);
rsaEncryptionMethod.getUnknownXMLObjects().add(mgf);
oaepParams = buildXMLObject(OAEPparams.DEFAULT_ELEMENT_NAME);
oaepParams.setValue("oaep-params-md");
rsaEncryptionMethod.setOAEPparams(oaepParams);
keyDescriptor.getEncryptionMethods().clear();
keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod);
params = resolver.resolveSingle(criteriaSet);
Assert.assertNotNull(params.getRSAOAEPParameters());
Assert.assertEquals(
params.getRSAOAEPParameters().getDigestMethod(),
EncryptionConstants.ALGO_ID_DIGEST_SHA256);
Assert.assertEquals(
params.getRSAOAEPParameters().getMaskGenerationFunction(),
EncryptionConstants.ALGO_ID_MGF1_SHA256);
Assert.assertEquals(params.getRSAOAEPParameters().getOAEPParams(), "oaep-params-md");
// Should resolve digest from metadata, should NOT resolve OAEPParms from config by default
config3.setRSAOAEPParameters(
new RSAOAEPParameters(SignatureConstants.ALGO_ID_DIGEST_SHA1, null, "oaep-params-3"));
rsaEncryptionMethod =
buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP11);
digestMethod = buildXMLObject(DigestMethod.DEFAULT_ELEMENT_NAME);
digestMethod.setAlgorithm(EncryptionConstants.ALGO_ID_DIGEST_SHA256);
rsaEncryptionMethod.getUnknownXMLObjects().add(digestMethod);
keyDescriptor.getEncryptionMethods().clear();
keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod);
params = resolver.resolveSingle(criteriaSet);
Assert.assertNotNull(params.getRSAOAEPParameters());
Assert.assertEquals(
params.getRSAOAEPParameters().getDigestMethod(),
EncryptionConstants.ALGO_ID_DIGEST_SHA256);
Assert.assertNull(params.getRSAOAEPParameters().getMaskGenerationFunction());
Assert.assertNull(params.getRSAOAEPParameters().getOAEPParams());
// Should resolve digest from metadata, should resolve OAEPParms from config3
config3.setRSAOAEPParameters(
new RSAOAEPParameters(SignatureConstants.ALGO_ID_DIGEST_SHA1, null, "oaep-params-3"));
resolver.setMergeMetadataRSAOAEPParametersWithConfig(true);
rsaEncryptionMethod =
buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP11);
digestMethod = buildXMLObject(DigestMethod.DEFAULT_ELEMENT_NAME);
digestMethod.setAlgorithm(EncryptionConstants.ALGO_ID_DIGEST_SHA256);
rsaEncryptionMethod.getUnknownXMLObjects().add(digestMethod);
keyDescriptor.getEncryptionMethods().clear();
keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod);
params = resolver.resolveSingle(criteriaSet);
Assert.assertNotNull(params.getRSAOAEPParameters());
Assert.assertEquals(
params.getRSAOAEPParameters().getDigestMethod(),
EncryptionConstants.ALGO_ID_DIGEST_SHA256);
Assert.assertNull(params.getRSAOAEPParameters().getMaskGenerationFunction());
Assert.assertEquals(params.getRSAOAEPParameters().getOAEPParams(), "oaep-params-3");
} finally {
providerSupport.unloadBC();
ConfigurationService.register(AlgorithmRegistry.class, originalRegistry);
}
}