@Test
  public void testWithAlgorithmOverrides() throws ResolverException {
    roleDesc
        .getKeyDescriptors()
        .add(buildKeyDescriptor(rsaCred1KeyName, UsageType.ENCRYPTION, rsaCred1.getPublicKey()));

    config2.setDataEncryptionAlgorithms(
        Collections.singletonList(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256));
    config2.setKeyTransportEncryptionAlgorithms(
        Collections.singletonList(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15));

    EncryptionParameters params = resolver.resolveSingle(criteriaSet);

    Assert.assertNotNull(params);
    Assert.assertEquals(
        params.getKeyTransportEncryptionCredential().getPublicKey(), rsaCred1.getPublicKey());
    Assert.assertEquals(
        params.getKeyTransportEncryptionAlgorithm(),
        EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15);
    Assert.assertNotNull(params.getKeyTransportKeyInfoGenerator());

    Assert.assertNull(params.getDataEncryptionCredential());
    Assert.assertEquals(
        params.getDataEncryptionAlgorithm(), EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256);
    Assert.assertNull(params.getDataKeyInfoGenerator());
  }
  @BeforeMethod
  public void setUp() throws ComponentInitializationException {
    mdCredResolver = new MetadataCredentialResolver();
    mdCredResolver.setKeyInfoCredentialResolver(SAMLTestSupport.buildBasicInlineKeyInfoResolver());
    mdCredResolver.initialize();

    resolver = new SAMLMetadataEncryptionParametersResolver(mdCredResolver);

    config1 = new BasicEncryptionConfiguration();
    config2 = new BasicEncryptionConfiguration();
    config3 = new BasicEncryptionConfiguration();

    // Set these as defaults on the last config in the chain, just so don't have to set in every
    // test.
    config3.setDataEncryptionAlgorithms(
        Arrays.asList(
            defaultAES128DataAlgo,
            defaultAES192DataAlgo,
            defaultAES256DataAlgo,
            EncryptionConstants.ALGO_ID_BLOCKCIPHER_TRIPLEDES,
            EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128_GCM,
            EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192_GCM,
            EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256_GCM));
    config3.setKeyTransportEncryptionAlgorithms(
        Arrays.asList(
            defaultRSAKeyTransportAlgo,
            EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15,
            EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP11,
            EncryptionConstants.ALGO_ID_KEYWRAP_AES128,
            EncryptionConstants.ALGO_ID_KEYWRAP_AES192,
            EncryptionConstants.ALGO_ID_KEYWRAP_AES256,
            EncryptionConstants.ALGO_ID_KEYWRAP_TRIPLEDES));

    BasicKeyInfoGeneratorFactory basicFactory1 = new BasicKeyInfoGeneratorFactory();
    X509KeyInfoGeneratorFactory x509Factory1 = new X509KeyInfoGeneratorFactory();
    defaultKeyTransportKeyInfoGeneratorManager = new NamedKeyInfoGeneratorManager();
    defaultKeyTransportKeyInfoGeneratorManager.registerDefaultFactory(basicFactory1);
    defaultKeyTransportKeyInfoGeneratorManager.registerDefaultFactory(x509Factory1);
    config3.setKeyTransportKeyInfoGeneratorManager(defaultKeyTransportKeyInfoGeneratorManager);

    BasicKeyInfoGeneratorFactory basicFactory2 = new BasicKeyInfoGeneratorFactory();
    X509KeyInfoGeneratorFactory x509Factory2 = new X509KeyInfoGeneratorFactory();
    defaultDataEncryptionKeyInfoGeneratorManager = new NamedKeyInfoGeneratorManager();
    defaultDataEncryptionKeyInfoGeneratorManager.registerDefaultFactory(basicFactory2);
    defaultDataEncryptionKeyInfoGeneratorManager.registerDefaultFactory(x509Factory2);
    config3.setDataKeyInfoGeneratorManager(defaultDataEncryptionKeyInfoGeneratorManager);

    configCriterion = new EncryptionConfigurationCriterion(config1, config2, config3);

    roleDesc = buildRoleDescriptorSkeleton();
    roleDescCriterion = new RoleDescriptorCriterion(roleDesc);

    criteriaSet = new CriteriaSet(configCriterion, roleDescCriterion);
  }
  @Test
  public void testEncryptionMethodWithWhitelist() throws ResolverException {
    KeyDescriptor keyDescriptor =
        buildKeyDescriptor(rsaCred1KeyName, UsageType.ENCRYPTION, rsaCred1.getPublicKey());
    keyDescriptor
        .getEncryptionMethods()
        .add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15));
    keyDescriptor
        .getEncryptionMethods()
        .add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_BLOCKCIPHER_TRIPLEDES));
    roleDesc.getKeyDescriptors().add(keyDescriptor);

    config1.setWhitelistedAlgorithms(
        Arrays.asList(
            EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP,
            EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192));

    EncryptionParameters params = resolver.resolveSingle(criteriaSet);

    Assert.assertNotNull(params);
    Assert.assertEquals(
        params.getKeyTransportEncryptionCredential().getPublicKey(), rsaCred1.getPublicKey());
    Assert.assertEquals(
        params.getKeyTransportEncryptionAlgorithm(),
        EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
    Assert.assertNotNull(params.getKeyTransportKeyInfoGenerator());

    Assert.assertNull(params.getDataEncryptionCredential());
    Assert.assertEquals(
        params.getDataEncryptionAlgorithm(), EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192);
    Assert.assertNull(params.getDataKeyInfoGenerator());
  }
  @Test
  public void testWithRSAOAEPParametersFromConfig() throws ResolverException {
    roleDesc
        .getKeyDescriptors()
        .add(buildKeyDescriptor(rsaCred1KeyName, UsageType.ENCRYPTION, rsaCred1.getPublicKey()));
    config3.setRSAOAEPParameters(
        new RSAOAEPParameters(EncryptionConstants.ALGO_ID_DIGEST_SHA256, null, "oaep-params-3"));

    EncryptionParameters params = resolver.resolveSingle(criteriaSet);

    Assert.assertNotNull(params);
    Assert.assertEquals(
        params.getKeyTransportEncryptionCredential().getPublicKey(), rsaCred1.getPublicKey());
    Assert.assertEquals(params.getKeyTransportEncryptionAlgorithm(), defaultRSAKeyTransportAlgo);
    Assert.assertNotNull(params.getKeyTransportKeyInfoGenerator());

    Assert.assertNull(params.getDataEncryptionCredential());
    Assert.assertEquals(params.getDataEncryptionAlgorithm(), defaultAES128DataAlgo);
    Assert.assertNull(params.getDataKeyInfoGenerator());

    Assert.assertNotNull(params.getRSAOAEPParameters());
    Assert.assertEquals(
        params.getRSAOAEPParameters().getDigestMethod(), EncryptionConstants.ALGO_ID_DIGEST_SHA256);
    Assert.assertNull(params.getRSAOAEPParameters().getMaskGenerationFunction());
    Assert.assertEquals(params.getRSAOAEPParameters().getOAEPParams(), "oaep-params-3");
  }
  @Test
  public void testNoDataEncryptionAlgorithmForEncrypterAutoGen() throws ResolverException {
    roleDesc
        .getKeyDescriptors()
        .add(buildKeyDescriptor(rsaCred1KeyName, UsageType.ENCRYPTION, rsaCred1.getPublicKey()));
    config3.setDataEncryptionAlgorithms(new ArrayList<String>());

    EncryptionParameters params = resolver.resolveSingle(criteriaSet);

    Assert.assertNull(params);
  }
  @Test
  public void testEncryptionMethodWithBlacklistedDigest() throws ResolverException {
    EncryptionMethod rsaEncryptionMethod;
    DigestMethod digestMethod;

    KeyDescriptor keyDescriptor =
        buildKeyDescriptor(rsaCred1KeyName, UsageType.ENCRYPTION, rsaCred1.getPublicKey());

    // This one will be effectively blacklist due to the DigestMethod SHA-1, won't be resolved.
    rsaEncryptionMethod = buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
    digestMethod = buildXMLObject(DigestMethod.DEFAULT_ELEMENT_NAME);
    digestMethod.setAlgorithm(SignatureConstants.ALGO_ID_DIGEST_SHA1);
    rsaEncryptionMethod.getUnknownXMLObjects().add(digestMethod);
    keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod);

    // This one will be resolved with DigestMethod SHA-256.
    rsaEncryptionMethod = buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
    digestMethod = buildXMLObject(DigestMethod.DEFAULT_ELEMENT_NAME);
    digestMethod.setAlgorithm(EncryptionConstants.ALGO_ID_DIGEST_SHA256);
    rsaEncryptionMethod.getUnknownXMLObjects().add(digestMethod);
    keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod);

    roleDesc.getKeyDescriptors().add(keyDescriptor);

    config1.setBlacklistedAlgorithms(Arrays.asList(SignatureConstants.ALGO_ID_DIGEST_SHA1));

    EncryptionParameters params = resolver.resolveSingle(criteriaSet);

    Assert.assertNotNull(params);
    Assert.assertEquals(
        params.getKeyTransportEncryptionCredential().getPublicKey(), rsaCred1.getPublicKey());
    Assert.assertEquals(
        params.getKeyTransportEncryptionAlgorithm(),
        EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
    Assert.assertNotNull(params.getKeyTransportKeyInfoGenerator());
    Assert.assertNotNull(params.getRSAOAEPParameters());
    Assert.assertEquals(
        params.getRSAOAEPParameters().getDigestMethod(), EncryptionConstants.ALGO_ID_DIGEST_SHA256);
    Assert.assertNull(params.getRSAOAEPParameters().getMaskGenerationFunction());
    Assert.assertNull(params.getRSAOAEPParameters().getOAEPParams());

    Assert.assertNull(params.getDataEncryptionCredential());
    Assert.assertEquals(params.getDataEncryptionAlgorithm(), defaultAES128DataAlgo);
    Assert.assertNull(params.getDataKeyInfoGenerator());
  }
  @Test
  public void testWithBlacklist() throws ResolverException {
    roleDesc
        .getKeyDescriptors()
        .add(buildKeyDescriptor(rsaCred1KeyName, UsageType.ENCRYPTION, rsaCred1.getPublicKey()));

    config1.setBlacklistedAlgorithms(
        Arrays.asList(defaultRSAKeyTransportAlgo, defaultAES128DataAlgo, defaultAES192DataAlgo));

    EncryptionParameters params = resolver.resolveSingle(criteriaSet);

    Assert.assertNotNull(params);
    Assert.assertEquals(
        params.getKeyTransportEncryptionCredential().getPublicKey(), rsaCred1.getPublicKey());
    Assert.assertEquals(
        params.getKeyTransportEncryptionAlgorithm(),
        EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15);
    Assert.assertNotNull(params.getKeyTransportKeyInfoGenerator());

    Assert.assertNull(params.getDataEncryptionCredential());
    Assert.assertEquals(params.getDataEncryptionAlgorithm(), defaultAES256DataAlgo);
    Assert.assertNull(params.getDataKeyInfoGenerator());
  }
  @Test
  public void testKeyTransportAlgorithmPredicate() throws ResolverException {
    KeyDescriptor keyDescriptor =
        buildKeyDescriptor(rsaCred1KeyName, UsageType.ENCRYPTION, rsaCred1.getPublicKey());
    keyDescriptor
        .getEncryptionMethods()
        .add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP));
    keyDescriptor
        .getEncryptionMethods()
        .add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15));
    keyDescriptor
        .getEncryptionMethods()
        .add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256));
    keyDescriptor
        .getEncryptionMethods()
        .add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192));
    keyDescriptor
        .getEncryptionMethods()
        .add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128));
    roleDesc.getKeyDescriptors().add(keyDescriptor);

    // Data algorithm -> key transport algorithm preferences mappings
    HashMap<String, String> algoMap = new HashMap<>();
    algoMap.put(
        EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256,
        EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15);
    algoMap.put(
        EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192,
        EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
    KeyTransportAlgorithmPredicate predicate = new MapBasedKeyTransportAlgorithmPredicate(algoMap);

    // Without the predicate, for control
    EncryptionParameters params = resolver.resolveSingle(criteriaSet);
    Assert.assertEquals(
        params.getDataEncryptionAlgorithm(), EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256);
    Assert.assertEquals(
        params.getKeyTransportEncryptionAlgorithm(),
        EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);

    config1.setKeyTransportAlgorithmPredicate(predicate);

    // Explicit preference with predicate, mapping # 1
    params = resolver.resolveSingle(criteriaSet);
    Assert.assertEquals(
        params.getDataEncryptionAlgorithm(), EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256);
    Assert.assertEquals(
        params.getKeyTransportEncryptionAlgorithm(),
        EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15);

    // Change algo ordering
    keyDescriptor.getEncryptionMethods().clear();
    keyDescriptor
        .getEncryptionMethods()
        .add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15));
    keyDescriptor
        .getEncryptionMethods()
        .add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP));
    keyDescriptor
        .getEncryptionMethods()
        .add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192));
    keyDescriptor
        .getEncryptionMethods()
        .add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128));

    // Explicit preference with predicate, mapping # 2
    params = resolver.resolveSingle(criteriaSet);
    Assert.assertEquals(
        params.getDataEncryptionAlgorithm(), EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192);
    Assert.assertEquals(
        params.getKeyTransportEncryptionAlgorithm(),
        EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
  }
  @Test
  public void testEncryptionMethodWithRSAOAEPParameters()
      throws ResolverException, InitializationException {
    EncryptionParameters params;
    EncryptionMethod rsaEncryptionMethod;
    DigestMethod digestMethod;
    MGF mgf;
    OAEPparams oaepParams;

    KeyDescriptor keyDescriptor =
        buildKeyDescriptor(rsaCred1KeyName, UsageType.ENCRYPTION, rsaCred1.getPublicKey());
    roleDesc.getKeyDescriptors().add(keyDescriptor);

    // Shouldn't resolve, since not RSA OAEP
    rsaEncryptionMethod = buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15);
    keyDescriptor.getEncryptionMethods().clear();
    keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod);
    params = resolver.resolveSingle(criteriaSet);
    Assert.assertNull(params.getRSAOAEPParameters());

    // Should resolve empty instance
    rsaEncryptionMethod = buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
    keyDescriptor.getEncryptionMethods().clear();
    keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod);
    params = resolver.resolveSingle(criteriaSet);
    Assert.assertNotNull(params.getRSAOAEPParameters());
    Assert.assertTrue(params.getRSAOAEPParameters().isEmpty());

    // Load BouncyCastle so can really test RSA OAEP 1.1 stuff.
    AlgorithmRegistry originalRegistry = AlgorithmSupport.getGlobalAlgorithmRegistry();
    Assert.assertNotNull(originalRegistry);
    providerSupport.loadBC();
    new GlobalAlgorithmRegistryInitializer().init();
    resolver.setAlgorithmRegistry(AlgorithmSupport.getGlobalAlgorithmRegistry());

    try {
      // Should resolve digest from metadata
      rsaEncryptionMethod =
          buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP11);
      digestMethod = buildXMLObject(DigestMethod.DEFAULT_ELEMENT_NAME);
      digestMethod.setAlgorithm(EncryptionConstants.ALGO_ID_DIGEST_SHA256);
      rsaEncryptionMethod.getUnknownXMLObjects().add(digestMethod);
      keyDescriptor.getEncryptionMethods().clear();
      keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod);
      params = resolver.resolveSingle(criteriaSet);
      Assert.assertNotNull(params.getRSAOAEPParameters());
      Assert.assertEquals(
          params.getRSAOAEPParameters().getDigestMethod(),
          EncryptionConstants.ALGO_ID_DIGEST_SHA256);
      Assert.assertNull(params.getRSAOAEPParameters().getMaskGenerationFunction());
      Assert.assertNull(params.getRSAOAEPParameters().getOAEPParams());

      // Should resolve all values from metadata
      rsaEncryptionMethod =
          buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP11);
      digestMethod = buildXMLObject(DigestMethod.DEFAULT_ELEMENT_NAME);
      digestMethod.setAlgorithm(EncryptionConstants.ALGO_ID_DIGEST_SHA256);
      rsaEncryptionMethod.getUnknownXMLObjects().add(digestMethod);
      mgf = buildXMLObject(MGF.DEFAULT_ELEMENT_NAME);
      mgf.setAlgorithm(EncryptionConstants.ALGO_ID_MGF1_SHA256);
      rsaEncryptionMethod.getUnknownXMLObjects().add(mgf);
      oaepParams = buildXMLObject(OAEPparams.DEFAULT_ELEMENT_NAME);
      oaepParams.setValue("oaep-params-md");
      rsaEncryptionMethod.setOAEPparams(oaepParams);
      keyDescriptor.getEncryptionMethods().clear();
      keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod);
      params = resolver.resolveSingle(criteriaSet);
      Assert.assertNotNull(params.getRSAOAEPParameters());
      Assert.assertEquals(
          params.getRSAOAEPParameters().getDigestMethod(),
          EncryptionConstants.ALGO_ID_DIGEST_SHA256);
      Assert.assertEquals(
          params.getRSAOAEPParameters().getMaskGenerationFunction(),
          EncryptionConstants.ALGO_ID_MGF1_SHA256);
      Assert.assertEquals(params.getRSAOAEPParameters().getOAEPParams(), "oaep-params-md");

      // Should resolve digest from metadata, should NOT resolve OAEPParms from config by default
      config3.setRSAOAEPParameters(
          new RSAOAEPParameters(SignatureConstants.ALGO_ID_DIGEST_SHA1, null, "oaep-params-3"));
      rsaEncryptionMethod =
          buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP11);
      digestMethod = buildXMLObject(DigestMethod.DEFAULT_ELEMENT_NAME);
      digestMethod.setAlgorithm(EncryptionConstants.ALGO_ID_DIGEST_SHA256);
      rsaEncryptionMethod.getUnknownXMLObjects().add(digestMethod);
      keyDescriptor.getEncryptionMethods().clear();
      keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod);
      params = resolver.resolveSingle(criteriaSet);
      Assert.assertNotNull(params.getRSAOAEPParameters());
      Assert.assertEquals(
          params.getRSAOAEPParameters().getDigestMethod(),
          EncryptionConstants.ALGO_ID_DIGEST_SHA256);
      Assert.assertNull(params.getRSAOAEPParameters().getMaskGenerationFunction());
      Assert.assertNull(params.getRSAOAEPParameters().getOAEPParams());

      // Should resolve digest from metadata, should resolve OAEPParms from config3
      config3.setRSAOAEPParameters(
          new RSAOAEPParameters(SignatureConstants.ALGO_ID_DIGEST_SHA1, null, "oaep-params-3"));
      resolver.setMergeMetadataRSAOAEPParametersWithConfig(true);
      rsaEncryptionMethod =
          buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP11);
      digestMethod = buildXMLObject(DigestMethod.DEFAULT_ELEMENT_NAME);
      digestMethod.setAlgorithm(EncryptionConstants.ALGO_ID_DIGEST_SHA256);
      rsaEncryptionMethod.getUnknownXMLObjects().add(digestMethod);
      keyDescriptor.getEncryptionMethods().clear();
      keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod);
      params = resolver.resolveSingle(criteriaSet);
      Assert.assertNotNull(params.getRSAOAEPParameters());
      Assert.assertEquals(
          params.getRSAOAEPParameters().getDigestMethod(),
          EncryptionConstants.ALGO_ID_DIGEST_SHA256);
      Assert.assertNull(params.getRSAOAEPParameters().getMaskGenerationFunction());
      Assert.assertEquals(params.getRSAOAEPParameters().getOAEPParams(), "oaep-params-3");

    } finally {
      providerSupport.unloadBC();
      ConfigurationService.register(AlgorithmRegistry.class, originalRegistry);
    }
  }