@Test
  public void testWithAlgorithmOverrides() throws ResolverException {
    roleDesc
        .getKeyDescriptors()
        .add(buildKeyDescriptor(rsaCred1KeyName, UsageType.ENCRYPTION, rsaCred1.getPublicKey()));

    config2.setDataEncryptionAlgorithms(
        Collections.singletonList(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256));
    config2.setKeyTransportEncryptionAlgorithms(
        Collections.singletonList(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15));

    EncryptionParameters params = resolver.resolveSingle(criteriaSet);

    Assert.assertNotNull(params);
    Assert.assertEquals(
        params.getKeyTransportEncryptionCredential().getPublicKey(), rsaCred1.getPublicKey());
    Assert.assertEquals(
        params.getKeyTransportEncryptionAlgorithm(),
        EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15);
    Assert.assertNotNull(params.getKeyTransportKeyInfoGenerator());

    Assert.assertNull(params.getDataEncryptionCredential());
    Assert.assertEquals(
        params.getDataEncryptionAlgorithm(), EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256);
    Assert.assertNull(params.getDataKeyInfoGenerator());
  }
  @Test
  public void testEncryptionMethodWithWhitelist() throws ResolverException {
    KeyDescriptor keyDescriptor =
        buildKeyDescriptor(rsaCred1KeyName, UsageType.ENCRYPTION, rsaCred1.getPublicKey());
    keyDescriptor
        .getEncryptionMethods()
        .add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15));
    keyDescriptor
        .getEncryptionMethods()
        .add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_BLOCKCIPHER_TRIPLEDES));
    roleDesc.getKeyDescriptors().add(keyDescriptor);

    config1.setWhitelistedAlgorithms(
        Arrays.asList(
            EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP,
            EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192));

    EncryptionParameters params = resolver.resolveSingle(criteriaSet);

    Assert.assertNotNull(params);
    Assert.assertEquals(
        params.getKeyTransportEncryptionCredential().getPublicKey(), rsaCred1.getPublicKey());
    Assert.assertEquals(
        params.getKeyTransportEncryptionAlgorithm(),
        EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
    Assert.assertNotNull(params.getKeyTransportKeyInfoGenerator());

    Assert.assertNull(params.getDataEncryptionCredential());
    Assert.assertEquals(
        params.getDataEncryptionAlgorithm(), EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192);
    Assert.assertNull(params.getDataKeyInfoGenerator());
  }
  @Test
  public void testResolve() throws ResolverException {
    roleDesc
        .getKeyDescriptors()
        .add(buildKeyDescriptor(rsaCred1KeyName, UsageType.ENCRYPTION, rsaCred1.getPublicKey()));

    Iterable<EncryptionParameters> paramsIter = resolver.resolve(criteriaSet);
    Assert.assertNotNull(paramsIter);

    Iterator<EncryptionParameters> iterator = paramsIter.iterator();
    Assert.assertNotNull(iterator);

    Assert.assertTrue(iterator.hasNext());

    EncryptionParameters params = iterator.next();

    Assert.assertNotNull(params);
    Assert.assertEquals(
        params.getKeyTransportEncryptionCredential().getPublicKey(), rsaCred1.getPublicKey());
    Assert.assertEquals(params.getKeyTransportEncryptionAlgorithm(), defaultRSAKeyTransportAlgo);
    Assert.assertNotNull(params.getKeyTransportKeyInfoGenerator());

    Assert.assertNull(params.getDataEncryptionCredential());
    Assert.assertEquals(params.getDataEncryptionAlgorithm(), defaultAES128DataAlgo);
    Assert.assertNull(params.getDataKeyInfoGenerator());

    Assert.assertFalse(iterator.hasNext());
  }
  @Test
  public void testWithRSAOAEPParametersFromConfig() throws ResolverException {
    roleDesc
        .getKeyDescriptors()
        .add(buildKeyDescriptor(rsaCred1KeyName, UsageType.ENCRYPTION, rsaCred1.getPublicKey()));
    config3.setRSAOAEPParameters(
        new RSAOAEPParameters(EncryptionConstants.ALGO_ID_DIGEST_SHA256, null, "oaep-params-3"));

    EncryptionParameters params = resolver.resolveSingle(criteriaSet);

    Assert.assertNotNull(params);
    Assert.assertEquals(
        params.getKeyTransportEncryptionCredential().getPublicKey(), rsaCred1.getPublicKey());
    Assert.assertEquals(params.getKeyTransportEncryptionAlgorithm(), defaultRSAKeyTransportAlgo);
    Assert.assertNotNull(params.getKeyTransportKeyInfoGenerator());

    Assert.assertNull(params.getDataEncryptionCredential());
    Assert.assertEquals(params.getDataEncryptionAlgorithm(), defaultAES128DataAlgo);
    Assert.assertNull(params.getDataKeyInfoGenerator());

    Assert.assertNotNull(params.getRSAOAEPParameters());
    Assert.assertEquals(
        params.getRSAOAEPParameters().getDigestMethod(), EncryptionConstants.ALGO_ID_DIGEST_SHA256);
    Assert.assertNull(params.getRSAOAEPParameters().getMaskGenerationFunction());
    Assert.assertEquals(params.getRSAOAEPParameters().getOAEPParams(), "oaep-params-3");
  }
  @Test
  public void testOnlySigningDescriptor() throws ResolverException {
    roleDesc
        .getKeyDescriptors()
        .add(buildKeyDescriptor(dsaCred1KeyName, UsageType.SIGNING, dsaCred1.getPublicKey()));

    EncryptionParameters params = resolver.resolveSingle(criteriaSet);

    Assert.assertNull(params);
  }
  @Test
  public void testDSACredWithUnspecifiedUse() throws ResolverException {
    roleDesc
        .getKeyDescriptors()
        .add(buildKeyDescriptor(dsaCred1KeyName, null, dsaCred1.getPublicKey()));

    EncryptionParameters params = resolver.resolveSingle(criteriaSet);

    Assert.assertNull(params);
  }
  @Test
  public void testNoDataEncryptionAlgorithmForEncrypterAutoGen() throws ResolverException {
    roleDesc
        .getKeyDescriptors()
        .add(buildKeyDescriptor(rsaCred1KeyName, UsageType.ENCRYPTION, rsaCred1.getPublicKey()));
    config3.setDataEncryptionAlgorithms(new ArrayList<String>());

    EncryptionParameters params = resolver.resolveSingle(criteriaSet);

    Assert.assertNull(params);
  }
  @Test
  public void testKeyInfoGenerationProfile() throws ResolverException {
    roleDesc
        .getKeyDescriptors()
        .add(buildKeyDescriptor(rsaCred1KeyName, UsageType.ENCRYPTION, rsaCred1.getPublicKey()));
    resolver.setAutoGenerateDataEncryptionCredential(true);

    criteriaSet.add(new KeyInfoGenerationProfileCriterion("testKeyInfoProfile"));

    defaultDataEncryptionKeyInfoGeneratorManager.setUseDefaultManager(true);
    defaultKeyTransportKeyInfoGeneratorManager.setUseDefaultManager(true);

    EncryptionParameters params = resolver.resolveSingle(criteriaSet);

    Assert.assertNotNull(params.getDataKeyInfoGenerator());
    Assert.assertNotNull(params.getKeyTransportKeyInfoGenerator());

    defaultDataEncryptionKeyInfoGeneratorManager.setUseDefaultManager(false);
    defaultKeyTransportKeyInfoGeneratorManager.setUseDefaultManager(false);

    params = resolver.resolveSingle(criteriaSet);

    Assert.assertNull(params.getDataKeyInfoGenerator());
    Assert.assertNull(params.getKeyTransportKeyInfoGenerator());

    defaultDataEncryptionKeyInfoGeneratorManager.setUseDefaultManager(false);
    defaultKeyTransportKeyInfoGeneratorManager.setUseDefaultManager(false);
    defaultDataEncryptionKeyInfoGeneratorManager.registerFactory(
        "testKeyInfoProfile", new BasicKeyInfoGeneratorFactory());
    defaultKeyTransportKeyInfoGeneratorManager.registerFactory(
        "testKeyInfoProfile", new BasicKeyInfoGeneratorFactory());

    params = resolver.resolveSingle(criteriaSet);

    Assert.assertNotNull(params.getDataKeyInfoGenerator());
    Assert.assertNotNull(params.getKeyTransportKeyInfoGenerator());
  }
  @Test
  public void testGeneratedDataCredential() throws ResolverException {
    roleDesc
        .getKeyDescriptors()
        .add(buildKeyDescriptor(rsaCred1KeyName, UsageType.ENCRYPTION, rsaCred1.getPublicKey()));

    resolver.setAutoGenerateDataEncryptionCredential(true);

    EncryptionParameters params = resolver.resolveSingle(criteriaSet);

    Assert.assertNotNull(params);
    Assert.assertEquals(
        params.getKeyTransportEncryptionCredential().getPublicKey(), rsaCred1.getPublicKey());
    Assert.assertEquals(params.getKeyTransportEncryptionAlgorithm(), defaultRSAKeyTransportAlgo);
    Assert.assertNotNull(params.getKeyTransportKeyInfoGenerator());

    Assert.assertNotNull(params.getDataEncryptionCredential());
    Assert.assertNotNull(params.getDataEncryptionCredential().getSecretKey());
    Assert.assertEquals(params.getDataEncryptionAlgorithm(), defaultAES128DataAlgo);
    Assert.assertEquals(
        KeySupport.getKeyLength(params.getDataEncryptionCredential().getSecretKey()),
        new Integer(128));
    Assert.assertNotNull(params.getDataKeyInfoGenerator());
  }
  @Test
  public void testEncryptionMethodWithBlacklistedDigest() throws ResolverException {
    EncryptionMethod rsaEncryptionMethod;
    DigestMethod digestMethod;

    KeyDescriptor keyDescriptor =
        buildKeyDescriptor(rsaCred1KeyName, UsageType.ENCRYPTION, rsaCred1.getPublicKey());

    // This one will be effectively blacklist due to the DigestMethod SHA-1, won't be resolved.
    rsaEncryptionMethod = buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
    digestMethod = buildXMLObject(DigestMethod.DEFAULT_ELEMENT_NAME);
    digestMethod.setAlgorithm(SignatureConstants.ALGO_ID_DIGEST_SHA1);
    rsaEncryptionMethod.getUnknownXMLObjects().add(digestMethod);
    keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod);

    // This one will be resolved with DigestMethod SHA-256.
    rsaEncryptionMethod = buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
    digestMethod = buildXMLObject(DigestMethod.DEFAULT_ELEMENT_NAME);
    digestMethod.setAlgorithm(EncryptionConstants.ALGO_ID_DIGEST_SHA256);
    rsaEncryptionMethod.getUnknownXMLObjects().add(digestMethod);
    keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod);

    roleDesc.getKeyDescriptors().add(keyDescriptor);

    config1.setBlacklistedAlgorithms(Arrays.asList(SignatureConstants.ALGO_ID_DIGEST_SHA1));

    EncryptionParameters params = resolver.resolveSingle(criteriaSet);

    Assert.assertNotNull(params);
    Assert.assertEquals(
        params.getKeyTransportEncryptionCredential().getPublicKey(), rsaCred1.getPublicKey());
    Assert.assertEquals(
        params.getKeyTransportEncryptionAlgorithm(),
        EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
    Assert.assertNotNull(params.getKeyTransportKeyInfoGenerator());
    Assert.assertNotNull(params.getRSAOAEPParameters());
    Assert.assertEquals(
        params.getRSAOAEPParameters().getDigestMethod(), EncryptionConstants.ALGO_ID_DIGEST_SHA256);
    Assert.assertNull(params.getRSAOAEPParameters().getMaskGenerationFunction());
    Assert.assertNull(params.getRSAOAEPParameters().getOAEPParams());

    Assert.assertNull(params.getDataEncryptionCredential());
    Assert.assertEquals(params.getDataEncryptionAlgorithm(), defaultAES128DataAlgo);
    Assert.assertNull(params.getDataKeyInfoGenerator());
  }
  @Test
  public void testRSACredWithUnspecifiedUse() throws ResolverException {
    roleDesc
        .getKeyDescriptors()
        .add(buildKeyDescriptor(rsaCred1KeyName, null, rsaCred1.getPublicKey()));

    EncryptionParameters params = resolver.resolveSingle(criteriaSet);

    Assert.assertNotNull(params);
    Assert.assertEquals(
        params.getKeyTransportEncryptionCredential().getPublicKey(), rsaCred1.getPublicKey());
    Assert.assertEquals(params.getKeyTransportEncryptionAlgorithm(), defaultRSAKeyTransportAlgo);
    Assert.assertNotNull(params.getKeyTransportKeyInfoGenerator());

    Assert.assertNull(params.getDataEncryptionCredential());
    Assert.assertEquals(params.getDataEncryptionAlgorithm(), defaultAES128DataAlgo);
    Assert.assertNull(params.getDataKeyInfoGenerator());
  }
  @Test
  public void testMultipleKeyDescriptors() throws ResolverException {
    roleDesc
        .getKeyDescriptors()
        .add(buildKeyDescriptor(dsaCred1KeyName, UsageType.SIGNING, dsaCred1.getPublicKey()));
    roleDesc
        .getKeyDescriptors()
        .add(buildKeyDescriptor(rsaCred1KeyName, UsageType.ENCRYPTION, rsaCred1.getPublicKey()));

    EncryptionParameters params = resolver.resolveSingle(criteriaSet);

    Assert.assertNotNull(params);
    Assert.assertEquals(
        params.getKeyTransportEncryptionCredential().getPublicKey(), rsaCred1.getPublicKey());
    Assert.assertEquals(params.getKeyTransportEncryptionAlgorithm(), defaultRSAKeyTransportAlgo);
    Assert.assertNotNull(params.getKeyTransportKeyInfoGenerator());

    Assert.assertNull(params.getDataEncryptionCredential());
    Assert.assertEquals(params.getDataEncryptionAlgorithm(), defaultAES128DataAlgo);
    Assert.assertNull(params.getDataKeyInfoGenerator());
  }
  @Test
  public void testWithBlacklist() throws ResolverException {
    roleDesc
        .getKeyDescriptors()
        .add(buildKeyDescriptor(rsaCred1KeyName, UsageType.ENCRYPTION, rsaCred1.getPublicKey()));

    config1.setBlacklistedAlgorithms(
        Arrays.asList(defaultRSAKeyTransportAlgo, defaultAES128DataAlgo, defaultAES192DataAlgo));

    EncryptionParameters params = resolver.resolveSingle(criteriaSet);

    Assert.assertNotNull(params);
    Assert.assertEquals(
        params.getKeyTransportEncryptionCredential().getPublicKey(), rsaCred1.getPublicKey());
    Assert.assertEquals(
        params.getKeyTransportEncryptionAlgorithm(),
        EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15);
    Assert.assertNotNull(params.getKeyTransportKeyInfoGenerator());

    Assert.assertNull(params.getDataEncryptionCredential());
    Assert.assertEquals(params.getDataEncryptionAlgorithm(), defaultAES256DataAlgo);
    Assert.assertNull(params.getDataKeyInfoGenerator());
  }
 @Test(expectedExceptions = ConstraintViolationException.class)
 public void testAbsentCriterion() throws ResolverException {
   resolver.resolve(new CriteriaSet());
 }
 @Test(expectedExceptions = ConstraintViolationException.class)
 public void testNullCriteriaSet() throws ResolverException {
   resolver.resolve(null);
 }
  @Test
  public void testNoCredentials() throws ResolverException {
    EncryptionParameters params = resolver.resolveSingle(criteriaSet);

    Assert.assertNull(params);
  }
  @Test
  public void testEncryptionMethodWithRSAOAEPParameters()
      throws ResolverException, InitializationException {
    EncryptionParameters params;
    EncryptionMethod rsaEncryptionMethod;
    DigestMethod digestMethod;
    MGF mgf;
    OAEPparams oaepParams;

    KeyDescriptor keyDescriptor =
        buildKeyDescriptor(rsaCred1KeyName, UsageType.ENCRYPTION, rsaCred1.getPublicKey());
    roleDesc.getKeyDescriptors().add(keyDescriptor);

    // Shouldn't resolve, since not RSA OAEP
    rsaEncryptionMethod = buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15);
    keyDescriptor.getEncryptionMethods().clear();
    keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod);
    params = resolver.resolveSingle(criteriaSet);
    Assert.assertNull(params.getRSAOAEPParameters());

    // Should resolve empty instance
    rsaEncryptionMethod = buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
    keyDescriptor.getEncryptionMethods().clear();
    keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod);
    params = resolver.resolveSingle(criteriaSet);
    Assert.assertNotNull(params.getRSAOAEPParameters());
    Assert.assertTrue(params.getRSAOAEPParameters().isEmpty());

    // Load BouncyCastle so can really test RSA OAEP 1.1 stuff.
    AlgorithmRegistry originalRegistry = AlgorithmSupport.getGlobalAlgorithmRegistry();
    Assert.assertNotNull(originalRegistry);
    providerSupport.loadBC();
    new GlobalAlgorithmRegistryInitializer().init();
    resolver.setAlgorithmRegistry(AlgorithmSupport.getGlobalAlgorithmRegistry());

    try {
      // Should resolve digest from metadata
      rsaEncryptionMethod =
          buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP11);
      digestMethod = buildXMLObject(DigestMethod.DEFAULT_ELEMENT_NAME);
      digestMethod.setAlgorithm(EncryptionConstants.ALGO_ID_DIGEST_SHA256);
      rsaEncryptionMethod.getUnknownXMLObjects().add(digestMethod);
      keyDescriptor.getEncryptionMethods().clear();
      keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod);
      params = resolver.resolveSingle(criteriaSet);
      Assert.assertNotNull(params.getRSAOAEPParameters());
      Assert.assertEquals(
          params.getRSAOAEPParameters().getDigestMethod(),
          EncryptionConstants.ALGO_ID_DIGEST_SHA256);
      Assert.assertNull(params.getRSAOAEPParameters().getMaskGenerationFunction());
      Assert.assertNull(params.getRSAOAEPParameters().getOAEPParams());

      // Should resolve all values from metadata
      rsaEncryptionMethod =
          buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP11);
      digestMethod = buildXMLObject(DigestMethod.DEFAULT_ELEMENT_NAME);
      digestMethod.setAlgorithm(EncryptionConstants.ALGO_ID_DIGEST_SHA256);
      rsaEncryptionMethod.getUnknownXMLObjects().add(digestMethod);
      mgf = buildXMLObject(MGF.DEFAULT_ELEMENT_NAME);
      mgf.setAlgorithm(EncryptionConstants.ALGO_ID_MGF1_SHA256);
      rsaEncryptionMethod.getUnknownXMLObjects().add(mgf);
      oaepParams = buildXMLObject(OAEPparams.DEFAULT_ELEMENT_NAME);
      oaepParams.setValue("oaep-params-md");
      rsaEncryptionMethod.setOAEPparams(oaepParams);
      keyDescriptor.getEncryptionMethods().clear();
      keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod);
      params = resolver.resolveSingle(criteriaSet);
      Assert.assertNotNull(params.getRSAOAEPParameters());
      Assert.assertEquals(
          params.getRSAOAEPParameters().getDigestMethod(),
          EncryptionConstants.ALGO_ID_DIGEST_SHA256);
      Assert.assertEquals(
          params.getRSAOAEPParameters().getMaskGenerationFunction(),
          EncryptionConstants.ALGO_ID_MGF1_SHA256);
      Assert.assertEquals(params.getRSAOAEPParameters().getOAEPParams(), "oaep-params-md");

      // Should resolve digest from metadata, should NOT resolve OAEPParms from config by default
      config3.setRSAOAEPParameters(
          new RSAOAEPParameters(SignatureConstants.ALGO_ID_DIGEST_SHA1, null, "oaep-params-3"));
      rsaEncryptionMethod =
          buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP11);
      digestMethod = buildXMLObject(DigestMethod.DEFAULT_ELEMENT_NAME);
      digestMethod.setAlgorithm(EncryptionConstants.ALGO_ID_DIGEST_SHA256);
      rsaEncryptionMethod.getUnknownXMLObjects().add(digestMethod);
      keyDescriptor.getEncryptionMethods().clear();
      keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod);
      params = resolver.resolveSingle(criteriaSet);
      Assert.assertNotNull(params.getRSAOAEPParameters());
      Assert.assertEquals(
          params.getRSAOAEPParameters().getDigestMethod(),
          EncryptionConstants.ALGO_ID_DIGEST_SHA256);
      Assert.assertNull(params.getRSAOAEPParameters().getMaskGenerationFunction());
      Assert.assertNull(params.getRSAOAEPParameters().getOAEPParams());

      // Should resolve digest from metadata, should resolve OAEPParms from config3
      config3.setRSAOAEPParameters(
          new RSAOAEPParameters(SignatureConstants.ALGO_ID_DIGEST_SHA1, null, "oaep-params-3"));
      resolver.setMergeMetadataRSAOAEPParametersWithConfig(true);
      rsaEncryptionMethod =
          buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP11);
      digestMethod = buildXMLObject(DigestMethod.DEFAULT_ELEMENT_NAME);
      digestMethod.setAlgorithm(EncryptionConstants.ALGO_ID_DIGEST_SHA256);
      rsaEncryptionMethod.getUnknownXMLObjects().add(digestMethod);
      keyDescriptor.getEncryptionMethods().clear();
      keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod);
      params = resolver.resolveSingle(criteriaSet);
      Assert.assertNotNull(params.getRSAOAEPParameters());
      Assert.assertEquals(
          params.getRSAOAEPParameters().getDigestMethod(),
          EncryptionConstants.ALGO_ID_DIGEST_SHA256);
      Assert.assertNull(params.getRSAOAEPParameters().getMaskGenerationFunction());
      Assert.assertEquals(params.getRSAOAEPParameters().getOAEPParams(), "oaep-params-3");

    } finally {
      providerSupport.unloadBC();
      ConfigurationService.register(AlgorithmRegistry.class, originalRegistry);
    }
  }
  @Test
  public void testKeyTransportAlgorithmPredicate() throws ResolverException {
    KeyDescriptor keyDescriptor =
        buildKeyDescriptor(rsaCred1KeyName, UsageType.ENCRYPTION, rsaCred1.getPublicKey());
    keyDescriptor
        .getEncryptionMethods()
        .add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP));
    keyDescriptor
        .getEncryptionMethods()
        .add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15));
    keyDescriptor
        .getEncryptionMethods()
        .add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256));
    keyDescriptor
        .getEncryptionMethods()
        .add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192));
    keyDescriptor
        .getEncryptionMethods()
        .add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128));
    roleDesc.getKeyDescriptors().add(keyDescriptor);

    // Data algorithm -> key transport algorithm preferences mappings
    HashMap<String, String> algoMap = new HashMap<>();
    algoMap.put(
        EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256,
        EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15);
    algoMap.put(
        EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192,
        EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
    KeyTransportAlgorithmPredicate predicate = new MapBasedKeyTransportAlgorithmPredicate(algoMap);

    // Without the predicate, for control
    EncryptionParameters params = resolver.resolveSingle(criteriaSet);
    Assert.assertEquals(
        params.getDataEncryptionAlgorithm(), EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256);
    Assert.assertEquals(
        params.getKeyTransportEncryptionAlgorithm(),
        EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);

    config1.setKeyTransportAlgorithmPredicate(predicate);

    // Explicit preference with predicate, mapping # 1
    params = resolver.resolveSingle(criteriaSet);
    Assert.assertEquals(
        params.getDataEncryptionAlgorithm(), EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256);
    Assert.assertEquals(
        params.getKeyTransportEncryptionAlgorithm(),
        EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15);

    // Change algo ordering
    keyDescriptor.getEncryptionMethods().clear();
    keyDescriptor
        .getEncryptionMethods()
        .add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15));
    keyDescriptor
        .getEncryptionMethods()
        .add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP));
    keyDescriptor
        .getEncryptionMethods()
        .add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192));
    keyDescriptor
        .getEncryptionMethods()
        .add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128));

    // Explicit preference with predicate, mapping # 2
    params = resolver.resolveSingle(criteriaSet);
    Assert.assertEquals(
        params.getDataEncryptionAlgorithm(), EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192);
    Assert.assertEquals(
        params.getKeyTransportEncryptionAlgorithm(),
        EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
  }