@Test
public void testWithAlgorithmOverrides() throws ResolverException {
roleDesc
.getKeyDescriptors()
.add(buildKeyDescriptor(rsaCred1KeyName, UsageType.ENCRYPTION, rsaCred1.getPublicKey()));
config2.setDataEncryptionAlgorithms(
Collections.singletonList(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256));
config2.setKeyTransportEncryptionAlgorithms(
Collections.singletonList(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15));
EncryptionParameters params = resolver.resolveSingle(criteriaSet);
Assert.assertNotNull(params);
Assert.assertEquals(
params.getKeyTransportEncryptionCredential().getPublicKey(), rsaCred1.getPublicKey());
Assert.assertEquals(
params.getKeyTransportEncryptionAlgorithm(),
EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15);
Assert.assertNotNull(params.getKeyTransportKeyInfoGenerator());
Assert.assertNull(params.getDataEncryptionCredential());
Assert.assertEquals(
params.getDataEncryptionAlgorithm(), EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256);
Assert.assertNull(params.getDataKeyInfoGenerator());
}
@BeforeMethod
public void setUp() throws ComponentInitializationException {
mdCredResolver = new MetadataCredentialResolver();
mdCredResolver.setKeyInfoCredentialResolver(SAMLTestSupport.buildBasicInlineKeyInfoResolver());
mdCredResolver.initialize();
resolver = new SAMLMetadataEncryptionParametersResolver(mdCredResolver);
config1 = new BasicEncryptionConfiguration();
config2 = new BasicEncryptionConfiguration();
config3 = new BasicEncryptionConfiguration();
// Set these as defaults on the last config in the chain, just so don't have to set in every
// test.
config3.setDataEncryptionAlgorithms(
Arrays.asList(
defaultAES128DataAlgo,
defaultAES192DataAlgo,
defaultAES256DataAlgo,
EncryptionConstants.ALGO_ID_BLOCKCIPHER_TRIPLEDES,
EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128_GCM,
EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192_GCM,
EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256_GCM));
config3.setKeyTransportEncryptionAlgorithms(
Arrays.asList(
defaultRSAKeyTransportAlgo,
EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15,
EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP11,
EncryptionConstants.ALGO_ID_KEYWRAP_AES128,
EncryptionConstants.ALGO_ID_KEYWRAP_AES192,
EncryptionConstants.ALGO_ID_KEYWRAP_AES256,
EncryptionConstants.ALGO_ID_KEYWRAP_TRIPLEDES));
BasicKeyInfoGeneratorFactory basicFactory1 = new BasicKeyInfoGeneratorFactory();
X509KeyInfoGeneratorFactory x509Factory1 = new X509KeyInfoGeneratorFactory();
defaultKeyTransportKeyInfoGeneratorManager = new NamedKeyInfoGeneratorManager();
defaultKeyTransportKeyInfoGeneratorManager.registerDefaultFactory(basicFactory1);
defaultKeyTransportKeyInfoGeneratorManager.registerDefaultFactory(x509Factory1);
config3.setKeyTransportKeyInfoGeneratorManager(defaultKeyTransportKeyInfoGeneratorManager);
BasicKeyInfoGeneratorFactory basicFactory2 = new BasicKeyInfoGeneratorFactory();
X509KeyInfoGeneratorFactory x509Factory2 = new X509KeyInfoGeneratorFactory();
defaultDataEncryptionKeyInfoGeneratorManager = new NamedKeyInfoGeneratorManager();
defaultDataEncryptionKeyInfoGeneratorManager.registerDefaultFactory(basicFactory2);
defaultDataEncryptionKeyInfoGeneratorManager.registerDefaultFactory(x509Factory2);
config3.setDataKeyInfoGeneratorManager(defaultDataEncryptionKeyInfoGeneratorManager);
configCriterion = new EncryptionConfigurationCriterion(config1, config2, config3);
roleDesc = buildRoleDescriptorSkeleton();
roleDescCriterion = new RoleDescriptorCriterion(roleDesc);
criteriaSet = new CriteriaSet(configCriterion, roleDescCriterion);
}
@Test
public void testEncryptionMethodWithWhitelist() throws ResolverException {
KeyDescriptor keyDescriptor =
buildKeyDescriptor(rsaCred1KeyName, UsageType.ENCRYPTION, rsaCred1.getPublicKey());
keyDescriptor
.getEncryptionMethods()
.add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15));
keyDescriptor
.getEncryptionMethods()
.add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_BLOCKCIPHER_TRIPLEDES));
roleDesc.getKeyDescriptors().add(keyDescriptor);
config1.setWhitelistedAlgorithms(
Arrays.asList(
EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP,
EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192));
EncryptionParameters params = resolver.resolveSingle(criteriaSet);
Assert.assertNotNull(params);
Assert.assertEquals(
params.getKeyTransportEncryptionCredential().getPublicKey(), rsaCred1.getPublicKey());
Assert.assertEquals(
params.getKeyTransportEncryptionAlgorithm(),
EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
Assert.assertNotNull(params.getKeyTransportKeyInfoGenerator());
Assert.assertNull(params.getDataEncryptionCredential());
Assert.assertEquals(
params.getDataEncryptionAlgorithm(), EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192);
Assert.assertNull(params.getDataKeyInfoGenerator());
}
@Test
public void testWithRSAOAEPParametersFromConfig() throws ResolverException {
roleDesc
.getKeyDescriptors()
.add(buildKeyDescriptor(rsaCred1KeyName, UsageType.ENCRYPTION, rsaCred1.getPublicKey()));
config3.setRSAOAEPParameters(
new RSAOAEPParameters(EncryptionConstants.ALGO_ID_DIGEST_SHA256, null, "oaep-params-3"));
EncryptionParameters params = resolver.resolveSingle(criteriaSet);
Assert.assertNotNull(params);
Assert.assertEquals(
params.getKeyTransportEncryptionCredential().getPublicKey(), rsaCred1.getPublicKey());
Assert.assertEquals(params.getKeyTransportEncryptionAlgorithm(), defaultRSAKeyTransportAlgo);
Assert.assertNotNull(params.getKeyTransportKeyInfoGenerator());
Assert.assertNull(params.getDataEncryptionCredential());
Assert.assertEquals(params.getDataEncryptionAlgorithm(), defaultAES128DataAlgo);
Assert.assertNull(params.getDataKeyInfoGenerator());
Assert.assertNotNull(params.getRSAOAEPParameters());
Assert.assertEquals(
params.getRSAOAEPParameters().getDigestMethod(), EncryptionConstants.ALGO_ID_DIGEST_SHA256);
Assert.assertNull(params.getRSAOAEPParameters().getMaskGenerationFunction());
Assert.assertEquals(params.getRSAOAEPParameters().getOAEPParams(), "oaep-params-3");
}
@Test
public void testNoDataEncryptionAlgorithmForEncrypterAutoGen() throws ResolverException {
roleDesc
.getKeyDescriptors()
.add(buildKeyDescriptor(rsaCred1KeyName, UsageType.ENCRYPTION, rsaCred1.getPublicKey()));
config3.setDataEncryptionAlgorithms(new ArrayList<String>());
EncryptionParameters params = resolver.resolveSingle(criteriaSet);
Assert.assertNull(params);
}
@Test
public void testEncryptionMethodWithBlacklistedDigest() throws ResolverException {
EncryptionMethod rsaEncryptionMethod;
DigestMethod digestMethod;
KeyDescriptor keyDescriptor =
buildKeyDescriptor(rsaCred1KeyName, UsageType.ENCRYPTION, rsaCred1.getPublicKey());
// This one will be effectively blacklist due to the DigestMethod SHA-1, won't be resolved.
rsaEncryptionMethod = buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
digestMethod = buildXMLObject(DigestMethod.DEFAULT_ELEMENT_NAME);
digestMethod.setAlgorithm(SignatureConstants.ALGO_ID_DIGEST_SHA1);
rsaEncryptionMethod.getUnknownXMLObjects().add(digestMethod);
keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod);
// This one will be resolved with DigestMethod SHA-256.
rsaEncryptionMethod = buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
digestMethod = buildXMLObject(DigestMethod.DEFAULT_ELEMENT_NAME);
digestMethod.setAlgorithm(EncryptionConstants.ALGO_ID_DIGEST_SHA256);
rsaEncryptionMethod.getUnknownXMLObjects().add(digestMethod);
keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod);
roleDesc.getKeyDescriptors().add(keyDescriptor);
config1.setBlacklistedAlgorithms(Arrays.asList(SignatureConstants.ALGO_ID_DIGEST_SHA1));
EncryptionParameters params = resolver.resolveSingle(criteriaSet);
Assert.assertNotNull(params);
Assert.assertEquals(
params.getKeyTransportEncryptionCredential().getPublicKey(), rsaCred1.getPublicKey());
Assert.assertEquals(
params.getKeyTransportEncryptionAlgorithm(),
EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
Assert.assertNotNull(params.getKeyTransportKeyInfoGenerator());
Assert.assertNotNull(params.getRSAOAEPParameters());
Assert.assertEquals(
params.getRSAOAEPParameters().getDigestMethod(), EncryptionConstants.ALGO_ID_DIGEST_SHA256);
Assert.assertNull(params.getRSAOAEPParameters().getMaskGenerationFunction());
Assert.assertNull(params.getRSAOAEPParameters().getOAEPParams());
Assert.assertNull(params.getDataEncryptionCredential());
Assert.assertEquals(params.getDataEncryptionAlgorithm(), defaultAES128DataAlgo);
Assert.assertNull(params.getDataKeyInfoGenerator());
}
@Test
public void testWithBlacklist() throws ResolverException {
roleDesc
.getKeyDescriptors()
.add(buildKeyDescriptor(rsaCred1KeyName, UsageType.ENCRYPTION, rsaCred1.getPublicKey()));
config1.setBlacklistedAlgorithms(
Arrays.asList(defaultRSAKeyTransportAlgo, defaultAES128DataAlgo, defaultAES192DataAlgo));
EncryptionParameters params = resolver.resolveSingle(criteriaSet);
Assert.assertNotNull(params);
Assert.assertEquals(
params.getKeyTransportEncryptionCredential().getPublicKey(), rsaCred1.getPublicKey());
Assert.assertEquals(
params.getKeyTransportEncryptionAlgorithm(),
EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15);
Assert.assertNotNull(params.getKeyTransportKeyInfoGenerator());
Assert.assertNull(params.getDataEncryptionCredential());
Assert.assertEquals(params.getDataEncryptionAlgorithm(), defaultAES256DataAlgo);
Assert.assertNull(params.getDataKeyInfoGenerator());
}
@Test
public void testKeyTransportAlgorithmPredicate() throws ResolverException {
KeyDescriptor keyDescriptor =
buildKeyDescriptor(rsaCred1KeyName, UsageType.ENCRYPTION, rsaCred1.getPublicKey());
keyDescriptor
.getEncryptionMethods()
.add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP));
keyDescriptor
.getEncryptionMethods()
.add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15));
keyDescriptor
.getEncryptionMethods()
.add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256));
keyDescriptor
.getEncryptionMethods()
.add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192));
keyDescriptor
.getEncryptionMethods()
.add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128));
roleDesc.getKeyDescriptors().add(keyDescriptor);
// Data algorithm -> key transport algorithm preferences mappings
HashMap<String, String> algoMap = new HashMap<>();
algoMap.put(
EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256,
EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15);
algoMap.put(
EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192,
EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
KeyTransportAlgorithmPredicate predicate = new MapBasedKeyTransportAlgorithmPredicate(algoMap);
// Without the predicate, for control
EncryptionParameters params = resolver.resolveSingle(criteriaSet);
Assert.assertEquals(
params.getDataEncryptionAlgorithm(), EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256);
Assert.assertEquals(
params.getKeyTransportEncryptionAlgorithm(),
EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
config1.setKeyTransportAlgorithmPredicate(predicate);
// Explicit preference with predicate, mapping # 1
params = resolver.resolveSingle(criteriaSet);
Assert.assertEquals(
params.getDataEncryptionAlgorithm(), EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256);
Assert.assertEquals(
params.getKeyTransportEncryptionAlgorithm(),
EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15);
// Change algo ordering
keyDescriptor.getEncryptionMethods().clear();
keyDescriptor
.getEncryptionMethods()
.add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15));
keyDescriptor
.getEncryptionMethods()
.add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP));
keyDescriptor
.getEncryptionMethods()
.add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192));
keyDescriptor
.getEncryptionMethods()
.add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128));
// Explicit preference with predicate, mapping # 2
params = resolver.resolveSingle(criteriaSet);
Assert.assertEquals(
params.getDataEncryptionAlgorithm(), EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192);
Assert.assertEquals(
params.getKeyTransportEncryptionAlgorithm(),
EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
}
@Test
public void testEncryptionMethodWithRSAOAEPParameters()
throws ResolverException, InitializationException {
EncryptionParameters params;
EncryptionMethod rsaEncryptionMethod;
DigestMethod digestMethod;
MGF mgf;
OAEPparams oaepParams;
KeyDescriptor keyDescriptor =
buildKeyDescriptor(rsaCred1KeyName, UsageType.ENCRYPTION, rsaCred1.getPublicKey());
roleDesc.getKeyDescriptors().add(keyDescriptor);
// Shouldn't resolve, since not RSA OAEP
rsaEncryptionMethod = buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15);
keyDescriptor.getEncryptionMethods().clear();
keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod);
params = resolver.resolveSingle(criteriaSet);
Assert.assertNull(params.getRSAOAEPParameters());
// Should resolve empty instance
rsaEncryptionMethod = buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
keyDescriptor.getEncryptionMethods().clear();
keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod);
params = resolver.resolveSingle(criteriaSet);
Assert.assertNotNull(params.getRSAOAEPParameters());
Assert.assertTrue(params.getRSAOAEPParameters().isEmpty());
// Load BouncyCastle so can really test RSA OAEP 1.1 stuff.
AlgorithmRegistry originalRegistry = AlgorithmSupport.getGlobalAlgorithmRegistry();
Assert.assertNotNull(originalRegistry);
providerSupport.loadBC();
new GlobalAlgorithmRegistryInitializer().init();
resolver.setAlgorithmRegistry(AlgorithmSupport.getGlobalAlgorithmRegistry());
try {
// Should resolve digest from metadata
rsaEncryptionMethod =
buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP11);
digestMethod = buildXMLObject(DigestMethod.DEFAULT_ELEMENT_NAME);
digestMethod.setAlgorithm(EncryptionConstants.ALGO_ID_DIGEST_SHA256);
rsaEncryptionMethod.getUnknownXMLObjects().add(digestMethod);
keyDescriptor.getEncryptionMethods().clear();
keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod);
params = resolver.resolveSingle(criteriaSet);
Assert.assertNotNull(params.getRSAOAEPParameters());
Assert.assertEquals(
params.getRSAOAEPParameters().getDigestMethod(),
EncryptionConstants.ALGO_ID_DIGEST_SHA256);
Assert.assertNull(params.getRSAOAEPParameters().getMaskGenerationFunction());
Assert.assertNull(params.getRSAOAEPParameters().getOAEPParams());
// Should resolve all values from metadata
rsaEncryptionMethod =
buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP11);
digestMethod = buildXMLObject(DigestMethod.DEFAULT_ELEMENT_NAME);
digestMethod.setAlgorithm(EncryptionConstants.ALGO_ID_DIGEST_SHA256);
rsaEncryptionMethod.getUnknownXMLObjects().add(digestMethod);
mgf = buildXMLObject(MGF.DEFAULT_ELEMENT_NAME);
mgf.setAlgorithm(EncryptionConstants.ALGO_ID_MGF1_SHA256);
rsaEncryptionMethod.getUnknownXMLObjects().add(mgf);
oaepParams = buildXMLObject(OAEPparams.DEFAULT_ELEMENT_NAME);
oaepParams.setValue("oaep-params-md");
rsaEncryptionMethod.setOAEPparams(oaepParams);
keyDescriptor.getEncryptionMethods().clear();
keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod);
params = resolver.resolveSingle(criteriaSet);
Assert.assertNotNull(params.getRSAOAEPParameters());
Assert.assertEquals(
params.getRSAOAEPParameters().getDigestMethod(),
EncryptionConstants.ALGO_ID_DIGEST_SHA256);
Assert.assertEquals(
params.getRSAOAEPParameters().getMaskGenerationFunction(),
EncryptionConstants.ALGO_ID_MGF1_SHA256);
Assert.assertEquals(params.getRSAOAEPParameters().getOAEPParams(), "oaep-params-md");
// Should resolve digest from metadata, should NOT resolve OAEPParms from config by default
config3.setRSAOAEPParameters(
new RSAOAEPParameters(SignatureConstants.ALGO_ID_DIGEST_SHA1, null, "oaep-params-3"));
rsaEncryptionMethod =
buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP11);
digestMethod = buildXMLObject(DigestMethod.DEFAULT_ELEMENT_NAME);
digestMethod.setAlgorithm(EncryptionConstants.ALGO_ID_DIGEST_SHA256);
rsaEncryptionMethod.getUnknownXMLObjects().add(digestMethod);
keyDescriptor.getEncryptionMethods().clear();
keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod);
params = resolver.resolveSingle(criteriaSet);
Assert.assertNotNull(params.getRSAOAEPParameters());
Assert.assertEquals(
params.getRSAOAEPParameters().getDigestMethod(),
EncryptionConstants.ALGO_ID_DIGEST_SHA256);
Assert.assertNull(params.getRSAOAEPParameters().getMaskGenerationFunction());
Assert.assertNull(params.getRSAOAEPParameters().getOAEPParams());
// Should resolve digest from metadata, should resolve OAEPParms from config3
config3.setRSAOAEPParameters(
new RSAOAEPParameters(SignatureConstants.ALGO_ID_DIGEST_SHA1, null, "oaep-params-3"));
resolver.setMergeMetadataRSAOAEPParametersWithConfig(true);
rsaEncryptionMethod =
buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP11);
digestMethod = buildXMLObject(DigestMethod.DEFAULT_ELEMENT_NAME);
digestMethod.setAlgorithm(EncryptionConstants.ALGO_ID_DIGEST_SHA256);
rsaEncryptionMethod.getUnknownXMLObjects().add(digestMethod);
keyDescriptor.getEncryptionMethods().clear();
keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod);
params = resolver.resolveSingle(criteriaSet);
Assert.assertNotNull(params.getRSAOAEPParameters());
Assert.assertEquals(
params.getRSAOAEPParameters().getDigestMethod(),
EncryptionConstants.ALGO_ID_DIGEST_SHA256);
Assert.assertNull(params.getRSAOAEPParameters().getMaskGenerationFunction());
Assert.assertEquals(params.getRSAOAEPParameters().getOAEPParams(), "oaep-params-3");
} finally {
providerSupport.unloadBC();
ConfigurationService.register(AlgorithmRegistry.class, originalRegistry);
}
}
