@Test
public void testWithAlgorithmOverrides() throws ResolverException {
    // Metadata advertises a single RSA encryption key and no EncryptionMethod hints,
    // so algorithm selection is driven purely by the configuration chain.
    KeyDescriptor rsaKeyDescriptor =
        buildKeyDescriptor(rsaCred1KeyName, UsageType.ENCRYPTION, rsaCred1.getPublicKey());
    roleDesc.getKeyDescriptors().add(rsaKeyDescriptor);

    // config2 precedes config3 in the criterion chain built by setUp(), so its single-entry
    // lists are expected to take precedence over the config3 defaults.
    config2.setKeyTransportEncryptionAlgorithms(
        Collections.singletonList(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15));
    config2.setDataEncryptionAlgorithms(
        Collections.singletonList(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256));

    EncryptionParameters resolved = resolver.resolveSingle(criteriaSet);
    Assert.assertNotNull(resolved);

    // Key transport: credential comes from metadata, algorithm from config2.
    Assert.assertEquals(
        resolved.getKeyTransportEncryptionCredential().getPublicKey(), rsaCred1.getPublicKey());
    Assert.assertEquals(
        resolved.getKeyTransportEncryptionAlgorithm(),
        EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15);
    Assert.assertNotNull(resolved.getKeyTransportKeyInfoGenerator());

    // Data encryption: no credential is resolved (presumably generated later by the
    // encrypter), algorithm from config2, and no KeyInfo generator for the data key.
    Assert.assertNull(resolved.getDataEncryptionCredential());
    Assert.assertEquals(
        resolved.getDataEncryptionAlgorithm(), EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256);
    Assert.assertNull(resolved.getDataKeyInfoGenerator());
}
@BeforeMethod
public void setUp() throws ComponentInitializationException {
    // Credential resolver backed by inline KeyInfo in metadata; the resolver under test
    // delegates credential lookup to it.
    mdCredResolver = new MetadataCredentialResolver();
    mdCredResolver.setKeyInfoCredentialResolver(SAMLTestSupport.buildBasicInlineKeyInfoResolver());
    mdCredResolver.initialize();
    resolver = new SAMLMetadataEncryptionParametersResolver(mdCredResolver);

    config1 = new BasicEncryptionConfiguration();
    config2 = new BasicEncryptionConfiguration();
    config3 = new BasicEncryptionConfiguration();

    // KeyInfo generator managers, one for the key transport credential and one for the data
    // encryption credential; each registers a basic and an X.509 factory as defaults.
    BasicKeyInfoGeneratorFactory keyTransportBasicFactory = new BasicKeyInfoGeneratorFactory();
    X509KeyInfoGeneratorFactory keyTransportX509Factory = new X509KeyInfoGeneratorFactory();
    defaultKeyTransportKeyInfoGeneratorManager = new NamedKeyInfoGeneratorManager();
    defaultKeyTransportKeyInfoGeneratorManager.registerDefaultFactory(keyTransportBasicFactory);
    defaultKeyTransportKeyInfoGeneratorManager.registerDefaultFactory(keyTransportX509Factory);

    BasicKeyInfoGeneratorFactory dataBasicFactory = new BasicKeyInfoGeneratorFactory();
    X509KeyInfoGeneratorFactory dataX509Factory = new X509KeyInfoGeneratorFactory();
    defaultDataEncryptionKeyInfoGeneratorManager = new NamedKeyInfoGeneratorManager();
    defaultDataEncryptionKeyInfoGeneratorManager.registerDefaultFactory(dataBasicFactory);
    defaultDataEncryptionKeyInfoGeneratorManager.registerDefaultFactory(dataX509Factory);

    // config3 is the last entry in the chain and carries the defaults, so individual tests
    // only override on config1/config2 what they actually exercise. List order is the
    // preference order, so it must not be reshuffled.
    config3.setDataEncryptionAlgorithms(
        Arrays.asList(
            defaultAES128DataAlgo,
            defaultAES192DataAlgo,
            defaultAES256DataAlgo,
            EncryptionConstants.ALGO_ID_BLOCKCIPHER_TRIPLEDES,
            EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128_GCM,
            EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192_GCM,
            EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256_GCM));
    config3.setKeyTransportEncryptionAlgorithms(
        Arrays.asList(
            defaultRSAKeyTransportAlgo,
            EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15,
            EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP11,
            EncryptionConstants.ALGO_ID_KEYWRAP_AES128,
            EncryptionConstants.ALGO_ID_KEYWRAP_AES192,
            EncryptionConstants.ALGO_ID_KEYWRAP_AES256,
            EncryptionConstants.ALGO_ID_KEYWRAP_TRIPLEDES));
    config3.setKeyTransportKeyInfoGeneratorManager(defaultKeyTransportKeyInfoGeneratorManager);
    config3.setDataKeyInfoGeneratorManager(defaultDataEncryptionKeyInfoGeneratorManager);

    // Criteria: the configuration chain plus a skeleton role descriptor that each test
    // populates with the key descriptors it needs.
    roleDesc = buildRoleDescriptorSkeleton();
    roleDescCriterion = new RoleDescriptorCriterion(roleDesc);
    configCriterion = new EncryptionConfigurationCriterion(config1, config2, config3);
    criteriaSet = new CriteriaSet(configCriterion, roleDescCriterion);
}
@Test
public void testEncryptionMethodWithWhitelist() throws ResolverException {
    // Metadata advertises RSA-1.5 key transport and 3DES data encryption via EncryptionMethod.
    KeyDescriptor keyDescriptor =
        buildKeyDescriptor(rsaCred1KeyName, UsageType.ENCRYPTION, rsaCred1.getPublicKey());
    String[] advertised = {
        EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15,
        EncryptionConstants.ALGO_ID_BLOCKCIPHER_TRIPLEDES,
    };
    for (String algorithm : advertised) {
        keyDescriptor.getEncryptionMethods().add(buildEncryptionMethod(algorithm));
    }
    roleDesc.getKeyDescriptors().add(keyDescriptor);

    // The whitelist on config1 permits neither advertised algorithm, so the metadata hints
    // must be discarded in favour of whitelisted entries from the config3 defaults.
    config1.setWhitelistedAlgorithms(
        Arrays.asList(
            EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP,
            EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192));

    EncryptionParameters resolved = resolver.resolveSingle(criteriaSet);
    Assert.assertNotNull(resolved);

    // Key transport: metadata credential, whitelisted RSA-OAEP instead of advertised RSA-1.5.
    Assert.assertEquals(
        resolved.getKeyTransportEncryptionCredential().getPublicKey(), rsaCred1.getPublicKey());
    Assert.assertEquals(
        resolved.getKeyTransportEncryptionAlgorithm(),
        EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
    Assert.assertNotNull(resolved.getKeyTransportKeyInfoGenerator());

    // Data encryption: whitelisted AES-192 instead of advertised 3DES, no credential.
    Assert.assertNull(resolved.getDataEncryptionCredential());
    Assert.assertEquals(
        resolved.getDataEncryptionAlgorithm(), EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192);
    Assert.assertNull(resolved.getDataKeyInfoGenerator());
}
@Test
public void testWithRSAOAEPParametersFromConfig() throws ResolverException {
    // Metadata supplies only the RSA key; no EncryptionMethod, so no OAEP hints from metadata.
    roleDesc.getKeyDescriptors().add(
        buildKeyDescriptor(rsaCred1KeyName, UsageType.ENCRYPTION, rsaCred1.getPublicKey()));

    // OAEP parameters come entirely from config3: SHA-256 digest, no MGF, explicit OAEPparams.
    RSAOAEPParameters configuredOaep =
        new RSAOAEPParameters(EncryptionConstants.ALGO_ID_DIGEST_SHA256, null, "oaep-params-3");
    config3.setRSAOAEPParameters(configuredOaep);

    EncryptionParameters resolved = resolver.resolveSingle(criteriaSet);
    Assert.assertNotNull(resolved);

    // Algorithms stay at the config3 defaults; only the OAEP parameters are being exercised.
    Assert.assertEquals(
        resolved.getKeyTransportEncryptionCredential().getPublicKey(), rsaCred1.getPublicKey());
    Assert.assertEquals(resolved.getKeyTransportEncryptionAlgorithm(), defaultRSAKeyTransportAlgo);
    Assert.assertNotNull(resolved.getKeyTransportKeyInfoGenerator());
    Assert.assertNull(resolved.getDataEncryptionCredential());
    Assert.assertEquals(resolved.getDataEncryptionAlgorithm(), defaultAES128DataAlgo);
    Assert.assertNull(resolved.getDataKeyInfoGenerator());

    RSAOAEPParameters resolvedOaep = resolved.getRSAOAEPParameters();
    Assert.assertNotNull(resolvedOaep);
    Assert.assertEquals(resolvedOaep.getDigestMethod(), EncryptionConstants.ALGO_ID_DIGEST_SHA256);
    Assert.assertNull(resolvedOaep.getMaskGenerationFunction());
    Assert.assertEquals(resolvedOaep.getOAEPParams(), "oaep-params-3");
}
@Test
public void testNoDataEncryptionAlgorithmForEncrypterAutoGen() throws ResolverException {
    roleDesc.getKeyDescriptors().add(
        buildKeyDescriptor(rsaCred1KeyName, UsageType.ENCRYPTION, rsaCred1.getPublicKey()));

    // Remove the data encryption algorithm defaults that setUp() installs on config3. With no
    // candidate data algorithm anywhere in the chain, resolution must yield nothing rather
    // than a parameter set with a usable key transport but no data algorithm.
    config3.setDataEncryptionAlgorithms(new ArrayList<String>());

    Assert.assertNull(resolver.resolveSingle(criteriaSet));
}
@Test
public void testEncryptionMethodWithBlacklistedDigest() throws ResolverException {
    KeyDescriptor keyDescriptor =
        buildKeyDescriptor(rsaCred1KeyName, UsageType.ENCRYPTION, rsaCred1.getPublicKey());

    // First RSA-OAEP EncryptionMethod carries a SHA-1 DigestMethod. Because SHA-1 is
    // blacklisted on config1 below, this entry is effectively blacklisted and must be skipped
    // even though it is listed first.
    EncryptionMethod oaepWithSha1 =
        buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
    DigestMethod sha1Digest = buildXMLObject(DigestMethod.DEFAULT_ELEMENT_NAME);
    sha1Digest.setAlgorithm(SignatureConstants.ALGO_ID_DIGEST_SHA1);
    oaepWithSha1.getUnknownXMLObjects().add(sha1Digest);
    keyDescriptor.getEncryptionMethods().add(oaepWithSha1);

    // Second RSA-OAEP EncryptionMethod carries SHA-256 and is the one expected to resolve.
    EncryptionMethod oaepWithSha256 =
        buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
    DigestMethod sha256Digest = buildXMLObject(DigestMethod.DEFAULT_ELEMENT_NAME);
    sha256Digest.setAlgorithm(EncryptionConstants.ALGO_ID_DIGEST_SHA256);
    oaepWithSha256.getUnknownXMLObjects().add(sha256Digest);
    keyDescriptor.getEncryptionMethods().add(oaepWithSha256);

    roleDesc.getKeyDescriptors().add(keyDescriptor);

    // Blacklisting the digest URI alone (not the key transport URI) is what filters entry #1.
    config1.setBlacklistedAlgorithms(Arrays.asList(SignatureConstants.ALGO_ID_DIGEST_SHA1));

    EncryptionParameters resolved = resolver.resolveSingle(criteriaSet);
    Assert.assertNotNull(resolved);

    Assert.assertEquals(
        resolved.getKeyTransportEncryptionCredential().getPublicKey(), rsaCred1.getPublicKey());
    Assert.assertEquals(
        resolved.getKeyTransportEncryptionAlgorithm(),
        EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
    Assert.assertNotNull(resolved.getKeyTransportKeyInfoGenerator());

    // OAEP parameters reflect the surviving (SHA-256) EncryptionMethod only.
    RSAOAEPParameters resolvedOaep = resolved.getRSAOAEPParameters();
    Assert.assertNotNull(resolvedOaep);
    Assert.assertEquals(resolvedOaep.getDigestMethod(), EncryptionConstants.ALGO_ID_DIGEST_SHA256);
    Assert.assertNull(resolvedOaep.getMaskGenerationFunction());
    Assert.assertNull(resolvedOaep.getOAEPParams());

    Assert.assertNull(resolved.getDataEncryptionCredential());
    Assert.assertEquals(resolved.getDataEncryptionAlgorithm(), defaultAES128DataAlgo);
    Assert.assertNull(resolved.getDataKeyInfoGenerator());
}
@Test
public void testWithBlacklist() throws ResolverException {
    roleDesc.getKeyDescriptors().add(
        buildKeyDescriptor(rsaCred1KeyName, UsageType.ENCRYPTION, rsaCred1.getPublicKey()));

    // Blacklist the first-preference key transport algorithm and the first two data
    // algorithms from the config3 defaults; resolution must advance to the next permitted
    // entry of each list (RSA-1.5 and AES-256 given the ordering set in setUp()).
    config1.setBlacklistedAlgorithms(
        Arrays.asList(defaultRSAKeyTransportAlgo, defaultAES128DataAlgo, defaultAES192DataAlgo));

    EncryptionParameters resolved = resolver.resolveSingle(criteriaSet);
    Assert.assertNotNull(resolved);

    Assert.assertEquals(
        resolved.getKeyTransportEncryptionCredential().getPublicKey(), rsaCred1.getPublicKey());
    // Note the fallback lands on RSA-1.5 only because setUp() keeps it in the config3 list
    // directly after the default; a deployment that blacklists the default should check
    // what the next entry is.
    Assert.assertEquals(
        resolved.getKeyTransportEncryptionAlgorithm(),
        EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15);
    Assert.assertNotNull(resolved.getKeyTransportKeyInfoGenerator());

    Assert.assertNull(resolved.getDataEncryptionCredential());
    Assert.assertEquals(resolved.getDataEncryptionAlgorithm(), defaultAES256DataAlgo);
    Assert.assertNull(resolved.getDataKeyInfoGenerator());
}
@Test
public void testKeyTransportAlgorithmPredicate() throws ResolverException {
    KeyDescriptor keyDescriptor =
        buildKeyDescriptor(rsaCred1KeyName, UsageType.ENCRYPTION, rsaCred1.getPublicKey());

    // Advertised order is the metadata preference: RSA-OAEP before RSA-1.5, AES-256 down to
    // AES-128.
    String[] firstAdvertisement = {
        EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP,
        EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15,
        EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256,
        EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192,
        EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128,
    };
    for (String algorithm : firstAdvertisement) {
        keyDescriptor.getEncryptionMethods().add(buildEncryptionMethod(algorithm));
    }
    roleDesc.getKeyDescriptors().add(keyDescriptor);

    // Pins a key transport algorithm to each data encryption algorithm.
    HashMap<String, String> dataToKeyTransport = new HashMap<>();
    dataToKeyTransport.put(
        EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256,
        EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15);
    dataToKeyTransport.put(
        EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192,
        EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
    KeyTransportAlgorithmPredicate predicate =
        new MapBasedKeyTransportAlgorithmPredicate(dataToKeyTransport);

    // Control run without the predicate: metadata ordering alone yields AES-256 + RSA-OAEP.
    EncryptionParameters params = resolver.resolveSingle(criteriaSet);
    Assert.assertEquals(
        params.getDataEncryptionAlgorithm(), EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256);
    Assert.assertEquals(
        params.getKeyTransportEncryptionAlgorithm(),
        EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);

    // Mapping #1: with the predicate installed, AES-256 must be paired with RSA-1.5 even
    // though RSA-OAEP is advertised first.
    config1.setKeyTransportAlgorithmPredicate(predicate);
    params = resolver.resolveSingle(criteriaSet);
    Assert.assertEquals(
        params.getDataEncryptionAlgorithm(), EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256);
    Assert.assertEquals(
        params.getKeyTransportEncryptionAlgorithm(),
        EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15);

    // Re-advertise with RSA-1.5 first and AES-256 removed, so mapping #2 (AES-192 -> RSA-OAEP)
    // is the one that applies.
    keyDescriptor.getEncryptionMethods().clear();
    String[] secondAdvertisement = {
        EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15,
        EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP,
        EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192,
        EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128,
    };
    for (String algorithm : secondAdvertisement) {
        keyDescriptor.getEncryptionMethods().add(buildEncryptionMethod(algorithm));
    }
    params = resolver.resolveSingle(criteriaSet);
    Assert.assertEquals(
        params.getDataEncryptionAlgorithm(), EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192);
    Assert.assertEquals(
        params.getKeyTransportEncryptionAlgorithm(),
        EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
}
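/**
 * Resolution of RSA-OAEP parameters from metadata EncryptionMethod content, and their
 * interaction with parameters configured on the chain.
 *
 * <p>The BouncyCastle provider and a freshly initialised global algorithm registry are
 * installed part-way through and restored in {@code finally}; the provider load and registry
 * swap now happen inside the {@code try} so that a failure in either step still runs the
 * restore and cannot leak provider/registry state into other tests.
 *
 * @throws ResolverException on resolution failure
 * @throws InitializationException if the global algorithm registry cannot be initialised
 */
@Test
public void testEncryptionMethodWithRSAOAEPParameters()
    throws ResolverException, InitializationException {
    EncryptionParameters params;
    EncryptionMethod rsaEncryptionMethod;
    DigestMethod digestMethod;
    MGF mgf;
    OAEPparams oaepParams;

    KeyDescriptor keyDescriptor =
        buildKeyDescriptor(rsaCred1KeyName, UsageType.ENCRYPTION, rsaCred1.getPublicKey());
    roleDesc.getKeyDescriptors().add(keyDescriptor);

    // RSA-1.5 is not an OAEP algorithm, so no OAEP parameters may be resolved for it.
    rsaEncryptionMethod = buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15);
    keyDescriptor.getEncryptionMethods().clear();
    keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod);
    params = resolver.resolveSingle(criteriaSet);
    Assert.assertNull(params.getRSAOAEPParameters());

    // Bare RSA-OAEP with no child elements resolves to an empty parameter instance.
    rsaEncryptionMethod = buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
    keyDescriptor.getEncryptionMethods().clear();
    keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod);
    params = resolver.resolveSingle(criteriaSet);
    Assert.assertNotNull(params.getRSAOAEPParameters());
    Assert.assertTrue(params.getRSAOAEPParameters().isEmpty());

    // Capture the registry to restore before touching provider or registry state.
    AlgorithmRegistry originalRegistry = AlgorithmSupport.getGlobalAlgorithmRegistry();
    Assert.assertNotNull(originalRegistry);
    try {
        // Load BouncyCastle and rebuild the global registry so RSA-OAEP 1.1 (MGF support)
        // is actually available to the resolver.
        providerSupport.loadBC();
        new GlobalAlgorithmRegistryInitializer().init();
        resolver.setAlgorithmRegistry(AlgorithmSupport.getGlobalAlgorithmRegistry());

        // Digest from metadata; MGF and OAEPparams absent.
        rsaEncryptionMethod =
            buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP11);
        digestMethod = buildXMLObject(DigestMethod.DEFAULT_ELEMENT_NAME);
        digestMethod.setAlgorithm(EncryptionConstants.ALGO_ID_DIGEST_SHA256);
        rsaEncryptionMethod.getUnknownXMLObjects().add(digestMethod);
        keyDescriptor.getEncryptionMethods().clear();
        keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod);
        params = resolver.resolveSingle(criteriaSet);
        Assert.assertNotNull(params.getRSAOAEPParameters());
        Assert.assertEquals(
            params.getRSAOAEPParameters().getDigestMethod(),
            EncryptionConstants.ALGO_ID_DIGEST_SHA256);
        Assert.assertNull(params.getRSAOAEPParameters().getMaskGenerationFunction());
        Assert.assertNull(params.getRSAOAEPParameters().getOAEPParams());

        // Digest, MGF and OAEPparams all from metadata.
        rsaEncryptionMethod =
            buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP11);
        digestMethod = buildXMLObject(DigestMethod.DEFAULT_ELEMENT_NAME);
        digestMethod.setAlgorithm(EncryptionConstants.ALGO_ID_DIGEST_SHA256);
        rsaEncryptionMethod.getUnknownXMLObjects().add(digestMethod);
        mgf = buildXMLObject(MGF.DEFAULT_ELEMENT_NAME);
        mgf.setAlgorithm(EncryptionConstants.ALGO_ID_MGF1_SHA256);
        rsaEncryptionMethod.getUnknownXMLObjects().add(mgf);
        oaepParams = buildXMLObject(OAEPparams.DEFAULT_ELEMENT_NAME);
        oaepParams.setValue("oaep-params-md");
        rsaEncryptionMethod.setOAEPparams(oaepParams);
        keyDescriptor.getEncryptionMethods().clear();
        keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod);
        params = resolver.resolveSingle(criteriaSet);
        Assert.assertNotNull(params.getRSAOAEPParameters());
        Assert.assertEquals(
            params.getRSAOAEPParameters().getDigestMethod(),
            EncryptionConstants.ALGO_ID_DIGEST_SHA256);
        Assert.assertEquals(
            params.getRSAOAEPParameters().getMaskGenerationFunction(),
            EncryptionConstants.ALGO_ID_MGF1_SHA256);
        Assert.assertEquals(params.getRSAOAEPParameters().getOAEPParams(), "oaep-params-md");

        // Digest from metadata; by default the config3 OAEPparams must NOT be merged in.
        // config3 deliberately carries SHA-1 so that any leakage of the configured digest
        // over the metadata one would show up as a failed assertion.
        config3.setRSAOAEPParameters(
            new RSAOAEPParameters(SignatureConstants.ALGO_ID_DIGEST_SHA1, null, "oaep-params-3"));
        rsaEncryptionMethod =
            buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP11);
        digestMethod = buildXMLObject(DigestMethod.DEFAULT_ELEMENT_NAME);
        digestMethod.setAlgorithm(EncryptionConstants.ALGO_ID_DIGEST_SHA256);
        rsaEncryptionMethod.getUnknownXMLObjects().add(digestMethod);
        keyDescriptor.getEncryptionMethods().clear();
        keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod);
        params = resolver.resolveSingle(criteriaSet);
        Assert.assertNotNull(params.getRSAOAEPParameters());
        Assert.assertEquals(
            params.getRSAOAEPParameters().getDigestMethod(),
            EncryptionConstants.ALGO_ID_DIGEST_SHA256);
        Assert.assertNull(params.getRSAOAEPParameters().getMaskGenerationFunction());
        Assert.assertNull(params.getRSAOAEPParameters().getOAEPParams());

        // With merging enabled, OAEPparams is taken from config3 while the digest still
        // comes from metadata (the configured SHA-1 does not override SHA-256).
        config3.setRSAOAEPParameters(
            new RSAOAEPParameters(SignatureConstants.ALGO_ID_DIGEST_SHA1, null, "oaep-params-3"));
        resolver.setMergeMetadataRSAOAEPParametersWithConfig(true);
        rsaEncryptionMethod =
            buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP11);
        digestMethod = buildXMLObject(DigestMethod.DEFAULT_ELEMENT_NAME);
        digestMethod.setAlgorithm(EncryptionConstants.ALGO_ID_DIGEST_SHA256);
        rsaEncryptionMethod.getUnknownXMLObjects().add(digestMethod);
        keyDescriptor.getEncryptionMethods().clear();
        keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod);
        params = resolver.resolveSingle(criteriaSet);
        Assert.assertNotNull(params.getRSAOAEPParameters());
        Assert.assertEquals(
            params.getRSAOAEPParameters().getDigestMethod(),
            EncryptionConstants.ALGO_ID_DIGEST_SHA256);
        Assert.assertNull(params.getRSAOAEPParameters().getMaskGenerationFunction());
        Assert.assertEquals(params.getRSAOAEPParameters().getOAEPParams(), "oaep-params-3");
    } finally {
        // Undo the provider load and put the original global registry back so later tests
        // (and setUp()'s fresh resolver) see the pre-test algorithm environment.
        providerSupport.unloadBC();
        ConfigurationService.register(AlgorithmRegistry.class, originalRegistry);
    }
}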