private KeyDescriptor buildKeyDescriptor(String keyName, UsageType use, Object... contentItems) { KeyDescriptor keyDesc = buildXMLObject(KeyDescriptor.DEFAULT_ELEMENT_NAME); KeyInfo keyInfo = buildXMLObject(KeyInfo.DEFAULT_ELEMENT_NAME); for (Object contentItem : contentItems) { if (contentItem instanceof PublicKey) { KeyInfoSupport.addPublicKey(keyInfo, (PublicKey) contentItem); } else if (contentItem instanceof X509Certificate) { try { KeyInfoSupport.addCertificate(keyInfo, (X509Certificate) contentItem); } catch (CertificateEncodingException e) { throw new RuntimeException("CertificateEncodingException ading cert to KeyInfo", e); } } else { throw new RuntimeException( "Saw unknown KeyInfo content type: " + contentItem.getClass().getName()); } } if (keyName != null) { KeyInfoSupport.addKeyName(keyInfo, keyName); } keyDesc.setKeyInfo(keyInfo); if (use != null) { keyDesc.setUse(use); } return keyDesc; }
@Test public void testEncryptionMethodWithWhitelist() throws ResolverException { KeyDescriptor keyDescriptor = buildKeyDescriptor(rsaCred1KeyName, UsageType.ENCRYPTION, rsaCred1.getPublicKey()); keyDescriptor .getEncryptionMethods() .add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15)); keyDescriptor .getEncryptionMethods() .add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_BLOCKCIPHER_TRIPLEDES)); roleDesc.getKeyDescriptors().add(keyDescriptor); config1.setWhitelistedAlgorithms( Arrays.asList( EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP, EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192)); EncryptionParameters params = resolver.resolveSingle(criteriaSet); Assert.assertNotNull(params); Assert.assertEquals( params.getKeyTransportEncryptionCredential().getPublicKey(), rsaCred1.getPublicKey()); Assert.assertEquals( params.getKeyTransportEncryptionAlgorithm(), EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP); Assert.assertNotNull(params.getKeyTransportKeyInfoGenerator()); Assert.assertNull(params.getDataEncryptionCredential()); Assert.assertEquals( params.getDataEncryptionAlgorithm(), EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192); Assert.assertNull(params.getDataKeyInfoGenerator()); }
@Test public void testEncryptionMethodWithBlacklistedDigest() throws ResolverException { EncryptionMethod rsaEncryptionMethod; DigestMethod digestMethod; KeyDescriptor keyDescriptor = buildKeyDescriptor(rsaCred1KeyName, UsageType.ENCRYPTION, rsaCred1.getPublicKey()); // This one will be effectively blacklist due to the DigestMethod SHA-1, won't be resolved. rsaEncryptionMethod = buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP); digestMethod = buildXMLObject(DigestMethod.DEFAULT_ELEMENT_NAME); digestMethod.setAlgorithm(SignatureConstants.ALGO_ID_DIGEST_SHA1); rsaEncryptionMethod.getUnknownXMLObjects().add(digestMethod); keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod); // This one will be resolved with DigestMethod SHA-256. rsaEncryptionMethod = buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP); digestMethod = buildXMLObject(DigestMethod.DEFAULT_ELEMENT_NAME); digestMethod.setAlgorithm(EncryptionConstants.ALGO_ID_DIGEST_SHA256); rsaEncryptionMethod.getUnknownXMLObjects().add(digestMethod); keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod); roleDesc.getKeyDescriptors().add(keyDescriptor); config1.setBlacklistedAlgorithms(Arrays.asList(SignatureConstants.ALGO_ID_DIGEST_SHA1)); EncryptionParameters params = resolver.resolveSingle(criteriaSet); Assert.assertNotNull(params); Assert.assertEquals( params.getKeyTransportEncryptionCredential().getPublicKey(), rsaCred1.getPublicKey()); Assert.assertEquals( params.getKeyTransportEncryptionAlgorithm(), EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP); Assert.assertNotNull(params.getKeyTransportKeyInfoGenerator()); Assert.assertNotNull(params.getRSAOAEPParameters()); Assert.assertEquals( params.getRSAOAEPParameters().getDigestMethod(), EncryptionConstants.ALGO_ID_DIGEST_SHA256); Assert.assertNull(params.getRSAOAEPParameters().getMaskGenerationFunction()); Assert.assertNull(params.getRSAOAEPParameters().getOAEPParams()); Assert.assertNull(params.getDataEncryptionCredential()); Assert.assertEquals(params.getDataEncryptionAlgorithm(), defaultAES128DataAlgo); Assert.assertNull(params.getDataKeyInfoGenerator()); }
@Test public void testKeyTransportAlgorithmPredicate() throws ResolverException { KeyDescriptor keyDescriptor = buildKeyDescriptor(rsaCred1KeyName, UsageType.ENCRYPTION, rsaCred1.getPublicKey()); keyDescriptor .getEncryptionMethods() .add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP)); keyDescriptor .getEncryptionMethods() .add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15)); keyDescriptor .getEncryptionMethods() .add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256)); keyDescriptor .getEncryptionMethods() .add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192)); keyDescriptor .getEncryptionMethods() .add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128)); roleDesc.getKeyDescriptors().add(keyDescriptor); // Data algorithm -> key transport algorithm preferences mappings HashMap<String, String> algoMap = new HashMap<>(); algoMap.put( EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256, EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15); algoMap.put( EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192, EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP); KeyTransportAlgorithmPredicate predicate = new MapBasedKeyTransportAlgorithmPredicate(algoMap); // Without the predicate, for control EncryptionParameters params = resolver.resolveSingle(criteriaSet); Assert.assertEquals( params.getDataEncryptionAlgorithm(), EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256); Assert.assertEquals( params.getKeyTransportEncryptionAlgorithm(), EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP); config1.setKeyTransportAlgorithmPredicate(predicate); // Explicit preference with predicate, mapping # 1 params = resolver.resolveSingle(criteriaSet); Assert.assertEquals( params.getDataEncryptionAlgorithm(), EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256); Assert.assertEquals( params.getKeyTransportEncryptionAlgorithm(), EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15); // Change algo ordering keyDescriptor.getEncryptionMethods().clear(); keyDescriptor .getEncryptionMethods() .add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15)); keyDescriptor .getEncryptionMethods() .add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP)); keyDescriptor .getEncryptionMethods() .add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192)); keyDescriptor .getEncryptionMethods() .add(buildEncryptionMethod(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128)); // Explicit preference with predicate, mapping # 2 params = resolver.resolveSingle(criteriaSet); Assert.assertEquals( params.getDataEncryptionAlgorithm(), EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192); Assert.assertEquals( params.getKeyTransportEncryptionAlgorithm(), EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP); }
@Test public void testEncryptionMethodWithRSAOAEPParameters() throws ResolverException, InitializationException { EncryptionParameters params; EncryptionMethod rsaEncryptionMethod; DigestMethod digestMethod; MGF mgf; OAEPparams oaepParams; KeyDescriptor keyDescriptor = buildKeyDescriptor(rsaCred1KeyName, UsageType.ENCRYPTION, rsaCred1.getPublicKey()); roleDesc.getKeyDescriptors().add(keyDescriptor); // Shouldn't resolve, since not RSA OAEP rsaEncryptionMethod = buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15); keyDescriptor.getEncryptionMethods().clear(); keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod); params = resolver.resolveSingle(criteriaSet); Assert.assertNull(params.getRSAOAEPParameters()); // Should resolve empty instance rsaEncryptionMethod = buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP); keyDescriptor.getEncryptionMethods().clear(); keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod); params = resolver.resolveSingle(criteriaSet); Assert.assertNotNull(params.getRSAOAEPParameters()); Assert.assertTrue(params.getRSAOAEPParameters().isEmpty()); // Load BouncyCastle so can really test RSA OAEP 1.1 stuff. AlgorithmRegistry originalRegistry = AlgorithmSupport.getGlobalAlgorithmRegistry(); Assert.assertNotNull(originalRegistry); providerSupport.loadBC(); new GlobalAlgorithmRegistryInitializer().init(); resolver.setAlgorithmRegistry(AlgorithmSupport.getGlobalAlgorithmRegistry()); try { // Should resolve digest from metadata rsaEncryptionMethod = buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP11); digestMethod = buildXMLObject(DigestMethod.DEFAULT_ELEMENT_NAME); digestMethod.setAlgorithm(EncryptionConstants.ALGO_ID_DIGEST_SHA256); rsaEncryptionMethod.getUnknownXMLObjects().add(digestMethod); keyDescriptor.getEncryptionMethods().clear(); keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod); params = resolver.resolveSingle(criteriaSet); Assert.assertNotNull(params.getRSAOAEPParameters()); Assert.assertEquals( params.getRSAOAEPParameters().getDigestMethod(), EncryptionConstants.ALGO_ID_DIGEST_SHA256); Assert.assertNull(params.getRSAOAEPParameters().getMaskGenerationFunction()); Assert.assertNull(params.getRSAOAEPParameters().getOAEPParams()); // Should resolve all values from metadata rsaEncryptionMethod = buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP11); digestMethod = buildXMLObject(DigestMethod.DEFAULT_ELEMENT_NAME); digestMethod.setAlgorithm(EncryptionConstants.ALGO_ID_DIGEST_SHA256); rsaEncryptionMethod.getUnknownXMLObjects().add(digestMethod); mgf = buildXMLObject(MGF.DEFAULT_ELEMENT_NAME); mgf.setAlgorithm(EncryptionConstants.ALGO_ID_MGF1_SHA256); rsaEncryptionMethod.getUnknownXMLObjects().add(mgf); oaepParams = buildXMLObject(OAEPparams.DEFAULT_ELEMENT_NAME); oaepParams.setValue("oaep-params-md"); rsaEncryptionMethod.setOAEPparams(oaepParams); keyDescriptor.getEncryptionMethods().clear(); keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod); params = resolver.resolveSingle(criteriaSet); Assert.assertNotNull(params.getRSAOAEPParameters()); Assert.assertEquals( params.getRSAOAEPParameters().getDigestMethod(), EncryptionConstants.ALGO_ID_DIGEST_SHA256); Assert.assertEquals( params.getRSAOAEPParameters().getMaskGenerationFunction(), EncryptionConstants.ALGO_ID_MGF1_SHA256); Assert.assertEquals(params.getRSAOAEPParameters().getOAEPParams(), "oaep-params-md"); // Should resolve digest from metadata, should NOT resolve OAEPParms from config by default config3.setRSAOAEPParameters( new RSAOAEPParameters(SignatureConstants.ALGO_ID_DIGEST_SHA1, null, "oaep-params-3")); rsaEncryptionMethod = buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP11); digestMethod = buildXMLObject(DigestMethod.DEFAULT_ELEMENT_NAME); digestMethod.setAlgorithm(EncryptionConstants.ALGO_ID_DIGEST_SHA256); rsaEncryptionMethod.getUnknownXMLObjects().add(digestMethod); keyDescriptor.getEncryptionMethods().clear(); keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod); params = resolver.resolveSingle(criteriaSet); Assert.assertNotNull(params.getRSAOAEPParameters()); Assert.assertEquals( params.getRSAOAEPParameters().getDigestMethod(), EncryptionConstants.ALGO_ID_DIGEST_SHA256); Assert.assertNull(params.getRSAOAEPParameters().getMaskGenerationFunction()); Assert.assertNull(params.getRSAOAEPParameters().getOAEPParams()); // Should resolve digest from metadata, should resolve OAEPParms from config3 config3.setRSAOAEPParameters( new RSAOAEPParameters(SignatureConstants.ALGO_ID_DIGEST_SHA1, null, "oaep-params-3")); resolver.setMergeMetadataRSAOAEPParametersWithConfig(true); rsaEncryptionMethod = buildEncryptionMethod(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP11); digestMethod = buildXMLObject(DigestMethod.DEFAULT_ELEMENT_NAME); digestMethod.setAlgorithm(EncryptionConstants.ALGO_ID_DIGEST_SHA256); rsaEncryptionMethod.getUnknownXMLObjects().add(digestMethod); keyDescriptor.getEncryptionMethods().clear(); keyDescriptor.getEncryptionMethods().add(rsaEncryptionMethod); params = resolver.resolveSingle(criteriaSet); Assert.assertNotNull(params.getRSAOAEPParameters()); Assert.assertEquals( params.getRSAOAEPParameters().getDigestMethod(), EncryptionConstants.ALGO_ID_DIGEST_SHA256); Assert.assertNull(params.getRSAOAEPParameters().getMaskGenerationFunction()); Assert.assertEquals(params.getRSAOAEPParameters().getOAEPParams(), "oaep-params-3"); } finally { providerSupport.unloadBC(); ConfigurationService.register(AlgorithmRegistry.class, originalRegistry); } }