1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17 package org.opensaml.xml.security;
18
19 import java.io.ByteArrayInputStream;
20 import java.io.File;
21 import java.io.IOException;
22 import java.math.BigInteger;
23 import java.security.GeneralSecurityException;
24 import java.security.Key;
25 import java.security.KeyException;
26 import java.security.KeyFactory;
27 import java.security.KeyPair;
28 import java.security.KeyPairGenerator;
29 import java.security.NoSuchAlgorithmException;
30 import java.security.NoSuchProviderException;
31 import java.security.PrivateKey;
32 import java.security.PublicKey;
33 import java.security.cert.CRLException;
34 import java.security.cert.CertificateException;
35 import java.security.cert.CertificateFactory;
36 import java.security.cert.X509Certificate;
37 import java.security.interfaces.DSAParams;
38 import java.security.interfaces.DSAPrivateKey;
39 import java.security.interfaces.DSAPublicKey;
40 import java.security.interfaces.ECPublicKey;
41 import java.security.interfaces.RSAPrivateCrtKey;
42 import java.security.interfaces.RSAPrivateKey;
43 import java.security.interfaces.RSAPublicKey;
44 import java.security.spec.DSAPublicKeySpec;
45 import java.security.spec.InvalidKeySpecException;
46 import java.security.spec.KeySpec;
47 import java.security.spec.RSAPublicKeySpec;
48 import java.security.spec.X509EncodedKeySpec;
49 import java.util.ArrayList;
50 import java.util.HashSet;
51 import java.util.List;
52 import java.util.Set;
53
54 import javax.crypto.KeyGenerator;
55 import javax.crypto.SecretKey;
56 import org.apache.commons.ssl.PKCS8Key;
57 import org.apache.xml.security.Init;
58 import org.apache.xml.security.algorithms.JCEMapper;
59 import org.opensaml.xml.Configuration;
60 import org.opensaml.xml.encryption.EncryptionParameters;
61 import org.opensaml.xml.encryption.KeyEncryptionParameters;
62 import org.opensaml.xml.security.credential.BasicCredential;
63 import org.opensaml.xml.security.credential.Credential;
64 import org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver;
65 import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
66 import org.opensaml.xml.security.keyinfo.KeyInfoGenerator;
67 import org.opensaml.xml.security.keyinfo.KeyInfoGeneratorFactory;
68 import org.opensaml.xml.security.keyinfo.KeyInfoProvider;
69 import org.opensaml.xml.security.keyinfo.NamedKeyInfoGeneratorManager;
70 import org.opensaml.xml.security.keyinfo.provider.DSAKeyValueProvider;
71 import org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider;
72 import org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider;
73 import org.opensaml.xml.security.x509.BasicX509Credential;
74 import org.opensaml.xml.signature.KeyInfo;
75 import org.opensaml.xml.signature.Signature;
76 import org.opensaml.xml.signature.SignatureConstants;
77 import org.opensaml.xml.util.Base64;
78 import org.opensaml.xml.util.DatatypeHelper;
79 import org.opensaml.xml.util.LazySet;
80 import org.slf4j.Logger;
81 import org.slf4j.LoggerFactory;
82
83
84
85
86 public final class SecurityHelper {
87
88
89 private static Logger log = LoggerFactory.getLogger(SecurityHelper.class);
90
91
92 private static Set<String> rsaAlgorithmURIs;
93
94
95 private static Set<String> dsaAlgorithmURIs;
96
97
98 private static Set<String> ecdsaAlgorithmURIs;
99
100
101 private SecurityHelper() {
102 }
103
104
105
106
107
108
109
110 public static String getAlgorithmIDFromURI(String algorithmURI) {
111 return DatatypeHelper.safeTrimOrNullString(JCEMapper.translateURItoJCEID(algorithmURI));
112 }
113
114
115
116
117
118
119
120 public static boolean isHMAC(String signatureAlgorithm) {
121 String algoClass = DatatypeHelper.safeTrimOrNullString(JCEMapper.getAlgorithmClassFromURI(signatureAlgorithm));
122 return ApacheXMLSecurityConstants.ALGO_CLASS_MAC.equals(algoClass);
123 }
124
125
126
127
128
129
130
131 public static String getKeyAlgorithmFromURI(String algorithmURI) {
132
133
134 String apacheValue = DatatypeHelper.safeTrimOrNullString(JCEMapper.getJCEKeyAlgorithmFromURI(algorithmURI));
135 if (apacheValue != null) {
136 return apacheValue;
137 }
138
139
140 if (isHMAC(algorithmURI)) {
141 return null;
142 }
143
144
145 if (rsaAlgorithmURIs.contains(algorithmURI)) {
146 return "RSA";
147 }
148 if (dsaAlgorithmURIs.contains(algorithmURI)) {
149 return "DSA";
150 }
151 if (ecdsaAlgorithmURIs.contains(algorithmURI)) {
152 return "ECDSA";
153 }
154
155 return null;
156 }
157
158
159
160
161
162
163
164
165 public static Integer getKeyLengthFromURI(String algorithmURI) {
166 String algoClass = DatatypeHelper.safeTrimOrNullString(JCEMapper.getAlgorithmClassFromURI(algorithmURI));
167
168 if (ApacheXMLSecurityConstants.ALGO_CLASS_BLOCK_ENCRYPTION.equals(algoClass)
169 || ApacheXMLSecurityConstants.ALGO_CLASS_SYMMETRIC_KEY_WRAP.equals(algoClass)) {
170
171 try {
172 int keyLength = JCEMapper.getKeyLengthFromURI(algorithmURI);
173 return new Integer(keyLength);
174 } catch (NumberFormatException e) {
175 log.warn("XML Security config contained invalid key length value for algorithm URI: " + algorithmURI);
176 }
177 }
178
179 log.info("Mapping from algorithm URI {} to key length not available", algorithmURI);
180 return null;
181 }
182
183
184
185
186
187
188
189
190
191 public static SecretKey generateSymmetricKey(String algoURI) throws NoSuchAlgorithmException, KeyException {
192 String jceAlgorithmName = getKeyAlgorithmFromURI(algoURI);
193 if (DatatypeHelper.isEmpty(jceAlgorithmName)) {
194 log.error("Mapping from algorithm URI '" + algoURI
195 + "' to key algorithm not available, key generation failed");
196 throw new NoSuchAlgorithmException("Algorithm URI'" + algoURI + "' is invalid for key generation");
197 }
198 Integer keyLength = getKeyLengthFromURI(algoURI);
199 if (keyLength == null) {
200 log.error("Key length could not be determined from algorithm URI, can't generate key");
201 throw new KeyException("Key length not determinable from algorithm URI, could not generate new key");
202 }
203 KeyGenerator keyGenerator = KeyGenerator.getInstance(jceAlgorithmName);
204 keyGenerator.init(keyLength);
205 return keyGenerator.generateKey();
206 }
207
208
209
210
211
212
213
214 public static Key extractEncryptionKey(Credential credential) {
215 if (credential == null) {
216 return null;
217 }
218 if (credential.getPublicKey() != null) {
219 return credential.getPublicKey();
220 } else {
221 return credential.getSecretKey();
222 }
223 }
224
225
226
227
228
229
230
231 public static Key extractDecryptionKey(Credential credential) {
232 if (credential == null) {
233 return null;
234 }
235 if (credential.getPrivateKey() != null) {
236 return credential.getPrivateKey();
237 } else {
238 return credential.getSecretKey();
239 }
240 }
241
242
243
244
245
246
247
248 public static Key extractSigningKey(Credential credential) {
249 if (credential == null) {
250 return null;
251 }
252 if (credential.getPrivateKey() != null) {
253 return credential.getPrivateKey();
254 } else {
255 return credential.getSecretKey();
256 }
257 }
258
259
260
261
262
263
264
265 public static Key extractVerificationKey(Credential credential) {
266 if (credential == null) {
267 return null;
268 }
269 if (credential.getPublicKey() != null) {
270 return credential.getPublicKey();
271 } else {
272 return credential.getSecretKey();
273 }
274 }
275
276
277
278
279
280
281
282 public static Integer getKeyLength(Key key) {
283
284
285 if (key instanceof SecretKey && "RAW".equals(key.getFormat())) {
286 return key.getEncoded().length * 8;
287 }
288 log.debug("Unable to determine length in bits of specified Key instance");
289 return null;
290 }
291
292
293
294
295
296
297
298 public static BasicCredential getSimpleCredential(SecretKey secretKey) {
299 if (secretKey == null) {
300 throw new IllegalArgumentException("A secret key is required");
301 }
302 BasicCredential cred = new BasicCredential();
303 cred.setSecretKey(secretKey);
304 return cred;
305 }
306
307
308
309
310
311
312
313
314 public static BasicCredential getSimpleCredential(PublicKey publicKey, PrivateKey privateKey) {
315 if (publicKey == null) {
316 throw new IllegalArgumentException("A public key is required");
317 }
318 BasicCredential cred = new BasicCredential();
319 cred.setPublicKey(publicKey);
320 cred.setPrivateKey(privateKey);
321 return cred;
322 }
323
324
325
326
327
328
329
330
331 public static BasicX509Credential getSimpleCredential(X509Certificate cert, PrivateKey privateKey) {
332 if (cert == null) {
333 throw new IllegalArgumentException("A certificate is required");
334 }
335 BasicX509Credential cred = new BasicX509Credential();
336 cred.setEntityCertificate(cert);
337 cred.setPrivateKey(privateKey);
338 return cred;
339 }
340
341
342
343
344
345
346
347
348
349
350
351
352
353 public static SecretKey decodeSecretKey(byte[] key, char[] password) throws KeyException {
354
355 throw new UnsupportedOperationException("This method is not yet supported");
356 }
357
358
359
360
361
362
363
364
365
366
367
368 public static PublicKey decodePublicKey(byte[] key, char[] password) throws KeyException {
369 X509EncodedKeySpec keySpec = new X509EncodedKeySpec(key);
370 try {
371 return buildKey(keySpec, "RSA");
372 }
373 catch (KeyException ex) {
374 }
375 try {
376 return buildKey(keySpec, "DSA");
377 }
378 catch (KeyException ex) {
379 }
380 try {
381 return buildKey(keySpec, "EC");
382 }
383 catch (KeyException ex) {
384 }
385 throw new KeyException("Unsupported key type.");
386 }
387
388
389
390
391
392
393
394
395
396
397
398 public static PublicKey derivePublicKey(PrivateKey key) throws KeyException {
399 KeyFactory factory;
400 if (key instanceof DSAPrivateKey) {
401 DSAPrivateKey dsaKey = (DSAPrivateKey) key;
402 DSAParams keyParams = dsaKey.getParams();
403 BigInteger y = keyParams.getQ().modPow(dsaKey.getX(), keyParams.getP());
404 DSAPublicKeySpec pubKeySpec = new DSAPublicKeySpec(y, keyParams.getP(), keyParams.getQ(), keyParams.getG());
405
406 try {
407 factory = KeyFactory.getInstance("DSA");
408 return factory.generatePublic(pubKeySpec);
409 } catch (GeneralSecurityException e) {
410 throw new KeyException("Unable to derive public key from DSA private key", e);
411 }
412 } else if (key instanceof RSAPrivateCrtKey) {
413 RSAPrivateCrtKey rsaKey = (RSAPrivateCrtKey) key;
414 RSAPublicKeySpec pubKeySpec = new RSAPublicKeySpec(rsaKey.getModulus(), rsaKey.getPublicExponent());
415
416 try {
417 factory = KeyFactory.getInstance("RSA");
418 return factory.generatePublic(pubKeySpec);
419 } catch (GeneralSecurityException e) {
420 throw new KeyException("Unable to derive public key from RSA private key", e);
421 }
422 } else {
423 throw new KeyException("Private key was not a DSA or RSA key");
424 }
425 }
426
427
428
429
430
431
432
433
434
435
436
437 public static PrivateKey decodePrivateKey(File key, char[] password) throws KeyException {
438 if (!key.exists()) {
439 throw new KeyException("Key file " + key.getAbsolutePath() + " does not exist");
440 }
441
442 if (!key.canRead()) {
443 throw new KeyException("Key file " + key.getAbsolutePath() + " is not readable");
444 }
445
446 try {
447 return decodePrivateKey(DatatypeHelper.fileToByteArray(key), password);
448 } catch (IOException e) {
449 throw new KeyException("Error reading Key file " + key.getAbsolutePath(), e);
450 }
451 }
452
453
454
455
456
457
458
459
460
461
462
463 public static PrivateKey decodePrivateKey(byte[] key, char[] password) throws KeyException {
464 try {
465 PKCS8Key deocodedKey = new PKCS8Key(key, password);
466 return deocodedKey.getPrivateKey();
467 } catch (GeneralSecurityException e) {
468 throw new KeyException("Unable to decode private key", e);
469 }
470 }
471
472
473
474
475
476
477
478
479 public static java.security.cert.X509Certificate buildJavaX509Cert(String base64Cert) throws CertificateException {
480 CertificateFactory cf = CertificateFactory.getInstance("X.509");
481 ByteArrayInputStream input = new ByteArrayInputStream(Base64.decode(base64Cert));
482 return (java.security.cert.X509Certificate) cf.generateCertificate(input);
483 }
484
485
486
487
488
489
490
491
492
493 public static java.security.cert.X509CRL buildJavaX509CRL(String base64CRL)
494 throws CertificateException, CRLException {
495 CertificateFactory cf = CertificateFactory.getInstance("X.509");
496 ByteArrayInputStream input = new ByteArrayInputStream(Base64.decode(base64CRL));
497 return (java.security.cert.X509CRL) cf.generateCRL(input);
498 }
499
500
501
502
503
504
505
506
507 public static DSAPublicKey buildJavaDSAPublicKey(String base64EncodedKey) throws KeyException {
508 X509EncodedKeySpec keySpec = new X509EncodedKeySpec(Base64.decode(base64EncodedKey));
509 return (DSAPublicKey) buildKey(keySpec, "DSA");
510 }
511
512
513
514
515
516
517
518
519 public static RSAPublicKey buildJavaRSAPublicKey(String base64EncodedKey) throws KeyException {
520 X509EncodedKeySpec keySpec = new X509EncodedKeySpec(Base64.decode(base64EncodedKey));
521 return (RSAPublicKey) buildKey(keySpec, "RSA");
522 }
523
524
525
526
527
528
529
530
531 public static ECPublicKey buildJavaECPublicKey(String base64EncodedKey) throws KeyException {
532 X509EncodedKeySpec keySpec = new X509EncodedKeySpec(Base64.decode(base64EncodedKey));
533 return (ECPublicKey) buildKey(keySpec, "EC");
534 }
535
536
537
538
539
540
541
542
543 public static RSAPrivateKey buildJavaRSAPrivateKey(String base64EncodedKey) throws KeyException {
544 PrivateKey key = buildJavaPrivateKey(base64EncodedKey);
545 if (! (key instanceof RSAPrivateKey)) {
546 throw new KeyException("Generated key was not an RSAPrivateKey instance");
547 }
548 return (RSAPrivateKey) key;
549 }
550
551
552
553
554
555
556
557
558 public static DSAPrivateKey buildJavaDSAPrivateKey(String base64EncodedKey) throws KeyException {
559 PrivateKey key = buildJavaPrivateKey(base64EncodedKey);
560 if (! (key instanceof DSAPrivateKey)) {
561 throw new KeyException("Generated key was not a DSAPrivateKey instance");
562 }
563 return (DSAPrivateKey) key;
564 }
565
566
567
568
569
570
571
572
573 public static PrivateKey buildJavaPrivateKey(String base64EncodedKey) throws KeyException {
574 return SecurityHelper.decodePrivateKey(Base64.decode(base64EncodedKey), null);
575 }
576
577
578
579
580
581
582
583
584
585
586
587
588 public static PublicKey buildKey(KeySpec keySpec, String keyAlgorithm) throws KeyException {
589 try {
590 KeyFactory keyFactory = KeyFactory.getInstance(keyAlgorithm);
591 return keyFactory.generatePublic(keySpec);
592 } catch (NoSuchAlgorithmException e) {
593 throw new KeyException(keyAlgorithm + "algorithm is not supported by the JCE", e);
594 } catch (InvalidKeySpecException e) {
595 throw new KeyException("Invalid key information", e);
596 }
597 }
598
599
600
601
602
603
604
605
606
607 public static SecretKey generateKeyFromURI(String algoURI)
608 throws NoSuchAlgorithmException, NoSuchProviderException {
609 String jceAlgorithmName = JCEMapper.getJCEKeyAlgorithmFromURI(algoURI);
610 int keyLength = JCEMapper.getKeyLengthFromURI(algoURI);
611 return generateKey(jceAlgorithmName, keyLength, null);
612 }
613
614
615
616
617
618
619
620
621
622
623 public static KeyPair generateKeyPairFromURI(String algoURI, int keyLength)
624 throws NoSuchAlgorithmException, NoSuchProviderException {
625 String jceAlgorithmName = JCEMapper.getJCEKeyAlgorithmFromURI(algoURI);
626 return generateKeyPair(jceAlgorithmName, keyLength, null);
627 }
628
629
630
631
632
633
634
635
636
637
638
639 public static SecretKey generateKey(String algo, int keyLength, String provider)
640 throws NoSuchAlgorithmException, NoSuchProviderException {
641 SecretKey key = null;
642 KeyGenerator keyGenerator = null;
643 if (provider != null) {
644 keyGenerator = KeyGenerator.getInstance(algo, provider);
645 } else {
646 keyGenerator = KeyGenerator.getInstance(algo);
647 }
648 keyGenerator.init(keyLength);
649 key = keyGenerator.generateKey();
650 return key;
651 }
652
653
654
655
656
657
658
659
660
661
662
663 public static KeyPair generateKeyPair(String algo, int keyLength, String provider)
664 throws NoSuchAlgorithmException, NoSuchProviderException {
665 KeyPairGenerator keyGenerator = null;
666 if (provider != null) {
667 keyGenerator = KeyPairGenerator.getInstance(algo, provider);
668 } else {
669 keyGenerator = KeyPairGenerator.getInstance(algo);
670 }
671 keyGenerator.initialize(keyLength);
672 return keyGenerator.generateKeyPair();
673 }
674
675
676
677
678
679
680
681
682
683 public static Credential generateKeyAndCredential(String algorithmURI)
684 throws NoSuchAlgorithmException, NoSuchProviderException {
685 SecretKey key = generateKeyFromURI(algorithmURI);
686 BasicCredential credential = new BasicCredential();
687 credential.setSecretKey(key);
688 return credential;
689 }
690
691
692
693
694
695
696
697
698
699
700
701 public static Credential generateKeyPairAndCredential(String algorithmURI, int keyLength, boolean includePrivate)
702 throws NoSuchAlgorithmException, NoSuchProviderException {
703 KeyPair keyPair = generateKeyPairFromURI(algorithmURI, keyLength);
704 BasicCredential credential = new BasicCredential();
705 credential.setPublicKey(keyPair.getPublic());
706 if (includePrivate) {
707 credential.setPrivateKey(keyPair.getPrivate());
708 }
709 return credential;
710 }
711
712
713
714
715
716
717
718 public static KeyInfoCredentialResolver buildBasicInlineKeyInfoResolver() {
719 List<KeyInfoProvider> providers = new ArrayList<KeyInfoProvider>();
720 providers.add( new RSAKeyValueProvider() );
721 providers.add( new DSAKeyValueProvider() );
722 providers.add( new InlineX509DataProvider() );
723 return new BasicProviderKeyInfoCredentialResolver(providers);
724 }
725
726
727
728
729
730
731
732
733
734 public static boolean matchKeyPair(PublicKey pubKey, PrivateKey privKey) throws SecurityException {
735
736
737 if (pubKey == null || privKey == null) {
738 throw new SecurityException("Either public or private key was null");
739 }
740
741
742
743
744 SecurityConfiguration secConfig = Configuration.getGlobalSecurityConfiguration();
745 if (secConfig == null) {
746 throw new SecurityException("Global security configuration was null, could not resolve signing algorithm");
747 }
748 String algoURI = secConfig.getSignatureAlgorithmURI(privKey.getAlgorithm());
749 if (algoURI == null) {
750 throw new SecurityException("Can't determine algorithm URI from key algorithm: " + privKey.getAlgorithm());
751 }
752 String jcaAlgoID = getAlgorithmIDFromURI(algoURI);
753 if (jcaAlgoID == null) {
754 throw new SecurityException("Can't determine JCA algorithm ID from algorithm URI: " + algoURI);
755 }
756
757 if (log.isDebugEnabled()) {
758 log.debug("Attempting to match key pair containing key algorithms public '{}' private '{}', "
759 + "using JCA signature algorithm '{}'", new Object[] { pubKey.getAlgorithm(),
760 privKey.getAlgorithm(), jcaAlgoID, });
761 }
762
763 byte[] data = "This is the data to sign".getBytes();
764 byte[] signature = SigningUtil.sign(privKey, jcaAlgoID, data);
765 return SigningUtil.verify(pubKey, jcaAlgoID, signature, data);
766 }
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814 public static void prepareSignatureParams(Signature signature, Credential signingCredential,
815 SecurityConfiguration config, String keyInfoGenName) throws SecurityException {
816
817 SecurityConfiguration secConfig;
818 if (config != null) {
819 secConfig = config;
820 } else {
821 secConfig = Configuration.getGlobalSecurityConfiguration();
822 }
823
824
825 String signAlgo = signature.getSignatureAlgorithm();
826 if (signAlgo == null) {
827 signAlgo = secConfig.getSignatureAlgorithmURI(signingCredential);
828 signature.setSignatureAlgorithm(signAlgo);
829 }
830
831
832 if (SecurityHelper.isHMAC(signAlgo)) {
833 if (signature.getHMACOutputLength() == null) {
834 signature.setHMACOutputLength(secConfig.getSignatureHMACOutputLength());
835 }
836 }
837
838 if (signature.getCanonicalizationAlgorithm() == null) {
839 signature.setCanonicalizationAlgorithm(secConfig.getSignatureCanonicalizationAlgorithm());
840 }
841
842 if (signature.getKeyInfo() == null) {
843 KeyInfoGenerator kiGenerator = getKeyInfoGenerator(signingCredential, secConfig, keyInfoGenName);
844 if (kiGenerator != null) {
845 try {
846 KeyInfo keyInfo = kiGenerator.generate(signingCredential);
847 signature.setKeyInfo(keyInfo);
848 } catch (SecurityException e) {
849 log.error("Error generating KeyInfo from credential", e);
850 throw e;
851 }
852 } else {
853 log.info("No factory for named KeyInfoGenerator {} was found for credential type {}", keyInfoGenName,
854 signingCredential.getCredentialType().getName());
855 log.info("No KeyInfo will be generated for Signature");
856 }
857 }
858 }
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897 public static EncryptionParameters buildDataEncryptionParams(Credential encryptionCredential,
898 SecurityConfiguration config, String keyInfoGenName) {
899
900 SecurityConfiguration secConfig;
901 if (config != null) {
902 secConfig = config;
903 } else {
904 secConfig = Configuration.getGlobalSecurityConfiguration();
905 }
906
907 EncryptionParameters encParams = new EncryptionParameters();
908 encParams.setEncryptionCredential(encryptionCredential);
909
910 if (encryptionCredential == null) {
911 encParams.setAlgorithm(secConfig.getAutoGeneratedDataEncryptionKeyAlgorithmURI());
912 } else {
913 encParams.setAlgorithm(secConfig.getDataEncryptionAlgorithmURI(encryptionCredential));
914
915 KeyInfoGenerator kiGenerator = getKeyInfoGenerator(encryptionCredential, secConfig, keyInfoGenName);
916 if (kiGenerator != null) {
917 encParams.setKeyInfoGenerator(kiGenerator);
918 } else {
919 log.info("No factory for named KeyInfoGenerator {} was found for credential type{}", keyInfoGenName,
920 encryptionCredential.getCredentialType().getName());
921 log.info("No KeyInfo will be generated for EncryptedData");
922 }
923 }
924
925 return encParams;
926 }
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971 public static KeyEncryptionParameters buildKeyEncryptionParams(Credential encryptionCredential,
972 String wrappedKeyAlgorithm, SecurityConfiguration config, String keyInfoGenName, String recipient)
973 throws SecurityException {
974
975 SecurityConfiguration secConfig;
976 if (config != null) {
977 secConfig = config;
978 } else {
979 secConfig = Configuration.getGlobalSecurityConfiguration();
980 }
981
982 KeyEncryptionParameters kekParams = new KeyEncryptionParameters();
983 kekParams.setEncryptionCredential(encryptionCredential);
984
985 if (encryptionCredential == null) {
986 throw new SecurityException("Key encryption credential may not be null");
987 }
988
989 kekParams.setAlgorithm(secConfig.getKeyTransportEncryptionAlgorithmURI(encryptionCredential,
990 wrappedKeyAlgorithm));
991
992 KeyInfoGenerator kiGenerator = getKeyInfoGenerator(encryptionCredential, secConfig, keyInfoGenName);
993 if (kiGenerator != null) {
994 kekParams.setKeyInfoGenerator(kiGenerator);
995 } else {
996 log.info("No factory for named KeyInfoGenerator {} was found for credential type {}", keyInfoGenName,
997 encryptionCredential.getCredentialType().getName());
998 log.info("No KeyInfo will be generated for EncryptedKey");
999 }
1000
1001 kekParams.setRecipient(recipient);
1002
1003 return kekParams;
1004 }
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028 public static KeyInfoGenerator getKeyInfoGenerator(Credential credential, SecurityConfiguration config,
1029 String keyInfoGenName) {
1030
1031 SecurityConfiguration secConfig;
1032 if (config != null) {
1033 secConfig = config;
1034 } else {
1035 secConfig = Configuration.getGlobalSecurityConfiguration();
1036 }
1037
1038 NamedKeyInfoGeneratorManager kiMgr = secConfig.getKeyInfoGeneratorManager();
1039 if (kiMgr != null) {
1040 KeyInfoGeneratorFactory kiFactory = null;
1041 if (DatatypeHelper.isEmpty(keyInfoGenName)) {
1042 kiFactory = kiMgr.getDefaultManager().getFactory(credential);
1043 } else {
1044 kiFactory = kiMgr.getFactory(keyInfoGenName, credential);
1045 }
1046 if (kiFactory != null) {
1047 return kiFactory.newInstance();
1048 }
1049 }
1050 return null;
1051 }
1052
1053 static {
1054
1055
1056 if (!Init.isInitialized()) {
1057 Init.init();
1058 }
1059
1060
1061
1062 dsaAlgorithmURIs = new LazySet<String>();
1063 dsaAlgorithmURIs.add(SignatureConstants.ALGO_ID_SIGNATURE_DSA);
1064
1065 ecdsaAlgorithmURIs = new LazySet<String>();
1066 ecdsaAlgorithmURIs.add(SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA1);
1067
1068 rsaAlgorithmURIs = new HashSet<String>(10);
1069 rsaAlgorithmURIs.add(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1);
1070 rsaAlgorithmURIs.add(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
1071 rsaAlgorithmURIs.add(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA384);
1072 rsaAlgorithmURIs.add(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA512);
1073 rsaAlgorithmURIs.add(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA512);
1074 rsaAlgorithmURIs.add(SignatureConstants.ALGO_ID_SIGNATURE_RSA_RIPEMD160);
1075 rsaAlgorithmURIs.add(SignatureConstants.ALGO_ID_SIGNATURE_NOT_RECOMMENDED_RSA_MD5);
1076 }
1077 }