org.opensaml.xml.signature.KeyInfo Java Examples

private static Signature setSignatureRaw(String signatureAlgorithm, X509Credential cred) throws SSOAgentException {
    Signature signature = (Signature) buildXMLObject(Signature.DEFAULT_ELEMENT_NAME);
    signature.setSigningCredential(cred);
    signature.setSignatureAlgorithm(signatureAlgorithm);
    signature.setCanonicalizationAlgorithm(Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

    try {
        KeyInfo keyInfo = (KeyInfo) buildXMLObject(KeyInfo.DEFAULT_ELEMENT_NAME);
        X509Data data = (X509Data) buildXMLObject(X509Data.DEFAULT_ELEMENT_NAME);
        org.opensaml.xml.signature.X509Certificate cert =
                (org.opensaml.xml.signature.X509Certificate) buildXMLObject(org.opensaml.xml.signature.X509Certificate.DEFAULT_ELEMENT_NAME);
        String value =
                org.apache.xml.security.utils.Base64.encode(cred.getEntityCertificate().getEncoded());
        cert.setValue(value);
        data.getX509Certificates().add(cert);
        keyInfo.getX509Datas().add(data);
        signature.setKeyInfo(keyInfo);
        return signature;

    } catch (CertificateEncodingException e) {
        throw new SSOAgentException("Error getting certificate", e);
    }
}
 

/**
 * Get the set of key names inside the specified {@link KeyInfo} as a list of strings.
 * 
 * @param keyInfo {@link KeyInfo} to retrieve key names from
 * 
 * @return a list of key name strings
 */
public static List<String> getKeyNames(KeyInfo keyInfo) {
    List<String> keynameList = new LinkedList<String>();

    if (keyInfo == null) {
        return keynameList;
    }

    List<KeyName> keyNames = keyInfo.getKeyNames();
    for (KeyName keyName : keyNames) {
        if (keyName.getValue() != null) {
            keynameList.add(keyName.getValue());
        }
    }

    return keynameList;
}
 

/**
 * Get a list of the Java {@link java.security.cert.X509Certificate} within the given KeyInfo.
 * 
 * @param keyInfo key info to extract the certificates from
 * 
 * @return a list of Java {@link java.security.cert.X509Certificate}s
 * 
 * @throws CertificateException thrown if there is a problem converting the 
 *          X509 data into {@link java.security.cert.X509Certificate}s.
 */
public static List<X509Certificate> getCertificates(KeyInfo keyInfo) throws CertificateException {
    List<X509Certificate> certList = new LinkedList<X509Certificate>();

    if (keyInfo == null) {
        return certList;
    }

    List<X509Data> x509Datas = keyInfo.getX509Datas();
    for (X509Data x509Data : x509Datas) {
        if (x509Data != null) {
            certList.addAll(getCertificates(x509Data));
        }
    }

    return certList;
}
 

/**
 * Get a list of the Java {@link java.security.cert.X509CRL}s within the given {@link KeyInfo}.
 * 
 * @param keyInfo the {@link KeyInfo} to extract the CRL's from
 * 
 * @return a list of Java {@link java.security.cert.X509CRL}s
 * 
 * @throws CRLException thrown if there is a problem converting the 
 *          CRL data into {@link java.security.cert.X509CRL}s
 */
public static List<X509CRL> getCRLs(KeyInfo keyInfo) throws CRLException {
    List<X509CRL> crlList = new LinkedList<X509CRL>();

    if (keyInfo == null) {
        return crlList;
    }

    List<X509Data> x509Datas = keyInfo.getX509Datas();
    for (X509Data x509Data : x509Datas) {
        if (x509Data != null) {
            crlList.addAll(getCRLs(x509Data));
        }
    }

    return crlList;
}
 

/**
 * Initialize the resolution context that will be used by the providers.
 * 
 * The supplied KeyInfo object is stored in the context, as well as the values of any {@link KeyName} children
 * present. Finally if a credential is resolveble by any registered provider from a plain {@link KeyValue} child,
 * the key from that credential is also stored in the context.
 * 
 * @param kiContext KeyInfo resolution context
 * @param keyInfo the KeyInfo to evaluate
 * @param criteriaSet the credential criteria used to resolve credentials
 * @throws SecurityException thrown if there is an error processing the KeyValue children
 */
protected void initResolutionContext(KeyInfoResolutionContext kiContext, KeyInfo keyInfo, CriteriaSet criteriaSet)
        throws SecurityException {

    kiContext.setKeyInfo(keyInfo);

    // Extract all KeyNames
    kiContext.getKeyNames().addAll(KeyInfoHelper.getKeyNames(keyInfo));
    log.debug("Found {} key names: {}", kiContext.getKeyNames().size(), kiContext.getKeyNames());

    // Extract the Credential based on the (singular) key from an existing KeyValue(s).
    resolveKeyValue(kiContext, criteriaSet, keyInfo.getKeyValues());

    // Extract the Credential based on the (singular) key from an existing DEREncodedKeyValue(s).
    resolveKeyValue(kiContext, criteriaSet, keyInfo.getXMLObjects(DEREncodedKeyValue.DEFAULT_ELEMENT_NAME));
}
 

/**
 * Converts a Java DSA or RSA public key into the corresponding XMLObject and stores it
 * in a {@link KeyInfo} in a new {@link KeyValue} element.
 * 
 * As input, only supports {@link PublicKey}s which are instances of either
 * {@link java.security.interfaces.DSAPublicKey} or
 * {@link java.security.interfaces.RSAPublicKey}
 * 
 * @param keyInfo the {@link KeyInfo} element to which to add the key
 * @param pk the native Java {@link PublicKey} to add
 * @throws IllegalArgumentException thrown if an unsupported public key
 *          type is passed
 */
public static void addPublicKey(KeyInfo keyInfo, PublicKey pk) throws IllegalArgumentException {
    KeyValue keyValue = (KeyValue) Configuration.getBuilderFactory()
        .getBuilder(KeyValue.DEFAULT_ELEMENT_NAME)
        .buildObject(KeyValue.DEFAULT_ELEMENT_NAME);
    
    if (pk instanceof RSAPublicKey) {
        keyValue.setRSAKeyValue(buildRSAKeyValue((RSAPublicKey) pk));
    } else if (pk instanceof DSAPublicKey) {
        keyValue.setDSAKeyValue(buildDSAKeyValue((DSAPublicKey) pk));
    } else {
       throw new IllegalArgumentException("Only RSAPublicKey and DSAPublicKey are supported");
    }
    
    keyInfo.getKeyValues().add(keyValue);
}
 

/**
 * Dereference the URI attribute of the specified retrieval method into a KeyInfo.
 * 
 * @param ref the KeyInfoReference to process
 * @return the dereferenced KeyInfo
 */
protected KeyInfo dereferenceURI(KeyInfoReference ref) {
    String uri = ref.getURI();
    if (DatatypeHelper.isEmpty(uri) || !uri.startsWith("#")) {
        log.warn("EncryptedKey KeyInfoReference did not contain a same-document URI reference, cannot process");
        return null;
    }
    XMLObject target = ref.resolveIDFromRoot(uri.substring(1));
    if (target == null) {
        log.warn("EncryptedKey KeyInfoReference URI could not be dereferenced");
        return null;
    } else if (!(target instanceof KeyInfo)) {
        log.warn("The product of dereferencing the EncryptedKey KeyInfoReference was not a KeyInfo");
        return null;
    }
    return (KeyInfo) target;
}
 

/** {@inheritDoc} */
protected void processChildElement(XMLObject parentXMLObject, XMLObject childXMLObject)
        throws UnmarshallingException {
    EncryptedType et = (EncryptedType) parentXMLObject;

    if (childXMLObject instanceof EncryptionMethod) {
        et.setEncryptionMethod((EncryptionMethod) childXMLObject);
    } else if (childXMLObject instanceof KeyInfo) {
        et.setKeyInfo((KeyInfo) childXMLObject);
    } else if (childXMLObject instanceof CipherData) {
        et.setCipherData((CipherData) childXMLObject);
    } else if (childXMLObject instanceof EncryptionProperties) {
        et.setEncryptionProperties((EncryptionProperties) childXMLObject);
    } else {
        super.processChildElement(parentXMLObject, childXMLObject);
    }

}
 

/** Process the value of {@link X509Credential#getCRLs()}.
 * 
 * @param keyInfo the KeyInfo that is being built
 * @param x509Data the X509Data that is being built
 * @param credential the Credential that is being processed
 * @throws SecurityException thrown if the CRL data can not be encoded from the Java certificate object
 */
protected void processCRLs(KeyInfo keyInfo, X509Data x509Data, X509Credential credential) 
        throws SecurityException {
    
    if (options.emitCRLs && credential.getCRLs() != null) {
        for (java.security.cert.X509CRL javaCRL : credential.getCRLs()) {
            try {
                X509CRL xmlCRL = KeyInfoHelper.buildX509CRL(javaCRL);
                x509Data.getX509CRLs().add(xmlCRL);
            } catch (CRLException e) {
                throw new SecurityException("Error generating X509CRL element " 
                        + "from a CRL in credential's CRL list", e);
            }
        }
    }
}
 

/**
 * Process the options related to generation of KeyName elements based on subject
 * alternative name information within the certificate data.
 * 
 * @param keyInfo the KeyInfo element being processed.
 * @param cert the certificate being processed
 */
protected void processSubjectAltNameKeyNames(KeyInfo keyInfo, java.security.cert.X509Certificate cert) {
    if (options.emitSubjectAltNamesAsKeyNames && options.subjectAltNames.size() > 0) {
        Integer[] nameTypes = new Integer[ options.subjectAltNames.size() ];
        options.subjectAltNames.toArray(nameTypes);
        for (Object altNameValue : X509Util.getAltNames(cert, nameTypes)) {
            // Each returned value should either be a String or a DER-encoded byte array.
            // See X509Certificate#getSubjectAlternativeNames for the type rules.
            if (altNameValue instanceof String) {
                KeyInfoHelper.addKeyName(keyInfo, (String) altNameValue);
            } else if (altNameValue instanceof byte[]){
                log.warn("Certificate contained an alt name value as a DER-encoded byte[] (not supported)");
            } else {
                log.warn("Certificate contained an alt name value with an unexpected type: {}",
                        altNameValue.getClass().getName());
            }
        }
    }
}
 

@Override
public void setSignature(String signatureAlgorithm, X509Credential cred) throws IdentityProviderException {
    Signature signature = (Signature) buildXMLObject(Signature.DEFAULT_ELEMENT_NAME);
    signature.setSigningCredential(cred);
    signature.setSignatureAlgorithm(signatureAlgorithm);
    signature.setCanonicalizationAlgorithm(Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

    try {
        KeyInfo keyInfo = (KeyInfo) buildXMLObject(KeyInfo.DEFAULT_ELEMENT_NAME);
        X509Data data = (X509Data) buildXMLObject(X509Data.DEFAULT_ELEMENT_NAME);
        X509Certificate cert = (X509Certificate) buildXMLObject(X509Certificate.DEFAULT_ELEMENT_NAME);
        String value = Base64.encode(cred.getEntityCertificate().getEncoded());
        cert.setValue(value);
        data.getX509Certificates().add(cert);
        keyInfo.getX509Datas().add(data);
        signature.setKeyInfo(keyInfo);
    } catch (CertificateEncodingException e) {
        log.error("Error while getting the encoded certificate", e);
        throw new IdentityProviderException("Error while getting the encoded certificate");
    }

    assertion.setSignature(signature);
    signatureList.add(signature);
}
 

/** Process the value of {@link X509Credential#getEntityCertificate()}.
 * 
 * @param keyInfo the KeyInfo that is being built
 * @param x509Data the X509Data that is being built
 * @param credential the Credential that is being processed
 * @throws SecurityException thrown if the certificate data can not be encoded from the Java certificate object
 */
protected void processEntityCertificate(KeyInfo keyInfo, X509Data x509Data, X509Credential credential) 
        throws SecurityException {
    
    if (credential.getEntityCertificate() == null) {
        return;
    }
    
    java.security.cert.X509Certificate javaCert = credential.getEntityCertificate();
    
    processCertX509DataOptions(x509Data, javaCert);
    processCertKeyNameOptions(keyInfo, javaCert);
    
    // The cert chain includes the entity cert, so don't add a duplicate
    if (options.emitEntityCertificate && ! options.emitEntityCertificateChain) {
        try {
            X509Certificate xmlCert = KeyInfoHelper.buildX509Certificate(javaCert);
            x509Data.getX509Certificates().add(xmlCert);
        } catch (CertificateEncodingException e) {
            throw new SecurityException("Error generating X509Certificate element " 
                    + "from credential's end-entity certificate", e);
        }
    }
    
}
 

/** Process the value of {@link X509Credential#getEntityCertificateChain()}.
 * 
 * @param keyInfo the KeyInfo that is being built
 * @param x509Data the X509Data that is being built
 * @param credential the Credential that is being processed
 * @throws SecurityException thrown if the certificate data can not be encoded from the Java certificate object
 */
protected void processEntityCertificateChain(KeyInfo keyInfo, X509Data x509Data, X509Credential credential) 
        throws SecurityException {
    
    if (options.emitEntityCertificateChain && credential.getEntityCertificateChain() != null) {
        for (java.security.cert.X509Certificate javaCert : credential.getEntityCertificateChain()) {
            try {
                X509Certificate xmlCert = KeyInfoHelper.buildX509Certificate(javaCert);
                x509Data.getX509Certificates().add(xmlCert);
            } catch (CertificateEncodingException e) {
                throw new SecurityException("Error generating X509Certificate element " 
                        + "from a certificate in credential's certificate chain", e);
            }
        }
    }
}
 

/**
 * Helper method for constructors.
 */
private void init() {
    builderFactory = Configuration.getBuilderFactory();
    keyInfoBuilder = 
        (XMLSignatureBuilder<KeyInfo>) builderFactory.getBuilder(KeyInfo.DEFAULT_ELEMENT_NAME);
    dataReferenceBuilder = 
        (XMLEncryptionBuilder<DataReference>) builderFactory.getBuilder(DataReference.DEFAULT_ELEMENT_NAME);
    referenceListBuilder = 
        (XMLEncryptionBuilder<ReferenceList>) builderFactory.getBuilder(ReferenceList.DEFAULT_ELEMENT_NAME);
    retrievalMethodBuilder = 
        (XMLSignatureBuilder<RetrievalMethod>) builderFactory.getBuilder(RetrievalMethod.DEFAULT_ELEMENT_NAME);
    keyNameBuilder = 
        (XMLSignatureBuilder<KeyName>) builderFactory.getBuilder(KeyName.DEFAULT_ELEMENT_NAME);
    carriedKeyNameBuilder = 
        (XMLEncryptionBuilder<CarriedKeyName>) builderFactory.getBuilder(CarriedKeyName.DEFAULT_ELEMENT_NAME);
    
    try{
        idGenerator = new SecureRandomIdentifierGenerator();
    }catch(NoSuchAlgorithmException e){
        log.error("JVM does not support SHA1PRNG random number generation algorithm.");
    }
    
    keyPlacement = KeyPlacement.PEER;
}
 

@Override
public void setSignature(String signatureAlgorithm, X509Credential cred) throws IdentityProviderException {
    Signature signature = (Signature) buildXMLObject(Signature.DEFAULT_ELEMENT_NAME);
    signature.setSigningCredential(cred);
    signature.setSignatureAlgorithm(signatureAlgorithm);
    signature.setCanonicalizationAlgorithm(Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

    try {
        KeyInfo keyInfo = (KeyInfo) buildXMLObject(KeyInfo.DEFAULT_ELEMENT_NAME);
        X509Data data = (X509Data) buildXMLObject(X509Data.DEFAULT_ELEMENT_NAME);
        X509Certificate cert = (X509Certificate) buildXMLObject(X509Certificate.DEFAULT_ELEMENT_NAME);
        String value = Base64.encode(cred.getEntityCertificate().getEncoded());
        cert.setValue(value);
        data.getX509Certificates().add(cert);
        keyInfo.getX509Datas().add(data);
        signature.setKeyInfo(keyInfo);
    } catch (CertificateEncodingException e) {
        log.error("Failed to get encoded certificate", e);
        throw new IdentityProviderException("Error while getting encoded certificate");
    }

    assertion.setSignature(signature);
    signatureList.add(signature);
}
 

/**
 * Converts a Java public key into a {@link DEREncodedKeyValue} element and adds it to
 * a {@link KeyInfo}.
 * 
 * @param keyInfo the {@link KeyInfo} element to which to add the key
 * @param pk the native Java {@link PublicKey} to add
 * @throws NoSuchAlgorithmException if the key type is unsupported
 * @throws InvalidKeySpecException if the key type does not support X.509 SPKI encoding
 */
public static void addDEREncodedPublicKey(KeyInfo keyInfo, PublicKey pk)
        throws NoSuchAlgorithmException, InvalidKeySpecException {
    DEREncodedKeyValue keyValue = (DEREncodedKeyValue) Configuration.getBuilderFactory()
        .getBuilder(DEREncodedKeyValue.DEFAULT_ELEMENT_NAME)
        .buildObject(DEREncodedKeyValue.DEFAULT_ELEMENT_NAME);
    
    KeyFactory keyFactory = KeyFactory.getInstance(pk.getAlgorithm());
    X509EncodedKeySpec keySpec = keyFactory.getKeySpec(pk, X509EncodedKeySpec.class);
    keyValue.setValue(Base64.encodeBytes(keySpec.getEncoded()));
    keyInfo.getXMLObjects().add(keyValue);
}
 

/**
 * Constructor.
 * 
 * @param newOptions the options to be used by the generator
 */
protected X509KeyInfoGenerator(X509Options newOptions) {
    super(newOptions);
    options = newOptions;
    
    keyInfoBuilder = 
        (KeyInfoBuilder) Configuration.getBuilderFactory().getBuilder(KeyInfo.DEFAULT_ELEMENT_NAME);
    x509DataBuilder = 
        (X509DataBuilder) Configuration.getBuilderFactory().getBuilder(X509Data.DEFAULT_ELEMENT_NAME);
}
 

/**
 * Get a KeyInfo unmarshaller.
 * 
 * @return a KeyInfo unmarshaller
 * @throws SecurityException thrown if there is an error obtaining the unmarshaller from the configuration
 */
private Unmarshaller getUnmarshaller() throws SecurityException {
    if (keyInfoUnmarshaller != null) {
        return keyInfoUnmarshaller;
    }
    keyInfoUnmarshaller = Configuration.getUnmarshallerFactory().getUnmarshaller(KeyInfo.DEFAULT_ELEMENT_NAME);
    if (keyInfoUnmarshaller == null) {
        throw new SecurityException("Could not obtain KeyInfo unmarshaller from the configuration");
    }
    return keyInfoUnmarshaller;
}
 

/**
 * Process the options related to generation of KeyName elements based on the
 * the common name field(s) of the certificate's subject DN.
 * 
 * @param keyInfo the KeyInfo element being processed.
 * @param cert the certificate being processed
 */
protected void processSubjectCNKeyName(KeyInfo keyInfo, java.security.cert.X509Certificate cert) {
    if (options.emitSubjectCNAsKeyName) {
        for (String name : X509Util.getCommonNames(cert.getSubjectX500Principal())) {
            if (! DatatypeHelper.isEmpty(name)) {
                KeyInfoHelper.addKeyName(keyInfo, name);
            }
        }
    }
}
 

/**
 * Get a KeyInfo marshaller.
 * 
 * @return a KeyInfo marshaller
 * @throws SecurityException thrown if there is an error obtaining the marshaller from the configuration
 */
private Marshaller getMarshaller() throws SecurityException {
    if (keyInfoMarshaller != null) {
        return keyInfoMarshaller;
    }
    keyInfoMarshaller = Configuration.getMarshallerFactory().getMarshaller(KeyInfo.DEFAULT_ELEMENT_NAME);
    if (keyInfoMarshaller == null) {
        throw new SecurityException("Could not obtain KeyInfo marshaller from the configuration");
    }
    return keyInfoMarshaller;
}
 

/** {@inheritDoc} */
public KeyInfo generate(Credential credential) throws SecurityException {
    KeyInfo keyInfo = keyInfoBuilder.buildObject();
    
    processKeyNames(keyInfo, credential);
    processEntityID(keyInfo, credential);
    processPublicKey(keyInfo, credential);
    
    List<XMLObject> children = keyInfo.getOrderedChildren();
    if (children != null && children.size() > 0) {
        return keyInfo;
    } else {
        return null;
    }
}
 

/**
 * Add a new {@link KeyName} value to a KeyInfo.
 * 
 * @param keyInfo the KeyInfo to which to add the new value
 * @param keyNameValue the new key name value to add
 */
public static void addKeyName(KeyInfo keyInfo, String keyNameValue) {
    KeyName keyName = (KeyName) Configuration.getBuilderFactory()
        .getBuilder(KeyName.DEFAULT_ELEMENT_NAME)
        .buildObject(KeyName.DEFAULT_ELEMENT_NAME);
    keyName.setValue(keyNameValue);
    keyInfo.getKeyNames().add(keyName);
}
 

/** Process the values of {@link Credential#getKeyNames()}.
 * 
 * @param keyInfo the KeyInfo that is being built
 * @param credential the Credential that is geing processed
 */
protected void processKeyNames(KeyInfo keyInfo, Credential credential) {
    if (options.emitKeyNames) {
        for (String keyNameValue : credential.getKeyNames()) {
            if ( ! DatatypeHelper.isEmpty(keyNameValue)) {
                KeyInfoHelper.addKeyName(keyInfo, keyNameValue);
            }
        }
    }
}
 

/** Process the value of {@link Credential#getEntityId()}.
 * 
 * @param keyInfo the KeyInfo that is being built
 * @param credential the Credential that is geing processed
 */
protected void processEntityID(KeyInfo keyInfo, Credential credential) {
    if (options.emitEntityIDAsKeyName) {
        String keyNameValue = credential.getEntityId();
        if ( ! DatatypeHelper.isEmpty(keyNameValue)) {
            KeyInfoHelper.addKeyName(keyInfo, keyNameValue);
        }
    }
}
 

/** {@inheritDoc} */
public Signature unmarshall(Element signatureElement) throws UnmarshallingException {
    log.debug("Starting to unmarshall Apache XML-Security-based SignatureImpl element");

    SignatureImpl signature = new SignatureImpl(signatureElement.getNamespaceURI(),
            signatureElement.getLocalName(), signatureElement.getPrefix());

    try {
        log.debug("Constructing Apache XMLSignature object");

        XMLSignature xmlSignature = new XMLSignature(signatureElement, "");

        SignedInfo signedInfo = xmlSignature.getSignedInfo();

        log.debug("Adding canonicalization and signing algorithms, and HMAC output length to Signature");
        signature.setCanonicalizationAlgorithm(signedInfo.getCanonicalizationMethodURI());
        signature.setSignatureAlgorithm(signedInfo.getSignatureMethodURI());
        signature.setHMACOutputLength(getHMACOutputLengthValue(signedInfo.getSignatureMethodElement()));

        org.apache.xml.security.keys.KeyInfo xmlSecKeyInfo = xmlSignature.getKeyInfo();
        if (xmlSecKeyInfo != null) {
            log.debug("Adding KeyInfo to Signature");
            Unmarshaller unmarshaller = Configuration.getUnmarshallerFactory().getUnmarshaller(
                    xmlSecKeyInfo.getElement());
            KeyInfo keyInfo = (KeyInfo) unmarshaller.unmarshall(xmlSecKeyInfo.getElement());
            signature.setKeyInfo(keyInfo);
        }
        signature.setXMLSignature(xmlSignature);
        signature.setDOM(signatureElement);
        return signature;
    } catch (XMLSecurityException e) {
        log.error("Error constructing Apache XMLSignature instance from Signature element: {}", e.getMessage());
        throw new UnmarshallingException("Unable to unmarshall Signature with Apache XMLSignature", e);
    }
}
 

/** {@inheritDoc} */
protected void processChildElement(XMLObject parentSAMLObject, XMLObject childSAMLObject)
        throws UnmarshallingException {
    KeyDescriptor keyDescriptor = (KeyDescriptor) parentSAMLObject;

    if (childSAMLObject instanceof KeyInfo) {
        keyDescriptor.setKeyInfo((KeyInfo) childSAMLObject);
    } else if (childSAMLObject instanceof EncryptionMethod) {
        keyDescriptor.getEncryptionMethods().add((EncryptionMethod) childSAMLObject);
    } else {
        super.processChildElement(parentSAMLObject, childSAMLObject);
    }
}
 

/**
 * Constructor.
 * 
 */
public Encrypter() {
    UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory();
    encryptedDataUnmarshaller = unmarshallerFactory.getUnmarshaller(EncryptedData.DEFAULT_ELEMENT_NAME);
    encryptedKeyUnmarshaller = unmarshallerFactory.getUnmarshaller(EncryptedKey.DEFAULT_ELEMENT_NAME);

    XMLObjectBuilderFactory builderFactory = Configuration.getBuilderFactory();
    keyInfoBuilder = (XMLSignatureBuilder<KeyInfo>) builderFactory.getBuilder(KeyInfo.DEFAULT_ELEMENT_NAME);

    jcaProviderName = null;
}
 

/**
 * Encrypts the given XMLObject using the specified encryption key, algorithm URI and content mode flag.
 * EncryptedKeys, if any, are placed inline within the KeyInfo of the resulting EncryptedData.
 * 
 * @param xmlObject the XMLObject to be encrypted
 * @param encParams the encryption parameters to use
 * @param kekParamsList the key encryption parameters to use
 * @param encryptContentMode whether just the content of the XMLObject should be encrypted
 * 
 * @return the resulting EncryptedData object
 * @throws EncryptionException exception thrown on encryption errors
 */
private EncryptedData encryptElement(XMLObject xmlObject, EncryptionParameters encParams,
        List<KeyEncryptionParameters> kekParamsList, boolean encryptContentMode) throws EncryptionException {

    checkParams(encParams, kekParamsList);

    String encryptionAlgorithmURI = encParams.getAlgorithm();
    Key encryptionKey = SecurityHelper.extractEncryptionKey(encParams.getEncryptionCredential());
    if (encryptionKey == null) {
        encryptionKey = generateEncryptionKey(encryptionAlgorithmURI);
    }

    EncryptedData encryptedData = encryptElement(xmlObject, encryptionKey, encryptionAlgorithmURI,
            encryptContentMode);
    Document ownerDocument = encryptedData.getDOM().getOwnerDocument();

    if (encParams.getKeyInfoGenerator() != null) {
        KeyInfoGenerator generator = encParams.getKeyInfoGenerator();
        log.debug("Dynamically generating KeyInfo from Credential for EncryptedData using generator: {}",
                generator.getClass().getName());
        try {
            encryptedData.setKeyInfo(generator.generate(encParams.getEncryptionCredential()));
        } catch (SecurityException e) {
            log.error("Error during EncryptedData KeyInfo generation", e);
            throw new EncryptionException("Error during EncryptedData KeyInfo generation", e);
        }
    }

    for (KeyEncryptionParameters kekParams : kekParamsList) {
        EncryptedKey encryptedKey = encryptKey(encryptionKey, kekParams, ownerDocument);
        if (encryptedData.getKeyInfo() == null) {
            KeyInfo keyInfo = keyInfoBuilder.buildObject();
            encryptedData.setKeyInfo(keyInfo);
        }
        encryptedData.getKeyInfo().getEncryptedKeys().add(encryptedKey);
    }

    return encryptedData;
}
 

/** {@inheritDoc} */
protected void processChildElement(XMLObject parentSAMLObject, XMLObject childSAMLObject)
        throws UnmarshallingException {

    SubjectConfirmation subjectConfirmation = (SubjectConfirmation) parentSAMLObject;

    if (childSAMLObject instanceof ConfirmationMethod) {
        subjectConfirmation.getConfirmationMethods().add((ConfirmationMethod) childSAMLObject);
    } else if(childSAMLObject instanceof KeyInfo) {
        subjectConfirmation.setKeyInfo((KeyInfo)childSAMLObject);
    } else {
        subjectConfirmation.setSubjectConfirmationData(childSAMLObject);
    }
}
 

/** {@inheritDoc} */
protected void processChildElement(XMLObject parentObject, XMLObject childObject) throws UnmarshallingException {
    SessionKey key = (SessionKey) parentObject;

    if (childObject instanceof EncType) {
        key.getEncTypes().add((EncType) childObject);
    } else if (childObject instanceof KeyInfo) {
        key.setKeyInfo((KeyInfo) childObject);
    } else {
        super.processChildElement(parentObject, childObject);
    }
}