package org.apereo.cas.support.saml.web.idp.profile.builders.enc;

import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import lombok.Generated;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.ResolverException;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.configuration.model.support.saml.idp.SamlIdPAlgorithmsProperties;
import org.apereo.cas.configuration.model.support.saml.idp.SamlIdPProperties;
import org.apereo.cas.support.saml.SamlException;
import org.apereo.cas.support.saml.SamlIdPUtils;
import org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataCredentialResolver;
import org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataLocator;
import org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPSamlRegisteredServiceCriterion;
import org.apereo.cas.support.saml.services.SamlRegisteredService;
import org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.EncodingUtils;
import org.apereo.cas.util.crypto.DecryptionException;
import org.apereo.cas.util.crypto.PrivateKeyFactoryBean;
import org.apereo.cas.util.function.FunctionUtils;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.saml.criterion.EntityRoleCriterion;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Attribute;
import org.opensaml.saml.saml2.core.EncryptedAssertion;
import org.opensaml.saml.saml2.core.EncryptedAttribute;
import org.opensaml.saml.saml2.core.EncryptedID;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.encryption.Decrypter;
import org.opensaml.saml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver;
import org.opensaml.saml.saml2.encryption.Encrypter;
import org.opensaml.saml.saml2.metadata.SPSSODescriptor;
import org.opensaml.security.credential.BasicCredential;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.xmlsec.AlgorithmPolicyConfiguration;
import org.opensaml.xmlsec.DecryptionParameters;
import org.opensaml.xmlsec.EncryptionParameters;
import org.opensaml.xmlsec.config.impl.DefaultSecurityConfigurationBootstrap;
import org.opensaml.xmlsec.criterion.DecryptionConfigurationCriterion;
import org.opensaml.xmlsec.criterion.EncryptionConfigurationCriterion;
import org.opensaml.xmlsec.criterion.EncryptionOptionalCriterion;
import org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver;
import org.opensaml.xmlsec.encryption.support.DataEncryptionParameters;
import org.opensaml.xmlsec.encryption.support.InlineEncryptedKeyResolver;
import org.opensaml.xmlsec.encryption.support.KeyEncryptionParameters;
import org.opensaml.xmlsec.encryption.support.SimpleRetrievalMethodEncryptedKeyResolver;
import org.opensaml.xmlsec.impl.BasicDecryptionConfiguration;
import org.opensaml.xmlsec.impl.BasicDecryptionParametersResolver;
import org.opensaml.xmlsec.impl.BasicEncryptionConfiguration;
import org.opensaml.xmlsec.impl.BasicEncryptionParametersResolver;
import org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.provider.DEREncodedKeyValueProvider;
import org.opensaml.xmlsec.keyinfo.impl.provider.DSAKeyValueProvider;
import org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider;
import org.opensaml.xmlsec.keyinfo.impl.provider.KeyInfoReferenceProvider;
import org.opensaml.xmlsec.keyinfo.impl.provider.RSAKeyValueProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.io.Resource;

/* loaded from: input_file:WEB-INF/lib/cas-server-support-saml-idp-web-6.6.15.jar:org/apereo/cas/support/saml/web/idp/profile/builders/enc/SamlIdPObjectEncrypter.class */
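/**
 * Encrypts SAML assertions, name identifiers and attributes for a registered SAML
 * service provider, and decrypts {@link EncryptedID} elements.
 *
 * <p>Algorithm selection starts from the OpenSAML defaults and is then overridden by the
 * per-service settings on {@link SamlRegisteredService}, falling back to the global
 * {@link SamlIdPAlgorithmsProperties} when the service defines none.
 *
 * <p><strong>Security contract:</strong> when {@code isEncryptionOptional()} is {@code true}
 * for the service, every failure on the encryption path (unresolvable key, rejected
 * algorithm, invalid precedence value, ...) makes {@code encode(...)} return {@code null}
 * instead of throwing. Callers must treat {@code null} as "nothing was encrypted" and decide
 * explicitly whether releasing the plain object is acceptable for that relying party.
 */
public class SamlIdPObjectEncrypter {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(SamlIdPObjectEncrypter.class);

    static {
        // Registered once per class load. Security.addProvider leaves the provider list
        // unchanged when a provider of the same name is already installed.
        Security.addProvider(new BouncyCastleProvider());
    }

    private final SamlIdPProperties samlIdPProperties;
    private final SamlIdPMetadataLocator samlIdPMetadataLocator;

    /**
     * Creates the encrypter.
     *
     * @param samlIdPProperties      global SAML IdP settings (algorithm overrides, metadata validation flag)
     * @param samlIdPMetadataLocator locator used to resolve the private key resource used for decryption
     */
    @Generated
    public SamlIdPObjectEncrypter(SamlIdPProperties samlIdPProperties, SamlIdPMetadataLocator samlIdPMetadataLocator) {
        this.samlIdPProperties = samlIdPProperties;
        this.samlIdPMetadataLocator = samlIdPMetadataLocator;
    }

    /**
     * Decides what an encryption failure means for the given service: a hard error when
     * encryption is mandatory, a logged skip when it is optional.
     *
     * <p>The triggering exception is attached as the cause / logged so that a silent
     * downgrade to "no encryption" can be diagnosed and alerted on.
     *
     * @param samlRegisteredService                             service whose {@code isEncryptionOptional()} flag is consulted
     * @param samlRegisteredServiceServiceProviderMetadataFacade facade supplying the entity id for messages
     * @param cause                                             the exception raised while building or running the encrypter
     * @throws SamlException when encryption is not optional for the service
     */
    private static void handleEncryptionFailure(SamlRegisteredService samlRegisteredService, SamlRegisteredServiceServiceProviderMetadataFacade samlRegisteredServiceServiceProviderMetadataFacade, Exception cause) {
        String entityId = samlRegisteredServiceServiceProviderMetadataFacade.getEntityId();
        if (!samlRegisteredService.isEncryptionOptional()) {
            throw new SamlException("Unable to encrypt assertion for " + entityId, cause);
        }
        // WARN rather than DEBUG: the object leaves this class unencrypted because of an error,
        // which operators should be able to see without enabling debug logging.
        LOGGER.warn("Encryption failed for [{}] and encryption is optional; no encrypted object is produced: [{}]", entityId, cause.getMessage());
        LOGGER.debug("Skipping to encrypt; No encrypter can be determined and encryption is optional for [{}]", entityId, cause);
    }

    /**
     * Encrypts an assertion for the service provider.
     *
     * @param assertion                                         the assertion to encrypt
     * @param samlRegisteredService                             the registered service definition
     * @param samlRegisteredServiceServiceProviderMetadataFacade the service provider metadata facade
     * @return the encrypted assertion, or {@code null} when no encrypter is available or
     *         encryption failed and is optional for the service
     * @throws SamlException when encryption fails and is mandatory for the service
     */
    public EncryptedAssertion encode(Assertion assertion, SamlRegisteredService samlRegisteredService, SamlRegisteredServiceServiceProviderMetadataFacade samlRegisteredServiceServiceProviderMetadataFacade) {
        try {
            Encrypter encrypter = buildEncrypterForSamlObject(assertion, samlRegisteredService, samlRegisteredServiceServiceProviderMetadataFacade);
            return encrypter == null ? null : encrypter.encrypt(assertion);
        } catch (Exception e) {
            handleEncryptionFailure(samlRegisteredService, samlRegisteredServiceServiceProviderMetadataFacade, e);
            return null;
        }
    }

    /**
     * Encrypts a name identifier for the service provider.
     *
     * @param nameID                                            the name identifier to encrypt
     * @param samlRegisteredService                             the registered service definition
     * @param samlRegisteredServiceServiceProviderMetadataFacade the service provider metadata facade
     * @return the encrypted id, or {@code null} when no encrypter is available or
     *         encryption failed and is optional for the service
     * @throws SamlException when encryption fails and is mandatory for the service
     */
    public EncryptedID encode(NameID nameID, SamlRegisteredService samlRegisteredService, SamlRegisteredServiceServiceProviderMetadataFacade samlRegisteredServiceServiceProviderMetadataFacade) {
        try {
            Encrypter encrypter = buildEncrypterForSamlObject(nameID, samlRegisteredService, samlRegisteredServiceServiceProviderMetadataFacade);
            return encrypter == null ? null : encrypter.encrypt(nameID);
        } catch (Exception e) {
            handleEncryptionFailure(samlRegisteredService, samlRegisteredServiceServiceProviderMetadataFacade, e);
            return null;
        }
    }

    /**
     * Encrypts an attribute for the service provider.
     *
     * @param attribute                                         the attribute to encrypt
     * @param samlRegisteredService                             the registered service definition
     * @param samlRegisteredServiceServiceProviderMetadataFacade the service provider metadata facade
     * @return the encrypted attribute, or {@code null} when no encrypter is available or
     *         encryption failed and is optional for the service
     * @throws SamlException when encryption fails and is mandatory for the service
     */
    public EncryptedAttribute encode(Attribute attribute, SamlRegisteredService samlRegisteredService, SamlRegisteredServiceServiceProviderMetadataFacade samlRegisteredServiceServiceProviderMetadataFacade) {
        try {
            Encrypter encrypter = buildEncrypterForSamlObject(attribute, samlRegisteredService, samlRegisteredServiceServiceProviderMetadataFacade);
            return encrypter == null ? null : encrypter.encrypt(attribute);
        } catch (Exception e) {
            handleEncryptionFailure(samlRegisteredService, samlRegisteredServiceServiceProviderMetadataFacade, e);
            return null;
        }
    }

    /**
     * Decrypts an encrypted name identifier.
     *
     * <p>Unlike {@code encode(...)}, this path never degrades silently: every failure,
     * including a decrypted payload that is not a {@link NameID}, surfaces as a
     * {@link DecryptionException}.
     *
     * @param encryptedID                                       the encrypted id (presumably taken from a
     *                                                          request sent by the service provider - confirm
     *                                                          against callers)
     * @param samlRegisteredService                             the registered service definition
     * @param samlRegisteredServiceServiceProviderMetadataFacade the service provider metadata facade
     * @return the decrypted name identifier
     * @throws DecryptionException wrapping any failure raised while configuring or running the decrypter
     */
    public NameID decode(EncryptedID encryptedID, SamlRegisteredService samlRegisteredService, SamlRegisteredServiceServiceProviderMetadataFacade samlRegisteredServiceServiceProviderMetadataFacade) {
        try {
            // The BouncyCastle provider is installed by the static initializer, so it is not
            // re-registered on every call.
            BasicDecryptionConfiguration decryptionConfiguration = configureDecryptionSecurityConfiguration(samlRegisteredService);
            configureKeyDecryptionCredential(samlRegisteredServiceServiceProviderMetadataFacade.getEntityId(),
                samlRegisteredServiceServiceProviderMetadataFacade, samlRegisteredService, decryptionConfiguration);
            DecryptionParameters decryptionParameters = resolveDecryptionParameters(samlRegisteredService, decryptionConfiguration);
            Decrypter decrypter = getDecrypter(encryptedID, samlRegisteredService,
                samlRegisteredServiceServiceProviderMetadataFacade, decryptionParameters);
            return (NameID) decrypter.decrypt(encryptedID);
        } catch (Exception e) {
            throw new DecryptionException(e);
        }
    }

    /**
     * Builds an {@link Encrypter} for the given SAML object: computes the encryption
     * configuration, resolves the peer's key-transport credential, then derives the key and
     * data encryption parameters.
     *
     * @param obj                                               the SAML object about to be encrypted
     * @param samlRegisteredService                             the registered service definition
     * @param samlRegisteredServiceServiceProviderMetadataFacade the service provider metadata facade
     * @return the configured encrypter
     */
    protected Encrypter buildEncrypterForSamlObject(Object obj, SamlRegisteredService samlRegisteredService, SamlRegisteredServiceServiceProviderMetadataFacade samlRegisteredServiceServiceProviderMetadataFacade) {
        String entityId = samlRegisteredServiceServiceProviderMetadataFacade.getEntityId();
        String serviceName = samlRegisteredService.getName();

        LOGGER.trace("Calculating encryption security configuration for [{}] based on service [{}]", entityId, serviceName);
        BasicEncryptionConfiguration encryptionConfiguration = configureEncryptionSecurityConfiguration(samlRegisteredService);

        // configureKeyEncryptionCredential declares "throws Exception"; it is run through
        // FunctionUtils.doUnchecked so this method needs no throws clause.
        FunctionUtils.doUnchecked(unused -> {
            LOGGER.trace("Fetching key encryption credential for [{}] based on service [{}]", entityId, serviceName);
            configureKeyEncryptionCredential(entityId, samlRegisteredServiceServiceProviderMetadataFacade, samlRegisteredService, encryptionConfiguration);
        });

        LOGGER.trace("Fetching key encryption parameters for [{}] based on service [{}]", entityId, serviceName);
        KeyEncryptionParameters keyParameters = getKeyEncryptionParameters(obj, samlRegisteredService,
            samlRegisteredServiceServiceProviderMetadataFacade, encryptionConfiguration);
        if (keyParameters != null) {
            LOGGER.trace("Key encryption algorithm for [{}] is [{}]", keyParameters.getRecipient(), keyParameters.getAlgorithm());
        }

        LOGGER.trace("Fetching data encryption parameters for [{}] based on service [{}]", entityId, serviceName);
        DataEncryptionParameters dataParameters = getDataEncryptionParameters(obj, samlRegisteredService,
            samlRegisteredServiceServiceProviderMetadataFacade, encryptionConfiguration);
        if (dataParameters != null) {
            LOGGER.trace("Data encryption algorithm for [{}] is [{}]", entityId, dataParameters.getAlgorithm());
        }

        LOGGER.trace("Building encrypter component for [{}]", entityId);
        return getEncrypter(obj, samlRegisteredService, samlRegisteredServiceServiceProviderMetadataFacade, keyParameters, dataParameters);
    }

    /**
     * Creates the encrypter from already-resolved parameters, with the encrypted key placed
     * as a peer of the encrypted data ({@link Encrypter.KeyPlacement#PEER}).
     *
     * @param obj                                               the SAML object about to be encrypted (used for logging only)
     * @param samlRegisteredService                             the registered service definition
     * @param samlRegisteredServiceServiceProviderMetadataFacade the service provider metadata facade
     * @param keyEncryptionParameters                           key-transport parameters, possibly {@code null}
     * @param dataEncryptionParameters                          data encryption parameters, possibly {@code null}
     * @return the encrypter
     */
    protected Encrypter getEncrypter(Object obj, SamlRegisteredService samlRegisteredService, SamlRegisteredServiceServiceProviderMetadataFacade samlRegisteredServiceServiceProviderMetadataFacade, KeyEncryptionParameters keyEncryptionParameters, DataEncryptionParameters dataEncryptionParameters) {
        String entityId = samlRegisteredServiceServiceProviderMetadataFacade.getEntityId();
        String objectType = obj.getClass().getName();
        Encrypter encrypter = new Encrypter(dataEncryptionParameters, keyEncryptionParameters);
        encrypter.setKeyPlacement(Encrypter.KeyPlacement.PEER);
        LOGGER.debug("Attempting to encrypt [{}] for [{}] with key placement of [{}]", objectType, entityId, encrypter.getKeyPlacement());
        return encrypter;
    }

    /**
     * Resolves the data encryption parameters from the encryption configuration.
     *
     * @param obj                                               the SAML object about to be encrypted (unused here)
     * @param samlRegisteredService                             the registered service definition
     * @param samlRegisteredServiceServiceProviderMetadataFacade the service provider metadata facade (unused here)
     * @param basicEncryptionConfiguration                      the encryption configuration to resolve against
     * @return the data encryption parameters, or {@code null} when none could be resolved
     * @throws SamlException wrapping any resolution failure
     */
    protected DataEncryptionParameters getDataEncryptionParameters(Object obj, SamlRegisteredService samlRegisteredService, SamlRegisteredServiceServiceProviderMetadataFacade samlRegisteredServiceServiceProviderMetadataFacade, BasicEncryptionConfiguration basicEncryptionConfiguration) {
        try {
            EncryptionParameters resolved = resolveEncryptionParameters(samlRegisteredService, basicEncryptionConfiguration);
            if (resolved == null) {
                LOGGER.debug("No data encryption parameters could be determined");
                return null;
            }
            return new DataEncryptionParameters(resolved);
        } catch (Exception e) {
            throw new SamlException(e.getMessage(), e);
        }
    }

    /**
     * Resolves the key-transport encryption parameters, addressed to the service provider's entity id.
     *
     * @param obj                                               the SAML object about to be encrypted (unused here)
     * @param samlRegisteredService                             the registered service definition
     * @param samlRegisteredServiceServiceProviderMetadataFacade facade supplying the recipient entity id
     * @param basicEncryptionConfiguration                      the encryption configuration to resolve against
     * @return the key encryption parameters, or {@code null} when none could be resolved
     * @throws IllegalArgumentException wrapping any resolution failure; note this differs from
     *                                  {@code getDataEncryptionParameters}, which throws {@link SamlException},
     *                                  and is kept for compatibility with existing callers
     */
    protected KeyEncryptionParameters getKeyEncryptionParameters(Object obj, SamlRegisteredService samlRegisteredService, SamlRegisteredServiceServiceProviderMetadataFacade samlRegisteredServiceServiceProviderMetadataFacade, BasicEncryptionConfiguration basicEncryptionConfiguration) {
        try {
            EncryptionParameters resolved = resolveEncryptionParameters(samlRegisteredService, basicEncryptionConfiguration);
            if (resolved == null) {
                LOGGER.debug("No key encryption parameters could be determined");
                return null;
            }
            return new KeyEncryptionParameters(resolved, samlRegisteredServiceServiceProviderMetadataFacade.getEntityId());
        } catch (Exception e) {
            throw new IllegalArgumentException(e);
        }
    }

    /**
     * Resolves the service provider's encryption credential from its metadata and installs
     * it as the key-transport credential on the given configuration.
     *
     * @param str                                               the service provider entity id
     * @param samlRegisteredServiceServiceProviderMetadataFacade the service provider metadata facade
     * @param samlRegisteredService                             the registered service definition
     * @param basicEncryptionConfiguration                      configuration that receives the credential
     * @return the resolved credential, or {@code null} when none carries a public key and
     *         encryption is optional for the service
     * @throws SamlException when no usable credential exists and encryption is mandatory
     * @throws Exception     when the credential resolver cannot be initialized or queried
     */
    protected Credential configureKeyEncryptionCredential(String str, SamlRegisteredServiceServiceProviderMetadataFacade samlRegisteredServiceServiceProviderMetadataFacade, SamlRegisteredService samlRegisteredService, BasicEncryptionConfiguration basicEncryptionConfiguration) throws Exception {
        SamlIdPMetadataCredentialResolver credentialResolver = newMetadataCredentialResolver(samlRegisteredServiceServiceProviderMetadataFacade);

        CriteriaSet criteria = new CriteriaSet();
        criteria.add(new EncryptionConfigurationCriterion(basicEncryptionConfiguration));
        criteria.add(new EntityIdCriterion(str));
        criteria.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
        criteria.add(new UsageCriterion(UsageType.ENCRYPTION));
        criteria.add(new SamlIdPSamlRegisteredServiceCriterion(samlRegisteredService));

        LOGGER.debug("Attempting to resolve the encryption key for entity id [{}]", str);
        Credential credential = credentialResolver.resolveSingle(criteria);
        if (credential != null && credential.getPublicKey() != null) {
            // Only the peer's public key is logged here; it is not secret material.
            LOGGER.debug("Found encryption public key: [{}]", EncodingUtils.encodeBase64(credential.getPublicKey().getEncoded()));
            basicEncryptionConfiguration.setKeyTransportEncryptionCredentials(CollectionUtils.wrapList(credential));
            return credential;
        }
        if (!samlRegisteredService.isEncryptionOptional()) {
            throw new SamlException("Unable to resolve the encryption [public] key for entity id " + str);
        }
        LOGGER.warn("Unable to resolve the encryption [public] key for entity id [{}]", str);
        return null;
    }

    /**
     * Resolves encryption parameters for the configuration, passing the service's
     * "encryption optional" flag through to the resolver.
     *
     * @param samlRegisteredService        the registered service definition
     * @param basicEncryptionConfiguration the encryption configuration to resolve against
     * @return the resolved parameters, possibly {@code null}
     * @throws ResolverException when the resolver fails
     */
    protected EncryptionParameters resolveEncryptionParameters(SamlRegisteredService samlRegisteredService, BasicEncryptionConfiguration basicEncryptionConfiguration) throws ResolverException {
        CriteriaSet criteria = new CriteriaSet();
        criteria.add(new EncryptionConfigurationCriterion(basicEncryptionConfiguration));
        criteria.add(new EncryptionOptionalCriterion(samlRegisteredService.isEncryptionOptional()));
        return new BasicEncryptionParametersResolver().resolveSingle(criteria);
    }

    /**
     * Builds the encryption configuration: OpenSAML defaults, overridden by the service's
     * data/key/blocked/allowed algorithm lists, or by the global overrides when the service
     * list is empty. An empty or {@code null} override leaves the default untouched.
     *
     * @param samlRegisteredService the registered service definition
     * @return the finalized encryption configuration
     * @throws IllegalArgumentException when the service's precedence value names no
     *                                  {@link AlgorithmPolicyConfiguration.Precedence} constant
     */
    protected BasicEncryptionConfiguration configureEncryptionSecurityConfiguration(SamlRegisteredService samlRegisteredService) {
        BasicEncryptionConfiguration config = DefaultSecurityConfigurationBootstrap.buildDefaultEncryptionConfiguration();
        LOGGER.trace("Default encryption blocked algorithms: [{}]", config.getExcludedAlgorithms());
        LOGGER.trace("Default encryption key algorithms: [{}]", config.getKeyTransportEncryptionAlgorithms());
        LOGGER.trace("Default encryption data algorithms: [{}]", config.getDataEncryptionAlgorithms());
        LOGGER.trace("Default encryption allowed algorithms: [{}]", config.getIncludedAlgorithms());

        SamlIdPAlgorithmsProperties algs = this.samlIdPProperties.getAlgs();

        List<String> dataAlgorithms = serviceOrGlobal(samlRegisteredService.getEncryptionDataAlgorithms(), algs.getOverrideDataEncryptionAlgorithms());
        if (hasEntries(dataAlgorithms)) {
            config.setDataEncryptionAlgorithms(dataAlgorithms);
        }
        List<String> keyAlgorithms = serviceOrGlobal(samlRegisteredService.getEncryptionKeyAlgorithms(), algs.getOverrideKeyEncryptionAlgorithms());
        if (hasEntries(keyAlgorithms)) {
            config.setKeyTransportEncryptionAlgorithms(keyAlgorithms);
        }
        List<String> blockedAlgorithms = serviceOrGlobal(samlRegisteredService.getEncryptionBlackListedAlgorithms(), algs.getOverrideBlockedEncryptionAlgorithms());
        if (hasEntries(blockedAlgorithms)) {
            // Replaces (does not extend) the default exclusion list.
            config.setExcludedAlgorithms(blockedAlgorithms);
        }
        List<String> allowedAlgorithms = serviceOrGlobal(samlRegisteredService.getEncryptionWhiteListedAlgorithms(), algs.getOverrideAllowedAlgorithms());
        if (hasEntries(allowedAlgorithms)) {
            config.setIncludedAlgorithms(allowedAlgorithms);
        }

        LOGGER.trace("Finalized encryption blocked algorithms: [{}]", config.getExcludedAlgorithms());
        LOGGER.trace("Finalized encryption key algorithms: [{}]", config.getKeyTransportEncryptionAlgorithms());
        LOGGER.trace("Finalized encryption data algorithms: [{}]", config.getDataEncryptionAlgorithms());
        LOGGER.trace("Finalized encryption allowed algorithms: [{}]", config.getIncludedAlgorithms());

        if (StringUtils.isNotBlank(samlRegisteredService.getWhiteListBlackListPrecedence())) {
            config.setIncludeExcludePrecedence(parsePrecedence(samlRegisteredService.getWhiteListBlackListPrecedence()));
        }
        return config;
    }

    /**
     * Creates the decrypter; the decrypted element is rooted in a new document.
     *
     * @param obj                                               the encrypted object (unused here)
     * @param samlRegisteredService                             the registered service definition (unused here)
     * @param samlRegisteredServiceServiceProviderMetadataFacade the service provider metadata facade (unused here)
     * @param decryptionParameters                              the resolved decryption parameters
     * @return the decrypter
     */
    protected Decrypter getDecrypter(Object obj, SamlRegisteredService samlRegisteredService, SamlRegisteredServiceServiceProviderMetadataFacade samlRegisteredServiceServiceProviderMetadataFacade, DecryptionParameters decryptionParameters) {
        Decrypter decrypter = new Decrypter(decryptionParameters);
        decrypter.setRootInNewDocument(true);
        return decrypter;
    }

    /**
     * Installs the key-encryption-key credential and the encrypted-key resolver chain on the
     * decryption configuration. The credential pairs the public key resolved from metadata
     * with the private key loaded from the resource returned by the metadata locator.
     *
     * <p>The private key is held only in the credential handed to the configuration and is
     * never logged; keep it that way when changing this method.
     *
     * @param str                                               the service provider entity id
     * @param samlRegisteredServiceServiceProviderMetadataFacade the service provider metadata facade
     * @param samlRegisteredService                             the registered service definition
     * @param basicDecryptionConfiguration                      configuration that receives the credential and resolvers
     * @return the credential resolved from metadata
     * @throws NullPointerException when no credential, public key or private key can be obtained
     * @throws Exception            when the credential resolver or the private key factory fails
     */
    @SuppressWarnings({"rawtypes", "unchecked"})
    protected Credential configureKeyDecryptionCredential(String str, SamlRegisteredServiceServiceProviderMetadataFacade samlRegisteredServiceServiceProviderMetadataFacade, SamlRegisteredService samlRegisteredService, BasicDecryptionConfiguration basicDecryptionConfiguration) throws Exception {
        SamlIdPMetadataCredentialResolver credentialResolver = newMetadataCredentialResolver(samlRegisteredServiceServiceProviderMetadataFacade);

        CriteriaSet criteria = new CriteriaSet();
        criteria.add(new DecryptionConfigurationCriterion(basicDecryptionConfiguration));
        criteria.add(new EntityIdCriterion(str));
        criteria.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
        criteria.add(new UsageCriterion(UsageType.ENCRYPTION));
        criteria.add(new SamlIdPSamlRegisteredServiceCriterion(samlRegisteredService));

        LOGGER.debug("Attempting to resolve the decryption key for entity id [{}]", str);
        Credential credential = Objects.requireNonNull(credentialResolver.resolveSingle(criteria),
            "No decryption credential could be resolved from metadata");

        Resource privateKeyResource = this.samlIdPMetadataLocator.resolveEncryptionKey(Optional.ofNullable(samlRegisteredService));
        PrivateKeyFactoryBean privateKeyFactory = new PrivateKeyFactoryBean();
        privateKeyFactory.setSingleton(false);
        privateKeyFactory.setLocation(privateKeyResource);

        PublicKey publicKey = Objects.requireNonNull(credential.getPublicKey(),
            "Resolved decryption credential has no public key");
        // NOTE(review): getObject2() looks like a decompiler rename of the factory bean's
        // accessor - confirm the real method name against the library source.
        PrivateKey privateKey = (PrivateKey) Objects.requireNonNull(privateKeyFactory.getObject2(),
            "Private key for decryption could not be loaded");
        basicDecryptionConfiguration.setKEKKeyInfoCredentialResolver(
            new StaticKeyInfoCredentialResolver(new BasicCredential(publicKey, privateKey)));

        // Raw list: the resolver element type is not imported in this (decompiled) file.
        List encryptedKeyResolvers = new ArrayList(3);
        encryptedKeyResolvers.add(new InlineEncryptedKeyResolver());
        encryptedKeyResolvers.add(new EncryptedElementTypeEncryptedKeyResolver());
        encryptedKeyResolvers.add(new SimpleRetrievalMethodEncryptedKeyResolver());
        basicDecryptionConfiguration.setEncryptedKeyResolver(new ChainingEncryptedKeyResolver(encryptedKeyResolvers));
        return credential;
    }

    /**
     * Builds the decryption configuration: OpenSAML defaults, with the blocked/allowed
     * algorithm lists overridden by the service's values, or by the global overrides when
     * the service list is empty.
     *
     * @param samlRegisteredService the registered service definition
     * @return the finalized decryption configuration
     * @throws IllegalArgumentException when the service's precedence value names no
     *                                  {@link AlgorithmPolicyConfiguration.Precedence} constant
     */
    protected BasicDecryptionConfiguration configureDecryptionSecurityConfiguration(SamlRegisteredService samlRegisteredService) {
        BasicDecryptionConfiguration config = DefaultSecurityConfigurationBootstrap.buildDefaultDecryptionConfiguration();
        LOGGER.trace("Default decryption blocked algorithms: [{}]", config.getExcludedAlgorithms());
        LOGGER.trace("Default decryption allowed algorithms: [{}]", config.getIncludedAlgorithms());

        SamlIdPAlgorithmsProperties algs = this.samlIdPProperties.getAlgs();

        List<String> blockedAlgorithms = serviceOrGlobal(samlRegisteredService.getEncryptionBlackListedAlgorithms(), algs.getOverrideBlockedEncryptionAlgorithms());
        if (hasEntries(blockedAlgorithms)) {
            // Replaces (does not extend) the default exclusion list.
            config.setExcludedAlgorithms(blockedAlgorithms);
        }
        List<String> allowedAlgorithms = serviceOrGlobal(samlRegisteredService.getEncryptionWhiteListedAlgorithms(), algs.getOverrideAllowedAlgorithms());
        if (hasEntries(allowedAlgorithms)) {
            config.setIncludedAlgorithms(allowedAlgorithms);
        }

        LOGGER.trace("Finalized decryption blocked algorithms: [{}]", config.getExcludedAlgorithms());
        LOGGER.trace("Finalized decryption allowed algorithms: [{}]", config.getIncludedAlgorithms());

        if (StringUtils.isNotBlank(samlRegisteredService.getWhiteListBlackListPrecedence())) {
            config.setIncludeExcludePrecedence(parsePrecedence(samlRegisteredService.getWhiteListBlackListPrecedence()));
        }
        return config;
    }

    /**
     * Resolves decryption parameters for the configuration.
     *
     * @param samlRegisteredService        the registered service definition (unused here)
     * @param basicDecryptionConfiguration the decryption configuration to resolve against
     * @return the resolved parameters
     * @throws ResolverException when the resolver fails
     */
    protected DecryptionParameters resolveDecryptionParameters(SamlRegisteredService samlRegisteredService, BasicDecryptionConfiguration basicDecryptionConfiguration) throws ResolverException {
        CriteriaSet criteria = new CriteriaSet();
        criteria.add(new DecryptionConfigurationCriterion(basicDecryptionConfiguration));
        return new BasicDecryptionParametersResolver().resolveSingle(criteria);
    }

    /**
     * Creates and initializes the metadata credential resolver shared by the encryption and
     * decryption paths, bound to the service provider's role descriptors.
     */
    @SuppressWarnings({"rawtypes", "unchecked"})
    private SamlIdPMetadataCredentialResolver newMetadataCredentialResolver(SamlRegisteredServiceServiceProviderMetadataFacade facade) throws Exception {
        SamlIdPMetadataCredentialResolver resolver = new SamlIdPMetadataCredentialResolver();
        // Raw list: the provider element type is not imported in this (decompiled) file.
        List keyInfoProviders = new ArrayList(5);
        keyInfoProviders.add(new RSAKeyValueProvider());
        keyInfoProviders.add(new DSAKeyValueProvider());
        keyInfoProviders.add(new InlineX509DataProvider());
        keyInfoProviders.add(new DEREncodedKeyValueProvider());
        keyInfoProviders.add(new KeyInfoReferenceProvider());
        resolver.setKeyInfoCredentialResolver(new BasicProviderKeyInfoCredentialResolver(keyInfoProviders));
        resolver.setRoleDescriptorResolver(SamlIdPUtils.getRoleDescriptorResolver(facade,
            this.samlIdPProperties.getMetadata().getCore().isRequireValidMetadata()));
        resolver.initialize();
        return resolver;
    }

    /** Returns the per-service list unless it is empty, in which case the global override is used. */
    private static List<String> serviceOrGlobal(List<String> serviceValue, List<String> globalValue) {
        return serviceValue.isEmpty() ? globalValue : serviceValue;
    }

    /** Tells whether an override list actually carries values. */
    private static boolean hasEntries(List<String> values) {
        return values != null && !values.isEmpty();
    }

    /**
     * Maps the configured precedence name to its enum constant. Upper-casing uses the root
     * locale so the result does not depend on the JVM default locale (for example the
     * dotted capital I produced for "i" under a Turkish locale).
     */
    private static AlgorithmPolicyConfiguration.Precedence parsePrecedence(String configuredValue) {
        return AlgorithmPolicyConfiguration.Precedence.valueOf(configuredValue.trim().toUpperCase(java.util.Locale.ROOT));
    }
}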
