What is the recommended way to implement a KeyResolver for an EncryptedKey where the KEK is a PublicKey?
At first I thought I could write a Resolver for the KEK PrivateKey and let the EncryptedKeyResolver call it. Unfortunately, the KeyResolverSpi API can return a SecretKey but there is no provision to return a PrivateKey. Can we augment the KeyResolverSpi with a new method engineLookupAndResolvePrivateKey()? This method would be called by the EncryptedKeyResolver when it detects the KeyWrap algorithm rsa-1_5 or rsa-oaep-mgf1p. This change looks possible since KeyResolverSpi is a class, not an interface.

In the meantime, I tried to replace the EncryptedKeyResolver with my own implementation. Again, I've hit a problem because I need the symmetric key algorithm. Normally this is passed to the constructor of a temporary EncryptedKeyResolver in the method XMLCipher.decryptToByteArray():

    ki.registerInternalKeyResolver(
        new EncryptedKeyResolver(
            encryptedData.getEncryptionMethod().getAlgorithm(), _kek));

As you can see, the constructor is called directly. If you don't like my idea of a PrivateKey resolver, can we at least move that constructor call to a new protected method on XMLCipher so we could override it in a subclass?
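For readers following the thread, here is the key-transport step that a PrivateKey-aware resolver would have to perform, written out as an added, self-contained JCE example. It is not code from the Apache XML Security project and does not use its KeyResolverSpi or XMLCipher classes; it only shows why the resolver needs both the KeyWrap algorithm URI (to pick the RSA transformation) and the EncryptedData algorithm URI (to name the unwrapped key's algorithm, the "symmetric key algorithm" mentioned above). The URI-to-JCE mappings and the helper names unwrapContentKey and wrapContentKey are assumptions made for this example.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.util.Arrays;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/**
 * Added example (not Apache XML Security code): unwrap an EncryptedKey's
 * content-encryption key (CEK) with an RSA private-key KEK, driven by the
 * two XML Encryption algorithm URIs a resolver sees.
 */
public class KekUnwrapExample {

    // XML Encryption KeyWrap algorithm URIs named in the question.
    static final String RSA_1_5 = "http://www.w3.org/2001/04/xmlenc#rsa-1_5";
    static final String RSA_OAEP_MGF1P = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p";

    // KeyWrap URI -> JCE transformation. Mapping assumed for this example.
    // rsa-1_5 (PKCS#1 v1.5 key transport) is included because the question
    // names it; OAEP is the variant to prefer when you control the producer.
    static final Map<String, String> WRAP_TRANSFORMS = Map.of(
        RSA_1_5, "RSA/ECB/PKCS1Padding",
        RSA_OAEP_MGF1P, "RSA/ECB/OAEPWithSHA-1AndMGF1Padding");

    // EncryptedData algorithm URI -> JCE key algorithm name. This is the
    // symmetric-key algorithm the resolver must know before it can unwrap.
    static final Map<String, String> DATA_KEY_ALGS = Map.of(
        "http://www.w3.org/2001/04/xmlenc#aes128-cbc", "AES",
        "http://www.w3.org/2001/04/xmlenc#aes256-cbc", "AES",
        "http://www.w3.org/2001/04/xmlenc#tripledes-cbc", "DESede");

    /** Recipient side: what a resolver would do on meeting an EncryptedKey under a PublicKey KEK. */
    static SecretKey unwrapContentKey(String keyWrapUri, String dataAlgUri,
                                      byte[] wrappedKey, PrivateKey kek) throws Exception {
        String transform = WRAP_TRANSFORMS.get(keyWrapUri);
        String keyAlg = DATA_KEY_ALGS.get(dataAlgUri);
        if (transform == null || keyAlg == null) {
            throw new IllegalArgumentException("unsupported algorithm URI: "
                + keyWrapUri + " / " + dataAlgUri);
        }
        Cipher c = Cipher.getInstance(transform);
        c.init(Cipher.UNWRAP_MODE, kek);
        // The key algorithm name is what gives the recovered bytes their identity as an AES key.
        return (SecretKey) c.unwrap(wrappedKey, keyAlg, Cipher.SECRET_KEY);
    }

    /** Producer side, only so the demo is round-trippable: wrap a fresh CEK under the recipient's PublicKey. */
    static byte[] wrapContentKey(String keyWrapUri, SecretKey cek, PublicKey kek) throws Exception {
        Cipher c = Cipher.getInstance(WRAP_TRANSFORMS.get(keyWrapUri));
        c.init(Cipher.WRAP_MODE, kek);
        return c.wrap(cek);
    }

    public static void main(String[] args) throws Exception {
        // Constructed keys for the demo; in practice the KEK comes from the recipient's keystore.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair recipient = kpg.generateKeyPair();

        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey cek = kg.generateKey();

        String dataAlg = "http://www.w3.org/2001/04/xmlenc#aes128-cbc";
        for (String wrapAlg : new String[] { RSA_OAEP_MGF1P, RSA_1_5 }) {
            byte[] wrapped = wrapContentKey(wrapAlg, cek, recipient.getPublic());
            SecretKey recovered = unwrapContentKey(wrapAlg, dataAlg, wrapped, recipient.getPrivate());
            System.out.println(wrapAlg + " -> " + recovered.getAlgorithm()
                + ", CEK recovered: " + Arrays.equals(cek.getEncoded(), recovered.getEncoded()));
        }
    }
}
```

The unwrap call is the reason the constructor in XMLCipher.decryptToByteArray() is handed encryptedData.getEncryptionMethod().getAlgorithm(): without that URI the resolver can recover the raw key bytes but cannot say which symmetric algorithm they belong to, which is the gap a replacement resolver runs into.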