What is the recommended way to implement a KeyResolver for an EncryptedKey 
where the KEK is a PublicKey?

At first I thought I could write a Resolver for the KEK PrivateKey and let the 
EncryptedKeyResolver call it.
Unfortunately, the KeyResolverSpi API can return a SecretKey but there is no 
provision to return a PrivateKey.
Can we augment the KeyResolverSpi with a new method 
engineLookupAndResolvePrivateKey()?
This method would be called by the EncryptedKeyResolver when it detects the 
KeyWrap algorithm rsa-1_5
or rsa-oaep-mgf1p. This change looks possible since KeyResolverSpi is a class 
not an interface.

In the meantime, I tried to replace the EncryptedKeyResolver with my own 
implementation.
Again, I've hit a problem because I need the symmetric key algorithm.
Normally this is passed to the constructor of a temporary EncryptedKeyResolver 
in the method
XMLCipher.decryptToByteArray():
    ki.registerInternalKeyResolver(
        new EncryptedKeyResolver(
            encryptedData.getEncryptionMethod().getAlgorithm(),
            _kek));
As you can see, the constructor is called directly.
If you don't like my idea of a PrivateKey resolver, can we at least move that 
constructor call
to a new protected method on XMLCipher so we could override it in a subclass?
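As an added illustration (not the poster's code and not part of Santuario), this is the work a PrivateKey-aware EncryptedKey resolver would end up doing once the proposed engineLookupAndResolvePrivateKey() hands it the KEK: pick the JCE transformation from the xenc KeyWrap URI and unwrap the CipherValue. It assumes the KeyInfo has already been reduced to a key-store alias, and that the caller supplies the JCE name of the symmetric algorithm (the value the poster cannot get at without the constructor argument); the class and method names are hypothetical.

```java
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;

// Hypothetical helper, not Santuario code: the unwrap step behind an
// EncryptedKey whose KEK is an asymmetric key pair.
public final class PrivateKekUnwrapper {
    static final String RSA_1_5 = "http://www.w3.org/2001/04/xmlenc#rsa-1_5";
    static final String RSA_OAEP = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p";

    private final KeyStore keyStore;
    private final char[] keyPassword;

    public PrivateKekUnwrapper(KeyStore keyStore, char[] keyPassword) {
        this.keyStore = keyStore;
        this.keyPassword = keyPassword;
    }

    // Counterpart of the proposed engineLookupAndResolvePrivateKey():
    // KeyInfo (e.g. ds:KeyName) has already been mapped to a key-store alias.
    public PrivateKey resolvePrivateKey(String alias) throws Exception {
        Key k = keyStore.getKey(alias, keyPassword);
        if (!(k instanceof PrivateKey)) {
            throw new IllegalArgumentException("no private key under alias " + alias);
        }
        return (PrivateKey) k;
    }

    // Map the xenc KeyWrap algorithm URI to the JCE transformation.
    static String jceTransformation(String keyWrapAlgorithm) {
        if (RSA_OAEP.equals(keyWrapAlgorithm)) {
            return "RSA/ECB/OAEPWithSHA1AndMGF1Padding";
        }
        if (RSA_1_5.equals(keyWrapAlgorithm)) {
            return "RSA/ECB/PKCS1Padding";
        }
        throw new IllegalArgumentException("unsupported KeyWrap algorithm: " + keyWrapAlgorithm);
    }

    // Unwrap the EncryptedKey's CipherValue. symmetricAlgorithm is the JCE
    // key algorithm name ("AES", "DESede") that EncryptedKeyResolver derives
    // from the EncryptedData EncryptionMethod; the resolver cannot build the
    // SecretKey without it, which is the poster's second problem.
    public SecretKey unwrap(String alias, String keyWrapAlgorithm,
                            byte[] wrappedKey, String symmetricAlgorithm) throws Exception {
        Cipher c = Cipher.getInstance(jceTransformation(keyWrapAlgorithm));
        c.init(Cipher.UNWRAP_MODE, resolvePrivateKey(alias));
        return (SecretKey) c.unwrap(wrappedKey, symmetricAlgorithm, Cipher.SECRET_KEY);
    }
}
```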
