
Merge pull request #96 from wijith7/master
Fix for unable to decrypt SAML assertion
madurangasiriwardena authored Jan 13, 2020
2 parents 49fca50 + ec37830 commit 30bfc5f
Showing 1 changed file with 23 additions and 4 deletions.
Expand Up @@ -120,6 +120,7 @@
import javax.crypto.SecretKey;
import javax.servlet.http.HttpServletRequest;

import static org.apache.commons.collections.CollectionUtils.isNotEmpty;
import static org.opensaml.saml.saml2.core.StatusCode.SUCCESS;
import static org.wso2.carbon.CarbonConstants.AUDIT_LOG;

Expand Down Expand Up @@ -513,7 +514,7 @@ private void processSSOResponse(HttpServletRequest request, Response samlRespons
if (SSOUtils.isAssertionEncryptionEnabled(properties)) {
List<EncryptedAssertion> encryptedAssertions = samlResponse.getEncryptedAssertions();
EncryptedAssertion encryptedAssertion = null;
if (CollectionUtils.isNotEmpty(encryptedAssertions)) {
if (isNotEmpty(encryptedAssertions)) {
encryptedAssertion = encryptedAssertions.get(0);
try {
assertion = getDecryptedAssertion(encryptedAssertion);
Expand All @@ -523,7 +524,7 @@ private void processSSOResponse(HttpServletRequest request, Response samlRespons
}
} else {
List<Assertion> assertions = samlResponse.getAssertions();
if (CollectionUtils.isNotEmpty(assertions)) {
if (isNotEmpty(assertions)) {
assertion = assertions.get(0);
}
}
Expand Down Expand Up @@ -1015,7 +1016,7 @@ private void validateAudienceRestriction(Assertion assertion, String issuer) thr
List<AudienceRestriction> audienceRestrictions = conditions.getAudienceRestrictions();
if (audienceRestrictions != null && !audienceRestrictions.isEmpty()) {
for (AudienceRestriction audienceRestriction : audienceRestrictions) {
if (CollectionUtils.isNotEmpty(audienceRestriction.getAudiences())) {
if (isNotEmpty(audienceRestriction.getAudiences())) {
boolean audienceFound = false;
for (Audience audience : audienceRestriction.getAudiences()) {
if (issuer != null && issuer.equals(audience.getAudienceURI())) {
Expand Down Expand Up @@ -1186,7 +1187,7 @@ private Assertion getDecryptedAssertion(EncryptedAssertion encryptedAssertion) t

X509Credential credential = new X509CredentialImpl(tenantDomain, null);
KeyInfoCredentialResolver keyResolver = new StaticKeyInfoCredentialResolver(credential);
EncryptedKey key = encryptedAssertion.getEncryptedData().getKeyInfo().getEncryptedKeys().get(0);
EncryptedKey key = getEncryptedKey(encryptedAssertion);
Decrypter decrypter = new Decrypter(null, keyResolver, null);
SecretKey dkey = (SecretKey) decrypter.decryptKey(key, encryptedAssertion.getEncryptedData().
getEncryptionMethod().getAlgorithm());
Expand Down Expand Up @@ -1239,4 +1240,22 @@ protected String getIssuer(AuthenticationContext context) {
return properties.get(IdentityApplicationConstants.Authenticator.SAML2SSO.SP_ENTITY_ID);
}

private EncryptedKey getEncryptedKey(EncryptedAssertion encryptedAssertion) throws Exception {

List<EncryptedKey> encryptedKeys = encryptedAssertion.getEncryptedData().getKeyInfo().getEncryptedKeys();
if (isNotEmpty(encryptedKeys)) {
if (log.isDebugEnabled()) {
log.debug("EncryptedKey obtain from the encrypted data element.");
}
return encryptedKeys.get(0);
}
encryptedKeys = encryptedAssertion.getEncryptedKeys();
if (isNotEmpty(encryptedKeys)) {
if (log.isDebugEnabled()) {
log.debug("EncryptedKey obtained from the Assertion.");
}
return encryptedKeys.get(0);
}
throw new Exception("Could not obtain the encrypted key from the encrypted assertion.");
}
}
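Review bot: In getEncryptedKey, the first lookup dereferences `encryptedAssertion.getEncryptedData().getKeyInfo()` without a null check, so an EncryptedData element that carries no KeyInfo at all throws a NullPointerException before the fallback to `encryptedAssertion.getEncryptedKeys()` is ever reached — and an assertion whose EncryptedKey sits beside EncryptedData rather than inside its KeyInfo is presumably the very case this commit is meant to handle. Guarding the first lookup keeps the fallback reachable: `List<EncryptedKey> encryptedKeys = null;` / `if (encryptedAssertion.getEncryptedData().getKeyInfo() != null) {` / `encryptedKeys = encryptedAssertion.getEncryptedData().getKeyInfo().getEncryptedKeys(); }`. Throwing a raw `new Exception(...)` on the final line forces every caller to catch `Exception`; a more specific type that the existing `getDecryptedAssertion` path already propagates would be clearer (its signature is cut off at the hunk edge, so I cannot tell which one from here). A one-line Javadoc on the new method stating that the key is looked up first in the EncryptedData's KeyInfo and then among the assertion's own EncryptedKey elements would save the next reader from reconstructing that from the two debug messages, one of which reads "obtain" where the other reads "obtained".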
