From 9370fe2c29680b92a574bcbafb2c5396ef6bd547 Mon Sep 17 00:00:00 2001
From: Wijith Bandara
Date: Fri, 6 Dec 2019 19:03:07 +0530
Subject: [PATCH 1/7] Fix Unable to decrypt SAML Assertion
---
 .../samlsso/manager/DefaultSAML2SSOManager.java | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/components/org.wso2.carbon.identity.application.authenticator.samlsso/src/main/java/org/wso2/carbon/identity/application/authenticator/samlsso/manager/DefaultSAML2SSOManager.java b/components/org.wso2.carbon.identity.application.authenticator.samlsso/src/main/java/org/wso2/carbon/identity/application/authenticator/samlsso/manager/DefaultSAML2SSOManager.java
index 29f60872..2722a82e 100644
--- a/components/org.wso2.carbon.identity.application.authenticator.samlsso/src/main/java/org/wso2/carbon/identity/application/authenticator/samlsso/manager/DefaultSAML2SSOManager.java
+++ b/components/org.wso2.carbon.identity.application.authenticator.samlsso/src/main/java/org/wso2/carbon/identity/application/authenticator/samlsso/manager/DefaultSAML2SSOManager.java
@@ -1175,7 +1175,7 @@ private Assertion getDecryptedAssertion(EncryptedAssertion encryptedAssertion) t
 X509Credential credential = new X509CredentialImpl(tenantDomain, null);
 KeyInfoCredentialResolver keyResolver = new StaticKeyInfoCredentialResolver(credential);
- EncryptedKey key = encryptedAssertion.getEncryptedData().getKeyInfo().getEncryptedKeys().get(0);
+ EncryptedKey key = getKey(encryptedAssertion);
 Decrypter decrypter = new Decrypter(null, keyResolver, null);
 SecretKey dkey = (SecretKey) decrypter.decryptKey(key, encryptedAssertion.getEncryptedData().
 getEncryptionMethod().getAlgorithm());
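Review bot: The new `EncryptedKey key = getKey(encryptedAssertion);` line hand-rolls a lookup that OpenSAML's Decrypter already offers through its third constructor argument, which this hunk leaves as `null` in `new Decrypter(null, keyResolver, null)`. A `ChainingEncryptedKeyResolver` over `InlineEncryptedKeyResolver` and `EncryptedElementTypeEncryptedKeyResolver` covers both placements this series handles (EncryptedKey inside EncryptedData/KeyInfo and as a sibling under EncryptedAssertion), tries every resolved EncryptedKey instead of only index 0, and lets the method call `decrypter.decrypt(encryptedAssertion)` rather than unwrapping the key by hand; worth weighing if those xmlsec resolver classes are on this module's classpath. The rest of getDecryptedAssertion, including how `dkey` is used, is outside the hunk, so I cannot tell whether the manual unwrap is needed for another reason.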
@@ -1228,4 +1228,16 @@ protected String getIssuer(AuthenticationContext context) {
 return properties.get(IdentityApplicationConstants.Authenticator.SAML2SSO.SP_ENTITY_ID);
 }
+ private EncryptedKey getKey(EncryptedAssertion encryptedAssertion) throws Exception {
+
+ try {
+ if (encryptedAssertion.getEncryptedData().getKeyInfo().getEncryptedKeys().isEmpty()) {
+ return encryptedAssertion.getEncryptedKeys().get(0);
+ } else {
+ return encryptedAssertion.getEncryptedData().getKeyInfo().getEncryptedKeys().get(0);
+ }
+ } catch (Exception e) {
+ throw new Exception(" Can not get the encrypted key ", e);
+ }
+ }
 }
From 8244960d7b595c1a7e827ada92d9e12e255dbef8 Mon Sep 17 00:00:00 2001
From: Wijith Bandara
Date: Thu, 12 Dec 2019 09:25:50 +0530
Subject: [PATCH 2/7] fix comment
---
 .../authenticator/samlsso/manager/DefaultSAML2SSOManager.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/components/org.wso2.carbon.identity.application.authenticator.samlsso/src/main/java/org/wso2/carbon/identity/application/authenticator/samlsso/manager/DefaultSAML2SSOManager.java b/components/org.wso2.carbon.identity.application.authenticator.samlsso/src/main/java/org/wso2/carbon/identity/application/authenticator/samlsso/manager/DefaultSAML2SSOManager.java
index 2722a82e..becce75d 100644
--- a/components/org.wso2.carbon.identity.application.authenticator.samlsso/src/main/java/org/wso2/carbon/identity/application/authenticator/samlsso/manager/DefaultSAML2SSOManager.java
+++ b/components/org.wso2.carbon.identity.application.authenticator.samlsso/src/main/java/org/wso2/carbon/identity/application/authenticator/samlsso/manager/DefaultSAML2SSOManager.java
@@ -1175,7 +1175,7 @@ private Assertion getDecryptedAssertion(EncryptedAssertion encryptedAssertion) t
 X509Credential credential = new X509CredentialImpl(tenantDomain, null);
 KeyInfoCredentialResolver keyResolver = new StaticKeyInfoCredentialResolver(credential);
- EncryptedKey key = getKey(encryptedAssertion);
+ EncryptedKey key = getEncryptedKey(encryptedAssertion);
 Decrypter decrypter = new Decrypter(null, keyResolver, null);
 SecretKey dkey = (SecretKey) decrypter.decryptKey(key, encryptedAssertion.getEncryptedData().
 getEncryptionMethod().getAlgorithm());
@@ -1228,7 +1228,7 @@ protected String getIssuer(AuthenticationContext context) {
 return properties.get(IdentityApplicationConstants.Authenticator.SAML2SSO.SP_ENTITY_ID);
 }
- private EncryptedKey getKey(EncryptedAssertion encryptedAssertion) throws Exception {
+ private EncryptedKey getEncryptedKey(EncryptedAssertion encryptedAssertion) throws Exception {
 try {
 if (encryptedAssertion.getEncryptedData().getKeyInfo().getEncryptedKeys().isEmpty()) {
From 5a89b107be97a7f065e0c428c7817048e2fb508f Mon Sep 17 00:00:00 2001
From: Wijith Bandara
Date: Thu, 12 Dec 2019 16:01:02 +0530
Subject: [PATCH 3/7] fix comment
---
 .../manager/DefaultSAML2SSOManager.java | 22 +++++++++----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/components/org.wso2.carbon.identity.application.authenticator.samlsso/src/main/java/org/wso2/carbon/identity/application/authenticator/samlsso/manager/DefaultSAML2SSOManager.java b/components/org.wso2.carbon.identity.application.authenticator.samlsso/src/main/java/org/wso2/carbon/identity/application/authenticator/samlsso/manager/DefaultSAML2SSOManager.java
index becce75d..3992021a 100644
--- a/components/org.wso2.carbon.identity.application.authenticator.samlsso/src/main/java/org/wso2/carbon/identity/application/authenticator/samlsso/manager/DefaultSAML2SSOManager.java
+++ b/components/org.wso2.carbon.identity.application.authenticator.samlsso/src/main/java/org/wso2/carbon/identity/application/authenticator/samlsso/manager/DefaultSAML2SSOManager.java
@@ -120,6 +120,8 @@ import javax.crypto.SecretKey;
 import javax.servlet.http.HttpServletRequest;
+import static org.apache.commons.collections.CollectionUtils.*;
+import static org.apache.commons.collections.CollectionUtils.isNotEmpty;
 import static org.opensaml.saml.saml2.core.StatusCode.SUCCESS;
 import static org.wso2.carbon.CarbonConstants.AUDIT_LOG;
@@ -513,7 +515,7 @@ private void processSSOResponse(HttpServletRequest request, Response samlRespons
 if (SSOUtils.isAssertionEncryptionEnabled(properties)) {
 List encryptedAssertions = samlResponse.getEncryptedAssertions();
 EncryptedAssertion encryptedAssertion = null;
- if (CollectionUtils.isNotEmpty(encryptedAssertions)) {
+ if (isNotEmpty(encryptedAssertions)) {
 encryptedAssertion = encryptedAssertions.get(0);
 try {
 assertion = getDecryptedAssertion(encryptedAssertion);
@@ -523,7 +525,7 @@ private void processSSOResponse(HttpServletRequest request, Response samlRespons
 }
 } else {
 List assertions = samlResponse.getAssertions();
- if (CollectionUtils.isNotEmpty(assertions)) {
+ if (isNotEmpty(assertions)) {
 assertion = assertions.get(0);
 }
 }
@@ -1004,7 +1006,7 @@ private void validateAudienceRestriction(Assertion assertion, String issuer) thr
 List audienceRestrictions = conditions.getAudienceRestrictions();
 if (audienceRestrictions != null && !audienceRestrictions.isEmpty()) {
 for (AudienceRestriction audienceRestriction : audienceRestrictions) {
- if (CollectionUtils.isNotEmpty(audienceRestriction.getAudiences())) {
+ if (isNotEmpty(audienceRestriction.getAudiences())) {
 boolean audienceFound = false;
 for (Audience audience : audienceRestriction.getAudiences()) {
 if (issuer != null && issuer.equals(audience.getAudienceURI())) {
@@ -1230,14 +1232,12 @@ protected String getIssuer(AuthenticationContext context) {
 private EncryptedKey getEncryptedKey(EncryptedAssertion encryptedAssertion) throws Exception {
- try {
- if (encryptedAssertion.getEncryptedData().getKeyInfo().getEncryptedKeys().isEmpty()) {
- return encryptedAssertion.getEncryptedKeys().get(0);
- } else {
- return encryptedAssertion.getEncryptedData().getKeyInfo().getEncryptedKeys().get(0);
- }
- } catch (Exception e) {
- throw new Exception(" Can not get the encrypted key ", e);
+ if (isNotEmpty(encryptedAssertion.getEncryptedData().getKeyInfo().getEncryptedKeys())) {
+ return encryptedAssertion.getEncryptedData().getKeyInfo().getEncryptedKeys().get(0);
+ }
+ if (isNotEmpty(encryptedAssertion.getEncryptedKeys())) {
+ return encryptedAssertion.getEncryptedKeys().get(0);
 }
+ throw new Exception("Can not get the encrypted key");
 }
 }
From c4c2f58f8664f5737edb9c2e89233d56c95df26d Mon Sep 17 00:00:00 2001
From: Wijith Bandara
Date: Thu, 12 Dec 2019 16:12:58 +0530
Subject: [PATCH 4/7] fix comments
---
 .../authenticator/samlsso/manager/DefaultSAML2SSOManager.java | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/components/org.wso2.carbon.identity.application.authenticator.samlsso/src/main/java/org/wso2/carbon/identity/application/authenticator/samlsso/manager/DefaultSAML2SSOManager.java b/components/org.wso2.carbon.identity.application.authenticator.samlsso/src/main/java/org/wso2/carbon/identity/application/authenticator/samlsso/manager/DefaultSAML2SSOManager.java
index 3992021a..820b5440 100644
--- a/components/org.wso2.carbon.identity.application.authenticator.samlsso/src/main/java/org/wso2/carbon/identity/application/authenticator/samlsso/manager/DefaultSAML2SSOManager.java
+++ b/components/org.wso2.carbon.identity.application.authenticator.samlsso/src/main/java/org/wso2/carbon/identity/application/authenticator/samlsso/manager/DefaultSAML2SSOManager.java
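Review bot: With the try/catch gone, the first added `if` dereferences `encryptedAssertion.getEncryptedData().getKeyInfo()` unguarded, so an EncryptedAssertion whose EncryptedData carries no KeyInfo at all — a layout the second branch exists for, with the EncryptedKey placed beside EncryptedData — now fails with a NullPointerException before the fallback is ever reached, assuming `getKeyInfo()` returns null for an absent element as OpenSAML's EncryptedType accessor does. The same unguarded chain is carried through patches 4–7 and ends up as the `List encryptedKeys = ...` line of the final version. Since `isNotEmpty` already accepts a null list, a null-tolerant first branch is enough: `KeyInfo keyInfo = encryptedAssertion.getEncryptedData().getKeyInfo();` followed by `if (keyInfo != null && isNotEmpty(keyInfo.getEncryptedKeys())) {`, importing `org.opensaml.xmlsec.signature.KeyInfo` if it is not already in scope.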
@@ -120,7 +120,6 @@ import javax.crypto.SecretKey;
 import javax.servlet.http.HttpServletRequest;
-import static org.apache.commons.collections.CollectionUtils.*;
 import static org.apache.commons.collections.CollectionUtils.isNotEmpty;
 import static org.opensaml.saml.saml2.core.StatusCode.SUCCESS;
 import static org.wso2.carbon.CarbonConstants.AUDIT_LOG;
@@ -1238,6 +1237,6 @@ private EncryptedKey getEncryptedKey(EncryptedAssertion encryptedAssertion) thro
 if (isNotEmpty(encryptedAssertion.getEncryptedKeys())) {
 return encryptedAssertion.getEncryptedKeys().get(0);
 }
- throw new Exception("Can not get the encrypted key");
+ throw new Exception("Can not get the encrypted key from the encrypted assertion.");
 }
 }
From b381a8ada0f0efac035032cb1beeedcf94a538eb Mon Sep 17 00:00:00 2001
From: Wijith Bandara
Date: Fri, 13 Dec 2019 10:53:06 +0530
Subject: [PATCH 5/7] fix comment
---
 .../samlsso/manager/DefaultSAML2SSOManager.java | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/components/org.wso2.carbon.identity.application.authenticator.samlsso/src/main/java/org/wso2/carbon/identity/application/authenticator/samlsso/manager/DefaultSAML2SSOManager.java b/components/org.wso2.carbon.identity.application.authenticator.samlsso/src/main/java/org/wso2/carbon/identity/application/authenticator/samlsso/manager/DefaultSAML2SSOManager.java
index 820b5440..6b00340d 100644
--- a/components/org.wso2.carbon.identity.application.authenticator.samlsso/src/main/java/org/wso2/carbon/identity/application/authenticator/samlsso/manager/DefaultSAML2SSOManager.java
+++ b/components/org.wso2.carbon.identity.application.authenticator.samlsso/src/main/java/org/wso2/carbon/identity/application/authenticator/samlsso/manager/DefaultSAML2SSOManager.java
@@ -1232,9 +1232,15 @@ protected String getIssuer(AuthenticationContext context) {
 private EncryptedKey getEncryptedKey(EncryptedAssertion encryptedAssertion) throws Exception {
 if (isNotEmpty(encryptedAssertion.getEncryptedData().getKeyInfo().getEncryptedKeys())) {
+ if (log.isDebugEnabled()) {
+ log.debug("EncryptedKey obtain from the Element.");
+ }
 return encryptedAssertion.getEncryptedData().getKeyInfo().getEncryptedKeys().get(0);
 }
 if (isNotEmpty(encryptedAssertion.getEncryptedKeys())) {
+ if (log.isDebugEnabled()) {
+ log.debug("EncryptedKey obtain from the Assertion.");
+ }
 return encryptedAssertion.getEncryptedKeys().get(0);
 }
 throw new Exception("Can not get the encrypted key from the encrypted assertion.");
From c5b6bd112135ed85a348ee53c5ee4c76c9d80238 Mon Sep 17 00:00:00 2001
From: Wijith Bandara
Date: Fri, 3 Jan 2020 13:29:36 +0530
Subject: [PATCH 6/7] Fix comments
---
 .../samlsso/manager/DefaultSAML2SSOManager.java | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/components/org.wso2.carbon.identity.application.authenticator.samlsso/src/main/java/org/wso2/carbon/identity/application/authenticator/samlsso/manager/DefaultSAML2SSOManager.java b/components/org.wso2.carbon.identity.application.authenticator.samlsso/src/main/java/org/wso2/carbon/identity/application/authenticator/samlsso/manager/DefaultSAML2SSOManager.java
index 6b00340d..73ea5a17 100644
--- a/components/org.wso2.carbon.identity.application.authenticator.samlsso/src/main/java/org/wso2/carbon/identity/application/authenticator/samlsso/manager/DefaultSAML2SSOManager.java
+++ b/components/org.wso2.carbon.identity.application.authenticator.samlsso/src/main/java/org/wso2/carbon/identity/application/authenticator/samlsso/manager/DefaultSAML2SSOManager.java
@@ -1233,16 +1233,16 @@ private EncryptedKey getEncryptedKey(EncryptedAssertion encryptedAssertion) thro
 if (isNotEmpty(encryptedAssertion.getEncryptedData().getKeyInfo().getEncryptedKeys())) {
 if (log.isDebugEnabled()) {
- log.debug("EncryptedKey obtain from the Element.");
+ log.debug("EncryptedKey obtain from the encrypted data element.");
 }
 return encryptedAssertion.getEncryptedData().getKeyInfo().getEncryptedKeys().get(0);
 }
 if (isNotEmpty(encryptedAssertion.getEncryptedKeys())) {
 if (log.isDebugEnabled()) {
- log.debug("EncryptedKey obtain from the Assertion.");
+ log.debug("EncryptedKey obtained from the Assertion.");
 }
 return encryptedAssertion.getEncryptedKeys().get(0);
 }
- throw new Exception("Can not get the encrypted key from the encrypted assertion.");
+ throw new Exception("Could not obtain the encrypted key from the encrypted assertion.");
 }
 }
From ec378308d99b41bef78673dab791587cde3ce855 Mon Sep 17 00:00:00 2001
From: Maduranga Siriwardena
Date: Mon, 13 Jan 2020 11:01:54 +0530
Subject: [PATCH 7/7] Update DefaultSAML2SSOManager.java
---
 .../samlsso/manager/DefaultSAML2SSOManager.java | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/components/org.wso2.carbon.identity.application.authenticator.samlsso/src/main/java/org/wso2/carbon/identity/application/authenticator/samlsso/manager/DefaultSAML2SSOManager.java b/components/org.wso2.carbon.identity.application.authenticator.samlsso/src/main/java/org/wso2/carbon/identity/application/authenticator/samlsso/manager/DefaultSAML2SSOManager.java
index 73ea5a17..8f84878d 100644
--- a/components/org.wso2.carbon.identity.application.authenticator.samlsso/src/main/java/org/wso2/carbon/identity/application/authenticator/samlsso/manager/DefaultSAML2SSOManager.java
+++ b/components/org.wso2.carbon.identity.application.authenticator.samlsso/src/main/java/org/wso2/carbon/identity/application/authenticator/samlsso/manager/DefaultSAML2SSOManager.java
@@ -1231,17 +1231,19 @@ protected String getIssuer(AuthenticationContext context) {
 private EncryptedKey getEncryptedKey(EncryptedAssertion encryptedAssertion) throws Exception {
- if (isNotEmpty(encryptedAssertion.getEncryptedData().getKeyInfo().getEncryptedKeys())) {
+ List encryptedKeys = encryptedAssertion.getEncryptedData().getKeyInfo().getEncryptedKeys();
+ if (isNotEmpty(encryptedKeys)) {
 if (log.isDebugEnabled()) {
 log.debug("EncryptedKey obtain from the encrypted data element.");
 }
- return encryptedAssertion.getEncryptedData().getKeyInfo().getEncryptedKeys().get(0);
+ return encryptedKeys.get(0);
 }
- if (isNotEmpty(encryptedAssertion.getEncryptedKeys())) {
+ encryptedKeys = encryptedAssertion.getEncryptedKeys();
+ if (isNotEmpty(encryptedKeys)) {
 if (log.isDebugEnabled()) {
 log.debug("EncryptedKey obtained from the Assertion.");
 }
- return encryptedAssertion.getEncryptedKeys().get(0);
+ return encryptedKeys.get(0);
 }
 throw new Exception("Could not obtain the encrypted key from the encrypted assertion.");
 }
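Review bot: The new local `List encryptedKeys` is a raw type, so both `return encryptedKeys.get(0);` lines hand back an Object that is converted to EncryptedKey unchecked at the return; declaring it as `List<EncryptedKey> encryptedKeys = ...` matches the element type OpenSAML declares on `getEncryptedKeys()` and lets the compiler check the returns. Reassigning the same variable from two different sources also makes the two debug lines harder to read; a second local such as `assertionLevelKeys` for `encryptedAssertion.getEncryptedKeys()` would read more clearly. Separately, the context line `log.debug("EncryptedKey obtain from the encrypted data element.");` still has the grammar that patch 6 fixed only in the second message, so `"EncryptedKey obtained from the encrypted data element."` would make the pair consistent.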