coheigea commented on a change in pull request #55:
URL: https://github.com/apache/cxf-fediz/pull/55#discussion_r440033469



##########
File path: 
plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
##########
@@ -254,6 +269,62 @@ protected FedizResponse processSignInRequest(FedizRequest 
request, FedizContext
         return fedResponse;
     }
 
+    private void 
decryptEncryptedAssertions(org.opensaml.saml.saml2.core.Response 
responseObject, FedizContext config)
+            throws ProcessingException {
+        if (responseObject.getEncryptedAssertions() != null && 
!responseObject.getEncryptedAssertions().isEmpty()) {
+            KeyManager decryptionKeyManager = config.getDecryptionKey();
+            if (decryptionKeyManager == null || 
decryptionKeyManager.getCrypto() == null) {
+                LOG.debug("We must have a decryption Crypto instance 
configured to decrypt encrypted tokens");
+                throw new ProcessingException(TYPE.BAD_REQUEST);
+            }
+            String keyPassword = decryptionKeyManager.getKeyPassword();
+            if (keyPassword == null) {
+                LOG.debug("We must have a decryption key password to decrypt 
encrypted tokens");
+                throw new ProcessingException(TYPE.BAD_REQUEST);
+            }
+     
+            String keyAlias = decryptionKeyManager.getKeyAlias();
+            if (keyAlias == null) {
+                LOG.debug("No alias configured for decrypt");
+                throw new ProcessingException(TYPE.BAD_REQUEST);
+            }
+            
+            try {
+                // Get the private key
+                PrivateKey privateKey = 
decryptionKeyManager.getCrypto().getPrivateKey(keyAlias, keyPassword);
+                if (privateKey == null) {
+                    LOG.debug("No private key available");
+                    throw new ProcessingException(TYPE.BAD_REQUEST);
+                }
+                
+                BasicX509Credential cred = new BasicX509Credential(
+                    
CertsUtils.getX509CertificateFromCrypto(decryptionKeyManager.getCrypto(), 
keyAlias));
+                cred.setPrivateKey(privateKey);
+                
+                StaticKeyInfoCredentialResolver resolver = new 
StaticKeyInfoCredentialResolver(cred);
+                
+                ChainingEncryptedKeyResolver keyResolver = new 
ChainingEncryptedKeyResolver(
+                        Arrays.<EncryptedKeyResolver>asList(
+                                new InlineEncryptedKeyResolver(),
+                                new 
EncryptedElementTypeEncryptedKeyResolver(), 
+                                new 
SimpleRetrievalMethodEncryptedKeyResolver(),
+                                new 
SimpleKeyInfoReferenceEncryptedKeyResolver()));
+                
+                Decrypter decrypter = new Decrypter(null, resolver, 
keyResolver);
+                
+                for (EncryptedAssertion encryptedAssertion : 
responseObject.getEncryptedAssertions()) {
+                
+                    Assertion decrypted = 
decrypter.decrypt(encryptedAssertion);
+                    LOG.debug("Decrypted:" + 
DOM2Writer.nodeToString(decrypted.getDOM()));
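Review bot: the three configuration checks at the top of decryptEncryptedAssertions (null KeyManager/Crypto, null key password, null key alias) log at debug level and throw TYPE.BAD_REQUEST, but a missing decryption key on the relying party is a server-side misconfiguration, not a malformed client request; an operator hitting this will see a 400-style failure with no hint in a production log unless debug is on. Suggest logging these at warn or error and, if the enum offers one, using an exception type that reflects a configuration error rather than BAD_REQUEST. On the last line, `LOG.debug("Decrypted:" + DOM2Writer.nodeToString(decrypted.getDOM()))` also serialises the whole decrypted assertion, i.e. the subject and any attribute statements, into the log; beyond the isDebugEnabled() guard, consider logging only the assertion ID and issuer so the plaintext claims do not end up in log storage.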

Review comment:
Better to wrap this in a LOG.isDebugEnabled() if statement, as otherwise it will cause a performance problem by calling nodeToString even when debug is not enabled.




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
