private void decryptEncryptedAssertions()

in plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java [244:304]


    /**
     * Decrypts every {@code <EncryptedAssertion>} carried by the response and exposes the
     * plaintext assertions to later processing, both as OpenSAML objects (added to
     * {@code responseObject.getAssertions()}) and as DOM nodes attached to the response
     * document. The response is left untouched when it holds no encrypted assertions.
     * <p>
     * Decryption only gives confidentiality: nothing in this method checks who issued the
     * assertion. The DOM attach below exists so that the assertion's signature can be verified
     * afterwards via {@code doc.getElementById()}; a decrypted assertion must not be trusted
     * until that verification has run (presumably done by the caller - confirm the ordering).
     * NOTE(review): if the {@code <Response>} element itself is signed, that signature has to
     * be verified before this method runs, because appending a child to it changes the
     * signed content.
     *
     * @param responseObject the parsed SAML response; mutated in place when it holds
     *                       encrypted assertions
     * @param config         the Fediz context supplying the decryption key manager
     * @throws ProcessingException with {@code TYPE.BAD_REQUEST} when no decryption crypto,
     *         key password or key alias is configured, when the private key cannot be loaded,
     *         or when any single assertion fails to decrypt
     */
    private void decryptEncryptedAssertions(org.opensaml.saml.saml2.core.Response responseObject, FedizContext config)
            throws ProcessingException {
        if (responseObject.getEncryptedAssertions() == null
            || responseObject.getEncryptedAssertions().isEmpty()) {
            // Nothing encrypted in this response - nothing to do.
            return;
        }

        KeyManager keyManager = config.getDecryptionKey();
        if (keyManager == null || keyManager.getCrypto() == null) {
            LOG.debug("We must have a decryption Crypto instance configured to decrypt encrypted tokens");
            throw new ProcessingException(TYPE.BAD_REQUEST);
        }

        String password = keyManager.getKeyPassword();
        if (password == null) {
            LOG.debug("We must have a decryption key password to decrypt encrypted tokens");
            throw new ProcessingException(TYPE.BAD_REQUEST);
        }

        String alias = keyManager.getKeyAlias();
        if (alias == null) {
            LOG.debug("No alias configured for decrypt");
            throw new ProcessingException(TYPE.BAD_REQUEST);
        }

        try {
            PrivateKey decryptionKey = keyManager.getCrypto().getPrivateKey(alias, password);
            if (decryptionKey == null) {
                LOG.debug("No private key available");
                // Caught by the catch-all below and re-thrown as a fresh BAD_REQUEST.
                throw new ProcessingException(TYPE.BAD_REQUEST);
            }

            // Our key-encryption credential: the certificate stored under the alias plus its private key.
            BasicX509Credential kekCredential = new BasicX509Credential(
                CertsUtils.getX509CertificateFromCrypto(keyManager.getCrypto(), alias));
            kekCredential.setPrivateKey(decryptionKey);
            StaticKeyInfoCredentialResolver kekResolver = new StaticKeyInfoCredentialResolver(kekCredential);

            // Where the wrapped content key (<EncryptedKey>) may be found, tried in this order:
            // inline in the EncryptedData KeyInfo, as a sibling inside the EncryptedAssertion,
            // via a RetrievalMethod, or via a KeyInfoReference.
            ChainingEncryptedKeyResolver encryptedKeyLocator = new ChainingEncryptedKeyResolver(
                    Arrays.asList(
                            new InlineEncryptedKeyResolver(),
                            new EncryptedElementTypeEncryptedKeyResolver(),
                            new SimpleRetrievalMethodEncryptedKeyResolver(),
                            new SimpleKeyInfoReferenceEncryptedKeyResolver()));

            // The first resolver (for keys carried directly in the EncryptedData KeyInfo) is left
            // null: the content key is expected to arrive wrapped in an EncryptedKey that
            // encryptedKeyLocator finds and the private key behind kekResolver unwraps.
            Decrypter decrypter = new Decrypter(null, kekResolver, encryptedKeyLocator);

            for (EncryptedAssertion encrypted : responseObject.getEncryptedAssertions()) {
                Assertion plain = decrypter.decrypt(encrypted);
                Element plainDom = plain.getDOM();
                if (LOG.isDebugEnabled()) {
                    // NOTE(review): this writes the full plaintext assertion (which may carry user
                    // attributes) to the log at DEBUG level - keep DEBUG disabled in production.
                    LOG.debug("Decrypted assertion: {}", DOM2Writer.nodeToString(plainDom));
                }
                responseObject.getAssertions().add(plain);
                // Attach the decrypted element to the Response DOM; without this, ID lookups
                // (doc.getElementById()) during later signature verification do not find it.
                Element responseRoot = plainDom.getOwnerDocument().getDocumentElement();
                responseRoot.appendChild(plainDom);
            }
        } catch (Exception e) {
            // Any failure - bad key material, malformed XML, a single undecryptable assertion -
            // aborts the whole response; the cause survives only in the debug log.
            LOG.debug("Cannot decrypt assertions", e);
            throw new ProcessingException(TYPE.BAD_REQUEST);
        }
    }