#117,#119 Send encryption keys only when required

pitbulk · pitbulk · commit 46ddd59c377f · 2017-07-23T12:49:10.000+02:00
diff --git a/core/src/main/java/com/onelogin/saml2/settings/Metadata.java b/core/src/main/java/com/onelogin/saml2/settings/Metadata.java
@@ -136,7 +136,8 @@ public Metadata(Saml2Settings settings) throws CertificateEncodingException {
 	private StrSubstitutor generateSubstitutor(Saml2Settings settings) throws CertificateEncodingException {
 
 		Map<String, String> valueMap = new HashMap<String, String>();
-
+		Boolean wantsEncrypted = settings.getWantAssertionsEncrypted() || settings.getWantNameIdEncrypted(); 
+		
 		valueMap.put("id", Util.generateUniqueID());
 		valueMap.put("validUntilTime", Util.formatDateTime(validUntilTime.getTimeInMillis()));
 		valueMap.put("cacheDuration", String.valueOf(cacheDuration));
@@ -150,7 +151,7 @@ private StrSubstitutor generateSubstitutor(Saml2Settings settings) throws Certif
 
 		valueMap.put("strAttributeConsumingService", getAttributeConsumingServiceXml());
 		
-		valueMap.put("strKeyDescriptor", toX509KeyDescriptorsXML(settings.getSPcert()));
+		valueMap.put("strKeyDescriptor", toX509KeyDescriptorsXML(settings.getSPcert(), wantsEncrypted));
 		valueMap.put("strContacts", toContactsXml(settings.getContacts()));
 		valueMap.put("strOrganization", toOrganizationXml(settings.getOrganization()));
 
@@ -291,10 +292,12 @@ private String toOrganizationXml(Organization organization) {
 	 * 
 	 * @param cert
 	 * 				the public cert that will be used by the SP to sign and encrypt
+	 * @param wantsEncrypted
+	 * 				Whether to include the KeyDescriptor for encryption
 	 *
 	 * @return the KeyDescriptor section of the metadata's template
 	 */
-	private String toX509KeyDescriptorsXML(X509Certificate cert) throws CertificateEncodingException {
+	private String toX509KeyDescriptorsXML(X509Certificate cert, Boolean wantsEncrypted) throws CertificateEncodingException {
 		StringBuilder keyDescriptorXml = new StringBuilder();
 
 		if (cert != null) {
@@ -310,18 +313,32 @@ private String toX509KeyDescriptorsXML(X509Certificate cert) throws CertificateE
 			keyDescriptorXml.append("</ds:KeyInfo>");
 			keyDescriptorXml.append("</md:KeyDescriptor>");
 
-			keyDescriptorXml.append("<md:KeyDescriptor use=\"encryption\">");
-			keyDescriptorXml.append("<ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">");
-			keyDescriptorXml.append("<ds:X509Data>");
-			keyDescriptorXml.append("<ds:X509Certificate>"+certString+"</ds:X509Certificate>");
-			keyDescriptorXml.append("</ds:X509Data>");
-			keyDescriptorXml.append("</ds:KeyInfo>");
-			keyDescriptorXml.append("</md:KeyDescriptor>");
+			if (wantsEncrypted) {
+				keyDescriptorXml.append("<md:KeyDescriptor use=\"encryption\">");
+				keyDescriptorXml.append("<ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">");
+				keyDescriptorXml.append("<ds:X509Data>");
+				keyDescriptorXml.append("<ds:X509Certificate>"+certString+"</ds:X509Certificate>");
+				keyDescriptorXml.append("</ds:X509Data>");
+				keyDescriptorXml.append("</ds:KeyInfo>");
+				keyDescriptorXml.append("</md:KeyDescriptor>");
+			}
 		}
 
 		return keyDescriptorXml.toString();
 	}
 
+	/**
+	 * Generates the KeyDescriptor section of the metadata's template
+	 * 
+	 * @param cert
+	 * 				the public cert that will be used by the SP to sign and encrypt
+	 *
+	 * @return the KeyDescriptor section of the metadata's template
+	 */
+	private String toX509KeyDescriptorsXML(X509Certificate cert) throws CertificateEncodingException {
+		return toX509KeyDescriptorsXML(cert, true);
+	}
+	
 	/**
 	 * @return the md:SingleLogoutService section of the metadata's template
 	 */
diff --git a/core/src/test/java/com/onelogin/saml2/test/settings/MetadataTest.java b/core/src/test/java/com/onelogin/saml2/test/settings/MetadataTest.java
@@ -249,7 +249,47 @@ public void testToX509KeyDescriptorsXML() throws IOException, CertificateEncodin
 		assertThat(metadataStr2, not(containsString(keyDescriptorSignStr)));
 		assertThat(metadataStr2, not(containsString(keyDescriptorEncStr)));
 	}
-	
+
+	/**
+	 * Tests the toX509KeyDescriptorsXML method of Metadata
+	 * Case: Check where to add or not md:KeyDescriptor encryption
+	 *
+	 * @throws IOException
+	 * @throws CertificateEncodingException
+	 * @throws Error
+	 *
+	 * @see com.onelogin.saml2.settings.Metadata#toX509KeyDescriptorsXML
+	 */
+	@Test
+	public void testToX509KeyDescriptorsXMLEncryption() throws IOException, CertificateEncodingException, Error {
+		Saml2Settings settings = new SettingsBuilder().fromFile("config/config.all.properties").build();
+		String keyDescriptorEncStr = "<md:KeyDescriptor use=\"encryption\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIICeDCCAeGgAwIBAgIBADANBgkqhkiG9w0BAQ0FADBZMQswCQYDVQQGEwJ1czET";
+
+		settings.setWantAssertionsEncrypted(false);
+		settings.setWantNameIdEncrypted(false);
+		Metadata metadataObj = new Metadata(settings);
+		String metadataStr = metadataObj.getMetadataString();
+		assertThat(metadataStr, not(containsString(keyDescriptorEncStr)));
+
+		settings.setWantAssertionsEncrypted(true);
+		settings.setWantNameIdEncrypted(false);
+		metadataObj = new Metadata(settings);
+		metadataStr = metadataObj.getMetadataString();
+		assertThat(metadataStr, containsString(keyDescriptorEncStr));
+
+		settings.setWantAssertionsEncrypted(false);
+		settings.setWantNameIdEncrypted(true);
+		metadataObj = new Metadata(settings);
+		metadataStr = metadataObj.getMetadataString();
+		assertThat(metadataStr, containsString(keyDescriptorEncStr));
+
+		settings.setWantAssertionsEncrypted(true);
+		settings.setWantNameIdEncrypted(true);
+		metadataObj = new Metadata(settings);
+		metadataStr = metadataObj.getMetadataString();
+		assertThat(metadataStr, containsString(keyDescriptorEncStr));
+	}
+		
 	/**
 	 * Tests the getAttributeConsumingServiceXml method of Metadata
      *
