Support NameID Encryptation with MultiCert

Author: pitbulk

core/src/main/java/com/onelogin/saml2/logout/LogoutRequest.java

@@ -321,10 +321,15 @@ private StrSubstitutor generateSubstitutor(Saml2Settings settings) {
 		if (nameIdFormat != null && nameIdFormat.equals(Constants.NAMEID_UNSPECIFIED)) {
 			nameIdFormat = null;
 		}
-		
+
 		X509Certificate cert = null;
 		if (settings.getNameIdEncrypted()) {
 			cert = settings.getIdpx509cert();
+			if (cert == null) {
+				List<X509Certificate> multipleCertList = settings.getIdpx509certMulti();
+				if (multipleCertList != null && !multipleCertList.isEmpty())
+				cert = multipleCertList.get(0);
+			}
 		}
 
 		String nameIdStr = Util.generateNameId(nameId, spNameQualifier, nameIdFormat, nameQualifier, cert);
@@ -429,19 +434,22 @@ public Boolean isValid() throws Exception {
 
 			if (signature != null && !signature.isEmpty()) {
 				X509Certificate cert = settings.getIdpx509cert();
-				if (cert == null) {
-					throw new SettingsException("In order to validate the sign on the Logout Request, the x509cert of the IdP is required", SettingsException.CERT_NOT_FOUND);
-				}
-
+				
 				List<X509Certificate> certList = new ArrayList<X509Certificate>();
 				List<X509Certificate> multipleCertList = settings.getIdpx509certMulti();
 
 				if (multipleCertList != null && multipleCertList.size() != 0) {
 					certList.addAll(multipleCertList);
 				}
 
-				if (certList.isEmpty() || !certList.contains(cert)) {
-					certList.add(0, cert);
+				if (cert != null) {
+					if (certList.isEmpty() || !certList.contains(cert)) {
+						certList.add(0, cert);
+					}
+				}
+
+				if (certList.isEmpty()) {
+					throw new SettingsException("In order to validate the sign on the Logout Request, the x509cert of the IdP is required", SettingsException.CERT_NOT_FOUND);
 				}
 
 				String signAlg = request.getParameter("SigAlg");

core/src/main/java/com/onelogin/saml2/logout/LogoutResponse.java

@@ -230,9 +230,6 @@ public Boolean isValid(String requestId) {
 
 			if (signature != null && !signature.isEmpty()) {
 				X509Certificate cert = settings.getIdpx509cert();
-				if (cert == null) {
-					throw new SettingsException("In order to validate the sign on the Logout Response, the x509cert of the IdP is required", SettingsException.CERT_NOT_FOUND);
-				}
 
 				List<X509Certificate> certList = new ArrayList<X509Certificate>();
 				List<X509Certificate> multipleCertList = settings.getIdpx509certMulti();
@@ -241,8 +238,14 @@ public Boolean isValid(String requestId) {
 					certList.addAll(multipleCertList);
 				}
 
-				if (certList.isEmpty() || !certList.contains(cert)) {
-					certList.add(0, cert);
+				if (cert != null) {
+					if (certList.isEmpty() || !certList.contains(cert)) {
+						certList.add(0, cert);
+					}
+				}
+
+				if (certList.isEmpty()) {
+					throw new SettingsException("In order to validate the sign on the Logout Response, the x509cert of the IdP is required", SettingsException.CERT_NOT_FOUND);
 				}
 
 				String signAlg = request.getParameter("SigAlg");

core/src/main/java/com/onelogin/saml2/settings/Saml2Settings.java

@@ -850,7 +850,7 @@ public List<String> checkIdPSettings() {
 			LOGGER.error(errorMsg);			
 		}
 
-		if (this.getNameIdEncrypted() == true && this.getIdpx509cert() == null) {
+		if (!checkIdpx509certRequired() && this.getNameIdEncrypted()) {
 			errorMsg = "idp_cert_not_found_and_required";
 			errors.add(errorMsg);
 			LOGGER.error(errorMsg);