1. Added support for unwrapping the key via an HSM when decrypting the SAML assertion.

2. Added 2 optional dependencies to integrate this library with the Azure Key Vault.
3. Modified the decryptAssertion() method in the SamlResponse class in order to check whether an HSM has been configured or not. If yes, it will call the HSM in order to unwrap the key.
4. Modified the settings validations in the Saml2Settings class in order to validate the following scenarios:
     a. If the library is configured with both a private key and an HSM, an error (use_either_hsm_or_private_key) is thrown.
     b. If the library is configured to use an HSM, it does not need to check for the SP certificate.
5. Added a new function decryptUsingHsm() in the Util class and moved the validation on the encrypted data to a new function in order to be used both from the decryptUsingHsm() and decryptElement() functions.
6. Added respective tests for the Saml2Settings class and added also the config.hsm.properties file in order to test the scenario when you have the library configured with both the private key and the HSM.
7. Added a new abstract class HSM, which must be used whenever a new HSM needs to be integrated with this library.
8. Added a new class AzureKeyVault which extends the abstract class and implement its abstract methods.

Author: RobertButtigieg

.nvd-suppressions.xml

@@ -1,4 +1,13 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd">
-
+    <suppress>
+        <notes></notes>
+        <filePath regex="true">.*\bmsal4j-1.6.1\.jar</filePath>
+        <cpe>cpe:/a:http_authentication_library_project:http_authentication_library</cpe>
+    </suppress>
+    <suppress>
+        <notes></notes>
+        <filePath regex="true">.*\boauth2-oidc-sdk-6.14\.jar</filePath>
+        <cpe>cpe:/a:openid:openid</cpe>
+    </suppress>
 </suppressions>

core/pom.xml

@@ -67,6 +67,20 @@
 			<artifactId>commons-codec</artifactId>
 			<version>1.15</version>
 		</dependency>
+
+		<!-- Azure Key Vault -->
+		<dependency>
+			<groupId>com.azure</groupId>
+			<artifactId>azure-security-keyvault-keys</artifactId>
+			<version>4.2.1</version>
+			<optional>true</optional>
+		</dependency>
+		<dependency>
+			<groupId>com.azure</groupId>
+			<artifactId>azure-identity</artifactId>
+			<version>1.0.9</version>
+			<optional>true</optional>
+		</dependency>
 	</dependencies>
 
 	<build>

core/src/main/java/com/onelogin/saml2/authn/SamlResponse.java

@@ -10,6 +10,8 @@
 import java.util.Objects;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.xpath.XPathExpressionException;
+
+import com.onelogin.saml2.model.hsm.HSM;
 import org.joda.time.DateTime;
 import org.joda.time.Instant;
 import org.slf4j.Logger;
@@ -78,7 +80,7 @@ public class SamlResponse {
 
 	/**
 	 * After validation, if it fails this property has the cause of the problem
-	 */ 
+	 */
 	private Exception validationException;
 
 	/**
@@ -156,7 +158,7 @@ public void loadXmlFromBase64(String responseStr) throws ParserConfigurationExce
 
 		NodeList encryptedAssertionNodes = samlResponseDocument.getElementsByTagNameNS(Constants.NS_SAML,"EncryptedAssertion");
 
-		if (encryptedAssertionNodes.getLength() != 0) {			
+		if (encryptedAssertionNodes.getLength() != 0) {
 			decryptedDocument = Util.copyDocument(samlResponseDocument);
 			encrypted = true;
 			decryptedDocument = this.decryptAssertion(decryptedDocument);
@@ -566,20 +568,20 @@ public String getNameIdSPNameQualifier() throws Exception {
 	 * @throws XPathExpressionException
 	 * @throws ValidationError
      *
-     */	
+     */
 	public HashMap<String, List<String>> getAttributes() throws XPathExpressionException, ValidationError {
 		HashMap<String, List<String>> attributes = new HashMap<String, List<String>>();
 
 		NodeList nodes = this.queryAssertion("/saml:AttributeStatement/saml:Attribute");
-		
+
 		if (nodes.getLength() != 0) {
 			for (int i = 0; i < nodes.getLength(); i++) {
 				NamedNodeMap attrName = nodes.item(i).getAttributes();
 				String attName = attrName.getNamedItem("Name").getNodeValue();
 				if (attributes.containsKey(attName) && !settings.isAllowRepeatAttributeName()) {
 					throw new ValidationError("Found an Attribute element with duplicated Name", ValidationError.DUPLICATED_ATTRIBUTE_NAME_FOUND);
 				}
-				
+
 				NodeList childrens = nodes.item(i).getChildNodes();
 
 				List<String> attrValues = null;
@@ -605,7 +607,7 @@ public HashMap<String, List<String>> getAttributes() throws XPathExpressionExcep
 
 	/**
 	 * Returns the ResponseStatus object
-	 * 
+	 *
 	 * @return
 	 */
 	public SamlResponseStatus getResponseStatus() {
@@ -639,7 +641,7 @@ public void checkStatus() throws ValidationError {
 	 *
 	 * @throws IllegalArgumentException
 	 *             if the response not contain status or if Unexpected XPath error
-	 * @throws ValidationError 
+	 * @throws ValidationError
 	 */
 	public static SamlResponseStatus getStatus(Document dom) throws ValidationError {
 		String statusXpath = "/samlp:Response/samlp:Status";
@@ -682,7 +684,7 @@ public Boolean checkOneAuthnStatement() throws XPathExpressionException {
 	 * Gets the audiences.
 	 *
 	 * @return the audiences of the response
-	 * 
+	 *
 	 * @throws XPathExpressionException
 	 */
 	public List<String> getAudiences() throws XPathExpressionException {
@@ -706,8 +708,8 @@ public List<String> getAudiences() throws XPathExpressionException {
 	 *
 	 * @return the issuers of the assertion/response
 	 *
-	 * @throws XPathExpressionException 
-	 * @throws ValidationError 
+	 * @throws XPathExpressionException
+	 * @throws ValidationError
 	 */
 	public List<String> getIssuers() throws XPathExpressionException, ValidationError {
 		List<String> issuers = new ArrayList<String>();
@@ -763,7 +765,7 @@ public DateTime getSessionNotOnOrAfter() throws XPathExpressionException {
      *
      * @return the SessionIndex value
      *
-     * @throws XPathExpressionException 
+     * @throws XPathExpressionException
      */
     public String getSessionIndex() throws XPathExpressionException {
         String sessionIndex = null;
@@ -852,7 +854,7 @@ public ArrayList<String> processSignedElements() throws XPathExpressionException
 
 			String responseTag = "{" + Constants.NS_SAMLP  + "}Response";
 			String assertionTag = "{" + Constants.NS_SAML + "}Assertion";
-			
+
 			if (!signedElement.equals(responseTag) && !signedElement.equals(assertionTag)) {
 				throw new ValidationError("Invalid Signature Element " + signedElement + " SAML Response rejected", ValidationError.WRONG_SIGNED_ELEMENT);
 			}
@@ -862,13 +864,13 @@ public ArrayList<String> processSignedElements() throws XPathExpressionException
 			if (idNode == null || idNode.getNodeValue() == null || idNode.getNodeValue().isEmpty()) {
 				throw new ValidationError("Signed Element must contain an ID. SAML Response rejected", ValidationError.ID_NOT_FOUND_IN_SIGNED_ELEMENT);
 			}
-			
-			String idValue = idNode.getNodeValue();			
+
+			String idValue = idNode.getNodeValue();
 			if (verifiedIds.contains(idValue)) {
 				throw new ValidationError("Duplicated ID. SAML Response rejected", ValidationError.DUPLICATED_ID_IN_SIGNED_ELEMENTS);
 			}
 			verifiedIds.add(idValue);
-			
+
 			NodeList refNodes = Util.query(null, "ds:SignedInfo/ds:Reference", signNode);
 			if (refNodes.getLength() == 1) {
 				Node refNode = refNodes.item(0);
@@ -878,7 +880,7 @@ public ArrayList<String> processSignedElements() throws XPathExpressionException
 					if (!sei.equals(idValue)) {
 						throw new ValidationError("Found an invalid Signed Element. SAML Response rejected", ValidationError.INVALID_SIGNED_ELEMENT);
 					}
-					
+
 					if (verifiedSeis.contains(sei)) {
 						throw new ValidationError("Duplicated Reference URI. SAML Response rejected", ValidationError.DUPLICATED_REFERENCE_IN_SIGNED_ELEMENTS);
 					}
@@ -958,7 +960,7 @@ public boolean validateSignedElements(ArrayList<String> signedElements) throws X
 	 *
 	 * @return true if still valid
 	 *
-	 * @throws ValidationError 
+	 * @throws ValidationError
 	 */
 	public boolean validateTimestamps() throws ValidationError {
 		NodeList timestampNodes = samlResponseDocument.getElementsByTagNameNS("*", "Conditions");
@@ -1026,7 +1028,7 @@ public Exception getValidationException() {
 	 *				Xpath Expression
 	 *
 	 * @return the queried node
-	 * @throws XPathExpressionException 
+	 * @throws XPathExpressionException
 	 *
 	 */
 	private NodeList queryAssertion(String assertionXpath) throws XPathExpressionException {
@@ -1075,7 +1077,7 @@ private NodeList queryAssertion(String assertionXpath) throws XPathExpressionExc
      *
      * @param nameQuery
      *				Xpath Expression
-     * @param context 
+     * @param context
      *              The context node
      *
      * @return DOMNodeList The queried nodes
@@ -1094,13 +1096,13 @@ private NodeList query(String nameQuery, Node context) throws XPathExpressionExc
 
 	/**
 	 * Decrypt assertion.
-	 * 
+	 *
 	 * @param dom
 	 *            Encrypted assertion
 	 *
 	 * @return Decrypted Assertion.
 	 *
-	 * @throws XPathExpressionException 
+	 * @throws XPathExpressionException
 	 * @throws IOException
 	 * @throws SAXException
 	 * @throws ParserConfigurationException
@@ -1110,7 +1112,9 @@ private NodeList query(String nameQuery, Node context) throws XPathExpressionExc
 	private Document decryptAssertion(Document dom) throws XPathExpressionException, ParserConfigurationException, SAXException, IOException, SettingsException, ValidationError {
 		PrivateKey key = settings.getSPkey();
 
-		if (key == null) {
+		HSM hsm = this.settings.getHsm();
+
+		if (hsm == null && key == null) {
 			throw new SettingsException("No private key available for decrypt, check settings", SettingsException.PRIVATE_KEY_NOT_FOUND);
 		}
 
@@ -1119,7 +1123,13 @@ private Document decryptAssertion(Document dom) throws XPathExpressionException,
 		    throw new ValidationError("No /samlp:Response/saml:EncryptedAssertion/xenc:EncryptedData element found", ValidationError.MISSING_ENCRYPTED_ELEMENT);
 		}
 		Element encryptedData = (Element) encryptedDataNodes.item(0);
-		Util.decryptElement(encryptedData, key);
+
+		if (hsm != null) {
+			Util.decryptUsingHsm(encryptedData, hsm);
+		} else {
+			Util.decryptElement(encryptedData, key);
+		}
+
 
 		// We need to Remove the saml:EncryptedAssertion Node
 		NodeList AssertionDataNodes = Util.query(dom, "/samlp:Response/saml:EncryptedAssertion/saml:Assertion");
@@ -1138,7 +1148,7 @@ private Document decryptAssertion(Document dom) throws XPathExpressionException,
 	}
 
 	/**
-	 * @return the SAMLResponse XML, If the Assertion of the SAMLResponse was encrypted,  
+	 * @return the SAMLResponse XML, If the Assertion of the SAMLResponse was encrypted,
 	 *         returns the XML with the assertion decrypted
 	 */
 	public String getSAMLResponseXml() {
@@ -1148,11 +1158,11 @@ public String getSAMLResponseXml() {
 		} else {
 			xml = samlResponseString;
 		}
-		return xml; 
+		return xml;
 	}
 
 	/**
-	 * @return the SAMLResponse Document, If the Assertion of the SAMLResponse was encrypted,  
+	 * @return the SAMLResponse Document, If the Assertion of the SAMLResponse was encrypted,
 	 *         returns the Document with the assertion decrypted
 	 */
 	protected Document getSAMLResponseDocument() {