KeyInfoHelper getCertificate method making incorrect assumption on X509Certificate element content
Invalid
Description
I found what I think is a fairly significant oversight in the KeyInfoHelper#getCertificate() method.
This method decodes the Base64 content of a o.o.x.s.X509Certificate element before passing it to the o.o.x.s.x509.X509Util#decodeCertificate() method. That method attempts to create a new instance of the "not-yet-commons-ssl" class TrustMaterial, which is expecting a stream of PEM encoded certificates as bytes.
This fails miserably when attempting to use this with an encrypted assertion with KeyInfo present.
A remediation to this problem would be to update the KeyInfoHelper#getCertificate method to the following:
    import java.io.ByteArrayInputStream;
    import java.io.InputStream;
    import java.security.cert.CertificateException;
    import java.security.cert.CertificateFactory;
    import java.security.cert.X509Certificate;
    import org.opensaml.xml.util.Base64; // assumed: OpenSAML's own Base64 helper, as used in the original snippet

    public static X509Certificate getCertificate(org.opensaml.xml.signature.X509Certificate xmlCert)
            throws CertificateException {
        if (xmlCert == null || xmlCert.getValue() == null) {
            return null;
        }
        // ds:X509Certificate carries a base64-encoded DER certificate, so decoding yields raw DER bytes
        final byte[] certificateMaterial = Base64.decode(xmlCert.getValue());
        final InputStream certificateMaterialStream = new ByteArrayInputStream(certificateMaterial);
        // CertificateFactory parses DER directly; no PEM armour is required
        final CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
        final X509Certificate certificate = (X509Certificate) certificateFactory.generateCertificate(certificateMaterialStream);
        return certificate;
    }
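Added illustration, not part of the original report or of OpenSAML: the root of the mismatch described above is that a ds:X509Certificate element holds base64 of a DER certificate, so decoding it yields binary DER, while a PEM-oriented parser looks for "-----BEGIN CERTIFICATE-----" armour. The helpers below (hypothetical names) validate the decoded bytes as a DER SEQUENCE envelope before handing them to any parser, tell DER from PEM, and re-wrap DER as PEM for a consumer that only accepts PEM. The sample value is a constructed minimal DER SEQUENCE, not a real certificate.

```python
import base64
import re

# Constructed sample: a minimal DER SEQUENCE (tag 0x30) wrapping one INTEGER.
# Not a real certificate, but it starts the same way a DER certificate does,
# which is enough to exercise the envelope check below.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_X509_ELEMENT_VALUE = base64.b64encode(SAMPLE_DER).decode("ascii")  # "MAMCAQU="

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def der_sequence_length(data: bytes) -> int:
    """Return the total length of the outer DER SEQUENCE in `data`, or raise
    ValueError if the bytes are not a well-formed DER envelope. PEM text fails
    this check immediately because it starts with '-' rather than 0x30."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE: wrong tag or too short")
    first = data[1]
    if first < 0x80:                      # short form: length fits in one byte
        header = 2
        body = first
    else:                                 # long form: 0x8N followed by N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            raise ValueError("invalid DER long-form length")
        if n > 1 and data[2] == 0:
            raise ValueError("non-minimal DER length encoding")
        header = 2 + n
        body = int.from_bytes(data[2:2 + n], "big")
    total = header + body
    if total != len(data):
        raise ValueError(f"DER length {total} does not match {len(data)} bytes")
    return total


def x509_element_to_der(element_text: str) -> bytes:
    """Decode the text content of a ds:X509Certificate element.
    XML Signature defines it as base64 of the DER certificate, so the decoded
    bytes are binary DER, never PEM. Whitespace from XML pretty-printing is
    stripped before strict base64 decoding."""
    cleaned = re.sub(r"\s+", "", element_text)
    der = base64.b64decode(cleaned, validate=True)
    der_sequence_length(der)   # reject non-DER content with a clear error
    return der


def looks_like_pem(data: bytes) -> bool:
    """True if the bytes are PEM-armoured text rather than raw DER."""
    return data.lstrip().startswith(PEM_HEADER.encode("ascii"))


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour (64-character base64 lines) for a
    consumer that only understands PEM, such as the PEM-expecting parser
    the report describes."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"
```

Feeding the element's decoded bytes straight to a parser that expects PEM is exactly the failure the report describes; either parse the DER directly (as the proposed CertificateFactory fix does) or convert it with der_to_pem first.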