Signing code in profile handlers and encoders should not just check that a signing...

git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/branches/REL_2@2809 ab3bd59b-922f-494d-bb5f-6f0a3c29deca

diff --git a/doc/RELEASE-NOTES.txt b/doc/RELEASE-NOTES.txt
index c99d7fc..d22c699 100644 (file)
--- a/doc/RELEASE-NOTES.txt
+++ b/doc/RELEASE-NOTES.txt
@@ -1,5 +1,6 @@
 Changes in Release 2.1.1
 =============================================
+[SIDP-248] - Signing code in profile handlers and encoders should not just check that a signing credential is supplied, but that a signing key is available in that credential.
 [SIDP-249] - PreviousSession INFO message printed as ERROR message
 [SIDP-250] - AuthenticationEngine::returnToAuthenticationEngine() static method called before servlet init() when clustered.
 [SIDP-252] - IdPSessionFilter throws ArrayIndexOutOfBoundsException on validation of unexpected cookie

diff --git a/src/main/java/edu/internet2/middleware/shibboleth/idp/profile/AbstractSAMLProfileHandler.java b/src/main/java/edu/internet2/middleware/shibboleth/idp/profile/AbstractSAMLProfileHandler.java
index 647f91f..3627629 100644 (file)
--- a/src/main/java/edu/internet2/middleware/shibboleth/idp/profile/AbstractSAMLProfileHandler.java
+++ b/src/main/java/edu/internet2/middleware/shibboleth/idp/profile/AbstractSAMLProfileHandler.java
@@ -509,10 +509,8 @@ public abstract class AbstractSAMLProfileHandler extends
                 if (profileConfig.getSignResponses() == CryptoOperationRequirementLevel.always
                         || (profileConfig.getSignResponses() == CryptoOperationRequirementLevel.conditional && !encoder
                                 .providesMessageIntegrity(requestContext))) {
-                    Credential signingCredential = null;
-                    if (profileConfig.getSigningCredential() != null) {
-                        signingCredential = profileConfig.getSigningCredential();
-                    } else if (requestContext.getRelyingPartyConfiguration().getDefaultSigningCredential() != null) {
+                    Credential signingCredential = profileConfig.getSigningCredential();
+                    if (signingCredential == null) {
                         signingCredential = requestContext.getRelyingPartyConfiguration().getDefaultSigningCredential();
                     }
 
@@ -521,6 +519,11 @@ public abstract class AbstractSAMLProfileHandler extends
                                 "Signing of responses is required but no signing credential is available");
                     }
 
+                    if (signingCredential.getPrivateKey() == null) {
+                        throw new ProfileException(
+                                "Signing of response is required but signing credential does not have a private key");
+                    }
+
                     requestContext.setOutboundSAMLMessageSigningCredential(signingCredential);
                 }
             }