SIDP-429 - Limit metadata SP credential resolution for encryption to RSA keys only
authorputmanb <putmanb@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Thu, 3 Feb 2011 21:59:35 +0000 (21:59 +0000)
committerputmanb <putmanb@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Thu, 3 Feb 2011 21:59:35 +0000 (21:59 +0000)
git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/branches/REL_2@2985 ab3bd59b-922f-494d-bb5f-6f0a3c29deca

doc/RELEASE-NOTES.txt
src/main/java/edu/internet2/middleware/shibboleth/idp/profile/saml2/AbstractSAML2ProfileHandler.java

index 8a914f2..e0d751d 100644 (file)
@@ -1,3 +1,7 @@
+Changes in Release 2.3.0
+=============================================
+[SIDP-429] - Limit metadata SP credential resolution for encryption to RSA keys only
+
 Changes in Release 2.2.1
 =============================================
 [SIDP-286] - Configurable validity period for self signed certificate
index b2719e8..8fe2e54 100644 (file)
@@ -67,6 +67,7 @@ import org.opensaml.xml.security.SecurityHelper;
 import org.opensaml.xml.security.credential.Credential;
 import org.opensaml.xml.security.credential.UsageType;
 import org.opensaml.xml.security.criteria.EntityIDCriteria;
+import org.opensaml.xml.security.criteria.KeyAlgorithmCriteria;
 import org.opensaml.xml.security.criteria.UsageCriteria;
 import org.opensaml.xml.signature.Signature;
 import org.opensaml.xml.signature.SignatureException;
@@ -915,6 +916,12 @@ public abstract class AbstractSAML2ProfileHandler extends AbstractSAMLProfileHan
         criteriaSet.add(new EntityIDCriteria(peerEntityId));
         criteriaSet.add(new MetadataCriteria(SPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS));
         criteriaSet.add(new UsageCriteria(UsageType.ENCRYPTION));
+        
+        // We practically speaking only support RSA keys for encryption.
+        // DSA isn't defined for encryption and currently EC keys aren't supported
+        // by the underlying libraries.  So in the case multiple keys are defined in metadata,
+        // or are erroneously flagged for use='encryption', filter out those that wouldn't work.
+        criteriaSet.add(new KeyAlgorithmCriteria("RSA"));
 
         return kekCredentialResolver.resolveSingle(criteriaSet);
     }
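Review bot: The algorithm name in the added `criteriaSet.add(new KeyAlgorithmCriteria("RSA"));` is a bare string literal, and the comment above it says EC is unsupported only "currently", so the restriction is likely to be revisited; a named constant such as `private static final String ENCRYPTION_KEY_ALGORITHM = "RSA";` used as `criteriaSet.add(new KeyAlgorithmCriteria(ENCRYPTION_KEY_ALGORITHM));` would make it easy to find and lift. The filter also narrows the candidate set silently: if a peer publishes only non-RSA keys flagged for encryption, `resolveSingle` presumably yields no credential and the caller sees a generic "no key" condition with no hint that candidates were excluded by algorithm, so a debug-level log after the resolution naming the peer entity ID and the algorithm filter would help when diagnosing encryption failures against misconfigured SPs. Note in the comment that this filter checks only the algorithm family, not key length, so an RSA key too short for the configured key-transport algorithm will still be selected and fail later at encryption time. The enclosing method's signature lies before this hunk.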