/**
* Decrypt an assertion.
*
* This function takes in a \SAML2\Assertion and decrypts it if it is encrypted.
* If it is unencrypted, and encryption is enabled in the metadata, an exception
* will be throws.
*
* @param SimpleSAML_Configuration $srcMetadata The metadata of the sender (IdP).
* @param SimpleSAML_Configuration $dstMetadata The metadata of the recipient (SP).
* @param \SAML2\Assertion|\SAML2\EncryptedAssertion $assertion The assertion we are decrypting.
* @return \SAML2\Assertion The assertion.
*/
private static function decryptAssertion(SimpleSAML_Configuration $srcMetadata, SimpleSAML_Configuration $dstMetadata, $assertion)
{
assert('$assertion instanceof \\SAML2\\Assertion || $assertion instanceof \\SAML2\\EncryptedAssertion');
if ($assertion instanceof \SAML2\Assertion) {
$encryptAssertion = $srcMetadata->getBoolean('assertion.encryption', NULL);
if ($encryptAssertion === NULL) {
$encryptAssertion = $dstMetadata->getBoolean('assertion.encryption', FALSE);
}
if ($encryptAssertion) {
/* The assertion was unencrypted, but we have encryption enabled. */
throw new Exception('Received unencrypted assertion, but encryption was enabled.');
}
return $assertion;
}
try {
$keys = self::getDecryptionKeys($srcMetadata, $dstMetadata);
} catch (Exception $e) {
throw new SimpleSAML_Error_Exception('Error decrypting assertion: ' . $e->getMessage());
}
$blacklist = self::getBlacklistedAlgorithms($srcMetadata, $dstMetadata);
$lastException = NULL;
foreach ($keys as $i => $key) {
try {
$ret = $assertion->getAssertion($key, $blacklist);
SimpleSAML\Logger::debug('Decryption with key #' . $i . ' succeeded.');
return $ret;
} catch (Exception $e) {
SimpleSAML\Logger::debug('Decryption with key #' . $i . ' failed with exception: ' . $e->getMessage());
$lastException = $e;
}
}
throw $lastException;
}
