+ CredentialResolver* cr = application.getCredentialResolver();
+ if (!cr) {
+ m_log.warn("found encrypted assertion, but no CredentialResolver was available");
+ throw FatalProfileException("Assertion was encrypted, but no decryption credentials are available.");
+ }
+
+ // With this flag on, we block unauthenticated ciphertext when decrypting,
+ // unless the protocol was authenticated.
+ pair<bool,bool> authenticatedCipher = application.getBool("requireAuthenticatedEncryption");
+ if (policy->isAuthenticated())
+ authenticatedCipher.second = false;
+
+ // Attempt to decrypt it.
+ try {
+ Locker credlocker(cr);
+ auto_ptr<XMLObject> tokenwrapper(
+ encassertions.front()->decrypt(
+ *cr, relyingParty->getXMLString("entityID").second, &mcc, authenticatedCipher.first && authenticatedCipher.second
+ )
+ );
+ newtoken = dynamic_cast<saml2::Assertion*>(tokenwrapper.get());
+ if (newtoken) {
+ tokenwrapper.release();
+ newtokenwrapper.reset(newtoken);
+ if (m_log.isDebugEnabled())
+ m_log.debugStream() << "decrypted assertion: " << *newtoken << logging::eol;
+ }
+ }
+ catch (exception& ex) {
+ m_log.error("failed to decrypt assertion: %s", ex.what());
+ throw;
+ }
+ }
+ else {
+ if (assertions.size() > 1)
+ m_log.warn("simple resolver only supports one assertion in the query response");
+ newtoken = assertions.front();
+ }