+ CredentialResolver* cr=application.getCredentialResolver();
+ if (!cr) {
+ m_log.warn("found encrypted assertion, but no CredentialResolver was available");
+ return true;
+ }
+
+ // Attempt to decrypt it.
+ try {
+ Locker credlocker(cr);
+ auto_ptr<MetadataCredentialCriteria> mcc(
+ policy.getIssuerMetadata() ? new MetadataCredentialCriteria(*policy.getIssuerMetadata()) : NULL
+ );
+ auto_ptr<XMLObject> tokenwrapper(
+ encassertions.front()->decrypt(*cr, application.getRelyingParty(ctx.getEntityDescriptor())->getXMLString("entityID").second, mcc.get())
+ );
+ newtoken = dynamic_cast<saml2::Assertion*>(tokenwrapper.get());
+ if (newtoken) {
+ tokenwrapper.release();
+ if (m_log.isDebugEnabled())
+ m_log.debugStream() << "decrypted Assertion: " << *newtoken << logging::eol;
+ }
+ }
+ catch (exception& ex) {
+ m_log.error(ex.what());
+ }
+ if (newtoken) {
+ // Free the Response now, so we know this is a stand-alone token later.
+ delete wrapper.release();
+ }
+ else {
+ // Nothing decrypted, should already be logged.
+ return true;
+ }
+ }
+ else {
+ if (assertions.size() > 1)
+ m_log.warn("simple resolver only supports one assertion in the query response");
+ newtoken = assertions.front();
+ }