Merge branch 'mukulagrawal-master'

pitbulk · pitbulk · commit a982e8c1c327 · 2015-07-17T13:03:15.000+02:00
diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py
@@ -449,6 +449,25 @@ def __decrypt_assertion(self, dom):
         if encrypted_assertion_nodes:
             encrypted_data_nodes = OneLogin_Saml2_Utils.query(encrypted_assertion_nodes[0], '//saml:EncryptedAssertion/xenc:EncryptedData')
             if encrypted_data_nodes:
+                keyinfo = OneLogin_Saml2_Utils.query(encrypted_assertion_nodes[0], '//saml:EncryptedAssertion/xenc:EncryptedData/ds:KeyInfo')
+                if not keyinfo:
+                    raise Exception('No KeyInfo present, invalid Assertion')
+                keyinfo = keyinfo[0]
+                children = keyinfo.getchildren()
+                if not children:
+                    raise Exception('No child to KeyInfo, invalid Assertion')
+                for child in children:
+                    if 'RetrievalMethod' in child.tag:
+                        if child.attrib['Type'] != 'http://www.w3.org/2001/04/xmlenc#EncryptedKey':
+                            raise Exception('Unsupported Retrieval Method found')
+                        uri  = child.attrib['URI'] 
+                        if not uri.startswith('#'):
+                            break
+                        uri = uri.split('#')[1]
+                        encrypted_key = OneLogin_Saml2_Utils.query(encrypted_assertion_nodes[0], './xenc:EncryptedKey[@Id="'+uri +'"]')
+                        if encrypted_key:
+                            keyinfo.append(encrypted_key[0])
+
                 encrypted_data = encrypted_data_nodes[0]
                 OneLogin_Saml2_Utils.decrypt_element(encrypted_data, key)
         return dom
