Fixes to encryption optional (#2254)

kwessel · web-flow · commit 49fb3cd67448 · 2024-09-21T11:31:42.000+02:00
The new feature from f99217b only worked if a signing cert was present. With no certs present, getPublicKeys threw an exception. Fixed the call from encryptAssertion to getPublicKeys to not require that a key be returned. Also fixed logic in getPublicKeys in Configuration.php. Previous logic would return an empty array if a use type was passed in but no keys of that type were found even if required was set to true. Thus, the encryptAssertion bug didn't appear until we had an SP with no certs at all rather than just one without an encryption cert.
diff --git a/modules/saml/src/IdP/SAML2.php b/modules/saml/src/IdP/SAML2.php
@@ -1436,7 +1436,7 @@ private static function encryptAssertion(
             $key = new XMLSecurityKey($algo);
             $key->loadKey($sharedKey);
         } else {
-            $keys = $spMetadata->getPublicKeys('encryption', true);
+            $keys = $spMetadata->getPublicKeys('encryption');
             if (!empty($keys)) {
                 $key = $keys[0];
                 switch ($key['type']) {
diff --git a/src/SimpleSAML/Configuration.php b/src/SimpleSAML/Configuration.php
@@ -1415,7 +1415,9 @@ public function getPublicKeys(?string $use = null, bool $required = false, strin
                 }
                 $ret[] = $key;
             }
-            return $ret;
+            if (!empty($ret)) {
+                return $ret;
+            }
         } elseif ($this->hasValue($prefix . 'certData')) {
             $certData = $this->getString($prefix . 'certData');
             $certData = preg_replace('/\s+/', '', $certData);
@@ -1460,7 +1462,10 @@ public function getPublicKeys(?string $use = null, bool $required = false, strin
                     'X509Certificate' => $certData,
                 ],
             ];
-        } elseif ($required === true) {
+        }
+
+        // If still here, we didn't find a certificate of the requested use
+        if ($required === true) {
             throw new Error\Exception($this->location . ': Missing certificate in metadata.');
         } else {
             return [];
