From d40e9bd3c1c9214af76b0bece42b4820983c72c5 Mon Sep 17 00:00:00 2001
From: wyvie
Date: Mon, 26 Mar 2018 08:41:06 +0200
Subject: [PATCH] [KEYCLOAK-6814] check if HMAC exists during session restart
---
 .../main/java/org/keycloak/protocol/RestartLoginCookie.java | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/services/src/main/java/org/keycloak/protocol/RestartLoginCookie.java b/services/src/main/java/org/keycloak/protocol/RestartLoginCookie.java
index 59cd0b9f78..8e8c576e93 100644
--- a/services/src/main/java/org/keycloak/protocol/RestartLoginCookie.java
+++ b/services/src/main/java/org/keycloak/protocol/RestartLoginCookie.java
@@ -154,6 +154,10 @@ public class RestartLoginCookie {
 String encodedCookie = cook.getValue();
 JWSInput input = new JWSInput(encodedCookie);
 SecretKey secretKey = session.keys().getHmacSecretKey(realm, input.getHeader().getKeyId());
+ if (secretKey == null) {
+ logger.debug("Failed to retrieve HMAC secret key for session restart");
+ return null;
+ }
 if (!HMACProvider.verify(input, secretKey)) {
 logger.debug("Failed to verify encoded RestartLoginCookie");
 return null;
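Review bot: The new `secretKey == null` branch carries no comment saying why the lookup can fail, and the reason is security-relevant: the key id handed to `getHmacSecretKey` is read from the header of a cookie that has not been verified yet, so the client chooses it. I would add `// kid comes from the still-unverified cookie header; an unknown or retired key id yields no key` above the check. The debug message could also name the realm so repeated failures can be correlated, but the key id itself is client-controlled and should not be logged without sanitising. Whether `HMACProvider.verify` also pins the algorithm taken from that same header is not visible in this hunk and is worth confirming. The enclosing method starts and ends outside the hunk.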