From d9d77fe1f7275f7e2f50d43939c356f0ffa3dff2 Mon Sep 17 00:00:00 2001
From: Hans-Christian Halfbrodt <hc42@users.noreply.github.com>
Date: Thu, 6 Jan 2022 18:05:50 +0100
Subject: [PATCH] Fix for KEYCLOAK-18914 (#9355)

Closed #9382

Co-authored-by: Hans-Christian Halfbrodt <hc-github42@halfbrodt.org>
---
 .../AbstractSamlAuthenticationHandler.java    |    2 +-
 .../java/org/keycloak/common/util/Base64.java |   97 +-
 .../org/keycloak/common/util/Base64Url.java   |    3 +-
 .../common/util/Base64DecodeTest.java         |  135 +++
 .../xmlsec/w3/xmldsig/DSAKeyValueType.java    |   26 +-
 .../xmlsec/w3/xmldsig/RSAKeyValueType.java    |   14 +-
 .../org/keycloak/saml/common/util/Base64.java | 1060 -----------------
 .../org/keycloak/saml/SAMLRequestParser.java  |   15 +-
 .../core/saml/v2/util/SignatureUtil.java      |    9 +-
 .../core/util/XMLSignatureUtil.java           |    6 +-
 .../processing/web/util/PostBindingUtil.java  |   13 +-
 .../web/util/RedirectBindingUtil.java         |   14 +-
 12 files changed, 235 insertions(+), 1159 deletions(-)
 create mode 100644 common/src/test/java/org/keycloak/common/util/Base64DecodeTest.java
 delete mode 100755 saml-core-api/src/main/java/org/keycloak/saml/common/util/Base64.java

diff --git a/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/profile/AbstractSamlAuthenticationHandler.java b/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/profile/AbstractSamlAuthenticationHandler.java
index 59b453c1062..7b728ade620 100644
--- a/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/profile/AbstractSamlAuthenticationHandler.java
+++ b/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/profile/AbstractSamlAuthenticationHandler.java
@@ -33,6 +33,7 @@ import org.keycloak.adapters.spi.AuthChallenge;
 import org.keycloak.adapters.spi.AuthOutcome;
 import org.keycloak.adapters.spi.HttpFacade;
 import org.keycloak.common.VerificationException;
+import org.keycloak.common.util.Base64;
 import org.keycloak.common.util.KeycloakUriBuilder;
 import org.keycloak.common.util.MultivaluedHashMap;
 import org.keycloak.dom.saml.v2.assertion.AssertionType;
@@ -57,7 +58,6 @@ import org.keycloak.saml.common.constants.JBossSAMLConstants;
 import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
 import org.keycloak.saml.common.exceptions.ConfigurationException;
 import org.keycloak.saml.common.exceptions.ProcessingException;
-import org.keycloak.saml.common.util.Base64;
 import org.keycloak.saml.common.util.DocumentUtil;
 import org.keycloak.saml.processing.api.saml.v2.sig.SAML2Signature;
 import org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder;
diff --git a/common/src/main/java/org/keycloak/common/util/Base64.java b/common/src/main/java/org/keycloak/common/util/Base64.java
index ae1897da331..3840d688fc8 100644
--- a/common/src/main/java/org/keycloak/common/util/Base64.java
+++ b/common/src/main/java/org/keycloak/common/util/Base64.java
@@ -1,5 +1,7 @@
 package org.keycloak.common.util;
 
+import java.io.IOException;
+
 /**
  * <p>Encodes and decodes to and from Base64 notation.</p>
  * <p>Homepage: <a href="http://iharder.net/base64">http://iharder.net/base64</a>.</p>
@@ -35,6 +37,10 @@ package org.keycloak.common.util;
  * Change Log:
  * </p>
  * <ul>
+ *  <li>v2.3.8 - Fixed automatic gzip decoding, based on the content,
+ *  as this may lead to unexpected behaviour. Request either gzipped
+ *  or non gzipped decoding as excepted. Automatic encoding is especially
+ *  problematic with generated input (see KEYCLOAK-18914 for a detailed case).</li>
  *  <li>v2.3.7 - Fixed subtle bug when base 64 input stream contained the
  *   value 01111111, which is an invalid base 64 character but should not
  *   throw an ArrayIndexOutOfBoundsException either. Led to discovery of
@@ -76,7 +82,7 @@ package org.keycloak.common.util;
  *      <a href="http://www.faqs.org/rfcs/rfc3548.html">RFC3548</a>.</li>
  *    <li><em>Throws exceptions instead of returning null values.</em> Because some operations
  *      (especially those that may permit the GZIP option) use IO streams, there
- *      is a possiblity of an java.io.IOException being thrown. After some discussion and
+ *      is a possibility of an java.io.IOException being thrown. After some discussion and
  *      thought, I've changed the behavior of the methods to throw java.io.IOExceptions
  *      rather than return null if ever there's an error. I think this is more
  *      appropriate, though it will require some changes to your code. Sorry,
@@ -167,9 +173,8 @@ public class Base64
     /** Specify that data should be gzip-compressed in second bit. Value is two. */
     public final static int GZIP = 2;
 
-    /** Specify that gzipped data should <em>not</em> be automatically gunzipped. */
-    public final static int DONT_GUNZIP = 4;
-
+    /** Specify that data should be gunzipped. */
+    public final static int GUNZIP = 4;
 
     /** Do break lines when encoding. Value is 8. */
     public final static int DO_BREAK_LINES = 8;
@@ -179,7 +184,7 @@ public class Base64
      * in Section 4 of RFC3548:
      * <a href="http://www.faqs.org/rfcs/rfc3548.html">http://www.faqs.org/rfcs/rfc3548.html</a>.
      * It is important to note that data encoded this way is <em>not</em> officially valid Base64,
-     * or at the very least should not be called Base64 without also specifying that is
+     * or at the very least should not be called Base64 without also specifying that it
      * was encoded using the URL- and Filename-safe dialect.
      */
     public final static int URL_SAFE = 16;
@@ -476,7 +481,7 @@ public class Base64
      * anywhere along their length by specifying
      * <var>srcOffset</var> and <var>destOffset</var>.
      * This method does not check to make sure your arrays
-     * are large enough to accomodate <var>srcOffset</var> + 3 for
+     * are large enough to accommodate <var>srcOffset</var> + 3 for
      * the <var>source</var> array or <var>destOffset</var> + 4 for
      * the <var>destination</var> array.
      * The actual number of significant bytes in your array is
@@ -548,7 +553,7 @@ public class Base64
      * writing it to the <code>encoded</code> ByteBuffer.
      * This is an experimental feature. Currently it does not
      * pass along any options (such as {@link #DO_BREAK_LINES}
-     * or {@link #GZIP}.
+     * or {@link #GZIP}).
      *
      * @param raw input buffer
      * @param encoded output buffer
@@ -733,7 +738,7 @@ public class Base64
      * Example options:<pre>
      *   GZIP: gzip-compresses object before encoding it.
      *   DO_BREAK_LINES: break lines at 76 characters
-     *     <i>Note: Technically, this makes your encoding non-compliant.</i>
+     *     <i>Note: Technically, without line break your encoding may become non-compliant (see rfc2045 and rfc4648).</i>
      * </pre>
      * <p>
      * Example: <code>encodeBytes( myData, Base64.GZIP )</code> or
@@ -1115,15 +1120,8 @@ public class Base64
      * @return decoded data
      * @since 2.3.1
      */
-    public static byte[] decode( byte[] source )
-            throws java.io.IOException {
-        byte[] decoded = null;
-//        try {
-        decoded = decode( source, 0, source.length, Base64.NO_OPTIONS );
-//        } catch( java.io.IOException ex ) {
-//            assert false : "IOExceptions only come from GZipping, which is turned off: " + ex.getMessage();
-//        }
-        return decoded;
+    public static byte[] decode( byte[] source ) throws java.io.IOException {
+        return decode( source, 0, source.length, Base64.NO_OPTIONS );
     }
 
 
@@ -1231,9 +1229,9 @@ public class Base64
      * detecting gzip-compressed data and decompressing it.
      *
      * @param s the string to decode
-     * @param options encode options such as URL_SAFE
+     * @param options decode options such as URL_SAFE or GUNZIP
      * @return the decoded data
-     * @throws java.io.IOException if there is an error
+     * @throws java.io.IOException if there is an error (invalid character in source string or gunzip error)
      * @throws NullPointerException if <tt>s</tt> is null
      * @since 1.4
      */
@@ -1257,46 +1255,41 @@ public class Base64
 
         // Check to see if it's gzip-compressed
         // GZIP Magic Two-Byte Number: 0x8b1f (35615)
-        boolean dontGunzip = (options & DONT_GUNZIP) != 0;
-        if( (bytes != null) && (bytes.length >= 4) && (!dontGunzip) ) {
+        boolean doGunzip = (options & GUNZIP) != 0;
+        if( (bytes != null) && (bytes.length >= 4) && doGunzip ) {
 
             int head = ((int)bytes[0] & 0xff) | ((bytes[1] << 8) & 0xff00);
-            if( java.util.zip.GZIPInputStream.GZIP_MAGIC == head )  {
-                java.io.ByteArrayInputStream  bais = null;
-                java.util.zip.GZIPInputStream gzis = null;
-                java.io.ByteArrayOutputStream baos = null;
-                byte[] buffer = new byte[2048];
-                int    length = 0;
+            if( java.util.zip.GZIPInputStream.GZIP_MAGIC != head )  {
+                throw new IOException("Provided data has no GZIP magic header.");
+            }
+            java.io.ByteArrayInputStream  bais = null;
+            java.util.zip.GZIPInputStream gzis = null;
+            java.io.ByteArrayOutputStream baos = null;
+            byte[] buffer = new byte[2048];
+            int    length = 0;
 
-                try {
-                    baos = new java.io.ByteArrayOutputStream();
-                    bais = new java.io.ByteArrayInputStream( bytes );
-                    gzis = new java.util.zip.GZIPInputStream( bais );
+            try {
+                baos = new java.io.ByteArrayOutputStream();
+                bais = new java.io.ByteArrayInputStream( bytes );
+                gzis = new java.util.zip.GZIPInputStream( bais );
 
-                    while( ( length = gzis.read( buffer ) ) >= 0 ) {
-                        baos.write(buffer,0,length);
-                    }   // end while: reading input
+                while( ( length = gzis.read( buffer ) ) >= 0 ) {
+                    baos.write(buffer,0,length);
+                }   // end while: reading input
 
-                    // No error? Get new bytes.
-                    bytes = baos.toByteArray();
+                // No error? Get new bytes.
+                bytes = baos.toByteArray();
 
-                }   // end try
-                catch( java.io.IOException e ) {
-                    if (e.getMessage().equals("Unsupported compression method")) {
-                        System.out.println("Base64 decoding: Ignoring GZIP header and just returning originally-decoded bytes."); // Better to log as debug, but jboss logging not available in the module :/
-                    } else {
-                        e.printStackTrace();
-                    }
+            }   // end try
+            catch( java.io.IOException e ) {
+                throw new IOException("Failed to gunzip", e);
+            }   // end catch
+            finally {
+                try{ baos.close(); } catch( Exception e ){}
+                try{ gzis.close(); } catch( Exception e ){}
+                try{ bais.close(); } catch( Exception e ){}
+            }   // end finally
 
-                    // Just return originally-decoded bytes
-                }   // end catch
-                finally {
-                    try{ baos.close(); } catch( Exception e ){}
-                    try{ gzis.close(); } catch( Exception e ){}
-                    try{ bais.close(); } catch( Exception e ){}
-                }   // end finally
-
-            }   // end if: gzipped
         }   // end if: bytes.length >= 2
 
         return bytes;
diff --git a/common/src/main/java/org/keycloak/common/util/Base64Url.java b/common/src/main/java/org/keycloak/common/util/Base64Url.java
index 4a351c9de53..6bf9ac595fc 100755
--- a/common/src/main/java/org/keycloak/common/util/Base64Url.java
+++ b/common/src/main/java/org/keycloak/common/util/Base64Url.java
@@ -31,8 +31,7 @@ public class Base64Url {
     public static byte[] decode(String s) {
         s = encodeBase64UrlToBase64(s);
         try {
-            // KEYCLOAK-2479 : Avoid to try gzip decoding as for some objects, it may display exception to STDERR. And we know that object wasn't encoded as GZIP
-            return Base64.decode(s, Base64.DONT_GUNZIP);
+            return Base64.decode(s);
         } catch (Exception e) {
             throw new RuntimeException(e);
         }
diff --git a/common/src/test/java/org/keycloak/common/util/Base64DecodeTest.java b/common/src/test/java/org/keycloak/common/util/Base64DecodeTest.java
new file mode 100644
index 00000000000..6c32f896bd4
--- /dev/null
+++ b/common/src/test/java/org/keycloak/common/util/Base64DecodeTest.java
@@ -0,0 +1,135 @@
+package org.keycloak.common.util;
+
+import org.hamcrest.MatcherAssert;
+import org.junit.Test;
+
+import java.io.IOException;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.instanceOf;
+
+/**
+ * Test for BASE64 decode implementation.
+ *
+ * @author <a href="mailto:keycloak-hc@halfbrodt.org">Hans-Christian Halfbrodt</a>
+ */
+public class Base64DecodeTest {
+
+    @Test
+    public void decode_simple() throws IOException {
+        // high level string variant
+        final String testData = "test data";
+        final String encoded = "dGVzdCBkYXRh";
+        final String decoded = new String(Base64.decode(encoded));
+        assertThat(decoded, equalTo(testData));
+
+        // low level byte array variant
+        final byte[] encoded2 = encoded.getBytes();
+        final String decoded2 = new String(Base64.decode(encoded2));
+        assertThat(decoded2, equalTo(testData));
+    }
+
+    @Test
+    public void decode_doNotUseGzip() throws IOException {
+        // Input has gzip magic byte by coincidence and should not be gunzipped. (KEYCLOAK-18914)
+        // high level string variant
+        final byte[] testData = new byte[]{
+                31, -117, 8, -56, 1, 1, 1, 1, 1, 1, 43, 73, 45, 46,
+                81, 72, 73, 44, 73, 4, 1, -78, -82, 8, -45, 9, 1, 1, 1};
+        final String encoded = "H4sIyAEBAQEBAStJLS5RSEksSQQBsq4I0wkBAQE=";
+        final byte[] decoded = Base64.decode(encoded);
+        assertThat(decoded, equalTo(testData));
+
+        // low level byte array variant
+        final byte[] encoded2 = encoded.getBytes();
+        final byte[] decoded2 = Base64.decode(encoded2);
+        assertThat(decoded2, equalTo(testData));
+    }
+
+    @Test
+    public void decode_gzip() throws IOException {
+        // high level string variant
+        final String testData = "test data";
+        final String encoded = "H4sIAAAAAAAAACtJLS5RSEksSQQAsq4I0wkAAAA=";
+        final String decoded = new String(Base64.decode(encoded, Base64.GUNZIP));
+        assertThat(decoded, equalTo(testData));
+
+        // low level byte array variant
+        // specified to ignore gunzip option (see javadoc)
+        final byte[] expected2 = new byte[]{
+                31, -117, 8, 0, 0, 0, 0, 0, 0, 0, 43, 73,
+                45, 46, 81, 72, 73, 44, 73, 4, 0, -78, -82,
+                8, -45, 9, 0, 0, 0};
+        final byte[] encoded2 = encoded.getBytes();
+        final byte[] decoded2 = Base64.decode(encoded2, 0, encoded2.length, Base64.GUNZIP);
+        assertThat(decoded2, equalTo(expected2));
+    }
+
+    @Test
+    public void decode_empty() throws IOException {
+        final byte[] result = Base64.decode("");
+        assertThat(result, equalTo(new byte[0]));
+        final byte[] result2 = Base64.decode(new byte[0]);
+        assertThat(result2, equalTo(new byte[0]));
+
+        try {
+            Base64.decode(" ");
+            MatcherAssert.assertThat("Exception excepted", false);
+        } catch (final Exception e) {
+            assertThat(e, instanceOf(IllegalArgumentException.class));
+        }
+
+        try {
+            Base64.decode(" ".getBytes());
+            MatcherAssert.assertThat("Exception excepted", false);
+        } catch (final Exception e) {
+            assertThat(e, instanceOf(IllegalArgumentException.class));
+        }
+
+        try {
+            Base64.decode((String) null);
+            MatcherAssert.assertThat("Exception excepted", false);
+        } catch (final Exception e) {
+            assertThat(e, instanceOf(NullPointerException.class));
+        }
+
+        try {
+            Base64.decode((byte[]) null);
+            MatcherAssert.assertThat("Exception excepted", false);
+        } catch (final Exception e) {
+            assertThat(e, instanceOf(NullPointerException.class));
+        }
+    }
+
+    @Test
+    public void decode_lowLevelInvalidParams() {
+        try {
+            Base64.decode(null, 0, 1, Base64.NO_OPTIONS);
+            MatcherAssert.assertThat("Exception excepted", false);
+        } catch (final Exception e){
+            assertThat(e, instanceOf(NullPointerException.class));
+        }
+
+        try {
+            Base64.decode(new byte[2], 0, 1, Base64.NO_OPTIONS);
+            MatcherAssert.assertThat("Exception excepted", false);
+        } catch (final Exception e){
+            assertThat(e, instanceOf(IllegalArgumentException.class));
+        }
+
+        try {
+            Base64.decode(new byte[8], 0, 10, Base64.NO_OPTIONS);
+            MatcherAssert.assertThat("Exception excepted", false);
+        } catch (final Exception e){
+            assertThat(e, instanceOf(IllegalArgumentException.class));
+        }
+
+        try {
+            Base64.decode(new byte[8], 5, 5, Base64.NO_OPTIONS);
+            MatcherAssert.assertThat("Exception excepted", false);
+        } catch (final Exception e){
+            assertThat(e, instanceOf(IllegalArgumentException.class));
+        }
+    }
+}
diff --git a/saml-core-api/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/DSAKeyValueType.java b/saml-core-api/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/DSAKeyValueType.java
index ed3bfdc7e0f..ed198143072 100755
--- a/saml-core-api/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/DSAKeyValueType.java
+++ b/saml-core-api/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/DSAKeyValueType.java
@@ -17,9 +17,9 @@
 
 package org.keycloak.dom.xmlsec.w3.xmldsig;
 
+import org.keycloak.common.util.Base64;
 import org.keycloak.saml.common.constants.WSTrustConstants;
 import org.keycloak.saml.common.exceptions.ProcessingException;
-import org.keycloak.saml.common.util.Base64;
 
 import java.math.BigInteger;
 import java.security.KeyFactory;
@@ -201,14 +201,13 @@ public class DSAKeyValueType implements KeyValueType {
      * @throws org.keycloak.saml.common.exceptions.ProcessingException
      */
     public DSAPublicKey convertToPublicKey() throws ProcessingException {
-        BigInteger BigY, BigP, BigQ, BigG;
-
-        BigY = new BigInteger(1, massage(Base64.decode(new String(y))));
-        BigP = new BigInteger(1, massage(Base64.decode(new String(p))));
-        BigQ = new BigInteger(1, massage(Base64.decode(new String(q))));
-        BigG = new BigInteger(1, massage(Base64.decode(new String(g))));
 
         try {
+            BigInteger BigY = new BigInteger(1, massage(Base64.decode(new String(y))));
+            BigInteger BigP = new BigInteger(1, massage(Base64.decode(new String(p))));
+            BigInteger BigQ = new BigInteger(1, massage(Base64.decode(new String(q))));
+            BigInteger BigG = new BigInteger(1, massage(Base64.decode(new String(g))));
+
             KeyFactory dsaKeyFactory = KeyFactory.getInstance("dsa");
             DSAPublicKeySpec kspec = new DSAPublicKeySpec(BigY, BigP, BigQ, BigG);
             return (DSAPublicKey) dsaKeyFactory.generatePublic(kspec);
@@ -225,14 +224,13 @@ public class DSAKeyValueType implements KeyValueType {
      * @throws ProcessingException
      */
     public DSAPrivateKey convertToPrivateKey() throws ProcessingException {
-        BigInteger BigY, BigP, BigQ, BigG;
-
-        BigY = new BigInteger(1, massage(Base64.decode(new String(y))));
-        BigP = new BigInteger(1, massage(Base64.decode(new String(p))));
-        BigQ = new BigInteger(1, massage(Base64.decode(new String(q))));
-        BigG = new BigInteger(1, massage(Base64.decode(new String(g))));
 
         try {
+            BigInteger BigY = new BigInteger(1, massage(Base64.decode(new String(y))));
+            BigInteger BigP = new BigInteger(1, massage(Base64.decode(new String(p))));
+            BigInteger BigQ = new BigInteger(1, massage(Base64.decode(new String(q))));
+            BigInteger BigG = new BigInteger(1, massage(Base64.decode(new String(g))));
+
             KeyFactory dsaKeyFactory = KeyFactory.getInstance("dsa");
             DSAPrivateKeySpec kspec = new DSAPrivateKeySpec(BigY, BigP, BigQ, BigG);
             return (DSAPrivateKey) dsaKeyFactory.generatePrivate(kspec);
@@ -300,4 +298,4 @@ public class DSAKeyValueType implements KeyValueType {
         }
         return byteArray;
     }
-}
\ No newline at end of file
+}
diff --git a/saml-core-api/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/RSAKeyValueType.java b/saml-core-api/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/RSAKeyValueType.java
index a1cf7808fa6..4d1676af045 100755
--- a/saml-core-api/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/RSAKeyValueType.java
+++ b/saml-core-api/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/RSAKeyValueType.java
@@ -17,9 +17,9 @@
 
 package org.keycloak.dom.xmlsec.w3.xmldsig;
 
+import org.keycloak.common.util.Base64;
 import org.keycloak.saml.common.constants.WSTrustConstants;
 import org.keycloak.saml.common.exceptions.ProcessingException;
-import org.keycloak.saml.common.util.Base64;
 
 import java.math.BigInteger;
 import java.security.KeyFactory;
@@ -97,10 +97,9 @@ public class RSAKeyValueType implements KeyValueType {
      * @throws org.keycloak.saml.common.exceptions.ProcessingException
      */
     public RSAPublicKey convertToPublicKey() throws ProcessingException {
-        BigInteger bigModulus = new BigInteger(1, massage(Base64.decode(new String(modulus))));
-        BigInteger bigEx = new BigInteger(1, massage(Base64.decode(new String(exponent))));
-
         try {
+            BigInteger bigModulus = new BigInteger(1, massage(Base64.decode(new String(modulus))));
+            BigInteger bigEx = new BigInteger(1, massage(Base64.decode(new String(exponent))));
             KeyFactory rsaKeyFactory = KeyFactory.getInstance("rsa");
             RSAPublicKeySpec kspec = new RSAPublicKeySpec(bigModulus, bigEx);
             return (RSAPublicKey) rsaKeyFactory.generatePublic(kspec);
@@ -117,10 +116,9 @@ public class RSAKeyValueType implements KeyValueType {
      * @throws ProcessingException
      */
     public RSAPrivateKey convertToPrivateKey() throws ProcessingException {
-        BigInteger bigModulus = new BigInteger(1, massage(Base64.decode(new String(modulus))));
-        BigInteger bigEx = new BigInteger(1, massage(Base64.decode(new String(exponent))));
-
         try {
+            BigInteger bigModulus = new BigInteger(1, massage(Base64.decode(new String(modulus))));
+            BigInteger bigEx = new BigInteger(1, massage(Base64.decode(new String(exponent))));
             KeyFactory rsaKeyFactory = KeyFactory.getInstance("rsa");
             RSAPrivateKeySpec kspec = new RSAPrivateKeySpec(bigModulus, bigEx);
             return (RSAPrivateKey) rsaKeyFactory.generatePrivate(kspec);
@@ -160,4 +158,4 @@ public class RSAKeyValueType implements KeyValueType {
         }
         return byteArray;
     }
-}
\ No newline at end of file
+}
diff --git a/saml-core-api/src/main/java/org/keycloak/saml/common/util/Base64.java b/saml-core-api/src/main/java/org/keycloak/saml/common/util/Base64.java
deleted file mode 100755
index 49a581e9b42..00000000000
--- a/saml-core-api/src/main/java/org/keycloak/saml/common/util/Base64.java
+++ /dev/null
@@ -1,1060 +0,0 @@
-/*
- * Copyright 2016 Red Hat, Inc. and/or its affiliates
- * and other contributors as indicated by the @author tags.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.keycloak.saml.common.util;
-
-import java.nio.charset.StandardCharsets;
-import java.util.logging.Level;
-import java.util.logging.Logger;
-
-/**
- * Encodes and decodes to and from Base64 notation.
- *
- * <p>
- * Change Log:
- * </p>
- * <ul>
- * <li>v2.1 - Cleaned up javadoc comments and unused variables and methods. Added some convenience methods for reading
- * and
- * writing to and from files.</li>
- * <li>v2.0.2 - Now specifies UTF-8 encoding in places where the code fails on systems with other encodings (like
- * EBCDIC).</li>
- * <li>v2.0.1 - Fixed an error when decoding a single byte, that is, when the encoded data was a single byte.</li>
- * <li>v2.0 - I got rid of methods that used booleans to set options. Now everything is more consolidated and cleaner.
- * The code
- * now detects when data that's being decoded is gzip-compressed and will decompress it automatically. Generally things
- * are
- * cleaner. You'll probably have to change some method calls that you were making to support the new options format (
- * <tt>int</tt>s that you "OR" together).</li>
- * <li>v1.5.1 - Fixed bug when decompressing and decoding to a byte[] using <tt>decode( String s, boolean
- * gzipCompressed
- * )</tt>.
- * Added the ability to "suspend" encoding in the Output Stream so you can turn on and off the encoding if you need to
- * embed
- * base64 data in an otherwise "normal" stream (like an XML file).</li>
- * <li>v1.5 - Output stream pases on flush() command but doesn't do anything itself. This helps when using GZIP
- * streams.
- * Added
- * the ability to GZip-compress objects before encoding them.</li>
- * <li>v1.4 - Added helper methods to read/write files.</li>
- * <li>v1.3.6 - Fixed OutputStream.flush() so that 'position' is reset.</li>
- * <li>v1.3.5 - Added flag to turn on and off line breaks. Fixed bug in input stream where last buffer being read, if
- * not
- * completely full, was not returned.</li>
- * <li>v1.3.4 - Fixed when "improperly padded stream" error was thrown at the wrong time.</li>
- * <li>v1.3.3 - Fixed I/O streams which were totally messed up.</li>
- * </ul>
- *
- * <p>
- * I am placing this code in the Public Domain. Do with it as you will. This software comes with no guarantees or
- * warranties but
- * with plenty of well-wishing instead! Please visit <a href="http://iharder.net/base64">http://iharder.net/base64</a>
- * periodically to check for updates or to contribute improvements.
- * </p>
- *
- * @author Robert Harder
- * @author rob@iharder.net
- * @version 2.1
- */
-public class Base64 {
-
-    private static Logger logger = Logger.getLogger(Base64.class.getCanonicalName());
-
-    /* ******** P U B L I C F I E L D S ******** */
-
-    /** No options specified. Value is zero. */
-    public static final int NO_OPTIONS = 0;
-
-    /** Specify encoding. */
-    public static final int ENCODE = 1;
-
-    /** Specify decoding. */
-    public static final int DECODE = 0;
-
-    /** Specify that data should be gzip-compressed. */
-    public static final int GZIP = 2;
-
-    /** Don't break lines when encoding (violates strict Base64 specification) */
-    public static final int DONT_BREAK_LINES = 8;
-
-    /* ******** P R I V A T E F I E L D S ******** */
-
-    /** Maximum line length (76) of Base64 output. */
-    private static final int MAX_LINE_LENGTH = 76;
-
-    /** The equals sign (=) as a byte. */
-    private static final byte EQUALS_SIGN = (byte) '=';
-
-    /** The new line character (\n) as a byte. */
-    private static final byte NEW_LINE = (byte) '\n';
-
-    /** The 64 valid Base64 values. */
-    private static final byte[] ALPHABET;
-    private static final byte[] _NATIVE_ALPHABET = /* May be something funny like EBCDIC */
-            {(byte) 'A', (byte) 'B', (byte) 'C', (byte) 'D', (byte) 'E', (byte) 'F', (byte) 'G', (byte) 'H', (byte) 'I', (byte) 'J',
-                    (byte) 'K', (byte) 'L', (byte) 'M', (byte) 'N', (byte) 'O', (byte) 'P', (byte) 'Q', (byte) 'R', (byte) 'S',
-                    (byte) 'T', (byte) 'U', (byte) 'V', (byte) 'W', (byte) 'X', (byte) 'Y', (byte) 'Z', (byte) 'a', (byte) 'b',
-                    (byte) 'c', (byte) 'd', (byte) 'e', (byte) 'f', (byte) 'g', (byte) 'h', (byte) 'i', (byte) 'j', (byte) 'k',
-                    (byte) 'l', (byte) 'm', (byte) 'n', (byte) 'o', (byte) 'p', (byte) 'q', (byte) 'r', (byte) 's', (byte) 't',
-                    (byte) 'u', (byte) 'v', (byte) 'w', (byte) 'x', (byte) 'y', (byte) 'z', (byte) '0', (byte) '1', (byte) '2',
-                    (byte) '3', (byte) '4', (byte) '5', (byte) '6', (byte) '7', (byte) '8', (byte) '9', (byte) '+', (byte) '/'};
-
-    /** Determine which ALPHABET to use. */
-    static {
-        byte[] __bytes;
-        try {
-            __bytes = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/".getBytes(StandardCharsets.UTF_8.name());
-        } // end try
-        catch (java.io.UnsupportedEncodingException use) {
-            __bytes = _NATIVE_ALPHABET; // Fall back to native encoding
-        } // end catch
-        ALPHABET = __bytes;
-    } // end static
-
-    /**
-     * Translates a Base64 value to either its 6-bit reconstruction value or a negative number indicating some other meaning.
-     **/
-    private static final byte[] DECODABET = {-9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 0 - 8
-            -5, -5, // Whitespace: Tab and Linefeed
-            -9, -9, // Decimal 11 - 12
-            -5, // Whitespace: Carriage Return
-            -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 14 - 26
-            -9, -9, -9, -9, -9, // Decimal 27 - 31
-            -5, // Whitespace: Space
-            -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 33 - 42
-            62, // Plus sign at decimal 43
-            -9, -9, -9, // Decimal 44 - 46
-            63, // Slash at decimal 47
-            52, 53, 54, 55, 56, 57, 58, 59, 60, 61, // Numbers zero through nine
-            -9, -9, -9, // Decimal 58 - 60
-            -1, // Equals sign at decimal 61
-            -9, -9, -9, // Decimal 62 - 64
-            0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, // Letters 'A' through 'N'
-            14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, // Letters 'O' through 'Z'
-            -9, -9, -9, -9, -9, -9, // Decimal 91 - 96
-            26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, // Letters 'a' through 'm'
-            39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, // Letters 'n' through 'z'
-            -9, -9, -9, -9 // Decimal 123 - 126
-    /*
-     * ,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9, // Decimal 127 - 139 -9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9, // Decimal 140 -
-     * 152 -9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9, // Decimal 153 - 165 -9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9, // Decimal 166 -
-     * 178 -9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9, // Decimal 179 - 191 -9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9, // Decimal 192 -
-     * 204 -9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9, // Decimal 205 - 217 -9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9, // Decimal 218 -
-     * 230 -9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9, // Decimal 231 - 243 -9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9 // Decimal 244 - 255
-     */
-    };
-
-    // I think I end up not using the BAD_ENCODING indicator.
-    // private static final byte BAD_ENCODING = -9; // Indicates error in encoding
-    private static final byte WHITE_SPACE_ENC = -5; // Indicates white space in encoding
-    private static final byte EQUALS_SIGN_ENC = -1; // Indicates equals sign in encoding
-
-    /** Defeats instantiation. */
-    private Base64() {
-    }
-
-    /* ******** E N C O D I N G M E T H O D S ******** */
-
-    /**
-     * Encodes up to the first three bytes of array <var>threeBytes</var> and returns a four-byte array in Base64 notation. The
-     * actual number of significant bytes in your array is given by <var>numSigBytes</var>. The array <var>threeBytes</var>
-     * needs only be as big as <var>numSigBytes</var>. Code can reuse a byte array by passing a four-byte array as
-     * <var>b4</var>.
-     *
-     * @param b4 A reusable byte array to reduce array instantiation
-     * @param threeBytes the array to convert
-     * @param numSigBytes the number of significant bytes in your array
-     * @return four byte array in Base64 notation.
-     * @since 1.5.1
-     */
-    private static byte[] encode3to4(byte[] b4, byte[] threeBytes, int numSigBytes) {
-        encode3to4(threeBytes, 0, numSigBytes, b4, 0);
-        return b4;
-    } // end encode3to4
-
-    /**
-     * Encodes up to three bytes of the array <var>source</var> and writes the resulting four Base64 bytes to
-     * <var>destination</var>. The source and destination arrays can be manipulated anywhere along their length by specifying
-     * <var>srcOffset</var> and <var>destOffset</var>. This method does not check to make sure your arrays are large enough to
-     * accomodate <var>srcOffset</var> + 3 for the <var>source</var> array or <var>destOffset</var> + 4 for the
-     * <var>destination</var> array. The actual number of significant bytes in your array is given by <var>numSigBytes</var>.
-     *
-     * @param source the array to convert
-     * @param srcOffset the index where conversion begins
-     * @param numSigBytes the number of significant bytes in your array
-     * @param destination the array to hold the conversion
-     * @param destOffset the index where output will be put
-     * @return the <var>destination</var> array
-     * @since 1.3
-     */
-    private static byte[] encode3to4(byte[] source, int srcOffset, int numSigBytes, byte[] destination, int destOffset) {
-        // 1 2 3
-        // 01234567890123456789012345678901 Bit position
-        // --------000000001111111122222222 Array position from threeBytes
-        // --------| || || || | Six bit groups to index ALPHABET
-        // >>18 >>12 >> 6 >> 0 Right shift necessary
-        // 0x3f 0x3f 0x3f Additional AND
-
-        // Create buffer with zero-padding if there are only one or two
-        // significant bytes passed in the array.
-        // We have to shift left 24 in order to flush out the 1's that appear
-        // when Java treats a value as negative that is cast from a byte to an int.
-        int inBuff = (numSigBytes > 0 ? ((source[srcOffset] << 24) >>> 8) : 0)
-                | (numSigBytes > 1 ? ((source[srcOffset + 1] << 24) >>> 16) : 0)
-                | (numSigBytes > 2 ? ((source[srcOffset + 2] << 24) >>> 24) : 0);
-
-        switch (numSigBytes) {
-            case 3:
-                destination[destOffset] = ALPHABET[(inBuff >>> 18)];
-                destination[destOffset + 1] = ALPHABET[(inBuff >>> 12) & 0x3f];
-                destination[destOffset + 2] = ALPHABET[(inBuff >>> 6) & 0x3f];
-                destination[destOffset + 3] = ALPHABET[(inBuff) & 0x3f];
-                return destination;
-
-            case 2:
-                destination[destOffset] = ALPHABET[(inBuff >>> 18)];
-                destination[destOffset + 1] = ALPHABET[(inBuff >>> 12) & 0x3f];
-                destination[destOffset + 2] = ALPHABET[(inBuff >>> 6) & 0x3f];
-                destination[destOffset + 3] = EQUALS_SIGN;
-                return destination;
-
-            case 1:
-                destination[destOffset] = ALPHABET[(inBuff >>> 18)];
-                destination[destOffset + 1] = ALPHABET[(inBuff >>> 12) & 0x3f];
-                destination[destOffset + 2] = EQUALS_SIGN;
-                destination[destOffset + 3] = EQUALS_SIGN;
-                return destination;
-
-            default:
-                return destination;
-        } // end switch
-    } // end encode3to4
-
-    /**
-     * Serializes an object and returns the Base64-encoded version of that serialized object. If the object cannot be serialized
-     * or there is another error, the method will return <tt>null</tt>. The object is not GZip-compressed before being encoded.
-     *
-     * @param serializableObject The object to encode
-     * @return The Base64-encoded object
-     * @since 1.4
-     */
-    public static String encodeObject(java.io.Serializable serializableObject) {
-        return encodeObject(serializableObject, NO_OPTIONS);
-    } // end encodeObject
-
-    /**
-     * Serializes an object and returns the Base64-encoded version of that serialized object. If the object cannot be serialized
-     * or there is another error, the method will return <tt>null</tt>.
-     * <p>
-     * Valid options:
-     *
-     * <pre>
-     *   GZIP: gzip-compresses object before encoding it.
-     *   DONT_BREAK_LINES: don't break lines at 76 characters
-     *     <i>Note: Technically, this makes your encoding non-compliant.</i>
-     * </pre>
-     * <p>
-     * Example: <code>encodeObject( myObj, Base64.GZIP )</code> or
-     * <p>
-     * Example: <code>encodeObject( myObj, Base64.GZIP | Base64.DONT_BREAK_LINES )</code>
-     *
-     * @param serializableObject The object to encode
-     * @param options Specified options
-     * @return The Base64-encoded object
-     * @see Base64#GZIP
-     * @see Base64#DONT_BREAK_LINES
-     * @since 2.0
-     */
-    public static String encodeObject(java.io.Serializable serializableObject, int options) {
-        // Streams
-        java.io.ByteArrayOutputStream baos = null;
-        java.io.OutputStream b64os = null;
-        java.io.ObjectOutputStream oos = null;
-        java.util.zip.GZIPOutputStream gzos = null;
-
-        // Isolate options
-        int gzip = (options & GZIP);
-        int dontBreakLines = (options & DONT_BREAK_LINES);
-
-        try {
-            // ObjectOutputStream -> (GZIP) -> Base64 -> ByteArrayOutputStream
-            baos = new java.io.ByteArrayOutputStream();
-            b64os = new Base64.OutputStream(baos, ENCODE | dontBreakLines);
-
-            // GZip?
-            if (gzip == GZIP) {
-                gzos = new java.util.zip.GZIPOutputStream(b64os);
-                oos = new java.io.ObjectOutputStream(gzos);
-            } // end if: gzip
-            else
-                oos = new java.io.ObjectOutputStream(b64os);
-
-            oos.writeObject(serializableObject);
-        } // end try
-        catch (java.io.IOException e) {
-            e.printStackTrace();
-            return null;
-        } // end catch
-        finally {
-            try {
-                oos.close();
-            } catch (Exception e) {
-            }
-            try {
-                gzos.close();
-            } catch (Exception e) {
-            }
-            try {
-                b64os.close();
-            } catch (Exception e) {
-            }
-            try {
-                baos.close();
-            } catch (Exception e) {
-            }
-        } // end finally
-
-        // Return value according to relevant encoding.
-        return new String(baos.toByteArray(), StandardCharsets.UTF_8);
-
-    } // end encode
-
-    /**
-     * Encodes a byte array into Base64 notation. Does not GZip-compress data.
-     *
-     * @param source The data to convert
-     * @return the encode bytes
-     * @since 1.4
-     */
-    public static String encodeBytes(byte[] source) {
-        return encodeBytes(source, 0, source.length, NO_OPTIONS);
-    } // end encodeBytes
-
-    /**
-     * Encodes a byte array into Base64 notation.
-     * <p>
-     * Valid options:
-     *
-     * <pre>
-     *   GZIP: gzip-compresses object before encoding it.
-     *   DONT_BREAK_LINES: don't break lines at 76 characters
-     *     <i>Note: Technically, this makes your encoding non-compliant.</i>
-     * </pre>
-     * <p>
-     * Example: <code>encodeBytes( myData, Base64.GZIP )</code> or
-     * <p>
-     * Example: <code>encodeBytes( myData, Base64.GZIP | Base64.DONT_BREAK_LINES )</code>
-     *
-     *
-     * @param source The data to convert
-     * @param options Specified options
-     * @return the encoded bytes
-     * @see Base64#GZIP
-     * @see Base64#DONT_BREAK_LINES
-     * @since 2.0
-     */
-    public static String encodeBytes(byte[] source, int options) {
-        return encodeBytes(source, 0, source.length, options);
-    } // end encodeBytes
-
-    /**
-     * Encodes a byte array into Base64 notation. Does not GZip-compress data.
-     *
-     * @param source The data to convert
-     * @param off Offset in array where conversion should begin
-     * @param len Length of data to convert
-     * @return the text node
-     * @since 1.4
-     */
-    public static String encodeBytes(byte[] source, int off, int len) {
-        return encodeBytes(source, off, len, NO_OPTIONS);
-    } // end encodeBytes
-
-    /**
-     * Encodes a byte array into Base64 notation.
-     * <p>
-     * Valid options:
-     *
-     * <pre>
-     *   GZIP: gzip-compresses object before encoding it.
-     *   DONT_BREAK_LINES: don't break lines at 76 characters
-     *     <i>Note: Technically, this makes your encoding non-compliant.</i>
-     * </pre>
-     * <p>
-     * Example: <code>encodeBytes( myData, Base64.GZIP )</code> or
-     * <p>
-     * Example: <code>encodeBytes( myData, Base64.GZIP | Base64.DONT_BREAK_LINES )</code>
-     *
-     *
-     * @param source The data to convert
-     * @param off Offset in array where conversion should begin
-     * @param len Length of data to convert
-     * @param options Specified options
-     * @see Base64#GZIP
-     * @see Base64#DONT_BREAK_LINES
-     * @return the text node
-     * @since 2.0
-     */
-    public static String encodeBytes(byte[] source, int off, int len, int options) {
-        // Isolate options
-        int dontBreakLines = (options & DONT_BREAK_LINES);
-        int gzip = (options & GZIP);
-
-        // Compress?
-        if (gzip == GZIP) {
-            java.io.ByteArrayOutputStream baos = null;
-            java.util.zip.GZIPOutputStream gzos = null;
-            Base64.OutputStream b64os = null;
-
-            try {
-                // GZip -> Base64 -> ByteArray
-                baos = new java.io.ByteArrayOutputStream();
-                b64os = new Base64.OutputStream(baos, ENCODE | dontBreakLines);
-                gzos = new java.util.zip.GZIPOutputStream(b64os);
-
-                gzos.write(source, off, len);
-                gzos.close();
-            } // end try
-            catch (java.io.IOException e) {
-                e.printStackTrace();
-                return null;
-            } // end catch
-            finally {
-                try {
-                    gzos.close();
-                } catch (Exception e) {
-                }
-                try {
-                    b64os.close();
-                } catch (Exception e) {
-                }
-                try {
-                    baos.close();
-                } catch (Exception e) {
-                }
-            } // end finally
-
-            // Return value according to relevant encoding.
-            return new String(baos.toByteArray(), StandardCharsets.UTF_8);
-        } // end if: compress
-
-        // Else, don't compress. Better not to use streams at all then.
-        else {
-            // Convert option to boolean in way that code likes it.
-            boolean breakLines = dontBreakLines == 0;
-
-            int len43 = len * 4 / 3;
-            byte[] outBuff = new byte[(len43) // Main 4:3
-                    + ((len % 3) > 0 ? 4 : 0) // Account for padding
-                    + (breakLines ? (len43 / MAX_LINE_LENGTH) : 0)]; // New lines
-            int d = 0;
-            int e = 0;
-            int len2 = len - 2;
-            int lineLength = 0;
-            for (; d < len2; d += 3, e += 4) {
-                encode3to4(source, d + off, 3, outBuff, e);
-
-                lineLength += 4;
-                if (breakLines && lineLength == MAX_LINE_LENGTH) {
-                    outBuff[e + 4] = NEW_LINE;
-                    e++;
-                    lineLength = 0;
-                } // end if: end of line
-            } // en dfor: each piece of array
-
-            if (d < len) {
-                encode3to4(source, d + off, len - d, outBuff, e);
-                e += 4;
-            } // end if: some padding needed
-
-            // Return value according to relevant encoding.
-            return new String(outBuff, 0, e, StandardCharsets.UTF_8);
-
-        } // end else: don't compress
-
-    } // end encodeBytes
-
-    /* ******** D E C O D I N G M E T H O D S ******** */
-
-    /**
-     * Decodes four bytes from array <var>source</var> and writes the resulting bytes (up to three of them) to
-     * <var>destination</var>. The source and destination arrays can be manipulated anywhere along their length by specifying
-     * <var>srcOffset</var> and <var>destOffset</var>. This method does not check to make sure your arrays are large enough to
-     * accomodate <var>srcOffset</var> + 4 for the <var>source</var> array or <var>destOffset</var> + 3 for the
-     * <var>destination</var> array. This method returns the actual number of bytes that were converted from the Base64
-     * encoding.
-     *
-     *
-     * @param source the array to convert
-     * @param srcOffset the index where conversion begins
-     * @param destination the array to hold the conversion
-     * @param destOffset the index where output will be put
-     * @return the number of decoded bytes converted
-     * @since 1.3
-     */
-    private static int decode4to3(byte[] source, int srcOffset, byte[] destination, int destOffset) {
-        // Example: Dk==
-        if (source[srcOffset + 2] == EQUALS_SIGN) {
-            // Two ways to do the same thing. Don't know which way I like best.
-            // int outBuff = ( ( DECODABET[ source[ srcOffset ] ] << 24 ) >>> 6 )
-            // | ( ( DECODABET[ source[ srcOffset + 1] ] << 24 ) >>> 12 );
-            int outBuff = ((DECODABET[source[srcOffset]] & 0xFF) << 18) | ((DECODABET[source[srcOffset + 1]] & 0xFF) << 12);
-
-            destination[destOffset] = (byte) (outBuff >>> 16);
-            return 1;
-        }
-
-        // Example: DkL=
-        else if (source[srcOffset + 3] == EQUALS_SIGN) {
-            // Two ways to do the same thing. Don't know which way I like best.
-            // int outBuff = ( ( DECODABET[ source[ srcOffset ] ] << 24 ) >>> 6 )
-            // | ( ( DECODABET[ source[ srcOffset + 1 ] ] << 24 ) >>> 12 )
-            // | ( ( DECODABET[ source[ srcOffset + 2 ] ] << 24 ) >>> 18 );
-            int outBuff = ((DECODABET[source[srcOffset]] & 0xFF) << 18) | ((DECODABET[source[srcOffset + 1]] & 0xFF) << 12)
-                    | ((DECODABET[source[srcOffset + 2]] & 0xFF) << 6);
-
-            destination[destOffset] = (byte) (outBuff >>> 16);
-            destination[destOffset + 1] = (byte) (outBuff >>> 8);
-            return 2;
-        }
-
-        // Example: DkLE
-        else {
-            try {
-                // Two ways to do the same thing. Don't know which way I like best.
-                // int outBuff = ( ( DECODABET[ source[ srcOffset ] ] << 24 ) >>> 6 )
-                // | ( ( DECODABET[ source[ srcOffset + 1 ] ] << 24 ) >>> 12 )
-                // | ( ( DECODABET[ source[ srcOffset + 2 ] ] << 24 ) >>> 18 )
-                // | ( ( DECODABET[ source[ srcOffset + 3 ] ] << 24 ) >>> 24 );
-                int outBuff = ((DECODABET[source[srcOffset]] & 0xFF) << 18) | ((DECODABET[source[srcOffset + 1]] & 0xFF) << 12)
-                        | ((DECODABET[source[srcOffset + 2]] & 0xFF) << 6) | ((DECODABET[source[srcOffset + 3]] & 0xFF));
-
-                destination[destOffset] = (byte) (outBuff >> 16);
-                destination[destOffset + 1] = (byte) (outBuff >> 8);
-                destination[destOffset + 2] = (byte) (outBuff);
-
-                return 3;
-            } catch (Exception e) {
-                logger.log(Level.FINE, "" + source[srcOffset] + ": " + (DECODABET[source[srcOffset]]));
-                logger.log(Level.FINE, "" + source[srcOffset + 1] + ": " + (DECODABET[source[srcOffset + 1]]));
-                logger.log(Level.FINE, "" + source[srcOffset + 2] + ": " + (DECODABET[source[srcOffset + 2]]));
-                logger.log(Level.FINE, "" + source[srcOffset + 3] + ": " + (DECODABET[source[srcOffset + 3]]));
-                return -1;
-            } // end catch
-        }
-    } // end decodeToBytes
-
-    /**
-     * Very low-level access to decoding ASCII characters in the form of a byte array. Does not support automatically gunzipping
-     * or any other "fancy" features.
-     *
-     * @param source The Base64 encoded data
-     * @param off The offset of where to begin decoding
-     * @param len The length of characters to decode
-     * @return decoded data
-     * @since 1.3
-     */
-    public static byte[] decode(byte[] source, int off, int len) {
-        int len34 = len * 3 / 4;
-        byte[] outBuff = new byte[len34]; // Upper limit on size of output
-        int outBuffPosn = 0;
-
-        byte[] b4 = new byte[4];
-        int b4Posn = 0;
-        int i = 0;
-        byte sbiCrop = 0;
-        byte sbiDecode = 0;
-        for (i = off; i < off + len; i++) {
-            sbiCrop = (byte) (source[i] & 0x7f); // Only the low seven bits
-            sbiDecode = DECODABET[sbiCrop];
-
-            if (sbiDecode >= WHITE_SPACE_ENC) // White space, Equals sign or better
-            {
-                if (sbiDecode >= EQUALS_SIGN_ENC) {
-                    b4[b4Posn++] = sbiCrop;
-                    if (b4Posn > 3) {
-                        outBuffPosn += decode4to3(b4, 0, outBuff, outBuffPosn);
-                        b4Posn = 0;
-
-                        // If that was the equals sign, break out of 'for' loop
-                        if (sbiCrop == EQUALS_SIGN)
-                            break;
-                    } // end if: quartet built
-
-                } // end if: equals sign or better
-
-            } // end if: white space, equals sign or better
-            else {
-                throw new IllegalStateException("Bad Base64 input character at " + i + ": " + source[i] + "(decimal)");
-            } // end else:
-        } // each input character
-
-        byte[] out = new byte[outBuffPosn];
-        System.arraycopy(outBuff, 0, out, 0, outBuffPosn);
-        return out;
-    } // end decode
-
-    /**
-     * Decodes data from Base64 notation, automatically detecting gzip-compressed data and decompressing it.
-     *
-     * @param s the string to decode
-     * @return the decoded data
-     * @since 1.4
-     */
-    public static byte[] decode(String s) {
-        byte[] bytes = s.getBytes(StandardCharsets.UTF_8);
-
-        // Decode
-        bytes = decode(bytes, 0, bytes.length);
-
-        // Check to see if it's gzip-compressed
-        // GZIP Magic Two-Byte Number: 0x8b1f (35615)
-        if (bytes != null && bytes.length >= 4) {
-
-            int head = (bytes[0] & 0xff) | ((bytes[1] << 8) & 0xff00);
-            if (java.util.zip.GZIPInputStream.GZIP_MAGIC == head) {
-                java.io.ByteArrayInputStream bais = null;
-                java.util.zip.GZIPInputStream gzis = null;
-                java.io.ByteArrayOutputStream baos = null;
-                byte[] buffer = new byte[2048];
-                int length = 0;
-
-                try {
-                    baos = new java.io.ByteArrayOutputStream();
-                    bais = new java.io.ByteArrayInputStream(bytes);
-                    gzis = new java.util.zip.GZIPInputStream(bais);
-
-                    while ((length = gzis.read(buffer)) >= 0) {
-                        baos.write(buffer, 0, length);
-                    } // end while: reading input
-
-                    // No error? Get new bytes.
-                    bytes = baos.toByteArray();
-
-                } // end try
-                catch (java.io.IOException e) {
-                    // Just return originally-decoded bytes
-                } // end catch
-                finally {
-                    try {
-                        baos.close();
-                    } catch (Exception e) {
-                    }
-                    try {
-                        gzis.close();
-                    } catch (Exception e) {
-                    }
-                    try {
-                        bais.close();
-                    } catch (Exception e) {
-                    }
-                } // end finally
-
-            } // end if: gzipped
-        } // end if: bytes.length >= 2
-
-        return bytes;
-    } // end decode
-
-
-    /* ******** I N N E R C L A S S I N P U T S T R E A M ******** */
-
-    /**
-     * A {@link Base64.InputStream} will read data from another <tt>java.io.InputStream</tt>, given in the constructor, and
-     * encode/decode to/from Base64 notation on the fly.
-     *
-     * @see Base64
-     * @since 1.3
-     */
-    public static class InputStream extends java.io.FilterInputStream {
-
-        private boolean encode; // Encoding or decoding
-        private int position; // Current position in the buffer
-        private byte[] buffer; // Small buffer holding converted data
-        private int bufferLength; // Length of buffer (3 or 4)
-        private int numSigBytes; // Number of meaningful bytes in the buffer
-        private int lineLength;
-        private boolean breakLines; // Break lines at less than 80 characters
-
-        /**
-         * Constructs a {@link Base64.InputStream} in DECODE mode.
-         *
-         * @param in the <tt>java.io.InputStream</tt> from which to read data.
-         * @since 1.3
-         */
-        public InputStream(java.io.InputStream in) {
-            this(in, DECODE);
-        } // end constructor
-
-        /**
-         * Constructs a {@link Base64.InputStream} in either ENCODE or DECODE mode.
-         * <p>
-         * Valid options:
-         *
-         * <pre>
-         *   ENCODE or DECODE: Encode or Decode as data is read.
-         *   DONT_BREAK_LINES: don't break lines at 76 characters
-         *     (only meaningful when encoding)
-         *     <i>Note: Technically, this makes your encoding non-compliant.</i>
-         * </pre>
-         * <p>
-         * Example: <code>new Base64.InputStream( in, Base64.DECODE )</code>
-         *
-         *
-         * @param in the <tt>java.io.InputStream</tt> from which to read data.
-         * @param options Specified options
-         * @see Base64#ENCODE
-         * @see Base64#DECODE
-         * @see Base64#DONT_BREAK_LINES
-         * @since 2.0
-         */
-        public InputStream(java.io.InputStream in, int options) {
-            super(in);
-            this.breakLines = (options & DONT_BREAK_LINES) != DONT_BREAK_LINES;
-            this.encode = (options & ENCODE) == ENCODE;
-            this.bufferLength = encode ? 4 : 3;
-            this.buffer = new byte[bufferLength];
-            this.position = -1;
-            this.lineLength = 0;
-        } // end constructor
-
-        /**
-         * Reads enough of the input stream to convert to/from Base64 and returns the next byte.
-         *
-         * @return next byte
-         * @since 1.3
-         */
-        public int read() throws java.io.IOException {
-            // Do we need to get data?
-            if (position < 0) {
-                if (encode) {
-                    byte[] b3 = new byte[3];
-                    int numBinaryBytes = 0;
-                    for (int i = 0; i < 3; i++) {
-                        try {
-                            int b = in.read();
-
-                            // If end of stream, b is -1.
-                            if (b >= 0) {
-                                b3[i] = (byte) b;
-                                numBinaryBytes++;
-                            } // end if: not end of stream
-
-                        } // end try: read
-                        catch (java.io.IOException e) {
-                            // Only a problem if we got no data at all.
-                            if (i == 0)
-                                throw e;
-
-                        } // end catch
-                    } // end for: each needed input byte
-
-                    if (numBinaryBytes > 0) {
-                        encode3to4(b3, 0, numBinaryBytes, buffer, 0);
-                        position = 0;
-                        numSigBytes = 4;
-                    } // end if: got data
-                    else {
-                        return -1;
-                    } // end else
-                } // end if: encoding
-
-                // Else decoding
-                else {
-                    byte[] b4 = new byte[4];
-                    int i = 0;
-                    for (i = 0; i < 4; i++) {
-                        // Read four "meaningful" bytes:
-                        int b = 0;
-                        do {
-                            b = in.read();
-                        } while (b >= 0 && DECODABET[b & 0x7f] <= WHITE_SPACE_ENC);
-
-                        if (b < 0)
-                            break; // Reads a -1 if end of stream
-
-                        b4[i] = (byte) b;
-                    } // end for: each needed input byte
-
-                    if (i == 4) {
-                        numSigBytes = decode4to3(b4, 0, buffer, 0);
-                        position = 0;
-                    } // end if: got four characters
-                    else if (i == 0) {
-                        return -1;
-                    } // end else if: also padded correctly
-                    else {
-                        // Must have broken out from above.
-                        throw new java.io.IOException("Improperly padded Base64 input.");
-                    } // end
-
-                } // end else: decode
-            } // end else: get data
-
-            // Got data?
-            if (position >= 0) {
-                // End of relevant data?
-                if (/* !encode && */position >= numSigBytes)
-                    return -1;
-
-                if (encode && breakLines && lineLength >= MAX_LINE_LENGTH) {
-                    lineLength = 0;
-                    return '\n';
-                } // end if
-                else {
-                    lineLength++; // This isn't important when decoding
-                    // but throwing an extra "if" seems
-                    // just as wasteful.
-
-                    int b = buffer[position++];
-
-                    if (position >= bufferLength)
-                        position = -1;
-
-                    return b & 0xFF; // This is how you "cast" a byte that's
-                    // intended to be unsigned.
-                } // end else
-            } // end if: position >= 0
-
-            // Else error
-            else {
-                // When JDK1.4 is more accepted, use an assertion here.
-                throw new java.io.IOException("Error in Base64 code reading stream.");
-            } // end else
-        } // end read
-
-        /**
-         * Calls {@link #read()} repeatedly until the end of stream is reached or <var>len</var> bytes are read. Returns number
-         * of bytes read into array or -1 if end of stream is encountered.
-         *
-         * @param dest array to hold values
-         * @param off offset for array
-         * @param len max number of bytes to read into array
-         * @return bytes read into array or -1 if end of stream is encountered.
-         * @since 1.3
-         */
-        public int read(byte[] dest, int off, int len) throws java.io.IOException {
-            int i;
-            int b;
-            for (i = 0; i < len; i++) {
-                b = read();
-
-                // if( b < 0 && i == 0 )
-                // return -1;
-
-                if (b >= 0)
-                    dest[off + i] = (byte) b;
-                else if (i == 0)
-                    return -1;
-                else
-                    break; // Out of 'for' loop
-            } // end for: each byte read
-            return i;
-        } // end read
-
-    } // end inner class InputStream
-
-    /* ******** I N N E R C L A S S O U T P U T S T R E A M ******** */
-
-    /**
-     * A {@link Base64.OutputStream} will write data to another <tt>java.io.OutputStream</tt>, given in the constructor, and
-     * encode/decode to/from Base64 notation on the fly.
-     *
-     * @see Base64
-     * @since 1.3
-     */
-    public static class OutputStream extends java.io.FilterOutputStream {
-
-        private boolean encode;
-        private int position;
-        private byte[] buffer;
-        private int bufferLength;
-        private int lineLength;
-        private boolean breakLines;
-        private byte[] b4; // Scratch used in a few places
-        private boolean suspendEncoding;
-
-        /**
-         * Constructs a {@link Base64.OutputStream} in ENCODE mode.
-         *
-         * @param out the <tt>java.io.OutputStream</tt> to which data will be written.
-         * @since 1.3
-         */
-        public OutputStream(java.io.OutputStream out) {
-            this(out, ENCODE);
-        } // end constructor
-
-        /**
-         * Constructs a {@link Base64.OutputStream} in either ENCODE or DECODE mode.
-         * <p>
-         * Valid options:
-         *
-         * <pre>
-         *   ENCODE or DECODE: Encode or Decode as data is read.
-         *   DONT_BREAK_LINES: don't break lines at 76 characters
-         *     (only meaningful when encoding)
-         *     <i>Note: Technically, this makes your encoding non-compliant.</i>
-         * </pre>
-         * <p>
-         * Example: <code>new Base64.OutputStream( out, Base64.ENCODE )</code>
-         *
-         * @param out the <tt>java.io.OutputStream</tt> to which data will be written.
-         * @param options Specified options.
-         * @see Base64#ENCODE
-         * @see Base64#DECODE
-         * @see Base64#DONT_BREAK_LINES
-         * @since 1.3
-         */
-        public OutputStream(java.io.OutputStream out, int options) {
-            super(out);
-            this.breakLines = (options & DONT_BREAK_LINES) != DONT_BREAK_LINES;
-            this.encode = (options & ENCODE) == ENCODE;
-            this.bufferLength = encode ? 3 : 4;
-            this.buffer = new byte[bufferLength];
-            this.position = 0;
-            this.lineLength = 0;
-            this.suspendEncoding = false;
-            this.b4 = new byte[4];
-        } // end constructor
-
-        /**
-         * Writes the byte to the output stream after converting to/from Base64 notation. When encoding, bytes are buffered
-         * three at a time before the output stream actually gets a write() call. When decoding, bytes are buffered four at a
-         * time.
-         *
-         * @param theByte the byte to write
-         * @since 1.3
-         */
-        public void write(int theByte) throws java.io.IOException {
-            // Encoding suspended?
-            if (suspendEncoding) {
-                super.out.write(theByte);
-                return;
-            } // end if: supsended
-
-            // Encode?
-            if (encode) {
-                buffer[position++] = (byte) theByte;
-                if (position >= bufferLength) { // Enough to encode.
-                    out.write(encode3to4(b4, buffer, bufferLength));
-
-                    lineLength += 4;
-                    if (breakLines && lineLength >= MAX_LINE_LENGTH) {
-                        out.write(NEW_LINE);
-                        lineLength = 0;
-                    } // end if: end of line
-
-                    position = 0;
-                } // end if: enough to output
-            } // end if: encoding
-
-            // Else, Decoding
-            else {
-                // Meaningful Base64 character?
-                if (DECODABET[theByte & 0x7f] > WHITE_SPACE_ENC) {
-                    buffer[position++] = (byte) theByte;
-                    if (position >= bufferLength) { // Enough to output.
-                        int len = Base64.decode4to3(buffer, 0, b4, 0);
-                        out.write(b4, 0, len);
-                        // out.write( Base64.decode4to3( buffer ) );
-                        position = 0;
-                    } // end if: enough to output
-                } // end if: meaningful base64 character
-                else if (DECODABET[theByte & 0x7f] != WHITE_SPACE_ENC) {
-                    throw new java.io.IOException("Invalid character in Base64 data.");
-                } // end else: not white space either
-            } // end else: decoding
-        } // end write
-
-        /**
-         * Calls {@link #write(int)} repeatedly until <var>len</var> bytes are written.
-         *
-         * @param theBytes array from which to read bytes
-         * @param off offset for array
-         * @param len max number of bytes to read into array
-         * @since 1.3
-         */
-        public void write(byte[] theBytes, int off, int len) throws java.io.IOException {
-            // Encoding suspended?
-            if (suspendEncoding) {
-                super.out.write(theBytes, off, len);
-                return;
-            } // end if: supsended
-
-            for (int i = 0; i < len; i++) {
-                write(theBytes[off + i]);
-            } // end for: each byte written
-
-        } // end write
-
-        /**
-         * Method added by PHIL. [Thanks, PHIL. -Rob] This pads the buffer without closing the stream.
-         *
-         * @throws IOException
-         */
-        public void flushBase64() throws java.io.IOException {
-            if (position > 0) {
-                if (encode) {
-                    out.write(encode3to4(b4, buffer, position));
-                    position = 0;
-                } // end if: encoding
-                else {
-                    throw new java.io.IOException("Base64 input not properly padded.");
-                } // end else: decoding
-            } // end if: buffer partially full
-
-        } // end flush
-
-        /**
-         * Flushes and closes (I think, in the superclass) the stream.
-         *
-         * @since 1.3
-         */
-        public void close() throws java.io.IOException {
-            // 1. Ensure that pending characters are written
-            flushBase64();
-
-            // 2. Actually close the stream
-            // Base class both flushes and closes.
-            super.close();
-
-            buffer = null;
-            out = null;
-        } // end close
-
-        /**
-         * Suspends encoding of the stream. May be helpful if you need to embed a piece of base640-encoded data in a stream.
-         *
-         * @since 1.5.1
-         * @throws IOException
-         */
-        public void suspendEncoding() throws java.io.IOException {
-            flushBase64();
-            this.suspendEncoding = true;
-        } // end suspendEncoding
-
-        /**
-         * Resumes encoding of the stream. May be helpful if you need to embed a piece of base640-encoded data in a stream.
-         *
-         * @since 1.5.1
-         */
-        public void resumeEncoding() {
-            this.suspendEncoding = false;
-        } // end resumeEncoding
-
-    } // end inner class OutputStream
-
-} // end class Base64
diff --git a/saml-core/src/main/java/org/keycloak/saml/SAMLRequestParser.java b/saml-core/src/main/java/org/keycloak/saml/SAMLRequestParser.java
index 335a72d11ee..1dac787e7c0 100755
--- a/saml-core/src/main/java/org/keycloak/saml/SAMLRequestParser.java
+++ b/saml-core/src/main/java/org/keycloak/saml/SAMLRequestParser.java
@@ -43,7 +43,12 @@ public class SAMLRequestParser {
 
     public static SAMLDocumentHolder parseRequestRedirectBinding(String samlMessage) {
         InputStream is;
-        is = RedirectBindingUtil.base64DeflateDecode(samlMessage);
+        try {
+            is = RedirectBindingUtil.base64DeflateDecode(samlMessage);
+        } catch (IOException e) {
+            logger.samlBase64DecodingError(e);
+            return null;
+        }
         if (log.isDebugEnabled()) {
             String message = null;
             try {
@@ -105,7 +110,13 @@ public class SAMLRequestParser {
     }
 
     public static SAMLDocumentHolder parseResponseRedirectBinding(String samlMessage) {
-        InputStream is = RedirectBindingUtil.base64DeflateDecode(samlMessage);
+        InputStream is;
+        try {
+            is = RedirectBindingUtil.base64DeflateDecode(samlMessage);
+        } catch (IOException e) {
+            logger.samlBase64DecodingError(e);
+            return null;
+        }
         if (log.isDebugEnabled()) {
             String message = null;
             try {
diff --git a/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/util/SignatureUtil.java b/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/util/SignatureUtil.java
index 52c6b907566..3266e5356eb 100755
--- a/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/util/SignatureUtil.java
+++ b/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/util/SignatureUtil.java
@@ -16,6 +16,7 @@
  */
 package org.keycloak.saml.processing.core.saml.v2.util;
 
+import org.keycloak.common.util.Base64;
 import org.keycloak.dom.xmlsec.w3.xmldsig.DSAKeyValueType;
 import org.keycloak.dom.xmlsec.w3.xmldsig.KeyValueType;
 import org.keycloak.dom.xmlsec.w3.xmldsig.RSAKeyValueType;
@@ -24,14 +25,8 @@ import org.keycloak.saml.common.PicketLinkLogger;
 import org.keycloak.saml.common.PicketLinkLoggerFactory;
 import org.keycloak.saml.common.constants.GeneralConstants;
 import org.keycloak.saml.common.constants.JBossSAMLConstants;
-import org.keycloak.saml.common.constants.WSTrustConstants;
-import org.keycloak.saml.common.exceptions.ParsingException;
-import org.keycloak.saml.common.util.Base64;
 import org.keycloak.saml.processing.core.constants.PicketLinkFederationConstants;
 
-import org.w3c.dom.Element;
-import org.w3c.dom.Node;
-import org.w3c.dom.NodeList;
 import org.xml.sax.SAXException;
 
 import javax.xml.bind.JAXBException;
@@ -220,4 +215,4 @@ public class SignatureUtil {
             throw logger.signatureUnknownAlgo(algo);
         return sig;
     }
-}
\ No newline at end of file
+}
diff --git a/saml-core/src/main/java/org/keycloak/saml/processing/core/util/XMLSignatureUtil.java b/saml-core/src/main/java/org/keycloak/saml/processing/core/util/XMLSignatureUtil.java
index a548ef5c305..0127c41d922 100755
--- a/saml-core/src/main/java/org/keycloak/saml/processing/core/util/XMLSignatureUtil.java
+++ b/saml-core/src/main/java/org/keycloak/saml/processing/core/util/XMLSignatureUtil.java
@@ -16,6 +16,7 @@
  */
 package org.keycloak.saml.processing.core.util;
 
+import org.keycloak.common.util.Base64;
 import org.keycloak.common.util.PemUtils;
 import org.keycloak.dom.xmlsec.w3.xmldsig.DSAKeyValueType;
 import org.keycloak.dom.xmlsec.w3.xmldsig.KeyValueType;
@@ -28,7 +29,6 @@ import org.keycloak.saml.common.constants.JBossSAMLConstants;
 import org.keycloak.saml.common.constants.WSTrustConstants;
 import org.keycloak.saml.common.exceptions.ParsingException;
 import org.keycloak.saml.common.exceptions.ProcessingException;
-import org.keycloak.saml.common.util.Base64;
 import org.keycloak.saml.common.util.DocumentUtil;
 import org.keycloak.saml.common.util.StringUtil;
 import org.keycloak.saml.common.util.SystemPropertiesUtil;
@@ -519,7 +519,7 @@ public class XMLSignatureUtil {
         DOMValidateContext valContext = new DOMValidateContext(validationKeySelector, signatureNode);
         XMLSignature signature = fac.unmarshalXMLSignature(valContext);
         boolean coreValidity = signature.validate(valContext);
-        
+
         if (! coreValidity) {
             if (logger.isTraceEnabled()) {
                 boolean sv = signature.getSignatureValue().validate(valContext);
@@ -758,4 +758,4 @@ public class XMLSignatureUtil {
 
         return keyInfoFactory.newKeyInfo(items);
     }
-}
\ No newline at end of file
+}
diff --git a/saml-core/src/main/java/org/keycloak/saml/processing/web/util/PostBindingUtil.java b/saml-core/src/main/java/org/keycloak/saml/processing/web/util/PostBindingUtil.java
index 57c5191e33e..d300b1d59ed 100755
--- a/saml-core/src/main/java/org/keycloak/saml/processing/web/util/PostBindingUtil.java
+++ b/saml-core/src/main/java/org/keycloak/saml/processing/web/util/PostBindingUtil.java
@@ -16,10 +16,10 @@
  */
 package org.keycloak.saml.processing.web.util;
 
+import org.keycloak.common.util.Base64;
 import org.keycloak.saml.common.PicketLinkLogger;
 import org.keycloak.saml.common.PicketLinkLoggerFactory;
 import org.keycloak.saml.common.constants.GeneralConstants;
-import org.keycloak.saml.common.util.Base64;
 
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
@@ -43,7 +43,7 @@ public class PostBindingUtil {
      * @return
      */
     public static String base64Encode(String stringToEncode) throws IOException {
-        return Base64.encodeBytes(stringToEncode.getBytes(GeneralConstants.SAML_CHARSET), Base64.DONT_BREAK_LINES);
+        return Base64.encodeBytes(stringToEncode.getBytes(GeneralConstants.SAML_CHARSET));
     }
 
     /**
@@ -57,7 +57,12 @@ public class PostBindingUtil {
         if (encodedString == null)
             throw logger.nullArgumentError("encodedString");
 
-        return Base64.decode(encodedString);
+        try {
+            return Base64.decode(encodedString);
+        } catch (Exception e) {
+            logger.error(e);
+            throw logger.invalidArgumentError("base64 decode failed: " + e.getMessage());
+        }
     }
 
     /**
@@ -87,4 +92,4 @@ public class PostBindingUtil {
 
         return escaped.toString();
     }
-}
\ No newline at end of file
+}
diff --git a/saml-core/src/main/java/org/keycloak/saml/processing/web/util/RedirectBindingUtil.java b/saml-core/src/main/java/org/keycloak/saml/processing/web/util/RedirectBindingUtil.java
index e4a1a267ede..45455f1f288 100755
--- a/saml-core/src/main/java/org/keycloak/saml/processing/web/util/RedirectBindingUtil.java
+++ b/saml-core/src/main/java/org/keycloak/saml/processing/web/util/RedirectBindingUtil.java
@@ -16,8 +16,8 @@
  */
 package org.keycloak.saml.processing.web.util;
 
+import org.keycloak.common.util.Base64;
 import org.keycloak.saml.common.constants.GeneralConstants;
-import org.keycloak.saml.common.util.Base64;
 import org.keycloak.saml.common.util.StringUtil;
 import org.keycloak.saml.processing.api.util.DeflateUtil;
 
@@ -70,7 +70,7 @@ public class RedirectBindingUtil {
      * @throws IOException
      */
     public static String base64Encode(byte[] stringToEncode) throws IOException {
-        return Base64.encodeBytes(stringToEncode, Base64.DONT_BREAK_LINES);
+        return Base64.encodeBytes(stringToEncode);
     }
 
     /**
@@ -83,7 +83,7 @@ public class RedirectBindingUtil {
      * @throws IOException
      */
     public static String base64URLEncode(byte[] stringToEncode) throws IOException {
-        String base64Request = Base64.encodeBytes(stringToEncode, Base64.DONT_BREAK_LINES);
+        String base64Request = Base64.encodeBytes(stringToEncode);
         return urlEncode(base64Request);
     }
 
@@ -139,7 +139,7 @@ public class RedirectBindingUtil {
      */
     public static String deflateBase64Encode(byte[] stringToEncode) throws IOException {
         byte[] deflatedMsg = DeflateUtil.encode(stringToEncode);
-        return Base64.encodeBytes(deflatedMsg, Base64.DONT_BREAK_LINES);
+        return Base64.encodeBytes(deflatedMsg);
     }
 
     /**
@@ -162,8 +162,10 @@ public class RedirectBindingUtil {
      * @param encodedString
      *
      * @return
+     *
+     * @throws IOException
      */
-    public static InputStream base64DeflateDecode(String encodedString) {
+    public static InputStream base64DeflateDecode(String encodedString) throws IOException {
         byte[] base64decodedMsg = Base64.decode(encodedString);
         return DeflateUtil.decode(base64decodedMsg);
     }
@@ -229,4 +231,4 @@ public class RedirectBindingUtil {
             return this;
         }
     }
-}
\ No newline at end of file
+}