
Java OpenSAML KeyInfo configuration

My team and I are generating SAML tokens with OpenSAML. We have managed to get this set up, but a member of another team has told us they would be very grateful if we could tweak the generated token slightly.

The part they would like us to change is the EncryptedKey section of the token. Currently it looks like this:

        <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
        Id="_9b07dd8a259d8ee8162adf17cd761d34">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"
            xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" />
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
                <ds:X509Certificate>MIIC4DCCAcigAwIBAgIEUUrqgDANBgkqhkiG9w0BAQUFADAyMTAwLgYDVQQDEydCRFNQVUtMNzAz
                    NDIzODUuY2xpZW50LmJhcmNsYXlzY29ycC5jb20wHhcNMTMwMzIxMTEwOTUyWhcNMTQwMzIxMTEw
                    OTUyWjAyMTAwLgYDVQQDEydCRFNQVUtMNzAzNDIzODUuY2xpZW50LmJhcmNsYXlzY29ycC5jb20w
                    ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCmWG7p7iATCM06WMsKg8LlLg8AXUvyZI6l
                    hZkz7Sc/moL6WtSUBrL60joLAi4L+P/VrbtZMNzP9kh3uyW0uZ0Vb+DhsXMQBccgdQMzq//nK2GN
                    0+/F4KYKLsdYpecR28YlOQRl2Y6Gc3i8PZIk2a8bmf64tbOCyOWHzX7fNHo+MSM3JcWOLltFKZCT
                    z8O8OJjhFqxA7fl+zLBEXprJZtxU/AOaLW6qBPh8w1LmIfU8nK5bnjlKpdobV8uXlXkKVOJWxm1P
                    yjQDt1G1FKyBKLmyPbw9xY5DSDmQFpwgeZIQdOkRrrYzwYzYFCuqL9USjPw6414kYqBNr221SWei
                    pLjbAgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAILQ69plSMdO8/3nx5ZJPMWSS2MqFlThAoMW0kmK
                    20DBH5o3b+6BZ4d566IEGRReOOFVxMKNbuq3thrIliUQG0Qzzu0T41UE7noFXwZOwavYxhy1BdwW
                    B906CAb0Qq7qu1FXd8PVKzLn7IazaPXSuRkhGmoE4vcRVphRZkzU6xjkfEZ5AO+7qVE/5tcREXAB
                    coxpqWeTVeZiT0oazx7eWyqVlqSaLboOqByk5O921hY4E7PZaS7HGBXHcywVHU9fXwbEIgNl0noC
                    sduXcYkjC6WEiV8rQiuBXx5bspPkau28V+GQ1kNwuq5ypEskDW3GHUrZiAmaucooahVzvhDiBM0=
                </ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
        <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
            <xenc:CipherValue>LhIn8/SjXbnCsMP6ITxb++0rFYpN8S0L6K/VE74XKjh4Jtlo8IaZQi6c9HRqlII/VT5OKaVySNCO2wOaKS/EUsTt5a/0oR9Yh9mCLt9NQDpkxau1OiydwTYoo6G29fFpYgeDXEPrdR4iUlOERuulmFlNTETWu/doHb4b6hFZdsLEtQH1qSi/jBIq2Q7peXI396G8RWDoWO1urJtIQWR5HjqDckcp3eQ2AC3mXkm949g+OS3Y3g/dPi5erkAhNmFXdinOnX6SQWHEBhFkroFfzqkzEPOVlJdL5Rb9X1mgEk5tJefSUChs6HguRqMeMr0s4UFi/KUwlZbINio1hSNTZg==
            </xenc:CipherValue>
        </xenc:CipherData>
        <xenc:ReferenceList>
            <xenc:DataReference URI="#_a04f85fb05fda175a5e7eba026640f16" />
        </xenc:ReferenceList>
    </xenc:EncryptedKey>

However, my colleague would like it to look like this:

<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
   <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
   <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
     <dsig:KeyName>BCL12232</dsig:KeyName>
   </dsig:KeyInfo>
   <xenc:CipherData>
      <xenc:CipherValue>
         H4lcHtpC9WJcwbZ4rWFEipoRN7tbc7EOWRqZPWDtds9WaukKZP8mPECxYS7LGbV5HP+87nTE5AMfTOLecVLMiR42vFL8sza6HiMD1L5+At26UUgowlixjnUs89vE8c11sv7J5eTVb41bi/DSFLRHdaZ+sJ4ojHCxwcsUcxelsjC+kcAC09hGXOT6b7DBxzWgk+XHY86uuvpYpLLu28TibzpJdpo1gm237QJrAcz2RSY9RqCDN9UOtByHbbihCiKIMIUXG6wHBUnAtZbTp7XS3RMgkK1YBys91ImXvmRYTaNRnW2sQmdwli6m1Oxi9vFFvt8wAUClNRbM1m6wX/r1oQ==
      </xenc:CipherValue>
   </xenc:CipherData>
</xenc:EncryptedKey>

As you can see, the difference is that in the second example the X509 certificate is not added to the SAML token; the only information about the key is the key name.

After some investigation, I think the problem may lie with the credential.

Has anyone had experience configuring OpenSAML this way? How can KeyInfo be made to come out like this?

Thanks in advance for your help.

Update: I have now worked out how to set the key name using KeyInfoHelper.addKeyName(KeyInfo, KeyName); but I still cannot hide the X509 certificate information.


2 answers

  1. # Answer 1

    This is the OpenSAML 3+ version.

    import org.opensaml.security.SecurityException;
    import org.opensaml.security.credential.Credential;
    import org.opensaml.xmlsec.EncryptionConfiguration;
    import org.opensaml.xmlsec.SecurityConfigurationSupport;
    import org.opensaml.xmlsec.keyinfo.KeyInfoGenerator;
    import org.opensaml.xmlsec.keyinfo.KeyInfoGeneratorFactory;
    import org.opensaml.xmlsec.keyinfo.KeyInfoGeneratorManager;
    import org.opensaml.xmlsec.keyinfo.NamedKeyInfoGeneratorManager;
    import org.opensaml.xmlsec.signature.KeyInfo;
    import org.opensaml.xmlsec.signature.KeyName;
    import org.opensaml.xmlsec.signature.impl.KeyNameBuilder;

    private KeyInfo getKeyInfo(Credential credential, String keyNameValue) throws SecurityException {
        KeyName keyName = new KeyNameBuilder().buildObject();
        keyName.setValue(keyNameValue);
        EncryptionConfiguration secConfiguration = SecurityConfigurationSupport.getGlobalEncryptionConfiguration();
        NamedKeyInfoGeneratorManager namedKeyInfoGeneratorManager = secConfiguration.getDataKeyInfoGeneratorManager();
        KeyInfoGeneratorManager keyInfoGeneratorManager = namedKeyInfoGeneratorManager.getDefaultManager();
        // Factory registered for this credential type (X509KeyInfoGeneratorFactory for an X509Credential)
        KeyInfoGeneratorFactory keyInfoGeneratorFactory = keyInfoGeneratorManager.getFactory(credential);
        KeyInfoGenerator keyInfoGenerator = keyInfoGeneratorFactory.newInstance();
        KeyInfo keyInfo = keyInfoGenerator.generate(credential); // default config also emits <ds:X509Data>
        keyInfo.getKeyNames().add(keyName);                      // add <ds:KeyName>
        keyInfo.getX509Datas().clear();                          // drop the certificate
        return keyInfo;
    }
    
  2. # Answer 2

    The problem was that I was letting OpenSAML generate the KeyInfo for me automatically. By default, the X509 certificate is appended. I got around this by creating my own KeyInfo object and simply adding a key name to it.

    It looks a bit hacky, but it gets the job done.

    Below is the method I wrote to create the KeyInfo:

    import org.opensaml.xml.Configuration;
    import org.opensaml.xml.security.SecurityConfiguration;
    import org.opensaml.xml.security.SecurityException;
    import org.opensaml.xml.security.credential.Credential;
    import org.opensaml.xml.security.keyinfo.KeyInfoGenerator;
    import org.opensaml.xml.security.keyinfo.KeyInfoGeneratorFactory;
    import org.opensaml.xml.security.keyinfo.KeyInfoGeneratorManager;
    import org.opensaml.xml.security.keyinfo.KeyInfoHelper;
    import org.opensaml.xml.security.keyinfo.NamedKeyInfoGeneratorManager;
    import org.opensaml.xml.signature.KeyInfo;

    private KeyInfo getKeyInfo(final Credential c, final String keyName) throws SecurityException {
        final SecurityConfiguration secConfiguration =
                Configuration.getGlobalSecurityConfiguration();
        final NamedKeyInfoGeneratorManager namedKeyInfoGeneratorManager =
                secConfiguration.getKeyInfoGeneratorManager();
        final KeyInfoGeneratorManager keyInfoGeneratorManager =
                namedKeyInfoGeneratorManager.getDefaultManager();
        // Factory registered for this credential type (X509KeyInfoGeneratorFactory for an X509Credential)
        final KeyInfoGeneratorFactory keyInfoGeneratorFactory =
                keyInfoGeneratorManager.getFactory(c);
        final KeyInfoGenerator keyInfoGenerator = keyInfoGeneratorFactory.newInstance();
        // generate() follows the global security configuration; with the default
        // configuration an X509Credential also yields <ds:X509Data>
        final KeyInfo keyInfo = keyInfoGenerator.generate(c);
        // Appends a <ds:KeyName> element holding keyName
        KeyInfoHelper.addKeyName(keyInfo, keyName);
        return keyInfo;
    }
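Both answers run the default generator and then patch the resulting KeyInfo. As an added example (not code from either answer), the same KeyName-only EncryptedKey can be produced by configuring the generator so the certificate is never emitted and handing it to the encrypter; it assumes OpenSAML 3 with InitializationService already run, a recipient X509Certificate supplied by the caller, and the class and method names here are mine.

```java
import java.security.cert.X509Certificate;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.EncryptedAssertion;
import org.opensaml.saml.saml2.encryption.Encrypter;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.xmlsec.encryption.support.DataEncryptionParameters;
import org.opensaml.xmlsec.encryption.support.EncryptionConstants;
import org.opensaml.xmlsec.encryption.support.EncryptionException;
import org.opensaml.xmlsec.encryption.support.KeyEncryptionParameters;
import org.opensaml.xmlsec.keyinfo.KeyInfoGenerator;
import org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory;

/** Hypothetical helper: builds an EncryptedKey whose KeyInfo carries only <ds:KeyName>. */
public final class KeyNameOnlyEncrypter {

    /** Generator that emits the credential's key names and nothing else. */
    static KeyInfoGenerator keyNameOnlyGenerator() {
        X509KeyInfoGeneratorFactory factory = new X509KeyInfoGeneratorFactory();
        factory.setEmitKeyNames(true);            // credential.getKeyNames() -> <ds:KeyName>
        factory.setEmitEntityCertificate(false);  // the global default emits it; that is the cert in the question
        factory.setEmitPublicKeyValue(false);     // no <ds:KeyValue> either
        return factory.newInstance();
    }

    /** Recipient certificate wrapped as the key-transport credential, tagged with the agreed key name. */
    static Credential recipientCredential(X509Certificate recipientCert, String keyName) {
        BasicX509Credential cred = new BasicX509Credential(recipientCert);
        cred.getKeyNames().add(keyName);          // e.g. "BCL12232" as in the desired token
        return cred;
    }

    /** Encrypts the assertion; the EncryptedKey names the key instead of embedding the certificate. */
    static EncryptedAssertion encrypt(Assertion assertion, Credential kek) throws EncryptionException {
        DataEncryptionParameters dataParams = new DataEncryptionParameters();
        dataParams.setAlgorithm(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128_GCM); // random data key generated

        KeyEncryptionParameters kekParams = new KeyEncryptionParameters();
        kekParams.setEncryptionCredential(kek);
        // The question's token used rsa-1_5; RSA-OAEP is the key-transport algorithm to prefer.
        kekParams.setAlgorithm(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
        kekParams.setKeyInfoGenerator(keyNameOnlyGenerator());

        Encrypter encrypter = new Encrypter(dataParams, kekParams);
        encrypter.setKeyPlacement(Encrypter.KeyPlacement.INLINE); // EncryptedKey inside EncryptedData/KeyInfo
        return encrypter.encrypt(assertion);
    }
}
```

Because the certificate is no longer in the token, the receiving side must resolve "BCL12232" to the right private key from its own keystore, so agree the key name with that team before switching.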