1

我和我的团队正在使用 opensaml 生成 SAML 令牌。我们已经设法完成了这个设置,但另一个团队的一名成员告诉他们,如果我们可以对生成的令牌进行一些配置,他们会很感激的。

他们希望我们更改的区域是令牌的 EncryptedKey 部分。目前,它看起来像这样:

        <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
        Id="_9b07dd8a259d8ee8162adf17cd761d34">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"
            xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" />
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
                <ds:X509Certificate>MIIC4DCCAcigAwIBAgIEUUrqgDANBgkqhkiG9w0BAQUFADAyMTAwLgYDVQQDEydCRFNQVUtMNzAz
                    NDIzODUuY2xpZW50LmJhcmNsYXlzY29ycC5jb20wHhcNMTMwMzIxMTEwOTUyWhcNMTQwMzIxMTEw
                    OTUyWjAyMTAwLgYDVQQDEydCRFNQVUtMNzAzNDIzODUuY2xpZW50LmJhcmNsYXlzY29ycC5jb20w
                    ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCmWG7p7iATCM06WMsKg8LlLg8AXUvyZI6l
                    hZkz7Sc/moL6WtSUBrL60joLAi4L+P/VrbtZMNzP9kh3uyW0uZ0Vb+DhsXMQBccgdQMzq//nK2GN
                    0+/F4KYKLsdYpecR28YlOQRl2Y6Gc3i8PZIk2a8bmf64tbOCyOWHzX7fNHo+MSM3JcWOLltFKZCT
                    z8O8OJjhFqxA7fl+zLBEXprJZtxU/AOaLW6qBPh8w1LmIfU8nK5bnjlKpdobV8uXlXkKVOJWxm1P
                    yjQDt1G1FKyBKLmyPbw9xY5DSDmQFpwgeZIQdOkRrrYzwYzYFCuqL9USjPw6414kYqBNr221SWei
                    pLjbAgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAILQ69plSMdO8/3nx5ZJPMWSS2MqFlThAoMW0kmK
                    20DBH5o3b+6BZ4d566IEGRReOOFVxMKNbuq3thrIliUQG0Qzzu0T41UE7noFXwZOwavYxhy1BdwW
                    B906CAb0Qq7qu1FXd8PVKzLn7IazaPXSuRkhGmoE4vcRVphRZkzU6xjkfEZ5AO+7qVE/5tcREXAB
                    coxpqWeTVeZiT0oazx7eWyqVlqSaLboOqByk5O921hY4E7PZaS7HGBXHcywVHU9fXwbEIgNl0noC
                    sduXcYkjC6WEiV8rQiuBXx5bspPkau28V+GQ1kNwuq5ypEskDW3GHUrZiAmaucooahVzvhDiBM0=
                </ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
        <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
            <xenc:CipherValue>LhIn8/SjXbnCsMP6ITxb++0rFYpN8S0L6K/VE74XKjh4Jtlo8IaZQi6c9HRqlII/VT5OKaVySNCO2wOaKS/EUsTt5a/0oR9Yh9mCLt9NQDpkxau1OiydwTYoo6G29fFpYgeDXEPrdR4iUlOERuulmFlNTETWu/doHb4b6hFZdsLEtQH1qSi/jBIq2Q7peXI396G8RWDoWO1urJtIQWR5HjqDckcp3eQ2AC3mXkm949g+OS3Y3g/dPi5erkAhNmFXdinOnX6SQWHEBhFkroFfzqkzEPOVlJdL5Rb9X1mgEk5tJefSUChs6HguRqMeMr0s4UFi/KUwlZbINio1hSNTZg==
            </xenc:CipherValue>
        </xenc:CipherData>
        <xenc:ReferenceList>
            <xenc:DataReference URI="#_a04f85fb05fda175a5e7eba026640f16" />
        </xenc:ReferenceList>
    </xenc:EncryptedKey>

然而,我的同事希望它看起来像这样:

<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
   <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
   <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
     <dsig:KeyName>BCL12232</dsig:KeyName>
   </dsig:KeyInfo>
   <xenc:CipherData>
      <xenc:CipherValue>
         H4lcHtpC9WJcwbZ4rWFEipoRN7tbc7EOWRqZPWDtds9WaukKZP8mPECxYS7LGbV5HP+87nTE5AMfTOLecVLMiR42vFL8sza6HiMD1L5+At26UUgowlixjnUs89vE8c11sv7J5eTVb41bi/DSFLRHdaZ+sJ4ojHCxwcsUcxelsjC+kcAC09hGXOT6b7DBxzWgk+XHY86uuvpYpLLu28TibzpJdpo1gm237QJrAcz2RSY9RqCDN9UOtByHbbihCiKIMIUXG6wHBUnAtZbTp7XS3RMgkK1YBys91ImXvmRYTaNRnW2sQmdwli6m1Oxi9vFFvt8wAUClNRbM1m6wX/r1oQ==
      </xenc:CipherValue>
   </xenc:CipherData>
</xenc:EncryptedKey>

如您所见,不同之处在于后一个示例中没有将 X509 证书添加到 SAML 令牌中,关于密钥的唯一信息是密钥名称。

经过调查,我认为问题可能出在凭证中。

有没有人有以这种方式配置 opensaml 的经验?怎么可能像这样配置 KeyInfo?

在此先感谢您的帮助。

更新:我现在已经弄清楚了如何使用 设置密钥名KeyInfoHelper.addKeyName(KeyInfo, KeyName);,但在隐藏 X509 证书信息方面仍然没有运气。

4

2 回答 2

3

这是 OpenSAML 3+ 版本。

private KeyInfo getKeyInfo(Credential c, String keyNameValue) {
    KeyName keyName = new KeyNameBuilder().buildObject();
    keyName.setValue(keyNameValue);
    EncryptionConfiguration secConfiguration = SecurityConfigurationSupport.getGlobalEncryptionConfiguration();
    NamedKeyInfoGeneratorManager namedKeyInfoGeneratorManager = secConfiguration.getDataKeyInfoGeneratorManager();
    KeyInfoGeneratorManager keyInfoGeneratorManager = namedKeyInfoGeneratorManager.getDefaultManager();
    KeyInfoGeneratorFactory keyInfoGeneratorFactory = keyInfoGeneratorManager.getFactory(credential);
    KeyInfoGenerator keyInfoGenerator = keyInfoGeneratorFactory.newInstance();
    KeyInfo keyInfo = keyInfoGenerator.generate(credential);
    keyInfo.getKeyNames().add(keyName);
    keyInfo.getX509Datas().clear();
    return keyInfo;             
}
于 2018-05-02T09:49:19.433 回答
0

问题是我正在使用 opensaml 为我自动生成密钥信息。默认情况下,附加 x509 证书。我通过创建自己的 KeyInfo 对象克服了这个问题,并简单地向它添加了一个键名。

似乎有点hacky,但完成了工作。

以下是我编写的创建密钥信息的方法。

private KeyInfo getKeyInfo(final Credential c, final String keyName) {

    final SecurityConfiguration secConfiguration =
            Configuration.getGlobalSecurityConfiguration();
    final NamedKeyInfoGeneratorManager namedKeyInfoGeneratorManager =
            secConfiguration.getKeyInfoGeneratorManager();
    final KeyInfoGeneratorManager keyInfoGeneratorManager =
            namedKeyInfoGeneratorManager.getDefaultManager();
    final KeyInfoGeneratorFactory keyInfoGeneratorFactory =
            keyInfoGeneratorManager.getFactory(c);
    final KeyInfoGenerator keyInfoGenerator = keyInfoGeneratorFactory.newInstance();
    KeyInfo keyInfo;

    keyInfo = keyInfoGenerator.generate(c);
    KeyInfoHelper.addKeyName(keyInfo,
            keyName);
    return keyInfo;
}
于 2013-07-31T14:53:37.053 回答