java - 如何使用带有 jks 或签名元数据的 Spring SAML 代码

Question

IDP只提供了.crt文件和元数据xml文件，IDP告诉我们.crt文件没有密码，我用命令创建了jks文件：keytool -import -alias zoom -trustcacerts -file qa.crt -keystore keystory.jks . 现在，我下载了 spring SAML 演示代码，并将 securyContext.xml 更改为如下：

-----matadata.xml----------

<md:EntityDescriptor entityID="gene.com" cacheDuration="PT1440M" ID="dfhGJ7yKW7C3nvicVEN.puf7bSh" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#dfhGJ7yKW7C3nvicVEN.puf7bSh">
            <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>lSCVZb+3JcGXnhwYj5IQqxaM2UaBbmiTOYa/fO5NRAo=</ds:DigestValue>
        </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
        {my ds:SignatureValue}
    </ds:SignatureValue>
    <ds:KeyInfo>
        <ds:X509Data>
            <ds:X509Certificate>
                {my ds:X509Certificate}
            </ds:X509Certificate>
        </ds:X509Data>
        <ds:KeyValue>
            <ds:RSAKeyValue>
                <ds:Modulus>
                    {my ds:Modulus}
                </ds:Modulus>
                <ds:Exponent>AQAB</ds:Exponent>
            </ds:RSAKeyValue>
        </ds:KeyValue>
    </ds:KeyInfo>
</ds:Signature>
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
                <ds:X509Certificate>
                    {my ds:X509Certificate}
                </ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Location="https://b2bqa.roche.com/idp/SSO.saml2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
    <md:SingleSignOnService Location="https://b2bqa.roche.com/idp/SSO.saml2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="WorkPhone" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="ChrisID" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Email" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Account" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Department" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="MobilePhone" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Sex" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
</md:IDPSSODescriptor>
<md:ContactPerson contactType="administrative">
    <md:Company>Genentech Inc.,</md:Company>
    <md:GivenName>IAM-DFS</md:GivenName>
    <md:EmailAddress>GLOORG_SAS-AMS-Web-Access-Services-Comms@msxdl.roche.com</md:EmailAddress>
</md:ContactPerson>

---

<bean id="samlMetadataManager" class="org.springframework.security.saml.metadata.CachingMetadataManager">
    <constructor-arg>
        <list>
            <bean id="samlRocheIDP" class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                <constructor-arg>
                    <value type="java.io.File">classpath:qa.xml</value>
                </constructor-arg>
                <property name="parserPool" ref="samlParserPool"/>
            </bean>
        </list>
    </constructor-arg>
</bean>

--------------securiyContext.xml-------- 但是SP初始化的地方总是失败，错误信息：

Signature verification failed.
Signature trust establishment failed for metadata entry https://b2b.roche.com
Error filtering metadata from E:\Workspace2\saml\spring-security-saml\target\classes\qa.xml

我的问题是如何将 spring saml 与签名的元数据 xml 文件集成。我应该创建另一个 jks 文件吗？我克隆了许多 java 演示，他们在springWebSecurityContext.xml中配置了元数据 xml 文件和 jks 文件。

但我认为元数据 xml 已经包含证书和密钥。我认为我不再需要配置 jks 文件了，对吧？

你能帮我找出如何将 saml 集成到我的项目中吗？谢谢大家！

Answer 1

确保您有正确的 .jks 文件。您将需要一个用于 keyManager 的 bean。

@Bean
public KeyManager keyManager() {
    DefaultResourceLoader loader = new DefaultResourceLoader();
    Resource storeFile = loader
        .getResource("classpath:/saml/keystore.jks");
    String storePass = "nalle123";
    Map<String, String> passwords = new HashMap<String, String>();
    String defaultKey = "apollo";
    passwords.put("apollo", "nalle123");
    return new JKSKeyManager(storeFile, storePass, passwords, defaultKey);
}

您可以在 Map 中为此设置多个密​​钥和密码，但默认需要一个。MetadataGenerator bean 也使用此 bean

您可以在密钥库中导入证书，可以使用以下脚本

IDP_HOST=<hostip>
IDP_PORT=<port>
CERTIFICATE_FILE=certfile.cert
KEYSTORE_FILE=keystore.jks
KEYSTORE_PASSWORD=<password>

openssl s_client -host $IDP_HOST -port $IDP_PORT -prexit -showcerts </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > $CERTIFICATE_FILE
keytool.exe -delete -alias <put alias name here> -keystore $KEYSTORE_FILE -storepass $KEYSTORE_PASSWORD
keytool.exe -import -alias <put alias name here> -file $CERTIFICATE_FILE - 
keystore $KEYSTORE_FILE -storepass $KEYSTORE_PASSWORD -noprompt