Java 如何使用openssl(.PCKS8)文件对SAML2.0断言进行签名
嗨,我需要一些关于SAML2.0身份验证请求的信息。我想用openssl创建的*.pkcs8文件签署我的authn请求。我可以使用JavaKeyTool处理密钥库文件。但我希望通过使用openssl生成*.PKCS8文件来实现同样的效果。我已经为此挣扎了一段时间。我能够用它生成xml //授权请求Java 如何使用openssl(.PCKS8)文件对SAML2.0断言进行签名,java,saml,opensaml,Java,Saml,Opensaml,嗨,我需要一些关于SAML2.0身份验证请求的信息。我想用openssl创建的*.pkcs8文件签署我的authn请求。我可以使用JavaKeyTool处理密钥库文件。但我希望通过使用openssl生成*.PKCS8文件来实现同样的效果。我已经为此挣扎了一段时间。我能够用它生成xml //授权请求 <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceUR
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="http://localhost:8080/sp/AssertionConsumerService" Destination="http://localhost:8080/idp/SingleSignOnService" ID="95cc3943-67dd-43ef-809b-2ccd8bd3e4e9" IssueInstant="2013-04-26T12:18:48.799Z" Version="2.0">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">sp</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#95cc3943-67dd-43ef-809b-2ccd8bd3e4e9">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="ds saml samlp"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>2HkVe/KnVzcMgneRUItjq2V/FEA=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
NjCxy8R3NjkN8B932FJolGTqtYTBBTLboHUo7ZqEXxICUW/ZhOV2Pwe+c4R0/TrPqBPVZBItlXyv
at3edIMrr7RlEFGy3rt7pPVRXUcmF6jtDZajCpwwaEKKD--REMOVED SOME CODE------------
egb8dua65WhY1KkugNPG4FWTVhtzul/CBo9a8vN/ZuXRbZQ6sUWbq1BFgC6Zmw8kr1aUNBwqRi7r
ZNPXcGVhXuFQTTV4Kuc1eiI1lgANKLTrkCBRSw==
</ds:SignatureValue>
</ds:Signature>
</samlp:AuthnRequest>
服务提供商
2HkVe/KnVzcMgneRUItjq2V/FEA=
NJCXY8R3NJKN8B932JOLLGTQTYTBTLBOHUO7ZQE2XICUW/ZhOV2Pwe+c4R0/TrPqBPVZBItlXyv
AT3EDIMRR7RLEFGY3RT7PPVRXUCMF6JTDZAJCPWAEKKD——删除了一些代码------------
egb8dua65WhY1KkugNPG4FWTVhtzul/CBo9a8vN/ZUXRBZQ6SUWBQ1BFGC6ZMW8KR1UNBWQRI7R
ZNPXCGVHXUFQTTV4KUC1EI1LGANKLTRKCBRSW==
//结束
我无法获得使用java keytool获得的keyInfo、X509数据和证书值
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>hZB2kOYypWs33Bs2BTaKZOKGig0CAwEAATANBgkqhkiG9w0BAQUFAAOB
gQB3Cfe0iTfrXY9E22TFy5b87kwpDKjLopNLtX3kqSUlfjnbN5tYN4zr91H5dZUkuFF83z7ztzKi
zkcxiMgVVQkU2X1bn5SdErvmS7aEcG8+5TdlO5bf+8as04u5qug+oQun5s1t9mSvaF7Ol5CX/gkp
EUTjXx28kldbY7ETgDUrSw==</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
HZB2KOYPWS3BS2BTAKZOKIG0CAWAEATANBGKQHKIG9W0BAQUFAAOB
gQB3Cfe0iTfrXY9E22TFy5b87kwpDKjLopNLtX3kqSUlfjnbN5tYN4zr91H5dZUkuFF83z7ztzKi
ZKCXIMGVQKU2X1BN5SDERVMS7AECG8+5TdlO5bf+8as04u5qug+oQun5s1t9mSvaF7Ol5CX/gkp
EUTjXx28kldbY7ETgDUrSw==
同时告诉我我的授权请求是否完成。
工件和POST(断言)saml消息的Authn请求是否相同
请帮忙 您可以使用它来输出keyinfo
X509KeyInfoGeneratorFactory fact = new X509KeyInfoGeneratorFactory();
fact.setEmitEntityCertificate(true);
signature.setKeyInfo(fact.newInstance().generate(cred));
如何构造
org.opensaml.xml.security.credential.credential
对象?
您只能从PKCS8文件加载。您仍然需要公钥来完全构造凭证对象。如果您的公钥存储在编码字节中,您可以使用以下代码创建凭证
,并使用该代码对请求进行签名
/**
* Load privateKeyDerBytes from PKCS8 file and publicKeyDerBytes from .cer, .crt, .der files
*/
private static Credential getCredential(byte[] privateKeyDerBytes , byte[] publicKeyDerBytes) throws IOException
{
PrivateKey privateKey = PKCS8Key.parse(new DerValue( privateKeyDerBytes ));
PublicKey publicKey = X509Key.parse(new DerValue(publicKeyDerBytes));
BasicCredential basicCredential = new BasicCredential();
basicCredential.setUsageType(UsageType.SIGNING);
basicCredential.setPrivateKey(privateKey);
basicCredential.setPublicKey(publicKey);
return basicCredential;
}
public static void signAssertion(Assertion assertion , byte[] privateKeyDerBytes , byte[] publicKeyDerBytes) throws IOException, SecurityException
{
// get Credential
Credential credential = getCredential(privateKeyDerBytes, publicKeyDerBytes);
// create Signature
Signature signature = (Signature) Configuration.getBuilderFactory().getBuilder(
Signature.DEFAULT_ELEMENT_NAME).buildObject(
Signature.DEFAULT_ELEMENT_NAME);
signature.setSigningCredential(credential);
signature
.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1);
signature
.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
signature.setKeyInfo(getKeyInfo(credential));
assertion.setSignature(signature);
}
public static KeyInfo getKeyInfo(Credential credential)
throws SecurityException {
SecurityConfiguration secConfiguration = Configuration
.getGlobalSecurityConfiguration();
NamedKeyInfoGeneratorManager namedKeyInfoGeneratorManager = secConfiguration
.getKeyInfoGeneratorManager();
KeyInfoGeneratorManager keyInfoGeneratorManager = namedKeyInfoGeneratorManager
.getDefaultManager();
KeyInfoGeneratorFactory factory = keyInfoGeneratorManager
.getFactory(credential);
KeyInfoGenerator generator = factory.newInstance();
return generator.generate(credential);
}
只是为了证实我是这样做的。”Signature Signature=(Signature)Configuration.getBuilderFactory().getBuilder(Signature.DEFAULT\u ELEMENT\u NAME).buildObject(Signature.DEFAULT\u ELEMENT\u NAME);X509KeyInfoGeneratorFactory事实=新的X509KeyInfoGeneratorFactory();事实。setEmitEntityCertificate(真);请尝试{signature.setKeyInfo(fact.newInstance().generate(signingCredential));}catch(SecurityException e){//TODO自动生成的catch块e.printStackTrace();}samlMessage.setSignature(signature);'你以前就是这么做的吗?不是。我只是把你的代码,并试图以这种方式添加它。但它没有生成所需的keyInfo(使用x506cert)。实际上需要将Keyinfo设置为凭证。这是否可能,一旦我获得签名凭证,我就不确定了。这是我编码和发送authn请求的代码。HttpServletResponsedAdapter outTransport=new HttpServletResponsedAdapter(response,false);BasicSAMLMessageContext=新的BasicSAMLMessageContext();messageContext.setOutboundMessageTransport(outTransport);messageContext.setPeerEntityEndpoint(端点);messageContext.setOutboundSAMLMessage(samlMessage);messageContext.setOutboundMessageIssuer(issuingEntityName);messageContext.setRelayState(clientId);messageContext.setOutboundSAMLMessageSigningCredential(signingCredential);encoder.encode(messageContext);谢谢你,纳迪尔萨加尔。我会核实你的建议,然后再给你回复。