Java: How do I add SignatureValue and KeyInfo to an OpenSAML 3 Response?


In OpenSAML 2.5, I used the following code to generate a SAML assertion with the security certificate details:

        Credential signingCredential = sign.getSigningCredential();

        Signature signature = null;

        try {
            DefaultBootstrap.bootstrap();
        } catch (ConfigurationException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }
        signature = (Signature) Configuration.getBuilderFactory()
                .getBuilder(Signature.DEFAULT_ELEMENT_NAME)
                .buildObject(Signature.DEFAULT_ELEMENT_NAME);
        signature.setSigningCredential(signingCredential);

        // This is also the default if a null SecurityConfiguration is
        // specified
        SecurityConfiguration secConfig = Configuration
                .getGlobalSecurityConfiguration();

        try {
            SecurityHelper.prepareSignatureParams(signature,
                    signingCredential, secConfig, null);
        } catch (SecurityException e) {
            e.printStackTrace();
        } catch (org.opensaml.xml.security.SecurityException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }


        SsoSamlWriter samlWriter = new SsoSamlWriter(ssoData);
        Assertion assertion = samlWriter.buildSamlAssertion();

SAML message extract:

        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                <ds:Reference URI="#514131e4-8ef0-469c-b8b0-a185b874320e">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                            <ec:InclusiveNamespaces PrefixList="xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </ds:Transform>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                    <ds:DigestValue>fmIxhw8sGFU/J3SWDk5BnBCKRog=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>HOHkf...pqj2w==</ds:SignatureValue>
            <KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>MIID...6BS9K
L/SvOZxWrA==</ds:X509Certificate>
                </ds:X509Data>
            </KeyInfo>
        </ds:Signature>

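I am trying to update this code to OpenSAML 3.2 and I have been able to generate the SAML message, but I don't know how to attach the detailed security certificate data. Does anyone have a code example that adds the SignatureValue and X509Certificate details to a SAML assertion?

Here is the OpenSAML 3.2 code I have so far: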

Credential signingCredential = sign.getSigningCredential();
SsoSamlWriter samlWriter = new SsoSamlWriter(ssoData);
Assertion assertion = samlWriter.buildSamlAssertion();

Signature signature = SAMLUtils.buildSAMLObject(Signature.class);
signature.setSigningCredential(signingCredential);
signature.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1);
signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

// Need to supply an org.opensaml.security.credential.Credential;
signature.setSigningCredential(signingCredential);
assertion.setSignature(signature);

try {
    XMLObjectProviderRegistrySupport.getMarshallerFactory().getMarshaller(assertion).marshall(assertion);
} catch (MarshallingException e) {
    throw new RuntimeException(e);
}

try {
    Signer.signObject(signature);
} catch (SignatureException e) {
    throw new RuntimeException(e);
}

// Wrap assertion in SAML Response
ResponseBuilder responseBuilder = new ResponseBuilder();
Response samlResponse = responseBuilder.buildObject();

// Build an Issuer object
Issuer issuer = SAMLUtils.buildSAMLObject(Issuer.class);
issuer.setValue(ssoIssuerName);
issuer.setSPProvidedID(ssoUrlSuffix);

// Add NameID element to assertion with Oasis Employee SSN
Subject subject = new SubjectBuilder().buildObject();
NameID nameID = new NameIDBuilder().buildObject();
nameID.setValue(empSsn);
nameID.setFormat(NameIDType.X509_SUBJECT);
subject.setNameID(nameID);
assertion.setSubject(subject);      

String responseIdStr = UUID.randomUUID().toString();
assertion.setID(responseIdStr);
samlResponse.setID(responseIdStr);
samlResponse.setIssueInstant(new DateTime());
samlResponse.setIssuer(issuer);
samlResponse.setVersion(SAMLVersion.VERSION_20);
samlResponse.setStatus(samlWriter.createStatus());
samlResponse.getAssertions().add(assertion);

ResponseMarshaller marshaller = new ResponseMarshaller();
Element plain = marshaller.marshall(samlResponse);
String samlResponseStr = XMLHelper.nodeToString(plain);

// Remove ds: prefix from <ds:KeyInfo> elements
// stegre => Accommodate bug on CIC side, remove this line eventually
samlResponseStr = samlResponseStr.replaceAll("ds:KeyInfo", "KeyInfo");

System.out.println("");
System.out.println("SAML Response: ");
System.out.println(samlResponseStr);
System.out.println("");

The resulting SAML message:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response ID="356498c8-036d-41b1-9602-89fa90e40331" IssueInstant="2016-10-12T15:15:23.987Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer SPProvidedID="OasisAdvantage" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">OasisAdvantage</saml2:Issuer>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </saml2p:Status>
    <saml2:Assertion ID="356498c8-036d-41b1-9602-89fa90e40331" IssueInstant="2016-10-12T15:15:20.442Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <saml2:Issuer SPProvidedID="OasisAdvantage">OasisAdvantage</saml2:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                <ds:Reference URI="#356498c8-036d-41b1-9602-89fa90e40331">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                            <ec:InclusiveNamespaces PrefixList="xsd" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </ds:Transform>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                    <ds:DigestValue/>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue/>
        </ds:Signature>
        <saml2:Subject>
            <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">OasisUser</saml2:NameID>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2016-10-12T15:15:20.442Z" NotOnOrAfter="2016-10-12T15:20:20.442Z"/>
        <saml2:AuthnStatement AuthnInstant="2016-10-12T15:15:20.566Z" SessionNotOnOrAfter="2016-10-12T15:15:20.581Z">
            <saml2:AuthnContext>
                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
        <saml2:AttributeStatement>
            <saml2:Attribute Name="companyid">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">OasisAdvantage</saml2:AttributeValue>
            </saml2:Attribute>
        </saml2:AttributeStatement>
    </saml2:Assertion>
</saml2p:Response>


The following code adds the computed signature value:

    org.opensaml.saml.saml2.core.Response samlResponse = responseBuilder.buildObject();

    // Compute and add SignatureValue element to Signature
    XMLObjectProviderRegistrySupport.getMarshallerFactory()
                .getMarshaller(samlResponse).marshall(samlResponse);
    Signer.signObject(signature);
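
The answer above covers SignatureValue; the following added example (not code from the original post) also attaches the KeyInfo/X509Certificate the question asks about and keeps the marshal-then-sign order. It assumes OpenSAML 3 has been initialised with `InitializationService.initialize()` and that the credential is an `X509Credential`; the class and method names are hypothetical, and RSA-SHA256 is used in place of the question's RSA-SHA1.

```java
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.core.xml.io.MarshallingException;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.security.SecurityException;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.x509.X509Credential;
import org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureConstants;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.Signer;
import org.w3c.dom.Element;

// Hypothetical helper: signs an assertion inside its response, with KeyInfo.
public final class SignedResponseBuilder {

    // Call only after the assertion's ID, Subject, Conditions etc. are final.
    public static Element signAndMarshal(Response response, Assertion assertion,
            Credential credential)
            throws SecurityException, MarshallingException, SignatureException {
        if (!(credential instanceof X509Credential)) {
            throw new IllegalArgumentException("X509Credential required to emit X509Certificate");
        }
        Signature signature = (Signature) XMLObjectProviderRegistrySupport.getBuilderFactory()
                .getBuilder(Signature.DEFAULT_ELEMENT_NAME)
                .buildObject(Signature.DEFAULT_ELEMENT_NAME);
        signature.setSigningCredential(credential);
        signature.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
        signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

        // Build <ds:KeyInfo><ds:X509Data><ds:X509Certificate> from the signing certificate.
        X509KeyInfoGeneratorFactory keyInfoFactory = new X509KeyInfoGeneratorFactory();
        keyInfoFactory.setEmitEntityCertificate(true);
        signature.setKeyInfo(keyInfoFactory.newInstance().generate(credential));

        assertion.setSignature(signature);
        response.getAssertions().add(assertion);

        // Marshal the outermost object first, then sign: signObject() fills in
        // DigestValue and SignatureValue on the DOM produced by this marshall() call.
        // Any setter call on the assertion after this point invalidates the cached
        // DOM and, with it, the computed values.
        Element dom = XMLObjectProviderRegistrySupport.getMarshallerFactory()
                .getMarshaller(response).marshall(response);
        Signer.signObject(signature);
        return dom;
    }
}
```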