如何添加x509Data標籤和密鑰信息標籤在主題標籤中SAML2

Question

我使用下面的代碼生成以下SAML斷言：

 SAMLObjectBuilder confirmationMethodBuilder = (SAMLObjectBuilder) builderFactory.getBuilder(SubjectConfirmationData.DEFAULT_ELEMENT_NAME); 
     SubjectConfirmationData confirmationMethod = (SubjectConfirmationData) confirmationMethodBuilder.buildObject(); 
     DateTime now = new DateTime(); 
     confirmationMethod.setNotBefore(now); 
     confirmationMethod.setNotOnOrAfter(now.plusMinutes(2)); 

    //SAMLObjectBuilder keyInfoBuilderMethod = (SAMLObjectBuilder) builderFactory.getBuilder(KeyInfoConfirmationDataType.DEFAULT_ELEMENT_NAME); 
    //KeyInfoConfirmationDataType keyInfoBuilder = (KeyInfoConfirmationDataType)keyInfoBuilderMethod.buildObject(); 
    //keyInfoBuilder.?? 
    //The commented part is what i tried but not successful to add the certificate into the SubjectConfirmationData. 


    SAMLObjectBuilder subjectConfirmationBuilder = (SAMLObjectBuilder) builderFactory.getBuilder(SubjectConfirmation.DEFAULT_ELEMENT_NAME); 
    SubjectConfirmation subjectConfirmation = (SubjectConfirmation) subjectConfirmationBuilder.buildObject(); 
    subjectConfirmation.setSubjectConfirmationData(confirmationMethod); 

目前得到以下的輸出：

<saml2:Subject> 
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" NameQualifier="CCC">abcde.xyz@xyz.com</saml2:NameID> 
    <saml2:SubjectConfirmation> 
     <saml2:SubjectConfirmationData NotBefore="2015-08-16T06:04:54.115Z" NotOnOrAfter="2015-08-16T06:06:54.115Z"/> 
    </saml2:SubjectConfirmation> 
</saml2:Subject> 

我需要saml斷言在SubjectConfirmationData 中包含keyinfo和x509Certificate，如下所示：

<saml:Subject> 
     <saml:NameID 
     Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"> 
     CN=trscavo@uiuc.edu,OU=User,O=NCSA-TEST,C=US 
     </saml:NameID> 
     <saml:SubjectConfirmation 
     Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"> 
     <saml:SubjectConfirmationData> 
      <ds:KeyInfo> 
      <ds:X509Data> 
       <!-- principal's X.509 cert --> 
       <ds:X509Certificate> 
    MIICiDCCAXACCQDE+9eiWrm62jANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJV 
    UzESMBAGA1UEChMJTkNTQS1URVNUMQ0wCwYDVQQLEwRVc2VyMRMwEQYDVQQDEwpT 
    UC1TZXJ2aWNlMB4XDTA2MDcxNzIwMjE0MVoXDTA2MDcxODIwMjE0MVowSzELMAkG 
    A1UEBhMCVVMxEjAQBgNVBAoTCU5DU0EtVEVTVDENMAsGA1UECxMEVXNlcjEZMBcG 
    A1UEAwwQdHJzY2F2b0B1aXVjLmVkdTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC 
    gYEAv9QMe4lRl3XbWPcflbCjGK9gty6zBJmp+tsaJINM0VaBaZ3t+tSXknelYife 
    nCc2O3yaX76aq53QMXy+5wKQYe8Rzdw28Nv3a73wfjXJXoUhGkvERcscs9EfIWcC 
    g2bHOg8uSh+Fbv3lHih4lBJ5MCS2buJfsR7dlr/xsadU2RcCAwEAATANBgkqhkiG 
    9w0BAQQFAAOCAQEAdyIcMTob7TVkelfJ7+I1j0LO24UlKvbLzd2OPvcFTCv6fVHx 
    Ejk0QxaZXJhreZ6+rIdiMXrEzlRdJEsNMxtDW8++sVp6avoB5EX1y3ez+CEAIL4g 
    cjvKZUR4dMryWshWIBHKFFul+r7urUgvWI12KbMeE9KP+kiiiiTskLcKgFzngw1J 
    selmHhTcTCrcDocn5yO2+d3dog52vSOtVFDBsBuvDixO2hv679JR6Hlqjtk4GExp 
    E9iVI0wdPE038uQIJJTXlhsMMLvUGVh/c0ReJBn92Vj4dI/yy6PtY/8ncYLYNkjg 
    oVN0J/ymOktn9lTlFyTiuY4OuJsZRO1+zWLy9g== 
       </ds:X509Certificate> 
      </ds:X509Data> 
      </ds:KeyInfo> 
     </saml:SubjectConfirmationData> 
     </saml:SubjectConfirmation> 
    </saml:Subject> 

上述樣品斷言可以在下面的鏈接中找到here

有對SO here另一個問題補充的簽名，而不是在主題標籤，證書，這是正確的跟隨？
另一個問題是如何生成證書的值，這是基於任何特定的.crt文件。

Answer 1

你問的有多好玩，我幾個星期前寫了一個blog post on the subject。基本上你創建一個使用X509KeyInfoGeneratorFactory

X509KeyInfoGeneratorFactory x509Factory = new X509KeyInfoGeneratorFactory(); 
KeyInfoGenerator genarator = x509Factory.newInstance(); 

然後使用發電機產生的密鑰信息

KeyInfo keyinfo = generator.generate(credentials); 

一個KeyInfoGenerator