2013-05-06 30 views
0

Hello, I need some information about SAML 2.0 Authn requests. I want to sign my authn request with a *.pkcs8 file created with openssl. I can use the Java keytool to work with keystore files, but I want to use openssl to generate a *.PKCS8 file and achieve the same thing. I have been struggling with this for a while. I can generate the XML with it. How do I sign a SAML 2.0 assertion using an openssl (.PKCS8) file?

// Authn request...

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="http://localhost:8080/sp/AssertionConsumerService" Destination="http://localhost:8080/idp/SingleSignOnService" ID="95cc3943-67dd-43ef-809b-2ccd8bd3e4e9" IssueInstant="2013-04-26T12:18:48.799Z" Version="2.0"> 
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">sp</saml:Issuer> 
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> 
    <ds:SignedInfo> 
     <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
     <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> 
     <ds:Reference URI="#95cc3943-67dd-43ef-809b-2ccd8bd3e4e9"> 
     <ds:Transforms> 
      <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> 
      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> 
      <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" 
       PrefixList="ds saml samlp"/> 
      </ds:Transform> 
     </ds:Transforms> 
     <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> 
     <ds:DigestValue>2HkVe/KnVzcMgneRUItjq2V/FEA=</ds:DigestValue> 
     </ds:Reference> 
    </ds:SignedInfo> 
    <ds:SignatureValue> 
      NjCxy8R3NjkN8B932FJolGTqtYTBBTLboHUo7ZqEXxICUW/ZhOV2Pwe+c4R0/TrPqBPVZBItlXyv 
      at3edIMrr7RlEFGy3rt7pPVRXUcmF6jtDZajCpwwaEKKD--REMOVED SOME CODE------------ 
      egb8dua65WhY1KkugNPG4FWTVhtzul/CBo9a8vN/ZuXRbZQ6sUWbq1BFgC6Zmw8kr1aUNBwqRi7r 
      ZNPXcGVhXuFQTTV4Kuc1eiI1lgANKLTrkCBRSw== 
    </ds:SignatureValue> 
    </ds:Signature> 
</samlp:AuthnRequest> 

// END

I can't get the key info, and I am able to get the X509Data and certificate values using the Java keytool.

<ds:KeyInfo> 
     <ds:X509Data> 
     <ds:X509Certificate>hZB2kOYypWs33Bs2BTaKZOKGig0CAwEAATANBgkqhkiG9w0BAQUFAAOB 
     gQB3Cfe0iTfrXY9E22TFy5b87kwpDKjLopNLtX3kqSUlfjnbN5tYN4zr91H5dZUkuFF83z7ztzKi 
     zkcxiMgVVQkU2X1bn5SdErvmS7aEcG8+5TdlO5bf+8as04u5qug+oQun5s1t9mSvaF7Ol5CX/gkp 
     EUTjXx28kldbY7ETgDUrSw==</ds:X509Certificate> 
     </ds:X509Data> 
    </ds:KeyInfo> 
    </ds:Signature> 

Also tell me whether my authn request is complete. And is the Authn request the same for Artifact and POST (assertion) SAML messages?

Pls help!!!

Answer

0

You can use this to emit the key info

X509KeyInfoGeneratorFactory fact = new X509KeyInfoGeneratorFactory(); 
fact.setEmitEntityCertificate(true); 
signature.setKeyInfo(fact.newInstance().generate(cred)); 
+0

Just to confirm I'm doing it this way. 'Signature signature = (Signature) Configuration.getBuilderFactory().getBuilder(Signature.DEFAULT_ELEMENT_NAME).buildObject(Signature.DEFAULT_ELEMENT_NAME); X509KeyInfoGeneratorFactory fact = new X509KeyInfoGeneratorFactory(); fact.setEmitEntityCertificate(true); try { signature.setKeyInfo(fact.newInstance().generate(signingCredential)); } catch (SecurityException e) { /* TODO Auto-generated catch block */ e.printStackTrace(); } samlMessage.setSignature(signature);' – 2013-05-07 10:13:00

+0

Is this what you did before? – 2013-05-07 10:35:41

+0

No. I just took your code and tried to add it that way, but it doesn't generate the required KeyInfo (with the X509 cert). It actually needs the KeyInfo to be set on the credential. Whether that's possible I'm not sure – 2013-05-07 10:47:19

2

How are you building your org.opensaml.xml.security.credential.Credential object? You can only load the private key from a PKCS8 file. You still need the public key to fully build the Credential object. If your public key is stored as DER-encoded bytes, you can use the code below to create the Credential and use it to sign the request

import java.io.IOException;
import java.security.PrivateKey;
import java.security.PublicKey;

import org.opensaml.saml2.core.Assertion;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.security.SecurityConfiguration;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.credential.BasicCredential;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.keyinfo.KeyInfoGenerator;
import org.opensaml.xml.security.keyinfo.KeyInfoGeneratorFactory;
import org.opensaml.xml.security.keyinfo.KeyInfoGeneratorManager;
import org.opensaml.xml.security.keyinfo.NamedKeyInfoGeneratorManager;
import org.opensaml.xml.signature.KeyInfo;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureConstants;

// JDK-internal DER parsers (sun.security.*); not part of the public JCA API.
import sun.security.pkcs.PKCS8Key;
import sun.security.util.DerValue;
import sun.security.x509.X509Key;

/**
 * Load privateKeyDerBytes from an unencrypted PKCS8 DER file and publicKeyDerBytes
 * from a DER-encoded public key (a SubjectPublicKeyInfo, e.g. the output of
 * "openssl rsa -pubout -outform DER"). X509Key.parse expects that structure,
 * not a whole .cer/.crt certificate.
 */
private static Credential getCredential(byte[] privateKeyDerBytes, byte[] publicKeyDerBytes) throws IOException
{
    PrivateKey privateKey = PKCS8Key.parse(new DerValue(privateKeyDerBytes));
    PublicKey publicKey = X509Key.parse(new DerValue(publicKeyDerBytes));
    BasicCredential basicCredential = new BasicCredential();
    basicCredential.setUsageType(UsageType.SIGNING);
    basicCredential.setPrivateKey(privateKey);
    basicCredential.setPublicKey(publicKey);
    return basicCredential;
}

public static void signAssertion(Assertion assertion, byte[] privateKeyDerBytes, byte[] publicKeyDerBytes) throws IOException, SecurityException
{
    // get Credential
    Credential credential = getCredential(privateKeyDerBytes, publicKeyDerBytes);
    // create Signature
    Signature signature = (Signature) Configuration.getBuilderFactory()
        .getBuilder(Signature.DEFAULT_ELEMENT_NAME)
        .buildObject(Signature.DEFAULT_ELEMENT_NAME);

    signature.setSigningCredential(credential);
    signature.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1);
    signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
    signature.setKeyInfo(getKeyInfo(credential));

    // The SignatureValue itself is only computed later, once the assertion has
    // been marshalled to DOM and Signer.signObject(signature) is called.
    assertion.setSignature(signature);
}

// Builds the KeyInfo with the generator the global security configuration
// registers for this credential type.
public static KeyInfo getKeyInfo(Credential credential) throws SecurityException {
    SecurityConfiguration secConfiguration = Configuration.getGlobalSecurityConfiguration();
    NamedKeyInfoGeneratorManager namedKeyInfoGeneratorManager = secConfiguration.getKeyInfoGeneratorManager();
    KeyInfoGeneratorManager keyInfoGeneratorManager = namedKeyInfoGeneratorManager.getDefaultManager();
    KeyInfoGeneratorFactory factory = keyInfoGeneratorManager.getFactory(credential);
    KeyInfoGenerator generator = factory.newInstance();
    return generator.generate(credential);
}
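The complete flow the question and this answer describe, as an added example that is not code from the original answer: the credential is built with the public JCA classes (KeyFactory for the PKCS#8 DER key, CertificateFactory for the DER certificate) instead of the sun.security.* internals, the KeyInfo is generated with X509KeyInfoGeneratorFactory so it contains the <ds:X509Certificate> the question asks for, and the request is marshalled and then signed with Signer, which the answer's code stops short of. It assumes OpenSAML 2.x with DefaultBootstrap.bootstrap() already called, an unencrypted PKCS#8 key and DER certificate produced by openssl (openssl pkcs8 -topk8 -nocrypt -outform DER; openssl req -new -x509 -outform DER), and RSA-SHA256 rather than the rsa-sha1 shown in the question; the class name and the byte[] inputs are the example's own.

```java
// Added example, not from the original post: sign a SAML 2.0 AuthnRequest with an
// openssl-generated PKCS#8 key and its X.509 certificate using OpenSAML 2.x.
import java.io.ByteArrayInputStream;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;

import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureConstants;
import org.opensaml.xml.signature.Signer;

public class AuthnRequestSigner {
    /** The certificate supplies the public key, the PKCS#8 DER blob the private key. */
    public static BasicX509Credential loadCredential(byte[] pkcs8Der, byte[] certDer)
            throws Exception {
        PrivateKey key = KeyFactory.getInstance("RSA")
                .generatePrivate(new PKCS8EncodedKeySpec(pkcs8Der));
        X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(certDer));
        BasicX509Credential cred = new BasicX509Credential();
        cred.setPrivateKey(key);
        cred.setEntityCertificate(cert);
        cred.setUsageType(UsageType.SIGNING);
        return cred;
    }

    /** Attach an enveloped signature whose KeyInfo carries <ds:X509Certificate>. */
    public static void sign(AuthnRequest request, BasicX509Credential cred) throws Exception {
        Signature sig = (Signature) Configuration.getBuilderFactory()
                .getBuilder(Signature.DEFAULT_ELEMENT_NAME).buildObject(Signature.DEFAULT_ELEMENT_NAME);
        sig.setSigningCredential(cred);
        sig.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
        sig.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        X509KeyInfoGeneratorFactory kigf = new X509KeyInfoGeneratorFactory();
        kigf.setEmitEntityCertificate(true);   // emits the certificate, not just a key value
        sig.setKeyInfo(kigf.newInstance().generate(cred));
        request.setSignature(sig);
        // The SignatureValue is computed only after the object is marshalled to DOM.
        Configuration.getMarshallerFactory().getMarshaller(request).marshall(request);
        Signer.signObject(sig);
    }
}
```

The same sign() works unchanged for an Assertion, since both types implement SignableSAMLObject.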
+0

Thank you nadirsaghar. I will check your suggestion and get back to you. – 2013-05-21 07:59:25

+0

Did it work for you? – nadirsaghar 2013-05-24 16:22:07