Opensaml KeyInfo配置

Question

我和我的团队正在使用opensaml来生成SAML令牌。我们已经安排好了这个设置，但另一个团队的成员告诉我们，如果我们能稍微配置一下生成的令牌，他们会很感激的。

他们希望我们更改的区域是令牌的EncryptedKey部分。目前，它看起来像这样：

        <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
        Id="_9b07dd8a259d8ee8162adf17cd761d34">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"
            xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" />
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
                <ds:X509Certificate>MIIC4DCCAcigAwIBAgIEUUrqgDANBgkqhkiG9w0BAQUFADAyMTAwLgYDVQQDEydCRFNQVUtMNzAz
                    NDIzODUuY2xpZW50LmJhcmNsYXlzY29ycC5jb20wHhcNMTMwMzIxMTEwOTUyWhcNMTQwMzIxMTEw
                    OTUyWjAyMTAwLgYDVQQDEydCRFNQVUtMNzAzNDIzODUuY2xpZW50LmJhcmNsYXlzY29ycC5jb20w
                    ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCmWG7p7iATCM06WMsKg8LlLg8AXUvyZI6l
                    hZkz7Sc/moL6WtSUBrL60joLAi4L+P/VrbtZMNzP9kh3uyW0uZ0Vb+DhsXMQBccgdQMzq//nK2GN
                    0+/F4KYKLsdYpecR28YlOQRl2Y6Gc3i8PZIk2a8bmf64tbOCyOWHzX7fNHo+MSM3JcWOLltFKZCT
                    z8O8OJjhFqxA7fl+zLBEXprJZtxU/AOaLW6qBPh8w1LmIfU8nK5bnjlKpdobV8uXlXkKVOJWxm1P
                    yjQDt1G1FKyBKLmyPbw9xY5DSDmQFpwgeZIQdOkRrrYzwYzYFCuqL9USjPw6414kYqBNr221SWei
                    pLjbAgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAILQ69plSMdO8/3nx5ZJPMWSS2MqFlThAoMW0kmK
                    20DBH5o3b+6BZ4d566IEGRReOOFVxMKNbuq3thrIliUQG0Qzzu0T41UE7noFXwZOwavYxhy1BdwW
                    B906CAb0Qq7qu1FXd8PVKzLn7IazaPXSuRkhGmoE4vcRVphRZkzU6xjkfEZ5AO+7qVE/5tcREXAB
                    coxpqWeTVeZiT0oazx7eWyqVlqSaLboOqByk5O921hY4E7PZaS7HGBXHcywVHU9fXwbEIgNl0noC
                    sduXcYkjC6WEiV8rQiuBXx5bspPkau28V+GQ1kNwuq5ypEskDW3GHUrZiAmaucooahVzvhDiBM0=
                </ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
        <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
            <xenc:CipherValue>LhIn8/SjXbnCsMP6ITxb++0rFYpN8S0L6K/VE74XKjh4Jtlo8IaZQi6c9HRqlII/VT5OKaVySNCO2wOaKS/EUsTt5a/0oR9Yh9mCLt9NQDpkxau1OiydwTYoo6G29fFpYgeDXEPrdR4iUlOERuulmFlNTETWu/doHb4b6hFZdsLEtQH1qSi/jBIq2Q7peXI396G8RWDoWO1urJtIQWR5HjqDckcp3eQ2AC3mXkm949g+OS3Y3g/dPi5erkAhNmFXdinOnX6SQWHEBhFkroFfzqkzEPOVlJdL5Rb9X1mgEk5tJefSUChs6HguRqMeMr0s4UFi/KUwlZbINio1hSNTZg==
            </xenc:CipherValue>
        </xenc:CipherData>
        <xenc:ReferenceList>
            <xenc:DataReference URI="#_a04f85fb05fda175a5e7eba026640f16" />
        </xenc:ReferenceList>
    </xenc:EncryptedKey>

然而，我的同事希望它看起来是这样的：

<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
   <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
   <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
     <dsig:KeyName>BCL12232</dsig:KeyName>
   </dsig:KeyInfo>
   <xenc:CipherData>
      <xenc:CipherValue>
         H4lcHtpC9WJcwbZ4rWFEipoRN7tbc7EOWRqZPWDtds9WaukKZP8mPECxYS7LGbV5HP+87nTE5AMfTOLecVLMiR42vFL8sza6HiMD1L5+At26UUgowlixjnUs89vE8c11sv7J5eTVb41bi/DSFLRHdaZ+sJ4ojHCxwcsUcxelsjC+kcAC09hGXOT6b7DBxzWgk+XHY86uuvpYpLLu28TibzpJdpo1gm237QJrAcz2RSY9RqCDN9UOtByHbbihCiKIMIUXG6wHBUnAtZbTp7XS3RMgkK1YBys91ImXvmRYTaNRnW2sQmdwli6m1Oxi9vFFvt8wAUClNRbM1m6wX/r1oQ==
      </xenc:CipherValue>
   </xenc:CipherData>
</xenc:EncryptedKey>

如您所见，不同之处在于在后一个示例中没有将X509证书添加到SAML令牌中，并且关于密钥的唯一信息是密钥名称。

经过调查，我认为问题可能出在凭据上。

有没有人有过这样配置opensaml的经验？怎么可能这样配置KeyInfo呢？

提前感谢你的帮助。

更新:我现在已经知道如何使用KeyInfoHelper.addKeyName(KeyInfo, KeyName);设置密钥名，但在隐藏X509证书信息方面仍然一无所获。

Answer 1

问题是我使用opensaml为我自动生成密钥信息。默认情况下，会附加x509证书。我创建了自己的KeyInfo对象，并简单地为它添加了一个键名，从而克服了这个问题。

看起来有点老生常谈，但还是完成了工作。

下面是我写的创建密钥信息的方法。

private KeyInfo getKeyInfo(final Credential c, final String keyName) {

    final SecurityConfiguration secConfiguration =
            Configuration.getGlobalSecurityConfiguration();
    final NamedKeyInfoGeneratorManager namedKeyInfoGeneratorManager =
            secConfiguration.getKeyInfoGeneratorManager();
    final KeyInfoGeneratorManager keyInfoGeneratorManager =
            namedKeyInfoGeneratorManager.getDefaultManager();
    final KeyInfoGeneratorFactory keyInfoGeneratorFactory =
            keyInfoGeneratorManager.getFactory(c);
    final KeyInfoGenerator keyInfoGenerator = keyInfoGeneratorFactory.newInstance();
    KeyInfo keyInfo;

    keyInfo = keyInfoGenerator.generate(c);
    KeyInfoHelper.addKeyName(keyInfo,
            keyName);
    return keyInfo;
}

Answer 2

这是OpenSAML 3+版本。

private KeyInfo getKeyInfo(Credential c, String keyNameValue) {
    KeyName keyName = new KeyNameBuilder().buildObject();
    keyName.setValue(keyNameValue);
    EncryptionConfiguration secConfiguration = SecurityConfigurationSupport.getGlobalEncryptionConfiguration();
    NamedKeyInfoGeneratorManager namedKeyInfoGeneratorManager = secConfiguration.getDataKeyInfoGeneratorManager();
    KeyInfoGeneratorManager keyInfoGeneratorManager = namedKeyInfoGeneratorManager.getDefaultManager();
    KeyInfoGeneratorFactory keyInfoGeneratorFactory = keyInfoGeneratorManager.getFactory(credential);
    KeyInfoGenerator keyInfoGenerator = keyInfoGeneratorFactory.newInstance();
    KeyInfo keyInfo = keyInfoGenerator.generate(credential);
    keyInfo.getKeyNames().add(keyName);
    keyInfo.getX509Datas().clear();
    return keyInfo;             
}