使用 openSAML 签署响应

【问题标题】:Signing response using openSAML使用 openSAML 签署响应
【发布时间】:2012-11-13 20:24:31
【问题描述】:

我正在尝试通过签署响应而不是断言来实施 SAML 2.0。我有 3 个现有供应商在断言级别接受我的签名,但是一个新供应商正在协议/响应级别请求它。我已经在谷歌上搜索和调试了大约 8 个小时,但找不到一个有效的例子来说明我做错了什么。我下面的代码清楚地显示了我在做什么,最后 10 行左右是我实现的差异(在 if / else 中)。另外,我注意到在我的 XML 中我的 SignatureValue 和 DigestValue 都是空的。谁能指出我一些清晰的文档,或者更好的是,使用 openSAML 的工作响应签名的示例?在这一点上,任何帮助表示赞赏。 

Assertion assertion = OpenSamlHelper.CreateSamlAssertion(
            issuer.trim(), recipient.trim(), domain.trim(), subject.trim(),
            attributes);        


    //
    // Sign
    //
    Credential signingCredential = getSigningCredential(keystore, storetype, storepass, alias, keypass);

    Signature signature = (Signature) Configuration.getBuilderFactory()
                            .getBuilder(Signature.DEFAULT_ELEMENT_NAME)
                            .buildObject(Signature.DEFAULT_ELEMENT_NAME);

    signature.setSigningCredential(signingCredential);
    signature.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1);               
    signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);



            SecurityConfiguration secConfiguration = Configuration.getGlobalSecurityConfiguration(); 
            NamedKeyInfoGeneratorManager namedKeyInfoGeneratorManager = secConfiguration.getKeyInfoGeneratorManager(); 
            KeyInfoGeneratorManager keyInfoGeneratorManager = namedKeyInfoGeneratorManager.getDefaultManager();
            KeyInfoGeneratorFactory keyInfoGeneratorFactory = keyInfoGeneratorManager.getFactory(signingCredential);
            KeyInfoGenerator keyInfoGenerator = keyInfoGeneratorFactory.newInstance();
            KeyInfo keyInfo = null;
            try {
                keyInfo = keyInfoGenerator.generate(signingCredential);
            } catch  (Exception e) {
                logger.error(e);
            } 
            signature.setKeyInfo(keyInfo);

            String saml = "";
            try {
            MarshallerFactory marshallerFactory = Configuration.getMarshallerFactory();
    if (signatureType == SignatureType.Response) {
        response.setSignature(signature);
                    marshallerFactory.getMarshaller(response).marshall(response);
    }
    if (signatureType == SignatureType.Assertion) {
        assertion.setSignature(signature);
                    marshallerFactory.getMarshaller(assertion).marshall(assertion);
    }
        Signer.signObject(signature);

更新:我使用上述代码获得的 XML 不包含签名值或摘要值,如下所示..

<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_651cc837-e890-46c7-9cf9-646ffd38aaad">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue/>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue/>

移动后Signer.signObject(signature);在断言附加到响应之后,我收到以下 XML ..

<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_273e38e9-3b51-4845-8b8b-f0970e3e9bab">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>UlVtsjSAvtjOLMbw+HUX9n7FtxM=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
jM7GxZ77VBHuAatMXLx14s0ExOmmfDpBhCpF8OKV4F3C1BiRutM41aTH25yhgSn+6l4TkK6kEDbFOYI6isvJUhtdVgH4E1xJl0DFfvPJphTF096acvJrLPehpsFd2Ab6sARuV1sbg/gwNFzvlHJWgit5NxHNuFN1qcv3vuhvQ83fOfxxuyLyJrEjpqvbRzwWepHiuTVHlNObrUvjVxEc7AUKPtwTqGlA6y3SdzIDwjN/LsB1V6PWhiMZsbxJx3LUuk5UECOYmRhKQifZWdOdvHoWBq05J54I6RvAplNDTfRBr4AM+tfIz3OXpN6OpKdSC43HRg9LO9bXprui+4CvrQ==
</ds:SignatureValue>

【问题讨论】:

  • 我明天会尝试重现这个。你想在这里签署什么回应?上面的代码签署了断言权但没有签署响应?

标签: java xml opensaml


【解决方案1】:

我尝试使用此代码签名和工件响应,只需将 entityDescriptor 切换为 artifactResponse 并且效果很好。 https://blog.samlsecurity.com/2012/11/signing-with-opensaml.html

<?xml version="1.0" encoding="UTF-8"?><saml2p:ArtifactResponse xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>ZkE02ZnvIqyd+FcfL6PaXNI88Co=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>fDxfW06rbJEFu5nqmsGxwt6O53N8FWwmDOO0e3nUWh0in2TRYD9nj2927pnQZNL4Mk3KAcSWVETUuHX11XWL+MgcosfJd31TR0XEui/F+BbojQlXJRHfD2BfEO9cQCygFSyyOb9tE2FU5noqnx2b3vI5mToam3a135007mAN/t14Jm71EfvvCF9qL2wXI55R8uab0WGqXx1LYSrAjBZq455SH9AIQu+n8L+KaiOzfpjiL+h/5YJ/a+uyiLV6H06TsytowDTBSW67YW110fpoOsD5vgULrZOABmeK6NRZWpI8PK1M+/r6SO0DTEbUiSTYtHz9XBcqbnD9d7ZQ3oZpEQ==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDaTCCAlGgAwIBAgIEeL6vczANBgkqhkiG9w0BAQsFADBlMQswCQYDVQQGEwJOTzENMAsGA1UE
CBMET3NsbzENMAsGA1UEBxMET3NsbzEOMAwGA1UEChMFQ2FwcmExDTALBgNVBAsTBGphdmExGTAX
BgNVBAMTEFN0ZWZhbiBSYXNtdXNzb24wHhcNMTIxMTA5MTA1MzU0WhcNMTMwMjA3MTA1MzU0WjBl
MQswCQYDVQQGEwJOTzENMAsGA1UECBMET3NsbzENMAsGA1UEBxMET3NsbzEOMAwGA1UEChMFQ2Fw
cmExDTALBgNVBAsTBGphdmExGTAXBgNVBAMTEFN0ZWZhbiBSYXNtdXNzb24wggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQCJFImFwnmxM28bSTWOIKCIW1nkZ4euYbB+aLFwc8nJZ0Go5+B3
sT4gxF5Cr2/syglO9fwNJH+hdIw9qXTcnZL6THGSlb7Hcci/541z3BdaljZ/DFqcvL6BzsY0uBc+
3ZbOEr+n3wADZ12GW1Pz7GxjZncJZUwDgO7M/wtscd4jZD7iRnRMux8dVbg8O1ywE16GEM/UkwF3
Xz98T4/TiEviPLrb+c5IO7KhZyJWndKOucTYUwhi4EZ169XSN03KMZeiMewxqcW4n1fb+GksN/TE
5Pl0Ci/0gSaAQKYTqAlIZ2TS7oQ0MRnI0jsjsUZDFbznTXBwticfHnoTyHDA4sctAgMBAAGjITAf
MB0GA1UdDgQWBBQUSNk3I5z4oXsByufaV51IgzuFdTANBgkqhkiG9w0BAQsFAAOCAQEAFmsaXdGS
fyHjYZzUrZKnX6xjJpB7UA48gd/0/Tylm1zfp+GeRGV3/hQan3+UuV8zrE9lhDUbgnoFFY2Xebrc
5Ij5DS3pEz8xi+isDCqvHrBGCMQ4G6eRUTxVz4VucY1j8G34+X5KECibyuCGPP1yXZf+57CciSpp
8tWGBPI1mOuCmEdiucMapJmZa8uQo5FqWZXoJ0cQgZZ1BEgNERAcCZ5xqF03tpfgFuIu7/arp77i
JKYWPX/a82feabjeecH+gAsWi8Tt1ixKNeNJklFY1GAllxwoDAYcxjjWxIbRh9Bl5Kaaf3S0da3p
Mkv4S1zTI0Bq/WcR5e0GHUFm4one3g==</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
</saml2p:ArtifactResponse>

尝试跳过 KeyInfo 部分。您没有收到任何编组错误?

【讨论】:

  • 我将尝试使用 entityDescriptor 的建议,我会在测试后回帖。不,我没有收到任何编组错误,事实上,唯一值得注意的问题是 DigestValue 和 SignatureValue 返回为空,当然,供应商无法进行身份验证。
  • 今天早上喝了几杯咖啡后,我查看了我的代码并意识到我试图在添加断言之前对响应进行签名。这是我的问题,一旦我确定了事情的顺序,一切都解决了。非常感谢您的回复,您的代码帮助我确信我所做的并没有完全错误!
  • 我不明白,您尝试在添加工件之前签署工件响应。那不应该使响应未签名。这将是无效的芽,你应该在上面签名。
  • 我用之前和之后的 XML 更新了上面的原始问题。 Signature 区域在那里,但 SignatureValue 和 DigestValue 为空。
  • @Devon 原帖现在有最终工作代码了吗?
【解决方案2】:

我有同样的问题,但我添加后

signature.setEntityCertificate(cert);

还有

 KeyInfoGenerator keyInfoGeneratorFactory= keyInfoGeneratorFactory.newInstance();
  if (keyInfoGeneratorFactory instanceof X509KeyInfoGeneratorFactory) {
                ((X509KeyInfoGeneratorFactory) keyInfoGeneratorFactory).setEmitX509Digest(Boolean.TRUE);
                ((X509KeyInfoGeneratorFactory) keyInfoGeneratorFactory).setEmitX509IssuerSerial(Boolean.FALSE);
                ((X509KeyInfoGeneratorFactory) keyInfoGeneratorFactory).setEmitEntityCertificate(Boolean.FALSE);
                ((X509KeyInfoGeneratorFactory) keyInfoGeneratorFactory).setEmitPublicKeyValue(Boolean.FALSE);
                ((X509KeyInfoGeneratorFactory) keyInfoGeneratorFactory).setX509DigestAlgorithmURI(SignatureConstants.ALGO_ID_DIGEST_SHA1);}

【讨论】:

    猜你喜欢
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 2015-12-03
    • 2014-10-18
    • 1970-01-01
    • 2011-10-21
    • 1970-01-01
    • 1970-01-01
    相关资源
    最近更新 更多
    热门标签
    Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode