Question
I am completely new to SAML. I have just built the SAML, but per requirement I also need to add KeyInfo and X509 certificate nodes including the client's public cert. I have used the code below to generate the Signature element, but don't know how to add KeyInfo & X509Data inside the Signature. I need help with this.
import java.security.KeyStore;
import java.security.PrivateKey;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureConstants;

BasicX509Credential signingCredential = new BasicX509Credential();
//Namespace nameSpaceSAML = new Namespace("http://www.w3.org/2000/09/xmldsig#","ds");
KeyStore keyStore = getKeyStore(signingKeyStorePath, signingKeyStorePassword);
PrivateKey privateKey = getPrivateKey(keyStore, signingKeyalias, signingKeyStorePassword);
signingCredential.setPrivateKey(privateKey);
// Only the private key is set here; the credential carries no certificate yet
Signature signature = (Signature) Configuration.getBuilderFactory().getBuilder(Signature.DEFAULT_ELEMENT_NAME).buildObject(Signature.DEFAULT_ELEMENT_NAME);
signature.setSigningCredential(signingCredential);
signature.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1);
signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
Answer 1:
If you want less code, there is a helper class for signatures that does this.
import org.opensaml.xml.Configuration;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory;

X509KeyInfoGeneratorFactory x509Factory = new X509KeyInfoGeneratorFactory();
x509Factory.setEmitEntityCertificate(true);
x509Factory.setEmitEntityCertificateChain(true);
x509Factory.setEmitX509IssuerSerial(true);
x509Factory.setEmitX509SubjectName(true);
// Register the generator under a name, then refer to it by that name when preparing the signature
Configuration.getGlobalSecurityConfiguration().getKeyInfoGeneratorManager().registerFactory("x509emitingKeyInfoGenerator", x509Factory);
// SPCredentials.getCredential() is the answerer's own helper returning the signing X509Credential
SecurityHelper.prepareSignatureParams(signature, SPCredentials.getCredential(), null, "x509emitingKeyInfoGenerator");
This sets KeyInfo, signing algorithms, etc. Use the setEmit methods on the factory to set what should be added to the KeyInfo.
For more information, read my blog post on it. I also wrote a book on OpenSAML where I explain signing and encryption functions and more in detail.
Answer 2:
For those seeking an answer: I figured out the solution to add KeyInfo elements along with X509Data as below, and it is working fine...
import org.apache.xml.security.utils.Base64;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.signature.KeyInfo;
import org.opensaml.xml.signature.X509Certificate;
import org.opensaml.xml.signature.X509Data;

KeyInfo keyInfo = (KeyInfo) Configuration.getBuilderFactory().getBuilder(KeyInfo.DEFAULT_ELEMENT_NAME).buildObject(KeyInfo.DEFAULT_ELEMENT_NAME);
X509Data data = (X509Data) Configuration.getBuilderFactory().getBuilder(X509Data.DEFAULT_ELEMENT_NAME).buildObject(X509Data.DEFAULT_ELEMENT_NAME);
X509Certificate cert = (X509Certificate) Configuration.getBuilderFactory().getBuilder(X509Certificate.DEFAULT_ELEMENT_NAME).buildObject(X509Certificate.DEFAULT_ELEMENT_NAME);
signature.setSigningCredential(signingCredential);
// Requires signingCredential.setEntityCertificate(...) to have been called, otherwise getEntityCertificate() is null; getEncoded() throws CertificateEncodingException
String value = Base64.encode(signingCredential.getEntityCertificate().getEncoded());
cert.setValue(value);
data.getX509Certificates().add(cert);
keyInfo.getX509Datas().add(data);
signature.setKeyInfo(keyInfo);
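Putting the two answers together end to end, as an added example that is not code from the question or from either answer: a credential that also carries the certificate (the question's code sets only the private key, so answer 2's getEntityCertificate() would be null), signing an Assertion with KeyInfo/X509Data embedded, and the receiving side validating against a certificate it already trusts rather than the one inside KeyInfo. It assumes OpenSAML 2.x with DefaultBootstrap.bootstrap() already called and a JKS keystore at the given path; the class and method names are hypothetical.

```java
import java.security.KeyStore;
import java.security.PrivateKey;
import org.apache.xml.security.utils.Base64;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.XMLObjectBuilderFactory;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.*;
import org.opensaml.xml.validation.ValidationException;

// Assumes DefaultBootstrap.bootstrap() has already run (it registers the builders used below).
public class SignedAssertionWithKeyInfo {
    // The credential must carry the certificate too: it is what ends up inside ds:X509Data.
    static BasicX509Credential loadCredential(String path, String pw, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(new java.io.FileInputStream(path), pw.toCharArray());
        BasicX509Credential cred = new BasicX509Credential();
        cred.setPrivateKey((PrivateKey) ks.getKey(alias, pw.toCharArray()));
        cred.setEntityCertificate((java.security.cert.X509Certificate) ks.getCertificate(alias));
        return cred;
    }
    // Signs the assertion with ds:KeyInfo/ds:X509Data/ds:X509Certificate carrying the signer's certificate.
    static void sign(Assertion assertion, BasicX509Credential cred) throws Exception {
        XMLObjectBuilderFactory bf = Configuration.getBuilderFactory();
        Signature sig = (Signature) bf.getBuilder(Signature.DEFAULT_ELEMENT_NAME).buildObject(Signature.DEFAULT_ELEMENT_NAME);
        sig.setSigningCredential(cred);
        sig.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256); // SHA-256 instead of the question's SHA-1
        sig.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        KeyInfo keyInfo = (KeyInfo) bf.getBuilder(KeyInfo.DEFAULT_ELEMENT_NAME).buildObject(KeyInfo.DEFAULT_ELEMENT_NAME);
        X509Data data = (X509Data) bf.getBuilder(X509Data.DEFAULT_ELEMENT_NAME).buildObject(X509Data.DEFAULT_ELEMENT_NAME);
        X509Certificate certEl = (X509Certificate) bf.getBuilder(X509Certificate.DEFAULT_ELEMENT_NAME).buildObject(X509Certificate.DEFAULT_ELEMENT_NAME);
        certEl.setValue(Base64.encode(cred.getEntityCertificate().getEncoded()));
        data.getX509Certificates().add(certEl);
        keyInfo.getX509Datas().add(data);
        sig.setKeyInfo(keyInfo);
        assertion.setSignature(sig);
        Configuration.getMarshallerFactory().getMarshaller(assertion).marshall(assertion); // DOM first: Signer digests the DOM tree
        Signer.signObject(sig);
    }
    // Receiver side: enforce the SAML signature profile, then validate with a certificate configured as trusted.
    // The certificate inside KeyInfo is only a hint; anyone can embed their own, so never validate against it.
    static boolean verify(Assertion assertion, BasicX509Credential trusted) {
        try {
            new SAMLSignatureProfileValidator().validate(assertion.getSignature());
            new SignatureValidator(trusted).validate(assertion.getSignature());
            return true;
        } catch (ValidationException e) {
            return false;
        }
    }
}
```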
Source: https://stackoverflow.com/questions/31403071/how-to-add-keyinfo-x509data-under-the-signature-in-saml-2-0-using-java