如何在 saml2 的 Subject 标记中添加 x509Data 标记和 keyInfo 标记答案

【问题标题】：How to add x509Data tag and keyInfo tag in Subject tag in saml2如何在 saml2 的 Subject 标记中添加 x509Data 标记和 keyInfo 标记
【发布时间】：2015-08-16 10:50:52
【问题描述】：

我正在使用下面的代码来生成下面的 saml 断言：

        SAMLObjectBuilder confirmationMethodBuilder = (SAMLObjectBuilder) builderFactory.getBuilder(SubjectConfirmationData.DEFAULT_ELEMENT_NAME);
        SubjectConfirmationData  confirmationMethod = (SubjectConfirmationData) confirmationMethodBuilder.buildObject();
        DateTime now = new DateTime();
        confirmationMethod.setNotBefore(now);
        confirmationMethod.setNotOnOrAfter(now.plusMinutes(2));

    //SAMLObjectBuilder keyInfoBuilderMethod = (SAMLObjectBuilder) builderFactory.getBuilder(KeyInfoConfirmationDataType.DEFAULT_ELEMENT_NAME);
    //KeyInfoConfirmationDataType keyInfoBuilder = (KeyInfoConfirmationDataType)keyInfoBuilderMethod.buildObject();
    //keyInfoBuilder.??
    //The commented part is what i tried but not successful to add the certificate into the SubjectConfirmationData.


    SAMLObjectBuilder subjectConfirmationBuilder = (SAMLObjectBuilder) builderFactory.getBuilder(SubjectConfirmation.DEFAULT_ELEMENT_NAME);
    SubjectConfirmation subjectConfirmation = (SubjectConfirmation) subjectConfirmationBuilder.buildObject();
    subjectConfirmation.setSubjectConfirmationData(confirmationMethod);

目前得到如下输出：

<saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" NameQualifier="CCC">abcde.xyz@xyz.com</saml2:NameID>
    <saml2:SubjectConfirmation>
        <saml2:SubjectConfirmationData NotBefore="2015-08-16T06:04:54.115Z" NotOnOrAfter="2015-08-16T06:06:54.115Z"/>
    </saml2:SubjectConfirmation>
</saml2:Subject>

我需要 saml 断言在 SubjectConfirmationData 中包含 keyinfo 和 x509Certificate 如下：

<saml:Subject>
      <saml:NameID
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
        CN=trscavo@uiuc.edu,OU=User,O=NCSA-TEST,C=US
      </saml:NameID>
      <saml:SubjectConfirmation
        Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
        <saml:SubjectConfirmationData>
          <ds:KeyInfo>
            <ds:X509Data>
              <!-- principal's X.509 cert -->
              <ds:X509Certificate>
  MIICiDCCAXACCQDE+9eiWrm62jANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJV
  UzESMBAGA1UEChMJTkNTQS1URVNUMQ0wCwYDVQQLEwRVc2VyMRMwEQYDVQQDEwpT
  UC1TZXJ2aWNlMB4XDTA2MDcxNzIwMjE0MVoXDTA2MDcxODIwMjE0MVowSzELMAkG
  A1UEBhMCVVMxEjAQBgNVBAoTCU5DU0EtVEVTVDENMAsGA1UECxMEVXNlcjEZMBcG
  A1UEAwwQdHJzY2F2b0B1aXVjLmVkdTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
  gYEAv9QMe4lRl3XbWPcflbCjGK9gty6zBJmp+tsaJINM0VaBaZ3t+tSXknelYife
  nCc2O3yaX76aq53QMXy+5wKQYe8Rzdw28Nv3a73wfjXJXoUhGkvERcscs9EfIWcC
  g2bHOg8uSh+Fbv3lHih4lBJ5MCS2buJfsR7dlr/xsadU2RcCAwEAATANBgkqhkiG
  9w0BAQQFAAOCAQEAdyIcMTob7TVkelfJ7+I1j0LO24UlKvbLzd2OPvcFTCv6fVHx
  Ejk0QxaZXJhreZ6+rIdiMXrEzlRdJEsNMxtDW8++sVp6avoB5EX1y3ez+CEAIL4g
  cjvKZUR4dMryWshWIBHKFFul+r7urUgvWI12KbMeE9KP+kiiiiTskLcKgFzngw1J
  selmHhTcTCrcDocn5yO2+d3dog52vSOtVFDBsBuvDixO2hv679JR6Hlqjtk4GExp
  E9iVI0wdPE038uQIJJTXlhsMMLvUGVh/c0ReJBn92Vj4dI/yy6PtY/8ncYLYNkjg
  oVN0J/ymOktn9lTlFyTiuY4OuJsZRO1+zWLy9g==
              </ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </saml:SubjectConfirmationData>
      </saml:SubjectConfirmation>
    </saml:Subject>

上面的示例断言可以在以下链接中找到here

在 SO here 上还有另一个问题是在签名中而不是在主题标签中添加证书，哪个是正确的？
另一个问题是如何生成证书的值，这是基于任何特定的.crt文件吗？

【问题讨论】：

标签： java saml-2.0 opensaml

【解决方案1】：

你问得多么有趣啊，几周前我写了一个blog post on the subject。基本上你使用 X509KeyInfoGeneratorFactory 创建一个 KeyInfoGenerator

X509KeyInfoGeneratorFactory x509Factory = new X509KeyInfoGeneratorFactory();
KeyInfoGenerator genarator = x509Factory.newInstance();

然后你使用生成器来创建 KeyInfo

KeyInfo keyinfo = generator.generate(credentials);

【讨论】：