Setting the ExtendedMetadata 'signingAlgorithm' field

Views: 17

Problem description

I'm having an issue getting the Spring SAML integration to generate the correct metadata file for my IdP. I was issued new SHA256 SSL certs. I've gone through all of the steps to create the appropriate keyStore and have my Spring security configuration file all set. I am literally like 98% of the way there but there is one thing missing in the generated metadata file that I can't for the life of me figure out why it's not getting set.

Here is my ExtendedMetadata config for MetadataGeneratorFilter:

<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
    <constructor-arg>
        <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
            <property name="entityId" value="urn:myentityidhere"/>
            <property name="entityBaseURL" value="https://${saml.url}"/>
            <property name="extendedMetadata">
                <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                    <property name="signMetadata" value="true"/>
                    <property name="signingAlgorithm" value="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
                    <property name="alias" value="ceo"/>
                    <property name="signingKey" value="${saml.sp.alias}"/>
                    <property name="encryptionKey" value="${saml.sp.alias}"/>
                </bean>
            </property>
        </bean>
    </constructor-arg>
</bean>

When I run my app and go to the /saml/metadata URI to get Spring to generate the metadata file I need to send to my IdP, the SHA256 algo gets correctly set on the SignatureMethod, but the child DigestMethod tag's algorithm value is still set to SHA1, when I need that ALSO set to SHA256 along with the DigestValue to be a SHA256 value and not a SHA1 value.

<ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <ds:Reference URI="#urn_myentityidhere">
        <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>xxxxxxx</ds:DigestValue>
    </ds:Reference>
</ds:SignedInfo>

Can someone guide me in how/what I need to set to get the DigestMethod algorithm value set to 256 also? I figured since it is a child of the SignedInfo tag, it would inherit the signingAlgorithm value from the Extendedmetadata config, but alas it is not.

Any help would be GREATLY appreciated. Thanks so much.

Solution - in case anyone cares

So, after a day's worth of digging, I decided to just implement this myself. I extended the ExtendedMetadata class by adding the field, digestMethodAlgorithm and added the appropriate getter/setters:

/**
 * Algorithm used for creation of the digest method of this entity. At the moment only used for metadata signatures.
 * Only valid for local entities.
 */
private String digestMethodAlgorithm;

/**
 * Returns the digest method algorithm value.
 * @return String
 */
public String getDigestMethodAlgorithm()
{
    return digestMethodAlgorithm;
}

/**
 * Sets the digest method algorithm to use when signing SAML messages.
 * This can be used, for example, when a strong algorithm is required (e.g. SHA-256 instead of SHA-1).
 * If this property is null, then the {@link org.opensaml.xml.Configuration} default algorithm will be used instead.
 *
 * Value only applies to local entities.
 *
 * At the moment the value is only used for signatures on metadata.
 *
 * Typical values (see the ALGO_ID_DIGEST_* constants in SignatureConstants) are:
 * http://www.w3.org/2000/09/xmldsig#sha1
 * http://www.w3.org/2001/04/xmlenc#sha256
 * http://www.w3.org/2001/04/xmldsig-more#sha384
 * http://www.w3.org/2001/04/xmlenc#sha512
 * http://www.w3.org/2001/04/xmlenc#ripemd160
 *
 * @param digestMethodAlgorithm The new digest method algorithm to use
 * @see org.opensaml.xml.signature.SignatureConstants
 */
public void setDigestMethodAlgorithm(String digestMethodAlgorithm)
{
    this.digestMethodAlgorithm = digestMethodAlgorithm;
}

Then I modified my spring security configuration from above to include this new bean property to be set in my MetadataGenerator config:

<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
    <constructor-arg>
        <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
            <property name="entityId" value="urn:myentityidhere"/>
            <property name="entityBaseURL" value="https://${saml.url}"/>
            <property name="extendedMetadata">
                <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                    <property name="signMetadata" value="true"/>
                    <property name="signingAlgorithm" value="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
                    <property name="digestMethodAlgorithm" value="http://www.w3.org/2001/04/xmlenc#sha256"/>
                    <property name="alias" value="ceo"/>
                    <property name="signingKey" value="${saml.sp.alias}"/>
                    <property name="encryptionKey" value="${saml.sp.alias}"/>
                </bean>
            </property>
        </bean>
    </constructor-arg>
</bean>

Then I also had to make two changes to the SAMLUtil class. In getMetadataAsString, in the isSignMetadata() if-clause, I pulled out the injected value for the digestMethodAlgorithm set by the config above, and then further modified the marshallAndSignMessage method to accept a new input parameter, which I use to get the DigestMethod algorithm set properly.

Inside of SAMLUtil.getMetadataAsString, line 572

...
// Digest algorithm injected via ExtendedMetadata; null means "use the OpenSAML default"
String digestMethodAlgorithm = extendedMetadata.getDigestMethodAlgorithm();
element = SAMLUtil.marshallAndSignMessage(descriptor, credential, signingAlgorithm, digestMethodAlgorithm, keyGenerator);
...

Inside of SAMLUtil.marshallAndSignMessage, right after line 437, I added/changed the following:

...
BasicSecurityConfiguration secConfig = null;

if (digestMethodAlgorithm != null)
{
    // Note: this is the global OpenSAML security configuration, so the digest method
    // set here applies to every signature produced afterwards, not only to metadata.
    secConfig = (BasicSecurityConfiguration) Configuration.getGlobalSecurityConfiguration();

    secConfig.setSignatureReferenceDigestMethod(digestMethodAlgorithm);
}

try {
    // With secConfig == null, prepareSignatureParams falls back to the global configuration.
    SecurityHelper.prepareSignatureParams(signature, signingCredential, secConfig, keyInfoGenerator);
} catch (org.opensaml.xml.security.SecurityException e) {
    throw new MessageEncodingException("Error preparing signature for signing", e);
}
...

I recompiled the entire Spring SAML core package via Gradle, spring-security-saml-1.0.0.RELEASE, copied the new jar from the build/libs directory to my project, deployed the webapp, pointed my browser to /saml/metadata and successfully got the metadata file with the correct SHA256 signed portion of the metadata file.

I'm going to see what I can do about getting this committed to the git repo for this project because I don't want to lose this ability as the project does future releases. Never contributed to an open-source project like this before.

<ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <ds:Reference URI="#urn_myentityidhere">
        <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>xxxxxx</ds:DigestValue>
    </ds:Reference>
</ds:SignedInfo>

Recommended answer

Things seem to have changed since the @VladimírSchäfer answer; it did not work for us with AD FS 2.0 and SHA-256. We had to add an extra setting to get it to work (see code, below).

The problem appears to be in OpenSAML's xmltooling library, specifically the org.opensaml.xml.security.BasicSecurityConfiguration.getSignatureAlgorithmURI(Credential) method - instead of just using the signature algorithm of the certificate (in our case, SHA256withRSA), it gets the key of the certificate, then looks at the algorithm of that key and uses a map of registered URIs to look up a signature URI. If they'd just have a map of JCA signature algorithms to URIs, instead of key algorithms to URIs, it would all be fine.

The workaround is to register the correct signature algorithm URI with BasicSecurityConfiguration during Spring wiring, overwriting the (undesirable) URI http://www.w3.org/2000/09/xmldsig#rsa-sha1 that's already present with http://www.w3.org/2001/04/xmldsig-more#rsa-sha256.

We also had to remove the setSignatureReferenceDigestMethod() call, or importing metadata into AD FS would fail.

import org.opensaml.Configuration;
import org.opensaml.xml.security.BasicSecurityConfiguration;
import org.springframework.beans.BeansException;
import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
import org.springframework.security.saml.SAMLBootstrap;

public class CustomSamlBootstrap extends SAMLBootstrap {

    @Override
    public void postProcessBeanFactory(ConfigurableListableBeanFactory beanFactory) throws BeansException {
        // Let SAMLBootstrap initialise OpenSAML first, then override the RSA -> signature URI mapping
        super.postProcessBeanFactory(beanFactory);
        BasicSecurityConfiguration config = (BasicSecurityConfiguration) Configuration.getGlobalSecurityConfiguration();
        config.registerSignatureAlgorithmURI("RSA", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
    }
}
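Whichever of the two fixes above you apply (the digestMethodAlgorithm patch in the self-answer or the CustomSamlBootstrap in this answer), the thing to verify is the XML that /saml/metadata actually returns. The following is an added example, not code from the question, the answers, Spring SAML or OpenSAML: it parses the enveloped ds:Signature of an EntityDescriptor, reports the SignatureMethod and each Reference's DigestMethod, flags anything that is not SHA-2 based, and also checks that the Reference URI points at the EntityDescriptor's own ID (otherwise the descriptor is not what the signature covers). The accepted-algorithm sets are this example's own policy, and the sample documents are constructed to mirror the SignedInfo shown in the question.

```python
"""Check the algorithms used in a signed SAML metadata file (added example)."""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"

# Policy assumed for this example: SHA-2 family only. SHA-1 URIs such as
# http://www.w3.org/2000/09/xmldsig#sha1 and #rsa-sha1 are therefore reported.
ACCEPTED_SIGNATURE_METHODS = {
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512",
}
ACCEPTED_DIGEST_METHODS = {
    "http://www.w3.org/2001/04/xmlenc#sha256",
    "http://www.w3.org/2001/04/xmldsig-more#sha384",
    "http://www.w3.org/2001/04/xmlenc#sha512",
}


def check_metadata_signature(metadata_xml: str) -> dict:
    """Inspect ds:SignedInfo of an EntityDescriptor.

    Returns {'ok', 'signature_method', 'digest_methods', 'problems'}; 'problems'
    is empty when the signature and digest algorithms are all acceptable.
    """
    root = ET.fromstring(metadata_xml)
    problems = []
    signed_info = root.find(f"{{{DS}}}Signature/{{{DS}}}SignedInfo")
    if signed_info is None:
        return {"ok": False, "signature_method": None, "digest_methods": [],
                "problems": ["no enveloped ds:Signature on the EntityDescriptor"]}

    sig_el = signed_info.find(f"{{{DS}}}SignatureMethod")
    signature_method = sig_el.get("Algorithm") if sig_el is not None else None
    if signature_method not in ACCEPTED_SIGNATURE_METHODS:
        problems.append(f"SignatureMethod {signature_method} is not SHA-2 based")

    digest_methods = []
    element_id = root.get("ID")
    for ref in signed_info.findall(f"{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        # An enveloped signature must cover the element it is embedded in; a
        # Reference to anything else means the descriptor itself is not signed.
        if uri != f"#{element_id}":
            problems.append(f"Reference URI {uri!r} does not match EntityDescriptor ID {element_id!r}")
        dm_el = ref.find(f"{{{DS}}}DigestMethod")
        digest_method = dm_el.get("Algorithm") if dm_el is not None else None
        digest_methods.append(digest_method)
        if digest_method not in ACCEPTED_DIGEST_METHODS:
            problems.append(f"DigestMethod {digest_method} for {uri!r} is not SHA-2 based")
    if not digest_methods:
        problems.append("SignedInfo contains no ds:Reference")

    return {"ok": not problems, "signature_method": signature_method,
            "digest_methods": digest_methods, "problems": problems}


def build_sample(signature_method: str, digest_method: str,
                 reference_uri: str = "#urn_myentityidhere") -> str:
    """Constructed sample: a minimal signed EntityDescriptor whose SignedInfo mirrors
    the one in the question. DigestValue and SignatureValue are placeholders, so the
    document is only usable for the algorithm check, not for signature verification."""
    return (
        f'<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" '
        'ID="urn_myentityidhere" entityID="urn:myentityidhere">'
        '<ds:Signature><ds:SignedInfo>'
        '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
        f'<ds:SignatureMethod Algorithm="{signature_method}"/>'
        f'<ds:Reference URI="{reference_uri}"><ds:Transforms>'
        '<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>'
        '<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
        f'</ds:Transforms><ds:DigestMethod Algorithm="{digest_method}"/>'
        '<ds:DigestValue>xxxxxxx</ds:DigestValue></ds:Reference>'
        '</ds:SignedInfo><ds:SignatureValue>xxxxxxx</ds:SignatureValue></ds:Signature>'
        '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>'
        '</md:EntityDescriptor>'
    )


RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

if __name__ == "__main__":
    # Before the digestMethodAlgorithm change: SHA-256 signature but SHA-1 digest.
    print(check_metadata_signature(build_sample(RSA_SHA256, SHA1)))
    # After the change: both SHA-256, as in the final SignedInfo in the self-answer.
    print(check_metadata_signature(build_sample(RSA_SHA256, SHA256)))
```

To run it against a real deployment, pass the body of /saml/metadata (or the saved metadata file) to check_metadata_signature instead of a constructed sample. If you keep the AD FS workaround from this answer, which drops the setSignatureReferenceDigestMethod() call, the DigestMethod is whatever the OpenSAML global configuration defaults to; the check reports that value so you can decide whether your IdP accepts it.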
