如何读取用于OpenSAML的私钥?
好吧,这是另一个“我真的不知道从哪里开始”的问题,所以希望答案很简单。但是,我真的不知道要搜索什么,到目前为止我的尝试还没有得到很多用处。
我想从(当前磁盘上)文件中读取私钥。最终,密钥将驻留在数据库中,但这对于当下来说已经足够好了,并且差异对解析密钥材料没有任何实际意义。我已经能够创建一个
Credential
openssl genrsa 512 > d:host.key
openssl req -new -x509 -nodes -sha1 -days 365 -key d:host.key > d:host.cert
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.x509.BasicX509Credential;
private Credential getSigningCredential()
throws java.security.cert.CertificateException, IOException {
BasicX509Credential credential = new BasicX509Credential();
credential.setUsageType(UsageType.SIGNING);
// read public key
InputStream inStream = new FileInputStream("d:\host.cert");
CertificateFactory cf = CertificateFactory.getInstance("X.509");
X509Certificate cert = (X509Certificate)cf.generateCertificate(inStream);
inStream.close();
credential.setEntityCertificate(cert);
// TODO: read private key
// done.
return credential;
}
host.key
credential
Credential
没有找到相关结果
已邀请:
2 个回复
锯康
不是标准Java的一部分;我想你是在谈论OpenSAML的。 你想要一个,你将用设置。要获得,必须先将私钥转换为Java可以读取的格式,即PKCS#8:然后,来自Java:RandomAccessFile raf = new RandomAccessFile("d:\host.pk8", "r"); byte[] buf = new byte[(int)raf.length()]; raf.readFully(buf); raf.close(); PKCS8EncodedKeySpec kspec = new PKCS8EncodedKeySpec(buf); KeyFactory kf = KeyFactory.getInstance("RSA"); PrivateKey privKey = kf.generatePrivate(kspec);。 默认情况下,以自己的格式写入密钥(对于RSA密钥,PKCS#8恰好是该格式的包装),并在PEM中对它们进行编码,其中Base64具有页眉和页脚。普通Java不支持这两个特性,因此转换为PKCS#8。选项是因为PKCS#8支持可选的基于密码的私钥加密。 警告:您确实想要使用更长的RSA密钥。 512位弱; 1999年,一台512位RSA密钥被破坏,有几百台计算机。 2011年,凭借12年的技术进步,人们应该假设几乎任何人都可以破解512位RSA密钥。因此,至少使用1024位RSA密钥(最好是2048位;使用密钥时的计算开销并不差,您仍然可以每秒执行数百个签名)。绵扇寸访
Properties sigProperties = new Properties(); sigProperties.put("org.apache.ws.security.crypto.provider","org.apache.ws.security.components.crypto.Merlin"); sigProperties.put("org.apache.ws.security.crypto.merlin.keystore.type","jks"); sigProperties.put("org.apache.ws.security.crypto.merlin.keystore.password","keypass"); sigProperties.put("org.apache.ws.security.crypto.merlin.keystore.alias","keyalias"); sigProperties.put("org.apache.ws.security.crypto.merlin.keystore.file","keystore.jks"); Crypto issuerCrypto = CryptoFactory.getInstance(sigProperties); String issuerKeyName = (String) sigProperties.get("org.apache.ws.security.crypto.merlin.keystore.alias"); //See http://ws.apache.org/wss4j/xref/org/apache/ws/security/saml/ext/AssertionWrapper.html 'signAssertion' method // prepare to sign the SAML token CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS); cryptoType.setAlias(issuerKeyName); X509Certificate[] issuerCerts = issuerCrypto.getX509Certificates(cryptoType); if (issuerCerts == null) { throw new WSSecurityException( "No issuer certs were found to sign the SAML Assertion using issuer name: " + issuerKeyName); } String password = ADSUnitTestUtils.getPrivateKeyPasswordFromAlias(issuerKeyName); PrivateKey privateKey = null; try { privateKey = issuerCrypto.getPrivateKey(issuerKeyName, password); } catch (Exception ex) { throw new WSSecurityException(ex.getMessage(), ex); } BasicX509Credential signingCredential = new BasicX509Credential(); signingCredential.setEntityCertificate(issuerCerts[0]); signingCredential.setPrivateKey(privateKey); signature.setSigningCredential(signingCredential);