Opensaml KeyInfo Configuration

Question

Me and my team are using opensaml to generate SAML tokens. We have mananaged to get this set up, but were told by a member of another team that they would appreciate it if we could configure the generated token somewhat.

The area they would like us to alter is the EncryptedKey section of the token. Currently, it looks something like this:

        <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
        Id="_9b07dd8a259d8ee8162adf17cd761d34">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"
            xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" />
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
                <ds:X509Certificate>MIIC4DCCAcigAwIBAgIEUUrqgDANBgkqhkiG9w0BAQUFADAyMTAwLgYDVQQDEydCRFNQVUtMNzAz
                    NDIzODUuY2xpZW50LmJhcmNsYXlzY29ycC5jb20wHhcNMTMwMzIxMTEwOTUyWhcNMTQwMzIxMTEw
                    OTUyWjAyMTAwLgYDVQQDEydCRFNQVUtMNzAzNDIzODUuY2xpZW50LmJhcmNsYXlzY29ycC5jb20w
                    ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCmWG7p7iATCM06WMsKg8LlLg8AXUvyZI6l
                    hZkz7Sc/moL6WtSUBrL60joLAi4L+P/VrbtZMNzP9kh3uyW0uZ0Vb+DhsXMQBccgdQMzq//nK2GN
                    0+/F4KYKLsdYpecR28YlOQRl2Y6Gc3i8PZIk2a8bmf64tbOCyOWHzX7fNHo+MSM3JcWOLltFKZCT
                    z8O8OJjhFqxA7fl+zLBEXprJZtxU/AOaLW6qBPh8w1LmIfU8nK5bnjlKpdobV8uXlXkKVOJWxm1P
                    yjQDt1G1FKyBKLmyPbw9xY5DSDmQFpwgeZIQdOkRrrYzwYzYFCuqL9USjPw6414kYqBNr221SWei
                    pLjbAgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAILQ69plSMdO8/3nx5ZJPMWSS2MqFlThAoMW0kmK
                    20DBH5o3b+6BZ4d566IEGRReOOFVxMKNbuq3thrIliUQG0Qzzu0T41UE7noFXwZOwavYxhy1BdwW
                    B906CAb0Qq7qu1FXd8PVKzLn7IazaPXSuRkhGmoE4vcRVphRZkzU6xjkfEZ5AO+7qVE/5tcREXAB
                    coxpqWeTVeZiT0oazx7eWyqVlqSaLboOqByk5O921hY4E7PZaS7HGBXHcywVHU9fXwbEIgNl0noC
                    sduXcYkjC6WEiV8rQiuBXx5bspPkau28V+GQ1kNwuq5ypEskDW3GHUrZiAmaucooahVzvhDiBM0=
                </ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
        <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
            <xenc:CipherValue>LhIn8/SjXbnCsMP6ITxb++0rFYpN8S0L6K/VE74XKjh4Jtlo8IaZQi6c9HRqlII/VT5OKaVySNCO2wOaKS/EUsTt5a/0oR9Yh9mCLt9NQDpkxau1OiydwTYoo6G29fFpYgeDXEPrdR4iUlOERuulmFlNTETWu/doHb4b6hFZdsLEtQH1qSi/jBIq2Q7peXI396G8RWDoWO1urJtIQWR5HjqDckcp3eQ2AC3mXkm949g+OS3Y3g/dPi5erkAhNmFXdinOnX6SQWHEBhFkroFfzqkzEPOVlJdL5Rb9X1mgEk5tJefSUChs6HguRqMeMr0s4UFi/KUwlZbINio1hSNTZg==
            </xenc:CipherValue>
        </xenc:CipherData>
        <xenc:ReferenceList>
            <xenc:DataReference URI="#_a04f85fb05fda175a5e7eba026640f16" />
        </xenc:ReferenceList>
    </xenc:EncryptedKey>

The way my colleague would like it to look, however is something along the lines of this:

<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
   <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
   <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
     <dsig:KeyName>BCL12232</dsig:KeyName>
   </dsig:KeyInfo>
   <xenc:CipherData>
      <xenc:CipherValue>
         H4lcHtpC9WJcwbZ4rWFEipoRN7tbc7EOWRqZPWDtds9WaukKZP8mPECxYS7LGbV5HP+87nTE5AMfTOLecVLMiR42vFL8sza6HiMD1L5+At26UUgowlixjnUs89vE8c11sv7J5eTVb41bi/DSFLRHdaZ+sJ4ojHCxwcsUcxelsjC+kcAC09hGXOT6b7DBxzWgk+XHY86uuvpYpLLu28TibzpJdpo1gm237QJrAcz2RSY9RqCDN9UOtByHbbihCiKIMIUXG6wHBUnAtZbTp7XS3RMgkK1YBys91ImXvmRYTaNRnW2sQmdwli6m1Oxi9vFFvt8wAUClNRbM1m6wX/r1oQ==
      </xenc:CipherValue>
   </xenc:CipherData>
</xenc:EncryptedKey>

As you can see, the difference is that the X509 certificate is not added to the SAML token in the latter example, and the only information about the key is the Key name.

Having looked into it, I think that the issue may be in the Credential.

Does anybody have any experience with configuring opensaml in such a way? How is it possible to conffigure the KeyInfo like this?

Thanks in advance for the help.

UPDATE: I have worked out how to set the keyname now, using KeyInfoHelper.addKeyName(KeyInfo, KeyName);, but am still having no luck in hiding the X509 certificate information.

Answer 1

The problem was that I was using opensaml to autogenerate the key info for me. By default, the x509 certificate is attached. I overcame this by creating my own KeyInfo object, and simply adding a key name to it.

Seems a bit hacky, but got the job done.

Below is the method I wrote to create the key info.

private KeyInfo getKeyInfo(final Credential c, final String keyName) {

    final SecurityConfiguration secConfiguration =
            Configuration.getGlobalSecurityConfiguration();
    final NamedKeyInfoGeneratorManager namedKeyInfoGeneratorManager =
            secConfiguration.getKeyInfoGeneratorManager();
    final KeyInfoGeneratorManager keyInfoGeneratorManager =
            namedKeyInfoGeneratorManager.getDefaultManager();
    final KeyInfoGeneratorFactory keyInfoGeneratorFactory =
            keyInfoGeneratorManager.getFactory(c);
    final KeyInfoGenerator keyInfoGenerator = keyInfoGeneratorFactory.newInstance();
    KeyInfo keyInfo;

    keyInfo = keyInfoGenerator.generate(c);
    KeyInfoHelper.addKeyName(keyInfo,
            keyName);
    return keyInfo;
}

Answer 2

This is the OpenSAML 3+ version.

private KeyInfo getKeyInfo(Credential c, String keyNameValue) {
    KeyName keyName = new KeyNameBuilder().buildObject();
    keyName.setValue(keyNameValue);
    EncryptionConfiguration secConfiguration = SecurityConfigurationSupport.getGlobalEncryptionConfiguration();
    NamedKeyInfoGeneratorManager namedKeyInfoGeneratorManager = secConfiguration.getDataKeyInfoGeneratorManager();
    KeyInfoGeneratorManager keyInfoGeneratorManager = namedKeyInfoGeneratorManager.getDefaultManager();
    KeyInfoGeneratorFactory keyInfoGeneratorFactory = keyInfoGeneratorManager.getFactory(credential);
    KeyInfoGenerator keyInfoGenerator = keyInfoGeneratorFactory.newInstance();
    KeyInfo keyInfo = keyInfoGenerator.generate(credential);
    keyInfo.getKeyNames().add(keyName);
    keyInfo.getX509Datas().clear();
    return keyInfo;             
}