keycloak-scim/testsuite/integration-arquillian/servers/auth-server/common/keystore/client.key

55 lines
3.2 KiB
Text
Raw Normal View History

KEYCLOAK-4335: x509 client certificate authentication Started on implementing cert thumbprint validation as a part of x509 auth flow. Added a prompt screen to give users a choice to either log in based on the identity extracted from X509 cert or to continue with normal browser login flow authentication; clean up some of the comments x509 authentication for browser and direct grant flows. Implemented certificate to user mapping based on user attribute Implemented CRL and OCSP certificate revocation checking and added corresponding configuration settings to set up responderURI (OCSP), a location of a file containing X509CRL entries and switiches to enable/disable revocation checking; reworked the certificate validation; removed superflous logging; changed the certificate authentication prompt page to automatically log in the user after 10 seconds if no response from user is received Support for loading CRL from LDAP directory; finished the CRL checking using the distribution points in the certificate; updated the instructions how to add X509 authentication to keycloak authentication flows; minor styling changes Stashing x509 unit test related changes; added the steps to configure mutual SSL in WildFly to the summary document A minor fix to throw a security exception when unable to check cert revocation status using OCSP; continue working on README Changes to the formating of the readme Added a list of features to readme Fixed a potential bug in X509 cert user authenticator that may cause NPE if the client certificate does not define keyusage or extended key usage extensions Fixed compile time errors in X509 validators caused by the changes to the user credentials model in upstream master Removed a superfluous file created when merging x509 and main branches X509 authentication: removed the PKIX path validation as superflous Reverted changes to the AbstractAttributeMapper introduced during merging of x509 branch into main Merge the unit tests from x509 branch added mockito dependency to services project; changes to the x509 authenticators to expose methods in order to support unit tests; added a default ctor to CertificateValidator class to support unit testing; updated the direct grant and browser x509 authenticators to report consistent status messages; unit tests to validate X509 direct grant and browser authenticators; fixed OCSP validation to throw an exception if the certificate chain contains a single certificate; fixed the CRL revocation validation to only use CRL distribution point validation only if configured CRL and OSCP mock tests using mock netty server. Changed the certificate validator to better support unit testing. changes to the mockserver dependency to explicitly exclude xercesImpl that was causing SAMLParsingTest to fail Added a utility class to build v3 certificates with optional extensions to facilitate X509 unit testing; removed supoerfluous certificate date validity check (undertow should be checking the certificate dates during PKIX path validation anyway) X509: changes to make configuring the user identity extraction simplier for users - new identity sources to map certificate CN and email (E) attributes from X500 subject and issuer names directly rather than using regular expressions to parse them X509 fixed a compile error caused by the changes to the user model in master Integration tests to validate X509 client certificate authentication Minor tweaks to X509 client auth related integration tests CRLs to support x509 client cert auth integration tests X509: reverted the changes to testrealm.json and updated the test to configure the realm at runtime X509 - changes to the testsuite project configuration to specify a path to a trust store used to test x509 direct grant flow; integration tests to validate x509 authentication in browser and direct grant flows; updated the client certificate to extend its validatity dates; x509 integration tests and authenticators have been refactored to use a common configuration class X509 separated the browser and direct grant x509 authenction integration tests x509 updated the authenticator provider test to remove no longer supported cert thumbprint authenticator x509 removed the dependency on mockito x509 re-implemented OCSP certificate revocation client used to check revocation status when logging in with x509 certificate to work around the dependency on Sun OCSP implementation; integration tests to verify OCSP revocation requests index.txt.attr is needed by openssl to run a simple OCSP server x509: minor grammar fixes Add OCSP stub responder to integration tests This commit adds OCSP stub responder needed for the integration tests, and eliminates the need to run external OCSP responder in order to run the OCSP in X509OCSPResponderTest. Replace printStackTrece with logging This commit replaces call to printStackTrace that will end up going to the stderr with logging statement of WARN severity. Remove unused imports Removed unused imports in org.keycloak.authentication.authenticators.x509 package. Parameterized Hashtable variable Removed unused CertificateFactory variable Declared serialVersionUID for Serializable class Removed unused CertificateBuilder class The CertificateBuilder was not used anywhere in the code, removing it to prevent technical debt. Removing unused variable declaration `response` variable is not used in the test, removed it. Made sure InputStreams are closed Even though the InputStreams are memory based, added try-with-resources to make sure that they are closed. Removed deprecated usage of URLEncoder Replaced invocation of deprecated method from URLEncoder with Encode from Keycloak util package. Made it more clear how to control OCSP stub responder in the tests X509 Certificate user authentication: moved the integration unit tests into their own directory to fix a failing travis test job KEYCLOAK-4335: reduced the logging level; added the instructions how to run X.509 related tests to HOW-TO-RUN.md doc; removed README.md from x509 folder; removed no longer used ocsp profile and fixed the exclusion filter; refactored the x509 base test class that was broken by the recent changes to the integration tests KEYCLOAK-4335: fixed a few issues after rebasing
2016-07-26 15:47:28 +00:00
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,58507FBFA90F44D96D42E8ED4989032F
eO/DUxz7PGUmyv6Nu89tWvad4O2Jzdr6kNCMsRcaG1JFJsMdGUNtuXjKyEaIKo9B
MLXAoFgtyW4t0TozNVzsS8mSwkU9eOP+cAGLReoHZ8C+w5y+Dm7Kuc37X+HF0HCL
4UkfNGKwgVJuXbVFVTTRVypB0Ul9Q2s43iN0YUfsYK333FHdDHxYyk7X+zvbposO
Q33oFsa0D4Ga2VdE8FQX5pDBqPOjXt8a3LaZxi5r8pZDRY+mcE04qnZLdUk6jCeQ
u4zHjsn/F+aW+EhAHH9vAwHLJ7lQOBtsdGxj2QXUAnU3LnRs2XxvYtZbxkG/p4sb
FCAP57bBxmkL51RJTM4fgnq/b1JRtGwS1kRbHSiKTnrDO8JHcmILKSoIUG9IcwNp
SFcKVZiabEdNSAiY9J+nvZMR8d946SqAQ/kA2Z7WH/6pbs4pd0ODIpYbNYwUfPcP
51tQI/fna2fyvGA0xxr5MUi3Ua8kp9KmoZaX+ghjwh8QLa82mcvOjbYaV6c2OT4m
92Eq7Si+u82fq2l5TjmKXLT5dwAUqZU1GnbG2Qd7/HW2h7PFIuReITL9UZhbCMoi
zOSz3wKniP/npE+I4+hYTRxKaV2mkAd1FC4+QhSZbmupf3WOxbtaJP6V8gd4BgRQ
O6mN9BvXYihSWyn7zQ/4MuGq5/k+XmTsxhfPZ7KW7DyeDGdl7qTcW5I7k+i6Lnh6
YozNJn+CVQnZ67x4OhkQ9GQSBkEXudGurzWOJ3xNHOMtAGfQZRjHepcf1TeRN8C1
voyY0Yx4V95XfbCMzbQckxhDigHJqCBk0bewp0LYXbn0traawZXNJ9nZHDFMyuX9
Oztjx5cFdH/kxSjy0Qquzy9rtEzw72CnBw/AisaGMkMaxQWP92n0hav5XSKg5eD3
OD42fsFWvbTN12kFXETDeQGuSJoJ3X2R9UnG2GL1Uc4lEFOu7LVpQX1hVi0qJjsv
NqFO/4pbB+IpwwHV/6Nh7hwBXQVXKcGq3fq9+iCWk4hmZLutTSrsdsLWyqxF+r+1
a3mk2nZgpTVkmfNsOf7vY1R4fWkUu7M7Pb0R0eQ9vG8w7Aodym6snkxdZBwl09TM
YpxofsvgVGcteZWK7hgESODpBklZstNXOIk4hsDhm8+PPfWuOndBEkocAf0D/4OE
lPGcdG9gTc8HOiJLtK8QSJUbtfauJHqp9Dzkc3qNZuSTwwCvk4v2oYV7FrCzZfcC
yPgN2AhOx8EDT3vx2IV62dbHeamWlT+hpdCIiEXnyL5MVBvO3Td+g3BM+RRVSmaB
ZBgfZaFjlZvDDeqH8eOGNoKN06tGdpxeGJaPr5G3ksrmupBVB1Gay+T98Kux4zAk
fw0oFPDEyRiup+iOXpltRtP7d3SH7ngjapm6aDBs2weWrnLrcjZx5iyOed8z8zWG
Ygmar31qn0qMUf/8HZb4c3DYkc1mjpKZLQnyouP82p++1VTN8S27Kf06eTob5zYa
pWhCDHPWA8FFNF9d1zgSTBLEFawryM59rLJteg7G7yiSN43OBk7THNI2OwK8y2Mv
KvwMoyStvMbiMn4qVR8mcnLrAYUd2RhuDGX3NOExI+9EBSGpwUP22I/nQ9HRlJ9D
OoKaTIdqv0twC3QYIbYf6RUngD2Yzo8ie9Ys31dZqJidSRj9xnpkb8Xe4S5J2Sxm
HP7VJsjjlPH9X+Q+xRWqwvzPi/hDBozo5GR1wrLGOVTRSYsXHjrULu+ael+65m+m
VXg8Ufzl1j/8KttWjvHOi3RJuusOx8Z6U3E/9YoVCqyuR3rXX7ILHq6UrOLPmLhg
cOyZy3LJXH2MpLbfhVQ6C5xKUJLQm88FBzdfKTt5aSCHzGa0nmT+qzu+x/s4B37H
hk9/B0W6hUf8TCy8YYRx7vK6IKpo4qVG3R0n/brtWtw5fYCYHna1qPknQWzROUeK
2sLW1Xv7Tk1koGcDs4Xv6p3jVCgAYE3DsubqGu7y9j49t9D08IukOMbtY6tc5+b6
zIrZfz8+XpdM9BmQ+5N5yVv2Ut0t7SGoEQ+pHOwsBu2H2dcW+DdfwyCk7izC0eUR
Fkv//R+uTaX4g3WSI3++ghDtQlcRf0nFn3c3uCK4HSP2E6doPQuuguKXXnJ+syDD
rsUZUV0Ia8X8ZCLkza7WfFgoJ2hXe6rehU7YLnvBekCMu0S99/a/oJ3t/JJFB0LF
5aw9nSlunrcCce9umPwKxc2pMcrIEAAjmmUhXza3LgHJsDiYYSDDo2e1Cbb5j61s
qCbFxB+WFYc2rRnzK/CLIDhIayWcwyelHAelpQOQ+gReh7ZZSSu5c0Rl9brTZ9tN
HfMPY5/6eBbASXxA9BStFbasLnlOARojkRgEAMOMv4ZyN4gn949Dd3nwC4gr9f++
IjqV/YgQOKtL4rOMgvLvb5Y0rhDFOiXTdpZBqhk/6bZo1T2j4ts72FdkAmr2u5gp
VxVyLv8L/KJv8jKqGbqJeMntarl30wfq4SRNe5te81DbSWrUGaQQyYqLL0/ixL2F
E6O+0bajYmrz45ZGhJqXJRxnlwyDWL1kPy+f8IlItyXp72WqHqKb/IyImvHgxnnm
IDv06cjX1LvX+fO3B2/9AveksSqnifrMBRjtFhRxTHdLEt9E1kSOJMb4tOlm/QpI
UQV0HkQRsUE3F6N7OEmfuA88jwiNRTSjl6WbFQ0O01lKFeKmy4cPJfnSOvHNL34Z
zztSboe9Red6qXzkR1mjh8BO/5Nu2ihlk8spqxNFUoPteUU57KITanXr63IudaSX
hDA7viBAqcmjPy/j4YY0UVvvWBCqIK0ejcEghxHJak/n3qpiSm0mYMMubi51O5UT
rxzZ9aqVfw4zmmZqrh+UIAwHJRpQw+zmXIN1h7pdTR1JGuSqStNgSgL53FoX2v9K
I0QQ6RbGJ7Yleb4P8DUHkaY9ljARsioVdbmzQgYDpt45KG9iFeREadvA0WpuapKE
/WePOmKMJ+qhnvENPSLLrf5ssho95GWf/6pGEV4PmMLanQ5iGV48wLXMtbQ/ud9N
qA7XQd2Vb4fNEVQ1aNdXg1gjB3QYyJoB0/exCOm/xLrewfd7zlXk8BERXwV1yQ5f
tYumN2X4RS2+Y0s9K6ujwEkYi7HUph6vPuq3il4DcSNFj8Wop/f6AAXSml3mqxYd
KEYCLOAK-4335: x509 client certificate authentication Started on implementing cert thumbprint validation as a part of x509 auth flow. Added a prompt screen to give users a choice to either log in based on the identity extracted from X509 cert or to continue with normal browser login flow authentication; clean up some of the comments x509 authentication for browser and direct grant flows. Implemented certificate to user mapping based on user attribute Implemented CRL and OCSP certificate revocation checking and added corresponding configuration settings to set up responderURI (OCSP), a location of a file containing X509CRL entries and switiches to enable/disable revocation checking; reworked the certificate validation; removed superflous logging; changed the certificate authentication prompt page to automatically log in the user after 10 seconds if no response from user is received Support for loading CRL from LDAP directory; finished the CRL checking using the distribution points in the certificate; updated the instructions how to add X509 authentication to keycloak authentication flows; minor styling changes Stashing x509 unit test related changes; added the steps to configure mutual SSL in WildFly to the summary document A minor fix to throw a security exception when unable to check cert revocation status using OCSP; continue working on README Changes to the formating of the readme Added a list of features to readme Fixed a potential bug in X509 cert user authenticator that may cause NPE if the client certificate does not define keyusage or extended key usage extensions Fixed compile time errors in X509 validators caused by the changes to the user credentials model in upstream master Removed a superfluous file created when merging x509 and main branches X509 authentication: removed the PKIX path validation as superflous Reverted changes to the AbstractAttributeMapper introduced during merging of x509 branch into main Merge the unit tests from x509 branch added mockito dependency to services project; changes to the x509 authenticators to expose methods in order to support unit tests; added a default ctor to CertificateValidator class to support unit testing; updated the direct grant and browser x509 authenticators to report consistent status messages; unit tests to validate X509 direct grant and browser authenticators; fixed OCSP validation to throw an exception if the certificate chain contains a single certificate; fixed the CRL revocation validation to only use CRL distribution point validation only if configured CRL and OSCP mock tests using mock netty server. Changed the certificate validator to better support unit testing. changes to the mockserver dependency to explicitly exclude xercesImpl that was causing SAMLParsingTest to fail Added a utility class to build v3 certificates with optional extensions to facilitate X509 unit testing; removed supoerfluous certificate date validity check (undertow should be checking the certificate dates during PKIX path validation anyway) X509: changes to make configuring the user identity extraction simplier for users - new identity sources to map certificate CN and email (E) attributes from X500 subject and issuer names directly rather than using regular expressions to parse them X509 fixed a compile error caused by the changes to the user model in master Integration tests to validate X509 client certificate authentication Minor tweaks to X509 client auth related integration tests CRLs to support x509 client cert auth integration tests X509: reverted the changes to testrealm.json and updated the test to configure the realm at runtime X509 - changes to the testsuite project configuration to specify a path to a trust store used to test x509 direct grant flow; integration tests to validate x509 authentication in browser and direct grant flows; updated the client certificate to extend its validatity dates; x509 integration tests and authenticators have been refactored to use a common configuration class X509 separated the browser and direct grant x509 authenction integration tests x509 updated the authenticator provider test to remove no longer supported cert thumbprint authenticator x509 removed the dependency on mockito x509 re-implemented OCSP certificate revocation client used to check revocation status when logging in with x509 certificate to work around the dependency on Sun OCSP implementation; integration tests to verify OCSP revocation requests index.txt.attr is needed by openssl to run a simple OCSP server x509: minor grammar fixes Add OCSP stub responder to integration tests This commit adds OCSP stub responder needed for the integration tests, and eliminates the need to run external OCSP responder in order to run the OCSP in X509OCSPResponderTest. Replace printStackTrece with logging This commit replaces call to printStackTrace that will end up going to the stderr with logging statement of WARN severity. Remove unused imports Removed unused imports in org.keycloak.authentication.authenticators.x509 package. Parameterized Hashtable variable Removed unused CertificateFactory variable Declared serialVersionUID for Serializable class Removed unused CertificateBuilder class The CertificateBuilder was not used anywhere in the code, removing it to prevent technical debt. Removing unused variable declaration `response` variable is not used in the test, removed it. Made sure InputStreams are closed Even though the InputStreams are memory based, added try-with-resources to make sure that they are closed. Removed deprecated usage of URLEncoder Replaced invocation of deprecated method from URLEncoder with Encode from Keycloak util package. Made it more clear how to control OCSP stub responder in the tests X509 Certificate user authentication: moved the integration unit tests into their own directory to fix a failing travis test job KEYCLOAK-4335: reduced the logging level; added the instructions how to run X.509 related tests to HOW-TO-RUN.md doc; removed README.md from x509 folder; removed no longer used ocsp profile and fixed the exclusion filter; refactored the x509 base test class that was broken by the recent changes to the integration tests KEYCLOAK-4335: fixed a few issues after rebasing
2016-07-26 15:47:28 +00:00
-----END RSA PRIVATE KEY-----