keycloak-scim/services/src/main/java/org/keycloak/crypto/ClientECDSASignatureVerifierContext.java

package org.keycloak.crypto;

import org.keycloak.common.VerificationException;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.keys.loader.PublicKeyStorageManager;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;

public class ClientECDSASignatureVerifierContext extends AsymmetricSignatureVerifierContext {
    public ClientECDSASignatureVerifierContext(KeycloakSession session, ClientModel client, JWSInput input) throws VerificationException {
        super(getKey(session, client, input));
    }

    private static KeyWrapper getKey(KeycloakSession session, ClientModel client, JWSInput input) throws VerificationException {
        KeyWrapper key = PublicKeyStorageManager.getClientPublicKeyWrapper(session, client, input);
        if (key == null) {
            throw new VerificationException("Key not found");
        }
        if (!KeyType.EC.equals(key.getType())) {
            throw new VerificationException("Key Type is not EC: " + key.getType());
        }
        if (key.getAlgorithm() == null) {
            // defaults to the algorithm set to the JWS
            // validations should be performed prior to verifying signature in case there are restrictions on the algorithms
            // that can used for signing
            key.setAlgorithm(input.getHeader().getRawAlgorithm());
        } else if (!key.getAlgorithm().equals(input.getHeader().getRawAlgorithm())) {
            throw new VerificationException("Key Algorithms are different, key-algorithm=" + key.getAlgorithm()
                    + " jwt-algorithm=" + input.getHeader().getRawAlgorithm());
        }
        return key;
    }

    @Override
    public boolean verify(byte[] data, byte[] signature) throws VerificationException {
        try {
            /*
            Fallback for backwards compatibility of ECDSA signed tokens which were issued in previous versions.
            TODO remove by https://issues.jboss.org/browse/KEYCLOAK-11911
             */
            int expectedSize = ECDSASignatureProvider.ECDSA.valueOf(getAlgorithm()).getSignatureLength();
            byte[] derSignature = expectedSize != signature.length && signature[0] == 0x30 ? signature : ECDSASignatureProvider.concatenatedRSToASN1DER(signature, expectedSize);
            return super.verify(data, derSignature);
        } catch (Exception e) {
            throw new VerificationException("Signing failed", e);
        }
    }
}
KEYCLOAK-9651 Wrong ECDSA signature R and S encoding 2019-11-01 13:44:56 +00:00			`package org.keycloak.crypto;`

			`import org.keycloak.common.VerificationException;`
			`import org.keycloak.jose.jws.JWSInput;`
			`import org.keycloak.keys.loader.PublicKeyStorageManager;`
			`import org.keycloak.models.ClientModel;`
			`import org.keycloak.models.KeycloakSession;`

			`public class ClientECDSASignatureVerifierContext extends AsymmetricSignatureVerifierContext {`
			`public ClientECDSASignatureVerifierContext(KeycloakSession session, ClientModel client, JWSInput input) throws VerificationException {`
			`super(getKey(session, client, input));`
			`}`

			`private static KeyWrapper getKey(KeycloakSession session, ClientModel client, JWSInput input) throws VerificationException {`
			`KeyWrapper key = PublicKeyStorageManager.getClientPublicKeyWrapper(session, client, input);`
			`if (key == null) {`
			`throw new VerificationException("Key not found");`
			`}`
Issue #9194: Client authentication fails when using signed JWT, if the JWA signing algorithm is not RS256 2021-12-20 07:58:30 +00:00			`if (!KeyType.EC.equals(key.getType())) {`
			`throw new VerificationException("Key Type is not EC: " + key.getType());`
			`}`
			`if (key.getAlgorithm() == null) {`
			`// defaults to the algorithm set to the JWS`
			`// validations should be performed prior to verifying signature in case there are restrictions on the algorithms`
			`// that can used for signing`
			`key.setAlgorithm(input.getHeader().getRawAlgorithm());`
			`} else if (!key.getAlgorithm().equals(input.getHeader().getRawAlgorithm())) {`
			`throw new VerificationException("Key Algorithms are different, key-algorithm=" + key.getAlgorithm()`
			`+ " jwt-algorithm=" + input.getHeader().getRawAlgorithm());`
			`}`
KEYCLOAK-9651 Wrong ECDSA signature R and S encoding 2019-11-01 13:44:56 +00:00			`return key;`
			`}`

			`@Override`
			`public boolean verify(byte[] data, byte[] signature) throws VerificationException {`
			`try {`
			`/*`
			`Fallback for backwards compatibility of ECDSA signed tokens which were issued in previous versions.`
			`TODO remove by https://issues.jboss.org/browse/KEYCLOAK-11911`
			`*/`
			`int expectedSize = ECDSASignatureProvider.ECDSA.valueOf(getAlgorithm()).getSignatureLength();`
			`byte[] derSignature = expectedSize != signature.length && signature[0] == 0x30 ? signature : ECDSASignatureProvider.concatenatedRSToASN1DER(signature, expectedSize);`
			`return super.verify(data, derSignature);`
			`} catch (Exception e) {`
			`throw new VerificationException("Signing failed", e);`
			`}`
			`}`
			`}`