Support for vault and AES and HMAC algorithms to JavaKeystoreKeyProvider
Closes #30880 Closes #29755 Signed-off-by: rmartinc <rmartinc@redhat.com>
This commit is contained in:
rmartinc
Marek Posolda
parent
2bd17cdc7c
commit
096e335a92
10 changed files with 306 additions and 94 deletions
|
|
@ -49,6 +49,7 @@ import org.bouncycastle.operator.OperatorCreationException;
|
||||||
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
|
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
|
||||||
import org.keycloak.common.util.BouncyIntegration;
|
import org.keycloak.common.util.BouncyIntegration;
|
||||||
import org.keycloak.common.crypto.CertificateUtilsProvider;
|
import org.keycloak.common.crypto.CertificateUtilsProvider;
|
||||||
|
import org.keycloak.crypto.JavaAlgorithm;
|
||||||
|
|
||||||
import java.io.ByteArrayInputStream;
|
import java.io.ByteArrayInputStream;
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
|
|
@ -188,7 +189,12 @@ public class BCCertificateUtilsProvider implements CertificateUtilsProvider {
|
||||||
signerBuilder = new JcaContentSignerBuilder("SHA256WithECDSA")
|
signerBuilder = new JcaContentSignerBuilder("SHA256WithECDSA")
|
||||||
.setProvider(BouncyIntegration.PROVIDER);
|
.setProvider(BouncyIntegration.PROVIDER);
|
||||||
break;
|
break;
|
||||||
|
}
|
||||||
|
case JavaAlgorithm.Ed25519:
|
||||||
|
case JavaAlgorithm.Ed448: {
|
||||||
|
signerBuilder = new JcaContentSignerBuilder(privateKey.getAlgorithm())
|
||||||
|
.setProvider(BouncyIntegration.PROVIDER);
|
||||||
|
break;
|
||||||
}
|
}
|
||||||
default: {
|
default: {
|
||||||
throw new RuntimeException(String.format("Keytype %s is not supported.", privateKey.getAlgorithm()));
|
throw new RuntimeException(String.format("Keytype %s is not supported.", privateKey.getAlgorithm()));
|
||||||
|
|
|
||||||
|
|
@ -49,6 +49,7 @@ import org.bouncycastle.operator.OperatorCreationException;
|
||||||
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
|
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
|
||||||
import org.keycloak.common.util.BouncyIntegration;
|
import org.keycloak.common.util.BouncyIntegration;
|
||||||
import org.keycloak.common.crypto.CertificateUtilsProvider;
|
import org.keycloak.common.crypto.CertificateUtilsProvider;
|
||||||
|
import org.keycloak.crypto.JavaAlgorithm;
|
||||||
|
|
||||||
import java.io.ByteArrayInputStream;
|
import java.io.ByteArrayInputStream;
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
|
|
@ -193,7 +194,12 @@ public class BCFIPSCertificateUtilsProvider implements CertificateUtilsProvider{
|
||||||
signerBuilder = new JcaContentSignerBuilder("SHA256WithECDSA")
|
signerBuilder = new JcaContentSignerBuilder("SHA256WithECDSA")
|
||||||
.setProvider(BouncyIntegration.PROVIDER);
|
.setProvider(BouncyIntegration.PROVIDER);
|
||||||
break;
|
break;
|
||||||
|
}
|
||||||
|
case JavaAlgorithm.Ed25519:
|
||||||
|
case JavaAlgorithm.Ed448: {
|
||||||
|
signerBuilder = new JcaContentSignerBuilder(privateKey.getAlgorithm())
|
||||||
|
.setProvider(BouncyIntegration.PROVIDER);
|
||||||
|
break;
|
||||||
}
|
}
|
||||||
default: {
|
default: {
|
||||||
throw new RuntimeException(String.format("Keytype %s is not supported.", privateKey.getAlgorithm()));
|
throw new RuntimeException(String.format("Keytype %s is not supported.", privateKey.getAlgorithm()));
|
||||||
|
|
|
||||||
|
|
@ -127,12 +127,20 @@ For the associated certificate chain to be loaded it must be imported to the Jav
|
||||||
. Click the *Providers* tab.
|
. Click the *Providers* tab.
|
||||||
. Click *Add provider* and select *java-keystore*.
|
. Click *Add provider* and select *java-keystore*.
|
||||||
. Enter a number in the *Priority* field. This number determines if the new key pair becomes the active key pair.
|
. Enter a number in the *Priority* field. This number determines if the new key pair becomes the active key pair.
|
||||||
. Enter a value for *Keystore*.
|
. Enter the desired *Algorithm*. Note that the algorithm should match the key type (for example `RS256` requires a RSA private key, `ES256` a EC private key or `AES` an AES secret key).
|
||||||
. Enter a value for *Keystore Password*.
|
. Enter a value for *Keystore*. Path to the keystore file.
|
||||||
. Enter a value for *Key Alias*.
|
. Enter the *Keystore Password*. The option can refer a value from an external <<_vault-administration,vault>>.
|
||||||
. Enter a value for *Key Password*.
|
. Enter a value for *Keystore Type* (`JKS`, `PKCS12` or `BCFKS`).
|
||||||
|
. Enter a value for the *Key Alias* to load from the keystore.
|
||||||
|
. Enter the *Key Password*. The option can refer a value from an external <<_vault-administration,vault>>.
|
||||||
|
. Enter a value for *Key Use* (`sig` for signing or `enc` for encryption). Note that the use should match the algorithm type (for example `RS256` is `sig` but `RSA-OAEP` is `enc`)
|
||||||
. Click *Save*.
|
. Click *Save*.
|
||||||
|
|
||||||
|
[WARNING]
|
||||||
|
====
|
||||||
|
Not all the keystore types support all types of keys. `JKS` and `PKCS12` in fips modes (provider `BCFIPS`) cannot store secret key entries.
|
||||||
|
====
|
||||||
|
|
||||||
==== Making keys passive
|
==== Making keys passive
|
||||||
|
|
||||||
.Procedure
|
.Procedure
|
||||||
|
|
|
||||||
|
|
@ -17,38 +17,42 @@
|
||||||
|
|
||||||
package org.keycloak.keys;
|
package org.keycloak.keys;
|
||||||
|
|
||||||
import org.keycloak.common.crypto.CryptoIntegration;
|
|
||||||
import org.keycloak.common.util.CertificateUtils;
|
|
||||||
import org.keycloak.common.util.KeyUtils;
|
import org.keycloak.common.util.KeyUtils;
|
||||||
import org.keycloak.common.util.KeystoreUtil;
|
import org.keycloak.common.util.KeystoreUtil;
|
||||||
import org.keycloak.component.ComponentModel;
|
import org.keycloak.component.ComponentModel;
|
||||||
import org.keycloak.crypto.Algorithm;
|
import org.keycloak.crypto.Algorithm;
|
||||||
|
import org.keycloak.crypto.JavaAlgorithm;
|
||||||
import org.keycloak.crypto.KeyStatus;
|
import org.keycloak.crypto.KeyStatus;
|
||||||
import org.keycloak.crypto.KeyType;
|
import org.keycloak.crypto.KeyType;
|
||||||
import org.keycloak.crypto.KeyUse;
|
import org.keycloak.crypto.KeyUse;
|
||||||
import org.keycloak.crypto.KeyWrapper;
|
import org.keycloak.crypto.KeyWrapper;
|
||||||
import org.keycloak.jose.jwe.JWEConstants;
|
import org.keycloak.jose.jwe.JWEConstants;
|
||||||
import org.keycloak.models.RealmModel;
|
import org.keycloak.models.RealmModel;
|
||||||
|
import org.keycloak.models.utils.KeycloakModelUtils;
|
||||||
|
import org.keycloak.vault.VaultTranscriber;
|
||||||
|
|
||||||
import java.io.FileInputStream;
|
import java.io.FileInputStream;
|
||||||
import java.io.FileNotFoundException;
|
import java.io.FileNotFoundException;
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
import java.security.GeneralSecurityException;
|
import java.security.GeneralSecurityException;
|
||||||
|
import java.security.Key;
|
||||||
import java.security.KeyPair;
|
import java.security.KeyPair;
|
||||||
import java.security.KeyStore;
|
import java.security.KeyStore;
|
||||||
import java.security.KeyStoreException;
|
import java.security.KeyStoreException;
|
||||||
import java.security.NoSuchAlgorithmException;
|
import java.security.NoSuchAlgorithmException;
|
||||||
import java.security.PrivateKey;
|
|
||||||
import java.security.PublicKey;
|
import java.security.PublicKey;
|
||||||
import java.security.UnrecoverableKeyException;
|
import java.security.UnrecoverableKeyException;
|
||||||
import java.security.cert.CertPath;
|
import java.security.cert.CertPath;
|
||||||
import java.security.cert.CertPathValidator;
|
import java.security.cert.CertPathValidator;
|
||||||
|
import java.security.cert.Certificate;
|
||||||
import java.security.cert.CertificateException;
|
import java.security.cert.CertificateException;
|
||||||
import java.security.cert.CertificateFactory;
|
import java.security.cert.CertificateFactory;
|
||||||
import java.security.cert.PKIXParameters;
|
import java.security.cert.PKIXParameters;
|
||||||
import java.security.cert.TrustAnchor;
|
import java.security.cert.TrustAnchor;
|
||||||
import java.security.cert.X509Certificate;
|
import java.security.cert.X509Certificate;
|
||||||
import java.security.interfaces.ECPrivateKey;
|
import java.security.interfaces.ECPrivateKey;
|
||||||
|
import java.security.interfaces.EdECPrivateKey;
|
||||||
|
import java.security.interfaces.RSAPrivateCrtKey;
|
||||||
import java.util.Arrays;
|
import java.util.Arrays;
|
||||||
import java.util.Collections;
|
import java.util.Collections;
|
||||||
import java.util.HashSet;
|
import java.util.HashSet;
|
||||||
|
|
@ -57,6 +61,7 @@ import java.util.Optional;
|
||||||
import java.util.Set;
|
import java.util.Set;
|
||||||
import java.util.stream.Collectors;
|
import java.util.stream.Collectors;
|
||||||
import java.util.stream.Stream;
|
import java.util.stream.Stream;
|
||||||
|
import javax.crypto.SecretKey;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
|
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
|
||||||
|
|
@ -67,15 +72,18 @@ public class JavaKeystoreKeyProvider implements KeyProvider {
|
||||||
|
|
||||||
private final ComponentModel model;
|
private final ComponentModel model;
|
||||||
|
|
||||||
|
private final VaultTranscriber vault;
|
||||||
|
|
||||||
private final KeyWrapper key;
|
private final KeyWrapper key;
|
||||||
|
|
||||||
private final String algorithm;
|
private final String algorithm;
|
||||||
|
|
||||||
public JavaKeystoreKeyProvider(RealmModel realm, ComponentModel model) {
|
public JavaKeystoreKeyProvider(RealmModel realm, ComponentModel model, VaultTranscriber vault) {
|
||||||
this.model = model;
|
this.model = model;
|
||||||
|
this.vault = vault;
|
||||||
this.status = KeyStatus.from(model.get(Attributes.ACTIVE_KEY, true), model.get(Attributes.ENABLED_KEY, true));
|
this.status = KeyStatus.from(model.get(Attributes.ACTIVE_KEY, true), model.get(Attributes.ENABLED_KEY, true));
|
||||||
|
|
||||||
String defaultAlgorithmKey = KeyUse.ENC.name().equals(model.get(Attributes.KEY_USE)) ? JWEConstants.RSA_OAEP : Algorithm.RS256;
|
String defaultAlgorithmKey = KeyUse.ENC.name().equalsIgnoreCase(model.get(Attributes.KEY_USE)) ? JWEConstants.RSA_OAEP : Algorithm.RS256;
|
||||||
this.algorithm = model.get(Attributes.ALGORITHM_KEY, defaultAlgorithmKey);
|
this.algorithm = model.get(Attributes.ALGORITHM_KEY, defaultAlgorithmKey);
|
||||||
|
|
||||||
if (model.hasNote(KeyWrapper.class.getName())) {
|
if (model.hasNote(KeyWrapper.class.getName())) {
|
||||||
|
|
@ -93,12 +101,19 @@ public class JavaKeystoreKeyProvider implements KeyProvider {
|
||||||
String keyAlias = model.get(JavaKeystoreKeyProviderFactory.KEY_ALIAS_KEY);
|
String keyAlias = model.get(JavaKeystoreKeyProviderFactory.KEY_ALIAS_KEY);
|
||||||
|
|
||||||
return switch (algorithm) {
|
return switch (algorithm) {
|
||||||
case Algorithm.PS256, Algorithm.PS384, Algorithm.PS512, Algorithm.RS256, Algorithm.RS384, Algorithm.RS512,
|
case Algorithm.PS256, Algorithm.PS384, Algorithm.PS512, Algorithm.RS256, Algorithm.RS384, Algorithm.RS512 ->
|
||||||
Algorithm.RSA_OAEP, Algorithm.RSA1_5, Algorithm.RSA_OAEP_256 ->
|
loadRSAKey(keyStore, keyAlias, KeyUse.SIG);
|
||||||
loadRSAKey(realm, model, keyStore, keyAlias);
|
case Algorithm.RSA_OAEP, Algorithm.RSA1_5, Algorithm.RSA_OAEP_256 ->
|
||||||
case Algorithm.ES256, Algorithm.ES384, Algorithm.ES512 -> loadECKey(realm, model, keyStore, keyAlias);
|
loadRSAKey(keyStore, keyAlias, KeyUse.ENC);
|
||||||
default ->
|
case Algorithm.ES256, Algorithm.ES384, Algorithm.ES512 ->
|
||||||
throw new RuntimeException(String.format("Keys for algorithm %s are not supported.", algorithm));
|
loadECKey(keyStore, keyAlias, KeyUse.SIG);
|
||||||
|
case Algorithm.EdDSA ->
|
||||||
|
loadEdDSAKey(keyStore, keyAlias, KeyUse.SIG);
|
||||||
|
case Algorithm.AES ->
|
||||||
|
loadOctKey(keyStore, keyAlias, JavaAlgorithm.getJavaAlgorithm(algorithm), KeyUse.ENC);
|
||||||
|
case Algorithm.HS256, Algorithm.HS384, Algorithm.HS512 ->
|
||||||
|
loadOctKey(keyStore, keyAlias, JavaAlgorithm.getJavaAlgorithm(algorithm), KeyUse.SIG);
|
||||||
|
default -> throw new RuntimeException(String.format("Keys for algorithm %s are not supported.", algorithm));
|
||||||
};
|
};
|
||||||
} catch (KeyStoreException kse) {
|
} catch (KeyStoreException kse) {
|
||||||
throw new RuntimeException("KeyStore error on server. " + kse.getMessage(), kse);
|
throw new RuntimeException("KeyStore error on server. " + kse.getMessage(), kse);
|
||||||
|
|
@ -111,7 +126,7 @@ public class JavaKeystoreKeyProvider implements KeyProvider {
|
||||||
} catch (CertificateException ce) {
|
} catch (CertificateException ce) {
|
||||||
throw new RuntimeException("Certificate error on server. " + ce.getMessage(), ce);
|
throw new RuntimeException("Certificate error on server. " + ce.getMessage(), ce);
|
||||||
} catch (UnrecoverableKeyException uke) {
|
} catch (UnrecoverableKeyException uke) {
|
||||||
throw new RuntimeException("Keystore on server can not be recovered. " + uke.getMessage(), uke);
|
throw new RuntimeException("Key in the keystore cannot be recovered. " + uke.getMessage(), uke);
|
||||||
} catch (GeneralSecurityException gse) {
|
} catch (GeneralSecurityException gse) {
|
||||||
throw new RuntimeException("Invalid certificate chain. Check the order of certificates.", gse);
|
throw new RuntimeException("Invalid certificate chain. Check the order of certificates.", gse);
|
||||||
}
|
}
|
||||||
|
|
@ -121,42 +136,90 @@ public class JavaKeystoreKeyProvider implements KeyProvider {
|
||||||
// Use "JKS" as default type for backwards compatibility
|
// Use "JKS" as default type for backwards compatibility
|
||||||
String keystoreType = KeystoreUtil.getKeystoreType(model.get(JavaKeystoreKeyProviderFactory.KEYSTORE_TYPE_KEY), keystorePath, "JKS");
|
String keystoreType = KeystoreUtil.getKeystoreType(model.get(JavaKeystoreKeyProviderFactory.KEYSTORE_TYPE_KEY), keystorePath, "JKS");
|
||||||
KeyStore keyStore = KeyStore.getInstance(keystoreType);
|
KeyStore keyStore = KeyStore.getInstance(keystoreType);
|
||||||
keyStore.load(inputStream, model.get(JavaKeystoreKeyProviderFactory.KEYSTORE_PASSWORD_KEY).toCharArray());
|
String keystorePwd = model.get(JavaKeystoreKeyProviderFactory.KEYSTORE_PASSWORD_KEY);
|
||||||
|
keystorePwd = vault.getStringSecret(keystorePwd).get().orElse(keystorePwd);
|
||||||
|
keyStore.load(inputStream, keystorePwd.toCharArray());
|
||||||
return keyStore;
|
return keyStore;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private void checkUsage(KeyUse keyUse) throws GeneralSecurityException {
|
||||||
private KeyWrapper loadECKey(RealmModel realm, ComponentModel model, KeyStore keyStore, String keyAlias) throws GeneralSecurityException {
|
String use = model.get(Attributes.KEY_USE);
|
||||||
ECPrivateKey privateKey = (ECPrivateKey) keyStore.getKey(keyAlias, model.get(JavaKeystoreKeyProviderFactory.KEY_PASSWORD_KEY).toCharArray());
|
if (use != null && !keyUse.name().equalsIgnoreCase(use)) {
|
||||||
String curve = AbstractEcdsaKeyProviderFactory.convertECDomainParmNistRepToSecRep(AbstractEcdsaKeyProviderFactory.convertAlgorithmToECDomainParmNistRep(algorithm));
|
throw new UnrecoverableKeyException(String.format("Invalid use %s for algorithm %s.", use, algorithm));
|
||||||
|
|
||||||
PublicKey publicKey = CryptoIntegration.getProvider().getEcdsaCryptoProvider().getPublicFromPrivate(privateKey);
|
|
||||||
|
|
||||||
KeyPair keyPair = new KeyPair(publicKey, privateKey);
|
|
||||||
|
|
||||||
return createKeyWrapper(keyPair, getCertificate(keyStore, keyPair, keyAlias, realm.getName()), loadCertificateChain(keyStore, keyAlias), KeyType.EC);
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
private X509Certificate getCertificate(KeyStore keyStore, KeyPair keyPair, String keyAlias, String realmName) throws KeyStoreException {
|
|
||||||
X509Certificate certificate = (X509Certificate) keyStore.getCertificate(keyAlias);
|
|
||||||
if (certificate == null) {
|
|
||||||
certificate = CertificateUtils.generateV1SelfSignedCertificate(keyPair, realmName);
|
|
||||||
}
|
}
|
||||||
return certificate;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
private KeyWrapper loadRSAKey(RealmModel realm, ComponentModel model, KeyStore keyStore, String keyAlias) throws GeneralSecurityException {
|
private X509Certificate checkCertificate(Certificate cert) throws GeneralSecurityException {
|
||||||
PrivateKey privateKey = (PrivateKey) keyStore.getKey(keyAlias, model.get(JavaKeystoreKeyProviderFactory.KEY_PASSWORD_KEY).toCharArray());
|
if (cert instanceof X509Certificate x509Cert) {
|
||||||
PublicKey publicKey = KeyUtils.extractPublicKey(privateKey);
|
return x509Cert;
|
||||||
|
}
|
||||||
|
throw new UnrecoverableKeyException(String.format("Invalid %s certificate in the entry.", (cert != null? cert.getType() : null)));
|
||||||
|
}
|
||||||
|
|
||||||
|
private <K extends KeyStore.Entry> K checkKeyEntry(KeyStore keyStore, String keyAlias, Class<K> clazz, KeyUse use) throws GeneralSecurityException {
|
||||||
|
checkUsage(use);
|
||||||
|
String keyPwd = model.get(JavaKeystoreKeyProviderFactory.KEY_PASSWORD_KEY);
|
||||||
|
keyPwd = vault.getStringSecret(keyPwd).get().orElse(keyPwd);
|
||||||
|
KeyStore.Entry keyEntry = keyStore.getEntry(keyAlias, new KeyStore.PasswordProtection(keyPwd.toCharArray()));
|
||||||
|
if (keyEntry == null) {
|
||||||
|
throw new UnrecoverableKeyException(String.format("Alias %s does not exists in the keystore.", keyAlias));
|
||||||
|
}
|
||||||
|
if (!clazz.isInstance(keyEntry)) {
|
||||||
|
throw new UnrecoverableKeyException(String.format("Invalid %s key for alias %s. Key is not %s.", algorithm, keyAlias, clazz.getSimpleName()));
|
||||||
|
}
|
||||||
|
return clazz.cast(keyEntry);
|
||||||
|
}
|
||||||
|
|
||||||
|
private <K extends Key> K checkKey(Key key, String keyAlias, Class<K> clazz, String javaAlgorithm) throws GeneralSecurityException {
|
||||||
|
if (!clazz.isInstance(key) || (javaAlgorithm != null && !javaAlgorithm.equalsIgnoreCase(key.getAlgorithm()))) {
|
||||||
|
throw new NoSuchAlgorithmException(String.format("Invalid %s key for alias %s. Algorithm is %s.", algorithm, keyAlias, key.getAlgorithm()));
|
||||||
|
}
|
||||||
|
return clazz.cast(key);
|
||||||
|
}
|
||||||
|
|
||||||
|
private KeyWrapper loadOctKey(KeyStore keyStore, String keyAlias, String javaAlgorithm, KeyUse keyUse) throws GeneralSecurityException {
|
||||||
|
KeyStore.SecretKeyEntry secretKeyEntry = checkKeyEntry(keyStore, keyAlias, KeyStore.SecretKeyEntry.class, keyUse);
|
||||||
|
SecretKey secretKey = checkKey(secretKeyEntry.getSecretKey(), keyAlias, SecretKey.class, javaAlgorithm);
|
||||||
|
|
||||||
|
return createKeyWrapper(secretKey, keyUse);
|
||||||
|
}
|
||||||
|
|
||||||
|
private KeyWrapper loadEdDSAKey(KeyStore keyStore, String keyAlias, KeyUse keyUse) throws GeneralSecurityException {
|
||||||
|
KeyStore.PrivateKeyEntry privateKeyEntry = checkKeyEntry(keyStore, keyAlias, KeyStore.PrivateKeyEntry.class, keyUse);
|
||||||
|
EdECPrivateKey privateKey = checkKey(privateKeyEntry.getPrivateKey(), keyAlias, EdECPrivateKey.class, null);
|
||||||
|
X509Certificate x509Cert = checkCertificate(privateKeyEntry.getCertificate());
|
||||||
|
try {
|
||||||
|
JavaAlgorithm.getJavaAlgorithmForHash(Algorithm.EdDSA, privateKey.getParams().getName());
|
||||||
|
} catch (RuntimeException e) {
|
||||||
|
throw new UnrecoverableKeyException(String.format("Invalid EdDSA curve for alias %s. Curve algorithm is %s.",
|
||||||
|
keyAlias, privateKey.getParams().getName()));
|
||||||
|
}
|
||||||
|
|
||||||
|
PublicKey publicKey = x509Cert.getPublicKey();
|
||||||
KeyPair keyPair = new KeyPair(publicKey, privateKey);
|
KeyPair keyPair = new KeyPair(publicKey, privateKey);
|
||||||
|
return createKeyWrapper(keyPair, x509Cert, loadCertificateChain(privateKeyEntry), KeyType.OKP, keyUse, privateKey.getParams().getName());
|
||||||
return createKeyWrapper(keyPair, getCertificate(keyStore, keyPair, keyAlias, realm.getName()), loadCertificateChain(keyStore, keyAlias), KeyType.RSA);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
private List<X509Certificate> loadCertificateChain(KeyStore keyStore, String keyAlias) throws GeneralSecurityException {
|
private KeyWrapper loadECKey(KeyStore keyStore, String keyAlias, KeyUse keyUse) throws GeneralSecurityException {
|
||||||
List<X509Certificate> chain = Optional.ofNullable(keyStore.getCertificateChain(keyAlias))
|
KeyStore.PrivateKeyEntry privateKeyEntry = checkKeyEntry(keyStore, keyAlias, KeyStore.PrivateKeyEntry.class, keyUse);
|
||||||
|
ECPrivateKey privateKey = checkKey(privateKeyEntry.getPrivateKey(), keyAlias, ECPrivateKey.class, null);
|
||||||
|
X509Certificate x509Cert = checkCertificate(privateKeyEntry.getCertificate());
|
||||||
|
PublicKey publicKey = x509Cert.getPublicKey();
|
||||||
|
KeyPair keyPair = new KeyPair(publicKey, privateKey);
|
||||||
|
return createKeyWrapper(keyPair, x509Cert, loadCertificateChain(privateKeyEntry), KeyType.EC, keyUse, null);
|
||||||
|
}
|
||||||
|
|
||||||
|
private KeyWrapper loadRSAKey(KeyStore keyStore, String keyAlias, KeyUse keyUse) throws GeneralSecurityException {
|
||||||
|
KeyStore.PrivateKeyEntry privateKeyEntry = checkKeyEntry(keyStore, keyAlias, KeyStore.PrivateKeyEntry.class, keyUse);
|
||||||
|
RSAPrivateCrtKey privateKey = checkKey(privateKeyEntry.getPrivateKey(), keyAlias, RSAPrivateCrtKey.class, null);
|
||||||
|
X509Certificate x509Cert = checkCertificate(privateKeyEntry.getCertificate());
|
||||||
|
PublicKey publicKey = x509Cert.getPublicKey();
|
||||||
|
KeyPair keyPair = new KeyPair(publicKey, privateKey);
|
||||||
|
return createKeyWrapper(keyPair, x509Cert, loadCertificateChain(privateKeyEntry), KeyType.RSA, keyUse, null);
|
||||||
|
}
|
||||||
|
|
||||||
|
private List<X509Certificate> loadCertificateChain(KeyStore.PrivateKeyEntry privateKeyEntry) throws GeneralSecurityException {
|
||||||
|
List<X509Certificate> chain = Optional.ofNullable(privateKeyEntry.getCertificateChain())
|
||||||
.map(certificates -> Arrays.stream(certificates)
|
.map(certificates -> Arrays.stream(certificates)
|
||||||
.map(X509Certificate.class::cast)
|
.map(X509Certificate.class::cast)
|
||||||
.collect(Collectors.toList()))
|
.collect(Collectors.toList()))
|
||||||
|
|
@ -167,9 +230,8 @@ public class JavaKeystoreKeyProvider implements KeyProvider {
|
||||||
return chain;
|
return chain;
|
||||||
}
|
}
|
||||||
|
|
||||||
private KeyWrapper createKeyWrapper(KeyPair keyPair, X509Certificate certificate, List<X509Certificate> certificateChain, String type) {
|
private KeyWrapper createKeyWrapper(KeyPair keyPair, X509Certificate certificate, List<X509Certificate> certificateChain,
|
||||||
KeyUse keyUse = KeyUse.valueOf(model.get(Attributes.KEY_USE, KeyUse.SIG.getSpecName()).toUpperCase());
|
String type, KeyUse keyUse, String curve) {
|
||||||
|
|
||||||
KeyWrapper key = new KeyWrapper();
|
KeyWrapper key = new KeyWrapper();
|
||||||
|
|
||||||
key.setProviderId(model.getId());
|
key.setProviderId(model.getId());
|
||||||
|
|
@ -179,6 +241,7 @@ public class JavaKeystoreKeyProvider implements KeyProvider {
|
||||||
key.setUse(keyUse);
|
key.setUse(keyUse);
|
||||||
key.setType(type);
|
key.setType(type);
|
||||||
key.setAlgorithm(algorithm);
|
key.setAlgorithm(algorithm);
|
||||||
|
key.setCurve(curve);
|
||||||
key.setStatus(status);
|
key.setStatus(status);
|
||||||
key.setPrivateKey(keyPair.getPrivate());
|
key.setPrivateKey(keyPair.getPrivate());
|
||||||
key.setPublicKey(keyPair.getPublic());
|
key.setPublicKey(keyPair.getPublic());
|
||||||
|
|
@ -195,6 +258,21 @@ public class JavaKeystoreKeyProvider implements KeyProvider {
|
||||||
return key;
|
return key;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private KeyWrapper createKeyWrapper(SecretKey secretKey, KeyUse use) {
|
||||||
|
KeyWrapper keyWrapper = new KeyWrapper();
|
||||||
|
|
||||||
|
keyWrapper.setProviderId(model.getId());
|
||||||
|
keyWrapper.setProviderPriority(model.get("priority", 0l));
|
||||||
|
|
||||||
|
keyWrapper.setKid(model.get(Attributes.KID_KEY, KeycloakModelUtils.generateId()));
|
||||||
|
keyWrapper.setUse(use);
|
||||||
|
keyWrapper.setType(KeyType.OCT);
|
||||||
|
keyWrapper.setAlgorithm(algorithm);
|
||||||
|
keyWrapper.setStatus(status);
|
||||||
|
keyWrapper.setSecretKey(secretKey);
|
||||||
|
return keyWrapper;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* <p>Validates the giving certificate chain represented by {@code certificates}. If the list of certificates is empty
|
* <p>Validates the giving certificate chain represented by {@code certificates}. If the list of certificates is empty
|
||||||
* or does not have at least 2 certificates (end-user certificate plus intermediary/root CAs) this method does nothing.
|
* or does not have at least 2 certificates (end-user certificate plus intermediary/root CAs) this method does nothing.
|
||||||
|
|
@ -224,7 +302,6 @@ public class JavaKeystoreKeyProvider implements KeyProvider {
|
||||||
validator.validate(certPath, params);
|
validator.validate(certPath, params);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public Stream<KeyWrapper> getKeysStream() {
|
public Stream<KeyWrapper> getKeysStream() {
|
||||||
return Stream.of(key);
|
return Stream.of(key);
|
||||||
|
|
|
||||||
|
|
@ -92,7 +92,7 @@ public class JavaKeystoreKeyProviderFactory implements KeyProviderFactory {
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public KeyProvider create(KeycloakSession session, ComponentModel model) {
|
public KeyProvider create(KeycloakSession session, ComponentModel model) {
|
||||||
return new JavaKeystoreKeyProvider(session.getContext().getRealm(), model);
|
return new JavaKeystoreKeyProvider(session.getContext().getRealm(), model, session.vault());
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
|
|
@ -109,7 +109,7 @@ public class JavaKeystoreKeyProviderFactory implements KeyProviderFactory {
|
||||||
.checkSingle(KEY_PASSWORD_PROPERTY, true);
|
.checkSingle(KEY_PASSWORD_PROPERTY, true);
|
||||||
|
|
||||||
try {
|
try {
|
||||||
new JavaKeystoreKeyProvider(realm, model).loadKey(realm, model);
|
new JavaKeystoreKeyProvider(realm, model, session.vault()).loadKey(realm, model);
|
||||||
} catch (Throwable t) {
|
} catch (Throwable t) {
|
||||||
logger.error("Failed to load keys.", t);
|
logger.error("Failed to load keys.", t);
|
||||||
throw new ComponentValidationException("Failed to load keys. " + t.getMessage(), t);
|
throw new ComponentValidationException("Failed to load keys. " + t.getMessage(), t);
|
||||||
|
|
@ -118,9 +118,12 @@ public class JavaKeystoreKeyProviderFactory implements KeyProviderFactory {
|
||||||
|
|
||||||
// merge the algorithms supported for RSA and EC keys and provide them as one configuration property
|
// merge the algorithms supported for RSA and EC keys and provide them as one configuration property
|
||||||
private static ProviderConfigProperty mergedAlgorithmProperties() {
|
private static ProviderConfigProperty mergedAlgorithmProperties() {
|
||||||
List<String> ecAlgorithms = List.of(Algorithm.ES256, Algorithm.ES384, Algorithm.ES512);
|
List<String> algorithms = Stream.of(
|
||||||
List<String> algorithms = Stream.of(Attributes.RS_ALGORITHM_PROPERTY.getOptions(),
|
List.of(Algorithm.AES, Algorithm.EdDSA),
|
||||||
ecAlgorithms, Attributes.RS_ENC_ALGORITHM_PROPERTY.getOptions())
|
List.of(Algorithm.ES256, Algorithm.ES384, Algorithm.ES512),
|
||||||
|
Attributes.HS_ALGORITHM_PROPERTY.getOptions(),
|
||||||
|
Attributes.RS_ALGORITHM_PROPERTY.getOptions(),
|
||||||
|
Attributes.RS_ENC_ALGORITHM_PROPERTY.getOptions())
|
||||||
.flatMap(Collection::stream)
|
.flatMap(Collection::stream)
|
||||||
.toList();
|
.toList();
|
||||||
return new ProviderConfigProperty(Attributes.RS_ALGORITHM_PROPERTY.getName(), Attributes.RS_ALGORITHM_PROPERTY.getLabel(),
|
return new ProviderConfigProperty(Attributes.RS_ALGORITHM_PROPERTY.getName(), Attributes.RS_ALGORITHM_PROPERTY.getLabel(),
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
password
|
||||||
|
|
@ -3,7 +3,9 @@ package org.keycloak.testsuite.util;
|
||||||
import jakarta.ws.rs.core.Response;
|
import jakarta.ws.rs.core.Response;
|
||||||
import org.keycloak.admin.client.resource.RealmResource;
|
import org.keycloak.admin.client.resource.RealmResource;
|
||||||
import org.keycloak.common.crypto.CryptoIntegration;
|
import org.keycloak.common.crypto.CryptoIntegration;
|
||||||
|
import org.keycloak.common.util.BouncyIntegration;
|
||||||
import org.keycloak.common.util.MultivaluedHashMap;
|
import org.keycloak.common.util.MultivaluedHashMap;
|
||||||
|
import org.keycloak.crypto.JavaAlgorithm;
|
||||||
import org.keycloak.crypto.KeyStatus;
|
import org.keycloak.crypto.KeyStatus;
|
||||||
import org.keycloak.crypto.KeyType;
|
import org.keycloak.crypto.KeyType;
|
||||||
import org.keycloak.crypto.KeyUse;
|
import org.keycloak.crypto.KeyUse;
|
||||||
|
|
@ -28,6 +30,8 @@ import java.security.spec.X509EncodedKeySpec;
|
||||||
import java.util.Base64;
|
import java.util.Base64;
|
||||||
import java.util.function.Predicate;
|
import java.util.function.Predicate;
|
||||||
import java.util.stream.Stream;
|
import java.util.stream.Stream;
|
||||||
|
import javax.crypto.KeyGenerator;
|
||||||
|
import javax.crypto.SecretKey;
|
||||||
|
|
||||||
import static org.junit.Assert.assertEquals;
|
import static org.junit.Assert.assertEquals;
|
||||||
import static org.junit.Assert.fail;
|
import static org.junit.Assert.fail;
|
||||||
|
|
@ -50,6 +54,16 @@ public class KeyUtils {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public static KeyPair generateEdDSAKey(String curve) throws NoSuchAlgorithmException, NoSuchProviderException {
|
||||||
|
KeyPairGenerator kpg = CryptoIntegration.getProvider().getKeyPairGen(curve);
|
||||||
|
return kpg.generateKeyPair();
|
||||||
|
}
|
||||||
|
|
||||||
|
public static SecretKey generateSecretKey(String algorithm, int keySize) throws NoSuchAlgorithmException, NoSuchProviderException {
|
||||||
|
KeyGenerator keyGen = KeyGenerator.getInstance(JavaAlgorithm.getJavaAlgorithm(algorithm), BouncyIntegration.PROVIDER);
|
||||||
|
keyGen.init(keySize);
|
||||||
|
return keyGen.generateKey();
|
||||||
|
}
|
||||||
|
|
||||||
public static PublicKey publicKeyFromString(String key) {
|
public static PublicKey publicKeyFromString(String key) {
|
||||||
try {
|
try {
|
||||||
|
|
|
||||||
|
|
@ -32,10 +32,12 @@ import java.io.File;
|
||||||
import java.io.FileOutputStream;
|
import java.io.FileOutputStream;
|
||||||
import java.security.KeyPair;
|
import java.security.KeyPair;
|
||||||
import java.security.KeyStore;
|
import java.security.KeyStore;
|
||||||
|
import java.security.PrivateKey;
|
||||||
import java.security.cert.Certificate;
|
import java.security.cert.Certificate;
|
||||||
import java.security.cert.X509Certificate;
|
import java.security.cert.X509Certificate;
|
||||||
import java.util.Arrays;
|
import java.util.Arrays;
|
||||||
import java.util.stream.Stream;
|
import java.util.stream.Stream;
|
||||||
|
import javax.crypto.SecretKey;
|
||||||
|
|
||||||
import static org.junit.Assert.fail;
|
import static org.junit.Assert.fail;
|
||||||
|
|
||||||
|
|
@ -64,26 +66,46 @@ public class KeystoreUtils {
|
||||||
}
|
}
|
||||||
|
|
||||||
public static KeystoreInfo generateKeystore(TemporaryFolder folder, KeystoreUtil.KeystoreFormat keystoreType, String subject, String keystorePassword, String keyPassword, KeyPair keyPair) throws Exception {
|
public static KeystoreInfo generateKeystore(TemporaryFolder folder, KeystoreUtil.KeystoreFormat keystoreType, String subject, String keystorePassword, String keyPassword, KeyPair keyPair) throws Exception {
|
||||||
String fileName = "keystore." + keystoreType.getPrimaryExtension();
|
|
||||||
|
|
||||||
X509Certificate certificate = CertificateUtils.generateV1SelfSignedCertificate(keyPair, subject);
|
X509Certificate certificate = CertificateUtils.generateV1SelfSignedCertificate(keyPair, subject);
|
||||||
|
return generateKeystore(folder, keystoreType, subject, keystorePassword, keyPassword, keyPair.getPrivate(), certificate);
|
||||||
|
}
|
||||||
|
|
||||||
|
public static KeystoreInfo generateKeystore(TemporaryFolder folder, KeystoreUtil.KeystoreFormat keystoreType,
|
||||||
|
String subject, String keystorePassword, String keyPassword, PrivateKey privKey, Certificate certificate) throws Exception {
|
||||||
|
String fileName = "keystore." + keystoreType.getPrimaryExtension();
|
||||||
|
|
||||||
KeyStore keyStore = CryptoIntegration.getProvider().getKeyStore(keystoreType);
|
KeyStore keyStore = CryptoIntegration.getProvider().getKeyStore(keystoreType);
|
||||||
keyStore.load(null, null);
|
keyStore.load(null, null);
|
||||||
|
|
||||||
Certificate[] chain = {certificate};
|
Certificate[] chain = {certificate};
|
||||||
keyStore.setKeyEntry(subject, keyPair.getPrivate(), keyPassword.trim().toCharArray(), chain);
|
keyStore.setKeyEntry(subject, privKey, keyPassword.trim().toCharArray(), chain);
|
||||||
|
|
||||||
File file = folder.newFile(fileName);
|
File file = folder.newFile(fileName);
|
||||||
keyStore.store(new FileOutputStream(file), keystorePassword.trim().toCharArray());
|
keyStore.store(new FileOutputStream(file), keystorePassword.trim().toCharArray());
|
||||||
|
|
||||||
CertificateRepresentation certRep = new CertificateRepresentation();
|
CertificateRepresentation certRep = new CertificateRepresentation();
|
||||||
certRep.setPrivateKey(PemUtils.encodeKey(keyPair.getPrivate()));
|
certRep.setPrivateKey(PemUtils.encodeKey(privKey));
|
||||||
certRep.setPublicKey(PemUtils.encodeKey(keyPair.getPublic()));
|
certRep.setPublicKey(PemUtils.encodeKey(certificate.getPublicKey()));
|
||||||
certRep.setCertificate(PemUtils.encodeCertificate(certificate));
|
certRep.setCertificate(PemUtils.encodeCertificate(certificate));
|
||||||
return new KeystoreInfo(certRep, file);
|
return new KeystoreInfo(certRep, file);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public static KeystoreInfo generateKeystore(TemporaryFolder folder, KeystoreUtil.KeystoreFormat keystoreType, String alias,
|
||||||
|
String keystorePassword, String keyPassword, SecretKey secretKey) throws Exception {
|
||||||
|
String fileName = "keystore." + keystoreType.getPrimaryExtension();
|
||||||
|
|
||||||
|
KeyStore keyStore = KeyStore.getInstance(keystoreType.name());
|
||||||
|
keyStore.load(null, null);
|
||||||
|
|
||||||
|
KeyStore.SecretKeyEntry secretKeyEntry = new KeyStore.SecretKeyEntry(secretKey);
|
||||||
|
KeyStore.ProtectionParameter protection = new KeyStore.PasswordProtection(keyPassword.trim().toCharArray());
|
||||||
|
keyStore.setEntry(alias, secretKeyEntry, protection);
|
||||||
|
|
||||||
|
File file = folder.newFile(fileName);
|
||||||
|
keyStore.store(new FileOutputStream(file), keystorePassword.trim().toCharArray());
|
||||||
|
|
||||||
|
return new KeystoreInfo(null, file);
|
||||||
|
}
|
||||||
|
|
||||||
public static KeystoreInfo generateKeystore(TemporaryFolder folder, KeystoreUtil.KeystoreFormat keystoreType, String subject, String keystorePassword, String keyPassword) throws Exception {
|
public static KeystoreInfo generateKeystore(TemporaryFolder folder, KeystoreUtil.KeystoreFormat keystoreType, String subject, String keystorePassword, String keyPassword) throws Exception {
|
||||||
return generateKeystore(folder, keystoreType, subject, keystorePassword, keyPassword, KeyUtils.generateRsaKeyPair(2048));
|
return generateKeystore(folder, keystoreType, subject, keystorePassword, keyPassword, KeyUtils.generateRsaKeyPair(2048));
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -18,15 +18,20 @@
|
||||||
package org.keycloak.testsuite.keys;
|
package org.keycloak.testsuite.keys;
|
||||||
|
|
||||||
import jakarta.ws.rs.core.Response;
|
import jakarta.ws.rs.core.Response;
|
||||||
|
import org.hamcrest.MatcherAssert;
|
||||||
|
import org.hamcrest.Matchers;
|
||||||
import org.jboss.arquillian.graphene.page.Page;
|
import org.jboss.arquillian.graphene.page.Page;
|
||||||
import org.junit.Rule;
|
import org.junit.Rule;
|
||||||
import org.junit.Test;
|
import org.junit.Test;
|
||||||
import org.junit.rules.TemporaryFolder;
|
import org.junit.rules.TemporaryFolder;
|
||||||
|
import org.keycloak.common.crypto.FipsMode;
|
||||||
import org.keycloak.common.util.KeystoreUtil;
|
import org.keycloak.common.util.KeystoreUtil;
|
||||||
import org.keycloak.common.util.MultivaluedHashMap;
|
import org.keycloak.common.util.MultivaluedHashMap;
|
||||||
import org.keycloak.common.util.PemUtils;
|
import org.keycloak.common.util.PemUtils;
|
||||||
import org.keycloak.crypto.Algorithm;
|
import org.keycloak.crypto.Algorithm;
|
||||||
|
import org.keycloak.crypto.KeyType;
|
||||||
import org.keycloak.jose.jws.AlgorithmType;
|
import org.keycloak.jose.jws.AlgorithmType;
|
||||||
|
import org.keycloak.keys.Attributes;
|
||||||
import org.keycloak.keys.JavaKeystoreKeyProviderFactory;
|
import org.keycloak.keys.JavaKeystoreKeyProviderFactory;
|
||||||
import org.keycloak.keys.KeyProvider;
|
import org.keycloak.keys.KeyProvider;
|
||||||
import org.keycloak.representations.idm.ComponentRepresentation;
|
import org.keycloak.representations.idm.ComponentRepresentation;
|
||||||
|
|
@ -37,6 +42,8 @@ import org.keycloak.testsuite.AbstractKeycloakTest;
|
||||||
import org.keycloak.testsuite.Assert;
|
import org.keycloak.testsuite.Assert;
|
||||||
import org.keycloak.testsuite.AssertEvents;
|
import org.keycloak.testsuite.AssertEvents;
|
||||||
import org.keycloak.testsuite.admin.ApiUtil;
|
import org.keycloak.testsuite.admin.ApiUtil;
|
||||||
|
import org.keycloak.testsuite.arquillian.AuthServerTestEnricher;
|
||||||
|
import org.keycloak.testsuite.arquillian.annotation.EnableVault;
|
||||||
import org.keycloak.testsuite.pages.AppPage;
|
import org.keycloak.testsuite.pages.AppPage;
|
||||||
import org.keycloak.testsuite.pages.LoginPage;
|
import org.keycloak.testsuite.pages.LoginPage;
|
||||||
import org.keycloak.testsuite.util.KeyUtils;
|
import org.keycloak.testsuite.util.KeyUtils;
|
||||||
|
|
@ -46,14 +53,13 @@ import java.security.PublicKey;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
|
|
||||||
import static org.junit.Assert.assertEquals;
|
import static org.junit.Assert.assertEquals;
|
||||||
import static org.junit.Assert.assertTrue;
|
|
||||||
import static org.junit.Assert.fail;
|
import static org.junit.Assert.fail;
|
||||||
import static org.keycloak.common.util.KeystoreUtil.KeystoreFormat.PKCS12;
|
|
||||||
import static org.keycloak.testsuite.admin.AbstractAdminTest.loadJson;
|
import static org.keycloak.testsuite.admin.AbstractAdminTest.loadJson;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
|
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
|
||||||
*/
|
*/
|
||||||
|
@EnableVault
|
||||||
public class JavaKeystoreKeyProviderTest extends AbstractKeycloakTest {
|
public class JavaKeystoreKeyProviderTest extends AbstractKeycloakTest {
|
||||||
|
|
||||||
@Rule
|
@Rule
|
||||||
|
|
@ -78,41 +84,58 @@ public class JavaKeystoreKeyProviderTest extends AbstractKeycloakTest {
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void createJksRSA() throws Exception {
|
public void createJksRSA() throws Exception {
|
||||||
createSuccess(KeystoreUtil.KeystoreFormat.JKS, AlgorithmType.RSA);
|
createSuccess(KeystoreUtil.KeystoreFormat.JKS, AlgorithmType.RSA, false);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void createPkcs12RSA() throws Exception {
|
public void createPkcs12RSA() throws Exception {
|
||||||
createSuccess(PKCS12, AlgorithmType.RSA);
|
createSuccess(KeystoreUtil.KeystoreFormat.PKCS12, AlgorithmType.RSA, true);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void createBcfksRSA() throws Exception {
|
public void createBcfksRSA() throws Exception {
|
||||||
createSuccess(KeystoreUtil.KeystoreFormat.BCFKS, AlgorithmType.RSA);
|
createSuccess(KeystoreUtil.KeystoreFormat.BCFKS, AlgorithmType.RSA, false);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void createJksECDSA() throws Exception {
|
public void createJksECDSA() throws Exception {
|
||||||
createSuccess(KeystoreUtil.KeystoreFormat.JKS, AlgorithmType.ECDSA);
|
createSuccess(KeystoreUtil.KeystoreFormat.JKS, AlgorithmType.ECDSA, true);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void createPkcs12ECDSA() throws Exception {
|
public void createPkcs12ECDSA() throws Exception {
|
||||||
createSuccess(KeystoreUtil.KeystoreFormat.PKCS12, AlgorithmType.ECDSA);
|
createSuccess(KeystoreUtil.KeystoreFormat.PKCS12, AlgorithmType.ECDSA, false);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void createBcfksECDSA() throws Exception {
|
public void createBcfksECDSA() throws Exception {
|
||||||
createSuccess(KeystoreUtil.KeystoreFormat.BCFKS, AlgorithmType.ECDSA);
|
createSuccess(KeystoreUtil.KeystoreFormat.BCFKS, AlgorithmType.ECDSA, true);
|
||||||
}
|
}
|
||||||
|
|
||||||
private void createSuccess(KeystoreUtil.KeystoreFormat keystoreType, AlgorithmType algorithmType) throws Exception {
|
@Test
|
||||||
|
public void createBcfksAES() throws Exception {
|
||||||
|
createSuccess(KeystoreUtil.KeystoreFormat.BCFKS, AlgorithmType.AES, false);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void createHMAC() throws Exception {
|
||||||
|
// BC provider fails storing HMAC in BCFKS (although BCFIPS works)
|
||||||
|
createSuccess(isFips()? KeystoreUtil.KeystoreFormat.BCFKS : KeystoreUtil.KeystoreFormat.PKCS12, AlgorithmType.HMAC, true);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void createJksEdDSA() throws Exception {
|
||||||
|
// BCFIPS does not support EdEC keys as it does not implement JDK interfaces
|
||||||
|
createSuccess(KeystoreUtil.KeystoreFormat.JKS, AlgorithmType.EDDSA, true);
|
||||||
|
}
|
||||||
|
|
||||||
|
private void createSuccess(KeystoreUtil.KeystoreFormat keystoreType, AlgorithmType algorithmType, boolean vault) throws Exception {
|
||||||
KeystoreUtils.assumeKeystoreTypeSupported(keystoreType);
|
KeystoreUtils.assumeKeystoreTypeSupported(keystoreType);
|
||||||
generateKeystore(keystoreType, algorithmType);
|
generateKeystore(keystoreType, algorithmType);
|
||||||
|
|
||||||
long priority = System.currentTimeMillis();
|
long priority = System.currentTimeMillis();
|
||||||
|
|
||||||
ComponentRepresentation rep = createRep("valid", priority, keyAlgorithm);
|
ComponentRepresentation rep = createRep("valid", priority, keyAlgorithm, vault? "${vault.keystore_password}" : "password");
|
||||||
|
|
||||||
Response response = adminClient.realm("test").components().add(rep);
|
Response response = adminClient.realm("test").components().add(rep);
|
||||||
String id = ApiUtil.getCreatedId(response);
|
String id = ApiUtil.getCreatedId(response);
|
||||||
|
|
@ -121,8 +144,8 @@ public class JavaKeystoreKeyProviderTest extends AbstractKeycloakTest {
|
||||||
ComponentRepresentation createdRep = adminClient.realm("test").components().component(id).toRepresentation();
|
ComponentRepresentation createdRep = adminClient.realm("test").components().component(id).toRepresentation();
|
||||||
assertEquals(6, createdRep.getConfig().size());
|
assertEquals(6, createdRep.getConfig().size());
|
||||||
assertEquals(Long.toString(priority), createdRep.getConfig().getFirst("priority"));
|
assertEquals(Long.toString(priority), createdRep.getConfig().getFirst("priority"));
|
||||||
assertEquals(ComponentRepresentation.SECRET_VALUE, createdRep.getConfig().getFirst("keystorePassword"));
|
assertEquals(vault? "${vault.keystore_password}" : ComponentRepresentation.SECRET_VALUE, createdRep.getConfig().getFirst("keystorePassword"));
|
||||||
assertEquals(ComponentRepresentation.SECRET_VALUE, createdRep.getConfig().getFirst("keyPassword"));
|
assertEquals(vault? "${vault.keystore_password}" : ComponentRepresentation.SECRET_VALUE, createdRep.getConfig().getFirst("keyPassword"));
|
||||||
|
|
||||||
KeysMetadataRepresentation keys = adminClient.realm("test").keys().getKeyMetadata();
|
KeysMetadataRepresentation keys = adminClient.realm("test").keys().getKeyMetadata();
|
||||||
|
|
||||||
|
|
@ -130,22 +153,31 @@ public class JavaKeystoreKeyProviderTest extends AbstractKeycloakTest {
|
||||||
|
|
||||||
assertEquals(id, key.getProviderId());
|
assertEquals(id, key.getProviderId());
|
||||||
switch (algorithmType) {
|
switch (algorithmType) {
|
||||||
case RSA: {
|
case RSA -> {
|
||||||
assertEquals(algorithmType.name(), key.getType());
|
assertEquals(algorithmType.name(), key.getType());
|
||||||
PublicKey exp = PemUtils.decodePublicKey(generatedKeystore.getCertificateInfo().getPublicKey(), "RSA");
|
PublicKey exp = PemUtils.decodePublicKey(generatedKeystore.getCertificateInfo().getPublicKey(), KeyType.RSA);
|
||||||
PublicKey got = PemUtils.decodePublicKey(key.getPublicKey(), "RSA");
|
PublicKey got = PemUtils.decodePublicKey(key.getPublicKey(), KeyType.RSA);
|
||||||
assertEquals(exp, got);
|
assertEquals(exp, got);
|
||||||
break;
|
assertEquals(generatedKeystore.getCertificateInfo().getCertificate(), key.getCertificate());
|
||||||
}
|
}
|
||||||
case ECDSA:
|
case ECDSA -> {
|
||||||
assertEquals("EC", key.getType());
|
assertEquals("EC", key.getType());
|
||||||
PublicKey exp = PemUtils.decodePublicKey(generatedKeystore.getCertificateInfo().getPublicKey(), "EC");
|
PublicKey exp = PemUtils.decodePublicKey(generatedKeystore.getCertificateInfo().getPublicKey(), KeyType.EC);
|
||||||
PublicKey got = PemUtils.decodePublicKey(key.getPublicKey(), "EC");
|
PublicKey got = PemUtils.decodePublicKey(key.getPublicKey(), KeyType.EC);
|
||||||
assertEquals(exp, got);
|
assertEquals(exp, got);
|
||||||
|
assertEquals(generatedKeystore.getCertificateInfo().getCertificate(), key.getCertificate());
|
||||||
|
}
|
||||||
|
case AES, HMAC -> {
|
||||||
|
assertEquals(KeyType.OCT, key.getType());
|
||||||
|
assertEquals(keyAlgorithm, key.getAlgorithm());
|
||||||
|
}
|
||||||
|
case EDDSA -> {
|
||||||
|
assertEquals(KeyType.OKP, key.getType());
|
||||||
|
assertEquals(keyAlgorithm, key.getAlgorithm());
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
assertEquals(priority, key.getProviderPriority());
|
assertEquals(priority, key.getProviderPriority());
|
||||||
assertEquals(generatedKeystore.getCertificateInfo().getCertificate(), key.getCertificate());
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
|
|
@ -155,7 +187,7 @@ public class JavaKeystoreKeyProviderTest extends AbstractKeycloakTest {
|
||||||
rep.getConfig().putSingle("keystore", "/nosuchfile");
|
rep.getConfig().putSingle("keystore", "/nosuchfile");
|
||||||
|
|
||||||
Response response = adminClient.realm("test").components().add(rep);
|
Response response = adminClient.realm("test").components().add(rep);
|
||||||
assertErrror(response, "Failed to load keys. File not found on server.");
|
assertError(response, "Failed to load keys. File not found on server.");
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
|
|
@ -165,7 +197,7 @@ public class JavaKeystoreKeyProviderTest extends AbstractKeycloakTest {
|
||||||
rep.getConfig().putSingle("keystore", "invalid");
|
rep.getConfig().putSingle("keystore", "invalid");
|
||||||
|
|
||||||
Response response = adminClient.realm("test").components().add(rep);
|
Response response = adminClient.realm("test").components().add(rep);
|
||||||
assertErrror(response, "Failed to load keys. File not found on server.");
|
assertError(response, "Failed to load keys. File not found on server.");
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
|
|
@ -175,13 +207,13 @@ public class JavaKeystoreKeyProviderTest extends AbstractKeycloakTest {
|
||||||
rep.getConfig().putSingle("keyAlias", "invalid");
|
rep.getConfig().putSingle("keyAlias", "invalid");
|
||||||
|
|
||||||
Response response = adminClient.realm("test").components().add(rep);
|
Response response = adminClient.realm("test").components().add(rep);
|
||||||
assertErrror(response, "Failed to load keys. Error creating X509v1Certificate.");
|
assertError(response, "Alias invalid does not exists in the keystore.");
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void invalidKeyPassword() throws Exception {
|
public void invalidKeyPassword() throws Exception {
|
||||||
KeystoreUtil.KeystoreFormat keystoreType = KeystoreUtils.getPreferredKeystoreType();
|
KeystoreUtil.KeystoreFormat keystoreType = KeystoreUtils.getPreferredKeystoreType();
|
||||||
if (keystoreType == PKCS12) {
|
if (keystoreType == KeystoreUtil.KeystoreFormat.PKCS12) {
|
||||||
// only the keyStore password is significant with PKCS12. Hence we need to test with different keystore type
|
// only the keyStore password is significant with PKCS12. Hence we need to test with different keystore type
|
||||||
String[] supportedKsTypes = KeystoreUtils.getSupportedKeystoreTypes();
|
String[] supportedKsTypes = KeystoreUtils.getSupportedKeystoreTypes();
|
||||||
if (supportedKsTypes.length <= 1) {
|
if (supportedKsTypes.length <= 1) {
|
||||||
|
|
@ -196,20 +228,43 @@ public class JavaKeystoreKeyProviderTest extends AbstractKeycloakTest {
|
||||||
|
|
||||||
Response response = adminClient.realm("test").components().add(rep);
|
Response response = adminClient.realm("test").components().add(rep);
|
||||||
Assert.assertEquals(400, response.getStatus());
|
Assert.assertEquals(400, response.getStatus());
|
||||||
assertErrror(response, "Failed to load keys. Keystore on server can not be recovered.");
|
assertError(response, "Failed to load keys. Key in the keystore cannot be recovered.");
|
||||||
}
|
}
|
||||||
|
|
||||||
protected void assertErrror(Response response, String error) {
|
@Test
|
||||||
|
public void invalidKeyAlgorithmCreatedECButRegisteredRSA() throws Exception {
|
||||||
|
generateKeystore(KeystoreUtils.getPreferredKeystoreType(), AlgorithmType.ECDSA);
|
||||||
|
ComponentRepresentation rep = createRep("valid", System.currentTimeMillis(), Algorithm.RS256);
|
||||||
|
|
||||||
|
Response response = adminClient.realm("test").components().add(rep);
|
||||||
|
assertError(response, "Invalid RS256 key for alias keyalias. Algorithm is EC.");
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void invalidKeyUsageForRS256() throws Exception {
|
||||||
|
generateKeystore(KeystoreUtils.getPreferredKeystoreType(), AlgorithmType.RSA);
|
||||||
|
ComponentRepresentation rep = createRep("valid", System.currentTimeMillis(), Algorithm.RS256);
|
||||||
|
rep.getConfig().putSingle(Attributes.KEY_USE, "enc");
|
||||||
|
|
||||||
|
Response response = adminClient.realm("test").components().add(rep);
|
||||||
|
assertError(response, "Invalid use enc for algorithm RS256.");
|
||||||
|
}
|
||||||
|
|
||||||
|
protected void assertError(Response response, String error) {
|
||||||
if (!response.hasEntity()) {
|
if (!response.hasEntity()) {
|
||||||
fail("No error message set");
|
fail("No error message set");
|
||||||
}
|
}
|
||||||
|
|
||||||
ErrorRepresentation errorRepresentation = response.readEntity(ErrorRepresentation.class);
|
ErrorRepresentation errorRepresentation = response.readEntity(ErrorRepresentation.class);
|
||||||
assertTrue(errorRepresentation.getErrorMessage().startsWith(error));
|
MatcherAssert.assertThat(errorRepresentation.getErrorMessage(), Matchers.containsString(error));
|
||||||
response.close();
|
response.close();
|
||||||
}
|
}
|
||||||
|
|
||||||
protected ComponentRepresentation createRep(String name, long priority, String algorithm) {
|
protected ComponentRepresentation createRep(String name, long priority, String algorithm) {
|
||||||
|
return createRep(name, priority, algorithm, "password");
|
||||||
|
}
|
||||||
|
|
||||||
|
protected ComponentRepresentation createRep(String name, long priority, String algorithm, String password) {
|
||||||
ComponentRepresentation rep = new ComponentRepresentation();
|
ComponentRepresentation rep = new ComponentRepresentation();
|
||||||
rep.setName(name);
|
rep.setName(name);
|
||||||
rep.setParentId(adminClient.realm("test").toRepresentation().getId());
|
rep.setParentId(adminClient.realm("test").toRepresentation().getId());
|
||||||
|
|
@ -218,9 +273,9 @@ public class JavaKeystoreKeyProviderTest extends AbstractKeycloakTest {
|
||||||
rep.setConfig(new MultivaluedHashMap<>());
|
rep.setConfig(new MultivaluedHashMap<>());
|
||||||
rep.getConfig().putSingle("priority", Long.toString(priority));
|
rep.getConfig().putSingle("priority", Long.toString(priority));
|
||||||
rep.getConfig().putSingle("keystore", generatedKeystore.getKeystoreFile().getAbsolutePath());
|
rep.getConfig().putSingle("keystore", generatedKeystore.getKeystoreFile().getAbsolutePath());
|
||||||
rep.getConfig().putSingle("keystorePassword", "password");
|
rep.getConfig().putSingle("keystorePassword", password);
|
||||||
rep.getConfig().putSingle("keyAlias", "selfsigned");
|
rep.getConfig().putSingle("keyAlias", "keyalias");
|
||||||
rep.getConfig().putSingle("keyPassword", "password");
|
rep.getConfig().putSingle("keyPassword", password);
|
||||||
rep.getConfig().putSingle("algorithm", algorithm);
|
rep.getConfig().putSingle("algorithm", algorithm);
|
||||||
return rep;
|
return rep;
|
||||||
}
|
}
|
||||||
|
|
@ -231,16 +286,35 @@ public class JavaKeystoreKeyProviderTest extends AbstractKeycloakTest {
|
||||||
|
|
||||||
private void generateKeystore(KeystoreUtil.KeystoreFormat keystoreType, AlgorithmType algorithmType) throws Exception {
|
private void generateKeystore(KeystoreUtil.KeystoreFormat keystoreType, AlgorithmType algorithmType) throws Exception {
|
||||||
switch (algorithmType) {
|
switch (algorithmType) {
|
||||||
case RSA: {
|
case RSA -> {
|
||||||
this.generatedKeystore = KeystoreUtils.generateKeystore(folder, keystoreType, "selfsigned", "password", "password");
|
this.generatedKeystore = KeystoreUtils.generateKeystore(folder, keystoreType, "keyalias", "password", "password");
|
||||||
this.keyAlgorithm = Algorithm.RS256;
|
this.keyAlgorithm = Algorithm.RS256;
|
||||||
return;
|
|
||||||
}
|
}
|
||||||
case ECDSA:
|
case ECDSA -> {
|
||||||
this.generatedKeystore = KeystoreUtils.generateKeystore(folder, keystoreType, "selfsigned", "password", "password", KeyUtils.generateECKey(Algorithm.ES256));
|
this.generatedKeystore = KeystoreUtils.generateKeystore(folder, keystoreType, "keyalias", "password", "password",
|
||||||
|
KeyUtils.generateECKey(Algorithm.ES256));
|
||||||
this.keyAlgorithm = Algorithm.ES256;
|
this.keyAlgorithm = Algorithm.ES256;
|
||||||
|
}
|
||||||
|
case AES -> {
|
||||||
|
this.generatedKeystore = KeystoreUtils.generateKeystore(folder, keystoreType, "keyalias", "password", "password",
|
||||||
|
KeyUtils.generateSecretKey(Algorithm.AES, 256));
|
||||||
|
this.keyAlgorithm = Algorithm.AES;
|
||||||
|
}
|
||||||
|
case HMAC -> {
|
||||||
|
this.generatedKeystore = KeystoreUtils.generateKeystore(folder, keystoreType, "keyalias", "password", "password",
|
||||||
|
KeyUtils.generateSecretKey(Algorithm.HS256, 256));
|
||||||
|
this.keyAlgorithm = Algorithm.HS256;
|
||||||
|
}
|
||||||
|
case EDDSA -> {
|
||||||
|
this.generatedKeystore = KeystoreUtils.generateKeystore(folder, keystoreType, "keyalias", "password", "password",
|
||||||
|
KeyUtils.generateEdDSAKey(Algorithm.Ed25519));
|
||||||
|
this.keyAlgorithm = Algorithm.EdDSA;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private static boolean isFips() {
|
||||||
|
return AuthServerTestEnricher.AUTH_SERVER_FIPS_MODE != FipsMode.DISABLED;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
password
|
||||||
Loading…
Reference in a new issue