libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases Packages Activity Actions

KEYCLOAK-19519 Encryption algorithm RSA-OAEP with A256GCM (#8553)

Browse source 
Closes #10300
This commit is contained in:
Filipe Bojikian Rissi 2022-02-17 13:41:54 -03:00 committed by GitHub
parent 18581ca4f7
commit 323c08c8cc
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 286 additions and 76 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

98
services/src/main/java/org/keycloak/keys/AbstractImportedRsaKeyProviderFactory.java Normal file
View file

@ -0,0 +1,98 @@
/*
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.keys;
import org.keycloak.common.util.CertificateUtils;
import org.keycloak.common.util.KeyUtils;
import org.keycloak.common.util.PemUtils;
import org.keycloak.component.ComponentModel;
import org.keycloak.component.ComponentValidationException;
import org.keycloak.crypto.KeyUse;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.provider.ConfigurationValidationHelper;
import org.keycloak.provider.ProviderConfigurationBuilder;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.Certificate;
/**
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
* @author <a href="mailto:f.b.rissi@gmail.com">Filipe Bojikian Rissi</a>
*/
public abstract class AbstractImportedRsaKeyProviderFactory extends AbstractRsaKeyProviderFactory {
public final static ProviderConfigurationBuilder rsaKeyConfigurationBuilder() {
return ProviderConfigurationBuilder.create()
.property(Attributes.PRIORITY_PROPERTY)
.property(Attributes.ENABLED_PROPERTY)
.property(Attributes.ACTIVE_PROPERTY)
.property(Attributes.PRIVATE_KEY_PROPERTY)
.property(Attributes.CERTIFICATE_PROPERTY);
}
@Override
public void validateConfiguration(KeycloakSession session, RealmModel realm, ComponentModel model) throws ComponentValidationException {
ConfigurationValidationHelper.check(model)
.checkLong(Attributes.PRIORITY_PROPERTY, false)
.checkBoolean(Attributes.ENABLED_PROPERTY, false)
.checkBoolean(Attributes.ACTIVE_PROPERTY, false)
.checkSingle(Attributes.PRIVATE_KEY_PROPERTY, true)
.checkSingle(Attributes.CERTIFICATE_PROPERTY, false);
KeyPair keyPair;
try {
PrivateKey privateKey = PemUtils.decodePrivateKey(model.get(Attributes.PRIVATE_KEY_KEY));
PublicKey publicKey = KeyUtils.extractPublicKey(privateKey);
keyPair = new KeyPair(publicKey, privateKey);
} catch (Throwable t) {
throw new ComponentValidationException("Failed to decode private key", t);
}
if (model.contains(Attributes.CERTIFICATE_KEY)) {
Certificate certificate = null;
try {
certificate = PemUtils.decodeCertificate(model.get(Attributes.CERTIFICATE_KEY));
} catch (Throwable t) {
throw new ComponentValidationException("Failed to decode certificate", t);
}
if (certificate == null) {
throw new ComponentValidationException("Failed to decode certificate");
}
if (!certificate.getPublicKey().equals(keyPair.getPublic())) {
throw new ComponentValidationException("Certificate does not match private key");
}
} else {
try {
Certificate certificate = CertificateUtils.generateV1SelfSignedCertificate(keyPair, realm.getName());
model.put(Attributes.CERTIFICATE_KEY, PemUtils.encodeCertificate(certificate));
} catch (Throwable t) {
throw new ComponentValidationException("Failed to generate self-signed certificate");
}
}
}
abstract protected boolean isValidKeyUse(KeyUse keyUse);
abstract protected boolean isSupportedRsaAlgorithm(String algorithm);
}

5
services/src/main/java/org/keycloak/keys/AbstractRsaKeyProvider.java
View file

@ -20,6 +20,7 @@ package org.keycloak.keys;
import org.keycloak.common.util.KeyUtils;
import org.keycloak.component.ComponentModel;
import org.keycloak.crypto.*;
import org.keycloak.jose.jwe.JWEConstants;
import org.keycloak.models.RealmModel;
import java.security.KeyPair;
@ -44,7 +45,9 @@ public abstract class AbstractRsaKeyProvider implements KeyProvider {
public AbstractRsaKeyProvider(RealmModel realm, ComponentModel model) {
this.model = model;
this.status = KeyStatus.from(model.get(Attributes.ACTIVE_KEY, true), model.get(Attributes.ENABLED_KEY, true));
this.algorithm = model.get(Attributes.ALGORITHM_KEY, Algorithm.RS256);
String defaultAlgorithmKey = KeyUse.ENC.name().equals(model.get(Attributes.KEY_USE)) ? JWEConstants.RSA_OAEP : Algorithm.RS256;
this.algorithm = model.get(Attributes.ALGORITHM_KEY, defaultAlgorithmKey);
if (model.hasNote(KeyWrapper.class.getName())) {
key = model.getNote(KeyWrapper.class.getName());

74
services/src/main/java/org/keycloak/keys/ImportedRsaEncKeyProviderFactory.java Normal file
View file

@ -0,0 +1,74 @@
/*
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.keys;
import org.keycloak.component.ComponentModel;
import org.keycloak.crypto.KeyUse;
import org.keycloak.jose.jwe.JWEConstants;
import org.keycloak.models.KeycloakSession;
import org.keycloak.provider.ProviderConfigProperty;
import java.util.List;
/**
* @author <a href="mailto:f.b.rissi@gmail.com">Filipe Bojikian Rissi</a>
*/
public class ImportedRsaEncKeyProviderFactory extends AbstractImportedRsaKeyProviderFactory {
public static final String ID = "rsa-enc";
private static final String HELP_TEXT = "RSA for key encryption provider that can optionally generated a self-signed certificate";
private static final List<ProviderConfigProperty> CONFIG_PROPERTIES = AbstractImportedRsaKeyProviderFactory.rsaKeyConfigurationBuilder()
.property(Attributes.RS_ENC_ALGORITHM_PROPERTY)
.build();
@Override
public KeyProvider create(KeycloakSession session, ComponentModel model) {
model.put(Attributes.KEY_USE, KeyUse.ENC.name());
return new ImportedRsaKeyProvider(session.getContext().getRealm(), model);
}
@Override
public String getHelpText() {
return HELP_TEXT;
}
@Override
public List<ProviderConfigProperty> getConfigProperties() {
return CONFIG_PROPERTIES;
}
@Override
protected boolean isValidKeyUse(KeyUse keyUse) {
return keyUse.equals(KeyUse.ENC);
}
@Override
protected boolean isSupportedRsaAlgorithm(String algorithm) {
return algorithm.equals(JWEConstants.RSA1_5)
|| algorithm.equals(JWEConstants.RSA_OAEP)
|| algorithm.equals(JWEConstants.RSA_OAEP_256);
}
@Override
public String getId() {
return ID;
}
}

83
services/src/main/java/org/keycloak/keys/ImportedRsaKeyProviderFactory.java
View file

@ -17,84 +17,36 @@
package org.keycloak.keys;
import org.keycloak.common.util.CertificateUtils;
import org.keycloak.common.util.KeyUtils;
import org.keycloak.common.util.PemUtils;
import org.keycloak.component.ComponentModel;
import org.keycloak.component.ComponentValidationException;
import org.keycloak.crypto.Algorithm;
import org.keycloak.crypto.KeyUse;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.provider.ConfigurationValidationHelper;
import org.keycloak.provider.ProviderConfigProperty;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.util.List;
/**
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
*/
public class ImportedRsaKeyProviderFactory extends AbstractRsaKeyProviderFactory {
public class ImportedRsaKeyProviderFactory extends AbstractImportedRsaKeyProviderFactory {
public static final String ID = "rsa";
private static final String HELP_TEXT = "RSA key provider that can optionally generated a self-signed certificate";
private static final String HELP_TEXT = "RSA signature key provider that can optionally generated a self-signed certificate";
private static final List<ProviderConfigProperty> CONFIG_PROPERTIES = AbstractRsaKeyProviderFactory.configurationBuilder()
.property(Attributes.PRIVATE_KEY_PROPERTY)
.property(Attributes.CERTIFICATE_PROPERTY)
.property(Attributes.KEY_USE_PROPERTY)
private static final List<ProviderConfigProperty> CONFIG_PROPERTIES = AbstractImportedRsaKeyProviderFactory.rsaKeyConfigurationBuilder()
.property(Attributes.RS_ALGORITHM_PROPERTY)
.build();
@Override
public KeyProvider create(KeycloakSession session, ComponentModel model) {
if (model.getConfig().get(Attributes.KEY_USE) == null) {
// for backward compatibility : it allows "enc" key use for "rsa" provider
model.put(Attributes.KEY_USE, KeyUse.SIG.name());
}
return new ImportedRsaKeyProvider(session.getContext().getRealm(), model);
}
@Override
public void validateConfiguration(KeycloakSession session, RealmModel realm, ComponentModel model) throws ComponentValidationException {
super.validateConfiguration(session, realm, model);
ConfigurationValidationHelper.check(model)
.checkSingle(Attributes.PRIVATE_KEY_PROPERTY, true)
.checkSingle(Attributes.CERTIFICATE_PROPERTY, false);
KeyPair keyPair;
try {
PrivateKey privateKey = PemUtils.decodePrivateKey(model.get(Attributes.PRIVATE_KEY_KEY));
PublicKey publicKey = KeyUtils.extractPublicKey(privateKey);
keyPair = new KeyPair(publicKey, privateKey);
} catch (Throwable t) {
throw new ComponentValidationException("Failed to decode private key", t);
}
if (model.contains(Attributes.CERTIFICATE_KEY)) {
Certificate certificate = null;
try {
certificate = PemUtils.decodeCertificate(model.get(Attributes.CERTIFICATE_KEY));
} catch (Throwable t) {
throw new ComponentValidationException("Failed to decode certificate", t);
}
if (certificate == null) {
throw new ComponentValidationException("Failed to decode certificate");
}
if (!certificate.getPublicKey().equals(keyPair.getPublic())) {
throw new ComponentValidationException("Certificate does not match private key");
}
} else {
try {
Certificate certificate = CertificateUtils.generateV1SelfSignedCertificate(keyPair, realm.getName());
model.put(Attributes.CERTIFICATE_KEY, PemUtils.encodeCertificate(certificate));
} catch (Throwable t) {
throw new ComponentValidationException("Failed to generate self-signed certificate");
}
}
}
@Override
public String getHelpText() {
return HELP_TEXT;
@ -105,6 +57,21 @@ public class ImportedRsaKeyProviderFactory extends AbstractRsaKeyProviderFactory
return CONFIG_PROPERTIES;
}
@Override
protected boolean isValidKeyUse(KeyUse keyUse) {
return keyUse.equals(KeyUse.SIG);
}
@Override
protected boolean isSupportedRsaAlgorithm(String algorithm) {
return algorithm.equals(Algorithm.RS256)
|| algorithm.equals(Algorithm.PS256)
|| algorithm.equals(Algorithm.RS384)
|| algorithm.equals(Algorithm.PS384)
|| algorithm.equals(Algorithm.RS512)
|| algorithm.equals(Algorithm.PS512);
}
@Override
public String getId() {
return ID;

3
services/src/main/resources/META-INF/services/org.keycloak.keys.KeyProviderFactory
View file

@ -21,4 +21,5 @@ org.keycloak.keys.GeneratedRsaKeyProviderFactory
org.keycloak.keys.JavaKeystoreKeyProviderFactory
org.keycloak.keys.ImportedRsaKeyProviderFactory
org.keycloak.keys.GeneratedEcdsaKeyProviderFactory
org.keycloak.keys.GeneratedRsaEncKeyProviderFactory
org.keycloak.keys.GeneratedRsaEncKeyProviderFactory
org.keycloak.keys.ImportedRsaEncKeyProviderFactory

99
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/keys/ImportedRsaKeyProviderTest.java
View file

@ -25,10 +25,12 @@ import org.keycloak.common.util.KeyUtils;
import org.keycloak.common.util.MultivaluedHashMap;
import org.keycloak.common.util.PemUtils;
import org.keycloak.crypto.Algorithm;
import org.keycloak.crypto.KeyUse;
import org.keycloak.jose.jwe.JWEConstants;
import org.keycloak.jose.jws.AlgorithmType;
import org.keycloak.keys.Attributes;
import org.keycloak.keys.ImportedRsaEncKeyProviderFactory;
import org.keycloak.keys.ImportedRsaKeyProviderFactory;
import org.keycloak.keys.KeyMetadata;
import org.keycloak.keys.KeyProvider;
import org.keycloak.representations.idm.ComponentRepresentation;
import org.keycloak.representations.idm.ErrorRepresentation;
@ -69,13 +71,22 @@ public class ImportedRsaKeyProviderTest extends AbstractKeycloakTest {
}
@Test
public void privateKeyOnly() throws Exception {
public void privateKeyOnlyForSig() throws Exception {
privateKeyOnly(ImportedRsaKeyProviderFactory.ID, KeyUse.SIG, Algorithm.RS256);
}
@Test
public void privateKeyOnlyForEnc() throws Exception {
privateKeyOnly(ImportedRsaEncKeyProviderFactory.ID, KeyUse.ENC, JWEConstants.RSA_OAEP);
}
private void privateKeyOnly(String providerId, KeyUse keyUse, String algorithm) throws Exception {
long priority = System.currentTimeMillis();
KeyPair keyPair = KeyUtils.generateRsaKeyPair(2048);
String kid = KeyUtils.createKeyId(keyPair.getPublic());
ComponentRepresentation rep = createRep("valid", ImportedRsaKeyProviderFactory.ID);
ComponentRepresentation rep = createRep("valid", providerId);
rep.getConfig().putSingle(Attributes.PRIVATE_KEY_KEY, PemUtils.encodeKey(keyPair.getPrivate()));
rep.getConfig().putSingle(Attributes.PRIORITY_KEY, Long.toString(priority));
@ -91,7 +102,7 @@ public class ImportedRsaKeyProviderTest extends AbstractKeycloakTest {
KeysMetadataRepresentation keys = adminClient.realm("test").keys().getKeyMetadata();
assertEquals(kid, keys.getActive().get(Algorithm.RS256));
assertEquals(kid, keys.getActive().get(algorithm));
KeysMetadataRepresentation.KeyMetadataRepresentation key = keys.getKeys().get(0);
@ -101,17 +112,27 @@ public class ImportedRsaKeyProviderTest extends AbstractKeycloakTest {
assertEquals(kid, key.getKid());
assertEquals(PemUtils.encodeKey(keyPair.getPublic()), keys.getKeys().get(0).getPublicKey());
assertEquals(keyPair.getPublic(), PemUtils.decodeCertificate(key.getCertificate()).getPublicKey());
assertEquals(keyUse, keys.getKeys().get(0).getUse());
}
@Test
public void keyAndCertificate() throws Exception {
public void keyAndCertificateForSig() throws Exception {
keyAndCertificate(ImportedRsaKeyProviderFactory.ID, KeyUse.SIG);
}
@Test
public void keyAndCertificateForEnc() throws Exception {
keyAndCertificate(ImportedRsaEncKeyProviderFactory.ID, KeyUse.ENC);
}
private void keyAndCertificate(String providerId, KeyUse keyUse) throws Exception {
long priority = System.currentTimeMillis();
KeyPair keyPair = KeyUtils.generateRsaKeyPair(2048);
Certificate certificate = CertificateUtils.generateV1SelfSignedCertificate(keyPair, "test");
String certificatePem = PemUtils.encodeCertificate(certificate);
ComponentRepresentation rep = createRep("valid", ImportedRsaKeyProviderFactory.ID);
ComponentRepresentation rep = createRep("valid", providerId);
rep.getConfig().putSingle(Attributes.PRIVATE_KEY_KEY, PemUtils.encodeKey(keyPair.getPrivate()));
rep.getConfig().putSingle(Attributes.CERTIFICATE_KEY, certificatePem);
rep.getConfig().putSingle(Attributes.PRIORITY_KEY, Long.toString(priority));
@ -128,13 +149,23 @@ public class ImportedRsaKeyProviderTest extends AbstractKeycloakTest {
KeysMetadataRepresentation.KeyMetadataRepresentation key = keys.getKeys().get(0);
assertEquals(certificatePem, key.getCertificate());
assertEquals(keyUse, keys.getKeys().get(0).getUse());
}
@Test
public void invalidPriority() throws Exception {
public void invalidPriorityForSig() throws Exception {
invalidPriority(ImportedRsaKeyProviderFactory.ID);
}
@Test
public void invalidPriorityForEnc() throws Exception {
invalidPriority(ImportedRsaEncKeyProviderFactory.ID);
}
private void invalidPriority(String providerId) throws Exception {
KeyPair keyPair = KeyUtils.generateRsaKeyPair(2048);
ComponentRepresentation rep = createRep("invalid", ImportedRsaKeyProviderFactory.ID);
ComponentRepresentation rep = createRep("invalid", providerId);
rep.getConfig().putSingle(Attributes.PRIVATE_KEY_KEY, PemUtils.encodeKey(keyPair.getPrivate()));
rep.getConfig().putSingle(Attributes.PRIORITY_KEY, "invalid");
@ -143,10 +174,19 @@ public class ImportedRsaKeyProviderTest extends AbstractKeycloakTest {
}
@Test
public void invalidEnabled() throws Exception {
public void invalidEnabledForSig() throws Exception {
invalidEnabled(ImportedRsaKeyProviderFactory.ID);
}
@Test
public void invalidEnabledForEnc() throws Exception {
invalidEnabled(ImportedRsaEncKeyProviderFactory.ID);
}
private void invalidEnabled(String providerId) throws Exception {
KeyPair keyPair = KeyUtils.generateRsaKeyPair(2048);
ComponentRepresentation rep = createRep("invalid", ImportedRsaKeyProviderFactory.ID);
ComponentRepresentation rep = createRep("invalid", providerId);
rep.getConfig().putSingle(Attributes.PRIVATE_KEY_KEY, PemUtils.encodeKey(keyPair.getPrivate()));
rep.getConfig().putSingle(Attributes.ENABLED_KEY, "invalid");
@ -155,10 +195,19 @@ public class ImportedRsaKeyProviderTest extends AbstractKeycloakTest {
}
@Test
public void invalidActive() throws Exception {
public void invalidActiveForSig() throws Exception {
invalidActive(ImportedRsaKeyProviderFactory.ID);
}
@Test
public void invalidActiveForEnc() throws Exception {
invalidActive(ImportedRsaEncKeyProviderFactory.ID);
}
private void invalidActive(String providerId) throws Exception {
KeyPair keyPair = KeyUtils.generateRsaKeyPair(2048);
ComponentRepresentation rep = createRep("invalid", ImportedRsaKeyProviderFactory.ID);
ComponentRepresentation rep = createRep("invalid", providerId);
rep.getConfig().putSingle(Attributes.PRIVATE_KEY_KEY, PemUtils.encodeKey(keyPair.getPrivate()));
rep.getConfig().putSingle(Attributes.ACTIVE_KEY, "invalid");
@ -167,10 +216,19 @@ public class ImportedRsaKeyProviderTest extends AbstractKeycloakTest {
}
@Test
public void invalidPrivateKey() throws Exception {
public void invalidPrivateKeyForSig() throws Exception {
invalidPrivateKey(ImportedRsaKeyProviderFactory.ID);
}
@Test
public void invalidPrivateKeyForEnc() throws Exception {
invalidPrivateKey(ImportedRsaEncKeyProviderFactory.ID);
}
private void invalidPrivateKey(String providerId) throws Exception {
KeyPair keyPair = KeyUtils.generateRsaKeyPair(2048);
ComponentRepresentation rep = createRep("invalid", ImportedRsaKeyProviderFactory.ID);
ComponentRepresentation rep = createRep("invalid", providerId);
Response response = adminClient.realm("test").components().add(rep);
assertErrror(response, "'Private RSA Key' is required");
@ -185,11 +243,20 @@ public class ImportedRsaKeyProviderTest extends AbstractKeycloakTest {
}
@Test
public void invalidCertificate() throws Exception {
public void invalidCertificateForSig() throws Exception {
invalidCertificate(ImportedRsaKeyProviderFactory.ID);
}
@Test
public void invalidCertificateForEnc() throws Exception {
invalidCertificate(ImportedRsaEncKeyProviderFactory.ID);
}
private void invalidCertificate(String providerId) throws Exception {
KeyPair keyPair = KeyUtils.generateRsaKeyPair(2048);
Certificate invalidCertificate = CertificateUtils.generateV1SelfSignedCertificate(KeyUtils.generateRsaKeyPair(2048), "test");
ComponentRepresentation rep = createRep("invalid", ImportedRsaKeyProviderFactory.ID);
ComponentRepresentation rep = createRep("invalid", providerId);
rep.getConfig().putSingle(Attributes.PRIVATE_KEY_KEY, PemUtils.encodeKey(keyPair.getPrivate()));
rep.getConfig().putSingle(Attributes.CERTIFICATE_KEY, "nonsense");