Add active RSA key to decryption if deprecated mode (#25205)

Closes https://github.com/keycloak/keycloak/issues/24652

Signed-off-by: rmartinc <rmartinc@redhat.com>
Ricardo Martin 2023-12-01 14:40:47 +01:00 committed by GitHub
parent 3fa2d155ca
commit 3b26e5d489


@ -66,6 +66,7 @@ import org.keycloak.saml.common.util.DocumentUtil;
import org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder; import org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder;
import org.keycloak.saml.processing.core.saml.v2.constants.X500SAMLProfileConstants; import org.keycloak.saml.processing.core.saml.v2.constants.X500SAMLProfileConstants;
import org.keycloak.saml.processing.core.saml.v2.util.AssertionUtil; import org.keycloak.saml.processing.core.saml.v2.util.AssertionUtil;
import org.keycloak.saml.processing.core.util.XMLEncryptionUtil;
import org.keycloak.saml.processing.core.util.XMLSignatureUtil; import org.keycloak.saml.processing.core.util.XMLSignatureUtil;
import org.keycloak.saml.processing.web.util.PostBindingUtil; import org.keycloak.saml.processing.web.util.PostBindingUtil;
import org.keycloak.services.ErrorPage; import org.keycloak.services.ErrorPage;
@ -89,7 +90,9 @@ import jakarta.ws.rs.core.UriInfo;
import javax.xml.namespace.QName; import javax.xml.namespace.QName;
import java.io.IOException; import java.io.IOException;
import java.security.Key; import java.security.Key;
import java.security.PrivateKey;
import java.security.cert.X509Certificate; import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection; import java.util.Collection;
import java.util.Iterator; import java.util.Iterator;
import java.util.LinkedList; import java.util.LinkedList;
@ -458,14 +461,19 @@ public class SAMLEndpoint {
if (assertionIsEncrypted) { if (assertionIsEncrypted) {
try { try {
XMLEncryptionUtil.DecryptionKeyLocator decryptionKeyLocator = new SAMLDecryptionKeysLocator(session, realm, config.getEncryptionAlgorithm());
/* This code is deprecated and will be removed in Keycloak 24 */ /* This code is deprecated and will be removed in Keycloak 24 */
if (DEPRECATED_ENCRYPTION) { if (DEPRECATED_ENCRYPTION) {
KeyManager.ActiveRsaKey keys = session.keys().getActiveRsaKey(realm); KeyManager.ActiveRsaKey keys = session.keys().getActiveRsaKey(realm);
assertionElement = AssertionUtil.decryptAssertion(responseType, keys.getPrivateKey()); final XMLEncryptionUtil.DecryptionKeyLocator tmp = decryptionKeyLocator;
} else { decryptionKeyLocator = data -> {
/* End of deprecated code */ List<PrivateKey> result = new ArrayList<>(tmp.getKeys(data));
assertionElement = AssertionUtil.decryptAssertion(responseType, new SAMLDecryptionKeysLocator(session, realm, config.getEncryptionAlgorithm())); result.add(keys.getPrivateKey());
return result;
};
} }
/* End of deprecated code */
assertionElement = AssertionUtil.decryptAssertion(responseType, decryptionKeyLocator);
} catch (ProcessingException ex) { } catch (ProcessingException ex) {
logger.warnf(ex, "Not possible to decrypt SAML assertion. Please check realm keys of usage ENC in the realm '%s' and make sure there is a key able to decrypt the assertion encrypted by identity provider '%s'", realm.getName(), config.getAlias()); logger.warnf(ex, "Not possible to decrypt SAML assertion. Please check realm keys of usage ENC in the realm '%s' and make sure there is a key able to decrypt the assertion encrypted by identity provider '%s'", realm.getName(), config.getAlias());
throw new WebApplicationException(ex, Response.Status.BAD_REQUEST); throw new WebApplicationException(ex, Response.Status.BAD_REQUEST);
@ -511,14 +519,19 @@ public class SAMLEndpoint {
if (AssertionUtil.isIdEncrypted(responseType)) { if (AssertionUtil.isIdEncrypted(responseType)) {
try { try {
XMLEncryptionUtil.DecryptionKeyLocator decryptionKeyLocator = new SAMLDecryptionKeysLocator(session, realm, config.getEncryptionAlgorithm());
/* This code is deprecated and will be removed in Keycloak 24 */ /* This code is deprecated and will be removed in Keycloak 24 */
if (DEPRECATED_ENCRYPTION) { if (DEPRECATED_ENCRYPTION) {
KeyManager.ActiveRsaKey keys = session.keys().getActiveRsaKey(realm); KeyManager.ActiveRsaKey keys = session.keys().getActiveRsaKey(realm);
AssertionUtil.decryptId(responseType, data -> Collections.singletonList(keys.getPrivateKey())); final XMLEncryptionUtil.DecryptionKeyLocator tmp = decryptionKeyLocator;
} else { decryptionKeyLocator = data -> {
/* End of deprecated code */ List<PrivateKey> result = new ArrayList<>(tmp.getKeys(data));
AssertionUtil.decryptId(responseType, new SAMLDecryptionKeysLocator(session, realm, config.getEncryptionAlgorithm())); result.add(keys.getPrivateKey());
return result;
};
} }
/* End of deprecated code */
AssertionUtil.decryptId(responseType, decryptionKeyLocator);
} catch (ProcessingException ex) { } catch (ProcessingException ex) {
logger.warnf(ex, "Not possible to decrypt SAML encryptedId. Please check realm keys of usage ENC in the realm '%s' and make sure there is a key able to decrypt the encryptedId encrypted by identity provider '%s'", realm.getName(), config.getAlias()); logger.warnf(ex, "Not possible to decrypt SAML encryptedId. Please check realm keys of usage ENC in the realm '%s' and make sure there is a key able to decrypt the encryptedId encrypted by identity provider '%s'", realm.getName(), config.getAlias());
throw new WebApplicationException(ex, Response.Status.BAD_REQUEST); throw new WebApplicationException(ex, Response.Status.BAD_REQUEST);