From 3b721512c4d920a44046b318e0a32e38f5093fb8 Mon Sep 17 00:00:00 2001
From: coursar
Date: Tue, 27 Feb 2024 17:59:51 +0300
Subject: [PATCH] x509Certificate AuthorityKeyIdentifierExtension (#27272)

closes #27271

Signed-off-by: coursar
---
 .../def/BCCertificateUtilsProvider.java | 2 +-
 .../elytron/ElytronCertificateUtils.java | 23 ++++++++++++++++---
 .../fips/BCFIPSCertificateUtilsProvider.java | 2 +-
 3 files changed, 22 insertions(+), 5 deletions(-)

diff --git a/crypto/default/src/main/java/org/keycloak/crypto/def/BCCertificateUtilsProvider.java b/crypto/default/src/main/java/org/keycloak/crypto/def/BCCertificateUtilsProvider.java
index d731bde9f3..311a1110d1 100755
--- a/crypto/default/src/main/java/org/keycloak/crypto/def/BCCertificateUtilsProvider.java
+++ b/crypto/default/src/main/java/org/keycloak/crypto/def/BCCertificateUtilsProvider.java
@@ -112,7 +112,7 @@ public class BCCertificateUtilsProvider implements CertificateUtilsProvider {
 // Authority Key Identifier
 certGen.addExtension(Extension.authorityKeyIdentifier, false,
- x509ExtensionUtils.createAuthorityKeyIdentifier(subjPubKeyInfo));
+ x509ExtensionUtils.createAuthorityKeyIdentifier(caCert));
 // Key Usage
 certGen.addExtension(Extension.keyUsage, false, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign
diff --git a/crypto/elytron/src/main/java/org/keycloak/crypto/elytron/ElytronCertificateUtils.java b/crypto/elytron/src/main/java/org/keycloak/crypto/elytron/ElytronCertificateUtils.java
index 88add31161..fbcbfb38cf 100644
--- a/crypto/elytron/src/main/java/org/keycloak/crypto/elytron/ElytronCertificateUtils.java
+++ b/crypto/elytron/src/main/java/org/keycloak/crypto/elytron/ElytronCertificateUtils.java
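Review bot: `x509ExtensionUtils.createAuthorityKeyIdentifier(caCert)` on the added line dereferences `caCert` unconditionally, whereas the Elytron hunk in this same commit guards `caCert != null` and falls back to a self-referencing identifier; if the provider interface allows a null CA certificate for self-signed generation, the BC path now fails with a NullPointerException where the old call at least produced an extension derived from the subject key. The identical hunk in BCFIPSCertificateUtilsProvider.java has the same issue. A guard that keeps the old behaviour only for the self-signed case would be `caCert != null ? x509ExtensionUtils.createAuthorityKeyIdentifier(caCert) : x509ExtensionUtils.createAuthorityKeyIdentifier(subjPubKeyInfo)` as the second argument to `addExtension`. If `caCert` is never null on this path, a one-line comment stating that precondition above the call would make the asymmetry with the Elytron provider intentional rather than accidental. The enclosing method starts and ends outside the hunk.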
@@ -41,6 +41,7 @@ import org.jboss.logging.Logger;
 import org.keycloak.common.crypto.CertificateUtilsProvider;
 import org.wildfly.security.asn1.ASN1;
 import org.wildfly.security.asn1.DERDecoder;
+import org.wildfly.security.x500.GeneralName;
 import org.wildfly.security.x500.X500;
 import org.wildfly.security.x500.cert.AuthorityKeyIdentifierExtension;
 import org.wildfly.security.x500.cert.BasicConstraintsExtension;
@@ -52,6 +53,7 @@ import org.wildfly.security.x500.cert.KeyUsageExtension;
 import org.wildfly.security.x500.cert.SubjectKeyIdentifierExtension;
 import org.wildfly.security.x500.cert.X509CertificateBuilder;
 import org.wildfly.security.x500.cert.X509CertificateExtension;
+import org.wildfly.security.x500.cert.util.KeyUtil;
 /**
 * The Class CertificateUtils provides utility functions for generation
@@ -103,6 +105,22 @@ public class ElytronCertificateUtils implements CertificateUtilsProvider {
 ekuList.add(X500.OID_KP_EMAIL_PROTECTION);
 ekuList.add(X500.OID_KP_SERVER_AUTH);
+ // Authority Key Identifier
+ AuthorityKeyIdentifierExtension authorityKeyIdentifierExtension;
+ if (caCert != null) {
+ authorityKeyIdentifierExtension = new AuthorityKeyIdentifierExtension(
+ KeyUtil.getKeyIdentifier(caCert.getPublicKey()),
+ Collections.singletonList(new GeneralName.DirectoryName(caCert.getIssuerX500Principal().getName())),
+ caCert.getSerialNumber()
+ );
+ } else {
+ authorityKeyIdentifierExtension = new AuthorityKeyIdentifierExtension(
+ KeyUtil.getKeyIdentifier(keyPair.getPublic()),
+ Collections.singletonList(new GeneralName.DirectoryName(issuerdn.getName())),
+ serialNumber
+ );
+ }
+
 X509CertificateBuilder cbuilder = new X509CertificateBuilder()
 .setSubjectDn(subjectdn)
 .setIssuerDn(issuerdn)
@@ -110,7 +128,6 @@ public class ElytronCertificateUtils implements CertificateUtilsProvider {
 .setNotValidBefore(notBefore)
 .setNotValidAfter(notAfter)
- .setSigningKey(keyPair.getPrivate())
 .setPublicKey(keyPair.getPublic())
 .setSerialNumber(serialNumber)
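Review bot: In the `caCert != null` branch, `KeyUtil.getKeyIdentifier(caCert.getPublicKey())` derives the AKI keyIdentifier by hashing the CA public key instead of copying the CA certificate's own SubjectKeyIdentifier, so for a CA certificate issued elsewhere with a different identifier scheme the leaf's AKI will not match the CA's SKI and validators that build paths on that pair can reject the chain. The BC providers changed in this commit go through the certificate overload, which as far as I recall copies the CA's existing SKI extension when present, so the two implementations now diverge on this point; reading the SKI extension (OID 2.5.29.14) from `caCert` first and computing the identifier only as a fallback keeps them aligned. Also note that `new GeneralName.DirectoryName(caCert.getIssuerX500Principal().getName())` round-trips the issuer DN through a string and may not reproduce the CA certificate's issuer encoding byte-for-byte, and that carrying authorityCertIssuer/serial at all binds the leaf to this exact CA certificate (RFC 5280 §4.2.1.1 requires only keyIdentifier), which matters if the CA certificate is ever re-issued under the same key. The enclosing method starts and ends outside the hunk.
```java
        // Authority Key Identifier
        AuthorityKeyIdentifierExtension authorityKeyIdentifierExtension;
        if (caCert != null) {
            // Prefer the CA certificate's own SubjectKeyIdentifier so AKI.keyIdentifier matches it exactly;
            // only hash the CA public key when the CA certificate carries no SKI extension.
            byte[] caKeyIdentifier;
            byte[] skiValue = caCert.getExtensionValue("2.5.29.14");
            if (skiValue != null) {
                // getExtensionValue() returns the DER OCTET STRING wrapping the SKI OCTET STRING
                caKeyIdentifier = new DERDecoder(new DERDecoder(skiValue).decodeOctetString()).decodeOctetString();
            } else {
                caKeyIdentifier = KeyUtil.getKeyIdentifier(caCert.getPublicKey());
            }
            authorityKeyIdentifierExtension = new AuthorityKeyIdentifierExtension(
                    caKeyIdentifier,
                    Collections.singletonList(new GeneralName.DirectoryName(caCert.getIssuerX500Principal().getName())),
                    caCert.getSerialNumber()
            );
        } else {
            // … unchanged: self-signed branch …
        }
```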
@@ -120,10 +137,10 @@ public class ElytronCertificateUtils implements CertificateUtilsProvider {
 .setSigningKey(caPrivateKey)
 // Subject Key Identifier Extension
- .addExtension(new SubjectKeyIdentifierExtension(keyPair.getPublic().getEncoded()))
+ .addExtension(new SubjectKeyIdentifierExtension(KeyUtil.getKeyIdentifier(keyPair.getPublic())))
 // Authority Key Identifier
- .addExtension(new AuthorityKeyIdentifierExtension(keyPair.getPublic().getEncoded(), null, null))
+ .addExtension(authorityKeyIdentifierExtension)
 // Key Usage
 .addExtension(
diff --git a/crypto/fips1402/src/main/java/org/keycloak/crypto/fips/BCFIPSCertificateUtilsProvider.java b/crypto/fips1402/src/main/java/org/keycloak/crypto/fips/BCFIPSCertificateUtilsProvider.java
index d8344564de..2f5fe596bf 100755
--- a/crypto/fips1402/src/main/java/org/keycloak/crypto/fips/BCFIPSCertificateUtilsProvider.java
+++ b/crypto/fips1402/src/main/java/org/keycloak/crypto/fips/BCFIPSCertificateUtilsProvider.java
@@ -114,7 +114,7 @@ public class BCFIPSCertificateUtilsProvider implements CertificateUtilsProvider{
 // Authority Key Identifier
 certGen.addExtension(Extension.authorityKeyIdentifier, false,
- x509ExtensionUtils.createAuthorityKeyIdentifier(subjPubKeyInfo));
+ x509ExtensionUtils.createAuthorityKeyIdentifier(caCert));
 // Key Usage
 certGen.addExtension(Extension.keyUsage, false, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign