x509Certificate AuthorityKeyIdentifierExtension (#27272)

closes #27271 

Signed-off-by: coursar <coursar@gmail.com>
This commit is contained in:
coursar 2024-02-27 17:59:51 +03:00 committed by GitHub
parent fd546f2fbb
commit 3b721512c4
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 22 additions and 5 deletions


@ -112,7 +112,7 @@ public class BCCertificateUtilsProvider implements CertificateUtilsProvider {
// Authority Key Identifier
certGen.addExtension(Extension.authorityKeyIdentifier, false,
x509ExtensionUtils.createAuthorityKeyIdentifier(subjPubKeyInfo));
x509ExtensionUtils.createAuthorityKeyIdentifier(caCert));
// Key Usage
certGen.addExtension(Extension.keyUsage, false, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign
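Review bot: `x509ExtensionUtils.createAuthorityKeyIdentifier(caCert)` on the new line dereferences `caCert` unconditionally, while the Elytron provider in this same commit guards `caCert != null` and falls back to the subject's own key; if the shared CertificateUtilsProvider contract permits a null `caCert` (a self-signed certificate), this hunk and the identical one in BCFIPSCertificateUtilsProvider now throw a NullPointerException where the old `subjPubKeyInfo` form worked. The BC provider should mirror that branch: select `caCert != null ? x509ExtensionUtils.createAuthorityKeyIdentifier(caCert) : x509ExtensionUtils.createAuthorityKeyIdentifier(subjPubKeyInfo)` as the extension value, since for a self-signed certificate the subject key is the authority key. Note also that the X509Certificate overload encodes authorityCertIssuer and authorityCertSerialNumber in addition to the key identifier, so issued certificates become bound to this exact CA certificate serial and strict validators that compare those fields will reject a re-issued CA certificate with the same key; a comment above the call, `// AKI carries the CA's issuer DN and serial, not only its key id`, would make that trade-off visible. The enclosing method starts and ends outside the hunk.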


@ -41,6 +41,7 @@ import org.jboss.logging.Logger;
import org.keycloak.common.crypto.CertificateUtilsProvider;
import org.wildfly.security.asn1.ASN1;
import org.wildfly.security.asn1.DERDecoder;
import org.wildfly.security.x500.GeneralName;
import org.wildfly.security.x500.X500;
import org.wildfly.security.x500.cert.AuthorityKeyIdentifierExtension;
import org.wildfly.security.x500.cert.BasicConstraintsExtension;
@ -52,6 +53,7 @@ import org.wildfly.security.x500.cert.KeyUsageExtension;
import org.wildfly.security.x500.cert.SubjectKeyIdentifierExtension;
import org.wildfly.security.x500.cert.X509CertificateBuilder;
import org.wildfly.security.x500.cert.X509CertificateExtension;
import org.wildfly.security.x500.cert.util.KeyUtil;
/**
* The Class CertificateUtils provides utility functions for generation
@ -103,6 +105,22 @@ public class ElytronCertificateUtils implements CertificateUtilsProvider {
ekuList.add(X500.OID_KP_EMAIL_PROTECTION);
ekuList.add(X500.OID_KP_SERVER_AUTH);
// Authority Key Identifier
AuthorityKeyIdentifierExtension authorityKeyIdentifierExtension;
if (caCert != null) {
authorityKeyIdentifierExtension = new AuthorityKeyIdentifierExtension(
KeyUtil.getKeyIdentifier(caCert.getPublicKey()),
Collections.singletonList(new GeneralName.DirectoryName(caCert.getIssuerX500Principal().getName())),
caCert.getSerialNumber()
);
} else {
authorityKeyIdentifierExtension = new AuthorityKeyIdentifierExtension(
KeyUtil.getKeyIdentifier(keyPair.getPublic()),
Collections.singletonList(new GeneralName.DirectoryName(issuerdn.getName())),
serialNumber
);
}
X509CertificateBuilder cbuilder = new X509CertificateBuilder()
.setSubjectDn(subjectdn)
.setIssuerDn(issuerdn)
@ -110,7 +128,6 @@ public class ElytronCertificateUtils implements CertificateUtilsProvider {
.setNotValidBefore(notBefore)
.setNotValidAfter(notAfter)
.setSigningKey(keyPair.getPrivate())
.setPublicKey(keyPair.getPublic())
.setSerialNumber(serialNumber)
@ -120,10 +137,10 @@ public class ElytronCertificateUtils implements CertificateUtilsProvider {
.setSigningKey(caPrivateKey)
// Subject Key Identifier Extension
.addExtension(new SubjectKeyIdentifierExtension(keyPair.getPublic().getEncoded()))
.addExtension(new SubjectKeyIdentifierExtension(KeyUtil.getKeyIdentifier(keyPair.getPublic())))
// Authority Key Identifier
.addExtension(new AuthorityKeyIdentifierExtension(keyPair.getPublic().getEncoded(), null, null))
.addExtension(authorityKeyIdentifierExtension)
// Key Usage
.addExtension(
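Review bot: The `else` branch (`KeyUtil.getKeyIdentifier(keyPair.getPublic())`, `issuerdn.getName()`, `serialNumber`) records the subject's own key, issuer DN and serial as the authority's, which is only correct for a self-signed certificate; since the builder is signed with `caPrivateKey` (context line `.setSigningKey(caPrivateKey)`), a caller that supplies a CA private key without its certificate would get an AKI that does not match the real issuer and chain building would fail silently later. If `caCert == null` is meant to imply that `caPrivateKey` belongs to `keyPair`, state that precondition above the branch, e.g. `// caCert == null means self-signed: the AKI mirrors the subject's own key id, issuer DN and serial`, and document it on the method's Javadoc. `Collections` is used on the new lines but no import for it appears in the import hunks; presumably `java.util.Collections` is already imported above line 41, so confirm. The enclosing method starts and ends outside the hunks.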


@ -114,7 +114,7 @@ public class BCFIPSCertificateUtilsProvider implements CertificateUtilsProvider{
// Authority Key Identifier
certGen.addExtension(Extension.authorityKeyIdentifier, false,
x509ExtensionUtils.createAuthorityKeyIdentifier(subjPubKeyInfo));
x509ExtensionUtils.createAuthorityKeyIdentifier(caCert));
// Key Usage
certGen.addExtension(Extension.keyUsage, false, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign