libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases Packages Activity Actions

KEYCLOAK-5176 Strip headers from PEM when uploading to client

Browse source
This commit is contained in:
stianst 2017-12-04 15:47:35 +01:00 committed by Stian Thorgersen
parent 19cfbbf7ff
commit 4541acc628
4 changed files with 22 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
common/src/main/java/org/keycloak/common/util/PemUtils.java
View file

@ -149,7 +149,7 @@ public final class PemUtils {
return Base64.decode(pem);
}
private static String removeBeginEnd(String pem) {
public static String removeBeginEnd(String pem) {
pem = pem.replaceAll("-----BEGIN (.*)-----", "");
pem = pem.replaceAll("-----END (.*)----", "");
pem = pem.replaceAll("\r\n", "");

2
services/src/main/java/org/keycloak/services/resources/admin/ClientAttributeCertificateResource.java
View file

@ -190,6 +190,8 @@ public class ClientAttributeCertificateResource {
if (keystoreFormat.equals(CERTIFICATE_PEM)) {
String pem = StreamUtil.readString(inputParts.get(0).getBody(InputStream.class, null));
pem = PemUtils.removeBeginEnd(pem);
// Validate format
KeycloakModelUtils.getCertificate(pem);

17
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/CredentialsTest.java
View file

@ -165,6 +165,23 @@ public class CredentialsTest extends AbstractClientTest {
cert = certRsc.getKeyInfo();
assertEquals("cert properly set", certificate2, cert.getCertificate());
assertNull("privateKey nullified", cert.getPrivateKey());
// Upload certificate with header - should be stored without header
form = new MultipartFormDataOutput();
form.addFormData("keystoreFormat", "Certificate PEM", MediaType.TEXT_PLAIN_TYPE);
String certificate2WithHeaders = "-----BEGIN CERTIFICATE-----\n" + certificate2 + "\n-----END CERTIFICATE-----";
form.addFormData("file", certificate2WithHeaders.getBytes(Charset.forName("ASCII")), MediaType.APPLICATION_OCTET_STREAM_TYPE);
cert = certRsc.uploadJks(form);
assertNotNull("cert not null", cert);
assertEquals("cert properly extracted", certificate2, cert.getCertificate());
assertNull("privateKey not included", cert.getPrivateKey());
// Get the certificate again - to make sure cert is set, and privateKey is null
cert = certRsc.getKeyInfo();
assertEquals("cert properly set", certificate2, cert.getCertificate());
assertNull("privateKey nullified", cert.getPrivateKey());
}
@Test

7
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ClientAuthSignedJWTTest.java
View file

@ -43,11 +43,7 @@ import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.authenticators.client.JWTClientAuthenticator;
import org.keycloak.common.constants.ServiceAccountConstants;
import org.keycloak.common.util.BouncyIntegration;
import org.keycloak.common.util.KeycloakUriBuilder;
import org.keycloak.common.util.KeystoreUtil;
import org.keycloak.common.util.Time;
import org.keycloak.common.util.UriUtils;
import org.keycloak.common.util.*;
import org.keycloak.constants.ServiceUrlConstants;
import org.keycloak.events.Details;
import org.keycloak.events.Errors;
@ -727,6 +723,7 @@ public class ClientAuthSignedJWTTest extends AbstractKeycloakTest {
}
private static void assertCertificate(ClientRepresentation client, String certOld, String pem) {
pem = PemUtils.removeBeginEnd(pem);
final String certNew = client.getAttributes().get(JWTClientAuthenticator.CERTIFICATE_ATTR);
assertNotEquals("The old and new certificates shouldn't match", certOld, certNew);
assertEquals("Certificates don't match", pem, certNew);