libre.sh/keycloak-scim
2
0
Fork 0
Code Issues 14 Pull requests Releases Packages Activity Actions 6

Support certificate creation for EC keys (#31817)

Browse source 
fixes #31816

Signed-off-by: Captain-P-Goldfish <captain.p.goldfish@gmx.de>
This commit is contained in:
Pascal Knüppel 2024-08-02 11:52:48 +02:00 committed by GitHub
parent f537343545
commit 4a15e1c2b0
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 62 additions and 24 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
core/src/test/java/org/keycloak/jose/jwk/JWKTest.java
View file

@ -42,7 +42,6 @@ import java.security.Signature;
import java.security.cert.X509Certificate; import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey; import java.security.interfaces.ECPublicKey;
import java.security.spec.ECGenParameterSpec; import java.security.spec.ECGenParameterSpec;
import java.security.spec.ECPoint;
import static org.junit.Assert.assertArrayEquals; import static org.junit.Assert.assertArrayEquals;
import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertEquals;
@ -50,6 +49,7 @@ import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertTrue; import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail; import static org.junit.Assert.fail;
import static org.keycloak.common.util.CertificateUtils.generateV1SelfSignedCertificate; import static org.keycloak.common.util.CertificateUtils.generateV1SelfSignedCertificate;
import static org.keycloak.common.util.CertificateUtils.generateV3Certificate;
/** /**
* This is not tested in keycloak-core. The subclasses should be created in the crypto modules to make sure it is tested with corresponding modules (bouncycastle VS bouncycastle-fips) * This is not tested in keycloak-core. The subclasses should be created in the crypto modules to make sure it is tested with corresponding modules (bouncycastle VS bouncycastle-fips)
@ -143,6 +143,11 @@ public abstract class JWKTest {
ECGenParameterSpec ecSpec = new ECGenParameterSpec(algorithm); ECGenParameterSpec ecSpec = new ECGenParameterSpec(algorithm);
keyGen.initialize(ecSpec, randomGen); keyGen.initialize(ecSpec, randomGen);
KeyPair keyPair = keyGen.generateKeyPair(); KeyPair keyPair = keyGen.generateKeyPair();
KeyPair keyPair2 = keyGen.generateKeyPair();
X509Certificate certificate = generateV1SelfSignedCertificate(keyPair, "root");
X509Certificate certificate2 = generateV3Certificate(keyPair2, keyPair.getPrivate(), certificate, "child");
certificate.verify(keyPair.getPublic());
certificate2.verify(keyPair.getPublic());
ECPublicKey publicKey = (ECPublicKey) keyPair.getPublic(); ECPublicKey publicKey = (ECPublicKey) keyPair.getPublic();

13
crypto/default/src/main/java/org/keycloak/crypto/def/BCCertificateUtilsProvider.java
View file

@ -130,7 +130,17 @@ public class BCCertificateUtilsProvider implements CertificateUtilsProvider {
certGen.addExtension(Extension.basicConstraints, true, new BasicConstraints(0)); certGen.addExtension(Extension.basicConstraints, true, new BasicConstraints(0));
// Content Signer // Content Signer
ContentSigner sigGen = new JcaContentSignerBuilder("SHA1WithRSAEncryption").setProvider(BouncyIntegration.PROVIDER).build(caPrivateKey); ContentSigner sigGen;
switch (keyPair.getPublic().getAlgorithm())
{
case "EC":
sigGen = new JcaContentSignerBuilder("SHA256WithECDSA").setProvider(BouncyIntegration.PROVIDER)
.build(caPrivateKey);
break;
default:
sigGen = new JcaContentSignerBuilder("SHA256WithRSAEncryption").setProvider(BouncyIntegration.PROVIDER)
.build(caPrivateKey);
}
// Certificate // Certificate
return new JcaX509CertificateConverter().setProvider(BouncyIntegration.PROVIDER).getCertificate(certGen.build(sigGen)); return new JcaX509CertificateConverter().setProvider(BouncyIntegration.PROVIDER).getCertificate(certGen.build(sigGen));
@ -185,6 +195,7 @@ public class BCCertificateUtilsProvider implements CertificateUtilsProvider {
.setProvider(BouncyIntegration.PROVIDER); .setProvider(BouncyIntegration.PROVIDER);
break; break;
} }
case "EC":
case "ECDSA": { case "ECDSA": {
signerBuilder = new JcaContentSignerBuilder("SHA256WithECDSA") signerBuilder = new JcaContentSignerBuilder("SHA256WithECDSA")
.setProvider(BouncyIntegration.PROVIDER); .setProvider(BouncyIntegration.PROVIDER);

20
crypto/elytron/src/main/java/org/keycloak/crypto/elytron/ElytronCertificateUtilsProvider.java
View file

@ -112,8 +112,6 @@ public class ElytronCertificateUtilsProvider implements CertificateUtilsProvider
.setSerialNumber(serialNumber) .setSerialNumber(serialNumber)
.setSignatureAlgorithmName("SHA256withRSA")
.setSigningKey(caPrivateKey) .setSigningKey(caPrivateKey)
// Subject Key Identifier Extension // Subject Key Identifier Extension
@ -135,6 +133,14 @@ public class ElytronCertificateUtilsProvider implements CertificateUtilsProvider
// Basic Constraints // Basic Constraints
.addExtension(new BasicConstraintsExtension(true, true, 0)); .addExtension(new BasicConstraintsExtension(true, true, 0));
switch (caPrivateKey.getAlgorithm()){
case "EC":
cbuilder.setSignatureAlgorithmName("SHA256withECDSA");
break;
default:
cbuilder.setSignatureAlgorithmName("SHA256withRSA");
}
return cbuilder.build(); return cbuilder.build();
} catch (Exception e) { } catch (Exception e) {
@ -182,9 +188,15 @@ public class ElytronCertificateUtilsProvider implements CertificateUtilsProvider
.setSigningKey(caKeyPair.getPrivate()) .setSigningKey(caKeyPair.getPrivate())
.setPublicKey(caKeyPair.getPublic()) .setPublicKey(caKeyPair.getPublic())
.setSerialNumber(serialNumber) .setSerialNumber(serialNumber);
.setSignatureAlgorithmName("SHA256withRSA"); switch (caKeyPair.getPrivate().getAlgorithm()){
case "EC":
cbuilder.setSignatureAlgorithmName("SHA256withECDSA");
break;
default:
cbuilder.setSignatureAlgorithmName("SHA256withRSA");
}
return cbuilder.build(); return cbuilder.build();

12
crypto/fips1402/src/main/java/org/keycloak/crypto/fips/BCFIPSCertificateUtilsProvider.java
View file

@ -49,6 +49,7 @@ import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder; import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.keycloak.common.util.BouncyIntegration; import org.keycloak.common.util.BouncyIntegration;
import org.keycloak.common.crypto.CertificateUtilsProvider; import org.keycloak.common.crypto.CertificateUtilsProvider;
import org.keycloak.crypto.Algorithm;
import org.keycloak.crypto.JavaAlgorithm; import org.keycloak.crypto.JavaAlgorithm;
import java.io.ByteArrayInputStream; import java.io.ByteArrayInputStream;
@ -132,7 +133,16 @@ public class BCFIPSCertificateUtilsProvider implements CertificateUtilsProvider{
certGen.addExtension(Extension.basicConstraints, true, new BasicConstraints(0)); certGen.addExtension(Extension.basicConstraints, true, new BasicConstraints(0));
// Content Signer // Content Signer
ContentSigner sigGen = new JcaContentSignerBuilder("SHA1WithRSAEncryption").setProvider(BouncyIntegration.PROVIDER).build(caPrivateKey); ContentSigner sigGen;
switch (caPrivateKey.getAlgorithm()){
case "EC":
sigGen = new JcaContentSignerBuilder("SHA256WithECDSA").setProvider(BouncyIntegration.PROVIDER)
.build(caPrivateKey);
break;
default:
sigGen = new JcaContentSignerBuilder("SHA256WithRSAEncryption").setProvider(BouncyIntegration.PROVIDER)
.build(caPrivateKey);
}
// Certificate // Certificate
return new JcaX509CertificateConverter().setProvider(BouncyIntegration.PROVIDER).getCertificate(certGen.build(sigGen)); return new JcaX509CertificateConverter().setProvider(BouncyIntegration.PROVIDER).getCertificate(certGen.build(sigGen));