Support certificate creation for EC keys (#31817)
fixes #31816 Signed-off-by: Captain-P-Goldfish <captain.p.goldfish@gmx.de>
This commit is contained in:
parent
f537343545
commit
4a15e1c2b0
4 changed files with 62 additions and 24 deletions
|
@ -42,7 +42,6 @@ import java.security.Signature;
|
|||
import java.security.cert.X509Certificate;
|
||||
import java.security.interfaces.ECPublicKey;
|
||||
import java.security.spec.ECGenParameterSpec;
|
||||
import java.security.spec.ECPoint;
|
||||
|
||||
import static org.junit.Assert.assertArrayEquals;
|
||||
import static org.junit.Assert.assertEquals;
|
||||
|
@ -50,6 +49,7 @@ import static org.junit.Assert.assertNotNull;
|
|||
import static org.junit.Assert.assertTrue;
|
||||
import static org.junit.Assert.fail;
|
||||
import static org.keycloak.common.util.CertificateUtils.generateV1SelfSignedCertificate;
|
||||
import static org.keycloak.common.util.CertificateUtils.generateV3Certificate;
|
||||
|
||||
/**
|
||||
* This is not tested in keycloak-core. The subclasses should be created in the crypto modules to make sure it is tested with corresponding modules (bouncycastle VS bouncycastle-fips)
|
||||
|
@ -143,6 +143,11 @@ public abstract class JWKTest {
|
|||
ECGenParameterSpec ecSpec = new ECGenParameterSpec(algorithm);
|
||||
keyGen.initialize(ecSpec, randomGen);
|
||||
KeyPair keyPair = keyGen.generateKeyPair();
|
||||
KeyPair keyPair2 = keyGen.generateKeyPair();
|
||||
X509Certificate certificate = generateV1SelfSignedCertificate(keyPair, "root");
|
||||
X509Certificate certificate2 = generateV3Certificate(keyPair2, keyPair.getPrivate(), certificate, "child");
|
||||
certificate.verify(keyPair.getPublic());
|
||||
certificate2.verify(keyPair.getPublic());
|
||||
|
||||
ECPublicKey publicKey = (ECPublicKey) keyPair.getPublic();
|
||||
|
||||
|
|
|
@ -130,7 +130,17 @@ public class BCCertificateUtilsProvider implements CertificateUtilsProvider {
|
|||
certGen.addExtension(Extension.basicConstraints, true, new BasicConstraints(0));
|
||||
|
||||
// Content Signer
|
||||
ContentSigner sigGen = new JcaContentSignerBuilder("SHA1WithRSAEncryption").setProvider(BouncyIntegration.PROVIDER).build(caPrivateKey);
|
||||
ContentSigner sigGen;
|
||||
switch (keyPair.getPublic().getAlgorithm())
|
||||
{
|
||||
case "EC":
|
||||
sigGen = new JcaContentSignerBuilder("SHA256WithECDSA").setProvider(BouncyIntegration.PROVIDER)
|
||||
.build(caPrivateKey);
|
||||
break;
|
||||
default:
|
||||
sigGen = new JcaContentSignerBuilder("SHA256WithRSAEncryption").setProvider(BouncyIntegration.PROVIDER)
|
||||
.build(caPrivateKey);
|
||||
}
|
||||
|
||||
// Certificate
|
||||
return new JcaX509CertificateConverter().setProvider(BouncyIntegration.PROVIDER).getCertificate(certGen.build(sigGen));
|
||||
|
@ -185,6 +195,7 @@ public class BCCertificateUtilsProvider implements CertificateUtilsProvider {
|
|||
.setProvider(BouncyIntegration.PROVIDER);
|
||||
break;
|
||||
}
|
||||
case "EC":
|
||||
case "ECDSA": {
|
||||
signerBuilder = new JcaContentSignerBuilder("SHA256WithECDSA")
|
||||
.setProvider(BouncyIntegration.PROVIDER);
|
||||
|
|
|
@ -112,8 +112,6 @@ public class ElytronCertificateUtilsProvider implements CertificateUtilsProvider
|
|||
|
||||
.setSerialNumber(serialNumber)
|
||||
|
||||
.setSignatureAlgorithmName("SHA256withRSA")
|
||||
|
||||
.setSigningKey(caPrivateKey)
|
||||
|
||||
// Subject Key Identifier Extension
|
||||
|
@ -135,6 +133,14 @@ public class ElytronCertificateUtilsProvider implements CertificateUtilsProvider
|
|||
// Basic Constraints
|
||||
.addExtension(new BasicConstraintsExtension(true, true, 0));
|
||||
|
||||
switch (caPrivateKey.getAlgorithm()){
|
||||
case "EC":
|
||||
cbuilder.setSignatureAlgorithmName("SHA256withECDSA");
|
||||
break;
|
||||
default:
|
||||
cbuilder.setSignatureAlgorithmName("SHA256withRSA");
|
||||
}
|
||||
|
||||
return cbuilder.build();
|
||||
|
||||
} catch (Exception e) {
|
||||
|
@ -182,9 +188,15 @@ public class ElytronCertificateUtilsProvider implements CertificateUtilsProvider
|
|||
.setSigningKey(caKeyPair.getPrivate())
|
||||
.setPublicKey(caKeyPair.getPublic())
|
||||
|
||||
.setSerialNumber(serialNumber)
|
||||
.setSerialNumber(serialNumber);
|
||||
|
||||
.setSignatureAlgorithmName("SHA256withRSA");
|
||||
switch (caKeyPair.getPrivate().getAlgorithm()){
|
||||
case "EC":
|
||||
cbuilder.setSignatureAlgorithmName("SHA256withECDSA");
|
||||
break;
|
||||
default:
|
||||
cbuilder.setSignatureAlgorithmName("SHA256withRSA");
|
||||
}
|
||||
|
||||
return cbuilder.build();
|
||||
|
||||
|
|
|
@ -49,6 +49,7 @@ import org.bouncycastle.operator.OperatorCreationException;
|
|||
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
|
||||
import org.keycloak.common.util.BouncyIntegration;
|
||||
import org.keycloak.common.crypto.CertificateUtilsProvider;
|
||||
import org.keycloak.crypto.Algorithm;
|
||||
import org.keycloak.crypto.JavaAlgorithm;
|
||||
|
||||
import java.io.ByteArrayInputStream;
|
||||
|
@ -132,7 +133,16 @@ public class BCFIPSCertificateUtilsProvider implements CertificateUtilsProvider{
|
|||
certGen.addExtension(Extension.basicConstraints, true, new BasicConstraints(0));
|
||||
|
||||
// Content Signer
|
||||
ContentSigner sigGen = new JcaContentSignerBuilder("SHA1WithRSAEncryption").setProvider(BouncyIntegration.PROVIDER).build(caPrivateKey);
|
||||
ContentSigner sigGen;
|
||||
switch (caPrivateKey.getAlgorithm()){
|
||||
case "EC":
|
||||
sigGen = new JcaContentSignerBuilder("SHA256WithECDSA").setProvider(BouncyIntegration.PROVIDER)
|
||||
.build(caPrivateKey);
|
||||
break;
|
||||
default:
|
||||
sigGen = new JcaContentSignerBuilder("SHA256WithRSAEncryption").setProvider(BouncyIntegration.PROVIDER)
|
||||
.build(caPrivateKey);
|
||||
}
|
||||
|
||||
// Certificate
|
||||
return new JcaX509CertificateConverter().setProvider(BouncyIntegration.PROVIDER).getCertificate(certGen.build(sigGen));
|
||||
|
|
Loading…
Reference in a new issue