Harmonize behaviour of different CertificateUtilsProvider implementations

Signed-off-by: coursar <coursar@gmail.com>
This commit is contained in:
coursar 2024-02-28 01:19:14 +03:00 committed by Marek Posolda
parent 2bd9f09e29
commit 4a357223b3
3 changed files with 13 additions and 32 deletions


@ -29,7 +29,6 @@ import java.time.DateTimeException;
import java.time.ZoneId;
import java.time.ZonedDateTime;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Calendar;
import java.util.Collections;
import java.util.Date;
@ -61,7 +60,7 @@ import org.wildfly.security.x500.cert.util.KeyUtil;
*
* @author <a href="mailto:david.anderson@redhat.com">David Anderson</a>
*/
public class ElytronCertificateUtils implements CertificateUtilsProvider {
public class ElytronCertificateUtilsProvider implements CertificateUtilsProvider {
Logger log = Logger.getLogger(getClass());
@ -84,10 +83,7 @@ public class ElytronCertificateUtils implements CertificateUtilsProvider {
try {
X500Principal subjectdn = subjectToX500Principle(subject);
X500Principal issuerdn = subjectdn;
if (caCert != null) {
issuerdn = caCert.getSubjectX500Principal();
}
X500Principal issuerdn = caCert.getSubjectX500Principal();
// Validity
ZonedDateTime notBefore = ZonedDateTime.ofInstant(new Date(System.currentTimeMillis()).toInstant(),
@ -105,22 +101,6 @@ public class ElytronCertificateUtils implements CertificateUtilsProvider {
ekuList.add(X500.OID_KP_EMAIL_PROTECTION);
ekuList.add(X500.OID_KP_SERVER_AUTH);
// Authority Key Identifier
AuthorityKeyIdentifierExtension authorityKeyIdentifierExtension;
if (caCert != null) {
authorityKeyIdentifierExtension = new AuthorityKeyIdentifierExtension(
KeyUtil.getKeyIdentifier(caCert.getPublicKey()),
Collections.singletonList(new GeneralName.DirectoryName(caCert.getIssuerX500Principal().getName())),
caCert.getSerialNumber()
);
} else {
authorityKeyIdentifierExtension = new AuthorityKeyIdentifierExtension(
KeyUtil.getKeyIdentifier(keyPair.getPublic()),
Collections.singletonList(new GeneralName.DirectoryName(issuerdn.getName())),
serialNumber
);
}
X509CertificateBuilder cbuilder = new X509CertificateBuilder()
.setSubjectDn(subjectdn)
.setIssuerDn(issuerdn)
@ -140,7 +120,11 @@ public class ElytronCertificateUtils implements CertificateUtilsProvider {
.addExtension(new SubjectKeyIdentifierExtension(KeyUtil.getKeyIdentifier(keyPair.getPublic())))
// Authority Key Identifier
.addExtension(authorityKeyIdentifierExtension)
.addExtension(new AuthorityKeyIdentifierExtension(
KeyUtil.getKeyIdentifier(caCert.getPublicKey()),
Collections.singletonList(new GeneralName.DirectoryName(caCert.getIssuerX500Principal().getName())),
caCert.getSerialNumber()
))
// Key Usage
.addExtension(
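Review bot: With the `caCert != null` branches gone, a null `caCert` now fails with an unexplained NullPointerException at `caCert.getSubjectX500Principal()` rather than producing a self-signed certificate as before, and nothing in the hunk states that the parameter became mandatory. If dropping the self-signed path is the intended harmonization with the other provider, make the contract explicit at the top of the method: `Objects.requireNonNull(caCert, "caCert is required; this provider does not issue self-signed certificates");` (this needs `java.util.Objects` in the import block, which is outside the hunk) and add the same sentence to the method's Javadoc. Note that the dereference sits inside the `try` block whose `catch` is outside the hunk; if that catch is broad, the NPE would presumably be wrapped in a generic "certificate generation failed" error that hides the real cause, so the explicit check is also what keeps the failure diagnosable. The method's signature and the end of its body lie outside this hunk.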


@ -34,7 +34,6 @@ import java.security.spec.ECGenParameterSpec;
import java.security.spec.ECParameterSpec;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Supplier;
import javax.crypto.Cipher;
import javax.crypto.NoSuchPaddingException;
@ -77,7 +76,7 @@ public class WildFlyElytronProvider implements CryptoProvider {
@Override
public CertificateUtilsProvider getCertificateUtils() {
return new ElytronCertificateUtils();
return new ElytronCertificateUtilsProvider();
}
@Override


@ -27,14 +27,12 @@ import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import javax.security.auth.x500.X500Principal;
import org.junit.Test;
import org.keycloak.common.util.PemUtils;
import org.keycloak.crypto.elytron.ElytronCertificateUtils;
import org.keycloak.crypto.elytron.ElytronCertificateUtilsProvider;
import org.wildfly.security.x500.GeneralName;
import org.wildfly.security.x500.cert.CRLDistributionPoint;
import org.wildfly.security.x500.cert.CRLDistributionPoint.DistributionPointName;
@ -55,7 +53,7 @@ public class CRLDistributionPointTest {
expect.add("http://crl0.test0.com");
ElytronCertificateUtils bcutil = new ElytronCertificateUtils();
ElytronCertificateUtilsProvider bcutil = new ElytronCertificateUtilsProvider();
List<String> crldp = bcutil.getCRLDistributionPoints(cert);
assertArrayEquals(expect.toArray(), crldp.toArray());
@ -70,7 +68,7 @@ public class CRLDistributionPointTest {
expect.add("http://crl0.test0.com");
expect.add("http://crl0.test1.com");
ElytronCertificateUtils bcutil = new ElytronCertificateUtils();
ElytronCertificateUtilsProvider bcutil = new ElytronCertificateUtilsProvider();
List<String> crldp = bcutil.getCRLDistributionPoints(cert);
assertArrayEquals(expect.toArray(), crldp.toArray());
@ -87,7 +85,7 @@ public class CRLDistributionPointTest {
expect.add("http://crl1.test0.com");
expect.add("http://crl1.test1.com");
ElytronCertificateUtils bcutil = new ElytronCertificateUtils();
ElytronCertificateUtilsProvider bcutil = new ElytronCertificateUtilsProvider();
List<String> crldp = bcutil.getCRLDistributionPoints(cert);
assertArrayEquals(expect.toArray(), crldp.toArray());
@ -101,7 +99,7 @@ public class CRLDistributionPointTest {
expect.add("http://localhost:8889/empty.crl");
expect.add("http://localhost:8889/intermediate-ca.crl");
ElytronCertificateUtils bcutil = new ElytronCertificateUtils();
ElytronCertificateUtilsProvider bcutil = new ElytronCertificateUtilsProvider();
List<String> crldp = bcutil.getCRLDistributionPoints(cert);
assertArrayEquals(expect.toArray(), crldp.toArray());