Respecting key use of EC keys in JWKS

2023-04-04 00:06:25 +02:00 · 2023-04-04 00:06:25 +02:00 · 9f15cf432b
commit 9f15cf432b
parent 480b4d62bd
2 changed files with 8 additions and 4 deletions
--- a/core/src/main/java/org/keycloak/jose/jwk/JWKBuilder.java
+++ b/core/src/main/java/org/keycloak/jose/jwk/JWKBuilder.java
@ -39,7 +39,7 @@ import static org.keycloak.jose.jwk.JWKUtil.toIntegerBytes;
 */
 public class JWKBuilder {

-    public static final String DEFAULT_PUBLIC_KEY_USE = "sig";
+    public static final KeyUse DEFAULT_PUBLIC_KEY_USE = KeyUse.SIG;

    private String kid;

@ -105,13 +105,17 @@ public class JWKBuilder {

    public JWK rsa(Key key, KeyUse keyUse) {
        JWK k = rsa(key);
-        String keyUseString = keyUse == null ? DEFAULT_PUBLIC_KEY_USE : keyUse.getSpecName();
+        String keyUseString = keyUse == null ? DEFAULT_PUBLIC_KEY_USE.getSpecName() : keyUse.getSpecName();
        if (KeyUse.ENC == keyUse) keyUseString = "enc";
        k.setPublicKeyUse(keyUseString);
        return k;
    }

    public JWK ec(Key key) {
+        return ec(key, DEFAULT_PUBLIC_KEY_USE);
+    }
+
+    public JWK ec(Key key, KeyUse keyUse) {
        ECPublicKey ecKey = (ECPublicKey) key;

        ECPublicJWK k = new ECPublicJWK();
@ -122,7 +126,7 @@ public class JWKBuilder {
        k.setKeyId(kid);
        k.setKeyType(KeyType.EC);
        k.setAlgorithm(algorithm);
-        k.setPublicKeyUse(DEFAULT_PUBLIC_KEY_USE);
+        k.setPublicKeyUse(keyUse == null ? DEFAULT_PUBLIC_KEY_USE.getSpecName() : keyUse.getSpecName());
        k.setCrv("P-" + fieldSize);
        k.setX(Base64Url.encode(toIntegerBytes(ecKey.getW().getAffineX(), fieldSize)));
        k.setY(Base64Url.encode(toIntegerBytes(ecKey.getW().getAffineY(), fieldSize)));
--- a/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocolService.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocolService.java
@ -219,7 +219,7 @@ public class OIDCLoginProtocolService {
                    if (k.getType().equals(KeyType.RSA)) {
                        return b.rsa(k.getPublicKey(), certificates, k.getUse());
                    } else if (k.getType().equals(KeyType.EC)) {
-                        return b.ec(k.getPublicKey());
+                        return b.ec(k.getPublicKey(), k.getUse());
                    }
                    return null;
                })