Respecting key use of EC keys in JWKS

This commit is contained in:
alwibrm 2023-04-04 00:06:25 +02:00 committed by GitHub
parent 480b4d62bd
commit 9f15cf432b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 8 additions and 4 deletions


@ -39,7 +39,7 @@ import static org.keycloak.jose.jwk.JWKUtil.toIntegerBytes;
*/ */
public class JWKBuilder { public class JWKBuilder {
public static final String DEFAULT_PUBLIC_KEY_USE = "sig"; public static final KeyUse DEFAULT_PUBLIC_KEY_USE = KeyUse.SIG;
private String kid; private String kid;
@ -105,13 +105,17 @@ public class JWKBuilder {
public JWK rsa(Key key, KeyUse keyUse) { public JWK rsa(Key key, KeyUse keyUse) {
JWK k = rsa(key); JWK k = rsa(key);
String keyUseString = keyUse == null ? DEFAULT_PUBLIC_KEY_USE : keyUse.getSpecName(); String keyUseString = keyUse == null ? DEFAULT_PUBLIC_KEY_USE.getSpecName() : keyUse.getSpecName();
if (KeyUse.ENC == keyUse) keyUseString = "enc"; if (KeyUse.ENC == keyUse) keyUseString = "enc";
k.setPublicKeyUse(keyUseString); k.setPublicKeyUse(keyUseString);
return k; return k;
} }
public JWK ec(Key key) { public JWK ec(Key key) {
return ec(key, DEFAULT_PUBLIC_KEY_USE);
}
public JWK ec(Key key, KeyUse keyUse) {
ECPublicKey ecKey = (ECPublicKey) key; ECPublicKey ecKey = (ECPublicKey) key;
ECPublicJWK k = new ECPublicJWK(); ECPublicJWK k = new ECPublicJWK();
@ -122,7 +126,7 @@ public class JWKBuilder {
k.setKeyId(kid); k.setKeyId(kid);
k.setKeyType(KeyType.EC); k.setKeyType(KeyType.EC);
k.setAlgorithm(algorithm); k.setAlgorithm(algorithm);
k.setPublicKeyUse(DEFAULT_PUBLIC_KEY_USE); k.setPublicKeyUse(keyUse == null ? DEFAULT_PUBLIC_KEY_USE.getSpecName() : keyUse.getSpecName());
k.setCrv("P-" + fieldSize); k.setCrv("P-" + fieldSize);
k.setX(Base64Url.encode(toIntegerBytes(ecKey.getW().getAffineX(), fieldSize))); k.setX(Base64Url.encode(toIntegerBytes(ecKey.getW().getAffineX(), fieldSize)));
k.setY(Base64Url.encode(toIntegerBytes(ecKey.getW().getAffineY(), fieldSize))); k.setY(Base64Url.encode(toIntegerBytes(ecKey.getW().getAffineY(), fieldSize)));
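Review bot: The new `ec(Key, KeyUse)` resolves the `use` value with an inline ternary that duplicates the one in `rsa(Key, KeyUse)` a few lines up, and `rsa` additionally forces `"enc"` for `KeyUse.ENC` after calling `getSpecName()` while `ec` does not; unless `KeyUse.ENC.getSpecName()` already returns `"enc"` (not visible in this hunk), the two builders will publish different `use` strings for the same encryption key. Relying parties select keys from the JWKS by `use`, so both paths should share one resolver, e.g. `private static String publicKeyUse(KeyUse keyUse) { return keyUse == null ? DEFAULT_PUBLIC_KEY_USE.getSpecName() : keyUse.getSpecName(); }` and `k.setPublicKeyUse(publicKeyUse(keyUse));` in both methods. The new single-argument `ec(Key)` overload also deserves a one-line Javadoc such as `/** Builds an EC JWK advertised with the default "sig" use; pass the real use for ECDH encryption keys. */`, because a caller that routes an encryption key through it silently publishes it as a verification key. The body of `ec(Key, KeyUse)` continues past the end of this hunk.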


@ -219,7 +219,7 @@ public class OIDCLoginProtocolService {
if (k.getType().equals(KeyType.RSA)) { if (k.getType().equals(KeyType.RSA)) {
return b.rsa(k.getPublicKey(), certificates, k.getUse()); return b.rsa(k.getPublicKey(), certificates, k.getUse());
} else if (k.getType().equals(KeyType.EC)) { } else if (k.getType().equals(KeyType.EC)) {
return b.ec(k.getPublicKey()); return b.ec(k.getPublicKey(), k.getUse());
} }
return null; return null;
}) })
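Review bot: The EC branch now forwards `k.getUse()`, but a `null` use is turned into `"sig"` by `JWKBuilder` rather than being left out of the published JWK, so any EC key stored without an explicit use will be advertised to relying parties as a verification key; if such keys can exist in a realm, that is worth a deliberate decision rather than an implicit default. Note also that, unlike the RSA branch, the EC branch does not pass `certificates`, so EC keys are published from this call without a certificate chain. A short comment at the call site would make both contracts visible: `// null use falls back to the builder default ("sig"); EC keys are published without x5c`. The enclosing lambda and the stream it belongs to start before this hunk.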