KEYCLOAK-4250 Include certificates without name for validation

Nameless certificates are now included for signature validation
in the SAML adapter when the certificate is downloaded from
metadataUrl.
Hynek Mlnarik 2021-01-11 18:00:19 +01:00 committed by Hynek Mlnařík
parent 91a51c2dbe
commit acfea8ecd2


@ -37,6 +37,8 @@ import org.keycloak.dom.saml.v2.metadata.KeyTypes;
import org.keycloak.rotation.KeyLocator;
import org.keycloak.saml.processing.api.util.KeyInfoTools;
import java.security.cert.CertificateException;
import java.util.UUID;
import javax.security.auth.x500.X500Principal;
/**
* This class defines a {@link KeyLocator} that looks up public keys and certificates in IdP's
@ -148,18 +150,25 @@ public class SamlDescriptorPublicKeyLocator implements KeyLocator, Iterable<Publ
for (KeyInfo ki : signingCerts) {
KeyName keyName = KeyInfoTools.getKeyName(ki);
X509Certificate x509certificate = KeyInfoTools.getX509Certificate(ki);
if (x509certificate == null) {
continue;
}
try {
x509certificate.checkValidity();
} catch (CertificateException ex) {
x509certificate = null;
continue;
}
if (x509certificate != null && keyName != null) {
if (keyName != null) {
LOG.tracef("Registering signing certificate %s", keyName.getName());
this.publicKeyCache.put(keyName.getName(), x509certificate.getPublicKey());
} else {
LOG.tracef("Ignoring certificate %s: %s", keyName, x509certificate);
final X500Principal principal = x509certificate.getSubjectX500Principal();
String name = (principal == null ? "unnamed" : principal.getName())
+ "@" + x509certificate.getSerialNumber() + "$" + UUID.randomUUID();
this.publicKeyCache.put(name, x509certificate.getPublicKey());
LOG.tracef("Adding certificate %s without a specific key name: %s", name, x509certificate);
}
}
return (kid == null ? null : this.publicKeyCache.get(kid));
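Review bot: The cache key built for a nameless certificate in the new else branch (subject + "@" + serial + "$" + UUID.randomUUID()) is different on every pass through this loop, so unless publicKeyCache is cleared before the loop runs — its lifecycle is not visible in this hunk — every metadata refresh adds a fresh entry for the same certificate and the earlier entries are never removed, even once that certificate has expired, because checkValidity() is only applied at insertion time. That is both unbounded growth of the cache and a stale-trust concern, since a public key stays accepted for signature validation for as long as its old entry survives. If the cache is reset on reload this is fine, but the dependency deserves a comment next to the put, e.g. `// key is unique per load; relies on publicKeyCache being cleared before repopulation`. Separately, the `x509certificate = null;` immediately before `continue` in the catch block is a dead store and can be dropped. The enclosing method starts and ends outside the hunk.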