diff --git a/services/src/main/java/org/keycloak/utils/CRLUtils.java b/services/src/main/java/org/keycloak/utils/CRLUtils.java
index cded47fc3a..862b0d1549 100644
--- a/services/src/main/java/org/keycloak/utils/CRLUtils.java
+++ b/services/src/main/java/org/keycloak/utils/CRLUtils.java
@@ -118,8 +118,9 @@ public final class CRLUtils {
         X509Certificate currentCRLAnchorCertificate = crlSignatureCertificate;
         X500Principal currentCRLAnchorPrincipal = crlIssuerPrincipal;
-        while (true) {
-            if (certificateCAPrincipals.contains(currentCRLAnchorPrincipal)) {
+
+        for (X500Principal certificateCAPrincipal : certificateCAPrincipals) {
+            if (certificateCAPrincipal.equals(currentCRLAnchorPrincipal)) {
                 log.tracef("Found trust anchor of the CRL issuer '%s' in the CA chain. Anchor is '%s'", crlIssuerPrincipal, currentCRLAnchorPrincipal);
                 break;
             }
diff --git a/testsuite/integration-arquillian/servers/auth-server/common/fips/keycloak-fips.keystore.bcfks b/testsuite/integration-arquillian/servers/auth-server/common/fips/keycloak-fips.keystore.bcfks
index 8986206409..5fb48629fe 100644
Binary files a/testsuite/integration-arquillian/servers/auth-server/common/fips/keycloak-fips.keystore.bcfks and b/testsuite/integration-arquillian/servers/auth-server/common/fips/keycloak-fips.keystore.bcfks differ
diff --git a/testsuite/integration-arquillian/servers/auth-server/common/fips/keycloak-fips.truststore.bcfks b/testsuite/integration-arquillian/servers/auth-server/common/fips/keycloak-fips.truststore.bcfks
index b6914e5547..63fcbe82a3 100644
Binary files a/testsuite/integration-arquillian/servers/auth-server/common/fips/keycloak-fips.truststore.bcfks and b/testsuite/integration-arquillian/servers/auth-server/common/fips/keycloak-fips.truststore.bcfks differ
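Review bot: The loop now terminates when `certificateCAPrincipals` is exhausted instead of when a trust anchor is found, so whatever follows the `if` (the loop body, like the enclosing method, continues outside the hunk) runs at most once per CA principal, and a CRL issuer that never matches simply falls out of the loop without reaching the `break`. Unless code below the hunk still rejects that case, a CRL whose issuer is not anchored in the certificate's CA chain would be treated as verified, which is the check this loop exists to enforce. I would make the outcome explicit: `boolean anchorFound = false;` before the loop, `anchorFound = true;` next to the `break`, and after the loop `if (!anchorFound) { throw new <EXCEPTION_TYPE_THE_METHOD_ALREADY_THROWS>("CRL issuer '" + crlIssuerPrincipal + "' is not anchored in the certificate CA chain"); }`. Note that `X500Principal.equals` is the same comparison `contains` performed on the collection, so the behavioral change in this hunk is the loop bound, not the match test; if the original `while (true)` was replaced to avoid a non-terminating walk, a bounded loop plus the explicit post-loop check keeps both properties.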
diff --git a/testsuite/integration-arquillian/servers/auth-server/common/fips/keycloak-fips.truststore.pkcs12 b/testsuite/integration-arquillian/servers/auth-server/common/fips/keycloak-fips.truststore.pkcs12
index 82c9ee5b28..ef831e2116 100644
Binary files a/testsuite/integration-arquillian/servers/auth-server/common/fips/keycloak-fips.truststore.pkcs12 and b/testsuite/integration-arquillian/servers/auth-server/common/fips/keycloak-fips.truststore.pkcs12 differ
diff --git a/testsuite/integration-arquillian/servers/auth-server/common/keystore/invalid.crl b/testsuite/integration-arquillian/servers/auth-server/common/keystore/invalid.crl
new file mode 100644
index 0000000000..14e0b23655
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/auth-server/common/keystore/invalid.crl
@@ -0,0 +1,18 @@
+-----BEGIN X509 CRL-----
+MIIC5DCBzQIBATANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzELMAkGA1UE
+CAwCVVMxETAPBgNVBAoMCEFjbWUgTHRkMQ0wCwYDVQQLDARBY21lMQ0wCwYDVQQD
+DARBY21lMRwwGgYJKoZIhvcNAQkBFg1hY21lQGFjbWUub3JnFw0yMzA2MDYxMzAx
+MTJaFw0yMzA3MDYxMzAxMTJaoDAwLjAfBgNVHSMEGDAWgBQ8WSQPg23WvN49G2fQ
+X7D4ta8Z7DALBgNVHRQEBAICEAAwDQYJKoZIhvcNAQELBQADggIBAAkiYmLNfGkj
+iM0CyduWsYoMH1JeZcYYIxTBvRn8w9VSRRtgqS81IrFA9c2wnK2z9kl6wk+qHp4o
+keahJgXKWEH+uO3Eg9q+cFQR8ixf9s7nYFJJ62WO/7YQp1yhDzpSF6txJ8kxvfpP
+YSeeYYy7JBKmH20Iks0fjCoQNOefTj7ZQD74LVwDcsLD0YNpNh7fAtAIpuGXO/ab
+y0v/bDwXAOXWmKBk4g8uWYrxnGGGyMeW6tw6pch9bZ0lome/1kFb+ysDzVMw217J
+XMbsQEqDj/OVq7Qt1St0HjOxeZIFVKu+D/40PJyDohxfh1q5ldMVYeW4LhsXxkBN
+8lomXApPCZVGQBVwwYl1uPjqlCRB/9joMSUbnY6djchqRT3CPYygudiRO4uvMtXg
+19GK4qHSix9hpi2NvsFdCn56MX/qLXYzZp9yzTAzEiz3ief66+u12uYlDC7+IJYa
+SfbUBcPFZdauqykl4MoiZ4rpyBP6vaRDVocHjIUYZ83dYtF33czh4dzOCDqx5MXa
+jsI4ck0rJXx891Vx+ecZWF2XWr1ubW7LzHgrswc80hAJ0ZcJVDVDi9JFsZf7rgdU
+6pqjlz2u8qFiXhnzZ+cPM5VkosXnQYgiOLyhPVIxqlbL4sYelEQ5m7UIOlw/HOvm
+UWF048Tt2totAF+jQqKJWcfAmK3V00IM
+-----END X509 CRL-----
diff --git a/testsuite/integration-arquillian/servers/auth-server/common/keystore/keycloak.truststore b/testsuite/integration-arquillian/servers/auth-server/common/keystore/keycloak.truststore
index dc1610b14e..2c8fdd7093 100644
Binary files a/testsuite/integration-arquillian/servers/auth-server/common/keystore/keycloak.truststore and b/testsuite/integration-arquillian/servers/auth-server/common/keystore/keycloak.truststore differ
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/AbstractX509AuthenticationTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/AbstractX509AuthenticationTest.java
index 7ce26358b5..c9a70337a7 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/AbstractX509AuthenticationTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/AbstractX509AuthenticationTest.java
@@ -93,6 +93,7 @@ public abstract class AbstractX509AuthenticationTest extends AbstractTestRealmKe
     public static final String INTERMEDIATE_CA_CRL_PATH = "intermediate-ca.crl";
     public static final String INTERMEDIATE_CA_INVALID_SIGNATURE_CRL_PATH = "intermediate-ca-invalid-signature.crl";
     public static final String INTERMEDIATE_CA_3_CRL_PATH = "intermediate-ca-3.crl";
+    public static final String INVALID_CRL_PATH = "invalid.crl";
     protected final Logger log = Logger.getLogger(this.getClass());
     static final String REQUIRED = "REQUIRED";
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/CRLRule.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/CRLRule.java
index a6352dbf48..0b086e5597 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/CRLRule.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/CRLRule.java
@@ -60,6 +60,7 @@ public class CRLRule extends ExternalResource {
         pathHandler.addExactPath(AbstractX509AuthenticationTest.INTERMEDIATE_CA_CRL_PATH, new CRLHandler(AbstractX509AuthenticationTest.INTERMEDIATE_CA_CRL_PATH));
         pathHandler.addExactPath(AbstractX509AuthenticationTest.INTERMEDIATE_CA_INVALID_SIGNATURE_CRL_PATH, new CRLHandler(AbstractX509AuthenticationTest.INTERMEDIATE_CA_INVALID_SIGNATURE_CRL_PATH));
         pathHandler.addExactPath(AbstractX509AuthenticationTest.INTERMEDIATE_CA_3_CRL_PATH, new CRLHandler(AbstractX509AuthenticationTest.INTERMEDIATE_CA_3_CRL_PATH));
+        pathHandler.addExactPath(AbstractX509AuthenticationTest.INVALID_CRL_PATH, new CRLHandler(AbstractX509AuthenticationTest.INVALID_CRL_PATH));
         crlResponder = Undertow.builder().addHttpListener(CRL_RESPONDER_PORT, CRL_RESPONDER_HOST)
                 .setHandler(
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/X509BrowserCRLTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/X509BrowserCRLTest.java
index 7b7b58a923..ca456b3cb2 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/X509BrowserCRLTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/X509BrowserCRLTest.java
@@ -174,6 +174,21 @@ public class X509BrowserCRLTest extends AbstractX509AuthenticationTest {
         assertLoginFailedDueRevokedCertificate();
     }

+    @Test
+    public void loginWithMultipleRevocationListsUsingInvalidCert() {
+        X509AuthenticatorConfigModel config =
+                new X509AuthenticatorConfigModel()
+                        .setCRLEnabled(true)
+                        .setCRLRelativePath(CRLRule.CRL_RESPONDER_ORIGIN + "/" + INVALID_CRL_PATH)
+                        .setConfirmationPageAllowed(true)
+                        .setMappingSourceType(SUBJECTDN_EMAIL)
+                        .setUserIdentityMapperType(USERNAME_EMAIL);
+        AuthenticatorConfigRepresentation cfg = newConfig("x509-browser-config", config.getConfig());
+        String cfgId = createConfig(browserExecution.getId(), cfg);
+        Assert.assertNotNull(cfgId);
+
+        x509BrowserLogin(config, userId, "test-user@localhost", "test-user@localhost");
+    }

     @Test
     public void loginFailedWithRevocationListFromDistributionPoints() {
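Review bot: The new test's name, `loginWithMultipleRevocationListsUsingInvalidCert`, does not describe what it sets up: a single CRL (`INVALID_CRL_PATH`) and a login with the ordinary test user certificate that is expected to succeed. Because the only observable assertion is the successful `x509BrowserLogin`, the test also passes if revocation checking is skipped entirely, so the intent should at least be stated in a Javadoc, e.g. `/** A CRL that the client certificate chain is not anchored to (invalid.crl appears to be issued by an unrelated CA) is ignored rather than failing the login. */`, with a name such as `loginSucceedsWhenCRLIssuerIsNotInCertificateChain`. If `CRLRule` can report that `invalid.crl` was actually requested from the responder, asserting that after the login would turn the test into evidence that the CRL was fetched and skipped rather than never consulted; the existing negative test `loginFailedWithRevocationListFromDistributionPoints` below is the natural counterpart to keep both directions covered.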