libre.sh/keycloak-scim
4
0
Fork 0
Code Issues 15 Pull requests Releases 1 Activity Actions

Avoid iterating indefinetly when checking CRLs

Browse source 
Closes #20725
This commit is contained in:
Pedro Igor 2023-06-06 10:21:46 -03:00 committed by Marek Posolda
parent c1e96564dc
commit af975d20f1
9 changed files with 38 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
services/src/main/java/org/keycloak/utils/CRLUtils.java
View file

@ -118,8 +118,9 @@ public final class CRLUtils {
X509Certificate currentCRLAnchorCertificate = crlSignatureCertificate; X509Certificate currentCRLAnchorCertificate = crlSignatureCertificate;
X500Principal currentCRLAnchorPrincipal = crlIssuerPrincipal; X500Principal currentCRLAnchorPrincipal = crlIssuerPrincipal;
while (true) {
if (certificateCAPrincipals.contains(currentCRLAnchorPrincipal)) { for (X500Principal certificateCAPrincipal : certificateCAPrincipals) {
if (certificateCAPrincipal.equals(currentCRLAnchorPrincipal)) {
log.tracef("Found trust anchor of the CRL issuer '%s' in the CA chain. Anchor is '%s'", crlIssuerPrincipal, currentCRLAnchorPrincipal); log.tracef("Found trust anchor of the CRL issuer '%s' in the CA chain. Anchor is '%s'", crlIssuerPrincipal, currentCRLAnchorPrincipal);
break; break;
} }

BIN
testsuite/integration-arquillian/servers/auth-server/common/fips/keycloak-fips.keystore.bcfks
View file

Binary file not shown.

BIN
testsuite/integration-arquillian/servers/auth-server/common/fips/keycloak-fips.truststore.bcfks
View file

Binary file not shown.

BIN
testsuite/integration-arquillian/servers/auth-server/common/fips/keycloak-fips.truststore.pkcs12
View file

Binary file not shown.

18
testsuite/integration-arquillian/servers/auth-server/common/keystore/invalid.crl Normal file
View file

@ -0,0 +1,18 @@
-----BEGIN X509 CRL-----
MIIC5DCBzQIBATANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzELMAkGA1UE
CAwCVVMxETAPBgNVBAoMCEFjbWUgTHRkMQ0wCwYDVQQLDARBY21lMQ0wCwYDVQQD
DARBY21lMRwwGgYJKoZIhvcNAQkBFg1hY21lQGFjbWUub3JnFw0yMzA2MDYxMzAx
MTJaFw0yMzA3MDYxMzAxMTJaoDAwLjAfBgNVHSMEGDAWgBQ8WSQPg23WvN49G2fQ
X7D4ta8Z7DALBgNVHRQEBAICEAAwDQYJKoZIhvcNAQELBQADggIBAAkiYmLNfGkj
iM0CyduWsYoMH1JeZcYYIxTBvRn8w9VSRRtgqS81IrFA9c2wnK2z9kl6wk+qHp4o
keahJgXKWEH+uO3Eg9q+cFQR8ixf9s7nYFJJ62WO/7YQp1yhDzpSF6txJ8kxvfpP
YSeeYYy7JBKmH20Iks0fjCoQNOefTj7ZQD74LVwDcsLD0YNpNh7fAtAIpuGXO/ab
y0v/bDwXAOXWmKBk4g8uWYrxnGGGyMeW6tw6pch9bZ0lome/1kFb+ysDzVMw217J
XMbsQEqDj/OVq7Qt1St0HjOxeZIFVKu+D/40PJyDohxfh1q5ldMVYeW4LhsXxkBN
8lomXApPCZVGQBVwwYl1uPjqlCRB/9joMSUbnY6djchqRT3CPYygudiRO4uvMtXg
19GK4qHSix9hpi2NvsFdCn56MX/qLXYzZp9yzTAzEiz3ief66+u12uYlDC7+IJYa
SfbUBcPFZdauqykl4MoiZ4rpyBP6vaRDVocHjIUYZ83dYtF33czh4dzOCDqx5MXa
jsI4ck0rJXx891Vx+ecZWF2XWr1ubW7LzHgrswc80hAJ0ZcJVDVDi9JFsZf7rgdU
6pqjlz2u8qFiXhnzZ+cPM5VkosXnQYgiOLyhPVIxqlbL4sYelEQ5m7UIOlw/HOvm
UWF048Tt2totAF+jQqKJWcfAmK3V00IM
-----END X509 CRL-----

BIN
testsuite/integration-arquillian/servers/auth-server/common/keystore/keycloak.truststore
View file

Binary file not shown.

1
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/AbstractX509AuthenticationTest.java
View file

@ -93,6 +93,7 @@ public abstract class AbstractX509AuthenticationTest extends AbstractTestRealmKe
public static final String INTERMEDIATE_CA_CRL_PATH = "intermediate-ca.crl"; public static final String INTERMEDIATE_CA_CRL_PATH = "intermediate-ca.crl";
public static final String INTERMEDIATE_CA_INVALID_SIGNATURE_CRL_PATH = "intermediate-ca-invalid-signature.crl"; public static final String INTERMEDIATE_CA_INVALID_SIGNATURE_CRL_PATH = "intermediate-ca-invalid-signature.crl";
public static final String INTERMEDIATE_CA_3_CRL_PATH = "intermediate-ca-3.crl"; public static final String INTERMEDIATE_CA_3_CRL_PATH = "intermediate-ca-3.crl";
public static final String INVALID_CRL_PATH = "invalid.crl";
protected final Logger log = Logger.getLogger(this.getClass()); protected final Logger log = Logger.getLogger(this.getClass());
static final String REQUIRED = "REQUIRED"; static final String REQUIRED = "REQUIRED";

1
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/CRLRule.java
View file

@ -60,6 +60,7 @@ public class CRLRule extends ExternalResource {
pathHandler.addExactPath(AbstractX509AuthenticationTest.INTERMEDIATE_CA_CRL_PATH, new CRLHandler(AbstractX509AuthenticationTest.INTERMEDIATE_CA_CRL_PATH)); pathHandler.addExactPath(AbstractX509AuthenticationTest.INTERMEDIATE_CA_CRL_PATH, new CRLHandler(AbstractX509AuthenticationTest.INTERMEDIATE_CA_CRL_PATH));
pathHandler.addExactPath(AbstractX509AuthenticationTest.INTERMEDIATE_CA_INVALID_SIGNATURE_CRL_PATH, new CRLHandler(AbstractX509AuthenticationTest.INTERMEDIATE_CA_INVALID_SIGNATURE_CRL_PATH)); pathHandler.addExactPath(AbstractX509AuthenticationTest.INTERMEDIATE_CA_INVALID_SIGNATURE_CRL_PATH, new CRLHandler(AbstractX509AuthenticationTest.INTERMEDIATE_CA_INVALID_SIGNATURE_CRL_PATH));
pathHandler.addExactPath(AbstractX509AuthenticationTest.INTERMEDIATE_CA_3_CRL_PATH, new CRLHandler(AbstractX509AuthenticationTest.INTERMEDIATE_CA_3_CRL_PATH)); pathHandler.addExactPath(AbstractX509AuthenticationTest.INTERMEDIATE_CA_3_CRL_PATH, new CRLHandler(AbstractX509AuthenticationTest.INTERMEDIATE_CA_3_CRL_PATH));
pathHandler.addExactPath(AbstractX509AuthenticationTest.INVALID_CRL_PATH, new CRLHandler(AbstractX509AuthenticationTest.INVALID_CRL_PATH));
crlResponder = Undertow.builder().addHttpListener(CRL_RESPONDER_PORT, CRL_RESPONDER_HOST) crlResponder = Undertow.builder().addHttpListener(CRL_RESPONDER_PORT, CRL_RESPONDER_HOST)
.setHandler( .setHandler(

15
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/X509BrowserCRLTest.java
View file

@ -174,6 +174,21 @@ public class X509BrowserCRLTest extends AbstractX509AuthenticationTest {
assertLoginFailedDueRevokedCertificate(); assertLoginFailedDueRevokedCertificate();
} }
@Test
public void loginWithMultipleRevocationListsUsingInvalidCert() {
X509AuthenticatorConfigModel config =
new X509AuthenticatorConfigModel()
.setCRLEnabled(true)
.setCRLRelativePath(CRLRule.CRL_RESPONDER_ORIGIN + "/" + INVALID_CRL_PATH)
.setConfirmationPageAllowed(true)
.setMappingSourceType(SUBJECTDN_EMAIL)
.setUserIdentityMapperType(USERNAME_EMAIL);
AuthenticatorConfigRepresentation cfg = newConfig("x509-browser-config", config.getConfig());
String cfgId = createConfig(browserExecution.getId(), cfg);
Assert.assertNotNull(cfgId);
x509BrowserLogin(config, userId, "test-user@localhost", "test-user@localhost");
}
@Test @Test
public void loginFailedWithRevocationListFromDistributionPoints() { public void loginFailedWithRevocationListFromDistributionPoints() {