Avoid iterating indefinetly when checking CRLs

Closes #20725

services/src/main/java/org/keycloak/utils/CRLUtils.java

@@ -118,8 +118,9 @@ public final class CRLUtils {
 
         X509Certificate currentCRLAnchorCertificate = crlSignatureCertificate;
         X500Principal currentCRLAnchorPrincipal = crlIssuerPrincipal;
-        while (true) {
-            if (certificateCAPrincipals.contains(currentCRLAnchorPrincipal)) {
+
+        for (X500Principal certificateCAPrincipal : certificateCAPrincipals) {
+            if (certificateCAPrincipal.equals(currentCRLAnchorPrincipal)) {
                 log.tracef("Found trust anchor of the CRL issuer '%s' in the CA chain. Anchor is '%s'", crlIssuerPrincipal, currentCRLAnchorPrincipal);
                 break;
             }

testsuite/integration-arquillian/servers/auth-server/common/keystore/invalid.crl

@@ -0,0 +1,18 @@
+-----BEGIN X509 CRL-----
+MIIC5DCBzQIBATANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzELMAkGA1UE
+CAwCVVMxETAPBgNVBAoMCEFjbWUgTHRkMQ0wCwYDVQQLDARBY21lMQ0wCwYDVQQD
+DARBY21lMRwwGgYJKoZIhvcNAQkBFg1hY21lQGFjbWUub3JnFw0yMzA2MDYxMzAx
+MTJaFw0yMzA3MDYxMzAxMTJaoDAwLjAfBgNVHSMEGDAWgBQ8WSQPg23WvN49G2fQ
+X7D4ta8Z7DALBgNVHRQEBAICEAAwDQYJKoZIhvcNAQELBQADggIBAAkiYmLNfGkj
+iM0CyduWsYoMH1JeZcYYIxTBvRn8w9VSRRtgqS81IrFA9c2wnK2z9kl6wk+qHp4o
+keahJgXKWEH+uO3Eg9q+cFQR8ixf9s7nYFJJ62WO/7YQp1yhDzpSF6txJ8kxvfpP
+YSeeYYy7JBKmH20Iks0fjCoQNOefTj7ZQD74LVwDcsLD0YNpNh7fAtAIpuGXO/ab
+y0v/bDwXAOXWmKBk4g8uWYrxnGGGyMeW6tw6pch9bZ0lome/1kFb+ysDzVMw217J
+XMbsQEqDj/OVq7Qt1St0HjOxeZIFVKu+D/40PJyDohxfh1q5ldMVYeW4LhsXxkBN
+8lomXApPCZVGQBVwwYl1uPjqlCRB/9joMSUbnY6djchqRT3CPYygudiRO4uvMtXg
+19GK4qHSix9hpi2NvsFdCn56MX/qLXYzZp9yzTAzEiz3ief66+u12uYlDC7+IJYa
+SfbUBcPFZdauqykl4MoiZ4rpyBP6vaRDVocHjIUYZ83dYtF33czh4dzOCDqx5MXa
+jsI4ck0rJXx891Vx+ecZWF2XWr1ubW7LzHgrswc80hAJ0ZcJVDVDi9JFsZf7rgdU
+6pqjlz2u8qFiXhnzZ+cPM5VkosXnQYgiOLyhPVIxqlbL4sYelEQ5m7UIOlw/HOvm
+UWF048Tt2totAF+jQqKJWcfAmK3V00IM
+-----END X509 CRL-----

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/AbstractX509AuthenticationTest.java

@@ -93,6 +93,7 @@ public abstract class AbstractX509AuthenticationTest extends AbstractTestRealmKe
     public static final String INTERMEDIATE_CA_CRL_PATH = "intermediate-ca.crl";
     public static final String INTERMEDIATE_CA_INVALID_SIGNATURE_CRL_PATH = "intermediate-ca-invalid-signature.crl";
     public static final String INTERMEDIATE_CA_3_CRL_PATH = "intermediate-ca-3.crl";
+    public static final String INVALID_CRL_PATH = "invalid.crl";
     protected final Logger log = Logger.getLogger(this.getClass());
 
     static final String REQUIRED = "REQUIRED";

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/CRLRule.java

@@ -60,6 +60,7 @@ public class CRLRule extends ExternalResource {
         pathHandler.addExactPath(AbstractX509AuthenticationTest.INTERMEDIATE_CA_CRL_PATH, new CRLHandler(AbstractX509AuthenticationTest.INTERMEDIATE_CA_CRL_PATH));
         pathHandler.addExactPath(AbstractX509AuthenticationTest.INTERMEDIATE_CA_INVALID_SIGNATURE_CRL_PATH, new CRLHandler(AbstractX509AuthenticationTest.INTERMEDIATE_CA_INVALID_SIGNATURE_CRL_PATH));
         pathHandler.addExactPath(AbstractX509AuthenticationTest.INTERMEDIATE_CA_3_CRL_PATH, new CRLHandler(AbstractX509AuthenticationTest.INTERMEDIATE_CA_3_CRL_PATH));
+        pathHandler.addExactPath(AbstractX509AuthenticationTest.INVALID_CRL_PATH, new CRLHandler(AbstractX509AuthenticationTest.INVALID_CRL_PATH));
 
         crlResponder = Undertow.builder().addHttpListener(CRL_RESPONDER_PORT, CRL_RESPONDER_HOST)
                 .setHandler(

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/X509BrowserCRLTest.java

@@ -174,6 +174,21 @@ public class X509BrowserCRLTest extends AbstractX509AuthenticationTest {
         assertLoginFailedDueRevokedCertificate();
     }
 
+    @Test
+    public void loginWithMultipleRevocationListsUsingInvalidCert() {
+        X509AuthenticatorConfigModel config =
+                new X509AuthenticatorConfigModel()
+                        .setCRLEnabled(true)
+                        .setCRLRelativePath(CRLRule.CRL_RESPONDER_ORIGIN + "/" + INVALID_CRL_PATH)
+                        .setConfirmationPageAllowed(true)
+                        .setMappingSourceType(SUBJECTDN_EMAIL)
+                        .setUserIdentityMapperType(USERNAME_EMAIL);
+        AuthenticatorConfigRepresentation cfg = newConfig("x509-browser-config", config.getConfig());
+        String cfgId = createConfig(browserExecution.getId(), cfg);
+        Assert.assertNotNull(cfgId);
+
+        x509BrowserLogin(config, userId, "test-user@localhost", "test-user@localhost");
+    }
 
     @Test
     public void loginFailedWithRevocationListFromDistributionPoints() {