From bf951a5554d0edea910d58488abd0b477aea2984 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pascal=20Kn=C3=BCppel?=
Date: Wed, 7 Aug 2024 12:41:12 +0200
Subject: [PATCH] Fix certificate creation with cross-keys (#31866)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
fixes #31864
Signed-off-by: Pascal Knüppel
---
 .../java/org/keycloak/jose/jwk/JWKTest.java | 30 +++++++++++++++++++
 .../def/BCCertificateUtilsProvider.java | 5 ++--
 .../fips/BCFIPSCertificateUtilsProvider.java | 6 ++--
 3 files changed, 34 insertions(+), 7 deletions(-)
diff --git a/core/src/test/java/org/keycloak/jose/jwk/JWKTest.java b/core/src/test/java/org/keycloak/jose/jwk/JWKTest.java
index 48266878d1..d93d88e3b2 100644
--- a/core/src/test/java/org/keycloak/jose/jwk/JWKTest.java
+++ b/core/src/test/java/org/keycloak/jose/jwk/JWKTest.java
@@ -183,6 +183,36 @@ public abstract class JWKTest { verify(data, sign, JavaAlgorithm.ES256, publicKeyFromJwk); } + @Test + public void testCertificateGenerationWithRsaAndEc() throws Exception { + KeyPairGenerator keyGenRsa = CryptoIntegration.getProvider().getKeyPairGen(KeyType.RSA); + KeyPairGenerator keyGenEc = CryptoIntegration.getProvider().getKeyPairGen(KeyType.EC); + SecureRandom randomGen = new SecureRandom(); + ECGenParameterSpec ecSpec = new ECGenParameterSpec("secp256r1"); + keyGenEc.initialize(ecSpec, randomGen); + KeyPair keyPairRsa = keyGenRsa.generateKeyPair(); + KeyPair keyPairEc = keyGenEc.generateKeyPair(); + X509Certificate certificateRsa = generateV1SelfSignedCertificate(keyPairRsa, "root"); + X509Certificate certificateEc = generateV3Certificate(keyPairEc, keyPairRsa.getPrivate(), certificateRsa, "child"); + certificateRsa.verify(keyPairRsa.getPublic()); + certificateEc.verify(keyPairRsa.getPublic()); + } + + @Test + public void testCertificateGenerationWithEcAndRsa() throws Exception { + KeyPairGenerator keyGenRsa = CryptoIntegration.getProvider().getKeyPairGen(KeyType.RSA); + KeyPairGenerator keyGenEc = CryptoIntegration.getProvider().getKeyPairGen(KeyType.EC); + SecureRandom randomGen = new SecureRandom(); + ECGenParameterSpec ecSpec = new ECGenParameterSpec("secp256r1"); + keyGenEc.initialize(ecSpec, randomGen); + KeyPair keyPairRsa = keyGenRsa.generateKeyPair(); + KeyPair keyPairEc = keyGenEc.generateKeyPair(); + X509Certificate certificateEc = generateV1SelfSignedCertificate(keyPairEc, "root"); + X509Certificate certificateRsa = generateV3Certificate(keyPairRsa, keyPairEc.getPrivate(), certificateEc, "child"); + certificateRsa.verify(keyPairEc.getPublic()); + certificateEc.verify(keyPairEc.getPublic()); + } + @Test public void publicEs256P256() throws Exception { testPublicEs256("secp256r1"); 
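Review bot: Both new tests check only that the child certificate verifies under the CA's public key; neither asserts that the child certificate actually carries the subject key pair's public key, so a regression that signed with the correct CA key but embedded the wrong public key (for instance the CA's own) would still pass. Add, after each `generateV3Certificate` call, a check such as `assertEquals(keyPairEc.getPublic(), certificateEc.getPublicKey());` in the first test and `assertEquals(keyPairRsa.getPublic(), certificateRsa.getPublicKey());` in the second (with the JUnit static import, if it is not already present). The two methods also repeat the RSA/EC key-generation setup line for line; a small private helper returning both key pairs would leave each test with just the certificate construction and its assertions. `generateV1SelfSignedCertificate` and `generateV3Certificate` are presumably helpers of this abstract class defined outside the hunk, and the class continues past it.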
diff --git a/crypto/default/src/main/java/org/keycloak/crypto/def/BCCertificateUtilsProvider.java b/crypto/default/src/main/java/org/keycloak/crypto/def/BCCertificateUtilsProvider.java
index ab99ef756b..cddba3f950 100755
--- a/crypto/default/src/main/java/org/keycloak/crypto/def/BCCertificateUtilsProvider.java
+++ b/crypto/default/src/main/java/org/keycloak/crypto/def/BCCertificateUtilsProvider.java
@@ -84,10 +84,9 @@ public class BCCertificateUtilsProvider implements CertificateUtilsProvider {
 * @param caCert the CA certificate
 * @param subject the subject name
 * @return the x509 certificate
- * @throws Exception the exception
 */
 public X509Certificate generateV3Certificate(KeyPair keyPair, PrivateKey caPrivateKey, X509Certificate caCert,
- String subject) throws Exception {
+ String subject) {
 try {
 X500Name subjectDN = new X500Name("CN=" + subject);
@@ -131,7 +130,7 @@ public class BCCertificateUtilsProvider implements CertificateUtilsProvider {
 // Content Signer
 ContentSigner sigGen;
- switch (keyPair.getPublic().getAlgorithm())
+ switch (caCert.getPublicKey().getAlgorithm())
 {
 case "EC":
 sigGen = new JcaContentSignerBuilder("SHA256WithECDSA").setProvider(BouncyIntegration.PROVIDER)
diff --git a/crypto/fips1402/src/main/java/org/keycloak/crypto/fips/BCFIPSCertificateUtilsProvider.java b/crypto/fips1402/src/main/java/org/keycloak/crypto/fips/BCFIPSCertificateUtilsProvider.java
index 5885bae79a..03ed5b8110 100755
--- a/crypto/fips1402/src/main/java/org/keycloak/crypto/fips/BCFIPSCertificateUtilsProvider.java
+++ b/crypto/fips1402/src/main/java/org/keycloak/crypto/fips/BCFIPSCertificateUtilsProvider.java
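Review bot: In the second hunk the signature algorithm is now chosen from `caCert.getPublicKey().getAlgorithm()` while the signature itself is produced with `caPrivateKey`, so the fix silently depends on the two arguments being the two halves of one key pair; nothing in `generateV3Certificate` checks that, and a mismatched pair would surface only later, when the issued certificate fails to verify against the CA certificate, far from the cause. The same applies to the BCFIPS hunk below, which previously dispatched on `caPrivateKey.getAlgorithm()`. At minimum state the precondition where callers see it, e.g. `@param caPrivateKey the CA's private key, i.e. the private half of {@code caCert}'s key pair` in the Javadoc and `// the signature is made with caPrivateKey; its algorithm is read from the matching caCert` above the switch; an explicit up-front check that the two keys correspond would be better still, if the providers offer a reliable way to compare them. Separately, the first hunk drops `@throws Exception` from the Javadoc although the body still opens with `try {`; the catch block is outside the hunk, but whatever unchecked exception it raises now should be documented in its place. The method body continues outside both hunks.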
@@ -86,11 +86,9 @@ public class BCFIPSCertificateUtilsProvider implements CertificateUtilsProvider{
 * @param subject the subject name
 *
 * @return the x509 certificate
- *
- * @throws Exception the exception
 */
 public X509Certificate generateV3Certificate(KeyPair keyPair, PrivateKey caPrivateKey, X509Certificate caCert,
- String subject) throws Exception {
+ String subject) {
 try {
 X500Name subjectDN = new X500Name("CN=" + subject);
@@ -134,7 +132,7 @@ public class BCFIPSCertificateUtilsProvider implements CertificateUtilsProvider{
 // Content Signer
 ContentSigner sigGen;
- switch (caPrivateKey.getAlgorithm()){
+ switch (caCert.getPublicKey().getAlgorithm()){
 case "EC":
 sigGen = new JcaContentSignerBuilder("SHA256WithECDSA").setProvider(BouncyIntegration.PROVIDER)
 .build(caPrivateKey);
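Review bot: The second hunk moves the dispatch away from `caPrivateKey.getAlgorithm()`, the key that `.build(caPrivateKey)` actually signs with, to the CA certificate's public key, but the reason is not recorded anywhere in the code, and a future reader is likely to "simplify" it back because asking the signing key for its algorithm looks more direct. If the motivation is that this provider's private keys report an algorithm name that does not hit the `"EC"` case, say so in a one-line comment above the switch, e.g. `// dispatch on the certificate's key type: caPrivateKey.getAlgorithm() does not yield the expected JCA name under this provider`, adjusted to whatever the actual reason was. The enclosing method body continues outside the hunk.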