Fix certificate creation with cross-keys (#31866)

fixes #31864

Signed-off-by: Pascal Knüppel <pascal.knueppel@governikus.de>

core/src/test/java/org/keycloak/jose/jwk/JWKTest.java

@@ -183,6 +183,36 @@ public abstract class JWKTest {
         verify(data, sign, JavaAlgorithm.ES256, publicKeyFromJwk);
     }
 
+    @Test
+    public void testCertificateGenerationWithRsaAndEc() throws Exception {
+        KeyPairGenerator keyGenRsa = CryptoIntegration.getProvider().getKeyPairGen(KeyType.RSA);
+        KeyPairGenerator keyGenEc = CryptoIntegration.getProvider().getKeyPairGen(KeyType.EC);
+        SecureRandom randomGen = new SecureRandom();
+        ECGenParameterSpec ecSpec = new ECGenParameterSpec("secp256r1");
+        keyGenEc.initialize(ecSpec, randomGen);
+        KeyPair keyPairRsa = keyGenRsa.generateKeyPair();
+        KeyPair keyPairEc = keyGenEc.generateKeyPair();
+        X509Certificate certificateRsa = generateV1SelfSignedCertificate(keyPairRsa, "root");
+        X509Certificate certificateEc = generateV3Certificate(keyPairEc, keyPairRsa.getPrivate(), certificateRsa, "child");
+        certificateRsa.verify(keyPairRsa.getPublic());
+        certificateEc.verify(keyPairRsa.getPublic());
+    }
+
+    @Test
+    public void testCertificateGenerationWithEcAndRsa() throws Exception {
+        KeyPairGenerator keyGenRsa = CryptoIntegration.getProvider().getKeyPairGen(KeyType.RSA);
+        KeyPairGenerator keyGenEc = CryptoIntegration.getProvider().getKeyPairGen(KeyType.EC);
+        SecureRandom randomGen = new SecureRandom();
+        ECGenParameterSpec ecSpec = new ECGenParameterSpec("secp256r1");
+        keyGenEc.initialize(ecSpec, randomGen);
+        KeyPair keyPairRsa = keyGenRsa.generateKeyPair();
+        KeyPair keyPairEc = keyGenEc.generateKeyPair();
+        X509Certificate certificateEc = generateV1SelfSignedCertificate(keyPairEc, "root");
+        X509Certificate certificateRsa = generateV3Certificate(keyPairRsa, keyPairEc.getPrivate(), certificateEc, "child");
+        certificateRsa.verify(keyPairEc.getPublic());
+        certificateEc.verify(keyPairEc.getPublic());
+    }
+
     @Test
     public void publicEs256P256() throws Exception {
         testPublicEs256("secp256r1");

crypto/default/src/main/java/org/keycloak/crypto/def/BCCertificateUtilsProvider.java

@@ -84,10 +84,9 @@ public class BCCertificateUtilsProvider implements CertificateUtilsProvider {
      * @param caCert       the CA certificate
      * @param subject      the subject name
      * @return the x509 certificate
-     * @throws Exception the exception
      */
     public X509Certificate generateV3Certificate(KeyPair keyPair, PrivateKey caPrivateKey, X509Certificate caCert,
-                                                 String subject) throws Exception {
+                                                 String subject) {
         try {
             X500Name subjectDN = new X500Name("CN=" + subject);
 
@@ -131,7 +130,7 @@ public class BCCertificateUtilsProvider implements CertificateUtilsProvider {
 
             // Content Signer
             ContentSigner sigGen;
-            switch (keyPair.getPublic().getAlgorithm())
+            switch (caCert.getPublicKey().getAlgorithm())
             {
                 case "EC":
                     sigGen = new JcaContentSignerBuilder("SHA256WithECDSA").setProvider(BouncyIntegration.PROVIDER)

crypto/fips1402/src/main/java/org/keycloak/crypto/fips/BCFIPSCertificateUtilsProvider.java

@@ -86,11 +86,9 @@ public class BCFIPSCertificateUtilsProvider implements CertificateUtilsProvider{
      * @param subject the subject name
      *
      * @return the x509 certificate
-     *
-     * @throws Exception the exception
      */
     public X509Certificate generateV3Certificate(KeyPair keyPair, PrivateKey caPrivateKey, X509Certificate caCert,
-            String subject) throws Exception {
+            String subject) {
         try {
             X500Name subjectDN = new X500Name("CN=" + subject);
 
@@ -134,7 +132,7 @@ public class BCFIPSCertificateUtilsProvider implements CertificateUtilsProvider{
 
             // Content Signer
             ContentSigner sigGen;
-            switch (caPrivateKey.getAlgorithm()){
+            switch (caCert.getPublicKey().getAlgorithm()){
                 case "EC":
                     sigGen = new JcaContentSignerBuilder("SHA256WithECDSA").setProvider(BouncyIntegration.PROVIDER)
                                                                            .build(caPrivateKey);