libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases Packages Activity Actions

Fix certificate creation with cross-keys (#31866)

Browse source 
fixes #31864

Signed-off-by: Pascal Knüppel <pascal.knueppel@governikus.de>
This commit is contained in:
Pascal Knüppel 2024-08-07 12:41:12 +02:00 committed by GitHub
parent 35c8c09b8d
commit bf951a5554
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 34 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

30
core/src/test/java/org/keycloak/jose/jwk/JWKTest.java
View file

@ -183,6 +183,36 @@ public abstract class JWKTest {
verify(data, sign, JavaAlgorithm.ES256, publicKeyFromJwk);
}
@Test
public void testCertificateGenerationWithRsaAndEc() throws Exception {
KeyPairGenerator keyGenRsa = CryptoIntegration.getProvider().getKeyPairGen(KeyType.RSA);
KeyPairGenerator keyGenEc = CryptoIntegration.getProvider().getKeyPairGen(KeyType.EC);
SecureRandom randomGen = new SecureRandom();
ECGenParameterSpec ecSpec = new ECGenParameterSpec("secp256r1");
keyGenEc.initialize(ecSpec, randomGen);
KeyPair keyPairRsa = keyGenRsa.generateKeyPair();
KeyPair keyPairEc = keyGenEc.generateKeyPair();
X509Certificate certificateRsa = generateV1SelfSignedCertificate(keyPairRsa, "root");
X509Certificate certificateEc = generateV3Certificate(keyPairEc, keyPairRsa.getPrivate(), certificateRsa, "child");
certificateRsa.verify(keyPairRsa.getPublic());
certificateEc.verify(keyPairRsa.getPublic());
}
@Test
public void testCertificateGenerationWithEcAndRsa() throws Exception {
KeyPairGenerator keyGenRsa = CryptoIntegration.getProvider().getKeyPairGen(KeyType.RSA);
KeyPairGenerator keyGenEc = CryptoIntegration.getProvider().getKeyPairGen(KeyType.EC);
SecureRandom randomGen = new SecureRandom();
ECGenParameterSpec ecSpec = new ECGenParameterSpec("secp256r1");
keyGenEc.initialize(ecSpec, randomGen);
KeyPair keyPairRsa = keyGenRsa.generateKeyPair();
KeyPair keyPairEc = keyGenEc.generateKeyPair();
X509Certificate certificateEc = generateV1SelfSignedCertificate(keyPairEc, "root");
X509Certificate certificateRsa = generateV3Certificate(keyPairRsa, keyPairEc.getPrivate(), certificateEc, "child");
certificateRsa.verify(keyPairEc.getPublic());
certificateEc.verify(keyPairEc.getPublic());
}
@Test
public void publicEs256P256() throws Exception {
testPublicEs256("secp256r1");

5
crypto/default/src/main/java/org/keycloak/crypto/def/BCCertificateUtilsProvider.java
View file

@ -84,10 +84,9 @@ public class BCCertificateUtilsProvider implements CertificateUtilsProvider {
* @param caCert the CA certificate
* @param subject the subject name
* @return the x509 certificate
* @throws Exception the exception
*/
public X509Certificate generateV3Certificate(KeyPair keyPair, PrivateKey caPrivateKey, X509Certificate caCert,
String subject) throws Exception {
String subject) {
try {
X500Name subjectDN = new X500Name("CN=" + subject);
@ -131,7 +130,7 @@ public class BCCertificateUtilsProvider implements CertificateUtilsProvider {
// Content Signer
ContentSigner sigGen;
switch (keyPair.getPublic().getAlgorithm())
switch (caCert.getPublicKey().getAlgorithm())
{
case "EC":
sigGen = new JcaContentSignerBuilder("SHA256WithECDSA").setProvider(BouncyIntegration.PROVIDER)

6
crypto/fips1402/src/main/java/org/keycloak/crypto/fips/BCFIPSCertificateUtilsProvider.java
View file

@ -86,11 +86,9 @@ public class BCFIPSCertificateUtilsProvider implements CertificateUtilsProvider{
* @param subject the subject name
*
* @return the x509 certificate
*
* @throws Exception the exception
*/
public X509Certificate generateV3Certificate(KeyPair keyPair, PrivateKey caPrivateKey, X509Certificate caCert,
String subject) throws Exception {
String subject) {
try {
X500Name subjectDN = new X500Name("CN=" + subject);
@ -134,7 +132,7 @@ public class BCFIPSCertificateUtilsProvider implements CertificateUtilsProvider{
// Content Signer
ContentSigner sigGen;
switch (caPrivateKey.getAlgorithm()){
switch (caCert.getPublicKey().getAlgorithm()){
case "EC":
sigGen = new JcaContentSignerBuilder("SHA256WithECDSA").setProvider(BouncyIntegration.PROVIDER)
.build(caPrivateKey);