Fix for certificate revalidation

closes https://security.snyk.io/vuln/SNYK-JAVA-ORGKEYCLOAK-5291542
2023-05-30 10:33:53 +02:00 · 2023-05-30 10:33:53 +02:00 · bf9c5821cb
commit bf9c5821cb
parent 30c7808d9d
6 changed files with 75 additions and 3 deletions
--- a/services/src/main/java/org/keycloak/authentication/authenticators/x509/CertificateValidator.java
+++ b/services/src/main/java/org/keycloak/authentication/authenticators/x509/CertificateValidator.java
@ -585,7 +585,7 @@ public class CertificateValidator {

        TruststoreProvider truststoreProvider = session.getProvider(TruststoreProvider.class);
        if (truststoreProvider == null || truststoreProvider.getTruststore() == null) {
-            logger.error("Cannot validate client certificate trust: Truststore not available");
+            throw new GeneralSecurityException("Cannot validate client certificate trust: Truststore not available. Please make sure to correctly configure truststore provider in order to be able to revalidate certificate trust");
        }
        else
        {
--- a/services/src/main/java/org/keycloak/truststore/FileTruststoreProviderFactory.java
+++ b/services/src/main/java/org/keycloak/truststore/FileTruststoreProviderFactory.java
@ -62,6 +62,11 @@ public class FileTruststoreProviderFactory implements TruststoreProviderFactory
        return provider;
    }

+    // For testing purposes
+    public void setProvider(TruststoreProvider provider) {
+        this.provider = provider;
+    }
+
    @Override
    public void init(Config.Scope config) {

--- a/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/rest/TestingResourceProvider.java
+++ b/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/rest/TestingResourceProvider.java
@ -88,6 +88,8 @@ import org.keycloak.testsuite.runonserver.RunOnServer;
 import org.keycloak.testsuite.runonserver.SerializationUtil;
 import org.keycloak.testsuite.util.FeatureDeployerUtil;
 import org.keycloak.timer.TimerProvider;
+import org.keycloak.truststore.FileTruststoreProviderFactory;
+import org.keycloak.truststore.TruststoreProvider;
 import org.keycloak.util.JsonSerialization;
 import org.keycloak.utils.MediaType;

@ -132,13 +134,16 @@ public class TestingResourceProvider implements RealmResourceProvider {

    private final HttpRequest request;

+    private final TestingResourceProviderFactory factory;
+
    @Override
    public Object getResource() {
        return this;
    }

-    public TestingResourceProvider(KeycloakSession session, Map<String, TimerProvider.TimerTaskContext> suspendedTimerTasks) {
+    public TestingResourceProvider(KeycloakSession session, TestingResourceProviderFactory factory, Map<String, TimerProvider.TimerTaskContext> suspendedTimerTasks) {
        this.session = session;
+        this.factory = factory;
        this.suspendedTimerTasks = suspendedTimerTasks;
        this.request = session.getContext().getHttpRequest();
    }
@ -1064,4 +1069,24 @@ public class TestingResourceProvider implements RealmResourceProvider {
        return realm;
    }

+    @GET
+    @Path("/disable-truststore-spi")
+    @NoCache
+    public void disableTruststoreSpi() {
+        FileTruststoreProviderFactory factory = (FileTruststoreProviderFactory) session.getKeycloakSessionFactory().getProviderFactory(TruststoreProvider.class);
+        this.factory.truststoreProvider = factory.create(session);
+        factory.setProvider(null);
+    }
+
+    @GET
+    @Path("/reenable-truststore-spi")
+    @NoCache
+    public void reenableTruststoreSpi() {
+        if (this.factory.truststoreProvider == null) {
+            throw new IllegalStateException("Cannot reenable provider as it was not disabled");
+        }
+        FileTruststoreProviderFactory factory = (FileTruststoreProviderFactory) session.getKeycloakSessionFactory().getProviderFactory(TruststoreProvider.class);
+        factory.setProvider(this.factory.truststoreProvider);
+    }
+
 }
--- a/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/rest/TestingResourceProviderFactory.java
+++ b/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/rest/TestingResourceProviderFactory.java
@ -26,6 +26,7 @@ import org.keycloak.models.KeycloakSessionFactory;
 import org.keycloak.services.resource.RealmResourceProvider;
 import org.keycloak.services.resource.RealmResourceProviderFactory;
 import org.keycloak.timer.TimerProvider;
+import org.keycloak.truststore.TruststoreProvider;

 /**
 * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
@ -34,9 +35,11 @@ public class TestingResourceProviderFactory implements RealmResourceProviderFact

    private Map<String, TimerProvider.TimerTaskContext> suspendedTimerTasks = new ConcurrentHashMap<>();

+    protected TruststoreProvider truststoreProvider;
+
    @Override
    public RealmResourceProvider create(KeycloakSession session) {
-        return new TestingResourceProvider(session, suspendedTimerTasks);
+        return new TestingResourceProvider(session, this, suspendedTimerTasks);
    }

    @Override
--- a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/client/resources/TestingResource.java
+++ b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/client/resources/TestingResource.java
@ -398,4 +398,21 @@ public interface TestingResource {
    @Path("/get-provider-implementation-class")
    @Produces(MediaType.APPLICATION_JSON)
    String getProviderClassName(@QueryParam("providerClass") String providerClass, @QueryParam("providerId") String providerId);
+
+    /**
+     * Temporarily disables truststore SPI from the file. Useful for example to test some error scenarios, which require truststore SPI to be unset (or set incorrectly)
+     */
+    @GET
+    @Path("/disable-truststore-spi")
+    @NoCache
+    void disableTruststoreSpi();
+
+    /**
+     * Re-enable truststore SPI after it was temporarily disabled by {@link #disableTruststoreSpi()}
+     */
+    @GET
+    @Path("/reenable-truststore-spi")
+    @NoCache
+    void reenableTruststoreSpi();
+
 }
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/X509BrowserLoginTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/X509BrowserLoginTest.java
@ -119,6 +119,28 @@ public class X509BrowserLoginTest extends AbstractX509AuthenticationTest {
        x509BrowserLogin(createLoginSubjectEmailWithRevalidateCert(true), userId, "test-user@localhost", "test-user@localhost");
    }

+    @Test
+    public void loginWithRevalidateCertEnabledCertWithIncorrectTruststoreConfig() throws Exception {
+        try {
+            // Simulate disabling of Truststore SPI on server
+            testingClient.testing().disableTruststoreSpi();
+
+            AuthenticatorConfigRepresentation cfg = newConfig("x509-browser-config", createLoginSubjectEmailWithRevalidateCert(true).getConfig());
+            String cfgId = createConfig(browserExecution.getId(), cfg);
+            Assert.assertNotNull(cfgId);
+
+            loginConfirmationPage.open();
+            loginPage.assertCurrent();
+
+            // Verify there is an error message
+            Assert.assertNotNull(loginPage.getError());
+
+            Assert.assertThat(loginPage.getError(), containsString("Certificate validation's failed."));
+        } finally {
+            testingClient.testing().reenableTruststoreSpi();
+        }
+    }
+
    @Test
    public void loginIgnoreX509IdentityContinueToFormLogin() throws Exception {
        // Set the X509 authenticator configuration