libre.sh/keycloak-scim
2
0
Fork 0
Code Issues 14 Pull requests Releases Packages Activity Actions 6

Refactor BouncyIntegration (#12244)

Browse source 
Closes #12243
This commit is contained in:
Stian Thorgersen 2022-06-07 09:02:00 +02:00 committed by GitHub
parent df72cf72f2
commit e49e8335e0
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
29 changed files with 108 additions and 212 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

40
common/src/main/java/org/keycloak/common/util/BouncyIntegration.java
View file

@ -17,8 +17,10 @@
package org.keycloak.common.util; package org.keycloak.common.util;
import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.jboss.logging.Logger;
import java.lang.reflect.Constructor;
import java.security.Provider;
import java.security.Security; import java.security.Security;
/** /**
@ -26,11 +28,37 @@ import java.security.Security;
* @version $Revision: 1 $ * @version $Revision: 1 $
*/ */
public class BouncyIntegration { public class BouncyIntegration {
static {
if (Security.getProvider("BC") == null) Security.addProvider(new BouncyCastleProvider()); private static final Logger log = Logger.getLogger(BouncyIntegration.class);
private static final String[] providerClassNames = {
"org.bouncycastle.jce.provider.BouncyCastleProvider",
"org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"
};
public static final String PROVIDER = loadProvider();
private static String loadProvider() {
for (String providerClassName : providerClassNames) {
try {
Class<?> providerClass = Class.forName(providerClassName, true, BouncyIntegration.class.getClassLoader());
Constructor<Provider> constructor = (Constructor<Provider>) providerClass.getConstructor();
Provider provider = constructor.newInstance();
if (Security.getProvider(provider.getName()) == null) {
Security.addProvider(provider);
log.debugv("Loaded {0} security provider", providerClassName);
} else {
log.debugv("Security provider {0} already loaded", providerClassName);
}
return provider.getName();
} catch (Exception e) {
log.debugv("Failed to load {0}", e, providerClassName);
}
}
throw new RuntimeException("Failed to load required security provider: BouncyCastleProvider or BouncyCastleFipsProvider");
} }
public static void init() {
// empty, the static class does it
}
} }

7
common/src/main/java/org/keycloak/common/util/CertificateUtils.java
View file

@ -57,9 +57,6 @@ import java.util.Date;
* @version $Revision: 2 $ * @version $Revision: 2 $
*/ */
public class CertificateUtils { public class CertificateUtils {
static {
BouncyIntegration.init();
}
/** /**
* Generates version 3 {@link java.security.cert.X509Certificate}. * Generates version 3 {@link java.security.cert.X509Certificate}.
@ -119,10 +116,10 @@ public class CertificateUtils {
certGen.addExtension(Extension.basicConstraints, true, new BasicConstraints(0)); certGen.addExtension(Extension.basicConstraints, true, new BasicConstraints(0));
// Content Signer // Content Signer
ContentSigner sigGen = new JcaContentSignerBuilder("SHA1WithRSAEncryption").setProvider("BC").build(caPrivateKey); ContentSigner sigGen = new JcaContentSignerBuilder("SHA1WithRSAEncryption").setProvider(BouncyIntegration.PROVIDER).build(caPrivateKey);
// Certificate // Certificate
return new JcaX509CertificateConverter().setProvider("BC").getCertificate(certGen.build(sigGen)); return new JcaX509CertificateConverter().setProvider(BouncyIntegration.PROVIDER).getCertificate(certGen.build(sigGen));
} catch (Exception e) { } catch (Exception e) {
throw new RuntimeException("Error creating X509v3Certificate.", e); throw new RuntimeException("Error creating X509v3Certificate.", e);
} }

11
common/src/main/java/org/keycloak/common/util/DerUtils.java
View file

@ -38,9 +38,6 @@ import java.security.spec.X509EncodedKeySpec;
* @version $Revision: 1 $ * @version $Revision: 1 $
*/ */
public final class DerUtils { public final class DerUtils {
static {
BouncyIntegration.init();
}
private DerUtils() { private DerUtils() {
} }
@ -55,19 +52,19 @@ public final class DerUtils {
PKCS8EncodedKeySpec spec = PKCS8EncodedKeySpec spec =
new PKCS8EncodedKeySpec(keyBytes); new PKCS8EncodedKeySpec(keyBytes);
KeyFactory kf = KeyFactory.getInstance("RSA", "BC"); KeyFactory kf = KeyFactory.getInstance("RSA", BouncyIntegration.PROVIDER);
return kf.generatePrivate(spec); return kf.generatePrivate(spec);
} }
public static PublicKey decodePublicKey(byte[] der) throws NoSuchAlgorithmException, InvalidKeySpecException, NoSuchProviderException { public static PublicKey decodePublicKey(byte[] der) throws NoSuchAlgorithmException, InvalidKeySpecException, NoSuchProviderException {
X509EncodedKeySpec spec = X509EncodedKeySpec spec =
new X509EncodedKeySpec(der); new X509EncodedKeySpec(der);
KeyFactory kf = KeyFactory.getInstance("RSA", "BC"); KeyFactory kf = KeyFactory.getInstance("RSA", BouncyIntegration.PROVIDER);
return kf.generatePublic(spec); return kf.generatePublic(spec);
} }
public static X509Certificate decodeCertificate(InputStream is) throws Exception { public static X509Certificate decodeCertificate(InputStream is) throws Exception {
CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC"); CertificateFactory cf = CertificateFactory.getInstance("X.509", BouncyIntegration.PROVIDER);
X509Certificate cert = (X509Certificate) cf.generateCertificate(is); X509Certificate cert = (X509Certificate) cf.generateCertificate(is);
is.close(); is.close();
return cert; return cert;
@ -76,7 +73,7 @@ public final class DerUtils {
public static PrivateKey decodePrivateKey(byte[] der) throws NoSuchAlgorithmException, InvalidKeySpecException, NoSuchProviderException { public static PrivateKey decodePrivateKey(byte[] der) throws NoSuchAlgorithmException, InvalidKeySpecException, NoSuchProviderException {
PKCS8EncodedKeySpec spec = PKCS8EncodedKeySpec spec =
new PKCS8EncodedKeySpec(der); new PKCS8EncodedKeySpec(der);
KeyFactory kf = KeyFactory.getInstance("RSA", "BC"); KeyFactory kf = KeyFactory.getInstance("RSA", BouncyIntegration.PROVIDER);
return kf.generatePrivate(spec); return kf.generatePrivate(spec);
} }
} }

2
common/src/main/java/org/keycloak/common/util/KeyUtils.java
View file

@ -46,7 +46,7 @@ public class KeyUtils {
public static KeyPair generateRsaKeyPair(int keysize) { public static KeyPair generateRsaKeyPair(int keysize) {
try { try {
KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA"); KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA", BouncyIntegration.PROVIDER);
generator.initialize(keysize); generator.initialize(keysize);
KeyPair keyPair = generator.generateKeyPair(); KeyPair keyPair = generator.generateKeyPair();
return keyPair; return keyPair;

5
common/src/main/java/org/keycloak/common/util/KeystoreUtil.java
View file

@ -32,9 +32,6 @@ import java.security.PublicKey;
* @version $Revision: 1 $ * @version $Revision: 1 $
*/ */
public class KeystoreUtil { public class KeystoreUtil {
static {
BouncyIntegration.init();
}
public enum KeystoreFormat { public enum KeystoreFormat {
JKS, JKS,
@ -72,7 +69,7 @@ public class KeystoreUtil {
if (format == KeystoreFormat.JKS) { if (format == KeystoreFormat.JKS) {
keyStore = KeyStore.getInstance(format.toString()); keyStore = KeyStore.getInstance(format.toString());
} else { } else {
keyStore = KeyStore.getInstance(format.toString(), "BC"); keyStore = KeyStore.getInstance(format.toString(), BouncyIntegration.PROVIDER);
} }
keyStore.load(stream, storePassword.toCharArray()); keyStore.load(stream, storePassword.toCharArray());

11
common/src/main/java/org/keycloak/common/util/PemUtils.java
View file

@ -17,13 +17,16 @@
package org.keycloak.common.util; package org.keycloak.common.util;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter; import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import java.io.ByteArrayInputStream; import java.io.ByteArrayInputStream;
import java.io.IOException; import java.io.IOException;
import java.io.StringWriter; import java.io.StringWriter;
import java.security.*; import java.security.Key;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.Certificate; import java.security.cert.Certificate;
import java.security.cert.X509Certificate; import java.security.cert.X509Certificate;
@ -38,10 +41,6 @@ public final class PemUtils {
public static final String BEGIN_CERT = "-----BEGIN CERTIFICATE-----"; public static final String BEGIN_CERT = "-----BEGIN CERTIFICATE-----";
public static final String END_CERT = "-----END CERTIFICATE-----"; public static final String END_CERT = "-----END CERTIFICATE-----";
static {
BouncyIntegration.init();
}
private PemUtils() { private PemUtils() {
} }

14
core/src/main/java/org/keycloak/jose/jwe/JWE.java
View file

@ -17,15 +17,10 @@
package org.keycloak.jose.jwe; package org.keycloak.jose.jwe;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.spec.KeySpec;
import org.keycloak.common.util.Base64; import org.keycloak.common.util.Base64;
import org.keycloak.common.util.Base64Url; import org.keycloak.common.util.Base64Url;
import org.keycloak.common.util.BouncyIntegration;
import org.keycloak.jose.JOSEHeader;
import org.keycloak.jose.JOSE; import org.keycloak.jose.JOSE;
import org.keycloak.jose.JOSEHeader;
import org.keycloak.jose.jwe.alg.JWEAlgorithmProvider; import org.keycloak.jose.jwe.alg.JWEAlgorithmProvider;
import org.keycloak.jose.jwe.enc.JWEEncryptionProvider; import org.keycloak.jose.jwe.enc.JWEEncryptionProvider;
import org.keycloak.util.JsonSerialization; import org.keycloak.util.JsonSerialization;
@ -34,16 +29,15 @@ import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory; import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec; import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec; import javax.crypto.spec.SecretKeySpec;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.spec.KeySpec;
/** /**
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a> * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
*/ */
public class JWE implements JOSE { public class JWE implements JOSE {
static {
BouncyIntegration.init();
}
private JWEHeader header; private JWEHeader header;
private String base64Header; private String base64Header;

5
core/src/main/java/org/keycloak/jose/jwe/enc/AesCbcHmacShaEncryptionProvider.java
View file

@ -34,6 +34,7 @@ import javax.crypto.Mac;
import javax.crypto.spec.IvParameterSpec; import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec; import javax.crypto.spec.SecretKeySpec;
import org.keycloak.common.util.BouncyIntegration;
import org.keycloak.jose.jwe.JWE; import org.keycloak.jose.jwe.JWE;
import org.keycloak.jose.jwe.JWEKeyStorage; import org.keycloak.jose.jwe.JWEKeyStorage;
import org.keycloak.jose.jwe.JWEUtils; import org.keycloak.jose.jwe.JWEUtils;
@ -116,7 +117,7 @@ public abstract class AesCbcHmacShaEncryptionProvider implements JWEEncryptionPr
private byte[] encryptBytes(byte[] contentBytes, byte[] ivBytes, Key aesKey) throws GeneralSecurityException { private byte[] encryptBytes(byte[] contentBytes, byte[] ivBytes, Key aesKey) throws GeneralSecurityException {
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS7Padding", "BC"); Cipher cipher = Cipher.getInstance("AES/CBC/PKCS7Padding", BouncyIntegration.PROVIDER);
AlgorithmParameterSpec ivParamSpec = new IvParameterSpec(ivBytes); AlgorithmParameterSpec ivParamSpec = new IvParameterSpec(ivBytes);
cipher.init(Cipher.ENCRYPT_MODE, aesKey, ivParamSpec); cipher.init(Cipher.ENCRYPT_MODE, aesKey, ivParamSpec);
return cipher.doFinal(contentBytes); return cipher.doFinal(contentBytes);
@ -124,7 +125,7 @@ public abstract class AesCbcHmacShaEncryptionProvider implements JWEEncryptionPr
private byte[] decryptBytes(byte[] encryptedBytes, byte[] ivBytes, Key aesKey) throws GeneralSecurityException { private byte[] decryptBytes(byte[] encryptedBytes, byte[] ivBytes, Key aesKey) throws GeneralSecurityException {
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS7Padding", "BC"); Cipher cipher = Cipher.getInstance("AES/CBC/PKCS7Padding", BouncyIntegration.PROVIDER);
AlgorithmParameterSpec ivParamSpec = new IvParameterSpec(ivBytes); AlgorithmParameterSpec ivParamSpec = new IvParameterSpec(ivBytes);
cipher.init(Cipher.DECRYPT_MODE, aesKey, ivParamSpec); cipher.init(Cipher.DECRYPT_MODE, aesKey, ivParamSpec);
return cipher.doFinal(encryptedBytes); return cipher.doFinal(encryptedBytes);

5
core/src/main/java/org/keycloak/jose/jwe/enc/AesGcmEncryptionProvider.java
View file

@ -27,6 +27,7 @@ import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec; import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec; import javax.crypto.spec.SecretKeySpec;
import org.keycloak.common.util.BouncyIntegration;
import org.keycloak.jose.jwe.JWE; import org.keycloak.jose.jwe.JWE;
import org.keycloak.jose.jwe.JWEKeyStorage; import org.keycloak.jose.jwe.JWEKeyStorage;
import org.keycloak.jose.jwe.JWEUtils; import org.keycloak.jose.jwe.JWEUtils;
@ -88,7 +89,7 @@ public abstract class AesGcmEncryptionProvider implements JWEEncryptionProvider
} }
private byte[] encryptBytes(byte[] contentBytes, byte[] ivBytes, Key aesKey, byte[] aad) throws GeneralSecurityException { private byte[] encryptBytes(byte[] contentBytes, byte[] ivBytes, Key aesKey, byte[] aad) throws GeneralSecurityException {
Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding", "BC"); Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding", BouncyIntegration.PROVIDER);
GCMParameterSpec gcmParams = new GCMParameterSpec(AUTH_TAG_SIZE_BYTE * 8, ivBytes); GCMParameterSpec gcmParams = new GCMParameterSpec(AUTH_TAG_SIZE_BYTE * 8, ivBytes);
cipher.init(Cipher.ENCRYPT_MODE, aesKey, gcmParams); cipher.init(Cipher.ENCRYPT_MODE, aesKey, gcmParams);
cipher.updateAAD(aad); cipher.updateAAD(aad);
@ -98,7 +99,7 @@ public abstract class AesGcmEncryptionProvider implements JWEEncryptionProvider
} }
private byte[] decryptBytes(byte[] encryptedBytes, byte[] ivBytes, Key aesKey, byte[] aad) throws GeneralSecurityException { private byte[] decryptBytes(byte[] encryptedBytes, byte[] ivBytes, Key aesKey, byte[] aad) throws GeneralSecurityException {
Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding", "BC"); Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding", BouncyIntegration.PROVIDER);
GCMParameterSpec gcmParams = new GCMParameterSpec(AUTH_TAG_SIZE_BYTE * 8, ivBytes); GCMParameterSpec gcmParams = new GCMParameterSpec(AUTH_TAG_SIZE_BYTE * 8, ivBytes);
cipher.init(Cipher.DECRYPT_MODE, aesKey, gcmParams); cipher.init(Cipher.DECRYPT_MODE, aesKey, gcmParams);
cipher.updateAAD(aad); cipher.updateAAD(aad);

7
core/src/test/java/org/keycloak/AtHashTest.java
View file

@ -17,14 +17,11 @@
package org.keycloak; package org.keycloak;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.junit.Assert; import org.junit.Assert;
import org.junit.Test; import org.junit.Test;
import org.keycloak.crypto.Algorithm; import org.keycloak.crypto.Algorithm;
import org.keycloak.jose.jws.crypto.HashUtils; import org.keycloak.jose.jws.crypto.HashUtils;
import java.security.Security;
/** /**
* See "at_hash" in OIDC specification * See "at_hash" in OIDC specification
* *
@ -32,10 +29,6 @@ import java.security.Security;
*/ */
public class AtHashTest { public class AtHashTest {
static {
if (Security.getProvider("BC") == null) Security.addProvider(new BouncyCastleProvider());
}
@Test @Test
public void testAtHashRsa() { public void testAtHashRsa() {
verifyHash(Algorithm.RS256,"jHkWEdUXMU1BwAsC4vtUsZwnNvTIxEl0z9K3vx5KF0Y", "77QmUPtjPfzWtF2AnpK9RQ"); verifyHash(Algorithm.RS256,"jHkWEdUXMU1BwAsC4vtUsZwnNvTIxEl0z9K3vx5KF0Y", "77QmUPtjPfzWtF2AnpK9RQ");

4
core/src/test/java/org/keycloak/RSAVerifierTest.java
View file

@ -70,10 +70,6 @@ public class RSAVerifierTest {
private static X509Certificate[] clientCertificateChain; private static X509Certificate[] clientCertificateChain;
private AccessToken token; private AccessToken token;
static {
if (Security.getProvider("BC") == null) Security.addProvider(new BouncyCastleProvider());
}
public static X509Certificate generateTestCertificate(String subject, String issuer, KeyPair pair) public static X509Certificate generateTestCertificate(String subject, String issuer, KeyPair pair)
throws CertificateException, InvalidKeyException, IOException, throws CertificateException, InvalidKeyException, IOException,
NoSuchProviderException, OperatorCreationException, NoSuchProviderException, OperatorCreationException,

5
core/src/test/java/org/keycloak/jose/jwk/JWKTest.java
View file

@ -21,6 +21,7 @@ import java.util.Arrays;
import java.util.List; import java.util.List;
import org.junit.Test; import org.junit.Test;
import org.keycloak.common.util.Base64Url; import org.keycloak.common.util.Base64Url;
import org.keycloak.common.util.BouncyIntegration;
import org.keycloak.common.util.KeyUtils; import org.keycloak.common.util.KeyUtils;
import org.keycloak.common.util.PemUtils; import org.keycloak.common.util.PemUtils;
import org.keycloak.crypto.JavaAlgorithm; import org.keycloak.crypto.JavaAlgorithm;
@ -128,9 +129,7 @@ public class JWKTest {
@Test @Test
public void publicEs256() throws Exception { public void publicEs256() throws Exception {
Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider()); KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC", BouncyIntegration.PROVIDER);
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC");
SecureRandom randomGen = SecureRandom.getInstance("SHA1PRNG"); SecureRandom randomGen = SecureRandom.getInstance("SHA1PRNG");
ECGenParameterSpec ecSpec = new ECGenParameterSpec("secp256r1"); ECGenParameterSpec ecSpec = new ECGenParameterSpec("secp256r1");
keyGen.initialize(ecSpec, randomGen); keyGen.initialize(ecSpec, randomGen);

2
saml-core/src/main/java/org/keycloak/saml/processing/core/util/ProvidersUtil.java
View file

@ -44,7 +44,7 @@ public class ProvidersUtil {
// register Apache Santuario 1.5.x XMLDSig version // register Apache Santuario 1.5.x XMLDSig version
addXMLDSigRI(); addXMLDSigRI();
// register BC provider if available (to have additional encryption algorithms, etc.) // register BC provider if available (to have additional encryption algorithms, etc.)
addJceProvider("BC", "org.bouncycastle.jce.provider.BouncyCastleProvider"); // addJceProvider("BC", "org.bouncycastle.jce.provider.BouncyCastleProvider");
return true; return true;
} }
}); });

6
server-spi-private/src/main/java/org/keycloak/credential/hash/Pbkdf2PasswordHashProvider.java
View file

@ -18,6 +18,7 @@
package org.keycloak.credential.hash; package org.keycloak.credential.hash;
import org.keycloak.common.util.Base64; import org.keycloak.common.util.Base64;
import org.keycloak.common.util.BouncyIntegration;
import org.keycloak.models.PasswordPolicy; import org.keycloak.models.PasswordPolicy;
import org.keycloak.models.credential.PasswordCredentialModel; import org.keycloak.models.credential.PasswordCredentialModel;
@ -25,6 +26,7 @@ import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec; import javax.crypto.spec.PBEKeySpec;
import java.io.IOException; import java.io.IOException;
import java.security.NoSuchAlgorithmException; import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SecureRandom; import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException; import java.security.spec.InvalidKeySpecException;
import java.security.spec.KeySpec; import java.security.spec.KeySpec;
@ -124,8 +126,8 @@ public class Pbkdf2PasswordHashProvider implements PasswordHashProvider {
private SecretKeyFactory getSecretKeyFactory() { private SecretKeyFactory getSecretKeyFactory() {
try { try {
return SecretKeyFactory.getInstance(pbkdf2Algorithm); return SecretKeyFactory.getInstance(pbkdf2Algorithm, BouncyIntegration.PROVIDER);
} catch (NoSuchAlgorithmException e) { } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
throw new RuntimeException("PBKDF2 algorithm not found", e); throw new RuntimeException("PBKDF2 algorithm not found", e);
} }
} }

5
services/src/main/java/org/keycloak/authentication/authenticators/x509/CertificateValidator.java
View file

@ -21,6 +21,7 @@ package org.keycloak.authentication.authenticators.x509;
import org.apache.http.HttpResponse; import org.apache.http.HttpResponse;
import org.apache.http.client.methods.HttpGet; import org.apache.http.client.methods.HttpGet;
import org.keycloak.common.util.BouncyIntegration;
import org.keycloak.common.util.Time; import org.keycloak.common.util.Time;
import org.keycloak.connections.httpclient.HttpClientProvider; import org.keycloak.connections.httpclient.HttpClientProvider;
import org.keycloak.models.Constants; import org.keycloak.models.Constants;
@ -654,11 +655,11 @@ public class CertificateValidator {
intermediateCerts.add(clientCert); intermediateCerts.add(clientCert);
} }
CertStore intermediateCertStore = CertStore.getInstance("Collection", CertStore intermediateCertStore = CertStore.getInstance("Collection",
new CollectionCertStoreParameters(intermediateCerts), "BC"); new CollectionCertStoreParameters(intermediateCerts), BouncyIntegration.PROVIDER);
pkixParams.addCertStore(intermediateCertStore); pkixParams.addCertStore(intermediateCertStore);
// Build and verify the certification chain // Build and verify the certification chain
CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", "BC"); CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", BouncyIntegration.PROVIDER);
PKIXCertPathBuilderResult result = PKIXCertPathBuilderResult result =
(PKIXCertPathBuilderResult) builder.build(pkixParams); (PKIXCertPathBuilderResult) builder.build(pkixParams);
return result; return result;

11
services/src/main/java/org/keycloak/authentication/authenticators/x509/OCSPUtils.java
View file

@ -78,11 +78,6 @@ import org.apache.http.impl.client.CloseableHttpClient;
public final class OCSPUtils { public final class OCSPUtils {
static {
BouncyIntegration.init();
}
private final static Logger logger = Logger.getLogger(""+OCSPUtils.class); private final static Logger logger = Logger.getLogger(""+OCSPUtils.class);
private static int OCSP_CONNECT_TIMEOUT = 10000; // 10 sec private static int OCSP_CONNECT_TIMEOUT = 10000; // 10 sec
@ -314,7 +309,7 @@ public final class OCSPUtils {
for (X509CertificateHolder certHolder : certs) { for (X509CertificateHolder certHolder : certs) {
try { try {
X509Certificate tempCert = new JcaX509CertificateConverter() X509Certificate tempCert = new JcaX509CertificateConverter()
.setProvider("BC").getCertificate(certHolder); .setProvider(BouncyIntegration.PROVIDER).getCertificate(certHolder);
X500Name respName = new X500Name(tempCert.getSubjectX500Principal().getName()); X500Name respName = new X500Name(tempCert.getSubjectX500Principal().getName());
if (responderName.equals(respName)) { if (responderName.equals(respName)) {
signingCert = tempCert; signingCert = tempCert;
@ -332,7 +327,7 @@ public final class OCSPUtils {
for (X509CertificateHolder certHolder : certs) { for (X509CertificateHolder certHolder : certs) {
try { try {
X509Certificate tempCert = new JcaX509CertificateConverter() X509Certificate tempCert = new JcaX509CertificateConverter()
.setProvider("BC").getCertificate(certHolder); .setProvider(BouncyIntegration.PROVIDER).getCertificate(certHolder);
SubjectKeyIdentifier subjectKeyIdentifier = null; SubjectKeyIdentifier subjectKeyIdentifier = null;
if (certHolder.getExtensions() != null) { if (certHolder.getExtensions() != null) {
@ -452,7 +447,7 @@ public final class OCSPUtils {
private static boolean verifySignature(BasicOCSPResp basicOcspResponse, X509Certificate cert) { private static boolean verifySignature(BasicOCSPResp basicOcspResponse, X509Certificate cert) {
try { try {
ContentVerifierProvider contentVerifier = new JcaContentVerifierProviderBuilder() ContentVerifierProvider contentVerifier = new JcaContentVerifierProviderBuilder()
.setProvider("BC").build(cert.getPublicKey()); .setProvider(BouncyIntegration.PROVIDER).build(cert.getPublicKey());
return basicOcspResponse.isSignatureValid(contentVerifier); return basicOcspResponse.isSignatureValid(contentVerifier);
} catch (OperatorCreationException e) { } catch (OperatorCreationException e) {
logger.log(Level.FINE, "Unable to construct OCSP content signature verifier\n{0}", e.getMessage()); logger.log(Level.FINE, "Unable to construct OCSP content signature verifier\n{0}", e.getMessage());

6
services/src/main/java/org/keycloak/services/resources/admin/ClientAttributeCertificateResource.java
View file

@ -22,6 +22,8 @@ import org.jboss.resteasy.plugins.providers.multipart.InputPart;
import org.jboss.resteasy.plugins.providers.multipart.MultipartFormDataInput; import org.jboss.resteasy.plugins.providers.multipart.MultipartFormDataInput;
import javax.ws.rs.NotAcceptableException; import javax.ws.rs.NotAcceptableException;
import javax.ws.rs.NotFoundException; import javax.ws.rs.NotFoundException;
import org.keycloak.common.util.BouncyIntegration;
import org.keycloak.common.util.PemUtils; import org.keycloak.common.util.PemUtils;
import org.keycloak.common.util.StreamUtil; import org.keycloak.common.util.StreamUtil;
import org.keycloak.events.admin.OperationType; import org.keycloak.events.admin.OperationType;
@ -228,7 +230,7 @@ public class ClientAttributeCertificateResource {
try { try {
KeyStore keyStore = null; KeyStore keyStore = null;
if (keystoreFormat.equals("JKS")) keyStore = KeyStore.getInstance("JKS"); if (keystoreFormat.equals("JKS")) keyStore = KeyStore.getInstance("JKS");
else keyStore = KeyStore.getInstance(keystoreFormat, "BC"); else keyStore = KeyStore.getInstance(keystoreFormat, BouncyIntegration.PROVIDER);
keyStore.load(inputParts.get(0).getBody(InputStream.class, null), storePassword); keyStore.load(inputParts.get(0).getBody(InputStream.class, null), storePassword);
try { try {
privateKey = (PrivateKey)keyStore.getKey(keyAlias, keyPassword); privateKey = (PrivateKey)keyStore.getKey(keyAlias, keyPassword);
@ -332,7 +334,7 @@ public class ClientAttributeCertificateResource {
String format = config.getFormat(); String format = config.getFormat();
KeyStore keyStore; KeyStore keyStore;
if (format.equals("JKS")) keyStore = KeyStore.getInstance("JKS"); if (format.equals("JKS")) keyStore = KeyStore.getInstance("JKS");
else keyStore = KeyStore.getInstance(format, "BC"); else keyStore = KeyStore.getInstance(format, BouncyIntegration.PROVIDER);
keyStore.load(null, null); keyStore.load(null, null);
String keyAlias = config.getKeyAlias(); String keyAlias = config.getKeyAlias();
if (keyAlias == null) keyAlias = client.getClientId(); if (keyAlias == null) keyAlias = client.getClientId();

5
services/src/main/java/org/keycloak/services/x509/NginxProxySslClientCertificateLookup.java
View file

@ -24,6 +24,7 @@ import java.util.Set;
import org.jboss.logging.Logger; import org.jboss.logging.Logger;
import org.jboss.logging.Logger.Level; import org.jboss.logging.Logger.Level;
import org.jboss.resteasy.spi.HttpRequest; import org.jboss.resteasy.spi.HttpRequest;
import org.keycloak.common.util.BouncyIntegration;
import org.keycloak.common.util.PemException; import org.keycloak.common.util.PemException;
import org.keycloak.common.util.PemUtils; import org.keycloak.common.util.PemUtils;
import org.keycloak.models.KeycloakSession; import org.keycloak.models.KeycloakSession;
@ -185,11 +186,11 @@ public class NginxProxySslClientCertificateLookup extends AbstractClientCertific
// Adding the list of intermediate certificates + end user certificate // Adding the list of intermediate certificates + end user certificate
intermediateCerts.add(end_user_auth_cert); intermediateCerts.add(end_user_auth_cert);
CollectionCertStoreParameters intermediateCA_userCert = new CollectionCertStoreParameters(intermediateCerts); CollectionCertStoreParameters intermediateCA_userCert = new CollectionCertStoreParameters(intermediateCerts);
CertStore intermediateCertStore = CertStore.getInstance("Collection", intermediateCA_userCert, "BC"); CertStore intermediateCertStore = CertStore.getInstance("Collection", intermediateCA_userCert, BouncyIntegration.PROVIDER);
pkixParams.addCertStore(intermediateCertStore); pkixParams.addCertStore(intermediateCertStore);
// Build and verify the certification chain (revocation status excluded) // Build and verify the certification chain (revocation status excluded)
CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX","BC"); CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX",BouncyIntegration.PROVIDER);
CertPath certPath = certPathBuilder.build(pkixParams).getCertPath(); CertPath certPath = certPathBuilder.build(pkixParams).getCertPath();
log.debug("Certification path building OK, and contains " + certPath.getCertificates().size() + " X509 Certificates"); log.debug("Certification path building OK, and contains " + certPath.getCertificates().size() + " X509 Certificates");

5
services/src/main/java/org/keycloak/utils/CRLUtils.java
View file

@ -55,11 +55,6 @@ public final class CRLUtils {
private static final Logger log = Logger.getLogger(CRLUtils.class); private static final Logger log = Logger.getLogger(CRLUtils.class);
static {
BouncyIntegration.init();
}
private static final String CRL_DISTRIBUTION_POINTS_OID = "2.5.29.31"; private static final String CRL_DISTRIBUTION_POINTS_OID = "2.5.29.31";
/** /**

47
services/src/test/java/org/keycloak/test/RealmKeyGenerator.java
View file

@ -1,47 +0,0 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.test;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.keycloak.common.util.PemUtils;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
public class RealmKeyGenerator {
static {
if (Security.getProvider("BC") == null) Security.addProvider(new BouncyCastleProvider());
}
public static void main(String[] args) throws Exception {
KeyPair keyPair = null;
try {
keyPair = KeyPairGenerator.getInstance("RSA").generateKeyPair();
} catch (NoSuchAlgorithmException e) {
throw new RuntimeException(e);
}
System.out.println("privateKey : " + PemUtils.encodeKey(keyPair.getPrivate()));
System.out.println("publicKey : " + PemUtils.encodeKey(keyPair.getPublic()));
}
}

13
testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/KeyUtils.java
View file

@ -7,6 +7,7 @@ import org.keycloak.representations.idm.KeysMetadataRepresentation;
import java.security.KeyFactory; import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException; import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey; import java.security.PrivateKey;
import java.security.PublicKey; import java.security.PublicKey;
import java.security.spec.InvalidKeySpecException; import java.security.spec.InvalidKeySpecException;
@ -18,27 +19,23 @@ import java.util.Base64;
* @author mhajas * @author mhajas
*/ */
public class KeyUtils { public class KeyUtils {
static {
BouncyIntegration.init();
}
public static PublicKey publicKeyFromString(String key) { public static PublicKey publicKeyFromString(String key) {
try { try {
KeyFactory kf = KeyFactory.getInstance("RSA"); KeyFactory kf = KeyFactory.getInstance("RSA", BouncyIntegration.PROVIDER);
byte[] encoded = Base64.getDecoder().decode(key); byte[] encoded = Base64.getDecoder().decode(key);
return kf.generatePublic(new X509EncodedKeySpec(encoded)); return kf.generatePublic(new X509EncodedKeySpec(encoded));
} catch (NoSuchAlgorithmException | InvalidKeySpecException e) { } catch (NoSuchAlgorithmException | InvalidKeySpecException | NoSuchProviderException e) {
throw new RuntimeException(e); throw new RuntimeException(e);
} }
} }
public static PrivateKey privateKeyFromString(String key) { public static PrivateKey privateKeyFromString(String key) {
try { try {
KeyFactory kf = KeyFactory.getInstance("RSA"); KeyFactory kf = KeyFactory.getInstance("RSA", BouncyIntegration.PROVIDER);
byte[] encoded = Base64.getDecoder().decode(key); byte[] encoded = Base64.getDecoder().decode(key);
return kf.generatePrivate(new PKCS8EncodedKeySpec(encoded)); return kf.generatePrivate(new PKCS8EncodedKeySpec(encoded));
} catch (NoSuchAlgorithmException | InvalidKeySpecException e) { } catch (NoSuchAlgorithmException | InvalidKeySpecException | NoSuchProviderException e) {
throw new RuntimeException(e); throw new RuntimeException(e);
} }
} }

3
testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/TokenSignatureUtil.java
View file

@ -30,6 +30,7 @@ import org.jboss.logging.Logger;
import org.keycloak.admin.client.Keycloak; import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.resource.ClientResource; import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.common.util.Base64; import org.keycloak.common.util.Base64;
import org.keycloak.common.util.BouncyIntegration;
import org.keycloak.common.util.MultivaluedHashMap; import org.keycloak.common.util.MultivaluedHashMap;
import org.keycloak.crypto.Algorithm; import org.keycloak.crypto.Algorithm;
import org.keycloak.crypto.JavaAlgorithm; import org.keycloak.crypto.JavaAlgorithm;
@ -188,7 +189,7 @@ public class TokenSignatureUtil {
private static Signature getSignature(String sigAlgName) { private static Signature getSignature(String sigAlgName) {
try { try {
// use Bouncy Castle for signature verification intentionally // use Bouncy Castle for signature verification intentionally
Signature signature = Signature.getInstance(JavaAlgorithm.getJavaAlgorithm(sigAlgName), "BC"); Signature signature = Signature.getInstance(JavaAlgorithm.getJavaAlgorithm(sigAlgName), BouncyIntegration.PROVIDER);
return signature; return signature;
} catch (Exception e) { } catch (Exception e) {
throw new RuntimeException(e); throw new RuntimeException(e);

9
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/AbstractClientPoliciesTest.java
View file

@ -188,11 +188,6 @@ public abstract class AbstractClientPoliciesTest extends AbstractKeycloakTest {
private static final ObjectMapper objectMapper = new ObjectMapper(); private static final ObjectMapper objectMapper = new ObjectMapper();
@BeforeClass
public static void beforeClientPoliciesTest() {
BouncyIntegration.init();
}
@Rule @Rule
public AssertEvents events = new AssertEvents(this); public AssertEvents events = new AssertEvents(this);
@ -405,14 +400,14 @@ public abstract class AbstractClientPoliciesTest extends AbstractKeycloakTest {
private PrivateKey decodePrivateKey(byte[] der, String algorithm) throws NoSuchAlgorithmException, InvalidKeySpecException, NoSuchProviderException { private PrivateKey decodePrivateKey(byte[] der, String algorithm) throws NoSuchAlgorithmException, InvalidKeySpecException, NoSuchProviderException {
PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(der); PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(der);
String keyAlg = getKeyAlgorithmFromJwaAlgorithm(algorithm); String keyAlg = getKeyAlgorithmFromJwaAlgorithm(algorithm);
KeyFactory kf = KeyFactory.getInstance(keyAlg, "BC"); KeyFactory kf = KeyFactory.getInstance(keyAlg, BouncyIntegration.PROVIDER);
return kf.generatePrivate(spec); return kf.generatePrivate(spec);
} }
private PublicKey decodePublicKey(byte[] der, String algorithm) throws NoSuchAlgorithmException, InvalidKeySpecException, NoSuchProviderException { private PublicKey decodePublicKey(byte[] der, String algorithm) throws NoSuchAlgorithmException, InvalidKeySpecException, NoSuchProviderException {
X509EncodedKeySpec spec = new X509EncodedKeySpec(der); X509EncodedKeySpec spec = new X509EncodedKeySpec(der);
String keyAlg = getKeyAlgorithmFromJwaAlgorithm(algorithm); String keyAlg = getKeyAlgorithmFromJwaAlgorithm(algorithm);
KeyFactory kf = KeyFactory.getInstance(keyAlg, "BC"); KeyFactory kf = KeyFactory.getInstance(keyAlg, BouncyIntegration.PROVIDER);
return kf.generatePublic(spec); return kf.generatePublic(spec);
} }

23
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AccessTokenTest.java
View file

@ -27,10 +27,8 @@ import org.apache.http.client.methods.HttpPost;
import org.apache.http.impl.client.CloseableHttpClient; import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder; import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.message.BasicNameValuePair; import org.apache.http.message.BasicNameValuePair;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.junit.Assert; import org.junit.Assert;
import org.junit.Before; import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Rule; import org.junit.Rule;
import org.junit.Test; import org.junit.Test;
import org.keycloak.OAuth2Constants; import org.keycloak.OAuth2Constants;
@ -80,6 +78,9 @@ import org.keycloak.testsuite.util.UserBuilder;
import org.keycloak.testsuite.util.UserInfoClientUtil; import org.keycloak.testsuite.util.UserInfoClientUtil;
import org.keycloak.testsuite.util.UserManager; import org.keycloak.testsuite.util.UserManager;
import org.keycloak.util.BasicAuthHelper; import org.keycloak.util.BasicAuthHelper;
import org.keycloak.util.JsonSerialization;
import org.keycloak.util.TokenUtil;
import org.openqa.selenium.By;
import javax.ws.rs.client.Client; import javax.ws.rs.client.Client;
import javax.ws.rs.client.Entity; import javax.ws.rs.client.Entity;
@ -90,34 +91,29 @@ import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder; import javax.ws.rs.core.UriBuilder;
import java.io.IOException; import java.io.IOException;
import java.net.URI; import java.net.URI;
import java.security.Security;
import java.util.LinkedList; import java.util.LinkedList;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
import java.util.concurrent.TimeUnit; import java.util.concurrent.TimeUnit;
import static org.hamcrest.MatcherAssert.assertThat;
import static org.hamcrest.Matchers.allOf; import static org.hamcrest.Matchers.allOf;
import static org.hamcrest.Matchers.greaterThanOrEqualTo; import static org.hamcrest.Matchers.greaterThanOrEqualTo;
import static org.hamcrest.Matchers.lessThanOrEqualTo;
import static org.hamcrest.Matchers.hasItemInArray; import static org.hamcrest.Matchers.hasItemInArray;
import static org.hamcrest.MatcherAssert.assertThat; import static org.hamcrest.Matchers.lessThanOrEqualTo;
import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotEquals; import static org.junit.Assert.assertNotEquals;
import static org.junit.Assert.assertNotNull; import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertNull; import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertTrue; import static org.junit.Assert.assertTrue;
import static org.keycloak.testsuite.Assert.assertExpiration;
import static org.keycloak.testsuite.admin.AbstractAdminTest.loadJson; import static org.keycloak.testsuite.admin.AbstractAdminTest.loadJson;
import static org.keycloak.testsuite.admin.ApiUtil.findClientByClientId; import static org.keycloak.testsuite.admin.ApiUtil.findClientByClientId;
import static org.keycloak.testsuite.admin.ApiUtil.findUserByUsername; import static org.keycloak.testsuite.admin.ApiUtil.findUserByUsername;
import static org.keycloak.testsuite.admin.ApiUtil.findUserByUsernameId; import static org.keycloak.testsuite.admin.ApiUtil.findUserByUsernameId;
import static org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_SSL_REQUIRED;
import static org.keycloak.testsuite.util.OAuthClient.AUTH_SERVER_ROOT; import static org.keycloak.testsuite.util.OAuthClient.AUTH_SERVER_ROOT;
import static org.keycloak.testsuite.util.ProtocolMapperUtil.createRoleNameMapper; import static org.keycloak.testsuite.util.ProtocolMapperUtil.createRoleNameMapper;
import static org.keycloak.testsuite.Assert.assertExpiration; import static org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_SSL_REQUIRED;
import org.keycloak.util.JsonSerialization;
import org.keycloak.util.TokenUtil;
import org.openqa.selenium.By;
/** /**
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a> * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
@ -133,11 +129,6 @@ public class AccessTokenTest extends AbstractKeycloakTest {
super.beforeAbstractKeycloakTest(); super.beforeAbstractKeycloakTest();
} }
@BeforeClass
public static void addBouncyCastleProvider() {
if (Security.getProvider("BC") == null) Security.addProvider(new BouncyCastleProvider());
}
@Before @Before
public void clientConfiguration() { public void clientConfiguration() {
ClientManager.realm(adminClient.realm("test")).clientId("test-app").directAccessGrant(true); ClientManager.realm(adminClient.realm("test")).clientId("test-app").directAccessGrant(true);

18
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ClientAuthSignedJWTTest.java
View file

@ -32,7 +32,6 @@ import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.client.HttpClients; import org.apache.http.impl.client.HttpClients;
import org.apache.http.message.BasicNameValuePair; import org.apache.http.message.BasicNameValuePair;
import org.junit.Before; import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Rule; import org.junit.Rule;
import org.junit.Test; import org.junit.Test;
import org.keycloak.OAuth2Constants; import org.keycloak.OAuth2Constants;
@ -80,6 +79,7 @@ import org.keycloak.testsuite.Assert;
import org.keycloak.testsuite.AssertEvents; import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.admin.ApiUtil; import org.keycloak.testsuite.admin.ApiUtil;
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude; import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude.AuthServer;
import org.keycloak.testsuite.auth.page.AuthRealm; import org.keycloak.testsuite.auth.page.AuthRealm;
import org.keycloak.testsuite.client.resources.TestApplicationResourceUrls; import org.keycloak.testsuite.client.resources.TestApplicationResourceUrls;
import org.keycloak.testsuite.client.resources.TestOIDCEndpointsApplicationResource; import org.keycloak.testsuite.client.resources.TestOIDCEndpointsApplicationResource;
@ -91,6 +91,7 @@ import org.keycloak.testsuite.util.RealmBuilder;
import org.keycloak.testsuite.util.UserBuilder; import org.keycloak.testsuite.util.UserBuilder;
import org.keycloak.util.JsonSerialization; import org.keycloak.util.JsonSerialization;
import javax.ws.rs.core.Response;
import java.io.ByteArrayInputStream; import java.io.ByteArrayInputStream;
import java.io.File; import java.io.File;
import java.io.FileInputStream; import java.io.FileInputStream;
@ -115,15 +116,11 @@ import java.util.List;
import java.util.Map; import java.util.Map;
import java.util.Set; import java.util.Set;
import javax.ws.rs.core.Response;
import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotEquals; import static org.junit.Assert.assertNotEquals;
import static org.junit.Assert.assertNotNull; import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertNull; import static org.junit.Assert.assertNull;
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude.AuthServer;
/** /**
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a> * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
* @author Vaclav Muzikar <vmuzikar@redhat.com> * @author Vaclav Muzikar <vmuzikar@redhat.com>
@ -139,11 +136,6 @@ public class ClientAuthSignedJWTTest extends AbstractKeycloakTest {
private static ClientRepresentation app1, app2, app3; private static ClientRepresentation app1, app2, app3;
private static UserRepresentation defaultUser, serviceAccountUser; private static UserRepresentation defaultUser, serviceAccountUser;
@BeforeClass
public static void beforeClientAuthSignedJWTTest() {
BouncyIntegration.init();
}
@Override @Override
public void beforeAbstractKeycloakTest() throws Exception { public void beforeAbstractKeycloakTest() throws Exception {
super.beforeAbstractKeycloakTest(); super.beforeAbstractKeycloakTest();
@ -1389,7 +1381,7 @@ public class ClientAuthSignedJWTTest extends AbstractKeycloakTest {
} }
private static KeyStore getKeystore(InputStream is, String storePassword, String format) throws Exception { private static KeyStore getKeystore(InputStream is, String storePassword, String format) throws Exception {
KeyStore keyStore = format.equals("JKS") ? KeyStore.getInstance(format) : KeyStore.getInstance(format, "BC"); KeyStore keyStore = format.equals("JKS") ? KeyStore.getInstance(format) : KeyStore.getInstance(format, BouncyIntegration.PROVIDER);
keyStore.load(is, storePassword.toCharArray()); keyStore.load(is, storePassword.toCharArray());
return keyStore; return keyStore;
} }
@ -1462,14 +1454,14 @@ public class ClientAuthSignedJWTTest extends AbstractKeycloakTest {
private static PrivateKey decodePrivateKey(byte[] der, String algorithm) throws NoSuchAlgorithmException, InvalidKeySpecException, NoSuchProviderException { private static PrivateKey decodePrivateKey(byte[] der, String algorithm) throws NoSuchAlgorithmException, InvalidKeySpecException, NoSuchProviderException {
PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(der); PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(der);
String keyAlg = getKeyAlgorithmFromJwaAlgorithm(algorithm); String keyAlg = getKeyAlgorithmFromJwaAlgorithm(algorithm);
KeyFactory kf = KeyFactory.getInstance(keyAlg, "BC"); KeyFactory kf = KeyFactory.getInstance(keyAlg, BouncyIntegration.PROVIDER);
return kf.generatePrivate(spec); return kf.generatePrivate(spec);
} }
private static PublicKey decodePublicKey(byte[] der, String algorithm) throws NoSuchAlgorithmException, InvalidKeySpecException, NoSuchProviderException { private static PublicKey decodePublicKey(byte[] der, String algorithm) throws NoSuchAlgorithmException, InvalidKeySpecException, NoSuchProviderException {
X509EncodedKeySpec spec = new X509EncodedKeySpec(der); X509EncodedKeySpec spec = new X509EncodedKeySpec(der);
String keyAlg = getKeyAlgorithmFromJwaAlgorithm(algorithm); String keyAlg = getKeyAlgorithmFromJwaAlgorithm(algorithm);
KeyFactory kf = KeyFactory.getInstance(keyAlg, "BC"); KeyFactory kf = KeyFactory.getInstance(keyAlg, BouncyIntegration.PROVIDER);
return kf.generatePublic(spec); return kf.generatePublic(spec);
} }

12
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/RefreshTokenTest.java
View file

@ -17,11 +17,9 @@
package org.keycloak.testsuite.oauth; package org.keycloak.testsuite.oauth;
import com.fasterxml.jackson.databind.JsonNode; import com.fasterxml.jackson.databind.JsonNode;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.jboss.arquillian.graphene.page.Page; import org.jboss.arquillian.graphene.page.Page;
import org.junit.Assert; import org.junit.Assert;
import org.junit.Before; import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Rule; import org.junit.Rule;
import org.junit.Test; import org.junit.Test;
import org.keycloak.OAuth2Constants; import org.keycloak.OAuth2Constants;
@ -33,7 +31,6 @@ import org.keycloak.common.enums.SslRequired;
import org.keycloak.crypto.Algorithm; import org.keycloak.crypto.Algorithm;
import org.keycloak.events.Details; import org.keycloak.events.Details;
import org.keycloak.events.Errors; import org.keycloak.events.Errors;
import org.keycloak.events.EventType;
import org.keycloak.jose.jws.JWSHeader; import org.keycloak.jose.jws.JWSHeader;
import org.keycloak.jose.jws.JWSInput; import org.keycloak.jose.jws.JWSInput;
import org.keycloak.models.RealmModel; import org.keycloak.models.RealmModel;
@ -76,7 +73,6 @@ import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response; import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder; import javax.ws.rs.core.UriBuilder;
import java.net.URI; import java.net.URI;
import java.security.Security;
import java.util.List; import java.util.List;
import static org.hamcrest.Matchers.allOf; import static org.hamcrest.Matchers.allOf;
@ -89,14 +85,13 @@ import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotNull; import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertNull; import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertTrue; import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
import static org.keycloak.protocol.oidc.OIDCConfigAttributes.CLIENT_SESSION_IDLE_TIMEOUT; import static org.keycloak.protocol.oidc.OIDCConfigAttributes.CLIENT_SESSION_IDLE_TIMEOUT;
import static org.keycloak.protocol.oidc.OIDCConfigAttributes.CLIENT_SESSION_MAX_LIFESPAN; import static org.keycloak.protocol.oidc.OIDCConfigAttributes.CLIENT_SESSION_MAX_LIFESPAN;
import static org.keycloak.testsuite.Assert.assertExpiration; import static org.keycloak.testsuite.Assert.assertExpiration;
import static org.keycloak.testsuite.admin.AbstractAdminTest.loadJson; import static org.keycloak.testsuite.admin.AbstractAdminTest.loadJson;
import static org.keycloak.testsuite.admin.ApiUtil.findUserByUsername; import static org.keycloak.testsuite.admin.ApiUtil.findUserByUsername;
import static org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_SSL_REQUIRED;
import static org.keycloak.testsuite.util.OAuthClient.AUTH_SERVER_ROOT; import static org.keycloak.testsuite.util.OAuthClient.AUTH_SERVER_ROOT;
import static org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_SSL_REQUIRED;
/** /**
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a> * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
@ -116,11 +111,6 @@ public class RefreshTokenTest extends AbstractKeycloakTest {
super.beforeAbstractKeycloakTest(); super.beforeAbstractKeycloakTest();
} }
@BeforeClass
public static void addBouncyCastleProvider() {
if (Security.getProvider("BC") == null) Security.addProvider(new BouncyCastleProvider());
}
@Before @Before
public void clientConfiguration() { public void clientConfiguration() {
ClientManager.realm(adminClient.realm("test")).clientId("test-app").directAccessGrant(true); ClientManager.realm(adminClient.realm("test")).clientId("test-app").directAccessGrant(true);

12
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ResourceOwnerPasswordCredentialsGrantTest.java
View file

@ -24,7 +24,6 @@ import org.apache.http.client.methods.HttpPost;
import org.apache.http.impl.client.CloseableHttpClient; import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder; import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.message.BasicNameValuePair; import org.apache.http.message.BasicNameValuePair;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.junit.Rule; import org.junit.Rule;
import org.junit.Test; import org.junit.Test;
import org.keycloak.OAuth2Constants; import org.keycloak.OAuth2Constants;
@ -49,7 +48,6 @@ import org.keycloak.representations.AccessToken;
import org.keycloak.representations.RefreshToken; import org.keycloak.representations.RefreshToken;
import org.keycloak.representations.idm.ClientRepresentation; import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.ClientScopeRepresentation; import org.keycloak.representations.idm.ClientScopeRepresentation;
import org.keycloak.representations.idm.EventRepresentation;
import org.keycloak.representations.idm.RealmRepresentation; import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.UserRepresentation; import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.testsuite.AbstractKeycloakTest; import org.keycloak.testsuite.AbstractKeycloakTest;
@ -66,8 +64,10 @@ import org.keycloak.testsuite.util.TokenSignatureUtil;
import org.keycloak.testsuite.util.UserBuilder; import org.keycloak.testsuite.util.UserBuilder;
import org.keycloak.testsuite.util.UserManager; import org.keycloak.testsuite.util.UserManager;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import java.io.UnsupportedEncodingException; import java.io.UnsupportedEncodingException;
import java.security.Security;
import java.util.HashMap; import java.util.HashMap;
import java.util.LinkedList; import java.util.LinkedList;
import java.util.List; import java.util.List;
@ -77,11 +77,6 @@ import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertNull; import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertTrue; import static org.junit.Assert.assertTrue;
import javax.validation.constraints.AssertTrue;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
/** /**
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a> * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
*/ */
@ -101,7 +96,6 @@ public class ResourceOwnerPasswordCredentialsGrantTest extends AbstractKeycloakT
@Override @Override
public void beforeAbstractKeycloakTest() throws Exception { public void beforeAbstractKeycloakTest() throws Exception {
super.beforeAbstractKeycloakTest(); super.beforeAbstractKeycloakTest();
if (Security.getProvider("BC") == null) Security.addProvider(new BouncyCastleProvider());
} }
@Override @Override

13
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCPublicClientTest.java
View file

@ -18,13 +18,8 @@
package org.keycloak.testsuite.oidc; package org.keycloak.testsuite.oidc;
import java.security.Security;
import java.util.List;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.junit.Assert; import org.junit.Assert;
import org.junit.Before; import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Rule; import org.junit.Rule;
import org.junit.Test; import org.junit.Test;
import org.keycloak.OAuth2Constants; import org.keycloak.OAuth2Constants;
@ -39,6 +34,9 @@ import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.admin.ApiUtil; import org.keycloak.testsuite.admin.ApiUtil;
import org.keycloak.testsuite.util.ClientManager; import org.keycloak.testsuite.util.ClientManager;
import org.keycloak.testsuite.util.OAuthClient; import org.keycloak.testsuite.util.OAuthClient;
import java.util.List;
import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull; import static org.junit.Assert.assertNotNull;
import static org.keycloak.testsuite.admin.AbstractAdminTest.loadJson; import static org.keycloak.testsuite.admin.AbstractAdminTest.loadJson;
@ -57,11 +55,6 @@ public class OIDCPublicClientTest extends AbstractKeycloakTest {
super.beforeAbstractKeycloakTest(); super.beforeAbstractKeycloakTest();
} }
@BeforeClass
public static void addBouncyCastleProvider() {
if (Security.getProvider("BC") == null) Security.addProvider(new BouncyCastleProvider());
}
@Before @Before
public void clientConfiguration() { public void clientConfiguration() {
ClientManager.realm(adminClient.realm("test")).clientId("test-app").directAccessGrant(true); ClientManager.realm(adminClient.realm("test")).clientId("test-app").directAccessGrant(true);

14
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/flows/AbstractOIDCResponseTypeTest.java
View file

@ -17,9 +17,7 @@
package org.keycloak.testsuite.oidc.flows; package org.keycloak.testsuite.oidc.flows;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.jboss.arquillian.graphene.page.Page; import org.jboss.arquillian.graphene.page.Page;
import org.junit.BeforeClass;
import org.junit.Rule; import org.junit.Rule;
import org.junit.Test; import org.junit.Test;
import org.keycloak.OAuthErrorException; import org.keycloak.OAuthErrorException;
@ -32,9 +30,9 @@ import org.keycloak.jose.jws.crypto.HashUtils;
import org.keycloak.representations.IDToken; import org.keycloak.representations.IDToken;
import org.keycloak.representations.idm.EventRepresentation; import org.keycloak.representations.idm.EventRepresentation;
import org.keycloak.representations.idm.RealmRepresentation; import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.testsuite.AbstractTestRealmKeycloakTest;
import org.keycloak.testsuite.Assert; import org.keycloak.testsuite.Assert;
import org.keycloak.testsuite.AssertEvents; import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.AbstractTestRealmKeycloakTest;
import org.keycloak.testsuite.admin.AbstractAdminTest; import org.keycloak.testsuite.admin.AbstractAdminTest;
import org.keycloak.testsuite.admin.ApiUtil; import org.keycloak.testsuite.admin.ApiUtil;
import org.keycloak.testsuite.pages.AppPage; import org.keycloak.testsuite.pages.AppPage;
@ -45,13 +43,12 @@ import org.keycloak.testsuite.util.TokenSignatureUtil;
import javax.ws.rs.core.UriBuilder; import javax.ws.rs.core.UriBuilder;
import java.io.IOException; import java.io.IOException;
import java.security.Security;
import java.util.List; import java.util.List;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNull; import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertTrue;
/** /**
* Abstract test for various values of response_type * Abstract test for various values of response_type
@ -60,11 +57,6 @@ import static org.junit.Assert.assertNull;
*/ */
public abstract class AbstractOIDCResponseTypeTest extends AbstractTestRealmKeycloakTest { public abstract class AbstractOIDCResponseTypeTest extends AbstractTestRealmKeycloakTest {
@BeforeClass
public static void addBouncyCastleProvider() {
if (Security.getProvider("BC") == null) Security.addProvider(new BouncyCastleProvider());
}
@Rule @Rule
public AssertEvents events = new AssertEvents(this); public AssertEvents events = new AssertEvents(this);