Merge pull request #1207 from patriot1burke/master

bump default key sizes

broker/saml/src/main/java/org/keycloak/broker/saml/SAMLEndpoint.java

@@ -42,15 +42,13 @@ import org.keycloak.saml.processing.core.saml.v2.constants.X500SAMLProfileConsta
 import org.keycloak.saml.processing.core.util.JAXPValidationUtil;
 import org.keycloak.saml.processing.core.util.XMLEncryptionUtil;
 import org.keycloak.saml.processing.core.util.XMLSignatureUtil;
+import org.keycloak.saml.processing.web.util.PostBindingUtil;
 import org.keycloak.services.ErrorPage;
 import org.keycloak.services.managers.AuthenticationManager;
 import org.keycloak.services.messages.Messages;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
-import org.keycloak.services.ErrorPage;
-import org.keycloak.services.managers.AuthenticationManager;
-import org.keycloak.services.messages.Messages;
 
 import javax.ws.rs.Consumes;
 import javax.ws.rs.FormParam;
@@ -447,7 +445,9 @@ public class SAMLEndpoint {
         }
         @Override
         protected SAMLDocumentHolder extractResponseDocument(String response) {
-            return SAMLRequestParser.parseResponsePostBinding(response);
+            byte[] samlBytes = PostBindingUtil.base64Decode(response);
+            String xml = new String(samlBytes);
+            return SAMLRequestParser.parseResponseDocument(samlBytes);
         }
 
         @Override

model/api/src/main/java/org/keycloak/models/utils/KeycloakModelUtils.java

@@ -111,7 +111,9 @@ public final class KeycloakModelUtils {
     public static void generateRealmKeys(RealmModel realm) {
         KeyPair keyPair = null;
         try {
-            keyPair = KeyPairGenerator.getInstance("RSA").generateKeyPair();
+            KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
+            generator.initialize(2048);
+            keyPair = generator.generateKeyPair();
         } catch (NoSuchAlgorithmException e) {
             throw new RuntimeException(e);
         }
@@ -142,7 +144,9 @@ public final class KeycloakModelUtils {
         String subject = client.getClientId();
         KeyPair keyPair = null;
         try {
-            keyPair = KeyPairGenerator.getInstance("RSA").generateKeyPair();
+            KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
+            generator.initialize(2048);
+            keyPair = generator.generateKeyPair();
         } catch (NoSuchAlgorithmException e) {
             throw new RuntimeException(e);
         }

proxy/proxy-server/src/main/java/org/keycloak/proxy/ProxyServerBuilder.java

@@ -417,7 +417,9 @@ public class ProxyServerBuilder {
                 log.warn("Generating temporary SSL cert");
                 KeyPair keyPair = null;
                 try {
-                    keyPair = KeyPairGenerator.getInstance("RSA").generateKeyPair();
+                    KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
+                    generator.initialize(2048);
+                    keyPair = generator.generateKeyPair();
                 } catch (NoSuchAlgorithmException e) {
                     throw new RuntimeException(e);
                 }

saml/saml-core/src/main/java/org/keycloak/saml/processing/core/util/KeyStoreUtil.java

@@ -119,20 +119,6 @@ public class KeyStoreUtil {
         return ks;
     }
 
-    /**
-     * Generate a Key Pair
-     *
-     * @param algo (RSA, DSA etc)
-     *
-     * @return
-     *
-     * @throws GeneralSecurityException
-     */
-    public static KeyPair generateKeyPair(String algo) throws GeneralSecurityException {
-        KeyPairGenerator kpg = KeyPairGenerator.getInstance(algo);
-        return kpg.genKeyPair();
-    }
-
     /**
      * Get the Public Key from the keystore
      *

saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAMLRequestParser.java

@@ -47,9 +47,12 @@ public class SAMLRequestParser {
     }
 
     public static SAMLDocumentHolder parseResponsePostBinding(String samlMessage) {
-        InputStream is;
         byte[] samlBytes = PostBindingUtil.base64Decode(samlMessage);
-        is = new ByteArrayInputStream(samlBytes);
+        return parseResponseDocument(samlBytes);
+    }
+
+    public static SAMLDocumentHolder parseResponseDocument(byte[] samlBytes) {
+        InputStream is = new ByteArrayInputStream(samlBytes);
         SAML2Response response = new SAML2Response();
         try {
             response.getSAML2ObjectFromStream(is);
@@ -61,8 +64,7 @@ public class SAMLRequestParser {
     }
 
     public static SAMLDocumentHolder parseResponseRedirectBinding(String samlMessage) {
-        InputStream is;
+        InputStream is = RedirectBindingUtil.base64DeflateDecode(samlMessage);
-        is = RedirectBindingUtil.base64DeflateDecode(samlMessage);
         SAML2Response response = new SAML2Response();
         try {
             response.getSAML2ObjectFromStream(is);

services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java

@@ -154,7 +154,7 @@ public class TokenManager {
                 throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Invalid refresh token");
             }
             refreshToken = jws.readJsonContent(RefreshToken.class);
-        } catch (IOException e) {
+        } catch (Exception e) {
             throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Invalid refresh token", e);
         }
         if (refreshToken.isExpired()) {

services/src/main/java/org/keycloak/services/resources/admin/ClientAttributeCertificateResource.java

@@ -111,7 +111,9 @@ public class ClientAttributeCertificateResource {
         String subject = client.getClientId();
         KeyPair keyPair = null;
         try {
-            keyPair = KeyPairGenerator.getInstance("RSA").generateKeyPair();
+            KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
+            generator.initialize(2048);
+            keyPair = generator.generateKeyPair();
         } catch (NoSuchAlgorithmException e) {
             throw new RuntimeException(e);
         }