Merge pull request #5009 from pedroigor/KEYCLOAK-6116

[KEYCLOAK-6116] - Get email attribute from 'subject alternative name' using X509 certificate
This commit is contained in:
Pedro Igor 2018-03-12 09:58:02 -03:00 committed by GitHub
commit f824582aac
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
38 changed files with 2639 additions and 6 deletions

View file

@ -57,6 +57,7 @@ public abstract class AbstractX509ClientCertificateAuthenticator implements Auth
public static final String MAPPING_SOURCE_SELECTION = "x509-cert-auth.mapping-source-selection"; public static final String MAPPING_SOURCE_SELECTION = "x509-cert-auth.mapping-source-selection";
public static final String MAPPING_SOURCE_CERT_SUBJECTDN = "Match SubjectDN using regular expression"; public static final String MAPPING_SOURCE_CERT_SUBJECTDN = "Match SubjectDN using regular expression";
public static final String MAPPING_SOURCE_CERT_SUBJECTDN_EMAIL = "Subject's e-mail"; public static final String MAPPING_SOURCE_CERT_SUBJECTDN_EMAIL = "Subject's e-mail";
public static final String MAPPING_SOURCE_CERT_SUBJECTALTNAME_EMAIL = "Subject's Alternative Name E-mail";
public static final String MAPPING_SOURCE_CERT_SUBJECTDN_CN = "Subject's Common Name"; public static final String MAPPING_SOURCE_CERT_SUBJECTDN_CN = "Subject's Common Name";
public static final String MAPPING_SOURCE_CERT_ISSUERDN = "Match IssuerDN using regular expression"; public static final String MAPPING_SOURCE_CERT_ISSUERDN = "Match IssuerDN using regular expression";
public static final String MAPPING_SOURCE_CERT_ISSUERDN_EMAIL = "Issuer's e-mail"; public static final String MAPPING_SOURCE_CERT_ISSUERDN_EMAIL = "Issuer's e-mail";
@ -146,6 +147,9 @@ public abstract class AbstractX509ClientCertificateAuthenticator implements Auth
.either(UserIdentityExtractor.getX500NameExtractor(BCStyle.EmailAddress, subject)) .either(UserIdentityExtractor.getX500NameExtractor(BCStyle.EmailAddress, subject))
.or(UserIdentityExtractor.getX500NameExtractor(BCStyle.E, subject)); .or(UserIdentityExtractor.getX500NameExtractor(BCStyle.E, subject));
break; break;
case SUBJECTALTNAME_EMAIL:
extractor = UserIdentityExtractor.getSubjectAltNameExtractor(1);
break;
case ISSUERDN_CN: case ISSUERDN_CN:
extractor = UserIdentityExtractor.getX500NameExtractor(BCStyle.CN, issuer); extractor = UserIdentityExtractor.getX500NameExtractor(BCStyle.CN, issuer);
break; break;

View file

@ -43,6 +43,7 @@ import static org.keycloak.authentication.authenticators.x509.AbstractX509Client
import static org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.MAPPING_SOURCE_CERT_ISSUERDN_CN; import static org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.MAPPING_SOURCE_CERT_ISSUERDN_CN;
import static org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.MAPPING_SOURCE_CERT_ISSUERDN_EMAIL; import static org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.MAPPING_SOURCE_CERT_ISSUERDN_EMAIL;
import static org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.MAPPING_SOURCE_CERT_SERIALNUMBER; import static org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.MAPPING_SOURCE_CERT_SERIALNUMBER;
import static org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.MAPPING_SOURCE_CERT_SUBJECTALTNAME_EMAIL;
import static org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.MAPPING_SOURCE_CERT_SUBJECTDN; import static org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.MAPPING_SOURCE_CERT_SUBJECTDN;
import static org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.MAPPING_SOURCE_CERT_SUBJECTDN_CN; import static org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.MAPPING_SOURCE_CERT_SUBJECTDN_CN;
import static org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.MAPPING_SOURCE_CERT_SUBJECTDN_EMAIL; import static org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.MAPPING_SOURCE_CERT_SUBJECTDN_EMAIL;
@ -68,6 +69,7 @@ public abstract class AbstractX509ClientCertificateAuthenticatorFactory implemen
private static final String[] mappingSources = { private static final String[] mappingSources = {
MAPPING_SOURCE_CERT_SUBJECTDN, MAPPING_SOURCE_CERT_SUBJECTDN,
MAPPING_SOURCE_CERT_SUBJECTDN_EMAIL, MAPPING_SOURCE_CERT_SUBJECTDN_EMAIL,
MAPPING_SOURCE_CERT_SUBJECTALTNAME_EMAIL,
MAPPING_SOURCE_CERT_SUBJECTDN_CN, MAPPING_SOURCE_CERT_SUBJECTDN_CN,
MAPPING_SOURCE_CERT_ISSUERDN, MAPPING_SOURCE_CERT_ISSUERDN,
MAPPING_SOURCE_CERT_ISSUERDN_EMAIL, MAPPING_SOURCE_CERT_ISSUERDN_EMAIL,

View file

@ -25,7 +25,11 @@ import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.style.IETFUtils; import org.bouncycastle.asn1.x500.style.IETFUtils;
import org.keycloak.services.ServicesLogger; import org.keycloak.services.ServicesLogger;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate; import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.function.Function; import java.util.function.Function;
import java.util.regex.Matcher; import java.util.regex.Matcher;
import java.util.regex.Pattern; import java.util.regex.Pattern;
@ -92,6 +96,52 @@ public abstract class UserIdentityExtractor {
} }
} }
/**
* Extracts the subject identifier from the subjectAltName extension.
*/
static class SubjectAltNameExtractor extends UserIdentityExtractor {
private final int generalName;
/**
* Creates a new instance
*
* @param generalName an integer representing the general name. See {@link X509Certificate#getSubjectAlternativeNames()}
*/
SubjectAltNameExtractor(int generalName) {
this.generalName = generalName;
}
@Override
public Object extractUserIdentity(X509Certificate[] certs) {
if (certs == null || certs.length == 0) {
throw new IllegalArgumentException();
}
try {
Collection<List<?>> subjectAlternativeNames = certs[0].getSubjectAlternativeNames();
if (subjectAlternativeNames == null) {
return null;
}
Iterator<List<?>> iterator = subjectAlternativeNames.iterator();
while (iterator.hasNext()) {
List<?> next = iterator.next();
if (Integer.class.cast(next.get(0)) == generalName) {
return next.get(1);
}
}
} catch (CertificateParsingException cause) {
logger.errorf(cause, "Failed to obtain identity from subjectAltName extension");
}
return null;
}
}
static class PatternMatcher extends UserIdentityExtractor { static class PatternMatcher extends UserIdentityExtractor {
private final String _pattern; private final String _pattern;
private final Function<X509Certificate[],String> _f; private final Function<X509Certificate[],String> _f;
@ -143,6 +193,16 @@ public abstract class UserIdentityExtractor {
return new X500NameRDNExtractor(identifier, x500Name); return new X500NameRDNExtractor(identifier, x500Name);
} }
/**
* Obtains the subjectAltName given a <code>generalName</code>.
*
* @param generalName an integer representing the general name. See {@link X509Certificate#getSubjectAlternativeNames()}
* @return the value from the subjectAltName extension
*/
public static SubjectAltNameExtractor getSubjectAltNameExtractor(int generalName) {
return new SubjectAltNameExtractor(generalName);
}
public static OrBuilder either(UserIdentityExtractor extractor) { public static OrBuilder either(UserIdentityExtractor extractor) {
return new OrBuilder(extractor); return new OrBuilder(extractor);
} }

View file

@ -60,6 +60,7 @@ public class X509AuthenticatorConfigModel extends AuthenticatorConfigModel {
ISSUERDN(MAPPING_SOURCE_CERT_ISSUERDN), ISSUERDN(MAPPING_SOURCE_CERT_ISSUERDN),
SUBJECTDN_CN(MAPPING_SOURCE_CERT_SUBJECTDN_CN), SUBJECTDN_CN(MAPPING_SOURCE_CERT_SUBJECTDN_CN),
SUBJECTDN_EMAIL(MAPPING_SOURCE_CERT_SUBJECTDN_EMAIL), SUBJECTDN_EMAIL(MAPPING_SOURCE_CERT_SUBJECTDN_EMAIL),
SUBJECTALTNAME_EMAIL(MAPPING_SOURCE_CERT_SUBJECTALTNAME_EMAIL),
SUBJECTDN(MAPPING_SOURCE_CERT_SUBJECTDN); SUBJECTDN(MAPPING_SOURCE_CERT_SUBJECTDN);
private String name; private String name;

View file

@ -0,0 +1,8 @@
# Keycloak Arquillian Integration Testsuite
This directory contains a OpenSSL CA and Intermediate CA that can be used to manage certificates.
## Passwords
Passwords for any key file is `password`.

View file

@ -0,0 +1,35 @@
-----BEGIN CERTIFICATE-----
MIIF/jCCA+agAwIBAgIJAOMEN39fZf7uMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD
VQQGEwJVUzELMAkGA1UECAwCTUExDzANBgNVBAcMBkJvc3RvbjEQMA4GA1UECgwH
UmVkIEhhdDERMA8GA1UECwwIS2V5Y2xvYWsxFDASBgNVBAMMC0tleWNsb2FrIENB
MSMwIQYJKoZIhvcNAQkBFhRjb250YWN0QGtleWNsb2FrLm9yZzAeFw0xODAyMjAx
OTQ3NTFaFw00NTA3MDgxOTQ3NTFaMIGLMQswCQYDVQQGEwJVUzELMAkGA1UECAwC
TUExDzANBgNVBAcMBkJvc3RvbjEQMA4GA1UECgwHUmVkIEhhdDERMA8GA1UECwwI
S2V5Y2xvYWsxFDASBgNVBAMMC0tleWNsb2FrIENBMSMwIQYJKoZIhvcNAQkBFhRj
b250YWN0QGtleWNsb2FrLm9yZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC
ggIBAJlGjg05FzCm3f3YdIbMHNYuORfiP2n6YhX7vQyDjF/4gh7EYEYgE7spJ864
/DySQenJ55Jn22K/1MQ1rOHcqfTioIgN3eEAyyuMDx60KU3frMBRYeCgLJVZQHr0
6x+Sh/+SbbIYq/558+g/6PSZjmPBindHsPzGuBPaLOW4Jz47CA73L/su2qnJGeAi
UaK/tXmANs1bqJbiNRDr9IJFkdusx1mql2ElfknJT8U+LBPOOID/S7Xd83SKtpFI
Q8Vikb6C0SKnopOJiG2uWg5g7CYlNYxJpAM25zhDqp71bl8zOsIL2tFfUAvvoBnh
N31kDIl8RZJ5ELnh+t5SCfwbgdfMzS7uht8qVTeZ0/BG80Lzl1gfzNR8q45gsKC9
7mg7Voj68kt2aZr+E3Ng1guK69gePMxCpqLyjwlKz187mNUme+zxg2gL2egs4M6u
ffqsEd0c5QryrRSTcIXi8Bim6PDhL93dBsenAIg25DOJNA6Vt2LELoe9w0TkL48U
wUvU6GYB7/zM/z3EW45ZkRhHWK+HZppqDAb05lgJeeKUxxdUSy+ot7ls6cSqACYo
fVjPoVHPD5Ncx+6NGHPGM5N3FGvMMh64PYpChyVWDTEfrZIS7Yyj9Iz/2eCxV3cO
cO4bU0K6kx/dWRic5B5ymVtRME93+Of/hQuta4uLhlo8ZxRpAgMBAAGjYzBhMB0G
A1UdDgQWBBQiuPS7cwDHKT+TgKX2HFICast6UjAfBgNVHSMEGDAWgBQiuPS7cwDH
KT+TgKX2HFICast6UjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAN
BgkqhkiG9w0BAQsFAAOCAgEAVCVXdx79ooKyOaL+S49S4agP7mE4IxuDefDwQ2dm
996wpk3nntg0y54Auu1Y2plJirBhTvYZ1RedLNBMVBypm6BQpNn37u5TI39/FYso
GFPINu1EzLTYl0bFKc0w7UFlFusje9zXLWISm8uTNzxJ1RGLrcnv9gfiXPKxAmN0
cz9WY0vm+0+OV50HvLyUyqGKxyWmt2ek4jV+oEhsMMSO/MVNNXHEo2MAGcA23XPe
7FZkiFB1suDIMzzUFCrRBtoZjYSUeyN9Pd0Yg3twl96CLqld4xFjsKMIsz0ACGRI
8OpzeHAsePH4yS94E6nLwWH9YTi6pgTtoXSaVBLvIYpVHi8UAyIBFNqLMCukoq0O
BlOdkO0zescmpEtp8GiUWMuB7x+kkaSxmsujEfL3mRWshkqaz/ZHPKXaNtPBUtIM
jQnTMBF/wQjZxCGAps8dOMZ9pYnZcmVz0KeXpBJe1j+47MhItgt1wQNoyr4iBaxE
3fAF/Arr/IZtIf0erXOjc7P6dEQW+WiKWvEA5Mp+4tV3Zj2pwSSX5bKDKx4RAkoW
1jLTE1KN5RWvF8phStLty83gTd5wgykFSl65Lu7KIBW9HH3LIK46fb+cOBOZfSn3
mdQXrbuXNUXgbhrsetnBfPNMAkJjaBQLNTxebIvXndiTIEsWqHS7h1x+kBkDOKhw
SCc=
-----END CERTIFICATE-----

View file

@ -0,0 +1,38 @@
-----BEGIN CERTIFICATE-----
MIIGtDCCBJygAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgYcxCzAJBgNVBAYTAlVT
MQswCQYDVQQIDAJNQTEQMA4GA1UECgwHUmVkIEhhdDERMA8GA1UECwwIS2V5Y2xv
YWsxITAfBgNVBAMMGEtleWNsb2FrIEludGVybWVkaWF0ZSBDQTEjMCEGCSqGSIb3
DQEJARYUY29udGFjdEBrZXljbG9hay5vcmcwHhcNMTgwMjIwMjAwNzMwWhcNNDUw
NzA4MjAwNzMwWjBkMQswCQYDVQQGEwJVUzELMAkGA1UECAwCTUExDzANBgNVBAcM
BkJvc3RvbjEQMA4GA1UECgwHUmVkIEhhdDERMA8GA1UECwwIS2V5Y2xvYWsxEjAQ
BgNVBAMMCXRlc3QtdXNlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB
AOmK2D4VdRvGOUjAPWXol5/hkMwCNKXgO0ZrgTmBrzIn8F8O/QCYvkNgRATIBIN2
+nNK+Pej96tHHzhPC07O7KMDLncjSEjjmZ2xmvh2FjPr+xooT+x0mzv3a9MhVCYj
WHM7x+LWuAAMne4xPx14AMVZa+P7YTmzabbMWHM9g9Itxjyl/jpkt9LmWsZh2Xvt
96NgP4CG1Vegml0nNnR6AIwKlKl2x5NMuXrhCs2yn0PrSVwzHsdIajqaTDGedwhW
pLzCy//k3KLT9ydRahhbUKWK48DPLf+cJubVGcE/hdiAQqA1C/3Um/kXR1PcIjG3
YLeXavhmT/7H53lRe1mdHmUn1b7Vr6oYX7uln8wZqBMvceOK23wkKY970j2N46Uj
ABcw9fnUckKYgjpv8I029PgnIgBjX3rZyMmRB8Khw+McVIx0DsFx7oJcc5ZV16RM
4tHx107F084OBkDkqJ0k42pw1gpsovln+PVKGetBGFbAAsNwMMZxmJT/r1RVWk4u
pe/HfzWz1PvwcTjaRD8MzhC16xOr7HR8uDRDFU40+X5mkEJkzvT5+ih7a64TsQNZ
uU/Dx3j5ncYptLMl0FvzlNlfDkZ3XCUQfkr9o/nxdq9DTBGpy6nMaC5BMf8PKzjX
C6lioUBQTFJGrHsc59PTI0GSOXkls/gO494SmbIkCmarAgMBAAGjggFKMIIBRjAJ
BgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIFoDAzBglghkgBhvhCAQ0EJhYkT3Bl
blNTTCBHZW5lcmF0ZWQgQ2xpZW50IENlcnRpZmljYXRlMB0GA1UdDgQWBBT6Y/aV
XWxkiC3QOuN6nKCjZgRdbTAfBgNVHSMEGDAWgBRHEnyJC0dXGVQK9QMEzZ+GopZ2
lDAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwME
MCoGA1UdHwQjMCEwH6AdoBuGGWh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC9jcmwwNgYI
KwYBBQUHAQEEKjAoMCYGCCsGAQUFBzABhhpodHRwOi8vbG9jYWxob3N0Ojg4ODgv
b3NjcDAeBgNVHREEFzAVgRN0ZXN0LXVzZXJAbG9jYWxob3N0MA0GCSqGSIb3DQEB
CwUAA4ICAQCiKCFfS/CxkFcPqu4Xg2bSxd0ge5oXYOtkr5Pe6C6nMXjvSirHTWiX
eUkxB+8FrU7TZGVUalbROsdZLCaOwPD5Xed7fjRoOKiAk7/JZxkIBjz8q9uAOXql
fFZOwrAe5DHGaux/hZBmDLc/JRy5eZY5NsW/YfP5WhhZr/zsi1R0Fxkd3QsSr5yl
SDyaq3yKWAojkGMSmsYsisPL2LXJlEz961YNtok22fTd7mlSREFL13/RcXf/Fegi
2pjhGwrLjILkil1PTdbxOav6H1UScX2Q2S13rmJmPjmAVcHQAPd/UAQN2n0MLGzB
iyFT5b7q97vgPCRAzGNE/t9So687bgw+CMPDGprz2yt1StTJnbDbWfgOZk1aj7Y8
p8TJ2zmifD8VlAfa7+RDeNIfnSMI6Zh7vJWG0IxttKcrPNZxqfoTQKRTZBz1lOGE
Q06Cs/We6YKWctpf/5UPE29ncjLkT9XX9yqyNKLJnQWlcfltSyDRUTmhNsbhI/Pl
fxNceHMSY7ewkvfQ0FQMOj4HuXYGaTNfOknTRMRue2gmj0ezH0yxwmLsZShRgKmx
+rEdeplmwKaFRQcQc8TYGmws3uICUf5KbcL4pt2Pi0Yy2hjc/jCrf4RUw/trtwPJ
7xk/PGGFQBWwzCmZP86ZPUL3BaWOQWauNl8XWCLC9xx9e+mkaUI50w==
-----END CERTIFICATE-----

View file

@ -0,0 +1,54 @@
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,58507FBFA90F44D96D42E8ED4989032F
eO/DUxz7PGUmyv6Nu89tWvad4O2Jzdr6kNCMsRcaG1JFJsMdGUNtuXjKyEaIKo9B
MLXAoFgtyW4t0TozNVzsS8mSwkU9eOP+cAGLReoHZ8C+w5y+Dm7Kuc37X+HF0HCL
4UkfNGKwgVJuXbVFVTTRVypB0Ul9Q2s43iN0YUfsYK333FHdDHxYyk7X+zvbposO
Q33oFsa0D4Ga2VdE8FQX5pDBqPOjXt8a3LaZxi5r8pZDRY+mcE04qnZLdUk6jCeQ
u4zHjsn/F+aW+EhAHH9vAwHLJ7lQOBtsdGxj2QXUAnU3LnRs2XxvYtZbxkG/p4sb
FCAP57bBxmkL51RJTM4fgnq/b1JRtGwS1kRbHSiKTnrDO8JHcmILKSoIUG9IcwNp
SFcKVZiabEdNSAiY9J+nvZMR8d946SqAQ/kA2Z7WH/6pbs4pd0ODIpYbNYwUfPcP
51tQI/fna2fyvGA0xxr5MUi3Ua8kp9KmoZaX+ghjwh8QLa82mcvOjbYaV6c2OT4m
92Eq7Si+u82fq2l5TjmKXLT5dwAUqZU1GnbG2Qd7/HW2h7PFIuReITL9UZhbCMoi
zOSz3wKniP/npE+I4+hYTRxKaV2mkAd1FC4+QhSZbmupf3WOxbtaJP6V8gd4BgRQ
O6mN9BvXYihSWyn7zQ/4MuGq5/k+XmTsxhfPZ7KW7DyeDGdl7qTcW5I7k+i6Lnh6
YozNJn+CVQnZ67x4OhkQ9GQSBkEXudGurzWOJ3xNHOMtAGfQZRjHepcf1TeRN8C1
voyY0Yx4V95XfbCMzbQckxhDigHJqCBk0bewp0LYXbn0traawZXNJ9nZHDFMyuX9
Oztjx5cFdH/kxSjy0Qquzy9rtEzw72CnBw/AisaGMkMaxQWP92n0hav5XSKg5eD3
OD42fsFWvbTN12kFXETDeQGuSJoJ3X2R9UnG2GL1Uc4lEFOu7LVpQX1hVi0qJjsv
NqFO/4pbB+IpwwHV/6Nh7hwBXQVXKcGq3fq9+iCWk4hmZLutTSrsdsLWyqxF+r+1
a3mk2nZgpTVkmfNsOf7vY1R4fWkUu7M7Pb0R0eQ9vG8w7Aodym6snkxdZBwl09TM
YpxofsvgVGcteZWK7hgESODpBklZstNXOIk4hsDhm8+PPfWuOndBEkocAf0D/4OE
lPGcdG9gTc8HOiJLtK8QSJUbtfauJHqp9Dzkc3qNZuSTwwCvk4v2oYV7FrCzZfcC
yPgN2AhOx8EDT3vx2IV62dbHeamWlT+hpdCIiEXnyL5MVBvO3Td+g3BM+RRVSmaB
ZBgfZaFjlZvDDeqH8eOGNoKN06tGdpxeGJaPr5G3ksrmupBVB1Gay+T98Kux4zAk
fw0oFPDEyRiup+iOXpltRtP7d3SH7ngjapm6aDBs2weWrnLrcjZx5iyOed8z8zWG
Ygmar31qn0qMUf/8HZb4c3DYkc1mjpKZLQnyouP82p++1VTN8S27Kf06eTob5zYa
pWhCDHPWA8FFNF9d1zgSTBLEFawryM59rLJteg7G7yiSN43OBk7THNI2OwK8y2Mv
KvwMoyStvMbiMn4qVR8mcnLrAYUd2RhuDGX3NOExI+9EBSGpwUP22I/nQ9HRlJ9D
OoKaTIdqv0twC3QYIbYf6RUngD2Yzo8ie9Ys31dZqJidSRj9xnpkb8Xe4S5J2Sxm
HP7VJsjjlPH9X+Q+xRWqwvzPi/hDBozo5GR1wrLGOVTRSYsXHjrULu+ael+65m+m
VXg8Ufzl1j/8KttWjvHOi3RJuusOx8Z6U3E/9YoVCqyuR3rXX7ILHq6UrOLPmLhg
cOyZy3LJXH2MpLbfhVQ6C5xKUJLQm88FBzdfKTt5aSCHzGa0nmT+qzu+x/s4B37H
hk9/B0W6hUf8TCy8YYRx7vK6IKpo4qVG3R0n/brtWtw5fYCYHna1qPknQWzROUeK
2sLW1Xv7Tk1koGcDs4Xv6p3jVCgAYE3DsubqGu7y9j49t9D08IukOMbtY6tc5+b6
zIrZfz8+XpdM9BmQ+5N5yVv2Ut0t7SGoEQ+pHOwsBu2H2dcW+DdfwyCk7izC0eUR
Fkv//R+uTaX4g3WSI3++ghDtQlcRf0nFn3c3uCK4HSP2E6doPQuuguKXXnJ+syDD
rsUZUV0Ia8X8ZCLkza7WfFgoJ2hXe6rehU7YLnvBekCMu0S99/a/oJ3t/JJFB0LF
5aw9nSlunrcCce9umPwKxc2pMcrIEAAjmmUhXza3LgHJsDiYYSDDo2e1Cbb5j61s
qCbFxB+WFYc2rRnzK/CLIDhIayWcwyelHAelpQOQ+gReh7ZZSSu5c0Rl9brTZ9tN
HfMPY5/6eBbASXxA9BStFbasLnlOARojkRgEAMOMv4ZyN4gn949Dd3nwC4gr9f++
IjqV/YgQOKtL4rOMgvLvb5Y0rhDFOiXTdpZBqhk/6bZo1T2j4ts72FdkAmr2u5gp
VxVyLv8L/KJv8jKqGbqJeMntarl30wfq4SRNe5te81DbSWrUGaQQyYqLL0/ixL2F
E6O+0bajYmrz45ZGhJqXJRxnlwyDWL1kPy+f8IlItyXp72WqHqKb/IyImvHgxnnm
IDv06cjX1LvX+fO3B2/9AveksSqnifrMBRjtFhRxTHdLEt9E1kSOJMb4tOlm/QpI
UQV0HkQRsUE3F6N7OEmfuA88jwiNRTSjl6WbFQ0O01lKFeKmy4cPJfnSOvHNL34Z
zztSboe9Red6qXzkR1mjh8BO/5Nu2ihlk8spqxNFUoPteUU57KITanXr63IudaSX
hDA7viBAqcmjPy/j4YY0UVvvWBCqIK0ejcEghxHJak/n3qpiSm0mYMMubi51O5UT
rxzZ9aqVfw4zmmZqrh+UIAwHJRpQw+zmXIN1h7pdTR1JGuSqStNgSgL53FoX2v9K
I0QQ6RbGJ7Yleb4P8DUHkaY9ljARsioVdbmzQgYDpt45KG9iFeREadvA0WpuapKE
/WePOmKMJ+qhnvENPSLLrf5ssho95GWf/6pGEV4PmMLanQ5iGV48wLXMtbQ/ud9N
qA7XQd2Vb4fNEVQ1aNdXg1gjB3QYyJoB0/exCOm/xLrewfd7zlXk8BERXwV1yQ5f
tYumN2X4RS2+Y0s9K6ujwEkYi7HUph6vPuq3il4DcSNFj8Wop/f6AAXSml3mqxYd
-----END RSA PRIVATE KEY-----

View file

@ -0,0 +1 @@
V 450708195701Z 1000 unknown /C=US/ST=MA/O=Red Hat/OU=Keycloak/CN=Keycloak Intermediate CA/emailAddress=contact@keycloak.org

View file

@ -0,0 +1,131 @@
# OpenSSL root CA configuration file.
[ ca ]
# `man ca`
default_ca = Keycloak
[ Keycloak ]
# Directory and file locations.
dir = ./
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
RANDFILE = $dir/private/.rand
# The root key and root certificate.
private_key = $dir/private/ca.key.pem
certificate = $dir/certs/ca.cert.pem
# For certificate revocation lists.
crlnumber = $dir/crlnumber
crl = $dir/crl/ca.crl.pem
crl_extensions = crl_ext
default_crl_days = 30
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
name_opt = ca_default
cert_opt = ca_default
default_days = 375
preserve = no
policy = policy_strict
[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
# Options for the `req` tool (`man req`).
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
# Extension to add when the -x509 option is used.
x509_extensions = v3_ca
[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
# Optionally, specify some defaults.
countryName_default = US
stateOrProvinceName_default = MA
localityName_default = Boston
0.organizationName_default = Red Hat
organizationalUnitName_default = Keycloak
emailAddress_default = contact@keycloak.org
[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always
[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning

View file

@ -0,0 +1,69 @@
-----BEGIN CERTIFICATE-----
MIIF9jCCA96gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgYsxCzAJBgNVBAYTAlVT
MQswCQYDVQQIDAJNQTEPMA0GA1UEBwwGQm9zdG9uMRAwDgYDVQQKDAdSZWQgSGF0
MREwDwYDVQQLDAhLZXljbG9hazEUMBIGA1UEAwwLS2V5Y2xvYWsgQ0ExIzAhBgkq
hkiG9w0BCQEWFGNvbnRhY3RAa2V5Y2xvYWsub3JnMB4XDTE4MDIyMDE5NTcwMVoX
DTQ1MDcwODE5NTcwMVowgYcxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJNQTEQMA4G
A1UECgwHUmVkIEhhdDERMA8GA1UECwwIS2V5Y2xvYWsxITAfBgNVBAMMGEtleWNs
b2FrIEludGVybWVkaWF0ZSBDQTEjMCEGCSqGSIb3DQEJARYUY29udGFjdEBrZXlj
bG9hay5vcmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDYix1zJTa6
TTsmPjctc1R56vYPsIhEeyRis7HL8s+EbFbBpO8jWSSSaJp0MWkahUtWidu9cWK5
yPC0ezUD3LYclktG1Y6zxeY6G5RnNCUgV8EYkeCJAmlGVhgFjU+7r6HNh1L2sLJe
jUOKMsKcIxt1TpiUbph/3J1TrqPWDD1jIwB9337dvZfXdwIa45phk1Sb7wgR6aB4
mJPKBpekkh/5Wh5QRXI+2+Vv1Mhq6Stx1MdE4P2u8lblICOlnCaIWiI6B27yot2x
hcie1wvFwa1iqtBr4tIHLIn0XNKwqoeooM+WHlkwjMF/Yp1zYJJJmkXjh1a3ZIT5
7We1U3RxJrLfxE0D4Gm/S7Q302xxiAuDdycHx6oz4qYYwIYZVk+/8q4CDXVyo0aC
Y4e9fsAPmJvy5TwKZOKocoj+BFAyRwPd1iVrSGeAQTJBPcMgu70o9xVBnU8Pgsif
O5HzpXw9LTRrDaTS4BZ/rYA9PDLzexMVrgVCg+X1dRd3T9IsLPOlo+HCpfNGhfgR
lwp8/SRGmBuiaG5k6kaScP5mimSGYOvhjRHLNkY+Rgtl+hrMDn8DFd75PibM95hG
ia9k1qbrjmj9gRGA4xz1QBqewd2TTgAhaKxDFqQec+cJ15vf5AxB4A/KqFmqYXYX
AQpKczbt2goTyb2Annhpa5WJe/sYvYqTUwIDAQABo2YwZDAdBgNVHQ4EFgQURxJ8
iQtHVxlUCvUDBM2fhqKWdpQwHwYDVR0jBBgwFoAUIrj0u3MAxyk/k4Cl9hxSAmrL
elIwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcN
AQELBQADggIBAFwmiG2sd77dmX+klIeLVIYq4X3VwNijwzpuilDPMqSfSlBawj8f
PjwFJYzpcl2pe/Lq6sq96VMkN65/AUs/XZOW+ybgE7ZuJlfT12sk48TPgaVvP2dJ
5ud2l+DWYaH6KjU3B/xx8xttN73BilMobaJMDy02TLK6VgHPtV3bRyPOQNsGrOmp
wJMPi7t9UjcMm0THhVHdP881ryGXraNb38x5AgTILUwRYmwjtc1Rrlls0eKLtoAl
n5oScPDPeZELVunFFJ/ZX2lx5yApWpP1sMyzvJxnZhruuzfxsW60Tp+6Q8rHkabw
ZnnkHgi53/Gnp3H7l/kszM+hNYJXTDTHdPTQMETHEHqiWOzYttBTM8p/ffb3haTm
UnPb5fuRXJxX8vMxA1h6nSFWtQEQbvlGiS2oGNAOi5XlTsE+mjYMALuAPID9v8Yx
3eTyI7a4I+qy3a+0Q1iBFsAM75q6cbne7LK8FjLHDnZvHOnredoR/tmebgphD4C3
p4xNlwocSs+Fhjqsf6L5AvAc8fLP1206f/lp/9qEnvD0kocw2KvxwZY2yDtf115z
aHxhil32iWME340LVSYyQZqwPPr3N2t4CGZsgGs8vPXLECAGqrT3V2/I3iZNF3J5
i0GE63/1Q35BPHxPAJcqB/a5woBwo/Ae40u6qWR15keFp3UaJ0M/C9GR
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIF/jCCA+agAwIBAgIJAOMEN39fZf7uMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD
VQQGEwJVUzELMAkGA1UECAwCTUExDzANBgNVBAcMBkJvc3RvbjEQMA4GA1UECgwH
UmVkIEhhdDERMA8GA1UECwwIS2V5Y2xvYWsxFDASBgNVBAMMC0tleWNsb2FrIENB
MSMwIQYJKoZIhvcNAQkBFhRjb250YWN0QGtleWNsb2FrLm9yZzAeFw0xODAyMjAx
OTQ3NTFaFw00NTA3MDgxOTQ3NTFaMIGLMQswCQYDVQQGEwJVUzELMAkGA1UECAwC
TUExDzANBgNVBAcMBkJvc3RvbjEQMA4GA1UECgwHUmVkIEhhdDERMA8GA1UECwwI
S2V5Y2xvYWsxFDASBgNVBAMMC0tleWNsb2FrIENBMSMwIQYJKoZIhvcNAQkBFhRj
b250YWN0QGtleWNsb2FrLm9yZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC
ggIBAJlGjg05FzCm3f3YdIbMHNYuORfiP2n6YhX7vQyDjF/4gh7EYEYgE7spJ864
/DySQenJ55Jn22K/1MQ1rOHcqfTioIgN3eEAyyuMDx60KU3frMBRYeCgLJVZQHr0
6x+Sh/+SbbIYq/558+g/6PSZjmPBindHsPzGuBPaLOW4Jz47CA73L/su2qnJGeAi
UaK/tXmANs1bqJbiNRDr9IJFkdusx1mql2ElfknJT8U+LBPOOID/S7Xd83SKtpFI
Q8Vikb6C0SKnopOJiG2uWg5g7CYlNYxJpAM25zhDqp71bl8zOsIL2tFfUAvvoBnh
N31kDIl8RZJ5ELnh+t5SCfwbgdfMzS7uht8qVTeZ0/BG80Lzl1gfzNR8q45gsKC9
7mg7Voj68kt2aZr+E3Ng1guK69gePMxCpqLyjwlKz187mNUme+zxg2gL2egs4M6u
ffqsEd0c5QryrRSTcIXi8Bim6PDhL93dBsenAIg25DOJNA6Vt2LELoe9w0TkL48U
wUvU6GYB7/zM/z3EW45ZkRhHWK+HZppqDAb05lgJeeKUxxdUSy+ot7ls6cSqACYo
fVjPoVHPD5Ncx+6NGHPGM5N3FGvMMh64PYpChyVWDTEfrZIS7Yyj9Iz/2eCxV3cO
cO4bU0K6kx/dWRic5B5ymVtRME93+Of/hQuta4uLhlo8ZxRpAgMBAAGjYzBhMB0G
A1UdDgQWBBQiuPS7cwDHKT+TgKX2HFICast6UjAfBgNVHSMEGDAWgBQiuPS7cwDH
KT+TgKX2HFICast6UjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAN
BgkqhkiG9w0BAQsFAAOCAgEAVCVXdx79ooKyOaL+S49S4agP7mE4IxuDefDwQ2dm
996wpk3nntg0y54Auu1Y2plJirBhTvYZ1RedLNBMVBypm6BQpNn37u5TI39/FYso
GFPINu1EzLTYl0bFKc0w7UFlFusje9zXLWISm8uTNzxJ1RGLrcnv9gfiXPKxAmN0
cz9WY0vm+0+OV50HvLyUyqGKxyWmt2ek4jV+oEhsMMSO/MVNNXHEo2MAGcA23XPe
7FZkiFB1suDIMzzUFCrRBtoZjYSUeyN9Pd0Yg3twl96CLqld4xFjsKMIsz0ACGRI
8OpzeHAsePH4yS94E6nLwWH9YTi6pgTtoXSaVBLvIYpVHi8UAyIBFNqLMCukoq0O
BlOdkO0zescmpEtp8GiUWMuB7x+kkaSxmsujEfL3mRWshkqaz/ZHPKXaNtPBUtIM
jQnTMBF/wQjZxCGAps8dOMZ9pYnZcmVz0KeXpBJe1j+47MhItgt1wQNoyr4iBaxE
3fAF/Arr/IZtIf0erXOjc7P6dEQW+WiKWvEA5Mp+4tV3Zj2pwSSX5bKDKx4RAkoW
1jLTE1KN5RWvF8phStLty83gTd5wgykFSl65Lu7KIBW9HH3LIK46fb+cOBOZfSn3
mdQXrbuXNUXgbhrsetnBfPNMAkJjaBQLNTxebIvXndiTIEsWqHS7h1x+kBkDOKhw
SCc=
-----END CERTIFICATE-----

View file

@ -0,0 +1,34 @@
-----BEGIN CERTIFICATE-----
MIIF9jCCA96gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgYsxCzAJBgNVBAYTAlVT
MQswCQYDVQQIDAJNQTEPMA0GA1UEBwwGQm9zdG9uMRAwDgYDVQQKDAdSZWQgSGF0
MREwDwYDVQQLDAhLZXljbG9hazEUMBIGA1UEAwwLS2V5Y2xvYWsgQ0ExIzAhBgkq
hkiG9w0BCQEWFGNvbnRhY3RAa2V5Y2xvYWsub3JnMB4XDTE4MDIyMDE5NTcwMVoX
DTQ1MDcwODE5NTcwMVowgYcxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJNQTEQMA4G
A1UECgwHUmVkIEhhdDERMA8GA1UECwwIS2V5Y2xvYWsxITAfBgNVBAMMGEtleWNs
b2FrIEludGVybWVkaWF0ZSBDQTEjMCEGCSqGSIb3DQEJARYUY29udGFjdEBrZXlj
bG9hay5vcmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDYix1zJTa6
TTsmPjctc1R56vYPsIhEeyRis7HL8s+EbFbBpO8jWSSSaJp0MWkahUtWidu9cWK5
yPC0ezUD3LYclktG1Y6zxeY6G5RnNCUgV8EYkeCJAmlGVhgFjU+7r6HNh1L2sLJe
jUOKMsKcIxt1TpiUbph/3J1TrqPWDD1jIwB9337dvZfXdwIa45phk1Sb7wgR6aB4
mJPKBpekkh/5Wh5QRXI+2+Vv1Mhq6Stx1MdE4P2u8lblICOlnCaIWiI6B27yot2x
hcie1wvFwa1iqtBr4tIHLIn0XNKwqoeooM+WHlkwjMF/Yp1zYJJJmkXjh1a3ZIT5
7We1U3RxJrLfxE0D4Gm/S7Q302xxiAuDdycHx6oz4qYYwIYZVk+/8q4CDXVyo0aC
Y4e9fsAPmJvy5TwKZOKocoj+BFAyRwPd1iVrSGeAQTJBPcMgu70o9xVBnU8Pgsif
O5HzpXw9LTRrDaTS4BZ/rYA9PDLzexMVrgVCg+X1dRd3T9IsLPOlo+HCpfNGhfgR
lwp8/SRGmBuiaG5k6kaScP5mimSGYOvhjRHLNkY+Rgtl+hrMDn8DFd75PibM95hG
ia9k1qbrjmj9gRGA4xz1QBqewd2TTgAhaKxDFqQec+cJ15vf5AxB4A/KqFmqYXYX
AQpKczbt2goTyb2Annhpa5WJe/sYvYqTUwIDAQABo2YwZDAdBgNVHQ4EFgQURxJ8
iQtHVxlUCvUDBM2fhqKWdpQwHwYDVR0jBBgwFoAUIrj0u3MAxyk/k4Cl9hxSAmrL
elIwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcN
AQELBQADggIBAFwmiG2sd77dmX+klIeLVIYq4X3VwNijwzpuilDPMqSfSlBawj8f
PjwFJYzpcl2pe/Lq6sq96VMkN65/AUs/XZOW+ybgE7ZuJlfT12sk48TPgaVvP2dJ
5ud2l+DWYaH6KjU3B/xx8xttN73BilMobaJMDy02TLK6VgHPtV3bRyPOQNsGrOmp
wJMPi7t9UjcMm0THhVHdP881ryGXraNb38x5AgTILUwRYmwjtc1Rrlls0eKLtoAl
n5oScPDPeZELVunFFJ/ZX2lx5yApWpP1sMyzvJxnZhruuzfxsW60Tp+6Q8rHkabw
ZnnkHgi53/Gnp3H7l/kszM+hNYJXTDTHdPTQMETHEHqiWOzYttBTM8p/ffb3haTm
UnPb5fuRXJxX8vMxA1h6nSFWtQEQbvlGiS2oGNAOi5XlTsE+mjYMALuAPID9v8Yx
3eTyI7a4I+qy3a+0Q1iBFsAM75q6cbne7LK8FjLHDnZvHOnredoR/tmebgphD4C3
p4xNlwocSs+Fhjqsf6L5AvAc8fLP1206f/lp/9qEnvD0kocw2KvxwZY2yDtf115z
aHxhil32iWME340LVSYyQZqwPPr3N2t4CGZsgGs8vPXLECAGqrT3V2/I3iZNF3J5
i0GE63/1Q35BPHxPAJcqB/a5woBwo/Ae40u6qWR15keFp3UaJ0M/C9GR
-----END CERTIFICATE-----

View file

@ -0,0 +1,29 @@
-----BEGIN CERTIFICATE REQUEST-----
MIIE3jCCAsYCAQAwgZgxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJNQTEPMA0GA1UE
BwwGQm9zdG9uMRAwDgYDVQQKDAdSZWQgSGF0MREwDwYDVQQLDAhLZXljbG9hazEh
MB8GA1UEAwwYS2V5Y2xvYWsgSW50ZXJtZWRpYXRlIENBMSMwIQYJKoZIhvcNAQkB
FhRjb250YWN0QGtleWNsb2FrLm9yZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC
AgoCggIBANiLHXMlNrpNOyY+Ny1zVHnq9g+wiER7JGKzscvyz4RsVsGk7yNZJJJo
mnQxaRqFS1aJ271xYrnI8LR7NQPcthyWS0bVjrPF5joblGc0JSBXwRiR4IkCaUZW
GAWNT7uvoc2HUvawsl6NQ4oywpwjG3VOmJRumH/cnVOuo9YMPWMjAH3fft29l9d3
AhrjmmGTVJvvCBHpoHiYk8oGl6SSH/laHlBFcj7b5W/UyGrpK3HUx0Tg/a7yVuUg
I6WcJohaIjoHbvKi3bGFyJ7XC8XBrWKq0Gvi0gcsifRc0rCqh6igz5YeWTCMwX9i
nXNgkkmaReOHVrdkhPntZ7VTdHEmst/ETQPgab9LtDfTbHGIC4N3JwfHqjPiphjA
hhlWT7/yrgINdXKjRoJjh71+wA+Ym/LlPApk4qhyiP4EUDJHA93WJWtIZ4BBMkE9
wyC7vSj3FUGdTw+CyJ87kfOlfD0tNGsNpNLgFn+tgD08MvN7ExWuBUKD5fV1F3dP
0iws86Wj4cKl80aF+BGXCnz9JEaYG6JobmTqRpJw/maKZIZg6+GNEcs2Rj5GC2X6
GswOfwMV3vk+Jsz3mEaJr2TWpuuOaP2BEYDjHPVAGp7B3ZNOACForEMWpB5z5wnX
m9/kDEHgD8qoWaphdhcBCkpzNu3aChPJvYCeeGlrlYl7+xi9ipNTAgMBAAGgADAN
BgkqhkiG9w0BAQsFAAOCAgEAtZp+hULw+DW9TCzW1Sm1+r4cb6QN/DpWe4lvbSoU
ah0oiUAa/xF9AaDR2woHvMWXzMehc42Z+4F40L+XSdM1VAg6B36BKM7fYiyGQExo
bJF0oUqeRD6WneZNCd4APnmzAiMCU6uWzgLbkoUXw9JtNr3uxhIXvg3E+BasU5/F
pb9UqTHBsSc1yAxhMT9zLOXLpkvX+mrWzkkbc09Schus8wM6naf6oWhgW5uNVQaw
M3ZemlVmY7LYUwJKamNr7CRpzSPnFed+a77ogOFY1IjfuknYLPKlAaPtBuV5kEWB
Bx0JjMNoGoqL+FxUqpX6+8RzksSGCecje6q3+j4nm8p2RrhVf4/dfupSTDI3ijGl
Z0Y+eV0H88EySvnw6TKi9QCHBEc4TVKKA4wD6nASzMK2GtuqdutLJpd3ADgV/p32
BZ/NM8aB2iGo5S4nnDwjvGIzaHgamZbLkAuFBTQtjzghgwJK0D5FtFmWxn+0PpP4
IKntdvJXQVMuLL/CYa0L9BFcUbSNbglykfggGAv/kU0tOmDNdW6wv8IlN1c34KOM
W2GYKDmcn5LTSzRmvN8E9kjvMLYVyFf8TeBpo8K34dkMRODu6LTQVu3EhKN2OZt9
QXf79Y5zjNQwfdm2s4GBDK/+fkL04Hg69sbOeOID8aYQxy8fyxELad1fYsnas6P6
u1I=
-----END CERTIFICATE REQUEST-----

View file

@ -0,0 +1 @@
V 450708200730Z 1000 unknown /C=US/ST=MA/L=Boston/O=Red Hat/OU=Keycloak/CN=test-user

View file

@ -0,0 +1,38 @@
-----BEGIN CERTIFICATE-----
MIIGtDCCBJygAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgYcxCzAJBgNVBAYTAlVT
MQswCQYDVQQIDAJNQTEQMA4GA1UECgwHUmVkIEhhdDERMA8GA1UECwwIS2V5Y2xv
YWsxITAfBgNVBAMMGEtleWNsb2FrIEludGVybWVkaWF0ZSBDQTEjMCEGCSqGSIb3
DQEJARYUY29udGFjdEBrZXljbG9hay5vcmcwHhcNMTgwMjIwMjAwNzMwWhcNNDUw
NzA4MjAwNzMwWjBkMQswCQYDVQQGEwJVUzELMAkGA1UECAwCTUExDzANBgNVBAcM
BkJvc3RvbjEQMA4GA1UECgwHUmVkIEhhdDERMA8GA1UECwwIS2V5Y2xvYWsxEjAQ
BgNVBAMMCXRlc3QtdXNlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB
AOmK2D4VdRvGOUjAPWXol5/hkMwCNKXgO0ZrgTmBrzIn8F8O/QCYvkNgRATIBIN2
+nNK+Pej96tHHzhPC07O7KMDLncjSEjjmZ2xmvh2FjPr+xooT+x0mzv3a9MhVCYj
WHM7x+LWuAAMne4xPx14AMVZa+P7YTmzabbMWHM9g9Itxjyl/jpkt9LmWsZh2Xvt
96NgP4CG1Vegml0nNnR6AIwKlKl2x5NMuXrhCs2yn0PrSVwzHsdIajqaTDGedwhW
pLzCy//k3KLT9ydRahhbUKWK48DPLf+cJubVGcE/hdiAQqA1C/3Um/kXR1PcIjG3
YLeXavhmT/7H53lRe1mdHmUn1b7Vr6oYX7uln8wZqBMvceOK23wkKY970j2N46Uj
ABcw9fnUckKYgjpv8I029PgnIgBjX3rZyMmRB8Khw+McVIx0DsFx7oJcc5ZV16RM
4tHx107F084OBkDkqJ0k42pw1gpsovln+PVKGetBGFbAAsNwMMZxmJT/r1RVWk4u
pe/HfzWz1PvwcTjaRD8MzhC16xOr7HR8uDRDFU40+X5mkEJkzvT5+ih7a64TsQNZ
uU/Dx3j5ncYptLMl0FvzlNlfDkZ3XCUQfkr9o/nxdq9DTBGpy6nMaC5BMf8PKzjX
C6lioUBQTFJGrHsc59PTI0GSOXkls/gO494SmbIkCmarAgMBAAGjggFKMIIBRjAJ
BgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIFoDAzBglghkgBhvhCAQ0EJhYkT3Bl
blNTTCBHZW5lcmF0ZWQgQ2xpZW50IENlcnRpZmljYXRlMB0GA1UdDgQWBBT6Y/aV
XWxkiC3QOuN6nKCjZgRdbTAfBgNVHSMEGDAWgBRHEnyJC0dXGVQK9QMEzZ+GopZ2
lDAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwME
MCoGA1UdHwQjMCEwH6AdoBuGGWh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC9jcmwwNgYI
KwYBBQUHAQEEKjAoMCYGCCsGAQUFBzABhhpodHRwOi8vbG9jYWxob3N0Ojg4ODgv
b3NjcDAeBgNVHREEFzAVgRN0ZXN0LXVzZXJAbG9jYWxob3N0MA0GCSqGSIb3DQEB
CwUAA4ICAQCiKCFfS/CxkFcPqu4Xg2bSxd0ge5oXYOtkr5Pe6C6nMXjvSirHTWiX
eUkxB+8FrU7TZGVUalbROsdZLCaOwPD5Xed7fjRoOKiAk7/JZxkIBjz8q9uAOXql
fFZOwrAe5DHGaux/hZBmDLc/JRy5eZY5NsW/YfP5WhhZr/zsi1R0Fxkd3QsSr5yl
SDyaq3yKWAojkGMSmsYsisPL2LXJlEz961YNtok22fTd7mlSREFL13/RcXf/Fegi
2pjhGwrLjILkil1PTdbxOav6H1UScX2Q2S13rmJmPjmAVcHQAPd/UAQN2n0MLGzB
iyFT5b7q97vgPCRAzGNE/t9So687bgw+CMPDGprz2yt1StTJnbDbWfgOZk1aj7Y8
p8TJ2zmifD8VlAfa7+RDeNIfnSMI6Zh7vJWG0IxttKcrPNZxqfoTQKRTZBz1lOGE
Q06Cs/We6YKWctpf/5UPE29ncjLkT9XX9yqyNKLJnQWlcfltSyDRUTmhNsbhI/Pl
fxNceHMSY7ewkvfQ0FQMOj4HuXYGaTNfOknTRMRue2gmj0ezH0yxwmLsZShRgKmx
+rEdeplmwKaFRQcQc8TYGmws3uICUf5KbcL4pt2Pi0Yy2hjc/jCrf4RUw/trtwPJ
7xk/PGGFQBWwzCmZP86ZPUL3BaWOQWauNl8XWCLC9xx9e+mkaUI50w==
-----END CERTIFICATE-----

View file

@ -0,0 +1,139 @@
# OpenSSL intermediate CA configuration file.
[ ca ]
# `man ca`
default_ca = KeycloakICA
[ KeycloakICA ]
# Directory and file locations.
dir = ./intermediate
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
RANDFILE = $dir/private/.rand
email_in_dn = no
# The root key and root certificate.
private_key = $dir/private/intermediate.key.pem
certificate = $dir/certs/intermediate.cert.pem
# For certificate revocation lists.
crlnumber = $dir/crlnumber
crl = $dir/crl/intermediate.crl.pem
crl_extensions = crl_ext
default_crl_days = 30
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
name_opt = ca_default
cert_opt = ca_default
default_days = 375
preserve = no
policy = policy_loose
[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
# Options for the `req` tool (`man req`).
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
# Extension to add when the -x509 option is used.
x509_extensions = v3_ca
[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
# Optionally, specify some defaults.
countryName_default = US
stateOrProvinceName_default = MA
localityName_default = Boston
0.organizationName_default = Red Hat
organizationalUnitName_default = Keycloak
emailAddress_default = contact@keycloak.org
[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
crlDistributionPoints = URI:http://localhost:8888/crl
authorityInfoAccess = OCSP;URI:http://localhost:8888/oscp
subjectAltName=email:copy
subjectAltName=email:move
[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
crlDistributionPoints = URI:http://localhost:8888/crl
authorityInfoAccess = OCSP;URI:http://localhost:8888/oscp
[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always
[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning

View file

@ -0,0 +1,135 @@
# OpenSSL intermediate CA configuration file.
[ ca ]
# `man ca`
default_ca = KeycloakICA
[ KeycloakICA ]
# Directory and file locations.
dir = ./intermediate
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
RANDFILE = $dir/private/.rand
# The root key and root certificate.
private_key = $dir/private/intermediate.key.pem
certificate = $dir/certs/intermediate.cert.pem
# For certificate revocation lists.
crlnumber = $dir/crlnumber
crl = $dir/crl/intermediate.crl.pem
crl_extensions = crl_ext
default_crl_days = 30
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
name_opt = ca_default
cert_opt = ca_default
default_days = 375
preserve = no
policy = policy_loose
[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
# Options for the `req` tool (`man req`).
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
# Extension to add when the -x509 option is used.
x509_extensions = v3_ca
[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
# Optionally, specify some defaults.
countryName_default = US
stateOrProvinceName_default = MA
localityName_default = Boston
0.organizationName_default = Red Hat
organizationalUnitName_default =
emailAddress_default = contact@keycloak.org
[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
crlDistributionPoints = URI:http://localhost:8888/crl
authorityInfoAccess = OCSP;URI:http://localhost:8888/oscp
[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
crlDistributionPoints = URI:http://localhost:8888/crl
authorityInfoAccess = OCSP;URI:http://localhost:8888/oscp
[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always
[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning

View file

@ -0,0 +1,54 @@
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,55738491E62D25465F4122B4D81938FA
rivJE7agWr1e9e2zPd8OZttFzBve49d99hdvxpScz6Bl0gVwV2VGiFonGdCzKnB7
adJgoU1R7nC9jKLoviCM1qd1bnzY7EudnCBsGMbaNhuoeaS6Sc0lEMBNryDIHdQj
XaBgbDU9drELn2f7AW2l23kofQYTfY/et4qasDlRSH9pdUOTHsMArkCNamg/FCJ2
/5InAqOZlIOENPmEPWF7gpBLiIdsrb56CezYhxy4Cz9hTGaQrVW/9fFpfEcmA+7F
7f8TyWGb5pDTPSnBUkYXk5tFqCLghPcooI+hhkGUJR43L5SRg8SqpArYou0enHkT
r/Hbat5zXZgJAp6qJ1Xi3lH1hqO6m+5aW45SCL4MZhDahLQI632zLcJ/MQMMWLEp
bYC+l/UWTAh2JGbS+vTwZ/hluOh4qZMC/cti6QJ1oqOzDxDuN7A8UY8RKBSsA1OM
aX1L80kHHTyN4i91JNNjsGxH1lmBDS19YdWQu1XHpsM8KANRoRVqAMeU12Ip0lVD
wp5pUzTaNXRlFnoxDpu6fUTjcNxitv08EnjVNeFT5SmneVBH7ZPopLWErd1pTdnU
fMDnyrNcr7g0HkahmCRoMy4WroRz1yQ1BX0BOoMO+jrLbCR+bDFiyapl5VG7zOW1
p5tG/ra8fuB7tkXxzqqINSLKCHaqsEsl7hJ9CJNX45ypT6jlehc0E9OGI3W5x2hK
6fG+T1gzu99YwcnAsSlsTqGgxj/VO8wwS/fPN3QA4iQMFSVdhnjt2jLO2TpbAudW
6/2G7ulYpj/G7JwdWJD7V91U9LUx6fyOja4NJbV/WB9la84VHluGjGFQul5fMuvU
nVOv1fdmuJA1WIohczH2nADunzv79rswfr0oZKXezvQUkIRC1kOg1SM6vlQcsGva
Y4obtLNDmwsJ2qyx51NTkkrewrlMuuf2AeoIy2fBZ6mhEdNCFUkvk+dwb5UsX2fG
6w8klofTwQxnsdq07+QbDQOVw/MANl3hQPAjtsE19kGWeHNyYp8X0RxGDSoS6qGp
c+Y2jG0xzK0Mo/m+GFG8AHDHbpC+hVhxU4/ll1L3QL7ZpY9ZNi+YYjI1abqexU/t
/pf2n9vjAvyrST37SvW3n3bb5ltmDDIqVHarn63Bm2ZM8cvnmK3S65FOxTp0wZ+q
tZ5fWqcyWMWxnYVV0yGqtlsZOsssYosrsMNV1NGxLI8Gkmz69/4qs2jToNqIsjNa
SBeweGKTqofFt5VtVjWURvfJMM2wleKMJ8KSOA1HS+c8577gblSrIS1ZtAo8hNlO
lKqPTuyf0SAe1lyYfzijn5k1v3XfpdC7VbGbprK6jSw9pSFYDwDeVq7rMgHFSGTR
Jv1mfHt0D3O/C9p8lVz68ROmblQgq7XjbllYmjTBEZOB3HQdRGPV0h8ag3UHHGD+
lhV0L2RDkzwHfjjwlvJxtBUchKuN4Kxpb0aQAVVt3DzOv49sLAkUyCPzkHu8WliB
lfXf8alQ9XGbSANWhZxZJ78E/zLInaHBkMlkH4vcsuEsZ2Lwxm36v5ES6RJgjCad
sNSBg6EHRNfnnFPOVZBtzA/APsR3yMmfw9t8Qcp5vFudhtwxQ26QcWrgj29yZyJm
Qyvn4d34JIhZM122090lhGbKWDaViEZ88a26SBiMC1qeX9Aomlow+mwEaYpS4EmT
tNADYipjU2yWB07FXw5tmGaEuAFmsC3t7PcbsYULUlbdjuirbyTiG6QxruecPjW5
KKBMb5zqcxSxKgeEPa3DsDggMcimLugKu/sc6+mBKu9ngvl40gLEvroSb2fySFJP
gGdIrjro1nNjaHAIR5U9QJFNaViOiIEiOlDHc53bRWnJadPceH3xdvGJC8d6Tm0d
T55j2OYBkAxGSwQrrt6C7oo0xoscumkz9etTLZghA6VWZh25m+Xw2sh/qVKDTrHx
2fw9NKJfSDXDfejqJDR7SWUjZ5ygLs3JI4qj8+5XYFKbat9l5EGPrpqrxWmzy2EM
CiceOWPHhWUkoAqPgfDCp8AIvtpDJyW8pyz+sMtBSTSidsM9BqacfyIySZKmDxau
SicM+9M5ggKJkmm7hJ2w0+tHjqzA+2j/HRm2+Ti2aKSBjclcGU70/CxwJooPJ+lk
dQvlW6FP9enK7sYcZgQ52NPHcsuha0VOyLdnjV5cyCv1VEDFv5XIX2KZveqNeKDS
A84D/Q2k+I3x4Rc0G5ge1uVuNJV67BiYF2agSfiyr7Gb9RAIZXuqjtPToRqXfs1f
YKfd/s9/Rq2gB//RRzXtwLdXtZ7GDAGBNsFahk1X/F9DhYg3mkfdqsAjJp6l+UOu
8khW2LwIGAmstltiC3G9I+66cYz/Z7xv2ycCoTUZ4IjXhpzw0dv3yVzu4Y7mYfls
oDyDy8Y+Z9QwQl2IYTycxOG07OuwpGmcNDzj2lUGBLLWQEZRfLa+rwFXtx9AbhZZ
qRAIeI2fAkM9qR3Txarz8HfxqeQV3uHmXMrLVhbL1KPVRvFlCic8VohzNHDa3XMV
FHn8BGkemhp/5WaaHa2O9b4EF5Ydo7SmNhxQTTkqUTfHaiL/i22ItOtyUVWiMmS3
D7LnERSegQVA75QYe/4QFsXPa9WSY63bjfWb6QUX1LP4xeqBhl/m6VgxAvCBSknI
nAbUuyItm/dLTlelsQ7LtKDeGHZ5CWxArmSbfR7kPuCf2OiVoOGyMd+Ygnok51bS
htWN1mwVN9oHUPSN2twqDUEyuIARCzJhXl4goSm2/CtOc+ZPUuRD895AU41FEMRA
qZ6SRe6sgUh4gqpTKPaXT6z7+UKd04UKIBhfGmoUSrLwP1tbPSB6C0ppvv7WqsZl
DL7VYcHASMo0zVmMAw/zIwd0qF0SDiajXfhiSfPypAzHHavz8clq7Po6AvpgWZC3
vjfCb7MVEXRDXCUMzCALdiaW0YGZv5D20Yj16I9lSmYijAflReGN/j28xhsSuZZz
uBFHHpD/kN/L25VvDYZslc0KUWkS0kRshkgMtuHEC/YbZy0ptan6MUZ3uWHrUHzs
FAMDf9j90CGr1dS0amXMZD0IvJ4nNatvt92OvjNCUc76fc4RJ1QGC7oHdUuJEdxF
IPl4SYWfUPh/cvEPHqPag2G5tFIsBv9252nzr+v+7ochdbDL7ZLOrrmgBAxTubY1
-----END RSA PRIVATE KEY-----

View file

@ -0,0 +1,34 @@
-----BEGIN CERTIFICATE-----
MIIF9jCCA96gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgYsxCzAJBgNVBAYTAlVT
MQswCQYDVQQIDAJNQTEPMA0GA1UEBwwGQm9zdG9uMRAwDgYDVQQKDAdSZWQgSGF0
MREwDwYDVQQLDAhLZXljbG9hazEUMBIGA1UEAwwLS2V5Y2xvYWsgQ0ExIzAhBgkq
hkiG9w0BCQEWFGNvbnRhY3RAa2V5Y2xvYWsub3JnMB4XDTE4MDIyMDE5NTcwMVoX
DTQ1MDcwODE5NTcwMVowgYcxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJNQTEQMA4G
A1UECgwHUmVkIEhhdDERMA8GA1UECwwIS2V5Y2xvYWsxITAfBgNVBAMMGEtleWNs
b2FrIEludGVybWVkaWF0ZSBDQTEjMCEGCSqGSIb3DQEJARYUY29udGFjdEBrZXlj
bG9hay5vcmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDYix1zJTa6
TTsmPjctc1R56vYPsIhEeyRis7HL8s+EbFbBpO8jWSSSaJp0MWkahUtWidu9cWK5
yPC0ezUD3LYclktG1Y6zxeY6G5RnNCUgV8EYkeCJAmlGVhgFjU+7r6HNh1L2sLJe
jUOKMsKcIxt1TpiUbph/3J1TrqPWDD1jIwB9337dvZfXdwIa45phk1Sb7wgR6aB4
mJPKBpekkh/5Wh5QRXI+2+Vv1Mhq6Stx1MdE4P2u8lblICOlnCaIWiI6B27yot2x
hcie1wvFwa1iqtBr4tIHLIn0XNKwqoeooM+WHlkwjMF/Yp1zYJJJmkXjh1a3ZIT5
7We1U3RxJrLfxE0D4Gm/S7Q302xxiAuDdycHx6oz4qYYwIYZVk+/8q4CDXVyo0aC
Y4e9fsAPmJvy5TwKZOKocoj+BFAyRwPd1iVrSGeAQTJBPcMgu70o9xVBnU8Pgsif
O5HzpXw9LTRrDaTS4BZ/rYA9PDLzexMVrgVCg+X1dRd3T9IsLPOlo+HCpfNGhfgR
lwp8/SRGmBuiaG5k6kaScP5mimSGYOvhjRHLNkY+Rgtl+hrMDn8DFd75PibM95hG
ia9k1qbrjmj9gRGA4xz1QBqewd2TTgAhaKxDFqQec+cJ15vf5AxB4A/KqFmqYXYX
AQpKczbt2goTyb2Annhpa5WJe/sYvYqTUwIDAQABo2YwZDAdBgNVHQ4EFgQURxJ8
iQtHVxlUCvUDBM2fhqKWdpQwHwYDVR0jBBgwFoAUIrj0u3MAxyk/k4Cl9hxSAmrL
elIwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcN
AQELBQADggIBAFwmiG2sd77dmX+klIeLVIYq4X3VwNijwzpuilDPMqSfSlBawj8f
PjwFJYzpcl2pe/Lq6sq96VMkN65/AUs/XZOW+ybgE7ZuJlfT12sk48TPgaVvP2dJ
5ud2l+DWYaH6KjU3B/xx8xttN73BilMobaJMDy02TLK6VgHPtV3bRyPOQNsGrOmp
wJMPi7t9UjcMm0THhVHdP881ryGXraNb38x5AgTILUwRYmwjtc1Rrlls0eKLtoAl
n5oScPDPeZELVunFFJ/ZX2lx5yApWpP1sMyzvJxnZhruuzfxsW60Tp+6Q8rHkabw
ZnnkHgi53/Gnp3H7l/kszM+hNYJXTDTHdPTQMETHEHqiWOzYttBTM8p/ffb3haTm
UnPb5fuRXJxX8vMxA1h6nSFWtQEQbvlGiS2oGNAOi5XlTsE+mjYMALuAPID9v8Yx
3eTyI7a4I+qy3a+0Q1iBFsAM75q6cbne7LK8FjLHDnZvHOnredoR/tmebgphD4C3
p4xNlwocSs+Fhjqsf6L5AvAc8fLP1206f/lp/9qEnvD0kocw2KvxwZY2yDtf115z
aHxhil32iWME340LVSYyQZqwPPr3N2t4CGZsgGs8vPXLECAGqrT3V2/I3iZNF3J5
i0GE63/1Q35BPHxPAJcqB/a5woBwo/Ae40u6qWR15keFp3UaJ0M/C9GR
-----END CERTIFICATE-----

View file

@ -0,0 +1,131 @@
# OpenSSL root CA configuration file.
[ ca ]
# `man ca`
default_ca = Keycloak
[ Keycloak ]
# Directory and file locations.
dir = ./
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
RANDFILE = $dir/private/.rand
# The root key and root certificate.
private_key = $dir/private/ca.key.pem
certificate = $dir/certs/ca.cert.pem
# For certificate revocation lists.
crlnumber = $dir/crlnumber
crl = $dir/crl/ca.crl.pem
crl_extensions = crl_ext
default_crl_days = 30
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
name_opt = ca_default
cert_opt = ca_default
default_days = 375
preserve = no
policy = policy_strict
[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
# Options for the `req` tool (`man req`).
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
# Extension to add when the -x509 option is used.
x509_extensions = v3_ca
[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
# Optionally, specify some defaults.
countryName_default = US
stateOrProvinceName_default = MA
localityName_default = Boston
0.organizationName_default = Red Hat
organizationalUnitName_default = Keycloak
emailAddress_default = contact@keycloak.org
[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always
[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning

View file

@ -0,0 +1,54 @@
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0DB2418CD45582213A6DA1664904B74D
hCr065CBgHEofMLubxh+GPmnVeLFF/x1w+FhSLxGysTkFARjU2tSxE71LWB45WBX
eb1cta3aJJTdZWn1c6X/NDWHl91JM4nY3vMsA279SrSZi7/Bb/uJl+Hi4vFKyUpq
qf0AW5mDQURKZ+WsqiQqCMNXHqeFbBFRmcnN7uhnN30KnwAQyo7rgkimeMg+OWnO
VFfWT5xgpBx4ki6om8I8SETNsJWLdHmuMLUsTkRQFp+SOxCJ4vQisAiiQVuQjnZX
wqeGvSf97oSpyYUPF3qgf1kE3hdG9XswOk13rHpYc+fUFi3F/aLeuQWH1Tvc586Z
mhxGHs0Z4VmTZkMEZ7HeNa5bjszuADyh+Nyk1eXdf/TChLPaFi+JQsz0kdt5MsHE
eiUfhbQfUxQPdH6r+RPhZK4vSeE3CXY5gdKQmHIUgnoZOkr8jelK/vO6AJ0Tmzig
gL5W9w++QzuIp6YbRXF0gy804U5CWzvY86a0eX5Ao4w6esDfinT9FNHeF8GR1wkh
KUvNHQPOyFNR2DOMjFCPTfBiWrYGIral3mDp+zLIMgEIWG8sHzhVfPqup7fokYxb
/JW3jxuZXatFwUy0FwlqntcoqBZmb7wR42hi9X2uDWfWr/rVh/Vf9fMqDndTz9aF
9VjyibwJWRLXX+rtzGcG4KxJu6Tg1xjs+7zALCnQ84KifbJdG6HnItu5ME7lY1Cf
S7+qxERzASla4NYCQK8+/7p0CrSe5jer64AJbSz/PGRCR8Vs7ZCJYBJao27L0MKJ
fNgDaY/ipv2/ENgd7GUoyz++8q841iY8Q1IWzjbg7/DStVcZwQRD1aiCfzyIo83z
YwQtAy/epj9x2Jj4s+FDJsBZ+V7aGwhEEvXrfZllDfB2uw+/idopLQUJQThZWRQT
q9pHfqKNbmvwdviD2E07CNojtNh9TKU1rvzmC0dJIti9hfEGTQJipvQ8tdA7jLyQ
TIF9KekSWpvTQ1g+4x0NfmvdKTsjgM+71zUyGScOK7WuBDOURBT9bOjqvl4+AYKV
cqk6TNIf5Rf3hPBYsgNvd24hIpdA1Jab6OrF+zpbaeAVf3voFMn8Ze/QpDn76qsE
X7quBKaaWsEfZf39P44aCVYLva9jm1MI6PpFZdOsHaq/TLITcTPM1Q1ql4BQJl4t
3SYC9xDDUrJN11W8sFD/V6B4PdraxtlZ2Uehk4TU6KXksVbUkw02aNFtWPwJCMBN
+9NA5ymPtNQGm4G4VhZzm6ywHEflZ/2rUtG+pe6U4WTmU1yrinaTV9WkGV9qP3SJ
ttFrUvcJgRxxkfKCTKMfQvIKU7R3P4WbCjAuLO+W9aC8/6ljr4ALSHOXuFc5OrTs
Xkl2Z3l5xl4JY8cFagXKEZHfjWvNRNwURNQwFC/9aWFqSjuZBrJfpRbshL1HM8lb
Nef1fww7GgRtjZstjd77BgBF1pLfF6ERUmo1HrbSYtjpMUMgMp78Okj53hAYj7qQ
VO+U7ARvgDzGAkqBcRMoHD03fp+YvLrao73PQR+lMn/QfkiPFP5KZHulNKf0tJHD
ASB+v6WaNFWHAvKCSDvKcvAiVvCWd4baKGJUh72cFeVF3S0pqlKrUhdCdOVrf6Oq
HF0Qmkva8OHj6NC9vrXqOK1QlwqcKfJ6DZUYFEqc8fiWf/+sLuDcCQNmusDMzEC5
YXHZek5JFgiGZ1OcH6UyQZwnmHcElxm8u9c0vAe3BJnmu9nBVaph8MMF0XKhEalS
c+J5FPtc1ioM/2lSy8S2eiKlwX3MiQ1kAD7bohd+AGL4hZChNLHVlTmb3n/rr3N9
9JISLU876c1AkIvAF+dQXsZRUFiqvbMS4cwdOX2ykRBIqrCcsxZXxoBdUd9CvWvj
ABJ6780R7LD8YYrPfiGMLvAWfIBbiesACRIU2pZwIYbTRKO+wZ7dG2paZSZqskNf
DQjzW7VL19VDTchnmMcaYUk8HEYuwQt8n1Qk7qntLSH2ANDzopCF0IEtBDL4irgp
c93zzecmgilVtnfFlBm5vT7Gv7ryU/R7vJgnmYwUIAwPF3oedaPloSAXKw/KKoxT
SJBcZRhpdl8eMlp1H5OYdWiYBsjJtJuh7oHC2QplG13GN0GdGhZ4H9nFuZG3TLWP
oBE+j4StCiSxaxENc6Op9J5/xMUwCrTlxD6yVfAijqpvdZ0XIRKdnZLD1+bLFv6k
Xo6I2Qf9ruSwslaYa7UqUN1eLkyAkouyhN12XYhroQ/I7JTaUnqwMl45a4p9nArh
7vUQ4Sa52tWXbpgDQ67qHQf5g/3P4dncVbd78YiAs03pqZQ0cSCA/exKCahTuLpy
nTQy8TiSI1jTRGV86bbga//SuAnJJFkcZAhOMU+dRFYAlzENGJZaacyeEjWF0mpg
VSMmkZI4YCSmY19PjDk9wKxJYBAZulsK5fqEqBjbC4whrc9N8rPFtuNOG2T5DEoB
wuKzmJFHPKiY0+/6cd63B4L7yvNJYh6t7uHQJdsW8nzxPkp8Bddtxf5yEDy6Ej3b
eayKFDLdjzc/Pf7zL8CnKXjZNw218p0vAaHJ0zN/dwyR52GBm4uTlJDxiWVr7Gua
Uz2KBcPy/h0cAHSCedrecdqkCYKGRf/wpc9Ov7jEOgi/ahgt1qjd4ZkTKpvZ3P/b
/ZxyHRVGLlfHs17AFHEXxwRvWFvC42tnsiBJBsJPfj7qkpxTHqEtE9x4xfEdwNf3
+faMaPkx7okYDfCkDrnqEshOxS8vOHjVyrYkOHiYVUX8+8tYdwJlNo0/V7ugT8ge
EIjTyR29N1TOR5ZuhYOAuhR3QNhG0iHf0mXTsA/qNx4UBAQMpg2aWPYepWDMaND4
n1xGkzBt4qWKNR7umbjzC3JoQACSnI+Qp46rXc1WH8GEpVfcCQry2BGDjFRWlOd9
fRe4ZAdgEh9mZocbkTDqVqUHZ//Y7jLzkYdZQwqFCegtDGC1RztVocaZUO/Yqcto
yVs6DWqMlcZsZtM3awXbX/UOJIfx+n7AFJ/IRbptob/p8E3MylcLZXuMIOgcJGF2
GVOEMTXQlmgyHfUDp8PGTNJdfdtz6CZWNmx/dcrzFrX/OS9M3E9j2qhgpC2XwGza
ahuTcE9Eu+xxeEycvQkv/5pSO+phCSyfj1Zmk/o0SvUGYAMke5Bm0xCyCyGh5/Qo
-----END RSA PRIVATE KEY-----

View file

@ -245,6 +245,13 @@
<include>empty.crl</include> <include>empty.crl</include>
</includes> </includes>
</resource> </resource>
<resource>
<directory>${common.resources}/pki/root/ca</directory>
<includes>
<include>certs/clients/test-user-san-email@localhost.cert.pem</include>
<include>certs/clients/test-user@localhost.key.pem</include>
</includes>
</resource>
</resources> </resources>
</configuration> </configuration>
</execution> </execution>

View file

@ -17,7 +17,10 @@
package org.keycloak.testsuite.drone; package org.keycloak.testsuite.drone;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap; import java.util.HashMap;
import java.util.List;
import java.util.Map; import java.util.Map;
import org.jboss.arquillian.config.descriptor.api.ArquillianDescriptor; import org.jboss.arquillian.config.descriptor.api.ArquillianDescriptor;
@ -25,9 +28,11 @@ import org.jboss.arquillian.drone.spi.Configurator;
import org.jboss.arquillian.drone.spi.DronePoint; import org.jboss.arquillian.drone.spi.DronePoint;
import org.jboss.arquillian.drone.webdriver.configuration.WebDriverConfiguration; import org.jboss.arquillian.drone.webdriver.configuration.WebDriverConfiguration;
import org.jboss.arquillian.drone.webdriver.factory.BrowserCapabilitiesList; import org.jboss.arquillian.drone.webdriver.factory.BrowserCapabilitiesList;
import org.jboss.arquillian.drone.webdriver.factory.BrowserCapabilitiesList.PhantomJS;
import org.jboss.arquillian.drone.webdriver.factory.WebDriverFactory; import org.jboss.arquillian.drone.webdriver.factory.WebDriverFactory;
import org.jboss.logging.Logger; import org.jboss.logging.Logger;
import org.openqa.selenium.WebDriver; import org.openqa.selenium.WebDriver;
import org.openqa.selenium.phantomjs.PhantomJSDriverService;
/** /**
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a> * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
@ -47,11 +52,36 @@ public class KeycloakWebDriverConfigurator extends WebDriverFactory implements C
if (webDriverCfg.getBrowser().equals("htmlUnit")) { if (webDriverCfg.getBrowser().equals("htmlUnit")) {
updateCapabilities(webDriverCfg); updateCapabilities(webDriverCfg);
} else if (webDriverCfg.getBrowser().equals("phantomjs")) {
configurePhantomJSDriver(webDriverCfg);
} }
return webDriverCfg; return webDriverCfg;
} }
private void configurePhantomJSDriver(WebDriverConfiguration webDriverCfg) {
webDriverCfg.setBrowserInternal(new PhantomJS() {
@Override
public Map<String, ?> getRawCapabilities() {
List<String> cliArgs = new ArrayList<>();
String cliArgsProperty = System.getProperty("keycloak.phantomjs.cli.args");
if (cliArgsProperty != null) {
cliArgs = Arrays.asList(cliArgsProperty.split(" "));
} else {
cliArgs.add("--ignore-ssl-errors=true");
cliArgs.add("--web-security=false");
}
Map<String, Object> mergedCapabilities = new HashMap<>(super.getRawCapabilities());
mergedCapabilities.put(PhantomJSDriverService.PHANTOMJS_CLI_ARGS, cliArgs.toArray(new String[cliArgs.size()]));
return mergedCapabilities;
}
});
}
// This is to ensure that default value of capabilities like "version" will be used just for the HtmlUnitDriver, but not for other drivers. // This is to ensure that default value of capabilities like "version" will be used just for the HtmlUnitDriver, but not for other drivers.
// Hence in configs we have "htmlUnit.version" instead of "version" // Hence in configs we have "htmlUnit.version" instead of "version"

View file

@ -21,6 +21,7 @@ package org.keycloak.testsuite.x509;
import org.jboss.logging.Logger; import org.jboss.logging.Logger;
import org.junit.Assert; import org.junit.Assert;
import org.junit.Before; import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Rule; import org.junit.Rule;
import org.keycloak.admin.client.resource.AuthenticationManagementResource; import org.keycloak.admin.client.resource.AuthenticationManagementResource;
import org.keycloak.authentication.AuthenticationFlow; import org.keycloak.authentication.AuthenticationFlow;
@ -57,6 +58,7 @@ import static org.keycloak.authentication.authenticators.x509.X509AuthenticatorC
import static org.keycloak.authentication.authenticators.x509.X509AuthenticatorConfigModel.IdentityMapperType.USER_ATTRIBUTE; import static org.keycloak.authentication.authenticators.x509.X509AuthenticatorConfigModel.IdentityMapperType.USER_ATTRIBUTE;
import static org.keycloak.authentication.authenticators.x509.X509AuthenticatorConfigModel.MappingSourceType.ISSUERDN; import static org.keycloak.authentication.authenticators.x509.X509AuthenticatorConfigModel.MappingSourceType.ISSUERDN;
import static org.keycloak.authentication.authenticators.x509.X509AuthenticatorConfigModel.MappingSourceType.ISSUERDN_CN; import static org.keycloak.authentication.authenticators.x509.X509AuthenticatorConfigModel.MappingSourceType.ISSUERDN_CN;
import static org.keycloak.authentication.authenticators.x509.X509AuthenticatorConfigModel.MappingSourceType.SUBJECTALTNAME_EMAIL;
import static org.keycloak.authentication.authenticators.x509.X509AuthenticatorConfigModel.MappingSourceType.SUBJECTDN_CN; import static org.keycloak.authentication.authenticators.x509.X509AuthenticatorConfigModel.MappingSourceType.SUBJECTDN_CN;
import static org.keycloak.authentication.authenticators.x509.X509AuthenticatorConfigModel.MappingSourceType.SUBJECTDN_EMAIL; import static org.keycloak.authentication.authenticators.x509.X509AuthenticatorConfigModel.MappingSourceType.SUBJECTDN_EMAIL;
@ -100,6 +102,27 @@ public abstract class AbstractX509AuthenticationTest extends AbstractTestRealmKe
return true; return true;
} }
@BeforeClass
public static void onBeforeTestClass() {
if (Boolean.parseBoolean(System.getProperty("auth.server.jboss"))) {
String authServerHome = System.getProperty("auth.server.home");
if (authServerHome != null && System.getProperty("auth.server.ssl.required") != null) {
authServerHome = authServerHome + "/standalone/configuration";
StringBuilder cliArgs = new StringBuilder();
cliArgs.append("--ignore-ssl-errors=true ");
cliArgs.append("--web-security=false ");
cliArgs.append("--ssl-certificates-path=" + authServerHome + "/ca.crt ");
cliArgs.append("--ssl-client-certificate-file=" + authServerHome + "/client.crt ");
cliArgs.append("--ssl-client-key-file=" + authServerHome + "/client.key ");
cliArgs.append("--ssl-client-key-passphrase=secret ");
System.setProperty("keycloak.phantomjs.cli.args", cliArgs.toString());
}
}
}
@Before @Before
public void configureFlows() { public void configureFlows() {
authMgmtResource = adminClient.realms().realm(REALM_NAME).flows(); authMgmtResource = adminClient.realms().realm(REALM_NAME).flows();
@ -301,6 +324,13 @@ public abstract class AbstractX509AuthenticationTest extends AbstractTestRealmKe
.setUserIdentityMapperType(USERNAME_EMAIL); .setUserIdentityMapperType(USERNAME_EMAIL);
} }
protected static X509AuthenticatorConfigModel createLoginSubjectAltNameEmail2UsernameOrEmailConfig() {
return new X509AuthenticatorConfigModel()
.setConfirmationPageAllowed(true)
.setMappingSourceType(SUBJECTALTNAME_EMAIL)
.setUserIdentityMapperType(USERNAME_EMAIL);
}
protected static X509AuthenticatorConfigModel createLoginSubjectEmailWithKeyUsage(String keyUsage) { protected static X509AuthenticatorConfigModel createLoginSubjectEmailWithKeyUsage(String keyUsage) {
return createLoginSubjectEmail2UsernameOrEmailConfig() return createLoginSubjectEmail2UsernameOrEmailConfig()
.setKeyUsage(keyUsage); .setKeyUsage(keyUsage);

View file

@ -0,0 +1,97 @@
/*
* Copyright 2018 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.testsuite.x509;
import org.jboss.arquillian.graphene.page.Page;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Test;
import org.keycloak.OAuth2Constants;
import org.keycloak.authentication.authenticators.x509.X509AuthenticatorConfigModel;
import org.keycloak.events.Details;
import org.keycloak.representations.idm.AuthenticatorConfigRepresentation;
import org.keycloak.testsuite.pages.AppPage;
import org.keycloak.testsuite.pages.LoginPage;
import org.keycloak.testsuite.pages.x509.X509IdentityConfirmationPage;
/**
* @author <a href="mailto:brat000012001@gmail.com">Peter Nalyvayko</a>
* @version $Revision: 1 $
* @date 8/12/2016
*/
public class X509BrowserLoginSubjectAltNameEmailTest extends AbstractX509AuthenticationTest {
@Page
protected AppPage appPage;
@Page
protected X509IdentityConfirmationPage loginConfirmationPage;
@Page
protected LoginPage loginPage;
@BeforeClass
public static void onBeforeTestClass() {
if (Boolean.parseBoolean(System.getProperty("auth.server.jboss"))) {
String authServerHome = System.getProperty("auth.server.home");
if (authServerHome != null && System.getProperty("auth.server.ssl.required") != null) {
authServerHome = authServerHome + "/standalone/configuration";
StringBuilder cliArgs = new StringBuilder();
cliArgs.append("--ignore-ssl-errors=true ");
cliArgs.append("--web-security=false ");
cliArgs.append("--ssl-certificates-path=" + authServerHome + "/ca.crt ");
cliArgs.append("--ssl-client-certificate-file=" + authServerHome + "/certs/clients/test-user-san-email@localhost.cert.pem ");
cliArgs.append("--ssl-client-key-file=" + authServerHome + "/certs/clients/test-user@localhost.key.pem ");
cliArgs.append("--ssl-client-key-passphrase=password");
System.setProperty("keycloak.phantomjs.cli.args", cliArgs.toString());
}
}
}
private void login(X509AuthenticatorConfigModel config, String userId, String username, String attemptedUsername) {
AuthenticatorConfigRepresentation cfg = newConfig("x509-browser-config", config.getConfig());
String cfgId = createConfig(browserExecution.getId(), cfg);
Assert.assertNotNull(cfgId);
loginConfirmationPage.open();
Assert.assertTrue(loginConfirmationPage.getSubjectDistinguishedNameText().equals("CN=test-user, OU=Keycloak, O=Red Hat, L=Boston, ST=MA, C=US"));
Assert.assertEquals(username, loginConfirmationPage.getUsernameText());
loginConfirmationPage.confirm();
Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());
Assert.assertNotNull(oauth.getCurrentQuery().get(OAuth2Constants.CODE));
events.expectLogin()
.user(userId)
.detail(Details.USERNAME, attemptedUsername)
.removeDetail(Details.REDIRECT_URI)
.assertEvent();
}
@Test
public void loginAsUserFromCertSubjectEmail() {
login(createLoginSubjectAltNameEmail2UsernameOrEmailConfig(), userId, "test-user@localhost", "test-user@localhost");
}
}

View file

@ -33,9 +33,6 @@
<property name="htmlUnit.version">${htmlUnitBrowserVersion}</property> <property name="htmlUnit.version">${htmlUnitBrowserVersion}</property>
<property name="htmlUnitWebClientOptions">cssEnabled=false;historyPageCacheLimit=1</property> <property name="htmlUnitWebClientOptions">cssEnabled=false;historyPageCacheLimit=1</property>
<!-- phantomjs -->
<property name="phantomjs.cli.args">${phantomjs.cli.args}</property>
<!-- firefox --> <!-- firefox -->
<property name="firefox_binary">${firefox_binary}</property> <property name="firefox_binary">${firefox_binary}</property>
<property name="firefoxLogLevel">OFF</property> <property name="firefoxLogLevel">OFF</property>
@ -59,7 +56,6 @@
<property name="firefox_binary">${firefox_binary}</property> <property name="firefox_binary">${firefox_binary}</property>
<property name="chromeDriverBinary">${webdriver.chrome.driver}</property> <property name="chromeDriverBinary">${webdriver.chrome.driver}</property>
<property name="chromeArguments">${js.chromeArguments}</property> <property name="chromeArguments">${js.chromeArguments}</property>
<property name="phantomjs.cli.args">${phantomjs.cli.args} --ssl-certificates-path=${client.certificate.ca.path} --ssl-client-certificate-file=${client.certificate.file} --ssl-client-key-file=${client.key.file} --ssl-client-key-passphrase=${client.key.passphrase}</property>
</extension> </extension>
<extension qualifier="graphene-secondbrowser"> <extension qualifier="graphene-secondbrowser">

View file

@ -108,7 +108,6 @@
<js.browser>phantomjs</js.browser> <js.browser>phantomjs</js.browser>
<js.chromeArguments>--headless</js.chromeArguments> <js.chromeArguments>--headless</js.chromeArguments>
<htmlUnitBrowserVersion>chrome</htmlUnitBrowserVersion> <htmlUnitBrowserVersion>chrome</htmlUnitBrowserVersion>
<phantomjs.cli.args>--ignore-ssl-errors=true --web-security=false --ssl-certificates-path=${client.certificate.ca.path} --ssl-client-certificate-file=${client.certificate.file} --ssl-client-key-file=${client.key.file} --ssl-client-key-passphrase=${client.key.passphrase}</phantomjs.cli.args>
<firefox_binary>/usr/bin/firefox</firefox_binary> <firefox_binary>/usr/bin/firefox</firefox_binary>
<firefoxLegacyDriver>true</firefoxLegacyDriver> <firefoxLegacyDriver>true</firefoxLegacyDriver>
<chromeBinary/> <chromeBinary/>
@ -285,7 +284,6 @@
<ieDriverArch>${ieDriverArch}</ieDriverArch> <ieDriverArch>${ieDriverArch}</ieDriverArch>
<firefox_binary>${firefox_binary}</firefox_binary> <firefox_binary>${firefox_binary}</firefox_binary>
<phantomjs.cli.args>${phantomjs.cli.args}</phantomjs.cli.args>
<chromeBinary>${chromeBinary}</chromeBinary> <chromeBinary>${chromeBinary}</chromeBinary>
<chromeArguments>${chromeArguments}</chromeArguments> <chromeArguments>${chromeArguments}</chromeArguments>