Load client keys using SubjectPublicKeyInfo and upload jwks type into the jwks attributes for OIDC ones

Closes #33820

Signed-off-by: rmartinc <rmartinc@redhat.com>
rmartinc
2024-10-13 12:23:57 +02:00
committed by Marek Posolda
parent 01026fab79
commit 6d52520730
6 changed files with 138 additions and 49 deletions
@@ -17,6 +17,8 @@
package org.keycloak.crypto.def;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.keycloak.common.util.DerUtils;
import org.keycloak.common.util.PemException;
@@ -24,6 +26,7 @@ import org.keycloak.common.crypto.PemUtilsProvider;
import java.io.StringWriter;
import java.security.PrivateKey;
import java.security.PublicKey;
/**
* Encodes Key or Certificates to PEM format string
@@ -59,6 +62,22 @@ public class BCPemUtilsProvider extends PemUtilsProvider {
}
}
@Override
public PublicKey decodePublicKey(String pem) {
try {
// try to decode using SubjectPublicKeyInfo which allows to know the key type
SubjectPublicKeyInfo publicKeyInfo = SubjectPublicKeyInfo.getInstance(pemToDer(pem));
if (publicKeyInfo != null && publicKeyInfo.getAlgorithm() != null) {
return new JcaPEMKeyConverter().getPublicKey(publicKeyInfo);
}
} catch (Exception e) {
// error reading PEM object just go to previous RSA forced key
}
// assume RSA if it cannot be decoded from BC knowing the key
return decodePublicKey(pem, "RSA");
}
@Override
public PrivateKey decodePrivateKey(String pem) {
if (pem == null) {
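Review bot: The `catch (Exception e)` in the new decodePublicKey(String) swallows every failure — including a NullPointerException when `pem` is null — and then retries the same bytes as RSA, so a malformed or unsupported key surfaces only as an RSA error with the real cause discarded. Narrow the catch to what the two calls actually throw and keep the cause visible, e.g. `} catch (IllegalArgumentException | PEMException e) {` (plus PemException if pemToDer raises it) with a debug log of `e` before falling through, and reject a null `pem` up front the way decodePrivateKey's guard at the end of this hunk does; the body of decodePublicKey(pem, "RSA") is outside the hunk, so whatever contract it applies to null should be mirrored here. The same pattern is repeated in the BCFIPSPemUtilsProvider hunk at @@ -69,6 +68,22 @@. There `new JcaPEMKeyConverter()` is created without `.setProvider(...)`; since that file imports BouncyIntegration, presumably the rest of the class pins the FIPS provider, and if so the converter should be given `.setProvider(BouncyIntegration.PROVIDER)` so the returned PublicKey is not built by whichever default JCA provider happens to be installed.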
@@ -18,12 +18,12 @@
package org.keycloak.crypto.fips;
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.openssl.PEMKeyPair;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.keycloak.common.util.BouncyIntegration;
import org.keycloak.common.util.DerUtils;
import org.keycloak.common.util.PemException;
import org.keycloak.common.crypto.PemUtilsProvider;
import org.keycloak.common.util.PemUtils;
@@ -31,9 +31,8 @@ import org.keycloak.common.util.PemUtils;
import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.PublicKey;
/**
* Encodes Key or Certificates to PEM format string
@@ -69,6 +68,22 @@ public class BCFIPSPemUtilsProvider extends PemUtilsProvider {
}
}
@Override
public PublicKey decodePublicKey(String pem) {
try {
// try to decode using SubjectPublicKeyInfo which allows to know the key type
SubjectPublicKeyInfo publicKeyInfo = SubjectPublicKeyInfo.getInstance(pemToDer(pem));
if (publicKeyInfo != null && publicKeyInfo.getAlgorithm() != null) {
return new JcaPEMKeyConverter().getPublicKey(publicKeyInfo);
}
} catch (Exception e) {
// error reading PEM object just go to previous RSA forced key
}
// assume RSA if it cannot be decoded from BC knowing the key
return decodePublicKey(pem, "RSA");
}
@Override
public PrivateKey decodePrivateKey(String pem) {
if (pem == null) {