Reorder X509 validation to check revocation after trust

Close #46742

Signed-off-by: rmartinc <rmartinc@redhat.com>
Ricardo Martin
2026-05-21 15:30:03 +02:00
committed by GitHub
parent 3b940e65b5
commit 7a76787e3e
2 changed files with 7 additions and 7 deletions
@@ -75,12 +75,12 @@ public class ValidateX509CertificateUsername extends AbstractX509ClientCertifica
try {
CertificateValidator.CertificateValidatorBuilder builder = certificateValidationParameters(context.getSession(), config);
CertificateValidator validator = builder.build(certs);
validator.checkRevocationStatus()
.validateTrust()
validator.validateTrust()
.validateTimestamps()
.validateKeyUsage()
.validateExtendedKeyUsage()
.validateTimestamps()
.validatePolicy();
.validatePolicy()
.checkRevocationStatus();
} catch(Exception e) {
logger.error(e.getMessage(), e);
// TODO use specific locale to load error messages
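Review bot: Nothing in the new chain records that the position of `checkRevocationStatus()` is now deliberate, so a later tidy-up could move it back in front of `validateTrust()` unnoticed. A comment above `validator.validateTrust()` would pin it, for example `// Order matters: check revocation last, only for a chain that already passed trust, validity, usage and policy checks.`, and the same comment belongs on the identical chain in X509ClientCertificateAuthenticator. Whether `validateTrust()` can be switched off by configuration is not visible here; if it can, the ordering alone does not keep revocation lookups away from certificates that never chained to a trusted anchor, and that case deserves its own check or a regression test. The enclosing method starts and ends outside this hunk.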
@@ -90,12 +90,12 @@ public class X509ClientCertificateAuthenticator extends AbstractX509ClientCertif
try {
CertificateValidator.CertificateValidatorBuilder builder = certificateValidationParameters(context.getSession(), config);
CertificateValidator validator = builder.build(certs);
validator.checkRevocationStatus()
.validateTrust()
validator.validateTrust()
.validateTimestamps()
.validateKeyUsage()
.validateExtendedKeyUsage()
.validatePolicy()
.validateTimestamps();
.checkRevocationStatus();
} catch(Exception e) {
logger.error(e.getMessage(), e);
// TODO use specific locale to load error messages
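Review bot: The six-call validation chain here is a copy of the one in ValidateX509CertificateUsername, and the two copies had already drifted before this commit: `validateTimestamps()` sat before `validatePolicy()` in one and at the very end in the other. Both classes appear, from the truncated hunk headers, to extend the same abstract X509 authenticator base class, so the chain could live in one protected method there that takes the built `CertificateValidator`, leaving each call site as a single line inside the existing `try`. That would keep the revocation-last ordering in one place instead of relying on two listings staying in step. The enclosing method starts and ends outside this hunk.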