
Example 1 with KeyName

Use of javax.xml.crypto.dsig.keyinfo.KeyName in the keycloak project (by keycloak).

From class HttpAdapterUtilsTest, method testExtractKeysFromSamlDescriptor:

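/**
 * Verifies that {@code HttpAdapterUtils.extractKeysFromSamlDescriptor} reads the two signing
 * {@link KeyInfo} entries from the {@code saml-descriptor-valid.xml} test resource, and that
 * each entry carries exactly a {@link KeyName} with the expected value and an {@link X509Data}
 * whose certificate is signed with {@code SHA256withRSA}.
 *
 * @throws ParsingException if the descriptor cannot be parsed
 * @throws java.io.IOException if the resource stream cannot be closed
 */
@Test
public void testExtractKeysFromSamlDescriptor() throws ParsingException, java.io.IOException {
    final String signingKey = KeycloakSamlAdapterV1QNames.ATTR_SIGNING.getQName().getLocalPart();
    MultivaluedHashMap<String, KeyInfo> res;
    // try-with-resources: the resource stream was previously never closed
    try (InputStream xmlStream = HttpAdapterUtilsTest.class.getResourceAsStream("saml-descriptor-valid.xml")) {
        // a missing resource would otherwise surface as an obscure NPE inside the parser
        assertThat("test resource saml-descriptor-valid.xml not found", xmlStream, notNullValue());
        res = HttpAdapterUtils.extractKeysFromSamlDescriptor(xmlStream);
    }
    assertThat(res, notNullValue());
    assertThat(res.keySet(), hasItems(KeyTypes.SIGNING.value()));
    assertThat(res.get(signingKey), notNullValue());
    assertThat(res.get(signingKey).size(), equalTo(2));

    assertSigningKeyInfo(res.get(signingKey).get(0), "rJkJlvowmv1Id74GznieaAC5jU5QQp_ILzuG-GsweTI");
    assertSigningKeyInfo(res.get(signingKey).get(1), "BzYc4GwL8HVrAhNyNdp-lTah2DvU9jU03kby9Ynohr4");
}

/**
 * Asserts that {@code ki} holds exactly two children, a {@link KeyName} equal to
 * {@code expectedKeyName} and an {@link X509Data} containing an {@link X509Certificate}
 * signed with {@code SHA256withRSA}.
 *
 * @param ki the signing key entry under test
 * @param expectedKeyName the {@code KeyName} value the entry must carry
 */
private void assertSigningKeyInfo(KeyInfo ki, String expectedKeyName) {
    // typed matcher locals keep the generic inference of hasItem(instanceOf(...)) unambiguous
    Matcher<Iterable<? super XMLStructure>> x509DataMatcher = hasItem(instanceOf(X509Data.class));
    Matcher<Iterable<? super XMLStructure>> keyNameMatcher = hasItem(instanceOf(KeyName.class));

    assertThat(ki.getContent().size(), equalTo(2));
    assertThat((Iterable<? super XMLStructure>) ki.getContent(), x509DataMatcher);
    assertThat((Iterable<? super XMLStructure>) ki.getContent(), keyNameMatcher);

    KeyName keyName = getContent(ki.getContent(), KeyName.class);
    assertThat(keyName, notNullValue());
    assertThat(keyName.getName(), equalTo(expectedKeyName));

    X509Data x509data = getContent(ki.getContent(), X509Data.class);
    assertThat(x509data, notNullValue());
    X509Certificate x509certificate = getContent(x509data.getContent(), X509Certificate.class);
    assertThat(x509certificate, notNullValue());
    assertThat(x509certificate.getSigAlgName(), equalTo("SHA256withRSA"));
}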
Also used : KeyName(javax.xml.crypto.dsig.keyinfo.KeyName) KeyInfo(javax.xml.crypto.dsig.keyinfo.KeyInfo) InputStream(java.io.InputStream) XMLStructure(javax.xml.crypto.XMLStructure) X509Data(javax.xml.crypto.dsig.keyinfo.X509Data) X509Certificate(java.security.cert.X509Certificate) Test(org.junit.Test)

Example 2 with KeyName

Use of javax.xml.crypto.dsig.keyinfo.KeyName in the keycloak project (by keycloak).

From class SamlDescriptorPublicKeyLocator, method refreshCertificateCacheAndGet:

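/**
 * Re-downloads the SAML descriptor from {@code descriptorUrl}, rebuilds {@code publicKeyCache}
 * from the descriptor's signing certificates and returns the public key registered under
 * {@code kid}.
 * <p>
 * The cache is cleared only after the descriptor has been downloaded successfully, so a
 * failed refresh keeps the previously cached keys. Entries without a certificate or whose
 * certificate is outside its validity period are not cached. Certificates carrying a
 * {@code KeyName} are keyed by that name; others get a synthetic
 * {@code subject@serial$uuid} key (such entries cannot be hit by a {@code kid} lookup from
 * this method; presumably another lookup path consumes them - verify against callers).
 * <p>
 * NOTE(review): only the certificate validity period is checked here; no chain or trust
 * validation happens in this method, so the keys are only as trustworthy as the channel
 * {@code client} fetches the descriptor over.
 * <p>
 * {@code synchronized} on this instance; {@code lastRequestTime} is updated on every call
 * regardless of outcome.
 *
 * @param kid key identifier to look up after the refresh, may be {@code null}
 * @return the public key cached under {@code kid}, or {@code null} if {@code kid} is
 *         {@code null}, no descriptor URL is configured, the download failed, no signing
 *         keys were found, or {@code kid} is unknown
 */
private synchronized PublicKey refreshCertificateCacheAndGet(String kid) {
    if (this.descriptorUrl == null) {
        return null;
    }
    this.lastRequestTime = Time.currentTime();
    LOG.debugf("Refreshing public key cache from %s", this.descriptorUrl);
    List<KeyInfo> signingCerts;
    try {
        MultivaluedHashMap<String, KeyInfo> certs = HttpAdapterUtils.downloadKeysFromSamlDescriptor(client, this.descriptorUrl);
        signingCerts = certs.get(KeyTypes.SIGNING.value());
    } catch (HttpClientAdapterException ex) {
        LOG.error("Could not refresh certificates from the server", ex);
        return null;
    }
    if (signingCerts == null) {
        return null;
    }
    LOG.debugf("Certificates retrieved from server, filling public key cache");
    // Only clear cache after it is certain that the SAML descriptor has been read successfully
    this.publicKeyCache.clear();
    for (KeyInfo ki : signingCerts) {
        registerSigningCertificate(ki);
    }
    return (kid == null ? null : this.publicKeyCache.get(kid));
}

/**
 * Adds the certificate carried by {@code ki} to {@code publicKeyCache}, or skips it with a
 * debug log when {@code ki} has no certificate or the certificate is not currently valid.
 * Skipped entries used to be dropped silently, which made a descriptor full of expired
 * certificates indistinguishable from an empty one in the logs.
 *
 * @param ki one signing {@link KeyInfo} from the downloaded descriptor
 */
private void registerSigningCertificate(KeyInfo ki) {
    X509Certificate x509certificate = KeyInfoTools.getX509Certificate(ki);
    if (x509certificate == null) {
        LOG.debugf("Skipping signing KeyInfo without an X509Certificate: %s", ki);
        return;
    }
    try {
        // expired or not-yet-valid certificates must never enter the cache
        x509certificate.checkValidity();
    } catch (CertificateException ex) {
        LOG.debugf("Skipping signing certificate %s: %s", x509certificate.getSubjectX500Principal(), ex.getMessage());
        return;
    }
    PublicKey publicKey = x509certificate.getPublicKey();
    KeyName keyName = KeyInfoTools.getKeyName(ki);
    if (keyName != null) {
        LOG.tracef("Registering signing certificate %s", keyName.getName());
        this.publicKeyCache.put(keyName.getName(), publicKey);
    } else {
        // no KeyName: build a key that is unique per certificate (and per refresh, via the UUID)
        final X500Principal principal = x509certificate.getSubjectX500Principal();
        String name = (principal == null ? "unnamed" : principal.getName()) + "@" + x509certificate.getSerialNumber() + "$" + UUID.randomUUID();
        this.publicKeyCache.put(name, publicKey);
        LOG.tracef("Adding certificate %s without a specific key name: %s", name, x509certificate);
    }
}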
Also used : KeyName(javax.xml.crypto.dsig.keyinfo.KeyName) KeyInfo(javax.xml.crypto.dsig.keyinfo.KeyInfo) X500Principal(javax.security.auth.x500.X500Principal) CertificateException(java.security.cert.CertificateException) HttpClientAdapterException(org.keycloak.adapters.cloned.HttpClientAdapterException) X509Certificate(java.security.cert.X509Certificate)

Aggregations

X509Certificate (java.security.cert.X509Certificate)2 KeyInfo (javax.xml.crypto.dsig.keyinfo.KeyInfo)2 KeyName (javax.xml.crypto.dsig.keyinfo.KeyName)2 InputStream (java.io.InputStream)1 CertificateException (java.security.cert.CertificateException)1 X500Principal (javax.security.auth.x500.X500Principal)1 XMLStructure (javax.xml.crypto.XMLStructure)1 X509Data (javax.xml.crypto.dsig.keyinfo.X509Data)1 Test (org.junit.Test)1 HttpClientAdapterException (org.keycloak.adapters.cloned.HttpClientAdapterException)1