
Example 1 with KeyUse

use of org.keycloak.crypto.KeyUse in project keycloak by keycloak.

the class DefaultKeyManager method getActiveKey.

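/**
 * Returns the active key of the given realm for the requested use and algorithm.
 * <p>
 * The realm's configured key providers are consulted first. If none of them yields an
 * active key, the registered {@link KeyProviderFactory} instances are asked to create
 * fallback keys; the first factory that does so triggers a reload of the realm's providers
 * and a second lookup.
 *
 * @param realm     realm whose keys are searched
 * @param use       intended key use (e.g. {@code SIG}, {@code ENC})
 * @param algorithm algorithm the key must support
 * @return the active key, never {@code null}
 * @throws RuntimeException if no active key exists and no factory could create a fallback key
 */
@Override
public KeyWrapper getActiveKey(RealmModel realm, KeyUse use, String algorithm) {
    KeyWrapper activeKey = getActiveKey(getProviders(realm), realm, use, algorithm);
    if (activeKey != null) {
        return activeKey;
    }
    logger.debugv("Failed to find active key for realm, trying fallback: realm={0} algorithm={1} use={2}", realm.getName(), algorithm, use.name());
    Optional<KeyProviderFactory> keyProviderFactory = session.getKeycloakSessionFactory()
            .getProviderFactoriesStream(KeyProvider.class)
            .map(KeyProviderFactory.class::cast)
            .filter(kf -> kf.createFallbackKeys(session, use, algorithm))
            .findFirst();
    if (keyProviderFactory.isPresent()) {
        // Presumably a per-realm provider cache: dropping the entry forces getProviders() to
        // rebuild the list so the freshly created fallback keys are visible to the retry.
        providersMap.remove(realm.getId());
        List<KeyProvider> providers = getProviders(realm);
        activeKey = getActiveKey(providers, realm, use, algorithm);
        if (activeKey != null) {
            logger.infov("No keys found for realm={0} and algorithm={1} for use={2}. Generating keys.", realm.getName(), algorithm, use.name());
            return activeKey;
        }
    }
    // Placeholder {2} must be closed, otherwise the key use is missing from the error line.
    logger.errorv("Failed to create fallback key for realm: realm={0} algorithm={1} use={2}", realm.getName(), algorithm, use.name());
    throw new RuntimeException("Failed to find key: realm=" + realm.getName() + " algorithm=" + algorithm + " use=" + use.name());
}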

Example 2 with KeyUse

use of org.keycloak.crypto.KeyUse in project keycloak by keycloak.

the class ImportedRsaKeyProvider method loadKey.

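/**
 * Builds a {@link KeyWrapper} from the RSA private key and certificate stored as PEM text in
 * the provider's component configuration.
 *
 * @param realm realm the provider belongs to (not used by this implementation)
 * @param model component configuration holding the PEM-encoded private key, the PEM-encoded
 *              certificate and, optionally, the key use (defaults to {@code SIG})
 * @return the wrapped key pair, certificate and key use
 */
@Override
public KeyWrapper loadKey(RealmModel realm, ComponentModel model) {
    String privateRsaKeyPem = model.getConfig().getFirst(Attributes.PRIVATE_KEY_KEY);
    String certificatePem = model.getConfig().getFirst(Attributes.CERTIFICATE_KEY);
    PrivateKey privateKey = PemUtils.decodePrivateKey(privateRsaKeyPem);
    // The public half is derived from the private key rather than taken from the certificate.
    PublicKey publicKey = KeyUtils.extractPublicKey(privateKey);
    KeyPair keyPair = new KeyPair(publicKey, privateKey);
    X509Certificate certificate = PemUtils.decodeCertificate(certificatePem);
    // Locale.ROOT keeps the enum lookup independent of the server's default locale; with a
    // locale-sensitive upper-casing (e.g. Turkish) "sig" would not map onto KeyUse.SIG.
    KeyUse keyUse = KeyUse.valueOf(model.get(Attributes.KEY_USE, KeyUse.SIG.name()).toUpperCase(java.util.Locale.ROOT));
    return createKeyWrapper(keyPair, certificate, keyUse);
}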

Example 3 with KeyUse

use of org.keycloak.crypto.KeyUse in project keycloak by keycloak.

the class JavaKeystoreKeyProvider method loadKey.

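/**
 * Loads the configured key pair from a Java keystore file on the server.
 * <p>
 * Keystore path, keystore password, key alias and key password all come from the component
 * configuration. If the keystore holds no certificate for the alias, a self-signed V1
 * certificate is generated with the realm name as subject so the key can still be published.
 *
 * @param realm realm the provider belongs to; its name is used for a generated certificate
 * @param model component configuration with the keystore location, credentials and key use
 * @return the wrapped key pair, certificate, certificate chain and key use
 * @throws RuntimeException wrapping the underlying keystore, I/O or security failure, or if
 *         the configured alias does not refer to a key entry in the keystore
 */
@Override
protected KeyWrapper loadKey(RealmModel realm, ComponentModel model) {
    try (FileInputStream is = new FileInputStream(model.get(JavaKeystoreKeyProviderFactory.KEYSTORE_KEY))) {
        // Keystore type is hard-coded to JKS.
        KeyStore keyStore = KeyStore.getInstance("JKS");
        keyStore.load(is, model.get(JavaKeystoreKeyProviderFactory.KEYSTORE_PASSWORD_KEY).toCharArray());
        String keyAlias = model.get(JavaKeystoreKeyProviderFactory.KEY_ALIAS_KEY);
        PrivateKey privateKey = (PrivateKey) keyStore.getKey(keyAlias, model.get(JavaKeystoreKeyProviderFactory.KEY_PASSWORD_KEY).toCharArray());
        // KeyStore.getKey() returns null for an unknown alias; fail here with the alias in the
        // message instead of an unexplained NullPointerException from extractPublicKey().
        if (privateKey == null) {
            throw new RuntimeException("Key alias not found in keystore: " + keyAlias);
        }
        PublicKey publicKey = KeyUtils.extractPublicKey(privateKey);
        KeyPair keyPair = new KeyPair(publicKey, privateKey);
        X509Certificate certificate = (X509Certificate) keyStore.getCertificate(keyAlias);
        if (certificate == null) {
            certificate = CertificateUtils.generateV1SelfSignedCertificate(keyPair, realm.getName());
        }
        // Locale.ROOT keeps the enum lookup independent of the server's default locale.
        KeyUse keyUse = KeyUse.valueOf(model.get(Attributes.KEY_USE, KeyUse.SIG.getSpecName()).toUpperCase(java.util.Locale.ROOT));
        return createKeyWrapper(keyPair, certificate, loadCertificateChain(keyStore, keyAlias), keyUse);
    } catch (KeyStoreException kse) {
        throw new RuntimeException("KeyStore error on server. " + kse.getMessage(), kse);
    } catch (FileNotFoundException fnfe) {
        throw new RuntimeException("File not found on server. " + fnfe.getMessage(), fnfe);
    } catch (IOException ioe) {
        throw new RuntimeException("IO error on server. " + ioe.getMessage(), ioe);
    } catch (NoSuchAlgorithmException nsae) {
        throw new RuntimeException("Algorithm not available on server. " + nsae.getMessage(), nsae);
    } catch (CertificateException ce) {
        throw new RuntimeException("Certificate error on server. " + ce.getMessage(), ce);
    } catch (UnrecoverableKeyException uke) {
        throw new RuntimeException("Keystore on server can not be recovered. " + uke.getMessage(), uke);
    } catch (GeneralSecurityException gse) {
        // Catch-all for the remaining GeneralSecurityException subtypes raised by loadCertificateChain.
        throw new RuntimeException("Invalid certificate chain. Check the order of certificates.", gse);
    }
}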

Example 4 with KeyUse

use of org.keycloak.crypto.KeyUse in project keycloak by keycloak.

the class TestingOIDCEndpointsApplicationResource method getJwks.

/**
 * Publishes the test client's current public key as a JWKS document.
 * <p>
 * The key set is empty when no key pair has been generated yet or when the stored key type is
 * neither RSA nor EC. As called here, only the RSA builder receives the key-use attribute.
 *
 * @return a key set holding at most one JWK
 */
@GET
@Produces(MediaType.APPLICATION_JSON)
@Path("/get-jwks")
@NoCache
public JSONWebKeySet getJwks() {
    KeyPair pair = clientData.getKeyPair();
    String alg = clientData.getKeyAlgorithm();
    String kty = clientData.getKeyType();
    KeyUse use = clientData.getKeyUse();

    JWK[] keys = new JWK[] {};
    if (pair != null) {
        if (KeyType.RSA.equals(kty)) {
            keys = new JWK[] { JWKBuilder.create().algorithm(alg).rsa(pair.getPublic(), use) };
        } else if (KeyType.EC.equals(kty)) {
            keys = new JWK[] { JWKBuilder.create().algorithm(alg).ec(pair.getPublic()) };
        }
    }

    JSONWebKeySet result = new JSONWebKeySet();
    result.setKeys(keys);
    return result;
}

Example 5 with KeyUse

use of org.keycloak.crypto.KeyUse in project keycloak by keycloak.

the class TestingOIDCEndpointsApplicationResource method generateKeys.

/**
 * Generates a fresh key pair for the test client and stores it in {@code clientData}.
 * <p>
 * RS*/PS* algorithms produce a 2048-bit RSA signing key, ES* algorithms an EC key on the
 * matching curve (secp256r1, secp384r1, secp521r1), and the RSA JWE key-management algorithms
 * a 2048-bit RSA key marked for encryption. {@code RS256} is assumed when no algorithm is given.
 *
 * @param jwaAlgorithm          JWA algorithm name; {@code null} selects RS256
 * @param advertiseJWKAlgorithm whether the stored key algorithm is set; {@code null} behaves
 *                              like {@code true}, only an explicit {@code false} clears it
 * @return the generated keys rendered as PEM, as produced by {@code getKeysAsPem()}
 * @throws BadRequestException if the algorithm is unsupported or key generation fails
 */
@GET
@Produces(MediaType.APPLICATION_JSON)
@Path("/generate-keys")
@NoCache
public Map<String, String> generateKeys(@QueryParam("jwaAlgorithm") String jwaAlgorithm, @QueryParam("advertiseJWKAlgorithm") Boolean advertiseJWKAlgorithm) {
    try {
        String algorithm = jwaAlgorithm == null ? Algorithm.RS256 : jwaAlgorithm;
        KeyUse use = KeyUse.SIG;
        String kty;
        KeyPair pair;
        switch (algorithm) {
            case Algorithm.RS256:
            case Algorithm.RS384:
            case Algorithm.RS512:
            case Algorithm.PS256:
            case Algorithm.PS384:
            case Algorithm.PS512:
                kty = KeyType.RSA;
                pair = KeyUtils.generateRsaKeyPair(2048);
                break;
            case Algorithm.ES256:
                kty = KeyType.EC;
                pair = generateEcdsaKey("secp256r1");
                break;
            case Algorithm.ES384:
                kty = KeyType.EC;
                pair = generateEcdsaKey("secp384r1");
                break;
            case Algorithm.ES512:
                kty = KeyType.EC;
                pair = generateEcdsaKey("secp521r1");
                break;
            case JWEConstants.RSA1_5:
            case JWEConstants.RSA_OAEP:
            case JWEConstants.RSA_OAEP_256:
                // RSA key acting as JWE key-encryption key, hence ENC instead of SIG.
                kty = KeyType.RSA;
                use = KeyUse.ENC;
                pair = KeyUtils.generateRsaKeyPair(2048);
                break;
            default:
                throw new RuntimeException("Unsupported signature algorithm");
        }
        clientData.setKeyPair(pair);
        clientData.setKeyType(kty);
        // null and TRUE both advertise the algorithm; only an explicit FALSE suppresses it.
        clientData.setKeyAlgorithm(Boolean.FALSE.equals(advertiseJWKAlgorithm) ? null : algorithm);
        clientData.setKeyUse(use);
    } catch (Exception e) {
        throw new BadRequestException("Error generating signing keypair", e);
    }
    return getKeysAsPem();
}
