use of org.keycloak.crypto.KeyUse in project keycloak by keycloak.
the class DefaultKeyManager method getActiveKey.
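/**
 * Returns the active key of the requested use and algorithm for {@code realm}.
 *
 * <p>The realm's key providers are consulted first. If none of them yields an active key, the first
 * {@link KeyProviderFactory} whose {@code createFallbackKeys} reports success is asked to create fallback
 * keys, the realm's entry in {@code providersMap} is dropped so the provider list is re-resolved, and the
 * lookup is retried once.
 *
 * @param realm     realm whose keys are looked up
 * @param use       intended key use
 * @param algorithm algorithm the key must support
 * @return the active key; never {@code null}
 * @throws RuntimeException if neither the configured providers nor a fallback provider supply a key
 */
@Override
public KeyWrapper getActiveKey(RealmModel realm, KeyUse use, String algorithm) {
    KeyWrapper activeKey = getActiveKey(getProviders(realm), realm, use, algorithm);
    if (activeKey != null) {
        return activeKey;
    }
    logger.debugv("Failed to find active key for realm, trying fallback: realm={0} algorithm={1} use={2}", realm.getName(), algorithm, use.name());
    Optional<KeyProviderFactory> keyProviderFactory = session.getKeycloakSessionFactory()
            .getProviderFactoriesStream(KeyProvider.class)
            .map(KeyProviderFactory.class::cast)
            .filter(kf -> kf.createFallbackKeys(session, use, algorithm))
            .findFirst();
    if (keyProviderFactory.isPresent()) {
        // Forget the realm's providersMap entry so that getProviders(realm) is re-evaluated
        // (presumably it reads providersMap) and the newly created fallback provider is picked up.
        providersMap.remove(realm.getId());
        List<KeyProvider> providers = getProviders(realm);
        activeKey = getActiveKey(providers, realm, use, algorithm);
        if (activeKey != null) {
            logger.infov("No keys found for realm={0} and algorithm={1} for use={2}. Generating keys.", realm.getName(), algorithm, use.name());
            return activeKey;
        }
    }
    // Placeholder {2} must be balanced, otherwise the formatted message is garbled.
    logger.errorv("Failed to create fallback key for realm: realm={0} algorithm={1} use={2}", realm.getName(), algorithm, use.name());
    throw new RuntimeException("Failed to find key: realm=" + realm.getName() + " algorithm=" + algorithm + " use=" + use.name());
}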
use of org.keycloak.crypto.KeyUse in project keycloak by keycloak.
the class ImportedRsaKeyProvider method loadKey.
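/**
 * Builds the key wrapper for an imported RSA key: the PEM-encoded private key and certificate held in the
 * component configuration are decoded, the public key is derived from the private key, and the key use is
 * read from {@code Attributes.KEY_USE} (defaulting to {@code SIG}).
 *
 * @param realm realm the component belongs to (not referenced here)
 * @param model component configuration holding the PEM material and the key use
 * @return the wrapped key pair and certificate
 */
@Override
public KeyWrapper loadKey(RealmModel realm, ComponentModel model) {
    String privateRsaKeyPem = model.getConfig().getFirst(Attributes.PRIVATE_KEY_KEY);
    String certificatePem = model.getConfig().getFirst(Attributes.CERTIFICATE_KEY);
    PrivateKey privateKey = PemUtils.decodePrivateKey(privateRsaKeyPem);
    PublicKey publicKey = KeyUtils.extractPublicKey(privateKey);
    KeyPair keyPair = new KeyPair(publicKey, privateKey);
    X509Certificate certificate = PemUtils.decodeCertificate(certificatePem);
    // Upper-case with a fixed locale: under a Turkish default locale "sig" becomes "SİG",
    // which KeyUse.valueOf rejects.
    KeyUse keyUse = KeyUse.valueOf(model.get(Attributes.KEY_USE, KeyUse.SIG.name()).toUpperCase(java.util.Locale.ROOT));
    return createKeyWrapper(keyPair, certificate, keyUse);
}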
use of org.keycloak.crypto.KeyUse in project keycloak by keycloak.
the class JavaKeystoreKeyProvider method loadKey.
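/**
 * Loads the realm key pair from the JKS keystore referenced by the component configuration.
 *
 * <p>The keystore file, keystore password, key alias and key password are taken from the
 * {@code JavaKeystoreKeyProviderFactory} configuration keys. When the alias carries no certificate a V1
 * self-signed certificate named after the realm is generated instead. The key use is read from
 * {@code Attributes.KEY_USE} (defaulting to {@code SIG}).
 *
 * @param realm realm the component belongs to; used only to name a generated certificate
 * @param model component configuration
 * @return the wrapped key pair, certificate and certificate chain
 * @throws RuntimeException wrapping the underlying I/O or security exception, or when the alias is
 *         missing from the keystore or does not hold a private key
 */
@Override
protected KeyWrapper loadKey(RealmModel realm, ComponentModel model) {
    try (FileInputStream is = new FileInputStream(model.get(JavaKeystoreKeyProviderFactory.KEYSTORE_KEY))) {
        // This provider only reads JKS keystores.
        KeyStore keyStore = KeyStore.getInstance("JKS");
        keyStore.load(is, model.get(JavaKeystoreKeyProviderFactory.KEYSTORE_PASSWORD_KEY).toCharArray());
        String keyAlias = model.get(JavaKeystoreKeyProviderFactory.KEY_ALIAS_KEY);
        // getKey() returns null for an unknown alias and may return a non-private key (e.g. a secret
        // key entry); fail with a message naming the alias instead of an NPE or ClassCastException.
        java.security.Key key = keyStore.getKey(keyAlias, model.get(JavaKeystoreKeyProviderFactory.KEY_PASSWORD_KEY).toCharArray());
        if (key == null) {
            throw new RuntimeException("Key alias not found in keystore: " + keyAlias);
        }
        if (!(key instanceof PrivateKey)) {
            throw new RuntimeException("Key alias does not hold a private key: " + keyAlias);
        }
        PrivateKey privateKey = (PrivateKey) key;
        PublicKey publicKey = KeyUtils.extractPublicKey(privateKey);
        KeyPair keyPair = new KeyPair(publicKey, privateKey);
        X509Certificate certificate = (X509Certificate) keyStore.getCertificate(keyAlias);
        if (certificate == null) {
            certificate = CertificateUtils.generateV1SelfSignedCertificate(keyPair, realm.getName());
        }
        // Upper-case with a fixed locale: under a Turkish default locale "sig" becomes "SİG",
        // which KeyUse.valueOf rejects.
        KeyUse keyUse = KeyUse.valueOf(model.get(Attributes.KEY_USE, KeyUse.SIG.getSpecName()).toUpperCase(java.util.Locale.ROOT));
        return createKeyWrapper(keyPair, certificate, loadCertificateChain(keyStore, keyAlias), keyUse);
    } catch (KeyStoreException kse) {
        throw new RuntimeException("KeyStore error on server. " + kse.getMessage(), kse);
    } catch (FileNotFoundException fnfe) {
        throw new RuntimeException("File not found on server. " + fnfe.getMessage(), fnfe);
    } catch (IOException ioe) {
        throw new RuntimeException("IO error on server. " + ioe.getMessage(), ioe);
    } catch (NoSuchAlgorithmException nsae) {
        throw new RuntimeException("Algorithm not available on server. " + nsae.getMessage(), nsae);
    } catch (CertificateException ce) {
        throw new RuntimeException("Certificate error on server. " + ce.getMessage(), ce);
    } catch (UnrecoverableKeyException uke) {
        throw new RuntimeException("Keystore on server can not be recovered. " + uke.getMessage(), uke);
    } catch (GeneralSecurityException gse) {
        // Remaining checked security failures come from loadCertificateChain.
        throw new RuntimeException("Invalid certificate chain. Check the order of certificates.", gse);
    }
}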
use of org.keycloak.crypto.KeyUse in project keycloak by keycloak.
the class TestingOIDCEndpointsApplicationResource method getJwks.
/**
 * Advertises the client's current key pair as a JWK set.
 *
 * <p>An RSA key pair is published as an RSA JWK carrying the stored key use, an EC key pair as an EC JWK;
 * when no key pair has been generated or the key type is not RSA/EC the set is empty. The algorithm
 * stored on {@code clientData} (possibly {@code null}) is passed through to the JWK builder.
 *
 * @return the JWK set to serve at {@code /get-jwks}
 */
@GET
@Produces(MediaType.APPLICATION_JSON)
@Path("/get-jwks")
@NoCache
public JSONWebKeySet getJwks() {
    JSONWebKeySet result = new JSONWebKeySet();
    KeyPair pair = clientData.getKeyPair();
    String alg = clientData.getKeyAlgorithm();
    String type = clientData.getKeyType();
    KeyUse use = clientData.getKeyUse();
    JWK[] advertised;
    if (pair == null) {
        advertised = new JWK[] {};
    } else if (KeyType.RSA.equals(type)) {
        advertised = new JWK[] { JWKBuilder.create().algorithm(alg).rsa(pair.getPublic(), use) };
    } else if (KeyType.EC.equals(type)) {
        advertised = new JWK[] { JWKBuilder.create().algorithm(alg).ec(pair.getPublic()) };
    } else {
        advertised = new JWK[] {};
    }
    result.setKeys(advertised);
    return result;
}
use of org.keycloak.crypto.KeyUse in project keycloak by keycloak.
the class TestingOIDCEndpointsApplicationResource method generateKeys.
/**
 * Generates a fresh key pair for the test client and stores it on {@code clientData}.
 *
 * <p>RS*/PS* algorithms produce a 2048-bit RSA signing key, ES256/ES384/ES512 an EC key on secp256r1,
 * secp384r1 or secp521r1, and the RSA JWE key-management algorithms a 2048-bit RSA key marked for
 * encryption. The algorithm is also stored on {@code clientData} unless {@code advertiseJWKAlgorithm}
 * is explicitly non-true.
 *
 * @param jwaAlgorithm          JWA algorithm name; {@code null} selects RS256
 * @param advertiseJWKAlgorithm whether the algorithm is recorded for the JWK set; {@code null} means yes
 * @return the generated keys in PEM form, as produced by {@code getKeysAsPem()}
 * @throws BadRequestException for an unsupported algorithm or any failure during generation
 */
@GET
@Produces(MediaType.APPLICATION_JSON)
@Path("/generate-keys")
@NoCache
public Map<String, String> generateKeys(@QueryParam("jwaAlgorithm") String jwaAlgorithm, @QueryParam("advertiseJWKAlgorithm") Boolean advertiseJWKAlgorithm) {
    try {
        String algorithm = jwaAlgorithm == null ? Algorithm.RS256 : jwaAlgorithm;
        KeyUse use = KeyUse.SIG;
        String type;
        KeyPair pair;
        switch (algorithm) {
            case Algorithm.RS256:
            case Algorithm.RS384:
            case Algorithm.RS512:
            case Algorithm.PS256:
            case Algorithm.PS384:
            case Algorithm.PS512:
                type = KeyType.RSA;
                pair = KeyUtils.generateRsaKeyPair(2048);
                break;
            case Algorithm.ES256:
                type = KeyType.EC;
                pair = generateEcdsaKey("secp256r1");
                break;
            case Algorithm.ES384:
                type = KeyType.EC;
                pair = generateEcdsaKey("secp384r1");
                break;
            case Algorithm.ES512:
                type = KeyType.EC;
                pair = generateEcdsaKey("secp521r1");
                break;
            case JWEConstants.RSA1_5:
            case JWEConstants.RSA_OAEP:
            case JWEConstants.RSA_OAEP_256:
                // RSA key used as a JWE key-encryption key, hence the ENC use.
                type = KeyType.RSA;
                use = KeyUse.ENC;
                pair = KeyUtils.generateRsaKeyPair(2048);
                break;
            default:
                throw new RuntimeException("Unsupported signature algorithm");
        }
        clientData.setKeyPair(pair);
        clientData.setKeyType(type);
        boolean advertise = advertiseJWKAlgorithm == null || Boolean.TRUE.equals(advertiseJWKAlgorithm);
        clientData.setKeyAlgorithm(advertise ? algorithm : null);
        clientData.setKeyUse(use);
    } catch (Exception e) {
        // Resource boundary: every failure, including the unsupported-algorithm case above, is
        // reported to the caller as a bad request with the cause attached.
        throw new BadRequestException("Error generating signing keypair", e);
    }
    return getKeysAsPem();
}