
Example 6 with KeyWrapper

use of org.keycloak.crypto.KeyWrapper in project keycloak by keycloak.

the class PublicKeyStorageManager method getClientPublicKey.

/**
 * Resolves the public key registered for the client that the given JWS input refers to.
 *
 * <p>Delegates to {@link #getClientPublicKeyWrapper} and unwraps its result.
 *
 * @param session current Keycloak session
 * @param client  client whose key material is looked up
 * @param input   JWS input handed through to the wrapper lookup
 * @return the client's public key, or {@code null} when no wrapper could be resolved
 */
public static PublicKey getClientPublicKey(KeycloakSession session, ClientModel client, JWSInput input) {
    KeyWrapper wrapper = getClientPublicKeyWrapper(session, client, input);
    if (wrapper == null) {
        return null;
    }
    // KeyWrapper exposes the key as a generic java.security.Key; callers expect a PublicKey here.
    return (PublicKey) wrapper.getPublicKey();
}

Example 7 with KeyWrapper

use of org.keycloak.crypto.KeyWrapper in project keycloak by keycloak.

the class TestingOIDCEndpointsApplicationResource method setOidcRequest.

/**
 * Stores an OIDC request object on {@code clientData}, either unsigned ({@code "none"}) or
 * signed with an HMAC key whose raw bytes are the UTF-8 encoding of {@code clientSecret}.
 *
 * @param oidcRequest  payload to serialise as the JWS content
 * @param jwaAlgorithm JWA algorithm name; must pass {@code isSupportedAlgorithm}
 * @param clientSecret client secret used verbatim as the HMAC key for the HS* algorithms
 * @throws BadRequestException if the algorithm is unsupported or not handled below
 */
private void setOidcRequest(Object oidcRequest, String jwaAlgorithm, String clientSecret) {
    if (!isSupportedAlgorithm(jwaAlgorithm)) {
        throw new BadRequestException("Unknown argument: " + jwaAlgorithm);
    }
    if ("none".equals(jwaAlgorithm)) {
        // Unsigned request object.
        clientData.setOidcRequest(new JWSBuilder().jsonContent(oidcRequest).none());
        return;
    }
    switch (jwaAlgorithm) {
        case Algorithm.HS256:
        case Algorithm.HS384:
        case Algorithm.HS512: {
            // The secret's UTF-8 bytes are the MAC key; no derivation is applied.
            SecretKey hmacKey = new SecretKeySpec(clientSecret.getBytes(StandardCharsets.UTF_8),
                    JavaAlgorithm.getJavaAlgorithm(jwaAlgorithm));
            String keyId = KeyUtils.createKeyId(hmacKey);
            KeyWrapper wrapper = new KeyWrapper();
            wrapper.setSecretKey(hmacKey);
            wrapper.setKid(keyId);
            wrapper.setAlgorithm(jwaAlgorithm);
            wrapper.setUse(KeyUse.SIG);
            wrapper.setType(KeyType.OCT);
            SignatureSignerContext signer = new MacSignatureSignerContext(wrapper);
            clientData.setOidcRequest(new JWSBuilder().kid(keyId).jsonContent(oidcRequest).sign(signer));
            break;
        }
        default:
            // isSupportedAlgorithm accepted it, but no signer is wired up for it here.
            throw new BadRequestException("Unknown jwaAlgorithm: " + jwaAlgorithm);
    }
}

Example 8 with KeyWrapper

use of org.keycloak.crypto.KeyWrapper in project keycloak by keycloak.

the class ClientPublicKeyLoader method loadKeys.

/**
 * Loads the client's key wrappers for {@code keyUse}, trying in order: a remote JWKS URL,
 * an inline JWKS string, and finally (for signature use only) the certificate or public
 * key stored on the client.
 *
 * @return keys indexed by kid; empty when nothing usable is configured or resolution fails
 * @throws Exception propagated from the JWKS fetch or JSON parsing
 */
@Override
public Map<String, KeyWrapper> loadKeys() throws Exception {
    OIDCAdvancedConfigWrapper advancedConfig = OIDCAdvancedConfigWrapper.fromClientModel(client);
    if (advancedConfig.isUseJwksUrl()) {
        String configuredUrl = advancedConfig.getJwksUrl();
        // The URL may be relative to the client's root URL.
        String resolvedUrl = ResolveRelative.resolveRelativeUri(session, client.getRootUrl(), configuredUrl);
        JSONWebKeySet remoteJwks = JWKSHttpUtils.sendJwksRequest(session, resolvedUrl);
        return JWKSUtils.getKeyWrappersForUse(remoteJwks, keyUse);
    }
    if (advancedConfig.isUseJwksString()) {
        JSONWebKeySet inlineJwks = JsonSerialization.readValue(advancedConfig.getJwksString(), JSONWebKeySet.class);
        return JWKSUtils.getKeyWrappersForUse(inlineJwks, keyUse);
    }
    if (keyUse != JWK.Use.SIG) {
        // Stored certificate/public key is only usable for signature verification.
        logger.warnf("Unable to retrieve publicKey of client '%s' for the specified purpose other than verifying signature", client.getClientId());
        return Collections.emptyMap();
    }
    try {
        CertificateRepresentation certInfo = CertificateInfoHelper.getCertificateFromClient(client, JWTClientAuthenticator.ATTR_PREFIX);
        KeyWrapper validationKey = getSignatureValidationKey(certInfo);
        return Collections.singletonMap(validationKey.getKid(), validationKey);
    } catch (ModelException me) {
        // Misconfigured client key material is logged and treated as "no keys".
        logger.warnf(me, "Unable to retrieve publicKey for verify signature of client '%s' . Error details: %s", client.getClientId(), me.getMessage());
        return Collections.emptyMap();
    }
}

Example 9 with KeyWrapper

use of org.keycloak.crypto.KeyWrapper in project keycloak by keycloak.

the class ClientPublicKeyLoader method getSignatureValidationKey.

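/**
 * Builds a signature-verification {@link KeyWrapper} from the certificate or public key
 * stored in the client's {@link CertificateRepresentation}.
 *
 * <p>Exactly one of certificate and public key must be present. The kid persisted with
 * the client is reused when available; otherwise one is derived from the key material.
 *
 * @param certInfo client certificate/public-key representation
 * @return wrapper marked {@code RS256}/{@code RSA}/{@code SIG} with kid, public key and,
 *         when a certificate was configured, the certificate itself
 * @throws ModelException if neither or both of certificate and public key are configured
 */
private static KeyWrapper getSignatureValidationKey(CertificateRepresentation certInfo) throws ModelException {
    String encodedCertificate = certInfo.getCertificate();
    String encodedPublicKey = certInfo.getPublicKey();
    if (encodedCertificate == null && encodedPublicKey == null) {
        throw new ModelException("Client doesn't have certificate or publicKey configured");
    }
    if (encodedCertificate != null && encodedPublicKey != null) {
        throw new ModelException("Client has both publicKey and certificate configured");
    }
    KeyWrapper keyWrapper = new KeyWrapper();
    // NOTE(review): algorithm and type are fixed to RS256/RSA without inspecting the decoded
    // key; confirm that only RSA material can be configured through this path.
    keyWrapper.setAlgorithm(Algorithm.RS256);
    keyWrapper.setType(KeyType.RSA);
    keyWrapper.setUse(KeyUse.SIG);
    if (encodedCertificate != null) {
        X509Certificate clientCert = KeycloakModelUtils.getCertificate(encodedCertificate);
        PublicKey certKey = clientCert.getPublicKey();
        keyWrapper.setKid(resolveKid(certInfo, certKey));
        keyWrapper.setPublicKey(certKey);
        keyWrapper.setCertificate(clientCert);
    } else {
        PublicKey publicKey = KeycloakModelUtils.getPublicKey(encodedPublicKey);
        keyWrapper.setKid(resolveKid(certInfo, publicKey));
        keyWrapper.setPublicKey(publicKey);
    }
    return keyWrapper;
}

/** Returns the kid stored with the client if present, otherwise one derived from the key. */
private static String resolveKid(CertificateRepresentation certInfo, PublicKey publicKey) {
    String storedKid = certInfo.getKid();
    return storedKid != null ? storedKid : KeyUtils.createKeyId(publicKey);
}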

Example 10 with KeyWrapper

use of org.keycloak.crypto.KeyWrapper in project keycloak by keycloak.

the class OIDCIdentityProviderPublicKeyLoader method loadKeys.

/**
 * Loads the identity provider's signature-verification keys: from its JWKS URL when one
 * is configured, otherwise from the public key saved on the provider.
 *
 * @return keys indexed by kid; empty when no saved key exists or retrieval fails
 * @throws Exception propagated from the JWKS fetch
 */
@Override
public Map<String, KeyWrapper> loadKeys() throws Exception {
    if (config.isUseJwksUrl()) {
        String jwksUrl = config.getJwksUrl();
        JSONWebKeySet jwks = JWKSHttpUtils.sendJwksRequest(session, jwksUrl);
        return JWKSUtils.getKeyWrappersForUse(jwks, JWK.Use.SIG);
    }
    try {
        KeyWrapper savedKey = getSavedPublicKey();
        return savedKey == null
                ? Collections.<String, KeyWrapper>emptyMap()
                : Collections.singletonMap(savedKey.getKid(), savedKey);
    } catch (Exception e) {
        // Any failure while reading the saved key is logged and reported as "no keys".
        logger.warnf(e, "Unable to retrieve publicKey for verify signature of identityProvider '%s' . Error details: %s", config.getAlias(), e.getMessage());
        return Collections.emptyMap();
    }
}
