
Example 6 with CertificateRepresentation

use of org.keycloak.representations.idm.CertificateRepresentation in project keycloak by keycloak.

the class CertificateInfoHelper method getCertificateFromClient.

// CLIENT MODEL METHODS
/**
 * Reads the key material stored on a client into a {@link CertificateRepresentation}.
 *
 * <p>Each part lives in its own client attribute named {@code <attributePrefix>.<suffix>}.
 * The private key attribute is copied too, so the returned object may carry secret material;
 * callers that hand it out must decide whether that is appropriate.
 *
 * @param client          the client whose attributes are read
 * @param attributePrefix prefix shared by the four attribute names
 * @return a representation whose fields are null for attributes the client does not have
 */
public static CertificateRepresentation getCertificateFromClient(ClientModel client, String attributePrefix) {
    String prefix = attributePrefix + ".";
    CertificateRepresentation rep = new CertificateRepresentation();
    rep.setCertificate(client.getAttribute(prefix + X509CERTIFICATE));
    rep.setPublicKey(client.getAttribute(prefix + PUBLIC_KEY));
    rep.setPrivateKey(client.getAttribute(prefix + PRIVATE_KEY));
    rep.setKid(client.getAttribute(prefix + KID));
    return rep;
}

Example 7 with CertificateRepresentation

use of org.keycloak.representations.idm.CertificateRepresentation in project keycloak by keycloak.

the class SamlProtocolFactory method setupClientDefaults.

/**
 * Fills in SAML defaults for a freshly created client.
 *
 * <p>Only settings the incoming representation leaves unset receive a default, so explicit
 * values from the caller always win. When the client ends up requiring signed requests and
 * has no signing certificate yet, a key pair and certificate are generated and stored on it.
 *
 * @param clientRep the representation the client is being created from
 * @param newClient the model the defaults are written to
 */
@Override
public void setupClientDefaults(ClientRepresentation clientRep, ClientModel newClient) {
    SamlRepresentationAttributes requested = new SamlRepresentationAttributes(clientRep.getAttributes());
    SamlClient samlClient = new SamlClient(newClient);

    if (clientRep.isStandardFlowEnabled() == null) {
        newClient.setStandardFlowEnabled(true);
    }
    if (requested.getCanonicalizationMethod() == null) {
        samlClient.setCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE);
    }
    if (requested.getSignatureAlgorithm() == null) {
        samlClient.setSignatureAlgorithm(SignatureAlgorithm.RSA_SHA256);
    }
    if (requested.getNameIDFormat() == null) {
        samlClient.setNameIDFormat("username");
    }
    if (requested.getIncludeAuthnStatement() == null) {
        samlClient.setIncludeAuthnStatement(true);
    }
    if (requested.getForceNameIDFormat() == null) {
        samlClient.setForceNameIDFormat(false);
    }
    if (requested.getSamlServerSignature() == null) {
        samlClient.setRequiresRealmSignature(true);
    }
    if (requested.getForcePostBinding() == null) {
        samlClient.setForcePostBinding(true);
    }
    if (requested.getClientSignature() == null) {
        samlClient.setRequiresClientSignature(true);
    }

    // The client-signature default above must be settled before deciding whether a key pair is needed.
    boolean needsSigningCertificate = samlClient.requiresClientSignature()
            && samlClient.getClientSigningCertificate() == null;
    if (needsSigningCertificate) {
        CertificateRepresentation generated = KeycloakModelUtils.generateKeyPairCertificate(newClient.getClientId());
        samlClient.setClientSigningCertificate(generated.getCertificate());
        samlClient.setClientSigningPrivateKey(generated.getPrivateKey());
    }

    if (clientRep.isFrontchannelLogout() == null) {
        newClient.setFrontchannelLogout(true);
    }
    samlClient.setArtifactBindingIdentifierFrom(clientRep.getClientId());
}

Example 8 with CertificateRepresentation

use of org.keycloak.representations.idm.CertificateRepresentation in project keycloak by keycloak.

the class ClientPublicKeyLoader method loadKeys.

/**
 * Loads the client's public keys for {@code keyUse}, in order of preference:
 * a client-configured JWKS URL, an inline JWKS string, or (for signature use only)
 * the certificate/public key stored in the client's attributes.
 *
 * <p>NOTE(review): the JWKS URL is taken from client configuration; any restriction on
 * where it may point is left to ResolveRelative/JWKSHttpUtils - confirm against those helpers.
 *
 * @return the keys keyed by kid; an empty map when no key can be obtained for the requested use
 * @throws Exception propagated from JWKS retrieval or parsing
 */
@Override
public Map<String, KeyWrapper> loadKeys() throws Exception {
    OIDCAdvancedConfigWrapper config = OIDCAdvancedConfigWrapper.fromClientModel(client);

    if (config.isUseJwksUrl()) {
        String configuredUrl = config.getJwksUrl();
        String resolvedUrl = ResolveRelative.resolveRelativeUri(session, client.getRootUrl(), configuredUrl);
        JSONWebKeySet remoteJwks = JWKSHttpUtils.sendJwksRequest(session, resolvedUrl);
        return JWKSUtils.getKeyWrappersForUse(remoteJwks, keyUse);
    }

    if (config.isUseJwksString()) {
        JSONWebKeySet inlineJwks = JsonSerialization.readValue(config.getJwksString(), JSONWebKeySet.class);
        return JWKSUtils.getKeyWrappersForUse(inlineJwks, keyUse);
    }

    // Stored client certificates are only usable for signature verification.
    if (keyUse != JWK.Use.SIG) {
        logger.warnf("Unable to retrieve publicKey of client '%s' for the specified purpose other than verifying signature", client.getClientId());
        return Collections.emptyMap();
    }

    try {
        CertificateRepresentation certInfo = CertificateInfoHelper.getCertificateFromClient(client, JWTClientAuthenticator.ATTR_PREFIX);
        KeyWrapper validationKey = getSignatureValidationKey(certInfo);
        return Collections.singletonMap(validationKey.getKid(), validationKey);
    } catch (ModelException me) {
        logger.warnf(me, "Unable to retrieve publicKey for verify signature of client '%s' . Error details: %s", client.getClientId(), me.getMessage());
        return Collections.emptyMap();
    }
}

Example 9 with CertificateRepresentation

use of org.keycloak.representations.idm.CertificateRepresentation in project keycloak by keycloak.

the class ClientAttributeCertificateResource method getCertFromRequest.

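/**
 * Builds a {@link CertificateRepresentation} from an uploaded multipart form.
 *
 * <p>The {@code keystoreFormat} field selects how the {@code file} part is read: a PEM
 * certificate, a PEM public key, a JWK set (signature key only), or a keystore, in which
 * case {@code keyAlias} and the optional {@code keyPassword}/{@code storePassword} fields
 * are used. Missing required parts and unloadable keystores are reported as 400 rather
 * than as server errors; password buffers are cleared once the keystore has been read.
 *
 * @param input the multipart request body
 * @return the key material extracted from the upload; fields that were not present are null
 * @throws IOException          if a part's body cannot be read
 * @throws BadRequestException  if a required form part is missing or the keystore cannot be loaded
 */
private CertificateRepresentation getCertFromRequest(MultipartFormDataInput input) throws IOException {
    auth.clients().requireManage(client);
    Map<String, List<InputPart>> uploadForm = input.getFormDataMap();

    String keystoreFormat = firstPartOrBadRequest(uploadForm, "keystoreFormat").getBodyAsString();
    if (keystoreFormat == null) {
        throw new BadRequestException("missing form field 'keystoreFormat'");
    }
    // Every format needs the uploaded file; fail early with 400 instead of an NPE later.
    InputPart filePart = firstPartOrBadRequest(uploadForm, "file");

    if (keystoreFormat.equals(CERTIFICATE_PEM)) {
        return certificateFromPem(filePart);
    } else if (keystoreFormat.equals(PUBLIC_KEY_PEM)) {
        return publicKeyFromPem(filePart);
    } else if (keystoreFormat.equals(JSON_WEB_KEY_SET)) {
        return publicKeyFromJwks(filePart);
    }
    return keyMaterialFromKeyStore(uploadForm, filePart, keystoreFormat);
}

/** Returns the first value of a required form part, or fails the request with 400 when it is absent. */
private static InputPart firstPartOrBadRequest(Map<String, List<InputPart>> uploadForm, String name) {
    List<InputPart> parts = uploadForm.get(name);
    if (parts == null || parts.isEmpty()) {
        throw new BadRequestException("missing form field '" + name + "'");
    }
    return parts.get(0);
}

/** Returns the first value of an optional form part as a password buffer, or null when absent. */
private static char[] optionalPassword(Map<String, List<InputPart>> uploadForm, String name) throws IOException {
    List<InputPart> parts = uploadForm.get(name);
    if (parts == null || parts.isEmpty()) {
        return null;
    }
    String value = parts.get(0).getBodyAsString();
    return value != null ? value.toCharArray() : null;
}

/** Overwrites a password buffer so the secret does not linger on the heap; null is accepted. */
private static void clearSecret(char[] secret) {
    if (secret != null) {
        java.util.Arrays.fill(secret, '\0');
    }
}

/** Reads the uploaded part as a PEM certificate, validating it before it is stored. */
private static CertificateRepresentation certificateFromPem(InputPart filePart) throws IOException {
    String pem;
    try (InputStream body = filePart.getBody(InputStream.class, null)) {
        pem = PemUtils.removeBeginEnd(StreamUtil.readString(body));
    }
    // Validate format: throws when the PEM does not parse as a certificate
    KeycloakModelUtils.getCertificate(pem);
    CertificateRepresentation info = new CertificateRepresentation();
    info.setCertificate(pem);
    return info;
}

/** Reads the uploaded part as a PEM public key, validating it before it is stored. */
private static CertificateRepresentation publicKeyFromPem(InputPart filePart) throws IOException {
    String pem;
    try (InputStream body = filePart.getBody(InputStream.class, null)) {
        pem = StreamUtil.readString(body);
    }
    // Validate format: throws when the PEM does not parse as a public key
    KeycloakModelUtils.getPublicKey(pem);
    CertificateRepresentation info = new CertificateRepresentation();
    info.setPublicKey(pem);
    return info;
}

/** Reads the uploaded part as a JWK set and extracts its signature key as PEM plus kid. */
private static CertificateRepresentation publicKeyFromJwks(InputPart filePart) throws IOException {
    JSONWebKeySet keySet;
    try (InputStream body = filePart.getBody(InputStream.class, null)) {
        keySet = JsonSerialization.readValue(body, JSONWebKeySet.class);
    }
    JWK publicKeyJwk = JWKSUtils.getKeyForUse(keySet, JWK.Use.SIG);
    if (publicKeyJwk == null) {
        throw new IllegalStateException("Certificate not found for use sig");
    }
    PublicKey publicKey = JWKParser.create(publicKeyJwk).toPublicKey();
    CertificateRepresentation info = new CertificateRepresentation();
    info.setPublicKey(KeycloakModelUtils.getPemFromKey(publicKey));
    info.setKid(publicKeyJwk.getKeyId());
    return info;
}

/**
 * Reads the uploaded part as a keystore and extracts the private key (if its password is
 * known) and the X.509 certificate stored under {@code keyAlias}.
 */
private static CertificateRepresentation keyMaterialFromKeyStore(Map<String, List<InputPart>> uploadForm,
                                                                 InputPart filePart,
                                                                 String keystoreFormat) throws IOException {
    String keyAlias = firstPartOrBadRequest(uploadForm, "keyAlias").getBodyAsString();
    char[] keyPassword = optionalPassword(uploadForm, "keyPassword");
    char[] storePassword = optionalPassword(uploadForm, "storePassword");

    PrivateKey privateKey = null;
    X509Certificate certificate = null;
    try (InputStream body = filePart.getBody(InputStream.class, null)) {
        // JKS comes from the JDK; every other format is asked of the BC provider, as before.
        KeyStore keyStore = keystoreFormat.equals("JKS")
                ? KeyStore.getInstance("JKS")
                : KeyStore.getInstance(keystoreFormat, "BC");
        keyStore.load(body, storePassword);
        try {
            java.security.Key key = keyStore.getKey(keyAlias, keyPassword);
            if (key instanceof PrivateKey) {
                privateKey = (PrivateKey) key;
            }
        } catch (java.security.GeneralSecurityException ignored) {
            // best effort: the upload may carry only a certificate, or the key password may be absent/wrong
        }
        java.security.cert.Certificate stored = keyStore.getCertificate(keyAlias);
        if (stored instanceof X509Certificate) {
            certificate = (X509Certificate) stored;
        }
    } catch (IOException | java.security.GeneralSecurityException e) {
        // A keystore that cannot be opened (bad format, wrong store password) is a client error, not a 500.
        throw new BadRequestException("Unable to load the uploaded keystore", e);
    } finally {
        clearSecret(keyPassword);
        clearSecret(storePassword);
    }

    CertificateRepresentation info = new CertificateRepresentation();
    if (privateKey != null) {
        info.setPrivateKey(KeycloakModelUtils.getPemFromKey(privateKey));
    }
    if (certificate != null) {
        info.setCertificate(KeycloakModelUtils.getPemFromCertificate(certificate));
    }
    return info;
}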

Example 10 with CertificateRepresentation

use of org.keycloak.representations.idm.CertificateRepresentation in project keycloak by keycloak.

the class ClientAttributeCertificateResource method getKeyInfo.

/**
 * Returns the key material stored in this client's attributes under {@code attributePrefix}.
 *
 * <p>Requires view permission on the client. NOTE(review): the helper also copies the stored
 * private-key attribute into the representation, so a view-level caller receives it as well -
 * confirm that this is intended for this endpoint.
 *
 * @return the certificate, public key, private key and kid attributes; null for parts not set
 */
@GET
@NoCache
@Produces(MediaType.APPLICATION_JSON)
public CertificateRepresentation getKeyInfo() {
    auth.clients().requireView(client);
    return CertificateInfoHelper.getCertificateFromClient(client, attributePrefix);
}
