Example 6 with CertificateRepresentation
use of org.keycloak.representations.idm.CertificateRepresentation in project keycloak by keycloak.
the class CertificateInfoHelper method getCertificateFromClient.
// CLIENT MODEL METHODS
public static CertificateRepresentation getCertificateFromClient(ClientModel client, String attributePrefix) {
String privateKeyAttribute = attributePrefix + "." + PRIVATE_KEY;
String certificateAttribute = attributePrefix + "." + X509CERTIFICATE;
String publicKeyAttribute = attributePrefix + "." + PUBLIC_KEY;
String kidAttribute = attributePrefix + "." + KID;
CertificateRepresentation rep = new CertificateRepresentation();
rep.setCertificate(client.getAttribute(certificateAttribute));
rep.setPublicKey(client.getAttribute(publicKeyAttribute));
rep.setPrivateKey(client.getAttribute(privateKeyAttribute));
rep.setKid(client.getAttribute(kidAttribute));
return rep;
}
Also used :
CertificateRepresentation(org.keycloak.representations.idm.CertificateRepresentation)
Example 7 with CertificateRepresentation
use of org.keycloak.representations.idm.CertificateRepresentation in project keycloak by keycloak.
the class SamlProtocolFactory method setupClientDefaults.
@Override
public void setupClientDefaults(ClientRepresentation clientRep, ClientModel newClient) {
SamlRepresentationAttributes rep = new SamlRepresentationAttributes(clientRep.getAttributes());
SamlClient client = new SamlClient(newClient);
if (clientRep.isStandardFlowEnabled() == null)
newClient.setStandardFlowEnabled(true);
if (rep.getCanonicalizationMethod() == null) {
client.setCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE);
}
if (rep.getSignatureAlgorithm() == null) {
client.setSignatureAlgorithm(SignatureAlgorithm.RSA_SHA256);
}
if (rep.getNameIDFormat() == null) {
client.setNameIDFormat("username");
}
if (rep.getIncludeAuthnStatement() == null) {
client.setIncludeAuthnStatement(true);
}
if (rep.getForceNameIDFormat() == null) {
client.setForceNameIDFormat(false);
}
if (rep.getSamlServerSignature() == null) {
client.setRequiresRealmSignature(true);
}
if (rep.getForcePostBinding() == null) {
client.setForcePostBinding(true);
}
if (rep.getClientSignature() == null) {
client.setRequiresClientSignature(true);
}
if (client.requiresClientSignature() && client.getClientSigningCertificate() == null) {
CertificateRepresentation info = KeycloakModelUtils.generateKeyPairCertificate(newClient.getClientId());
client.setClientSigningCertificate(info.getCertificate());
client.setClientSigningPrivateKey(info.getPrivateKey());
}
if (clientRep.isFrontchannelLogout() == null) {
newClient.setFrontchannelLogout(true);
}
client.setArtifactBindingIdentifierFrom(clientRep.getClientId());
}
Also used :
CertificateRepresentation(org.keycloak.representations.idm.CertificateRepresentation)
Example 8 with CertificateRepresentation
use of org.keycloak.representations.idm.CertificateRepresentation in project keycloak by keycloak.
the class ClientPublicKeyLoader method loadKeys.
@Override
public Map<String, KeyWrapper> loadKeys() throws Exception {
OIDCAdvancedConfigWrapper config = OIDCAdvancedConfigWrapper.fromClientModel(client);
if (config.isUseJwksUrl()) {
String jwksUrl = config.getJwksUrl();
jwksUrl = ResolveRelative.resolveRelativeUri(session, client.getRootUrl(), jwksUrl);
JSONWebKeySet jwks = JWKSHttpUtils.sendJwksRequest(session, jwksUrl);
return JWKSUtils.getKeyWrappersForUse(jwks, keyUse);
} else if (config.isUseJwksString()) {
JSONWebKeySet jwks = JsonSerialization.readValue(config.getJwksString(), JSONWebKeySet.class);
return JWKSUtils.getKeyWrappersForUse(jwks, keyUse);
} else if (keyUse == JWK.Use.SIG) {
try {
CertificateRepresentation certInfo = CertificateInfoHelper.getCertificateFromClient(client, JWTClientAuthenticator.ATTR_PREFIX);
KeyWrapper publicKey = getSignatureValidationKey(certInfo);
return Collections.singletonMap(publicKey.getKid(), publicKey);
} catch (ModelException me) {
logger.warnf(me, "Unable to retrieve publicKey for verify signature of client '%s' . Error details: %s", client.getClientId(), me.getMessage());
return Collections.emptyMap();
}
} else {
logger.warnf("Unable to retrieve publicKey of client '%s' for the specified purpose other than verifying signature", client.getClientId());
return Collections.emptyMap();
}
}
Also used :
KeyWrapper(org.keycloak.crypto.KeyWrapper)
ModelException(org.keycloak.models.ModelException)
OIDCAdvancedConfigWrapper(org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper)
JSONWebKeySet(org.keycloak.jose.jwk.JSONWebKeySet)
CertificateRepresentation(org.keycloak.representations.idm.CertificateRepresentation)
Example 9 with CertificateRepresentation
use of org.keycloak.representations.idm.CertificateRepresentation in project keycloak by keycloak.
the class ClientAttributeCertificateResource method getCertFromRequest.
private CertificateRepresentation getCertFromRequest(MultipartFormDataInput input) throws IOException {
auth.clients().requireManage(client);
CertificateRepresentation info = new CertificateRepresentation();
Map<String, List<InputPart>> uploadForm = input.getFormDataMap();
List<InputPart> keystoreFormatPart = uploadForm.get("keystoreFormat");
if (keystoreFormatPart == null)
throw new BadRequestException();
String keystoreFormat = keystoreFormatPart.get(0).getBodyAsString();
List<InputPart> inputParts = uploadForm.get("file");
if (keystoreFormat.equals(CERTIFICATE_PEM)) {
String pem = StreamUtil.readString(inputParts.get(0).getBody(InputStream.class, null));
pem = PemUtils.removeBeginEnd(pem);
// Validate format
KeycloakModelUtils.getCertificate(pem);
info.setCertificate(pem);
return info;
} else if (keystoreFormat.equals(PUBLIC_KEY_PEM)) {
String pem = StreamUtil.readString(inputParts.get(0).getBody(InputStream.class, null));
// Validate format
KeycloakModelUtils.getPublicKey(pem);
info.setPublicKey(pem);
return info;
} else if (keystoreFormat.equals(JSON_WEB_KEY_SET)) {
InputStream stream = inputParts.get(0).getBody(InputStream.class, null);
JSONWebKeySet keySet = JsonSerialization.readValue(stream, JSONWebKeySet.class);
JWK publicKeyJwk = JWKSUtils.getKeyForUse(keySet, JWK.Use.SIG);
if (publicKeyJwk == null) {
throw new IllegalStateException("Certificate not found for use sig");
} else {
PublicKey publicKey = JWKParser.create(publicKeyJwk).toPublicKey();
String publicKeyPem = KeycloakModelUtils.getPemFromKey(publicKey);
info.setPublicKey(publicKeyPem);
info.setKid(publicKeyJwk.getKeyId());
return info;
}
}
String keyAlias = uploadForm.get("keyAlias").get(0).getBodyAsString();
List<InputPart> keyPasswordPart = uploadForm.get("keyPassword");
char[] keyPassword = keyPasswordPart != null ? keyPasswordPart.get(0).getBodyAsString().toCharArray() : null;
List<InputPart> storePasswordPart = uploadForm.get("storePassword");
char[] storePassword = storePasswordPart != null ? storePasswordPart.get(0).getBodyAsString().toCharArray() : null;
PrivateKey privateKey = null;
X509Certificate certificate = null;
try {
KeyStore keyStore = null;
if (keystoreFormat.equals("JKS"))
keyStore = KeyStore.getInstance("JKS");
else
keyStore = KeyStore.getInstance(keystoreFormat, "BC");
keyStore.load(inputParts.get(0).getBody(InputStream.class, null), storePassword);
try {
privateKey = (PrivateKey) keyStore.getKey(keyAlias, keyPassword);
} catch (Exception e) {
// ignore
}
certificate = (X509Certificate) keyStore.getCertificate(keyAlias);
} catch (Exception e) {
throw new RuntimeException(e);
}
if (privateKey != null) {
String privateKeyPem = KeycloakModelUtils.getPemFromKey(privateKey);
info.setPrivateKey(privateKeyPem);
}
if (certificate != null) {
String certPem = KeycloakModelUtils.getPemFromCertificate(certificate);
info.setCertificate(certPem);
}
return info;
}
Also used :
PrivateKey(java.security.PrivateKey)
JSONWebKeySet(org.keycloak.jose.jwk.JSONWebKeySet)
CertificateRepresentation(org.keycloak.representations.idm.CertificateRepresentation)
InputStream(java.io.InputStream)
PublicKey(java.security.PublicKey)
KeyStore(java.security.KeyStore)
X509Certificate(java.security.cert.X509Certificate)
ErrorResponseException(org.keycloak.services.ErrorResponseException)
BadRequestException(javax.ws.rs.BadRequestException)
NotAcceptableException(javax.ws.rs.NotAcceptableException)
IOException(java.io.IOException)
NotFoundException(javax.ws.rs.NotFoundException)
InputPart(org.jboss.resteasy.plugins.providers.multipart.InputPart)
BadRequestException(javax.ws.rs.BadRequestException)
List(java.util.List)
JWK(org.keycloak.jose.jwk.JWK)
Example 10 with CertificateRepresentation
use of org.keycloak.representations.idm.CertificateRepresentation in project keycloak by keycloak.
the class ClientAttributeCertificateResource method getKeyInfo.
/**
* Get key info
*
* @return
*/
@GET
@NoCache
@Produces(MediaType.APPLICATION_JSON)
public CertificateRepresentation getKeyInfo() {
auth.clients().requireView(client);
CertificateRepresentation info = CertificateInfoHelper.getCertificateFromClient(client, attributePrefix);
return info;
}
Also used :
CertificateRepresentation(org.keycloak.representations.idm.CertificateRepresentation)
Produces(javax.ws.rs.Produces)
GET(javax.ws.rs.GET)
NoCache(org.jboss.resteasy.annotations.cache.NoCache)
Aggregations
CertificateRepresentation (org.keycloak.representations.idm.CertificateRepresentation)17
Produces (javax.ws.rs.Produces)6
POST (javax.ws.rs.POST)5
Path (javax.ws.rs.Path)5
Test (org.junit.Test)5
ErrorResponseException (org.keycloak.services.ErrorResponseException)5
X509Certificate (java.security.cert.X509Certificate)4
Consumes (javax.ws.rs.Consumes)4
NoCache (org.jboss.resteasy.annotations.cache.NoCache)4
ClientAttributeCertificateResource (org.keycloak.admin.client.resource.ClientAttributeCertificateResource)4
KeyStore (java.security.KeyStore)3
NotAcceptableException (javax.ws.rs.NotAcceptableException)3
JSONWebKeySet (org.keycloak.jose.jwk.JSONWebKeySet)3
ByteArrayInputStream (java.io.ByteArrayInputStream)2
IOException (java.io.IOException)2
Key (java.security.Key)2
PublicKey (java.security.PublicKey)2
Certificate (java.security.cert.Certificate)2
NotFoundException (javax.ws.rs.NotFoundException)2
JWK (org.keycloak.jose.jwk.JWK)2
