Example 6 with TruststoreProvider

Use of org.keycloak.truststore.TruststoreProvider in project keycloak by keycloak.

The class CertificateValidator, method validateTrust.

public CertificateValidator validateTrust() throws GeneralSecurityException {
    if (!_trustValidationEnabled)
        return this;
    TruststoreProvider truststoreProvider = session.getProvider(TruststoreProvider.class);
    if (truststoreProvider == null || truststoreProvider.getTruststore() == null) {
        // No truststore configured: the problem is logged, but this method does not fail validation here
        logger.error("Cannot validate client certificate trust: Truststore not available");
    } else {
        // Collect the configured root and intermediate CA certificates and hand them to the chain verification
        Set<X509Certificate> trustedRootCerts = new HashSet<>(truststoreProvider.getRootCertificates().values());
        Set<X509Certificate> trustedIntermediateCerts = new HashSet<>(truststoreProvider.getIntermediateCertificates().values());
        logger.debugf("Found %d trusted root certs, %d trusted intermediate certs", trustedRootCerts.size(), trustedIntermediateCerts.size());
        verifyCertificateTrust(_certChain, trustedRootCerts, trustedIntermediateCerts);
    }
    return this;
}
Also used: X509Certificate(java.security.cert.X509Certificate) Arrays(java.util.Arrays) CertificateFactory(java.security.cert.CertificateFactory) URISyntaxException(java.net.URISyntaxException) X509CRL(java.security.cert.X509CRL) CERTIFICATE_POLICY_MODE_ANY(org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.CERTIFICATE_POLICY_MODE_ANY) XMLSignatureUtil(org.keycloak.saml.processing.core.util.XMLSignatureUtil) NamingException(javax.naming.NamingException) EntityUtils(org.apache.http.util.EntityUtils) Attribute(javax.naming.directory.Attribute) GeneralSecurityException(java.security.GeneralSecurityException) ByteArrayInputStream(java.io.ByteArrayInputStream) Map(java.util.Map) CertPathBuilder(java.security.cert.CertPathBuilder) URI(java.net.URI) CertPathValidatorException(java.security.cert.CertPathValidatorException) Time(org.keycloak.common.util.Time) X509CertSelector(java.security.cert.X509CertSelector) Collection(java.util.Collection) Set(java.util.Set) Collectors(java.util.stream.Collectors) PKIXBuilderParameters(java.security.cert.PKIXBuilderParameters) List(java.util.List) JcaX509CertificateHolder(org.bouncycastle.cert.jcajce.JcaX509CertificateHolder) HttpGet(org.apache.http.client.methods.HttpGet) Attributes(javax.naming.directory.Attributes) CRLException(java.security.cert.CRLException) TrustAnchor(java.security.cert.TrustAnchor) DataInputStream(java.io.DataInputStream) X500Principal(javax.security.auth.x500.X500Principal) Constants(org.keycloak.models.Constants) CertificatePolicies(org.bouncycastle.asn1.x509.CertificatePolicies) ServicesLogger(org.keycloak.services.ServicesLogger) CRLUtils(org.keycloak.utils.CRLUtils) InitialDirContext(javax.naming.directory.InitialDirContext) ArrayList(java.util.ArrayList) HashSet(java.util.HashSet) CertPathBuilderException(java.security.cert.CertPathBuilderException) ProcessingException(org.keycloak.saml.common.exceptions.ProcessingException) CloseableHttpResponse(org.apache.http.client.methods.CloseableHttpResponse) TruststoreProvider(org.keycloak.truststore.TruststoreProvider) Context(javax.naming.Context) HttpClientProvider(org.keycloak.connections.httpclient.HttpClientProvider) LinkedList(java.util.LinkedList) Hashtable(java.util.Hashtable) CloseableHttpClient(org.apache.http.impl.client.CloseableHttpClient) DirContext(javax.naming.directory.DirContext) KeycloakSession(org.keycloak.models.KeycloakSession) IOException(java.io.IOException) FileInputStream(java.io.FileInputStream) CertificateException(java.security.cert.CertificateException) File(java.io.File) Extensions(org.bouncycastle.asn1.x509.Extensions) CollectionCertStoreParameters(java.security.cert.CollectionCertStoreParameters) CertStore(java.security.cert.CertStore) PKIXCertPathBuilderResult(java.security.cert.PKIXCertPathBuilderResult) HttpResponse(org.apache.http.HttpResponse) Collections(java.util.Collections) InputStream(java.io.InputStream)
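The verifyCertificateTrust call in validateTrust is where the collected roots and intermediates are consumed. As an added example that is not code from Keycloak, the stand-alone Java program below shows one way to implement that step with the JDK's PKIX CertPathBuilder (the same java.security.cert types that CertificateValidator imports): only the configured roots become TrustAnchors, while the peer's presented chain and the truststore intermediates are offered to the builder through a Collection CertStore, so an intermediate alone can never anchor a path. The class and method names (TruststorePathCheck, verifyCertificateTrust, readPem) and the PEM file arguments are assumptions for this example, and revocation checking is disabled here because CRL handling is done separately (see CRLUtils on this page).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

// Added example (hypothetical class, not Keycloak code): PKIX path building from a leaf to a configured root.
public class TruststorePathCheck {

    /** Builds and validates a certification path from chain[0] to one of the trusted roots. */
    static PKIXCertPathBuilderResult verifyCertificateTrust(X509Certificate[] chain,
                                                            Set<X509Certificate> trustedRoots,
                                                            Set<X509Certificate> trustedIntermediates)
            throws GeneralSecurityException {
        if (chain == null || chain.length == 0) {
            throw new GeneralSecurityException("Empty certificate chain");
        }
        // Only root certificates become trust anchors; intermediates never do.
        Set<TrustAnchor> anchors = trustedRoots.stream()
                .map(root -> new TrustAnchor(root, null))
                .collect(Collectors.toSet());
        if (anchors.isEmpty()) {
            throw new GeneralSecurityException("No trust anchors configured");
        }

        // The target of the path is the end-entity certificate presented by the peer.
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(chain[0]);

        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        // Candidate intermediates: the rest of the presented chain plus the truststore intermediates.
        List<X509Certificate> pool = new ArrayList<>(Arrays.asList(chain));
        pool.addAll(trustedIntermediates);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(pool)));
        // Revocation (CRL/OCSP) is checked separately in this design.
        params.setRevocationEnabled(false);

        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
        try {
            // build() performs full PKIX validation (signatures, validity, name chaining, basic constraints).
            return (PKIXCertPathBuilderResult) builder.build(params);
        } catch (CertPathBuilderException e) {
            throw new GeneralSecurityException("No trusted path from '"
                    + chain[0].getSubjectX500Principal() + "': " + e.getMessage(), e);
        }
    }

    /** Reads all certificates from a PEM or DER file. */
    static List<X509Certificate> readPem(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            return cf.generateCertificates(in).stream()
                    .map(c -> (X509Certificate) c)
                    .collect(Collectors.toList());
        }
    }

    public static void main(String[] args) throws Exception {
        // Usage: java TruststorePathCheck leaf-chain.pem roots.pem [intermediates.pem]  (file names are placeholders)
        X509Certificate[] chain = readPem(args[0]).toArray(new X509Certificate[0]);
        Set<X509Certificate> roots = new HashSet<>(readPem(args[1]));
        Set<X509Certificate> intermediates = args.length > 2 ? new HashSet<>(readPem(args[2])) : new HashSet<>();
        PKIXCertPathBuilderResult result = verifyCertificateTrust(chain, roots, intermediates);
        System.out.println("Trusted; anchor = "
                + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        result.getCertPath().getCertificates()
                .forEach(c -> System.out.println("  " + ((X509Certificate) c).getSubjectX500Principal()));
    }
}
```

Unlike validateTrust above, this helper throws when no anchors are available instead of logging and continuing; a caller that wants the logging behaviour can catch the exception and decide what to do with it.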

Example 7 with TruststoreProvider

Use of org.keycloak.truststore.TruststoreProvider in project keycloak by keycloak.

The class CertificateValidator, method findCAInTruststore.

private X509Certificate findCAInTruststore(X500Principal issuer) throws GeneralSecurityException {
    TruststoreProvider truststoreProvider = session.getProvider(TruststoreProvider.class);
    if (truststoreProvider == null || truststoreProvider.getTruststore() == null) {
        return null;
    }
    Map<X500Principal, X509Certificate> rootCerts = truststoreProvider.getRootCertificates();
    X509Certificate ca = rootCerts.get(issuer);
    if (ca == null) {
        // fallback to lookup the issuer from the list of intermediary CAs
        ca = truststoreProvider.getIntermediateCertificates().get(issuer);
    }
    if (ca != null) {
        // Reject an expired or not-yet-valid CA certificate (throws CertificateExpiredException / CertificateNotYetValidException)
        ca.checkValidity();
    }
    return ca;
}
Also used: X500Principal(javax.security.auth.x500.X500Principal) TruststoreProvider(org.keycloak.truststore.TruststoreProvider) X509Certificate(java.security.cert.X509Certificate)

Example 8 with TruststoreProvider

Use of org.keycloak.truststore.TruststoreProvider in project keycloak by keycloak.

The class CRLUtils, method findCRLSignatureCertificateInTruststore.

private static X509Certificate findCRLSignatureCertificateInTruststore(KeycloakSession session, X509Certificate[] certs, X500Principal crlIssuerPrincipal) throws GeneralSecurityException {
    TruststoreProvider truststoreProvider = session.getProvider(TruststoreProvider.class);
    if (truststoreProvider == null || truststoreProvider.getTruststore() == null) {
        throw new GeneralSecurityException("Truststore not available");
    }
    Map<X500Principal, X509Certificate> rootCerts = truststoreProvider.getRootCertificates();
    Map<X500Principal, X509Certificate> intermediateCerts = truststoreProvider.getIntermediateCertificates();
    X509Certificate crlSignatureCertificate = intermediateCerts.get(crlIssuerPrincipal);
    if (crlSignatureCertificate == null) {
        crlSignatureCertificate = rootCerts.get(crlIssuerPrincipal);
    }
    if (crlSignatureCertificate == null) {
        throw new GeneralSecurityException("Not available certificate for CRL issuer '" + crlIssuerPrincipal + "' in the truststore, nor in the CA chain");
    } else {
        log.tracef("Found CRL issuer certificate with subject '%s' in the truststore. Verifying trust anchor", crlIssuerPrincipal);
    }
    // Check that the CRL issuer shares a trust anchor with the checked certificate (see https://tools.ietf.org/html/rfc5280#section-6.3.3 , paragraph (f))
    // Collect into a mutable HashSet explicitly, since Collectors.toSet() makes no mutability guarantee
    Set<X500Principal> certificateCAPrincipals = Arrays.stream(certs).map(X509Certificate::getSubjectX500Principal).collect(Collectors.toCollection(HashSet::new));
    // Remove the checked certificate itself
    certificateCAPrincipals.remove(certs[0].getSubjectX500Principal());
    X509Certificate currentCRLAnchorCertificate = crlSignatureCertificate;
    X500Principal currentCRLAnchorPrincipal = crlIssuerPrincipal;
    while (true) {
        if (certificateCAPrincipals.contains(currentCRLAnchorPrincipal)) {
            log.tracef("Found trust anchor of the CRL issuer '%s' in the CA chain. Anchor is '%s'", crlIssuerPrincipal, currentCRLAnchorPrincipal);
            break;
        }
        // Walk one step up: look up the issuer of the current candidate in the truststore (intermediates first, then roots)
        currentCRLAnchorPrincipal = currentCRLAnchorCertificate.getIssuerX500Principal();
        currentCRLAnchorCertificate = intermediateCerts.get(currentCRLAnchorPrincipal);
        if (currentCRLAnchorCertificate == null) {
            currentCRLAnchorCertificate = rootCerts.get(currentCRLAnchorPrincipal);
        }
        if (currentCRLAnchorCertificate == null) {
            throw new GeneralSecurityException("Certificate for CRL issuer '" + crlIssuerPrincipal + "' available in the truststore, but doesn't have trust anchors with the CA chain.");
        }
    }
    return crlSignatureCertificate;
}
Also used: GeneralSecurityException(java.security.GeneralSecurityException) X500Principal(javax.security.auth.x500.X500Principal) TruststoreProvider(org.keycloak.truststore.TruststoreProvider) X509Certificate(java.security.cert.X509Certificate)
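findCRLSignatureCertificateInTruststore only locates the CRL issuer's certificate and confirms it chains to the checked certificate's CA chain; the CRL itself still has to be validated before it can drive a revocation decision. As an added example, not part of Keycloak's CRLUtils, the stand-alone Java class below takes the located issuer certificate and performs the remaining checks in the order a validator should apply them: issuer name match, cRLSign key usage, CRL signature, freshness (thisUpdate/nextUpdate), and finally the revocation lookup for the leaf. The class and method names (CrlCheck, checkRevocation, readCert, readCrl) and the input file arguments are assumptions for this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509Certificate;
import java.util.Date;

// Added example (hypothetical class, not Keycloak code): validating a CRL against its located issuer certificate.
public class CrlCheck {

    // Index of the cRLSign bit in X509Certificate.getKeyUsage() (RFC 5280, section 4.2.1.3)
    private static final int KEY_USAGE_CRL_SIGN = 6;

    /**
     * Validates the CRL against the issuer certificate found in the truststore and then checks
     * whether the leaf certificate is listed in it. Throws on any failure.
     */
    static void checkRevocation(X509Certificate leaf, X509CRL crl, X509Certificate crlIssuerCert, Date now)
            throws GeneralSecurityException {
        // 1. The CRL must name the located certificate's subject as its issuer
        if (!crl.getIssuerX500Principal().equals(crlIssuerCert.getSubjectX500Principal())) {
            throw new GeneralSecurityException("CRL issuer '" + crl.getIssuerX500Principal()
                    + "' does not match located certificate '" + crlIssuerCert.getSubjectX500Principal() + "'");
        }
        // 2. If a KeyUsage extension is present, it must permit CRL signing
        boolean[] keyUsage = crlIssuerCert.getKeyUsage();
        if (keyUsage != null && (keyUsage.length <= KEY_USAGE_CRL_SIGN || !keyUsage[KEY_USAGE_CRL_SIGN])) {
            throw new GeneralSecurityException("CRL issuer certificate lacks the cRLSign key usage");
        }
        // 3. The CRL signature must verify under the issuer's public key (throws on mismatch)
        crl.verify(crlIssuerCert.getPublicKey());
        // 4. Freshness: reject a CRL dated in the future or one past its nextUpdate
        if (crl.getThisUpdate().after(now)) {
            throw new GeneralSecurityException("CRL thisUpdate is in the future: " + crl.getThisUpdate());
        }
        if (crl.getNextUpdate() != null && crl.getNextUpdate().before(now)) {
            throw new GeneralSecurityException("CRL is stale, nextUpdate was " + crl.getNextUpdate());
        }
        // 5. Only now is the revocation lookup for the checked certificate meaningful
        X509CRLEntry entry = crl.getRevokedCertificate(leaf);
        if (entry != null) {
            throw new GeneralSecurityException("Certificate with serial " + leaf.getSerialNumber()
                    + " revoked on " + entry.getRevocationDate() + " (reason: " + entry.getRevocationReason() + ")");
        }
    }

    /** Reads a single certificate from a PEM or DER file. */
    static X509Certificate readCert(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /** Reads a CRL from a PEM or DER file. */
    static X509CRL readCrl(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509CRL) CertificateFactory.getInstance("X.509").generateCRL(in);
        }
    }

    public static void main(String[] args) throws Exception {
        // Usage: java CrlCheck leaf.pem crl-issuer.pem issuer.crl  (file names are placeholders)
        X509Certificate leaf = readCert(args[0]);
        X509Certificate issuer = readCert(args[1]);
        X509CRL crl = readCrl(args[2]);
        checkRevocation(leaf, crl, issuer, new Date());
        System.out.println("Certificate '" + leaf.getSubjectX500Principal() + "' is not listed in the CRL");
    }
}
```

The order matters: looking up the leaf in the CRL before the signature and freshness checks would let an unsigned or stale list decide the outcome, which is why the lookup is the last step here.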

Aggregations

TruststoreProvider (org.keycloak.truststore.TruststoreProvider)8 IOException (java.io.IOException)3 X509Certificate (java.security.cert.X509Certificate)3 NamingException (javax.naming.NamingException)3 X500Principal (javax.security.auth.x500.X500Principal)3 GeneralSecurityException (java.security.GeneralSecurityException)2 KeyStoreTrustAnchorsProvider (com.webauthn4j.anchor.KeyStoreTrustAnchorsProvider)1 TrustAnchorsResolverImpl (com.webauthn4j.anchor.TrustAnchorsResolverImpl)1 NullCertPathTrustworthinessValidator (com.webauthn4j.validator.attestation.trustworthiness.certpath.NullCertPathTrustworthinessValidator)1 TrustAnchorCertPathTrustworthinessValidator (com.webauthn4j.validator.attestation.trustworthiness.certpath.TrustAnchorCertPathTrustworthinessValidator)1 ByteArrayInputStream (java.io.ByteArrayInputStream)1 DataInputStream (java.io.DataInputStream)1 File (java.io.File)1 FileInputStream (java.io.FileInputStream)1 InputStream (java.io.InputStream)1 URI (java.net.URI)1 URISyntaxException (java.net.URISyntaxException)1 KeyStore (java.security.KeyStore)1 CRLException (java.security.cert.CRLException)1 CertPathBuilder (java.security.cert.CertPathBuilder)1