
@rmartinc (Contributor) commented Jul 1, 2024

Closes #30880
Closes #29755

Adding all the algorithms to the java-keystore key provider. Besides, the passwords (store and key) can also be configured through the vault. This way all the realm keys can be externalized to an external keystore file. There are some discrepancies between what keys can be stored in the different store types and in the different security providers:

  • JKS store type cannot store secret keys (AES or HMAC) in any provider.
  • PKCS12 allows storing all key types in non-fips mode, but BCFIPS does not allow storing secret keys either (so in both fips modes this store cannot contain secret keys).
  • BCFKS is weird in the BC provider (non-fips) and, for example, HMAC keys do not work (bug?) although they work on BCFIPS (fips modes).

I have discovered that EdDSA keys do not work in fips modes at all because BCFIPS does not implement the standard JDK 15+ interfaces (EdEC, EdECPrivateKey and EdECPublicKey) that Keycloak uses to manage them. This is a different story. Probably we need an issue even if we just document this fact.

So in general the standard PKCS12 format seems to be the best for non-fips and BCFKS for fips modes.

Small changes in how the JavaKeystoreKeyProvider loads the keys. The public key for asymmetric keys is loaded using the certificate, as it should always be there.

Tests added with the limitations in the store/providers commented above.
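The store-type discrepancies listed above can be checked on a given JVM and provider set-up with a small probe. This is an added example, not code from the PR or from Keycloak; the class and method names, aliases and passwords are constructed for illustration (in the provider the passwords would come from the vault instead).

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class KeystoreSecretKeyProbe {

    // Generate an AES and an HMAC secret key, try to put both into a keystore of the given
    // type, serialise it and reload it. Returns true only when both keys round-trip; returns
    // false when the store type (or the active security provider) rejects secret keys.
    static boolean secretKeysSupported(String storeType, char[] storePass, char[] keyPass) throws Exception {
        KeyStore ks = KeyStore.getInstance(storeType);
        ks.load(null, storePass); // fresh, empty keystore

        KeyGenerator aesGen = KeyGenerator.getInstance("AES");
        aesGen.init(256);
        SecretKey aes = aesGen.generateKey();
        SecretKey hmac = KeyGenerator.getInstance("HmacSHA256").generateKey();
        KeyStore.ProtectionParameter prot = new KeyStore.PasswordProtection(keyPass);
        try {
            ks.setEntry("aes-key", new KeyStore.SecretKeyEntry(aes), prot);
            ks.setEntry("hmac-key", new KeyStore.SecretKeyEntry(hmac), prot);
        } catch (KeyStoreException e) {
            // JKS throws here ("Cannot store non-PrivateKeys"); PKCS12 under BCFIPS also rejects them
            return false;
        }

        // Write the store out and read it back, as the key provider would from a file
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, storePass);
        KeyStore loaded = KeyStore.getInstance(storeType);
        loaded.load(new ByteArrayInputStream(out.toByteArray()), storePass);
        Key a = loaded.getKey("aes-key", keyPass);
        Key h = loaded.getKey("hmac-key", keyPass);
        return a != null && h != null
                && "AES".equals(a.getAlgorithm()) && "HmacSHA256".equals(h.getAlgorithm());
    }

    public static void main(String[] args) throws Exception {
        char[] storePass = "store-password".toCharArray(); // constructed sample values
        char[] keyPass = "key-password".toCharArray();
        for (String type : new String[] {"PKCS12", "JKS"}) {
            System.out.println(type + " secret keys supported: " + secretKeysSupported(type, storePass, keyPass));
        }
    }
}
```

On a stock non-fips JDK this prints true for PKCS12 and false for JKS; add "BCFKS" to the list when the BC or BCFIPS provider is registered to see the behaviour described above for that store type.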

@jonkoops (Contributor) left a comment

Great stuff!

@mposolda (Contributor) left a comment

@rmartinc @jonkoops Thanks for this and for the review!

@mposolda mposolda merged commit 096e335 into keycloak:main Jul 11, 2024

Development

Successfully merging this pull request may close these issues.

  • Add vault support to JavaKeystoreKeyProvider
  • Support AES and HMAC Key-Imports for the JavaKeystoreKeyProvider