Use CryptoIntegration for Keystore SPI

Author: tsaarni

common/src/main/java/org/keycloak/common/util/DerUtils.java

@@ -52,14 +52,15 @@ public static PrivateKey decodePrivateKey(InputStream is)
         dis.readFully(keyBytes);
         dis.close();
 
-        PKCS8EncodedKeySpec spec =
-                new PKCS8EncodedKeySpec(keyBytes);
-        KeyFactory kf =CryptoIntegration.getProvider().getKeyFactory("RSA");
-        return kf.generatePrivate(spec);
+        return decodePrivateKey(keyBytes);
     }
 
     public static PublicKey decodePublicKey(byte[] der) throws NoSuchAlgorithmException, InvalidKeySpecException, NoSuchProviderException {
-        return decodePublicKey(der, "RSA");
+        try {
+            return decodePublicKey(der, "RSA");
+        } catch (InvalidKeySpecException e) {
+            return decodePublicKey(der, "EC");
+        }
     }
 
     public static PublicKey decodePublicKey(byte[] der, String type) throws NoSuchAlgorithmException, InvalidKeySpecException, NoSuchProviderException {
@@ -79,7 +80,10 @@ public static X509Certificate decodeCertificate(InputStream is) throws Exception
     public static PrivateKey decodePrivateKey(byte[] der) throws NoSuchAlgorithmException, InvalidKeySpecException, NoSuchProviderException {
         PKCS8EncodedKeySpec spec =
                 new PKCS8EncodedKeySpec(der);
-        KeyFactory kf = CryptoIntegration.getProvider().getKeyFactory("RSA");
-        return kf.generatePrivate(spec);
+        try {
+            return CryptoIntegration.getProvider().getKeyFactory("RSA").generatePrivate(spec);
+        } catch (InvalidKeySpecException e) {
+            return CryptoIntegration.getProvider().getKeyFactory("EC").generatePrivate(spec);
+        }
     }
 }

common/src/main/java/org/keycloak/common/util/PemUtils.java

@@ -23,6 +23,10 @@
 import java.security.PublicKey;
 import java.security.cert.Certificate;
 import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+import java.util.stream.Collectors;
 
 import org.keycloak.common.crypto.CryptoIntegration;
 
@@ -53,6 +57,23 @@ public static X509Certificate decodeCertificate(String cert) {
         return CryptoIntegration.getProvider().getPemUtils().decodeCertificate(cert);
     }
 
+    /**
+     * Decode one or more X509 Certificates from a PEM string (certificate bundle)
+     *
+     * @param certs
+     * @return
+     * @throws Exception
+     */
+    public static X509Certificate[] decodeCertificates(String certs) {
+        String[] pemBlocks = certs.split(END_CERT);
+
+        List<X509Certificate> x509Certificates = Arrays.stream(pemBlocks)
+                .filter(pemBlock -> pemBlock != null && !pemBlock.trim().isEmpty())
+                .map(pemBlock -> PemUtils.decodeCertificate(pemBlock + END_CERT))
+                .collect(Collectors.toList());
+
+        return x509Certificates.toArray(new X509Certificate[x509Certificates.size()]);
+    }
 
     /**
      * Decode a Public Key from a PEM string

services/src/main/java/org/keycloak/keystore/DefaultKeyStoreProvider.java

@@ -23,6 +23,7 @@
 import java.security.KeyStore.Builder;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
 import java.security.cert.CertificateException;
 import java.security.spec.InvalidKeySpecException;
 import java.time.Duration;
@@ -135,7 +136,7 @@ private KeyStore.Builder getKeyStore(Scope config, String prefix) {
                 log.infov("Loading credentials for {0}: {1}", prefix, keyStoreFile);
                 keyStoreBuilder = ReloadingKeyStore.Builder
                         .fromKeyStoreFile(keyStoreType, Paths.get(keyStoreFile), keyStorePassword);
-            } catch (KeyStoreException | NoSuchAlgorithmException | CertificateException | IOException e) {
+            } catch (KeyStoreException | NoSuchAlgorithmException | CertificateException | IOException | NoSuchProviderException e) {
                 throw new RuntimeException("Failed to initialize " + prefix + " keystore: " + e.toString());
             }
         }

services/src/main/java/org/keycloak/keystore/DelegatingKeyStoreSpi.java

@@ -25,6 +25,7 @@
 import java.security.KeyStoreException;
 import java.security.KeyStoreSpi;
 import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
 import java.security.UnrecoverableKeyException;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
@@ -65,7 +66,7 @@ public abstract class DelegatingKeyStoreSpi extends KeyStoreSpi {
      * Reloads the delegate KeyStore if the underlying files have changed on disk.
      */
     abstract void refresh() throws IOException, KeyStoreException, NoSuchAlgorithmException, CertificateException,
-            InvalidKeySpecException;
+            InvalidKeySpecException, NoSuchProviderException;
 
     /**
      * Calls {@link #refresh()} to refresh the cached KeyStore and if more than

services/src/main/java/org/keycloak/keystore/PemCredentialFactory.java

@@ -23,6 +23,7 @@
 import java.security.KeyStoreException;
 import java.security.KeyStoreSpi;
 import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
 import java.security.cert.CertificateException;
 import java.security.spec.InvalidKeySpecException;
 import java.time.Duration;
@@ -124,7 +125,7 @@ public ProtectionParameter getProtectionParameter(String alias) {
          */
         public static KeyStore.Builder fromKeyStoreFile(String type, Path path, String password)
                 throws NoSuchAlgorithmException, CertificateException, KeyStoreException,
-                IOException {
+                IOException, NoSuchProviderException {
             return new Builder(new ReloadingKeyStore(new ReloadingKeyStoreFileSpi(type, path, password)),
                     password.toCharArray());
         }
@@ -140,7 +141,7 @@ public static KeyStore.Builder fromKeyStoreFile(String type, Path path, String p
          */
         public static KeyStore.Builder fromKeyStoreFile(String type, Path path, String password,
                 Map<String, char[]> aliasPasswords)
-                throws NoSuchAlgorithmException, CertificateException, KeyStoreException, IOException {
+                throws NoSuchAlgorithmException, CertificateException, KeyStoreException, IOException, NoSuchProviderException {
             return new Builder(new ReloadingKeyStore(new ReloadingKeyStoreFileSpi(type, path, password)),
                     password.toCharArray(), aliasPasswords);
         }