Resolve merge conflicts by adopting changes from main branch

hanpen24 · Feb 28, 2024 · e4e4fd5 · e4e4fd5
2 parents ac71f0f + 941e7cc
commit e4e4fd5
Show file tree

Hide file tree

Showing 43 changed files with 2,375 additions and 542 deletions.
diff --git a/.github/workflows/js-ci.yml b/.github/workflows/js-ci.yml
@@ -327,6 +327,15 @@ jobs:
           name: admin-ui-server-log-${{ matrix.container }}-${{ matrix.browser }}
           path: ~/server.log
 
+      - name: Upload Cypress videos
+        uses: actions/upload-artifact@v3
+        if: github.repository != 'keycloak/keycloak-private'
+        with:
+          name: cypress-videos-${{ matrix.container }}-${{ matrix.browser }}
+          path: js/apps/admin-ui/cypress/videos
+          if-no-files-found: ignore
+          retention-days: 10
+
   check:
     name: Status Check - Keycloak JavaScript CI
     if: always()

diff --git a/crypto/default/src/main/java/org/keycloak/crypto/def/BCCertificateUtilsProvider.java b/crypto/default/src/main/java/org/keycloak/crypto/def/BCCertificateUtilsProvider.java
@@ -112,7 +112,7 @@ public X509Certificate generateV3Certificate(KeyPair keyPair, PrivateKey caPriva
 
             // Authority Key Identifier
             certGen.addExtension(Extension.authorityKeyIdentifier, false,
-                    x509ExtensionUtils.createAuthorityKeyIdentifier(subjPubKeyInfo));
+                    x509ExtensionUtils.createAuthorityKeyIdentifier(caCert));
 
             // Key Usage
             certGen.addExtension(Extension.keyUsage, false, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign

diff --git a/...ypto/elytron/ElytronCertificateUtils.java → ...tron/ElytronCertificateUtilsProvider.java b/...ypto/elytron/ElytronCertificateUtils.java → ...tron/ElytronCertificateUtilsProvider.java
@@ -29,7 +29,6 @@
 import java.time.ZoneId;
 import java.time.ZonedDateTime;
 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.Calendar;
 import java.util.Collections;
 import java.util.Date;
@@ -41,6 +40,7 @@
 import org.keycloak.common.crypto.CertificateUtilsProvider;
 import org.wildfly.security.asn1.ASN1;
 import org.wildfly.security.asn1.DERDecoder;
+import org.wildfly.security.x500.GeneralName;
 import org.wildfly.security.x500.X500;
 import org.wildfly.security.x500.cert.AuthorityKeyIdentifierExtension;
 import org.wildfly.security.x500.cert.BasicConstraintsExtension;
@@ -52,14 +52,15 @@
 import org.wildfly.security.x500.cert.SubjectKeyIdentifierExtension;
 import org.wildfly.security.x500.cert.X509CertificateBuilder;
 import org.wildfly.security.x500.cert.X509CertificateExtension;
+import org.wildfly.security.x500.cert.util.KeyUtil;
 
 /**
  * The Class CertificateUtils provides utility functions for generation
  * and usage of X.509 certificates
  *
  * @author <a href="mailto:[email protected]">David Anderson</a>
  */
-public class ElytronCertificateUtils  implements CertificateUtilsProvider {
+public class ElytronCertificateUtilsProvider implements CertificateUtilsProvider {
 
     Logger log = Logger.getLogger(getClass());
 
@@ -82,10 +83,7 @@ public X509Certificate generateV3Certificate(KeyPair keyPair, PrivateKey caPriva
         try {
 
             X500Principal subjectdn = subjectToX500Principle(subject);
-            X500Principal issuerdn = subjectdn;
-            if (caCert != null) {
-                issuerdn = caCert.getSubjectX500Principal();
-            }
+            X500Principal issuerdn = caCert.getSubjectX500Principal();
 
             // Validity
             ZonedDateTime notBefore = ZonedDateTime.ofInstant(new Date(System.currentTimeMillis()).toInstant(),
@@ -110,7 +108,6 @@ public X509Certificate generateV3Certificate(KeyPair keyPair, PrivateKey caPriva
                     .setNotValidBefore(notBefore)
                     .setNotValidAfter(notAfter)
 
-                    .setSigningKey(keyPair.getPrivate())
                     .setPublicKey(keyPair.getPublic())
 
                     .setSerialNumber(serialNumber)
@@ -120,10 +117,14 @@ public X509Certificate generateV3Certificate(KeyPair keyPair, PrivateKey caPriva
                     .setSigningKey(caPrivateKey)
 
                     // Subject Key Identifier Extension
-                    .addExtension(new SubjectKeyIdentifierExtension(keyPair.getPublic().getEncoded()))
+                    .addExtension(new SubjectKeyIdentifierExtension(KeyUtil.getKeyIdentifier(keyPair.getPublic())))
 
                     // Authority Key Identifier
-                    .addExtension(new AuthorityKeyIdentifierExtension(keyPair.getPublic().getEncoded(), null, null))
+                    .addExtension(new AuthorityKeyIdentifierExtension(
+                            KeyUtil.getKeyIdentifier(caCert.getPublicKey()),
+                            Collections.singletonList(new GeneralName.DirectoryName(caCert.getIssuerX500Principal().getName())),
+                            caCert.getSerialNumber()
+                    ))
 
                     // Key Usage
                     .addExtension(

diff --git a/crypto/elytron/src/main/java/org/keycloak/crypto/elytron/WildFlyElytronProvider.java b/crypto/elytron/src/main/java/org/keycloak/crypto/elytron/WildFlyElytronProvider.java
@@ -34,7 +34,6 @@
 import java.security.spec.ECParameterSpec;
 import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;
-import java.util.function.Supplier;
 
 import javax.crypto.Cipher;
 import javax.crypto.NoSuchPaddingException;
@@ -77,7 +76,7 @@ public <T> T getAlgorithmProvider(Class<T> clazz, String algorithm) {
 
     @Override
     public CertificateUtilsProvider getCertificateUtils() {
-        return new ElytronCertificateUtils();
+        return new ElytronCertificateUtilsProvider();
     }
 
     @Override

diff --git a/crypto/elytron/src/test/java/org/keycloak/crypto/elytron/test/CRLDistributionPointTest.java b/crypto/elytron/src/test/java/org/keycloak/crypto/elytron/test/CRLDistributionPointTest.java
@@ -27,14 +27,12 @@
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
-import java.util.Base64;
 import java.util.List;
 
 import javax.security.auth.x500.X500Principal;
 
 import org.junit.Test;
-import org.keycloak.common.util.PemUtils;
-import org.keycloak.crypto.elytron.ElytronCertificateUtils;
+import org.keycloak.crypto.elytron.ElytronCertificateUtilsProvider;
 import org.wildfly.security.x500.GeneralName;
 import org.wildfly.security.x500.cert.CRLDistributionPoint;
 import org.wildfly.security.x500.cert.CRLDistributionPoint.DistributionPointName;
@@ -55,7 +53,7 @@ public void getCrlDistPoint() throws CertificateException, NoSuchAlgorithmExcept
          expect.add("http://crl0.test0.com");
 
 
-         ElytronCertificateUtils bcutil = new ElytronCertificateUtils();
+         ElytronCertificateUtilsProvider bcutil = new ElytronCertificateUtilsProvider();
           List<String> crldp = bcutil.getCRLDistributionPoints(cert);
 
           assertArrayEquals(expect.toArray(), crldp.toArray());
@@ -70,7 +68,7 @@ public void getCrlDistPointMultiNames() throws CertificateException, NoSuchAlgor
          expect.add("http://crl0.test0.com");
          expect.add("http://crl0.test1.com");
 
-         ElytronCertificateUtils bcutil = new ElytronCertificateUtils();
+         ElytronCertificateUtilsProvider bcutil = new ElytronCertificateUtilsProvider();
           List<String> crldp = bcutil.getCRLDistributionPoints(cert);
 
           assertArrayEquals(expect.toArray(), crldp.toArray());
@@ -87,7 +85,7 @@ public void getMultiCrlDistPointMultiNames() throws CertificateException, NoSuch
          expect.add("http://crl1.test0.com");
          expect.add("http://crl1.test1.com");
 
-         ElytronCertificateUtils bcutil = new ElytronCertificateUtils();
+         ElytronCertificateUtilsProvider bcutil = new ElytronCertificateUtilsProvider();
           List<String> crldp = bcutil.getCRLDistributionPoints(cert);
 
           assertArrayEquals(expect.toArray(), crldp.toArray());
@@ -101,7 +99,7 @@ public void revokedCertCRLDistTest() throws CertificateException, IOException {
          expect.add("http://localhost:8889/empty.crl");
          expect.add("http://localhost:8889/intermediate-ca.crl");
 
-         ElytronCertificateUtils bcutil = new ElytronCertificateUtils();
+         ElytronCertificateUtilsProvider bcutil = new ElytronCertificateUtilsProvider();
           List<String> crldp = bcutil.getCRLDistributionPoints(cert);
 
           assertArrayEquals(expect.toArray(), crldp.toArray());

diff --git a/crypto/fips1402/src/main/java/org/keycloak/crypto/fips/BCFIPSCertificateUtilsProvider.java b/crypto/fips1402/src/main/java/org/keycloak/crypto/fips/BCFIPSCertificateUtilsProvider.java
@@ -114,7 +114,7 @@ public X509Certificate generateV3Certificate(KeyPair keyPair, PrivateKey caPriva
 
             // Authority Key Identifier
             certGen.addExtension(Extension.authorityKeyIdentifier, false,
-                    x509ExtensionUtils.createAuthorityKeyIdentifier(subjPubKeyInfo));
+                    x509ExtensionUtils.createAuthorityKeyIdentifier(caCert));
 
             // Key Usage
             certGen.addExtension(Extension.keyUsage, false, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign