org.keycloak.services.resources.admin.ClientAttributeCertificateResource クラス

org.keycloak.services.resources.admin.ClientAttributeCertificateResource 連携図

公開メンバ関数
	ClientAttributeCertificateResource (RealmModel realm, AdminPermissionEvaluator auth, ClientModel client, KeycloakSession session, String attributePrefix, AdminEventBuilder adminEvent)
CertificateRepresentation	getKeyInfo ()
CertificateRepresentation	generate ()
CertificateRepresentation	uploadJks (MultipartFormDataInput input) throws IOException
CertificateRepresentation	uploadJksCertificate (MultipartFormDataInput input) throws IOException
byte []	getKeystore (final KeyStoreConfig config)
byte []	generateAndGetKeystore (final KeyStoreConfig config)

静的公開変数類
static final String	CERTIFICATE_PEM = "Certificate PEM"
static final String	PUBLIC_KEY_PEM = "Public Key PEM"
static final String	JSON_WEB_KEY_SET = "JSON Web Key Set"

限定公開変数類
RealmModel	realm
ClientModel	client
KeycloakSession	session
AdminEventBuilder	adminEvent
String	attributePrefix

非公開メンバ関数
CertificateRepresentation	getCertFromRequest (MultipartFormDataInput input) throws IOException
byte []	getKeystore (KeyStoreConfig config, String privatePem, String certPem)

非公開変数類
AdminPermissionEvaluator	auth

詳解

Client Attribute Certificate

著者

Bill Burke

バージョン

Revision

1

構築子と解体子

ClientAttributeCertificateResource()

org.keycloak.services.resources.admin.ClientAttributeCertificateResource.ClientAttributeCertificateResource ( RealmModel  realm, AdminPermissionEvaluator  auth, ClientModel  client, KeycloakSession  session, String  attributePrefix, AdminEventBuilder  adminEvent  )

inline

                                                                                                                                                                                                  {
        this.realm = realm;
        this.auth = auth;
        this.client = client;
        this.session = session;
        this.attributePrefix = attributePrefix;
        this.adminEvent = adminEvent.resource(ResourceType.CLIENT);
    }

関数詳解

generate()

CertificateRepresentation org.keycloak.services.resources.admin.ClientAttributeCertificateResource.generate ( )

inline

Generate a new certificate with new key pair

戻り値

                                                {
        auth.clients().requireConfigure(client);

        CertificateRepresentation info = KeycloakModelUtils.generateKeyPairCertificate(client.getClientId());

        CertificateInfoHelper.updateClientModelCertificateInfo(client, info, attributePrefix);

        adminEvent.operation(OperationType.ACTION).resourcePath(session.getContext().getUri()).representation(info).success();

        return info;
    }

generateAndGetKeystore()

byte [] org.keycloak.services.resources.admin.ClientAttributeCertificateResource.generateAndGetKeystore ( final KeyStoreConfig  config )

inline

Generate a new keypair and certificate, and get the private key file

Generates a keypair and certificate and serves the private key in a specified keystore format. Only generated public certificate is saved in Keycloak DB - the private key is not.

引数

config

Keystore configuration as JSON

戻り値

                                                                      {
        auth.clients().requireConfigure(client);

        if (config.getFormat() != null && !config.getFormat().equals("JKS") && !config.getFormat().equals("PKCS12")) {
            throw new NotAcceptableException("Only support jks or pkcs12 format.");
        }
        if (config.getKeyPassword() == null) {
            throw new ErrorResponseException("password-missing", "Need to specify a key password for jks generation and download", Response.Status.BAD_REQUEST);
        }
        if (config.getStorePassword() == null) {
            throw new ErrorResponseException("password-missing", "Need to specify a store password for jks generation and download", Response.Status.BAD_REQUEST);
        }

        CertificateRepresentation info = KeycloakModelUtils.generateKeyPairCertificate(client.getClientId());
        byte[] rtn = getKeystore(config, info.getPrivateKey(), info.getCertificate());

        info.setPrivateKey(null);

        CertificateInfoHelper.updateClientModelCertificateInfo(client, info, attributePrefix);

        adminEvent.operation(OperationType.ACTION).resourcePath(session.getContext().getUri()).representation(info).success();
        return rtn;
    }

getCertFromRequest()

CertificateRepresentation org.keycloak.services.resources.admin.ClientAttributeCertificateResource.getCertFromRequest ( MultipartFormDataInput  input ) throws IOException

inlineprivate

                                                                                                          {
        auth.clients().requireManage(client);
        CertificateRepresentation info = new CertificateRepresentation();
        Map<String, List<InputPart>> uploadForm = input.getFormDataMap();
        List<InputPart> keystoreFormatPart = uploadForm.get("keystoreFormat");
        if (keystoreFormatPart == null) throw new BadRequestException();
        String keystoreFormat = keystoreFormatPart.get(0).getBodyAsString();
        List<InputPart> inputParts = uploadForm.get("file");
        if (keystoreFormat.equals(CERTIFICATE_PEM)) {
            String pem = StreamUtil.readString(inputParts.get(0).getBody(InputStream.class, null));

            pem = PemUtils.removeBeginEnd(pem);

            // Validate format
            KeycloakModelUtils.getCertificate(pem);

            info.setCertificate(pem);
            return info;
        } else if (keystoreFormat.equals(PUBLIC_KEY_PEM)) {
            String pem = StreamUtil.readString(inputParts.get(0).getBody(InputStream.class, null));

            // Validate format
            KeycloakModelUtils.getPublicKey(pem);

            info.setPublicKey(pem);
            return info;
        } else if (keystoreFormat.equals(JSON_WEB_KEY_SET)) {
            InputStream stream = inputParts.get(0).getBody(InputStream.class, null);
            JSONWebKeySet keySet = JsonSerialization.readValue(stream, JSONWebKeySet.class);
            JWK publicKeyJwk = JWKSUtils.getKeyForUse(keySet, JWK.Use.SIG);
            if (publicKeyJwk == null) {
                throw new IllegalStateException("Certificate not found for use sig");
            } else {
                PublicKey publicKey = JWKParser.create(publicKeyJwk).toPublicKey();
                String publicKeyPem = KeycloakModelUtils.getPemFromKey(publicKey);
                info.setPublicKey(publicKeyPem);
                info.setKid(publicKeyJwk.getKeyId());
                return info;
            }
        }


        String keyAlias = uploadForm.get("keyAlias").get(0).getBodyAsString();
        List<InputPart> keyPasswordPart = uploadForm.get("keyPassword");
        char[] keyPassword = keyPasswordPart != null ? keyPasswordPart.get(0).getBodyAsString().toCharArray() : null;

        List<InputPart> storePasswordPart = uploadForm.get("storePassword");
        char[] storePassword = storePasswordPart != null ? storePasswordPart.get(0).getBodyAsString().toCharArray() : null;
        PrivateKey privateKey = null;
        X509Certificate certificate = null;
        try {
            KeyStore keyStore = null;
            if (keystoreFormat.equals("JKS")) keyStore = KeyStore.getInstance("JKS");
            else keyStore = KeyStore.getInstance(keystoreFormat, "BC");
            keyStore.load(inputParts.get(0).getBody(InputStream.class, null), storePassword);
            try {
                privateKey = (PrivateKey)keyStore.getKey(keyAlias, keyPassword);
            } catch (Exception e) {
                // ignore
            }
            certificate = (X509Certificate)keyStore.getCertificate(keyAlias);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }

        if (privateKey != null) {
            String privateKeyPem = KeycloakModelUtils.getPemFromKey(privateKey);
            info.setPrivateKey(privateKeyPem);
        }

        if (certificate != null) {
            String certPem = KeycloakModelUtils.getPemFromCertificate(certificate);
            info.setCertificate(certPem);
        }

        return info;
    }

getKeyInfo()

CertificateRepresentation org.keycloak.services.resources.admin.ClientAttributeCertificateResource.getKeyInfo ( )

inline

Get key info

戻り値

                                                  {
        auth.clients().requireView(client);

        CertificateRepresentation info = CertificateInfoHelper.getCertificateFromClient(client, attributePrefix);
        return info;
    }

getKeystore() [1/2]

byte [] org.keycloak.services.resources.admin.ClientAttributeCertificateResource.getKeystore ( final KeyStoreConfig  config )

inline

Get a keystore file for the client, containing private key and public certificate

引数

config

Keystore configuration as JSON

戻り値

                                                           {
        auth.clients().requireView(client);

        if (config.getFormat() != null && !config.getFormat().equals("JKS") && !config.getFormat().equals("PKCS12")) {
            throw new NotAcceptableException("Only support jks or pkcs12 format.");
        }

        CertificateRepresentation info = CertificateInfoHelper.getCertificateFromClient(client, attributePrefix);
        String privatePem = info.getPrivateKey();
        String certPem = info.getCertificate();

        if (privatePem == null && certPem == null) {
            throw new NotFoundException("keypair not generated for client");
        }
        if (privatePem != null && config.getKeyPassword() == null) {
            throw new ErrorResponseException("password-missing", "Need to specify a key password for jks download", Response.Status.BAD_REQUEST);
        }
        if (config.getStorePassword() == null) {
            throw new ErrorResponseException("password-missing", "Need to specify a store password for jks download", Response.Status.BAD_REQUEST);
        }

        byte[] rtn = getKeystore(config, privatePem, certPem);
        return rtn;
    }

getKeystore() [2/2]

byte [] org.keycloak.services.resources.admin.ClientAttributeCertificateResource.getKeystore ( KeyStoreConfig  config, String  privatePem, String  certPem  )

inlineprivate

                                                                                         {
        try {
            String format = config.getFormat();
            KeyStore keyStore;
            if (format.equals("JKS")) keyStore = KeyStore.getInstance("JKS");
            else keyStore = KeyStore.getInstance(format, "BC");
            keyStore.load(null, null);
            String keyAlias = config.getKeyAlias();
            if (keyAlias == null) keyAlias = client.getClientId();
            if (privatePem != null) {
                PrivateKey privateKey = PemUtils.decodePrivateKey(privatePem);
                X509Certificate clientCert = PemUtils.decodeCertificate(certPem);


                Certificate[] chain =  {clientCert};

                keyStore.setKeyEntry(keyAlias, privateKey, config.getKeyPassword().trim().toCharArray(), chain);
            } else {
                X509Certificate clientCert = PemUtils.decodeCertificate(certPem);
                keyStore.setCertificateEntry(keyAlias, clientCert);
            }


            if (config.isRealmCertificate() == null || config.isRealmCertificate().booleanValue()) {
                KeyManager keys = session.keys();
                String kid = keys.getActiveRsaKey(realm).getKid();
                Certificate certificate = keys.getRsaCertificate(realm, kid);
                String certificateAlias = config.getRealmAlias();
                if (certificateAlias == null) certificateAlias = realm.getName();
                keyStore.setCertificateEntry(certificateAlias, certificate);

            }
            ByteArrayOutputStream stream = new ByteArrayOutputStream();
            keyStore.store(stream, config.getStorePassword().trim().toCharArray());
            stream.flush();
            stream.close();
            byte[] rtn = stream.toByteArray();
            return rtn;
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

uploadJks()

CertificateRepresentation org.keycloak.services.resources.admin.ClientAttributeCertificateResource.uploadJks ( MultipartFormDataInput  input ) throws IOException

inline

Upload certificate and eventually private key

引数

input

戻り値

例外

IOException

                                                                                                {
        auth.clients().requireConfigure(client);

        try {
            CertificateRepresentation info = getCertFromRequest(input);
            CertificateInfoHelper.updateClientModelCertificateInfo(client, info, attributePrefix);

            adminEvent.operation(OperationType.ACTION).resourcePath(session.getContext().getUri()).representation(info).success();
            return info;
        } catch (IllegalStateException ise) {
            throw new ErrorResponseException("certificate-not-found", "Certificate or key with given alias not found in the keystore", Response.Status.BAD_REQUEST);
        }
    }

uploadJksCertificate()

CertificateRepresentation org.keycloak.services.resources.admin.ClientAttributeCertificateResource.uploadJksCertificate ( MultipartFormDataInput  input ) throws IOException

inline

Upload only certificate, not private key

引数

input

戻り値

information extracted from uploaded certificate - not necessarily the new state of certificate on the server

例外

IOException

                                                                                                           {
        auth.clients().requireConfigure(client);

        try {
            CertificateRepresentation info = getCertFromRequest(input);
            info.setPrivateKey(null);
            CertificateInfoHelper.updateClientModelCertificateInfo(client, info, attributePrefix);

            adminEvent.operation(OperationType.ACTION).resourcePath(session.getContext().getUri()).representation(info).success();
            return info;
        } catch (IllegalStateException ise) {
            throw new ErrorResponseException("certificate-not-found", "Certificate or key with given alias not found in the keystore", Response.Status.BAD_REQUEST);
        }
    }

メンバ詳解

adminEvent

AdminEventBuilder org.keycloak.services.resources.admin.ClientAttributeCertificateResource.adminEvent

protected

attributePrefix

String org.keycloak.services.resources.admin.ClientAttributeCertificateResource.attributePrefix

protected

auth

AdminPermissionEvaluator org.keycloak.services.resources.admin.ClientAttributeCertificateResource.auth

private

CERTIFICATE_PEM

final String org.keycloak.services.resources.admin.ClientAttributeCertificateResource.CERTIFICATE_PEM = "Certificate PEM"

static

client

ClientModel org.keycloak.services.resources.admin.ClientAttributeCertificateResource.client

protected

JSON_WEB_KEY_SET

final String org.keycloak.services.resources.admin.ClientAttributeCertificateResource.JSON_WEB_KEY_SET = "JSON Web Key Set"

static

PUBLIC_KEY_PEM

final String org.keycloak.services.resources.admin.ClientAttributeCertificateResource.PUBLIC_KEY_PEM = "Public Key PEM"

static

realm

RealmModel org.keycloak.services.resources.admin.ClientAttributeCertificateResource.realm

protected

session

KeycloakSession org.keycloak.services.resources.admin.ClientAttributeCertificateResource.session

protected

---

このクラス詳解は次のファイルから抽出されました:

• D:/AppData/doxygen/keycloak/rest-service/src/services/src/main/java/org/keycloak/services/resources/admin/ClientAttributeCertificateResource.java