// Keycloak first cut for PKI and certificate management.
// https://github.com/girirajsharma/keycloak/commit/d53f20febbeea12bc295e0f23672f38afee05d3e
/* We're looking to provide an API to easily enable key and certificate management in
Keycloak-based applications. The idea is to turn a realm into a Certification Authority,
responsible for issuing, validating, revoking and renewing certificates for the identity types
(e.g. realms, users, applications, etc.) associated with it. Thus the realm will act
as the root CA: the realm's certificate (X.509 v1) will be self-signed, and the certificates (X.509 v3) of
identity types will be signed by the realm's certificate (i.e. with the realm's CA key).
So there will be a pki module with a key authority and a certificate authority, able to
perform all key- and certificate-related functions, which the identity types (e.g. realms, users,
applications, etc.) will use as their requirements dictate.
In the future, we also want to provide:
- RESTful endpoints to perform not only certificate operations, but also manage keys,
especially public keys, probably using JSON Web Keys (JWK).
- Better support for HTML5 and mobile applications that require some kind of support for certificates,
asymmetric keys, signatures and encryption, especially when using JWT and JOSE.
- Support for Java KeyStores to load and store keys.
After some initial work, I think we have an initial design. There is still more to think about,
especially regarding configuration and storage.
Basically, what we have so far are two main components: KeyAuthority and CertificateAuthority.
The first is about managing keys (e.g. RSA keys) for the realm and its identity types.
The second is about managing certificates, using those keys, for a particular type.
The first thing we should do is create a key pair for a specific type, as follows: */
@Inject
private KeyAuthority keyAuthority;

// KeyAuthority: generate a key pair for the realm (no argument) or for an identity whose certificate is given
public interface KeyAuthority {
    KeyPair generate();
    KeyPair generate(X509Certificate certificate);
}

// Once we have the keys we can issue certificates like this
@Inject
private CertificateAuthority certificateAuthority;

public interface CertificateAuthority {
    CertificateAuthorityConfig getConfiguration();
    CertificateAuthorityConfig getConfiguration(X509Certificate caCertificate);
    // self-signed realm (root CA) certificate
    X509Certificate issue(KeyPair caKeyPair, String realmName);
    // identity certificates signed by the realm CA, from a username or from a certificate request
    X509Certificate issue(X509Certificate caCertificate, KeyPair caKeyPair,
                          String username, KeyPair userKeyPair);
    X509Certificate issue(X509Certificate caCertificate, KeyPair caKeyPair,
                          CertificateRequest request, KeyPair userKeyPair);
    // certificate revocation list (CRL) handling
    X509CRLHolder createCRLHolder(KeyPair caKeyPair, X509Certificate caCertificate);
    boolean validate(X509CRLHolder crlHolder, X509Certificate certificate, KeyPair caKeyPair);
    X509CRLHolder revoke(X509CRLHolder crlHolder, KeyPair caKeyPair,
                         X509Certificate caCertificate, X509Certificate userCertificate);
    boolean isRevoked(X509CRLHolder crlHolder, X509Certificate certificate);
}
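The realm-as-root-CA flow sketched above (self-signed realm certificate, user certificates signed by the realm, CRL creation, revocation and validation), as an added example that is not the gist's or Keycloak's code: it uses Go's standard crypto/x509 (X.509 v3 throughout) instead of the Java/BouncyCastle API proposed here, and the assumed Issue, BuildCRL and Validate functions stand in for the gist's issue(), createCRLHolder()/revoke() and validate()/isRevoked().

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Constructed example, not the gist's Java API: Issue mirrors the gist's issue() overloads; with ca == nil it self-signs the realm (root CA) certificate, otherwise it signs a user certificate with the realm CA key.
func Issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, subject string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the KeyAuthority.generate() step
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: subject},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	parent, signer := ca, caKey
	if ca == nil { // root CA: self-signed, allowed to sign certificates and CRLs (CRLSign is required by CreateRevocationList)
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der) // the parsed CA cert carries the generated SubjectKeyId the CRL issuer needs
	return cert, key, err
}
// BuildCRL issues a CA-signed CRL listing the revoked certificates (the createCRLHolder / revoke steps).
func BuildCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, number int64, revoked ...*x509.Certificate) (*x509.RevocationList, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(number), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour)}
	for _, c := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: time.Now()})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	if err != nil { return nil, err }
	return x509.ParseRevocationList(der)
}
// Validate is the validate()/isRevoked() step: the CRL and the certificate must both be signed by the realm CA (a foreign or unsigned CRL proves nothing), and the serial must not be listed.
func Validate(ca *x509.Certificate, crl *x509.RevocationList, cert *x509.Certificate) (bool, error) {
	if err := crl.CheckSignatureFrom(ca); err != nil { return false, err }
	if err := cert.CheckSignatureFrom(ca); err != nil { return false, err }
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 { return false, nil }
	}
	return true, nil
}
```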
// Key interfaces
org.keycloak.pki.key.KeyAuthority.java
org.keycloak.pki.key.EncryptionAuthority.java
org.keycloak.pki.key.DecryptionAuthority.java
// Certificate interfaces
org.keycloak.pki.cert.CertificateAuthority.java
org.keycloak.pki.cert.CertificateAuthorityConfig.java
org.keycloak.pki.cert.CertificateRequest.java
// Default key interface implementations
org.keycloak.pki.internal.DefaultKeyAuthority.java
org.keycloak.pki.internal.DefaultEncryptionAuthority.java
org.keycloak.pki.internal.DefaultDecryptionAuthority.java
// Default certificate interface implementations
org.keycloak.pki.internal.DefaultCertificateAuthority.java
org.keycloak.pki.internal.DefaultCertificateAuthorityConfig.java
org.keycloak.pki.internal.DefaultCertificateRequest.java
// Certificate util class
org.keycloak.pki.internal.util.X509Util.java
// Test classes
org.keycloak.pki.test.key.KeyAuthorityTestCase.java
org.keycloak.pki.test.key.RSACipherTest.java
org.keycloak.pki.test.cert.CertificateAuthorityTestCase.java
org.keycloak.pki.test.cert.CertificateRevocationTestCase.java
org.keycloak.pki.test.WeldRunner.java
org.keycloak.pki.test.cert.WeldServletScopesSupportForSe.java