// Keycloak first cut for PKI and certificate Management. | |
// https://github.com/girirajsharma/keycloak/commit/d53f20febbeea12bc295e0f23672f38afee05d3e | |
/* We're looking to provide an API to easily enable key and certificate management for
Keycloak-based applications. The idea is to turn a realm into a Certification Authority,
responsible for issuing, validating, revoking and renewing certificates for the identity types
(eg.: realms, users, applications etc) associated with it. Thus, the realm will act
as the root CA: the realm's certificate (X509v1) will be self-signed and the certificates (X509v3) of
identity types will be signed with the realm's certificate.
So, there will be a pki module with key and certificate authority which will be able to | |
perform all key and certificate related functions and hence will be used as per requirements | |
by identity types(eg.: realms, users, applications etc). | |
In the future, we also want to provide: | |
- RESTful Endpoints to perform not only certificate operations, but also manage keys. | |
Specially public keys. Probably using JSON Web Keys (JWK). | |
- Better support for HTML5 and mobile applications that require some kind of support for certificates, | |
asymmetric keys, signature and encryption. Specially when using JWT and JOSE. | |
- Support Java KeyStores to load and store keys. | |
After some initial work, I think we have an initial design. It still needs more thought,
especially regarding configuration and storage.
Basically, what we have so far are two main components: CertificateAuthority and KeyAuthority.
The KeyAuthority is about managing keys (eg.: RSA keys) for realms and identity types.
The CertificateAuthority is about managing certificates using the keys for a particular type.
The first thing we should do is create a keypair for a specific type as follows: */
// Injected entry point for key management (the KeyAuthority component described above).
@Inject | |
private KeyAuthority keyAuthority; | |
// Generates a fresh KeyPair with no certificate association.
// NOTE(review): key algorithm, size and RNG source are not visible here — confirm the default
// implementation uses a SecureRandom-backed generator and a documented minimum key size.
KeyPair generate(); | |
// Generates a KeyPair associated with the given certificate.
// NOTE(review): how the certificate influences generation (algorithm/size taken from it?) is not
// shown in this snippet — confirm against DefaultKeyAuthority.
KeyPair generate(X509Certificate certificate); | |
// Once we have the keys we can issue certificates like this
// Injected entry point for certificate management (the CertificateAuthority component described above).
@Inject | |
private CertificateAuthority certificateAuthority; | |
// Returns the CA configuration; the second overload derives/looks it up from an existing CA certificate.
CertificateAuthorityConfig getConfiguration(); | |
CertificateAuthorityConfig getConfiguration(X509Certificate caCertificate); | |
// Issues the realm (root CA) certificate for realmName using caKeyPair — per the design note this is
// the self-signed X509v1 certificate.
// NOTE(review): a v1 certificate cannot carry basicConstraints/keyUsage extensions, so path
// validators have no in-certificate signal that this key is a CA — confirm this is intended.
X509Certificate issue(KeyPair caKeyPair, String realmName); | |
// Issues a user (end-entity) certificate for username, signed with caKeyPair under caCertificate,
// binding userKeyPair's public key. Only the public half of userKeyPair should be needed here.
X509Certificate issue(X509Certificate caCertificate, KeyPair caKeyPair, | |
String username, KeyPair userKeyPair); | |
// Same as above but the subject details come from a CertificateRequest instead of a bare username.
// NOTE(review): the request's proof-of-possession / field validation is not visible in this snippet —
// confirm the implementation checks it before signing.
X509Certificate issue(X509Certificate caCertificate, KeyPair caKeyPair, | |
CertificateRequest request, KeyPair userKeyPair); | |
// Creates a CRL for caCertificate signed with caKeyPair (presumably initially empty — confirm).
X509CRLHolder createCRLHolder(KeyPair caKeyPair, X509Certificate caCertificate); | |
// Validates certificate against the CA and the CRL.
// NOTE(review): verification needs only the CA public key; accepting the whole KeyPair (private key
// included) on a verify path is more exposure than necessary — consider PublicKey or caCertificate.
boolean validate(X509CRLHolder crlHolder, X509Certificate certificate, KeyPair caKeyPair); | |
// Adds userCertificate to the CRL and returns the updated (re-signed) CRL holder.
X509CRLHolder revoke(X509CRLHolder crlHolder, KeyPair caKeyPair, | |
X509Certificate caCertificate, X509Certificate userCertificate); | |
// Checks whether certificate appears in crlHolder.
// NOTE(review): no CA key is taken here, so the CRL's own signature and nextUpdate freshness are
// presumably not checked by this method — confirm callers validate the CRL before trusting the result.
boolean isRevoked(X509CRLHolder crlHolder, X509Certificate certificate); | |
// Key Interfaces | |
org.keycloak.pki.key.KeyAuthority.java | |
org.keycloak.pki.key.EncryptionAuthority.java | |
org.keycloak.pki.key.DecryptionAuthority.java | |
// Certificate Interfaces | |
org.keycloak.pki.cert.CertificateAuthority.java | |
org.keycloak.pki.cert.CertificateAuthorityConfig.java | |
org.keycloak.pki.cert.CertificateRequest.java | |
// Default Key Interfaces implementations | |
org.keycloak.pki.internal.DefaultKeyAuthority.java | |
org.keycloak.pki.internal.DefaultEncryptionAuthority.java | |
org.keycloak.pki.internal.DefaultDecryptionAuthority.java | |
// Default Certificate Interfaces implementations | |
org.keycloak.pki.internal.DefaultCertificateAuthority.java | |
org.keycloak.pki.internal.DefaultCertificateAuthorityConfig.java | |
org.keycloak.pki.internal.DefaultCertificateRequest.java | |
// Certificate Util class | |
org.keycloak.pki.internal.util.X509Util.java | |
// Test Classes | |
org.keycloak.pki.test.key.KeyAuthorityTestCase.java | |
org.keycloak.pki.test.key.RSACipherTest.java | |
org.keycloak.pki.test.cert.CertificateAuthorityTestCase.java | |
org.keycloak.pki.test.cert.CertificateRevocationTestCase.java | |
org.keycloak.pki.test.WeldRunner.java | |
org.keycloak.pki.test.cert.WeldServletScopesSupportForSe.java | |