All Downloads are FREE. Search and download functionalities are using the official Maven repository.

io.quarkus.oidc.runtime.TrustStoreUtils Maven / Gradle / Ivy

Go to download

Secure your applications with OpenID Connect Adapter and IDP such as Keycloak

There is a newer version: 3.18.0.CR1
Show newest version
package io.quarkus.oidc.runtime;

import java.io.IOException;
import java.io.InputStream;
import java.net.MalformedURLException;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.KeyStore.Entry;
import java.security.KeyStore.TrustedCertificateEntry;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Optional;
import java.util.Set;

import org.jboss.logging.Logger;
import org.jose4j.keys.X509Util;

import io.quarkus.oidc.common.runtime.OidcCommonUtils;
import io.quarkus.runtime.util.ClassPathUtils;

public class TrustStoreUtils {
    private static final Logger LOGGER = Logger.getLogger(TrustStoreUtils.class.getName());

    public static Set getTrustedCertificateThumbprints(Path path, String trustStoreSecret,
            Optional trustStoreCertAlias, Optional trustStoreFileType) {
        URL trustStoreFileUrl = null;
        if ((trustStoreFileUrl = Thread.currentThread().getContextClassLoader()
                .getResource(ClassPathUtils.toResourceName(path))) != null) {
            return readTrustStore(path, trustStoreFileUrl, trustStoreSecret, trustStoreCertAlias, trustStoreFileType);
        } else if (Files.exists(path)) {
            try {
                return readTrustStore(path, path.toUri().toURL(), trustStoreSecret, trustStoreCertAlias, trustStoreFileType);
            } catch (MalformedURLException e) {
                LOGGER.errorf("Keystore %s location is not a valid URL", path.toUri());
                throw new RuntimeException(e);
            }
        } else {
            LOGGER.errorf("Keystore %s can not be found on the classpath and the file system", path.toUri());
            throw new RuntimeException();
        }
    }

    private static Set readTrustStore(Path path, URL trustStoreFileUrl, String trustStoreSecret,
            Optional trustStoreCertAlias, Optional trustStoreFileType) {

        try (InputStream fis = trustStoreFileUrl.openStream()) {
            KeyStore keyStore = KeyStore.getInstance(OidcCommonUtils.getKeyStoreType(trustStoreFileType, path));
            keyStore.load(fis, trustStoreSecret.toCharArray());

            Set allThumbprints = new HashSet<>();
            if (trustStoreCertAlias.isPresent()) {
                addThumbprints(keyStore, allThumbprints, trustStoreCertAlias.get());
            } else {
                for (Enumeration aliases = keyStore.aliases(); aliases.hasMoreElements();) {
                    addThumbprints(keyStore, allThumbprints, aliases.nextElement());
                }
            }

            if (allThumbprints.isEmpty()) {
                LOGGER.errorf("Keystore %s entries can not be loaded", trustStoreFileUrl.toString());
                throw new RuntimeException();
            }

            return allThumbprints;
        } catch (IOException e) {
            LOGGER.errorf("Keystore %s can not be loaded", trustStoreFileUrl.toString());
            throw new RuntimeException(e);
        } catch (Exception e) {
            LOGGER.errorf("Keystore %s entries can not be loaded", trustStoreFileUrl.toString());
            throw new RuntimeException(e);
        }
    }

    private static void addThumbprints(KeyStore keyStore, Set allThumbprints, String alias)
            throws Exception {
        Entry entry = keyStore.getEntry(alias, null);
        if (entry instanceof TrustedCertificateEntry) {
            X509Certificate cert = (X509Certificate) ((TrustedCertificateEntry) entry).getTrustedCertificate();
            allThumbprints.add(calculateThumprint(cert));
        }
    }

    public static String calculateThumprint(X509Certificate cert) {
        return X509Util.x5tS256(cert);
    }
}




© 2015 - 2025 Weber Informatics LLC | Privacy Policy