Support for RSA Key Size of 3072

Closes #41551

Signed-off-by: Bjoern Eickvonder <bjoern.eickvonder@inform-software.com>
Björn Eickvonder
2025-07-31 13:30:33 +02:00
committed by GitHub
parent e1b3afb686
commit c7cc162f6b
8 changed files with 23 additions and 10 deletions


@@ -9,7 +9,7 @@ if [ $? -ne 0 ]; then
fi
STRICT_OPTIONS=""
if [ "$1" = "strict" ]; then
STRICT_OPTIONS="-Dauth.server.fips.mode=strict -Dauth.server.supported.keystore.types=BCFKS -Dauth.server.keystore.type=bcfks -Dauth.server.supported.rsa.key.sizes=2048,4096"
STRICT_OPTIONS="-Dauth.server.fips.mode=strict -Dauth.server.supported.keystore.types=BCFKS -Dauth.server.keystore.type=bcfks -Dauth.server.supported.rsa.key.sizes=2048,3072,4096"
fi
echo "STRICT_OPTIONS: $STRICT_OPTIONS"
TESTS=`testsuite/integration-arquillian/tests/base/testsuites/suite.sh fips`


@@ -135,6 +135,6 @@ public interface CryptoProvider {
* @return Allowed key sizes of RSA key modulus, which this cryptoProvider supports
*/
default String[] getSupportedRsaKeySizes() {
return new String[] {"1024", "2048", "4096"};
return new String[] {"1024", "2048", "3072", "4096"};
}
}
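Review bot: The Javadoc on `getSupportedRsaKeySizes()` does not say that the returned values are modulus sizes in bits serialized as decimal strings in ascending order, nor why 1024 stays in the default list once 3072 is added; presumably it is kept for realms that already hold 1024-bit keys, which is worth stating explicitly since 1024-bit RSA is below current key-length guidance and the strict FIPS provider drops it. If that reading is right, the `@return` line could read `Allowed RSA modulus sizes in bits, as decimal strings in ascending order; 1024 is retained for existing keys only and is not offered by the FIPS-approved provider`. The same literal list is duplicated in `Fips1402StrictCryptoProvider.getSupportedRsaKeySizes()` in the next section and in the test properties and scripts, so a short comment naming those copies would help keep them in step.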


@@ -18,6 +18,6 @@ public class Fips1402StrictCryptoProvider extends FIPS1402Provider {
@Override
public String[] getSupportedRsaKeySizes() {
// RSA key of 1024 bits not supported in BCFIPS approved mode
return new String[] {"2048", "4096"};
return new String[] {"2048", "3072", "4096"};
}
}


@@ -23,6 +23,7 @@ import java.security.cert.Certificate;
import java.security.interfaces.RSAPrivateKey;
import org.jboss.logging.Logger;
import org.keycloak.Config;
import org.keycloak.common.util.CertificateUtils;
import org.keycloak.common.util.KeyUtils;
import org.keycloak.common.util.MultivaluedHashMap;
@@ -33,10 +34,13 @@ import org.keycloak.crypto.KeyUse;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.provider.ConfigurationValidationHelper;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.provider.ProviderConfigurationBuilder;
public abstract class AbstractGeneratedRsaKeyProviderFactory extends AbstractRsaKeyProviderFactory {
private int defaultKeySize = 2048;
abstract protected Logger getLogger();
public final static ProviderConfigurationBuilder rsaKeyConfigurationBuilder() {
@@ -46,6 +50,17 @@ public abstract class AbstractGeneratedRsaKeyProviderFactory extends AbstractRsa
.property(Attributes.ACTIVE_PROPERTY);
}
protected ProviderConfigurationBuilder generatedRsaKeyConfigurationBuilder() {
ProviderConfigProperty prop = Attributes.KEY_SIZE_PROPERTY.get();
prop.setDefaultValue(defaultKeySize);
return rsaKeyConfigurationBuilder().property(prop);
}
@Override
public void init(Config.Scope config) {
this.defaultKeySize = config.getInt(Attributes.KEY_SIZE_KEY, 2048);
}
@Override
public boolean createFallbackKeys(KeycloakSession session, KeyUse keyUse, String algorithm) {
if (isValidKeyUse(keyUse) && isSupportedRsaAlgorithm(algorithm)) {
@@ -80,7 +95,7 @@ public abstract class AbstractGeneratedRsaKeyProviderFactory extends AbstractRsa
ConfigurationValidationHelper.check(model).checkList(Attributes.KEY_SIZE_PROPERTY.get(), false);
int size = model.get(Attributes.KEY_SIZE_KEY, 2048);
int size = model.get(Attributes.KEY_SIZE_KEY, this.defaultKeySize);
if (!(model.contains(Attributes.PRIVATE_KEY_KEY) && model.contains(Attributes.CERTIFICATE_KEY))) {
generateKeys(realm, model, size);
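Review bot: `init` stores whatever `config.getInt(Attributes.KEY_SIZE_KEY, 2048)` returns without checking it against the sizes the active crypto provider supports, so a misconfigured default (one absent from `getSupportedRsaKeySizes()`, or 1024 under the strict FIPS provider) flows into `prop.setDefaultValue(defaultKeySize)` and into `model.get(Attributes.KEY_SIZE_KEY, this.defaultKeySize)` in the last hunk, where `checkList(..., false)` appears to validate only an explicitly stored value rather than the fallback. Validating once at startup fails fast instead of at the first realm key generation; the property's option list looks like the right reference, assuming, as the `checkList` call implies, that `Attributes.KEY_SIZE_PROPERTY.get().getOptions()` is populated from the provider's supported sizes — confirm. The method in the last hunk and `createFallbackKeys` start or end outside the hunks shown. A minor style point: the field is read bare in `generatedRsaKeyConfigurationBuilder()` but as `this.defaultKeySize` elsewhere; pick one form.
```java
@Override
public void init(Config.Scope config) {
    int configured = config.getInt(Attributes.KEY_SIZE_KEY, 2048);
    // Fail fast on a default the active crypto provider cannot generate; otherwise the bad
    // value only surfaces when the first realm key is created.
    if (!Attributes.KEY_SIZE_PROPERTY.get().getOptions().contains(String.valueOf(configured))) {
        throw new IllegalArgumentException("Unsupported default RSA key size: " + configured);
    }
    this.defaultKeySize = configured;
}
```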


@@ -51,8 +51,7 @@ public class GeneratedRsaEncKeyProviderFactory extends AbstractGeneratedRsaKeyPr
@Override
public List<ProviderConfigProperty> getConfigProperties() {
return AbstractGeneratedRsaKeyProviderFactory.rsaKeyConfigurationBuilder()
.property(Attributes.KEY_SIZE_PROPERTY.get())
return generatedRsaKeyConfigurationBuilder()
.property(Attributes.RS_ENC_ALGORITHM_PROPERTY)
.build();
}


@@ -53,8 +53,7 @@ public class GeneratedRsaKeyProviderFactory extends AbstractGeneratedRsaKeyProvi
@Override
public List<ProviderConfigProperty> getConfigProperties() {
return AbstractGeneratedRsaKeyProviderFactory.rsaKeyConfigurationBuilder()
.property(Attributes.KEY_SIZE_PROPERTY.get())
return generatedRsaKeyConfigurationBuilder()
.property(Attributes.RS_ALGORITHM_PROPERTY)
.build();
}


@@ -656,7 +656,7 @@ For running testsuite with server using BCFIPS approved mode, those additional p
-Dauth.server.fips.mode=strict \
-Dauth.server.supported.keystore.types=BCFKS \
-Dauth.server.keystore.type=bcfks \
-Dauth.server.supported.rsa.key.sizes=2048,4096
-Dauth.server.supported.rsa.key.sizes=2048,3072,4096
```
The log should contain `KeycloakFipsSecurityProvider` mentioning "Approved mode". Something like:
```


@@ -259,7 +259,7 @@
<auth.server.quarkus.cluster.config>local</auth.server.quarkus.cluster.config>
<auth.server.fips.mode>disabled</auth.server.fips.mode>
<auth.server.supported.keystore.types>JKS,PKCS12,BCFKS</auth.server.supported.keystore.types>
<auth.server.supported.rsa.key.sizes>1024,2048,4096</auth.server.supported.rsa.key.sizes>
<auth.server.supported.rsa.key.sizes>1024,2048,3072,4096</auth.server.supported.rsa.key.sizes>
<auth.server.kerberos.supported>true</auth.server.kerberos.supported>
</properties>