Package org.keycloak.services.x509
Class Rfc9440ClientCertificateLookup
java.lang.Object
org.keycloak.services.x509.Rfc9440ClientCertificateLookup
- All Implemented Interfaces:
  Provider, X509ClientCertificateLookup
This provider extracts a client certificate that a reverse proxy compliant with RFC 9440 forwards in HTTP headers to the Keycloak server running behind it.
- Since: 12/30/2024
- Version: $Revision: 1 $
- Author: Stephan Seifermann
Nested Class Summary
Nested Classes (Modifier and Type / Class / Description): static class, static class, static class (class names and descriptions not extracted; the method signatures below reference Rfc9440ClientCertificateLookup.RfcViolationException)
Field Summary
Fields: sslClientCertHttpHeader, sslCertChainHttpHeader, certificateChainLength (see Field Details)
Constructor Summary
Rfc9440ClientCertificateLookup(String sslClientCertHttpHeader, String sslCertChainHttpHeader, int certificateChainLength)
Method Summary
- void close()
- X509Certificate[] getCertificateChain(HttpRequest httpRequest): Returns a client certificate, and optionally any certificates in the certificate chain.
- protected List<X509Certificate> getClientCertificateChainFromHeader(HttpRequest httpRequest): Extract the certificate chain from the sslCertChainHttpHeader header.
- protected X509Certificate getClientCertificateFromHeader(HttpRequest httpRequest): Extract the client certificate from the sslClientCertHttpHeader header.
- protected static X509Certificate parseCertificateFromHttpByteSequence(String byteSequence): Parses an X509 certificate from a byte sequence encoded according to sec. 2.1 of RFC 9440.
Field Details
- sslClientCertHttpHeader
- sslCertChainHttpHeader
- certificateChainLength
  protected final int certificateChainLength
Constructor Details
- Rfc9440ClientCertificateLookup
  Rfc9440ClientCertificateLookup(String sslClientCertHttpHeader, String sslCertChainHttpHeader, int certificateChainLength)
Method Details
- getCertificateChain
  public X509Certificate[] getCertificateChain(HttpRequest httpRequest) throws GeneralSecurityException
  Description copied from interface: X509ClientCertificateLookup
  Returns a client certificate, and optionally any certificates in the certificate chain.
  - Specified by: getCertificateChain in interface X509ClientCertificateLookup
  - Returns:
  - Throws: GeneralSecurityException
- close
  public void close()
- getClientCertificateFromHeader
  protected X509Certificate getClientCertificateFromHeader(HttpRequest httpRequest) throws Rfc9440ClientCertificateLookup.RfcViolationException
  Extract the client certificate from the sslClientCertHttpHeader header.
  - Parameters: httpRequest - The request containing the headers.
  - Returns: The extracted certificate, or null if no certificate was presented.
  - Throws: Rfc9440ClientCertificateLookup.RfcViolationException - thrown if the header is missing or its value does not comply with the relevant RFCs.
- getClientCertificateChainFromHeader
  protected List<X509Certificate> getClientCertificateChainFromHeader(HttpRequest httpRequest) throws Rfc9440ClientCertificateLookup.RfcViolationException, GeneralSecurityException
  Extract the certificate chain from the sslCertChainHttpHeader header.
  - Parameters: httpRequest - The request containing the headers.
  - Returns: A list of extracted certificates in the order of occurrence in the header.
  - Throws:
    Rfc9440ClientCertificateLookup.RfcViolationException - thrown if the header values do not comply with the relevant RFCs.
    GeneralSecurityException - thrown if the length of the chain is bigger than the configured maximum length (see certificateChainLength).
- parseCertificateFromHttpByteSequence
  protected static X509Certificate parseCertificateFromHttpByteSequence(String byteSequence) throws Rfc9440ClientCertificateLookup.RfcViolationException
  Parses an X509 certificate from a byte sequence encoded according to sec. 2.1 of RFC 9440.
  - Parameters: byteSequence - the byte sequence of a certificate encoded according to sec. 2.1 of RFC 9440
  - Returns: the extracted X509 certificate
  - Throws: Rfc9440ClientCertificateLookup.RfcViolationException - thrown if the input does not conform to the RFC
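As an added illustration that is not Keycloak's code: a Python sketch of the parsing this class performs, covering the RFC 9440 sec. 2.1 byte-sequence framing (colon-delimited base64, RFC 8941), the comma-separated Client-Cert-Chain list, and the certificateChainLength guard. The DER sample is a constructed placeholder SEQUENCE, not a real certificate, and full X.509 parsing is assumed to be delegated to a library after decoding.

```python
import base64
import binascii
import re
from typing import List

# RFC 8941 sec. 3.3.5 byte sequence: a colon, standard base64 (padding optional), a colon.
_BYTE_SEQUENCE = re.compile(r"^:([A-Za-z0-9+/]*=*):$")


class RfcViolationError(ValueError):
    """Header value does not follow RFC 9440 / RFC 8941 (the RfcViolationException case)."""


class ChainTooLongError(Exception):
    """More chain members than the configured maximum (the GeneralSecurityException case)."""


def parse_certificate_from_byte_sequence(item: str) -> bytes:
    """Decode one RFC 9440 sec. 2.1 byte sequence into the DER bytes of a certificate.

    Only the outer ASN.1 SEQUENCE tag is checked here; the returned bytes are meant
    to go to a real X.509 parser (assumption: e.g. cryptography's load_der_x509_certificate).
    """
    match = _BYTE_SEQUENCE.match(item.strip(" \t"))  # tolerate optional whitespace around members
    if match is None:
        raise RfcViolationError(f"not a structured-field byte sequence: {item!r}")
    b64 = match.group(1)
    b64 += "=" * (-len(b64) % 4)  # RFC 8941 lets senders omit padding; normalise before decoding
    try:
        der = base64.b64decode(b64, validate=True)  # reject characters outside the base64 alphabet
    except binascii.Error as exc:
        raise RfcViolationError(f"invalid base64 in byte sequence: {exc}") from exc
    # A DER-encoded certificate is a top-level SEQUENCE (tag 0x30); anything else is rejected.
    if not der or der[0] != 0x30:
        raise RfcViolationError("decoded bytes are not a DER SEQUENCE")
    return der


def parse_client_cert_chain(header_value: str, max_chain_length: int) -> List[bytes]:
    """Parse a Client-Cert-Chain value (a structured-field list of byte sequences).

    The member count is enforced before any member is decoded, so an oversized
    header is rejected without spending CPU on base64 or ASN.1 work.
    """
    members = header_value.split(",")
    if len(members) > max_chain_length:
        raise ChainTooLongError(f"{len(members)} chain members exceed the limit of {max_chain_length}")
    return [parse_certificate_from_byte_sequence(member) for member in members]


if __name__ == "__main__":
    # Constructed placeholders: DER SEQUENCE { INTEGER 5 } and { INTEGER 6 } standing in for certificates.
    print(parse_client_cert_chain(":MAMCAQU=:, :MAMCAQY=:", max_chain_length=3))
```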