Make CertificateUtils class to work with both fips and non-fips (#12499)
Closes #12498
parent
df41f233d5
commit
e856a62fb2
@ -17,10 +17,7 @@
package org.keycloak.common.util;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.oiw.OIWObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.Extension;
@ -28,17 +25,11 @@ import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509ExtensionUtils;
import org.bouncycastle.cert.X509v1CertificateBuilder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.crypto.util.PrivateKeyFactory;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder;
import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;
import org.bouncycastle.operator.DigestCalculator;
import org.bouncycastle.operator.bc.BcDigestCalculatorProvider;
import org.bouncycastle.operator.bc.BcRSAContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import java.math.BigInteger;
@ -89,9 +80,7 @@ public class CertificateUtils {
X509v3CertificateBuilder certGen = new X509v3CertificateBuilder(new X500Name(caCert.getSubjectDN().getName()),
serialNumber, notBefore, notAfter, subjectDN, subjPubKeyInfo);
DigestCalculator digCalc = new BcDigestCalculatorProvider()
.get(new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1));
X509ExtensionUtils x509ExtensionUtils = new X509ExtensionUtils(digCalc);
JcaX509ExtensionUtils x509ExtensionUtils = new JcaX509ExtensionUtils();
// Subject Key Identifier
certGen.addExtension(Extension.subjectKeyIdentifier, false,
@ -167,11 +156,9 @@ public class CertificateUtils {
*/
public static ContentSigner createSigner(PrivateKey privateKey) {
try {
AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder().find("SHA256WithRSAEncryption");
AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId);
return new BcRSAContentSignerBuilder(sigAlgId, digAlgId)
.build(PrivateKeyFactory.createKey(privateKey.getEncoded()));
JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder("SHA256WithRSAEncryption")
.setProvider(BouncyIntegration.PROVIDER);
return signerBuilder.build(privateKey);
} catch (Exception e) {
throw new RuntimeException("Could not create content signer.", e);
}
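Review bot: In createSigner the new JcaContentSignerBuilder is still pinned to "SHA256WithRSAEncryption" while the parameter is a plain PrivateKey, so a non-RSA key is only rejected deep inside the provider's build() and surfaces as the opaque "Could not create content signer." RuntimeException; a precondition makes the contract explicit and the failure diagnosable, e.g. `if (!"RSA".equals(privateKey.getAlgorithm())) { throw new IllegalArgumentException("createSigner supports RSA keys only, got " + privateKey.getAlgorithm()); }` placed before the builder is constructed. The Javadoc ending at the `*/` above the signature should also say that the signer is SHA-256/RSA only and that the implementation is taken from BouncyIntegration.PROVIDER, since that constant is now what selects the FIPS or non-FIPS backend. As a point of style, `catch (Exception e)` is broader than needed here: JcaContentSignerBuilder.build() declares OperatorCreationException, and catching that type would keep unexpected unchecked exceptions from being rewrapped. The method's closing brace lies outside the hunk.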