From 0aa7b3373a385e9e6b5395ff78f82f8af8c4e47e Mon Sep 17 00:00:00 2001
From: David Mihalcik
Date: Wed, 7 Aug 2024 13:48:39 -0400
Subject: [PATCH] chore(ci): Remove keytool step - instead of a JKS encrypted with 'password', just store self-signed CA as a plain text pkcs12 file
---
 .github/scripts/init-temp-keys.cmd | 3 +-
 .github/scripts/init-temp-keys.sh | 23 ++-------
 docker-compose.yaml | 6 +--
 sdk/internal/oauth/oauth_test.go | 6 +--
 sdk/internal/oauth/testdata/ca.jks | Bin 2010 -> 0 bytes
 sdk/internal/oauth/testdata/ca.p12 | Bin 0 -> 2531 bytes
 sdk/internal/oauth/testdata/keycloak-ca.pem | 30 +++++------
 sdk/internal/oauth/testdata/keycloak-ca.srl | 1 +
 sdk/internal/oauth/testdata/localhost.crt | 32 ++++++------
 sdk/internal/oauth/testdata/localhost.key | 52 ++++++++++----------
 sdk/internal/oauth/testdata/sampleuser.crt | 31 ++++++------
 sdk/internal/oauth/testdata/sampleuser.key | 52 ++++++++++----------
 12 files changed, 113 insertions(+), 123 deletions(-)
 delete mode 100644 sdk/internal/oauth/testdata/ca.jks
 create mode 100644 sdk/internal/oauth/testdata/ca.p12
 create mode 100644 sdk/internal/oauth/testdata/keycloak-ca.srl
diff --git a/.github/scripts/init-temp-keys.cmd b/.github/scripts/init-temp-keys.cmd
index 27c0f5897..8c69925a1 100644
--- a/.github/scripts/init-temp-keys.cmd
+++ b/.github/scripts/init-temp-keys.cmd
@@ -20,5 +20,4 @@ set "hostKeyDir=%cd%"
 set hostKeyDir=%hostKeyDir%/keys
 set "hostKeyDir=%hostKeyDir:\=/%"
-openssl pkcs12 -export -in keys/keycloak-ca.pem -inkey keys/keycloak-ca-private.pem -out keys/ca.p12 -nodes -passout pass:password
-docker run -v %hostKeyDir%:/keys --entrypoint keytool cgr.dev/chainguard/keycloak@sha256:37895558d2e0e93ffff75da5900f9ae7e79ec6d1c390b18b2ecea6cee45ec26f -importkeystore -srckeystore /keys/ca.p12 -srcstoretype PKCS12 -destkeystore /keys/ca.jks -deststoretype JKS -srcstorepass "password" -deststorepass "password" -noprompt
+openssl pkcs12 -export -in keys/keycloak-ca.pem -inkey keys/keycloak-ca-private.pem -out keys/ca.p12 -keypbe NONE -certpbe NONE -passout pass:
diff --git a/.github/scripts/init-temp-keys.sh b/.github/scripts/init-temp-keys.sh
index 80a8c82a5..30036fc7f 100755
--- a/.github/scripts/init-temp-keys.sh
+++ b/.github/scripts/init-temp-keys.sh
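Review bot: The new `openssl pkcs12 -export` line still passes `-inkey keys/keycloak-ca-private.pem`, so `keys/ca.p12` now carries the CA private key with `-keypbe NONE` and an empty passphrase, although the file is only ever consumed as a truststore (the `/truststore/truststore.p12` mounts and `--truststore-paths` elsewhere in this patch). A trust anchor needs the certificate alone, so a cert-only export such as `openssl pkcs12 -export -nokeys -in keys/keycloak-ca.pem -out keys/ca.p12 -certpbe NONE -passout pass:` keeps the CA key out of the container and, presumably, out of the checked-in `sdk/internal/oauth/testdata/ca.p12` if that fixture is produced the same way. The replacement line at the end of the `init-temp-keys.sh` hunk has the same issue and should get the same change.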
@@ -47,24 +47,11 @@ openssl req -x509 -nodes -newkey ec:ecparams.tmp -subj "/CN=kas" -keyout "$opt_o
 mkdir -p keys
 openssl req -x509 -nodes -newkey RSA:2048 -subj "/CN=ca" -keyout keys/keycloak-ca-private.pem -out keys/keycloak-ca.pem -days 365
-printf "subjectAltName=DNS:localhost,IP:127.0.0.1" > keys/sanX509.conf
-printf "[req]\ndistinguished_name=req_distinguished_name\n[req_distinguished_name]\n[alt_names]\nDNS.1=localhost\nIP.1=127.0.0.1" > keys/req.conf
+printf "subjectAltName=DNS:localhost,IP:127.0.0.1" >keys/sanX509.conf
+printf "[req]\ndistinguished_name=req_distinguished_name\n[req_distinguished_name]\n[alt_names]\nDNS.1=localhost\nIP.1=127.0.0.1" >keys/req.conf
 openssl req -new -nodes -newkey rsa:2048 -keyout keys/localhost.key -out keys/localhost.req -batch -subj "/CN=localhost" -config keys/req.conf
-openssl x509 -req -in keys/localhost.req -CA keys/keycloak-ca.pem -CAkey keys/keycloak-ca-private.pem -CAcreateserial -out keys/localhost.crt -days 3650 -sha256 -extfile keys/sanX509.conf
+openssl x509 -req -in keys/localhost.req -CA keys/keycloak-ca.pem -CAkey keys/keycloak-ca-private.pem -CAcreateserial -out keys/localhost.crt -days 3650 -sha256 -extfile keys/sanX509.conf
 openssl req -new -nodes -newkey rsa:2048 -keyout keys/sampleuser.key -out keys/sampleuser.req -batch -subj "/CN=sampleuser"
-openssl x509 -req -in keys/sampleuser.req -CA keys/keycloak-ca.pem -CAkey keys/keycloak-ca-private.pem -CAcreateserial -out keys/sampleuser.crt -days 3650
+openssl x509 -req -in keys/sampleuser.req -CA keys/keycloak-ca.pem -CAkey keys/keycloak-ca-private.pem -CAcreateserial -out keys/sampleuser.crt -days 3650
-openssl pkcs12 -export -in keys/keycloak-ca.pem -inkey keys/keycloak-ca-private.pem -out keys/ca.p12 -nodes -passout pass:password
-docker run \
- -v $(pwd)/keys:/keys \
- --entrypoint keytool \
- --user $(id -u):$(id -g) \
- cgr.dev/chainguard/keycloak@sha256:37895558d2e0e93ffff75da5900f9ae7e79ec6d1c390b18b2ecea6cee45ec26f \
- -importkeystore \
- -srckeystore /keys/ca.p12 \
- -srcstoretype PKCS12 \
- -destkeystore /keys/ca.jks \
- -deststoretype JKS \
- -srcstorepass "password" \
- -deststorepass "password" \
- -noprompt
+openssl pkcs12 -export -in keys/keycloak-ca.pem -inkey keys/keycloak-ca-private.pem -out keys/ca.p12 -keypbe NONE -certpbe NONE -passout pass:
diff --git a/docker-compose.yaml b/docker-compose.yaml
index a1a15f9b8..33f2a90a2 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -6,16 +6,15 @@ services:
 volumes:
 - ./keys/localhost.crt:/etc/x509/tls/localhost.crt
 - ./keys/localhost.key:/etc/x509/tls/localhost.key
- - ./keys/ca.jks:/truststore/truststore.jks
+ - ./keys/ca.p12:/truststore/truststore.p12
 # This is kc 24.0.1 with opentdf protocol mapper on board
 image: cgr.dev/chainguard/keycloak@sha256:37895558d2e0e93ffff75da5900f9ae7e79ec6d1c390b18b2ecea6cee45ec26f
 restart: always
 command:
 - "start-dev"
 - "--verbose"
- - "-Djavax.net.ssl.trustStorePassword=password"
 - "-Djavax.net.ssl.HostnameVerifier=AllowAll"
- - "-Djavax.net.ssl.trustStore=/truststore/truststore.jks"
+ - "--truststore-paths=/truststore/truststore.p12"
 - "--spi-truststore-file-hostname-verification-policy=ANY"
 environment:
 KC_PROXY: edge
@@ -38,7 +37,6 @@ services:
 KC_FEATURES: "preview,token-exchange"
 KC_HEALTH_ENABLED: "true"
 KC_HTTPS_KEY_STORE_PASSWORD: "password"
- KC_HTTPS_KEY_STORE_FILE: "/truststore/truststore.jks"
 KC_HTTPS_CERTIFICATE_FILE: "/etc/x509/tls/localhost.crt"
 KC_HTTPS_CERTIFICATE_KEY_FILE: "/etc/x509/tls/localhost.key"
 KC_HTTPS_CLIENT_AUTH: "request"
diff --git a/sdk/internal/oauth/oauth_test.go b/sdk/internal/oauth/oauth_test.go
index 6bdbb1e92..8379213d7 100644
--- a/sdk/internal/oauth/oauth_test.go
+++ b/sdk/internal/oauth/oauth_test.go
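Review bot: The new volume entry `./keys/ca.p12:/truststore/truststore.p12` bind-mounts, read-write, a file that the updated `init-temp-keys` scripts build from `keys/keycloak-ca-private.pem` with `-keypbe NONE` and an empty passphrase, so the Keycloak container now receives the unencrypted CA private key even though `--truststore-paths` only needs trust anchors. As far as I recall `--truststore-paths` also accepts PEM files, in which case `./keys/keycloak-ca.pem:/truststore/keycloak-ca.pem:ro` together with `"--truststore-paths=/truststore/keycloak-ca.pem"` would remove the p12 step from the compose path altogether; failing that, at least append `:ro` to the mount so the container cannot modify the trust anchor. Both of these mounts sit inside a service definition whose start and end are outside the hunk.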
@@ -544,11 +544,11 @@ func setupKeycloak(ctx context.Context, t *testing.T) (tc.Container, string, str Cmd: []string{"start-dev", "--http-port=8082", "--https-port=8083", "--features=preview", "--verbose", "-Djavax.net.ssl.trustStorePassword=password", "-Djavax.net.ssl.HostnameVerifier=AllowAll", "-Djavax.net.debug=ssl", - "-Djavax.net.ssl.trustStore=/truststore/truststore.jks", + "-Djavax.net.ssl.trustStore=/truststore/truststore.p12", "--spi-truststore-file-hostname-verification-policy=ANY", }, Files: []tc.ContainerFile{ - {HostFilePath: "testdata/ca.jks", ContainerFilePath: "/truststore/truststore.jks", FileMode: int64(0o777)}, + {HostFilePath: "testdata/ca.p12", ContainerFilePath: "/truststore/truststore.p12", FileMode: int64(0o777)}, {HostFilePath: "testdata/localhost.crt", ContainerFilePath: "/etc/x509/tls/localhost.crt", FileMode: int64(0o777)}, {HostFilePath: "testdata/localhost.key", ContainerFilePath: "/etc/x509/tls/localhost.key", FileMode: int64(0o777)}, }, @@ -556,7 +556,7 @@ func setupKeycloak(ctx context.Context, t *testing.T) (tc.Container, string, str "KEYCLOAK_ADMIN": "admin", "KEYCLOAK_ADMIN_PASSWORD": "admin", "KC_HTTPS_KEY_STORE_PASSWORD": "password", - "KC_HTTPS_KEY_STORE_FILE": "/truststore/truststore.jks", + "KC_HTTPS_KEY_STORE_FILE": "/truststore/truststore.p12", "KC_HTTPS_CERTIFICATE_FILE": "/etc/x509/tls/localhost.crt", "KC_HTTPS_CERTIFICATE_KEY_FILE": "/etc/x509/tls/localhost.key", "KC_HTTPS_CLIENT_AUTH": "request", 
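Review bot: The `Cmd` slice in `setupKeycloak` still passes `-Djavax.net.ssl.trustStorePassword=password` next to the repointed `-Djavax.net.ssl.trustStore=/truststore/truststore.p12`, yet the new `ca.p12` is produced with `-passout pass:` (empty password), so that value is at best unused and at worst the reason a MAC check on the store fails. The second hunk likewise keeps `"KC_HTTPS_KEY_STORE_FILE": "/truststore/truststore.p12"` under `KC_HTTPS_KEY_STORE_PASSWORD: "password"`, while `docker-compose.yaml` in this same patch drops `KC_HTTPS_KEY_STORE_FILE` and switches to `--truststore-paths`, so the two Keycloak configurations no longer agree; aligning the test, `"--truststore-paths=/truststore/truststore.p12"` in place of the two `-Djavax.net.ssl.trustStore*` entries and removing the `KC_HTTPS_KEY_STORE_FILE` entry, would remove the stale password in both places. Since `testdata/ca.p12` is presumably now the key-bearing export from the scripts, `FileMode: int64(0o777)` on that `ContainerFile` is wider than a read-only truststore needs; `0o444` would do. `setupKeycloak` begins and ends outside both hunks.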
diff --git a/sdk/internal/oauth/testdata/ca.jks b/sdk/internal/oauth/testdata/ca.jks deleted file mode 100644 index 74ece2351792ac3f7a55095e8543420113ee1cca..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2010 zcmV<02POFa?f&fm0006200031000310Wkmo0gn>(Gy?zt1pY9B1o|)x1_~<%0R#am z0uccL1cC(UD0e7{Ld0~j;NtR7i{9pA+~sMpb|AzTTET8H3mcZEk7Fa9c>}S6&c`TdmD5> z5O7+qR6#))wXEl=?6_2n+nHp0Zm6j&i>kpu2)Tr!!k>*oDr!S`S#jC0g};Io;=Rro z9#FZmRrSQPiMS4cc1gVqlyWo**kK{0Em31$-W&mGIcFl%YOhK(_Kh+6plO0RNCzjY zQEYVD=4qvQ%p`d3f21&_JYpXQLs6qZ#^T0Ot8U21;3VwUZ)c}RmchYH6z73;_~yT? z!N)MK*+2iMU0tt!#wXTHqZ@rg#%FSU5ATT!8(r4xJf+%|%=%ls_*Z9N|!v1#n-<$zLe69bntDm*PP{h#pS!=UZL>LFPJ4#L}2 zqZezhWDsxj*lfR~Wj@+cm^G$t!%F8j@;GN{!HNQck^2k`wI zO+`49b!aF|*RbrIf~)Rmh5IVgW143TG!^4ZUcKgT`2l7w`gQ5A=)jWI%W|>)IOG{1 zou)C6J4(Q-m;PlGgIVFD0hPNw5jsH)O5}qY5Cr69g{?~8)G>tJRBERy#*l|Snn;UE z)Q+(nV6-VSY{Ja%GR80fAM6aHp`Bgnbd#McksH3K%miuGjk!}Mt4`<5 zXEj1+W<;_O1Tv@XK7$0Hhw0$+aK%{ct-8`cJ8P2X(aJK4K(p=iXNs)( zi+jIyeodH*esd0-@8T^fYp*Gqu2rFFirQI|AcJd=)+~RtRGw9O6Aa)K4E#*@G0%^R z2AoMFT!PW#I)?@V+L0t~%d|BZXo`;nOR!7b%BCWEAD;aScW+kbj`;-(fhorMpiFBP zPONNEsOUYD!;v$>11!skR{)a32I3BCirTwM+ve^*HTJVi^`s`Mya6QW!^ z(}bw2r}5F!nI*sTlZTK?+>xGE24WY3lEtQz9j7RiFdae{D0|%+gK-*J(iJ}iBjUSA zxG)Umvai>3jmPHrJ}RgqaxlH6R-LFq%llz0#G7673uqm%Yn*FyCC~YuS*>uPc`MN3 zn_J)1agF$u0N)DlNfAyv3N6&?4uFulv{eNhZh9*w*E-!o^k*5;zf9c z@%E2Q1R(kEJkH)9hEFa-d`7&V!Zc9dXf5&)_h~w8+ZK(OPJv;3qhntliD`BDIF^j@ zjStnb{v`g0=R2OhJQKLke!TR{Z`kvc{c9Rna^0dwKVo=zLKr$4`X}iBQrF$y-Dr3M zRJB_&I7z>)vENUOA#BONfN+g+GAABT0WNY39Y$;aa>F_anR2oFJ?2oY|voM+|$kaA2fAA71% z+(8rB|K|-+st`~f&x3qq0000100mesH842<00NpYf&!K>f&qR42>_d)o*ico|0OUD z1_>&LNQUlt_y1xvK)yr6-&FhWPKKL3=2L&|2D=LGpFuf(BCs1W z!hN_9pFZ`1-<1nq-1--zH}-)?GNf%C5s>E$QnwC z0s{d60Wb{)2`Yw2hW8Bt0Sg5H1A+ko09&!vm+v>a!?`Q`G|Z_o7;}47UKx!X*^v5? 
zKyHnujF4SOa!(l=+41gLRJ-HDv|zh>Q@F=4z)CtlhuZ332~w=-!+hZiPgWfp8WrCg7rn~MrtImX%He5c z&k*aGo4=!e{T_;4$f*z{W7q?&%Jz&p+E*jb5l+c&L9kLY&{^5@{UxdP02IPuLkKo^ zK)bzk7GFVfgj&kM);5In8a2^F0VW`Z%d4k390~T!*}e$&kyIsJfspiL0^WOE|CoCm saJD+~)_d8=IN@N(7X8Gj+;DTAUc(Dry-}LEq`xqT0REl}kqd1laB=&cdjJ3c 
diff --git a/sdk/internal/oauth/testdata/ca.p12 b/sdk/internal/oauth/testdata/ca.p12 new file mode 100644 index 0000000000000000000000000000000000000000..37dfb020670540079e43443866dddbb2f5cdb8ba GIT binary patch literal 2531 zcmai$X*3jy8^&kG%-FX#)Lz5AR{mz z&rAU0nenGM6p3e8|0O~5@eChN(F6zxI9)@(6d=<1=K*0yS|gQzooq-6FjrZG@05=_ zWZC;s8sjaxVhRYv1VFMunf~VrVuk>a=b_9l1Y@8l0~ja^=CUdbo}+E~d&G7I)+>@w zA>nui7j_-nhJhSBSs;%7FeHFSFM>~njJm(5AX-`5-yd7JT@2ByZ|z2fgnTq1BKr11 zB;lljcuRIasqMP9NbT)|mmhm0wJ%Ya=7OZtOI_Z6?oiAyw~dJ{D(Nh7nhCS^{tA5G z5-MIZoN)BegA-S(pRNZrEb~S`(X46KlvWCKy@93Q?oa%(fL>K(0N+j}e$RcYZYt>Z?hOR0q*W}4dJ*l(d9`V%g$t$rvox>XYx?m z7Oe|2nbNwlE1pK84%xag4(%HX<=!6FHt)vW9DBqpsb+x~xfeaN?TUs%$&#s}(Vnh% zCdvzzuMyt38q%%pY|8COPMs^nrGr>&*Mj=W5U71YQ~NuY-a`^WqOyyD_pwC{2WLJp zfwnu>z^Lw@%102u8a9QKjw|0c8JK(7>}(>zRQ6bR)M~$~qTY-@(>|Uy-yItiiau&7 zV-?ynK{~D9qCH|{QE8c|M=i-~&;QV@qv+Wqx(5HASHu9F-36LHGCPml81Xb7+mS_C z^^PLLmr-euQMue=0Dp=Y=!si}Dz~Z^%$a*(|}aqV30pO<^mIBQyNQr`LrBu{5S@R;No84dQUx#%~Z zYD{jz6i7tH^F`kWIC}Q|sA*sOSKnyEX*OJ4+%mHWzNtDnT4zpXdD7kZWB;{XKIW*W zD%l^(&SHnRlM*%pE*|{l5WJF7BO3TrcxiC`+T>j^@m_hudzpvHUz_twNRb`4Nw&Ku zC>`HI)>alV^3Hvbv+5zEAJ2eEe?*R~g}C%Fy}bQR)(8J{N!o7ZFj?GAeGbY?>$wiY z7Jqx4-nSEVI$iTkatFZPuQZcUSbi^R_FVJtrR~T@DHqoRb9~G$zA0U_yU-=jZ1lk5 zoaE*9m2f3-jh16_RL7^-znp#(0erQM-Y2CjqQ89g!i{TiTJysPTd*GXpc0!h3-G&K zW+~sIq>O4MZs4oNwYpqH{+V7s>PS!MNizUKg%_}39j1|ZNZild{#yi)M_@c8=oI^( zjvtiu{~f``0tB6k=u>#{zk*LJP>_Op9_U^zdI2RJB`5u7@Na#v?-#GlP#C`mr^LE6 zeFNjcLl+wMO!FU2TdUi4ajjK-ahw}>EC{xK9k*(kQKC+vJ~hTpmZSi)iDz-%(n5#D zGj(Vhy|!+8N?Q|w6EJjT#I(7mCnBtFT_!sr@*;iHUO{c;r!>AZU-J$5{DZV@;jLd~ zcU~*?w#v={+guYv$4WJ0kwDn%b6U!M@k+3rje9k_JEL3j&K>y=3Ne4Y3EJ@TFGq~skz!|(KW9N7sXL`Y$xk8+`B6>4(H`H`EXVALntbXWa zt6msGwr+iNNgI_jsbgYcCqySi#OD5=Zv2VQM!-h;6yC-a)1f0?|82w6*)`h-qA<-{ zD9S6=i?c%betW4ie0K4> z&wn_yUnGQ?&YE5c^~Y%M(A$JU<;%jW`m}GAxr5KkCuFlg4D}hp=F%Q*^+tAt^mq|1ovN)Alal~15ot+vm9R?c3OCxx8XXHfx^1=o zS&Um`!DuAC&+CUCLh z5{w7J-beG|2wDmBAvo^8iO5gHQ6ll87VY-QhEMBJjxtVu-?2mYY 
z)0eP5iU=uPJ>AggsL`2~-n-uk@_99VJ4B$&BjGIgLcLKBeBSMBgJYtZkMd#bkR_nF z1EyYh`NL#*@VJKlQsSoj-fQ`kY#}xcl)Z^#=k+k}qfb0mQ3HSm`8F}^HK-Yo+P87l z``O}29|m(F$ZiSe@Ja7#a{4PLCdQY9CooWKikBDS7$H6OBB>9Guc4^%TM{XHb9=`v6SP1*FJkg>n0C%0`?(@Nd>k)g5z|NaB zD?&PimjV)HnTK(jQ-9R-u>`4g0DjL37Z^D%ZmtY}Yho+m#Fnlsi4^}?w9I_UXTZFk zcSJP8U0?{SC*<+EE=p6T8&VLdi&RFk|9p!;KnMUV5-iwnT|ujz