0 Replies Latest reply on Sep 8, 2019 1:33 PM by pgnd42

    where to specify kcadm.sh EC PrivateKey Implementation usage?

    pgnd42

      I've a valid/usable self-signed EC client cert, originally created by openssl,

          openssl x509 -text -in /etc/ssl/localhost.client.EC.crt.pem | grep -i "signature algorithm"
              Signature Algorithm: ecdsa-with-SHA256

      With my own CA's cert, MY_CA.crt, it's converted to a pkcs12 chain,

          openssl pkcs12 \
          -export \
          -passout pass:keypass \
          -in    /etc/ssl/localhost.client.EC.crt.pem \
          -inkey /etc/ssl/localhost.client.EC.key.pem \
          -caname MY_CA -CAfile /etc/ssl/MY_CA.crt.pem \
          -chain -out /etc/ssl/localhost.client.EC.crt.p12 \
          -name alias-client-ssl

      and then imported to a keycloak keystore,

          keytool -v -importkeystore \
           -srckeystore /etc/ssl/localhost.client.EC.crt.p12 \
           -srcalias  alias-client-ssl \
           -srcstoretype PKCS12 \
           -srcstorepass  keypass \
           -destkeypass   keypass \
           -deststorepass keypass \
           -storetype pkcs12 \
           -destalias alias-client-ks \
          -destkeystore /etc/keycloak/keystore.client.pkcs12

          keytool -list \
           -storetype pkcs12 \
           -storepass keypass \
           -keystore /etc/keycloak/keystore.client.pkcs12

              Keystore type: PKCS12
              Keystore provider: SUN

              Your keystore contains 1 entry

              alias-client-ks, Sep 6, 2019, PrivateKeyEntry,
              Certificate fingerprint (SHA-256): 1F:...:6F

      Setting up keycloak 7.0.0, initially, without SSL, insecure kcadm.sh usage

          /opt/keycloak/bin/kcadm.sh config credentials \
           --server http://localhost:8080/auth \
           --user admuser --password admpass \
           --realm master

      works as expected.

      After setting up Elytron with ssl-contexts, and 2-way SSL for both Admin & Management interfaces,
      secure web UI access to both

          https://localhost:8443/auth/admin

      &

          https://localhost:9993

      works as expected as well.

      Checking jboss-cli.sh secure access,

          /opt/keycloak/bin/jboss-cli.sh -c \
           --properties=/etc/keycloak/jboss.properties \
           -Djavax.net.ssl.trustStore=/etc/keycloak/truststore.client.pkcs12 \
           -Djavax.net.ssl.keyStore=/etc/keycloak/keystore.client.pkcs12 \
           -Djavax.net.ssl.trustStorePassword=keypass \
           -Djavax.net.ssl.keyStorePassword=keypass \
          version

      also works correctly.


      But, kcadm.sh SECURE access FAILS, expecting an RSA key

          /opt/keycloak/bin/kcadm.sh config credentials \
           -x \
           --server https://localhost:9993/auth --user admuser --password admpass \
           --truststore /etc/keycloak/truststore.client.pkcs12 --trustpass keypass \
           --keystore /etc/keycloak/keystore.client.pkcs12 --storepass keypass \
           --realm master \
           --client alias-client-ks

              Logging into https://localhost:9993/auth as user admuser of realm master
              java.security.InvalidKeyException: Supplied key (sun.security.ec.ECPrivateKeyImpl) is not a RSAPrivateKey instance
              java.lang.RuntimeException: java.security.InvalidKeyException: Supplied key (sun.security.ec.ECPrivateKeyImpl) is not a RSAPrivateKey instance
                      at org.keycloak.jose.jws.crypto.RSAProvider.sign(RSAProvider.java:63)
                      at org.keycloak.jose.jws.JWSBuilder$EncodingBuilder.sign(JWSBuilder.java:139)
                      at org.keycloak.jose.jws.JWSBuilder$EncodingBuilder.rsa256(JWSBuilder.java:148)
                      at org.keycloak.client.admin.cli.util.AuthUtil.getSignedRequestToken(AuthUtil.java:202)
                      at org.keycloak.client.admin.cli.commands.ConfigCredentialsCmd.process(ConfigCredentialsCmd.java:168)
                      at org.keycloak.client.admin.cli.commands.ConfigCredentialsCmd.execute(ConfigCredentialsCmd.java:90)
                      at org.keycloak.client.admin.cli.commands.ConfigCmd.execute(ConfigCmd.java:47)
                      at org.jboss.aesh.console.command.container.DefaultCommandContainer.executeCommand(DefaultCommandContainer.java:63)
                      at org.jboss.aesh.console.command.container.DefaultCommandContainer.executeCommand(DefaultCommandContainer.java:48)
                      at org.keycloak.client.admin.cli.aesh.AeshConsoleCallbackImpl.execute(AeshConsoleCallbackImpl.java:54)
                      at org.jboss.aesh.console.AeshProcess.run(AeshProcess.java:53)
                      at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
                      at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
                      at java.base/java.lang.Thread.run(Thread.java:834)
              Caused by: java.security.InvalidKeyException: Supplied key (sun.security.ec.ECPrivateKeyImpl) is not a RSAPrivateKey instance
                      at org.bouncycastle.jcajce.provider.asymmetric.rsa.DigestSignatureSpi.engineInitSign(Unknown Source)
                      at java.base/java.security.Signature$Delegate.init(Signature.java:1180)
                      at java.base/java.security.Signature$Delegate.chooseProvider(Signature.java:1140)
                      at java.base/java.security.Signature$Delegate.engineInitSign(Signature.java:1204)
                      at java.base/java.security.Signature.initSign(Signature.java:546)
                      at org.keycloak.jose.jws.crypto.RSAProvider.sign(RSAProvider.java:59)
                      ... 13 more

      I assume that kcadm is EC-ready, & that I've missed, somewhere, explicitly specifying the PrivateKey algorithm type.

      Where is kcadm.sh to be 'told' to expect/use the provided EC key?
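The trace shows AuthUtil.getSignedRequestToken calling JWSBuilder$EncodingBuilder.rsa256, so the client-assertion JWT that kcadm.sh signs with the --keystore key is built as RS256 whatever the key's type, and RSAProvider.sign rejects the ECPrivateKeyImpl. The added Java example below (not Keycloak's code) shows what a key-aware signer has to do instead: pick RS256 or ES256 from the loaded PrivateKey and use the P1363 signature encoding that ES256 requires. The class and method names, the constructed EC key and the claim values are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.RSAPrivateKey;
import java.security.spec.ECGenParameterSpec;
import java.util.Base64;

// Added example (not Keycloak code): sign a private_key_jwt client assertion,
// choosing the JWS "alg" from the key type instead of assuming RSA.
public class KeyAwareJwsSigner {
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();

    // Map the key type to a JWS alg and the JCA Signature name that produces it.
    static String[] pickAlgorithm(PrivateKey key) {
        if (key instanceof RSAPrivateKey) return new String[] {"RS256", "SHA256withRSA"};
        // ES256 needs the raw r||s encoding, not DER: use the P1363 variant (Java 9+)
        if (key instanceof ECPrivateKey) return new String[] {"ES256", "SHA256withECDSAinP1363Format"};
        throw new IllegalArgumentException("Unsupported key type: " + key.getClass().getName());
    }

    static String sign(PrivateKey key, String payloadJson) throws GeneralSecurityException {
        String[] alg = pickAlgorithm(key);
        String header = "{\"alg\":\"" + alg[0] + "\",\"typ\":\"JWT\"}";
        String signingInput = B64.encodeToString(header.getBytes(StandardCharsets.UTF_8)) + "."
                + B64.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        Signature sig = Signature.getInstance(alg[1]);
        sig.initSign(key);
        sig.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        return signingInput + "." + B64.encodeToString(sig.sign());
    }

    // Load the key from a PKCS12 keystore such as the one built with keytool above.
    static PrivateKey loadKey(String path, char[] pass, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, pass); }
        return (PrivateKey) ks.getKey(alias, pass);
    }

    public static void main(String[] args) throws Exception {
        // Constructed EC key so the example runs without a keystore file; with one, use
        // loadKey("/etc/keycloak/keystore.client.pkcs12", "keypass".toCharArray(), "alias-client-ks")
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        PrivateKey ecKey = kpg.generateKeyPair().getPrivate();
        String payload = "{\"iss\":\"alias-client-ks\",\"sub\":\"alias-client-ks\",\"jti\":\"constructed-jti\"}";
        // An RSA-only signer would call Signature.getInstance("SHA256withRSA").initSign(ecKey)
        // here and get the InvalidKeyException shown in the trace; sign() picks ES256 instead.
        System.out.println("ES256 client assertion: " + sign(ecKey, payload));
    }
}
```

Running it prints a three-part compact JWS whose header is {"alg":"ES256","typ":"JWT"}; pass the output of loadKey instead of the generated key to sign with the keystore entry from the post.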