where to specify kcadm.sh EC PrivateKey Implementation usage?
pgnd42 Sep 8, 2019 1:33 PM
I've a valid/usable self-signed EC client cert, originally created by openssl,
openssl x509 -text -in /etc/ssl/localhost.client.EC.crt.pem | grep -i "signature algorithm"
Signature Algorithm: ecdsa-with-SHA256
With my own CA's cert, MY_CA.crt, it's converted to a pkcs12 chain,
openssl pkcs12 \
-export \
-passout pass:keypass \
-in /etc/ssl/localhost.client.EC.crt.pem \
-inkey /etc/ssl/localhost.client.EC.key.pem \
-caname MY_CA -CAfile /etc/ssl/MY_CA.crt.pem \
-chain -out /etc/ssl/localhost.client.EC.crt.p12 \
-name alias-client-ssl
and then imported to a keycloak keystore,
keytool -v -importkeystore \
-srckeystore /etc/ssl/localhost.client.EC.crt.p12 \
-srcalias alias-client-ssl \
-srcstoretype PKCS12 \
-srcstorepass keypass \
-destkeypass keypass \
-deststorepass keypass \
-storetype pkcs12 \
-destalias alias-client-ks \
-destkeystore /etc/keycloak/keystore.client.pkcs12
keytool -list \
-storetype pkcs12 \
-storepass keypass \
-keystore /etc/keycloak/keystore.client.pkcs12
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 1 entry
alias-client-ks, Sep 6, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 1F:...:6F
Setting up keycloak 7.0.0, initially, without SSL, insecure kcadm.sh usage
/opt/keycloak/bin/kcadm.sh config credentials \
--server http://localhost:8080/auth \
--user admuser --password admpass \
--realm master
works as expected.
After setting up Elytron with ssl-contexts, and 2-way SSL for both Admin & Management interfaces,
secure web UI access to both
https://localhost:8443/auth/admin
&
https://localhost:9993
works as expected as well.
Checking jboss-cli.sh secure access,
/opt/keycloak/bin/jboss-cli.sh -c \
--properties=/etc/keycloak/jboss.properties \
-Djavax.net.ssl.trustStore=/etc/keycloak/truststore.client.pkcs12 \
-Djavax.net.ssl.keyStore=/etc/keycloak/keystore.client.pkcs12 \
-Djavax.net.ssl.trustStorePassword=keypass \
-Djavax.net.ssl.keyStorePassword=keypass \
version
also works correctly.
But, kcadm.sh SECURE access FAILs, expecting an RSA key
/opt/keycloak/bin/kcadm.sh config credentials \
-x \
--server https://localhost:9993/auth --user admuser --password admpass \
--truststore /etc/keycloak/truststore.client.pkcs12 --trustpass keypass \
--keystore /etc/keycloak/keystore.client.pkcs12 --storepass keypass \
--realm master \
--client alias-client-ks
Logging into https://localhost:9993/auth as user admuser of realm master
java.security.InvalidKeyException: Supplied key (sun.security.ec.ECPrivateKeyImpl) is not a RSAPrivateKey instance
java.lang.RuntimeException: java.security.InvalidKeyException: Supplied key (sun.security.ec.ECPrivateKeyImpl) is not a RSAPrivateKey instance
at org.keycloak.jose.jws.crypto.RSAProvider.sign(RSAProvider.java:63)
at org.keycloak.jose.jws.JWSBuilder$EncodingBuilder.sign(JWSBuilder.java:139)
at org.keycloak.jose.jws.JWSBuilder$EncodingBuilder.rsa256(JWSBuilder.java:148)
at org.keycloak.client.admin.cli.util.AuthUtil.getSignedRequestToken(AuthUtil.java:202)
at org.keycloak.client.admin.cli.commands.ConfigCredentialsCmd.process(ConfigCredentialsCmd.java:168)
at org.keycloak.client.admin.cli.commands.ConfigCredentialsCmd.execute(ConfigCredentialsCmd.java:90)
at org.keycloak.client.admin.cli.commands.ConfigCmd.execute(ConfigCmd.java:47)
at org.jboss.aesh.console.command.container.DefaultCommandContainer.executeCommand(DefaultCommandContainer.java:63)
at org.jboss.aesh.console.command.container.DefaultCommandContainer.executeCommand(DefaultCommandContainer.java:48)
at org.keycloak.client.admin.cli.aesh.AeshConsoleCallbackImpl.execute(AeshConsoleCallbackImpl.java:54)
at org.jboss.aesh.console.AeshProcess.run(AeshProcess.java:53)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: java.security.InvalidKeyException: Supplied key (sun.security.ec.ECPrivateKeyImpl) is not a RSAPrivateKey instance
at org.bouncycastle.jcajce.provider.asymmetric.rsa.DigestSignatureSpi.engineInitSign(Unknown Source)
at java.base/java.security.Signature$Delegate.init(Signature.java:1180)
at java.base/java.security.Signature$Delegate.chooseProvider(Signature.java:1140)
at java.base/java.security.Signature$Delegate.engineInitSign(Signature.java:1204)
at java.base/java.security.Signature.initSign(Signature.java:546)
at org.keycloak.jose.jws.crypto.RSAProvider.sign(RSAProvider.java:59)
... 13 more
I assume that kcadm is EC-ready, & that I've missed, somewhere, explicitly specifying the PrivateKey algorithm type.
Where is kcadm.sh to be 'told' to expect/use the provided EC key?
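The trace above bottoms out in kcadm's RSAProvider, so one way to catch this before kcadm.sh is invoked is to inspect which private-key algorithm the keystore actually holds. This is an added pre-flight check, not code from the post or from Keycloak; it assumes openssl on PATH, reuses the alias and password from the post, and builds its own throwaway EC and RSA keystores as constructed sample data.

```shell
#!/bin/sh
# Added pre-flight check (not from the original post): report the private-key
# algorithm held in a PKCS#12 keystore before handing it to kcadm.sh. The stack
# trace in the post shows kcadm signing its client JWT via RSAProvider, so an
# EC key behind --keystore fails in the signer, not in the TLS handshake.
set -eu

# keystore_key_type FILE PASSWORD -> prints RSA, EC or UNKNOWN
keystore_key_type() {
    ks="$1"; pass="$2"
    # Pull the private key out unencrypted and dump its text form; the dump
    # names an RSA modulus or an EC curve OID depending on the key type.
    txt=$(openssl pkcs12 -in "$ks" -passin "pass:$pass" -nocerts -nodes 2>/dev/null \
          | openssl pkey -noout -text 2>/dev/null || true)
    case "$txt" in
        *modulus:*)    echo RSA ;;
        *"ASN1 OID:"*) echo EC ;;
        *)             echo UNKNOWN ;;
    esac
}

# Build two throw-away keystores (constructed sample data) so the check can be
# exercised offline: one EC key like the post's, one RSA key for contrast.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
openssl ecparam -name prime256v1 -genkey -noout -out "$tmp/ec.key" 2>/dev/null
openssl genrsa -out "$tmp/rsa.key" 2048 2>/dev/null
for alg in ec rsa; do
    openssl req -new -x509 -key "$tmp/$alg.key" -subj "/CN=localhost" -days 1 \
        -out "$tmp/$alg.crt" 2>/dev/null
    openssl pkcs12 -export -passout pass:keypass -in "$tmp/$alg.crt" \
        -inkey "$tmp/$alg.key" -name alias-client-ssl -out "$tmp/$alg.p12"
done
EC_P12="$tmp/ec.p12"
RSA_P12="$tmp/rsa.p12"

# Verdict per keystore, phrased against what the trace shows kcadm expecting.
for ks in "$EC_P12" "$RSA_P12"; do
    t=$(keystore_key_type "$ks" keypass)
    if [ "$t" = RSA ]; then
        echo "$ks: $t key - accepted by kcadm.sh's RSAProvider JWT signer"
    else
        echo "$ks: $t key - kcadm.sh's RSAProvider JWT signer will reject it"
    fi
done
```

Run it against /etc/keycloak/keystore.client.pkcs12 by calling keystore_key_type with that path and its store password; an EC verdict reproduces the InvalidKeyException path in the trace.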