fix for createing thumbprint for oidc signing key

Evolveum · May 19, 2023 · 221f6ec · 221f6ec
1 parent 3033eeb
commit 221f6ec
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 9 deletions.
diff --git a/...olveum/midpoint/authentication/impl/module/configuration/OidcAdditionalConfiguration.java b/...olveum/midpoint/authentication/impl/module/configuration/OidcAdditionalConfiguration.java
@@ -6,7 +6,13 @@
  */
 package com.evolveum.midpoint.authentication.impl.module.configuration;
 
+import com.evolveum.midpoint.util.logging.Trace;
+import com.evolveum.midpoint.util.logging.TraceManager;
+
 import com.nimbusds.jose.util.Base64URL;
+import org.apache.commons.codec.DecoderException;
+import org.apache.commons.codec.binary.Hex;
+import org.jetbrains.annotations.NotNull;
 
 import java.io.Serializable;
 import java.security.interfaces.RSAPrivateKey;
@@ -18,6 +24,8 @@
 
 public class OidcAdditionalConfiguration implements Serializable {
 
+    private static final Trace LOGGER = TraceManager.getTrace(OidcAdditionalConfiguration.class);
+
     private final String singingAlg;
     private final RSAPublicKey publicKey;
     private final RSAPrivateKey privateKey;
@@ -29,8 +37,8 @@ private OidcAdditionalConfiguration(
         this.singingAlg = singingAlg;
         this.publicKey = publicKey;
         this.privateKey = privateKey;
-        this.thumbprint = thumbprint != null ? Base64URL.encode(thumbprint) : null;
-        this.thumbprint256 = thumbprint256 != null ? Base64URL.encode(thumbprint256) : null;
+        this.thumbprint = thumbprint != null ? createBase64(thumbprint) : null;
+        this.thumbprint256 = thumbprint256 != null ? createBase64(thumbprint256) : null;
     }
 
     public String getSingingAlg() {
@@ -53,6 +61,15 @@ public Base64URL getThumbprint256() {
         return thumbprint256;
     }
 
+    private Base64URL createBase64(@NotNull String thumbprint) {
+        try {
+            return Base64URL.encode(Hex.decodeHex(thumbprint.toUpperCase()));
+        } catch (DecoderException e) {
+            LOGGER.error("Couldn't decode thumbprint " + thumbprint, e);
+        }
+        return null;
+    }
+
     public static Builder builder() {
         return new Builder();
     }

diff --git a/...nt/authentication/impl/module/configuration/OidcClientModuleWebSecurityConfiguration.java b/...nt/authentication/impl/module/configuration/OidcClientModuleWebSecurityConfiguration.java
@@ -203,8 +203,8 @@ private static void initializeProofKey(AbstractSimpleKeyType key, OidcAdditional
         try {
             Certificate certificate = getCertificate(key, protector);
             publicKey = certificate.getPublicKey();
-            builder.thumbprint256(DigestUtils.sha256Hex(certificate.getEncoded()));
-            builder.thumbprint(DigestUtils.sha1Hex(certificate.getEncoded()));
+            builder.thumbprint256(DigestUtils.sha256Hex(certificate.getEncoded()))
+                    .thumbprint(DigestUtils.sha1Hex(certificate.getEncoded()));
         } catch (Base64Exception | EncryptionException | CertificateException e) {
             throw new OAuth2AuthenticationException(new OAuth2Error("missing_key"), "Unable get certificate from " + key, e);
         }
@@ -233,8 +233,8 @@ private static void initializeProofKey(AbstractKeyStoreKeyType key, OidcAddition
         try {
             Certificate certificate = getCertificate(key, protector);
             publicKey = certificate.getPublicKey();
-            builder.thumbprint256(DigestUtils.sha256Hex(certificate.getEncoded()));
-            builder.thumbprint(DigestUtils.sha1Hex(certificate.getEncoded()));
+            builder.thumbprint256(DigestUtils.sha256Hex(certificate.getEncoded()))
+                    .thumbprint(DigestUtils.sha1Hex(certificate.getEncoded()));
         } catch (EncryptionException | CertificateException  | KeyStoreException | IOException | NoSuchAlgorithmException e) {
             throw new OAuth2AuthenticationException(new OAuth2Error("missing_key"), "Unable get certificate from " + key, e);
         }

diff --git a/.../src/main/java/com/evolveum/midpoint/authentication/impl/provider/OidcClientProvider.java b/.../src/main/java/com/evolveum/midpoint/authentication/impl/provider/OidcClientProvider.java
@@ -16,12 +16,9 @@
 import com.evolveum.midpoint.util.logging.TraceManager;
 
 import com.nimbusds.jose.Algorithm;
-import com.nimbusds.jose.JOSEException;
 import com.nimbusds.jose.jwk.JWK;
 import com.nimbusds.jose.jwk.OctetSequenceKey;
 import com.nimbusds.jose.jwk.RSAKey;
-import com.nimbusds.jose.util.Base64URL;
-import org.apache.commons.codec.digest.DigestUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.core.convert.converter.Converter;
 import org.springframework.security.authentication.AuthenticationServiceException;
@@ -111,6 +108,10 @@ private void initJwkResolver() {
                 String signingAlg = additionalConfiguration.get(clientRegistration.getRegistrationId()).getSingingAlg();
                 builder.algorithm(Algorithm.parse(signingAlg));
                 builder.x509CertThumbprint(config.getThumbprint());
+
+                // sha-1 is deprecated, but some servers don't allow 'x5t#S256' header
+                //builder.x509CertSHA256Thumbprint(config.getThumbprint256());
+
                 builder.keyID(null);  //hack without it resolver can't find key
                 return builder.build();
             }