Merge pull request #43304 from michalvavrik/feauture/oidc-support-jwt…

…-cred-stored-in-p12

OIDC: Support using PKCS12 keystores for creating signed JWT tokens

docs/src/main/asciidoc/security-oidc-code-flow-authentication.adoc

@@ -197,7 +197,7 @@ quarkus.oidc.credentials.jwt.key-file=privateKey.pem
 ----
 quarkus.oidc.auth-server-url=http://localhost:8180/realms/quarkus/
 quarkus.oidc.client-id=quarkus-app
-quarkus.oidc.credentials.jwt.key-store-file=keystore.jks
+quarkus.oidc.credentials.jwt.key-store-file=keystore.pkcs12
 quarkus.oidc.credentials.jwt.key-store-password=mypassword
 quarkus.oidc.credentials.jwt.key-password=mykeypassword
 

docs/src/main/asciidoc/security-openid-connect-client-reference.adoc

@@ -786,7 +786,7 @@ quarkus.oidc-client.credentials.jwt.key-file=privateKey.pem
 ----
 quarkus.oidc-client.auth-server-url=http://localhost:8180/auth/realms/quarkus/
 quarkus.oidc-client.client-id=quarkus-app
-quarkus.oidc-client.credentials.jwt.key-store-file=keystore.jks
+quarkus.oidc-client.credentials.jwt.key-store-file=keystore.pkcs12
 quarkus.oidc-client.credentials.jwt.key-store-password=mypassword
 quarkus.oidc-client.credentials.jwt.key-password=mykeypassword
 

extensions/oidc-client/deployment/pom.xml

@@ -93,13 +93,15 @@
                 <filtering>true</filtering>
                 <excludes>
                   <exclude>keystore.jks</exclude>
+                  <exclude>keystore.pkcs12</exclude>
                 </excludes>
             </testResource>
             <testResource>
                 <directory>src/test/resources</directory>
                 <filtering>false</filtering>
                 <includes>
                   <include>keystore.jks</include>
+                  <include>keystore.pkcs12</include>
                 </includes>
             </testResource>
         </testResources>

extensions/oidc-client/deployment/src/test/java/io/quarkus/oidc/client/OidcClientCredentialsJwtPrivateP12KeyStoreTest.java

@@ -0,0 +1,34 @@
+package io.quarkus.oidc.client;
+
+import static org.hamcrest.Matchers.equalTo;
+
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+import io.quarkus.test.QuarkusUnitTest;
+import io.quarkus.test.common.QuarkusTestResource;
+import io.restassured.RestAssured;
+
+@QuarkusTestResource(KeycloakRealmClientCredentialsJwtPrivateKeyStoreManager.class)
+public class OidcClientCredentialsJwtPrivateP12KeyStoreTest {
+
+    @RegisterExtension
+    static final QuarkusUnitTest test = new QuarkusUnitTest()
+            .withApplicationRoot((jar) -> jar
+                    .addClasses(OidcClientResource.class, ProtectedResource.class)
+                    .addAsResource("application-oidc-client-credentials-jwt-private-p12-key-store.properties",
+                            "application.properties")
+                    .addAsResource("exportedCertificate.pem")
+                    .addAsResource("exportedPrivateKey.pem")
+                    .addAsResource("keystore.pkcs12"));
+
+    @Test
+    public void testClientCredentialsToken() {
+        String token = RestAssured.when().get("/client/token").body().asString();
+        RestAssured.given().auth().oauth2(token)
+                .when().get("/protected")
+                .then()
+                .statusCode(200)
+                .body(equalTo("service-account-quarkus-app"));
+    }
+}

extensions/oidc-client/deployment/src/test/resources/application-oidc-client-credentials-jwt-private-p12-key-store.properties

@@ -0,0 +1,9 @@
+quarkus.oidc.auth-server-url=${keycloak.url}/realms/quarkus6/
+quarkus.oidc.client-id=quarkus-app
+
+quarkus.oidc-client.auth-server-url=${quarkus.oidc.auth-server-url}
+quarkus.oidc-client.client-id=${quarkus.oidc.client-id}
+quarkus.oidc-client.credentials.jwt.key-store-file=keystore.pkcs12
+quarkus.oidc-client.credentials.jwt.key-store-password=password
+quarkus.oidc-client.credentials.jwt.key-id=keycloak
+quarkus.oidc-client.credentials.jwt.key-password=password

extensions/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcCommonUtils.java

@@ -212,7 +212,10 @@ public static String getKeyStoreType(Optional<String> fileType, Path storePath)
         if (fileType.isPresent()) {
             return fileType.get().toUpperCase();
         }
-        final String pathName = storePath.toString();
+        return inferKeyStoreTypeFromFileExtension(storePath.toString());
+    }
+
+    private static String inferKeyStoreTypeFromFileExtension(String pathName) {
         if (pathName.endsWith(".p12") || pathName.endsWith(".pkcs12") || pathName.endsWith(".pfx")) {
             return "PKCS12";
         } else {
@@ -390,8 +393,9 @@ public static Key clientJwtKey(Credentials creds) {
                     key = KeyUtils.readSigningKey(creds.jwt.getKeyFile().get(), creds.jwt.keyId.orElse(null),
                             getSignatureAlgorithm(creds, SignatureAlgorithm.RS256));
                 } else if (creds.jwt.keyStoreFile.isPresent()) {
-                    KeyStore ks = KeyStore.getInstance("JKS");
-                    InputStream is = ResourceUtils.getResourceStream(creds.jwt.keyStoreFile.get());
+                    var keyStoreFile = creds.jwt.keyStoreFile.get();
+                    KeyStore ks = KeyStore.getInstance(inferKeyStoreTypeFromFileExtension(keyStoreFile));
+                    InputStream is = ResourceUtils.getResourceStream(keyStoreFile);
 
                     if (creds.jwt.keyStorePassword.isPresent()) {
                         ks.load(is, creds.jwt.keyStorePassword.get().toCharArray());