Merge pull request #39063 from sberyozkin/oidc_cert_chain_cname

Fix the OIDC token verification failure with the inlined cert chain
quarkusio · Mar 1, 2024 · 2fa75a1 · 2fa75a1
2 parents efd8745 + 105fc00
commit 2fa75a1
Show file tree

Hide file tree

Showing 8 changed files with 132 additions and 16 deletions.
diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java
@@ -176,14 +176,32 @@ public void setIncludeClientId(boolean includeClientId) {
 
     /**
      * Configuration of the certificate chain which can be used to verify tokens.
-     * If the certificate chain trusstore is configured, the tokens can be verified using the certificate
+     * If the certificate chain truststore is configured, the tokens can be verified using the certificate
      * chain inlined in the Base64-encoded format as an `x5c` header in the token itself.
+     * <p/>
+     * The certificate chain inlined in the token is verified.
+     * Signature of every certificate in the chain but the root certificate is verified by the next certificate in the chain.
+     * Thumbprint of the root certificate in the chain must match a thumbprint of one of the certificates in the truststore.
+     * <p/>
+     * Additionally, a direct trust in the leaf chain certificate which will be used to verify the token signature must
+     * be established.
+     * By default, the leaf certificate's thumbprint must match a thumbprint of one of the certificates in the truststore.
+     * If the truststore does not have the leaf certificate imported, then the leaf certificate must be identified by its Common
+     * Name.
      */
     @ConfigItem
     public CertificateChain certificateChain = new CertificateChain();
 
     @ConfigGroup
     public static class CertificateChain {
+        /**
+         * Common name of the leaf certificate. It must be set if the {@link #trustStoreFile} does not have
+         * this certificate imported.
+         *
+         */
+        @ConfigItem
+        public Optional<String> leafCertificateName = Optional.empty();
+
         /**
          * Truststore file which keeps thumbprints of the trusted certificates.
          */
@@ -233,6 +251,14 @@ public Optional<String> getTrustStoreFileType() {
         public void setTrustStoreFileType(Optional<String> trustStoreFileType) {
             this.trustStoreFileType = trustStoreFileType;
         }
+
+        public Optional<String> getLeafCertificateName() {
+            return leafCertificateName;
+        }
+
+        public void setLeafCertificateName(String leafCertificateName) {
+            this.leafCertificateName = Optional.of(leafCertificateName);
+        }
     }
 
     /**

diff --git a/...nsions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/CertChainPublicKeyResolver.java b/...nsions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/CertChainPublicKeyResolver.java
@@ -3,6 +3,7 @@
 import java.security.Key;
 import java.security.cert.X509Certificate;
 import java.util.List;
+import java.util.Optional;
 import java.util.Set;
 
 import org.jboss.logging.Logger;
@@ -12,11 +13,13 @@
 
 import io.quarkus.oidc.OidcTenantConfig.CertificateChain;
 import io.quarkus.runtime.configuration.ConfigurationException;
+import io.quarkus.security.runtime.X509IdentityProvider;
 import io.vertx.ext.auth.impl.CertificateHelper;
 
 public class CertChainPublicKeyResolver implements RefreshableVerificationKeyResolver {
     private static final Logger LOG = Logger.getLogger(OidcProvider.class);
     final Set<String> thumbprints;
+    final Optional<String> expectedLeafCertificateName;
 
     public CertChainPublicKeyResolver(CertificateChain chain) {
         if (chain.trustStorePassword.isEmpty()) {
@@ -25,6 +28,7 @@ public CertChainPublicKeyResolver(CertificateChain chain) {
         }
         this.thumbprints = TrustStoreUtils.getTrustedCertificateThumbprints(chain.trustStoreFile.get(),
                 chain.trustStorePassword.get(), chain.trustStoreCertAlias, chain.getTrustStoreFileType());
+        this.expectedLeafCertificateName = chain.leafCertificateName;
     }
 
     @Override
@@ -37,9 +41,29 @@ public Key resolveKey(JsonWebSignature jws, List<JsonWebStructure> nestingContex
                 LOG.debug("Token does not have an 'x5c' certificate chain header");
                 return null;
             }
-            String thumbprint = TrustStoreUtils.calculateThumprint(chain.get(0));
-            if (!thumbprints.contains(thumbprint)) {
-                throw new UnresolvableKeyException("Certificate chain thumprint is invalid");
+            if (chain.size() == 0) {
+                LOG.debug("Token 'x5c' certificate chain is empty");
+                return null;
+            }
+            LOG.debug("Checking a thumbprint of the root chain certificate");
+            String rootThumbprint = TrustStoreUtils.calculateThumprint(chain.get(chain.size() - 1));
+            if (!thumbprints.contains(rootThumbprint)) {
+                LOG.error("Thumprint of the root chain certificate is invalid");
+                throw new UnresolvableKeyException("Thumprint of the root chain certificate is invalid");
+            }
+            if (expectedLeafCertificateName.isEmpty()) {
+                LOG.debug("Checking a thumbprint of the leaf chain certificate");
+                String thumbprint = TrustStoreUtils.calculateThumprint(chain.get(0));
+                if (!thumbprints.contains(thumbprint)) {
+                    LOG.error("Thumprint of the leaf chain certificate is invalid");
+                    throw new UnresolvableKeyException("Thumprint of the leaf chain certificate is invalid");
+                }
+            } else {
+                String leafCertificateName = X509IdentityProvider.getCommonName(chain.get(0).getSubjectX500Principal());
+                if (!expectedLeafCertificateName.get().equals(leafCertificateName)) {
+                    LOG.errorf("Wrong leaf certificate common name: %s", leafCertificateName);
+                    throw new UnresolvableKeyException("Wrong leaf certificate common name");
+                }
             }
             //TODO: support revocation lists
             CertificateHelper.checkValidity(chain, null);
@@ -50,6 +74,8 @@ public Key resolveKey(JsonWebSignature jws, List<JsonWebStructure> nestingContex
                 root.verify(root.getPublicKey());
             }
             return chain.get(0).getPublicKey();
+        } catch (UnresolvableKeyException ex) {
+            throw ex;
         } catch (Exception ex) {
             throw new UnresolvableKeyException("Invalid certificate chain", ex);
         }

diff --git a/...ions/security/runtime/src/main/java/io/quarkus/security/runtime/X509IdentityProvider.java b/...ions/security/runtime/src/main/java/io/quarkus/security/runtime/X509IdentityProvider.java
@@ -60,7 +60,7 @@ private Set<String> extractRoles(X509Certificate certificate, Map<String, Set<St
         return Set.of();
     }
 
-    private static String getCommonName(X500Principal principal) {
+    public static String getCommonName(X500Principal principal) {
         try {
             LdapName ldapDN = new LdapName(principal.getName());
 

diff --git a/integration-tests/oidc-wiremock/src/main/java/io/quarkus/it/keycloak/AdminResource.java b/integration-tests/oidc-wiremock/src/main/java/io/quarkus/it/keycloak/AdminResource.java
@@ -61,6 +61,14 @@ public String bearerCertificateFullChain() {
         return "granted:" + identity.getRoles();
     }
 
+    @Path("bearer-certificate-full-chain-root-only")
+    @GET
+    @RolesAllowed("admin")
+    @Produces(MediaType.APPLICATION_JSON)
+    public String bearerCertificateFullChainRootOnly() {
+        return "granted:" + identity.getRoles();
+    }
+
     @Path("bearer-kid-or-chain")
     @GET
     @RolesAllowed("admin")

diff --git a/integration-tests/oidc-wiremock/src/main/resources/application.properties b/integration-tests/oidc-wiremock/src/main/resources/application.properties
@@ -104,7 +104,6 @@ quarkus.oidc.code-flow-user-info-github-cached-in-idtoken.credentials.client-sec
 quarkus.oidc.code-flow-user-info-github-cached-in-idtoken.credentials.client-secret.method=query
 quarkus.oidc.code-flow-user-info-github-cached-in-idtoken.certificate-chain.trust-store-file=truststore.p12
 quarkus.oidc.code-flow-user-info-github-cached-in-idtoken.certificate-chain.trust-store-password=storepassword
-quarkus.oidc.code-flow-user-info-github-cached-in-idtoken.certificate-chain.trust-store-cert-alias=fullchain
 
 
 quarkus.oidc.code-flow-token-introspection.provider=github
@@ -134,7 +133,6 @@ quarkus.oidc.bearer-kid-or-chain.token.audience=https://service.example.com
 quarkus.oidc.bearer-kid-or-chain.allow-token-introspection-cache=false
 quarkus.oidc.bearer-kid-or-chain.certificate-chain.trust-store-file=truststore.p12
 quarkus.oidc.bearer-kid-or-chain.certificate-chain.trust-store-password=storepassword
-quarkus.oidc.bearer-kid-or-chain.certificate-chain.trust-store-cert-alias=fullchain
 
 quarkus.oidc.bearer-id.auth-server-url=${keycloak.url}/realms/quarkus/
 quarkus.oidc.bearer-id.client-id=quarkus-app
@@ -156,7 +154,6 @@ quarkus.oidc.bearer-azure.token.lifespan-grace=2147483647
 quarkus.oidc.bearer-azure.token.customizer-name=azure-access-token-customizer
 quarkus.oidc.bearer-azure.certificate-chain.trust-store-file=truststore.p12
 quarkus.oidc.bearer-azure.certificate-chain.trust-store-password=storepassword
-quarkus.oidc.bearer-azure.certificate-chain.trust-store-cert-alias=fullchain
 
 quarkus.oidc.bearer-role-claim-path.auth-server-url=${keycloak.url}/realms/quarkus/
 quarkus.oidc.bearer-role-claim-path.client-id=quarkus-app
@@ -173,7 +170,14 @@ quarkus.oidc.bearer-no-introspection.token.allow-jwt-introspection=false
 
 quarkus.oidc.bearer-certificate-full-chain.certificate-chain.trust-store-file=truststore.p12
 quarkus.oidc.bearer-certificate-full-chain.certificate-chain.trust-store-password=storepassword
-quarkus.oidc.bearer-certificate-full-chain.certificate-chain.trust-store-cert-alias=fullchain
+
+quarkus.oidc.bearer-certificate-full-chain-root-only.certificate-chain.trust-store-file=truststore-rootcert.p12
+quarkus.oidc.bearer-certificate-full-chain-root-only.certificate-chain.trust-store-password=storepassword
+quarkus.oidc.bearer-certificate-full-chain-root-only.certificate-chain.leaf-certificate-name=www.quarkustest.com
+
+quarkus.oidc.bearer-certificate-full-chain-root-only-wrongcname.certificate-chain.trust-store-file=truststore-rootcert.p12
+quarkus.oidc.bearer-certificate-full-chain-root-only-wrongcname.certificate-chain.trust-store-password=storepassword
+quarkus.oidc.bearer-certificate-full-chain-root-only-wrongcname.certificate-chain.leaf-certificate-name=www.quarkusio.com
 
 quarkus.oidc.bearer-key-without-kid-thumbprint.auth-server-url=${keycloak.url}/realms/quarkus/
 quarkus.oidc.bearer-key-without-kid-thumbprint.discovery-enabled=false

diff --git a/integration-tests/oidc-wiremock/src/main/resources/truststore-rootcert.p12 b/integration-tests/oidc-wiremock/src/main/resources/truststore-rootcert.p12
diff --git a/integration-tests/oidc-wiremock/src/main/resources/truststore.p12 b/integration-tests/oidc-wiremock/src/main/resources/truststore.p12
diff --git a/...ests/oidc-wiremock/src/test/java/io/quarkus/it/keycloak/BearerTokenAuthorizationTest.java b/...ests/oidc-wiremock/src/test/java/io/quarkus/it/keycloak/BearerTokenAuthorizationTest.java
@@ -65,12 +65,12 @@ public void testAccessResourceAzure() throws Exception {
         wireMockServer.stubFor(WireMock.get("/auth/azure/jwk")
                 .withHeader("Authorization", matching("Access token: " + azureToken))
                 .willReturn(WireMock.aResponse().withBody(azureJwk)));
-        //        RestAssured.given().auth().oauth2(azureToken)
-        //                .when().get("/api/admin/bearer-azure")
-        //                .then()
-        //                .statusCode(200)
-        //                .body(Matchers.equalTo(
-        //                        "Name:[email protected],Issuer:https://sts.windows.net/e7861267-92c5-4a03-bdb2-2d3e491e7831/"));
+        RestAssured.given().auth().oauth2(azureToken)
+                .when().get("/api/admin/bearer-azure")
+                .then()
+                .statusCode(200)
+                .body(Matchers.equalTo(
+                        "Name:[email protected],Issuer:https://sts.windows.net/e7861267-92c5-4a03-bdb2-2d3e491e7831/"));
 
         String accessTokenWithCert = TestUtils.createTokenWithInlinedCertChain("alice-certificate");
 
@@ -217,7 +217,7 @@ public void testAccessAdminResourceWithFullCertChain() throws Exception {
                 .then()
                 .statusCode(401);
 
-        // Send the token with the valid certificates but which are are in the wrong order in the chain
+        // Send the token with the valid certificates but which are in the wrong order in the chain
         accessToken = getAccessTokenWithCertChain(
                 List.of(intermediateCert, subjectCert, rootCert),
                 subjectPrivateKey);
@@ -246,6 +246,58 @@ public void testAccessAdminResourceWithFullCertChain() throws Exception {
 
     }
 
+    @Test
+    public void testFullCertChainWithOnlyRootInTruststore() throws Exception {
+        X509Certificate rootCert = KeyUtils.getCertificate(ResourceUtils.readResource("/ca.cert.pem"));
+        X509Certificate intermediateCert = KeyUtils.getCertificate(ResourceUtils.readResource("/intermediate.cert.pem"));
+        X509Certificate subjectCert = KeyUtils.getCertificate(ResourceUtils.readResource("/www.quarkustest.com.cert.pem"));
+        PrivateKey subjectPrivateKey = KeyUtils.readPrivateKey("/www.quarkustest.com.key.pem");
+
+        // Send the token with the valid certificate chain
+        String accessToken = getAccessTokenWithCertChain(
+                List.of(subjectCert, intermediateCert, rootCert),
+                subjectPrivateKey);
+
+        RestAssured.given().auth().oauth2(accessToken)
+                .when().get("/api/admin/bearer-certificate-full-chain-root-only")
+                .then()
+                .statusCode(200)
+                .body(Matchers.containsString("admin"));
+
+        // Send the same token to the service expecting a different leaf certificate name
+        RestAssured.given().auth().oauth2(accessToken)
+                .when().get("/api/admin/bearer-certificate-full-chain-root-only-wrongcname")
+                .then()
+                .statusCode(401);
+
+        // Send the token with the valid certificates but which are in the wrong order in the chain
+        accessToken = getAccessTokenWithCertChain(
+                List.of(intermediateCert, subjectCert, rootCert),
+                subjectPrivateKey);
+        RestAssured.given().auth().oauth2(accessToken)
+                .when().get("/api/admin/bearer-certificate-full-chain-root-only")
+                .then()
+                .statusCode(401);
+
+        // Send the token with the valid certificates but with the intermediate one omitted from the chain
+        accessToken = getAccessTokenWithCertChain(
+                List.of(subjectCert, rootCert),
+                subjectPrivateKey);
+        RestAssured.given().auth().oauth2(accessToken)
+                .when().get("/api/admin/bearer-certificate-full-chain-root-only")
+                .then()
+                .statusCode(401);
+
+        // Send the token with the only the last valid certificate
+        accessToken = getAccessTokenWithCertChain(
+                List.of(subjectCert),
+                subjectPrivateKey);
+        RestAssured.given().auth().oauth2(accessToken)
+                .when().get("/api/admin/bearer-certificate-full-chain-root-only")
+                .then()
+                .statusCode(401);
+    }
+
     @Test
     public void testAccessAdminResourceWithKidOrChain() throws Exception {
         // token with a matching kid, not x5c