Skip to content

Add AuthzClientCryptoProvider for authorization client cryptographic operations #3

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
everettbu wants to merge 1 commit into
base: feature-authz-crypto-baseline
Choose a base branch
from
Open

Add AuthzClientCryptoProvider for authorization client cryptographic operations #3

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 11 additions & 0 deletions authz/client/pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -58,6 +58,17 @@
<artifactId>jackson-annotations</artifactId>
<scope>provided</scope>
</dependency>

<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.hamcrest</groupId>
<artifactId>hamcrest</artifactId>
<scope>test</scope>
</dependency>
</dependencies>

<build>
Expand Down
2 changes: 2 additions & 0 deletions authz/client/src/main/java/org/keycloak/authorization/client/AuthzClient.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@
import org.keycloak.authorization.client.resource.ProtectionResource;
import org.keycloak.authorization.client.util.Http;
import org.keycloak.authorization.client.util.TokenCallable;
import org.keycloak.common.crypto.CryptoIntegration;
import org.keycloak.common.util.KeycloakUriBuilder;
import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.util.SystemPropertiesJsonParserFactory;
Expand Down Expand Up @@ -91,6 +92,7 @@ public static AuthzClient create(InputStream configStream) throws RuntimeExcepti
* @return a new instance
*/
public static AuthzClient create(Configuration configuration) {
CryptoIntegration.init(AuthzClient.class.getClassLoader());
return new AuthzClient(configuration);
}

Expand Down
203 changes: 203 additions & 0 deletions authz/client/src/main/java/org/keycloak/authorization/client/util/crypto/ASN1Decoder.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,203 @@
/*
* Copyright 2024 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
*
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/

package org.keycloak.authorization.client.util.crypto;

import java.io.ByteArrayInputStream;
import java.io.EOFException;
import java.io.IOException;
import java.math.BigInteger;
import java.util.ArrayList;
import java.util.List;

/**
*
* @author rmartinc
*/
class ASN1Decoder {

private final ByteArrayInputStream is;
private final int limit;
private int count;

ASN1Decoder(byte[] bytes) {
is = new ByteArrayInputStream(bytes);
count = 0;
limit = bytes.length;
}

public static ASN1Decoder create(byte[] bytes) {
return new ASN1Decoder(bytes);
}

public List<byte[]> readSequence() throws IOException {
int tag = readTag();
int tagNo = readTagNumber(tag);
if (tagNo != ASN1Encoder.SEQUENCE) {
throw new IOException("Invalid Sequence tag " + tagNo);
}
int length = readLength();
List<byte[]> result = new ArrayList<>();
while (length > 0) {
byte[] bytes = readNext();
result.add(bytes);
length = length - bytes.length;
}
return result;
}
Comment on lines +49 to +63

@coderabbitai coderabbitai Bot Jul 30, 2025

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

Validate remaining length in readSequence to prevent negative values.

The method subtracts bytes.length from length without checking if it would go negative, which could happen with corrupted data.

     public List<byte[]> readSequence() throws IOException {
         int tag = readTag();
         int tagNo = readTagNumber(tag);
         if (tagNo != ASN1Encoder.SEQUENCE) {
             throw new IOException("Invalid Sequence tag " + tagNo);
         }
         int length = readLength();
         List<byte[]> result = new ArrayList<>();
         while (length > 0) {
             byte[] bytes = readNext();
+            if (bytes.length > length) {
+                throw new IOException("Sequence element length exceeds remaining sequence length");
+            }
             result.add(bytes);
             length = length - bytes.length;
         }
+        if (length != 0) {
+            throw new IOException("Sequence length mismatch: " + length + " bytes remaining");
+        }
         return result;
     }
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
public List<byte[]> readSequence() throws IOException {
int tag = readTag();
int tagNo = readTagNumber(tag);
if (tagNo != ASN1Encoder.SEQUENCE) {
throw new IOException("Invalid Sequence tag " + tagNo);
}
int length = readLength();
List<byte[]> result = new ArrayList<>();
while (length > 0) {
byte[] bytes = readNext();
result.add(bytes);
length = length - bytes.length;
}
return result;
}
public List<byte[]> readSequence() throws IOException {
int tag = readTag();
int tagNo = readTagNumber(tag);
if (tagNo != ASN1Encoder.SEQUENCE) {
throw new IOException("Invalid Sequence tag " + tagNo);
}
int length = readLength();
List<byte[]> result = new ArrayList<>();
while (length > 0) {
byte[] bytes = readNext();
if (bytes.length > length) {
throw new IOException("Sequence element length exceeds remaining sequence length");
}
result.add(bytes);
length = length - bytes.length;
}
if (length != 0) {
throw new IOException("Sequence length mismatch: " + length + " bytes remaining");
}
return result;
}
🤖 Prompt for AI Agents 
In
authz/client/src/main/java/org/keycloak/authorization/client/util/crypto/ASN1Decoder.java
between lines 49 and 63, the readSequence method subtracts bytes.length from
length without validating if length remains non-negative, risking negative
values with corrupted data. Add a check after subtracting bytes.length to ensure
length does not become negative, and if it does, throw an IOException indicating
corrupted or invalid ASN.1 data to prevent further processing.


public BigInteger readInteger() throws IOException {
int tag = readTag();
int tagNo = readTagNumber(tag);
if (tagNo != ASN1Encoder.INTEGER) {
throw new IOException("Invalid Integer tag " + tagNo);
}
int length = readLength();
byte[] bytes = read(length);
return new BigInteger(bytes);
}

byte[] readNext() throws IOException {
mark();
int tag = readTag();
readTagNumber(tag);
int length = readLength();
length += reset();
return read(length);
}

int readTag() throws IOException {
int tag = read();
if (tag < 0) {
throw new EOFException("EOF found inside tag value.");
}
return tag;
}

int readTagNumber(int tag) throws IOException {
int tagNo = tag & 0x1f;

//
// with tagged object tag number is bottom 5 bits, or stored at the start of the content
//
if (tagNo == 0x1f) {
tagNo = 0;

int b = read();

// X.690-0207 8.1.2.4.2
// "c) bits 7 to 1 of the first subsequent octet shall not all be zero."
if ((b & 0x7f) == 0) // Note: -1 will pass
{
throw new IOException("corrupted stream - invalid high tag number found");
}

while ((b >= 0) && ((b & 0x80) != 0)) {
tagNo |= (b & 0x7f);
tagNo <<= 7;
b = read();
}

if (b < 0) {
throw new EOFException("EOF found inside tag value.");
}

tagNo |= (b & 0x7f);
}

return tagNo;
}

int readLength() throws IOException {
int length = read();
if (length < 0) {
throw new EOFException("EOF found when length expected");
}

if (length == 0x80) {
return -1; // indefinite-length encoding
}
Comment on lines +127 to +135

@coderabbitai coderabbitai Bot Jul 30, 2025

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

Handle indefinite-length encoding or throw an exception.

The code detects indefinite-length encoding (0x80) but returns -1 without proper handling in calling methods.

     int readLength() throws IOException {
         int length = read();
         if (length < 0) {
             throw new EOFException("EOF found when length expected");
         }
 
         if (length == 0x80) {
-            return -1;      // indefinite-length encoding
+            throw new IOException("Indefinite-length encoding not supported");
         }
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
int readLength() throws IOException {
int length = read();
if (length < 0) {
throw new EOFException("EOF found when length expected");
}
if (length == 0x80) {
return -1; // indefinite-length encoding
}
int readLength() throws IOException {
int length = read();
if (length < 0) {
throw new EOFException("EOF found when length expected");
}
if (length == 0x80) {
throw new IOException("Indefinite-length encoding not supported");
}
// ... rest of method unchanged ...
}
🤖 Prompt for AI Agents 
In
authz/client/src/main/java/org/keycloak/authorization/client/util/crypto/ASN1Decoder.java
around lines 127 to 135, the method readLength detects indefinite-length
encoding by returning -1 but does not properly handle this case in the calling
methods. Update the code to either fully support indefinite-length encoding by
implementing the necessary logic or throw a specific exception when encountering
0x80 to prevent silent failures. Ensure that calling methods are updated
accordingly to handle this new behavior.


if (length > 127) {
int size = length & 0x7f;

// Note: The invalid long form "0xff" (see X.690 8.1.3.5c) will be caught here
if (size > 4) {
throw new IOException("DER length more than 4 bytes: " + size);
}

length = 0;
for (int i = 0; i < size; i++) {
int next = read();

if (next < 0) {
throw new EOFException("EOF found reading length");
}

length = (length << 8) + next;
}

if (length < 0) {
throw new IOException("corrupted stream - negative length found");
}

if (length >= limit) // after all we must have read at least 1 byte
{
throw new IOException("corrupted stream - out of bounds length found");
}
}

return length;
}

byte[] read(int length) throws IOException {
byte[] bytes = new byte[length];
int totalBytesRead = 0;

while (totalBytesRead < length) {
int bytesRead = is.read(bytes, totalBytesRead, length - totalBytesRead);
if (bytesRead == -1) {
throw new IOException(String.format("EOF found reading %d bytes", length));
}
totalBytesRead += bytesRead;
}
count += length;
return bytes;
}

void mark() {
count = 0;
is.mark(is.available());
}

int reset() {
int tmp = count;
is.reset();
return tmp;
}
Comment on lines +184 to +193

@coderabbitai coderabbitai Bot Jul 30, 2025

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion

Add mark support validation.

The code uses mark/reset without checking if the stream supports marking.

     void mark() {
+        if (!is.markSupported()) {
+            throw new IllegalStateException("Mark not supported by the underlying stream");
+        }
         count = 0;
         is.mark(is.available());
     }
🤖 Prompt for AI Agents 
In
authz/client/src/main/java/org/keycloak/authorization/client/util/crypto/ASN1Decoder.java
between lines 184 and 193, the mark() and reset() methods use the input stream's
mark and reset functions without verifying if the stream supports marking. To
fix this, add a check using is.markSupported() before calling is.mark() and
is.reset(). If marking is not supported, handle it appropriately, such as
throwing an exception or avoiding the mark/reset calls to prevent runtime
errors.


int read() {
int tmp = is.read();
if (tmp >= 0) {
count++;
}
return tmp;
}
}

101 changes: 101 additions & 0 deletions authz/client/src/main/java/org/keycloak/authorization/client/util/crypto/ASN1Encoder.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,101 @@
/*
* Copyright 2024 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
*
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/

package org.keycloak.authorization.client.util.crypto;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.math.BigInteger;

/**
*
* @author rmartinc
*/
class ASN1Encoder {

static final int INTEGER = 0x02;
static final int SEQUENCE = 0x10;
static final int CONSTRUCTED = 0x20;

private final ByteArrayOutputStream os;

private ASN1Encoder() {
this.os = new ByteArrayOutputStream();
}

static public ASN1Encoder create() {
return new ASN1Encoder();
}

public ASN1Encoder write(BigInteger value) throws IOException {
writeEncoded(INTEGER, value.toByteArray());
return this;
}

public ASN1Encoder writeDerSeq(ASN1Encoder... objects) throws IOException {
writeEncoded(CONSTRUCTED | SEQUENCE, concatenate(objects));
return this;
}

public byte[] toByteArray() {
return os.toByteArray();
}

void writeEncoded(int tag, byte[] bytes) throws IOException {
write(tag);
writeLength(bytes.length);
write(bytes);
}

void writeLength(int length) throws IOException {
if (length > 127) {
int size = 1;
int val = length;

while ((val >>>= 8) != 0) {
size++;
}

write((byte) (size | 0x80));

for (int i = (size - 1) * 8; i >= 0; i -= 8) {
write((byte) (length >> i));
}
} else {
write((byte) length);
}
}

void write(byte[] bytes) throws IOException {
os.write(bytes);
}

void write(int b) throws IOException {
os.write(b);
}

byte[] concatenate(ASN1Encoder... objects) throws IOException {
ByteArrayOutputStream tmp = new ByteArrayOutputStream();
for (ASN1Encoder object : objects) {
tmp.write(object.toByteArray());
}
return tmp.toByteArray();
}
}

Loading