Merge pull request #38 from adorsys/issue-37

Fix: modify deployment scripts to fit branch keycloak-oid4vc#target-20240525-0

0.start-kc-oid4vci.sh

@@ -24,13 +24,12 @@ fi
 # checkout keycloak
 if [ ! -d "$TARGET_DIR/$KC_OID4VCI" ]; then
     echo "Directory $TARGET_DIR/$KC_OID4VCI does not exist, cloning repo..."
-    cd $TARGET_DIR && git clone --depth 1 https://github.com/keycloak/keycloak.git $TARGET_DIR/$KC_OID4VCI
+    cd $TARGET_DIR && git clone --depth 1 --branch $KC_TARGET_BRANCH https://github.com/adorsys/keycloak-oid4vc.git $TARGET_DIR/$KC_OID4VCI
     echo "Keycloak cloned into $TARGET_DIR/$KC_OID4VCI."
 else
     echo "Directory $TARGET_DIR/$KC_OID4VCI already exists."
 fi
 
-
 # change into keycloak directory & build keycloak
 if [ ! -f "$TARGET_DIR/$KC_OID4VCI/quarkus/dist/target/keycloak-999.0.0-SNAPSHOT.tar.gz" ]; then
     echo "File $TARGET_DIR/$KC_OID4VCI/quarkus/dist/target/keycloak-999.0.0-SNAPSHOT.tar.gz does not exist, building keycloak..."

1.oid4vci_test_deployment.sh

@@ -10,42 +10,222 @@ if [ ! -n "$keycloak_pid" ]; then
     exit 1
 fi
 
-
-# Checkout this project. Shall have been done, we wouldn't see this file
-# cd $TOOLS_DIR && git clone https://github.com/adorsys/keycloak-ssi-deployment.git
-
 # Get admin token using environment variables for credentials
 echo "Obtaining admin token..."
 $KC_INSTALL_DIR/bin/kcadm.sh config credentials --server http://localhost:8080 --realm master --user $KEYCLOAK_ADMIN --password $KEYCLOAK_ADMIN_PASSWORD
 
-# Create client for oid4vci
-echo "Creating OID4VCI client..."
-$KC_INSTALL_DIR/bin/kcadm.sh create clients -o -f - < $WORK_DIR/client-oid4vc.json || { echo 'Client creation failed' ; exit 1; }
+# Collect the 4 active keys to be disabled.
+RSA_OAEP_KID=$($KC_INSTALL_DIR/bin/kcadm.sh get keys --fields 'active(RSA-OAEP)' | jq -r '.active."RSA-OAEP"')
+RSA_OAEP_PROV_ID=$($KC_INSTALL_DIR/bin/kcadm.sh get keys | jq --arg kid "$RSA_OAEP_KID" '.keys[] | select(.kid == $kid)' | jq -r '.providerId')
+echo "Generated RSA-OAEP key will be disbled... KID=$RSA_OAEP_KID PROV_ID=$RSA_OAEP_PROV_ID"
+
+# HS512_KID=$($KC_INSTALL_DIR/bin/kcadm.sh get keys --fields 'active(HS512)' | jq -r '.active.HS512')
+# HS512_PROV_ID=$($KC_INSTALL_DIR/bin/kcadm.sh get keys | jq --arg kid "$HS512_KID" '.keys[] | select(.kid == $kid)' | jq -r '.providerId')
+# echo "Generated HS512 key will be disbled... KID=$HS512_KID PROV_ID=$HS512_PROV_ID"
+
+RS256_KID=$($KC_INSTALL_DIR/bin/kcadm.sh get keys --fields 'active(RS256)' | jq -r '.active.RS256')
+RS256_PROV_ID=$($KC_INSTALL_DIR/bin/kcadm.sh get keys | jq --arg kid "$RS256_KID" '.keys[] | select(.kid == $kid)' | jq -r '.providerId')
+echo "Generated RS256 key will be disbled... KID=$RS256_KID PROV_ID=$RS256_PROV_ID"
+
+# AES_KID=$($KC_INSTALL_DIR/bin/kcadm.sh get keys --fields 'active(AES)' | jq -r '.active.AES')
+# AES_PROV_ID=$($KC_INSTALL_DIR/bin/kcadm.sh get keys | jq --arg kid "$AES_KID" '.keys[] | select(.kid == $kid)' | jq -r '.providerId')
+# echo "Generated AES key will be disbled... KID=$AES_KID PROV_ID=$AES_PROV_ID"
+
+# Delete keystore if one exists
+# change into keycloak directory & build keycloak
+if [ -f "$KEYCLOAK_KEYSTORE_FILE" ]; then
+    echo "File $KEYCLOAK_KEYSTORE_FILE exists, will be deleted..."
+    rm "$KEYCLOAK_KEYSTORE_FILE"
+fi
+
+
+# Generate a keypairs into a PKCS12 keystore using java. We prefer an external file, as content will be shared among servers.
+keytool \
+  -genkeypair \
+  -keyalg EC \
+  -keysize 256 \
+  -keystore $KEYCLOAK_KEYSTORE_FILE \
+  -storepass $KEYCLOAK_KEYSTORE_PASSWORD \
+  -alias $KEYCLOAK_KEYSTORE_ECDSA_KEY_ALIAS \
+  -keypass $KEYCLOAK_KEYSTORE_PASSWORD \
+  -storetype $KEYCLOAK_KEYSTORE_TYPE \
+  -dname "CN=ECDSA Signing Key, OU=Keycloak Competence Center, O=Adorsys Lab, L=Bangante, ST=West, C=Cameroon"
+
+keytool \
+  -genkeypair \
+  -keyalg RSA \
+  -keysize 3072 \
+  -keystore $KEYCLOAK_KEYSTORE_FILE \
+  -storepass $KEYCLOAK_KEYSTORE_PASSWORD \
+  -alias $KEYCLOAK_KEYSTORE_RSA_SIG_KEY_ALIAS \
+  -keypass $KEYCLOAK_KEYSTORE_PASSWORD \
+  -storetype $KEYCLOAK_KEYSTORE_TYPE \
+  -dname "CN=RSA Signing Key, OU=Keycloak Competence Center, O=Adorsys Lab, L=Bangante, ST=West, C=Cameroon" 
+
+keytool \
+  -genkeypair \
+  -keyalg RSA \
+  -keysize 3072 \
+  -keystore $KEYCLOAK_KEYSTORE_FILE \
+  -storepass $KEYCLOAK_KEYSTORE_PASSWORD \
+  -alias $KEYCLOAK_KEYSTORE_RSA_ENC_KEY_ALIAS \
+  -keypass $KEYCLOAK_KEYSTORE_PASSWORD \
+  -storetype $KEYCLOAK_KEYSTORE_TYPE \
+  -dname "CN=RSA Encryption Key, OU=Keycloak Competence Center, O=Adorsys Lab, L=Bangante, ST=West, C=Cameroon" 
+
+# keytool \
+#   -genseckey \
+#   -keyalg HmacSHA512 \
+#   -keysize 512 \
+#   -keystore $KEYCLOAK_KEYSTORE_FILE \
+#   -storepass $KEYCLOAK_KEYSTORE_PASSWORD \
+#   -alias $KEYCLOAK_KEYSTORE_HMAC_SIG_KEY_ALIAS \
+#   -keypass $KEYCLOAK_KEYSTORE_PASSWORD \
+#   -storetype $KEYCLOAK_KEYSTORE_TYPE
+
+# keytool \
+#   -genseckey \
+#   -keyalg AES \
+#   -keysize 256 \
+#   -keystore $KEYCLOAK_KEYSTORE_FILE \
+#   -storepass $KEYCLOAK_KEYSTORE_PASSWORD \
+#   -alias $KEYCLOAK_KEYSTORE_AES_ENC_KEY_ALIAS \
+#   -keypass $KEYCLOAK_KEYSTORE_PASSWORD \
+#   -storetype $KEYCLOAK_KEYSTORE_TYPE 
+
+# Add concret info and passwords to key provider
+echo "Configuring ecdsa key provider..."
+less $WORK_DIR/issuer_key_ecdsa.json | \
+  jq --arg keystore "$KEYCLOAK_KEYSTORE_FILE" \
+  --arg keystorePassword "$KEYCLOAK_KEYSTORE_PASSWORD" \
+  --arg keystoreType "$KEYCLOAK_KEYSTORE_TYPE" \
+  --arg keyAlias "$KEYCLOAK_KEYSTORE_ECDSA_KEY_ALIAS" \
+  --arg keyPassword "$KEYCLOAK_KEYSTORE_PASSWORD" \
+  '.config.keystore = [$keystore] | 
+   .config.keystorePassword = [$keystorePassword] |
+   .config.keystoreType = [$keystoreType] | 
+   .config.keyAlias = [$keyAlias] | 
+   .config.keyPassword = [$keyPassword]' \
+  > $TARGET_DIR/issuer_key_ecdsa-tmp.json 
+
+echo "Configuring rsa signing key provider..."
+less $WORK_DIR/issuer_key_rsa.json | \
+  jq --arg keystore "$KEYCLOAK_KEYSTORE_FILE" \
+  --arg keystorePassword "$KEYCLOAK_KEYSTORE_PASSWORD" \
+  --arg keystoreType "$KEYCLOAK_KEYSTORE_TYPE" \
+  --arg keyAlias "$KEYCLOAK_KEYSTORE_RSA_SIG_KEY_ALIAS" \
+  --arg keyPassword "$KEYCLOAK_KEYSTORE_PASSWORD" \
+  '.config.keystore = [$keystore] | 
+   .config.keystorePassword = [$keystorePassword] |
+   .config.keystoreType = [$keystoreType] | 
+   .config.keyAlias = [$keyAlias] | 
+   .config.keyPassword = [$keyPassword]' \
+  > $TARGET_DIR/issuer_key_rsa-tmp.json 
+
+echo "Configuring rsa enc key provider..."
+less $WORK_DIR/encryption_key_rsa.json | \
+  jq --arg keystore "$KEYCLOAK_KEYSTORE_FILE" \
+  --arg keystorePassword "$KEYCLOAK_KEYSTORE_PASSWORD" \
+  --arg keystoreType "$KEYCLOAK_KEYSTORE_TYPE" \
+  --arg keyAlias "$KEYCLOAK_KEYSTORE_RSA_ENC_KEY_ALIAS" \
+  --arg keyPassword "$KEYCLOAK_KEYSTORE_PASSWORD" \
+  '.config.keystore = [$keystore] | 
+   .config.keystorePassword = [$keystorePassword] |
+   .config.keystoreType = [$keystoreType] | 
+   .config.keyAlias = [$keyAlias] | 
+   .config.keyPassword = [$keyPassword]' \
+  > $TARGET_DIR/encryption_key_rsa-tmp.json 
+
+# echo "Configuring hmac signature key provider..."
+# HMAC_SIG_KEY_ID=$(uuidgen)
+# less $WORK_DIR/signature_key_hmac.json | \
+#   jq --arg keystore "$KEYCLOAK_KEYSTORE_FILE" \
+#   --arg keystorePassword "$KEYCLOAK_KEYSTORE_PASSWORD" \
+#   --arg keystoreType "$KEYCLOAK_KEYSTORE_TYPE" \
+#   --arg keyAlias "$KEYCLOAK_KEYSTORE_HMAC_SIG_KEY_ALIAS" \
+#   --arg kid "$HMAC_SIG_KEY_ID" \
+#   --arg keyPassword "$KEYCLOAK_KEYSTORE_PASSWORD" \
+#   '.config.keystore = [$keystore] | 
+#    .config.keystorePassword = [$keystorePassword] |
+#    .config.keystoreType = [$keystoreType] | 
+#    .config.keyAlias = [$keyAlias] | 
+#    .config.kid = [$kid] | 
+#    .config.keyPassword = [$keyPassword]' \
+#   > $TARGET_DIR/signature_key_hmac-tmp.json 
+
+# echo "Configuring aes enc key provider..."
+# AES_ENC_KEY_ID=$(uuidgen)
+# less $WORK_DIR/encryption_key_aes.json | \
+#   jq --arg keystore "$KEYCLOAK_KEYSTORE_FILE" \
+#   --arg keystorePassword "$KEYCLOAK_KEYSTORE_PASSWORD" \
+#   --arg keystoreType "$KEYCLOAK_KEYSTORE_TYPE" \
+#   --arg keyAlias "$KEYCLOAK_KEYSTORE_AES_ENC_KEY_ALIAS" \
+#   --arg kid "$AES_ENC_KEY_ID" \
+#   --arg keyPassword "$KEYCLOAK_KEYSTORE_PASSWORD" \
+#   '.config.keystore = [$keystore] | 
+#    .config.keystorePassword = [$keystorePassword] |
+#    .config.keystoreType = [$keystoreType] | 
+#    .config.keyAlias = [$keyAlias] | 
+#    .config.kid = [$kid] | 
+#    .config.keyPassword = [$keyPassword]' \
+#   > $TARGET_DIR/encryption_key_aes-tmp.json 
 
-# Manually copy the content of your PEM file into issuer-key.json if you generate a new PEM file
 # Register the EC-key with Keycloak
-echo "Registering issuer key..."
-$KC_INSTALL_DIR/bin/kcadm.sh create components -r master -o -f - < $WORK_DIR/issuer_key.json || { echo 'Key registration failed' ; exit 1; }
+echo "Registering issuer key ecdsa..."
+$KC_INSTALL_DIR/bin/kcadm.sh create components -r master -o -f - < $TARGET_DIR/issuer_key_ecdsa-tmp.json || { echo 'ECDSA Issuer Key registration failed' ; exit 1; }
+echo "Registering issuer key rsa..."
+$KC_INSTALL_DIR/bin/kcadm.sh create components -r master -o -f - < $TARGET_DIR/issuer_key_rsa-tmp.json || { echo 'RSA Issuer Key registration failed' ; exit 1; }
+echo "Registering encryption key rsa..."
+$KC_INSTALL_DIR/bin/kcadm.sh create components -r master -o -f - < $TARGET_DIR/encryption_key_rsa-tmp.json || { echo 'RSA Encryption Key registration failed' ; exit 1; }
+# echo "Registering signature key hmac..."
+# $KC_INSTALL_DIR/bin/kcadm.sh create components -r master -o -f - < $TARGET_DIR/signature_key_hmac-tmp.json || { echo 'Hmac Signature Key registration failed' ; exit 1; }
+# echo "Registering issuer key ecdsa..."
+# $KC_INSTALL_DIR/bin/kcadm.sh create components -r master -o -f - < $TARGET_DIR/encryption_key_aes-tmp.json || { echo 'AES Encryption Key registration failed' ; exit 1; }
+
+# Disable generated keys
+echo "Deactivating generated RSA-OAEP... KID=$RSA_OAEP_KID PROV_ID=$RSA_OAEP_PROV_ID"
+$KC_INSTALL_DIR/bin/kcadm.sh update components/$RSA_OAEP_PROV_ID -s 'config.active=["false"]' || { echo 'Updating RSA_OAEP provider failed' ; exit 1; }
+$KC_INSTALL_DIR/bin/kcadm.sh get keys | jq --arg kid "$RSA_OAEP_KID" '.keys[] | select(.kid == $kid)'
+
+# echo "Deactivating generated HS512 key... KID=$HS512_KID PROV_ID=$HS512_PROV_ID"
+# $KC_INSTALL_DIR/bin/kcadm.sh update components/$HS512_PROV_ID -s 'config.active=["false"]' || { echo 'Updating HS512 provider failed' ; exit 1; }
+# $KC_INSTALL_DIR/bin/kcadm.sh get keys | jq --arg kid "$HS512_KID" '.keys[] | select(.kid == $kid)'
+
+echo "Deactivating generated RS256 key... KID=$RS256_KID PROV_ID=$RS256_PROV_ID"
+$KC_INSTALL_DIR/bin/kcadm.sh update components/$RS256_PROV_ID -s 'config.active=["false"]' || { echo 'Updating RS256 provider failed' ; exit 1; }
+$KC_INSTALL_DIR/bin/kcadm.sh get keys | jq --arg kid "$RS256_KID" '.keys[] | select(.kid == $kid)'
+
+# echo "Deactivating generated AES key will... KID=$AES_KID PROV_ID=$AES_PROV_ID"
+# $KC_INSTALL_DIR/bin/kcadm.sh update components/$AES_PROV_ID -s 'config.active=["false"]' || { echo 'Updating AES provider failed' ; exit 1; }
+# $KC_INSTALL_DIR/bin/kcadm.sh get keys | jq --arg kid "$AES_KID" '.keys[] | select(.kid == $kid)'
+
 
 # Export keyid into an environment variable
-export ES256_KID=$($KC_INSTALL_DIR/bin/kcadm.sh get keys --fields 'active(ES256)' | jq -r '.active.ES256')
+ES256_KID=$($KC_INSTALL_DIR/bin/kcadm.sh get keys --fields 'active(ES256)' | jq -r '.active.ES256') || { echo 'ES256 keyId failed' ; exit 1; }
 echo "ES256 Key ID: $ES256_KID"
 
 # Write keyid into a copy of the signing_service.json
 echo "Configuring signing service with Key ID..."
-less $WORK_DIR/signing_service.json | jq --arg kid "$ES256_KID" '.config.keyId = [$kid]'  > $TARGET_DIR/signing_service-tmp.json
+less "$WORK_DIR/signing_service.json" | \
+  jq --arg kid "$ES256_KID" \
+     '.config.keyId = [$kid]' \
+  > "$TARGET_DIR/signing_service-tmp.json"
 
 # Create the signing service component
 echo "Creating signing service component..."
 $KC_INSTALL_DIR/bin/kcadm.sh create components -r master -o -f - < $TARGET_DIR/signing_service-tmp.json  || { echo 'Could not create signing service' ; exit 1; }
 
+# Create client for oid4vci
+echo "Creating OID4VCI client..."
+$KC_INSTALL_DIR/bin/kcadm.sh create clients -o -f - < $WORK_DIR/client-oid4vc.json || { echo 'Client creation failed' ; exit 1; }
+
 # Useful link to check the configuration
 # Ensure keycloak with oid4vc-vci profile is running
-keycloak_pid=$(ps aux | grep -i '[k]eycloak' | awk '{print $2}')
-if [ ! -n "$keycloak_pid" ]; then
-    echo "Keycloak not running. Start keycloak using 0.start-kc-oid4vci first..."
-    exit 1  # Exit with an error code
-fi
+# keycloak_pid=$(ps aux | grep -i '[k]eycloak' | awk '{print $2}')
+# if [ ! -n "$keycloak_pid" ]; then
+#     echo "Keycloak not running. Start keycloak using 0.start-kc-oid4vci first..."
+#     exit 1  # Exit with an error code
+# fi
 
 # Read all realm attributes
 # echo "Reading all realm attributes..."

3.retrieve_credential.sh

@@ -84,7 +84,7 @@ CREDENTIAL=$(curl -s http://localhost:8080/realms/master/protocol/oid4vc/credent
     -H 'Accept: application/json' \
     -H 'Content-Type: application/json' \
     -H "Authorization: Bearer $CREDENTIAL_ACCESS_TOKEN" \
-    -d '{"format": "sd-jwt_vc", "credential_identifier": "test-credential"}')
+    -d '{"format": "vc+sd-jwt", "credential_identifier": "test-credential"}')
 
 
 # Stop if CREDENTIAL is not retrieved

client-oid4vc.json

@@ -7,7 +7,7 @@
   "publicClient": true,
   "attributes": {
     "vc.test-credential.expiry_in_s": 100,
-    "vc.test-credential.format": "sd-jwt_vc",
+    "vc.test-credential.format": "vc+sd-jwt",
     "vc.test-credential.scope": "VerifiableCredential"
   },
   "protocolMappers": [

common_vars.sh

@@ -8,12 +8,24 @@ TARGET_DIR=$WORK_DIR/target
 TOOLS_DIR=$TARGET_DIR/tools
 
 # Dev dir where to clone keycloak
-KC_OID4VCI=keycloak-oid4vci
+# KC_TARGET_BRANCH=main
+KC_TARGET_BRANCH=target-20240525-0
+KC_OID4VCI="keycloak_"$KC_TARGET_BRANCH
 
 # Ensure all sensitive data like passwords and keys are passed through environment variables or secure stores.
 KEYCLOAK_ADMIN=admin
 KEYCLOAK_ADMIN_PASSWORD=admin
 
+KEYCLOAK_KEYSTORE_FILE=$TARGET_DIR/kc_keystore.pkcs12
+KEYCLOAK_KEYSTORE_TYPE=PKCS12
+KEYCLOAK_KEYSTORE_PASSWORD=store_key_password
+
+KEYCLOAK_KEYSTORE_ECDSA_KEY_ALIAS=ecdsa_key
+KEYCLOAK_KEYSTORE_RSA_SIG_KEY_ALIAS=rsa_sig_key
+KEYCLOAK_KEYSTORE_RSA_ENC_KEY_ALIAS=rsa_enc_key
+KEYCLOAK_KEYSTORE_HMAC_SIG_KEY_ALIAS=hmac_sig_key
+KEYCLOAK_KEYSTORE_AES_ENC_KEY_ALIAS=aes_enc_key
+
 # Navigate to the keycloak client tools directory
 #### If you are running from you ide
 # KC_INSTALL_DIR=$DEV_DIR/keycloak/quarkus/dist/target/keycloak-client-tools

encryption_key_aes.json

@@ -0,0 +1,28 @@
+{
+  "id": "aes-encryption-key",
+  "name": "aes-encryption-key",
+  "providerId": "java-keystore",
+  "providerType": "org.keycloak.keys.KeyProvider",
+  "config": {
+    "keystore": [
+      "$KEYCLOAK_KEYSTORE_FILE"
+    ],
+    "keystoreType": [
+      "$KEYCLOAK_KEYSTORE_TYPE"
+    ],
+    "keystorePassword": [
+      "$KEYCLOAK_KEYSTORE_PASSWORD"
+    ],
+    "keyAlias":[
+      "$KEYCLOAK_KEYSTORE_AES_ENC_KEY_ALIAS"
+    ],
+    "keyPassword": [
+      "$KEYCLOAK_KEYSTORE_PASSWORD"
+    ],
+    "active": ["true"],
+    "priority": ["0"],
+    "enabled": ["true"],
+    "algorithm": ["AES"],
+    "kid": ["UUID-HERE"]    
+  }
+}

encryption_key_rsa.json

@@ -0,0 +1,28 @@
+{
+  "id": "rsa-encryption-key",
+  "name": "rsa-encryption-key",
+  "providerId": "java-keystore",
+  "providerType": "org.keycloak.keys.KeyProvider",
+  "config": {
+    "keystore": [
+      "$KEYCLOAK_KEYSTORE_FILE"
+    ],
+    "keystoreType": [
+      "$KEYCLOAK_KEYSTORE_TYPE"
+    ],
+    "keystorePassword": [
+      "$KEYCLOAK_KEYSTORE_PASSWORD"
+    ],
+    "keyAlias":[
+      "$KEYCLOAK_KEYSTORE_RSA_ENC_KEY_ALIAS"
+    ],
+    "keyPassword": [
+      "$KEYCLOAK_KEYSTORE_PASSWORD"
+    ],
+    "active": ["true"],
+    "priority": ["0"],
+    "enabled": ["true"],
+    "algorithm": ["RSA-OAEP"],
+    "keyUse": ["enc"]
+  }
+}