Supported encrypted pem files in the TLS registry #44262

Closed
shawkins opened this issue Nov 1, 2024 · 9 comments · Fixed by #44549
Assignees
Labels
area/security area/tls TLS Registry related issues and PR area/vertx kind/enhancement New feature or request
Milestone

Comments

@shawkins
Contributor

shawkins commented Nov 1, 2024

Description

When specifying PEM files for HTTPS, the current expectation is that keys are unencrypted. It would be good if encrypted PEM were supported as well.

See keycloak/keycloak#27437

Implementation ideas

No response

@phillip-kruger
Member

maybe @cescoffier or @sberyozkin

@cescoffier
Member

That's something I have on my todo list. We never had the request (even before the TLS registry), so I always postponed it.

The workaround right now is to use p12.

@cescoffier
Member

Forgot to mention: the main issue is that I do not want to include BouncyCastle as a mandatory runtime dependency. Thus, it makes things slightly more complicated.

Alternatively, this could be implemented as a separate (Quarkiverse) extension (the TLS registry allows extensions to register certificates).


quarkus-bot bot commented Nov 4, 2024

/cc @pedroigor (bearer-token), @sberyozkin (bearer-token,jwt,security)

@cescoffier cescoffier changed the title Supported encrypted pem files for https key Supported encrypted pem files in the TLS registry Nov 4, 2024
@cescoffier cescoffier self-assigned this Nov 4, 2024
@cescoffier
Member

BTW, this enhancement would NOT be backported to 3.15 (LTS).

@cescoffier cescoffier added the area/tls TLS Registry related issues and PR label Nov 4, 2024
@sberyozkin
Member

Hi @cescoffier

Makes sense to avoid the BC dependency... One thing I'd like to ask is to have, if possible, some shared utility code in quarkus-vertx-http, as I'd like to support this option for the non-TLS case, OIDC Private Key JWT authentication... (this is when a JWT token is generated and then signed with the private key as a form of client authentication, instead of the name and password; we briefly discussed it when Michal was migrating OIDC to use the TLS registry).

@sberyozkin
Member

Or maybe even in the quarkus-security extension, as quarkus-oidc and quarkus-oidc-client need to support it, with the latter not depending on quarkus-vertx-http; but I can propose a utility code move from it down to the quarkus-security extension later...

@cescoffier
Member

@sberyozkin sure, having shared code would make sense, but it should not be in vert.x http, probably in the TLS registry itself.

@cescoffier
Member

FTR, I've made progress on this in the certificate generator, which now provides some utilities to decrypt encrypted PEM. Still need a bit of polishing, but the hard technical point is behind.

cescoffier added a commit to cescoffier/quarkus that referenced this issue Nov 17, 2024
Add support for encrypted PEM files (encrypted PKCS#8) to the TLS registry. This is invisible to the extensions, the key being decrypted and passed unencrypted to the extensions (the unencrypted key is never written to disk).

Fix quarkusio#44262
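The commit above describes the constraint the thread settled on: decrypt an encrypted PKCS#8 PEM in memory, hand the plaintext key to the consumer, never write it to disk, and do it without BouncyCastle. The following is an added, stand-alone illustration of that approach using only JDK APIs (`javax.crypto.EncryptedPrivateKeyInfo`, `SecretKeyFactory`, `Cipher`, `KeyFactory`). It is not the Quarkus implementation from #44549 or any Quarkus API; the class name `EncryptedPemDecryptor` and its helpers are hypothetical. It assumes the SunJCE provider, which reports a PBES2 envelope (the OpenSSL default: PBKDF2 plus AES-CBC) either directly as a cipher name such as `PBEWithHmacSHA256AndAES_256` or as `PBES2` with parameters whose `toString()` yields that cipher name; the second mapping mirrors what the JDK's own PKCS#12 keystore does. The input file is supplied by the reader; no sample key is embedded.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.AlgorithmParameters;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.EncryptedPrivateKeyInfo;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Hypothetical helper (not Quarkus code): decrypts a PKCS#8 "ENCRYPTED PRIVATE KEY" PEM with JDK-only APIs. */
public final class EncryptedPemDecryptor {

    private static final String BEGIN = "-----BEGIN ENCRYPTED PRIVATE KEY-----";
    private static final String END = "-----END ENCRYPTED PRIVATE KEY-----";

    private EncryptedPemDecryptor() {
    }

    /** Extracts and base64-decodes the DER payload of the first encrypted-key block in the PEM text. */
    static byte[] pemToDer(String pem) {
        int start = pem.indexOf(BEGIN);
        int end = pem.indexOf(END);
        if (start < 0 || end < start) {
            throw new IllegalArgumentException("no ENCRYPTED PRIVATE KEY block found");
        }
        String body = pem.substring(start + BEGIN.length(), end).replaceAll("\\s", "");
        return Base64.getDecoder().decode(body);
    }

    /**
     * Resolves the JCE name used for both the PBE key derivation and the cipher.
     * Assumption about SunJCE: for PBES2 it either returns the cipher name directly
     * or "PBES2" whose AlgorithmParameters.toString() is that cipher name.
     */
    static String jceAlgorithmName(EncryptedPrivateKeyInfo epki) {
        String name = epki.getAlgName();
        AlgorithmParameters params = epki.getAlgParameters();
        if ("PBES2".equalsIgnoreCase(name) && params != null) {
            return params.toString();
        }
        return name;
    }

    /** Decrypts the PEM with the password; the plaintext key only ever exists in memory. */
    public static PrivateKey decrypt(String pem, char[] password) throws IOException, GeneralSecurityException {
        EncryptedPrivateKeyInfo epki = new EncryptedPrivateKeyInfo(pemToDer(pem));
        String alg = jceAlgorithmName(epki);
        PBEKeySpec pbeSpec = new PBEKeySpec(password);
        try {
            SecretKey pbeKey = SecretKeyFactory.getInstance(alg).generateSecret(pbeSpec);
            Cipher cipher = Cipher.getInstance(alg);
            cipher.init(Cipher.DECRYPT_MODE, pbeKey, epki.getAlgParameters());
            // A wrong password shows up here as an InvalidKeySpecException (bad padding / not valid PKCS#8).
            PKCS8EncodedKeySpec keySpec = epki.getKeySpec(cipher);
            return toPrivateKey(keySpec);
        } finally {
            pbeSpec.clearPassword(); // drop the copy of the passphrase held by the spec
        }
    }

    /** PKCS8EncodedKeySpec does not say which KeyFactory applies, so try the common key types in turn. */
    static PrivateKey toPrivateKey(PKCS8EncodedKeySpec spec) throws GeneralSecurityException {
        InvalidKeySpecException last = null;
        for (String keyAlg : new String[] {"RSA", "EC", "EdDSA"}) {
            try {
                return KeyFactory.getInstance(keyAlg).generatePrivate(spec);
            } catch (InvalidKeySpecException e) {
                last = e; // payload is not this key type, try the next one
            } catch (NoSuchAlgorithmException e) {
                // EdDSA KeyFactory exists only on JDK 15+; skip it on older runtimes
            }
        }
        throw new InvalidKeySpecException("unsupported key type in PKCS#8 payload", last);
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1 || System.console() == null) {
            System.err.println("usage: java EncryptedPemDecryptor <encrypted-key.pem>  (password is prompted on the console)");
            System.exit(2);
        }
        char[] password = System.console().readPassword("PEM password: ");
        try {
            PrivateKey key = decrypt(Files.readString(Path.of(args[0])), password);
            System.out.println("decrypted " + key.getAlgorithm() + " key (" + key.getFormat() + ")");
        } finally {
            Arrays.fill(password, '\0'); // do not keep the passphrase around longer than needed
        }
    }
}
```

A test input in the PBES2 form can be produced with standard OpenSSL tooling, e.g. `openssl pkcs8 -topk8 -v2 aes-256-cbc -in plain.pem -out encrypted.pem`. Two points worth noting for a registry that adopts this pattern: the password is taken from the console rather than a command-line argument so it does not land in shell history or the process list, and because the key never leaves memory, the same `PrivateKey` object is what a consumer (a TLS engine, or a JWT signer in the OIDC case raised above) should receive instead of a re-serialized unencrypted file.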
@quarkus-bot quarkus-bot bot added this to the 3.18 - main milestone Nov 18, 2024