SigningService.java

/*
 * Copyright 2024 Red Hat, Inc. and/or its affiliates
 * and other contributors as indicated by the @author tags.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.keycloak.protocol.oid4vc.issuance.signing;

import org.keycloak.common.VerificationException;
import org.keycloak.crypto.KeyUse;
import org.keycloak.crypto.KeyWrapper;
import org.keycloak.crypto.SignatureProvider;
import org.keycloak.crypto.SignatureVerifierContext;
import org.keycloak.jose.jwk.JWK;
import org.keycloak.jose.jwk.JWKParser;
import org.keycloak.jose.jwk.OKPPublicJWK;
import org.keycloak.models.KeycloakSession;

/**
 * Abstract base class to provide the Signing Services common functionality
 *
 * @author <a href="https://github.com/wistefan">Stefan Wiedemann</a>
 */
public abstract class SigningService<T> implements VerifiableCredentialsSigningService<T> {

    protected final KeycloakSession keycloakSession;
    protected final String keyId;

    // values of the type field are defined by the implementing service. Could f.e. the security suite for ldp_vc or the algorithm to be used for jwt_vc
    protected final String type;

    // As the type is not identical to the format, we use the format as a factory to
    // instantiate provider.
    protected final String format;

    protected SigningService(KeycloakSession keycloakSession, String keyId, String format, String type) {
        this.keycloakSession = keycloakSession;
        this.keyId = keyId;
        this.format = format;
        this.type = type;
    }

    @Override
    public String locator() {
        // Future implementation might consider credential type or even configuration specific signers.
        // See: org.keycloak.protocol.oid4vc.issuance.signing.SdJwtSigningService.locator
        return  VerifiableCredentialsSigningService.locator(format, null, null);
    }

    /**
     * Returns the key stored under kid, or the active key for the given jws algorithm,
     *
     * @param kid
     * @param algorithm
     * @return
     */
    protected KeyWrapper getKey(String kid, String algorithm) {
        // Allow the service to work with the active key if keyId is null
        // And we still have to figure out how to proceed with key rotation
        if (keyId == null) {
            return keycloakSession.keys().getActiveKey(keycloakSession.getContext().getRealm(), KeyUse.SIG, algorithm);
        }
        return keycloakSession.keys().getKey(keycloakSession.getContext().getRealm(), kid, KeyUse.SIG, algorithm);
    }

    protected SignatureVerifierContext getVerifier(JWK jwk, String jwsAlgorithm) throws VerificationException {
        SignatureProvider signatureProvider = keycloakSession.getProvider(SignatureProvider.class, jwsAlgorithm);
        return signatureProvider.verifier(getKeyWrapper(jwk, jwsAlgorithm, KeyUse.SIG));
    }

    private KeyWrapper getKeyWrapper(JWK jwk, String algorithm, KeyUse keyUse) {
        KeyWrapper keyWrapper = new KeyWrapper();
        keyWrapper.setType(jwk.getKeyType());

        // Use the algorithm provided by the caller, and not the one inside the jwk (if any)
        // As jws validation will also check that one against the value "none"
        keyWrapper.setAlgorithm(algorithm);

        // Set the curve if any
        if (jwk.getOtherClaims().get(OKPPublicJWK.CRV) != null) {
            keyWrapper.setCurve((String) jwk.getOtherClaims().get(OKPPublicJWK.CRV));
        }

        keyWrapper.setUse(keyUse);
        JWKParser parser = JWKParser.create(jwk);
        keyWrapper.setPublicKey(parser.toPublicKey());
        return keyWrapper;
    }

    @Override
    public void close() {
        // no-op
    }
}