REF-6: Resolve keystore alias case-insensitively (issue #73)#85
Open
thomasnymand wants to merge 1 commit into
Configuring oiosaml.servlet.keystore.alias with any casing other than all-lowercase failed with a misleading "incorrect keystore password" error.

Java's PKCS12 KeyStore lowercases aliases on load, so the key-password map was keyed by the lowercased alias while OpenSAML's KeyStoreCredentialResolver looked the password up by the configured alias verbatim. A mixed-case alias therefore resolved no password and the private key could not be decrypted.

Key the password map by the configured alias instead; PKCS12 key lookup is already case-insensitive, so alias resolution is now fully case-insensitive.

Add CredentialServiceTest with a keystore whose alias is configured in a different case than stored.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Fixes #73
Summary
Configuring `oiosaml.servlet.keystore.alias` with any casing other than all-lowercase failed with a misleading "incorrect keystore password" error.

Root cause: Java's PKCS12 `KeyStore` lowercases aliases on load, so in `CredentialService.getBasicX509Credential()` the key-password map was keyed by the keystore's (lowercased) alias, while OpenSAML's `KeyStoreCredentialResolver` looks the password up by the configured alias verbatim. A mixed-case alias therefore resolved no password, the private key couldn't be decrypted, and the failure surfaced as a wrong-password error.

Fix: key the password map by the configured `alias` instead of `ks.aliases().nextElement()`. PKCS12 key lookup is already case-insensitive, so alias resolution is now fully case-insensitive — no configuration or documentation workaround needed.

Test

Adds `CredentialServiceTest` with a new keystore `mixedcase-alias.p12` (key entry created as `TestKeyAlias`, which PKCS12 stores as `testkeyalias`). The test configures the alias in a different case and asserts the credential resolves.

Verified red → green: the test errors on the previous code (`Malformed configuration in 'oiosaml.servlet.keystore'`) and passes with the fix. Full suite: `Tests run: 108, Failures: 0, Errors: 0`.

Notes
🤖 Generated with Claude Code
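The root cause described in this PR, as an added stand-alone Java example (not code from the PR or from the oiosaml code base): a PKCS12 entry stored under a mixed-case alias is reported back lowercased, and a password map keyed by that reported alias fails to resolve while one keyed by the configured alias succeeds. The class name `AliasCaseDemo`, the sample alias and password, and the `resolves` method standing in for `KeyStoreCredentialResolver`'s lookup are assumptions; an AES secret-key entry is used instead of a private key so the demo needs no certificate chain.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import java.util.Collections;
import java.util.Map;
import javax.crypto.KeyGenerator;

public class AliasCaseDemo {
    // PKCS12 keystore with one entry under the given alias, round-tripped through bytes so the
    // entry goes through PKCS12 load as it would when read from disk. An AES secret key avoids
    // needing a certificate chain; PKCS12 alias handling is the same for private-key entries.
    static KeyStore buildKeystore(String alias, char[] password) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        ks.setEntry(alias, new KeyStore.SecretKeyEntry(kg.generateKey()),
                new KeyStore.PasswordProtection(password));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, password);
        KeyStore loaded = KeyStore.getInstance("PKCS12");
        loaded.load(new ByteArrayInputStream(out.toByteArray()), password);
        return loaded;
    }
    // Before the fix: keyed by the alias the keystore reports, which PKCS12 has lowercased.
    static Map<String, String> buggyPasswordMap(KeyStore ks, String keyPw) throws Exception {
        return Collections.singletonMap(ks.aliases().nextElement(), keyPw);
    }
    // After the fix: keyed by the configured alias verbatim.
    static Map<String, String> fixedPasswordMap(String configuredAlias, String keyPw) {
        return Collections.singletonMap(configuredAlias, keyPw);
    }
    // Stand-in (assumed, not OpenSAML code) for KeyStoreCredentialResolver's lookup: the password
    // is fetched by the configured alias verbatim, then the key is read from the keystore, whose
    // own PKCS12 lookup is case-insensitive.
    static boolean resolves(KeyStore ks, Map<String, String> pws, String configuredAlias) throws Exception {
        String pw = pws.get(configuredAlias);
        if (pw == null) return false; // no password for this alias: the key cannot be decrypted
        return ks.getKey(configuredAlias, pw.toCharArray()) != null;
    }
    public static void main(String[] args) throws Exception {
        String configured = "TestKeyAlias";   // constructed sample alias
        char[] pw = "changeit".toCharArray(); // constructed sample password
        KeyStore ks = buildKeystore(configured, pw);
        System.out.println("alias as reported by PKCS12: " + ks.aliases().nextElement());
        System.out.println("keyed by stored alias:     " + resolves(ks, buggyPasswordMap(ks, "changeit"), configured));
        System.out.println("keyed by configured alias: " + resolves(ks, fixedPasswordMap(configured, "changeit"), configured));
    }
}
```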