Version 3.5.7 UpdateX509 Not Compatible with Keycloak 26.1.2 and BouncyCastle FIPS #5

@p1-bot-repo-sync

When using version 3.5.7 and Keycloak 26.1.2 in FIPS-enabled mode (BouncyCastle FIPS libraries), the UpdateX509 action crashes:

2025-03-04 14:54:36,895 INFO  [dod.p1.keycloak.registration.X509Tools] (executor-thread-192) ZacsOCSPProvider Mode Set: false
2025-03-04 14:54:36,895 INFO  [dod.p1.keycloak.registration.X509Tools] (executor-thread-192) P1_X509_TOOLS_GET_X509_IDENTITY_FROM_CHAIN_d51cf4a6-5363-4ac2-85ff-89c45d9d3e3a checking cert policy 2.16.840.1.101.2.1.11.42
2025-03-04 14:54:36,895 ERROR [org.keycloak.crypto.fips.BCFIPSUserIdentityExtractorProvider] (executor-thread-192) Failed to parse subjectAltName: java.lang.IllegalArgumentException: illegal object in getInstance: org.bouncycastle.asn1.DEROctetString
	at org.bouncycastle.asn1.DERUTF8String.getInstance(Unknown Source)
	at org.keycloak.crypto.fips.BCFIPSUserIdentityExtractorProvider$SubjectAltNameExtractorBCProvider.extractUserIdentity(BCFIPSUserIdentityExtractorProvider.java:169)
	at dod.p1.keycloak.registration.X509Tools.lambda$getX509IdentityFromCertChain$2(X509Tools.java:300)
	at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)
	at java.base/java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:179)
	at java.base/java.util.HashMap$ValueSpliterator.tryAdvance(HashMap.java:1808)
	at java.base/java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:129)
	at java.base/java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:527)
	at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:513)
	at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
	at java.base/java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:150)
	at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
	at java.base/java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:647)
	at dod.p1.keycloak.registration.X509Tools.getX509IdentityFromCertChain(X509Tools.java:301)
	at dod.p1.keycloak.registration.X509Tools.getX509Identity(X509Tools.java:326)
	at dod.p1.keycloak.registration.X509Tools.getX509Username(X509Tools.java:109)
	at dod.p1.keycloak.registration.X509Tools.isX509Registered(X509Tools.java:68)
	at dod.p1.keycloak.registration.X509Tools.isX509Registered(X509Tools.java:94)
	at dod.p1.keycloak.registration.UpdateX509.evaluateTriggers(UpdateX509.java:64)
	at org.keycloak.services.managers.AuthenticationManager.evaluateRequiredAction(AuthenticationManager.java:1463)
	at org.keycloak.services.managers.AuthenticationManager.lambda$evaluateRequiredActionTriggers$19(AuthenticationManager.java:1434)
	at java.base/java.util.stream.ForEachOps$ForEachOp$OfRef.accept(ForEachOps.java:184)
	at java.base/java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:179)
	at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)
	at java.base/java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:179)
	at java.base/java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:179)
	at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1708)
	at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509)
	at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
--
	at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
	at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:635)
	at org.jboss.threads.EnhancedQueueExecutor$Task.doRunWith(EnhancedQueueExecutor.java:2516)
	at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2495)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1521)
	at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:11)
	at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:11)
	at io.netty.util.concurrent.FastThreadLocalRunnable.

I understand that 3.5.7 is not intended to support Keycloak 26, but my team had to upgrade to be compliant with IAVA releases. Simply upgrading the plugin might fix this.
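The trace above shows DERUTF8String.getInstance being handed a DEROctetString while reading the SAN otherName. As an added, constructed illustration (not code from this plugin or from Keycloak), the Python below hand-encodes a UPN otherName in both shapes and contrasts a strict decode, which fails the way the extractor does, with a tolerant one that inspects the tag first; the UPN OID is the standard Microsoft one, and the sample identity, the OCTET STRING wrapping and the minimal DER helpers are assumptions, not taken from the reporter's certificates.

```python
# Constructed model of the failure in the stack trace: the SAN otherName value
# is expected to be a UTF8String but the decoder is handed an OCTET STRING.
# Hand-rolled DER helpers (short-form lengths only); not a general ASN.1 library.

TAG_OID, TAG_UTF8, TAG_OCTET, TAG_CTX0 = 0x06, 0x0C, 0x04, 0xA0
UPN_OID = bytes.fromhex("2B060104018237140203")  # 1.3.6.1.4.1.311.20.2.3 (Microsoft UPN)

def tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a short-form length (body under 128 bytes)."""
    if len(body) >= 0x80:
        raise ValueError("long-form lengths not supported in this demo")
    return bytes([tag, len(body)]) + body

def read_tlv(buf: bytes, pos: int = 0):
    """Decode the TLV at pos; return (tag, body, position after it)."""
    tag, n = buf[pos], buf[pos + 1]
    if n >= 0x80:
        raise ValueError("long-form lengths not supported in this demo")
    return tag, buf[pos + 2:pos + 2 + n], pos + 2 + n

def other_name(value_tlv: bytes) -> bytes:
    """GeneralName otherName: [0] IMPLICIT SEQUENCE { type-id OID, value [0] EXPLICIT ANY }."""
    return tlv(TAG_CTX0, tlv(TAG_OID, UPN_OID) + tlv(TAG_CTX0, value_tlv))

def other_name_value(san: bytes):
    """Walk the otherName and return (tag, body) of the value inside the [0] EXPLICIT tag."""
    tag, seq, _ = read_tlv(san)
    oid_tag, oid, pos = read_tlv(seq)
    ctx_tag, val, _ = read_tlv(seq, pos)
    if (tag, oid_tag, ctx_tag) != (TAG_CTX0, TAG_OID, TAG_CTX0) or oid != UPN_OID:
        raise ValueError("not a UPN otherName")
    vtag, vbody, _ = read_tlv(val)
    return vtag, vbody

def strict_utf8_value(san: bytes) -> str:
    """Mirrors the failing path: the value must already be a UTF8String."""
    tag, body = other_name_value(san)
    if tag != TAG_UTF8:
        raise ValueError(f"illegal object in getInstance: tag 0x{tag:02X}")
    return body.decode("utf-8")

def lenient_utf8_value(san: bytes) -> str:
    """Hardened path: also accept an OCTET STRING whose contents are a DER UTF8String."""
    tag, body = other_name_value(san)
    if tag == TAG_OCTET:
        tag, body, _ = read_tlv(body)  # unwrap and re-check the inner tag
    if tag != TAG_UTF8:
        raise ValueError(f"unsupported otherName value tag 0x{tag:02X}")
    return body.decode("utf-8")

# Constructed sample UPN (not a real identity), encoded both ways (assumed shapes).
SAN_UTF8 = other_name(tlv(TAG_UTF8, b"0000000000@example.test"))
SAN_OCTET = other_name(tlv(TAG_OCTET, tlv(TAG_UTF8, b"0000000000@example.test")))
```

Running strict_utf8_value on SAN_OCTET raises the same kind of type mismatch the trace reports, while lenient_utf8_value returns the UPN from both encodings and still rejects anything that is not ultimately a UTF8String.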