feat(saml): implementation of saml for ZITADEL v2 (#3618)

2025-08-11 21:37:32 +00:00 · 2022-09-12 17:18:08 +01:00
parent 01a92ba5d9
commit 7a5f7f82cf
134 changed files with 5570 additions and 1293 deletions
--- a/internal/crypto/rsa.go
+++ b/internal/crypto/rsa.go
@@ -1,11 +1,16 @@
 package crypto

 import (
+	"bytes"
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/x509"
+	"crypto/x509/pkix"
 	"encoding/pem"
 	"errors"
+	"fmt"
+	"math/big"
+	"time"
 )

 func GenerateKeyPair(bits int) (*rsa.PrivateKey, *rsa.PublicKey, error) {
@@ -24,6 +29,104 @@ func GenerateEncryptedKeyPair(bits int, alg EncryptionAlgorithm) (*CryptoValue,
 	return EncryptKeys(privateKey, publicKey, alg)
 }

+type CertificateInformations struct {
+	SerialNumber *big.Int
+	Organisation []string
+	CommonName   string
+	NotBefore    time.Time
+	NotAfter     time.Time
+	KeyUsage     x509.KeyUsage
+	ExtKeyUsage  []x509.ExtKeyUsage
+}
+
+func GenerateEncryptedKeyPairWithCACertificate(bits int, keyAlg, certAlg EncryptionAlgorithm, informations *CertificateInformations) (*CryptoValue, *CryptoValue, *CryptoValue, error) {
+	privateKey, publicKey, cert, err := GenerateCACertificate(bits, informations)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+	encryptPriv, encryptPub, encryptCaCert, err := EncryptKeysAndCert(privateKey, publicKey, cert, keyAlg, certAlg)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+	return encryptPriv, encryptPub, encryptCaCert, nil
+}
+
+func GenerateEncryptedKeyPairWithCertificate(bits int, keyAlg, certAlg EncryptionAlgorithm, caPrivateKey *rsa.PrivateKey, caCertificate []byte, informations *CertificateInformations) (*CryptoValue, *CryptoValue, *CryptoValue, error) {
+	privateKey, publicKey, cert, err := GenerateCertificate(bits, caPrivateKey, caCertificate, informations)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+	encryptPriv, encryptPub, encryptCaCert, err := EncryptKeysAndCert(privateKey, publicKey, cert, keyAlg, certAlg)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+	return encryptPriv, encryptPub, encryptCaCert, nil
+}
+
+func GenerateCACertificate(bits int, informations *CertificateInformations) (*rsa.PrivateKey, *rsa.PublicKey, []byte, error) {
+	return generateCertificate(bits, nil, nil, informations)
+}
+
+func GenerateCertificate(bits int, caPrivateKey *rsa.PrivateKey, ca []byte, informations *CertificateInformations) (*rsa.PrivateKey, *rsa.PublicKey, []byte, error) {
+	return generateCertificate(bits, caPrivateKey, ca, informations)
+}
+
+func generateCertificate(bits int, caPrivateKey *rsa.PrivateKey, ca []byte, informations *CertificateInformations) (*rsa.PrivateKey, *rsa.PublicKey, []byte, error) {
+	notBefore := time.Now()
+	if !informations.NotBefore.IsZero() {
+		notBefore = informations.NotBefore
+	}
+	cert := &x509.Certificate{
+		SerialNumber: informations.SerialNumber,
+		Subject: pkix.Name{
+			CommonName:   informations.CommonName,
+			Organization: informations.Organisation,
+		},
+		NotBefore:   notBefore,
+		NotAfter:    informations.NotAfter,
+		KeyUsage:    informations.KeyUsage,
+		ExtKeyUsage: informations.ExtKeyUsage,
+	}
+
+	certPrivKey, err := rsa.GenerateKey(rand.Reader, bits)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	certBytes := make([]byte, 0)
+	if ca == nil {
+		cert.IsCA = true
+		cert.BasicConstraintsValid = true
+
+		certBytes, err = x509.CreateCertificate(rand.Reader, cert, cert, &certPrivKey.PublicKey, certPrivKey)
+		if err != nil {
+			return nil, nil, nil, err
+		}
+	} else {
+		caCert, err := x509.ParseCertificate(ca)
+		if err != nil {
+			return nil, nil, nil, err
+		}
+
+		certBytes, err = x509.CreateCertificate(rand.Reader, cert, caCert, &certPrivKey.PublicKey, caPrivateKey)
+		if err != nil {
+			return nil, nil, nil, err
+		}
+	}
+
+	x509Cert, err := x509.ParseCertificate(certBytes)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	certPem, err := CertificateToBytes(x509Cert)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	return certPrivKey, &certPrivKey.PublicKey, certPem, nil
+}
+
 func PrivateKeyToBytes(priv *rsa.PrivateKey) []byte {
 	return pem.EncodeToMemory(
 		&pem.Block{
@@ -101,3 +204,34 @@ func EncryptKeys(privateKey *rsa.PrivateKey, publicKey *rsa.PublicKey, alg Encry
 	}
 	return encryptedPrivateKey, encryptedPublicKey, nil
 }
+
+func CertificateToBytes(cert *x509.Certificate) ([]byte, error) {
+	certPem := new(bytes.Buffer)
+	if err := pem.Encode(certPem, &pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: cert.Raw,
+	}); err != nil {
+		return nil, err
+	}
+	return certPem.Bytes(), nil
+}
+
+func BytesToCertificate(data []byte) ([]byte, error) {
+	block, _ := pem.Decode(data)
+	if block == nil || block.Type != "CERTIFICATE" {
+		return nil, fmt.Errorf("failed to decode PEM block containing public key")
+	}
+	return block.Bytes, nil
+}
+
+func EncryptKeysAndCert(privateKey *rsa.PrivateKey, publicKey *rsa.PublicKey, cert []byte, keyAlg, certAlg EncryptionAlgorithm) (*CryptoValue, *CryptoValue, *CryptoValue, error) {
+	encryptedPrivateKey, encryptedPublicKey, err := EncryptKeys(privateKey, publicKey, keyAlg)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+	encryptedCertificate, err := Encrypt(cert, certAlg)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+	return encryptedPrivateKey, encryptedPublicKey, encryptedCertificate, nil
+}