Version 3.5.7 UpdateX509 Not Compatible with Keycloak 26.1.2 and BouncyCastle FIPS
When using version 3.5.7 and Keycloak 26.1.2 in FIPS-enabled mode (BouncyCastle FIPS libraries), the UpdateX509 action crashes:
2025-03-04 14:54:36,895 INFO [dod.p1.keycloak.registration.X509Tools] (executor-thread-192) ZacsOCSPProvider Mode Set: false
2025-03-04 14:54:36,895 INFO [dod.p1.keycloak.registration.X509Tools] (executor-thread-192) P1_X509_TOOLS_GET_X509_IDENTITY_FROM_CHAIN_d51cf4a6-5363-4ac2-85ff-89c45d9d3e3a checking cert policy 2.16.840.1.101.2.1.11.42
2025-03-04 14:54:36,895 ERROR [org.keycloak.crypto.fips.BCFIPSUserIdentityExtractorProvider] (executor-thread-192) Failed to parse subjectAltName: java.lang.IllegalArgumentException: illegal object in getInstance: org.bouncycastle.asn1.DEROctetString
at org.bouncycastle.asn1.DERUTF8String.getInstance(Unknown Source)
at org.keycloak.crypto.fips.BCFIPSUserIdentityExtractorProvider$SubjectAltNameExtractorBCProvider.extractUserIdentity(BCFIPSUserIdentityExtractorProvider.java:169)
at dod.p1.keycloak.registration.X509Tools.lambda$getX509IdentityFromCertChain$2(X509Tools.java:300)
at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)
at java.base/java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:179)
at java.base/java.util.HashMap$ValueSpliterator.tryAdvance(HashMap.java:1808)
at java.base/java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:129)
at java.base/java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:527)
at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:513)
at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
at java.base/java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:150)
at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
at java.base/java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:647)
at dod.p1.keycloak.registration.X509Tools.getX509IdentityFromCertChain(X509Tools.java:301)
at dod.p1.keycloak.registration.X509Tools.getX509Identity(X509Tools.java:326)
at dod.p1.keycloak.registration.X509Tools.getX509Username(X509Tools.java:109)
at dod.p1.keycloak.registration.X509Tools.isX509Registered(X509Tools.java:68)
at dod.p1.keycloak.registration.X509Tools.isX509Registered(X509Tools.java:94)
at dod.p1.keycloak.registration.UpdateX509.evaluateTriggers(UpdateX509.java:64)
at org.keycloak.services.managers.AuthenticationManager.evaluateRequiredAction(AuthenticationManager.java:1463)
at org.keycloak.services.managers.AuthenticationManager.lambda$evaluateRequiredActionTriggers$19(AuthenticationManager.java:1434)
at java.base/java.util.stream.ForEachOps$ForEachOp$OfRef.accept(ForEachOps.java:184)
at java.base/java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:179)
at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)
at java.base/java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:179)
at java.base/java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:179)
at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1708)
at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509)
at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
--
at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:635)
at org.jboss.threads.EnhancedQueueExecutor$Task.doRunWith(EnhancedQueueExecutor.java:2516)
at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2495)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1521)
at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:11)
at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:11)
at io.netty.util.concurrent.FastThreadLocalRunnable.
I understand that 3.5.7 is not intended to support Keycloak 26, but my team had to upgrade to be compliant with IAVA releases. Simply upgrading the plugin might fix this.
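The trace above shows DERUTF8String.getInstance being handed a DEROctetString while the FIPS identity extractor walks subjectAltName. The example below is added here and is not code from the issue, from Keycloak or from the dod.p1 plugin: a stdlib-only DER walker over a constructed SubjectAltName that reproduces the failure pattern and contrasts it with an extractor that selects the otherName by its type-id OID before decoding the value. It assumes a PIV/CAC-style certificate that carries a pivFASC-N otherName (OID 2.16.840.1.101.3.6.6, whose value is an OCTET STRING) next to the userPrincipalName otherName (OID 1.3.6.1.4.1.311.20.2.3, a UTF8String); that this is what the reporter's certificate hit is an assumption consistent with the trace, not something the issue confirms. The principal name and FASC-N bytes are made up.

```python
# Added example, not from the issue, Keycloak or the plugin. Minimal DER walker
# over a constructed SubjectAltName: an extractor that parses every otherName
# value as UTF8String fails on an OCTET STRING otherName (the pattern in the
# trace); selecting on the type-id OID first does not. The two OIDs are the real
# UPN and PIV FASC-N identifiers; the sample values are constructed.

UPN_OID = "1.3.6.1.4.1.311.20.2.3"   # userPrincipalName, value UTF8String
FASCN_OID = "2.16.840.1.101.3.6.6"   # pivFASC-N, value OCTET STRING (assumed trigger)

TAG_OCTET_STRING = 0x04
TAG_OID = 0x06
TAG_UTF8STRING = 0x0C
TAG_SEQUENCE = 0x30
TAG_CTX0_CONS = 0xA0   # [0] constructed: GeneralName.otherName and the EXPLICIT value


def der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_length(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        groups = [arc & 0x7F]          # base-128, high bit set on all but the last byte
        arc >>= 7
        while arc:
            groups.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(groups))
    return tlv(TAG_OID, bytes(out))


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def other_name(oid: str, value: bytes) -> bytes:
    # otherName [0] IMPLICIT SEQUENCE { type-id OID, value [0] EXPLICIT ANY }
    return tlv(TAG_CTX0_CONS, encode_oid(oid) + tlv(TAG_CTX0_CONS, value))


def san(*general_names: bytes) -> bytes:
    return tlv(TAG_SEQUENCE, b"".join(general_names))


def iter_other_names(san_der: bytes):
    """Yield (type-id, value tag, value body) for each otherName in a SAN."""
    _, names, _ = read_tlv(san_der)
    pos = 0
    while pos < len(names):
        tag, gn, pos = read_tlv(names, pos)
        if tag != TAG_CTX0_CONS:
            continue                                  # dNSName, rfc822Name, ...
        _, oid_body, p = read_tlv(gn)
        _, explicit, _ = read_tlv(gn, p)
        vtag, vbody, _ = read_tlv(explicit)
        yield decode_oid(oid_body), vtag, vbody


class IllegalArgumentException(Exception):
    pass


def strict_upn(san_der: bytes):
    """Decode every otherName value as UTF8String before checking its OID."""
    for oid, vtag, vbody in iter_other_names(san_der):
        if vtag != TAG_UTF8STRING:
            raise IllegalArgumentException(f"illegal object in getInstance: tag 0x{vtag:02x}")
        if oid == UPN_OID:
            return vbody.decode("utf-8")
    return None


def upn_by_oid(san_der: bytes):
    """Select the UPN otherName by OID; only that value is decoded as UTF8String."""
    for oid, vtag, vbody in iter_other_names(san_der):
        if oid == UPN_OID and vtag == TAG_UTF8STRING:
            return vbody.decode("utf-8")
    return None


# Constructed sample SANs: FASC-N before the UPN, and the reverse order.
FASCN = other_name(FASCN_OID, tlv(TAG_OCTET_STRING, bytes(range(25))))
UPN = other_name(UPN_OID, tlv(TAG_UTF8STRING, b"1234567890@mil"))
SAN_FASCN_FIRST = san(FASCN, UPN)
SAN_UPN_FIRST = san(UPN, FASCN)

if __name__ == "__main__":
    print(upn_by_oid(SAN_FASCN_FIRST))
    try:
        strict_upn(SAN_FASCN_FIRST)
    except IllegalArgumentException as e:
        print("strict extractor:", e)
```

The strict extractor succeeds when the UPN happens to precede the OCTET STRING otherName and fails when it follows it, so the outcome depends on the issuing CA's SAN ordering rather than on the certificate being valid; the OID-first version is the behaviour to confirm in whichever plugin or Keycloak version you upgrade to.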