-
Notifications
You must be signed in to change notification settings - Fork 8
/
1.oid4vci_test_deployment.sh
executable file
·216 lines (176 loc) · 11.3 KB
/
1.oid4vci_test_deployment.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
#!/bin/bash
# Source common env variables
. load_env.sh
# Ensure keycloak with oid4vc-vci profile is running
# Function to get the Keycloak PID based on the OS
get_keycloak_pid() {
if [[ "$OSTYPE" == "darwin"* ]]; then
# macOS
echo $(ps aux | grep -i '[q]uarkus' | awk '{print $2}')
else
# Linux
echo $(ps aux | grep -i '[k]eycloak' | awk '{print $2}')
fi
}
# Get the Keycloak PID
keycloak_pid=$(get_keycloak_pid)
# Check if Keycloak is running
if [ -z "$keycloak_pid" ]; then
echo "Keycloak not running. Start Keycloak using 0.start-kc-oid4vci first..."
exit 1
fi
echo "Keycloak is running with PID: $keycloak_pid"
# Get admin token using environment variables for credentials
echo "Obtaining admin token..."
$KC_INSTALL_DIR/bin/kcadm.sh config truststore --trustpass $KC_TRUST_STORE_PASS $KC_TRUST_STORE
$KC_INSTALL_DIR/bin/kcadm.sh config credentials --server $KEYCLOAK_ADMIN_ADDR --realm master --user $KEYCLOAK_ADMIN --password $KEYCLOAK_ADMIN_PASSWORD
# Create new realm
$KC_INSTALL_DIR/bin/kcadm.sh create realms -s realm=$KEYCLOAK_REALM -s enabled=true
# Collect the 4 active keys to be disabled.
RSA_OAEP_KID=$($KC_INSTALL_DIR/bin/kcadm.sh get keys -r $KEYCLOAK_REALM --fields 'active(RSA-OAEP)' | jq -r '.active."RSA-OAEP"')
RSA_OAEP_PROV_ID=$($KC_INSTALL_DIR/bin/kcadm.sh get keys -r $KEYCLOAK_REALM | jq --arg kid "$RSA_OAEP_KID" '.keys[] | select(.kid == $kid)' | jq -r '.providerId')
echo "Generated RSA-OAEP key will be disabled... KID=$RSA_OAEP_KID PROV_ID=$RSA_OAEP_PROV_ID"
# HS512_KID=$($KC_INSTALL_DIR/bin/kcadm.sh get keys --fields 'active(HS512)' | jq -r '.active.HS512')
# HS512_PROV_ID=$($KC_INSTALL_DIR/bin/kcadm.sh get keys | jq --arg kid "$HS512_KID" '.keys[] | select(.kid == $kid)' | jq -r '.providerId')
# echo "Generated HS512 key will be disbled... KID=$HS512_KID PROV_ID=$HS512_PROV_ID"
RS256_KID=$($KC_INSTALL_DIR/bin/kcadm.sh get keys -r $KEYCLOAK_REALM --fields 'active(RS256)' | jq -r '.active.RS256')
RS256_PROV_ID=$($KC_INSTALL_DIR/bin/kcadm.sh get keys -r $KEYCLOAK_REALM | jq --arg kid "$RS256_KID" '.keys[] | select(.kid == $kid)' | jq -r '.providerId')
echo "Generated RS256 key will be disabled... KID=$RS256_KID PROV_ID=$RS256_PROV_ID"
# AES_KID=$($KC_INSTALL_DIR/bin/kcadm.sh get keys --fields 'active(AES)' | jq -r '.active.AES')
# AES_PROV_ID=$($KC_INSTALL_DIR/bin/kcadm.sh get keys | jq --arg kid "$AES_KID" '.keys[] | select(.kid == $kid)' | jq -r '.providerId')
# echo "Generated AES key will be disbled... KID=$AES_KID PROV_ID=$AES_PROV_ID"
# Keystore must have been set up at build time.
# Find relative path for the following config to remain valid
# should the database be reconnected to a dockerized Keycloak.
cd $KC_INSTALL_DIR
KEYCLOAK_KEYSTORE_FILE="../../$(basename $KEYCLOAK_KEYSTORE_FILE)"
# Add concret info and passwords to key provider
echo "Configuring ecdsa key provider..."
ECDSA_KEY_PROVIDER=$(cat $WORK_DIR/issuer_key_ecdsa.json | \
jq --arg keystore "$KEYCLOAK_KEYSTORE_FILE" \
--arg keystorePassword "$KEYCLOAK_KEYSTORE_PASSWORD" \
--arg keystoreType "$KEYCLOAK_KEYSTORE_TYPE" \
--arg keyAlias "$KEYCLOAK_KEYSTORE_ECDSA_KEY_ALIAS" \
--arg keyPassword "$KEYCLOAK_KEYSTORE_PASSWORD" \
'.config.keystore = [$keystore] |
.config.keystorePassword = [$keystorePassword] |
.config.keystoreType = [$keystoreType] |
.config.keyAlias = [$keyAlias] |
.config.keyPassword = [$keyPassword]')
echo "Configuring rsa signing key provider..."
RSA_KEY_PROVIDER=$(cat $WORK_DIR/issuer_key_rsa.json | \
jq --arg keystore "$KEYCLOAK_KEYSTORE_FILE" \
--arg keystorePassword "$KEYCLOAK_KEYSTORE_PASSWORD" \
--arg keystoreType "$KEYCLOAK_KEYSTORE_TYPE" \
--arg keyAlias "$KEYCLOAK_KEYSTORE_RSA_SIG_KEY_ALIAS" \
--arg keyPassword "$KEYCLOAK_KEYSTORE_PASSWORD" \
'.config.keystore = [$keystore] |
.config.keystorePassword = [$keystorePassword] |
.config.keystoreType = [$keystoreType] |
.config.keyAlias = [$keyAlias] |
.config.keyPassword = [$keyPassword]')
echo "Configuring rsa enc key provider..."
RSA_ENC_KEY_PROVIDER=$(cat $WORK_DIR/encryption_key_rsa.json | \
jq --arg keystore "$KEYCLOAK_KEYSTORE_FILE" \
--arg keystorePassword "$KEYCLOAK_KEYSTORE_PASSWORD" \
--arg keystoreType "$KEYCLOAK_KEYSTORE_TYPE" \
--arg keyAlias "$KEYCLOAK_KEYSTORE_RSA_ENC_KEY_ALIAS" \
--arg keyPassword "$KEYCLOAK_KEYSTORE_PASSWORD" \
'.config.keystore = [$keystore] |
.config.keystorePassword = [$keystorePassword] |
.config.keystoreType = [$keystoreType] |
.config.keyAlias = [$keyAlias] |
.config.keyPassword = [$keyPassword]')
# echo "Configuring hmac signature key provider..."
# HMAC_SIG_KEY_ID=$(uuidgen)
# less $WORK_DIR/signature_key_hmac.json | \
# jq --arg keystore "$KEYCLOAK_KEYSTORE_FILE" \
# --arg keystorePassword "$KEYCLOAK_KEYSTORE_PASSWORD" \
# --arg keystoreType "$KEYCLOAK_KEYSTORE_TYPE" \
# --arg keyAlias "$KEYCLOAK_KEYSTORE_HMAC_SIG_KEY_ALIAS" \
# --arg kid "$HMAC_SIG_KEY_ID" \
# --arg keyPassword "$KEYCLOAK_KEYSTORE_PASSWORD" \
# '.config.keystore = [$keystore] |
# .config.keystorePassword = [$keystorePassword] |
# .config.keystoreType = [$keystoreType] |
# .config.keyAlias = [$keyAlias] |
# .config.kid = [$kid] |
# .config.keyPassword = [$keyPassword]' \
# > $TARGET_DIR/signature_key_hmac-tmp.json
# echo "Configuring aes enc key provider..."
# AES_ENC_KEY_ID=$(uuidgen)
# less $WORK_DIR/encryption_key_aes.json | \
# jq --arg keystore "$KEYCLOAK_KEYSTORE_FILE" \
# --arg keystorePassword "$KEYCLOAK_KEYSTORE_PASSWORD" \
# --arg keystoreType "$KEYCLOAK_KEYSTORE_TYPE" \
# --arg keyAlias "$KEYCLOAK_KEYSTORE_AES_ENC_KEY_ALIAS" \
# --arg kid "$AES_ENC_KEY_ID" \
# --arg keyPassword "$KEYCLOAK_KEYSTORE_PASSWORD" \
# '.config.keystore = [$keystore] |
# .config.keystorePassword = [$keystorePassword] |
# .config.keystoreType = [$keystoreType] |
# .config.keyAlias = [$keyAlias] |
# .config.kid = [$kid] |
# .config.keyPassword = [$keyPassword]' \
# > $TARGET_DIR/encryption_key_aes-tmp.json
# Register the EC-key with Keycloak
echo "Registering issuer key ecdsa..."
echo "$ECDSA_KEY_PROVIDER" | $KC_INSTALL_DIR/bin/kcadm.sh create components -r $KEYCLOAK_REALM -o -f - || { echo 'ECDSA Issuer Key registration failed' ; exit 1; }
echo "Registering issuer key rsa..."
echo "$RSA_KEY_PROVIDER" | $KC_INSTALL_DIR/bin/kcadm.sh create components -r $KEYCLOAK_REALM -o -f - || { echo 'RSA Issuer Key registration failed' ; exit 1; }
echo "Registering encryption key rsa..."
echo "$RSA_ENC_KEY_PROVIDER" | $KC_INSTALL_DIR/bin/kcadm.sh create components -r $KEYCLOAK_REALM -o -f - || { echo 'RSA Encryption Key registration failed' ; exit 1; }
# echo "Registering signature key hmac..."
# $KC_INSTALL_DIR/bin/kcadm.sh create components -r $KEYCLOAK_REALM -o -f - < $TARGET_DIR/signature_key_hmac-tmp.json || { echo 'Hmac Signature Key registration failed' ; exit 1; }
# echo "Registering issuer key ecdsa..."
# $KC_INSTALL_DIR/bin/kcadm.sh create components -r $KEYCLOAK_REALM -o -f - < $TARGET_DIR/encryption_key_aes-tmp.json || { echo 'AES Encryption Key registration failed' ; exit 1; }
# Disable generated keys
echo "Deactivating generated RSA-OAEP... KID=$RSA_OAEP_KID PROV_ID=$RSA_OAEP_PROV_ID"
$KC_INSTALL_DIR/bin/kcadm.sh update components/$RSA_OAEP_PROV_ID -r $KEYCLOAK_REALM -s 'config.active=["false"]' || { echo 'Updating RSA_OAEP provider failed' ; exit 1; }
$KC_INSTALL_DIR/bin/kcadm.sh get keys -r $KEYCLOAK_REALM | jq --arg kid "$RSA_OAEP_KID" '.keys[] | select(.kid == $kid)'
# echo "Deactivating generated HS512 key... KID=$HS512_KID PROV_ID=$HS512_PROV_ID"
# $KC_INSTALL_DIR/bin/kcadm.sh update components/$HS512_PROV_ID -s 'config.active=["false"]' || { echo 'Updating HS512 provider failed' ; exit 1; }
# $KC_INSTALL_DIR/bin/kcadm.sh get keys | jq --arg kid "$HS512_KID" '.keys[] | select(.kid == $kid)'
echo "Deactivating generated RS256 key... KID=$RS256_KID PROV_ID=$RS256_PROV_ID"
$KC_INSTALL_DIR/bin/kcadm.sh update components/$RS256_PROV_ID -r $KEYCLOAK_REALM -s 'config.active=["false"]' || { echo 'Updating RS256 provider failed' ; exit 1; }
$KC_INSTALL_DIR/bin/kcadm.sh get keys -r $KEYCLOAK_REALM | jq --arg kid "$RS256_KID" '.keys[] | select(.kid == $kid)'
# echo "Deactivating generated AES key will... KID=$AES_KID PROV_ID=$AES_PROV_ID"
# $KC_INSTALL_DIR/bin/kcadm.sh update components/$AES_PROV_ID -s 'config.active=["false"]' || { echo 'Updating AES provider failed' ; exit 1; }
# $KC_INSTALL_DIR/bin/kcadm.sh get keys | jq --arg kid "$AES_KID" '.keys[] | select(.kid == $kid)'
# Create the signing service component for SteuerberaterCredential
echo "Creating signing service component for SteuerberaterCredential..."
SIGNING_SERVICE_TEST_CRED=$(cat $WORK_DIR/signing_service-SteuerberaterCredential.json)
echo "$SIGNING_SERVICE_TEST_CRED" | $KC_INSTALL_DIR/bin/kcadm.sh create components -r $KEYCLOAK_REALM -o -f - || { echo 'Could not create signing service component for SteuerberaterCredential' ; exit 1; }
echo "Creating signing service component for IdentityCredential..."
SIGNING_SERVICE_IDENTITYCRED=$(cat $WORK_DIR/signing_service-IdentityCredential.json)
echo "$SIGNING_SERVICE_IDENTITYCRED" | $KC_INSTALL_DIR/bin/kcadm.sh create components -r $KEYCLOAK_REALM -o -f - || { echo 'Could not create signing service component for IdentityCredential' ; exit 1; }
# Create client for oid4vci
echo "Creating OID4VCI client..."
OID4VCI_CLIENT=$(cat $WORK_DIR/client-oid4vc.json)
echo "$OID4VCI_CLIENT" | $KC_INSTALL_DIR/bin/kcadm.sh create clients -r $KEYCLOAK_REALM -o -f - || { echo 'OID4VCIClient creation failed' ; exit 1; }
# Passing openid4vc-rest-api.json to jq to fill it with the secret before exporting config to keycloak
CONFIG=$(cat $WORK_DIR/openid4vc-rest-api.json | jq --arg CLIENT_SECRET "$CLIENT_SECRET" '.secret = $CLIENT_SECRET')
# Create client for openid4vc-rest-api
echo "Creating OPENID4VC-REST-API client..."
echo "$CONFIG" | $KC_INSTALL_DIR/bin/kcadm.sh create clients -r $KEYCLOAK_REALM -o -f - || { echo 'OPENID4VC-REST-API client creation failed' ; exit 1; }
# Clear the CONFIG variable
unset CONFIG
# Add realm attribute issuerDid
echo "Updating realm attributes for issuerDid..."
$KC_INSTALL_DIR/bin/kcadm.sh update realms/$KEYCLOAK_REALM -s attributes.issuerDid=$ISSUER_DID || { echo 'Could not set issuer did' ; exit 1; }
# Increase lifespan of preauth code
echo "Updating realm attributes for preAuthorizedCodeLifespanS..."
$KC_INSTALL_DIR/bin/kcadm.sh update realms/$KEYCLOAK_REALM -s attributes.preAuthorizedCodeLifespanS=120 || { echo 'Could not set preAuthorizedCodeLifespanS' ; exit 1; }
# Check server status and oid4vc-vci feature
response=$(curl -k -s $KEYCLOAK_ADMIN_ADDR/realms/$KEYCLOAK_REALM/.well-known/openid-credential-issuer)
if ! jq -e '."credential_configurations_supported"."SteuerberaterCredential"' <<< "$response" > /dev/null; then
echo "Server started but error occurred. 'SteuerberaterCredential' not found in OID4VCI configuration."
exit 1 # Exit with an error code
fi
if ! jq -e '."credential_configurations_supported"."IdentityCredential"' <<< "$response" > /dev/null; then
echo "Server started but error occurred. 'IdentityCredential' not found in OID4VCI configuration."
exit 1 # Exit with an error code
fi
# Server is up and OID4VCI feature with 'SteuerberaterCredential' seems installed
echo "Keycloak server is running with OID4VCI feature and credentials 'SteuerberaterCredential, IdentityCredential' configured."
echo "Deployment script completed."