diff --git a/docs/documentation/upgrading/topics/changes/changes-26_0_0.adoc b/docs/documentation/upgrading/topics/changes/changes-26_0_0.adoc
index d74fa1823fb..d7f507213cb 100644
--- a/docs/documentation/upgrading/topics/changes/changes-26_0_0.adoc
+++ b/docs/documentation/upgrading/topics/changes/changes-26_0_0.adoc
@@ -136,6 +136,14 @@ This endpoint supports filters and pagination.
= CLI import placeholder replacement
-The CLI command `kc.[sh|bat] import` now has placeholder replacement enabled. Previously placeholder replacement was only enabled for realm import at startup.
+The CLI command `kc.[sh|bat] import` now has placeholder replacement enabled. Previously placeholder replacement was only enabled for realm import at startup.
If you wish to disable placeholder replacement for the `import` command, add the system property `-Dkeycloak.migration.replace-placeholders=false`
+
+= Keystore and trust store default format change
+
+{project_name} now determines the format of the keystore and trust store based on the file extension. If the file extension is `.p12`, `.pkcs12` or `.pfx`, the format is PKCS12. If the file extension is `.jks`, `.keystore` or `.truststore`, the format is JKS. If the file extension is `.pem`, `.crt` or `.key`, the format is PEM.
+
+You can still override automatic detection by specifying the `https-key-store-type` and `https-trust-store-type` explicitly. The same applies to the management interface and its `https-management-key-store-type`. Restrictions for the FIPS strict mode stay unchanged.
+
+NOTE: The `+spi-truststore-file-*+` options and the truststore related options `+https-trust-store-*+` are deprecated, we strongly recommend to use System Truststore. For more details refer to the relevant https://www.keycloak.org/server/keycloak-truststore[guide].
diff --git a/operator/pom.xml b/operator/pom.xml
index 6d4b6cc1f48..f37ab5b4437 100644
--- a/operator/pom.xml
+++ b/operator/pom.xml
@@ -165,7 +165,7 @@
- true
+ true
diff --git a/pom.xml b/pom.xml
index b5f81e0b6ec..a5919edbf83 100644
--- a/pom.xml
+++ b/pom.xml
@@ -51,8 +51,8 @@
jboss-snapshots-repository
https://s01.oss.sonatype.org/content/repositories/snapshots/
- 3.8.5
- 3.8.5
+ 3.13.2
+ 3.13.2
${timestamp}
@@ -111,7 +111,7 @@
2.0.0.Final
1.2.17
4.7.7.Final
- 6.2.7.Final
+ 6.2.9.Final
${resteasy.version}
20240325.1
2.0.6
@@ -124,7 +124,7 @@
${undertow-legacy.version}
2.2.24.Final
2.3.2.Final
- 2.2.3.Final
+ 2.5.0.Final
1.9.0.Final
6.0.3
1.5.4.Final-format-001
@@ -148,7 +148,7 @@
1.3.3
1.1
- 4.25.1
+ 4.27.0
1.0.2.Final
2.0.0.Final
4.1.2
@@ -159,12 +159,12 @@
16
16.1
2.3.1
- 42.7.2
+ 42.7.3
10.11
- 3.3.3
+ 3.4.0
2022-latest
- 12.4.2.jre11
+ 12.6.3.jre11
19.3
23.3.0.23.09
diff --git a/quarkus/config-api/src/main/java/org/keycloak/config/HttpOptions.java b/quarkus/config-api/src/main/java/org/keycloak/config/HttpOptions.java
index 8020f893899..f8d8883342c 100644
--- a/quarkus/config-api/src/main/java/org/keycloak/config/HttpOptions.java
+++ b/quarkus/config-api/src/main/java/org/keycloak/config/HttpOptions.java
@@ -87,7 +87,7 @@ public class HttpOptions {
public static final Option HTTPS_KEY_STORE_TYPE = new OptionBuilder<>("https-key-store-type", String.class)
.category(OptionCategory.HTTP)
.description("The type of the key store file. " +
- "If not given, the type is automatically detected based on the file name. " +
+ "If not given, the type is automatically detected based on the file extension. " +
"If '" + SecurityOptions.FIPS_MODE.getKey() + "' is set to '" + FipsMode.STRICT + "' and no value is set, it defaults to 'BCFKS'.")
.build();
@@ -106,7 +106,7 @@ public class HttpOptions {
public static final Option HTTPS_TRUST_STORE_TYPE = new OptionBuilder<>("https-trust-store-type", String.class)
.category(OptionCategory.HTTP)
.description("The type of the trust store file. " +
- "If not given, the type is automatically detected based on the file name. " +
+ "If not given, the type is automatically detected based on the file extension. " +
"If '" + SecurityOptions.FIPS_MODE.getKey() + "' is set to '" + FipsMode.STRICT + "' and no value is set, it defaults to 'BCFKS'.")
.deprecated("Use the System Truststore instead, see the docs for details.")
.build();
diff --git a/quarkus/deployment/src/main/java/org/keycloak/quarkus/deployment/KeycloakProcessor.java b/quarkus/deployment/src/main/java/org/keycloak/quarkus/deployment/KeycloakProcessor.java
index b24d7cdddd6..d8958d79bc6 100644
--- a/quarkus/deployment/src/main/java/org/keycloak/quarkus/deployment/KeycloakProcessor.java
+++ b/quarkus/deployment/src/main/java/org/keycloak/quarkus/deployment/KeycloakProcessor.java
@@ -22,7 +22,6 @@ import io.quarkus.agroal.spi.JdbcDataSourceBuildItem;
import io.quarkus.agroal.spi.JdbcDriverBuildItem;
import io.quarkus.arc.deployment.AnnotationsTransformerBuildItem;
import io.quarkus.arc.deployment.BuildTimeConditionBuildItem;
-import io.quarkus.arc.processor.AnnotationsTransformer;
import io.quarkus.bootstrap.logging.InitialConfigurator;
import io.quarkus.datasource.deployment.spi.DevServicesDatasourceResultBuildItem;
import io.quarkus.deployment.IsDevelopment;
@@ -50,10 +49,12 @@ import io.quarkus.vertx.http.deployment.RouteBuildItem;
import io.smallrye.config.ConfigValue;
import org.eclipse.microprofile.health.Readiness;
import org.hibernate.cfg.AvailableSettings;
+import org.hibernate.jpa.boot.spi.PersistenceUnitDescriptor;
import org.hibernate.jpa.boot.internal.ParsedPersistenceXmlDescriptor;
import org.hibernate.jpa.boot.internal.PersistenceXmlParser;
import org.jboss.jandex.AnnotationInstance;
import org.jboss.jandex.AnnotationTarget;
+import org.jboss.jandex.AnnotationTransformation;
import org.jboss.jandex.ClassInfo;
import org.jboss.jandex.DotName;
import org.jboss.jandex.IndexView;
@@ -318,7 +319,7 @@ class KeycloakProcessor {
List userManagedEntities = new ArrayList<>();
for (PersistenceXmlDescriptorBuildItem item : descriptors) {
- ParsedPersistenceXmlDescriptor descriptor = item.getDescriptor();
+ ParsedPersistenceXmlDescriptor descriptor = (ParsedPersistenceXmlDescriptor) item.getDescriptor();
if ("keycloak-default".equals(descriptor.getName())) {
defaultUnitDescriptor = descriptor;
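Review bot: The cast `(ParsedPersistenceXmlDescriptor) item.getDescriptor()` is unchecked; if a build item ever carries another `PersistenceUnitDescriptor` implementation (the later hunk already calls `getName` through the interface), this loop dies with a bare ClassCastException that does not say which unit was affected. A pattern match gives a clearer failure and keeps the local typed as before: `if (!(item.getDescriptor() instanceof ParsedPersistenceXmlDescriptor descriptor)) { throw new IllegalStateException("Unsupported persistence unit descriptor: " + item.getDescriptor()); }` — assuming this module compiles at a language level with pattern `instanceof` (16+), which I cannot confirm from the hunk. The enclosing method starts and ends outside the hunk.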
@@ -469,7 +470,7 @@ class KeycloakProcessor {
Map preConfiguredProviders, Spi spi) {
descriptors.stream()
.map(PersistenceXmlDescriptorBuildItem::getDescriptor)
- .map(ParsedPersistenceXmlDescriptor::getName)
+ .map(PersistenceUnitDescriptor::getName)
.filter(Predicate.not("keycloak-default"::equals)).forEach((String unitName) -> {
NamedJpaConnectionProviderFactory factory = new NamedJpaConnectionProviderFactory();
@@ -625,9 +626,9 @@ class KeycloakProcessor {
// bean without the @Readiness annotation so it won't be used as a health check on it's own.
@BuildStep
AnnotationsTransformerBuildItem disableDefaultDataSourceHealthCheck() {
- return new AnnotationsTransformerBuildItem(AnnotationsTransformer.appliedToClass()
+ return new AnnotationsTransformerBuildItem(AnnotationTransformation.forClasses()
.whenClass(c -> c.name().equals(DotName.createSimple(DataSourceHealthCheck.class)))
- .thenTransform(t -> t.remove(
+ .transform(t -> t.remove(
a -> a.name().equals(DotName.createSimple(Readiness.class)))));
}
diff --git a/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/cli/PropertyException.java b/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/cli/PropertyException.java
index 6b7bbadece6..fc493a93d16 100644
--- a/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/cli/PropertyException.java
+++ b/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/cli/PropertyException.java
@@ -23,4 +23,8 @@ public class PropertyException extends RuntimeException {
super(message);
}
+ public PropertyException(String message, Throwable throwable) {
+ super(message, throwable);
+ }
+
}
diff --git a/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/cli/command/Build.java b/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/cli/command/Build.java
index a4be7f0e386..fc5bb63b349 100644
--- a/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/cli/command/Build.java
+++ b/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/cli/command/Build.java
@@ -23,6 +23,7 @@ import static org.keycloak.quarkus.runtime.Environment.isDevProfile;
import static org.keycloak.quarkus.runtime.cli.Picocli.println;
import static org.keycloak.quarkus.runtime.configuration.ConfigArgsConfigSource.getAllCliArgs;
+import io.quarkus.runtime.LaunchMode;
import org.keycloak.config.OptionCategory;
import org.keycloak.quarkus.runtime.Environment;
import org.keycloak.quarkus.runtime.Messages;
@@ -31,7 +32,6 @@ import org.keycloak.quarkus.runtime.configuration.Configuration;
import io.quarkus.bootstrap.runner.QuarkusEntryPoint;
import io.quarkus.bootstrap.runner.RunnerClassLoader;
-import io.quarkus.runtime.configuration.ProfileManager;
import io.smallrye.config.ConfigValue;
import picocli.CommandLine;
import picocli.CommandLine.Command;
@@ -131,7 +131,7 @@ public final class Build extends AbstractCommand implements Runnable {
}
private void cleanTempResources() {
- if (!ProfileManager.getLaunchMode().isDevOrTest()) {
+ if (!LaunchMode.current().isDevOrTest()) {
// only needed for dev/testing purposes
getHomePath().resolve("quarkus-artifact.properties").toFile().delete();
}
diff --git a/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/ConfigArgsConfigSource.java b/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/ConfigArgsConfigSource.java
index 721e38e6ed4..f131bdf3140 100644
--- a/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/ConfigArgsConfigSource.java
+++ b/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/ConfigArgsConfigSource.java
@@ -30,6 +30,7 @@ import java.util.function.BiConsumer;
import java.util.function.Consumer;
import java.util.regex.Pattern;
+import io.smallrye.config.ConfigValue;
import io.smallrye.config.PropertiesConfigSource;
import org.keycloak.quarkus.runtime.cli.command.Main;
@@ -91,15 +92,14 @@ public class ConfigArgsConfigSource extends PropertiesConfigSource {
}
@Override
- public String getValue(String propertyName) {
- Map properties = getProperties();
- String value = properties.get(propertyName);
+ public ConfigValue getConfigValue(String propertyName) {
+ ConfigValue value = super.getConfigValue(propertyName);
if (value != null) {
return value;
}
- return properties.get(propertyName.replace(OPTION_PART_SEPARATOR_CHAR, '.'));
+ return super.getConfigValue(propertyName.replace(OPTION_PART_SEPARATOR_CHAR, '.'));
}
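Review bot: Replacing the `getValue(String)` override with `getConfigValue(String)` moves the `OPTION_PART_SEPARATOR_CHAR` to `.` fallback to a different entry point; whether `getValue` on this `PropertiesConfigSource` version is routed through `getConfigValue` is not visible here, and if it is not, a plain `getValue` lookup silently loses the fallback — worth confirming against the smallrye-config version pinned in this commit. The same question applies to the equivalent override in the `PersistedConfigSource` hunk. A one-line Javadoc on the override would also help the next reader, e.g. `/** Looks the property up as given and, failing that, with option separators mapped to '.'. */`. The enclosing class continues outside the hunk.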
private static Map parseArguments() {
diff --git a/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/KeycloakPropertiesConfigSource.java b/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/KeycloakPropertiesConfigSource.java
index a91feda9a1d..e09069bf906 100644
--- a/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/KeycloakPropertiesConfigSource.java
+++ b/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/KeycloakPropertiesConfigSource.java
@@ -63,7 +63,21 @@ public class KeycloakPropertiesConfigSource extends AbstractLocationConfigSource
@Override
protected ConfigSource loadConfigSource(URL url, int ordinal) throws IOException {
- return new PropertiesConfigSource(transform(ConfigSourceUtil.urlToMap(url)), url.toString(), ordinal);
+ // a workaround for https://github.com/smallrye/smallrye-config/issues/1207
+ // replace by the following line when fixed:
+ // return new PropertiesConfigSource(transform(ConfigSourceUtil.urlToMap(url)), url.toString(), ordinal);
+ var cs = new PropertiesConfigSource(transform(ConfigSourceUtil.urlToMap(url)), url.toString(), ordinal) {
+ private String name;
+ @Override
+ public String getName() {
+ return name;
+ }
+ public void setName(String name) {
+ this.name = name;
+ }
+ };
+ cs.setName(url.toString());
+ return cs;
}
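Review bot: The anonymous `PropertiesConfigSource` subclass returns `null` from `getName()` until `setName` is called, and the non-final `name` field plus a public setter make the workaround read as mutable state rather than a fixed value. Capturing the name in a final local before construction removes both the null window and the setter: captured locals are assigned before the superclass constructor runs, so the override answers correctly even if `getName()` is called during construction. Keep the issue link in the comment so the workaround can be dropped once smallrye-config is fixed. The enclosing class continues outside the hunk.
```java
    protected ConfigSource loadConfigSource(URL url, int ordinal) throws IOException {
        // workaround for https://github.com/smallrye/smallrye-config/issues/1207 (the name given to the
        // constructor is not what getName() reports); replace by the following line when fixed:
        // return new PropertiesConfigSource(transform(ConfigSourceUtil.urlToMap(url)), url.toString(), ordinal);
        final String sourceName = url.toString();
        return new PropertiesConfigSource(transform(ConfigSourceUtil.urlToMap(url)), sourceName, ordinal) {
            @Override
            public String getName() {
                return sourceName;
            }
        };
    }
```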
public static class InClassPath extends KeycloakPropertiesConfigSource implements ConfigSourceProvider {
diff --git a/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/PersistedConfigSource.java b/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/PersistedConfigSource.java
index ede35466acf..688846cdd61 100644
--- a/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/PersistedConfigSource.java
+++ b/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/PersistedConfigSource.java
@@ -32,6 +32,7 @@ import java.util.function.Supplier;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
+import io.smallrye.config.ConfigValue;
import io.smallrye.config.PropertiesConfigSource;
import org.keycloak.quarkus.runtime.Environment;
@@ -54,7 +55,7 @@ public final class PersistedConfigSource extends PropertiesConfigSource {
private static final ThreadLocal ENABLED = ThreadLocal.withInitial(() -> true);
private PersistedConfigSource() {
- super(readProperties(), "", 200);
+ super(readProperties(), NAME, 200);
}
public static PersistedConfigSource getInstance() {
@@ -67,15 +68,15 @@ public final class PersistedConfigSource extends PropertiesConfigSource {
}
@Override
- public String getValue(String propertyName) {
+ public ConfigValue getConfigValue(String propertyName) {
if (isEnabled()) {
- String value = super.getValue(propertyName);
+ ConfigValue value = super.getConfigValue(propertyName);
if (value != null) {
return value;
}
- return super.getValue(propertyName.replace(Configuration.OPTION_PART_SEPARATOR_CHAR, '.'));
+ return super.getConfigValue(propertyName.replace(Configuration.OPTION_PART_SEPARATOR_CHAR, '.'));
}
return null;
diff --git a/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/QuarkusPropertiesConfigSource.java b/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/QuarkusPropertiesConfigSource.java
index b04878816ba..d433739540d 100644
--- a/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/QuarkusPropertiesConfigSource.java
+++ b/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/QuarkusPropertiesConfigSource.java
@@ -57,7 +57,10 @@ public final class QuarkusPropertiesConfigSource extends AbstractLocationConfigS
return false;
}
- return NAME.equals(value.getConfigSourceName());
+ // workaround for https://github.com/smallrye/smallrye-config/issues/1207
+ // replace by the following line when fixed:
+ // return NAME.equals(value.getConfigSourceName());
+ return value.getConfigSourceName() != null && value.getConfigSourceName().endsWith(FILE_NAME);
}
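Review bot: The replacement `endsWith(FILE_NAME)` is a looser match than the exact `NAME` comparison it stands in for: any config source whose name merely ends with that file name (a same-named file from another location, or a name with a different prefix) is now attributed to this source, and the result presumably decides which file a value is credited to. If the source name is a URL string (the sibling `KeycloakPropertiesConfigSource` workaround in this commit sets it via `url.toString()`), anchoring on the path separator, `return value.getConfigSourceName() != null && value.getConfigSourceName().endsWith("/" + FILE_NAME);`, narrows the match while keeping the workaround; comparing against the path from `getConfigurationFile()` would be stricter still. The enclosing method starts outside the hunk.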
public static Path getConfigurationFile() {
diff --git a/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/mappers/HttpPropertyMappers.java b/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/mappers/HttpPropertyMappers.java
index 944d033fe60..439f90d3768 100644
--- a/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/mappers/HttpPropertyMappers.java
+++ b/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/mappers/HttpPropertyMappers.java
@@ -1,5 +1,7 @@
package org.keycloak.quarkus.runtime.configuration.mappers;
+import io.quarkus.vertx.http.runtime.CertificateConfig;
+import io.quarkus.vertx.http.runtime.options.TlsUtils;
import io.smallrye.config.ConfigSourceInterceptorContext;
import org.keycloak.common.crypto.FipsMode;
@@ -11,6 +13,7 @@ import org.keycloak.quarkus.runtime.cli.PropertyException;
import org.keycloak.quarkus.runtime.configuration.Configuration;
import java.io.File;
+import java.io.IOException;
import java.nio.file.Paths;
import java.util.Optional;
import java.util.function.BiFunction;
@@ -127,6 +130,52 @@ public final class HttpPropertyMappers {
public static void validateConfig() {
boolean enabled = isHttpEnabled(Configuration.getOptionalKcValue(HttpOptions.HTTP_ENABLED.getKey()));
+ boolean trustStoreFile = Configuration.getOptionalKcValue(HttpOptions.HTTPS_TRUST_STORE_FILE.getKey()).isPresent();
+ boolean keyStoreFile = Configuration.getOptionalKcValue(HttpOptions.HTTPS_KEY_STORE_FILE.getKey()).isPresent();
+
+ if (trustStoreFile) {
+ CertificateConfig config = new CertificateConfig();
+
+ config.trustStoreFile = Configuration.getOptionalKcValue(HttpOptions.HTTPS_TRUST_STORE_FILE.getKey()).map(Paths::get);
+ config.trustStorePassword = Configuration.getOptionalKcValue(HttpOptions.HTTPS_TRUST_STORE_PASSWORD.getKey());
+ config.trustStoreFileType = Configuration.getOptionalKcValue(HttpOptions.HTTPS_TRUST_STORE_TYPE.getKey());
+ config.trustStoreProvider = Configuration.getOptionalValue("quarkus.http.ssl.certificate.trust-store-provider");
+ config.trustStoreCertAlias = Configuration.getOptionalValue("quarkus.http.ssl.certificate.trust-store-cert-alias");
+ config.trustStoreFiles = Optional.empty();
+
+ try {
+ TlsUtils.computeTrustOptions(config, config.trustStorePassword);
+ } catch (IOException e) {
+ throw new PropertyException("Failed to load 'https-trust-store' material.", e);
+ } catch (IllegalArgumentException e) {
+ throw new PropertyException("Unable to determine 'https-trust-store-type' automatically. " +
+ "Adjust the file extension or specify the property.", e);
+ }
+ }
+
+ if (keyStoreFile) {
+ CertificateConfig config = new CertificateConfig();
+
+ config.keyStoreFile = Configuration.getOptionalKcValue(HttpOptions.HTTPS_KEY_STORE_FILE.getKey()).map(Paths::get);
+ config.keyStorePassword = Configuration.getOptionalKcValue(HttpOptions.HTTPS_KEY_STORE_PASSWORD.getKey());
+ config.keyStoreFileType = Configuration.getOptionalKcValue(HttpOptions.HTTPS_KEY_STORE_TYPE.getKey());
+ config.keyStoreProvider = Configuration.getOptionalValue("quarkus.http.ssl.certificate.key-store-provider");
+ config.keyStoreAlias = Configuration.getOptionalValue("quarkus.http.ssl.certificate.key-store-alias");
+ config.keyStoreAliasPassword = Configuration.getOptionalValue("quarkus.http.ssl.certificate.key-store-alias-password");
+ config.keyStoreAliasPasswordKey = Configuration.getOptionalValue("quarkus.http.ssl.certificate.key-store-alias-password-key");
+ config.keyStoreKeyAlias = Configuration.getOptionalValue("quarkus.http.ssl.certificate.key-store-key-alias");
+ config.keyFiles = Optional.empty();
+ config.files = Optional.empty();
+
+ try {
+ TlsUtils.computeKeyStoreOptions(config, config.keyStorePassword, config.keyStoreAliasPassword);
+ } catch (IOException e) {
+ throw new PropertyException("Failed to load 'https-key-store' material.", e);
+ } catch (IllegalArgumentException e) {
+ throw new PropertyException("Unable to determine 'https-key-store-type' automatically. " +
+ "Adjust the file extension or specify the property.", e);
+ }
+ }
if (!enabled) {
Optional value = Configuration.getOptionalKcValue(HttpOptions.HTTPS_CERTIFICATE_FILE.getKey());
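Review bot: In `validateConfig` the trust-store and key-store file options are each read twice — once for the `isPresent()` flag and again when filling `CertificateConfig`; keeping the `Optional` avoids the second lookup, e.g. `Optional<String> trustStoreFile = Configuration.getOptionalKcValue(HttpOptions.HTTPS_TRUST_STORE_FILE.getKey());`, `if (trustStoreFile.isPresent()) {` and `config.trustStoreFile = trustStoreFile.map(Paths::get);`, with the same shape for the key store. The `IllegalArgumentException` handlers also assume every such exception from `TlsUtils` means the store type could not be detected; if `TlsUtils` throws it for other invalid settings (alias, provider), the fixed message misleads, so consider appending `e.getMessage()` after the fixed text, which keeps the substring the FIPS test asserts on while exposing the real cause. Note that this validation opens the key store, including private key material, every time `validateConfig` runs; a short comment stating whether that is intended at build time as well as at start would help, since the method continues past the hunk and that context is not visible here.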
diff --git a/quarkus/runtime/src/main/resources/application.properties b/quarkus/runtime/src/main/resources/application.properties
index 06e86ee212b..ed44b1c173c 100644
--- a/quarkus/runtime/src/main/resources/application.properties
+++ b/quarkus/runtime/src/main/resources/application.properties
@@ -18,7 +18,7 @@ quarkus.transaction-manager.default-transaction-timeout=300
quarkus.arc.ignored-split-packages=org.keycloak.*
# No need to generate dependencies list
-quarkus.package.include-dependency-list=false
+quarkus.package.jar.include-dependency-list=false
# we do not want running dev services in distribution
quarkus.devservices.enabled=false
diff --git a/quarkus/server/src/main/resources/application.properties b/quarkus/server/src/main/resources/application.properties
index a679430a979..8936b963767 100644
--- a/quarkus/server/src/main/resources/application.properties
+++ b/quarkus/server/src/main/resources/application.properties
@@ -1,7 +1,7 @@
# Inherit all configuration from the default runtime settings and sets those specific to the distribution
quarkus.package.output-name=keycloak
-quarkus.package.type=mutable-jar
+quarkus.package.jar.type=mutable-jar
quarkus.package.output-directory=lib
-quarkus.package.user-providers-directory=../providers
+quarkus.package.jar.user-providers-directory=../providers
quarkus.package.main-class=keycloak
\ No newline at end of file
diff --git a/quarkus/tests/integration/pom.xml b/quarkus/tests/integration/pom.xml
index bd2901ffa0d..df7b4c9bc7c 100644
--- a/quarkus/tests/integration/pom.xml
+++ b/quarkus/tests/integration/pom.xml
@@ -117,6 +117,7 @@
-Djdk.net.hosts.file=${project.build.testOutputDirectory}/hosts_file -XX:+ExitOnOutOfMemoryError -XX:+HeapDumpOnOutOfMemoryError --add-opens=java.base/java.security=ALL-UNNAMED -Djava.util.concurrent.ForkJoinPool.common.threadFactory=io.quarkus.bootstrap.forkjoin.QuarkusForkJoinWorkerThreadFactory
${kc.quarkus.tests.dist}
+ org.jboss.logmanager.LogManager
diff --git a/quarkus/tests/integration/src/test/java/org/keycloak/it/cli/dist/FipsDistTest.java b/quarkus/tests/integration/src/test/java/org/keycloak/it/cli/dist/FipsDistTest.java
index 26786c0281e..cf16e198e3d 100644
--- a/quarkus/tests/integration/src/test/java/org/keycloak/it/cli/dist/FipsDistTest.java
+++ b/quarkus/tests/integration/src/test/java/org/keycloak/it/cli/dist/FipsDistTest.java
@@ -147,9 +147,19 @@ public class FipsDistTest {
RawKeycloakDistribution rawDist = dist.unwrap(RawKeycloakDistribution.class);
Path truststorePath = rawDist.getDistPath().resolve("conf").resolve("server.keystore").toAbsolutePath();
- // https-trust-store-type should be automatically set to pkcs12 in fips-mode=non-strict
CLIResult cliResult = dist.run("--verbose", "start", "--fips-mode=non-strict", "--https-key-store-password=passwordpassword",
"--https-trust-store-file=" + truststorePath, "--https-trust-store-password=passwordpassword");
+ cliResult.assertError("Unable to determine 'https-trust-store-type' automatically. Adjust the file extension or specify the property.");
+
+ dist.stop();
+
+ dist.copyOrReplaceFileFromClasspath("/server.keystore.pkcs12", Path.of("conf", "server.p12"));
+
+ rawDist = dist.unwrap(RawKeycloakDistribution.class);
+ truststorePath = rawDist.getDistPath().resolve("conf").resolve("server.p12").toAbsolutePath();
+
+ cliResult = dist.run("--verbose", "start", "--fips-mode=non-strict", "--https-key-store-password=passwordpassword",
+ "--https-trust-store-file=" + truststorePath, "--https-trust-store-password=passwordpassword");
cliResult.assertStarted();
});
}
diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelp.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelp.approved.txt
index f22a75ecaf1..e04de0ed5a0 100644
--- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelp.approved.txt
+++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelp.approved.txt
@@ -165,8 +165,8 @@ HTTP(S):
The password of the key store file. Default: password.
--https-key-store-type
The type of the key store file. If not given, the type is automatically
- detected based on the file name. If 'fips-mode' is set to 'strict' and no
- value is set, it defaults to 'BCFKS'.
+ detected based on the file extension. If 'fips-mode' is set to 'strict' and
+ no value is set, it defaults to 'BCFKS'.
--https-port The used HTTPS port. Default: 8443.
--https-protocols
The list of protocols to explicitly enable. Default: TLSv1.3,TLSv1.2.
@@ -179,7 +179,7 @@ HTTP(S):
instead, see the docs for details.
--https-trust-store-type
DEPRECATED. The type of the trust store file. If not given, the type is
- automatically detected based on the file name. If 'fips-mode' is set to
+ automatically detected based on the file extension. If 'fips-mode' is set to
'strict' and no value is set, it defaults to 'BCFKS'. Use the System
Truststore instead, see the docs for details.
diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelpAll.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelpAll.approved.txt
index 219e41e586c..f38f8bc5667 100644
--- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelpAll.approved.txt
+++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelpAll.approved.txt
@@ -237,8 +237,8 @@ HTTP(S):
The password of the key store file. Default: password.
--https-key-store-type
The type of the key store file. If not given, the type is automatically
- detected based on the file name. If 'fips-mode' is set to 'strict' and no
- value is set, it defaults to 'BCFKS'.
+ detected based on the file extension. If 'fips-mode' is set to 'strict' and
+ no value is set, it defaults to 'BCFKS'.
--https-port The used HTTPS port. Default: 8443.
--https-protocols
The list of protocols to explicitly enable. Default: TLSv1.3,TLSv1.2.
@@ -251,7 +251,7 @@ HTTP(S):
instead, see the docs for details.
--https-trust-store-type
DEPRECATED. The type of the trust store file. If not given, the type is
- automatically detected based on the file name. If 'fips-mode' is set to
+ automatically detected based on the file extension. If 'fips-mode' is set to
'strict' and no value is set, it defaults to 'BCFKS'. Use the System
Truststore instead, see the docs for details.
diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelp.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelp.approved.txt
index 057aab2d755..9fbadc571ad 100644
--- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelp.approved.txt
+++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelp.approved.txt
@@ -166,8 +166,8 @@ HTTP(S):
The password of the key store file. Default: password.
--https-key-store-type
The type of the key store file. If not given, the type is automatically
- detected based on the file name. If 'fips-mode' is set to 'strict' and no
- value is set, it defaults to 'BCFKS'.
+ detected based on the file extension. If 'fips-mode' is set to 'strict' and
+ no value is set, it defaults to 'BCFKS'.
--https-port The used HTTPS port. Default: 8443.
--https-protocols
The list of protocols to explicitly enable. Default: TLSv1.3,TLSv1.2.
@@ -180,7 +180,7 @@ HTTP(S):
instead, see the docs for details.
--https-trust-store-type
DEPRECATED. The type of the trust store file. If not given, the type is
- automatically detected based on the file name. If 'fips-mode' is set to
+ automatically detected based on the file extension. If 'fips-mode' is set to
'strict' and no value is set, it defaults to 'BCFKS'. Use the System
Truststore instead, see the docs for details.
diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelpAll.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelpAll.approved.txt
index 3e2150f6ed9..f02608e8ca7 100644
--- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelpAll.approved.txt
+++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelpAll.approved.txt
@@ -238,8 +238,8 @@ HTTP(S):
The password of the key store file. Default: password.
--https-key-store-type
The type of the key store file. If not given, the type is automatically
- detected based on the file name. If 'fips-mode' is set to 'strict' and no
- value is set, it defaults to 'BCFKS'.
+ detected based on the file extension. If 'fips-mode' is set to 'strict' and
+ no value is set, it defaults to 'BCFKS'.
--https-port The used HTTPS port. Default: 8443.
--https-protocols
The list of protocols to explicitly enable. Default: TLSv1.3,TLSv1.2.
@@ -252,7 +252,7 @@ HTTP(S):
instead, see the docs for details.
--https-trust-store-type
DEPRECATED. The type of the trust store file. If not given, the type is
- automatically detected based on the file name. If 'fips-mode' is set to
+ automatically detected based on the file extension. If 'fips-mode' is set to
'strict' and no value is set, it defaults to 'BCFKS'. Use the System
Truststore instead, see the docs for details.
diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelp.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelp.approved.txt
index 16d3d9d476e..935e0c9149f 100644
--- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelp.approved.txt
+++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelp.approved.txt
@@ -145,8 +145,8 @@ HTTP(S):
The password of the key store file. Default: password.
--https-key-store-type
The type of the key store file. If not given, the type is automatically
- detected based on the file name. If 'fips-mode' is set to 'strict' and no
- value is set, it defaults to 'BCFKS'.
+ detected based on the file extension. If 'fips-mode' is set to 'strict' and
+ no value is set, it defaults to 'BCFKS'.
--https-port The used HTTPS port. Default: 8443.
--https-protocols
The list of protocols to explicitly enable. Default: TLSv1.3,TLSv1.2.
@@ -159,7 +159,7 @@ HTTP(S):
instead, see the docs for details.
--https-trust-store-type
DEPRECATED. The type of the trust store file. If not given, the type is
- automatically detected based on the file name. If 'fips-mode' is set to
+ automatically detected based on the file extension. If 'fips-mode' is set to
'strict' and no value is set, it defaults to 'BCFKS'. Use the System
Truststore instead, see the docs for details.
diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelpAll.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelpAll.approved.txt
index 2c4149899b9..317ffda597a 100644
--- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelpAll.approved.txt
+++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelpAll.approved.txt
@@ -217,8 +217,8 @@ HTTP(S):
The password of the key store file. Default: password.
--https-key-store-type
The type of the key store file. If not given, the type is automatically
- detected based on the file name. If 'fips-mode' is set to 'strict' and no
- value is set, it defaults to 'BCFKS'.
+ detected based on the file extension. If 'fips-mode' is set to 'strict' and
+ no value is set, it defaults to 'BCFKS'.
--https-port The used HTTPS port. Default: 8443.
--https-protocols
The list of protocols to explicitly enable. Default: TLSv1.3,TLSv1.2.
@@ -231,7 +231,7 @@ HTTP(S):
instead, see the docs for details.
--https-trust-store-type
DEPRECATED. The type of the trust store file. If not given, the type is
- automatically detected based on the file name. If 'fips-mode' is set to
+ automatically detected based on the file extension. If 'fips-mode' is set to
'strict' and no value is set, it defaults to 'BCFKS'. Use the System
Truststore instead, see the docs for details.
diff --git a/services/src/main/java/org/keycloak/email/DefaultEmailSenderProvider.java b/services/src/main/java/org/keycloak/email/DefaultEmailSenderProvider.java
index 41609a5ead9..9b6f20b68ba 100644
--- a/services/src/main/java/org/keycloak/email/DefaultEmailSenderProvider.java
+++ b/services/src/main/java/org/keycloak/email/DefaultEmailSenderProvider.java
@@ -192,7 +192,10 @@ public class DefaultEmailSenderProvider implements EmailSenderProvider {
props.put("mail.smtp.ssl.socketFactory", factory);
if (configurator.getProvider().getPolicy() == HostnameVerificationPolicy.ANY) {
props.setProperty("mail.smtp.ssl.trust", "*");
- props.put("mail.smtp.ssl.checkserveridentity", Boolean.FALSE.toString());
+ props.put("mail.smtp.ssl.checkserveridentity", Boolean.FALSE.toString()); // this should be the default but seems to be impl specific, so set it explicitly just to be sure
+ }
+ else {
+ props.put("mail.smtp.ssl.checkserveridentity", Boolean.TRUE.toString());
}
}
}
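Review bot: The new `else` is split as `}` on one line and `else {` on the next, which breaks the K&R brace style of the surrounding `if`; the branch also exists only to set the same property with the opposite value, so a single assignment reads better: `boolean verifyHost = configurator.getProvider().getPolicy() != HostnameVerificationPolicy.ANY;` followed by `props.put("mail.smtp.ssl.checkserveridentity", Boolean.toString(verifyHost));`, with the existing `if` keeping only the `mail.smtp.ssl.trust` line. The long trailing comment fits better on its own line above the assignment, e.g. `// hostname verification should be the default, but it is implementation specific, so set it explicitly`. The enclosing method starts outside the hunk, so whether the same property is applied on a STARTTLS path elsewhere is not visible here.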