FAPI-SIG tool for tests 'FAPI1 - Advanced-Final: Brazil Dynamic Client Registration Authorization server test' #10422

fassumpcao · 2022-02-23T15:09:40Z

fassumpcao
Feb 23, 2022

We are trying to used FAPI-SIG tool for tests 'FAPI1 - Advanced-Final: Brazil Dynamic Client Registration Authorization server test' with MTLS Authentication.
We add success a new client using gateway for request a Keycloak registration endpoint. But, in the next step, that we need to receive an access_token with transport certificate (Certificate generate in Open Banking Brazil Directory), we receive a handshake error and the request stopped in load_balancer service.
When we tryied to request using 'client' or 'client2' certificates, the request make success on Keycloak.
I would like to someone help us to apply a correct configuration of server certificates on FAPI-SIG tools using Open Banking certificate.

tnorimat · 2022-02-23T22:56:25Z

tnorimat
Feb 23, 2022
Collaborator

@fassumpcao Hello,

we receive a handshake error and the request stopped in load_balancer service.

Could you tell me which kind of an error happens in detail?

1 reply

tnorimat Feb 23, 2022
Collaborator

@fassumpcao By the way, the current FAPI-SIG's automated conformance test run environment does not support Open Banking Brazil FAPI 1.0 Dynamic Client Registration conformance test while it supports other all conformance tests.

fassumpcao · 2022-02-24T17:45:36Z

fassumpcao
Feb 24, 2022
Author

Hello Takashi, I know that, but we created a gateway to extract software_statement of the origin DCR request and send to Keycloak registration endpoint, and it's working. But, in the next step, to get an access_token, we receive: Using Curl: curl: (35) error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown Using Postman: Error: write EPROTO 51945928:error:10000416:SSL routines:OPENSSL_internal:SSLV3_ALERT_CERTIFICATE_UNKNOWN:../../third_party/boringssl/src/ssl/tls_record.cc:594:SSL alert number 46 In other authorization servers from other Financial Institutions, we did the DCR step and the token using the same certificates and it worked.

…

____________________________________________________

______________________________ *Felipe P. de Assumpção* Em qua., 23 de fev. de 2022 às 20:04, Takashi Norimatsu < ***@***.***> escreveu:

@fassumpcao <https://github.com/fassumpcao> By the way, the current FAPI-SIG's automated conformance test run environment does not support Open Banking Brazil FAPI 1.0 Dynamic Client Registration conformance test while it supports other all conformance tests. — Reply to this email directly, view it on GitHub <#10422 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AMBHIT52FFNU54NG2UJIMZLU4VRWFANCNFSM5PEUJ6JQ> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>. You are receiving this because you were mentioned.Message ID: ***@***.***>

2 replies

tnorimat Feb 24, 2022
Collaborator

I'm not familiar with OBB DCR specification but I'm afraid that keycloak fails to verify a client certificate during mutual TLS handshare.
I expect that keycloak does not hold an appropriate CA certificate (may be Brazil ICP ?) needed to verify a client certificate (may be issued by Brazil ICP ?) during mutual TLS handshare.

The following codes setup keycloak's truststore:
keycloak/Dockerfile:

# Add certificates
COPY server.pem /etc/x509/https/server.crt
COPY client-ca.pem /etc/x509/https/client-ca.crt

RUN \
  echo "Importing certificates into truststore" && \
  keytool -import -cacerts -storepass changeit -noprompt -file /etc/x509/https/server.crt -alias myservercrt && \
  keytool -import -cacerts -storepass changeit -noprompt -file /etc/x509/https/client-ca.crt  -alias myclientcacrt && \
  echo "Certificates imported"

How about adding an appropriate CA certificate (may be Brazil ICP ?) to this truststore?

tnorimat Feb 26, 2022
Collaborator

If you use wildfly based keycloak, how about adding an appripriate CA certificate to the following environment variable?

keycloak/Dockerfile.legacy:

ENV X509_CA_BUNDLE="/etc/x509/https/client-ca.crt /etc/x509/https/server.crt"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

FAPI-SIG tool for tests 'FAPI1 - Advanced-Final: Brazil Dynamic Client Registration Authorization server test' #10422

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments 3 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

FAPI-SIG tool for tests 'FAPI1 - Advanced-Final: Brazil Dynamic Client Registration Authorization server test' #10422

Uh oh!

fassumpcao Feb 23, 2022

Replies: 2 comments · 3 replies

Uh oh!

tnorimat Feb 23, 2022 Collaborator

Uh oh!

tnorimat Feb 23, 2022 Collaborator

Uh oh!

fassumpcao Feb 24, 2022 Author

Uh oh!

tnorimat Feb 24, 2022 Collaborator

Uh oh!

tnorimat Feb 26, 2022 Collaborator

fassumpcao
Feb 23, 2022

Replies: 2 comments 3 replies

tnorimat
Feb 23, 2022
Collaborator

tnorimat Feb 23, 2022
Collaborator

fassumpcao
Feb 24, 2022
Author

tnorimat Feb 24, 2022
Collaborator

tnorimat Feb 26, 2022
Collaborator