defenseunicorns / uds-core

A secure runtime platform for mission-critical capabilities
https://uds.defenseunicorns.com
Apache License 2.0

Keycloak mutual TLS client auth (CAC login) and DoD CA concerns #503

Open bburky opened 1 week ago

bburky commented 1 week ago
  1. (Mitigated by 2 below) DoD CAs are merged with existing Java truststore, potentially allowing TLS client auth (CAC login) using public CAs.

    uds-identity-config creates a certs/ directory of DoD CA certs which are copied into /opt/keycloak/conf/truststores via an initContainer during Keycloak startup.

    However, this Keycloak truststores directory is merged with the existing Java trust store (/etc/pki/java/cacerts inside the Keycloak container) which contains publicly trusted WebPKI roots.

    The existing Java default truststore certs will always be trusted. If you need additional certificates, which will be the case if you have self-signed or internal certificate authorities that are not recognized by the JRE, they can be included in the conf/truststores directory or subdirectories.

    https://www.keycloak.org/server/keycloak-truststore (Emphasis mine.)

  2. TLS client auth is actually implemented by Istio, which is correctly limited to only DoD certs:
    https://github.com/defenseunicorns/uds-core/blob/main/src/istio/values/config-tenant.yaml#L11-L12

    However, these certs are currently hardcoded in git with an automated task to regenerate the data. Is it possible to generate this at build time and avoid putting a possibly out of date value in git?

    • TODO: do an in-depth review of Istio's client cert validation. It correctly limits to the right CAs. But does it enforce all the certificate rules correctly? I assume it at least implements Basic Constraints.
  3. Keycloak probably isn't actually using these truststore certs at all; the default "Revalidate client certificate" configuration is off.
    https://www.keycloak.org/docs/latest/server_admin/#:~:text=Revalidate%20client%20certificate

    If we do want Keycloak to validate certificates, we should probably enable this and address 1. Otherwise, is it possible to skip configuring CA certs to Keycloak? This may reduce confusion in understanding the Keycloak configuration.