diff --git a/services/src/main/java/org/keycloak/services/resources/admin/RealmAdminResource.java b/services/src/main/java/org/keycloak/services/resources/admin/RealmAdminResource.java
index 6c265bd..b26d95a 100644
--- a/services/src/main/java/org/keycloak/services/resources/admin/RealmAdminResource.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/RealmAdminResource.java
@@ -86,6 +86,7 @@ import javax.ws.rs.core.UriInfo;
import java.security.PrivateKey;
import java.security.PublicKey;
+import java.security.cert.X509Certificate;
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
@@ -268,6 +269,17 @@ public class RealmAdminResource {
}
}
+ if (!"GENERATE".equals(rep.getPublicKey()) && (rep.getCertificate() != null)) {
+ try {
+ X509Certificate cert = PemUtils.decodeCertificate(rep.getCertificate());
+ if (cert == null) {
+ return ErrorResponse.error("Failed to decode certificate", Status.BAD_REQUEST);
+ }
+ } catch (Exception e) {
+ return ErrorResponse.error("Failed to decode certificate", Status.BAD_REQUEST);
+ }
+ }
+
RepresentationToModel.updateRealm(rep, realm);
// Refresh periodic sync tasks for configured federationProviders
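Review bot: The added guard only proves that `rep.getCertificate()` parses; nothing in these lines checks that the decoded certificate belongs to the realm key pair, so a well-formed certificate issued for a different key would still reach `RepresentationToModel.updateRealm`. Consider comparing the keys before accepting it, for example `if (rep.getPublicKey() != null && !cert.getPublicKey().equals(PemUtils.decodePublicKey(rep.getPublicKey()))) return ErrorResponse.error("Certificate does not match public key", Status.BAD_REQUEST);`. This assumes the public key has already been validated by the code above the hunk, and a request that carries no public key would need the comparison against the realm's stored key instead. The `catch (Exception e)` also discards the cause, so a debug-level log of `e` would let an administrator see why the PEM was rejected. The enclosing method starts and ends outside the hunk.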
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/realm/RealmTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/realm/RealmTest.java
index 2ba3c5c..d2e6428 100755
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/realm/RealmTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/realm/RealmTest.java
@@ -444,6 +444,19 @@ public class RealmTest extends AbstractAdminTest {
Assert.assertEquals(PUBLIC_KEY, realm.toRepresentation().getPublicKey());
+ rep.setPrivateKey("{}{}{}{}{}{}324re9gvj0r");
+ rep.setPublicKey("{}{}{}{}{}{}324re9gvj0r");
+ try {
+ realm.update(rep);
+ fail("Expected BadRequestException");
+ } catch (BadRequestException e) {
+ // Expected
+ assertAdminEvents.assertEmpty();
+ }
+
+ Assert.assertEquals(PUBLIC_KEY, realm.toRepresentation().getPublicKey());
+
+ rep.setPrivateKey(privateKey2048);
rep.setPublicKey(publicKey2048);
realm.update(rep);
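Review bot: The rejected-update case sets the private key and the public key to the same garbage string in a single request, so it passes as long as either check fires and does not show that each field is validated on its own. A second case that keeps one side valid would pin that down, for example `rep.setPrivateKey(privateKey2048); rep.setPublicKey("{}{}{}{}{}{}324re9gvj0r");` followed by the same `BadRequestException` expectation. The `// Expected` comment could also say what is being asserted, such as `// rejected before any admin event is recorded`. The test method starts and ends outside the hunk.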
@@ -478,7 +491,27 @@ public class RealmTest extends AbstractAdminTest {
realm.update(rep);
assertAdminEvents.assertEvent(realmId, OperationType.UPDATE, Matchers.nullValue(String.class), rep);
- assertEquals(certificate, rep.getCertificate());
+ assertEquals(certificate, realm.toRepresentation().getCertificate());
+
+ rep.setCertificate("{}{}{}{}{}{}324re9gvj0r");
+ try {
+ realm.update(rep);
+ fail("Expected BadRequestException");
+ } catch (BadRequestException e) {
+ // Expected
+ assertAdminEvents.assertEmpty();
+ }
+
+ rep.setCertificate("invalid");
+ try {
+ realm.update(rep);
+ fail("Expected BadRequestException");
+ } catch (BadRequestException e) {
+ // Expected
+ assertAdminEvents.assertEmpty();
+ }
+
+ assertEquals(certificate, realm.toRepresentation().getCertificate());
}
@Test
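Review bot: Both new certificate cases (`"{}{}{}{}{}{}324re9gvj0r"` and `"invalid"`) are unparseable strings, so they exercise only the decode-failure path and leave two behaviours of the new server-side check untested. There is no case with a syntactically valid certificate that belongs to a different key pair, and none where the public key is `"GENERATE"` and the certificate is malformed, which the new guard in RealmAdminResource skips. Adding those two cases would document whether a mismatched or ignored certificate is accepted on purpose. The final `assertEquals(certificate, realm.toRepresentation().getCertificate())` is a good check that the stored value survived the rejected updates.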