Add AuthzClientCryptoProvider for authorization client cryptographic operations

[everettbu]

Test 3

[greptile-apps]

Greptile Summary

This PR introduces a new AuthzClientCryptoProvider to provide specialized cryptographic capabilities for Keycloak's authorization client module. The implementation focuses primarily on ECDSA signature format conversion between ASN.1 DER encoding and concatenated R|S format, which is essential for JWT signature processing in authorization flows.

Key Changes:

• New ASN.1 utilities: Added ASN1Encoder and ASN1Decoder classes to handle ASN.1 DER encoding/decoding operations without external dependencies like BouncyCastle
• AuthzClientCryptoProvider: A minimal CryptoProvider implementation that only supports ECDSA operations and basic keystore functionality, throwing UnsupportedOperationException for most other crypto operations
• Provider ordering system: Enhanced the CryptoProvider interface with an order() method to enable prioritized provider selection when multiple providers exist on the classpath
• Integration updates: Modified CryptoIntegration to sort providers by order (descending) and select the highest priority provider, plus initialized crypto integration in AuthzClient.create()
• Comprehensive testing: Added ECDSAAlgorithmTest to validate signature format conversions for ES256, ES384, and ES512 algorithms

The new provider has an order value of 100, making it lower priority than existing providers (DefaultCryptoProvider, FIPS1402Provider, WildFlyElytronProvider all at 200). This architectural approach allows the authorization client to have lightweight crypto capabilities while ensuring full-featured providers take precedence in server environments. The implementation enables the authz-client to handle JWT signature format conversions independently without requiring heavy cryptographic dependencies.

Confidence score: 2/5

• This PR has several critical implementation issues that could cause runtime failures and security vulnerabilities
• The getBouncyCastleProvider() method incorrectly returns a keystore provider instead of BouncyCastle, the ASN.1 parsing has potential buffer overflow vulnerabilities, and there are integer overflow risks in length calculations
• Files needing attention: AuthzClientCryptoProvider.java, ASN1Decoder.java, ASN1Encoder.java

_{12 files reviewed, 5 comments}

_{Edit Code Review Bot Settings | Greptile}

[greptile-apps]

logic: bit shifting could cause integer overflow for large length values, consider using Math.addExact() or similar overflow checking

[greptile-apps]

logic: method lacks default implementation which will break existing CryptoProvider implementations that don't override this method

Suggested change

	int order();
	default int order() {
	return 0;
	}

[greptile-apps]

logic: incorrect provider returned - this returns the default keystore provider instead of BouncyCastle provider, which will break cryptographic operations expecting BC functionality

[greptile-apps]

style: these encoder calls create objects that are immediately discarded - remove these unused lines

Suggested change

	ASN1Encoder.create().write(rBigInteger);
	ASN1Encoder.create().write(sBigInteger);
	return ASN1Encoder.create()
	.writeDerSeq(
	ASN1Encoder.create().write(rBigInteger),
	ASN1Encoder.create().write(sBigInteger))
	.toByteArray();

[greptile-apps]

logic: Trailing comma will be added to the logged string for all ignored providers