[ 
https://issues.apache.org/jira/browse/KNOX-3359?focusedWorklogId=1028509&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1028509
 ]

ASF GitHub Bot logged work on KNOX-3359:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 07/Jul/26 18:04
            Start Date: 07/Jul/26 18:04
    Worklog Time Spent: 10m 
      Work Description: pzampino commented on code in PR #1291:
URL: https://github.com/apache/knox/pull/1291#discussion_r3538535417


##########
gateway-server/src/main/java/org/apache/knox/gateway/config/impl/GatewayConfigImpl.java:
##########
@@ -818,6 +818,45 @@ public String getHttpClientTruststorePasswordAlias() {
     return get(HTTP_CLIENT_TRUSTSTORE_PASSWORD_ALIAS, 
DEFAULT_HTTP_CLIENT_TRUSTSTORE_PASSWORD_ALIAS);
   }
 
+  @Override
+  public String getHttpClientKeystorePath() {
+    return get(HTTP_CLIENT_KEYSTORE_PATH);
+  }
+
+  @Override
+  public String getHttpClientKeystoreType() {
+    return get(HTTP_CLIENT_KEYSTORE_TYPE, DEFAULT_HTTP_CLIENT_KEYSTORE_TYPE);
+  }
+
+  @Override
+  public String getHttpClientKeystorePasswordAlias() {
+    return get(HTTP_CLIENT_KEYSTORE_PASSWORD_ALIAS, 
DEFAULT_HTTP_CLIENT_KEYSTORE_PASSWORD_ALIAS);
+  }
+
+  @Override
+  public String getHttpClientKeyAlias() {
+    return get(HTTP_CLIENT_KEY_ALIAS, DEFAULT_HTTP_CLIENT_KEY_ALIAS);
+  }
+
+  @Override
+  public String getHttpClientKeyPassphraseAlias() {
+    return get(HTTP_CLIENT_KEY_PASSPHRASE_ALIAS, 
DEFAULT_HTTP_CLIENT_KEY_PASSPHRASE_ALIAS);
+  }
+
+  @Override
+  public boolean isSingleEkuEnabled() {
+    return getBoolean(TLS_SINGLE_EKU_ENABLED, DEFAULT_TLS_SINGLE_EKU_ENABLED);
+  }
+
+  @Override
+  public boolean isHttpClientTwoWaySslEnabled() {
+    String configured = get(HTTP_CLIENT_TWO_WAY_SSL_ENABLED);
+    if (configured != null) {
+      return Boolean.parseBoolean(configured);

Review Comment:
   I believe parseBoolean returns false for null, so I think you could 
eliminate the null check unless this method intends to fall back to 
isSingleEkuEnabled() IFF two-way SSL is NOT explicitly configured. Is that the 
intent here? If so, this only applies to HTTP clients employed by Knox?



##########
gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/JettySSLService.java:
##########
@@ -132,6 +141,116 @@ private void logAndValidateCertificate(GatewayConfig 
config) throws ServiceLifec
     }
   }
 
+  // Package private for unit test access.
+  // When single-EKU mode is enabled, refuse to start unless:
+  //   - the outbound client-identity keystore is present and holds a usable 
key entry,
+  //   - inbound client authentication is enforced (server truststore + 
client-auth),
+  //   - the outbound HTTP client truststore is configured, and
+  //   - both identities are single-purpose: the client identity carries 
clientAuth (not serverAuth)
+  //     and the server identity carries serverAuth (not clientAuth).
+  // Fail closed: never fall back to the server identity certificate for 
outbound calls, and never
+  // defer a cross-wired/dual-purpose certificate to a runtime handshake 
failure.
+  void validateSingleEkuConfig(GatewayConfig config) throws 
ServiceLifecycleException {
+    // 1. Outbound client-identity keystore must be configured and contain the 
configured key entry.
+    String clientKeystorePath = config.getHttpClientKeystorePath();
+    if (clientKeystorePath == null || clientKeystorePath.isEmpty()) {
+      throw new ServiceLifecycleException("Single-EKU mode is enabled (" + 
GatewayConfig.TLS_SINGLE_EKU_ENABLED
+          + "=true) but the HTTP client keystore path (" + 
GatewayConfig.HTTP_CLIENT_KEYSTORE_PATH
+          + ") is not configured. Server will not start.");
+    }
+    String clientKeyAlias = config.getHttpClientKeyAlias();
+    KeyStore clientKeystore;
+    try {
+      clientKeystore = keystoreService.getKeystoreForHttpClient();
+      if (clientKeystore == null || 
!clientKeystore.isKeyEntry(clientKeyAlias)) {
+        throw new ServiceLifecycleException("Single-EKU mode is enabled but 
the HTTP client keystore at "
+            + clientKeystorePath + " does not contain a key entry for alias '" 
+ clientKeyAlias
+            + "' (" + GatewayConfig.HTTP_CLIENT_KEY_ALIAS + "). Server will 
not start.");
+      }
+    } catch (KeystoreServiceException | KeyStoreException e) {
+      throw new ServiceLifecycleException("Single-EKU mode is enabled but the 
HTTP client keystore at "
+          + clientKeystorePath + " could not be loaded. Server will not 
start.", e);
+    }
+
+    // 2. Inbound client authentication must be enforced (server truststore + 
client-auth).
+    if (config.getTruststorePath() == null) {
+      throw new ServiceLifecycleException("Single-EKU mode is enabled but the 
server truststore ("

Review Comment:
   Again, is it not permissible to have single-purpose certs enabled for Knox 
without assuming/requireing two-way SSL?



##########
gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/JettySSLService.java:
##########
@@ -132,6 +141,116 @@ private void logAndValidateCertificate(GatewayConfig 
config) throws ServiceLifec
     }
   }
 
+  // Package private for unit test access.
+  // When single-EKU mode is enabled, refuse to start unless:
+  //   - the outbound client-identity keystore is present and holds a usable 
key entry,
+  //   - inbound client authentication is enforced (server truststore + 
client-auth),
+  //   - the outbound HTTP client truststore is configured, and
+  //   - both identities are single-purpose: the client identity carries 
clientAuth (not serverAuth)
+  //     and the server identity carries serverAuth (not clientAuth).
+  // Fail closed: never fall back to the server identity certificate for 
outbound calls, and never
+  // defer a cross-wired/dual-purpose certificate to a runtime handshake 
failure.
+  void validateSingleEkuConfig(GatewayConfig config) throws 
ServiceLifecycleException {
+    // 1. Outbound client-identity keystore must be configured and contain the 
configured key entry.
+    String clientKeystorePath = config.getHttpClientKeystorePath();
+    if (clientKeystorePath == null || clientKeystorePath.isEmpty()) {
+      throw new ServiceLifecycleException("Single-EKU mode is enabled (" + 
GatewayConfig.TLS_SINGLE_EKU_ENABLED
+          + "=true) but the HTTP client keystore path (" + 
GatewayConfig.HTTP_CLIENT_KEYSTORE_PATH
+          + ") is not configured. Server will not start.");
+    }
+    String clientKeyAlias = config.getHttpClientKeyAlias();
+    KeyStore clientKeystore;
+    try {
+      clientKeystore = keystoreService.getKeystoreForHttpClient();
+      if (clientKeystore == null || 
!clientKeystore.isKeyEntry(clientKeyAlias)) {
+        throw new ServiceLifecycleException("Single-EKU mode is enabled but 
the HTTP client keystore at "
+            + clientKeystorePath + " does not contain a key entry for alias '" 
+ clientKeyAlias
+            + "' (" + GatewayConfig.HTTP_CLIENT_KEY_ALIAS + "). Server will 
not start.");
+      }
+    } catch (KeystoreServiceException | KeyStoreException e) {
+      throw new ServiceLifecycleException("Single-EKU mode is enabled but the 
HTTP client keystore at "
+          + clientKeystorePath + " could not be loaded. Server will not 
start.", e);
+    }
+
+    // 2. Inbound client authentication must be enforced (server truststore + 
client-auth).
+    if (config.getTruststorePath() == null) {
+      throw new ServiceLifecycleException("Single-EKU mode is enabled but the 
server truststore ("
+          + GatewayConfig.GATEWAY_TRUSTSTORE_PATH + ") is not configured. 
Server will not start.");
+    }
+    if (!config.isClientAuthNeeded() && !config.isClientAuthWanted()) {

Review Comment:
   Here too it seems two-way SSL is required just because single-purpose certs 
are enabled.



##########
gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/JettySSLService.java:
##########
@@ -132,6 +141,116 @@ private void logAndValidateCertificate(GatewayConfig 
config) throws ServiceLifec
     }
   }
 
+  // Package private for unit test access.
+  // When single-EKU mode is enabled, refuse to start unless:
+  //   - the outbound client-identity keystore is present and holds a usable 
key entry,
+  //   - inbound client authentication is enforced (server truststore + 
client-auth),
+  //   - the outbound HTTP client truststore is configured, and
+  //   - both identities are single-purpose: the client identity carries 
clientAuth (not serverAuth)
+  //     and the server identity carries serverAuth (not clientAuth).
+  // Fail closed: never fall back to the server identity certificate for 
outbound calls, and never
+  // defer a cross-wired/dual-purpose certificate to a runtime handshake 
failure.
+  void validateSingleEkuConfig(GatewayConfig config) throws 
ServiceLifecycleException {
+    // 1. Outbound client-identity keystore must be configured and contain the 
configured key entry.
+    String clientKeystorePath = config.getHttpClientKeystorePath();
+    if (clientKeystorePath == null || clientKeystorePath.isEmpty()) {
+      throw new ServiceLifecycleException("Single-EKU mode is enabled (" + 
GatewayConfig.TLS_SINGLE_EKU_ENABLED

Review Comment:
   Is it not valid to have single-purpose certs enabled WITHOUT two-way SSL, 
thus not requiring the client identity keystore?





Issue Time Tracking
-------------------

    Worklog Id:     (was: 1028509)
    Time Spent: 0.5h  (was: 20m)

> Support Single-Purpose EKU Certificates
> ---------------------------------------
>
>                 Key: KNOX-3359
>                 URL: https://issues.apache.org/jira/browse/KNOX-3359
>             Project: Apache Knox
>          Issue Type: New Feature
>          Components: Server
>            Reporter: Sandeep More
>            Assignee: Sandeep More
>            Priority: Major
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> h1. Background
> Knox currently supports a single certificate per host. This certificate 
> carries both the serverAuth and clientAuth Extended Key Usages (EKUs), 
> meaning the same key and certificate is used whether the service running on 
> the host is acting as a TLS server or as a client in a mutual-TLS (mTLS) 
> handshake.
>  
> Industry standards and public CAs (like DigiCert) are sunsetting multi-use 
> certificates, making Knox's current requirement for dual serverAuth and 
> clientAuth EKUs difficult to manage.
> h1. Overview:
> Knox will need separate keystores and truststores for client authentication 
> and server authentication.
>  # Keystores:
>  * 
>  -- Knox to assert its identity as a server
>  -- Knox to assert its identity as a client (to downstream services)
>        2.Truststores:
>  * 
>  -- Clients asserting identity to Knox
>  -- Servers asserting identity to Knox



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to