moresandeep commented on code in PR #1291:
URL: https://github.com/apache/knox/pull/1291#discussion_r3538716966


##########
gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/JettySSLService.java:
##########
@@ -132,6 +141,116 @@ private void logAndValidateCertificate(GatewayConfig 
config) throws ServiceLifec
     }
   }
 
+  // Package private for unit test access.
+  // When single-EKU mode is enabled, refuse to start unless:
+  //   - the outbound client-identity keystore is present and holds a usable 
key entry,
+  //   - inbound client authentication is enforced (server truststore + 
client-auth),
+  //   - the outbound HTTP client truststore is configured, and
+  //   - both identities are single-purpose: the client identity carries 
clientAuth (not serverAuth)
+  //     and the server identity carries serverAuth (not clientAuth).
+  // Fail closed: never fall back to the server identity certificate for 
outbound calls, and never
+  // defer a cross-wired/dual-purpose certificate to a runtime handshake 
failure.
+  void validateSingleEkuConfig(GatewayConfig config) throws 
ServiceLifecycleException {
+    // 1. Outbound client-identity keystore must be configured and contain the 
configured key entry.
+    String clientKeystorePath = config.getHttpClientKeystorePath();
+    if (clientKeystorePath == null || clientKeystorePath.isEmpty()) {
+      throw new ServiceLifecycleException("Single-EKU mode is enabled (" + 
GatewayConfig.TLS_SINGLE_EKU_ENABLED

Review Comment:
   single-purpose certs need to have two-way SSL, this was pointed out by 
@smolnar82 in his offline review 
   
   > This means Knox in "single-EKU mode" will start happily with a client 
keystore holding a serverAuth-only or dual-purpose cert — exactly the 
misconfiguration this feature exists to catch. The validation gives a false 
sense of assurance, and the tests reflect the gap (JettySSLServiceTest covers 
path-missing, truststore-missing, client-auth-disabled, and cert-not-a-key, but 
there is no EKU test). 



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to