pzampino commented on code in PR #1291:
URL: https://github.com/apache/knox/pull/1291#discussion_r3539419781


##########
gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/JettySSLService.java:
##########
@@ -132,6 +141,116 @@ private void logAndValidateCertificate(GatewayConfig 
config) throws ServiceLifec
     }
   }
 
+  // Package private for unit test access.
+  // When single-EKU mode is enabled, refuse to start unless:
+  //   - the outbound client-identity keystore is present and holds a usable 
key entry,
+  //   - inbound client authentication is enforced (server truststore + 
client-auth),
+  //   - the outbound HTTP client truststore is configured, and
+  //   - both identities are single-purpose: the client identity carries 
clientAuth (not serverAuth)
+  //     and the server identity carries serverAuth (not clientAuth).
+  // Fail closed: never fall back to the server identity certificate for 
outbound calls, and never
+  // defer a cross-wired/dual-purpose certificate to a runtime handshake 
failure.
+  void validateSingleEkuConfig(GatewayConfig config) throws 
ServiceLifecycleException {
+    // 1. Outbound client-identity keystore must be configured and contain the 
configured key entry.
+    String clientKeystorePath = config.getHttpClientKeystorePath();
+    if (clientKeystorePath == null || clientKeystorePath.isEmpty()) {
+      throw new ServiceLifecycleException("Single-EKU mode is enabled (" + 
GatewayConfig.TLS_SINGLE_EKU_ENABLED
+          + "=true) but the HTTP client keystore path (" + 
GatewayConfig.HTTP_CLIENT_KEYSTORE_PATH
+          + ") is not configured. Server will not start.");
+    }
+    String clientKeyAlias = config.getHttpClientKeyAlias();
+    KeyStore clientKeystore;
+    try {
+      clientKeystore = keystoreService.getKeystoreForHttpClient();
+      if (clientKeystore == null || 
!clientKeystore.isKeyEntry(clientKeyAlias)) {
+        throw new ServiceLifecycleException("Single-EKU mode is enabled but 
the HTTP client keystore at "
+            + clientKeystorePath + " does not contain a key entry for alias '" 
+ clientKeyAlias
+            + "' (" + GatewayConfig.HTTP_CLIENT_KEY_ALIAS + "). Server will 
not start.");
+      }
+    } catch (KeystoreServiceException | KeyStoreException e) {
+      throw new ServiceLifecycleException("Single-EKU mode is enabled but the 
HTTP client keystore at "
+          + clientKeystorePath + " could not be loaded. Server will not 
start.", e);
+    }
+
+    // 2. Inbound client authentication must be enforced (server truststore + 
client-auth).
+    if (config.getTruststorePath() == null) {
+      throw new ServiceLifecycleException("Single-EKU mode is enabled but the 
server truststore ("
+          + GatewayConfig.GATEWAY_TRUSTSTORE_PATH + ") is not configured. 
Server will not start.");
+    }
+    if (!config.isClientAuthNeeded() && !config.isClientAuthWanted()) {

Review Comment:
   I don't think support for single-purpose certs necessitates mTLS; I think 
they are orthogonal concerns, but I may be wrong.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to