[ 
https://issues.apache.org/jira/browse/KNOX-3359?focusedWorklogId=1027866&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1027866
 ]

ASF GitHub Bot logged work on KNOX-3359:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 01/Jul/26 19:27
            Start Date: 01/Jul/26 19:27
    Worklog Time Spent: 10m 
      Work Description: moresandeep opened a new pull request, #1291:
URL: https://github.com/apache/knox/pull/1291

   (It is very **important** that you created an Apache Knox JIRA for this 
change and that the PR title/commit message includes the Apache Knox JIRA ID!)
   
   [KNOX-3359](https://issues.apache.org/jira/browse/KNOX-3359) - Support 
Single-Purpose EKU Certificates
   
   Public CAs are retiring dual purpose certificates that carry both serverAuth 
and clientAuth Extended Key Usages. This change allows Knox to use two separate 
keystores, one for its inbound TLS server identity (serverAuth only) and one 
for its outbound mTLS client identity (clientAuth only).
   
   ## What changes were proposed in this pull request?
   
   - `gateway.tls.single.eku.enabled` — new toggle that activates single-EKU 
mode. Off by default all existing behavior is unchanged when it is off.
   - GatewayConfigImpl / GatewayConfig — new config accessors for the HTTP 
client keystore path, type, alias, and truststore, startup validation 
(validateSingleEkuConfig) that fails fast if any prerequisite is missing or 
misconfigured (wrong alias type, wrong EKU, missing truststore). Knox refuses 
to start rather than silently falling back to the server identity.
   - DefaultKeystoreService.getKeystoreForHttpClient() / 
DefaultAliasService.getHttpClientKeyPassphrase() — load the dedicated 
client-identity keystore using the configured path, type, and alias.
   - DefaultHttpClientFactory.createSSLContext() — when single-EKU is on and 
two-way SSL is active, loads the client keystore instead of the gateway server 
keystore.
   - JettySSLService - enforce that the server keystore alias carries only 
serverAuth in single-EKU mode.
   - `gateway.httpclient.twoWaySsl.enabled` — new global flag to activate 
outbound mTLS across all dispatches without requiring use-two-way-ssl="true" on 
every service definition. Automatically defaults to true when 
`gateway.tls.single.eku.enabled=true`, so enabling single-EKU mode is a single 
config change with sane defaults.
   
   
   ## How was this patch tested?
   
   ### Unit Tests
   - Unit tests added for GatewayConfigImpl, DefaultKeystoreService, 
DefaultAliasService, JettySSLService, and DefaultHttpClientFactory covering the 
single-EKU happy path, wrong-passphrase fail-closed, one-way SSL guard (no 
client cert presented), and the global flag OR-ing with the per-dispatch 
parameter.
   
   ### Manual Tests
   Tested the following scenarios 
   
   #### Happy path: clientAuth cert + basic auth → 200, backend sees knox-client
   ```
   curl -sk --cert 
/Users/smore/projects/Cloudera/CDPD-103449-Knox-Single-EKU/testing/certs/curl-client.crt
 --key 
/Users/smore/projects/Cloudera/CDPD-103449-Knox-Single-EKU/testing/certs/curl-client.key
 -u guest:guest-password https://localhost:8443/gateway/sandbox/testmtls/hello
   ```
   ```
   
{"service":"test-https-backend","path":"/hello?user.name=guest","authenticated_client_cn":"knox-client","message":"mTLS
 OK 

Issue Time Tracking
-------------------

            Worklog Id:     (was: 1027866)
    Remaining Estimate: 0h
            Time Spent: 10m

> Support Single-Purpose EKU Certificates
> ---------------------------------------
>
>                 Key: KNOX-3359
>                 URL: https://issues.apache.org/jira/browse/KNOX-3359
>             Project: Apache Knox
>          Issue Type: New Feature
>          Components: Server
>            Reporter: Sandeep More
>            Assignee: Sandeep More
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> h1. Background
> Knox currently supports a single certificate per host. This certificate 
> carries both the serverAuth and clientAuth Extended Key Usages (EKUs), 
> meaning the same key and certificate is used whether the service running on 
> the host is acting as a TLS server or as a client in a mutual-TLS (mTLS) 
> handshake.
>  
> Industry standards and public CAs (like DigiCert) are sunsetting multi-use 
> certificates, making Knox's current requirement for dual serverAuth and 
> clientAuth EKUs difficult to manage.
> h1. Overview:
> Knox will need separate keystores and truststores for client authentication 
> and server authentication.
>  # Keystores:
>  * 
>  -- Knox to assert its identity as a server
>  -- Knox to assert its identity as a client (to downstream services)
>        2.Truststores:
>  * 
>  -- Clients asserting identity to Knox
>  -- Servers asserting identity to Knox



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to