moresandeep commented on code in PR #1291:
URL: https://github.com/apache/knox/pull/1291#discussion_r3538716966
##########
gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/JettySSLService.java:
##########
@@ -132,6 +141,116 @@ private void logAndValidateCertificate(GatewayConfig
config) throws ServiceLifec
}
}
+ // Package private for unit test access.
+ // When single-EKU mode is enabled, refuse to start unless:
+ // - the outbound client-identity keystore is present and holds a usable
key entry,
+ // - inbound client authentication is enforced (server truststore +
client-auth),
+ // - the outbound HTTP client truststore is configured, and
+ // - both identities are single-purpose: the client identity carries
clientAuth (not serverAuth)
+ // and the server identity carries serverAuth (not clientAuth).
+ // Fail closed: never fall back to the server identity certificate for
outbound calls, and never
+ // defer a cross-wired/dual-purpose certificate to a runtime handshake
failure.
+ void validateSingleEkuConfig(GatewayConfig config) throws
ServiceLifecycleException {
+ // 1. Outbound client-identity keystore must be configured and contain the
configured key entry.
+ String clientKeystorePath = config.getHttpClientKeystorePath();
+ if (clientKeystorePath == null || clientKeystorePath.isEmpty()) {
+ throw new ServiceLifecycleException("Single-EKU mode is enabled (" +
GatewayConfig.TLS_SINGLE_EKU_ENABLED
Review Comment:
single-purpose certs need to have two-way SSL, this was pointed out by
@smolnar82 in his offline review
> This means Knox in "single-EKU mode" will start happily with a client
keystore holding a serverAuth-only or dual-purpose cert — exactly the
misconfiguration this feature exists to catch. The validation gives a false
sense of assurance, and the tests reflect the gap (JettySSLServiceTest covers
path-missing, truststore-missing, client-auth-disabled, and cert-not-a-key, but
there is no EKU test).
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]