Support routing based on TLS client certificate presence/signer for mixed-auth endpoints on shared port (#1769)

Author: akrambek

runtime/binding-tls/pom.xml

@@ -117,8 +117,10 @@
         <configuration>
           <excludes>
             <exclude>**/keys</exclude>
+            <exclude>**/keys2</exclude>
             <exclude>**/trust</exclude>
             <exclude>**/signers</exclude>
+            <exclude>**/signers2</exclude>
             <exclude>**/*.csr</exclude>
             <exclude>**/*.crt</exclude>
           </excludes>

runtime/binding-tls/src/main/java/io/aklivity/zilla/runtime/binding/tls/config/TlsConditionConfig.java

@@ -15,6 +15,7 @@
  */
 package io.aklivity.zilla.runtime.binding.tls.config;
 
+import java.util.List;
 import java.util.function.Function;
 
 import io.aklivity.zilla.runtime.engine.config.ConditionConfig;
@@ -24,6 +25,8 @@ public final class TlsConditionConfig extends ConditionConfig
     public final String authority;
     public final String alpn;
     public final int[] ports;
+    public final List<String> trust;
+    public final TlsMutualConfig mutual;
 
     public static TlsConditionConfigBuilder<TlsConditionConfig> builder()
     {
@@ -39,10 +42,14 @@ public static <T> TlsConditionConfigBuilder<T> builder(
     TlsConditionConfig(
         String authority,
         String alpn,
-        int[] ports)
+        int[] ports,
+        List<String> trust,
+        TlsMutualConfig mutual)
     {
         this.authority = authority;
         this.alpn = alpn;
         this.ports = ports;
+        this.trust = trust;
+        this.mutual = mutual;
     }
 }

runtime/binding-tls/src/main/java/io/aklivity/zilla/runtime/binding/tls/config/TlsConditionConfigBuilder.java

@@ -15,6 +15,8 @@
  */
 package io.aklivity.zilla.runtime.binding.tls.config;
 
+import java.util.ArrayList;
+import java.util.List;
 import java.util.function.Function;
 
 import org.agrona.collections.IntArrayList;
@@ -29,6 +31,8 @@ public final class TlsConditionConfigBuilder<T> extends ConfigBuilder<T, TlsCond
     private String authority;
     private String alpn;
     private IntArrayList ports;
+    private List<String> trust;
+    private TlsMutualConfig mutual;
 
     TlsConditionConfigBuilder(
         Function<ConditionConfig, T> mapper)
@@ -75,10 +79,35 @@ public TlsConditionConfigBuilder<T> ports(
         return this;
     }
 
+    public TlsConditionConfigBuilder<T> trust(
+        String alias)
+    {
+        if (trust == null)
+        {
+            trust = new ArrayList<>();
+        }
+        trust.add(alias);
+        return this;
+    }
+
+    public TlsConditionConfigBuilder<T> trust(
+        List<String> aliases)
+    {
+        this.trust = aliases != null ? new ArrayList<>(aliases) : null;
+        return this;
+    }
+
+    public TlsConditionConfigBuilder<T> mutual(
+        TlsMutualConfig mutual)
+    {
+        this.mutual = mutual;
+        return this;
+    }
+
     @Override
     public T build()
     {
         final int[] portsArray = ports != null ? ports.toIntArray() : null;
-        return mapper.apply(new TlsConditionConfig(authority, alpn, portsArray));
+        return mapper.apply(new TlsConditionConfig(authority, alpn, portsArray, trust, mutual));
     }
 }

runtime/binding-tls/src/main/java/io/aklivity/zilla/runtime/binding/tls/internal/config/TlsBindingConfig.java

@@ -26,6 +26,7 @@
 
 import java.security.KeyStore;
 import java.security.SecureRandom;
+import java.security.cert.Certificate;
 import java.util.List;
 import java.util.Optional;
 import java.util.stream.Collectors;
@@ -128,6 +129,11 @@ public void init(
             this.context = context;
             this.clientHttpsIdentification = config.clientHttpsIdentification();
             this.clientServerNameIndication = config.clientServerNameIndication();
+
+            for (TlsRouteConfig route : routes)
+            {
+                route.init(vault);
+            }
         }
         catch (Exception ex)
         {
@@ -148,7 +154,7 @@ public TlsRouteConfig resolve(
 
         int port = resolveDestinationPort(beginEx);
 
-        return resolve(authorization, authority, alpn, port);
+        return resolve(authorization, authority, alpn, port, null);
     }
 
     public TlsRouteConfig resolvePortOnly(
@@ -193,10 +199,12 @@ public TlsRouteConfig resolve(
         long authorization,
         String hostname,
         String alpn,
-        int port)
+        int port,
+        Certificate[] clientCerts)
     {
         return routes.stream()
-                .filter(r -> r.authorized(authorization) && r.matches(hostname, alpn, port))
+                .filter(r -> r.authorized(authorization) &&
+                    r.matches(hostname, alpn, port, clientCerts))
                 .findFirst()
                 .orElse(null);
     }
@@ -364,7 +372,7 @@ private String selectAlpn(
                             }
 
                             if (route.authorized(authorization) &&
-                                route.matches(authority, protocol, port))
+                                route.matchesIgnoringCert(authority, protocol, port))
                             {
                                 selected = protocol;
                                 break;
@@ -386,7 +394,7 @@ private String selectAlpn(
                     }
 
                     if (route.authorized(authorization) &&
-                        route.matches(null, protocol, port))
+                        route.matchesIgnoringCert(null, protocol, port))
                     {
                         selected = protocol;
                         break;

runtime/binding-tls/src/main/java/io/aklivity/zilla/runtime/binding/tls/internal/config/TlsConditionConfigAdapter.java

@@ -15,6 +15,8 @@
  */
 package io.aklivity.zilla.runtime.binding.tls.internal.config;
 
+import java.util.ArrayList;
+import java.util.List;
 import java.util.stream.IntStream;
 
 import jakarta.json.Json;
@@ -32,6 +34,7 @@
 
 import io.aklivity.zilla.runtime.binding.tls.config.TlsConditionConfig;
 import io.aklivity.zilla.runtime.binding.tls.config.TlsConditionConfigBuilder;
+import io.aklivity.zilla.runtime.binding.tls.config.TlsMutualConfig;
 import io.aklivity.zilla.runtime.binding.tls.internal.TlsBinding;
 import io.aklivity.zilla.runtime.engine.config.ConditionConfig;
 import io.aklivity.zilla.runtime.engine.config.ConditionConfigAdapterSpi;
@@ -41,6 +44,8 @@ public final class TlsConditionConfigAdapter implements ConditionConfigAdapterSp
     private static final String AUTHORITY_NAME = "authority";
     private static final String ALPN_NAME = "alpn";
     private static final String PORT_NAME = "port";
+    private static final String TRUST_NAME = "trust";
+    private static final String MUTUAL_NAME = "mutual";
 
     @Override
     public String type()
@@ -84,6 +89,21 @@ public JsonObject adaptToJson(
             }
         }
 
+        if (tlsCondition.trust != null)
+        {
+            JsonArrayBuilder trustArray = Json.createArrayBuilder();
+            for (String alias : tlsCondition.trust)
+            {
+                trustArray.add(alias);
+            }
+            object.add(TRUST_NAME, trustArray);
+        }
+
+        if (tlsCondition.mutual != null)
+        {
+            object.add(MUTUAL_NAME, tlsCondition.mutual.name().toLowerCase());
+        }
+
         return object.build();
     }
 
@@ -126,6 +146,19 @@ public ConditionConfig adaptFromJson(
             tlsCondition.ports(ports);
         }
 
+        if (object.containsKey(TRUST_NAME))
+        {
+            JsonArray trustArray = object.getJsonArray(TRUST_NAME);
+            List<String> trust = new ArrayList<>(trustArray.size());
+            trustArray.forEach(value -> trust.add(((JsonString) value).getString()));
+            tlsCondition.trust(trust);
+        }
+
+        if (object.containsKey(MUTUAL_NAME))
+        {
+            tlsCondition.mutual(TlsMutualConfig.valueOf(object.getString(MUTUAL_NAME).toUpperCase()));
+        }
+
         return tlsCondition.build();
     }
 

runtime/binding-tls/src/main/java/io/aklivity/zilla/runtime/binding/tls/internal/config/TlsConditionMatcher.java

@@ -15,29 +15,58 @@
  */
 package io.aklivity.zilla.runtime.binding.tls.internal.config;
 
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
 import java.util.Arrays;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509TrustManager;
+
 import org.agrona.collections.IntHashSet;
 
 import io.aklivity.zilla.runtime.binding.tls.config.TlsConditionConfig;
+import io.aklivity.zilla.runtime.binding.tls.config.TlsMutualConfig;
 
 public final class TlsConditionMatcher
 {
     public final Matcher authorityMatch;
     public final Matcher alpnMatch;
     public final IntHashSet ports;
+    public final TlsMutualConfig mutual;
+    public final TrustManagerFactory trustFactory;
 
     public TlsConditionMatcher(
-        TlsConditionConfig condition)
+        TlsConditionConfig condition,
+        TrustManagerFactory trustFactory)
     {
         this.authorityMatch = condition.authority != null ? asMatcher(condition.authority) : null;
         this.alpnMatch = condition.alpn != null ? asMatcher(condition.alpn) : null;
         this.ports = condition.ports != null ? asIntHashSet(condition.ports) : null;
+        // `trust` implies `mutual: required`
+        this.mutual = condition.mutual != null
+            ? condition.mutual
+            : condition.trust != null ? TlsMutualConfig.REQUIRED : null;
+        this.trustFactory = trustFactory;
     }
 
     public boolean matches(
+        String authority,
+        String alpn,
+        int port,
+        Certificate[] clientCerts)
+    {
+        return matchesAuthority(authority) &&
+                matchesAlpn(alpn) &&
+                matchesPort(port) &&
+                matchesMutual(clientCerts) &&
+                matchesTrust(clientCerts);
+    }
+
+    public boolean matchesIgnoringCert(
         String authority,
         String alpn,
         int port)
@@ -71,6 +100,72 @@ private boolean matchesPort(
         return ports == null || ports.contains(port);
     }
 
+    private boolean matchesMutual(
+        Certificate[] clientCerts)
+    {
+        boolean matches = true;
+        boolean present = clientCerts != null && clientCerts.length > 0;
+        if (mutual == TlsMutualConfig.REQUIRED)
+        {
+            matches = present;
+        }
+        else if (mutual == TlsMutualConfig.NONE)
+        {
+            matches = !present;
+        }
+        return matches;
+    }
+
+    private boolean matchesTrust(
+        Certificate[] clientCerts)
+    {
+        boolean matches = true;
+        if (trustFactory != null)
+        {
+            matches = false;
+            if (clientCerts != null && clientCerts.length > 0)
+            {
+                X509Certificate[] chain = asX509Chain(clientCerts);
+                if (chain != null)
+                {
+                    String authType = chain[0].getPublicKey().getAlgorithm();
+                    for (TrustManager tm : trustFactory.getTrustManagers())
+                    {
+                        if (tm instanceof X509TrustManager x509tm)
+                        {
+                            try
+                            {
+                                x509tm.checkClientTrusted(chain, authType);
+                                matches = true;
+                                break;
+                            }
+                            catch (CertificateException ex)
+                            {
+                                // not trusted by this trust manager
+                            }
+                        }
+                    }
+                }
+            }
+        }
+        return matches;
+    }
+
+    private static X509Certificate[] asX509Chain(
+        Certificate[] certs)
+    {
+        X509Certificate[] chain = new X509Certificate[certs.length];
+        for (int i = 0; i < certs.length; i++)
+        {
+            if (!(certs[i] instanceof X509Certificate x509))
+            {
+                return null;
+            }
+            chain[i] = x509;
+        }
+        return chain;
+    }
+
     private static Matcher asMatcher(
         String wildcard)
     {