Update HTTP-TPC to ignore whether certificates have allowed namespace

Motivation: Namespace checking rejects certificates if the subject DN is not one of the allowed values for that certificate's CA. A list of allowed subject DNs is maintained by IGTF for their trust store. There are two problems with this approach. 1. it is IGTF specific. There is no equivalent for CA/B, making interoperability with CA/B-approved CAs non-trivial. 2. for HTTP-TPC, the check is pointless. It protects the certificate's Subject DN, which plays no role in the identity of the remote site. Instead, the X.509 v3 Subject Alternative Name is used, instead. Modification: Update the SSLContext (which includes the certificate chain validation) for the Apache HTTP client. There is (no longer) any namespace checking for such certificates. Note that the namespace checking for client X.509 certificates (which is the intended target of namespace checking) is unaffected by this change. Result: HTTP-TPC now works with remote sites that have a CA/B certificate and using the system standard trust store. Closes: italiangrid#65
paulmillar · Nov 27, 2024 · c558bbf · c558bbf
1 parent 515285d
commit c558bbf
Showing 1 changed file with 14 additions and 5 deletions.
diff --git a/src/main/java/org/italiangrid/storm/webdav/spring/AppConfig.java b/src/main/java/org/italiangrid/storm/webdav/spring/AppConfig.java
@@ -33,6 +33,7 @@
 import java.util.concurrent.ScheduledExecutorService;
 import java.util.concurrent.ThreadFactory;
 import java.util.concurrent.TimeUnit;
+import java.util.function.Function;
 
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.SSLContext;
@@ -201,25 +202,31 @@ HealthCheckRegistry healthCheckRegistry() {
 
   @Bean
   X509CertChainValidatorExt canlCertChainValidator(ServiceConfiguration configuration) {
+    return canlCertChainCustomValidator(configuration,
+            b -> b.namespaceChecks(NamespaceCheckingMode.EUGRIDPMA_AND_GLOBUS_REQUIRE));
+  }
+
+  private X509CertChainValidatorExt canlCertChainCustomValidator(ServiceConfiguration configuration,
+          Function<CertificateValidatorBuilder,CertificateValidatorBuilder> customiseValidatorBuilder) {
 
     CANLListener l = new org.italiangrid.storm.webdav.server.util.CANLListener();
-    CertificateValidatorBuilder builder = new CertificateValidatorBuilder();
 
     long refreshInterval =
         TimeUnit.SECONDS.toMillis(configuration.getTrustAnchorsRefreshIntervalInSeconds());
 
-    return builder.namespaceChecks(NamespaceCheckingMode.EUGRIDPMA_AND_GLOBUS_REQUIRE)
+    CertificateValidatorBuilder builder = new CertificateValidatorBuilder()
       .crlChecks(CrlCheckingMode.IF_VALID)
       .ocspChecks(OCSPCheckingMode.IGNORE)
       .lazyAnchorsLoading(false)
       .storeUpdateListener(l)
       .validationErrorListener(l)
       .trustAnchorsDir(configuration.getTrustAnchorsDir())
-      .trustAnchorsUpdateInterval(refreshInterval)
-      .build();
+      .trustAnchorsUpdateInterval(refreshInterval);
 
+    return customiseValidatorBuilder.apply(builder).build();
   }
 
+
   @Bean
   PathResolver pathResolver(ServiceConfiguration conf) {
     return new DefaultPathResolver(storageAreaConfiguration(conf));
@@ -242,7 +249,9 @@ HttpClientConnectionManager tpcClientConnectionManager(ThirdPartyCopyProperties
       NoSuchAlgorithmException, NoSuchProviderException, KeyManagementException {
     PEMCredential serviceCredential = serviceCredential(conf);
 
-    SSLTrustManager tm = new SSLTrustManager(canlCertChainValidator(conf));
+    X509CertChainValidatorExt validator = canlCertChainCustomValidator(conf,
+            b -> b.namespaceChecks(NamespaceCheckingMode.IGNORE));
+    SSLTrustManager tm = new SSLTrustManager(validator);
 
     SSLContext ctx;