added dedicated cli module

src/main/kotlin/net/woggioni/gbcs/auth/ClientCertificateValidator.kt

@@ -0,0 +1,77 @@
+package net.woggioni.gbcs.auth
+
+import java.security.KeyStore
+import java.security.cert.CertPathValidator
+import java.security.cert.CertificateFactory
+import java.security.cert.PKIXParameters
+import java.security.cert.PKIXRevocationChecker
+import java.security.cert.X509Certificate
+import java.util.EnumSet
+import io.netty.channel.ChannelHandlerContext
+import io.netty.channel.ChannelInboundHandlerAdapter
+import io.netty.handler.ssl.SslHandler
+import io.netty.handler.ssl.SslHandshakeCompletionEvent
+import javax.net.ssl.SSLSession
+import javax.net.ssl.TrustManagerFactory
+import javax.net.ssl.X509TrustManager
+
+
+class ClientCertificateValidator private constructor(
+    private val sslHandler : SslHandler,
+    private val x509TrustManager: X509TrustManager) : ChannelInboundHandlerAdapter() {
+    override fun userEventTriggered(ctx: ChannelHandlerContext, evt: Any) {
+        if (evt is SslHandshakeCompletionEvent) {
+            if (evt.isSuccess) {
+                val session: SSLSession = sslHandler.engine().session
+                val clientCertificateChain = session.peerCertificates as Array<X509Certificate>
+                val authType: String = clientCertificateChain[0].publicKey.algorithm
+                x509TrustManager.checkClientTrusted(clientCertificateChain, authType)
+            } else {
+                // Handle the failure, for example by closing the channel.
+            }
+        }
+        super.userEventTriggered(ctx, evt)
+    }
+
+    companion object {
+        fun getTrustManager(trustStore : KeyStore?, certificateRevocationEnabled : Boolean) : X509TrustManager {
+            return if(trustStore != null) {
+                val certificateFactory = CertificateFactory.getInstance("X.509")
+                val validator = CertPathValidator.getInstance("PKIX").apply {
+                    val rc = revocationChecker as PKIXRevocationChecker
+                    rc.options = EnumSet.of(
+                        PKIXRevocationChecker.Option.NO_FALLBACK)
+                }
+                val params = PKIXParameters(trustStore).apply {
+                    isRevocationEnabled = certificateRevocationEnabled
+                }
+                object : X509TrustManager {
+                    override fun checkClientTrusted(chain: Array<out X509Certificate>, authType: String) {
+                        val clientCertificateChain = certificateFactory.generateCertPath(chain.toList())
+                        validator.validate(clientCertificateChain, params)
+                    }
+
+                    override fun checkServerTrusted(chain: Array<out X509Certificate>, authType: String) {
+                        throw NotImplementedError()
+                    }
+
+                    private val acceptedIssuers = trustStore.aliases().asSequence()
+                        .filter (trustStore::isCertificateEntry)
+                        .map(trustStore::getCertificate)
+                        .map { it as X509Certificate }
+                        .toList()
+                        .toTypedArray()
+
+                    override fun getAcceptedIssuers() = acceptedIssuers
+                }
+            } else {
+                val trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
+                trustManagerFactory.trustManagers.asSequence().filter { it is X509TrustManager }.single() as X509TrustManager
+            }
+        }
+
+        fun of(sslHandler : SslHandler, trustStore : KeyStore?, certificateRevocationEnabled : Boolean) : ClientCertificateValidator {
+            return ClientCertificateValidator(sslHandler, getTrustManager(trustStore, certificateRevocationEnabled))
+        }
+    }
+}