* I2CP over SSL, enable with i2cp.SSL=true

2010-12-14 14:27:35 +00:00
parent 59af763dcd
commit 8efefeeb5b
6 changed files with 526 additions and 37 deletions
--- a/core/java/src/net/i2p/client/I2CPSSLSocketFactory.java
+++ b/core/java/src/net/i2p/client/I2CPSSLSocketFactory.java
@ -0,0 +1,183 @@
+package net.i2p.client;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.Socket;
+import java.security.KeyStore;
+import java.security.GeneralSecurityException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateExpiredException;
+import java.security.cert.CertificateNotYetValidException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocketFactory;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509TrustManager;
+
+import net.i2p.I2PAppContext;
+import net.i2p.util.Log;
+
+/**
+ * Loads trusted ASCII certs from ~/.i2p/certificates/ and $CWD/certificates/.
+ * Keeps a single static SSLContext for the whole JVM.
+ *
+ * @author zzz
+ * @since 0.8.3
+ */
+class I2CPSSLSocketFactory {
+
+    private static final Object _initLock = new Object();
+    private static SSLSocketFactory _factory;
+    private static Log _log;
+
+    private static final String CERT_DIR = "certificates";
+
+    /**
+     * Initializes the static SSL Context if required, then returns a socket
+     * to the host.
+     *
+     * @param ctx just for logging
+     * @throws IOException on init error or usual socket errors
+     */
+    public static Socket createSocket(I2PAppContext ctx, String host, int port) throws IOException {
+        synchronized(_initLock) {
+            if (_factory == null) {
+                _log = ctx.logManager().getLog(I2CPSSLSocketFactory.class);
+                initSSLContext(ctx);
+                if (_factory == null)
+                    throw new IOException("Unable to create SSL Context for I2CP Client");
+                _log.info("I2CP Client-side SSL Context initialized");
+            }
+        }
+        return _factory.createSocket(host, port);
+    }
+
+    /**
+     *  Loads certs from
+     *  the ~/.i2p/certificates/ and $CWD/certificates/ directories.
+     */
+    private static void initSSLContext(I2PAppContext context) {
+        KeyStore ks;
+        try {
+            ks = KeyStore.getInstance(KeyStore.getDefaultType());
+            ks.load(null, "".toCharArray());
+        } catch (GeneralSecurityException gse) {
+            _log.error("Key Store init error", gse);
+            return;
+        } catch (IOException ioe) {
+            _log.error("Key Store init error", ioe);
+            return;
+        }
+
+        File dir = new File(context.getConfigDir(), CERT_DIR);
+        int adds = addCerts(dir, ks);
+        int totalAdds = adds;
+        if (adds > 0 && _log.shouldLog(Log.INFO))
+            _log.info("Loaded " + adds + " trusted certificates from " + dir.getAbsolutePath());
+
+        File dir2 = new File(System.getProperty("user.dir"), CERT_DIR);
+        if (!dir.getAbsolutePath().equals(dir2.getAbsolutePath())) {
+            adds = addCerts(dir2, ks);
+            totalAdds += adds;
+            if (adds > 0 && _log.shouldLog(Log.INFO))
+                _log.info("Loaded " + adds + " trusted certificates from " + dir.getAbsolutePath());
+        }
+        if (totalAdds > 0) {
+            if (_log.shouldLog(Log.INFO))
+                _log.info("Loaded total of " + totalAdds + " new trusted certificates");
+        } else {
+            _log.error("No trusted certificates loaded (looked in " +
+                       dir.getAbsolutePath() + (dir.getAbsolutePath().equals(dir2.getAbsolutePath()) ? "" : (" and " + dir2.getAbsolutePath())) +
+                       ", I2CP SSL client connections will fail. " +
+                       "Copy the file certificates/i2cp.local.crt from the router to the directory.");
+            // don't continue, since we didn't load the system keystore, we have nothing.
+            return;
+        }
+
+        try {
+            SSLContext sslc = SSLContext.getInstance("TLS");
+            TrustManagerFactory tmf =   TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+            tmf.init(ks);
+            sslc.init(null, tmf.getTrustManagers(), context.random());
+            _factory = sslc.getSocketFactory();
+        } catch (GeneralSecurityException gse) {
+            _log.error("SSL context init error", gse);
+        }
+    }
+
+    /**
+     *  Load all X509 Certs from a directory and add them to the
+     *  trusted set of certificates in the key store
+     *
+     *  @return number successfully added
+     */
+    private static int addCerts(File dir, KeyStore ks) {
+        if (_log.shouldLog(Log.INFO))
+            _log.info("Looking for X509 Certificates in " + dir.getAbsolutePath());
+        int added = 0;
+        if (dir.exists() && dir.isDirectory()) {
+            File[] files = dir.listFiles();
+            if (files != null) {
+                for (int i = 0; i < files.length; i++) {
+                    File f = files[i];
+                    if (!f.isFile())
+                        continue;
+                    // use file name as alias
+                    String alias = f.getName().toLowerCase();
+                    boolean success = addCert(f, alias, ks);
+                    if (success)
+                        added++;
+                }
+            }
+        }
+        return added;
+    }
+
+    /**
+     *  Load an X509 Cert from a file and add it to the
+     *  trusted set of certificates in the key store
+     *
+     *  @return success
+     */
+    private static boolean addCert(File file, String alias, KeyStore ks) {
+        InputStream fis = null;
+        try {
+            fis = new FileInputStream(file);
+            CertificateFactory cf = CertificateFactory.getInstance("X.509");
+            X509Certificate cert = (X509Certificate)cf.generateCertificate(fis);
+            if (_log.shouldLog(Log.INFO)) {
+                _log.info("Read X509 Certificate from " + file.getAbsolutePath() +
+                          " Issuer: " + cert.getIssuerX500Principal() +
+                          "; Valid From: " + cert.getNotBefore() +
+                          " To: " + cert.getNotAfter());
+            }
+            try {
+                cert.checkValidity();
+            } catch (CertificateExpiredException cee) {
+                _log.error("Rejecting expired X509 Certificate: " + file.getAbsolutePath(), cee);
+                return false;
+            } catch (CertificateNotYetValidException cnyve) {
+                _log.error("Rejecting X509 Certificate not yet valid: " + file.getAbsolutePath(), cnyve);
+                return false;
+            }
+            ks.setCertificateEntry(alias, cert);
+            if (_log.shouldLog(Log.INFO))
+                _log.info("Now trusting X509 Certificate, Issuer: " + cert.getIssuerX500Principal());
+        } catch (GeneralSecurityException gse) {
+            _log.error("Error reading X509 Certificate: " + file.getAbsolutePath(), gse);
+            return false;
+        } catch (IOException ioe) {
+            _log.error("Error reading X509 Certificate: " + file.getAbsolutePath(), ioe);
+            return false;
+        } finally {
+            try { if (fis != null) fis.close(); } catch (IOException foo) {}
+        }
+        return true;
+    }
+}
--- a/core/java/src/net/i2p/client/I2PSessionImpl.java
+++ b/core/java/src/net/i2p/client/I2PSessionImpl.java
@ -131,6 +131,9 @@ abstract class I2PSessionImpl implements I2PSession, I2CPMessageReader.I2CPMessa
    private long _lastActivity;
    private boolean _isReduced;

+    /** SSL interface (only) @since 0.8.3 */
+    protected static final String PROP_ENABLE_SSL = "i2cp.SSL";
+
    void dateUpdated() {
        _dateReceived = true;
        synchronized (_dateReceivedLock) {
@ -181,7 +184,10 @@ abstract class I2PSessionImpl implements I2PSession, I2CPMessageReader.I2CPMessa
    protected void loadConfig(Properties options) {
        _options = new Properties();
        _options.putAll(filter(options));
-        if (!_context.isRouterContext()) {
+        if (_context.isRouterContext()) {
+            // just for logging
+            _hostname = "[internal connection]";
+        } else {
            _hostname = _options.getProperty(I2PClient.PROP_TCP_HOST, "127.0.0.1");
            String portNum = _options.getProperty(I2PClient.PROP_TCP_PORT, LISTEN_PORT + "");
            try {
@ -195,6 +201,7 @@ abstract class I2PSessionImpl implements I2PSession, I2CPMessageReader.I2CPMessa
        }

        // auto-add auth if required, not set in the options, and we are in the same JVM
+        // TODO bypass this on router side for internal connections
        if (_context.isRouterContext() &&
            Boolean.valueOf(_context.getProperty("i2cp.auth")).booleanValue() &&
            ((!options.containsKey("i2cp.username")) || (!options.containsKey("i2cp.password")))) {
@ -302,7 +309,10 @@ abstract class I2PSessionImpl implements I2PSession, I2CPMessageReader.I2CPMessa
                _queue = mgr.connect();
                _reader = new QueuedI2CPMessageReader(_queue, this);
            } else {
-                _socket = new Socket(_hostname, _portNum);
+                if (Boolean.valueOf(_options.getProperty(PROP_ENABLE_SSL)).booleanValue())
+                    _socket = I2CPSSLSocketFactory.createSocket(_context, _hostname, _portNum);
+                else
+                    _socket = new Socket(_hostname, _portNum);
                // _socket.setSoTimeout(1000000); // Uhmmm we could really-really use a real timeout, and handle it.
                _out = _socket.getOutputStream();
                synchronized (_out) {
--- a/core/java/src/net/i2p/client/I2PSimpleSession.java
+++ b/core/java/src/net/i2p/client/I2PSimpleSession.java
@ -23,7 +23,6 @@ import net.i2p.internal.I2CPMessageQueue;
 import net.i2p.internal.InternalClientManager;
 import net.i2p.internal.QueuedI2CPMessageReader;
 import net.i2p.util.I2PAppThread;
-import net.i2p.util.InternalSocket;

 /**
 * Create a new session for doing naming and bandwidth queries only. Do not create a Destination.
@ -80,7 +79,10 @@ class I2PSimpleSession extends I2PSessionImpl2 {
                _queue = mgr.connect();
                _reader = new QueuedI2CPMessageReader(_queue, this);
            } else {
-                _socket = new Socket(_hostname, _portNum);
+                if (Boolean.valueOf(getOptions().getProperty(PROP_ENABLE_SSL)).booleanValue())
+                    _socket = I2CPSSLSocketFactory.createSocket(_context, _hostname, _portNum);
+                else
+                    _socket = new Socket(_hostname, _portNum);
                _out = _socket.getOutputStream();
                synchronized (_out) {
                    _out.write(I2PClient.PROTOCOL_BYTE);