echelon/i2p.i2p
1
0
Fork 0
forked from I2P_Developers/i2p.i2p
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

* Crypto: More implementation for key certs

Browse Source 
- Support i2cp.destination.sigType option in TunnelController and
    I2PSocketManagerFactory
  - Fixup of Destination.create() and Destination.size()
  - Add generic off/len methods in DSAEngine, needed for streaming
  - Fixup of sign/verify in streaming Packet
  - Javadocs
This commit is contained in:
zzz
2014-01-03 00:22:44 +00:00
parent 5842e25205
commit e8e239616f
9 changed files with 149 additions and 68 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
apps/i2ptunnel/java/src/net/i2p/i2ptunnel/I2PTunnel.java
View File

@ -1223,7 +1223,8 @@ public class I2PTunnel extends EventDispatcherImpl implements Logging {
}
/**
* Generate a new keypair
* Generate a new keypair.
* Does NOT support non-default sig types.
* Deprecated - only used by CLI
*
* Sets the event "genkeysResult" = "ok" or "error" after the generation is complete
@ -1266,7 +1267,8 @@ public class I2PTunnel extends EventDispatcherImpl implements Logging {
}
/**
* Generate a new keypair
* Generate a new keypair.
* Does NOT support non-default sig types.
* Deprecated - only used by CLI
*
* Sets the event "privateKey" = base64 of the privateKey stream and
@ -1275,7 +1277,7 @@ public class I2PTunnel extends EventDispatcherImpl implements Logging {
* @param l logger to receive events and output
*/
private static void runGenTextKeys(Logging l) {
ByteArrayOutputStream privkey = new ByteArrayOutputStream(512);
ByteArrayOutputStream privkey = new ByteArrayOutputStream(1024);
ByteArrayOutputStream pubkey = new ByteArrayOutputStream(512);
makeKey(privkey, pubkey, l);
l.log("Private key: " + Base64.encode(privkey.toByteArray()));
@ -1527,10 +1529,11 @@ public class I2PTunnel extends EventDispatcherImpl implements Logging {
/**
* Create a new destination, storing the destination and its private keys where
* instructed
* instructed.
* Does NOT support non-default sig types.
* Deprecated - only used by CLI
*
* @param writeTo location to store the private keys
* @param writeTo location to store the destination and private keys
* @param pubDest location to store the destination
* @param l logger to send messages to
*/

19
apps/i2ptunnel/java/src/net/i2p/i2ptunnel/TunnelController.java
View File

@ -7,11 +7,13 @@ import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import net.i2p.I2PAppContext;
import net.i2p.I2PException;
import net.i2p.client.I2PClient;
import net.i2p.client.I2PClientFactory;
import net.i2p.client.I2PSession;
import net.i2p.crypto.SigType;
import net.i2p.data.Base32;
import net.i2p.data.Destination;
import net.i2p.i2ptunnel.socks.I2PSOCKSTunnel;
@ -49,8 +51,8 @@ public class TunnelController implements Logging {
* the prefix should be used (and, in turn, that prefix should be stripped off
* before being interpreted by this controller)
*
* @param config original key=value mapping
* @param prefix beginning of key values that are relevent to this tunnel
* @param config original key=value mapping non-null
* @param prefix beginning of key values that are relevant to this tunnel
*/
public TunnelController(Properties config, String prefix) {
this(config, prefix, true);
@ -58,6 +60,8 @@ public class TunnelController implements Logging {
/**
*
* @param config original key=value mapping non-null
* @param prefix beginning of key values that are relevant to this tunnel
* @param createKey for servers, whether we want to create a brand new destination
* with private keys at the location specified or not (does not
* overwrite existing ones)
@ -99,7 +103,16 @@ public class TunnelController implements Logging {
FileOutputStream fos = null;
try {
fos = new SecureFileOutputStream(keyFile);
Destination dest = client.createDestination(fos);
SigType stype = I2PClient.DEFAULT_SIGTYPE;
String st = _config.getProperty("option." + I2PClient.PROP_SIGTYPE);
if (st != null) {
SigType type = SigType.parseSigType(st);
if (type != null)
stype = type;
else
log("Unsupported sig type " + st);
}
Destination dest = client.createDestination(fos, stype);
String destStr = dest.toBase64();
log("Private key created and saved in " + keyFile.getAbsolutePath());
log("You should backup this file in a secure place.");

14
apps/i2ptunnel/java/src/net/i2p/i2ptunnel/udpTunnel/I2PTunnelUDPClientBase.java
View File

@ -12,6 +12,7 @@ import net.i2p.client.I2PClient;
import net.i2p.client.I2PClientFactory;
import net.i2p.client.I2PSession;
import net.i2p.client.I2PSessionException;
import net.i2p.crypto.SigType;
import net.i2p.data.Destination;
import net.i2p.i2ptunnel.I2PTunnel;
import net.i2p.i2ptunnel.I2PTunnelTask;
@ -78,8 +79,17 @@ import net.i2p.util.EventDispatcher;
I2PClient client = I2PClientFactory.createClient();
byte[] key;
try {
ByteArrayOutputStream out = new ByteArrayOutputStream(512);
client.createDestination(out);
ByteArrayOutputStream out = new ByteArrayOutputStream(1024);
SigType stype = I2PClient.DEFAULT_SIGTYPE;
String st = tunnel.getClientOptions().getProperty(I2PClient.PROP_SIGTYPE);
if (st != null) {
SigType type = SigType.parseSigType(st);
if (type != null)
stype = type;
else
l.log("Unsupported sig type " + st);
}
client.createDestination(out, stype);
key = out.toByteArray();
} catch(Exception exc) {
throw new RuntimeException("failed to create i2p-destination", exc);

26
apps/ministreaming/java/src/net/i2p/client/streaming/I2PSocketManagerFactory.java
View File

@ -14,6 +14,7 @@ import net.i2p.client.I2PClient;
import net.i2p.client.I2PClientFactory;
import net.i2p.client.I2PSession;
import net.i2p.client.I2PSessionException;
import net.i2p.crypto.SigType;
import net.i2p.util.Log;
/**
@ -79,9 +80,9 @@ public class I2PSocketManagerFactory {
*/
public static I2PSocketManager createManager(String i2cpHost, int i2cpPort, Properties opts) {
I2PClient client = I2PClientFactory.createClient();
ByteArrayOutputStream keyStream = new ByteArrayOutputStream(512);
ByteArrayOutputStream keyStream = new ByteArrayOutputStream(1024);
try {
client.createDestination(keyStream);
client.createDestination(keyStream, getSigType(opts));
ByteArrayInputStream in = new ByteArrayInputStream(keyStream.toByteArray());
return createManager(in, i2cpHost, i2cpPort, opts);
} catch (IOException ioe) {
@ -168,9 +169,9 @@ public class I2PSocketManagerFactory {
int i2cpPort, Properties opts) throws I2PSessionException {
if (myPrivateKeyStream == null) {
I2PClient client = I2PClientFactory.createClient();
ByteArrayOutputStream keyStream = new ByteArrayOutputStream(512);
ByteArrayOutputStream keyStream = new ByteArrayOutputStream(1024);
try {
client.createDestination(keyStream);
client.createDestination(keyStream, getSigType(opts));
} catch (Exception e) {
throw new I2PSessionException("Error creating keys", e);
}
@ -257,6 +258,23 @@ public class I2PSocketManagerFactory {
return i2cpPort;
}
/**
* @param opts may be null
* @since 0.9.11
*/
private static SigType getSigType(Properties opts) {
if (opts != null) {
String st = opts.getProperty(I2PClient.PROP_SIGTYPE);
if (st != null) {
SigType rv = SigType.parseSigType(st);
if (rv != null)
return rv;
getLog().error("Unsupported sig type " + st);
}
}
return I2PClient.DEFAULT_SIGTYPE;
}
/** @since 0.9.7 */
private static Log getLog() {
return I2PAppContext.getGlobalContext().logManager().getLog(I2PSocketManagerFactory.class);

33
apps/streaming/java/src/net/i2p/client/streaming/Packet.java
View File

@ -397,13 +397,14 @@ class Packet {
* @throws IllegalStateException if there is data missing or otherwise b0rked
*/
public int writePacket(byte buffer[], int offset) throws IllegalStateException {
return writePacket(buffer, offset, true);
return writePacket(buffer, offset, 0);
}
/**
* @param includeSig if true, include the real signature, otherwise put zeroes
* in its place.
* @param fakeSigLen if 0, include the real signature in _optionSignature;
* if nonzero, leave space for that many bytes
*/
private int writePacket(byte buffer[], int offset, boolean includeSig) throws IllegalStateException {
private int writePacket(byte buffer[], int offset, int fakeSigLen) throws IllegalStateException {
int cur = offset;
DataHelper.toLong(buffer, cur, 4, (_sendStreamId >= 0 ? _sendStreamId : STREAM_ID_UNKNOWN));
cur += 4;
@ -438,7 +439,12 @@ class Packet {
if (isFlagSet(FLAG_MAX_PACKET_SIZE_INCLUDED))
optionSize += 2;
if (isFlagSet(FLAG_SIGNATURE_INCLUDED)) {
optionSize += _optionSignature.length();
if (fakeSigLen > 0)
optionSize += fakeSigLen;
else if (_optionSignature != null)
optionSize += _optionSignature.length();
else
throw new IllegalStateException();
}
DataHelper.toLong(buffer, cur, 2, optionSize);
@ -456,11 +462,14 @@ class Packet {
cur += 2;
}
if (isFlagSet(FLAG_SIGNATURE_INCLUDED)) {
if (includeSig)
if (fakeSigLen == 0) {
// we're signing (or validating)
System.arraycopy(_optionSignature.getData(), 0, buffer, cur, _optionSignature.length());
else // we're signing (or validating)
Arrays.fill(buffer, cur, cur + _optionSignature.length(), (byte)0x0);
cur += _optionSignature.length();
cur += _optionSignature.length();
} else {
Arrays.fill(buffer, cur, cur + fakeSigLen, (byte)0x0);
cur += fakeSigLen;
}
}
if (_payload != null) {
@ -661,7 +670,7 @@ class Packet {
if (buffer == null)
buffer = new byte[size];
int written = writePacket(buffer, 0, false);
int written = writePacket(buffer, 0, from.getSigningPublicKey().getType().getSigLen());
if (written != size) {
ctx.logManager().getLog(Packet.class).error("Written " + written + " size " + size + " for " + toString(), new Exception("moo"));
return false;
@ -692,7 +701,7 @@ class Packet {
*/
public int writeSignedPacket(byte buffer[], int offset, I2PAppContext ctx, SigningPrivateKey key) throws IllegalStateException {
setFlag(FLAG_SIGNATURE_INCLUDED);
int size = writePacket(buffer, offset, false);
int size = writePacket(buffer, offset, key.getType().getSigLen());
_optionSignature = ctx.dsa().sign(buffer, offset, size, key);
//if (false) {
// Log l = ctx.logManager().getLog(Packet.class);
@ -760,7 +769,7 @@ class Packet {
if (isFlagSet(FLAG_CLOSE)) buf.append(" CLOSE");
if (isFlagSet(FLAG_DELAY_REQUESTED)) buf.append(" DELAY ").append(_optionDelay);
if (isFlagSet(FLAG_ECHO)) buf.append(" ECHO");
if (isFlagSet(FLAG_FROM_INCLUDED)) buf.append(" FROM");
if (isFlagSet(FLAG_FROM_INCLUDED)) buf.append(" FROM ").append(_optionFrom.size());
if (isFlagSet(FLAG_MAX_PACKET_SIZE_INCLUDED)) buf.append(" MS ").append(_optionMaxSize);
if (isFlagSet(FLAG_PROFILE_INTERACTIVE)) buf.append(" INTERACTIVE");
if (isFlagSet(FLAG_RESET)) buf.append(" RESET");

5
core/java/src/net/i2p/client/I2PClient.java
View File

@ -41,6 +41,11 @@ public interface I2PClient {
/** @since 0.8.1 */
public final static String PROP_RELIABILITY_NONE = "none";
/** @since 0.9.11 */
public static final String PROP_SIGTYPE = "i2cp.destination.sigType";
/** @since 0.9.11 */
public static final SigType DEFAULT_SIGTYPE = SigType.DSA_SHA1;
/**
* For router->client payloads.
*

2
core/java/src/net/i2p/client/I2PClientImpl.java
View File

@ -47,7 +47,7 @@ class I2PClientImpl implements I2PClient {
* format is specified in {@link net.i2p.data.PrivateKeyFile PrivateKeyFile}
*/
public Destination createDestination(OutputStream destKeyStream) throws I2PException, IOException {
return createDestination(destKeyStream, SigType.DSA_SHA1);
return createDestination(destKeyStream, DEFAULT_SIGTYPE);
}
/**

77
core/java/src/net/i2p/crypto/DSAEngine.java
View File

@ -89,13 +89,20 @@ public class DSAEngine {
* Uses TheCrypto code for DSA-SHA1 unless configured to use the java.security libraries.
*/
public boolean verifySignature(Signature signature, byte signedData[], SigningPublicKey verifyingKey) {
return verifySignature(signature, signedData, 0, signedData.length, verifyingKey);
}
/**
* Verify using any sig type as of 0.9.11 (DSA only prior to that)
*/
public boolean verifySignature(Signature signature, byte signedData[], int offset, int size, SigningPublicKey verifyingKey) {
boolean rv;
SigType type = signature.getType();
if (type != verifyingKey.getType())
throw new IllegalArgumentException("type mismatch sig=" + signature.getType() + " key=" + verifyingKey.getType());
if (type != SigType.DSA_SHA1) {
try {
rv = altVerifySig(signature, signedData, verifyingKey);
rv = altVerifySig(signature, signedData, offset, size, verifyingKey);
if ((!rv) && _log.shouldLog(Log.WARN))
_log.warn(type + " Sig Verify Fail");
return rv;
@ -107,7 +114,7 @@ public class DSAEngine {
}
if (_useJavaLibs) {
try {
rv = altVerifySigSHA1(signature, signedData, verifyingKey);
rv = altVerifySigSHA1(signature, signedData, offset, size, verifyingKey);
if ((!rv) && _log.shouldLog(Log.WARN))
_log.warn("Lib DSA Sig Verify Fail");
return rv;
@ -117,19 +124,12 @@ public class DSAEngine {
// now try TheCrypto
}
}
rv = verifySignature(signature, signedData, 0, signedData.length, verifyingKey);
rv = verifySignature(signature, calculateHash(signedData, offset, size), verifyingKey);
if ((!rv) && _log.shouldLog(Log.WARN))
_log.warn("TheCrypto DSA Sig Verify Fail");
return rv;
}
/**
* Verify using DSA-SHA1 ONLY
*/
public boolean verifySignature(Signature signature, byte signedData[], int offset, int size, SigningPublicKey verifyingKey) {
return verifySignature(signature, calculateHash(signedData, offset, size), verifyingKey);
}
/**
* Verify using DSA-SHA1 ONLY
*/
@ -256,16 +256,26 @@ public class DSAEngine {
}
/**
* Sign using DSA-SHA1 or ECDSA.
* Sign using any key type.
* Uses TheCrypto code unless configured to use the java.security libraries.
*
* @return null on error
*/
public Signature sign(byte data[], SigningPrivateKey signingKey) {
return sign(data, 0, data.length, signingKey);
}
/**
* Sign using any key type as of 0.9.11 (DSA-SHA1 only prior to that)
*
* @return null on error
*/
public Signature sign(byte data[], int offset, int length, SigningPrivateKey signingKey) {
if ((signingKey == null) || (data == null) || (data.length <= 0)) return null;
SigType type = signingKey.getType();
if (type != SigType.DSA_SHA1) {
try {
return altSign(data, signingKey);
return altSign(data, offset, length, signingKey);
} catch (GeneralSecurityException gse) {
if (_log.shouldLog(Log.WARN))
_log.warn(type + " Sign Fail", gse);
@ -274,23 +284,13 @@ public class DSAEngine {
}
if (_useJavaLibs) {
try {
return altSignSHA1(data, signingKey);
return altSignSHA1(data, offset, length, signingKey);
} catch (GeneralSecurityException gse) {
if (_log.shouldLog(Log.WARN))
_log.warn("Lib Sign Fail, privkey = " + signingKey, gse);
// now try TheCrypto
}
}
return sign(data, 0, data.length, signingKey);
}
/**
* Sign using DSA-SHA1 ONLY
*
* @return null on error
*/
public Signature sign(byte data[], int offset, int length, SigningPrivateKey signingKey) {
if ((signingKey == null) || (data == null) || (data.length <= 0)) return null;
SHA1Hash h = calculateHash(data, offset, length);
return sign(h, signingKey);
}
@ -495,20 +495,20 @@ public class DSAEngine {
/**
* Generic verify DSA_SHA1, ECDSA, or RSA
* @throws GeneralSecurityException if algorithm unvailable or on other errors
* @since 0.9.9
* @since 0.9.9 added off/len 0.9.11
*/
private boolean altVerifySig(Signature signature, byte[] data, SigningPublicKey verifyingKey)
private boolean altVerifySig(Signature signature, byte[] data, int offset, int len, SigningPublicKey verifyingKey)
throws GeneralSecurityException {
SigType type = signature.getType();
if (type != verifyingKey.getType())
throw new IllegalArgumentException("type mismatch sig=" + type + " key=" + verifyingKey.getType());
if (type == SigType.DSA_SHA1)
return altVerifySigSHA1(signature, data, verifyingKey);
return altVerifySigSHA1(signature, data, offset, len, verifyingKey);
java.security.Signature jsig = java.security.Signature.getInstance(type.getAlgorithmName());
PublicKey pubKey = SigUtil.toJavaKey(verifyingKey);
jsig.initVerify(pubKey);
jsig.update(data);
jsig.update(data, offset, len);
boolean rv = jsig.verify(SigUtil.toJavaSig(signature));
return rv;
}
@ -555,13 +555,14 @@ public class DSAEngine {
/**
* Alternate to verifySignature() using java.security libraries.
* @throws GeneralSecurityException if algorithm unvailable or on other errors
* @since 0.8.7
* @since 0.8.7 added off/len 0.9.11
*/
private boolean altVerifySigSHA1(Signature signature, byte[] data, SigningPublicKey verifyingKey) throws GeneralSecurityException {
private boolean altVerifySigSHA1(Signature signature, byte[] data, int offset,
int len, SigningPublicKey verifyingKey) throws GeneralSecurityException {
java.security.Signature jsig = java.security.Signature.getInstance("SHA1withDSA");
PublicKey pubKey = SigUtil.toJavaDSAKey(verifyingKey);
jsig.initVerify(pubKey);
jsig.update(data);
jsig.update(data, offset, len);
boolean rv = jsig.verify(SigUtil.toJavaSig(signature));
//if (!rv) {
// System.out.println("BAD SIG\n" + net.i2p.util.HexDump.dump(signature.getData()));
@ -573,17 +574,18 @@ public class DSAEngine {
/**
* Generic sign DSA_SHA1, ECDSA, or RSA
* @throws GeneralSecurityException if algorithm unvailable or on other errors
* @since 0.9.9
* @since 0.9.9 added off/len 0.9.11
*/
private Signature altSign(byte[] data, SigningPrivateKey privateKey) throws GeneralSecurityException {
private Signature altSign(byte[] data, int offset, int len,
SigningPrivateKey privateKey) throws GeneralSecurityException {
SigType type = privateKey.getType();
if (type == SigType.DSA_SHA1)
return altSignSHA1(data, privateKey);
return altSignSHA1(data, offset, len, privateKey);
java.security.Signature jsig = java.security.Signature.getInstance(type.getAlgorithmName());
PrivateKey privKey = SigUtil.toJavaKey(privateKey);
jsig.initSign(privKey, _context.random());
jsig.update(data);
jsig.update(data, offset, len);
return SigUtil.fromJavaSig(jsig.sign(), type);
}
@ -622,13 +624,14 @@ public class DSAEngine {
/**
* Alternate to sign() using java.security libraries.
* @throws GeneralSecurityException if algorithm unvailable or on other errors
* @since 0.8.7
* @since 0.8.7 added off/len args 0.9.11
*/
private Signature altSignSHA1(byte[] data, SigningPrivateKey privateKey) throws GeneralSecurityException {
private Signature altSignSHA1(byte[] data, int offset, int len,
SigningPrivateKey privateKey) throws GeneralSecurityException {
java.security.Signature jsig = java.security.Signature.getInstance("SHA1withDSA");
PrivateKey privKey = SigUtil.toJavaDSAKey(privateKey);
jsig.initSign(privKey, _context.random());
jsig.update(data);
jsig.update(data, offset, len);
return SigUtil.fromJavaSig(jsig.sign(), SigType.DSA_SHA1);
}

26
core/java/src/net/i2p/data/Destination.java
View File

@ -57,6 +57,16 @@ public class Destination extends KeysAndCert {
PublicKey pk = PublicKey.create(in);
SigningPublicKey sk = SigningPublicKey.create(in);
Certificate c = Certificate.create(in);
byte[] padding;
if (c.getCertificateType() == Certificate.CERTIFICATE_TYPE_KEY) {
// convert SPK to new SPK and padding
KeyCertificate kcert = c.toKeyCertificate();
padding = sk.getPadding(kcert);
sk = sk.toTypedKey(kcert);
c = kcert;
} else {
padding = null;
}
Destination rv;
synchronized(_cache) {
rv = _cache.get(sk);
@ -67,7 +77,7 @@ public class Destination extends KeysAndCert {
}
//if (STATS)
// I2PAppContext.getGlobalContext().statManager().addRateData("DestCache", 0);
rv = new Destination(pk, sk, c);
rv = new Destination(pk, sk, c, padding);
_cache.put(sk, rv);
}
return rv;
@ -86,10 +96,11 @@ public class Destination extends KeysAndCert {
/**
* @since 0.9.9
*/
private Destination(PublicKey pk, SigningPublicKey sk, Certificate c) {
private Destination(PublicKey pk, SigningPublicKey sk, Certificate c, byte[] padding) {
_publicKey = pk;
_signingKey = sk;
_certificate = c;
_padding = padding;
}
/**
@ -138,7 +149,16 @@ public class Destination extends KeysAndCert {
****/
public int size() {
return PublicKey.KEYSIZE_BYTES + _signingKey.length() + _certificate.size();
int rv = PublicKey.KEYSIZE_BYTES + _signingKey.length();
if (_certificate.getCertificateType() == Certificate.CERTIFICATE_TYPE_KEY) {
// cert data included in keys
rv += 7;
if (_padding != null)
rv += _padding.length;
} else {
rv += _certificate.size();
}
return rv;
}
/**