Changeset 27042f9


Timestamp:
Feb 25, 2018 4:31:48 PM (2 years ago)
Author:
zzz <zzz@…>
Branches:
master
Children:
7035db2
Parents:
4c02c1f
Message:

i2ptunnel: Add alt names in standard and irc client tunnel certs

Location:
apps/i2ptunnel/java/src/net/i2p/i2ptunnel
Files:
3 edited

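--- a/apps/i2ptunnel/java/src/net/i2p/i2ptunnel/I2PTunnelClientBase.java
+++ b/apps/i2ptunnel/java/src/net/i2p/i2ptunnel/I2PTunnelClientBase.java
@@ -15,6 +15,8 @@
 import java.net.UnknownHostException;
 import java.util.ArrayList;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Properties;
+import java.util.Set;
 import java.util.concurrent.RejectedExecutionException;
 import java.util.concurrent.ThreadPoolExecutor;
@@ -701,6 +703,27 @@
             boolean useSSL = Boolean.parseBoolean(opts.getProperty(PROP_USE_SSL));
             if (useSSL) {
-                // was already done in web/IndexBean.java when saving the config
-                boolean wasCreated = SSLClientUtil.verifyKeyStore(opts);
+                // was already done in GeneralHelper.updateTunnelConfig() when saving the config
+                // we should never be generating the cert here.
+                // add the local interface and all targets to the cert
+                Set<String> altNames = new HashSet<String>(4);
+                String intfc = getTunnel().listenHost;
+                if (intfc != null && !intfc.equals("0.0.0.0") && !intfc.equals("::") &&
+                    !intfc.equals("0:0:0:0:0:0:0:0"))
+                    altNames.add(intfc);
+                // We can't easily get to the targetDestination property,
+                // or the _addrs List in I2PTunnelClient, or the target argument in I2PTunnel from here,
+                // but it shouldn't matter, we should never be generating the cert here.
+                //String targets = ...
+                //if (targets != null) {
+                //    StringTokenizer tok = new StringTokenizer(targets, ", ");
+                //    while (tok.hasMoreTokens()) {
+                //        String h = tok.nextToken();
+                //        int colon = h.indexOf(':');
+                //        if (colon >= 0)
+                //            h = h.substring(0, colon);
+                //        altNames.add(h);
+                //    }
+                //}
+                boolean wasCreated = SSLClientUtil.verifyKeyStore(opts, "", altNames);
                 if (wasCreated) {
                     // From here, we can't save the config.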
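Review bot: The `if (wasCreated)` branch that survives below the new code shows the certificate can still be generated on this path (a config that never went through GeneralHelper), and when it is, `altNames` holds only the listen interface — a client that checks the target hostname against the cert's SANs will then fail to validate, and nothing in the hunk records why. I would make that visible where `wasCreated` is true, e.g. `// SAN set here has no target hosts; cert generated on this path will not match the destination hostname — re-save the tunnel in the UI to regenerate`, and log it at warn level with whatever logger the class already uses (not visible in the hunk). The eleven lines of commented-out `StringTokenizer` code from `//String targets = ...` to `//}` duplicate what the three-line comment above them already says and should be dropped rather than kept as dead code. The enclosing method starts and ends outside this hunk.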
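--- a/apps/i2ptunnel/java/src/net/i2p/i2ptunnel/SSLClientUtil.java
+++ b/apps/i2ptunnel/java/src/net/i2p/i2ptunnel/SSLClientUtil.java
@@ -7,5 +7,7 @@
 import java.security.KeyStore;
 import java.security.GeneralSecurityException;
+import java.util.HashSet;
 import java.util.Properties;
+import java.util.Set;
 
 import javax.net.ssl.KeyManagerFactory;
@@ -57,4 +59,20 @@
      */
     public static boolean verifyKeyStore(Properties opts, String optPfx) throws IOException {
+        return verifyKeyStore(opts, optPfx, null);
+    }
+
+    /**
+     *  Create a new selfsigned cert and keystore and pubkey cert if they don't exist.
+     *  May take a while.
+     *
+     *  @param opts in/out, updated if rv is true
+     *  @param optPfx add this prefix when getting/setting options
+     *  @param altNames the Subject Alternative Names. May be null. May contain hostnames and/or IP addresses.
+     *                  cname, localhost, 127.0.0.1, and ::1 will be automatically added.
+     *  @return false if it already exists; if true, caller must save opts
+     *  @throws IOException on creation fail
+     *  @since 0.9.34 added altNames param
+     */
+    public static boolean verifyKeyStore(Properties opts, String optPfx, Set<String> altNames) throws IOException {
         String name = opts.getProperty(optPfx + PROP_KEY_ALIAS);
         if (name == null) {
@@ -80,5 +98,5 @@
                 throw new IOException("Unable to create keystore " + ks);
         }
-        boolean rv = createKeyStore(ks, name, opts, optPfx);
+        boolean rv = createKeyStore(ks, name, opts, optPfx, altNames);
         if (!rv)
             throw new IOException("Unable to create keystore " + ks);
@@ -93,12 +111,14 @@
 
     /**
-     *  Call out to keytool to create a new keystore with a keypair in it.
+     *  Create a new keystore with a keypair in it.
      *
      *  @param name used in CNAME
      *  @param opts in/out, updated if rv is true, must contain PROP_KEY_ALIAS
      *  @param optPfx add this prefix when getting/setting options
+     *  @param altNames the Subject Alternative Names. May be null. May contain hostnames and/or IP addresses.
+     *                  cname, localhost, 127.0.0.1, and ::1 will be automatically added.
      *  @return success, if true, opts will have password properties added to be saved
      */
-    private static boolean createKeyStore(File ks, String name, Properties opts, String optPfx) {
+    private static boolean createKeyStore(File ks, String name, Properties opts, String optPfx, Set<String> altNames) {
         // make a random 48 character password (30 * 8 / 5)
         String keyPassword = KeyStoreUtil.randomString();
@@ -106,5 +126,5 @@
 
         String keyName = opts.getProperty(optPfx + PROP_KEY_ALIAS);
-        boolean success = KeyStoreUtil.createKeys(ks, keyName, cname, "I2PTUNNEL", keyPassword);
+        boolean success = KeyStoreUtil.createKeys(ks, keyName, cname, altNames, "I2PTUNNEL", keyPassword);
         if (success) {
             success = ks.exists();
@@ -116,5 +136,6 @@
         if (success) {
             logAlways("Created self-signed certificate for " + cname + " in keystore: " + ks.getAbsolutePath() + "\n" +
-                           "The certificate was generated randomly, and is not associated with your " +
+                      "The certificate was generated randomly.\n" +
+                      "Unless you have changed the default settings, the certificate is not associated with your " +
                            "IP address, host name, router identity, or destination keys.");
         } else {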
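Review bot: The reworded `logAlways` message in the last hunk still tells the operator the certificate "is not associated with your IP address, host name", but with a non-empty `altNames` the cert now carries the listen interface and the target hostnames as SANs, so the log understates what the cert binds to. I would print the SANs that were actually used, e.g. `logAlways("Created self-signed certificate for " + cname + (altNames != null && !altNames.isEmpty() ? " with alt names " + altNames : "") + " in keystore: " + ks.getAbsolutePath() + "\n" + ...`. The new three-arg `verifyKeyStore` Javadoc also says nothing about null or empty elements inside `altNames`; `KeyStoreUtil.createKeys` is not visible here, so either add an `@param` caveat that entries must be non-null, non-empty host names or IP literals, or strip them defensively with `altNames.remove(null); altNames.remove("");` before the `createKeyStore` call. `createKeyStore` continues past the end of the last hunk.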
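--- a/apps/i2ptunnel/java/src/net/i2p/i2ptunnel/ui/GeneralHelper.java
+++ b/apps/i2ptunnel/java/src/net/i2p/i2ptunnel/ui/GeneralHelper.java
@@ -4,7 +4,9 @@
 import java.io.IOException;
 import java.util.ArrayList;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Properties;
+import java.util.Set;
 import java.util.TreeMap;
 
@@ -15,4 +17,5 @@
 import net.i2p.data.DataHelper;
 import net.i2p.data.Destination;
+import net.i2p.data.Hash;
 import net.i2p.data.PrivateKeyFile;
 import net.i2p.i2ptunnel.I2PTunnelClientBase;
@@ -26,4 +29,5 @@
 import net.i2p.i2ptunnel.TunnelControllerGroup;
 import net.i2p.i2ptunnel.web.Messages;
+import net.i2p.util.ConvertToHash;
 import net.i2p.util.FileUtil;
 import net.i2p.util.Log;
@@ -95,6 +99,28 @@
             //
             if (Boolean.parseBoolean(props.getProperty(OPT + I2PTunnelClientBase.PROP_USE_SSL))) {
+                // add the local interface and all targets to the cert
+                String intfc = props.getProperty(TunnelController.PROP_INTFC);
+                Set<String> altNames = new HashSet<String>(4);
+                if (intfc != null && !intfc.equals("0.0.0.0") && !intfc.equals("::") &&
+                    !intfc.equals("0:0:0:0:0:0:0:0"))
+                    altNames.add(intfc);
+                String tgts = props.getProperty(TunnelController.PROP_DEST);
+                if (tgts != null) {
+                    altNames.add(intfc);
+                    String[] hosts = DataHelper.split(tgts, "[ ,]");
+                    for (String h : hosts) {
+                        int colon = h.indexOf(':');
+                        if (colon >= 0)
+                            h = h.substring(0, colon);
+                        altNames.add(h);
+                        if (!h.endsWith(".b32.i2p")) {
+                            Hash hash = ConvertToHash.getHash(h);
+                            if (hash != null)
+                                altNames.add(hash.toBase32());
+                        }
+                    }
+                }
                 try {
-                    boolean created = SSLClientUtil.verifyKeyStore(props, OPT);
+                    boolean created = SSLClientUtil.verifyKeyStore(props, OPT, altNames);
                     if (created) {
                         // config now contains new keystore props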
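Review bot: The `altNames.add(intfc);` on the line directly after `if (tgts != null) {` re-adds the interface unconditionally, bypassing the wildcard filter a few lines above, so whenever targets are configured a listen address of `0.0.0.0` or `::` lands in the cert's SAN set, and a null `intfc` is inserted as a null element that `KeyStoreUtil.createKeys` (not visible here) may not tolerate; it reads like a leftover and should be deleted. `DataHelper.split(tgts, "[ ,]")` on a list written as `a.i2p, b.i2p` presumably yields an empty token between the comma and the space, which then becomes an empty SAN entry — guard it with `if (h.length() == 0) continue;` before the colon handling. The `indexOf(':')` port strip would also truncate a bracketed IPv6 literal at its first colon if one can ever appear in `PROP_DEST`; I cannot tell from the hunk whether that is possible. The enclosing method starts and ends outside this hunk.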