Changeset 981b708 for router


Timestamp:
Feb 9, 2016 8:48:23 PM (5 years ago)
Author:
zzz <zzz@…>
Branches:
master
Children:
6ab5b84
Parents:
651c1b6
Message:

Crypto: Use new internal key generation instead of calling
out to keytool; save CRL for new su3 and family keys
Allow su3 bulksign for xml files (news)

File:
1 edited

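--- a/router/java/src/net/i2p/router/crypto/FamilyKeyCrypto.java
+++ b/router/java/src/net/i2p/router/crypto/FamilyKeyCrypto.java
@@ -9,4 +9,6 @@
 import java.security.PrivateKey;
 import java.security.PublicKey;
+import java.security.cert.X509Certificate;
+import java.security.cert.X509CRL;
 import java.util.HashMap;
 import java.util.Map;
@@ -52,4 +54,5 @@
     public static final String PROP_KEY_PASSWORD = "netdb.family.keyPassword";
     public static final String CERT_SUFFIX = ".crt";
+    public static final String CRL_SUFFIX = ".crl";
     public static final String KEYSTORE_PREFIX = "family-";
     public static final String KEYSTORE_SUFFIX = ".ks";
@@ -62,4 +65,5 @@
     private static final String KS_DIR = "keystore";
     private static final String CERT_DIR = "certificates/family";
+    private static final String CRL_DIR = "crls";
     public static final String OPT_NAME = "family";
     public static final String OPT_SIG = "family.sig";
@@ -271,9 +275,10 @@
             }
         }
-        createKeyStore(ks);
-
-        // Now read it back out of the new keystore and save it in ascii form
-        // where the clients can get to it.
-        exportCert(ks);
+
+        try {
+            createKeyStore(ks);
+        } catch (IOException ioe) {
+            throw new GeneralSecurityException("Failed to create NetDb family keystore", ioe);
+        }
     }
 
@@ -287,5 +292,5 @@
      * @throws GeneralSecurityException on all errors
      */
-    private void createKeyStore(File ks) throws GeneralSecurityException {
+    private void createKeyStore(File ks) throws GeneralSecurityException, IOException {
         // make a random 48 character password (30 * 8 / 5)
         String keyPassword = KeyStoreUtil.randomString();
@@ -293,10 +298,8 @@
         String cname = _fname + CN_SUFFIX;
 
-        boolean success = KeyStoreUtil.createKeys(ks, KeyStoreUtil.DEFAULT_KEYSTORE_PASSWORD, _fname, cname, "family",
+        Object[] rv = KeyStoreUtil.createKeysAndCRL(ks, KeyStoreUtil.DEFAULT_KEYSTORE_PASSWORD, _fname, cname, "family",
                                                   DEFAULT_KEY_VALID_DAYS, DEFAULT_KEY_ALGORITHM,
                                                   DEFAULT_KEY_SIZE, keyPassword);
-        if (success) {
-            success = ks.exists();
-            if (success) {
+
                 Map<String, String> changes = new HashMap<String, String>();
                 changes.put(PROP_KEYSTORE_PASSWORD, KeyStoreUtil.DEFAULT_KEYSTORE_PASSWORD);
@@ -304,7 +307,5 @@
                 changes.put(PROP_FAMILY_NAME, _fname);
                 _context.router().saveConfig(changes, null);
-            }
-        }
-        if (success) {
+
             _log.logAlways(Log.INFO, "Created new private key for netdb family \"" + _fname +
                            "\" in keystore: " + ks.getAbsolutePath() + "\n" +
@@ -315,25 +316,20 @@
                            PROP_KEY_PASSWORD + '=' + keyPassword);
 
-        } else {
-            String s = "Failed to create NetDb family keystore.\n" +
-                       "This is for the Sun/Oracle keytool, others may be incompatible.\n" +
-                       "If you create the keystore manually, you must add " + PROP_KEYSTORE_PASSWORD + " and " + PROP_KEY_PASSWORD +
-                       " to " + (new File(_context.getConfigDir(), "router.config")).getAbsolutePath();
-            _log.error(s);
-            throw new GeneralSecurityException(s);
-        }
-    }
-
-    /**
-     * Pull the cert back OUT of the keystore and save it as ascii
+        X509Certificate cert = (X509Certificate) rv[2];
+        exportCert(cert);
+        X509CRL crl = (X509CRL) rv[3];
+        exportCRL(ks.getParentFile(), crl);
+    }
+
+    /**
+     * Save the public key certificate
      * so the clients can get to it.
      */
-    private void exportCert(File ks) {
+    private void exportCert(X509Certificate cert) {
         File sdir = new SecureDirectory(_context.getConfigDir(), CERT_DIR);
         if (sdir.exists() || sdir.mkdirs()) {
-            String ksPass = _context.getProperty(PROP_KEYSTORE_PASSWORD, KeyStoreUtil.DEFAULT_KEYSTORE_PASSWORD);
             String name = _fname.replace("@", "_at_") + CERT_SUFFIX;
             File out = new File(sdir, name);
-            boolean success = KeyStoreUtil.exportCert(ks, ksPass, _fname, out);
+            boolean success = CertUtil.saveCert(cert, out);
             if (success) {
                 _log.logAlways(Log.INFO, "Created new public key certificate for netdb family \"" + _fname +
@@ -343,8 +339,32 @@
                            "Give this certificate to an I2P developer for inclusion in the next I2P release.");
             } else {
-                _log.error("Error getting SSL cert to save as ASCII");
+                _log.error("Error saving family key certificate");
             }
         } else {
-            _log.error("Error saving ASCII SSL keys");
+            _log.error("Error saving family key certificate");
+        }
+    }
+
+    /**
+     * Save the CRL just in case.
+     * @param ksdir parent of directory to save in
+     * @since 0.9.25
+     */
+    private void exportCRL(File ksdir, X509CRL crl) {
+        File sdir = new SecureDirectory(ksdir, CRL_DIR);
+        if (sdir.exists() || sdir.mkdirs()) {
+            String name = KEYSTORE_PREFIX + _fname.replace("@", "_at_") + '-' + System.currentTimeMillis() + CRL_SUFFIX;
+            File out = new File(sdir, name);
+            boolean success = CertUtil.saveCRL(crl, out);
+            if (success) {
+                _log.logAlways(Log.INFO, "Created certificate revocation list (CRL) for netdb family \"" + _fname +
+                           "\" in file: " + out.getAbsolutePath() + "\n" +
+                           "Back up the keystore and CRL files and keep them secure.\n" +
+                           "If your private key is ever compromised, give the CRL to an I2P developer for publication.");
+            } else {
+                _log.error("Error saving family key CRL");
+            }
+        } else {
+            _log.error("Error saving family key CRL");
         }
     }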
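Review bot: The new body of createKeyStore (new lines 300–321) drops the old `success` / `ks.exists()` checks and casts `rv[2]` and `rv[3]` without verifying that `rv` is non-null and has at least four elements, so if `KeyStoreUtil.createKeysAndCRL` signals failure through its return value rather than by throwing (not visible here), the method would fail with an NPE or ArrayIndexOutOfBoundsException only after `saveConfig` has already persisted the keystore password and family name to router.config, and the old actionable "Failed to create NetDb family keystore" guidance is gone. Unless createKeysAndCRL is guaranteed to throw on every failure, a guard placed before the `Map<String, String> changes` line would restore the previous contract: `if (rv == null || rv.length < 4 || !ks.exists()) throw new GeneralSecurityException("Failed to create NetDb family keystore");`. The Javadoc at new line 292 still says `@throws GeneralSecurityException on all errors`, which no longer holds now that the signature also declares IOException; add `@throws IOException on I/O errors while creating the keystore` and drop "on all errors". The Javadoc header of createKeyStore starts outside the visible section.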