Opened 4 years ago

Closed 3 years ago

#1757 closed defect (wontfix)

Unable to install untrusted SU3 plugin with allowUntrustedPlugins set

Reported by: lazygravy
Owned by:
Priority: minor
Milestone: 0.9.27
Component: router/update
Version: 0.9.24
Keywords: plugin
Cc: zzz
Parent Tickets:
Sensitive: no

Description

I am not able to install untrusted su3 plugins, even with routerconsole.allowUntrustedPlugins=true set. I have confirmed untrusted xpi2p installation works fine. Inspecting the code of http://i2p-javadocs.i2p/net/i2p/router/update/PluginUpdateRunner.html 's private method processSU3 looks like it does not do the check.

This change would be useful for plugin developers who want to test plugins before publishing them (i.e. getting their keys into the router).

Change History (4)

comment:1 Changed 4 years ago by cacapo

Wouldn't that demand a rewrite of core/java/src/net/i2p/crypto/SU3File.java around L 310? Looks to me like it will throw a gse regardless.

comment:2 Changed 4 years ago by zzz

OP's analysis is correct. SU3File can be set to ignore the signature, or to specify the public key certificate.

We don't want to just ignore the signature, as we don't want some known identity to be spoofed.

So we need to provide the public key from plugin.config. We don't have a public key certificate in there, just the key itself. So at a minimum we need to modify SU3File.

Also, to get the public key, we have to extract and unzip the su3 to a temp directory. See extractSUD().

So the way I would do it is in the catch block in PluginUpdateRunner line 307:

  • check for allowuntrusted == true
  • set su3.setVerifySignature(false) (this should prevent cacapo's GSE)
  • call getSignerString()
  • look in the correct certificate dir (based on getContentType()) for an existing cert for that signer; if there is one, fail
  • call PluginStarter.getPluginKeys() which goes thru all the plugin.config files and collects them all. If we can find one for this signer, that means a plugin is already installed, grab the public key and skip the next 3 steps… otherwise…
  • 1) call su3.verifyAndMigrate(toxxx) again, with a different to directory
  • 2) unzip the zip
  • 3) extract the public key from plugin.config
  • set su3.setVerifySignature(true)
  • call the new setPublicKey() method with the extracted public key
  • call su3.verifyAndMigrate(toyyy) a 3rd(!) time (with a different to directory)

Now you can see why it hasn't happened yet… kinda messy.
Not shown above: not sure if you can reuse the su3 object, it caches some results, may have to create new ones each time; also need to delete all those directories…

comment:3 Changed 4 years ago by zzz

Milestone: changed from 0.9.25 to eventually
Status: changed from new to open

comment:4 Changed 3 years ago by zzz

Milestone: changed from eventually to 0.9.27
Resolution: wontfix
Status: changed from open to closed

Closing as wontfix as it's way too hard, and there's an easy workaround which is actually better - just install your plugin public key certificate.

Through 0.9.26, you must install it in the I2P install dir; as of 0.9.26-5 (to be released as 0.9.27), the router will also look in the config dir.

The following instructions assume linux, with the install dir at ~/i2p and the config dir at ~/.i2p - adjust as necessary for other platforms, or for a deb package install.

For 0.9.26 or earlier:

  • Copy your su3 public key certificate, which was created when you ran 'ant plugin', from ~/.i2p-plugin-keys/plugin-su3-public-signing.crt to ~/i2p/certificates/plugin/you_at_mail.i2p.crt (must be named e.g. you_at_mail.i2p.crt where "you@…" is the signer name you used)

For 0.9.26-5 or higher, use the above instructions, or:

  • Make the directory ~/.i2p/certificates/plugin/
  • Copy your su3 public key certificate, which was created when you ran 'ant plugin', from ~/.i2p-plugin-keys/plugin-su3-public-signing.crt to ~/.i2p/certificates/plugin/you_at_mail.i2p.crt (must be named e.g. you_at_mail.i2p.crt where "you@…" is the signer name you used)
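
The workaround in comment:4 as a script. This is an added example, not part of the ticket or of I2P. The function names are hypothetical and the signer dev@example.i2p used below is constructed. The script also refuses to replace a different certificate already stored for the same signer, so a known signer's identity is never silently swapped.

```shell
#!/bin/sh
# Added example: put a plugin signing certificate where the router looks for it.
# Defaults follow the ticket (linux, config dir ~/.i2p); function names are hypothetical.

# Map a signer name to the certificate file name: "@" becomes "_at_", plus ".crt".
signer_to_filename() {
    printf '%s.crt\n' "$(printf '%s' "$1" | sed 's/@/_at_/g')"
}

# install_plugin_cert SIGNER [SRC_CERT] [BASE_DIR]
# Prints the installed path on success; returns non-zero when it refuses.
install_plugin_cert() {
    signer=$1
    src=${2:-"$HOME/.i2p-plugin-keys/plugin-su3-public-signing.crt"}
    base=${3:-"$HOME/.i2p"}
    # A signer name must not be able to escape the certificate directory.
    case $signer in
        ''|*/*|.*) echo "refusing signer name: '$signer'" >&2; return 2 ;;
    esac
    [ -s "$src" ] || { echo "missing or empty certificate: $src" >&2; return 3; }
    dir=$base/certificates/plugin
    dest=$dir/$(signer_to_filename "$signer")
    mkdir -p "$dir" || return 4
    if [ -e "$dest" ]; then
        # Same certificate already installed: nothing to do.
        if cmp -s "$src" "$dest"; then
            printf '%s\n' "$dest"
            return 0
        fi
        # Never silently replace the certificate of a known signer.
        echo "a different certificate already exists: $dest" >&2
        return 5
    fi
    cp "$src" "$dest" && chmod 644 "$dest" || return 6
    printf '%s\n' "$dest"
}
```

For 0.9.26 or earlier, pass the install dir (~/i2p in the ticket's layout) as the third argument.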