
📄 tlsconn.java

📁 jxta_src_2.41b jxta 2.41b 最新版源码 from www.jxta.org
💻 JAVA
📖 第 1 页 / 共 2 页
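/*
 *
 * $Id: TlsConn.java,v 1.52 2005/11/04 04:59:31 bondolo Exp $
 *
 * Copyright (c) 2001 Sun Microsystems, Inc.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. The end-user documentation included with the redistribution,
 *    if any, must include the following acknowledgment:
 *       "This product includes software developed by the
 *       Sun Microsystems, Inc. for Project JXTA."
 *    Alternately, this acknowledgment may appear in the software itself,
 *    if and wherever such third-party acknowledgments normally appear.
 *
 * 4. The names "Sun", "Sun Microsystems, Inc.", "JXTA" and "Project JXTA"
 *    must not be used to endorse or promote products derived from this
 *    software without prior written permission. For written
 *    permission, please contact Project JXTA at http://www.jxta.org.
 *
 * 5. Products derived from this software may not be called "JXTA",
 *    nor may "JXTA" appear in their name, without prior written
 *    permission of Sun.
 *
 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED.  IN NO EVENT SHALL SUN MICROSYSTEMS OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
 * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * ====================================================================
 *
 * This software consists of voluntary contributions made by many
 * individuals on behalf of Project JXTA.  For more
 * information on Project JXTA, please see
 * <http://www.jxta.org/>.
 *
 * This license is based on the BSD license adopted by the Apache Foundation.
 */

package net.jxta.impl.endpoint.tls;

import java.io.BufferedOutputStream;
import java.io.InputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.security.cert.X509Certificate;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;

import net.jxta.document.MimeMediaType;
import net.jxta.endpoint.EndpointAddress;
import net.jxta.endpoint.Message;
import net.jxta.endpoint.Messenger;
import net.jxta.endpoint.WireFormatMessage;
import net.jxta.endpoint.WireFormatMessageFactory;
import net.jxta.util.IgnoreFlushFilterOutputStream;

import net.jxta.impl.membership.pse.PSECredential;
import net.jxta.impl.util.TimeUtils;

import org.apache.log4j.Level;
import org.apache.log4j.Logger;

/**
 * This class implements the TLS connection between two peers.
 *
 *
 * <p/>Properties:
 *
 * <p/>net.jxta.impl.endpoint.tls.TMFAlgorithm - if defined provides the name of
 * the trust manager factory algorithm to use.
 */
class TlsConn {

    /**
     *  Log4J Logger
     **/
    private static final Logger LOG = Logger.getLogger(TlsConn.class.getName());

    static final int BOSIZE = 16000;

    /**
     *  TLS transport this connection is working for.
     **/
    final TlsTransport transport;

    /**
     *  The address of the peer to which we will be forwarding ciphertext
     *  messages.
     **/
    final EndpointAddress destAddr;

    /**
     *  Are we client or server?
     **/
    private boolean client;

    /**
     *  State of the connection
     **/
    private volatile HandshakeState currentState;

    /**
     *  Are we currently closing? To prevent recursion in {@link #close()}
     **/
    private boolean closing = false;

    /**
     *  Time that something "good" last happened on the connection
     **/
    long lastAccessed;

    // new String(...) yields a distinct object per connection, unlike a string
    // literal, which is interned and shared JVM-wide.
    // NOTE(review): presumably both are used as monitors; their use is outside
    // this part of the listing - confirm.
    final String lastAccessedLock = new String("lastAccessedLock");
    final String closeLock = new String("closeLock");

    /**
     *  Number of retransmissions we have received.
     **/
    int retrans;

    /**
     *  Our synthetic socket which sends and receives the ciphertext.
     **/
    final TlsSocket tlsSocket;

    /**
     *  JSSE context built in the constructor from the PSE keystore and the
     *  transport's credential.
     **/
    private final SSLContext context;

    /**
     * For interfacing with TLS
     **/
    private SSLSocket ssls;

    /**
     * We write our plaintext to this stream
     **/
    private OutputStream plaintext_out = null;

    /**
     *  Reader for plaintext messages. The original comment was left
     *  unfinished ("Reads plaintext from the"); presumably it reads from the
     *  TLS socket - confirm against the rest of the class.
     **/
    private PlaintextMessageReader readerThread = null;

    /**
     *  A string which we can lock on while acquiring new messengers. We don't
     *  want to lock the whole connection object.
     **/
    private String acquireMessengerLock = new String("Messenger Acquire Lock");

    /**
     *  Cached messenger for sending to {@link #destAddr}
     **/
    private Messenger outBoundMessenger = null;

    /**
     *  Tracks the state of our TLS connection with a remote peer.
     *
     *  <p/>A type-safe constant set: the constructor is private, so the only
     *  instances are the constants declared here, and states can be compared
     *  by identity.
     **/
    static class HandshakeState {

        /**
         *  Handshake is ready to begin. We will be the client side.
         **/
        public static final HandshakeState CLIENTSTART = new HandshakeState() {
            public String toString() {
                return "CLIENTSTART";
            }
        };

        /**
         *  Handshake is ready to begin. We will be the server side.
         **/
        public static final HandshakeState SERVERSTART = new HandshakeState() {
            public String toString() {
                return "SERVERSTART";
            }
        };

        /**
         *  Handshake is in progress.
         **/
        public static final HandshakeState HANDSHAKESTARTED = new HandshakeState() {
            public String toString() {
                return "HANDSHAKESTARTED";
            }
        };

        /**
         *  Handshake failed to complete.
         **/
        public static final HandshakeState HANDSHAKEFAILED = new HandshakeState() {
            public String toString() {
                return "HANDSHAKEFAILED";
            }
        };

        /**
         *  Handshake completed successfully.
         **/
        public static final HandshakeState HANDSHAKEFINISHED = new HandshakeState() {
            public String toString() {
                return "HANDSHAKEFINISHED";
            }
        };

        /**
         *  Connection is closing.
         **/
        public static final HandshakeState CONNECTIONCLOSING = new HandshakeState() {
            public String toString() {
                return "CONNECTIONCLOSING";
            }
        };

        /**
         *  Connection has died.
         **/
        public static final HandshakeState CONNECTIONDEAD = new HandshakeState() {
            public String toString() {
                return "CONNECTIONDEAD";
            }
        };

        /**
         *  Private Constructor. This class is only constants.
         **/
        private HandshakeState() {}
    }

    /**
     *  Create a new connection.
     *
     *  <p/>Builds the JSSE trust and key managers from the PSE keystore,
     *  creates an {@code SSLContext} for "TLS" and layers an
     *  {@code SSLSocket} over the synthetic {@link TlsSocket}. No handshake
     *  is performed here; see {@link #finishHandshake()}.
     *
     *  @param tp the TLS transport this connection works for.
     *  @param destAddr the address of the remote peer.
     *  @param client {@code true} if we are the TLS client, {@code false} if
     *  we are the server. The server side requires client authentication.
     *  @throws Exception if the trust manager factory, the SSL context or the
     *  SSL socket cannot be created or initialized.
     **/
    TlsConn(TlsTransport tp, EndpointAddress destAddr, boolean client) throws Exception {
        this.transport = tp;
        this.destAddr = destAddr;
        this.client = client;
        this.currentState = client ? HandshakeState.CLIENTSTART : HandshakeState.SERVERSTART;
        this.lastAccessed = TimeUtils.timeNow();

        if (LOG.isEnabledFor(Level.INFO)) {
            LOG.info((client ? "Initiating" : "Accepting") + " new connection for : " + destAddr.getProtocolAddress());
        }

        boolean choseTMF = false;
        javax.net.ssl.TrustManagerFactory tmf = null;

        // An algorithm named by this system property wins over the provider
        // probing below.
        // NOTE(review): the property selects the trust manager implementation
        // and therefore how peer certificates are validated; the ability to
        // set JVM system properties should be treated as security-sensitive.
        String overrideTMF = System.getProperty( "net.jxta.impl.endpoint.tls.TMFAlgorithm" );

        if( (!choseTMF) && (null != overrideTMF) ) {
            tmf = javax.net.ssl.TrustManagerFactory.getInstance( overrideTMF );
            choseTMF = true;
        }

        // Collect the names of the installed security providers so that a
        // provider-specific X.509 trust manager algorithm can be requested.
        Collection providers = Arrays.asList( Security.getProviders() );

        Set providerNames = new HashSet();

        Iterator eachProvider = providers.iterator();
        while( eachProvider.hasNext() ) {
            providerNames.add( ((Provider) eachProvider.next()).getName() );
        }

        if( (!choseTMF) && providerNames.contains( "SunJSSE" ) ) {
            tmf = javax.net.ssl.TrustManagerFactory.getInstance( "SunX509", "SunJSSE" );
            choseTMF = true;
        }

        if( (!choseTMF) && providerNames.contains( "IBMJSSE" ) ) {
            tmf = javax.net.ssl.TrustManagerFactory.getInstance( "IbmX509", "IBMJSSE" );
            choseTMF = true;
        }

        // XXX 20040830 bondolo Other solutions go here!

        if( !choseTMF ) {
            // Last resort: whatever the platform declares as its default.
            tmf = javax.net.ssl.TrustManagerFactory.getInstance( javax.net.ssl.TrustManagerFactory.getDefaultAlgorithm() );
            LOG.warn( "Using default Trust Manager Factory algorithm. This may not work as expected." );
        }

        // The PSE keystore supplies the trust anchors and is also handed to
        // the key manager that presents our own credential.
        KeyStore trusted = transport.membership.getPSEConfig().getKeyStore();
        tmf.init( trusted );

        javax.net.ssl.TrustManager tms[] = tmf.getTrustManagers();

        javax.net.ssl.KeyManager kms[] = new javax.net.ssl.KeyManager[] { new PSECredentialKeyManager( transport.credential, trusted ) };

        context = SSLContext.getInstance( "TLS" );
        // A null SecureRandom makes JSSE use its default implementation.
        context.init( kms, tms, null );

        javax.net.ssl.SSLSocketFactory factory = context.getSocketFactory();

        // endpoint interface
        TlsSocket newConnect = new TlsSocket(new JTlsInputStream(this, tp.MIN_IDLE_RECONNECT), new JTlsOutputStream(transport, this));

        // open SSL socket and do the handshake
        // The SSL socket is layered over the synthetic socket; the final
        // argument (autoClose) closes that socket when the SSL socket closes.
        ssls = (SSLSocket) factory.createSocket( newConnect, destAddr.getProtocolAddress(), JTlsDefs.FAKEPORT, true );

        // NOTE(review): only "TLSv1" (TLS 1.0) is enabled. TLS 1.0 is
        // deprecated (RFC 8996) and current JDKs disable it by default through
        // the jdk.tls.disabledAlgorithms security property, so the handshake
        // is expected to fail there unless that default is relaxed. Widening
        // the list affects interoperability with peers running this same
        // code, so it is flagged here rather than changed.
        ssls.setEnabledProtocols( new String[] {"TLSv1"} );
        ssls.setUseClientMode( client );
        if( !client ) {
            // Mutual authentication: as server we refuse clients that do not
            // present a certificate.
            ssls.setNeedClientAuth( true );
        }

        // We have to delay initialization of this until we have set the
        // handshake mode.
        tlsSocket = newConnect;
    }

    /**
     *  {@inheritDoc}
     *
     *  <p/>An implementation which is useful for debugging.
     **/
    public String toString() {
        return super.toString() + "/" + getHandshakeState() + ":" + (client ? "Client" : "Server") + " for " + destAddr;
    }

    /**
     *  Returns the current state of the connection
     *
     *  @return the current state of the connection.
     **/
    HandshakeState getHandshakeState() {
        return currentState;
    }

    /**
     *  Changes the state of the connection. Calls
     *  {@link java.lang.Object#notifyAll()} to wake any threads waiting on
     *  connection state changes.
     *
     *  @param newstate the new connection state.
     *  @return the previous state of the connection.
     **/
    synchronized HandshakeState setHandshakeState(HandshakeState newstate) {

        HandshakeState oldstate = currentState;
        currentState = newstate;
        notifyAll();
        return oldstate;
    }

    /**
     * Open the connection with the remote peer.
     **/
    void finishHandshake() throws IOException {

        long startTime = 0;

        if (LOG.isEnabledFor(Level.INFO)) {
            startTime = TimeUtils.timeNow();
            LOG.info((client ? "Client:" : "Server:") + " Handshake START");
        }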
