/* * Copyright (c) 2001-2007 Sun Microsystems, Inc. All rights reserved. * * The Sun Project JXTA(TM) Software License * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: * * 1. Redistributions of source code must retain the above copyright notice, * this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright notice, * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * * 3. The end-user documentation included with the redistribution, if any, must * include the following acknowledgment: "This product includes software * developed by Sun Microsystems, Inc. for JXTA(TM) technology." * Alternately, this acknowledgment may appear in the software itself, if * and wherever such third-party acknowledgments normally appear. * * 4. The names "Sun", "Sun Microsystems, Inc.", "JXTA" and "Project JXTA" must * not be used to endorse or promote products derived from this software * without prior written permission. For written permission, please contact * Project JXTA at http://www.jxta.org. * * 5. Products derived from this software may not be called "JXTA", nor may * "JXTA" appear in their name, without prior written permission of Sun. * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND * FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL SUN * MICROSYSTEMS OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * * JXTA is a registered trademark of Sun Microsystems, Inc. in the United * States and other countries. * * Please see the license information page at : * <http://www.jxta.org/project/www/license.html> for instructions on use of * the license in source files. * * ==================================================================== * * This software consists of voluntary contributions made by many individuals * on behalf of Project JXTA. For more information on Project JXTA, please see * http://www.jxta.org. * * This license is based on the BSD license adopted by the Apache Foundation. 
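*/
package net.jxta.impl.endpoint.tls;

import java.io.BufferedOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Provider;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;

import net.jxta.document.MimeMediaType;
import net.jxta.endpoint.EndpointAddress;
import net.jxta.endpoint.Message;
import net.jxta.endpoint.Messenger;
import net.jxta.endpoint.WireFormatMessage;
import net.jxta.endpoint.WireFormatMessageFactory;
import net.jxta.impl.membership.pse.PSECredential;
import net.jxta.impl.util.TimeUtils;
import net.jxta.logging.Logging;
import net.jxta.util.IgnoreFlushFilterOutputStream;

/**
 * This class implements the TLS connection between two peers.
 *
 * <p/>The ciphertext does not travel over a real TCP socket: an
 * {@link SSLSocket} is layered over a synthetic {@link TlsSocket} whose
 * streams forward the TLS records through the JXTA endpoint to
 * {@link #destAddr}. The trust store and the client/server credential both
 * come from the PSE membership service of the owning {@link TlsTransport}.
 *
 * <p/>Properties:
 *
 * <p/>net.jxta.impl.endpoint.tls.TMFAlgorithm - if defined provides the name of
 * the trust manager factory algorithm to use.
 */
class TlsConn {

    /**
     * Logger
     */
    private static final Logger LOG = Logger.getLogger(TlsConn.class.getName());

    /**
     * Size of the buffer in front of the plaintext output stream (see
     * {@link #finishHandshake()}).
     */
    static final int BOSIZE = 16000;

    /**
     * TLS transport this connection is working for.
     */
    final TlsTransport transport;

    /**
     * The address of the peer to which we will be forwarding ciphertext
     * messages.
     */
    final EndpointAddress destAddr;

    /**
     * Are we client or server?
     */
    private boolean client;

    /**
     * State of the connection. Written only through
     * {@link #setHandshakeState(HandshakeState)}.
     */
    private volatile HandshakeState currentState;

    /**
     * Are we currently closing? To prevent recursion in {@link #close}.
     */
    private boolean closing = false;

    /**
     * Time that something "good" last happened on the connection. Reset to
     * {@link Long#MIN_VALUE} when the connection is closed.
     */
    long lastAccessed;

    /**
     * Monitor guarding {@link #lastAccessed}. Deliberately {@code new String}
     * rather than a literal: an interned literal could be shared as a monitor
     * with unrelated code.
     */
    final String lastAccessedLock = new String("lastAccessedLock");

    /**
     * Monitor guarding {@link #closing}.
     */
    final String closeLock = new String("closeLock");

    /**
     * Number of retransmissions we have received.
     */
    int retrans;

    /**
     * Our synthetic socket which sends and receives the ciphertext.
     */
    final TlsSocket tlsSocket;

    /**
     * The SSL context built from the PSE trust store and credential.
     */
    private final SSLContext context;

    /**
     * For interfacing with TLS
     */
    private SSLSocket ssls;

    /**
     * We write our plaintext to this stream
     */
    private OutputStream plaintext_out = null;

    /**
     * Reads plaintext from the TLS socket's input stream; created once the
     * handshake has finished.
     */
    private PlaintextMessageReader readerThread = null;

    /**
     * A string which we can lock on while acquiring new messengers. We don't
     * want to lock the whole connection object.
     */
    private String acquireMessengerLock = new String("Messenger Acquire Lock");

    /**
     * Cached messenger for sending to {@link #destAddr}
     */
    private Messenger outBoundMessenger = null;

    /**
     * Tracks the state of our TLS connection with a remote peer.
     */
    enum HandshakeState {
        /**
         * Handshake is ready to begin. We will be the client side.
         */
        CLIENTSTART,

        /**
         * Handshake is ready to begin. We will be the server side.
         */
        SERVERSTART,

        /**
         * Handshake is in progress.
         */
        HANDSHAKESTARTED,

        /**
         * Handshake failed to complete.
         */
        HANDSHAKEFAILED,

        /**
         * Handshake completed successfully.
         */
        HANDSHAKEFINISHED,

        /**
         * Connection is closing.
         */
        CONNECTIONCLOSING,

        /**
         * Connection has died.
         */
        CONNECTIONDEAD
    }

    /**
     * Create a new connection.
     *
     * <p/>Builds an {@link SSLContext} whose trust managers are initialised
     * from the PSE key store and whose key manager presents the transport's
     * PSE credential, then layers an {@link SSLSocket} over a synthetic
     * {@link TlsSocket}. The handshake itself is not run here; see
     * {@link #finishHandshake()}.
     *
     * @param tp       the transport this connection belongs to.
     * @param destAddr the address of the remote peer.
     * @param client   {@code true} if we initiate the handshake, {@code false}
     *                 if we accept it. In server mode the remote peer is
     *                 required to present a certificate.
     * @throws Exception if the trust manager factory, key store or SSL
     *                   context cannot be set up.
     */
    TlsConn(TlsTransport tp, EndpointAddress destAddr, boolean client) throws Exception {
        this.transport = tp;
        this.destAddr = destAddr;
        this.client = client;
        this.currentState = client ? HandshakeState.CLIENTSTART : HandshakeState.SERVERSTART;
        this.lastAccessed = TimeUtils.timeNow();

        if (Logging.SHOW_INFO && LOG.isLoggable(Level.INFO)) {
            LOG.info((client ? "Initiating" : "Accepting") + " new connection for : " + destAddr.getProtocolAddress());
        }

        javax.net.ssl.TrustManagerFactory tmf = selectTrustManagerFactory();

        // The PSE key store is used both as the trust store and as the source
        // of our own credential, so peer certificates are validated against
        // its contents (according to the chosen trust manager algorithm).
        KeyStore trusted = transport.membership.getPSEConfig().getKeyStore();
        tmf.init(trusted);

        javax.net.ssl.TrustManager[] tms = tmf.getTrustManagers();
        javax.net.ssl.KeyManager[] kms = new javax.net.ssl.KeyManager[] {
            new PSECredentialKeyManager(transport.credential, trusted)
        };

        context = SSLContext.getInstance("TLS");
        // null SecureRandom: the provider's default is used.
        context.init(kms, tms, null);
        javax.net.ssl.SSLSocketFactory factory = context.getSocketFactory();

        // Synthetic socket: ciphertext is carried by the JXTA endpoint rather
        // than by a TCP connection.
        TlsSocket newConnect = new TlsSocket(new JTlsInputStream(this, tp.MIN_IDLE_RECONNECT),
                new JTlsOutputStream(transport, this));

        // Layer the SSL socket over the synthetic one; autoClose=true closes
        // the synthetic socket together with the SSL socket.
        ssls = (SSLSocket) factory.createSocket(newConnect, destAddr.getProtocolAddress(), JTlsDefs.FAKEPORT, true);

        // NOTE(review): this pins the connection to TLS 1.0 only. Both peers
        // run this code, so it interoperates, but newer JVMs may disable
        // TLSv1 by default; revisit before deploying on such runtimes.
        ssls.setEnabledProtocols(new String[] { "TLSv1" });
        ssls.setUseClientMode(client);
        if (!client) {
            // Server side: the remote peer must authenticate with a
            // certificate as well (mutual authentication).
            ssls.setNeedClientAuth(true);
        }

        // We have to delay initialization of this until we have set the
        // handshake mode.
        tlsSocket = newConnect;
    }

    /**
     * Chooses the trust manager factory for this connection.
     *
     * <p/>Order of preference: the algorithm named by the
     * {@code net.jxta.impl.endpoint.tls.TMFAlgorithm} system property, then
     * {@code SunX509} from the SunJSSE provider, then {@code IbmX509} from the
     * IBMJSSE provider, and finally the JVM default algorithm (with a warning,
     * since that path has not been exercised).
     *
     * @return an uninitialised trust manager factory.
     * @throws java.security.GeneralSecurityException if the selected
     *         algorithm or provider is not available.
     */
    private static javax.net.ssl.TrustManagerFactory selectTrustManagerFactory()
            throws java.security.GeneralSecurityException {
        String overrideTMF = System.getProperty("net.jxta.impl.endpoint.tls.TMFAlgorithm");
        if (null != overrideTMF) {
            return javax.net.ssl.TrustManagerFactory.getInstance(overrideTMF);
        }

        Set<String> providerNames = new HashSet<String>();
        for (Provider provider : Security.getProviders()) {
            providerNames.add(provider.getName());
        }

        if (providerNames.contains("SunJSSE")) {
            return javax.net.ssl.TrustManagerFactory.getInstance("SunX509", "SunJSSE");
        }

        if (providerNames.contains("IBMJSSE")) {
            return javax.net.ssl.TrustManagerFactory.getInstance("IbmX509", "IBMJSSE");
        }

        // XXX 20040830 bondolo Other solutions go here!
        javax.net.ssl.TrustManagerFactory tmf = javax.net.ssl.TrustManagerFactory.getInstance(
                javax.net.ssl.TrustManagerFactory.getDefaultAlgorithm());
        LOG.warning("Using default Trust Manager Factory algorithm. This may not work as expected.");
        return tmf;
    }

    /**
     * @inheritDoc
     *
     * <p/>An implementation which is useful for debugging.
     */
    @Override
    public String toString() {
        return super.toString() + "/" + getHandshakeState() + ":" + (client ? "Client" : "Server") + " for " + destAddr;
    }

    /**
     * Returns the current state of the connection
     *
     * @return the current state of the connection.
     */
    HandshakeState getHandshakeState() {
        return currentState;
    }

    /**
     * Changes the state of the connection. Calls
     * {@link java.lang.Object#notifyAll()} to wake any threads waiting on
     * connection state changes.
     *
     * @param newstate the new connection state.
     * @return the previous state of the connection.
     */
    synchronized HandshakeState setHandshakeState(HandshakeState newstate) {
        HandshakeState oldstate = currentState;
        currentState = newstate;
        notifyAll();
        return oldstate;
    }

    /**
     * Open the connection with the remote peer.
     *
     * <p/>Runs the TLS handshake, moving the state from
     * {@link HandshakeState#HANDSHAKESTARTED} to either
     * {@link HandshakeState#HANDSHAKEFINISHED} or
     * {@link HandshakeState#HANDSHAKEFAILED}, and on success sets up the
     * buffered plaintext output stream and starts the plaintext reader.
     *
     * @throws IOException if the handshake fails; the state is
     *         {@link HandshakeState#HANDSHAKEFAILED} when this is thrown.
     */
    void finishHandshake() throws IOException {
        long startTime = 0;

        if (Logging.SHOW_INFO && LOG.isLoggable(Level.INFO)) {
            startTime = TimeUtils.timeNow();
            LOG.info((client ? "Client:" : "Server:") + " Handshake START");
        }

        setHandshakeState(HandshakeState.HANDSHAKESTARTED);

        SSLSession newSession;
        try {
            // Drive the handshake explicitly so that a failure (e.g. a peer
            // certificate rejected by the trust manager) propagates with its
            // real cause instead of being folded into an invalid session.
            ssls.startHandshake();
            newSession = ssls.getSession();
        } catch (IOException failed) {
            setHandshakeState(HandshakeState.HANDSHAKEFAILED);
            throw failed;
        }

        // Belt and braces: an SSLSocket reports this pseudo cipher suite when
        // no handshake has succeeded.
        if ("SSL_NULL_WITH_NULL_NULL".equals(newSession.getCipherSuite())) {
            setHandshakeState(HandshakeState.HANDSHAKEFAILED);
            throw new IOException("Handshake failed");
        }

        setHandshakeState(HandshakeState.HANDSHAKEFINISHED);

        if (Logging.SHOW_INFO && LOG.isLoggable(Level.INFO)) {
            long hsTime = TimeUtils.toRelativeTimeMillis(TimeUtils.timeNow(), startTime) / TimeUtils.ASECOND;
            LOG.info((client ? "Client:" : "Server:") + "Handshake DONE in " + hsTime + " secs");
        }

        // set up plain text i/o
        // writes to be encrypted
        plaintext_out = new BufferedOutputStream(ssls.getOutputStream(), BOSIZE);

        // Start reader thread
        readerThread = new PlaintextMessageReader(ssls.getInputStream());
    }

    /**
     * Close this connection.
     *
     * @param finalstate state that the connection will be in after close.
     * @throws IOException if closing the underlying socket fails.
     */
    void close(HandshakeState finalstate) throws IOException {
        synchronized (lastAccessedLock) {
            lastAccessed = Long.MIN_VALUE;
        }

        synchronized (closeLock) {
            closing = true;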