File:  [ELWIX - Embedded LightWeight unIX -] / embedaddon / axTLS / samples / java / axssl.java
Revision 1.1.1.1 (vendor branch)
Fri Sep 28 11:55:55 2012 UTC (12 years, 3 months ago) by misho
Branches: v1_4_8, MAIN
CVS tags: datecs, HEAD
axTLS

/*
 * Copyright (c) 2007, Cameron Rich
 * 
 * All rights reserved.
 * 
 * Redistribution and use in source and binary forms, with or without 
 * modification, are permitted provided that the following conditions are met:
 *
 * * Redistributions of source code must retain the above copyright notice, 
 *   this list of conditions and the following disclaimer.
 * * Redistributions in binary form must reproduce the above copyright notice, 
 *   this list of conditions and the following disclaimer in the documentation 
 *   and/or other materials provided with the distribution.
 * * Neither the name of the axTLS project nor the names of its contributors 
 *   may be used to endorse or promote products derived from this software 
 *   without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

/*
 * Demonstrate the use of the axTLS library in Java with a set of 
 * command-line parameters similar to openssl. In fact, openssl clients 
 * should be able to communicate with axTLS servers and vice versa.
 *
 * This code has various bits enabled depending on the configuration. To enable
 * the most interesting version, compile with the 'full mode' enabled.
 *
 * To see what options you have, run the following:
 * > java -jar axtls.jar s_server -?
 * > java -jar axtls.jar s_client -?
 *
 * The axtls/axtlsj shared libraries must be in the same directory or be found 
 * by the OS.
 */

import java.io.*;
import java.util.*;
import java.net.*;
import axTLSj.*;

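/**
 * Command-line sample for the axTLS Java bindings. It offers an
 * {@code s_server} and an {@code s_client} mode whose options mirror a subset
 * of the openssl tool of the same names.
 *
 * Points a reader should keep in mind before reusing this code:
 * <ul>
 * <li>The client starts with SSL_SERVER_VERIFY_LATER set and clears it only
 *     when -verify is given. Nothing in this file checks the server
 *     certificate after the handshake, and the Common Name is only printed,
 *     never compared with the host that was dialled. NOTE(review): without
 *     -verify and a -CAfile trust anchor the peer is presumably
 *     unauthenticated - confirm against the axTLS documentation.</li>
 * <li>-pass takes the private key pass phrase itself as the next argument,
 *     so it is visible in the process argument list and in shell history.</li>
 * <li>The server prints whatever bytes the peer sends straight to the
 *     console, unfiltered.</li>
 * <li>display_cipher() can report RC4 and MD5 based suites; treat a session
 *     that negotiates one of them as weakly protected.</li>
 * </ul>
 */
public class axssl
{
    /**
     * Program entry point.
     *
     * Accepts "version", "s_server" or "s_client" as the first argument and
     * hands the remaining arguments to the matching mode. Any other first
     * argument prints the basic usage and exits with status 1.
     *
     * @param args the command line
     */
    public static void main(String[] args)
    {
        if (args.length == 1 && args[0].equals("version"))
        {
            System.out.println("axtls.jar " + SSLUtil.version());
            System.exit(0);
        }

        axssl runner = new axssl();

        try
        {
            if (args.length < 1 || 
                    (!args[0].equals("s_server") &&
                     !args[0].equals("s_client")))
            {
                /* print_options() exits, so args[0] is valid further down */
                runner.print_options(args.length > 0 ? args[0] : "");
            }

            int build_mode = SSLUtil.buildMode();

            if (args[0].equals("s_server"))
                runner.do_server(build_mode, args);
            else 
                runner.do_client(build_mode, args);
        }
        catch (Exception e) 
        {
            System.out.println(e);

            /* 
             * A failed key load, connect or handshake must not look like 
             * success to a calling script; the usage errors already exit 
             * with status 1.
             */
            System.exit(1);
        }
    }

    /**
     * Run the s_server mode: parse the options, load the key material and 
     * then accept TLS connections forever, echoing what each client sends 
     * to standard output.
     *
     * Connections are served one at a time and no read timeout is set on the
     * accepted socket, so a peer that stalls holds the listener until it
     * disconnects.
     *
     * @param build_mode the library build mode reported by SSLUtil.buildMode();
     *                   it decides which options are accepted
     * @param args the full command line; args[0] is the mode name
     * @throws Exception if a key or certificate cannot be loaded or a socket
     *                   or SSL call fails
     */
    private void do_server(int build_mode, String[] args)
                    throws Exception
    {
        int i = 1;
        int port = 4433;
        int options = axtlsj.SSL_DISPLAY_CERTS;
        boolean quiet = false;
        String password = null;
        String private_key_file = null;

        /* organise the cert/ca_cert lists */
        int cert_size = SSLUtil.maxCerts();
        int ca_cert_size = SSLUtil.maxCACerts();
        String[] cert = new String[cert_size];
        String[] ca_cert = new String[ca_cert_size];
        int cert_index = 0;
        int ca_cert_index = 0;

        /* 
         * Every print_server_options() call below terminates the process, so
         * the statement after it only runs when the check passed.
         */
        while (i < args.length)
        {
            if (args[i].equals("-accept"))
            {
                if (i >= args.length-1)
                {
                    print_server_options(build_mode, args[i]);
                }

                /* a non-numeric port surfaces as NumberFormatException */
                port = Integer.parseInt(args[++i]);
            }
            else if (args[i].equals("-quiet"))
            {
                quiet = true;
                options &= ~(int)axtlsj.SSL_DISPLAY_CERTS;
            }
            else if (build_mode >= axtlsj.SSL_BUILD_SERVER_ONLY)
            {
                if (args[i].equals("-cert"))
                {
                    if (i >= args.length-1 || cert_index >= cert_size)
                    {
                        print_server_options(build_mode, args[i]);
                    }

                    cert[cert_index++] = args[++i];
                }
                else if (args[i].equals("-key"))
                {
                    if (i >= args.length-1)
                    {
                        print_server_options(build_mode, args[i]);
                    }

                    private_key_file = args[++i];
                    options |= axtlsj.SSL_NO_DEFAULT_KEY;
                }
                else if (args[i].equals("-pass"))
                {
                    if (i >= args.length-1)
                    {
                        print_server_options(build_mode, args[i]);
                    }

                    /* 
                     * The argument is the pass phrase itself, so it shows up
                     * in the process argument list.
                     */
                    password = args[++i];
                }
                else if (build_mode >= axtlsj.SSL_BUILD_ENABLE_VERIFICATION)
                {
                    if (args[i].equals("-verify"))
                    {
                        options |= axtlsj.SSL_CLIENT_AUTHENTICATION;
                    }
                    else if (args[i].equals("-CAfile"))
                    {
                        if (i >= args.length-1 || ca_cert_index >= ca_cert_size)
                        {
                            print_server_options(build_mode, args[i]);
                        }

                        ca_cert[ca_cert_index++] = args[++i];
                    }
                    else if (build_mode == axtlsj.SSL_BUILD_FULL_MODE)
                    {
                        if (args[i].equals("-debug"))
                        {
                            options |= axtlsj.SSL_DISPLAY_BYTES;
                        }
                        else if (args[i].equals("-state"))
                        {
                            options |= axtlsj.SSL_DISPLAY_STATES;
                        }
                        else if (args[i].equals("-show-rsa"))
                        {
                            options |= axtlsj.SSL_DISPLAY_RSA;
                        }
                        else
                            print_server_options(build_mode, args[i]);
                    }
                    else
                        print_server_options(build_mode, args[i]);
                }
                else 
                    print_server_options(build_mode, args[i]);
            }
            else 
                print_server_options(build_mode, args[i]);

            i++;
        }

        /* Create socket for incoming connections */
        ServerSocket server_sock = new ServerSocket(port);
        SSLServer ssl_ctx = null;

        try
        {
            /******************************************************************
             * This is where the interesting stuff happens. Up until now we've
             * just been setting up sockets etc. Now we do the SSL handshake.
             ******************************************************************/
            ssl_ctx = new SSLServer(options, axtlsj.SSL_DEFAULT_SVR_SESS);

            if (private_key_file != null)
            {
                /* the key format is chosen from the file extension alone */
                int obj_type =  axtlsj.SSL_OBJ_RSA_KEY;

                if (private_key_file.endsWith(".p8"))
                    obj_type = axtlsj.SSL_OBJ_PKCS8;
                else if (private_key_file.endsWith(".p12"))
                    obj_type = axtlsj.SSL_OBJ_PKCS12;

                if (ssl_ctx.objLoad(obj_type, 
                                private_key_file, password) != axtlsj.SSL_OK)
                {
                    throw new Exception("Error: Private key '" + 
                            private_key_file + "' is undefined.");
                }
            }

            for (i = 0; i < cert_index; i++)
            {
                if (ssl_ctx.objLoad(axtlsj.SSL_OBJ_X509_CERT, 
                                            cert[i], null) != axtlsj.SSL_OK)
                {
                    throw new Exception("Certificate '" + cert[i] + 
                            "' is undefined.");
                }
            }

            for (i = 0; i < ca_cert_index; i++)
            {
                if (ssl_ctx.objLoad(axtlsj.SSL_OBJ_X509_CACERT, 
                                            ca_cert[i], null) != axtlsj.SSL_OK)
                {
                    throw new Exception("Certificate '" + ca_cert[i] + 
                            "' is undefined.");
                }
            }

            int res;
            SSLReadHolder rh = new SSLReadHolder();

            for (;;)
            {
                if (!quiet)
                {
                    System.out.println("ACCEPT");
                }

                Socket client_sock = server_sock.accept();
                SSL ssl = null;

                try
                {
                    ssl = ssl_ctx.connect(client_sock);

                    while ((res = ssl_ctx.read(ssl, rh)) == axtlsj.SSL_OK)
                    {
                        /* check when the connection has been established */
                        if (ssl.handshakeStatus() == axtlsj.SSL_OK)
                            break;

                        /* could do something else here */
                    }

                    if (res == axtlsj.SSL_OK) /* connection established, ok */
                    {
                        if (!quiet)
                        {
                            display_session_id(ssl);
                            display_cipher(ssl);
                        }

                        /* now read (and display) whatever the client sends */
                        for (;;)
                        {
                            /* keep reading until we get something */
                            while ((res = ssl_ctx.read(ssl, rh)) == 
                                                            axtlsj.SSL_OK)
                            {
                                /* could do something else here */
                            }

                            if (res < axtlsj.SSL_OK)
                            {
                                if (!quiet)
                                {
                                    System.out.println("CONNECTION CLOSED");
                                }

                                break;
                            }

                            /* 
                             * Convert to text one byte per char. The mask
                             * stops bytes of 0x80 and above from being sign
                             * extended into unrelated characters, and the
                             * length is capped at what the holder returned.
                             *
                             * The bytes are chosen by the peer and are 
                             * written to the console as they are, control 
                             * sequences included; filter them before doing 
                             * more with this than a demo.
                             */
                            byte[] buf = rh.getData();
                            int len = Math.min(res, buf.length);
                            char[] str = new char[len];

                            for (i = 0; i < len; i++)
                            {
                                str[i] = (char)(buf[i] & 0xFF);
                            }

                            System.out.print(str);
                        }
                    }
                    else if (!quiet)
                    {
                        SSLUtil.displayError(res);
                    }
                }
                finally
                {
                    /* 
                     * client was disconnected, the handshake failed, or an
                     * exception is on its way out: release the session and
                     * the socket either way.
                     */
                    if (ssl != null)
                        ssl.dispose();

                    client_sock.close();
                }
            }
        }
        finally
        {
            /* only reached when an exception ends the accept loop */
            if (ssl_ctx != null)
                ssl_ctx.dispose();

            server_sock.close();
        }
    }

    /**
     * Run the s_client mode: parse the options, connect, perform the 
     * handshake (optionally reconnecting to exercise session resumption) 
     * and then send each line read from standard input to the server.
     *
     * The option word starts as SSL_SERVER_VERIFY_LATER|SSL_DISPLAY_CERTS
     * and -verify clears SSL_SERVER_VERIFY_LATER. This method never checks
     * the server certificate after the handshake and never compares the
     * certificate's Common Name with the host name. NOTE(review): a run
     * without -verify therefore appears to accept any server certificate -
     * confirm against the axTLS documentation.
     *
     * @param build_mode the library build mode reported by SSLUtil.buildMode()
     * @param args the full command line; args[0] is the mode name
     * @throws Exception if key material cannot be loaded, the handshake 
     *                   fails or a socket call fails
     */
    private void do_client(int build_mode, String[] args)
                    throws Exception
    {
        /* args[1] is absent when "s_client" is the only argument */
        if (build_mode < axtlsj.SSL_BUILD_ENABLE_CLIENT)
            print_client_options(build_mode, args.length > 1 ? args[1] : "");

        int i = 1, res;
        int port = 4433;
        boolean quiet = false;
        String password = null;
        int reconnect = 0;
        String private_key_file = null;
        String hostname = "127.0.0.1";

        /* organise the cert/ca_cert lists */
        int cert_index = 0;
        int ca_cert_index = 0;
        int cert_size = SSLUtil.maxCerts();
        int ca_cert_size = SSLUtil.maxCACerts();
        String[] cert = new String[cert_size];
        String[] ca_cert = new String[ca_cert_size];

        int options = axtlsj.SSL_SERVER_VERIFY_LATER|axtlsj.SSL_DISPLAY_CERTS;
        byte[] session_id = null;

        /* 
         * Every print_client_options() call below terminates the process, so
         * the statement after it only runs when the check passed.
         */
        while (i < args.length)
        {
            if (args[i].equals("-connect"))
            {
                String host_port;

                if (i >= args.length-1)
                {
                    print_client_options(build_mode, args[i]);
                }

                host_port = args[++i];
                int index_colon;

                if ((index_colon = host_port.indexOf(':')) < 0)
                    print_client_options(build_mode, args[i]);

                /* split at the first colon: host before, port after */
                hostname = host_port.substring(0, index_colon);
                port = Integer.parseInt(host_port.substring(index_colon+1));
            }
            else if (args[i].equals("-cert"))
            {
                if (i >= args.length-1 || cert_index >= cert_size)
                {
                    print_client_options(build_mode, args[i]);
                }

                cert[cert_index++] = args[++i];
            }
            else if (args[i].equals("-CAfile"))
            {
                if (i >= args.length-1 || ca_cert_index >= ca_cert_size)
                {
                    print_client_options(build_mode, args[i]);
                }

                ca_cert[ca_cert_index++] = args[++i];
            }
            else if (args[i].equals("-key"))
            {
                if (i >= args.length-1)
                {
                    print_client_options(build_mode, args[i]);
                }

                private_key_file = args[++i];
                options |= axtlsj.SSL_NO_DEFAULT_KEY;
            }
            else if (args[i].equals("-verify"))
            {
                /* verify the server certificate during the handshake */
                options &= ~(int)axtlsj.SSL_SERVER_VERIFY_LATER;
            }
            else if (args[i].equals("-reconnect"))
            {
                reconnect = 4;
            }
            else if (args[i].equals("-quiet"))
            {
                quiet = true;
                options &= ~(int)axtlsj.SSL_DISPLAY_CERTS;
            }
            else if (args[i].equals("-pass"))
            {
                if (i >= args.length-1)
                {
                    /* client usage, not the server's */
                    print_client_options(build_mode, args[i]);
                }

                /* 
                 * The argument is the pass phrase itself, so it shows up in
                 * the process argument list.
                 */
                password = args[++i];
            }
            else if (build_mode == axtlsj.SSL_BUILD_FULL_MODE)
            {
                if (args[i].equals("-debug"))
                {
                    options |= axtlsj.SSL_DISPLAY_BYTES;
                }
                else if (args[i].equals("-state"))
                {
                    options |= axtlsj.SSL_DISPLAY_STATES;
                }
                else if (args[i].equals("-show-rsa"))
                {
                    options |= axtlsj.SSL_DISPLAY_RSA;
                }
                else
                    print_client_options(build_mode, args[i]);
            }
            else    /* don't know what this is */
                print_client_options(build_mode, args[i]);

            i++;
        }

        /* 
         * new Socket(host, port) either returns a connected socket or 
         * throws, so no separate "is it connected" test is needed.
         */
        Socket client_sock = new Socket(hostname, port);
        SSLClient ssl_ctx = null;

        try
        {
            if (!quiet)
            {
                System.out.println("CONNECTED");
            }

            /******************************************************************
             * This is where the interesting stuff happens. Up until now we've
             * just been setting up sockets etc. Now we do the SSL handshake.
             ******************************************************************/
            ssl_ctx = new SSLClient(options, axtlsj.SSL_DEFAULT_CLNT_SESS);

            if (private_key_file != null)
            {
                /* the key format is chosen from the file extension alone */
                int obj_type =  axtlsj.SSL_OBJ_RSA_KEY;

                if (private_key_file.endsWith(".p8"))
                    obj_type = axtlsj.SSL_OBJ_PKCS8;
                else if (private_key_file.endsWith(".p12"))
                    obj_type = axtlsj.SSL_OBJ_PKCS12;

                if (ssl_ctx.objLoad(obj_type, 
                                private_key_file, password) != axtlsj.SSL_OK)
                {
                    throw new Exception("Error: Private key '" + 
                            private_key_file + "' is undefined.");
                }
            }

            for (i = 0; i < cert_index; i++)
            {
                if (ssl_ctx.objLoad(axtlsj.SSL_OBJ_X509_CERT, 
                                            cert[i], null) != axtlsj.SSL_OK)
                {
                    throw new Exception("Certificate '" + cert[i] + 
                            "' is undefined.");
                }
            }

            for (i = 0; i < ca_cert_index; i++)
            {
                if (ssl_ctx.objLoad(axtlsj.SSL_OBJ_X509_CACERT, 
                                            ca_cert[i], null) != axtlsj.SSL_OK)
                {
                    throw new Exception("Certificate '" + ca_cert[i] + 
                            "' is undefined.");
                }
            }

            SSL ssl = null;

            /* Try session resumption? */
            if (reconnect > 0)
            {
                while (reconnect-- > 0)
                {
                    /* the first pass has no id yet; later ones offer it */
                    ssl = ssl_ctx.connect(client_sock, session_id);

                    if ((res = ssl.handshakeStatus()) != axtlsj.SSL_OK)
                    {
                        if (!quiet)
                        {
                            SSLUtil.displayError(res);
                        }

                        ssl.dispose();
                        throw new Exception("Error: SSL handshake failed");
                    }

                    display_session_id(ssl);
                    session_id = ssl.getSessionId();

                    if (reconnect > 0)
                    {
                        ssl.dispose();
                        client_sock.close();

                        /* and reconnect */
                        client_sock = new Socket(hostname, port);
                    }
                }
            }
            else
            {
                ssl = ssl_ctx.connect(client_sock, null);
            }

            /* check the return status */
            if ((res = ssl.handshakeStatus()) != axtlsj.SSL_OK)
            {
                if (!quiet)
                {
                    SSLUtil.displayError(res);
                }

                throw new Exception("Error: SSL handshake failed");
            }

            if (!quiet)
            {
                /* shown for information only; not matched against hostname */
                String common_name =
                    ssl.getCertificateDN(axtlsj.SSL_X509_CERT_COMMON_NAME);

                if (common_name != null)
                {
                    System.out.println("Common Name:\t\t\t" + common_name);
                }

                display_session_id(ssl);
                display_cipher(ssl);
            }

            BufferedReader in = new BufferedReader(
                    new InputStreamReader(System.in));

            for (;;)
            {
                String user_input = in.readLine();

                if (user_input == null)
                    break;

                /* 
                 * Each line goes out as its characters followed by a line 
                 * feed and a zero byte. Only the low eight bits of each
                 * character are sent.
                 */
                byte[] buf = new byte[user_input.length()+2];
                buf[buf.length-2] = (byte)'\n';     /* add the line feed */
                buf[buf.length-1] = 0;              /* null terminate */

                for (i = 0; i < buf.length-2; i++)
                {
                    buf[i] = (byte)user_input.charAt(i);
                }

                if ((res = ssl_ctx.write(ssl, buf)) < axtlsj.SSL_OK)
                {
                    if (!quiet)
                    {
                        SSLUtil.displayError(res);
                    }

                    break;
                }
            }
        }
        finally
        {
            /* release the context and the socket on every way out */
            if (ssl_ctx != null)
                ssl_ctx.dispose();

            client_sock.close();
        }
    }

    /**
     * We've had some sort of command-line error. Print out the basic options
     * and exit with status 1.
     *
     * @param option the word that was not recognised as a command
     */
    private void print_options(String option)
    {
        System.out.println("axssl: Error: '" + option + 
                "' is an invalid command.");
        System.out.println("usage: axtlsj.jar [s_server|s_client|version] " + 
                "[args ...]");
        System.exit(1);
    }

    /**
     * We've had some sort of command-line error. Print out the server options
     * that the given build mode supports and exit with status 1.
     *
     * @param build_mode the library build mode; higher modes list more options
     * @param option the option that triggered the error
     */
    private void print_server_options(int build_mode, String option)
    {
        int cert_size = SSLUtil.maxCerts();
        int ca_cert_size = SSLUtil.maxCACerts();

        System.out.println("unknown option " + option);
        System.out.println("usage: s_server [args ...]");
        System.out.println(" -accept arg\t- port to accept on (default " + 
                "is 4433)");
        System.out.println(" -quiet\t\t- No server output");

        if (build_mode >= axtlsj.SSL_BUILD_SERVER_ONLY)
        {
            System.out.println(" -cert arg\t- certificate file to add (in " + 
                    "addition to default) to chain -");
            System.out.println("\t\t  Can repeat up to " + cert_size + " times");
            System.out.println(" -key arg\t- Private key file to use");
            System.out.println(" -pass\t\t- private key file pass phrase source");
        }

        if (build_mode >= axtlsj.SSL_BUILD_ENABLE_VERIFICATION)
        {
            System.out.println(" -verify\t- turn on peer certificate " +
                    "verification");
            System.out.println(" -CAfile arg\t- Certificate authority. ");
            System.out.println("\t\t  Can repeat up to " + 
                    ca_cert_size + " times");
        }

        if (build_mode == axtlsj.SSL_BUILD_FULL_MODE)
        {
            System.out.println(" -debug\t\t- Print more output");
            System.out.println(" -state\t\t- Show state messages");
            System.out.println(" -show-rsa\t- Show RSA state");
        }

        System.exit(1);
    }

    /**
     * We've had some sort of command-line error. Print out the client options
     * that the given build mode supports and exit with status 1.
     *
     * @param build_mode the library build mode; below SSL_BUILD_ENABLE_CLIENT
     *                   only a configuration hint is printed
     * @param option the option that triggered the error
     */
    private void print_client_options(int build_mode, String option)
    {
        int cert_size = SSLUtil.maxCerts();
        int ca_cert_size = SSLUtil.maxCACerts();

        System.out.println("unknown option " + option);

        if (build_mode >= axtlsj.SSL_BUILD_ENABLE_CLIENT)
        {
            System.out.println("usage: s_client [args ...]");
            System.out.println(" -connect host:port - who to connect to " + 
                    "(default is localhost:4433)");
            System.out.println(" -verify\t- turn on peer certificate " + 
                    "verification");
            System.out.println(" -cert arg\t- certificate file to use");

            /* the repeat limit belongs to -cert, so it follows that line */
            System.out.println("\t\t  Can repeat up to " + cert_size + 
                    " times");
            System.out.println(" -key arg\t- Private key file to use");
            System.out.println(" -CAfile arg\t- Certificate authority.");
            System.out.println("\t\t  Can repeat up to " + ca_cert_size + 
                    " times");
            System.out.println(" -quiet\t\t- No client output");
            System.out.println(" -pass\t\t- private key file pass " + 
                        "phrase source");
            System.out.println(" -reconnect\t- Drop and re-make the " +
                    "connection with the same Session-ID");

            if (build_mode == axtlsj.SSL_BUILD_FULL_MODE)
            {
                System.out.println(" -debug\t\t- Print more output");
                System.out.println(" -state\t\t- Show state messages");
                System.out.println(" -show-rsa\t- Show RSA state");
            }
        }
        else 
        {
            System.out.println("Change configuration to allow this feature");
        }

        System.exit(1);
    }

    /**
     * Display what cipher we are using.
     *
     * RC4-SHA and RC4-MD5 are among the names this can print. RC4 is 
     * prohibited for TLS by RFC 7465 and MD5 is a broken hash, so a session
     * reporting either should be treated as weakly protected.
     *
     * @param ssl the established session to describe
     */
    private void display_cipher(SSL ssl)
    {
        System.out.print("CIPHER is ");

        byte ciph_id = ssl.getCipherId();

        if (ciph_id == axtlsj.SSL_AES128_SHA)
            System.out.println("AES128-SHA");
        else if (ciph_id == axtlsj.SSL_AES256_SHA)
            System.out.println("AES256-SHA");
        else if (ciph_id == axtlsj.SSL_RC4_128_SHA)
            System.out.println("RC4-SHA");
        else if (ciph_id == axtlsj.SSL_RC4_128_MD5)
            System.out.println("RC4-MD5");
        else
            System.out.println("Unknown - " + ciph_id);
    }

    /**
     * Map a nibble to its lower-case hexadecimal digit.
     *
     * @param i the value to convert; only 0 to 15 give a hex digit, other 
     *          values are not checked and yield an unrelated character
     * @return '0'-'9' for 0 to 9, otherwise 'a' + (i - 10)
     */
    public char toHexChar(int i)
    {
        if ((0 <= i) && (i <= 9 ))
            return (char)('0' + i);
        else
            return (char)('a' + (i-10));
    }

    /**
     * Print a byte array to standard output as one line of lower-case hex,
     * two digits per byte.
     *
     * @param data the bytes to print; must not be null
     */
    public void bytesToHex(byte[] data) 
    {
        /* purely local buffer, so the unsynchronised builder is enough */
        StringBuilder buf = new StringBuilder(data.length * 2);

        for (int i = 0; i < data.length; i++ ) 
        {
            /* the 0x0F mask discards the sign extension of the byte */
            buf.append(toHexChar((data[i]>>>4)&0x0F));
            buf.append(toHexChar(data[i]&0x0F));
        }

        System.out.println(buf);
    }


    /**
     * Display what session id we have. Nothing is printed when the session
     * has no id.
     *
     * @param ssl the session whose id is printed
     */
    private void display_session_id(SSL ssl)
    {    
        byte[] session_id = ssl.getSessionId();

        /* treat a missing id like an empty one instead of failing */
        if (session_id != null && session_id.length > 0)
        {
            System.out.println("-----BEGIN SSL SESSION PARAMETERS-----");
            bytesToHex(session_id);
            System.out.println("-----END SSL SESSION PARAMETERS-----");
        }
    }
}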
