author | xuelei |
Wed, 23 Mar 2016 12:25:08 +0000 | |
changeset 36661 | 044bf6a5474a |
parent 35287 | e59d934ce2ba |
child 36952 | 4500612ce068 |
permissions | -rw-r--r-- |
2 | 1 |
/* |
36661
044bf6a5474a
8149017: Delayed provider selection broken in RSA client key exchange
xuelei
parents:
35287
diff
changeset
|
2 |
* Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved. |
2 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
5506 | 7 |
* published by the Free Software Foundation. Oracle designates this |
2 | 8 |
* particular file as subject to the "Classpath" exception as provided |
5506 | 9 |
* by Oracle in the LICENSE file that accompanied this code. |
2 | 10 |
* |
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
15 |
* accompanied this code). |
|
16 |
* |
|
17 |
* You should have received a copy of the GNU General Public License version |
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 |
* |
|
5506 | 21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
22 |
* or visit www.oracle.com if you need additional information or have any |
|
23 |
* questions. |
|
2 | 24 |
*/ |
25 |
||
26 |
||
27 |
package sun.security.ssl; |
|
28 |
||
29 |
import java.io.*; |
|
30 |
import java.security.*; |
|
31 |
||
32 |
import javax.crypto.*; |
|
33 |
||
34 |
import javax.net.ssl.*; |
|
35 |
||
36 |
import sun.security.internal.spec.TlsRsaPremasterSecretParameterSpec; |
|
16080 | 37 |
import sun.security.util.KeyUtil; |
2 | 38 |
|
39 |
/** |
|
40 |
* This is the client key exchange message (CLIENT --> SERVER) used with |
|
41 |
* all RSA key exchanges; it holds the RSA-encrypted pre-master secret. |
|
42 |
* |
|
43 |
* The message is encrypted using PKCS #1 block type 02 encryption with the |
|
44 |
* server's public key. The padding and resulting message size is a function |
|
45 |
* of this server's public key modulus size, but the pre-master secret is |
|
46 |
* always exactly 48 bytes. |
|
47 |
* |
|
48 |
*/ |
|
49 |
final class RSAClientKeyExchange extends HandshakeMessage { |
|
50 |
||
51 |
/* |
|
52 |
* The following field values were encrypted with the server's public |
|
53 |
* key (or temp key from server key exchange msg) and are presented |
|
54 |
* here in DECRYPTED form. |
|
55 |
*/ |
|
56 |
private ProtocolVersion protocolVersion; // preMaster [0,1] |
|
57 |
SecretKey preMaster; |
|
58 |
private byte[] encrypted; // same size as public modulus |
|
59 |
||
60 |
/* |
|
61 |
* Client randomly creates a pre-master secret and encrypts it |
|
62 |
* using the server's RSA public key; only the server can decrypt |
|
63 |
* it, using its RSA private key. Result is the same size as the |
|
64 |
* server's public key, and uses PKCS #1 block format 02. |
|
65 |
*/ |
|
27804
4659e70271c4
8066617: Suppress deprecation warnings in java.base module
darcy
parents:
25859
diff
changeset
|
66 |
@SuppressWarnings("deprecation") |
7039 | 67 |
RSAClientKeyExchange(ProtocolVersion protocolVersion, |
68 |
ProtocolVersion maxVersion, |
|
2 | 69 |
SecureRandom generator, PublicKey publicKey) throws IOException { |
70 |
if (publicKey.getAlgorithm().equals("RSA") == false) { |
|
71 |
throw new SSLKeyException("Public key not of type RSA"); |
|
72 |
} |
|
73 |
this.protocolVersion = protocolVersion; |
|
74 |
||
75 |
try { |
|
30904 | 76 |
String s = protocolVersion.useTLS12PlusSpec() ? |
77 |
"SunTls12RsaPremasterSecret" : "SunTlsRsaPremasterSecret"; |
|
7043 | 78 |
KeyGenerator kg = JsseJce.getKeyGenerator(s); |
23733
b9b80421cfa7
8028192: Use of PKCS11-NSS provider in FIPS mode broken
xuelei
parents:
22309
diff
changeset
|
79 |
kg.init(new TlsRsaPremasterSecretParameterSpec( |
b9b80421cfa7
8028192: Use of PKCS11-NSS provider in FIPS mode broken
xuelei
parents:
22309
diff
changeset
|
80 |
maxVersion.v, protocolVersion.v), generator); |
2 | 81 |
preMaster = kg.generateKey(); |
82 |
||
83 |
Cipher cipher = JsseJce.getCipher(JsseJce.CIPHER_RSA_PKCS1); |
|
84 |
cipher.init(Cipher.WRAP_MODE, publicKey, generator); |
|
85 |
encrypted = cipher.wrap(preMaster); |
|
86 |
} catch (GeneralSecurityException e) { |
|
87 |
throw (SSLKeyException)new SSLKeyException |
|
88 |
("RSA premaster secret error").initCause(e); |
|
89 |
} |
|
90 |
} |
|
91 |
||
92 |
/* |
|
93 |
* Server gets the PKCS #1 (block format 02) data, decrypts |
|
94 |
* it with its private key. |
|
95 |
*/ |
|
27804
4659e70271c4
8066617: Suppress deprecation warnings in java.base module
darcy
parents:
25859
diff
changeset
|
96 |
@SuppressWarnings("deprecation") |
7039 | 97 |
RSAClientKeyExchange(ProtocolVersion currentVersion, |
98 |
ProtocolVersion maxVersion, |
|
99 |
SecureRandom generator, HandshakeInStream input, |
|
2 | 100 |
int messageSize, PrivateKey privateKey) throws IOException { |
101 |
||
102 |
if (privateKey.getAlgorithm().equals("RSA") == false) { |
|
103 |
throw new SSLKeyException("Private key not of type RSA"); |
|
104 |
} |
|
105 |
||
30904 | 106 |
if (currentVersion.useTLS10PlusSpec()) { |
2 | 107 |
encrypted = input.getBytes16(); |
108 |
} else { |
|
109 |
encrypted = new byte [messageSize]; |
|
110 |
if (input.read(encrypted) != messageSize) { |
|
22309 | 111 |
throw new SSLProtocolException( |
112 |
"SSL: read PreMasterSecret: short read"); |
|
2 | 113 |
} |
114 |
} |
|
115 |
||
35279 | 116 |
byte[] encoded = null; |
2 | 117 |
try { |
36661
044bf6a5474a
8149017: Delayed provider selection broken in RSA client key exchange
xuelei
parents:
35287
diff
changeset
|
118 |
boolean needFailover = false; |
2 | 119 |
Cipher cipher = JsseJce.getCipher(JsseJce.CIPHER_RSA_PKCS1); |
36661
044bf6a5474a
8149017: Delayed provider selection broken in RSA client key exchange
xuelei
parents:
35287
diff
changeset
|
120 |
try { |
044bf6a5474a
8149017: Delayed provider selection broken in RSA client key exchange
xuelei
parents:
35287
diff
changeset
|
121 |
// Try UNWRAP_MODE mode firstly. |
044bf6a5474a
8149017: Delayed provider selection broken in RSA client key exchange
xuelei
parents:
35287
diff
changeset
|
122 |
cipher.init(Cipher.UNWRAP_MODE, privateKey, |
044bf6a5474a
8149017: Delayed provider selection broken in RSA client key exchange
xuelei
parents:
35287
diff
changeset
|
123 |
new TlsRsaPremasterSecretParameterSpec( |
044bf6a5474a
8149017: Delayed provider selection broken in RSA client key exchange
xuelei
parents:
35287
diff
changeset
|
124 |
maxVersion.v, currentVersion.v), |
044bf6a5474a
8149017: Delayed provider selection broken in RSA client key exchange
xuelei
parents:
35287
diff
changeset
|
125 |
generator); |
044bf6a5474a
8149017: Delayed provider selection broken in RSA client key exchange
xuelei
parents:
35287
diff
changeset
|
126 |
|
044bf6a5474a
8149017: Delayed provider selection broken in RSA client key exchange
xuelei
parents:
35287
diff
changeset
|
127 |
// The provider selection can be delayed, please don't call |
044bf6a5474a
8149017: Delayed provider selection broken in RSA client key exchange
xuelei
parents:
35287
diff
changeset
|
128 |
// any Cipher method before the call to Cipher.init(). |
044bf6a5474a
8149017: Delayed provider selection broken in RSA client key exchange
xuelei
parents:
35287
diff
changeset
|
129 |
needFailover = !KeyUtil.isOracleJCEProvider( |
044bf6a5474a
8149017: Delayed provider selection broken in RSA client key exchange
xuelei
parents:
35287
diff
changeset
|
130 |
cipher.getProvider().getName()); |
044bf6a5474a
8149017: Delayed provider selection broken in RSA client key exchange
xuelei
parents:
35287
diff
changeset
|
131 |
} catch (InvalidKeyException | UnsupportedOperationException iue) { |
044bf6a5474a
8149017: Delayed provider selection broken in RSA client key exchange
xuelei
parents:
35287
diff
changeset
|
132 |
if (debug != null && Debug.isOn("handshake")) { |
044bf6a5474a
8149017: Delayed provider selection broken in RSA client key exchange
xuelei
parents:
35287
diff
changeset
|
133 |
System.out.println("The Cipher provider " + |
044bf6a5474a
8149017: Delayed provider selection broken in RSA client key exchange
xuelei
parents:
35287
diff
changeset
|
134 |
cipher.getProvider().getName() + |
044bf6a5474a
8149017: Delayed provider selection broken in RSA client key exchange
xuelei
parents:
35287
diff
changeset
|
135 |
" caused exception: " + iue.getMessage()); |
044bf6a5474a
8149017: Delayed provider selection broken in RSA client key exchange
xuelei
parents:
35287
diff
changeset
|
136 |
} |
044bf6a5474a
8149017: Delayed provider selection broken in RSA client key exchange
xuelei
parents:
35287
diff
changeset
|
137 |
|
044bf6a5474a
8149017: Delayed provider selection broken in RSA client key exchange
xuelei
parents:
35287
diff
changeset
|
138 |
needFailover = true; |
044bf6a5474a
8149017: Delayed provider selection broken in RSA client key exchange
xuelei
parents:
35287
diff
changeset
|
139 |
} |
044bf6a5474a
8149017: Delayed provider selection broken in RSA client key exchange
xuelei
parents:
35287
diff
changeset
|
140 |
|
35279 | 141 |
if (needFailover) { |
36661
044bf6a5474a
8149017: Delayed provider selection broken in RSA client key exchange
xuelei
parents:
35287
diff
changeset
|
142 |
// Use DECRYPT_MODE and dispose the previous initialization. |
35279 | 143 |
cipher.init(Cipher.DECRYPT_MODE, privateKey); |
35287 | 144 |
boolean failed = false; |
145 |
try { |
|
146 |
encoded = cipher.doFinal(encrypted); |
|
147 |
} catch (BadPaddingException bpe) { |
|
148 |
// Note: encoded == null |
|
149 |
failed = true; |
|
150 |
} |
|
35279 | 151 |
encoded = KeyUtil.checkTlsPreMasterSecretKey( |
152 |
maxVersion.v, currentVersion.v, |
|
35287 | 153 |
generator, encoded, failed); |
35279 | 154 |
preMaster = generatePreMasterSecret( |
155 |
maxVersion.v, currentVersion.v, |
|
156 |
encoded, generator); |
|
157 |
} else { |
|
36661
044bf6a5474a
8149017: Delayed provider selection broken in RSA client key exchange
xuelei
parents:
35287
diff
changeset
|
158 |
// the cipher should have been initialized |
35279 | 159 |
preMaster = (SecretKey)cipher.unwrap(encrypted, |
160 |
"TlsRsaPremasterSecret", Cipher.SECRET_KEY); |
|
161 |
} |
|
23733
b9b80421cfa7
8028192: Use of PKCS11-NSS provider in FIPS mode broken
xuelei
parents:
22309
diff
changeset
|
162 |
} catch (InvalidKeyException ibk) { |
b9b80421cfa7
8028192: Use of PKCS11-NSS provider in FIPS mode broken
xuelei
parents:
22309
diff
changeset
|
163 |
// the message is too big to process with RSA |
22309 | 164 |
throw new SSLProtocolException( |
165 |
"Unable to process PreMasterSecret, may be too big"); |
|
166 |
} catch (Exception e) { |
|
167 |
// unlikely to happen, otherwise, must be a provider exception |
|
168 |
if (debug != null && Debug.isOn("handshake")) { |
|
169 |
System.out.println("RSA premaster secret decryption error:"); |
|
170 |
e.printStackTrace(System.out); |
|
171 |
} |
|
172 |
throw new RuntimeException("Could not generate dummy secret", e); |
|
173 |
} |
|
2 | 174 |
} |
175 |
||
35279 | 176 |
// generate a premaster secret with the specified version number |
177 |
@SuppressWarnings("deprecation") |
|
178 |
private static SecretKey generatePreMasterSecret( |
|
179 |
int clientVersion, int serverVersion, |
|
180 |
byte[] encodedSecret, SecureRandom generator) { |
|
181 |
||
182 |
if (debug != null && Debug.isOn("handshake")) { |
|
183 |
System.out.println("Generating a premaster secret"); |
|
184 |
} |
|
185 |
||
186 |
try { |
|
187 |
String s = ((clientVersion >= ProtocolVersion.TLS12.v) ? |
|
188 |
"SunTls12RsaPremasterSecret" : "SunTlsRsaPremasterSecret"); |
|
189 |
KeyGenerator kg = JsseJce.getKeyGenerator(s); |
|
190 |
kg.init(new TlsRsaPremasterSecretParameterSpec( |
|
191 |
clientVersion, serverVersion, encodedSecret), |
|
192 |
generator); |
|
193 |
return kg.generateKey(); |
|
194 |
} catch (InvalidAlgorithmParameterException | |
|
195 |
NoSuchAlgorithmException iae) { |
|
196 |
// unlikely to happen, otherwise, must be a provider exception |
|
197 |
if (debug != null && Debug.isOn("handshake")) { |
|
198 |
System.out.println("RSA premaster secret generation error:"); |
|
199 |
iae.printStackTrace(System.out); |
|
200 |
} |
|
201 |
throw new RuntimeException("Could not generate premaster secret", iae); |
|
202 |
} |
|
203 |
} |
|
204 |
||
7039 | 205 |
@Override |
206 |
int messageType() { |
|
207 |
return ht_client_key_exchange; |
|
208 |
} |
|
209 |
||
210 |
@Override |
|
2 | 211 |
int messageLength() { |
30904 | 212 |
if (protocolVersion.useTLS10PlusSpec()) { |
2 | 213 |
return encrypted.length + 2; |
214 |
} else { |
|
215 |
return encrypted.length; |
|
216 |
} |
|
217 |
} |
|
218 |
||
7039 | 219 |
@Override |
2 | 220 |
void send(HandshakeOutStream s) throws IOException { |
30904 | 221 |
if (protocolVersion.useTLS10PlusSpec()) { |
2 | 222 |
s.putBytes16(encrypted); |
223 |
} else { |
|
224 |
s.write(encrypted); |
|
225 |
} |
|
226 |
} |
|
227 |
||
7039 | 228 |
@Override |
2 | 229 |
void print(PrintStream s) throws IOException { |
7039 | 230 |
s.println("*** ClientKeyExchange, RSA PreMasterSecret, " + |
231 |
protocolVersion); |
|
2 | 232 |
} |
233 |
} |