jdk-sandbox: src/java.base/share/classes/sun/security/ssl/X509Authentication.java@32a737f51e37 (annotated)

56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1	/*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	2	* Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	3	* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	4	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	5	* This code is free software; you can redistribute it and/or modify it
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	6	* under the terms of the GNU General Public License version 2 only, as
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	7	* published by the Free Software Foundation. Oracle designates this
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	8	* particular file as subject to the "Classpath" exception as provided
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	9	* by Oracle in the LICENSE file that accompanied this code.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	10	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	11	* This code is distributed in the hope that it will be useful, but WITHOUT
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	12	* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	13	* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	14	* version 2 for more details (a copy is included in the LICENSE file that
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	15	* accompanied this code).
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	16	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	17	* You should have received a copy of the GNU General Public License version
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	18	* 2 along with this work; if not, write to the Free Software Foundation,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	19	* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	20	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	21	* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	22	* or visit www.oracle.com if you need additional information or have any
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	23	* questions.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	24	*/
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	25
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	26	package sun.security.ssl;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	27
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	28	import java.security.PrivateKey;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	29	import java.security.PublicKey;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	30	import java.security.cert.X509Certificate;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	31	import java.security.interfaces.ECPublicKey;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	32	import java.security.spec.ECParameterSpec;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	33	import java.util.AbstractMap.SimpleImmutableEntry;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	34	import java.util.Map;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	35	import javax.net.ssl.SSLEngine;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	36	import javax.net.ssl.SSLSocket;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	37	import javax.net.ssl.X509ExtendedKeyManager;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	38	import sun.security.ssl.SupportedGroupsExtension.NamedGroup;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	39	import sun.security.ssl.SupportedGroupsExtension.SupportedGroups;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	40
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	41	enum X509Authentication implements SSLAuthentication {
56806 32a737f51e37 Support RSASSS-PSS for TLS 1.2 xuelei parents: 56801 diff changeset	42	// Require rsaEncryption public key
32a737f51e37 Support RSASSS-PSS for TLS 1.2 xuelei parents: 56801 diff changeset	43	RSA ("RSA", new X509PossessionGenerator(
32a737f51e37 Support RSASSS-PSS for TLS 1.2 xuelei parents: 56801 diff changeset	44	new String[]{"RSA"})),
32a737f51e37 Support RSASSS-PSS for TLS 1.2 xuelei parents: 56801 diff changeset	45
32a737f51e37 Support RSASSS-PSS for TLS 1.2 xuelei parents: 56801 diff changeset	46	// Require RSASSA-PSS public key
32a737f51e37 Support RSASSS-PSS for TLS 1.2 xuelei parents: 56801 diff changeset	47	RSASSA_PSS ("RSASSA-PSS", new X509PossessionGenerator(
32a737f51e37 Support RSASSS-PSS for TLS 1.2 xuelei parents: 56801 diff changeset	48	new String[] {"RSASSA-PSS"})),
32a737f51e37 Support RSASSS-PSS for TLS 1.2 xuelei parents: 56801 diff changeset	49
32a737f51e37 Support RSASSS-PSS for TLS 1.2 xuelei parents: 56801 diff changeset	50	// Require rsaEncryption or RSASSA-PSS public key
32a737f51e37 Support RSASSS-PSS for TLS 1.2 xuelei parents: 56801 diff changeset	51	//
32a737f51e37 Support RSASSS-PSS for TLS 1.2 xuelei parents: 56801 diff changeset	52	// Note that this is a specifical scheme for TLS 1.2. (EC)DHE_RSA cipher
32a737f51e37 Support RSASSS-PSS for TLS 1.2 xuelei parents: 56801 diff changeset	53	// suites of TLS 1.2 can use either rsaEncryption or RSASSA-PSS public
32a737f51e37 Support RSASSS-PSS for TLS 1.2 xuelei parents: 56801 diff changeset	54	// key for authentication and handshake.
32a737f51e37 Support RSASSS-PSS for TLS 1.2 xuelei parents: 56801 diff changeset	55	RSA_OR_PSS ("RSA_OR_PSS", new X509PossessionGenerator(
32a737f51e37 Support RSASSS-PSS for TLS 1.2 xuelei parents: 56801 diff changeset	56	new String[] {"RSA", "RSASSA-PSS"})),
32a737f51e37 Support RSASSS-PSS for TLS 1.2 xuelei parents: 56801 diff changeset	57
32a737f51e37 Support RSASSS-PSS for TLS 1.2 xuelei parents: 56801 diff changeset	58	// Require DSA public key
32a737f51e37 Support RSASSS-PSS for TLS 1.2 xuelei parents: 56801 diff changeset	59	DSA ("DSA", new X509PossessionGenerator(
32a737f51e37 Support RSASSS-PSS for TLS 1.2 xuelei parents: 56801 diff changeset	60	new String[] {"DSA"})),
32a737f51e37 Support RSASSS-PSS for TLS 1.2 xuelei parents: 56801 diff changeset	61
32a737f51e37 Support RSASSS-PSS for TLS 1.2 xuelei parents: 56801 diff changeset	62	// Require EC public key
32a737f51e37 Support RSASSS-PSS for TLS 1.2 xuelei parents: 56801 diff changeset	63	EC ("EC", new X509PossessionGenerator(
32a737f51e37 Support RSASSS-PSS for TLS 1.2 xuelei parents: 56801 diff changeset	64	new String[] {"EC"}));
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	65
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	66	final String keyType;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	67	final SSLPossessionGenerator possessionGenerator;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	68
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	69	X509Authentication(String keyType,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	70	SSLPossessionGenerator possessionGenerator) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	71	this.keyType = keyType;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	72	this.possessionGenerator = possessionGenerator;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	73	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	74
56806 32a737f51e37 Support RSASSS-PSS for TLS 1.2 xuelei parents: 56801 diff changeset	75	static X509Authentication valueOf(SignatureScheme signatureScheme) {
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	76	for (X509Authentication au: X509Authentication.values()) {
56806 32a737f51e37 Support RSASSS-PSS for TLS 1.2 xuelei parents: 56801 diff changeset	77	if (au.keyType.equals(signatureScheme.keyAlgorithm)) {
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	78	return au;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	79	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	80	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	81
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	82	return null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	83	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	84
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	85	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	86	public SSLPossession createPossession(HandshakeContext handshakeContext) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	87	return possessionGenerator.createPossession(handshakeContext);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	88	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	89
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	90	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	91	public SSLHandshake[] getRelatedHandshakers(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	92	HandshakeContext handshakeContext) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	93	if (!handshakeContext.negotiatedProtocol.useTLS13PlusSpec()) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	94	return new SSLHandshake[] {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	95	SSLHandshake.CERTIFICATE,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	96	SSLHandshake.CERTIFICATE_REQUEST
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	97	};
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	98	} // Otherwise, TLS 1.3 does not use this method.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	99
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	100	return new SSLHandshake[0];
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	101	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	102
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	103	@SuppressWarnings({"unchecked", "rawtypes"})
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	104	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	105	public Map.Entry<Byte, HandshakeProducer>[] getHandshakeProducers(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	106	HandshakeContext handshakeContext) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	107	if (!handshakeContext.negotiatedProtocol.useTLS13PlusSpec()) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	108	return (Map.Entry<Byte, HandshakeProducer>[])(new Map.Entry[] {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	109	new SimpleImmutableEntry<Byte, HandshakeProducer>(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	110	SSLHandshake.CERTIFICATE.id,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	111	SSLHandshake.CERTIFICATE
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	112	)
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	113	});
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	114	} // Otherwise, TLS 1.3 does not use this method.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	115
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	116	return (Map.Entry<Byte, HandshakeProducer>[])(new Map.Entry[0]);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	117	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	118
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	119	static final class X509Possession implements SSLPossession {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	120	// Proof of possession of the private key corresponding to the public
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	121	// key for which a certificate is being provided for authentication.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	122	final X509Certificate[] popCerts;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	123	final PrivateKey popPrivateKey;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	124
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	125	X509Possession(PrivateKey popPrivateKey,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	126	X509Certificate[] popCerts) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	127	this.popCerts = popCerts;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	128	this.popPrivateKey = popPrivateKey;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	129	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	130	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	131
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	132	static final class X509Credentials implements SSLCredentials {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	133	final X509Certificate[] popCerts;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	134	final PublicKey popPublicKey;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	135
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	136	X509Credentials(PublicKey popPublicKey, X509Certificate[] popCerts) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	137	this.popCerts = popCerts;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	138	this.popPublicKey = popPublicKey;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	139	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	140	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	141
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	142	private static final
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	143	class X509PossessionGenerator implements SSLPossessionGenerator {
56806 32a737f51e37 Support RSASSS-PSS for TLS 1.2 xuelei parents: 56801 diff changeset	144	private final String[] keyTypes;
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	145
56806 32a737f51e37 Support RSASSS-PSS for TLS 1.2 xuelei parents: 56801 diff changeset	146	private X509PossessionGenerator(String[] keyTypes) {
32a737f51e37 Support RSASSS-PSS for TLS 1.2 xuelei parents: 56801 diff changeset	147	this.keyTypes = keyTypes;
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	148	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	149
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	150	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	151	public SSLPossession createPossession(HandshakeContext context) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	152	if (context.sslConfig.isClientMode) {
56806 32a737f51e37 Support RSASSS-PSS for TLS 1.2 xuelei parents: 56801 diff changeset	153	for (String keyType : keyTypes) {
32a737f51e37 Support RSASSS-PSS for TLS 1.2 xuelei parents: 56801 diff changeset	154	SSLPossession poss = createClientPossession(
32a737f51e37 Support RSASSS-PSS for TLS 1.2 xuelei parents: 56801 diff changeset	155	(ClientHandshakeContext)context, keyType);
32a737f51e37 Support RSASSS-PSS for TLS 1.2 xuelei parents: 56801 diff changeset	156	if (poss != null) {
32a737f51e37 Support RSASSS-PSS for TLS 1.2 xuelei parents: 56801 diff changeset	157	return poss;
32a737f51e37 Support RSASSS-PSS for TLS 1.2 xuelei parents: 56801 diff changeset	158	}
32a737f51e37 Support RSASSS-PSS for TLS 1.2 xuelei parents: 56801 diff changeset	159	}
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	160	} else {
56806 32a737f51e37 Support RSASSS-PSS for TLS 1.2 xuelei parents: 56801 diff changeset	161	for (String keyType : keyTypes) {
32a737f51e37 Support RSASSS-PSS for TLS 1.2 xuelei parents: 56801 diff changeset	162	SSLPossession poss = createServerPossession(
32a737f51e37 Support RSASSS-PSS for TLS 1.2 xuelei parents: 56801 diff changeset	163	(ServerHandshakeContext)context, keyType);
32a737f51e37 Support RSASSS-PSS for TLS 1.2 xuelei parents: 56801 diff changeset	164	if (poss != null) {
32a737f51e37 Support RSASSS-PSS for TLS 1.2 xuelei parents: 56801 diff changeset	165	return poss;
32a737f51e37 Support RSASSS-PSS for TLS 1.2 xuelei parents: 56801 diff changeset	166	}
32a737f51e37 Support RSASSS-PSS for TLS 1.2 xuelei parents: 56801 diff changeset	167	}
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	168	}
56806 32a737f51e37 Support RSASSS-PSS for TLS 1.2 xuelei parents: 56801 diff changeset	169
32a737f51e37 Support RSASSS-PSS for TLS 1.2 xuelei parents: 56801 diff changeset	170	return null;
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	171	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	172
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	173	// Used by TLS 1.3 only.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	174	private SSLPossession createClientPossession(
56806 32a737f51e37 Support RSASSS-PSS for TLS 1.2 xuelei parents: 56801 diff changeset	175	ClientHandshakeContext chc, String keyType) {
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	176	X509ExtendedKeyManager km = chc.sslContext.getX509KeyManager();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	177	String clientAlias = null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	178	if (chc.conContext.transport instanceof SSLSocketImpl) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	179	clientAlias = km.chooseClientAlias(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	180	new String[] { keyType },
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	181	null, (SSLSocket)chc.conContext.transport);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	182	} else if (chc.conContext.transport instanceof SSLEngineImpl) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	183	clientAlias = km.chooseEngineClientAlias(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	184	new String[] { keyType },
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	185	null, (SSLEngine)chc.conContext.transport);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	186	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	187
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	188	if (clientAlias == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	189	if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	190	SSLLogger.finest("No X.509 cert selected for " + keyType);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	191	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	192	return null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	193	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	194
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	195	PrivateKey clientPrivateKey = km.getPrivateKey(clientAlias);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	196	if (clientPrivateKey == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	197	if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	198	SSLLogger.finest(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	199	clientAlias + " is not a private key entry");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	200	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	201	return null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	202	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	203
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	204	X509Certificate[] clientCerts = km.getCertificateChain(clientAlias);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	205	if ((clientCerts == null) \|\| (clientCerts.length == 0)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	206	if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
56801 76025c6c6e29 Update on SSLKeyExchange.java and more xuelei parents: 56542 diff changeset	207	SSLLogger.finest(clientAlias +
76025c6c6e29 Update on SSLKeyExchange.java and more xuelei parents: 56542 diff changeset	208	" is a private key entry with no cert chain stored");
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	209	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	210	return null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	211	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	212
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	213	PublicKey clientPublicKey = clientCerts[0].getPublicKey();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	214	if ((!clientPrivateKey.getAlgorithm().equals(keyType))
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	215	\|\| (!clientPublicKey.getAlgorithm().equals(keyType))) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	216	if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	217	SSLLogger.fine(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	218	clientAlias + " private or public key is not of " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	219	keyType + " algorithm");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	220	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	221	return null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	222	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	223
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	224	return new X509Possession(clientPrivateKey, clientCerts);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	225	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	226
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	227	private SSLPossession createServerPossession(
56806 32a737f51e37 Support RSASSS-PSS for TLS 1.2 xuelei parents: 56801 diff changeset	228	ServerHandshakeContext shc, String keyType) {
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	229	X509ExtendedKeyManager km = shc.sslContext.getX509KeyManager();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	230	String serverAlias = null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	231	if (shc.conContext.transport instanceof SSLSocketImpl) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	232	serverAlias = km.chooseServerAlias(keyType,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	233	null, (SSLSocket)shc.conContext.transport);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	234	} else if (shc.conContext.transport instanceof SSLEngineImpl) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	235	serverAlias = km.chooseEngineServerAlias(keyType,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	236	null, (SSLEngine)shc.conContext.transport);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	237	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	238
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	239	if (serverAlias == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	240	if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	241	SSLLogger.finest("No X.509 cert selected for " + keyType);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	242	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	243	return null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	244	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	245
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	246	PrivateKey serverPrivateKey = km.getPrivateKey(serverAlias);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	247	if (serverPrivateKey == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	248	if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	249	SSLLogger.finest(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	250	serverAlias + " is not a private key entry");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	251	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	252	return null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	253	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	254
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	255	X509Certificate[] serverCerts = km.getCertificateChain(serverAlias);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	256	if ((serverCerts == null) \|\| (serverCerts.length == 0)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	257	if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	258	SSLLogger.finest(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	259	serverAlias + " is not a certificate entry");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	260	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	261	return null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	262	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	263
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	264	PublicKey serverPublicKey = serverCerts[0].getPublicKey();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	265	if ((!serverPrivateKey.getAlgorithm().equals(keyType))
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	266	\|\| (!serverPublicKey.getAlgorithm().equals(keyType))) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	267	if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	268	SSLLogger.fine(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	269	serverAlias + " private or public key is not of " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	270	keyType + " algorithm");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	271	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	272	return null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	273	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	274
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	275	// For ECC certs, check whether we support the EC domain
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	276	// parameters. If the client sent a SupportedEllipticCurves
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	277	// ClientHello extension, check against that too.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	278	if (keyType.equals("EC")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	279	if (!(serverPublicKey instanceof ECPublicKey)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	280	if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	281	SSLLogger.warning(serverAlias +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	282	" public key is not an instance of ECPublicKey");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	283	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	284	return null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	285	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	286
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	287	// For ECC certs, check whether we support the EC domain
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	288	// parameters. If the client sent a SupportedEllipticCurves
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	289	// ClientHello extension, check against that too.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	290	ECParameterSpec params =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	291	((ECPublicKey)serverPublicKey).getParams();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	292	NamedGroup namedGroup = NamedGroup.valueOf(params);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	293	if ((namedGroup == null) \|\|
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	294	(!SupportedGroups.isSupported(namedGroup)) \|\|
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	295	((shc.clientRequestedNamedGroups != null) &&
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	296	!shc.clientRequestedNamedGroups.contains(namedGroup))) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	297
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	298	if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	299	SSLLogger.warning(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	300	"Unsupported named group (" + namedGroup +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	301	") used in the " + serverAlias + " certificate");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	302	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	303
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	304	return null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	305	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	306	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	307
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	308	return new X509Possession(serverPrivateKey, serverCerts);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	309	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	310	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	311	}

author	xuelei
	Mon, 25 Jun 2018 08:14:11 -0700
branch	JDK-8145252-TLS13-branch
changeset 56806	32a737f51e37
parent 56801	76025c6c6e29
permissions	-rw-r--r--