jdk-sandbox: src/java.base/share/classes/sun/security/ssl/DHKeyExchange.java@56aaa6cb3693 (annotated)

56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1	/*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	2	* Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	3	* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	4	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	5	* This code is free software; you can redistribute it and/or modify it
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	6	* under the terms of the GNU General Public License version 2 only, as
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	7	* published by the Free Software Foundation. Oracle designates this
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	8	* particular file as subject to the "Classpath" exception as provided
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	9	* by Oracle in the LICENSE file that accompanied this code.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	10	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	11	* This code is distributed in the hope that it will be useful, but WITHOUT
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	12	* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	13	* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	14	* version 2 for more details (a copy is included in the LICENSE file that
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	15	* accompanied this code).
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	16	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	17	* You should have received a copy of the GNU General Public License version
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	18	* 2 along with this work; if not, write to the Free Software Foundation,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	19	* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	20	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	21	* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	22	* or visit www.oracle.com if you need additional information or have any
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	23	* questions.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	24	*/
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	25
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	26	package sun.security.ssl;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	27
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	28	import java.io.IOException;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	29	import java.math.BigInteger;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	30	import java.security.GeneralSecurityException;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	31	import java.security.InvalidKeyException;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	32	import java.security.KeyFactory;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	33	import java.security.KeyPair;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	34	import java.security.KeyPairGenerator;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	35	import java.security.PrivateKey;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	36	import java.security.PublicKey;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	37	import java.security.SecureRandom;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	38	import java.security.spec.AlgorithmParameterSpec;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	39	import javax.crypto.KeyAgreement;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	40	import javax.crypto.SecretKey;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	41	import javax.crypto.interfaces.DHPublicKey;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	42	import javax.crypto.spec.DHParameterSpec;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	43	import javax.crypto.spec.DHPublicKeySpec;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	44	import javax.crypto.spec.SecretKeySpec;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	45	import javax.net.ssl.SSLHandshakeException;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	46	import sun.security.action.GetPropertyAction;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	47	import sun.security.ssl.CipherSuite.HashAlg;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	48	import sun.security.ssl.SupportedGroupsExtension.NamedGroup;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	49	import sun.security.ssl.SupportedGroupsExtension.NamedGroupType;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	50	import sun.security.ssl.SupportedGroupsExtension.SupportedGroups;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	51	import sun.security.ssl.X509Authentication.X509Possession;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	52	import sun.security.util.KeyUtil;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	53
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	54	final class DHKeyExchange {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	55	static final SSLPossessionGenerator poGenerator =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	56	new DHEPossessionGenerator(false);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	57	static final SSLPossessionGenerator poExportableGenerator =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	58	new DHEPossessionGenerator(true);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	59	static final SSLKeyAgreementGenerator kaGenerator =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	60	new DHEKAGenerator();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	61
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	62	static final class DHECredentials implements SSLCredentials {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	63	final DHPublicKey popPublicKey;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	64	final NamedGroup namedGroup;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	65
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	66	DHECredentials(DHPublicKey popPublicKey, NamedGroup namedGroup) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	67	this.popPublicKey = popPublicKey;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	68	this.namedGroup = namedGroup;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	69	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	70
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	71	static DHECredentials valueOf(NamedGroup ng,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	72	byte[] encodedPublic) throws IOException, GeneralSecurityException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	73
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	74	if (ng.type != NamedGroupType.NAMED_GROUP_FFDHE) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	75	throw new RuntimeException(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	76	"Credentials decoding: Not FFDHE named group");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	77	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	78
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	79	if (encodedPublic == null \|\| encodedPublic.length == 0) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	80	return null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	81	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	82
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	83	DHParameterSpec params = (DHParameterSpec)ng.getParameterSpec();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	84	if (params == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	85	return null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	86	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	87
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	88	KeyFactory kf = JsseJce.getKeyFactory("DiffieHellman");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	89	DHPublicKeySpec spec = new DHPublicKeySpec(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	90	new BigInteger(1, encodedPublic),
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	91	params.getP(), params.getG());
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	92	DHPublicKey publicKey =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	93	(DHPublicKey)kf.generatePublic(spec);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	94
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	95	return new DHECredentials(publicKey, ng);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	96	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	97	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	98
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	99	static final class DHEPossession implements SSLPossession {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	100	final PrivateKey privateKey;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	101	final DHPublicKey publicKey;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	102	final NamedGroup namedGroup;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	103
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	104	DHEPossession(NamedGroup namedGroup, SecureRandom random) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	105	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	106	KeyPairGenerator kpg = JsseJce.getKeyPairGenerator("DH");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	107	DHParameterSpec params =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	108	(DHParameterSpec)namedGroup.getParameterSpec();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	109	kpg.initialize(params, random);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	110	KeyPair kp = generateDHKeyPair(kpg);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	111	if (kp == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	112	throw new RuntimeException("Could not generate DH keypair");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	113	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	114	privateKey = kp.getPrivate();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	115	publicKey = (DHPublicKey)kp.getPublic();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	116	} catch (GeneralSecurityException gse) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	117	throw new RuntimeException(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	118	"Could not generate DH keypair", gse);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	119	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	120
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	121	this.namedGroup = namedGroup;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	122	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	123
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	124	DHEPossession(int keyLength, SecureRandom random) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	125	DHParameterSpec params =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	126	PredefinedDHParameterSpecs.definedParams.get(keyLength);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	127	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	128	KeyPairGenerator kpg = JsseJce.getKeyPairGenerator("DiffieHellman");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	129	if (params != null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	130	kpg.initialize(params, random);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	131	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	132	kpg.initialize(keyLength, random);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	133	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	134
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	135	KeyPair kp = generateDHKeyPair(kpg);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	136	if (kp == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	137	throw new RuntimeException(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	138	"Could not generate DH keypair of " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	139	keyLength + " bits");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	140	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	141	privateKey = kp.getPrivate();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	142	publicKey = (DHPublicKey)kp.getPublic();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	143	} catch (GeneralSecurityException gse) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	144	throw new RuntimeException(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	145	"Could not generate DH keypair", gse);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	146	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	147
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	148	this.namedGroup = NamedGroup.valueOf(publicKey.getParams());
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	149	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	150
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	151	DHEPossession(DHECredentials credentials, SecureRandom random) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	152	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	153	KeyPairGenerator kpg = JsseJce.getKeyPairGenerator("DH");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	154	kpg.initialize(credentials.popPublicKey.getParams(), random);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	155	KeyPair kp = generateDHKeyPair(kpg);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	156	if (kp == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	157	throw new RuntimeException("Could not generate DH keypair");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	158	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	159	privateKey = kp.getPrivate();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	160	publicKey = (DHPublicKey)kp.getPublic();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	161	} catch (GeneralSecurityException gse) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	162	throw new RuntimeException(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	163	"Could not generate DH keypair", gse);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	164	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	165
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	166	this.namedGroup = credentials.namedGroup;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	167	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	168
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	169	// Generate and validate DHPublicKeySpec
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	170	private KeyPair generateDHKeyPair(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	171	KeyPairGenerator kpg) throws GeneralSecurityException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	172	boolean doExtraValiadtion =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	173	(!KeyUtil.isOracleJCEProvider(kpg.getProvider().getName()));
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	174	boolean isRecovering = false;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	175	for (int i = 0; i <= 2; i++) { // Try to recove from failure.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	176	KeyPair kp = kpg.generateKeyPair();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	177	// validate the Diffie-Hellman public key
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	178	if (doExtraValiadtion) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	179	DHPublicKeySpec spec = getDHPublicKeySpec(kp.getPublic());
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	180	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	181	KeyUtil.validate(spec);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	182	} catch (InvalidKeyException ivke) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	183	if (isRecovering) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	184	throw ivke;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	185	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	186	// otherwise, ignore the exception and try again
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	187	continue;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	188	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	189	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	190
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	191	return kp;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	192	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	193
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	194	return null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	195	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	196
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	197	private static DHPublicKeySpec getDHPublicKeySpec(PublicKey key) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	198	if (key instanceof DHPublicKey) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	199	DHPublicKey dhKey = (DHPublicKey)key;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	200	DHParameterSpec params = dhKey.getParams();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	201	return new DHPublicKeySpec(dhKey.getY(),
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	202	params.getP(), params.getG());
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	203	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	204	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	205	KeyFactory factory = JsseJce.getKeyFactory("DiffieHellman");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	206	return factory.getKeySpec(key, DHPublicKeySpec.class);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	207	} catch (Exception e) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	208	throw new RuntimeException(e);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	209	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	210	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	211
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	212	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	213	public byte[] encode() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	214	// TODO: cannonical the return byte array length.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	215	return publicKey.getY().toByteArray();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	216	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	217	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	218
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	219	private static final class
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	220	DHEPossessionGenerator implements SSLPossessionGenerator {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	221	// Flag to use smart ephemeral DH key which size matches the corresponding
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	222	// authentication key
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	223	private static final boolean useSmartEphemeralDHKeys;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	224
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	225	// Flag to use legacy ephemeral DH key which size is 512 bits for
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	226	// exportable cipher suites, and 768 bits for others
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	227	private static final boolean useLegacyEphemeralDHKeys;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	228
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	229	// The customized ephemeral DH key size for non-exportable cipher suites.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	230	private static final int customizedDHKeySize;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	231
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	232	// Is it for exportable cipher suite?
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	233	private final boolean exportable;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	234
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	235	static {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	236	String property = GetPropertyAction.privilegedGetProperty(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	237	"jdk.tls.ephemeralDHKeySize");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	238	if (property == null \|\| property.length() == 0) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	239	useLegacyEphemeralDHKeys = false;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	240	useSmartEphemeralDHKeys = false;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	241	customizedDHKeySize = -1;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	242	} else if ("matched".equals(property)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	243	useLegacyEphemeralDHKeys = false;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	244	useSmartEphemeralDHKeys = true;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	245	customizedDHKeySize = -1;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	246	} else if ("legacy".equals(property)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	247	useLegacyEphemeralDHKeys = true;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	248	useSmartEphemeralDHKeys = false;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	249	customizedDHKeySize = -1;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	250	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	251	useLegacyEphemeralDHKeys = false;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	252	useSmartEphemeralDHKeys = false;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	253
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	254	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	255	// DH parameter generation can be extremely slow, best to
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	256	// use one of the supported pre-computed DH parameters
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	257	// (see DHCrypt class).
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	258	customizedDHKeySize = Integer.parseUnsignedInt(property);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	259	if (customizedDHKeySize < 1024 \|\|
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	260	customizedDHKeySize > 8192 \|\|
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	261	(customizedDHKeySize & 0x3f) != 0) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	262	throw new IllegalArgumentException(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	263	"Unsupported customized DH key size: " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	264	customizedDHKeySize + ". " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	265	"The key size must be multiple of 64, " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	266	"and range from 1024 to 8192 (inclusive)");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	267	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	268	} catch (NumberFormatException nfe) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	269	throw new IllegalArgumentException(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	270	"Invalid system property jdk.tls.ephemeralDHKeySize");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	271	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	272	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	273	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	274
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	275	// Prevent instantiation of this class.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	276	private DHEPossessionGenerator(boolean exportable) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	277	this.exportable = exportable;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	278	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	279
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	280	// Used for ServerKeyExchange, TLS 1.2 and prior versions.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	281	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	282	public SSLPossession createPossession(HandshakeContext context) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	283	NamedGroup preferableNamedGroup = null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	284	if (!useLegacyEphemeralDHKeys &&
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	285	(context.clientRequestedNamedGroups != null) &&
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	286	(!context.clientRequestedNamedGroups.isEmpty())) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	287	preferableNamedGroup =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	288	SupportedGroups.getPreferredGroup(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	289	context.negotiatedProtocol,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	290	context.algorithmConstraints,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	291	NamedGroupType.NAMED_GROUP_FFDHE,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	292	context.clientRequestedNamedGroups);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	293	if (preferableNamedGroup != null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	294	return new DHEPossession(preferableNamedGroup,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	295	context.sslContext.getSecureRandom());
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	296	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	297	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	298
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	299	/*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	300	* 768 bits ephemeral DH private keys were used to be used in
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	301	* ServerKeyExchange except that exportable ciphers max out at 512
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	302	* bits modulus values. We still adhere to this behavior in legacy
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	303	* mode (system property "jdk.tls.ephemeralDHKeySize" is defined
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	304	* as "legacy").
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	305	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	306	* Old JDK (JDK 7 and previous) releases don't support DH keys
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	307	* bigger than 1024 bits. We have to consider the compatibility
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	308	* requirement. 1024 bits DH key is always used for non-exportable
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	309	* cipher suites in default mode (system property
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	310	* "jdk.tls.ephemeralDHKeySize" is not defined).
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	311	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	312	* However, if applications want more stronger strength, setting
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	313	* system property "jdk.tls.ephemeralDHKeySize" to "matched"
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	314	* is a workaround to use ephemeral DH key which size matches the
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	315	* corresponding authentication key. For example, if the public key
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	316	* size of an authentication certificate is 2048 bits, then the
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	317	* ephemeral DH key size should be 2048 bits accordingly unless
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	318	* the cipher suite is exportable. This key sizing scheme keeps
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	319	* the cryptographic strength consistent between authentication
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	320	* keys and key-exchange keys.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	321	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	322	* Applications may also want to customize the ephemeral DH key
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	323	* size to a fixed length for non-exportable cipher suites. This
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	324	* can be approached by setting system property
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	325	* "jdk.tls.ephemeralDHKeySize" to a valid positive integer between
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	326	* 1024 and 8192 bits, inclusive.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	327	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	328	* Note that the minimum acceptable key size is 1024 bits except
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	329	* exportable cipher suites or legacy mode.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	330	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	331	* Note that per RFC 2246, the key size limit of DH is 512 bits for
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	332	* exportable cipher suites. Because of the weakness, exportable
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	333	* cipher suites are deprecated since TLS v1.1 and they are not
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	334	* enabled by default in Oracle provider. The legacy behavior is
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	335	* reserved and 512 bits DH key is always used for exportable
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	336	* cipher suites.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	337	*/
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	338	int keySize = exportable ? 512 : 1024; // default mode
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	339	if (!exportable) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	340	if (useLegacyEphemeralDHKeys) { // legacy mode
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	341	keySize = 768;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	342	} else if (useSmartEphemeralDHKeys) { // matched mode
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	343	PrivateKey key = null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	344	ServerHandshakeContext shc =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	345	(ServerHandshakeContext)context;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	346	if (shc.interimAuthn instanceof X509Possession) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	347	key = ((X509Possession)shc.interimAuthn).popPrivateKey;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	348	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	349
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	350	if (key != null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	351	int ks = KeyUtil.getKeySize(key);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	352
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	353	// DH parameter generation can be extremely slow, make
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	354	// sure to use one of the supported pre-computed DH
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	355	// parameters.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	356	//
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	357	// Old deployed applications may not be ready to
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	358	// support DH key sizes bigger than 2048 bits. Please
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	359	// DON'T use value other than 1024 and 2048 at present.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	360	// May improve the underlying providers and key size
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	361	// limit in the future when the compatibility and
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	362	// interoperability impact is limited.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	363	keySize = ks <= 1024 ? 1024 : 2048;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	364	} // Otherwise, anonymous cipher suites, 1024-bit is used.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	365	} else if (customizedDHKeySize > 0) { // customized mode
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	366	keySize = customizedDHKeySize;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	367	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	368	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	369
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	370	return new DHEPossession(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	371	keySize, context.sslContext.getSecureRandom());
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	372	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	373	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	374
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	375	private static final
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	376	class DHEKAGenerator implements SSLKeyAgreementGenerator {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	377	static private DHEKAGenerator instance = new DHEKAGenerator();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	378
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	379	// Prevent instantiation of this class.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	380	private DHEKAGenerator() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	381	// blank
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	382	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	383
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	384	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	385	public SSLKeyDerivation createKeyDerivation(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	386	HandshakeContext context) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	387	DHEPossession dhePossession = null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	388	DHECredentials dheCredentials = null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	389	for (SSLPossession poss : context.handshakePossessions) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	390	if (!(poss instanceof DHEPossession)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	391	continue;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	392	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	393
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	394	DHEPossession dhep = (DHEPossession)poss;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	395	for (SSLCredentials cred : context.handshakeCredentials) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	396	if (!(cred instanceof DHECredentials)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	397	continue;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	398	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	399	DHECredentials dhec = (DHECredentials)cred;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	400	if (dhep.namedGroup != null && dhec.namedGroup != null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	401	if (dhep.namedGroup.equals(dhec.namedGroup)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	402	dheCredentials = (DHECredentials)cred;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	403	break;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	404	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	405	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	406	DHParameterSpec pps = dhep.publicKey.getParams();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	407	DHParameterSpec cps = dhec.popPublicKey.getParams();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	408	if (pps.getP().equals(cps.getP()) &&
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	409	pps.getG().equals(cps.getG())) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	410	dheCredentials = (DHECredentials)cred;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	411	break;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	412	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	413	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	414	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	415
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	416	if (dheCredentials != null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	417	dhePossession = (DHEPossession)poss;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	418	break;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	419	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	420	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	421
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	422	if (dhePossession == null \|\| dheCredentials == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	423	context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	424	"No sufficient DHE key agreement parameters negotiated");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	425	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	426
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	427	return new DHEKAKeyDerivation(context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	428	dhePossession.privateKey, dheCredentials.popPublicKey);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	429	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	430
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	431	private static final
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	432	class DHEKAKeyDerivation implements SSLKeyDerivation {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	433	private final HandshakeContext context;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	434	private final PrivateKey localPrivateKey;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	435	private final PublicKey peerPublicKey;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	436
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	437	DHEKAKeyDerivation(HandshakeContext context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	438	PrivateKey localPrivateKey,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	439	PublicKey peerPublicKey) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	440	this.context = context;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	441	this.localPrivateKey = localPrivateKey;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	442	this.peerPublicKey = peerPublicKey;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	443	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	444
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	445	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	446	public SecretKey deriveKey(String algorithm,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	447	AlgorithmParameterSpec params) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	448	if (!context.negotiatedProtocol.useTLS13PlusSpec()) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	449	return t12DeriveKey(algorithm, params);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	450	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	451	return t13DeriveKey(algorithm, params);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	452	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	453	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	454
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	455	private SecretKey t12DeriveKey(String algorithm,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	456	AlgorithmParameterSpec params) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	457	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	458	KeyAgreement ka = JsseJce.getKeyAgreement("DH");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	459	ka.init(localPrivateKey);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	460	ka.doPhase(peerPublicKey, true);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	461	SecretKey preMasterSecret =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	462	ka.generateSecret("TlsPremasterSecret");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	463	SSLMasterKeyDerivation mskd =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	464	SSLMasterKeyDerivation.valueOf(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	465	context.negotiatedProtocol);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	466	SSLKeyDerivation kd = mskd.createKeyDerivation(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	467	context, preMasterSecret);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	468	return kd.deriveKey("TODO", params);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	469	} catch (GeneralSecurityException gse) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	470	throw (SSLHandshakeException) new SSLHandshakeException(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	471	"Could not generate secret").initCause(gse);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	472	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	473	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	474
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	475	private SecretKey t13DeriveKey(String algorithm,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	476	AlgorithmParameterSpec params) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	477	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	478	KeyAgreement ka = JsseJce.getKeyAgreement("DH");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	479	ka.init(localPrivateKey);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	480	ka.doPhase(peerPublicKey, true);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	481	SecretKey sharedSecret =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	482	ka.generateSecret("TlsPremasterSecret");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	483
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	484	HashAlg hashAlg = context.negotiatedCipherSuite.hashAlg;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	485	SSLKeyDerivation kd = context.handshakeKeyDerivation;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	486	HKDF hkdf = new HKDF(hashAlg.name);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	487	if (kd == null) { // No PSK is in use.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	488	// If PSK is not in use Early Secret will still be
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	489	// HKDF-Extract(0, 0).
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	490	byte[] zeros = new byte[hashAlg.hashLength];
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	491	SecretKeySpec ikm =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	492	new SecretKeySpec(zeros, "TlsPreSharedSecret");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	493	SecretKey earlySecret =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	494	hkdf.extract(zeros, ikm, "TlsEarlySecret");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	495	kd = new SSLSecretDerivation(context, earlySecret);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	496	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	497
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	498	// derive salt secret
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	499	SecretKey saltSecret = kd.deriveKey("TlsSaltSecret", null);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	500
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	501	// derive handshake secret
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	502	return hkdf.extract(saltSecret, sharedSecret, algorithm);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	503	} catch (GeneralSecurityException gse) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	504	throw (SSLHandshakeException) new SSLHandshakeException(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	505	"Could not generate secret").initCause(gse);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	506	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	507	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	508	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	509	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	510	}

author	wetmore
	Fri, 11 May 2018 15:53:12 -0700
branch	JDK-8145252-TLS13-branch
changeset 56542	56aaa6cb3693
child 56603	f103e0c2be1e
child 56855	ee6aa4c74a4b
permissions	-rw-r--r--