src/java.base/share/classes/sun/security/ssl/DHKeyExchange.java
author xuelei
Mon, 25 Jun 2018 13:41:39 -0700
changeset 50768 68fa3d4026ea
child 53018 8bf9268df0e2
child 56858 829e9b5ace08
permissions -rw-r--r--
8196584: TLS 1.3 Implementation Reviewed-by: ascarpino, coffeys, dfuchs, jjiang, jnimeh, mullan, rhalade, ssahoo, valeriep, weijun, wetmore, xuelei Contributed-by: Adam Petcher <adam.petcher@oracle.com>, Amanda Jiang <amanda.jiang@oracle.com>, Anthony Scarpino <anthony.scarpino@oracle.com>, Bradford Wetmore <bradford.wetmore@oracle.com>, Jamil Nimeh <jamil.j.nimeh@oracle.com>, John Jiang <sha.jiang@oracle.com>, Rajan Halade <rajan.halade@oracle.com>, Sibabrata Sahoo <sibabrata.sahoo@oracle.com>, Valerie Peng <valerie.peng@oracle.com>, Weijun Wang <weijun.wang@oracle.com>, Xuelei Fan <xuelei.fan@oracle.com>
/*
 * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */
package sun.security.ssl;
import java.io.IOException;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.InvalidKeySpecException;
import javax.crypto.KeyAgreement;
import javax.crypto.SecretKey;
import javax.crypto.interfaces.DHPublicKey;
import javax.crypto.spec.DHParameterSpec;
import javax.crypto.spec.DHPublicKeySpec;
import javax.crypto.spec.SecretKeySpec;
import javax.net.ssl.SSLHandshakeException;
import sun.security.action.GetPropertyAction;
import sun.security.ssl.CipherSuite.HashAlg;
import sun.security.ssl.SupportedGroupsExtension.NamedGroup;
import sun.security.ssl.SupportedGroupsExtension.NamedGroupType;
import sun.security.ssl.SupportedGroupsExtension.SupportedGroups;
import sun.security.ssl.X509Authentication.X509Possession;
import sun.security.util.KeyUtil;
final class DHKeyExchange {
    // Possession generator for ephemeral DHE key pairs of the
    // non-exportable cipher suites.  How the key size is chosen is
    // decided by DHEPossessionGenerator (jdk.tls.ephemeralDHKeySize).
    static final SSLPossessionGenerator poGenerator =
            new DHEPossessionGenerator(false);
    // Same generator, configured for the legacy exportable cipher suites.
    static final SSLPossessionGenerator poExportableGenerator =
            new DHEPossessionGenerator(true);
    // Key-agreement generator for DHE; DHEKAGenerator is defined further
    // down in this file.
    static final SSLKeyAgreementGenerator kaGenerator =
            new DHEKAGenerator();
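    static final class DHECredentials implements SSLCredentials {
        // The peer's ephemeral DH public key: its public value y together
        // with the (p, g) of the named group.
        final DHPublicKey popPublicKey;
        // The FFDHE named group the public key belongs to.
        final NamedGroup namedGroup;

        DHECredentials(DHPublicKey popPublicKey, NamedGroup namedGroup) {
            this.popPublicKey = popPublicKey;
            this.namedGroup = namedGroup;
        }

        // Decode a peer-supplied FFDHE public value into credentials.
        //
        // ng            - the negotiated named group; must be an FFDHE group
        // encodedPublic - the unsigned big-endian encoding of the peer's
        //                 public value y as received on the wire
        // returns       - the credentials, or null when the encoded value is
        //                 empty or the group has no parameter spec
        // throws        - GeneralSecurityException if y is outside the
        //                 valid range or no DH KeyFactory is available;
        //                 IOException stays in the signature for callers
        //                 but nothing in this body throws it
        static DHECredentials valueOf(NamedGroup ng,
            byte[] encodedPublic) throws IOException, GeneralSecurityException {

            if (ng.type != NamedGroupType.NAMED_GROUP_FFDHE) {
                throw new RuntimeException(
                        "Credentials decoding:  Not FFDHE named group");
            }

            if (encodedPublic == null || encodedPublic.length == 0) {
                return null;
            }

            DHParameterSpec params = (DHParameterSpec)ng.getParameterSpec();
            if (params == null) {
                return null;
            }

            // The bytes came from the peer and are untrusted.  The
            // sign-magnitude constructor (signum 1) makes sure a set top
            // bit is not read as a negative number.  Note that the length
            // of the encoding is not compared with the size of p here; only
            // the numeric value is checked below.
            DHPublicKeySpec spec = new DHPublicKeySpec(
                    new BigInteger(1, encodedPublic),
                    params.getP(), params.getG());

            // Reject trivial public values (y <= 1 or y >= p - 1) before a
            // key is built from them.  This is the same check DHEPossession
            // applies to locally generated keys; doing it on the peer's
            // value as well means the shared secret is never derived from
            // a degenerate y regardless of which KeyAgreement provider
            // later handles the key.  Throws InvalidKeyException, which the
            // declared GeneralSecurityException already covers.
            KeyUtil.validate(spec);

            KeyFactory kf = JsseJce.getKeyFactory("DiffieHellman");
            DHPublicKey publicKey =
                    (DHPublicKey)kf.generatePublic(spec);

            return new DHECredentials(publicKey, ng);
        }
    }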
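    static final class DHEPossession implements SSLPossession {
        // Our ephemeral DH key pair for this handshake.
        final PrivateKey privateKey;
        final DHPublicKey publicKey;
        // Named group of the key pair.  NOTE(review): the int-keyLength
        // constructor looks it up with NamedGroup.valueOf(params), which
        // may well return null for parameters matching no named group --
        // confirm against NamedGroup.valueOf before relying on non-null.
        final NamedGroup namedGroup;

        // Generate an ephemeral key pair in the given FFDHE named group.
        //
        // namedGroup - the FFDHE group whose (p, g) to use
        // random     - randomness source for key generation
        // throws     - RuntimeException if the provider cannot produce a
        //              valid key pair (the GeneralSecurityException is kept
        //              as the cause)
        DHEPossession(NamedGroup namedGroup, SecureRandom random) {
            try {
                KeyPairGenerator kpg =
                        JsseJce.getKeyPairGenerator("DiffieHellman");
                DHParameterSpec params =
                        (DHParameterSpec)namedGroup.getParameterSpec();
                kpg.initialize(params, random);
                KeyPair kp = generateDHKeyPair(kpg);
                privateKey = kp.getPrivate();
                publicKey = (DHPublicKey)kp.getPublic();
            } catch (GeneralSecurityException gse) {
                throw new RuntimeException(
                        "Could not generate DH keypair", gse);
            }

            this.namedGroup = namedGroup;
        }

        // Generate an ephemeral key pair with a modulus of the given size.
        // A predefined (p, g) for that size is used when one exists;
        // otherwise the provider is asked to choose parameters of that
        // size itself.
        //
        // keyLength - modulus size in bits
        // random    - randomness source for key generation
        // throws    - RuntimeException if the provider cannot produce a
        //             valid key pair
        DHEPossession(int keyLength, SecureRandom random) {
            DHParameterSpec params =
                    PredefinedDHParameterSpecs.definedParams.get(keyLength);
            try {
                KeyPairGenerator kpg =
                    JsseJce.getKeyPairGenerator("DiffieHellman");
                if (params != null) {
                    kpg.initialize(params, random);
                } else {
                    kpg.initialize(keyLength, random);
                }

                KeyPair kp = generateDHKeyPair(kpg);
                privateKey = kp.getPrivate();
                publicKey = (DHPublicKey)kp.getPublic();
            } catch (GeneralSecurityException gse) {
                throw new RuntimeException(
                        "Could not generate DH keypair", gse);
            }

            this.namedGroup = NamedGroup.valueOf(publicKey.getParams());
        }

        // Generate an ephemeral key pair over the same (p, g) as the peer's
        // public key, so both sides work in one group.  The peer's public
        // value itself is not used here.
        //
        // credentials - the peer's decoded DHE credentials
        // random      - randomness source for key generation
        // throws      - RuntimeException if the provider cannot produce a
        //               valid key pair
        DHEPossession(DHECredentials credentials, SecureRandom random) {
            try {
                KeyPairGenerator kpg =
                        JsseJce.getKeyPairGenerator("DiffieHellman");
                kpg.initialize(credentials.popPublicKey.getParams(), random);
                KeyPair kp = generateDHKeyPair(kpg);
                privateKey = kp.getPrivate();
                publicKey = (DHPublicKey)kp.getPublic();
            } catch (GeneralSecurityException gse) {
                throw new RuntimeException(
                        "Could not generate DH keypair", gse);
            }

            this.namedGroup = credentials.namedGroup;
        }

        // Generate a key pair and -- unless the provider is one of Oracle's
        // JCE providers -- check that its public value lies in the valid
        // range (KeyUtil.validate).  One retry is allowed: the first
        // invalid pair is discarded and a fresh one generated; a second
        // invalid pair propagates its InvalidKeyException (with the first
        // one attached as suppressed).  NOTE(review): the Oracle providers
        // are exempted presumably because they validate their own output;
        // that cannot be confirmed from this file.
        //
        // kpg     - an initialized DH key pair generator
        // returns - a freshly generated key pair, never null
        // throws  - InvalidKeyException if two consecutive pairs fail the
        //           range check (the only checked exception this body
        //           raises; the wider GeneralSecurityException in the
        //           signature is kept for the callers' catch blocks)
        private KeyPair generateDHKeyPair(
                KeyPairGenerator kpg) throws GeneralSecurityException {
            boolean doExtraValidation =
                    !KeyUtil.isOracleJCEProvider(kpg.getProvider().getName());

            KeyPair kp = kpg.generateKeyPair();
            if (!doExtraValidation) {
                return kp;
            }

            try {
                KeyUtil.validate(getDHPublicKeySpec(kp.getPublic()));
                return kp;
            } catch (InvalidKeyException first) {
                // Try to recover from the failure with one more attempt.
                kp = kpg.generateKeyPair();
                try {
                    KeyUtil.validate(getDHPublicKeySpec(kp.getPublic()));
                } catch (InvalidKeyException second) {
                    second.addSuppressed(first);
                    throw second;
                }
                return kp;
            }
        }

        // Extract (y, p, g) from a DH public key.  A DHPublicKey is read
        // directly; any other PublicKey is translated through the
        // DiffieHellman KeyFactory.
        //
        // key     - the public half of a freshly generated pair
        // returns - the corresponding DHPublicKeySpec
        // throws  - RuntimeException if the key cannot be translated
        private static DHPublicKeySpec getDHPublicKeySpec(PublicKey key) {
            if (key instanceof DHPublicKey) {
                DHPublicKey dhKey = (DHPublicKey)key;
                DHParameterSpec params = dhKey.getParams();
                return new DHPublicKeySpec(dhKey.getY(),
                                        params.getP(), params.getG());
            }
            try {
                KeyFactory factory = JsseJce.getKeyFactory("DiffieHellman");
                return factory.getKeySpec(key, DHPublicKeySpec.class);
            } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
                // unlikely
                throw new RuntimeException("Unable to get DHPublicKeySpec", e);
            }
        }

        // Encode the public value y for the wire as an unsigned big-endian
        // integer, left-padded with zeros to the byte length of p -- the
        // fixed-width form the FFDHE key share uses.
        //
        // returns - the encoded public value; when the modulus size cannot
        //           be obtained from the key, the raw BigInteger encoding
        //           is returned unpadded
        @Override
        public byte[] encode() {
            byte[] encoded = publicKey.getY().toByteArray();

            // KeyUtil.getKeySize() reports the modulus size in bits, as the
            // Java key-size APIs do; the padding target must be bytes
            // (rounded up), otherwise a 2048-bit group would be padded out
            // to 2048 bytes.
            int pSize = (KeyUtil.getKeySize(publicKey) + 7) >>> 3;
            if (pSize <= 0) {
                return encoded;
            }

            // BigInteger.toByteArray() is two's complement: a positive y
            // whose top bit is set carries an extra leading 0x00 byte,
            // which has no place in an unsigned fixed-width encoding.
            int offset = (encoded.length > 1 && encoded[0] == 0) ? 1 : 0;
            int length = encoded.length - offset;
            if (length > pSize) {
                // y wider than p cannot happen for a valid key; return the
                // encoding untouched rather than truncate it.
                return encoded;
            }

            byte[] buffer = new byte[pSize];
            System.arraycopy(encoded, offset, buffer, pSize - length, length);
            return buffer;
        }
    }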
    private static final class
            DHEPossessionGenerator implements SSLPossessionGenerator {
        // Flag to use a "smart" ephemeral DH key whose size matches the
        // size of the corresponding authentication key
        private static final boolean useSmartEphemeralDHKeys;
        // Flag to use the legacy ephemeral DH key sizes: 512 bits for
        // exportable cipher suites and 768 bits for all others.  Both are
        // far below current minimum recommendations (2048 bits), so the
        // "legacy" setting should only be chosen for interoperability with
        // peers that cannot handle larger groups.
        private static final boolean useLegacyEphemeralDHKeys;
        // The customized ephemeral DH key size for non-exportable
        // cipher suites.
        private static final int customizedDHKeySize;
        // Is it for exportable cipher suite?
        private final boolean exportable;
        static {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   254
            String property = GetPropertyAction.privilegedGetProperty(
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   255
                    "jdk.tls.ephemeralDHKeySize");
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   256
            if (property == null || property.length() == 0) {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   257
                useLegacyEphemeralDHKeys = false;
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   258
                useSmartEphemeralDHKeys = false;
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   259
                customizedDHKeySize = -1;
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   260
            } else if ("matched".equals(property)) {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   261
                useLegacyEphemeralDHKeys = false;
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   262
                useSmartEphemeralDHKeys = true;
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   263
                customizedDHKeySize = -1;
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   264
            } else if ("legacy".equals(property)) {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   265
                useLegacyEphemeralDHKeys = true;
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   266
                useSmartEphemeralDHKeys = false;
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   267
                customizedDHKeySize = -1;
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   268
            } else {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   269
                useLegacyEphemeralDHKeys = false;
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   270
                useSmartEphemeralDHKeys = false;
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   271
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   272
                try {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   273
                    // DH parameter generation can be extremely slow, best to
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   274
                    // use one of the supported pre-computed DH parameters
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   275
                    // (see DHCrypt class).
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   276
                    customizedDHKeySize = Integer.parseUnsignedInt(property);
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   277
                    if (customizedDHKeySize < 1024 ||
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   278
                            customizedDHKeySize > 8192 ||
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   279
                            (customizedDHKeySize & 0x3f) != 0) {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   280
                        throw new IllegalArgumentException(
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   281
                            "Unsupported customized DH key size: " +
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   282
                            customizedDHKeySize + ". " +
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   283
                            "The key size must be multiple of 64, " +
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   284
                            "and range from 1024 to 8192 (inclusive)");
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   285
                    }
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   286
                } catch (NumberFormatException nfe) {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   287
                    throw new IllegalArgumentException(
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   288
                        "Invalid system property jdk.tls.ephemeralDHKeySize");
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   289
                }
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   290
            }
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   291
        }
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   292
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   293
        // Prevent instantiation of this class.
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   294
        private DHEPossessionGenerator(boolean exportable) {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   295
            this.exportable = exportable;
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   296
        }
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   297
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   298
        // Used for ServerKeyExchange, TLS 1.2 and prior versions.
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   299
        @Override
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   300
        public SSLPossession createPossession(HandshakeContext context) {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   301
            NamedGroup preferableNamedGroup = null;
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   302
            if (!useLegacyEphemeralDHKeys &&
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   303
                    (context.clientRequestedNamedGroups != null) &&
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   304
                    (!context.clientRequestedNamedGroups.isEmpty())) {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   305
                preferableNamedGroup =
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   306
                        SupportedGroups.getPreferredGroup(
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   307
                                context.negotiatedProtocol,
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   308
                                context.algorithmConstraints,
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   309
                                NamedGroupType.NAMED_GROUP_FFDHE,
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   310
                                context.clientRequestedNamedGroups);
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   311
                if (preferableNamedGroup != null) {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   312
                    return new DHEPossession(preferableNamedGroup,
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   313
                                context.sslContext.getSecureRandom());
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   314
                }
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   315
            }
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   316
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   317
            /*
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   318
             * 768 bits ephemeral DH private keys were used to be used in
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   319
             * ServerKeyExchange except that exportable ciphers max out at 512
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   320
             * bits modulus values. We still adhere to this behavior in legacy
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   321
             * mode (system property "jdk.tls.ephemeralDHKeySize" is defined
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   322
             * as "legacy").
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   323
             *
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   324
             * Old JDK (JDK 7 and previous) releases don't support DH keys
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   325
             * bigger than 1024 bits. We have to consider the compatibility
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   326
             * requirement. 1024 bits DH key is always used for non-exportable
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   327
             * cipher suites in default mode (system property
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   328
             * "jdk.tls.ephemeralDHKeySize" is not defined).
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   329
             *
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   330
             * However, if applications want more stronger strength, setting
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   331
             * system property "jdk.tls.ephemeralDHKeySize" to "matched"
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   332
             * is a workaround to use ephemeral DH key which size matches the
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   333
             * corresponding authentication key. For example, if the public key
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   334
             * size of an authentication certificate is 2048 bits, then the
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   335
             * ephemeral DH key size should be 2048 bits accordingly unless
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   336
             * the cipher suite is exportable.  This key sizing scheme keeps
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   337
             * the cryptographic strength consistent between authentication
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   338
             * keys and key-exchange keys.
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   339
             *
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   340
             * Applications may also want to customize the ephemeral DH key
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   341
             * size to a fixed length for non-exportable cipher suites. This
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   342
             * can be approached by setting system property
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   343
             * "jdk.tls.ephemeralDHKeySize" to a valid positive integer between
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   344
             * 1024 and 8192 bits, inclusive.
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   345
             *
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   346
             * Note that the minimum acceptable key size is 1024 bits except
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   347
             * exportable cipher suites or legacy mode.
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   348
             *
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   349
             * Note that per RFC 2246, the key size limit of DH is 512 bits for
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   350
             * exportable cipher suites.  Because of the weakness, exportable
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   351
             * cipher suites are deprecated since TLS v1.1 and they are not
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   352
             * enabled by default in Oracle provider. The legacy behavior is
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   353
             * reserved and 512 bits DH key is always used for exportable
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   354
             * cipher suites.
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   355
             */
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   356
            int keySize = exportable ? 512 : 1024;           // default mode
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   357
            if (!exportable) {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   358
                if (useLegacyEphemeralDHKeys) {          // legacy mode
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   359
                    keySize = 768;
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   360
                } else if (useSmartEphemeralDHKeys) {    // matched mode
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   361
                    PrivateKey key = null;
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   362
                    ServerHandshakeContext shc =
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   363
                            (ServerHandshakeContext)context;
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   364
                    if (shc.interimAuthn instanceof X509Possession) {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   365
                        key = ((X509Possession)shc.interimAuthn).popPrivateKey;
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   366
                    }
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   367
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   368
                    if (key != null) {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   369
                        int ks = KeyUtil.getKeySize(key);
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   370
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   371
                        // DH parameter generation can be extremely slow, make
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   372
                        // sure to use one of the supported pre-computed DH
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   373
                        // parameters.
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   374
                        //
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   375
                        // Old deployed applications may not be ready to
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   376
                        // support DH key sizes bigger than 2048 bits.  Please
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   377
                        // DON'T use value other than 1024 and 2048 at present.
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   378
                        // May improve the underlying providers and key size
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   379
                        // limit in the future when the compatibility and
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   380
                        // interoperability impact is limited.
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   381
                        keySize = ks <= 1024 ? 1024 : 2048;
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   382
                    } // Otherwise, anonymous cipher suites, 1024-bit is used.
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   383
                } else if (customizedDHKeySize > 0) {    // customized mode
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   384
                    keySize = customizedDHKeySize;
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   385
                }
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   386
            }
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   387
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   388
            return new DHEPossession(
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   389
                    keySize, context.sslContext.getSecureRandom());
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   390
        }
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   391
    }
    private static final
            class DHEKAGenerator implements SSLKeyAgreementGenerator {
        static private DHEKAGenerator instance = new DHEKAGenerator();
        // Prevent instantiation of this class.
        /** Not instantiable from outside; callers use the shared instance. */
        private DHEKAGenerator() {
            // intentionally empty
        }
        /**
         * Pairs a local DHE possession with a peer DHE credential that uses
         * the same group and returns the key derivation for that pair.
         *
         * Matching is by named group when both sides carry one, otherwise by
         * comparing the DH parameters (p, g) of the two public keys.  The
         * first matching pair, in possession order, wins.
         *
         * @param context the handshake context holding possessions and
         *        credentials
         * @return the DHE key derivation for the matched pair
         * @throws IOException via the fatal alert when no pair matches
         */
        @Override
        public SSLKeyDerivation createKeyDerivation(
                HandshakeContext context) throws IOException {
            DHEPossession dhePossession = null;
            DHECredentials dheCredentials = null;
            for (SSLPossession poss : context.handshakePossessions) {
                if (!(poss instanceof DHEPossession)) {
                    continue;
                }

                DHECredentials match =
                        matchingCredentials((DHEPossession)poss, context);
                if (match != null) {
                    dhePossession = (DHEPossession)poss;
                    dheCredentials = match;
                    break;
                }
            }

            if (dhePossession == null || dheCredentials == null) {
                // fatal() is relied upon to abort the handshake by throwing;
                // the dereference below is only reached with a matched pair.
                context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                    "No sufficient DHE key agreement parameters negotiated");
            }

            return new DHEKAKeyDerivation(context,
                    dhePossession.privateKey, dheCredentials.popPublicKey);
        }

        /**
         * Returns the first DHE credential in the context that shares a
         * group with the given possession, or null if there is none.
         */
        private static DHECredentials matchingCredentials(
                DHEPossession dhep, HandshakeContext context) {
            for (SSLCredentials cred : context.handshakeCredentials) {
                if (cred instanceof DHECredentials &&
                        sameGroup(dhep, (DHECredentials)cred)) {
                    return (DHECredentials)cred;
                }
            }
            return null;
        }

        /**
         * Whether possession and credential use the same DH group: equal
         * named groups when both are known, else equal (p, g) parameters.
         */
        private static boolean sameGroup(
                DHEPossession dhep, DHECredentials dhec) {
            if (dhep.namedGroup != null && dhec.namedGroup != null) {
                return dhep.namedGroup.equals(dhec.namedGroup);
            }

            DHParameterSpec pps = dhep.publicKey.getParams();
            DHParameterSpec cps = dhec.popPublicKey.getParams();
            return pps.getP().equals(cps.getP()) &&
                    pps.getG().equals(cps.getG());
        }
        private static final
                class DHEKAKeyDerivation implements SSLKeyDerivation {
            private final HandshakeContext context;
            private final PrivateKey localPrivateKey;
            private final PublicKey peerPublicKey;
            /**
             * Binds the local DHE private key and the peer's DHE public key
             * to the handshake they were negotiated in.
             *
             * @param context         the handshake context
             * @param localPrivateKey our ephemeral DH private key
             * @param peerPublicKey   the peer's DH public key
             */
            DHEKAKeyDerivation(HandshakeContext context,
                    PrivateKey localPrivateKey,
                    PublicKey peerPublicKey) {
                this.peerPublicKey = peerPublicKey;
                this.localPrivateKey = localPrivateKey;
                this.context = context;
            }
            /**
             * Derives the requested key, dispatching on the negotiated
             * protocol: TLS 1.3 and later use {@code t13DeriveKey}, earlier
             * versions {@code t12DeriveKey}.
             *
             * @param algorithm the name of the key to derive
             * @param params    derivation parameters, passed through
             * @return the derived secret
             * @throws IOException if the derivation fails
             */
            @Override
            public SecretKey deriveKey(String algorithm,
                    AlgorithmParameterSpec params) throws IOException {
                if (context.negotiatedProtocol.useTLS13PlusSpec()) {
                    return t13DeriveKey(algorithm, params);
                }
                return t12DeriveKey(algorithm, params);
            }
            private SecretKey t12DeriveKey(String algorithm,
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   474
                    AlgorithmParameterSpec params) throws IOException {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   475
                try {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   476
                    KeyAgreement ka = JsseJce.getKeyAgreement("DiffieHellman");
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   477
                    ka.init(localPrivateKey);
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   478
                    ka.doPhase(peerPublicKey, true);
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   479
                    SecretKey preMasterSecret =
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   480
                            ka.generateSecret("TlsPremasterSecret");
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   481
                    SSLMasterKeyDerivation mskd =
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   482
                            SSLMasterKeyDerivation.valueOf(
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   483
                                    context.negotiatedProtocol);
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   484
                    if (mskd == null) {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   485
                        // unlikely
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   486
                        throw new SSLHandshakeException(
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   487
                            "No expected master key derivation for protocol: " +
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   488
                            context.negotiatedProtocol.name);
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   489
                    }
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   490
                    SSLKeyDerivation kd = mskd.createKeyDerivation(
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   491
                            context, preMasterSecret);
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   492
                    return kd.deriveKey("MasterSecret", params);
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   493
                } catch (GeneralSecurityException gse) {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   494
                    throw (SSLHandshakeException) new SSLHandshakeException(
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   495
                        "Could not generate secret").initCause(gse);
                }
            }
            /**
             * Derives a TLS 1.3 secret from the (FF)DHE shared secret.
             *
             * The shared secret computed from {@code localPrivateKey} and
             * {@code peerPublicKey} is the IKM of an HKDF-Extract whose salt
             * is derived ("TlsSaltSecret") from the early-secret derivation
             * in {@code context.handshakeKeyDerivation}; presumably this is
             * the RFC 8446 section 7.1 "derived" secret. When no PSK is in
             * use (that derivation is null) the early secret is first built
             * as HKDF-Extract(0, 0) with Hash.length zero bytes on both sides.
             *
             * @param algorithm the algorithm name given to the extracted key
             * @param params    not used by this method
             * @return the extracted secret (e.g. the handshake secret)
             * @throws IOException as an SSLHandshakeException when key
             *         agreement or HKDF fails; the GeneralSecurityException
             *         is attached as the cause
             */
            private SecretKey t13DeriveKey(String algorithm,
                    AlgorithmParameterSpec params) throws IOException {
                try {
                    // Step 1: the raw DHE shared secret.
                    //
                    // NOTE(review): RFC 8446 section 7.4.1 requires the FFDHE
                    // shared secret to be left-padded with zeros to the byte
                    // length of the prime. No padding is done here, so this
                    // relies on the provider's "TlsPremasterSecret" output
                    // keeping leading zero bytes -- confirm, otherwise a
                    // small fraction of handshakes derive a mismatched key
                    // schedule. Peer public-key range validation is likewise
                    // assumed to happen before this point or inside doPhase
                    // -- confirm.
                    KeyAgreement agreement =
                            JsseJce.getKeyAgreement("DiffieHellman");
                    agreement.init(localPrivateKey);
                    agreement.doPhase(peerPublicKey, true);
                    SecretKey dheSecret =
                            agreement.generateSecret("TlsPremasterSecret");

                    // Step 2: the salt, derived from the early secret using
                    // the negotiated cipher suite's hash.
                    HashAlg suiteHash = context.negotiatedCipherSuite.hashAlg;
                    SSLKeyDerivation earlyDerivation =
                            context.handshakeKeyDerivation;
                    HKDF hkdf = new HKDF(suiteHash.name);
                    if (earlyDerivation == null) {
                        // No PSK negotiated: start the key schedule from the
                        // all-zero early secret.
                        earlyDerivation =
                                t13ZeroEarlyDerivation(hkdf, suiteHash);
                    }
                    SecretKey salt =
                            earlyDerivation.deriveKey("TlsSaltSecret", null);

                    // Step 3: HKDF-Extract(salt, DHE shared secret).
                    return hkdf.extract(salt, dheSecret, algorithm);
                } catch (GeneralSecurityException gse) {
                    // Cast-and-initCause keeps the original failure as the
                    // cause of the handshake exception.
                    throw (SSLHandshakeException) new SSLHandshakeException(
                        "Could not generate secret").initCause(gse);
                }
            }

            /**
             * Builds the early-secret derivation used when no PSK is in use:
             * Early Secret = HKDF-Extract(salt = 0, IKM = 0), where 0 is a
             * string of {@code hashAlg.hashLength} zero bytes.
             *
             * @param hkdf    the HKDF instance for the negotiated hash
             * @param hashAlg the negotiated hash algorithm
             * @return a derivation seeded with the zero-PSK early secret
             * @throws GeneralSecurityException if HKDF-Extract fails
             */
            private SSLKeyDerivation t13ZeroEarlyDerivation(HKDF hkdf,
                    HashAlg hashAlg) throws GeneralSecurityException {
                byte[] zeros = new byte[hashAlg.hashLength];
                SecretKeySpec zeroIkm =
                        new SecretKeySpec(zeros, "TlsPreSharedSecret");
                SecretKey earlySecret =
                        hkdf.extract(zeros, zeroIkm, "TlsEarlySecret");
                return new SSLSecretDerivation(context, earlySecret);
            }
        }
    }
}