jdk-sandbox: src/java.base/share/classes/sun/security/ssl/DHKeyExchange.java@9c3209ff7550 (annotated)

50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1	/*
53359 cb4212fda8e4 8216045: The size of key_exchange may be wrong on FFDHE xuelei parents: 53064 diff changeset	2	* Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	3	* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	4	*
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	5	* This code is free software; you can redistribute it and/or modify it
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	6	* under the terms of the GNU General Public License version 2 only, as
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	7	* published by the Free Software Foundation. Oracle designates this
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	8	* particular file as subject to the "Classpath" exception as provided
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	9	* by Oracle in the LICENSE file that accompanied this code.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	10	*
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	11	* This code is distributed in the hope that it will be useful, but WITHOUT
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	12	* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	13	* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	14	* version 2 for more details (a copy is included in the LICENSE file that
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	15	* accompanied this code).
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	16	*
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	17	* You should have received a copy of the GNU General Public License version
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	18	* 2 along with this work; if not, write to the Free Software Foundation,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	19	* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	20	*
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	21	* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	22	* or visit www.oracle.com if you need additional information or have any
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	23	* questions.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	24	*/
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	25
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	26	package sun.security.ssl;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	27
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	28	import java.io.IOException;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	29	import java.math.BigInteger;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	30	import java.security.GeneralSecurityException;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	31	import java.security.InvalidKeyException;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	32	import java.security.KeyFactory;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	33	import java.security.KeyPair;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	34	import java.security.KeyPairGenerator;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	35	import java.security.NoSuchAlgorithmException;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	36	import java.security.PrivateKey;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	37	import java.security.PublicKey;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	38	import java.security.SecureRandom;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	39	import java.security.spec.InvalidKeySpecException;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	40	import javax.crypto.interfaces.DHPublicKey;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	41	import javax.crypto.spec.DHParameterSpec;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	42	import javax.crypto.spec.DHPublicKeySpec;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	43	import sun.security.action.GetPropertyAction;
57718 a93b7b28f644 8226374: Restrict TLS signature schemes and named groups xuelei parents: 55353 diff changeset	44	import sun.security.ssl.NamedGroup.NamedGroupSpec;
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	45	import sun.security.ssl.SupportedGroupsExtension.SupportedGroups;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	46	import sun.security.ssl.X509Authentication.X509Possession;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	47	import sun.security.util.KeyUtil;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	48
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	49	final class DHKeyExchange {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	50	static final SSLPossessionGenerator poGenerator =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	51	new DHEPossessionGenerator(false);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	52	static final SSLPossessionGenerator poExportableGenerator =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	53	new DHEPossessionGenerator(true);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	54	static final SSLKeyAgreementGenerator kaGenerator =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	55	new DHEKAGenerator();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	56
55353 946f7f2d321c 8171279: Support X25519 and X448 in TLS wetmore parents: 53734 diff changeset	57	static final class DHECredentials implements NamedGroupCredentials {
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	58	final DHPublicKey popPublicKey;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	59	final NamedGroup namedGroup;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	60
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	61	DHECredentials(DHPublicKey popPublicKey, NamedGroup namedGroup) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	62	this.popPublicKey = popPublicKey;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	63	this.namedGroup = namedGroup;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	64	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	65
55353 946f7f2d321c 8171279: Support X25519 and X448 in TLS wetmore parents: 53734 diff changeset	66	@Override
946f7f2d321c 8171279: Support X25519 and X448 in TLS wetmore parents: 53734 diff changeset	67	public PublicKey getPublicKey() {
946f7f2d321c 8171279: Support X25519 and X448 in TLS wetmore parents: 53734 diff changeset	68	return popPublicKey;
946f7f2d321c 8171279: Support X25519 and X448 in TLS wetmore parents: 53734 diff changeset	69	}
946f7f2d321c 8171279: Support X25519 and X448 in TLS wetmore parents: 53734 diff changeset	70
946f7f2d321c 8171279: Support X25519 and X448 in TLS wetmore parents: 53734 diff changeset	71	@Override
946f7f2d321c 8171279: Support X25519 and X448 in TLS wetmore parents: 53734 diff changeset	72	public NamedGroup getNamedGroup() {
946f7f2d321c 8171279: Support X25519 and X448 in TLS wetmore parents: 53734 diff changeset	73	return namedGroup;
946f7f2d321c 8171279: Support X25519 and X448 in TLS wetmore parents: 53734 diff changeset	74	}
946f7f2d321c 8171279: Support X25519 and X448 in TLS wetmore parents: 53734 diff changeset	75
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	76	static DHECredentials valueOf(NamedGroup ng,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	77	byte[] encodedPublic) throws IOException, GeneralSecurityException {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	78
57718 a93b7b28f644 8226374: Restrict TLS signature schemes and named groups xuelei parents: 55353 diff changeset	79	if (ng.spec != NamedGroupSpec.NAMED_GROUP_FFDHE) {
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	80	throw new RuntimeException(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	81	"Credentials decoding: Not FFDHE named group");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	82	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	83
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	84	if (encodedPublic == null \|\| encodedPublic.length == 0) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	85	return null;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	86	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	87
57718 a93b7b28f644 8226374: Restrict TLS signature schemes and named groups xuelei parents: 55353 diff changeset	88	DHParameterSpec params = (DHParameterSpec)ng.keAlgParamSpec;
53734 cb1642ccc732 8217835: Remove the experimental SunJSSE FIPS compliant mode xuelei parents: 53359 diff changeset	89	KeyFactory kf = KeyFactory.getInstance("DiffieHellman");
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	90	DHPublicKeySpec spec = new DHPublicKeySpec(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	91	new BigInteger(1, encodedPublic),
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	92	params.getP(), params.getG());
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	93	DHPublicKey publicKey =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	94	(DHPublicKey)kf.generatePublic(spec);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	95
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	96	return new DHECredentials(publicKey, ng);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	97	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	98	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	99
55353 946f7f2d321c 8171279: Support X25519 and X448 in TLS wetmore parents: 53734 diff changeset	100	static final class DHEPossession implements NamedGroupPossession {
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	101	final PrivateKey privateKey;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	102	final DHPublicKey publicKey;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	103	final NamedGroup namedGroup;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	104
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	105	DHEPossession(NamedGroup namedGroup, SecureRandom random) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	106	try {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	107	KeyPairGenerator kpg =
53734 cb1642ccc732 8217835: Remove the experimental SunJSSE FIPS compliant mode xuelei parents: 53359 diff changeset	108	KeyPairGenerator.getInstance("DiffieHellman");
57718 a93b7b28f644 8226374: Restrict TLS signature schemes and named groups xuelei parents: 55353 diff changeset	109	kpg.initialize(namedGroup.keAlgParamSpec, random);
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	110	KeyPair kp = generateDHKeyPair(kpg);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	111	if (kp == null) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	112	throw new RuntimeException("Could not generate DH keypair");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	113	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	114	privateKey = kp.getPrivate();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	115	publicKey = (DHPublicKey)kp.getPublic();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	116	} catch (GeneralSecurityException gse) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	117	throw new RuntimeException(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	118	"Could not generate DH keypair", gse);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	119	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	120
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	121	this.namedGroup = namedGroup;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	122	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	123
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	124	DHEPossession(int keyLength, SecureRandom random) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	125	DHParameterSpec params =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	126	PredefinedDHParameterSpecs.definedParams.get(keyLength);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	127	try {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	128	KeyPairGenerator kpg =
53734 cb1642ccc732 8217835: Remove the experimental SunJSSE FIPS compliant mode xuelei parents: 53359 diff changeset	129	KeyPairGenerator.getInstance("DiffieHellman");
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	130	if (params != null) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	131	kpg.initialize(params, random);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	132	} else {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	133	kpg.initialize(keyLength, random);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	134	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	135
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	136	KeyPair kp = generateDHKeyPair(kpg);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	137	if (kp == null) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	138	throw new RuntimeException(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	139	"Could not generate DH keypair of " +
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	140	keyLength + " bits");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	141	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	142	privateKey = kp.getPrivate();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	143	publicKey = (DHPublicKey)kp.getPublic();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	144	} catch (GeneralSecurityException gse) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	145	throw new RuntimeException(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	146	"Could not generate DH keypair", gse);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	147	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	148
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	149	this.namedGroup = NamedGroup.valueOf(publicKey.getParams());
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	150	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	151
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	152	DHEPossession(DHECredentials credentials, SecureRandom random) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	153	try {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	154	KeyPairGenerator kpg =
53734 cb1642ccc732 8217835: Remove the experimental SunJSSE FIPS compliant mode xuelei parents: 53359 diff changeset	155	KeyPairGenerator.getInstance("DiffieHellman");
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	156	kpg.initialize(credentials.popPublicKey.getParams(), random);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	157	KeyPair kp = generateDHKeyPair(kpg);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	158	if (kp == null) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	159	throw new RuntimeException("Could not generate DH keypair");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	160	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	161	privateKey = kp.getPrivate();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	162	publicKey = (DHPublicKey)kp.getPublic();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	163	} catch (GeneralSecurityException gse) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	164	throw new RuntimeException(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	165	"Could not generate DH keypair", gse);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	166	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	167
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	168	this.namedGroup = credentials.namedGroup;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	169	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	170
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	171	// Generate and validate DHPublicKeySpec
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	172	private KeyPair generateDHKeyPair(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	173	KeyPairGenerator kpg) throws GeneralSecurityException {
55353 946f7f2d321c 8171279: Support X25519 and X448 in TLS wetmore parents: 53734 diff changeset	174	boolean doExtraValidation =
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	175	(!KeyUtil.isOracleJCEProvider(kpg.getProvider().getName()));
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	176	boolean isRecovering = false;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	177	for (int i = 0; i <= 2; i++) { // Try to recover from failure.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	178	KeyPair kp = kpg.generateKeyPair();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	179	// validate the Diffie-Hellman public key
55353 946f7f2d321c 8171279: Support X25519 and X448 in TLS wetmore parents: 53734 diff changeset	180	if (doExtraValidation) {
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	181	DHPublicKeySpec spec = getDHPublicKeySpec(kp.getPublic());
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	182	try {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	183	KeyUtil.validate(spec);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	184	} catch (InvalidKeyException ivke) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	185	if (isRecovering) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	186	throw ivke;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	187	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	188	// otherwise, ignore the exception and try again
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	189	isRecovering = true;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	190	continue;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	191	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	192	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	193
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	194	return kp;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	195	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	196
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	197	return null;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	198	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	199
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	200	private static DHPublicKeySpec getDHPublicKeySpec(PublicKey key) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	201	if (key instanceof DHPublicKey) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	202	DHPublicKey dhKey = (DHPublicKey)key;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	203	DHParameterSpec params = dhKey.getParams();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	204	return new DHPublicKeySpec(dhKey.getY(),
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	205	params.getP(), params.getG());
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	206	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	207	try {
53734 cb1642ccc732 8217835: Remove the experimental SunJSSE FIPS compliant mode xuelei parents: 53359 diff changeset	208	KeyFactory factory = KeyFactory.getInstance("DiffieHellman");
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	209	return factory.getKeySpec(key, DHPublicKeySpec.class);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	210	} catch (NoSuchAlgorithmException \| InvalidKeySpecException e) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	211	// unlikely
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	212	throw new RuntimeException("Unable to get DHPublicKeySpec", e);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	213	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	214	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	215
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	216	@Override
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	217	public byte[] encode() {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	218	// Note: the DH public value is encoded as a big-endian integer
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	219	// and padded to the left with zeros to the size of p in bytes.
53359 cb4212fda8e4 8216045: The size of key_exchange may be wrong on FFDHE xuelei parents: 53064 diff changeset	220	byte[] encoded = Utilities.toByteArray(publicKey.getY());
cb4212fda8e4 8216045: The size of key_exchange may be wrong on FFDHE xuelei parents: 53064 diff changeset	221	int pSize = (KeyUtil.getKeySize(publicKey) + 7) >>> 3;
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	222	if (pSize > 0 && encoded.length < pSize) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	223	byte[] buffer = new byte[pSize];
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	224	System.arraycopy(encoded, 0,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	225	buffer, pSize - encoded.length, encoded.length);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	226	encoded = buffer;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	227	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	228
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	229	return encoded;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	230	}
55353 946f7f2d321c 8171279: Support X25519 and X448 in TLS wetmore parents: 53734 diff changeset	231
946f7f2d321c 8171279: Support X25519 and X448 in TLS wetmore parents: 53734 diff changeset	232	@Override
946f7f2d321c 8171279: Support X25519 and X448 in TLS wetmore parents: 53734 diff changeset	233	public PublicKey getPublicKey() {
946f7f2d321c 8171279: Support X25519 and X448 in TLS wetmore parents: 53734 diff changeset	234	return publicKey;
946f7f2d321c 8171279: Support X25519 and X448 in TLS wetmore parents: 53734 diff changeset	235	}
946f7f2d321c 8171279: Support X25519 and X448 in TLS wetmore parents: 53734 diff changeset	236
946f7f2d321c 8171279: Support X25519 and X448 in TLS wetmore parents: 53734 diff changeset	237	@Override
946f7f2d321c 8171279: Support X25519 and X448 in TLS wetmore parents: 53734 diff changeset	238	public NamedGroup getNamedGroup() {
946f7f2d321c 8171279: Support X25519 and X448 in TLS wetmore parents: 53734 diff changeset	239	return namedGroup;
946f7f2d321c 8171279: Support X25519 and X448 in TLS wetmore parents: 53734 diff changeset	240	}
946f7f2d321c 8171279: Support X25519 and X448 in TLS wetmore parents: 53734 diff changeset	241
946f7f2d321c 8171279: Support X25519 and X448 in TLS wetmore parents: 53734 diff changeset	242	@Override
946f7f2d321c 8171279: Support X25519 and X448 in TLS wetmore parents: 53734 diff changeset	243	public PrivateKey getPrivateKey() {
946f7f2d321c 8171279: Support X25519 and X448 in TLS wetmore parents: 53734 diff changeset	244	return privateKey;
946f7f2d321c 8171279: Support X25519 and X448 in TLS wetmore parents: 53734 diff changeset	245	}
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	246	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	247
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	248	private static final class
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	249	DHEPossessionGenerator implements SSLPossessionGenerator {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	250	// Flag to use smart ephemeral DH key which size matches the
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	251	// corresponding authentication key
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	252	private static final boolean useSmartEphemeralDHKeys;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	253
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	254	// Flag to use legacy ephemeral DH key which size is 512 bits for
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	255	// exportable cipher suites, and 768 bits for others
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	256	private static final boolean useLegacyEphemeralDHKeys;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	257
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	258	// The customized ephemeral DH key size for non-exportable
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	259	// cipher suites.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	260	private static final int customizedDHKeySize;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	261
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	262	// Is it for exportable cipher suite?
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	263	private final boolean exportable;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	264
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	265	static {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	266	String property = GetPropertyAction.privilegedGetProperty(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	267	"jdk.tls.ephemeralDHKeySize");
53018 8bf9268df0e2 8215281: Use String.isEmpty() when applicable in java.base redestad parents: 50768 diff changeset	268	if (property == null \|\| property.isEmpty()) {
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	269	useLegacyEphemeralDHKeys = false;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	270	useSmartEphemeralDHKeys = false;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	271	customizedDHKeySize = -1;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	272	} else if ("matched".equals(property)) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	273	useLegacyEphemeralDHKeys = false;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	274	useSmartEphemeralDHKeys = true;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	275	customizedDHKeySize = -1;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	276	} else if ("legacy".equals(property)) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	277	useLegacyEphemeralDHKeys = true;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	278	useSmartEphemeralDHKeys = false;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	279	customizedDHKeySize = -1;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	280	} else {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	281	useLegacyEphemeralDHKeys = false;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	282	useSmartEphemeralDHKeys = false;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	283
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	284	try {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	285	// DH parameter generation can be extremely slow, best to
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	286	// use one of the supported pre-computed DH parameters
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	287	// (see DHCrypt class).
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	288	customizedDHKeySize = Integer.parseUnsignedInt(property);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	289	if (customizedDHKeySize < 1024 \|\|
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	290	customizedDHKeySize > 8192 \|\|
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	291	(customizedDHKeySize & 0x3f) != 0) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	292	throw new IllegalArgumentException(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	293	"Unsupported customized DH key size: " +
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	294	customizedDHKeySize + ". " +
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	295	"The key size must be multiple of 64, " +
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	296	"and range from 1024 to 8192 (inclusive)");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	297	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	298	} catch (NumberFormatException nfe) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	299	throw new IllegalArgumentException(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	300	"Invalid system property jdk.tls.ephemeralDHKeySize");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	301	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	302	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	303	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	304
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	305	// Prevent instantiation of this class.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	306	private DHEPossessionGenerator(boolean exportable) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	307	this.exportable = exportable;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	308	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	309
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	310	// Used for ServerKeyExchange, TLS 1.2 and prior versions.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	311	@Override
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	312	public SSLPossession createPossession(HandshakeContext context) {
55353 946f7f2d321c 8171279: Support X25519 and X448 in TLS wetmore parents: 53734 diff changeset	313	NamedGroup preferableNamedGroup;
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	314	if (!useLegacyEphemeralDHKeys &&
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	315	(context.clientRequestedNamedGroups != null) &&
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	316	(!context.clientRequestedNamedGroups.isEmpty())) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	317	preferableNamedGroup =
57718 a93b7b28f644 8226374: Restrict TLS signature schemes and named groups xuelei parents: 55353 diff changeset	318	SupportedGroups.getPreferredGroup(context.negotiatedProtocol,
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	319	context.algorithmConstraints,
57718 a93b7b28f644 8226374: Restrict TLS signature schemes and named groups xuelei parents: 55353 diff changeset	320	new NamedGroupSpec [] {
a93b7b28f644 8226374: Restrict TLS signature schemes and named groups xuelei parents: 55353 diff changeset	321	NamedGroupSpec.NAMED_GROUP_FFDHE },
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	322	context.clientRequestedNamedGroups);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	323	if (preferableNamedGroup != null) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	324	return new DHEPossession(preferableNamedGroup,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	325	context.sslContext.getSecureRandom());
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	326	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	327	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	328
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	329	/*
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	330	* 768 bits ephemeral DH private keys were used to be used in
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	331	* ServerKeyExchange except that exportable ciphers max out at 512
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	332	* bits modulus values. We still adhere to this behavior in legacy
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	333	* mode (system property "jdk.tls.ephemeralDHKeySize" is defined
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	334	* as "legacy").
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	335	*
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	336	* Old JDK (JDK 7 and previous) releases don't support DH keys
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	337	* bigger than 1024 bits. We have to consider the compatibility
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	338	* requirement. 1024 bits DH key is always used for non-exportable
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	339	* cipher suites in default mode (system property
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	340	* "jdk.tls.ephemeralDHKeySize" is not defined).
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	341	*
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	342	* However, if applications want more stronger strength, setting
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	343	* system property "jdk.tls.ephemeralDHKeySize" to "matched"
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	344	* is a workaround to use ephemeral DH key which size matches the
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	345	* corresponding authentication key. For example, if the public key
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	346	* size of an authentication certificate is 2048 bits, then the
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	347	* ephemeral DH key size should be 2048 bits accordingly unless
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	348	* the cipher suite is exportable. This key sizing scheme keeps
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	349	* the cryptographic strength consistent between authentication
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	350	* keys and key-exchange keys.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	351	*
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	352	* Applications may also want to customize the ephemeral DH key
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	353	* size to a fixed length for non-exportable cipher suites. This
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	354	* can be approached by setting system property
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	355	* "jdk.tls.ephemeralDHKeySize" to a valid positive integer between
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	356	* 1024 and 8192 bits, inclusive.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	357	*
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	358	* Note that the minimum acceptable key size is 1024 bits except
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	359	* exportable cipher suites or legacy mode.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	360	*
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	361	* Note that per RFC 2246, the key size limit of DH is 512 bits for
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	362	* exportable cipher suites. Because of the weakness, exportable
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	363	* cipher suites are deprecated since TLS v1.1 and they are not
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	364	* enabled by default in Oracle provider. The legacy behavior is
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	365	* reserved and 512 bits DH key is always used for exportable
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	366	* cipher suites.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	367	*/
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	368	int keySize = exportable ? 512 : 1024; // default mode
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	369	if (!exportable) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	370	if (useLegacyEphemeralDHKeys) { // legacy mode
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	371	keySize = 768;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	372	} else if (useSmartEphemeralDHKeys) { // matched mode
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	373	PrivateKey key = null;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	374	ServerHandshakeContext shc =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	375	(ServerHandshakeContext)context;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	376	if (shc.interimAuthn instanceof X509Possession) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	377	key = ((X509Possession)shc.interimAuthn).popPrivateKey;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	378	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	379
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	380	if (key != null) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	381	int ks = KeyUtil.getKeySize(key);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	382
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	383	// DH parameter generation can be extremely slow, make
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	384	// sure to use one of the supported pre-computed DH
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	385	// parameters.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	386	//
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	387	// Old deployed applications may not be ready to
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	388	// support DH key sizes bigger than 2048 bits. Please
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	389	// DON'T use value other than 1024 and 2048 at present.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	390	// May improve the underlying providers and key size
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	391	// limit in the future when the compatibility and
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	392	// interoperability impact is limited.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	393	keySize = ks <= 1024 ? 1024 : 2048;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	394	} // Otherwise, anonymous cipher suites, 1024-bit is used.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	395	} else if (customizedDHKeySize > 0) { // customized mode
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	396	keySize = customizedDHKeySize;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	397	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	398	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	399
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	400	return new DHEPossession(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	401	keySize, context.sslContext.getSecureRandom());
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	402	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	403	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	404
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	405	private static final
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	406	class DHEKAGenerator implements SSLKeyAgreementGenerator {
55353 946f7f2d321c 8171279: Support X25519 and X448 in TLS wetmore parents: 53734 diff changeset	407	private static final DHEKAGenerator instance = new DHEKAGenerator();
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	408
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	409	// Prevent instantiation of this class.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	410	private DHEKAGenerator() {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	411	// blank
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	412	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	413
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	414	@Override
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	415	public SSLKeyDerivation createKeyDerivation(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	416	HandshakeContext context) throws IOException {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	417	DHEPossession dhePossession = null;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	418	DHECredentials dheCredentials = null;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	419	for (SSLPossession poss : context.handshakePossessions) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	420	if (!(poss instanceof DHEPossession)) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	421	continue;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	422	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	423
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	424	DHEPossession dhep = (DHEPossession)poss;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	425	for (SSLCredentials cred : context.handshakeCredentials) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	426	if (!(cred instanceof DHECredentials)) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	427	continue;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	428	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	429	DHECredentials dhec = (DHECredentials)cred;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	430	if (dhep.namedGroup != null && dhec.namedGroup != null) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	431	if (dhep.namedGroup.equals(dhec.namedGroup)) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	432	dheCredentials = (DHECredentials)cred;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	433	break;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	434	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	435	} else {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	436	DHParameterSpec pps = dhep.publicKey.getParams();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	437	DHParameterSpec cps = dhec.popPublicKey.getParams();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	438	if (pps.getP().equals(cps.getP()) &&
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	439	pps.getG().equals(cps.getG())) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	440	dheCredentials = (DHECredentials)cred;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	441	break;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	442	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	443	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	444	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	445
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	446	if (dheCredentials != null) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	447	dhePossession = (DHEPossession)poss;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	448	break;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	449	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	450	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	451
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	452	if (dhePossession == null \|\| dheCredentials == null) {
53064 103ed9569fc8 8215443: The use of TransportContext.fatal() leads to bad coding style xuelei parents: 53018 diff changeset	453	throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	454	"No sufficient DHE key agreement parameters negotiated");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	455	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	456
55353 946f7f2d321c 8171279: Support X25519 and X448 in TLS wetmore parents: 53734 diff changeset	457	return new KAKeyDerivation("DiffieHellman", context,
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	458	dhePossession.privateKey, dheCredentials.popPublicKey);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	459	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	460	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	461	}

author	chegar
	Thu, 17 Oct 2019 20:54:25 +0100
branch	datagramsocketimpl-branch
changeset 58679	9c3209ff7550
parent 58678	9cf78a70fa4f
parent 57718	a93b7b28f644
permissions	-rw-r--r--