author | xuelei |
Mon, 12 Aug 2019 21:36:29 -0700 | |
changeset 57718 | a93b7b28f644 |
parent 53759 | e16b61a1395e |
permissions | -rw-r--r-- |
50768 | 1 |
/* |
2 |
* Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved. |
50768 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
7 |
* published by the Free Software Foundation. Oracle designates this |
|
8 |
* particular file as subject to the "Classpath" exception as provided |
|
9 |
* by Oracle in the LICENSE file that accompanied this code. |
|
10 |
* |
|
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
15 |
* accompanied this code). |
|
16 |
* |
|
17 |
* You should have received a copy of the GNU General Public License version |
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 |
* |
|
21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
|
22 |
* or visit www.oracle.com if you need additional information or have any |
|
23 |
* questions. |
|
24 |
*/ |
|
25 |
||
26 |
package sun.security.ssl; |
|
27 |
||
28 |
import java.io.ByteArrayInputStream; |
|
29 |
import java.io.IOException; |
|
30 |
import java.nio.ByteBuffer; |
|
31 |
import java.security.PublicKey; |
|
32 |
import java.security.cert.CertPathValidatorException; |
|
33 |
import java.security.cert.CertPathValidatorException.BasicReason; |
|
34 |
import java.security.cert.CertPathValidatorException.Reason; |
|
35 |
import java.security.cert.CertificateEncodingException; |
|
36 |
import java.security.cert.CertificateException; |
|
37 |
import java.security.cert.CertificateFactory; |
|
38 |
import java.security.cert.CertificateParsingException; |
|
39 |
import java.security.cert.X509Certificate; |
|
40 |
import java.text.MessageFormat; |
|
41 |
import java.util.ArrayList; |
|
42 |
import java.util.Arrays; |
|
43 |
import java.util.Collection; |
|
44 |
import java.util.Collections; |
|
45 |
import java.util.HashSet; |
|
46 |
import java.util.LinkedList; |
|
47 |
import java.util.List; |
|
48 |
import java.util.Locale; |
|
49 |
import javax.net.ssl.SSLEngine; |
|
50 |
import javax.net.ssl.SSLException; |
|
51 |
import javax.net.ssl.SSLProtocolException; |
|
52 |
import javax.net.ssl.SSLSocket; |
|
53 |
import javax.net.ssl.X509ExtendedTrustManager; |
|
54 |
import javax.net.ssl.X509TrustManager; |
|
55 |
import javax.security.auth.x500.X500Principal; |
|
56 |
import static sun.security.ssl.ClientAuthType.CLIENT_AUTH_REQUIRED; |
|
57 |
import sun.security.ssl.ClientHello.ClientHelloMessage; |
|
58 |
import sun.security.ssl.SSLHandshake.HandshakeMessage; |
|
59 |
import sun.security.ssl.X509Authentication.X509Credentials; |
|
60 |
import sun.security.ssl.X509Authentication.X509Possession; |
|
61 |
||
62 |
/** |
|
63 |
* Pack of the CertificateMessage handshake message. |
|
64 |
*/ |
|
65 |
final class CertificateMessage { |
|
66 |
// Handler instances for the Certificate handshake message. The T12*
// classes are documented in this file as serving TLS 1.2 and previous
// SSL/TLS versions; the T13* names suggest TLS 1.3 (their definitions
// are not visible in this part of the file).
static final SSLConsumer t12HandshakeConsumer =
    new T12CertificateConsumer();
static final HandshakeProducer t12HandshakeProducer =
    new T12CertificateProducer();

static final SSLConsumer t13HandshakeConsumer =
    new T13CertificateConsumer();
static final HandshakeProducer t13HandshakeProducer =
    new T13CertificateProducer();
|
75 |
||
76 |
/** |
|
77 |
* The Certificate handshake message for TLS 1.2 and previous |
|
78 |
* SSL/TLS protocol versions. |
|
79 |
* |
|
80 |
* In server mode, the certificate handshake message is sent whenever the |
|
81 |
* agreed-upon key exchange method uses certificates for authentication. |
|
82 |
* In client mode, this message is only sent if the server requests a |
|
83 |
* certificate for client authentication. |
|
84 |
* |
|
85 |
* opaque ASN.1Cert<1..2^24-1>; |
|
86 |
* |
|
87 |
* SSL 3.0: |
|
88 |
* struct { |
|
89 |
* ASN.1Cert certificate_list<1..2^24-1>; |
|
90 |
* } Certificate; |
|
91 |
* Note: For SSL 3.0 client authentication, if no suitable certificate |
|
92 |
* is available, the client should send a no_certificate alert instead. |
|
93 |
* This alert is only a warning; however, the server may respond with |
|
94 |
* a fatal handshake failure alert if client authentication is required. |
|
95 |
* |
|
96 |
* TLS 1.0/1.1/1.2: |
|
97 |
* struct { |
|
98 |
* ASN.1Cert certificate_list<0..2^24-1>; |
|
99 |
* } Certificate; |
|
100 |
*/ |
|
101 |
static final class T12CertificateMessage extends HandshakeMessage { |
|
102 |
final List<byte[]> encodedCertChain; |
|
103 |
||
104 |
/**
 * Builds an outbound Certificate message from a local certificate chain.
 *
 * Every certificate is encoded up front, in chain order; an empty array
 * produces an empty certificate list.
 *
 * @param handshakeContext the handshake this message belongs to
 * @param certChain the local chain to send
 * @throws SSLException raised through a fatal internal_error alert when
 *         a certificate cannot be encoded
 */
T12CertificateMessage(HandshakeContext handshakeContext,
        X509Certificate[] certChain) throws SSLException {
    super(handshakeContext);

    final List<byte[]> derChain = new ArrayList<>(certChain.length);
    for (int idx = 0; idx < certChain.length; idx++) {
        final X509Certificate current = certChain[idx];
        byte[] der;
        try {
            der = current.getEncoded();
        } catch (CertificateEncodingException cee) {
            // unlikely
            throw handshakeContext.conContext.fatal(
                    Alert.INTERNAL_ERROR,
                    "Could not encode certificate (" +
                    current.getSubjectX500Principal() + ")", cee);
        }
        derChain.add(der);
    }

    this.encodedCertChain = derChain;
}
|
123 |
||
124 |
/**
 * Parses an inbound Certificate message from the handshake buffer.
 *
 * Reads a certificate-list length (getInt24) followed by entries, each
 * read with getBytes24; every entry is charged against the list length
 * as its byte count plus 3.
 *
 * @param handshakeContext the handshake this message belongs to
 * @param m buffer positioned at the start of the message body
 * @throws IOException raised through a fatal illegal_parameter alert
 *         when the declared list length exceeds the bytes left in m
 */
T12CertificateMessage(HandshakeContext handshakeContext,
        ByteBuffer m) throws IOException {
    super(handshakeContext);

    int listLen = Record.getInt24(m);
    // Peer-controlled length: refuse a list that claims more bytes than
    // the buffer holds before reading any entry.
    if (listLen > m.remaining()) {
        throw handshakeContext.conContext.fatal(
            Alert.ILLEGAL_PARAMETER,
            "Error parsing certificate message:no sufficient data");
    }
    if (listLen > 0) {
        List<byte[]> encodedCerts = new LinkedList<>();
        // NOTE(review): the loop ends once listLen reaches zero or goes
        // negative, so an entry that overruns the declared list length
        // is not rejected here, and nothing in this block caps the
        // number of entries a peer can make us allocate. Presumably
        // Record.getBytes24 bounds each read by the buffer -- confirm,
        // and consider an explicit chain-length limit.
        while (listLen > 0) {
            byte[] encodedCert = Record.getBytes24(m);
            listLen -= (3 + encodedCert.length);
            encodedCerts.add(encodedCert);
        }
        this.encodedCertChain = encodedCerts;
    } else {
        this.encodedCertChain = Collections.emptyList();
    }
}
|
146 |
||
147 |
/** Reports the handshake message type: always CERTIFICATE. */
@Override
public SSLHandshake handshakeType() {
    final SSLHandshake type = SSLHandshake.CERTIFICATE;
    return type;
}
|
151 |
||
152 |
/**
 * Computes the message body length: 3 bytes up front, plus 3 bytes and
 * the encoding length for each certificate in the chain.
 */
@Override
public int messageLength() {
    return 3 + encodedCertChain.stream()
            .mapToInt(der -> der.length + 3)
            .sum();
}
|
161 |
||
162 |
/**
 * Writes the certificate list to the handshake output stream: the total
 * list length first, then each encoded certificate with putBytes24.
 */
@Override
public void send(HandshakeOutStream hos) throws IOException {
    // The list length precedes the entries, so total it before writing.
    final int listLen = encodedCertChain.stream()
            .mapToInt(der -> der.length + 3)
            .sum();

    hos.putInt24(listLen);
    for (byte[] der : encodedCertChain) {
        hos.putBytes24(der);
    }
}
|
174 |
||
175 |
/**
 * Renders the chain for debug logging. Entries that parse as X.509 are
 * shown as certificates; anything else is shown as its raw encoding.
 */
@Override
public String toString() {
    if (encodedCertChain.isEmpty()) {
        return "\"Certificates\": <empty list>";
    }

    // A missing X.509 certificate factory service is tolerated: every
    // entry is then logged as raw bytes.
    CertificateFactory factory;
    try {
        factory = CertificateFactory.getInstance("X.509");
    } catch (CertificateException ce) {
        factory = null;
    }

    final Object[] rendered = new Object[encodedCertChain.size()];
    int slot = 0;
    for (byte[] der : encodedCertChain) {
        Object item = der;
        if (factory != null) {
            try {
                item = (X509Certificate)factory.generateCertificate(
                        new ByteArrayInputStream(der));
            } catch (CertificateException ce) {
                // Unparsable entry: keep the raw encoding for the log.
                item = der;
            }
        }
        rendered[slot++] = item;
    }

    final MessageFormat layout = new MessageFormat(
            "\"Certificates\": [\n" +
            "{0}\n" +
            "]",
            Locale.ENGLISH);
    final Object[] fields = {
        SSLLogger.toString(rendered)
    };

    return layout.format(fields);
}
|
214 |
} |
|
215 |
||
216 |
/** |
|
217 |
* The "Certificate" handshake message producer for TLS 1.2 and |
|
218 |
* previous SSL/TLS protocol versions. |
|
219 |
*/ |
|
220 |
private static final |
|
221 |
class T12CertificateProducer implements HandshakeProducer { |
|
222 |
// Prevent instantiation of this class. |
|
223 |
private T12CertificateProducer() {
    // Intentionally empty. The constructor is private so that only the
    // enclosing class can create the producer instance.
}
|
226 |
||
227 |
/**
 * Dispatches to the client-side or server-side producer according to
 * the connection's configured mode.
 */
@Override
public byte[] produce(ConnectionContext context,
        HandshakeMessage message) throws IOException {
    // The producing happens in handshake context only.
    final boolean clientSide =
            ((HandshakeContext)context).sslConfig.isClientMode;
    return clientSide
            ? onProduceCertificate(
                    (ClientHandshakeContext)context, message)
            : onProduceCertificate(
                    (ServerHandshakeContext)context, message);
}
|
240 |
||
241 |
/**
 * Server side: sends the Certificate message built from the first X.509
 * possession of this handshake, and records the matching private key
 * and chain on the handshake session.
 *
 * @return always null; the message is written and flushed here
 * @throws IOException raised through a fatal internal_error alert when
 *         no X.509 possession is available, or on write failure
 */
private byte[] onProduceCertificate(ServerHandshakeContext shc,
        SSLHandshake.HandshakeMessage message) throws IOException {
    X509Possession serverPossession = null;
    for (SSLPossession candidate : shc.handshakePossessions) {
        if (candidate instanceof X509Possession) {
            serverPossession = (X509Possession)candidate;
            break;
        }
    }

    if (serverPossession == null) {     // unlikely
        throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                "No expected X.509 certificate for server authentication");
    }

    shc.handshakeSession.setLocalPrivateKey(
            serverPossession.popPrivateKey);
    shc.handshakeSession.setLocalCertificates(serverPossession.popCerts);

    final T12CertificateMessage certMsg =
            new T12CertificateMessage(shc, serverPossession.popCerts);
    if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
        SSLLogger.fine(
                "Produced server Certificate handshake message", certMsg);
    }

    // Output the handshake message.
    certMsg.write(shc.handshakeOutput);
    shc.handshakeOutput.flush();

    // The handshake message has been delivered.
    return null;
}
|
273 |
||
274 |
/**
 * Client side: answers a certificate request with the first X.509
 * possession of this handshake, or signals that none is available.
 *
 * Without a possession, a protocol version for which
 * useTLS10PlusSpec() is true gets an empty Certificate message;
 * otherwise a no_certificate warning alert is sent and no message is
 * produced.
 *
 * @return always null; any message is written and flushed here
 */
private byte[] onProduceCertificate(ClientHandshakeContext chc,
        SSLHandshake.HandshakeMessage message) throws IOException {
    X509Possession x509Possession = null;
    for (SSLPossession possession : chc.handshakePossessions) {
        if (possession instanceof X509Possession) {
            x509Possession = (X509Possession)possession;
            break;
        }
    }

    // Report to the server if no appropriate cert was found. For
    // SSL 3.0, send a no_certificate alert; TLS 1.0/1.1/1.2 uses
    // an empty cert chain instead.
    if (x509Possession == null) {
        if (chc.negotiatedProtocol.useTLS10PlusSpec()) {
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.fine(
                    "No X.509 certificate for client authentication, " +
                    "use empty Certificate message instead");
            }

            // Placeholder possession: no private key, zero certificates.
            x509Possession =
                    new X509Possession(null, new X509Certificate[0]);
        } else {
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.fine(
                    "No X.509 certificate for client authentication, " +
                    "send a no_certificate alert");
            }

            chc.conContext.warning(Alert.NO_CERTIFICATE);
            return null;
        }
    }

    // Record what this side authenticates with. For the placeholder
    // possession the private key is null and the local certificates are
    // recorded as null rather than as an empty array.
    chc.handshakeSession.setLocalPrivateKey(
            x509Possession.popPrivateKey);
    if (x509Possession.popCerts != null &&
            x509Possession.popCerts.length != 0) {
        chc.handshakeSession.setLocalCertificates(
                x509Possession.popCerts);
    } else {
        chc.handshakeSession.setLocalCertificates(null);
    }
    T12CertificateMessage cm =
            new T12CertificateMessage(chc, x509Possession.popCerts);
    if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
        SSLLogger.fine(
            "Produced client Certificate handshake message", cm);
    }

    // Output the handshake message.
    cm.write(chc.handshakeOutput);
    chc.handshakeOutput.flush();

    // The handshake message has been delivered.
    return null;
}
|
332 |
} |
|
333 |
||
334 |
/** |
|
335 |
* The "Certificate" handshake message consumer for TLS 1.2 and |
|
336 |
* previous SSL/TLS protocol versions. |
|
337 |
*/ |
|
338 |
static final |
|
339 |
class T12CertificateConsumer implements SSLConsumer { |
|
340 |
// Prevent instantiation of this class. |
|
341 |
private T12CertificateConsumer() {
    // Intentionally empty. The constructor is private so that only the
    // enclosing class can create the consumer instance.
}
|
344 |
||
345 |
/**
 * Parses an inbound Certificate message and hands it to the client-side
 * or server-side handler according to the connection's configured mode.
 */
@Override
public void consume(ConnectionContext context,
        ByteBuffer message) throws IOException {
    // The consuming happens in handshake context only.
    final HandshakeContext hc = (HandshakeContext)context;

    // clean up this consumer (done before the message is parsed)
    hc.handshakeConsumers.remove(SSLHandshake.CERTIFICATE.id);

    final T12CertificateMessage certMsg =
            new T12CertificateMessage(hc, message);
    if (!hc.sslConfig.isClientMode) {
        if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
            SSLLogger.fine(
                "Consuming client Certificate handshake message", certMsg);
        }
        onCertificate((ServerHandshakeContext)context, certMsg);
        return;
    }

    if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
        SSLLogger.fine(
            "Consuming server Certificate handshake message", certMsg);
    }
    onCertificate((ClientHandshakeContext)context, certMsg);
}
|
369 |
||
370 |
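/**
 * Server side: handles the Certificate message sent by the client.
 *
 * An empty chain is accepted only when client authentication is merely
 * requested; otherwise the handshake fails with bad_certificate. A
 * non-empty chain is parsed, passed to checkClientCerts, and then
 * recorded as the peer's credentials and session certificates.
 *
 * @throws IOException raised through a fatal alert when the chain is
 *         empty but not optional, cannot be parsed, or is not trusted
 */
private void onCertificate(ServerHandshakeContext shc,
        T12CertificateMessage certificateMessage) throws IOException {
    List<byte[]> encodedCerts = certificateMessage.encodedCertChain;
    if (encodedCerts == null || encodedCerts.isEmpty()) {
        if (shc.sslConfig.clientAuthType !=
                ClientAuthType.CLIENT_AUTH_REQUESTED) {
            // unexpected or require client authentication
            //
            // The chain handled here comes from the client, so the
            // diagnostic names the client.
            throw shc.conContext.fatal(Alert.BAD_CERTIFICATE,
                "Empty client certificate chain");
        } else {
            // Authentication was only requested: continue with an
            // unauthenticated peer.
            // NOTE(review): this method does not change which later
            // handshake messages are still accepted; confirm that a
            // CertificateVerify following an empty Certificate message
            // is rejected elsewhere.
            return;
        }
    }

    X509Certificate[] x509Certs =
            new X509Certificate[encodedCerts.size()];
    try {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        int i = 0;
        for (byte[] encodedCert : encodedCerts) {
            x509Certs[i++] = (X509Certificate)cf.generateCertificate(
                    new ByteArrayInputStream(encodedCert));
        }
    } catch (CertificateException ce) {
        throw shc.conContext.fatal(Alert.BAD_CERTIFICATE,
            "Failed to parse client certificates", ce);
    }

    // Trust decision first: nothing is recorded for an untrusted chain
    // because checkClientCerts throws on failure.
    checkClientCerts(shc, x509Certs);

    //
    // update
    //
    shc.handshakeCredentials.add(
            new X509Credentials(x509Certs[0].getPublicKey(), x509Certs));
    shc.handshakeSession.setPeerCertificates(x509Certs);
}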
|
407 |
||
408 |
/**
 * Client side: handles the Certificate message sent by the server.
 *
 * The chain must be non-empty and parse as X.509. When server
 * certificates were reserved from an earlier handshake and the session
 * does not use the extended master secret, a changed end-entity
 * certificate is rejected unless endpoint identification is configured.
 * Trust validation runs immediately, or is deferred when stapling is
 * active.
 *
 * @throws IOException raised through a fatal bad_certificate alert for
 *         an empty or unparsable chain or a restricted certificate
 *         change, or by checkServerCerts when validation fails
 */
private void onCertificate(ClientHandshakeContext chc,
        T12CertificateMessage certificateMessage) throws IOException {
    List<byte[]> encodedCerts = certificateMessage.encodedCertChain;
    if (encodedCerts == null || encodedCerts.isEmpty()) {
        throw chc.conContext.fatal(Alert.BAD_CERTIFICATE,
            "Empty server certificate chain");
    }

    X509Certificate[] x509Certs =
            new X509Certificate[encodedCerts.size()];
    try {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        int i = 0;
        for (byte[] encodedCert : encodedCerts) {
            x509Certs[i++] = (X509Certificate)cf.generateCertificate(
                    new ByteArrayInputStream(encodedCert));
        }
    } catch (CertificateException ce) {
        throw chc.conContext.fatal(Alert.BAD_CERTIFICATE,
            "Failed to parse server certificates", ce);
    }

    // Allow server certificate change in client side during
    // renegotiation after a session-resumption abbreviated
    // initial handshake?
    //
    // DO NOT need to check allowUnsafeServerCertChange here. We only
    // reserve server certificates when allowUnsafeServerCertChange is
    // false.
    if (chc.reservedServerCerts != null &&
            !chc.handshakeSession.useExtendedMasterSecret) {
        // It is not necessary to check the certificate update if
        // endpoint identification is enabled.
        String identityAlg = chc.sslConfig.identificationProtocol;
        // Only the end-entity certificates (index 0) are compared.
        if ((identityAlg == null || identityAlg.isEmpty()) &&
                !isIdentityEquivalent(x509Certs[0],
                        chc.reservedServerCerts[0])) {
            throw chc.conContext.fatal(Alert.BAD_CERTIFICATE,
                    "server certificate change is restricted " +
                    "during renegotiation");
        }
    }

    // ask the trust manager to verify the chain
    if (chc.staplingActive) {
        // Defer the certificate check until after we've received the
        // CertificateStatus message. If that message doesn't come in
        // immediately following this message we will execute the
        // check from CertificateStatus' absent handler.
        chc.deferredCerts = x509Certs;
    } else {
        // We're not doing stapling, so perform the check right now
        checkServerCerts(chc, x509Certs);
    }

    //
    // update
    //
    // NOTE(review): on the stapling path the credentials and peer
    // certificates below are recorded before the trust manager has run;
    // the deferred check described above must execute before the chain
    // is relied on -- confirm against the CertificateStatus handlers.
    chc.handshakeCredentials.add(
            new X509Credentials(x509Certs[0].getPublicKey(), x509Certs));
    chc.handshakeSession.setPeerCertificates(x509Certs);
}
|
470 |
||
471 |
/* |
|
472 |
* Whether the certificates can represent the same identity? |
|
473 |
* |
|
474 |
* The certificates can be used to represent the same identity: |
|
475 |
* 1. If the subject alternative names of IP address are present |
|
476 |
* in both certificates, they should be identical; otherwise, |
|
477 |
* 2. if the subject alternative names of DNS name are present in |
|
478 |
* both certificates, they should be identical; otherwise, |
|
479 |
* 3. if the subject fields are present in both certificates, the |
|
480 |
* certificate subjects and issuers should be identical. |
|
481 |
*/ |
|
482 |
private static boolean isIdentityEquivalent(X509Certificate thisCert,
        X509Certificate prevCert) {
    // Identical certificates trivially represent the same identity.
    if (thisCert.equals(prevCert)) {
        return true;
    }

    // check subject alternative names
    //
    // A certificate whose extension cannot be parsed is treated as
    // having no subject alternative names at all.
    Collection<List<?>> currentSans = null;
    try {
        currentSans = thisCert.getSubjectAlternativeNames();
    } catch (CertificateParsingException cpe) {
        if (SSLLogger.isOn && SSLLogger.isOn("handshake")) {
            SSLLogger.fine(
                "Attempt to obtain subjectAltNames extension failed!");
        }
    }

    Collection<List<?>> previousSans = null;
    try {
        previousSans = prevCert.getSubjectAlternativeNames();
    } catch (CertificateParsingException cpe) {
        if (SSLLogger.isOn && SSLLogger.isOn("handshake")) {
            SSLLogger.fine(
                "Attempt to obtain subjectAltNames extension failed!");
        }
    }

    if (currentSans != null && previousSans != null) {
        // check the iPAddress field in subjectAltName extension
        //
        // 7: subject alternative name of type IP.
        final Collection<String> currentIps =
                getSubjectAltNames(currentSans, 7);
        final Collection<String> previousIps =
                getSubjectAltNames(previousSans, 7);
        if (currentIps != null && previousIps != null &&
                isEquivalent(currentIps, previousIps)) {
            return true;
        }

        // check the dNSName field in subjectAltName extension
        //
        // 2: subject alternative name of type DNS.
        final Collection<String> currentDns =
                getSubjectAltNames(currentSans, 2);
        final Collection<String> previousDns =
                getSubjectAltNames(previousSans, 2);
        if (currentDns != null && previousDns != null &&
                isEquivalent(currentDns, previousDns)) {
            return true;
        }
    }

    // check the certificate subject and issuer
    final X500Principal thisSubject = thisCert.getSubjectX500Principal();
    final X500Principal prevSubject = prevCert.getSubjectX500Principal();
    final X500Principal thisIssuer = thisCert.getIssuerX500Principal();
    final X500Principal prevIssuer = prevCert.getIssuerX500Principal();

    // An empty subject name never counts as a matching identity.
    if (thisSubject.getName().isEmpty() ||
            prevSubject.getName().isEmpty()) {
        return false;
    }

    return thisSubject.equals(prevSubject) &&
            thisIssuer.equals(prevIssuer);
}
|
545 |
||
546 |
/* |
|
547 |
* Returns the subject alternative name of the specified type in the |
|
548 |
* subjectAltNames extension of a certificate. |
|
549 |
* |
|
550 |
* Note that only those subjectAltName types that use String data |
|
551 |
* should be passed into this function. |
|
552 |
*/ |
|
553 |
private static Collection<String> getSubjectAltNames(
        Collection<List<?>> subjectAltNames, int type) {
    // Stays null until the first match, so callers can tell "no name of
    // this type" apart from a populated set.
    HashSet<String> matches = null;
    for (List<?> entry : subjectAltNames) {
        // Each entry is a (type, value) pair: index 0 is the type code.
        final int entryType = (Integer)entry.get(0);
        if (entryType != type) {
            continue;
        }

        // The cast relies on the caller passing only String-valued types.
        final String value = (String)entry.get(1);
        if (value == null || value.isEmpty()) {
            continue;
        }

        if (matches == null) {
            matches = new HashSet<>(subjectAltNames.size());
        }
        matches.add(value);
    }

    return matches;
}
|
572 |
||
573 |
/*
 * Returns true when at least one name appears in both collections,
 * compared without regard to case.
 */
private static boolean isEquivalent(Collection<String> thisSubAltNames,
        Collection<String> prevSubAltNames) {
    for (String current : thisSubAltNames) {
        // Only allow the exactly match. No wildcard character
        // checking.
        final boolean seenBefore = prevSubAltNames.stream()
                .anyMatch(previous -> current.equalsIgnoreCase(previous));
        if (seenBefore) {
            return true;
        }
    }

    return false;
}
|
587 |
||
588 |
/** |
|
589 |
* Perform client-side checking of server certificates. |
|
590 |
* |
|
591 |
* @param certs an array of {@code X509Certificate} objects presented |
|
592 |
* by the server in the ServerCertificate message. |
|
593 |
* |
|
594 |
* @throws IOException if a failure occurs during validation or |
|
595 |
* the trust manager associated with the {@code SSLContext} is not |
|
596 |
* an {@code X509ExtendedTrustManager}. |
|
597 |
*/ |
|
598 |
static void checkServerCerts(ClientHandshakeContext chc,
        X509Certificate[] certs) throws IOException {

    final X509TrustManager tm = chc.sslContext.getX509TrustManager();

    // find out the key exchange algorithm used
    // use "RSA" for non-ephemeral "RSA_EXPORT"
    final CipherSuite.KeyExchange negotiatedKx =
            chc.negotiatedCipherSuite.keyExchange;
    final boolean exportRsa =
            negotiatedKx == CipherSuite.KeyExchange.K_RSA_EXPORT ||
            negotiatedKx == CipherSuite.KeyExchange.K_DHE_RSA_EXPORT;
    final String keyExchangeString = exportRsa
            ? CipherSuite.KeyExchange.K_RSA.name
            : negotiatedKx.name;

    try {
        if (!(tm instanceof X509ExtendedTrustManager)) {
            // Unlikely to happen, because we have wrapped the old
            // X509TrustManager with the new X509ExtendedTrustManager.
            throw new CertificateException(
                    "Improper X509TrustManager implementation");
        }

        // The trust manager receives a copy of the chain, so it cannot
        // alter the array that is stored on the session below.
        final X509ExtendedTrustManager extendedTm =
                (X509ExtendedTrustManager)tm;
        if (chc.conContext.transport instanceof SSLEngine) {
            extendedTm.checkServerTrusted(
                    certs.clone(),
                    keyExchangeString,
                    (SSLEngine)chc.conContext.transport);
        } else {
            extendedTm.checkServerTrusted(
                    certs.clone(),
                    keyExchangeString,
                    (SSLSocket)chc.conContext.transport);
        }

        // Once the server certificate chain has been validated, set
        // the certificate chain in the TLS session.
        chc.handshakeSession.setPeerCertificates(certs);
    } catch (CertificateException ce) {
        // The alert sent to the peer is derived from the failure cause.
        throw chc.conContext.fatal(getCertificateAlert(chc, ce), ce);
    }
}
|
644 |
||
645 |
/**
 * Perform server-side checking of client certificates.
 *
 * The authentication type handed to the trust manager is the public key
 * algorithm of the end-entity certificate when it is one of RSA, DSA,
 * EC or RSASSA-PSS, and "UNKNOWN" otherwise.
 *
 * @throws IOException raised through a fatal certificate_unknown alert
 *         for every validation failure; unlike checkServerCerts, the
 *         failure cause is not mapped to a more specific alert
 */
private static void checkClientCerts(ServerHandshakeContext shc,
        X509Certificate[] certs) throws IOException {
    final X509TrustManager tm = shc.sslContext.getX509TrustManager();

    // find out the types of client authentication used
    final PublicKey leafKey = certs[0].getPublicKey();
    final String keyAlgorithm = leafKey.getAlgorithm();
    final boolean recognised =
            keyAlgorithm.equals("RSA") ||
            keyAlgorithm.equals("DSA") ||
            keyAlgorithm.equals("EC") ||
            keyAlgorithm.equals("RSASSA-PSS");
    // unknown public key type maps to "UNKNOWN"
    final String authType = recognised ? keyAlgorithm : "UNKNOWN";

    try {
        if (!(tm instanceof X509ExtendedTrustManager)) {
            // Unlikely to happen, because we have wrapped the old
            // X509TrustManager with the new X509ExtendedTrustManager.
            throw new CertificateException(
                    "Improper X509TrustManager implementation");
        }

        // The trust manager receives a copy of the chain.
        final X509ExtendedTrustManager extendedTm =
                (X509ExtendedTrustManager)tm;
        if (shc.conContext.transport instanceof SSLEngine) {
            extendedTm.checkClientTrusted(
                    certs.clone(),
                    authType,
                    (SSLEngine)shc.conContext.transport);
        } else {
            extendedTm.checkClientTrusted(
                    certs.clone(),
                    authType,
                    (SSLSocket)shc.conContext.transport);
        }
    } catch (CertificateException ce) {
        throw shc.conContext.fatal(Alert.CERTIFICATE_UNKNOWN, ce);
    }
}
|
690 |
||
691 |
/** |
|
692 |
* When a failure happens during certificate checking from an |
|
693 |
* {@link X509TrustManager}, determine what TLS alert description |
|
694 |
* to use. |
|
695 |
* |
|
696 |
* @param cexc The exception thrown by the {@link X509TrustManager} |
|
697 |
* |
|
698 |
* @return A byte value corresponding to a TLS alert description number. |
|
699 |
*/ |
|
700 |
private static Alert getCertificateAlert(
        ClientHandshakeContext chc, CertificateException cexc) {
    // The result is an Alert constant. Only the direct cause of the
    // exception is inspected; anything that is not a
    // CertPathValidatorException maps to certificate_unknown.
    final Throwable baseCause = cexc.getCause();
    if (!(baseCause instanceof CertPathValidatorException)) {
        return Alert.CERTIFICATE_UNKNOWN;
    }

    // The specific reason for the failure will determine how to
    // set the alert description value
    final Reason reason =
            ((CertPathValidatorException)baseCause).getReason();

    // With stapling active, revocation problems are reported as a bad
    // status response instead of a statement about the certificate.
    if (reason == BasicReason.REVOKED) {
        return chc.staplingActive ?
                Alert.BAD_CERT_STATUS_RESPONSE :
                Alert.CERTIFICATE_REVOKED;
    }
    if (reason == BasicReason.UNDETERMINED_REVOCATION_STATUS) {
        return chc.staplingActive ?
                Alert.BAD_CERT_STATUS_RESPONSE :
                Alert.CERTIFICATE_UNKNOWN;
    }
    if (reason == BasicReason.ALGORITHM_CONSTRAINED) {
        return Alert.UNSUPPORTED_CERTIFICATE;
    }
    if (reason == BasicReason.EXPIRED) {
        return Alert.CERTIFICATE_EXPIRED;
    }
    if (reason == BasicReason.INVALID_SIGNATURE ||
            reason == BasicReason.NOT_YET_VALID) {
        return Alert.BAD_CERTIFICATE;
    }

    return Alert.CERTIFICATE_UNKNOWN;
}
|
732 |
||
733 |
} |
|
734 |
||
735 |
/**
 * The certificate entry used in Certificate handshake message for TLS 1.3.
 *
 * Each entry pairs the encoded certificate bytes with the extensions that
 * travel with that certificate in the certificate_list.
 */
static final class CertificateEntry {
    // Encoded cert or public key.  The array is kept as passed in; no
    // defensive copy is taken here.
    final byte[] encoded;
    private final SSLExtensions extensions;

    CertificateEntry(byte[] encoded, SSLExtensions extensions) {
        this.extensions = extensions;
        this.encoded = encoded;
    }

    /**
     * Returns the size of this entry as accounted for in the enclosing
     * certificate_list: 3 bytes, plus the encoded certificate, plus the
     * extensions block.
     */
    private int getEncodedSize() {
        int extensionsSize = extensions.length();

        // Empty extensions are still counted as 2 bytes; the sender writes
        // a 16-bit zero for them (see T13CertificateMessage.send).
        return 3 + encoded.length + (extensionsSize == 0 ? 2 : extensionsSize);
    }

    /**
     * Renders the entry for logging.  When the bytes cannot be decoded as
     * an X.509 certificate the raw encoding is logged instead.
     */
    @Override
    public String toString() {
        Object x509Certs;
        try {
            // Don't support certificate type extension (RawPublicKey) yet.
            x509Certs = CertificateFactory.getInstance("X.509")
                    .generateCertificate(new ByteArrayInputStream(encoded));
        } catch (CertificateException ce) {
            // no X.509 certificate factory service
            x509Certs = encoded;
        }

        MessageFormat entryFormat = new MessageFormat(
                "\n'{'\n" +
                "{0}\n" +                   // X.509 certificate
                " \"extensions\": '{'\n" +
                "{1}\n" +
                " '}'\n" +
                "'}',", Locale.ENGLISH);

        Object[] fields = {
            SSLLogger.toString(x509Certs),
            Utilities.indent(extensions.toString(), " ")
        };

        return entryFormat.format(fields);
    }
}
|
/**
 * The Certificate handshake message for TLS 1.3.
 *
 * Instances are built either from local certificates (for sending) or
 * parsed from a ByteBuffer holding the peer's message.  The parsing
 * constructor operates on peer-supplied bytes, so every length field is
 * checked against the data that is actually available before use.
 */
static final class T13CertificateMessage extends HandshakeMessage {
    private final byte[] requestContext;
    private final List<CertificateEntry> certEntries;

    /**
     * Builds an outbound message from a local certificate chain.  Each
     * certificate gets a fresh, initially empty extensions block.
     *
     * @throws CertificateException if a certificate cannot be encoded
     */
    T13CertificateMessage(HandshakeContext context,
            byte[] requestContext, X509Certificate[] certificates)
            throws SSLException, CertificateException {
        super(context);

        this.requestContext = requestContext.clone();
        this.certEntries = new LinkedList<>();
        for (X509Certificate certificate : certificates) {
            certEntries.add(new CertificateEntry(
                    certificate.getEncoded(), new SSLExtensions(this)));
        }
    }

    /**
     * Builds a message around an existing entry list.  The list reference
     * is stored as passed in; only the request context is copied.
     */
    T13CertificateMessage(HandshakeContext handshakeContext,
            byte[] requestContext, List<CertificateEntry> certificates) {
        super(handshakeContext);

        this.certEntries = certificates;
        this.requestContext = requestContext.clone();
    }

    /**
     * Parses a Certificate message from the wire.
     *
     * @throws SSLProtocolException if the message is truncated, the list
     *         length does not match the remaining data, or an entry
     *         carries empty cert_data
     */
    T13CertificateMessage(HandshakeContext handshakeContext,
            ByteBuffer m) throws IOException {
        super(handshakeContext);

        // struct {
        //     opaque certificate_request_context<0..2^8-1>;
        //     CertificateEntry certificate_list<0..2^24-1>;
        // } Certificate;
        //
        // Minimum is 1 byte of context length plus 3 bytes of list length.
        if (m.remaining() < 4) {
            throw new SSLProtocolException(
                    "Invalid Certificate message: " +
                    "insufficient data (length=" + m.remaining() + ")");
        }
        this.requestContext = Record.getBytes8(m);

        // The 24-bit list length must still be present after the context.
        if (m.remaining() < 3) {
            throw new SSLProtocolException(
                    "Invalid Certificate message: " +
                    "insufficient certificate entries data (length=" +
                    m.remaining() + ")");
        }

        // The declared list length has to cover exactly the rest of the
        // message; trailing or missing bytes are rejected.
        int declaredListLen = Record.getInt24(m);
        if (declaredListLen != m.remaining()) {
            throw new SSLProtocolException(
                    "Invalid Certificate message: " +
                    "incorrect list length (length=" + declaredListLen + ")");
        }

        SSLExtension[] enabledExtensions =
                handshakeContext.sslConfig.getEnabledExtensions(
                        SSLHandshake.CERTIFICATE);
        List<CertificateEntry> parsedEntries = new LinkedList<>();
        while (m.hasRemaining()) {
            // Note: support only X509 CertificateType right now.
            byte[] certData = Record.getBytes24(m);
            if (certData.length == 0) {
                throw new SSLProtocolException(
                        "Invalid Certificate message: empty cert_data");
            }

            parsedEntries.add(new CertificateEntry(certData,
                    new SSLExtensions(this, m, enabledExtensions)));
        }

        // Parsed entries are exposed through an unmodifiable view.
        this.certEntries = Collections.unmodifiableList(parsedEntries);
    }

    @Override
    public SSLHandshake handshakeType() {
        return SSLHandshake.CERTIFICATE;
    }

    /**
     * Returns the message body length: the 1-byte context length and the
     * 3-byte list length, the context itself, and all entries.
     */
    @Override
    public int messageLength() {
        return 4 + requestContext.length + entryListLength();
    }

    /**
     * Writes the request context, the 24-bit list length and then every
     * entry with its extensions.
     */
    @Override
    public void send(HandshakeOutStream hos) throws IOException {
        int listLen = entryListLength();

        hos.putBytes8(requestContext);
        hos.putInt24(listLen);
        for (CertificateEntry certEntry : certEntries) {
            hos.putBytes24(certEntry.encoded);
            // Is it an empty extensions?
            if (certEntry.extensions.length() != 0) {
                certEntry.extensions.send(hos);
            } else {
                hos.putInt16(0);
            }
        }
    }

    /** Sums the encoded size of every certificate entry. */
    private int entryListLength() {
        int total = 0;
        for (CertificateEntry certEntry : certEntries) {
            total += certEntry.getEncodedSize();
        }

        return total;
    }

    @Override
    public String toString() {
        StringBuilder entriesText = new StringBuilder(512);
        for (CertificateEntry certEntry : certEntries) {
            entriesText.append(certEntry.toString());
        }

        MessageFormat messageFormat = new MessageFormat(
                "\"Certificate\": '{'\n" +
                " \"certificate_request_context\": \"{0}\",\n" +
                " \"certificate_list\": [{1}\n]\n" +
                "'}'",
                Locale.ENGLISH);

        Object[] messageFields = {
            Utilities.toHexString(requestContext),
            Utilities.indent(entriesText.toString())
        };

        return messageFormat.format(messageFields);
    }
}
|
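/**
 * The "Certificate" handshake message producer for TLS 1.3.
 *
 * The server side must find an X.509 possession and fails the handshake
 * otherwise; the client side falls back to a Certificate message with an
 * empty certificate list when it has nothing suitable to present.
 */
private static final
        class T13CertificateProducer implements HandshakeProducer {
    // Prevent instantiation of this class.
    private T13CertificateProducer() {
        // blank
    }

    /**
     * Dispatches to the client or server producer according to the
     * configured mode of the connection.
     *
     * @return the value of the role-specific producer; both write the
     *         message to the handshake output themselves and return null
     */
    @Override
    public byte[] produce(ConnectionContext context,
            HandshakeMessage message) throws IOException {
        // The producing happens in handshake context only.
        HandshakeContext hc = (HandshakeContext)context;
        if (hc.sslConfig.isClientMode) {
            return onProduceCertificate(
                    (ClientHandshakeContext)context, message);
        } else {
            return onProduceCertificate(
                    (ServerHandshakeContext)context, message);
        }
    }

    /**
     * Produces the server Certificate message.  Any failure to find a
     * usable X.509 credential is fatal with handshake_failure.
     */
    private byte[] onProduceCertificate(ServerHandshakeContext shc,
            HandshakeMessage message) throws IOException {
        ClientHelloMessage clientHello = (ClientHelloMessage)message;

        SSLPossession pos = choosePossession(shc, clientHello);
        if (pos == null) {
            throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                    "No available authentication scheme");
        }

        if (!(pos instanceof X509Possession)) {
            throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                    "No X.509 certificate for server authentication");
        }

        X509Possession x509Possession = (X509Possession)pos;
        X509Certificate[] localCerts = x509Possession.popCerts;
        if (localCerts == null || localCerts.length == 0) {
            throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                    "No X.509 certificate for server authentication");
        }

        // update the context
        shc.handshakePossessions.add(x509Possession);
        shc.handshakeSession.setLocalPrivateKey(
                x509Possession.popPrivateKey);
        shc.handshakeSession.setLocalCertificates(localCerts);
        T13CertificateMessage cm;
        try {
            // The server sends an empty certificate_request_context.
            cm = new T13CertificateMessage(shc, (new byte[0]), localCerts);
        } catch (SSLException | CertificateException ce) {
            throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                    "Failed to produce server Certificate message", ce);
        }

        // Check the OCSP stapling extensions and attempt
        // to get responses.  If the resulting stapleParams is non
        // null, it implies that stapling is enabled on the server side.
        shc.stapleParams = StatusResponseManager.processStapling(shc);
        shc.staplingActive = (shc.stapleParams != null);

        // Process extensions for each CertificateEntry.
        // Since there can be multiple CertificateEntries within a
        // single CT message, we will pin a specific CertificateEntry
        // into the ServerHandshakeContext so individual extension
        // producers know which X509Certificate it is processing in
        // each call.
        SSLExtension[] enabledCTExts = shc.sslConfig.getEnabledExtensions(
                SSLHandshake.CERTIFICATE,
                Arrays.asList(ProtocolVersion.PROTOCOLS_OF_13));
        for (CertificateEntry certEnt : cm.certEntries) {
            shc.currentCertEntry = certEnt;
            certEnt.extensions.produce(shc, enabledCTExts);
        }

        if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
            SSLLogger.fine("Produced server Certificate message", cm);
        }

        // Output the handshake message.
        cm.write(shc.handshakeOutput);
        shc.handshakeOutput.flush();

        // The handshake message has been delivered.
        return null;
    }

    /**
     * Picks the first possession usable with one of the certificate
     * signature schemes requested by the peer.
     *
     * A scheme is skipped when no CertificateVerify could be produced for
     * it under the local algorithm constraints, when it has no matching
     * authentication type, or when no possession can be created for it.
     * Key algorithms that failed the first two checks are remembered so
     * later schemes with the same key algorithm are skipped directly.
     *
     * @return the selected possession, or null if none is available
     */
    private static SSLPossession choosePossession(
            HandshakeContext hc,
            ClientHelloMessage clientHello) throws IOException {
        if (hc.peerRequestedCertSignSchemes == null ||
                hc.peerRequestedCertSignSchemes.isEmpty()) {
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.warning(
                        "No signature_algorithms(_cert) in ClientHello");
            }
            return null;
        }

        Collection<String> checkedKeyTypes = new HashSet<>();
        for (SignatureScheme ss : hc.peerRequestedCertSignSchemes) {
            if (checkedKeyTypes.contains(ss.keyAlgorithm)) {
                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                    SSLLogger.warning(
                        "Unsupported authentication scheme: " + ss.name);
                }
                continue;
            }

            // Don't select a signature scheme unless we will be able to
            // produce a CertificateVerify message later
            if (SignatureScheme.getPreferableAlgorithm(
                    hc.algorithmConstraints,
                    hc.peerRequestedSignatureSchemes,
                    ss, hc.negotiatedProtocol) == null) {

                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                    SSLLogger.warning(
                        "Unable to produce CertificateVerify for " +
                        "signature scheme: " + ss.name);
                }
                checkedKeyTypes.add(ss.keyAlgorithm);
                continue;
            }

            SSLAuthentication ka = X509Authentication.valueOf(ss);
            if (ka == null) {
                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                    SSLLogger.warning(
                        "Unsupported authentication scheme: " + ss.name);
                }
                checkedKeyTypes.add(ss.keyAlgorithm);
                continue;
            }

            SSLPossession pos = ka.createPossession(hc);
            if (pos == null) {
                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                    SSLLogger.warning(
                        "Unavailable authentication scheme: " + ss.name);
                }
                continue;
            }

            return pos;
        }

        if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
            SSLLogger.warning("No available authentication scheme");
        }
        return null;
    }

    /**
     * Produces the client Certificate message.  Unlike the server side, a
     * missing or non-X.509 possession is not fatal here: the message is
     * sent with an empty certificate list.
     */
    private byte[] onProduceCertificate(ClientHandshakeContext chc,
            HandshakeMessage message) throws IOException {
        ClientHelloMessage clientHello = (ClientHelloMessage)message;
        SSLPossession pos = choosePossession(chc, clientHello);
        X509Certificate[] localCerts;
        if (pos == null) {
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.fine("No available client authentication scheme");
            }
            localCerts = new X509Certificate[0];
        } else {
            chc.handshakePossessions.add(pos);
            if (!(pos instanceof X509Possession)) {
                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                    SSLLogger.fine(
                        "No X.509 certificate for client authentication");
                }
                localCerts = new X509Certificate[0];
            } else {
                X509Possession x509Possession = (X509Possession)pos;
                localCerts = x509Possession.popCerts;
                chc.handshakeSession.setLocalPrivateKey(
                        x509Possession.popPrivateKey);
            }
        }

        if (localCerts != null && localCerts.length != 0) {
            chc.handshakeSession.setLocalCertificates(localCerts);
        } else {
            chc.handshakeSession.setLocalCertificates(null);

            // popCerts is treated as possibly null by the check above, but
            // the message constructor iterates the array.  Normalise null
            // to an empty chain so this path sends an empty certificate
            // list instead of failing with a NullPointerException.
            if (localCerts == null) {
                localCerts = new X509Certificate[0];
            }
        }

        T13CertificateMessage cm;
        try {
            cm = new T13CertificateMessage(
                    chc, chc.certRequestContext, localCerts);
        } catch (SSLException | CertificateException ce) {
            throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                    "Failed to produce client Certificate message", ce);
        }
        if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
            SSLLogger.fine("Produced client Certificate message", cm);
        }

        // Output the handshake message.
        cm.write(chc.handshakeOutput);
        chc.handshakeOutput.flush();

        // The handshake message has been delivered.
        return null;
    }
}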
|
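/**
 * The "Certificate" handshake message consumer for TLS 1.3.
 *
 * Parses the peer's Certificate message, decodes the chain and hands it to
 * the configured X509ExtendedTrustManager.  The chain is recorded in the
 * handshake session only after the trust manager call returns without
 * throwing.
 */
private static final class T13CertificateConsumer implements SSLConsumer {
    // Prevent instantiation of this class.
    private T13CertificateConsumer() {
        // blank
    }

    /**
     * Parses the message and dispatches to the client or server handler
     * according to the configured mode of the connection.
     */
    @Override
    public void consume(ConnectionContext context,
            ByteBuffer message) throws IOException {
        // The consuming happens in handshake context only.
        HandshakeContext hc = (HandshakeContext)context;

        // clean up this consumer
        hc.handshakeConsumers.remove(SSLHandshake.CERTIFICATE.id);
        T13CertificateMessage cm = new T13CertificateMessage(hc, message);
        if (hc.sslConfig.isClientMode) {
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.fine(
                    "Consuming server Certificate handshake message", cm);
            }
            onConsumeCertificate((ClientHandshakeContext)context, cm);
        } else {
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.fine(
                    "Consuming client Certificate handshake message", cm);
            }
            onConsumeCertificate((ServerHandshakeContext)context, cm);
        }
    }

    /**
     * Handles the client's Certificate message on the server.  An empty
     * chain is fatal only when client authentication is required.
     */
    private void onConsumeCertificate(ServerHandshakeContext shc,
            T13CertificateMessage certificateMessage) throws IOException {
        if (certificateMessage.certEntries == null ||
                certificateMessage.certEntries.isEmpty()) {
            if (shc.sslConfig.clientAuthType == CLIENT_AUTH_REQUIRED) {
                throw shc.conContext.fatal(Alert.BAD_CERTIFICATE,
                        "Empty client certificate chain");
            } else {
                // optional client authentication
                return;
            }
        }

        // check client certificate entries
        X509Certificate[] cliCerts =
                checkClientCerts(shc, certificateMessage.certEntries);

        //
        // update
        //
        shc.handshakeCredentials.add(
                new X509Credentials(cliCerts[0].getPublicKey(), cliCerts));
        shc.handshakeSession.setPeerCertificates(cliCerts);
    }

    /**
     * Handles the server's Certificate message on the client.  An empty
     * chain is always fatal.
     */
    private void onConsumeCertificate(ClientHandshakeContext chc,
            T13CertificateMessage certificateMessage) throws IOException {
        if (certificateMessage.certEntries == null ||
                certificateMessage.certEntries.isEmpty()) {
            throw chc.conContext.fatal(Alert.BAD_CERTIFICATE,
                    "Empty server certificate chain");
        }

        // Each CertificateEntry will have its own set of extensions
        // which must be consumed.
        SSLExtension[] enabledExtensions =
                chc.sslConfig.getEnabledExtensions(SSLHandshake.CERTIFICATE);
        for (CertificateEntry certEnt : certificateMessage.certEntries) {
            certEnt.extensions.consumeOnLoad(chc, enabledExtensions);
        }

        // check server certificate entries
        X509Certificate[] srvCerts =
                checkServerCerts(chc, certificateMessage.certEntries);

        //
        // update
        //
        chc.handshakeCredentials.add(
                new X509Credentials(srvCerts[0].getPublicKey(), srvCerts));
        chc.handshakeSession.setPeerCertificates(srvCerts);
    }

    /**
     * Decodes the client's chain and validates it with the trust manager.
     *
     * A chain that cannot be decoded is fatal with bad_certificate; a
     * chain rejected by the trust manager is fatal with
     * certificate_unknown, whatever the underlying reason.
     *
     * @return the decoded and validated chain, leaf certificate first
     *         as received
     */
    private static X509Certificate[] checkClientCerts(
            ServerHandshakeContext shc,
            List<CertificateEntry> certEntries) throws IOException {
        X509Certificate[] certs =
                new X509Certificate[certEntries.size()];
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            int i = 0;
            for (CertificateEntry entry : certEntries) {
                certs[i++] = (X509Certificate)cf.generateCertificate(
                                new ByteArrayInputStream(entry.encoded));
            }
        } catch (CertificateException ce) {
            // This is the client's chain; the message previously said
            // "server certificates", which misdirects anyone reading the
            // failure in logs.
            throw shc.conContext.fatal(Alert.BAD_CERTIFICATE,
                    "Failed to parse client certificates", ce);
        }

        // find out the types of client authentication used
        String keyAlgorithm = certs[0].getPublicKey().getAlgorithm();
        String authType;
        switch (keyAlgorithm) {
            case "RSA":
            case "DSA":
            case "EC":
            case "RSASSA-PSS":
                authType = keyAlgorithm;
                break;
            default:
                // unknown public key type
                authType = "UNKNOWN";
        }

        try {
            X509TrustManager tm = shc.sslContext.getX509TrustManager();
            if (tm instanceof X509ExtendedTrustManager) {
                // The trust manager is given a copy of the array, so the
                // array returned to the caller is not the one it saw.
                if (shc.conContext.transport instanceof SSLEngine) {
                    SSLEngine engine = (SSLEngine)shc.conContext.transport;
                    ((X509ExtendedTrustManager)tm).checkClientTrusted(
                            certs.clone(),
                            authType,
                            engine);
                } else {
                    SSLSocket socket = (SSLSocket)shc.conContext.transport;
                    ((X509ExtendedTrustManager)tm).checkClientTrusted(
                            certs.clone(),
                            authType,
                            socket);
                }
            } else {
                // Unlikely to happen, because we have wrapped the old
                // X509TrustManager with the new X509ExtendedTrustManager.
                throw new CertificateException(
                        "Improper X509TrustManager implementation");
            }

            // Once the client certificate chain has been validated, set
            // the certificate chain in the TLS session.
            shc.handshakeSession.setPeerCertificates(certs);
        } catch (CertificateException ce) {
            throw shc.conContext.fatal(Alert.CERTIFICATE_UNKNOWN, ce);
        }

        return certs;
    }

    /**
     * Decodes the server's chain and validates it with the trust manager.
     *
     * A chain that cannot be decoded is fatal with bad_certificate; for a
     * chain rejected by the trust manager the alert is chosen by
     * {@link #getCertificateAlert}.
     *
     * @return the decoded and validated chain, in the order received
     */
    private static X509Certificate[] checkServerCerts(
            ClientHandshakeContext chc,
            List<CertificateEntry> certEntries) throws IOException {
        X509Certificate[] certs =
                new X509Certificate[certEntries.size()];
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            int i = 0;
            for (CertificateEntry entry : certEntries) {
                certs[i++] = (X509Certificate)cf.generateCertificate(
                                new ByteArrayInputStream(entry.encoded));
            }
        } catch (CertificateException ce) {
            throw chc.conContext.fatal(Alert.BAD_CERTIFICATE,
                    "Failed to parse server certificates", ce);
        }

        // find out the types of server authentication used
        //
        // Note that the "UNKNOWN" authentication type is sufficient to
        // check the required digitalSignature KeyUsage for TLS 1.3.
        String authType = "UNKNOWN";

        try {
            X509TrustManager tm = chc.sslContext.getX509TrustManager();
            if (tm instanceof X509ExtendedTrustManager) {
                // The trust manager is given a copy of the array, so the
                // array returned to the caller is not the one it saw.
                if (chc.conContext.transport instanceof SSLEngine) {
                    SSLEngine engine = (SSLEngine)chc.conContext.transport;
                    ((X509ExtendedTrustManager)tm).checkServerTrusted(
                            certs.clone(),
                            authType,
                            engine);
                } else {
                    SSLSocket socket = (SSLSocket)chc.conContext.transport;
                    ((X509ExtendedTrustManager)tm).checkServerTrusted(
                            certs.clone(),
                            authType,
                            socket);
                }
            } else {
                // Unlikely to happen, because we have wrapped the old
                // X509TrustManager with the new X509ExtendedTrustManager.
                throw new CertificateException(
                        "Improper X509TrustManager implementation");
            }

            // Once the server certificate chain has been validated, set
            // the certificate chain in the TLS session.
            chc.handshakeSession.setPeerCertificates(certs);
        } catch (CertificateException ce) {
            throw chc.conContext.fatal(getCertificateAlert(chc, ce), ce);
        }

        return certs;
    }

    /**
     * When a failure happens during certificate checking from an
     * {@link X509TrustManager}, determine what TLS alert description
     * to use.
     *
     * Only revocation-related reasons are distinguished; every other
     * failure is reported as certificate_unknown.
     *
     * @param chc  The client handshake context; its staplingActive flag
     *             selects bad_certificate_status_response for revocation
     *             failures
     * @param cexc The exception thrown by the {@link X509TrustManager}
     *
     * @return The {@code Alert} to send for this failure.
     */
    private static Alert getCertificateAlert(
            ClientHandshakeContext chc, CertificateException cexc) {
        // The specific reason for the failure will determine how to
        // set the alert description value
        Alert alert = Alert.CERTIFICATE_UNKNOWN;

        // NOTE(review): the alert mapping that ends just above
        // CertificateEntry in this file also maps ALGORITHM_CONSTRAINED,
        // EXPIRED, INVALID_SIGNATURE and NOT_YET_VALID to specific alerts.
        // Confirm whether the narrower mapping here is intentional.
        Throwable baseCause = cexc.getCause();
        if (baseCause instanceof CertPathValidatorException) {
            CertPathValidatorException cpve =
                    (CertPathValidatorException)baseCause;
            Reason reason = cpve.getReason();
            if (reason == BasicReason.REVOKED) {
                alert = chc.staplingActive ?
                        Alert.BAD_CERT_STATUS_RESPONSE :
                        Alert.CERTIFICATE_REVOKED;
            } else if (
                    reason == BasicReason.UNDETERMINED_REVOCATION_STATUS) {
                alert = chc.staplingActive ?
                        Alert.BAD_CERT_STATUS_RESPONSE :
                        Alert.CERTIFICATE_UNKNOWN;
            }
        }

        return alert;
    }
}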
|
} |