| author | xuelei |
| Thu, 21 Nov 2019 18:42:33 -0800 | |
| changeset 59214 | e7df7c86eda1 |
| parent 57718 | a93b7b28f644 |
| permissions | -rw-r--r-- |
| 55353 | 1 |
/* |
2 |
* Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. |
|
3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
|
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
7 |
* published by the Free Software Foundation. Oracle designates this |
|
8 |
* particular file as subject to the "Classpath" exception as provided |
|
9 |
* by Oracle in the LICENSE file that accompanied this code. |
|
10 |
* |
|
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
15 |
* accompanied this code). |
|
16 |
* |
|
17 |
* You should have received a copy of the GNU General Public License version |
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 |
* |
|
21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
|
22 |
* or visit www.oracle.com if you need additional information or have any |
|
23 |
* questions. |
|
24 |
*/ |
|
25 |
package sun.security.ssl; |
|
26 |
||
27 |
import javax.crypto.spec.DHParameterSpec; |
|
28 |
import javax.net.ssl.SSLException; |
|
29 |
import java.io.IOException; |
|
30 |
import java.security.*; |
|
31 |
import java.security.spec.*; |
|
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
32 |
import java.util.Collections; |
| 55353 | 33 |
import java.util.EnumSet; |
34 |
import java.util.List; |
|
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
35 |
import java.util.Set; |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
36 |
import javax.crypto.KeyAgreement; |
| 55353 | 37 |
import sun.security.ssl.DHKeyExchange.DHEPossession; |
38 |
import sun.security.ssl.ECDHKeyExchange.ECDHEPossession; |
|
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
39 |
import sun.security.util.CurveDB; |
| 55353 | 40 |
|
41 |
||
42 |
/** |
|
43 |
* An enum containing all known named groups for use in TLS. |
|
44 |
* |
|
45 |
* The enum also contains the required properties of each group and the |
|
46 |
* required functions (e.g. encoding/decoding). |
|
47 |
*/ |
|
48 |
enum NamedGroup {
|
|
49 |
// Elliptic Curves (RFC 4492) |
|
50 |
// |
|
51 |
// See sun.security.util.CurveDB for the OIDs |
|
52 |
// NIST K-163 |
|
53 |
||
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
54 |
SECT163_K1(0x0001, "sect163k1", |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
55 |
NamedGroupSpec.NAMED_GROUP_ECDHE, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
56 |
ProtocolVersion.PROTOCOLS_TO_12, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
57 |
CurveDB.lookup("sect163k1")),
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
58 |
SECT163_R1(0x0002, "sect163r1", |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
59 |
NamedGroupSpec.NAMED_GROUP_ECDHE, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
60 |
ProtocolVersion.PROTOCOLS_TO_12, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
61 |
CurveDB.lookup("sect163r1")),
|
| 55353 | 62 |
|
63 |
// NIST B-163 |
|
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
64 |
SECT163_R2(0x0003, "sect163r2", |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
65 |
NamedGroupSpec.NAMED_GROUP_ECDHE, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
66 |
ProtocolVersion.PROTOCOLS_TO_12, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
67 |
CurveDB.lookup("sect163r2")),
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
68 |
SECT193_R1(0x0004, "sect193r1", |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
69 |
NamedGroupSpec.NAMED_GROUP_ECDHE, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
70 |
ProtocolVersion.PROTOCOLS_TO_12, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
71 |
CurveDB.lookup("sect193r1")),
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
72 |
SECT193_R2(0x0005, "sect193r2", |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
73 |
NamedGroupSpec.NAMED_GROUP_ECDHE, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
74 |
ProtocolVersion.PROTOCOLS_TO_12, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
75 |
CurveDB.lookup("sect193r2")),
|
| 55353 | 76 |
|
77 |
// NIST K-233 |
|
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
78 |
SECT233_K1(0x0006, "sect233k1", |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
79 |
NamedGroupSpec.NAMED_GROUP_ECDHE, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
80 |
ProtocolVersion.PROTOCOLS_TO_12, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
81 |
CurveDB.lookup("sect233k1")),
|
| 55353 | 82 |
|
83 |
// NIST B-233 |
|
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
84 |
SECT233_R1(0x0007, "sect233r1", |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
85 |
NamedGroupSpec.NAMED_GROUP_ECDHE, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
86 |
ProtocolVersion.PROTOCOLS_TO_12, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
87 |
CurveDB.lookup("sect233r1")),
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
88 |
SECT239_K1(0x0008, "sect239k1", |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
89 |
NamedGroupSpec.NAMED_GROUP_ECDHE, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
90 |
ProtocolVersion.PROTOCOLS_TO_12, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
91 |
CurveDB.lookup("sect239k1")),
|
| 55353 | 92 |
|
93 |
// NIST K-283 |
|
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
94 |
SECT283_K1(0x0009, "sect283k1", |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
95 |
NamedGroupSpec.NAMED_GROUP_ECDHE, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
96 |
ProtocolVersion.PROTOCOLS_TO_12, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
97 |
CurveDB.lookup("sect283k1")),
|
| 55353 | 98 |
|
99 |
// NIST B-283 |
|
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
100 |
SECT283_R1(0x000A, "sect283r1", |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
101 |
NamedGroupSpec.NAMED_GROUP_ECDHE, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
102 |
ProtocolVersion.PROTOCOLS_TO_12, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
103 |
CurveDB.lookup("sect283r1")),
|
| 55353 | 104 |
|
105 |
// NIST K-409 |
|
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
106 |
SECT409_K1(0x000B, "sect409k1", |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
107 |
NamedGroupSpec.NAMED_GROUP_ECDHE, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
108 |
ProtocolVersion.PROTOCOLS_TO_12, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
109 |
CurveDB.lookup("sect409k1")),
|
| 55353 | 110 |
|
111 |
// NIST B-409 |
|
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
112 |
SECT409_R1(0x000C, "sect409r1", |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
113 |
NamedGroupSpec.NAMED_GROUP_ECDHE, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
114 |
ProtocolVersion.PROTOCOLS_TO_12, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
115 |
CurveDB.lookup("sect409r1")),
|
| 55353 | 116 |
|
117 |
// NIST K-571 |
|
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
118 |
SECT571_K1(0x000D, "sect571k1", |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
119 |
NamedGroupSpec.NAMED_GROUP_ECDHE, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
120 |
ProtocolVersion.PROTOCOLS_TO_12, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
121 |
CurveDB.lookup("sect571k1")),
|
| 55353 | 122 |
|
123 |
// NIST B-571 |
|
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
124 |
SECT571_R1(0x000E, "sect571r1", |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
125 |
NamedGroupSpec.NAMED_GROUP_ECDHE, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
126 |
ProtocolVersion.PROTOCOLS_TO_12, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
127 |
CurveDB.lookup("sect571r1")),
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
128 |
SECP160_K1(0x000F, "secp160k1", |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
129 |
NamedGroupSpec.NAMED_GROUP_ECDHE, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
130 |
ProtocolVersion.PROTOCOLS_TO_12, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
131 |
CurveDB.lookup("secp160k1")),
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
132 |
SECP160_R1(0x0010, "secp160r1", |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
133 |
NamedGroupSpec.NAMED_GROUP_ECDHE, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
134 |
ProtocolVersion.PROTOCOLS_TO_12, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
135 |
CurveDB.lookup("secp160r1")),
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
136 |
SECP160_R2(0x0011, "secp160r2", |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
137 |
NamedGroupSpec.NAMED_GROUP_ECDHE, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
138 |
ProtocolVersion.PROTOCOLS_TO_12, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
139 |
CurveDB.lookup("secp160r2")),
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
140 |
SECP192_K1(0x0012, "secp192k1", |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
141 |
NamedGroupSpec.NAMED_GROUP_ECDHE, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
142 |
ProtocolVersion.PROTOCOLS_TO_12, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
143 |
CurveDB.lookup("secp192k1")),
|
| 55353 | 144 |
|
145 |
// NIST P-192 |
|
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
146 |
SECP192_R1(0x0013, "secp192r1", |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
147 |
NamedGroupSpec.NAMED_GROUP_ECDHE, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
148 |
ProtocolVersion.PROTOCOLS_TO_12, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
149 |
CurveDB.lookup("secp192r1")),
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
150 |
SECP224_K1(0x0014, "secp224k1", |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
151 |
NamedGroupSpec.NAMED_GROUP_ECDHE, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
152 |
ProtocolVersion.PROTOCOLS_TO_12, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
153 |
CurveDB.lookup("secp224k1")),
|
| 55353 | 154 |
|
155 |
// NIST P-224 |
|
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
156 |
SECP224_R1(0x0015, "secp224r1", |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
157 |
NamedGroupSpec.NAMED_GROUP_ECDHE, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
158 |
ProtocolVersion.PROTOCOLS_TO_12, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
159 |
CurveDB.lookup("secp224r1")),
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
160 |
SECP256_K1(0x0016, "secp256k1", |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
161 |
NamedGroupSpec.NAMED_GROUP_ECDHE, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
162 |
ProtocolVersion.PROTOCOLS_TO_12, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
163 |
CurveDB.lookup("secp256k1")),
|
| 55353 | 164 |
|
165 |
// NIST P-256 |
|
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
166 |
SECP256_R1(0x0017, "secp256r1", |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
167 |
NamedGroupSpec.NAMED_GROUP_ECDHE, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
168 |
ProtocolVersion.PROTOCOLS_TO_13, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
169 |
CurveDB.lookup("secp256r1")),
|
| 55353 | 170 |
|
171 |
// NIST P-384 |
|
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
172 |
SECP384_R1(0x0018, "secp384r1", |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
173 |
NamedGroupSpec.NAMED_GROUP_ECDHE, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
174 |
ProtocolVersion.PROTOCOLS_TO_13, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
175 |
CurveDB.lookup("secp384r1")),
|
| 55353 | 176 |
|
177 |
// NIST P-521 |
|
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
178 |
SECP521_R1(0x0019, "secp521r1", |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
179 |
NamedGroupSpec.NAMED_GROUP_ECDHE, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
180 |
ProtocolVersion.PROTOCOLS_TO_13, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
181 |
CurveDB.lookup("secp521r1")),
|
| 55353 | 182 |
|
183 |
// x25519 and x448 (RFC 8422/8446) |
|
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
184 |
X25519(0x001D, "x25519", |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
185 |
NamedGroupSpec.NAMED_GROUP_XDH, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
186 |
ProtocolVersion.PROTOCOLS_TO_13, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
187 |
NamedParameterSpec.X25519), |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
188 |
X448(0x001E, "x448", |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
189 |
NamedGroupSpec.NAMED_GROUP_XDH, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
190 |
ProtocolVersion.PROTOCOLS_TO_13, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
191 |
NamedParameterSpec.X448), |
| 55353 | 192 |
|
193 |
// Finite Field Diffie-Hellman Ephemeral Parameters (RFC 7919) |
|
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
194 |
FFDHE_2048(0x0100, "ffdhe2048", |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
195 |
NamedGroupSpec.NAMED_GROUP_FFDHE, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
196 |
ProtocolVersion.PROTOCOLS_TO_13, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
197 |
PredefinedDHParameterSpecs.ffdheParams.get(2048)), |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
198 |
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
199 |
FFDHE_3072(0x0101, "ffdhe3072", |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
200 |
NamedGroupSpec.NAMED_GROUP_FFDHE, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
201 |
ProtocolVersion.PROTOCOLS_TO_13, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
202 |
PredefinedDHParameterSpecs.ffdheParams.get(3072)), |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
203 |
FFDHE_4096(0x0102, "ffdhe4096", |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
204 |
NamedGroupSpec.NAMED_GROUP_FFDHE, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
205 |
ProtocolVersion.PROTOCOLS_TO_13, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
206 |
PredefinedDHParameterSpecs.ffdheParams.get(4096)), |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
207 |
FFDHE_6144(0x0103, "ffdhe6144", |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
208 |
NamedGroupSpec.NAMED_GROUP_FFDHE, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
209 |
ProtocolVersion.PROTOCOLS_TO_13, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
210 |
PredefinedDHParameterSpecs.ffdheParams.get(6144)), |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
211 |
FFDHE_8192(0x0104, "ffdhe8192", |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
212 |
NamedGroupSpec.NAMED_GROUP_FFDHE, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
213 |
ProtocolVersion.PROTOCOLS_TO_13, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
214 |
PredefinedDHParameterSpecs.ffdheParams.get(8192)), |
| 55353 | 215 |
|
216 |
// Elliptic Curves (RFC 4492) |
|
217 |
// |
|
218 |
// arbitrary prime and characteristic-2 curves |
|
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
219 |
ARBITRARY_PRIME(0xFF01, "arbitrary_explicit_prime_curves", |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
220 |
NamedGroupSpec.NAMED_GROUP_ARBITRARY, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
221 |
ProtocolVersion.PROTOCOLS_TO_12, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
222 |
null), |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
223 |
ARBITRARY_CHAR2(0xFF02, "arbitrary_explicit_char2_curves", |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
224 |
NamedGroupSpec.NAMED_GROUP_ARBITRARY, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
225 |
ProtocolVersion.PROTOCOLS_TO_12, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
226 |
null); |
| 55353 | 227 |
|
228 |
final int id; // hash + signature |
|
229 |
final String name; // literal name |
|
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
230 |
final NamedGroupSpec spec; // group type |
| 55353 | 231 |
final ProtocolVersion[] supportedProtocols; |
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
232 |
final String algorithm; // key exchange algorithm |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
233 |
final AlgorithmParameterSpec keAlgParamSpec; |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
234 |
final AlgorithmParameters keAlgParams; |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
235 |
final boolean isAvailable; |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
236 |
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
237 |
// performance optimization |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
238 |
private static final Set<CryptoPrimitive> KEY_AGREEMENT_PRIMITIVE_SET = |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
239 |
Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.KEY_AGREEMENT)); |
| 55353 | 240 |
|
241 |
// Constructor used for all NamedGroup types |
|
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
242 |
private NamedGroup(int id, String name, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
243 |
NamedGroupSpec namedGroupSpec, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
244 |
ProtocolVersion[] supportedProtocols, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
245 |
AlgorithmParameterSpec keAlgParamSpec) {
|
| 55353 | 246 |
this.id = id; |
247 |
this.name = name; |
|
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
248 |
this.spec = namedGroupSpec; |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
249 |
this.algorithm = namedGroupSpec.algorithm; |
| 55353 | 250 |
this.supportedProtocols = supportedProtocols; |
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
251 |
this.keAlgParamSpec = keAlgParamSpec; |
| 55353 | 252 |
|
|
59214
e7df7c86eda1
8233954: UnsatisfiedLinkError or NoSuchAlgorithmException after removing sunec.dll
xuelei
parents:
57718
diff
changeset
|
253 |
// Check if it is a supported named group. |
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
254 |
AlgorithmParameters algParams = null; |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
255 |
boolean mediator = (keAlgParamSpec != null); |
|
59214
e7df7c86eda1
8233954: UnsatisfiedLinkError or NoSuchAlgorithmException after removing sunec.dll
xuelei
parents:
57718
diff
changeset
|
256 |
|
|
e7df7c86eda1
8233954: UnsatisfiedLinkError or NoSuchAlgorithmException after removing sunec.dll
xuelei
parents:
57718
diff
changeset
|
257 |
// HACK CODE |
|
e7df7c86eda1
8233954: UnsatisfiedLinkError or NoSuchAlgorithmException after removing sunec.dll
xuelei
parents:
57718
diff
changeset
|
258 |
// |
|
e7df7c86eda1
8233954: UnsatisfiedLinkError or NoSuchAlgorithmException after removing sunec.dll
xuelei
parents:
57718
diff
changeset
|
259 |
// An EC provider, for example the SunEC provider, may support |
|
e7df7c86eda1
8233954: UnsatisfiedLinkError or NoSuchAlgorithmException after removing sunec.dll
xuelei
parents:
57718
diff
changeset
|
260 |
// AlgorithmParameters but not KeyPairGenerator or KeyAgreement. |
|
e7df7c86eda1
8233954: UnsatisfiedLinkError or NoSuchAlgorithmException after removing sunec.dll
xuelei
parents:
57718
diff
changeset
|
261 |
if (mediator && (namedGroupSpec == NamedGroupSpec.NAMED_GROUP_ECDHE)) {
|
|
e7df7c86eda1
8233954: UnsatisfiedLinkError or NoSuchAlgorithmException after removing sunec.dll
xuelei
parents:
57718
diff
changeset
|
262 |
mediator = JsseJce.isEcAvailable(); |
|
e7df7c86eda1
8233954: UnsatisfiedLinkError or NoSuchAlgorithmException after removing sunec.dll
xuelei
parents:
57718
diff
changeset
|
263 |
} |
|
e7df7c86eda1
8233954: UnsatisfiedLinkError or NoSuchAlgorithmException after removing sunec.dll
xuelei
parents:
57718
diff
changeset
|
264 |
|
|
e7df7c86eda1
8233954: UnsatisfiedLinkError or NoSuchAlgorithmException after removing sunec.dll
xuelei
parents:
57718
diff
changeset
|
265 |
// Check the specific algorithm parameters. |
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
266 |
if (mediator) {
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
267 |
try {
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
268 |
algParams = |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
269 |
AlgorithmParameters.getInstance(namedGroupSpec.algorithm); |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
270 |
algParams.init(keAlgParamSpec); |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
271 |
} catch (InvalidParameterSpecException |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
272 |
| NoSuchAlgorithmException exp) {
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
273 |
if (namedGroupSpec != NamedGroupSpec.NAMED_GROUP_XDH) {
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
274 |
mediator = false; |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
275 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
276 |
SSLLogger.warning( |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
277 |
"No AlgorithmParameters for " + name, exp); |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
278 |
} |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
279 |
} else {
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
280 |
// HACK CODE |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
281 |
// |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
282 |
// Please remove the following code if the XDH/X25519/X448 |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
283 |
// AlgorithmParameters algorithms are supported in JDK. |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
284 |
algParams = null; |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
285 |
try {
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
286 |
KeyAgreement.getInstance(name); |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
287 |
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
288 |
// The following service is also needed. But for |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
289 |
// performance, check the KeyAgreement impl only. |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
290 |
// |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
291 |
// KeyFactory.getInstance(name); |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
292 |
// KeyPairGenerator.getInstance(name); |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
293 |
// AlgorithmParameters.getInstance(name); |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
294 |
} catch (NoSuchAlgorithmException nsae) {
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
295 |
mediator = false; |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
296 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
297 |
SSLLogger.warning( |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
298 |
"No AlgorithmParameters for " + name, nsae); |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
299 |
} |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
300 |
} |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
301 |
} |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
302 |
} |
| 55353 | 303 |
} |
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
304 |
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
305 |
this.isAvailable = mediator; |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
306 |
this.keAlgParams = mediator ? algParams : null; |
| 55353 | 307 |
} |
308 |
||
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
309 |
// |
| 55353 | 310 |
// The next set of methods search & retrieve NamedGroups. |
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
311 |
// |
| 55353 | 312 |
static NamedGroup valueOf(int id) {
|
313 |
for (NamedGroup group : NamedGroup.values()) {
|
|
314 |
if (group.id == id) {
|
|
315 |
return group; |
|
316 |
} |
|
317 |
} |
|
318 |
||
319 |
return null; |
|
320 |
} |
|
321 |
||
322 |
static NamedGroup valueOf(ECParameterSpec params) {
|
|
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
323 |
for (NamedGroup ng : NamedGroup.values()) {
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
324 |
if (ng.spec == NamedGroupSpec.NAMED_GROUP_ECDHE) {
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
325 |
if ((params == ng.keAlgParamSpec) || |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
326 |
(ng.keAlgParamSpec == CurveDB.lookup(params))) {
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
327 |
return ng; |
| 55353 | 328 |
} |
329 |
} |
|
330 |
} |
|
331 |
||
332 |
return null; |
|
333 |
} |
|
334 |
||
335 |
static NamedGroup valueOf(DHParameterSpec params) {
|
|
336 |
for (NamedGroup ng : NamedGroup.values()) {
|
|
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
337 |
if (ng.spec != NamedGroupSpec.NAMED_GROUP_FFDHE) {
|
| 55353 | 338 |
continue; |
339 |
} |
|
340 |
||
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
341 |
DHParameterSpec ngParams = (DHParameterSpec)ng.keAlgParamSpec; |
| 55353 | 342 |
if (ngParams.getP().equals(params.getP()) |
343 |
&& ngParams.getG().equals(params.getG())) {
|
|
344 |
return ng; |
|
345 |
} |
|
346 |
} |
|
347 |
||
348 |
return null; |
|
349 |
} |
|
350 |
||
351 |
static NamedGroup nameOf(String name) {
|
|
352 |
for (NamedGroup group : NamedGroup.values()) {
|
|
353 |
if (group.name.equals(name)) {
|
|
354 |
return group; |
|
355 |
} |
|
356 |
} |
|
357 |
||
358 |
return null; |
|
359 |
} |
|
360 |
||
361 |
static String nameOf(int id) {
|
|
362 |
for (NamedGroup group : NamedGroup.values()) {
|
|
363 |
if (group.id == id) {
|
|
364 |
return group.name; |
|
365 |
} |
|
366 |
} |
|
367 |
||
368 |
return "UNDEFINED-NAMED-GROUP(" + id + ")";
|
|
369 |
} |
|
370 |
||
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
371 |
// Is the NamedGroup available for the protocols desired? |
| 55353 | 372 |
boolean isAvailable(List<ProtocolVersion> protocolVersions) {
|
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
373 |
if (this.isAvailable) {
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
374 |
for (ProtocolVersion pv : supportedProtocols) {
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
375 |
if (protocolVersions.contains(pv)) {
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
376 |
return true; |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
377 |
} |
| 55353 | 378 |
} |
379 |
} |
|
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
380 |
|
| 55353 | 381 |
return false; |
382 |
} |
|
383 |
||
384 |
boolean isAvailable(ProtocolVersion protocolVersion) {
|
|
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
385 |
if (this.isAvailable) {
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
386 |
for (ProtocolVersion pv : supportedProtocols) {
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
387 |
if (protocolVersion == pv) {
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
388 |
return true; |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
389 |
} |
| 55353 | 390 |
} |
391 |
} |
|
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
392 |
|
| 55353 | 393 |
return false; |
394 |
} |
|
395 |
||
396 |
// Are the NamedGroups available for the ciphersuites desired? |
|
397 |
boolean isSupported(List<CipherSuite> cipherSuites) {
|
|
398 |
for (CipherSuite cs : cipherSuites) {
|
|
399 |
boolean isMatch = isAvailable(cs.supportedProtocols); |
|
400 |
if (isMatch && ((cs.keyExchange == null) |
|
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
401 |
|| (NamedGroupSpec.arrayContains( |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
402 |
cs.keyExchange.groupTypes, spec)))) {
|
| 55353 | 403 |
return true; |
404 |
} |
|
405 |
} |
|
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
406 |
|
| 55353 | 407 |
return false; |
408 |
} |
|
409 |
||
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
410 |
boolean isPermitted(AlgorithmConstraints constraints) {
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
411 |
return constraints.permits(KEY_AGREEMENT_PRIMITIVE_SET, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
412 |
this.name, null) && |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
413 |
constraints.permits(KEY_AGREEMENT_PRIMITIVE_SET, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
414 |
this.algorithm, this.keAlgParams); |
| 55353 | 415 |
} |
416 |
||
417 |
byte[] encodePossessionPublicKey( |
|
418 |
NamedGroupPossession namedGroupPossession) {
|
|
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
419 |
return spec.encodePossessionPublicKey(namedGroupPossession); |
| 55353 | 420 |
} |
421 |
||
422 |
SSLCredentials decodeCredentials(byte[] encoded, |
|
423 |
AlgorithmConstraints constraints, |
|
424 |
ExceptionSupplier onConstraintFail) |
|
425 |
throws IOException, GeneralSecurityException {
|
|
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
426 |
return spec.decodeCredentials( |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
427 |
this, encoded, constraints, onConstraintFail); |
| 55353 | 428 |
} |
429 |
||
430 |
SSLPossession createPossession(SecureRandom random) {
|
|
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
431 |
return spec.createPossession(this, random); |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
432 |
} |
| 55353 | 433 |
|
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
434 |
SSLKeyDerivation createKeyDerivation( |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
435 |
HandshakeContext hc) throws IOException {
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
436 |
return spec.createKeyDerivation(hc); |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
437 |
} |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
438 |
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
439 |
interface ExceptionSupplier {
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
440 |
void apply(String s) throws SSLException; |
| 55353 | 441 |
} |
442 |
||
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
443 |
// A list of operations related to named groups. |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
444 |
private interface NamedGroupScheme {
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
445 |
default void checkConstraints(PublicKey publicKey, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
446 |
AlgorithmConstraints constraints, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
447 |
ExceptionSupplier onConstraintFail) throws SSLException {
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
448 |
if (!constraints.permits( |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
449 |
EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), publicKey)) {
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
450 |
onConstraintFail.apply("key share entry does not "
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
451 |
+ "comply with algorithm constraints"); |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
452 |
} |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
453 |
} |
| 55353 | 454 |
|
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
455 |
byte[] encodePossessionPublicKey( |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
456 |
NamedGroupPossession namedGroupPossession); |
| 55353 | 457 |
|
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
458 |
SSLCredentials decodeCredentials( |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
459 |
NamedGroup ng, byte[] encoded, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
460 |
AlgorithmConstraints constraints, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
461 |
ExceptionSupplier onConstraintFail |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
462 |
) throws IOException, GeneralSecurityException; |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
463 |
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
464 |
SSLPossession createPossession(NamedGroup ng, SecureRandom random); |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
465 |
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
466 |
SSLKeyDerivation createKeyDerivation( |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
467 |
HandshakeContext hc) throws IOException; |
| 55353 | 468 |
} |
469 |
||
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
470 |
enum NamedGroupSpec implements NamedGroupScheme {
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
471 |
// Elliptic Curve Groups (ECDHE) |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
472 |
NAMED_GROUP_ECDHE("EC", ECDHEScheme.instance),
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
473 |
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
474 |
// Finite Field Groups (DHE) |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
475 |
NAMED_GROUP_FFDHE("DiffieHellman", FFDHEScheme.instance),
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
476 |
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
477 |
// Finite Field Groups (XDH) |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
478 |
NAMED_GROUP_XDH("XDH", XDHScheme.instance),
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
479 |
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
480 |
// arbitrary prime and curves (ECDHE) |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
481 |
NAMED_GROUP_ARBITRARY("EC", null),
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
482 |
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
483 |
// Not predefined named group |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
484 |
NAMED_GROUP_NONE("", null);
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
485 |
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
486 |
private final String algorithm; // key exchange name |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
487 |
private final NamedGroupScheme scheme; // named group operations |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
488 |
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
489 |
private NamedGroupSpec(String algorithm, NamedGroupScheme scheme) {
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
490 |
this.algorithm = algorithm; |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
491 |
this.scheme = scheme; |
| 55353 | 492 |
} |
493 |
||
494 |
boolean isSupported(List<CipherSuite> cipherSuites) {
|
|
495 |
for (CipherSuite cs : cipherSuites) {
|
|
496 |
if (cs.keyExchange == null || |
|
497 |
arrayContains(cs.keyExchange.groupTypes, this)) {
|
|
498 |
return true; |
|
499 |
} |
|
500 |
} |
|
501 |
||
502 |
return false; |
|
503 |
} |
|
504 |
||
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
505 |
static boolean arrayContains(NamedGroupSpec[] namedGroupTypes, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
506 |
NamedGroupSpec namedGroupType) {
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
507 |
for (NamedGroupSpec ng : namedGroupTypes) {
|
| 55353 | 508 |
if (ng == namedGroupType) {
|
509 |
return true; |
|
510 |
} |
|
511 |
} |
|
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
512 |
|
| 55353 | 513 |
return false; |
514 |
} |
|
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
515 |
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
516 |
@Override |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
517 |
public byte[] encodePossessionPublicKey( |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
518 |
NamedGroupPossession namedGroupPossession) {
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
519 |
if (scheme != null) {
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
520 |
return scheme.encodePossessionPublicKey(namedGroupPossession); |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
521 |
} |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
522 |
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
523 |
return null; |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
524 |
} |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
525 |
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
526 |
@Override |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
527 |
public SSLCredentials decodeCredentials(NamedGroup ng, byte[] encoded, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
528 |
AlgorithmConstraints constraints, |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
529 |
ExceptionSupplier onConstraintFail |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
530 |
) throws IOException, GeneralSecurityException {
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
531 |
if (scheme != null) {
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
532 |
return scheme.decodeCredentials( |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
533 |
ng, encoded, constraints, onConstraintFail); |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
534 |
} |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
535 |
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
536 |
return null; |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
537 |
} |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
538 |
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
539 |
@Override |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
540 |
public SSLPossession createPossession( |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
541 |
NamedGroup ng, SecureRandom random) {
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
542 |
if (scheme != null) {
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
543 |
return scheme.createPossession(ng, random); |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
544 |
} |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
545 |
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
546 |
return null; |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
547 |
} |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
548 |
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
549 |
@Override |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
550 |
public SSLKeyDerivation createKeyDerivation( |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
551 |
HandshakeContext hc) throws IOException {
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
552 |
if (scheme != null) {
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
553 |
return scheme.createKeyDerivation(hc); |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
554 |
} |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
555 |
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
556 |
return null; |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
557 |
} |
| 55353 | 558 |
} |
559 |
||
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
560 |
private static class FFDHEScheme implements NamedGroupScheme {
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
561 |
private static final FFDHEScheme instance = new FFDHEScheme(); |
| 55353 | 562 |
|
563 |
@Override |
|
564 |
public byte[] encodePossessionPublicKey( |
|
565 |
NamedGroupPossession namedGroupPossession) {
|
|
566 |
return ((DHEPossession)namedGroupPossession).encode(); |
|
567 |
} |
|
568 |
||
569 |
@Override |
|
570 |
public SSLCredentials decodeCredentials(NamedGroup ng, byte[] encoded, |
|
571 |
AlgorithmConstraints constraints, |
|
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
572 |
ExceptionSupplier onConstraintFail |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
573 |
) throws IOException, GeneralSecurityException {
|
| 55353 | 574 |
|
575 |
DHKeyExchange.DHECredentials result |
|
576 |
= DHKeyExchange.DHECredentials.valueOf(ng, encoded); |
|
577 |
||
578 |
checkConstraints(result.getPublicKey(), constraints, |
|
579 |
onConstraintFail); |
|
580 |
||
581 |
return result; |
|
582 |
} |
|
583 |
||
584 |
@Override |
|
585 |
public SSLPossession createPossession( |
|
586 |
NamedGroup ng, SecureRandom random) {
|
|
587 |
return new DHKeyExchange.DHEPossession(ng, random); |
|
588 |
} |
|
589 |
||
590 |
@Override |
|
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
591 |
public SSLKeyDerivation createKeyDerivation( |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
592 |
HandshakeContext hc) throws IOException {
|
| 55353 | 593 |
|
594 |
return DHKeyExchange.kaGenerator.createKeyDerivation(hc); |
|
595 |
} |
|
596 |
} |
|
597 |
||
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
598 |
private static class ECDHEScheme implements NamedGroupScheme {
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
599 |
private static final ECDHEScheme instance = new ECDHEScheme(); |
| 55353 | 600 |
|
601 |
@Override |
|
602 |
public byte[] encodePossessionPublicKey( |
|
603 |
NamedGroupPossession namedGroupPossession) {
|
|
604 |
return ((ECDHEPossession)namedGroupPossession).encode(); |
|
605 |
} |
|
606 |
||
607 |
@Override |
|
608 |
public SSLCredentials decodeCredentials(NamedGroup ng, byte[] encoded, |
|
609 |
AlgorithmConstraints constraints, |
|
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
610 |
ExceptionSupplier onConstraintFail |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
611 |
) throws IOException, GeneralSecurityException {
|
| 55353 | 612 |
|
613 |
ECDHKeyExchange.ECDHECredentials result |
|
614 |
= ECDHKeyExchange.ECDHECredentials.valueOf(ng, encoded); |
|
615 |
||
616 |
checkConstraints(result.getPublicKey(), constraints, |
|
617 |
onConstraintFail); |
|
618 |
||
619 |
return result; |
|
620 |
} |
|
621 |
||
622 |
@Override |
|
623 |
public SSLPossession createPossession( |
|
624 |
NamedGroup ng, SecureRandom random) {
|
|
625 |
return new ECDHKeyExchange.ECDHEPossession(ng, random); |
|
626 |
} |
|
627 |
||
628 |
@Override |
|
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
629 |
public SSLKeyDerivation createKeyDerivation( |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
630 |
HandshakeContext hc) throws IOException {
|
| 55353 | 631 |
return ECDHKeyExchange.ecdheKAGenerator.createKeyDerivation(hc); |
632 |
} |
|
633 |
} |
|
634 |
||
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
635 |
private static class XDHScheme implements NamedGroupScheme {
|
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
636 |
private static final XDHScheme instance = new XDHScheme(); |
| 55353 | 637 |
|
638 |
@Override |
|
639 |
public byte[] encodePossessionPublicKey(NamedGroupPossession poss) {
|
|
640 |
return ((XDHKeyExchange.XDHEPossession)poss).encode(); |
|
641 |
} |
|
642 |
||
643 |
@Override |
|
644 |
public SSLCredentials decodeCredentials(NamedGroup ng, byte[] encoded, |
|
645 |
AlgorithmConstraints constraints, |
|
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
646 |
ExceptionSupplier onConstraintFail |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
647 |
) throws IOException, GeneralSecurityException {
|
| 55353 | 648 |
|
649 |
XDHKeyExchange.XDHECredentials result |
|
650 |
= XDHKeyExchange.XDHECredentials.valueOf(ng, encoded); |
|
651 |
||
652 |
checkConstraints(result.getPublicKey(), constraints, |
|
653 |
onConstraintFail); |
|
654 |
||
655 |
return result; |
|
656 |
} |
|
657 |
||
658 |
@Override |
|
659 |
public SSLPossession createPossession( |
|
660 |
NamedGroup ng, SecureRandom random) {
|
|
661 |
return new XDHKeyExchange.XDHEPossession(ng, random); |
|
662 |
} |
|
663 |
||
664 |
@Override |
|
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
665 |
public SSLKeyDerivation createKeyDerivation( |
|
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
666 |
HandshakeContext hc) throws IOException {
|
| 55353 | 667 |
return XDHKeyExchange.xdheKAGenerator.createKeyDerivation(hc); |
668 |
} |
|
669 |
} |
|
670 |
} |