jdk-sandbox: src/java.base/share/classes/sun/security/ssl/DHKeyExchange.java@f103e0c2be1e (annotated)

56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1	/*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	2	* Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	3	* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	4	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	5	* This code is free software; you can redistribute it and/or modify it
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	6	* under the terms of the GNU General Public License version 2 only, as
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	7	* published by the Free Software Foundation. Oracle designates this
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	8	* particular file as subject to the "Classpath" exception as provided
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	9	* by Oracle in the LICENSE file that accompanied this code.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	10	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	11	* This code is distributed in the hope that it will be useful, but WITHOUT
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	12	* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	13	* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	14	* version 2 for more details (a copy is included in the LICENSE file that
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	15	* accompanied this code).
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	16	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	17	* You should have received a copy of the GNU General Public License version
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	18	* 2 along with this work; if not, write to the Free Software Foundation,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	19	* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	20	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	21	* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	22	* or visit www.oracle.com if you need additional information or have any
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	23	* questions.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	24	*/
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	25
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	26	package sun.security.ssl;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	27
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	28	import java.io.IOException;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	29	import java.math.BigInteger;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	30	import java.security.GeneralSecurityException;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	31	import java.security.InvalidKeyException;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	32	import java.security.KeyFactory;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	33	import java.security.KeyPair;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	34	import java.security.KeyPairGenerator;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	35	import java.security.PrivateKey;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	36	import java.security.PublicKey;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	37	import java.security.SecureRandom;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	38	import java.security.spec.AlgorithmParameterSpec;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	39	import javax.crypto.KeyAgreement;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	40	import javax.crypto.SecretKey;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	41	import javax.crypto.interfaces.DHPublicKey;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	42	import javax.crypto.spec.DHParameterSpec;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	43	import javax.crypto.spec.DHPublicKeySpec;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	44	import javax.crypto.spec.SecretKeySpec;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	45	import javax.net.ssl.SSLHandshakeException;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	46	import sun.security.action.GetPropertyAction;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	47	import sun.security.ssl.CipherSuite.HashAlg;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	48	import sun.security.ssl.SupportedGroupsExtension.NamedGroup;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	49	import sun.security.ssl.SupportedGroupsExtension.NamedGroupType;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	50	import sun.security.ssl.SupportedGroupsExtension.SupportedGroups;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	51	import sun.security.ssl.X509Authentication.X509Possession;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	52	import sun.security.util.KeyUtil;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	53
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	54	final class DHKeyExchange {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	55	static final SSLPossessionGenerator poGenerator =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	56	new DHEPossessionGenerator(false);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	57	static final SSLPossessionGenerator poExportableGenerator =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	58	new DHEPossessionGenerator(true);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	59	static final SSLKeyAgreementGenerator kaGenerator =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	60	new DHEKAGenerator();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	61
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	62	static final class DHECredentials implements SSLCredentials {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	63	final DHPublicKey popPublicKey;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	64	final NamedGroup namedGroup;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	65
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	66	DHECredentials(DHPublicKey popPublicKey, NamedGroup namedGroup) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	67	this.popPublicKey = popPublicKey;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	68	this.namedGroup = namedGroup;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	69	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	70
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	71	static DHECredentials valueOf(NamedGroup ng,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	72	byte[] encodedPublic) throws IOException, GeneralSecurityException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	73
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	74	if (ng.type != NamedGroupType.NAMED_GROUP_FFDHE) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	75	throw new RuntimeException(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	76	"Credentials decoding: Not FFDHE named group");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	77	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	78
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	79	if (encodedPublic == null \|\| encodedPublic.length == 0) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	80	return null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	81	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	82
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	83	DHParameterSpec params = (DHParameterSpec)ng.getParameterSpec();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	84	if (params == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	85	return null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	86	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	87
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	88	KeyFactory kf = JsseJce.getKeyFactory("DiffieHellman");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	89	DHPublicKeySpec spec = new DHPublicKeySpec(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	90	new BigInteger(1, encodedPublic),
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	91	params.getP(), params.getG());
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	92	DHPublicKey publicKey =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	93	(DHPublicKey)kf.generatePublic(spec);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	94
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	95	return new DHECredentials(publicKey, ng);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	96	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	97	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	98
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	99	static final class DHEPossession implements SSLPossession {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	100	final PrivateKey privateKey;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	101	final DHPublicKey publicKey;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	102	final NamedGroup namedGroup;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	103
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	104	DHEPossession(NamedGroup namedGroup, SecureRandom random) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	105	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	106	KeyPairGenerator kpg = JsseJce.getKeyPairGenerator("DH");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	107	DHParameterSpec params =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	108	(DHParameterSpec)namedGroup.getParameterSpec();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	109	kpg.initialize(params, random);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	110	KeyPair kp = generateDHKeyPair(kpg);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	111	if (kp == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	112	throw new RuntimeException("Could not generate DH keypair");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	113	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	114	privateKey = kp.getPrivate();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	115	publicKey = (DHPublicKey)kp.getPublic();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	116	} catch (GeneralSecurityException gse) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	117	throw new RuntimeException(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	118	"Could not generate DH keypair", gse);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	119	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	120
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	121	this.namedGroup = namedGroup;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	122	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	123
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	124	DHEPossession(int keyLength, SecureRandom random) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	125	DHParameterSpec params =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	126	PredefinedDHParameterSpecs.definedParams.get(keyLength);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	127	try {
56603 f103e0c2be1e remove TODO tags if no need any more xuelei parents: 56542 diff changeset	128	KeyPairGenerator kpg =
f103e0c2be1e remove TODO tags if no need any more xuelei parents: 56542 diff changeset	129	JsseJce.getKeyPairGenerator("DiffieHellman");
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	130	if (params != null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	131	kpg.initialize(params, random);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	132	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	133	kpg.initialize(keyLength, random);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	134	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	135
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	136	KeyPair kp = generateDHKeyPair(kpg);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	137	if (kp == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	138	throw new RuntimeException(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	139	"Could not generate DH keypair of " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	140	keyLength + " bits");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	141	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	142	privateKey = kp.getPrivate();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	143	publicKey = (DHPublicKey)kp.getPublic();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	144	} catch (GeneralSecurityException gse) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	145	throw new RuntimeException(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	146	"Could not generate DH keypair", gse);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	147	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	148
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	149	this.namedGroup = NamedGroup.valueOf(publicKey.getParams());
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	150	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	151
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	152	DHEPossession(DHECredentials credentials, SecureRandom random) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	153	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	154	KeyPairGenerator kpg = JsseJce.getKeyPairGenerator("DH");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	155	kpg.initialize(credentials.popPublicKey.getParams(), random);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	156	KeyPair kp = generateDHKeyPair(kpg);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	157	if (kp == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	158	throw new RuntimeException("Could not generate DH keypair");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	159	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	160	privateKey = kp.getPrivate();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	161	publicKey = (DHPublicKey)kp.getPublic();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	162	} catch (GeneralSecurityException gse) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	163	throw new RuntimeException(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	164	"Could not generate DH keypair", gse);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	165	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	166
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	167	this.namedGroup = credentials.namedGroup;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	168	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	169
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	170	// Generate and validate DHPublicKeySpec
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	171	private KeyPair generateDHKeyPair(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	172	KeyPairGenerator kpg) throws GeneralSecurityException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	173	boolean doExtraValiadtion =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	174	(!KeyUtil.isOracleJCEProvider(kpg.getProvider().getName()));
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	175	boolean isRecovering = false;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	176	for (int i = 0; i <= 2; i++) { // Try to recove from failure.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	177	KeyPair kp = kpg.generateKeyPair();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	178	// validate the Diffie-Hellman public key
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	179	if (doExtraValiadtion) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	180	DHPublicKeySpec spec = getDHPublicKeySpec(kp.getPublic());
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	181	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	182	KeyUtil.validate(spec);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	183	} catch (InvalidKeyException ivke) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	184	if (isRecovering) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	185	throw ivke;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	186	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	187	// otherwise, ignore the exception and try again
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	188	continue;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	189	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	190	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	191
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	192	return kp;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	193	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	194
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	195	return null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	196	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	197
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	198	private static DHPublicKeySpec getDHPublicKeySpec(PublicKey key) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	199	if (key instanceof DHPublicKey) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	200	DHPublicKey dhKey = (DHPublicKey)key;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	201	DHParameterSpec params = dhKey.getParams();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	202	return new DHPublicKeySpec(dhKey.getY(),
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	203	params.getP(), params.getG());
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	204	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	205	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	206	KeyFactory factory = JsseJce.getKeyFactory("DiffieHellman");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	207	return factory.getKeySpec(key, DHPublicKeySpec.class);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	208	} catch (Exception e) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	209	throw new RuntimeException(e);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	210	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	211	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	212
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	213	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	214	public byte[] encode() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	215	// TODO: cannonical the return byte array length.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	216	return publicKey.getY().toByteArray();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	217	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	218	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	219
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	220	private static final class
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	221	DHEPossessionGenerator implements SSLPossessionGenerator {
56603 f103e0c2be1e remove TODO tags if no need any more xuelei parents: 56542 diff changeset	222	// Flag to use smart ephemeral DH key which size matches the
f103e0c2be1e remove TODO tags if no need any more xuelei parents: 56542 diff changeset	223	// corresponding authentication key
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	224	private static final boolean useSmartEphemeralDHKeys;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	225
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	226	// Flag to use legacy ephemeral DH key which size is 512 bits for
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	227	// exportable cipher suites, and 768 bits for others
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	228	private static final boolean useLegacyEphemeralDHKeys;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	229
56603 f103e0c2be1e remove TODO tags if no need any more xuelei parents: 56542 diff changeset	230	// The customized ephemeral DH key size for non-exportable
f103e0c2be1e remove TODO tags if no need any more xuelei parents: 56542 diff changeset	231	// cipher suites.
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	232	private static final int customizedDHKeySize;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	233
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	234	// Is it for exportable cipher suite?
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	235	private final boolean exportable;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	236
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	237	static {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	238	String property = GetPropertyAction.privilegedGetProperty(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	239	"jdk.tls.ephemeralDHKeySize");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	240	if (property == null \|\| property.length() == 0) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	241	useLegacyEphemeralDHKeys = false;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	242	useSmartEphemeralDHKeys = false;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	243	customizedDHKeySize = -1;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	244	} else if ("matched".equals(property)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	245	useLegacyEphemeralDHKeys = false;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	246	useSmartEphemeralDHKeys = true;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	247	customizedDHKeySize = -1;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	248	} else if ("legacy".equals(property)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	249	useLegacyEphemeralDHKeys = true;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	250	useSmartEphemeralDHKeys = false;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	251	customizedDHKeySize = -1;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	252	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	253	useLegacyEphemeralDHKeys = false;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	254	useSmartEphemeralDHKeys = false;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	255
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	256	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	257	// DH parameter generation can be extremely slow, best to
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	258	// use one of the supported pre-computed DH parameters
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	259	// (see DHCrypt class).
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	260	customizedDHKeySize = Integer.parseUnsignedInt(property);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	261	if (customizedDHKeySize < 1024 \|\|
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	262	customizedDHKeySize > 8192 \|\|
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	263	(customizedDHKeySize & 0x3f) != 0) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	264	throw new IllegalArgumentException(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	265	"Unsupported customized DH key size: " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	266	customizedDHKeySize + ". " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	267	"The key size must be multiple of 64, " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	268	"and range from 1024 to 8192 (inclusive)");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	269	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	270	} catch (NumberFormatException nfe) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	271	throw new IllegalArgumentException(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	272	"Invalid system property jdk.tls.ephemeralDHKeySize");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	273	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	274	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	275	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	276
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	277	// Prevent instantiation of this class.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	278	private DHEPossessionGenerator(boolean exportable) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	279	this.exportable = exportable;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	280	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	281
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	282	// Used for ServerKeyExchange, TLS 1.2 and prior versions.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	283	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	284	public SSLPossession createPossession(HandshakeContext context) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	285	NamedGroup preferableNamedGroup = null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	286	if (!useLegacyEphemeralDHKeys &&
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	287	(context.clientRequestedNamedGroups != null) &&
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	288	(!context.clientRequestedNamedGroups.isEmpty())) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	289	preferableNamedGroup =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	290	SupportedGroups.getPreferredGroup(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	291	context.negotiatedProtocol,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	292	context.algorithmConstraints,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	293	NamedGroupType.NAMED_GROUP_FFDHE,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	294	context.clientRequestedNamedGroups);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	295	if (preferableNamedGroup != null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	296	return new DHEPossession(preferableNamedGroup,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	297	context.sslContext.getSecureRandom());
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	298	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	299	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	300
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	301	/*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	302	* 768 bits ephemeral DH private keys were used to be used in
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	303	* ServerKeyExchange except that exportable ciphers max out at 512
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	304	* bits modulus values. We still adhere to this behavior in legacy
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	305	* mode (system property "jdk.tls.ephemeralDHKeySize" is defined
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	306	* as "legacy").
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	307	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	308	* Old JDK (JDK 7 and previous) releases don't support DH keys
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	309	* bigger than 1024 bits. We have to consider the compatibility
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	310	* requirement. 1024 bits DH key is always used for non-exportable
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	311	* cipher suites in default mode (system property
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	312	* "jdk.tls.ephemeralDHKeySize" is not defined).
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	313	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	314	* However, if applications want more stronger strength, setting
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	315	* system property "jdk.tls.ephemeralDHKeySize" to "matched"
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	316	* is a workaround to use ephemeral DH key which size matches the
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	317	* corresponding authentication key. For example, if the public key
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	318	* size of an authentication certificate is 2048 bits, then the
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	319	* ephemeral DH key size should be 2048 bits accordingly unless
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	320	* the cipher suite is exportable. This key sizing scheme keeps
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	321	* the cryptographic strength consistent between authentication
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	322	* keys and key-exchange keys.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	323	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	324	* Applications may also want to customize the ephemeral DH key
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	325	* size to a fixed length for non-exportable cipher suites. This
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	326	* can be approached by setting system property
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	327	* "jdk.tls.ephemeralDHKeySize" to a valid positive integer between
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	328	* 1024 and 8192 bits, inclusive.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	329	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	330	* Note that the minimum acceptable key size is 1024 bits except
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	331	* exportable cipher suites or legacy mode.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	332	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	333	* Note that per RFC 2246, the key size limit of DH is 512 bits for
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	334	* exportable cipher suites. Because of the weakness, exportable
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	335	* cipher suites are deprecated since TLS v1.1 and they are not
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	336	* enabled by default in Oracle provider. The legacy behavior is
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	337	* reserved and 512 bits DH key is always used for exportable
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	338	* cipher suites.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	339	*/
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	340	int keySize = exportable ? 512 : 1024; // default mode
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	341	if (!exportable) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	342	if (useLegacyEphemeralDHKeys) { // legacy mode
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	343	keySize = 768;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	344	} else if (useSmartEphemeralDHKeys) { // matched mode
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	345	PrivateKey key = null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	346	ServerHandshakeContext shc =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	347	(ServerHandshakeContext)context;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	348	if (shc.interimAuthn instanceof X509Possession) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	349	key = ((X509Possession)shc.interimAuthn).popPrivateKey;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	350	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	351
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	352	if (key != null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	353	int ks = KeyUtil.getKeySize(key);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	354
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	355	// DH parameter generation can be extremely slow, make
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	356	// sure to use one of the supported pre-computed DH
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	357	// parameters.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	358	//
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	359	// Old deployed applications may not be ready to
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	360	// support DH key sizes bigger than 2048 bits. Please
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	361	// DON'T use value other than 1024 and 2048 at present.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	362	// May improve the underlying providers and key size
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	363	// limit in the future when the compatibility and
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	364	// interoperability impact is limited.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	365	keySize = ks <= 1024 ? 1024 : 2048;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	366	} // Otherwise, anonymous cipher suites, 1024-bit is used.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	367	} else if (customizedDHKeySize > 0) { // customized mode
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	368	keySize = customizedDHKeySize;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	369	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	370	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	371
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	372	return new DHEPossession(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	373	keySize, context.sslContext.getSecureRandom());
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	374	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	375	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	376
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	377	private static final
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	378	class DHEKAGenerator implements SSLKeyAgreementGenerator {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	379	static private DHEKAGenerator instance = new DHEKAGenerator();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	380
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	381	// Prevent instantiation of this class.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	382	private DHEKAGenerator() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	383	// blank
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	384	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	385
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	386	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	387	public SSLKeyDerivation createKeyDerivation(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	388	HandshakeContext context) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	389	DHEPossession dhePossession = null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	390	DHECredentials dheCredentials = null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	391	for (SSLPossession poss : context.handshakePossessions) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	392	if (!(poss instanceof DHEPossession)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	393	continue;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	394	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	395
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	396	DHEPossession dhep = (DHEPossession)poss;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	397	for (SSLCredentials cred : context.handshakeCredentials) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	398	if (!(cred instanceof DHECredentials)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	399	continue;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	400	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	401	DHECredentials dhec = (DHECredentials)cred;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	402	if (dhep.namedGroup != null && dhec.namedGroup != null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	403	if (dhep.namedGroup.equals(dhec.namedGroup)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	404	dheCredentials = (DHECredentials)cred;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	405	break;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	406	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	407	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	408	DHParameterSpec pps = dhep.publicKey.getParams();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	409	DHParameterSpec cps = dhec.popPublicKey.getParams();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	410	if (pps.getP().equals(cps.getP()) &&
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	411	pps.getG().equals(cps.getG())) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	412	dheCredentials = (DHECredentials)cred;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	413	break;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	414	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	415	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	416	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	417
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	418	if (dheCredentials != null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	419	dhePossession = (DHEPossession)poss;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	420	break;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	421	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	422	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	423
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	424	if (dhePossession == null \|\| dheCredentials == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	425	context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	426	"No sufficient DHE key agreement parameters negotiated");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	427	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	428
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	429	return new DHEKAKeyDerivation(context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	430	dhePossession.privateKey, dheCredentials.popPublicKey);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	431	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	432
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	433	private static final
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	434	class DHEKAKeyDerivation implements SSLKeyDerivation {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	435	private final HandshakeContext context;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	436	private final PrivateKey localPrivateKey;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	437	private final PublicKey peerPublicKey;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	438
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	439	DHEKAKeyDerivation(HandshakeContext context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	440	PrivateKey localPrivateKey,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	441	PublicKey peerPublicKey) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	442	this.context = context;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	443	this.localPrivateKey = localPrivateKey;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	444	this.peerPublicKey = peerPublicKey;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	445	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	446
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	447	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	448	public SecretKey deriveKey(String algorithm,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	449	AlgorithmParameterSpec params) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	450	if (!context.negotiatedProtocol.useTLS13PlusSpec()) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	451	return t12DeriveKey(algorithm, params);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	452	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	453	return t13DeriveKey(algorithm, params);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	454	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	455	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	456
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	457	private SecretKey t12DeriveKey(String algorithm,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	458	AlgorithmParameterSpec params) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	459	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	460	KeyAgreement ka = JsseJce.getKeyAgreement("DH");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	461	ka.init(localPrivateKey);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	462	ka.doPhase(peerPublicKey, true);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	463	SecretKey preMasterSecret =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	464	ka.generateSecret("TlsPremasterSecret");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	465	SSLMasterKeyDerivation mskd =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	466	SSLMasterKeyDerivation.valueOf(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	467	context.negotiatedProtocol);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	468	SSLKeyDerivation kd = mskd.createKeyDerivation(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	469	context, preMasterSecret);
56603 f103e0c2be1e remove TODO tags if no need any more xuelei parents: 56542 diff changeset	470	return kd.deriveKey("MasterSecret", params);
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	471	} catch (GeneralSecurityException gse) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	472	throw (SSLHandshakeException) new SSLHandshakeException(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	473	"Could not generate secret").initCause(gse);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	474	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	475	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	476
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	477	private SecretKey t13DeriveKey(String algorithm,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	478	AlgorithmParameterSpec params) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	479	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	480	KeyAgreement ka = JsseJce.getKeyAgreement("DH");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	481	ka.init(localPrivateKey);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	482	ka.doPhase(peerPublicKey, true);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	483	SecretKey sharedSecret =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	484	ka.generateSecret("TlsPremasterSecret");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	485
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	486	HashAlg hashAlg = context.negotiatedCipherSuite.hashAlg;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	487	SSLKeyDerivation kd = context.handshakeKeyDerivation;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	488	HKDF hkdf = new HKDF(hashAlg.name);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	489	if (kd == null) { // No PSK is in use.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	490	// If PSK is not in use Early Secret will still be
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	491	// HKDF-Extract(0, 0).
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	492	byte[] zeros = new byte[hashAlg.hashLength];
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	493	SecretKeySpec ikm =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	494	new SecretKeySpec(zeros, "TlsPreSharedSecret");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	495	SecretKey earlySecret =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	496	hkdf.extract(zeros, ikm, "TlsEarlySecret");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	497	kd = new SSLSecretDerivation(context, earlySecret);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	498	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	499
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	500	// derive salt secret
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	501	SecretKey saltSecret = kd.deriveKey("TlsSaltSecret", null);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	502
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	503	// derive handshake secret
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	504	return hkdf.extract(saltSecret, sharedSecret, algorithm);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	505	} catch (GeneralSecurityException gse) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	506	throw (SSLHandshakeException) new SSLHandshakeException(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	507	"Could not generate secret").initCause(gse);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	508	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	509	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	510	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	511	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	512	}

author	xuelei
	Thu, 24 May 2018 09:21:01 -0700
branch	JDK-8145252-TLS13-branch
changeset 56603	f103e0c2be1e
parent 56542	56aaa6cb3693
child 56605	afb358e14f29
permissions	-rw-r--r--