author | ascarpino |
Wed, 08 Feb 2017 12:08:28 -0800 | |
changeset 43701 | fe8c324ba97c |
parent 41471 | 18c0f074ed97 |
child 45064 | b1b45177051b |
permissions | -rw-r--r-- |
2 | 1 |
/* |
36442
ce858cc19004
8132942: ServerHandshaker should not throw SSLHandshakeException when CertificateStatus constructor is called with invalid arguments
jnimeh
parents:
35298
diff
changeset
|
2 |
* Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved. |
2 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
5506 | 7 |
* published by the Free Software Foundation. Oracle designates this |
2 | 8 |
* particular file as subject to the "Classpath" exception as provided |
5506 | 9 |
* by Oracle in the LICENSE file that accompanied this code. |
2 | 10 |
* |
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
15 |
* accompanied this code). |
|
16 |
* |
|
17 |
* You should have received a copy of the GNU General Public License version |
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 |
* |
|
5506 | 21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
22 |
* or visit www.oracle.com if you need additional information or have any |
|
23 |
* questions. |
|
2 | 24 |
*/ |
25 |
||
26 |
package sun.security.ssl; |
|
27 |
||
28 |
import java.io.*; |
|
29 |
import java.math.BigInteger; |
|
30 |
import java.security.*; |
|
31 |
import java.security.interfaces.*; |
|
32 |
import java.security.spec.*; |
|
33 |
import java.security.cert.*; |
|
34 |
import java.security.cert.Certificate; |
|
35 |
import java.util.*; |
|
36 |
import java.util.concurrent.ConcurrentHashMap; |
|
37 |
||
38 |
import java.lang.reflect.*; |
|
39 |
||
40 |
import javax.security.auth.x500.X500Principal; |
|
41 |
||
42 |
import javax.crypto.KeyGenerator; |
|
43 |
import javax.crypto.SecretKey; |
|
16080 | 44 |
import javax.crypto.spec.DHPublicKeySpec; |
2 | 45 |
|
46 |
import javax.net.ssl.*; |
|
47 |
||
48 |
import sun.security.internal.spec.TlsPrfParameterSpec; |
|
49 |
import sun.security.ssl.CipherSuite.*; |
|
7043 | 50 |
import static sun.security.ssl.CipherSuite.PRF.*; |
16080 | 51 |
import sun.security.util.KeyUtil; |
41471
18c0f074ed97
8165275: Replace the reflective call to the implUpdate method in HandshakeMessage::digestKey
valeriep
parents:
39563
diff
changeset
|
52 |
import sun.security.util.MessageDigestSpi2; |
32032 | 53 |
import sun.security.provider.certpath.OCSPResponse; |
2 | 54 |
|
55 |
/** |
|
56 |
* Many data structures are involved in the handshake messages. These |
|
57 |
* classes are used as structures, with public data members. They are |
|
58 |
* not visible outside the SSL package. |
|
59 |
* |
|
60 |
* Handshake messages all have a common header format, and they are all |
|
61 |
* encoded in a "handshake data" SSL record substream. The base class |
|
62 |
* here (HandshakeMessage) provides a common framework and records the |
|
63 |
* SSL record type of the particular handshake message. |
|
64 |
* |
|
65 |
* This file contains subclasses for all the basic handshake messages. |
|
66 |
* All handshake messages know how to encode and decode themselves on |
|
67 |
* SSL streams; this facilitates using the same code on SSL client and |
|
68 |
* server sides, although they don't send and receive the same messages. |
|
69 |
* |
|
70 |
* Messages also know how to print themselves, which is quite handy |
|
71 |
* for debugging. They always identify their type, and can optionally |
|
72 |
* dump all of their content. |
|
73 |
* |
|
74 |
* @author David Brownell |
|
75 |
*/ |
|
4236 | 76 |
public abstract class HandshakeMessage { |
2 | 77 |
|
30904 | 78 |
/* Class and subclass dynamic debugging support */ |
79 |
public static final Debug debug = Debug.getInstance("ssl"); |
|
2 | 80 |
|
81 |
// enum HandshakeType: |
|
30904 | 82 |
static final byte ht_hello_request = 0; // RFC 5246 |
83 |
static final byte ht_client_hello = 1; // RFC 5246 |
|
84 |
static final byte ht_server_hello = 2; // RFC 5246 |
|
85 |
static final byte ht_hello_verify_request = 3; // RFC 6347 |
|
86 |
static final byte ht_new_session_ticket = 4; // RFC 4507 |
|
87 |
||
88 |
static final byte ht_certificate = 11; // RFC 5246 |
|
89 |
static final byte ht_server_key_exchange = 12; // RFC 5246 |
|
90 |
static final byte ht_certificate_request = 13; // RFC 5246 |
|
91 |
static final byte ht_server_hello_done = 14; // RFC 5246 |
|
92 |
static final byte ht_certificate_verify = 15; // RFC 5246 |
|
93 |
static final byte ht_client_key_exchange = 16; // RFC 5246 |
|
2 | 94 |
|
30904 | 95 |
static final byte ht_finished = 20; // RFC 5246 |
96 |
static final byte ht_certificate_url = 21; // RFC 6066 |
|
97 |
static final byte ht_certificate_status = 22; // RFC 6066 |
|
98 |
static final byte ht_supplemental_data = 23; // RFC 4680 |
|
99 |
||
100 |
static final byte ht_not_applicable = -1; // N/A |
|
2 | 101 |
|
30904 | 102 |
/* |
103 |
* SSL 3.0 MAC padding constants. |
|
104 |
* Also used by CertificateVerify and Finished during the handshake. |
|
105 |
*/ |
|
106 |
static final byte[] MD5_pad1 = genPad(0x36, 48); |
|
107 |
static final byte[] MD5_pad2 = genPad(0x5c, 48); |
|
2 | 108 |
|
30904 | 109 |
static final byte[] SHA_pad1 = genPad(0x36, 40); |
110 |
static final byte[] SHA_pad2 = genPad(0x5c, 40); |
|
111 |
||
112 |
// default constructor |
|
113 |
HandshakeMessage() { |
|
114 |
} |
|
2 | 115 |
|
116 |
/** |
|
117 |
* Utility method to convert a BigInteger to a byte array in unsigned |
|
118 |
* format as needed in the handshake messages. BigInteger uses |
|
119 |
* 2's complement format, i.e. it prepends an extra zero if the MSB |
|
120 |
* is set. We remove that. |
|
121 |
*/ |
|
122 |
static byte[] toByteArray(BigInteger bi) { |
|
123 |
byte[] b = bi.toByteArray(); |
|
124 |
if ((b.length > 1) && (b[0] == 0)) { |
|
125 |
int n = b.length - 1; |
|
126 |
byte[] newarray = new byte[n]; |
|
127 |
System.arraycopy(b, 1, newarray, 0, n); |
|
128 |
b = newarray; |
|
129 |
} |
|
130 |
return b; |
|
131 |
} |
|
132 |
||
133 |
private static byte[] genPad(int b, int count) { |
|
134 |
byte[] padding = new byte[count]; |
|
135 |
Arrays.fill(padding, (byte)b); |
|
136 |
return padding; |
|
137 |
} |
|
138 |
||
139 |
/* |
|
140 |
* Write a handshake message on the (handshake) output stream. |
|
141 |
* This is just a four byte header followed by the data. |
|
142 |
* |
|
143 |
* NOTE that huge messages -- notably, ones with huge cert |
|
144 |
* chains -- are handled correctly. |
|
145 |
*/ |
|
146 |
final void write(HandshakeOutStream s) throws IOException { |
|
147 |
int len = messageLength(); |
|
14004
611031f93e76
7200295: CertificateRequest message is wrapping when using large numbers of Certs
xuelei
parents:
10336
diff
changeset
|
148 |
if (len >= Record.OVERFLOW_OF_INT24) { |
2 | 149 |
throw new SSLException("Handshake message too big" |
150 |
+ ", type = " + messageType() + ", len = " + len); |
|
151 |
} |
|
152 |
s.write(messageType()); |
|
153 |
s.putInt24(len); |
|
154 |
send(s); |
|
30904 | 155 |
s.complete(); |
2 | 156 |
} |
157 |
||
158 |
/* |
|
159 |
* Subclasses implement these methods so those kinds of |
|
160 |
* messages can be emitted. Base class delegates to subclass. |
|
161 |
*/ |
|
162 |
abstract int messageType(); |
|
163 |
abstract int messageLength(); |
|
164 |
abstract void send(HandshakeOutStream s) throws IOException; |
|
165 |
||
166 |
/* |
|
167 |
* Write a descriptive message on the output stream; for debugging. |
|
168 |
*/ |
|
169 |
abstract void print(PrintStream p) throws IOException; |
|
170 |
||
171 |
// |
|
172 |
// NOTE: the rest of these classes are nested within this one, and are |
|
173 |
// imported by other classes in this package. There are a few other |
|
174 |
// handshake message classes, not neatly nested here because of current |
|
175 |
// licensing requirement for native (RSA) methods. They belong here, |
|
176 |
// but those native methods complicate things a lot! |
|
177 |
// |
|
178 |
||
179 |
||
180 |
/* |
|
181 |
* HelloRequest ... SERVER --> CLIENT |
|
182 |
* |
|
183 |
* Server can ask the client to initiate a new handshake, e.g. to change |
|
184 |
* session parameters after a connection has been (re)established. |
|
185 |
*/ |
|
6856 | 186 |
static final class HelloRequest extends HandshakeMessage { |
14664
e71aa0962e70
8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents:
14194
diff
changeset
|
187 |
@Override |
2 | 188 |
int messageType() { return ht_hello_request; } |
189 |
||
190 |
HelloRequest() { } |
|
191 |
||
192 |
HelloRequest(HandshakeInStream in) throws IOException |
|
193 |
{ |
|
194 |
// nothing in this message |
|
195 |
} |
|
196 |
||
14664
e71aa0962e70
8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents:
14194
diff
changeset
|
197 |
@Override |
2 | 198 |
int messageLength() { return 0; } |
199 |
||
14664
e71aa0962e70
8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents:
14194
diff
changeset
|
200 |
@Override |
2 | 201 |
void send(HandshakeOutStream out) throws IOException |
202 |
{ |
|
203 |
// nothing in this messaage |
|
204 |
} |
|
205 |
||
14664
e71aa0962e70
8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents:
14194
diff
changeset
|
206 |
@Override |
2 | 207 |
void print(PrintStream out) throws IOException |
208 |
{ |
|
209 |
out.println("*** HelloRequest (empty)"); |
|
210 |
} |
|
211 |
||
212 |
} |
|
213 |
||
30904 | 214 |
/* |
215 |
* HelloVerifyRequest ... SERVER --> CLIENT [DTLS only] |
|
216 |
* |
|
217 |
* The definition of HelloVerifyRequest is as follows: |
|
218 |
* |
|
219 |
* struct { |
|
220 |
* ProtocolVersion server_version; |
|
221 |
* opaque cookie<0..2^8-1>; |
|
222 |
* } HelloVerifyRequest; |
|
223 |
* |
|
224 |
* For DTLS protocols, once the client has transmitted the ClientHello message, |
|
225 |
* it expects to see a HelloVerifyRequest from the server. However, if the |
|
226 |
* server's message is lost, the client knows that either the ClientHello or |
|
227 |
* the HelloVerifyRequest has been lost and retransmits. [RFC 6347] |
|
228 |
*/ |
|
229 |
static final class HelloVerifyRequest extends HandshakeMessage { |
|
230 |
ProtocolVersion protocolVersion; |
|
231 |
byte[] cookie; // 1 to 2^8 - 1 bytes |
|
232 |
||
233 |
HelloVerifyRequest(HelloCookieManager helloCookieManager, |
|
234 |
ClientHello clientHelloMsg) { |
|
235 |
||
236 |
this.protocolVersion = clientHelloMsg.protocolVersion; |
|
237 |
this.cookie = helloCookieManager.getCookie(clientHelloMsg); |
|
238 |
} |
|
239 |
||
240 |
HelloVerifyRequest( |
|
241 |
HandshakeInStream input, int messageLength) throws IOException { |
|
242 |
||
243 |
this.protocolVersion = |
|
244 |
ProtocolVersion.valueOf(input.getInt8(), input.getInt8()); |
|
245 |
this.cookie = input.getBytes8(); |
|
246 |
||
247 |
// Is it a valid cookie? |
|
248 |
HelloCookieManager.checkCookie(protocolVersion, cookie); |
|
249 |
} |
|
250 |
||
251 |
@Override |
|
252 |
int messageType() { |
|
253 |
return ht_hello_verify_request; |
|
254 |
} |
|
255 |
||
256 |
@Override |
|
257 |
int messageLength() { |
|
258 |
return 2 + cookie.length; // 2: the length of protocolVersion |
|
259 |
} |
|
260 |
||
261 |
@Override |
|
262 |
void send(HandshakeOutStream hos) throws IOException { |
|
263 |
hos.putInt8(protocolVersion.major); |
|
264 |
hos.putInt8(protocolVersion.minor); |
|
265 |
hos.putBytes8(cookie); |
|
266 |
} |
|
267 |
||
268 |
@Override |
|
269 |
void print(PrintStream out) throws IOException { |
|
270 |
out.println("*** HelloVerifyRequest"); |
|
271 |
if (debug != null && Debug.isOn("verbose")) { |
|
272 |
out.println("server_version: " + protocolVersion); |
|
273 |
Debug.println(out, "cookie", cookie); |
|
274 |
} |
|
275 |
} |
|
276 |
} |
|
2 | 277 |
|
278 |
/* |
|
279 |
* ClientHello ... CLIENT --> SERVER |
|
280 |
* |
|
281 |
* Client initiates handshake by telling server what it wants, and what it |
|
282 |
* can support (prioritized by what's first in the ciphe suite list). |
|
283 |
* |
|
284 |
* By RFC2246:7.4.1.2 it's explicitly anticipated that this message |
|
285 |
* will have more data added at the end ... e.g. what CAs the client trusts. |
|
286 |
* Until we know how to parse it, we will just read what we know |
|
287 |
* about, and let our caller handle the jumps over unknown data. |
|
288 |
*/ |
|
6856 | 289 |
static final class ClientHello extends HandshakeMessage { |
2 | 290 |
|
30904 | 291 |
ProtocolVersion protocolVersion; |
292 |
RandomCookie clnt_random; |
|
293 |
SessionId sessionId; |
|
294 |
byte[] cookie; // DTLS only |
|
295 |
private CipherSuiteList cipherSuites; |
|
296 |
private final boolean isDTLS; |
|
297 |
byte[] compression_methods; |
|
2 | 298 |
|
299 |
HelloExtensions extensions = new HelloExtensions(); |
|
300 |
||
32649
2ee9017c7597
8136583: Core libraries should use blessed modifier order
martin
parents:
32032
diff
changeset
|
301 |
private static final byte[] NULL_COMPRESSION = new byte[] {0}; |
2 | 302 |
|
6856 | 303 |
ClientHello(SecureRandom generator, ProtocolVersion protocolVersion, |
30904 | 304 |
SessionId sessionId, CipherSuiteList cipherSuites, |
305 |
boolean isDTLS) { |
|
2 | 306 |
|
30904 | 307 |
this.isDTLS = isDTLS; |
6856 | 308 |
this.protocolVersion = protocolVersion; |
309 |
this.sessionId = sessionId; |
|
310 |
this.cipherSuites = cipherSuites; |
|
30904 | 311 |
if (isDTLS) { |
312 |
this.cookie = new byte[0]; |
|
313 |
} else { |
|
314 |
this.cookie = null; |
|
315 |
} |
|
2 | 316 |
|
6856 | 317 |
clnt_random = new RandomCookie(generator); |
318 |
compression_methods = NULL_COMPRESSION; |
|
2 | 319 |
} |
320 |
||
30904 | 321 |
ClientHello(HandshakeInStream s, |
322 |
int messageLength, boolean isDTLS) throws IOException { |
|
323 |
||
324 |
this.isDTLS = isDTLS; |
|
325 |
||
2 | 326 |
protocolVersion = ProtocolVersion.valueOf(s.getInt8(), s.getInt8()); |
327 |
clnt_random = new RandomCookie(s); |
|
328 |
sessionId = new SessionId(s.getBytes8()); |
|
28565
48712ca501c1
8044860: Vectors and fixed length fields should be verified for allowed sizes.
jnimeh
parents:
27957
diff
changeset
|
329 |
sessionId.checkLength(protocolVersion); |
30904 | 330 |
if (isDTLS) { |
331 |
cookie = s.getBytes8(); |
|
332 |
} else { |
|
333 |
cookie = null; |
|
334 |
} |
|
335 |
||
2 | 336 |
cipherSuites = new CipherSuiteList(s); |
337 |
compression_methods = s.getBytes8(); |
|
338 |
if (messageLength() != messageLength) { |
|
339 |
extensions = new HelloExtensions(s); |
|
340 |
} |
|
341 |
} |
|
342 |
||
6856 | 343 |
CipherSuiteList getCipherSuites() { |
344 |
return cipherSuites; |
|
345 |
} |
|
346 |
||
347 |
// add renegotiation_info extension |
|
348 |
void addRenegotiationInfoExtension(byte[] clientVerifyData) { |
|
349 |
HelloExtension renegotiationInfo = new RenegotiationInfoExtension( |
|
350 |
clientVerifyData, new byte[0]); |
|
351 |
extensions.add(renegotiationInfo); |
|
352 |
} |
|
353 |
||
7043 | 354 |
// add server_name extension |
14194
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
14004
diff
changeset
|
355 |
void addSNIExtension(List<SNIServerName> serverNames) { |
7043 | 356 |
try { |
14194
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
14004
diff
changeset
|
357 |
extensions.add(new ServerNameExtension(serverNames)); |
7043 | 358 |
} catch (IOException ioe) { |
359 |
// ignore the exception and return |
|
360 |
} |
|
361 |
} |
|
362 |
||
363 |
// add signature_algorithm extension |
|
364 |
void addSignatureAlgorithmsExtension( |
|
365 |
Collection<SignatureAndHashAlgorithm> algorithms) { |
|
366 |
HelloExtension signatureAlgorithm = |
|
367 |
new SignatureAlgorithmsExtension(algorithms); |
|
368 |
extensions.add(signatureAlgorithm); |
|
369 |
} |
|
370 |
||
30904 | 371 |
void addMFLExtension(int maximumPacketSize) { |
372 |
HelloExtension maxFragmentLength = |
|
373 |
new MaxFragmentLengthExtension(maximumPacketSize); |
|
374 |
extensions.add(maxFragmentLength); |
|
375 |
} |
|
376 |
||
377 |
void updateHelloCookie(MessageDigest cookieDigest) { |
|
378 |
// |
|
379 |
// Just use HandshakeOutStream to compute the hello verify cookie. |
|
380 |
// Not actually used to output handshake message records. |
|
381 |
// |
|
382 |
HandshakeOutStream hos = new HandshakeOutStream(null); |
|
383 |
||
384 |
try { |
|
385 |
send(hos, false); // Do not count hello verify cookie. |
|
386 |
} catch (IOException ioe) { |
|
387 |
// unlikely to happen |
|
388 |
} |
|
389 |
||
390 |
cookieDigest.update(hos.toByteArray()); |
|
391 |
} |
|
392 |
||
32032 | 393 |
// Add status_request extension type |
394 |
void addCertStatusRequestExtension() { |
|
395 |
extensions.add(new CertStatusReqExtension(StatusRequestType.OCSP, |
|
396 |
new OCSPStatusRequest())); |
|
397 |
} |
|
398 |
||
399 |
// Add status_request_v2 extension type |
|
400 |
void addCertStatusReqListV2Extension() { |
|
401 |
// Create a default OCSPStatusRequest that we can use for both |
|
402 |
// OCSP_MULTI and OCSP request list items. |
|
403 |
OCSPStatusRequest osr = new OCSPStatusRequest(); |
|
404 |
List<CertStatusReqItemV2> itemList = new ArrayList<>(2); |
|
405 |
itemList.add(new CertStatusReqItemV2(StatusRequestType.OCSP_MULTI, |
|
406 |
osr)); |
|
407 |
itemList.add(new CertStatusReqItemV2(StatusRequestType.OCSP, osr)); |
|
408 |
extensions.add(new CertStatusReqListV2Extension(itemList)); |
|
409 |
} |
|
410 |
||
34380
2b2609379881
8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension
vinnie
parents:
32649
diff
changeset
|
411 |
// add application_layer_protocol_negotiation extension |
2b2609379881
8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension
vinnie
parents:
32649
diff
changeset
|
412 |
void addALPNExtension(String[] applicationProtocols) throws SSLException { |
2b2609379881
8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension
vinnie
parents:
32649
diff
changeset
|
413 |
extensions.add(new ALPNExtension(applicationProtocols)); |
2b2609379881
8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension
vinnie
parents:
32649
diff
changeset
|
414 |
} |
2b2609379881
8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension
vinnie
parents:
32649
diff
changeset
|
415 |
|
6856 | 416 |
@Override |
417 |
int messageType() { return ht_client_hello; } |
|
418 |
||
419 |
@Override |
|
420 |
int messageLength() { |
|
421 |
/* |
|
422 |
* Add fixed size parts of each field... |
|
423 |
* version + random + session + cipher + compress |
|
424 |
*/ |
|
425 |
return (2 + 32 + 1 + 2 + 1 |
|
426 |
+ sessionId.length() /* ... + variable parts */ |
|
30904 | 427 |
+ (isDTLS ? (1 + cookie.length) : 0) |
6856 | 428 |
+ (cipherSuites.size() * 2) |
429 |
+ compression_methods.length) |
|
430 |
+ extensions.length(); |
|
431 |
} |
|
432 |
||
433 |
@Override |
|
2 | 434 |
void send(HandshakeOutStream s) throws IOException { |
30904 | 435 |
send(s, true); // Count hello verify cookie. |
2 | 436 |
} |
437 |
||
6856 | 438 |
@Override |
2 | 439 |
void print(PrintStream s) throws IOException { |
440 |
s.println("*** ClientHello, " + protocolVersion); |
|
441 |
||
442 |
if (debug != null && Debug.isOn("verbose")) { |
|
7043 | 443 |
s.print("RandomCookie: "); |
444 |
clnt_random.print(s); |
|
2 | 445 |
|
446 |
s.print("Session ID: "); |
|
447 |
s.println(sessionId); |
|
448 |
||
30904 | 449 |
if (isDTLS) { |
450 |
Debug.println(s, "cookie", cookie); |
|
451 |
} |
|
452 |
||
2 | 453 |
s.println("Cipher Suites: " + cipherSuites); |
454 |
||
455 |
Debug.println(s, "Compression Methods", compression_methods); |
|
456 |
extensions.print(s); |
|
457 |
s.println("***"); |
|
458 |
} |
|
459 |
} |
|
30904 | 460 |
|
461 |
private void send(HandshakeOutStream s, |
|
462 |
boolean computeCookie) throws IOException { |
|
463 |
s.putInt8(protocolVersion.major); |
|
464 |
s.putInt8(protocolVersion.minor); |
|
465 |
clnt_random.send(s); |
|
466 |
s.putBytes8(sessionId.getId()); |
|
467 |
if (isDTLS && computeCookie) { |
|
468 |
s.putBytes8(cookie); |
|
469 |
} |
|
470 |
cipherSuites.send(s); |
|
471 |
s.putBytes8(compression_methods); |
|
472 |
extensions.send(s); |
|
473 |
} |
|
474 |
||
2 | 475 |
} |
476 |
||
477 |
/* |
|
478 |
* ServerHello ... SERVER --> CLIENT |
|
479 |
* |
|
480 |
* Server chooses protocol options from among those it supports and the |
|
481 |
* client supports. Then it sends the basic session descriptive parameters |
|
482 |
* back to the client. |
|
483 |
*/ |
|
484 |
static final |
|
485 |
class ServerHello extends HandshakeMessage |
|
486 |
{ |
|
14664
e71aa0962e70
8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents:
14194
diff
changeset
|
487 |
@Override |
2 | 488 |
int messageType() { return ht_server_hello; } |
489 |
||
490 |
ProtocolVersion protocolVersion; |
|
491 |
RandomCookie svr_random; |
|
492 |
SessionId sessionId; |
|
493 |
CipherSuite cipherSuite; |
|
494 |
byte compression_method; |
|
495 |
HelloExtensions extensions = new HelloExtensions(); |
|
496 |
||
497 |
ServerHello() { |
|
498 |
// empty |
|
499 |
} |
|
500 |
||
7043 | 501 |
ServerHello(HandshakeInStream input, int messageLength) |
502 |
throws IOException { |
|
2 | 503 |
protocolVersion = ProtocolVersion.valueOf(input.getInt8(), |
504 |
input.getInt8()); |
|
505 |
svr_random = new RandomCookie(input); |
|
506 |
sessionId = new SessionId(input.getBytes8()); |
|
28565
48712ca501c1
8044860: Vectors and fixed length fields should be verified for allowed sizes.
jnimeh
parents:
27957
diff
changeset
|
507 |
sessionId.checkLength(protocolVersion); |
2 | 508 |
cipherSuite = CipherSuite.valueOf(input.getInt8(), input.getInt8()); |
509 |
compression_method = (byte)input.getInt8(); |
|
510 |
if (messageLength() != messageLength) { |
|
511 |
extensions = new HelloExtensions(input); |
|
512 |
} |
|
513 |
} |
|
514 |
||
14664
e71aa0962e70
8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents:
14194
diff
changeset
|
515 |
@Override |
2 | 516 |
int messageLength() |
517 |
{ |
|
518 |
// almost fixed size, except session ID and extensions: |
|
519 |
// major + minor = 2 |
|
520 |
// random = 32 |
|
521 |
// session ID len field = 1 |
|
522 |
// cipher suite + compression = 3 |
|
523 |
// extensions: if present, 2 + length of extensions |
|
524 |
return 38 + sessionId.length() + extensions.length(); |
|
525 |
} |
|
526 |
||
14664
e71aa0962e70
8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents:
14194
diff
changeset
|
527 |
@Override |
2 | 528 |
void send(HandshakeOutStream s) throws IOException |
529 |
{ |
|
530 |
s.putInt8(protocolVersion.major); |
|
531 |
s.putInt8(protocolVersion.minor); |
|
532 |
svr_random.send(s); |
|
533 |
s.putBytes8(sessionId.getId()); |
|
534 |
s.putInt8(cipherSuite.id >> 8); |
|
535 |
s.putInt8(cipherSuite.id & 0xff); |
|
536 |
s.putInt8(compression_method); |
|
537 |
extensions.send(s); |
|
538 |
} |
|
539 |
||
14664
e71aa0962e70
8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents:
14194
diff
changeset
|
540 |
@Override |
2 | 541 |
void print(PrintStream s) throws IOException |
542 |
{ |
|
543 |
s.println("*** ServerHello, " + protocolVersion); |
|
544 |
||
545 |
if (debug != null && Debug.isOn("verbose")) { |
|
7043 | 546 |
s.print("RandomCookie: "); |
547 |
svr_random.print(s); |
|
2 | 548 |
|
549 |
s.print("Session ID: "); |
|
550 |
s.println(sessionId); |
|
551 |
||
552 |
s.println("Cipher Suite: " + cipherSuite); |
|
553 |
s.println("Compression Method: " + compression_method); |
|
554 |
extensions.print(s); |
|
555 |
s.println("***"); |
|
556 |
} |
|
557 |
} |
|
558 |
} |
|
559 |
||
560 |
||
561 |
/* |
|
562 |
* CertificateMsg ... send by both CLIENT and SERVER |
|
563 |
* |
|
564 |
* Each end of a connection may need to pass its certificate chain to |
|
565 |
* the other end. Such chains are intended to validate an identity with |
|
566 |
* reference to some certifying authority. Examples include companies |
|
567 |
* like Verisign, or financial institutions. There's some control over |
|
568 |
* the certifying authorities which are sent. |
|
569 |
* |
|
570 |
* NOTE: that these messages might be huge, taking many handshake records. |
|
571 |
* Up to 2^48 bytes of certificate may be sent, in records of at most 2^14 |
|
572 |
* bytes each ... up to 2^32 records sent on the output stream. |
|
573 |
*/ |
|
574 |
static final |
|
575 |
class CertificateMsg extends HandshakeMessage |
|
576 |
{ |
|
14664
e71aa0962e70
8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents:
14194
diff
changeset
|
577 |
@Override |
2 | 578 |
int messageType() { return ht_certificate; } |
579 |
||
580 |
private X509Certificate[] chain; |
|
581 |
||
582 |
private List<byte[]> encodedChain; |
|
583 |
||
584 |
private int messageLength; |
|
585 |
||
586 |
CertificateMsg(X509Certificate[] certs) { |
|
587 |
chain = certs; |
|
588 |
} |
|
589 |
||
590 |
CertificateMsg(HandshakeInStream input) throws IOException { |
|
591 |
int chainLen = input.getInt24(); |
|
7990 | 592 |
List<Certificate> v = new ArrayList<>(4); |
2 | 593 |
|
594 |
CertificateFactory cf = null; |
|
595 |
while (chainLen > 0) { |
|
596 |
byte[] cert = input.getBytes24(); |
|
597 |
chainLen -= (3 + cert.length); |
|
598 |
try { |
|
599 |
if (cf == null) { |
|
600 |
cf = CertificateFactory.getInstance("X.509"); |
|
601 |
} |
|
602 |
v.add(cf.generateCertificate(new ByteArrayInputStream(cert))); |
|
603 |
} catch (CertificateException e) { |
|
7043 | 604 |
throw (SSLProtocolException)new SSLProtocolException( |
605 |
e.getMessage()).initCause(e); |
|
2 | 606 |
} |
607 |
} |
|
608 |
||
609 |
chain = v.toArray(new X509Certificate[v.size()]); |
|
610 |
} |
|
611 |
||
14664
e71aa0962e70
8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents:
14194
diff
changeset
|
612 |
@Override |
2 | 613 |
int messageLength() { |
614 |
if (encodedChain == null) { |
|
615 |
messageLength = 3; |
|
616 |
encodedChain = new ArrayList<byte[]>(chain.length); |
|
617 |
try { |
|
618 |
for (X509Certificate cert : chain) { |
|
619 |
byte[] b = cert.getEncoded(); |
|
620 |
encodedChain.add(b); |
|
621 |
messageLength += b.length + 3; |
|
622 |
} |
|
623 |
} catch (CertificateEncodingException e) { |
|
624 |
encodedChain = null; |
|
625 |
throw new RuntimeException("Could not encode certificates", e); |
|
626 |
} |
|
627 |
} |
|
628 |
return messageLength; |
|
629 |
} |
|
630 |
||
14664
e71aa0962e70
8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents:
14194
diff
changeset
|
631 |
@Override |
2 | 632 |
void send(HandshakeOutStream s) throws IOException { |
633 |
s.putInt24(messageLength() - 3); |
|
634 |
for (byte[] b : encodedChain) { |
|
635 |
s.putBytes24(b); |
|
636 |
} |
|
637 |
} |
|
638 |
||
14664
e71aa0962e70
8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents:
14194
diff
changeset
|
639 |
@Override |
2 | 640 |
void print(PrintStream s) throws IOException { |
641 |
s.println("*** Certificate chain"); |
|
642 |
||
29264
5172066a2da6
8054037: Improve tracing for java.security.debug=certpath
juh
parents:
28565
diff
changeset
|
643 |
if (chain.length == 0) { |
5172066a2da6
8054037: Improve tracing for java.security.debug=certpath
juh
parents:
28565
diff
changeset
|
644 |
s.println("<Empty>"); |
5172066a2da6
8054037: Improve tracing for java.security.debug=certpath
juh
parents:
28565
diff
changeset
|
645 |
} else if (debug != null && Debug.isOn("verbose")) { |
5172066a2da6
8054037: Improve tracing for java.security.debug=certpath
juh
parents:
28565
diff
changeset
|
646 |
for (int i = 0; i < chain.length; i++) { |
2 | 647 |
s.println("chain [" + i + "] = " + chain[i]); |
29264
5172066a2da6
8054037: Improve tracing for java.security.debug=certpath
juh
parents:
28565
diff
changeset
|
648 |
} |
2 | 649 |
} |
29264
5172066a2da6
8054037: Improve tracing for java.security.debug=certpath
juh
parents:
28565
diff
changeset
|
650 |
s.println("***"); |
2 | 651 |
} |
652 |
||
653 |
X509Certificate[] getCertificateChain() { |
|
7043 | 654 |
return chain.clone(); |
2 | 655 |
} |
656 |
} |
|
657 |
||
658 |
/* |
|
32032 | 659 |
* CertificateStatus ... SERVER --> CLIENT |
660 |
* |
|
661 |
* When a ClientHello asserting the status_request or status_request_v2 |
|
662 |
* extensions is accepted by the server, it will fetch and return one |
|
663 |
* or more status responses in this handshake message. |
|
664 |
* |
|
665 |
* NOTE: Like the Certificate handshake message, this can potentially |
|
666 |
* be a very large message both due to the size of multiple status |
|
667 |
* responses and the certificate chains that are often attached to them. |
|
668 |
* Up to 2^24 bytes of status responses may be sent, possibly fragmented |
|
669 |
* over multiple TLS records. |
|
670 |
*/ |
|
671 |
static final class CertificateStatus extends HandshakeMessage |
|
672 |
{ |
|
673 |
private final StatusRequestType statusType; |
|
674 |
private int encodedResponsesLen; |
|
675 |
private int messageLength = -1; |
|
676 |
private List<byte[]> encodedResponses; |
|
677 |
||
678 |
@Override |
|
679 |
int messageType() { return ht_certificate_status; } |
|
680 |
||
681 |
/** |
|
682 |
* Create a CertificateStatus message from the certificates and their |
|
683 |
* respective OCSP responses |
|
684 |
* |
|
685 |
* @param type an indication of the type of response (OCSP or OCSP_MULTI) |
|
686 |
* @param responses a {@code List} of OCSP responses in DER-encoded form. |
|
687 |
* For the OCSP type, only the first entry in the response list is |
|
688 |
* used, and must correspond to the end-entity certificate sent to the |
|
689 |
* peer. Zero-length or null values for the response data are not |
|
690 |
* allowed for the OCSP type. For the OCSP_MULTI type, each entry in |
|
691 |
* the list should match its corresponding certificate sent in the |
|
692 |
* Server Certificate message. Where an OCSP response does not exist, |
|
693 |
* either a zero-length array or a null value should be used. |
|
694 |
* |
|
695 |
* @throws SSLException if an unsupported StatusRequestType or invalid |
|
696 |
* OCSP response data is provided. |
|
697 |
*/ |
|
698 |
CertificateStatus(StatusRequestType type, X509Certificate[] chain, |
|
36442
ce858cc19004
8132942: ServerHandshaker should not throw SSLHandshakeException when CertificateStatus constructor is called with invalid arguments
jnimeh
parents:
35298
diff
changeset
|
699 |
Map<X509Certificate, byte[]> responses) { |
32032 | 700 |
statusType = type; |
701 |
encodedResponsesLen = 0; |
|
702 |
encodedResponses = new ArrayList<>(chain.length); |
|
703 |
||
704 |
Objects.requireNonNull(chain, "Null chain not allowed"); |
|
705 |
Objects.requireNonNull(responses, "Null responses not allowed"); |
|
706 |
||
707 |
if (statusType == StatusRequestType.OCSP) { |
|
708 |
// Just get the response for the end-entity certificate |
|
709 |
byte[] respDER = responses.get(chain[0]); |
|
710 |
if (respDER != null && respDER.length > 0) { |
|
711 |
encodedResponses.add(respDER); |
|
712 |
encodedResponsesLen = 3 + respDER.length; |
|
713 |
} else { |
|
36442
ce858cc19004
8132942: ServerHandshaker should not throw SSLHandshakeException when CertificateStatus constructor is called with invalid arguments
jnimeh
parents:
35298
diff
changeset
|
714 |
throw new IllegalArgumentException("Zero-length or null " + |
32032 | 715 |
"OCSP Response"); |
716 |
} |
|
717 |
} else if (statusType == StatusRequestType.OCSP_MULTI) { |
|
718 |
for (X509Certificate cert : chain) { |
|
719 |
byte[] respDER = responses.get(cert); |
|
720 |
if (respDER != null) { |
|
721 |
encodedResponses.add(respDER); |
|
722 |
encodedResponsesLen += (respDER.length + 3); |
|
723 |
} else { |
|
724 |
// If we cannot find a response for a given certificate |
|
725 |
// then use a zero-length placeholder. |
|
726 |
encodedResponses.add(new byte[0]); |
|
727 |
encodedResponsesLen += 3; |
|
728 |
} |
|
729 |
} |
|
730 |
} else { |
|
36442
ce858cc19004
8132942: ServerHandshaker should not throw SSLHandshakeException when CertificateStatus constructor is called with invalid arguments
jnimeh
parents:
35298
diff
changeset
|
731 |
throw new IllegalArgumentException( |
ce858cc19004
8132942: ServerHandshaker should not throw SSLHandshakeException when CertificateStatus constructor is called with invalid arguments
jnimeh
parents:
35298
diff
changeset
|
732 |
"Unsupported StatusResponseType: " + statusType); |
32032 | 733 |
} |
734 |
} |
|
735 |
||
736 |
/** |
|
737 |
* Decode the CertificateStatus handshake message coming from a |
|
738 |
* {@code HandshakeInputStream}. |
|
739 |
* |
|
740 |
* @param input the {@code HandshakeInputStream} containing the |
|
741 |
* CertificateStatus message bytes. |
|
742 |
* |
|
743 |
* @throws SSLHandshakeException if a zero-length response is found in the |
|
744 |
* OCSP response type, or an unsupported response type is detected. |
|
745 |
* @throws IOException if a decoding error occurs. |
|
746 |
*/ |
|
747 |
CertificateStatus(HandshakeInStream input) throws IOException { |
|
748 |
encodedResponsesLen = 0; |
|
749 |
encodedResponses = new ArrayList<>(); |
|
750 |
||
751 |
statusType = StatusRequestType.get(input.getInt8()); |
|
752 |
if (statusType == StatusRequestType.OCSP) { |
|
753 |
byte[] respDER = input.getBytes24(); |
|
754 |
// Convert the incoming bytes to a OCSPResponse strucutre |
|
755 |
if (respDER.length > 0) { |
|
756 |
encodedResponses.add(respDER); |
|
757 |
encodedResponsesLen = 3 + respDER.length; |
|
758 |
} else { |
|
759 |
throw new SSLHandshakeException("Zero-length OCSP Response"); |
|
760 |
} |
|
761 |
} else if (statusType == StatusRequestType.OCSP_MULTI) { |
|
762 |
int respListLen = input.getInt24(); |
|
763 |
encodedResponsesLen = respListLen; |
|
764 |
||
765 |
// Add each OCSP reponse into the array list in the order |
|
766 |
// we receive them off the wire. A zero-length array is |
|
767 |
// allowed for ocsp_multi, and means that a response for |
|
768 |
// a given certificate is not available. |
|
769 |
while (respListLen > 0) { |
|
770 |
byte[] respDER = input.getBytes24(); |
|
771 |
encodedResponses.add(respDER); |
|
772 |
respListLen -= (respDER.length + 3); |
|
773 |
} |
|
774 |
||
775 |
if (respListLen != 0) { |
|
776 |
throw new SSLHandshakeException( |
|
777 |
"Bad OCSP response list length"); |
|
778 |
} |
|
779 |
} else { |
|
780 |
throw new SSLHandshakeException("Unsupported StatusResponseType: " + |
|
781 |
statusType); |
|
782 |
} |
|
783 |
} |
|
784 |
||
785 |
/** |
|
786 |
* Get the length of the CertificateStatus message. |
|
787 |
* |
|
788 |
* @return the length of the message in bytes. |
|
789 |
*/ |
|
790 |
@Override |
|
791 |
int messageLength() { |
|
792 |
int len = 1; // Length + Status type |
|
793 |
||
794 |
if (messageLength == -1) { |
|
795 |
if (statusType == StatusRequestType.OCSP) { |
|
796 |
len += encodedResponsesLen; |
|
797 |
} else if (statusType == StatusRequestType.OCSP_MULTI) { |
|
798 |
len += 3 + encodedResponsesLen; |
|
799 |
} |
|
800 |
messageLength = len; |
|
801 |
} |
|
802 |
||
803 |
return messageLength; |
|
804 |
} |
|
805 |
||
806 |
/** |
|
807 |
* Encode the CertificateStatus handshake message and place it on a |
|
808 |
* {@code HandshakeOutputStream}. |
|
809 |
* |
|
810 |
* @param s the HandshakeOutputStream that will the message bytes. |
|
811 |
* |
|
812 |
* @throws IOException if an encoding error occurs. |
|
813 |
*/ |
|
814 |
@Override |
|
815 |
void send(HandshakeOutStream s) throws IOException { |
|
816 |
s.putInt8(statusType.id); |
|
817 |
if (statusType == StatusRequestType.OCSP) { |
|
818 |
s.putBytes24(encodedResponses.get(0)); |
|
819 |
} else if (statusType == StatusRequestType.OCSP_MULTI) { |
|
820 |
s.putInt24(encodedResponsesLen); |
|
821 |
for (byte[] respBytes : encodedResponses) { |
|
822 |
if (respBytes != null) { |
|
823 |
s.putBytes24(respBytes); |
|
824 |
} else { |
|
825 |
s.putBytes24(null); |
|
826 |
} |
|
827 |
} |
|
828 |
} else { |
|
829 |
// It is highly unlikely that we will fall into this section of |
|
830 |
// the code. |
|
831 |
throw new SSLHandshakeException("Unsupported status_type: " + |
|
832 |
statusType.id); |
|
833 |
} |
|
834 |
} |
|
835 |
||
836 |
/** |
|
837 |
* Display a human-readable representation of the CertificateStatus message. |
|
838 |
* |
|
839 |
* @param s the PrintStream used to display the message data. |
|
840 |
* |
|
841 |
* @throws IOException if any errors occur while parsing the OCSP response |
|
842 |
* bytes into a readable form. |
|
843 |
*/ |
|
844 |
@Override |
|
845 |
void print(PrintStream s) throws IOException { |
|
846 |
s.println("*** CertificateStatus"); |
|
847 |
if (debug != null && Debug.isOn("verbose")) { |
|
848 |
s.println("Type: " + statusType); |
|
849 |
if (statusType == StatusRequestType.OCSP) { |
|
850 |
OCSPResponse oResp = new OCSPResponse(encodedResponses.get(0)); |
|
851 |
s.println(oResp); |
|
852 |
} else if (statusType == StatusRequestType.OCSP_MULTI) { |
|
853 |
int numResponses = encodedResponses.size(); |
|
854 |
s.println(numResponses + |
|
855 |
(numResponses == 1 ? " entry:" : " entries:")); |
|
856 |
for (byte[] respDER : encodedResponses) { |
|
857 |
if (respDER.length > 0) { |
|
858 |
OCSPResponse oResp = new OCSPResponse(respDER); |
|
859 |
s.println(oResp); |
|
860 |
} else { |
|
861 |
s.println("<Zero-length entry>"); |
|
862 |
} |
|
863 |
} |
|
864 |
} |
|
865 |
} |
|
866 |
} |
|
867 |
||
868 |
/** |
|
869 |
* Get the type of CertificateStatus message |
|
870 |
* |
|
871 |
* @return the {@code StatusRequestType} for this CertificateStatus |
|
872 |
* message. |
|
873 |
*/ |
|
874 |
StatusRequestType getType() { |
|
875 |
return statusType; |
|
876 |
} |
|
877 |
||
878 |
/** |
|
879 |
* Get the list of non-zero length OCSP responses. |
|
880 |
* The responses returned in this list can be used to map to |
|
881 |
* {@code X509Certificate} objects provided by the peer and |
|
882 |
* provided to a {@code PKIXRevocationChecker}. |
|
883 |
* |
|
884 |
* @return an unmodifiable List of zero or more byte arrays, each one |
|
885 |
* consisting of a single status response. |
|
886 |
*/ |
|
887 |
List<byte[]> getResponses() { |
|
888 |
return Collections.unmodifiableList(encodedResponses); |
|
889 |
} |
|
890 |
} |
|
891 |
||
892 |
/* |
|
2 | 893 |
* ServerKeyExchange ... SERVER --> CLIENT |
894 |
* |
|
895 |
* The cipher suite selected, when combined with the certificate exchanged, |
|
896 |
* implies one of several different kinds of key exchange. Most current |
|
897 |
* cipher suites require the server to send more than its certificate. |
|
898 |
* |
|
899 |
* The primary exceptions are when a server sends an encryption-capable |
|
900 |
* RSA public key in its cert, to be used with RSA (or RSA_export) key |
|
901 |
* exchange; and when a server sends its Diffie-Hellman cert. Those kinds |
|
902 |
* of key exchange do not require a ServerKeyExchange message. |
|
903 |
* |
|
904 |
* Key exchange can be viewed as having three modes, which are explicit |
|
905 |
* for the Diffie-Hellman flavors and poorly specified for RSA ones: |
|
906 |
* |
|
907 |
* - "Ephemeral" keys. Here, a "temporary" key is allocated by the |
|
908 |
* server, and signed. Diffie-Hellman keys signed using RSA or |
|
909 |
* DSS are ephemeral (DHE flavor). RSA keys get used to do the same |
|
910 |
* thing, to cut the key size down to 512 bits (export restrictions) |
|
911 |
* or for signing-only RSA certificates. |
|
912 |
* |
|
913 |
* - Anonymity. Here no server certificate is sent, only the public |
|
914 |
* key of the server. This case is subject to man-in-the-middle |
|
915 |
* attacks. This can be done with Diffie-Hellman keys (DH_anon) or |
|
916 |
* with RSA keys, but is only used in SSLv3 for DH_anon. |
|
917 |
* |
|
918 |
* - "Normal" case. Here a server certificate is sent, and the public |
|
919 |
* key there is used directly in exchanging the premaster secret. |
|
920 |
* For example, Diffie-Hellman "DH" flavor, and any RSA flavor with |
|
921 |
* only 512 bit keys. |
|
922 |
* |
|
923 |
* If a server certificate is sent, there is no anonymity. However, |
|
924 |
* when a certificate is sent, ephemeral keys may still be used to |
|
925 |
* exchange the premaster secret. That's how RSA_EXPORT often works, |
|
926 |
* as well as how the DHE_* flavors work. |
|
927 |
*/ |
|
32649
2ee9017c7597
8136583: Core libraries should use blessed modifier order
martin
parents:
32032
diff
changeset
|
928 |
abstract static class ServerKeyExchange extends HandshakeMessage |
2 | 929 |
{ |
14664
e71aa0962e70
8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents:
14194
diff
changeset
|
930 |
@Override |
2 | 931 |
int messageType() { return ht_server_key_exchange; } |
932 |
} |
|
933 |
||
934 |
||
935 |
/* |
|
936 |
* Using RSA for Key Exchange: exchange a session key that's not as big |
|
937 |
* as the signing-only key. Used for export applications, since exported |
|
938 |
* RSA encryption keys can't be bigger than 512 bytes. |
|
939 |
* |
|
940 |
* This is never used when keys are 512 bits or smaller, and isn't used |
|
941 |
* on "US Domestic" ciphers in any case. |
|
942 |
*/ |
|
943 |
static final |
|
944 |
class RSA_ServerKeyExchange extends ServerKeyExchange |
|
945 |
{ |
|
31538
0981099a3e54
8130022: Use Java-style array declarations consistently
igerasim
parents:
30904
diff
changeset
|
946 |
private byte[] rsa_modulus; // 1 to 2^16 - 1 bytes |
0981099a3e54
8130022: Use Java-style array declarations consistently
igerasim
parents:
30904
diff
changeset
|
947 |
private byte[] rsa_exponent; // 1 to 2^16 - 1 bytes |
2 | 948 |
|
949 |
private Signature signature; |
|
950 |
private byte[] signatureBytes; |
|
951 |
||
952 |
/* |
|
953 |
* Hash the nonces and the ephemeral RSA public key. |
|
954 |
*/ |
|
31538
0981099a3e54
8130022: Use Java-style array declarations consistently
igerasim
parents:
30904
diff
changeset
|
955 |
private void updateSignature(byte[] clntNonce, byte[] svrNonce) |
2 | 956 |
throws SignatureException { |
957 |
int tmp; |
|
958 |
||
959 |
signature.update(clntNonce); |
|
960 |
signature.update(svrNonce); |
|
961 |
||
962 |
tmp = rsa_modulus.length; |
|
963 |
signature.update((byte)(tmp >> 8)); |
|
964 |
signature.update((byte)(tmp & 0x0ff)); |
|
965 |
signature.update(rsa_modulus); |
|
966 |
||
967 |
tmp = rsa_exponent.length; |
|
968 |
signature.update((byte)(tmp >> 8)); |
|
969 |
signature.update((byte)(tmp & 0x0ff)); |
|
970 |
signature.update(rsa_exponent); |
|
971 |
} |
|
972 |
||
973 |
||
974 |
/* |
|
975 |
* Construct an RSA server key exchange message, using data |
|
976 |
* known _only_ to the server. |
|
977 |
* |
|
978 |
* The client knows the public key corresponding to this private |
|
979 |
* key, from the Certificate message sent previously. To comply |
|
980 |
* with US export regulations we use short RSA keys ... either |
|
981 |
* long term ones in the server's X509 cert, or else ephemeral |
|
982 |
* ones sent using this message. |
|
983 |
*/ |
|
984 |
RSA_ServerKeyExchange(PublicKey ephemeralKey, PrivateKey privateKey, |
|
985 |
RandomCookie clntNonce, RandomCookie svrNonce, SecureRandom sr) |
|
986 |
throws GeneralSecurityException { |
|
987 |
RSAPublicKeySpec rsaKey = JsseJce.getRSAPublicKeySpec(ephemeralKey); |
|
988 |
rsa_modulus = toByteArray(rsaKey.getModulus()); |
|
989 |
rsa_exponent = toByteArray(rsaKey.getPublicExponent()); |
|
990 |
signature = RSASignature.getInstance(); |
|
991 |
signature.initSign(privateKey, sr); |
|
992 |
updateSignature(clntNonce.random_bytes, svrNonce.random_bytes); |
|
993 |
signatureBytes = signature.sign(); |
|
994 |
} |
|
995 |
||
996 |
||
997 |
/* |
|
998 |
* Parse an RSA server key exchange message, using data known |
|
999 |
* to the client (and, in some situations, eavesdroppers). |
|
1000 |
*/ |
|
1001 |
RSA_ServerKeyExchange(HandshakeInStream input) |
|
1002 |
throws IOException, NoSuchAlgorithmException { |
|
1003 |
signature = RSASignature.getInstance(); |
|
1004 |
rsa_modulus = input.getBytes16(); |
|
1005 |
rsa_exponent = input.getBytes16(); |
|
1006 |
signatureBytes = input.getBytes16(); |
|
1007 |
} |
|
1008 |
||
1009 |
/* |
|
1010 |
* Get the ephemeral RSA public key that will be used in this |
|
1011 |
* SSL connection. |
|
1012 |
*/ |
|
1013 |
PublicKey getPublicKey() { |
|
1014 |
try { |
|
1015 |
KeyFactory kfac = JsseJce.getKeyFactory("RSA"); |
|
1016 |
// modulus and exponent are always positive |
|
7043 | 1017 |
RSAPublicKeySpec kspec = new RSAPublicKeySpec( |
1018 |
new BigInteger(1, rsa_modulus), |
|
1019 |
new BigInteger(1, rsa_exponent)); |
|
2 | 1020 |
return kfac.generatePublic(kspec); |
1021 |
} catch (Exception e) { |
|
1022 |
throw new RuntimeException(e); |
|
1023 |
} |
|
1024 |
} |
|
1025 |
||
1026 |
/* |
|
1027 |
* Verify the signed temporary key using the hashes computed |
|
1028 |
* from it and the two nonces. This is called by clients |
|
1029 |
* with "exportable" RSA flavors. |
|
1030 |
*/ |
|
1031 |
boolean verify(PublicKey certifiedKey, RandomCookie clntNonce, |
|
1032 |
RandomCookie svrNonce) throws GeneralSecurityException { |
|
1033 |
signature.initVerify(certifiedKey); |
|
1034 |
updateSignature(clntNonce.random_bytes, svrNonce.random_bytes); |
|
1035 |
return signature.verify(signatureBytes); |
|
1036 |
} |
|
1037 |
||
14664
e71aa0962e70
8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents:
14194
diff
changeset
|
1038 |
@Override |
2 | 1039 |
int messageLength() { |
1040 |
return 6 + rsa_modulus.length + rsa_exponent.length |
|
1041 |
+ signatureBytes.length; |
|
1042 |
} |
|
1043 |
||
14664
e71aa0962e70
8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents:
14194
diff
changeset
|
1044 |
@Override |
2 | 1045 |
void send(HandshakeOutStream s) throws IOException { |
1046 |
s.putBytes16(rsa_modulus); |
|
1047 |
s.putBytes16(rsa_exponent); |
|
1048 |
s.putBytes16(signatureBytes); |
|
1049 |
} |
|
1050 |
||
14664
e71aa0962e70
8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents:
14194
diff
changeset
|
1051 |
@Override |
2 | 1052 |
void print(PrintStream s) throws IOException { |
1053 |
s.println("*** RSA ServerKeyExchange"); |
|
1054 |
||
1055 |
if (debug != null && Debug.isOn("verbose")) { |
|
1056 |
Debug.println(s, "RSA Modulus", rsa_modulus); |
|
1057 |
Debug.println(s, "RSA Public Exponent", rsa_exponent); |
|
1058 |
} |
|
1059 |
} |
|
1060 |
} |
|
1061 |
||
1062 |
||
1063 |
/* |
|
1064 |
* Using Diffie-Hellman algorithm for key exchange. All we really need to |
|
1065 |
* do is securely get Diffie-Hellman keys (using the same P, G parameters) |
|
1066 |
* to our peer, then we automatically have a shared secret without need |
|
1067 |
* to exchange any more data. (D-H only solutions, such as SKIP, could |
|
1068 |
* eliminate key exchange negotiations and get faster connection setup. |
|
1069 |
* But they still need a signature algorithm like DSS/DSA to support the |
|
1070 |
* trusted distribution of keys without relying on unscalable physical |
|
1071 |
* key distribution systems.) |
|
1072 |
* |
|
1073 |
* This class supports several DH-based key exchange algorithms, though |
|
1074 |
* perhaps eventually each deserves its own class. Notably, this has |
|
1075 |
* basic support for DH_anon and its DHE_DSS and DHE_RSA signed variants. |
|
1076 |
*/ |
|
1077 |
static final |
|
1078 |
class DH_ServerKeyExchange extends ServerKeyExchange |
|
1079 |
{ |
|
1080 |
// Fix message encoding, see 4348279 |
|
32649
2ee9017c7597
8136583: Core libraries should use blessed modifier order
martin
parents:
32032
diff
changeset
|
1081 |
private static final boolean dhKeyExchangeFix = |
2 | 1082 |
Debug.getBooleanProperty("com.sun.net.ssl.dhKeyExchangeFix", true); |
1083 |
||
31538
0981099a3e54
8130022: Use Java-style array declarations consistently
igerasim
parents:
30904
diff
changeset
|
1084 |
private byte[] dh_p; // 1 to 2^16 - 1 bytes |
0981099a3e54
8130022: Use Java-style array declarations consistently
igerasim
parents:
30904
diff
changeset
|
1085 |
private byte[] dh_g; // 1 to 2^16 - 1 bytes |
0981099a3e54
8130022: Use Java-style array declarations consistently
igerasim
parents:
30904
diff
changeset
|
1086 |
private byte[] dh_Ys; // 1 to 2^16 - 1 bytes |
2 | 1087 |
|
31538
0981099a3e54
8130022: Use Java-style array declarations consistently
igerasim
parents:
30904
diff
changeset
|
1088 |
private byte[] signature; |
2 | 1089 |
|
7043 | 1090 |
// protocol version being established using this ServerKeyExchange message |
1091 |
ProtocolVersion protocolVersion; |
|
1092 |
||
1093 |
// the preferable signature algorithm used by this ServerKeyExchange message |
|
1094 |
private SignatureAndHashAlgorithm preferableSignatureAlgorithm; |
|
1095 |
||
2 | 1096 |
/* |
1097 |
* Construct from initialized DH key object, for DH_anon |
|
1098 |
* key exchange. |
|
1099 |
*/ |
|
7043 | 1100 |
DH_ServerKeyExchange(DHCrypt obj, ProtocolVersion protocolVersion) { |
1101 |
this.protocolVersion = protocolVersion; |
|
1102 |
this.preferableSignatureAlgorithm = null; |
|
1103 |
||
16080 | 1104 |
// The DH key has been validated in the constructor of DHCrypt. |
7043 | 1105 |
setValues(obj); |
2 | 1106 |
signature = null; |
1107 |
} |
|
1108 |
||
1109 |
/* |
|
1110 |
* Construct from initialized DH key object and the key associated |
|
1111 |
* with the cert chain which was sent ... for DHE_DSS and DHE_RSA |
|
1112 |
* key exchange. (Constructor called by server.) |
|
1113 |
*/ |
|
31538
0981099a3e54
8130022: Use Java-style array declarations consistently
igerasim
parents:
30904
diff
changeset
|
1114 |
DH_ServerKeyExchange(DHCrypt obj, PrivateKey key, byte[] clntNonce, |
0981099a3e54
8130022: Use Java-style array declarations consistently
igerasim
parents:
30904
diff
changeset
|
1115 |
byte[] svrNonce, SecureRandom sr, |
7043 | 1116 |
SignatureAndHashAlgorithm signAlgorithm, |
1117 |
ProtocolVersion protocolVersion) throws GeneralSecurityException { |
|
2 | 1118 |
|
7043 | 1119 |
this.protocolVersion = protocolVersion; |
1120 |
||
16080 | 1121 |
// The DH key has been validated in the constructor of DHCrypt. |
7043 | 1122 |
setValues(obj); |
2 | 1123 |
|
1124 |
Signature sig; |
|
30904 | 1125 |
if (protocolVersion.useTLS12PlusSpec()) { |
7043 | 1126 |
this.preferableSignatureAlgorithm = signAlgorithm; |
1127 |
sig = JsseJce.getSignature(signAlgorithm.getAlgorithmName()); |
|
2 | 1128 |
} else { |
7043 | 1129 |
this.preferableSignatureAlgorithm = null; |
1130 |
if (key.getAlgorithm().equals("DSA")) { |
|
1131 |
sig = JsseJce.getSignature(JsseJce.SIGNATURE_DSA); |
|
1132 |
} else { |
|
1133 |
sig = RSASignature.getInstance(); |
|
1134 |
} |
|
2 | 1135 |
} |
7043 | 1136 |
|
2 | 1137 |
sig.initSign(key, sr); |
1138 |
updateSignature(sig, clntNonce, svrNonce); |
|
1139 |
signature = sig.sign(); |
|
1140 |
} |
|
1141 |
||
1142 |
/* |
|
1143 |
* Construct a DH_ServerKeyExchange message from an input |
|
1144 |
* stream, as if sent from server to client for use with |
|
1145 |
* DH_anon key exchange |
|
1146 |
*/ |
|
7043 | 1147 |
DH_ServerKeyExchange(HandshakeInStream input, |
16080 | 1148 |
ProtocolVersion protocolVersion) |
1149 |
throws IOException, GeneralSecurityException { |
|
7043 | 1150 |
|
1151 |
this.protocolVersion = protocolVersion; |
|
1152 |
this.preferableSignatureAlgorithm = null; |
|
1153 |
||
2 | 1154 |
dh_p = input.getBytes16(); |
1155 |
dh_g = input.getBytes16(); |
|
1156 |
dh_Ys = input.getBytes16(); |
|
16080 | 1157 |
KeyUtil.validate(new DHPublicKeySpec(new BigInteger(1, dh_Ys), |
1158 |
new BigInteger(1, dh_p), |
|
1159 |
new BigInteger(1, dh_g))); |
|
1160 |
||
2 | 1161 |
signature = null; |
1162 |
} |
|
1163 |
||
1164 |
/* |
|
1165 |
* Construct a DH_ServerKeyExchange message from an input stream |
|
1166 |
* and a certificate, as if sent from server to client for use with |
|
1167 |
* DHE_DSS or DHE_RSA key exchange. (Called by client.) |
|
1168 |
*/ |
|
1169 |
DH_ServerKeyExchange(HandshakeInStream input, PublicKey publicKey, |
|
31538
0981099a3e54
8130022: Use Java-style array declarations consistently
igerasim
parents:
30904
diff
changeset
|
1170 |
byte[] clntNonce, byte[] svrNonce, int messageSize, |
7043 | 1171 |
Collection<SignatureAndHashAlgorithm> localSupportedSignAlgs, |
1172 |
ProtocolVersion protocolVersion) |
|
2 | 1173 |
throws IOException, GeneralSecurityException { |
1174 |
||
7043 | 1175 |
this.protocolVersion = protocolVersion; |
1176 |
||
1177 |
// read params: ServerDHParams |
|
2 | 1178 |
dh_p = input.getBytes16(); |
1179 |
dh_g = input.getBytes16(); |
|
1180 |
dh_Ys = input.getBytes16(); |
|
16080 | 1181 |
KeyUtil.validate(new DHPublicKeySpec(new BigInteger(1, dh_Ys), |
1182 |
new BigInteger(1, dh_p), |
|
1183 |
new BigInteger(1, dh_g))); |
|
2 | 1184 |
|
7043 | 1185 |
// read the signature and hash algorithm |
30904 | 1186 |
if (protocolVersion.useTLS12PlusSpec()) { |
7043 | 1187 |
int hash = input.getInt8(); // hash algorithm |
1188 |
int signature = input.getInt8(); // signature algorithm |
|
1189 |
||
1190 |
preferableSignatureAlgorithm = |
|
1191 |
SignatureAndHashAlgorithm.valueOf(hash, signature, 0); |
|
1192 |
||
1193 |
// Is it a local supported signature algorithm? |
|
1194 |
if (!localSupportedSignAlgs.contains( |
|
1195 |
preferableSignatureAlgorithm)) { |
|
1196 |
throw new SSLHandshakeException( |
|
36952
4500612ce068
8153531: Improve exception messaging for RSAClientKeyExchange
coffeys
parents:
36442
diff
changeset
|
1197 |
"Unsupported SignatureAndHashAlgorithm in " + |
4500612ce068
8153531: Improve exception messaging for RSAClientKeyExchange
coffeys
parents:
36442
diff
changeset
|
1198 |
"ServerKeyExchange message: " + |
4500612ce068
8153531: Improve exception messaging for RSAClientKeyExchange
coffeys
parents:
36442
diff
changeset
|
1199 |
preferableSignatureAlgorithm); |
7043 | 1200 |
} |
1201 |
} else { |
|
1202 |
this.preferableSignatureAlgorithm = null; |
|
1203 |
} |
|
1204 |
||
1205 |
// read the signature |
|
31538
0981099a3e54
8130022: Use Java-style array declarations consistently
igerasim
parents:
30904
diff
changeset
|
1206 |
byte[] signature; |
2 | 1207 |
if (dhKeyExchangeFix) { |
1208 |
signature = input.getBytes16(); |
|
1209 |
} else { |
|
1210 |
messageSize -= (dh_p.length + 2); |
|
1211 |
messageSize -= (dh_g.length + 2); |
|
1212 |
messageSize -= (dh_Ys.length + 2); |
|
1213 |
||
1214 |
signature = new byte[messageSize]; |
|
1215 |
input.read(signature); |
|
1216 |
} |
|
1217 |
||
1218 |
Signature sig; |
|
1219 |
String algorithm = publicKey.getAlgorithm(); |
|
30904 | 1220 |
if (protocolVersion.useTLS12PlusSpec()) { |
7043 | 1221 |
sig = JsseJce.getSignature( |
1222 |
preferableSignatureAlgorithm.getAlgorithmName()); |
|
2 | 1223 |
} else { |
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
8991
diff
changeset
|
1224 |
switch (algorithm) { |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
8991
diff
changeset
|
1225 |
case "DSA": |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
8991
diff
changeset
|
1226 |
sig = JsseJce.getSignature(JsseJce.SIGNATURE_DSA); |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
8991
diff
changeset
|
1227 |
break; |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
8991
diff
changeset
|
1228 |
case "RSA": |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
8991
diff
changeset
|
1229 |
sig = RSASignature.getInstance(); |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
8991
diff
changeset
|
1230 |
break; |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
8991
diff
changeset
|
1231 |
default: |
36952
4500612ce068
8153531: Improve exception messaging for RSAClientKeyExchange
coffeys
parents:
36442
diff
changeset
|
1232 |
throw new SSLKeyException( |
4500612ce068
8153531: Improve exception messaging for RSAClientKeyExchange
coffeys
parents:
36442
diff
changeset
|
1233 |
"neither an RSA or a DSA key: " + algorithm); |
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
8991
diff
changeset
|
1234 |
} |
2 | 1235 |
} |
1236 |
||
1237 |
sig.initVerify(publicKey); |
|
1238 |
updateSignature(sig, clntNonce, svrNonce); |
|
1239 |
||
1240 |
if (sig.verify(signature) == false ) { |
|
1241 |
throw new SSLKeyException("Server D-H key verification failed"); |
|
1242 |
} |
|
1243 |
} |
|
1244 |
||
8991
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1245 |
/* Return the Diffie-Hellman modulus */ |
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1246 |
BigInteger getModulus() { |
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1247 |
return new BigInteger(1, dh_p); |
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1248 |
} |
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1249 |
|
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1250 |
/* Return the Diffie-Hellman base/generator */ |
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1251 |
BigInteger getBase() { |
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1252 |
return new BigInteger(1, dh_g); |
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1253 |
} |
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1254 |
|
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1255 |
/* Return the server's Diffie-Hellman public key */ |
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1256 |
BigInteger getServerPublicKey() { |
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1257 |
return new BigInteger(1, dh_Ys); |
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1258 |
} |
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1259 |
|
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1260 |
/* |
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1261 |
* Update sig with nonces and Diffie-Hellman public key. |
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1262 |
*/ |
31538
0981099a3e54
8130022: Use Java-style array declarations consistently
igerasim
parents:
30904
diff
changeset
|
1263 |
private void updateSignature(Signature sig, byte[] clntNonce, |
0981099a3e54
8130022: Use Java-style array declarations consistently
igerasim
parents:
30904
diff
changeset
|
1264 |
byte[] svrNonce) throws SignatureException { |
8991
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1265 |
int tmp; |
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1266 |
|
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1267 |
sig.update(clntNonce); |
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1268 |
sig.update(svrNonce); |
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1269 |
|
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1270 |
tmp = dh_p.length; |
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1271 |
sig.update((byte)(tmp >> 8)); |
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1272 |
sig.update((byte)(tmp & 0x0ff)); |
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1273 |
sig.update(dh_p); |
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1274 |
|
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1275 |
tmp = dh_g.length; |
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1276 |
sig.update((byte)(tmp >> 8)); |
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1277 |
sig.update((byte)(tmp & 0x0ff)); |
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1278 |
sig.update(dh_g); |
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1279 |
|
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1280 |
tmp = dh_Ys.length; |
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1281 |
sig.update((byte)(tmp >> 8)); |
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1282 |
sig.update((byte)(tmp & 0x0ff)); |
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1283 |
sig.update(dh_Ys); |
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1284 |
} |
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1285 |
|
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1286 |
private void setValues(DHCrypt obj) { |
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1287 |
dh_p = toByteArray(obj.getModulus()); |
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1288 |
dh_g = toByteArray(obj.getBase()); |
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1289 |
dh_Ys = toByteArray(obj.getPublicKey()); |
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1290 |
} |
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1291 |
|
14664
e71aa0962e70
8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents:
14194
diff
changeset
|
1292 |
@Override |
2 | 1293 |
int messageLength() { |
1294 |
int temp = 6; // overhead for p, g, y(s) values. |
|
1295 |
||
1296 |
temp += dh_p.length; |
|
1297 |
temp += dh_g.length; |
|
1298 |
temp += dh_Ys.length; |
|
7043 | 1299 |
|
2 | 1300 |
if (signature != null) { |
30904 | 1301 |
if (protocolVersion.useTLS12PlusSpec()) { |
7043 | 1302 |
temp += SignatureAndHashAlgorithm.sizeInRecord(); |
1303 |
} |
|
1304 |
||
2 | 1305 |
temp += signature.length; |
1306 |
if (dhKeyExchangeFix) { |
|
1307 |
temp += 2; |
|
1308 |
} |
|
1309 |
} |
|
7043 | 1310 |
|
2 | 1311 |
return temp; |
1312 |
} |
|
1313 |
||
14664
e71aa0962e70
8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents:
14194
diff
changeset
|
1314 |
@Override |
2 | 1315 |
void send(HandshakeOutStream s) throws IOException { |
1316 |
s.putBytes16(dh_p); |
|
1317 |
s.putBytes16(dh_g); |
|
1318 |
s.putBytes16(dh_Ys); |
|
7043 | 1319 |
|
2 | 1320 |
if (signature != null) { |
30904 | 1321 |
if (protocolVersion.useTLS12PlusSpec()) { |
7043 | 1322 |
s.putInt8(preferableSignatureAlgorithm.getHashValue()); |
1323 |
s.putInt8(preferableSignatureAlgorithm.getSignatureValue()); |
|
1324 |
} |
|
1325 |
||
2 | 1326 |
if (dhKeyExchangeFix) { |
1327 |
s.putBytes16(signature); |
|
1328 |
} else { |
|
1329 |
s.write(signature); |
|
1330 |
} |
|
1331 |
} |
|
1332 |
} |
|
1333 |
||
14664
e71aa0962e70
8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents:
14194
diff
changeset
|
1334 |
@Override |
2 | 1335 |
void print(PrintStream s) throws IOException { |
1336 |
s.println("*** Diffie-Hellman ServerKeyExchange"); |
|
1337 |
||
1338 |
if (debug != null && Debug.isOn("verbose")) { |
|
1339 |
Debug.println(s, "DH Modulus", dh_p); |
|
1340 |
Debug.println(s, "DH Base", dh_g); |
|
1341 |
Debug.println(s, "Server DH Public Key", dh_Ys); |
|
1342 |
||
1343 |
if (signature == null) { |
|
1344 |
s.println("Anonymous"); |
|
1345 |
} else { |
|
30904 | 1346 |
if (protocolVersion.useTLS12PlusSpec()) { |
7043 | 1347 |
s.println("Signature Algorithm " + |
1348 |
preferableSignatureAlgorithm.getAlgorithmName()); |
|
1349 |
} |
|
1350 |
||
2 | 1351 |
s.println("Signed with a DSA or RSA public key"); |
1352 |
} |
|
1353 |
} |
|
1354 |
} |
|
1355 |
} |
|
1356 |
||
1357 |
/* |
|
1358 |
* ECDH server key exchange message. Sent by the server for ECDHE and ECDH_anon |
|
1359 |
* ciphersuites to communicate its ephemeral public key (including the |
|
1360 |
* EC domain parameters). |
|
1361 |
* |
|
1362 |
* We support named curves only, no explicitly encoded curves. |
|
1363 |
*/ |
|
1364 |
static final |
|
8991
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1365 |
class ECDH_ServerKeyExchange extends ServerKeyExchange { |
2 | 1366 |
|
1367 |
// constants for ECCurveType |
|
32649
2ee9017c7597
8136583: Core libraries should use blessed modifier order
martin
parents:
32032
diff
changeset
|
1368 |
private static final int CURVE_EXPLICIT_PRIME = 1; |
2ee9017c7597
8136583: Core libraries should use blessed modifier order
martin
parents:
32032
diff
changeset
|
1369 |
private static final int CURVE_EXPLICIT_CHAR2 = 2; |
2ee9017c7597
8136583: Core libraries should use blessed modifier order
martin
parents:
32032
diff
changeset
|
1370 |
private static final int CURVE_NAMED_CURVE = 3; |
2 | 1371 |
|
1372 |
// id of the curve we are using |
|
1373 |
private int curveId; |
|
1374 |
// encoded public point |
|
1375 |
private byte[] pointBytes; |
|
1376 |
||
1377 |
// signature bytes (or null if anonymous) |
|
1378 |
private byte[] signatureBytes; |
|
1379 |
||
1380 |
// public key object encapsulated in this message |
|
1381 |
private ECPublicKey publicKey; |
|
1382 |
||
7043 | 1383 |
// protocol version being established using this ServerKeyExchange message |
1384 |
ProtocolVersion protocolVersion; |
|
1385 |
||
1386 |
// the preferable signature algorithm used by this ServerKeyExchange message |
|
1387 |
private SignatureAndHashAlgorithm preferableSignatureAlgorithm; |
|
1388 |
||
2 | 1389 |
ECDH_ServerKeyExchange(ECDHCrypt obj, PrivateKey privateKey, |
7043 | 1390 |
byte[] clntNonce, byte[] svrNonce, SecureRandom sr, |
1391 |
SignatureAndHashAlgorithm signAlgorithm, |
|
1392 |
ProtocolVersion protocolVersion) throws GeneralSecurityException { |
|
1393 |
||
1394 |
this.protocolVersion = protocolVersion; |
|
1395 |
||
2 | 1396 |
publicKey = (ECPublicKey)obj.getPublicKey(); |
1397 |
ECParameterSpec params = publicKey.getParams(); |
|
1398 |
ECPoint point = publicKey.getW(); |
|
1399 |
pointBytes = JsseJce.encodePoint(point, params.getCurve()); |
|
37814
844e590a011a
8156502: Use short name of SupportedEllipticCurvesExtension.java
xuelei
parents:
36952
diff
changeset
|
1400 |
curveId = EllipticCurvesExtension.getCurveIndex(params); |
2 | 1401 |
|
1402 |
if (privateKey == null) { |
|
1403 |
// ECDH_anon |
|
1404 |
return; |
|
1405 |
} |
|
1406 |
||
7043 | 1407 |
Signature sig; |
30904 | 1408 |
if (protocolVersion.useTLS12PlusSpec()) { |
7043 | 1409 |
this.preferableSignatureAlgorithm = signAlgorithm; |
1410 |
sig = JsseJce.getSignature(signAlgorithm.getAlgorithmName()); |
|
1411 |
} else { |
|
1412 |
sig = getSignature(privateKey.getAlgorithm()); |
|
1413 |
} |
|
1414 |
sig.initSign(privateKey); // where is the SecureRandom? |
|
2 | 1415 |
|
1416 |
updateSignature(sig, clntNonce, svrNonce); |
|
1417 |
signatureBytes = sig.sign(); |
|
1418 |
} |
|
1419 |
||
1420 |
/* |
|
1421 |
* Parse an ECDH server key exchange message. |
|
1422 |
*/ |
|
1423 |
ECDH_ServerKeyExchange(HandshakeInStream input, PublicKey signingKey, |
|
7043 | 1424 |
byte[] clntNonce, byte[] svrNonce, |
1425 |
Collection<SignatureAndHashAlgorithm> localSupportedSignAlgs, |
|
1426 |
ProtocolVersion protocolVersion) |
|
2 | 1427 |
throws IOException, GeneralSecurityException { |
7043 | 1428 |
|
1429 |
this.protocolVersion = protocolVersion; |
|
1430 |
||
1431 |
// read params: ServerECDHParams |
|
2 | 1432 |
int curveType = input.getInt8(); |
1433 |
ECParameterSpec parameters; |
|
1434 |
// These parsing errors should never occur as we negotiated |
|
1435 |
// the supported curves during the exchange of the Hello messages. |
|
1436 |
if (curveType == CURVE_NAMED_CURVE) { |
|
1437 |
curveId = input.getInt16(); |
|
37814
844e590a011a
8156502: Use short name of SupportedEllipticCurvesExtension.java
xuelei
parents:
36952
diff
changeset
|
1438 |
if (!EllipticCurvesExtension.isSupported(curveId)) { |
7043 | 1439 |
throw new SSLHandshakeException( |
1440 |
"Unsupported curveId: " + curveId); |
|
2 | 1441 |
} |
37814
844e590a011a
8156502: Use short name of SupportedEllipticCurvesExtension.java
xuelei
parents:
36952
diff
changeset
|
1442 |
String curveOid = EllipticCurvesExtension.getCurveOid(curveId); |
2 | 1443 |
if (curveOid == null) { |
7043 | 1444 |
throw new SSLHandshakeException( |
1445 |
"Unknown named curve: " + curveId); |
|
2 | 1446 |
} |
1447 |
parameters = JsseJce.getECParameterSpec(curveOid); |
|
1448 |
if (parameters == null) { |
|
7043 | 1449 |
throw new SSLHandshakeException( |
1450 |
"Unsupported curve: " + curveOid); |
|
2 | 1451 |
} |
1452 |
} else { |
|
7043 | 1453 |
throw new SSLHandshakeException( |
1454 |
"Unsupported ECCurveType: " + curveType); |
|
2 | 1455 |
} |
1456 |
pointBytes = input.getBytes8(); |
|
1457 |
||
1458 |
ECPoint point = JsseJce.decodePoint(pointBytes, parameters.getCurve()); |
|
1459 |
KeyFactory factory = JsseJce.getKeyFactory("EC"); |
|
7043 | 1460 |
publicKey = (ECPublicKey)factory.generatePublic( |
1461 |
new ECPublicKeySpec(point, parameters)); |
|
2 | 1462 |
|
1463 |
if (signingKey == null) { |
|
1464 |
// ECDH_anon |
|
1465 |
return; |
|
1466 |
} |
|
1467 |
||
7043 | 1468 |
// read the signature and hash algorithm |
30904 | 1469 |
if (protocolVersion.useTLS12PlusSpec()) { |
7043 | 1470 |
int hash = input.getInt8(); // hash algorithm |
1471 |
int signature = input.getInt8(); // signature algorithm |
|
1472 |
||
1473 |
preferableSignatureAlgorithm = |
|
1474 |
SignatureAndHashAlgorithm.valueOf(hash, signature, 0); |
|
1475 |
||
1476 |
// Is it a local supported signature algorithm? |
|
1477 |
if (!localSupportedSignAlgs.contains( |
|
1478 |
preferableSignatureAlgorithm)) { |
|
1479 |
throw new SSLHandshakeException( |
|
1480 |
"Unsupported SignatureAndHashAlgorithm in " + |
|
36952
4500612ce068
8153531: Improve exception messaging for RSAClientKeyExchange
coffeys
parents:
36442
diff
changeset
|
1481 |
"ServerKeyExchange message: " + |
4500612ce068
8153531: Improve exception messaging for RSAClientKeyExchange
coffeys
parents:
36442
diff
changeset
|
1482 |
preferableSignatureAlgorithm); |
7043 | 1483 |
} |
1484 |
} |
|
1485 |
||
1486 |
// read the signature |
|
2 | 1487 |
signatureBytes = input.getBytes16(); |
7043 | 1488 |
|
1489 |
// verify the signature |
|
1490 |
Signature sig; |
|
30904 | 1491 |
if (protocolVersion.useTLS12PlusSpec()) { |
7043 | 1492 |
sig = JsseJce.getSignature( |
1493 |
preferableSignatureAlgorithm.getAlgorithmName()); |
|
1494 |
} else { |
|
1495 |
sig = getSignature(signingKey.getAlgorithm()); |
|
1496 |
} |
|
2 | 1497 |
sig.initVerify(signingKey); |
1498 |
||
1499 |
updateSignature(sig, clntNonce, svrNonce); |
|
1500 |
||
1501 |
if (sig.verify(signatureBytes) == false ) { |
|
7043 | 1502 |
throw new SSLKeyException( |
1503 |
"Invalid signature on ECDH server key exchange message"); |
|
2 | 1504 |
} |
1505 |
} |
|
1506 |
||
1507 |
/* |
|
1508 |
* Get the ephemeral EC public key encapsulated in this message. |
|
1509 |
*/ |
|
1510 |
ECPublicKey getPublicKey() { |
|
1511 |
return publicKey; |
|
1512 |
} |
|
1513 |
||
7043 | 1514 |
private static Signature getSignature(String keyAlgorithm) |
1515 |
throws NoSuchAlgorithmException { |
|
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
8991
diff
changeset
|
1516 |
switch (keyAlgorithm) { |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
8991
diff
changeset
|
1517 |
case "EC": |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
8991
diff
changeset
|
1518 |
return JsseJce.getSignature(JsseJce.SIGNATURE_ECDSA); |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
8991
diff
changeset
|
1519 |
case "RSA": |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
8991
diff
changeset
|
1520 |
return RSASignature.getInstance(); |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
8991
diff
changeset
|
1521 |
default: |
36952
4500612ce068
8153531: Improve exception messaging for RSAClientKeyExchange
coffeys
parents:
36442
diff
changeset
|
1522 |
throw new NoSuchAlgorithmException( |
4500612ce068
8153531: Improve exception messaging for RSAClientKeyExchange
coffeys
parents:
36442
diff
changeset
|
1523 |
"neither an RSA or a EC key : " + keyAlgorithm); |
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
8991
diff
changeset
|
1524 |
} |
2 | 1525 |
} |
1526 |
||
31538
0981099a3e54
8130022: Use Java-style array declarations consistently
igerasim
parents:
30904
diff
changeset
|
1527 |
private void updateSignature(Signature sig, byte[] clntNonce, |
0981099a3e54
8130022: Use Java-style array declarations consistently
igerasim
parents:
30904
diff
changeset
|
1528 |
byte[] svrNonce) throws SignatureException { |
2 | 1529 |
sig.update(clntNonce); |
1530 |
sig.update(svrNonce); |
|
1531 |
||
1532 |
sig.update((byte)CURVE_NAMED_CURVE); |
|
1533 |
sig.update((byte)(curveId >> 8)); |
|
1534 |
sig.update((byte)curveId); |
|
1535 |
sig.update((byte)pointBytes.length); |
|
1536 |
sig.update(pointBytes); |
|
1537 |
} |
|
1538 |
||
14664
e71aa0962e70
8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents:
14194
diff
changeset
|
1539 |
@Override |
2 | 1540 |
int messageLength() { |
8991
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1541 |
int sigLen = 0; |
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1542 |
if (signatureBytes != null) { |
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1543 |
sigLen = 2 + signatureBytes.length; |
30904 | 1544 |
if (protocolVersion.useTLS12PlusSpec()) { |
8991
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1545 |
sigLen += SignatureAndHashAlgorithm.sizeInRecord(); |
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1546 |
} |
7043 | 1547 |
} |
1548 |
||
2 | 1549 |
return 4 + pointBytes.length + sigLen; |
1550 |
} |
|
1551 |
||
14664
e71aa0962e70
8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents:
14194
diff
changeset
|
1552 |
@Override |
2 | 1553 |
void send(HandshakeOutStream s) throws IOException { |
1554 |
s.putInt8(CURVE_NAMED_CURVE); |
|
1555 |
s.putInt16(curveId); |
|
1556 |
s.putBytes8(pointBytes); |
|
7043 | 1557 |
|
2 | 1558 |
if (signatureBytes != null) { |
30904 | 1559 |
if (protocolVersion.useTLS12PlusSpec()) { |
8991
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1560 |
s.putInt8(preferableSignatureAlgorithm.getHashValue()); |
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1561 |
s.putInt8(preferableSignatureAlgorithm.getSignatureValue()); |
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1562 |
} |
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1563 |
|
2 | 1564 |
s.putBytes16(signatureBytes); |
1565 |
} |
|
1566 |
} |
|
1567 |
||
14664
e71aa0962e70
8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents:
14194
diff
changeset
|
1568 |
@Override |
2 | 1569 |
void print(PrintStream s) throws IOException { |
1570 |
s.println("*** ECDH ServerKeyExchange"); |
|
1571 |
||
1572 |
if (debug != null && Debug.isOn("verbose")) { |
|
8991
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1573 |
if (signatureBytes == null) { |
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1574 |
s.println("Anonymous"); |
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1575 |
} else { |
30904 | 1576 |
if (protocolVersion.useTLS12PlusSpec()) { |
8991
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1577 |
s.println("Signature Algorithm " + |
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1578 |
preferableSignatureAlgorithm.getAlgorithmName()); |
7df5283fd3b8
7027797: take care of ECDH_anon/DH_anon server key exchange for TLS 1.2
xuelei
parents:
7990
diff
changeset
|
1579 |
} |
7043 | 1580 |
} |
1581 |
||
2 | 1582 |
s.println("Server key: " + publicKey); |
1583 |
} |
|
1584 |
} |
|
1585 |
} |
|
1586 |
||
1587 |
static final class DistinguishedName { |
|
1588 |
||
1589 |
/* |
|
1590 |
* DER encoded distinguished name. |
|
1591 |
* TLS requires that its not longer than 65535 bytes. |
|
1592 |
*/ |
|
31538
0981099a3e54
8130022: Use Java-style array declarations consistently
igerasim
parents:
30904
diff
changeset
|
1593 |
byte[] name; |
2 | 1594 |
|
1595 |
DistinguishedName(HandshakeInStream input) throws IOException { |
|
1596 |
name = input.getBytes16(); |
|
1597 |
} |
|
1598 |
||
1599 |
DistinguishedName(X500Principal dn) { |
|
1600 |
name = dn.getEncoded(); |
|
1601 |
} |
|
1602 |
||
1603 |
X500Principal getX500Principal() throws IOException { |
|
1604 |
try { |
|
1605 |
return new X500Principal(name); |
|
1606 |
} catch (IllegalArgumentException e) { |
|
7043 | 1607 |
throw (SSLProtocolException)new SSLProtocolException( |
1608 |
e.getMessage()).initCause(e); |
|
2 | 1609 |
} |
1610 |
} |
|
1611 |
||
1612 |
int length() { |
|
1613 |
return 2 + name.length; |
|
1614 |
} |
|
1615 |
||
1616 |
void send(HandshakeOutStream output) throws IOException { |
|
1617 |
output.putBytes16(name); |
|
1618 |
} |
|
1619 |
||
1620 |
void print(PrintStream output) throws IOException { |
|
1621 |
X500Principal principal = new X500Principal(name); |
|
1622 |
output.println("<" + principal.toString() + ">"); |
|
1623 |
} |
|
1624 |
} |
|
1625 |
||
1626 |
/* |
|
1627 |
* CertificateRequest ... SERVER --> CLIENT |
|
1628 |
* |
|
1629 |
* Authenticated servers may ask clients to authenticate themselves |
|
1630 |
* in turn, using this message. |
|
7043 | 1631 |
* |
1632 |
* Prior to TLS 1.2, the structure of the message is defined as: |
|
1633 |
* struct { |
|
1634 |
* ClientCertificateType certificate_types<1..2^8-1>; |
|
1635 |
* DistinguishedName certificate_authorities<0..2^16-1>; |
|
1636 |
* } CertificateRequest; |
|
1637 |
* |
|
1638 |
* In TLS 1.2, the structure is changed to: |
|
1639 |
* struct { |
|
1640 |
* ClientCertificateType certificate_types<1..2^8-1>; |
|
1641 |
* SignatureAndHashAlgorithm |
|
1642 |
* supported_signature_algorithms<2^16-1>; |
|
1643 |
* DistinguishedName certificate_authorities<0..2^16-1>; |
|
1644 |
* } CertificateRequest; |
|
1645 |
* |
|
2 | 1646 |
*/ |
1647 |
static final |
|
1648 |
class CertificateRequest extends HandshakeMessage |
|
1649 |
{ |
|
1650 |
// enum ClientCertificateType |
|
1651 |
static final int cct_rsa_sign = 1; |
|
1652 |
static final int cct_dss_sign = 2; |
|
1653 |
static final int cct_rsa_fixed_dh = 3; |
|
1654 |
static final int cct_dss_fixed_dh = 4; |
|
1655 |
||
1656 |
// The existance of these two values is a bug in the SSL specification. |
|
1657 |
// They are never used in the protocol. |
|
1658 |
static final int cct_rsa_ephemeral_dh = 5; |
|
1659 |
static final int cct_dss_ephemeral_dh = 6; |
|
1660 |
||
1661 |
// From RFC 4492 (ECC) |
|
1662 |
static final int cct_ecdsa_sign = 64; |
|
1663 |
static final int cct_rsa_fixed_ecdh = 65; |
|
1664 |
static final int cct_ecdsa_fixed_ecdh = 66; |
|
1665 |
||
32649
2ee9017c7597
8136583: Core libraries should use blessed modifier order
martin
parents:
32032
diff
changeset
|
1666 |
private static final byte[] TYPES_NO_ECC = { cct_rsa_sign, cct_dss_sign }; |
2ee9017c7597
8136583: Core libraries should use blessed modifier order
martin
parents:
32032
diff
changeset
|
1667 |
private static final byte[] TYPES_ECC = |
2 | 1668 |
{ cct_rsa_sign, cct_dss_sign, cct_ecdsa_sign }; |
1669 |
||
31538
0981099a3e54
8130022: Use Java-style array declarations consistently
igerasim
parents:
30904
diff
changeset
|
1670 |
byte[] types; // 1 to 255 types |
0981099a3e54
8130022: Use Java-style array declarations consistently
igerasim
parents:
30904
diff
changeset
|
1671 |
DistinguishedName[] authorities; // 3 to 2^16 - 1 |
2 | 1672 |
// ... "3" because that's the smallest DER-encoded X500 DN |
1673 |
||
7043 | 1674 |
// protocol version being established using this CertificateRequest message |
1675 |
ProtocolVersion protocolVersion; |
|
1676 |
||
1677 |
// supported_signature_algorithms for TLS 1.2 or later |
|
1678 |
private Collection<SignatureAndHashAlgorithm> algorithms; |
|
1679 |
||
1680 |
// length of supported_signature_algorithms |
|
1681 |
private int algorithmsLen; |
|
1682 |
||
31538
0981099a3e54
8130022: Use Java-style array declarations consistently
igerasim
parents:
30904
diff
changeset
|
1683 |
CertificateRequest(X509Certificate[] ca, KeyExchange keyExchange, |
7043 | 1684 |
Collection<SignatureAndHashAlgorithm> signAlgs, |
1685 |
ProtocolVersion protocolVersion) throws IOException { |
|
1686 |
||
1687 |
this.protocolVersion = protocolVersion; |
|
1688 |
||
2 | 1689 |
// always use X500Principal |
1690 |
authorities = new DistinguishedName[ca.length]; |
|
1691 |
for (int i = 0; i < ca.length; i++) { |
|
1692 |
X500Principal x500Principal = ca[i].getSubjectX500Principal(); |
|
1693 |
authorities[i] = new DistinguishedName(x500Principal); |
|
1694 |
} |
|
1695 |
// we support RSA, DSS, and ECDSA client authentication and they |
|
1696 |
// can be used with all ciphersuites. If this changes, the code |
|
1697 |
// needs to be adapted to take keyExchange into account. |
|
1698 |
// We only request ECDSA client auth if we have ECC crypto available. |
|
1699 |
this.types = JsseJce.isEcAvailable() ? TYPES_ECC : TYPES_NO_ECC; |
|
7043 | 1700 |
|
1701 |
// Use supported_signature_algorithms for TLS 1.2 or later. |
|
30904 | 1702 |
if (protocolVersion.useTLS12PlusSpec()) { |
7043 | 1703 |
if (signAlgs == null || signAlgs.isEmpty()) { |
1704 |
throw new SSLProtocolException( |
|
1705 |
"No supported signature algorithms"); |
|
1706 |
} |
|
1707 |
||
1708 |
algorithms = new ArrayList<SignatureAndHashAlgorithm>(signAlgs); |
|
1709 |
algorithmsLen = |
|
1710 |
SignatureAndHashAlgorithm.sizeInRecord() * algorithms.size(); |
|
1711 |
} else { |
|
1712 |
algorithms = new ArrayList<SignatureAndHashAlgorithm>(); |
|
1713 |
algorithmsLen = 0; |
|
1714 |
} |
|
2 | 1715 |
} |
1716 |
||
7043 | 1717 |
CertificateRequest(HandshakeInStream input, |
1718 |
ProtocolVersion protocolVersion) throws IOException { |
|
1719 |
||
1720 |
this.protocolVersion = protocolVersion; |
|
1721 |
||
1722 |
// Read the certificate_types. |
|
2 | 1723 |
types = input.getBytes8(); |
7043 | 1724 |
|
1725 |
// Read the supported_signature_algorithms for TLS 1.2 or later. |
|
30904 | 1726 |
if (protocolVersion.useTLS12PlusSpec()) { |
7043 | 1727 |
algorithmsLen = input.getInt16(); |
1728 |
if (algorithmsLen < 2) { |
|
1729 |
throw new SSLProtocolException( |
|
36952
4500612ce068
8153531: Improve exception messaging for RSAClientKeyExchange
coffeys
parents:
36442
diff
changeset
|
1730 |
"Invalid supported_signature_algorithms field: " + |
4500612ce068
8153531: Improve exception messaging for RSAClientKeyExchange
coffeys
parents:
36442
diff
changeset
|
1731 |
algorithmsLen); |
7043 | 1732 |
} |
1733 |
||
1734 |
algorithms = new ArrayList<SignatureAndHashAlgorithm>(); |
|
1735 |
int remains = algorithmsLen; |
|
1736 |
int sequence = 0; |
|
1737 |
while (remains > 1) { // needs at least two bytes |
|
1738 |
int hash = input.getInt8(); // hash algorithm |
|
1739 |
int signature = input.getInt8(); // signature algorithm |
|
1740 |
||
1741 |
SignatureAndHashAlgorithm algorithm = |
|
1742 |
SignatureAndHashAlgorithm.valueOf(hash, signature, |
|
1743 |
++sequence); |
|
1744 |
algorithms.add(algorithm); |
|
1745 |
remains -= 2; // one byte for hash, one byte for signature |
|
1746 |
} |
|
1747 |
||
1748 |
if (remains != 0) { |
|
1749 |
throw new SSLProtocolException( |
|
36952
4500612ce068
8153531: Improve exception messaging for RSAClientKeyExchange
coffeys
parents:
36442
diff
changeset
|
1750 |
"Invalid supported_signature_algorithms field. remains: " + |
4500612ce068
8153531: Improve exception messaging for RSAClientKeyExchange
coffeys
parents:
36442
diff
changeset
|
1751 |
remains); |
7043 | 1752 |
} |
1753 |
} else { |
|
1754 |
algorithms = new ArrayList<SignatureAndHashAlgorithm>(); |
|
1755 |
algorithmsLen = 0; |
|
1756 |
} |
|
1757 |
||
1758 |
// read the certificate_authorities |
|
2 | 1759 |
int len = input.getInt16(); |
7990 | 1760 |
ArrayList<DistinguishedName> v = new ArrayList<>(); |
2 | 1761 |
while (len >= 3) { |
1762 |
DistinguishedName dn = new DistinguishedName(input); |
|
1763 |
v.add(dn); |
|
1764 |
len -= dn.length(); |
|
1765 |
} |
|
1766 |
||
1767 |
if (len != 0) { |
|
36952
4500612ce068
8153531: Improve exception messaging for RSAClientKeyExchange
coffeys
parents:
36442
diff
changeset
|
1768 |
throw new SSLProtocolException( |
4500612ce068
8153531: Improve exception messaging for RSAClientKeyExchange
coffeys
parents:
36442
diff
changeset
|
1769 |
"Bad CertificateRequest DN length: " + len); |
2 | 1770 |
} |
1771 |
||
1772 |
authorities = v.toArray(new DistinguishedName[v.size()]); |
|
1773 |
} |
|
1774 |
||
1775 |
X500Principal[] getAuthorities() throws IOException { |
|
1776 |
X500Principal[] ret = new X500Principal[authorities.length]; |
|
1777 |
for (int i = 0; i < authorities.length; i++) { |
|
1778 |
ret[i] = authorities[i].getX500Principal(); |
|
1779 |
} |
|
1780 |
return ret; |
|
1781 |
} |
|
1782 |
||
7043 | 1783 |
Collection<SignatureAndHashAlgorithm> getSignAlgorithms() { |
1784 |
return algorithms; |
|
1785 |
} |
|
1786 |
||
1787 |
@Override |
|
1788 |
int messageType() { |
|
1789 |
return ht_certificate_request; |
|
1790 |
} |
|
2 | 1791 |
|
7043 | 1792 |
@Override |
1793 |
int messageLength() { |
|
1794 |
int len = 1 + types.length + 2; |
|
1795 |
||
30904 | 1796 |
if (protocolVersion.useTLS12PlusSpec()) { |
7043 | 1797 |
len += algorithmsLen + 2; |
1798 |
} |
|
1799 |
||
1800 |
for (int i = 0; i < authorities.length; i++) { |
|
2 | 1801 |
len += authorities[i].length(); |
7043 | 1802 |
} |
1803 |
||
2 | 1804 |
return len; |
1805 |
} |
|
1806 |
||
7043 | 1807 |
@Override |
1808 |
void send(HandshakeOutStream output) throws IOException { |
|
1809 |
// put certificate_types |
|
1810 |
output.putBytes8(types); |
|
2 | 1811 |
|
7043 | 1812 |
// put supported_signature_algorithms |
30904 | 1813 |
if (protocolVersion.useTLS12PlusSpec()) { |
7043 | 1814 |
output.putInt16(algorithmsLen); |
1815 |
for (SignatureAndHashAlgorithm algorithm : algorithms) { |
|
1816 |
output.putInt8(algorithm.getHashValue()); // hash |
|
1817 |
output.putInt8(algorithm.getSignatureValue()); // signature |
|
1818 |
} |
|
1819 |
} |
|
1820 |
||
1821 |
// put certificate_authorities |
|
1822 |
int len = 0; |
|
1823 |
for (int i = 0; i < authorities.length; i++) { |
|
2 | 1824 |
len += authorities[i].length(); |
7043 | 1825 |
} |
2 | 1826 |
|
1827 |
output.putInt16(len); |
|
7043 | 1828 |
for (int i = 0; i < authorities.length; i++) { |
2 | 1829 |
authorities[i].send(output); |
7043 | 1830 |
} |
2 | 1831 |
} |
1832 |
||
7043 | 1833 |
@Override |
1834 |
void print(PrintStream s) throws IOException { |
|
2 | 1835 |
s.println("*** CertificateRequest"); |
1836 |
||
1837 |
if (debug != null && Debug.isOn("verbose")) { |
|
1838 |
s.print("Cert Types: "); |
|
1839 |
for (int i = 0; i < types.length; i++) { |
|
1840 |
switch (types[i]) { |
|
1841 |
case cct_rsa_sign: |
|
1842 |
s.print("RSA"); break; |
|
1843 |
case cct_dss_sign: |
|
1844 |
s.print("DSS"); break; |
|
1845 |
case cct_rsa_fixed_dh: |
|
1846 |
s.print("Fixed DH (RSA sig)"); break; |
|
1847 |
case cct_dss_fixed_dh: |
|
1848 |
s.print("Fixed DH (DSS sig)"); break; |
|
1849 |
case cct_rsa_ephemeral_dh: |
|
1850 |
s.print("Ephemeral DH (RSA sig)"); break; |
|
1851 |
case cct_dss_ephemeral_dh: |
|
1852 |
s.print("Ephemeral DH (DSS sig)"); break; |
|
1853 |
case cct_ecdsa_sign: |
|
1854 |
s.print("ECDSA"); break; |
|
1855 |
case cct_rsa_fixed_ecdh: |
|
1856 |
s.print("Fixed ECDH (RSA sig)"); break; |
|
1857 |
case cct_ecdsa_fixed_ecdh: |
|
1858 |
s.print("Fixed ECDH (ECDSA sig)"); break; |
|
1859 |
default: |
|
1860 |
s.print("Type-" + (types[i] & 0xff)); break; |
|
1861 |
} |
|
1862 |
if (i != types.length - 1) { |
|
1863 |
s.print(", "); |
|
1864 |
} |
|
1865 |
} |
|
1866 |
s.println(); |
|
1867 |
||
30904 | 1868 |
if (protocolVersion.useTLS12PlusSpec()) { |
24969
afa6934dd8e8
8041679: Replace uses of StringBuffer with StringBuilder within core library classes
psandoz
parents:
16100
diff
changeset
|
1869 |
StringBuilder sb = new StringBuilder(); |
7043 | 1870 |
boolean opened = false; |
1871 |
for (SignatureAndHashAlgorithm signAlg : algorithms) { |
|
1872 |
if (opened) { |
|
27957
24b4e6082f19
8055723: Replace concat String to append in StringBuilder parameters (dev)
weijun
parents:
27804
diff
changeset
|
1873 |
sb.append(", ").append(signAlg.getAlgorithmName()); |
7043 | 1874 |
} else { |
24969
afa6934dd8e8
8041679: Replace uses of StringBuffer with StringBuilder within core library classes
psandoz
parents:
16100
diff
changeset
|
1875 |
sb.append(signAlg.getAlgorithmName()); |
7043 | 1876 |
opened = true; |
1877 |
} |
|
1878 |
} |
|
24969
afa6934dd8e8
8041679: Replace uses of StringBuffer with StringBuilder within core library classes
psandoz
parents:
16100
diff
changeset
|
1879 |
s.println("Supported Signature Algorithms: " + sb); |
7043 | 1880 |
} |
1881 |
||
2 | 1882 |
s.println("Cert Authorities:"); |
7039 | 1883 |
if (authorities.length == 0) { |
1884 |
s.println("<Empty>"); |
|
1885 |
} else { |
|
1886 |
for (int i = 0; i < authorities.length; i++) { |
|
1887 |
authorities[i].print(s); |
|
1888 |
} |
|
1889 |
} |
|
2 | 1890 |
} |
1891 |
} |
|
1892 |
} |
|
1893 |
||
1894 |
||
1895 |
/* |
|
1896 |
* ServerHelloDone ... SERVER --> CLIENT |
|
1897 |
* |
|
1898 |
* When server's done sending its messages in response to the client's |
|
1899 |
* "hello" (e.g. its own hello, certificate, key exchange message, perhaps |
|
1900 |
* client certificate request) it sends this message to flag that it's |
|
1901 |
* done that part of the handshake. |
|
1902 |
*/ |
|
1903 |
static final |
|
1904 |
class ServerHelloDone extends HandshakeMessage |
|
1905 |
{ |
|
14664
e71aa0962e70
8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents:
14194
diff
changeset
|
1906 |
@Override |
2 | 1907 |
int messageType() { return ht_server_hello_done; } |
1908 |
||
1909 |
ServerHelloDone() { } |
|
1910 |
||
1911 |
ServerHelloDone(HandshakeInStream input) |
|
1912 |
{ |
|
1913 |
// nothing to do |
|
1914 |
} |
|
1915 |
||
14664
e71aa0962e70
8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents:
14194
diff
changeset
|
1916 |
@Override |
2 | 1917 |
int messageLength() |
1918 |
{ |
|
1919 |
return 0; |
|
1920 |
} |
|
1921 |
||
14664
e71aa0962e70
8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents:
14194
diff
changeset
|
1922 |
@Override |
2 | 1923 |
void send(HandshakeOutStream s) throws IOException |
1924 |
{ |
|
1925 |
// nothing to send |
|
1926 |
} |
|
1927 |
||
14664
e71aa0962e70
8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents:
14194
diff
changeset
|
1928 |
@Override |
2 | 1929 |
void print(PrintStream s) throws IOException |
1930 |
{ |
|
1931 |
s.println("*** ServerHelloDone"); |
|
1932 |
} |
|
1933 |
} |
|
1934 |
||
1935 |
||
1936 |
/* |
|
1937 |
* CertificateVerify ... CLIENT --> SERVER |
|
1938 |
* |
|
1939 |
* Sent after client sends signature-capable certificates (e.g. not |
|
1940 |
* Diffie-Hellman) to verify. |
|
1941 |
*/ |
|
1942 |
static final class CertificateVerify extends HandshakeMessage { |
|
1943 |
||
7043 | 1944 |
// the signature bytes |
1945 |
private byte[] signature; |
|
2 | 1946 |
|
35298 | 1947 |
// protocol version being established using this CertificateVerify message |
7043 | 1948 |
ProtocolVersion protocolVersion; |
1949 |
||
1950 |
// the preferable signature algorithm used by this CertificateVerify message |
|
1951 |
private SignatureAndHashAlgorithm preferableSignatureAlgorithm = null; |
|
2 | 1952 |
|
1953 |
/* |
|
1954 |
* Create an RSA or DSA signed certificate verify message. |
|
1955 |
*/ |
|
7043 | 1956 |
CertificateVerify(ProtocolVersion protocolVersion, |
1957 |
HandshakeHash handshakeHash, PrivateKey privateKey, |
|
1958 |
SecretKey masterSecret, SecureRandom sr, |
|
1959 |
SignatureAndHashAlgorithm signAlgorithm) |
|
1960 |
throws GeneralSecurityException { |
|
1961 |
||
1962 |
this.protocolVersion = protocolVersion; |
|
1963 |
||
2 | 1964 |
String algorithm = privateKey.getAlgorithm(); |
7043 | 1965 |
Signature sig = null; |
30904 | 1966 |
if (protocolVersion.useTLS12PlusSpec()) { |
7043 | 1967 |
this.preferableSignatureAlgorithm = signAlgorithm; |
1968 |
sig = JsseJce.getSignature(signAlgorithm.getAlgorithmName()); |
|
1969 |
} else { |
|
1970 |
sig = getSignature(protocolVersion, algorithm); |
|
1971 |
} |
|
2 | 1972 |
sig.initSign(privateKey, sr); |
1973 |
updateSignature(sig, protocolVersion, handshakeHash, algorithm, |
|
1974 |
masterSecret); |
|
1975 |
signature = sig.sign(); |
|
1976 |
} |
|
1977 |
||
1978 |
// |
|
1979 |
// Unmarshal the signed data from the input stream. |
|
1980 |
// |
|
7043 | 1981 |
CertificateVerify(HandshakeInStream input, |
1982 |
Collection<SignatureAndHashAlgorithm> localSupportedSignAlgs, |
|
1983 |
ProtocolVersion protocolVersion) throws IOException { |
|
1984 |
||
1985 |
this.protocolVersion = protocolVersion; |
|
1986 |
||
1987 |
// read the signature and hash algorithm |
|
30904 | 1988 |
if (protocolVersion.useTLS12PlusSpec()) { |
7043 | 1989 |
int hashAlg = input.getInt8(); // hash algorithm |
1990 |
int signAlg = input.getInt8(); // signature algorithm |
|
1991 |
||
1992 |
preferableSignatureAlgorithm = |
|
1993 |
SignatureAndHashAlgorithm.valueOf(hashAlg, signAlg, 0); |
|
1994 |
||
1995 |
// Is it a local supported signature algorithm? |
|
1996 |
if (!localSupportedSignAlgs.contains( |
|
1997 |
preferableSignatureAlgorithm)) { |
|
1998 |
throw new SSLHandshakeException( |
|
36952
4500612ce068
8153531: Improve exception messaging for RSAClientKeyExchange
coffeys
parents:
36442
diff
changeset
|
1999 |
"Unsupported SignatureAndHashAlgorithm in " + |
4500612ce068
8153531: Improve exception messaging for RSAClientKeyExchange
coffeys
parents:
36442
diff
changeset
|
2000 |
"CertificateVerify message: " + preferableSignatureAlgorithm); |
7043 | 2001 |
} |
2002 |
} |
|
2003 |
||
2004 |
// read the signature |
|
2 | 2005 |
signature = input.getBytes16(); |
2006 |
} |
|
2007 |
||
2008 |
/* |
|
7043 | 2009 |
* Get the preferable signature algorithm used by this message |
2010 |
*/ |
|
2011 |
SignatureAndHashAlgorithm getPreferableSignatureAlgorithm() { |
|
2012 |
return preferableSignatureAlgorithm; |
|
2013 |
} |
|
2014 |
||
2015 |
/* |
|
2 | 2016 |
* Verify a certificate verify message. Return the result of verification, |
2017 |
* if there is a problem throw a GeneralSecurityException. |
|
2018 |
*/ |
|
2019 |
boolean verify(ProtocolVersion protocolVersion, |
|
2020 |
HandshakeHash handshakeHash, PublicKey publicKey, |
|
2021 |
SecretKey masterSecret) throws GeneralSecurityException { |
|
2022 |
String algorithm = publicKey.getAlgorithm(); |
|
7043 | 2023 |
Signature sig = null; |
30904 | 2024 |
if (protocolVersion.useTLS12PlusSpec()) { |
7043 | 2025 |
sig = JsseJce.getSignature( |
2026 |
preferableSignatureAlgorithm.getAlgorithmName()); |
|
2027 |
} else { |
|
2028 |
sig = getSignature(protocolVersion, algorithm); |
|
2029 |
} |
|
2 | 2030 |
sig.initVerify(publicKey); |
2031 |
updateSignature(sig, protocolVersion, handshakeHash, algorithm, |
|
2032 |
masterSecret); |
|
2033 |
return sig.verify(signature); |
|
2034 |
} |
|
2035 |
||
2036 |
/* |
|
2037 |
* Get the Signature object appropriate for verification using the |
|
2038 |
* given signature algorithm and protocol version. |
|
2039 |
*/ |
|
2040 |
private static Signature getSignature(ProtocolVersion protocolVersion, |
|
2041 |
String algorithm) throws GeneralSecurityException { |
|
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
8991
diff
changeset
|
2042 |
switch (algorithm) { |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
8991
diff
changeset
|
2043 |
case "RSA": |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
8991
diff
changeset
|
2044 |
return RSASignature.getInternalInstance(); |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
8991
diff
changeset
|
2045 |
case "DSA": |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
8991
diff
changeset
|
2046 |
return JsseJce.getSignature(JsseJce.SIGNATURE_RAWDSA); |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
8991
diff
changeset
|
2047 |
case "EC": |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
8991
diff
changeset
|
2048 |
return JsseJce.getSignature(JsseJce.SIGNATURE_RAWECDSA); |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
8991
diff
changeset
|
2049 |
default: |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
8991
diff
changeset
|
2050 |
throw new SignatureException("Unrecognized algorithm: " |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
8991
diff
changeset
|
2051 |
+ algorithm); |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
8991
diff
changeset
|
2052 |
} |
2 | 2053 |
} |
2054 |
||
2055 |
/* |
|
2056 |
* Update the Signature with the data appropriate for the given |
|
2057 |
* signature algorithm and protocol version so that the object is |
|
2058 |
* ready for signing or verifying. |
|
2059 |
*/ |
|
2060 |
private static void updateSignature(Signature sig, |
|
2061 |
ProtocolVersion protocolVersion, |
|
2062 |
HandshakeHash handshakeHash, String algorithm, SecretKey masterKey) |
|
2063 |
throws SignatureException { |
|
7043 | 2064 |
|
2 | 2065 |
if (algorithm.equals("RSA")) { |
30904 | 2066 |
if (!protocolVersion.useTLS12PlusSpec()) { // TLS1.1- |
7043 | 2067 |
MessageDigest md5Clone = handshakeHash.getMD5Clone(); |
2068 |
MessageDigest shaClone = handshakeHash.getSHAClone(); |
|
2069 |
||
30904 | 2070 |
if (!protocolVersion.useTLS10PlusSpec()) { // SSLv3 |
7043 | 2071 |
updateDigest(md5Clone, MD5_pad1, MD5_pad2, masterKey); |
2072 |
updateDigest(shaClone, SHA_pad1, SHA_pad2, masterKey); |
|
2073 |
} |
|
2074 |
||
2075 |
// The signature must be an instance of RSASignature, need |
|
2076 |
// to use these hashes directly. |
|
2077 |
RSASignature.setHashes(sig, md5Clone, shaClone); |
|
2078 |
} else { // TLS1.2+ |
|
2079 |
sig.update(handshakeHash.getAllHandshakeMessages()); |
|
2 | 2080 |
} |
2081 |
} else { // DSA, ECDSA |
|
30904 | 2082 |
if (!protocolVersion.useTLS12PlusSpec()) { // TLS1.1- |
7043 | 2083 |
MessageDigest shaClone = handshakeHash.getSHAClone(); |
2084 |
||
30904 | 2085 |
if (!protocolVersion.useTLS10PlusSpec()) { // SSLv3 |
7043 | 2086 |
updateDigest(shaClone, SHA_pad1, SHA_pad2, masterKey); |
2087 |
} |
|
2088 |
||
2089 |
sig.update(shaClone.digest()); |
|
2090 |
} else { // TLS1.2+ |
|
2091 |
sig.update(handshakeHash.getAllHandshakeMessages()); |
|
2 | 2092 |
} |
2093 |
} |
|
2094 |
} |
|
2095 |
||
2096 |
/* |
|
2097 |
* Update the MessageDigest for SSLv3 certificate verify or finished |
|
2098 |
* message calculation. The digest must already have been updated with |
|
2099 |
* all preceding handshake messages. |
|
2100 |
* Used by the Finished class as well. |
|
2101 |
*/ |
|
7043 | 2102 |
private static void updateDigest(MessageDigest md, |
2103 |
byte[] pad1, byte[] pad2, |
|
2 | 2104 |
SecretKey masterSecret) { |
2105 |
// Digest the key bytes if available. |
|
2106 |
// Otherwise (sensitive key), try digesting the key directly. |
|
2107 |
// That is currently only implemented in SunPKCS11 using a private |
|
2108 |
// reflection API, so we avoid that if possible. |
|
2109 |
byte[] keyBytes = "RAW".equals(masterSecret.getFormat()) |
|
2110 |
? masterSecret.getEncoded() : null; |
|
2111 |
if (keyBytes != null) { |
|
2112 |
md.update(keyBytes); |
|
2113 |
} else { |
|
2114 |
digestKey(md, masterSecret); |
|
2115 |
} |
|
2116 |
md.update(pad1); |
|
2117 |
byte[] temp = md.digest(); |
|
2118 |
||
2119 |
if (keyBytes != null) { |
|
2120 |
md.update(keyBytes); |
|
2121 |
} else { |
|
2122 |
digestKey(md, masterSecret); |
|
2123 |
} |
|
2124 |
md.update(pad2); |
|
2125 |
md.update(temp); |
|
2126 |
} |
|
2127 |
||
2128 |
private static void digestKey(MessageDigest md, SecretKey key) { |
|
2129 |
try { |
|
41471
18c0f074ed97
8165275: Replace the reflective call to the implUpdate method in HandshakeMessage::digestKey
valeriep
parents:
39563
diff
changeset
|
2130 |
if (md instanceof MessageDigestSpi2) { |
18c0f074ed97
8165275: Replace the reflective call to the implUpdate method in HandshakeMessage::digestKey
valeriep
parents:
39563
diff
changeset
|
2131 |
((MessageDigestSpi2)md).engineUpdate(key); |
18c0f074ed97
8165275: Replace the reflective call to the implUpdate method in HandshakeMessage::digestKey
valeriep
parents:
39563
diff
changeset
|
2132 |
} else { |
7043 | 2133 |
throw new Exception( |
2134 |
"Digest does not support implUpdate(SecretKey)"); |
|
2 | 2135 |
} |
2136 |
} catch (Exception e) { |
|
7043 | 2137 |
throw new RuntimeException( |
2138 |
"Could not obtain encoded key and " |
|
2139 |
+ "MessageDigest cannot digest key", e); |
|
2 | 2140 |
} |
2141 |
} |
|
2142 |
||
7043 | 2143 |
@Override |
2144 |
int messageType() { |
|
2145 |
return ht_certificate_verify; |
|
2 | 2146 |
} |
2147 |
||
7043 | 2148 |
@Override |
2149 |
int messageLength() { |
|
2150 |
int temp = 2; |
|
2151 |
||
30904 | 2152 |
if (protocolVersion.useTLS12PlusSpec()) { |
7043 | 2153 |
temp += SignatureAndHashAlgorithm.sizeInRecord(); |
2154 |
} |
|
2155 |
||
2156 |
return temp + signature.length; |
|
2157 |
} |
|
2158 |
||
2159 |
@Override |
|
2 | 2160 |
void send(HandshakeOutStream s) throws IOException { |
30904 | 2161 |
if (protocolVersion.useTLS12PlusSpec()) { |
7043 | 2162 |
s.putInt8(preferableSignatureAlgorithm.getHashValue()); |
2163 |
s.putInt8(preferableSignatureAlgorithm.getSignatureValue()); |
|
2164 |
} |
|
2165 |
||
2 | 2166 |
s.putBytes16(signature); |
2167 |
} |
|
2168 |
||
7043 | 2169 |
@Override |
2 | 2170 |
void print(PrintStream s) throws IOException { |
2171 |
s.println("*** CertificateVerify"); |
|
7043 | 2172 |
|
2173 |
if (debug != null && Debug.isOn("verbose")) { |
|
30904 | 2174 |
if (protocolVersion.useTLS12PlusSpec()) { |
7043 | 2175 |
s.println("Signature Algorithm " + |
2176 |
preferableSignatureAlgorithm.getAlgorithmName()); |
|
2177 |
} |
|
2178 |
} |
|
2 | 2179 |
} |
2180 |
} |
|
2181 |
||
2182 |
||
2183 |
/* |
|
2184 |
* FINISHED ... sent by both CLIENT and SERVER |
|
2185 |
* |
|
2186 |
* This is the FINISHED message as defined in the SSL and TLS protocols. |
|
2187 |
* Both protocols define this handshake message slightly differently. |
|
2188 |
* This class supports both formats. |
|
2189 |
* |
|
2190 |
* When handshaking is finished, each side sends a "change_cipher_spec" |
|
2191 |
* record, then immediately sends a "finished" handshake message prepared |
|
2192 |
* according to the newly adopted cipher spec. |
|
2193 |
* |
|
2194 |
* NOTE that until this is sent, no application data may be passed, unless |
|
2195 |
* some non-default cipher suite has already been set up on this connection |
|
2196 |
* connection (e.g. a previous handshake arranged one). |
|
2197 |
*/ |
|
2198 |
static final class Finished extends HandshakeMessage { |
|
2199 |
||
2200 |
// constant for a Finished message sent by the client |
|
32649
2ee9017c7597
8136583: Core libraries should use blessed modifier order
martin
parents:
32032
diff
changeset
|
2201 |
static final int CLIENT = 1; |
2 | 2202 |
|
2203 |
// constant for a Finished message sent by the server |
|
32649
2ee9017c7597
8136583: Core libraries should use blessed modifier order
martin
parents:
32032
diff
changeset
|
2204 |
static final int SERVER = 2; |
2 | 2205 |
|
2206 |
// enum Sender: "CLNT" and "SRVR" |
|
2207 |
private static final byte[] SSL_CLIENT = { 0x43, 0x4C, 0x4E, 0x54 }; |
|
2208 |
private static final byte[] SSL_SERVER = { 0x53, 0x52, 0x56, 0x52 }; |
|
2209 |
||
2210 |
/* |
|
2211 |
* Contents of the finished message ("checksum"). For TLS, it |
|
2212 |
* is 12 bytes long, for SSLv3 36 bytes. |
|
2213 |
*/ |
|
2214 |
private byte[] verifyData; |
|
2215 |
||
2216 |
/* |
|
7043 | 2217 |
* Current cipher suite we are negotiating. TLS 1.2 has |
2218 |
* ciphersuite-defined PRF algorithms. |
|
2219 |
*/ |
|
2220 |
private ProtocolVersion protocolVersion; |
|
2221 |
private CipherSuite cipherSuite; |
|
2222 |
||
2223 |
/* |
|
2 | 2224 |
* Create a finished message to send to the remote peer. |
2225 |
*/ |
|
2226 |
Finished(ProtocolVersion protocolVersion, HandshakeHash handshakeHash, |
|
7043 | 2227 |
int sender, SecretKey master, CipherSuite cipherSuite) { |
2228 |
this.protocolVersion = protocolVersion; |
|
2229 |
this.cipherSuite = cipherSuite; |
|
2230 |
verifyData = getFinished(handshakeHash, sender, master); |
|
2 | 2231 |
} |
2232 |
||
2233 |
/* |
|
2234 |
* Constructor that reads FINISHED message from stream. |
|
2235 |
*/ |
|
7043 | 2236 |
Finished(ProtocolVersion protocolVersion, HandshakeInStream input, |
2237 |
CipherSuite cipherSuite) throws IOException { |
|
2238 |
this.protocolVersion = protocolVersion; |
|
2239 |
this.cipherSuite = cipherSuite; |
|
30904 | 2240 |
int msgLen = protocolVersion.useTLS10PlusSpec() ? 12 : 36; |
2 | 2241 |
verifyData = new byte[msgLen]; |
2242 |
input.read(verifyData); |
|
2243 |
} |
|
2244 |
||
2245 |
/* |
|
2246 |
* Verify that the hashes here are what would have been produced |
|
2247 |
* according to a given set of inputs. This is used to ensure that |
|
2248 |
* both client and server are fully in sync, and that the handshake |
|
2249 |
* computations have been successful. |
|
2250 |
*/ |
|
7043 | 2251 |
boolean verify(HandshakeHash handshakeHash, int sender, SecretKey master) { |
2252 |
byte[] myFinished = getFinished(handshakeHash, sender, master); |
|
31695 | 2253 |
return MessageDigest.isEqual(myFinished, verifyData); |
2 | 2254 |
} |
2255 |
||
2256 |
/* |
|
2257 |
* Perform the actual finished message calculation. |
|
2258 |
*/ |
|
7043 | 2259 |
private byte[] getFinished(HandshakeHash handshakeHash, |
2260 |
int sender, SecretKey masterKey) { |
|
2 | 2261 |
byte[] sslLabel; |
2262 |
String tlsLabel; |
|
2263 |
if (sender == CLIENT) { |
|
2264 |
sslLabel = SSL_CLIENT; |
|
2265 |
tlsLabel = "client finished"; |
|
2266 |
} else if (sender == SERVER) { |
|
2267 |
sslLabel = SSL_SERVER; |
|
2268 |
tlsLabel = "server finished"; |
|
2269 |
} else { |
|
2270 |
throw new RuntimeException("Invalid sender: " + sender); |
|
2271 |
} |
|
7043 | 2272 |
|
30904 | 2273 |
if (protocolVersion.useTLS10PlusSpec()) { |
7043 | 2274 |
// TLS 1.0+ |
2 | 2275 |
try { |
31538
0981099a3e54
8130022: Use Java-style array declarations consistently
igerasim
parents:
30904
diff
changeset
|
2276 |
byte[] seed; |
7043 | 2277 |
String prfAlg; |
2278 |
PRF prf; |
|
2279 |
||
2280 |
// Get the KeyGenerator alg and calculate the seed. |
|
30904 | 2281 |
if (protocolVersion.useTLS12PlusSpec()) { |
2282 |
// TLS 1.2+ or DTLS 1.2+ |
|
7043 | 2283 |
seed = handshakeHash.getFinishedHash(); |
2284 |
||
2285 |
prfAlg = "SunTls12Prf"; |
|
2286 |
prf = cipherSuite.prfAlg; |
|
2287 |
} else { |
|
30904 | 2288 |
// TLS 1.0/1.1, DTLS 1.0 |
7043 | 2289 |
MessageDigest md5Clone = handshakeHash.getMD5Clone(); |
2290 |
MessageDigest shaClone = handshakeHash.getSHAClone(); |
|
2291 |
seed = new byte[36]; |
|
2292 |
md5Clone.digest(seed, 0, 16); |
|
2293 |
shaClone.digest(seed, 16, 20); |
|
2 | 2294 |
|
7043 | 2295 |
prfAlg = "SunTlsPrf"; |
2296 |
prf = P_NONE; |
|
2297 |
} |
|
2298 |
||
2299 |
String prfHashAlg = prf.getPRFHashAlg(); |
|
2300 |
int prfHashLength = prf.getPRFHashLength(); |
|
2301 |
int prfBlockSize = prf.getPRFBlockSize(); |
|
2302 |
||
2303 |
/* |
|
2304 |
* RFC 5246/7.4.9 says that finished messages can |
|
2305 |
* be ciphersuite-specific in both length/PRF hash |
|
2306 |
* algorithm. If we ever run across a different |
|
2307 |
* length, this call will need to be updated. |
|
2308 |
*/ |
|
27804
4659e70271c4
8066617: Suppress deprecation warnings in java.base module
darcy
parents:
25859
diff
changeset
|
2309 |
@SuppressWarnings("deprecation") |
7043 | 2310 |
TlsPrfParameterSpec spec = new TlsPrfParameterSpec( |
2311 |
masterKey, tlsLabel, seed, 12, |
|
2312 |
prfHashAlg, prfHashLength, prfBlockSize); |
|
2313 |
||
2314 |
KeyGenerator kg = JsseJce.getKeyGenerator(prfAlg); |
|
2315 |
kg.init(spec); |
|
2316 |
SecretKey prfKey = kg.generateKey(); |
|
2 | 2317 |
if ("RAW".equals(prfKey.getFormat()) == false) { |
7043 | 2318 |
throw new ProviderException( |
36952
4500612ce068
8153531: Improve exception messaging for RSAClientKeyExchange
coffeys
parents:
36442
diff
changeset
|
2319 |
"Invalid PRF output, format must be RAW. " + |
4500612ce068
8153531: Improve exception messaging for RSAClientKeyExchange
coffeys
parents:
36442
diff
changeset
|
2320 |
"Format received: " + prfKey.getFormat()); |
2 | 2321 |
} |
2322 |
byte[] finished = prfKey.getEncoded(); |
|
2323 |
return finished; |
|
2324 |
} catch (GeneralSecurityException e) { |
|
2325 |
throw new RuntimeException("PRF failed", e); |
|
2326 |
} |
|
2327 |
} else { |
|
2328 |
// SSLv3 |
|
7043 | 2329 |
MessageDigest md5Clone = handshakeHash.getMD5Clone(); |
2330 |
MessageDigest shaClone = handshakeHash.getSHAClone(); |
|
2 | 2331 |
updateDigest(md5Clone, sslLabel, MD5_pad1, MD5_pad2, masterKey); |
2332 |
updateDigest(shaClone, sslLabel, SHA_pad1, SHA_pad2, masterKey); |
|
2333 |
byte[] finished = new byte[36]; |
|
2334 |
try { |
|
2335 |
md5Clone.digest(finished, 0, 16); |
|
2336 |
shaClone.digest(finished, 16, 20); |
|
2337 |
} catch (DigestException e) { |
|
2338 |
// cannot occur |
|
2339 |
throw new RuntimeException("Digest failed", e); |
|
2340 |
} |
|
2341 |
return finished; |
|
2342 |
} |
|
2343 |
} |
|
2344 |
||
2345 |
/* |
|
2346 |
* Update the MessageDigest for SSLv3 finished message calculation. |
|
2347 |
* The digest must already have been updated with all preceding handshake |
|
2348 |
* messages. This operation is almost identical to the certificate verify |
|
2349 |
* hash, reuse that code. |
|
2350 |
*/ |
|
2351 |
private static void updateDigest(MessageDigest md, byte[] sender, |
|
2352 |
byte[] pad1, byte[] pad2, SecretKey masterSecret) { |
|
2353 |
md.update(sender); |
|
2354 |
CertificateVerify.updateDigest(md, pad1, pad2, masterSecret); |
|
2355 |
} |
|
2356 |
||
6856 | 2357 |
// get the verify_data of the finished message |
2358 |
byte[] getVerifyData() { |
|
2359 |
return verifyData; |
|
2360 |
} |
|
2361 |
||
2362 |
@Override |
|
2363 |
int messageType() { return ht_finished; } |
|
2364 |
||
2365 |
@Override |
|
2 | 2366 |
int messageLength() { |
2367 |
return verifyData.length; |
|
2368 |
} |
|
2369 |
||
6856 | 2370 |
@Override |
2 | 2371 |
void send(HandshakeOutStream out) throws IOException { |
2372 |
out.write(verifyData); |
|
2373 |
} |
|
2374 |
||
6856 | 2375 |
@Override |
2 | 2376 |
void print(PrintStream s) throws IOException { |
2377 |
s.println("*** Finished"); |
|
2378 |
if (debug != null && Debug.isOn("verbose")) { |
|
2379 |
Debug.println(s, "verify_data", verifyData); |
|
2380 |
s.println("***"); |
|
2381 |
} |
|
2382 |
} |
|
2383 |
} |
|
2384 |
||
2385 |
// |
|
2386 |
// END of nested classes |
|
2387 |
// |
|
2388 |
||
2389 |
} |