1 /* |
|
2 * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved. |
|
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
|
4 * |
|
5 * This code is free software; you can redistribute it and/or modify it |
|
6 * under the terms of the GNU General Public License version 2 only, as |
|
7 * published by the Free Software Foundation. Oracle designates this |
|
8 * particular file as subject to the "Classpath" exception as provided |
|
9 * by Oracle in the LICENSE file that accompanied this code. |
|
10 * |
|
11 * This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 * version 2 for more details (a copy is included in the LICENSE file that |
|
15 * accompanied this code). |
|
16 * |
|
17 * You should have received a copy of the GNU General Public License version |
|
18 * 2 along with this work; if not, write to the Free Software Foundation, |
|
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 * |
|
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
|
22 * or visit www.oracle.com if you need additional information or have any |
|
23 * questions. |
|
24 */ |
|
25 |
|
26 package sun.security.ssl; |
|
27 |
|
28 import java.io.*; |
|
29 import java.math.BigInteger; |
|
30 import java.security.*; |
|
31 import java.security.interfaces.*; |
|
32 import java.security.spec.*; |
|
33 import java.security.cert.*; |
|
34 import java.security.cert.Certificate; |
|
35 import java.util.*; |
|
36 import java.util.concurrent.ConcurrentHashMap; |
|
37 |
|
38 import java.lang.reflect.*; |
|
39 |
|
40 import javax.security.auth.x500.X500Principal; |
|
41 |
|
42 import javax.crypto.KeyGenerator; |
|
43 import javax.crypto.SecretKey; |
|
44 import javax.crypto.spec.DHPublicKeySpec; |
|
45 |
|
46 import javax.net.ssl.*; |
|
47 |
|
48 import sun.security.internal.spec.TlsPrfParameterSpec; |
|
49 import sun.security.ssl.CipherSuite.*; |
|
50 import static sun.security.ssl.CipherSuite.PRF.*; |
|
51 import sun.security.util.KeyUtil; |
|
52 import sun.security.util.MessageDigestSpi2; |
|
53 import sun.security.provider.certpath.OCSPResponse; |
|
54 |
|
55 /** |
|
56 * Many data structures are involved in the handshake messages. These |
|
57 * classes are used as structures, with public data members. They are |
|
58 * not visible outside the SSL package. |
|
59 * |
|
60 * Handshake messages all have a common header format, and they are all |
|
61 * encoded in a "handshake data" SSL record substream. The base class |
|
62 * here (HandshakeMessage) provides a common framework and records the |
|
63 * SSL record type of the particular handshake message. |
|
64 * |
|
65 * This file contains subclasses for all the basic handshake messages. |
|
66 * All handshake messages know how to encode and decode themselves on |
|
67 * SSL streams; this facilitates using the same code on SSL client and |
|
68 * server sides, although they don't send and receive the same messages. |
|
69 * |
|
70 * Messages also know how to print themselves, which is quite handy |
|
71 * for debugging. They always identify their type, and can optionally |
|
72 * dump all of their content. |
|
73 * |
|
74 * @author David Brownell |
|
75 */ |
|
76 public abstract class HandshakeMessage { |
|
77 |
|
78 /* Class and subclass dynamic debugging support */ |
|
79 public static final Debug debug = Debug.getInstance("ssl"); |
|
80 |
|
81 // enum HandshakeType: |
|
82 // |
|
83 // Please update the isUnsupported() method accordingly if the handshake |
|
84 // types get updated in the future. |
|
85 static final byte ht_hello_request = 0; // RFC 5246 |
|
86 static final byte ht_client_hello = 1; // RFC 5246 |
|
87 static final byte ht_server_hello = 2; // RFC 5246 |
|
88 static final byte ht_hello_verify_request = 3; // RFC 6347 |
|
89 static final byte ht_new_session_ticket = 4; // RFC 4507 |
|
90 |
|
91 static final byte ht_certificate = 11; // RFC 5246 |
|
92 static final byte ht_server_key_exchange = 12; // RFC 5246 |
|
93 static final byte ht_certificate_request = 13; // RFC 5246 |
|
94 static final byte ht_server_hello_done = 14; // RFC 5246 |
|
95 static final byte ht_certificate_verify = 15; // RFC 5246 |
|
96 static final byte ht_client_key_exchange = 16; // RFC 5246 |
|
97 |
|
98 static final byte ht_finished = 20; // RFC 5246 |
|
99 static final byte ht_certificate_url = 21; // RFC 6066 |
|
100 static final byte ht_certificate_status = 22; // RFC 6066 |
|
101 static final byte ht_supplemental_data = 23; // RFC 4680 |
|
102 |
|
103 static final byte ht_not_applicable = -1; // N/A |
|
104 |
|
105 /* |
|
106 * SSL 3.0 MAC padding constants. |
|
107 * Also used by CertificateVerify and Finished during the handshake. |
|
108 */ |
|
109 static final byte[] MD5_pad1 = genPad(0x36, 48); |
|
110 static final byte[] MD5_pad2 = genPad(0x5c, 48); |
|
111 |
|
112 static final byte[] SHA_pad1 = genPad(0x36, 40); |
|
113 static final byte[] SHA_pad2 = genPad(0x5c, 40); |
|
114 |
|
115 // default constructor |
|
116 HandshakeMessage() { |
|
117 } |
|
118 |
|
119 /** |
|
120 * Utility method to convert a BigInteger to a byte array in unsigned |
|
121 * format as needed in the handshake messages. BigInteger uses |
|
122 * 2's complement format, i.e. it prepends an extra zero if the MSB |
|
123 * is set. We remove that. |
|
124 */ |
|
125 static byte[] toByteArray(BigInteger bi) { |
|
126 byte[] b = bi.toByteArray(); |
|
127 if ((b.length > 1) && (b[0] == 0)) { |
|
128 int n = b.length - 1; |
|
129 byte[] newarray = new byte[n]; |
|
130 System.arraycopy(b, 1, newarray, 0, n); |
|
131 b = newarray; |
|
132 } |
|
133 return b; |
|
134 } |
|
135 |
|
136 static boolean isUnsupported(byte handshakeType) { |
|
137 return (handshakeType != ht_hello_request) && |
|
138 (handshakeType != ht_client_hello) && |
|
139 (handshakeType != ht_server_hello) && |
|
140 (handshakeType != ht_hello_verify_request) && |
|
141 (handshakeType != ht_new_session_ticket) && |
|
142 (handshakeType != ht_certificate) && |
|
143 (handshakeType != ht_server_key_exchange) && |
|
144 (handshakeType != ht_certificate_request) && |
|
145 (handshakeType != ht_server_hello_done) && |
|
146 (handshakeType != ht_certificate_verify) && |
|
147 (handshakeType != ht_client_key_exchange) && |
|
148 (handshakeType != ht_finished) && |
|
149 (handshakeType != ht_certificate_url) && |
|
150 (handshakeType != ht_certificate_status) && |
|
151 (handshakeType != ht_supplemental_data); |
|
152 } |
|
153 |
|
154 private static byte[] genPad(int b, int count) { |
|
155 byte[] padding = new byte[count]; |
|
156 Arrays.fill(padding, (byte)b); |
|
157 return padding; |
|
158 } |
|
159 |
|
160 /* |
|
161 * Write a handshake message on the (handshake) output stream. |
|
162 * This is just a four byte header followed by the data. |
|
163 * |
|
164 * NOTE that huge messages -- notably, ones with huge cert |
|
165 * chains -- are handled correctly. |
|
166 */ |
|
167 final void write(HandshakeOutStream s) throws IOException { |
|
168 int len = messageLength(); |
|
169 if (len >= Record.OVERFLOW_OF_INT24) { |
|
170 throw new SSLException("Handshake message too big" |
|
171 + ", type = " + messageType() + ", len = " + len); |
|
172 } |
|
173 s.write(messageType()); |
|
174 s.putInt24(len); |
|
175 send(s); |
|
176 s.complete(); |
|
177 } |
|
178 |
|
179 /* |
|
180 * Subclasses implement these methods so those kinds of |
|
181 * messages can be emitted. Base class delegates to subclass. |
|
182 */ |
|
183 abstract int messageType(); |
|
184 abstract int messageLength(); |
|
185 abstract void send(HandshakeOutStream s) throws IOException; |
|
186 |
|
187 /* |
|
188 * Write a descriptive message on the output stream; for debugging. |
|
189 */ |
|
190 abstract void print(PrintStream p) throws IOException; |
|
191 |
|
192 // |
|
193 // NOTE: the rest of these classes are nested within this one, and are |
|
194 // imported by other classes in this package. There are a few other |
|
195 // handshake message classes, not neatly nested here because of current |
|
196 // licensing requirement for native (RSA) methods. They belong here, |
|
197 // but those native methods complicate things a lot! |
|
198 // |
|
199 |
|
200 |
|
201 /* |
|
202 * HelloRequest ... SERVER --> CLIENT |
|
203 * |
|
204 * Server can ask the client to initiate a new handshake, e.g. to change |
|
205 * session parameters after a connection has been (re)established. |
|
206 */ |
|
207 static final class HelloRequest extends HandshakeMessage { |
|
208 @Override |
|
209 int messageType() { return ht_hello_request; } |
|
210 |
|
211 HelloRequest() { } |
|
212 |
|
213 HelloRequest(HandshakeInStream in) throws IOException |
|
214 { |
|
215 // nothing in this message |
|
216 } |
|
217 |
|
218 @Override |
|
219 int messageLength() { return 0; } |
|
220 |
|
221 @Override |
|
222 void send(HandshakeOutStream out) throws IOException |
|
223 { |
|
224 // nothing in this messaage |
|
225 } |
|
226 |
|
227 @Override |
|
228 void print(PrintStream out) throws IOException |
|
229 { |
|
230 out.println("*** HelloRequest (empty)"); |
|
231 } |
|
232 |
|
233 } |
|
234 |
|
235 /* |
|
236 * HelloVerifyRequest ... SERVER --> CLIENT [DTLS only] |
|
237 * |
|
238 * The definition of HelloVerifyRequest is as follows: |
|
239 * |
|
240 * struct { |
|
241 * ProtocolVersion server_version; |
|
242 * opaque cookie<0..2^8-1>; |
|
243 * } HelloVerifyRequest; |
|
244 * |
|
245 * For DTLS protocols, once the client has transmitted the ClientHello message, |
|
246 * it expects to see a HelloVerifyRequest from the server. However, if the |
|
247 * server's message is lost, the client knows that either the ClientHello or |
|
248 * the HelloVerifyRequest has been lost and retransmits. [RFC 6347] |
|
249 */ |
|
250 static final class HelloVerifyRequest extends HandshakeMessage { |
|
251 ProtocolVersion protocolVersion; |
|
252 byte[] cookie; // 1 to 2^8 - 1 bytes |
|
253 |
|
254 HelloVerifyRequest(HelloCookieManager helloCookieManager, |
|
255 ClientHello clientHelloMsg) { |
|
256 |
|
257 this.protocolVersion = clientHelloMsg.protocolVersion; |
|
258 this.cookie = helloCookieManager.getCookie(clientHelloMsg); |
|
259 } |
|
260 |
|
261 HelloVerifyRequest( |
|
262 HandshakeInStream input, int messageLength) throws IOException { |
|
263 |
|
264 this.protocolVersion = |
|
265 ProtocolVersion.valueOf(input.getInt8(), input.getInt8()); |
|
266 this.cookie = input.getBytes8(); |
|
267 |
|
268 // Is it a valid cookie? |
|
269 HelloCookieManager.checkCookie(protocolVersion, cookie); |
|
270 } |
|
271 |
|
272 @Override |
|
273 int messageType() { |
|
274 return ht_hello_verify_request; |
|
275 } |
|
276 |
|
277 @Override |
|
278 int messageLength() { |
|
279 return 2 + cookie.length; // 2: the length of protocolVersion |
|
280 } |
|
281 |
|
282 @Override |
|
283 void send(HandshakeOutStream hos) throws IOException { |
|
284 hos.putInt8(protocolVersion.major); |
|
285 hos.putInt8(protocolVersion.minor); |
|
286 hos.putBytes8(cookie); |
|
287 } |
|
288 |
|
289 @Override |
|
290 void print(PrintStream out) throws IOException { |
|
291 out.println("*** HelloVerifyRequest"); |
|
292 if (debug != null && Debug.isOn("verbose")) { |
|
293 out.println("server_version: " + protocolVersion); |
|
294 Debug.println(out, "cookie", cookie); |
|
295 } |
|
296 } |
|
297 } |
|
298 |
|
299 /* |
|
300 * ClientHello ... CLIENT --> SERVER |
|
301 * |
|
302 * Client initiates handshake by telling server what it wants, and what it |
|
303 * can support (prioritized by what's first in the ciphe suite list). |
|
304 * |
|
305 * By RFC2246:7.4.1.2 it's explicitly anticipated that this message |
|
306 * will have more data added at the end ... e.g. what CAs the client trusts. |
|
307 * Until we know how to parse it, we will just read what we know |
|
308 * about, and let our caller handle the jumps over unknown data. |
|
309 */ |
|
310 static final class ClientHello extends HandshakeMessage { |
|
311 |
|
312 ProtocolVersion protocolVersion; |
|
313 RandomCookie clnt_random; |
|
314 SessionId sessionId; |
|
315 byte[] cookie; // DTLS only |
|
316 private CipherSuiteList cipherSuites; |
|
317 private final boolean isDTLS; |
|
318 byte[] compression_methods; |
|
319 |
|
320 HelloExtensions extensions = new HelloExtensions(); |
|
321 |
|
322 private static final byte[] NULL_COMPRESSION = new byte[] {0}; |
|
323 |
|
324 ClientHello(SecureRandom generator, ProtocolVersion protocolVersion, |
|
325 SessionId sessionId, CipherSuiteList cipherSuites, |
|
326 boolean isDTLS) { |
|
327 |
|
328 this.isDTLS = isDTLS; |
|
329 this.protocolVersion = protocolVersion; |
|
330 this.sessionId = sessionId; |
|
331 this.cipherSuites = cipherSuites; |
|
332 if (isDTLS) { |
|
333 this.cookie = new byte[0]; |
|
334 } else { |
|
335 this.cookie = null; |
|
336 } |
|
337 |
|
338 clnt_random = new RandomCookie(generator); |
|
339 compression_methods = NULL_COMPRESSION; |
|
340 } |
|
341 |
|
342 ClientHello(HandshakeInStream s, |
|
343 int messageLength, boolean isDTLS) throws IOException { |
|
344 |
|
345 this.isDTLS = isDTLS; |
|
346 |
|
347 protocolVersion = ProtocolVersion.valueOf(s.getInt8(), s.getInt8()); |
|
348 clnt_random = new RandomCookie(s); |
|
349 sessionId = new SessionId(s.getBytes8()); |
|
350 sessionId.checkLength(protocolVersion); |
|
351 if (isDTLS) { |
|
352 cookie = s.getBytes8(); |
|
353 } else { |
|
354 cookie = null; |
|
355 } |
|
356 |
|
357 cipherSuites = new CipherSuiteList(s); |
|
358 compression_methods = s.getBytes8(); |
|
359 if (messageLength() != messageLength) { |
|
360 extensions = new HelloExtensions(s); |
|
361 } |
|
362 } |
|
363 |
|
364 CipherSuiteList getCipherSuites() { |
|
365 return cipherSuites; |
|
366 } |
|
367 |
|
368 // add renegotiation_info extension |
|
369 void addRenegotiationInfoExtension(byte[] clientVerifyData) { |
|
370 HelloExtension renegotiationInfo = new RenegotiationInfoExtension( |
|
371 clientVerifyData, new byte[0]); |
|
372 extensions.add(renegotiationInfo); |
|
373 } |
|
374 |
|
375 // add server_name extension |
|
376 void addSNIExtension(List<SNIServerName> serverNames) { |
|
377 try { |
|
378 extensions.add(new ServerNameExtension(serverNames)); |
|
379 } catch (IOException ioe) { |
|
380 // ignore the exception and return |
|
381 } |
|
382 } |
|
383 |
|
384 // add signature_algorithm extension |
|
385 void addSignatureAlgorithmsExtension( |
|
386 Collection<SignatureAndHashAlgorithm> algorithms) { |
|
387 HelloExtension signatureAlgorithm = |
|
388 new SignatureAlgorithmsExtension(algorithms); |
|
389 extensions.add(signatureAlgorithm); |
|
390 } |
|
391 |
|
392 void addExtendedMasterSecretExtension() { |
|
393 extensions.add(new ExtendedMasterSecretExtension()); |
|
394 } |
|
395 |
|
396 void addMFLExtension(int maximumPacketSize) { |
|
397 HelloExtension maxFragmentLength = |
|
398 new MaxFragmentLengthExtension(maximumPacketSize); |
|
399 extensions.add(maxFragmentLength); |
|
400 } |
|
401 |
|
402 void updateHelloCookie(MessageDigest cookieDigest) { |
|
403 // |
|
404 // Just use HandshakeOutStream to compute the hello verify cookie. |
|
405 // Not actually used to output handshake message records. |
|
406 // |
|
407 HandshakeOutStream hos = new HandshakeOutStream(null); |
|
408 |
|
409 try { |
|
410 send(hos, false); // Do not count hello verify cookie. |
|
411 } catch (IOException ioe) { |
|
412 // unlikely to happen |
|
413 } |
|
414 |
|
415 cookieDigest.update(hos.toByteArray()); |
|
416 } |
|
417 |
|
418 // Add status_request extension type |
|
419 void addCertStatusRequestExtension() { |
|
420 extensions.add(new CertStatusReqExtension(StatusRequestType.OCSP, |
|
421 new OCSPStatusRequest())); |
|
422 } |
|
423 |
|
424 // Add status_request_v2 extension type |
|
425 void addCertStatusReqListV2Extension() { |
|
426 // Create a default OCSPStatusRequest that we can use for both |
|
427 // OCSP_MULTI and OCSP request list items. |
|
428 OCSPStatusRequest osr = new OCSPStatusRequest(); |
|
429 List<CertStatusReqItemV2> itemList = new ArrayList<>(2); |
|
430 itemList.add(new CertStatusReqItemV2(StatusRequestType.OCSP_MULTI, |
|
431 osr)); |
|
432 itemList.add(new CertStatusReqItemV2(StatusRequestType.OCSP, osr)); |
|
433 extensions.add(new CertStatusReqListV2Extension(itemList)); |
|
434 } |
|
435 |
|
436 // add application_layer_protocol_negotiation extension |
|
437 void addALPNExtension(String[] applicationProtocols) throws SSLException { |
|
438 extensions.add(new ALPNExtension(applicationProtocols)); |
|
439 } |
|
440 |
|
441 @Override |
|
442 int messageType() { return ht_client_hello; } |
|
443 |
|
444 @Override |
|
445 int messageLength() { |
|
446 /* |
|
447 * Add fixed size parts of each field... |
|
448 * version + random + session + cipher + compress |
|
449 */ |
|
450 return (2 + 32 + 1 + 2 + 1 |
|
451 + sessionId.length() /* ... + variable parts */ |
|
452 + (isDTLS ? (1 + cookie.length) : 0) |
|
453 + (cipherSuites.size() * 2) |
|
454 + compression_methods.length) |
|
455 + extensions.length(); |
|
456 } |
|
457 |
|
458 @Override |
|
459 void send(HandshakeOutStream s) throws IOException { |
|
460 send(s, true); // Count hello verify cookie. |
|
461 } |
|
462 |
|
463 @Override |
|
464 void print(PrintStream s) throws IOException { |
|
465 s.println("*** ClientHello, " + protocolVersion); |
|
466 |
|
467 if (debug != null && Debug.isOn("verbose")) { |
|
468 s.print("RandomCookie: "); |
|
469 clnt_random.print(s); |
|
470 |
|
471 s.print("Session ID: "); |
|
472 s.println(sessionId); |
|
473 |
|
474 if (isDTLS) { |
|
475 Debug.println(s, "cookie", cookie); |
|
476 } |
|
477 |
|
478 s.println("Cipher Suites: " + cipherSuites); |
|
479 |
|
480 Debug.println(s, "Compression Methods", compression_methods); |
|
481 extensions.print(s); |
|
482 s.println("***"); |
|
483 } |
|
484 } |
|
485 |
|
486 private void send(HandshakeOutStream s, |
|
487 boolean computeCookie) throws IOException { |
|
488 s.putInt8(protocolVersion.major); |
|
489 s.putInt8(protocolVersion.minor); |
|
490 clnt_random.send(s); |
|
491 s.putBytes8(sessionId.getId()); |
|
492 if (isDTLS && computeCookie) { |
|
493 s.putBytes8(cookie); |
|
494 } |
|
495 cipherSuites.send(s); |
|
496 s.putBytes8(compression_methods); |
|
497 extensions.send(s); |
|
498 } |
|
499 |
|
500 } |
|
501 |
|
502 /* |
|
503 * ServerHello ... SERVER --> CLIENT |
|
504 * |
|
505 * Server chooses protocol options from among those it supports and the |
|
506 * client supports. Then it sends the basic session descriptive parameters |
|
507 * back to the client. |
|
508 */ |
|
509 static final |
|
510 class ServerHello extends HandshakeMessage |
|
511 { |
|
512 @Override |
|
513 int messageType() { return ht_server_hello; } |
|
514 |
|
515 ProtocolVersion protocolVersion; |
|
516 RandomCookie svr_random; |
|
517 SessionId sessionId; |
|
518 CipherSuite cipherSuite; |
|
519 byte compression_method; |
|
520 HelloExtensions extensions = new HelloExtensions(); |
|
521 |
|
522 ServerHello() { |
|
523 // empty |
|
524 } |
|
525 |
|
526 ServerHello(HandshakeInStream input, int messageLength) |
|
527 throws IOException { |
|
528 protocolVersion = ProtocolVersion.valueOf(input.getInt8(), |
|
529 input.getInt8()); |
|
530 svr_random = new RandomCookie(input); |
|
531 sessionId = new SessionId(input.getBytes8()); |
|
532 sessionId.checkLength(protocolVersion); |
|
533 cipherSuite = CipherSuite.valueOf(input.getInt8(), input.getInt8()); |
|
534 compression_method = (byte)input.getInt8(); |
|
535 if (messageLength() != messageLength) { |
|
536 extensions = new HelloExtensions(input); |
|
537 } |
|
538 } |
|
539 |
|
540 @Override |
|
541 int messageLength() |
|
542 { |
|
543 // almost fixed size, except session ID and extensions: |
|
544 // major + minor = 2 |
|
545 // random = 32 |
|
546 // session ID len field = 1 |
|
547 // cipher suite + compression = 3 |
|
548 // extensions: if present, 2 + length of extensions |
|
549 return 38 + sessionId.length() + extensions.length(); |
|
550 } |
|
551 |
|
552 @Override |
|
553 void send(HandshakeOutStream s) throws IOException |
|
554 { |
|
555 s.putInt8(protocolVersion.major); |
|
556 s.putInt8(protocolVersion.minor); |
|
557 svr_random.send(s); |
|
558 s.putBytes8(sessionId.getId()); |
|
559 s.putInt8(cipherSuite.id >> 8); |
|
560 s.putInt8(cipherSuite.id & 0xff); |
|
561 s.putInt8(compression_method); |
|
562 extensions.send(s); |
|
563 } |
|
564 |
|
565 @Override |
|
566 void print(PrintStream s) throws IOException |
|
567 { |
|
568 s.println("*** ServerHello, " + protocolVersion); |
|
569 |
|
570 if (debug != null && Debug.isOn("verbose")) { |
|
571 s.print("RandomCookie: "); |
|
572 svr_random.print(s); |
|
573 |
|
574 s.print("Session ID: "); |
|
575 s.println(sessionId); |
|
576 |
|
577 s.println("Cipher Suite: " + cipherSuite); |
|
578 s.println("Compression Method: " + compression_method); |
|
579 extensions.print(s); |
|
580 s.println("***"); |
|
581 } |
|
582 } |
|
583 } |
|
584 |
|
585 |
|
586 /* |
|
587 * CertificateMsg ... send by both CLIENT and SERVER |
|
588 * |
|
589 * Each end of a connection may need to pass its certificate chain to |
|
590 * the other end. Such chains are intended to validate an identity with |
|
591 * reference to some certifying authority. Examples include companies |
|
592 * like Verisign, or financial institutions. There's some control over |
|
593 * the certifying authorities which are sent. |
|
594 * |
|
595 * NOTE: that these messages might be huge, taking many handshake records. |
|
596 * Up to 2^48 bytes of certificate may be sent, in records of at most 2^14 |
|
597 * bytes each ... up to 2^32 records sent on the output stream. |
|
598 */ |
|
599 static final |
|
600 class CertificateMsg extends HandshakeMessage |
|
601 { |
|
602 @Override |
|
603 int messageType() { return ht_certificate; } |
|
604 |
|
605 private X509Certificate[] chain; |
|
606 |
|
607 private List<byte[]> encodedChain; |
|
608 |
|
609 private int messageLength; |
|
610 |
|
611 CertificateMsg(X509Certificate[] certs) { |
|
612 chain = certs; |
|
613 } |
|
614 |
|
615 CertificateMsg(HandshakeInStream input) throws IOException { |
|
616 int chainLen = input.getInt24(); |
|
617 List<Certificate> v = new ArrayList<>(4); |
|
618 |
|
619 CertificateFactory cf = null; |
|
620 while (chainLen > 0) { |
|
621 byte[] cert = input.getBytes24(); |
|
622 chainLen -= (3 + cert.length); |
|
623 try { |
|
624 if (cf == null) { |
|
625 cf = CertificateFactory.getInstance("X.509"); |
|
626 } |
|
627 v.add(cf.generateCertificate(new ByteArrayInputStream(cert))); |
|
628 } catch (CertificateException e) { |
|
629 throw (SSLProtocolException)new SSLProtocolException( |
|
630 e.getMessage()).initCause(e); |
|
631 } |
|
632 } |
|
633 |
|
634 chain = v.toArray(new X509Certificate[v.size()]); |
|
635 } |
|
636 |
|
637 @Override |
|
638 int messageLength() { |
|
639 if (encodedChain == null) { |
|
640 messageLength = 3; |
|
641 encodedChain = new ArrayList<byte[]>(chain.length); |
|
642 try { |
|
643 for (X509Certificate cert : chain) { |
|
644 byte[] b = cert.getEncoded(); |
|
645 encodedChain.add(b); |
|
646 messageLength += b.length + 3; |
|
647 } |
|
648 } catch (CertificateEncodingException e) { |
|
649 encodedChain = null; |
|
650 throw new RuntimeException("Could not encode certificates", e); |
|
651 } |
|
652 } |
|
653 return messageLength; |
|
654 } |
|
655 |
|
656 @Override |
|
657 void send(HandshakeOutStream s) throws IOException { |
|
658 s.putInt24(messageLength() - 3); |
|
659 for (byte[] b : encodedChain) { |
|
660 s.putBytes24(b); |
|
661 } |
|
662 } |
|
663 |
|
664 @Override |
|
665 void print(PrintStream s) throws IOException { |
|
666 s.println("*** Certificate chain"); |
|
667 |
|
668 if (chain.length == 0) { |
|
669 s.println("<Empty>"); |
|
670 } else if (debug != null && Debug.isOn("verbose")) { |
|
671 for (int i = 0; i < chain.length; i++) { |
|
672 s.println("chain [" + i + "] = " + chain[i]); |
|
673 } |
|
674 } |
|
675 s.println("***"); |
|
676 } |
|
677 |
|
678 X509Certificate[] getCertificateChain() { |
|
679 return chain.clone(); |
|
680 } |
|
681 } |
|
682 |
|
683 /* |
|
684 * CertificateStatus ... SERVER --> CLIENT |
|
685 * |
|
686 * When a ClientHello asserting the status_request or status_request_v2 |
|
687 * extensions is accepted by the server, it will fetch and return one |
|
688 * or more status responses in this handshake message. |
|
689 * |
|
690 * NOTE: Like the Certificate handshake message, this can potentially |
|
691 * be a very large message both due to the size of multiple status |
|
692 * responses and the certificate chains that are often attached to them. |
|
693 * Up to 2^24 bytes of status responses may be sent, possibly fragmented |
|
694 * over multiple TLS records. |
|
695 */ |
|
696 static final class CertificateStatus extends HandshakeMessage |
|
697 { |
|
698 private final StatusRequestType statusType; |
|
699 private int encodedResponsesLen; |
|
700 private int messageLength = -1; |
|
701 private List<byte[]> encodedResponses; |
|
702 |
|
703 @Override |
|
704 int messageType() { return ht_certificate_status; } |
|
705 |
|
706 /** |
|
707 * Create a CertificateStatus message from the certificates and their |
|
708 * respective OCSP responses |
|
709 * |
|
710 * @param type an indication of the type of response (OCSP or OCSP_MULTI) |
|
711 * @param responses a {@code List} of OCSP responses in DER-encoded form. |
|
712 * For the OCSP type, only the first entry in the response list is |
|
713 * used, and must correspond to the end-entity certificate sent to the |
|
714 * peer. Zero-length or null values for the response data are not |
|
715 * allowed for the OCSP type. For the OCSP_MULTI type, each entry in |
|
716 * the list should match its corresponding certificate sent in the |
|
717 * Server Certificate message. Where an OCSP response does not exist, |
|
718 * either a zero-length array or a null value should be used. |
|
719 * |
|
720 * @throws SSLException if an unsupported StatusRequestType or invalid |
|
721 * OCSP response data is provided. |
|
722 */ |
|
723 CertificateStatus(StatusRequestType type, X509Certificate[] chain, |
|
724 Map<X509Certificate, byte[]> responses) { |
|
725 statusType = type; |
|
726 encodedResponsesLen = 0; |
|
727 encodedResponses = new ArrayList<>(chain.length); |
|
728 |
|
729 Objects.requireNonNull(chain, "Null chain not allowed"); |
|
730 Objects.requireNonNull(responses, "Null responses not allowed"); |
|
731 |
|
732 if (statusType == StatusRequestType.OCSP) { |
|
733 // Just get the response for the end-entity certificate |
|
734 byte[] respDER = responses.get(chain[0]); |
|
735 if (respDER != null && respDER.length > 0) { |
|
736 encodedResponses.add(respDER); |
|
737 encodedResponsesLen = 3 + respDER.length; |
|
738 } else { |
|
739 throw new IllegalArgumentException("Zero-length or null " + |
|
740 "OCSP Response"); |
|
741 } |
|
742 } else if (statusType == StatusRequestType.OCSP_MULTI) { |
|
743 for (X509Certificate cert : chain) { |
|
744 byte[] respDER = responses.get(cert); |
|
745 if (respDER != null) { |
|
746 encodedResponses.add(respDER); |
|
747 encodedResponsesLen += (respDER.length + 3); |
|
748 } else { |
|
749 // If we cannot find a response for a given certificate |
|
750 // then use a zero-length placeholder. |
|
751 encodedResponses.add(new byte[0]); |
|
752 encodedResponsesLen += 3; |
|
753 } |
|
754 } |
|
755 } else { |
|
756 throw new IllegalArgumentException( |
|
757 "Unsupported StatusResponseType: " + statusType); |
|
758 } |
|
759 } |
|
760 |
|
761 /** |
|
762 * Decode the CertificateStatus handshake message coming from a |
|
763 * {@code HandshakeInputStream}. |
|
764 * |
|
765 * @param input the {@code HandshakeInputStream} containing the |
|
766 * CertificateStatus message bytes. |
|
767 * |
|
768 * @throws SSLHandshakeException if a zero-length response is found in the |
|
769 * OCSP response type, or an unsupported response type is detected. |
|
770 * @throws IOException if a decoding error occurs. |
|
771 */ |
|
772 CertificateStatus(HandshakeInStream input) throws IOException { |
|
773 encodedResponsesLen = 0; |
|
774 encodedResponses = new ArrayList<>(); |
|
775 |
|
776 statusType = StatusRequestType.get(input.getInt8()); |
|
777 if (statusType == StatusRequestType.OCSP) { |
|
778 byte[] respDER = input.getBytes24(); |
|
779 // Convert the incoming bytes to a OCSPResponse strucutre |
|
780 if (respDER.length > 0) { |
|
781 encodedResponses.add(respDER); |
|
782 encodedResponsesLen = 3 + respDER.length; |
|
783 } else { |
|
784 throw new SSLHandshakeException("Zero-length OCSP Response"); |
|
785 } |
|
786 } else if (statusType == StatusRequestType.OCSP_MULTI) { |
|
787 int respListLen = input.getInt24(); |
|
788 encodedResponsesLen = respListLen; |
|
789 |
|
790 // Add each OCSP reponse into the array list in the order |
|
791 // we receive them off the wire. A zero-length array is |
|
792 // allowed for ocsp_multi, and means that a response for |
|
793 // a given certificate is not available. |
|
794 while (respListLen > 0) { |
|
795 byte[] respDER = input.getBytes24(); |
|
796 encodedResponses.add(respDER); |
|
797 respListLen -= (respDER.length + 3); |
|
798 } |
|
799 |
|
800 if (respListLen != 0) { |
|
801 throw new SSLHandshakeException( |
|
802 "Bad OCSP response list length"); |
|
803 } |
|
804 } else { |
|
805 throw new SSLHandshakeException("Unsupported StatusResponseType: " + |
|
806 statusType); |
|
807 } |
|
808 } |
|
809 |
|
810 /** |
|
811 * Get the length of the CertificateStatus message. |
|
812 * |
|
813 * @return the length of the message in bytes. |
|
814 */ |
|
815 @Override |
|
816 int messageLength() { |
|
817 int len = 1; // Length + Status type |
|
818 |
|
819 if (messageLength == -1) { |
|
820 if (statusType == StatusRequestType.OCSP) { |
|
821 len += encodedResponsesLen; |
|
822 } else if (statusType == StatusRequestType.OCSP_MULTI) { |
|
823 len += 3 + encodedResponsesLen; |
|
824 } |
|
825 messageLength = len; |
|
826 } |
|
827 |
|
828 return messageLength; |
|
829 } |
|
830 |
|
831 /** |
|
832 * Encode the CertificateStatus handshake message and place it on a |
|
833 * {@code HandshakeOutputStream}. |
|
834 * |
|
835 * @param s the HandshakeOutputStream that will the message bytes. |
|
836 * |
|
837 * @throws IOException if an encoding error occurs. |
|
838 */ |
|
839 @Override |
|
840 void send(HandshakeOutStream s) throws IOException { |
|
841 s.putInt8(statusType.id); |
|
842 if (statusType == StatusRequestType.OCSP) { |
|
843 s.putBytes24(encodedResponses.get(0)); |
|
844 } else if (statusType == StatusRequestType.OCSP_MULTI) { |
|
845 s.putInt24(encodedResponsesLen); |
|
846 for (byte[] respBytes : encodedResponses) { |
|
847 if (respBytes != null) { |
|
848 s.putBytes24(respBytes); |
|
849 } else { |
|
850 s.putBytes24(null); |
|
851 } |
|
852 } |
|
853 } else { |
|
854 // It is highly unlikely that we will fall into this section of |
|
855 // the code. |
|
856 throw new SSLHandshakeException("Unsupported status_type: " + |
|
857 statusType.id); |
|
858 } |
|
859 } |
|
860 |
|
861 /** |
|
862 * Display a human-readable representation of the CertificateStatus message. |
|
863 * |
|
864 * @param s the PrintStream used to display the message data. |
|
865 * |
|
866 * @throws IOException if any errors occur while parsing the OCSP response |
|
867 * bytes into a readable form. |
|
868 */ |
|
869 @Override |
|
870 void print(PrintStream s) throws IOException { |
|
871 s.println("*** CertificateStatus"); |
|
872 if (debug != null && Debug.isOn("verbose")) { |
|
873 s.println("Type: " + statusType); |
|
874 if (statusType == StatusRequestType.OCSP) { |
|
875 OCSPResponse oResp = new OCSPResponse(encodedResponses.get(0)); |
|
876 s.println(oResp); |
|
877 } else if (statusType == StatusRequestType.OCSP_MULTI) { |
|
878 int numResponses = encodedResponses.size(); |
|
879 s.println(numResponses + |
|
880 (numResponses == 1 ? " entry:" : " entries:")); |
|
881 for (byte[] respDER : encodedResponses) { |
|
882 if (respDER.length > 0) { |
|
883 OCSPResponse oResp = new OCSPResponse(respDER); |
|
884 s.println(oResp); |
|
885 } else { |
|
886 s.println("<Zero-length entry>"); |
|
887 } |
|
888 } |
|
889 } |
|
890 } |
|
891 } |
|
892 |
|
893 /** |
|
894 * Get the type of CertificateStatus message |
|
895 * |
|
896 * @return the {@code StatusRequestType} for this CertificateStatus |
|
897 * message. |
|
898 */ |
|
899 StatusRequestType getType() { |
|
900 return statusType; |
|
901 } |
|
902 |
|
903 /** |
|
904 * Get the list of non-zero length OCSP responses. |
|
905 * The responses returned in this list can be used to map to |
|
906 * {@code X509Certificate} objects provided by the peer and |
|
907 * provided to a {@code PKIXRevocationChecker}. |
|
908 * |
|
909 * @return an unmodifiable List of zero or more byte arrays, each one |
|
910 * consisting of a single status response. |
|
911 */ |
|
912 List<byte[]> getResponses() { |
|
913 return Collections.unmodifiableList(encodedResponses); |
|
914 } |
|
915 } |
|
916 |
|
917 /* |
|
918 * ServerKeyExchange ... SERVER --> CLIENT |
|
919 * |
|
920 * The cipher suite selected, when combined with the certificate exchanged, |
|
921 * implies one of several different kinds of key exchange. Most current |
|
922 * cipher suites require the server to send more than its certificate. |
|
923 * |
|
924 * The primary exceptions are when a server sends an encryption-capable |
|
925 * RSA public key in its cert, to be used with RSA (or RSA_export) key |
|
926 * exchange; and when a server sends its Diffie-Hellman cert. Those kinds |
|
927 * of key exchange do not require a ServerKeyExchange message. |
|
928 * |
|
929 * Key exchange can be viewed as having three modes, which are explicit |
|
930 * for the Diffie-Hellman flavors and poorly specified for RSA ones: |
|
931 * |
|
932 * - "Ephemeral" keys. Here, a "temporary" key is allocated by the |
|
933 * server, and signed. Diffie-Hellman keys signed using RSA or |
|
934 * DSS are ephemeral (DHE flavor). RSA keys get used to do the same |
|
935 * thing, to cut the key size down to 512 bits (export restrictions) |
|
936 * or for signing-only RSA certificates. |
|
937 * |
|
938 * - Anonymity. Here no server certificate is sent, only the public |
|
939 * key of the server. This case is subject to man-in-the-middle |
|
940 * attacks. This can be done with Diffie-Hellman keys (DH_anon) or |
|
941 * with RSA keys, but is only used in SSLv3 for DH_anon. |
|
942 * |
|
943 * - "Normal" case. Here a server certificate is sent, and the public |
|
944 * key there is used directly in exchanging the premaster secret. |
|
945 * For example, Diffie-Hellman "DH" flavor, and any RSA flavor with |
|
946 * only 512 bit keys. |
|
947 * |
|
948 * If a server certificate is sent, there is no anonymity. However, |
|
949 * when a certificate is sent, ephemeral keys may still be used to |
|
950 * exchange the premaster secret. That's how RSA_EXPORT often works, |
|
951 * as well as how the DHE_* flavors work. |
|
952 */ |
|
953 abstract static class ServerKeyExchange extends HandshakeMessage |
|
954 { |
|
955 @Override |
|
956 int messageType() { return ht_server_key_exchange; } |
|
957 } |
|
958 |
|
959 |
|
960 /* |
|
961 * Using RSA for Key Exchange: exchange a session key that's not as big |
|
962 * as the signing-only key. Used for export applications, since exported |
|
963 * RSA encryption keys can't be bigger than 512 bytes. |
|
964 * |
|
965 * This is never used when keys are 512 bits or smaller, and isn't used |
|
966 * on "US Domestic" ciphers in any case. |
|
967 */ |
|
968 static final |
|
969 class RSA_ServerKeyExchange extends ServerKeyExchange |
|
970 { |
|
971 private byte[] rsa_modulus; // 1 to 2^16 - 1 bytes |
|
972 private byte[] rsa_exponent; // 1 to 2^16 - 1 bytes |
|
973 |
|
974 private Signature signature; |
|
975 private byte[] signatureBytes; |
|
976 |
|
977 /* |
|
978 * Hash the nonces and the ephemeral RSA public key. |
|
979 */ |
|
980 private void updateSignature(byte[] clntNonce, byte[] svrNonce) |
|
981 throws SignatureException { |
|
982 int tmp; |
|
983 |
|
984 signature.update(clntNonce); |
|
985 signature.update(svrNonce); |
|
986 |
|
987 tmp = rsa_modulus.length; |
|
988 signature.update((byte)(tmp >> 8)); |
|
989 signature.update((byte)(tmp & 0x0ff)); |
|
990 signature.update(rsa_modulus); |
|
991 |
|
992 tmp = rsa_exponent.length; |
|
993 signature.update((byte)(tmp >> 8)); |
|
994 signature.update((byte)(tmp & 0x0ff)); |
|
995 signature.update(rsa_exponent); |
|
996 } |
|
997 |
|
998 |
|
999 /* |
|
1000 * Construct an RSA server key exchange message, using data |
|
1001 * known _only_ to the server. |
|
1002 * |
|
1003 * The client knows the public key corresponding to this private |
|
1004 * key, from the Certificate message sent previously. To comply |
|
1005 * with US export regulations we use short RSA keys ... either |
|
1006 * long term ones in the server's X509 cert, or else ephemeral |
|
1007 * ones sent using this message. |
|
1008 */ |
|
1009 RSA_ServerKeyExchange(PublicKey ephemeralKey, PrivateKey privateKey, |
|
1010 RandomCookie clntNonce, RandomCookie svrNonce, SecureRandom sr) |
|
1011 throws GeneralSecurityException { |
|
1012 RSAPublicKeySpec rsaKey = JsseJce.getRSAPublicKeySpec(ephemeralKey); |
|
1013 rsa_modulus = toByteArray(rsaKey.getModulus()); |
|
1014 rsa_exponent = toByteArray(rsaKey.getPublicExponent()); |
|
1015 signature = RSASignature.getInstance(); |
|
1016 signature.initSign(privateKey, sr); |
|
1017 updateSignature(clntNonce.random_bytes, svrNonce.random_bytes); |
|
1018 signatureBytes = signature.sign(); |
|
1019 } |
|
1020 |
|
1021 |
|
1022 /* |
|
1023 * Parse an RSA server key exchange message, using data known |
|
1024 * to the client (and, in some situations, eavesdroppers). |
|
1025 */ |
|
1026 RSA_ServerKeyExchange(HandshakeInStream input) |
|
1027 throws IOException, NoSuchAlgorithmException { |
|
1028 signature = RSASignature.getInstance(); |
|
1029 rsa_modulus = input.getBytes16(); |
|
1030 rsa_exponent = input.getBytes16(); |
|
1031 signatureBytes = input.getBytes16(); |
|
1032 } |
|
1033 |
|
1034 /* |
|
1035 * Get the ephemeral RSA public key that will be used in this |
|
1036 * SSL connection. |
|
1037 */ |
|
1038 PublicKey getPublicKey() { |
|
1039 try { |
|
1040 KeyFactory kfac = JsseJce.getKeyFactory("RSA"); |
|
1041 // modulus and exponent are always positive |
|
1042 RSAPublicKeySpec kspec = new RSAPublicKeySpec( |
|
1043 new BigInteger(1, rsa_modulus), |
|
1044 new BigInteger(1, rsa_exponent)); |
|
1045 return kfac.generatePublic(kspec); |
|
1046 } catch (Exception e) { |
|
1047 throw new RuntimeException(e); |
|
1048 } |
|
1049 } |
|
1050 |
|
1051 /* |
|
1052 * Verify the signed temporary key using the hashes computed |
|
1053 * from it and the two nonces. This is called by clients |
|
1054 * with "exportable" RSA flavors. |
|
1055 */ |
|
1056 boolean verify(PublicKey certifiedKey, RandomCookie clntNonce, |
|
1057 RandomCookie svrNonce) throws GeneralSecurityException { |
|
1058 signature.initVerify(certifiedKey); |
|
1059 updateSignature(clntNonce.random_bytes, svrNonce.random_bytes); |
|
1060 return signature.verify(signatureBytes); |
|
1061 } |
|
1062 |
|
1063 @Override |
|
1064 int messageLength() { |
|
1065 return 6 + rsa_modulus.length + rsa_exponent.length |
|
1066 + signatureBytes.length; |
|
1067 } |
|
1068 |
|
1069 @Override |
|
1070 void send(HandshakeOutStream s) throws IOException { |
|
1071 s.putBytes16(rsa_modulus); |
|
1072 s.putBytes16(rsa_exponent); |
|
1073 s.putBytes16(signatureBytes); |
|
1074 } |
|
1075 |
|
1076 @Override |
|
1077 void print(PrintStream s) throws IOException { |
|
1078 s.println("*** RSA ServerKeyExchange"); |
|
1079 |
|
1080 if (debug != null && Debug.isOn("verbose")) { |
|
1081 Debug.println(s, "RSA Modulus", rsa_modulus); |
|
1082 Debug.println(s, "RSA Public Exponent", rsa_exponent); |
|
1083 } |
|
1084 } |
|
1085 } |
|
1086 |
|
1087 |
|
1088 /* |
|
1089 * Using Diffie-Hellman algorithm for key exchange. All we really need to |
|
1090 * do is securely get Diffie-Hellman keys (using the same P, G parameters) |
|
1091 * to our peer, then we automatically have a shared secret without need |
|
1092 * to exchange any more data. (D-H only solutions, such as SKIP, could |
|
1093 * eliminate key exchange negotiations and get faster connection setup. |
|
1094 * But they still need a signature algorithm like DSS/DSA to support the |
|
1095 * trusted distribution of keys without relying on unscalable physical |
|
1096 * key distribution systems.) |
|
1097 * |
|
1098 * This class supports several DH-based key exchange algorithms, though |
|
1099 * perhaps eventually each deserves its own class. Notably, this has |
|
1100 * basic support for DH_anon and its DHE_DSS and DHE_RSA signed variants. |
|
1101 */ |
|
1102 static final |
|
1103 class DH_ServerKeyExchange extends ServerKeyExchange |
|
1104 { |
|
1105 // Fix message encoding, see 4348279 |
|
1106 private static final boolean dhKeyExchangeFix = |
|
1107 Debug.getBooleanProperty("com.sun.net.ssl.dhKeyExchangeFix", true); |
|
1108 |
|
1109 private byte[] dh_p; // 1 to 2^16 - 1 bytes |
|
1110 private byte[] dh_g; // 1 to 2^16 - 1 bytes |
|
1111 private byte[] dh_Ys; // 1 to 2^16 - 1 bytes |
|
1112 |
|
1113 private byte[] signature; |
|
1114 |
|
1115 // protocol version being established using this ServerKeyExchange message |
|
1116 ProtocolVersion protocolVersion; |
|
1117 |
|
1118 // the preferable signature algorithm used by this ServerKeyExchange message |
|
1119 private SignatureAndHashAlgorithm preferableSignatureAlgorithm; |
|
1120 |
|
1121 /* |
|
1122 * Construct from initialized DH key object, for DH_anon |
|
1123 * key exchange. |
|
1124 */ |
|
1125 DH_ServerKeyExchange(DHCrypt obj, ProtocolVersion protocolVersion) { |
|
1126 this.protocolVersion = protocolVersion; |
|
1127 this.preferableSignatureAlgorithm = null; |
|
1128 |
|
1129 // The DH key has been validated in the constructor of DHCrypt. |
|
1130 setValues(obj); |
|
1131 signature = null; |
|
1132 } |
|
1133 |
|
1134 /* |
|
1135 * Construct from initialized DH key object and the key associated |
|
1136 * with the cert chain which was sent ... for DHE_DSS and DHE_RSA |
|
1137 * key exchange. (Constructor called by server.) |
|
1138 */ |
|
1139 DH_ServerKeyExchange(DHCrypt obj, PrivateKey key, byte[] clntNonce, |
|
1140 byte[] svrNonce, SecureRandom sr, |
|
1141 SignatureAndHashAlgorithm signAlgorithm, |
|
1142 ProtocolVersion protocolVersion) throws GeneralSecurityException { |
|
1143 |
|
1144 this.protocolVersion = protocolVersion; |
|
1145 |
|
1146 // The DH key has been validated in the constructor of DHCrypt. |
|
1147 setValues(obj); |
|
1148 |
|
1149 Signature sig; |
|
1150 if (protocolVersion.useTLS12PlusSpec()) { |
|
1151 this.preferableSignatureAlgorithm = signAlgorithm; |
|
1152 sig = JsseJce.getSignature(signAlgorithm.getAlgorithmName()); |
|
1153 } else { |
|
1154 this.preferableSignatureAlgorithm = null; |
|
1155 if (key.getAlgorithm().equals("DSA")) { |
|
1156 sig = JsseJce.getSignature(JsseJce.SIGNATURE_DSA); |
|
1157 } else { |
|
1158 sig = RSASignature.getInstance(); |
|
1159 } |
|
1160 } |
|
1161 |
|
1162 sig.initSign(key, sr); |
|
1163 updateSignature(sig, clntNonce, svrNonce); |
|
1164 signature = sig.sign(); |
|
1165 } |
|
1166 |
|
1167 /* |
|
1168 * Construct a DH_ServerKeyExchange message from an input |
|
1169 * stream, as if sent from server to client for use with |
|
1170 * DH_anon key exchange |
|
1171 */ |
|
1172 DH_ServerKeyExchange(HandshakeInStream input, |
|
1173 ProtocolVersion protocolVersion) |
|
1174 throws IOException, GeneralSecurityException { |
|
1175 |
|
1176 this.protocolVersion = protocolVersion; |
|
1177 this.preferableSignatureAlgorithm = null; |
|
1178 |
|
1179 dh_p = input.getBytes16(); |
|
1180 dh_g = input.getBytes16(); |
|
1181 dh_Ys = input.getBytes16(); |
|
1182 KeyUtil.validate(new DHPublicKeySpec(new BigInteger(1, dh_Ys), |
|
1183 new BigInteger(1, dh_p), |
|
1184 new BigInteger(1, dh_g))); |
|
1185 |
|
1186 signature = null; |
|
1187 } |
|
1188 |
|
1189 /* |
|
1190 * Construct a DH_ServerKeyExchange message from an input stream |
|
1191 * and a certificate, as if sent from server to client for use with |
|
1192 * DHE_DSS or DHE_RSA key exchange. (Called by client.) |
|
1193 */ |
|
1194 DH_ServerKeyExchange(HandshakeInStream input, PublicKey publicKey, |
|
1195 byte[] clntNonce, byte[] svrNonce, int messageSize, |
|
1196 Collection<SignatureAndHashAlgorithm> localSupportedSignAlgs, |
|
1197 ProtocolVersion protocolVersion) |
|
1198 throws IOException, GeneralSecurityException { |
|
1199 |
|
1200 this.protocolVersion = protocolVersion; |
|
1201 |
|
1202 // read params: ServerDHParams |
|
1203 dh_p = input.getBytes16(); |
|
1204 dh_g = input.getBytes16(); |
|
1205 dh_Ys = input.getBytes16(); |
|
1206 KeyUtil.validate(new DHPublicKeySpec(new BigInteger(1, dh_Ys), |
|
1207 new BigInteger(1, dh_p), |
|
1208 new BigInteger(1, dh_g))); |
|
1209 |
|
1210 // read the signature and hash algorithm |
|
1211 if (protocolVersion.useTLS12PlusSpec()) { |
|
1212 int hash = input.getInt8(); // hash algorithm |
|
1213 int signature = input.getInt8(); // signature algorithm |
|
1214 |
|
1215 preferableSignatureAlgorithm = |
|
1216 SignatureAndHashAlgorithm.valueOf(hash, signature, 0); |
|
1217 |
|
1218 // Is it a local supported signature algorithm? |
|
1219 if (!localSupportedSignAlgs.contains( |
|
1220 preferableSignatureAlgorithm)) { |
|
1221 throw new SSLHandshakeException( |
|
1222 "Unsupported SignatureAndHashAlgorithm in " + |
|
1223 "ServerKeyExchange message: " + |
|
1224 preferableSignatureAlgorithm); |
|
1225 } |
|
1226 } else { |
|
1227 this.preferableSignatureAlgorithm = null; |
|
1228 } |
|
1229 |
|
1230 // read the signature |
|
1231 byte[] signature; |
|
1232 if (dhKeyExchangeFix) { |
|
1233 signature = input.getBytes16(); |
|
1234 } else { |
|
1235 messageSize -= (dh_p.length + 2); |
|
1236 messageSize -= (dh_g.length + 2); |
|
1237 messageSize -= (dh_Ys.length + 2); |
|
1238 |
|
1239 signature = new byte[messageSize]; |
|
1240 input.read(signature); |
|
1241 } |
|
1242 |
|
1243 Signature sig; |
|
1244 String algorithm = publicKey.getAlgorithm(); |
|
1245 if (protocolVersion.useTLS12PlusSpec()) { |
|
1246 sig = JsseJce.getSignature( |
|
1247 preferableSignatureAlgorithm.getAlgorithmName()); |
|
1248 } else { |
|
1249 switch (algorithm) { |
|
1250 case "DSA": |
|
1251 sig = JsseJce.getSignature(JsseJce.SIGNATURE_DSA); |
|
1252 break; |
|
1253 case "RSA": |
|
1254 sig = RSASignature.getInstance(); |
|
1255 break; |
|
1256 default: |
|
1257 throw new SSLKeyException( |
|
1258 "neither an RSA or a DSA key: " + algorithm); |
|
1259 } |
|
1260 } |
|
1261 |
|
1262 sig.initVerify(publicKey); |
|
1263 updateSignature(sig, clntNonce, svrNonce); |
|
1264 |
|
1265 if (sig.verify(signature) == false ) { |
|
1266 throw new SSLKeyException("Server D-H key verification failed"); |
|
1267 } |
|
1268 } |
|
1269 |
|
1270 /* Return the Diffie-Hellman modulus */ |
|
1271 BigInteger getModulus() { |
|
1272 return new BigInteger(1, dh_p); |
|
1273 } |
|
1274 |
|
1275 /* Return the Diffie-Hellman base/generator */ |
|
1276 BigInteger getBase() { |
|
1277 return new BigInteger(1, dh_g); |
|
1278 } |
|
1279 |
|
1280 /* Return the server's Diffie-Hellman public key */ |
|
1281 BigInteger getServerPublicKey() { |
|
1282 return new BigInteger(1, dh_Ys); |
|
1283 } |
|
1284 |
|
1285 /* |
|
1286 * Update sig with nonces and Diffie-Hellman public key. |
|
1287 */ |
|
1288 private void updateSignature(Signature sig, byte[] clntNonce, |
|
1289 byte[] svrNonce) throws SignatureException { |
|
1290 int tmp; |
|
1291 |
|
1292 sig.update(clntNonce); |
|
1293 sig.update(svrNonce); |
|
1294 |
|
1295 tmp = dh_p.length; |
|
1296 sig.update((byte)(tmp >> 8)); |
|
1297 sig.update((byte)(tmp & 0x0ff)); |
|
1298 sig.update(dh_p); |
|
1299 |
|
1300 tmp = dh_g.length; |
|
1301 sig.update((byte)(tmp >> 8)); |
|
1302 sig.update((byte)(tmp & 0x0ff)); |
|
1303 sig.update(dh_g); |
|
1304 |
|
1305 tmp = dh_Ys.length; |
|
1306 sig.update((byte)(tmp >> 8)); |
|
1307 sig.update((byte)(tmp & 0x0ff)); |
|
1308 sig.update(dh_Ys); |
|
1309 } |
|
1310 |
|
1311 private void setValues(DHCrypt obj) { |
|
1312 dh_p = toByteArray(obj.getModulus()); |
|
1313 dh_g = toByteArray(obj.getBase()); |
|
1314 dh_Ys = toByteArray(obj.getPublicKey()); |
|
1315 } |
|
1316 |
|
1317 @Override |
|
1318 int messageLength() { |
|
1319 int temp = 6; // overhead for p, g, y(s) values. |
|
1320 |
|
1321 temp += dh_p.length; |
|
1322 temp += dh_g.length; |
|
1323 temp += dh_Ys.length; |
|
1324 |
|
1325 if (signature != null) { |
|
1326 if (protocolVersion.useTLS12PlusSpec()) { |
|
1327 temp += SignatureAndHashAlgorithm.sizeInRecord(); |
|
1328 } |
|
1329 |
|
1330 temp += signature.length; |
|
1331 if (dhKeyExchangeFix) { |
|
1332 temp += 2; |
|
1333 } |
|
1334 } |
|
1335 |
|
1336 return temp; |
|
1337 } |
|
1338 |
|
1339 @Override |
|
1340 void send(HandshakeOutStream s) throws IOException { |
|
1341 s.putBytes16(dh_p); |
|
1342 s.putBytes16(dh_g); |
|
1343 s.putBytes16(dh_Ys); |
|
1344 |
|
1345 if (signature != null) { |
|
1346 if (protocolVersion.useTLS12PlusSpec()) { |
|
1347 s.putInt8(preferableSignatureAlgorithm.getHashValue()); |
|
1348 s.putInt8(preferableSignatureAlgorithm.getSignatureValue()); |
|
1349 } |
|
1350 |
|
1351 if (dhKeyExchangeFix) { |
|
1352 s.putBytes16(signature); |
|
1353 } else { |
|
1354 s.write(signature); |
|
1355 } |
|
1356 } |
|
1357 } |
|
1358 |
|
1359 @Override |
|
1360 void print(PrintStream s) throws IOException { |
|
1361 s.println("*** Diffie-Hellman ServerKeyExchange"); |
|
1362 |
|
1363 if (debug != null && Debug.isOn("verbose")) { |
|
1364 Debug.println(s, "DH Modulus", dh_p); |
|
1365 Debug.println(s, "DH Base", dh_g); |
|
1366 Debug.println(s, "Server DH Public Key", dh_Ys); |
|
1367 |
|
1368 if (signature == null) { |
|
1369 s.println("Anonymous"); |
|
1370 } else { |
|
1371 if (protocolVersion.useTLS12PlusSpec()) { |
|
1372 s.println("Signature Algorithm " + |
|
1373 preferableSignatureAlgorithm.getAlgorithmName()); |
|
1374 } |
|
1375 |
|
1376 s.println("Signed with a DSA or RSA public key"); |
|
1377 } |
|
1378 } |
|
1379 } |
|
1380 } |
|
1381 |
|
1382 /* |
|
1383 * ECDH server key exchange message. Sent by the server for ECDHE and ECDH_anon |
|
1384 * ciphersuites to communicate its ephemeral public key (including the |
|
1385 * EC domain parameters). |
|
1386 * |
|
1387 * We support named curves only, no explicitly encoded curves. |
|
1388 */ |
|
1389 static final |
|
1390 class ECDH_ServerKeyExchange extends ServerKeyExchange { |
|
1391 |
|
1392 // constants for ECCurveType |
|
1393 private static final int CURVE_EXPLICIT_PRIME = 1; |
|
1394 private static final int CURVE_EXPLICIT_CHAR2 = 2; |
|
1395 private static final int CURVE_NAMED_CURVE = 3; |
|
1396 |
|
1397 // id of the named group we are using |
|
1398 private int groupId; |
|
1399 |
|
1400 // encoded public point |
|
1401 private byte[] pointBytes; |
|
1402 |
|
1403 // signature bytes (or null if anonymous) |
|
1404 private byte[] signatureBytes; |
|
1405 |
|
1406 // public key object encapsulated in this message |
|
1407 private ECPublicKey publicKey; |
|
1408 |
|
1409 // protocol version being established using this ServerKeyExchange message |
|
1410 ProtocolVersion protocolVersion; |
|
1411 |
|
1412 // the preferable signature algorithm used by this ServerKeyExchange message |
|
1413 private SignatureAndHashAlgorithm preferableSignatureAlgorithm; |
|
1414 |
|
1415 ECDH_ServerKeyExchange(ECDHCrypt obj, PrivateKey privateKey, |
|
1416 byte[] clntNonce, byte[] svrNonce, SecureRandom sr, |
|
1417 SignatureAndHashAlgorithm signAlgorithm, |
|
1418 ProtocolVersion protocolVersion) |
|
1419 throws SSLHandshakeException, GeneralSecurityException { |
|
1420 |
|
1421 this.protocolVersion = protocolVersion; |
|
1422 |
|
1423 publicKey = (ECPublicKey)obj.getPublicKey(); |
|
1424 ECParameterSpec params = publicKey.getParams(); |
|
1425 ECPoint point = publicKey.getW(); |
|
1426 pointBytes = JsseJce.encodePoint(point, params.getCurve()); |
|
1427 |
|
1428 NamedGroup namedGroup = NamedGroup.valueOf(params); |
|
1429 if ((namedGroup == null) || (namedGroup.oid == null) ){ |
|
1430 // unlikely |
|
1431 throw new SSLHandshakeException( |
|
1432 "Unnamed EC parameter spec: " + params); |
|
1433 } |
|
1434 groupId = namedGroup.id; |
|
1435 |
|
1436 if (privateKey == null) { |
|
1437 // ECDH_anon |
|
1438 return; |
|
1439 } |
|
1440 |
|
1441 Signature sig; |
|
1442 if (protocolVersion.useTLS12PlusSpec()) { |
|
1443 this.preferableSignatureAlgorithm = signAlgorithm; |
|
1444 sig = JsseJce.getSignature(signAlgorithm.getAlgorithmName()); |
|
1445 } else { |
|
1446 sig = getSignature(privateKey.getAlgorithm()); |
|
1447 } |
|
1448 sig.initSign(privateKey, sr); |
|
1449 |
|
1450 updateSignature(sig, clntNonce, svrNonce); |
|
1451 signatureBytes = sig.sign(); |
|
1452 } |
|
1453 |
|
1454 /* |
|
1455 * Parse an ECDH server key exchange message. |
|
1456 */ |
|
1457 ECDH_ServerKeyExchange(HandshakeInStream input, PublicKey signingKey, |
|
1458 byte[] clntNonce, byte[] svrNonce, |
|
1459 Collection<SignatureAndHashAlgorithm> localSupportedSignAlgs, |
|
1460 ProtocolVersion protocolVersion) |
|
1461 throws IOException, GeneralSecurityException { |
|
1462 |
|
1463 this.protocolVersion = protocolVersion; |
|
1464 |
|
1465 // read params: ServerECDHParams |
|
1466 int curveType = input.getInt8(); |
|
1467 ECParameterSpec parameters; |
|
1468 // These parsing errors should never occur as we negotiated |
|
1469 // the supported curves during the exchange of the Hello messages. |
|
1470 if (curveType == CURVE_NAMED_CURVE) { |
|
1471 groupId = input.getInt16(); |
|
1472 NamedGroup namedGroup = NamedGroup.valueOf(groupId); |
|
1473 if (namedGroup == null) { |
|
1474 throw new SSLHandshakeException( |
|
1475 "Unknown named group ID: " + groupId); |
|
1476 } |
|
1477 |
|
1478 if (!SupportedGroupsExtension.supports(namedGroup)) { |
|
1479 throw new SSLHandshakeException( |
|
1480 "Unsupported named group: " + namedGroup); |
|
1481 } |
|
1482 |
|
1483 if (namedGroup.oid == null) { |
|
1484 throw new SSLHandshakeException( |
|
1485 "Unknown named EC curve: " + namedGroup); |
|
1486 } |
|
1487 |
|
1488 parameters = JsseJce.getECParameterSpec(namedGroup.oid); |
|
1489 if (parameters == null) { |
|
1490 throw new SSLHandshakeException( |
|
1491 "No supported EC parameter for named group: " + namedGroup); |
|
1492 } |
|
1493 } else { |
|
1494 throw new SSLHandshakeException( |
|
1495 "Unsupported ECCurveType: " + curveType); |
|
1496 } |
|
1497 pointBytes = input.getBytes8(); |
|
1498 |
|
1499 ECPoint point = JsseJce.decodePoint(pointBytes, parameters.getCurve()); |
|
1500 KeyFactory factory = JsseJce.getKeyFactory("EC"); |
|
1501 publicKey = (ECPublicKey)factory.generatePublic( |
|
1502 new ECPublicKeySpec(point, parameters)); |
|
1503 |
|
1504 if (signingKey == null) { |
|
1505 // ECDH_anon |
|
1506 return; |
|
1507 } |
|
1508 |
|
1509 // read the signature and hash algorithm |
|
1510 if (protocolVersion.useTLS12PlusSpec()) { |
|
1511 int hash = input.getInt8(); // hash algorithm |
|
1512 int signature = input.getInt8(); // signature algorithm |
|
1513 |
|
1514 preferableSignatureAlgorithm = |
|
1515 SignatureAndHashAlgorithm.valueOf(hash, signature, 0); |
|
1516 |
|
1517 // Is it a local supported signature algorithm? |
|
1518 if (!localSupportedSignAlgs.contains( |
|
1519 preferableSignatureAlgorithm)) { |
|
1520 throw new SSLHandshakeException( |
|
1521 "Unsupported SignatureAndHashAlgorithm in " + |
|
1522 "ServerKeyExchange message: " + |
|
1523 preferableSignatureAlgorithm); |
|
1524 } |
|
1525 } |
|
1526 |
|
1527 // read the signature |
|
1528 signatureBytes = input.getBytes16(); |
|
1529 |
|
1530 // verify the signature |
|
1531 Signature sig; |
|
1532 if (protocolVersion.useTLS12PlusSpec()) { |
|
1533 sig = JsseJce.getSignature( |
|
1534 preferableSignatureAlgorithm.getAlgorithmName()); |
|
1535 } else { |
|
1536 sig = getSignature(signingKey.getAlgorithm()); |
|
1537 } |
|
1538 sig.initVerify(signingKey); |
|
1539 |
|
1540 updateSignature(sig, clntNonce, svrNonce); |
|
1541 |
|
1542 if (sig.verify(signatureBytes) == false ) { |
|
1543 throw new SSLKeyException( |
|
1544 "Invalid signature on ECDH server key exchange message"); |
|
1545 } |
|
1546 } |
|
1547 |
|
1548 /* |
|
1549 * Get the ephemeral EC public key encapsulated in this message. |
|
1550 */ |
|
1551 ECPublicKey getPublicKey() { |
|
1552 return publicKey; |
|
1553 } |
|
1554 |
|
1555 private static Signature getSignature(String keyAlgorithm) |
|
1556 throws NoSuchAlgorithmException { |
|
1557 switch (keyAlgorithm) { |
|
1558 case "EC": |
|
1559 return JsseJce.getSignature(JsseJce.SIGNATURE_ECDSA); |
|
1560 case "RSA": |
|
1561 return RSASignature.getInstance(); |
|
1562 default: |
|
1563 throw new NoSuchAlgorithmException( |
|
1564 "neither an RSA or a EC key : " + keyAlgorithm); |
|
1565 } |
|
1566 } |
|
1567 |
|
1568 private void updateSignature(Signature sig, byte[] clntNonce, |
|
1569 byte[] svrNonce) throws SignatureException { |
|
1570 sig.update(clntNonce); |
|
1571 sig.update(svrNonce); |
|
1572 |
|
1573 sig.update((byte)CURVE_NAMED_CURVE); |
|
1574 sig.update((byte)(groupId >> 8)); |
|
1575 sig.update((byte)groupId); |
|
1576 sig.update((byte)pointBytes.length); |
|
1577 sig.update(pointBytes); |
|
1578 } |
|
1579 |
|
1580 @Override |
|
1581 int messageLength() { |
|
1582 int sigLen = 0; |
|
1583 if (signatureBytes != null) { |
|
1584 sigLen = 2 + signatureBytes.length; |
|
1585 if (protocolVersion.useTLS12PlusSpec()) { |
|
1586 sigLen += SignatureAndHashAlgorithm.sizeInRecord(); |
|
1587 } |
|
1588 } |
|
1589 |
|
1590 return 4 + pointBytes.length + sigLen; |
|
1591 } |
|
1592 |
|
1593 @Override |
|
1594 void send(HandshakeOutStream s) throws IOException { |
|
1595 s.putInt8(CURVE_NAMED_CURVE); |
|
1596 s.putInt16(groupId); |
|
1597 s.putBytes8(pointBytes); |
|
1598 |
|
1599 if (signatureBytes != null) { |
|
1600 if (protocolVersion.useTLS12PlusSpec()) { |
|
1601 s.putInt8(preferableSignatureAlgorithm.getHashValue()); |
|
1602 s.putInt8(preferableSignatureAlgorithm.getSignatureValue()); |
|
1603 } |
|
1604 |
|
1605 s.putBytes16(signatureBytes); |
|
1606 } |
|
1607 } |
|
1608 |
|
1609 @Override |
|
1610 void print(PrintStream s) throws IOException { |
|
1611 s.println("*** ECDH ServerKeyExchange"); |
|
1612 |
|
1613 if (debug != null && Debug.isOn("verbose")) { |
|
1614 if (signatureBytes == null) { |
|
1615 s.println("Anonymous"); |
|
1616 } else { |
|
1617 if (protocolVersion.useTLS12PlusSpec()) { |
|
1618 s.println("Signature Algorithm " + |
|
1619 preferableSignatureAlgorithm.getAlgorithmName()); |
|
1620 } |
|
1621 } |
|
1622 |
|
1623 s.println("Server key: " + publicKey); |
|
1624 } |
|
1625 } |
|
1626 } |
|
1627 |
|
1628 static final class DistinguishedName { |
|
1629 |
|
1630 /* |
|
1631 * DER encoded distinguished name. |
|
1632 * TLS requires that its not longer than 65535 bytes. |
|
1633 */ |
|
1634 byte[] name; |
|
1635 |
|
1636 DistinguishedName(HandshakeInStream input) throws IOException { |
|
1637 name = input.getBytes16(); |
|
1638 } |
|
1639 |
|
1640 DistinguishedName(X500Principal dn) { |
|
1641 name = dn.getEncoded(); |
|
1642 } |
|
1643 |
|
1644 X500Principal getX500Principal() throws IOException { |
|
1645 try { |
|
1646 return new X500Principal(name); |
|
1647 } catch (IllegalArgumentException e) { |
|
1648 throw (SSLProtocolException)new SSLProtocolException( |
|
1649 e.getMessage()).initCause(e); |
|
1650 } |
|
1651 } |
|
1652 |
|
1653 int length() { |
|
1654 return 2 + name.length; |
|
1655 } |
|
1656 |
|
1657 void send(HandshakeOutStream output) throws IOException { |
|
1658 output.putBytes16(name); |
|
1659 } |
|
1660 |
|
1661 void print(PrintStream output) throws IOException { |
|
1662 X500Principal principal = new X500Principal(name); |
|
1663 output.println("<" + principal.toString() + ">"); |
|
1664 } |
|
1665 } |
|
1666 |
|
1667 /* |
|
1668 * CertificateRequest ... SERVER --> CLIENT |
|
1669 * |
|
1670 * Authenticated servers may ask clients to authenticate themselves |
|
1671 * in turn, using this message. |
|
1672 * |
|
1673 * Prior to TLS 1.2, the structure of the message is defined as: |
|
1674 * struct { |
|
1675 * ClientCertificateType certificate_types<1..2^8-1>; |
|
1676 * DistinguishedName certificate_authorities<0..2^16-1>; |
|
1677 * } CertificateRequest; |
|
1678 * |
|
1679 * In TLS 1.2, the structure is changed to: |
|
1680 * struct { |
|
1681 * ClientCertificateType certificate_types<1..2^8-1>; |
|
1682 * SignatureAndHashAlgorithm |
|
1683 * supported_signature_algorithms<2^16-1>; |
|
1684 * DistinguishedName certificate_authorities<0..2^16-1>; |
|
1685 * } CertificateRequest; |
|
1686 * |
|
1687 */ |
|
1688 static final |
|
1689 class CertificateRequest extends HandshakeMessage |
|
1690 { |
|
1691 // enum ClientCertificateType |
|
1692 static final int cct_rsa_sign = 1; |
|
1693 static final int cct_dss_sign = 2; |
|
1694 static final int cct_rsa_fixed_dh = 3; |
|
1695 static final int cct_dss_fixed_dh = 4; |
|
1696 |
|
1697 // The existance of these two values is a bug in the SSL specification. |
|
1698 // They are never used in the protocol. |
|
1699 static final int cct_rsa_ephemeral_dh = 5; |
|
1700 static final int cct_dss_ephemeral_dh = 6; |
|
1701 |
|
1702 // From RFC 4492 (ECC) |
|
1703 static final int cct_ecdsa_sign = 64; |
|
1704 static final int cct_rsa_fixed_ecdh = 65; |
|
1705 static final int cct_ecdsa_fixed_ecdh = 66; |
|
1706 |
|
1707 private static final byte[] TYPES_NO_ECC = { cct_rsa_sign, cct_dss_sign }; |
|
1708 private static final byte[] TYPES_ECC = |
|
1709 { cct_rsa_sign, cct_dss_sign, cct_ecdsa_sign }; |
|
1710 |
|
1711 byte[] types; // 1 to 255 types |
|
1712 DistinguishedName[] authorities; // 3 to 2^16 - 1 |
|
1713 // ... "3" because that's the smallest DER-encoded X500 DN |
|
1714 |
|
1715 // protocol version being established using this CertificateRequest message |
|
1716 ProtocolVersion protocolVersion; |
|
1717 |
|
1718 // supported_signature_algorithms for TLS 1.2 or later |
|
1719 private Collection<SignatureAndHashAlgorithm> algorithms; |
|
1720 |
|
1721 // length of supported_signature_algorithms |
|
1722 private int algorithmsLen; |
|
1723 |
|
1724 CertificateRequest(X509Certificate[] ca, KeyExchange keyExchange, |
|
1725 Collection<SignatureAndHashAlgorithm> signAlgs, |
|
1726 ProtocolVersion protocolVersion) throws IOException { |
|
1727 |
|
1728 this.protocolVersion = protocolVersion; |
|
1729 |
|
1730 // always use X500Principal |
|
1731 authorities = new DistinguishedName[ca.length]; |
|
1732 for (int i = 0; i < ca.length; i++) { |
|
1733 X500Principal x500Principal = ca[i].getSubjectX500Principal(); |
|
1734 authorities[i] = new DistinguishedName(x500Principal); |
|
1735 } |
|
1736 // we support RSA, DSS, and ECDSA client authentication and they |
|
1737 // can be used with all ciphersuites. If this changes, the code |
|
1738 // needs to be adapted to take keyExchange into account. |
|
1739 // We only request ECDSA client auth if we have ECC crypto available. |
|
1740 this.types = JsseJce.isEcAvailable() ? TYPES_ECC : TYPES_NO_ECC; |
|
1741 |
|
1742 // Use supported_signature_algorithms for TLS 1.2 or later. |
|
1743 if (protocolVersion.useTLS12PlusSpec()) { |
|
1744 if (signAlgs == null || signAlgs.isEmpty()) { |
|
1745 throw new SSLProtocolException( |
|
1746 "No supported signature algorithms"); |
|
1747 } |
|
1748 |
|
1749 algorithms = new ArrayList<SignatureAndHashAlgorithm>(signAlgs); |
|
1750 algorithmsLen = |
|
1751 SignatureAndHashAlgorithm.sizeInRecord() * algorithms.size(); |
|
1752 } else { |
|
1753 algorithms = new ArrayList<SignatureAndHashAlgorithm>(); |
|
1754 algorithmsLen = 0; |
|
1755 } |
|
1756 } |
|
1757 |
|
1758 CertificateRequest(HandshakeInStream input, |
|
1759 ProtocolVersion protocolVersion) throws IOException { |
|
1760 |
|
1761 this.protocolVersion = protocolVersion; |
|
1762 |
|
1763 // Read the certificate_types. |
|
1764 types = input.getBytes8(); |
|
1765 |
|
1766 // Read the supported_signature_algorithms for TLS 1.2 or later. |
|
1767 if (protocolVersion.useTLS12PlusSpec()) { |
|
1768 algorithmsLen = input.getInt16(); |
|
1769 if (algorithmsLen < 2) { |
|
1770 throw new SSLProtocolException( |
|
1771 "Invalid supported_signature_algorithms field: " + |
|
1772 algorithmsLen); |
|
1773 } |
|
1774 |
|
1775 algorithms = new ArrayList<SignatureAndHashAlgorithm>(); |
|
1776 int remains = algorithmsLen; |
|
1777 int sequence = 0; |
|
1778 while (remains > 1) { // needs at least two bytes |
|
1779 int hash = input.getInt8(); // hash algorithm |
|
1780 int signature = input.getInt8(); // signature algorithm |
|
1781 |
|
1782 SignatureAndHashAlgorithm algorithm = |
|
1783 SignatureAndHashAlgorithm.valueOf(hash, signature, |
|
1784 ++sequence); |
|
1785 algorithms.add(algorithm); |
|
1786 remains -= 2; // one byte for hash, one byte for signature |
|
1787 } |
|
1788 |
|
1789 if (remains != 0) { |
|
1790 throw new SSLProtocolException( |
|
1791 "Invalid supported_signature_algorithms field. remains: " + |
|
1792 remains); |
|
1793 } |
|
1794 } else { |
|
1795 algorithms = new ArrayList<SignatureAndHashAlgorithm>(); |
|
1796 algorithmsLen = 0; |
|
1797 } |
|
1798 |
|
1799 // read the certificate_authorities |
|
1800 int len = input.getInt16(); |
|
1801 ArrayList<DistinguishedName> v = new ArrayList<>(); |
|
1802 while (len >= 3) { |
|
1803 DistinguishedName dn = new DistinguishedName(input); |
|
1804 v.add(dn); |
|
1805 len -= dn.length(); |
|
1806 } |
|
1807 |
|
1808 if (len != 0) { |
|
1809 throw new SSLProtocolException( |
|
1810 "Bad CertificateRequest DN length: " + len); |
|
1811 } |
|
1812 |
|
1813 authorities = v.toArray(new DistinguishedName[v.size()]); |
|
1814 } |
|
1815 |
|
1816 X500Principal[] getAuthorities() throws IOException { |
|
1817 X500Principal[] ret = new X500Principal[authorities.length]; |
|
1818 for (int i = 0; i < authorities.length; i++) { |
|
1819 ret[i] = authorities[i].getX500Principal(); |
|
1820 } |
|
1821 return ret; |
|
1822 } |
|
1823 |
|
1824 Collection<SignatureAndHashAlgorithm> getSignAlgorithms() { |
|
1825 return algorithms; |
|
1826 } |
|
1827 |
|
1828 @Override |
|
1829 int messageType() { |
|
1830 return ht_certificate_request; |
|
1831 } |
|
1832 |
|
1833 @Override |
|
1834 int messageLength() { |
|
1835 int len = 1 + types.length + 2; |
|
1836 |
|
1837 if (protocolVersion.useTLS12PlusSpec()) { |
|
1838 len += algorithmsLen + 2; |
|
1839 } |
|
1840 |
|
1841 for (int i = 0; i < authorities.length; i++) { |
|
1842 len += authorities[i].length(); |
|
1843 } |
|
1844 |
|
1845 return len; |
|
1846 } |
|
1847 |
|
1848 @Override |
|
1849 void send(HandshakeOutStream output) throws IOException { |
|
1850 // put certificate_types |
|
1851 output.putBytes8(types); |
|
1852 |
|
1853 // put supported_signature_algorithms |
|
1854 if (protocolVersion.useTLS12PlusSpec()) { |
|
1855 output.putInt16(algorithmsLen); |
|
1856 for (SignatureAndHashAlgorithm algorithm : algorithms) { |
|
1857 output.putInt8(algorithm.getHashValue()); // hash |
|
1858 output.putInt8(algorithm.getSignatureValue()); // signature |
|
1859 } |
|
1860 } |
|
1861 |
|
1862 // put certificate_authorities |
|
1863 int len = 0; |
|
1864 for (int i = 0; i < authorities.length; i++) { |
|
1865 len += authorities[i].length(); |
|
1866 } |
|
1867 |
|
1868 output.putInt16(len); |
|
1869 for (int i = 0; i < authorities.length; i++) { |
|
1870 authorities[i].send(output); |
|
1871 } |
|
1872 } |
|
1873 |
|
1874 @Override |
|
1875 void print(PrintStream s) throws IOException { |
|
1876 s.println("*** CertificateRequest"); |
|
1877 |
|
1878 if (debug != null && Debug.isOn("verbose")) { |
|
1879 s.print("Cert Types: "); |
|
1880 for (int i = 0; i < types.length; i++) { |
|
1881 switch (types[i]) { |
|
1882 case cct_rsa_sign: |
|
1883 s.print("RSA"); break; |
|
1884 case cct_dss_sign: |
|
1885 s.print("DSS"); break; |
|
1886 case cct_rsa_fixed_dh: |
|
1887 s.print("Fixed DH (RSA sig)"); break; |
|
1888 case cct_dss_fixed_dh: |
|
1889 s.print("Fixed DH (DSS sig)"); break; |
|
1890 case cct_rsa_ephemeral_dh: |
|
1891 s.print("Ephemeral DH (RSA sig)"); break; |
|
1892 case cct_dss_ephemeral_dh: |
|
1893 s.print("Ephemeral DH (DSS sig)"); break; |
|
1894 case cct_ecdsa_sign: |
|
1895 s.print("ECDSA"); break; |
|
1896 case cct_rsa_fixed_ecdh: |
|
1897 s.print("Fixed ECDH (RSA sig)"); break; |
|
1898 case cct_ecdsa_fixed_ecdh: |
|
1899 s.print("Fixed ECDH (ECDSA sig)"); break; |
|
1900 default: |
|
1901 s.print("Type-" + (types[i] & 0xff)); break; |
|
1902 } |
|
1903 if (i != types.length - 1) { |
|
1904 s.print(", "); |
|
1905 } |
|
1906 } |
|
1907 s.println(); |
|
1908 |
|
1909 if (protocolVersion.useTLS12PlusSpec()) { |
|
1910 StringBuilder sb = new StringBuilder(); |
|
1911 boolean opened = false; |
|
1912 for (SignatureAndHashAlgorithm signAlg : algorithms) { |
|
1913 if (opened) { |
|
1914 sb.append(", ").append(signAlg.getAlgorithmName()); |
|
1915 } else { |
|
1916 sb.append(signAlg.getAlgorithmName()); |
|
1917 opened = true; |
|
1918 } |
|
1919 } |
|
1920 s.println("Supported Signature Algorithms: " + sb); |
|
1921 } |
|
1922 |
|
1923 s.println("Cert Authorities:"); |
|
1924 if (authorities.length == 0) { |
|
1925 s.println("<Empty>"); |
|
1926 } else { |
|
1927 for (int i = 0; i < authorities.length; i++) { |
|
1928 authorities[i].print(s); |
|
1929 } |
|
1930 } |
|
1931 } |
|
1932 } |
|
1933 } |
|
1934 |
|
1935 |
|
1936 /* |
|
1937 * ServerHelloDone ... SERVER --> CLIENT |
|
1938 * |
|
1939 * When server's done sending its messages in response to the client's |
|
1940 * "hello" (e.g. its own hello, certificate, key exchange message, perhaps |
|
1941 * client certificate request) it sends this message to flag that it's |
|
1942 * done that part of the handshake. |
|
1943 */ |
|
1944 static final |
|
1945 class ServerHelloDone extends HandshakeMessage |
|
1946 { |
|
1947 @Override |
|
1948 int messageType() { return ht_server_hello_done; } |
|
1949 |
|
1950 ServerHelloDone() { } |
|
1951 |
|
1952 ServerHelloDone(HandshakeInStream input) |
|
1953 { |
|
1954 // nothing to do |
|
1955 } |
|
1956 |
|
1957 @Override |
|
1958 int messageLength() |
|
1959 { |
|
1960 return 0; |
|
1961 } |
|
1962 |
|
1963 @Override |
|
1964 void send(HandshakeOutStream s) throws IOException |
|
1965 { |
|
1966 // nothing to send |
|
1967 } |
|
1968 |
|
1969 @Override |
|
1970 void print(PrintStream s) throws IOException |
|
1971 { |
|
1972 s.println("*** ServerHelloDone"); |
|
1973 } |
|
1974 } |
|
1975 |
|
1976 |
|
1977 /* |
|
1978 * CertificateVerify ... CLIENT --> SERVER |
|
1979 * |
|
1980 * Sent after client sends signature-capable certificates (e.g. not |
|
1981 * Diffie-Hellman) to verify. |
|
1982 */ |
|
1983 static final class CertificateVerify extends HandshakeMessage { |
|
1984 |
|
1985 // the signature bytes |
|
1986 private byte[] signature; |
|
1987 |
|
1988 // protocol version being established using this CertificateVerify message |
|
1989 ProtocolVersion protocolVersion; |
|
1990 |
|
1991 // the preferable signature algorithm used by this CertificateVerify message |
|
1992 private SignatureAndHashAlgorithm preferableSignatureAlgorithm = null; |
|
1993 |
|
1994 /* |
|
1995 * Create an RSA or DSA signed certificate verify message. |
|
1996 */ |
|
1997 CertificateVerify(ProtocolVersion protocolVersion, |
|
1998 HandshakeHash handshakeHash, PrivateKey privateKey, |
|
1999 SecretKey masterSecret, SecureRandom sr, |
|
2000 SignatureAndHashAlgorithm signAlgorithm) |
|
2001 throws GeneralSecurityException { |
|
2002 |
|
2003 this.protocolVersion = protocolVersion; |
|
2004 |
|
2005 String algorithm = privateKey.getAlgorithm(); |
|
2006 Signature sig = null; |
|
2007 if (protocolVersion.useTLS12PlusSpec()) { |
|
2008 this.preferableSignatureAlgorithm = signAlgorithm; |
|
2009 sig = JsseJce.getSignature(signAlgorithm.getAlgorithmName()); |
|
2010 } else { |
|
2011 sig = getSignature(protocolVersion, algorithm); |
|
2012 } |
|
2013 sig.initSign(privateKey, sr); |
|
2014 updateSignature(sig, protocolVersion, handshakeHash, algorithm, |
|
2015 masterSecret); |
|
2016 signature = sig.sign(); |
|
2017 } |
|
2018 |
|
2019 // |
|
2020 // Unmarshal the signed data from the input stream. |
|
2021 // |
|
2022 CertificateVerify(HandshakeInStream input, |
|
2023 Collection<SignatureAndHashAlgorithm> localSupportedSignAlgs, |
|
2024 ProtocolVersion protocolVersion) throws IOException { |
|
2025 |
|
2026 this.protocolVersion = protocolVersion; |
|
2027 |
|
2028 // read the signature and hash algorithm |
|
2029 if (protocolVersion.useTLS12PlusSpec()) { |
|
2030 int hashAlg = input.getInt8(); // hash algorithm |
|
2031 int signAlg = input.getInt8(); // signature algorithm |
|
2032 |
|
2033 preferableSignatureAlgorithm = |
|
2034 SignatureAndHashAlgorithm.valueOf(hashAlg, signAlg, 0); |
|
2035 |
|
2036 // Is it a local supported signature algorithm? |
|
2037 if (!localSupportedSignAlgs.contains( |
|
2038 preferableSignatureAlgorithm)) { |
|
2039 throw new SSLHandshakeException( |
|
2040 "Unsupported SignatureAndHashAlgorithm in " + |
|
2041 "CertificateVerify message: " + preferableSignatureAlgorithm); |
|
2042 } |
|
2043 } |
|
2044 |
|
2045 // read the signature |
|
2046 signature = input.getBytes16(); |
|
2047 } |
|
2048 |
|
2049 /* |
|
2050 * Get the preferable signature algorithm used by this message |
|
2051 */ |
|
2052 SignatureAndHashAlgorithm getPreferableSignatureAlgorithm() { |
|
2053 return preferableSignatureAlgorithm; |
|
2054 } |
|
2055 |
|
2056 /* |
|
2057 * Verify a certificate verify message. Return the result of verification, |
|
2058 * if there is a problem throw a GeneralSecurityException. |
|
2059 */ |
|
2060 boolean verify(ProtocolVersion protocolVersion, |
|
2061 HandshakeHash handshakeHash, PublicKey publicKey, |
|
2062 SecretKey masterSecret) throws GeneralSecurityException { |
|
2063 String algorithm = publicKey.getAlgorithm(); |
|
2064 Signature sig = null; |
|
2065 if (protocolVersion.useTLS12PlusSpec()) { |
|
2066 sig = JsseJce.getSignature( |
|
2067 preferableSignatureAlgorithm.getAlgorithmName()); |
|
2068 } else { |
|
2069 sig = getSignature(protocolVersion, algorithm); |
|
2070 } |
|
2071 sig.initVerify(publicKey); |
|
2072 updateSignature(sig, protocolVersion, handshakeHash, algorithm, |
|
2073 masterSecret); |
|
2074 return sig.verify(signature); |
|
2075 } |
|
2076 |
|
2077 /* |
|
2078 * Get the Signature object appropriate for verification using the |
|
2079 * given signature algorithm and protocol version. |
|
2080 */ |
|
2081 private static Signature getSignature(ProtocolVersion protocolVersion, |
|
2082 String algorithm) throws GeneralSecurityException { |
|
2083 switch (algorithm) { |
|
2084 case "RSA": |
|
2085 return RSASignature.getInternalInstance(); |
|
2086 case "DSA": |
|
2087 return JsseJce.getSignature(JsseJce.SIGNATURE_RAWDSA); |
|
2088 case "EC": |
|
2089 return JsseJce.getSignature(JsseJce.SIGNATURE_RAWECDSA); |
|
2090 default: |
|
2091 throw new SignatureException("Unrecognized algorithm: " |
|
2092 + algorithm); |
|
2093 } |
|
2094 } |
|
2095 |
|
2096 /* |
|
2097 * Update the Signature with the data appropriate for the given |
|
2098 * signature algorithm and protocol version so that the object is |
|
2099 * ready for signing or verifying. |
|
2100 */ |
|
2101 private static void updateSignature(Signature sig, |
|
2102 ProtocolVersion protocolVersion, |
|
2103 HandshakeHash handshakeHash, String algorithm, SecretKey masterKey) |
|
2104 throws SignatureException { |
|
2105 |
|
2106 if (algorithm.equals("RSA")) { |
|
2107 if (!protocolVersion.useTLS12PlusSpec()) { // TLS1.1- |
|
2108 MessageDigest md5Clone = handshakeHash.getMD5Clone(); |
|
2109 MessageDigest shaClone = handshakeHash.getSHAClone(); |
|
2110 |
|
2111 if (!protocolVersion.useTLS10PlusSpec()) { // SSLv3 |
|
2112 updateDigest(md5Clone, MD5_pad1, MD5_pad2, masterKey); |
|
2113 updateDigest(shaClone, SHA_pad1, SHA_pad2, masterKey); |
|
2114 } |
|
2115 |
|
2116 // The signature must be an instance of RSASignature, need |
|
2117 // to use these hashes directly. |
|
2118 RSASignature.setHashes(sig, md5Clone, shaClone); |
|
2119 } else { // TLS1.2+ |
|
2120 sig.update(handshakeHash.getAllHandshakeMessages()); |
|
2121 } |
|
2122 } else { // DSA, ECDSA |
|
2123 if (!protocolVersion.useTLS12PlusSpec()) { // TLS1.1- |
|
2124 MessageDigest shaClone = handshakeHash.getSHAClone(); |
|
2125 |
|
2126 if (!protocolVersion.useTLS10PlusSpec()) { // SSLv3 |
|
2127 updateDigest(shaClone, SHA_pad1, SHA_pad2, masterKey); |
|
2128 } |
|
2129 |
|
2130 sig.update(shaClone.digest()); |
|
2131 } else { // TLS1.2+ |
|
2132 sig.update(handshakeHash.getAllHandshakeMessages()); |
|
2133 } |
|
2134 } |
|
2135 } |
|
2136 |
|
2137 /* |
|
2138 * Update the MessageDigest for SSLv3 certificate verify or finished |
|
2139 * message calculation. The digest must already have been updated with |
|
2140 * all preceding handshake messages. |
|
2141 * Used by the Finished class as well. |
|
2142 */ |
|
2143 private static void updateDigest(MessageDigest md, |
|
2144 byte[] pad1, byte[] pad2, |
|
2145 SecretKey masterSecret) { |
|
2146 // Digest the key bytes if available. |
|
2147 // Otherwise (sensitive key), try digesting the key directly. |
|
2148 // That is currently only implemented in SunPKCS11 using a private |
|
2149 // reflection API, so we avoid that if possible. |
|
2150 byte[] keyBytes = "RAW".equals(masterSecret.getFormat()) |
|
2151 ? masterSecret.getEncoded() : null; |
|
2152 if (keyBytes != null) { |
|
2153 md.update(keyBytes); |
|
2154 } else { |
|
2155 digestKey(md, masterSecret); |
|
2156 } |
|
2157 md.update(pad1); |
|
2158 byte[] temp = md.digest(); |
|
2159 |
|
2160 if (keyBytes != null) { |
|
2161 md.update(keyBytes); |
|
2162 } else { |
|
2163 digestKey(md, masterSecret); |
|
2164 } |
|
2165 md.update(pad2); |
|
2166 md.update(temp); |
|
2167 } |
|
2168 |
|
2169 private static void digestKey(MessageDigest md, SecretKey key) { |
|
2170 try { |
|
2171 if (md instanceof MessageDigestSpi2) { |
|
2172 ((MessageDigestSpi2)md).engineUpdate(key); |
|
2173 } else { |
|
2174 throw new Exception( |
|
2175 "Digest does not support implUpdate(SecretKey)"); |
|
2176 } |
|
2177 } catch (Exception e) { |
|
2178 throw new RuntimeException( |
|
2179 "Could not obtain encoded key and " |
|
2180 + "MessageDigest cannot digest key", e); |
|
2181 } |
|
2182 } |
|
2183 |
|
2184 @Override |
|
2185 int messageType() { |
|
2186 return ht_certificate_verify; |
|
2187 } |
|
2188 |
|
2189 @Override |
|
2190 int messageLength() { |
|
2191 int temp = 2; |
|
2192 |
|
2193 if (protocolVersion.useTLS12PlusSpec()) { |
|
2194 temp += SignatureAndHashAlgorithm.sizeInRecord(); |
|
2195 } |
|
2196 |
|
2197 return temp + signature.length; |
|
2198 } |
|
2199 |
|
2200 @Override |
|
2201 void send(HandshakeOutStream s) throws IOException { |
|
2202 if (protocolVersion.useTLS12PlusSpec()) { |
|
2203 s.putInt8(preferableSignatureAlgorithm.getHashValue()); |
|
2204 s.putInt8(preferableSignatureAlgorithm.getSignatureValue()); |
|
2205 } |
|
2206 |
|
2207 s.putBytes16(signature); |
|
2208 } |
|
2209 |
|
2210 @Override |
|
2211 void print(PrintStream s) throws IOException { |
|
2212 s.println("*** CertificateVerify"); |
|
2213 |
|
2214 if (debug != null && Debug.isOn("verbose")) { |
|
2215 if (protocolVersion.useTLS12PlusSpec()) { |
|
2216 s.println("Signature Algorithm " + |
|
2217 preferableSignatureAlgorithm.getAlgorithmName()); |
|
2218 } |
|
2219 } |
|
2220 } |
|
2221 } |
|
2222 |
|
2223 |
|
2224 /* |
|
2225 * FINISHED ... sent by both CLIENT and SERVER |
|
2226 * |
|
2227 * This is the FINISHED message as defined in the SSL and TLS protocols. |
|
2228 * Both protocols define this handshake message slightly differently. |
|
2229 * This class supports both formats. |
|
2230 * |
|
2231 * When handshaking is finished, each side sends a "change_cipher_spec" |
|
2232 * record, then immediately sends a "finished" handshake message prepared |
|
2233 * according to the newly adopted cipher spec. |
|
2234 * |
|
2235 * NOTE that until this is sent, no application data may be passed, unless |
|
2236 * some non-default cipher suite has already been set up on this connection |
|
2237 * connection (e.g. a previous handshake arranged one). |
|
2238 */ |
|
2239 static final class Finished extends HandshakeMessage { |
|
2240 |
|
2241 // constant for a Finished message sent by the client |
|
2242 static final int CLIENT = 1; |
|
2243 |
|
2244 // constant for a Finished message sent by the server |
|
2245 static final int SERVER = 2; |
|
2246 |
|
2247 // enum Sender: "CLNT" and "SRVR" |
|
2248 private static final byte[] SSL_CLIENT = { 0x43, 0x4C, 0x4E, 0x54 }; |
|
2249 private static final byte[] SSL_SERVER = { 0x53, 0x52, 0x56, 0x52 }; |
|
2250 |
|
2251 /* |
|
2252 * Contents of the finished message ("checksum"). For TLS, it |
|
2253 * is 12 bytes long, for SSLv3 36 bytes. |
|
2254 */ |
|
2255 private byte[] verifyData; |
|
2256 |
|
2257 /* |
|
2258 * Current cipher suite we are negotiating. TLS 1.2 has |
|
2259 * ciphersuite-defined PRF algorithms. |
|
2260 */ |
|
2261 private ProtocolVersion protocolVersion; |
|
2262 private CipherSuite cipherSuite; |
|
2263 |
|
2264 /* |
|
2265 * Create a finished message to send to the remote peer. |
|
2266 */ |
|
2267 Finished(ProtocolVersion protocolVersion, HandshakeHash handshakeHash, |
|
2268 int sender, SecretKey master, CipherSuite cipherSuite) { |
|
2269 this.protocolVersion = protocolVersion; |
|
2270 this.cipherSuite = cipherSuite; |
|
2271 verifyData = getFinished(handshakeHash, sender, master); |
|
2272 } |
|
2273 |
|
2274 /* |
|
2275 * Constructor that reads FINISHED message from stream. |
|
2276 */ |
|
2277 Finished(ProtocolVersion protocolVersion, HandshakeInStream input, |
|
2278 CipherSuite cipherSuite) throws IOException { |
|
2279 this.protocolVersion = protocolVersion; |
|
2280 this.cipherSuite = cipherSuite; |
|
2281 int msgLen = protocolVersion.useTLS10PlusSpec() ? 12 : 36; |
|
2282 verifyData = new byte[msgLen]; |
|
2283 input.read(verifyData); |
|
2284 } |
|
2285 |
|
2286 /* |
|
2287 * Verify that the hashes here are what would have been produced |
|
2288 * according to a given set of inputs. This is used to ensure that |
|
2289 * both client and server are fully in sync, and that the handshake |
|
2290 * computations have been successful. |
|
2291 */ |
|
2292 boolean verify(HandshakeHash handshakeHash, int sender, SecretKey master) { |
|
2293 byte[] myFinished = getFinished(handshakeHash, sender, master); |
|
2294 return MessageDigest.isEqual(myFinished, verifyData); |
|
2295 } |
|
2296 |
|
2297 /* |
|
2298 * Perform the actual finished message calculation. |
|
2299 */ |
|
2300 private byte[] getFinished(HandshakeHash handshakeHash, |
|
2301 int sender, SecretKey masterKey) { |
|
2302 byte[] sslLabel; |
|
2303 String tlsLabel; |
|
2304 if (sender == CLIENT) { |
|
2305 sslLabel = SSL_CLIENT; |
|
2306 tlsLabel = "client finished"; |
|
2307 } else if (sender == SERVER) { |
|
2308 sslLabel = SSL_SERVER; |
|
2309 tlsLabel = "server finished"; |
|
2310 } else { |
|
2311 throw new RuntimeException("Invalid sender: " + sender); |
|
2312 } |
|
2313 |
|
2314 if (protocolVersion.useTLS10PlusSpec()) { |
|
2315 // TLS 1.0+ |
|
2316 try { |
|
2317 byte[] seed; |
|
2318 String prfAlg; |
|
2319 PRF prf; |
|
2320 |
|
2321 // Get the KeyGenerator alg and calculate the seed. |
|
2322 if (protocolVersion.useTLS12PlusSpec()) { |
|
2323 // TLS 1.2+ or DTLS 1.2+ |
|
2324 seed = handshakeHash.getFinishedHash(); |
|
2325 |
|
2326 prfAlg = "SunTls12Prf"; |
|
2327 prf = cipherSuite.prfAlg; |
|
2328 } else { |
|
2329 // TLS 1.0/1.1, DTLS 1.0 |
|
2330 MessageDigest md5Clone = handshakeHash.getMD5Clone(); |
|
2331 MessageDigest shaClone = handshakeHash.getSHAClone(); |
|
2332 seed = new byte[36]; |
|
2333 md5Clone.digest(seed, 0, 16); |
|
2334 shaClone.digest(seed, 16, 20); |
|
2335 |
|
2336 prfAlg = "SunTlsPrf"; |
|
2337 prf = P_NONE; |
|
2338 } |
|
2339 |
|
2340 String prfHashAlg = prf.getPRFHashAlg(); |
|
2341 int prfHashLength = prf.getPRFHashLength(); |
|
2342 int prfBlockSize = prf.getPRFBlockSize(); |
|
2343 |
|
2344 /* |
|
2345 * RFC 5246/7.4.9 says that finished messages can |
|
2346 * be ciphersuite-specific in both length/PRF hash |
|
2347 * algorithm. If we ever run across a different |
|
2348 * length, this call will need to be updated. |
|
2349 */ |
|
2350 @SuppressWarnings("deprecation") |
|
2351 TlsPrfParameterSpec spec = new TlsPrfParameterSpec( |
|
2352 masterKey, tlsLabel, seed, 12, |
|
2353 prfHashAlg, prfHashLength, prfBlockSize); |
|
2354 |
|
2355 KeyGenerator kg = JsseJce.getKeyGenerator(prfAlg); |
|
2356 kg.init(spec); |
|
2357 SecretKey prfKey = kg.generateKey(); |
|
2358 if ("RAW".equals(prfKey.getFormat()) == false) { |
|
2359 throw new ProviderException( |
|
2360 "Invalid PRF output, format must be RAW. " + |
|
2361 "Format received: " + prfKey.getFormat()); |
|
2362 } |
|
2363 byte[] finished = prfKey.getEncoded(); |
|
2364 return finished; |
|
2365 } catch (GeneralSecurityException e) { |
|
2366 throw new RuntimeException("PRF failed", e); |
|
2367 } |
|
2368 } else { |
|
2369 // SSLv3 |
|
2370 MessageDigest md5Clone = handshakeHash.getMD5Clone(); |
|
2371 MessageDigest shaClone = handshakeHash.getSHAClone(); |
|
2372 updateDigest(md5Clone, sslLabel, MD5_pad1, MD5_pad2, masterKey); |
|
2373 updateDigest(shaClone, sslLabel, SHA_pad1, SHA_pad2, masterKey); |
|
2374 byte[] finished = new byte[36]; |
|
2375 try { |
|
2376 md5Clone.digest(finished, 0, 16); |
|
2377 shaClone.digest(finished, 16, 20); |
|
2378 } catch (DigestException e) { |
|
2379 // cannot occur |
|
2380 throw new RuntimeException("Digest failed", e); |
|
2381 } |
|
2382 return finished; |
|
2383 } |
|
2384 } |
|
2385 |
|
2386 /* |
|
2387 * Update the MessageDigest for SSLv3 finished message calculation. |
|
2388 * The digest must already have been updated with all preceding handshake |
|
2389 * messages. This operation is almost identical to the certificate verify |
|
2390 * hash, reuse that code. |
|
2391 */ |
|
2392 private static void updateDigest(MessageDigest md, byte[] sender, |
|
2393 byte[] pad1, byte[] pad2, SecretKey masterSecret) { |
|
2394 md.update(sender); |
|
2395 CertificateVerify.updateDigest(md, pad1, pad2, masterSecret); |
|
2396 } |
|
2397 |
|
2398 // get the verify_data of the finished message |
|
2399 byte[] getVerifyData() { |
|
2400 return verifyData; |
|
2401 } |
|
2402 |
|
2403 @Override |
|
2404 int messageType() { return ht_finished; } |
|
2405 |
|
2406 @Override |
|
2407 int messageLength() { |
|
2408 return verifyData.length; |
|
2409 } |
|
2410 |
|
2411 @Override |
|
2412 void send(HandshakeOutStream out) throws IOException { |
|
2413 out.write(verifyData); |
|
2414 } |
|
2415 |
|
2416 @Override |
|
2417 void print(PrintStream s) throws IOException { |
|
2418 s.println("*** Finished"); |
|
2419 if (debug != null && Debug.isOn("verbose")) { |
|
2420 Debug.println(s, "verify_data", verifyData); |
|
2421 s.println("***"); |
|
2422 } |
|
2423 } |
|
2424 } |
|
2425 |
|
2426 // |
|
2427 // END of nested classes |
|
2428 // |
|
2429 |
|
2430 } |
|