1 /* |
1 /* |
2 * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved. |
2 * Copyright (c) 2017, 2018, Oracle and/or its affiliates. All rights reserved. |
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 * |
4 * |
5 * This code is free software; you can redistribute it and/or modify it |
5 * This code is free software; you can redistribute it and/or modify it |
6 * under the terms of the GNU General Public License version 2 only, as |
6 * under the terms of the GNU General Public License version 2 only, as |
7 * published by the Free Software Foundation. Oracle designates this |
7 * published by the Free Software Foundation. Oracle designates this |
23 * questions. |
23 * questions. |
24 */ |
24 */ |
25 |
25 |
26 package sun.security.ssl; |
26 package sun.security.ssl; |
27 |
27 |
|
28 import java.math.BigInteger; |
28 import java.security.*; |
29 import java.security.*; |
29 import java.math.BigInteger; |
30 import java.util.Collections; |
|
31 import java.util.HashMap; |
|
32 import java.util.Map; |
|
33 import java.util.regex.Matcher; |
30 import java.util.regex.Pattern; |
34 import java.util.regex.Pattern; |
31 import java.util.regex.Matcher; |
|
32 import java.util.Map; |
|
33 import java.util.HashMap; |
|
34 import java.util.Collections; |
|
35 import javax.crypto.spec.DHParameterSpec; |
35 import javax.crypto.spec.DHParameterSpec; |
36 |
36 |
37 /** |
37 /** |
38 * Predefined default DH ephemeral parameters. |
38 * Predefined default DH ephemeral parameters. |
39 */ |
39 */ |
40 final class PredefinedDHParameterSpecs { |
40 final class PredefinedDHParameterSpecs { |
41 private final static boolean debugIsOn = |
|
42 (Debug.getInstance("ssl") != null) && Debug.isOn("sslctx"); |
|
43 |
41 |
44 // |
42 // |
45 // Default DH ephemeral parameters |
43 // Default DH ephemeral parameters |
46 // |
44 // |
47 private static final BigInteger p512 = new BigInteger( // generated |
45 private static final BigInteger p512 = new BigInteger( // generated |
207 p2048, p3072, p4096, p6144, p8192}; |
205 p2048, p3072, p4096, p6144, p8192}; |
208 |
206 |
209 // a measure of the uncertainty that prime modulus p is not a prime |
207 // a measure of the uncertainty that prime modulus p is not a prime |
210 // |
208 // |
211 // see BigInteger.isProbablePrime(int certainty) |
209 // see BigInteger.isProbablePrime(int certainty) |
212 private final static int PRIME_CERTAINTY = 120; |
210 private static final int PRIME_CERTAINTY = 120; |
213 |
211 |
214 // the known security property, jdk.tls.server.defaultDHEParameters |
212 // the known security property, jdk.tls.server.defaultDHEParameters |
215 private final static String PROPERTY_NAME = |
213 private static final String PROPERTY_NAME = |
216 "jdk.tls.server.defaultDHEParameters"; |
214 "jdk.tls.server.defaultDHEParameters"; |
217 |
215 |
218 private static final Pattern spacesPattern = Pattern.compile("\\s+"); |
216 private static final Pattern spacesPattern = Pattern.compile("\\s+"); |
219 |
217 |
220 private final static Pattern syntaxPattern = Pattern.compile( |
218 private static final Pattern syntaxPattern = Pattern.compile( |
221 "(\\{[0-9A-Fa-f]+,[0-9A-Fa-f]+\\})" + |
219 "(\\{[0-9A-Fa-f]+,[0-9A-Fa-f]+\\})" + |
222 "(,\\{[0-9A-Fa-f]+,[0-9A-Fa-f]+\\})*"); |
220 "(,\\{[0-9A-Fa-f]+,[0-9A-Fa-f]+\\})*"); |
223 |
221 |
224 private static final Pattern paramsPattern = Pattern.compile( |
222 private static final Pattern paramsPattern = Pattern.compile( |
225 "\\{([0-9A-Fa-f]+),([0-9A-Fa-f]+)\\}"); |
223 "\\{([0-9A-Fa-f]+),([0-9A-Fa-f]+)\\}"); |
226 |
224 |
227 // cache of predefined default DH ephemeral parameters |
225 // cache of predefined default DH ephemeral parameters |
228 final static Map<Integer, DHParameterSpec> definedParams; |
226 static final Map<Integer, DHParameterSpec> definedParams; |
229 |
227 |
230 // cache of Finite Field DH Ephemeral parameters (RFC 7919/FFDHE) |
228 // cache of Finite Field DH Ephemeral parameters (RFC 7919/FFDHE) |
231 final static Map<Integer, DHParameterSpec> ffdheParams; |
229 static final Map<Integer, DHParameterSpec> ffdheParams; |
232 |
230 |
233 static { |
231 static { |
234 String property = AccessController.doPrivileged( |
232 String property = AccessController.doPrivileged( |
235 new PrivilegedAction<String>() { |
233 new PrivilegedAction<String>() { |
236 public String run() { |
234 public String run() { |
250 |
248 |
251 if (property != null && !property.isEmpty()) { |
249 if (property != null && !property.isEmpty()) { |
252 Matcher spacesMatcher = spacesPattern.matcher(property); |
250 Matcher spacesMatcher = spacesPattern.matcher(property); |
253 property = spacesMatcher.replaceAll(""); |
251 property = spacesMatcher.replaceAll(""); |
254 |
252 |
255 if (debugIsOn) { |
253 if (SSLLogger.isOn && SSLLogger.isOn("sslctx")) { |
256 System.out.println("The Security Property " + |
254 SSLLogger.fine( |
|
255 "The Security Property " + |
257 PROPERTY_NAME + ": " + property); |
256 PROPERTY_NAME + ": " + property); |
258 } |
257 } |
259 } |
258 } |
260 |
259 |
261 Map<Integer,DHParameterSpec> defaultParams = new HashMap<>(); |
260 Map<Integer,DHParameterSpec> defaultParams = new HashMap<>(); |
265 Matcher paramsFinder = paramsPattern.matcher(property); |
264 Matcher paramsFinder = paramsPattern.matcher(property); |
266 while(paramsFinder.find()) { |
265 while(paramsFinder.find()) { |
267 String primeModulus = paramsFinder.group(1); |
266 String primeModulus = paramsFinder.group(1); |
268 BigInteger p = new BigInteger(primeModulus, 16); |
267 BigInteger p = new BigInteger(primeModulus, 16); |
269 if (!p.isProbablePrime(PRIME_CERTAINTY)) { |
268 if (!p.isProbablePrime(PRIME_CERTAINTY)) { |
270 if (debugIsOn) { |
269 if (SSLLogger.isOn && SSLLogger.isOn("sslctx")) { |
271 System.out.println( |
270 SSLLogger.fine( |
272 "Prime modulus p in Security Property, " + |
271 "Prime modulus p in Security Property, " + |
273 PROPERTY_NAME + ", is not a prime: " + |
272 PROPERTY_NAME + ", is not a prime: " + |
274 primeModulus); |
273 primeModulus); |
275 } |
274 } |
276 |
275 |
282 |
281 |
283 DHParameterSpec spec = new DHParameterSpec(p, g); |
282 DHParameterSpec spec = new DHParameterSpec(p, g); |
284 int primeLen = p.bitLength(); |
283 int primeLen = p.bitLength(); |
285 defaultParams.put(primeLen, spec); |
284 defaultParams.put(primeLen, spec); |
286 } |
285 } |
287 } else if (debugIsOn) { |
286 } else if (SSLLogger.isOn && SSLLogger.isOn("sslctx")) { |
288 System.out.println("Invalid Security Property, " + |
287 SSLLogger.fine("Invalid Security Property, " + |
289 PROPERTY_NAME + ", definition"); |
288 PROPERTY_NAME + ", definition"); |
290 } |
289 } |
291 } |
290 } |
292 |
291 |
293 Map<Integer,DHParameterSpec> tempFFDHEs = new HashMap<>(); |
292 Map<Integer,DHParameterSpec> tempFFDHEs = new HashMap<>(); |