34 import java.security.KeyPairGenerator; |
34 import java.security.KeyPairGenerator; |
35 import java.security.PrivateKey; |
35 import java.security.PrivateKey; |
36 import java.security.PublicKey; |
36 import java.security.PublicKey; |
37 import java.security.SecureRandom; |
37 import java.security.SecureRandom; |
38 import java.security.interfaces.ECPublicKey; |
38 import java.security.interfaces.ECPublicKey; |
39 import java.security.spec.ECGenParameterSpec; |
|
40 import java.security.spec.ECParameterSpec; |
39 import java.security.spec.ECParameterSpec; |
41 import java.security.spec.ECPoint; |
40 import java.security.spec.ECPoint; |
42 import java.security.spec.ECPublicKeySpec; |
41 import java.security.spec.ECPublicKeySpec; |
43 import java.util.EnumSet; |
42 import java.util.EnumSet; |
44 import javax.crypto.KeyAgreement; |
43 import javax.crypto.KeyAgreement; |
45 import javax.crypto.SecretKey; |
44 import javax.crypto.SecretKey; |
46 import javax.net.ssl.SSLHandshakeException; |
45 import javax.net.ssl.SSLHandshakeException; |
47 import sun.security.ssl.NamedGroup.NamedGroupType; |
46 import sun.security.ssl.NamedGroup.NamedGroupSpec; |
48 import sun.security.ssl.SupportedGroupsExtension.SupportedGroups; |
47 import sun.security.ssl.SupportedGroupsExtension.SupportedGroups; |
49 import sun.security.ssl.X509Authentication.X509Credentials; |
48 import sun.security.ssl.X509Authentication.X509Credentials; |
50 import sun.security.ssl.X509Authentication.X509Possession; |
49 import sun.security.ssl.X509Authentication.X509Possession; |
51 import sun.security.ssl.XDHKeyExchange.XDHECredentials; |
50 import sun.security.ssl.XDHKeyExchange.XDHECredentials; |
52 import sun.security.ssl.XDHKeyExchange.XDHEPossession; |
51 import sun.security.ssl.XDHKeyExchange.XDHEPossession; |
86 } |
85 } |
87 |
86 |
88 static ECDHECredentials valueOf(NamedGroup namedGroup, |
87 static ECDHECredentials valueOf(NamedGroup namedGroup, |
89 byte[] encodedPoint) throws IOException, GeneralSecurityException { |
88 byte[] encodedPoint) throws IOException, GeneralSecurityException { |
90 |
89 |
91 if (namedGroup.type != NamedGroupType.NAMED_GROUP_ECDHE) { |
90 if (namedGroup.spec != NamedGroupSpec.NAMED_GROUP_ECDHE) { |
92 throw new RuntimeException( |
91 throw new RuntimeException( |
93 "Credentials decoding: Not ECDHE named group"); |
92 "Credentials decoding: Not ECDHE named group"); |
94 } |
93 } |
95 |
94 |
96 if (encodedPoint == null || encodedPoint.length == 0) { |
95 if (encodedPoint == null || encodedPoint.length == 0) { |
97 return null; |
96 return null; |
98 } |
97 } |
99 |
98 |
100 ECParameterSpec parameters = |
99 ECParameterSpec parameters = |
101 ECUtil.getECParameterSpec(null, namedGroup.oid); |
100 (ECParameterSpec)namedGroup.keAlgParamSpec; |
102 if (parameters == null) { |
|
103 return null; |
|
104 } |
|
105 |
|
106 ECPoint point = ECUtil.decodePoint( |
101 ECPoint point = ECUtil.decodePoint( |
107 encodedPoint, parameters.getCurve()); |
102 encodedPoint, parameters.getCurve()); |
108 KeyFactory factory = KeyFactory.getInstance("EC"); |
103 KeyFactory factory = KeyFactory.getInstance("EC"); |
109 ECPublicKey publicKey = (ECPublicKey)factory.generatePublic( |
104 ECPublicKey publicKey = (ECPublicKey)factory.generatePublic( |
110 new ECPublicKeySpec(point, parameters)); |
105 new ECPublicKeySpec(point, parameters)); |
118 final NamedGroup namedGroup; |
113 final NamedGroup namedGroup; |
119 |
114 |
120 ECDHEPossession(NamedGroup namedGroup, SecureRandom random) { |
115 ECDHEPossession(NamedGroup namedGroup, SecureRandom random) { |
121 try { |
116 try { |
122 KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC"); |
117 KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC"); |
123 ECGenParameterSpec params = |
118 kpg.initialize(namedGroup.keAlgParamSpec, random); |
124 (ECGenParameterSpec)namedGroup.getParameterSpec(); |
|
125 kpg.initialize(params, random); |
|
126 KeyPair kp = kpg.generateKeyPair(); |
119 KeyPair kp = kpg.generateKeyPair(); |
127 privateKey = kp.getPrivate(); |
120 privateKey = kp.getPrivate(); |
128 publicKey = (ECPublicKey)kp.getPublic(); |
121 publicKey = (ECPublicKey)kp.getPublic(); |
129 } catch (GeneralSecurityException e) { |
122 } catch (GeneralSecurityException e) { |
130 throw new RuntimeException( |
123 throw new RuntimeException( |
246 if ((context.clientRequestedNamedGroups != null) && |
239 if ((context.clientRequestedNamedGroups != null) && |
247 (!context.clientRequestedNamedGroups.isEmpty())) { |
240 (!context.clientRequestedNamedGroups.isEmpty())) { |
248 preferableNamedGroup = SupportedGroups.getPreferredGroup( |
241 preferableNamedGroup = SupportedGroups.getPreferredGroup( |
249 context.negotiatedProtocol, |
242 context.negotiatedProtocol, |
250 context.algorithmConstraints, |
243 context.algorithmConstraints, |
251 new NamedGroupType[] { |
244 new NamedGroupSpec[] { |
252 NamedGroupType.NAMED_GROUP_ECDHE, |
245 NamedGroupSpec.NAMED_GROUP_ECDHE, |
253 NamedGroupType.NAMED_GROUP_XDH }, |
246 NamedGroupSpec.NAMED_GROUP_XDH }, |
254 context.clientRequestedNamedGroups); |
247 context.clientRequestedNamedGroups); |
255 } else { |
248 } else { |
256 preferableNamedGroup = SupportedGroups.getPreferredGroup( |
249 preferableNamedGroup = SupportedGroups.getPreferredGroup( |
257 context.negotiatedProtocol, |
250 context.negotiatedProtocol, |
258 context.algorithmConstraints, |
251 context.algorithmConstraints, |
259 new NamedGroupType[] { |
252 new NamedGroupSpec[] { |
260 NamedGroupType.NAMED_GROUP_ECDHE, |
253 NamedGroupSpec.NAMED_GROUP_ECDHE, |
261 NamedGroupType.NAMED_GROUP_XDH }); |
254 NamedGroupSpec.NAMED_GROUP_XDH }); |
262 } |
255 } |
263 |
256 |
264 if (preferableNamedGroup != null) { |
257 if (preferableNamedGroup != null) { |
265 return preferableNamedGroup.createPossession( |
258 return preferableNamedGroup.createPossession( |
266 context.sslContext.getSecureRandom()); |
259 context.sslContext.getSecureRandom()); |
306 continue; |
299 continue; |
307 } |
300 } |
308 |
301 |
309 NamedGroup ng = NamedGroup.valueOf(params); |
302 NamedGroup ng = NamedGroup.valueOf(params); |
310 if (ng == null) { |
303 if (ng == null) { |
311 // unlikely, have been checked during cipher suite negotiation. |
304 // unlikely, have been checked during cipher suite |
|
305 // negotiation. |
312 throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER, |
306 throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER, |
313 "Unsupported EC server cert for ECDH key exchange"); |
307 "Unsupported EC server cert for ECDH key exchange"); |
314 } |
308 } |
315 |
309 |
316 for (SSLCredentials cred : shc.handshakeCredentials) { |
310 for (SSLCredentials cred : shc.handshakeCredentials) { |