src/java.base/share/classes/sun/security/ssl/KAKeyDerivation.java
branchJDK-8171279-XDH-TLS-branch-2
changeset 56864 ec60669bc501
child 56871 bda6e40cd2f4
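--- a/src/java.base/share/classes/sun/security/ssl/KAKeyDerivation.java
+++ b/src/java.base/share/classes/sun/security/ssl/KAKeyDerivation.java
@@ -0,0 +1,124 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import javax.crypto.KeyAgreement;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.SecretKeySpec;
+import javax.net.ssl.SSLHandshakeException;
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.spec.AlgorithmParameterSpec;
+
+public class KAKeyDerivation implements SSLKeyDerivation {
+
+    private final String algorithmName;
+    private final HandshakeContext context;
+    private final PrivateKey localPrivateKey;
+    private final PublicKey peerPublicKey;
+
+    KAKeyDerivation(String algorithmName,
+                    HandshakeContext context,
+                    PrivateKey localPrivateKey,
+                    PublicKey peerPublicKey) {
+        this.algorithmName = algorithmName;
+        this.context = context;
+        this.localPrivateKey = localPrivateKey;
+        this.peerPublicKey = peerPublicKey;
+    }
+
+    @Override
+    public SecretKey deriveKey(String algorithm,
+                               AlgorithmParameterSpec params) throws IOException {
+        if (!context.negotiatedProtocol.useTLS13PlusSpec()) {
+            return t12DeriveKey(algorithm, params);
+        } else {
+            return t13DeriveKey(algorithm, params);
+        }
+    }
+
+    private SecretKey t12DeriveKey(String algorithm,
+                                   AlgorithmParameterSpec params) throws IOException {
+        try {
+            KeyAgreement ka = JsseJce.getKeyAgreement(algorithmName);
+            ka.init(localPrivateKey);
+            ka.doPhase(peerPublicKey, true);
+            SecretKey preMasterSecret =
+            ka.generateSecret("TlsPremasterSecret");
+            SSLMasterKeyDerivation mskd =
+            SSLMasterKeyDerivation.valueOf(
+            context.negotiatedProtocol);
+            if (mskd == null) {
+                // unlikely
+                throw new SSLHandshakeException(
+                "No expected master key derivation for protocol: " +
+                context.negotiatedProtocol.name);
+            }
+            SSLKeyDerivation kd = mskd.createKeyDerivation(
+            context, preMasterSecret);
+            return kd.deriveKey("MasterSecret", params);
+        } catch (GeneralSecurityException gse) {
+            throw (SSLHandshakeException) new SSLHandshakeException(
+            "Could not generate secret").initCause(gse);
+        }
+    }
+
+    private SecretKey t13DeriveKey(String algorithm,
+                                   AlgorithmParameterSpec params) throws IOException {
+        try {
+            KeyAgreement ka = JsseJce.getKeyAgreement(algorithmName);
+            ka.init(localPrivateKey);
+            ka.doPhase(peerPublicKey, true);
+            SecretKey sharedSecret =
+            ka.generateSecret("TlsPremasterSecret");
+
+            CipherSuite.HashAlg hashAlg = context.negotiatedCipherSuite.hashAlg;
+            SSLKeyDerivation kd = context.handshakeKeyDerivation;
+            HKDF hkdf = new HKDF(hashAlg.name);
+            if (kd == null) {   // No PSK is in use.
+                // If PSK is not in use Early Secret will still be
+                // HKDF-Extract(0, 0).
+                byte[] zeros = new byte[hashAlg.hashLength];
+                SecretKeySpec ikm =
+                new SecretKeySpec(zeros, "TlsPreSharedSecret");
+                SecretKey earlySecret =
+                hkdf.extract(zeros, ikm, "TlsEarlySecret");
+                kd = new SSLSecretDerivation(context, earlySecret);
+            }
+
+            // derive salt secret
+            SecretKey saltSecret = kd.deriveKey("TlsSaltSecret", null);
+
+            // derive handshake secret
+            return hkdf.extract(saltSecret, sharedSecret, algorithm);
+        } catch (GeneralSecurityException gse) {
+            throw (SSLHandshakeException) new SSLHandshakeException(
+            "Could not generate secret").initCause(gse);
+        }
+    }
+}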
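Review bot: Neither `t12DeriveKey` nor `t13DeriveKey` inspects the peer key or the agreed secret after `ka.doPhase(peerPublicKey, true)`, so rejecting a bad peer share is left entirely to the caller and to whichever provider `JsseJce.getKeyAgreement(algorithmName)` returns. For X25519/X448, RFC 8446 section 7.4.2 requires aborting the handshake when the computed shared secret is all zero. If the provider is expected to enforce that by throwing from `doPhase` (which would surface here through the `GeneralSecurityException` catch), the class should say so, for example with a class-level comment `// No peer key validation is done here; callers/providers must reject invalid points and an all-zero XDH result.` Separately, the `algorithm` argument is ignored in `t12DeriveKey`, which always derives `"MasterSecret"`; a one-line comment there would stop a caller from assuming it is honoured.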