--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/java.base/share/classes/sun/security/ssl/CertificateVerify.java Fri May 11 15:53:12 2018 -0700
@@ -0,0 +1,1107 @@
+ /*
+ * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.security.*;
+import java.text.MessageFormat;
+import java.util.Arrays;
+import java.util.Locale;
+import sun.security.ssl.SSLHandshake.HandshakeMessage;
+import sun.security.ssl.X509Authentication.X509Credentials;
+import sun.security.ssl.X509Authentication.X509Possession;
+import sun.security.util.HexDumpEncoder;
+
+/**
+ * Pack of the CertificateVerify handshake message.
+ */
+final class CertificateVerify {
+ static final SSLConsumer s30HandshakeConsumer =
+ new S30CertificateVerifyConsumer();
+ static final HandshakeProducer s30HandshakeProducer =
+ new S30CertificateVerifyProducer();
+
+ static final SSLConsumer t10HandshakeConsumer =
+ new T10CertificateVerifyConsumer();
+ static final HandshakeProducer t10HandshakeProducer =
+ new T10CertificateVerifyProducer();
+
+ static final SSLConsumer t12HandshakeConsumer =
+ new T12CertificateVerifyConsumer();
+ static final HandshakeProducer t12HandshakeProducer =
+ new T12CertificateVerifyProducer();
+
+ static final SSLConsumer t13HandshakeConsumer =
+ new T13CertificateVerifyConsumer();
+ static final HandshakeProducer t13HandshakeProducer =
+ new T13CertificateVerifyProducer();
+
+ /**
+ * The CertificateVerify handshake message (SSL 3.0).
+ */
+ static final class S30CertificateVerifyMessage extends HandshakeMessage {
+ // signature bytes
+ private final byte[] signature;
+
+ S30CertificateVerifyMessage(HandshakeContext context,
+ X509Possession x509Possession) throws IOException {
+ super(context);
+
+ // This happens in client side only.
+ ClientHandshakeContext chc = (ClientHandshakeContext)context;
+ byte[] temproary = null;
+ String algorithm = x509Possession.popPrivateKey.getAlgorithm();
+ try {
+ Signature signer = getSignature(algorithm);
+ signer.initSign(x509Possession.popPrivateKey);
+ byte[] hashes = chc.handshakeHash.digest(algorithm,
+ chc.handshakeSession.getMasterSecret());
+ signer.update(hashes);
+ temproary = signer.sign();
+ } catch (NoSuchAlgorithmException nsae) {
+ chc.conContext.fatal(Alert.INTERNAL_ERROR,
+ "Unsupported signature algorithm (" + algorithm +
+ ") used in CertificateVerify handshake message", nsae);
+ } catch (GeneralSecurityException gse) {
+ chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ "Cannot produce CertificateVerify signature", gse);
+ }
+
+ this.signature = temproary;
+ }
+
+ S30CertificateVerifyMessage(HandshakeContext context,
+ ByteBuffer m) throws IOException {
+ super(context);
+
+ // This happens in server side only.
+ ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+ // digitally-signed struct {
+ // select(SignatureAlgorithm) {
+ // case anonymous: struct { };
+ // case rsa:
+ // opaque md5_hash[16];
+ // opaque sha_hash[20];
+ // case dsa:
+ // opaque sha_hash[20];
+ // };
+ // } Signature;
+ if (m.remaining() < 2) {
+ shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ "Invalid CertificateVerify message: no sufficient data");
+ }
+
+ // read and verify the signature
+ this.signature = Record.getBytes16(m);
+ X509Credentials x509Credentials = null;
+ for (SSLCredentials cd : shc.handshakeCredentials) {
+ if (cd instanceof X509Credentials) {
+ x509Credentials = (X509Credentials)cd;
+ break;
+ }
+ }
+
+ if (x509Credentials == null) {
+ shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ "No X509 credentials negotiated for CertificateVerify");
+ }
+
+ String algorithm = x509Credentials.popPublicKey.getAlgorithm();
+ try {
+ Signature signer = getSignature(algorithm);
+ signer.initVerify(x509Credentials.popPublicKey);
+ byte[] hashes = shc.handshakeHash.digest(algorithm,
+ shc.handshakeSession.getMasterSecret());
+ signer.update(hashes);
+ if (!signer.verify(signature)) {
+ shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ "Invalid CertificateVerify message: invalid signature");
+ }
+ } catch (NoSuchAlgorithmException nsae) {
+ shc.conContext.fatal(Alert.INTERNAL_ERROR,
+ "Unsupported signature algorithm (" + algorithm +
+ ") used in CertificateVerify handshake message", nsae);
+ } catch (GeneralSecurityException gse) {
+ shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ "Cannot verify CertificateVerify signature", gse);
+ }
+ }
+
+ @Override
+ public SSLHandshake handshakeType() {
+ return SSLHandshake.CERTIFICATE_VERIFY;
+ }
+
+ @Override
+ public int messageLength() {
+ return 2 + signature.length; // 2: length of signature
+ }
+
+ @Override
+ public void send(HandshakeOutStream hos) throws IOException {
+ hos.putBytes16(signature);
+ }
+
+ @Override
+ public String toString() {
+ MessageFormat messageFormat = new MessageFormat(
+ "\"CertificateVerify\": '{'\n" +
+ " \"signature\": '{'\n" +
+ "{0}\n" +
+ " '}'\n" +
+ "'}'",
+ Locale.ENGLISH);
+
+ HexDumpEncoder hexEncoder = new HexDumpEncoder();
+ Object[] messageFields = {
+ Utilities.indent(
+ hexEncoder.encodeBuffer(signature), " ")
+ };
+
+ return messageFormat.format(messageFields);
+ }
+
+ /*
+ * Get the Signature object appropriate for verification using the
+ * given signature algorithm.
+ */
+ private static Signature getSignature(
+ String algorithm) throws GeneralSecurityException {
+ switch (algorithm) {
+ case "RSA":
+ return JsseJce.getSignature(JsseJce.SIGNATURE_RAWRSA);
+ case "DSA":
+ return JsseJce.getSignature(JsseJce.SIGNATURE_RAWDSA);
+ case "EC":
+ return JsseJce.getSignature(JsseJce.SIGNATURE_RAWECDSA);
+ default:
+ throw new SignatureException("Unrecognized algorithm: "
+ + algorithm);
+ }
+ }
+ }
+
+ /**
+ * The "CertificateVerify" handshake message producer.
+ */
+ private static final
+ class S30CertificateVerifyProducer implements HandshakeProducer {
+ // Prevent instantiation of this class.
+ private S30CertificateVerifyProducer() {
+ // blank
+ }
+
+ @Override
+ public byte[] produce(ConnectionContext context,
+ HandshakeMessage message) throws IOException {
+ // The producing happens in client side only.
+ ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+ X509Possession x509Possession = null;
+ for (SSLPossession possession : chc.handshakePossessions) {
+ if (possession instanceof X509Possession) {
+ x509Possession = (X509Possession)possession;
+ break;
+ }
+ }
+
+ if (x509Possession == null) {
+ if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+ SSLLogger.fine(
+ "No X.509 credentials negotiated for CertificateVerify");
+ }
+
+ return null;
+ }
+
+ S30CertificateVerifyMessage cvm =
+ new S30CertificateVerifyMessage(chc, x509Possession);
+ if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+ SSLLogger.fine(
+ "Produced CertificateVerify handshake message", cvm);
+ }
+
+ // Output the handshake message.
+ cvm.write(chc.handshakeOutput);
+ chc.handshakeOutput.flush();
+
+ // The handshake message has been delivered.
+ return null;
+ }
+ }
+
+ /**
+ * The "CertificateVerify" handshake message consumer.
+ */
+ private static final
+ class S30CertificateVerifyConsumer implements SSLConsumer {
+ // Prevent instantiation of this class.
+ private S30CertificateVerifyConsumer() {
+ // blank
+ }
+
+ @Override
+ public void consume(ConnectionContext context,
+ ByteBuffer message) throws IOException {
+ // The consuming happens in server side only.
+ ServerHandshakeContext shc = (ServerHandshakeContext)context;
+ S30CertificateVerifyMessage cvm =
+ new S30CertificateVerifyMessage(shc, message);
+ if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+ SSLLogger.fine(
+ "Consuming CertificateVerify handshake message", cvm);
+ }
+
+ //
+ // update
+ //
+ // Need no additional validation.
+
+ //
+ // produce
+ //
+ // Need no new handshake message producers here.
+ }
+ }
+
+ /**
+ * The CertificateVerify handshake message (TLS 1.0/1.1).
+ */
+ static final class T10CertificateVerifyMessage extends HandshakeMessage {
+ // signature bytes
+ private final byte[] signature;
+
+ T10CertificateVerifyMessage(HandshakeContext context,
+ X509Possession x509Possession) throws IOException {
+ super(context);
+
+ // This happens in client side only.
+ ClientHandshakeContext chc = (ClientHandshakeContext)context;
+ byte[] temproary = null;
+ String algorithm = x509Possession.popPrivateKey.getAlgorithm();
+ try {
+ Signature signer = getSignature(algorithm);
+ signer.initSign(x509Possession.popPrivateKey);
+ byte[] hashes = chc.handshakeHash.digest(algorithm);
+ signer.update(hashes);
+ temproary = signer.sign();
+ } catch (NoSuchAlgorithmException nsae) {
+ chc.conContext.fatal(Alert.INTERNAL_ERROR,
+ "Unsupported signature algorithm (" + algorithm +
+ ") used in CertificateVerify handshake message", nsae);
+ } catch (GeneralSecurityException gse) {
+ chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ "Cannot produce CertificateVerify signature", gse);
+ }
+
+ this.signature = temproary;
+ }
+
+ T10CertificateVerifyMessage(HandshakeContext context,
+ ByteBuffer m) throws IOException {
+ super(context);
+
+ // This happens in server side only.
+ ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+ // digitally-signed struct {
+ // select(SignatureAlgorithm) {
+ // case anonymous: struct { };
+ // case rsa:
+ // opaque md5_hash[16];
+ // opaque sha_hash[20];
+ // case dsa:
+ // opaque sha_hash[20];
+ // };
+ // } Signature;
+ if (m.remaining() < 2) {
+ shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ "Invalid CertificateVerify message: no sufficient data");
+ }
+
+ // read and verify the signature
+ this.signature = Record.getBytes16(m);
+ X509Credentials x509Credentials = null;
+ for (SSLCredentials cd : shc.handshakeCredentials) {
+ if (cd instanceof X509Credentials) {
+ x509Credentials = (X509Credentials)cd;
+ break;
+ }
+ }
+
+ if (x509Credentials == null) {
+ shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ "No X509 credentials negotiated for CertificateVerify");
+ }
+
+ String algorithm = x509Credentials.popPublicKey.getAlgorithm();
+ try {
+ Signature signer = getSignature(algorithm);
+ signer.initVerify(x509Credentials.popPublicKey);
+ byte[] hashes = shc.handshakeHash.digest(algorithm);
+ signer.update(hashes);
+ if (!signer.verify(signature)) {
+ shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ "Invalid CertificateVerify message: invalid signature");
+ }
+ } catch (NoSuchAlgorithmException nsae) {
+ shc.conContext.fatal(Alert.INTERNAL_ERROR,
+ "Unsupported signature algorithm (" + algorithm +
+ ") used in CertificateVerify handshake message", nsae);
+ } catch (GeneralSecurityException gse) {
+ shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ "Cannot verify CertificateVerify signature", gse);
+ }
+ }
+
+ @Override
+ public SSLHandshake handshakeType() {
+ return SSLHandshake.CERTIFICATE_VERIFY;
+ }
+
+ @Override
+ public int messageLength() {
+ return 2 + signature.length; // 2: length of signature
+ }
+
+ @Override
+ public void send(HandshakeOutStream hos) throws IOException {
+ hos.putBytes16(signature);
+ }
+
+ @Override
+ public String toString() {
+ MessageFormat messageFormat = new MessageFormat(
+ "\"CertificateVerify\": '{'\n" +
+ " \"signature\": '{'\n" +
+ "{0}\n" +
+ " '}'\n" +
+ "'}'",
+ Locale.ENGLISH);
+
+ HexDumpEncoder hexEncoder = new HexDumpEncoder();
+ Object[] messageFields = {
+ Utilities.indent(
+ hexEncoder.encodeBuffer(signature), " ")
+ };
+
+ return messageFormat.format(messageFields);
+ }
+
+ /*
+ * Get the Signature object appropriate for verification using the
+ * given signature algorithm.
+ */
+ private static Signature getSignature(
+ String algorithm) throws GeneralSecurityException {
+ switch (algorithm) {
+ case "RSA":
+ return JsseJce.getSignature(JsseJce.SIGNATURE_RAWRSA);
+ case "DSA":
+ return JsseJce.getSignature(JsseJce.SIGNATURE_RAWDSA);
+ case "EC":
+ return JsseJce.getSignature(JsseJce.SIGNATURE_RAWECDSA);
+ default:
+ throw new SignatureException("Unrecognized algorithm: "
+ + algorithm);
+ }
+ }
+ }
+
+ /**
+ * The "CertificateVerify" handshake message producer.
+ */
+ private static final
+ class T10CertificateVerifyProducer implements HandshakeProducer {
+ // Prevent instantiation of this class.
+ private T10CertificateVerifyProducer() {
+ // blank
+ }
+
+ @Override
+ public byte[] produce(ConnectionContext context,
+ HandshakeMessage message) throws IOException {
+ // The producing happens in client side only.
+ ClientHandshakeContext chc = (ClientHandshakeContext)context;
+ X509Possession x509Possession = null;
+ for (SSLPossession possession : chc.handshakePossessions) {
+ if (possession instanceof X509Possession) {
+ x509Possession = (X509Possession)possession;
+ break;
+ }
+ }
+
+ if (x509Possession == null) {
+ if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+ SSLLogger.fine(
+ "No X.509 credentials negotiated for CertificateVerify");
+ }
+
+ return null;
+ }
+
+ T10CertificateVerifyMessage cvm =
+ new T10CertificateVerifyMessage(chc, x509Possession);
+ if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+ SSLLogger.fine(
+ "Produced CertificateVerify handshake message", cvm);
+ }
+
+ // Output the handshake message.
+ cvm.write(chc.handshakeOutput);
+ chc.handshakeOutput.flush();
+
+ // The handshake message has been delivered.
+ return null;
+ }
+ }
+
+ /**
+ * The "CertificateVerify" handshake message consumer.
+ */
+ private static final
+ class T10CertificateVerifyConsumer implements SSLConsumer {
+ // Prevent instantiation of this class.
+ private T10CertificateVerifyConsumer() {
+ // blank
+ }
+
+ @Override
+ public void consume(ConnectionContext context,
+ ByteBuffer message) throws IOException {
+ // The consuming happens in server side only.
+ ServerHandshakeContext shc = (ServerHandshakeContext)context;
+ T10CertificateVerifyMessage cvm =
+ new T10CertificateVerifyMessage(shc, message);
+ if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+ SSLLogger.fine(
+ "Consuming CertificateVerify handshake message", cvm);
+ }
+
+ //
+ // update
+ //
+ // Need no additional validation.
+
+ //
+ // produce
+ //
+ // Need no new handshake message producers here. }
+ }
+ }
+
+ /**
+ * The CertificateVerify handshake message (TLS 1.2).
+ */
+ static final class T12CertificateVerifyMessage extends HandshakeMessage {
+ // the signature algorithm
+ private final SignatureScheme signatureScheme;
+
+ // signature bytes
+ private final byte[] signature;
+
+ T12CertificateVerifyMessage(HandshakeContext context,
+ X509Possession x509Possession) throws IOException {
+ super(context);
+
+ // This happens in client side only.
+ ClientHandshakeContext chc = (ClientHandshakeContext)context;
+ this.signatureScheme = SignatureScheme.getPreferableAlgorithm(
+ chc.peerRequestedSignatureSchemes,
+ x509Possession.popPrivateKey,
+ chc.negotiatedProtocol);
+ if (signatureScheme == null) {
+ // Unlikely, the credentials generator should have
+ // selected the preferable signature algorithm properly.
+ chc.conContext.fatal(Alert.INTERNAL_ERROR,
+ "No preferred signature algorithm for CertificateVerify");
+ }
+
+ byte[] temproary = null;
+ try {
+ Signature signer = signatureScheme.getSignature();
+ signer.initSign(x509Possession.popPrivateKey);
+ signer.update(chc.handshakeHash.archived());
+ temproary = signer.sign();
+ } catch (NoSuchAlgorithmException |
+ InvalidAlgorithmParameterException nsae) {
+ chc.conContext.fatal(Alert.INTERNAL_ERROR,
+ "Unsupported signature algorithm (" +
+ signatureScheme.name +
+ ") used in CertificateVerify handshake message", nsae);
+ } catch (InvalidKeyException | SignatureException ikse) {
+ chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ "Cannot produce CertificateVerify signature", ikse);
+ }
+
+ this.signature = temproary;
+ }
+
+ T12CertificateVerifyMessage(HandshakeContext handshakeContext,
+ ByteBuffer m) throws IOException {
+ super(handshakeContext);
+
+ // This happens in server side only.
+ ServerHandshakeContext shc =
+ (ServerHandshakeContext)handshakeContext;
+
+ // struct {
+ // SignatureAndHashAlgorithm algorithm;
+ // opaque signature<0..2^16-1>;
+ // } DigitallySigned;
+ if (m.remaining() < 4) {
+ shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ "Invalid CertificateVerify message: no sufficient data");
+ }
+
+ // SignatureAndHashAlgorithm algorithm
+ int ssid = Record.getInt16(m);
+ this.signatureScheme = SignatureScheme.valueOf(ssid);
+ if (signatureScheme == null) {
+ shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ "Invalid signature algorithm (" + ssid +
+ ") used in CertificateVerify handshake message");
+ }
+
+ if (!shc.localSupportedSignAlgs.contains(signatureScheme)) {
+ shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ "Unsupported signature algorithm (" +
+ signatureScheme.name +
+ ") used in CertificateVerify handshake message");
+ }
+
+ // read and verify the signature
+ X509Credentials x509Credentials = null;
+ for (SSLCredentials cd : shc.handshakeCredentials) {
+ if (cd instanceof X509Credentials) {
+ x509Credentials = (X509Credentials)cd;
+ break;
+ }
+ }
+
+ if (x509Credentials == null) {
+ shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ "No X509 credentials negotiated for CertificateVerify");
+ }
+
+ // opaque signature<0..2^16-1>;
+ this.signature = Record.getBytes16(m);
+ try {
+ Signature signer = signatureScheme.getSignature();
+ signer.initVerify(x509Credentials.popPublicKey);
+ signer.update(shc.handshakeHash.archived());
+ if (!signer.verify(signature)) {
+ shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ "Invalid CertificateVerify signature");
+ }
+ } catch (NoSuchAlgorithmException |
+ InvalidAlgorithmParameterException nsae) {
+ shc.conContext.fatal(Alert.INTERNAL_ERROR,
+ "Unsupported signature algorithm (" +
+ signatureScheme.name +
+ ") used in CertificateVerify handshake message", nsae);
+ } catch (InvalidKeyException | SignatureException ikse) {
+ shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ "Cannot verify CertificateVerify signature", ikse);
+ }
+ }
+
+ @Override
+ public SSLHandshake handshakeType() {
+ return SSLHandshake.CERTIFICATE_VERIFY;
+ }
+
+ @Override
+ public int messageLength() {
+ return 4 + signature.length; // 2: signature algorithm
+ // +2: length of signature
+ }
+
+ @Override
+ public void send(HandshakeOutStream hos) throws IOException {
+ hos.putInt16(signatureScheme.id);
+ hos.putBytes16(signature);
+ }
+
+ @Override
+ public String toString() {
+ MessageFormat messageFormat = new MessageFormat(
+ "\"CertificateVerify\": '{'\n" +
+ " \"signature algorithm\": {0}\n" +
+ " \"signature\": '{'\n" +
+ "{1}\n" +
+ " '}'\n" +
+ "'}'",
+ Locale.ENGLISH);
+
+ HexDumpEncoder hexEncoder = new HexDumpEncoder();
+ Object[] messageFields = {
+ signatureScheme.name,
+ Utilities.indent(
+ hexEncoder.encodeBuffer(signature), " ")
+ };
+
+ return messageFormat.format(messageFields);
+ }
+ }
+
+ /**
+ * The "CertificateVerify" handshake message producer.
+ */
+ private static final
+ class T12CertificateVerifyProducer implements HandshakeProducer {
+ // Prevent instantiation of this class.
+ private T12CertificateVerifyProducer() {
+ // blank
+ }
+
+ @Override
+ public byte[] produce(ConnectionContext context,
+ HandshakeMessage message) throws IOException {
+ // The producing happens in client side only.
+ ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+ X509Possession x509Possession = null;
+ for (SSLPossession possession : chc.handshakePossessions) {
+ if (possession instanceof X509Possession) {
+ x509Possession = (X509Possession)possession;
+ break;
+ }
+ }
+
+ if (x509Possession == null) {
+ if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+ SSLLogger.fine(
+ "No X.509 credentials negotiated for CertificateVerify");
+ }
+
+ return null;
+ }
+
+ T12CertificateVerifyMessage cvm =
+ new T12CertificateVerifyMessage(chc, x509Possession);
+ if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+ SSLLogger.fine(
+ "Produced CertificateVerify handshake message", cvm);
+ }
+
+ // Output the handshake message.
+ cvm.write(chc.handshakeOutput);
+ chc.handshakeOutput.flush();
+
+ // The handshake message has been delivered.
+ return null;
+ }
+ }
+
+ /**
+ * The "CertificateVerify" handshake message consumer.
+ */
+ private static final
+ class T12CertificateVerifyConsumer implements SSLConsumer {
+ // Prevent instantiation of this class.
+ private T12CertificateVerifyConsumer() {
+ // blank
+ }
+
+ @Override
+ public void consume(ConnectionContext context,
+ ByteBuffer message) throws IOException {
+ // The consuming happens in server side only.
+ ServerHandshakeContext shc = (ServerHandshakeContext)context;
+ T12CertificateVerifyMessage cvm =
+ new T12CertificateVerifyMessage(shc, message);
+ if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+ SSLLogger.fine(
+ "Consuming CertificateVerify handshake message", cvm);
+ }
+
+ //
+ // update
+ //
+ // Need no additional validation.
+
+ //
+ // produce
+ //
+ // Need no new handshake message producers here.
+ }
+ }
+
+ /**
+ * The CertificateVerify handshake message (TLS 1.3).
+ */
+ static final class T13CertificateVerifyMessage extends HandshakeMessage {
+ private static final byte[] serverSignHead = new byte[] {
+ // repeated 0x20 for 64 times
+ (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+ (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+ (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+ (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+ (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+ (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+ (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+ (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+ (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+ (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+ (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+ (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+ (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+ (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+ (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+ (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+
+ // "TLS 1.3, server CertificateVerify" + 0x00
+ (byte)0x54, (byte)0x4c, (byte)0x53, (byte)0x20,
+ (byte)0x31, (byte)0x2e, (byte)0x33, (byte)0x2c,
+ (byte)0x20, (byte)0x73, (byte)0x65, (byte)0x72,
+ (byte)0x76, (byte)0x65, (byte)0x72, (byte)0x20,
+ (byte)0x43, (byte)0x65, (byte)0x72, (byte)0x74,
+ (byte)0x69, (byte)0x66, (byte)0x69, (byte)0x63,
+ (byte)0x61, (byte)0x74, (byte)0x65, (byte)0x56,
+ (byte)0x65, (byte)0x72, (byte)0x69, (byte)0x66,
+ (byte)0x79, (byte)0x00
+ };
+
+ private static final byte[] clientSignHead = new byte[] {
+ // repeated 0x20 for 64 times
+ (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+ (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+ (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+ (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+ (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+ (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+ (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+ (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+ (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+ (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+ (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+ (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+ (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+ (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+ (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+ (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+
+ // "TLS 1.3, client CertificateVerify" + 0x00
+ (byte)0x54, (byte)0x4c, (byte)0x53, (byte)0x20,
+ (byte)0x31, (byte)0x2e, (byte)0x33, (byte)0x2c,
+ (byte)0x20, (byte)0x63, (byte)0x6c, (byte)0x69,
+ (byte)0x65, (byte)0x6e, (byte)0x74, (byte)0x20,
+ (byte)0x43, (byte)0x65, (byte)0x72, (byte)0x74,
+ (byte)0x69, (byte)0x66, (byte)0x69, (byte)0x63,
+ (byte)0x61, (byte)0x74, (byte)0x65, (byte)0x56,
+ (byte)0x65, (byte)0x72, (byte)0x69, (byte)0x66,
+ (byte)0x79, (byte)0x00
+ };
+
+
+ // the signature algorithm
+ private final SignatureScheme signatureScheme;
+
+ // signature bytes
+ private final byte[] signature;
+
+ T13CertificateVerifyMessage(HandshakeContext context,
+ X509Possession x509Possession) throws IOException {
+ super(context);
+
+ this.signatureScheme = SignatureScheme.getPreferableAlgorithm(
+ context.peerRequestedSignatureSchemes,
+ x509Possession.popPrivateKey,
+ context.negotiatedProtocol);
+ if (signatureScheme == null) {
+ // Unlikely, the credentials generator should have
+ // selected the preferable signature algorithm properly.
+ context.conContext.fatal(Alert.INTERNAL_ERROR,
+ "No preferred signature algorithm for CertificateVerify");
+ }
+
+ byte[] hashValue = context.handshakeHash.digest();
+ byte[] contentCovered;
+ if (context.sslConfig.isClientMode) {
+ contentCovered = Arrays.copyOf(clientSignHead,
+ clientSignHead.length + hashValue.length);
+ System.arraycopy(hashValue, 0, contentCovered,
+ clientSignHead.length, hashValue.length);
+ } else {
+ contentCovered = Arrays.copyOf(serverSignHead,
+ serverSignHead.length + hashValue.length);
+ System.arraycopy(hashValue, 0, contentCovered,
+ serverSignHead.length, hashValue.length);
+ }
+
+ byte[] temproary = null;
+ try {
+ Signature signer = signatureScheme.getSignature();
+ signer.initSign(x509Possession.popPrivateKey);
+ signer.update(contentCovered);
+ temproary = signer.sign();
+ } catch (NoSuchAlgorithmException |
+ InvalidAlgorithmParameterException nsae) {
+ context.conContext.fatal(Alert.INTERNAL_ERROR,
+ "Unsupported signature algorithm (" +
+ signatureScheme.name +
+ ") used in CertificateVerify handshake message", nsae);
+ } catch (InvalidKeyException | SignatureException ikse) {
+ context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ "Cannot produce CertificateVerify signature", ikse);
+ }
+
+ this.signature = temproary;
+ }
+
+ T13CertificateVerifyMessage(HandshakeContext context,
+ ByteBuffer m) throws IOException {
+ super(context);
+
+ // struct {
+ // SignatureAndHashAlgorithm algorithm;
+ // opaque signature<0..2^16-1>;
+ // } DigitallySigned;
+ if (m.remaining() < 4) {
+ context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ "Invalid CertificateVerify message: no sufficient data");
+ }
+
+ // SignatureAndHashAlgorithm algorithm
+ int ssid = Record.getInt16(m);
+ this.signatureScheme = SignatureScheme.valueOf(ssid);
+ if (signatureScheme == null) {
+ context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ "Invalid signature algorithm (" + ssid +
+ ") used in CertificateVerify handshake message");
+ }
+
+ if (!context.localSupportedSignAlgs.contains(signatureScheme)) {
+ context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ "Unsupported signature algorithm (" +
+ signatureScheme.name +
+ ") used in CertificateVerify handshake message");
+ }
+
+ // read and verify the signature
+ X509Credentials x509Credentials = null;
+ for (SSLCredentials cd : context.handshakeCredentials) {
+ if (cd instanceof X509Credentials) {
+ x509Credentials = (X509Credentials)cd;
+ break;
+ }
+ }
+
+ if (x509Credentials == null) {
+ context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ "No X509 credentials negotiated for CertificateVerify");
+ }
+
+ // opaque signature<0..2^16-1>;
+ this.signature = Record.getBytes16(m);
+
+ byte[] hashValue = context.handshakeHash.digest();
+ byte[] contentCovered;
+ if (context.sslConfig.isClientMode) {
+ contentCovered = Arrays.copyOf(serverSignHead,
+ serverSignHead.length + hashValue.length);
+ System.arraycopy(hashValue, 0, contentCovered,
+ serverSignHead.length, hashValue.length);
+ } else {
+ contentCovered = Arrays.copyOf(clientSignHead,
+ clientSignHead.length + hashValue.length);
+ System.arraycopy(hashValue, 0, contentCovered,
+ clientSignHead.length, hashValue.length);
+ }
+
+ try {
+ Signature signer = signatureScheme.getSignature();
+ signer.initVerify(x509Credentials.popPublicKey);
+ signer.update(contentCovered);
+ if (!signer.verify(signature)) {
+ context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ "Invalid CertificateVerify signature");
+ }
+ } catch (NoSuchAlgorithmException |
+ InvalidAlgorithmParameterException nsae) {
+ context.conContext.fatal(Alert.INTERNAL_ERROR,
+ "Unsupported signature algorithm (" +
+ signatureScheme.name +
+ ") used in CertificateVerify handshake message", nsae);
+ } catch (InvalidKeyException | SignatureException ikse) {
+ context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ "Cannot verify CertificateVerify signature", ikse);
+ }
+ }
+
+ @Override
+ public SSLHandshake handshakeType() {
+ return SSLHandshake.CERTIFICATE_VERIFY;
+ }
+
+ @Override
+ public int messageLength() {
+ return 4 + signature.length; // 2: signature algorithm
+ // +2: length of signature
+ }
+
+ @Override
+ public void send(HandshakeOutStream hos) throws IOException {
+ hos.putInt16(signatureScheme.id);
+ hos.putBytes16(signature);
+ }
+
+ @Override
+ public String toString() {
+ MessageFormat messageFormat = new MessageFormat(
+ "\"CertificateVerify\": '{'\n" +
+ " \"signature algorithm\": {0}\n" +
+ " \"signature\": '{'\n" +
+ "{1}\n" +
+ " '}'\n" +
+ "'}'",
+ Locale.ENGLISH);
+
+ HexDumpEncoder hexEncoder = new HexDumpEncoder();
+ Object[] messageFields = {
+ signatureScheme.name,
+ Utilities.indent(
+ hexEncoder.encodeBuffer(signature), " ")
+ };
+
+ return messageFormat.format(messageFields);
+ }
+ }
+
+ /**
+ * The "CertificateVerify" handshake message producer.
+ */
+ private static final
+ class T13CertificateVerifyProducer implements HandshakeProducer {
+ // Prevent instantiation of this class.
+ private T13CertificateVerifyProducer() {
+ // blank
+ }
+
+ @Override
+ public byte[] produce(ConnectionContext context,
+ HandshakeMessage message) throws IOException {
+ // The producing happens in handshake context only.
+ HandshakeContext hc = (HandshakeContext)context;
+
+ X509Possession x509Possession = null;
+ for (SSLPossession possession : hc.handshakePossessions) {
+ if (possession instanceof X509Possession) {
+ x509Possession = (X509Possession)possession;
+ break;
+ }
+ }
+
+ if (x509Possession == null) {
+ if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+ SSLLogger.fine(
+ "No X.509 credentials negotiated for CertificateVerify");
+ }
+
+ return null;
+ }
+
+ if (hc.sslConfig.isClientMode) {
+ return onProduceCertificateVerify(
+ (ClientHandshakeContext)context, x509Possession);
+ } else {
+ return onProduceCertificateVerify(
+ (ServerHandshakeContext)context, x509Possession);
+ }
+ }
+
+ private byte[] onProduceCertificateVerify(ServerHandshakeContext shc,
+ X509Possession x509Possession) throws IOException {
+ T13CertificateVerifyMessage cvm =
+ new T13CertificateVerifyMessage(shc, x509Possession);
+ if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+ SSLLogger.fine(
+ "Produced server CertificateVerify handshake message", cvm);
+ }
+
+ // Output the handshake message.
+ cvm.write(shc.handshakeOutput);
+ shc.handshakeOutput.flush();
+
+ // The handshake message has been delivered.
+ return null;
+ }
+
+ private byte[] onProduceCertificateVerify(ClientHandshakeContext chc,
+ X509Possession x509Possession) throws IOException {
+ T13CertificateVerifyMessage cvm =
+ new T13CertificateVerifyMessage(chc, x509Possession);
+ if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+ SSLLogger.fine(
+ "Produced client CertificateVerify handshake message", cvm);
+ }
+
+ // Output the handshake message.
+ cvm.write(chc.handshakeOutput);
+ chc.handshakeOutput.flush();
+
+ // The handshake message has been delivered.
+ return null;
+ }
+ }
+
+ /**
+ * The "CertificateVerify" handshake message consumer.
+ */
+ private static final
+ class T13CertificateVerifyConsumer implements SSLConsumer {
+ // Prevent instantiation of this class.
+ private T13CertificateVerifyConsumer() {
+ // blank
+ }
+
+ @Override
+ public void consume(ConnectionContext context,
+ ByteBuffer message) throws IOException {
+ // The producing happens in handshake context only.
+ HandshakeContext hc = (HandshakeContext)context;
+ T13CertificateVerifyMessage cvm =
+ new T13CertificateVerifyMessage(hc, message);
+ if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+ SSLLogger.fine(
+ "Consuming CertificateVerify handshake message", cvm);
+ }
+
+ //
+ // update
+ //
+ // Need no additional validation.
+
+ //
+ // produce
+ //
+ // Need no new handshake message producers here.
+ }
+ }
+}