--- a/src/java.base/share/classes/sun/security/ssl/KeyShareExtension.java Wed Jun 12 23:21:24 2019 +0200
+++ b/src/java.base/share/classes/sun/security/ssl/KeyShareExtension.java Wed Jun 12 18:58:00 2019 -0700
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -27,27 +27,19 @@
import java.io.IOException;
import java.nio.ByteBuffer;
-import java.security.CryptoPrimitive;
import java.security.GeneralSecurityException;
import java.text.MessageFormat;
import java.util.Arrays;
import java.util.Collections;
-import java.util.EnumSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import javax.net.ssl.SSLProtocolException;
-import sun.security.ssl.DHKeyExchange.DHECredentials;
-import sun.security.ssl.DHKeyExchange.DHEPossession;
-import sun.security.ssl.ECDHKeyExchange.ECDHECredentials;
-import sun.security.ssl.ECDHKeyExchange.ECDHEPossession;
import sun.security.ssl.KeyShareExtension.CHKeyShareSpec;
import sun.security.ssl.SSLExtension.ExtensionConsumer;
import sun.security.ssl.SSLExtension.SSLExtensionSpec;
import sun.security.ssl.SSLHandshake.HandshakeMessage;
-import sun.security.ssl.SupportedGroupsExtension.NamedGroup;
-import sun.security.ssl.SupportedGroupsExtension.NamedGroupType;
import sun.security.ssl.SupportedGroupsExtension.SupportedGroups;
import sun.security.util.HexDumpEncoder;
@@ -264,8 +256,7 @@
for (SSLPossession pos : poses) {
// update the context
chc.handshakePossessions.add(pos);
- if (!(pos instanceof ECDHEPossession) &&
- !(pos instanceof DHEPossession)) {
+ if (!(pos instanceof NamedGroupPossession)) {
// May need more possesion types in the future.
continue;
}
@@ -353,46 +344,18 @@
continue;
}
- if (ng.type == NamedGroupType.NAMED_GROUP_ECDHE) {
- try {
- ECDHECredentials ecdhec =
- ECDHECredentials.valueOf(ng, entry.keyExchange);
- if (ecdhec != null) {
- if (!shc.algorithmConstraints.permits(
- EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
- ecdhec.popPublicKey)) {
- SSLLogger.warning(
- "ECDHE key share entry does not " +
- "comply to algorithm constraints");
- } else {
- credentials.add(ecdhec);
- }
- }
- } catch (IOException | GeneralSecurityException ex) {
- SSLLogger.warning(
- "Cannot decode named group: " +
- NamedGroup.nameOf(entry.namedGroupId));
+ try {
+ SSLCredentials kaCred =
+ ng.decodeCredentials(entry.keyExchange,
+ shc.algorithmConstraints,
+ s -> SSLLogger.warning(s));
+ if (kaCred != null) {
+ credentials.add(kaCred);
}
- } else if (ng.type == NamedGroupType.NAMED_GROUP_FFDHE) {
- try {
- DHECredentials dhec =
- DHECredentials.valueOf(ng, entry.keyExchange);
- if (dhec != null) {
- if (!shc.algorithmConstraints.permits(
- EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
- dhec.popPublicKey)) {
- SSLLogger.warning(
- "DHE key share entry does not " +
- "comply to algorithm constraints");
- } else {
- credentials.add(dhec);
- }
- }
- } catch (IOException | GeneralSecurityException ex) {
- SSLLogger.warning(
- "Cannot decode named group: " +
- NamedGroup.nameOf(entry.namedGroupId));
- }
+ } catch (GeneralSecurityException ex) {
+ SSLLogger.warning(
+ "Cannot decode named group: " +
+ NamedGroup.nameOf(entry.namedGroupId));
}
}
@@ -526,10 +489,9 @@
KeyShareEntry keyShare = null;
for (SSLCredentials cd : shc.handshakeCredentials) {
NamedGroup ng = null;
- if (cd instanceof ECDHECredentials) {
- ng = ((ECDHECredentials)cd).namedGroup;
- } else if (cd instanceof DHECredentials) {
- ng = ((DHECredentials)cd).namedGroup;
+ if (cd instanceof NamedGroupCredentials) {
+ NamedGroupCredentials creds = (NamedGroupCredentials)cd;
+ ng = creds.getNamedGroup();
}
if (ng == null) {
@@ -547,8 +509,7 @@
SSLPossession[] poses = ke.createPossessions(shc);
for (SSLPossession pos : poses) {
- if (!(pos instanceof ECDHEPossession) &&
- !(pos instanceof DHEPossession)) {
+ if (!(pos instanceof NamedGroupPossession)) {
// May need more possesion types in the future.
continue;
}
@@ -567,7 +528,7 @@
me.getKey(), me.getValue());
}
- // We have got one! Don't forgor to break.
+ // We have got one! Don't forget to break.
break;
}
}
@@ -643,49 +604,16 @@
}
SSLCredentials credentials = null;
- if (ng.type == NamedGroupType.NAMED_GROUP_ECDHE) {
- try {
- ECDHECredentials ecdhec =
- ECDHECredentials.valueOf(ng, keyShare.keyExchange);
- if (ecdhec != null) {
- if (!chc.algorithmConstraints.permits(
- EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
- ecdhec.popPublicKey)) {
- throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
- "ECDHE key share entry does not " +
- "comply to algorithm constraints");
- } else {
- credentials = ecdhec;
- }
- }
- } catch (IOException | GeneralSecurityException ex) {
- throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
- "Cannot decode named group: " +
- NamedGroup.nameOf(keyShare.namedGroupId));
+ try {
+ SSLCredentials kaCred = ng.decodeCredentials(
+ keyShare.keyExchange, chc.algorithmConstraints,
+ s -> chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, s));
+ if (kaCred != null) {
+ credentials = kaCred;
}
- } else if (ng.type == NamedGroupType.NAMED_GROUP_FFDHE) {
- try {
- DHECredentials dhec =
- DHECredentials.valueOf(ng, keyShare.keyExchange);
- if (dhec != null) {
- if (!chc.algorithmConstraints.permits(
- EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
- dhec.popPublicKey)) {
- throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
- "DHE key share entry does not " +
- "comply to algorithm constraints");
- } else {
- credentials = dhec;
- }
- }
- } catch (IOException | GeneralSecurityException ex) {
- throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
- "Cannot decode named group: " +
- NamedGroup.nameOf(keyShare.namedGroupId));
- }
- } else {
+ } catch (GeneralSecurityException ex) {
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
- "Unsupported named group: " +
+ "Cannot decode named group: " +
NamedGroup.nameOf(keyShare.namedGroupId));
}