1 /*
   2  * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.  Oracle designates this
   8  * particular file as subject to the "Classpath" exception as provided
   9  * by Oracle in the LICENSE file that accompanied this code.
  10  *
  11  * This code is distributed in the hope that it will be useful, but WITHOUT
  12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  14  * version 2 for more details (a copy is included in the LICENSE file that
  15  * accompanied this code).
  16  *
  17  * You should have received a copy of the GNU General Public License version
  18  * 2 along with this work; if not, write to the Free Software Foundation,
  19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20  *
  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 
  26 package sun.security.ssl;
  27 
  28 import java.io.*;
  29 import java.math.BigInteger;
  30 import java.security.*;
  31 import java.security.interfaces.*;
  32 import java.security.spec.*;
  33 import java.security.cert.*;
  34 import java.security.cert.Certificate;
  35 import java.util.*;
  36 import java.util.concurrent.ConcurrentHashMap;
  37 
  38 import java.lang.reflect.*;
  39 
  40 import javax.security.auth.x500.X500Principal;
  41 
  42 import javax.crypto.KeyGenerator;
  43 import javax.crypto.SecretKey;
  44 import javax.crypto.spec.DHPublicKeySpec;
  45 
  46 import javax.net.ssl.*;
  47 
  48 import sun.security.internal.spec.TlsPrfParameterSpec;
  49 import sun.security.ssl.CipherSuite.*;
  50 import static sun.security.ssl.CipherSuite.PRF.*;
  51 import sun.security.util.KeyUtil;
  52 import sun.security.provider.certpath.OCSPResponse;
  53 
  54 /**
  55  * Many data structures are involved in the handshake messages.  These
  56  * classes are used as structures, with public data members.  They are
  57  * not visible outside the SSL package.
  58  *
  59  * Handshake messages all have a common header format, and they are all
  60  * encoded in a "handshake data" SSL record substream.  The base class
  61  * here (HandshakeMessage) provides a common framework and records the
  62  * SSL record type of the particular handshake message.
  63  *
  64  * This file contains subclasses for all the basic handshake messages.
  65  * All handshake messages know how to encode and decode themselves on
  66  * SSL streams; this facilitates using the same code on SSL client and
  67  * server sides, although they don't send and receive the same messages.
  68  *
  69  * Messages also know how to print themselves, which is quite handy
  70  * for debugging.  They always identify their type, and can optionally
  71  * dump all of their content.
  72  *
  73  * @author David Brownell
  74  */
  75 public abstract class HandshakeMessage {
  76 
  77     /* Class and subclass dynamic debugging support */
  78     public static final Debug debug = Debug.getInstance("ssl");
  79 
  80     // enum HandshakeType:
  81     static final byte   ht_hello_request          = 0;      // RFC 5246
  82     static final byte   ht_client_hello           = 1;      // RFC 5246
  83     static final byte   ht_server_hello           = 2;      // RFC 5246
  84     static final byte   ht_hello_verify_request   = 3;      // RFC 6347
  85     static final byte   ht_new_session_ticket     = 4;      // RFC 4507
  86 
  87     static final byte   ht_certificate            = 11;     // RFC 5246
  88     static final byte   ht_server_key_exchange    = 12;     // RFC 5246
  89     static final byte   ht_certificate_request    = 13;     // RFC 5246
  90     static final byte   ht_server_hello_done      = 14;     // RFC 5246
  91     static final byte   ht_certificate_verify     = 15;     // RFC 5246
  92     static final byte   ht_client_key_exchange    = 16;     // RFC 5246
  93 
  94     static final byte   ht_finished               = 20;     // RFC 5246
  95     static final byte   ht_certificate_url        = 21;     // RFC 6066
  96     static final byte   ht_certificate_status     = 22;     // RFC 6066
  97     static final byte   ht_supplemental_data      = 23;     // RFC 4680
  98 
  99     static final byte   ht_not_applicable         = -1;     // N/A
 100 
 101     /*
 102      * SSL 3.0 MAC padding constants.
 103      * Also used by CertificateVerify and Finished during the handshake.
 104      */
 105     static final byte[] MD5_pad1 = genPad(0x36, 48);
 106     static final byte[] MD5_pad2 = genPad(0x5c, 48);
 107 
 108     static final byte[] SHA_pad1 = genPad(0x36, 40);
 109     static final byte[] SHA_pad2 = genPad(0x5c, 40);
 110 
 111     // default constructor
 112     HandshakeMessage() {
 113     }
 114 
 115     /**
 116      * Utility method to convert a BigInteger to a byte array in unsigned
 117      * format as needed in the handshake messages. BigInteger uses
 118      * 2's complement format, i.e. it prepends an extra zero if the MSB
 119      * is set. We remove that.
 120      */
 121     static byte[] toByteArray(BigInteger bi) {
 122         byte[] b = bi.toByteArray();
 123         if ((b.length > 1) && (b[0] == 0)) {
 124             int n = b.length - 1;
 125             byte[] newarray = new byte[n];
 126             System.arraycopy(b, 1, newarray, 0, n);
 127             b = newarray;
 128         }
 129         return b;
 130     }
 131 
 132     private static byte[] genPad(int b, int count) {
 133         byte[] padding = new byte[count];
 134         Arrays.fill(padding, (byte)b);
 135         return padding;
 136     }
 137 
 138     /*
 139      * Write a handshake message on the (handshake) output stream.
 140      * This is just a four byte header followed by the data.
 141      *
 142      * NOTE that huge messages -- notably, ones with huge cert
 143      * chains -- are handled correctly.
 144      */
 145     final void write(HandshakeOutStream s) throws IOException {
 146         int len = messageLength();
 147         if (len >= Record.OVERFLOW_OF_INT24) {
 148             throw new SSLException("Handshake message too big"
 149                 + ", type = " + messageType() + ", len = " + len);
 150         }
 151         s.write(messageType());
 152         s.putInt24(len);
 153         send(s);
 154         s.complete();
 155     }
 156 
 157     /*
 158      * Subclasses implement these methods so those kinds of
 159      * messages can be emitted.  Base class delegates to subclass.
 160      */
 161     abstract int  messageType();
 162     abstract int  messageLength();
 163     abstract void send(HandshakeOutStream s) throws IOException;
 164 
 165     /*
 166      * Write a descriptive message on the output stream; for debugging.
 167      */
 168     abstract void print(PrintStream p) throws IOException;
 169 
 170 //
 171 // NOTE:  the rest of these classes are nested within this one, and are
 172 // imported by other classes in this package.  There are a few other
 173 // handshake message classes, not neatly nested here because of current
 174 // licensing requirement for native (RSA) methods.  They belong here,
 175 // but those native methods complicate things a lot!
 176 //
 177 
 178 
 179 /*
 180  * HelloRequest ... SERVER --> CLIENT
 181  *
 182  * Server can ask the client to initiate a new handshake, e.g. to change
 183  * session parameters after a connection has been (re)established.
 184  */
 185 static final class HelloRequest extends HandshakeMessage {
 186     @Override
 187     int messageType() { return ht_hello_request; }
 188 
 189     HelloRequest() { }
 190 
 191     HelloRequest(HandshakeInStream in) throws IOException
 192     {
 193         // nothing in this message
 194     }
 195 
 196     @Override
 197     int messageLength() { return 0; }
 198 
 199     @Override
 200     void send(HandshakeOutStream out) throws IOException
 201     {
 202         // nothing in this messaage
 203     }
 204 
 205     @Override
 206     void print(PrintStream out) throws IOException
 207     {
 208         out.println("*** HelloRequest (empty)");
 209     }
 210 
 211 }
 212 
 213 /*
 214  * HelloVerifyRequest ... SERVER --> CLIENT  [DTLS only]
 215  *
 216  * The definition of HelloVerifyRequest is as follows:
 217  *
 218  *     struct {
 219  *       ProtocolVersion server_version;
 220  *       opaque cookie<0..2^8-1>;
 221  *     } HelloVerifyRequest;
 222  *
 223  * For DTLS protocols, once the client has transmitted the ClientHello message,
 224  * it expects to see a HelloVerifyRequest from the server.  However, if the
 225  * server's message is lost, the client knows that either the ClientHello or
 226  * the HelloVerifyRequest has been lost and retransmits. [RFC 6347]
 227  */
 228 static final class HelloVerifyRequest extends HandshakeMessage {
 229     ProtocolVersion     protocolVersion;
 230     byte[]              cookie;         // 1 to 2^8 - 1 bytes
 231 
 232     HelloVerifyRequest(HelloCookieManager helloCookieManager,
 233             ClientHello clientHelloMsg) {
 234 
 235         this.protocolVersion = clientHelloMsg.protocolVersion;
 236         this.cookie = helloCookieManager.getCookie(clientHelloMsg);
 237     }
 238 
 239     HelloVerifyRequest(
 240             HandshakeInStream input, int messageLength) throws IOException {
 241 
 242         this.protocolVersion =
 243                 ProtocolVersion.valueOf(input.getInt8(), input.getInt8());
 244         this.cookie = input.getBytes8();
 245 
 246         // Is it a valid cookie?
 247         HelloCookieManager.checkCookie(protocolVersion, cookie);
 248     }
 249 
 250     @Override
 251     int messageType() {
 252         return ht_hello_verify_request;
 253     }
 254 
 255     @Override
 256     int messageLength() {
 257         return 2 + cookie.length;       // 2: the length of protocolVersion
 258     }
 259 
 260     @Override
 261     void send(HandshakeOutStream hos) throws IOException {
 262         hos.putInt8(protocolVersion.major);
 263         hos.putInt8(protocolVersion.minor);
 264         hos.putBytes8(cookie);
 265     }
 266 
 267     @Override
 268     void print(PrintStream out) throws IOException {
 269         out.println("*** HelloVerifyRequest");
 270         if (debug != null && Debug.isOn("verbose")) {
 271             out.println("server_version: " + protocolVersion);
 272             Debug.println(out, "cookie", cookie);
 273         }
 274     }
 275 }
 276 
 277 /*
 278  * ClientHello ... CLIENT --> SERVER
 279  *
 280  * Client initiates handshake by telling server what it wants, and what it
 281  * can support (prioritized by what's first in the ciphe suite list).
 282  *
 283  * By RFC2246:7.4.1.2 it's explicitly anticipated that this message
 284  * will have more data added at the end ... e.g. what CAs the client trusts.
 285  * Until we know how to parse it, we will just read what we know
 286  * about, and let our caller handle the jumps over unknown data.
 287  */
 288 static final class ClientHello extends HandshakeMessage {
 289 
 290     ProtocolVersion             protocolVersion;
 291     RandomCookie                clnt_random;
 292     SessionId                   sessionId;
 293     byte[]                      cookie;                     // DTLS only
 294     private CipherSuiteList     cipherSuites;
 295     private final boolean       isDTLS;
 296     byte[]                      compression_methods;
 297 
 298     HelloExtensions extensions = new HelloExtensions();
 299 
 300     private static final byte[]  NULL_COMPRESSION = new byte[] {0};
 301 
 302     ClientHello(SecureRandom generator, ProtocolVersion protocolVersion,
 303             SessionId sessionId, CipherSuiteList cipherSuites,
 304             boolean isDTLS) {
 305 
 306         this.isDTLS = isDTLS;
 307         this.protocolVersion = protocolVersion;
 308         this.sessionId = sessionId;
 309         this.cipherSuites = cipherSuites;
 310         if (isDTLS) {
 311             this.cookie = new byte[0];
 312         } else {
 313             this.cookie = null;
 314         }
 315 
 316         if (cipherSuites.containsEC()) {
 317             extensions.add(SupportedEllipticCurvesExtension.DEFAULT);
 318             extensions.add(SupportedEllipticPointFormatsExtension.DEFAULT);
 319         }
 320 
 321         clnt_random = new RandomCookie(generator);
 322         compression_methods = NULL_COMPRESSION;
 323     }
 324 
 325     ClientHello(HandshakeInStream s,
 326             int messageLength, boolean isDTLS) throws IOException {
 327 
 328         this.isDTLS = isDTLS;
 329 
 330         protocolVersion = ProtocolVersion.valueOf(s.getInt8(), s.getInt8());
 331         clnt_random = new RandomCookie(s);
 332         sessionId = new SessionId(s.getBytes8());
 333         sessionId.checkLength(protocolVersion);
 334         if (isDTLS) {
 335             cookie = s.getBytes8();
 336         } else {
 337             cookie = null;
 338         }
 339 
 340         cipherSuites = new CipherSuiteList(s);
 341         compression_methods = s.getBytes8();
 342         if (messageLength() != messageLength) {
 343             extensions = new HelloExtensions(s);
 344         }
 345     }
 346 
 347     CipherSuiteList getCipherSuites() {
 348         return cipherSuites;
 349     }
 350 
 351     // add renegotiation_info extension
 352     void addRenegotiationInfoExtension(byte[] clientVerifyData) {
 353         HelloExtension renegotiationInfo = new RenegotiationInfoExtension(
 354                     clientVerifyData, new byte[0]);
 355         extensions.add(renegotiationInfo);
 356     }
 357 
 358     // add server_name extension
 359     void addSNIExtension(List<SNIServerName> serverNames) {
 360         try {
 361             extensions.add(new ServerNameExtension(serverNames));
 362         } catch (IOException ioe) {
 363             // ignore the exception and return
 364         }
 365     }
 366 
 367     // add signature_algorithm extension
 368     void addSignatureAlgorithmsExtension(
 369             Collection<SignatureAndHashAlgorithm> algorithms) {
 370         HelloExtension signatureAlgorithm =
 371                 new SignatureAlgorithmsExtension(algorithms);
 372         extensions.add(signatureAlgorithm);
 373     }
 374 
 375     void addMFLExtension(int maximumPacketSize) {
 376         HelloExtension maxFragmentLength =
 377                 new MaxFragmentLengthExtension(maximumPacketSize);
 378         extensions.add(maxFragmentLength);
 379     }
 380 
 381     void updateHelloCookie(MessageDigest cookieDigest) {
 382         //
 383         // Just use HandshakeOutStream to compute the hello verify cookie.
 384         // Not actually used to output handshake message records.
 385         //
 386         HandshakeOutStream hos = new HandshakeOutStream(null);
 387 
 388         try {
 389             send(hos, false);    // Do not count hello verify cookie.
 390         } catch (IOException ioe) {
 391             // unlikely to happen
 392         }
 393 
 394         cookieDigest.update(hos.toByteArray());
 395     }
 396 
 397     // Add status_request extension type
 398     void addCertStatusRequestExtension() {
 399         extensions.add(new CertStatusReqExtension(StatusRequestType.OCSP,
 400                 new OCSPStatusRequest()));
 401     }
 402 
 403     // Add status_request_v2 extension type
 404     void addCertStatusReqListV2Extension() {
 405         // Create a default OCSPStatusRequest that we can use for both
 406         // OCSP_MULTI and OCSP request list items.
 407         OCSPStatusRequest osr = new OCSPStatusRequest();
 408         List<CertStatusReqItemV2> itemList = new ArrayList<>(2);
 409         itemList.add(new CertStatusReqItemV2(StatusRequestType.OCSP_MULTI,
 410                 osr));
 411         itemList.add(new CertStatusReqItemV2(StatusRequestType.OCSP, osr));
 412         extensions.add(new CertStatusReqListV2Extension(itemList));
 413     }
 414 
 415     // add application_layer_protocol_negotiation extension
 416     void addALPNExtension(String[] applicationProtocols) throws SSLException {
 417         extensions.add(new ALPNExtension(applicationProtocols));
 418     }
 419 
 420     @Override
 421     int messageType() { return ht_client_hello; }
 422 
 423     @Override
 424     int messageLength() {
 425         /*
 426          * Add fixed size parts of each field...
 427          * version + random + session + cipher + compress
 428          */
 429         return (2 + 32 + 1 + 2 + 1
 430             + sessionId.length()                /* ... + variable parts */
 431             + (isDTLS ? (1 + cookie.length) : 0)
 432             + (cipherSuites.size() * 2)
 433             + compression_methods.length)
 434             + extensions.length();
 435     }
 436 
 437     @Override
 438     void send(HandshakeOutStream s) throws IOException {
 439         send(s, true);  // Count hello verify cookie.
 440     }
 441 
 442     @Override
 443     void print(PrintStream s) throws IOException {
 444         s.println("*** ClientHello, " + protocolVersion);
 445 
 446         if (debug != null && Debug.isOn("verbose")) {
 447             s.print("RandomCookie:  ");
 448             clnt_random.print(s);
 449 
 450             s.print("Session ID:  ");
 451             s.println(sessionId);
 452 
 453             if (isDTLS) {
 454                 Debug.println(s, "cookie", cookie);
 455             }
 456 
 457             s.println("Cipher Suites: " + cipherSuites);
 458 
 459             Debug.println(s, "Compression Methods", compression_methods);
 460             extensions.print(s);
 461             s.println("***");
 462         }
 463     }
 464 
 465     private void send(HandshakeOutStream s,
 466             boolean computeCookie) throws IOException {
 467         s.putInt8(protocolVersion.major);
 468         s.putInt8(protocolVersion.minor);
 469         clnt_random.send(s);
 470         s.putBytes8(sessionId.getId());
 471         if (isDTLS && computeCookie) {
 472             s.putBytes8(cookie);
 473         }
 474         cipherSuites.send(s);
 475         s.putBytes8(compression_methods);
 476         extensions.send(s);
 477     }
 478 
 479 }
 480 
 481 /*
 482  * ServerHello ... SERVER --> CLIENT
 483  *
 484  * Server chooses protocol options from among those it supports and the
 485  * client supports.  Then it sends the basic session descriptive parameters
 486  * back to the client.
 487  */
 488 static final
 489 class ServerHello extends HandshakeMessage
 490 {
 491     @Override
 492     int messageType() { return ht_server_hello; }
 493 
 494     ProtocolVersion     protocolVersion;
 495     RandomCookie        svr_random;
 496     SessionId           sessionId;
 497     CipherSuite         cipherSuite;
 498     byte                compression_method;
 499     HelloExtensions extensions = new HelloExtensions();
 500 
 501     ServerHello() {
 502         // empty
 503     }
 504 
 505     ServerHello(HandshakeInStream input, int messageLength)
 506             throws IOException {
 507         protocolVersion = ProtocolVersion.valueOf(input.getInt8(),
 508                                                   input.getInt8());
 509         svr_random = new RandomCookie(input);
 510         sessionId = new SessionId(input.getBytes8());
 511         sessionId.checkLength(protocolVersion);
 512         cipherSuite = CipherSuite.valueOf(input.getInt8(), input.getInt8());
 513         compression_method = (byte)input.getInt8();
 514         if (messageLength() != messageLength) {
 515             extensions = new HelloExtensions(input);
 516         }
 517     }
 518 
 519     @Override
 520     int messageLength()
 521     {
 522         // almost fixed size, except session ID and extensions:
 523         //      major + minor = 2
 524         //      random = 32
 525         //      session ID len field = 1
 526         //      cipher suite + compression = 3
 527         //      extensions: if present, 2 + length of extensions
 528         return 38 + sessionId.length() + extensions.length();
 529     }
 530 
 531     @Override
 532     void send(HandshakeOutStream s) throws IOException
 533     {
 534         s.putInt8(protocolVersion.major);
 535         s.putInt8(protocolVersion.minor);
 536         svr_random.send(s);
 537         s.putBytes8(sessionId.getId());
 538         s.putInt8(cipherSuite.id >> 8);
 539         s.putInt8(cipherSuite.id & 0xff);
 540         s.putInt8(compression_method);
 541         extensions.send(s);
 542     }
 543 
 544     @Override
 545     void print(PrintStream s) throws IOException
 546     {
 547         s.println("*** ServerHello, " + protocolVersion);
 548 
 549         if (debug != null && Debug.isOn("verbose")) {
 550             s.print("RandomCookie:  ");
 551             svr_random.print(s);
 552 
 553             s.print("Session ID:  ");
 554             s.println(sessionId);
 555 
 556             s.println("Cipher Suite: " + cipherSuite);
 557             s.println("Compression Method: " + compression_method);
 558             extensions.print(s);
 559             s.println("***");
 560         }
 561     }
 562 }
 563 
 564 
 565 /*
 566  * CertificateMsg ... send by both CLIENT and SERVER
 567  *
 568  * Each end of a connection may need to pass its certificate chain to
 569  * the other end.  Such chains are intended to validate an identity with
 570  * reference to some certifying authority.  Examples include companies
 571  * like Verisign, or financial institutions.  There's some control over
 572  * the certifying authorities which are sent.
 573  *
 574  * NOTE: that these messages might be huge, taking many handshake records.
 575  * Up to 2^48 bytes of certificate may be sent, in records of at most 2^14
 576  * bytes each ... up to 2^32 records sent on the output stream.
 577  */
 578 static final
 579 class CertificateMsg extends HandshakeMessage
 580 {
 581     @Override
 582     int messageType() { return ht_certificate; }
 583 
 584     private X509Certificate[] chain;
 585 
 586     private List<byte[]> encodedChain;
 587 
 588     private int messageLength;
 589 
 590     CertificateMsg(X509Certificate[] certs) {
 591         chain = certs;
 592     }
 593 
 594     CertificateMsg(HandshakeInStream input) throws IOException {
 595         int chainLen = input.getInt24();
 596         List<Certificate> v = new ArrayList<>(4);
 597 
 598         CertificateFactory cf = null;
 599         while (chainLen > 0) {
 600             byte[] cert = input.getBytes24();
 601             chainLen -= (3 + cert.length);
 602             try {
 603                 if (cf == null) {
 604                     cf = CertificateFactory.getInstance("X.509");
 605                 }
 606                 v.add(cf.generateCertificate(new ByteArrayInputStream(cert)));
 607             } catch (CertificateException e) {
 608                 throw (SSLProtocolException)new SSLProtocolException(
 609                     e.getMessage()).initCause(e);
 610             }
 611         }
 612 
 613         chain = v.toArray(new X509Certificate[v.size()]);
 614     }
 615 
 616     @Override
 617     int messageLength() {
 618         if (encodedChain == null) {
 619             messageLength = 3;
 620             encodedChain = new ArrayList<byte[]>(chain.length);
 621             try {
 622                 for (X509Certificate cert : chain) {
 623                     byte[] b = cert.getEncoded();
 624                     encodedChain.add(b);
 625                     messageLength += b.length + 3;
 626                 }
 627             } catch (CertificateEncodingException e) {
 628                 encodedChain = null;
 629                 throw new RuntimeException("Could not encode certificates", e);
 630             }
 631         }
 632         return messageLength;
 633     }
 634 
 635     @Override
 636     void send(HandshakeOutStream s) throws IOException {
 637         s.putInt24(messageLength() - 3);
 638         for (byte[] b : encodedChain) {
 639             s.putBytes24(b);
 640         }
 641     }
 642 
 643     @Override
 644     void print(PrintStream s) throws IOException {
 645         s.println("*** Certificate chain");
 646 
 647         if (chain.length == 0) {
 648             s.println("<Empty>");
 649         } else if (debug != null && Debug.isOn("verbose")) {
 650             for (int i = 0; i < chain.length; i++) {
 651                 s.println("chain [" + i + "] = " + chain[i]);
 652             }
 653         }
 654         s.println("***");
 655     }
 656 
 657     X509Certificate[] getCertificateChain() {
 658         return chain.clone();
 659     }
 660 }
 661 
 662 /*
 663  * CertificateStatus ... SERVER --> CLIENT
 664  *
 665  * When a ClientHello asserting the status_request or status_request_v2
 666  * extensions is accepted by the server, it will fetch and return one
 667  * or more status responses in this handshake message.
 668  *
 669  * NOTE: Like the Certificate handshake message, this can potentially
 670  * be a very large message both due to the size of multiple status
 671  * responses and the certificate chains that are often attached to them.
 672  * Up to 2^24 bytes of status responses may be sent, possibly fragmented
 673  * over multiple TLS records.
 674  */
 675 static final class CertificateStatus extends HandshakeMessage
 676 {
 677     private final StatusRequestType statusType;
 678     private int encodedResponsesLen;
 679     private int messageLength = -1;
 680     private List<byte[]> encodedResponses;
 681 
 682     @Override
 683     int messageType() { return ht_certificate_status; }
 684 
 685     /**
 686      * Create a CertificateStatus message from the certificates and their
 687      * respective OCSP responses
 688      *
 689      * @param type an indication of the type of response (OCSP or OCSP_MULTI)
 690      * @param responses a {@code List} of OCSP responses in DER-encoded form.
 691      *      For the OCSP type, only the first entry in the response list is
 692      *      used, and must correspond to the end-entity certificate sent to the
 693      *      peer.  Zero-length or null values for the response data are not
 694      *      allowed for the OCSP type.  For the OCSP_MULTI type, each entry in
 695      *      the list should match its corresponding certificate sent in the
 696      *      Server Certificate message.  Where an OCSP response does not exist,
 697      *      either a zero-length array or a null value should be used.
 698      *
 699      * @throws SSLException if an unsupported StatusRequestType or invalid
 700      *      OCSP response data is provided.
 701      */
 702     CertificateStatus(StatusRequestType type, X509Certificate[] chain,
 703             Map<X509Certificate, byte[]> responses) {
 704         statusType = type;
 705         encodedResponsesLen = 0;
 706         encodedResponses = new ArrayList<>(chain.length);
 707 
 708         Objects.requireNonNull(chain, "Null chain not allowed");
 709         Objects.requireNonNull(responses, "Null responses not allowed");
 710 
 711         if (statusType == StatusRequestType.OCSP) {
 712             // Just get the response for the end-entity certificate
 713             byte[] respDER = responses.get(chain[0]);
 714             if (respDER != null && respDER.length > 0) {
 715                 encodedResponses.add(respDER);
 716                 encodedResponsesLen = 3 + respDER.length;
 717             } else {
 718                 throw new IllegalArgumentException("Zero-length or null " +
 719                         "OCSP Response");
 720             }
 721         } else if (statusType == StatusRequestType.OCSP_MULTI) {
 722             for (X509Certificate cert : chain) {
 723                 byte[] respDER = responses.get(cert);
 724                 if (respDER != null) {
 725                     encodedResponses.add(respDER);
 726                     encodedResponsesLen += (respDER.length + 3);
 727                 } else {
 728                     // If we cannot find a response for a given certificate
 729                     // then use a zero-length placeholder.
 730                     encodedResponses.add(new byte[0]);
 731                     encodedResponsesLen += 3;
 732                 }
 733             }
 734         } else {
 735             throw new IllegalArgumentException(
 736                     "Unsupported StatusResponseType: " + statusType);
 737         }
 738     }
 739 
 740     /**
 741      * Decode the CertificateStatus handshake message coming from a
 742      * {@code HandshakeInputStream}.
 743      *
 744      * @param input the {@code HandshakeInputStream} containing the
 745      * CertificateStatus message bytes.
 746      *
 747      * @throws SSLHandshakeException if a zero-length response is found in the
 748      * OCSP response type, or an unsupported response type is detected.
 749      * @throws IOException if a decoding error occurs.
 750      */
 751     CertificateStatus(HandshakeInStream input) throws IOException {
 752         encodedResponsesLen = 0;
 753         encodedResponses = new ArrayList<>();
 754 
 755         statusType = StatusRequestType.get(input.getInt8());
 756         if (statusType == StatusRequestType.OCSP) {
 757             byte[] respDER = input.getBytes24();
 758             // Convert the incoming bytes to a OCSPResponse strucutre
 759             if (respDER.length > 0) {
 760                 encodedResponses.add(respDER);
 761                 encodedResponsesLen = 3 + respDER.length;
 762             } else {
 763                 throw new SSLHandshakeException("Zero-length OCSP Response");
 764             }
 765         } else if (statusType == StatusRequestType.OCSP_MULTI) {
 766             int respListLen = input.getInt24();
 767             encodedResponsesLen = respListLen;
 768 
 769             // Add each OCSP reponse into the array list in the order
 770             // we receive them off the wire.  A zero-length array is
 771             // allowed for ocsp_multi, and means that a response for
 772             // a given certificate is not available.
 773             while (respListLen > 0) {
 774                 byte[] respDER = input.getBytes24();
 775                 encodedResponses.add(respDER);
 776                 respListLen -= (respDER.length + 3);
 777             }
 778 
 779             if (respListLen != 0) {
 780                 throw new SSLHandshakeException(
 781                         "Bad OCSP response list length");
 782             }
 783         } else {
 784             throw new SSLHandshakeException("Unsupported StatusResponseType: " +
 785                     statusType);
 786         }
 787     }
 788 
 789     /**
 790      * Get the length of the CertificateStatus message.
 791      *
 792      * @return the length of the message in bytes.
 793      */
 794     @Override
 795     int messageLength() {
 796         int len = 1;            // Length + Status type
 797 
 798         if (messageLength == -1) {
 799             if (statusType == StatusRequestType.OCSP) {
 800                 len += encodedResponsesLen;
 801             } else if (statusType == StatusRequestType.OCSP_MULTI) {
 802                 len += 3 + encodedResponsesLen;
 803             }
 804             messageLength = len;
 805         }
 806 
 807         return messageLength;
 808     }
 809 
 810     /**
 811      * Encode the CertificateStatus handshake message and place it on a
 812      * {@code HandshakeOutputStream}.
 813      *
 814      * @param s the HandshakeOutputStream that will the message bytes.
 815      *
 816      * @throws IOException if an encoding error occurs.
 817      */
 818     @Override
 819     void send(HandshakeOutStream s) throws IOException {
 820         s.putInt8(statusType.id);
 821         if (statusType == StatusRequestType.OCSP) {
 822             s.putBytes24(encodedResponses.get(0));
 823         } else if (statusType == StatusRequestType.OCSP_MULTI) {
 824             s.putInt24(encodedResponsesLen);
 825             for (byte[] respBytes : encodedResponses) {
 826                 if (respBytes != null) {
 827                     s.putBytes24(respBytes);
 828                 } else {
 829                     s.putBytes24(null);
 830                 }
 831             }
 832         } else {
 833             // It is highly unlikely that we will fall into this section of
 834             // the code.
 835             throw new SSLHandshakeException("Unsupported status_type: " +
 836                     statusType.id);
 837         }
 838     }
 839 
 840     /**
 841      * Display a human-readable representation of the CertificateStatus message.
 842      *
 843      * @param s the PrintStream used to display the message data.
 844      *
 845      * @throws IOException if any errors occur while parsing the OCSP response
 846      * bytes into a readable form.
 847      */
 848     @Override
 849     void print(PrintStream s) throws IOException {
 850         s.println("*** CertificateStatus");
 851         if (debug != null && Debug.isOn("verbose")) {
 852             s.println("Type: " + statusType);
 853             if (statusType == StatusRequestType.OCSP) {
 854                 OCSPResponse oResp = new OCSPResponse(encodedResponses.get(0));
 855                 s.println(oResp);
 856             } else if (statusType == StatusRequestType.OCSP_MULTI) {
 857                 int numResponses = encodedResponses.size();
 858                 s.println(numResponses +
 859                         (numResponses == 1 ? " entry:" : " entries:"));
 860                 for (byte[] respDER : encodedResponses) {
 861                     if (respDER.length > 0) {
 862                         OCSPResponse oResp = new OCSPResponse(respDER);
 863                         s.println(oResp);
 864                     } else {
 865                         s.println("<Zero-length entry>");
 866                     }
 867                 }
 868             }
 869         }
 870     }
 871 
 872     /**
 873      * Get the type of CertificateStatus message
 874      *
 875      * @return the {@code StatusRequestType} for this CertificateStatus
 876      *      message.
 877      */
 878     StatusRequestType getType() {
 879         return statusType;
 880     }
 881 
 882     /**
 883      * Get the list of non-zero length OCSP responses.
 884      * The responses returned in this list can be used to map to
 885      * {@code X509Certificate} objects provided by the peer and
 886      * provided to a {@code PKIXRevocationChecker}.
 887      *
 888      * @return an unmodifiable List of zero or more byte arrays, each one
 889      *      consisting of a single status response.
 890      */
 891     List<byte[]> getResponses() {
 892         return Collections.unmodifiableList(encodedResponses);
 893     }
 894 }
 895 
 896 /*
 897  * ServerKeyExchange ... SERVER --> CLIENT
 898  *
 899  * The cipher suite selected, when combined with the certificate exchanged,
 900  * implies one of several different kinds of key exchange.  Most current
 901  * cipher suites require the server to send more than its certificate.
 902  *
 903  * The primary exceptions are when a server sends an encryption-capable
 904  * RSA public key in its cert, to be used with RSA (or RSA_export) key
 905  * exchange; and when a server sends its Diffie-Hellman cert.  Those kinds
 906  * of key exchange do not require a ServerKeyExchange message.
 907  *
 908  * Key exchange can be viewed as having three modes, which are explicit
 909  * for the Diffie-Hellman flavors and poorly specified for RSA ones:
 910  *
 911  *      - "Ephemeral" keys.  Here, a "temporary" key is allocated by the
 912  *        server, and signed.  Diffie-Hellman keys signed using RSA or
 913  *        DSS are ephemeral (DHE flavor).  RSA keys get used to do the same
 914  *        thing, to cut the key size down to 512 bits (export restrictions)
 915  *        or for signing-only RSA certificates.
 916  *
 917  *      - Anonymity.  Here no server certificate is sent, only the public
 918  *        key of the server.  This case is subject to man-in-the-middle
 919  *        attacks.  This can be done with Diffie-Hellman keys (DH_anon) or
 920  *        with RSA keys, but is only used in SSLv3 for DH_anon.
 921  *
 922  *      - "Normal" case.  Here a server certificate is sent, and the public
 923  *        key there is used directly in exchanging the premaster secret.
 924  *        For example, Diffie-Hellman "DH" flavor, and any RSA flavor with
 925  *        only 512 bit keys.
 926  *
 927  * If a server certificate is sent, there is no anonymity.  However,
 928  * when a certificate is sent, ephemeral keys may still be used to
 929  * exchange the premaster secret.  That's how RSA_EXPORT often works,
 930  * as well as how the DHE_* flavors work.
 931  */
 932 abstract static class ServerKeyExchange extends HandshakeMessage
 933 {
 934     @Override
 935     int messageType() { return ht_server_key_exchange; }
 936 }
 937 
 938 
 939 /*
 940  * Using RSA for Key Exchange:  exchange a session key that's not as big
 941  * as the signing-only key.  Used for export applications, since exported
 942  * RSA encryption keys can't be bigger than 512 bytes.
 943  *
 944  * This is never used when keys are 512 bits or smaller, and isn't used
 945  * on "US Domestic" ciphers in any case.
 946  */
 947 static final
 948 class RSA_ServerKeyExchange extends ServerKeyExchange
 949 {
 950     private byte[] rsa_modulus;     // 1 to 2^16 - 1 bytes
 951     private byte[] rsa_exponent;    // 1 to 2^16 - 1 bytes
 952 
 953     private Signature signature;
 954     private byte[] signatureBytes;
 955 
 956     /*
 957      * Hash the nonces and the ephemeral RSA public key.
 958      */
 959     private void updateSignature(byte[] clntNonce, byte[] svrNonce)
 960             throws SignatureException {
 961         int tmp;
 962 
 963         signature.update(clntNonce);
 964         signature.update(svrNonce);
 965 
 966         tmp = rsa_modulus.length;
 967         signature.update((byte)(tmp >> 8));
 968         signature.update((byte)(tmp & 0x0ff));
 969         signature.update(rsa_modulus);
 970 
 971         tmp = rsa_exponent.length;
 972         signature.update((byte)(tmp >> 8));
 973         signature.update((byte)(tmp & 0x0ff));
 974         signature.update(rsa_exponent);
 975     }
 976 
 977 
 978     /*
 979      * Construct an RSA server key exchange message, using data
 980      * known _only_ to the server.
 981      *
 982      * The client knows the public key corresponding to this private
 983      * key, from the Certificate message sent previously.  To comply
 984      * with US export regulations we use short RSA keys ... either
 985      * long term ones in the server's X509 cert, or else ephemeral
 986      * ones sent using this message.
 987      */
 988     RSA_ServerKeyExchange(PublicKey ephemeralKey, PrivateKey privateKey,
 989             RandomCookie clntNonce, RandomCookie svrNonce, SecureRandom sr)
 990             throws GeneralSecurityException {
 991         RSAPublicKeySpec rsaKey = JsseJce.getRSAPublicKeySpec(ephemeralKey);
 992         rsa_modulus = toByteArray(rsaKey.getModulus());
 993         rsa_exponent = toByteArray(rsaKey.getPublicExponent());
 994         signature = RSASignature.getInstance();
 995         signature.initSign(privateKey, sr);
 996         updateSignature(clntNonce.random_bytes, svrNonce.random_bytes);
 997         signatureBytes = signature.sign();
 998     }
 999 
1000 
1001     /*
1002      * Parse an RSA server key exchange message, using data known
1003      * to the client (and, in some situations, eavesdroppers).
1004      */
1005     RSA_ServerKeyExchange(HandshakeInStream input)
1006             throws IOException, NoSuchAlgorithmException {
1007         signature = RSASignature.getInstance();
1008         rsa_modulus = input.getBytes16();
1009         rsa_exponent = input.getBytes16();
1010         signatureBytes = input.getBytes16();
1011     }
1012 
1013     /*
1014      * Get the ephemeral RSA public key that will be used in this
1015      * SSL connection.
1016      */
1017     PublicKey getPublicKey() {
1018         try {
1019             KeyFactory kfac = JsseJce.getKeyFactory("RSA");
1020             // modulus and exponent are always positive
1021             RSAPublicKeySpec kspec = new RSAPublicKeySpec(
1022                 new BigInteger(1, rsa_modulus),
1023                 new BigInteger(1, rsa_exponent));
1024             return kfac.generatePublic(kspec);
1025         } catch (Exception e) {
1026             throw new RuntimeException(e);
1027         }
1028     }
1029 
1030     /*
1031      * Verify the signed temporary key using the hashes computed
1032      * from it and the two nonces.  This is called by clients
1033      * with "exportable" RSA flavors.
1034      */
1035     boolean verify(PublicKey certifiedKey, RandomCookie clntNonce,
1036             RandomCookie svrNonce) throws GeneralSecurityException {
1037         signature.initVerify(certifiedKey);
1038         updateSignature(clntNonce.random_bytes, svrNonce.random_bytes);
1039         return signature.verify(signatureBytes);
1040     }
1041 
1042     @Override
1043     int messageLength() {
1044         return 6 + rsa_modulus.length + rsa_exponent.length
1045                + signatureBytes.length;
1046     }
1047 
1048     @Override
1049     void send(HandshakeOutStream s) throws IOException {
1050         s.putBytes16(rsa_modulus);
1051         s.putBytes16(rsa_exponent);
1052         s.putBytes16(signatureBytes);
1053     }
1054 
1055     @Override
1056     void print(PrintStream s) throws IOException {
1057         s.println("*** RSA ServerKeyExchange");
1058 
1059         if (debug != null && Debug.isOn("verbose")) {
1060             Debug.println(s, "RSA Modulus", rsa_modulus);
1061             Debug.println(s, "RSA Public Exponent", rsa_exponent);
1062         }
1063     }
1064 }
1065 
1066 
1067 /*
1068  * Using Diffie-Hellman algorithm for key exchange.  All we really need to
1069  * do is securely get Diffie-Hellman keys (using the same P, G parameters)
1070  * to our peer, then we automatically have a shared secret without need
1071  * to exchange any more data.  (D-H only solutions, such as SKIP, could
1072  * eliminate key exchange negotiations and get faster connection setup.
1073  * But they still need a signature algorithm like DSS/DSA to support the
1074  * trusted distribution of keys without relying on unscalable physical
1075  * key distribution systems.)
1076  *
1077  * This class supports several DH-based key exchange algorithms, though
1078  * perhaps eventually each deserves its own class.  Notably, this has
1079  * basic support for DH_anon and its DHE_DSS and DHE_RSA signed variants.
1080  */
1081 static final
1082 class DH_ServerKeyExchange extends ServerKeyExchange
1083 {
1084     // Fix message encoding, see 4348279
1085     private static final boolean dhKeyExchangeFix =
1086         Debug.getBooleanProperty("com.sun.net.ssl.dhKeyExchangeFix", true);
1087 
1088     private byte[]                dh_p;        // 1 to 2^16 - 1 bytes
1089     private byte[]                dh_g;        // 1 to 2^16 - 1 bytes
1090     private byte[]                dh_Ys;       // 1 to 2^16 - 1 bytes
1091 
1092     private byte[]                signature;
1093 
1094     // protocol version being established using this ServerKeyExchange message
1095     ProtocolVersion protocolVersion;
1096 
1097     // the preferable signature algorithm used by this ServerKeyExchange message
1098     private SignatureAndHashAlgorithm preferableSignatureAlgorithm;
1099 
1100     /*
1101      * Construct from initialized DH key object, for DH_anon
1102      * key exchange.
1103      */
1104     DH_ServerKeyExchange(DHCrypt obj, ProtocolVersion protocolVersion) {
1105         this.protocolVersion = protocolVersion;
1106         this.preferableSignatureAlgorithm = null;
1107 
1108         // The DH key has been validated in the constructor of DHCrypt.
1109         setValues(obj);
1110         signature = null;
1111     }
1112 
1113     /*
1114      * Construct from initialized DH key object and the key associated
1115      * with the cert chain which was sent ... for DHE_DSS and DHE_RSA
1116      * key exchange.  (Constructor called by server.)
1117      */
1118     DH_ServerKeyExchange(DHCrypt obj, PrivateKey key, byte[] clntNonce,
1119             byte[] svrNonce, SecureRandom sr,
1120             SignatureAndHashAlgorithm signAlgorithm,
1121             ProtocolVersion protocolVersion) throws GeneralSecurityException {
1122 
1123         this.protocolVersion = protocolVersion;
1124 
1125         // The DH key has been validated in the constructor of DHCrypt.
1126         setValues(obj);
1127 
1128         Signature sig;
1129         if (protocolVersion.useTLS12PlusSpec()) {
1130             this.preferableSignatureAlgorithm = signAlgorithm;
1131             sig = JsseJce.getSignature(signAlgorithm.getAlgorithmName());
1132         } else {
1133             this.preferableSignatureAlgorithm = null;
1134             if (key.getAlgorithm().equals("DSA")) {
1135                 sig = JsseJce.getSignature(JsseJce.SIGNATURE_DSA);
1136             } else {
1137                 sig = RSASignature.getInstance();
1138             }
1139         }
1140 
1141         sig.initSign(key, sr);
1142         updateSignature(sig, clntNonce, svrNonce);
1143         signature = sig.sign();
1144     }
1145 
1146     /*
1147      * Construct a DH_ServerKeyExchange message from an input
1148      * stream, as if sent from server to client for use with
1149      * DH_anon key exchange
1150      */
1151     DH_ServerKeyExchange(HandshakeInStream input,
1152             ProtocolVersion protocolVersion)
1153             throws IOException, GeneralSecurityException {
1154 
1155         this.protocolVersion = protocolVersion;
1156         this.preferableSignatureAlgorithm = null;
1157 
1158         dh_p = input.getBytes16();
1159         dh_g = input.getBytes16();
1160         dh_Ys = input.getBytes16();
1161         KeyUtil.validate(new DHPublicKeySpec(new BigInteger(1, dh_Ys),
1162                                              new BigInteger(1, dh_p),
1163                                              new BigInteger(1, dh_g)));
1164 
1165         signature = null;
1166     }
1167 
1168     /*
1169      * Construct a DH_ServerKeyExchange message from an input stream
1170      * and a certificate, as if sent from server to client for use with
1171      * DHE_DSS or DHE_RSA key exchange.  (Called by client.)
1172      */
1173     DH_ServerKeyExchange(HandshakeInStream input, PublicKey publicKey,
1174             byte[] clntNonce, byte[] svrNonce, int messageSize,
1175             Collection<SignatureAndHashAlgorithm> localSupportedSignAlgs,
1176             ProtocolVersion protocolVersion)
1177             throws IOException, GeneralSecurityException {
1178 
1179         this.protocolVersion = protocolVersion;
1180 
1181         // read params: ServerDHParams
1182         dh_p = input.getBytes16();
1183         dh_g = input.getBytes16();
1184         dh_Ys = input.getBytes16();
1185         KeyUtil.validate(new DHPublicKeySpec(new BigInteger(1, dh_Ys),
1186                                              new BigInteger(1, dh_p),
1187                                              new BigInteger(1, dh_g)));
1188 
1189         // read the signature and hash algorithm
1190         if (protocolVersion.useTLS12PlusSpec()) {
1191             int hash = input.getInt8();         // hash algorithm
1192             int signature = input.getInt8();    // signature algorithm
1193 
1194             preferableSignatureAlgorithm =
1195                 SignatureAndHashAlgorithm.valueOf(hash, signature, 0);
1196 
1197             // Is it a local supported signature algorithm?
1198             if (!localSupportedSignAlgs.contains(
1199                     preferableSignatureAlgorithm)) {
1200                 throw new SSLHandshakeException(
1201                         "Unsupported SignatureAndHashAlgorithm in " +
1202                         "ServerKeyExchange message: " + preferableSignatureAlgorithm);
1203             }
1204         } else {
1205             this.preferableSignatureAlgorithm = null;
1206         }
1207 
1208         // read the signature
1209         byte[] signature;
1210         if (dhKeyExchangeFix) {
1211             signature = input.getBytes16();
1212         } else {
1213             messageSize -= (dh_p.length + 2);
1214             messageSize -= (dh_g.length + 2);
1215             messageSize -= (dh_Ys.length + 2);
1216 
1217             signature = new byte[messageSize];
1218             input.read(signature);
1219         }
1220 
1221         Signature sig;
1222         String algorithm = publicKey.getAlgorithm();
1223         if (protocolVersion.useTLS12PlusSpec()) {
1224             sig = JsseJce.getSignature(
1225                         preferableSignatureAlgorithm.getAlgorithmName());
1226         } else {
1227                 switch (algorithm) {
1228                     case "DSA":
1229                         sig = JsseJce.getSignature(JsseJce.SIGNATURE_DSA);
1230                         break;
1231                     case "RSA":
1232                         sig = RSASignature.getInstance();
1233                         break;
1234                     default:
1235                         throw new SSLKeyException("neither an RSA or a DSA key: " + algorithm);
1236                 }
1237         }
1238 
1239         sig.initVerify(publicKey);
1240         updateSignature(sig, clntNonce, svrNonce);
1241 
1242         if (sig.verify(signature) == false ) {
1243             throw new SSLKeyException("Server D-H key verification failed");
1244         }
1245     }
1246 
1247     /* Return the Diffie-Hellman modulus */
1248     BigInteger getModulus() {
1249         return new BigInteger(1, dh_p);
1250     }
1251 
1252     /* Return the Diffie-Hellman base/generator */
1253     BigInteger getBase() {
1254         return new BigInteger(1, dh_g);
1255     }
1256 
1257     /* Return the server's Diffie-Hellman public key */
1258     BigInteger getServerPublicKey() {
1259         return new BigInteger(1, dh_Ys);
1260     }
1261 
1262     /*
1263      * Update sig with nonces and Diffie-Hellman public key.
1264      */
1265     private void updateSignature(Signature sig, byte[] clntNonce,
1266             byte[] svrNonce) throws SignatureException {
1267         int tmp;
1268 
1269         sig.update(clntNonce);
1270         sig.update(svrNonce);
1271 
1272         tmp = dh_p.length;
1273         sig.update((byte)(tmp >> 8));
1274         sig.update((byte)(tmp & 0x0ff));
1275         sig.update(dh_p);
1276 
1277         tmp = dh_g.length;
1278         sig.update((byte)(tmp >> 8));
1279         sig.update((byte)(tmp & 0x0ff));
1280         sig.update(dh_g);
1281 
1282         tmp = dh_Ys.length;
1283         sig.update((byte)(tmp >> 8));
1284         sig.update((byte)(tmp & 0x0ff));
1285         sig.update(dh_Ys);
1286     }
1287 
1288     private void setValues(DHCrypt obj) {
1289         dh_p = toByteArray(obj.getModulus());
1290         dh_g = toByteArray(obj.getBase());
1291         dh_Ys = toByteArray(obj.getPublicKey());
1292     }
1293 
1294     @Override
1295     int messageLength() {
1296         int temp = 6;   // overhead for p, g, y(s) values.
1297 
1298         temp += dh_p.length;
1299         temp += dh_g.length;
1300         temp += dh_Ys.length;
1301 
1302         if (signature != null) {
1303             if (protocolVersion.useTLS12PlusSpec()) {
1304                 temp += SignatureAndHashAlgorithm.sizeInRecord();
1305             }
1306 
1307             temp += signature.length;
1308             if (dhKeyExchangeFix) {
1309                 temp += 2;
1310             }
1311         }
1312 
1313         return temp;
1314     }
1315 
1316     @Override
1317     void send(HandshakeOutStream s) throws IOException {
1318         s.putBytes16(dh_p);
1319         s.putBytes16(dh_g);
1320         s.putBytes16(dh_Ys);
1321 
1322         if (signature != null) {
1323             if (protocolVersion.useTLS12PlusSpec()) {
1324                 s.putInt8(preferableSignatureAlgorithm.getHashValue());
1325                 s.putInt8(preferableSignatureAlgorithm.getSignatureValue());
1326             }
1327 
1328             if (dhKeyExchangeFix) {
1329                 s.putBytes16(signature);
1330             } else {
1331                 s.write(signature);
1332             }
1333         }
1334     }
1335 
1336     @Override
1337     void print(PrintStream s) throws IOException {
1338         s.println("*** Diffie-Hellman ServerKeyExchange");
1339 
1340         if (debug != null && Debug.isOn("verbose")) {
1341             Debug.println(s, "DH Modulus", dh_p);
1342             Debug.println(s, "DH Base", dh_g);
1343             Debug.println(s, "Server DH Public Key", dh_Ys);
1344 
1345             if (signature == null) {
1346                 s.println("Anonymous");
1347             } else {
1348                 if (protocolVersion.useTLS12PlusSpec()) {
1349                     s.println("Signature Algorithm " +
1350                         preferableSignatureAlgorithm.getAlgorithmName());
1351                 }
1352 
1353                 s.println("Signed with a DSA or RSA public key");
1354             }
1355         }
1356     }
1357 }
1358 
1359 /*
1360  * ECDH server key exchange message. Sent by the server for ECDHE and ECDH_anon
1361  * ciphersuites to communicate its ephemeral public key (including the
1362  * EC domain parameters).
1363  *
1364  * We support named curves only, no explicitly encoded curves.
1365  */
1366 static final
1367 class ECDH_ServerKeyExchange extends ServerKeyExchange {
1368 
1369     // constants for ECCurveType
1370     private static final int CURVE_EXPLICIT_PRIME = 1;
1371     private static final int CURVE_EXPLICIT_CHAR2 = 2;
1372     private static final int CURVE_NAMED_CURVE    = 3;
1373 
1374     // id of the curve we are using
1375     private int curveId;
1376     // encoded public point
1377     private byte[] pointBytes;
1378 
1379     // signature bytes (or null if anonymous)
1380     private byte[] signatureBytes;
1381 
1382     // public key object encapsulated in this message
1383     private ECPublicKey publicKey;
1384 
1385     // protocol version being established using this ServerKeyExchange message
1386     ProtocolVersion protocolVersion;
1387 
1388     // the preferable signature algorithm used by this ServerKeyExchange message
1389     private SignatureAndHashAlgorithm preferableSignatureAlgorithm;
1390 
1391     ECDH_ServerKeyExchange(ECDHCrypt obj, PrivateKey privateKey,
1392             byte[] clntNonce, byte[] svrNonce, SecureRandom sr,
1393             SignatureAndHashAlgorithm signAlgorithm,
1394             ProtocolVersion protocolVersion) throws GeneralSecurityException {
1395 
1396         this.protocolVersion = protocolVersion;
1397 
1398         publicKey = (ECPublicKey)obj.getPublicKey();
1399         ECParameterSpec params = publicKey.getParams();
1400         ECPoint point = publicKey.getW();
1401         pointBytes = JsseJce.encodePoint(point, params.getCurve());
1402         curveId = SupportedEllipticCurvesExtension.getCurveIndex(params);
1403 
1404         if (privateKey == null) {
1405             // ECDH_anon
1406             return;
1407         }
1408 
1409         Signature sig;
1410         if (protocolVersion.useTLS12PlusSpec()) {
1411             this.preferableSignatureAlgorithm = signAlgorithm;
1412             sig = JsseJce.getSignature(signAlgorithm.getAlgorithmName());
1413         } else {
1414             sig = getSignature(privateKey.getAlgorithm());
1415         }
1416         sig.initSign(privateKey);  // where is the SecureRandom?
1417 
1418         updateSignature(sig, clntNonce, svrNonce);
1419         signatureBytes = sig.sign();
1420     }
1421 
1422     /*
1423      * Parse an ECDH server key exchange message.
1424      */
1425     ECDH_ServerKeyExchange(HandshakeInStream input, PublicKey signingKey,
1426             byte[] clntNonce, byte[] svrNonce,
1427             Collection<SignatureAndHashAlgorithm> localSupportedSignAlgs,
1428             ProtocolVersion protocolVersion)
1429             throws IOException, GeneralSecurityException {
1430 
1431         this.protocolVersion = protocolVersion;
1432 
1433         // read params: ServerECDHParams
1434         int curveType = input.getInt8();
1435         ECParameterSpec parameters;
1436         // These parsing errors should never occur as we negotiated
1437         // the supported curves during the exchange of the Hello messages.
1438         if (curveType == CURVE_NAMED_CURVE) {
1439             curveId = input.getInt16();
1440             if (SupportedEllipticCurvesExtension.isSupported(curveId)
1441                     == false) {
1442                 throw new SSLHandshakeException(
1443                     "Unsupported curveId: " + curveId);
1444             }
1445             String curveOid =
1446                 SupportedEllipticCurvesExtension.getCurveOid(curveId);
1447             if (curveOid == null) {
1448                 throw new SSLHandshakeException(
1449                     "Unknown named curve: " + curveId);
1450             }
1451             parameters = JsseJce.getECParameterSpec(curveOid);
1452             if (parameters == null) {
1453                 throw new SSLHandshakeException(
1454                     "Unsupported curve: " + curveOid);
1455             }
1456         } else {
1457             throw new SSLHandshakeException(
1458                 "Unsupported ECCurveType: " + curveType);
1459         }
1460         pointBytes = input.getBytes8();
1461 
1462         ECPoint point = JsseJce.decodePoint(pointBytes, parameters.getCurve());
1463         KeyFactory factory = JsseJce.getKeyFactory("EC");
1464         publicKey = (ECPublicKey)factory.generatePublic(
1465             new ECPublicKeySpec(point, parameters));
1466 
1467         if (signingKey == null) {
1468             // ECDH_anon
1469             return;
1470         }
1471 
1472         // read the signature and hash algorithm
1473         if (protocolVersion.useTLS12PlusSpec()) {
1474             int hash = input.getInt8();         // hash algorithm
1475             int signature = input.getInt8();    // signature algorithm
1476 
1477             preferableSignatureAlgorithm =
1478                 SignatureAndHashAlgorithm.valueOf(hash, signature, 0);
1479 
1480             // Is it a local supported signature algorithm?
1481             if (!localSupportedSignAlgs.contains(
1482                     preferableSignatureAlgorithm)) {
1483                 throw new SSLHandshakeException(
1484                         "Unsupported SignatureAndHashAlgorithm in " +
1485                         "ServerKeyExchange message: " + preferableSignatureAlgorithm);
1486             }
1487         }
1488 
1489         // read the signature
1490         signatureBytes = input.getBytes16();
1491 
1492         // verify the signature
1493         Signature sig;
1494         if (protocolVersion.useTLS12PlusSpec()) {
1495             sig = JsseJce.getSignature(
1496                         preferableSignatureAlgorithm.getAlgorithmName());
1497         } else {
1498             sig = getSignature(signingKey.getAlgorithm());
1499         }
1500         sig.initVerify(signingKey);
1501 
1502         updateSignature(sig, clntNonce, svrNonce);
1503 
1504         if (sig.verify(signatureBytes) == false ) {
1505             throw new SSLKeyException(
1506                 "Invalid signature on ECDH server key exchange message");
1507         }
1508     }
1509 
1510     /*
1511      * Get the ephemeral EC public key encapsulated in this message.
1512      */
1513     ECPublicKey getPublicKey() {
1514         return publicKey;
1515     }
1516 
1517     private static Signature getSignature(String keyAlgorithm)
1518             throws NoSuchAlgorithmException {
1519             switch (keyAlgorithm) {
1520                 case "EC":
1521                     return JsseJce.getSignature(JsseJce.SIGNATURE_ECDSA);
1522                 case "RSA":
1523                     return RSASignature.getInstance();
1524                 default:
1525                     throw new NoSuchAlgorithmException(
1526                         "neither an RSA or a EC key : " + keyAlgorithm);
1527             }
1528     }
1529 
1530     private void updateSignature(Signature sig, byte[] clntNonce,
1531             byte[] svrNonce) throws SignatureException {
1532         sig.update(clntNonce);
1533         sig.update(svrNonce);
1534 
1535         sig.update((byte)CURVE_NAMED_CURVE);
1536         sig.update((byte)(curveId >> 8));
1537         sig.update((byte)curveId);
1538         sig.update((byte)pointBytes.length);
1539         sig.update(pointBytes);
1540     }
1541 
1542     @Override
1543     int messageLength() {
1544         int sigLen = 0;
1545         if (signatureBytes != null) {
1546             sigLen = 2 + signatureBytes.length;
1547             if (protocolVersion.useTLS12PlusSpec()) {
1548                 sigLen += SignatureAndHashAlgorithm.sizeInRecord();
1549             }
1550         }
1551 
1552         return 4 + pointBytes.length + sigLen;
1553     }
1554 
1555     @Override
1556     void send(HandshakeOutStream s) throws IOException {
1557         s.putInt8(CURVE_NAMED_CURVE);
1558         s.putInt16(curveId);
1559         s.putBytes8(pointBytes);
1560 
1561         if (signatureBytes != null) {
1562             if (protocolVersion.useTLS12PlusSpec()) {
1563                 s.putInt8(preferableSignatureAlgorithm.getHashValue());
1564                 s.putInt8(preferableSignatureAlgorithm.getSignatureValue());
1565             }
1566 
1567             s.putBytes16(signatureBytes);
1568         }
1569     }
1570 
1571     @Override
1572     void print(PrintStream s) throws IOException {
1573         s.println("*** ECDH ServerKeyExchange");
1574 
1575         if (debug != null && Debug.isOn("verbose")) {
1576             if (signatureBytes == null) {
1577                 s.println("Anonymous");
1578             } else {
1579                 if (protocolVersion.useTLS12PlusSpec()) {
1580                     s.println("Signature Algorithm " +
1581                             preferableSignatureAlgorithm.getAlgorithmName());
1582                 }
1583             }
1584 
1585             s.println("Server key: " + publicKey);
1586         }
1587     }
1588 }
1589 
1590 static final class DistinguishedName {
1591 
1592     /*
1593      * DER encoded distinguished name.
1594      * TLS requires that its not longer than 65535 bytes.
1595      */
1596     byte[] name;
1597 
1598     DistinguishedName(HandshakeInStream input) throws IOException {
1599         name = input.getBytes16();
1600     }
1601 
1602     DistinguishedName(X500Principal dn) {
1603         name = dn.getEncoded();
1604     }
1605 
1606     X500Principal getX500Principal() throws IOException {
1607         try {
1608             return new X500Principal(name);
1609         } catch (IllegalArgumentException e) {
1610             throw (SSLProtocolException)new SSLProtocolException(
1611                 e.getMessage()).initCause(e);
1612         }
1613     }
1614 
1615     int length() {
1616         return 2 + name.length;
1617     }
1618 
1619     void send(HandshakeOutStream output) throws IOException {
1620         output.putBytes16(name);
1621     }
1622 
1623     void print(PrintStream output) throws IOException {
1624         X500Principal principal = new X500Principal(name);
1625         output.println("<" + principal.toString() + ">");
1626     }
1627 }
1628 
1629 /*
1630  * CertificateRequest ... SERVER --> CLIENT
1631  *
1632  * Authenticated servers may ask clients to authenticate themselves
1633  * in turn, using this message.
1634  *
1635  * Prior to TLS 1.2, the structure of the message is defined as:
1636  *     struct {
1637  *         ClientCertificateType certificate_types<1..2^8-1>;
1638  *         DistinguishedName certificate_authorities<0..2^16-1>;
1639  *     } CertificateRequest;
1640  *
1641  * In TLS 1.2, the structure is changed to:
1642  *     struct {
1643  *         ClientCertificateType certificate_types<1..2^8-1>;
1644  *         SignatureAndHashAlgorithm
1645  *           supported_signature_algorithms<2^16-1>;
1646  *         DistinguishedName certificate_authorities<0..2^16-1>;
1647  *     } CertificateRequest;
1648  *
1649  */
1650 static final
1651 class CertificateRequest extends HandshakeMessage
1652 {
1653     // enum ClientCertificateType
1654     static final int   cct_rsa_sign = 1;
1655     static final int   cct_dss_sign = 2;
1656     static final int   cct_rsa_fixed_dh = 3;
1657     static final int   cct_dss_fixed_dh = 4;
1658 
1659     // The existance of these two values is a bug in the SSL specification.
1660     // They are never used in the protocol.
1661     static final int   cct_rsa_ephemeral_dh = 5;
1662     static final int   cct_dss_ephemeral_dh = 6;
1663 
1664     // From RFC 4492 (ECC)
1665     static final int    cct_ecdsa_sign       = 64;
1666     static final int    cct_rsa_fixed_ecdh   = 65;
1667     static final int    cct_ecdsa_fixed_ecdh = 66;
1668 
1669     private static final byte[] TYPES_NO_ECC = { cct_rsa_sign, cct_dss_sign };
1670     private static final byte[] TYPES_ECC =
1671         { cct_rsa_sign, cct_dss_sign, cct_ecdsa_sign };
1672 
1673     byte[]                types;               // 1 to 255 types
1674     DistinguishedName[]   authorities;         // 3 to 2^16 - 1
1675         // ... "3" because that's the smallest DER-encoded X500 DN
1676 
1677     // protocol version being established using this CertificateRequest message
1678     ProtocolVersion protocolVersion;
1679 
1680     // supported_signature_algorithms for TLS 1.2 or later
1681     private Collection<SignatureAndHashAlgorithm> algorithms;
1682 
1683     // length of supported_signature_algorithms
1684     private int algorithmsLen;
1685 
1686     CertificateRequest(X509Certificate[] ca, KeyExchange keyExchange,
1687             Collection<SignatureAndHashAlgorithm> signAlgs,
1688             ProtocolVersion protocolVersion) throws IOException {
1689 
1690         this.protocolVersion = protocolVersion;
1691 
1692         // always use X500Principal
1693         authorities = new DistinguishedName[ca.length];
1694         for (int i = 0; i < ca.length; i++) {
1695             X500Principal x500Principal = ca[i].getSubjectX500Principal();
1696             authorities[i] = new DistinguishedName(x500Principal);
1697         }
1698         // we support RSA, DSS, and ECDSA client authentication and they
1699         // can be used with all ciphersuites. If this changes, the code
1700         // needs to be adapted to take keyExchange into account.
1701         // We only request ECDSA client auth if we have ECC crypto available.
1702         this.types = JsseJce.isEcAvailable() ? TYPES_ECC : TYPES_NO_ECC;
1703 
1704         // Use supported_signature_algorithms for TLS 1.2 or later.
1705         if (protocolVersion.useTLS12PlusSpec()) {
1706             if (signAlgs == null || signAlgs.isEmpty()) {
1707                 throw new SSLProtocolException(
1708                         "No supported signature algorithms");
1709             }
1710 
1711             algorithms = new ArrayList<SignatureAndHashAlgorithm>(signAlgs);
1712             algorithmsLen =
1713                 SignatureAndHashAlgorithm.sizeInRecord() * algorithms.size();
1714         } else {
1715             algorithms = new ArrayList<SignatureAndHashAlgorithm>();
1716             algorithmsLen = 0;
1717         }
1718     }
1719 
1720     CertificateRequest(HandshakeInStream input,
1721             ProtocolVersion protocolVersion) throws IOException {
1722 
1723         this.protocolVersion = protocolVersion;
1724 
1725         // Read the certificate_types.
1726         types = input.getBytes8();
1727 
1728         // Read the supported_signature_algorithms for TLS 1.2 or later.
1729         if (protocolVersion.useTLS12PlusSpec()) {
1730             algorithmsLen = input.getInt16();
1731             if (algorithmsLen < 2) {
1732                 throw new SSLProtocolException(
1733                     "Invalid supported_signature_algorithms field: " + algorithmsLen);
1734             }
1735 
1736             algorithms = new ArrayList<SignatureAndHashAlgorithm>();
1737             int remains = algorithmsLen;
1738             int sequence = 0;
1739             while (remains > 1) {    // needs at least two bytes
1740                 int hash = input.getInt8();         // hash algorithm
1741                 int signature = input.getInt8();    // signature algorithm
1742 
1743                 SignatureAndHashAlgorithm algorithm =
1744                     SignatureAndHashAlgorithm.valueOf(hash, signature,
1745                                                                 ++sequence);
1746                 algorithms.add(algorithm);
1747                 remains -= 2;  // one byte for hash, one byte for signature
1748             }
1749 
1750             if (remains != 0) {
1751                 throw new SSLProtocolException(
1752                     "Invalid supported_signature_algorithms field. remains: " + remains);
1753             }
1754         } else {
1755             algorithms = new ArrayList<SignatureAndHashAlgorithm>();
1756             algorithmsLen = 0;
1757         }
1758 
1759         // read the certificate_authorities
1760         int len = input.getInt16();
1761         ArrayList<DistinguishedName> v = new ArrayList<>();
1762         while (len >= 3) {
1763             DistinguishedName dn = new DistinguishedName(input);
1764             v.add(dn);
1765             len -= dn.length();
1766         }
1767 
1768         if (len != 0) {
1769             throw new SSLProtocolException("Bad CertificateRequest DN length: " + len);
1770         }
1771 
1772         authorities = v.toArray(new DistinguishedName[v.size()]);
1773     }
1774 
1775     X500Principal[] getAuthorities() throws IOException {
1776         X500Principal[] ret = new X500Principal[authorities.length];
1777         for (int i = 0; i < authorities.length; i++) {
1778             ret[i] = authorities[i].getX500Principal();
1779         }
1780         return ret;
1781     }
1782 
1783     Collection<SignatureAndHashAlgorithm> getSignAlgorithms() {
1784         return algorithms;
1785     }
1786 
1787     @Override
1788     int messageType() {
1789         return ht_certificate_request;
1790     }
1791 
1792     @Override
1793     int messageLength() {
1794         int len = 1 + types.length + 2;
1795 
1796         if (protocolVersion.useTLS12PlusSpec()) {
1797             len += algorithmsLen + 2;
1798         }
1799 
1800         for (int i = 0; i < authorities.length; i++) {
1801             len += authorities[i].length();
1802         }
1803 
1804         return len;
1805     }
1806 
1807     @Override
1808     void send(HandshakeOutStream output) throws IOException {
1809         // put certificate_types
1810         output.putBytes8(types);
1811 
1812         // put supported_signature_algorithms
1813         if (protocolVersion.useTLS12PlusSpec()) {
1814             output.putInt16(algorithmsLen);
1815             for (SignatureAndHashAlgorithm algorithm : algorithms) {
1816                 output.putInt8(algorithm.getHashValue());      // hash
1817                 output.putInt8(algorithm.getSignatureValue()); // signature
1818             }
1819         }
1820 
1821         // put certificate_authorities
1822         int len = 0;
1823         for (int i = 0; i < authorities.length; i++) {
1824             len += authorities[i].length();
1825         }
1826 
1827         output.putInt16(len);
1828         for (int i = 0; i < authorities.length; i++) {
1829             authorities[i].send(output);
1830         }
1831     }
1832 
1833     @Override
1834     void print(PrintStream s) throws IOException {
1835         s.println("*** CertificateRequest");
1836 
1837         if (debug != null && Debug.isOn("verbose")) {
1838             s.print("Cert Types: ");
1839             for (int i = 0; i < types.length; i++) {
1840                 switch (types[i]) {
1841                   case cct_rsa_sign:
1842                     s.print("RSA"); break;
1843                   case cct_dss_sign:
1844                     s.print("DSS"); break;
1845                   case cct_rsa_fixed_dh:
1846                     s.print("Fixed DH (RSA sig)"); break;
1847                   case cct_dss_fixed_dh:
1848                     s.print("Fixed DH (DSS sig)"); break;
1849                   case cct_rsa_ephemeral_dh:
1850                     s.print("Ephemeral DH (RSA sig)"); break;
1851                   case cct_dss_ephemeral_dh:
1852                     s.print("Ephemeral DH (DSS sig)"); break;
1853                   case cct_ecdsa_sign:
1854                     s.print("ECDSA"); break;
1855                   case cct_rsa_fixed_ecdh:
1856                     s.print("Fixed ECDH (RSA sig)"); break;
1857                   case cct_ecdsa_fixed_ecdh:
1858                     s.print("Fixed ECDH (ECDSA sig)"); break;
1859                   default:
1860                     s.print("Type-" + (types[i] & 0xff)); break;
1861                 }
1862                 if (i != types.length - 1) {
1863                     s.print(", ");
1864                 }
1865             }
1866             s.println();
1867 
1868             if (protocolVersion.useTLS12PlusSpec()) {
1869                 StringBuilder sb = new StringBuilder();
1870                 boolean opened = false;
1871                 for (SignatureAndHashAlgorithm signAlg : algorithms) {
1872                     if (opened) {
1873                         sb.append(", ").append(signAlg.getAlgorithmName());
1874                     } else {
1875                         sb.append(signAlg.getAlgorithmName());
1876                         opened = true;
1877                     }
1878                 }
1879                 s.println("Supported Signature Algorithms: " + sb);
1880             }
1881 
1882             s.println("Cert Authorities:");
1883             if (authorities.length == 0) {
1884                 s.println("<Empty>");
1885             } else {
1886                 for (int i = 0; i < authorities.length; i++) {
1887                     authorities[i].print(s);
1888                 }
1889             }
1890         }
1891     }
1892 }
1893 
1894 
1895 /*
1896  * ServerHelloDone ... SERVER --> CLIENT
1897  *
1898  * When server's done sending its messages in response to the client's
1899  * "hello" (e.g. its own hello, certificate, key exchange message, perhaps
1900  * client certificate request) it sends this message to flag that it's
1901  * done that part of the handshake.
1902  */
1903 static final
1904 class ServerHelloDone extends HandshakeMessage
1905 {
1906     @Override
1907     int messageType() { return ht_server_hello_done; }
1908 
1909     ServerHelloDone() { }
1910 
1911     ServerHelloDone(HandshakeInStream input)
1912     {
1913         // nothing to do
1914     }
1915 
1916     @Override
1917     int messageLength()
1918     {
1919         return 0;
1920     }
1921 
1922     @Override
1923     void send(HandshakeOutStream s) throws IOException
1924     {
1925         // nothing to send
1926     }
1927 
1928     @Override
1929     void print(PrintStream s) throws IOException
1930     {
1931         s.println("*** ServerHelloDone");
1932     }
1933 }
1934 
1935 
1936 /*
1937  * CertificateVerify ... CLIENT --> SERVER
1938  *
1939  * Sent after client sends signature-capable certificates (e.g. not
1940  * Diffie-Hellman) to verify.
1941  */
1942 static final class CertificateVerify extends HandshakeMessage {
1943 
1944     // the signature bytes
1945     private byte[] signature;
1946 
1947     // protocol version being established using this CertificateVerify message
1948     ProtocolVersion protocolVersion;
1949 
1950     // the preferable signature algorithm used by this CertificateVerify message
1951     private SignatureAndHashAlgorithm preferableSignatureAlgorithm = null;
1952 
1953     /*
1954      * Create an RSA or DSA signed certificate verify message.
1955      */
1956     CertificateVerify(ProtocolVersion protocolVersion,
1957             HandshakeHash handshakeHash, PrivateKey privateKey,
1958             SecretKey masterSecret, SecureRandom sr,
1959             SignatureAndHashAlgorithm signAlgorithm)
1960             throws GeneralSecurityException {
1961 
1962         this.protocolVersion = protocolVersion;
1963 
1964         String algorithm = privateKey.getAlgorithm();
1965         Signature sig = null;
1966         if (protocolVersion.useTLS12PlusSpec()) {
1967             this.preferableSignatureAlgorithm = signAlgorithm;
1968             sig = JsseJce.getSignature(signAlgorithm.getAlgorithmName());
1969         } else {
1970             sig = getSignature(protocolVersion, algorithm);
1971         }
1972         sig.initSign(privateKey, sr);
1973         updateSignature(sig, protocolVersion, handshakeHash, algorithm,
1974                         masterSecret);
1975         signature = sig.sign();
1976     }
1977 
1978     //
1979     // Unmarshal the signed data from the input stream.
1980     //
1981     CertificateVerify(HandshakeInStream input,
1982             Collection<SignatureAndHashAlgorithm> localSupportedSignAlgs,
1983             ProtocolVersion protocolVersion) throws IOException  {
1984 
1985         this.protocolVersion = protocolVersion;
1986 
1987         // read the signature and hash algorithm
1988         if (protocolVersion.useTLS12PlusSpec()) {
1989             int hashAlg = input.getInt8();         // hash algorithm
1990             int signAlg = input.getInt8();         // signature algorithm
1991 
1992             preferableSignatureAlgorithm =
1993                 SignatureAndHashAlgorithm.valueOf(hashAlg, signAlg, 0);
1994 
1995             // Is it a local supported signature algorithm?
1996             if (!localSupportedSignAlgs.contains(
1997                     preferableSignatureAlgorithm)) {
1998                 throw new SSLHandshakeException(
1999                         "Unsupported SignatureAndHashAlgorithm in " +
2000                         "CertificateVerify message: " + preferableSignatureAlgorithm);
2001             }
2002         }
2003 
2004         // read the signature
2005         signature = input.getBytes16();
2006     }
2007 
2008     /*
2009      * Get the preferable signature algorithm used by this message
2010      */
2011     SignatureAndHashAlgorithm getPreferableSignatureAlgorithm() {
2012         return preferableSignatureAlgorithm;
2013     }
2014 
2015     /*
2016      * Verify a certificate verify message. Return the result of verification,
2017      * if there is a problem throw a GeneralSecurityException.
2018      */
2019     boolean verify(ProtocolVersion protocolVersion,
2020             HandshakeHash handshakeHash, PublicKey publicKey,
2021             SecretKey masterSecret) throws GeneralSecurityException {
2022         String algorithm = publicKey.getAlgorithm();
2023         Signature sig = null;
2024         if (protocolVersion.useTLS12PlusSpec()) {
2025             sig = JsseJce.getSignature(
2026                         preferableSignatureAlgorithm.getAlgorithmName());
2027         } else {
2028             sig = getSignature(protocolVersion, algorithm);
2029         }
2030         sig.initVerify(publicKey);
2031         updateSignature(sig, protocolVersion, handshakeHash, algorithm,
2032                         masterSecret);
2033         return sig.verify(signature);
2034     }
2035 
2036     /*
2037      * Get the Signature object appropriate for verification using the
2038      * given signature algorithm and protocol version.
2039      */
2040     private static Signature getSignature(ProtocolVersion protocolVersion,
2041             String algorithm) throws GeneralSecurityException {
2042             switch (algorithm) {
2043                 case "RSA":
2044                     return RSASignature.getInternalInstance();
2045                 case "DSA":
2046                     return JsseJce.getSignature(JsseJce.SIGNATURE_RAWDSA);
2047                 case "EC":
2048                     return JsseJce.getSignature(JsseJce.SIGNATURE_RAWECDSA);
2049                 default:
2050                     throw new SignatureException("Unrecognized algorithm: "
2051                         + algorithm);
2052             }
2053     }
2054 
2055     /*
2056      * Update the Signature with the data appropriate for the given
2057      * signature algorithm and protocol version so that the object is
2058      * ready for signing or verifying.
2059      */
2060     private static void updateSignature(Signature sig,
2061             ProtocolVersion protocolVersion,
2062             HandshakeHash handshakeHash, String algorithm, SecretKey masterKey)
2063             throws SignatureException {
2064 
2065         if (algorithm.equals("RSA")) {
2066             if (!protocolVersion.useTLS12PlusSpec()) {  // TLS1.1-
2067                 MessageDigest md5Clone = handshakeHash.getMD5Clone();
2068                 MessageDigest shaClone = handshakeHash.getSHAClone();
2069 
2070                 if (!protocolVersion.useTLS10PlusSpec()) {  // SSLv3
2071                     updateDigest(md5Clone, MD5_pad1, MD5_pad2, masterKey);
2072                     updateDigest(shaClone, SHA_pad1, SHA_pad2, masterKey);
2073                 }
2074 
2075                 // The signature must be an instance of RSASignature, need
2076                 // to use these hashes directly.
2077                 RSASignature.setHashes(sig, md5Clone, shaClone);
2078             } else {  // TLS1.2+
2079                 sig.update(handshakeHash.getAllHandshakeMessages());
2080             }
2081         } else { // DSA, ECDSA
2082             if (!protocolVersion.useTLS12PlusSpec()) {  // TLS1.1-
2083                 MessageDigest shaClone = handshakeHash.getSHAClone();
2084 
2085                 if (!protocolVersion.useTLS10PlusSpec()) {  // SSLv3
2086                     updateDigest(shaClone, SHA_pad1, SHA_pad2, masterKey);
2087                 }
2088 
2089                 sig.update(shaClone.digest());
2090             } else {  // TLS1.2+
2091                 sig.update(handshakeHash.getAllHandshakeMessages());
2092             }
2093         }
2094     }
2095 
2096     /*
2097      * Update the MessageDigest for SSLv3 certificate verify or finished
2098      * message calculation. The digest must already have been updated with
2099      * all preceding handshake messages.
2100      * Used by the Finished class as well.
2101      */
2102     private static void updateDigest(MessageDigest md,
2103             byte[] pad1, byte[] pad2,
2104             SecretKey masterSecret) {
2105         // Digest the key bytes if available.
2106         // Otherwise (sensitive key), try digesting the key directly.
2107         // That is currently only implemented in SunPKCS11 using a private
2108         // reflection API, so we avoid that if possible.
2109         byte[] keyBytes = "RAW".equals(masterSecret.getFormat())
2110                         ? masterSecret.getEncoded() : null;
2111         if (keyBytes != null) {
2112             md.update(keyBytes);
2113         } else {
2114             digestKey(md, masterSecret);
2115         }
2116         md.update(pad1);
2117         byte[] temp = md.digest();
2118 
2119         if (keyBytes != null) {
2120             md.update(keyBytes);
2121         } else {
2122             digestKey(md, masterSecret);
2123         }
2124         md.update(pad2);
2125         md.update(temp);
2126     }
2127 
2128     private static final Class<?> delegate;
2129     private static final Field spiField;
2130 
2131     static {
2132         try {
2133             delegate = Class.forName("java.security.MessageDigest$Delegate");
2134             spiField = delegate.getDeclaredField("digestSpi");
2135         } catch (Exception e) {
2136             throw new RuntimeException("Reflection failed", e);
2137         }
2138         makeAccessible(spiField);
2139     }
2140 
2141     private static void makeAccessible(final AccessibleObject o) {
2142         AccessController.doPrivileged(new PrivilegedAction<Object>() {
2143             @Override
2144             public Object run() {
2145                 o.setAccessible(true);
2146                 return null;
2147             }
2148         });
2149     }
2150 
2151     // ConcurrentHashMap does not allow null values, use this marker object
2152     private static final Object NULL_OBJECT = new Object();
2153 
2154     // cache Method objects per Spi class
2155     // Note that this will prevent the Spi classes from being GC'd. We assume
2156     // that is not a problem.
2157     private static final Map<Class<?>,Object> methodCache =
2158                                         new ConcurrentHashMap<>();
2159 
2160     private static void digestKey(MessageDigest md, SecretKey key) {
2161         try {
2162             // Verify that md is implemented via MessageDigestSpi, not
2163             // via JDK 1.1 style MessageDigest subclassing.
2164             if (md.getClass() != delegate) {
2165                 throw new Exception("Digest is not a MessageDigestSpi");
2166             }
2167             MessageDigestSpi spi = (MessageDigestSpi)spiField.get(md);
2168             Class<?> clazz = spi.getClass();
2169             Object r = methodCache.get(clazz);
2170             if (r == null) {
2171                 try {
2172                     r = clazz.getDeclaredMethod("implUpdate", SecretKey.class);
2173                     makeAccessible((Method)r);
2174                 } catch (NoSuchMethodException e) {
2175                     r = NULL_OBJECT;
2176                 }
2177                 methodCache.put(clazz, r);
2178             }
2179             if (r == NULL_OBJECT) {
2180                 throw new Exception(
2181                     "Digest does not support implUpdate(SecretKey)");
2182             }
2183             Method update = (Method)r;
2184             update.invoke(spi, key);
2185         } catch (Exception e) {
2186             throw new RuntimeException(
2187                 "Could not obtain encoded key and "
2188                 + "MessageDigest cannot digest key", e);
2189         }
2190     }
2191 
2192     @Override
2193     int messageType() {
2194         return ht_certificate_verify;
2195     }
2196 
2197     @Override
2198     int messageLength() {
2199         int temp = 2;
2200 
2201         if (protocolVersion.useTLS12PlusSpec()) {
2202             temp += SignatureAndHashAlgorithm.sizeInRecord();
2203         }
2204 
2205         return temp + signature.length;
2206     }
2207 
2208     @Override
2209     void send(HandshakeOutStream s) throws IOException {
2210         if (protocolVersion.useTLS12PlusSpec()) {
2211             s.putInt8(preferableSignatureAlgorithm.getHashValue());
2212             s.putInt8(preferableSignatureAlgorithm.getSignatureValue());
2213         }
2214 
2215         s.putBytes16(signature);
2216     }
2217 
2218     @Override
2219     void print(PrintStream s) throws IOException {
2220         s.println("*** CertificateVerify");
2221 
2222         if (debug != null && Debug.isOn("verbose")) {
2223             if (protocolVersion.useTLS12PlusSpec()) {
2224                 s.println("Signature Algorithm " +
2225                         preferableSignatureAlgorithm.getAlgorithmName());
2226             }
2227         }
2228     }
2229 }
2230 
2231 
2232 /*
2233  * FINISHED ... sent by both CLIENT and SERVER
2234  *
2235  * This is the FINISHED message as defined in the SSL and TLS protocols.
2236  * Both protocols define this handshake message slightly differently.
2237  * This class supports both formats.
2238  *
2239  * When handshaking is finished, each side sends a "change_cipher_spec"
2240  * record, then immediately sends a "finished" handshake message prepared
2241  * according to the newly adopted cipher spec.
2242  *
2243  * NOTE that until this is sent, no application data may be passed, unless
2244  * some non-default cipher suite has already been set up on this connection
2245  * connection (e.g. a previous handshake arranged one).
2246  */
2247 static final class Finished extends HandshakeMessage {
2248 
2249     // constant for a Finished message sent by the client
2250     static final int CLIENT = 1;
2251 
2252     // constant for a Finished message sent by the server
2253     static final int SERVER = 2;
2254 
2255     // enum Sender:  "CLNT" and "SRVR"
2256     private static final byte[] SSL_CLIENT = { 0x43, 0x4C, 0x4E, 0x54 };
2257     private static final byte[] SSL_SERVER = { 0x53, 0x52, 0x56, 0x52 };
2258 
2259     /*
2260      * Contents of the finished message ("checksum"). For TLS, it
2261      * is 12 bytes long, for SSLv3 36 bytes.
2262      */
2263     private byte[] verifyData;
2264 
2265     /*
2266      * Current cipher suite we are negotiating.  TLS 1.2 has
2267      * ciphersuite-defined PRF algorithms.
2268      */
2269     private ProtocolVersion protocolVersion;
2270     private CipherSuite cipherSuite;
2271 
2272     /*
2273      * Create a finished message to send to the remote peer.
2274      */
2275     Finished(ProtocolVersion protocolVersion, HandshakeHash handshakeHash,
2276             int sender, SecretKey master, CipherSuite cipherSuite) {
2277         this.protocolVersion = protocolVersion;
2278         this.cipherSuite = cipherSuite;
2279         verifyData = getFinished(handshakeHash, sender, master);
2280     }
2281 
2282     /*
2283      * Constructor that reads FINISHED message from stream.
2284      */
2285     Finished(ProtocolVersion protocolVersion, HandshakeInStream input,
2286             CipherSuite cipherSuite) throws IOException {
2287         this.protocolVersion = protocolVersion;
2288         this.cipherSuite = cipherSuite;
2289         int msgLen = protocolVersion.useTLS10PlusSpec() ?  12 : 36;
2290         verifyData = new byte[msgLen];
2291         input.read(verifyData);
2292     }
2293 
2294     /*
2295      * Verify that the hashes here are what would have been produced
2296      * according to a given set of inputs.  This is used to ensure that
2297      * both client and server are fully in sync, and that the handshake
2298      * computations have been successful.
2299      */
2300     boolean verify(HandshakeHash handshakeHash, int sender, SecretKey master) {
2301         byte[] myFinished = getFinished(handshakeHash, sender, master);
2302         return MessageDigest.isEqual(myFinished, verifyData);
2303     }
2304 
2305     /*
2306      * Perform the actual finished message calculation.
2307      */
2308     private byte[] getFinished(HandshakeHash handshakeHash,
2309             int sender, SecretKey masterKey) {
2310         byte[] sslLabel;
2311         String tlsLabel;
2312         if (sender == CLIENT) {
2313             sslLabel = SSL_CLIENT;
2314             tlsLabel = "client finished";
2315         } else if (sender == SERVER) {
2316             sslLabel = SSL_SERVER;
2317             tlsLabel = "server finished";
2318         } else {
2319             throw new RuntimeException("Invalid sender: " + sender);
2320         }
2321 
2322         if (protocolVersion.useTLS10PlusSpec()) {
2323             // TLS 1.0+
2324             try {
2325                 byte[] seed;
2326                 String prfAlg;
2327                 PRF prf;
2328 
2329                 // Get the KeyGenerator alg and calculate the seed.
2330                 if (protocolVersion.useTLS12PlusSpec()) {
2331                     // TLS 1.2+ or DTLS 1.2+
2332                     seed = handshakeHash.getFinishedHash();
2333 
2334                     prfAlg = "SunTls12Prf";
2335                     prf = cipherSuite.prfAlg;
2336                 } else {
2337                     // TLS 1.0/1.1, DTLS 1.0
2338                     MessageDigest md5Clone = handshakeHash.getMD5Clone();
2339                     MessageDigest shaClone = handshakeHash.getSHAClone();
2340                     seed = new byte[36];
2341                     md5Clone.digest(seed, 0, 16);
2342                     shaClone.digest(seed, 16, 20);
2343 
2344                     prfAlg = "SunTlsPrf";
2345                     prf = P_NONE;
2346                 }
2347 
2348                 String prfHashAlg = prf.getPRFHashAlg();
2349                 int prfHashLength = prf.getPRFHashLength();
2350                 int prfBlockSize = prf.getPRFBlockSize();
2351 
2352                 /*
2353                  * RFC 5246/7.4.9 says that finished messages can
2354                  * be ciphersuite-specific in both length/PRF hash
2355                  * algorithm.  If we ever run across a different
2356                  * length, this call will need to be updated.
2357                  */
2358                 @SuppressWarnings("deprecation")
2359                 TlsPrfParameterSpec spec = new TlsPrfParameterSpec(
2360                     masterKey, tlsLabel, seed, 12,
2361                     prfHashAlg, prfHashLength, prfBlockSize);
2362 
2363                 KeyGenerator kg = JsseJce.getKeyGenerator(prfAlg);
2364                 kg.init(spec);
2365                 SecretKey prfKey = kg.generateKey();
2366                 if ("RAW".equals(prfKey.getFormat()) == false) {
2367                     throw new ProviderException(
2368                         "Invalid PRF output, format must be RAW. Format received:" +
2369                         prfKey.getFormat());
2370                 }
2371                 byte[] finished = prfKey.getEncoded();
2372                 return finished;
2373             } catch (GeneralSecurityException e) {
2374                 throw new RuntimeException("PRF failed", e);
2375             }
2376         } else {
2377             // SSLv3
2378             MessageDigest md5Clone = handshakeHash.getMD5Clone();
2379             MessageDigest shaClone = handshakeHash.getSHAClone();
2380             updateDigest(md5Clone, sslLabel, MD5_pad1, MD5_pad2, masterKey);
2381             updateDigest(shaClone, sslLabel, SHA_pad1, SHA_pad2, masterKey);
2382             byte[] finished = new byte[36];
2383             try {
2384                 md5Clone.digest(finished, 0, 16);
2385                 shaClone.digest(finished, 16, 20);
2386             } catch (DigestException e) {
2387                 // cannot occur
2388                 throw new RuntimeException("Digest failed", e);
2389             }
2390             return finished;
2391         }
2392     }
2393 
2394     /*
2395      * Update the MessageDigest for SSLv3 finished message calculation.
2396      * The digest must already have been updated with all preceding handshake
2397      * messages. This operation is almost identical to the certificate verify
2398      * hash, reuse that code.
2399      */
2400     private static void updateDigest(MessageDigest md, byte[] sender,
2401             byte[] pad1, byte[] pad2, SecretKey masterSecret) {
2402         md.update(sender);
2403         CertificateVerify.updateDigest(md, pad1, pad2, masterSecret);
2404     }
2405 
2406     // get the verify_data of the finished message
2407     byte[] getVerifyData() {
2408         return verifyData;
2409     }
2410 
2411     @Override
2412     int messageType() { return ht_finished; }
2413 
2414     @Override
2415     int messageLength() {
2416         return verifyData.length;
2417     }
2418 
2419     @Override
2420     void send(HandshakeOutStream out) throws IOException {
2421         out.write(verifyData);
2422     }
2423 
2424     @Override
2425     void print(PrintStream s) throws IOException {
2426         s.println("*** Finished");
2427         if (debug != null && Debug.isOn("verbose")) {
2428             Debug.println(s, "verify_data", verifyData);
2429             s.println("***");
2430         }
2431     }
2432 }
2433 
2434 //
2435 // END of nested classes
2436 //
2437 
2438 }