1 /*
   2  * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.  Oracle designates this
   8  * particular file as subject to the "Classpath" exception as provided
   9  * by Oracle in the LICENSE file that accompanied this code.
  10  *
  11  * This code is distributed in the hope that it will be useful, but WITHOUT
  12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  14  * version 2 for more details (a copy is included in the LICENSE file that
  15  * accompanied this code).
  16  *
  17  * You should have received a copy of the GNU General Public License version
  18  * 2 along with this work; if not, write to the Free Software Foundation,
  19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20  *
  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 
  26 
  27 package sun.security.ssl;
  28 
  29 import java.io.*;
  30 import java.security.*;
  31 
  32 import javax.crypto.*;
  33 
  34 import javax.net.ssl.*;
  35 
  36 import sun.security.internal.spec.TlsRsaPremasterSecretParameterSpec;
  37 import sun.security.util.KeyUtil;
  38 
  39 /**
  40  * This is the client key exchange message (CLIENT --> SERVER) used with
  41  * all RSA key exchanges; it holds the RSA-encrypted pre-master secret.
  42  *
  43  * The message is encrypted using PKCS #1 block type 02 encryption with the
  44  * server's public key.  The padding and resulting message size is a function
  45  * of this server's public key modulus size, but the pre-master secret is
  46  * always exactly 48 bytes.
  47  *
  48  */
  49 final class RSAClientKeyExchange extends HandshakeMessage {
  50 
  51     /*
  52      * The following field values were encrypted with the server's public
  53      * key (or temp key from server key exchange msg) and are presented
  54      * here in DECRYPTED form.
  55      */
  56     private ProtocolVersion protocolVersion; // preMaster [0,1]
  57     SecretKey preMaster;
  58     private byte[] encrypted;           // same size as public modulus
  59 
  60     /*
  61      * Client randomly creates a pre-master secret and encrypts it
  62      * using the server's RSA public key; only the server can decrypt
  63      * it, using its RSA private key.  Result is the same size as the
  64      * server's public key, and uses PKCS #1 block format 02.
  65      */
  66     @SuppressWarnings("deprecation")
  67     RSAClientKeyExchange(ProtocolVersion protocolVersion,
  68             ProtocolVersion maxVersion,
  69             SecureRandom generator, PublicKey publicKey) throws IOException {
  70         if (publicKey.getAlgorithm().equals("RSA") == false) {
  71             throw new SSLKeyException("Public key not of type RSA");
  72         }
  73         this.protocolVersion = protocolVersion;
  74 
  75         try {
  76             String s = protocolVersion.useTLS12PlusSpec() ?
  77                 "SunTls12RsaPremasterSecret" : "SunTlsRsaPremasterSecret";
  78             KeyGenerator kg = JsseJce.getKeyGenerator(s);
  79             kg.init(new TlsRsaPremasterSecretParameterSpec(
  80                     maxVersion.v, protocolVersion.v), generator);
  81             preMaster = kg.generateKey();
  82 
  83             Cipher cipher = JsseJce.getCipher(JsseJce.CIPHER_RSA_PKCS1);
  84             cipher.init(Cipher.WRAP_MODE, publicKey, generator);
  85             encrypted = cipher.wrap(preMaster);
  86         } catch (GeneralSecurityException e) {
  87             throw (SSLKeyException)new SSLKeyException
  88                                 ("RSA premaster secret error").initCause(e);
  89         }
  90     }
  91 
  92     /*
  93      * Server gets the PKCS #1 (block format 02) data, decrypts
  94      * it with its private key.
  95      */
  96     @SuppressWarnings("deprecation")
  97     RSAClientKeyExchange(ProtocolVersion currentVersion,
  98             ProtocolVersion maxVersion,
  99             SecureRandom generator, HandshakeInStream input,
 100             int messageSize, PrivateKey privateKey) throws IOException {
 101 
 102         if (privateKey.getAlgorithm().equals("RSA") == false) {
 103             throw new SSLKeyException("Private key not of type RSA");
 104         }
 105 
 106         if (currentVersion.useTLS10PlusSpec()) {
 107             encrypted = input.getBytes16();
 108         } else {
 109             encrypted = new byte [messageSize];
 110             if (input.read(encrypted) != messageSize) {
 111                 throw new SSLProtocolException(
 112                         "SSL: read PreMasterSecret: short read");
 113             }
 114         }
 115 
 116         byte[] encoded = null;
 117         try {
 118             boolean needFailover = false;
 119             Cipher cipher = JsseJce.getCipher(JsseJce.CIPHER_RSA_PKCS1);
 120             try {
 121                 // Try UNWRAP_MODE mode firstly.
 122                 cipher.init(Cipher.UNWRAP_MODE, privateKey,
 123                         new TlsRsaPremasterSecretParameterSpec(
 124                                 maxVersion.v, currentVersion.v),
 125                         generator);
 126 
 127                 // The provider selection can be delayed, please don't call
 128                 // any Cipher method before the call to Cipher.init().
 129                 needFailover = !KeyUtil.isOracleJCEProvider(
 130                         cipher.getProvider().getName());
 131             } catch (InvalidKeyException | UnsupportedOperationException iue) {
 132                 if (debug != null && Debug.isOn("handshake")) {
 133                     System.out.println("The Cipher provider " +
 134                         cipher.getProvider().getName() +
 135                         " caused exception: " + iue.getMessage());
 136                 }
 137 
 138                 needFailover = true;
 139             }
 140 
 141             if (needFailover) {
 142                 // Use DECRYPT_MODE and dispose the previous initialization.
 143                 cipher.init(Cipher.DECRYPT_MODE, privateKey);
 144                 boolean failed = false;
 145                 try {
 146                     encoded = cipher.doFinal(encrypted);
 147                 } catch (BadPaddingException bpe) {
 148                     // Note: encoded == null
 149                     failed = true;
 150                 }
 151                 encoded = KeyUtil.checkTlsPreMasterSecretKey(
 152                                 maxVersion.v, currentVersion.v,
 153                                 generator, encoded, failed);
 154                 preMaster = generatePreMasterSecret(
 155                                 maxVersion.v, currentVersion.v,
 156                                 encoded, generator);
 157             } else {
 158                 // the cipher should have been initialized
 159                 preMaster = (SecretKey)cipher.unwrap(encrypted,
 160                         "TlsRsaPremasterSecret", Cipher.SECRET_KEY);
 161             }
 162         } catch (InvalidKeyException ibk) {
 163             // the message is too big to process with RSA
 164             throw new SSLProtocolException(
 165                 "Unable to process PreMasterSecret, may be too big");
 166         } catch (Exception e) {
 167             // unlikely to happen, otherwise, must be a provider exception
 168             if (debug != null && Debug.isOn("handshake")) {
 169                 System.out.println("RSA premaster secret decryption error:");
 170                 e.printStackTrace(System.out);
 171             }
 172             throw new RuntimeException("Could not generate dummy secret", e);
 173         }
 174     }
 175 
 176     // generate a premaster secret with the specified version number
 177     @SuppressWarnings("deprecation")
 178     private static SecretKey generatePreMasterSecret(
 179             int clientVersion, int serverVersion,
 180             byte[] encodedSecret, SecureRandom generator) {
 181 
 182         if (debug != null && Debug.isOn("handshake")) {
 183             System.out.println("Generating a premaster secret");
 184         }
 185 
 186         try {
 187             String s = ((clientVersion >= ProtocolVersion.TLS12.v) ?
 188                 "SunTls12RsaPremasterSecret" : "SunTlsRsaPremasterSecret");
 189             KeyGenerator kg = JsseJce.getKeyGenerator(s);
 190             kg.init(new TlsRsaPremasterSecretParameterSpec(
 191                     clientVersion, serverVersion, encodedSecret),
 192                     generator);
 193             return kg.generateKey();
 194         } catch (InvalidAlgorithmParameterException |
 195                 NoSuchAlgorithmException iae) {
 196             // unlikely to happen, otherwise, must be a provider exception
 197             if (debug != null && Debug.isOn("handshake")) {
 198                 System.out.println("RSA premaster secret generation error:");
 199                 iae.printStackTrace(System.out);
 200             }
 201             throw new RuntimeException("Could not generate premaster secret", iae);
 202         }
 203     }
 204 
 205     @Override
 206     int messageType() {
 207         return ht_client_key_exchange;
 208     }
 209 
 210     @Override
 211     int messageLength() {
 212         if (protocolVersion.useTLS10PlusSpec()) {
 213             return encrypted.length + 2;
 214         } else {
 215             return encrypted.length;
 216         }
 217     }
 218 
 219     @Override
 220     void send(HandshakeOutStream s) throws IOException {
 221         if (protocolVersion.useTLS10PlusSpec()) {
 222             s.putBytes16(encrypted);
 223         } else {
 224             s.write(encrypted);
 225         }
 226     }
 227 
 228     @Override
 229     void print(PrintStream s) throws IOException {
 230         s.println("*** ClientKeyExchange, RSA PreMasterSecret, " +
 231                                                         protocolVersion);
 232     }
 233 }