1 /* 2 * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package sun.security.ssl; 27 28 import java.io.*; 29 import java.math.BigInteger; 30 import java.security.*; 31 import java.security.interfaces.*; 32 import java.security.spec.*; 33 import java.security.cert.*; 34 import java.security.cert.Certificate; 35 import java.util.*; 36 import java.util.concurrent.ConcurrentHashMap; 37 38 import java.lang.reflect.*; 39 40 import javax.security.auth.x500.X500Principal; 41 42 import javax.crypto.KeyGenerator; 43 import javax.crypto.SecretKey; 44 import javax.crypto.spec.DHPublicKeySpec; 45 46 import javax.net.ssl.*; 47 48 import sun.security.internal.spec.TlsPrfParameterSpec; 49 import sun.security.ssl.CipherSuite.*; 50 import static sun.security.ssl.CipherSuite.PRF.*; 51 import sun.security.util.KeyUtil; 52 import sun.security.provider.certpath.OCSPResponse; 53 54 /** 55 * Many data structures are involved in the handshake messages. These 56 * classes are used as structures, with public data members. They are 57 * not visible outside the SSL package. 58 * 59 * Handshake messages all have a common header format, and they are all 60 * encoded in a "handshake data" SSL record substream. The base class 61 * here (HandshakeMessage) provides a common framework and records the 62 * SSL record type of the particular handshake message. 63 * 64 * This file contains subclasses for all the basic handshake messages. 65 * All handshake messages know how to encode and decode themselves on 66 * SSL streams; this facilitates using the same code on SSL client and 67 * server sides, although they don't send and receive the same messages. 68 * 69 * Messages also know how to print themselves, which is quite handy 70 * for debugging. They always identify their type, and can optionally 71 * dump all of their content. 72 * 73 * @author David Brownell 74 */ 75 public abstract class HandshakeMessage { 76 77 /* Class and subclass dynamic debugging support */ 78 public static final Debug debug = Debug.getInstance("ssl"); 79 80 // enum HandshakeType: 81 static final byte ht_hello_request = 0; // RFC 5246 82 static final byte ht_client_hello = 1; // RFC 5246 83 static final byte ht_server_hello = 2; // RFC 5246 84 static final byte ht_hello_verify_request = 3; // RFC 6347 85 static final byte ht_new_session_ticket = 4; // RFC 4507 86 87 static final byte ht_certificate = 11; // RFC 5246 88 static final byte ht_server_key_exchange = 12; // RFC 5246 89 static final byte ht_certificate_request = 13; // RFC 5246 90 static final byte ht_server_hello_done = 14; // RFC 5246 91 static final byte ht_certificate_verify = 15; // RFC 5246 92 static final byte ht_client_key_exchange = 16; // RFC 5246 93 94 static final byte ht_finished = 20; // RFC 5246 95 static final byte ht_certificate_url = 21; // RFC 6066 96 static final byte ht_certificate_status = 22; // RFC 6066 97 static final byte ht_supplemental_data = 23; // RFC 4680 98 99 static final byte ht_not_applicable = -1; // N/A 100 101 /* 102 * SSL 3.0 MAC padding constants. 103 * Also used by CertificateVerify and Finished during the handshake. 104 */ 105 static final byte[] MD5_pad1 = genPad(0x36, 48); 106 static final byte[] MD5_pad2 = genPad(0x5c, 48); 107 108 static final byte[] SHA_pad1 = genPad(0x36, 40); 109 static final byte[] SHA_pad2 = genPad(0x5c, 40); 110 111 // default constructor 112 HandshakeMessage() { 113 } 114 115 /** 116 * Utility method to convert a BigInteger to a byte array in unsigned 117 * format as needed in the handshake messages. BigInteger uses 118 * 2's complement format, i.e. it prepends an extra zero if the MSB 119 * is set. We remove that. 120 */ 121 static byte[] toByteArray(BigInteger bi) { 122 byte[] b = bi.toByteArray(); 123 if ((b.length > 1) && (b[0] == 0)) { 124 int n = b.length - 1; 125 byte[] newarray = new byte[n]; 126 System.arraycopy(b, 1, newarray, 0, n); 127 b = newarray; 128 } 129 return b; 130 } 131 132 private static byte[] genPad(int b, int count) { 133 byte[] padding = new byte[count]; 134 Arrays.fill(padding, (byte)b); 135 return padding; 136 } 137 138 /* 139 * Write a handshake message on the (handshake) output stream. 140 * This is just a four byte header followed by the data. 141 * 142 * NOTE that huge messages -- notably, ones with huge cert 143 * chains -- are handled correctly. 144 */ 145 final void write(HandshakeOutStream s) throws IOException { 146 int len = messageLength(); 147 if (len >= Record.OVERFLOW_OF_INT24) { 148 throw new SSLException("Handshake message too big" 149 + ", type = " + messageType() + ", len = " + len); 150 } 151 s.write(messageType()); 152 s.putInt24(len); 153 send(s); 154 s.complete(); 155 } 156 157 /* 158 * Subclasses implement these methods so those kinds of 159 * messages can be emitted. Base class delegates to subclass. 160 */ 161 abstract int messageType(); 162 abstract int messageLength(); 163 abstract void send(HandshakeOutStream s) throws IOException; 164 165 /* 166 * Write a descriptive message on the output stream; for debugging. 167 */ 168 abstract void print(PrintStream p) throws IOException; 169 170 // 171 // NOTE: the rest of these classes are nested within this one, and are 172 // imported by other classes in this package. There are a few other 173 // handshake message classes, not neatly nested here because of current 174 // licensing requirement for native (RSA) methods. They belong here, 175 // but those native methods complicate things a lot! 176 // 177 178 179 /* 180 * HelloRequest ... SERVER --> CLIENT 181 * 182 * Server can ask the client to initiate a new handshake, e.g. to change 183 * session parameters after a connection has been (re)established. 184 */ 185 static final class HelloRequest extends HandshakeMessage { 186 @Override 187 int messageType() { return ht_hello_request; } 188 189 HelloRequest() { } 190 191 HelloRequest(HandshakeInStream in) throws IOException 192 { 193 // nothing in this message 194 } 195 196 @Override 197 int messageLength() { return 0; } 198 199 @Override 200 void send(HandshakeOutStream out) throws IOException 201 { 202 // nothing in this messaage 203 } 204 205 @Override 206 void print(PrintStream out) throws IOException 207 { 208 out.println("*** HelloRequest (empty)"); 209 } 210 211 } 212 213 /* 214 * HelloVerifyRequest ... SERVER --> CLIENT [DTLS only] 215 * 216 * The definition of HelloVerifyRequest is as follows: 217 * 218 * struct { 219 * ProtocolVersion server_version; 220 * opaque cookie<0..2^8-1>; 221 * } HelloVerifyRequest; 222 * 223 * For DTLS protocols, once the client has transmitted the ClientHello message, 224 * it expects to see a HelloVerifyRequest from the server. However, if the 225 * server's message is lost, the client knows that either the ClientHello or 226 * the HelloVerifyRequest has been lost and retransmits. [RFC 6347] 227 */ 228 static final class HelloVerifyRequest extends HandshakeMessage { 229 ProtocolVersion protocolVersion; 230 byte[] cookie; // 1 to 2^8 - 1 bytes 231 232 HelloVerifyRequest(HelloCookieManager helloCookieManager, 233 ClientHello clientHelloMsg) { 234 235 this.protocolVersion = clientHelloMsg.protocolVersion; 236 this.cookie = helloCookieManager.getCookie(clientHelloMsg); 237 } 238 239 HelloVerifyRequest( 240 HandshakeInStream input, int messageLength) throws IOException { 241 242 this.protocolVersion = 243 ProtocolVersion.valueOf(input.getInt8(), input.getInt8()); 244 this.cookie = input.getBytes8(); 245 246 // Is it a valid cookie? 247 HelloCookieManager.checkCookie(protocolVersion, cookie); 248 } 249 250 @Override 251 int messageType() { 252 return ht_hello_verify_request; 253 } 254 255 @Override 256 int messageLength() { 257 return 2 + cookie.length; // 2: the length of protocolVersion 258 } 259 260 @Override 261 void send(HandshakeOutStream hos) throws IOException { 262 hos.putInt8(protocolVersion.major); 263 hos.putInt8(protocolVersion.minor); 264 hos.putBytes8(cookie); 265 } 266 267 @Override 268 void print(PrintStream out) throws IOException { 269 out.println("*** HelloVerifyRequest"); 270 if (debug != null && Debug.isOn("verbose")) { 271 out.println("server_version: " + protocolVersion); 272 Debug.println(out, "cookie", cookie); 273 } 274 } 275 } 276 277 /* 278 * ClientHello ... CLIENT --> SERVER 279 * 280 * Client initiates handshake by telling server what it wants, and what it 281 * can support (prioritized by what's first in the ciphe suite list). 282 * 283 * By RFC2246:7.4.1.2 it's explicitly anticipated that this message 284 * will have more data added at the end ... e.g. what CAs the client trusts. 285 * Until we know how to parse it, we will just read what we know 286 * about, and let our caller handle the jumps over unknown data. 287 */ 288 static final class ClientHello extends HandshakeMessage { 289 290 ProtocolVersion protocolVersion; 291 RandomCookie clnt_random; 292 SessionId sessionId; 293 byte[] cookie; // DTLS only 294 private CipherSuiteList cipherSuites; 295 private final boolean isDTLS; 296 byte[] compression_methods; 297 298 HelloExtensions extensions = new HelloExtensions(); 299 300 private static final byte[] NULL_COMPRESSION = new byte[] {0}; 301 302 ClientHello(SecureRandom generator, ProtocolVersion protocolVersion, 303 SessionId sessionId, CipherSuiteList cipherSuites, 304 boolean isDTLS) { 305 306 this.isDTLS = isDTLS; 307 this.protocolVersion = protocolVersion; 308 this.sessionId = sessionId; 309 this.cipherSuites = cipherSuites; 310 if (isDTLS) { 311 this.cookie = new byte[0]; 312 } else { 313 this.cookie = null; 314 } 315 316 if (cipherSuites.containsEC()) { 317 extensions.add(SupportedEllipticCurvesExtension.DEFAULT); 318 extensions.add(SupportedEllipticPointFormatsExtension.DEFAULT); 319 } 320 321 clnt_random = new RandomCookie(generator); 322 compression_methods = NULL_COMPRESSION; 323 } 324 325 ClientHello(HandshakeInStream s, 326 int messageLength, boolean isDTLS) throws IOException { 327 328 this.isDTLS = isDTLS; 329 330 protocolVersion = ProtocolVersion.valueOf(s.getInt8(), s.getInt8()); 331 clnt_random = new RandomCookie(s); 332 sessionId = new SessionId(s.getBytes8()); 333 sessionId.checkLength(protocolVersion); 334 if (isDTLS) { 335 cookie = s.getBytes8(); 336 } else { 337 cookie = null; 338 } 339 340 cipherSuites = new CipherSuiteList(s); 341 compression_methods = s.getBytes8(); 342 if (messageLength() != messageLength) { 343 extensions = new HelloExtensions(s); 344 } 345 } 346 347 CipherSuiteList getCipherSuites() { 348 return cipherSuites; 349 } 350 351 // add renegotiation_info extension 352 void addRenegotiationInfoExtension(byte[] clientVerifyData) { 353 HelloExtension renegotiationInfo = new RenegotiationInfoExtension( 354 clientVerifyData, new byte[0]); 355 extensions.add(renegotiationInfo); 356 } 357 358 // add server_name extension 359 void addSNIExtension(List<SNIServerName> serverNames) { 360 try { 361 extensions.add(new ServerNameExtension(serverNames)); 362 } catch (IOException ioe) { 363 // ignore the exception and return 364 } 365 } 366 367 // add signature_algorithm extension 368 void addSignatureAlgorithmsExtension( 369 Collection<SignatureAndHashAlgorithm> algorithms) { 370 HelloExtension signatureAlgorithm = 371 new SignatureAlgorithmsExtension(algorithms); 372 extensions.add(signatureAlgorithm); 373 } 374 375 void addMFLExtension(int maximumPacketSize) { 376 HelloExtension maxFragmentLength = 377 new MaxFragmentLengthExtension(maximumPacketSize); 378 extensions.add(maxFragmentLength); 379 } 380 381 void updateHelloCookie(MessageDigest cookieDigest) { 382 // 383 // Just use HandshakeOutStream to compute the hello verify cookie. 384 // Not actually used to output handshake message records. 385 // 386 HandshakeOutStream hos = new HandshakeOutStream(null); 387 388 try { 389 send(hos, false); // Do not count hello verify cookie. 390 } catch (IOException ioe) { 391 // unlikely to happen 392 } 393 394 cookieDigest.update(hos.toByteArray()); 395 } 396 397 // Add status_request extension type 398 void addCertStatusRequestExtension() { 399 extensions.add(new CertStatusReqExtension(StatusRequestType.OCSP, 400 new OCSPStatusRequest())); 401 } 402 403 // Add status_request_v2 extension type 404 void addCertStatusReqListV2Extension() { 405 // Create a default OCSPStatusRequest that we can use for both 406 // OCSP_MULTI and OCSP request list items. 407 OCSPStatusRequest osr = new OCSPStatusRequest(); 408 List<CertStatusReqItemV2> itemList = new ArrayList<>(2); 409 itemList.add(new CertStatusReqItemV2(StatusRequestType.OCSP_MULTI, 410 osr)); 411 itemList.add(new CertStatusReqItemV2(StatusRequestType.OCSP, osr)); 412 extensions.add(new CertStatusReqListV2Extension(itemList)); 413 } 414 415 // add application_layer_protocol_negotiation extension 416 void addALPNExtension(String[] applicationProtocols) throws SSLException { 417 extensions.add(new ALPNExtension(applicationProtocols)); 418 } 419 420 @Override 421 int messageType() { return ht_client_hello; } 422 423 @Override 424 int messageLength() { 425 /* 426 * Add fixed size parts of each field... 427 * version + random + session + cipher + compress 428 */ 429 return (2 + 32 + 1 + 2 + 1 430 + sessionId.length() /* ... + variable parts */ 431 + (isDTLS ? (1 + cookie.length) : 0) 432 + (cipherSuites.size() * 2) 433 + compression_methods.length) 434 + extensions.length(); 435 } 436 437 @Override 438 void send(HandshakeOutStream s) throws IOException { 439 send(s, true); // Count hello verify cookie. 440 } 441 442 @Override 443 void print(PrintStream s) throws IOException { 444 s.println("*** ClientHello, " + protocolVersion); 445 446 if (debug != null && Debug.isOn("verbose")) { 447 s.print("RandomCookie: "); 448 clnt_random.print(s); 449 450 s.print("Session ID: "); 451 s.println(sessionId); 452 453 if (isDTLS) { 454 Debug.println(s, "cookie", cookie); 455 } 456 457 s.println("Cipher Suites: " + cipherSuites); 458 459 Debug.println(s, "Compression Methods", compression_methods); 460 extensions.print(s); 461 s.println("***"); 462 } 463 } 464 465 private void send(HandshakeOutStream s, 466 boolean computeCookie) throws IOException { 467 s.putInt8(protocolVersion.major); 468 s.putInt8(protocolVersion.minor); 469 clnt_random.send(s); 470 s.putBytes8(sessionId.getId()); 471 if (isDTLS && computeCookie) { 472 s.putBytes8(cookie); 473 } 474 cipherSuites.send(s); 475 s.putBytes8(compression_methods); 476 extensions.send(s); 477 } 478 479 } 480 481 /* 482 * ServerHello ... SERVER --> CLIENT 483 * 484 * Server chooses protocol options from among those it supports and the 485 * client supports. Then it sends the basic session descriptive parameters 486 * back to the client. 487 */ 488 static final 489 class ServerHello extends HandshakeMessage 490 { 491 @Override 492 int messageType() { return ht_server_hello; } 493 494 ProtocolVersion protocolVersion; 495 RandomCookie svr_random; 496 SessionId sessionId; 497 CipherSuite cipherSuite; 498 byte compression_method; 499 HelloExtensions extensions = new HelloExtensions(); 500 501 ServerHello() { 502 // empty 503 } 504 505 ServerHello(HandshakeInStream input, int messageLength) 506 throws IOException { 507 protocolVersion = ProtocolVersion.valueOf(input.getInt8(), 508 input.getInt8()); 509 svr_random = new RandomCookie(input); 510 sessionId = new SessionId(input.getBytes8()); 511 sessionId.checkLength(protocolVersion); 512 cipherSuite = CipherSuite.valueOf(input.getInt8(), input.getInt8()); 513 compression_method = (byte)input.getInt8(); 514 if (messageLength() != messageLength) { 515 extensions = new HelloExtensions(input); 516 } 517 } 518 519 @Override 520 int messageLength() 521 { 522 // almost fixed size, except session ID and extensions: 523 // major + minor = 2 524 // random = 32 525 // session ID len field = 1 526 // cipher suite + compression = 3 527 // extensions: if present, 2 + length of extensions 528 return 38 + sessionId.length() + extensions.length(); 529 } 530 531 @Override 532 void send(HandshakeOutStream s) throws IOException 533 { 534 s.putInt8(protocolVersion.major); 535 s.putInt8(protocolVersion.minor); 536 svr_random.send(s); 537 s.putBytes8(sessionId.getId()); 538 s.putInt8(cipherSuite.id >> 8); 539 s.putInt8(cipherSuite.id & 0xff); 540 s.putInt8(compression_method); 541 extensions.send(s); 542 } 543 544 @Override 545 void print(PrintStream s) throws IOException 546 { 547 s.println("*** ServerHello, " + protocolVersion); 548 549 if (debug != null && Debug.isOn("verbose")) { 550 s.print("RandomCookie: "); 551 svr_random.print(s); 552 553 s.print("Session ID: "); 554 s.println(sessionId); 555 556 s.println("Cipher Suite: " + cipherSuite); 557 s.println("Compression Method: " + compression_method); 558 extensions.print(s); 559 s.println("***"); 560 } 561 } 562 } 563 564 565 /* 566 * CertificateMsg ... send by both CLIENT and SERVER 567 * 568 * Each end of a connection may need to pass its certificate chain to 569 * the other end. Such chains are intended to validate an identity with 570 * reference to some certifying authority. Examples include companies 571 * like Verisign, or financial institutions. There's some control over 572 * the certifying authorities which are sent. 573 * 574 * NOTE: that these messages might be huge, taking many handshake records. 575 * Up to 2^48 bytes of certificate may be sent, in records of at most 2^14 576 * bytes each ... up to 2^32 records sent on the output stream. 577 */ 578 static final 579 class CertificateMsg extends HandshakeMessage 580 { 581 @Override 582 int messageType() { return ht_certificate; } 583 584 private X509Certificate[] chain; 585 586 private List<byte[]> encodedChain; 587 588 private int messageLength; 589 590 CertificateMsg(X509Certificate[] certs) { 591 chain = certs; 592 } 593 594 CertificateMsg(HandshakeInStream input) throws IOException { 595 int chainLen = input.getInt24(); 596 List<Certificate> v = new ArrayList<>(4); 597 598 CertificateFactory cf = null; 599 while (chainLen > 0) { 600 byte[] cert = input.getBytes24(); 601 chainLen -= (3 + cert.length); 602 try { 603 if (cf == null) { 604 cf = CertificateFactory.getInstance("X.509"); 605 } 606 v.add(cf.generateCertificate(new ByteArrayInputStream(cert))); 607 } catch (CertificateException e) { 608 throw (SSLProtocolException)new SSLProtocolException( 609 e.getMessage()).initCause(e); 610 } 611 } 612 613 chain = v.toArray(new X509Certificate[v.size()]); 614 } 615 616 @Override 617 int messageLength() { 618 if (encodedChain == null) { 619 messageLength = 3; 620 encodedChain = new ArrayList<byte[]>(chain.length); 621 try { 622 for (X509Certificate cert : chain) { 623 byte[] b = cert.getEncoded(); 624 encodedChain.add(b); 625 messageLength += b.length + 3; 626 } 627 } catch (CertificateEncodingException e) { 628 encodedChain = null; 629 throw new RuntimeException("Could not encode certificates", e); 630 } 631 } 632 return messageLength; 633 } 634 635 @Override 636 void send(HandshakeOutStream s) throws IOException { 637 s.putInt24(messageLength() - 3); 638 for (byte[] b : encodedChain) { 639 s.putBytes24(b); 640 } 641 } 642 643 @Override 644 void print(PrintStream s) throws IOException { 645 s.println("*** Certificate chain"); 646 647 if (chain.length == 0) { 648 s.println("<Empty>"); 649 } else if (debug != null && Debug.isOn("verbose")) { 650 for (int i = 0; i < chain.length; i++) { 651 s.println("chain [" + i + "] = " + chain[i]); 652 } 653 } 654 s.println("***"); 655 } 656 657 X509Certificate[] getCertificateChain() { 658 return chain.clone(); 659 } 660 } 661 662 /* 663 * CertificateStatus ... SERVER --> CLIENT 664 * 665 * When a ClientHello asserting the status_request or status_request_v2 666 * extensions is accepted by the server, it will fetch and return one 667 * or more status responses in this handshake message. 668 * 669 * NOTE: Like the Certificate handshake message, this can potentially 670 * be a very large message both due to the size of multiple status 671 * responses and the certificate chains that are often attached to them. 672 * Up to 2^24 bytes of status responses may be sent, possibly fragmented 673 * over multiple TLS records. 674 */ 675 static final class CertificateStatus extends HandshakeMessage 676 { 677 private final StatusRequestType statusType; 678 private int encodedResponsesLen; 679 private int messageLength = -1; 680 private List<byte[]> encodedResponses; 681 682 @Override 683 int messageType() { return ht_certificate_status; } 684 685 /** 686 * Create a CertificateStatus message from the certificates and their 687 * respective OCSP responses 688 * 689 * @param type an indication of the type of response (OCSP or OCSP_MULTI) 690 * @param responses a {@code List} of OCSP responses in DER-encoded form. 691 * For the OCSP type, only the first entry in the response list is 692 * used, and must correspond to the end-entity certificate sent to the 693 * peer. Zero-length or null values for the response data are not 694 * allowed for the OCSP type. For the OCSP_MULTI type, each entry in 695 * the list should match its corresponding certificate sent in the 696 * Server Certificate message. Where an OCSP response does not exist, 697 * either a zero-length array or a null value should be used. 698 * 699 * @throws SSLException if an unsupported StatusRequestType or invalid 700 * OCSP response data is provided. 701 */ 702 CertificateStatus(StatusRequestType type, X509Certificate[] chain, 703 Map<X509Certificate, byte[]> responses) { 704 statusType = type; 705 encodedResponsesLen = 0; 706 encodedResponses = new ArrayList<>(chain.length); 707 708 Objects.requireNonNull(chain, "Null chain not allowed"); 709 Objects.requireNonNull(responses, "Null responses not allowed"); 710 711 if (statusType == StatusRequestType.OCSP) { 712 // Just get the response for the end-entity certificate 713 byte[] respDER = responses.get(chain[0]); 714 if (respDER != null && respDER.length > 0) { 715 encodedResponses.add(respDER); 716 encodedResponsesLen = 3 + respDER.length; 717 } else { 718 throw new IllegalArgumentException("Zero-length or null " + 719 "OCSP Response"); 720 } 721 } else if (statusType == StatusRequestType.OCSP_MULTI) { 722 for (X509Certificate cert : chain) { 723 byte[] respDER = responses.get(cert); 724 if (respDER != null) { 725 encodedResponses.add(respDER); 726 encodedResponsesLen += (respDER.length + 3); 727 } else { 728 // If we cannot find a response for a given certificate 729 // then use a zero-length placeholder. 730 encodedResponses.add(new byte[0]); 731 encodedResponsesLen += 3; 732 } 733 } 734 } else { 735 throw new IllegalArgumentException( 736 "Unsupported StatusResponseType: " + statusType); 737 } 738 } 739 740 /** 741 * Decode the CertificateStatus handshake message coming from a 742 * {@code HandshakeInputStream}. 743 * 744 * @param input the {@code HandshakeInputStream} containing the 745 * CertificateStatus message bytes. 746 * 747 * @throws SSLHandshakeException if a zero-length response is found in the 748 * OCSP response type, or an unsupported response type is detected. 749 * @throws IOException if a decoding error occurs. 750 */ 751 CertificateStatus(HandshakeInStream input) throws IOException { 752 encodedResponsesLen = 0; 753 encodedResponses = new ArrayList<>(); 754 755 statusType = StatusRequestType.get(input.getInt8()); 756 if (statusType == StatusRequestType.OCSP) { 757 byte[] respDER = input.getBytes24(); 758 // Convert the incoming bytes to a OCSPResponse strucutre 759 if (respDER.length > 0) { 760 encodedResponses.add(respDER); 761 encodedResponsesLen = 3 + respDER.length; 762 } else { 763 throw new SSLHandshakeException("Zero-length OCSP Response"); 764 } 765 } else if (statusType == StatusRequestType.OCSP_MULTI) { 766 int respListLen = input.getInt24(); 767 encodedResponsesLen = respListLen; 768 769 // Add each OCSP reponse into the array list in the order 770 // we receive them off the wire. A zero-length array is 771 // allowed for ocsp_multi, and means that a response for 772 // a given certificate is not available. 773 while (respListLen > 0) { 774 byte[] respDER = input.getBytes24(); 775 encodedResponses.add(respDER); 776 respListLen -= (respDER.length + 3); 777 } 778 779 if (respListLen != 0) { 780 throw new SSLHandshakeException( 781 "Bad OCSP response list length"); 782 } 783 } else { 784 throw new SSLHandshakeException("Unsupported StatusResponseType: " + 785 statusType); 786 } 787 } 788 789 /** 790 * Get the length of the CertificateStatus message. 791 * 792 * @return the length of the message in bytes. 793 */ 794 @Override 795 int messageLength() { 796 int len = 1; // Length + Status type 797 798 if (messageLength == -1) { 799 if (statusType == StatusRequestType.OCSP) { 800 len += encodedResponsesLen; 801 } else if (statusType == StatusRequestType.OCSP_MULTI) { 802 len += 3 + encodedResponsesLen; 803 } 804 messageLength = len; 805 } 806 807 return messageLength; 808 } 809 810 /** 811 * Encode the CertificateStatus handshake message and place it on a 812 * {@code HandshakeOutputStream}. 813 * 814 * @param s the HandshakeOutputStream that will the message bytes. 815 * 816 * @throws IOException if an encoding error occurs. 817 */ 818 @Override 819 void send(HandshakeOutStream s) throws IOException { 820 s.putInt8(statusType.id); 821 if (statusType == StatusRequestType.OCSP) { 822 s.putBytes24(encodedResponses.get(0)); 823 } else if (statusType == StatusRequestType.OCSP_MULTI) { 824 s.putInt24(encodedResponsesLen); 825 for (byte[] respBytes : encodedResponses) { 826 if (respBytes != null) { 827 s.putBytes24(respBytes); 828 } else { 829 s.putBytes24(null); 830 } 831 } 832 } else { 833 // It is highly unlikely that we will fall into this section of 834 // the code. 835 throw new SSLHandshakeException("Unsupported status_type: " + 836 statusType.id); 837 } 838 } 839 840 /** 841 * Display a human-readable representation of the CertificateStatus message. 842 * 843 * @param s the PrintStream used to display the message data. 844 * 845 * @throws IOException if any errors occur while parsing the OCSP response 846 * bytes into a readable form. 847 */ 848 @Override 849 void print(PrintStream s) throws IOException { 850 s.println("*** CertificateStatus"); 851 if (debug != null && Debug.isOn("verbose")) { 852 s.println("Type: " + statusType); 853 if (statusType == StatusRequestType.OCSP) { 854 OCSPResponse oResp = new OCSPResponse(encodedResponses.get(0)); 855 s.println(oResp); 856 } else if (statusType == StatusRequestType.OCSP_MULTI) { 857 int numResponses = encodedResponses.size(); 858 s.println(numResponses + 859 (numResponses == 1 ? " entry:" : " entries:")); 860 for (byte[] respDER : encodedResponses) { 861 if (respDER.length > 0) { 862 OCSPResponse oResp = new OCSPResponse(respDER); 863 s.println(oResp); 864 } else { 865 s.println("<Zero-length entry>"); 866 } 867 } 868 } 869 } 870 } 871 872 /** 873 * Get the type of CertificateStatus message 874 * 875 * @return the {@code StatusRequestType} for this CertificateStatus 876 * message. 877 */ 878 StatusRequestType getType() { 879 return statusType; 880 } 881 882 /** 883 * Get the list of non-zero length OCSP responses. 884 * The responses returned in this list can be used to map to 885 * {@code X509Certificate} objects provided by the peer and 886 * provided to a {@code PKIXRevocationChecker}. 887 * 888 * @return an unmodifiable List of zero or more byte arrays, each one 889 * consisting of a single status response. 890 */ 891 List<byte[]> getResponses() { 892 return Collections.unmodifiableList(encodedResponses); 893 } 894 } 895 896 /* 897 * ServerKeyExchange ... SERVER --> CLIENT 898 * 899 * The cipher suite selected, when combined with the certificate exchanged, 900 * implies one of several different kinds of key exchange. Most current 901 * cipher suites require the server to send more than its certificate. 902 * 903 * The primary exceptions are when a server sends an encryption-capable 904 * RSA public key in its cert, to be used with RSA (or RSA_export) key 905 * exchange; and when a server sends its Diffie-Hellman cert. Those kinds 906 * of key exchange do not require a ServerKeyExchange message. 907 * 908 * Key exchange can be viewed as having three modes, which are explicit 909 * for the Diffie-Hellman flavors and poorly specified for RSA ones: 910 * 911 * - "Ephemeral" keys. Here, a "temporary" key is allocated by the 912 * server, and signed. Diffie-Hellman keys signed using RSA or 913 * DSS are ephemeral (DHE flavor). RSA keys get used to do the same 914 * thing, to cut the key size down to 512 bits (export restrictions) 915 * or for signing-only RSA certificates. 916 * 917 * - Anonymity. Here no server certificate is sent, only the public 918 * key of the server. This case is subject to man-in-the-middle 919 * attacks. This can be done with Diffie-Hellman keys (DH_anon) or 920 * with RSA keys, but is only used in SSLv3 for DH_anon. 921 * 922 * - "Normal" case. Here a server certificate is sent, and the public 923 * key there is used directly in exchanging the premaster secret. 924 * For example, Diffie-Hellman "DH" flavor, and any RSA flavor with 925 * only 512 bit keys. 926 * 927 * If a server certificate is sent, there is no anonymity. However, 928 * when a certificate is sent, ephemeral keys may still be used to 929 * exchange the premaster secret. That's how RSA_EXPORT often works, 930 * as well as how the DHE_* flavors work. 931 */ 932 abstract static class ServerKeyExchange extends HandshakeMessage 933 { 934 @Override 935 int messageType() { return ht_server_key_exchange; } 936 } 937 938 939 /* 940 * Using RSA for Key Exchange: exchange a session key that's not as big 941 * as the signing-only key. Used for export applications, since exported 942 * RSA encryption keys can't be bigger than 512 bytes. 943 * 944 * This is never used when keys are 512 bits or smaller, and isn't used 945 * on "US Domestic" ciphers in any case. 946 */ 947 static final 948 class RSA_ServerKeyExchange extends ServerKeyExchange 949 { 950 private byte[] rsa_modulus; // 1 to 2^16 - 1 bytes 951 private byte[] rsa_exponent; // 1 to 2^16 - 1 bytes 952 953 private Signature signature; 954 private byte[] signatureBytes; 955 956 /* 957 * Hash the nonces and the ephemeral RSA public key. 958 */ 959 private void updateSignature(byte[] clntNonce, byte[] svrNonce) 960 throws SignatureException { 961 int tmp; 962 963 signature.update(clntNonce); 964 signature.update(svrNonce); 965 966 tmp = rsa_modulus.length; 967 signature.update((byte)(tmp >> 8)); 968 signature.update((byte)(tmp & 0x0ff)); 969 signature.update(rsa_modulus); 970 971 tmp = rsa_exponent.length; 972 signature.update((byte)(tmp >> 8)); 973 signature.update((byte)(tmp & 0x0ff)); 974 signature.update(rsa_exponent); 975 } 976 977 978 /* 979 * Construct an RSA server key exchange message, using data 980 * known _only_ to the server. 981 * 982 * The client knows the public key corresponding to this private 983 * key, from the Certificate message sent previously. To comply 984 * with US export regulations we use short RSA keys ... either 985 * long term ones in the server's X509 cert, or else ephemeral 986 * ones sent using this message. 987 */ 988 RSA_ServerKeyExchange(PublicKey ephemeralKey, PrivateKey privateKey, 989 RandomCookie clntNonce, RandomCookie svrNonce, SecureRandom sr) 990 throws GeneralSecurityException { 991 RSAPublicKeySpec rsaKey = JsseJce.getRSAPublicKeySpec(ephemeralKey); 992 rsa_modulus = toByteArray(rsaKey.getModulus()); 993 rsa_exponent = toByteArray(rsaKey.getPublicExponent()); 994 signature = RSASignature.getInstance(); 995 signature.initSign(privateKey, sr); 996 updateSignature(clntNonce.random_bytes, svrNonce.random_bytes); 997 signatureBytes = signature.sign(); 998 } 999 1000 1001 /* 1002 * Parse an RSA server key exchange message, using data known 1003 * to the client (and, in some situations, eavesdroppers). 1004 */ 1005 RSA_ServerKeyExchange(HandshakeInStream input) 1006 throws IOException, NoSuchAlgorithmException { 1007 signature = RSASignature.getInstance(); 1008 rsa_modulus = input.getBytes16(); 1009 rsa_exponent = input.getBytes16(); 1010 signatureBytes = input.getBytes16(); 1011 } 1012 1013 /* 1014 * Get the ephemeral RSA public key that will be used in this 1015 * SSL connection. 1016 */ 1017 PublicKey getPublicKey() { 1018 try { 1019 KeyFactory kfac = JsseJce.getKeyFactory("RSA"); 1020 // modulus and exponent are always positive 1021 RSAPublicKeySpec kspec = new RSAPublicKeySpec( 1022 new BigInteger(1, rsa_modulus), 1023 new BigInteger(1, rsa_exponent)); 1024 return kfac.generatePublic(kspec); 1025 } catch (Exception e) { 1026 throw new RuntimeException(e); 1027 } 1028 } 1029 1030 /* 1031 * Verify the signed temporary key using the hashes computed 1032 * from it and the two nonces. This is called by clients 1033 * with "exportable" RSA flavors. 1034 */ 1035 boolean verify(PublicKey certifiedKey, RandomCookie clntNonce, 1036 RandomCookie svrNonce) throws GeneralSecurityException { 1037 signature.initVerify(certifiedKey); 1038 updateSignature(clntNonce.random_bytes, svrNonce.random_bytes); 1039 return signature.verify(signatureBytes); 1040 } 1041 1042 @Override 1043 int messageLength() { 1044 return 6 + rsa_modulus.length + rsa_exponent.length 1045 + signatureBytes.length; 1046 } 1047 1048 @Override 1049 void send(HandshakeOutStream s) throws IOException { 1050 s.putBytes16(rsa_modulus); 1051 s.putBytes16(rsa_exponent); 1052 s.putBytes16(signatureBytes); 1053 } 1054 1055 @Override 1056 void print(PrintStream s) throws IOException { 1057 s.println("*** RSA ServerKeyExchange"); 1058 1059 if (debug != null && Debug.isOn("verbose")) { 1060 Debug.println(s, "RSA Modulus", rsa_modulus); 1061 Debug.println(s, "RSA Public Exponent", rsa_exponent); 1062 } 1063 } 1064 } 1065 1066 1067 /* 1068 * Using Diffie-Hellman algorithm for key exchange. All we really need to 1069 * do is securely get Diffie-Hellman keys (using the same P, G parameters) 1070 * to our peer, then we automatically have a shared secret without need 1071 * to exchange any more data. (D-H only solutions, such as SKIP, could 1072 * eliminate key exchange negotiations and get faster connection setup. 1073 * But they still need a signature algorithm like DSS/DSA to support the 1074 * trusted distribution of keys without relying on unscalable physical 1075 * key distribution systems.) 1076 * 1077 * This class supports several DH-based key exchange algorithms, though 1078 * perhaps eventually each deserves its own class. Notably, this has 1079 * basic support for DH_anon and its DHE_DSS and DHE_RSA signed variants. 1080 */ 1081 static final 1082 class DH_ServerKeyExchange extends ServerKeyExchange 1083 { 1084 // Fix message encoding, see 4348279 1085 private static final boolean dhKeyExchangeFix = 1086 Debug.getBooleanProperty("com.sun.net.ssl.dhKeyExchangeFix", true); 1087 1088 private byte[] dh_p; // 1 to 2^16 - 1 bytes 1089 private byte[] dh_g; // 1 to 2^16 - 1 bytes 1090 private byte[] dh_Ys; // 1 to 2^16 - 1 bytes 1091 1092 private byte[] signature; 1093 1094 // protocol version being established using this ServerKeyExchange message 1095 ProtocolVersion protocolVersion; 1096 1097 // the preferable signature algorithm used by this ServerKeyExchange message 1098 private SignatureAndHashAlgorithm preferableSignatureAlgorithm; 1099 1100 /* 1101 * Construct from initialized DH key object, for DH_anon 1102 * key exchange. 1103 */ 1104 DH_ServerKeyExchange(DHCrypt obj, ProtocolVersion protocolVersion) { 1105 this.protocolVersion = protocolVersion; 1106 this.preferableSignatureAlgorithm = null; 1107 1108 // The DH key has been validated in the constructor of DHCrypt. 1109 setValues(obj); 1110 signature = null; 1111 } 1112 1113 /* 1114 * Construct from initialized DH key object and the key associated 1115 * with the cert chain which was sent ... for DHE_DSS and DHE_RSA 1116 * key exchange. (Constructor called by server.) 1117 */ 1118 DH_ServerKeyExchange(DHCrypt obj, PrivateKey key, byte[] clntNonce, 1119 byte[] svrNonce, SecureRandom sr, 1120 SignatureAndHashAlgorithm signAlgorithm, 1121 ProtocolVersion protocolVersion) throws GeneralSecurityException { 1122 1123 this.protocolVersion = protocolVersion; 1124 1125 // The DH key has been validated in the constructor of DHCrypt. 1126 setValues(obj); 1127 1128 Signature sig; 1129 if (protocolVersion.useTLS12PlusSpec()) { 1130 this.preferableSignatureAlgorithm = signAlgorithm; 1131 sig = JsseJce.getSignature(signAlgorithm.getAlgorithmName()); 1132 } else { 1133 this.preferableSignatureAlgorithm = null; 1134 if (key.getAlgorithm().equals("DSA")) { 1135 sig = JsseJce.getSignature(JsseJce.SIGNATURE_DSA); 1136 } else { 1137 sig = RSASignature.getInstance(); 1138 } 1139 } 1140 1141 sig.initSign(key, sr); 1142 updateSignature(sig, clntNonce, svrNonce); 1143 signature = sig.sign(); 1144 } 1145 1146 /* 1147 * Construct a DH_ServerKeyExchange message from an input 1148 * stream, as if sent from server to client for use with 1149 * DH_anon key exchange 1150 */ 1151 DH_ServerKeyExchange(HandshakeInStream input, 1152 ProtocolVersion protocolVersion) 1153 throws IOException, GeneralSecurityException { 1154 1155 this.protocolVersion = protocolVersion; 1156 this.preferableSignatureAlgorithm = null; 1157 1158 dh_p = input.getBytes16(); 1159 dh_g = input.getBytes16(); 1160 dh_Ys = input.getBytes16(); 1161 KeyUtil.validate(new DHPublicKeySpec(new BigInteger(1, dh_Ys), 1162 new BigInteger(1, dh_p), 1163 new BigInteger(1, dh_g))); 1164 1165 signature = null; 1166 } 1167 1168 /* 1169 * Construct a DH_ServerKeyExchange message from an input stream 1170 * and a certificate, as if sent from server to client for use with 1171 * DHE_DSS or DHE_RSA key exchange. (Called by client.) 1172 */ 1173 DH_ServerKeyExchange(HandshakeInStream input, PublicKey publicKey, 1174 byte[] clntNonce, byte[] svrNonce, int messageSize, 1175 Collection<SignatureAndHashAlgorithm> localSupportedSignAlgs, 1176 ProtocolVersion protocolVersion) 1177 throws IOException, GeneralSecurityException { 1178 1179 this.protocolVersion = protocolVersion; 1180 1181 // read params: ServerDHParams 1182 dh_p = input.getBytes16(); 1183 dh_g = input.getBytes16(); 1184 dh_Ys = input.getBytes16(); 1185 KeyUtil.validate(new DHPublicKeySpec(new BigInteger(1, dh_Ys), 1186 new BigInteger(1, dh_p), 1187 new BigInteger(1, dh_g))); 1188 1189 // read the signature and hash algorithm 1190 if (protocolVersion.useTLS12PlusSpec()) { 1191 int hash = input.getInt8(); // hash algorithm 1192 int signature = input.getInt8(); // signature algorithm 1193 1194 preferableSignatureAlgorithm = 1195 SignatureAndHashAlgorithm.valueOf(hash, signature, 0); 1196 1197 // Is it a local supported signature algorithm? 1198 if (!localSupportedSignAlgs.contains( 1199 preferableSignatureAlgorithm)) { 1200 throw new SSLHandshakeException( 1201 "Unsupported SignatureAndHashAlgorithm in " + 1202 "ServerKeyExchange message: " + 1203 preferableSignatureAlgorithm); 1204 } 1205 } else { 1206 this.preferableSignatureAlgorithm = null; 1207 } 1208 1209 // read the signature 1210 byte[] signature; 1211 if (dhKeyExchangeFix) { 1212 signature = input.getBytes16(); 1213 } else { 1214 messageSize -= (dh_p.length + 2); 1215 messageSize -= (dh_g.length + 2); 1216 messageSize -= (dh_Ys.length + 2); 1217 1218 signature = new byte[messageSize]; 1219 input.read(signature); 1220 } 1221 1222 Signature sig; 1223 String algorithm = publicKey.getAlgorithm(); 1224 if (protocolVersion.useTLS12PlusSpec()) { 1225 sig = JsseJce.getSignature( 1226 preferableSignatureAlgorithm.getAlgorithmName()); 1227 } else { 1228 switch (algorithm) { 1229 case "DSA": 1230 sig = JsseJce.getSignature(JsseJce.SIGNATURE_DSA); 1231 break; 1232 case "RSA": 1233 sig = RSASignature.getInstance(); 1234 break; 1235 default: 1236 throw new SSLKeyException( 1237 "neither an RSA or a DSA key: " + algorithm); 1238 } 1239 } 1240 1241 sig.initVerify(publicKey); 1242 updateSignature(sig, clntNonce, svrNonce); 1243 1244 if (sig.verify(signature) == false ) { 1245 throw new SSLKeyException("Server D-H key verification failed"); 1246 } 1247 } 1248 1249 /* Return the Diffie-Hellman modulus */ 1250 BigInteger getModulus() { 1251 return new BigInteger(1, dh_p); 1252 } 1253 1254 /* Return the Diffie-Hellman base/generator */ 1255 BigInteger getBase() { 1256 return new BigInteger(1, dh_g); 1257 } 1258 1259 /* Return the server's Diffie-Hellman public key */ 1260 BigInteger getServerPublicKey() { 1261 return new BigInteger(1, dh_Ys); 1262 } 1263 1264 /* 1265 * Update sig with nonces and Diffie-Hellman public key. 1266 */ 1267 private void updateSignature(Signature sig, byte[] clntNonce, 1268 byte[] svrNonce) throws SignatureException { 1269 int tmp; 1270 1271 sig.update(clntNonce); 1272 sig.update(svrNonce); 1273 1274 tmp = dh_p.length; 1275 sig.update((byte)(tmp >> 8)); 1276 sig.update((byte)(tmp & 0x0ff)); 1277 sig.update(dh_p); 1278 1279 tmp = dh_g.length; 1280 sig.update((byte)(tmp >> 8)); 1281 sig.update((byte)(tmp & 0x0ff)); 1282 sig.update(dh_g); 1283 1284 tmp = dh_Ys.length; 1285 sig.update((byte)(tmp >> 8)); 1286 sig.update((byte)(tmp & 0x0ff)); 1287 sig.update(dh_Ys); 1288 } 1289 1290 private void setValues(DHCrypt obj) { 1291 dh_p = toByteArray(obj.getModulus()); 1292 dh_g = toByteArray(obj.getBase()); 1293 dh_Ys = toByteArray(obj.getPublicKey()); 1294 } 1295 1296 @Override 1297 int messageLength() { 1298 int temp = 6; // overhead for p, g, y(s) values. 1299 1300 temp += dh_p.length; 1301 temp += dh_g.length; 1302 temp += dh_Ys.length; 1303 1304 if (signature != null) { 1305 if (protocolVersion.useTLS12PlusSpec()) { 1306 temp += SignatureAndHashAlgorithm.sizeInRecord(); 1307 } 1308 1309 temp += signature.length; 1310 if (dhKeyExchangeFix) { 1311 temp += 2; 1312 } 1313 } 1314 1315 return temp; 1316 } 1317 1318 @Override 1319 void send(HandshakeOutStream s) throws IOException { 1320 s.putBytes16(dh_p); 1321 s.putBytes16(dh_g); 1322 s.putBytes16(dh_Ys); 1323 1324 if (signature != null) { 1325 if (protocolVersion.useTLS12PlusSpec()) { 1326 s.putInt8(preferableSignatureAlgorithm.getHashValue()); 1327 s.putInt8(preferableSignatureAlgorithm.getSignatureValue()); 1328 } 1329 1330 if (dhKeyExchangeFix) { 1331 s.putBytes16(signature); 1332 } else { 1333 s.write(signature); 1334 } 1335 } 1336 } 1337 1338 @Override 1339 void print(PrintStream s) throws IOException { 1340 s.println("*** Diffie-Hellman ServerKeyExchange"); 1341 1342 if (debug != null && Debug.isOn("verbose")) { 1343 Debug.println(s, "DH Modulus", dh_p); 1344 Debug.println(s, "DH Base", dh_g); 1345 Debug.println(s, "Server DH Public Key", dh_Ys); 1346 1347 if (signature == null) { 1348 s.println("Anonymous"); 1349 } else { 1350 if (protocolVersion.useTLS12PlusSpec()) { 1351 s.println("Signature Algorithm " + 1352 preferableSignatureAlgorithm.getAlgorithmName()); 1353 } 1354 1355 s.println("Signed with a DSA or RSA public key"); 1356 } 1357 } 1358 } 1359 } 1360 1361 /* 1362 * ECDH server key exchange message. Sent by the server for ECDHE and ECDH_anon 1363 * ciphersuites to communicate its ephemeral public key (including the 1364 * EC domain parameters). 1365 * 1366 * We support named curves only, no explicitly encoded curves. 1367 */ 1368 static final 1369 class ECDH_ServerKeyExchange extends ServerKeyExchange { 1370 1371 // constants for ECCurveType 1372 private static final int CURVE_EXPLICIT_PRIME = 1; 1373 private static final int CURVE_EXPLICIT_CHAR2 = 2; 1374 private static final int CURVE_NAMED_CURVE = 3; 1375 1376 // id of the curve we are using 1377 private int curveId; 1378 // encoded public point 1379 private byte[] pointBytes; 1380 1381 // signature bytes (or null if anonymous) 1382 private byte[] signatureBytes; 1383 1384 // public key object encapsulated in this message 1385 private ECPublicKey publicKey; 1386 1387 // protocol version being established using this ServerKeyExchange message 1388 ProtocolVersion protocolVersion; 1389 1390 // the preferable signature algorithm used by this ServerKeyExchange message 1391 private SignatureAndHashAlgorithm preferableSignatureAlgorithm; 1392 1393 ECDH_ServerKeyExchange(ECDHCrypt obj, PrivateKey privateKey, 1394 byte[] clntNonce, byte[] svrNonce, SecureRandom sr, 1395 SignatureAndHashAlgorithm signAlgorithm, 1396 ProtocolVersion protocolVersion) throws GeneralSecurityException { 1397 1398 this.protocolVersion = protocolVersion; 1399 1400 publicKey = (ECPublicKey)obj.getPublicKey(); 1401 ECParameterSpec params = publicKey.getParams(); 1402 ECPoint point = publicKey.getW(); 1403 pointBytes = JsseJce.encodePoint(point, params.getCurve()); 1404 curveId = SupportedEllipticCurvesExtension.getCurveIndex(params); 1405 1406 if (privateKey == null) { 1407 // ECDH_anon 1408 return; 1409 } 1410 1411 Signature sig; 1412 if (protocolVersion.useTLS12PlusSpec()) { 1413 this.preferableSignatureAlgorithm = signAlgorithm; 1414 sig = JsseJce.getSignature(signAlgorithm.getAlgorithmName()); 1415 } else { 1416 sig = getSignature(privateKey.getAlgorithm()); 1417 } 1418 sig.initSign(privateKey); // where is the SecureRandom? 1419 1420 updateSignature(sig, clntNonce, svrNonce); 1421 signatureBytes = sig.sign(); 1422 } 1423 1424 /* 1425 * Parse an ECDH server key exchange message. 1426 */ 1427 ECDH_ServerKeyExchange(HandshakeInStream input, PublicKey signingKey, 1428 byte[] clntNonce, byte[] svrNonce, 1429 Collection<SignatureAndHashAlgorithm> localSupportedSignAlgs, 1430 ProtocolVersion protocolVersion) 1431 throws IOException, GeneralSecurityException { 1432 1433 this.protocolVersion = protocolVersion; 1434 1435 // read params: ServerECDHParams 1436 int curveType = input.getInt8(); 1437 ECParameterSpec parameters; 1438 // These parsing errors should never occur as we negotiated 1439 // the supported curves during the exchange of the Hello messages. 1440 if (curveType == CURVE_NAMED_CURVE) { 1441 curveId = input.getInt16(); 1442 if (SupportedEllipticCurvesExtension.isSupported(curveId) 1443 == false) { 1444 throw new SSLHandshakeException( 1445 "Unsupported curveId: " + curveId); 1446 } 1447 String curveOid = 1448 SupportedEllipticCurvesExtension.getCurveOid(curveId); 1449 if (curveOid == null) { 1450 throw new SSLHandshakeException( 1451 "Unknown named curve: " + curveId); 1452 } 1453 parameters = JsseJce.getECParameterSpec(curveOid); 1454 if (parameters == null) { 1455 throw new SSLHandshakeException( 1456 "Unsupported curve: " + curveOid); 1457 } 1458 } else { 1459 throw new SSLHandshakeException( 1460 "Unsupported ECCurveType: " + curveType); 1461 } 1462 pointBytes = input.getBytes8(); 1463 1464 ECPoint point = JsseJce.decodePoint(pointBytes, parameters.getCurve()); 1465 KeyFactory factory = JsseJce.getKeyFactory("EC"); 1466 publicKey = (ECPublicKey)factory.generatePublic( 1467 new ECPublicKeySpec(point, parameters)); 1468 1469 if (signingKey == null) { 1470 // ECDH_anon 1471 return; 1472 } 1473 1474 // read the signature and hash algorithm 1475 if (protocolVersion.useTLS12PlusSpec()) { 1476 int hash = input.getInt8(); // hash algorithm 1477 int signature = input.getInt8(); // signature algorithm 1478 1479 preferableSignatureAlgorithm = 1480 SignatureAndHashAlgorithm.valueOf(hash, signature, 0); 1481 1482 // Is it a local supported signature algorithm? 1483 if (!localSupportedSignAlgs.contains( 1484 preferableSignatureAlgorithm)) { 1485 throw new SSLHandshakeException( 1486 "Unsupported SignatureAndHashAlgorithm in " + 1487 "ServerKeyExchange message: " + 1488 preferableSignatureAlgorithm); 1489 } 1490 } 1491 1492 // read the signature 1493 signatureBytes = input.getBytes16(); 1494 1495 // verify the signature 1496 Signature sig; 1497 if (protocolVersion.useTLS12PlusSpec()) { 1498 sig = JsseJce.getSignature( 1499 preferableSignatureAlgorithm.getAlgorithmName()); 1500 } else { 1501 sig = getSignature(signingKey.getAlgorithm()); 1502 } 1503 sig.initVerify(signingKey); 1504 1505 updateSignature(sig, clntNonce, svrNonce); 1506 1507 if (sig.verify(signatureBytes) == false ) { 1508 throw new SSLKeyException( 1509 "Invalid signature on ECDH server key exchange message"); 1510 } 1511 } 1512 1513 /* 1514 * Get the ephemeral EC public key encapsulated in this message. 1515 */ 1516 ECPublicKey getPublicKey() { 1517 return publicKey; 1518 } 1519 1520 private static Signature getSignature(String keyAlgorithm) 1521 throws NoSuchAlgorithmException { 1522 switch (keyAlgorithm) { 1523 case "EC": 1524 return JsseJce.getSignature(JsseJce.SIGNATURE_ECDSA); 1525 case "RSA": 1526 return RSASignature.getInstance(); 1527 default: 1528 throw new NoSuchAlgorithmException( 1529 "neither an RSA or a EC key : " + keyAlgorithm); 1530 } 1531 } 1532 1533 private void updateSignature(Signature sig, byte[] clntNonce, 1534 byte[] svrNonce) throws SignatureException { 1535 sig.update(clntNonce); 1536 sig.update(svrNonce); 1537 1538 sig.update((byte)CURVE_NAMED_CURVE); 1539 sig.update((byte)(curveId >> 8)); 1540 sig.update((byte)curveId); 1541 sig.update((byte)pointBytes.length); 1542 sig.update(pointBytes); 1543 } 1544 1545 @Override 1546 int messageLength() { 1547 int sigLen = 0; 1548 if (signatureBytes != null) { 1549 sigLen = 2 + signatureBytes.length; 1550 if (protocolVersion.useTLS12PlusSpec()) { 1551 sigLen += SignatureAndHashAlgorithm.sizeInRecord(); 1552 } 1553 } 1554 1555 return 4 + pointBytes.length + sigLen; 1556 } 1557 1558 @Override 1559 void send(HandshakeOutStream s) throws IOException { 1560 s.putInt8(CURVE_NAMED_CURVE); 1561 s.putInt16(curveId); 1562 s.putBytes8(pointBytes); 1563 1564 if (signatureBytes != null) { 1565 if (protocolVersion.useTLS12PlusSpec()) { 1566 s.putInt8(preferableSignatureAlgorithm.getHashValue()); 1567 s.putInt8(preferableSignatureAlgorithm.getSignatureValue()); 1568 } 1569 1570 s.putBytes16(signatureBytes); 1571 } 1572 } 1573 1574 @Override 1575 void print(PrintStream s) throws IOException { 1576 s.println("*** ECDH ServerKeyExchange"); 1577 1578 if (debug != null && Debug.isOn("verbose")) { 1579 if (signatureBytes == null) { 1580 s.println("Anonymous"); 1581 } else { 1582 if (protocolVersion.useTLS12PlusSpec()) { 1583 s.println("Signature Algorithm " + 1584 preferableSignatureAlgorithm.getAlgorithmName()); 1585 } 1586 } 1587 1588 s.println("Server key: " + publicKey); 1589 } 1590 } 1591 } 1592 1593 static final class DistinguishedName { 1594 1595 /* 1596 * DER encoded distinguished name. 1597 * TLS requires that its not longer than 65535 bytes. 1598 */ 1599 byte[] name; 1600 1601 DistinguishedName(HandshakeInStream input) throws IOException { 1602 name = input.getBytes16(); 1603 } 1604 1605 DistinguishedName(X500Principal dn) { 1606 name = dn.getEncoded(); 1607 } 1608 1609 X500Principal getX500Principal() throws IOException { 1610 try { 1611 return new X500Principal(name); 1612 } catch (IllegalArgumentException e) { 1613 throw (SSLProtocolException)new SSLProtocolException( 1614 e.getMessage()).initCause(e); 1615 } 1616 } 1617 1618 int length() { 1619 return 2 + name.length; 1620 } 1621 1622 void send(HandshakeOutStream output) throws IOException { 1623 output.putBytes16(name); 1624 } 1625 1626 void print(PrintStream output) throws IOException { 1627 X500Principal principal = new X500Principal(name); 1628 output.println("<" + principal.toString() + ">"); 1629 } 1630 } 1631 1632 /* 1633 * CertificateRequest ... SERVER --> CLIENT 1634 * 1635 * Authenticated servers may ask clients to authenticate themselves 1636 * in turn, using this message. 1637 * 1638 * Prior to TLS 1.2, the structure of the message is defined as: 1639 * struct { 1640 * ClientCertificateType certificate_types<1..2^8-1>; 1641 * DistinguishedName certificate_authorities<0..2^16-1>; 1642 * } CertificateRequest; 1643 * 1644 * In TLS 1.2, the structure is changed to: 1645 * struct { 1646 * ClientCertificateType certificate_types<1..2^8-1>; 1647 * SignatureAndHashAlgorithm 1648 * supported_signature_algorithms<2^16-1>; 1649 * DistinguishedName certificate_authorities<0..2^16-1>; 1650 * } CertificateRequest; 1651 * 1652 */ 1653 static final 1654 class CertificateRequest extends HandshakeMessage 1655 { 1656 // enum ClientCertificateType 1657 static final int cct_rsa_sign = 1; 1658 static final int cct_dss_sign = 2; 1659 static final int cct_rsa_fixed_dh = 3; 1660 static final int cct_dss_fixed_dh = 4; 1661 1662 // The existance of these two values is a bug in the SSL specification. 1663 // They are never used in the protocol. 1664 static final int cct_rsa_ephemeral_dh = 5; 1665 static final int cct_dss_ephemeral_dh = 6; 1666 1667 // From RFC 4492 (ECC) 1668 static final int cct_ecdsa_sign = 64; 1669 static final int cct_rsa_fixed_ecdh = 65; 1670 static final int cct_ecdsa_fixed_ecdh = 66; 1671 1672 private static final byte[] TYPES_NO_ECC = { cct_rsa_sign, cct_dss_sign }; 1673 private static final byte[] TYPES_ECC = 1674 { cct_rsa_sign, cct_dss_sign, cct_ecdsa_sign }; 1675 1676 byte[] types; // 1 to 255 types 1677 DistinguishedName[] authorities; // 3 to 2^16 - 1 1678 // ... "3" because that's the smallest DER-encoded X500 DN 1679 boolean authoritiesDropped = false; 1680 1681 // protocol version being established using this CertificateRequest message 1682 ProtocolVersion protocolVersion; 1683 1684 // supported_signature_algorithms for TLS 1.2 or later 1685 private Collection<SignatureAndHashAlgorithm> algorithms; 1686 1687 // length of supported_signature_algorithms 1688 private int algorithmsLen; 1689 1690 1691 private static final boolean allowDropAuthorites = 1692 Debug.getBooleanProperty("jdk.tls.allowDropCertReqAuthorites", false); 1693 1694 CertificateRequest(X509Certificate[] ca, KeyExchange keyExchange, 1695 Collection<SignatureAndHashAlgorithm> signAlgs, 1696 ProtocolVersion protocolVersion) throws IOException { 1697 1698 this.protocolVersion = protocolVersion; 1699 1700 // always use X500Principal 1701 authorities = new DistinguishedName[ca.length]; 1702 for (int i = 0, len = 0; i < ca.length; i++) { 1703 X500Principal x500Principal = ca[i].getSubjectX500Principal(); 1704 authorities[i] = new DistinguishedName(x500Principal); 1705 if (allowDropAuthorites) { 1706 len += authorities[i].length(); 1707 if (len >= Record.OVERFLOW_OF_INT16) { 1708 authorities = new DistinguishedName[0]; 1709 authoritiesDropped = true; 1710 break; 1711 } 1712 } 1713 } 1714 // we support RSA, DSS, and ECDSA client authentication and they 1715 // can be used with all ciphersuites. If this changes, the code 1716 // needs to be adapted to take keyExchange into account. 1717 // We only request ECDSA client auth if we have ECC crypto available. 1718 this.types = JsseJce.isEcAvailable() ? TYPES_ECC : TYPES_NO_ECC; 1719 1720 // Use supported_signature_algorithms for TLS 1.2 or later. 1721 if (protocolVersion.useTLS12PlusSpec()) { 1722 if (signAlgs == null || signAlgs.isEmpty()) { 1723 throw new SSLProtocolException( 1724 "No supported signature algorithms"); 1725 } 1726 1727 algorithms = new ArrayList<SignatureAndHashAlgorithm>(signAlgs); 1728 algorithmsLen = 1729 SignatureAndHashAlgorithm.sizeInRecord() * algorithms.size(); 1730 } else { 1731 algorithms = new ArrayList<SignatureAndHashAlgorithm>(); 1732 algorithmsLen = 0; 1733 } 1734 } 1735 1736 CertificateRequest(HandshakeInStream input, 1737 ProtocolVersion protocolVersion) throws IOException { 1738 1739 this.protocolVersion = protocolVersion; 1740 1741 // Read the certificate_types. 1742 types = input.getBytes8(); 1743 1744 // Read the supported_signature_algorithms for TLS 1.2 or later. 1745 if (protocolVersion.useTLS12PlusSpec()) { 1746 algorithmsLen = input.getInt16(); 1747 if (algorithmsLen < 2) { 1748 throw new SSLProtocolException( 1749 "Invalid supported_signature_algorithms field: " + 1750 algorithmsLen); 1751 } 1752 1753 algorithms = new ArrayList<SignatureAndHashAlgorithm>(); 1754 int remains = algorithmsLen; 1755 int sequence = 0; 1756 while (remains > 1) { // needs at least two bytes 1757 int hash = input.getInt8(); // hash algorithm 1758 int signature = input.getInt8(); // signature algorithm 1759 1760 SignatureAndHashAlgorithm algorithm = 1761 SignatureAndHashAlgorithm.valueOf(hash, signature, 1762 ++sequence); 1763 algorithms.add(algorithm); 1764 remains -= 2; // one byte for hash, one byte for signature 1765 } 1766 1767 if (remains != 0) { 1768 throw new SSLProtocolException( 1769 "Invalid supported_signature_algorithms field. remains: " + 1770 remains); 1771 } 1772 } else { 1773 algorithms = new ArrayList<SignatureAndHashAlgorithm>(); 1774 algorithmsLen = 0; 1775 } 1776 1777 // read the certificate_authorities 1778 int len = input.getInt16(); 1779 ArrayList<DistinguishedName> v = new ArrayList<>(); 1780 while (len >= 3) { 1781 DistinguishedName dn = new DistinguishedName(input); 1782 v.add(dn); 1783 len -= dn.length(); 1784 } 1785 1786 if (len != 0) { 1787 throw new SSLProtocolException( 1788 "Bad CertificateRequest DN length: " + len); 1789 } 1790 1791 authorities = v.toArray(new DistinguishedName[v.size()]); 1792 } 1793 1794 X500Principal[] getAuthorities() throws IOException { 1795 X500Principal[] ret = new X500Principal[authorities.length]; 1796 for (int i = 0; i < authorities.length; i++) { 1797 ret[i] = authorities[i].getX500Principal(); 1798 } 1799 return ret; 1800 } 1801 1802 Collection<SignatureAndHashAlgorithm> getSignAlgorithms() { 1803 return algorithms; 1804 } 1805 1806 @Override 1807 int messageType() { 1808 return ht_certificate_request; 1809 } 1810 1811 @Override 1812 int messageLength() { 1813 int len = 1 + types.length + 2; 1814 1815 if (protocolVersion.useTLS12PlusSpec()) { 1816 len += algorithmsLen + 2; 1817 } 1818 1819 for (int i = 0; i < authorities.length; i++) { 1820 len += authorities[i].length(); 1821 } 1822 1823 return len; 1824 } 1825 1826 @Override 1827 void send(HandshakeOutStream output) throws IOException { 1828 // put certificate_types 1829 output.putBytes8(types); 1830 1831 // put supported_signature_algorithms 1832 if (protocolVersion.useTLS12PlusSpec()) { 1833 output.putInt16(algorithmsLen); 1834 for (SignatureAndHashAlgorithm algorithm : algorithms) { 1835 output.putInt8(algorithm.getHashValue()); // hash 1836 output.putInt8(algorithm.getSignatureValue()); // signature 1837 } 1838 } 1839 1840 // put certificate_authorities 1841 int len = 0; 1842 for (int i = 0; i < authorities.length; i++) { 1843 len += authorities[i].length(); 1844 } 1845 1846 output.putInt16(len); 1847 for (int i = 0; i < authorities.length; i++) { 1848 authorities[i].send(output); 1849 } 1850 } 1851 1852 @Override 1853 void print(PrintStream s) throws IOException { 1854 s.println("*** CertificateRequest"); 1855 1856 if (debug != null && Debug.isOn("verbose")) { 1857 s.print("Cert Types: "); 1858 for (int i = 0; i < types.length; i++) { 1859 switch (types[i]) { 1860 case cct_rsa_sign: 1861 s.print("RSA"); break; 1862 case cct_dss_sign: 1863 s.print("DSS"); break; 1864 case cct_rsa_fixed_dh: 1865 s.print("Fixed DH (RSA sig)"); break; 1866 case cct_dss_fixed_dh: 1867 s.print("Fixed DH (DSS sig)"); break; 1868 case cct_rsa_ephemeral_dh: 1869 s.print("Ephemeral DH (RSA sig)"); break; 1870 case cct_dss_ephemeral_dh: 1871 s.print("Ephemeral DH (DSS sig)"); break; 1872 case cct_ecdsa_sign: 1873 s.print("ECDSA"); break; 1874 case cct_rsa_fixed_ecdh: 1875 s.print("Fixed ECDH (RSA sig)"); break; 1876 case cct_ecdsa_fixed_ecdh: 1877 s.print("Fixed ECDH (ECDSA sig)"); break; 1878 default: 1879 s.print("Type-" + (types[i] & 0xff)); break; 1880 } 1881 if (i != types.length - 1) { 1882 s.print(", "); 1883 } 1884 } 1885 s.println(); 1886 1887 if (protocolVersion.useTLS12PlusSpec()) { 1888 StringBuilder sb = new StringBuilder(); 1889 boolean opened = false; 1890 for (SignatureAndHashAlgorithm signAlg : algorithms) { 1891 if (opened) { 1892 sb.append(", ").append(signAlg.getAlgorithmName()); 1893 } else { 1894 sb.append(signAlg.getAlgorithmName()); 1895 opened = true; 1896 } 1897 } 1898 s.println("Supported Signature Algorithms: " + sb); 1899 } 1900 1901 s.println("Cert Authorities:"); 1902 if (authorities.length == 0) { 1903 s.println("<Empty>" + (authoritiesDropped ? " (dropped)" : "")); 1904 } else { 1905 for (int i = 0; i < authorities.length; i++) { 1906 authorities[i].print(s); 1907 } 1908 } 1909 } 1910 } 1911 } 1912 1913 1914 /* 1915 * ServerHelloDone ... SERVER --> CLIENT 1916 * 1917 * When server's done sending its messages in response to the client's 1918 * "hello" (e.g. its own hello, certificate, key exchange message, perhaps 1919 * client certificate request) it sends this message to flag that it's 1920 * done that part of the handshake. 1921 */ 1922 static final 1923 class ServerHelloDone extends HandshakeMessage 1924 { 1925 @Override 1926 int messageType() { return ht_server_hello_done; } 1927 1928 ServerHelloDone() { } 1929 1930 ServerHelloDone(HandshakeInStream input) 1931 { 1932 // nothing to do 1933 } 1934 1935 @Override 1936 int messageLength() 1937 { 1938 return 0; 1939 } 1940 1941 @Override 1942 void send(HandshakeOutStream s) throws IOException 1943 { 1944 // nothing to send 1945 } 1946 1947 @Override 1948 void print(PrintStream s) throws IOException 1949 { 1950 s.println("*** ServerHelloDone"); 1951 } 1952 } 1953 1954 1955 /* 1956 * CertificateVerify ... CLIENT --> SERVER 1957 * 1958 * Sent after client sends signature-capable certificates (e.g. not 1959 * Diffie-Hellman) to verify. 1960 */ 1961 static final class CertificateVerify extends HandshakeMessage { 1962 1963 // the signature bytes 1964 private byte[] signature; 1965 1966 // protocol version being established using this CertificateVerify message 1967 ProtocolVersion protocolVersion; 1968 1969 // the preferable signature algorithm used by this CertificateVerify message 1970 private SignatureAndHashAlgorithm preferableSignatureAlgorithm = null; 1971 1972 /* 1973 * Create an RSA or DSA signed certificate verify message. 1974 */ 1975 CertificateVerify(ProtocolVersion protocolVersion, 1976 HandshakeHash handshakeHash, PrivateKey privateKey, 1977 SecretKey masterSecret, SecureRandom sr, 1978 SignatureAndHashAlgorithm signAlgorithm) 1979 throws GeneralSecurityException { 1980 1981 this.protocolVersion = protocolVersion; 1982 1983 String algorithm = privateKey.getAlgorithm(); 1984 Signature sig = null; 1985 if (protocolVersion.useTLS12PlusSpec()) { 1986 this.preferableSignatureAlgorithm = signAlgorithm; 1987 sig = JsseJce.getSignature(signAlgorithm.getAlgorithmName()); 1988 } else { 1989 sig = getSignature(protocolVersion, algorithm); 1990 } 1991 sig.initSign(privateKey, sr); 1992 updateSignature(sig, protocolVersion, handshakeHash, algorithm, 1993 masterSecret); 1994 signature = sig.sign(); 1995 } 1996 1997 // 1998 // Unmarshal the signed data from the input stream. 1999 // 2000 CertificateVerify(HandshakeInStream input, 2001 Collection<SignatureAndHashAlgorithm> localSupportedSignAlgs, 2002 ProtocolVersion protocolVersion) throws IOException { 2003 2004 this.protocolVersion = protocolVersion; 2005 2006 // read the signature and hash algorithm 2007 if (protocolVersion.useTLS12PlusSpec()) { 2008 int hashAlg = input.getInt8(); // hash algorithm 2009 int signAlg = input.getInt8(); // signature algorithm 2010 2011 preferableSignatureAlgorithm = 2012 SignatureAndHashAlgorithm.valueOf(hashAlg, signAlg, 0); 2013 2014 // Is it a local supported signature algorithm? 2015 if (!localSupportedSignAlgs.contains( 2016 preferableSignatureAlgorithm)) { 2017 throw new SSLHandshakeException( 2018 "Unsupported SignatureAndHashAlgorithm in " + 2019 "CertificateVerify message: " + preferableSignatureAlgorithm); 2020 } 2021 } 2022 2023 // read the signature 2024 signature = input.getBytes16(); 2025 } 2026 2027 /* 2028 * Get the preferable signature algorithm used by this message 2029 */ 2030 SignatureAndHashAlgorithm getPreferableSignatureAlgorithm() { 2031 return preferableSignatureAlgorithm; 2032 } 2033 2034 /* 2035 * Verify a certificate verify message. Return the result of verification, 2036 * if there is a problem throw a GeneralSecurityException. 2037 */ 2038 boolean verify(ProtocolVersion protocolVersion, 2039 HandshakeHash handshakeHash, PublicKey publicKey, 2040 SecretKey masterSecret) throws GeneralSecurityException { 2041 String algorithm = publicKey.getAlgorithm(); 2042 Signature sig = null; 2043 if (protocolVersion.useTLS12PlusSpec()) { 2044 sig = JsseJce.getSignature( 2045 preferableSignatureAlgorithm.getAlgorithmName()); 2046 } else { 2047 sig = getSignature(protocolVersion, algorithm); 2048 } 2049 sig.initVerify(publicKey); 2050 updateSignature(sig, protocolVersion, handshakeHash, algorithm, 2051 masterSecret); 2052 return sig.verify(signature); 2053 } 2054 2055 /* 2056 * Get the Signature object appropriate for verification using the 2057 * given signature algorithm and protocol version. 2058 */ 2059 private static Signature getSignature(ProtocolVersion protocolVersion, 2060 String algorithm) throws GeneralSecurityException { 2061 switch (algorithm) { 2062 case "RSA": 2063 return RSASignature.getInternalInstance(); 2064 case "DSA": 2065 return JsseJce.getSignature(JsseJce.SIGNATURE_RAWDSA); 2066 case "EC": 2067 return JsseJce.getSignature(JsseJce.SIGNATURE_RAWECDSA); 2068 default: 2069 throw new SignatureException("Unrecognized algorithm: " 2070 + algorithm); 2071 } 2072 } 2073 2074 /* 2075 * Update the Signature with the data appropriate for the given 2076 * signature algorithm and protocol version so that the object is 2077 * ready for signing or verifying. 2078 */ 2079 private static void updateSignature(Signature sig, 2080 ProtocolVersion protocolVersion, 2081 HandshakeHash handshakeHash, String algorithm, SecretKey masterKey) 2082 throws SignatureException { 2083 2084 if (algorithm.equals("RSA")) { 2085 if (!protocolVersion.useTLS12PlusSpec()) { // TLS1.1- 2086 MessageDigest md5Clone = handshakeHash.getMD5Clone(); 2087 MessageDigest shaClone = handshakeHash.getSHAClone(); 2088 2089 if (!protocolVersion.useTLS10PlusSpec()) { // SSLv3 2090 updateDigest(md5Clone, MD5_pad1, MD5_pad2, masterKey); 2091 updateDigest(shaClone, SHA_pad1, SHA_pad2, masterKey); 2092 } 2093 2094 // The signature must be an instance of RSASignature, need 2095 // to use these hashes directly. 2096 RSASignature.setHashes(sig, md5Clone, shaClone); 2097 } else { // TLS1.2+ 2098 sig.update(handshakeHash.getAllHandshakeMessages()); 2099 } 2100 } else { // DSA, ECDSA 2101 if (!protocolVersion.useTLS12PlusSpec()) { // TLS1.1- 2102 MessageDigest shaClone = handshakeHash.getSHAClone(); 2103 2104 if (!protocolVersion.useTLS10PlusSpec()) { // SSLv3 2105 updateDigest(shaClone, SHA_pad1, SHA_pad2, masterKey); 2106 } 2107 2108 sig.update(shaClone.digest()); 2109 } else { // TLS1.2+ 2110 sig.update(handshakeHash.getAllHandshakeMessages()); 2111 } 2112 } 2113 } 2114 2115 /* 2116 * Update the MessageDigest for SSLv3 certificate verify or finished 2117 * message calculation. The digest must already have been updated with 2118 * all preceding handshake messages. 2119 * Used by the Finished class as well. 2120 */ 2121 private static void updateDigest(MessageDigest md, 2122 byte[] pad1, byte[] pad2, 2123 SecretKey masterSecret) { 2124 // Digest the key bytes if available. 2125 // Otherwise (sensitive key), try digesting the key directly. 2126 // That is currently only implemented in SunPKCS11 using a private 2127 // reflection API, so we avoid that if possible. 2128 byte[] keyBytes = "RAW".equals(masterSecret.getFormat()) 2129 ? masterSecret.getEncoded() : null; 2130 if (keyBytes != null) { 2131 md.update(keyBytes); 2132 } else { 2133 digestKey(md, masterSecret); 2134 } 2135 md.update(pad1); 2136 byte[] temp = md.digest(); 2137 2138 if (keyBytes != null) { 2139 md.update(keyBytes); 2140 } else { 2141 digestKey(md, masterSecret); 2142 } 2143 md.update(pad2); 2144 md.update(temp); 2145 } 2146 2147 private static final Class<?> delegate; 2148 private static final Field spiField; 2149 2150 static { 2151 try { 2152 delegate = Class.forName("java.security.MessageDigest$Delegate"); 2153 spiField = delegate.getDeclaredField("digestSpi"); 2154 } catch (Exception e) { 2155 throw new RuntimeException("Reflection failed", e); 2156 } 2157 makeAccessible(spiField); 2158 } 2159 2160 private static void makeAccessible(final AccessibleObject o) { 2161 AccessController.doPrivileged(new PrivilegedAction<Object>() { 2162 @Override 2163 public Object run() { 2164 o.setAccessible(true); 2165 return null; 2166 } 2167 }); 2168 } 2169 2170 // ConcurrentHashMap does not allow null values, use this marker object 2171 private static final Object NULL_OBJECT = new Object(); 2172 2173 // cache Method objects per Spi class 2174 // Note that this will prevent the Spi classes from being GC'd. We assume 2175 // that is not a problem. 2176 private static final Map<Class<?>,Object> methodCache = 2177 new ConcurrentHashMap<>(); 2178 2179 private static void digestKey(MessageDigest md, SecretKey key) { 2180 try { 2181 // Verify that md is implemented via MessageDigestSpi, not 2182 // via JDK 1.1 style MessageDigest subclassing. 2183 if (md.getClass() != delegate) { 2184 throw new Exception("Digest is not a MessageDigestSpi"); 2185 } 2186 MessageDigestSpi spi = (MessageDigestSpi)spiField.get(md); 2187 Class<?> clazz = spi.getClass(); 2188 Object r = methodCache.get(clazz); 2189 if (r == null) { 2190 try { 2191 r = clazz.getDeclaredMethod("implUpdate", SecretKey.class); 2192 makeAccessible((Method)r); 2193 } catch (NoSuchMethodException e) { 2194 r = NULL_OBJECT; 2195 } 2196 methodCache.put(clazz, r); 2197 } 2198 if (r == NULL_OBJECT) { 2199 throw new Exception( 2200 "Digest does not support implUpdate(SecretKey)"); 2201 } 2202 Method update = (Method)r; 2203 update.invoke(spi, key); 2204 } catch (Exception e) { 2205 throw new RuntimeException( 2206 "Could not obtain encoded key and " 2207 + "MessageDigest cannot digest key", e); 2208 } 2209 } 2210 2211 @Override 2212 int messageType() { 2213 return ht_certificate_verify; 2214 } 2215 2216 @Override 2217 int messageLength() { 2218 int temp = 2; 2219 2220 if (protocolVersion.useTLS12PlusSpec()) { 2221 temp += SignatureAndHashAlgorithm.sizeInRecord(); 2222 } 2223 2224 return temp + signature.length; 2225 } 2226 2227 @Override 2228 void send(HandshakeOutStream s) throws IOException { 2229 if (protocolVersion.useTLS12PlusSpec()) { 2230 s.putInt8(preferableSignatureAlgorithm.getHashValue()); 2231 s.putInt8(preferableSignatureAlgorithm.getSignatureValue()); 2232 } 2233 2234 s.putBytes16(signature); 2235 } 2236 2237 @Override 2238 void print(PrintStream s) throws IOException { 2239 s.println("*** CertificateVerify"); 2240 2241 if (debug != null && Debug.isOn("verbose")) { 2242 if (protocolVersion.useTLS12PlusSpec()) { 2243 s.println("Signature Algorithm " + 2244 preferableSignatureAlgorithm.getAlgorithmName()); 2245 } 2246 } 2247 } 2248 } 2249 2250 2251 /* 2252 * FINISHED ... sent by both CLIENT and SERVER 2253 * 2254 * This is the FINISHED message as defined in the SSL and TLS protocols. 2255 * Both protocols define this handshake message slightly differently. 2256 * This class supports both formats. 2257 * 2258 * When handshaking is finished, each side sends a "change_cipher_spec" 2259 * record, then immediately sends a "finished" handshake message prepared 2260 * according to the newly adopted cipher spec. 2261 * 2262 * NOTE that until this is sent, no application data may be passed, unless 2263 * some non-default cipher suite has already been set up on this connection 2264 * connection (e.g. a previous handshake arranged one). 2265 */ 2266 static final class Finished extends HandshakeMessage { 2267 2268 // constant for a Finished message sent by the client 2269 static final int CLIENT = 1; 2270 2271 // constant for a Finished message sent by the server 2272 static final int SERVER = 2; 2273 2274 // enum Sender: "CLNT" and "SRVR" 2275 private static final byte[] SSL_CLIENT = { 0x43, 0x4C, 0x4E, 0x54 }; 2276 private static final byte[] SSL_SERVER = { 0x53, 0x52, 0x56, 0x52 }; 2277 2278 /* 2279 * Contents of the finished message ("checksum"). For TLS, it 2280 * is 12 bytes long, for SSLv3 36 bytes. 2281 */ 2282 private byte[] verifyData; 2283 2284 /* 2285 * Current cipher suite we are negotiating. TLS 1.2 has 2286 * ciphersuite-defined PRF algorithms. 2287 */ 2288 private ProtocolVersion protocolVersion; 2289 private CipherSuite cipherSuite; 2290 2291 /* 2292 * Create a finished message to send to the remote peer. 2293 */ 2294 Finished(ProtocolVersion protocolVersion, HandshakeHash handshakeHash, 2295 int sender, SecretKey master, CipherSuite cipherSuite) { 2296 this.protocolVersion = protocolVersion; 2297 this.cipherSuite = cipherSuite; 2298 verifyData = getFinished(handshakeHash, sender, master); 2299 } 2300 2301 /* 2302 * Constructor that reads FINISHED message from stream. 2303 */ 2304 Finished(ProtocolVersion protocolVersion, HandshakeInStream input, 2305 CipherSuite cipherSuite) throws IOException { 2306 this.protocolVersion = protocolVersion; 2307 this.cipherSuite = cipherSuite; 2308 int msgLen = protocolVersion.useTLS10PlusSpec() ? 12 : 36; 2309 verifyData = new byte[msgLen]; 2310 input.read(verifyData); 2311 } 2312 2313 /* 2314 * Verify that the hashes here are what would have been produced 2315 * according to a given set of inputs. This is used to ensure that 2316 * both client and server are fully in sync, and that the handshake 2317 * computations have been successful. 2318 */ 2319 boolean verify(HandshakeHash handshakeHash, int sender, SecretKey master) { 2320 byte[] myFinished = getFinished(handshakeHash, sender, master); 2321 return MessageDigest.isEqual(myFinished, verifyData); 2322 } 2323 2324 /* 2325 * Perform the actual finished message calculation. 2326 */ 2327 private byte[] getFinished(HandshakeHash handshakeHash, 2328 int sender, SecretKey masterKey) { 2329 byte[] sslLabel; 2330 String tlsLabel; 2331 if (sender == CLIENT) { 2332 sslLabel = SSL_CLIENT; 2333 tlsLabel = "client finished"; 2334 } else if (sender == SERVER) { 2335 sslLabel = SSL_SERVER; 2336 tlsLabel = "server finished"; 2337 } else { 2338 throw new RuntimeException("Invalid sender: " + sender); 2339 } 2340 2341 if (protocolVersion.useTLS10PlusSpec()) { 2342 // TLS 1.0+ 2343 try { 2344 byte[] seed; 2345 String prfAlg; 2346 PRF prf; 2347 2348 // Get the KeyGenerator alg and calculate the seed. 2349 if (protocolVersion.useTLS12PlusSpec()) { 2350 // TLS 1.2+ or DTLS 1.2+ 2351 seed = handshakeHash.getFinishedHash(); 2352 2353 prfAlg = "SunTls12Prf"; 2354 prf = cipherSuite.prfAlg; 2355 } else { 2356 // TLS 1.0/1.1, DTLS 1.0 2357 MessageDigest md5Clone = handshakeHash.getMD5Clone(); 2358 MessageDigest shaClone = handshakeHash.getSHAClone(); 2359 seed = new byte[36]; 2360 md5Clone.digest(seed, 0, 16); 2361 shaClone.digest(seed, 16, 20); 2362 2363 prfAlg = "SunTlsPrf"; 2364 prf = P_NONE; 2365 } 2366 2367 String prfHashAlg = prf.getPRFHashAlg(); 2368 int prfHashLength = prf.getPRFHashLength(); 2369 int prfBlockSize = prf.getPRFBlockSize(); 2370 2371 /* 2372 * RFC 5246/7.4.9 says that finished messages can 2373 * be ciphersuite-specific in both length/PRF hash 2374 * algorithm. If we ever run across a different 2375 * length, this call will need to be updated. 2376 */ 2377 @SuppressWarnings("deprecation") 2378 TlsPrfParameterSpec spec = new TlsPrfParameterSpec( 2379 masterKey, tlsLabel, seed, 12, 2380 prfHashAlg, prfHashLength, prfBlockSize); 2381 2382 KeyGenerator kg = JsseJce.getKeyGenerator(prfAlg); 2383 kg.init(spec); 2384 SecretKey prfKey = kg.generateKey(); 2385 if ("RAW".equals(prfKey.getFormat()) == false) { 2386 throw new ProviderException( 2387 "Invalid PRF output, format must be RAW. " + 2388 "Format received: " + prfKey.getFormat()); 2389 } 2390 byte[] finished = prfKey.getEncoded(); 2391 return finished; 2392 } catch (GeneralSecurityException e) { 2393 throw new RuntimeException("PRF failed", e); 2394 } 2395 } else { 2396 // SSLv3 2397 MessageDigest md5Clone = handshakeHash.getMD5Clone(); 2398 MessageDigest shaClone = handshakeHash.getSHAClone(); 2399 updateDigest(md5Clone, sslLabel, MD5_pad1, MD5_pad2, masterKey); 2400 updateDigest(shaClone, sslLabel, SHA_pad1, SHA_pad2, masterKey); 2401 byte[] finished = new byte[36]; 2402 try { 2403 md5Clone.digest(finished, 0, 16); 2404 shaClone.digest(finished, 16, 20); 2405 } catch (DigestException e) { 2406 // cannot occur 2407 throw new RuntimeException("Digest failed", e); 2408 } 2409 return finished; 2410 } 2411 } 2412 2413 /* 2414 * Update the MessageDigest for SSLv3 finished message calculation. 2415 * The digest must already have been updated with all preceding handshake 2416 * messages. This operation is almost identical to the certificate verify 2417 * hash, reuse that code. 2418 */ 2419 private static void updateDigest(MessageDigest md, byte[] sender, 2420 byte[] pad1, byte[] pad2, SecretKey masterSecret) { 2421 md.update(sender); 2422 CertificateVerify.updateDigest(md, pad1, pad2, masterSecret); 2423 } 2424 2425 // get the verify_data of the finished message 2426 byte[] getVerifyData() { 2427 return verifyData; 2428 } 2429 2430 @Override 2431 int messageType() { return ht_finished; } 2432 2433 @Override 2434 int messageLength() { 2435 return verifyData.length; 2436 } 2437 2438 @Override 2439 void send(HandshakeOutStream out) throws IOException { 2440 out.write(verifyData); 2441 } 2442 2443 @Override 2444 void print(PrintStream s) throws IOException { 2445 s.println("*** Finished"); 2446 if (debug != null && Debug.isOn("verbose")) { 2447 Debug.println(s, "verify_data", verifyData); 2448 s.println("***"); 2449 } 2450 } 2451 } 2452 2453 // 2454 // END of nested classes 2455 // 2456 2457 }