1 /*
2 * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26
27 package sun.security.ssl;
28
29 import java.io.*;
30 import java.util.*;
31 import java.util.concurrent.TimeUnit;
32 import java.security.*;
33 import java.security.cert.*;
34 import java.security.interfaces.*;
35 import java.security.spec.ECParameterSpec;
36 import java.math.BigInteger;
37
38 import javax.crypto.SecretKey;
39 import javax.net.ssl.*;
40
41 import sun.security.action.GetLongAction;
42 import sun.security.util.KeyUtil;
43 import sun.security.util.LegacyAlgorithmConstraints;
44 import sun.security.action.GetPropertyAction;
45 import sun.security.ssl.HandshakeMessage.*;
46 import sun.security.ssl.CipherSuite.*;
47 import sun.security.ssl.SignatureAndHashAlgorithm.*;
48 import static sun.security.ssl.CipherSuite.KeyExchange.*;
49
50 /**
51 * ServerHandshaker does the protocol handshaking from the point
52 * of view of a server. It is driven asychronously by handshake messages
53 * as delivered by the parent Handshaker class, and also uses
54 * common functionality (e.g. key generation) that is provided there.
55 *
56 * @author David Brownell
57 */
58 final class ServerHandshaker extends Handshaker {
59
60 // The default number of milliseconds the handshaker will wait for
61 // revocation status responses.
62 private static final long DEFAULT_STATUS_RESP_DELAY = 5000;
63
64 // is the server going to require the client to authenticate?
65 private ClientAuthType doClientAuth;
66
67 // our authentication info
68 private X509Certificate[] certs;
69 private PrivateKey privateKey;
70
71 private Object serviceCreds;
72
73 // flag to check for clientCertificateVerify message
74 private boolean needClientVerify = false;
75
76 /*
77 * For exportable ciphersuites using non-exportable key sizes, we use
78 * ephemeral RSA keys. We could also do anonymous RSA in the same way
79 * but there are no such ciphersuites currently defined.
80 */
81 private PrivateKey tempPrivateKey;
82 private PublicKey tempPublicKey;
83
84 /*
85 * For anonymous and ephemeral Diffie-Hellman key exchange, we use
86 * ephemeral Diffie-Hellman keys.
87 */
88 private DHCrypt dh;
89
90 // Helper for ECDH based key exchanges
91 private ECDHCrypt ecdh;
92
93 // version request by the client in its ClientHello
94 // we remember it for the RSA premaster secret version check
95 private ProtocolVersion clientRequestedVersion;
96
97 private SupportedEllipticCurvesExtension supportedCurves;
98
99 // the preferable signature algorithm used by ServerKeyExchange message
100 SignatureAndHashAlgorithm preferableSignatureAlgorithm;
101
102 // Flag to use smart ephemeral DH key which size matches the corresponding
103 // authentication key
104 private static final boolean useSmartEphemeralDHKeys;
105
106 // Flag to use legacy ephemeral DH key which size is 512 bits for
107 // exportable cipher suites, and 768 bits for others
108 private static final boolean useLegacyEphemeralDHKeys;
109
110 // The customized ephemeral DH key size for non-exportable cipher suites.
111 private static final int customizedDHKeySize;
112
113 // legacy algorithm constraints
114 private static final AlgorithmConstraints legacyAlgorithmConstraints =
115 new LegacyAlgorithmConstraints(
116 LegacyAlgorithmConstraints.PROPERTY_TLS_LEGACY_ALGS,
117 new SSLAlgorithmDecomposer());
118
119 private long statusRespTimeout;
120
121 static {
122 String property = AccessController.doPrivileged(
123 new GetPropertyAction("jdk.tls.ephemeralDHKeySize"));
124 if (property == null || property.length() == 0) {
125 useLegacyEphemeralDHKeys = false;
126 useSmartEphemeralDHKeys = false;
127 customizedDHKeySize = -1;
128 } else if ("matched".equals(property)) {
129 useLegacyEphemeralDHKeys = false;
130 useSmartEphemeralDHKeys = true;
131 customizedDHKeySize = -1;
132 } else if ("legacy".equals(property)) {
133 useLegacyEphemeralDHKeys = true;
134 useSmartEphemeralDHKeys = false;
135 customizedDHKeySize = -1;
136 } else {
137 useLegacyEphemeralDHKeys = false;
138 useSmartEphemeralDHKeys = false;
139
140 try {
141 // DH parameter generation can be extremely slow, best to
142 // use one of the supported pre-computed DH parameters
143 // (see DHCrypt class).
144 customizedDHKeySize = Integer.parseUnsignedInt(property);
145 if (customizedDHKeySize < 1024 || customizedDHKeySize > 8192 ||
146 (customizedDHKeySize & 0x3f) != 0) {
147 throw new IllegalArgumentException(
148 "Unsupported customized DH key size: " +
149 customizedDHKeySize + ". " +
150 "The key size must be multiple of 64, " +
151 "and can only range from 1024 to 8192 (inclusive)");
152 }
153 } catch (NumberFormatException nfe) {
154 throw new IllegalArgumentException(
155 "Invalid system property jdk.tls.ephemeralDHKeySize");
156 }
157 }
158 }
159
160 /*
161 * Constructor ... use the keys found in the auth context.
162 */
163 ServerHandshaker(SSLSocketImpl socket, SSLContextImpl context,
164 ProtocolList enabledProtocols, ClientAuthType clientAuth,
165 ProtocolVersion activeProtocolVersion, boolean isInitialHandshake,
166 boolean secureRenegotiation,
167 byte[] clientVerifyData, byte[] serverVerifyData) {
168
169 super(socket, context, enabledProtocols,
170 (clientAuth != ClientAuthType.CLIENT_AUTH_NONE), false,
171 activeProtocolVersion, isInitialHandshake, secureRenegotiation,
172 clientVerifyData, serverVerifyData);
173 doClientAuth = clientAuth;
174 statusRespTimeout = AccessController.doPrivileged(
175 new GetLongAction("jdk.tls.stapling.responseTimeout",
176 DEFAULT_STATUS_RESP_DELAY));
177 statusRespTimeout = statusRespTimeout >= 0 ? statusRespTimeout :
178 DEFAULT_STATUS_RESP_DELAY;
179 }
180
181 /*
182 * Constructor ... use the keys found in the auth context.
183 */
184 ServerHandshaker(SSLEngineImpl engine, SSLContextImpl context,
185 ProtocolList enabledProtocols, ClientAuthType clientAuth,
186 ProtocolVersion activeProtocolVersion,
187 boolean isInitialHandshake, boolean secureRenegotiation,
188 byte[] clientVerifyData, byte[] serverVerifyData,
189 boolean isDTLS) {
190
191 super(engine, context, enabledProtocols,
192 (clientAuth != ClientAuthType.CLIENT_AUTH_NONE), false,
193 activeProtocolVersion, isInitialHandshake, secureRenegotiation,
194 clientVerifyData, serverVerifyData, isDTLS);
195 doClientAuth = clientAuth;
196 statusRespTimeout = AccessController.doPrivileged(
197 new GetLongAction("jdk.tls.stapling.responseTimeout",
198 DEFAULT_STATUS_RESP_DELAY));
199 statusRespTimeout = statusRespTimeout >= 0 ? statusRespTimeout :
200 DEFAULT_STATUS_RESP_DELAY;
201 }
202
203 /*
204 * As long as handshaking has not started, we can change
205 * whether client authentication is required. Otherwise,
206 * we will need to wait for the next handshake.
207 */
208 void setClientAuth(ClientAuthType clientAuth) {
209 doClientAuth = clientAuth;
210 }
211
212 /*
213 * This routine handles all the server side handshake messages, one at
214 * a time. Given the message type (and in some cases the pending cipher
215 * spec) it parses the type-specific message. Then it calls a function
216 * that handles that specific message.
217 *
218 * It updates the state machine as each message is processed, and writes
219 * responses as needed using the connection in the constructor.
220 */
221 @Override
222 void processMessage(byte type, int message_len)
223 throws IOException {
224
225 // check the handshake state
226 handshakeState.check(type);
227
228 switch (type) {
229 case HandshakeMessage.ht_client_hello:
230 ClientHello ch = new ClientHello(input, message_len, isDTLS);
231 handshakeState.update(ch, resumingSession);
232
233 /*
234 * send it off for processing.
235 */
236 this.clientHello(ch);
237 break;
238
239 case HandshakeMessage.ht_certificate:
240 if (doClientAuth == ClientAuthType.CLIENT_AUTH_NONE) {
241 fatalSE(Alerts.alert_unexpected_message,
242 "client sent unsolicited cert chain");
243 // NOTREACHED
244 }
245 CertificateMsg certificateMsg = new CertificateMsg(input);
246 handshakeState.update(certificateMsg, resumingSession);
247 this.clientCertificate(certificateMsg);
248 break;
249
250 case HandshakeMessage.ht_client_key_exchange:
251 SecretKey preMasterSecret;
252 switch (keyExchange) {
253 case K_RSA:
254 case K_RSA_EXPORT:
255 /*
256 * The client's pre-master secret is decrypted using
257 * either the server's normal private RSA key, or the
258 * temporary one used for non-export or signing-only
259 * certificates/keys.
260 */
261 RSAClientKeyExchange pms = new RSAClientKeyExchange(
262 protocolVersion, clientRequestedVersion,
263 sslContext.getSecureRandom(), input,
264 message_len, privateKey);
265 handshakeState.update(pms, resumingSession);
266 preMasterSecret = this.clientKeyExchange(pms);
267 break;
268 case K_DHE_RSA:
269 case K_DHE_DSS:
270 case K_DH_ANON:
271 /*
272 * The pre-master secret is derived using the normal
273 * Diffie-Hellman calculation. Note that the main
274 * protocol difference in these five flavors is in how
275 * the ServerKeyExchange message was constructed!
276 */
277 DHClientKeyExchange dhcke = new DHClientKeyExchange(input);
278 handshakeState.update(dhcke, resumingSession);
279 preMasterSecret = this.clientKeyExchange(dhcke);
280 break;
281 case K_ECDH_RSA:
282 case K_ECDH_ECDSA:
283 case K_ECDHE_RSA:
284 case K_ECDHE_ECDSA:
285 case K_ECDH_ANON:
286 ECDHClientKeyExchange ecdhcke =
287 new ECDHClientKeyExchange(input);
288 handshakeState.update(ecdhcke, resumingSession);
289 preMasterSecret = this.clientKeyExchange(ecdhcke);
290 break;
291 default:
292 ClientKeyExchangeService p =
293 ClientKeyExchangeService.find(keyExchange.name);
294 if (p == null) {
295 throw new SSLProtocolException
296 ("Unrecognized key exchange: " + keyExchange);
297 }
298 byte[] encodedTicket = input.getBytes16();
299 input.getBytes16();
300 byte[] secret = input.getBytes16();
301 ClientKeyExchange cke = p.createServerExchange(protocolVersion,
302 clientRequestedVersion,
303 sslContext.getSecureRandom(),
304 encodedTicket,
305 secret,
306 this.getAccSE(), serviceCreds);
307 handshakeState.update(cke, resumingSession);
308 preMasterSecret = this.clientKeyExchange(cke);
309 break;
310 }
311
312 //
313 // All keys are calculated from the premaster secret
314 // and the exchanged nonces in the same way.
315 //
316 calculateKeys(preMasterSecret, clientRequestedVersion);
317 break;
318
319 case HandshakeMessage.ht_certificate_verify:
320 CertificateVerify cvm =
321 new CertificateVerify(input,
322 getLocalSupportedSignAlgs(), protocolVersion);
323 handshakeState.update(cvm, resumingSession);
324 this.clientCertificateVerify(cvm);
325
326 break;
327
328 case HandshakeMessage.ht_finished:
329 Finished cfm =
330 new Finished(protocolVersion, input, cipherSuite);
331 handshakeState.update(cfm, resumingSession);
332 this.clientFinished(cfm);
333
334 break;
335
336 default:
337 throw new SSLProtocolException(
338 "Illegal server handshake msg, " + type);
339 }
340
341 }
342
343
344 /*
345 * ClientHello presents the server with a bunch of options, to which the
346 * server replies with a ServerHello listing the ones which this session
347 * will use. If needed, it also writes its Certificate plus in some cases
348 * a ServerKeyExchange message. It may also write a CertificateRequest,
349 * to elicit a client certificate.
350 *
351 * All these messages are terminated by a ServerHelloDone message. In
352 * most cases, all this can be sent in a single Record.
353 */
354 private void clientHello(ClientHello mesg) throws IOException {
355 if (debug != null && Debug.isOn("handshake")) {
356 mesg.print(System.out);
357 }
358
359 // Reject client initiated renegotiation?
360 //
361 // If server side should reject client-initiated renegotiation,
362 // send an alert_handshake_failure fatal alert, not a no_renegotiation
363 // warning alert (no_renegotiation must be a warning: RFC 2246).
364 // no_renegotiation might seem more natural at first, but warnings
365 // are not appropriate because the sending party does not know how
366 // the receiving party will behave. This state must be treated as
367 // a fatal server condition.
368 //
369 // This will not have any impact on server initiated renegotiation.
370 if (rejectClientInitiatedRenego && !isInitialHandshake &&
371 !serverHelloRequested) {
372 fatalSE(Alerts.alert_handshake_failure,
373 "Client initiated renegotiation is not allowed");
374 }
375
376 // check the server name indication if required
377 ServerNameExtension clientHelloSNIExt = (ServerNameExtension)
378 mesg.extensions.get(ExtensionType.EXT_SERVER_NAME);
379 if (!sniMatchers.isEmpty()) {
380 // we do not reject client without SNI extension
381 if (clientHelloSNIExt != null &&
382 !clientHelloSNIExt.isMatched(sniMatchers)) {
383 fatalSE(Alerts.alert_unrecognized_name,
384 "Unrecognized server name indication");
385 }
386 }
387
388 // Does the message include security renegotiation indication?
389 boolean renegotiationIndicated = false;
390
391 // check the TLS_EMPTY_RENEGOTIATION_INFO_SCSV
392 CipherSuiteList cipherSuites = mesg.getCipherSuites();
393 if (cipherSuites.contains(CipherSuite.C_SCSV)) {
394 renegotiationIndicated = true;
395 if (isInitialHandshake) {
396 secureRenegotiation = true;
397 } else {
398 // abort the handshake with a fatal handshake_failure alert
399 if (secureRenegotiation) {
400 fatalSE(Alerts.alert_handshake_failure,
401 "The SCSV is present in a secure renegotiation");
402 } else {
403 fatalSE(Alerts.alert_handshake_failure,
404 "The SCSV is present in a insecure renegotiation");
405 }
406 }
407 }
408
409 // check the "renegotiation_info" extension
410 RenegotiationInfoExtension clientHelloRI = (RenegotiationInfoExtension)
411 mesg.extensions.get(ExtensionType.EXT_RENEGOTIATION_INFO);
412 if (clientHelloRI != null) {
413 renegotiationIndicated = true;
414 if (isInitialHandshake) {
415 // verify the length of the "renegotiated_connection" field
416 if (!clientHelloRI.isEmpty()) {
417 // abort the handshake with a fatal handshake_failure alert
418 fatalSE(Alerts.alert_handshake_failure,
419 "The renegotiation_info field is not empty");
420 }
421
422 secureRenegotiation = true;
423 } else {
424 if (!secureRenegotiation) {
425 // unexpected RI extension for insecure renegotiation,
426 // abort the handshake with a fatal handshake_failure alert
427 fatalSE(Alerts.alert_handshake_failure,
428 "The renegotiation_info is present in a insecure " +
429 "renegotiation");
430 }
431
432 // verify the client_verify_data value
433 if (!MessageDigest.isEqual(clientVerifyData,
434 clientHelloRI.getRenegotiatedConnection())) {
435 fatalSE(Alerts.alert_handshake_failure,
436 "Incorrect verify data in ClientHello " +
437 "renegotiation_info message");
438 }
439 }
440 } else if (!isInitialHandshake && secureRenegotiation) {
441 // if the connection's "secure_renegotiation" flag is set to TRUE
442 // and the "renegotiation_info" extension is not present, abort
443 // the handshake.
444 fatalSE(Alerts.alert_handshake_failure,
445 "Inconsistent secure renegotiation indication");
446 }
447
448 // if there is no security renegotiation indication or the previous
449 // handshake is insecure.
450 if (!renegotiationIndicated || !secureRenegotiation) {
451 if (isInitialHandshake) {
452 if (!allowLegacyHelloMessages) {
453 // abort the handshake with a fatal handshake_failure alert
454 fatalSE(Alerts.alert_handshake_failure,
455 "Failed to negotiate the use of secure renegotiation");
456 }
457
458 // continue with legacy ClientHello
459 if (debug != null && Debug.isOn("handshake")) {
460 System.out.println("Warning: No renegotiation " +
461 "indication in ClientHello, allow legacy ClientHello");
462 }
463 } else if (!allowUnsafeRenegotiation) {
464 // abort the handshake
465 if (activeProtocolVersion.useTLS10PlusSpec()) {
466 // respond with a no_renegotiation warning
467 warningSE(Alerts.alert_no_renegotiation);
468
469 // invalidate the handshake so that the caller can
470 // dispose this object.
471 invalidated = true;
472
473 // If there is still unread block in the handshake
474 // input stream, it would be truncated with the disposal
475 // and the next handshake message will become incomplete.
476 //
477 // However, according to SSL/TLS specifications, no more
478 // handshake message could immediately follow ClientHello
479 // or HelloRequest. But in case of any improper messages,
480 // we'd better check to ensure there is no remaining bytes
481 // in the handshake input stream.
482 if (input.available() > 0) {
483 fatalSE(Alerts.alert_unexpected_message,
484 "ClientHello followed by an unexpected " +
485 "handshake message");
486 }
487
488 return;
489 } else {
490 // For SSLv3, send the handshake_failure fatal error.
491 // Note that SSLv3 does not define a no_renegotiation
492 // alert like TLSv1. However we cannot ignore the message
493 // simply, otherwise the other side was waiting for a
494 // response that would never come.
495 fatalSE(Alerts.alert_handshake_failure,
496 "Renegotiation is not allowed");
497 }
498 } else { // !isInitialHandshake && allowUnsafeRenegotiation
499 // continue with unsafe renegotiation.
500 if (debug != null && Debug.isOn("handshake")) {
501 System.out.println(
502 "Warning: continue with insecure renegotiation");
503 }
504 }
505 }
506
507 // check the "max_fragment_length" extension
508 MaxFragmentLengthExtension maxFragLenExt = (MaxFragmentLengthExtension)
509 mesg.extensions.get(ExtensionType.EXT_MAX_FRAGMENT_LENGTH);
510 if ((maxFragLenExt != null) && (maximumPacketSize != 0)) {
511 // Not yet consider the impact of IV/MAC/padding.
512 int estimatedMaxFragSize = maximumPacketSize;
513 if (isDTLS) {
514 estimatedMaxFragSize -= DTLSRecord.headerSize;
515 } else {
516 estimatedMaxFragSize -= SSLRecord.headerSize;
517 }
518
519 if (maxFragLenExt.getMaxFragLen() > estimatedMaxFragSize) {
520 // For better interoperability, abort the maximum fragment
521 // length negotiation, rather than terminate the connection
522 // with a fatal alert.
523 maxFragLenExt = null;
524
525 // fatalSE(Alerts.alert_illegal_parameter,
526 // "Not an allowed max_fragment_length value");
527 }
528 }
529
530 // check the ALPN extension
531 ALPNExtension clientHelloALPN = (ALPNExtension)
532 mesg.extensions.get(ExtensionType.EXT_ALPN);
533
534 if ((clientHelloALPN != null) && (localApl.length > 0)) {
535
536 // Intersect the requested and the locally supported,
537 // and save for later.
538 String negotiatedValue = null;
539 List<String> protocols = clientHelloALPN.getPeerAPs();
540
541 // Use server preference order
542 for (String ap : localApl) {
543 if (protocols.contains(ap)) {
544 negotiatedValue = ap;
545 break;
546 }
547 }
548
549 if (negotiatedValue == null) {
550 fatalSE(Alerts.alert_no_application_protocol,
551 new SSLHandshakeException(
552 "No matching ALPN values"));
553 }
554 applicationProtocol = negotiatedValue;
555
556 } else {
557 applicationProtocol = "";
558 }
559
560 // cookie exchange
561 if (isDTLS) {
562 HelloCookieManager hcMgr = sslContext.getHelloCookieManager();
563 if ((mesg.cookie == null) || (mesg.cookie.length == 0) ||
564 (!hcMgr.isValid(mesg))) {
565
566 //
567 // Perform cookie exchange for DTLS handshaking if no cookie
568 // or the cookie is invalid in the ClientHello message.
569 //
570 HelloVerifyRequest m0 = new HelloVerifyRequest(hcMgr, mesg);
571
572 if (debug != null && Debug.isOn("handshake")) {
573 m0.print(System.out);
574 }
575
576 m0.write(output);
577 handshakeState.update(m0, resumingSession);
578 output.flush();
579
580 return;
581 }
582 }
583
584 /*
585 * FIRST, construct the ServerHello using the options and priorities
586 * from the ClientHello. Update the (pending) cipher spec as we do
587 * so, and save the client's version to protect against rollback
588 * attacks.
589 *
590 * There are a bunch of minor tasks here, and one major one: deciding
591 * if the short or the full handshake sequence will be used.
592 */
593 ServerHello m1 = new ServerHello();
594
595 clientRequestedVersion = mesg.protocolVersion;
596
597 // select a proper protocol version.
598 ProtocolVersion selectedVersion =
599 selectProtocolVersion(clientRequestedVersion);
600 if (selectedVersion == null ||
601 selectedVersion.v == ProtocolVersion.SSL20Hello.v) {
602 fatalSE(Alerts.alert_handshake_failure,
603 "Client requested protocol " + clientRequestedVersion +
604 " not enabled or not supported");
605 }
606
607 handshakeHash.protocolDetermined(selectedVersion);
608 setVersion(selectedVersion);
609
610 m1.protocolVersion = protocolVersion;
611
612 //
613 // random ... save client and server values for later use
614 // in computing the master secret (from pre-master secret)
615 // and thence the other crypto keys.
616 //
617 // NOTE: this use of three inputs to generating _each_ set
618 // of ciphers slows things down, but it does increase the
619 // security since each connection in the session can hold
620 // its own authenticated (and strong) keys. One could make
621 // creation of a session a rare thing...
622 //
623 clnt_random = mesg.clnt_random;
624 svr_random = new RandomCookie(sslContext.getSecureRandom());
625 m1.svr_random = svr_random;
626
627 session = null; // forget about the current session
628 //
629 // Here we go down either of two paths: (a) the fast one, where
630 // the client's asked to rejoin an existing session, and the server
631 // permits this; (b) the other one, where a new session is created.
632 //
633 if (mesg.sessionId.length() != 0) {
634 // client is trying to resume a session, let's see...
635
636 SSLSessionImpl previous = ((SSLSessionContextImpl)sslContext
637 .engineGetServerSessionContext())
638 .get(mesg.sessionId.getId());
639 //
640 // Check if we can use the fast path, resuming a session. We
641 // can do so iff we have a valid record for that session, and
642 // the cipher suite for that session was on the list which the
643 // client requested, and if we're not forgetting any needed
644 // authentication on the part of the client.
645 //
646 if (previous != null) {
647 resumingSession = previous.isRejoinable();
648
649 if (resumingSession) {
650 ProtocolVersion oldVersion = previous.getProtocolVersion();
651 // cannot resume session with different version
652 if (oldVersion != protocolVersion) {
653 resumingSession = false;
654 }
655 }
656
657 // cannot resume session with different server name indication
658 if (resumingSession) {
659 List<SNIServerName> oldServerNames =
660 previous.getRequestedServerNames();
661 if (clientHelloSNIExt != null) {
662 if (!clientHelloSNIExt.isIdentical(oldServerNames)) {
663 resumingSession = false;
664 }
665 } else if (!oldServerNames.isEmpty()) {
666 resumingSession = false;
667 }
668
669 if (!resumingSession &&
670 debug != null && Debug.isOn("handshake")) {
671 System.out.println(
672 "The requested server name indication " +
673 "is not identical to the previous one");
674 }
675 }
676
677 if (resumingSession &&
678 (doClientAuth == ClientAuthType.CLIENT_AUTH_REQUIRED)) {
679 try {
680 previous.getPeerPrincipal();
681 } catch (SSLPeerUnverifiedException e) {
682 resumingSession = false;
683 }
684 }
685
686 // validate subject identity
687 if (resumingSession) {
688 CipherSuite suite = previous.getSuite();
689 ClientKeyExchangeService p =
690 ClientKeyExchangeService.find(suite.keyExchange.name);
691 if (p != null) {
692 Principal localPrincipal = previous.getLocalPrincipal();
693
694 if (p.isRelated(
695 false, getAccSE(), localPrincipal)) {
696 if (debug != null && Debug.isOn("session"))
697 System.out.println("Subject can" +
698 " provide creds for princ");
699 } else {
700 resumingSession = false;
701 if (debug != null && Debug.isOn("session"))
702 System.out.println("Subject cannot" +
703 " provide creds for princ");
704 }
705 }
706 }
707
708 if (resumingSession) {
709 CipherSuite suite = previous.getSuite();
710 // verify that the ciphersuite from the cached session
711 // is in the list of client requested ciphersuites and
712 // we have it enabled
713 if ((isNegotiable(suite) == false) ||
714 (mesg.getCipherSuites().contains(suite) == false)) {
715 resumingSession = false;
716 } else {
717 // everything looks ok, set the ciphersuite
718 // this should be done last when we are sure we
719 // will resume
720 setCipherSuite(suite);
721 }
722 }
723
724 if (resumingSession) {
725 session = previous;
726 if (debug != null &&
727 (Debug.isOn("handshake") || Debug.isOn("session"))) {
728 System.out.println("%% Resuming " + session);
729 }
730 }
731 }
732 } // else client did not try to resume
733
734 //
735 // If client hasn't specified a session we can resume, start a
736 // new one and choose its cipher suite and compression options.
737 // Unless new session creation is disabled for this connection!
738 //
739 if (session == null) {
740 if (!enableNewSession) {
741 throw new SSLException("Client did not resume a session");
742 }
743
744 supportedCurves = (SupportedEllipticCurvesExtension)
745 mesg.extensions.get(ExtensionType.EXT_ELLIPTIC_CURVES);
746
747 // We only need to handle the "signature_algorithm" extension
748 // for full handshakes and TLS 1.2 or later.
749 if (protocolVersion.useTLS12PlusSpec()) {
750 SignatureAlgorithmsExtension signAlgs =
751 (SignatureAlgorithmsExtension)mesg.extensions.get(
752 ExtensionType.EXT_SIGNATURE_ALGORITHMS);
753 if (signAlgs != null) {
754 Collection<SignatureAndHashAlgorithm> peerSignAlgs =
755 signAlgs.getSignAlgorithms();
756 if (peerSignAlgs == null || peerSignAlgs.isEmpty()) {
757 throw new SSLHandshakeException(
758 "No peer supported signature algorithms");
759 }
760
761 Collection<SignatureAndHashAlgorithm>
762 supportedPeerSignAlgs =
763 SignatureAndHashAlgorithm.getSupportedAlgorithms(
764 algorithmConstraints, peerSignAlgs);
765 if (supportedPeerSignAlgs.isEmpty()) {
766 throw new SSLHandshakeException(
767 "No signature and hash algorithm in common");
768 }
769
770 setPeerSupportedSignAlgs(supportedPeerSignAlgs);
771 } // else, need to use peer implicit supported signature algs
772 }
773
774 session = new SSLSessionImpl(protocolVersion, CipherSuite.C_NULL,
775 getLocalSupportedSignAlgs(),
776 sslContext.getSecureRandom(),
777 getHostAddressSE(), getPortSE());
778
779 if (protocolVersion.useTLS12PlusSpec()) {
780 if (peerSupportedSignAlgs != null) {
781 session.setPeerSupportedSignatureAlgorithms(
782 peerSupportedSignAlgs);
783 } // else, we will set the implicit peer supported signature
784 // algorithms in chooseCipherSuite()
785 }
786
787 // set the server name indication in the session
788 List<SNIServerName> clientHelloSNI =
789 Collections.<SNIServerName>emptyList();
790 if (clientHelloSNIExt != null) {
791 clientHelloSNI = clientHelloSNIExt.getServerNames();
792 }
793 session.setRequestedServerNames(clientHelloSNI);
794
795 // set the handshake session
796 setHandshakeSessionSE(session);
797
798 // choose cipher suite and corresponding private key
799 chooseCipherSuite(mesg);
800
801 session.setSuite(cipherSuite);
802 session.setLocalPrivateKey(privateKey);
803
804 // chooseCompression(mesg);
805
806 // set the negotiated maximum fragment in the session
807 //
808 // The protocol version and cipher suite have been negotiated
809 // in previous processes.
810 if (maxFragLenExt != null) {
811 int maxFragLen = maxFragLenExt.getMaxFragLen();
812
813 // More check of the requested "max_fragment_length" extension.
814 if (maximumPacketSize != 0) {
815 int estimatedMaxFragSize = cipherSuite.calculatePacketSize(
816 maxFragLen, protocolVersion, isDTLS);
817 if (estimatedMaxFragSize > maximumPacketSize) {
818 // For better interoperability, abort the maximum
819 // fragment length negotiation, rather than terminate
820 // the connection with a fatal alert.
821 maxFragLenExt = null;
822
823 // fatalSE(Alerts.alert_illegal_parameter,
824 // "Not an allowed max_fragment_length value");
825 }
826 }
827
828 if (maxFragLenExt != null) {
829 session.setNegotiatedMaxFragSize(maxFragLen);
830 }
831 }
832
833 session.setMaximumPacketSize(maximumPacketSize);
834 } else {
835 // set the handshake session
836 setHandshakeSessionSE(session);
837 }
838
839 if (protocolVersion.useTLS12PlusSpec()) {
840 handshakeHash.setFinishedAlg(cipherSuite.prfAlg.getPRFHashAlg());
841 }
842
843 m1.cipherSuite = cipherSuite;
844 m1.sessionId = session.getSessionId();
845 m1.compression_method = session.getCompression();
846
847 if (secureRenegotiation) {
848 // For ServerHellos that are initial handshakes, then the
849 // "renegotiated_connection" field in "renegotiation_info"
850 // extension is of zero length.
851 //
852 // For ServerHellos that are renegotiating, this field contains
853 // the concatenation of client_verify_data and server_verify_data.
854 //
855 // Note that for initial handshakes, both the clientVerifyData
856 // variable and serverVerifyData variable are of zero length.
857 HelloExtension serverHelloRI = new RenegotiationInfoExtension(
858 clientVerifyData, serverVerifyData);
859 m1.extensions.add(serverHelloRI);
860 }
861
862 if (!sniMatchers.isEmpty() && clientHelloSNIExt != null) {
863 // When resuming a session, the server MUST NOT include a
864 // server_name extension in the server hello.
865 if (!resumingSession) {
866 ServerNameExtension serverHelloSNI = new ServerNameExtension();
867 m1.extensions.add(serverHelloSNI);
868 }
869 }
870
871 if ((maxFragLenExt != null) && !resumingSession) {
872 // When resuming a session, the server MUST NOT include a
873 // max_fragment_length extension in the server hello.
874 //
875 // Otherwise, use the same value as the requested extension.
876 m1.extensions.add(maxFragLenExt);
877 }
878
879 StaplingParameters staplingParams = processStapling(mesg);
880 if (staplingParams != null) {
881 // We now can safely assert status_request[_v2] in our
882 // ServerHello, and know for certain that we can provide
883 // responses back to this client for this connection.
884 if (staplingParams.statusRespExt ==
885 ExtensionType.EXT_STATUS_REQUEST) {
886 m1.extensions.add(new CertStatusReqExtension());
887 } else if (staplingParams.statusRespExt ==
888 ExtensionType.EXT_STATUS_REQUEST_V2) {
889 m1.extensions.add(new CertStatusReqListV2Extension());
890 }
891 }
892
893 // Prepare the ALPN response
894 if (applicationProtocol != null && !applicationProtocol.isEmpty()) {
895 m1.extensions.add(new ALPNExtension(applicationProtocol));
896 }
897
898 if (debug != null && Debug.isOn("handshake")) {
899 m1.print(System.out);
900 System.out.println("Cipher suite: " + session.getSuite());
901 }
902 m1.write(output);
903 handshakeState.update(m1, resumingSession);
904
905 //
906 // If we are resuming a session, we finish writing handshake
907 // messages right now and then finish.
908 //
909 if (resumingSession) {
910 calculateConnectionKeys(session.getMasterSecret());
911 sendChangeCipherAndFinish(false);
912
913 // expecting the final ChangeCipherSpec and Finished messages
914 expectingFinishFlightSE();
915
916 return;
917 }
918
919
920 /*
921 * SECOND, write the server Certificate(s) if we need to.
922 *
923 * NOTE: while an "anonymous RSA" mode is explicitly allowed by
924 * the protocol, we can't support it since all of the SSL flavors
925 * defined in the protocol spec are explicitly stated to require
926 * using RSA certificates.
927 */
928 if (ClientKeyExchangeService.find(cipherSuite.keyExchange.name) != null) {
929 // No external key exchange provider needs a cert now.
930 } else if ((keyExchange != K_DH_ANON) && (keyExchange != K_ECDH_ANON)) {
931 if (certs == null) {
932 throw new RuntimeException("no certificates");
933 }
934
935 CertificateMsg m2 = new CertificateMsg(certs);
936
937 /*
938 * Set local certs in the SSLSession, output
939 * debug info, and then actually write to the client.
940 */
941 session.setLocalCertificates(certs);
942 if (debug != null && Debug.isOn("handshake")) {
943 m2.print(System.out);
944 }
945 m2.write(output);
946 handshakeState.update(m2, resumingSession);
947
948 // XXX has some side effects with OS TCP buffering,
949 // leave it out for now
950
951 // let client verify chain in the meantime...
952 // output.flush();
953 } else {
954 if (certs != null) {
955 throw new RuntimeException("anonymous keyexchange with certs");
956 }
957 }
958
959 /**
960 * The CertificateStatus message ... only if it is needed.
961 * This would only be needed if we've established that this handshake
962 * supports status stapling and there is at least one response to
963 * return to the client.
964 */
965 if (staplingParams != null) {
966 CertificateStatus csMsg = new CertificateStatus(
967 staplingParams.statReqType, certs,
968 staplingParams.responseMap);
969 if (debug != null && Debug.isOn("handshake")) {
970 csMsg.print(System.out);
971 }
972 csMsg.write(output);
973 handshakeState.update(csMsg, resumingSession);
974 }
975
976 /*
977 * THIRD, the ServerKeyExchange message ... iff it's needed.
978 *
979 * It's usually needed unless there's an encryption-capable
980 * RSA cert, or a D-H cert. The notable exception is that
981 * exportable ciphers used with big RSA keys need to downgrade
982 * to use short RSA keys, even when the key/cert encrypts OK.
983 */
984
985 ServerKeyExchange m3;
986 switch (keyExchange) {
987 case K_RSA:
988 // no server key exchange for RSA ciphersuites
989 m3 = null;
990 break;
991 case K_RSA_EXPORT:
992 if (JsseJce.getRSAKeyLength(certs[0].getPublicKey()) > 512) {
993 try {
994 m3 = new RSA_ServerKeyExchange(
995 tempPublicKey, privateKey,
996 clnt_random, svr_random,
997 sslContext.getSecureRandom());
998 privateKey = tempPrivateKey;
999 } catch (GeneralSecurityException e) {
1000 m3 = null; // make compiler happy
1001 throw new SSLException(
1002 "Error generating RSA server key exchange", e);
1003 }
1004 } else {
1005 // RSA_EXPORT with short key, don't need ServerKeyExchange
1006 m3 = null;
1007 }
1008 break;
1009 case K_DHE_RSA:
1010 case K_DHE_DSS:
1011 try {
1012 m3 = new DH_ServerKeyExchange(dh,
1013 privateKey,
1014 clnt_random.random_bytes,
1015 svr_random.random_bytes,
1016 sslContext.getSecureRandom(),
1017 preferableSignatureAlgorithm,
1018 protocolVersion);
1019 } catch (GeneralSecurityException e) {
1020 m3 = null; // make compiler happy
1021 throw new SSLException(
1022 "Error generating DH server key exchange", e);
1023 }
1024 break;
1025 case K_DH_ANON:
1026 m3 = new DH_ServerKeyExchange(dh, protocolVersion);
1027 break;
1028 case K_ECDHE_RSA:
1029 case K_ECDHE_ECDSA:
1030 case K_ECDH_ANON:
1031 try {
1032 m3 = new ECDH_ServerKeyExchange(ecdh,
1033 privateKey,
1034 clnt_random.random_bytes,
1035 svr_random.random_bytes,
1036 sslContext.getSecureRandom(),
1037 preferableSignatureAlgorithm,
1038 protocolVersion);
1039 } catch (GeneralSecurityException e) {
1040 m3 = null; // make compiler happy
1041 throw new SSLException(
1042 "Error generating ECDH server key exchange", e);
1043 }
1044 break;
1045 case K_ECDH_RSA:
1046 case K_ECDH_ECDSA:
1047 // ServerKeyExchange not used for fixed ECDH
1048 m3 = null;
1049 break;
1050 default:
1051 ClientKeyExchangeService p =
1052 ClientKeyExchangeService.find(keyExchange.name);
1053 if (p != null) {
1054 // No external key exchange provider needs a cert now.
1055 m3 = null;
1056 break;
1057 }
1058 throw new RuntimeException("internal error: " + keyExchange);
1059 }
1060 if (m3 != null) {
1061 if (debug != null && Debug.isOn("handshake")) {
1062 m3.print(System.out);
1063 }
1064 m3.write(output);
1065 handshakeState.update(m3, resumingSession);
1066 }
1067
1068 //
1069 // FOURTH, the CertificateRequest message. The details of
1070 // the message can be affected by the key exchange algorithm
1071 // in use. For example, certs with fixed Diffie-Hellman keys
1072 // are only useful with the DH_DSS and DH_RSA key exchange
1073 // algorithms.
1074 //
1075 // Needed only if server requires client to authenticate self.
1076 // Illegal for anonymous flavors, so we need to check that.
1077 //
1078 // No external key exchange provider needs a cert now.
1079 if (doClientAuth != ClientAuthType.CLIENT_AUTH_NONE &&
1080 keyExchange != K_DH_ANON && keyExchange != K_ECDH_ANON &&
1081 ClientKeyExchangeService.find(keyExchange.name) == null) {
1082
1083 CertificateRequest m4;
1084 X509Certificate[] caCerts;
1085
1086 Collection<SignatureAndHashAlgorithm> localSignAlgs = null;
1087 if (protocolVersion.useTLS12PlusSpec()) {
1088 // We currently use all local upported signature and hash
1089 // algorithms. However, to minimize the computation cost
1090 // of requested hash algorithms, we may use a restricted
1091 // set of signature algorithms in the future.
1092 localSignAlgs = getLocalSupportedSignAlgs();
1093 if (localSignAlgs.isEmpty()) {
1094 throw new SSLHandshakeException(
1095 "No supported signature algorithm");
1096 }
1097
1098 Set<String> localHashAlgs =
1099 SignatureAndHashAlgorithm.getHashAlgorithmNames(
1100 localSignAlgs);
1101 if (localHashAlgs.isEmpty()) {
1102 throw new SSLHandshakeException(
1103 "No supported signature algorithm");
1104 }
1105 }
1106
1107 caCerts = sslContext.getX509TrustManager().getAcceptedIssuers();
1108 m4 = new CertificateRequest(caCerts, keyExchange,
1109 localSignAlgs, protocolVersion);
1110
1111 if (debug != null && Debug.isOn("handshake")) {
1112 m4.print(System.out);
1113 }
1114 m4.write(output);
1115 handshakeState.update(m4, resumingSession);
1116 }
1117
1118 /*
1119 * FIFTH, say ServerHelloDone.
1120 */
1121 ServerHelloDone m5 = new ServerHelloDone();
1122
1123 if (debug != null && Debug.isOn("handshake")) {
1124 m5.print(System.out);
1125 }
1126 m5.write(output);
1127 handshakeState.update(m5, resumingSession);
1128
1129 /*
1130 * Flush any buffered messages so the client will see them.
1131 * Ideally, all the messages above go in a single network level
1132 * message to the client. Without big Certificate chains, it's
1133 * going to be the common case.
1134 */
1135 output.flush();
1136 }
1137
1138 /*
1139 * Choose cipher suite from among those supported by client. Sets
1140 * the cipherSuite and keyExchange variables.
1141 */
1142 private void chooseCipherSuite(ClientHello mesg) throws IOException {
1143 CipherSuiteList prefered;
1144 CipherSuiteList proposed;
1145 if (preferLocalCipherSuites) {
1146 prefered = getActiveCipherSuites();
1147 proposed = mesg.getCipherSuites();
1148 } else {
1149 prefered = mesg.getCipherSuites();
1150 proposed = getActiveCipherSuites();
1151 }
1152
1153 List<CipherSuite> legacySuites = new ArrayList<>();
1154 for (CipherSuite suite : prefered.collection()) {
1155 if (isNegotiable(proposed, suite) == false) {
1156 continue;
1157 }
1158
1159 if (doClientAuth == ClientAuthType.CLIENT_AUTH_REQUIRED) {
1160 if ((suite.keyExchange == K_DH_ANON) ||
1161 (suite.keyExchange == K_ECDH_ANON)) {
1162 continue;
1163 }
1164 }
1165
1166 if (!legacyAlgorithmConstraints.permits(null, suite.name, null)) {
1167 legacySuites.add(suite);
1168 continue;
1169 }
1170
1171 if (trySetCipherSuite(suite) == false) {
1172 continue;
1173 }
1174 return;
1175 }
1176
1177 for (CipherSuite suite : legacySuites) {
1178 if (trySetCipherSuite(suite)) {
1179 return;
1180 }
1181 }
1182
1183 fatalSE(Alerts.alert_handshake_failure, "no cipher suites in common");
1184 }
1185
1186 /**
1187 * Set the given CipherSuite, if possible. Return the result.
1188 * The call succeeds if the CipherSuite is available and we have
1189 * the necessary certificates to complete the handshake. We don't
1190 * check if the CipherSuite is actually enabled.
1191 *
1192 * If successful, this method also generates ephemeral keys if
1193 * required for this ciphersuite. This may take some time, so this
1194 * method should only be called if you really want to use the
1195 * CipherSuite.
1196 *
1197 * This method is called from chooseCipherSuite() in this class.
1198 */
1199 boolean trySetCipherSuite(CipherSuite suite) {
1200 /*
1201 * If we're resuming a session we know we can
1202 * support this key exchange algorithm and in fact
1203 * have already cached the result of it in
1204 * the session state.
1205 */
1206 if (resumingSession) {
1207 return true;
1208 }
1209
1210 if (suite.isNegotiable() == false) {
1211 return false;
1212 }
1213
1214 // must not negotiate the obsoleted weak cipher suites.
1215 if (protocolVersion.obsoletes(suite)) {
1216 return false;
1217 }
1218
1219 // must not negotiate unsupported cipher suites.
1220 if (!protocolVersion.supports(suite)) {
1221 return false;
1222 }
1223
1224 KeyExchange keyExchange = suite.keyExchange;
1225
1226 // null out any existing references
1227 privateKey = null;
1228 certs = null;
1229 dh = null;
1230 tempPrivateKey = null;
1231 tempPublicKey = null;
1232
1233 Collection<SignatureAndHashAlgorithm> supportedSignAlgs = null;
1234 if (protocolVersion.useTLS12PlusSpec()) {
1235 if (peerSupportedSignAlgs != null) {
1236 supportedSignAlgs = peerSupportedSignAlgs;
1237 } else {
1238 SignatureAndHashAlgorithm algorithm = null;
1239
1240 // we may optimize the performance
1241 switch (keyExchange) {
1242 // If the negotiated key exchange algorithm is one of
1243 // (RSA, DHE_RSA, DH_RSA, RSA_PSK, ECDH_RSA, ECDHE_RSA),
1244 // behave as if client had sent the value {sha1,rsa}.
1245 case K_RSA:
1246 case K_DHE_RSA:
1247 case K_DH_RSA:
1248 // case K_RSA_PSK:
1249 case K_ECDH_RSA:
1250 case K_ECDHE_RSA:
1251 algorithm = SignatureAndHashAlgorithm.valueOf(
1252 HashAlgorithm.SHA1.value,
1253 SignatureAlgorithm.RSA.value, 0);
1254 break;
1255 // If the negotiated key exchange algorithm is one of
1256 // (DHE_DSS, DH_DSS), behave as if the client had
1257 // sent the value {sha1,dsa}.
1258 case K_DHE_DSS:
1259 case K_DH_DSS:
1260 algorithm = SignatureAndHashAlgorithm.valueOf(
1261 HashAlgorithm.SHA1.value,
1262 SignatureAlgorithm.DSA.value, 0);
1263 break;
1264 // If the negotiated key exchange algorithm is one of
1265 // (ECDH_ECDSA, ECDHE_ECDSA), behave as if the client
1266 // had sent value {sha1,ecdsa}.
1267 case K_ECDH_ECDSA:
1268 case K_ECDHE_ECDSA:
1269 algorithm = SignatureAndHashAlgorithm.valueOf(
1270 HashAlgorithm.SHA1.value,
1271 SignatureAlgorithm.ECDSA.value, 0);
1272 break;
1273 default:
1274 // no peer supported signature algorithms
1275 }
1276
1277 if (algorithm == null) {
1278 supportedSignAlgs =
1279 Collections.<SignatureAndHashAlgorithm>emptySet();
1280 } else {
1281 supportedSignAlgs =
1282 new ArrayList<SignatureAndHashAlgorithm>(1);
1283 supportedSignAlgs.add(algorithm);
1284
1285 supportedSignAlgs =
1286 SignatureAndHashAlgorithm.getSupportedAlgorithms(
1287 algorithmConstraints, supportedSignAlgs);
1288
1289 // May be no default activated signature algorithm, but
1290 // let the following process make the final decision.
1291 }
1292
1293 // Sets the peer supported signature algorithm to use in KM
1294 // temporarily.
1295 session.setPeerSupportedSignatureAlgorithms(supportedSignAlgs);
1296 }
1297 }
1298
1299 switch (keyExchange) {
1300 case K_RSA:
1301 // need RSA certs for authentication
1302 if (setupPrivateKeyAndChain("RSA") == false) {
1303 return false;
1304 }
1305 break;
1306 case K_RSA_EXPORT:
1307 // need RSA certs for authentication
1308 if (setupPrivateKeyAndChain("RSA") == false) {
1309 return false;
1310 }
1311
1312 try {
1313 if (JsseJce.getRSAKeyLength(certs[0].getPublicKey()) > 512) {
1314 if (!setupEphemeralRSAKeys(suite.exportable)) {
1315 return false;
1316 }
1317 }
1318 } catch (RuntimeException e) {
1319 // could not determine keylength, ignore key
1320 return false;
1321 }
1322 break;
1323 case K_DHE_RSA:
1324 // need RSA certs for authentication
1325 if (setupPrivateKeyAndChain("RSA") == false) {
1326 return false;
1327 }
1328
1329 // get preferable peer signature algorithm for server key exchange
1330 if (protocolVersion.useTLS12PlusSpec()) {
1331 preferableSignatureAlgorithm =
1332 SignatureAndHashAlgorithm.getPreferableAlgorithm(
1333 supportedSignAlgs, "RSA", privateKey);
1334 if (preferableSignatureAlgorithm == null) {
1335 if ((debug != null) && Debug.isOn("handshake")) {
1336 System.out.println(
1337 "No signature and hash algorithm for cipher " +
1338 suite);
1339 }
1340 return false;
1341 }
1342 }
1343
1344 setupEphemeralDHKeys(suite.exportable, privateKey);
1345 break;
1346 case K_ECDHE_RSA:
1347 // need RSA certs for authentication
1348 if (setupPrivateKeyAndChain("RSA") == false) {
1349 return false;
1350 }
1351
1352 // get preferable peer signature algorithm for server key exchange
1353 if (protocolVersion.useTLS12PlusSpec()) {
1354 preferableSignatureAlgorithm =
1355 SignatureAndHashAlgorithm.getPreferableAlgorithm(
1356 supportedSignAlgs, "RSA", privateKey);
1357 if (preferableSignatureAlgorithm == null) {
1358 if ((debug != null) && Debug.isOn("handshake")) {
1359 System.out.println(
1360 "No signature and hash algorithm for cipher " +
1361 suite);
1362 }
1363 return false;
1364 }
1365 }
1366
1367 if (setupEphemeralECDHKeys() == false) {
1368 return false;
1369 }
1370 break;
1371 case K_DHE_DSS:
1372 // get preferable peer signature algorithm for server key exchange
1373 if (protocolVersion.useTLS12PlusSpec()) {
1374 preferableSignatureAlgorithm =
1375 SignatureAndHashAlgorithm.getPreferableAlgorithm(
1376 supportedSignAlgs, "DSA");
1377 if (preferableSignatureAlgorithm == null) {
1378 if ((debug != null) && Debug.isOn("handshake")) {
1379 System.out.println(
1380 "No signature and hash algorithm for cipher " +
1381 suite);
1382 }
1383 return false;
1384 }
1385 }
1386
1387 // need DSS certs for authentication
1388 if (setupPrivateKeyAndChain("DSA") == false) {
1389 return false;
1390 }
1391
1392 setupEphemeralDHKeys(suite.exportable, privateKey);
1393 break;
1394 case K_ECDHE_ECDSA:
1395 // get preferable peer signature algorithm for server key exchange
1396 if (protocolVersion.useTLS12PlusSpec()) {
1397 preferableSignatureAlgorithm =
1398 SignatureAndHashAlgorithm.getPreferableAlgorithm(
1399 supportedSignAlgs, "ECDSA");
1400 if (preferableSignatureAlgorithm == null) {
1401 if ((debug != null) && Debug.isOn("handshake")) {
1402 System.out.println(
1403 "No signature and hash algorithm for cipher " +
1404 suite);
1405 }
1406 return false;
1407 }
1408 }
1409
1410 // need EC cert
1411 if (setupPrivateKeyAndChain("EC") == false) {
1412 return false;
1413 }
1414 if (setupEphemeralECDHKeys() == false) {
1415 return false;
1416 }
1417 break;
1418 case K_ECDH_RSA:
1419 // need EC cert
1420 if (setupPrivateKeyAndChain("EC") == false) {
1421 return false;
1422 }
1423 setupStaticECDHKeys();
1424 break;
1425 case K_ECDH_ECDSA:
1426 // need EC cert
1427 if (setupPrivateKeyAndChain("EC") == false) {
1428 return false;
1429 }
1430 setupStaticECDHKeys();
1431 break;
1432 case K_DH_ANON:
1433 // no certs needed for anonymous
1434 setupEphemeralDHKeys(suite.exportable, null);
1435 break;
1436 case K_ECDH_ANON:
1437 // no certs needed for anonymous
1438 if (setupEphemeralECDHKeys() == false) {
1439 return false;
1440 }
1441 break;
1442 default:
1443 ClientKeyExchangeService p =
1444 ClientKeyExchangeService.find(keyExchange.name);
1445 if (p == null) {
1446 // internal error, unknown key exchange
1447 throw new RuntimeException(
1448 "Unrecognized cipherSuite: " + suite);
1449 }
1450 // need service creds
1451 if (serviceCreds == null) {
1452 AccessControlContext acc = getAccSE();
1453 serviceCreds = p.getServiceCreds(acc);
1454 if (serviceCreds != null) {
1455 if (debug != null && Debug.isOn("handshake")) {
1456 System.out.println("Using serviceCreds");
1457 }
1458 }
1459 if (serviceCreds == null) {
1460 return false;
1461 }
1462 }
1463 break;
1464 }
1465 setCipherSuite(suite);
1466
1467 // set the peer implicit supported signature algorithms
1468 if (protocolVersion.useTLS12PlusSpec()) {
1469 if (peerSupportedSignAlgs == null) {
1470 setPeerSupportedSignAlgs(supportedSignAlgs);
1471 // we had alreay update the session
1472 }
1473 }
1474 return true;
1475 }
1476
1477 /*
1478 * Get some "ephemeral" RSA keys for this context. This means
1479 * generating them if it's not already been done.
1480 *
1481 * Note that we currently do not implement any ciphersuites that use
1482 * strong ephemeral RSA. (We do not support the EXPORT1024 ciphersuites
1483 * and standard RSA ciphersuites prohibit ephemeral mode for some reason)
1484 * This means that export is always true and 512 bit keys are generated.
1485 */
1486 private boolean setupEphemeralRSAKeys(boolean export) {
1487 KeyPair kp = sslContext.getEphemeralKeyManager().
1488 getRSAKeyPair(export, sslContext.getSecureRandom());
1489 if (kp == null) {
1490 return false;
1491 } else {
1492 tempPublicKey = kp.getPublic();
1493 tempPrivateKey = kp.getPrivate();
1494 return true;
1495 }
1496 }
1497
1498 /*
1499 * Acquire some "ephemeral" Diffie-Hellman keys for this handshake.
1500 * We don't reuse these, for improved forward secrecy.
1501 */
1502 private void setupEphemeralDHKeys(boolean export, Key key) {
1503 /*
1504 * 768 bits ephemeral DH private keys were used to be used in
1505 * ServerKeyExchange except that exportable ciphers max out at 512
1506 * bits modulus values. We still adhere to this behavior in legacy
1507 * mode (system property "jdk.tls.ephemeralDHKeySize" is defined
1508 * as "legacy").
1509 *
1510 * Old JDK (JDK 7 and previous) releases don't support DH keys bigger
1511 * than 1024 bits. We have to consider the compatibility requirement.
1512 * 1024 bits DH key is always used for non-exportable cipher suites
1513 * in default mode (system property "jdk.tls.ephemeralDHKeySize"
1514 * is not defined).
1515 *
1516 * However, if applications want more stronger strength, setting
1517 * system property "jdk.tls.ephemeralDHKeySize" to "matched"
1518 * is a workaround to use ephemeral DH key which size matches the
1519 * corresponding authentication key. For example, if the public key
1520 * size of an authentication certificate is 2048 bits, then the
1521 * ephemeral DH key size should be 2048 bits accordingly unless
1522 * the cipher suite is exportable. This key sizing scheme keeps
1523 * the cryptographic strength consistent between authentication
1524 * keys and key-exchange keys.
1525 *
1526 * Applications may also want to customize the ephemeral DH key size
1527 * to a fixed length for non-exportable cipher suites. This can be
1528 * approached by setting system property "jdk.tls.ephemeralDHKeySize"
1529 * to a valid positive integer between 1024 and 8192 bits, inclusive.
1530 *
1531 * Note that the minimum acceptable key size is 1024 bits except
1532 * exportable cipher suites or legacy mode.
1533 *
1534 * Note that per RFC 2246, the key size limit of DH is 512 bits for
1535 * exportable cipher suites. Because of the weakness, exportable
1536 * cipher suites are deprecated since TLS v1.1 and they are not
1537 * enabled by default in Oracle provider. The legacy behavior is
1538 * reserved and 512 bits DH key is always used for exportable
1539 * cipher suites.
1540 */
1541 int keySize = export ? 512 : 1024; // default mode
1542 if (!export) {
1543 if (useLegacyEphemeralDHKeys) { // legacy mode
1544 keySize = 768;
1545 } else if (useSmartEphemeralDHKeys) { // matched mode
1546 if (key != null) {
1547 int ks = KeyUtil.getKeySize(key);
1548
1549 // DH parameter generation can be extremely slow, make
1550 // sure to use one of the supported pre-computed DH
1551 // parameters (see DHCrypt class).
1552 //
1553 // Old deployed applications may not be ready to support
1554 // DH key sizes bigger than 2048 bits. Please DON'T use
1555 // value other than 1024 and 2048 at present. May improve
1556 // the underlying providers and key size limit in the
1557 // future when the compatibility and interoperability
1558 // impact is limited.
1559 //
1560 // keySize = ks <= 1024 ? 1024 : (ks >= 2048 ? 2048 : ks);
1561 keySize = ks <= 1024 ? 1024 : 2048;
1562 } // Otherwise, anonymous cipher suites, 1024-bit is used.
1563 } else if (customizedDHKeySize > 0) { // customized mode
1564 keySize = customizedDHKeySize;
1565 }
1566 }
1567
1568 dh = new DHCrypt(keySize, sslContext.getSecureRandom());
1569 }
1570
1571 // Setup the ephemeral ECDH parameters.
1572 // If we cannot continue because we do not support any of the curves that
1573 // the client requested, return false. Otherwise (all is well), return true.
1574 private boolean setupEphemeralECDHKeys() {
1575 int index = -1;
1576 if (supportedCurves != null) {
1577 // if the client sent the supported curves extension, pick the
1578 // first one that we support;
1579 for (int curveId : supportedCurves.curveIds()) {
1580 if (SupportedEllipticCurvesExtension.isSupported(curveId)) {
1581 index = curveId;
1582 break;
1583 }
1584 }
1585 if (index < 0) {
1586 // no match found, cannot use this ciphersuite
1587 return false;
1588 }
1589 } else {
1590 // pick our preference
1591 index = SupportedEllipticCurvesExtension.DEFAULT.curveIds()[0];
1592 }
1593 String oid = SupportedEllipticCurvesExtension.getCurveOid(index);
1594 ecdh = new ECDHCrypt(oid, sslContext.getSecureRandom());
1595 return true;
1596 }
1597
1598 private void setupStaticECDHKeys() {
1599 // don't need to check whether the curve is supported, already done
1600 // in setupPrivateKeyAndChain().
1601 ecdh = new ECDHCrypt(privateKey, certs[0].getPublicKey());
1602 }
1603
1604 /**
1605 * Retrieve the server key and certificate for the specified algorithm
1606 * from the KeyManager and set the instance variables.
1607 *
1608 * @return true if successful, false if not available or invalid
1609 */
1610 private boolean setupPrivateKeyAndChain(String algorithm) {
1611 X509ExtendedKeyManager km = sslContext.getX509KeyManager();
1612 String alias;
1613 if (conn != null) {
1614 alias = km.chooseServerAlias(algorithm, null, conn);
1615 } else {
1616 alias = km.chooseEngineServerAlias(algorithm, null, engine);
1617 }
1618 if (alias == null) {
1619 return false;
1620 }
1621 PrivateKey tempPrivateKey = km.getPrivateKey(alias);
1622 if (tempPrivateKey == null) {
1623 return false;
1624 }
1625 X509Certificate[] tempCerts = km.getCertificateChain(alias);
1626 if ((tempCerts == null) || (tempCerts.length == 0)) {
1627 return false;
1628 }
1629 String keyAlgorithm = algorithm.split("_")[0];
1630 PublicKey publicKey = tempCerts[0].getPublicKey();
1631 if ((tempPrivateKey.getAlgorithm().equals(keyAlgorithm) == false)
1632 || (publicKey.getAlgorithm().equals(keyAlgorithm) == false)) {
1633 return false;
1634 }
1635 // For ECC certs, check whether we support the EC domain parameters.
1636 // If the client sent a SupportedEllipticCurves ClientHello extension,
1637 // check against that too.
1638 if (keyAlgorithm.equals("EC")) {
1639 if (publicKey instanceof ECPublicKey == false) {
1640 return false;
1641 }
1642 ECParameterSpec params = ((ECPublicKey)publicKey).getParams();
1643 int index = SupportedEllipticCurvesExtension.getCurveIndex(params);
1644 if (SupportedEllipticCurvesExtension.isSupported(index) == false) {
1645 return false;
1646 }
1647 if ((supportedCurves != null) && !supportedCurves.contains(index)) {
1648 return false;
1649 }
1650 }
1651 this.privateKey = tempPrivateKey;
1652 this.certs = tempCerts;
1653 return true;
1654 }
1655
1656 /*
1657 * Returns premaster secret for external key exchange services.
1658 */
1659 private SecretKey clientKeyExchange(ClientKeyExchange mesg)
1660 throws IOException {
1661
1662 if (debug != null && Debug.isOn("handshake")) {
1663 mesg.print(System.out);
1664 }
1665
1666 // Record the principals involved in exchange
1667 session.setPeerPrincipal(mesg.getPeerPrincipal());
1668 session.setLocalPrincipal(mesg.getLocalPrincipal());
1669
1670 return mesg.clientKeyExchange();
1671 }
1672
1673 /*
1674 * Diffie Hellman key exchange is used when the server presented
1675 * D-H parameters in its certificate (signed using RSA or DSS/DSA),
1676 * or else the server presented no certificate but sent D-H params
1677 * in a ServerKeyExchange message. Use of D-H is specified by the
1678 * cipher suite chosen.
1679 *
1680 * The message optionally contains the client's D-H public key (if
1681 * it wasn't not sent in a client certificate). As always with D-H,
1682 * if a client and a server have each other's D-H public keys and
1683 * they use common algorithm parameters, they have a shared key
1684 * that's derived via the D-H calculation. That key becomes the
1685 * pre-master secret.
1686 */
1687 private SecretKey clientKeyExchange(DHClientKeyExchange mesg)
1688 throws IOException {
1689
1690 if (debug != null && Debug.isOn("handshake")) {
1691 mesg.print(System.out);
1692 }
1693
1694 BigInteger publicKeyValue = mesg.getClientPublicKey();
1695
1696 // check algorithm constraints
1697 dh.checkConstraints(algorithmConstraints, publicKeyValue);
1698
1699 return dh.getAgreedSecret(publicKeyValue, false);
1700 }
1701
1702 private SecretKey clientKeyExchange(ECDHClientKeyExchange mesg)
1703 throws IOException {
1704
1705 if (debug != null && Debug.isOn("handshake")) {
1706 mesg.print(System.out);
1707 }
1708
1709 byte[] publicPoint = mesg.getEncodedPoint();
1710
1711 // check algorithm constraints
1712 ecdh.checkConstraints(algorithmConstraints, publicPoint);
1713
1714 return ecdh.getAgreedSecret(publicPoint);
1715 }
1716
1717 /*
1718 * Client wrote a message to verify the certificate it sent earlier.
1719 *
1720 * Note that this certificate isn't involved in key exchange. Client
1721 * authentication messages are included in the checksums used to
1722 * validate the handshake (e.g. Finished messages). Other than that,
1723 * the _exact_ identity of the client is less fundamental to protocol
1724 * security than its role in selecting keys via the pre-master secret.
1725 */
1726 private void clientCertificateVerify(CertificateVerify mesg)
1727 throws IOException {
1728
1729 if (debug != null && Debug.isOn("handshake")) {
1730 mesg.print(System.out);
1731 }
1732
1733 if (protocolVersion.useTLS12PlusSpec()) {
1734 SignatureAndHashAlgorithm signAlg =
1735 mesg.getPreferableSignatureAlgorithm();
1736 if (signAlg == null) {
1737 throw new SSLHandshakeException(
1738 "Illegal CertificateVerify message");
1739 }
1740
1741 String hashAlg =
1742 SignatureAndHashAlgorithm.getHashAlgorithmName(signAlg);
1743 if (hashAlg == null || hashAlg.length() == 0) {
1744 throw new SSLHandshakeException(
1745 "No supported hash algorithm");
1746 }
1747 }
1748
1749 try {
1750 PublicKey publicKey =
1751 session.getPeerCertificates()[0].getPublicKey();
1752
1753 boolean valid = mesg.verify(protocolVersion, handshakeHash,
1754 publicKey, session.getMasterSecret());
1755 if (valid == false) {
1756 fatalSE(Alerts.alert_bad_certificate,
1757 "certificate verify message signature error");
1758 }
1759 } catch (GeneralSecurityException e) {
1760 fatalSE(Alerts.alert_bad_certificate,
1761 "certificate verify format error", e);
1762 }
1763
1764 // reset the flag for clientCertificateVerify message
1765 needClientVerify = false;
1766 }
1767
1768
1769 /*
1770 * Client writes "finished" at the end of its handshake, after cipher
1771 * spec is changed. We verify it and then send ours.
1772 *
1773 * When we're resuming a session, we'll have already sent our own
1774 * Finished message so just the verification is needed.
1775 */
1776 private void clientFinished(Finished mesg) throws IOException {
1777 if (debug != null && Debug.isOn("handshake")) {
1778 mesg.print(System.out);
1779 }
1780
1781 /*
1782 * Verify if client did send the certificate when client
1783 * authentication was required, otherwise server should not proceed
1784 */
1785 if (doClientAuth == ClientAuthType.CLIENT_AUTH_REQUIRED) {
1786 // get X500Principal of the end-entity certificate for X509-based
1787 // ciphersuites, or Kerberos principal for Kerberos ciphersuites, etc
1788 session.getPeerPrincipal();
1789 }
1790
1791 /*
1792 * Verify if client did send clientCertificateVerify message following
1793 * the client Certificate, otherwise server should not proceed
1794 */
1795 if (needClientVerify) {
1796 fatalSE(Alerts.alert_handshake_failure,
1797 "client did not send certificate verify message");
1798 }
1799
1800 /*
1801 * Verify the client's message with the "before" digest of messages,
1802 * and forget about continuing to use that digest.
1803 */
1804 boolean verified = mesg.verify(handshakeHash, Finished.CLIENT,
1805 session.getMasterSecret());
1806
1807 if (!verified) {
1808 fatalSE(Alerts.alert_handshake_failure,
1809 "client 'finished' message doesn't verify");
1810 // NOTREACHED
1811 }
1812
1813 /*
1814 * save client verify data for secure renegotiation
1815 */
1816 if (secureRenegotiation) {
1817 clientVerifyData = mesg.getVerifyData();
1818 }
1819
1820 /*
1821 * OK, it verified. If we're doing the full handshake, add that
1822 * "Finished" message to the hash of handshake messages, then send
1823 * the change_cipher_spec and Finished message.
1824 */
1825 if (!resumingSession) {
1826 sendChangeCipherAndFinish(true);
1827 } else {
1828 handshakeFinished = true;
1829 }
1830
1831 /*
1832 * Update the session cache only after the handshake completed, else
1833 * we're open to an attack against a partially completed handshake.
1834 */
1835 session.setLastAccessedTime(System.currentTimeMillis());
1836 if (!resumingSession && session.isRejoinable()) {
1837 ((SSLSessionContextImpl)sslContext.engineGetServerSessionContext())
1838 .put(session);
1839 if (debug != null && Debug.isOn("session")) {
1840 System.out.println(
1841 "%% Cached server session: " + session);
1842 }
1843 } else if (!resumingSession &&
1844 debug != null && Debug.isOn("session")) {
1845 System.out.println(
1846 "%% Didn't cache non-resumable server session: "
1847 + session);
1848 }
1849 }
1850
1851 /*
1852 * Compute finished message with the "server" digest (and then forget
1853 * about that digest, it can't be used again).
1854 */
1855 private void sendChangeCipherAndFinish(boolean finishedTag)
1856 throws IOException {
1857
1858 // Reload if this message has been reserved.
1859 handshakeHash.reload();
1860
1861 Finished mesg = new Finished(protocolVersion, handshakeHash,
1862 Finished.SERVER, session.getMasterSecret(), cipherSuite);
1863
1864 /*
1865 * Send the change_cipher_spec record; then our Finished handshake
1866 * message will be the last handshake message. Flush, and now we
1867 * are ready for application data!!
1868 */
1869 sendChangeCipherSpec(mesg, finishedTag);
1870
1871 /*
1872 * save server verify data for secure renegotiation
1873 */
1874 if (secureRenegotiation) {
1875 serverVerifyData = mesg.getVerifyData();
1876 }
1877 }
1878
1879
1880 /*
1881 * Returns a HelloRequest message to kickstart renegotiations
1882 */
1883 @Override
1884 HandshakeMessage getKickstartMessage() {
1885 return new HelloRequest();
1886 }
1887
1888
1889 /*
1890 * Fault detected during handshake.
1891 */
1892 @Override
1893 void handshakeAlert(byte description) throws SSLProtocolException {
1894
1895 String message = Alerts.alertDescription(description);
1896
1897 if (debug != null && Debug.isOn("handshake")) {
1898 System.out.println("SSL -- handshake alert: "
1899 + message);
1900 }
1901
1902 /*
1903 * It's ok to get a no_certificate alert from a client of which
1904 * we *requested* authentication information.
1905 * However, if we *required* it, then this is not acceptable.
1906 *
1907 * Anyone calling getPeerCertificates() on the
1908 * session will get an SSLPeerUnverifiedException.
1909 */
1910 if ((description == Alerts.alert_no_certificate) &&
1911 (doClientAuth == ClientAuthType.CLIENT_AUTH_REQUESTED)) {
1912 return;
1913 }
1914
1915 throw new SSLProtocolException("handshake alert: " + message);
1916 }
1917
1918 /*
1919 * RSA key exchange is normally used. The client encrypts a "pre-master
1920 * secret" with the server's public key, from the Certificate (or else
1921 * ServerKeyExchange) message that was sent to it by the server. That's
1922 * decrypted using the private key before we get here.
1923 */
1924 private SecretKey clientKeyExchange(RSAClientKeyExchange mesg)
1925 throws IOException {
1926
1927 if (debug != null && Debug.isOn("handshake")) {
1928 mesg.print(System.out);
1929 }
1930 return mesg.preMaster;
1931 }
1932
1933 /*
1934 * Verify the certificate sent by the client. We'll only get one if we
1935 * sent a CertificateRequest to request client authentication. If we
1936 * are in TLS mode, the client may send a message with no certificates
1937 * to indicate it does not have an appropriate chain. (In SSLv3 mode,
1938 * it would send a no certificate alert).
1939 */
1940 private void clientCertificate(CertificateMsg mesg) throws IOException {
1941 if (debug != null && Debug.isOn("handshake")) {
1942 mesg.print(System.out);
1943 }
1944
1945 X509Certificate[] peerCerts = mesg.getCertificateChain();
1946
1947 if (peerCerts.length == 0) {
1948 /*
1949 * If the client authentication is only *REQUESTED* (e.g.
1950 * not *REQUIRED*, this is an acceptable condition.)
1951 */
1952 if (doClientAuth == ClientAuthType.CLIENT_AUTH_REQUESTED) {
1953 return;
1954 } else {
1955 fatalSE(Alerts.alert_bad_certificate,
1956 "null cert chain");
1957 }
1958 }
1959
1960 // ask the trust manager to verify the chain
1961 X509TrustManager tm = sslContext.getX509TrustManager();
1962
1963 try {
1964 // find out the types of client authentication used
1965 PublicKey key = peerCerts[0].getPublicKey();
1966 String keyAlgorithm = key.getAlgorithm();
1967 String authType;
1968 if (keyAlgorithm.equals("RSA")) {
1969 authType = "RSA";
1970 } else if (keyAlgorithm.equals("DSA")) {
1971 authType = "DSA";
1972 } else if (keyAlgorithm.equals("EC")) {
1973 authType = "EC";
1974 } else {
1975 // unknown public key type
1976 authType = "UNKNOWN";
1977 }
1978
1979 if (tm instanceof X509ExtendedTrustManager) {
1980 if (conn != null) {
1981 ((X509ExtendedTrustManager)tm).checkClientTrusted(
1982 peerCerts.clone(),
1983 authType,
1984 conn);
1985 } else {
1986 ((X509ExtendedTrustManager)tm).checkClientTrusted(
1987 peerCerts.clone(),
1988 authType,
1989 engine);
1990 }
1991 } else {
1992 // Unlikely to happen, because we have wrapped the old
1993 // X509TrustManager with the new X509ExtendedTrustManager.
1994 throw new CertificateException(
1995 "Improper X509TrustManager implementation");
1996 }
1997 } catch (CertificateException e) {
1998 // This will throw an exception, so include the original error.
1999 fatalSE(Alerts.alert_certificate_unknown, e);
2000 }
2001 // set the flag for clientCertificateVerify message
2002 needClientVerify = true;
2003
2004 session.setPeerCertificates(peerCerts);
2005 }
2006
2007 private StaplingParameters processStapling(ClientHello mesg) {
2008 StaplingParameters params = null;
2009 ExtensionType ext;
2010 StatusRequestType type = null;
2011 StatusRequest req = null;
2012 Map<X509Certificate, byte[]> responses;
2013
2014 // If this feature has not been enabled, then no more processing
2015 // is necessary. Also we will only staple if we're doing a full
2016 // handshake.
2017 if (!sslContext.isStaplingEnabled(false) || resumingSession) {
2018 return null;
2019 }
2020
2021 // Check if the client has asserted the status_request[_v2] extension(s)
2022 CertStatusReqExtension statReqExt = (CertStatusReqExtension)
2023 mesg.extensions.get(ExtensionType.EXT_STATUS_REQUEST);
2024 CertStatusReqListV2Extension statReqExtV2 =
2025 (CertStatusReqListV2Extension)mesg.extensions.get(
2026 ExtensionType.EXT_STATUS_REQUEST_V2);
2027 // Keep processing only if either status_request or status_request_v2
2028 // has been sent in the ClientHello.
2029 if (statReqExt == null && statReqExtV2 == null) {
2030 return null;
2031 }
2032
2033 // Determine which type of stapling we are doing and assert the
2034 // proper extension in the server hello.
2035 // Favor status_request_v2 over status_request and ocsp_multi
2036 // over ocsp.
2037 // If multiple ocsp or ocsp_multi types exist, select the first
2038 // instance of a given type
2039 ext = ExtensionType.EXT_STATUS_REQUEST;
2040 if (statReqExtV2 != null) { // RFC 6961 stapling
2041 ext = ExtensionType.EXT_STATUS_REQUEST_V2;
2042 List<CertStatusReqItemV2> reqItems =
2043 statReqExtV2.getRequestItems();
2044 int ocspIdx = -1;
2045 int ocspMultiIdx = -1;
2046 for (int pos = 0; pos < reqItems.size(); pos++) {
2047 CertStatusReqItemV2 item = reqItems.get(pos);
2048 if (ocspIdx < 0 && item.getType() ==
2049 StatusRequestType.OCSP) {
2050 ocspIdx = pos;
2051 } else if (ocspMultiIdx < 0 && item.getType() ==
2052 StatusRequestType.OCSP_MULTI) {
2053 ocspMultiIdx = pos;
2054 }
2055 }
2056 if (ocspMultiIdx >= 0) {
2057 type = reqItems.get(ocspMultiIdx).getType();
2058 req = reqItems.get(ocspMultiIdx).getRequest();
2059 } else if (ocspIdx >= 0) {
2060 type = reqItems.get(ocspIdx).getType();
2061 req = reqItems.get(ocspIdx).getRequest();
2062 }
2063 } else { // RFC 6066 stapling
2064 type = StatusRequestType.OCSP;
2065 req = statReqExt.getRequest();
2066 }
2067
2068 // If, after walking through the extensions we were unable to
2069 // find a suitable StatusRequest, then stapling is disabled.
2070 // Both statReqType and statReqData must have been set to continue.
2071 if (type == null || req == null) {
2072 return null;
2073 }
2074
2075 // Get the OCSP responses from the StatusResponseManager
2076 StatusResponseManager statRespMgr =
2077 sslContext.getStatusResponseManager();
2078 if (statRespMgr != null) {
2079 responses = statRespMgr.get(type, req, certs, statusRespTimeout,
2080 TimeUnit.MILLISECONDS);
2081 if (!responses.isEmpty()) {
2082 // If this RFC 6066-style stapling (SSL cert only) then the
2083 // response cannot be zero length
2084 if (type == StatusRequestType.OCSP) {
2085 byte[] respDER = responses.get(certs[0]);
2086 if (respDER == null || respDER.length <= 0) {
2087 return null;
2088 }
2089 }
2090 params = new StaplingParameters(ext, type, req, responses);
2091 }
2092 } else {
2093 // This should not happen, but if lazy initialization of the
2094 // StatusResponseManager doesn't occur we should turn off stapling.
2095 if (debug != null && Debug.isOn("handshake")) {
2096 System.out.println("Warning: lazy initialization " +
2097 "of the StatusResponseManager failed. " +
2098 "Stapling has been disabled.");
2099 }
2100 }
2101
2102 return params;
2103 }
2104
2105 /**
2106 * Inner class used to hold stapling parameters needed by the handshaker
2107 * when stapling is active.
2108 */
2109 private class StaplingParameters {
2110 private final ExtensionType statusRespExt;
2111 private final StatusRequestType statReqType;
2112 private final StatusRequest statReqData;
2113 private final Map<X509Certificate, byte[]> responseMap;
2114
2115 StaplingParameters(ExtensionType ext, StatusRequestType type,
2116 StatusRequest req, Map<X509Certificate, byte[]> responses) {
2117 statusRespExt = ext;
2118 statReqType = type;
2119 statReqData = req;
2120 responseMap = responses;
2121 }
2122 }
2123 }