1 /*
2 * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package sun.security.ssl;
27
28 import java.io.*;
29 import java.math.BigInteger;
30 import java.security.*;
31 import java.security.interfaces.*;
32 import java.security.spec.*;
33 import java.security.cert.*;
34 import java.security.cert.Certificate;
35 import java.util.*;
36 import java.util.concurrent.ConcurrentHashMap;
37
38 import java.lang.reflect.*;
39
40 import javax.security.auth.x500.X500Principal;
41
42 import javax.crypto.KeyGenerator;
43 import javax.crypto.SecretKey;
44 import javax.crypto.spec.DHPublicKeySpec;
45
46 import javax.net.ssl.*;
47
48 import sun.security.internal.spec.TlsPrfParameterSpec;
49 import sun.security.ssl.CipherSuite.*;
50 import static sun.security.ssl.CipherSuite.PRF.*;
51 import sun.security.util.KeyUtil;
52 import sun.security.util.MessageDigestSpi2;
53 import sun.security.provider.certpath.OCSPResponse;
54
55 /**
56 * Many data structures are involved in the handshake messages. These
57 * classes are used as structures, with public data members. They are
58 * not visible outside the SSL package.
59 *
60 * Handshake messages all have a common header format, and they are all
61 * encoded in a "handshake data" SSL record substream. The base class
62 * here (HandshakeMessage) provides a common framework and records the
63 * SSL record type of the particular handshake message.
64 *
65 * This file contains subclasses for all the basic handshake messages.
66 * All handshake messages know how to encode and decode themselves on
67 * SSL streams; this facilitates using the same code on SSL client and
68 * server sides, although they don't send and receive the same messages.
69 *
70 * Messages also know how to print themselves, which is quite handy
71 * for debugging. They always identify their type, and can optionally
72 * dump all of their content.
73 *
74 * @author David Brownell
75 */
76 public abstract class HandshakeMessage {
77
78 /* Class and subclass dynamic debugging support */
79 public static final Debug debug = Debug.getInstance("ssl");
80
81 // enum HandshakeType:
82 static final byte ht_hello_request = 0; // RFC 5246
83 static final byte ht_client_hello = 1; // RFC 5246
84 static final byte ht_server_hello = 2; // RFC 5246
85 static final byte ht_hello_verify_request = 3; // RFC 6347
86 static final byte ht_new_session_ticket = 4; // RFC 4507
87
88 static final byte ht_certificate = 11; // RFC 5246
89 static final byte ht_server_key_exchange = 12; // RFC 5246
90 static final byte ht_certificate_request = 13; // RFC 5246
91 static final byte ht_server_hello_done = 14; // RFC 5246
92 static final byte ht_certificate_verify = 15; // RFC 5246
93 static final byte ht_client_key_exchange = 16; // RFC 5246
94
95 static final byte ht_finished = 20; // RFC 5246
96 static final byte ht_certificate_url = 21; // RFC 6066
97 static final byte ht_certificate_status = 22; // RFC 6066
98 static final byte ht_supplemental_data = 23; // RFC 4680
99
100 static final byte ht_not_applicable = -1; // N/A
101
102 /*
103 * SSL 3.0 MAC padding constants.
104 * Also used by CertificateVerify and Finished during the handshake.
105 */
106 static final byte[] MD5_pad1 = genPad(0x36, 48);
107 static final byte[] MD5_pad2 = genPad(0x5c, 48);
108
109 static final byte[] SHA_pad1 = genPad(0x36, 40);
110 static final byte[] SHA_pad2 = genPad(0x5c, 40);
111
112 // default constructor
113 HandshakeMessage() {
114 }
115
116 /**
117 * Utility method to convert a BigInteger to a byte array in unsigned
118 * format as needed in the handshake messages. BigInteger uses
119 * 2's complement format, i.e. it prepends an extra zero if the MSB
120 * is set. We remove that.
121 */
122 static byte[] toByteArray(BigInteger bi) {
123 byte[] b = bi.toByteArray();
124 if ((b.length > 1) && (b[0] == 0)) {
125 int n = b.length - 1;
126 byte[] newarray = new byte[n];
127 System.arraycopy(b, 1, newarray, 0, n);
128 b = newarray;
129 }
130 return b;
131 }
132
133 private static byte[] genPad(int b, int count) {
134 byte[] padding = new byte[count];
135 Arrays.fill(padding, (byte)b);
136 return padding;
137 }
138
139 /*
140 * Write a handshake message on the (handshake) output stream.
141 * This is just a four byte header followed by the data.
142 *
143 * NOTE that huge messages -- notably, ones with huge cert
144 * chains -- are handled correctly.
145 */
146 final void write(HandshakeOutStream s) throws IOException {
147 int len = messageLength();
148 if (len >= Record.OVERFLOW_OF_INT24) {
149 throw new SSLException("Handshake message too big"
150 + ", type = " + messageType() + ", len = " + len);
151 }
152 s.write(messageType());
153 s.putInt24(len);
154 send(s);
155 s.complete();
156 }
157
158 /*
159 * Subclasses implement these methods so those kinds of
160 * messages can be emitted. Base class delegates to subclass.
161 */
162 abstract int messageType();
163 abstract int messageLength();
164 abstract void send(HandshakeOutStream s) throws IOException;
165
166 /*
167 * Write a descriptive message on the output stream; for debugging.
168 */
169 abstract void print(PrintStream p) throws IOException;
170
171 //
172 // NOTE: the rest of these classes are nested within this one, and are
173 // imported by other classes in this package. There are a few other
174 // handshake message classes, not neatly nested here because of current
175 // licensing requirement for native (RSA) methods. They belong here,
176 // but those native methods complicate things a lot!
177 //
178
179
180 /*
181 * HelloRequest ... SERVER --> CLIENT
182 *
183 * Server can ask the client to initiate a new handshake, e.g. to change
184 * session parameters after a connection has been (re)established.
185 */
186 static final class HelloRequest extends HandshakeMessage {
187 @Override
188 int messageType() { return ht_hello_request; }
189
190 HelloRequest() { }
191
192 HelloRequest(HandshakeInStream in) throws IOException
193 {
194 // nothing in this message
195 }
196
197 @Override
198 int messageLength() { return 0; }
199
200 @Override
201 void send(HandshakeOutStream out) throws IOException
202 {
203 // nothing in this messaage
204 }
205
206 @Override
207 void print(PrintStream out) throws IOException
208 {
209 out.println("*** HelloRequest (empty)");
210 }
211
212 }
213
214 /*
215 * HelloVerifyRequest ... SERVER --> CLIENT [DTLS only]
216 *
217 * The definition of HelloVerifyRequest is as follows:
218 *
219 * struct {
220 * ProtocolVersion server_version;
221 * opaque cookie<0..2^8-1>;
222 * } HelloVerifyRequest;
223 *
224 * For DTLS protocols, once the client has transmitted the ClientHello message,
225 * it expects to see a HelloVerifyRequest from the server. However, if the
226 * server's message is lost, the client knows that either the ClientHello or
227 * the HelloVerifyRequest has been lost and retransmits. [RFC 6347]
228 */
229 static final class HelloVerifyRequest extends HandshakeMessage {
230 ProtocolVersion protocolVersion;
231 byte[] cookie; // 1 to 2^8 - 1 bytes
232
233 HelloVerifyRequest(HelloCookieManager helloCookieManager,
234 ClientHello clientHelloMsg) {
235
236 this.protocolVersion = clientHelloMsg.protocolVersion;
237 this.cookie = helloCookieManager.getCookie(clientHelloMsg);
238 }
239
240 HelloVerifyRequest(
241 HandshakeInStream input, int messageLength) throws IOException {
242
243 this.protocolVersion =
244 ProtocolVersion.valueOf(input.getInt8(), input.getInt8());
245 this.cookie = input.getBytes8();
246
247 // Is it a valid cookie?
248 HelloCookieManager.checkCookie(protocolVersion, cookie);
249 }
250
251 @Override
252 int messageType() {
253 return ht_hello_verify_request;
254 }
255
256 @Override
257 int messageLength() {
258 return 2 + cookie.length; // 2: the length of protocolVersion
259 }
260
261 @Override
262 void send(HandshakeOutStream hos) throws IOException {
263 hos.putInt8(protocolVersion.major);
264 hos.putInt8(protocolVersion.minor);
265 hos.putBytes8(cookie);
266 }
267
268 @Override
269 void print(PrintStream out) throws IOException {
270 out.println("*** HelloVerifyRequest");
271 if (debug != null && Debug.isOn("verbose")) {
272 out.println("server_version: " + protocolVersion);
273 Debug.println(out, "cookie", cookie);
274 }
275 }
276 }
277
278 /*
279 * ClientHello ... CLIENT --> SERVER
280 *
281 * Client initiates handshake by telling server what it wants, and what it
282 * can support (prioritized by what's first in the ciphe suite list).
283 *
284 * By RFC2246:7.4.1.2 it's explicitly anticipated that this message
285 * will have more data added at the end ... e.g. what CAs the client trusts.
286 * Until we know how to parse it, we will just read what we know
287 * about, and let our caller handle the jumps over unknown data.
288 */
289 static final class ClientHello extends HandshakeMessage {
290
291 ProtocolVersion protocolVersion;
292 RandomCookie clnt_random;
293 SessionId sessionId;
294 byte[] cookie; // DTLS only
295 private CipherSuiteList cipherSuites;
296 private final boolean isDTLS;
297 byte[] compression_methods;
298
299 HelloExtensions extensions = new HelloExtensions();
300
301 private static final byte[] NULL_COMPRESSION = new byte[] {0};
302
303 ClientHello(SecureRandom generator, ProtocolVersion protocolVersion,
304 SessionId sessionId, CipherSuiteList cipherSuites,
305 boolean isDTLS) {
306
307 this.isDTLS = isDTLS;
308 this.protocolVersion = protocolVersion;
309 this.sessionId = sessionId;
310 this.cipherSuites = cipherSuites;
311 if (isDTLS) {
312 this.cookie = new byte[0];
313 } else {
314 this.cookie = null;
315 }
316
317 clnt_random = new RandomCookie(generator);
318 compression_methods = NULL_COMPRESSION;
319 }
320
321 ClientHello(HandshakeInStream s,
322 int messageLength, boolean isDTLS) throws IOException {
323
324 this.isDTLS = isDTLS;
325
326 protocolVersion = ProtocolVersion.valueOf(s.getInt8(), s.getInt8());
327 clnt_random = new RandomCookie(s);
328 sessionId = new SessionId(s.getBytes8());
329 sessionId.checkLength(protocolVersion);
330 if (isDTLS) {
331 cookie = s.getBytes8();
332 } else {
333 cookie = null;
334 }
335
336 cipherSuites = new CipherSuiteList(s);
337 compression_methods = s.getBytes8();
338 if (messageLength() != messageLength) {
339 extensions = new HelloExtensions(s);
340 }
341 }
342
343 CipherSuiteList getCipherSuites() {
344 return cipherSuites;
345 }
346
347 // add renegotiation_info extension
348 void addRenegotiationInfoExtension(byte[] clientVerifyData) {
349 HelloExtension renegotiationInfo = new RenegotiationInfoExtension(
350 clientVerifyData, new byte[0]);
351 extensions.add(renegotiationInfo);
352 }
353
354 // add server_name extension
355 void addSNIExtension(List<SNIServerName> serverNames) {
356 try {
357 extensions.add(new ServerNameExtension(serverNames));
358 } catch (IOException ioe) {
359 // ignore the exception and return
360 }
361 }
362
363 // add signature_algorithm extension
364 void addSignatureAlgorithmsExtension(
365 Collection<SignatureAndHashAlgorithm> algorithms) {
366 HelloExtension signatureAlgorithm =
367 new SignatureAlgorithmsExtension(algorithms);
368 extensions.add(signatureAlgorithm);
369 }
370
371 void addMFLExtension(int maximumPacketSize) {
372 HelloExtension maxFragmentLength =
373 new MaxFragmentLengthExtension(maximumPacketSize);
374 extensions.add(maxFragmentLength);
375 }
376
377 void updateHelloCookie(MessageDigest cookieDigest) {
378 //
379 // Just use HandshakeOutStream to compute the hello verify cookie.
380 // Not actually used to output handshake message records.
381 //
382 HandshakeOutStream hos = new HandshakeOutStream(null);
383
384 try {
385 send(hos, false); // Do not count hello verify cookie.
386 } catch (IOException ioe) {
387 // unlikely to happen
388 }
389
390 cookieDigest.update(hos.toByteArray());
391 }
392
393 // Add status_request extension type
394 void addCertStatusRequestExtension() {
395 extensions.add(new CertStatusReqExtension(StatusRequestType.OCSP,
396 new OCSPStatusRequest()));
397 }
398
399 // Add status_request_v2 extension type
400 void addCertStatusReqListV2Extension() {
401 // Create a default OCSPStatusRequest that we can use for both
402 // OCSP_MULTI and OCSP request list items.
403 OCSPStatusRequest osr = new OCSPStatusRequest();
404 List<CertStatusReqItemV2> itemList = new ArrayList<>(2);
405 itemList.add(new CertStatusReqItemV2(StatusRequestType.OCSP_MULTI,
406 osr));
407 itemList.add(new CertStatusReqItemV2(StatusRequestType.OCSP, osr));
408 extensions.add(new CertStatusReqListV2Extension(itemList));
409 }
410
411 // add application_layer_protocol_negotiation extension
412 void addALPNExtension(String[] applicationProtocols) throws SSLException {
413 extensions.add(new ALPNExtension(applicationProtocols));
414 }
415
416 @Override
417 int messageType() { return ht_client_hello; }
418
419 @Override
420 int messageLength() {
421 /*
422 * Add fixed size parts of each field...
423 * version + random + session + cipher + compress
424 */
425 return (2 + 32 + 1 + 2 + 1
426 + sessionId.length() /* ... + variable parts */
427 + (isDTLS ? (1 + cookie.length) : 0)
428 + (cipherSuites.size() * 2)
429 + compression_methods.length)
430 + extensions.length();
431 }
432
433 @Override
434 void send(HandshakeOutStream s) throws IOException {
435 send(s, true); // Count hello verify cookie.
436 }
437
438 @Override
439 void print(PrintStream s) throws IOException {
440 s.println("*** ClientHello, " + protocolVersion);
441
442 if (debug != null && Debug.isOn("verbose")) {
443 s.print("RandomCookie: ");
444 clnt_random.print(s);
445
446 s.print("Session ID: ");
447 s.println(sessionId);
448
449 if (isDTLS) {
450 Debug.println(s, "cookie", cookie);
451 }
452
453 s.println("Cipher Suites: " + cipherSuites);
454
455 Debug.println(s, "Compression Methods", compression_methods);
456 extensions.print(s);
457 s.println("***");
458 }
459 }
460
461 private void send(HandshakeOutStream s,
462 boolean computeCookie) throws IOException {
463 s.putInt8(protocolVersion.major);
464 s.putInt8(protocolVersion.minor);
465 clnt_random.send(s);
466 s.putBytes8(sessionId.getId());
467 if (isDTLS && computeCookie) {
468 s.putBytes8(cookie);
469 }
470 cipherSuites.send(s);
471 s.putBytes8(compression_methods);
472 extensions.send(s);
473 }
474
475 }
476
477 /*
478 * ServerHello ... SERVER --> CLIENT
479 *
480 * Server chooses protocol options from among those it supports and the
481 * client supports. Then it sends the basic session descriptive parameters
482 * back to the client.
483 */
484 static final
485 class ServerHello extends HandshakeMessage
486 {
487 @Override
488 int messageType() { return ht_server_hello; }
489
490 ProtocolVersion protocolVersion;
491 RandomCookie svr_random;
492 SessionId sessionId;
493 CipherSuite cipherSuite;
494 byte compression_method;
495 HelloExtensions extensions = new HelloExtensions();
496
497 ServerHello() {
498 // empty
499 }
500
501 ServerHello(HandshakeInStream input, int messageLength)
502 throws IOException {
503 protocolVersion = ProtocolVersion.valueOf(input.getInt8(),
504 input.getInt8());
505 svr_random = new RandomCookie(input);
506 sessionId = new SessionId(input.getBytes8());
507 sessionId.checkLength(protocolVersion);
508 cipherSuite = CipherSuite.valueOf(input.getInt8(), input.getInt8());
509 compression_method = (byte)input.getInt8();
510 if (messageLength() != messageLength) {
511 extensions = new HelloExtensions(input);
512 }
513 }
514
515 @Override
516 int messageLength()
517 {
518 // almost fixed size, except session ID and extensions:
519 // major + minor = 2
520 // random = 32
521 // session ID len field = 1
522 // cipher suite + compression = 3
523 // extensions: if present, 2 + length of extensions
524 return 38 + sessionId.length() + extensions.length();
525 }
526
527 @Override
528 void send(HandshakeOutStream s) throws IOException
529 {
530 s.putInt8(protocolVersion.major);
531 s.putInt8(protocolVersion.minor);
532 svr_random.send(s);
533 s.putBytes8(sessionId.getId());
534 s.putInt8(cipherSuite.id >> 8);
535 s.putInt8(cipherSuite.id & 0xff);
536 s.putInt8(compression_method);
537 extensions.send(s);
538 }
539
540 @Override
541 void print(PrintStream s) throws IOException
542 {
543 s.println("*** ServerHello, " + protocolVersion);
544
545 if (debug != null && Debug.isOn("verbose")) {
546 s.print("RandomCookie: ");
547 svr_random.print(s);
548
549 s.print("Session ID: ");
550 s.println(sessionId);
551
552 s.println("Cipher Suite: " + cipherSuite);
553 s.println("Compression Method: " + compression_method);
554 extensions.print(s);
555 s.println("***");
556 }
557 }
558 }
559
560
561 /*
562 * CertificateMsg ... send by both CLIENT and SERVER
563 *
564 * Each end of a connection may need to pass its certificate chain to
565 * the other end. Such chains are intended to validate an identity with
566 * reference to some certifying authority. Examples include companies
567 * like Verisign, or financial institutions. There's some control over
568 * the certifying authorities which are sent.
569 *
570 * NOTE: that these messages might be huge, taking many handshake records.
571 * Up to 2^48 bytes of certificate may be sent, in records of at most 2^14
572 * bytes each ... up to 2^32 records sent on the output stream.
573 */
574 static final
575 class CertificateMsg extends HandshakeMessage
576 {
577 @Override
578 int messageType() { return ht_certificate; }
579
580 private X509Certificate[] chain;
581
582 private List<byte[]> encodedChain;
583
584 private int messageLength;
585
586 CertificateMsg(X509Certificate[] certs) {
587 chain = certs;
588 }
589
590 CertificateMsg(HandshakeInStream input) throws IOException {
591 int chainLen = input.getInt24();
592 List<Certificate> v = new ArrayList<>(4);
593
594 CertificateFactory cf = null;
595 while (chainLen > 0) {
596 byte[] cert = input.getBytes24();
597 chainLen -= (3 + cert.length);
598 try {
599 if (cf == null) {
600 cf = CertificateFactory.getInstance("X.509");
601 }
602 v.add(cf.generateCertificate(new ByteArrayInputStream(cert)));
603 } catch (CertificateException e) {
604 throw (SSLProtocolException)new SSLProtocolException(
605 e.getMessage()).initCause(e);
606 }
607 }
608
609 chain = v.toArray(new X509Certificate[v.size()]);
610 }
611
612 @Override
613 int messageLength() {
614 if (encodedChain == null) {
615 messageLength = 3;
616 encodedChain = new ArrayList<byte[]>(chain.length);
617 try {
618 for (X509Certificate cert : chain) {
619 byte[] b = cert.getEncoded();
620 encodedChain.add(b);
621 messageLength += b.length + 3;
622 }
623 } catch (CertificateEncodingException e) {
624 encodedChain = null;
625 throw new RuntimeException("Could not encode certificates", e);
626 }
627 }
628 return messageLength;
629 }
630
631 @Override
632 void send(HandshakeOutStream s) throws IOException {
633 s.putInt24(messageLength() - 3);
634 for (byte[] b : encodedChain) {
635 s.putBytes24(b);
636 }
637 }
638
639 @Override
640 void print(PrintStream s) throws IOException {
641 s.println("*** Certificate chain");
642
643 if (chain.length == 0) {
644 s.println("<Empty>");
645 } else if (debug != null && Debug.isOn("verbose")) {
646 for (int i = 0; i < chain.length; i++) {
647 s.println("chain [" + i + "] = " + chain[i]);
648 }
649 }
650 s.println("***");
651 }
652
653 X509Certificate[] getCertificateChain() {
654 return chain.clone();
655 }
656 }
657
658 /*
659 * CertificateStatus ... SERVER --> CLIENT
660 *
661 * When a ClientHello asserting the status_request or status_request_v2
662 * extensions is accepted by the server, it will fetch and return one
663 * or more status responses in this handshake message.
664 *
665 * NOTE: Like the Certificate handshake message, this can potentially
666 * be a very large message both due to the size of multiple status
667 * responses and the certificate chains that are often attached to them.
668 * Up to 2^24 bytes of status responses may be sent, possibly fragmented
669 * over multiple TLS records.
670 */
671 static final class CertificateStatus extends HandshakeMessage
672 {
673 private final StatusRequestType statusType;
674 private int encodedResponsesLen;
675 private int messageLength = -1;
676 private List<byte[]> encodedResponses;
677
678 @Override
679 int messageType() { return ht_certificate_status; }
680
681 /**
682 * Create a CertificateStatus message from the certificates and their
683 * respective OCSP responses
684 *
685 * @param type an indication of the type of response (OCSP or OCSP_MULTI)
686 * @param responses a {@code List} of OCSP responses in DER-encoded form.
687 * For the OCSP type, only the first entry in the response list is
688 * used, and must correspond to the end-entity certificate sent to the
689 * peer. Zero-length or null values for the response data are not
690 * allowed for the OCSP type. For the OCSP_MULTI type, each entry in
691 * the list should match its corresponding certificate sent in the
692 * Server Certificate message. Where an OCSP response does not exist,
693 * either a zero-length array or a null value should be used.
694 *
695 * @throws SSLException if an unsupported StatusRequestType or invalid
696 * OCSP response data is provided.
697 */
698 CertificateStatus(StatusRequestType type, X509Certificate[] chain,
699 Map<X509Certificate, byte[]> responses) {
700 statusType = type;
701 encodedResponsesLen = 0;
702 encodedResponses = new ArrayList<>(chain.length);
703
704 Objects.requireNonNull(chain, "Null chain not allowed");
705 Objects.requireNonNull(responses, "Null responses not allowed");
706
707 if (statusType == StatusRequestType.OCSP) {
708 // Just get the response for the end-entity certificate
709 byte[] respDER = responses.get(chain[0]);
710 if (respDER != null && respDER.length > 0) {
711 encodedResponses.add(respDER);
712 encodedResponsesLen = 3 + respDER.length;
713 } else {
714 throw new IllegalArgumentException("Zero-length or null " +
715 "OCSP Response");
716 }
717 } else if (statusType == StatusRequestType.OCSP_MULTI) {
718 for (X509Certificate cert : chain) {
719 byte[] respDER = responses.get(cert);
720 if (respDER != null) {
721 encodedResponses.add(respDER);
722 encodedResponsesLen += (respDER.length + 3);
723 } else {
724 // If we cannot find a response for a given certificate
725 // then use a zero-length placeholder.
726 encodedResponses.add(new byte[0]);
727 encodedResponsesLen += 3;
728 }
729 }
730 } else {
731 throw new IllegalArgumentException(
732 "Unsupported StatusResponseType: " + statusType);
733 }
734 }
735
736 /**
737 * Decode the CertificateStatus handshake message coming from a
738 * {@code HandshakeInputStream}.
739 *
740 * @param input the {@code HandshakeInputStream} containing the
741 * CertificateStatus message bytes.
742 *
743 * @throws SSLHandshakeException if a zero-length response is found in the
744 * OCSP response type, or an unsupported response type is detected.
745 * @throws IOException if a decoding error occurs.
746 */
747 CertificateStatus(HandshakeInStream input) throws IOException {
748 encodedResponsesLen = 0;
749 encodedResponses = new ArrayList<>();
750
751 statusType = StatusRequestType.get(input.getInt8());
752 if (statusType == StatusRequestType.OCSP) {
753 byte[] respDER = input.getBytes24();
754 // Convert the incoming bytes to a OCSPResponse strucutre
755 if (respDER.length > 0) {
756 encodedResponses.add(respDER);
757 encodedResponsesLen = 3 + respDER.length;
758 } else {
759 throw new SSLHandshakeException("Zero-length OCSP Response");
760 }
761 } else if (statusType == StatusRequestType.OCSP_MULTI) {
762 int respListLen = input.getInt24();
763 encodedResponsesLen = respListLen;
764
765 // Add each OCSP reponse into the array list in the order
766 // we receive them off the wire. A zero-length array is
767 // allowed for ocsp_multi, and means that a response for
768 // a given certificate is not available.
769 while (respListLen > 0) {
770 byte[] respDER = input.getBytes24();
771 encodedResponses.add(respDER);
772 respListLen -= (respDER.length + 3);
773 }
774
775 if (respListLen != 0) {
776 throw new SSLHandshakeException(
777 "Bad OCSP response list length");
778 }
779 } else {
780 throw new SSLHandshakeException("Unsupported StatusResponseType: " +
781 statusType);
782 }
783 }
784
785 /**
786 * Get the length of the CertificateStatus message.
787 *
788 * @return the length of the message in bytes.
789 */
790 @Override
791 int messageLength() {
792 int len = 1; // Length + Status type
793
794 if (messageLength == -1) {
795 if (statusType == StatusRequestType.OCSP) {
796 len += encodedResponsesLen;
797 } else if (statusType == StatusRequestType.OCSP_MULTI) {
798 len += 3 + encodedResponsesLen;
799 }
800 messageLength = len;
801 }
802
803 return messageLength;
804 }
805
806 /**
807 * Encode the CertificateStatus handshake message and place it on a
808 * {@code HandshakeOutputStream}.
809 *
810 * @param s the HandshakeOutputStream that will the message bytes.
811 *
812 * @throws IOException if an encoding error occurs.
813 */
814 @Override
815 void send(HandshakeOutStream s) throws IOException {
816 s.putInt8(statusType.id);
817 if (statusType == StatusRequestType.OCSP) {
818 s.putBytes24(encodedResponses.get(0));
819 } else if (statusType == StatusRequestType.OCSP_MULTI) {
820 s.putInt24(encodedResponsesLen);
821 for (byte[] respBytes : encodedResponses) {
822 if (respBytes != null) {
823 s.putBytes24(respBytes);
824 } else {
825 s.putBytes24(null);
826 }
827 }
828 } else {
829 // It is highly unlikely that we will fall into this section of
830 // the code.
831 throw new SSLHandshakeException("Unsupported status_type: " +
832 statusType.id);
833 }
834 }
835
836 /**
837 * Display a human-readable representation of the CertificateStatus message.
838 *
839 * @param s the PrintStream used to display the message data.
840 *
841 * @throws IOException if any errors occur while parsing the OCSP response
842 * bytes into a readable form.
843 */
844 @Override
845 void print(PrintStream s) throws IOException {
846 s.println("*** CertificateStatus");
847 if (debug != null && Debug.isOn("verbose")) {
848 s.println("Type: " + statusType);
849 if (statusType == StatusRequestType.OCSP) {
850 OCSPResponse oResp = new OCSPResponse(encodedResponses.get(0));
851 s.println(oResp);
852 } else if (statusType == StatusRequestType.OCSP_MULTI) {
853 int numResponses = encodedResponses.size();
854 s.println(numResponses +
855 (numResponses == 1 ? " entry:" : " entries:"));
856 for (byte[] respDER : encodedResponses) {
857 if (respDER.length > 0) {
858 OCSPResponse oResp = new OCSPResponse(respDER);
859 s.println(oResp);
860 } else {
861 s.println("<Zero-length entry>");
862 }
863 }
864 }
865 }
866 }
867
868 /**
869 * Get the type of CertificateStatus message
870 *
871 * @return the {@code StatusRequestType} for this CertificateStatus
872 * message.
873 */
874 StatusRequestType getType() {
875 return statusType;
876 }
877
878 /**
879 * Get the list of non-zero length OCSP responses.
880 * The responses returned in this list can be used to map to
881 * {@code X509Certificate} objects provided by the peer and
882 * provided to a {@code PKIXRevocationChecker}.
883 *
884 * @return an unmodifiable List of zero or more byte arrays, each one
885 * consisting of a single status response.
886 */
887 List<byte[]> getResponses() {
888 return Collections.unmodifiableList(encodedResponses);
889 }
890 }
891
892 /*
893 * ServerKeyExchange ... SERVER --> CLIENT
894 *
895 * The cipher suite selected, when combined with the certificate exchanged,
896 * implies one of several different kinds of key exchange. Most current
897 * cipher suites require the server to send more than its certificate.
898 *
899 * The primary exceptions are when a server sends an encryption-capable
900 * RSA public key in its cert, to be used with RSA (or RSA_export) key
901 * exchange; and when a server sends its Diffie-Hellman cert. Those kinds
902 * of key exchange do not require a ServerKeyExchange message.
903 *
904 * Key exchange can be viewed as having three modes, which are explicit
905 * for the Diffie-Hellman flavors and poorly specified for RSA ones:
906 *
907 * - "Ephemeral" keys. Here, a "temporary" key is allocated by the
908 * server, and signed. Diffie-Hellman keys signed using RSA or
909 * DSS are ephemeral (DHE flavor). RSA keys get used to do the same
910 * thing, to cut the key size down to 512 bits (export restrictions)
911 * or for signing-only RSA certificates.
912 *
913 * - Anonymity. Here no server certificate is sent, only the public
914 * key of the server. This case is subject to man-in-the-middle
915 * attacks. This can be done with Diffie-Hellman keys (DH_anon) or
916 * with RSA keys, but is only used in SSLv3 for DH_anon.
917 *
918 * - "Normal" case. Here a server certificate is sent, and the public
919 * key there is used directly in exchanging the premaster secret.
920 * For example, Diffie-Hellman "DH" flavor, and any RSA flavor with
921 * only 512 bit keys.
922 *
923 * If a server certificate is sent, there is no anonymity. However,
924 * when a certificate is sent, ephemeral keys may still be used to
925 * exchange the premaster secret. That's how RSA_EXPORT often works,
926 * as well as how the DHE_* flavors work.
927 */
928 abstract static class ServerKeyExchange extends HandshakeMessage
929 {
930 @Override
931 int messageType() { return ht_server_key_exchange; }
932 }
933
934
935 /*
936 * Using RSA for Key Exchange: exchange a session key that's not as big
937 * as the signing-only key. Used for export applications, since exported
938 * RSA encryption keys can't be bigger than 512 bytes.
939 *
940 * This is never used when keys are 512 bits or smaller, and isn't used
941 * on "US Domestic" ciphers in any case.
942 */
943 static final
944 class RSA_ServerKeyExchange extends ServerKeyExchange
945 {
946 private byte[] rsa_modulus; // 1 to 2^16 - 1 bytes
947 private byte[] rsa_exponent; // 1 to 2^16 - 1 bytes
948
949 private Signature signature;
950 private byte[] signatureBytes;
951
952 /*
953 * Hash the nonces and the ephemeral RSA public key.
954 */
955 private void updateSignature(byte[] clntNonce, byte[] svrNonce)
956 throws SignatureException {
957 int tmp;
958
959 signature.update(clntNonce);
960 signature.update(svrNonce);
961
962 tmp = rsa_modulus.length;
963 signature.update((byte)(tmp >> 8));
964 signature.update((byte)(tmp & 0x0ff));
965 signature.update(rsa_modulus);
966
967 tmp = rsa_exponent.length;
968 signature.update((byte)(tmp >> 8));
969 signature.update((byte)(tmp & 0x0ff));
970 signature.update(rsa_exponent);
971 }
972
973
974 /*
975 * Construct an RSA server key exchange message, using data
976 * known _only_ to the server.
977 *
978 * The client knows the public key corresponding to this private
979 * key, from the Certificate message sent previously. To comply
980 * with US export regulations we use short RSA keys ... either
981 * long term ones in the server's X509 cert, or else ephemeral
982 * ones sent using this message.
983 */
984 RSA_ServerKeyExchange(PublicKey ephemeralKey, PrivateKey privateKey,
985 RandomCookie clntNonce, RandomCookie svrNonce, SecureRandom sr)
986 throws GeneralSecurityException {
987 RSAPublicKeySpec rsaKey = JsseJce.getRSAPublicKeySpec(ephemeralKey);
988 rsa_modulus = toByteArray(rsaKey.getModulus());
989 rsa_exponent = toByteArray(rsaKey.getPublicExponent());
990 signature = RSASignature.getInstance();
991 signature.initSign(privateKey, sr);
992 updateSignature(clntNonce.random_bytes, svrNonce.random_bytes);
993 signatureBytes = signature.sign();
994 }
995
996
997 /*
998 * Parse an RSA server key exchange message, using data known
999 * to the client (and, in some situations, eavesdroppers).
1000 */
1001 RSA_ServerKeyExchange(HandshakeInStream input)
1002 throws IOException, NoSuchAlgorithmException {
1003 signature = RSASignature.getInstance();
1004 rsa_modulus = input.getBytes16();
1005 rsa_exponent = input.getBytes16();
1006 signatureBytes = input.getBytes16();
1007 }
1008
1009 /*
1010 * Get the ephemeral RSA public key that will be used in this
1011 * SSL connection.
1012 */
1013 PublicKey getPublicKey() {
1014 try {
1015 KeyFactory kfac = JsseJce.getKeyFactory("RSA");
1016 // modulus and exponent are always positive
1017 RSAPublicKeySpec kspec = new RSAPublicKeySpec(
1018 new BigInteger(1, rsa_modulus),
1019 new BigInteger(1, rsa_exponent));
1020 return kfac.generatePublic(kspec);
1021 } catch (Exception e) {
1022 throw new RuntimeException(e);
1023 }
1024 }
1025
1026 /*
1027 * Verify the signed temporary key using the hashes computed
1028 * from it and the two nonces. This is called by clients
1029 * with "exportable" RSA flavors.
1030 */
1031 boolean verify(PublicKey certifiedKey, RandomCookie clntNonce,
1032 RandomCookie svrNonce) throws GeneralSecurityException {
1033 signature.initVerify(certifiedKey);
1034 updateSignature(clntNonce.random_bytes, svrNonce.random_bytes);
1035 return signature.verify(signatureBytes);
1036 }
1037
1038 @Override
1039 int messageLength() {
1040 return 6 + rsa_modulus.length + rsa_exponent.length
1041 + signatureBytes.length;
1042 }
1043
1044 @Override
1045 void send(HandshakeOutStream s) throws IOException {
1046 s.putBytes16(rsa_modulus);
1047 s.putBytes16(rsa_exponent);
1048 s.putBytes16(signatureBytes);
1049 }
1050
1051 @Override
1052 void print(PrintStream s) throws IOException {
1053 s.println("*** RSA ServerKeyExchange");
1054
1055 if (debug != null && Debug.isOn("verbose")) {
1056 Debug.println(s, "RSA Modulus", rsa_modulus);
1057 Debug.println(s, "RSA Public Exponent", rsa_exponent);
1058 }
1059 }
1060 }
1061
1062
1063 /*
1064 * Using Diffie-Hellman algorithm for key exchange. All we really need to
1065 * do is securely get Diffie-Hellman keys (using the same P, G parameters)
1066 * to our peer, then we automatically have a shared secret without need
1067 * to exchange any more data. (D-H only solutions, such as SKIP, could
1068 * eliminate key exchange negotiations and get faster connection setup.
1069 * But they still need a signature algorithm like DSS/DSA to support the
1070 * trusted distribution of keys without relying on unscalable physical
1071 * key distribution systems.)
1072 *
1073 * This class supports several DH-based key exchange algorithms, though
1074 * perhaps eventually each deserves its own class. Notably, this has
1075 * basic support for DH_anon and its DHE_DSS and DHE_RSA signed variants.
1076 */
1077 static final
1078 class DH_ServerKeyExchange extends ServerKeyExchange
1079 {
1080 // Fix message encoding, see 4348279
1081 private static final boolean dhKeyExchangeFix =
1082 Debug.getBooleanProperty("com.sun.net.ssl.dhKeyExchangeFix", true);
1083
1084 private byte[] dh_p; // 1 to 2^16 - 1 bytes
1085 private byte[] dh_g; // 1 to 2^16 - 1 bytes
1086 private byte[] dh_Ys; // 1 to 2^16 - 1 bytes
1087
1088 private byte[] signature;
1089
1090 // protocol version being established using this ServerKeyExchange message
1091 ProtocolVersion protocolVersion;
1092
1093 // the preferable signature algorithm used by this ServerKeyExchange message
1094 private SignatureAndHashAlgorithm preferableSignatureAlgorithm;
1095
1096 /*
1097 * Construct from initialized DH key object, for DH_anon
1098 * key exchange.
1099 */
1100 DH_ServerKeyExchange(DHCrypt obj, ProtocolVersion protocolVersion) {
1101 this.protocolVersion = protocolVersion;
1102 this.preferableSignatureAlgorithm = null;
1103
1104 // The DH key has been validated in the constructor of DHCrypt.
1105 setValues(obj);
1106 signature = null;
1107 }
1108
1109 /*
1110 * Construct from initialized DH key object and the key associated
1111 * with the cert chain which was sent ... for DHE_DSS and DHE_RSA
1112 * key exchange. (Constructor called by server.)
1113 */
1114 DH_ServerKeyExchange(DHCrypt obj, PrivateKey key, byte[] clntNonce,
1115 byte[] svrNonce, SecureRandom sr,
1116 SignatureAndHashAlgorithm signAlgorithm,
1117 ProtocolVersion protocolVersion) throws GeneralSecurityException {
1118
1119 this.protocolVersion = protocolVersion;
1120
1121 // The DH key has been validated in the constructor of DHCrypt.
1122 setValues(obj);
1123
1124 Signature sig;
1125 if (protocolVersion.useTLS12PlusSpec()) {
1126 this.preferableSignatureAlgorithm = signAlgorithm;
1127 sig = JsseJce.getSignature(signAlgorithm.getAlgorithmName());
1128 } else {
1129 this.preferableSignatureAlgorithm = null;
1130 if (key.getAlgorithm().equals("DSA")) {
1131 sig = JsseJce.getSignature(JsseJce.SIGNATURE_DSA);
1132 } else {
1133 sig = RSASignature.getInstance();
1134 }
1135 }
1136
1137 sig.initSign(key, sr);
1138 updateSignature(sig, clntNonce, svrNonce);
1139 signature = sig.sign();
1140 }
1141
1142 /*
1143 * Construct a DH_ServerKeyExchange message from an input
1144 * stream, as if sent from server to client for use with
1145 * DH_anon key exchange
1146 */
1147 DH_ServerKeyExchange(HandshakeInStream input,
1148 ProtocolVersion protocolVersion)
1149 throws IOException, GeneralSecurityException {
1150
1151 this.protocolVersion = protocolVersion;
1152 this.preferableSignatureAlgorithm = null;
1153
1154 dh_p = input.getBytes16();
1155 dh_g = input.getBytes16();
1156 dh_Ys = input.getBytes16();
1157 KeyUtil.validate(new DHPublicKeySpec(new BigInteger(1, dh_Ys),
1158 new BigInteger(1, dh_p),
1159 new BigInteger(1, dh_g)));
1160
1161 signature = null;
1162 }
1163
1164 /*
1165 * Construct a DH_ServerKeyExchange message from an input stream
1166 * and a certificate, as if sent from server to client for use with
1167 * DHE_DSS or DHE_RSA key exchange. (Called by client.)
1168 */
1169 DH_ServerKeyExchange(HandshakeInStream input, PublicKey publicKey,
1170 byte[] clntNonce, byte[] svrNonce, int messageSize,
1171 Collection<SignatureAndHashAlgorithm> localSupportedSignAlgs,
1172 ProtocolVersion protocolVersion)
1173 throws IOException, GeneralSecurityException {
1174
1175 this.protocolVersion = protocolVersion;
1176
1177 // read params: ServerDHParams
1178 dh_p = input.getBytes16();
1179 dh_g = input.getBytes16();
1180 dh_Ys = input.getBytes16();
1181 KeyUtil.validate(new DHPublicKeySpec(new BigInteger(1, dh_Ys),
1182 new BigInteger(1, dh_p),
1183 new BigInteger(1, dh_g)));
1184
1185 // read the signature and hash algorithm
1186 if (protocolVersion.useTLS12PlusSpec()) {
1187 int hash = input.getInt8(); // hash algorithm
1188 int signature = input.getInt8(); // signature algorithm
1189
1190 preferableSignatureAlgorithm =
1191 SignatureAndHashAlgorithm.valueOf(hash, signature, 0);
1192
1193 // Is it a local supported signature algorithm?
1194 if (!localSupportedSignAlgs.contains(
1195 preferableSignatureAlgorithm)) {
1196 throw new SSLHandshakeException(
1197 "Unsupported SignatureAndHashAlgorithm in " +
1198 "ServerKeyExchange message: " +
1199 preferableSignatureAlgorithm);
1200 }
1201 } else {
1202 this.preferableSignatureAlgorithm = null;
1203 }
1204
1205 // read the signature
1206 byte[] signature;
1207 if (dhKeyExchangeFix) {
1208 signature = input.getBytes16();
1209 } else {
1210 messageSize -= (dh_p.length + 2);
1211 messageSize -= (dh_g.length + 2);
1212 messageSize -= (dh_Ys.length + 2);
1213
1214 signature = new byte[messageSize];
1215 input.read(signature);
1216 }
1217
1218 Signature sig;
1219 String algorithm = publicKey.getAlgorithm();
1220 if (protocolVersion.useTLS12PlusSpec()) {
1221 sig = JsseJce.getSignature(
1222 preferableSignatureAlgorithm.getAlgorithmName());
1223 } else {
1224 switch (algorithm) {
1225 case "DSA":
1226 sig = JsseJce.getSignature(JsseJce.SIGNATURE_DSA);
1227 break;
1228 case "RSA":
1229 sig = RSASignature.getInstance();
1230 break;
1231 default:
1232 throw new SSLKeyException(
1233 "neither an RSA or a DSA key: " + algorithm);
1234 }
1235 }
1236
1237 sig.initVerify(publicKey);
1238 updateSignature(sig, clntNonce, svrNonce);
1239
1240 if (sig.verify(signature) == false ) {
1241 throw new SSLKeyException("Server D-H key verification failed");
1242 }
1243 }
1244
1245 /* Return the Diffie-Hellman modulus */
1246 BigInteger getModulus() {
1247 return new BigInteger(1, dh_p);
1248 }
1249
1250 /* Return the Diffie-Hellman base/generator */
1251 BigInteger getBase() {
1252 return new BigInteger(1, dh_g);
1253 }
1254
1255 /* Return the server's Diffie-Hellman public key */
1256 BigInteger getServerPublicKey() {
1257 return new BigInteger(1, dh_Ys);
1258 }
1259
1260 /*
1261 * Update sig with nonces and Diffie-Hellman public key.
1262 */
1263 private void updateSignature(Signature sig, byte[] clntNonce,
1264 byte[] svrNonce) throws SignatureException {
1265 int tmp;
1266
1267 sig.update(clntNonce);
1268 sig.update(svrNonce);
1269
1270 tmp = dh_p.length;
1271 sig.update((byte)(tmp >> 8));
1272 sig.update((byte)(tmp & 0x0ff));
1273 sig.update(dh_p);
1274
1275 tmp = dh_g.length;
1276 sig.update((byte)(tmp >> 8));
1277 sig.update((byte)(tmp & 0x0ff));
1278 sig.update(dh_g);
1279
1280 tmp = dh_Ys.length;
1281 sig.update((byte)(tmp >> 8));
1282 sig.update((byte)(tmp & 0x0ff));
1283 sig.update(dh_Ys);
1284 }
1285
1286 private void setValues(DHCrypt obj) {
1287 dh_p = toByteArray(obj.getModulus());
1288 dh_g = toByteArray(obj.getBase());
1289 dh_Ys = toByteArray(obj.getPublicKey());
1290 }
1291
1292 @Override
1293 int messageLength() {
1294 int temp = 6; // overhead for p, g, y(s) values.
1295
1296 temp += dh_p.length;
1297 temp += dh_g.length;
1298 temp += dh_Ys.length;
1299
1300 if (signature != null) {
1301 if (protocolVersion.useTLS12PlusSpec()) {
1302 temp += SignatureAndHashAlgorithm.sizeInRecord();
1303 }
1304
1305 temp += signature.length;
1306 if (dhKeyExchangeFix) {
1307 temp += 2;
1308 }
1309 }
1310
1311 return temp;
1312 }
1313
1314 @Override
1315 void send(HandshakeOutStream s) throws IOException {
1316 s.putBytes16(dh_p);
1317 s.putBytes16(dh_g);
1318 s.putBytes16(dh_Ys);
1319
1320 if (signature != null) {
1321 if (protocolVersion.useTLS12PlusSpec()) {
1322 s.putInt8(preferableSignatureAlgorithm.getHashValue());
1323 s.putInt8(preferableSignatureAlgorithm.getSignatureValue());
1324 }
1325
1326 if (dhKeyExchangeFix) {
1327 s.putBytes16(signature);
1328 } else {
1329 s.write(signature);
1330 }
1331 }
1332 }
1333
1334 @Override
1335 void print(PrintStream s) throws IOException {
1336 s.println("*** Diffie-Hellman ServerKeyExchange");
1337
1338 if (debug != null && Debug.isOn("verbose")) {
1339 Debug.println(s, "DH Modulus", dh_p);
1340 Debug.println(s, "DH Base", dh_g);
1341 Debug.println(s, "Server DH Public Key", dh_Ys);
1342
1343 if (signature == null) {
1344 s.println("Anonymous");
1345 } else {
1346 if (protocolVersion.useTLS12PlusSpec()) {
1347 s.println("Signature Algorithm " +
1348 preferableSignatureAlgorithm.getAlgorithmName());
1349 }
1350
1351 s.println("Signed with a DSA or RSA public key");
1352 }
1353 }
1354 }
1355 }
1356
1357 /*
1358 * ECDH server key exchange message. Sent by the server for ECDHE and ECDH_anon
1359 * ciphersuites to communicate its ephemeral public key (including the
1360 * EC domain parameters).
1361 *
1362 * We support named curves only, no explicitly encoded curves.
1363 */
1364 static final
1365 class ECDH_ServerKeyExchange extends ServerKeyExchange {
1366
1367 // constants for ECCurveType
1368 private static final int CURVE_EXPLICIT_PRIME = 1;
1369 private static final int CURVE_EXPLICIT_CHAR2 = 2;
1370 private static final int CURVE_NAMED_CURVE = 3;
1371
1372 // id of the curve we are using
1373 private int curveId;
1374 // encoded public point
1375 private byte[] pointBytes;
1376
1377 // signature bytes (or null if anonymous)
1378 private byte[] signatureBytes;
1379
1380 // public key object encapsulated in this message
1381 private ECPublicKey publicKey;
1382
1383 // protocol version being established using this ServerKeyExchange message
1384 ProtocolVersion protocolVersion;
1385
1386 // the preferable signature algorithm used by this ServerKeyExchange message
1387 private SignatureAndHashAlgorithm preferableSignatureAlgorithm;
1388
1389 ECDH_ServerKeyExchange(ECDHCrypt obj, PrivateKey privateKey,
1390 byte[] clntNonce, byte[] svrNonce, SecureRandom sr,
1391 SignatureAndHashAlgorithm signAlgorithm,
1392 ProtocolVersion protocolVersion) throws GeneralSecurityException {
1393
1394 this.protocolVersion = protocolVersion;
1395
1396 publicKey = (ECPublicKey)obj.getPublicKey();
1397 ECParameterSpec params = publicKey.getParams();
1398 ECPoint point = publicKey.getW();
1399 pointBytes = JsseJce.encodePoint(point, params.getCurve());
1400 curveId = EllipticCurvesExtension.getCurveIndex(params);
1401
1402 if (privateKey == null) {
1403 // ECDH_anon
1404 return;
1405 }
1406
1407 Signature sig;
1408 if (protocolVersion.useTLS12PlusSpec()) {
1409 this.preferableSignatureAlgorithm = signAlgorithm;
1410 sig = JsseJce.getSignature(signAlgorithm.getAlgorithmName());
1411 } else {
1412 sig = getSignature(privateKey.getAlgorithm());
1413 }
1414 sig.initSign(privateKey); // where is the SecureRandom?
1415
1416 updateSignature(sig, clntNonce, svrNonce);
1417 signatureBytes = sig.sign();
1418 }
1419
1420 /*
1421 * Parse an ECDH server key exchange message.
1422 */
1423 ECDH_ServerKeyExchange(HandshakeInStream input, PublicKey signingKey,
1424 byte[] clntNonce, byte[] svrNonce,
1425 Collection<SignatureAndHashAlgorithm> localSupportedSignAlgs,
1426 ProtocolVersion protocolVersion)
1427 throws IOException, GeneralSecurityException {
1428
1429 this.protocolVersion = protocolVersion;
1430
1431 // read params: ServerECDHParams
1432 int curveType = input.getInt8();
1433 ECParameterSpec parameters;
1434 // These parsing errors should never occur as we negotiated
1435 // the supported curves during the exchange of the Hello messages.
1436 if (curveType == CURVE_NAMED_CURVE) {
1437 curveId = input.getInt16();
1438 if (!EllipticCurvesExtension.isSupported(curveId)) {
1439 throw new SSLHandshakeException(
1440 "Unsupported curveId: " + curveId);
1441 }
1442 String curveOid = EllipticCurvesExtension.getCurveOid(curveId);
1443 if (curveOid == null) {
1444 throw new SSLHandshakeException(
1445 "Unknown named curve: " + curveId);
1446 }
1447 parameters = JsseJce.getECParameterSpec(curveOid);
1448 if (parameters == null) {
1449 throw new SSLHandshakeException(
1450 "Unsupported curve: " + curveOid);
1451 }
1452 } else {
1453 throw new SSLHandshakeException(
1454 "Unsupported ECCurveType: " + curveType);
1455 }
1456 pointBytes = input.getBytes8();
1457
1458 ECPoint point = JsseJce.decodePoint(pointBytes, parameters.getCurve());
1459 KeyFactory factory = JsseJce.getKeyFactory("EC");
1460 publicKey = (ECPublicKey)factory.generatePublic(
1461 new ECPublicKeySpec(point, parameters));
1462
1463 if (signingKey == null) {
1464 // ECDH_anon
1465 return;
1466 }
1467
1468 // read the signature and hash algorithm
1469 if (protocolVersion.useTLS12PlusSpec()) {
1470 int hash = input.getInt8(); // hash algorithm
1471 int signature = input.getInt8(); // signature algorithm
1472
1473 preferableSignatureAlgorithm =
1474 SignatureAndHashAlgorithm.valueOf(hash, signature, 0);
1475
1476 // Is it a local supported signature algorithm?
1477 if (!localSupportedSignAlgs.contains(
1478 preferableSignatureAlgorithm)) {
1479 throw new SSLHandshakeException(
1480 "Unsupported SignatureAndHashAlgorithm in " +
1481 "ServerKeyExchange message: " +
1482 preferableSignatureAlgorithm);
1483 }
1484 }
1485
1486 // read the signature
1487 signatureBytes = input.getBytes16();
1488
1489 // verify the signature
1490 Signature sig;
1491 if (protocolVersion.useTLS12PlusSpec()) {
1492 sig = JsseJce.getSignature(
1493 preferableSignatureAlgorithm.getAlgorithmName());
1494 } else {
1495 sig = getSignature(signingKey.getAlgorithm());
1496 }
1497 sig.initVerify(signingKey);
1498
1499 updateSignature(sig, clntNonce, svrNonce);
1500
1501 if (sig.verify(signatureBytes) == false ) {
1502 throw new SSLKeyException(
1503 "Invalid signature on ECDH server key exchange message");
1504 }
1505 }
1506
1507 /*
1508 * Get the ephemeral EC public key encapsulated in this message.
1509 */
1510 ECPublicKey getPublicKey() {
1511 return publicKey;
1512 }
1513
1514 private static Signature getSignature(String keyAlgorithm)
1515 throws NoSuchAlgorithmException {
1516 switch (keyAlgorithm) {
1517 case "EC":
1518 return JsseJce.getSignature(JsseJce.SIGNATURE_ECDSA);
1519 case "RSA":
1520 return RSASignature.getInstance();
1521 default:
1522 throw new NoSuchAlgorithmException(
1523 "neither an RSA or a EC key : " + keyAlgorithm);
1524 }
1525 }
1526
1527 private void updateSignature(Signature sig, byte[] clntNonce,
1528 byte[] svrNonce) throws SignatureException {
1529 sig.update(clntNonce);
1530 sig.update(svrNonce);
1531
1532 sig.update((byte)CURVE_NAMED_CURVE);
1533 sig.update((byte)(curveId >> 8));
1534 sig.update((byte)curveId);
1535 sig.update((byte)pointBytes.length);
1536 sig.update(pointBytes);
1537 }
1538
1539 @Override
1540 int messageLength() {
1541 int sigLen = 0;
1542 if (signatureBytes != null) {
1543 sigLen = 2 + signatureBytes.length;
1544 if (protocolVersion.useTLS12PlusSpec()) {
1545 sigLen += SignatureAndHashAlgorithm.sizeInRecord();
1546 }
1547 }
1548
1549 return 4 + pointBytes.length + sigLen;
1550 }
1551
1552 @Override
1553 void send(HandshakeOutStream s) throws IOException {
1554 s.putInt8(CURVE_NAMED_CURVE);
1555 s.putInt16(curveId);
1556 s.putBytes8(pointBytes);
1557
1558 if (signatureBytes != null) {
1559 if (protocolVersion.useTLS12PlusSpec()) {
1560 s.putInt8(preferableSignatureAlgorithm.getHashValue());
1561 s.putInt8(preferableSignatureAlgorithm.getSignatureValue());
1562 }
1563
1564 s.putBytes16(signatureBytes);
1565 }
1566 }
1567
1568 @Override
1569 void print(PrintStream s) throws IOException {
1570 s.println("*** ECDH ServerKeyExchange");
1571
1572 if (debug != null && Debug.isOn("verbose")) {
1573 if (signatureBytes == null) {
1574 s.println("Anonymous");
1575 } else {
1576 if (protocolVersion.useTLS12PlusSpec()) {
1577 s.println("Signature Algorithm " +
1578 preferableSignatureAlgorithm.getAlgorithmName());
1579 }
1580 }
1581
1582 s.println("Server key: " + publicKey);
1583 }
1584 }
1585 }
1586
1587 static final class DistinguishedName {
1588
1589 /*
1590 * DER encoded distinguished name.
1591 * TLS requires that its not longer than 65535 bytes.
1592 */
1593 byte[] name;
1594
1595 DistinguishedName(HandshakeInStream input) throws IOException {
1596 name = input.getBytes16();
1597 }
1598
1599 DistinguishedName(X500Principal dn) {
1600 name = dn.getEncoded();
1601 }
1602
1603 X500Principal getX500Principal() throws IOException {
1604 try {
1605 return new X500Principal(name);
1606 } catch (IllegalArgumentException e) {
1607 throw (SSLProtocolException)new SSLProtocolException(
1608 e.getMessage()).initCause(e);
1609 }
1610 }
1611
1612 int length() {
1613 return 2 + name.length;
1614 }
1615
1616 void send(HandshakeOutStream output) throws IOException {
1617 output.putBytes16(name);
1618 }
1619
1620 void print(PrintStream output) throws IOException {
1621 X500Principal principal = new X500Principal(name);
1622 output.println("<" + principal.toString() + ">");
1623 }
1624 }
1625
1626 /*
1627 * CertificateRequest ... SERVER --> CLIENT
1628 *
1629 * Authenticated servers may ask clients to authenticate themselves
1630 * in turn, using this message.
1631 *
1632 * Prior to TLS 1.2, the structure of the message is defined as:
1633 * struct {
1634 * ClientCertificateType certificate_types<1..2^8-1>;
1635 * DistinguishedName certificate_authorities<0..2^16-1>;
1636 * } CertificateRequest;
1637 *
1638 * In TLS 1.2, the structure is changed to:
1639 * struct {
1640 * ClientCertificateType certificate_types<1..2^8-1>;
1641 * SignatureAndHashAlgorithm
1642 * supported_signature_algorithms<2^16-1>;
1643 * DistinguishedName certificate_authorities<0..2^16-1>;
1644 * } CertificateRequest;
1645 *
1646 */
1647 static final
1648 class CertificateRequest extends HandshakeMessage
1649 {
1650 // enum ClientCertificateType
1651 static final int cct_rsa_sign = 1;
1652 static final int cct_dss_sign = 2;
1653 static final int cct_rsa_fixed_dh = 3;
1654 static final int cct_dss_fixed_dh = 4;
1655
1656 // The existance of these two values is a bug in the SSL specification.
1657 // They are never used in the protocol.
1658 static final int cct_rsa_ephemeral_dh = 5;
1659 static final int cct_dss_ephemeral_dh = 6;
1660
1661 // From RFC 4492 (ECC)
1662 static final int cct_ecdsa_sign = 64;
1663 static final int cct_rsa_fixed_ecdh = 65;
1664 static final int cct_ecdsa_fixed_ecdh = 66;
1665
1666 private static final byte[] TYPES_NO_ECC = { cct_rsa_sign, cct_dss_sign };
1667 private static final byte[] TYPES_ECC =
1668 { cct_rsa_sign, cct_dss_sign, cct_ecdsa_sign };
1669
1670 byte[] types; // 1 to 255 types
1671 DistinguishedName[] authorities; // 3 to 2^16 - 1
1672 // ... "3" because that's the smallest DER-encoded X500 DN
1673
1674 // protocol version being established using this CertificateRequest message
1675 ProtocolVersion protocolVersion;
1676
1677 // supported_signature_algorithms for TLS 1.2 or later
1678 private Collection<SignatureAndHashAlgorithm> algorithms;
1679
1680 // length of supported_signature_algorithms
1681 private int algorithmsLen;
1682
1683 CertificateRequest(X509Certificate[] ca, KeyExchange keyExchange,
1684 Collection<SignatureAndHashAlgorithm> signAlgs,
1685 ProtocolVersion protocolVersion) throws IOException {
1686
1687 this.protocolVersion = protocolVersion;
1688
1689 // always use X500Principal
1690 authorities = new DistinguishedName[ca.length];
1691 for (int i = 0; i < ca.length; i++) {
1692 X500Principal x500Principal = ca[i].getSubjectX500Principal();
1693 authorities[i] = new DistinguishedName(x500Principal);
1694 }
1695 // we support RSA, DSS, and ECDSA client authentication and they
1696 // can be used with all ciphersuites. If this changes, the code
1697 // needs to be adapted to take keyExchange into account.
1698 // We only request ECDSA client auth if we have ECC crypto available.
1699 this.types = JsseJce.isEcAvailable() ? TYPES_ECC : TYPES_NO_ECC;
1700
1701 // Use supported_signature_algorithms for TLS 1.2 or later.
1702 if (protocolVersion.useTLS12PlusSpec()) {
1703 if (signAlgs == null || signAlgs.isEmpty()) {
1704 throw new SSLProtocolException(
1705 "No supported signature algorithms");
1706 }
1707
1708 algorithms = new ArrayList<SignatureAndHashAlgorithm>(signAlgs);
1709 algorithmsLen =
1710 SignatureAndHashAlgorithm.sizeInRecord() * algorithms.size();
1711 } else {
1712 algorithms = new ArrayList<SignatureAndHashAlgorithm>();
1713 algorithmsLen = 0;
1714 }
1715 }
1716
1717 CertificateRequest(HandshakeInStream input,
1718 ProtocolVersion protocolVersion) throws IOException {
1719
1720 this.protocolVersion = protocolVersion;
1721
1722 // Read the certificate_types.
1723 types = input.getBytes8();
1724
1725 // Read the supported_signature_algorithms for TLS 1.2 or later.
1726 if (protocolVersion.useTLS12PlusSpec()) {
1727 algorithmsLen = input.getInt16();
1728 if (algorithmsLen < 2) {
1729 throw new SSLProtocolException(
1730 "Invalid supported_signature_algorithms field: " +
1731 algorithmsLen);
1732 }
1733
1734 algorithms = new ArrayList<SignatureAndHashAlgorithm>();
1735 int remains = algorithmsLen;
1736 int sequence = 0;
1737 while (remains > 1) { // needs at least two bytes
1738 int hash = input.getInt8(); // hash algorithm
1739 int signature = input.getInt8(); // signature algorithm
1740
1741 SignatureAndHashAlgorithm algorithm =
1742 SignatureAndHashAlgorithm.valueOf(hash, signature,
1743 ++sequence);
1744 algorithms.add(algorithm);
1745 remains -= 2; // one byte for hash, one byte for signature
1746 }
1747
1748 if (remains != 0) {
1749 throw new SSLProtocolException(
1750 "Invalid supported_signature_algorithms field. remains: " +
1751 remains);
1752 }
1753 } else {
1754 algorithms = new ArrayList<SignatureAndHashAlgorithm>();
1755 algorithmsLen = 0;
1756 }
1757
1758 // read the certificate_authorities
1759 int len = input.getInt16();
1760 ArrayList<DistinguishedName> v = new ArrayList<>();
1761 while (len >= 3) {
1762 DistinguishedName dn = new DistinguishedName(input);
1763 v.add(dn);
1764 len -= dn.length();
1765 }
1766
1767 if (len != 0) {
1768 throw new SSLProtocolException(
1769 "Bad CertificateRequest DN length: " + len);
1770 }
1771
1772 authorities = v.toArray(new DistinguishedName[v.size()]);
1773 }
1774
1775 X500Principal[] getAuthorities() throws IOException {
1776 X500Principal[] ret = new X500Principal[authorities.length];
1777 for (int i = 0; i < authorities.length; i++) {
1778 ret[i] = authorities[i].getX500Principal();
1779 }
1780 return ret;
1781 }
1782
1783 Collection<SignatureAndHashAlgorithm> getSignAlgorithms() {
1784 return algorithms;
1785 }
1786
1787 @Override
1788 int messageType() {
1789 return ht_certificate_request;
1790 }
1791
1792 @Override
1793 int messageLength() {
1794 int len = 1 + types.length + 2;
1795
1796 if (protocolVersion.useTLS12PlusSpec()) {
1797 len += algorithmsLen + 2;
1798 }
1799
1800 for (int i = 0; i < authorities.length; i++) {
1801 len += authorities[i].length();
1802 }
1803
1804 return len;
1805 }
1806
1807 @Override
1808 void send(HandshakeOutStream output) throws IOException {
1809 // put certificate_types
1810 output.putBytes8(types);
1811
1812 // put supported_signature_algorithms
1813 if (protocolVersion.useTLS12PlusSpec()) {
1814 output.putInt16(algorithmsLen);
1815 for (SignatureAndHashAlgorithm algorithm : algorithms) {
1816 output.putInt8(algorithm.getHashValue()); // hash
1817 output.putInt8(algorithm.getSignatureValue()); // signature
1818 }
1819 }
1820
1821 // put certificate_authorities
1822 int len = 0;
1823 for (int i = 0; i < authorities.length; i++) {
1824 len += authorities[i].length();
1825 }
1826
1827 output.putInt16(len);
1828 for (int i = 0; i < authorities.length; i++) {
1829 authorities[i].send(output);
1830 }
1831 }
1832
1833 @Override
1834 void print(PrintStream s) throws IOException {
1835 s.println("*** CertificateRequest");
1836
1837 if (debug != null && Debug.isOn("verbose")) {
1838 s.print("Cert Types: ");
1839 for (int i = 0; i < types.length; i++) {
1840 switch (types[i]) {
1841 case cct_rsa_sign:
1842 s.print("RSA"); break;
1843 case cct_dss_sign:
1844 s.print("DSS"); break;
1845 case cct_rsa_fixed_dh:
1846 s.print("Fixed DH (RSA sig)"); break;
1847 case cct_dss_fixed_dh:
1848 s.print("Fixed DH (DSS sig)"); break;
1849 case cct_rsa_ephemeral_dh:
1850 s.print("Ephemeral DH (RSA sig)"); break;
1851 case cct_dss_ephemeral_dh:
1852 s.print("Ephemeral DH (DSS sig)"); break;
1853 case cct_ecdsa_sign:
1854 s.print("ECDSA"); break;
1855 case cct_rsa_fixed_ecdh:
1856 s.print("Fixed ECDH (RSA sig)"); break;
1857 case cct_ecdsa_fixed_ecdh:
1858 s.print("Fixed ECDH (ECDSA sig)"); break;
1859 default:
1860 s.print("Type-" + (types[i] & 0xff)); break;
1861 }
1862 if (i != types.length - 1) {
1863 s.print(", ");
1864 }
1865 }
1866 s.println();
1867
1868 if (protocolVersion.useTLS12PlusSpec()) {
1869 StringBuilder sb = new StringBuilder();
1870 boolean opened = false;
1871 for (SignatureAndHashAlgorithm signAlg : algorithms) {
1872 if (opened) {
1873 sb.append(", ").append(signAlg.getAlgorithmName());
1874 } else {
1875 sb.append(signAlg.getAlgorithmName());
1876 opened = true;
1877 }
1878 }
1879 s.println("Supported Signature Algorithms: " + sb);
1880 }
1881
1882 s.println("Cert Authorities:");
1883 if (authorities.length == 0) {
1884 s.println("<Empty>");
1885 } else {
1886 for (int i = 0; i < authorities.length; i++) {
1887 authorities[i].print(s);
1888 }
1889 }
1890 }
1891 }
1892 }
1893
1894
1895 /*
1896 * ServerHelloDone ... SERVER --> CLIENT
1897 *
1898 * When server's done sending its messages in response to the client's
1899 * "hello" (e.g. its own hello, certificate, key exchange message, perhaps
1900 * client certificate request) it sends this message to flag that it's
1901 * done that part of the handshake.
1902 */
1903 static final
1904 class ServerHelloDone extends HandshakeMessage
1905 {
1906 @Override
1907 int messageType() { return ht_server_hello_done; }
1908
1909 ServerHelloDone() { }
1910
1911 ServerHelloDone(HandshakeInStream input)
1912 {
1913 // nothing to do
1914 }
1915
1916 @Override
1917 int messageLength()
1918 {
1919 return 0;
1920 }
1921
1922 @Override
1923 void send(HandshakeOutStream s) throws IOException
1924 {
1925 // nothing to send
1926 }
1927
1928 @Override
1929 void print(PrintStream s) throws IOException
1930 {
1931 s.println("*** ServerHelloDone");
1932 }
1933 }
1934
1935
1936 /*
1937 * CertificateVerify ... CLIENT --> SERVER
1938 *
1939 * Sent after client sends signature-capable certificates (e.g. not
1940 * Diffie-Hellman) to verify.
1941 */
1942 static final class CertificateVerify extends HandshakeMessage {
1943
1944 // the signature bytes
1945 private byte[] signature;
1946
1947 // protocol version being established using this CertificateVerify message
1948 ProtocolVersion protocolVersion;
1949
1950 // the preferable signature algorithm used by this CertificateVerify message
1951 private SignatureAndHashAlgorithm preferableSignatureAlgorithm = null;
1952
1953 /*
1954 * Create an RSA or DSA signed certificate verify message.
1955 */
1956 CertificateVerify(ProtocolVersion protocolVersion,
1957 HandshakeHash handshakeHash, PrivateKey privateKey,
1958 SecretKey masterSecret, SecureRandom sr,
1959 SignatureAndHashAlgorithm signAlgorithm)
1960 throws GeneralSecurityException {
1961
1962 this.protocolVersion = protocolVersion;
1963
1964 String algorithm = privateKey.getAlgorithm();
1965 Signature sig = null;
1966 if (protocolVersion.useTLS12PlusSpec()) {
1967 this.preferableSignatureAlgorithm = signAlgorithm;
1968 sig = JsseJce.getSignature(signAlgorithm.getAlgorithmName());
1969 } else {
1970 sig = getSignature(protocolVersion, algorithm);
1971 }
1972 sig.initSign(privateKey, sr);
1973 updateSignature(sig, protocolVersion, handshakeHash, algorithm,
1974 masterSecret);
1975 signature = sig.sign();
1976 }
1977
1978 //
1979 // Unmarshal the signed data from the input stream.
1980 //
1981 CertificateVerify(HandshakeInStream input,
1982 Collection<SignatureAndHashAlgorithm> localSupportedSignAlgs,
1983 ProtocolVersion protocolVersion) throws IOException {
1984
1985 this.protocolVersion = protocolVersion;
1986
1987 // read the signature and hash algorithm
1988 if (protocolVersion.useTLS12PlusSpec()) {
1989 int hashAlg = input.getInt8(); // hash algorithm
1990 int signAlg = input.getInt8(); // signature algorithm
1991
1992 preferableSignatureAlgorithm =
1993 SignatureAndHashAlgorithm.valueOf(hashAlg, signAlg, 0);
1994
1995 // Is it a local supported signature algorithm?
1996 if (!localSupportedSignAlgs.contains(
1997 preferableSignatureAlgorithm)) {
1998 throw new SSLHandshakeException(
1999 "Unsupported SignatureAndHashAlgorithm in " +
2000 "CertificateVerify message: " + preferableSignatureAlgorithm);
2001 }
2002 }
2003
2004 // read the signature
2005 signature = input.getBytes16();
2006 }
2007
2008 /*
2009 * Get the preferable signature algorithm used by this message
2010 */
2011 SignatureAndHashAlgorithm getPreferableSignatureAlgorithm() {
2012 return preferableSignatureAlgorithm;
2013 }
2014
2015 /*
2016 * Verify a certificate verify message. Return the result of verification,
2017 * if there is a problem throw a GeneralSecurityException.
2018 */
2019 boolean verify(ProtocolVersion protocolVersion,
2020 HandshakeHash handshakeHash, PublicKey publicKey,
2021 SecretKey masterSecret) throws GeneralSecurityException {
2022 String algorithm = publicKey.getAlgorithm();
2023 Signature sig = null;
2024 if (protocolVersion.useTLS12PlusSpec()) {
2025 sig = JsseJce.getSignature(
2026 preferableSignatureAlgorithm.getAlgorithmName());
2027 } else {
2028 sig = getSignature(protocolVersion, algorithm);
2029 }
2030 sig.initVerify(publicKey);
2031 updateSignature(sig, protocolVersion, handshakeHash, algorithm,
2032 masterSecret);
2033 return sig.verify(signature);
2034 }
2035
2036 /*
2037 * Get the Signature object appropriate for verification using the
2038 * given signature algorithm and protocol version.
2039 */
2040 private static Signature getSignature(ProtocolVersion protocolVersion,
2041 String algorithm) throws GeneralSecurityException {
2042 switch (algorithm) {
2043 case "RSA":
2044 return RSASignature.getInternalInstance();
2045 case "DSA":
2046 return JsseJce.getSignature(JsseJce.SIGNATURE_RAWDSA);
2047 case "EC":
2048 return JsseJce.getSignature(JsseJce.SIGNATURE_RAWECDSA);
2049 default:
2050 throw new SignatureException("Unrecognized algorithm: "
2051 + algorithm);
2052 }
2053 }
2054
2055 /*
2056 * Update the Signature with the data appropriate for the given
2057 * signature algorithm and protocol version so that the object is
2058 * ready for signing or verifying.
2059 */
2060 private static void updateSignature(Signature sig,
2061 ProtocolVersion protocolVersion,
2062 HandshakeHash handshakeHash, String algorithm, SecretKey masterKey)
2063 throws SignatureException {
2064
2065 if (algorithm.equals("RSA")) {
2066 if (!protocolVersion.useTLS12PlusSpec()) { // TLS1.1-
2067 MessageDigest md5Clone = handshakeHash.getMD5Clone();
2068 MessageDigest shaClone = handshakeHash.getSHAClone();
2069
2070 if (!protocolVersion.useTLS10PlusSpec()) { // SSLv3
2071 updateDigest(md5Clone, MD5_pad1, MD5_pad2, masterKey);
2072 updateDigest(shaClone, SHA_pad1, SHA_pad2, masterKey);
2073 }
2074
2075 // The signature must be an instance of RSASignature, need
2076 // to use these hashes directly.
2077 RSASignature.setHashes(sig, md5Clone, shaClone);
2078 } else { // TLS1.2+
2079 sig.update(handshakeHash.getAllHandshakeMessages());
2080 }
2081 } else { // DSA, ECDSA
2082 if (!protocolVersion.useTLS12PlusSpec()) { // TLS1.1-
2083 MessageDigest shaClone = handshakeHash.getSHAClone();
2084
2085 if (!protocolVersion.useTLS10PlusSpec()) { // SSLv3
2086 updateDigest(shaClone, SHA_pad1, SHA_pad2, masterKey);
2087 }
2088
2089 sig.update(shaClone.digest());
2090 } else { // TLS1.2+
2091 sig.update(handshakeHash.getAllHandshakeMessages());
2092 }
2093 }
2094 }
2095
2096 /*
2097 * Update the MessageDigest for SSLv3 certificate verify or finished
2098 * message calculation. The digest must already have been updated with
2099 * all preceding handshake messages.
2100 * Used by the Finished class as well.
2101 */
2102 private static void updateDigest(MessageDigest md,
2103 byte[] pad1, byte[] pad2,
2104 SecretKey masterSecret) {
2105 // Digest the key bytes if available.
2106 // Otherwise (sensitive key), try digesting the key directly.
2107 // That is currently only implemented in SunPKCS11 using a private
2108 // reflection API, so we avoid that if possible.
2109 byte[] keyBytes = "RAW".equals(masterSecret.getFormat())
2110 ? masterSecret.getEncoded() : null;
2111 if (keyBytes != null) {
2112 md.update(keyBytes);
2113 } else {
2114 digestKey(md, masterSecret);
2115 }
2116 md.update(pad1);
2117 byte[] temp = md.digest();
2118
2119 if (keyBytes != null) {
2120 md.update(keyBytes);
2121 } else {
2122 digestKey(md, masterSecret);
2123 }
2124 md.update(pad2);
2125 md.update(temp);
2126 }
2127
2128 private static void digestKey(MessageDigest md, SecretKey key) {
2129 try {
2130 if (md instanceof MessageDigestSpi2) {
2131 ((MessageDigestSpi2)md).engineUpdate(key);
2132 } else {
2133 throw new Exception(
2134 "Digest does not support implUpdate(SecretKey)");
2135 }
2136 } catch (Exception e) {
2137 throw new RuntimeException(
2138 "Could not obtain encoded key and "
2139 + "MessageDigest cannot digest key", e);
2140 }
2141 }
2142
2143 @Override
2144 int messageType() {
2145 return ht_certificate_verify;
2146 }
2147
2148 @Override
2149 int messageLength() {
2150 int temp = 2;
2151
2152 if (protocolVersion.useTLS12PlusSpec()) {
2153 temp += SignatureAndHashAlgorithm.sizeInRecord();
2154 }
2155
2156 return temp + signature.length;
2157 }
2158
2159 @Override
2160 void send(HandshakeOutStream s) throws IOException {
2161 if (protocolVersion.useTLS12PlusSpec()) {
2162 s.putInt8(preferableSignatureAlgorithm.getHashValue());
2163 s.putInt8(preferableSignatureAlgorithm.getSignatureValue());
2164 }
2165
2166 s.putBytes16(signature);
2167 }
2168
2169 @Override
2170 void print(PrintStream s) throws IOException {
2171 s.println("*** CertificateVerify");
2172
2173 if (debug != null && Debug.isOn("verbose")) {
2174 if (protocolVersion.useTLS12PlusSpec()) {
2175 s.println("Signature Algorithm " +
2176 preferableSignatureAlgorithm.getAlgorithmName());
2177 }
2178 }
2179 }
2180 }
2181
2182
2183 /*
2184 * FINISHED ... sent by both CLIENT and SERVER
2185 *
2186 * This is the FINISHED message as defined in the SSL and TLS protocols.
2187 * Both protocols define this handshake message slightly differently.
2188 * This class supports both formats.
2189 *
2190 * When handshaking is finished, each side sends a "change_cipher_spec"
2191 * record, then immediately sends a "finished" handshake message prepared
2192 * according to the newly adopted cipher spec.
2193 *
2194 * NOTE that until this is sent, no application data may be passed, unless
2195 * some non-default cipher suite has already been set up on this connection
2196 * connection (e.g. a previous handshake arranged one).
2197 */
2198 static final class Finished extends HandshakeMessage {
2199
2200 // constant for a Finished message sent by the client
2201 static final int CLIENT = 1;
2202
2203 // constant for a Finished message sent by the server
2204 static final int SERVER = 2;
2205
2206 // enum Sender: "CLNT" and "SRVR"
2207 private static final byte[] SSL_CLIENT = { 0x43, 0x4C, 0x4E, 0x54 };
2208 private static final byte[] SSL_SERVER = { 0x53, 0x52, 0x56, 0x52 };
2209
2210 /*
2211 * Contents of the finished message ("checksum"). For TLS, it
2212 * is 12 bytes long, for SSLv3 36 bytes.
2213 */
2214 private byte[] verifyData;
2215
2216 /*
2217 * Current cipher suite we are negotiating. TLS 1.2 has
2218 * ciphersuite-defined PRF algorithms.
2219 */
2220 private ProtocolVersion protocolVersion;
2221 private CipherSuite cipherSuite;
2222
2223 /*
2224 * Create a finished message to send to the remote peer.
2225 */
2226 Finished(ProtocolVersion protocolVersion, HandshakeHash handshakeHash,
2227 int sender, SecretKey master, CipherSuite cipherSuite) {
2228 this.protocolVersion = protocolVersion;
2229 this.cipherSuite = cipherSuite;
2230 verifyData = getFinished(handshakeHash, sender, master);
2231 }
2232
2233 /*
2234 * Constructor that reads FINISHED message from stream.
2235 */
2236 Finished(ProtocolVersion protocolVersion, HandshakeInStream input,
2237 CipherSuite cipherSuite) throws IOException {
2238 this.protocolVersion = protocolVersion;
2239 this.cipherSuite = cipherSuite;
2240 int msgLen = protocolVersion.useTLS10PlusSpec() ? 12 : 36;
2241 verifyData = new byte[msgLen];
2242 input.read(verifyData);
2243 }
2244
2245 /*
2246 * Verify that the hashes here are what would have been produced
2247 * according to a given set of inputs. This is used to ensure that
2248 * both client and server are fully in sync, and that the handshake
2249 * computations have been successful.
2250 */
2251 boolean verify(HandshakeHash handshakeHash, int sender, SecretKey master) {
2252 byte[] myFinished = getFinished(handshakeHash, sender, master);
2253 return MessageDigest.isEqual(myFinished, verifyData);
2254 }
2255
2256 /*
2257 * Perform the actual finished message calculation.
2258 */
2259 private byte[] getFinished(HandshakeHash handshakeHash,
2260 int sender, SecretKey masterKey) {
2261 byte[] sslLabel;
2262 String tlsLabel;
2263 if (sender == CLIENT) {
2264 sslLabel = SSL_CLIENT;
2265 tlsLabel = "client finished";
2266 } else if (sender == SERVER) {
2267 sslLabel = SSL_SERVER;
2268 tlsLabel = "server finished";
2269 } else {
2270 throw new RuntimeException("Invalid sender: " + sender);
2271 }
2272
2273 if (protocolVersion.useTLS10PlusSpec()) {
2274 // TLS 1.0+
2275 try {
2276 byte[] seed;
2277 String prfAlg;
2278 PRF prf;
2279
2280 // Get the KeyGenerator alg and calculate the seed.
2281 if (protocolVersion.useTLS12PlusSpec()) {
2282 // TLS 1.2+ or DTLS 1.2+
2283 seed = handshakeHash.getFinishedHash();
2284
2285 prfAlg = "SunTls12Prf";
2286 prf = cipherSuite.prfAlg;
2287 } else {
2288 // TLS 1.0/1.1, DTLS 1.0
2289 MessageDigest md5Clone = handshakeHash.getMD5Clone();
2290 MessageDigest shaClone = handshakeHash.getSHAClone();
2291 seed = new byte[36];
2292 md5Clone.digest(seed, 0, 16);
2293 shaClone.digest(seed, 16, 20);
2294
2295 prfAlg = "SunTlsPrf";
2296 prf = P_NONE;
2297 }
2298
2299 String prfHashAlg = prf.getPRFHashAlg();
2300 int prfHashLength = prf.getPRFHashLength();
2301 int prfBlockSize = prf.getPRFBlockSize();
2302
2303 /*
2304 * RFC 5246/7.4.9 says that finished messages can
2305 * be ciphersuite-specific in both length/PRF hash
2306 * algorithm. If we ever run across a different
2307 * length, this call will need to be updated.
2308 */
2309 @SuppressWarnings("deprecation")
2310 TlsPrfParameterSpec spec = new TlsPrfParameterSpec(
2311 masterKey, tlsLabel, seed, 12,
2312 prfHashAlg, prfHashLength, prfBlockSize);
2313
2314 KeyGenerator kg = JsseJce.getKeyGenerator(prfAlg);
2315 kg.init(spec);
2316 SecretKey prfKey = kg.generateKey();
2317 if ("RAW".equals(prfKey.getFormat()) == false) {
2318 throw new ProviderException(
2319 "Invalid PRF output, format must be RAW. " +
2320 "Format received: " + prfKey.getFormat());
2321 }
2322 byte[] finished = prfKey.getEncoded();
2323 return finished;
2324 } catch (GeneralSecurityException e) {
2325 throw new RuntimeException("PRF failed", e);
2326 }
2327 } else {
2328 // SSLv3
2329 MessageDigest md5Clone = handshakeHash.getMD5Clone();
2330 MessageDigest shaClone = handshakeHash.getSHAClone();
2331 updateDigest(md5Clone, sslLabel, MD5_pad1, MD5_pad2, masterKey);
2332 updateDigest(shaClone, sslLabel, SHA_pad1, SHA_pad2, masterKey);
2333 byte[] finished = new byte[36];
2334 try {
2335 md5Clone.digest(finished, 0, 16);
2336 shaClone.digest(finished, 16, 20);
2337 } catch (DigestException e) {
2338 // cannot occur
2339 throw new RuntimeException("Digest failed", e);
2340 }
2341 return finished;
2342 }
2343 }
2344
2345 /*
2346 * Update the MessageDigest for SSLv3 finished message calculation.
2347 * The digest must already have been updated with all preceding handshake
2348 * messages. This operation is almost identical to the certificate verify
2349 * hash, reuse that code.
2350 */
2351 private static void updateDigest(MessageDigest md, byte[] sender,
2352 byte[] pad1, byte[] pad2, SecretKey masterSecret) {
2353 md.update(sender);
2354 CertificateVerify.updateDigest(md, pad1, pad2, masterSecret);
2355 }
2356
2357 // get the verify_data of the finished message
2358 byte[] getVerifyData() {
2359 return verifyData;
2360 }
2361
2362 @Override
2363 int messageType() { return ht_finished; }
2364
2365 @Override
2366 int messageLength() {
2367 return verifyData.length;
2368 }
2369
2370 @Override
2371 void send(HandshakeOutStream out) throws IOException {
2372 out.write(verifyData);
2373 }
2374
2375 @Override
2376 void print(PrintStream s) throws IOException {
2377 s.println("*** Finished");
2378 if (debug != null && Debug.isOn("verbose")) {
2379 Debug.println(s, "verify_data", verifyData);
2380 s.println("***");
2381 }
2382 }
2383 }
2384
2385 //
2386 // END of nested classes
2387 //
2388
2389 }