1 /* 2 * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package sun.security.ssl; 27 28 import java.io.*; 29 import java.math.BigInteger; 30 import java.security.*; 31 import java.security.interfaces.*; 32 import java.security.spec.*; 33 import java.security.cert.*; 34 import java.security.cert.Certificate; 35 import java.util.*; 36 import java.util.concurrent.ConcurrentHashMap; 37 38 import java.lang.reflect.*; 39 40 import javax.security.auth.x500.X500Principal; 41 42 import javax.crypto.KeyGenerator; 43 import javax.crypto.SecretKey; 44 import javax.crypto.spec.DHPublicKeySpec; 45 46 import javax.net.ssl.*; 47 48 import sun.security.internal.spec.TlsPrfParameterSpec; 49 import sun.security.ssl.CipherSuite.*; 50 import static sun.security.ssl.CipherSuite.PRF.*; 51 import sun.security.util.KeyUtil; 52 53 /** 54 * Many data structures are involved in the handshake messages. These 55 * classes are used as structures, with public data members. They are 56 * not visible outside the SSL package. 57 * 58 * Handshake messages all have a common header format, and they are all 59 * encoded in a "handshake data" SSL record substream. The base class 60 * here (HandshakeMessage) provides a common framework and records the 61 * SSL record type of the particular handshake message. 62 * 63 * This file contains subclasses for all the basic handshake messages. 64 * All handshake messages know how to encode and decode themselves on 65 * SSL streams; this facilitates using the same code on SSL client and 66 * server sides, although they don't send and receive the same messages. 67 * 68 * Messages also know how to print themselves, which is quite handy 69 * for debugging. They always identify their type, and can optionally 70 * dump all of their content. 71 * 72 * @author David Brownell 73 */ 74 public abstract class HandshakeMessage { 75 76 HandshakeMessage() { } 77 78 // enum HandshakeType: 79 static final byte ht_hello_request = 0; 80 static final byte ht_client_hello = 1; 81 static final byte ht_server_hello = 2; 82 83 static final byte ht_certificate = 11; 84 static final byte ht_server_key_exchange = 12; 85 static final byte ht_certificate_request = 13; 86 static final byte ht_server_hello_done = 14; 87 static final byte ht_certificate_verify = 15; 88 static final byte ht_client_key_exchange = 16; 89 90 static final byte ht_finished = 20; 91 92 /* Class and subclass dynamic debugging support */ 93 public static final Debug debug = Debug.getInstance("ssl"); 94 95 /** 96 * Utility method to convert a BigInteger to a byte array in unsigned 97 * format as needed in the handshake messages. BigInteger uses 98 * 2's complement format, i.e. it prepends an extra zero if the MSB 99 * is set. We remove that. 100 */ 101 static byte[] toByteArray(BigInteger bi) { 102 byte[] b = bi.toByteArray(); 103 if ((b.length > 1) && (b[0] == 0)) { 104 int n = b.length - 1; 105 byte[] newarray = new byte[n]; 106 System.arraycopy(b, 1, newarray, 0, n); 107 b = newarray; 108 } 109 return b; 110 } 111 112 /* 113 * SSL 3.0 MAC padding constants. 114 * Also used by CertificateVerify and Finished during the handshake. 115 */ 116 static final byte[] MD5_pad1 = genPad(0x36, 48); 117 static final byte[] MD5_pad2 = genPad(0x5c, 48); 118 119 static final byte[] SHA_pad1 = genPad(0x36, 40); 120 static final byte[] SHA_pad2 = genPad(0x5c, 40); 121 122 private static byte[] genPad(int b, int count) { 123 byte[] padding = new byte[count]; 124 Arrays.fill(padding, (byte)b); 125 return padding; 126 } 127 128 /* 129 * Write a handshake message on the (handshake) output stream. 130 * This is just a four byte header followed by the data. 131 * 132 * NOTE that huge messages -- notably, ones with huge cert 133 * chains -- are handled correctly. 134 */ 135 final void write(HandshakeOutStream s) throws IOException { 136 int len = messageLength(); 137 if (len >= Record.OVERFLOW_OF_INT24) { 138 throw new SSLException("Handshake message too big" 139 + ", type = " + messageType() + ", len = " + len); 140 } 141 s.write(messageType()); 142 s.putInt24(len); 143 send(s); 144 } 145 146 /* 147 * Subclasses implement these methods so those kinds of 148 * messages can be emitted. Base class delegates to subclass. 149 */ 150 abstract int messageType(); 151 abstract int messageLength(); 152 abstract void send(HandshakeOutStream s) throws IOException; 153 154 /* 155 * Write a descriptive message on the output stream; for debugging. 156 */ 157 abstract void print(PrintStream p) throws IOException; 158 159 // 160 // NOTE: the rest of these classes are nested within this one, and are 161 // imported by other classes in this package. There are a few other 162 // handshake message classes, not neatly nested here because of current 163 // licensing requirement for native (RSA) methods. They belong here, 164 // but those native methods complicate things a lot! 165 // 166 167 168 /* 169 * HelloRequest ... SERVER --> CLIENT 170 * 171 * Server can ask the client to initiate a new handshake, e.g. to change 172 * session parameters after a connection has been (re)established. 173 */ 174 static final class HelloRequest extends HandshakeMessage { 175 @Override 176 int messageType() { return ht_hello_request; } 177 178 HelloRequest() { } 179 180 HelloRequest(HandshakeInStream in) throws IOException 181 { 182 // nothing in this message 183 } 184 185 @Override 186 int messageLength() { return 0; } 187 188 @Override 189 void send(HandshakeOutStream out) throws IOException 190 { 191 // nothing in this messaage 192 } 193 194 @Override 195 void print(PrintStream out) throws IOException 196 { 197 out.println("*** HelloRequest (empty)"); 198 } 199 200 } 201 202 203 /* 204 * ClientHello ... CLIENT --> SERVER 205 * 206 * Client initiates handshake by telling server what it wants, and what it 207 * can support (prioritized by what's first in the ciphe suite list). 208 * 209 * By RFC2246:7.4.1.2 it's explicitly anticipated that this message 210 * will have more data added at the end ... e.g. what CAs the client trusts. 211 * Until we know how to parse it, we will just read what we know 212 * about, and let our caller handle the jumps over unknown data. 213 */ 214 static final class ClientHello extends HandshakeMessage { 215 216 ProtocolVersion protocolVersion; 217 RandomCookie clnt_random; 218 SessionId sessionId; 219 private CipherSuiteList cipherSuites; 220 byte[] compression_methods; 221 222 HelloExtensions extensions = new HelloExtensions(); 223 224 private final static byte[] NULL_COMPRESSION = new byte[] {0}; 225 226 ClientHello(SecureRandom generator, ProtocolVersion protocolVersion, 227 SessionId sessionId, CipherSuiteList cipherSuites) { 228 229 this.protocolVersion = protocolVersion; 230 this.sessionId = sessionId; 231 this.cipherSuites = cipherSuites; 232 233 if (cipherSuites.containsEC()) { 234 extensions.add(SupportedEllipticCurvesExtension.DEFAULT); 235 extensions.add(SupportedEllipticPointFormatsExtension.DEFAULT); 236 } 237 238 clnt_random = new RandomCookie(generator); 239 compression_methods = NULL_COMPRESSION; 240 } 241 242 ClientHello(HandshakeInStream s, int messageLength) throws IOException { 243 protocolVersion = ProtocolVersion.valueOf(s.getInt8(), s.getInt8()); 244 clnt_random = new RandomCookie(s); 245 sessionId = new SessionId(s.getBytes8()); 246 cipherSuites = new CipherSuiteList(s); 247 compression_methods = s.getBytes8(); 248 if (messageLength() != messageLength) { 249 extensions = new HelloExtensions(s); 250 } 251 } 252 253 CipherSuiteList getCipherSuites() { 254 return cipherSuites; 255 } 256 257 // add renegotiation_info extension 258 void addRenegotiationInfoExtension(byte[] clientVerifyData) { 259 HelloExtension renegotiationInfo = new RenegotiationInfoExtension( 260 clientVerifyData, new byte[0]); 261 extensions.add(renegotiationInfo); 262 } 263 264 // add server_name extension 265 void addSNIExtension(List<SNIServerName> serverNames) { 266 try { 267 extensions.add(new ServerNameExtension(serverNames)); 268 } catch (IOException ioe) { 269 // ignore the exception and return 270 } 271 } 272 273 // add signature_algorithm extension 274 void addSignatureAlgorithmsExtension( 275 Collection<SignatureAndHashAlgorithm> algorithms) { 276 HelloExtension signatureAlgorithm = 277 new SignatureAlgorithmsExtension(algorithms); 278 extensions.add(signatureAlgorithm); 279 } 280 281 @Override 282 int messageType() { return ht_client_hello; } 283 284 @Override 285 int messageLength() { 286 /* 287 * Add fixed size parts of each field... 288 * version + random + session + cipher + compress 289 */ 290 return (2 + 32 + 1 + 2 + 1 291 + sessionId.length() /* ... + variable parts */ 292 + (cipherSuites.size() * 2) 293 + compression_methods.length) 294 + extensions.length(); 295 } 296 297 @Override 298 void send(HandshakeOutStream s) throws IOException { 299 s.putInt8(protocolVersion.major); 300 s.putInt8(protocolVersion.minor); 301 clnt_random.send(s); 302 s.putBytes8(sessionId.getId()); 303 cipherSuites.send(s); 304 s.putBytes8(compression_methods); 305 extensions.send(s); 306 } 307 308 @Override 309 void print(PrintStream s) throws IOException { 310 s.println("*** ClientHello, " + protocolVersion); 311 312 if (debug != null && Debug.isOn("verbose")) { 313 s.print("RandomCookie: "); 314 clnt_random.print(s); 315 316 s.print("Session ID: "); 317 s.println(sessionId); 318 319 s.println("Cipher Suites: " + cipherSuites); 320 321 Debug.println(s, "Compression Methods", compression_methods); 322 extensions.print(s); 323 s.println("***"); 324 } 325 } 326 } 327 328 /* 329 * ServerHello ... SERVER --> CLIENT 330 * 331 * Server chooses protocol options from among those it supports and the 332 * client supports. Then it sends the basic session descriptive parameters 333 * back to the client. 334 */ 335 static final 336 class ServerHello extends HandshakeMessage 337 { 338 @Override 339 int messageType() { return ht_server_hello; } 340 341 ProtocolVersion protocolVersion; 342 RandomCookie svr_random; 343 SessionId sessionId; 344 CipherSuite cipherSuite; 345 byte compression_method; 346 HelloExtensions extensions = new HelloExtensions(); 347 348 ServerHello() { 349 // empty 350 } 351 352 ServerHello(HandshakeInStream input, int messageLength) 353 throws IOException { 354 protocolVersion = ProtocolVersion.valueOf(input.getInt8(), 355 input.getInt8()); 356 svr_random = new RandomCookie(input); 357 sessionId = new SessionId(input.getBytes8()); 358 cipherSuite = CipherSuite.valueOf(input.getInt8(), input.getInt8()); 359 compression_method = (byte)input.getInt8(); 360 if (messageLength() != messageLength) { 361 extensions = new HelloExtensions(input); 362 } 363 } 364 365 @Override 366 int messageLength() 367 { 368 // almost fixed size, except session ID and extensions: 369 // major + minor = 2 370 // random = 32 371 // session ID len field = 1 372 // cipher suite + compression = 3 373 // extensions: if present, 2 + length of extensions 374 return 38 + sessionId.length() + extensions.length(); 375 } 376 377 @Override 378 void send(HandshakeOutStream s) throws IOException 379 { 380 s.putInt8(protocolVersion.major); 381 s.putInt8(protocolVersion.minor); 382 svr_random.send(s); 383 s.putBytes8(sessionId.getId()); 384 s.putInt8(cipherSuite.id >> 8); 385 s.putInt8(cipherSuite.id & 0xff); 386 s.putInt8(compression_method); 387 extensions.send(s); 388 } 389 390 @Override 391 void print(PrintStream s) throws IOException 392 { 393 s.println("*** ServerHello, " + protocolVersion); 394 395 if (debug != null && Debug.isOn("verbose")) { 396 s.print("RandomCookie: "); 397 svr_random.print(s); 398 399 s.print("Session ID: "); 400 s.println(sessionId); 401 402 s.println("Cipher Suite: " + cipherSuite); 403 s.println("Compression Method: " + compression_method); 404 extensions.print(s); 405 s.println("***"); 406 } 407 } 408 } 409 410 411 /* 412 * CertificateMsg ... send by both CLIENT and SERVER 413 * 414 * Each end of a connection may need to pass its certificate chain to 415 * the other end. Such chains are intended to validate an identity with 416 * reference to some certifying authority. Examples include companies 417 * like Verisign, or financial institutions. There's some control over 418 * the certifying authorities which are sent. 419 * 420 * NOTE: that these messages might be huge, taking many handshake records. 421 * Up to 2^48 bytes of certificate may be sent, in records of at most 2^14 422 * bytes each ... up to 2^32 records sent on the output stream. 423 */ 424 static final 425 class CertificateMsg extends HandshakeMessage 426 { 427 @Override 428 int messageType() { return ht_certificate; } 429 430 private X509Certificate[] chain; 431 432 private List<byte[]> encodedChain; 433 434 private int messageLength; 435 436 CertificateMsg(X509Certificate[] certs) { 437 chain = certs; 438 } 439 440 CertificateMsg(HandshakeInStream input) throws IOException { 441 int chainLen = input.getInt24(); 442 List<Certificate> v = new ArrayList<>(4); 443 444 CertificateFactory cf = null; 445 while (chainLen > 0) { 446 byte[] cert = input.getBytes24(); 447 chainLen -= (3 + cert.length); 448 try { 449 if (cf == null) { 450 cf = CertificateFactory.getInstance("X.509"); 451 } 452 v.add(cf.generateCertificate(new ByteArrayInputStream(cert))); 453 } catch (CertificateException e) { 454 throw (SSLProtocolException)new SSLProtocolException( 455 e.getMessage()).initCause(e); 456 } 457 } 458 459 chain = v.toArray(new X509Certificate[v.size()]); 460 } 461 462 @Override 463 int messageLength() { 464 if (encodedChain == null) { 465 messageLength = 3; 466 encodedChain = new ArrayList<byte[]>(chain.length); 467 try { 468 for (X509Certificate cert : chain) { 469 byte[] b = cert.getEncoded(); 470 encodedChain.add(b); 471 messageLength += b.length + 3; 472 } 473 } catch (CertificateEncodingException e) { 474 encodedChain = null; 475 throw new RuntimeException("Could not encode certificates", e); 476 } 477 } 478 return messageLength; 479 } 480 481 @Override 482 void send(HandshakeOutStream s) throws IOException { 483 s.putInt24(messageLength() - 3); 484 for (byte[] b : encodedChain) { 485 s.putBytes24(b); 486 } 487 } 488 489 @Override 490 void print(PrintStream s) throws IOException { 491 s.println("*** Certificate chain"); 492 493 if (debug != null && Debug.isOn("verbose")) { 494 for (int i = 0; i < chain.length; i++) 495 s.println("chain [" + i + "] = " + chain[i]); 496 s.println("***"); 497 } 498 } 499 500 X509Certificate[] getCertificateChain() { 501 return chain.clone(); 502 } 503 } 504 505 /* 506 * ServerKeyExchange ... SERVER --> CLIENT 507 * 508 * The cipher suite selected, when combined with the certificate exchanged, 509 * implies one of several different kinds of key exchange. Most current 510 * cipher suites require the server to send more than its certificate. 511 * 512 * The primary exceptions are when a server sends an encryption-capable 513 * RSA public key in its cert, to be used with RSA (or RSA_export) key 514 * exchange; and when a server sends its Diffie-Hellman cert. Those kinds 515 * of key exchange do not require a ServerKeyExchange message. 516 * 517 * Key exchange can be viewed as having three modes, which are explicit 518 * for the Diffie-Hellman flavors and poorly specified for RSA ones: 519 * 520 * - "Ephemeral" keys. Here, a "temporary" key is allocated by the 521 * server, and signed. Diffie-Hellman keys signed using RSA or 522 * DSS are ephemeral (DHE flavor). RSA keys get used to do the same 523 * thing, to cut the key size down to 512 bits (export restrictions) 524 * or for signing-only RSA certificates. 525 * 526 * - Anonymity. Here no server certificate is sent, only the public 527 * key of the server. This case is subject to man-in-the-middle 528 * attacks. This can be done with Diffie-Hellman keys (DH_anon) or 529 * with RSA keys, but is only used in SSLv3 for DH_anon. 530 * 531 * - "Normal" case. Here a server certificate is sent, and the public 532 * key there is used directly in exchanging the premaster secret. 533 * For example, Diffie-Hellman "DH" flavor, and any RSA flavor with 534 * only 512 bit keys. 535 * 536 * If a server certificate is sent, there is no anonymity. However, 537 * when a certificate is sent, ephemeral keys may still be used to 538 * exchange the premaster secret. That's how RSA_EXPORT often works, 539 * as well as how the DHE_* flavors work. 540 */ 541 static abstract class ServerKeyExchange extends HandshakeMessage 542 { 543 @Override 544 int messageType() { return ht_server_key_exchange; } 545 } 546 547 548 /* 549 * Using RSA for Key Exchange: exchange a session key that's not as big 550 * as the signing-only key. Used for export applications, since exported 551 * RSA encryption keys can't be bigger than 512 bytes. 552 * 553 * This is never used when keys are 512 bits or smaller, and isn't used 554 * on "US Domestic" ciphers in any case. 555 */ 556 static final 557 class RSA_ServerKeyExchange extends ServerKeyExchange 558 { 559 private byte rsa_modulus[]; // 1 to 2^16 - 1 bytes 560 private byte rsa_exponent[]; // 1 to 2^16 - 1 bytes 561 562 private Signature signature; 563 private byte[] signatureBytes; 564 565 /* 566 * Hash the nonces and the ephemeral RSA public key. 567 */ 568 private void updateSignature(byte clntNonce[], byte svrNonce[]) 569 throws SignatureException { 570 int tmp; 571 572 signature.update(clntNonce); 573 signature.update(svrNonce); 574 575 tmp = rsa_modulus.length; 576 signature.update((byte)(tmp >> 8)); 577 signature.update((byte)(tmp & 0x0ff)); 578 signature.update(rsa_modulus); 579 580 tmp = rsa_exponent.length; 581 signature.update((byte)(tmp >> 8)); 582 signature.update((byte)(tmp & 0x0ff)); 583 signature.update(rsa_exponent); 584 } 585 586 587 /* 588 * Construct an RSA server key exchange message, using data 589 * known _only_ to the server. 590 * 591 * The client knows the public key corresponding to this private 592 * key, from the Certificate message sent previously. To comply 593 * with US export regulations we use short RSA keys ... either 594 * long term ones in the server's X509 cert, or else ephemeral 595 * ones sent using this message. 596 */ 597 RSA_ServerKeyExchange(PublicKey ephemeralKey, PrivateKey privateKey, 598 RandomCookie clntNonce, RandomCookie svrNonce, SecureRandom sr) 599 throws GeneralSecurityException { 600 RSAPublicKeySpec rsaKey = JsseJce.getRSAPublicKeySpec(ephemeralKey); 601 rsa_modulus = toByteArray(rsaKey.getModulus()); 602 rsa_exponent = toByteArray(rsaKey.getPublicExponent()); 603 signature = RSASignature.getInstance(); 604 signature.initSign(privateKey, sr); 605 updateSignature(clntNonce.random_bytes, svrNonce.random_bytes); 606 signatureBytes = signature.sign(); 607 } 608 609 610 /* 611 * Parse an RSA server key exchange message, using data known 612 * to the client (and, in some situations, eavesdroppers). 613 */ 614 RSA_ServerKeyExchange(HandshakeInStream input) 615 throws IOException, NoSuchAlgorithmException { 616 signature = RSASignature.getInstance(); 617 rsa_modulus = input.getBytes16(); 618 rsa_exponent = input.getBytes16(); 619 signatureBytes = input.getBytes16(); 620 } 621 622 /* 623 * Get the ephemeral RSA public key that will be used in this 624 * SSL connection. 625 */ 626 PublicKey getPublicKey() { 627 try { 628 KeyFactory kfac = JsseJce.getKeyFactory("RSA"); 629 // modulus and exponent are always positive 630 RSAPublicKeySpec kspec = new RSAPublicKeySpec( 631 new BigInteger(1, rsa_modulus), 632 new BigInteger(1, rsa_exponent)); 633 return kfac.generatePublic(kspec); 634 } catch (Exception e) { 635 throw new RuntimeException(e); 636 } 637 } 638 639 /* 640 * Verify the signed temporary key using the hashes computed 641 * from it and the two nonces. This is called by clients 642 * with "exportable" RSA flavors. 643 */ 644 boolean verify(PublicKey certifiedKey, RandomCookie clntNonce, 645 RandomCookie svrNonce) throws GeneralSecurityException { 646 signature.initVerify(certifiedKey); 647 updateSignature(clntNonce.random_bytes, svrNonce.random_bytes); 648 return signature.verify(signatureBytes); 649 } 650 651 @Override 652 int messageLength() { 653 return 6 + rsa_modulus.length + rsa_exponent.length 654 + signatureBytes.length; 655 } 656 657 @Override 658 void send(HandshakeOutStream s) throws IOException { 659 s.putBytes16(rsa_modulus); 660 s.putBytes16(rsa_exponent); 661 s.putBytes16(signatureBytes); 662 } 663 664 @Override 665 void print(PrintStream s) throws IOException { 666 s.println("*** RSA ServerKeyExchange"); 667 668 if (debug != null && Debug.isOn("verbose")) { 669 Debug.println(s, "RSA Modulus", rsa_modulus); 670 Debug.println(s, "RSA Public Exponent", rsa_exponent); 671 } 672 } 673 } 674 675 676 /* 677 * Using Diffie-Hellman algorithm for key exchange. All we really need to 678 * do is securely get Diffie-Hellman keys (using the same P, G parameters) 679 * to our peer, then we automatically have a shared secret without need 680 * to exchange any more data. (D-H only solutions, such as SKIP, could 681 * eliminate key exchange negotiations and get faster connection setup. 682 * But they still need a signature algorithm like DSS/DSA to support the 683 * trusted distribution of keys without relying on unscalable physical 684 * key distribution systems.) 685 * 686 * This class supports several DH-based key exchange algorithms, though 687 * perhaps eventually each deserves its own class. Notably, this has 688 * basic support for DH_anon and its DHE_DSS and DHE_RSA signed variants. 689 */ 690 static final 691 class DH_ServerKeyExchange extends ServerKeyExchange 692 { 693 // Fix message encoding, see 4348279 694 private final static boolean dhKeyExchangeFix = 695 Debug.getBooleanProperty("com.sun.net.ssl.dhKeyExchangeFix", true); 696 697 private byte dh_p []; // 1 to 2^16 - 1 bytes 698 private byte dh_g []; // 1 to 2^16 - 1 bytes 699 private byte dh_Ys []; // 1 to 2^16 - 1 bytes 700 701 private byte signature []; 702 703 // protocol version being established using this ServerKeyExchange message 704 ProtocolVersion protocolVersion; 705 706 // the preferable signature algorithm used by this ServerKeyExchange message 707 private SignatureAndHashAlgorithm preferableSignatureAlgorithm; 708 709 /* 710 * Construct from initialized DH key object, for DH_anon 711 * key exchange. 712 */ 713 DH_ServerKeyExchange(DHCrypt obj, ProtocolVersion protocolVersion) { 714 this.protocolVersion = protocolVersion; 715 this.preferableSignatureAlgorithm = null; 716 717 // The DH key has been validated in the constructor of DHCrypt. 718 setValues(obj); 719 signature = null; 720 } 721 722 /* 723 * Construct from initialized DH key object and the key associated 724 * with the cert chain which was sent ... for DHE_DSS and DHE_RSA 725 * key exchange. (Constructor called by server.) 726 */ 727 DH_ServerKeyExchange(DHCrypt obj, PrivateKey key, byte clntNonce[], 728 byte svrNonce[], SecureRandom sr, 729 SignatureAndHashAlgorithm signAlgorithm, 730 ProtocolVersion protocolVersion) throws GeneralSecurityException { 731 732 this.protocolVersion = protocolVersion; 733 734 // The DH key has been validated in the constructor of DHCrypt. 735 setValues(obj); 736 737 Signature sig; 738 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 739 this.preferableSignatureAlgorithm = signAlgorithm; 740 sig = JsseJce.getSignature(signAlgorithm.getAlgorithmName()); 741 } else { 742 this.preferableSignatureAlgorithm = null; 743 if (key.getAlgorithm().equals("DSA")) { 744 sig = JsseJce.getSignature(JsseJce.SIGNATURE_DSA); 745 } else { 746 sig = RSASignature.getInstance(); 747 } 748 } 749 750 sig.initSign(key, sr); 751 updateSignature(sig, clntNonce, svrNonce); 752 signature = sig.sign(); 753 } 754 755 /* 756 * Construct a DH_ServerKeyExchange message from an input 757 * stream, as if sent from server to client for use with 758 * DH_anon key exchange 759 */ 760 DH_ServerKeyExchange(HandshakeInStream input, 761 ProtocolVersion protocolVersion) 762 throws IOException, GeneralSecurityException { 763 764 this.protocolVersion = protocolVersion; 765 this.preferableSignatureAlgorithm = null; 766 767 dh_p = input.getBytes16(); 768 dh_g = input.getBytes16(); 769 dh_Ys = input.getBytes16(); 770 KeyUtil.validate(new DHPublicKeySpec(new BigInteger(1, dh_Ys), 771 new BigInteger(1, dh_p), 772 new BigInteger(1, dh_g))); 773 774 signature = null; 775 } 776 777 /* 778 * Construct a DH_ServerKeyExchange message from an input stream 779 * and a certificate, as if sent from server to client for use with 780 * DHE_DSS or DHE_RSA key exchange. (Called by client.) 781 */ 782 DH_ServerKeyExchange(HandshakeInStream input, PublicKey publicKey, 783 byte clntNonce[], byte svrNonce[], int messageSize, 784 Collection<SignatureAndHashAlgorithm> localSupportedSignAlgs, 785 ProtocolVersion protocolVersion) 786 throws IOException, GeneralSecurityException { 787 788 this.protocolVersion = protocolVersion; 789 790 // read params: ServerDHParams 791 dh_p = input.getBytes16(); 792 dh_g = input.getBytes16(); 793 dh_Ys = input.getBytes16(); 794 KeyUtil.validate(new DHPublicKeySpec(new BigInteger(1, dh_Ys), 795 new BigInteger(1, dh_p), 796 new BigInteger(1, dh_g))); 797 798 // read the signature and hash algorithm 799 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 800 int hash = input.getInt8(); // hash algorithm 801 int signature = input.getInt8(); // signature algorithm 802 803 preferableSignatureAlgorithm = 804 SignatureAndHashAlgorithm.valueOf(hash, signature, 0); 805 806 // Is it a local supported signature algorithm? 807 if (!localSupportedSignAlgs.contains( 808 preferableSignatureAlgorithm)) { 809 throw new SSLHandshakeException( 810 "Unsupported SignatureAndHashAlgorithm in " + 811 "ServerKeyExchange message"); 812 } 813 } else { 814 this.preferableSignatureAlgorithm = null; 815 } 816 817 // read the signature 818 byte signature[]; 819 if (dhKeyExchangeFix) { 820 signature = input.getBytes16(); 821 } else { 822 messageSize -= (dh_p.length + 2); 823 messageSize -= (dh_g.length + 2); 824 messageSize -= (dh_Ys.length + 2); 825 826 signature = new byte[messageSize]; 827 input.read(signature); 828 } 829 830 Signature sig; 831 String algorithm = publicKey.getAlgorithm(); 832 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 833 sig = JsseJce.getSignature( 834 preferableSignatureAlgorithm.getAlgorithmName()); 835 } else { 836 switch (algorithm) { 837 case "DSA": 838 sig = JsseJce.getSignature(JsseJce.SIGNATURE_DSA); 839 break; 840 case "RSA": 841 sig = RSASignature.getInstance(); 842 break; 843 default: 844 throw new SSLKeyException("neither an RSA or a DSA key"); 845 } 846 } 847 848 sig.initVerify(publicKey); 849 updateSignature(sig, clntNonce, svrNonce); 850 851 if (sig.verify(signature) == false ) { 852 throw new SSLKeyException("Server D-H key verification failed"); 853 } 854 } 855 856 /* Return the Diffie-Hellman modulus */ 857 BigInteger getModulus() { 858 return new BigInteger(1, dh_p); 859 } 860 861 /* Return the Diffie-Hellman base/generator */ 862 BigInteger getBase() { 863 return new BigInteger(1, dh_g); 864 } 865 866 /* Return the server's Diffie-Hellman public key */ 867 BigInteger getServerPublicKey() { 868 return new BigInteger(1, dh_Ys); 869 } 870 871 /* 872 * Update sig with nonces and Diffie-Hellman public key. 873 */ 874 private void updateSignature(Signature sig, byte clntNonce[], 875 byte svrNonce[]) throws SignatureException { 876 int tmp; 877 878 sig.update(clntNonce); 879 sig.update(svrNonce); 880 881 tmp = dh_p.length; 882 sig.update((byte)(tmp >> 8)); 883 sig.update((byte)(tmp & 0x0ff)); 884 sig.update(dh_p); 885 886 tmp = dh_g.length; 887 sig.update((byte)(tmp >> 8)); 888 sig.update((byte)(tmp & 0x0ff)); 889 sig.update(dh_g); 890 891 tmp = dh_Ys.length; 892 sig.update((byte)(tmp >> 8)); 893 sig.update((byte)(tmp & 0x0ff)); 894 sig.update(dh_Ys); 895 } 896 897 private void setValues(DHCrypt obj) { 898 dh_p = toByteArray(obj.getModulus()); 899 dh_g = toByteArray(obj.getBase()); 900 dh_Ys = toByteArray(obj.getPublicKey()); 901 } 902 903 @Override 904 int messageLength() { 905 int temp = 6; // overhead for p, g, y(s) values. 906 907 temp += dh_p.length; 908 temp += dh_g.length; 909 temp += dh_Ys.length; 910 911 if (signature != null) { 912 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 913 temp += SignatureAndHashAlgorithm.sizeInRecord(); 914 } 915 916 temp += signature.length; 917 if (dhKeyExchangeFix) { 918 temp += 2; 919 } 920 } 921 922 return temp; 923 } 924 925 @Override 926 void send(HandshakeOutStream s) throws IOException { 927 s.putBytes16(dh_p); 928 s.putBytes16(dh_g); 929 s.putBytes16(dh_Ys); 930 931 if (signature != null) { 932 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 933 s.putInt8(preferableSignatureAlgorithm.getHashValue()); 934 s.putInt8(preferableSignatureAlgorithm.getSignatureValue()); 935 } 936 937 if (dhKeyExchangeFix) { 938 s.putBytes16(signature); 939 } else { 940 s.write(signature); 941 } 942 } 943 } 944 945 @Override 946 void print(PrintStream s) throws IOException { 947 s.println("*** Diffie-Hellman ServerKeyExchange"); 948 949 if (debug != null && Debug.isOn("verbose")) { 950 Debug.println(s, "DH Modulus", dh_p); 951 Debug.println(s, "DH Base", dh_g); 952 Debug.println(s, "Server DH Public Key", dh_Ys); 953 954 if (signature == null) { 955 s.println("Anonymous"); 956 } else { 957 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 958 s.println("Signature Algorithm " + 959 preferableSignatureAlgorithm.getAlgorithmName()); 960 } 961 962 s.println("Signed with a DSA or RSA public key"); 963 } 964 } 965 } 966 } 967 968 /* 969 * ECDH server key exchange message. Sent by the server for ECDHE and ECDH_anon 970 * ciphersuites to communicate its ephemeral public key (including the 971 * EC domain parameters). 972 * 973 * We support named curves only, no explicitly encoded curves. 974 */ 975 static final 976 class ECDH_ServerKeyExchange extends ServerKeyExchange { 977 978 // constants for ECCurveType 979 private final static int CURVE_EXPLICIT_PRIME = 1; 980 private final static int CURVE_EXPLICIT_CHAR2 = 2; 981 private final static int CURVE_NAMED_CURVE = 3; 982 983 // id of the curve we are using 984 private int curveId; 985 // encoded public point 986 private byte[] pointBytes; 987 988 // signature bytes (or null if anonymous) 989 private byte[] signatureBytes; 990 991 // public key object encapsulated in this message 992 private ECPublicKey publicKey; 993 994 // protocol version being established using this ServerKeyExchange message 995 ProtocolVersion protocolVersion; 996 997 // the preferable signature algorithm used by this ServerKeyExchange message 998 private SignatureAndHashAlgorithm preferableSignatureAlgorithm; 999 1000 ECDH_ServerKeyExchange(ECDHCrypt obj, PrivateKey privateKey, 1001 byte[] clntNonce, byte[] svrNonce, SecureRandom sr, 1002 SignatureAndHashAlgorithm signAlgorithm, 1003 ProtocolVersion protocolVersion) throws GeneralSecurityException { 1004 1005 this.protocolVersion = protocolVersion; 1006 1007 publicKey = (ECPublicKey)obj.getPublicKey(); 1008 ECParameterSpec params = publicKey.getParams(); 1009 ECPoint point = publicKey.getW(); 1010 pointBytes = JsseJce.encodePoint(point, params.getCurve()); 1011 curveId = SupportedEllipticCurvesExtension.getCurveIndex(params); 1012 1013 if (privateKey == null) { 1014 // ECDH_anon 1015 return; 1016 } 1017 1018 Signature sig; 1019 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 1020 this.preferableSignatureAlgorithm = signAlgorithm; 1021 sig = JsseJce.getSignature(signAlgorithm.getAlgorithmName()); 1022 } else { 1023 sig = getSignature(privateKey.getAlgorithm()); 1024 } 1025 sig.initSign(privateKey); // where is the SecureRandom? 1026 1027 updateSignature(sig, clntNonce, svrNonce); 1028 signatureBytes = sig.sign(); 1029 } 1030 1031 /* 1032 * Parse an ECDH server key exchange message. 1033 */ 1034 ECDH_ServerKeyExchange(HandshakeInStream input, PublicKey signingKey, 1035 byte[] clntNonce, byte[] svrNonce, 1036 Collection<SignatureAndHashAlgorithm> localSupportedSignAlgs, 1037 ProtocolVersion protocolVersion) 1038 throws IOException, GeneralSecurityException { 1039 1040 this.protocolVersion = protocolVersion; 1041 1042 // read params: ServerECDHParams 1043 int curveType = input.getInt8(); 1044 ECParameterSpec parameters; 1045 // These parsing errors should never occur as we negotiated 1046 // the supported curves during the exchange of the Hello messages. 1047 if (curveType == CURVE_NAMED_CURVE) { 1048 curveId = input.getInt16(); 1049 if (SupportedEllipticCurvesExtension.isSupported(curveId) 1050 == false) { 1051 throw new SSLHandshakeException( 1052 "Unsupported curveId: " + curveId); 1053 } 1054 String curveOid = 1055 SupportedEllipticCurvesExtension.getCurveOid(curveId); 1056 if (curveOid == null) { 1057 throw new SSLHandshakeException( 1058 "Unknown named curve: " + curveId); 1059 } 1060 parameters = JsseJce.getECParameterSpec(curveOid); 1061 if (parameters == null) { 1062 throw new SSLHandshakeException( 1063 "Unsupported curve: " + curveOid); 1064 } 1065 } else { 1066 throw new SSLHandshakeException( 1067 "Unsupported ECCurveType: " + curveType); 1068 } 1069 pointBytes = input.getBytes8(); 1070 1071 ECPoint point = JsseJce.decodePoint(pointBytes, parameters.getCurve()); 1072 KeyFactory factory = JsseJce.getKeyFactory("EC"); 1073 publicKey = (ECPublicKey)factory.generatePublic( 1074 new ECPublicKeySpec(point, parameters)); 1075 1076 if (signingKey == null) { 1077 // ECDH_anon 1078 return; 1079 } 1080 1081 // read the signature and hash algorithm 1082 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 1083 int hash = input.getInt8(); // hash algorithm 1084 int signature = input.getInt8(); // signature algorithm 1085 1086 preferableSignatureAlgorithm = 1087 SignatureAndHashAlgorithm.valueOf(hash, signature, 0); 1088 1089 // Is it a local supported signature algorithm? 1090 if (!localSupportedSignAlgs.contains( 1091 preferableSignatureAlgorithm)) { 1092 throw new SSLHandshakeException( 1093 "Unsupported SignatureAndHashAlgorithm in " + 1094 "ServerKeyExchange message"); 1095 } 1096 } 1097 1098 // read the signature 1099 signatureBytes = input.getBytes16(); 1100 1101 // verify the signature 1102 Signature sig; 1103 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 1104 sig = JsseJce.getSignature( 1105 preferableSignatureAlgorithm.getAlgorithmName()); 1106 } else { 1107 sig = getSignature(signingKey.getAlgorithm()); 1108 } 1109 sig.initVerify(signingKey); 1110 1111 updateSignature(sig, clntNonce, svrNonce); 1112 1113 if (sig.verify(signatureBytes) == false ) { 1114 throw new SSLKeyException( 1115 "Invalid signature on ECDH server key exchange message"); 1116 } 1117 } 1118 1119 /* 1120 * Get the ephemeral EC public key encapsulated in this message. 1121 */ 1122 ECPublicKey getPublicKey() { 1123 return publicKey; 1124 } 1125 1126 private static Signature getSignature(String keyAlgorithm) 1127 throws NoSuchAlgorithmException { 1128 switch (keyAlgorithm) { 1129 case "EC": 1130 return JsseJce.getSignature(JsseJce.SIGNATURE_ECDSA); 1131 case "RSA": 1132 return RSASignature.getInstance(); 1133 default: 1134 throw new NoSuchAlgorithmException("neither an RSA or a EC key"); 1135 } 1136 } 1137 1138 private void updateSignature(Signature sig, byte clntNonce[], 1139 byte svrNonce[]) throws SignatureException { 1140 sig.update(clntNonce); 1141 sig.update(svrNonce); 1142 1143 sig.update((byte)CURVE_NAMED_CURVE); 1144 sig.update((byte)(curveId >> 8)); 1145 sig.update((byte)curveId); 1146 sig.update((byte)pointBytes.length); 1147 sig.update(pointBytes); 1148 } 1149 1150 @Override 1151 int messageLength() { 1152 int sigLen = 0; 1153 if (signatureBytes != null) { 1154 sigLen = 2 + signatureBytes.length; 1155 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 1156 sigLen += SignatureAndHashAlgorithm.sizeInRecord(); 1157 } 1158 } 1159 1160 return 4 + pointBytes.length + sigLen; 1161 } 1162 1163 @Override 1164 void send(HandshakeOutStream s) throws IOException { 1165 s.putInt8(CURVE_NAMED_CURVE); 1166 s.putInt16(curveId); 1167 s.putBytes8(pointBytes); 1168 1169 if (signatureBytes != null) { 1170 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 1171 s.putInt8(preferableSignatureAlgorithm.getHashValue()); 1172 s.putInt8(preferableSignatureAlgorithm.getSignatureValue()); 1173 } 1174 1175 s.putBytes16(signatureBytes); 1176 } 1177 } 1178 1179 @Override 1180 void print(PrintStream s) throws IOException { 1181 s.println("*** ECDH ServerKeyExchange"); 1182 1183 if (debug != null && Debug.isOn("verbose")) { 1184 if (signatureBytes == null) { 1185 s.println("Anonymous"); 1186 } else { 1187 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 1188 s.println("Signature Algorithm " + 1189 preferableSignatureAlgorithm.getAlgorithmName()); 1190 } 1191 } 1192 1193 s.println("Server key: " + publicKey); 1194 } 1195 } 1196 } 1197 1198 static final class DistinguishedName { 1199 1200 /* 1201 * DER encoded distinguished name. 1202 * TLS requires that its not longer than 65535 bytes. 1203 */ 1204 byte name[]; 1205 1206 DistinguishedName(HandshakeInStream input) throws IOException { 1207 name = input.getBytes16(); 1208 } 1209 1210 DistinguishedName(X500Principal dn) { 1211 name = dn.getEncoded(); 1212 } 1213 1214 X500Principal getX500Principal() throws IOException { 1215 try { 1216 return new X500Principal(name); 1217 } catch (IllegalArgumentException e) { 1218 throw (SSLProtocolException)new SSLProtocolException( 1219 e.getMessage()).initCause(e); 1220 } 1221 } 1222 1223 int length() { 1224 return 2 + name.length; 1225 } 1226 1227 void send(HandshakeOutStream output) throws IOException { 1228 output.putBytes16(name); 1229 } 1230 1231 void print(PrintStream output) throws IOException { 1232 X500Principal principal = new X500Principal(name); 1233 output.println("<" + principal.toString() + ">"); 1234 } 1235 } 1236 1237 /* 1238 * CertificateRequest ... SERVER --> CLIENT 1239 * 1240 * Authenticated servers may ask clients to authenticate themselves 1241 * in turn, using this message. 1242 * 1243 * Prior to TLS 1.2, the structure of the message is defined as: 1244 * struct { 1245 * ClientCertificateType certificate_types<1..2^8-1>; 1246 * DistinguishedName certificate_authorities<0..2^16-1>; 1247 * } CertificateRequest; 1248 * 1249 * In TLS 1.2, the structure is changed to: 1250 * struct { 1251 * ClientCertificateType certificate_types<1..2^8-1>; 1252 * SignatureAndHashAlgorithm 1253 * supported_signature_algorithms<2^16-1>; 1254 * DistinguishedName certificate_authorities<0..2^16-1>; 1255 * } CertificateRequest; 1256 * 1257 */ 1258 static final 1259 class CertificateRequest extends HandshakeMessage 1260 { 1261 // enum ClientCertificateType 1262 static final int cct_rsa_sign = 1; 1263 static final int cct_dss_sign = 2; 1264 static final int cct_rsa_fixed_dh = 3; 1265 static final int cct_dss_fixed_dh = 4; 1266 1267 // The existance of these two values is a bug in the SSL specification. 1268 // They are never used in the protocol. 1269 static final int cct_rsa_ephemeral_dh = 5; 1270 static final int cct_dss_ephemeral_dh = 6; 1271 1272 // From RFC 4492 (ECC) 1273 static final int cct_ecdsa_sign = 64; 1274 static final int cct_rsa_fixed_ecdh = 65; 1275 static final int cct_ecdsa_fixed_ecdh = 66; 1276 1277 private final static byte[] TYPES_NO_ECC = { cct_rsa_sign, cct_dss_sign }; 1278 private final static byte[] TYPES_ECC = 1279 { cct_rsa_sign, cct_dss_sign, cct_ecdsa_sign }; 1280 1281 byte types []; // 1 to 255 types 1282 DistinguishedName authorities []; // 3 to 2^16 - 1 1283 // ... "3" because that's the smallest DER-encoded X500 DN 1284 1285 // protocol version being established using this CertificateRequest message 1286 ProtocolVersion protocolVersion; 1287 1288 // supported_signature_algorithms for TLS 1.2 or later 1289 private Collection<SignatureAndHashAlgorithm> algorithms; 1290 1291 // length of supported_signature_algorithms 1292 private int algorithmsLen; 1293 1294 CertificateRequest(X509Certificate ca[], KeyExchange keyExchange, 1295 Collection<SignatureAndHashAlgorithm> signAlgs, 1296 ProtocolVersion protocolVersion) throws IOException { 1297 1298 this.protocolVersion = protocolVersion; 1299 1300 // always use X500Principal 1301 authorities = new DistinguishedName[ca.length]; 1302 for (int i = 0; i < ca.length; i++) { 1303 X500Principal x500Principal = ca[i].getSubjectX500Principal(); 1304 authorities[i] = new DistinguishedName(x500Principal); 1305 } 1306 // we support RSA, DSS, and ECDSA client authentication and they 1307 // can be used with all ciphersuites. If this changes, the code 1308 // needs to be adapted to take keyExchange into account. 1309 // We only request ECDSA client auth if we have ECC crypto available. 1310 this.types = JsseJce.isEcAvailable() ? TYPES_ECC : TYPES_NO_ECC; 1311 1312 // Use supported_signature_algorithms for TLS 1.2 or later. 1313 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 1314 if (signAlgs == null || signAlgs.isEmpty()) { 1315 throw new SSLProtocolException( 1316 "No supported signature algorithms"); 1317 } 1318 1319 algorithms = new ArrayList<SignatureAndHashAlgorithm>(signAlgs); 1320 algorithmsLen = 1321 SignatureAndHashAlgorithm.sizeInRecord() * algorithms.size(); 1322 } else { 1323 algorithms = new ArrayList<SignatureAndHashAlgorithm>(); 1324 algorithmsLen = 0; 1325 } 1326 } 1327 1328 CertificateRequest(HandshakeInStream input, 1329 ProtocolVersion protocolVersion) throws IOException { 1330 1331 this.protocolVersion = protocolVersion; 1332 1333 // Read the certificate_types. 1334 types = input.getBytes8(); 1335 1336 // Read the supported_signature_algorithms for TLS 1.2 or later. 1337 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 1338 algorithmsLen = input.getInt16(); 1339 if (algorithmsLen < 2) { 1340 throw new SSLProtocolException( 1341 "Invalid supported_signature_algorithms field"); 1342 } 1343 1344 algorithms = new ArrayList<SignatureAndHashAlgorithm>(); 1345 int remains = algorithmsLen; 1346 int sequence = 0; 1347 while (remains > 1) { // needs at least two bytes 1348 int hash = input.getInt8(); // hash algorithm 1349 int signature = input.getInt8(); // signature algorithm 1350 1351 SignatureAndHashAlgorithm algorithm = 1352 SignatureAndHashAlgorithm.valueOf(hash, signature, 1353 ++sequence); 1354 algorithms.add(algorithm); 1355 remains -= 2; // one byte for hash, one byte for signature 1356 } 1357 1358 if (remains != 0) { 1359 throw new SSLProtocolException( 1360 "Invalid supported_signature_algorithms field"); 1361 } 1362 } else { 1363 algorithms = new ArrayList<SignatureAndHashAlgorithm>(); 1364 algorithmsLen = 0; 1365 } 1366 1367 // read the certificate_authorities 1368 int len = input.getInt16(); 1369 ArrayList<DistinguishedName> v = new ArrayList<>(); 1370 while (len >= 3) { 1371 DistinguishedName dn = new DistinguishedName(input); 1372 v.add(dn); 1373 len -= dn.length(); 1374 } 1375 1376 if (len != 0) { 1377 throw new SSLProtocolException("Bad CertificateRequest DN length"); 1378 } 1379 1380 authorities = v.toArray(new DistinguishedName[v.size()]); 1381 } 1382 1383 X500Principal[] getAuthorities() throws IOException { 1384 X500Principal[] ret = new X500Principal[authorities.length]; 1385 for (int i = 0; i < authorities.length; i++) { 1386 ret[i] = authorities[i].getX500Principal(); 1387 } 1388 return ret; 1389 } 1390 1391 Collection<SignatureAndHashAlgorithm> getSignAlgorithms() { 1392 return algorithms; 1393 } 1394 1395 @Override 1396 int messageType() { 1397 return ht_certificate_request; 1398 } 1399 1400 @Override 1401 int messageLength() { 1402 int len = 1 + types.length + 2; 1403 1404 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 1405 len += algorithmsLen + 2; 1406 } 1407 1408 for (int i = 0; i < authorities.length; i++) { 1409 len += authorities[i].length(); 1410 } 1411 1412 return len; 1413 } 1414 1415 @Override 1416 void send(HandshakeOutStream output) throws IOException { 1417 // put certificate_types 1418 output.putBytes8(types); 1419 1420 // put supported_signature_algorithms 1421 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 1422 output.putInt16(algorithmsLen); 1423 for (SignatureAndHashAlgorithm algorithm : algorithms) { 1424 output.putInt8(algorithm.getHashValue()); // hash 1425 output.putInt8(algorithm.getSignatureValue()); // signature 1426 } 1427 } 1428 1429 // put certificate_authorities 1430 int len = 0; 1431 for (int i = 0; i < authorities.length; i++) { 1432 len += authorities[i].length(); 1433 } 1434 1435 output.putInt16(len); 1436 for (int i = 0; i < authorities.length; i++) { 1437 authorities[i].send(output); 1438 } 1439 } 1440 1441 @Override 1442 void print(PrintStream s) throws IOException { 1443 s.println("*** CertificateRequest"); 1444 1445 if (debug != null && Debug.isOn("verbose")) { 1446 s.print("Cert Types: "); 1447 for (int i = 0; i < types.length; i++) { 1448 switch (types[i]) { 1449 case cct_rsa_sign: 1450 s.print("RSA"); break; 1451 case cct_dss_sign: 1452 s.print("DSS"); break; 1453 case cct_rsa_fixed_dh: 1454 s.print("Fixed DH (RSA sig)"); break; 1455 case cct_dss_fixed_dh: 1456 s.print("Fixed DH (DSS sig)"); break; 1457 case cct_rsa_ephemeral_dh: 1458 s.print("Ephemeral DH (RSA sig)"); break; 1459 case cct_dss_ephemeral_dh: 1460 s.print("Ephemeral DH (DSS sig)"); break; 1461 case cct_ecdsa_sign: 1462 s.print("ECDSA"); break; 1463 case cct_rsa_fixed_ecdh: 1464 s.print("Fixed ECDH (RSA sig)"); break; 1465 case cct_ecdsa_fixed_ecdh: 1466 s.print("Fixed ECDH (ECDSA sig)"); break; 1467 default: 1468 s.print("Type-" + (types[i] & 0xff)); break; 1469 } 1470 if (i != types.length - 1) { 1471 s.print(", "); 1472 } 1473 } 1474 s.println(); 1475 1476 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 1477 StringBuilder sb = new StringBuilder(); 1478 boolean opened = false; 1479 for (SignatureAndHashAlgorithm signAlg : algorithms) { 1480 if (opened) { 1481 sb.append(", ").append(signAlg.getAlgorithmName()); 1482 } else { 1483 sb.append(signAlg.getAlgorithmName()); 1484 opened = true; 1485 } 1486 } 1487 s.println("Supported Signature Algorithms: " + sb); 1488 } 1489 1490 s.println("Cert Authorities:"); 1491 if (authorities.length == 0) { 1492 s.println("<Empty>"); 1493 } else { 1494 for (int i = 0; i < authorities.length; i++) { 1495 authorities[i].print(s); 1496 } 1497 } 1498 } 1499 } 1500 } 1501 1502 1503 /* 1504 * ServerHelloDone ... SERVER --> CLIENT 1505 * 1506 * When server's done sending its messages in response to the client's 1507 * "hello" (e.g. its own hello, certificate, key exchange message, perhaps 1508 * client certificate request) it sends this message to flag that it's 1509 * done that part of the handshake. 1510 */ 1511 static final 1512 class ServerHelloDone extends HandshakeMessage 1513 { 1514 @Override 1515 int messageType() { return ht_server_hello_done; } 1516 1517 ServerHelloDone() { } 1518 1519 ServerHelloDone(HandshakeInStream input) 1520 { 1521 // nothing to do 1522 } 1523 1524 @Override 1525 int messageLength() 1526 { 1527 return 0; 1528 } 1529 1530 @Override 1531 void send(HandshakeOutStream s) throws IOException 1532 { 1533 // nothing to send 1534 } 1535 1536 @Override 1537 void print(PrintStream s) throws IOException 1538 { 1539 s.println("*** ServerHelloDone"); 1540 } 1541 } 1542 1543 1544 /* 1545 * CertificateVerify ... CLIENT --> SERVER 1546 * 1547 * Sent after client sends signature-capable certificates (e.g. not 1548 * Diffie-Hellman) to verify. 1549 */ 1550 static final class CertificateVerify extends HandshakeMessage { 1551 1552 // the signature bytes 1553 private byte[] signature; 1554 1555 // protocol version being established using this ServerKeyExchange message 1556 ProtocolVersion protocolVersion; 1557 1558 // the preferable signature algorithm used by this CertificateVerify message 1559 private SignatureAndHashAlgorithm preferableSignatureAlgorithm = null; 1560 1561 /* 1562 * Create an RSA or DSA signed certificate verify message. 1563 */ 1564 CertificateVerify(ProtocolVersion protocolVersion, 1565 HandshakeHash handshakeHash, PrivateKey privateKey, 1566 SecretKey masterSecret, SecureRandom sr, 1567 SignatureAndHashAlgorithm signAlgorithm) 1568 throws GeneralSecurityException { 1569 1570 this.protocolVersion = protocolVersion; 1571 1572 String algorithm = privateKey.getAlgorithm(); 1573 Signature sig = null; 1574 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 1575 this.preferableSignatureAlgorithm = signAlgorithm; 1576 sig = JsseJce.getSignature(signAlgorithm.getAlgorithmName()); 1577 } else { 1578 sig = getSignature(protocolVersion, algorithm); 1579 } 1580 sig.initSign(privateKey, sr); 1581 updateSignature(sig, protocolVersion, handshakeHash, algorithm, 1582 masterSecret); 1583 signature = sig.sign(); 1584 } 1585 1586 // 1587 // Unmarshal the signed data from the input stream. 1588 // 1589 CertificateVerify(HandshakeInStream input, 1590 Collection<SignatureAndHashAlgorithm> localSupportedSignAlgs, 1591 ProtocolVersion protocolVersion) throws IOException { 1592 1593 this.protocolVersion = protocolVersion; 1594 1595 // read the signature and hash algorithm 1596 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 1597 int hashAlg = input.getInt8(); // hash algorithm 1598 int signAlg = input.getInt8(); // signature algorithm 1599 1600 preferableSignatureAlgorithm = 1601 SignatureAndHashAlgorithm.valueOf(hashAlg, signAlg, 0); 1602 1603 // Is it a local supported signature algorithm? 1604 if (!localSupportedSignAlgs.contains( 1605 preferableSignatureAlgorithm)) { 1606 throw new SSLHandshakeException( 1607 "Unsupported SignatureAndHashAlgorithm in " + 1608 "ServerKeyExchange message"); 1609 } 1610 } 1611 1612 // read the signature 1613 signature = input.getBytes16(); 1614 } 1615 1616 /* 1617 * Get the preferable signature algorithm used by this message 1618 */ 1619 SignatureAndHashAlgorithm getPreferableSignatureAlgorithm() { 1620 return preferableSignatureAlgorithm; 1621 } 1622 1623 /* 1624 * Verify a certificate verify message. Return the result of verification, 1625 * if there is a problem throw a GeneralSecurityException. 1626 */ 1627 boolean verify(ProtocolVersion protocolVersion, 1628 HandshakeHash handshakeHash, PublicKey publicKey, 1629 SecretKey masterSecret) throws GeneralSecurityException { 1630 String algorithm = publicKey.getAlgorithm(); 1631 Signature sig = null; 1632 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 1633 sig = JsseJce.getSignature( 1634 preferableSignatureAlgorithm.getAlgorithmName()); 1635 } else { 1636 sig = getSignature(protocolVersion, algorithm); 1637 } 1638 sig.initVerify(publicKey); 1639 updateSignature(sig, protocolVersion, handshakeHash, algorithm, 1640 masterSecret); 1641 return sig.verify(signature); 1642 } 1643 1644 /* 1645 * Get the Signature object appropriate for verification using the 1646 * given signature algorithm and protocol version. 1647 */ 1648 private static Signature getSignature(ProtocolVersion protocolVersion, 1649 String algorithm) throws GeneralSecurityException { 1650 switch (algorithm) { 1651 case "RSA": 1652 return RSASignature.getInternalInstance(); 1653 case "DSA": 1654 return JsseJce.getSignature(JsseJce.SIGNATURE_RAWDSA); 1655 case "EC": 1656 return JsseJce.getSignature(JsseJce.SIGNATURE_RAWECDSA); 1657 default: 1658 throw new SignatureException("Unrecognized algorithm: " 1659 + algorithm); 1660 } 1661 } 1662 1663 /* 1664 * Update the Signature with the data appropriate for the given 1665 * signature algorithm and protocol version so that the object is 1666 * ready for signing or verifying. 1667 */ 1668 private static void updateSignature(Signature sig, 1669 ProtocolVersion protocolVersion, 1670 HandshakeHash handshakeHash, String algorithm, SecretKey masterKey) 1671 throws SignatureException { 1672 1673 if (algorithm.equals("RSA")) { 1674 if (protocolVersion.v < ProtocolVersion.TLS12.v) { // TLS1.1- 1675 MessageDigest md5Clone = handshakeHash.getMD5Clone(); 1676 MessageDigest shaClone = handshakeHash.getSHAClone(); 1677 1678 if (protocolVersion.v < ProtocolVersion.TLS10.v) { // SSLv3 1679 updateDigest(md5Clone, MD5_pad1, MD5_pad2, masterKey); 1680 updateDigest(shaClone, SHA_pad1, SHA_pad2, masterKey); 1681 } 1682 1683 // The signature must be an instance of RSASignature, need 1684 // to use these hashes directly. 1685 RSASignature.setHashes(sig, md5Clone, shaClone); 1686 } else { // TLS1.2+ 1687 sig.update(handshakeHash.getAllHandshakeMessages()); 1688 } 1689 } else { // DSA, ECDSA 1690 if (protocolVersion.v < ProtocolVersion.TLS12.v) { // TLS1.1- 1691 MessageDigest shaClone = handshakeHash.getSHAClone(); 1692 1693 if (protocolVersion.v < ProtocolVersion.TLS10.v) { // SSLv3 1694 updateDigest(shaClone, SHA_pad1, SHA_pad2, masterKey); 1695 } 1696 1697 sig.update(shaClone.digest()); 1698 } else { // TLS1.2+ 1699 sig.update(handshakeHash.getAllHandshakeMessages()); 1700 } 1701 } 1702 } 1703 1704 /* 1705 * Update the MessageDigest for SSLv3 certificate verify or finished 1706 * message calculation. The digest must already have been updated with 1707 * all preceding handshake messages. 1708 * Used by the Finished class as well. 1709 */ 1710 private static void updateDigest(MessageDigest md, 1711 byte[] pad1, byte[] pad2, 1712 SecretKey masterSecret) { 1713 // Digest the key bytes if available. 1714 // Otherwise (sensitive key), try digesting the key directly. 1715 // That is currently only implemented in SunPKCS11 using a private 1716 // reflection API, so we avoid that if possible. 1717 byte[] keyBytes = "RAW".equals(masterSecret.getFormat()) 1718 ? masterSecret.getEncoded() : null; 1719 if (keyBytes != null) { 1720 md.update(keyBytes); 1721 } else { 1722 digestKey(md, masterSecret); 1723 } 1724 md.update(pad1); 1725 byte[] temp = md.digest(); 1726 1727 if (keyBytes != null) { 1728 md.update(keyBytes); 1729 } else { 1730 digestKey(md, masterSecret); 1731 } 1732 md.update(pad2); 1733 md.update(temp); 1734 } 1735 1736 private final static Class<?> delegate; 1737 private final static Field spiField; 1738 1739 static { 1740 try { 1741 delegate = Class.forName("java.security.MessageDigest$Delegate"); 1742 spiField = delegate.getDeclaredField("digestSpi"); 1743 } catch (Exception e) { 1744 throw new RuntimeException("Reflection failed", e); 1745 } 1746 makeAccessible(spiField); 1747 } 1748 1749 private static void makeAccessible(final AccessibleObject o) { 1750 AccessController.doPrivileged(new PrivilegedAction<Object>() { 1751 @Override 1752 public Object run() { 1753 o.setAccessible(true); 1754 return null; 1755 } 1756 }); 1757 } 1758 1759 // ConcurrentHashMap does not allow null values, use this marker object 1760 private final static Object NULL_OBJECT = new Object(); 1761 1762 // cache Method objects per Spi class 1763 // Note that this will prevent the Spi classes from being GC'd. We assume 1764 // that is not a problem. 1765 private final static Map<Class<?>,Object> methodCache = 1766 new ConcurrentHashMap<>(); 1767 1768 private static void digestKey(MessageDigest md, SecretKey key) { 1769 try { 1770 // Verify that md is implemented via MessageDigestSpi, not 1771 // via JDK 1.1 style MessageDigest subclassing. 1772 if (md.getClass() != delegate) { 1773 throw new Exception("Digest is not a MessageDigestSpi"); 1774 } 1775 MessageDigestSpi spi = (MessageDigestSpi)spiField.get(md); 1776 Class<?> clazz = spi.getClass(); 1777 Object r = methodCache.get(clazz); 1778 if (r == null) { 1779 try { 1780 r = clazz.getDeclaredMethod("implUpdate", SecretKey.class); 1781 makeAccessible((Method)r); 1782 } catch (NoSuchMethodException e) { 1783 r = NULL_OBJECT; 1784 } 1785 methodCache.put(clazz, r); 1786 } 1787 if (r == NULL_OBJECT) { 1788 throw new Exception( 1789 "Digest does not support implUpdate(SecretKey)"); 1790 } 1791 Method update = (Method)r; 1792 update.invoke(spi, key); 1793 } catch (Exception e) { 1794 throw new RuntimeException( 1795 "Could not obtain encoded key and " 1796 + "MessageDigest cannot digest key", e); 1797 } 1798 } 1799 1800 @Override 1801 int messageType() { 1802 return ht_certificate_verify; 1803 } 1804 1805 @Override 1806 int messageLength() { 1807 int temp = 2; 1808 1809 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 1810 temp += SignatureAndHashAlgorithm.sizeInRecord(); 1811 } 1812 1813 return temp + signature.length; 1814 } 1815 1816 @Override 1817 void send(HandshakeOutStream s) throws IOException { 1818 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 1819 s.putInt8(preferableSignatureAlgorithm.getHashValue()); 1820 s.putInt8(preferableSignatureAlgorithm.getSignatureValue()); 1821 } 1822 1823 s.putBytes16(signature); 1824 } 1825 1826 @Override 1827 void print(PrintStream s) throws IOException { 1828 s.println("*** CertificateVerify"); 1829 1830 if (debug != null && Debug.isOn("verbose")) { 1831 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 1832 s.println("Signature Algorithm " + 1833 preferableSignatureAlgorithm.getAlgorithmName()); 1834 } 1835 } 1836 } 1837 } 1838 1839 1840 /* 1841 * FINISHED ... sent by both CLIENT and SERVER 1842 * 1843 * This is the FINISHED message as defined in the SSL and TLS protocols. 1844 * Both protocols define this handshake message slightly differently. 1845 * This class supports both formats. 1846 * 1847 * When handshaking is finished, each side sends a "change_cipher_spec" 1848 * record, then immediately sends a "finished" handshake message prepared 1849 * according to the newly adopted cipher spec. 1850 * 1851 * NOTE that until this is sent, no application data may be passed, unless 1852 * some non-default cipher suite has already been set up on this connection 1853 * connection (e.g. a previous handshake arranged one). 1854 */ 1855 static final class Finished extends HandshakeMessage { 1856 1857 // constant for a Finished message sent by the client 1858 final static int CLIENT = 1; 1859 1860 // constant for a Finished message sent by the server 1861 final static int SERVER = 2; 1862 1863 // enum Sender: "CLNT" and "SRVR" 1864 private static final byte[] SSL_CLIENT = { 0x43, 0x4C, 0x4E, 0x54 }; 1865 private static final byte[] SSL_SERVER = { 0x53, 0x52, 0x56, 0x52 }; 1866 1867 /* 1868 * Contents of the finished message ("checksum"). For TLS, it 1869 * is 12 bytes long, for SSLv3 36 bytes. 1870 */ 1871 private byte[] verifyData; 1872 1873 /* 1874 * Current cipher suite we are negotiating. TLS 1.2 has 1875 * ciphersuite-defined PRF algorithms. 1876 */ 1877 private ProtocolVersion protocolVersion; 1878 private CipherSuite cipherSuite; 1879 1880 /* 1881 * Create a finished message to send to the remote peer. 1882 */ 1883 Finished(ProtocolVersion protocolVersion, HandshakeHash handshakeHash, 1884 int sender, SecretKey master, CipherSuite cipherSuite) { 1885 this.protocolVersion = protocolVersion; 1886 this.cipherSuite = cipherSuite; 1887 verifyData = getFinished(handshakeHash, sender, master); 1888 } 1889 1890 /* 1891 * Constructor that reads FINISHED message from stream. 1892 */ 1893 Finished(ProtocolVersion protocolVersion, HandshakeInStream input, 1894 CipherSuite cipherSuite) throws IOException { 1895 this.protocolVersion = protocolVersion; 1896 this.cipherSuite = cipherSuite; 1897 int msgLen = (protocolVersion.v >= ProtocolVersion.TLS10.v) ? 12 : 36; 1898 verifyData = new byte[msgLen]; 1899 input.read(verifyData); 1900 } 1901 1902 /* 1903 * Verify that the hashes here are what would have been produced 1904 * according to a given set of inputs. This is used to ensure that 1905 * both client and server are fully in sync, and that the handshake 1906 * computations have been successful. 1907 */ 1908 boolean verify(HandshakeHash handshakeHash, int sender, SecretKey master) { 1909 byte[] myFinished = getFinished(handshakeHash, sender, master); 1910 return Arrays.equals(myFinished, verifyData); 1911 } 1912 1913 /* 1914 * Perform the actual finished message calculation. 1915 */ 1916 private byte[] getFinished(HandshakeHash handshakeHash, 1917 int sender, SecretKey masterKey) { 1918 byte[] sslLabel; 1919 String tlsLabel; 1920 if (sender == CLIENT) { 1921 sslLabel = SSL_CLIENT; 1922 tlsLabel = "client finished"; 1923 } else if (sender == SERVER) { 1924 sslLabel = SSL_SERVER; 1925 tlsLabel = "server finished"; 1926 } else { 1927 throw new RuntimeException("Invalid sender: " + sender); 1928 } 1929 1930 if (protocolVersion.v >= ProtocolVersion.TLS10.v) { 1931 // TLS 1.0+ 1932 try { 1933 byte [] seed; 1934 String prfAlg; 1935 PRF prf; 1936 1937 // Get the KeyGenerator alg and calculate the seed. 1938 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 1939 // TLS 1.2 1940 seed = handshakeHash.getFinishedHash(); 1941 1942 prfAlg = "SunTls12Prf"; 1943 prf = cipherSuite.prfAlg; 1944 } else { 1945 // TLS 1.0/1.1 1946 MessageDigest md5Clone = handshakeHash.getMD5Clone(); 1947 MessageDigest shaClone = handshakeHash.getSHAClone(); 1948 seed = new byte[36]; 1949 md5Clone.digest(seed, 0, 16); 1950 shaClone.digest(seed, 16, 20); 1951 1952 prfAlg = "SunTlsPrf"; 1953 prf = P_NONE; 1954 } 1955 1956 String prfHashAlg = prf.getPRFHashAlg(); 1957 int prfHashLength = prf.getPRFHashLength(); 1958 int prfBlockSize = prf.getPRFBlockSize(); 1959 1960 /* 1961 * RFC 5246/7.4.9 says that finished messages can 1962 * be ciphersuite-specific in both length/PRF hash 1963 * algorithm. If we ever run across a different 1964 * length, this call will need to be updated. 1965 */ 1966 TlsPrfParameterSpec spec = new TlsPrfParameterSpec( 1967 masterKey, tlsLabel, seed, 12, 1968 prfHashAlg, prfHashLength, prfBlockSize); 1969 1970 KeyGenerator kg = JsseJce.getKeyGenerator(prfAlg); 1971 kg.init(spec); 1972 SecretKey prfKey = kg.generateKey(); 1973 if ("RAW".equals(prfKey.getFormat()) == false) { 1974 throw new ProviderException( 1975 "Invalid PRF output, format must be RAW"); 1976 } 1977 byte[] finished = prfKey.getEncoded(); 1978 return finished; 1979 } catch (GeneralSecurityException e) { 1980 throw new RuntimeException("PRF failed", e); 1981 } 1982 } else { 1983 // SSLv3 1984 MessageDigest md5Clone = handshakeHash.getMD5Clone(); 1985 MessageDigest shaClone = handshakeHash.getSHAClone(); 1986 updateDigest(md5Clone, sslLabel, MD5_pad1, MD5_pad2, masterKey); 1987 updateDigest(shaClone, sslLabel, SHA_pad1, SHA_pad2, masterKey); 1988 byte[] finished = new byte[36]; 1989 try { 1990 md5Clone.digest(finished, 0, 16); 1991 shaClone.digest(finished, 16, 20); 1992 } catch (DigestException e) { 1993 // cannot occur 1994 throw new RuntimeException("Digest failed", e); 1995 } 1996 return finished; 1997 } 1998 } 1999 2000 /* 2001 * Update the MessageDigest for SSLv3 finished message calculation. 2002 * The digest must already have been updated with all preceding handshake 2003 * messages. This operation is almost identical to the certificate verify 2004 * hash, reuse that code. 2005 */ 2006 private static void updateDigest(MessageDigest md, byte[] sender, 2007 byte[] pad1, byte[] pad2, SecretKey masterSecret) { 2008 md.update(sender); 2009 CertificateVerify.updateDigest(md, pad1, pad2, masterSecret); 2010 } 2011 2012 // get the verify_data of the finished message 2013 byte[] getVerifyData() { 2014 return verifyData; 2015 } 2016 2017 @Override 2018 int messageType() { return ht_finished; } 2019 2020 @Override 2021 int messageLength() { 2022 return verifyData.length; 2023 } 2024 2025 @Override 2026 void send(HandshakeOutStream out) throws IOException { 2027 out.write(verifyData); 2028 } 2029 2030 @Override 2031 void print(PrintStream s) throws IOException { 2032 s.println("*** Finished"); 2033 if (debug != null && Debug.isOn("verbose")) { 2034 Debug.println(s, "verify_data", verifyData); 2035 s.println("***"); 2036 } 2037 } 2038 } 2039 2040 // 2041 // END of nested classes 2042 // 2043 2044 }