/* * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. Oracle designates this * particular file as subject to the "Classpath" exception as provided * by Oracle in the LICENSE file that accompanied this code. * * This code is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * version 2 for more details (a copy is included in the LICENSE file that * accompanied this code). * * You should have received a copy of the GNU General Public License version * 2 along with this work; if not, write to the Free Software Foundation, * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. * * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA * or visit www.oracle.com if you need additional information or have any * questions. */ package sun.security.ssl; import java.io.IOException; import java.math.BigInteger; import java.nio.ByteBuffer; import java.security.CryptoPrimitive; import java.security.GeneralSecurityException; import java.security.InvalidAlgorithmParameterException; import java.security.InvalidKeyException; import java.security.KeyFactory; import java.security.NoSuchAlgorithmException; import java.security.Signature; import java.security.SignatureException; import java.text.MessageFormat; import java.util.EnumSet; import java.util.Locale; import javax.crypto.interfaces.DHPublicKey; import javax.crypto.spec.DHParameterSpec; import javax.crypto.spec.DHPublicKeySpec; import sun.security.ssl.DHKeyExchange.DHECredentials; import sun.security.ssl.DHKeyExchange.DHEPossession; import sun.security.ssl.SSLHandshake.HandshakeMessage; import sun.security.ssl.SupportedGroupsExtension.NamedGroup; import sun.security.ssl.X509Authentication.X509Credentials; import sun.security.ssl.X509Authentication.X509Possession; import sun.security.util.HexDumpEncoder; import sun.security.util.KeyUtil; /** * Pack of the ServerKeyExchange handshake message. */ final class DHServerKeyExchange { static final SSLConsumer dhHandshakeConsumer = new DHServerKeyExchangeConsumer(); static final HandshakeProducer dhHandshakeProducer = new DHServerKeyExchangeProducer(); /** * The DiffieHellman ServerKeyExchange handshake message. */ private static final class DHServerKeyExchangeMessage extends HandshakeMessage { // public key encapsulated in this message private byte[] p; // 1 to 2^16 - 1 bytes private byte[] g; // 1 to 2^16 - 1 bytes private byte[] y; // 1 to 2^16 - 1 bytes // the signature algorithm used by this ServerKeyExchange message private final boolean useExplicitSigAlgorithm; private final SignatureScheme signatureScheme; // signature bytes, or null if anonymous private final byte[] paramsSignature; DHServerKeyExchangeMessage( HandshakeContext handshakeContext) throws IOException { super(handshakeContext); // This happens in server side only. ServerHandshakeContext shc = (ServerHandshakeContext)handshakeContext; DHEPossession dhePossession = null; X509Possession x509Possession = null; for (SSLPossession possession : shc.handshakePossessions) { if (possession instanceof DHEPossession) { dhePossession = (DHEPossession)possession; if (x509Possession != null) { break; } } else if (possession instanceof X509Possession) { x509Possession = (X509Possession)possession; if (dhePossession != null) { break; } } } if (dhePossession == null) { // unlikely shc.conContext.fatal(Alert.ILLEGAL_PARAMETER, "No DHE credentials negotiated for server key exchange"); } DHPublicKey publicKey = dhePossession.publicKey; DHParameterSpec params = publicKey.getParams(); this.p = Utilities.toByteArray(params.getP()); this.g = Utilities.toByteArray(params.getG()); this.y = Utilities.toByteArray(publicKey.getY()); if (x509Possession == null) { // anonymous, no authentication, no signature paramsSignature = null; signatureScheme = null; useExplicitSigAlgorithm = false; } else { useExplicitSigAlgorithm = shc.negotiatedProtocol.useTLS12PlusSpec(); Signature signer = null; if (useExplicitSigAlgorithm) { signatureScheme = SignatureScheme.getPreferableAlgorithm( shc.peerRequestedSignatureSchemes, x509Possession.popPrivateKey, shc.negotiatedProtocol); if (signatureScheme == null) { // Unlikely, the credentials generator should have // selected the preferable signature algorithm properly. shc.conContext.fatal(Alert.INTERNAL_ERROR, "No preferred signature algorithm"); } try { signer = signatureScheme.getSignature(); } catch (NoSuchAlgorithmException | InvalidAlgorithmParameterException nsae) { shc.conContext.fatal(Alert.INTERNAL_ERROR, "Unsupported signature algorithm: " + signatureScheme.name, nsae); } } else { signatureScheme = null; try { signer = getSignature( x509Possession.popPrivateKey.getAlgorithm()); } catch (NoSuchAlgorithmException e) { shc.conContext.fatal(Alert.INTERNAL_ERROR, "Unsupported signature algorithm: " + x509Possession.popPrivateKey.getAlgorithm(), e); } } byte[] signature = null; try { signer.initSign(x509Possession.popPrivateKey); updateSignature(signer, shc.clientHelloRandom.randomBytes, shc.serverHelloRandom.randomBytes); signature = signer.sign(); } catch (InvalidKeyException | SignatureException ex) { shc.conContext.fatal(Alert.INTERNAL_ERROR, "Failed to sign dhe parameters: " + x509Possession.popPrivateKey.getAlgorithm(), ex); } paramsSignature = signature; } } DHServerKeyExchangeMessage(HandshakeContext handshakeContext, ByteBuffer m) throws IOException { super(handshakeContext); // This happens in client side only. ClientHandshakeContext chc = (ClientHandshakeContext)handshakeContext; this.p = Record.getBytes16(m); this.g = Record.getBytes16(m); this.y = Record.getBytes16(m); try { KeyUtil.validate(new DHPublicKeySpec( new BigInteger(1, y), new BigInteger(1, p), new BigInteger(1, p))); } catch (InvalidKeyException ike) { chc.conContext.fatal(Alert.HANDSHAKE_FAILURE, "Invalid DH ServerKeyExchange: invalid parameters", ike); } // TODO: check FFDHE named group X509Credentials x509Credentials = null; for (SSLCredentials cd : chc.handshakeCredentials) { if (cd instanceof X509Credentials) { x509Credentials = (X509Credentials)cd; break; } } if (x509Credentials == null) { // anonymous, no authentication, no signature if (m.hasRemaining()) { chc.conContext.fatal(Alert.HANDSHAKE_FAILURE, "Invalid DH ServerKeyExchange: unknown extra data"); } this.signatureScheme = null; this.paramsSignature = null; this.useExplicitSigAlgorithm = false; return; } this.useExplicitSigAlgorithm = chc.negotiatedProtocol.useTLS12PlusSpec(); if (useExplicitSigAlgorithm) { int ssid = Record.getInt16(m); signatureScheme = SignatureScheme.valueOf(ssid); if (signatureScheme == null) { chc.conContext.fatal(Alert.HANDSHAKE_FAILURE, "Invalid signature algorithm (" + ssid + ") used in DH ServerKeyExchange handshake message"); } if (!chc.localSupportedSignAlgs.contains(signatureScheme)) { chc.conContext.fatal(Alert.HANDSHAKE_FAILURE, "Unsupported signature algorithm (" + signatureScheme.name + ") used in DH ServerKeyExchange handshake message"); } } else { this.signatureScheme = null; } // read and verify the signature this.paramsSignature = Record.getBytes16(m); Signature signer; if (useExplicitSigAlgorithm) { try { signer = signatureScheme.getSignature(); } catch (NoSuchAlgorithmException | InvalidAlgorithmParameterException nsae) { chc.conContext.fatal(Alert.INTERNAL_ERROR, "Unsupported signature algorithm: " + signatureScheme.name, nsae); return; // make the compiler happe } } else { try { signer = getSignature( x509Credentials.popPublicKey.getAlgorithm()); } catch (NoSuchAlgorithmException e) { chc.conContext.fatal(Alert.INTERNAL_ERROR, "Unsupported signature algorithm: " + x509Credentials.popPublicKey.getAlgorithm(), e); return; // make the compiler happe } } try { signer.initVerify(x509Credentials.popPublicKey); updateSignature(signer, chc.clientHelloRandom.randomBytes, chc.serverHelloRandom.randomBytes); if (!signer.verify(paramsSignature)) { chc.conContext.fatal(Alert.HANDSHAKE_FAILURE, "Invalid signature on DH ServerKeyExchange message"); } } catch (InvalidKeyException | SignatureException ex) { chc.conContext.fatal(Alert.HANDSHAKE_FAILURE, "Cannot verify DH ServerKeyExchange signature", ex); } } @Override public SSLHandshake handshakeType() { return SSLHandshake.SERVER_KEY_EXCHANGE; } @Override public int messageLength() { int sigLen = 0; if (paramsSignature != null) { sigLen = 2 + paramsSignature.length; if (useExplicitSigAlgorithm) { sigLen += SignatureScheme.sizeInRecord(); } } return 6 + p.length + g.length + y.length + sigLen; // 6: overhead for p, g, y values } @Override public void send(HandshakeOutStream hos) throws IOException { hos.putBytes16(p); hos.putBytes16(g); hos.putBytes16(y); if (paramsSignature != null) { if (useExplicitSigAlgorithm) { hos.putInt16(signatureScheme.id); } hos.putBytes16(paramsSignature); } } @Override public String toString() { if (paramsSignature == null) { // anonymous MessageFormat messageFormat = new MessageFormat( "\"DH ServerKeyExchange\": '{'\n" + " \"parameters\": '{'\n" + " \"dh_p\": '{'\n" + "{0}\n" + " '}',\n" + " \"dh_g\": '{'\n" + "{1}\n" + " '}',\n" + " \"dh_Ys\": '{'\n" + "{2}\n" + " '}',\n" + " '}'\n" + "'}'", Locale.ENGLISH); HexDumpEncoder hexEncoder = new HexDumpEncoder(); Object[] messageFields = { Utilities.indent( hexEncoder.encodeBuffer(p), " "), Utilities.indent( hexEncoder.encodeBuffer(g), " "), Utilities.indent( hexEncoder.encodeBuffer(y), " "), }; return messageFormat.format(messageFields); } if (useExplicitSigAlgorithm) { MessageFormat messageFormat = new MessageFormat( "\"DH ServerKeyExchange\": '{'\n" + " \"parameters\": '{'\n" + " \"dh_p\": '{'\n" + "{0}\n" + " '}',\n" + " \"dh_g\": '{'\n" + "{1}\n" + " '}',\n" + " \"dh_Ys\": '{'\n" + "{2}\n" + " '}',\n" + " '}',\n" + " \"digital signature\": '{'\n" + " \"signature algorithm\": \"{3}\"\n" + " \"signature\": '{'\n" + "{4}\n" + " '}',\n" + " '}'\n" + "'}'", Locale.ENGLISH); HexDumpEncoder hexEncoder = new HexDumpEncoder(); Object[] messageFields = { Utilities.indent( hexEncoder.encodeBuffer(p), " "), Utilities.indent( hexEncoder.encodeBuffer(g), " "), Utilities.indent( hexEncoder.encodeBuffer(y), " "), signatureScheme.name, Utilities.indent( hexEncoder.encodeBuffer(paramsSignature), " ") }; return messageFormat.format(messageFields); } else { MessageFormat messageFormat = new MessageFormat( "\"DH ServerKeyExchange\": '{'\n" + " \"parameters\": '{'\n" + " \"dh_p\": '{'\n" + "{0}\n" + " '}',\n" + " \"dh_g\": '{'\n" + "{1}\n" + " '}',\n" + " \"dh_Ys\": '{'\n" + "{2}\n" + " '}',\n" + " '}',\n" + " \"signature\": '{'\n" + "{3}\n" + " '}'\n" + "'}'", Locale.ENGLISH); HexDumpEncoder hexEncoder = new HexDumpEncoder(); Object[] messageFields = { Utilities.indent( hexEncoder.encodeBuffer(p), " "), Utilities.indent( hexEncoder.encodeBuffer(g), " "), Utilities.indent( hexEncoder.encodeBuffer(y), " "), Utilities.indent( hexEncoder.encodeBuffer(paramsSignature), " ") }; return messageFormat.format(messageFields); } } private static Signature getSignature(String keyAlgorithm) throws NoSuchAlgorithmException { switch (keyAlgorithm) { case "DSA": return JsseJce.getSignature(JsseJce.SIGNATURE_DSA); case "RSA": return RSASignature.getInstance(); default: throw new NoSuchAlgorithmException( "neither an RSA or a DSA key : " + keyAlgorithm); } } /* * Update sig with nonces and Diffie-Hellman public key. */ private void updateSignature(Signature sig, byte[] clntNonce, byte[] svrNonce) throws SignatureException { int tmp; sig.update(clntNonce); sig.update(svrNonce); sig.update((byte)(p.length >> 8)); sig.update((byte)(p.length & 0x0ff)); sig.update(p); sig.update((byte)(g.length >> 8)); sig.update((byte)(g.length & 0x0ff)); sig.update(g); sig.update((byte)(y.length >> 8)); sig.update((byte)(y.length & 0x0ff)); sig.update(y); } } /** * The DiffieHellman "ServerKeyExchange" handshake message producer. */ static final class DHServerKeyExchangeProducer implements HandshakeProducer { // Prevent instantiation of this class. private DHServerKeyExchangeProducer() { // blank } @Override public byte[] produce(ConnectionContext context, HandshakeMessage message) throws IOException { // The producing happens in server side only. ServerHandshakeContext shc = (ServerHandshakeContext)context; DHServerKeyExchangeMessage skem = new DHServerKeyExchangeMessage(shc); if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.fine( "Produced DH ServerKeyExchange handshake message", skem); } // Output the handshake message. skem.write(shc.handshakeOutput); shc.handshakeOutput.flush(); // The handshake message has been delivered. return null; } } /** * The DiffieHellman "ServerKeyExchange" handshake message consumer. */ static final class DHServerKeyExchangeConsumer implements SSLConsumer { // Prevent instantiation of this class. private DHServerKeyExchangeConsumer() { // blank } @Override public void consume(ConnectionContext context, ByteBuffer message) throws IOException { // The consuming happens in client side only. ClientHandshakeContext chc = (ClientHandshakeContext)context; DHServerKeyExchangeMessage skem = new DHServerKeyExchangeMessage(chc, message); if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.fine( "Consuming DH ServerKeyExchange handshake message", skem); } // // validate // // check constraints of EC PublicKey DHPublicKey publicKey; try { KeyFactory kf = JsseJce.getKeyFactory("DiffieHellman"); DHPublicKeySpec spec = new DHPublicKeySpec( new BigInteger(1, skem.y), new BigInteger(1, skem.p), new BigInteger(1, skem.g)); publicKey = (DHPublicKey)kf.generatePublic(spec); } catch (GeneralSecurityException gse) { chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY, "Could not generate DHPublicKey", gse); return; // make the compiler happy } if (!chc.algorithmConstraints.permits( EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), publicKey)) { chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY, "DH ServerKeyExchange does not comply to " + "algorithm constraints"); } // // update // NamedGroup namedGroup = NamedGroup.valueOf(publicKey.getParams()); chc.handshakeCredentials.add( new DHECredentials(publicKey, namedGroup)); // // produce // // Need no new handshake message producers here. } } }