10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package sun.security.ssl;
27
28 import java.util.HashSet;
29 import java.util.Set;
30 import sun.security.util.AlgorithmDecomposer;
31 import static sun.security.ssl.CipherSuite.*;
32 import static sun.security.ssl.CipherSuite.KeyExchange.*;
33
34 /**
35 * The class decomposes standard SSL/TLS cipher suites into sub-elements.
36 */
37 class SSLAlgorithmDecomposer extends AlgorithmDecomposer {
38
39 // indicates that only certification path algorithms need to be used
40 private final boolean onlyX509;
41
42 SSLAlgorithmDecomposer(boolean onlyX509) {
43 this.onlyX509 = onlyX509;
44 }
45
46 SSLAlgorithmDecomposer() {
47 this(false);
48 }
49
50 private Set<String> decomposes(CipherSuite.KeyExchange keyExchange) {
51 Set<String> components = new HashSet<>();
52 switch (keyExchange) {
109 components.add("ECDH_RSA");
110 break;
111 case K_ECDHE_ECDSA:
112 components.add("ECDHE");
113 components.add("ECDSA");
114 components.add("ECDHE_ECDSA");
115 break;
116 case K_ECDHE_RSA:
117 components.add("ECDHE");
118 components.add("RSA");
119 components.add("ECDHE_RSA");
120 break;
121 case K_ECDH_ANON:
122 if (!onlyX509) {
123 components.add("ECDH");
124 components.add("ANON");
125 components.add("ECDH_ANON");
126 }
127 break;
128 default:
129 if (ClientKeyExchangeService.find(keyExchange.name) != null) {
130 if (!onlyX509) {
131 components.add(keyExchange.name);
132 }
133 }
134 // otherwise ignore
135 }
136
137 return components;
138 }
139
140 private Set<String> decomposes(CipherSuite.BulkCipher bulkCipher) {
141 Set<String> components = new HashSet<>();
142
143 if (bulkCipher.transformation != null) {
144 components.addAll(super.decompose(bulkCipher.transformation));
145 }
146
147 switch (bulkCipher) {
148 case B_NULL:
149 components.add("C_NULL");
150 break;
151 case B_RC2_40:
152 components.add("RC2_CBC_40");
153 break;
154 case B_RC4_40:
155 components.add("RC4_40");
156 break;
157 case B_RC4_128:
158 components.add("RC4_128");
159 break;
160 case B_DES_40:
168 components.add("3DES_EDE_CBC");
169 break;
170 case B_AES_128:
171 components.add("AES_128_CBC");
172 break;
173 case B_AES_256:
174 components.add("AES_256_CBC");
175 break;
176 case B_AES_128_GCM:
177 components.add("AES_128_GCM");
178 break;
179 case B_AES_256_GCM:
180 components.add("AES_256_GCM");
181 break;
182 }
183
184 return components;
185 }
186
187 private Set<String> decomposes(CipherSuite.MacAlg macAlg,
188 BulkCipher cipher) {
189 Set<String> components = new HashSet<>();
190
191 if (macAlg == CipherSuite.MacAlg.M_NULL
192 && cipher.cipherType != CipherType.AEAD_CIPHER) {
193 components.add("M_NULL");
194 } else if (macAlg == CipherSuite.MacAlg.M_MD5) {
195 components.add("MD5");
196 components.add("HmacMD5");
197 } else if (macAlg == CipherSuite.MacAlg.M_SHA) {
198 components.add("SHA1");
199 components.add("SHA-1");
200 components.add("HmacSHA1");
201 } else if (macAlg == CipherSuite.MacAlg.M_SHA256) {
202 components.add("SHA256");
203 components.add("SHA-256");
204 components.add("HmacSHA256");
205 } else if (macAlg == CipherSuite.MacAlg.M_SHA384) {
206 components.add("SHA384");
207 components.add("SHA-384");
208 components.add("HmacSHA384");
209 }
210
211 return components;
212 }
213
214 private Set<String> decompose(KeyExchange keyExchange, BulkCipher cipher,
215 MacAlg macAlg) {
216 Set<String> components = new HashSet<>();
217
218 if (keyExchange != null) {
219 components.addAll(decomposes(keyExchange));
220 }
221
222 if (onlyX509) {
223 // Certification path algorithm constraints do not apply
224 // to cipher and macAlg.
225 return components;
226 }
227
228 if (cipher != null) {
229 components.addAll(decomposes(cipher));
230 }
231
232 if (macAlg != null) {
233 components.addAll(decomposes(macAlg, cipher));
234 }
235
236 return components;
237 }
238
239 @Override
240 public Set<String> decompose(String algorithm) {
241 if (algorithm.startsWith("SSL_") || algorithm.startsWith("TLS_")) {
242 CipherSuite cipherSuite = null;
243 try {
244 cipherSuite = CipherSuite.valueOf(algorithm);
245 } catch (IllegalArgumentException iae) {
246 // ignore: unknown or unsupported ciphersuite
247 }
248
249 if (cipherSuite != null) {
250 return decompose(cipherSuite.keyExchange, cipherSuite.cipher,
251 cipherSuite.macAlg);
252 }
253 }
254
255 return super.decompose(algorithm);
256 }
257
258 }
|
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package sun.security.ssl;
27
28 import java.util.HashSet;
29 import java.util.Set;
30 import sun.security.ssl.CipherSuite.HashAlg;
31 import sun.security.ssl.CipherSuite.KeyExchange;
32 import static sun.security.ssl.CipherSuite.KeyExchange.*;
33 import sun.security.ssl.CipherSuite.MacAlg;
34 import static sun.security.ssl.SSLCipher.B_3DES;
35 import static sun.security.ssl.SSLCipher.B_AES_128;
36 import static sun.security.ssl.SSLCipher.B_AES_128_GCM;
37 import static sun.security.ssl.SSLCipher.B_AES_256;
38 import static sun.security.ssl.SSLCipher.B_AES_256_GCM;
39 import static sun.security.ssl.SSLCipher.B_DES;
40 import static sun.security.ssl.SSLCipher.B_DES_40;
41 import static sun.security.ssl.SSLCipher.B_NULL;
42 import static sun.security.ssl.SSLCipher.B_RC2_40;
43 import static sun.security.ssl.SSLCipher.B_RC4_128;
44 import static sun.security.ssl.SSLCipher.B_RC4_40;
45 import sun.security.util.AlgorithmDecomposer;
46
47 /**
48 * The class decomposes standard SSL/TLS cipher suites into sub-elements.
49 */
50 class SSLAlgorithmDecomposer extends AlgorithmDecomposer {
51
52 // indicates that only certification path algorithms need to be used
53 private final boolean onlyX509;
54
55 SSLAlgorithmDecomposer(boolean onlyX509) {
56 this.onlyX509 = onlyX509;
57 }
58
59 SSLAlgorithmDecomposer() {
60 this(false);
61 }
62
63 private Set<String> decomposes(CipherSuite.KeyExchange keyExchange) {
64 Set<String> components = new HashSet<>();
65 switch (keyExchange) {
122 components.add("ECDH_RSA");
123 break;
124 case K_ECDHE_ECDSA:
125 components.add("ECDHE");
126 components.add("ECDSA");
127 components.add("ECDHE_ECDSA");
128 break;
129 case K_ECDHE_RSA:
130 components.add("ECDHE");
131 components.add("RSA");
132 components.add("ECDHE_RSA");
133 break;
134 case K_ECDH_ANON:
135 if (!onlyX509) {
136 components.add("ECDH");
137 components.add("ANON");
138 components.add("ECDH_ANON");
139 }
140 break;
141 default:
142 // otherwise ignore
143 }
144
145 return components;
146 }
147
148 private Set<String> decomposes(SSLCipher bulkCipher) {
149 Set<String> components = new HashSet<>();
150
151 if (bulkCipher.transformation != null) {
152 components.addAll(super.decompose(bulkCipher.transformation));
153 }
154
155 switch (bulkCipher) {
156 case B_NULL:
157 components.add("C_NULL");
158 break;
159 case B_RC2_40:
160 components.add("RC2_CBC_40");
161 break;
162 case B_RC4_40:
163 components.add("RC4_40");
164 break;
165 case B_RC4_128:
166 components.add("RC4_128");
167 break;
168 case B_DES_40:
176 components.add("3DES_EDE_CBC");
177 break;
178 case B_AES_128:
179 components.add("AES_128_CBC");
180 break;
181 case B_AES_256:
182 components.add("AES_256_CBC");
183 break;
184 case B_AES_128_GCM:
185 components.add("AES_128_GCM");
186 break;
187 case B_AES_256_GCM:
188 components.add("AES_256_GCM");
189 break;
190 }
191
192 return components;
193 }
194
195 private Set<String> decomposes(CipherSuite.MacAlg macAlg,
196 SSLCipher cipher) {
197 Set<String> components = new HashSet<>();
198
199 if (macAlg == CipherSuite.MacAlg.M_NULL
200 && cipher.cipherType != CipherType.AEAD_CIPHER) {
201 components.add("M_NULL");
202 } else if (macAlg == CipherSuite.MacAlg.M_MD5) {
203 components.add("MD5");
204 components.add("HmacMD5");
205 } else if (macAlg == CipherSuite.MacAlg.M_SHA) {
206 components.add("SHA1");
207 components.add("SHA-1");
208 components.add("HmacSHA1");
209 } else if (macAlg == CipherSuite.MacAlg.M_SHA256) {
210 components.add("SHA256");
211 components.add("SHA-256");
212 components.add("HmacSHA256");
213 } else if (macAlg == CipherSuite.MacAlg.M_SHA384) {
214 components.add("SHA384");
215 components.add("SHA-384");
216 components.add("HmacSHA384");
217 }
218
219 return components;
220 }
221
222 private Set<String> decomposes(CipherSuite.HashAlg hashAlg) {
223 Set<String> components = new HashSet<>();
224
225 if (hashAlg == CipherSuite.HashAlg.H_SHA256) {
226 components.add("SHA256");
227 components.add("SHA-256");
228 components.add("HmacSHA256");
229 } else if (hashAlg == CipherSuite.HashAlg.H_SHA384) {
230 components.add("SHA384");
231 components.add("SHA-384");
232 components.add("HmacSHA384");
233 }
234
235 return components;
236 }
237
238 private Set<String> decompose(KeyExchange keyExchange,
239 SSLCipher cipher,
240 MacAlg macAlg,
241 HashAlg hashAlg) {
242 Set<String> components = new HashSet<>();
243
244 if (keyExchange != null) {
245 components.addAll(decomposes(keyExchange));
246 }
247
248 if (onlyX509) {
249 // Certification path algorithm constraints do not apply
250 // to cipher and macAlg.
251 return components;
252 }
253
254 if (cipher != null) {
255 components.addAll(decomposes(cipher));
256 }
257
258 if (macAlg != null) {
259 components.addAll(decomposes(macAlg, cipher));
260 }
261
262 if (hashAlg != null) {
263 components.addAll(decomposes(hashAlg));
264 }
265
266 return components;
267 }
268
269 @Override
270 public Set<String> decompose(String algorithm) {
271 if (algorithm.startsWith("SSL_") || algorithm.startsWith("TLS_")) {
272 CipherSuite cipherSuite = null;
273 try {
274 cipherSuite = CipherSuite.nameOf(algorithm);
275 } catch (IllegalArgumentException iae) {
276 // ignore: unknown or unsupported ciphersuite
277 }
278
279 if (cipherSuite != null) {
280 return decompose(cipherSuite.keyExchange,
281 cipherSuite.bulkCipher,
282 cipherSuite.macAlg,
283 cipherSuite.hashAlg);
284 }
285 }
286
287 return super.decompose(algorithm);
288 }
289 }
|