1 /*
2 * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package sun.security.ssl;
27
28 import java.io.*;
29 import java.math.BigInteger;
30 import java.security.*;
31 import java.security.interfaces.*;
32 import java.security.spec.*;
33 import java.security.cert.*;
34 import java.security.cert.Certificate;
35 import java.util.*;
36 import java.util.concurrent.ConcurrentHashMap;
37
38 import java.lang.reflect.*;
39
40 import javax.security.auth.x500.X500Principal;
41
42 import javax.crypto.KeyGenerator;
43 import javax.crypto.SecretKey;
44 import javax.crypto.spec.DHPublicKeySpec;
45
46 import javax.net.ssl.*;
47
48 import sun.security.internal.spec.TlsPrfParameterSpec;
49 import sun.security.ssl.CipherSuite.*;
50 import static sun.security.ssl.CipherSuite.PRF.*;
51 import sun.security.util.KeyUtil;
52 import sun.security.util.MessageDigestSpi2;
53 import sun.security.provider.certpath.OCSPResponse;
54
55 /**
56 * Many data structures are involved in the handshake messages. These
57 * classes are used as structures, with public data members. They are
58 * not visible outside the SSL package.
59 *
60 * Handshake messages all have a common header format, and they are all
61 * encoded in a "handshake data" SSL record substream. The base class
62 * here (HandshakeMessage) provides a common framework and records the
63 * SSL record type of the particular handshake message.
64 *
65 * This file contains subclasses for all the basic handshake messages.
66 * All handshake messages know how to encode and decode themselves on
67 * SSL streams; this facilitates using the same code on SSL client and
68 * server sides, although they don't send and receive the same messages.
69 *
70 * Messages also know how to print themselves, which is quite handy
71 * for debugging. They always identify their type, and can optionally
72 * dump all of their content.
73 *
74 * @author David Brownell
75 */
76 public abstract class HandshakeMessage {
77
78 /* Class and subclass dynamic debugging support */
79 public static final Debug debug = Debug.getInstance("ssl");
80
81 // enum HandshakeType:
82 //
83 // Please update the isUnsupported() method accordingly if the handshake
84 // types get updated in the future.
85 static final byte ht_hello_request = 0; // RFC 5246
86 static final byte ht_client_hello = 1; // RFC 5246
87 static final byte ht_server_hello = 2; // RFC 5246
88 static final byte ht_hello_verify_request = 3; // RFC 6347
89 static final byte ht_new_session_ticket = 4; // RFC 4507
90
91 static final byte ht_certificate = 11; // RFC 5246
92 static final byte ht_server_key_exchange = 12; // RFC 5246
93 static final byte ht_certificate_request = 13; // RFC 5246
94 static final byte ht_server_hello_done = 14; // RFC 5246
95 static final byte ht_certificate_verify = 15; // RFC 5246
96 static final byte ht_client_key_exchange = 16; // RFC 5246
97
98 static final byte ht_finished = 20; // RFC 5246
99 static final byte ht_certificate_url = 21; // RFC 6066
100 static final byte ht_certificate_status = 22; // RFC 6066
101 static final byte ht_supplemental_data = 23; // RFC 4680
102
103 static final byte ht_not_applicable = -1; // N/A
104
105 /*
106 * SSL 3.0 MAC padding constants.
107 * Also used by CertificateVerify and Finished during the handshake.
108 */
109 static final byte[] MD5_pad1 = genPad(0x36, 48);
110 static final byte[] MD5_pad2 = genPad(0x5c, 48);
111
112 static final byte[] SHA_pad1 = genPad(0x36, 40);
113 static final byte[] SHA_pad2 = genPad(0x5c, 40);
114
115 // default constructor
116 HandshakeMessage() {
117 }
118
119 /**
120 * Utility method to convert a BigInteger to a byte array in unsigned
121 * format as needed in the handshake messages. BigInteger uses
122 * 2's complement format, i.e. it prepends an extra zero if the MSB
123 * is set. We remove that.
124 */
125 static byte[] toByteArray(BigInteger bi) {
126 byte[] b = bi.toByteArray();
127 if ((b.length > 1) && (b[0] == 0)) {
128 int n = b.length - 1;
129 byte[] newarray = new byte[n];
130 System.arraycopy(b, 1, newarray, 0, n);
131 b = newarray;
132 }
133 return b;
134 }
135
136 static boolean isUnsupported(byte handshakeType) {
137 return (handshakeType != ht_hello_request) &&
138 (handshakeType != ht_client_hello) &&
139 (handshakeType != ht_server_hello) &&
140 (handshakeType != ht_hello_verify_request) &&
141 (handshakeType != ht_new_session_ticket) &&
142 (handshakeType != ht_certificate) &&
143 (handshakeType != ht_server_key_exchange) &&
144 (handshakeType != ht_certificate_request) &&
145 (handshakeType != ht_server_hello_done) &&
146 (handshakeType != ht_certificate_verify) &&
147 (handshakeType != ht_client_key_exchange) &&
148 (handshakeType != ht_finished) &&
149 (handshakeType != ht_certificate_url) &&
150 (handshakeType != ht_certificate_status) &&
151 (handshakeType != ht_supplemental_data);
152 }
153
154 private static byte[] genPad(int b, int count) {
155 byte[] padding = new byte[count];
156 Arrays.fill(padding, (byte)b);
157 return padding;
158 }
159
160 /*
161 * Write a handshake message on the (handshake) output stream.
162 * This is just a four byte header followed by the data.
163 *
164 * NOTE that huge messages -- notably, ones with huge cert
165 * chains -- are handled correctly.
166 */
167 final void write(HandshakeOutStream s) throws IOException {
168 int len = messageLength();
169 if (len >= Record.OVERFLOW_OF_INT24) {
170 throw new SSLException("Handshake message too big"
171 + ", type = " + messageType() + ", len = " + len);
172 }
173 s.write(messageType());
174 s.putInt24(len);
175 send(s);
176 s.complete();
177 }
178
179 /*
180 * Subclasses implement these methods so those kinds of
181 * messages can be emitted. Base class delegates to subclass.
182 */
183 abstract int messageType();
184 abstract int messageLength();
185 abstract void send(HandshakeOutStream s) throws IOException;
186
187 /*
188 * Write a descriptive message on the output stream; for debugging.
189 */
190 abstract void print(PrintStream p) throws IOException;
191
192 //
193 // NOTE: the rest of these classes are nested within this one, and are
194 // imported by other classes in this package. There are a few other
195 // handshake message classes, not neatly nested here because of current
196 // licensing requirement for native (RSA) methods. They belong here,
197 // but those native methods complicate things a lot!
198 //
199
200
201 /*
202 * HelloRequest ... SERVER --> CLIENT
203 *
204 * Server can ask the client to initiate a new handshake, e.g. to change
205 * session parameters after a connection has been (re)established.
206 */
207 static final class HelloRequest extends HandshakeMessage {
208 @Override
209 int messageType() { return ht_hello_request; }
210
211 HelloRequest() { }
212
213 HelloRequest(HandshakeInStream in) throws IOException
214 {
215 // nothing in this message
216 }
217
218 @Override
219 int messageLength() { return 0; }
220
221 @Override
222 void send(HandshakeOutStream out) throws IOException
223 {
224 // nothing in this messaage
225 }
226
227 @Override
228 void print(PrintStream out) throws IOException
229 {
230 out.println("*** HelloRequest (empty)");
231 }
232
233 }
234
235 /*
236 * HelloVerifyRequest ... SERVER --> CLIENT [DTLS only]
237 *
238 * The definition of HelloVerifyRequest is as follows:
239 *
240 * struct {
241 * ProtocolVersion server_version;
242 * opaque cookie<0..2^8-1>;
243 * } HelloVerifyRequest;
244 *
245 * For DTLS protocols, once the client has transmitted the ClientHello message,
246 * it expects to see a HelloVerifyRequest from the server. However, if the
247 * server's message is lost, the client knows that either the ClientHello or
248 * the HelloVerifyRequest has been lost and retransmits. [RFC 6347]
249 */
250 static final class HelloVerifyRequest extends HandshakeMessage {
251 ProtocolVersion protocolVersion;
252 byte[] cookie; // 1 to 2^8 - 1 bytes
253
254 HelloVerifyRequest(HelloCookieManager helloCookieManager,
255 ClientHello clientHelloMsg) {
256
257 this.protocolVersion = clientHelloMsg.protocolVersion;
258 this.cookie = helloCookieManager.getCookie(clientHelloMsg);
259 }
260
261 HelloVerifyRequest(
262 HandshakeInStream input, int messageLength) throws IOException {
263
264 this.protocolVersion =
265 ProtocolVersion.valueOf(input.getInt8(), input.getInt8());
266 this.cookie = input.getBytes8();
267
268 // Is it a valid cookie?
269 HelloCookieManager.checkCookie(protocolVersion, cookie);
270 }
271
272 @Override
273 int messageType() {
274 return ht_hello_verify_request;
275 }
276
277 @Override
278 int messageLength() {
279 return 2 + cookie.length; // 2: the length of protocolVersion
280 }
281
282 @Override
283 void send(HandshakeOutStream hos) throws IOException {
284 hos.putInt8(protocolVersion.major);
285 hos.putInt8(protocolVersion.minor);
286 hos.putBytes8(cookie);
287 }
288
289 @Override
290 void print(PrintStream out) throws IOException {
291 out.println("*** HelloVerifyRequest");
292 if (debug != null && Debug.isOn("verbose")) {
293 out.println("server_version: " + protocolVersion);
294 Debug.println(out, "cookie", cookie);
295 }
296 }
297 }
298
299 /*
300 * ClientHello ... CLIENT --> SERVER
301 *
302 * Client initiates handshake by telling server what it wants, and what it
303 * can support (prioritized by what's first in the ciphe suite list).
304 *
305 * By RFC2246:7.4.1.2 it's explicitly anticipated that this message
306 * will have more data added at the end ... e.g. what CAs the client trusts.
307 * Until we know how to parse it, we will just read what we know
308 * about, and let our caller handle the jumps over unknown data.
309 */
310 static final class ClientHello extends HandshakeMessage {
311
312 ProtocolVersion protocolVersion;
313 RandomCookie clnt_random;
314 SessionId sessionId;
315 byte[] cookie; // DTLS only
316 private CipherSuiteList cipherSuites;
317 private final boolean isDTLS;
318 byte[] compression_methods;
319
320 HelloExtensions extensions = new HelloExtensions();
321
322 private static final byte[] NULL_COMPRESSION = new byte[] {0};
323
324 ClientHello(SecureRandom generator, ProtocolVersion protocolVersion,
325 SessionId sessionId, CipherSuiteList cipherSuites,
326 boolean isDTLS) {
327
328 this.isDTLS = isDTLS;
329 this.protocolVersion = protocolVersion;
330 this.sessionId = sessionId;
331 this.cipherSuites = cipherSuites;
332 if (isDTLS) {
333 this.cookie = new byte[0];
334 } else {
335 this.cookie = null;
336 }
337
338 clnt_random = new RandomCookie(generator);
339 compression_methods = NULL_COMPRESSION;
340 }
341
342 ClientHello(HandshakeInStream s,
343 int messageLength, boolean isDTLS) throws IOException {
344
345 this.isDTLS = isDTLS;
346
347 protocolVersion = ProtocolVersion.valueOf(s.getInt8(), s.getInt8());
348 clnt_random = new RandomCookie(s);
349 sessionId = new SessionId(s.getBytes8());
350 sessionId.checkLength(protocolVersion);
351 if (isDTLS) {
352 cookie = s.getBytes8();
353 } else {
354 cookie = null;
355 }
356
357 cipherSuites = new CipherSuiteList(s);
358 compression_methods = s.getBytes8();
359 if (messageLength() != messageLength) {
360 extensions = new HelloExtensions(s);
361 }
362 }
363
364 CipherSuiteList getCipherSuites() {
365 return cipherSuites;
366 }
367
368 // add renegotiation_info extension
369 void addRenegotiationInfoExtension(byte[] clientVerifyData) {
370 HelloExtension renegotiationInfo = new RenegotiationInfoExtension(
371 clientVerifyData, new byte[0]);
372 extensions.add(renegotiationInfo);
373 }
374
375 // add server_name extension
376 void addSNIExtension(List<SNIServerName> serverNames) {
377 try {
378 extensions.add(new ServerNameExtension(serverNames));
379 } catch (IOException ioe) {
380 // ignore the exception and return
381 }
382 }
383
384 // add signature_algorithm extension
385 void addSignatureAlgorithmsExtension(
386 Collection<SignatureAndHashAlgorithm> algorithms) {
387 HelloExtension signatureAlgorithm =
388 new SignatureAlgorithmsExtension(algorithms);
389 extensions.add(signatureAlgorithm);
390 }
391
392 void addExtendedMasterSecretExtension() {
393 extensions.add(new ExtendedMasterSecretExtension());
394 }
395
396 void addMFLExtension(int maximumPacketSize) {
397 HelloExtension maxFragmentLength =
398 new MaxFragmentLengthExtension(maximumPacketSize);
399 extensions.add(maxFragmentLength);
400 }
401
402 void updateHelloCookie(MessageDigest cookieDigest) {
403 //
404 // Just use HandshakeOutStream to compute the hello verify cookie.
405 // Not actually used to output handshake message records.
406 //
407 HandshakeOutStream hos = new HandshakeOutStream(null);
408
409 try {
410 send(hos, false); // Do not count hello verify cookie.
411 } catch (IOException ioe) {
412 // unlikely to happen
413 }
414
415 cookieDigest.update(hos.toByteArray());
416 }
417
418 // Add status_request extension type
419 void addCertStatusRequestExtension() {
420 extensions.add(new CertStatusReqExtension(StatusRequestType.OCSP,
421 new OCSPStatusRequest()));
422 }
423
424 // Add status_request_v2 extension type
425 void addCertStatusReqListV2Extension() {
426 // Create a default OCSPStatusRequest that we can use for both
427 // OCSP_MULTI and OCSP request list items.
428 OCSPStatusRequest osr = new OCSPStatusRequest();
429 List<CertStatusReqItemV2> itemList = new ArrayList<>(2);
430 itemList.add(new CertStatusReqItemV2(StatusRequestType.OCSP_MULTI,
431 osr));
432 itemList.add(new CertStatusReqItemV2(StatusRequestType.OCSP, osr));
433 extensions.add(new CertStatusReqListV2Extension(itemList));
434 }
435
436 // add application_layer_protocol_negotiation extension
437 void addALPNExtension(String[] applicationProtocols) throws SSLException {
438 extensions.add(new ALPNExtension(applicationProtocols));
439 }
440
441 @Override
442 int messageType() { return ht_client_hello; }
443
444 @Override
445 int messageLength() {
446 /*
447 * Add fixed size parts of each field...
448 * version + random + session + cipher + compress
449 */
450 return (2 + 32 + 1 + 2 + 1
451 + sessionId.length() /* ... + variable parts */
452 + (isDTLS ? (1 + cookie.length) : 0)
453 + (cipherSuites.size() * 2)
454 + compression_methods.length)
455 + extensions.length();
456 }
457
458 @Override
459 void send(HandshakeOutStream s) throws IOException {
460 send(s, true); // Count hello verify cookie.
461 }
462
463 @Override
464 void print(PrintStream s) throws IOException {
465 s.println("*** ClientHello, " + protocolVersion);
466
467 if (debug != null && Debug.isOn("verbose")) {
468 s.print("RandomCookie: ");
469 clnt_random.print(s);
470
471 s.print("Session ID: ");
472 s.println(sessionId);
473
474 if (isDTLS) {
475 Debug.println(s, "cookie", cookie);
476 }
477
478 s.println("Cipher Suites: " + cipherSuites);
479
480 Debug.println(s, "Compression Methods", compression_methods);
481 extensions.print(s);
482 s.println("***");
483 }
484 }
485
486 private void send(HandshakeOutStream s,
487 boolean computeCookie) throws IOException {
488 s.putInt8(protocolVersion.major);
489 s.putInt8(protocolVersion.minor);
490 clnt_random.send(s);
491 s.putBytes8(sessionId.getId());
492 if (isDTLS && computeCookie) {
493 s.putBytes8(cookie);
494 }
495 cipherSuites.send(s);
496 s.putBytes8(compression_methods);
497 extensions.send(s);
498 }
499
500 }
501
502 /*
503 * ServerHello ... SERVER --> CLIENT
504 *
505 * Server chooses protocol options from among those it supports and the
506 * client supports. Then it sends the basic session descriptive parameters
507 * back to the client.
508 */
509 static final
510 class ServerHello extends HandshakeMessage
511 {
512 @Override
513 int messageType() { return ht_server_hello; }
514
515 ProtocolVersion protocolVersion;
516 RandomCookie svr_random;
517 SessionId sessionId;
518 CipherSuite cipherSuite;
519 byte compression_method;
520 HelloExtensions extensions = new HelloExtensions();
521
522 ServerHello() {
523 // empty
524 }
525
526 ServerHello(HandshakeInStream input, int messageLength)
527 throws IOException {
528 protocolVersion = ProtocolVersion.valueOf(input.getInt8(),
529 input.getInt8());
530 svr_random = new RandomCookie(input);
531 sessionId = new SessionId(input.getBytes8());
532 sessionId.checkLength(protocolVersion);
533 cipherSuite = CipherSuite.valueOf(input.getInt8(), input.getInt8());
534 compression_method = (byte)input.getInt8();
535 if (messageLength() != messageLength) {
536 extensions = new HelloExtensions(input);
537 }
538 }
539
540 @Override
541 int messageLength()
542 {
543 // almost fixed size, except session ID and extensions:
544 // major + minor = 2
545 // random = 32
546 // session ID len field = 1
547 // cipher suite + compression = 3
548 // extensions: if present, 2 + length of extensions
549 return 38 + sessionId.length() + extensions.length();
550 }
551
552 @Override
553 void send(HandshakeOutStream s) throws IOException
554 {
555 s.putInt8(protocolVersion.major);
556 s.putInt8(protocolVersion.minor);
557 svr_random.send(s);
558 s.putBytes8(sessionId.getId());
559 s.putInt8(cipherSuite.id >> 8);
560 s.putInt8(cipherSuite.id & 0xff);
561 s.putInt8(compression_method);
562 extensions.send(s);
563 }
564
565 @Override
566 void print(PrintStream s) throws IOException
567 {
568 s.println("*** ServerHello, " + protocolVersion);
569
570 if (debug != null && Debug.isOn("verbose")) {
571 s.print("RandomCookie: ");
572 svr_random.print(s);
573
574 s.print("Session ID: ");
575 s.println(sessionId);
576
577 s.println("Cipher Suite: " + cipherSuite);
578 s.println("Compression Method: " + compression_method);
579 extensions.print(s);
580 s.println("***");
581 }
582 }
583 }
584
585
586 /*
587 * CertificateMsg ... send by both CLIENT and SERVER
588 *
589 * Each end of a connection may need to pass its certificate chain to
590 * the other end. Such chains are intended to validate an identity with
591 * reference to some certifying authority. Examples include companies
592 * like Verisign, or financial institutions. There's some control over
593 * the certifying authorities which are sent.
594 *
595 * NOTE: that these messages might be huge, taking many handshake records.
596 * Up to 2^48 bytes of certificate may be sent, in records of at most 2^14
597 * bytes each ... up to 2^32 records sent on the output stream.
598 */
599 static final
600 class CertificateMsg extends HandshakeMessage
601 {
602 @Override
603 int messageType() { return ht_certificate; }
604
605 private X509Certificate[] chain;
606
607 private List<byte[]> encodedChain;
608
609 private int messageLength;
610
611 CertificateMsg(X509Certificate[] certs) {
612 chain = certs;
613 }
614
615 CertificateMsg(HandshakeInStream input) throws IOException {
616 int chainLen = input.getInt24();
617 List<Certificate> v = new ArrayList<>(4);
618
619 CertificateFactory cf = null;
620 while (chainLen > 0) {
621 byte[] cert = input.getBytes24();
622 chainLen -= (3 + cert.length);
623 try {
624 if (cf == null) {
625 cf = CertificateFactory.getInstance("X.509");
626 }
627 v.add(cf.generateCertificate(new ByteArrayInputStream(cert)));
628 } catch (CertificateException e) {
629 throw (SSLProtocolException)new SSLProtocolException(
630 e.getMessage()).initCause(e);
631 }
632 }
633
634 chain = v.toArray(new X509Certificate[v.size()]);
635 }
636
637 @Override
638 int messageLength() {
639 if (encodedChain == null) {
640 messageLength = 3;
641 encodedChain = new ArrayList<byte[]>(chain.length);
642 try {
643 for (X509Certificate cert : chain) {
644 byte[] b = cert.getEncoded();
645 encodedChain.add(b);
646 messageLength += b.length + 3;
647 }
648 } catch (CertificateEncodingException e) {
649 encodedChain = null;
650 throw new RuntimeException("Could not encode certificates", e);
651 }
652 }
653 return messageLength;
654 }
655
656 @Override
657 void send(HandshakeOutStream s) throws IOException {
658 s.putInt24(messageLength() - 3);
659 for (byte[] b : encodedChain) {
660 s.putBytes24(b);
661 }
662 }
663
664 @Override
665 void print(PrintStream s) throws IOException {
666 s.println("*** Certificate chain");
667
668 if (chain.length == 0) {
669 s.println("<Empty>");
670 } else if (debug != null && Debug.isOn("verbose")) {
671 for (int i = 0; i < chain.length; i++) {
672 s.println("chain [" + i + "] = " + chain[i]);
673 }
674 }
675 s.println("***");
676 }
677
678 X509Certificate[] getCertificateChain() {
679 return chain.clone();
680 }
681 }
682
683 /*
684 * CertificateStatus ... SERVER --> CLIENT
685 *
686 * When a ClientHello asserting the status_request or status_request_v2
687 * extensions is accepted by the server, it will fetch and return one
688 * or more status responses in this handshake message.
689 *
690 * NOTE: Like the Certificate handshake message, this can potentially
691 * be a very large message both due to the size of multiple status
692 * responses and the certificate chains that are often attached to them.
693 * Up to 2^24 bytes of status responses may be sent, possibly fragmented
694 * over multiple TLS records.
695 */
696 static final class CertificateStatus extends HandshakeMessage
697 {
698 private final StatusRequestType statusType;
699 private int encodedResponsesLen;
700 private int messageLength = -1;
701 private List<byte[]> encodedResponses;
702
703 @Override
704 int messageType() { return ht_certificate_status; }
705
706 /**
707 * Create a CertificateStatus message from the certificates and their
708 * respective OCSP responses
709 *
710 * @param type an indication of the type of response (OCSP or OCSP_MULTI)
711 * @param responses a {@code List} of OCSP responses in DER-encoded form.
712 * For the OCSP type, only the first entry in the response list is
713 * used, and must correspond to the end-entity certificate sent to the
714 * peer. Zero-length or null values for the response data are not
715 * allowed for the OCSP type. For the OCSP_MULTI type, each entry in
716 * the list should match its corresponding certificate sent in the
717 * Server Certificate message. Where an OCSP response does not exist,
718 * either a zero-length array or a null value should be used.
719 *
720 * @throws SSLException if an unsupported StatusRequestType or invalid
721 * OCSP response data is provided.
722 */
723 CertificateStatus(StatusRequestType type, X509Certificate[] chain,
724 Map<X509Certificate, byte[]> responses) {
725 statusType = type;
726 encodedResponsesLen = 0;
727 encodedResponses = new ArrayList<>(chain.length);
728
729 Objects.requireNonNull(chain, "Null chain not allowed");
730 Objects.requireNonNull(responses, "Null responses not allowed");
731
732 if (statusType == StatusRequestType.OCSP) {
733 // Just get the response for the end-entity certificate
734 byte[] respDER = responses.get(chain[0]);
735 if (respDER != null && respDER.length > 0) {
736 encodedResponses.add(respDER);
737 encodedResponsesLen = 3 + respDER.length;
738 } else {
739 throw new IllegalArgumentException("Zero-length or null " +
740 "OCSP Response");
741 }
742 } else if (statusType == StatusRequestType.OCSP_MULTI) {
743 for (X509Certificate cert : chain) {
744 byte[] respDER = responses.get(cert);
745 if (respDER != null) {
746 encodedResponses.add(respDER);
747 encodedResponsesLen += (respDER.length + 3);
748 } else {
749 // If we cannot find a response for a given certificate
750 // then use a zero-length placeholder.
751 encodedResponses.add(new byte[0]);
752 encodedResponsesLen += 3;
753 }
754 }
755 } else {
756 throw new IllegalArgumentException(
757 "Unsupported StatusResponseType: " + statusType);
758 }
759 }
760
761 /**
762 * Decode the CertificateStatus handshake message coming from a
763 * {@code HandshakeInputStream}.
764 *
765 * @param input the {@code HandshakeInputStream} containing the
766 * CertificateStatus message bytes.
767 *
768 * @throws SSLHandshakeException if a zero-length response is found in the
769 * OCSP response type, or an unsupported response type is detected.
770 * @throws IOException if a decoding error occurs.
771 */
772 CertificateStatus(HandshakeInStream input) throws IOException {
773 encodedResponsesLen = 0;
774 encodedResponses = new ArrayList<>();
775
776 statusType = StatusRequestType.get(input.getInt8());
777 if (statusType == StatusRequestType.OCSP) {
778 byte[] respDER = input.getBytes24();
779 // Convert the incoming bytes to a OCSPResponse strucutre
780 if (respDER.length > 0) {
781 encodedResponses.add(respDER);
782 encodedResponsesLen = 3 + respDER.length;
783 } else {
784 throw new SSLHandshakeException("Zero-length OCSP Response");
785 }
786 } else if (statusType == StatusRequestType.OCSP_MULTI) {
787 int respListLen = input.getInt24();
788 encodedResponsesLen = respListLen;
789
790 // Add each OCSP reponse into the array list in the order
791 // we receive them off the wire. A zero-length array is
792 // allowed for ocsp_multi, and means that a response for
793 // a given certificate is not available.
794 while (respListLen > 0) {
795 byte[] respDER = input.getBytes24();
796 encodedResponses.add(respDER);
797 respListLen -= (respDER.length + 3);
798 }
799
800 if (respListLen != 0) {
801 throw new SSLHandshakeException(
802 "Bad OCSP response list length");
803 }
804 } else {
805 throw new SSLHandshakeException("Unsupported StatusResponseType: " +
806 statusType);
807 }
808 }
809
810 /**
811 * Get the length of the CertificateStatus message.
812 *
813 * @return the length of the message in bytes.
814 */
815 @Override
816 int messageLength() {
817 int len = 1; // Length + Status type
818
819 if (messageLength == -1) {
820 if (statusType == StatusRequestType.OCSP) {
821 len += encodedResponsesLen;
822 } else if (statusType == StatusRequestType.OCSP_MULTI) {
823 len += 3 + encodedResponsesLen;
824 }
825 messageLength = len;
826 }
827
828 return messageLength;
829 }
830
831 /**
832 * Encode the CertificateStatus handshake message and place it on a
833 * {@code HandshakeOutputStream}.
834 *
835 * @param s the HandshakeOutputStream that will the message bytes.
836 *
837 * @throws IOException if an encoding error occurs.
838 */
839 @Override
840 void send(HandshakeOutStream s) throws IOException {
841 s.putInt8(statusType.id);
842 if (statusType == StatusRequestType.OCSP) {
843 s.putBytes24(encodedResponses.get(0));
844 } else if (statusType == StatusRequestType.OCSP_MULTI) {
845 s.putInt24(encodedResponsesLen);
846 for (byte[] respBytes : encodedResponses) {
847 if (respBytes != null) {
848 s.putBytes24(respBytes);
849 } else {
850 s.putBytes24(null);
851 }
852 }
853 } else {
854 // It is highly unlikely that we will fall into this section of
855 // the code.
856 throw new SSLHandshakeException("Unsupported status_type: " +
857 statusType.id);
858 }
859 }
860
861 /**
862 * Display a human-readable representation of the CertificateStatus message.
863 *
864 * @param s the PrintStream used to display the message data.
865 *
866 * @throws IOException if any errors occur while parsing the OCSP response
867 * bytes into a readable form.
868 */
869 @Override
870 void print(PrintStream s) throws IOException {
871 s.println("*** CertificateStatus");
872 if (debug != null && Debug.isOn("verbose")) {
873 s.println("Type: " + statusType);
874 if (statusType == StatusRequestType.OCSP) {
875 OCSPResponse oResp = new OCSPResponse(encodedResponses.get(0));
876 s.println(oResp);
877 } else if (statusType == StatusRequestType.OCSP_MULTI) {
878 int numResponses = encodedResponses.size();
879 s.println(numResponses +
880 (numResponses == 1 ? " entry:" : " entries:"));
881 for (byte[] respDER : encodedResponses) {
882 if (respDER.length > 0) {
883 OCSPResponse oResp = new OCSPResponse(respDER);
884 s.println(oResp);
885 } else {
886 s.println("<Zero-length entry>");
887 }
888 }
889 }
890 }
891 }
892
893 /**
894 * Get the type of CertificateStatus message
895 *
896 * @return the {@code StatusRequestType} for this CertificateStatus
897 * message.
898 */
899 StatusRequestType getType() {
900 return statusType;
901 }
902
903 /**
904 * Get the list of non-zero length OCSP responses.
905 * The responses returned in this list can be used to map to
906 * {@code X509Certificate} objects provided by the peer and
907 * provided to a {@code PKIXRevocationChecker}.
908 *
909 * @return an unmodifiable List of zero or more byte arrays, each one
910 * consisting of a single status response.
911 */
912 List<byte[]> getResponses() {
913 return Collections.unmodifiableList(encodedResponses);
914 }
915 }
916
917 /*
918 * ServerKeyExchange ... SERVER --> CLIENT
919 *
920 * The cipher suite selected, when combined with the certificate exchanged,
921 * implies one of several different kinds of key exchange. Most current
922 * cipher suites require the server to send more than its certificate.
923 *
924 * The primary exceptions are when a server sends an encryption-capable
925 * RSA public key in its cert, to be used with RSA (or RSA_export) key
926 * exchange; and when a server sends its Diffie-Hellman cert. Those kinds
927 * of key exchange do not require a ServerKeyExchange message.
928 *
929 * Key exchange can be viewed as having three modes, which are explicit
930 * for the Diffie-Hellman flavors and poorly specified for RSA ones:
931 *
932 * - "Ephemeral" keys. Here, a "temporary" key is allocated by the
933 * server, and signed. Diffie-Hellman keys signed using RSA or
934 * DSS are ephemeral (DHE flavor). RSA keys get used to do the same
935 * thing, to cut the key size down to 512 bits (export restrictions)
936 * or for signing-only RSA certificates.
937 *
938 * - Anonymity. Here no server certificate is sent, only the public
939 * key of the server. This case is subject to man-in-the-middle
940 * attacks. This can be done with Diffie-Hellman keys (DH_anon) or
941 * with RSA keys, but is only used in SSLv3 for DH_anon.
942 *
943 * - "Normal" case. Here a server certificate is sent, and the public
944 * key there is used directly in exchanging the premaster secret.
945 * For example, Diffie-Hellman "DH" flavor, and any RSA flavor with
946 * only 512 bit keys.
947 *
948 * If a server certificate is sent, there is no anonymity. However,
949 * when a certificate is sent, ephemeral keys may still be used to
950 * exchange the premaster secret. That's how RSA_EXPORT often works,
951 * as well as how the DHE_* flavors work.
952 */
953 abstract static class ServerKeyExchange extends HandshakeMessage
954 {
955 @Override
956 int messageType() { return ht_server_key_exchange; }
957 }
958
959
960 /*
961 * Using RSA for Key Exchange: exchange a session key that's not as big
962 * as the signing-only key. Used for export applications, since exported
963 * RSA encryption keys can't be bigger than 512 bytes.
964 *
965 * This is never used when keys are 512 bits or smaller, and isn't used
966 * on "US Domestic" ciphers in any case.
967 */
968 static final
969 class RSA_ServerKeyExchange extends ServerKeyExchange
970 {
971 private byte[] rsa_modulus; // 1 to 2^16 - 1 bytes
972 private byte[] rsa_exponent; // 1 to 2^16 - 1 bytes
973
974 private Signature signature;
975 private byte[] signatureBytes;
976
977 /*
978 * Hash the nonces and the ephemeral RSA public key.
979 */
980 private void updateSignature(byte[] clntNonce, byte[] svrNonce)
981 throws SignatureException {
982 int tmp;
983
984 signature.update(clntNonce);
985 signature.update(svrNonce);
986
987 tmp = rsa_modulus.length;
988 signature.update((byte)(tmp >> 8));
989 signature.update((byte)(tmp & 0x0ff));
990 signature.update(rsa_modulus);
991
992 tmp = rsa_exponent.length;
993 signature.update((byte)(tmp >> 8));
994 signature.update((byte)(tmp & 0x0ff));
995 signature.update(rsa_exponent);
996 }
997
998
999 /*
1000 * Construct an RSA server key exchange message, using data
1001 * known _only_ to the server.
1002 *
1003 * The client knows the public key corresponding to this private
1004 * key, from the Certificate message sent previously. To comply
1005 * with US export regulations we use short RSA keys ... either
1006 * long term ones in the server's X509 cert, or else ephemeral
1007 * ones sent using this message.
1008 */
1009 RSA_ServerKeyExchange(PublicKey ephemeralKey, PrivateKey privateKey,
1010 RandomCookie clntNonce, RandomCookie svrNonce, SecureRandom sr)
1011 throws GeneralSecurityException {
1012 RSAPublicKeySpec rsaKey = JsseJce.getRSAPublicKeySpec(ephemeralKey);
1013 rsa_modulus = toByteArray(rsaKey.getModulus());
1014 rsa_exponent = toByteArray(rsaKey.getPublicExponent());
1015 signature = RSASignature.getInstance();
1016 signature.initSign(privateKey, sr);
1017 updateSignature(clntNonce.random_bytes, svrNonce.random_bytes);
1018 signatureBytes = signature.sign();
1019 }
1020
1021
1022 /*
1023 * Parse an RSA server key exchange message, using data known
1024 * to the client (and, in some situations, eavesdroppers).
1025 */
1026 RSA_ServerKeyExchange(HandshakeInStream input)
1027 throws IOException, NoSuchAlgorithmException {
1028 signature = RSASignature.getInstance();
1029 rsa_modulus = input.getBytes16();
1030 rsa_exponent = input.getBytes16();
1031 signatureBytes = input.getBytes16();
1032 }
1033
1034 /*
1035 * Get the ephemeral RSA public key that will be used in this
1036 * SSL connection.
1037 */
1038 PublicKey getPublicKey() {
1039 try {
1040 KeyFactory kfac = JsseJce.getKeyFactory("RSA");
1041 // modulus and exponent are always positive
1042 RSAPublicKeySpec kspec = new RSAPublicKeySpec(
1043 new BigInteger(1, rsa_modulus),
1044 new BigInteger(1, rsa_exponent));
1045 return kfac.generatePublic(kspec);
1046 } catch (Exception e) {
1047 throw new RuntimeException(e);
1048 }
1049 }
1050
1051 /*
1052 * Verify the signed temporary key using the hashes computed
1053 * from it and the two nonces. This is called by clients
1054 * with "exportable" RSA flavors.
1055 */
1056 boolean verify(PublicKey certifiedKey, RandomCookie clntNonce,
1057 RandomCookie svrNonce) throws GeneralSecurityException {
1058 signature.initVerify(certifiedKey);
1059 updateSignature(clntNonce.random_bytes, svrNonce.random_bytes);
1060 return signature.verify(signatureBytes);
1061 }
1062
1063 @Override
1064 int messageLength() {
1065 return 6 + rsa_modulus.length + rsa_exponent.length
1066 + signatureBytes.length;
1067 }
1068
1069 @Override
1070 void send(HandshakeOutStream s) throws IOException {
1071 s.putBytes16(rsa_modulus);
1072 s.putBytes16(rsa_exponent);
1073 s.putBytes16(signatureBytes);
1074 }
1075
1076 @Override
1077 void print(PrintStream s) throws IOException {
1078 s.println("*** RSA ServerKeyExchange");
1079
1080 if (debug != null && Debug.isOn("verbose")) {
1081 Debug.println(s, "RSA Modulus", rsa_modulus);
1082 Debug.println(s, "RSA Public Exponent", rsa_exponent);
1083 }
1084 }
1085 }
1086
1087
1088 /*
1089 * Using Diffie-Hellman algorithm for key exchange. All we really need to
1090 * do is securely get Diffie-Hellman keys (using the same P, G parameters)
1091 * to our peer, then we automatically have a shared secret without need
1092 * to exchange any more data. (D-H only solutions, such as SKIP, could
1093 * eliminate key exchange negotiations and get faster connection setup.
1094 * But they still need a signature algorithm like DSS/DSA to support the
1095 * trusted distribution of keys without relying on unscalable physical
1096 * key distribution systems.)
1097 *
1098 * This class supports several DH-based key exchange algorithms, though
1099 * perhaps eventually each deserves its own class. Notably, this has
1100 * basic support for DH_anon and its DHE_DSS and DHE_RSA signed variants.
1101 */
1102 static final
1103 class DH_ServerKeyExchange extends ServerKeyExchange
1104 {
1105 // Fix message encoding, see 4348279
1106 private static final boolean dhKeyExchangeFix =
1107 Debug.getBooleanProperty("com.sun.net.ssl.dhKeyExchangeFix", true);
1108
1109 private byte[] dh_p; // 1 to 2^16 - 1 bytes
1110 private byte[] dh_g; // 1 to 2^16 - 1 bytes
1111 private byte[] dh_Ys; // 1 to 2^16 - 1 bytes
1112
1113 private byte[] signature;
1114
1115 // protocol version being established using this ServerKeyExchange message
1116 ProtocolVersion protocolVersion;
1117
1118 // the preferable signature algorithm used by this ServerKeyExchange message
1119 private SignatureAndHashAlgorithm preferableSignatureAlgorithm;
1120
1121 /*
1122 * Construct from initialized DH key object, for DH_anon
1123 * key exchange.
1124 */
1125 DH_ServerKeyExchange(DHCrypt obj, ProtocolVersion protocolVersion) {
1126 this.protocolVersion = protocolVersion;
1127 this.preferableSignatureAlgorithm = null;
1128
1129 // The DH key has been validated in the constructor of DHCrypt.
1130 setValues(obj);
1131 signature = null;
1132 }
1133
1134 /*
1135 * Construct from initialized DH key object and the key associated
1136 * with the cert chain which was sent ... for DHE_DSS and DHE_RSA
1137 * key exchange. (Constructor called by server.)
1138 */
1139 DH_ServerKeyExchange(DHCrypt obj, PrivateKey key, byte[] clntNonce,
1140 byte[] svrNonce, SecureRandom sr,
1141 SignatureAndHashAlgorithm signAlgorithm,
1142 ProtocolVersion protocolVersion) throws GeneralSecurityException {
1143
1144 this.protocolVersion = protocolVersion;
1145
1146 // The DH key has been validated in the constructor of DHCrypt.
1147 setValues(obj);
1148
1149 Signature sig;
1150 if (protocolVersion.useTLS12PlusSpec()) {
1151 this.preferableSignatureAlgorithm = signAlgorithm;
1152 sig = JsseJce.getSignature(signAlgorithm.getAlgorithmName());
1153 } else {
1154 this.preferableSignatureAlgorithm = null;
1155 if (key.getAlgorithm().equals("DSA")) {
1156 sig = JsseJce.getSignature(JsseJce.SIGNATURE_DSA);
1157 } else {
1158 sig = RSASignature.getInstance();
1159 }
1160 }
1161
1162 sig.initSign(key, sr);
1163 updateSignature(sig, clntNonce, svrNonce);
1164 signature = sig.sign();
1165 }
1166
1167 /*
1168 * Construct a DH_ServerKeyExchange message from an input
1169 * stream, as if sent from server to client for use with
1170 * DH_anon key exchange
1171 */
1172 DH_ServerKeyExchange(HandshakeInStream input,
1173 ProtocolVersion protocolVersion)
1174 throws IOException, GeneralSecurityException {
1175
1176 this.protocolVersion = protocolVersion;
1177 this.preferableSignatureAlgorithm = null;
1178
1179 dh_p = input.getBytes16();
1180 dh_g = input.getBytes16();
1181 dh_Ys = input.getBytes16();
1182 KeyUtil.validate(new DHPublicKeySpec(new BigInteger(1, dh_Ys),
1183 new BigInteger(1, dh_p),
1184 new BigInteger(1, dh_g)));
1185
1186 signature = null;
1187 }
1188
1189 /*
1190 * Construct a DH_ServerKeyExchange message from an input stream
1191 * and a certificate, as if sent from server to client for use with
1192 * DHE_DSS or DHE_RSA key exchange. (Called by client.)
1193 */
1194 DH_ServerKeyExchange(HandshakeInStream input, PublicKey publicKey,
1195 byte[] clntNonce, byte[] svrNonce, int messageSize,
1196 Collection<SignatureAndHashAlgorithm> localSupportedSignAlgs,
1197 ProtocolVersion protocolVersion)
1198 throws IOException, GeneralSecurityException {
1199
1200 this.protocolVersion = protocolVersion;
1201
1202 // read params: ServerDHParams
1203 dh_p = input.getBytes16();
1204 dh_g = input.getBytes16();
1205 dh_Ys = input.getBytes16();
1206 KeyUtil.validate(new DHPublicKeySpec(new BigInteger(1, dh_Ys),
1207 new BigInteger(1, dh_p),
1208 new BigInteger(1, dh_g)));
1209
1210 // read the signature and hash algorithm
1211 if (protocolVersion.useTLS12PlusSpec()) {
1212 int hash = input.getInt8(); // hash algorithm
1213 int signature = input.getInt8(); // signature algorithm
1214
1215 preferableSignatureAlgorithm =
1216 SignatureAndHashAlgorithm.valueOf(hash, signature, 0);
1217
1218 // Is it a local supported signature algorithm?
1219 if (!localSupportedSignAlgs.contains(
1220 preferableSignatureAlgorithm)) {
1221 throw new SSLHandshakeException(
1222 "Unsupported SignatureAndHashAlgorithm in " +
1223 "ServerKeyExchange message: " +
1224 preferableSignatureAlgorithm);
1225 }
1226 } else {
1227 this.preferableSignatureAlgorithm = null;
1228 }
1229
1230 // read the signature
1231 byte[] signature;
1232 if (dhKeyExchangeFix) {
1233 signature = input.getBytes16();
1234 } else {
1235 messageSize -= (dh_p.length + 2);
1236 messageSize -= (dh_g.length + 2);
1237 messageSize -= (dh_Ys.length + 2);
1238
1239 signature = new byte[messageSize];
1240 input.read(signature);
1241 }
1242
1243 Signature sig;
1244 String algorithm = publicKey.getAlgorithm();
1245 if (protocolVersion.useTLS12PlusSpec()) {
1246 sig = JsseJce.getSignature(
1247 preferableSignatureAlgorithm.getAlgorithmName());
1248 } else {
1249 switch (algorithm) {
1250 case "DSA":
1251 sig = JsseJce.getSignature(JsseJce.SIGNATURE_DSA);
1252 break;
1253 case "RSA":
1254 sig = RSASignature.getInstance();
1255 break;
1256 default:
1257 throw new SSLKeyException(
1258 "neither an RSA or a DSA key: " + algorithm);
1259 }
1260 }
1261
1262 sig.initVerify(publicKey);
1263 updateSignature(sig, clntNonce, svrNonce);
1264
1265 if (sig.verify(signature) == false ) {
1266 throw new SSLKeyException("Server D-H key verification failed");
1267 }
1268 }
1269
1270 /* Return the Diffie-Hellman modulus */
1271 BigInteger getModulus() {
1272 return new BigInteger(1, dh_p);
1273 }
1274
1275 /* Return the Diffie-Hellman base/generator */
1276 BigInteger getBase() {
1277 return new BigInteger(1, dh_g);
1278 }
1279
1280 /* Return the server's Diffie-Hellman public key */
1281 BigInteger getServerPublicKey() {
1282 return new BigInteger(1, dh_Ys);
1283 }
1284
1285 /*
1286 * Update sig with nonces and Diffie-Hellman public key.
1287 */
1288 private void updateSignature(Signature sig, byte[] clntNonce,
1289 byte[] svrNonce) throws SignatureException {
1290 int tmp;
1291
1292 sig.update(clntNonce);
1293 sig.update(svrNonce);
1294
1295 tmp = dh_p.length;
1296 sig.update((byte)(tmp >> 8));
1297 sig.update((byte)(tmp & 0x0ff));
1298 sig.update(dh_p);
1299
1300 tmp = dh_g.length;
1301 sig.update((byte)(tmp >> 8));
1302 sig.update((byte)(tmp & 0x0ff));
1303 sig.update(dh_g);
1304
1305 tmp = dh_Ys.length;
1306 sig.update((byte)(tmp >> 8));
1307 sig.update((byte)(tmp & 0x0ff));
1308 sig.update(dh_Ys);
1309 }
1310
1311 private void setValues(DHCrypt obj) {
1312 dh_p = toByteArray(obj.getModulus());
1313 dh_g = toByteArray(obj.getBase());
1314 dh_Ys = toByteArray(obj.getPublicKey());
1315 }
1316
1317 @Override
1318 int messageLength() {
1319 int temp = 6; // overhead for p, g, y(s) values.
1320
1321 temp += dh_p.length;
1322 temp += dh_g.length;
1323 temp += dh_Ys.length;
1324
1325 if (signature != null) {
1326 if (protocolVersion.useTLS12PlusSpec()) {
1327 temp += SignatureAndHashAlgorithm.sizeInRecord();
1328 }
1329
1330 temp += signature.length;
1331 if (dhKeyExchangeFix) {
1332 temp += 2;
1333 }
1334 }
1335
1336 return temp;
1337 }
1338
1339 @Override
1340 void send(HandshakeOutStream s) throws IOException {
1341 s.putBytes16(dh_p);
1342 s.putBytes16(dh_g);
1343 s.putBytes16(dh_Ys);
1344
1345 if (signature != null) {
1346 if (protocolVersion.useTLS12PlusSpec()) {
1347 s.putInt8(preferableSignatureAlgorithm.getHashValue());
1348 s.putInt8(preferableSignatureAlgorithm.getSignatureValue());
1349 }
1350
1351 if (dhKeyExchangeFix) {
1352 s.putBytes16(signature);
1353 } else {
1354 s.write(signature);
1355 }
1356 }
1357 }
1358
1359 @Override
1360 void print(PrintStream s) throws IOException {
1361 s.println("*** Diffie-Hellman ServerKeyExchange");
1362
1363 if (debug != null && Debug.isOn("verbose")) {
1364 Debug.println(s, "DH Modulus", dh_p);
1365 Debug.println(s, "DH Base", dh_g);
1366 Debug.println(s, "Server DH Public Key", dh_Ys);
1367
1368 if (signature == null) {
1369 s.println("Anonymous");
1370 } else {
1371 if (protocolVersion.useTLS12PlusSpec()) {
1372 s.println("Signature Algorithm " +
1373 preferableSignatureAlgorithm.getAlgorithmName());
1374 }
1375
1376 s.println("Signed with a DSA or RSA public key");
1377 }
1378 }
1379 }
1380 }
1381
1382 /*
1383 * ECDH server key exchange message. Sent by the server for ECDHE and ECDH_anon
1384 * ciphersuites to communicate its ephemeral public key (including the
1385 * EC domain parameters).
1386 *
1387 * We support named curves only, no explicitly encoded curves.
1388 */
1389 static final
1390 class ECDH_ServerKeyExchange extends ServerKeyExchange {
1391
1392 // constants for ECCurveType
1393 private static final int CURVE_EXPLICIT_PRIME = 1;
1394 private static final int CURVE_EXPLICIT_CHAR2 = 2;
1395 private static final int CURVE_NAMED_CURVE = 3;
1396
1397 // id of the named group we are using
1398 private int groupId;
1399
1400 // encoded public point
1401 private byte[] pointBytes;
1402
1403 // signature bytes (or null if anonymous)
1404 private byte[] signatureBytes;
1405
1406 // public key object encapsulated in this message
1407 private ECPublicKey publicKey;
1408
1409 // protocol version being established using this ServerKeyExchange message
1410 ProtocolVersion protocolVersion;
1411
1412 // the preferable signature algorithm used by this ServerKeyExchange message
1413 private SignatureAndHashAlgorithm preferableSignatureAlgorithm;
1414
1415 ECDH_ServerKeyExchange(ECDHCrypt obj, PrivateKey privateKey,
1416 byte[] clntNonce, byte[] svrNonce, SecureRandom sr,
1417 SignatureAndHashAlgorithm signAlgorithm,
1418 ProtocolVersion protocolVersion)
1419 throws SSLHandshakeException, GeneralSecurityException {
1420
1421 this.protocolVersion = protocolVersion;
1422
1423 publicKey = (ECPublicKey)obj.getPublicKey();
1424 ECParameterSpec params = publicKey.getParams();
1425 ECPoint point = publicKey.getW();
1426 pointBytes = JsseJce.encodePoint(point, params.getCurve());
1427
1428 NamedGroup namedGroup = NamedGroup.valueOf(params);
1429 if ((namedGroup == null) || (namedGroup.oid == null) ){
1430 // unlikely
1431 throw new SSLHandshakeException(
1432 "Unnamed EC parameter spec: " + params);
1433 }
1434 groupId = namedGroup.id;
1435
1436 if (privateKey == null) {
1437 // ECDH_anon
1438 return;
1439 }
1440
1441 Signature sig;
1442 if (protocolVersion.useTLS12PlusSpec()) {
1443 this.preferableSignatureAlgorithm = signAlgorithm;
1444 sig = JsseJce.getSignature(signAlgorithm.getAlgorithmName());
1445 } else {
1446 sig = getSignature(privateKey.getAlgorithm());
1447 }
1448 sig.initSign(privateKey, sr);
1449
1450 updateSignature(sig, clntNonce, svrNonce);
1451 signatureBytes = sig.sign();
1452 }
1453
1454 /*
1455 * Parse an ECDH server key exchange message.
1456 */
1457 ECDH_ServerKeyExchange(HandshakeInStream input, PublicKey signingKey,
1458 byte[] clntNonce, byte[] svrNonce,
1459 Collection<SignatureAndHashAlgorithm> localSupportedSignAlgs,
1460 ProtocolVersion protocolVersion)
1461 throws IOException, GeneralSecurityException {
1462
1463 this.protocolVersion = protocolVersion;
1464
1465 // read params: ServerECDHParams
1466 int curveType = input.getInt8();
1467 ECParameterSpec parameters;
1468 // These parsing errors should never occur as we negotiated
1469 // the supported curves during the exchange of the Hello messages.
1470 if (curveType == CURVE_NAMED_CURVE) {
1471 groupId = input.getInt16();
1472 NamedGroup namedGroup = NamedGroup.valueOf(groupId);
1473 if (namedGroup == null) {
1474 throw new SSLHandshakeException(
1475 "Unknown named group ID: " + groupId);
1476 }
1477
1478 if (!SupportedGroupsExtension.supports(namedGroup)) {
1479 throw new SSLHandshakeException(
1480 "Unsupported named group: " + namedGroup);
1481 }
1482
1483 if (namedGroup.oid == null) {
1484 throw new SSLHandshakeException(
1485 "Unknown named EC curve: " + namedGroup);
1486 }
1487
1488 parameters = JsseJce.getECParameterSpec(namedGroup.oid);
1489 if (parameters == null) {
1490 throw new SSLHandshakeException(
1491 "No supported EC parameter for named group: " + namedGroup);
1492 }
1493 } else {
1494 throw new SSLHandshakeException(
1495 "Unsupported ECCurveType: " + curveType);
1496 }
1497 pointBytes = input.getBytes8();
1498
1499 ECPoint point = JsseJce.decodePoint(pointBytes, parameters.getCurve());
1500 KeyFactory factory = JsseJce.getKeyFactory("EC");
1501 publicKey = (ECPublicKey)factory.generatePublic(
1502 new ECPublicKeySpec(point, parameters));
1503
1504 if (signingKey == null) {
1505 // ECDH_anon
1506 return;
1507 }
1508
1509 // read the signature and hash algorithm
1510 if (protocolVersion.useTLS12PlusSpec()) {
1511 int hash = input.getInt8(); // hash algorithm
1512 int signature = input.getInt8(); // signature algorithm
1513
1514 preferableSignatureAlgorithm =
1515 SignatureAndHashAlgorithm.valueOf(hash, signature, 0);
1516
1517 // Is it a local supported signature algorithm?
1518 if (!localSupportedSignAlgs.contains(
1519 preferableSignatureAlgorithm)) {
1520 throw new SSLHandshakeException(
1521 "Unsupported SignatureAndHashAlgorithm in " +
1522 "ServerKeyExchange message: " +
1523 preferableSignatureAlgorithm);
1524 }
1525 }
1526
1527 // read the signature
1528 signatureBytes = input.getBytes16();
1529
1530 // verify the signature
1531 Signature sig;
1532 if (protocolVersion.useTLS12PlusSpec()) {
1533 sig = JsseJce.getSignature(
1534 preferableSignatureAlgorithm.getAlgorithmName());
1535 } else {
1536 sig = getSignature(signingKey.getAlgorithm());
1537 }
1538 sig.initVerify(signingKey);
1539
1540 updateSignature(sig, clntNonce, svrNonce);
1541
1542 if (sig.verify(signatureBytes) == false ) {
1543 throw new SSLKeyException(
1544 "Invalid signature on ECDH server key exchange message");
1545 }
1546 }
1547
1548 /*
1549 * Get the ephemeral EC public key encapsulated in this message.
1550 */
1551 ECPublicKey getPublicKey() {
1552 return publicKey;
1553 }
1554
1555 private static Signature getSignature(String keyAlgorithm)
1556 throws NoSuchAlgorithmException {
1557 switch (keyAlgorithm) {
1558 case "EC":
1559 return JsseJce.getSignature(JsseJce.SIGNATURE_ECDSA);
1560 case "RSA":
1561 return RSASignature.getInstance();
1562 default:
1563 throw new NoSuchAlgorithmException(
1564 "neither an RSA or a EC key : " + keyAlgorithm);
1565 }
1566 }
1567
1568 private void updateSignature(Signature sig, byte[] clntNonce,
1569 byte[] svrNonce) throws SignatureException {
1570 sig.update(clntNonce);
1571 sig.update(svrNonce);
1572
1573 sig.update((byte)CURVE_NAMED_CURVE);
1574 sig.update((byte)(groupId >> 8));
1575 sig.update((byte)groupId);
1576 sig.update((byte)pointBytes.length);
1577 sig.update(pointBytes);
1578 }
1579
1580 @Override
1581 int messageLength() {
1582 int sigLen = 0;
1583 if (signatureBytes != null) {
1584 sigLen = 2 + signatureBytes.length;
1585 if (protocolVersion.useTLS12PlusSpec()) {
1586 sigLen += SignatureAndHashAlgorithm.sizeInRecord();
1587 }
1588 }
1589
1590 return 4 + pointBytes.length + sigLen;
1591 }
1592
1593 @Override
1594 void send(HandshakeOutStream s) throws IOException {
1595 s.putInt8(CURVE_NAMED_CURVE);
1596 s.putInt16(groupId);
1597 s.putBytes8(pointBytes);
1598
1599 if (signatureBytes != null) {
1600 if (protocolVersion.useTLS12PlusSpec()) {
1601 s.putInt8(preferableSignatureAlgorithm.getHashValue());
1602 s.putInt8(preferableSignatureAlgorithm.getSignatureValue());
1603 }
1604
1605 s.putBytes16(signatureBytes);
1606 }
1607 }
1608
1609 @Override
1610 void print(PrintStream s) throws IOException {
1611 s.println("*** ECDH ServerKeyExchange");
1612
1613 if (debug != null && Debug.isOn("verbose")) {
1614 if (signatureBytes == null) {
1615 s.println("Anonymous");
1616 } else {
1617 if (protocolVersion.useTLS12PlusSpec()) {
1618 s.println("Signature Algorithm " +
1619 preferableSignatureAlgorithm.getAlgorithmName());
1620 }
1621 }
1622
1623 s.println("Server key: " + publicKey);
1624 }
1625 }
1626 }
1627
1628 static final class DistinguishedName {
1629
1630 /*
1631 * DER encoded distinguished name.
1632 * TLS requires that its not longer than 65535 bytes.
1633 */
1634 byte[] name;
1635
1636 DistinguishedName(HandshakeInStream input) throws IOException {
1637 name = input.getBytes16();
1638 }
1639
1640 DistinguishedName(X500Principal dn) {
1641 name = dn.getEncoded();
1642 }
1643
1644 X500Principal getX500Principal() throws IOException {
1645 try {
1646 return new X500Principal(name);
1647 } catch (IllegalArgumentException e) {
1648 throw (SSLProtocolException)new SSLProtocolException(
1649 e.getMessage()).initCause(e);
1650 }
1651 }
1652
1653 int length() {
1654 return 2 + name.length;
1655 }
1656
1657 void send(HandshakeOutStream output) throws IOException {
1658 output.putBytes16(name);
1659 }
1660
1661 void print(PrintStream output) throws IOException {
1662 X500Principal principal = new X500Principal(name);
1663 output.println("<" + principal.toString() + ">");
1664 }
1665 }
1666
1667 /*
1668 * CertificateRequest ... SERVER --> CLIENT
1669 *
1670 * Authenticated servers may ask clients to authenticate themselves
1671 * in turn, using this message.
1672 *
1673 * Prior to TLS 1.2, the structure of the message is defined as:
1674 * struct {
1675 * ClientCertificateType certificate_types<1..2^8-1>;
1676 * DistinguishedName certificate_authorities<0..2^16-1>;
1677 * } CertificateRequest;
1678 *
1679 * In TLS 1.2, the structure is changed to:
1680 * struct {
1681 * ClientCertificateType certificate_types<1..2^8-1>;
1682 * SignatureAndHashAlgorithm
1683 * supported_signature_algorithms<2^16-1>;
1684 * DistinguishedName certificate_authorities<0..2^16-1>;
1685 * } CertificateRequest;
1686 *
1687 */
1688 static final
1689 class CertificateRequest extends HandshakeMessage
1690 {
1691 // enum ClientCertificateType
1692 static final int cct_rsa_sign = 1;
1693 static final int cct_dss_sign = 2;
1694 static final int cct_rsa_fixed_dh = 3;
1695 static final int cct_dss_fixed_dh = 4;
1696
1697 // The existance of these two values is a bug in the SSL specification.
1698 // They are never used in the protocol.
1699 static final int cct_rsa_ephemeral_dh = 5;
1700 static final int cct_dss_ephemeral_dh = 6;
1701
1702 // From RFC 4492 (ECC)
1703 static final int cct_ecdsa_sign = 64;
1704 static final int cct_rsa_fixed_ecdh = 65;
1705 static final int cct_ecdsa_fixed_ecdh = 66;
1706
1707 private static final byte[] TYPES_NO_ECC = { cct_rsa_sign, cct_dss_sign };
1708 private static final byte[] TYPES_ECC =
1709 { cct_rsa_sign, cct_dss_sign, cct_ecdsa_sign };
1710
1711 byte[] types; // 1 to 255 types
1712 DistinguishedName[] authorities; // 3 to 2^16 - 1
1713 // ... "3" because that's the smallest DER-encoded X500 DN
1714
1715 // protocol version being established using this CertificateRequest message
1716 ProtocolVersion protocolVersion;
1717
1718 // supported_signature_algorithms for TLS 1.2 or later
1719 private Collection<SignatureAndHashAlgorithm> algorithms;
1720
1721 // length of supported_signature_algorithms
1722 private int algorithmsLen;
1723
1724 CertificateRequest(X509Certificate[] ca, KeyExchange keyExchange,
1725 Collection<SignatureAndHashAlgorithm> signAlgs,
1726 ProtocolVersion protocolVersion) throws IOException {
1727
1728 this.protocolVersion = protocolVersion;
1729
1730 // always use X500Principal
1731 authorities = new DistinguishedName[ca.length];
1732 for (int i = 0; i < ca.length; i++) {
1733 X500Principal x500Principal = ca[i].getSubjectX500Principal();
1734 authorities[i] = new DistinguishedName(x500Principal);
1735 }
1736 // we support RSA, DSS, and ECDSA client authentication and they
1737 // can be used with all ciphersuites. If this changes, the code
1738 // needs to be adapted to take keyExchange into account.
1739 // We only request ECDSA client auth if we have ECC crypto available.
1740 this.types = JsseJce.isEcAvailable() ? TYPES_ECC : TYPES_NO_ECC;
1741
1742 // Use supported_signature_algorithms for TLS 1.2 or later.
1743 if (protocolVersion.useTLS12PlusSpec()) {
1744 if (signAlgs == null || signAlgs.isEmpty()) {
1745 throw new SSLProtocolException(
1746 "No supported signature algorithms");
1747 }
1748
1749 algorithms = new ArrayList<SignatureAndHashAlgorithm>(signAlgs);
1750 algorithmsLen =
1751 SignatureAndHashAlgorithm.sizeInRecord() * algorithms.size();
1752 } else {
1753 algorithms = new ArrayList<SignatureAndHashAlgorithm>();
1754 algorithmsLen = 0;
1755 }
1756 }
1757
1758 CertificateRequest(HandshakeInStream input,
1759 ProtocolVersion protocolVersion) throws IOException {
1760
1761 this.protocolVersion = protocolVersion;
1762
1763 // Read the certificate_types.
1764 types = input.getBytes8();
1765
1766 // Read the supported_signature_algorithms for TLS 1.2 or later.
1767 if (protocolVersion.useTLS12PlusSpec()) {
1768 algorithmsLen = input.getInt16();
1769 if (algorithmsLen < 2) {
1770 throw new SSLProtocolException(
1771 "Invalid supported_signature_algorithms field: " +
1772 algorithmsLen);
1773 }
1774
1775 algorithms = new ArrayList<SignatureAndHashAlgorithm>();
1776 int remains = algorithmsLen;
1777 int sequence = 0;
1778 while (remains > 1) { // needs at least two bytes
1779 int hash = input.getInt8(); // hash algorithm
1780 int signature = input.getInt8(); // signature algorithm
1781
1782 SignatureAndHashAlgorithm algorithm =
1783 SignatureAndHashAlgorithm.valueOf(hash, signature,
1784 ++sequence);
1785 algorithms.add(algorithm);
1786 remains -= 2; // one byte for hash, one byte for signature
1787 }
1788
1789 if (remains != 0) {
1790 throw new SSLProtocolException(
1791 "Invalid supported_signature_algorithms field. remains: " +
1792 remains);
1793 }
1794 } else {
1795 algorithms = new ArrayList<SignatureAndHashAlgorithm>();
1796 algorithmsLen = 0;
1797 }
1798
1799 // read the certificate_authorities
1800 int len = input.getInt16();
1801 ArrayList<DistinguishedName> v = new ArrayList<>();
1802 while (len >= 3) {
1803 DistinguishedName dn = new DistinguishedName(input);
1804 v.add(dn);
1805 len -= dn.length();
1806 }
1807
1808 if (len != 0) {
1809 throw new SSLProtocolException(
1810 "Bad CertificateRequest DN length: " + len);
1811 }
1812
1813 authorities = v.toArray(new DistinguishedName[v.size()]);
1814 }
1815
1816 X500Principal[] getAuthorities() throws IOException {
1817 X500Principal[] ret = new X500Principal[authorities.length];
1818 for (int i = 0; i < authorities.length; i++) {
1819 ret[i] = authorities[i].getX500Principal();
1820 }
1821 return ret;
1822 }
1823
1824 Collection<SignatureAndHashAlgorithm> getSignAlgorithms() {
1825 return algorithms;
1826 }
1827
1828 @Override
1829 int messageType() {
1830 return ht_certificate_request;
1831 }
1832
1833 @Override
1834 int messageLength() {
1835 int len = 1 + types.length + 2;
1836
1837 if (protocolVersion.useTLS12PlusSpec()) {
1838 len += algorithmsLen + 2;
1839 }
1840
1841 for (int i = 0; i < authorities.length; i++) {
1842 len += authorities[i].length();
1843 }
1844
1845 return len;
1846 }
1847
1848 @Override
1849 void send(HandshakeOutStream output) throws IOException {
1850 // put certificate_types
1851 output.putBytes8(types);
1852
1853 // put supported_signature_algorithms
1854 if (protocolVersion.useTLS12PlusSpec()) {
1855 output.putInt16(algorithmsLen);
1856 for (SignatureAndHashAlgorithm algorithm : algorithms) {
1857 output.putInt8(algorithm.getHashValue()); // hash
1858 output.putInt8(algorithm.getSignatureValue()); // signature
1859 }
1860 }
1861
1862 // put certificate_authorities
1863 int len = 0;
1864 for (int i = 0; i < authorities.length; i++) {
1865 len += authorities[i].length();
1866 }
1867
1868 output.putInt16(len);
1869 for (int i = 0; i < authorities.length; i++) {
1870 authorities[i].send(output);
1871 }
1872 }
1873
1874 @Override
1875 void print(PrintStream s) throws IOException {
1876 s.println("*** CertificateRequest");
1877
1878 if (debug != null && Debug.isOn("verbose")) {
1879 s.print("Cert Types: ");
1880 for (int i = 0; i < types.length; i++) {
1881 switch (types[i]) {
1882 case cct_rsa_sign:
1883 s.print("RSA"); break;
1884 case cct_dss_sign:
1885 s.print("DSS"); break;
1886 case cct_rsa_fixed_dh:
1887 s.print("Fixed DH (RSA sig)"); break;
1888 case cct_dss_fixed_dh:
1889 s.print("Fixed DH (DSS sig)"); break;
1890 case cct_rsa_ephemeral_dh:
1891 s.print("Ephemeral DH (RSA sig)"); break;
1892 case cct_dss_ephemeral_dh:
1893 s.print("Ephemeral DH (DSS sig)"); break;
1894 case cct_ecdsa_sign:
1895 s.print("ECDSA"); break;
1896 case cct_rsa_fixed_ecdh:
1897 s.print("Fixed ECDH (RSA sig)"); break;
1898 case cct_ecdsa_fixed_ecdh:
1899 s.print("Fixed ECDH (ECDSA sig)"); break;
1900 default:
1901 s.print("Type-" + (types[i] & 0xff)); break;
1902 }
1903 if (i != types.length - 1) {
1904 s.print(", ");
1905 }
1906 }
1907 s.println();
1908
1909 if (protocolVersion.useTLS12PlusSpec()) {
1910 StringBuilder sb = new StringBuilder();
1911 boolean opened = false;
1912 for (SignatureAndHashAlgorithm signAlg : algorithms) {
1913 if (opened) {
1914 sb.append(", ").append(signAlg.getAlgorithmName());
1915 } else {
1916 sb.append(signAlg.getAlgorithmName());
1917 opened = true;
1918 }
1919 }
1920 s.println("Supported Signature Algorithms: " + sb);
1921 }
1922
1923 s.println("Cert Authorities:");
1924 if (authorities.length == 0) {
1925 s.println("<Empty>");
1926 } else {
1927 for (int i = 0; i < authorities.length; i++) {
1928 authorities[i].print(s);
1929 }
1930 }
1931 }
1932 }
1933 }
1934
1935
1936 /*
1937 * ServerHelloDone ... SERVER --> CLIENT
1938 *
1939 * When server's done sending its messages in response to the client's
1940 * "hello" (e.g. its own hello, certificate, key exchange message, perhaps
1941 * client certificate request) it sends this message to flag that it's
1942 * done that part of the handshake.
1943 */
1944 static final
1945 class ServerHelloDone extends HandshakeMessage
1946 {
1947 @Override
1948 int messageType() { return ht_server_hello_done; }
1949
1950 ServerHelloDone() { }
1951
1952 ServerHelloDone(HandshakeInStream input)
1953 {
1954 // nothing to do
1955 }
1956
1957 @Override
1958 int messageLength()
1959 {
1960 return 0;
1961 }
1962
1963 @Override
1964 void send(HandshakeOutStream s) throws IOException
1965 {
1966 // nothing to send
1967 }
1968
1969 @Override
1970 void print(PrintStream s) throws IOException
1971 {
1972 s.println("*** ServerHelloDone");
1973 }
1974 }
1975
1976
1977 /*
1978 * CertificateVerify ... CLIENT --> SERVER
1979 *
1980 * Sent after client sends signature-capable certificates (e.g. not
1981 * Diffie-Hellman) to verify.
1982 */
1983 static final class CertificateVerify extends HandshakeMessage {
1984
1985 // the signature bytes
1986 private byte[] signature;
1987
1988 // protocol version being established using this CertificateVerify message
1989 ProtocolVersion protocolVersion;
1990
1991 // the preferable signature algorithm used by this CertificateVerify message
1992 private SignatureAndHashAlgorithm preferableSignatureAlgorithm = null;
1993
1994 /*
1995 * Create an RSA or DSA signed certificate verify message.
1996 */
1997 CertificateVerify(ProtocolVersion protocolVersion,
1998 HandshakeHash handshakeHash, PrivateKey privateKey,
1999 SecretKey masterSecret, SecureRandom sr,
2000 SignatureAndHashAlgorithm signAlgorithm)
2001 throws GeneralSecurityException {
2002
2003 this.protocolVersion = protocolVersion;
2004
2005 String algorithm = privateKey.getAlgorithm();
2006 Signature sig = null;
2007 if (protocolVersion.useTLS12PlusSpec()) {
2008 this.preferableSignatureAlgorithm = signAlgorithm;
2009 sig = JsseJce.getSignature(signAlgorithm.getAlgorithmName());
2010 } else {
2011 sig = getSignature(protocolVersion, algorithm);
2012 }
2013 sig.initSign(privateKey, sr);
2014 updateSignature(sig, protocolVersion, handshakeHash, algorithm,
2015 masterSecret);
2016 signature = sig.sign();
2017 }
2018
2019 //
2020 // Unmarshal the signed data from the input stream.
2021 //
2022 CertificateVerify(HandshakeInStream input,
2023 Collection<SignatureAndHashAlgorithm> localSupportedSignAlgs,
2024 ProtocolVersion protocolVersion) throws IOException {
2025
2026 this.protocolVersion = protocolVersion;
2027
2028 // read the signature and hash algorithm
2029 if (protocolVersion.useTLS12PlusSpec()) {
2030 int hashAlg = input.getInt8(); // hash algorithm
2031 int signAlg = input.getInt8(); // signature algorithm
2032
2033 preferableSignatureAlgorithm =
2034 SignatureAndHashAlgorithm.valueOf(hashAlg, signAlg, 0);
2035
2036 // Is it a local supported signature algorithm?
2037 if (!localSupportedSignAlgs.contains(
2038 preferableSignatureAlgorithm)) {
2039 throw new SSLHandshakeException(
2040 "Unsupported SignatureAndHashAlgorithm in " +
2041 "CertificateVerify message: " + preferableSignatureAlgorithm);
2042 }
2043 }
2044
2045 // read the signature
2046 signature = input.getBytes16();
2047 }
2048
2049 /*
2050 * Get the preferable signature algorithm used by this message
2051 */
2052 SignatureAndHashAlgorithm getPreferableSignatureAlgorithm() {
2053 return preferableSignatureAlgorithm;
2054 }
2055
2056 /*
2057 * Verify a certificate verify message. Return the result of verification,
2058 * if there is a problem throw a GeneralSecurityException.
2059 */
2060 boolean verify(ProtocolVersion protocolVersion,
2061 HandshakeHash handshakeHash, PublicKey publicKey,
2062 SecretKey masterSecret) throws GeneralSecurityException {
2063 String algorithm = publicKey.getAlgorithm();
2064 Signature sig = null;
2065 if (protocolVersion.useTLS12PlusSpec()) {
2066 sig = JsseJce.getSignature(
2067 preferableSignatureAlgorithm.getAlgorithmName());
2068 } else {
2069 sig = getSignature(protocolVersion, algorithm);
2070 }
2071 sig.initVerify(publicKey);
2072 updateSignature(sig, protocolVersion, handshakeHash, algorithm,
2073 masterSecret);
2074 return sig.verify(signature);
2075 }
2076
2077 /*
2078 * Get the Signature object appropriate for verification using the
2079 * given signature algorithm and protocol version.
2080 */
2081 private static Signature getSignature(ProtocolVersion protocolVersion,
2082 String algorithm) throws GeneralSecurityException {
2083 switch (algorithm) {
2084 case "RSA":
2085 return RSASignature.getInternalInstance();
2086 case "DSA":
2087 return JsseJce.getSignature(JsseJce.SIGNATURE_RAWDSA);
2088 case "EC":
2089 return JsseJce.getSignature(JsseJce.SIGNATURE_RAWECDSA);
2090 default:
2091 throw new SignatureException("Unrecognized algorithm: "
2092 + algorithm);
2093 }
2094 }
2095
2096 /*
2097 * Update the Signature with the data appropriate for the given
2098 * signature algorithm and protocol version so that the object is
2099 * ready for signing or verifying.
2100 */
2101 private static void updateSignature(Signature sig,
2102 ProtocolVersion protocolVersion,
2103 HandshakeHash handshakeHash, String algorithm, SecretKey masterKey)
2104 throws SignatureException {
2105
2106 if (algorithm.equals("RSA")) {
2107 if (!protocolVersion.useTLS12PlusSpec()) { // TLS1.1-
2108 MessageDigest md5Clone = handshakeHash.getMD5Clone();
2109 MessageDigest shaClone = handshakeHash.getSHAClone();
2110
2111 if (!protocolVersion.useTLS10PlusSpec()) { // SSLv3
2112 updateDigest(md5Clone, MD5_pad1, MD5_pad2, masterKey);
2113 updateDigest(shaClone, SHA_pad1, SHA_pad2, masterKey);
2114 }
2115
2116 // The signature must be an instance of RSASignature, need
2117 // to use these hashes directly.
2118 RSASignature.setHashes(sig, md5Clone, shaClone);
2119 } else { // TLS1.2+
2120 sig.update(handshakeHash.getAllHandshakeMessages());
2121 }
2122 } else { // DSA, ECDSA
2123 if (!protocolVersion.useTLS12PlusSpec()) { // TLS1.1-
2124 MessageDigest shaClone = handshakeHash.getSHAClone();
2125
2126 if (!protocolVersion.useTLS10PlusSpec()) { // SSLv3
2127 updateDigest(shaClone, SHA_pad1, SHA_pad2, masterKey);
2128 }
2129
2130 sig.update(shaClone.digest());
2131 } else { // TLS1.2+
2132 sig.update(handshakeHash.getAllHandshakeMessages());
2133 }
2134 }
2135 }
2136
2137 /*
2138 * Update the MessageDigest for SSLv3 certificate verify or finished
2139 * message calculation. The digest must already have been updated with
2140 * all preceding handshake messages.
2141 * Used by the Finished class as well.
2142 */
2143 private static void updateDigest(MessageDigest md,
2144 byte[] pad1, byte[] pad2,
2145 SecretKey masterSecret) {
2146 // Digest the key bytes if available.
2147 // Otherwise (sensitive key), try digesting the key directly.
2148 // That is currently only implemented in SunPKCS11 using a private
2149 // reflection API, so we avoid that if possible.
2150 byte[] keyBytes = "RAW".equals(masterSecret.getFormat())
2151 ? masterSecret.getEncoded() : null;
2152 if (keyBytes != null) {
2153 md.update(keyBytes);
2154 } else {
2155 digestKey(md, masterSecret);
2156 }
2157 md.update(pad1);
2158 byte[] temp = md.digest();
2159
2160 if (keyBytes != null) {
2161 md.update(keyBytes);
2162 } else {
2163 digestKey(md, masterSecret);
2164 }
2165 md.update(pad2);
2166 md.update(temp);
2167 }
2168
2169 private static void digestKey(MessageDigest md, SecretKey key) {
2170 try {
2171 if (md instanceof MessageDigestSpi2) {
2172 ((MessageDigestSpi2)md).engineUpdate(key);
2173 } else {
2174 throw new Exception(
2175 "Digest does not support implUpdate(SecretKey)");
2176 }
2177 } catch (Exception e) {
2178 throw new RuntimeException(
2179 "Could not obtain encoded key and "
2180 + "MessageDigest cannot digest key", e);
2181 }
2182 }
2183
2184 @Override
2185 int messageType() {
2186 return ht_certificate_verify;
2187 }
2188
2189 @Override
2190 int messageLength() {
2191 int temp = 2;
2192
2193 if (protocolVersion.useTLS12PlusSpec()) {
2194 temp += SignatureAndHashAlgorithm.sizeInRecord();
2195 }
2196
2197 return temp + signature.length;
2198 }
2199
2200 @Override
2201 void send(HandshakeOutStream s) throws IOException {
2202 if (protocolVersion.useTLS12PlusSpec()) {
2203 s.putInt8(preferableSignatureAlgorithm.getHashValue());
2204 s.putInt8(preferableSignatureAlgorithm.getSignatureValue());
2205 }
2206
2207 s.putBytes16(signature);
2208 }
2209
2210 @Override
2211 void print(PrintStream s) throws IOException {
2212 s.println("*** CertificateVerify");
2213
2214 if (debug != null && Debug.isOn("verbose")) {
2215 if (protocolVersion.useTLS12PlusSpec()) {
2216 s.println("Signature Algorithm " +
2217 preferableSignatureAlgorithm.getAlgorithmName());
2218 }
2219 }
2220 }
2221 }
2222
2223
2224 /*
2225 * FINISHED ... sent by both CLIENT and SERVER
2226 *
2227 * This is the FINISHED message as defined in the SSL and TLS protocols.
2228 * Both protocols define this handshake message slightly differently.
2229 * This class supports both formats.
2230 *
2231 * When handshaking is finished, each side sends a "change_cipher_spec"
2232 * record, then immediately sends a "finished" handshake message prepared
2233 * according to the newly adopted cipher spec.
2234 *
2235 * NOTE that until this is sent, no application data may be passed, unless
2236 * some non-default cipher suite has already been set up on this connection
2237 * connection (e.g. a previous handshake arranged one).
2238 */
2239 static final class Finished extends HandshakeMessage {
2240
2241 // constant for a Finished message sent by the client
2242 static final int CLIENT = 1;
2243
2244 // constant for a Finished message sent by the server
2245 static final int SERVER = 2;
2246
2247 // enum Sender: "CLNT" and "SRVR"
2248 private static final byte[] SSL_CLIENT = { 0x43, 0x4C, 0x4E, 0x54 };
2249 private static final byte[] SSL_SERVER = { 0x53, 0x52, 0x56, 0x52 };
2250
2251 /*
2252 * Contents of the finished message ("checksum"). For TLS, it
2253 * is 12 bytes long, for SSLv3 36 bytes.
2254 */
2255 private byte[] verifyData;
2256
2257 /*
2258 * Current cipher suite we are negotiating. TLS 1.2 has
2259 * ciphersuite-defined PRF algorithms.
2260 */
2261 private ProtocolVersion protocolVersion;
2262 private CipherSuite cipherSuite;
2263
2264 /*
2265 * Create a finished message to send to the remote peer.
2266 */
2267 Finished(ProtocolVersion protocolVersion, HandshakeHash handshakeHash,
2268 int sender, SecretKey master, CipherSuite cipherSuite) {
2269 this.protocolVersion = protocolVersion;
2270 this.cipherSuite = cipherSuite;
2271 verifyData = getFinished(handshakeHash, sender, master);
2272 }
2273
2274 /*
2275 * Constructor that reads FINISHED message from stream.
2276 */
2277 Finished(ProtocolVersion protocolVersion, HandshakeInStream input,
2278 CipherSuite cipherSuite) throws IOException {
2279 this.protocolVersion = protocolVersion;
2280 this.cipherSuite = cipherSuite;
2281 int msgLen = protocolVersion.useTLS10PlusSpec() ? 12 : 36;
2282 verifyData = new byte[msgLen];
2283 input.read(verifyData);
2284 }
2285
2286 /*
2287 * Verify that the hashes here are what would have been produced
2288 * according to a given set of inputs. This is used to ensure that
2289 * both client and server are fully in sync, and that the handshake
2290 * computations have been successful.
2291 */
2292 boolean verify(HandshakeHash handshakeHash, int sender, SecretKey master) {
2293 byte[] myFinished = getFinished(handshakeHash, sender, master);
2294 return MessageDigest.isEqual(myFinished, verifyData);
2295 }
2296
2297 /*
2298 * Perform the actual finished message calculation.
2299 */
2300 private byte[] getFinished(HandshakeHash handshakeHash,
2301 int sender, SecretKey masterKey) {
2302 byte[] sslLabel;
2303 String tlsLabel;
2304 if (sender == CLIENT) {
2305 sslLabel = SSL_CLIENT;
2306 tlsLabel = "client finished";
2307 } else if (sender == SERVER) {
2308 sslLabel = SSL_SERVER;
2309 tlsLabel = "server finished";
2310 } else {
2311 throw new RuntimeException("Invalid sender: " + sender);
2312 }
2313
2314 if (protocolVersion.useTLS10PlusSpec()) {
2315 // TLS 1.0+
2316 try {
2317 byte[] seed;
2318 String prfAlg;
2319 PRF prf;
2320
2321 // Get the KeyGenerator alg and calculate the seed.
2322 if (protocolVersion.useTLS12PlusSpec()) {
2323 // TLS 1.2+ or DTLS 1.2+
2324 seed = handshakeHash.getFinishedHash();
2325
2326 prfAlg = "SunTls12Prf";
2327 prf = cipherSuite.prfAlg;
2328 } else {
2329 // TLS 1.0/1.1, DTLS 1.0
2330 MessageDigest md5Clone = handshakeHash.getMD5Clone();
2331 MessageDigest shaClone = handshakeHash.getSHAClone();
2332 seed = new byte[36];
2333 md5Clone.digest(seed, 0, 16);
2334 shaClone.digest(seed, 16, 20);
2335
2336 prfAlg = "SunTlsPrf";
2337 prf = P_NONE;
2338 }
2339
2340 String prfHashAlg = prf.getPRFHashAlg();
2341 int prfHashLength = prf.getPRFHashLength();
2342 int prfBlockSize = prf.getPRFBlockSize();
2343
2344 /*
2345 * RFC 5246/7.4.9 says that finished messages can
2346 * be ciphersuite-specific in both length/PRF hash
2347 * algorithm. If we ever run across a different
2348 * length, this call will need to be updated.
2349 */
2350 @SuppressWarnings("deprecation")
2351 TlsPrfParameterSpec spec = new TlsPrfParameterSpec(
2352 masterKey, tlsLabel, seed, 12,
2353 prfHashAlg, prfHashLength, prfBlockSize);
2354
2355 KeyGenerator kg = JsseJce.getKeyGenerator(prfAlg);
2356 kg.init(spec);
2357 SecretKey prfKey = kg.generateKey();
2358 if ("RAW".equals(prfKey.getFormat()) == false) {
2359 throw new ProviderException(
2360 "Invalid PRF output, format must be RAW. " +
2361 "Format received: " + prfKey.getFormat());
2362 }
2363 byte[] finished = prfKey.getEncoded();
2364 return finished;
2365 } catch (GeneralSecurityException e) {
2366 throw new RuntimeException("PRF failed", e);
2367 }
2368 } else {
2369 // SSLv3
2370 MessageDigest md5Clone = handshakeHash.getMD5Clone();
2371 MessageDigest shaClone = handshakeHash.getSHAClone();
2372 updateDigest(md5Clone, sslLabel, MD5_pad1, MD5_pad2, masterKey);
2373 updateDigest(shaClone, sslLabel, SHA_pad1, SHA_pad2, masterKey);
2374 byte[] finished = new byte[36];
2375 try {
2376 md5Clone.digest(finished, 0, 16);
2377 shaClone.digest(finished, 16, 20);
2378 } catch (DigestException e) {
2379 // cannot occur
2380 throw new RuntimeException("Digest failed", e);
2381 }
2382 return finished;
2383 }
2384 }
2385
2386 /*
2387 * Update the MessageDigest for SSLv3 finished message calculation.
2388 * The digest must already have been updated with all preceding handshake
2389 * messages. This operation is almost identical to the certificate verify
2390 * hash, reuse that code.
2391 */
2392 private static void updateDigest(MessageDigest md, byte[] sender,
2393 byte[] pad1, byte[] pad2, SecretKey masterSecret) {
2394 md.update(sender);
2395 CertificateVerify.updateDigest(md, pad1, pad2, masterSecret);
2396 }
2397
2398 // get the verify_data of the finished message
2399 byte[] getVerifyData() {
2400 return verifyData;
2401 }
2402
2403 @Override
2404 int messageType() { return ht_finished; }
2405
2406 @Override
2407 int messageLength() {
2408 return verifyData.length;
2409 }
2410
2411 @Override
2412 void send(HandshakeOutStream out) throws IOException {
2413 out.write(verifyData);
2414 }
2415
2416 @Override
2417 void print(PrintStream s) throws IOException {
2418 s.println("*** Finished");
2419 if (debug != null && Debug.isOn("verbose")) {
2420 Debug.println(s, "verify_data", verifyData);
2421 s.println("***");
2422 }
2423 }
2424 }
2425
2426 //
2427 // END of nested classes
2428 //
2429
2430 }