1 /*
2 * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26
27 package sun.security.ssl;
28
29 import java.io.*;
30 import java.util.*;
31 import java.security.*;
32 import java.security.cert.*;
33 import java.security.interfaces.*;
34 import java.security.spec.ECParameterSpec;
35
36 import javax.crypto.SecretKey;
37 import javax.crypto.spec.SecretKeySpec;
38
39 import javax.net.ssl.*;
40
41 import javax.security.auth.Subject;
42
43 import sun.security.ssl.HandshakeMessage.*;
44 import sun.security.ssl.CipherSuite.*;
45 import sun.security.ssl.SignatureAndHashAlgorithm.*;
46 import static sun.security.ssl.CipherSuite.KeyExchange.*;
47
48 /**
49 * ServerHandshaker does the protocol handshaking from the point
50 * of view of a server. It is driven asychronously by handshake messages
51 * as delivered by the parent Handshaker class, and also uses
52 * common functionality (e.g. key generation) that is provided there.
53 *
54 * @author David Brownell
55 */
56 final class ServerHandshaker extends Handshaker {
57
58 // is the server going to require the client to authenticate?
59 private byte doClientAuth;
60
61 // our authentication info
62 private X509Certificate[] certs;
63 private PrivateKey privateKey;
64
65 private Object serviceCreds;
66
67 // flag to check for clientCertificateVerify message
68 private boolean needClientVerify = false;
69
70 /*
71 * For exportable ciphersuites using non-exportable key sizes, we use
72 * ephemeral RSA keys. We could also do anonymous RSA in the same way
73 * but there are no such ciphersuites currently defined.
74 */
75 private PrivateKey tempPrivateKey;
76 private PublicKey tempPublicKey;
77
78 /*
79 * For anonymous and ephemeral Diffie-Hellman key exchange, we use
80 * ephemeral Diffie-Hellman keys.
81 */
82 private DHCrypt dh;
83
84 // Helper for ECDH based key exchanges
85 private ECDHCrypt ecdh;
86
87 // version request by the client in its ClientHello
88 // we remember it for the RSA premaster secret version check
89 private ProtocolVersion clientRequestedVersion;
90
91 private SupportedEllipticCurvesExtension supportedCurves;
92
93 // the preferable signature algorithm used by ServerKeyExchange message
94 SignatureAndHashAlgorithm preferableSignatureAlgorithm;
95
96 /*
97 * Constructor ... use the keys found in the auth context.
98 */
99 ServerHandshaker(SSLSocketImpl socket, SSLContextImpl context,
100 ProtocolList enabledProtocols, byte clientAuth,
101 ProtocolVersion activeProtocolVersion, boolean isInitialHandshake,
102 boolean secureRenegotiation,
103 byte[] clientVerifyData, byte[] serverVerifyData) {
104
105 super(socket, context, enabledProtocols,
106 (clientAuth != SSLEngineImpl.clauth_none), false,
107 activeProtocolVersion, isInitialHandshake, secureRenegotiation,
108 clientVerifyData, serverVerifyData);
109 doClientAuth = clientAuth;
110 }
111
112 /*
113 * Constructor ... use the keys found in the auth context.
114 */
115 ServerHandshaker(SSLEngineImpl engine, SSLContextImpl context,
116 ProtocolList enabledProtocols, byte clientAuth,
117 ProtocolVersion activeProtocolVersion,
118 boolean isInitialHandshake, boolean secureRenegotiation,
119 byte[] clientVerifyData, byte[] serverVerifyData) {
120
121 super(engine, context, enabledProtocols,
122 (clientAuth != SSLEngineImpl.clauth_none), false,
123 activeProtocolVersion, isInitialHandshake, secureRenegotiation,
124 clientVerifyData, serverVerifyData);
125 doClientAuth = clientAuth;
126 }
127
128 /*
129 * As long as handshaking has not started, we can change
130 * whether client authentication is required. Otherwise,
131 * we will need to wait for the next handshake.
132 */
133 void setClientAuth(byte clientAuth) {
134 doClientAuth = clientAuth;
135 }
136
137 /*
138 * This routine handles all the server side handshake messages, one at
139 * a time. Given the message type (and in some cases the pending cipher
140 * spec) it parses the type-specific message. Then it calls a function
141 * that handles that specific message.
142 *
143 * It updates the state machine as each message is processed, and writes
144 * responses as needed using the connection in the constructor.
145 */
146 @Override
147 void processMessage(byte type, int message_len)
148 throws IOException {
149 //
150 // In SSLv3 and TLS, messages follow strictly increasing
151 // numerical order _except_ for one annoying special case.
152 //
153 if ((state >= type)
154 && (state != HandshakeMessage.ht_client_key_exchange
155 && type != HandshakeMessage.ht_certificate_verify)) {
156 throw new SSLProtocolException(
157 "Handshake message sequence violation, state = " + state
158 + ", type = " + type);
159 }
160
161 switch (type) {
162 case HandshakeMessage.ht_client_hello:
163 ClientHello ch = new ClientHello(input, message_len);
164 /*
165 * send it off for processing.
166 */
167 this.clientHello(ch);
168 break;
169
170 case HandshakeMessage.ht_certificate:
171 if (doClientAuth == SSLEngineImpl.clauth_none) {
172 fatalSE(Alerts.alert_unexpected_message,
173 "client sent unsolicited cert chain");
174 // NOTREACHED
175 }
176 this.clientCertificate(new CertificateMsg(input));
177 break;
178
179 case HandshakeMessage.ht_client_key_exchange:
180 SecretKey preMasterSecret;
181 switch (keyExchange) {
182 case K_RSA:
183 case K_RSA_EXPORT:
184 /*
185 * The client's pre-master secret is decrypted using
186 * either the server's normal private RSA key, or the
187 * temporary one used for non-export or signing-only
188 * certificates/keys.
189 */
190 RSAClientKeyExchange pms = new RSAClientKeyExchange(
191 protocolVersion, clientRequestedVersion,
192 sslContext.getSecureRandom(), input,
193 message_len, privateKey);
194 preMasterSecret = this.clientKeyExchange(pms);
195 break;
196 case K_KRB5:
197 case K_KRB5_EXPORT:
198 preMasterSecret = this.clientKeyExchange(
199 new KerberosClientKeyExchange(protocolVersion,
200 clientRequestedVersion,
201 sslContext.getSecureRandom(),
202 input,
203 this.getAccSE(),
204 serviceCreds));
205 break;
206 case K_DHE_RSA:
207 case K_DHE_DSS:
208 case K_DH_ANON:
209 /*
210 * The pre-master secret is derived using the normal
211 * Diffie-Hellman calculation. Note that the main
212 * protocol difference in these five flavors is in how
213 * the ServerKeyExchange message was constructed!
214 */
215 preMasterSecret = this.clientKeyExchange(
216 new DHClientKeyExchange(input));
217 break;
218 case K_ECDH_RSA:
219 case K_ECDH_ECDSA:
220 case K_ECDHE_RSA:
221 case K_ECDHE_ECDSA:
222 case K_ECDH_ANON:
223 preMasterSecret = this.clientKeyExchange
224 (new ECDHClientKeyExchange(input));
225 break;
226 default:
227 throw new SSLProtocolException
228 ("Unrecognized key exchange: " + keyExchange);
229 }
230
231 //
232 // All keys are calculated from the premaster secret
233 // and the exchanged nonces in the same way.
234 //
235 calculateKeys(preMasterSecret, clientRequestedVersion);
236 break;
237
238 case HandshakeMessage.ht_certificate_verify:
239 this.clientCertificateVerify(new CertificateVerify(input,
240 localSupportedSignAlgs, protocolVersion));
241 break;
242
243 case HandshakeMessage.ht_finished:
244 this.clientFinished(
245 new Finished(protocolVersion, input, cipherSuite));
246 break;
247
248 default:
249 throw new SSLProtocolException(
250 "Illegal server handshake msg, " + type);
251 }
252
253 //
254 // Move state machine forward if the message handling
255 // code didn't already do so
256 //
257 if (state < type) {
258 if(type == HandshakeMessage.ht_certificate_verify) {
259 state = type + 2; // an annoying special case
260 } else {
261 state = type;
262 }
263 }
264 }
265
266
267 /*
268 * ClientHello presents the server with a bunch of options, to which the
269 * server replies with a ServerHello listing the ones which this session
270 * will use. If needed, it also writes its Certificate plus in some cases
271 * a ServerKeyExchange message. It may also write a CertificateRequest,
272 * to elicit a client certificate.
273 *
274 * All these messages are terminated by a ServerHelloDone message. In
275 * most cases, all this can be sent in a single Record.
276 */
277 private void clientHello(ClientHello mesg) throws IOException {
278 if (debug != null && Debug.isOn("handshake")) {
279 mesg.print(System.out);
280 }
281
282 // check the server name indication if required
283 ServerNameExtension clientHelloSNIExt = (ServerNameExtension)
284 mesg.extensions.get(ExtensionType.EXT_SERVER_NAME);
285 if (!sniMatchers.isEmpty()) {
286 // we do not reject client without SNI extension
287 if (clientHelloSNIExt != null &&
288 !clientHelloSNIExt.isMatched(sniMatchers)) {
289 fatalSE(Alerts.alert_unrecognized_name,
290 "Unrecognized server name indication");
291 }
292 }
293
294 // Does the message include security renegotiation indication?
295 boolean renegotiationIndicated = false;
296
297 // check the TLS_EMPTY_RENEGOTIATION_INFO_SCSV
298 CipherSuiteList cipherSuites = mesg.getCipherSuites();
299 if (cipherSuites.contains(CipherSuite.C_SCSV)) {
300 renegotiationIndicated = true;
301 if (isInitialHandshake) {
302 secureRenegotiation = true;
303 } else {
304 // abort the handshake with a fatal handshake_failure alert
305 if (secureRenegotiation) {
306 fatalSE(Alerts.alert_handshake_failure,
307 "The SCSV is present in a secure renegotiation");
308 } else {
309 fatalSE(Alerts.alert_handshake_failure,
310 "The SCSV is present in a insecure renegotiation");
311 }
312 }
313 }
314
315 // check the "renegotiation_info" extension
316 RenegotiationInfoExtension clientHelloRI = (RenegotiationInfoExtension)
317 mesg.extensions.get(ExtensionType.EXT_RENEGOTIATION_INFO);
318 if (clientHelloRI != null) {
319 renegotiationIndicated = true;
320 if (isInitialHandshake) {
321 // verify the length of the "renegotiated_connection" field
322 if (!clientHelloRI.isEmpty()) {
323 // abort the handshake with a fatal handshake_failure alert
324 fatalSE(Alerts.alert_handshake_failure,
325 "The renegotiation_info field is not empty");
326 }
327
328 secureRenegotiation = true;
329 } else {
330 if (!secureRenegotiation) {
331 // unexpected RI extension for insecure renegotiation,
332 // abort the handshake with a fatal handshake_failure alert
333 fatalSE(Alerts.alert_handshake_failure,
334 "The renegotiation_info is present in a insecure " +
335 "renegotiation");
336 }
337
338 // verify the client_verify_data value
339 if (!Arrays.equals(clientVerifyData,
340 clientHelloRI.getRenegotiatedConnection())) {
341 fatalSE(Alerts.alert_handshake_failure,
342 "Incorrect verify data in ClientHello " +
343 "renegotiation_info message");
344 }
345 }
346 } else if (!isInitialHandshake && secureRenegotiation) {
347 // if the connection's "secure_renegotiation" flag is set to TRUE
348 // and the "renegotiation_info" extension is not present, abort
349 // the handshake.
350 fatalSE(Alerts.alert_handshake_failure,
351 "Inconsistent secure renegotiation indication");
352 }
353
354 // if there is no security renegotiation indication or the previous
355 // handshake is insecure.
356 if (!renegotiationIndicated || !secureRenegotiation) {
357 if (isInitialHandshake) {
358 if (!allowLegacyHelloMessages) {
359 // abort the handshake with a fatal handshake_failure alert
360 fatalSE(Alerts.alert_handshake_failure,
361 "Failed to negotiate the use of secure renegotiation");
362 }
363
364 // continue with legacy ClientHello
365 if (debug != null && Debug.isOn("handshake")) {
366 System.out.println("Warning: No renegotiation " +
367 "indication in ClientHello, allow legacy ClientHello");
368 }
369 } else if (!allowUnsafeRenegotiation) {
370 // abort the handshake
371 if (activeProtocolVersion.v >= ProtocolVersion.TLS10.v) {
372 // response with a no_renegotiation warning,
373 warningSE(Alerts.alert_no_renegotiation);
374
375 // invalidate the handshake so that the caller can
376 // dispose this object.
377 invalidated = true;
378
379 // If there is still unread block in the handshake
380 // input stream, it would be truncated with the disposal
381 // and the next handshake message will become incomplete.
382 //
383 // However, according to SSL/TLS specifications, no more
384 // handshake message could immediately follow ClientHello
385 // or HelloRequest. But in case of any improper messages,
386 // we'd better check to ensure there is no remaining bytes
387 // in the handshake input stream.
388 if (input.available() > 0) {
389 fatalSE(Alerts.alert_unexpected_message,
390 "ClientHello followed by an unexpected " +
391 "handshake message");
392 }
393
394 return;
395 } else {
396 // For SSLv3, send the handshake_failure fatal error.
397 // Note that SSLv3 does not define a no_renegotiation
398 // alert like TLSv1. However we cannot ignore the message
399 // simply, otherwise the other side was waiting for a
400 // response that would never come.
401 fatalSE(Alerts.alert_handshake_failure,
402 "Renegotiation is not allowed");
403 }
404 } else { // !isInitialHandshake && allowUnsafeRenegotiation
405 // continue with unsafe renegotiation.
406 if (debug != null && Debug.isOn("handshake")) {
407 System.out.println(
408 "Warning: continue with insecure renegotiation");
409 }
410 }
411 }
412
413 /*
414 * Always make sure this entire record has been digested before we
415 * start emitting output, to ensure correct digesting order.
416 */
417 input.digestNow();
418
419 /*
420 * FIRST, construct the ServerHello using the options and priorities
421 * from the ClientHello. Update the (pending) cipher spec as we do
422 * so, and save the client's version to protect against rollback
423 * attacks.
424 *
425 * There are a bunch of minor tasks here, and one major one: deciding
426 * if the short or the full handshake sequence will be used.
427 */
428 ServerHello m1 = new ServerHello();
429
430 clientRequestedVersion = mesg.protocolVersion;
431
432 // select a proper protocol version.
433 ProtocolVersion selectedVersion =
434 selectProtocolVersion(clientRequestedVersion);
435 if (selectedVersion == null ||
436 selectedVersion.v == ProtocolVersion.SSL20Hello.v) {
437 fatalSE(Alerts.alert_handshake_failure,
438 "Client requested protocol " + clientRequestedVersion +
439 " not enabled or not supported");
440 }
441
442 handshakeHash.protocolDetermined(selectedVersion);
443 setVersion(selectedVersion);
444
445 m1.protocolVersion = protocolVersion;
446
447 //
448 // random ... save client and server values for later use
449 // in computing the master secret (from pre-master secret)
450 // and thence the other crypto keys.
451 //
452 // NOTE: this use of three inputs to generating _each_ set
453 // of ciphers slows things down, but it does increase the
454 // security since each connection in the session can hold
455 // its own authenticated (and strong) keys. One could make
456 // creation of a session a rare thing...
457 //
458 clnt_random = mesg.clnt_random;
459 svr_random = new RandomCookie(sslContext.getSecureRandom());
460 m1.svr_random = svr_random;
461
462 session = null; // forget about the current session
463 //
464 // Here we go down either of two paths: (a) the fast one, where
465 // the client's asked to rejoin an existing session, and the server
466 // permits this; (b) the other one, where a new session is created.
467 //
468 if (mesg.sessionId.length() != 0) {
469 // client is trying to resume a session, let's see...
470
471 SSLSessionImpl previous = ((SSLSessionContextImpl)sslContext
472 .engineGetServerSessionContext())
473 .get(mesg.sessionId.getId());
474 //
475 // Check if we can use the fast path, resuming a session. We
476 // can do so iff we have a valid record for that session, and
477 // the cipher suite for that session was on the list which the
478 // client requested, and if we're not forgetting any needed
479 // authentication on the part of the client.
480 //
481 if (previous != null) {
482 resumingSession = previous.isRejoinable();
483
484 if (resumingSession) {
485 ProtocolVersion oldVersion = previous.getProtocolVersion();
486 // cannot resume session with different version
487 if (oldVersion != protocolVersion) {
488 resumingSession = false;
489 }
490 }
491
492 // cannot resume session with different server name indication
493 if (resumingSession) {
494 List<SNIServerName> oldServerNames =
495 previous.getRequestedServerNames();
496 if (clientHelloSNIExt != null) {
497 if (!clientHelloSNIExt.isIdentical(oldServerNames)) {
498 resumingSession = false;
499 }
500 } else if (!oldServerNames.isEmpty()) {
501 resumingSession = false;
502 }
503
504 if (!resumingSession &&
505 debug != null && Debug.isOn("handshake")) {
506 System.out.println(
507 "The requested server name indication " +
508 "is not identical to the previous one");
509 }
510 }
511
512 if (resumingSession &&
513 (doClientAuth == SSLEngineImpl.clauth_required)) {
514 try {
515 previous.getPeerPrincipal();
516 } catch (SSLPeerUnverifiedException e) {
517 resumingSession = false;
518 }
519 }
520
521 // validate subject identity
522 if (resumingSession) {
523 CipherSuite suite = previous.getSuite();
524 if (suite.keyExchange == K_KRB5 ||
525 suite.keyExchange == K_KRB5_EXPORT) {
526 Principal localPrincipal = previous.getLocalPrincipal();
527
528 Subject subject = null;
529 try {
530 subject = AccessController.doPrivileged(
531 new PrivilegedExceptionAction<Subject>() {
532 @Override
533 public Subject run() throws Exception {
534 return
535 Krb5Helper.getServerSubject(getAccSE());
536 }});
537 } catch (PrivilegedActionException e) {
538 subject = null;
539 if (debug != null && Debug.isOn("session")) {
540 System.out.println("Attempt to obtain" +
541 " subject failed!");
542 }
543 }
544
545 if (subject != null) {
546 // Eliminate dependency on KerberosPrincipal
547 if (Krb5Helper.isRelated(subject, localPrincipal)) {
548 if (debug != null && Debug.isOn("session"))
549 System.out.println("Subject can" +
550 " provide creds for princ");
551 } else {
552 resumingSession = false;
553 if (debug != null && Debug.isOn("session"))
554 System.out.println("Subject cannot" +
555 " provide creds for princ");
556 }
557 } else {
558 resumingSession = false;
559 if (debug != null && Debug.isOn("session"))
560 System.out.println("Kerberos credentials are" +
561 " not present in the current Subject;" +
562 " check if " +
563 " javax.security.auth.useSubjectAsCreds" +
564 " system property has been set to false");
565 }
566 }
567 }
568
569 if (resumingSession) {
570 CipherSuite suite = previous.getSuite();
571 // verify that the ciphersuite from the cached session
572 // is in the list of client requested ciphersuites and
573 // we have it enabled
574 if ((isNegotiable(suite) == false) ||
575 (mesg.getCipherSuites().contains(suite) == false)) {
576 resumingSession = false;
577 } else {
578 // everything looks ok, set the ciphersuite
579 // this should be done last when we are sure we
580 // will resume
581 setCipherSuite(suite);
582 }
583 }
584
585 if (resumingSession) {
586 session = previous;
587 if (debug != null &&
588 (Debug.isOn("handshake") || Debug.isOn("session"))) {
589 System.out.println("%% Resuming " + session);
590 }
591 }
592 }
593 } // else client did not try to resume
594
595 //
596 // If client hasn't specified a session we can resume, start a
597 // new one and choose its cipher suite and compression options.
598 // Unless new session creation is disabled for this connection!
599 //
600 if (session == null) {
601 if (!enableNewSession) {
602 throw new SSLException("Client did not resume a session");
603 }
604
605 supportedCurves = (SupportedEllipticCurvesExtension)
606 mesg.extensions.get(ExtensionType.EXT_ELLIPTIC_CURVES);
607
608 // We only need to handle the "signature_algorithm" extension
609 // for full handshakes and TLS 1.2 or later.
610 if (protocolVersion.v >= ProtocolVersion.TLS12.v) {
611 SignatureAlgorithmsExtension signAlgs =
612 (SignatureAlgorithmsExtension)mesg.extensions.get(
613 ExtensionType.EXT_SIGNATURE_ALGORITHMS);
614 if (signAlgs != null) {
615 Collection<SignatureAndHashAlgorithm> peerSignAlgs =
616 signAlgs.getSignAlgorithms();
617 if (peerSignAlgs == null || peerSignAlgs.isEmpty()) {
618 throw new SSLHandshakeException(
619 "No peer supported signature algorithms");
620 }
621
622 Collection<SignatureAndHashAlgorithm>
623 supportedPeerSignAlgs =
624 SignatureAndHashAlgorithm.getSupportedAlgorithms(
625 peerSignAlgs);
626 if (supportedPeerSignAlgs.isEmpty()) {
627 throw new SSLHandshakeException(
628 "No supported signature and hash algorithm " +
629 "in common");
630 }
631
632 setPeerSupportedSignAlgs(supportedPeerSignAlgs);
633 } // else, need to use peer implicit supported signature algs
634 }
635
636 session = new SSLSessionImpl(protocolVersion, CipherSuite.C_NULL,
637 getLocalSupportedSignAlgs(),
638 sslContext.getSecureRandom(),
639 getHostAddressSE(), getPortSE());
640
641 if (protocolVersion.v >= ProtocolVersion.TLS12.v) {
642 if (peerSupportedSignAlgs != null) {
643 session.setPeerSupportedSignatureAlgorithms(
644 peerSupportedSignAlgs);
645 } // else, we will set the implicit peer supported signature
646 // algorithms in chooseCipherSuite()
647 }
648
649 // set the server name indication in the session
650 List<SNIServerName> clientHelloSNI =
651 Collections.<SNIServerName>emptyList();
652 if (clientHelloSNIExt != null) {
653 clientHelloSNI = clientHelloSNIExt.getServerNames();
654 }
655 session.setRequestedServerNames(clientHelloSNI);
656
657 // set the handshake session
658 setHandshakeSessionSE(session);
659
660 // choose cipher suite and corresponding private key
661 chooseCipherSuite(mesg);
662
663 session.setSuite(cipherSuite);
664 session.setLocalPrivateKey(privateKey);
665
666 // chooseCompression(mesg);
667 } else {
668 // set the handshake session
669 setHandshakeSessionSE(session);
670 }
671
672 if (protocolVersion.v >= ProtocolVersion.TLS12.v) {
673 handshakeHash.setFinishedAlg(cipherSuite.prfAlg.getPRFHashAlg());
674 }
675
676 m1.cipherSuite = cipherSuite;
677 m1.sessionId = session.getSessionId();
678 m1.compression_method = session.getCompression();
679
680 if (secureRenegotiation) {
681 // For ServerHellos that are initial handshakes, then the
682 // "renegotiated_connection" field in "renegotiation_info"
683 // extension is of zero length.
684 //
685 // For ServerHellos that are renegotiating, this field contains
686 // the concatenation of client_verify_data and server_verify_data.
687 //
688 // Note that for initial handshakes, both the clientVerifyData
689 // variable and serverVerifyData variable are of zero length.
690 HelloExtension serverHelloRI = new RenegotiationInfoExtension(
691 clientVerifyData, serverVerifyData);
692 m1.extensions.add(serverHelloRI);
693 }
694
695 if (!sniMatchers.isEmpty() && clientHelloSNIExt != null) {
696 // When resuming a session, the server MUST NOT include a
697 // server_name extension in the server hello.
698 if (!resumingSession) {
699 ServerNameExtension serverHelloSNI = new ServerNameExtension();
700 m1.extensions.add(serverHelloSNI);
701 }
702 }
703
704 if (debug != null && Debug.isOn("handshake")) {
705 m1.print(System.out);
706 System.out.println("Cipher suite: " + session.getSuite());
707 }
708 m1.write(output);
709
710 //
711 // If we are resuming a session, we finish writing handshake
712 // messages right now and then finish.
713 //
714 if (resumingSession) {
715 calculateConnectionKeys(session.getMasterSecret());
716 sendChangeCipherAndFinish(false);
717 return;
718 }
719
720
721 /*
722 * SECOND, write the server Certificate(s) if we need to.
723 *
724 * NOTE: while an "anonymous RSA" mode is explicitly allowed by
725 * the protocol, we can't support it since all of the SSL flavors
726 * defined in the protocol spec are explicitly stated to require
727 * using RSA certificates.
728 */
729 if (keyExchange == K_KRB5 || keyExchange == K_KRB5_EXPORT) {
730 // Server certificates are omitted for Kerberos ciphers
731
732 } else if ((keyExchange != K_DH_ANON) && (keyExchange != K_ECDH_ANON)) {
733 if (certs == null) {
734 throw new RuntimeException("no certificates");
735 }
736
737 CertificateMsg m2 = new CertificateMsg(certs);
738
739 /*
740 * Set local certs in the SSLSession, output
741 * debug info, and then actually write to the client.
742 */
743 session.setLocalCertificates(certs);
744 if (debug != null && Debug.isOn("handshake")) {
745 m2.print(System.out);
746 }
747 m2.write(output);
748
749 // XXX has some side effects with OS TCP buffering,
750 // leave it out for now
751
752 // let client verify chain in the meantime...
753 // output.flush();
754 } else {
755 if (certs != null) {
756 throw new RuntimeException("anonymous keyexchange with certs");
757 }
758 }
759
760 /*
761 * THIRD, the ServerKeyExchange message ... iff it's needed.
762 *
763 * It's usually needed unless there's an encryption-capable
764 * RSA cert, or a D-H cert. The notable exception is that
765 * exportable ciphers used with big RSA keys need to downgrade
766 * to use short RSA keys, even when the key/cert encrypts OK.
767 */
768
769 ServerKeyExchange m3;
770 switch (keyExchange) {
771 case K_RSA:
772 case K_KRB5:
773 case K_KRB5_EXPORT:
774 // no server key exchange for RSA or KRB5 ciphersuites
775 m3 = null;
776 break;
777 case K_RSA_EXPORT:
778 if (JsseJce.getRSAKeyLength(certs[0].getPublicKey()) > 512) {
779 try {
780 m3 = new RSA_ServerKeyExchange(
781 tempPublicKey, privateKey,
782 clnt_random, svr_random,
783 sslContext.getSecureRandom());
784 privateKey = tempPrivateKey;
785 } catch (GeneralSecurityException e) {
786 throwSSLException
787 ("Error generating RSA server key exchange", e);
788 m3 = null; // make compiler happy
789 }
790 } else {
791 // RSA_EXPORT with short key, don't need ServerKeyExchange
792 m3 = null;
793 }
794 break;
795 case K_DHE_RSA:
796 case K_DHE_DSS:
797 try {
798 m3 = new DH_ServerKeyExchange(dh,
799 privateKey,
800 clnt_random.random_bytes,
801 svr_random.random_bytes,
802 sslContext.getSecureRandom(),
803 preferableSignatureAlgorithm,
804 protocolVersion);
805 } catch (GeneralSecurityException e) {
806 throwSSLException("Error generating DH server key exchange", e);
807 m3 = null; // make compiler happy
808 }
809 break;
810 case K_DH_ANON:
811 m3 = new DH_ServerKeyExchange(dh, protocolVersion);
812 break;
813 case K_ECDHE_RSA:
814 case K_ECDHE_ECDSA:
815 case K_ECDH_ANON:
816 try {
817 m3 = new ECDH_ServerKeyExchange(ecdh,
818 privateKey,
819 clnt_random.random_bytes,
820 svr_random.random_bytes,
821 sslContext.getSecureRandom(),
822 preferableSignatureAlgorithm,
823 protocolVersion);
824 } catch (GeneralSecurityException e) {
825 throwSSLException(
826 "Error generating ECDH server key exchange", e);
827 m3 = null; // make compiler happy
828 }
829 break;
830 case K_ECDH_RSA:
831 case K_ECDH_ECDSA:
832 // ServerKeyExchange not used for fixed ECDH
833 m3 = null;
834 break;
835 default:
836 throw new RuntimeException("internal error: " + keyExchange);
837 }
838 if (m3 != null) {
839 if (debug != null && Debug.isOn("handshake")) {
840 m3.print(System.out);
841 }
842 m3.write(output);
843 }
844
845 //
846 // FOURTH, the CertificateRequest message. The details of
847 // the message can be affected by the key exchange algorithm
848 // in use. For example, certs with fixed Diffie-Hellman keys
849 // are only useful with the DH_DSS and DH_RSA key exchange
850 // algorithms.
851 //
852 // Needed only if server requires client to authenticate self.
853 // Illegal for anonymous flavors, so we need to check that.
854 //
855 // CertificateRequest is omitted for Kerberos ciphers
856 if (doClientAuth != SSLEngineImpl.clauth_none &&
857 keyExchange != K_DH_ANON && keyExchange != K_ECDH_ANON &&
858 keyExchange != K_KRB5 && keyExchange != K_KRB5_EXPORT) {
859
860 CertificateRequest m4;
861 X509Certificate caCerts[];
862
863 Collection<SignatureAndHashAlgorithm> localSignAlgs = null;
864 if (protocolVersion.v >= ProtocolVersion.TLS12.v) {
865 // We currently use all local upported signature and hash
866 // algorithms. However, to minimize the computation cost
867 // of requested hash algorithms, we may use a restricted
868 // set of signature algorithms in the future.
869 localSignAlgs = getLocalSupportedSignAlgs();
870 if (localSignAlgs.isEmpty()) {
871 throw new SSLHandshakeException(
872 "No supported signature algorithm");
873 }
874
875 Set<String> localHashAlgs =
876 SignatureAndHashAlgorithm.getHashAlgorithmNames(
877 localSignAlgs);
878 if (localHashAlgs.isEmpty()) {
879 throw new SSLHandshakeException(
880 "No supported signature algorithm");
881 }
882 }
883
884 caCerts = sslContext.getX509TrustManager().getAcceptedIssuers();
885 m4 = new CertificateRequest(caCerts, keyExchange,
886 localSignAlgs, protocolVersion);
887
888 if (debug != null && Debug.isOn("handshake")) {
889 m4.print(System.out);
890 }
891 m4.write(output);
892 }
893
894 /*
895 * FIFTH, say ServerHelloDone.
896 */
897 ServerHelloDone m5 = new ServerHelloDone();
898
899 if (debug != null && Debug.isOn("handshake")) {
900 m5.print(System.out);
901 }
902 m5.write(output);
903
904 /*
905 * Flush any buffered messages so the client will see them.
906 * Ideally, all the messages above go in a single network level
907 * message to the client. Without big Certificate chains, it's
908 * going to be the common case.
909 */
910 output.flush();
911 }
912
913 /*
914 * Choose cipher suite from among those supported by client. Sets
915 * the cipherSuite and keyExchange variables.
916 */
917 private void chooseCipherSuite(ClientHello mesg) throws IOException {
918 for (CipherSuite suite : mesg.getCipherSuites().collection()) {
919 if (isNegotiable(suite) == false) {
920 continue;
921 }
922
923 if (doClientAuth == SSLEngineImpl.clauth_required) {
924 if ((suite.keyExchange == K_DH_ANON) ||
925 (suite.keyExchange == K_ECDH_ANON)) {
926 continue;
927 }
928 }
929 if (trySetCipherSuite(suite) == false) {
930 continue;
931 }
932 return;
933 }
934 fatalSE(Alerts.alert_handshake_failure,
935 "no cipher suites in common");
936 }
937
938 /**
939 * Set the given CipherSuite, if possible. Return the result.
940 * The call succeeds if the CipherSuite is available and we have
941 * the necessary certificates to complete the handshake. We don't
942 * check if the CipherSuite is actually enabled.
943 *
944 * If successful, this method also generates ephemeral keys if
945 * required for this ciphersuite. This may take some time, so this
946 * method should only be called if you really want to use the
947 * CipherSuite.
948 *
949 * This method is called from chooseCipherSuite() in this class.
950 */
951 boolean trySetCipherSuite(CipherSuite suite) {
952 /*
953 * If we're resuming a session we know we can
954 * support this key exchange algorithm and in fact
955 * have already cached the result of it in
956 * the session state.
957 */
958 if (resumingSession) {
959 return true;
960 }
961
962 if (suite.isNegotiable() == false) {
963 return false;
964 }
965
966 // must not negotiate the obsoleted weak cipher suites.
967 if (protocolVersion.v >= suite.obsoleted) {
968 return false;
969 }
970
971 // must not negotiate unsupported cipher suites.
972 if (protocolVersion.v < suite.supported) {
973 return false;
974 }
975
976 KeyExchange keyExchange = suite.keyExchange;
977
978 // null out any existing references
979 privateKey = null;
980 certs = null;
981 dh = null;
982 tempPrivateKey = null;
983 tempPublicKey = null;
984
985 Collection<SignatureAndHashAlgorithm> supportedSignAlgs = null;
986 if (protocolVersion.v >= ProtocolVersion.TLS12.v) {
987 if (peerSupportedSignAlgs != null) {
988 supportedSignAlgs = peerSupportedSignAlgs;
989 } else {
990 SignatureAndHashAlgorithm algorithm = null;
991
992 // we may optimize the performance
993 switch (keyExchange) {
994 // If the negotiated key exchange algorithm is one of
995 // (RSA, DHE_RSA, DH_RSA, RSA_PSK, ECDH_RSA, ECDHE_RSA),
996 // behave as if client had sent the value {sha1,rsa}.
997 case K_RSA:
998 case K_DHE_RSA:
999 case K_DH_RSA:
1000 // case K_RSA_PSK:
1001 case K_ECDH_RSA:
1002 case K_ECDHE_RSA:
1003 algorithm = SignatureAndHashAlgorithm.valueOf(
1004 HashAlgorithm.SHA1.value,
1005 SignatureAlgorithm.RSA.value, 0);
1006 break;
1007 // If the negotiated key exchange algorithm is one of
1008 // (DHE_DSS, DH_DSS), behave as if the client had
1009 // sent the value {sha1,dsa}.
1010 case K_DHE_DSS:
1011 case K_DH_DSS:
1012 algorithm = SignatureAndHashAlgorithm.valueOf(
1013 HashAlgorithm.SHA1.value,
1014 SignatureAlgorithm.DSA.value, 0);
1015 break;
1016 // If the negotiated key exchange algorithm is one of
1017 // (ECDH_ECDSA, ECDHE_ECDSA), behave as if the client
1018 // had sent value {sha1,ecdsa}.
1019 case K_ECDH_ECDSA:
1020 case K_ECDHE_ECDSA:
1021 algorithm = SignatureAndHashAlgorithm.valueOf(
1022 HashAlgorithm.SHA1.value,
1023 SignatureAlgorithm.ECDSA.value, 0);
1024 break;
1025 default:
1026 // no peer supported signature algorithms
1027 }
1028
1029 if (algorithm == null) {
1030 supportedSignAlgs =
1031 Collections.<SignatureAndHashAlgorithm>emptySet();
1032 } else {
1033 supportedSignAlgs =
1034 new ArrayList<SignatureAndHashAlgorithm>(1);
1035 supportedSignAlgs.add(algorithm);
1036 }
1037
1038 // Sets the peer supported signature algorithm to use in KM
1039 // temporarily.
1040 session.setPeerSupportedSignatureAlgorithms(supportedSignAlgs);
1041 }
1042 }
1043
1044 switch (keyExchange) {
1045 case K_RSA:
1046 // need RSA certs for authentication
1047 if (setupPrivateKeyAndChain("RSA") == false) {
1048 return false;
1049 }
1050 break;
1051 case K_RSA_EXPORT:
1052 // need RSA certs for authentication
1053 if (setupPrivateKeyAndChain("RSA") == false) {
1054 return false;
1055 }
1056
1057 try {
1058 if (JsseJce.getRSAKeyLength(certs[0].getPublicKey()) > 512) {
1059 if (!setupEphemeralRSAKeys(suite.exportable)) {
1060 return false;
1061 }
1062 }
1063 } catch (RuntimeException e) {
1064 // could not determine keylength, ignore key
1065 return false;
1066 }
1067 break;
1068 case K_DHE_RSA:
1069 // need RSA certs for authentication
1070 if (setupPrivateKeyAndChain("RSA") == false) {
1071 return false;
1072 }
1073
1074 // get preferable peer signature algorithm for server key exchange
1075 if (protocolVersion.v >= ProtocolVersion.TLS12.v) {
1076 preferableSignatureAlgorithm =
1077 SignatureAndHashAlgorithm.getPreferableAlgorithm(
1078 supportedSignAlgs, "RSA", privateKey);
1079 if (preferableSignatureAlgorithm == null) {
1080 return false;
1081 }
1082 }
1083
1084 setupEphemeralDHKeys(suite.exportable);
1085 break;
1086 case K_ECDHE_RSA:
1087 // need RSA certs for authentication
1088 if (setupPrivateKeyAndChain("RSA") == false) {
1089 return false;
1090 }
1091
1092 // get preferable peer signature algorithm for server key exchange
1093 if (protocolVersion.v >= ProtocolVersion.TLS12.v) {
1094 preferableSignatureAlgorithm =
1095 SignatureAndHashAlgorithm.getPreferableAlgorithm(
1096 supportedSignAlgs, "RSA", privateKey);
1097 if (preferableSignatureAlgorithm == null) {
1098 return false;
1099 }
1100 }
1101
1102 if (setupEphemeralECDHKeys() == false) {
1103 return false;
1104 }
1105 break;
1106 case K_DHE_DSS:
1107 // get preferable peer signature algorithm for server key exchange
1108 if (protocolVersion.v >= ProtocolVersion.TLS12.v) {
1109 preferableSignatureAlgorithm =
1110 SignatureAndHashAlgorithm.getPreferableAlgorithm(
1111 supportedSignAlgs, "DSA");
1112 if (preferableSignatureAlgorithm == null) {
1113 return false;
1114 }
1115 }
1116
1117 // need DSS certs for authentication
1118 if (setupPrivateKeyAndChain("DSA") == false) {
1119 return false;
1120 }
1121 setupEphemeralDHKeys(suite.exportable);
1122 break;
1123 case K_ECDHE_ECDSA:
1124 // get preferable peer signature algorithm for server key exchange
1125 if (protocolVersion.v >= ProtocolVersion.TLS12.v) {
1126 preferableSignatureAlgorithm =
1127 SignatureAndHashAlgorithm.getPreferableAlgorithm(
1128 supportedSignAlgs, "ECDSA");
1129 if (preferableSignatureAlgorithm == null) {
1130 return false;
1131 }
1132 }
1133
1134 // need EC cert signed using EC
1135 if (setupPrivateKeyAndChain("EC_EC") == false) {
1136 return false;
1137 }
1138 if (setupEphemeralECDHKeys() == false) {
1139 return false;
1140 }
1141 break;
1142 case K_ECDH_RSA:
1143 // need EC cert signed using RSA
1144 if (setupPrivateKeyAndChain("EC_RSA") == false) {
1145 return false;
1146 }
1147 setupStaticECDHKeys();
1148 break;
1149 case K_ECDH_ECDSA:
1150 // need EC cert signed using EC
1151 if (setupPrivateKeyAndChain("EC_EC") == false) {
1152 return false;
1153 }
1154 setupStaticECDHKeys();
1155 break;
1156 case K_KRB5:
1157 case K_KRB5_EXPORT:
1158 // need Kerberos Key
1159 if (!setupKerberosKeys()) {
1160 return false;
1161 }
1162 break;
1163 case K_DH_ANON:
1164 // no certs needed for anonymous
1165 setupEphemeralDHKeys(suite.exportable);
1166 break;
1167 case K_ECDH_ANON:
1168 // no certs needed for anonymous
1169 if (setupEphemeralECDHKeys() == false) {
1170 return false;
1171 }
1172 break;
1173 default:
1174 // internal error, unknown key exchange
1175 throw new RuntimeException("Unrecognized cipherSuite: " + suite);
1176 }
1177 setCipherSuite(suite);
1178
1179 // set the peer implicit supported signature algorithms
1180 if (protocolVersion.v >= ProtocolVersion.TLS12.v) {
1181 if (peerSupportedSignAlgs == null) {
1182 setPeerSupportedSignAlgs(supportedSignAlgs);
1183 // we had alreay update the session
1184 }
1185 }
1186 return true;
1187 }
1188
1189 /*
1190 * Get some "ephemeral" RSA keys for this context. This means
1191 * generating them if it's not already been done.
1192 *
1193 * Note that we currently do not implement any ciphersuites that use
1194 * strong ephemeral RSA. (We do not support the EXPORT1024 ciphersuites
1195 * and standard RSA ciphersuites prohibit ephemeral mode for some reason)
1196 * This means that export is always true and 512 bit keys are generated.
1197 */
1198 private boolean setupEphemeralRSAKeys(boolean export) {
1199 KeyPair kp = sslContext.getEphemeralKeyManager().
1200 getRSAKeyPair(export, sslContext.getSecureRandom());
1201 if (kp == null) {
1202 return false;
1203 } else {
1204 tempPublicKey = kp.getPublic();
1205 tempPrivateKey = kp.getPrivate();
1206 return true;
1207 }
1208 }
1209
1210 /*
1211 * Acquire some "ephemeral" Diffie-Hellman keys for this handshake.
1212 * We don't reuse these, for improved forward secrecy.
1213 */
1214 private void setupEphemeralDHKeys(boolean export) {
1215 /*
1216 * Diffie-Hellman keys ... we use 768 bit private keys due
1217 * to the "use twice as many key bits as bits you want secret"
1218 * rule of thumb, assuming we want the same size premaster
1219 * secret with Diffie-Hellman and RSA key exchanges. Except
1220 * that exportable ciphers max out at 512 bits modulus values.
1221 */
1222 dh = new DHCrypt((export ? 512 : 768), sslContext.getSecureRandom());
1223 }
1224
1225 // Setup the ephemeral ECDH parameters.
1226 // If we cannot continue because we do not support any of the curves that
1227 // the client requested, return false. Otherwise (all is well), return true.
1228 private boolean setupEphemeralECDHKeys() {
1229 int index = -1;
1230 if (supportedCurves != null) {
1231 // if the client sent the supported curves extension, pick the
1232 // first one that we support;
1233 for (int curveId : supportedCurves.curveIds()) {
1234 if (SupportedEllipticCurvesExtension.isSupported(curveId)) {
1235 index = curveId;
1236 break;
1237 }
1238 }
1239 if (index < 0) {
1240 // no match found, cannot use this ciphersuite
1241 return false;
1242 }
1243 } else {
1244 // pick our preference
1245 index = SupportedEllipticCurvesExtension.DEFAULT.curveIds()[0];
1246 }
1247 String oid = SupportedEllipticCurvesExtension.getCurveOid(index);
1248 ecdh = new ECDHCrypt(oid, sslContext.getSecureRandom());
1249 return true;
1250 }
1251
1252 private void setupStaticECDHKeys() {
1253 // don't need to check whether the curve is supported, already done
1254 // in setupPrivateKeyAndChain().
1255 ecdh = new ECDHCrypt(privateKey, certs[0].getPublicKey());
1256 }
1257
1258 /**
1259 * Retrieve the server key and certificate for the specified algorithm
1260 * from the KeyManager and set the instance variables.
1261 *
1262 * @return true if successful, false if not available or invalid
1263 */
1264 private boolean setupPrivateKeyAndChain(String algorithm) {
1265 X509ExtendedKeyManager km = sslContext.getX509KeyManager();
1266 String alias;
1267 if (conn != null) {
1268 alias = km.chooseServerAlias(algorithm, null, conn);
1269 } else {
1270 alias = km.chooseEngineServerAlias(algorithm, null, engine);
1271 }
1272 if (alias == null) {
1273 return false;
1274 }
1275 PrivateKey tempPrivateKey = km.getPrivateKey(alias);
1276 if (tempPrivateKey == null) {
1277 return false;
1278 }
1279 X509Certificate[] tempCerts = km.getCertificateChain(alias);
1280 if ((tempCerts == null) || (tempCerts.length == 0)) {
1281 return false;
1282 }
1283 String keyAlgorithm = algorithm.split("_")[0];
1284 PublicKey publicKey = tempCerts[0].getPublicKey();
1285 if ((tempPrivateKey.getAlgorithm().equals(keyAlgorithm) == false)
1286 || (publicKey.getAlgorithm().equals(keyAlgorithm) == false)) {
1287 return false;
1288 }
1289 // For ECC certs, check whether we support the EC domain parameters.
1290 // If the client sent a SupportedEllipticCurves ClientHello extension,
1291 // check against that too.
1292 if (keyAlgorithm.equals("EC")) {
1293 if (publicKey instanceof ECPublicKey == false) {
1294 return false;
1295 }
1296 ECParameterSpec params = ((ECPublicKey)publicKey).getParams();
1297 int index = SupportedEllipticCurvesExtension.getCurveIndex(params);
1298 if (SupportedEllipticCurvesExtension.isSupported(index) == false) {
1299 return false;
1300 }
1301 if ((supportedCurves != null) && !supportedCurves.contains(index)) {
1302 return false;
1303 }
1304 }
1305 this.privateKey = tempPrivateKey;
1306 this.certs = tempCerts;
1307 return true;
1308 }
1309
1310 /**
1311 * Retrieve the Kerberos key for the specified server principal
1312 * from the JAAS configuration file.
1313 *
1314 * @return true if successful, false if not available or invalid
1315 */
1316 private boolean setupKerberosKeys() {
1317 if (serviceCreds != null) {
1318 return true;
1319 }
1320 try {
1321 final AccessControlContext acc = getAccSE();
1322 serviceCreds = AccessController.doPrivileged(
1323 // Eliminate dependency on KerberosKey
1324 new PrivilegedExceptionAction<Object>() {
1325 @Override
1326 public Object run() throws Exception {
1327 // get kerberos key for the default principal
1328 return Krb5Helper.getServiceCreds(acc);
1329 }});
1330
1331 // check permission to access and use the secret key of the
1332 // Kerberized "host" service
1333 if (serviceCreds != null) {
1334 if (debug != null && Debug.isOn("handshake")) {
1335 System.out.println("Using Kerberos creds");
1336 }
1337 String serverPrincipal =
1338 Krb5Helper.getServerPrincipalName(serviceCreds);
1339 if (serverPrincipal != null) {
1340 // When service is bound, we check ASAP. Otherwise,
1341 // will check after client request is received
1342 // in in Kerberos ClientKeyExchange
1343 SecurityManager sm = System.getSecurityManager();
1344 try {
1345 if (sm != null) {
1346 // Eliminate dependency on ServicePermission
1347 sm.checkPermission(Krb5Helper.getServicePermission(
1348 serverPrincipal, "accept"), acc);
1349 }
1350 } catch (SecurityException se) {
1351 serviceCreds = null;
1352 // Do not destroy keys. Will affect Subject
1353 if (debug != null && Debug.isOn("handshake")) {
1354 System.out.println("Permission to access Kerberos"
1355 + " secret key denied");
1356 }
1357 return false;
1358 }
1359 }
1360 }
1361 return serviceCreds != null;
1362 } catch (PrivilegedActionException e) {
1363 // Likely exception here is LoginExceptin
1364 if (debug != null && Debug.isOn("handshake")) {
1365 System.out.println("Attempt to obtain Kerberos key failed: "
1366 + e.toString());
1367 }
1368 return false;
1369 }
1370 }
1371
1372 /*
1373 * For Kerberos ciphers, the premaster secret is encrypted using
1374 * the session key. See RFC 2712.
1375 */
1376 private SecretKey clientKeyExchange(KerberosClientKeyExchange mesg)
1377 throws IOException {
1378
1379 if (debug != null && Debug.isOn("handshake")) {
1380 mesg.print(System.out);
1381 }
1382
1383 // Record the principals involved in exchange
1384 session.setPeerPrincipal(mesg.getPeerPrincipal());
1385 session.setLocalPrincipal(mesg.getLocalPrincipal());
1386
1387 byte[] b = mesg.getUnencryptedPreMasterSecret();
1388 return new SecretKeySpec(b, "TlsPremasterSecret");
1389 }
1390
1391 /*
1392 * Diffie Hellman key exchange is used when the server presented
1393 * D-H parameters in its certificate (signed using RSA or DSS/DSA),
1394 * or else the server presented no certificate but sent D-H params
1395 * in a ServerKeyExchange message. Use of D-H is specified by the
1396 * cipher suite chosen.
1397 *
1398 * The message optionally contains the client's D-H public key (if
1399 * it wasn't not sent in a client certificate). As always with D-H,
1400 * if a client and a server have each other's D-H public keys and
1401 * they use common algorithm parameters, they have a shared key
1402 * that's derived via the D-H calculation. That key becomes the
1403 * pre-master secret.
1404 */
1405 private SecretKey clientKeyExchange(DHClientKeyExchange mesg)
1406 throws IOException {
1407
1408 if (debug != null && Debug.isOn("handshake")) {
1409 mesg.print(System.out);
1410 }
1411 return dh.getAgreedSecret(mesg.getClientPublicKey(), false);
1412 }
1413
1414 private SecretKey clientKeyExchange(ECDHClientKeyExchange mesg)
1415 throws IOException {
1416
1417 if (debug != null && Debug.isOn("handshake")) {
1418 mesg.print(System.out);
1419 }
1420 return ecdh.getAgreedSecret(mesg.getEncodedPoint());
1421 }
1422
1423 /*
1424 * Client wrote a message to verify the certificate it sent earlier.
1425 *
1426 * Note that this certificate isn't involved in key exchange. Client
1427 * authentication messages are included in the checksums used to
1428 * validate the handshake (e.g. Finished messages). Other than that,
1429 * the _exact_ identity of the client is less fundamental to protocol
1430 * security than its role in selecting keys via the pre-master secret.
1431 */
1432 private void clientCertificateVerify(CertificateVerify mesg)
1433 throws IOException {
1434
1435 if (debug != null && Debug.isOn("handshake")) {
1436 mesg.print(System.out);
1437 }
1438
1439 if (protocolVersion.v >= ProtocolVersion.TLS12.v) {
1440 SignatureAndHashAlgorithm signAlg =
1441 mesg.getPreferableSignatureAlgorithm();
1442 if (signAlg == null) {
1443 throw new SSLHandshakeException(
1444 "Illegal CertificateVerify message");
1445 }
1446
1447 String hashAlg =
1448 SignatureAndHashAlgorithm.getHashAlgorithmName(signAlg);
1449 if (hashAlg == null || hashAlg.length() == 0) {
1450 throw new SSLHandshakeException(
1451 "No supported hash algorithm");
1452 }
1453 }
1454
1455 try {
1456 PublicKey publicKey =
1457 session.getPeerCertificates()[0].getPublicKey();
1458
1459 boolean valid = mesg.verify(protocolVersion, handshakeHash,
1460 publicKey, session.getMasterSecret());
1461 if (valid == false) {
1462 fatalSE(Alerts.alert_bad_certificate,
1463 "certificate verify message signature error");
1464 }
1465 } catch (GeneralSecurityException e) {
1466 fatalSE(Alerts.alert_bad_certificate,
1467 "certificate verify format error", e);
1468 }
1469
1470 // reset the flag for clientCertificateVerify message
1471 needClientVerify = false;
1472 }
1473
1474
1475 /*
1476 * Client writes "finished" at the end of its handshake, after cipher
1477 * spec is changed. We verify it and then send ours.
1478 *
1479 * When we're resuming a session, we'll have already sent our own
1480 * Finished message so just the verification is needed.
1481 */
1482 private void clientFinished(Finished mesg) throws IOException {
1483 if (debug != null && Debug.isOn("handshake")) {
1484 mesg.print(System.out);
1485 }
1486
1487 /*
1488 * Verify if client did send the certificate when client
1489 * authentication was required, otherwise server should not proceed
1490 */
1491 if (doClientAuth == SSLEngineImpl.clauth_required) {
1492 // get X500Principal of the end-entity certificate for X509-based
1493 // ciphersuites, or Kerberos principal for Kerberos ciphersuites
1494 session.getPeerPrincipal();
1495 }
1496
1497 /*
1498 * Verify if client did send clientCertificateVerify message following
1499 * the client Certificate, otherwise server should not proceed
1500 */
1501 if (needClientVerify) {
1502 fatalSE(Alerts.alert_handshake_failure,
1503 "client did not send certificate verify message");
1504 }
1505
1506 /*
1507 * Verify the client's message with the "before" digest of messages,
1508 * and forget about continuing to use that digest.
1509 */
1510 boolean verified = mesg.verify(handshakeHash, Finished.CLIENT,
1511 session.getMasterSecret());
1512
1513 if (!verified) {
1514 fatalSE(Alerts.alert_handshake_failure,
1515 "client 'finished' message doesn't verify");
1516 // NOTREACHED
1517 }
1518
1519 /*
1520 * save client verify data for secure renegotiation
1521 */
1522 if (secureRenegotiation) {
1523 clientVerifyData = mesg.getVerifyData();
1524 }
1525
1526 /*
1527 * OK, it verified. If we're doing the full handshake, add that
1528 * "Finished" message to the hash of handshake messages, then send
1529 * the change_cipher_spec and Finished message.
1530 */
1531 if (!resumingSession) {
1532 input.digestNow();
1533 sendChangeCipherAndFinish(true);
1534 }
1535
1536 /*
1537 * Update the session cache only after the handshake completed, else
1538 * we're open to an attack against a partially completed handshake.
1539 */
1540 session.setLastAccessedTime(System.currentTimeMillis());
1541 if (!resumingSession && session.isRejoinable()) {
1542 ((SSLSessionContextImpl)sslContext.engineGetServerSessionContext())
1543 .put(session);
1544 if (debug != null && Debug.isOn("session")) {
1545 System.out.println(
1546 "%% Cached server session: " + session);
1547 }
1548 } else if (!resumingSession &&
1549 debug != null && Debug.isOn("session")) {
1550 System.out.println(
1551 "%% Didn't cache non-resumable server session: "
1552 + session);
1553 }
1554 }
1555
1556 /*
1557 * Compute finished message with the "server" digest (and then forget
1558 * about that digest, it can't be used again).
1559 */
1560 private void sendChangeCipherAndFinish(boolean finishedTag)
1561 throws IOException {
1562
1563 output.flush();
1564
1565 Finished mesg = new Finished(protocolVersion, handshakeHash,
1566 Finished.SERVER, session.getMasterSecret(), cipherSuite);
1567
1568 /*
1569 * Send the change_cipher_spec record; then our Finished handshake
1570 * message will be the last handshake message. Flush, and now we
1571 * are ready for application data!!
1572 */
1573 sendChangeCipherSpec(mesg, finishedTag);
1574
1575 /*
1576 * save server verify data for secure renegotiation
1577 */
1578 if (secureRenegotiation) {
1579 serverVerifyData = mesg.getVerifyData();
1580 }
1581
1582 /*
1583 * Update state machine so client MUST send 'finished' next
1584 * The update should only take place if it is not in the fast
1585 * handshake mode since the server has to wait for a finished
1586 * message from the client.
1587 */
1588 if (finishedTag) {
1589 state = HandshakeMessage.ht_finished;
1590 }
1591 }
1592
1593
1594 /*
1595 * Returns a HelloRequest message to kickstart renegotiations
1596 */
1597 @Override
1598 HandshakeMessage getKickstartMessage() {
1599 return new HelloRequest();
1600 }
1601
1602
1603 /*
1604 * Fault detected during handshake.
1605 */
1606 @Override
1607 void handshakeAlert(byte description) throws SSLProtocolException {
1608
1609 String message = Alerts.alertDescription(description);
1610
1611 if (debug != null && Debug.isOn("handshake")) {
1612 System.out.println("SSL -- handshake alert: "
1613 + message);
1614 }
1615
1616 /*
1617 * It's ok to get a no_certificate alert from a client of which
1618 * we *requested* authentication information.
1619 * However, if we *required* it, then this is not acceptable.
1620 *
1621 * Anyone calling getPeerCertificates() on the
1622 * session will get an SSLPeerUnverifiedException.
1623 */
1624 if ((description == Alerts.alert_no_certificate) &&
1625 (doClientAuth == SSLEngineImpl.clauth_requested)) {
1626 return;
1627 }
1628
1629 throw new SSLProtocolException("handshake alert: " + message);
1630 }
1631
1632 /*
1633 * RSA key exchange is normally used. The client encrypts a "pre-master
1634 * secret" with the server's public key, from the Certificate (or else
1635 * ServerKeyExchange) message that was sent to it by the server. That's
1636 * decrypted using the private key before we get here.
1637 */
1638 private SecretKey clientKeyExchange(RSAClientKeyExchange mesg)
1639 throws IOException {
1640
1641 if (debug != null && Debug.isOn("handshake")) {
1642 mesg.print(System.out);
1643 }
1644 return mesg.preMaster;
1645 }
1646
1647 /*
1648 * Verify the certificate sent by the client. We'll only get one if we
1649 * sent a CertificateRequest to request client authentication. If we
1650 * are in TLS mode, the client may send a message with no certificates
1651 * to indicate it does not have an appropriate chain. (In SSLv3 mode,
1652 * it would send a no certificate alert).
1653 */
1654 private void clientCertificate(CertificateMsg mesg) throws IOException {
1655 if (debug != null && Debug.isOn("handshake")) {
1656 mesg.print(System.out);
1657 }
1658
1659 X509Certificate[] peerCerts = mesg.getCertificateChain();
1660
1661 if (peerCerts.length == 0) {
1662 /*
1663 * If the client authentication is only *REQUESTED* (e.g.
1664 * not *REQUIRED*, this is an acceptable condition.)
1665 */
1666 if (doClientAuth == SSLEngineImpl.clauth_requested) {
1667 return;
1668 } else {
1669 fatalSE(Alerts.alert_bad_certificate,
1670 "null cert chain");
1671 }
1672 }
1673
1674 // ask the trust manager to verify the chain
1675 X509TrustManager tm = sslContext.getX509TrustManager();
1676
1677 try {
1678 // find out the types of client authentication used
1679 PublicKey key = peerCerts[0].getPublicKey();
1680 String keyAlgorithm = key.getAlgorithm();
1681 String authType;
1682 if (keyAlgorithm.equals("RSA")) {
1683 authType = "RSA";
1684 } else if (keyAlgorithm.equals("DSA")) {
1685 authType = "DSA";
1686 } else if (keyAlgorithm.equals("EC")) {
1687 authType = "EC";
1688 } else {
1689 // unknown public key type
1690 authType = "UNKNOWN";
1691 }
1692
1693 if (tm instanceof X509ExtendedTrustManager) {
1694 if (conn != null) {
1695 ((X509ExtendedTrustManager)tm).checkClientTrusted(
1696 peerCerts.clone(),
1697 authType,
1698 conn);
1699 } else {
1700 ((X509ExtendedTrustManager)tm).checkClientTrusted(
1701 peerCerts.clone(),
1702 authType,
1703 engine);
1704 }
1705 } else {
1706 // Unlikely to happen, because we have wrapped the old
1707 // X509TrustManager with the new X509ExtendedTrustManager.
1708 throw new CertificateException(
1709 "Improper X509TrustManager implementation");
1710 }
1711 } catch (CertificateException e) {
1712 // This will throw an exception, so include the original error.
1713 fatalSE(Alerts.alert_certificate_unknown, e);
1714 }
1715 // set the flag for clientCertificateVerify message
1716 needClientVerify = true;
1717
1718 session.setPeerCertificates(peerCerts);
1719 }
1720 }