1 /* 2 * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package sun.security.ssl; 27 28 import java.io.*; 29 import java.math.BigInteger; 30 import java.security.*; 31 import java.security.interfaces.*; 32 import java.security.spec.*; 33 import java.security.cert.*; 34 import java.security.cert.Certificate; 35 import java.util.*; 36 import java.util.concurrent.ConcurrentHashMap; 37 38 import java.lang.reflect.*; 39 40 import javax.security.auth.x500.X500Principal; 41 42 import javax.crypto.KeyGenerator; 43 import javax.crypto.SecretKey; 44 import javax.crypto.spec.DHPublicKeySpec; 45 46 import javax.net.ssl.*; 47 48 import sun.security.internal.spec.TlsPrfParameterSpec; 49 import sun.security.ssl.CipherSuite.*; 50 import static sun.security.ssl.CipherSuite.PRF.*; 51 import sun.security.util.KeyUtil; 52 53 /** 54 * Many data structures are involved in the handshake messages. These 55 * classes are used as structures, with public data members. They are 56 * not visible outside the SSL package. 57 * 58 * Handshake messages all have a common header format, and they are all 59 * encoded in a "handshake data" SSL record substream. The base class 60 * here (HandshakeMessage) provides a common framework and records the 61 * SSL record type of the particular handshake message. 62 * 63 * This file contains subclasses for all the basic handshake messages. 64 * All handshake messages know how to encode and decode themselves on 65 * SSL streams; this facilitates using the same code on SSL client and 66 * server sides, although they don't send and receive the same messages. 67 * 68 * Messages also know how to print themselves, which is quite handy 69 * for debugging. They always identify their type, and can optionally 70 * dump all of their content. 71 * 72 * @author David Brownell 73 */ 74 public abstract class HandshakeMessage { 75 76 HandshakeMessage() { } 77 78 // enum HandshakeType: 79 static final byte ht_hello_request = 0; 80 static final byte ht_client_hello = 1; 81 static final byte ht_server_hello = 2; 82 83 static final byte ht_certificate = 11; 84 static final byte ht_server_key_exchange = 12; 85 static final byte ht_certificate_request = 13; 86 static final byte ht_server_hello_done = 14; 87 static final byte ht_certificate_verify = 15; 88 static final byte ht_client_key_exchange = 16; 89 90 static final byte ht_finished = 20; 91 92 /* Class and subclass dynamic debugging support */ 93 public static final Debug debug = Debug.getInstance("ssl"); 94 95 /** 96 * Utility method to convert a BigInteger to a byte array in unsigned 97 * format as needed in the handshake messages. BigInteger uses 98 * 2's complement format, i.e. it prepends an extra zero if the MSB 99 * is set. We remove that. 100 */ 101 static byte[] toByteArray(BigInteger bi) { 102 byte[] b = bi.toByteArray(); 103 if ((b.length > 1) && (b[0] == 0)) { 104 int n = b.length - 1; 105 byte[] newarray = new byte[n]; 106 System.arraycopy(b, 1, newarray, 0, n); 107 b = newarray; 108 } 109 return b; 110 } 111 112 /* 113 * SSL 3.0 MAC padding constants. 114 * Also used by CertificateVerify and Finished during the handshake. 115 */ 116 static final byte[] MD5_pad1 = genPad(0x36, 48); 117 static final byte[] MD5_pad2 = genPad(0x5c, 48); 118 119 static final byte[] SHA_pad1 = genPad(0x36, 40); 120 static final byte[] SHA_pad2 = genPad(0x5c, 40); 121 122 private static byte[] genPad(int b, int count) { 123 byte[] padding = new byte[count]; 124 Arrays.fill(padding, (byte)b); 125 return padding; 126 } 127 128 /* 129 * Write a handshake message on the (handshake) output stream. 130 * This is just a four byte header followed by the data. 131 * 132 * NOTE that huge messages -- notably, ones with huge cert 133 * chains -- are handled correctly. 134 */ 135 final void write(HandshakeOutStream s) throws IOException { 136 int len = messageLength(); 137 if (len >= Record.OVERFLOW_OF_INT24) { 138 throw new SSLException("Handshake message too big" 139 + ", type = " + messageType() + ", len = " + len); 140 } 141 s.write(messageType()); 142 s.putInt24(len); 143 send(s); 144 } 145 146 /* 147 * Subclasses implement these methods so those kinds of 148 * messages can be emitted. Base class delegates to subclass. 149 */ 150 abstract int messageType(); 151 abstract int messageLength(); 152 abstract void send(HandshakeOutStream s) throws IOException; 153 154 /* 155 * Write a descriptive message on the output stream; for debugging. 156 */ 157 abstract void print(PrintStream p) throws IOException; 158 159 // 160 // NOTE: the rest of these classes are nested within this one, and are 161 // imported by other classes in this package. There are a few other 162 // handshake message classes, not neatly nested here because of current 163 // licensing requirement for native (RSA) methods. They belong here, 164 // but those native methods complicate things a lot! 165 // 166 167 168 /* 169 * HelloRequest ... SERVER --> CLIENT 170 * 171 * Server can ask the client to initiate a new handshake, e.g. to change 172 * session parameters after a connection has been (re)established. 173 */ 174 static final class HelloRequest extends HandshakeMessage { 175 @Override 176 int messageType() { return ht_hello_request; } 177 178 HelloRequest() { } 179 180 HelloRequest(HandshakeInStream in) throws IOException 181 { 182 // nothing in this message 183 } 184 185 @Override 186 int messageLength() { return 0; } 187 188 @Override 189 void send(HandshakeOutStream out) throws IOException 190 { 191 // nothing in this messaage 192 } 193 194 @Override 195 void print(PrintStream out) throws IOException 196 { 197 out.println("*** HelloRequest (empty)"); 198 } 199 200 } 201 202 203 /* 204 * ClientHello ... CLIENT --> SERVER 205 * 206 * Client initiates handshake by telling server what it wants, and what it 207 * can support (prioritized by what's first in the ciphe suite list). 208 * 209 * By RFC2246:7.4.1.2 it's explicitly anticipated that this message 210 * will have more data added at the end ... e.g. what CAs the client trusts. 211 * Until we know how to parse it, we will just read what we know 212 * about, and let our caller handle the jumps over unknown data. 213 */ 214 static final class ClientHello extends HandshakeMessage { 215 216 ProtocolVersion protocolVersion; 217 RandomCookie clnt_random; 218 SessionId sessionId; 219 private CipherSuiteList cipherSuites; 220 byte[] compression_methods; 221 222 HelloExtensions extensions = new HelloExtensions(); 223 224 private final static byte[] NULL_COMPRESSION = new byte[] {0}; 225 226 ClientHello(SecureRandom generator, ProtocolVersion protocolVersion, 227 SessionId sessionId, CipherSuiteList cipherSuites) { 228 229 this.protocolVersion = protocolVersion; 230 this.sessionId = sessionId; 231 this.cipherSuites = cipherSuites; 232 233 if (cipherSuites.containsEC()) { 234 extensions.add(SupportedEllipticCurvesExtension.DEFAULT); 235 extensions.add(SupportedEllipticPointFormatsExtension.DEFAULT); 236 } 237 238 clnt_random = new RandomCookie(generator); 239 compression_methods = NULL_COMPRESSION; 240 } 241 242 ClientHello(HandshakeInStream s, int messageLength) throws IOException { 243 protocolVersion = ProtocolVersion.valueOf(s.getInt8(), s.getInt8()); 244 clnt_random = new RandomCookie(s); 245 sessionId = new SessionId(s.getBytes8()); 246 sessionId.checkLength(protocolVersion); 247 cipherSuites = new CipherSuiteList(s); 248 compression_methods = s.getBytes8(); 249 if (messageLength() != messageLength) { 250 extensions = new HelloExtensions(s); 251 } 252 } 253 254 CipherSuiteList getCipherSuites() { 255 return cipherSuites; 256 } 257 258 // add renegotiation_info extension 259 void addRenegotiationInfoExtension(byte[] clientVerifyData) { 260 HelloExtension renegotiationInfo = new RenegotiationInfoExtension( 261 clientVerifyData, new byte[0]); 262 extensions.add(renegotiationInfo); 263 } 264 265 // add server_name extension 266 void addSNIExtension(List<SNIServerName> serverNames) { 267 try { 268 extensions.add(new ServerNameExtension(serverNames)); 269 } catch (IOException ioe) { 270 // ignore the exception and return 271 } 272 } 273 274 // add signature_algorithm extension 275 void addSignatureAlgorithmsExtension( 276 Collection<SignatureAndHashAlgorithm> algorithms) { 277 HelloExtension signatureAlgorithm = 278 new SignatureAlgorithmsExtension(algorithms); 279 extensions.add(signatureAlgorithm); 280 } 281 282 @Override 283 int messageType() { return ht_client_hello; } 284 285 @Override 286 int messageLength() { 287 /* 288 * Add fixed size parts of each field... 289 * version + random + session + cipher + compress 290 */ 291 return (2 + 32 + 1 + 2 + 1 292 + sessionId.length() /* ... + variable parts */ 293 + (cipherSuites.size() * 2) 294 + compression_methods.length) 295 + extensions.length(); 296 } 297 298 @Override 299 void send(HandshakeOutStream s) throws IOException { 300 s.putInt8(protocolVersion.major); 301 s.putInt8(protocolVersion.minor); 302 clnt_random.send(s); 303 s.putBytes8(sessionId.getId()); 304 cipherSuites.send(s); 305 s.putBytes8(compression_methods); 306 extensions.send(s); 307 } 308 309 @Override 310 void print(PrintStream s) throws IOException { 311 s.println("*** ClientHello, " + protocolVersion); 312 313 if (debug != null && Debug.isOn("verbose")) { 314 s.print("RandomCookie: "); 315 clnt_random.print(s); 316 317 s.print("Session ID: "); 318 s.println(sessionId); 319 320 s.println("Cipher Suites: " + cipherSuites); 321 322 Debug.println(s, "Compression Methods", compression_methods); 323 extensions.print(s); 324 s.println("***"); 325 } 326 } 327 } 328 329 /* 330 * ServerHello ... SERVER --> CLIENT 331 * 332 * Server chooses protocol options from among those it supports and the 333 * client supports. Then it sends the basic session descriptive parameters 334 * back to the client. 335 */ 336 static final 337 class ServerHello extends HandshakeMessage 338 { 339 @Override 340 int messageType() { return ht_server_hello; } 341 342 ProtocolVersion protocolVersion; 343 RandomCookie svr_random; 344 SessionId sessionId; 345 CipherSuite cipherSuite; 346 byte compression_method; 347 HelloExtensions extensions = new HelloExtensions(); 348 349 ServerHello() { 350 // empty 351 } 352 353 ServerHello(HandshakeInStream input, int messageLength) 354 throws IOException { 355 protocolVersion = ProtocolVersion.valueOf(input.getInt8(), 356 input.getInt8()); 357 svr_random = new RandomCookie(input); 358 sessionId = new SessionId(input.getBytes8()); 359 sessionId.checkLength(protocolVersion); 360 cipherSuite = CipherSuite.valueOf(input.getInt8(), input.getInt8()); 361 compression_method = (byte)input.getInt8(); 362 if (messageLength() != messageLength) { 363 extensions = new HelloExtensions(input); 364 } 365 } 366 367 @Override 368 int messageLength() 369 { 370 // almost fixed size, except session ID and extensions: 371 // major + minor = 2 372 // random = 32 373 // session ID len field = 1 374 // cipher suite + compression = 3 375 // extensions: if present, 2 + length of extensions 376 return 38 + sessionId.length() + extensions.length(); 377 } 378 379 @Override 380 void send(HandshakeOutStream s) throws IOException 381 { 382 s.putInt8(protocolVersion.major); 383 s.putInt8(protocolVersion.minor); 384 svr_random.send(s); 385 s.putBytes8(sessionId.getId()); 386 s.putInt8(cipherSuite.id >> 8); 387 s.putInt8(cipherSuite.id & 0xff); 388 s.putInt8(compression_method); 389 extensions.send(s); 390 } 391 392 @Override 393 void print(PrintStream s) throws IOException 394 { 395 s.println("*** ServerHello, " + protocolVersion); 396 397 if (debug != null && Debug.isOn("verbose")) { 398 s.print("RandomCookie: "); 399 svr_random.print(s); 400 401 s.print("Session ID: "); 402 s.println(sessionId); 403 404 s.println("Cipher Suite: " + cipherSuite); 405 s.println("Compression Method: " + compression_method); 406 extensions.print(s); 407 s.println("***"); 408 } 409 } 410 } 411 412 413 /* 414 * CertificateMsg ... send by both CLIENT and SERVER 415 * 416 * Each end of a connection may need to pass its certificate chain to 417 * the other end. Such chains are intended to validate an identity with 418 * reference to some certifying authority. Examples include companies 419 * like Verisign, or financial institutions. There's some control over 420 * the certifying authorities which are sent. 421 * 422 * NOTE: that these messages might be huge, taking many handshake records. 423 * Up to 2^48 bytes of certificate may be sent, in records of at most 2^14 424 * bytes each ... up to 2^32 records sent on the output stream. 425 */ 426 static final 427 class CertificateMsg extends HandshakeMessage 428 { 429 @Override 430 int messageType() { return ht_certificate; } 431 432 private X509Certificate[] chain; 433 434 private List<byte[]> encodedChain; 435 436 private int messageLength; 437 438 CertificateMsg(X509Certificate[] certs) { 439 chain = certs; 440 } 441 442 CertificateMsg(HandshakeInStream input) throws IOException { 443 int chainLen = input.getInt24(); 444 List<Certificate> v = new ArrayList<>(4); 445 446 CertificateFactory cf = null; 447 while (chainLen > 0) { 448 byte[] cert = input.getBytes24(); 449 chainLen -= (3 + cert.length); 450 try { 451 if (cf == null) { 452 cf = CertificateFactory.getInstance("X.509"); 453 } 454 v.add(cf.generateCertificate(new ByteArrayInputStream(cert))); 455 } catch (CertificateException e) { 456 throw (SSLProtocolException)new SSLProtocolException( 457 e.getMessage()).initCause(e); 458 } 459 } 460 461 chain = v.toArray(new X509Certificate[v.size()]); 462 } 463 464 @Override 465 int messageLength() { 466 if (encodedChain == null) { 467 messageLength = 3; 468 encodedChain = new ArrayList<byte[]>(chain.length); 469 try { 470 for (X509Certificate cert : chain) { 471 byte[] b = cert.getEncoded(); 472 encodedChain.add(b); 473 messageLength += b.length + 3; 474 } 475 } catch (CertificateEncodingException e) { 476 encodedChain = null; 477 throw new RuntimeException("Could not encode certificates", e); 478 } 479 } 480 return messageLength; 481 } 482 483 @Override 484 void send(HandshakeOutStream s) throws IOException { 485 s.putInt24(messageLength() - 3); 486 for (byte[] b : encodedChain) { 487 s.putBytes24(b); 488 } 489 } 490 491 @Override 492 void print(PrintStream s) throws IOException { 493 s.println("*** Certificate chain"); 494 495 if (chain.length == 0) { 496 s.println("<Empty>"); 497 } else if (debug != null && Debug.isOn("verbose")) { 498 for (int i = 0; i < chain.length; i++) { 499 s.println("chain [" + i + "] = " + chain[i]); 500 } 501 } 502 s.println("***"); 503 } 504 505 X509Certificate[] getCertificateChain() { 506 return chain.clone(); 507 } 508 } 509 510 /* 511 * ServerKeyExchange ... SERVER --> CLIENT 512 * 513 * The cipher suite selected, when combined with the certificate exchanged, 514 * implies one of several different kinds of key exchange. Most current 515 * cipher suites require the server to send more than its certificate. 516 * 517 * The primary exceptions are when a server sends an encryption-capable 518 * RSA public key in its cert, to be used with RSA (or RSA_export) key 519 * exchange; and when a server sends its Diffie-Hellman cert. Those kinds 520 * of key exchange do not require a ServerKeyExchange message. 521 * 522 * Key exchange can be viewed as having three modes, which are explicit 523 * for the Diffie-Hellman flavors and poorly specified for RSA ones: 524 * 525 * - "Ephemeral" keys. Here, a "temporary" key is allocated by the 526 * server, and signed. Diffie-Hellman keys signed using RSA or 527 * DSS are ephemeral (DHE flavor). RSA keys get used to do the same 528 * thing, to cut the key size down to 512 bits (export restrictions) 529 * or for signing-only RSA certificates. 530 * 531 * - Anonymity. Here no server certificate is sent, only the public 532 * key of the server. This case is subject to man-in-the-middle 533 * attacks. This can be done with Diffie-Hellman keys (DH_anon) or 534 * with RSA keys, but is only used in SSLv3 for DH_anon. 535 * 536 * - "Normal" case. Here a server certificate is sent, and the public 537 * key there is used directly in exchanging the premaster secret. 538 * For example, Diffie-Hellman "DH" flavor, and any RSA flavor with 539 * only 512 bit keys. 540 * 541 * If a server certificate is sent, there is no anonymity. However, 542 * when a certificate is sent, ephemeral keys may still be used to 543 * exchange the premaster secret. That's how RSA_EXPORT often works, 544 * as well as how the DHE_* flavors work. 545 */ 546 static abstract class ServerKeyExchange extends HandshakeMessage 547 { 548 @Override 549 int messageType() { return ht_server_key_exchange; } 550 } 551 552 553 /* 554 * Using RSA for Key Exchange: exchange a session key that's not as big 555 * as the signing-only key. Used for export applications, since exported 556 * RSA encryption keys can't be bigger than 512 bytes. 557 * 558 * This is never used when keys are 512 bits or smaller, and isn't used 559 * on "US Domestic" ciphers in any case. 560 */ 561 static final 562 class RSA_ServerKeyExchange extends ServerKeyExchange 563 { 564 private byte rsa_modulus[]; // 1 to 2^16 - 1 bytes 565 private byte rsa_exponent[]; // 1 to 2^16 - 1 bytes 566 567 private Signature signature; 568 private byte[] signatureBytes; 569 570 /* 571 * Hash the nonces and the ephemeral RSA public key. 572 */ 573 private void updateSignature(byte clntNonce[], byte svrNonce[]) 574 throws SignatureException { 575 int tmp; 576 577 signature.update(clntNonce); 578 signature.update(svrNonce); 579 580 tmp = rsa_modulus.length; 581 signature.update((byte)(tmp >> 8)); 582 signature.update((byte)(tmp & 0x0ff)); 583 signature.update(rsa_modulus); 584 585 tmp = rsa_exponent.length; 586 signature.update((byte)(tmp >> 8)); 587 signature.update((byte)(tmp & 0x0ff)); 588 signature.update(rsa_exponent); 589 } 590 591 592 /* 593 * Construct an RSA server key exchange message, using data 594 * known _only_ to the server. 595 * 596 * The client knows the public key corresponding to this private 597 * key, from the Certificate message sent previously. To comply 598 * with US export regulations we use short RSA keys ... either 599 * long term ones in the server's X509 cert, or else ephemeral 600 * ones sent using this message. 601 */ 602 RSA_ServerKeyExchange(PublicKey ephemeralKey, PrivateKey privateKey, 603 RandomCookie clntNonce, RandomCookie svrNonce, SecureRandom sr) 604 throws GeneralSecurityException { 605 RSAPublicKeySpec rsaKey = JsseJce.getRSAPublicKeySpec(ephemeralKey); 606 rsa_modulus = toByteArray(rsaKey.getModulus()); 607 rsa_exponent = toByteArray(rsaKey.getPublicExponent()); 608 signature = RSASignature.getInstance(); 609 signature.initSign(privateKey, sr); 610 updateSignature(clntNonce.random_bytes, svrNonce.random_bytes); 611 signatureBytes = signature.sign(); 612 } 613 614 615 /* 616 * Parse an RSA server key exchange message, using data known 617 * to the client (and, in some situations, eavesdroppers). 618 */ 619 RSA_ServerKeyExchange(HandshakeInStream input) 620 throws IOException, NoSuchAlgorithmException { 621 signature = RSASignature.getInstance(); 622 rsa_modulus = input.getBytes16(); 623 rsa_exponent = input.getBytes16(); 624 signatureBytes = input.getBytes16(); 625 } 626 627 /* 628 * Get the ephemeral RSA public key that will be used in this 629 * SSL connection. 630 */ 631 PublicKey getPublicKey() { 632 try { 633 KeyFactory kfac = JsseJce.getKeyFactory("RSA"); 634 // modulus and exponent are always positive 635 RSAPublicKeySpec kspec = new RSAPublicKeySpec( 636 new BigInteger(1, rsa_modulus), 637 new BigInteger(1, rsa_exponent)); 638 return kfac.generatePublic(kspec); 639 } catch (Exception e) { 640 throw new RuntimeException(e); 641 } 642 } 643 644 /* 645 * Verify the signed temporary key using the hashes computed 646 * from it and the two nonces. This is called by clients 647 * with "exportable" RSA flavors. 648 */ 649 boolean verify(PublicKey certifiedKey, RandomCookie clntNonce, 650 RandomCookie svrNonce) throws GeneralSecurityException { 651 signature.initVerify(certifiedKey); 652 updateSignature(clntNonce.random_bytes, svrNonce.random_bytes); 653 return signature.verify(signatureBytes); 654 } 655 656 @Override 657 int messageLength() { 658 return 6 + rsa_modulus.length + rsa_exponent.length 659 + signatureBytes.length; 660 } 661 662 @Override 663 void send(HandshakeOutStream s) throws IOException { 664 s.putBytes16(rsa_modulus); 665 s.putBytes16(rsa_exponent); 666 s.putBytes16(signatureBytes); 667 } 668 669 @Override 670 void print(PrintStream s) throws IOException { 671 s.println("*** RSA ServerKeyExchange"); 672 673 if (debug != null && Debug.isOn("verbose")) { 674 Debug.println(s, "RSA Modulus", rsa_modulus); 675 Debug.println(s, "RSA Public Exponent", rsa_exponent); 676 } 677 } 678 } 679 680 681 /* 682 * Using Diffie-Hellman algorithm for key exchange. All we really need to 683 * do is securely get Diffie-Hellman keys (using the same P, G parameters) 684 * to our peer, then we automatically have a shared secret without need 685 * to exchange any more data. (D-H only solutions, such as SKIP, could 686 * eliminate key exchange negotiations and get faster connection setup. 687 * But they still need a signature algorithm like DSS/DSA to support the 688 * trusted distribution of keys without relying on unscalable physical 689 * key distribution systems.) 690 * 691 * This class supports several DH-based key exchange algorithms, though 692 * perhaps eventually each deserves its own class. Notably, this has 693 * basic support for DH_anon and its DHE_DSS and DHE_RSA signed variants. 694 */ 695 static final 696 class DH_ServerKeyExchange extends ServerKeyExchange 697 { 698 // Fix message encoding, see 4348279 699 private final static boolean dhKeyExchangeFix = 700 Debug.getBooleanProperty("com.sun.net.ssl.dhKeyExchangeFix", true); 701 702 private byte dh_p []; // 1 to 2^16 - 1 bytes 703 private byte dh_g []; // 1 to 2^16 - 1 bytes 704 private byte dh_Ys []; // 1 to 2^16 - 1 bytes 705 706 private byte signature []; 707 708 // protocol version being established using this ServerKeyExchange message 709 ProtocolVersion protocolVersion; 710 711 // the preferable signature algorithm used by this ServerKeyExchange message 712 private SignatureAndHashAlgorithm preferableSignatureAlgorithm; 713 714 /* 715 * Construct from initialized DH key object, for DH_anon 716 * key exchange. 717 */ 718 DH_ServerKeyExchange(DHCrypt obj, ProtocolVersion protocolVersion) { 719 this.protocolVersion = protocolVersion; 720 this.preferableSignatureAlgorithm = null; 721 722 // The DH key has been validated in the constructor of DHCrypt. 723 setValues(obj); 724 signature = null; 725 } 726 727 /* 728 * Construct from initialized DH key object and the key associated 729 * with the cert chain which was sent ... for DHE_DSS and DHE_RSA 730 * key exchange. (Constructor called by server.) 731 */ 732 DH_ServerKeyExchange(DHCrypt obj, PrivateKey key, byte clntNonce[], 733 byte svrNonce[], SecureRandom sr, 734 SignatureAndHashAlgorithm signAlgorithm, 735 ProtocolVersion protocolVersion) throws GeneralSecurityException { 736 737 this.protocolVersion = protocolVersion; 738 739 // The DH key has been validated in the constructor of DHCrypt. 740 setValues(obj); 741 742 Signature sig; 743 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 744 this.preferableSignatureAlgorithm = signAlgorithm; 745 sig = JsseJce.getSignature(signAlgorithm.getAlgorithmName()); 746 } else { 747 this.preferableSignatureAlgorithm = null; 748 if (key.getAlgorithm().equals("DSA")) { 749 sig = JsseJce.getSignature(JsseJce.SIGNATURE_DSA); 750 } else { 751 sig = RSASignature.getInstance(); 752 } 753 } 754 755 sig.initSign(key, sr); 756 updateSignature(sig, clntNonce, svrNonce); 757 signature = sig.sign(); 758 } 759 760 /* 761 * Construct a DH_ServerKeyExchange message from an input 762 * stream, as if sent from server to client for use with 763 * DH_anon key exchange 764 */ 765 DH_ServerKeyExchange(HandshakeInStream input, 766 ProtocolVersion protocolVersion) 767 throws IOException, GeneralSecurityException { 768 769 this.protocolVersion = protocolVersion; 770 this.preferableSignatureAlgorithm = null; 771 772 dh_p = input.getBytes16(); 773 dh_g = input.getBytes16(); 774 dh_Ys = input.getBytes16(); 775 KeyUtil.validate(new DHPublicKeySpec(new BigInteger(1, dh_Ys), 776 new BigInteger(1, dh_p), 777 new BigInteger(1, dh_g))); 778 779 signature = null; 780 } 781 782 /* 783 * Construct a DH_ServerKeyExchange message from an input stream 784 * and a certificate, as if sent from server to client for use with 785 * DHE_DSS or DHE_RSA key exchange. (Called by client.) 786 */ 787 DH_ServerKeyExchange(HandshakeInStream input, PublicKey publicKey, 788 byte clntNonce[], byte svrNonce[], int messageSize, 789 Collection<SignatureAndHashAlgorithm> localSupportedSignAlgs, 790 ProtocolVersion protocolVersion) 791 throws IOException, GeneralSecurityException { 792 793 this.protocolVersion = protocolVersion; 794 795 // read params: ServerDHParams 796 dh_p = input.getBytes16(); 797 dh_g = input.getBytes16(); 798 dh_Ys = input.getBytes16(); 799 KeyUtil.validate(new DHPublicKeySpec(new BigInteger(1, dh_Ys), 800 new BigInteger(1, dh_p), 801 new BigInteger(1, dh_g))); 802 803 // read the signature and hash algorithm 804 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 805 int hash = input.getInt8(); // hash algorithm 806 int signature = input.getInt8(); // signature algorithm 807 808 preferableSignatureAlgorithm = 809 SignatureAndHashAlgorithm.valueOf(hash, signature, 0); 810 811 // Is it a local supported signature algorithm? 812 if (!localSupportedSignAlgs.contains( 813 preferableSignatureAlgorithm)) { 814 throw new SSLHandshakeException( 815 "Unsupported SignatureAndHashAlgorithm in " + 816 "ServerKeyExchange message"); 817 } 818 } else { 819 this.preferableSignatureAlgorithm = null; 820 } 821 822 // read the signature 823 byte signature[]; 824 if (dhKeyExchangeFix) { 825 signature = input.getBytes16(); 826 } else { 827 messageSize -= (dh_p.length + 2); 828 messageSize -= (dh_g.length + 2); 829 messageSize -= (dh_Ys.length + 2); 830 831 signature = new byte[messageSize]; 832 input.read(signature); 833 } 834 835 Signature sig; 836 String algorithm = publicKey.getAlgorithm(); 837 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 838 sig = JsseJce.getSignature( 839 preferableSignatureAlgorithm.getAlgorithmName()); 840 } else { 841 switch (algorithm) { 842 case "DSA": 843 sig = JsseJce.getSignature(JsseJce.SIGNATURE_DSA); 844 break; 845 case "RSA": 846 sig = RSASignature.getInstance(); 847 break; 848 default: 849 throw new SSLKeyException("neither an RSA or a DSA key"); 850 } 851 } 852 853 sig.initVerify(publicKey); 854 updateSignature(sig, clntNonce, svrNonce); 855 856 if (sig.verify(signature) == false ) { 857 throw new SSLKeyException("Server D-H key verification failed"); 858 } 859 } 860 861 /* Return the Diffie-Hellman modulus */ 862 BigInteger getModulus() { 863 return new BigInteger(1, dh_p); 864 } 865 866 /* Return the Diffie-Hellman base/generator */ 867 BigInteger getBase() { 868 return new BigInteger(1, dh_g); 869 } 870 871 /* Return the server's Diffie-Hellman public key */ 872 BigInteger getServerPublicKey() { 873 return new BigInteger(1, dh_Ys); 874 } 875 876 /* 877 * Update sig with nonces and Diffie-Hellman public key. 878 */ 879 private void updateSignature(Signature sig, byte clntNonce[], 880 byte svrNonce[]) throws SignatureException { 881 int tmp; 882 883 sig.update(clntNonce); 884 sig.update(svrNonce); 885 886 tmp = dh_p.length; 887 sig.update((byte)(tmp >> 8)); 888 sig.update((byte)(tmp & 0x0ff)); 889 sig.update(dh_p); 890 891 tmp = dh_g.length; 892 sig.update((byte)(tmp >> 8)); 893 sig.update((byte)(tmp & 0x0ff)); 894 sig.update(dh_g); 895 896 tmp = dh_Ys.length; 897 sig.update((byte)(tmp >> 8)); 898 sig.update((byte)(tmp & 0x0ff)); 899 sig.update(dh_Ys); 900 } 901 902 private void setValues(DHCrypt obj) { 903 dh_p = toByteArray(obj.getModulus()); 904 dh_g = toByteArray(obj.getBase()); 905 dh_Ys = toByteArray(obj.getPublicKey()); 906 } 907 908 @Override 909 int messageLength() { 910 int temp = 6; // overhead for p, g, y(s) values. 911 912 temp += dh_p.length; 913 temp += dh_g.length; 914 temp += dh_Ys.length; 915 916 if (signature != null) { 917 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 918 temp += SignatureAndHashAlgorithm.sizeInRecord(); 919 } 920 921 temp += signature.length; 922 if (dhKeyExchangeFix) { 923 temp += 2; 924 } 925 } 926 927 return temp; 928 } 929 930 @Override 931 void send(HandshakeOutStream s) throws IOException { 932 s.putBytes16(dh_p); 933 s.putBytes16(dh_g); 934 s.putBytes16(dh_Ys); 935 936 if (signature != null) { 937 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 938 s.putInt8(preferableSignatureAlgorithm.getHashValue()); 939 s.putInt8(preferableSignatureAlgorithm.getSignatureValue()); 940 } 941 942 if (dhKeyExchangeFix) { 943 s.putBytes16(signature); 944 } else { 945 s.write(signature); 946 } 947 } 948 } 949 950 @Override 951 void print(PrintStream s) throws IOException { 952 s.println("*** Diffie-Hellman ServerKeyExchange"); 953 954 if (debug != null && Debug.isOn("verbose")) { 955 Debug.println(s, "DH Modulus", dh_p); 956 Debug.println(s, "DH Base", dh_g); 957 Debug.println(s, "Server DH Public Key", dh_Ys); 958 959 if (signature == null) { 960 s.println("Anonymous"); 961 } else { 962 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 963 s.println("Signature Algorithm " + 964 preferableSignatureAlgorithm.getAlgorithmName()); 965 } 966 967 s.println("Signed with a DSA or RSA public key"); 968 } 969 } 970 } 971 } 972 973 /* 974 * ECDH server key exchange message. Sent by the server for ECDHE and ECDH_anon 975 * ciphersuites to communicate its ephemeral public key (including the 976 * EC domain parameters). 977 * 978 * We support named curves only, no explicitly encoded curves. 979 */ 980 static final 981 class ECDH_ServerKeyExchange extends ServerKeyExchange { 982 983 // constants for ECCurveType 984 private final static int CURVE_EXPLICIT_PRIME = 1; 985 private final static int CURVE_EXPLICIT_CHAR2 = 2; 986 private final static int CURVE_NAMED_CURVE = 3; 987 988 // id of the curve we are using 989 private int curveId; 990 // encoded public point 991 private byte[] pointBytes; 992 993 // signature bytes (or null if anonymous) 994 private byte[] signatureBytes; 995 996 // public key object encapsulated in this message 997 private ECPublicKey publicKey; 998 999 // protocol version being established using this ServerKeyExchange message 1000 ProtocolVersion protocolVersion; 1001 1002 // the preferable signature algorithm used by this ServerKeyExchange message 1003 private SignatureAndHashAlgorithm preferableSignatureAlgorithm; 1004 1005 ECDH_ServerKeyExchange(ECDHCrypt obj, PrivateKey privateKey, 1006 byte[] clntNonce, byte[] svrNonce, SecureRandom sr, 1007 SignatureAndHashAlgorithm signAlgorithm, 1008 ProtocolVersion protocolVersion) throws GeneralSecurityException { 1009 1010 this.protocolVersion = protocolVersion; 1011 1012 publicKey = (ECPublicKey)obj.getPublicKey(); 1013 ECParameterSpec params = publicKey.getParams(); 1014 ECPoint point = publicKey.getW(); 1015 pointBytes = JsseJce.encodePoint(point, params.getCurve()); 1016 curveId = SupportedEllipticCurvesExtension.getCurveIndex(params); 1017 1018 if (privateKey == null) { 1019 // ECDH_anon 1020 return; 1021 } 1022 1023 Signature sig; 1024 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 1025 this.preferableSignatureAlgorithm = signAlgorithm; 1026 sig = JsseJce.getSignature(signAlgorithm.getAlgorithmName()); 1027 } else { 1028 sig = getSignature(privateKey.getAlgorithm()); 1029 } 1030 sig.initSign(privateKey); // where is the SecureRandom? 1031 1032 updateSignature(sig, clntNonce, svrNonce); 1033 signatureBytes = sig.sign(); 1034 } 1035 1036 /* 1037 * Parse an ECDH server key exchange message. 1038 */ 1039 ECDH_ServerKeyExchange(HandshakeInStream input, PublicKey signingKey, 1040 byte[] clntNonce, byte[] svrNonce, 1041 Collection<SignatureAndHashAlgorithm> localSupportedSignAlgs, 1042 ProtocolVersion protocolVersion) 1043 throws IOException, GeneralSecurityException { 1044 1045 this.protocolVersion = protocolVersion; 1046 1047 // read params: ServerECDHParams 1048 int curveType = input.getInt8(); 1049 ECParameterSpec parameters; 1050 // These parsing errors should never occur as we negotiated 1051 // the supported curves during the exchange of the Hello messages. 1052 if (curveType == CURVE_NAMED_CURVE) { 1053 curveId = input.getInt16(); 1054 if (SupportedEllipticCurvesExtension.isSupported(curveId) 1055 == false) { 1056 throw new SSLHandshakeException( 1057 "Unsupported curveId: " + curveId); 1058 } 1059 String curveOid = 1060 SupportedEllipticCurvesExtension.getCurveOid(curveId); 1061 if (curveOid == null) { 1062 throw new SSLHandshakeException( 1063 "Unknown named curve: " + curveId); 1064 } 1065 parameters = JsseJce.getECParameterSpec(curveOid); 1066 if (parameters == null) { 1067 throw new SSLHandshakeException( 1068 "Unsupported curve: " + curveOid); 1069 } 1070 } else { 1071 throw new SSLHandshakeException( 1072 "Unsupported ECCurveType: " + curveType); 1073 } 1074 pointBytes = input.getBytes8(); 1075 1076 ECPoint point = JsseJce.decodePoint(pointBytes, parameters.getCurve()); 1077 KeyFactory factory = JsseJce.getKeyFactory("EC"); 1078 publicKey = (ECPublicKey)factory.generatePublic( 1079 new ECPublicKeySpec(point, parameters)); 1080 1081 if (signingKey == null) { 1082 // ECDH_anon 1083 return; 1084 } 1085 1086 // read the signature and hash algorithm 1087 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 1088 int hash = input.getInt8(); // hash algorithm 1089 int signature = input.getInt8(); // signature algorithm 1090 1091 preferableSignatureAlgorithm = 1092 SignatureAndHashAlgorithm.valueOf(hash, signature, 0); 1093 1094 // Is it a local supported signature algorithm? 1095 if (!localSupportedSignAlgs.contains( 1096 preferableSignatureAlgorithm)) { 1097 throw new SSLHandshakeException( 1098 "Unsupported SignatureAndHashAlgorithm in " + 1099 "ServerKeyExchange message"); 1100 } 1101 } 1102 1103 // read the signature 1104 signatureBytes = input.getBytes16(); 1105 1106 // verify the signature 1107 Signature sig; 1108 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 1109 sig = JsseJce.getSignature( 1110 preferableSignatureAlgorithm.getAlgorithmName()); 1111 } else { 1112 sig = getSignature(signingKey.getAlgorithm()); 1113 } 1114 sig.initVerify(signingKey); 1115 1116 updateSignature(sig, clntNonce, svrNonce); 1117 1118 if (sig.verify(signatureBytes) == false ) { 1119 throw new SSLKeyException( 1120 "Invalid signature on ECDH server key exchange message"); 1121 } 1122 } 1123 1124 /* 1125 * Get the ephemeral EC public key encapsulated in this message. 1126 */ 1127 ECPublicKey getPublicKey() { 1128 return publicKey; 1129 } 1130 1131 private static Signature getSignature(String keyAlgorithm) 1132 throws NoSuchAlgorithmException { 1133 switch (keyAlgorithm) { 1134 case "EC": 1135 return JsseJce.getSignature(JsseJce.SIGNATURE_ECDSA); 1136 case "RSA": 1137 return RSASignature.getInstance(); 1138 default: 1139 throw new NoSuchAlgorithmException("neither an RSA or a EC key"); 1140 } 1141 } 1142 1143 private void updateSignature(Signature sig, byte clntNonce[], 1144 byte svrNonce[]) throws SignatureException { 1145 sig.update(clntNonce); 1146 sig.update(svrNonce); 1147 1148 sig.update((byte)CURVE_NAMED_CURVE); 1149 sig.update((byte)(curveId >> 8)); 1150 sig.update((byte)curveId); 1151 sig.update((byte)pointBytes.length); 1152 sig.update(pointBytes); 1153 } 1154 1155 @Override 1156 int messageLength() { 1157 int sigLen = 0; 1158 if (signatureBytes != null) { 1159 sigLen = 2 + signatureBytes.length; 1160 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 1161 sigLen += SignatureAndHashAlgorithm.sizeInRecord(); 1162 } 1163 } 1164 1165 return 4 + pointBytes.length + sigLen; 1166 } 1167 1168 @Override 1169 void send(HandshakeOutStream s) throws IOException { 1170 s.putInt8(CURVE_NAMED_CURVE); 1171 s.putInt16(curveId); 1172 s.putBytes8(pointBytes); 1173 1174 if (signatureBytes != null) { 1175 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 1176 s.putInt8(preferableSignatureAlgorithm.getHashValue()); 1177 s.putInt8(preferableSignatureAlgorithm.getSignatureValue()); 1178 } 1179 1180 s.putBytes16(signatureBytes); 1181 } 1182 } 1183 1184 @Override 1185 void print(PrintStream s) throws IOException { 1186 s.println("*** ECDH ServerKeyExchange"); 1187 1188 if (debug != null && Debug.isOn("verbose")) { 1189 if (signatureBytes == null) { 1190 s.println("Anonymous"); 1191 } else { 1192 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 1193 s.println("Signature Algorithm " + 1194 preferableSignatureAlgorithm.getAlgorithmName()); 1195 } 1196 } 1197 1198 s.println("Server key: " + publicKey); 1199 } 1200 } 1201 } 1202 1203 static final class DistinguishedName { 1204 1205 /* 1206 * DER encoded distinguished name. 1207 * TLS requires that its not longer than 65535 bytes. 1208 */ 1209 byte name[]; 1210 1211 DistinguishedName(HandshakeInStream input) throws IOException { 1212 name = input.getBytes16(); 1213 } 1214 1215 DistinguishedName(X500Principal dn) { 1216 name = dn.getEncoded(); 1217 } 1218 1219 X500Principal getX500Principal() throws IOException { 1220 try { 1221 return new X500Principal(name); 1222 } catch (IllegalArgumentException e) { 1223 throw (SSLProtocolException)new SSLProtocolException( 1224 e.getMessage()).initCause(e); 1225 } 1226 } 1227 1228 int length() { 1229 return 2 + name.length; 1230 } 1231 1232 void send(HandshakeOutStream output) throws IOException { 1233 output.putBytes16(name); 1234 } 1235 1236 void print(PrintStream output) throws IOException { 1237 X500Principal principal = new X500Principal(name); 1238 output.println("<" + principal.toString() + ">"); 1239 } 1240 } 1241 1242 /* 1243 * CertificateRequest ... SERVER --> CLIENT 1244 * 1245 * Authenticated servers may ask clients to authenticate themselves 1246 * in turn, using this message. 1247 * 1248 * Prior to TLS 1.2, the structure of the message is defined as: 1249 * struct { 1250 * ClientCertificateType certificate_types<1..2^8-1>; 1251 * DistinguishedName certificate_authorities<0..2^16-1>; 1252 * } CertificateRequest; 1253 * 1254 * In TLS 1.2, the structure is changed to: 1255 * struct { 1256 * ClientCertificateType certificate_types<1..2^8-1>; 1257 * SignatureAndHashAlgorithm 1258 * supported_signature_algorithms<2^16-1>; 1259 * DistinguishedName certificate_authorities<0..2^16-1>; 1260 * } CertificateRequest; 1261 * 1262 */ 1263 static final 1264 class CertificateRequest extends HandshakeMessage 1265 { 1266 // enum ClientCertificateType 1267 static final int cct_rsa_sign = 1; 1268 static final int cct_dss_sign = 2; 1269 static final int cct_rsa_fixed_dh = 3; 1270 static final int cct_dss_fixed_dh = 4; 1271 1272 // The existance of these two values is a bug in the SSL specification. 1273 // They are never used in the protocol. 1274 static final int cct_rsa_ephemeral_dh = 5; 1275 static final int cct_dss_ephemeral_dh = 6; 1276 1277 // From RFC 4492 (ECC) 1278 static final int cct_ecdsa_sign = 64; 1279 static final int cct_rsa_fixed_ecdh = 65; 1280 static final int cct_ecdsa_fixed_ecdh = 66; 1281 1282 private final static byte[] TYPES_NO_ECC = { cct_rsa_sign, cct_dss_sign }; 1283 private final static byte[] TYPES_ECC = 1284 { cct_rsa_sign, cct_dss_sign, cct_ecdsa_sign }; 1285 1286 byte types []; // 1 to 255 types 1287 DistinguishedName authorities []; // 3 to 2^16 - 1 1288 // ... "3" because that's the smallest DER-encoded X500 DN 1289 1290 // protocol version being established using this CertificateRequest message 1291 ProtocolVersion protocolVersion; 1292 1293 // supported_signature_algorithms for TLS 1.2 or later 1294 private Collection<SignatureAndHashAlgorithm> algorithms; 1295 1296 // length of supported_signature_algorithms 1297 private int algorithmsLen; 1298 1299 CertificateRequest(X509Certificate ca[], KeyExchange keyExchange, 1300 Collection<SignatureAndHashAlgorithm> signAlgs, 1301 ProtocolVersion protocolVersion) throws IOException { 1302 1303 this.protocolVersion = protocolVersion; 1304 1305 // always use X500Principal 1306 authorities = new DistinguishedName[ca.length]; 1307 for (int i = 0; i < ca.length; i++) { 1308 X500Principal x500Principal = ca[i].getSubjectX500Principal(); 1309 authorities[i] = new DistinguishedName(x500Principal); 1310 } 1311 // we support RSA, DSS, and ECDSA client authentication and they 1312 // can be used with all ciphersuites. If this changes, the code 1313 // needs to be adapted to take keyExchange into account. 1314 // We only request ECDSA client auth if we have ECC crypto available. 1315 this.types = JsseJce.isEcAvailable() ? TYPES_ECC : TYPES_NO_ECC; 1316 1317 // Use supported_signature_algorithms for TLS 1.2 or later. 1318 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 1319 if (signAlgs == null || signAlgs.isEmpty()) { 1320 throw new SSLProtocolException( 1321 "No supported signature algorithms"); 1322 } 1323 1324 algorithms = new ArrayList<SignatureAndHashAlgorithm>(signAlgs); 1325 algorithmsLen = 1326 SignatureAndHashAlgorithm.sizeInRecord() * algorithms.size(); 1327 } else { 1328 algorithms = new ArrayList<SignatureAndHashAlgorithm>(); 1329 algorithmsLen = 0; 1330 } 1331 } 1332 1333 CertificateRequest(HandshakeInStream input, 1334 ProtocolVersion protocolVersion) throws IOException { 1335 1336 this.protocolVersion = protocolVersion; 1337 1338 // Read the certificate_types. 1339 types = input.getBytes8(); 1340 1341 // Read the supported_signature_algorithms for TLS 1.2 or later. 1342 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 1343 algorithmsLen = input.getInt16(); 1344 if (algorithmsLen < 2) { 1345 throw new SSLProtocolException( 1346 "Invalid supported_signature_algorithms field"); 1347 } 1348 1349 algorithms = new ArrayList<SignatureAndHashAlgorithm>(); 1350 int remains = algorithmsLen; 1351 int sequence = 0; 1352 while (remains > 1) { // needs at least two bytes 1353 int hash = input.getInt8(); // hash algorithm 1354 int signature = input.getInt8(); // signature algorithm 1355 1356 SignatureAndHashAlgorithm algorithm = 1357 SignatureAndHashAlgorithm.valueOf(hash, signature, 1358 ++sequence); 1359 algorithms.add(algorithm); 1360 remains -= 2; // one byte for hash, one byte for signature 1361 } 1362 1363 if (remains != 0) { 1364 throw new SSLProtocolException( 1365 "Invalid supported_signature_algorithms field"); 1366 } 1367 } else { 1368 algorithms = new ArrayList<SignatureAndHashAlgorithm>(); 1369 algorithmsLen = 0; 1370 } 1371 1372 // read the certificate_authorities 1373 int len = input.getInt16(); 1374 ArrayList<DistinguishedName> v = new ArrayList<>(); 1375 while (len >= 3) { 1376 DistinguishedName dn = new DistinguishedName(input); 1377 v.add(dn); 1378 len -= dn.length(); 1379 } 1380 1381 if (len != 0) { 1382 throw new SSLProtocolException("Bad CertificateRequest DN length"); 1383 } 1384 1385 authorities = v.toArray(new DistinguishedName[v.size()]); 1386 } 1387 1388 X500Principal[] getAuthorities() throws IOException { 1389 X500Principal[] ret = new X500Principal[authorities.length]; 1390 for (int i = 0; i < authorities.length; i++) { 1391 ret[i] = authorities[i].getX500Principal(); 1392 } 1393 return ret; 1394 } 1395 1396 Collection<SignatureAndHashAlgorithm> getSignAlgorithms() { 1397 return algorithms; 1398 } 1399 1400 @Override 1401 int messageType() { 1402 return ht_certificate_request; 1403 } 1404 1405 @Override 1406 int messageLength() { 1407 int len = 1 + types.length + 2; 1408 1409 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 1410 len += algorithmsLen + 2; 1411 } 1412 1413 for (int i = 0; i < authorities.length; i++) { 1414 len += authorities[i].length(); 1415 } 1416 1417 return len; 1418 } 1419 1420 @Override 1421 void send(HandshakeOutStream output) throws IOException { 1422 // put certificate_types 1423 output.putBytes8(types); 1424 1425 // put supported_signature_algorithms 1426 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 1427 output.putInt16(algorithmsLen); 1428 for (SignatureAndHashAlgorithm algorithm : algorithms) { 1429 output.putInt8(algorithm.getHashValue()); // hash 1430 output.putInt8(algorithm.getSignatureValue()); // signature 1431 } 1432 } 1433 1434 // put certificate_authorities 1435 int len = 0; 1436 for (int i = 0; i < authorities.length; i++) { 1437 len += authorities[i].length(); 1438 } 1439 1440 output.putInt16(len); 1441 for (int i = 0; i < authorities.length; i++) { 1442 authorities[i].send(output); 1443 } 1444 } 1445 1446 @Override 1447 void print(PrintStream s) throws IOException { 1448 s.println("*** CertificateRequest"); 1449 1450 if (debug != null && Debug.isOn("verbose")) { 1451 s.print("Cert Types: "); 1452 for (int i = 0; i < types.length; i++) { 1453 switch (types[i]) { 1454 case cct_rsa_sign: 1455 s.print("RSA"); break; 1456 case cct_dss_sign: 1457 s.print("DSS"); break; 1458 case cct_rsa_fixed_dh: 1459 s.print("Fixed DH (RSA sig)"); break; 1460 case cct_dss_fixed_dh: 1461 s.print("Fixed DH (DSS sig)"); break; 1462 case cct_rsa_ephemeral_dh: 1463 s.print("Ephemeral DH (RSA sig)"); break; 1464 case cct_dss_ephemeral_dh: 1465 s.print("Ephemeral DH (DSS sig)"); break; 1466 case cct_ecdsa_sign: 1467 s.print("ECDSA"); break; 1468 case cct_rsa_fixed_ecdh: 1469 s.print("Fixed ECDH (RSA sig)"); break; 1470 case cct_ecdsa_fixed_ecdh: 1471 s.print("Fixed ECDH (ECDSA sig)"); break; 1472 default: 1473 s.print("Type-" + (types[i] & 0xff)); break; 1474 } 1475 if (i != types.length - 1) { 1476 s.print(", "); 1477 } 1478 } 1479 s.println(); 1480 1481 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 1482 StringBuilder sb = new StringBuilder(); 1483 boolean opened = false; 1484 for (SignatureAndHashAlgorithm signAlg : algorithms) { 1485 if (opened) { 1486 sb.append(", ").append(signAlg.getAlgorithmName()); 1487 } else { 1488 sb.append(signAlg.getAlgorithmName()); 1489 opened = true; 1490 } 1491 } 1492 s.println("Supported Signature Algorithms: " + sb); 1493 } 1494 1495 s.println("Cert Authorities:"); 1496 if (authorities.length == 0) { 1497 s.println("<Empty>"); 1498 } else { 1499 for (int i = 0; i < authorities.length; i++) { 1500 authorities[i].print(s); 1501 } 1502 } 1503 } 1504 } 1505 } 1506 1507 1508 /* 1509 * ServerHelloDone ... SERVER --> CLIENT 1510 * 1511 * When server's done sending its messages in response to the client's 1512 * "hello" (e.g. its own hello, certificate, key exchange message, perhaps 1513 * client certificate request) it sends this message to flag that it's 1514 * done that part of the handshake. 1515 */ 1516 static final 1517 class ServerHelloDone extends HandshakeMessage 1518 { 1519 @Override 1520 int messageType() { return ht_server_hello_done; } 1521 1522 ServerHelloDone() { } 1523 1524 ServerHelloDone(HandshakeInStream input) 1525 { 1526 // nothing to do 1527 } 1528 1529 @Override 1530 int messageLength() 1531 { 1532 return 0; 1533 } 1534 1535 @Override 1536 void send(HandshakeOutStream s) throws IOException 1537 { 1538 // nothing to send 1539 } 1540 1541 @Override 1542 void print(PrintStream s) throws IOException 1543 { 1544 s.println("*** ServerHelloDone"); 1545 } 1546 } 1547 1548 1549 /* 1550 * CertificateVerify ... CLIENT --> SERVER 1551 * 1552 * Sent after client sends signature-capable certificates (e.g. not 1553 * Diffie-Hellman) to verify. 1554 */ 1555 static final class CertificateVerify extends HandshakeMessage { 1556 1557 // the signature bytes 1558 private byte[] signature; 1559 1560 // protocol version being established using this ServerKeyExchange message 1561 ProtocolVersion protocolVersion; 1562 1563 // the preferable signature algorithm used by this CertificateVerify message 1564 private SignatureAndHashAlgorithm preferableSignatureAlgorithm = null; 1565 1566 /* 1567 * Create an RSA or DSA signed certificate verify message. 1568 */ 1569 CertificateVerify(ProtocolVersion protocolVersion, 1570 HandshakeHash handshakeHash, PrivateKey privateKey, 1571 SecretKey masterSecret, SecureRandom sr, 1572 SignatureAndHashAlgorithm signAlgorithm) 1573 throws GeneralSecurityException { 1574 1575 this.protocolVersion = protocolVersion; 1576 1577 String algorithm = privateKey.getAlgorithm(); 1578 Signature sig = null; 1579 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 1580 this.preferableSignatureAlgorithm = signAlgorithm; 1581 sig = JsseJce.getSignature(signAlgorithm.getAlgorithmName()); 1582 } else { 1583 sig = getSignature(protocolVersion, algorithm); 1584 } 1585 sig.initSign(privateKey, sr); 1586 updateSignature(sig, protocolVersion, handshakeHash, algorithm, 1587 masterSecret); 1588 signature = sig.sign(); 1589 } 1590 1591 // 1592 // Unmarshal the signed data from the input stream. 1593 // 1594 CertificateVerify(HandshakeInStream input, 1595 Collection<SignatureAndHashAlgorithm> localSupportedSignAlgs, 1596 ProtocolVersion protocolVersion) throws IOException { 1597 1598 this.protocolVersion = protocolVersion; 1599 1600 // read the signature and hash algorithm 1601 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 1602 int hashAlg = input.getInt8(); // hash algorithm 1603 int signAlg = input.getInt8(); // signature algorithm 1604 1605 preferableSignatureAlgorithm = 1606 SignatureAndHashAlgorithm.valueOf(hashAlg, signAlg, 0); 1607 1608 // Is it a local supported signature algorithm? 1609 if (!localSupportedSignAlgs.contains( 1610 preferableSignatureAlgorithm)) { 1611 throw new SSLHandshakeException( 1612 "Unsupported SignatureAndHashAlgorithm in " + 1613 "ServerKeyExchange message"); 1614 } 1615 } 1616 1617 // read the signature 1618 signature = input.getBytes16(); 1619 } 1620 1621 /* 1622 * Get the preferable signature algorithm used by this message 1623 */ 1624 SignatureAndHashAlgorithm getPreferableSignatureAlgorithm() { 1625 return preferableSignatureAlgorithm; 1626 } 1627 1628 /* 1629 * Verify a certificate verify message. Return the result of verification, 1630 * if there is a problem throw a GeneralSecurityException. 1631 */ 1632 boolean verify(ProtocolVersion protocolVersion, 1633 HandshakeHash handshakeHash, PublicKey publicKey, 1634 SecretKey masterSecret) throws GeneralSecurityException { 1635 String algorithm = publicKey.getAlgorithm(); 1636 Signature sig = null; 1637 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 1638 sig = JsseJce.getSignature( 1639 preferableSignatureAlgorithm.getAlgorithmName()); 1640 } else { 1641 sig = getSignature(protocolVersion, algorithm); 1642 } 1643 sig.initVerify(publicKey); 1644 updateSignature(sig, protocolVersion, handshakeHash, algorithm, 1645 masterSecret); 1646 return sig.verify(signature); 1647 } 1648 1649 /* 1650 * Get the Signature object appropriate for verification using the 1651 * given signature algorithm and protocol version. 1652 */ 1653 private static Signature getSignature(ProtocolVersion protocolVersion, 1654 String algorithm) throws GeneralSecurityException { 1655 switch (algorithm) { 1656 case "RSA": 1657 return RSASignature.getInternalInstance(); 1658 case "DSA": 1659 return JsseJce.getSignature(JsseJce.SIGNATURE_RAWDSA); 1660 case "EC": 1661 return JsseJce.getSignature(JsseJce.SIGNATURE_RAWECDSA); 1662 default: 1663 throw new SignatureException("Unrecognized algorithm: " 1664 + algorithm); 1665 } 1666 } 1667 1668 /* 1669 * Update the Signature with the data appropriate for the given 1670 * signature algorithm and protocol version so that the object is 1671 * ready for signing or verifying. 1672 */ 1673 private static void updateSignature(Signature sig, 1674 ProtocolVersion protocolVersion, 1675 HandshakeHash handshakeHash, String algorithm, SecretKey masterKey) 1676 throws SignatureException { 1677 1678 if (algorithm.equals("RSA")) { 1679 if (protocolVersion.v < ProtocolVersion.TLS12.v) { // TLS1.1- 1680 MessageDigest md5Clone = handshakeHash.getMD5Clone(); 1681 MessageDigest shaClone = handshakeHash.getSHAClone(); 1682 1683 if (protocolVersion.v < ProtocolVersion.TLS10.v) { // SSLv3 1684 updateDigest(md5Clone, MD5_pad1, MD5_pad2, masterKey); 1685 updateDigest(shaClone, SHA_pad1, SHA_pad2, masterKey); 1686 } 1687 1688 // The signature must be an instance of RSASignature, need 1689 // to use these hashes directly. 1690 RSASignature.setHashes(sig, md5Clone, shaClone); 1691 } else { // TLS1.2+ 1692 sig.update(handshakeHash.getAllHandshakeMessages()); 1693 } 1694 } else { // DSA, ECDSA 1695 if (protocolVersion.v < ProtocolVersion.TLS12.v) { // TLS1.1- 1696 MessageDigest shaClone = handshakeHash.getSHAClone(); 1697 1698 if (protocolVersion.v < ProtocolVersion.TLS10.v) { // SSLv3 1699 updateDigest(shaClone, SHA_pad1, SHA_pad2, masterKey); 1700 } 1701 1702 sig.update(shaClone.digest()); 1703 } else { // TLS1.2+ 1704 sig.update(handshakeHash.getAllHandshakeMessages()); 1705 } 1706 } 1707 } 1708 1709 /* 1710 * Update the MessageDigest for SSLv3 certificate verify or finished 1711 * message calculation. The digest must already have been updated with 1712 * all preceding handshake messages. 1713 * Used by the Finished class as well. 1714 */ 1715 private static void updateDigest(MessageDigest md, 1716 byte[] pad1, byte[] pad2, 1717 SecretKey masterSecret) { 1718 // Digest the key bytes if available. 1719 // Otherwise (sensitive key), try digesting the key directly. 1720 // That is currently only implemented in SunPKCS11 using a private 1721 // reflection API, so we avoid that if possible. 1722 byte[] keyBytes = "RAW".equals(masterSecret.getFormat()) 1723 ? masterSecret.getEncoded() : null; 1724 if (keyBytes != null) { 1725 md.update(keyBytes); 1726 } else { 1727 digestKey(md, masterSecret); 1728 } 1729 md.update(pad1); 1730 byte[] temp = md.digest(); 1731 1732 if (keyBytes != null) { 1733 md.update(keyBytes); 1734 } else { 1735 digestKey(md, masterSecret); 1736 } 1737 md.update(pad2); 1738 md.update(temp); 1739 } 1740 1741 private final static Class<?> delegate; 1742 private final static Field spiField; 1743 1744 static { 1745 try { 1746 delegate = Class.forName("java.security.MessageDigest$Delegate"); 1747 spiField = delegate.getDeclaredField("digestSpi"); 1748 } catch (Exception e) { 1749 throw new RuntimeException("Reflection failed", e); 1750 } 1751 makeAccessible(spiField); 1752 } 1753 1754 private static void makeAccessible(final AccessibleObject o) { 1755 AccessController.doPrivileged(new PrivilegedAction<Object>() { 1756 @Override 1757 public Object run() { 1758 o.setAccessible(true); 1759 return null; 1760 } 1761 }); 1762 } 1763 1764 // ConcurrentHashMap does not allow null values, use this marker object 1765 private final static Object NULL_OBJECT = new Object(); 1766 1767 // cache Method objects per Spi class 1768 // Note that this will prevent the Spi classes from being GC'd. We assume 1769 // that is not a problem. 1770 private final static Map<Class<?>,Object> methodCache = 1771 new ConcurrentHashMap<>(); 1772 1773 private static void digestKey(MessageDigest md, SecretKey key) { 1774 try { 1775 // Verify that md is implemented via MessageDigestSpi, not 1776 // via JDK 1.1 style MessageDigest subclassing. 1777 if (md.getClass() != delegate) { 1778 throw new Exception("Digest is not a MessageDigestSpi"); 1779 } 1780 MessageDigestSpi spi = (MessageDigestSpi)spiField.get(md); 1781 Class<?> clazz = spi.getClass(); 1782 Object r = methodCache.get(clazz); 1783 if (r == null) { 1784 try { 1785 r = clazz.getDeclaredMethod("implUpdate", SecretKey.class); 1786 makeAccessible((Method)r); 1787 } catch (NoSuchMethodException e) { 1788 r = NULL_OBJECT; 1789 } 1790 methodCache.put(clazz, r); 1791 } 1792 if (r == NULL_OBJECT) { 1793 throw new Exception( 1794 "Digest does not support implUpdate(SecretKey)"); 1795 } 1796 Method update = (Method)r; 1797 update.invoke(spi, key); 1798 } catch (Exception e) { 1799 throw new RuntimeException( 1800 "Could not obtain encoded key and " 1801 + "MessageDigest cannot digest key", e); 1802 } 1803 } 1804 1805 @Override 1806 int messageType() { 1807 return ht_certificate_verify; 1808 } 1809 1810 @Override 1811 int messageLength() { 1812 int temp = 2; 1813 1814 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 1815 temp += SignatureAndHashAlgorithm.sizeInRecord(); 1816 } 1817 1818 return temp + signature.length; 1819 } 1820 1821 @Override 1822 void send(HandshakeOutStream s) throws IOException { 1823 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 1824 s.putInt8(preferableSignatureAlgorithm.getHashValue()); 1825 s.putInt8(preferableSignatureAlgorithm.getSignatureValue()); 1826 } 1827 1828 s.putBytes16(signature); 1829 } 1830 1831 @Override 1832 void print(PrintStream s) throws IOException { 1833 s.println("*** CertificateVerify"); 1834 1835 if (debug != null && Debug.isOn("verbose")) { 1836 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 1837 s.println("Signature Algorithm " + 1838 preferableSignatureAlgorithm.getAlgorithmName()); 1839 } 1840 } 1841 } 1842 } 1843 1844 1845 /* 1846 * FINISHED ... sent by both CLIENT and SERVER 1847 * 1848 * This is the FINISHED message as defined in the SSL and TLS protocols. 1849 * Both protocols define this handshake message slightly differently. 1850 * This class supports both formats. 1851 * 1852 * When handshaking is finished, each side sends a "change_cipher_spec" 1853 * record, then immediately sends a "finished" handshake message prepared 1854 * according to the newly adopted cipher spec. 1855 * 1856 * NOTE that until this is sent, no application data may be passed, unless 1857 * some non-default cipher suite has already been set up on this connection 1858 * connection (e.g. a previous handshake arranged one). 1859 */ 1860 static final class Finished extends HandshakeMessage { 1861 1862 // constant for a Finished message sent by the client 1863 final static int CLIENT = 1; 1864 1865 // constant for a Finished message sent by the server 1866 final static int SERVER = 2; 1867 1868 // enum Sender: "CLNT" and "SRVR" 1869 private static final byte[] SSL_CLIENT = { 0x43, 0x4C, 0x4E, 0x54 }; 1870 private static final byte[] SSL_SERVER = { 0x53, 0x52, 0x56, 0x52 }; 1871 1872 /* 1873 * Contents of the finished message ("checksum"). For TLS, it 1874 * is 12 bytes long, for SSLv3 36 bytes. 1875 */ 1876 private byte[] verifyData; 1877 1878 /* 1879 * Current cipher suite we are negotiating. TLS 1.2 has 1880 * ciphersuite-defined PRF algorithms. 1881 */ 1882 private ProtocolVersion protocolVersion; 1883 private CipherSuite cipherSuite; 1884 1885 /* 1886 * Create a finished message to send to the remote peer. 1887 */ 1888 Finished(ProtocolVersion protocolVersion, HandshakeHash handshakeHash, 1889 int sender, SecretKey master, CipherSuite cipherSuite) { 1890 this.protocolVersion = protocolVersion; 1891 this.cipherSuite = cipherSuite; 1892 verifyData = getFinished(handshakeHash, sender, master); 1893 } 1894 1895 /* 1896 * Constructor that reads FINISHED message from stream. 1897 */ 1898 Finished(ProtocolVersion protocolVersion, HandshakeInStream input, 1899 CipherSuite cipherSuite) throws IOException { 1900 this.protocolVersion = protocolVersion; 1901 this.cipherSuite = cipherSuite; 1902 int msgLen = (protocolVersion.v >= ProtocolVersion.TLS10.v) ? 12 : 36; 1903 verifyData = new byte[msgLen]; 1904 input.read(verifyData); 1905 } 1906 1907 /* 1908 * Verify that the hashes here are what would have been produced 1909 * according to a given set of inputs. This is used to ensure that 1910 * both client and server are fully in sync, and that the handshake 1911 * computations have been successful. 1912 */ 1913 boolean verify(HandshakeHash handshakeHash, int sender, SecretKey master) { 1914 byte[] myFinished = getFinished(handshakeHash, sender, master); 1915 return Arrays.equals(myFinished, verifyData); 1916 } 1917 1918 /* 1919 * Perform the actual finished message calculation. 1920 */ 1921 private byte[] getFinished(HandshakeHash handshakeHash, 1922 int sender, SecretKey masterKey) { 1923 byte[] sslLabel; 1924 String tlsLabel; 1925 if (sender == CLIENT) { 1926 sslLabel = SSL_CLIENT; 1927 tlsLabel = "client finished"; 1928 } else if (sender == SERVER) { 1929 sslLabel = SSL_SERVER; 1930 tlsLabel = "server finished"; 1931 } else { 1932 throw new RuntimeException("Invalid sender: " + sender); 1933 } 1934 1935 if (protocolVersion.v >= ProtocolVersion.TLS10.v) { 1936 // TLS 1.0+ 1937 try { 1938 byte [] seed; 1939 String prfAlg; 1940 PRF prf; 1941 1942 // Get the KeyGenerator alg and calculate the seed. 1943 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 1944 // TLS 1.2 1945 seed = handshakeHash.getFinishedHash(); 1946 1947 prfAlg = "SunTls12Prf"; 1948 prf = cipherSuite.prfAlg; 1949 } else { 1950 // TLS 1.0/1.1 1951 MessageDigest md5Clone = handshakeHash.getMD5Clone(); 1952 MessageDigest shaClone = handshakeHash.getSHAClone(); 1953 seed = new byte[36]; 1954 md5Clone.digest(seed, 0, 16); 1955 shaClone.digest(seed, 16, 20); 1956 1957 prfAlg = "SunTlsPrf"; 1958 prf = P_NONE; 1959 } 1960 1961 String prfHashAlg = prf.getPRFHashAlg(); 1962 int prfHashLength = prf.getPRFHashLength(); 1963 int prfBlockSize = prf.getPRFBlockSize(); 1964 1965 /* 1966 * RFC 5246/7.4.9 says that finished messages can 1967 * be ciphersuite-specific in both length/PRF hash 1968 * algorithm. If we ever run across a different 1969 * length, this call will need to be updated. 1970 */ 1971 @SuppressWarnings("deprecation") 1972 TlsPrfParameterSpec spec = new TlsPrfParameterSpec( 1973 masterKey, tlsLabel, seed, 12, 1974 prfHashAlg, prfHashLength, prfBlockSize); 1975 1976 KeyGenerator kg = JsseJce.getKeyGenerator(prfAlg); 1977 kg.init(spec); 1978 SecretKey prfKey = kg.generateKey(); 1979 if ("RAW".equals(prfKey.getFormat()) == false) { 1980 throw new ProviderException( 1981 "Invalid PRF output, format must be RAW"); 1982 } 1983 byte[] finished = prfKey.getEncoded(); 1984 return finished; 1985 } catch (GeneralSecurityException e) { 1986 throw new RuntimeException("PRF failed", e); 1987 } 1988 } else { 1989 // SSLv3 1990 MessageDigest md5Clone = handshakeHash.getMD5Clone(); 1991 MessageDigest shaClone = handshakeHash.getSHAClone(); 1992 updateDigest(md5Clone, sslLabel, MD5_pad1, MD5_pad2, masterKey); 1993 updateDigest(shaClone, sslLabel, SHA_pad1, SHA_pad2, masterKey); 1994 byte[] finished = new byte[36]; 1995 try { 1996 md5Clone.digest(finished, 0, 16); 1997 shaClone.digest(finished, 16, 20); 1998 } catch (DigestException e) { 1999 // cannot occur 2000 throw new RuntimeException("Digest failed", e); 2001 } 2002 return finished; 2003 } 2004 } 2005 2006 /* 2007 * Update the MessageDigest for SSLv3 finished message calculation. 2008 * The digest must already have been updated with all preceding handshake 2009 * messages. This operation is almost identical to the certificate verify 2010 * hash, reuse that code. 2011 */ 2012 private static void updateDigest(MessageDigest md, byte[] sender, 2013 byte[] pad1, byte[] pad2, SecretKey masterSecret) { 2014 md.update(sender); 2015 CertificateVerify.updateDigest(md, pad1, pad2, masterSecret); 2016 } 2017 2018 // get the verify_data of the finished message 2019 byte[] getVerifyData() { 2020 return verifyData; 2021 } 2022 2023 @Override 2024 int messageType() { return ht_finished; } 2025 2026 @Override 2027 int messageLength() { 2028 return verifyData.length; 2029 } 2030 2031 @Override 2032 void send(HandshakeOutStream out) throws IOException { 2033 out.write(verifyData); 2034 } 2035 2036 @Override 2037 void print(PrintStream s) throws IOException { 2038 s.println("*** Finished"); 2039 if (debug != null && Debug.isOn("verbose")) { 2040 Debug.println(s, "verify_data", verifyData); 2041 s.println("***"); 2042 } 2043 } 2044 } 2045 2046 // 2047 // END of nested classes 2048 // 2049 2050 }