1 /*
2 * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26
27 package sun.security.ssl;
28
29 import java.io.*;
30 import java.util.*;
31 import java.util.concurrent.TimeUnit;
32 import java.security.*;
33 import java.security.cert.*;
34 import java.security.interfaces.*;
35 import java.security.spec.ECParameterSpec;
36 import java.math.BigInteger;
37
38 import javax.crypto.SecretKey;
39 import javax.net.ssl.*;
40
41 import sun.security.action.GetLongAction;
42 import sun.security.util.KeyUtil;
43 import sun.security.util.LegacyAlgorithmConstraints;
44 import sun.security.action.GetPropertyAction;
45 import sun.security.ssl.HandshakeMessage.*;
46 import sun.security.ssl.CipherSuite.*;
47 import sun.security.ssl.SignatureAndHashAlgorithm.*;
48 import static sun.security.ssl.CipherSuite.KeyExchange.*;
49
50 /**
51 * ServerHandshaker does the protocol handshaking from the point
52 * of view of a server. It is driven asychronously by handshake messages
53 * as delivered by the parent Handshaker class, and also uses
54 * common functionality (e.g. key generation) that is provided there.
55 *
56 * @author David Brownell
57 */
58 final class ServerHandshaker extends Handshaker {
59
60 // The default number of milliseconds the handshaker will wait for
61 // revocation status responses.
62 private static final long DEFAULT_STATUS_RESP_DELAY = 5000;
63
64 // is the server going to require the client to authenticate?
65 private ClientAuthType doClientAuth;
66
67 // our authentication info
68 private X509Certificate[] certs;
69 private PrivateKey privateKey;
70
71 private Object serviceCreds;
72
73 // flag to check for clientCertificateVerify message
74 private boolean needClientVerify = false;
75
76 /*
77 * For exportable ciphersuites using non-exportable key sizes, we use
78 * ephemeral RSA keys. We could also do anonymous RSA in the same way
79 * but there are no such ciphersuites currently defined.
80 */
81 private PrivateKey tempPrivateKey;
82 private PublicKey tempPublicKey;
83
84 /*
85 * For anonymous and ephemeral Diffie-Hellman key exchange, we use
86 * ephemeral Diffie-Hellman keys.
87 */
88 private DHCrypt dh;
89
90 // Helper for ECDH based key exchanges
91 private ECDHCrypt ecdh;
92
93 // version request by the client in its ClientHello
94 // we remember it for the RSA premaster secret version check
95 private ProtocolVersion clientRequestedVersion;
96
97 private SupportedEllipticCurvesExtension supportedCurves;
98
99 // the preferable signature algorithm used by ServerKeyExchange message
100 SignatureAndHashAlgorithm preferableSignatureAlgorithm;
101
102 // Flag to use smart ephemeral DH key which size matches the corresponding
103 // authentication key
104 private static final boolean useSmartEphemeralDHKeys;
105
106 // Flag to use legacy ephemeral DH key which size is 512 bits for
107 // exportable cipher suites, and 768 bits for others
108 private static final boolean useLegacyEphemeralDHKeys;
109
110 // The customized ephemeral DH key size for non-exportable cipher suites.
111 private static final int customizedDHKeySize;
112
113 // legacy algorithm constraints
114 private static final AlgorithmConstraints legacyAlgorithmConstraints =
115 new LegacyAlgorithmConstraints(
116 LegacyAlgorithmConstraints.PROPERTY_TLS_LEGACY_ALGS,
117 new SSLAlgorithmDecomposer());
118
119 private long statusRespTimeout;
120
121 static {
122 String property = AccessController.doPrivileged(
123 new GetPropertyAction("jdk.tls.ephemeralDHKeySize"));
124 if (property == null || property.length() == 0) {
125 useLegacyEphemeralDHKeys = false;
126 useSmartEphemeralDHKeys = false;
127 customizedDHKeySize = -1;
128 } else if ("matched".equals(property)) {
129 useLegacyEphemeralDHKeys = false;
130 useSmartEphemeralDHKeys = true;
131 customizedDHKeySize = -1;
132 } else if ("legacy".equals(property)) {
133 useLegacyEphemeralDHKeys = true;
134 useSmartEphemeralDHKeys = false;
135 customizedDHKeySize = -1;
136 } else {
137 useLegacyEphemeralDHKeys = false;
138 useSmartEphemeralDHKeys = false;
139
140 try {
141 customizedDHKeySize = Integer.parseUnsignedInt(property);
142 if (customizedDHKeySize < 1024 || customizedDHKeySize > 2048) {
143 throw new IllegalArgumentException(
144 "Customized DH key size should be positive integer " +
145 "between 1024 and 2048 bits, inclusive");
146 }
147 } catch (NumberFormatException nfe) {
148 throw new IllegalArgumentException(
149 "Invalid system property jdk.tls.ephemeralDHKeySize");
150 }
151 }
152 }
153
154 /*
155 * Constructor ... use the keys found in the auth context.
156 */
157 ServerHandshaker(SSLSocketImpl socket, SSLContextImpl context,
158 ProtocolList enabledProtocols, ClientAuthType clientAuth,
159 ProtocolVersion activeProtocolVersion, boolean isInitialHandshake,
160 boolean secureRenegotiation,
161 byte[] clientVerifyData, byte[] serverVerifyData) {
162
163 super(socket, context, enabledProtocols,
164 (clientAuth != ClientAuthType.CLIENT_AUTH_NONE), false,
165 activeProtocolVersion, isInitialHandshake, secureRenegotiation,
166 clientVerifyData, serverVerifyData);
167 doClientAuth = clientAuth;
168 statusRespTimeout = AccessController.doPrivileged(
169 new GetLongAction("jdk.tls.stapling.responseTimeout",
170 DEFAULT_STATUS_RESP_DELAY));
171 statusRespTimeout = statusRespTimeout >= 0 ? statusRespTimeout :
172 DEFAULT_STATUS_RESP_DELAY;
173 }
174
175 /*
176 * Constructor ... use the keys found in the auth context.
177 */
178 ServerHandshaker(SSLEngineImpl engine, SSLContextImpl context,
179 ProtocolList enabledProtocols, ClientAuthType clientAuth,
180 ProtocolVersion activeProtocolVersion,
181 boolean isInitialHandshake, boolean secureRenegotiation,
182 byte[] clientVerifyData, byte[] serverVerifyData,
183 boolean isDTLS) {
184
185 super(engine, context, enabledProtocols,
186 (clientAuth != ClientAuthType.CLIENT_AUTH_NONE), false,
187 activeProtocolVersion, isInitialHandshake, secureRenegotiation,
188 clientVerifyData, serverVerifyData, isDTLS);
189 doClientAuth = clientAuth;
190 statusRespTimeout = AccessController.doPrivileged(
191 new GetLongAction("jdk.tls.stapling.responseTimeout",
192 DEFAULT_STATUS_RESP_DELAY));
193 statusRespTimeout = statusRespTimeout >= 0 ? statusRespTimeout :
194 DEFAULT_STATUS_RESP_DELAY;
195 }
196
197 /*
198 * As long as handshaking has not started, we can change
199 * whether client authentication is required. Otherwise,
200 * we will need to wait for the next handshake.
201 */
202 void setClientAuth(ClientAuthType clientAuth) {
203 doClientAuth = clientAuth;
204 }
205
206 /*
207 * This routine handles all the server side handshake messages, one at
208 * a time. Given the message type (and in some cases the pending cipher
209 * spec) it parses the type-specific message. Then it calls a function
210 * that handles that specific message.
211 *
212 * It updates the state machine as each message is processed, and writes
213 * responses as needed using the connection in the constructor.
214 */
215 @Override
216 void processMessage(byte type, int message_len)
217 throws IOException {
218
219 // check the handshake state
220 handshakeState.check(type);
221
222 switch (type) {
223 case HandshakeMessage.ht_client_hello:
224 ClientHello ch = new ClientHello(input, message_len, isDTLS);
225 handshakeState.update(ch, resumingSession);
226
227 /*
228 * send it off for processing.
229 */
230 this.clientHello(ch);
231 break;
232
233 case HandshakeMessage.ht_certificate:
234 if (doClientAuth == ClientAuthType.CLIENT_AUTH_NONE) {
235 fatalSE(Alerts.alert_unexpected_message,
236 "client sent unsolicited cert chain");
237 // NOTREACHED
238 }
239 CertificateMsg certificateMsg = new CertificateMsg(input);
240 handshakeState.update(certificateMsg, resumingSession);
241 this.clientCertificate(certificateMsg);
242 break;
243
244 case HandshakeMessage.ht_client_key_exchange:
245 SecretKey preMasterSecret;
246 switch (keyExchange) {
247 case K_RSA:
248 case K_RSA_EXPORT:
249 /*
250 * The client's pre-master secret is decrypted using
251 * either the server's normal private RSA key, or the
252 * temporary one used for non-export or signing-only
253 * certificates/keys.
254 */
255 RSAClientKeyExchange pms = new RSAClientKeyExchange(
256 protocolVersion, clientRequestedVersion,
257 sslContext.getSecureRandom(), input,
258 message_len, privateKey);
259 handshakeState.update(pms, resumingSession);
260 preMasterSecret = this.clientKeyExchange(pms);
261 break;
262 case K_DHE_RSA:
263 case K_DHE_DSS:
264 case K_DH_ANON:
265 /*
266 * The pre-master secret is derived using the normal
267 * Diffie-Hellman calculation. Note that the main
268 * protocol difference in these five flavors is in how
269 * the ServerKeyExchange message was constructed!
270 */
271 DHClientKeyExchange dhcke = new DHClientKeyExchange(input);
272 handshakeState.update(dhcke, resumingSession);
273 preMasterSecret = this.clientKeyExchange(dhcke);
274 break;
275 case K_ECDH_RSA:
276 case K_ECDH_ECDSA:
277 case K_ECDHE_RSA:
278 case K_ECDHE_ECDSA:
279 case K_ECDH_ANON:
280 ECDHClientKeyExchange ecdhcke =
281 new ECDHClientKeyExchange(input);
282 handshakeState.update(ecdhcke, resumingSession);
283 preMasterSecret = this.clientKeyExchange(ecdhcke);
284 break;
285 default:
286 ClientKeyExchangeService p =
287 ClientKeyExchangeService.find(keyExchange.name);
288 if (p == null) {
289 throw new SSLProtocolException
290 ("Unrecognized key exchange: " + keyExchange);
291 }
292 byte[] encodedTicket = input.getBytes16();
293 input.getBytes16();
294 byte[] secret = input.getBytes16();
295 ClientKeyExchange cke = p.createServerExchange(protocolVersion,
296 clientRequestedVersion,
297 sslContext.getSecureRandom(),
298 encodedTicket,
299 secret,
300 this.getAccSE(), serviceCreds);
301 handshakeState.update(cke, resumingSession);
302 preMasterSecret = this.clientKeyExchange(cke);
303 break;
304 }
305
306 //
307 // All keys are calculated from the premaster secret
308 // and the exchanged nonces in the same way.
309 //
310 calculateKeys(preMasterSecret, clientRequestedVersion);
311 break;
312
313 case HandshakeMessage.ht_certificate_verify:
314 CertificateVerify cvm =
315 new CertificateVerify(input,
316 getLocalSupportedSignAlgs(), protocolVersion);
317 handshakeState.update(cvm, resumingSession);
318 this.clientCertificateVerify(cvm);
319
320 break;
321
322 case HandshakeMessage.ht_finished:
323 Finished cfm =
324 new Finished(protocolVersion, input, cipherSuite);
325 handshakeState.update(cfm, resumingSession);
326 this.clientFinished(cfm);
327
328 break;
329
330 default:
331 throw new SSLProtocolException(
332 "Illegal server handshake msg, " + type);
333 }
334
335 }
336
337
338 /*
339 * ClientHello presents the server with a bunch of options, to which the
340 * server replies with a ServerHello listing the ones which this session
341 * will use. If needed, it also writes its Certificate plus in some cases
342 * a ServerKeyExchange message. It may also write a CertificateRequest,
343 * to elicit a client certificate.
344 *
345 * All these messages are terminated by a ServerHelloDone message. In
346 * most cases, all this can be sent in a single Record.
347 */
348 private void clientHello(ClientHello mesg) throws IOException {
349 if (debug != null && Debug.isOn("handshake")) {
350 mesg.print(System.out);
351 }
352
353 // Reject client initiated renegotiation?
354 //
355 // If server side should reject client-initiated renegotiation,
356 // send an alert_handshake_failure fatal alert, not a no_renegotiation
357 // warning alert (no_renegotiation must be a warning: RFC 2246).
358 // no_renegotiation might seem more natural at first, but warnings
359 // are not appropriate because the sending party does not know how
360 // the receiving party will behave. This state must be treated as
361 // a fatal server condition.
362 //
363 // This will not have any impact on server initiated renegotiation.
364 if (rejectClientInitiatedRenego && !isInitialHandshake &&
365 !serverHelloRequested) {
366 fatalSE(Alerts.alert_handshake_failure,
367 "Client initiated renegotiation is not allowed");
368 }
369
370 // check the server name indication if required
371 ServerNameExtension clientHelloSNIExt = (ServerNameExtension)
372 mesg.extensions.get(ExtensionType.EXT_SERVER_NAME);
373 if (!sniMatchers.isEmpty()) {
374 // we do not reject client without SNI extension
375 if (clientHelloSNIExt != null &&
376 !clientHelloSNIExt.isMatched(sniMatchers)) {
377 fatalSE(Alerts.alert_unrecognized_name,
378 "Unrecognized server name indication");
379 }
380 }
381
382 // Does the message include security renegotiation indication?
383 boolean renegotiationIndicated = false;
384
385 // check the TLS_EMPTY_RENEGOTIATION_INFO_SCSV
386 CipherSuiteList cipherSuites = mesg.getCipherSuites();
387 if (cipherSuites.contains(CipherSuite.C_SCSV)) {
388 renegotiationIndicated = true;
389 if (isInitialHandshake) {
390 secureRenegotiation = true;
391 } else {
392 // abort the handshake with a fatal handshake_failure alert
393 if (secureRenegotiation) {
394 fatalSE(Alerts.alert_handshake_failure,
395 "The SCSV is present in a secure renegotiation");
396 } else {
397 fatalSE(Alerts.alert_handshake_failure,
398 "The SCSV is present in a insecure renegotiation");
399 }
400 }
401 }
402
403 // check the "renegotiation_info" extension
404 RenegotiationInfoExtension clientHelloRI = (RenegotiationInfoExtension)
405 mesg.extensions.get(ExtensionType.EXT_RENEGOTIATION_INFO);
406 if (clientHelloRI != null) {
407 renegotiationIndicated = true;
408 if (isInitialHandshake) {
409 // verify the length of the "renegotiated_connection" field
410 if (!clientHelloRI.isEmpty()) {
411 // abort the handshake with a fatal handshake_failure alert
412 fatalSE(Alerts.alert_handshake_failure,
413 "The renegotiation_info field is not empty");
414 }
415
416 secureRenegotiation = true;
417 } else {
418 if (!secureRenegotiation) {
419 // unexpected RI extension for insecure renegotiation,
420 // abort the handshake with a fatal handshake_failure alert
421 fatalSE(Alerts.alert_handshake_failure,
422 "The renegotiation_info is present in a insecure " +
423 "renegotiation");
424 }
425
426 // verify the client_verify_data value
427 if (!MessageDigest.isEqual(clientVerifyData,
428 clientHelloRI.getRenegotiatedConnection())) {
429 fatalSE(Alerts.alert_handshake_failure,
430 "Incorrect verify data in ClientHello " +
431 "renegotiation_info message");
432 }
433 }
434 } else if (!isInitialHandshake && secureRenegotiation) {
435 // if the connection's "secure_renegotiation" flag is set to TRUE
436 // and the "renegotiation_info" extension is not present, abort
437 // the handshake.
438 fatalSE(Alerts.alert_handshake_failure,
439 "Inconsistent secure renegotiation indication");
440 }
441
442 // if there is no security renegotiation indication or the previous
443 // handshake is insecure.
444 if (!renegotiationIndicated || !secureRenegotiation) {
445 if (isInitialHandshake) {
446 if (!allowLegacyHelloMessages) {
447 // abort the handshake with a fatal handshake_failure alert
448 fatalSE(Alerts.alert_handshake_failure,
449 "Failed to negotiate the use of secure renegotiation");
450 }
451
452 // continue with legacy ClientHello
453 if (debug != null && Debug.isOn("handshake")) {
454 System.out.println("Warning: No renegotiation " +
455 "indication in ClientHello, allow legacy ClientHello");
456 }
457 } else if (!allowUnsafeRenegotiation) {
458 // abort the handshake
459 if (activeProtocolVersion.useTLS10PlusSpec()) {
460 // respond with a no_renegotiation warning
461 warningSE(Alerts.alert_no_renegotiation);
462
463 // invalidate the handshake so that the caller can
464 // dispose this object.
465 invalidated = true;
466
467 // If there is still unread block in the handshake
468 // input stream, it would be truncated with the disposal
469 // and the next handshake message will become incomplete.
470 //
471 // However, according to SSL/TLS specifications, no more
472 // handshake message could immediately follow ClientHello
473 // or HelloRequest. But in case of any improper messages,
474 // we'd better check to ensure there is no remaining bytes
475 // in the handshake input stream.
476 if (input.available() > 0) {
477 fatalSE(Alerts.alert_unexpected_message,
478 "ClientHello followed by an unexpected " +
479 "handshake message");
480 }
481
482 return;
483 } else {
484 // For SSLv3, send the handshake_failure fatal error.
485 // Note that SSLv3 does not define a no_renegotiation
486 // alert like TLSv1. However we cannot ignore the message
487 // simply, otherwise the other side was waiting for a
488 // response that would never come.
489 fatalSE(Alerts.alert_handshake_failure,
490 "Renegotiation is not allowed");
491 }
492 } else { // !isInitialHandshake && allowUnsafeRenegotiation
493 // continue with unsafe renegotiation.
494 if (debug != null && Debug.isOn("handshake")) {
495 System.out.println(
496 "Warning: continue with insecure renegotiation");
497 }
498 }
499 }
500
501 // check the "max_fragment_length" extension
502 MaxFragmentLengthExtension maxFragLenExt = (MaxFragmentLengthExtension)
503 mesg.extensions.get(ExtensionType.EXT_MAX_FRAGMENT_LENGTH);
504 if ((maxFragLenExt != null) && (maximumPacketSize != 0)) {
505 // Not yet consider the impact of IV/MAC/padding.
506 int estimatedMaxFragSize = maximumPacketSize;
507 if (isDTLS) {
508 estimatedMaxFragSize -= DTLSRecord.headerSize;
509 } else {
510 estimatedMaxFragSize -= SSLRecord.headerSize;
511 }
512
513 if (maxFragLenExt.getMaxFragLen() > estimatedMaxFragSize) {
514 // For better interoperability, abort the maximum fragment
515 // length negotiation, rather than terminate the connection
516 // with a fatal alert.
517 maxFragLenExt = null;
518
519 // fatalSE(Alerts.alert_illegal_parameter,
520 // "Not an allowed max_fragment_length value");
521 }
522 }
523
524 // check the ALPN extension
525 ALPNExtension clientHelloALPN = (ALPNExtension)
526 mesg.extensions.get(ExtensionType.EXT_ALPN);
527
528 if ((clientHelloALPN != null) && (localApl.length > 0)) {
529
530 // Intersect the requested and the locally supported,
531 // and save for later.
532 String negotiatedValue = null;
533 List<String> protocols = clientHelloALPN.getPeerAPs();
534
535 // Use server preference order
536 for (String ap : localApl) {
537 if (protocols.contains(ap)) {
538 negotiatedValue = ap;
539 break;
540 }
541 }
542
543 if (negotiatedValue == null) {
544 fatalSE(Alerts.alert_no_application_protocol,
545 new SSLHandshakeException(
546 "No matching ALPN values"));
547 }
548 applicationProtocol = negotiatedValue;
549
550 } else {
551 applicationProtocol = "";
552 }
553
554 // cookie exchange
555 if (isDTLS) {
556 HelloCookieManager hcMgr = sslContext.getHelloCookieManager();
557 if ((mesg.cookie == null) || (mesg.cookie.length == 0) ||
558 (!hcMgr.isValid(mesg))) {
559
560 //
561 // Perform cookie exchange for DTLS handshaking if no cookie
562 // or the cookie is invalid in the ClientHello message.
563 //
564 HelloVerifyRequest m0 = new HelloVerifyRequest(hcMgr, mesg);
565
566 if (debug != null && Debug.isOn("handshake")) {
567 m0.print(System.out);
568 }
569
570 m0.write(output);
571 handshakeState.update(m0, resumingSession);
572 output.flush();
573
574 return;
575 }
576 }
577
578 /*
579 * FIRST, construct the ServerHello using the options and priorities
580 * from the ClientHello. Update the (pending) cipher spec as we do
581 * so, and save the client's version to protect against rollback
582 * attacks.
583 *
584 * There are a bunch of minor tasks here, and one major one: deciding
585 * if the short or the full handshake sequence will be used.
586 */
587 ServerHello m1 = new ServerHello();
588
589 clientRequestedVersion = mesg.protocolVersion;
590
591 // select a proper protocol version.
592 ProtocolVersion selectedVersion =
593 selectProtocolVersion(clientRequestedVersion);
594 if (selectedVersion == null ||
595 selectedVersion.v == ProtocolVersion.SSL20Hello.v) {
596 fatalSE(Alerts.alert_handshake_failure,
597 "Client requested protocol " + clientRequestedVersion +
598 " not enabled or not supported");
599 }
600
601 handshakeHash.protocolDetermined(selectedVersion);
602 setVersion(selectedVersion);
603
604 m1.protocolVersion = protocolVersion;
605
606 //
607 // random ... save client and server values for later use
608 // in computing the master secret (from pre-master secret)
609 // and thence the other crypto keys.
610 //
611 // NOTE: this use of three inputs to generating _each_ set
612 // of ciphers slows things down, but it does increase the
613 // security since each connection in the session can hold
614 // its own authenticated (and strong) keys. One could make
615 // creation of a session a rare thing...
616 //
617 clnt_random = mesg.clnt_random;
618 svr_random = new RandomCookie(sslContext.getSecureRandom());
619 m1.svr_random = svr_random;
620
621 session = null; // forget about the current session
622 //
623 // Here we go down either of two paths: (a) the fast one, where
624 // the client's asked to rejoin an existing session, and the server
625 // permits this; (b) the other one, where a new session is created.
626 //
627 if (mesg.sessionId.length() != 0) {
628 // client is trying to resume a session, let's see...
629
630 SSLSessionImpl previous = ((SSLSessionContextImpl)sslContext
631 .engineGetServerSessionContext())
632 .get(mesg.sessionId.getId());
633 //
634 // Check if we can use the fast path, resuming a session. We
635 // can do so iff we have a valid record for that session, and
636 // the cipher suite for that session was on the list which the
637 // client requested, and if we're not forgetting any needed
638 // authentication on the part of the client.
639 //
640 if (previous != null) {
641 resumingSession = previous.isRejoinable();
642
643 if (resumingSession) {
644 ProtocolVersion oldVersion = previous.getProtocolVersion();
645 // cannot resume session with different version
646 if (oldVersion != protocolVersion) {
647 resumingSession = false;
648 }
649 }
650
651 // cannot resume session with different server name indication
652 if (resumingSession) {
653 List<SNIServerName> oldServerNames =
654 previous.getRequestedServerNames();
655 if (clientHelloSNIExt != null) {
656 if (!clientHelloSNIExt.isIdentical(oldServerNames)) {
657 resumingSession = false;
658 }
659 } else if (!oldServerNames.isEmpty()) {
660 resumingSession = false;
661 }
662
663 if (!resumingSession &&
664 debug != null && Debug.isOn("handshake")) {
665 System.out.println(
666 "The requested server name indication " +
667 "is not identical to the previous one");
668 }
669 }
670
671 if (resumingSession &&
672 (doClientAuth == ClientAuthType.CLIENT_AUTH_REQUIRED)) {
673 try {
674 previous.getPeerPrincipal();
675 } catch (SSLPeerUnverifiedException e) {
676 resumingSession = false;
677 }
678 }
679
680 // validate subject identity
681 if (resumingSession) {
682 CipherSuite suite = previous.getSuite();
683 ClientKeyExchangeService p =
684 ClientKeyExchangeService.find(suite.keyExchange.name);
685 if (p != null) {
686 Principal localPrincipal = previous.getLocalPrincipal();
687
688 if (p.isRelated(
689 false, getAccSE(), localPrincipal)) {
690 if (debug != null && Debug.isOn("session"))
691 System.out.println("Subject can" +
692 " provide creds for princ");
693 } else {
694 resumingSession = false;
695 if (debug != null && Debug.isOn("session"))
696 System.out.println("Subject cannot" +
697 " provide creds for princ");
698 }
699 }
700 }
701
702 if (resumingSession) {
703 CipherSuite suite = previous.getSuite();
704 // verify that the ciphersuite from the cached session
705 // is in the list of client requested ciphersuites and
706 // we have it enabled
707 if ((isNegotiable(suite) == false) ||
708 (mesg.getCipherSuites().contains(suite) == false)) {
709 resumingSession = false;
710 } else {
711 // everything looks ok, set the ciphersuite
712 // this should be done last when we are sure we
713 // will resume
714 setCipherSuite(suite);
715 }
716 }
717
718 if (resumingSession) {
719 session = previous;
720 if (debug != null &&
721 (Debug.isOn("handshake") || Debug.isOn("session"))) {
722 System.out.println("%% Resuming " + session);
723 }
724 }
725 }
726 } // else client did not try to resume
727
728 //
729 // If client hasn't specified a session we can resume, start a
730 // new one and choose its cipher suite and compression options.
731 // Unless new session creation is disabled for this connection!
732 //
733 if (session == null) {
734 if (!enableNewSession) {
735 throw new SSLException("Client did not resume a session");
736 }
737
738 supportedCurves = (SupportedEllipticCurvesExtension)
739 mesg.extensions.get(ExtensionType.EXT_ELLIPTIC_CURVES);
740
741 // We only need to handle the "signature_algorithm" extension
742 // for full handshakes and TLS 1.2 or later.
743 if (protocolVersion.useTLS12PlusSpec()) {
744 SignatureAlgorithmsExtension signAlgs =
745 (SignatureAlgorithmsExtension)mesg.extensions.get(
746 ExtensionType.EXT_SIGNATURE_ALGORITHMS);
747 if (signAlgs != null) {
748 Collection<SignatureAndHashAlgorithm> peerSignAlgs =
749 signAlgs.getSignAlgorithms();
750 if (peerSignAlgs == null || peerSignAlgs.isEmpty()) {
751 throw new SSLHandshakeException(
752 "No peer supported signature algorithms");
753 }
754
755 Collection<SignatureAndHashAlgorithm>
756 supportedPeerSignAlgs =
757 SignatureAndHashAlgorithm.getSupportedAlgorithms(
758 algorithmConstraints, peerSignAlgs);
759 if (supportedPeerSignAlgs.isEmpty()) {
760 throw new SSLHandshakeException(
761 "No signature and hash algorithm in common");
762 }
763
764 setPeerSupportedSignAlgs(supportedPeerSignAlgs);
765 } // else, need to use peer implicit supported signature algs
766 }
767
768 session = new SSLSessionImpl(protocolVersion, CipherSuite.C_NULL,
769 getLocalSupportedSignAlgs(),
770 sslContext.getSecureRandom(),
771 getHostAddressSE(), getPortSE());
772
773 if (protocolVersion.useTLS12PlusSpec()) {
774 if (peerSupportedSignAlgs != null) {
775 session.setPeerSupportedSignatureAlgorithms(
776 peerSupportedSignAlgs);
777 } // else, we will set the implicit peer supported signature
778 // algorithms in chooseCipherSuite()
779 }
780
781 // set the server name indication in the session
782 List<SNIServerName> clientHelloSNI =
783 Collections.<SNIServerName>emptyList();
784 if (clientHelloSNIExt != null) {
785 clientHelloSNI = clientHelloSNIExt.getServerNames();
786 }
787 session.setRequestedServerNames(clientHelloSNI);
788
789 // set the handshake session
790 setHandshakeSessionSE(session);
791
792 // choose cipher suite and corresponding private key
793 chooseCipherSuite(mesg);
794
795 session.setSuite(cipherSuite);
796 session.setLocalPrivateKey(privateKey);
797
798 // chooseCompression(mesg);
799
800 // set the negotiated maximum fragment in the session
801 //
802 // The protocol version and cipher suite have been negotiated
803 // in previous processes.
804 if (maxFragLenExt != null) {
805 int maxFragLen = maxFragLenExt.getMaxFragLen();
806
807 // More check of the requested "max_fragment_length" extension.
808 if (maximumPacketSize != 0) {
809 int estimatedMaxFragSize = cipherSuite.calculatePacketSize(
810 maxFragLen, protocolVersion, isDTLS);
811 if (estimatedMaxFragSize > maximumPacketSize) {
812 // For better interoperability, abort the maximum
813 // fragment length negotiation, rather than terminate
814 // the connection with a fatal alert.
815 maxFragLenExt = null;
816
817 // fatalSE(Alerts.alert_illegal_parameter,
818 // "Not an allowed max_fragment_length value");
819 }
820 }
821
822 if (maxFragLenExt != null) {
823 session.setNegotiatedMaxFragSize(maxFragLen);
824 }
825 }
826
827 session.setMaximumPacketSize(maximumPacketSize);
828 } else {
829 // set the handshake session
830 setHandshakeSessionSE(session);
831 }
832
833 if (protocolVersion.useTLS12PlusSpec()) {
834 handshakeHash.setFinishedAlg(cipherSuite.prfAlg.getPRFHashAlg());
835 }
836
837 m1.cipherSuite = cipherSuite;
838 m1.sessionId = session.getSessionId();
839 m1.compression_method = session.getCompression();
840
841 if (secureRenegotiation) {
842 // For ServerHellos that are initial handshakes, then the
843 // "renegotiated_connection" field in "renegotiation_info"
844 // extension is of zero length.
845 //
846 // For ServerHellos that are renegotiating, this field contains
847 // the concatenation of client_verify_data and server_verify_data.
848 //
849 // Note that for initial handshakes, both the clientVerifyData
850 // variable and serverVerifyData variable are of zero length.
851 HelloExtension serverHelloRI = new RenegotiationInfoExtension(
852 clientVerifyData, serverVerifyData);
853 m1.extensions.add(serverHelloRI);
854 }
855
856 if (!sniMatchers.isEmpty() && clientHelloSNIExt != null) {
857 // When resuming a session, the server MUST NOT include a
858 // server_name extension in the server hello.
859 if (!resumingSession) {
860 ServerNameExtension serverHelloSNI = new ServerNameExtension();
861 m1.extensions.add(serverHelloSNI);
862 }
863 }
864
865 if ((maxFragLenExt != null) && !resumingSession) {
866 // When resuming a session, the server MUST NOT include a
867 // max_fragment_length extension in the server hello.
868 //
869 // Otherwise, use the same value as the requested extension.
870 m1.extensions.add(maxFragLenExt);
871 }
872
873 StaplingParameters staplingParams = processStapling(mesg);
874 if (staplingParams != null) {
875 // We now can safely assert status_request[_v2] in our
876 // ServerHello, and know for certain that we can provide
877 // responses back to this client for this connection.
878 if (staplingParams.statusRespExt ==
879 ExtensionType.EXT_STATUS_REQUEST) {
880 m1.extensions.add(new CertStatusReqExtension());
881 } else if (staplingParams.statusRespExt ==
882 ExtensionType.EXT_STATUS_REQUEST_V2) {
883 m1.extensions.add(new CertStatusReqListV2Extension());
884 }
885 }
886
887 // Prepare the ALPN response
888 if (applicationProtocol != null && !applicationProtocol.isEmpty()) {
889 m1.extensions.add(new ALPNExtension(applicationProtocol));
890 }
891
892 if (debug != null && Debug.isOn("handshake")) {
893 m1.print(System.out);
894 System.out.println("Cipher suite: " + session.getSuite());
895 }
896 m1.write(output);
897 handshakeState.update(m1, resumingSession);
898
899 //
900 // If we are resuming a session, we finish writing handshake
901 // messages right now and then finish.
902 //
903 if (resumingSession) {
904 calculateConnectionKeys(session.getMasterSecret());
905 sendChangeCipherAndFinish(false);
906
907 // expecting the final ChangeCipherSpec and Finished messages
908 expectingFinishFlightSE();
909
910 return;
911 }
912
913
914 /*
915 * SECOND, write the server Certificate(s) if we need to.
916 *
917 * NOTE: while an "anonymous RSA" mode is explicitly allowed by
918 * the protocol, we can't support it since all of the SSL flavors
919 * defined in the protocol spec are explicitly stated to require
920 * using RSA certificates.
921 */
922 if (ClientKeyExchangeService.find(cipherSuite.keyExchange.name) != null) {
923 // No external key exchange provider needs a cert now.
924 } else if ((keyExchange != K_DH_ANON) && (keyExchange != K_ECDH_ANON)) {
925 if (certs == null) {
926 throw new RuntimeException("no certificates");
927 }
928
929 CertificateMsg m2 = new CertificateMsg(certs);
930
931 /*
932 * Set local certs in the SSLSession, output
933 * debug info, and then actually write to the client.
934 */
935 session.setLocalCertificates(certs);
936 if (debug != null && Debug.isOn("handshake")) {
937 m2.print(System.out);
938 }
939 m2.write(output);
940 handshakeState.update(m2, resumingSession);
941
942 // XXX has some side effects with OS TCP buffering,
943 // leave it out for now
944
945 // let client verify chain in the meantime...
946 // output.flush();
947 } else {
948 if (certs != null) {
949 throw new RuntimeException("anonymous keyexchange with certs");
950 }
951 }
952
953 /**
954 * The CertificateStatus message ... only if it is needed.
955 * This would only be needed if we've established that this handshake
956 * supports status stapling and there is at least one response to
957 * return to the client.
958 */
959 if (staplingParams != null) {
960 CertificateStatus csMsg = new CertificateStatus(
961 staplingParams.statReqType, certs,
962 staplingParams.responseMap);
963 if (debug != null && Debug.isOn("handshake")) {
964 csMsg.print(System.out);
965 }
966 csMsg.write(output);
967 handshakeState.update(csMsg, resumingSession);
968 }
969
970 /*
971 * THIRD, the ServerKeyExchange message ... iff it's needed.
972 *
973 * It's usually needed unless there's an encryption-capable
974 * RSA cert, or a D-H cert. The notable exception is that
975 * exportable ciphers used with big RSA keys need to downgrade
976 * to use short RSA keys, even when the key/cert encrypts OK.
977 */
978
979 ServerKeyExchange m3;
980 switch (keyExchange) {
981 case K_RSA:
982 // no server key exchange for RSA ciphersuites
983 m3 = null;
984 break;
985 case K_RSA_EXPORT:
986 if (JsseJce.getRSAKeyLength(certs[0].getPublicKey()) > 512) {
987 try {
988 m3 = new RSA_ServerKeyExchange(
989 tempPublicKey, privateKey,
990 clnt_random, svr_random,
991 sslContext.getSecureRandom());
992 privateKey = tempPrivateKey;
993 } catch (GeneralSecurityException e) {
994 m3 = null; // make compiler happy
995 throw new SSLException(
996 "Error generating RSA server key exchange", e);
997 }
998 } else {
999 // RSA_EXPORT with short key, don't need ServerKeyExchange
1000 m3 = null;
1001 }
1002 break;
1003 case K_DHE_RSA:
1004 case K_DHE_DSS:
1005 try {
1006 m3 = new DH_ServerKeyExchange(dh,
1007 privateKey,
1008 clnt_random.random_bytes,
1009 svr_random.random_bytes,
1010 sslContext.getSecureRandom(),
1011 preferableSignatureAlgorithm,
1012 protocolVersion);
1013 } catch (GeneralSecurityException e) {
1014 m3 = null; // make compiler happy
1015 throw new SSLException(
1016 "Error generating DH server key exchange", e);
1017 }
1018 break;
1019 case K_DH_ANON:
1020 m3 = new DH_ServerKeyExchange(dh, protocolVersion);
1021 break;
1022 case K_ECDHE_RSA:
1023 case K_ECDHE_ECDSA:
1024 case K_ECDH_ANON:
1025 try {
1026 m3 = new ECDH_ServerKeyExchange(ecdh,
1027 privateKey,
1028 clnt_random.random_bytes,
1029 svr_random.random_bytes,
1030 sslContext.getSecureRandom(),
1031 preferableSignatureAlgorithm,
1032 protocolVersion);
1033 } catch (GeneralSecurityException e) {
1034 m3 = null; // make compiler happy
1035 throw new SSLException(
1036 "Error generating ECDH server key exchange", e);
1037 }
1038 break;
1039 case K_ECDH_RSA:
1040 case K_ECDH_ECDSA:
1041 // ServerKeyExchange not used for fixed ECDH
1042 m3 = null;
1043 break;
1044 default:
1045 ClientKeyExchangeService p =
1046 ClientKeyExchangeService.find(keyExchange.name);
1047 if (p != null) {
1048 // No external key exchange provider needs a cert now.
1049 m3 = null;
1050 break;
1051 }
1052 throw new RuntimeException("internal error: " + keyExchange);
1053 }
1054 if (m3 != null) {
1055 if (debug != null && Debug.isOn("handshake")) {
1056 m3.print(System.out);
1057 }
1058 m3.write(output);
1059 handshakeState.update(m3, resumingSession);
1060 }
1061
1062 //
1063 // FOURTH, the CertificateRequest message. The details of
1064 // the message can be affected by the key exchange algorithm
1065 // in use. For example, certs with fixed Diffie-Hellman keys
1066 // are only useful with the DH_DSS and DH_RSA key exchange
1067 // algorithms.
1068 //
1069 // Needed only if server requires client to authenticate self.
1070 // Illegal for anonymous flavors, so we need to check that.
1071 //
1072 // No external key exchange provider needs a cert now.
1073 if (doClientAuth != ClientAuthType.CLIENT_AUTH_NONE &&
1074 keyExchange != K_DH_ANON && keyExchange != K_ECDH_ANON &&
1075 ClientKeyExchangeService.find(keyExchange.name) == null) {
1076
1077 CertificateRequest m4;
1078 X509Certificate[] caCerts;
1079
1080 Collection<SignatureAndHashAlgorithm> localSignAlgs = null;
1081 if (protocolVersion.useTLS12PlusSpec()) {
1082 // We currently use all local upported signature and hash
1083 // algorithms. However, to minimize the computation cost
1084 // of requested hash algorithms, we may use a restricted
1085 // set of signature algorithms in the future.
1086 localSignAlgs = getLocalSupportedSignAlgs();
1087 if (localSignAlgs.isEmpty()) {
1088 throw new SSLHandshakeException(
1089 "No supported signature algorithm");
1090 }
1091
1092 Set<String> localHashAlgs =
1093 SignatureAndHashAlgorithm.getHashAlgorithmNames(
1094 localSignAlgs);
1095 if (localHashAlgs.isEmpty()) {
1096 throw new SSLHandshakeException(
1097 "No supported signature algorithm");
1098 }
1099 }
1100
1101 caCerts = sslContext.getX509TrustManager().getAcceptedIssuers();
1102 m4 = new CertificateRequest(caCerts, keyExchange,
1103 localSignAlgs, protocolVersion);
1104
1105 if (debug != null && Debug.isOn("handshake")) {
1106 m4.print(System.out);
1107 }
1108 m4.write(output);
1109 handshakeState.update(m4, resumingSession);
1110 }
1111
1112 /*
1113 * FIFTH, say ServerHelloDone.
1114 */
1115 ServerHelloDone m5 = new ServerHelloDone();
1116
1117 if (debug != null && Debug.isOn("handshake")) {
1118 m5.print(System.out);
1119 }
1120 m5.write(output);
1121 handshakeState.update(m5, resumingSession);
1122
1123 /*
1124 * Flush any buffered messages so the client will see them.
1125 * Ideally, all the messages above go in a single network level
1126 * message to the client. Without big Certificate chains, it's
1127 * going to be the common case.
1128 */
1129 output.flush();
1130 }
1131
1132 /*
1133 * Choose cipher suite from among those supported by client. Sets
1134 * the cipherSuite and keyExchange variables.
1135 */
1136 private void chooseCipherSuite(ClientHello mesg) throws IOException {
1137 CipherSuiteList prefered;
1138 CipherSuiteList proposed;
1139 if (preferLocalCipherSuites) {
1140 prefered = getActiveCipherSuites();
1141 proposed = mesg.getCipherSuites();
1142 } else {
1143 prefered = mesg.getCipherSuites();
1144 proposed = getActiveCipherSuites();
1145 }
1146
1147 List<CipherSuite> legacySuites = new ArrayList<>();
1148 for (CipherSuite suite : prefered.collection()) {
1149 if (isNegotiable(proposed, suite) == false) {
1150 continue;
1151 }
1152
1153 if (doClientAuth == ClientAuthType.CLIENT_AUTH_REQUIRED) {
1154 if ((suite.keyExchange == K_DH_ANON) ||
1155 (suite.keyExchange == K_ECDH_ANON)) {
1156 continue;
1157 }
1158 }
1159
1160 if (!legacyAlgorithmConstraints.permits(null, suite.name, null)) {
1161 legacySuites.add(suite);
1162 continue;
1163 }
1164
1165 if (trySetCipherSuite(suite) == false) {
1166 continue;
1167 }
1168 return;
1169 }
1170
1171 for (CipherSuite suite : legacySuites) {
1172 if (trySetCipherSuite(suite)) {
1173 return;
1174 }
1175 }
1176
1177 fatalSE(Alerts.alert_handshake_failure, "no cipher suites in common");
1178 }
1179
1180 /**
1181 * Set the given CipherSuite, if possible. Return the result.
1182 * The call succeeds if the CipherSuite is available and we have
1183 * the necessary certificates to complete the handshake. We don't
1184 * check if the CipherSuite is actually enabled.
1185 *
1186 * If successful, this method also generates ephemeral keys if
1187 * required for this ciphersuite. This may take some time, so this
1188 * method should only be called if you really want to use the
1189 * CipherSuite.
1190 *
1191 * This method is called from chooseCipherSuite() in this class.
1192 */
1193 boolean trySetCipherSuite(CipherSuite suite) {
1194 /*
1195 * If we're resuming a session we know we can
1196 * support this key exchange algorithm and in fact
1197 * have already cached the result of it in
1198 * the session state.
1199 */
1200 if (resumingSession) {
1201 return true;
1202 }
1203
1204 if (suite.isNegotiable() == false) {
1205 return false;
1206 }
1207
1208 // must not negotiate the obsoleted weak cipher suites.
1209 if (protocolVersion.obsoletes(suite)) {
1210 return false;
1211 }
1212
1213 // must not negotiate unsupported cipher suites.
1214 if (!protocolVersion.supports(suite)) {
1215 return false;
1216 }
1217
1218 KeyExchange keyExchange = suite.keyExchange;
1219
1220 // null out any existing references
1221 privateKey = null;
1222 certs = null;
1223 dh = null;
1224 tempPrivateKey = null;
1225 tempPublicKey = null;
1226
1227 Collection<SignatureAndHashAlgorithm> supportedSignAlgs = null;
1228 if (protocolVersion.useTLS12PlusSpec()) {
1229 if (peerSupportedSignAlgs != null) {
1230 supportedSignAlgs = peerSupportedSignAlgs;
1231 } else {
1232 SignatureAndHashAlgorithm algorithm = null;
1233
1234 // we may optimize the performance
1235 switch (keyExchange) {
1236 // If the negotiated key exchange algorithm is one of
1237 // (RSA, DHE_RSA, DH_RSA, RSA_PSK, ECDH_RSA, ECDHE_RSA),
1238 // behave as if client had sent the value {sha1,rsa}.
1239 case K_RSA:
1240 case K_DHE_RSA:
1241 case K_DH_RSA:
1242 // case K_RSA_PSK:
1243 case K_ECDH_RSA:
1244 case K_ECDHE_RSA:
1245 algorithm = SignatureAndHashAlgorithm.valueOf(
1246 HashAlgorithm.SHA1.value,
1247 SignatureAlgorithm.RSA.value, 0);
1248 break;
1249 // If the negotiated key exchange algorithm is one of
1250 // (DHE_DSS, DH_DSS), behave as if the client had
1251 // sent the value {sha1,dsa}.
1252 case K_DHE_DSS:
1253 case K_DH_DSS:
1254 algorithm = SignatureAndHashAlgorithm.valueOf(
1255 HashAlgorithm.SHA1.value,
1256 SignatureAlgorithm.DSA.value, 0);
1257 break;
1258 // If the negotiated key exchange algorithm is one of
1259 // (ECDH_ECDSA, ECDHE_ECDSA), behave as if the client
1260 // had sent value {sha1,ecdsa}.
1261 case K_ECDH_ECDSA:
1262 case K_ECDHE_ECDSA:
1263 algorithm = SignatureAndHashAlgorithm.valueOf(
1264 HashAlgorithm.SHA1.value,
1265 SignatureAlgorithm.ECDSA.value, 0);
1266 break;
1267 default:
1268 // no peer supported signature algorithms
1269 }
1270
1271 if (algorithm == null) {
1272 supportedSignAlgs =
1273 Collections.<SignatureAndHashAlgorithm>emptySet();
1274 } else {
1275 supportedSignAlgs =
1276 new ArrayList<SignatureAndHashAlgorithm>(1);
1277 supportedSignAlgs.add(algorithm);
1278
1279 supportedSignAlgs =
1280 SignatureAndHashAlgorithm.getSupportedAlgorithms(
1281 algorithmConstraints, supportedSignAlgs);
1282
1283 // May be no default activated signature algorithm, but
1284 // let the following process make the final decision.
1285 }
1286
1287 // Sets the peer supported signature algorithm to use in KM
1288 // temporarily.
1289 session.setPeerSupportedSignatureAlgorithms(supportedSignAlgs);
1290 }
1291 }
1292
1293 switch (keyExchange) {
1294 case K_RSA:
1295 // need RSA certs for authentication
1296 if (setupPrivateKeyAndChain("RSA") == false) {
1297 return false;
1298 }
1299 break;
1300 case K_RSA_EXPORT:
1301 // need RSA certs for authentication
1302 if (setupPrivateKeyAndChain("RSA") == false) {
1303 return false;
1304 }
1305
1306 try {
1307 if (JsseJce.getRSAKeyLength(certs[0].getPublicKey()) > 512) {
1308 if (!setupEphemeralRSAKeys(suite.exportable)) {
1309 return false;
1310 }
1311 }
1312 } catch (RuntimeException e) {
1313 // could not determine keylength, ignore key
1314 return false;
1315 }
1316 break;
1317 case K_DHE_RSA:
1318 // need RSA certs for authentication
1319 if (setupPrivateKeyAndChain("RSA") == false) {
1320 return false;
1321 }
1322
1323 // get preferable peer signature algorithm for server key exchange
1324 if (protocolVersion.useTLS12PlusSpec()) {
1325 preferableSignatureAlgorithm =
1326 SignatureAndHashAlgorithm.getPreferableAlgorithm(
1327 supportedSignAlgs, "RSA", privateKey);
1328 if (preferableSignatureAlgorithm == null) {
1329 if ((debug != null) && Debug.isOn("handshake")) {
1330 System.out.println(
1331 "No signature and hash algorithm for cipher " +
1332 suite);
1333 }
1334 return false;
1335 }
1336 }
1337
1338 setupEphemeralDHKeys(suite.exportable, privateKey);
1339 break;
1340 case K_ECDHE_RSA:
1341 // need RSA certs for authentication
1342 if (setupPrivateKeyAndChain("RSA") == false) {
1343 return false;
1344 }
1345
1346 // get preferable peer signature algorithm for server key exchange
1347 if (protocolVersion.useTLS12PlusSpec()) {
1348 preferableSignatureAlgorithm =
1349 SignatureAndHashAlgorithm.getPreferableAlgorithm(
1350 supportedSignAlgs, "RSA", privateKey);
1351 if (preferableSignatureAlgorithm == null) {
1352 if ((debug != null) && Debug.isOn("handshake")) {
1353 System.out.println(
1354 "No signature and hash algorithm for cipher " +
1355 suite);
1356 }
1357 return false;
1358 }
1359 }
1360
1361 if (setupEphemeralECDHKeys() == false) {
1362 return false;
1363 }
1364 break;
1365 case K_DHE_DSS:
1366 // get preferable peer signature algorithm for server key exchange
1367 if (protocolVersion.useTLS12PlusSpec()) {
1368 preferableSignatureAlgorithm =
1369 SignatureAndHashAlgorithm.getPreferableAlgorithm(
1370 supportedSignAlgs, "DSA");
1371 if (preferableSignatureAlgorithm == null) {
1372 if ((debug != null) && Debug.isOn("handshake")) {
1373 System.out.println(
1374 "No signature and hash algorithm for cipher " +
1375 suite);
1376 }
1377 return false;
1378 }
1379 }
1380
1381 // need DSS certs for authentication
1382 if (setupPrivateKeyAndChain("DSA") == false) {
1383 return false;
1384 }
1385
1386 setupEphemeralDHKeys(suite.exportable, privateKey);
1387 break;
1388 case K_ECDHE_ECDSA:
1389 // get preferable peer signature algorithm for server key exchange
1390 if (protocolVersion.useTLS12PlusSpec()) {
1391 preferableSignatureAlgorithm =
1392 SignatureAndHashAlgorithm.getPreferableAlgorithm(
1393 supportedSignAlgs, "ECDSA");
1394 if (preferableSignatureAlgorithm == null) {
1395 if ((debug != null) && Debug.isOn("handshake")) {
1396 System.out.println(
1397 "No signature and hash algorithm for cipher " +
1398 suite);
1399 }
1400 return false;
1401 }
1402 }
1403
1404 // need EC cert
1405 if (setupPrivateKeyAndChain("EC") == false) {
1406 return false;
1407 }
1408 if (setupEphemeralECDHKeys() == false) {
1409 return false;
1410 }
1411 break;
1412 case K_ECDH_RSA:
1413 // need EC cert
1414 if (setupPrivateKeyAndChain("EC") == false) {
1415 return false;
1416 }
1417 setupStaticECDHKeys();
1418 break;
1419 case K_ECDH_ECDSA:
1420 // need EC cert
1421 if (setupPrivateKeyAndChain("EC") == false) {
1422 return false;
1423 }
1424 setupStaticECDHKeys();
1425 break;
1426 case K_DH_ANON:
1427 // no certs needed for anonymous
1428 setupEphemeralDHKeys(suite.exportable, null);
1429 break;
1430 case K_ECDH_ANON:
1431 // no certs needed for anonymous
1432 if (setupEphemeralECDHKeys() == false) {
1433 return false;
1434 }
1435 break;
1436 default:
1437 ClientKeyExchangeService p =
1438 ClientKeyExchangeService.find(keyExchange.name);
1439 if (p == null) {
1440 // internal error, unknown key exchange
1441 throw new RuntimeException(
1442 "Unrecognized cipherSuite: " + suite);
1443 }
1444 // need service creds
1445 if (serviceCreds == null) {
1446 AccessControlContext acc = getAccSE();
1447 serviceCreds = p.getServiceCreds(acc);
1448 if (serviceCreds != null) {
1449 if (debug != null && Debug.isOn("handshake")) {
1450 System.out.println("Using serviceCreds");
1451 }
1452 }
1453 if (serviceCreds == null) {
1454 return false;
1455 }
1456 }
1457 break;
1458 }
1459 setCipherSuite(suite);
1460
1461 // set the peer implicit supported signature algorithms
1462 if (protocolVersion.useTLS12PlusSpec()) {
1463 if (peerSupportedSignAlgs == null) {
1464 setPeerSupportedSignAlgs(supportedSignAlgs);
1465 // we had alreay update the session
1466 }
1467 }
1468 return true;
1469 }
1470
1471 /*
1472 * Get some "ephemeral" RSA keys for this context. This means
1473 * generating them if it's not already been done.
1474 *
1475 * Note that we currently do not implement any ciphersuites that use
1476 * strong ephemeral RSA. (We do not support the EXPORT1024 ciphersuites
1477 * and standard RSA ciphersuites prohibit ephemeral mode for some reason)
1478 * This means that export is always true and 512 bit keys are generated.
1479 */
1480 private boolean setupEphemeralRSAKeys(boolean export) {
1481 KeyPair kp = sslContext.getEphemeralKeyManager().
1482 getRSAKeyPair(export, sslContext.getSecureRandom());
1483 if (kp == null) {
1484 return false;
1485 } else {
1486 tempPublicKey = kp.getPublic();
1487 tempPrivateKey = kp.getPrivate();
1488 return true;
1489 }
1490 }
1491
1492 /*
1493 * Acquire some "ephemeral" Diffie-Hellman keys for this handshake.
1494 * We don't reuse these, for improved forward secrecy.
1495 */
1496 private void setupEphemeralDHKeys(boolean export, Key key) {
1497 /*
1498 * 768 bits ephemeral DH private keys were used to be used in
1499 * ServerKeyExchange except that exportable ciphers max out at 512
1500 * bits modulus values. We still adhere to this behavior in legacy
1501 * mode (system property "jdk.tls.ephemeralDHKeySize" is defined
1502 * as "legacy").
1503 *
1504 * Old JDK (JDK 7 and previous) releases don't support DH keys bigger
1505 * than 1024 bits. We have to consider the compatibility requirement.
1506 * 1024 bits DH key is always used for non-exportable cipher suites
1507 * in default mode (system property "jdk.tls.ephemeralDHKeySize"
1508 * is not defined).
1509 *
1510 * However, if applications want more stronger strength, setting
1511 * system property "jdk.tls.ephemeralDHKeySize" to "matched"
1512 * is a workaround to use ephemeral DH key which size matches the
1513 * corresponding authentication key. For example, if the public key
1514 * size of an authentication certificate is 2048 bits, then the
1515 * ephemeral DH key size should be 2048 bits accordingly unless
1516 * the cipher suite is exportable. This key sizing scheme keeps
1517 * the cryptographic strength consistent between authentication
1518 * keys and key-exchange keys.
1519 *
1520 * Applications may also want to customize the ephemeral DH key size
1521 * to a fixed length for non-exportable cipher suites. This can be
1522 * approached by setting system property "jdk.tls.ephemeralDHKeySize"
1523 * to a valid positive integer between 1024 and 2048 bits, inclusive.
1524 *
1525 * Note that the minimum acceptable key size is 1024 bits except
1526 * exportable cipher suites or legacy mode.
1527 *
1528 * Note that the maximum acceptable key size is 2048 bits because
1529 * DH keys bigger than 2048 are not always supported by underlying
1530 * JCE providers.
1531 *
1532 * Note that per RFC 2246, the key size limit of DH is 512 bits for
1533 * exportable cipher suites. Because of the weakness, exportable
1534 * cipher suites are deprecated since TLS v1.1 and they are not
1535 * enabled by default in Oracle provider. The legacy behavior is
1536 * reserved and 512 bits DH key is always used for exportable
1537 * cipher suites.
1538 */
1539 int keySize = export ? 512 : 1024; // default mode
1540 if (!export) {
1541 if (useLegacyEphemeralDHKeys) { // legacy mode
1542 keySize = 768;
1543 } else if (useSmartEphemeralDHKeys) { // matched mode
1544 if (key != null) {
1545 int ks = KeyUtil.getKeySize(key);
1546 // Note that SunJCE provider only supports 2048 bits DH
1547 // keys bigger than 1024. Please DON'T use value other
1548 // than 1024 and 2048 at present. We may improve the
1549 // underlying providers and key size here in the future.
1550 //
1551 // keySize = ks <= 1024 ? 1024 : (ks >= 2048 ? 2048 : ks);
1552 keySize = ks <= 1024 ? 1024 : 2048;
1553 } // Otherwise, anonymous cipher suites, 1024-bit is used.
1554 } else if (customizedDHKeySize > 0) { // customized mode
1555 keySize = customizedDHKeySize;
1556 }
1557 }
1558
1559 dh = new DHCrypt(keySize, sslContext.getSecureRandom());
1560 }
1561
1562 // Setup the ephemeral ECDH parameters.
1563 // If we cannot continue because we do not support any of the curves that
1564 // the client requested, return false. Otherwise (all is well), return true.
1565 private boolean setupEphemeralECDHKeys() {
1566 int index = -1;
1567 if (supportedCurves != null) {
1568 // if the client sent the supported curves extension, pick the
1569 // first one that we support;
1570 for (int curveId : supportedCurves.curveIds()) {
1571 if (SupportedEllipticCurvesExtension.isSupported(curveId)) {
1572 index = curveId;
1573 break;
1574 }
1575 }
1576 if (index < 0) {
1577 // no match found, cannot use this ciphersuite
1578 return false;
1579 }
1580 } else {
1581 // pick our preference
1582 index = SupportedEllipticCurvesExtension.DEFAULT.curveIds()[0];
1583 }
1584 String oid = SupportedEllipticCurvesExtension.getCurveOid(index);
1585 ecdh = new ECDHCrypt(oid, sslContext.getSecureRandom());
1586 return true;
1587 }
1588
1589 private void setupStaticECDHKeys() {
1590 // don't need to check whether the curve is supported, already done
1591 // in setupPrivateKeyAndChain().
1592 ecdh = new ECDHCrypt(privateKey, certs[0].getPublicKey());
1593 }
1594
1595 /**
1596 * Retrieve the server key and certificate for the specified algorithm
1597 * from the KeyManager and set the instance variables.
1598 *
1599 * @return true if successful, false if not available or invalid
1600 */
1601 private boolean setupPrivateKeyAndChain(String algorithm) {
1602 X509ExtendedKeyManager km = sslContext.getX509KeyManager();
1603 String alias;
1604 if (conn != null) {
1605 alias = km.chooseServerAlias(algorithm, null, conn);
1606 } else {
1607 alias = km.chooseEngineServerAlias(algorithm, null, engine);
1608 }
1609 if (alias == null) {
1610 return false;
1611 }
1612 PrivateKey tempPrivateKey = km.getPrivateKey(alias);
1613 if (tempPrivateKey == null) {
1614 return false;
1615 }
1616 X509Certificate[] tempCerts = km.getCertificateChain(alias);
1617 if ((tempCerts == null) || (tempCerts.length == 0)) {
1618 return false;
1619 }
1620 String keyAlgorithm = algorithm.split("_")[0];
1621 PublicKey publicKey = tempCerts[0].getPublicKey();
1622 if ((tempPrivateKey.getAlgorithm().equals(keyAlgorithm) == false)
1623 || (publicKey.getAlgorithm().equals(keyAlgorithm) == false)) {
1624 return false;
1625 }
1626 // For ECC certs, check whether we support the EC domain parameters.
1627 // If the client sent a SupportedEllipticCurves ClientHello extension,
1628 // check against that too.
1629 if (keyAlgorithm.equals("EC")) {
1630 if (publicKey instanceof ECPublicKey == false) {
1631 return false;
1632 }
1633 ECParameterSpec params = ((ECPublicKey)publicKey).getParams();
1634 int index = SupportedEllipticCurvesExtension.getCurveIndex(params);
1635 if (SupportedEllipticCurvesExtension.isSupported(index) == false) {
1636 return false;
1637 }
1638 if ((supportedCurves != null) && !supportedCurves.contains(index)) {
1639 return false;
1640 }
1641 }
1642 this.privateKey = tempPrivateKey;
1643 this.certs = tempCerts;
1644 return true;
1645 }
1646
1647 /*
1648 * Returns premaster secret for external key exchange services.
1649 */
1650 private SecretKey clientKeyExchange(ClientKeyExchange mesg)
1651 throws IOException {
1652
1653 if (debug != null && Debug.isOn("handshake")) {
1654 mesg.print(System.out);
1655 }
1656
1657 // Record the principals involved in exchange
1658 session.setPeerPrincipal(mesg.getPeerPrincipal());
1659 session.setLocalPrincipal(mesg.getLocalPrincipal());
1660
1661 return mesg.clientKeyExchange();
1662 }
1663
1664 /*
1665 * Diffie Hellman key exchange is used when the server presented
1666 * D-H parameters in its certificate (signed using RSA or DSS/DSA),
1667 * or else the server presented no certificate but sent D-H params
1668 * in a ServerKeyExchange message. Use of D-H is specified by the
1669 * cipher suite chosen.
1670 *
1671 * The message optionally contains the client's D-H public key (if
1672 * it wasn't not sent in a client certificate). As always with D-H,
1673 * if a client and a server have each other's D-H public keys and
1674 * they use common algorithm parameters, they have a shared key
1675 * that's derived via the D-H calculation. That key becomes the
1676 * pre-master secret.
1677 */
1678 private SecretKey clientKeyExchange(DHClientKeyExchange mesg)
1679 throws IOException {
1680
1681 if (debug != null && Debug.isOn("handshake")) {
1682 mesg.print(System.out);
1683 }
1684
1685 BigInteger publicKeyValue = mesg.getClientPublicKey();
1686
1687 // check algorithm constraints
1688 dh.checkConstraints(algorithmConstraints, publicKeyValue);
1689
1690 return dh.getAgreedSecret(publicKeyValue, false);
1691 }
1692
1693 private SecretKey clientKeyExchange(ECDHClientKeyExchange mesg)
1694 throws IOException {
1695
1696 if (debug != null && Debug.isOn("handshake")) {
1697 mesg.print(System.out);
1698 }
1699
1700 byte[] publicPoint = mesg.getEncodedPoint();
1701
1702 // check algorithm constraints
1703 ecdh.checkConstraints(algorithmConstraints, publicPoint);
1704
1705 return ecdh.getAgreedSecret(publicPoint);
1706 }
1707
1708 /*
1709 * Client wrote a message to verify the certificate it sent earlier.
1710 *
1711 * Note that this certificate isn't involved in key exchange. Client
1712 * authentication messages are included in the checksums used to
1713 * validate the handshake (e.g. Finished messages). Other than that,
1714 * the _exact_ identity of the client is less fundamental to protocol
1715 * security than its role in selecting keys via the pre-master secret.
1716 */
1717 private void clientCertificateVerify(CertificateVerify mesg)
1718 throws IOException {
1719
1720 if (debug != null && Debug.isOn("handshake")) {
1721 mesg.print(System.out);
1722 }
1723
1724 if (protocolVersion.useTLS12PlusSpec()) {
1725 SignatureAndHashAlgorithm signAlg =
1726 mesg.getPreferableSignatureAlgorithm();
1727 if (signAlg == null) {
1728 throw new SSLHandshakeException(
1729 "Illegal CertificateVerify message");
1730 }
1731
1732 String hashAlg =
1733 SignatureAndHashAlgorithm.getHashAlgorithmName(signAlg);
1734 if (hashAlg == null || hashAlg.length() == 0) {
1735 throw new SSLHandshakeException(
1736 "No supported hash algorithm");
1737 }
1738 }
1739
1740 try {
1741 PublicKey publicKey =
1742 session.getPeerCertificates()[0].getPublicKey();
1743
1744 boolean valid = mesg.verify(protocolVersion, handshakeHash,
1745 publicKey, session.getMasterSecret());
1746 if (valid == false) {
1747 fatalSE(Alerts.alert_bad_certificate,
1748 "certificate verify message signature error");
1749 }
1750 } catch (GeneralSecurityException e) {
1751 fatalSE(Alerts.alert_bad_certificate,
1752 "certificate verify format error", e);
1753 }
1754
1755 // reset the flag for clientCertificateVerify message
1756 needClientVerify = false;
1757 }
1758
1759
1760 /*
1761 * Client writes "finished" at the end of its handshake, after cipher
1762 * spec is changed. We verify it and then send ours.
1763 *
1764 * When we're resuming a session, we'll have already sent our own
1765 * Finished message so just the verification is needed.
1766 */
1767 private void clientFinished(Finished mesg) throws IOException {
1768 if (debug != null && Debug.isOn("handshake")) {
1769 mesg.print(System.out);
1770 }
1771
1772 /*
1773 * Verify if client did send the certificate when client
1774 * authentication was required, otherwise server should not proceed
1775 */
1776 if (doClientAuth == ClientAuthType.CLIENT_AUTH_REQUIRED) {
1777 // get X500Principal of the end-entity certificate for X509-based
1778 // ciphersuites, or Kerberos principal for Kerberos ciphersuites, etc
1779 session.getPeerPrincipal();
1780 }
1781
1782 /*
1783 * Verify if client did send clientCertificateVerify message following
1784 * the client Certificate, otherwise server should not proceed
1785 */
1786 if (needClientVerify) {
1787 fatalSE(Alerts.alert_handshake_failure,
1788 "client did not send certificate verify message");
1789 }
1790
1791 /*
1792 * Verify the client's message with the "before" digest of messages,
1793 * and forget about continuing to use that digest.
1794 */
1795 boolean verified = mesg.verify(handshakeHash, Finished.CLIENT,
1796 session.getMasterSecret());
1797
1798 if (!verified) {
1799 fatalSE(Alerts.alert_handshake_failure,
1800 "client 'finished' message doesn't verify");
1801 // NOTREACHED
1802 }
1803
1804 /*
1805 * save client verify data for secure renegotiation
1806 */
1807 if (secureRenegotiation) {
1808 clientVerifyData = mesg.getVerifyData();
1809 }
1810
1811 /*
1812 * OK, it verified. If we're doing the full handshake, add that
1813 * "Finished" message to the hash of handshake messages, then send
1814 * the change_cipher_spec and Finished message.
1815 */
1816 if (!resumingSession) {
1817 sendChangeCipherAndFinish(true);
1818 } else {
1819 handshakeFinished = true;
1820 }
1821
1822 /*
1823 * Update the session cache only after the handshake completed, else
1824 * we're open to an attack against a partially completed handshake.
1825 */
1826 session.setLastAccessedTime(System.currentTimeMillis());
1827 if (!resumingSession && session.isRejoinable()) {
1828 ((SSLSessionContextImpl)sslContext.engineGetServerSessionContext())
1829 .put(session);
1830 if (debug != null && Debug.isOn("session")) {
1831 System.out.println(
1832 "%% Cached server session: " + session);
1833 }
1834 } else if (!resumingSession &&
1835 debug != null && Debug.isOn("session")) {
1836 System.out.println(
1837 "%% Didn't cache non-resumable server session: "
1838 + session);
1839 }
1840 }
1841
1842 /*
1843 * Compute finished message with the "server" digest (and then forget
1844 * about that digest, it can't be used again).
1845 */
1846 private void sendChangeCipherAndFinish(boolean finishedTag)
1847 throws IOException {
1848
1849 // Reload if this message has been reserved.
1850 handshakeHash.reload();
1851
1852 Finished mesg = new Finished(protocolVersion, handshakeHash,
1853 Finished.SERVER, session.getMasterSecret(), cipherSuite);
1854
1855 /*
1856 * Send the change_cipher_spec record; then our Finished handshake
1857 * message will be the last handshake message. Flush, and now we
1858 * are ready for application data!!
1859 */
1860 sendChangeCipherSpec(mesg, finishedTag);
1861
1862 /*
1863 * save server verify data for secure renegotiation
1864 */
1865 if (secureRenegotiation) {
1866 serverVerifyData = mesg.getVerifyData();
1867 }
1868 }
1869
1870
1871 /*
1872 * Returns a HelloRequest message to kickstart renegotiations
1873 */
1874 @Override
1875 HandshakeMessage getKickstartMessage() {
1876 return new HelloRequest();
1877 }
1878
1879
1880 /*
1881 * Fault detected during handshake.
1882 */
1883 @Override
1884 void handshakeAlert(byte description) throws SSLProtocolException {
1885
1886 String message = Alerts.alertDescription(description);
1887
1888 if (debug != null && Debug.isOn("handshake")) {
1889 System.out.println("SSL -- handshake alert: "
1890 + message);
1891 }
1892
1893 /*
1894 * It's ok to get a no_certificate alert from a client of which
1895 * we *requested* authentication information.
1896 * However, if we *required* it, then this is not acceptable.
1897 *
1898 * Anyone calling getPeerCertificates() on the
1899 * session will get an SSLPeerUnverifiedException.
1900 */
1901 if ((description == Alerts.alert_no_certificate) &&
1902 (doClientAuth == ClientAuthType.CLIENT_AUTH_REQUESTED)) {
1903 return;
1904 }
1905
1906 throw new SSLProtocolException("handshake alert: " + message);
1907 }
1908
1909 /*
1910 * RSA key exchange is normally used. The client encrypts a "pre-master
1911 * secret" with the server's public key, from the Certificate (or else
1912 * ServerKeyExchange) message that was sent to it by the server. That's
1913 * decrypted using the private key before we get here.
1914 */
1915 private SecretKey clientKeyExchange(RSAClientKeyExchange mesg)
1916 throws IOException {
1917
1918 if (debug != null && Debug.isOn("handshake")) {
1919 mesg.print(System.out);
1920 }
1921 return mesg.preMaster;
1922 }
1923
1924 /*
1925 * Verify the certificate sent by the client. We'll only get one if we
1926 * sent a CertificateRequest to request client authentication. If we
1927 * are in TLS mode, the client may send a message with no certificates
1928 * to indicate it does not have an appropriate chain. (In SSLv3 mode,
1929 * it would send a no certificate alert).
1930 */
1931 private void clientCertificate(CertificateMsg mesg) throws IOException {
1932 if (debug != null && Debug.isOn("handshake")) {
1933 mesg.print(System.out);
1934 }
1935
1936 X509Certificate[] peerCerts = mesg.getCertificateChain();
1937
1938 if (peerCerts.length == 0) {
1939 /*
1940 * If the client authentication is only *REQUESTED* (e.g.
1941 * not *REQUIRED*, this is an acceptable condition.)
1942 */
1943 if (doClientAuth == ClientAuthType.CLIENT_AUTH_REQUESTED) {
1944 return;
1945 } else {
1946 fatalSE(Alerts.alert_bad_certificate,
1947 "null cert chain");
1948 }
1949 }
1950
1951 // ask the trust manager to verify the chain
1952 X509TrustManager tm = sslContext.getX509TrustManager();
1953
1954 try {
1955 // find out the types of client authentication used
1956 PublicKey key = peerCerts[0].getPublicKey();
1957 String keyAlgorithm = key.getAlgorithm();
1958 String authType;
1959 if (keyAlgorithm.equals("RSA")) {
1960 authType = "RSA";
1961 } else if (keyAlgorithm.equals("DSA")) {
1962 authType = "DSA";
1963 } else if (keyAlgorithm.equals("EC")) {
1964 authType = "EC";
1965 } else {
1966 // unknown public key type
1967 authType = "UNKNOWN";
1968 }
1969
1970 if (tm instanceof X509ExtendedTrustManager) {
1971 if (conn != null) {
1972 ((X509ExtendedTrustManager)tm).checkClientTrusted(
1973 peerCerts.clone(),
1974 authType,
1975 conn);
1976 } else {
1977 ((X509ExtendedTrustManager)tm).checkClientTrusted(
1978 peerCerts.clone(),
1979 authType,
1980 engine);
1981 }
1982 } else {
1983 // Unlikely to happen, because we have wrapped the old
1984 // X509TrustManager with the new X509ExtendedTrustManager.
1985 throw new CertificateException(
1986 "Improper X509TrustManager implementation");
1987 }
1988 } catch (CertificateException e) {
1989 // This will throw an exception, so include the original error.
1990 fatalSE(Alerts.alert_certificate_unknown, e);
1991 }
1992 // set the flag for clientCertificateVerify message
1993 needClientVerify = true;
1994
1995 session.setPeerCertificates(peerCerts);
1996 }
1997
1998 private StaplingParameters processStapling(ClientHello mesg) {
1999 StaplingParameters params = null;
2000 ExtensionType ext;
2001 StatusRequestType type = null;
2002 StatusRequest req = null;
2003 Map<X509Certificate, byte[]> responses;
2004
2005 // If this feature has not been enabled, then no more processing
2006 // is necessary. Also we will only staple if we're doing a full
2007 // handshake.
2008 if (!sslContext.isStaplingEnabled(false) || resumingSession) {
2009 return null;
2010 }
2011
2012 // Check if the client has asserted the status_request[_v2] extension(s)
2013 CertStatusReqExtension statReqExt = (CertStatusReqExtension)
2014 mesg.extensions.get(ExtensionType.EXT_STATUS_REQUEST);
2015 CertStatusReqListV2Extension statReqExtV2 =
2016 (CertStatusReqListV2Extension)mesg.extensions.get(
2017 ExtensionType.EXT_STATUS_REQUEST_V2);
2018 // Keep processing only if either status_request or status_request_v2
2019 // has been sent in the ClientHello.
2020 if (statReqExt == null && statReqExtV2 == null) {
2021 return null;
2022 }
2023
2024 // Determine which type of stapling we are doing and assert the
2025 // proper extension in the server hello.
2026 // Favor status_request_v2 over status_request and ocsp_multi
2027 // over ocsp.
2028 // If multiple ocsp or ocsp_multi types exist, select the first
2029 // instance of a given type
2030 ext = ExtensionType.EXT_STATUS_REQUEST;
2031 if (statReqExtV2 != null) { // RFC 6961 stapling
2032 ext = ExtensionType.EXT_STATUS_REQUEST_V2;
2033 List<CertStatusReqItemV2> reqItems =
2034 statReqExtV2.getRequestItems();
2035 int ocspIdx = -1;
2036 int ocspMultiIdx = -1;
2037 for (int pos = 0; pos < reqItems.size(); pos++) {
2038 CertStatusReqItemV2 item = reqItems.get(pos);
2039 if (ocspIdx < 0 && item.getType() ==
2040 StatusRequestType.OCSP) {
2041 ocspIdx = pos;
2042 } else if (ocspMultiIdx < 0 && item.getType() ==
2043 StatusRequestType.OCSP_MULTI) {
2044 ocspMultiIdx = pos;
2045 }
2046 }
2047 if (ocspMultiIdx >= 0) {
2048 type = reqItems.get(ocspMultiIdx).getType();
2049 req = reqItems.get(ocspMultiIdx).getRequest();
2050 } else if (ocspIdx >= 0) {
2051 type = reqItems.get(ocspIdx).getType();
2052 req = reqItems.get(ocspIdx).getRequest();
2053 }
2054 } else { // RFC 6066 stapling
2055 type = StatusRequestType.OCSP;
2056 req = statReqExt.getRequest();
2057 }
2058
2059 // If, after walking through the extensions we were unable to
2060 // find a suitable StatusRequest, then stapling is disabled.
2061 // Both statReqType and statReqData must have been set to continue.
2062 if (type == null || req == null) {
2063 return null;
2064 }
2065
2066 // Get the OCSP responses from the StatusResponseManager
2067 StatusResponseManager statRespMgr =
2068 sslContext.getStatusResponseManager();
2069 if (statRespMgr != null) {
2070 responses = statRespMgr.get(type, req, certs, statusRespTimeout,
2071 TimeUnit.MILLISECONDS);
2072 if (!responses.isEmpty()) {
2073 // If this RFC 6066-style stapling (SSL cert only) then the
2074 // response cannot be zero length
2075 if (type == StatusRequestType.OCSP) {
2076 byte[] respDER = responses.get(certs[0]);
2077 if (respDER == null || respDER.length <= 0) {
2078 return null;
2079 }
2080 }
2081 params = new StaplingParameters(ext, type, req, responses);
2082 }
2083 } else {
2084 // This should not happen, but if lazy initialization of the
2085 // StatusResponseManager doesn't occur we should turn off stapling.
2086 if (debug != null && Debug.isOn("handshake")) {
2087 System.out.println("Warning: lazy initialization " +
2088 "of the StatusResponseManager failed. " +
2089 "Stapling has been disabled.");
2090 }
2091 }
2092
2093 return params;
2094 }
2095
2096 /**
2097 * Inner class used to hold stapling parameters needed by the handshaker
2098 * when stapling is active.
2099 */
2100 private class StaplingParameters {
2101 private final ExtensionType statusRespExt;
2102 private final StatusRequestType statReqType;
2103 private final StatusRequest statReqData;
2104 private final Map<X509Certificate, byte[]> responseMap;
2105
2106 StaplingParameters(ExtensionType ext, StatusRequestType type,
2107 StatusRequest req, Map<X509Certificate, byte[]> responses) {
2108 statusRespExt = ext;
2109 statReqType = type;
2110 statReqData = req;
2111 responseMap = responses;
2112 }
2113 }
2114 }