1 /* 2 * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package sun.security.ssl; 27 28 import java.io.IOException; 29 import java.math.BigInteger; 30 import java.nio.ByteBuffer; 31 import java.security.CryptoPrimitive; 32 import java.security.GeneralSecurityException; 33 import java.security.InvalidAlgorithmParameterException; 34 import java.security.InvalidKeyException; 35 import java.security.Key; 36 import java.security.KeyFactory; 37 import java.security.NoSuchAlgorithmException; 38 import java.security.PrivateKey; 39 import java.security.PublicKey; 40 import java.security.Signature; 41 import java.security.SignatureException; 42 import java.text.MessageFormat; 43 import java.util.EnumSet; 44 import java.util.Locale; 45 import java.util.Map; 46 import javax.crypto.interfaces.DHPublicKey; 47 import javax.crypto.spec.DHParameterSpec; 48 import javax.crypto.spec.DHPublicKeySpec; 49 import sun.security.ssl.DHKeyExchange.DHECredentials; 50 import sun.security.ssl.DHKeyExchange.DHEPossession; 51 import sun.security.ssl.SSLHandshake.HandshakeMessage; 52 import sun.security.ssl.X509Authentication.X509Credentials; 53 import sun.security.ssl.X509Authentication.X509Possession; 54 import sun.security.util.HexDumpEncoder; 55 import sun.security.util.KeyUtil; 56 57 /** 58 * Pack of the ServerKeyExchange handshake message. 59 */ 60 final class DHServerKeyExchange { 61 static final SSLConsumer dhHandshakeConsumer = 62 new DHServerKeyExchangeConsumer(); 63 static final HandshakeProducer dhHandshakeProducer = 64 new DHServerKeyExchangeProducer(); 65 66 /** 67 * The DiffieHellman ServerKeyExchange handshake message. 68 */ 69 private static final 70 class DHServerKeyExchangeMessage extends HandshakeMessage { 71 // public key encapsulated in this message 72 private final byte[] p; // 1 to 2^16 - 1 bytes 73 private final byte[] g; // 1 to 2^16 - 1 bytes 74 private final byte[] y; // 1 to 2^16 - 1 bytes 75 76 // the signature algorithm used by this ServerKeyExchange message 77 private final boolean useExplicitSigAlgorithm; 78 private final SignatureScheme signatureScheme; 79 80 // signature bytes, or null if anonymous 81 private final byte[] paramsSignature; 82 83 DHServerKeyExchangeMessage( 84 HandshakeContext handshakeContext) throws IOException { 85 super(handshakeContext); 86 87 // This happens in server side only. 88 ServerHandshakeContext shc = 89 (ServerHandshakeContext)handshakeContext; 90 91 DHEPossession dhePossession = null; 92 X509Possession x509Possession = null; 93 for (SSLPossession possession : shc.handshakePossessions) { 94 if (possession instanceof DHEPossession) { 95 dhePossession = (DHEPossession)possession; 96 if (x509Possession != null) { 97 break; 98 } 99 } else if (possession instanceof X509Possession) { 100 x509Possession = (X509Possession)possession; 101 if (dhePossession != null) { 102 break; 103 } 104 } 105 } 106 107 if (dhePossession == null) { 108 // unlikely 109 throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER, 110 "No DHE credentials negotiated for server key exchange"); 111 } 112 DHPublicKey publicKey = dhePossession.publicKey; 113 DHParameterSpec params = publicKey.getParams(); 114 this.p = Utilities.toByteArray(params.getP()); 115 this.g = Utilities.toByteArray(params.getG()); 116 this.y = Utilities.toByteArray(publicKey.getY()); 117 118 if (x509Possession == null) { 119 // anonymous, no authentication, no signature 120 paramsSignature = null; 121 signatureScheme = null; 122 useExplicitSigAlgorithm = false; 123 } else { 124 useExplicitSigAlgorithm = 125 shc.negotiatedProtocol.useTLS12PlusSpec(); 126 Signature signer = null; 127 if (useExplicitSigAlgorithm) { 128 Map.Entry<SignatureScheme, Signature> schemeAndSigner = 129 SignatureScheme.getSignerOfPreferableAlgorithm( 130 shc.peerRequestedSignatureSchemes, 131 x509Possession, 132 shc.negotiatedProtocol); 133 if (schemeAndSigner == null) { 134 // Unlikely, the credentials generator should have 135 // selected the preferable signature algorithm properly. 136 throw shc.conContext.fatal(Alert.INTERNAL_ERROR, 137 "No supported signature algorithm for " + 138 x509Possession.popPrivateKey.getAlgorithm() + 139 " key"); 140 } else { 141 signatureScheme = schemeAndSigner.getKey(); 142 signer = schemeAndSigner.getValue(); 143 } 144 } else { 145 signatureScheme = null; 146 try { 147 signer = getSignature( 148 x509Possession.popPrivateKey.getAlgorithm(), 149 x509Possession.popPrivateKey); 150 } catch (NoSuchAlgorithmException | InvalidKeyException e) { 151 throw shc.conContext.fatal(Alert.INTERNAL_ERROR, 152 "Unsupported signature algorithm: " + 153 x509Possession.popPrivateKey.getAlgorithm(), e); 154 } 155 } 156 157 byte[] signature = null; 158 try { 159 updateSignature(signer, shc.clientHelloRandom.randomBytes, 160 shc.serverHelloRandom.randomBytes); 161 signature = signer.sign(); 162 } catch (SignatureException ex) { 163 throw shc.conContext.fatal(Alert.INTERNAL_ERROR, 164 "Failed to sign dhe parameters: " + 165 x509Possession.popPrivateKey.getAlgorithm(), ex); 166 } 167 paramsSignature = signature; 168 } 169 } 170 171 DHServerKeyExchangeMessage(HandshakeContext handshakeContext, 172 ByteBuffer m) throws IOException { 173 super(handshakeContext); 174 175 // This happens in client side only. 176 ClientHandshakeContext chc = 177 (ClientHandshakeContext)handshakeContext; 178 179 this.p = Record.getBytes16(m); 180 this.g = Record.getBytes16(m); 181 this.y = Record.getBytes16(m); 182 183 try { 184 KeyUtil.validate(new DHPublicKeySpec( 185 new BigInteger(1, y), 186 new BigInteger(1, p), 187 new BigInteger(1, p))); 188 } catch (InvalidKeyException ike) { 189 throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE, 190 "Invalid DH ServerKeyExchange: invalid parameters", ike); 191 } 192 193 X509Credentials x509Credentials = null; 194 for (SSLCredentials cd : chc.handshakeCredentials) { 195 if (cd instanceof X509Credentials) { 196 x509Credentials = (X509Credentials)cd; 197 break; 198 } 199 } 200 201 if (x509Credentials == null) { 202 // anonymous, no authentication, no signature 203 if (m.hasRemaining()) { 204 throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE, 205 "Invalid DH ServerKeyExchange: unknown extra data"); 206 } 207 208 this.signatureScheme = null; 209 this.paramsSignature = null; 210 this.useExplicitSigAlgorithm = false; 211 212 return; 213 } 214 215 this.useExplicitSigAlgorithm = 216 chc.negotiatedProtocol.useTLS12PlusSpec(); 217 if (useExplicitSigAlgorithm) { 218 int ssid = Record.getInt16(m); 219 signatureScheme = SignatureScheme.valueOf(ssid); 220 if (signatureScheme == null) { 221 throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE, 222 "Invalid signature algorithm (" + ssid + 223 ") used in DH ServerKeyExchange handshake message"); 224 } 225 226 if (!chc.localSupportedSignAlgs.contains(signatureScheme)) { 227 throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE, 228 "Unsupported signature algorithm (" + 229 signatureScheme.name + 230 ") used in DH ServerKeyExchange handshake message"); 231 } 232 } else { 233 this.signatureScheme = null; 234 } 235 236 // read and verify the signature 237 this.paramsSignature = Record.getBytes16(m); 238 Signature signer; 239 if (useExplicitSigAlgorithm) { 240 try { 241 signer = signatureScheme.getVerifier( 242 x509Credentials.popPublicKey); 243 } catch (NoSuchAlgorithmException | InvalidKeyException | 244 InvalidAlgorithmParameterException nsae) { 245 throw chc.conContext.fatal(Alert.INTERNAL_ERROR, 246 "Unsupported signature algorithm: " + 247 signatureScheme.name, nsae); 248 } 249 } else { 250 try { 251 signer = getSignature( 252 x509Credentials.popPublicKey.getAlgorithm(), 253 x509Credentials.popPublicKey); 254 } catch (NoSuchAlgorithmException | InvalidKeyException e) { 255 throw chc.conContext.fatal(Alert.INTERNAL_ERROR, 256 "Unsupported signature algorithm: " + 257 x509Credentials.popPublicKey.getAlgorithm(), e); 258 } 259 } 260 261 try { 262 updateSignature(signer, 263 chc.clientHelloRandom.randomBytes, 264 chc.serverHelloRandom.randomBytes); 265 266 if (!signer.verify(paramsSignature)) { 267 throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE, 268 "Invalid signature on DH ServerKeyExchange message"); 269 } 270 } catch (SignatureException ex) { 271 throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE, 272 "Cannot verify DH ServerKeyExchange signature", ex); 273 } 274 } 275 276 @Override 277 public SSLHandshake handshakeType() { 278 return SSLHandshake.SERVER_KEY_EXCHANGE; 279 } 280 281 @Override 282 public int messageLength() { 283 int sigLen = 0; 284 if (paramsSignature != null) { 285 sigLen = 2 + paramsSignature.length; 286 if (useExplicitSigAlgorithm) { 287 sigLen += SignatureScheme.sizeInRecord(); 288 } 289 } 290 291 return 6 + p.length + g.length + y.length + sigLen; 292 // 6: overhead for p, g, y values 293 } 294 295 @Override 296 public void send(HandshakeOutStream hos) throws IOException { 297 hos.putBytes16(p); 298 hos.putBytes16(g); 299 hos.putBytes16(y); 300 301 if (paramsSignature != null) { 302 if (useExplicitSigAlgorithm) { 303 hos.putInt16(signatureScheme.id); 304 } 305 306 hos.putBytes16(paramsSignature); 307 } 308 } 309 310 @Override 311 public String toString() { 312 if (paramsSignature == null) { // anonymous 313 MessageFormat messageFormat = new MessageFormat( 314 "\"DH ServerKeyExchange\": '{'\n" + 315 " \"parameters\": '{'\n" + 316 " \"dh_p\": '{'\n" + 317 "{0}\n" + 318 " '}',\n" + 319 " \"dh_g\": '{'\n" + 320 "{1}\n" + 321 " '}',\n" + 322 " \"dh_Ys\": '{'\n" + 323 "{2}\n" + 324 " '}',\n" + 325 " '}'\n" + 326 "'}'", 327 Locale.ENGLISH); 328 329 HexDumpEncoder hexEncoder = new HexDumpEncoder(); 330 Object[] messageFields = { 331 Utilities.indent( 332 hexEncoder.encodeBuffer(p), " "), 333 Utilities.indent( 334 hexEncoder.encodeBuffer(g), " "), 335 Utilities.indent( 336 hexEncoder.encodeBuffer(y), " "), 337 }; 338 339 return messageFormat.format(messageFields); 340 } 341 342 if (useExplicitSigAlgorithm) { 343 MessageFormat messageFormat = new MessageFormat( 344 "\"DH ServerKeyExchange\": '{'\n" + 345 " \"parameters\": '{'\n" + 346 " \"dh_p\": '{'\n" + 347 "{0}\n" + 348 " '}',\n" + 349 " \"dh_g\": '{'\n" + 350 "{1}\n" + 351 " '}',\n" + 352 " \"dh_Ys\": '{'\n" + 353 "{2}\n" + 354 " '}',\n" + 355 " '}',\n" + 356 " \"digital signature\": '{'\n" + 357 " \"signature algorithm\": \"{3}\"\n" + 358 " \"signature\": '{'\n" + 359 "{4}\n" + 360 " '}',\n" + 361 " '}'\n" + 362 "'}'", 363 Locale.ENGLISH); 364 365 HexDumpEncoder hexEncoder = new HexDumpEncoder(); 366 Object[] messageFields = { 367 Utilities.indent( 368 hexEncoder.encodeBuffer(p), " "), 369 Utilities.indent( 370 hexEncoder.encodeBuffer(g), " "), 371 Utilities.indent( 372 hexEncoder.encodeBuffer(y), " "), 373 signatureScheme.name, 374 Utilities.indent( 375 hexEncoder.encodeBuffer(paramsSignature), " ") 376 }; 377 378 return messageFormat.format(messageFields); 379 } else { 380 MessageFormat messageFormat = new MessageFormat( 381 "\"DH ServerKeyExchange\": '{'\n" + 382 " \"parameters\": '{'\n" + 383 " \"dh_p\": '{'\n" + 384 "{0}\n" + 385 " '}',\n" + 386 " \"dh_g\": '{'\n" + 387 "{1}\n" + 388 " '}',\n" + 389 " \"dh_Ys\": '{'\n" + 390 "{2}\n" + 391 " '}',\n" + 392 " '}',\n" + 393 " \"signature\": '{'\n" + 394 "{3}\n" + 395 " '}'\n" + 396 "'}'", 397 Locale.ENGLISH); 398 399 HexDumpEncoder hexEncoder = new HexDumpEncoder(); 400 Object[] messageFields = { 401 Utilities.indent( 402 hexEncoder.encodeBuffer(p), " "), 403 Utilities.indent( 404 hexEncoder.encodeBuffer(g), " "), 405 Utilities.indent( 406 hexEncoder.encodeBuffer(y), " "), 407 Utilities.indent( 408 hexEncoder.encodeBuffer(paramsSignature), " ") 409 }; 410 411 return messageFormat.format(messageFields); 412 } 413 } 414 415 private static Signature getSignature(String keyAlgorithm, 416 Key key) throws NoSuchAlgorithmException, InvalidKeyException { 417 Signature signer = null; 418 switch (keyAlgorithm) { 419 case "DSA": 420 signer = JsseJce.getSignature(JsseJce.SIGNATURE_DSA); 421 break; 422 case "RSA": 423 signer = RSASignature.getInstance(); 424 break; 425 default: 426 throw new NoSuchAlgorithmException( 427 "neither an RSA or a DSA key : " + keyAlgorithm); 428 } 429 430 if (signer != null) { 431 if (key instanceof PublicKey) { 432 signer.initVerify((PublicKey)(key)); 433 } else { 434 signer.initSign((PrivateKey)key); 435 } 436 } 437 438 return signer; 439 } 440 441 /* 442 * Update sig with nonces and Diffie-Hellman public key. 443 */ 444 private void updateSignature(Signature sig, byte[] clntNonce, 445 byte[] svrNonce) throws SignatureException { 446 int tmp; 447 448 sig.update(clntNonce); 449 sig.update(svrNonce); 450 451 sig.update((byte)(p.length >> 8)); 452 sig.update((byte)(p.length & 0x0ff)); 453 sig.update(p); 454 455 sig.update((byte)(g.length >> 8)); 456 sig.update((byte)(g.length & 0x0ff)); 457 sig.update(g); 458 459 sig.update((byte)(y.length >> 8)); 460 sig.update((byte)(y.length & 0x0ff)); 461 sig.update(y); 462 } 463 } 464 465 /** 466 * The DiffieHellman "ServerKeyExchange" handshake message producer. 467 */ 468 static final class DHServerKeyExchangeProducer 469 implements HandshakeProducer { 470 // Prevent instantiation of this class. 471 private DHServerKeyExchangeProducer() { 472 // blank 473 } 474 475 @Override 476 public byte[] produce(ConnectionContext context, 477 HandshakeMessage message) throws IOException { 478 // The producing happens in server side only. 479 ServerHandshakeContext shc = (ServerHandshakeContext)context; 480 DHServerKeyExchangeMessage skem = 481 new DHServerKeyExchangeMessage(shc); 482 if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { 483 SSLLogger.fine( 484 "Produced DH ServerKeyExchange handshake message", skem); 485 } 486 487 // Output the handshake message. 488 skem.write(shc.handshakeOutput); 489 shc.handshakeOutput.flush(); 490 491 // The handshake message has been delivered. 492 return null; 493 } 494 } 495 496 /** 497 * The DiffieHellman "ServerKeyExchange" handshake message consumer. 498 */ 499 static final class DHServerKeyExchangeConsumer implements SSLConsumer { 500 // Prevent instantiation of this class. 501 private DHServerKeyExchangeConsumer() { 502 // blank 503 } 504 505 @Override 506 public void consume(ConnectionContext context, 507 ByteBuffer message) throws IOException { 508 // The consuming happens in client side only. 509 ClientHandshakeContext chc = (ClientHandshakeContext)context; 510 511 DHServerKeyExchangeMessage skem = 512 new DHServerKeyExchangeMessage(chc, message); 513 if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { 514 SSLLogger.fine( 515 "Consuming DH ServerKeyExchange handshake message", skem); 516 } 517 518 // 519 // validate 520 // 521 // check constraints of EC PublicKey 522 DHPublicKey publicKey; 523 try { 524 KeyFactory kf = JsseJce.getKeyFactory("DiffieHellman"); 525 DHPublicKeySpec spec = new DHPublicKeySpec( 526 new BigInteger(1, skem.y), 527 new BigInteger(1, skem.p), 528 new BigInteger(1, skem.g)); 529 publicKey = (DHPublicKey)kf.generatePublic(spec); 530 } catch (GeneralSecurityException gse) { 531 throw chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY, 532 "Could not generate DHPublicKey", gse); 533 } 534 535 if (!chc.algorithmConstraints.permits( 536 EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), publicKey)) { 537 throw chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY, 538 "DH ServerKeyExchange does not comply to " + 539 "algorithm constraints"); 540 } 541 542 // 543 // update 544 // 545 NamedGroup namedGroup = NamedGroup.valueOf(publicKey.getParams()); 546 chc.handshakeCredentials.add( 547 new DHECredentials(publicKey, namedGroup)); 548 549 // 550 // produce 551 // 552 // Need no new handshake message producers here. 553 } 554 } 555 } 556