/* * Copyright (c) 2015, 2020, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. Oracle designates this * particular file as subject to the "Classpath" exception as provided * by Oracle in the LICENSE file that accompanied this code. * * This code is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * version 2 for more details (a copy is included in the LICENSE file that * accompanied this code). * * You should have received a copy of the GNU General Public License version * 2 along with this work; if not, write to the Free Software Foundation, * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. * * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA * or visit www.oracle.com if you need additional information or have any * questions. */ package sun.security.ssl; import java.io.ByteArrayInputStream; import java.io.IOException; import java.nio.ByteBuffer; import java.security.PublicKey; import java.security.cert.CertPathValidatorException; import java.security.cert.CertPathValidatorException.BasicReason; import java.security.cert.CertPathValidatorException.Reason; import java.security.cert.CertificateEncodingException; import java.security.cert.CertificateException; import java.security.cert.CertificateFactory; import java.security.cert.CertificateParsingException; import java.security.cert.X509Certificate; import java.text.MessageFormat; import java.util.ArrayList; import java.util.Arrays; import java.util.Collection; import java.util.Collections; import java.util.HashSet; import java.util.LinkedList; import java.util.List; import java.util.Locale; import javax.net.ssl.SSLEngine; import javax.net.ssl.SSLException; import javax.net.ssl.SSLProtocolException; import javax.net.ssl.SSLSocket; import javax.net.ssl.X509ExtendedTrustManager; import javax.net.ssl.X509TrustManager; import javax.security.auth.x500.X500Principal; import static sun.security.ssl.ClientAuthType.CLIENT_AUTH_REQUIRED; import sun.security.ssl.ClientHello.ClientHelloMessage; import sun.security.ssl.SSLHandshake.HandshakeMessage; import sun.security.ssl.X509Authentication.X509Credentials; import sun.security.ssl.X509Authentication.X509Possession; /** * Pack of the CertificateMessage handshake message. */ final class CertificateMessage { static final SSLConsumer t12HandshakeConsumer = new T12CertificateConsumer(); static final HandshakeProducer t12HandshakeProducer = new T12CertificateProducer(); static final SSLConsumer t13HandshakeConsumer = new T13CertificateConsumer(); static final HandshakeProducer t13HandshakeProducer = new T13CertificateProducer(); /** * The Certificate handshake message for TLS 1.2 and previous * SSL/TLS protocol versions. * * In server mode, the certificate handshake message is sent whenever the * agreed-upon key exchange method uses certificates for authentication. * In client mode, this message is only sent if the server requests a * certificate for client authentication. * * opaque ASN.1Cert<1..2^24-1>; * * SSL 3.0: * struct { * ASN.1Cert certificate_list<1..2^24-1>; * } Certificate; * Note: For SSL 3.0 client authentication, if no suitable certificate * is available, the client should send a no_certificate alert instead. * This alert is only a warning; however, the server may respond with * a fatal handshake failure alert if client authentication is required. * * TLS 1.0/1.1/1.2: * struct { * ASN.1Cert certificate_list<0..2^24-1>; * } Certificate; */ static final class T12CertificateMessage extends HandshakeMessage { final List encodedCertChain; T12CertificateMessage(HandshakeContext handshakeContext, X509Certificate[] certChain) throws SSLException { super(handshakeContext); List encodedCerts = new ArrayList<>(certChain.length); for (X509Certificate cert : certChain) { try { encodedCerts.add(cert.getEncoded()); } catch (CertificateEncodingException cee) { // unlikely throw handshakeContext.conContext.fatal( Alert.INTERNAL_ERROR, "Could not encode certificate (" + cert.getSubjectX500Principal() + ")", cee); } } this.encodedCertChain = encodedCerts; } T12CertificateMessage(HandshakeContext handshakeContext, ByteBuffer m) throws IOException { super(handshakeContext); int listLen = Record.getInt24(m); if (listLen > m.remaining()) { throw handshakeContext.conContext.fatal( Alert.ILLEGAL_PARAMETER, "Error parsing certificate message:no sufficient data"); } if (listLen > 0) { List encodedCerts = new LinkedList<>(); while (listLen > 0) { byte[] encodedCert = Record.getBytes24(m); listLen -= (3 + encodedCert.length); encodedCerts.add(encodedCert); if (encodedCerts.size() > SSLConfiguration.maxCertificateChainLength) { throw new SSLProtocolException( "The certificate chain length (" + encodedCerts.size() + ") exceeds the maximum allowed length (" + SSLConfiguration.maxCertificateChainLength + ")"); } } this.encodedCertChain = encodedCerts; } else { this.encodedCertChain = Collections.emptyList(); } } @Override public SSLHandshake handshakeType() { return SSLHandshake.CERTIFICATE; } @Override public int messageLength() { int msgLen = 3; for (byte[] encodedCert : encodedCertChain) { msgLen += (encodedCert.length + 3); } return msgLen; } @Override public void send(HandshakeOutStream hos) throws IOException { int listLen = 0; for (byte[] encodedCert : encodedCertChain) { listLen += (encodedCert.length + 3); } hos.putInt24(listLen); for (byte[] encodedCert : encodedCertChain) { hos.putBytes24(encodedCert); } } @Override public String toString() { if (encodedCertChain.isEmpty()) { return "\"Certificates\": "; } Object[] x509Certs = new Object[encodedCertChain.size()]; try { CertificateFactory cf = CertificateFactory.getInstance("X.509"); int i = 0; for (byte[] encodedCert : encodedCertChain) { Object obj; try { obj = (X509Certificate)cf.generateCertificate( new ByteArrayInputStream(encodedCert)); } catch (CertificateException ce) { obj = encodedCert; } x509Certs[i++] = obj; } } catch (CertificateException ce) { // no X.509 certificate factory service int i = 0; for (byte[] encodedCert : encodedCertChain) { x509Certs[i++] = encodedCert; } } MessageFormat messageFormat = new MessageFormat( "\"Certificates\": [\n" + "{0}\n" + "]", Locale.ENGLISH); Object[] messageFields = { SSLLogger.toString(x509Certs) }; return messageFormat.format(messageFields); } } /** * The "Certificate" handshake message producer for TLS 1.2 and * previous SSL/TLS protocol versions. */ private static final class T12CertificateProducer implements HandshakeProducer { // Prevent instantiation of this class. private T12CertificateProducer() { // blank } @Override public byte[] produce(ConnectionContext context, HandshakeMessage message) throws IOException { // The producing happens in handshake context only. HandshakeContext hc = (HandshakeContext)context; if (hc.sslConfig.isClientMode) { return onProduceCertificate( (ClientHandshakeContext)context, message); } else { return onProduceCertificate( (ServerHandshakeContext)context, message); } } private byte[] onProduceCertificate(ServerHandshakeContext shc, SSLHandshake.HandshakeMessage message) throws IOException { X509Possession x509Possession = null; for (SSLPossession possession : shc.handshakePossessions) { if (possession instanceof X509Possession) { x509Possession = (X509Possession)possession; break; } } if (x509Possession == null) { // unlikely throw shc.conContext.fatal(Alert.INTERNAL_ERROR, "No expected X.509 certificate for server authentication"); } shc.handshakeSession.setLocalPrivateKey( x509Possession.popPrivateKey); shc.handshakeSession.setLocalCertificates(x509Possession.popCerts); T12CertificateMessage cm = new T12CertificateMessage(shc, x509Possession.popCerts); if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.fine( "Produced server Certificate handshake message", cm); } // Output the handshake message. cm.write(shc.handshakeOutput); shc.handshakeOutput.flush(); // The handshake message has been delivered. return null; } private byte[] onProduceCertificate(ClientHandshakeContext chc, SSLHandshake.HandshakeMessage message) throws IOException { X509Possession x509Possession = null; for (SSLPossession possession : chc.handshakePossessions) { if (possession instanceof X509Possession) { x509Possession = (X509Possession)possession; break; } } // Report to the server if no appropriate cert was found. For // SSL 3.0, send a no_certificate alert; TLS 1.0/1.1/1.2 uses // an empty cert chain instead. if (x509Possession == null) { if (chc.negotiatedProtocol.useTLS10PlusSpec()) { if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.fine( "No X.509 certificate for client authentication, " + "use empty Certificate message instead"); } x509Possession = new X509Possession(null, new X509Certificate[0]); } else { if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.fine( "No X.509 certificate for client authentication, " + "send a no_certificate alert"); } chc.conContext.warning(Alert.NO_CERTIFICATE); return null; } } chc.handshakeSession.setLocalPrivateKey( x509Possession.popPrivateKey); if (x509Possession.popCerts != null && x509Possession.popCerts.length != 0) { chc.handshakeSession.setLocalCertificates( x509Possession.popCerts); } else { chc.handshakeSession.setLocalCertificates(null); } T12CertificateMessage cm = new T12CertificateMessage(chc, x509Possession.popCerts); if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.fine( "Produced client Certificate handshake message", cm); } // Output the handshake message. cm.write(chc.handshakeOutput); chc.handshakeOutput.flush(); // The handshake message has been delivered. return null; } } /** * The "Certificate" handshake message consumer for TLS 1.2 and * previous SSL/TLS protocol versions. */ static final class T12CertificateConsumer implements SSLConsumer { // Prevent instantiation of this class. private T12CertificateConsumer() { // blank } @Override public void consume(ConnectionContext context, ByteBuffer message) throws IOException { // The consuming happens in handshake context only. HandshakeContext hc = (HandshakeContext)context; // clean up this consumer hc.handshakeConsumers.remove(SSLHandshake.CERTIFICATE.id); T12CertificateMessage cm = new T12CertificateMessage(hc, message); if (hc.sslConfig.isClientMode) { if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.fine( "Consuming server Certificate handshake message", cm); } onCertificate((ClientHandshakeContext)context, cm); } else { if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.fine( "Consuming client Certificate handshake message", cm); } onCertificate((ServerHandshakeContext)context, cm); } } private void onCertificate(ServerHandshakeContext shc, T12CertificateMessage certificateMessage )throws IOException { List encodedCerts = certificateMessage.encodedCertChain; if (encodedCerts == null || encodedCerts.isEmpty()) { // For empty Certificate messages, we should not expect // a CertificateVerify message to follow shc.handshakeConsumers.remove( SSLHandshake.CERTIFICATE_VERIFY.id); if (shc.sslConfig.clientAuthType != ClientAuthType.CLIENT_AUTH_REQUESTED) { // unexpected or require client authentication throw shc.conContext.fatal(Alert.BAD_CERTIFICATE, "Empty server certificate chain"); } else { return; } } X509Certificate[] x509Certs = new X509Certificate[encodedCerts.size()]; try { CertificateFactory cf = CertificateFactory.getInstance("X.509"); int i = 0; for (byte[] encodedCert : encodedCerts) { x509Certs[i++] = (X509Certificate)cf.generateCertificate( new ByteArrayInputStream(encodedCert)); } } catch (CertificateException ce) { throw shc.conContext.fatal(Alert.BAD_CERTIFICATE, "Failed to parse server certificates", ce); } checkClientCerts(shc, x509Certs); // // update // shc.handshakeCredentials.add( new X509Credentials(x509Certs[0].getPublicKey(), x509Certs)); shc.handshakeSession.setPeerCertificates(x509Certs); } private void onCertificate(ClientHandshakeContext chc, T12CertificateMessage certificateMessage) throws IOException { List encodedCerts = certificateMessage.encodedCertChain; if (encodedCerts == null || encodedCerts.isEmpty()) { throw chc.conContext.fatal(Alert.BAD_CERTIFICATE, "Empty server certificate chain"); } X509Certificate[] x509Certs = new X509Certificate[encodedCerts.size()]; try { CertificateFactory cf = CertificateFactory.getInstance("X.509"); int i = 0; for (byte[] encodedCert : encodedCerts) { x509Certs[i++] = (X509Certificate)cf.generateCertificate( new ByteArrayInputStream(encodedCert)); } } catch (CertificateException ce) { throw chc.conContext.fatal(Alert.BAD_CERTIFICATE, "Failed to parse server certificates", ce); } // Allow server certificate change in client side during // renegotiation after a session-resumption abbreviated // initial handshake? // // DO NOT need to check allowUnsafeServerCertChange here. We only // reserve server certificates when allowUnsafeServerCertChange is // false. if (chc.reservedServerCerts != null && !chc.handshakeSession.useExtendedMasterSecret) { // It is not necessary to check the certificate update if // endpoint identification is enabled. String identityAlg = chc.sslConfig.identificationProtocol; if ((identityAlg == null || identityAlg.isEmpty()) && !isIdentityEquivalent(x509Certs[0], chc.reservedServerCerts[0])) { throw chc.conContext.fatal(Alert.BAD_CERTIFICATE, "server certificate change is restricted " + "during renegotiation"); } } // ask the trust manager to verify the chain if (chc.staplingActive) { // Defer the certificate check until after we've received the // CertificateStatus message. If that message doesn't come in // immediately following this message we will execute the // check from CertificateStatus' absent handler. chc.deferredCerts = x509Certs; } else { // We're not doing stapling, so perform the check right now checkServerCerts(chc, x509Certs); } // // update // chc.handshakeCredentials.add( new X509Credentials(x509Certs[0].getPublicKey(), x509Certs)); chc.handshakeSession.setPeerCertificates(x509Certs); } /* * Whether the certificates can represent the same identity? * * The certificates can be used to represent the same identity: * 1. If the subject alternative names of IP address are present * in both certificates, they should be identical; otherwise, * 2. if the subject alternative names of DNS name are present in * both certificates, they should be identical; otherwise, * 3. if the subject fields are present in both certificates, the * certificate subjects and issuers should be identical. */ private static boolean isIdentityEquivalent(X509Certificate thisCert, X509Certificate prevCert) { if (thisCert.equals(prevCert)) { return true; } // check subject alternative names Collection> thisSubjectAltNames = null; try { thisSubjectAltNames = thisCert.getSubjectAlternativeNames(); } catch (CertificateParsingException cpe) { if (SSLLogger.isOn && SSLLogger.isOn("handshake")) { SSLLogger.fine( "Attempt to obtain subjectAltNames extension failed!"); } } Collection> prevSubjectAltNames = null; try { prevSubjectAltNames = prevCert.getSubjectAlternativeNames(); } catch (CertificateParsingException cpe) { if (SSLLogger.isOn && SSLLogger.isOn("handshake")) { SSLLogger.fine( "Attempt to obtain subjectAltNames extension failed!"); } } if (thisSubjectAltNames != null && prevSubjectAltNames != null) { // check the iPAddress field in subjectAltName extension // // 7: subject alternative name of type IP. Collection thisSubAltIPAddrs = getSubjectAltNames(thisSubjectAltNames, 7); Collection prevSubAltIPAddrs = getSubjectAltNames(prevSubjectAltNames, 7); if (thisSubAltIPAddrs != null && prevSubAltIPAddrs != null && isEquivalent(thisSubAltIPAddrs, prevSubAltIPAddrs)) { return true; } // check the dNSName field in subjectAltName extension // 2: subject alternative name of type IP. Collection thisSubAltDnsNames = getSubjectAltNames(thisSubjectAltNames, 2); Collection prevSubAltDnsNames = getSubjectAltNames(prevSubjectAltNames, 2); if (thisSubAltDnsNames != null && prevSubAltDnsNames != null && isEquivalent(thisSubAltDnsNames, prevSubAltDnsNames)) { return true; } } // check the certificate subject and issuer X500Principal thisSubject = thisCert.getSubjectX500Principal(); X500Principal prevSubject = prevCert.getSubjectX500Principal(); X500Principal thisIssuer = thisCert.getIssuerX500Principal(); X500Principal prevIssuer = prevCert.getIssuerX500Principal(); return (!thisSubject.getName().isEmpty() && !prevSubject.getName().isEmpty() && thisSubject.equals(prevSubject) && thisIssuer.equals(prevIssuer)); } /* * Returns the subject alternative name of the specified type in the * subjectAltNames extension of a certificate. * * Note that only those subjectAltName types that use String data * should be passed into this function. */ private static Collection getSubjectAltNames( Collection> subjectAltNames, int type) { HashSet subAltDnsNames = null; for (List subjectAltName : subjectAltNames) { int subjectAltNameType = (Integer)subjectAltName.get(0); if (subjectAltNameType == type) { String subAltDnsName = (String)subjectAltName.get(1); if ((subAltDnsName != null) && !subAltDnsName.isEmpty()) { if (subAltDnsNames == null) { subAltDnsNames = new HashSet<>(subjectAltNames.size()); } subAltDnsNames.add(subAltDnsName); } } } return subAltDnsNames; } private static boolean isEquivalent(Collection thisSubAltNames, Collection prevSubAltNames) { for (String thisSubAltName : thisSubAltNames) { for (String prevSubAltName : prevSubAltNames) { // Only allow the exactly match. No wildcard character // checking. if (thisSubAltName.equalsIgnoreCase(prevSubAltName)) { return true; } } } return false; } /** * Perform client-side checking of server certificates. * * @param certs an array of {@code X509Certificate} objects presented * by the server in the ServerCertificate message. * * @throws IOException if a failure occurs during validation or * the trust manager associated with the {@code SSLContext} is not * an {@code X509ExtendedTrustManager}. */ static void checkServerCerts(ClientHandshakeContext chc, X509Certificate[] certs) throws IOException { X509TrustManager tm = chc.sslContext.getX509TrustManager(); // find out the key exchange algorithm used // use "RSA" for non-ephemeral "RSA_EXPORT" String keyExchangeString; if (chc.negotiatedCipherSuite.keyExchange == CipherSuite.KeyExchange.K_RSA_EXPORT || chc.negotiatedCipherSuite.keyExchange == CipherSuite.KeyExchange.K_DHE_RSA_EXPORT) { keyExchangeString = CipherSuite.KeyExchange.K_RSA.name; } else { keyExchangeString = chc.negotiatedCipherSuite.keyExchange.name; } try { if (tm instanceof X509ExtendedTrustManager) { if (chc.conContext.transport instanceof SSLEngine) { SSLEngine engine = (SSLEngine)chc.conContext.transport; ((X509ExtendedTrustManager)tm).checkServerTrusted( certs.clone(), keyExchangeString, engine); } else { SSLSocket socket = (SSLSocket)chc.conContext.transport; ((X509ExtendedTrustManager)tm).checkServerTrusted( certs.clone(), keyExchangeString, socket); } } else { // Unlikely to happen, because we have wrapped the old // X509TrustManager with the new X509ExtendedTrustManager. throw new CertificateException( "Improper X509TrustManager implementation"); } // Once the server certificate chain has been validated, set // the certificate chain in the TLS session. chc.handshakeSession.setPeerCertificates(certs); } catch (CertificateException ce) { throw chc.conContext.fatal(getCertificateAlert(chc, ce), ce); } } private static void checkClientCerts(ServerHandshakeContext shc, X509Certificate[] certs) throws IOException { X509TrustManager tm = shc.sslContext.getX509TrustManager(); // find out the types of client authentication used PublicKey key = certs[0].getPublicKey(); String keyAlgorithm = key.getAlgorithm(); String authType; switch (keyAlgorithm) { case "RSA": case "DSA": case "EC": case "RSASSA-PSS": authType = keyAlgorithm; break; default: // unknown public key type authType = "UNKNOWN"; } try { if (tm instanceof X509ExtendedTrustManager) { if (shc.conContext.transport instanceof SSLEngine) { SSLEngine engine = (SSLEngine)shc.conContext.transport; ((X509ExtendedTrustManager)tm).checkClientTrusted( certs.clone(), authType, engine); } else { SSLSocket socket = (SSLSocket)shc.conContext.transport; ((X509ExtendedTrustManager)tm).checkClientTrusted( certs.clone(), authType, socket); } } else { // Unlikely to happen, because we have wrapped the old // X509TrustManager with the new X509ExtendedTrustManager. throw new CertificateException( "Improper X509TrustManager implementation"); } } catch (CertificateException ce) { throw shc.conContext.fatal(Alert.CERTIFICATE_UNKNOWN, ce); } } /** * When a failure happens during certificate checking from an * {@link X509TrustManager}, determine what TLS alert description * to use. * * @param cexc The exception thrown by the {@link X509TrustManager} * * @return A byte value corresponding to a TLS alert description number. */ private static Alert getCertificateAlert( ClientHandshakeContext chc, CertificateException cexc) { // The specific reason for the failure will determine how to // set the alert description value Alert alert = Alert.CERTIFICATE_UNKNOWN; Throwable baseCause = cexc.getCause(); if (baseCause instanceof CertPathValidatorException) { CertPathValidatorException cpve = (CertPathValidatorException)baseCause; Reason reason = cpve.getReason(); if (reason == BasicReason.REVOKED) { alert = chc.staplingActive ? Alert.BAD_CERT_STATUS_RESPONSE : Alert.CERTIFICATE_REVOKED; } else if ( reason == BasicReason.UNDETERMINED_REVOCATION_STATUS) { alert = chc.staplingActive ? Alert.BAD_CERT_STATUS_RESPONSE : Alert.CERTIFICATE_UNKNOWN; } else if (reason == BasicReason.ALGORITHM_CONSTRAINED) { alert = Alert.UNSUPPORTED_CERTIFICATE; } else if (reason == BasicReason.EXPIRED) { alert = Alert.CERTIFICATE_EXPIRED; } else if (reason == BasicReason.INVALID_SIGNATURE || reason == BasicReason.NOT_YET_VALID) { alert = Alert.BAD_CERTIFICATE; } } return alert; } } /** * The certificate entry used in Certificate handshake message for TLS 1.3. */ static final class CertificateEntry { final byte[] encoded; // encoded cert or public key private final SSLExtensions extensions; CertificateEntry(byte[] encoded, SSLExtensions extensions) { this.encoded = encoded; this.extensions = extensions; } private int getEncodedSize() { int extLen = extensions.length(); if (extLen == 0) { extLen = 2; // empty extensions } return 3 + encoded.length + extLen; } @Override public String toString() { MessageFormat messageFormat = new MessageFormat( "\n'{'\n" + "{0}\n" + // X.509 certificate " \"extensions\": '{'\n" + "{1}\n" + " '}'\n" + "'}',", Locale.ENGLISH); Object x509Certs; try { // Don't support certificate type extension (RawPublicKey) yet. CertificateFactory cf = CertificateFactory.getInstance("X.509"); x509Certs = cf.generateCertificate(new ByteArrayInputStream(encoded)); } catch (CertificateException ce) { // no X.509 certificate factory service x509Certs = encoded; } Object[] messageFields = { SSLLogger.toString(x509Certs), Utilities.indent(extensions.toString(), " ") }; return messageFormat.format(messageFields); } } /** * The Certificate handshake message for TLS 1.3. */ static final class T13CertificateMessage extends HandshakeMessage { private final byte[] requestContext; private final List certEntries; T13CertificateMessage(HandshakeContext context, byte[] requestContext, X509Certificate[] certificates) throws SSLException, CertificateException { super(context); this.requestContext = requestContext.clone(); this.certEntries = new LinkedList<>(); for (X509Certificate cert : certificates) { byte[] encoded = cert.getEncoded(); SSLExtensions extensions = new SSLExtensions(this); certEntries.add(new CertificateEntry(encoded, extensions)); } } T13CertificateMessage(HandshakeContext handshakeContext, byte[] requestContext, List certificates) { super(handshakeContext); this.requestContext = requestContext.clone(); this.certEntries = certificates; } T13CertificateMessage(HandshakeContext handshakeContext, ByteBuffer m) throws IOException { super(handshakeContext); // struct { // opaque certificate_request_context<0..2^8-1>; // CertificateEntry certificate_list<0..2^24-1>; // } Certificate; if (m.remaining() < 4) { throw new SSLProtocolException( "Invalid Certificate message: " + "insufficient data (length=" + m.remaining() + ")"); } this.requestContext = Record.getBytes8(m); if (m.remaining() < 3) { throw new SSLProtocolException( "Invalid Certificate message: " + "insufficient certificate entries data (length=" + m.remaining() + ")"); } int listLen = Record.getInt24(m); if (listLen != m.remaining()) { throw new SSLProtocolException( "Invalid Certificate message: " + "incorrect list length (length=" + listLen + ")"); } SSLExtension[] enabledExtensions = handshakeContext.sslConfig.getEnabledExtensions( SSLHandshake.CERTIFICATE); List certList = new LinkedList<>(); while (m.hasRemaining()) { // Note: support only X509 CertificateType right now. byte[] encodedCert = Record.getBytes24(m); if (encodedCert.length == 0) { throw new SSLProtocolException( "Invalid Certificate message: empty cert_data"); } SSLExtensions extensions = new SSLExtensions(this, m, enabledExtensions); certList.add(new CertificateEntry(encodedCert, extensions)); if (certList.size() > SSLConfiguration.maxCertificateChainLength) { throw new SSLProtocolException( "The certificate chain length (" + certList.size() + ") exceeds the maximum allowed length (" + SSLConfiguration.maxCertificateChainLength + ")"); } } this.certEntries = Collections.unmodifiableList(certList); } @Override public SSLHandshake handshakeType() { return SSLHandshake.CERTIFICATE; } @Override public int messageLength() { int msgLen = 4 + requestContext.length; for (CertificateEntry entry : certEntries) { msgLen += entry.getEncodedSize(); } return msgLen; } @Override public void send(HandshakeOutStream hos) throws IOException { int entryListLen = 0; for (CertificateEntry entry : certEntries) { entryListLen += entry.getEncodedSize(); } hos.putBytes8(requestContext); hos.putInt24(entryListLen); for (CertificateEntry entry : certEntries) { hos.putBytes24(entry.encoded); // Is it an empty extensions? if (entry.extensions.length() == 0) { hos.putInt16(0); } else { entry.extensions.send(hos); } } } @Override public String toString() { MessageFormat messageFormat = new MessageFormat( "\"Certificate\": '{'\n" + " \"certificate_request_context\": \"{0}\",\n" + " \"certificate_list\": [{1}\n]\n" + "'}'", Locale.ENGLISH); StringBuilder builder = new StringBuilder(512); for (CertificateEntry entry : certEntries) { builder.append(entry.toString()); } Object[] messageFields = { Utilities.toHexString(requestContext), Utilities.indent(builder.toString()) }; return messageFormat.format(messageFields); } } /** * The "Certificate" handshake message producer for TLS 1.3. */ private static final class T13CertificateProducer implements HandshakeProducer { // Prevent instantiation of this class. private T13CertificateProducer() { // blank } @Override public byte[] produce(ConnectionContext context, HandshakeMessage message) throws IOException { // The producing happens in handshake context only. HandshakeContext hc = (HandshakeContext)context; if (hc.sslConfig.isClientMode) { return onProduceCertificate( (ClientHandshakeContext)context, message); } else { return onProduceCertificate( (ServerHandshakeContext)context, message); } } private byte[] onProduceCertificate(ServerHandshakeContext shc, HandshakeMessage message) throws IOException { ClientHelloMessage clientHello = (ClientHelloMessage)message; SSLPossession pos = choosePossession(shc, clientHello); if (pos == null) { throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE, "No available authentication scheme"); } if (!(pos instanceof X509Possession)) { throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE, "No X.509 certificate for server authentication"); } X509Possession x509Possession = (X509Possession)pos; X509Certificate[] localCerts = x509Possession.popCerts; if (localCerts == null || localCerts.length == 0) { throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE, "No X.509 certificate for server authentication"); } // update the context shc.handshakePossessions.add(x509Possession); shc.handshakeSession.setLocalPrivateKey( x509Possession.popPrivateKey); shc.handshakeSession.setLocalCertificates(localCerts); T13CertificateMessage cm; try { cm = new T13CertificateMessage(shc, (new byte[0]), localCerts); } catch (SSLException | CertificateException ce) { throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE, "Failed to produce server Certificate message", ce); } // Check the OCSP stapling extensions and attempt // to get responses. If the resulting stapleParams is non // null, it implies that stapling is enabled on the server side. shc.stapleParams = StatusResponseManager.processStapling(shc); shc.staplingActive = (shc.stapleParams != null); // Process extensions for each CertificateEntry. // Since there can be multiple CertificateEntries within a // single CT message, we will pin a specific CertificateEntry // into the ServerHandshakeContext so individual extension // producers know which X509Certificate it is processing in // each call. SSLExtension[] enabledCTExts = shc.sslConfig.getEnabledExtensions( SSLHandshake.CERTIFICATE, Arrays.asList(ProtocolVersion.PROTOCOLS_OF_13)); for (CertificateEntry certEnt : cm.certEntries) { shc.currentCertEntry = certEnt; certEnt.extensions.produce(shc, enabledCTExts); } if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.fine("Produced server Certificate message", cm); } // Output the handshake message. cm.write(shc.handshakeOutput); shc.handshakeOutput.flush(); // The handshake message has been delivered. return null; } private static SSLPossession choosePossession( HandshakeContext hc, ClientHelloMessage clientHello) throws IOException { if (hc.peerRequestedCertSignSchemes == null || hc.peerRequestedCertSignSchemes.isEmpty()) { if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.warning( "No signature_algorithms(_cert) in ClientHello"); } return null; } Collection checkedKeyTypes = new HashSet<>(); for (SignatureScheme ss : hc.peerRequestedCertSignSchemes) { if (checkedKeyTypes.contains(ss.keyAlgorithm)) { if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.warning( "Unsupported authentication scheme: " + ss.name); } continue; } // Don't select a signature scheme unless we will be able to // produce a CertificateVerify message later if (SignatureScheme.getPreferableAlgorithm( hc.algorithmConstraints, hc.peerRequestedSignatureSchemes, ss, hc.negotiatedProtocol) == null) { if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.warning( "Unable to produce CertificateVerify for " + "signature scheme: " + ss.name); } checkedKeyTypes.add(ss.keyAlgorithm); continue; } SSLAuthentication ka = X509Authentication.valueOf(ss); if (ka == null) { if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.warning( "Unsupported authentication scheme: " + ss.name); } checkedKeyTypes.add(ss.keyAlgorithm); continue; } SSLPossession pos = ka.createPossession(hc); if (pos == null) { if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.warning( "Unavailable authentication scheme: " + ss.name); } continue; } return pos; } if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.warning("No available authentication scheme"); } return null; } private byte[] onProduceCertificate(ClientHandshakeContext chc, HandshakeMessage message) throws IOException { ClientHelloMessage clientHello = (ClientHelloMessage)message; SSLPossession pos = choosePossession(chc, clientHello); X509Certificate[] localCerts; if (pos == null) { if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.fine("No available client authentication scheme"); } localCerts = new X509Certificate[0]; } else { chc.handshakePossessions.add(pos); if (!(pos instanceof X509Possession)) { if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.fine( "No X.509 certificate for client authentication"); } localCerts = new X509Certificate[0]; } else { X509Possession x509Possession = (X509Possession)pos; localCerts = x509Possession.popCerts; chc.handshakeSession.setLocalPrivateKey( x509Possession.popPrivateKey); } } if (localCerts != null && localCerts.length != 0) { chc.handshakeSession.setLocalCertificates(localCerts); } else { chc.handshakeSession.setLocalCertificates(null); } T13CertificateMessage cm; try { cm = new T13CertificateMessage( chc, chc.certRequestContext, localCerts); } catch (SSLException | CertificateException ce) { throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE, "Failed to produce client Certificate message", ce); } if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.fine("Produced client Certificate message", cm); } // Output the handshake message. cm.write(chc.handshakeOutput); chc.handshakeOutput.flush(); // The handshake message has been delivered. return null; } } /** * The "Certificate" handshake message consumer for TLS 1.3. */ private static final class T13CertificateConsumer implements SSLConsumer { // Prevent instantiation of this class. private T13CertificateConsumer() { // blank } @Override public void consume(ConnectionContext context, ByteBuffer message) throws IOException { // The consuming happens in handshake context only. HandshakeContext hc = (HandshakeContext)context; // clean up this consumer hc.handshakeConsumers.remove(SSLHandshake.CERTIFICATE.id); T13CertificateMessage cm = new T13CertificateMessage(hc, message); if (hc.sslConfig.isClientMode) { if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.fine( "Consuming server Certificate handshake message", cm); } onConsumeCertificate((ClientHandshakeContext)context, cm); } else { if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.fine( "Consuming client Certificate handshake message", cm); } onConsumeCertificate((ServerHandshakeContext)context, cm); } } private void onConsumeCertificate(ServerHandshakeContext shc, T13CertificateMessage certificateMessage )throws IOException { if (certificateMessage.certEntries == null || certificateMessage.certEntries.isEmpty()) { // For empty Certificate messages, we should not expect // a CertificateVerify message to follow shc.handshakeConsumers.remove( SSLHandshake.CERTIFICATE_VERIFY.id); if (shc.sslConfig.clientAuthType == CLIENT_AUTH_REQUIRED) { throw shc.conContext.fatal(Alert.BAD_CERTIFICATE, "Empty client certificate chain"); } else { // optional client authentication return; } } // check client certificate entries X509Certificate[] cliCerts = checkClientCerts(shc, certificateMessage.certEntries); // // update // shc.handshakeCredentials.add( new X509Credentials(cliCerts[0].getPublicKey(), cliCerts)); shc.handshakeSession.setPeerCertificates(cliCerts); } private void onConsumeCertificate(ClientHandshakeContext chc, T13CertificateMessage certificateMessage )throws IOException { if (certificateMessage.certEntries == null || certificateMessage.certEntries.isEmpty()) { throw chc.conContext.fatal(Alert.BAD_CERTIFICATE, "Empty server certificate chain"); } // Each CertificateEntry will have its own set of extensions // which must be consumed. SSLExtension[] enabledExtensions = chc.sslConfig.getEnabledExtensions(SSLHandshake.CERTIFICATE); for (CertificateEntry certEnt : certificateMessage.certEntries) { certEnt.extensions.consumeOnLoad(chc, enabledExtensions); } // check server certificate entries X509Certificate[] srvCerts = checkServerCerts(chc, certificateMessage.certEntries); // // update // chc.handshakeCredentials.add( new X509Credentials(srvCerts[0].getPublicKey(), srvCerts)); chc.handshakeSession.setPeerCertificates(srvCerts); } private static X509Certificate[] checkClientCerts( ServerHandshakeContext shc, List certEntries) throws IOException { X509Certificate[] certs = new X509Certificate[certEntries.size()]; try { CertificateFactory cf = CertificateFactory.getInstance("X.509"); int i = 0; for (CertificateEntry entry : certEntries) { certs[i++] = (X509Certificate)cf.generateCertificate( new ByteArrayInputStream(entry.encoded)); } } catch (CertificateException ce) { throw shc.conContext.fatal(Alert.BAD_CERTIFICATE, "Failed to parse server certificates", ce); } // find out the types of client authentication used String keyAlgorithm = certs[0].getPublicKey().getAlgorithm(); String authType; switch (keyAlgorithm) { case "RSA": case "DSA": case "EC": case "RSASSA-PSS": authType = keyAlgorithm; break; default: // unknown public key type authType = "UNKNOWN"; } try { X509TrustManager tm = shc.sslContext.getX509TrustManager(); if (tm instanceof X509ExtendedTrustManager) { if (shc.conContext.transport instanceof SSLEngine) { SSLEngine engine = (SSLEngine)shc.conContext.transport; ((X509ExtendedTrustManager)tm).checkClientTrusted( certs.clone(), authType, engine); } else { SSLSocket socket = (SSLSocket)shc.conContext.transport; ((X509ExtendedTrustManager)tm).checkClientTrusted( certs.clone(), authType, socket); } } else { // Unlikely to happen, because we have wrapped the old // X509TrustManager with the new X509ExtendedTrustManager. throw new CertificateException( "Improper X509TrustManager implementation"); } // Once the client certificate chain has been validated, set // the certificate chain in the TLS session. shc.handshakeSession.setPeerCertificates(certs); } catch (CertificateException ce) { throw shc.conContext.fatal(Alert.CERTIFICATE_UNKNOWN, ce); } return certs; } private static X509Certificate[] checkServerCerts( ClientHandshakeContext chc, List certEntries) throws IOException { X509Certificate[] certs = new X509Certificate[certEntries.size()]; try { CertificateFactory cf = CertificateFactory.getInstance("X.509"); int i = 0; for (CertificateEntry entry : certEntries) { certs[i++] = (X509Certificate)cf.generateCertificate( new ByteArrayInputStream(entry.encoded)); } } catch (CertificateException ce) { throw chc.conContext.fatal(Alert.BAD_CERTIFICATE, "Failed to parse server certificates", ce); } // find out the types of server authentication used // // Note that the "UNKNOWN" authentication type is sufficient to // check the required digitalSignature KeyUsage for TLS 1.3. String authType = "UNKNOWN"; try { X509TrustManager tm = chc.sslContext.getX509TrustManager(); if (tm instanceof X509ExtendedTrustManager) { if (chc.conContext.transport instanceof SSLEngine) { SSLEngine engine = (SSLEngine)chc.conContext.transport; ((X509ExtendedTrustManager)tm).checkServerTrusted( certs.clone(), authType, engine); } else { SSLSocket socket = (SSLSocket)chc.conContext.transport; ((X509ExtendedTrustManager)tm).checkServerTrusted( certs.clone(), authType, socket); } } else { // Unlikely to happen, because we have wrapped the old // X509TrustManager with the new X509ExtendedTrustManager. throw new CertificateException( "Improper X509TrustManager implementation"); } // Once the server certificate chain has been validated, set // the certificate chain in the TLS session. chc.handshakeSession.setPeerCertificates(certs); } catch (CertificateException ce) { throw chc.conContext.fatal(getCertificateAlert(chc, ce), ce); } return certs; } /** * When a failure happens during certificate checking from an * {@link X509TrustManager}, determine what TLS alert description * to use. * * @param cexc The exception thrown by the {@link X509TrustManager} * * @return A byte value corresponding to a TLS alert description number. */ private static Alert getCertificateAlert( ClientHandshakeContext chc, CertificateException cexc) { // The specific reason for the failure will determine how to // set the alert description value Alert alert = Alert.CERTIFICATE_UNKNOWN; Throwable baseCause = cexc.getCause(); if (baseCause instanceof CertPathValidatorException) { CertPathValidatorException cpve = (CertPathValidatorException)baseCause; Reason reason = cpve.getReason(); if (reason == BasicReason.REVOKED) { alert = chc.staplingActive ? Alert.BAD_CERT_STATUS_RESPONSE : Alert.CERTIFICATE_REVOKED; } else if ( reason == BasicReason.UNDETERMINED_REVOCATION_STATUS) { alert = chc.staplingActive ? Alert.BAD_CERT_STATUS_RESPONSE : Alert.CERTIFICATE_UNKNOWN; } } return alert; } } }