1 /* 2 * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package sun.security.ssl; 27 28 import java.io.IOException; 29 import java.nio.ByteBuffer; 30 import java.security.GeneralSecurityException; 31 import java.security.InvalidAlgorithmParameterException; 32 import java.security.InvalidKeyException; 33 import java.security.Key; 34 import java.security.NoSuchAlgorithmException; 35 import java.security.PrivateKey; 36 import java.security.PublicKey; 37 import java.security.Signature; 38 import java.security.SignatureException; 39 import java.text.MessageFormat; 40 import java.util.Locale; 41 import java.util.Map; 42 import sun.security.ssl.SSLHandshake.HandshakeMessage; 43 import sun.security.ssl.SupportedGroupsExtension.SupportedGroups; 44 import sun.security.ssl.X509Authentication.X509Credentials; 45 import sun.security.ssl.X509Authentication.X509Possession; 46 import sun.security.util.HexDumpEncoder; 47 48 /** 49 * Pack of the ServerKeyExchange handshake message. 50 */ 51 final class ECDHServerKeyExchange { 52 static final SSLConsumer ecdheHandshakeConsumer = 53 new ECDHServerKeyExchangeConsumer(); 54 static final HandshakeProducer ecdheHandshakeProducer = 55 new ECDHServerKeyExchangeProducer(); 56 57 /** 58 * The ECDH ServerKeyExchange handshake message. 59 */ 60 private static final 61 class ECDHServerKeyExchangeMessage extends HandshakeMessage { 62 private static final byte CURVE_NAMED_CURVE = (byte)0x03; 63 64 // id of the named curve 65 private final NamedGroup namedGroup; 66 67 // encoded public point 68 private final byte[] publicPoint; 69 70 // signature bytes, or null if anonymous 71 private final byte[] paramsSignature; 72 73 private final boolean useExplicitSigAlgorithm; 74 75 // the signature algorithm used by this ServerKeyExchange message 76 private final SignatureScheme signatureScheme; 77 78 // the parsed credential object 79 private SSLCredentials sslCredentials; 80 81 ECDHServerKeyExchangeMessage( 82 HandshakeContext handshakeContext) throws IOException { 83 super(handshakeContext); 84 85 // This happens in server side only. 86 ServerHandshakeContext shc = 87 (ServerHandshakeContext)handshakeContext; 88 89 // Find the Possessions needed 90 NamedGroupPossession namedGroupPossession = null; 91 X509Possession x509Possession = null; 92 for (SSLPossession possession : shc.handshakePossessions) { 93 if (possession instanceof NamedGroupPossession) { 94 namedGroupPossession = (NamedGroupPossession)possession; 95 if (x509Possession != null) { 96 break; 97 } 98 } else if (possession instanceof X509Possession) { 99 x509Possession = (X509Possession)possession; 100 if (namedGroupPossession != null) { 101 break; 102 } 103 } 104 } 105 106 if (namedGroupPossession == null) { 107 // unlikely 108 throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER, 109 "No ECDHE credentials negotiated for server key exchange"); 110 } 111 112 // Find the NamedGroup used for the ephemeral keys. 113 namedGroup = namedGroupPossession.getNamedGroup(); 114 publicPoint = namedGroup.encodePossessionPublicKey( 115 namedGroupPossession); 116 117 if ((namedGroup == null) || (namedGroup.oid == null) ) { 118 // unlikely 119 throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER, 120 "Missing Named Group"); 121 } 122 123 if (x509Possession == null) { 124 // anonymous, no authentication, no signature 125 paramsSignature = null; 126 signatureScheme = null; 127 useExplicitSigAlgorithm = false; 128 } else { 129 useExplicitSigAlgorithm = 130 shc.negotiatedProtocol.useTLS12PlusSpec(); 131 Signature signer = null; 132 if (useExplicitSigAlgorithm) { 133 Map.Entry<SignatureScheme, Signature> schemeAndSigner = 134 SignatureScheme.getSignerOfPreferableAlgorithm( 135 shc.peerRequestedSignatureSchemes, 136 x509Possession, 137 shc.negotiatedProtocol); 138 if (schemeAndSigner == null) { 139 // Unlikely, the credentials generator should have 140 // selected the preferable signature algorithm properly. 141 throw shc.conContext.fatal(Alert.INTERNAL_ERROR, 142 "No supported signature algorithm for " + 143 x509Possession.popPrivateKey.getAlgorithm() + 144 " key"); 145 } else { 146 signatureScheme = schemeAndSigner.getKey(); 147 signer = schemeAndSigner.getValue(); 148 } 149 } else { 150 signatureScheme = null; 151 try { 152 signer = getSignature( 153 x509Possession.popPrivateKey.getAlgorithm(), 154 x509Possession.popPrivateKey); 155 } catch (NoSuchAlgorithmException | InvalidKeyException e) { 156 throw shc.conContext.fatal(Alert.INTERNAL_ERROR, 157 "Unsupported signature algorithm: " + 158 x509Possession.popPrivateKey.getAlgorithm(), e); 159 } 160 } 161 162 byte[] signature = null; 163 try { 164 updateSignature(signer, shc.clientHelloRandom.randomBytes, 165 shc.serverHelloRandom.randomBytes, 166 namedGroup.id, publicPoint); 167 signature = signer.sign(); 168 } catch (SignatureException ex) { 169 throw shc.conContext.fatal(Alert.INTERNAL_ERROR, 170 "Failed to sign ecdhe parameters: " + 171 x509Possession.popPrivateKey.getAlgorithm(), ex); 172 } 173 paramsSignature = signature; 174 } 175 } 176 177 ECDHServerKeyExchangeMessage(HandshakeContext handshakeContext, 178 ByteBuffer m) throws IOException { 179 super(handshakeContext); 180 181 // This happens in client side only. 182 ClientHandshakeContext chc = 183 (ClientHandshakeContext)handshakeContext; 184 185 byte curveType = (byte)Record.getInt8(m); 186 if (curveType != CURVE_NAMED_CURVE) { 187 // Unlikely as only the named curves should be negotiated. 188 throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER, 189 "Unsupported ECCurveType: " + curveType); 190 } 191 192 int namedGroupId = Record.getInt16(m); 193 this.namedGroup = NamedGroup.valueOf(namedGroupId); 194 if (namedGroup == null) { 195 throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER, 196 "Unknown named group ID: " + namedGroupId); 197 } 198 199 if (!SupportedGroups.isSupported(namedGroup)) { 200 throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER, 201 "Unsupported named group: " + namedGroup); 202 } 203 204 publicPoint = Record.getBytes8(m); 205 if (publicPoint.length == 0) { 206 throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER, 207 "Insufficient Point data: " + namedGroup); 208 } 209 210 try { 211 sslCredentials = namedGroup.decodeCredentials( 212 publicPoint, handshakeContext.algorithmConstraints, 213 s -> chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY, 214 "ServerKeyExchange " + namedGroup + ": " + (s))); 215 } catch (GeneralSecurityException ex) { 216 throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, 217 "Cannot decode named group: " + 218 NamedGroup.nameOf(namedGroupId)); 219 } 220 221 X509Credentials x509Credentials = null; 222 for (SSLCredentials cd : chc.handshakeCredentials) { 223 if (cd instanceof X509Credentials) { 224 x509Credentials = (X509Credentials)cd; 225 break; 226 } 227 } 228 229 if (x509Credentials == null) { 230 // anonymous, no authentication, no signature 231 if (m.hasRemaining()) { 232 throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE, 233 "Invalid DH ServerKeyExchange: unknown extra data"); 234 } 235 this.signatureScheme = null; 236 this.paramsSignature = null; 237 this.useExplicitSigAlgorithm = false; 238 239 return; 240 } 241 242 this.useExplicitSigAlgorithm = 243 chc.negotiatedProtocol.useTLS12PlusSpec(); 244 if (useExplicitSigAlgorithm) { 245 int ssid = Record.getInt16(m); 246 signatureScheme = SignatureScheme.valueOf(ssid); 247 if (signatureScheme == null) { 248 throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE, 249 "Invalid signature algorithm (" + ssid + 250 ") used in ECDH ServerKeyExchange handshake message"); 251 } 252 253 if (!chc.localSupportedSignAlgs.contains(signatureScheme)) { 254 throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE, 255 "Unsupported signature algorithm (" + 256 signatureScheme.name + 257 ") used in ECDH ServerKeyExchange handshake message"); 258 } 259 } else { 260 signatureScheme = null; 261 } 262 263 // read and verify the signature 264 paramsSignature = Record.getBytes16(m); 265 Signature signer; 266 if (useExplicitSigAlgorithm) { 267 try { 268 signer = signatureScheme.getVerifier( 269 x509Credentials.popPublicKey); 270 } catch (NoSuchAlgorithmException | InvalidKeyException | 271 InvalidAlgorithmParameterException nsae) { 272 throw chc.conContext.fatal(Alert.INTERNAL_ERROR, 273 "Unsupported signature algorithm: " + 274 signatureScheme.name, nsae); 275 } 276 } else { 277 try { 278 signer = getSignature( 279 x509Credentials.popPublicKey.getAlgorithm(), 280 x509Credentials.popPublicKey); 281 } catch (NoSuchAlgorithmException | InvalidKeyException e) { 282 throw chc.conContext.fatal(Alert.INTERNAL_ERROR, 283 "Unsupported signature algorithm: " + 284 x509Credentials.popPublicKey.getAlgorithm(), e); 285 } 286 } 287 288 try { 289 updateSignature(signer, 290 chc.clientHelloRandom.randomBytes, 291 chc.serverHelloRandom.randomBytes, 292 namedGroup.id, publicPoint); 293 294 if (!signer.verify(paramsSignature)) { 295 throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE, 296 "Invalid ECDH ServerKeyExchange signature"); 297 } 298 } catch (SignatureException ex) { 299 throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE, 300 "Cannot verify ECDH ServerKeyExchange signature", ex); 301 } 302 } 303 304 @Override 305 public SSLHandshake handshakeType() { 306 return SSLHandshake.SERVER_KEY_EXCHANGE; 307 } 308 309 @Override 310 public int messageLength() { 311 int sigLen = 0; 312 if (paramsSignature != null) { 313 sigLen = 2 + paramsSignature.length; 314 if (useExplicitSigAlgorithm) { 315 sigLen += SignatureScheme.sizeInRecord(); 316 } 317 } 318 319 return 4 + publicPoint.length + sigLen; 320 } 321 322 @Override 323 public void send(HandshakeOutStream hos) throws IOException { 324 hos.putInt8(CURVE_NAMED_CURVE); 325 hos.putInt16(namedGroup.id); 326 hos.putBytes8(publicPoint); 327 if (paramsSignature != null) { 328 if (useExplicitSigAlgorithm) { 329 hos.putInt16(signatureScheme.id); 330 } 331 332 hos.putBytes16(paramsSignature); 333 } 334 } 335 336 @Override 337 public String toString() { 338 if (useExplicitSigAlgorithm) { 339 MessageFormat messageFormat = new MessageFormat( 340 "\"ECDH ServerKeyExchange\": '{'\n" + 341 " \"parameters\": '{'\n" + 342 " \"named group\": \"{0}\"\n" + 343 " \"ecdh public\": '{'\n" + 344 "{1}\n" + 345 " '}',\n" + 346 " '}',\n" + 347 " \"digital signature\": '{'\n" + 348 " \"signature algorithm\": \"{2}\"\n" + 349 " \"signature\": '{'\n" + 350 "{3}\n" + 351 " '}',\n" + 352 " '}'\n" + 353 "'}'", 354 Locale.ENGLISH); 355 356 HexDumpEncoder hexEncoder = new HexDumpEncoder(); 357 Object[] messageFields = { 358 namedGroup.name, 359 Utilities.indent( 360 hexEncoder.encodeBuffer(publicPoint), " "), 361 signatureScheme.name, 362 Utilities.indent( 363 hexEncoder.encodeBuffer(paramsSignature), " ") 364 }; 365 return messageFormat.format(messageFields); 366 } else if (paramsSignature != null) { 367 MessageFormat messageFormat = new MessageFormat( 368 "\"ECDH ServerKeyExchange\": '{'\n" + 369 " \"parameters\": '{'\n" + 370 " \"named group\": \"{0}\"\n" + 371 " \"ecdh public\": '{'\n" + 372 "{1}\n" + 373 " '}',\n" + 374 " '}',\n" + 375 " \"signature\": '{'\n" + 376 "{2}\n" + 377 " '}'\n" + 378 "'}'", 379 Locale.ENGLISH); 380 381 HexDumpEncoder hexEncoder = new HexDumpEncoder(); 382 Object[] messageFields = { 383 namedGroup.name, 384 Utilities.indent( 385 hexEncoder.encodeBuffer(publicPoint), " "), 386 Utilities.indent( 387 hexEncoder.encodeBuffer(paramsSignature), " ") 388 }; 389 390 return messageFormat.format(messageFields); 391 } else { // anonymous 392 MessageFormat messageFormat = new MessageFormat( 393 "\"ECDH ServerKeyExchange\": '{'\n" + 394 " \"parameters\": '{'\n" + 395 " \"named group\": \"{0}\"\n" + 396 " \"ecdh public\": '{'\n" + 397 "{1}\n" + 398 " '}',\n" + 399 " '}'\n" + 400 "'}'", 401 Locale.ENGLISH); 402 403 HexDumpEncoder hexEncoder = new HexDumpEncoder(); 404 Object[] messageFields = { 405 namedGroup.name, 406 Utilities.indent( 407 hexEncoder.encodeBuffer(publicPoint), " "), 408 }; 409 410 return messageFormat.format(messageFields); 411 } 412 } 413 414 private static Signature getSignature(String keyAlgorithm, 415 Key key) throws NoSuchAlgorithmException, InvalidKeyException { 416 Signature signer = null; 417 switch (keyAlgorithm) { 418 case "EC": 419 signer = JsseJce.getSignature(JsseJce.SIGNATURE_ECDSA); 420 break; 421 case "RSA": 422 signer = RSASignature.getInstance(); 423 break; 424 default: 425 throw new NoSuchAlgorithmException( 426 "neither an RSA or a EC key : " + keyAlgorithm); 427 } 428 429 if (signer != null) { 430 if (key instanceof PublicKey) { 431 signer.initVerify((PublicKey)(key)); 432 } else { 433 signer.initSign((PrivateKey)key); 434 } 435 } 436 437 return signer; 438 } 439 440 private static void updateSignature(Signature sig, 441 byte[] clntNonce, byte[] svrNonce, int namedGroupId, 442 byte[] publicPoint) throws SignatureException { 443 sig.update(clntNonce); 444 sig.update(svrNonce); 445 446 sig.update(CURVE_NAMED_CURVE); 447 sig.update((byte)((namedGroupId >> 8) & 0xFF)); 448 sig.update((byte)(namedGroupId & 0xFF)); 449 sig.update((byte)publicPoint.length); 450 sig.update(publicPoint); 451 } 452 } 453 454 /** 455 * The ECDH "ServerKeyExchange" handshake message producer. 456 */ 457 private static final 458 class ECDHServerKeyExchangeProducer implements HandshakeProducer { 459 // Prevent instantiation of this class. 460 private ECDHServerKeyExchangeProducer() { 461 // blank 462 } 463 464 @Override 465 public byte[] produce(ConnectionContext context, 466 HandshakeMessage message) throws IOException { 467 // The producing happens in server side only. 468 ServerHandshakeContext shc = (ServerHandshakeContext)context; 469 ECDHServerKeyExchangeMessage skem = 470 new ECDHServerKeyExchangeMessage(shc); 471 if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { 472 SSLLogger.fine( 473 "Produced ECDH ServerKeyExchange handshake message", skem); 474 } 475 476 // Output the handshake message. 477 skem.write(shc.handshakeOutput); 478 shc.handshakeOutput.flush(); 479 480 // The handshake message has been delivered. 481 return null; 482 } 483 } 484 485 /** 486 * The ECDH "ServerKeyExchange" handshake message consumer. 487 */ 488 private static final 489 class ECDHServerKeyExchangeConsumer implements SSLConsumer { 490 // Prevent instantiation of this class. 491 private ECDHServerKeyExchangeConsumer() { 492 // blank 493 } 494 495 @Override 496 public void consume(ConnectionContext context, 497 ByteBuffer message) throws IOException { 498 // The consuming happens in client side only. 499 ClientHandshakeContext chc = (ClientHandshakeContext)context; 500 501 // AlgorithmConstraints are checked during decoding 502 ECDHServerKeyExchangeMessage skem = 503 new ECDHServerKeyExchangeMessage(chc, message); 504 if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { 505 SSLLogger.fine( 506 "Consuming ECDH ServerKeyExchange handshake message", skem); 507 } 508 509 // 510 // update 511 // 512 chc.handshakeCredentials.add(skem.sslCredentials); 513 514 // 515 // produce 516 // 517 // Need no new handshake message producers here. 518 } 519 } 520 } 521