1 /* 2 * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 27 package sun.security.ssl; 28 29 import java.io.*; 30 import java.util.*; 31 import java.util.concurrent.TimeUnit; 32 import java.security.*; 33 import java.security.cert.*; 34 import java.security.interfaces.*; 35 import java.security.spec.ECParameterSpec; 36 import java.math.BigInteger; 37 38 import javax.crypto.SecretKey; 39 import javax.net.ssl.*; 40 41 import sun.security.action.GetLongAction; 42 import sun.security.util.KeyUtil; 43 import sun.security.util.LegacyAlgorithmConstraints; 44 import sun.security.action.GetPropertyAction; 45 import sun.security.ssl.HandshakeMessage.*; 46 import sun.security.ssl.CipherSuite.*; 47 import sun.security.ssl.SignatureAndHashAlgorithm.*; 48 import static sun.security.ssl.CipherSuite.KeyExchange.*; 49 50 /** 51 * ServerHandshaker does the protocol handshaking from the point 52 * of view of a server. It is driven asychronously by handshake messages 53 * as delivered by the parent Handshaker class, and also uses 54 * common functionality (e.g. key generation) that is provided there. 55 * 56 * @author David Brownell 57 */ 58 final class ServerHandshaker extends Handshaker { 59 60 // The default number of milliseconds the handshaker will wait for 61 // revocation status responses. 62 private static final long DEFAULT_STATUS_RESP_DELAY = 5000; 63 64 // is the server going to require the client to authenticate? 65 private ClientAuthType doClientAuth; 66 67 // our authentication info 68 private X509Certificate[] certs; 69 private PrivateKey privateKey; 70 71 private Object serviceCreds; 72 73 // flag to check for clientCertificateVerify message 74 private boolean needClientVerify = false; 75 76 /* 77 * For exportable ciphersuites using non-exportable key sizes, we use 78 * ephemeral RSA keys. We could also do anonymous RSA in the same way 79 * but there are no such ciphersuites currently defined. 80 */ 81 private PrivateKey tempPrivateKey; 82 private PublicKey tempPublicKey; 83 84 /* 85 * For anonymous and ephemeral Diffie-Hellman key exchange, we use 86 * ephemeral Diffie-Hellman keys. 87 */ 88 private DHCrypt dh; 89 90 // Helper for ECDH based key exchanges 91 private ECDHCrypt ecdh; 92 93 // version request by the client in its ClientHello 94 // we remember it for the RSA premaster secret version check 95 private ProtocolVersion clientRequestedVersion; 96 97 // client supported elliptic curves 98 private EllipticCurvesExtension requestedCurves; 99 100 // the preferable signature algorithm used by ServerKeyExchange message 101 SignatureAndHashAlgorithm preferableSignatureAlgorithm; 102 103 // Flag to use smart ephemeral DH key which size matches the corresponding 104 // authentication key 105 private static final boolean useSmartEphemeralDHKeys; 106 107 // Flag to use legacy ephemeral DH key which size is 512 bits for 108 // exportable cipher suites, and 768 bits for others 109 private static final boolean useLegacyEphemeralDHKeys; 110 111 // The customized ephemeral DH key size for non-exportable cipher suites. 112 private static final int customizedDHKeySize; 113 114 // legacy algorithm constraints 115 private static final AlgorithmConstraints legacyAlgorithmConstraints = 116 new LegacyAlgorithmConstraints( 117 LegacyAlgorithmConstraints.PROPERTY_TLS_LEGACY_ALGS, 118 new SSLAlgorithmDecomposer()); 119 120 private long statusRespTimeout; 121 122 static { 123 String property = GetPropertyAction 124 .privilegedGetProperty("jdk.tls.ephemeralDHKeySize"); 125 if (property == null || property.length() == 0) { 126 useLegacyEphemeralDHKeys = false; 127 useSmartEphemeralDHKeys = false; 128 customizedDHKeySize = -1; 129 } else if ("matched".equals(property)) { 130 useLegacyEphemeralDHKeys = false; 131 useSmartEphemeralDHKeys = true; 132 customizedDHKeySize = -1; 133 } else if ("legacy".equals(property)) { 134 useLegacyEphemeralDHKeys = true; 135 useSmartEphemeralDHKeys = false; 136 customizedDHKeySize = -1; 137 } else { 138 useLegacyEphemeralDHKeys = false; 139 useSmartEphemeralDHKeys = false; 140 141 try { 142 // DH parameter generation can be extremely slow, best to 143 // use one of the supported pre-computed DH parameters 144 // (see DHCrypt class). 145 customizedDHKeySize = Integer.parseUnsignedInt(property); 146 if (customizedDHKeySize < 1024 || customizedDHKeySize > 8192 || 147 (customizedDHKeySize & 0x3f) != 0) { 148 throw new IllegalArgumentException( 149 "Unsupported customized DH key size: " + 150 customizedDHKeySize + ". " + 151 "The key size must be multiple of 64, " + 152 "and can only range from 1024 to 8192 (inclusive)"); 153 } 154 } catch (NumberFormatException nfe) { 155 throw new IllegalArgumentException( 156 "Invalid system property jdk.tls.ephemeralDHKeySize"); 157 } 158 } 159 } 160 161 /* 162 * Constructor ... use the keys found in the auth context. 163 */ 164 ServerHandshaker(SSLSocketImpl socket, SSLContextImpl context, 165 ProtocolList enabledProtocols, ClientAuthType clientAuth, 166 ProtocolVersion activeProtocolVersion, boolean isInitialHandshake, 167 boolean secureRenegotiation, 168 byte[] clientVerifyData, byte[] serverVerifyData) { 169 170 super(socket, context, enabledProtocols, 171 (clientAuth != ClientAuthType.CLIENT_AUTH_NONE), false, 172 activeProtocolVersion, isInitialHandshake, secureRenegotiation, 173 clientVerifyData, serverVerifyData); 174 doClientAuth = clientAuth; 175 statusRespTimeout = AccessController.doPrivileged( 176 new GetLongAction("jdk.tls.stapling.responseTimeout", 177 DEFAULT_STATUS_RESP_DELAY)); 178 statusRespTimeout = statusRespTimeout >= 0 ? statusRespTimeout : 179 DEFAULT_STATUS_RESP_DELAY; 180 } 181 182 /* 183 * Constructor ... use the keys found in the auth context. 184 */ 185 ServerHandshaker(SSLEngineImpl engine, SSLContextImpl context, 186 ProtocolList enabledProtocols, ClientAuthType clientAuth, 187 ProtocolVersion activeProtocolVersion, 188 boolean isInitialHandshake, boolean secureRenegotiation, 189 byte[] clientVerifyData, byte[] serverVerifyData, 190 boolean isDTLS) { 191 192 super(engine, context, enabledProtocols, 193 (clientAuth != ClientAuthType.CLIENT_AUTH_NONE), false, 194 activeProtocolVersion, isInitialHandshake, secureRenegotiation, 195 clientVerifyData, serverVerifyData, isDTLS); 196 doClientAuth = clientAuth; 197 statusRespTimeout = AccessController.doPrivileged( 198 new GetLongAction("jdk.tls.stapling.responseTimeout", 199 DEFAULT_STATUS_RESP_DELAY)); 200 statusRespTimeout = statusRespTimeout >= 0 ? statusRespTimeout : 201 DEFAULT_STATUS_RESP_DELAY; 202 } 203 204 /* 205 * As long as handshaking has not started, we can change 206 * whether client authentication is required. Otherwise, 207 * we will need to wait for the next handshake. 208 */ 209 void setClientAuth(ClientAuthType clientAuth) { 210 doClientAuth = clientAuth; 211 } 212 213 /* 214 * This routine handles all the server side handshake messages, one at 215 * a time. Given the message type (and in some cases the pending cipher 216 * spec) it parses the type-specific message. Then it calls a function 217 * that handles that specific message. 218 * 219 * It updates the state machine as each message is processed, and writes 220 * responses as needed using the connection in the constructor. 221 */ 222 @Override 223 void processMessage(byte type, int message_len) 224 throws IOException { 225 226 // check the handshake state 227 handshakeState.check(type); 228 229 switch (type) { 230 case HandshakeMessage.ht_client_hello: 231 ClientHello ch = new ClientHello(input, message_len, isDTLS); 232 handshakeState.update(ch, resumingSession); 233 234 /* 235 * send it off for processing. 236 */ 237 this.clientHello(ch); 238 break; 239 240 case HandshakeMessage.ht_certificate: 241 if (doClientAuth == ClientAuthType.CLIENT_AUTH_NONE) { 242 fatalSE(Alerts.alert_unexpected_message, 243 "client sent unsolicited cert chain"); 244 // NOTREACHED 245 } 246 CertificateMsg certificateMsg = new CertificateMsg(input); 247 handshakeState.update(certificateMsg, resumingSession); 248 this.clientCertificate(certificateMsg); 249 break; 250 251 case HandshakeMessage.ht_client_key_exchange: 252 SecretKey preMasterSecret; 253 switch (keyExchange) { 254 case K_RSA: 255 case K_RSA_EXPORT: 256 /* 257 * The client's pre-master secret is decrypted using 258 * either the server's normal private RSA key, or the 259 * temporary one used for non-export or signing-only 260 * certificates/keys. 261 */ 262 RSAClientKeyExchange pms = new RSAClientKeyExchange( 263 protocolVersion, clientRequestedVersion, 264 sslContext.getSecureRandom(), input, 265 message_len, privateKey); 266 handshakeState.update(pms, resumingSession); 267 preMasterSecret = this.clientKeyExchange(pms); 268 break; 269 case K_DHE_RSA: 270 case K_DHE_DSS: 271 case K_DH_ANON: 272 /* 273 * The pre-master secret is derived using the normal 274 * Diffie-Hellman calculation. Note that the main 275 * protocol difference in these five flavors is in how 276 * the ServerKeyExchange message was constructed! 277 */ 278 DHClientKeyExchange dhcke = new DHClientKeyExchange(input); 279 handshakeState.update(dhcke, resumingSession); 280 preMasterSecret = this.clientKeyExchange(dhcke); 281 break; 282 case K_ECDH_RSA: 283 case K_ECDH_ECDSA: 284 case K_ECDHE_RSA: 285 case K_ECDHE_ECDSA: 286 case K_ECDH_ANON: 287 ECDHClientKeyExchange ecdhcke = 288 new ECDHClientKeyExchange(input); 289 handshakeState.update(ecdhcke, resumingSession); 290 preMasterSecret = this.clientKeyExchange(ecdhcke); 291 break; 292 default: 293 ClientKeyExchangeService p = 294 ClientKeyExchangeService.find(keyExchange.name); 295 if (p == null) { 296 throw new SSLProtocolException 297 ("Unrecognized key exchange: " + keyExchange); 298 } 299 byte[] encodedTicket = input.getBytes16(); 300 input.getBytes16(); 301 byte[] secret = input.getBytes16(); 302 ClientKeyExchange cke = p.createServerExchange(protocolVersion, 303 clientRequestedVersion, 304 sslContext.getSecureRandom(), 305 encodedTicket, 306 secret, 307 this.getAccSE(), serviceCreds); 308 handshakeState.update(cke, resumingSession); 309 preMasterSecret = this.clientKeyExchange(cke); 310 break; 311 } 312 313 // 314 // All keys are calculated from the premaster secret 315 // and the exchanged nonces in the same way. 316 // 317 calculateKeys(preMasterSecret, clientRequestedVersion); 318 break; 319 320 case HandshakeMessage.ht_certificate_verify: 321 CertificateVerify cvm = 322 new CertificateVerify(input, 323 getLocalSupportedSignAlgs(), protocolVersion); 324 handshakeState.update(cvm, resumingSession); 325 this.clientCertificateVerify(cvm); 326 327 break; 328 329 case HandshakeMessage.ht_finished: 330 Finished cfm = 331 new Finished(protocolVersion, input, cipherSuite); 332 handshakeState.update(cfm, resumingSession); 333 this.clientFinished(cfm); 334 335 break; 336 337 default: 338 throw new SSLProtocolException( 339 "Illegal server handshake msg, " + type); 340 } 341 342 } 343 344 345 /* 346 * ClientHello presents the server with a bunch of options, to which the 347 * server replies with a ServerHello listing the ones which this session 348 * will use. If needed, it also writes its Certificate plus in some cases 349 * a ServerKeyExchange message. It may also write a CertificateRequest, 350 * to elicit a client certificate. 351 * 352 * All these messages are terminated by a ServerHelloDone message. In 353 * most cases, all this can be sent in a single Record. 354 */ 355 private void clientHello(ClientHello mesg) throws IOException { 356 if (debug != null && Debug.isOn("handshake")) { 357 mesg.print(System.out); 358 } 359 360 // Reject client initiated renegotiation? 361 // 362 // If server side should reject client-initiated renegotiation, 363 // send an alert_handshake_failure fatal alert, not a no_renegotiation 364 // warning alert (no_renegotiation must be a warning: RFC 2246). 365 // no_renegotiation might seem more natural at first, but warnings 366 // are not appropriate because the sending party does not know how 367 // the receiving party will behave. This state must be treated as 368 // a fatal server condition. 369 // 370 // This will not have any impact on server initiated renegotiation. 371 if (rejectClientInitiatedRenego && !isInitialHandshake && 372 !serverHelloRequested) { 373 fatalSE(Alerts.alert_handshake_failure, 374 "Client initiated renegotiation is not allowed"); 375 } 376 377 // check the server name indication if required 378 ServerNameExtension clientHelloSNIExt = (ServerNameExtension) 379 mesg.extensions.get(ExtensionType.EXT_SERVER_NAME); 380 if (!sniMatchers.isEmpty()) { 381 // we do not reject client without SNI extension 382 if (clientHelloSNIExt != null && 383 !clientHelloSNIExt.isMatched(sniMatchers)) { 384 fatalSE(Alerts.alert_unrecognized_name, 385 "Unrecognized server name indication"); 386 } 387 } 388 389 // Does the message include security renegotiation indication? 390 boolean renegotiationIndicated = false; 391 392 // check the TLS_EMPTY_RENEGOTIATION_INFO_SCSV 393 CipherSuiteList cipherSuites = mesg.getCipherSuites(); 394 if (cipherSuites.contains(CipherSuite.C_SCSV)) { 395 renegotiationIndicated = true; 396 if (isInitialHandshake) { 397 secureRenegotiation = true; 398 } else { 399 // abort the handshake with a fatal handshake_failure alert 400 if (secureRenegotiation) { 401 fatalSE(Alerts.alert_handshake_failure, 402 "The SCSV is present in a secure renegotiation"); 403 } else { 404 fatalSE(Alerts.alert_handshake_failure, 405 "The SCSV is present in a insecure renegotiation"); 406 } 407 } 408 } 409 410 // check the "renegotiation_info" extension 411 RenegotiationInfoExtension clientHelloRI = (RenegotiationInfoExtension) 412 mesg.extensions.get(ExtensionType.EXT_RENEGOTIATION_INFO); 413 if (clientHelloRI != null) { 414 renegotiationIndicated = true; 415 if (isInitialHandshake) { 416 // verify the length of the "renegotiated_connection" field 417 if (!clientHelloRI.isEmpty()) { 418 // abort the handshake with a fatal handshake_failure alert 419 fatalSE(Alerts.alert_handshake_failure, 420 "The renegotiation_info field is not empty"); 421 } 422 423 secureRenegotiation = true; 424 } else { 425 if (!secureRenegotiation) { 426 // unexpected RI extension for insecure renegotiation, 427 // abort the handshake with a fatal handshake_failure alert 428 fatalSE(Alerts.alert_handshake_failure, 429 "The renegotiation_info is present in a insecure " + 430 "renegotiation"); 431 } 432 433 // verify the client_verify_data value 434 if (!MessageDigest.isEqual(clientVerifyData, 435 clientHelloRI.getRenegotiatedConnection())) { 436 fatalSE(Alerts.alert_handshake_failure, 437 "Incorrect verify data in ClientHello " + 438 "renegotiation_info message"); 439 } 440 } 441 } else if (!isInitialHandshake && secureRenegotiation) { 442 // if the connection's "secure_renegotiation" flag is set to TRUE 443 // and the "renegotiation_info" extension is not present, abort 444 // the handshake. 445 fatalSE(Alerts.alert_handshake_failure, 446 "Inconsistent secure renegotiation indication"); 447 } 448 449 // if there is no security renegotiation indication or the previous 450 // handshake is insecure. 451 if (!renegotiationIndicated || !secureRenegotiation) { 452 if (isInitialHandshake) { 453 if (!allowLegacyHelloMessages) { 454 // abort the handshake with a fatal handshake_failure alert 455 fatalSE(Alerts.alert_handshake_failure, 456 "Failed to negotiate the use of secure renegotiation"); 457 } 458 459 // continue with legacy ClientHello 460 if (debug != null && Debug.isOn("handshake")) { 461 System.out.println("Warning: No renegotiation " + 462 "indication in ClientHello, allow legacy ClientHello"); 463 } 464 } else if (!allowUnsafeRenegotiation) { 465 // abort the handshake 466 if (activeProtocolVersion.useTLS10PlusSpec()) { 467 // respond with a no_renegotiation warning 468 warningSE(Alerts.alert_no_renegotiation); 469 470 // invalidate the handshake so that the caller can 471 // dispose this object. 472 invalidated = true; 473 474 // If there is still unread block in the handshake 475 // input stream, it would be truncated with the disposal 476 // and the next handshake message will become incomplete. 477 // 478 // However, according to SSL/TLS specifications, no more 479 // handshake message could immediately follow ClientHello 480 // or HelloRequest. But in case of any improper messages, 481 // we'd better check to ensure there is no remaining bytes 482 // in the handshake input stream. 483 if (input.available() > 0) { 484 fatalSE(Alerts.alert_unexpected_message, 485 "ClientHello followed by an unexpected " + 486 "handshake message"); 487 } 488 489 return; 490 } else { 491 // For SSLv3, send the handshake_failure fatal error. 492 // Note that SSLv3 does not define a no_renegotiation 493 // alert like TLSv1. However we cannot ignore the message 494 // simply, otherwise the other side was waiting for a 495 // response that would never come. 496 fatalSE(Alerts.alert_handshake_failure, 497 "Renegotiation is not allowed"); 498 } 499 } else { // !isInitialHandshake && allowUnsafeRenegotiation 500 // continue with unsafe renegotiation. 501 if (debug != null && Debug.isOn("handshake")) { 502 System.out.println( 503 "Warning: continue with insecure renegotiation"); 504 } 505 } 506 } 507 508 // check the "max_fragment_length" extension 509 MaxFragmentLengthExtension maxFragLenExt = (MaxFragmentLengthExtension) 510 mesg.extensions.get(ExtensionType.EXT_MAX_FRAGMENT_LENGTH); 511 if ((maxFragLenExt != null) && (maximumPacketSize != 0)) { 512 // Not yet consider the impact of IV/MAC/padding. 513 int estimatedMaxFragSize = maximumPacketSize; 514 if (isDTLS) { 515 estimatedMaxFragSize -= DTLSRecord.headerSize; 516 } else { 517 estimatedMaxFragSize -= SSLRecord.headerSize; 518 } 519 520 if (maxFragLenExt.getMaxFragLen() > estimatedMaxFragSize) { 521 // For better interoperability, abort the maximum fragment 522 // length negotiation, rather than terminate the connection 523 // with a fatal alert. 524 maxFragLenExt = null; 525 526 // fatalSE(Alerts.alert_illegal_parameter, 527 // "Not an allowed max_fragment_length value"); 528 } 529 } 530 531 // check the ALPN extension 532 ALPNExtension clientHelloALPN = (ALPNExtension) 533 mesg.extensions.get(ExtensionType.EXT_ALPN); 534 535 if ((clientHelloALPN != null) && (localApl.length > 0)) { 536 537 // Intersect the requested and the locally supported, 538 // and save for later. 539 String negotiatedValue = null; 540 List<String> protocols = clientHelloALPN.getPeerAPs(); 541 542 // Use server preference order 543 for (String ap : localApl) { 544 if (protocols.contains(ap)) { 545 negotiatedValue = ap; 546 break; 547 } 548 } 549 550 if (negotiatedValue == null) { 551 fatalSE(Alerts.alert_no_application_protocol, 552 new SSLHandshakeException( 553 "No matching ALPN values")); 554 } 555 applicationProtocol = negotiatedValue; 556 557 } else { 558 applicationProtocol = ""; 559 } 560 561 session = null; // forget about the current session 562 // 563 // Here we go down either of two paths: (a) the fast one, where 564 // the client's asked to rejoin an existing session, and the server 565 // permits this; (b) the other one, where a new session is created. 566 // 567 if (mesg.sessionId.length() != 0) { 568 // client is trying to resume a session, let's see... 569 570 SSLSessionImpl previous = ((SSLSessionContextImpl)sslContext 571 .engineGetServerSessionContext()) 572 .get(mesg.sessionId.getId()); 573 // 574 // Check if we can use the fast path, resuming a session. We 575 // can do so iff we have a valid record for that session, and 576 // the cipher suite for that session was on the list which the 577 // client requested, and if we're not forgetting any needed 578 // authentication on the part of the client. 579 // 580 if (previous != null) { 581 resumingSession = previous.isRejoinable(); 582 583 if (resumingSession) { 584 ProtocolVersion oldVersion = previous.getProtocolVersion(); 585 // cannot resume session with different version 586 if (oldVersion != protocolVersion) { 587 resumingSession = false; 588 } 589 } 590 591 // cannot resume session with different server name indication 592 if (resumingSession) { 593 List<SNIServerName> oldServerNames = 594 previous.getRequestedServerNames(); 595 if (clientHelloSNIExt != null) { 596 if (!clientHelloSNIExt.isIdentical(oldServerNames)) { 597 resumingSession = false; 598 } 599 } else if (!oldServerNames.isEmpty()) { 600 resumingSession = false; 601 } 602 603 if (!resumingSession && 604 debug != null && Debug.isOn("handshake")) { 605 System.out.println( 606 "The requested server name indication " + 607 "is not identical to the previous one"); 608 } 609 } 610 611 if (resumingSession && 612 (doClientAuth == ClientAuthType.CLIENT_AUTH_REQUIRED)) { 613 try { 614 previous.getPeerPrincipal(); 615 } catch (SSLPeerUnverifiedException e) { 616 resumingSession = false; 617 } 618 } 619 620 // validate subject identity 621 if (resumingSession) { 622 CipherSuite suite = previous.getSuite(); 623 ClientKeyExchangeService p = 624 ClientKeyExchangeService.find(suite.keyExchange.name); 625 if (p != null) { 626 Principal localPrincipal = previous.getLocalPrincipal(); 627 628 if (p.isRelated( 629 false, getAccSE(), localPrincipal)) { 630 if (debug != null && Debug.isOn("session")) 631 System.out.println("Subject can" + 632 " provide creds for princ"); 633 } else { 634 resumingSession = false; 635 if (debug != null && Debug.isOn("session")) 636 System.out.println("Subject cannot" + 637 " provide creds for princ"); 638 } 639 } 640 } 641 642 if (resumingSession) { 643 CipherSuite suite = previous.getSuite(); 644 // verify that the ciphersuite from the cached session 645 // is in the list of client requested ciphersuites and 646 // we have it enabled 647 if ((isNegotiable(suite) == false) || 648 (mesg.getCipherSuites().contains(suite) == false)) { 649 resumingSession = false; 650 } else { 651 // everything looks ok, set the ciphersuite 652 // this should be done last when we are sure we 653 // will resume 654 setCipherSuite(suite); 655 } 656 } 657 658 if (resumingSession) { 659 session = previous; 660 if (debug != null && 661 (Debug.isOn("handshake") || Debug.isOn("session"))) { 662 System.out.println("%% Resuming " + session); 663 } 664 } 665 } 666 } // else client did not try to resume 667 668 // cookie exchange 669 if (isDTLS && !resumingSession) { 670 HelloCookieManager hcMgr = sslContext.getHelloCookieManager(); 671 if ((mesg.cookie == null) || (mesg.cookie.length == 0) || 672 (!hcMgr.isValid(mesg))) { 673 674 // 675 // Perform cookie exchange for DTLS handshaking if no cookie 676 // or the cookie is invalid in the ClientHello message. 677 // 678 HelloVerifyRequest m0 = new HelloVerifyRequest(hcMgr, mesg); 679 680 if (debug != null && Debug.isOn("handshake")) { 681 m0.print(System.out); 682 } 683 684 m0.write(output); 685 handshakeState.update(m0, resumingSession); 686 output.flush(); 687 688 return; 689 } 690 } 691 692 /* 693 * FIRST, construct the ServerHello using the options and priorities 694 * from the ClientHello. Update the (pending) cipher spec as we do 695 * so, and save the client's version to protect against rollback 696 * attacks. 697 * 698 * There are a bunch of minor tasks here, and one major one: deciding 699 * if the short or the full handshake sequence will be used. 700 */ 701 ServerHello m1 = new ServerHello(); 702 703 clientRequestedVersion = mesg.protocolVersion; 704 705 // select a proper protocol version. 706 ProtocolVersion selectedVersion = 707 selectProtocolVersion(clientRequestedVersion); 708 if (selectedVersion == null || 709 selectedVersion.v == ProtocolVersion.SSL20Hello.v) { 710 fatalSE(Alerts.alert_handshake_failure, 711 "Client requested protocol " + clientRequestedVersion + 712 " not enabled or not supported"); 713 } 714 715 handshakeHash.protocolDetermined(selectedVersion); 716 setVersion(selectedVersion); 717 718 m1.protocolVersion = protocolVersion; 719 720 // 721 // random ... save client and server values for later use 722 // in computing the master secret (from pre-master secret) 723 // and thence the other crypto keys. 724 // 725 // NOTE: this use of three inputs to generating _each_ set 726 // of ciphers slows things down, but it does increase the 727 // security since each connection in the session can hold 728 // its own authenticated (and strong) keys. One could make 729 // creation of a session a rare thing... 730 // 731 clnt_random = mesg.clnt_random; 732 svr_random = new RandomCookie(sslContext.getSecureRandom()); 733 m1.svr_random = svr_random; 734 735 // 736 // If client hasn't specified a session we can resume, start a 737 // new one and choose its cipher suite and compression options. 738 // Unless new session creation is disabled for this connection! 739 // 740 if (session == null) { 741 if (!enableNewSession) { 742 throw new SSLException("Client did not resume a session"); 743 } 744 745 requestedCurves = (EllipticCurvesExtension) 746 mesg.extensions.get(ExtensionType.EXT_ELLIPTIC_CURVES); 747 748 // We only need to handle the "signature_algorithm" extension 749 // for full handshakes and TLS 1.2 or later. 750 if (protocolVersion.useTLS12PlusSpec()) { 751 SignatureAlgorithmsExtension signAlgs = 752 (SignatureAlgorithmsExtension)mesg.extensions.get( 753 ExtensionType.EXT_SIGNATURE_ALGORITHMS); 754 if (signAlgs != null) { 755 Collection<SignatureAndHashAlgorithm> peerSignAlgs = 756 signAlgs.getSignAlgorithms(); 757 if (peerSignAlgs == null || peerSignAlgs.isEmpty()) { 758 throw new SSLHandshakeException( 759 "No peer supported signature algorithms"); 760 } 761 762 Collection<SignatureAndHashAlgorithm> 763 supportedPeerSignAlgs = 764 SignatureAndHashAlgorithm.getSupportedAlgorithms( 765 algorithmConstraints, peerSignAlgs); 766 if (supportedPeerSignAlgs.isEmpty()) { 767 throw new SSLHandshakeException( 768 "No signature and hash algorithm in common"); 769 } 770 771 setPeerSupportedSignAlgs(supportedPeerSignAlgs); 772 } // else, need to use peer implicit supported signature algs 773 } 774 775 session = new SSLSessionImpl(protocolVersion, CipherSuite.C_NULL, 776 getLocalSupportedSignAlgs(), 777 sslContext.getSecureRandom(), 778 getHostAddressSE(), getPortSE()); 779 780 if (protocolVersion.useTLS12PlusSpec()) { 781 if (peerSupportedSignAlgs != null) { 782 session.setPeerSupportedSignatureAlgorithms( 783 peerSupportedSignAlgs); 784 } // else, we will set the implicit peer supported signature 785 // algorithms in chooseCipherSuite() 786 } 787 788 // set the server name indication in the session 789 List<SNIServerName> clientHelloSNI = 790 Collections.<SNIServerName>emptyList(); 791 if (clientHelloSNIExt != null) { 792 clientHelloSNI = clientHelloSNIExt.getServerNames(); 793 } 794 session.setRequestedServerNames(clientHelloSNI); 795 796 // set the handshake session 797 setHandshakeSessionSE(session); 798 799 // choose cipher suite and corresponding private key 800 chooseCipherSuite(mesg); 801 802 session.setSuite(cipherSuite); 803 session.setLocalPrivateKey(privateKey); 804 805 // chooseCompression(mesg); 806 807 // set the negotiated maximum fragment in the session 808 // 809 // The protocol version and cipher suite have been negotiated 810 // in previous processes. 811 if (maxFragLenExt != null) { 812 int maxFragLen = maxFragLenExt.getMaxFragLen(); 813 814 // More check of the requested "max_fragment_length" extension. 815 if (maximumPacketSize != 0) { 816 int estimatedMaxFragSize = cipherSuite.calculatePacketSize( 817 maxFragLen, protocolVersion, isDTLS); 818 if (estimatedMaxFragSize > maximumPacketSize) { 819 // For better interoperability, abort the maximum 820 // fragment length negotiation, rather than terminate 821 // the connection with a fatal alert. 822 maxFragLenExt = null; 823 824 // fatalSE(Alerts.alert_illegal_parameter, 825 // "Not an allowed max_fragment_length value"); 826 } 827 } 828 829 if (maxFragLenExt != null) { 830 session.setNegotiatedMaxFragSize(maxFragLen); 831 } 832 } 833 834 session.setMaximumPacketSize(maximumPacketSize); 835 } else { 836 // set the handshake session 837 setHandshakeSessionSE(session); 838 } 839 840 if (protocolVersion.useTLS12PlusSpec()) { 841 handshakeHash.setFinishedAlg(cipherSuite.prfAlg.getPRFHashAlg()); 842 } 843 844 m1.cipherSuite = cipherSuite; 845 m1.sessionId = session.getSessionId(); 846 m1.compression_method = session.getCompression(); 847 848 if (secureRenegotiation) { 849 // For ServerHellos that are initial handshakes, then the 850 // "renegotiated_connection" field in "renegotiation_info" 851 // extension is of zero length. 852 // 853 // For ServerHellos that are renegotiating, this field contains 854 // the concatenation of client_verify_data and server_verify_data. 855 // 856 // Note that for initial handshakes, both the clientVerifyData 857 // variable and serverVerifyData variable are of zero length. 858 HelloExtension serverHelloRI = new RenegotiationInfoExtension( 859 clientVerifyData, serverVerifyData); 860 m1.extensions.add(serverHelloRI); 861 } 862 863 if (!sniMatchers.isEmpty() && clientHelloSNIExt != null) { 864 // When resuming a session, the server MUST NOT include a 865 // server_name extension in the server hello. 866 if (!resumingSession) { 867 ServerNameExtension serverHelloSNI = new ServerNameExtension(); 868 m1.extensions.add(serverHelloSNI); 869 } 870 } 871 872 if ((maxFragLenExt != null) && !resumingSession) { 873 // When resuming a session, the server MUST NOT include a 874 // max_fragment_length extension in the server hello. 875 // 876 // Otherwise, use the same value as the requested extension. 877 m1.extensions.add(maxFragLenExt); 878 } 879 880 StaplingParameters staplingParams = processStapling(mesg); 881 if (staplingParams != null) { 882 // We now can safely assert status_request[_v2] in our 883 // ServerHello, and know for certain that we can provide 884 // responses back to this client for this connection. 885 if (staplingParams.statusRespExt == 886 ExtensionType.EXT_STATUS_REQUEST) { 887 m1.extensions.add(new CertStatusReqExtension()); 888 } else if (staplingParams.statusRespExt == 889 ExtensionType.EXT_STATUS_REQUEST_V2) { 890 m1.extensions.add(new CertStatusReqListV2Extension()); 891 } 892 } 893 894 // Prepare the ALPN response 895 if (applicationProtocol != null && !applicationProtocol.isEmpty()) { 896 m1.extensions.add(new ALPNExtension(applicationProtocol)); 897 } 898 899 if (debug != null && Debug.isOn("handshake")) { 900 m1.print(System.out); 901 System.out.println("Cipher suite: " + session.getSuite()); 902 } 903 m1.write(output); 904 handshakeState.update(m1, resumingSession); 905 906 // 907 // If we are resuming a session, we finish writing handshake 908 // messages right now and then finish. 909 // 910 if (resumingSession) { 911 calculateConnectionKeys(session.getMasterSecret()); 912 sendChangeCipherAndFinish(false); 913 914 // expecting the final ChangeCipherSpec and Finished messages 915 expectingFinishFlightSE(); 916 917 return; 918 } 919 920 921 /* 922 * SECOND, write the server Certificate(s) if we need to. 923 * 924 * NOTE: while an "anonymous RSA" mode is explicitly allowed by 925 * the protocol, we can't support it since all of the SSL flavors 926 * defined in the protocol spec are explicitly stated to require 927 * using RSA certificates. 928 */ 929 if (ClientKeyExchangeService.find(cipherSuite.keyExchange.name) != null) { 930 // No external key exchange provider needs a cert now. 931 } else if ((keyExchange != K_DH_ANON) && (keyExchange != K_ECDH_ANON)) { 932 if (certs == null) { 933 throw new RuntimeException("no certificates"); 934 } 935 936 CertificateMsg m2 = new CertificateMsg(certs); 937 938 /* 939 * Set local certs in the SSLSession, output 940 * debug info, and then actually write to the client. 941 */ 942 session.setLocalCertificates(certs); 943 if (debug != null && Debug.isOn("handshake")) { 944 m2.print(System.out); 945 } 946 m2.write(output); 947 handshakeState.update(m2, resumingSession); 948 949 // XXX has some side effects with OS TCP buffering, 950 // leave it out for now 951 952 // let client verify chain in the meantime... 953 // output.flush(); 954 } else { 955 if (certs != null) { 956 throw new RuntimeException("anonymous keyexchange with certs"); 957 } 958 } 959 960 /** 961 * The CertificateStatus message ... only if it is needed. 962 * This would only be needed if we've established that this handshake 963 * supports status stapling and there is at least one response to 964 * return to the client. 965 */ 966 if (staplingParams != null) { 967 CertificateStatus csMsg = new CertificateStatus( 968 staplingParams.statReqType, certs, 969 staplingParams.responseMap); 970 if (debug != null && Debug.isOn("handshake")) { 971 csMsg.print(System.out); 972 } 973 csMsg.write(output); 974 handshakeState.update(csMsg, resumingSession); 975 } 976 977 /* 978 * THIRD, the ServerKeyExchange message ... iff it's needed. 979 * 980 * It's usually needed unless there's an encryption-capable 981 * RSA cert, or a D-H cert. The notable exception is that 982 * exportable ciphers used with big RSA keys need to downgrade 983 * to use short RSA keys, even when the key/cert encrypts OK. 984 */ 985 986 ServerKeyExchange m3; 987 switch (keyExchange) { 988 case K_RSA: 989 // no server key exchange for RSA ciphersuites 990 m3 = null; 991 break; 992 case K_RSA_EXPORT: 993 if (JsseJce.getRSAKeyLength(certs[0].getPublicKey()) > 512) { 994 try { 995 m3 = new RSA_ServerKeyExchange( 996 tempPublicKey, privateKey, 997 clnt_random, svr_random, 998 sslContext.getSecureRandom()); 999 privateKey = tempPrivateKey; 1000 } catch (GeneralSecurityException e) { 1001 m3 = null; // make compiler happy 1002 throw new SSLException( 1003 "Error generating RSA server key exchange", e); 1004 } 1005 } else { 1006 // RSA_EXPORT with short key, don't need ServerKeyExchange 1007 m3 = null; 1008 } 1009 break; 1010 case K_DHE_RSA: 1011 case K_DHE_DSS: 1012 try { 1013 m3 = new DH_ServerKeyExchange(dh, 1014 privateKey, 1015 clnt_random.random_bytes, 1016 svr_random.random_bytes, 1017 sslContext.getSecureRandom(), 1018 preferableSignatureAlgorithm, 1019 protocolVersion); 1020 } catch (GeneralSecurityException e) { 1021 m3 = null; // make compiler happy 1022 throw new SSLException( 1023 "Error generating DH server key exchange", e); 1024 } 1025 break; 1026 case K_DH_ANON: 1027 m3 = new DH_ServerKeyExchange(dh, protocolVersion); 1028 break; 1029 case K_ECDHE_RSA: 1030 case K_ECDHE_ECDSA: 1031 case K_ECDH_ANON: 1032 try { 1033 m3 = new ECDH_ServerKeyExchange(ecdh, 1034 privateKey, 1035 clnt_random.random_bytes, 1036 svr_random.random_bytes, 1037 sslContext.getSecureRandom(), 1038 preferableSignatureAlgorithm, 1039 protocolVersion); 1040 } catch (GeneralSecurityException e) { 1041 m3 = null; // make compiler happy 1042 throw new SSLException( 1043 "Error generating ECDH server key exchange", e); 1044 } 1045 break; 1046 case K_ECDH_RSA: 1047 case K_ECDH_ECDSA: 1048 // ServerKeyExchange not used for fixed ECDH 1049 m3 = null; 1050 break; 1051 default: 1052 ClientKeyExchangeService p = 1053 ClientKeyExchangeService.find(keyExchange.name); 1054 if (p != null) { 1055 // No external key exchange provider needs a cert now. 1056 m3 = null; 1057 break; 1058 } 1059 throw new RuntimeException("internal error: " + keyExchange); 1060 } 1061 if (m3 != null) { 1062 if (debug != null && Debug.isOn("handshake")) { 1063 m3.print(System.out); 1064 } 1065 m3.write(output); 1066 handshakeState.update(m3, resumingSession); 1067 } 1068 1069 // 1070 // FOURTH, the CertificateRequest message. The details of 1071 // the message can be affected by the key exchange algorithm 1072 // in use. For example, certs with fixed Diffie-Hellman keys 1073 // are only useful with the DH_DSS and DH_RSA key exchange 1074 // algorithms. 1075 // 1076 // Needed only if server requires client to authenticate self. 1077 // Illegal for anonymous flavors, so we need to check that. 1078 // 1079 // No external key exchange provider needs a cert now. 1080 if (doClientAuth != ClientAuthType.CLIENT_AUTH_NONE && 1081 keyExchange != K_DH_ANON && keyExchange != K_ECDH_ANON && 1082 ClientKeyExchangeService.find(keyExchange.name) == null) { 1083 1084 CertificateRequest m4; 1085 X509Certificate[] caCerts; 1086 1087 Collection<SignatureAndHashAlgorithm> localSignAlgs = null; 1088 if (protocolVersion.useTLS12PlusSpec()) { 1089 // We currently use all local upported signature and hash 1090 // algorithms. However, to minimize the computation cost 1091 // of requested hash algorithms, we may use a restricted 1092 // set of signature algorithms in the future. 1093 localSignAlgs = getLocalSupportedSignAlgs(); 1094 if (localSignAlgs.isEmpty()) { 1095 throw new SSLHandshakeException( 1096 "No supported signature algorithm"); 1097 } 1098 1099 Set<String> localHashAlgs = 1100 SignatureAndHashAlgorithm.getHashAlgorithmNames( 1101 localSignAlgs); 1102 if (localHashAlgs.isEmpty()) { 1103 throw new SSLHandshakeException( 1104 "No supported signature algorithm"); 1105 } 1106 } 1107 1108 caCerts = sslContext.getX509TrustManager().getAcceptedIssuers(); 1109 m4 = new CertificateRequest(caCerts, keyExchange, 1110 localSignAlgs, protocolVersion); 1111 1112 if (debug != null && Debug.isOn("handshake")) { 1113 m4.print(System.out); 1114 } 1115 m4.write(output); 1116 handshakeState.update(m4, resumingSession); 1117 } 1118 1119 /* 1120 * FIFTH, say ServerHelloDone. 1121 */ 1122 ServerHelloDone m5 = new ServerHelloDone(); 1123 1124 if (debug != null && Debug.isOn("handshake")) { 1125 m5.print(System.out); 1126 } 1127 m5.write(output); 1128 handshakeState.update(m5, resumingSession); 1129 1130 /* 1131 * Flush any buffered messages so the client will see them. 1132 * Ideally, all the messages above go in a single network level 1133 * message to the client. Without big Certificate chains, it's 1134 * going to be the common case. 1135 */ 1136 output.flush(); 1137 } 1138 1139 /* 1140 * Choose cipher suite from among those supported by client. Sets 1141 * the cipherSuite and keyExchange variables. 1142 */ 1143 private void chooseCipherSuite(ClientHello mesg) throws IOException { 1144 CipherSuiteList prefered; 1145 CipherSuiteList proposed; 1146 if (preferLocalCipherSuites) { 1147 prefered = getActiveCipherSuites(); 1148 proposed = mesg.getCipherSuites(); 1149 } else { 1150 prefered = mesg.getCipherSuites(); 1151 proposed = getActiveCipherSuites(); 1152 } 1153 1154 List<CipherSuite> legacySuites = new ArrayList<>(); 1155 for (CipherSuite suite : prefered.collection()) { 1156 if (isNegotiable(proposed, suite) == false) { 1157 continue; 1158 } 1159 1160 if (doClientAuth == ClientAuthType.CLIENT_AUTH_REQUIRED) { 1161 if ((suite.keyExchange == K_DH_ANON) || 1162 (suite.keyExchange == K_ECDH_ANON)) { 1163 continue; 1164 } 1165 } 1166 1167 if (!legacyAlgorithmConstraints.permits(null, suite.name, null)) { 1168 legacySuites.add(suite); 1169 continue; 1170 } 1171 1172 if (trySetCipherSuite(suite) == false) { 1173 continue; 1174 } 1175 return; 1176 } 1177 1178 for (CipherSuite suite : legacySuites) { 1179 if (trySetCipherSuite(suite)) { 1180 return; 1181 } 1182 } 1183 1184 fatalSE(Alerts.alert_handshake_failure, "no cipher suites in common"); 1185 } 1186 1187 /** 1188 * Set the given CipherSuite, if possible. Return the result. 1189 * The call succeeds if the CipherSuite is available and we have 1190 * the necessary certificates to complete the handshake. We don't 1191 * check if the CipherSuite is actually enabled. 1192 * 1193 * If successful, this method also generates ephemeral keys if 1194 * required for this ciphersuite. This may take some time, so this 1195 * method should only be called if you really want to use the 1196 * CipherSuite. 1197 * 1198 * This method is called from chooseCipherSuite() in this class. 1199 */ 1200 boolean trySetCipherSuite(CipherSuite suite) { 1201 /* 1202 * If we're resuming a session we know we can 1203 * support this key exchange algorithm and in fact 1204 * have already cached the result of it in 1205 * the session state. 1206 */ 1207 if (resumingSession) { 1208 return true; 1209 } 1210 1211 if (suite.isNegotiable() == false) { 1212 return false; 1213 } 1214 1215 // must not negotiate the obsoleted weak cipher suites. 1216 if (protocolVersion.obsoletes(suite)) { 1217 return false; 1218 } 1219 1220 // must not negotiate unsupported cipher suites. 1221 if (!protocolVersion.supports(suite)) { 1222 return false; 1223 } 1224 1225 KeyExchange keyExchange = suite.keyExchange; 1226 1227 // null out any existing references 1228 privateKey = null; 1229 certs = null; 1230 dh = null; 1231 tempPrivateKey = null; 1232 tempPublicKey = null; 1233 1234 Collection<SignatureAndHashAlgorithm> supportedSignAlgs = null; 1235 if (protocolVersion.useTLS12PlusSpec()) { 1236 if (peerSupportedSignAlgs != null) { 1237 supportedSignAlgs = peerSupportedSignAlgs; 1238 } else { 1239 SignatureAndHashAlgorithm algorithm = null; 1240 1241 // we may optimize the performance 1242 switch (keyExchange) { 1243 // If the negotiated key exchange algorithm is one of 1244 // (RSA, DHE_RSA, DH_RSA, RSA_PSK, ECDH_RSA, ECDHE_RSA), 1245 // behave as if client had sent the value {sha1,rsa}. 1246 case K_RSA: 1247 case K_DHE_RSA: 1248 case K_DH_RSA: 1249 // case K_RSA_PSK: 1250 case K_ECDH_RSA: 1251 case K_ECDHE_RSA: 1252 algorithm = SignatureAndHashAlgorithm.valueOf( 1253 HashAlgorithm.SHA1.value, 1254 SignatureAlgorithm.RSA.value, 0); 1255 break; 1256 // If the negotiated key exchange algorithm is one of 1257 // (DHE_DSS, DH_DSS), behave as if the client had 1258 // sent the value {sha1,dsa}. 1259 case K_DHE_DSS: 1260 case K_DH_DSS: 1261 algorithm = SignatureAndHashAlgorithm.valueOf( 1262 HashAlgorithm.SHA1.value, 1263 SignatureAlgorithm.DSA.value, 0); 1264 break; 1265 // If the negotiated key exchange algorithm is one of 1266 // (ECDH_ECDSA, ECDHE_ECDSA), behave as if the client 1267 // had sent value {sha1,ecdsa}. 1268 case K_ECDH_ECDSA: 1269 case K_ECDHE_ECDSA: 1270 algorithm = SignatureAndHashAlgorithm.valueOf( 1271 HashAlgorithm.SHA1.value, 1272 SignatureAlgorithm.ECDSA.value, 0); 1273 break; 1274 default: 1275 // no peer supported signature algorithms 1276 } 1277 1278 if (algorithm == null) { 1279 supportedSignAlgs = 1280 Collections.<SignatureAndHashAlgorithm>emptySet(); 1281 } else { 1282 supportedSignAlgs = 1283 new ArrayList<SignatureAndHashAlgorithm>(1); 1284 supportedSignAlgs.add(algorithm); 1285 1286 supportedSignAlgs = 1287 SignatureAndHashAlgorithm.getSupportedAlgorithms( 1288 algorithmConstraints, supportedSignAlgs); 1289 1290 // May be no default activated signature algorithm, but 1291 // let the following process make the final decision. 1292 } 1293 1294 // Sets the peer supported signature algorithm to use in KM 1295 // temporarily. 1296 session.setPeerSupportedSignatureAlgorithms(supportedSignAlgs); 1297 } 1298 } 1299 1300 switch (keyExchange) { 1301 case K_RSA: 1302 // need RSA certs for authentication 1303 if (setupPrivateKeyAndChain("RSA") == false) { 1304 return false; 1305 } 1306 break; 1307 case K_RSA_EXPORT: 1308 // need RSA certs for authentication 1309 if (setupPrivateKeyAndChain("RSA") == false) { 1310 return false; 1311 } 1312 1313 try { 1314 if (JsseJce.getRSAKeyLength(certs[0].getPublicKey()) > 512) { 1315 if (!setupEphemeralRSAKeys(suite.exportable)) { 1316 return false; 1317 } 1318 } 1319 } catch (RuntimeException e) { 1320 // could not determine keylength, ignore key 1321 return false; 1322 } 1323 break; 1324 case K_DHE_RSA: 1325 // need RSA certs for authentication 1326 if (setupPrivateKeyAndChain("RSA") == false) { 1327 return false; 1328 } 1329 1330 // get preferable peer signature algorithm for server key exchange 1331 if (protocolVersion.useTLS12PlusSpec()) { 1332 preferableSignatureAlgorithm = 1333 SignatureAndHashAlgorithm.getPreferableAlgorithm( 1334 supportedSignAlgs, "RSA", privateKey); 1335 if (preferableSignatureAlgorithm == null) { 1336 if ((debug != null) && Debug.isOn("handshake")) { 1337 System.out.println( 1338 "No signature and hash algorithm for cipher " + 1339 suite); 1340 } 1341 return false; 1342 } 1343 } 1344 1345 setupEphemeralDHKeys(suite.exportable, privateKey); 1346 break; 1347 case K_ECDHE_RSA: 1348 // need RSA certs for authentication 1349 if (setupPrivateKeyAndChain("RSA") == false) { 1350 return false; 1351 } 1352 1353 // get preferable peer signature algorithm for server key exchange 1354 if (protocolVersion.useTLS12PlusSpec()) { 1355 preferableSignatureAlgorithm = 1356 SignatureAndHashAlgorithm.getPreferableAlgorithm( 1357 supportedSignAlgs, "RSA", privateKey); 1358 if (preferableSignatureAlgorithm == null) { 1359 if ((debug != null) && Debug.isOn("handshake")) { 1360 System.out.println( 1361 "No signature and hash algorithm for cipher " + 1362 suite); 1363 } 1364 return false; 1365 } 1366 } 1367 1368 if (setupEphemeralECDHKeys() == false) { 1369 return false; 1370 } 1371 break; 1372 case K_DHE_DSS: 1373 // get preferable peer signature algorithm for server key exchange 1374 if (protocolVersion.useTLS12PlusSpec()) { 1375 preferableSignatureAlgorithm = 1376 SignatureAndHashAlgorithm.getPreferableAlgorithm( 1377 supportedSignAlgs, "DSA"); 1378 if (preferableSignatureAlgorithm == null) { 1379 if ((debug != null) && Debug.isOn("handshake")) { 1380 System.out.println( 1381 "No signature and hash algorithm for cipher " + 1382 suite); 1383 } 1384 return false; 1385 } 1386 } 1387 1388 // need DSS certs for authentication 1389 if (setupPrivateKeyAndChain("DSA") == false) { 1390 return false; 1391 } 1392 1393 setupEphemeralDHKeys(suite.exportable, privateKey); 1394 break; 1395 case K_ECDHE_ECDSA: 1396 // get preferable peer signature algorithm for server key exchange 1397 if (protocolVersion.useTLS12PlusSpec()) { 1398 preferableSignatureAlgorithm = 1399 SignatureAndHashAlgorithm.getPreferableAlgorithm( 1400 supportedSignAlgs, "ECDSA"); 1401 if (preferableSignatureAlgorithm == null) { 1402 if ((debug != null) && Debug.isOn("handshake")) { 1403 System.out.println( 1404 "No signature and hash algorithm for cipher " + 1405 suite); 1406 } 1407 return false; 1408 } 1409 } 1410 1411 // need EC cert 1412 if (setupPrivateKeyAndChain("EC") == false) { 1413 return false; 1414 } 1415 if (setupEphemeralECDHKeys() == false) { 1416 return false; 1417 } 1418 break; 1419 case K_ECDH_RSA: 1420 // need EC cert 1421 if (setupPrivateKeyAndChain("EC") == false) { 1422 return false; 1423 } 1424 setupStaticECDHKeys(); 1425 break; 1426 case K_ECDH_ECDSA: 1427 // need EC cert 1428 if (setupPrivateKeyAndChain("EC") == false) { 1429 return false; 1430 } 1431 setupStaticECDHKeys(); 1432 break; 1433 case K_DH_ANON: 1434 // no certs needed for anonymous 1435 setupEphemeralDHKeys(suite.exportable, null); 1436 break; 1437 case K_ECDH_ANON: 1438 // no certs needed for anonymous 1439 if (setupEphemeralECDHKeys() == false) { 1440 return false; 1441 } 1442 break; 1443 default: 1444 ClientKeyExchangeService p = 1445 ClientKeyExchangeService.find(keyExchange.name); 1446 if (p == null) { 1447 // internal error, unknown key exchange 1448 throw new RuntimeException( 1449 "Unrecognized cipherSuite: " + suite); 1450 } 1451 // need service creds 1452 if (serviceCreds == null) { 1453 AccessControlContext acc = getAccSE(); 1454 serviceCreds = p.getServiceCreds(acc); 1455 if (serviceCreds != null) { 1456 if (debug != null && Debug.isOn("handshake")) { 1457 System.out.println("Using serviceCreds"); 1458 } 1459 } 1460 if (serviceCreds == null) { 1461 return false; 1462 } 1463 } 1464 break; 1465 } 1466 setCipherSuite(suite); 1467 1468 // set the peer implicit supported signature algorithms 1469 if (protocolVersion.useTLS12PlusSpec()) { 1470 if (peerSupportedSignAlgs == null) { 1471 setPeerSupportedSignAlgs(supportedSignAlgs); 1472 // we had alreay update the session 1473 } 1474 } 1475 return true; 1476 } 1477 1478 /* 1479 * Get some "ephemeral" RSA keys for this context. This means 1480 * generating them if it's not already been done. 1481 * 1482 * Note that we currently do not implement any ciphersuites that use 1483 * strong ephemeral RSA. (We do not support the EXPORT1024 ciphersuites 1484 * and standard RSA ciphersuites prohibit ephemeral mode for some reason) 1485 * This means that export is always true and 512 bit keys are generated. 1486 */ 1487 private boolean setupEphemeralRSAKeys(boolean export) { 1488 KeyPair kp = sslContext.getEphemeralKeyManager(). 1489 getRSAKeyPair(export, sslContext.getSecureRandom()); 1490 if (kp == null) { 1491 return false; 1492 } else { 1493 tempPublicKey = kp.getPublic(); 1494 tempPrivateKey = kp.getPrivate(); 1495 return true; 1496 } 1497 } 1498 1499 /* 1500 * Acquire some "ephemeral" Diffie-Hellman keys for this handshake. 1501 * We don't reuse these, for improved forward secrecy. 1502 */ 1503 private void setupEphemeralDHKeys(boolean export, Key key) { 1504 /* 1505 * 768 bits ephemeral DH private keys were used to be used in 1506 * ServerKeyExchange except that exportable ciphers max out at 512 1507 * bits modulus values. We still adhere to this behavior in legacy 1508 * mode (system property "jdk.tls.ephemeralDHKeySize" is defined 1509 * as "legacy"). 1510 * 1511 * Old JDK (JDK 7 and previous) releases don't support DH keys bigger 1512 * than 1024 bits. We have to consider the compatibility requirement. 1513 * 1024 bits DH key is always used for non-exportable cipher suites 1514 * in default mode (system property "jdk.tls.ephemeralDHKeySize" 1515 * is not defined). 1516 * 1517 * However, if applications want more stronger strength, setting 1518 * system property "jdk.tls.ephemeralDHKeySize" to "matched" 1519 * is a workaround to use ephemeral DH key which size matches the 1520 * corresponding authentication key. For example, if the public key 1521 * size of an authentication certificate is 2048 bits, then the 1522 * ephemeral DH key size should be 2048 bits accordingly unless 1523 * the cipher suite is exportable. This key sizing scheme keeps 1524 * the cryptographic strength consistent between authentication 1525 * keys and key-exchange keys. 1526 * 1527 * Applications may also want to customize the ephemeral DH key size 1528 * to a fixed length for non-exportable cipher suites. This can be 1529 * approached by setting system property "jdk.tls.ephemeralDHKeySize" 1530 * to a valid positive integer between 1024 and 8192 bits, inclusive. 1531 * 1532 * Note that the minimum acceptable key size is 1024 bits except 1533 * exportable cipher suites or legacy mode. 1534 * 1535 * Note that per RFC 2246, the key size limit of DH is 512 bits for 1536 * exportable cipher suites. Because of the weakness, exportable 1537 * cipher suites are deprecated since TLS v1.1 and they are not 1538 * enabled by default in Oracle provider. The legacy behavior is 1539 * reserved and 512 bits DH key is always used for exportable 1540 * cipher suites. 1541 */ 1542 int keySize = export ? 512 : 1024; // default mode 1543 if (!export) { 1544 if (useLegacyEphemeralDHKeys) { // legacy mode 1545 keySize = 768; 1546 } else if (useSmartEphemeralDHKeys) { // matched mode 1547 if (key != null) { 1548 int ks = KeyUtil.getKeySize(key); 1549 1550 // DH parameter generation can be extremely slow, make 1551 // sure to use one of the supported pre-computed DH 1552 // parameters (see DHCrypt class). 1553 // 1554 // Old deployed applications may not be ready to support 1555 // DH key sizes bigger than 2048 bits. Please DON'T use 1556 // value other than 1024 and 2048 at present. May improve 1557 // the underlying providers and key size limit in the 1558 // future when the compatibility and interoperability 1559 // impact is limited. 1560 // 1561 // keySize = ks <= 1024 ? 1024 : (ks >= 2048 ? 2048 : ks); 1562 keySize = ks <= 1024 ? 1024 : 2048; 1563 } // Otherwise, anonymous cipher suites, 1024-bit is used. 1564 } else if (customizedDHKeySize > 0) { // customized mode 1565 keySize = customizedDHKeySize; 1566 } 1567 } 1568 1569 dh = new DHCrypt(keySize, sslContext.getSecureRandom()); 1570 } 1571 1572 // Setup the ephemeral ECDH parameters. 1573 // If we cannot continue because we do not support any of the curves that 1574 // the client requested, return false. Otherwise (all is well), return true. 1575 private boolean setupEphemeralECDHKeys() { 1576 int index = (requestedCurves != null) ? 1577 requestedCurves.getPreferredCurve(algorithmConstraints) : 1578 EllipticCurvesExtension.getActiveCurves(algorithmConstraints); 1579 if (index < 0) { 1580 // no match found, cannot use this ciphersuite 1581 return false; 1582 } 1583 1584 ecdh = new ECDHCrypt(index, sslContext.getSecureRandom()); 1585 return true; 1586 } 1587 1588 private void setupStaticECDHKeys() { 1589 // don't need to check whether the curve is supported, already done 1590 // in setupPrivateKeyAndChain(). 1591 ecdh = new ECDHCrypt(privateKey, certs[0].getPublicKey()); 1592 } 1593 1594 /** 1595 * Retrieve the server key and certificate for the specified algorithm 1596 * from the KeyManager and set the instance variables. 1597 * 1598 * @return true if successful, false if not available or invalid 1599 */ 1600 private boolean setupPrivateKeyAndChain(String algorithm) { 1601 X509ExtendedKeyManager km = sslContext.getX509KeyManager(); 1602 String alias; 1603 if (conn != null) { 1604 alias = km.chooseServerAlias(algorithm, null, conn); 1605 } else { 1606 alias = km.chooseEngineServerAlias(algorithm, null, engine); 1607 } 1608 if (alias == null) { 1609 return false; 1610 } 1611 PrivateKey tempPrivateKey = km.getPrivateKey(alias); 1612 if (tempPrivateKey == null) { 1613 return false; 1614 } 1615 X509Certificate[] tempCerts = km.getCertificateChain(alias); 1616 if ((tempCerts == null) || (tempCerts.length == 0)) { 1617 return false; 1618 } 1619 String keyAlgorithm = algorithm.split("_")[0]; 1620 PublicKey publicKey = tempCerts[0].getPublicKey(); 1621 if ((tempPrivateKey.getAlgorithm().equals(keyAlgorithm) == false) 1622 || (publicKey.getAlgorithm().equals(keyAlgorithm) == false)) { 1623 return false; 1624 } 1625 // For ECC certs, check whether we support the EC domain parameters. 1626 // If the client sent a SupportedEllipticCurves ClientHello extension, 1627 // check against that too. 1628 if (keyAlgorithm.equals("EC")) { 1629 if (publicKey instanceof ECPublicKey == false) { 1630 return false; 1631 } 1632 ECParameterSpec params = ((ECPublicKey)publicKey).getParams(); 1633 int id = EllipticCurvesExtension.getCurveIndex(params); 1634 if ((id <= 0) || !EllipticCurvesExtension.isSupported(id) || 1635 ((requestedCurves != null) && !requestedCurves.contains(id))) { 1636 return false; 1637 } 1638 } 1639 this.privateKey = tempPrivateKey; 1640 this.certs = tempCerts; 1641 return true; 1642 } 1643 1644 /* 1645 * Returns premaster secret for external key exchange services. 1646 */ 1647 private SecretKey clientKeyExchange(ClientKeyExchange mesg) 1648 throws IOException { 1649 1650 if (debug != null && Debug.isOn("handshake")) { 1651 mesg.print(System.out); 1652 } 1653 1654 // Record the principals involved in exchange 1655 session.setPeerPrincipal(mesg.getPeerPrincipal()); 1656 session.setLocalPrincipal(mesg.getLocalPrincipal()); 1657 1658 return mesg.clientKeyExchange(); 1659 } 1660 1661 /* 1662 * Diffie Hellman key exchange is used when the server presented 1663 * D-H parameters in its certificate (signed using RSA or DSS/DSA), 1664 * or else the server presented no certificate but sent D-H params 1665 * in a ServerKeyExchange message. Use of D-H is specified by the 1666 * cipher suite chosen. 1667 * 1668 * The message optionally contains the client's D-H public key (if 1669 * it wasn't not sent in a client certificate). As always with D-H, 1670 * if a client and a server have each other's D-H public keys and 1671 * they use common algorithm parameters, they have a shared key 1672 * that's derived via the D-H calculation. That key becomes the 1673 * pre-master secret. 1674 */ 1675 private SecretKey clientKeyExchange(DHClientKeyExchange mesg) 1676 throws IOException { 1677 1678 if (debug != null && Debug.isOn("handshake")) { 1679 mesg.print(System.out); 1680 } 1681 1682 BigInteger publicKeyValue = mesg.getClientPublicKey(); 1683 1684 // check algorithm constraints 1685 dh.checkConstraints(algorithmConstraints, publicKeyValue); 1686 1687 return dh.getAgreedSecret(publicKeyValue, false); 1688 } 1689 1690 private SecretKey clientKeyExchange(ECDHClientKeyExchange mesg) 1691 throws IOException { 1692 1693 if (debug != null && Debug.isOn("handshake")) { 1694 mesg.print(System.out); 1695 } 1696 1697 byte[] publicPoint = mesg.getEncodedPoint(); 1698 1699 // check algorithm constraints 1700 ecdh.checkConstraints(algorithmConstraints, publicPoint); 1701 1702 return ecdh.getAgreedSecret(publicPoint); 1703 } 1704 1705 /* 1706 * Client wrote a message to verify the certificate it sent earlier. 1707 * 1708 * Note that this certificate isn't involved in key exchange. Client 1709 * authentication messages are included in the checksums used to 1710 * validate the handshake (e.g. Finished messages). Other than that, 1711 * the _exact_ identity of the client is less fundamental to protocol 1712 * security than its role in selecting keys via the pre-master secret. 1713 */ 1714 private void clientCertificateVerify(CertificateVerify mesg) 1715 throws IOException { 1716 1717 if (debug != null && Debug.isOn("handshake")) { 1718 mesg.print(System.out); 1719 } 1720 1721 if (protocolVersion.useTLS12PlusSpec()) { 1722 SignatureAndHashAlgorithm signAlg = 1723 mesg.getPreferableSignatureAlgorithm(); 1724 if (signAlg == null) { 1725 throw new SSLHandshakeException( 1726 "Illegal CertificateVerify message"); 1727 } 1728 1729 String hashAlg = 1730 SignatureAndHashAlgorithm.getHashAlgorithmName(signAlg); 1731 if (hashAlg == null || hashAlg.length() == 0) { 1732 throw new SSLHandshakeException( 1733 "No supported hash algorithm"); 1734 } 1735 } 1736 1737 try { 1738 PublicKey publicKey = 1739 session.getPeerCertificates()[0].getPublicKey(); 1740 1741 boolean valid = mesg.verify(protocolVersion, handshakeHash, 1742 publicKey, session.getMasterSecret()); 1743 if (valid == false) { 1744 fatalSE(Alerts.alert_bad_certificate, 1745 "certificate verify message signature error"); 1746 } 1747 } catch (GeneralSecurityException e) { 1748 fatalSE(Alerts.alert_bad_certificate, 1749 "certificate verify format error", e); 1750 } 1751 1752 // reset the flag for clientCertificateVerify message 1753 needClientVerify = false; 1754 } 1755 1756 1757 /* 1758 * Client writes "finished" at the end of its handshake, after cipher 1759 * spec is changed. We verify it and then send ours. 1760 * 1761 * When we're resuming a session, we'll have already sent our own 1762 * Finished message so just the verification is needed. 1763 */ 1764 private void clientFinished(Finished mesg) throws IOException { 1765 if (debug != null && Debug.isOn("handshake")) { 1766 mesg.print(System.out); 1767 } 1768 1769 /* 1770 * Verify if client did send the certificate when client 1771 * authentication was required, otherwise server should not proceed 1772 */ 1773 if (doClientAuth == ClientAuthType.CLIENT_AUTH_REQUIRED) { 1774 // get X500Principal of the end-entity certificate for X509-based 1775 // ciphersuites, or Kerberos principal for Kerberos ciphersuites, etc 1776 session.getPeerPrincipal(); 1777 } 1778 1779 /* 1780 * Verify if client did send clientCertificateVerify message following 1781 * the client Certificate, otherwise server should not proceed 1782 */ 1783 if (needClientVerify) { 1784 fatalSE(Alerts.alert_handshake_failure, 1785 "client did not send certificate verify message"); 1786 } 1787 1788 /* 1789 * Verify the client's message with the "before" digest of messages, 1790 * and forget about continuing to use that digest. 1791 */ 1792 boolean verified = mesg.verify(handshakeHash, Finished.CLIENT, 1793 session.getMasterSecret()); 1794 1795 if (!verified) { 1796 fatalSE(Alerts.alert_handshake_failure, 1797 "client 'finished' message doesn't verify"); 1798 // NOTREACHED 1799 } 1800 1801 /* 1802 * save client verify data for secure renegotiation 1803 */ 1804 if (secureRenegotiation) { 1805 clientVerifyData = mesg.getVerifyData(); 1806 } 1807 1808 /* 1809 * OK, it verified. If we're doing the full handshake, add that 1810 * "Finished" message to the hash of handshake messages, then send 1811 * the change_cipher_spec and Finished message. 1812 */ 1813 if (!resumingSession) { 1814 sendChangeCipherAndFinish(true); 1815 } else { 1816 handshakeFinished = true; 1817 } 1818 1819 /* 1820 * Update the session cache only after the handshake completed, else 1821 * we're open to an attack against a partially completed handshake. 1822 */ 1823 session.setLastAccessedTime(System.currentTimeMillis()); 1824 if (!resumingSession && session.isRejoinable()) { 1825 ((SSLSessionContextImpl)sslContext.engineGetServerSessionContext()) 1826 .put(session); 1827 if (debug != null && Debug.isOn("session")) { 1828 System.out.println( 1829 "%% Cached server session: " + session); 1830 } 1831 } else if (!resumingSession && 1832 debug != null && Debug.isOn("session")) { 1833 System.out.println( 1834 "%% Didn't cache non-resumable server session: " 1835 + session); 1836 } 1837 } 1838 1839 /* 1840 * Compute finished message with the "server" digest (and then forget 1841 * about that digest, it can't be used again). 1842 */ 1843 private void sendChangeCipherAndFinish(boolean finishedTag) 1844 throws IOException { 1845 1846 // Reload if this message has been reserved. 1847 handshakeHash.reload(); 1848 1849 Finished mesg = new Finished(protocolVersion, handshakeHash, 1850 Finished.SERVER, session.getMasterSecret(), cipherSuite); 1851 1852 /* 1853 * Send the change_cipher_spec record; then our Finished handshake 1854 * message will be the last handshake message. Flush, and now we 1855 * are ready for application data!! 1856 */ 1857 sendChangeCipherSpec(mesg, finishedTag); 1858 1859 /* 1860 * save server verify data for secure renegotiation 1861 */ 1862 if (secureRenegotiation) { 1863 serverVerifyData = mesg.getVerifyData(); 1864 } 1865 } 1866 1867 1868 /* 1869 * Returns a HelloRequest message to kickstart renegotiations 1870 */ 1871 @Override 1872 HandshakeMessage getKickstartMessage() { 1873 return new HelloRequest(); 1874 } 1875 1876 1877 /* 1878 * Fault detected during handshake. 1879 */ 1880 @Override 1881 void handshakeAlert(byte description) throws SSLProtocolException { 1882 1883 String message = Alerts.alertDescription(description); 1884 1885 if (debug != null && Debug.isOn("handshake")) { 1886 System.out.println("SSL -- handshake alert: " 1887 + message); 1888 } 1889 1890 /* 1891 * It's ok to get a no_certificate alert from a client of which 1892 * we *requested* authentication information. 1893 * However, if we *required* it, then this is not acceptable. 1894 * 1895 * Anyone calling getPeerCertificates() on the 1896 * session will get an SSLPeerUnverifiedException. 1897 */ 1898 if ((description == Alerts.alert_no_certificate) && 1899 (doClientAuth == ClientAuthType.CLIENT_AUTH_REQUESTED)) { 1900 return; 1901 } 1902 1903 throw new SSLProtocolException("handshake alert: " + message); 1904 } 1905 1906 /* 1907 * RSA key exchange is normally used. The client encrypts a "pre-master 1908 * secret" with the server's public key, from the Certificate (or else 1909 * ServerKeyExchange) message that was sent to it by the server. That's 1910 * decrypted using the private key before we get here. 1911 */ 1912 private SecretKey clientKeyExchange(RSAClientKeyExchange mesg) 1913 throws IOException { 1914 1915 if (debug != null && Debug.isOn("handshake")) { 1916 mesg.print(System.out); 1917 } 1918 return mesg.preMaster; 1919 } 1920 1921 /* 1922 * Verify the certificate sent by the client. We'll only get one if we 1923 * sent a CertificateRequest to request client authentication. If we 1924 * are in TLS mode, the client may send a message with no certificates 1925 * to indicate it does not have an appropriate chain. (In SSLv3 mode, 1926 * it would send a no certificate alert). 1927 */ 1928 private void clientCertificate(CertificateMsg mesg) throws IOException { 1929 if (debug != null && Debug.isOn("handshake")) { 1930 mesg.print(System.out); 1931 } 1932 1933 X509Certificate[] peerCerts = mesg.getCertificateChain(); 1934 1935 if (peerCerts.length == 0) { 1936 /* 1937 * If the client authentication is only *REQUESTED* (e.g. 1938 * not *REQUIRED*, this is an acceptable condition.) 1939 */ 1940 if (doClientAuth == ClientAuthType.CLIENT_AUTH_REQUESTED) { 1941 return; 1942 } else { 1943 fatalSE(Alerts.alert_bad_certificate, 1944 "null cert chain"); 1945 } 1946 } 1947 1948 // ask the trust manager to verify the chain 1949 X509TrustManager tm = sslContext.getX509TrustManager(); 1950 1951 try { 1952 // find out the types of client authentication used 1953 PublicKey key = peerCerts[0].getPublicKey(); 1954 String keyAlgorithm = key.getAlgorithm(); 1955 String authType; 1956 if (keyAlgorithm.equals("RSA")) { 1957 authType = "RSA"; 1958 } else if (keyAlgorithm.equals("DSA")) { 1959 authType = "DSA"; 1960 } else if (keyAlgorithm.equals("EC")) { 1961 authType = "EC"; 1962 } else { 1963 // unknown public key type 1964 authType = "UNKNOWN"; 1965 } 1966 1967 if (tm instanceof X509ExtendedTrustManager) { 1968 if (conn != null) { 1969 ((X509ExtendedTrustManager)tm).checkClientTrusted( 1970 peerCerts.clone(), 1971 authType, 1972 conn); 1973 } else { 1974 ((X509ExtendedTrustManager)tm).checkClientTrusted( 1975 peerCerts.clone(), 1976 authType, 1977 engine); 1978 } 1979 } else { 1980 // Unlikely to happen, because we have wrapped the old 1981 // X509TrustManager with the new X509ExtendedTrustManager. 1982 throw new CertificateException( 1983 "Improper X509TrustManager implementation"); 1984 } 1985 } catch (CertificateException e) { 1986 // This will throw an exception, so include the original error. 1987 fatalSE(Alerts.alert_certificate_unknown, e); 1988 } 1989 // set the flag for clientCertificateVerify message 1990 needClientVerify = true; 1991 1992 session.setPeerCertificates(peerCerts); 1993 } 1994 1995 private StaplingParameters processStapling(ClientHello mesg) { 1996 StaplingParameters params = null; 1997 ExtensionType ext = null; 1998 StatusRequestType type = null; 1999 StatusRequest req = null; 2000 Map<X509Certificate, byte[]> responses; 2001 2002 // If this feature has not been enabled, then no more processing 2003 // is necessary. Also we will only staple if we're doing a full 2004 // handshake. 2005 if (!sslContext.isStaplingEnabled(false) || resumingSession) { 2006 return null; 2007 } 2008 2009 // Check if the client has asserted the status_request[_v2] extension(s) 2010 CertStatusReqExtension statReqExt = (CertStatusReqExtension) 2011 mesg.extensions.get(ExtensionType.EXT_STATUS_REQUEST); 2012 CertStatusReqListV2Extension statReqExtV2 = 2013 (CertStatusReqListV2Extension)mesg.extensions.get( 2014 ExtensionType.EXT_STATUS_REQUEST_V2); 2015 2016 // Determine which type of stapling we are doing and assert the 2017 // proper extension in the server hello. 2018 // Favor status_request_v2 over status_request and ocsp_multi 2019 // over ocsp. 2020 // If multiple ocsp or ocsp_multi types exist, select the first 2021 // instance of a given type. Also since we don't support ResponderId 2022 // selection yet, only accept a request if the ResponderId field 2023 // is empty. 2024 if (statReqExtV2 != null) { // RFC 6961 stapling 2025 ext = ExtensionType.EXT_STATUS_REQUEST_V2; 2026 List<CertStatusReqItemV2> reqItems = 2027 statReqExtV2.getRequestItems(); 2028 int ocspIdx = -1; 2029 int ocspMultiIdx = -1; 2030 for (int pos = 0; (pos < reqItems.size() && 2031 (ocspIdx == -1 || ocspMultiIdx == -1)); pos++) { 2032 CertStatusReqItemV2 item = reqItems.get(pos); 2033 StatusRequestType curType = item.getType(); 2034 if (ocspIdx < 0 && curType == StatusRequestType.OCSP) { 2035 OCSPStatusRequest ocspReq = 2036 (OCSPStatusRequest)item.getRequest(); 2037 if (ocspReq.getResponderIds().isEmpty()) { 2038 ocspIdx = pos; 2039 } 2040 } else if (ocspMultiIdx < 0 && 2041 curType == StatusRequestType.OCSP_MULTI) { 2042 // If the type is OCSP, then the request 2043 // is guaranteed to be OCSPStatusRequest 2044 OCSPStatusRequest ocspReq = 2045 (OCSPStatusRequest)item.getRequest(); 2046 if (ocspReq.getResponderIds().isEmpty()) { 2047 ocspMultiIdx = pos; 2048 } 2049 } 2050 } 2051 if (ocspMultiIdx >= 0) { 2052 type = reqItems.get(ocspMultiIdx).getType(); 2053 req = reqItems.get(ocspMultiIdx).getRequest(); 2054 } else if (ocspIdx >= 0) { 2055 type = reqItems.get(ocspIdx).getType(); 2056 req = reqItems.get(ocspIdx).getRequest(); 2057 } else { 2058 if (debug != null && Debug.isOn("handshake")) { 2059 System.out.println("Warning: No suitable request " + 2060 "found in the status_request_v2 extension."); 2061 } 2062 } 2063 } 2064 2065 // Only attempt to process a status_request extension if: 2066 // * The status_request extension is set AND 2067 // * either the status_request_v2 extension is not present OR 2068 // * none of the underlying OCSPStatusRequest structures is suitable 2069 // for stapling. 2070 // If either of the latter two bullet items is true the ext, type and 2071 // req variables should all be null. If any are null we will try 2072 // processing an asserted status_request. 2073 if ((statReqExt != null) && 2074 (ext == null || type == null || req == null)) { 2075 ext = ExtensionType.EXT_STATUS_REQUEST; 2076 type = statReqExt.getType(); 2077 if (type == StatusRequestType.OCSP) { 2078 // If the type is OCSP, then the request is guaranteed 2079 // to be OCSPStatusRequest 2080 OCSPStatusRequest ocspReq = 2081 (OCSPStatusRequest)statReqExt.getRequest(); 2082 if (ocspReq.getResponderIds().isEmpty()) { 2083 req = ocspReq; 2084 } else { 2085 if (debug != null && Debug.isOn("handshake")) { 2086 req = null; 2087 System.out.println("Warning: No suitable request " + 2088 "found in the status_request extension."); 2089 } 2090 } 2091 } 2092 } 2093 2094 // If, after walking through the extensions we were unable to 2095 // find a suitable StatusRequest, then stapling is disabled. 2096 // The ext, type and req variables must have been set to continue. 2097 if (type == null || req == null || ext == null) { 2098 return null; 2099 } 2100 2101 // Get the OCSP responses from the StatusResponseManager 2102 StatusResponseManager statRespMgr = 2103 sslContext.getStatusResponseManager(); 2104 if (statRespMgr != null) { 2105 responses = statRespMgr.get(type, req, certs, statusRespTimeout, 2106 TimeUnit.MILLISECONDS); 2107 if (!responses.isEmpty()) { 2108 // If this RFC 6066-style stapling (SSL cert only) then the 2109 // response cannot be zero length 2110 if (type == StatusRequestType.OCSP) { 2111 byte[] respDER = responses.get(certs[0]); 2112 if (respDER == null || respDER.length <= 0) { 2113 return null; 2114 } 2115 } 2116 params = new StaplingParameters(ext, type, req, responses); 2117 } 2118 } else { 2119 // This should not happen, but if lazy initialization of the 2120 // StatusResponseManager doesn't occur we should turn off stapling. 2121 if (debug != null && Debug.isOn("handshake")) { 2122 System.out.println("Warning: lazy initialization " + 2123 "of the StatusResponseManager failed. " + 2124 "Stapling has been disabled."); 2125 } 2126 } 2127 2128 return params; 2129 } 2130 2131 /** 2132 * Inner class used to hold stapling parameters needed by the handshaker 2133 * when stapling is active. 2134 */ 2135 private class StaplingParameters { 2136 private final ExtensionType statusRespExt; 2137 private final StatusRequestType statReqType; 2138 private final StatusRequest statReqData; 2139 private final Map<X509Certificate, byte[]> responseMap; 2140 2141 StaplingParameters(ExtensionType ext, StatusRequestType type, 2142 StatusRequest req, Map<X509Certificate, byte[]> responses) { 2143 statusRespExt = ext; 2144 statReqType = type; 2145 statReqData = req; 2146 responseMap = responses; 2147 } 2148 } 2149 }