1 /*
2 * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26
27 package sun.security.ssl;
28
29 import java.io.*;
30 import java.util.*;
31 import java.util.concurrent.TimeUnit;
32 import java.security.*;
33 import java.security.cert.*;
34 import java.security.interfaces.*;
35 import java.security.spec.ECParameterSpec;
36 import java.math.BigInteger;
37
38 import javax.crypto.SecretKey;
39 import javax.net.ssl.*;
40
41 import sun.security.action.GetLongAction;
42 import sun.security.util.KeyUtil;
43 import sun.security.util.LegacyAlgorithmConstraints;
44 import sun.security.action.GetPropertyAction;
45 import sun.security.ssl.HandshakeMessage.*;
46 import sun.security.ssl.CipherSuite.*;
47 import sun.security.ssl.SignatureAndHashAlgorithm.*;
48 import static sun.security.ssl.CipherSuite.KeyExchange.*;
49
50 /**
51 * ServerHandshaker does the protocol handshaking from the point
52 * of view of a server. It is driven asychronously by handshake messages
53 * as delivered by the parent Handshaker class, and also uses
54 * common functionality (e.g. key generation) that is provided there.
55 *
56 * @author David Brownell
57 */
58 final class ServerHandshaker extends Handshaker {
59
60 // The default number of milliseconds the handshaker will wait for
61 // revocation status responses.
62 private static final long DEFAULT_STATUS_RESP_DELAY = 5000;
63
64 // is the server going to require the client to authenticate?
65 private ClientAuthType doClientAuth;
66
67 // our authentication info
68 private X509Certificate[] certs;
69 private PrivateKey privateKey;
70
71 private Object serviceCreds;
72
73 // flag to check for clientCertificateVerify message
74 private boolean needClientVerify = false;
75
76 /*
77 * For exportable ciphersuites using non-exportable key sizes, we use
78 * ephemeral RSA keys. We could also do anonymous RSA in the same way
79 * but there are no such ciphersuites currently defined.
80 */
81 private PrivateKey tempPrivateKey;
82 private PublicKey tempPublicKey;
83
84 /*
85 * For anonymous and ephemeral Diffie-Hellman key exchange, we use
86 * ephemeral Diffie-Hellman keys.
87 */
88 private DHCrypt dh;
89
90 // Helper for ECDH based key exchanges
91 private ECDHCrypt ecdh;
92
93 // version request by the client in its ClientHello
94 // we remember it for the RSA premaster secret version check
95 private ProtocolVersion clientRequestedVersion;
96
97 // client supported elliptic curves
98 private EllipticCurvesExtension requestedCurves;
99
100 // the preferable signature algorithm used by ServerKeyExchange message
101 SignatureAndHashAlgorithm preferableSignatureAlgorithm;
102
103 // Flag to use smart ephemeral DH key which size matches the corresponding
104 // authentication key
105 private static final boolean useSmartEphemeralDHKeys;
106
107 // Flag to use legacy ephemeral DH key which size is 512 bits for
108 // exportable cipher suites, and 768 bits for others
109 private static final boolean useLegacyEphemeralDHKeys;
110
111 // The customized ephemeral DH key size for non-exportable cipher suites.
112 private static final int customizedDHKeySize;
113
114 // legacy algorithm constraints
115 private static final AlgorithmConstraints legacyAlgorithmConstraints =
116 new LegacyAlgorithmConstraints(
117 LegacyAlgorithmConstraints.PROPERTY_TLS_LEGACY_ALGS,
118 new SSLAlgorithmDecomposer());
119
120 private long statusRespTimeout;
121
122 static {
123 String property = GetPropertyAction
124 .privilegedGetProperty("jdk.tls.ephemeralDHKeySize");
125 if (property == null || property.length() == 0) {
126 useLegacyEphemeralDHKeys = false;
127 useSmartEphemeralDHKeys = false;
128 customizedDHKeySize = -1;
129 } else if ("matched".equals(property)) {
130 useLegacyEphemeralDHKeys = false;
131 useSmartEphemeralDHKeys = true;
132 customizedDHKeySize = -1;
133 } else if ("legacy".equals(property)) {
134 useLegacyEphemeralDHKeys = true;
135 useSmartEphemeralDHKeys = false;
136 customizedDHKeySize = -1;
137 } else {
138 useLegacyEphemeralDHKeys = false;
139 useSmartEphemeralDHKeys = false;
140
141 try {
142 // DH parameter generation can be extremely slow, best to
143 // use one of the supported pre-computed DH parameters
144 // (see DHCrypt class).
145 customizedDHKeySize = Integer.parseUnsignedInt(property);
146 if (customizedDHKeySize < 1024 || customizedDHKeySize > 8192 ||
147 (customizedDHKeySize & 0x3f) != 0) {
148 throw new IllegalArgumentException(
149 "Unsupported customized DH key size: " +
150 customizedDHKeySize + ". " +
151 "The key size must be multiple of 64, " +
152 "and can only range from 1024 to 8192 (inclusive)");
153 }
154 } catch (NumberFormatException nfe) {
155 throw new IllegalArgumentException(
156 "Invalid system property jdk.tls.ephemeralDHKeySize");
157 }
158 }
159 }
160
161 /*
162 * Constructor ... use the keys found in the auth context.
163 */
164 ServerHandshaker(SSLSocketImpl socket, SSLContextImpl context,
165 ProtocolList enabledProtocols, ClientAuthType clientAuth,
166 ProtocolVersion activeProtocolVersion, boolean isInitialHandshake,
167 boolean secureRenegotiation,
168 byte[] clientVerifyData, byte[] serverVerifyData) {
169
170 super(socket, context, enabledProtocols,
171 (clientAuth != ClientAuthType.CLIENT_AUTH_NONE), false,
172 activeProtocolVersion, isInitialHandshake, secureRenegotiation,
173 clientVerifyData, serverVerifyData);
174 doClientAuth = clientAuth;
175 statusRespTimeout = AccessController.doPrivileged(
176 new GetLongAction("jdk.tls.stapling.responseTimeout",
177 DEFAULT_STATUS_RESP_DELAY));
178 statusRespTimeout = statusRespTimeout >= 0 ? statusRespTimeout :
179 DEFAULT_STATUS_RESP_DELAY;
180 }
181
182 /*
183 * Constructor ... use the keys found in the auth context.
184 */
185 ServerHandshaker(SSLEngineImpl engine, SSLContextImpl context,
186 ProtocolList enabledProtocols, ClientAuthType clientAuth,
187 ProtocolVersion activeProtocolVersion,
188 boolean isInitialHandshake, boolean secureRenegotiation,
189 byte[] clientVerifyData, byte[] serverVerifyData,
190 boolean isDTLS) {
191
192 super(engine, context, enabledProtocols,
193 (clientAuth != ClientAuthType.CLIENT_AUTH_NONE), false,
194 activeProtocolVersion, isInitialHandshake, secureRenegotiation,
195 clientVerifyData, serverVerifyData, isDTLS);
196 doClientAuth = clientAuth;
197 statusRespTimeout = AccessController.doPrivileged(
198 new GetLongAction("jdk.tls.stapling.responseTimeout",
199 DEFAULT_STATUS_RESP_DELAY));
200 statusRespTimeout = statusRespTimeout >= 0 ? statusRespTimeout :
201 DEFAULT_STATUS_RESP_DELAY;
202 }
203
204 /*
205 * As long as handshaking has not started, we can change
206 * whether client authentication is required. Otherwise,
207 * we will need to wait for the next handshake.
208 */
209 void setClientAuth(ClientAuthType clientAuth) {
210 doClientAuth = clientAuth;
211 }
212
213 /*
214 * This routine handles all the server side handshake messages, one at
215 * a time. Given the message type (and in some cases the pending cipher
216 * spec) it parses the type-specific message. Then it calls a function
217 * that handles that specific message.
218 *
219 * It updates the state machine as each message is processed, and writes
220 * responses as needed using the connection in the constructor.
221 */
222 @Override
223 void processMessage(byte type, int message_len)
224 throws IOException {
225
226 // check the handshake state
227 handshakeState.check(type);
228
229 switch (type) {
230 case HandshakeMessage.ht_client_hello:
231 ClientHello ch = new ClientHello(input, message_len, isDTLS);
232 handshakeState.update(ch, resumingSession);
233
234 /*
235 * send it off for processing.
236 */
237 this.clientHello(ch);
238 break;
239
240 case HandshakeMessage.ht_certificate:
241 if (doClientAuth == ClientAuthType.CLIENT_AUTH_NONE) {
242 fatalSE(Alerts.alert_unexpected_message,
243 "client sent unsolicited cert chain");
244 // NOTREACHED
245 }
246 CertificateMsg certificateMsg = new CertificateMsg(input);
247 handshakeState.update(certificateMsg, resumingSession);
248 this.clientCertificate(certificateMsg);
249 break;
250
251 case HandshakeMessage.ht_client_key_exchange:
252 SecretKey preMasterSecret;
253 switch (keyExchange) {
254 case K_RSA:
255 case K_RSA_EXPORT:
256 /*
257 * The client's pre-master secret is decrypted using
258 * either the server's normal private RSA key, or the
259 * temporary one used for non-export or signing-only
260 * certificates/keys.
261 */
262 RSAClientKeyExchange pms = new RSAClientKeyExchange(
263 protocolVersion, clientRequestedVersion,
264 sslContext.getSecureRandom(), input,
265 message_len, privateKey);
266 handshakeState.update(pms, resumingSession);
267 preMasterSecret = this.clientKeyExchange(pms);
268 break;
269 case K_DHE_RSA:
270 case K_DHE_DSS:
271 case K_DH_ANON:
272 /*
273 * The pre-master secret is derived using the normal
274 * Diffie-Hellman calculation. Note that the main
275 * protocol difference in these five flavors is in how
276 * the ServerKeyExchange message was constructed!
277 */
278 DHClientKeyExchange dhcke = new DHClientKeyExchange(input);
279 handshakeState.update(dhcke, resumingSession);
280 preMasterSecret = this.clientKeyExchange(dhcke);
281 break;
282 case K_ECDH_RSA:
283 case K_ECDH_ECDSA:
284 case K_ECDHE_RSA:
285 case K_ECDHE_ECDSA:
286 case K_ECDH_ANON:
287 ECDHClientKeyExchange ecdhcke =
288 new ECDHClientKeyExchange(input);
289 handshakeState.update(ecdhcke, resumingSession);
290 preMasterSecret = this.clientKeyExchange(ecdhcke);
291 break;
292 default:
293 ClientKeyExchangeService p =
294 ClientKeyExchangeService.find(keyExchange.name);
295 if (p == null) {
296 throw new SSLProtocolException
297 ("Unrecognized key exchange: " + keyExchange);
298 }
299 byte[] encodedTicket = input.getBytes16();
300 input.getBytes16();
301 byte[] secret = input.getBytes16();
302 ClientKeyExchange cke = p.createServerExchange(protocolVersion,
303 clientRequestedVersion,
304 sslContext.getSecureRandom(),
305 encodedTicket,
306 secret,
307 this.getAccSE(), serviceCreds);
308 handshakeState.update(cke, resumingSession);
309 preMasterSecret = this.clientKeyExchange(cke);
310 break;
311 }
312
313 //
314 // All keys are calculated from the premaster secret
315 // and the exchanged nonces in the same way.
316 //
317 calculateKeys(preMasterSecret, clientRequestedVersion);
318 break;
319
320 case HandshakeMessage.ht_certificate_verify:
321 CertificateVerify cvm =
322 new CertificateVerify(input,
323 getLocalSupportedSignAlgs(), protocolVersion);
324 handshakeState.update(cvm, resumingSession);
325 this.clientCertificateVerify(cvm);
326
327 break;
328
329 case HandshakeMessage.ht_finished:
330 Finished cfm =
331 new Finished(protocolVersion, input, cipherSuite);
332 handshakeState.update(cfm, resumingSession);
333 this.clientFinished(cfm);
334
335 break;
336
337 default:
338 throw new SSLProtocolException(
339 "Illegal server handshake msg, " + type);
340 }
341
342 }
343
344
345 /*
346 * ClientHello presents the server with a bunch of options, to which the
347 * server replies with a ServerHello listing the ones which this session
348 * will use. If needed, it also writes its Certificate plus in some cases
349 * a ServerKeyExchange message. It may also write a CertificateRequest,
350 * to elicit a client certificate.
351 *
352 * All these messages are terminated by a ServerHelloDone message. In
353 * most cases, all this can be sent in a single Record.
354 */
355 private void clientHello(ClientHello mesg) throws IOException {
356 if (debug != null && Debug.isOn("handshake")) {
357 mesg.print(System.out);
358 }
359
360 // Reject client initiated renegotiation?
361 //
362 // If server side should reject client-initiated renegotiation,
363 // send an alert_handshake_failure fatal alert, not a no_renegotiation
364 // warning alert (no_renegotiation must be a warning: RFC 2246).
365 // no_renegotiation might seem more natural at first, but warnings
366 // are not appropriate because the sending party does not know how
367 // the receiving party will behave. This state must be treated as
368 // a fatal server condition.
369 //
370 // This will not have any impact on server initiated renegotiation.
371 if (rejectClientInitiatedRenego && !isInitialHandshake &&
372 !serverHelloRequested) {
373 fatalSE(Alerts.alert_handshake_failure,
374 "Client initiated renegotiation is not allowed");
375 }
376
377 // check the server name indication if required
378 ServerNameExtension clientHelloSNIExt = (ServerNameExtension)
379 mesg.extensions.get(ExtensionType.EXT_SERVER_NAME);
380 if (!sniMatchers.isEmpty()) {
381 // we do not reject client without SNI extension
382 if (clientHelloSNIExt != null &&
383 !clientHelloSNIExt.isMatched(sniMatchers)) {
384 fatalSE(Alerts.alert_unrecognized_name,
385 "Unrecognized server name indication");
386 }
387 }
388
389 // Does the message include security renegotiation indication?
390 boolean renegotiationIndicated = false;
391
392 // check the TLS_EMPTY_RENEGOTIATION_INFO_SCSV
393 CipherSuiteList cipherSuites = mesg.getCipherSuites();
394 if (cipherSuites.contains(CipherSuite.C_SCSV)) {
395 renegotiationIndicated = true;
396 if (isInitialHandshake) {
397 secureRenegotiation = true;
398 } else {
399 // abort the handshake with a fatal handshake_failure alert
400 if (secureRenegotiation) {
401 fatalSE(Alerts.alert_handshake_failure,
402 "The SCSV is present in a secure renegotiation");
403 } else {
404 fatalSE(Alerts.alert_handshake_failure,
405 "The SCSV is present in a insecure renegotiation");
406 }
407 }
408 }
409
410 // check the "renegotiation_info" extension
411 RenegotiationInfoExtension clientHelloRI = (RenegotiationInfoExtension)
412 mesg.extensions.get(ExtensionType.EXT_RENEGOTIATION_INFO);
413 if (clientHelloRI != null) {
414 renegotiationIndicated = true;
415 if (isInitialHandshake) {
416 // verify the length of the "renegotiated_connection" field
417 if (!clientHelloRI.isEmpty()) {
418 // abort the handshake with a fatal handshake_failure alert
419 fatalSE(Alerts.alert_handshake_failure,
420 "The renegotiation_info field is not empty");
421 }
422
423 secureRenegotiation = true;
424 } else {
425 if (!secureRenegotiation) {
426 // unexpected RI extension for insecure renegotiation,
427 // abort the handshake with a fatal handshake_failure alert
428 fatalSE(Alerts.alert_handshake_failure,
429 "The renegotiation_info is present in a insecure " +
430 "renegotiation");
431 }
432
433 // verify the client_verify_data value
434 if (!MessageDigest.isEqual(clientVerifyData,
435 clientHelloRI.getRenegotiatedConnection())) {
436 fatalSE(Alerts.alert_handshake_failure,
437 "Incorrect verify data in ClientHello " +
438 "renegotiation_info message");
439 }
440 }
441 } else if (!isInitialHandshake && secureRenegotiation) {
442 // if the connection's "secure_renegotiation" flag is set to TRUE
443 // and the "renegotiation_info" extension is not present, abort
444 // the handshake.
445 fatalSE(Alerts.alert_handshake_failure,
446 "Inconsistent secure renegotiation indication");
447 }
448
449 // if there is no security renegotiation indication or the previous
450 // handshake is insecure.
451 if (!renegotiationIndicated || !secureRenegotiation) {
452 if (isInitialHandshake) {
453 if (!allowLegacyHelloMessages) {
454 // abort the handshake with a fatal handshake_failure alert
455 fatalSE(Alerts.alert_handshake_failure,
456 "Failed to negotiate the use of secure renegotiation");
457 }
458
459 // continue with legacy ClientHello
460 if (debug != null && Debug.isOn("handshake")) {
461 System.out.println("Warning: No renegotiation " +
462 "indication in ClientHello, allow legacy ClientHello");
463 }
464 } else if (!allowUnsafeRenegotiation) {
465 // abort the handshake
466 if (activeProtocolVersion.useTLS10PlusSpec()) {
467 // respond with a no_renegotiation warning
468 warningSE(Alerts.alert_no_renegotiation);
469
470 // invalidate the handshake so that the caller can
471 // dispose this object.
472 invalidated = true;
473
474 // If there is still unread block in the handshake
475 // input stream, it would be truncated with the disposal
476 // and the next handshake message will become incomplete.
477 //
478 // However, according to SSL/TLS specifications, no more
479 // handshake message could immediately follow ClientHello
480 // or HelloRequest. But in case of any improper messages,
481 // we'd better check to ensure there is no remaining bytes
482 // in the handshake input stream.
483 if (input.available() > 0) {
484 fatalSE(Alerts.alert_unexpected_message,
485 "ClientHello followed by an unexpected " +
486 "handshake message");
487 }
488
489 return;
490 } else {
491 // For SSLv3, send the handshake_failure fatal error.
492 // Note that SSLv3 does not define a no_renegotiation
493 // alert like TLSv1. However we cannot ignore the message
494 // simply, otherwise the other side was waiting for a
495 // response that would never come.
496 fatalSE(Alerts.alert_handshake_failure,
497 "Renegotiation is not allowed");
498 }
499 } else { // !isInitialHandshake && allowUnsafeRenegotiation
500 // continue with unsafe renegotiation.
501 if (debug != null && Debug.isOn("handshake")) {
502 System.out.println(
503 "Warning: continue with insecure renegotiation");
504 }
505 }
506 }
507
508 // check the "max_fragment_length" extension
509 MaxFragmentLengthExtension maxFragLenExt = (MaxFragmentLengthExtension)
510 mesg.extensions.get(ExtensionType.EXT_MAX_FRAGMENT_LENGTH);
511 if ((maxFragLenExt != null) && (maximumPacketSize != 0)) {
512 // Not yet consider the impact of IV/MAC/padding.
513 int estimatedMaxFragSize = maximumPacketSize;
514 if (isDTLS) {
515 estimatedMaxFragSize -= DTLSRecord.headerSize;
516 } else {
517 estimatedMaxFragSize -= SSLRecord.headerSize;
518 }
519
520 if (maxFragLenExt.getMaxFragLen() > estimatedMaxFragSize) {
521 // For better interoperability, abort the maximum fragment
522 // length negotiation, rather than terminate the connection
523 // with a fatal alert.
524 maxFragLenExt = null;
525
526 // fatalSE(Alerts.alert_illegal_parameter,
527 // "Not an allowed max_fragment_length value");
528 }
529 }
530
531 // check the ALPN extension
532 ALPNExtension clientHelloALPN = (ALPNExtension)
533 mesg.extensions.get(ExtensionType.EXT_ALPN);
534
535 if ((clientHelloALPN != null) && (localApl.length > 0)) {
536
537 // Intersect the requested and the locally supported,
538 // and save for later.
539 String negotiatedValue = null;
540 List<String> protocols = clientHelloALPN.getPeerAPs();
541
542 // Use server preference order
543 for (String ap : localApl) {
544 if (protocols.contains(ap)) {
545 negotiatedValue = ap;
546 break;
547 }
548 }
549
550 if (negotiatedValue == null) {
551 fatalSE(Alerts.alert_no_application_protocol,
552 new SSLHandshakeException(
553 "No matching ALPN values"));
554 }
555 applicationProtocol = negotiatedValue;
556
557 } else {
558 applicationProtocol = "";
559 }
560
561 session = null; // forget about the current session
562 //
563 // Here we go down either of two paths: (a) the fast one, where
564 // the client's asked to rejoin an existing session, and the server
565 // permits this; (b) the other one, where a new session is created.
566 //
567 if (mesg.sessionId.length() != 0) {
568 // client is trying to resume a session, let's see...
569
570 SSLSessionImpl previous = ((SSLSessionContextImpl)sslContext
571 .engineGetServerSessionContext())
572 .get(mesg.sessionId.getId());
573 //
574 // Check if we can use the fast path, resuming a session. We
575 // can do so iff we have a valid record for that session, and
576 // the cipher suite for that session was on the list which the
577 // client requested, and if we're not forgetting any needed
578 // authentication on the part of the client.
579 //
580 if (previous != null) {
581 resumingSession = previous.isRejoinable();
582
583 if (resumingSession) {
584 ProtocolVersion oldVersion = previous.getProtocolVersion();
585 // cannot resume session with different version
586 if (oldVersion != protocolVersion) {
587 resumingSession = false;
588 }
589 }
590
591 // cannot resume session with different server name indication
592 if (resumingSession) {
593 List<SNIServerName> oldServerNames =
594 previous.getRequestedServerNames();
595 if (clientHelloSNIExt != null) {
596 if (!clientHelloSNIExt.isIdentical(oldServerNames)) {
597 resumingSession = false;
598 }
599 } else if (!oldServerNames.isEmpty()) {
600 resumingSession = false;
601 }
602
603 if (!resumingSession &&
604 debug != null && Debug.isOn("handshake")) {
605 System.out.println(
606 "The requested server name indication " +
607 "is not identical to the previous one");
608 }
609 }
610
611 if (resumingSession &&
612 (doClientAuth == ClientAuthType.CLIENT_AUTH_REQUIRED)) {
613 try {
614 previous.getPeerPrincipal();
615 } catch (SSLPeerUnverifiedException e) {
616 resumingSession = false;
617 }
618 }
619
620 // validate subject identity
621 if (resumingSession) {
622 CipherSuite suite = previous.getSuite();
623 ClientKeyExchangeService p =
624 ClientKeyExchangeService.find(suite.keyExchange.name);
625 if (p != null) {
626 Principal localPrincipal = previous.getLocalPrincipal();
627
628 if (p.isRelated(
629 false, getAccSE(), localPrincipal)) {
630 if (debug != null && Debug.isOn("session"))
631 System.out.println("Subject can" +
632 " provide creds for princ");
633 } else {
634 resumingSession = false;
635 if (debug != null && Debug.isOn("session"))
636 System.out.println("Subject cannot" +
637 " provide creds for princ");
638 }
639 }
640 }
641
642 if (resumingSession) {
643 CipherSuite suite = previous.getSuite();
644 // verify that the ciphersuite from the cached session
645 // is in the list of client requested ciphersuites and
646 // we have it enabled
647 if ((isNegotiable(suite) == false) ||
648 (mesg.getCipherSuites().contains(suite) == false)) {
649 resumingSession = false;
650 } else {
651 // everything looks ok, set the ciphersuite
652 // this should be done last when we are sure we
653 // will resume
654 setCipherSuite(suite);
655 }
656 }
657
658 if (resumingSession) {
659 session = previous;
660 if (debug != null &&
661 (Debug.isOn("handshake") || Debug.isOn("session"))) {
662 System.out.println("%% Resuming " + session);
663 }
664 }
665 }
666 } // else client did not try to resume
667
668 // cookie exchange
669 if (isDTLS && !resumingSession) {
670 HelloCookieManager hcMgr = sslContext.getHelloCookieManager();
671 if ((mesg.cookie == null) || (mesg.cookie.length == 0) ||
672 (!hcMgr.isValid(mesg))) {
673
674 //
675 // Perform cookie exchange for DTLS handshaking if no cookie
676 // or the cookie is invalid in the ClientHello message.
677 //
678 HelloVerifyRequest m0 = new HelloVerifyRequest(hcMgr, mesg);
679
680 if (debug != null && Debug.isOn("handshake")) {
681 m0.print(System.out);
682 }
683
684 m0.write(output);
685 handshakeState.update(m0, resumingSession);
686 output.flush();
687
688 return;
689 }
690 }
691
692 /*
693 * FIRST, construct the ServerHello using the options and priorities
694 * from the ClientHello. Update the (pending) cipher spec as we do
695 * so, and save the client's version to protect against rollback
696 * attacks.
697 *
698 * There are a bunch of minor tasks here, and one major one: deciding
699 * if the short or the full handshake sequence will be used.
700 */
701 ServerHello m1 = new ServerHello();
702
703 clientRequestedVersion = mesg.protocolVersion;
704
705 // select a proper protocol version.
706 ProtocolVersion selectedVersion =
707 selectProtocolVersion(clientRequestedVersion);
708 if (selectedVersion == null ||
709 selectedVersion.v == ProtocolVersion.SSL20Hello.v) {
710 fatalSE(Alerts.alert_handshake_failure,
711 "Client requested protocol " + clientRequestedVersion +
712 " not enabled or not supported");
713 }
714
715 handshakeHash.protocolDetermined(selectedVersion);
716 setVersion(selectedVersion);
717
718 m1.protocolVersion = protocolVersion;
719
720 //
721 // random ... save client and server values for later use
722 // in computing the master secret (from pre-master secret)
723 // and thence the other crypto keys.
724 //
725 // NOTE: this use of three inputs to generating _each_ set
726 // of ciphers slows things down, but it does increase the
727 // security since each connection in the session can hold
728 // its own authenticated (and strong) keys. One could make
729 // creation of a session a rare thing...
730 //
731 clnt_random = mesg.clnt_random;
732 svr_random = new RandomCookie(sslContext.getSecureRandom());
733 m1.svr_random = svr_random;
734
735 //
736 // If client hasn't specified a session we can resume, start a
737 // new one and choose its cipher suite and compression options.
738 // Unless new session creation is disabled for this connection!
739 //
740 if (session == null) {
741 if (!enableNewSession) {
742 throw new SSLException("Client did not resume a session");
743 }
744
745 requestedCurves = (EllipticCurvesExtension)
746 mesg.extensions.get(ExtensionType.EXT_ELLIPTIC_CURVES);
747
748 // We only need to handle the "signature_algorithm" extension
749 // for full handshakes and TLS 1.2 or later.
750 if (protocolVersion.useTLS12PlusSpec()) {
751 SignatureAlgorithmsExtension signAlgs =
752 (SignatureAlgorithmsExtension)mesg.extensions.get(
753 ExtensionType.EXT_SIGNATURE_ALGORITHMS);
754 if (signAlgs != null) {
755 Collection<SignatureAndHashAlgorithm> peerSignAlgs =
756 signAlgs.getSignAlgorithms();
757 if (peerSignAlgs == null || peerSignAlgs.isEmpty()) {
758 throw new SSLHandshakeException(
759 "No peer supported signature algorithms");
760 }
761
762 Collection<SignatureAndHashAlgorithm>
763 supportedPeerSignAlgs =
764 SignatureAndHashAlgorithm.getSupportedAlgorithms(
765 algorithmConstraints, peerSignAlgs);
766 if (supportedPeerSignAlgs.isEmpty()) {
767 throw new SSLHandshakeException(
768 "No signature and hash algorithm in common");
769 }
770
771 setPeerSupportedSignAlgs(supportedPeerSignAlgs);
772 } // else, need to use peer implicit supported signature algs
773 }
774
775 session = new SSLSessionImpl(protocolVersion, CipherSuite.C_NULL,
776 getLocalSupportedSignAlgs(),
777 sslContext.getSecureRandom(),
778 getHostAddressSE(), getPortSE());
779
780 if (protocolVersion.useTLS12PlusSpec()) {
781 if (peerSupportedSignAlgs != null) {
782 session.setPeerSupportedSignatureAlgorithms(
783 peerSupportedSignAlgs);
784 } // else, we will set the implicit peer supported signature
785 // algorithms in chooseCipherSuite()
786 }
787
788 // set the server name indication in the session
789 List<SNIServerName> clientHelloSNI =
790 Collections.<SNIServerName>emptyList();
791 if (clientHelloSNIExt != null) {
792 clientHelloSNI = clientHelloSNIExt.getServerNames();
793 }
794 session.setRequestedServerNames(clientHelloSNI);
795
796 // set the handshake session
797 setHandshakeSessionSE(session);
798
799 // choose cipher suite and corresponding private key
800 chooseCipherSuite(mesg);
801
802 session.setSuite(cipherSuite);
803 session.setLocalPrivateKey(privateKey);
804
805 // chooseCompression(mesg);
806
807 // set the negotiated maximum fragment in the session
808 //
809 // The protocol version and cipher suite have been negotiated
810 // in previous processes.
811 if (maxFragLenExt != null) {
812 int maxFragLen = maxFragLenExt.getMaxFragLen();
813
814 // More check of the requested "max_fragment_length" extension.
815 if (maximumPacketSize != 0) {
816 int estimatedMaxFragSize = cipherSuite.calculatePacketSize(
817 maxFragLen, protocolVersion, isDTLS);
818 if (estimatedMaxFragSize > maximumPacketSize) {
819 // For better interoperability, abort the maximum
820 // fragment length negotiation, rather than terminate
821 // the connection with a fatal alert.
822 maxFragLenExt = null;
823
824 // fatalSE(Alerts.alert_illegal_parameter,
825 // "Not an allowed max_fragment_length value");
826 }
827 }
828
829 if (maxFragLenExt != null) {
830 session.setNegotiatedMaxFragSize(maxFragLen);
831 }
832 }
833
834 session.setMaximumPacketSize(maximumPacketSize);
835 } else {
836 // set the handshake session
837 setHandshakeSessionSE(session);
838 }
839
840 if (protocolVersion.useTLS12PlusSpec()) {
841 handshakeHash.setFinishedAlg(cipherSuite.prfAlg.getPRFHashAlg());
842 }
843
844 m1.cipherSuite = cipherSuite;
845 m1.sessionId = session.getSessionId();
846 m1.compression_method = session.getCompression();
847
848 if (secureRenegotiation) {
849 // For ServerHellos that are initial handshakes, then the
850 // "renegotiated_connection" field in "renegotiation_info"
851 // extension is of zero length.
852 //
853 // For ServerHellos that are renegotiating, this field contains
854 // the concatenation of client_verify_data and server_verify_data.
855 //
856 // Note that for initial handshakes, both the clientVerifyData
857 // variable and serverVerifyData variable are of zero length.
858 HelloExtension serverHelloRI = new RenegotiationInfoExtension(
859 clientVerifyData, serverVerifyData);
860 m1.extensions.add(serverHelloRI);
861 }
862
863 if (!sniMatchers.isEmpty() && clientHelloSNIExt != null) {
864 // When resuming a session, the server MUST NOT include a
865 // server_name extension in the server hello.
866 if (!resumingSession) {
867 ServerNameExtension serverHelloSNI = new ServerNameExtension();
868 m1.extensions.add(serverHelloSNI);
869 }
870 }
871
872 if ((maxFragLenExt != null) && !resumingSession) {
873 // When resuming a session, the server MUST NOT include a
874 // max_fragment_length extension in the server hello.
875 //
876 // Otherwise, use the same value as the requested extension.
877 m1.extensions.add(maxFragLenExt);
878 }
879
880 StaplingParameters staplingParams = processStapling(mesg);
881 if (staplingParams != null) {
882 // We now can safely assert status_request[_v2] in our
883 // ServerHello, and know for certain that we can provide
884 // responses back to this client for this connection.
885 if (staplingParams.statusRespExt ==
886 ExtensionType.EXT_STATUS_REQUEST) {
887 m1.extensions.add(new CertStatusReqExtension());
888 } else if (staplingParams.statusRespExt ==
889 ExtensionType.EXT_STATUS_REQUEST_V2) {
890 m1.extensions.add(new CertStatusReqListV2Extension());
891 }
892 }
893
894 // Prepare the ALPN response
895 if (applicationProtocol != null && !applicationProtocol.isEmpty()) {
896 m1.extensions.add(new ALPNExtension(applicationProtocol));
897 }
898
899 if (debug != null && Debug.isOn("handshake")) {
900 m1.print(System.out);
901 System.out.println("Cipher suite: " + session.getSuite());
902 }
903 m1.write(output);
904 handshakeState.update(m1, resumingSession);
905
906 //
907 // If we are resuming a session, we finish writing handshake
908 // messages right now and then finish.
909 //
910 if (resumingSession) {
911 calculateConnectionKeys(session.getMasterSecret());
912 sendChangeCipherAndFinish(false);
913
914 // expecting the final ChangeCipherSpec and Finished messages
915 expectingFinishFlightSE();
916
917 return;
918 }
919
920
921 /*
922 * SECOND, write the server Certificate(s) if we need to.
923 *
924 * NOTE: while an "anonymous RSA" mode is explicitly allowed by
925 * the protocol, we can't support it since all of the SSL flavors
926 * defined in the protocol spec are explicitly stated to require
927 * using RSA certificates.
928 */
929 if (ClientKeyExchangeService.find(cipherSuite.keyExchange.name) != null) {
930 // No external key exchange provider needs a cert now.
931 } else if ((keyExchange != K_DH_ANON) && (keyExchange != K_ECDH_ANON)) {
932 if (certs == null) {
933 throw new RuntimeException("no certificates");
934 }
935
936 CertificateMsg m2 = new CertificateMsg(certs);
937
938 /*
939 * Set local certs in the SSLSession, output
940 * debug info, and then actually write to the client.
941 */
942 session.setLocalCertificates(certs);
943 if (debug != null && Debug.isOn("handshake")) {
944 m2.print(System.out);
945 }
946 m2.write(output);
947 handshakeState.update(m2, resumingSession);
948
949 // XXX has some side effects with OS TCP buffering,
950 // leave it out for now
951
952 // let client verify chain in the meantime...
953 // output.flush();
954 } else {
955 if (certs != null) {
956 throw new RuntimeException("anonymous keyexchange with certs");
957 }
958 }
959
960 /**
961 * The CertificateStatus message ... only if it is needed.
962 * This would only be needed if we've established that this handshake
963 * supports status stapling and there is at least one response to
964 * return to the client.
965 */
966 if (staplingParams != null) {
967 CertificateStatus csMsg = new CertificateStatus(
968 staplingParams.statReqType, certs,
969 staplingParams.responseMap);
970 if (debug != null && Debug.isOn("handshake")) {
971 csMsg.print(System.out);
972 }
973 csMsg.write(output);
974 handshakeState.update(csMsg, resumingSession);
975 }
976
977 /*
978 * THIRD, the ServerKeyExchange message ... iff it's needed.
979 *
980 * It's usually needed unless there's an encryption-capable
981 * RSA cert, or a D-H cert. The notable exception is that
982 * exportable ciphers used with big RSA keys need to downgrade
983 * to use short RSA keys, even when the key/cert encrypts OK.
984 */
985
986 ServerKeyExchange m3;
987 switch (keyExchange) {
988 case K_RSA:
989 // no server key exchange for RSA ciphersuites
990 m3 = null;
991 break;
992 case K_RSA_EXPORT:
993 if (JsseJce.getRSAKeyLength(certs[0].getPublicKey()) > 512) {
994 try {
995 m3 = new RSA_ServerKeyExchange(
996 tempPublicKey, privateKey,
997 clnt_random, svr_random,
998 sslContext.getSecureRandom());
999 privateKey = tempPrivateKey;
1000 } catch (GeneralSecurityException e) {
1001 m3 = null; // make compiler happy
1002 throw new SSLException(
1003 "Error generating RSA server key exchange", e);
1004 }
1005 } else {
1006 // RSA_EXPORT with short key, don't need ServerKeyExchange
1007 m3 = null;
1008 }
1009 break;
1010 case K_DHE_RSA:
1011 case K_DHE_DSS:
1012 try {
1013 m3 = new DH_ServerKeyExchange(dh,
1014 privateKey,
1015 clnt_random.random_bytes,
1016 svr_random.random_bytes,
1017 sslContext.getSecureRandom(),
1018 preferableSignatureAlgorithm,
1019 protocolVersion);
1020 } catch (GeneralSecurityException e) {
1021 m3 = null; // make compiler happy
1022 throw new SSLException(
1023 "Error generating DH server key exchange", e);
1024 }
1025 break;
1026 case K_DH_ANON:
1027 m3 = new DH_ServerKeyExchange(dh, protocolVersion);
1028 break;
1029 case K_ECDHE_RSA:
1030 case K_ECDHE_ECDSA:
1031 case K_ECDH_ANON:
1032 try {
1033 m3 = new ECDH_ServerKeyExchange(ecdh,
1034 privateKey,
1035 clnt_random.random_bytes,
1036 svr_random.random_bytes,
1037 sslContext.getSecureRandom(),
1038 preferableSignatureAlgorithm,
1039 protocolVersion);
1040 } catch (GeneralSecurityException e) {
1041 m3 = null; // make compiler happy
1042 throw new SSLException(
1043 "Error generating ECDH server key exchange", e);
1044 }
1045 break;
1046 case K_ECDH_RSA:
1047 case K_ECDH_ECDSA:
1048 // ServerKeyExchange not used for fixed ECDH
1049 m3 = null;
1050 break;
1051 default:
1052 ClientKeyExchangeService p =
1053 ClientKeyExchangeService.find(keyExchange.name);
1054 if (p != null) {
1055 // No external key exchange provider needs a cert now.
1056 m3 = null;
1057 break;
1058 }
1059 throw new RuntimeException("internal error: " + keyExchange);
1060 }
1061 if (m3 != null) {
1062 if (debug != null && Debug.isOn("handshake")) {
1063 m3.print(System.out);
1064 }
1065 m3.write(output);
1066 handshakeState.update(m3, resumingSession);
1067 }
1068
1069 //
1070 // FOURTH, the CertificateRequest message. The details of
1071 // the message can be affected by the key exchange algorithm
1072 // in use. For example, certs with fixed Diffie-Hellman keys
1073 // are only useful with the DH_DSS and DH_RSA key exchange
1074 // algorithms.
1075 //
1076 // Needed only if server requires client to authenticate self.
1077 // Illegal for anonymous flavors, so we need to check that.
1078 //
1079 // No external key exchange provider needs a cert now.
1080 if (doClientAuth != ClientAuthType.CLIENT_AUTH_NONE &&
1081 keyExchange != K_DH_ANON && keyExchange != K_ECDH_ANON &&
1082 ClientKeyExchangeService.find(keyExchange.name) == null) {
1083
1084 CertificateRequest m4;
1085 X509Certificate[] caCerts;
1086
1087 Collection<SignatureAndHashAlgorithm> localSignAlgs = null;
1088 if (protocolVersion.useTLS12PlusSpec()) {
1089 // We currently use all local upported signature and hash
1090 // algorithms. However, to minimize the computation cost
1091 // of requested hash algorithms, we may use a restricted
1092 // set of signature algorithms in the future.
1093 localSignAlgs = getLocalSupportedSignAlgs();
1094 if (localSignAlgs.isEmpty()) {
1095 throw new SSLHandshakeException(
1096 "No supported signature algorithm");
1097 }
1098
1099 Set<String> localHashAlgs =
1100 SignatureAndHashAlgorithm.getHashAlgorithmNames(
1101 localSignAlgs);
1102 if (localHashAlgs.isEmpty()) {
1103 throw new SSLHandshakeException(
1104 "No supported signature algorithm");
1105 }
1106 }
1107
1108 caCerts = sslContext.getX509TrustManager().getAcceptedIssuers();
1109 m4 = new CertificateRequest(caCerts, keyExchange,
1110 localSignAlgs, protocolVersion);
1111
1112 if (debug != null && Debug.isOn("handshake")) {
1113 m4.print(System.out);
1114 }
1115 m4.write(output);
1116 handshakeState.update(m4, resumingSession);
1117 }
1118
1119 /*
1120 * FIFTH, say ServerHelloDone.
1121 */
1122 ServerHelloDone m5 = new ServerHelloDone();
1123
1124 if (debug != null && Debug.isOn("handshake")) {
1125 m5.print(System.out);
1126 }
1127 m5.write(output);
1128 handshakeState.update(m5, resumingSession);
1129
1130 /*
1131 * Flush any buffered messages so the client will see them.
1132 * Ideally, all the messages above go in a single network level
1133 * message to the client. Without big Certificate chains, it's
1134 * going to be the common case.
1135 */
1136 output.flush();
1137 }
1138
1139 /*
1140 * Choose cipher suite from among those supported by client. Sets
1141 * the cipherSuite and keyExchange variables.
1142 */
1143 private void chooseCipherSuite(ClientHello mesg) throws IOException {
1144 CipherSuiteList prefered;
1145 CipherSuiteList proposed;
1146 if (preferLocalCipherSuites) {
1147 prefered = getActiveCipherSuites();
1148 proposed = mesg.getCipherSuites();
1149 } else {
1150 prefered = mesg.getCipherSuites();
1151 proposed = getActiveCipherSuites();
1152 }
1153
1154 List<CipherSuite> legacySuites = new ArrayList<>();
1155 for (CipherSuite suite : prefered.collection()) {
1156 if (isNegotiable(proposed, suite) == false) {
1157 continue;
1158 }
1159
1160 if (doClientAuth == ClientAuthType.CLIENT_AUTH_REQUIRED) {
1161 if ((suite.keyExchange == K_DH_ANON) ||
1162 (suite.keyExchange == K_ECDH_ANON)) {
1163 continue;
1164 }
1165 }
1166
1167 if (!legacyAlgorithmConstraints.permits(null, suite.name, null)) {
1168 legacySuites.add(suite);
1169 continue;
1170 }
1171
1172 if (trySetCipherSuite(suite) == false) {
1173 continue;
1174 }
1175 return;
1176 }
1177
1178 for (CipherSuite suite : legacySuites) {
1179 if (trySetCipherSuite(suite)) {
1180 return;
1181 }
1182 }
1183
1184 fatalSE(Alerts.alert_handshake_failure, "no cipher suites in common");
1185 }
1186
1187 /**
1188 * Set the given CipherSuite, if possible. Return the result.
1189 * The call succeeds if the CipherSuite is available and we have
1190 * the necessary certificates to complete the handshake. We don't
1191 * check if the CipherSuite is actually enabled.
1192 *
1193 * If successful, this method also generates ephemeral keys if
1194 * required for this ciphersuite. This may take some time, so this
1195 * method should only be called if you really want to use the
1196 * CipherSuite.
1197 *
1198 * This method is called from chooseCipherSuite() in this class.
1199 */
1200 boolean trySetCipherSuite(CipherSuite suite) {
1201 /*
1202 * If we're resuming a session we know we can
1203 * support this key exchange algorithm and in fact
1204 * have already cached the result of it in
1205 * the session state.
1206 */
1207 if (resumingSession) {
1208 return true;
1209 }
1210
1211 if (suite.isNegotiable() == false) {
1212 return false;
1213 }
1214
1215 // must not negotiate the obsoleted weak cipher suites.
1216 if (protocolVersion.obsoletes(suite)) {
1217 return false;
1218 }
1219
1220 // must not negotiate unsupported cipher suites.
1221 if (!protocolVersion.supports(suite)) {
1222 return false;
1223 }
1224
1225 KeyExchange keyExchange = suite.keyExchange;
1226
1227 // null out any existing references
1228 privateKey = null;
1229 certs = null;
1230 dh = null;
1231 tempPrivateKey = null;
1232 tempPublicKey = null;
1233
1234 Collection<SignatureAndHashAlgorithm> supportedSignAlgs = null;
1235 if (protocolVersion.useTLS12PlusSpec()) {
1236 if (peerSupportedSignAlgs != null) {
1237 supportedSignAlgs = peerSupportedSignAlgs;
1238 } else {
1239 SignatureAndHashAlgorithm algorithm = null;
1240
1241 // we may optimize the performance
1242 switch (keyExchange) {
1243 // If the negotiated key exchange algorithm is one of
1244 // (RSA, DHE_RSA, DH_RSA, RSA_PSK, ECDH_RSA, ECDHE_RSA),
1245 // behave as if client had sent the value {sha1,rsa}.
1246 case K_RSA:
1247 case K_DHE_RSA:
1248 case K_DH_RSA:
1249 // case K_RSA_PSK:
1250 case K_ECDH_RSA:
1251 case K_ECDHE_RSA:
1252 algorithm = SignatureAndHashAlgorithm.valueOf(
1253 HashAlgorithm.SHA1.value,
1254 SignatureAlgorithm.RSA.value, 0);
1255 break;
1256 // If the negotiated key exchange algorithm is one of
1257 // (DHE_DSS, DH_DSS), behave as if the client had
1258 // sent the value {sha1,dsa}.
1259 case K_DHE_DSS:
1260 case K_DH_DSS:
1261 algorithm = SignatureAndHashAlgorithm.valueOf(
1262 HashAlgorithm.SHA1.value,
1263 SignatureAlgorithm.DSA.value, 0);
1264 break;
1265 // If the negotiated key exchange algorithm is one of
1266 // (ECDH_ECDSA, ECDHE_ECDSA), behave as if the client
1267 // had sent value {sha1,ecdsa}.
1268 case K_ECDH_ECDSA:
1269 case K_ECDHE_ECDSA:
1270 algorithm = SignatureAndHashAlgorithm.valueOf(
1271 HashAlgorithm.SHA1.value,
1272 SignatureAlgorithm.ECDSA.value, 0);
1273 break;
1274 default:
1275 // no peer supported signature algorithms
1276 }
1277
1278 if (algorithm == null) {
1279 supportedSignAlgs =
1280 Collections.<SignatureAndHashAlgorithm>emptySet();
1281 } else {
1282 supportedSignAlgs =
1283 new ArrayList<SignatureAndHashAlgorithm>(1);
1284 supportedSignAlgs.add(algorithm);
1285
1286 supportedSignAlgs =
1287 SignatureAndHashAlgorithm.getSupportedAlgorithms(
1288 algorithmConstraints, supportedSignAlgs);
1289
1290 // May be no default activated signature algorithm, but
1291 // let the following process make the final decision.
1292 }
1293
1294 // Sets the peer supported signature algorithm to use in KM
1295 // temporarily.
1296 session.setPeerSupportedSignatureAlgorithms(supportedSignAlgs);
1297 }
1298 }
1299
1300 switch (keyExchange) {
1301 case K_RSA:
1302 // need RSA certs for authentication
1303 if (setupPrivateKeyAndChain("RSA") == false) {
1304 return false;
1305 }
1306 break;
1307 case K_RSA_EXPORT:
1308 // need RSA certs for authentication
1309 if (setupPrivateKeyAndChain("RSA") == false) {
1310 return false;
1311 }
1312
1313 try {
1314 if (JsseJce.getRSAKeyLength(certs[0].getPublicKey()) > 512) {
1315 if (!setupEphemeralRSAKeys(suite.exportable)) {
1316 return false;
1317 }
1318 }
1319 } catch (RuntimeException e) {
1320 // could not determine keylength, ignore key
1321 return false;
1322 }
1323 break;
1324 case K_DHE_RSA:
1325 // need RSA certs for authentication
1326 if (setupPrivateKeyAndChain("RSA") == false) {
1327 return false;
1328 }
1329
1330 // get preferable peer signature algorithm for server key exchange
1331 if (protocolVersion.useTLS12PlusSpec()) {
1332 preferableSignatureAlgorithm =
1333 SignatureAndHashAlgorithm.getPreferableAlgorithm(
1334 supportedSignAlgs, "RSA", privateKey);
1335 if (preferableSignatureAlgorithm == null) {
1336 if ((debug != null) && Debug.isOn("handshake")) {
1337 System.out.println(
1338 "No signature and hash algorithm for cipher " +
1339 suite);
1340 }
1341 return false;
1342 }
1343 }
1344
1345 setupEphemeralDHKeys(suite.exportable, privateKey);
1346 break;
1347 case K_ECDHE_RSA:
1348 // need RSA certs for authentication
1349 if (setupPrivateKeyAndChain("RSA") == false) {
1350 return false;
1351 }
1352
1353 // get preferable peer signature algorithm for server key exchange
1354 if (protocolVersion.useTLS12PlusSpec()) {
1355 preferableSignatureAlgorithm =
1356 SignatureAndHashAlgorithm.getPreferableAlgorithm(
1357 supportedSignAlgs, "RSA", privateKey);
1358 if (preferableSignatureAlgorithm == null) {
1359 if ((debug != null) && Debug.isOn("handshake")) {
1360 System.out.println(
1361 "No signature and hash algorithm for cipher " +
1362 suite);
1363 }
1364 return false;
1365 }
1366 }
1367
1368 if (setupEphemeralECDHKeys() == false) {
1369 return false;
1370 }
1371 break;
1372 case K_DHE_DSS:
1373 // get preferable peer signature algorithm for server key exchange
1374 if (protocolVersion.useTLS12PlusSpec()) {
1375 preferableSignatureAlgorithm =
1376 SignatureAndHashAlgorithm.getPreferableAlgorithm(
1377 supportedSignAlgs, "DSA");
1378 if (preferableSignatureAlgorithm == null) {
1379 if ((debug != null) && Debug.isOn("handshake")) {
1380 System.out.println(
1381 "No signature and hash algorithm for cipher " +
1382 suite);
1383 }
1384 return false;
1385 }
1386 }
1387
1388 // need DSS certs for authentication
1389 if (setupPrivateKeyAndChain("DSA") == false) {
1390 return false;
1391 }
1392
1393 setupEphemeralDHKeys(suite.exportable, privateKey);
1394 break;
1395 case K_ECDHE_ECDSA:
1396 // get preferable peer signature algorithm for server key exchange
1397 if (protocolVersion.useTLS12PlusSpec()) {
1398 preferableSignatureAlgorithm =
1399 SignatureAndHashAlgorithm.getPreferableAlgorithm(
1400 supportedSignAlgs, "ECDSA");
1401 if (preferableSignatureAlgorithm == null) {
1402 if ((debug != null) && Debug.isOn("handshake")) {
1403 System.out.println(
1404 "No signature and hash algorithm for cipher " +
1405 suite);
1406 }
1407 return false;
1408 }
1409 }
1410
1411 // need EC cert
1412 if (setupPrivateKeyAndChain("EC") == false) {
1413 return false;
1414 }
1415 if (setupEphemeralECDHKeys() == false) {
1416 return false;
1417 }
1418 break;
1419 case K_ECDH_RSA:
1420 // need EC cert
1421 if (setupPrivateKeyAndChain("EC") == false) {
1422 return false;
1423 }
1424 setupStaticECDHKeys();
1425 break;
1426 case K_ECDH_ECDSA:
1427 // need EC cert
1428 if (setupPrivateKeyAndChain("EC") == false) {
1429 return false;
1430 }
1431 setupStaticECDHKeys();
1432 break;
1433 case K_DH_ANON:
1434 // no certs needed for anonymous
1435 setupEphemeralDHKeys(suite.exportable, null);
1436 break;
1437 case K_ECDH_ANON:
1438 // no certs needed for anonymous
1439 if (setupEphemeralECDHKeys() == false) {
1440 return false;
1441 }
1442 break;
1443 default:
1444 ClientKeyExchangeService p =
1445 ClientKeyExchangeService.find(keyExchange.name);
1446 if (p == null) {
1447 // internal error, unknown key exchange
1448 throw new RuntimeException(
1449 "Unrecognized cipherSuite: " + suite);
1450 }
1451 // need service creds
1452 if (serviceCreds == null) {
1453 AccessControlContext acc = getAccSE();
1454 serviceCreds = p.getServiceCreds(acc);
1455 if (serviceCreds != null) {
1456 if (debug != null && Debug.isOn("handshake")) {
1457 System.out.println("Using serviceCreds");
1458 }
1459 }
1460 if (serviceCreds == null) {
1461 return false;
1462 }
1463 }
1464 break;
1465 }
1466 setCipherSuite(suite);
1467
1468 // set the peer implicit supported signature algorithms
1469 if (protocolVersion.useTLS12PlusSpec()) {
1470 if (peerSupportedSignAlgs == null) {
1471 setPeerSupportedSignAlgs(supportedSignAlgs);
1472 // we had alreay update the session
1473 }
1474 }
1475 return true;
1476 }
1477
1478 /*
1479 * Get some "ephemeral" RSA keys for this context. This means
1480 * generating them if it's not already been done.
1481 *
1482 * Note that we currently do not implement any ciphersuites that use
1483 * strong ephemeral RSA. (We do not support the EXPORT1024 ciphersuites
1484 * and standard RSA ciphersuites prohibit ephemeral mode for some reason)
1485 * This means that export is always true and 512 bit keys are generated.
1486 */
1487 private boolean setupEphemeralRSAKeys(boolean export) {
1488 KeyPair kp = sslContext.getEphemeralKeyManager().
1489 getRSAKeyPair(export, sslContext.getSecureRandom());
1490 if (kp == null) {
1491 return false;
1492 } else {
1493 tempPublicKey = kp.getPublic();
1494 tempPrivateKey = kp.getPrivate();
1495 return true;
1496 }
1497 }
1498
1499 /*
1500 * Acquire some "ephemeral" Diffie-Hellman keys for this handshake.
1501 * We don't reuse these, for improved forward secrecy.
1502 */
1503 private void setupEphemeralDHKeys(boolean export, Key key) {
1504 /*
1505 * 768 bits ephemeral DH private keys were used to be used in
1506 * ServerKeyExchange except that exportable ciphers max out at 512
1507 * bits modulus values. We still adhere to this behavior in legacy
1508 * mode (system property "jdk.tls.ephemeralDHKeySize" is defined
1509 * as "legacy").
1510 *
1511 * Old JDK (JDK 7 and previous) releases don't support DH keys bigger
1512 * than 1024 bits. We have to consider the compatibility requirement.
1513 * 1024 bits DH key is always used for non-exportable cipher suites
1514 * in default mode (system property "jdk.tls.ephemeralDHKeySize"
1515 * is not defined).
1516 *
1517 * However, if applications want more stronger strength, setting
1518 * system property "jdk.tls.ephemeralDHKeySize" to "matched"
1519 * is a workaround to use ephemeral DH key which size matches the
1520 * corresponding authentication key. For example, if the public key
1521 * size of an authentication certificate is 2048 bits, then the
1522 * ephemeral DH key size should be 2048 bits accordingly unless
1523 * the cipher suite is exportable. This key sizing scheme keeps
1524 * the cryptographic strength consistent between authentication
1525 * keys and key-exchange keys.
1526 *
1527 * Applications may also want to customize the ephemeral DH key size
1528 * to a fixed length for non-exportable cipher suites. This can be
1529 * approached by setting system property "jdk.tls.ephemeralDHKeySize"
1530 * to a valid positive integer between 1024 and 8192 bits, inclusive.
1531 *
1532 * Note that the minimum acceptable key size is 1024 bits except
1533 * exportable cipher suites or legacy mode.
1534 *
1535 * Note that per RFC 2246, the key size limit of DH is 512 bits for
1536 * exportable cipher suites. Because of the weakness, exportable
1537 * cipher suites are deprecated since TLS v1.1 and they are not
1538 * enabled by default in Oracle provider. The legacy behavior is
1539 * reserved and 512 bits DH key is always used for exportable
1540 * cipher suites.
1541 */
1542 int keySize = export ? 512 : 1024; // default mode
1543 if (!export) {
1544 if (useLegacyEphemeralDHKeys) { // legacy mode
1545 keySize = 768;
1546 } else if (useSmartEphemeralDHKeys) { // matched mode
1547 if (key != null) {
1548 int ks = KeyUtil.getKeySize(key);
1549
1550 // DH parameter generation can be extremely slow, make
1551 // sure to use one of the supported pre-computed DH
1552 // parameters (see DHCrypt class).
1553 //
1554 // Old deployed applications may not be ready to support
1555 // DH key sizes bigger than 2048 bits. Please DON'T use
1556 // value other than 1024 and 2048 at present. May improve
1557 // the underlying providers and key size limit in the
1558 // future when the compatibility and interoperability
1559 // impact is limited.
1560 //
1561 // keySize = ks <= 1024 ? 1024 : (ks >= 2048 ? 2048 : ks);
1562 keySize = ks <= 1024 ? 1024 : 2048;
1563 } // Otherwise, anonymous cipher suites, 1024-bit is used.
1564 } else if (customizedDHKeySize > 0) { // customized mode
1565 keySize = customizedDHKeySize;
1566 }
1567 }
1568
1569 dh = new DHCrypt(keySize, sslContext.getSecureRandom());
1570 }
1571
1572 // Setup the ephemeral ECDH parameters.
1573 // If we cannot continue because we do not support any of the curves that
1574 // the client requested, return false. Otherwise (all is well), return true.
1575 private boolean setupEphemeralECDHKeys() {
1576 int index = (requestedCurves != null) ?
1577 requestedCurves.getPreferredCurve(algorithmConstraints) :
1578 EllipticCurvesExtension.getActiveCurves(algorithmConstraints);
1579 if (index < 0) {
1580 // no match found, cannot use this ciphersuite
1581 return false;
1582 }
1583
1584 ecdh = new ECDHCrypt(index, sslContext.getSecureRandom());
1585 return true;
1586 }
1587
1588 private void setupStaticECDHKeys() {
1589 // don't need to check whether the curve is supported, already done
1590 // in setupPrivateKeyAndChain().
1591 ecdh = new ECDHCrypt(privateKey, certs[0].getPublicKey());
1592 }
1593
1594 /**
1595 * Retrieve the server key and certificate for the specified algorithm
1596 * from the KeyManager and set the instance variables.
1597 *
1598 * @return true if successful, false if not available or invalid
1599 */
1600 private boolean setupPrivateKeyAndChain(String algorithm) {
1601 X509ExtendedKeyManager km = sslContext.getX509KeyManager();
1602 String alias;
1603 if (conn != null) {
1604 alias = km.chooseServerAlias(algorithm, null, conn);
1605 } else {
1606 alias = km.chooseEngineServerAlias(algorithm, null, engine);
1607 }
1608 if (alias == null) {
1609 return false;
1610 }
1611 PrivateKey tempPrivateKey = km.getPrivateKey(alias);
1612 if (tempPrivateKey == null) {
1613 return false;
1614 }
1615 X509Certificate[] tempCerts = km.getCertificateChain(alias);
1616 if ((tempCerts == null) || (tempCerts.length == 0)) {
1617 return false;
1618 }
1619 String keyAlgorithm = algorithm.split("_")[0];
1620 PublicKey publicKey = tempCerts[0].getPublicKey();
1621 if ((tempPrivateKey.getAlgorithm().equals(keyAlgorithm) == false)
1622 || (publicKey.getAlgorithm().equals(keyAlgorithm) == false)) {
1623 return false;
1624 }
1625 // For ECC certs, check whether we support the EC domain parameters.
1626 // If the client sent a SupportedEllipticCurves ClientHello extension,
1627 // check against that too.
1628 if (keyAlgorithm.equals("EC")) {
1629 if (publicKey instanceof ECPublicKey == false) {
1630 return false;
1631 }
1632 ECParameterSpec params = ((ECPublicKey)publicKey).getParams();
1633 int id = EllipticCurvesExtension.getCurveIndex(params);
1634 if ((id <= 0) || !EllipticCurvesExtension.isSupported(id) ||
1635 ((requestedCurves != null) && !requestedCurves.contains(id))) {
1636 return false;
1637 }
1638 }
1639 this.privateKey = tempPrivateKey;
1640 this.certs = tempCerts;
1641 return true;
1642 }
1643
1644 /*
1645 * Returns premaster secret for external key exchange services.
1646 */
1647 private SecretKey clientKeyExchange(ClientKeyExchange mesg)
1648 throws IOException {
1649
1650 if (debug != null && Debug.isOn("handshake")) {
1651 mesg.print(System.out);
1652 }
1653
1654 // Record the principals involved in exchange
1655 session.setPeerPrincipal(mesg.getPeerPrincipal());
1656 session.setLocalPrincipal(mesg.getLocalPrincipal());
1657
1658 return mesg.clientKeyExchange();
1659 }
1660
1661 /*
1662 * Diffie Hellman key exchange is used when the server presented
1663 * D-H parameters in its certificate (signed using RSA or DSS/DSA),
1664 * or else the server presented no certificate but sent D-H params
1665 * in a ServerKeyExchange message. Use of D-H is specified by the
1666 * cipher suite chosen.
1667 *
1668 * The message optionally contains the client's D-H public key (if
1669 * it wasn't not sent in a client certificate). As always with D-H,
1670 * if a client and a server have each other's D-H public keys and
1671 * they use common algorithm parameters, they have a shared key
1672 * that's derived via the D-H calculation. That key becomes the
1673 * pre-master secret.
1674 */
1675 private SecretKey clientKeyExchange(DHClientKeyExchange mesg)
1676 throws IOException {
1677
1678 if (debug != null && Debug.isOn("handshake")) {
1679 mesg.print(System.out);
1680 }
1681
1682 BigInteger publicKeyValue = mesg.getClientPublicKey();
1683
1684 // check algorithm constraints
1685 dh.checkConstraints(algorithmConstraints, publicKeyValue);
1686
1687 return dh.getAgreedSecret(publicKeyValue, false);
1688 }
1689
1690 private SecretKey clientKeyExchange(ECDHClientKeyExchange mesg)
1691 throws IOException {
1692
1693 if (debug != null && Debug.isOn("handshake")) {
1694 mesg.print(System.out);
1695 }
1696
1697 byte[] publicPoint = mesg.getEncodedPoint();
1698
1699 // check algorithm constraints
1700 ecdh.checkConstraints(algorithmConstraints, publicPoint);
1701
1702 return ecdh.getAgreedSecret(publicPoint);
1703 }
1704
1705 /*
1706 * Client wrote a message to verify the certificate it sent earlier.
1707 *
1708 * Note that this certificate isn't involved in key exchange. Client
1709 * authentication messages are included in the checksums used to
1710 * validate the handshake (e.g. Finished messages). Other than that,
1711 * the _exact_ identity of the client is less fundamental to protocol
1712 * security than its role in selecting keys via the pre-master secret.
1713 */
1714 private void clientCertificateVerify(CertificateVerify mesg)
1715 throws IOException {
1716
1717 if (debug != null && Debug.isOn("handshake")) {
1718 mesg.print(System.out);
1719 }
1720
1721 if (protocolVersion.useTLS12PlusSpec()) {
1722 SignatureAndHashAlgorithm signAlg =
1723 mesg.getPreferableSignatureAlgorithm();
1724 if (signAlg == null) {
1725 throw new SSLHandshakeException(
1726 "Illegal CertificateVerify message");
1727 }
1728
1729 String hashAlg =
1730 SignatureAndHashAlgorithm.getHashAlgorithmName(signAlg);
1731 if (hashAlg == null || hashAlg.length() == 0) {
1732 throw new SSLHandshakeException(
1733 "No supported hash algorithm");
1734 }
1735 }
1736
1737 try {
1738 PublicKey publicKey =
1739 session.getPeerCertificates()[0].getPublicKey();
1740
1741 boolean valid = mesg.verify(protocolVersion, handshakeHash,
1742 publicKey, session.getMasterSecret());
1743 if (valid == false) {
1744 fatalSE(Alerts.alert_bad_certificate,
1745 "certificate verify message signature error");
1746 }
1747 } catch (GeneralSecurityException e) {
1748 fatalSE(Alerts.alert_bad_certificate,
1749 "certificate verify format error", e);
1750 }
1751
1752 // reset the flag for clientCertificateVerify message
1753 needClientVerify = false;
1754 }
1755
1756
1757 /*
1758 * Client writes "finished" at the end of its handshake, after cipher
1759 * spec is changed. We verify it and then send ours.
1760 *
1761 * When we're resuming a session, we'll have already sent our own
1762 * Finished message so just the verification is needed.
1763 */
1764 private void clientFinished(Finished mesg) throws IOException {
1765 if (debug != null && Debug.isOn("handshake")) {
1766 mesg.print(System.out);
1767 }
1768
1769 /*
1770 * Verify if client did send the certificate when client
1771 * authentication was required, otherwise server should not proceed
1772 */
1773 if (doClientAuth == ClientAuthType.CLIENT_AUTH_REQUIRED) {
1774 // get X500Principal of the end-entity certificate for X509-based
1775 // ciphersuites, or Kerberos principal for Kerberos ciphersuites, etc
1776 session.getPeerPrincipal();
1777 }
1778
1779 /*
1780 * Verify if client did send clientCertificateVerify message following
1781 * the client Certificate, otherwise server should not proceed
1782 */
1783 if (needClientVerify) {
1784 fatalSE(Alerts.alert_handshake_failure,
1785 "client did not send certificate verify message");
1786 }
1787
1788 /*
1789 * Verify the client's message with the "before" digest of messages,
1790 * and forget about continuing to use that digest.
1791 */
1792 boolean verified = mesg.verify(handshakeHash, Finished.CLIENT,
1793 session.getMasterSecret());
1794
1795 if (!verified) {
1796 fatalSE(Alerts.alert_handshake_failure,
1797 "client 'finished' message doesn't verify");
1798 // NOTREACHED
1799 }
1800
1801 /*
1802 * save client verify data for secure renegotiation
1803 */
1804 if (secureRenegotiation) {
1805 clientVerifyData = mesg.getVerifyData();
1806 }
1807
1808 /*
1809 * OK, it verified. If we're doing the full handshake, add that
1810 * "Finished" message to the hash of handshake messages, then send
1811 * the change_cipher_spec and Finished message.
1812 */
1813 if (!resumingSession) {
1814 sendChangeCipherAndFinish(true);
1815 } else {
1816 handshakeFinished = true;
1817 }
1818
1819 /*
1820 * Update the session cache only after the handshake completed, else
1821 * we're open to an attack against a partially completed handshake.
1822 */
1823 session.setLastAccessedTime(System.currentTimeMillis());
1824 if (!resumingSession && session.isRejoinable()) {
1825 ((SSLSessionContextImpl)sslContext.engineGetServerSessionContext())
1826 .put(session);
1827 if (debug != null && Debug.isOn("session")) {
1828 System.out.println(
1829 "%% Cached server session: " + session);
1830 }
1831 } else if (!resumingSession &&
1832 debug != null && Debug.isOn("session")) {
1833 System.out.println(
1834 "%% Didn't cache non-resumable server session: "
1835 + session);
1836 }
1837 }
1838
1839 /*
1840 * Compute finished message with the "server" digest (and then forget
1841 * about that digest, it can't be used again).
1842 */
1843 private void sendChangeCipherAndFinish(boolean finishedTag)
1844 throws IOException {
1845
1846 // Reload if this message has been reserved.
1847 handshakeHash.reload();
1848
1849 Finished mesg = new Finished(protocolVersion, handshakeHash,
1850 Finished.SERVER, session.getMasterSecret(), cipherSuite);
1851
1852 /*
1853 * Send the change_cipher_spec record; then our Finished handshake
1854 * message will be the last handshake message. Flush, and now we
1855 * are ready for application data!!
1856 */
1857 sendChangeCipherSpec(mesg, finishedTag);
1858
1859 /*
1860 * save server verify data for secure renegotiation
1861 */
1862 if (secureRenegotiation) {
1863 serverVerifyData = mesg.getVerifyData();
1864 }
1865 }
1866
1867
1868 /*
1869 * Returns a HelloRequest message to kickstart renegotiations
1870 */
1871 @Override
1872 HandshakeMessage getKickstartMessage() {
1873 return new HelloRequest();
1874 }
1875
1876
1877 /*
1878 * Fault detected during handshake.
1879 */
1880 @Override
1881 void handshakeAlert(byte description) throws SSLProtocolException {
1882
1883 String message = Alerts.alertDescription(description);
1884
1885 if (debug != null && Debug.isOn("handshake")) {
1886 System.out.println("SSL -- handshake alert: "
1887 + message);
1888 }
1889
1890 /*
1891 * It's ok to get a no_certificate alert from a client of which
1892 * we *requested* authentication information.
1893 * However, if we *required* it, then this is not acceptable.
1894 *
1895 * Anyone calling getPeerCertificates() on the
1896 * session will get an SSLPeerUnverifiedException.
1897 */
1898 if ((description == Alerts.alert_no_certificate) &&
1899 (doClientAuth == ClientAuthType.CLIENT_AUTH_REQUESTED)) {
1900 return;
1901 }
1902
1903 throw new SSLProtocolException("handshake alert: " + message);
1904 }
1905
1906 /*
1907 * RSA key exchange is normally used. The client encrypts a "pre-master
1908 * secret" with the server's public key, from the Certificate (or else
1909 * ServerKeyExchange) message that was sent to it by the server. That's
1910 * decrypted using the private key before we get here.
1911 */
1912 private SecretKey clientKeyExchange(RSAClientKeyExchange mesg)
1913 throws IOException {
1914
1915 if (debug != null && Debug.isOn("handshake")) {
1916 mesg.print(System.out);
1917 }
1918 return mesg.preMaster;
1919 }
1920
1921 /*
1922 * Verify the certificate sent by the client. We'll only get one if we
1923 * sent a CertificateRequest to request client authentication. If we
1924 * are in TLS mode, the client may send a message with no certificates
1925 * to indicate it does not have an appropriate chain. (In SSLv3 mode,
1926 * it would send a no certificate alert).
1927 */
1928 private void clientCertificate(CertificateMsg mesg) throws IOException {
1929 if (debug != null && Debug.isOn("handshake")) {
1930 mesg.print(System.out);
1931 }
1932
1933 X509Certificate[] peerCerts = mesg.getCertificateChain();
1934
1935 if (peerCerts.length == 0) {
1936 /*
1937 * If the client authentication is only *REQUESTED* (e.g.
1938 * not *REQUIRED*, this is an acceptable condition.)
1939 */
1940 if (doClientAuth == ClientAuthType.CLIENT_AUTH_REQUESTED) {
1941 return;
1942 } else {
1943 fatalSE(Alerts.alert_bad_certificate,
1944 "null cert chain");
1945 }
1946 }
1947
1948 // ask the trust manager to verify the chain
1949 X509TrustManager tm = sslContext.getX509TrustManager();
1950
1951 try {
1952 // find out the types of client authentication used
1953 PublicKey key = peerCerts[0].getPublicKey();
1954 String keyAlgorithm = key.getAlgorithm();
1955 String authType;
1956 if (keyAlgorithm.equals("RSA")) {
1957 authType = "RSA";
1958 } else if (keyAlgorithm.equals("DSA")) {
1959 authType = "DSA";
1960 } else if (keyAlgorithm.equals("EC")) {
1961 authType = "EC";
1962 } else {
1963 // unknown public key type
1964 authType = "UNKNOWN";
1965 }
1966
1967 if (tm instanceof X509ExtendedTrustManager) {
1968 if (conn != null) {
1969 ((X509ExtendedTrustManager)tm).checkClientTrusted(
1970 peerCerts.clone(),
1971 authType,
1972 conn);
1973 } else {
1974 ((X509ExtendedTrustManager)tm).checkClientTrusted(
1975 peerCerts.clone(),
1976 authType,
1977 engine);
1978 }
1979 } else {
1980 // Unlikely to happen, because we have wrapped the old
1981 // X509TrustManager with the new X509ExtendedTrustManager.
1982 throw new CertificateException(
1983 "Improper X509TrustManager implementation");
1984 }
1985 } catch (CertificateException e) {
1986 // This will throw an exception, so include the original error.
1987 fatalSE(Alerts.alert_certificate_unknown, e);
1988 }
1989 // set the flag for clientCertificateVerify message
1990 needClientVerify = true;
1991
1992 session.setPeerCertificates(peerCerts);
1993 }
1994
1995 private StaplingParameters processStapling(ClientHello mesg) {
1996 StaplingParameters params = null;
1997 ExtensionType ext = null;
1998 StatusRequestType type = null;
1999 StatusRequest req = null;
2000 Map<X509Certificate, byte[]> responses;
2001
2002 // If this feature has not been enabled, then no more processing
2003 // is necessary. Also we will only staple if we're doing a full
2004 // handshake.
2005 if (!sslContext.isStaplingEnabled(false) || resumingSession) {
2006 return null;
2007 }
2008
2009 // Check if the client has asserted the status_request[_v2] extension(s)
2010 CertStatusReqExtension statReqExt = (CertStatusReqExtension)
2011 mesg.extensions.get(ExtensionType.EXT_STATUS_REQUEST);
2012 CertStatusReqListV2Extension statReqExtV2 =
2013 (CertStatusReqListV2Extension)mesg.extensions.get(
2014 ExtensionType.EXT_STATUS_REQUEST_V2);
2015
2016 // Determine which type of stapling we are doing and assert the
2017 // proper extension in the server hello.
2018 // Favor status_request_v2 over status_request and ocsp_multi
2019 // over ocsp.
2020 // If multiple ocsp or ocsp_multi types exist, select the first
2021 // instance of a given type. Also since we don't support ResponderId
2022 // selection yet, only accept a request if the ResponderId field
2023 // is empty.
2024 if (statReqExtV2 != null) { // RFC 6961 stapling
2025 ext = ExtensionType.EXT_STATUS_REQUEST_V2;
2026 List<CertStatusReqItemV2> reqItems =
2027 statReqExtV2.getRequestItems();
2028 int ocspIdx = -1;
2029 int ocspMultiIdx = -1;
2030 for (int pos = 0; (pos < reqItems.size() &&
2031 (ocspIdx == -1 || ocspMultiIdx == -1)); pos++) {
2032 CertStatusReqItemV2 item = reqItems.get(pos);
2033 StatusRequestType curType = item.getType();
2034 if (ocspIdx < 0 && curType == StatusRequestType.OCSP) {
2035 OCSPStatusRequest ocspReq =
2036 (OCSPStatusRequest)item.getRequest();
2037 if (ocspReq.getResponderIds().isEmpty()) {
2038 ocspIdx = pos;
2039 }
2040 } else if (ocspMultiIdx < 0 &&
2041 curType == StatusRequestType.OCSP_MULTI) {
2042 // If the type is OCSP, then the request
2043 // is guaranteed to be OCSPStatusRequest
2044 OCSPStatusRequest ocspReq =
2045 (OCSPStatusRequest)item.getRequest();
2046 if (ocspReq.getResponderIds().isEmpty()) {
2047 ocspMultiIdx = pos;
2048 }
2049 }
2050 }
2051 if (ocspMultiIdx >= 0) {
2052 type = reqItems.get(ocspMultiIdx).getType();
2053 req = reqItems.get(ocspMultiIdx).getRequest();
2054 } else if (ocspIdx >= 0) {
2055 type = reqItems.get(ocspIdx).getType();
2056 req = reqItems.get(ocspIdx).getRequest();
2057 } else {
2058 if (debug != null && Debug.isOn("handshake")) {
2059 System.out.println("Warning: No suitable request " +
2060 "found in the status_request_v2 extension.");
2061 }
2062 }
2063 }
2064
2065 // Only attempt to process a status_request extension if:
2066 // * The status_request extension is set AND
2067 // * either the status_request_v2 extension is not present OR
2068 // * none of the underlying OCSPStatusRequest structures is suitable
2069 // for stapling.
2070 // If either of the latter two bullet items is true the ext, type and
2071 // req variables should all be null. If any are null we will try
2072 // processing an asserted status_request.
2073 if ((statReqExt != null) &&
2074 (ext == null || type == null || req == null)) {
2075 ext = ExtensionType.EXT_STATUS_REQUEST;
2076 type = statReqExt.getType();
2077 if (type == StatusRequestType.OCSP) {
2078 // If the type is OCSP, then the request is guaranteed
2079 // to be OCSPStatusRequest
2080 OCSPStatusRequest ocspReq =
2081 (OCSPStatusRequest)statReqExt.getRequest();
2082 if (ocspReq.getResponderIds().isEmpty()) {
2083 req = ocspReq;
2084 } else {
2085 if (debug != null && Debug.isOn("handshake")) {
2086 req = null;
2087 System.out.println("Warning: No suitable request " +
2088 "found in the status_request extension.");
2089 }
2090 }
2091 }
2092 }
2093
2094 // If, after walking through the extensions we were unable to
2095 // find a suitable StatusRequest, then stapling is disabled.
2096 // The ext, type and req variables must have been set to continue.
2097 if (type == null || req == null || ext == null) {
2098 return null;
2099 }
2100
2101 // Get the OCSP responses from the StatusResponseManager
2102 StatusResponseManager statRespMgr =
2103 sslContext.getStatusResponseManager();
2104 if (statRespMgr != null) {
2105 responses = statRespMgr.get(type, req, certs, statusRespTimeout,
2106 TimeUnit.MILLISECONDS);
2107 if (!responses.isEmpty()) {
2108 // If this RFC 6066-style stapling (SSL cert only) then the
2109 // response cannot be zero length
2110 if (type == StatusRequestType.OCSP) {
2111 byte[] respDER = responses.get(certs[0]);
2112 if (respDER == null || respDER.length <= 0) {
2113 return null;
2114 }
2115 }
2116 params = new StaplingParameters(ext, type, req, responses);
2117 }
2118 } else {
2119 // This should not happen, but if lazy initialization of the
2120 // StatusResponseManager doesn't occur we should turn off stapling.
2121 if (debug != null && Debug.isOn("handshake")) {
2122 System.out.println("Warning: lazy initialization " +
2123 "of the StatusResponseManager failed. " +
2124 "Stapling has been disabled.");
2125 }
2126 }
2127
2128 return params;
2129 }
2130
2131 /**
2132 * Inner class used to hold stapling parameters needed by the handshaker
2133 * when stapling is active.
2134 */
2135 private class StaplingParameters {
2136 private final ExtensionType statusRespExt;
2137 private final StatusRequestType statReqType;
2138 private final StatusRequest statReqData;
2139 private final Map<X509Certificate, byte[]> responseMap;
2140
2141 StaplingParameters(ExtensionType ext, StatusRequestType type,
2142 StatusRequest req, Map<X509Certificate, byte[]> responses) {
2143 statusRespExt = ext;
2144 statReqType = type;
2145 statReqData = req;
2146 responseMap = responses;
2147 }
2148 }
2149 }