mirror of
https://github.com/openjdk/jdk.git
synced 2025-08-28 23:34:52 +02:00
339 lines
13 KiB
Java
339 lines
13 KiB
Java
/*
|
|
* Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
|
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
*
|
|
* This code is free software; you can redistribute it and/or modify it
|
|
* under the terms of the GNU General Public License version 2 only, as
|
|
* published by the Free Software Foundation. Oracle designates this
|
|
* particular file as subject to the "Classpath" exception as provided
|
|
* by Oracle in the LICENSE file that accompanied this code.
|
|
*
|
|
* This code is distributed in the hope that it will be useful, but WITHOUT
|
|
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
|
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
* version 2 for more details (a copy is included in the LICENSE file that
|
|
* accompanied this code).
|
|
*
|
|
* You should have received a copy of the GNU General Public License version
|
|
* 2 along with this work; if not, write to the Free Software Foundation,
|
|
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
*
|
|
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
|
|
* or visit www.oracle.com if you need additional information or have any
|
|
* questions.
|
|
*/
|
|
|
|
package sun.security.ssl;
|
|
|
|
import java.io.IOException;
|
|
import java.math.BigInteger;
|
|
import java.nio.ByteBuffer;
|
|
import java.security.CryptoPrimitive;
|
|
import java.security.GeneralSecurityException;
|
|
import java.security.InvalidKeyException;
|
|
import java.security.KeyFactory;
|
|
import java.security.NoSuchAlgorithmException;
|
|
import java.security.Signature;
|
|
import java.security.SignatureException;
|
|
import java.security.interfaces.RSAPublicKey;
|
|
import java.security.spec.RSAPublicKeySpec;
|
|
import java.text.MessageFormat;
|
|
import java.util.EnumSet;
|
|
import java.util.Locale;
|
|
import sun.security.ssl.RSAKeyExchange.EphemeralRSACredentials;
|
|
import sun.security.ssl.RSAKeyExchange.EphemeralRSAPossession;
|
|
import sun.security.ssl.SSLHandshake.HandshakeMessage;
|
|
import sun.security.ssl.X509Authentication.X509Credentials;
|
|
import sun.security.ssl.X509Authentication.X509Possession;
|
|
import sun.security.util.HexDumpEncoder;
|
|
|
|
/**
|
|
* Pack of the ServerKeyExchange handshake message.
|
|
*/
|
|
final class RSAServerKeyExchange {
|
|
static final SSLConsumer rsaHandshakeConsumer =
|
|
new RSAServerKeyExchangeConsumer();
|
|
static final HandshakeProducer rsaHandshakeProducer =
|
|
new RSAServerKeyExchangeProducer();
|
|
|
|
/**
|
|
* The ephemeral RSA ServerKeyExchange handshake message.
|
|
*
|
|
* Used for RSA_EXPORT, SSL 3.0 and TLS 1.0 only.
|
|
*/
|
|
private static final
|
|
class RSAServerKeyExchangeMessage extends HandshakeMessage {
|
|
// public key encapsulated in this message
|
|
private final byte[] modulus; // 1 to 2^16 - 1 bytes
|
|
private final byte[] exponent; // 1 to 2^16 - 1 bytes
|
|
|
|
// signature bytes, none-null as no anonymous RSA key exchange.
|
|
private final byte[] paramsSignature;
|
|
|
|
private RSAServerKeyExchangeMessage(HandshakeContext handshakeContext,
|
|
X509Possession x509Possession,
|
|
EphemeralRSAPossession rsaPossession) throws IOException {
|
|
super(handshakeContext);
|
|
|
|
// This happens in server side only.
|
|
ServerHandshakeContext shc =
|
|
(ServerHandshakeContext)handshakeContext;
|
|
|
|
RSAPublicKey publicKey = rsaPossession.popPublicKey;
|
|
RSAPublicKeySpec spec = JsseJce.getRSAPublicKeySpec(publicKey);
|
|
this.modulus = Utilities.toByteArray(spec.getModulus());
|
|
this.exponent = Utilities.toByteArray(spec.getPublicExponent());
|
|
byte[] signature = null;
|
|
try {
|
|
Signature signer = RSASignature.getInstance();
|
|
signer.initSign(x509Possession.popPrivateKey,
|
|
shc.sslContext.getSecureRandom());
|
|
updateSignature(signer,
|
|
shc.clientHelloRandom.randomBytes,
|
|
shc.serverHelloRandom.randomBytes);
|
|
signature = signer.sign();
|
|
} catch (NoSuchAlgorithmException |
|
|
InvalidKeyException | SignatureException ex) {
|
|
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
|
|
"Failed to sign ephemeral RSA parameters", ex);
|
|
}
|
|
|
|
this.paramsSignature = signature;
|
|
}
|
|
|
|
RSAServerKeyExchangeMessage(HandshakeContext handshakeContext,
|
|
ByteBuffer m) throws IOException {
|
|
super(handshakeContext);
|
|
|
|
// This happens in client side only.
|
|
ClientHandshakeContext chc =
|
|
(ClientHandshakeContext)handshakeContext;
|
|
|
|
this.modulus = Record.getBytes16(m);
|
|
this.exponent = Record.getBytes16(m);
|
|
this.paramsSignature = Record.getBytes16(m);
|
|
|
|
X509Credentials x509Credentials = null;
|
|
for (SSLCredentials cd : chc.handshakeCredentials) {
|
|
if (cd instanceof X509Credentials) {
|
|
x509Credentials = (X509Credentials)cd;
|
|
break;
|
|
}
|
|
}
|
|
|
|
if (x509Credentials == null) {
|
|
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
|
|
"No RSA credentials negotiated for server key exchange");
|
|
}
|
|
|
|
try {
|
|
Signature signer = RSASignature.getInstance();
|
|
signer.initVerify(x509Credentials.popPublicKey);
|
|
updateSignature(signer,
|
|
chc.clientHelloRandom.randomBytes,
|
|
chc.serverHelloRandom.randomBytes);
|
|
if (!signer.verify(paramsSignature)) {
|
|
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
|
|
"Invalid signature of RSA ServerKeyExchange message");
|
|
}
|
|
} catch (NoSuchAlgorithmException |
|
|
InvalidKeyException | SignatureException ex) {
|
|
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
|
|
"Failed to sign ephemeral RSA parameters", ex);
|
|
}
|
|
}
|
|
|
|
@Override
|
|
SSLHandshake handshakeType() {
|
|
return SSLHandshake.SERVER_KEY_EXCHANGE;
|
|
}
|
|
|
|
@Override
|
|
int messageLength() {
|
|
return 6 + modulus.length + exponent.length
|
|
+ paramsSignature.length;
|
|
}
|
|
|
|
@Override
|
|
void send(HandshakeOutStream hos) throws IOException {
|
|
hos.putBytes16(modulus);
|
|
hos.putBytes16(exponent);
|
|
hos.putBytes16(paramsSignature);
|
|
}
|
|
|
|
@Override
|
|
public String toString() {
|
|
MessageFormat messageFormat = new MessageFormat(
|
|
"\"RSA ServerKeyExchange\": '{'\n" +
|
|
" \"parameters\": '{'\n" +
|
|
" \"rsa_modulus\": '{'\n" +
|
|
"{0}\n" +
|
|
" '}',\n" +
|
|
" \"rsa_exponent\": '{'\n" +
|
|
"{1}\n" +
|
|
" '}'\n" +
|
|
" '}',\n" +
|
|
" \"digital signature\": '{'\n" +
|
|
" \"signature\": '{'\n" +
|
|
"{2}\n" +
|
|
" '}',\n" +
|
|
" '}'\n" +
|
|
"'}'",
|
|
Locale.ENGLISH);
|
|
|
|
HexDumpEncoder hexEncoder = new HexDumpEncoder();
|
|
Object[] messageFields = {
|
|
Utilities.indent(
|
|
hexEncoder.encodeBuffer(modulus), " "),
|
|
Utilities.indent(
|
|
hexEncoder.encodeBuffer(exponent), " "),
|
|
Utilities.indent(
|
|
hexEncoder.encodeBuffer(paramsSignature), " ")
|
|
};
|
|
return messageFormat.format(messageFields);
|
|
}
|
|
|
|
/*
|
|
* Hash the nonces and the ephemeral RSA public key.
|
|
*/
|
|
private void updateSignature(Signature signature,
|
|
byte[] clntNonce, byte[] svrNonce) throws SignatureException {
|
|
signature.update(clntNonce);
|
|
signature.update(svrNonce);
|
|
|
|
signature.update((byte)(modulus.length >> 8));
|
|
signature.update((byte)(modulus.length & 0x0ff));
|
|
signature.update(modulus);
|
|
|
|
signature.update((byte)(exponent.length >> 8));
|
|
signature.update((byte)(exponent.length & 0x0ff));
|
|
signature.update(exponent);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* The RSA "ServerKeyExchange" handshake message producer.
|
|
*/
|
|
private static final
|
|
class RSAServerKeyExchangeProducer implements HandshakeProducer {
|
|
// Prevent instantiation of this class.
|
|
private RSAServerKeyExchangeProducer() {
|
|
// blank
|
|
}
|
|
|
|
@Override
|
|
public byte[] produce(ConnectionContext context,
|
|
HandshakeMessage message) throws IOException {
|
|
// The producing happens in server side only.
|
|
ServerHandshakeContext shc = (ServerHandshakeContext)context;
|
|
|
|
EphemeralRSAPossession rsaPossession = null;
|
|
X509Possession x509Possession = null;
|
|
for (SSLPossession possession : shc.handshakePossessions) {
|
|
if (possession instanceof EphemeralRSAPossession) {
|
|
rsaPossession = (EphemeralRSAPossession)possession;
|
|
if (x509Possession != null) {
|
|
break;
|
|
}
|
|
} else if (possession instanceof X509Possession) {
|
|
x509Possession = (X509Possession)possession;
|
|
if (rsaPossession != null) {
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
|
|
if (rsaPossession == null) {
|
|
// The X.509 certificate itself should be used for RSA_EXPORT
|
|
// key exchange. The ServerKeyExchange handshake message is
|
|
// not needed.
|
|
return null;
|
|
} else if (x509Possession == null) {
|
|
// unlikely
|
|
throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
|
|
"No RSA certificate negotiated for server key exchange");
|
|
} else if (!"RSA".equals(
|
|
x509Possession.popPrivateKey.getAlgorithm())) {
|
|
// unlikely
|
|
throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
|
|
"No X.509 possession can be used for " +
|
|
"ephemeral RSA ServerKeyExchange");
|
|
}
|
|
|
|
RSAServerKeyExchangeMessage skem =
|
|
new RSAServerKeyExchangeMessage(
|
|
shc, x509Possession, rsaPossession);
|
|
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
|
|
SSLLogger.fine(
|
|
"Produced RSA ServerKeyExchange handshake message", skem);
|
|
}
|
|
|
|
// Output the handshake message.
|
|
skem.write(shc.handshakeOutput);
|
|
shc.handshakeOutput.flush();
|
|
|
|
// The handshake message has been delivered.
|
|
return null;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* The RSA "ServerKeyExchange" handshake message consumer.
|
|
*/
|
|
private static final
|
|
class RSAServerKeyExchangeConsumer implements SSLConsumer {
|
|
// Prevent instantiation of this class.
|
|
private RSAServerKeyExchangeConsumer() {
|
|
// blank
|
|
}
|
|
|
|
@Override
|
|
public void consume(ConnectionContext context,
|
|
ByteBuffer message) throws IOException {
|
|
// The consuming happens in client side only.
|
|
ClientHandshakeContext chc = (ClientHandshakeContext)context;
|
|
|
|
RSAServerKeyExchangeMessage skem =
|
|
new RSAServerKeyExchangeMessage(chc, message);
|
|
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
|
|
SSLLogger.fine(
|
|
"Consuming RSA ServerKeyExchange handshake message", skem);
|
|
}
|
|
|
|
//
|
|
// validate
|
|
//
|
|
// check constraints of RSA PublicKey
|
|
RSAPublicKey publicKey;
|
|
try {
|
|
KeyFactory kf = JsseJce.getKeyFactory("RSA");
|
|
RSAPublicKeySpec spec = new RSAPublicKeySpec(
|
|
new BigInteger(1, skem.modulus),
|
|
new BigInteger(1, skem.exponent));
|
|
publicKey = (RSAPublicKey)kf.generatePublic(spec);
|
|
} catch (GeneralSecurityException gse) {
|
|
throw chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
|
|
"Could not generate RSAPublicKey", gse);
|
|
}
|
|
|
|
if (!chc.algorithmConstraints.permits(
|
|
EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), publicKey)) {
|
|
throw chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
|
|
"RSA ServerKeyExchange does not comply to " +
|
|
"algorithm constraints");
|
|
}
|
|
|
|
//
|
|
// update
|
|
//
|
|
chc.handshakeCredentials.add(
|
|
new EphemeralRSACredentials(publicKey));
|
|
|
|
//
|
|
// produce
|
|
//
|
|
// Need no new handshake message producers here.
|
|
}
|
|
}
|
|
}
|
|
|