/*
 * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

package sun.security.ssl;

import java.io.IOException;
import java.math.BigInteger;
import java.nio.ByteBuffer;
import java.security.CryptoPrimitive;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.Signature;
import java.security.SignatureException;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.RSAPublicKeySpec;
import java.text.MessageFormat;
import java.util.EnumSet;
import java.util.Locale;
import sun.security.ssl.RSAKeyExchange.EphemeralRSACredentials;
import sun.security.ssl.RSAKeyExchange.EphemeralRSAPossession;
import sun.security.ssl.SSLHandshake.HandshakeMessage;
import sun.security.ssl.X509Authentication.X509Credentials;
import sun.security.ssl.X509Authentication.X509Possession;
import sun.security.util.HexDumpEncoder;

Pack of the ServerKeyExchange handshake message.
/** * Pack of the ServerKeyExchange handshake message. */
final class RSAServerKeyExchange { static final SSLConsumer rsaHandshakeConsumer = new RSAServerKeyExchangeConsumer(); static final HandshakeProducer rsaHandshakeProducer = new RSAServerKeyExchangeProducer();
The ephemeral RSA ServerKeyExchange handshake message. Used for RSA_EXPORT, SSL 3.0 and TLS 1.0 only.
/** * The ephemeral RSA ServerKeyExchange handshake message. * * Used for RSA_EXPORT, SSL 3.0 and TLS 1.0 only. */
private static final class RSAServerKeyExchangeMessage extends HandshakeMessage { // public key encapsulated in this message private final byte[] modulus; // 1 to 2^16 - 1 bytes private final byte[] exponent; // 1 to 2^16 - 1 bytes // signature bytes, none-null as no anonymous RSA key exchange. private final byte[] paramsSignature; private RSAServerKeyExchangeMessage(HandshakeContext handshakeContext, X509Possession x509Possession, EphemeralRSAPossession rsaPossession) throws IOException { super(handshakeContext); // This happens in server side only. ServerHandshakeContext shc = (ServerHandshakeContext)handshakeContext; RSAPublicKey publicKey = rsaPossession.popPublicKey; RSAPublicKeySpec spec = JsseJce.getRSAPublicKeySpec(publicKey); this.modulus = Utilities.toByteArray(spec.getModulus()); this.exponent = Utilities.toByteArray(spec.getPublicExponent()); byte[] signature = null; try { Signature signer = RSASignature.getInstance(); signer.initSign(x509Possession.popPrivateKey, shc.sslContext.getSecureRandom()); updateSignature(signer, shc.clientHelloRandom.randomBytes, shc.serverHelloRandom.randomBytes); signature = signer.sign(); } catch (NoSuchAlgorithmException | InvalidKeyException | SignatureException ex) { throw shc.conContext.fatal(Alert.INTERNAL_ERROR, "Failed to sign ephemeral RSA parameters", ex); } this.paramsSignature = signature; } RSAServerKeyExchangeMessage(HandshakeContext handshakeContext, ByteBuffer m) throws IOException { super(handshakeContext); // This happens in client side only. ClientHandshakeContext chc = (ClientHandshakeContext)handshakeContext; this.modulus = Record.getBytes16(m); this.exponent = Record.getBytes16(m); this.paramsSignature = Record.getBytes16(m); X509Credentials x509Credentials = null; for (SSLCredentials cd : chc.handshakeCredentials) { if (cd instanceof X509Credentials) { x509Credentials = (X509Credentials)cd; break; } } if (x509Credentials == null) { throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER, "No RSA credentials negotiated for server key exchange"); } try { Signature signer = RSASignature.getInstance(); signer.initVerify(x509Credentials.popPublicKey); updateSignature(signer, chc.clientHelloRandom.randomBytes, chc.serverHelloRandom.randomBytes); if (!signer.verify(paramsSignature)) { throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE, "Invalid signature of RSA ServerKeyExchange message"); } } catch (NoSuchAlgorithmException | InvalidKeyException | SignatureException ex) { throw chc.conContext.fatal(Alert.INTERNAL_ERROR, "Failed to sign ephemeral RSA parameters", ex); } } @Override SSLHandshake handshakeType() { return SSLHandshake.SERVER_KEY_EXCHANGE; } @Override int messageLength() { return 6 + modulus.length + exponent.length + paramsSignature.length; } @Override void send(HandshakeOutStream hos) throws IOException { hos.putBytes16(modulus); hos.putBytes16(exponent); hos.putBytes16(paramsSignature); } @Override public String toString() { MessageFormat messageFormat = new MessageFormat( "\"RSA ServerKeyExchange\": '{'\n" + " \"parameters\": '{'\n" + " \"rsa_modulus\": '{'\n" + "{0}\n" + " '}',\n" + " \"rsa_exponent\": '{'\n" + "{1}\n" + " '}'\n" + " '}',\n" + " \"digital signature\": '{'\n" + " \"signature\": '{'\n" + "{2}\n" + " '}',\n" + " '}'\n" + "'}'", Locale.ENGLISH); HexDumpEncoder hexEncoder = new HexDumpEncoder(); Object[] messageFields = { Utilities.indent( hexEncoder.encodeBuffer(modulus), " "), Utilities.indent( hexEncoder.encodeBuffer(exponent), " "), Utilities.indent( hexEncoder.encodeBuffer(paramsSignature), " ") }; return messageFormat.format(messageFields); } /* * Hash the nonces and the ephemeral RSA public key. */ private void updateSignature(Signature signature, byte[] clntNonce, byte[] svrNonce) throws SignatureException { signature.update(clntNonce); signature.update(svrNonce); signature.update((byte)(modulus.length >> 8)); signature.update((byte)(modulus.length & 0x0ff)); signature.update(modulus); signature.update((byte)(exponent.length >> 8)); signature.update((byte)(exponent.length & 0x0ff)); signature.update(exponent); } }
The RSA "ServerKeyExchange" handshake message producer.
/** * The RSA "ServerKeyExchange" handshake message producer. */
private static final class RSAServerKeyExchangeProducer implements HandshakeProducer { // Prevent instantiation of this class. private RSAServerKeyExchangeProducer() { // blank } @Override public byte[] produce(ConnectionContext context, HandshakeMessage message) throws IOException { // The producing happens in server side only. ServerHandshakeContext shc = (ServerHandshakeContext)context; EphemeralRSAPossession rsaPossession = null; X509Possession x509Possession = null; for (SSLPossession possession : shc.handshakePossessions) { if (possession instanceof EphemeralRSAPossession) { rsaPossession = (EphemeralRSAPossession)possession; if (x509Possession != null) { break; } } else if (possession instanceof X509Possession) { x509Possession = (X509Possession)possession; if (rsaPossession != null) { break; } } } if (rsaPossession == null) { // The X.509 certificate itself should be used for RSA_EXPORT // key exchange. The ServerKeyExchange handshake message is // not needed. return null; } else if (x509Possession == null) { // unlikely throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER, "No RSA certificate negotiated for server key exchange"); } else if (!"RSA".equals( x509Possession.popPrivateKey.getAlgorithm())) { // unlikely throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER, "No X.509 possession can be used for " + "ephemeral RSA ServerKeyExchange"); } RSAServerKeyExchangeMessage skem = new RSAServerKeyExchangeMessage( shc, x509Possession, rsaPossession); if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.fine( "Produced RSA ServerKeyExchange handshake message", skem); } // Output the handshake message. skem.write(shc.handshakeOutput); shc.handshakeOutput.flush(); // The handshake message has been delivered. return null; } }
The RSA "ServerKeyExchange" handshake message consumer.
/** * The RSA "ServerKeyExchange" handshake message consumer. */
private static final class RSAServerKeyExchangeConsumer implements SSLConsumer { // Prevent instantiation of this class. private RSAServerKeyExchangeConsumer() { // blank } @Override public void consume(ConnectionContext context, ByteBuffer message) throws IOException { // The consuming happens in client side only. ClientHandshakeContext chc = (ClientHandshakeContext)context; RSAServerKeyExchangeMessage skem = new RSAServerKeyExchangeMessage(chc, message); if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.fine( "Consuming RSA ServerKeyExchange handshake message", skem); } // // validate // // check constraints of RSA PublicKey RSAPublicKey publicKey; try { KeyFactory kf = JsseJce.getKeyFactory("RSA"); RSAPublicKeySpec spec = new RSAPublicKeySpec( new BigInteger(1, skem.modulus), new BigInteger(1, skem.exponent)); publicKey = (RSAPublicKey)kf.generatePublic(spec); } catch (GeneralSecurityException gse) { throw chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY, "Could not generate RSAPublicKey", gse); } if (!chc.algorithmConstraints.permits( EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), publicKey)) { throw chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY, "RSA ServerKeyExchange does not comply to " + "algorithm constraints"); } // // update // chc.handshakeCredentials.add( new EphemeralRSACredentials(publicKey)); // // produce // // Need no new handshake message producers here. } } }