/*
 * Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

package sun.security.ssl;

import java.io.IOException;
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.PublicKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.XECPublicKey;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.ECParameterSpec;
import java.security.spec.NamedParameterSpec;
import java.text.MessageFormat;
import java.util.Locale;
import javax.crypto.SecretKey;
import sun.security.ssl.SSLHandshake.HandshakeMessage;
import sun.security.ssl.X509Authentication.X509Credentials;
import sun.security.ssl.X509Authentication.X509Possession;
import sun.security.util.HexDumpEncoder;

Pack of the "ClientKeyExchange" handshake message. This file is used by both the ECDH/ECDHE/XDH code since much of the code is the same between the EC named groups (i.e. x25519/x448/secp*r1), even though the APIs are very different (i.e. ECPublicKey/XECPublicKey, KeyExchange.getInstance("EC"/"XDH"), etc.).
/** * Pack of the "ClientKeyExchange" handshake message. * * This file is used by both the ECDH/ECDHE/XDH code since much of the * code is the same between the EC named groups (i.e. * x25519/x448/secp*r1), even though the APIs are very different (i.e. * ECPublicKey/XECPublicKey, KeyExchange.getInstance("EC"/"XDH"), etc.). */
final class ECDHClientKeyExchange { static final SSLConsumer ecdhHandshakeConsumer = new ECDHClientKeyExchangeConsumer(); static final HandshakeProducer ecdhHandshakeProducer = new ECDHClientKeyExchangeProducer(); static final SSLConsumer ecdheHandshakeConsumer = new ECDHEClientKeyExchangeConsumer(); static final HandshakeProducer ecdheHandshakeProducer = new ECDHEClientKeyExchangeProducer();
The ECDH/ECDHE/XDH ClientKeyExchange handshake message.
/** * The ECDH/ECDHE/XDH ClientKeyExchange handshake message. */
private static final class ECDHClientKeyExchangeMessage extends HandshakeMessage { private final byte[] encodedPoint; ECDHClientKeyExchangeMessage(HandshakeContext handshakeContext, byte[] encodedPublicKey) { super(handshakeContext); this.encodedPoint = encodedPublicKey; } ECDHClientKeyExchangeMessage(HandshakeContext handshakeContext, ByteBuffer m) throws IOException { super(handshakeContext); if (m.remaining() != 0) { // explicit PublicValueEncoding this.encodedPoint = Record.getBytes8(m); } else { this.encodedPoint = new byte[0]; } } @Override public SSLHandshake handshakeType() { return SSLHandshake.CLIENT_KEY_EXCHANGE; } @Override public int messageLength() { if (encodedPoint == null || encodedPoint.length == 0) { return 0; } else { return 1 + encodedPoint.length; } } @Override public void send(HandshakeOutStream hos) throws IOException { if (encodedPoint != null && encodedPoint.length != 0) { hos.putBytes8(encodedPoint); } } @Override public String toString() { MessageFormat messageFormat = new MessageFormat( "\"ECDH ClientKeyExchange\": '{'\n" + " \"ecdh public\": '{'\n" + "{0}\n" + " '}',\n" + "'}'", Locale.ENGLISH); if (encodedPoint == null || encodedPoint.length == 0) { Object[] messageFields = { " <implicit>" }; return messageFormat.format(messageFields); } else { HexDumpEncoder hexEncoder = new HexDumpEncoder(); Object[] messageFields = { Utilities.indent( hexEncoder.encodeBuffer(encodedPoint), " "), }; return messageFormat.format(messageFields); } } }
The ECDH "ClientKeyExchange" handshake message producer.
/** * The ECDH "ClientKeyExchange" handshake message producer. */
private static final class ECDHClientKeyExchangeProducer implements HandshakeProducer { // Prevent instantiation of this class. private ECDHClientKeyExchangeProducer() { // blank } @Override public byte[] produce(ConnectionContext context, HandshakeMessage message) throws IOException { // The producing happens in client side only. ClientHandshakeContext chc = (ClientHandshakeContext)context; X509Credentials x509Credentials = null; for (SSLCredentials credential : chc.handshakeCredentials) { if (credential instanceof X509Credentials) { x509Credentials = (X509Credentials)credential; break; } } if (x509Credentials == null) { throw chc.conContext.fatal(Alert.INTERNAL_ERROR, "No server certificate for ECDH client key exchange"); } PublicKey publicKey = x509Credentials.popPublicKey; NamedGroup namedGroup = null; String algorithm = publicKey.getAlgorithm(); // Determine which NamedGroup we'll be using, then use // the creator functions. if (algorithm.equals("EC")) { ECParameterSpec params = ((ECPublicKey)publicKey).getParams(); namedGroup = NamedGroup.valueOf(params); } else if (algorithm.equals("XDH")) { AlgorithmParameterSpec params = ((XECPublicKey)publicKey).getParams(); if (params instanceof NamedParameterSpec) { String name = ((NamedParameterSpec)params).getName(); namedGroup = NamedGroup.nameOf(name); } } else { throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER, "Not EC/XDH server certificate for " + "ECDH client key exchange"); } if (namedGroup == null) { throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER, "Unsupported EC/XDH server cert for " + "ECDH client key exchange"); } SSLPossession sslPossession = namedGroup.createPossession( chc.sslContext.getSecureRandom()); chc.handshakePossessions.add(sslPossession); ECDHClientKeyExchangeMessage cke = new ECDHClientKeyExchangeMessage( chc, sslPossession.encode()); if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.fine( "Produced ECDH ClientKeyExchange handshake message", cke); } // Output the handshake message. cke.write(chc.handshakeOutput); chc.handshakeOutput.flush(); // update the states SSLKeyExchange ke = SSLKeyExchange.valueOf( chc.negotiatedCipherSuite.keyExchange, chc.negotiatedProtocol); if (ke == null) { // unlikely throw chc.conContext.fatal(Alert.INTERNAL_ERROR, "Not supported key exchange type"); } else { SSLKeyDerivation masterKD = ke.createKeyDerivation(chc); SecretKey masterSecret = masterKD.deriveKey("MasterSecret", null); chc.handshakeSession.setMasterSecret(masterSecret); SSLTrafficKeyDerivation kd = SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol); if (kd == null) { // unlikely throw chc.conContext.fatal(Alert.INTERNAL_ERROR, "Not supported key derivation: " + chc.negotiatedProtocol); } else { chc.handshakeKeyDerivation = kd.createKeyDerivation(chc, masterSecret); } } // The handshake message has been delivered. return null; } }
The ECDH "ClientKeyExchange" handshake message consumer.
/** * The ECDH "ClientKeyExchange" handshake message consumer. */
private static final class ECDHClientKeyExchangeConsumer implements SSLConsumer { // Prevent instantiation of this class. private ECDHClientKeyExchangeConsumer() { // blank } @Override public void consume(ConnectionContext context, ByteBuffer message) throws IOException { // The consuming happens in server side only. ServerHandshakeContext shc = (ServerHandshakeContext)context; X509Possession x509Possession = null; for (SSLPossession possession : shc.handshakePossessions) { if (possession instanceof X509Possession) { x509Possession = (X509Possession)possession; break; } } if (x509Possession == null) { // unlikely, have been checked during cipher suite negotiation. throw shc.conContext.fatal(Alert.INTERNAL_ERROR, "No expected EC server cert for ECDH client key exchange"); } // Determine which NamedGroup we'll be using, then use // the creator functions. NamedGroup namedGroup = null; // Iteratively determine the X509Possession type's ParameterSpec. ECParameterSpec ecParams = x509Possession.getECParameterSpec(); NamedParameterSpec namedParams = null; if (ecParams != null) { namedGroup = NamedGroup.valueOf(ecParams); } // Wasn't EC, try XEC. if (ecParams == null) { namedParams = x509Possession.getXECParameterSpec(); namedGroup = NamedGroup.nameOf(namedParams.getName()); } // Can't figure this out, bail. if ((ecParams == null) && (namedParams == null)) { // unlikely, have been checked during cipher suite negotiation. throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER, "Not EC/XDH server cert for ECDH client key exchange"); } // unlikely, have been checked during cipher suite negotiation. if (namedGroup == null) { throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER, "Unknown named group in server cert for " + "ECDH client key exchange"); } SSLKeyExchange ke = SSLKeyExchange.valueOf( shc.negotiatedCipherSuite.keyExchange, shc.negotiatedProtocol); if (ke == null) { // unlikely throw shc.conContext.fatal(Alert.INTERNAL_ERROR, "Not supported key exchange type"); } // parse either handshake message containing either EC/XEC. ECDHClientKeyExchangeMessage cke = new ECDHClientKeyExchangeMessage(shc, message); if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.fine( "Consuming ECDH ClientKeyExchange handshake message", cke); } // create the credentials try { NamedGroup ng = namedGroup; // "effectively final" the lambda // AlgorithmConstraints are checked internally. SSLCredentials sslCredentials = namedGroup.decodeCredentials( cke.encodedPoint, shc.algorithmConstraints, s -> shc.conContext.fatal(Alert.INSUFFICIENT_SECURITY, "ClientKeyExchange " + ng + ": " + s)); shc.handshakeCredentials.add(sslCredentials); } catch (GeneralSecurityException e) { throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, "Cannot decode ECDH PublicKey: " + namedGroup); } // update the states SSLKeyDerivation masterKD = ke.createKeyDerivation(shc); SecretKey masterSecret = masterKD.deriveKey("MasterSecret", null); shc.handshakeSession.setMasterSecret(masterSecret); SSLTrafficKeyDerivation kd = SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol); if (kd == null) { // unlikely throw shc.conContext.fatal(Alert.INTERNAL_ERROR, "Not supported key derivation: " + shc.negotiatedProtocol); } else { shc.handshakeKeyDerivation = kd.createKeyDerivation(shc, masterSecret); } } }
The ECDHE "ClientKeyExchange" handshake message producer.
/** * The ECDHE "ClientKeyExchange" handshake message producer. */
private static final class ECDHEClientKeyExchangeProducer implements HandshakeProducer { // Prevent instantiation of this class. private ECDHEClientKeyExchangeProducer() { // blank } @Override public byte[] produce(ConnectionContext context, HandshakeMessage message) throws IOException { // The producing happens in client side only. ClientHandshakeContext chc = (ClientHandshakeContext)context; SSLCredentials sslCredentials = null; NamedGroup ng = null; PublicKey publicKey = null; // Find a good EC/XEC credential to use, determine the // NamedGroup to use for creating Possessions/Credentials/Keys. for (SSLCredentials cd : chc.handshakeCredentials) { if (cd instanceof NamedGroupCredentials) { NamedGroupCredentials creds = (NamedGroupCredentials)cd; ng = creds.getNamedGroup(); publicKey = creds.getPublicKey(); sslCredentials = cd; break; } } if (sslCredentials == null) { throw chc.conContext.fatal(Alert.INTERNAL_ERROR, "No ECDHE credentials negotiated for client key exchange"); } SSLPossession sslPossession = ng.createPossession( chc.sslContext.getSecureRandom()); chc.handshakePossessions.add(sslPossession); // Write the EC/XEC message. ECDHClientKeyExchangeMessage cke = new ECDHClientKeyExchangeMessage( chc, sslPossession.encode()); if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.fine( "Produced ECDHE ClientKeyExchange handshake message", cke); } // Output the handshake message. cke.write(chc.handshakeOutput); chc.handshakeOutput.flush(); // update the states SSLKeyExchange ke = SSLKeyExchange.valueOf( chc.negotiatedCipherSuite.keyExchange, chc.negotiatedProtocol); if (ke == null) { // unlikely throw chc.conContext.fatal(Alert.INTERNAL_ERROR, "Not supported key exchange type"); } else { SSLKeyDerivation masterKD = ke.createKeyDerivation(chc); SecretKey masterSecret = masterKD.deriveKey("MasterSecret", null); chc.handshakeSession.setMasterSecret(masterSecret); SSLTrafficKeyDerivation kd = SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol); if (kd == null) { // unlikely throw chc.conContext.fatal(Alert.INTERNAL_ERROR, "Not supported key derivation: " + chc.negotiatedProtocol); } else { chc.handshakeKeyDerivation = kd.createKeyDerivation(chc, masterSecret); } } // The handshake message has been delivered. return null; } }
The ECDHE "ClientKeyExchange" handshake message consumer.
/** * The ECDHE "ClientKeyExchange" handshake message consumer. */
private static final class ECDHEClientKeyExchangeConsumer implements SSLConsumer { // Prevent instantiation of this class. private ECDHEClientKeyExchangeConsumer() { // blank } @Override public void consume(ConnectionContext context, ByteBuffer message) throws IOException { // The consuming happens in server side only. ServerHandshakeContext shc = (ServerHandshakeContext)context; SSLPossession sslPossession = null; NamedGroup namedGroup = null; // Find a good EC/XEC credential to use, determine the // NamedGroup to use for creating Possessions/Credentials/Keys. for (SSLPossession possession : shc.handshakePossessions) { if (possession instanceof NamedGroupPossession) { NamedGroupPossession poss = (NamedGroupPossession)possession; namedGroup = poss.getNamedGroup(); sslPossession = poss; break; } } if (sslPossession == null) { // unlikely throw shc.conContext.fatal(Alert.INTERNAL_ERROR, "No expected ECDHE possessions for client key exchange"); } if (namedGroup == null) { // unlikely, have been checked during cipher suite negotiation throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER, "Unsupported EC server cert for ECDHE client key exchange"); } SSLKeyExchange ke = SSLKeyExchange.valueOf( shc.negotiatedCipherSuite.keyExchange, shc.negotiatedProtocol); if (ke == null) { // unlikely throw shc.conContext.fatal(Alert.INTERNAL_ERROR, "Not supported key exchange type"); } // parse the EC/XEC handshake message ECDHClientKeyExchangeMessage cke = new ECDHClientKeyExchangeMessage(shc, message); if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.fine( "Consuming ECDHE ClientKeyExchange handshake message", cke); } // create the credentials try { NamedGroup ng = namedGroup; // "effectively final" the lambda // AlgorithmConstraints are checked internally. SSLCredentials sslCredentials = namedGroup.decodeCredentials( cke.encodedPoint, shc.algorithmConstraints, s -> shc.conContext.fatal(Alert.INSUFFICIENT_SECURITY, "ClientKeyExchange " + ng + ": " + s)); shc.handshakeCredentials.add(sslCredentials); } catch (GeneralSecurityException e) { throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, "Cannot decode named group: " + namedGroup); } // update the states SSLKeyDerivation masterKD = ke.createKeyDerivation(shc); SecretKey masterSecret = masterKD.deriveKey("MasterSecret", null); shc.handshakeSession.setMasterSecret(masterSecret); SSLTrafficKeyDerivation kd = SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol); if (kd == null) { // unlikely throw shc.conContext.fatal(Alert.INTERNAL_ERROR, "Not supported key derivation: " + shc.negotiatedProtocol); } else { shc.handshakeKeyDerivation = kd.createKeyDerivation(shc, masterSecret); } } } }