Back to index...

	/*
	* Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
	* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
	*
	* This code is free software; you can redistribute it and/or modify it
	* under the terms of the GNU General Public License version 2 only, as
	* published by the Free Software Foundation. Oracle designates this
	* particular file as subject to the "Classpath" exception as provided
	* by Oracle in the LICENSE file that accompanied this code.
	*
	* This code is distributed in the hope that it will be useful, but WITHOUT
	* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
	* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
	* version 2 for more details (a copy is included in the LICENSE file that
	* accompanied this code).
	*
	* You should have received a copy of the GNU General Public License version
	* 2 along with this work; if not, write to the Free Software Foundation,
	* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
	*
	* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
	* or visit www.oracle.com if you need additional information or have any
	* questions.
	*/

	package sun.security.ssl;

	import java.io.IOException;
	import java.math.BigInteger;
	import java.nio.ByteBuffer;
	import java.security.CryptoPrimitive;
	import java.security.GeneralSecurityException;
	import java.security.InvalidKeyException;
	import java.security.KeyFactory;
	import java.security.NoSuchAlgorithmException;
	import java.security.Signature;
	import java.security.SignatureException;
	import java.security.interfaces.RSAPublicKey;
	import java.security.spec.RSAPublicKeySpec;
	import java.text.MessageFormat;
	import java.util.EnumSet;
	import java.util.Locale;
	import sun.security.ssl.RSAKeyExchange.EphemeralRSACredentials;
	import sun.security.ssl.RSAKeyExchange.EphemeralRSAPossession;
	import sun.security.ssl.SSLHandshake.HandshakeMessage;
	import sun.security.ssl.X509Authentication.X509Credentials;
	import sun.security.ssl.X509Authentication.X509Possession;
	import sun.security.util.HexDumpEncoder;

	/**
	* Pack of the ServerKeyExchange handshake message.
	*/
	final class RSAServerKeyExchange {
	static final SSLConsumer rsaHandshakeConsumer =
	new RSAServerKeyExchangeConsumer();
	static final HandshakeProducer rsaHandshakeProducer =
	new RSAServerKeyExchangeProducer();

	/**
	* The ephemeral RSA ServerKeyExchange handshake message.
	*
	* Used for RSA_EXPORT, SSL 3.0 and TLS 1.0 only.
	*/
	private static final
	class RSAServerKeyExchangeMessage extends HandshakeMessage {
	// public key encapsulated in this message
	private final byte[] modulus; // 1 to 2^16 - 1 bytes
	private final byte[] exponent; // 1 to 2^16 - 1 bytes

	// signature bytes, none-null as no anonymous RSA key exchange.
	private final byte[] paramsSignature;

	private RSAServerKeyExchangeMessage(HandshakeContext handshakeContext,
	X509Possession x509Possession,
	EphemeralRSAPossession rsaPossession) throws IOException {
	super(handshakeContext);

	// This happens in server side only.
	ServerHandshakeContext shc =
	(ServerHandshakeContext)handshakeContext;

	RSAPublicKey publicKey = rsaPossession.popPublicKey;
	RSAPublicKeySpec spec = JsseJce.getRSAPublicKeySpec(publicKey);
	this.modulus = Utilities.toByteArray(spec.getModulus());
	this.exponent = Utilities.toByteArray(spec.getPublicExponent());
	byte[] signature = null;
	try {
	Signature signer = RSASignature.getInstance();
	signer.initSign(x509Possession.popPrivateKey,
	shc.sslContext.getSecureRandom());
	updateSignature(signer,
	shc.clientHelloRandom.randomBytes,
	shc.serverHelloRandom.randomBytes);
	signature = signer.sign();
	} catch (NoSuchAlgorithmException \|
	InvalidKeyException \| SignatureException ex) {
	shc.conContext.fatal(Alert.INTERNAL_ERROR,
	"Failed to sign ephemeral RSA parameters", ex);
	}

	this.paramsSignature = signature;
	}

	RSAServerKeyExchangeMessage(HandshakeContext handshakeContext,
	ByteBuffer m) throws IOException {
	super(handshakeContext);

	// This happens in client side only.
	ClientHandshakeContext chc =
	(ClientHandshakeContext)handshakeContext;

	this.modulus = Record.getBytes16(m);
	this.exponent = Record.getBytes16(m);
	this.paramsSignature = Record.getBytes16(m);

	X509Credentials x509Credentials = null;
	for (SSLCredentials cd : chc.handshakeCredentials) {
	if (cd instanceof X509Credentials) {
	x509Credentials = (X509Credentials)cd;
	break;
	}
	}

	if (x509Credentials == null) {
	chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
	"No RSA credentials negotiated for server key exchange");
	}

	try {
	Signature signer = RSASignature.getInstance();
	signer.initVerify(x509Credentials.popPublicKey);
	updateSignature(signer,
	chc.clientHelloRandom.randomBytes,
	chc.serverHelloRandom.randomBytes);
	if (!signer.verify(paramsSignature)) {
	chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
	"Invalid signature of RSA ServerKeyExchange message");
	}
	} catch (NoSuchAlgorithmException \|
	InvalidKeyException \| SignatureException ex) {
	chc.conContext.fatal(Alert.INTERNAL_ERROR,
	"Failed to sign ephemeral RSA parameters", ex);
	}
	}

	@Override
	SSLHandshake handshakeType() {
	return SSLHandshake.SERVER_KEY_EXCHANGE;
	}

	@Override
	int messageLength() {
	return 6 + modulus.length + exponent.length
	+ paramsSignature.length;
	}

	@Override
	void send(HandshakeOutStream hos) throws IOException {
	hos.putBytes16(modulus);
	hos.putBytes16(exponent);
	hos.putBytes16(paramsSignature);
	}

	@Override
	public String toString() {
	MessageFormat messageFormat = new MessageFormat(
	"\"RSA ServerKeyExchange\": '{'\n" +
	" \"parameters\": '{'\n" +
	" \"rsa_modulus\": '{'\n" +
	"{0}\n" +
	" '}',\n" +
	" \"rsa_exponent\": '{'\n" +
	"{1}\n" +
	" '}'\n" +
	" '}',\n" +
	" \"digital signature\": '{'\n" +
	" \"signature\": '{'\n" +
	"{2}\n" +
	" '}',\n" +
	" '}'\n" +
	"'}'",
	Locale.ENGLISH);

	HexDumpEncoder hexEncoder = new HexDumpEncoder();
	Object[] messageFields = {
	Utilities.indent(
	hexEncoder.encodeBuffer(modulus), " "),
	Utilities.indent(
	hexEncoder.encodeBuffer(exponent), " "),
	Utilities.indent(
	hexEncoder.encodeBuffer(paramsSignature), " ")
	};
	return messageFormat.format(messageFields);
	}

	/*
	* Hash the nonces and the ephemeral RSA public key.
	*/
	private void updateSignature(Signature signature,
	byte[] clntNonce, byte[] svrNonce) throws SignatureException {
	signature.update(clntNonce);
	signature.update(svrNonce);

	signature.update((byte)(modulus.length >> 8));
	signature.update((byte)(modulus.length & 0x0ff));
	signature.update(modulus);

	signature.update((byte)(exponent.length >> 8));
	signature.update((byte)(exponent.length & 0x0ff));
	signature.update(exponent);
	}
	}

	/**
	* The RSA "ServerKeyExchange" handshake message producer.
	*/
	private static final
	class RSAServerKeyExchangeProducer implements HandshakeProducer {
	// Prevent instantiation of this class.
	private RSAServerKeyExchangeProducer() {
	// blank
	}

	@Override
	public byte[] produce(ConnectionContext context,
	HandshakeMessage message) throws IOException {
	// The producing happens in server side only.
	ServerHandshakeContext shc = (ServerHandshakeContext)context;

	EphemeralRSAPossession rsaPossession = null;
	X509Possession x509Possession = null;
	for (SSLPossession possession : shc.handshakePossessions) {
	if (possession instanceof EphemeralRSAPossession) {
	rsaPossession = (EphemeralRSAPossession)possession;
	if (x509Possession != null) {
	break;
	}
	} else if (possession instanceof X509Possession) {
	x509Possession = (X509Possession)possession;
	if (rsaPossession != null) {
	break;
	}
	}
	}

	if (rsaPossession == null) {
	// The X.509 certificate itself should be used for RSA_EXPORT
	// key exchange. The ServerKeyExchange handshake message is
	// not needed.
	return null;
	} else if (x509Possession == null) {
	// unlikely
	shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
	"No RSA certificate negotiated for server key exchange");
	} else if (!"RSA".equals(
	x509Possession.popPrivateKey.getAlgorithm())) {
	// unlikely
	shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
	"No X.509 possession can be used for " +
	"ephemeral RSA ServerKeyExchange");
	}

	RSAServerKeyExchangeMessage skem =
	new RSAServerKeyExchangeMessage(
	shc, x509Possession, rsaPossession);
	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
	SSLLogger.fine(
	"Produced RSA ServerKeyExchange handshake message", skem);
	}

	// Output the handshake message.
	skem.write(shc.handshakeOutput);
	shc.handshakeOutput.flush();

	// The handshake message has been delivered.
	return null;
	}
	}

	/**
	* The RSA "ServerKeyExchange" handshake message consumer.
	*/
	private static final
	class RSAServerKeyExchangeConsumer implements SSLConsumer {
	// Prevent instantiation of this class.
	private RSAServerKeyExchangeConsumer() {
	// blank
	}

	@Override
	public void consume(ConnectionContext context,
	ByteBuffer message) throws IOException {
	// The consuming happens in client side only.
	ClientHandshakeContext chc = (ClientHandshakeContext)context;

	RSAServerKeyExchangeMessage skem =
	new RSAServerKeyExchangeMessage(chc, message);
	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
	SSLLogger.fine(
	"Consuming RSA ServerKeyExchange handshake message", skem);
	}

	//
	// validate
	//
	// check constraints of RSA PublicKey
	RSAPublicKey publicKey;
	try {
	KeyFactory kf = JsseJce.getKeyFactory("RSA");
	RSAPublicKeySpec spec = new RSAPublicKeySpec(
	new BigInteger(1, skem.modulus),
	new BigInteger(1, skem.exponent));
	publicKey = (RSAPublicKey)kf.generatePublic(spec);
	} catch (GeneralSecurityException gse) {
	chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
	"Could not generate RSAPublicKey", gse);

	return; // make the compiler happy
	}

	if (!chc.algorithmConstraints.permits(
	EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), publicKey)) {
	chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
	"RSA ServerKeyExchange does not comply to " +
	"algorithm constraints");
	}

	//
	// update
	//
	chc.handshakeCredentials.add(new EphemeralRSACredentials(publicKey));

	//
	// produce
	//
	// Need no new handshake message producers here.
	}
	}
	}

Back to index...