Back to index...

	/*
	* Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
	* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
	*
	* This code is free software; you can redistribute it and/or modify it
	* under the terms of the GNU General Public License version 2 only, as
	* published by the Free Software Foundation. Oracle designates this
	* particular file as subject to the "Classpath" exception as provided
	* by Oracle in the LICENSE file that accompanied this code.
	*
	* This code is distributed in the hope that it will be useful, but WITHOUT
	* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
	* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
	* version 2 for more details (a copy is included in the LICENSE file that
	* accompanied this code).
	*
	* You should have received a copy of the GNU General Public License version
	* 2 along with this work; if not, write to the Free Software Foundation,
	* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
	*
	* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
	* or visit www.oracle.com if you need additional information or have any
	* questions.
	*/

	package sun.security.ssl;

	import java.io.IOException;
	import java.nio.ByteBuffer;
	import java.security.AlgorithmConstraints;
	import java.security.CryptoPrimitive;
	import java.security.GeneralSecurityException;
	import java.security.KeyFactory;
	import java.security.PublicKey;
	import java.security.interfaces.ECPublicKey;
	import java.security.spec.ECParameterSpec;
	import java.security.spec.ECPoint;
	import java.security.spec.ECPublicKeySpec;
	import java.text.MessageFormat;
	import java.util.EnumSet;
	import java.util.Locale;
	import javax.crypto.SecretKey;
	import javax.net.ssl.SSLHandshakeException;
	import sun.security.ssl.ECDHKeyExchange.ECDHECredentials;
	import sun.security.ssl.ECDHKeyExchange.ECDHEPossession;
	import sun.security.ssl.SSLHandshake.HandshakeMessage;
	import sun.security.ssl.SupportedGroupsExtension.NamedGroup;
	import sun.security.ssl.X509Authentication.X509Credentials;
	import sun.security.ssl.X509Authentication.X509Possession;
	import sun.misc.HexDumpEncoder;

	/**
	* Pack of the "ClientKeyExchange" handshake message.
	*/
	final class ECDHClientKeyExchange {
	static final SSLConsumer ecdhHandshakeConsumer =
	new ECDHClientKeyExchangeConsumer();
	static final HandshakeProducer ecdhHandshakeProducer =
	new ECDHClientKeyExchangeProducer();

	static final SSLConsumer ecdheHandshakeConsumer =
	new ECDHEClientKeyExchangeConsumer();
	static final HandshakeProducer ecdheHandshakeProducer =
	new ECDHEClientKeyExchangeProducer();

	/**
	* The ECDH/ECDHE ClientKeyExchange handshake message.
	*/
	private static final
	class ECDHClientKeyExchangeMessage extends HandshakeMessage {
	private final byte[] encodedPoint;

	ECDHClientKeyExchangeMessage(HandshakeContext handshakeContext,
	ECPublicKey publicKey) {
	super(handshakeContext);

	ECPoint point = publicKey.getW();
	ECParameterSpec params = publicKey.getParams();
	encodedPoint = JsseJce.encodePoint(point, params.getCurve());
	}

	ECDHClientKeyExchangeMessage(HandshakeContext handshakeContext,
	ByteBuffer m) throws IOException {
	super(handshakeContext);
	if (m.remaining() != 0) { // explicit PublicValueEncoding
	this.encodedPoint = Record.getBytes8(m);
	} else {
	this.encodedPoint = new byte[0];
	}
	}

	// Check constraints of the specified EC public key.
	static void checkConstraints(AlgorithmConstraints constraints,
	ECPublicKey publicKey,
	byte[] encodedPoint) throws SSLHandshakeException {

	try {
	ECParameterSpec params = publicKey.getParams();
	ECPoint point =
	JsseJce.decodePoint(encodedPoint, params.getCurve());
	ECPublicKeySpec spec = new ECPublicKeySpec(point, params);

	KeyFactory kf = JsseJce.getKeyFactory("EC");
	ECPublicKey peerPublicKey =
	(ECPublicKey)kf.generatePublic(spec);

	// check constraints of ECPublicKey
	if (!constraints.permits(
	EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
	peerPublicKey)) {
	throw new SSLHandshakeException(
	"ECPublicKey does not comply to algorithm constraints");
	}
	} catch (GeneralSecurityException \| java.io.IOException e) {
	throw (SSLHandshakeException) new SSLHandshakeException(
	"Could not generate ECPublicKey").initCause(e);
	}
	}

	@Override
	public SSLHandshake handshakeType() {
	return SSLHandshake.CLIENT_KEY_EXCHANGE;
	}

	@Override
	public int messageLength() {
	if (encodedPoint == null \|\| encodedPoint.length == 0) {
	return 0;
	} else {
	return 1 + encodedPoint.length;
	}
	}

	@Override
	public void send(HandshakeOutStream hos) throws IOException {
	if (encodedPoint != null && encodedPoint.length != 0) {
	hos.putBytes8(encodedPoint);
	}
	}

	@Override
	public String toString() {
	MessageFormat messageFormat = new MessageFormat(
	"\"ECDH ClientKeyExchange\": '{'\n" +
	" \"ecdh public\": '{'\n" +
	"{0}\n" +
	" '}',\n" +
	"'}'",
	Locale.ENGLISH);
	if (encodedPoint == null \|\| encodedPoint.length == 0) {
	Object[] messageFields = {
	" <implicit>"
	};
	return messageFormat.format(messageFields);
	} else {
	HexDumpEncoder hexEncoder = new HexDumpEncoder();
	Object[] messageFields = {
	Utilities.indent(
	hexEncoder.encodeBuffer(encodedPoint), " "),
	};
	return messageFormat.format(messageFields);
	}
	}
	}

	/**
	* The ECDH "ClientKeyExchange" handshake message producer.
	*/
	private static final
	class ECDHClientKeyExchangeProducer implements HandshakeProducer {
	// Prevent instantiation of this class.
	private ECDHClientKeyExchangeProducer() {
	// blank
	}

	@Override
	public byte[] produce(ConnectionContext context,
	HandshakeMessage message) throws IOException {
	// The producing happens in client side only.
	ClientHandshakeContext chc = (ClientHandshakeContext)context;

	X509Credentials x509Credentials = null;
	for (SSLCredentials credential : chc.handshakeCredentials) {
	if (credential instanceof X509Credentials) {
	x509Credentials = (X509Credentials)credential;
	break;
	}
	}

	if (x509Credentials == null) {
	throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
	"No server certificate for ECDH client key exchange");
	}

	PublicKey publicKey = x509Credentials.popPublicKey;
	if (!publicKey.getAlgorithm().equals("EC")) {
	throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
	"Not EC server certificate for ECDH client key exchange");
	}

	ECParameterSpec params = ((ECPublicKey)publicKey).getParams();
	NamedGroup namedGroup = NamedGroup.valueOf(params);
	if (namedGroup == null) {
	throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
	"Unsupported EC server cert for ECDH client key exchange");
	}

	ECDHEPossession ecdhePossession = new ECDHEPossession(
	namedGroup, chc.sslContext.getSecureRandom());
	chc.handshakePossessions.add(ecdhePossession);
	ECDHClientKeyExchangeMessage cke =
	new ECDHClientKeyExchangeMessage(
	chc, ecdhePossession.publicKey);
	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
	SSLLogger.fine(
	"Produced ECDH ClientKeyExchange handshake message", cke);
	}

	// Output the handshake message.
	cke.write(chc.handshakeOutput);
	chc.handshakeOutput.flush();

	// update the states
	SSLKeyExchange ke = SSLKeyExchange.valueOf(
	chc.negotiatedCipherSuite.keyExchange,
	chc.negotiatedProtocol);
	if (ke == null) {
	// unlikely
	throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
	"Not supported key exchange type");
	} else {
	SSLKeyDerivation masterKD = ke.createKeyDerivation(chc);
	SecretKey masterSecret =
	masterKD.deriveKey("MasterSecret", null);
	chc.handshakeSession.setMasterSecret(masterSecret);

	SSLTrafficKeyDerivation kd =
	SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
	if (kd == null) {
	// unlikely
	throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
	"Not supported key derivation: " +
	chc.negotiatedProtocol);
	} else {
	chc.handshakeKeyDerivation =
	kd.createKeyDerivation(chc, masterSecret);
	}
	}

	// The handshake message has been delivered.
	return null;
	}
	}

	/**
	* The ECDH "ClientKeyExchange" handshake message consumer.
	*/
	private static final
	class ECDHClientKeyExchangeConsumer implements SSLConsumer {
	// Prevent instantiation of this class.
	private ECDHClientKeyExchangeConsumer() {
	// blank
	}

	@Override
	public void consume(ConnectionContext context,
	ByteBuffer message) throws IOException {
	// The consuming happens in server side only.
	ServerHandshakeContext shc = (ServerHandshakeContext)context;

	X509Possession x509Possession = null;
	for (SSLPossession possession : shc.handshakePossessions) {
	if (possession instanceof X509Possession) {
	x509Possession = (X509Possession)possession;
	break;
	}
	}

	if (x509Possession == null) {
	// unlikely, have been checked during cipher suite negotiation.
	throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
	"No expected EC server cert for ECDH client key exchange");
	}

	ECParameterSpec params = x509Possession.getECParameterSpec();
	if (params == null) {
	// unlikely, have been checked during cipher suite negotiation.
	throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
	"Not EC server cert for ECDH client key exchange");
	}

	NamedGroup namedGroup = NamedGroup.valueOf(params);
	if (namedGroup == null) {
	// unlikely, have been checked during cipher suite negotiation.
	throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
	"Unsupported EC server cert for ECDH client key exchange");
	}

	SSLKeyExchange ke = SSLKeyExchange.valueOf(
	shc.negotiatedCipherSuite.keyExchange,
	shc.negotiatedProtocol);
	if (ke == null) {
	// unlikely
	throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
	"Not supported key exchange type");
	}

	// parse the handshake message
	ECDHClientKeyExchangeMessage cke =
	new ECDHClientKeyExchangeMessage(shc, message);
	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
	SSLLogger.fine(
	"Consuming ECDH ClientKeyExchange handshake message", cke);
	}

	// create the credentials
	try {
	ECPoint point =
	JsseJce.decodePoint(cke.encodedPoint, params.getCurve());
	ECPublicKeySpec spec = new ECPublicKeySpec(point, params);

	KeyFactory kf = JsseJce.getKeyFactory("EC");
	ECPublicKey peerPublicKey =
	(ECPublicKey)kf.generatePublic(spec);

	// check constraints of peer ECPublicKey
	if (!shc.algorithmConstraints.permits(
	EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
	peerPublicKey)) {
	throw new SSLHandshakeException(
	"ECPublicKey does not comply to algorithm constraints");
	}

	shc.handshakeCredentials.add(new ECDHECredentials(
	peerPublicKey, namedGroup));
	} catch (GeneralSecurityException \| java.io.IOException e) {
	throw (SSLHandshakeException)(new SSLHandshakeException(
	"Could not generate ECPublicKey").initCause(e));
	}

	// update the states
	SSLKeyDerivation masterKD = ke.createKeyDerivation(shc);
	SecretKey masterSecret =
	masterKD.deriveKey("MasterSecret", null);
	shc.handshakeSession.setMasterSecret(masterSecret);

	SSLTrafficKeyDerivation kd =
	SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
	if (kd == null) {
	// unlikely
	throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
	"Not supported key derivation: " + shc.negotiatedProtocol);
	} else {
	shc.handshakeKeyDerivation =
	kd.createKeyDerivation(shc, masterSecret);
	}
	}
	}

	/**
	* The ECDHE "ClientKeyExchange" handshake message producer.
	*/
	private static final
	class ECDHEClientKeyExchangeProducer implements HandshakeProducer {
	// Prevent instantiation of this class.
	private ECDHEClientKeyExchangeProducer() {
	// blank
	}

	@Override
	public byte[] produce(ConnectionContext context,
	HandshakeMessage message) throws IOException {
	// The producing happens in client side only.
	ClientHandshakeContext chc = (ClientHandshakeContext)context;

	ECDHECredentials ecdheCredentials = null;
	for (SSLCredentials cd : chc.handshakeCredentials) {
	if (cd instanceof ECDHECredentials) {
	ecdheCredentials = (ECDHECredentials)cd;
	break;
	}
	}

	if (ecdheCredentials == null) {
	throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
	"No ECDHE credentials negotiated for client key exchange");
	}

	ECDHEPossession ecdhePossession = new ECDHEPossession(
	ecdheCredentials, chc.sslContext.getSecureRandom());
	chc.handshakePossessions.add(ecdhePossession);
	ECDHClientKeyExchangeMessage cke =
	new ECDHClientKeyExchangeMessage(
	chc, ecdhePossession.publicKey);
	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
	SSLLogger.fine(
	"Produced ECDHE ClientKeyExchange handshake message", cke);
	}

	// Output the handshake message.
	cke.write(chc.handshakeOutput);
	chc.handshakeOutput.flush();

	// update the states
	SSLKeyExchange ke = SSLKeyExchange.valueOf(
	chc.negotiatedCipherSuite.keyExchange,
	chc.negotiatedProtocol);
	if (ke == null) {
	// unlikely
	throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
	"Not supported key exchange type");
	} else {
	SSLKeyDerivation masterKD = ke.createKeyDerivation(chc);
	SecretKey masterSecret =
	masterKD.deriveKey("MasterSecret", null);
	chc.handshakeSession.setMasterSecret(masterSecret);

	SSLTrafficKeyDerivation kd =
	SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
	if (kd == null) {
	// unlikely
	throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
	"Not supported key derivation: " +
	chc.negotiatedProtocol);
	} else {
	chc.handshakeKeyDerivation =
	kd.createKeyDerivation(chc, masterSecret);
	}
	}

	// The handshake message has been delivered.
	return null;
	}
	}

	/**
	* The ECDHE "ClientKeyExchange" handshake message consumer.
	*/
	private static final
	class ECDHEClientKeyExchangeConsumer implements SSLConsumer {
	// Prevent instantiation of this class.
	private ECDHEClientKeyExchangeConsumer() {
	// blank
	}

	@Override
	public void consume(ConnectionContext context,
	ByteBuffer message) throws IOException {
	// The consuming happens in server side only.
	ServerHandshakeContext shc = (ServerHandshakeContext)context;

	ECDHEPossession ecdhePossession = null;
	for (SSLPossession possession : shc.handshakePossessions) {
	if (possession instanceof ECDHEPossession) {
	ecdhePossession = (ECDHEPossession)possession;
	break;
	}
	}
	if (ecdhePossession == null) {
	// unlikely
	throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
	"No expected ECDHE possessions for client key exchange");
	}

	ECParameterSpec params = ecdhePossession.publicKey.getParams();
	NamedGroup namedGroup = NamedGroup.valueOf(params);
	if (namedGroup == null) {
	// unlikely, have been checked during cipher suite negotiation.
	throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
	"Unsupported EC server cert for ECDHE client key exchange");
	}

	SSLKeyExchange ke = SSLKeyExchange.valueOf(
	shc.negotiatedCipherSuite.keyExchange,
	shc.negotiatedProtocol);
	if (ke == null) {
	// unlikely
	throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
	"Not supported key exchange type");
	}

	// parse the handshake message
	ECDHClientKeyExchangeMessage cke =
	new ECDHClientKeyExchangeMessage(shc, message);
	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
	SSLLogger.fine(
	"Consuming ECDHE ClientKeyExchange handshake message", cke);
	}

	// create the credentials
	try {
	ECPoint point =
	JsseJce.decodePoint(cke.encodedPoint, params.getCurve());
	ECPublicKeySpec spec = new ECPublicKeySpec(point, params);

	KeyFactory kf = JsseJce.getKeyFactory("EC");
	ECPublicKey peerPublicKey =
	(ECPublicKey)kf.generatePublic(spec);

	// check constraints of peer ECPublicKey
	if (!shc.algorithmConstraints.permits(
	EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
	peerPublicKey)) {
	throw new SSLHandshakeException(
	"ECPublicKey does not comply to algorithm constraints");
	}

	shc.handshakeCredentials.add(new ECDHECredentials(
	peerPublicKey, namedGroup));
	} catch (GeneralSecurityException \| java.io.IOException e) {
	throw (SSLHandshakeException)(new SSLHandshakeException(
	"Could not generate ECPublicKey").initCause(e));
	}

	// update the states
	SSLKeyDerivation masterKD = ke.createKeyDerivation(shc);
	SecretKey masterSecret =
	masterKD.deriveKey("MasterSecret", null);
	shc.handshakeSession.setMasterSecret(masterSecret);

	SSLTrafficKeyDerivation kd =
	SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
	if (kd == null) {
	// unlikely
	throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
	"Not supported key derivation: " + shc.negotiatedProtocol);
	} else {
	shc.handshakeKeyDerivation =
	kd.createKeyDerivation(shc, masterSecret);
	}
	}
	}
	}

Back to index...