< prev index next >

src/java.base/share/classes/sun/security/ssl/DHKeyExchange.java

Print this page




  19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20  *
  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 
  26 package sun.security.ssl;
  27 
  28 import java.io.IOException;
  29 import java.math.BigInteger;
  30 import java.security.GeneralSecurityException;
  31 import java.security.InvalidKeyException;
  32 import java.security.KeyFactory;
  33 import java.security.KeyPair;
  34 import java.security.KeyPairGenerator;
  35 import java.security.NoSuchAlgorithmException;
  36 import java.security.PrivateKey;
  37 import java.security.PublicKey;
  38 import java.security.SecureRandom;

  39 import java.security.spec.InvalidKeySpecException;


  40 import javax.crypto.interfaces.DHPublicKey;
  41 import javax.crypto.spec.DHParameterSpec;
  42 import javax.crypto.spec.DHPublicKeySpec;


  43 import sun.security.action.GetPropertyAction;
  44 import sun.security.ssl.NamedGroup.NamedGroupType;


  45 import sun.security.ssl.SupportedGroupsExtension.SupportedGroups;
  46 import sun.security.ssl.X509Authentication.X509Possession;
  47 import sun.security.util.KeyUtil;
  48 
  49 final class DHKeyExchange {
  50     static final SSLPossessionGenerator poGenerator =
  51             new DHEPossessionGenerator(false);
  52     static final SSLPossessionGenerator poExportableGenerator =
  53             new DHEPossessionGenerator(true);
  54     static final SSLKeyAgreementGenerator kaGenerator =
  55             new DHEKAGenerator();
  56 
  57     static final class DHECredentials implements NamedGroupCredentials {
  58         final DHPublicKey popPublicKey;
  59         final NamedGroup namedGroup;
  60 
  61         DHECredentials(DHPublicKey popPublicKey, NamedGroup namedGroup) {
  62             this.popPublicKey = popPublicKey;
  63             this.namedGroup = namedGroup;
  64         }
  65 
  66         @Override
  67         public PublicKey getPublicKey() {
  68             return popPublicKey;
  69         }
  70 
  71         @Override
  72         public NamedGroup getNamedGroup() {
  73             return namedGroup;
  74         }
  75 
  76         static DHECredentials valueOf(NamedGroup ng,
  77             byte[] encodedPublic) throws IOException, GeneralSecurityException {
  78 
  79             if (ng.type != NamedGroupType.NAMED_GROUP_FFDHE) {
  80                 throw new RuntimeException(
  81                         "Credentials decoding:  Not FFDHE named group");
  82             }
  83 
  84             if (encodedPublic == null || encodedPublic.length == 0) {
  85                 return null;
  86             }
  87 
  88             DHParameterSpec params = (DHParameterSpec)ng.getParameterSpec();
  89             if (params == null) {
  90                 return null;
  91             }
  92 
  93             KeyFactory kf = KeyFactory.getInstance("DiffieHellman");
  94             DHPublicKeySpec spec = new DHPublicKeySpec(
  95                     new BigInteger(1, encodedPublic),
  96                     params.getP(), params.getG());
  97             DHPublicKey publicKey =
  98                     (DHPublicKey)kf.generatePublic(spec);
  99 
 100             return new DHECredentials(publicKey, ng);
 101         }
 102     }
 103 
 104     static final class DHEPossession implements NamedGroupPossession {
 105         final PrivateKey privateKey;
 106         final DHPublicKey publicKey;
 107         final NamedGroup namedGroup;
 108 
 109         DHEPossession(NamedGroup namedGroup, SecureRandom random) {
 110             try {
 111                 KeyPairGenerator kpg =
 112                         KeyPairGenerator.getInstance("DiffieHellman");
 113                 DHParameterSpec params =
 114                         (DHParameterSpec)namedGroup.getParameterSpec();
 115                 kpg.initialize(params, random);
 116                 KeyPair kp = generateDHKeyPair(kpg);
 117                 if (kp == null) {
 118                     throw new RuntimeException("Could not generate DH keypair");
 119                 }
 120                 privateKey = kp.getPrivate();
 121                 publicKey = (DHPublicKey)kp.getPublic();
 122             } catch (GeneralSecurityException gse) {
 123                 throw new RuntimeException(
 124                         "Could not generate DH keypair", gse);


 160                 KeyPairGenerator kpg =
 161                         KeyPairGenerator.getInstance("DiffieHellman");
 162                 kpg.initialize(credentials.popPublicKey.getParams(), random);
 163                 KeyPair kp = generateDHKeyPair(kpg);
 164                 if (kp == null) {
 165                     throw new RuntimeException("Could not generate DH keypair");
 166                 }
 167                 privateKey = kp.getPrivate();
 168                 publicKey = (DHPublicKey)kp.getPublic();
 169             } catch (GeneralSecurityException gse) {
 170                 throw new RuntimeException(
 171                         "Could not generate DH keypair", gse);
 172             }
 173 
 174             this.namedGroup = credentials.namedGroup;
 175         }
 176 
 177         // Generate and validate DHPublicKeySpec
 178         private KeyPair generateDHKeyPair(
 179                 KeyPairGenerator kpg) throws GeneralSecurityException {
 180             boolean doExtraValidation =
 181                     (!KeyUtil.isOracleJCEProvider(kpg.getProvider().getName()));
 182             boolean isRecovering = false;
 183             for (int i = 0; i <= 2; i++) {      // Try to recover from failure.
 184                 KeyPair kp = kpg.generateKeyPair();
 185                 // validate the Diffie-Hellman public key
 186                 if (doExtraValidation) {
 187                     DHPublicKeySpec spec = getDHPublicKeySpec(kp.getPublic());
 188                     try {
 189                         KeyUtil.validate(spec);
 190                     } catch (InvalidKeyException ivke) {
 191                         if (isRecovering) {
 192                             throw ivke;
 193                         }
 194                         // otherwise, ignore the exception and try again
 195                         isRecovering = true;
 196                         continue;
 197                     }
 198                 }
 199 
 200                 return kp;
 201             }
 202 
 203             return null;
 204         }
 205 
 206         private static DHPublicKeySpec getDHPublicKeySpec(PublicKey key) {


 217                 // unlikely
 218                 throw new RuntimeException("Unable to get DHPublicKeySpec", e);
 219             }
 220         }
 221 
 222         @Override
 223         public byte[] encode() {
 224             // Note: the DH public value is encoded as a big-endian integer
 225             // and padded to the left with zeros to the size of p in bytes.
 226             byte[] encoded = Utilities.toByteArray(publicKey.getY());
 227             int pSize = (KeyUtil.getKeySize(publicKey) + 7) >>> 3;
 228             if (pSize > 0 && encoded.length < pSize) {
 229                 byte[] buffer = new byte[pSize];
 230                 System.arraycopy(encoded, 0,
 231                         buffer, pSize - encoded.length, encoded.length);
 232                 encoded = buffer;
 233             }
 234 
 235             return encoded;
 236         }
 237 
 238         @Override
 239         public PublicKey getPublicKey() {
 240             return publicKey;
 241         }
 242 
 243         @Override
 244         public NamedGroup getNamedGroup() {
 245             return namedGroup;
 246         }
 247 
 248         @Override
 249         public PrivateKey getPrivateKey() {
 250             return privateKey;
 251         }
 252     }
 253 
 254     private static final class
 255             DHEPossessionGenerator implements SSLPossessionGenerator {
 256         // Flag to use smart ephemeral DH key which size matches the
 257         // corresponding authentication key
 258         private static final boolean useSmartEphemeralDHKeys;
 259 
 260         // Flag to use legacy ephemeral DH key which size is 512 bits for
 261         // exportable cipher suites, and 768 bits for others
 262         private static final boolean useLegacyEphemeralDHKeys;
 263 
 264         // The customized ephemeral DH key size for non-exportable
 265         // cipher suites.
 266         private static final int customizedDHKeySize;
 267 
 268         // Is it for exportable cipher suite?
 269         private final boolean exportable;
 270 
 271         static {


 299                             "Unsupported customized DH key size: " +
 300                             customizedDHKeySize + ". " +
 301                             "The key size must be multiple of 64, " +
 302                             "and range from 1024 to 8192 (inclusive)");
 303                     }
 304                 } catch (NumberFormatException nfe) {
 305                     throw new IllegalArgumentException(
 306                         "Invalid system property jdk.tls.ephemeralDHKeySize");
 307                 }
 308             }
 309         }
 310 
 311         // Prevent instantiation of this class.
 312         private DHEPossessionGenerator(boolean exportable) {
 313             this.exportable = exportable;
 314         }
 315 
 316         // Used for ServerKeyExchange, TLS 1.2 and prior versions.
 317         @Override
 318         public SSLPossession createPossession(HandshakeContext context) {
 319             NamedGroup preferableNamedGroup;
 320             if (!useLegacyEphemeralDHKeys &&
 321                     (context.clientRequestedNamedGroups != null) &&
 322                     (!context.clientRequestedNamedGroups.isEmpty())) {
 323                 preferableNamedGroup =
 324                         SupportedGroups.getPreferredGroup(
 325                                 context.negotiatedProtocol,
 326                                 context.algorithmConstraints,
 327                                 new NamedGroupType [] {
 328                                     NamedGroupType.NAMED_GROUP_FFDHE },
 329                                 context.clientRequestedNamedGroups);
 330                 if (preferableNamedGroup != null) {
 331                     return new DHEPossession(preferableNamedGroup,
 332                                 context.sslContext.getSecureRandom());
 333                 }
 334             }
 335 
 336             /*
 337              * 768 bits ephemeral DH private keys were used to be used in
 338              * ServerKeyExchange except that exportable ciphers max out at 512
 339              * bits modulus values. We still adhere to this behavior in legacy
 340              * mode (system property "jdk.tls.ephemeralDHKeySize" is defined
 341              * as "legacy").
 342              *
 343              * Old JDK (JDK 7 and previous) releases don't support DH keys
 344              * bigger than 1024 bits. We have to consider the compatibility
 345              * requirement. 1024 bits DH key is always used for non-exportable
 346              * cipher suites in default mode (system property
 347              * "jdk.tls.ephemeralDHKeySize" is not defined).
 348              *


 394                         // Old deployed applications may not be ready to
 395                         // support DH key sizes bigger than 2048 bits.  Please
 396                         // DON'T use value other than 1024 and 2048 at present.
 397                         // May improve the underlying providers and key size
 398                         // limit in the future when the compatibility and
 399                         // interoperability impact is limited.
 400                         keySize = ks <= 1024 ? 1024 : 2048;
 401                     } // Otherwise, anonymous cipher suites, 1024-bit is used.
 402                 } else if (customizedDHKeySize > 0) {    // customized mode
 403                     keySize = customizedDHKeySize;
 404                 }
 405             }
 406 
 407             return new DHEPossession(
 408                     keySize, context.sslContext.getSecureRandom());
 409         }
 410     }
 411 
 412     private static final
 413             class DHEKAGenerator implements SSLKeyAgreementGenerator {
 414         private static final DHEKAGenerator instance = new DHEKAGenerator();
 415 
 416         // Prevent instantiation of this class.
 417         private DHEKAGenerator() {
 418             // blank
 419         }
 420 
 421         @Override
 422         public SSLKeyDerivation createKeyDerivation(
 423                 HandshakeContext context) throws IOException {
 424             DHEPossession dhePossession = null;
 425             DHECredentials dheCredentials = null;
 426             for (SSLPossession poss : context.handshakePossessions) {
 427                 if (!(poss instanceof DHEPossession)) {
 428                     continue;
 429                 }
 430 
 431                 DHEPossession dhep = (DHEPossession)poss;
 432                 for (SSLCredentials cred : context.handshakeCredentials) {
 433                     if (!(cred instanceof DHECredentials)) {
 434                         continue;


 444                         DHParameterSpec cps = dhec.popPublicKey.getParams();
 445                         if (pps.getP().equals(cps.getP()) &&
 446                                 pps.getG().equals(cps.getG())) {
 447                             dheCredentials = (DHECredentials)cred;
 448                             break;
 449                         }
 450                     }
 451                 }
 452 
 453                 if (dheCredentials != null) {
 454                     dhePossession = (DHEPossession)poss;
 455                     break;
 456                 }
 457             }
 458 
 459             if (dhePossession == null || dheCredentials == null) {
 460                 throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
 461                     "No sufficient DHE key agreement parameters negotiated");
 462             }
 463 
 464             return new KAKeyDerivation("DiffieHellman", context,
 465                     dhePossession.privateKey, dheCredentials.popPublicKey);





















































































 466         }
 467     }
 468 }


  19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20  *
  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 
  26 package sun.security.ssl;
  27 
  28 import java.io.IOException;
  29 import java.math.BigInteger;
  30 import java.security.GeneralSecurityException;
  31 import java.security.InvalidKeyException;
  32 import java.security.KeyFactory;
  33 import java.security.KeyPair;
  34 import java.security.KeyPairGenerator;
  35 import java.security.NoSuchAlgorithmException;
  36 import java.security.PrivateKey;
  37 import java.security.PublicKey;
  38 import java.security.SecureRandom;
  39 import java.security.spec.AlgorithmParameterSpec;
  40 import java.security.spec.InvalidKeySpecException;
  41 import javax.crypto.KeyAgreement;
  42 import javax.crypto.SecretKey;
  43 import javax.crypto.interfaces.DHPublicKey;
  44 import javax.crypto.spec.DHParameterSpec;
  45 import javax.crypto.spec.DHPublicKeySpec;
  46 import javax.crypto.spec.SecretKeySpec;
  47 import javax.net.ssl.SSLHandshakeException;
  48 import sun.security.action.GetPropertyAction;
  49 import sun.security.ssl.CipherSuite.HashAlg;
  50 import sun.security.ssl.SupportedGroupsExtension.NamedGroup;
  51 import sun.security.ssl.SupportedGroupsExtension.NamedGroupType;
  52 import sun.security.ssl.SupportedGroupsExtension.SupportedGroups;
  53 import sun.security.ssl.X509Authentication.X509Possession;
  54 import sun.security.util.KeyUtil;
  55 
  56 final class DHKeyExchange {
  57     static final SSLPossessionGenerator poGenerator =
  58             new DHEPossessionGenerator(false);
  59     static final SSLPossessionGenerator poExportableGenerator =
  60             new DHEPossessionGenerator(true);
  61     static final SSLKeyAgreementGenerator kaGenerator =
  62             new DHEKAGenerator();
  63 
  64     static final class DHECredentials implements SSLCredentials {
  65         final DHPublicKey popPublicKey;
  66         final NamedGroup namedGroup;
  67 
  68         DHECredentials(DHPublicKey popPublicKey, NamedGroup namedGroup) {
  69             this.popPublicKey = popPublicKey;
  70             this.namedGroup = namedGroup;
  71         }
  72 










  73         static DHECredentials valueOf(NamedGroup ng,
  74             byte[] encodedPublic) throws IOException, GeneralSecurityException {
  75 
  76             if (ng.type != NamedGroupType.NAMED_GROUP_FFDHE) {
  77                 throw new RuntimeException(
  78                         "Credentials decoding:  Not FFDHE named group");
  79             }
  80 
  81             if (encodedPublic == null || encodedPublic.length == 0) {
  82                 return null;
  83             }
  84 
  85             DHParameterSpec params = (DHParameterSpec)ng.getParameterSpec();
  86             if (params == null) {
  87                 return null;
  88             }
  89 
  90             KeyFactory kf = KeyFactory.getInstance("DiffieHellman");
  91             DHPublicKeySpec spec = new DHPublicKeySpec(
  92                     new BigInteger(1, encodedPublic),
  93                     params.getP(), params.getG());
  94             DHPublicKey publicKey =
  95                     (DHPublicKey)kf.generatePublic(spec);
  96 
  97             return new DHECredentials(publicKey, ng);
  98         }
  99     }
 100 
 101     static final class DHEPossession implements SSLPossession {
 102         final PrivateKey privateKey;
 103         final DHPublicKey publicKey;
 104         final NamedGroup namedGroup;
 105 
 106         DHEPossession(NamedGroup namedGroup, SecureRandom random) {
 107             try {
 108                 KeyPairGenerator kpg =
 109                         KeyPairGenerator.getInstance("DiffieHellman");
 110                 DHParameterSpec params =
 111                         (DHParameterSpec)namedGroup.getParameterSpec();
 112                 kpg.initialize(params, random);
 113                 KeyPair kp = generateDHKeyPair(kpg);
 114                 if (kp == null) {
 115                     throw new RuntimeException("Could not generate DH keypair");
 116                 }
 117                 privateKey = kp.getPrivate();
 118                 publicKey = (DHPublicKey)kp.getPublic();
 119             } catch (GeneralSecurityException gse) {
 120                 throw new RuntimeException(
 121                         "Could not generate DH keypair", gse);


 157                 KeyPairGenerator kpg =
 158                         KeyPairGenerator.getInstance("DiffieHellman");
 159                 kpg.initialize(credentials.popPublicKey.getParams(), random);
 160                 KeyPair kp = generateDHKeyPair(kpg);
 161                 if (kp == null) {
 162                     throw new RuntimeException("Could not generate DH keypair");
 163                 }
 164                 privateKey = kp.getPrivate();
 165                 publicKey = (DHPublicKey)kp.getPublic();
 166             } catch (GeneralSecurityException gse) {
 167                 throw new RuntimeException(
 168                         "Could not generate DH keypair", gse);
 169             }
 170 
 171             this.namedGroup = credentials.namedGroup;
 172         }
 173 
 174         // Generate and validate DHPublicKeySpec
 175         private KeyPair generateDHKeyPair(
 176                 KeyPairGenerator kpg) throws GeneralSecurityException {
 177             boolean doExtraValiadtion =
 178                     (!KeyUtil.isOracleJCEProvider(kpg.getProvider().getName()));
 179             boolean isRecovering = false;
 180             for (int i = 0; i <= 2; i++) {      // Try to recover from failure.
 181                 KeyPair kp = kpg.generateKeyPair();
 182                 // validate the Diffie-Hellman public key
 183                 if (doExtraValiadtion) {
 184                     DHPublicKeySpec spec = getDHPublicKeySpec(kp.getPublic());
 185                     try {
 186                         KeyUtil.validate(spec);
 187                     } catch (InvalidKeyException ivke) {
 188                         if (isRecovering) {
 189                             throw ivke;
 190                         }
 191                         // otherwise, ignore the exception and try again
 192                         isRecovering = true;
 193                         continue;
 194                     }
 195                 }
 196 
 197                 return kp;
 198             }
 199 
 200             return null;
 201         }
 202 
 203         private static DHPublicKeySpec getDHPublicKeySpec(PublicKey key) {


 214                 // unlikely
 215                 throw new RuntimeException("Unable to get DHPublicKeySpec", e);
 216             }
 217         }
 218 
 219         @Override
 220         public byte[] encode() {
 221             // Note: the DH public value is encoded as a big-endian integer
 222             // and padded to the left with zeros to the size of p in bytes.
 223             byte[] encoded = Utilities.toByteArray(publicKey.getY());
 224             int pSize = (KeyUtil.getKeySize(publicKey) + 7) >>> 3;
 225             if (pSize > 0 && encoded.length < pSize) {
 226                 byte[] buffer = new byte[pSize];
 227                 System.arraycopy(encoded, 0,
 228                         buffer, pSize - encoded.length, encoded.length);
 229                 encoded = buffer;
 230             }
 231 
 232             return encoded;
 233         }















 234     }
 235 
 236     private static final class
 237             DHEPossessionGenerator implements SSLPossessionGenerator {
 238         // Flag to use smart ephemeral DH key which size matches the
 239         // corresponding authentication key
 240         private static final boolean useSmartEphemeralDHKeys;
 241 
 242         // Flag to use legacy ephemeral DH key which size is 512 bits for
 243         // exportable cipher suites, and 768 bits for others
 244         private static final boolean useLegacyEphemeralDHKeys;
 245 
 246         // The customized ephemeral DH key size for non-exportable
 247         // cipher suites.
 248         private static final int customizedDHKeySize;
 249 
 250         // Is it for exportable cipher suite?
 251         private final boolean exportable;
 252 
 253         static {


 281                             "Unsupported customized DH key size: " +
 282                             customizedDHKeySize + ". " +
 283                             "The key size must be multiple of 64, " +
 284                             "and range from 1024 to 8192 (inclusive)");
 285                     }
 286                 } catch (NumberFormatException nfe) {
 287                     throw new IllegalArgumentException(
 288                         "Invalid system property jdk.tls.ephemeralDHKeySize");
 289                 }
 290             }
 291         }
 292 
 293         // Prevent instantiation of this class.
 294         private DHEPossessionGenerator(boolean exportable) {
 295             this.exportable = exportable;
 296         }
 297 
 298         // Used for ServerKeyExchange, TLS 1.2 and prior versions.
 299         @Override
 300         public SSLPossession createPossession(HandshakeContext context) {
 301             NamedGroup preferableNamedGroup = null;
 302             if (!useLegacyEphemeralDHKeys &&
 303                     (context.clientRequestedNamedGroups != null) &&
 304                     (!context.clientRequestedNamedGroups.isEmpty())) {
 305                 preferableNamedGroup =
 306                         SupportedGroups.getPreferredGroup(
 307                                 context.negotiatedProtocol,
 308                                 context.algorithmConstraints,
 309                                 NamedGroupType.NAMED_GROUP_FFDHE,

 310                                 context.clientRequestedNamedGroups);
 311                 if (preferableNamedGroup != null) {
 312                     return new DHEPossession(preferableNamedGroup,
 313                                 context.sslContext.getSecureRandom());
 314                 }
 315             }
 316 
 317             /*
 318              * 768 bits ephemeral DH private keys were used to be used in
 319              * ServerKeyExchange except that exportable ciphers max out at 512
 320              * bits modulus values. We still adhere to this behavior in legacy
 321              * mode (system property "jdk.tls.ephemeralDHKeySize" is defined
 322              * as "legacy").
 323              *
 324              * Old JDK (JDK 7 and previous) releases don't support DH keys
 325              * bigger than 1024 bits. We have to consider the compatibility
 326              * requirement. 1024 bits DH key is always used for non-exportable
 327              * cipher suites in default mode (system property
 328              * "jdk.tls.ephemeralDHKeySize" is not defined).
 329              *


 375                         // Old deployed applications may not be ready to
 376                         // support DH key sizes bigger than 2048 bits.  Please
 377                         // DON'T use value other than 1024 and 2048 at present.
 378                         // May improve the underlying providers and key size
 379                         // limit in the future when the compatibility and
 380                         // interoperability impact is limited.
 381                         keySize = ks <= 1024 ? 1024 : 2048;
 382                     } // Otherwise, anonymous cipher suites, 1024-bit is used.
 383                 } else if (customizedDHKeySize > 0) {    // customized mode
 384                     keySize = customizedDHKeySize;
 385                 }
 386             }
 387 
 388             return new DHEPossession(
 389                     keySize, context.sslContext.getSecureRandom());
 390         }
 391     }
 392 
 393     private static final
 394             class DHEKAGenerator implements SSLKeyAgreementGenerator {
 395         static private DHEKAGenerator instance = new DHEKAGenerator();
 396 
 397         // Prevent instantiation of this class.
 398         private DHEKAGenerator() {
 399             // blank
 400         }
 401 
 402         @Override
 403         public SSLKeyDerivation createKeyDerivation(
 404                 HandshakeContext context) throws IOException {
 405             DHEPossession dhePossession = null;
 406             DHECredentials dheCredentials = null;
 407             for (SSLPossession poss : context.handshakePossessions) {
 408                 if (!(poss instanceof DHEPossession)) {
 409                     continue;
 410                 }
 411 
 412                 DHEPossession dhep = (DHEPossession)poss;
 413                 for (SSLCredentials cred : context.handshakeCredentials) {
 414                     if (!(cred instanceof DHECredentials)) {
 415                         continue;


 425                         DHParameterSpec cps = dhec.popPublicKey.getParams();
 426                         if (pps.getP().equals(cps.getP()) &&
 427                                 pps.getG().equals(cps.getG())) {
 428                             dheCredentials = (DHECredentials)cred;
 429                             break;
 430                         }
 431                     }
 432                 }
 433 
 434                 if (dheCredentials != null) {
 435                     dhePossession = (DHEPossession)poss;
 436                     break;
 437                 }
 438             }
 439 
 440             if (dhePossession == null || dheCredentials == null) {
 441                 throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
 442                     "No sufficient DHE key agreement parameters negotiated");
 443             }
 444 
 445             return new DHEKAKeyDerivation(context,
 446                     dhePossession.privateKey, dheCredentials.popPublicKey);
 447         }
 448 
 449         private static final
 450                 class DHEKAKeyDerivation implements SSLKeyDerivation {
 451             private final HandshakeContext context;
 452             private final PrivateKey localPrivateKey;
 453             private final PublicKey peerPublicKey;
 454 
 455             DHEKAKeyDerivation(HandshakeContext context,
 456                     PrivateKey localPrivateKey,
 457                     PublicKey peerPublicKey) {
 458                 this.context = context;
 459                 this.localPrivateKey = localPrivateKey;
 460                 this.peerPublicKey = peerPublicKey;
 461             }
 462 
 463             @Override
 464             public SecretKey deriveKey(String algorithm,
 465                     AlgorithmParameterSpec params) throws IOException {
 466                 if (!context.negotiatedProtocol.useTLS13PlusSpec()) {
 467                     return t12DeriveKey(algorithm, params);
 468                 } else {
 469                     return t13DeriveKey(algorithm, params);
 470                 }
 471             }
 472 
 473             private SecretKey t12DeriveKey(String algorithm,
 474                     AlgorithmParameterSpec params) throws IOException {
 475                 try {
 476                     KeyAgreement ka = KeyAgreement.getInstance("DiffieHellman");
 477                     ka.init(localPrivateKey);
 478                     ka.doPhase(peerPublicKey, true);
 479                     SecretKey preMasterSecret =
 480                             ka.generateSecret("TlsPremasterSecret");
 481                     SSLMasterKeyDerivation mskd =
 482                             SSLMasterKeyDerivation.valueOf(
 483                                     context.negotiatedProtocol);
 484                     if (mskd == null) {
 485                         // unlikely
 486                         throw new SSLHandshakeException(
 487                             "No expected master key derivation for protocol: " +
 488                             context.negotiatedProtocol.name);
 489                     }
 490                     SSLKeyDerivation kd = mskd.createKeyDerivation(
 491                             context, preMasterSecret);
 492                     return kd.deriveKey("MasterSecret", params);
 493                 } catch (GeneralSecurityException gse) {
 494                     throw (SSLHandshakeException) new SSLHandshakeException(
 495                         "Could not generate secret").initCause(gse);
 496                 }
 497             }
 498 
 499             private SecretKey t13DeriveKey(String algorithm,
 500                     AlgorithmParameterSpec params) throws IOException {
 501                 try {
 502                     KeyAgreement ka = KeyAgreement.getInstance("DiffieHellman");
 503                     ka.init(localPrivateKey);
 504                     ka.doPhase(peerPublicKey, true);
 505                     SecretKey sharedSecret =
 506                             ka.generateSecret("TlsPremasterSecret");
 507 
 508                     HashAlg hashAlg = context.negotiatedCipherSuite.hashAlg;
 509                     SSLKeyDerivation kd = context.handshakeKeyDerivation;
 510                     HKDF hkdf = new HKDF(hashAlg.name);
 511                     if (kd == null) {   // No PSK is in use.
 512                         // If PSK is not in use Early Secret will still be
 513                         // HKDF-Extract(0, 0).
 514                         byte[] zeros = new byte[hashAlg.hashLength];
 515                         SecretKeySpec ikm =
 516                                 new SecretKeySpec(zeros, "TlsPreSharedSecret");
 517                         SecretKey earlySecret =
 518                                 hkdf.extract(zeros, ikm, "TlsEarlySecret");
 519                         kd = new SSLSecretDerivation(context, earlySecret);
 520                     }
 521 
 522                     // derive salt secret
 523                     SecretKey saltSecret = kd.deriveKey("TlsSaltSecret", null);
 524 
 525                     // derive handshake secret
 526                     return hkdf.extract(saltSecret, sharedSecret, algorithm);
 527                 } catch (GeneralSecurityException gse) {
 528                     throw (SSLHandshakeException) new SSLHandshakeException(
 529                         "Could not generate secret").initCause(gse);
 530                 }
 531             }
 532         }
 533     }
 534 }
< prev index next >