< prev index next >

src/java.base/share/classes/sun/security/ssl/KeyShareExtension.java

Print this page

        

*** 1,7 **** /* ! * Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. Oracle designates this --- 1,7 ---- /* ! * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. Oracle designates this
*** 25,47 **** --- 25,55 ---- package sun.security.ssl; import java.io.IOException; import java.nio.ByteBuffer; + import java.security.CryptoPrimitive; import java.security.GeneralSecurityException; import java.text.MessageFormat; import java.util.Arrays; import java.util.Collections; + import java.util.EnumSet; import java.util.LinkedList; import java.util.List; import java.util.Locale; import java.util.Map; import javax.net.ssl.SSLProtocolException; + import sun.security.ssl.DHKeyExchange.DHECredentials; + import sun.security.ssl.DHKeyExchange.DHEPossession; + import sun.security.ssl.ECDHKeyExchange.ECDHECredentials; + import sun.security.ssl.ECDHKeyExchange.ECDHEPossession; import sun.security.ssl.KeyShareExtension.CHKeyShareSpec; import sun.security.ssl.SSLExtension.ExtensionConsumer; import sun.security.ssl.SSLExtension.SSLExtensionSpec; import sun.security.ssl.SSLHandshake.HandshakeMessage; + import sun.security.ssl.SupportedGroupsExtension.NamedGroup; + import sun.security.ssl.SupportedGroupsExtension.NamedGroupType; import sun.security.ssl.SupportedGroupsExtension.SupportedGroups; import sun.security.util.HexDumpEncoder; /** * Pack of the "key_share" extensions.
*** 254,264 **** SSLPossession[] poses = ke.createPossessions(chc); for (SSLPossession pos : poses) { // update the context chc.handshakePossessions.add(pos); ! if (!(pos instanceof NamedGroupPossession)) { // May need more possesion types in the future. continue; } keyShares.add(new KeyShareEntry(ng.id, pos.encode())); --- 262,273 ---- SSLPossession[] poses = ke.createPossessions(chc); for (SSLPossession pos : poses) { // update the context chc.handshakePossessions.add(pos); ! if (!(pos instanceof ECDHEPossession) && ! !(pos instanceof DHEPossession)) { // May need more possesion types in the future. continue; } keyShares.add(new KeyShareEntry(ng.id, pos.encode()));
*** 342,363 **** NamedGroup.nameOf(entry.namedGroupId)); } continue; } ! try { ! SSLCredentials kaCred = ! ng.decodeCredentials(entry.keyExchange, ! shc.algorithmConstraints, ! s -> SSLLogger.warning(s)); ! if (kaCred != null) { ! credentials.add(kaCred); } - } catch (GeneralSecurityException ex) { - SSLLogger.warning( - "Cannot decode named group: " + - NamedGroup.nameOf(entry.namedGroupId)); } } if (!credentials.isEmpty()) { shc.handshakeCredentials.addAll(credentials); --- 351,400 ---- NamedGroup.nameOf(entry.namedGroupId)); } continue; } ! if (ng.type == NamedGroupType.NAMED_GROUP_ECDHE) { ! try { ! ECDHECredentials ecdhec = ! ECDHECredentials.valueOf(ng, entry.keyExchange); ! if (ecdhec != null) { ! if (!shc.algorithmConstraints.permits( ! EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), ! ecdhec.popPublicKey)) { ! SSLLogger.warning( ! "ECDHE key share entry does not " + ! "comply to algorithm constraints"); ! } else { ! credentials.add(ecdhec); ! } ! } ! } catch (IOException | GeneralSecurityException ex) { ! SSLLogger.warning( ! "Cannot decode named group: " + ! NamedGroup.nameOf(entry.namedGroupId)); ! } ! } else if (ng.type == NamedGroupType.NAMED_GROUP_FFDHE) { ! try { ! DHECredentials dhec = ! DHECredentials.valueOf(ng, entry.keyExchange); ! if (dhec != null) { ! if (!shc.algorithmConstraints.permits( ! EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), ! dhec.popPublicKey)) { ! SSLLogger.warning( ! "DHE key share entry does not " + ! "comply to algorithm constraints"); ! } else { ! credentials.add(dhec); ! } ! } ! } catch (IOException | GeneralSecurityException ex) { ! SSLLogger.warning( ! "Cannot decode named group: " + ! NamedGroup.nameOf(entry.namedGroupId)); } } } if (!credentials.isEmpty()) { shc.handshakeCredentials.addAll(credentials);
*** 487,499 **** } KeyShareEntry keyShare = null; for (SSLCredentials cd : shc.handshakeCredentials) { NamedGroup ng = null; ! if (cd instanceof NamedGroupCredentials) { ! NamedGroupCredentials creds = (NamedGroupCredentials)cd; ! ng = creds.getNamedGroup(); } if (ng == null) { continue; } --- 524,537 ---- } KeyShareEntry keyShare = null; for (SSLCredentials cd : shc.handshakeCredentials) { NamedGroup ng = null; ! if (cd instanceof ECDHECredentials) { ! ng = ((ECDHECredentials)cd).namedGroup; ! } else if (cd instanceof DHECredentials) { ! ng = ((DHECredentials)cd).namedGroup; } if (ng == null) { continue; }
*** 507,517 **** continue; } SSLPossession[] poses = ke.createPossessions(shc); for (SSLPossession pos : poses) { ! if (!(pos instanceof NamedGroupPossession)) { // May need more possesion types in the future. continue; } // update the context --- 545,556 ---- continue; } SSLPossession[] poses = ke.createPossessions(shc); for (SSLPossession pos : poses) { ! if (!(pos instanceof ECDHEPossession) && ! !(pos instanceof DHEPossession)) { // May need more possesion types in the future. continue; } // update the context
*** 526,536 **** ke.getHandshakeProducers(shc)) { shc.handshakeProducers.put( me.getKey(), me.getValue()); } ! // We have got one! Don't forget to break. break; } } if (keyShare == null) { --- 565,575 ---- ke.getHandshakeProducers(shc)) { shc.handshakeProducers.put( me.getKey(), me.getValue()); } ! // We have got one! Don't forgor to break. break; } } if (keyShare == null) {
*** 602,621 **** throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, "No key exchange for named group " + ng.name); } SSLCredentials credentials = null; ! try { ! SSLCredentials kaCred = ng.decodeCredentials( ! keyShare.keyExchange, chc.algorithmConstraints, ! s -> chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, s)); ! if (kaCred != null) { ! credentials = kaCred; } ! } catch (GeneralSecurityException ex) { throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ! "Cannot decode named group: " + NamedGroup.nameOf(keyShare.namedGroupId)); } if (credentials == null) { throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, --- 641,693 ---- throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, "No key exchange for named group " + ng.name); } SSLCredentials credentials = null; ! if (ng.type == NamedGroupType.NAMED_GROUP_ECDHE) { ! try { ! ECDHECredentials ecdhec = ! ECDHECredentials.valueOf(ng, keyShare.keyExchange); ! if (ecdhec != null) { ! if (!chc.algorithmConstraints.permits( ! EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), ! ecdhec.popPublicKey)) { ! throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ! "ECDHE key share entry does not " + ! "comply to algorithm constraints"); ! } else { ! credentials = ecdhec; ! } ! } ! } catch (IOException | GeneralSecurityException ex) { ! throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ! "Cannot decode named group: " + ! NamedGroup.nameOf(keyShare.namedGroupId)); } ! } else if (ng.type == NamedGroupType.NAMED_GROUP_FFDHE) { ! try { ! DHECredentials dhec = ! DHECredentials.valueOf(ng, keyShare.keyExchange); ! if (dhec != null) { ! if (!chc.algorithmConstraints.permits( ! EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), ! dhec.popPublicKey)) { ! throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ! "DHE key share entry does not " + ! "comply to algorithm constraints"); ! } else { ! credentials = dhec; ! } ! } ! } catch (IOException | GeneralSecurityException ex) { ! throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ! "Cannot decode named group: " + ! NamedGroup.nameOf(keyShare.namedGroupId)); ! } ! } else { throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ! "Unsupported named group: " + NamedGroup.nameOf(keyShare.namedGroupId)); } if (credentials == null) { throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
< prev index next >