Google Git
Sign in
code / edge / openjdk / jdk8u111-b09 / . / jdk / src / share / classes / sun / security / ssl / DHCrypt.java
blob: 4fd224beec71d7c3f12e97100b9f300641f627cd [file] [log] [blame]
/*
* Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package sun.security.ssl;
import java.util.Map;
import java.util.HashMap;
import java.util.Collections;
import java.util.regex.Pattern;
import java.util.regex.Matcher;
import java.math.BigInteger;
import java.security.*;
import java.io.IOException;
import javax.net.ssl.SSLHandshakeException;
import javax.crypto.SecretKey;
import javax.crypto.KeyAgreement;
import javax.crypto.interfaces.DHPublicKey;
import javax.crypto.spec.*;
import java.util.EnumSet;
import sun.security.util.KeyUtil;
/**
* This class implements the Diffie-Hellman key exchange algorithm.
* D-H means combining your private key with your partners public key to
* generate a number. The peer does the same with its private key and our
* public key. Through the magic of Diffie-Hellman we both come up with the
* same number. This number is secret (discounting MITM attacks) and hence
* called the shared secret. It has the same length as the modulus, e.g. 512
* or 1024 bit. Man-in-the-middle attacks are typically countered by an
* independent authentication step using certificates (RSA, DSA, etc.).
*
* The thing to note is that the shared secret is constant for two partners
* with constant private keys. This is often not what we want, which is why
* it is generally a good idea to create a new private key for each session.
* Generating a private key involves one modular exponentiation assuming
* suitable D-H parameters are available.
*
* General usage of this class (TLS DHE case):
* . if we are server, call DHCrypt(keyLength,random). This generates
* an ephemeral keypair of the request length.
* . if we are client, call DHCrypt(modulus, base, random). This
* generates an ephemeral keypair using the parameters specified by
* the server.
* . send parameters and public value to remote peer
* . receive peers ephemeral public key
* . call getAgreedSecret() to calculate the shared secret
*
* In TLS the server chooses the parameter values itself, the client must use
* those sent to it by the server.
*
* The use of ephemeral keys as described above also achieves what is called
* "forward secrecy". This means that even if the authentication keys are
* broken at a later date, the shared secret remains secure. The session is
* compromised only if the authentication keys are already broken at the
* time the key exchange takes place and an active MITM attack is used.
* This is in contrast to straightforward encrypting RSA key exchanges.
*
* @author David Brownell
*/
final class DHCrypt {
// group parameters (prime modulus and generator)
private BigInteger modulus; // P (aka N)
private BigInteger base; // G (aka alpha)
// our private key (including private component x)
private PrivateKey privateKey;
// public component of our key, X = (g ^ x) mod p
private BigInteger publicValue; // X (aka y)
// the times to recove from failure if public key validation
private static int MAX_FAILOVER_TIMES = 2;
/**
* Generate a Diffie-Hellman keypair of the specified size.
*/
DHCrypt(int keyLength, SecureRandom random) {
this(keyLength,
ParametersHolder.definedParams.get(keyLength), random);
}
/**
* Generate a Diffie-Hellman keypair using the specified parameters.
*
* @param modulus the Diffie-Hellman modulus P
* @param base the Diffie-Hellman base G
*/
DHCrypt(BigInteger modulus, BigInteger base, SecureRandom random) {
this(modulus.bitLength(),
new DHParameterSpec(modulus, base), random);
}
/**
* Generate a Diffie-Hellman keypair using the specified size and
* parameters.
*/
private DHCrypt(int keyLength,
DHParameterSpec params, SecureRandom random) {
try {
KeyPairGenerator kpg = JsseJce.getKeyPairGenerator("DiffieHellman");
if (params != null) {
kpg.initialize(params, random);
} else {
kpg.initialize(keyLength, random);
}
DHPublicKeySpec spec = generateDHPublicKeySpec(kpg);
if (spec == null) {
throw new RuntimeException("Could not generate DH keypair");
}
publicValue = spec.getY();
modulus = spec.getP();
base = spec.getG();
} catch (GeneralSecurityException e) {
throw new RuntimeException("Could not generate DH keypair", e);
}
}
static DHPublicKeySpec getDHPublicKeySpec(PublicKey key) {
if (key instanceof DHPublicKey) {
DHPublicKey dhKey = (DHPublicKey)key;
DHParameterSpec params = dhKey.getParams();
return new DHPublicKeySpec(dhKey.getY(),
params.getP(), params.getG());
}
try {
KeyFactory factory = JsseJce.getKeyFactory("DH");
return factory.getKeySpec(key, DHPublicKeySpec.class);
} catch (Exception e) {
throw new RuntimeException(e);
}
}
/** Returns the Diffie-Hellman modulus. */
BigInteger getModulus() {
return modulus;
}
/** Returns the Diffie-Hellman base (generator). */
BigInteger getBase() {
return base;
}
/**
* Gets the public key of this end of the key exchange.
*/
BigInteger getPublicKey() {
return publicValue;
}
/**
* Get the secret data that has been agreed on through Diffie-Hellman
* key agreement protocol. Note that in the two party protocol, if
* the peer keys are already known, no other data needs to be sent in
* order to agree on a secret. That is, a secured message may be
* sent without any mandatory round-trip overheads.
*
* <P>It is illegal to call this member function if the private key
* has not been set (or generated).
*
* @param peerPublicKey the peer's public key.
* @param keyIsValidated whether the {@code peerPublicKey} has beed
* validated
* @return the secret, which is an unsigned big-endian integer
* the same size as the Diffie-Hellman modulus.
*/
SecretKey getAgreedSecret(BigInteger peerPublicValue,
boolean keyIsValidated) throws SSLHandshakeException {
try {
KeyFactory kf = JsseJce.getKeyFactory("DiffieHellman");
DHPublicKeySpec spec =
new DHPublicKeySpec(peerPublicValue, modulus, base);
PublicKey publicKey = kf.generatePublic(spec);
KeyAgreement ka = JsseJce.getKeyAgreement("DiffieHellman");
// validate the Diffie-Hellman public key
if (!keyIsValidated &&
!KeyUtil.isOracleJCEProvider(ka.getProvider().getName())) {
try {
KeyUtil.validate(spec);
} catch (InvalidKeyException ike) {
// prefer handshake_failure alert to internal_error alert
throw new SSLHandshakeException(ike.getMessage());
}
}
ka.init(privateKey);
ka.doPhase(publicKey, true);
return ka.generateSecret("TlsPremasterSecret");
} catch (GeneralSecurityException e) {
throw (SSLHandshakeException) new SSLHandshakeException(
"Could not generate secret").initCause(e);
}
}
// Check constraints of the specified DH public key.
void checkConstraints(AlgorithmConstraints constraints,
BigInteger peerPublicValue) throws SSLHandshakeException {
try {
KeyFactory kf = JsseJce.getKeyFactory("DiffieHellman");
DHPublicKeySpec spec =
new DHPublicKeySpec(peerPublicValue, modulus, base);
DHPublicKey publicKey = (DHPublicKey)kf.generatePublic(spec);
// check constraints of DHPublicKey
if (!constraints.permits(
EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), publicKey)) {
throw new SSLHandshakeException(
"DHPublicKey does not comply to algorithm constraints");
}
} catch (GeneralSecurityException gse) {
throw (SSLHandshakeException) new SSLHandshakeException(
"Could not generate DHPublicKey").initCause(gse);
}
}
// Generate and validate DHPublicKeySpec
private DHPublicKeySpec generateDHPublicKeySpec(KeyPairGenerator kpg)
throws GeneralSecurityException {
boolean doExtraValiadtion =
(!KeyUtil.isOracleJCEProvider(kpg.getProvider().getName()));
for (int i = 0; i <= MAX_FAILOVER_TIMES; i++) {
KeyPair kp = kpg.generateKeyPair();
privateKey = kp.getPrivate();
DHPublicKeySpec spec = getDHPublicKeySpec(kp.getPublic());
// validate the Diffie-Hellman public key
if (doExtraValiadtion) {
try {
KeyUtil.validate(spec);
} catch (InvalidKeyException ivke) {
if (i == MAX_FAILOVER_TIMES) {
throw ivke;
}
// otherwise, ignore the exception and try the next one
continue;
}
}
return spec;
}
return null;
}
// lazy initialization holder class idiom for static default parameters
//
// See Effective Java Second Edition: Item 71.
private static class ParametersHolder {
private final static boolean debugIsOn =
(Debug.getInstance("ssl") != null) && Debug.isOn("sslctx");
//
// Default DH ephemeral parameters
//
private static final BigInteger g2 = BigInteger.valueOf(2);
private static final BigInteger p512 = new BigInteger( // generated
"D87780E15FF50B4ABBE89870188B049406B5BEA98AB23A02" +
"41D88EA75B7755E669C08093D3F0CA7FC3A5A25CF067DCB9" +
"A43DD89D1D90921C6328884461E0B6D3", 16);
private static final BigInteger p768 = new BigInteger( // RFC 2409
"FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" +
"29024E088A67CC74020BBEA63B139B22514A08798E3404DD" +
"EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" +
"E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16);
private static final BigInteger p1024 = new BigInteger( // RFC 2409
"FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" +
"29024E088A67CC74020BBEA63B139B22514A08798E3404DD" +
"EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" +
"E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" +
"EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381" +
"FFFFFFFFFFFFFFFF", 16);
private static final BigInteger p2048 = new BigInteger( // TLS FEDHE
"FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1" +
"D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF9" +
"7D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD6561" +
"2433F51F5F066ED0856365553DED1AF3B557135E7F57C935" +
"984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE735" +
"30ACCA4F483A797ABC0AB182B324FB61D108A94BB2C8E3FB" +
"B96ADAB760D7F4681D4F42A3DE394DF4AE56EDE76372BB19" +
"0B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F61" +
"9172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD73" +
"3BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA" +
"886B423861285C97FFFFFFFFFFFFFFFF", 16);
private static final BigInteger[] supportedPrimes = {
p512, p768, p1024, p2048};
// a measure of the uncertainty that prime modulus p is not a prime
//
// see BigInteger.isProbablePrime(int certainty)
private final static int PRIME_CERTAINTY = 120;
// the known security property, jdk.tls.server.defaultDHEParameters
private final static String PROPERTY_NAME =
"jdk.tls.server.defaultDHEParameters";
private static final Pattern spacesPattern = Pattern.compile("\\s+");
private final static Pattern syntaxPattern = Pattern.compile(
"(\\{[0-9A-Fa-f]+,[0-9A-Fa-f]+\\})" +
"(,\\{[0-9A-Fa-f]+,[0-9A-Fa-f]+\\})*");
private static final Pattern paramsPattern = Pattern.compile(
"\\{([0-9A-Fa-f]+),([0-9A-Fa-f]+)\\}");
// cache of predefined default DH ephemeral parameters
private final static Map<Integer,DHParameterSpec> definedParams;
static {
String property = AccessController.doPrivileged(
new PrivilegedAction<String>() {
public String run() {
return Security.getProperty(PROPERTY_NAME);
}
});
if (property != null && !property.isEmpty()) {
// remove double quote marks from beginning/end of the property
if (property.length() >= 2 && property.charAt(0) == '"' &&
property.charAt(property.length() - 1) == '"') {
property = property.substring(1, property.length() - 1);
}
property = property.trim();
}
if (property != null && !property.isEmpty()) {
Matcher spacesMatcher = spacesPattern.matcher(property);
property = spacesMatcher.replaceAll("");
if (debugIsOn) {
System.out.println("The Security Property " +
PROPERTY_NAME + ": " + property);
}
}
Map<Integer,DHParameterSpec> defaultParams = new HashMap<>();
if (property != null && !property.isEmpty()) {
Matcher syntaxMatcher = syntaxPattern.matcher(property);
if (syntaxMatcher.matches()) {
Matcher paramsFinder = paramsPattern.matcher(property);
while(paramsFinder.find()) {
String primeModulus = paramsFinder.group(1);
BigInteger p = new BigInteger(primeModulus, 16);
if (!p.isProbablePrime(PRIME_CERTAINTY)) {
if (debugIsOn) {
System.out.println(
"Prime modulus p in Security Property, " +
PROPERTY_NAME + ", is not a prime: " +
primeModulus);
}
continue;
}
String baseGenerator = paramsFinder.group(2);
BigInteger g = new BigInteger(baseGenerator, 16);
DHParameterSpec spec = new DHParameterSpec(p, g);
int primeLen = p.bitLength();
defaultParams.put(primeLen, spec);
}
} else if (debugIsOn) {
System.out.println("Invalid Security Property, " +
PROPERTY_NAME + ", definition");
}
}
for (BigInteger p : supportedPrimes) {
int primeLen = p.bitLength();
defaultParams.putIfAbsent(primeLen, new DHParameterSpec(p, g2));
}
definedParams =
Collections.<Integer,DHParameterSpec>unmodifiableMap(
defaultParams);
}
}
}