/*
* Get the active protocol versions.
*
* In TLS 1.1, many weak or vulnerable cipher suites were obsoleted,
* such as TLS_RSA_EXPORT_WITH_RC4_40_MD5. The implementation MUST NOT
* negotiate these cipher suites in TLS 1.1 or later mode.
*
* For example, if "TLS_RSA_EXPORT_WITH_RC4_40_MD5" is the
* only enabled cipher suite, the client cannot request TLS 1.1 or
* later, even though TLS 1.1 or later is enabled. We need to create a
* subset of the enabled protocols, called the active protocols, which
* contains protocols appropriate to the list of enabled Ciphersuites.
*
* Return empty list instead of null if no active protocol versions.
*/
ProtocolList getActiveProtocols() {
if (activeProtocols == null) {
ArrayList<ProtocolVersion> protocols = new ArrayList<>(4);
for (ProtocolVersion protocol : enabledProtocols.collection()) {
boolean found = false;
for (CipherSuite suite : enabledCipherSuites.collection()) {
if (suite.isAvailable()
&& suite.obsoleted > protocol.v
&& suite.supported <= protocol.v) {
if (algorithmConstraints.permits(
EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), suite.name, null)) {
protocols.add(protocol);
found = true;
break;
} else if (debug != null && Debug.isOn("verbose")) {
System.out.println("Ignoring disabled cipher suite: " + suite + " for " + protocol);
}
} else if (debug != null && Debug.isOn("verbose")) {
System.out.println("Ignoring unsupported cipher suite: " + suite + " for " + protocol);
}
}
if (!found && (debug != null) && Debug.isOn("handshake")) {
System.out.println("No available cipher suite for " + protocol);
}
}
activeProtocols = new ProtocolList(protocols);
}
return activeProtocols;
}
/*
* Sends a change cipher spec message and updates the write side
* cipher state so that future messages use the just-negotiated spec.
*/
void sendChangeCipherSpec(Finished mesg, boolean lastMessage) throws IOException {
output.flush(); // i.e. handshake data
/*
* The write cipher state is protected by the connection write lock
* so we must grab it while making the change. We also
* make sure no writes occur between sending the ChangeCipherSpec
* message, installing the new cipher state, and sending the
* Finished message.
*
* We already hold SSLEngine/SSLSocket "this" by virtue
* of this being called from the readRecord code.
*/
OutputRecord r;
if (conn != null) {
r = new OutputRecord(Record.ct_change_cipher_spec);
} else {
r = new EngineOutputRecord(Record.ct_change_cipher_spec, engine);
}
r.setVersion(protocolVersion);
r.write(1); // single byte of data
if (conn != null) {
conn.writeLock.lock();
try {
conn.writeRecord(r);
conn.changeWriteCiphers();
if (debug != null && Debug.isOn("handshake")) {
mesg.print(System.out);
}
mesg.write(output);
output.flush();
} finally {
conn.writeLock.unlock();
}
} else {
synchronized (engine.writeLock) {
engine.writeRecord((EngineOutputRecord) r);
engine.changeWriteCiphers();
if (debug != null && Debug.isOn("handshake")) {
mesg.print(System.out);
}
mesg.write(output);
if (lastMessage) {
output.setFinishedMsg();
}
output.flush();
}
}
}
/**
* Get the active cipher suites.
*
* <p>In TLS 1.1, many weak or vulnerable cipher suites were obsoleted, such as
* TLS_RSA_EXPORT_WITH_RC4_40_MD5. The implementation MUST NOT negotiate these cipher suites in
* TLS 1.1 or later mode.
*
* <p>Therefore, when the active protocols only include TLS 1.1 or later, the client cannot
* request to negotiate those obsoleted cipher suites. That is, the obsoleted suites should not be
* included in the client hello. So we need to create a subset of the enabled cipher suites, the
* active cipher suites, which does not contain obsoleted cipher suites of the minimum active
* protocol.
*
* <p>Return empty list instead of null if no active cipher suites.
*/
CipherSuiteList getActiveCipherSuites() {
if (activeCipherSuites == null) {
if (activeProtocols == null) {
activeProtocols = getActiveProtocols();
}
ArrayList<CipherSuite> suites = new ArrayList<>();
if (!(activeProtocols.collection().isEmpty())
&& activeProtocols.min.v != ProtocolVersion.NONE.v) {
for (CipherSuite suite : enabledCipherSuites.collection()) {
if (suite.obsoleted > activeProtocols.min.v && suite.supported <= activeProtocols.max.v) {
if (algorithmConstraints.permits(
EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), suite.name, null)) {
suites.add(suite);
}
} else if (debug != null && Debug.isOn("verbose")) {
if (suite.obsoleted <= activeProtocols.min.v) {
System.out.println("Ignoring obsoleted cipher suite: " + suite);
} else {
System.out.println("Ignoring unsupported cipher suite: " + suite);
}
}
}
}
activeCipherSuites = new CipherSuiteList(suites);
}
return activeCipherSuites;
}
private void init(
SSLContextImpl context,
ProtocolList enabledProtocols,
boolean needCertVerify,
boolean isClient,
ProtocolVersion activeProtocolVersion,
boolean isInitialHandshake,
boolean secureRenegotiation,
byte[] clientVerifyData,
byte[] serverVerifyData) {
if (debug != null && Debug.isOn("handshake")) {
System.out.println(
"Allow unsafe renegotiation: "
+ allowUnsafeRenegotiation
+ "\nAllow legacy hello messages: "
+ allowLegacyHelloMessages
+ "\nIs initial handshake: "
+ isInitialHandshake
+ "\nIs secure renegotiation: "
+ secureRenegotiation);
}
this.sslContext = context;
this.isClient = isClient;
this.needCertVerify = needCertVerify;
this.activeProtocolVersion = activeProtocolVersion;
this.isInitialHandshake = isInitialHandshake;
this.secureRenegotiation = secureRenegotiation;
this.clientVerifyData = clientVerifyData;
this.serverVerifyData = serverVerifyData;
enableNewSession = true;
invalidated = false;
setCipherSuite(CipherSuite.C_NULL);
setEnabledProtocols(enabledProtocols);
if (conn != null) {
algorithmConstraints = new SSLAlgorithmConstraints(conn, true);
} else { // engine != null
algorithmConstraints = new SSLAlgorithmConstraints(engine, true);
}
//
// In addition to the connection state machine, controlling
// how the connection deals with the different sorts of records
// that get sent (notably handshake transitions!), there's
// also a handshaking state machine that controls message
// sequencing.
//
// It's a convenient artifact of the protocol that this can,
// with only a couple of minor exceptions, be driven by the
// type constant for the last message seen: except for the
// client's cert verify, those constants are in a convenient
// order to drastically simplify state machine checking.
//
state = -2; // initialized but not activated
}
/*
* Verify the signature of the OCSP response.
* The responder's cert is implicitly trusted.
*/
private boolean verifySignature(X509Certificate cert) throws CertPathValidatorException {
try {
Signature respSignature = Signature.getInstance(sigAlgId.getName());
respSignature.initVerify(cert.getPublicKey());
respSignature.update(tbsResponseData);
if (respSignature.verify(signature)) {
if (debug != null) {
debug.println("Verified signature of OCSP Response");
}
return true;
} else {
if (debug != null) {
debug.println("Error verifying signature of OCSP Response");
}
return false;
}
} catch (InvalidKeyException | NoSuchAlgorithmException | SignatureException e) {
throw new CertPathValidatorException(e);
}
}
/*
* Used to kickstart the negotiation ... either writing a
* ClientHello or a HelloRequest as appropriate, whichever
* the subclass returns. NOP if handshaking's already started.
*/
void kickstart() throws IOException {
if (state >= 0) {
return;
}
HandshakeMessage m = getKickstartMessage();
if (debug != null && Debug.isOn("handshake")) {
m.print(System.out);
}
m.write(output);
output.flush();
state = m.messageType();
}
/**
* Handshaker ... processes handshake records from an SSL V3.0 data stream, handling all the details
* of the handshake protocol.
*
* <p>Note that the real protocol work is done in two subclasses, the base class just provides the
* control flow and key generation framework.
*
* @author David Brownell
*/
abstract class Handshaker {
// protocol version being established using this Handshaker
ProtocolVersion protocolVersion;
// the currently active protocol version during a renegotiation
ProtocolVersion activeProtocolVersion;
// security parameters for secure renegotiation.
boolean secureRenegotiation;
byte[] clientVerifyData;
byte[] serverVerifyData;
// Is it an initial negotiation or a renegotiation?
boolean isInitialHandshake;
// List of enabled protocols
private ProtocolList enabledProtocols;
// List of enabled CipherSuites
private CipherSuiteList enabledCipherSuites;
// The endpoint identification protocol
String identificationProtocol;
// The cryptographic algorithm constraints
private AlgorithmConstraints algorithmConstraints = null;
// Local supported signature and algorithms
Collection<SignatureAndHashAlgorithm> localSupportedSignAlgs;
// Peer supported signature and algorithms
Collection<SignatureAndHashAlgorithm> peerSupportedSignAlgs;
/*
/*
* List of active protocols
*
* Active protocols is a subset of enabled protocols, and will
* contain only those protocols that have vaild cipher suites
* enabled.
*/
private ProtocolList activeProtocols;
/*
* List of active cipher suites
*
* Active cipher suites is a subset of enabled cipher suites, and will
* contain only those cipher suites available for the active protocols.
*/
private CipherSuiteList activeCipherSuites;
private boolean isClient;
private boolean needCertVerify;
SSLSocketImpl conn = null;
SSLEngineImpl engine = null;
HandshakeHash handshakeHash;
HandshakeInStream input;
HandshakeOutStream output;
int state;
SSLContextImpl sslContext;
RandomCookie clnt_random, svr_random;
SSLSessionImpl session;
// current CipherSuite. Never null, initially SSL_NULL_WITH_NULL_NULL
CipherSuite cipherSuite;
// current key exchange. Never null, initially K_NULL
KeyExchange keyExchange;
/* True if this session is being resumed (fast handshake) */
boolean resumingSession;
/* True if it's OK to start a new SSL session */
boolean enableNewSession;
// Temporary storage for the individual keys. Set by
// calculateConnectionKeys() and cleared once the ciphers are
// activated.
private SecretKey clntWriteKey, svrWriteKey;
private IvParameterSpec clntWriteIV, svrWriteIV;
private SecretKey clntMacSecret, svrMacSecret;
/*
* Delegated task subsystem data structures.
*
* If thrown is set, we need to propagate this back immediately
* on entry into processMessage().
*
* Data is protected by the SSLEngine.this lock.
*/
private volatile boolean taskDelegated = false;
private volatile DelegatedTask delegatedTask = null;
private volatile Exception thrown = null;
// Could probably use a java.util.concurrent.atomic.AtomicReference
// here instead of using this lock. Consider changing.
private Object thrownLock = new Object();
/* Class and subclass dynamic debugging support */
static final Debug debug = Debug.getInstance("ssl");
// By default, disable the unsafe legacy session renegotiation
static final boolean allowUnsafeRenegotiation =
Debug.getBooleanProperty("sun.security.ssl.allowUnsafeRenegotiation", false);
// For maximum interoperability and backward compatibility, RFC 5746
// allows server (or client) to accept ClientHello (or ServerHello)
// message without the secure renegotiation_info extension or SCSV.
//
// For maximum security, RFC 5746 also allows server (or client) to
// reject such message with a fatal "handshake_failure" alert.
//
// By default, allow such legacy hello messages.
static final boolean allowLegacyHelloMessages =
Debug.getBooleanProperty("sun.security.ssl.allowLegacyHelloMessages", true);
// need to dispose the object when it is invalidated
boolean invalidated;
Handshaker(
SSLSocketImpl c,
SSLContextImpl context,
ProtocolList enabledProtocols,
boolean needCertVerify,
boolean isClient,
ProtocolVersion activeProtocolVersion,
boolean isInitialHandshake,
boolean secureRenegotiation,
byte[] clientVerifyData,
byte[] serverVerifyData) {
this.conn = c;
init(
context,
enabledProtocols,
needCertVerify,
isClient,
activeProtocolVersion,
isInitialHandshake,
secureRenegotiation,
clientVerifyData,
serverVerifyData);
}
Handshaker(
SSLEngineImpl engine,
SSLContextImpl context,
ProtocolList enabledProtocols,
boolean needCertVerify,
boolean isClient,
ProtocolVersion activeProtocolVersion,
boolean isInitialHandshake,
boolean secureRenegotiation,
byte[] clientVerifyData,
byte[] serverVerifyData) {
this.engine = engine;
init(
context,
enabledProtocols,
needCertVerify,
isClient,
activeProtocolVersion,
isInitialHandshake,
secureRenegotiation,
clientVerifyData,
serverVerifyData);
}
private void init(
SSLContextImpl context,
ProtocolList enabledProtocols,
boolean needCertVerify,
boolean isClient,
ProtocolVersion activeProtocolVersion,
boolean isInitialHandshake,
boolean secureRenegotiation,
byte[] clientVerifyData,
byte[] serverVerifyData) {
if (debug != null && Debug.isOn("handshake")) {
System.out.println(
"Allow unsafe renegotiation: "
+ allowUnsafeRenegotiation
+ "\nAllow legacy hello messages: "
+ allowLegacyHelloMessages
+ "\nIs initial handshake: "
+ isInitialHandshake
+ "\nIs secure renegotiation: "
+ secureRenegotiation);
}
this.sslContext = context;
this.isClient = isClient;
this.needCertVerify = needCertVerify;
this.activeProtocolVersion = activeProtocolVersion;
this.isInitialHandshake = isInitialHandshake;
this.secureRenegotiation = secureRenegotiation;
this.clientVerifyData = clientVerifyData;
this.serverVerifyData = serverVerifyData;
enableNewSession = true;
invalidated = false;
setCipherSuite(CipherSuite.C_NULL);
setEnabledProtocols(enabledProtocols);
if (conn != null) {
algorithmConstraints = new SSLAlgorithmConstraints(conn, true);
} else { // engine != null
algorithmConstraints = new SSLAlgorithmConstraints(engine, true);
}
//
// In addition to the connection state machine, controlling
// how the connection deals with the different sorts of records
// that get sent (notably handshake transitions!), there's
// also a handshaking state machine that controls message
// sequencing.
//
// It's a convenient artifact of the protocol that this can,
// with only a couple of minor exceptions, be driven by the
// type constant for the last message seen: except for the
// client's cert verify, those constants are in a convenient
// order to drastically simplify state machine checking.
//
state = -2; // initialized but not activated
}
/*
* Reroutes calls to the SSLSocket or SSLEngine (*SE).
*
* We could have also done it by extra classes
* and letting them override, but this seemed much
* less involved.
*/
void fatalSE(byte b, String diagnostic) throws IOException {
fatalSE(b, diagnostic, null);
}
void fatalSE(byte b, Throwable cause) throws IOException {
fatalSE(b, null, cause);
}
void fatalSE(byte b, String diagnostic, Throwable cause) throws IOException {
if (conn != null) {
conn.fatal(b, diagnostic, cause);
} else {
engine.fatal(b, diagnostic, cause);
}
}
void warningSE(byte b) {
if (conn != null) {
conn.warning(b);
} else {
engine.warning(b);
}
}
String getRawHostnameSE() {
if (conn != null) {
return conn.getRawHostname();
} else {
return engine.getPeerHost();
}
}
String getHostSE() {
if (conn != null) {
return conn.getHost();
} else {
return engine.getPeerHost();
}
}
String getHostAddressSE() {
if (conn != null) {
return conn.getInetAddress().getHostAddress();
} else {
/*
* This is for caching only, doesn't matter that's is really
* a hostname. The main thing is that it doesn't do
* a reverse DNS lookup, potentially slowing things down.
*/
return engine.getPeerHost();
}
}
boolean isLoopbackSE() {
if (conn != null) {
return conn.getInetAddress().isLoopbackAddress();
} else {
return false;
}
}
int getPortSE() {
if (conn != null) {
return conn.getPort();
} else {
return engine.getPeerPort();
}
}
int getLocalPortSE() {
if (conn != null) {
return conn.getLocalPort();
} else {
return -1;
}
}
AccessControlContext getAccSE() {
if (conn != null) {
return conn.getAcc();
} else {
return engine.getAcc();
}
}
private void setVersionSE(ProtocolVersion protocolVersion) {
if (conn != null) {
conn.setVersion(protocolVersion);
} else {
engine.setVersion(protocolVersion);
}
}
/**
* Set the active protocol version and propagate it to the SSLSocket and our handshake streams.
* Called from ClientHandshaker and ServerHandshaker with the negotiated protocol version.
*/
void setVersion(ProtocolVersion protocolVersion) {
this.protocolVersion = protocolVersion;
setVersionSE(protocolVersion);
output.r.setVersion(protocolVersion);
}
/**
* Set the enabled protocols. Called from the constructor or
* SSLSocketImpl/SSLEngineImpl.setEnabledProtocols() (if the handshake is not yet in progress).
*/
void setEnabledProtocols(ProtocolList enabledProtocols) {
activeCipherSuites = null;
activeProtocols = null;
this.enabledProtocols = enabledProtocols;
}
/**
* Set the enabled cipher suites. Called from SSLSocketImpl/SSLEngineImpl.setEnabledCipherSuites()
* (if the handshake is not yet in progress).
*/
void setEnabledCipherSuites(CipherSuiteList enabledCipherSuites) {
activeCipherSuites = null;
activeProtocols = null;
this.enabledCipherSuites = enabledCipherSuites;
}
/**
* Set the algorithm constraints. Called from the constructor or
* SSLSocketImpl/SSLEngineImpl.setAlgorithmConstraints() (if the handshake is not yet in
* progress).
*/
void setAlgorithmConstraints(AlgorithmConstraints algorithmConstraints) {
activeCipherSuites = null;
activeProtocols = null;
this.algorithmConstraints = new SSLAlgorithmConstraints(algorithmConstraints);
this.localSupportedSignAlgs = null;
}
Collection<SignatureAndHashAlgorithm> getLocalSupportedSignAlgs() {
if (localSupportedSignAlgs == null) {
localSupportedSignAlgs =
SignatureAndHashAlgorithm.getSupportedAlgorithms(algorithmConstraints);
}
return localSupportedSignAlgs;
}
void setPeerSupportedSignAlgs(Collection<SignatureAndHashAlgorithm> algorithms) {
peerSupportedSignAlgs = new ArrayList<SignatureAndHashAlgorithm>(algorithms);
}
Collection<SignatureAndHashAlgorithm> getPeerSupportedSignAlgs() {
return peerSupportedSignAlgs;
}
/**
* Set the identification protocol. Called from the constructor or
* SSLSocketImpl/SSLEngineImpl.setIdentificationProtocol() (if the handshake is not yet in
* progress).
*/
void setIdentificationProtocol(String protocol) {
this.identificationProtocol = protocol;
}
/**
* Prior to handshaking, activate the handshake and initialize the version, input stream and
* output stream.
*/
void activate(ProtocolVersion helloVersion) throws IOException {
if (activeProtocols == null) {
activeProtocols = getActiveProtocols();
}
if (activeProtocols.collection().isEmpty() || activeProtocols.max.v == ProtocolVersion.NONE.v) {
throw new SSLHandshakeException("No appropriate protocol");
}
if (activeCipherSuites == null) {
activeCipherSuites = getActiveCipherSuites();
}
if (activeCipherSuites.collection().isEmpty()) {
throw new SSLHandshakeException("No appropriate cipher suite");
}
// temporary protocol version until the actual protocol version
// is negotiated in the Hello exchange. This affects the record
// version we sent with the ClientHello.
if (!isInitialHandshake) {
protocolVersion = activeProtocolVersion;
} else {
protocolVersion = activeProtocols.max;
}
if (helloVersion == null || helloVersion.v == ProtocolVersion.NONE.v) {
helloVersion = activeProtocols.helloVersion;
}
// We accumulate digests of the handshake messages so that
// we can read/write CertificateVerify and Finished messages,
// getting assurance against some particular active attacks.
Set<String> localSupportedHashAlgorithms =
SignatureAndHashAlgorithm.getHashAlgorithmNames(getLocalSupportedSignAlgs());
handshakeHash = new HandshakeHash(!isClient, needCertVerify, localSupportedHashAlgorithms);
// Generate handshake input/output stream.
input = new HandshakeInStream(handshakeHash);
if (conn != null) {
output = new HandshakeOutStream(protocolVersion, helloVersion, handshakeHash, conn);
conn.getAppInputStream().r.setHandshakeHash(handshakeHash);
conn.getAppInputStream().r.setHelloVersion(helloVersion);
conn.getAppOutputStream().r.setHelloVersion(helloVersion);
} else {
output = new HandshakeOutStream(protocolVersion, helloVersion, handshakeHash, engine);
engine.inputRecord.setHandshakeHash(handshakeHash);
engine.inputRecord.setHelloVersion(helloVersion);
engine.outputRecord.setHelloVersion(helloVersion);
}
// move state to activated
state = -1;
}
/**
* Set cipherSuite and keyExchange to the given CipherSuite. Does not perform any verification
* that this is a valid selection, this must be done before calling this method.
*/
void setCipherSuite(CipherSuite s) {
this.cipherSuite = s;
this.keyExchange = s.keyExchange;
}
/**
* Check if the given ciphersuite is enabled and available. Does not check if the required server
* certificates are available.
*/
boolean isNegotiable(CipherSuite s) {
if (activeCipherSuites == null) {
activeCipherSuites = getActiveCipherSuites();
}
return activeCipherSuites.contains(s) && s.isNegotiable();
}
/** Check if the given protocol version is enabled and available. */
boolean isNegotiable(ProtocolVersion protocolVersion) {
if (activeProtocols == null) {
activeProtocols = getActiveProtocols();
}
return activeProtocols.contains(protocolVersion);
}
/**
* Select a protocol version from the list. Called from ServerHandshaker to negotiate protocol
* version.
*
* <p>Return the lower of the protocol version suggested in the clien hello and the highest
* supported by the server.
*/
ProtocolVersion selectProtocolVersion(ProtocolVersion protocolVersion) {
if (activeProtocols == null) {
activeProtocols = getActiveProtocols();
}
return activeProtocols.selectProtocolVersion(protocolVersion);
}
/**
* Get the active cipher suites.
*
* <p>In TLS 1.1, many weak or vulnerable cipher suites were obsoleted, such as
* TLS_RSA_EXPORT_WITH_RC4_40_MD5. The implementation MUST NOT negotiate these cipher suites in
* TLS 1.1 or later mode.
*
* <p>Therefore, when the active protocols only include TLS 1.1 or later, the client cannot
* request to negotiate those obsoleted cipher suites. That is, the obsoleted suites should not be
* included in the client hello. So we need to create a subset of the enabled cipher suites, the
* active cipher suites, which does not contain obsoleted cipher suites of the minimum active
* protocol.
*
* <p>Return empty list instead of null if no active cipher suites.
*/
CipherSuiteList getActiveCipherSuites() {
if (activeCipherSuites == null) {
if (activeProtocols == null) {
activeProtocols = getActiveProtocols();
}
ArrayList<CipherSuite> suites = new ArrayList<>();
if (!(activeProtocols.collection().isEmpty())
&& activeProtocols.min.v != ProtocolVersion.NONE.v) {
for (CipherSuite suite : enabledCipherSuites.collection()) {
if (suite.obsoleted > activeProtocols.min.v && suite.supported <= activeProtocols.max.v) {
if (algorithmConstraints.permits(
EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), suite.name, null)) {
suites.add(suite);
}
} else if (debug != null && Debug.isOn("verbose")) {
if (suite.obsoleted <= activeProtocols.min.v) {
System.out.println("Ignoring obsoleted cipher suite: " + suite);
} else {
System.out.println("Ignoring unsupported cipher suite: " + suite);
}
}
}
}
activeCipherSuites = new CipherSuiteList(suites);
}
return activeCipherSuites;
}
/*
* Get the active protocol versions.
*
* In TLS 1.1, many weak or vulnerable cipher suites were obsoleted,
* such as TLS_RSA_EXPORT_WITH_RC4_40_MD5. The implementation MUST NOT
* negotiate these cipher suites in TLS 1.1 or later mode.
*
* For example, if "TLS_RSA_EXPORT_WITH_RC4_40_MD5" is the
* only enabled cipher suite, the client cannot request TLS 1.1 or
* later, even though TLS 1.1 or later is enabled. We need to create a
* subset of the enabled protocols, called the active protocols, which
* contains protocols appropriate to the list of enabled Ciphersuites.
*
* Return empty list instead of null if no active protocol versions.
*/
ProtocolList getActiveProtocols() {
if (activeProtocols == null) {
ArrayList<ProtocolVersion> protocols = new ArrayList<>(4);
for (ProtocolVersion protocol : enabledProtocols.collection()) {
boolean found = false;
for (CipherSuite suite : enabledCipherSuites.collection()) {
if (suite.isAvailable()
&& suite.obsoleted > protocol.v
&& suite.supported <= protocol.v) {
if (algorithmConstraints.permits(
EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), suite.name, null)) {
protocols.add(protocol);
found = true;
break;
} else if (debug != null && Debug.isOn("verbose")) {
System.out.println("Ignoring disabled cipher suite: " + suite + " for " + protocol);
}
} else if (debug != null && Debug.isOn("verbose")) {
System.out.println("Ignoring unsupported cipher suite: " + suite + " for " + protocol);
}
}
if (!found && (debug != null) && Debug.isOn("handshake")) {
System.out.println("No available cipher suite for " + protocol);
}
}
activeProtocols = new ProtocolList(protocols);
}
return activeProtocols;
}
/**
* As long as handshaking has not activated, we can change whether session creations are allowed.
*
* <p>Callers should do their own checking if handshaking has activated.
*/
void setEnableSessionCreation(boolean newSessions) {
enableNewSession = newSessions;
}
/** Create a new read cipher and return it to caller. */
CipherBox newReadCipher() throws NoSuchAlgorithmException {
BulkCipher cipher = cipherSuite.cipher;
CipherBox box;
if (isClient) {
box =
cipher.newCipher(
protocolVersion, svrWriteKey, svrWriteIV, sslContext.getSecureRandom(), false);
svrWriteKey = null;
svrWriteIV = null;
} else {
box =
cipher.newCipher(
protocolVersion, clntWriteKey, clntWriteIV, sslContext.getSecureRandom(), false);
clntWriteKey = null;
clntWriteIV = null;
}
return box;
}
/** Create a new write cipher and return it to caller. */
CipherBox newWriteCipher() throws NoSuchAlgorithmException {
BulkCipher cipher = cipherSuite.cipher;
CipherBox box;
if (isClient) {
box =
cipher.newCipher(
protocolVersion, clntWriteKey, clntWriteIV, sslContext.getSecureRandom(), true);
clntWriteKey = null;
clntWriteIV = null;
} else {
box =
cipher.newCipher(
protocolVersion, svrWriteKey, svrWriteIV, sslContext.getSecureRandom(), true);
svrWriteKey = null;
svrWriteIV = null;
}
return box;
}
/** Create a new read MAC and return it to caller. */
MAC newReadMAC() throws NoSuchAlgorithmException, InvalidKeyException {
MacAlg macAlg = cipherSuite.macAlg;
MAC mac;
if (isClient) {
mac = macAlg.newMac(protocolVersion, svrMacSecret);
svrMacSecret = null;
} else {
mac = macAlg.newMac(protocolVersion, clntMacSecret);
clntMacSecret = null;
}
return mac;
}
/** Create a new write MAC and return it to caller. */
MAC newWriteMAC() throws NoSuchAlgorithmException, InvalidKeyException {
MacAlg macAlg = cipherSuite.macAlg;
MAC mac;
if (isClient) {
mac = macAlg.newMac(protocolVersion, clntMacSecret);
clntMacSecret = null;
} else {
mac = macAlg.newMac(protocolVersion, svrMacSecret);
svrMacSecret = null;
}
return mac;
}
/*
* Returns true iff the handshake sequence is done, so that
* this freshly created session can become the current one.
*/
boolean isDone() {
return state == HandshakeMessage.ht_finished;
}
/*
* Returns the session which was created through this
* handshake sequence ... should be called after isDone()
* returns true.
*/
SSLSessionImpl getSession() {
return session;
}
/*
* Set the handshake session
*/
void setHandshakeSessionSE(SSLSessionImpl handshakeSession) {
if (conn != null) {
conn.setHandshakeSession(handshakeSession);
} else {
engine.setHandshakeSession(handshakeSession);
}
}
/*
* Returns true if renegotiation is in use for this connection.
*/
boolean isSecureRenegotiation() {
return secureRenegotiation;
}
/*
* Returns the verify_data from the Finished message sent by the client.
*/
byte[] getClientVerifyData() {
return clientVerifyData;
}
/*
* Returns the verify_data from the Finished message sent by the server.
*/
byte[] getServerVerifyData() {
return serverVerifyData;
}
/*
* This routine is fed SSL handshake records when they become available,
* and processes messages found therein.
*/
void process_record(InputRecord r, boolean expectingFinished) throws IOException {
checkThrown();
/*
* Store the incoming handshake data, then see if we can
* now process any completed handshake messages
*/
input.incomingRecord(r);
/*
* We don't need to create a separate delegatable task
* for finished messages.
*/
if ((conn != null) || expectingFinished) {
processLoop();
} else {
delegateTask(
new PrivilegedExceptionAction<Void>() {
public Void run() throws Exception {
processLoop();
return null;
}
});
}
}
/*
* On input, we hash messages one at a time since servers may need
* to access an intermediate hash to validate a CertificateVerify
* message.
*
* Note that many handshake messages can come in one record (and often
* do, to reduce network resource utilization), and one message can also
* require multiple records (e.g. very large Certificate messages).
*/
void processLoop() throws IOException {
// need to read off 4 bytes at least to get the handshake
// message type and length.
while (input.available() >= 4) {
byte messageType;
int messageLen;
/*
* See if we can read the handshake message header, and
* then the entire handshake message. If not, wait till
* we can read and process an entire message.
*/
input.mark(4);
messageType = (byte) input.getInt8();
messageLen = input.getInt24();
if (input.available() < messageLen) {
input.reset();
return;
}
/*
* Process the messsage. We require
* that processMessage() consumes the entire message. In
* lieu of explicit error checks (how?!) we assume that the
* data will look like garbage on encoding/processing errors,
* and that other protocol code will detect such errors.
*
* Note that digesting is normally deferred till after the
* message has been processed, though to process at least the
* client's Finished message (i.e. send the server's) we need
* to acccelerate that digesting.
*
* Also, note that hello request messages are never hashed;
* that includes the hello request header, too.
*/
if (messageType == HandshakeMessage.ht_hello_request) {
input.reset();
processMessage(messageType, messageLen);
input.ignore(4 + messageLen);
} else {
input.mark(messageLen);
processMessage(messageType, messageLen);
input.digestNow();
}
}
}
/**
* Returns true iff the handshaker has been activated.
*
* <p>In activated state, the handshaker may not send any messages out.
*/
boolean activated() {
return state >= -1;
}
/** Returns true iff the handshaker has sent any messages. */
boolean started() {
return state >= 0; // 0: HandshakeMessage.ht_hello_request
// 1: HandshakeMessage.ht_client_hello
}
/*
* Used to kickstart the negotiation ... either writing a
* ClientHello or a HelloRequest as appropriate, whichever
* the subclass returns. NOP if handshaking's already started.
*/
void kickstart() throws IOException {
if (state >= 0) {
return;
}
HandshakeMessage m = getKickstartMessage();
if (debug != null && Debug.isOn("handshake")) {
m.print(System.out);
}
m.write(output);
output.flush();
state = m.messageType();
}
/**
* Both client and server modes can start handshaking; but the message they send to do so is
* different.
*/
abstract HandshakeMessage getKickstartMessage() throws SSLException;
/*
* Client and Server side protocols are each driven though this
* call, which processes a single message and drives the appropriate
* side of the protocol state machine (depending on the subclass).
*/
abstract void processMessage(byte messageType, int messageLen) throws IOException;
/*
* Most alerts in the protocol relate to handshaking problems.
* Alerts are detected as the connection reads data.
*/
abstract void handshakeAlert(byte description) throws SSLProtocolException;
/*
* Sends a change cipher spec message and updates the write side
* cipher state so that future messages use the just-negotiated spec.
*/
void sendChangeCipherSpec(Finished mesg, boolean lastMessage) throws IOException {
output.flush(); // i.e. handshake data
/*
* The write cipher state is protected by the connection write lock
* so we must grab it while making the change. We also
* make sure no writes occur between sending the ChangeCipherSpec
* message, installing the new cipher state, and sending the
* Finished message.
*
* We already hold SSLEngine/SSLSocket "this" by virtue
* of this being called from the readRecord code.
*/
OutputRecord r;
if (conn != null) {
r = new OutputRecord(Record.ct_change_cipher_spec);
} else {
r = new EngineOutputRecord(Record.ct_change_cipher_spec, engine);
}
r.setVersion(protocolVersion);
r.write(1); // single byte of data
if (conn != null) {
conn.writeLock.lock();
try {
conn.writeRecord(r);
conn.changeWriteCiphers();
if (debug != null && Debug.isOn("handshake")) {
mesg.print(System.out);
}
mesg.write(output);
output.flush();
} finally {
conn.writeLock.unlock();
}
} else {
synchronized (engine.writeLock) {
engine.writeRecord((EngineOutputRecord) r);
engine.changeWriteCiphers();
if (debug != null && Debug.isOn("handshake")) {
mesg.print(System.out);
}
mesg.write(output);
if (lastMessage) {
output.setFinishedMsg();
}
output.flush();
}
}
}
/*
* Single access point to key calculation logic. Given the
* pre-master secret and the nonces from client and server,
* produce all the keying material to be used.
*/
void calculateKeys(SecretKey preMasterSecret, ProtocolVersion version) {
SecretKey master = calculateMasterSecret(preMasterSecret, version);
session.setMasterSecret(master);
calculateConnectionKeys(master);
}
/*
* Calculate the master secret from its various components. This is
* used for key exchange by all cipher suites.
*
* The master secret is the catenation of three MD5 hashes, each
* consisting of the pre-master secret and a SHA1 hash. Those three
* SHA1 hashes are of (different) constant strings, the pre-master
* secret, and the nonces provided by the client and the server.
*/
private SecretKey calculateMasterSecret(
SecretKey preMasterSecret, ProtocolVersion requestedVersion) {
if (debug != null && Debug.isOn("keygen")) {
HexDumpEncoder dump = new HexDumpEncoder();
System.out.println("SESSION KEYGEN:");
System.out.println("PreMaster Secret:");
printHex(dump, preMasterSecret.getEncoded());
// Nonces are dumped with connection keygen, no
// benefit to doing it twice
}
// What algs/params do we need to use?
String masterAlg;
PRF prf;
if (protocolVersion.v >= ProtocolVersion.TLS12.v) {
masterAlg = "SunTls12MasterSecret";
prf = cipherSuite.prfAlg;
} else {
masterAlg = "SunTlsMasterSecret";
prf = P_NONE;
}
String prfHashAlg = prf.getPRFHashAlg();
int prfHashLength = prf.getPRFHashLength();
int prfBlockSize = prf.getPRFBlockSize();
TlsMasterSecretParameterSpec spec =
new TlsMasterSecretParameterSpec(
preMasterSecret,
protocolVersion.major,
protocolVersion.minor,
clnt_random.random_bytes,
svr_random.random_bytes,
prfHashAlg,
prfHashLength,
prfBlockSize);
SecretKey masterSecret;
try {
KeyGenerator kg = JsseJce.getKeyGenerator(masterAlg);
kg.init(spec);
masterSecret = kg.generateKey();
} catch (GeneralSecurityException e) {
// For RSA premaster secrets, do not signal a protocol error
// due to the Bleichenbacher attack. See comments further down.
if (!preMasterSecret.getAlgorithm().equals("TlsRsaPremasterSecret")) {
throw new ProviderException(e);
}
if (debug != null && Debug.isOn("handshake")) {
System.out.println("RSA master secret generation error:");
e.printStackTrace(System.out);
System.out.println("Generating new random premaster secret");
}
if (requestedVersion != null) {
preMasterSecret = RSAClientKeyExchange.generateDummySecret(requestedVersion);
} else {
preMasterSecret = RSAClientKeyExchange.generateDummySecret(protocolVersion);
}
// recursive call with new premaster secret
return calculateMasterSecret(preMasterSecret, null);
}
// if no version check requested (client side handshake), or version
// information is not available (not an RSA premaster secret),
// return master secret immediately.
if ((requestedVersion == null) || !(masterSecret instanceof TlsMasterSecret)) {
return masterSecret;
}
// we have checked the ClientKeyExchange message when reading TLS
// record, the following check is necessary to ensure that
// JCE provider does not ignore the checking, or the previous
// checking process bypassed the premaster secret version checking.
TlsMasterSecret tlsKey = (TlsMasterSecret) masterSecret;
int major = tlsKey.getMajorVersion();
int minor = tlsKey.getMinorVersion();
if ((major < 0) || (minor < 0)) {
return masterSecret;
}
// check if the premaster secret version is ok
// the specification says that it must be the maximum version supported
// by the client from its ClientHello message. However, many
// implementations send the negotiated version, so accept both
// for SSL v3.0 and TLS v1.0.
// NOTE that we may be comparing two unsupported version numbers, which
// is why we cannot use object reference equality in this special case.
ProtocolVersion premasterVersion = ProtocolVersion.valueOf(major, minor);
boolean versionMismatch = (premasterVersion.v != requestedVersion.v);
/*
* we never checked the client_version in server side
* for TLS v1.0 and SSL v3.0. For compatibility, we
* maintain this behavior.
*/
if (versionMismatch && requestedVersion.v <= ProtocolVersion.TLS10.v) {
versionMismatch = (premasterVersion.v != protocolVersion.v);
}
if (versionMismatch == false) {
// check passed, return key
return masterSecret;
}
// Due to the Bleichenbacher attack, do not signal a protocol error.
// Generate a random premaster secret and continue with the handshake,
// which will fail when verifying the finished messages.
// For more information, see comments in PreMasterSecret.
if (debug != null && Debug.isOn("handshake")) {
System.out.println(
"RSA PreMasterSecret version error: expected"
+ protocolVersion
+ " or "
+ requestedVersion
+ ", decrypted: "
+ premasterVersion);
System.out.println("Generating new random premaster secret");
}
preMasterSecret = RSAClientKeyExchange.generateDummySecret(requestedVersion);
// recursive call with new premaster secret
return calculateMasterSecret(preMasterSecret, null);
}
/*
* Calculate the keys needed for this connection, once the session's
* master secret has been calculated. Uses the master key and nonces;
* the amount of keying material generated is a function of the cipher
* suite that's been negotiated.
*
* This gets called both on the "full handshake" (where we exchanged
* a premaster secret and started a new session) as well as on the
* "fast handshake" (where we just resumed a pre-existing session).
*/
void calculateConnectionKeys(SecretKey masterKey) {
/*
* For both the read and write sides of the protocol, we use the
* master to generate MAC secrets and cipher keying material. Block
* ciphers need initialization vectors, which we also generate.
*
* First we figure out how much keying material is needed.
*/
int hashSize = cipherSuite.macAlg.size;
boolean is_exportable = cipherSuite.exportable;
BulkCipher cipher = cipherSuite.cipher;
int expandedKeySize = is_exportable ? cipher.expandedKeySize : 0;
// Which algs/params do we need to use?
String keyMaterialAlg;
PRF prf;
if (protocolVersion.v >= ProtocolVersion.TLS12.v) {
keyMaterialAlg = "SunTls12KeyMaterial";
prf = cipherSuite.prfAlg;
} else {
keyMaterialAlg = "SunTlsKeyMaterial";
prf = P_NONE;
}
String prfHashAlg = prf.getPRFHashAlg();
int prfHashLength = prf.getPRFHashLength();
int prfBlockSize = prf.getPRFBlockSize();
TlsKeyMaterialParameterSpec spec =
new TlsKeyMaterialParameterSpec(
masterKey,
protocolVersion.major,
protocolVersion.minor,
clnt_random.random_bytes,
svr_random.random_bytes,
cipher.algorithm,
cipher.keySize,
expandedKeySize,
cipher.ivSize,
hashSize,
prfHashAlg,
prfHashLength,
prfBlockSize);
try {
KeyGenerator kg = JsseJce.getKeyGenerator(keyMaterialAlg);
kg.init(spec);
TlsKeyMaterialSpec keySpec = (TlsKeyMaterialSpec) kg.generateKey();
clntWriteKey = keySpec.getClientCipherKey();
svrWriteKey = keySpec.getServerCipherKey();
// Return null if IVs are not supposed to be generated.
// e.g. TLS 1.1+.
clntWriteIV = keySpec.getClientIv();
svrWriteIV = keySpec.getServerIv();
clntMacSecret = keySpec.getClientMacKey();
svrMacSecret = keySpec.getServerMacKey();
} catch (GeneralSecurityException e) {
throw new ProviderException(e);
}
//
// Dump the connection keys as they're generated.
//
if (debug != null && Debug.isOn("keygen")) {
synchronized (System.out) {
HexDumpEncoder dump = new HexDumpEncoder();
System.out.println("CONNECTION KEYGEN:");
// Inputs:
System.out.println("Client Nonce:");
printHex(dump, clnt_random.random_bytes);
System.out.println("Server Nonce:");
printHex(dump, svr_random.random_bytes);
System.out.println("Master Secret:");
printHex(dump, masterKey.getEncoded());
// Outputs:
System.out.println("Client MAC write Secret:");
printHex(dump, clntMacSecret.getEncoded());
System.out.println("Server MAC write Secret:");
printHex(dump, svrMacSecret.getEncoded());
if (clntWriteKey != null) {
System.out.println("Client write key:");
printHex(dump, clntWriteKey.getEncoded());
System.out.println("Server write key:");
printHex(dump, svrWriteKey.getEncoded());
} else {
System.out.println("... no encryption keys used");
}
if (clntWriteIV != null) {
System.out.println("Client write IV:");
printHex(dump, clntWriteIV.getIV());
System.out.println("Server write IV:");
printHex(dump, svrWriteIV.getIV());
} else {
if (protocolVersion.v >= ProtocolVersion.TLS11.v) {
System.out.println("... no IV derived for this protocol");
} else {
System.out.println("... no IV used for this cipher");
}
}
System.out.flush();
}
}
}
private static void printHex(HexDumpEncoder dump, byte[] bytes) {
if (bytes == null) {
System.out.println("(key bytes not available)");
} else {
try {
dump.encodeBuffer(bytes, System.out);
} catch (IOException e) {
// just for debugging, ignore this
}
}
}
/**
* Throw an SSLException with the specified message and cause. Shorthand until a new SSLException
* constructor is added. This method never returns.
*/
static void throwSSLException(String msg, Throwable cause) throws SSLException {
SSLException e = new SSLException(msg);
e.initCause(cause);
throw e;
}
/*
* Implement a simple task delegator.
*
* We are currently implementing this as a single delegator, may
* try for parallel tasks later. Client Authentication could
* benefit from this, where ClientKeyExchange/CertificateVerify
* could be carried out in parallel.
*/
class DelegatedTask<E> implements Runnable {
private PrivilegedExceptionAction<E> pea;
DelegatedTask(PrivilegedExceptionAction<E> pea) {
this.pea = pea;
}
public void run() {
synchronized (engine) {
try {
AccessController.doPrivileged(pea, engine.getAcc());
} catch (PrivilegedActionException pae) {
thrown = pae.getException();
} catch (RuntimeException rte) {
thrown = rte;
}
delegatedTask = null;
taskDelegated = false;
}
}
}
private <T> void delegateTask(PrivilegedExceptionAction<T> pea) {
delegatedTask = new DelegatedTask<T>(pea);
taskDelegated = false;
thrown = null;
}
DelegatedTask getTask() {
if (!taskDelegated) {
taskDelegated = true;
return delegatedTask;
} else {
return null;
}
}
/*
* See if there are any tasks which need to be delegated
*
* Locked by SSLEngine.this.
*/
boolean taskOutstanding() {
return (delegatedTask != null);
}
/*
* The previous caller failed for some reason, report back the
* Exception. We won't worry about Error's.
*
* Locked by SSLEngine.this.
*/
void checkThrown() throws SSLException {
synchronized (thrownLock) {
if (thrown != null) {
String msg = thrown.getMessage();
if (msg == null) {
msg = "Delegated task threw Exception/Error";
}
/*
* See what the underlying type of exception is. We should
* throw the same thing. Chain thrown to the new exception.
*/
Exception e = thrown;
thrown = null;
if (e instanceof RuntimeException) {
throw (RuntimeException) new RuntimeException(msg).initCause(e);
} else if (e instanceof SSLHandshakeException) {
throw (SSLHandshakeException) new SSLHandshakeException(msg).initCause(e);
} else if (e instanceof SSLKeyException) {
throw (SSLKeyException) new SSLKeyException(msg).initCause(e);
} else if (e instanceof SSLPeerUnverifiedException) {
throw (SSLPeerUnverifiedException) new SSLPeerUnverifiedException(msg).initCause(e);
} else if (e instanceof SSLProtocolException) {
throw (SSLProtocolException) new SSLProtocolException(msg).initCause(e);
} else {
/*
* If it's SSLException or any other Exception,
* we'll wrap it in an SSLException.
*/
throw (SSLException) new SSLException(msg).initCause(e);
}
}
}
}
}
/**
* NEWT Utility class MainThread
*
* <p>This class provides a startup singleton <i>main thread</i>, from which a new thread with the
* users main class is launched.<br>
* Such behavior is necessary for native windowing toolkits, where the windowing management must
* happen on the so called <i>main thread</i> e.g. for Mac OS X !<br>
* Utilizing this class as a launchpad, now you are able to use a NEWT multithreaded application
* with window handling within the different threads, even on these restricted platforms.<br>
* To support your NEWT Window platform, you have to pass your <i>main thread</i> actions to {@link
* #invoke invoke(..)}, have a look at the {@link com.jogamp.newt.macosx.MacWindow MacWindow}
* implementation.<br>
* <i>TODO</i>: Some hardcoded dependencies exist in this implementation, where you have to patch
* this code or factor it out.
*
* <p>If your platform is not Mac OS X, but you want to test your code without modifying this class,
* you have to set the system property <code>newt.MainThread.force</code> to <code>true</code>.
*
* <p>The code is compatible with all other platform, which support multithreaded windowing
* handling. Since those platforms won't trigger the <i>main thread</i> serialization, the main
* method will be simply executed, in case you haven't set <code>newt.MainThread.force</code> to
* <code>true</code>.
*
* <p>Test case on Mac OS X (or any other platform):
*
* <PRE>
* java -XstartOnFirstThread com.jogamp.newt.util.MainThread demos.es1.RedSquare -GL2 -GL2 -GL2 -GL2
* </PRE>
*
* Which starts 4 threads, each with a window and OpenGL rendering.<br>
*/
public class MainThread implements EDTUtil {
private static AccessControlContext localACC = AccessController.getContext();
public static final boolean MAIN_THREAD_CRITERIA =
(!NativeWindowFactory.isAWTAvailable()
&& NativeWindowFactory.TYPE_MACOSX.equals(
NativeWindowFactory.getNativeWindowType(false)))
|| Debug.getBooleanProperty("newt.MainThread.force", true, localACC);
protected static final boolean DEBUG = Debug.debug("MainThread");
private static MainThread singletonMainThread = new MainThread(); // one singleton MainThread
private static boolean isExit = false;
private static volatile boolean isRunning = false;
private static Object taskWorkerLock = new Object();
private static boolean shouldStop;
private static ArrayList tasks;
private static Thread mainThread;
private static Timer pumpMessagesTimer = null;
private static TimerTask pumpMessagesTimerTask = null;
private static Map /*<Display, Runnable>*/ pumpMessageDisplayMap = new HashMap();
private static boolean useMainThread = false;
private static Class cAWTEventQueue = null;
private static Method mAWTInvokeAndWait = null;
private static Method mAWTInvokeLater = null;
private static Method mAWTIsDispatchThread = null;
static class MainAction extends Thread {
private String mainClassName;
private String[] mainClassArgs;
private Class mainClass;
private Method mainClassMain;
public MainAction(String mainClassName, String[] mainClassArgs) {
this.mainClassName = mainClassName;
this.mainClassArgs = mainClassArgs;
}
public void run() {
if (useMainThread) {
// we have to start first to provide the service ..
singletonMainThread.waitUntilRunning();
}
// start user app ..
try {
Class mainClass = ReflectionUtil.getClass(mainClassName, true, getClass().getClassLoader());
if (null == mainClass) {
throw new RuntimeException(
new ClassNotFoundException("MainThread couldn't find main class " + mainClassName));
}
try {
mainClassMain = mainClass.getDeclaredMethod("main", new Class[] {String[].class});
mainClassMain.setAccessible(true);
} catch (Throwable t) {
throw new RuntimeException(t);
}
if (DEBUG)
System.err.println(
"MainAction.run(): " + Thread.currentThread().getName() + " invoke " + mainClassName);
mainClassMain.invoke(null, new Object[] {mainClassArgs});
} catch (InvocationTargetException ite) {
ite.getTargetException().printStackTrace();
} catch (Throwable t) {
t.printStackTrace();
}
if (DEBUG)
System.err.println(
"MainAction.run(): " + Thread.currentThread().getName() + " user app fin");
if (useMainThread) {
singletonMainThread.stop();
if (DEBUG)
System.err.println(
"MainAction.run(): " + Thread.currentThread().getName() + " MainThread fin - stop");
System.exit(0);
}
}
}
private static MainAction mainAction;
/** Your new java application main entry, which pipelines your application */
public static void main(String[] args) {
useMainThread = MAIN_THREAD_CRITERIA;
if (DEBUG)
System.err.println(
"MainThread.main(): "
+ Thread.currentThread().getName()
+ " useMainThread "
+ useMainThread);
if (args.length == 0) {
return;
}
String mainClassName = args[0];
String[] mainClassArgs = new String[args.length - 1];
if (args.length > 1) {
System.arraycopy(args, 1, mainClassArgs, 0, args.length - 1);
}
NEWTJNILibLoader.loadNEWT();
mainAction = new MainAction(mainClassName, mainClassArgs);
if (NativeWindowFactory.TYPE_MACOSX.equals(NativeWindowFactory.getNativeWindowType(false))) {
ReflectionUtil.callStaticMethod(
"com.jogamp.newt.impl.macosx.MacDisplay",
"initSingleton",
null,
null,
MainThread.class.getClassLoader());
}
if (useMainThread) {
shouldStop = false;
tasks = new ArrayList();
mainThread = Thread.currentThread();
// dispatch user's main thread ..
mainAction.start();
// do our main thread task scheduling
singletonMainThread.run();
} else {
// run user's main in this thread
mainAction.run();
}
}
public static final MainThread getSingleton() {
return singletonMainThread;
}
public static Runnable removePumpMessage(Display dpy) {
synchronized (pumpMessageDisplayMap) {
return (Runnable) pumpMessageDisplayMap.remove(dpy);
}
}
public static void addPumpMessage(Display dpy, Runnable pumpMessage) {
if (useMainThread) {
return; // error ?
}
if (null == pumpMessagesTimer) {
synchronized (MainThread.class) {
if (null == pumpMessagesTimer) {
pumpMessagesTimer = new Timer();
pumpMessagesTimerTask =
new TimerTask() {
public void run() {
synchronized (pumpMessageDisplayMap) {
for (Iterator i = pumpMessageDisplayMap.values().iterator(); i.hasNext(); ) {
((Runnable) i.next()).run();
}
}
}
};
pumpMessagesTimer.scheduleAtFixedRate(
pumpMessagesTimerTask, 0, defaultEDTPollGranularity);
}
}
}
synchronized (pumpMessageDisplayMap) {
pumpMessageDisplayMap.put(dpy, pumpMessage);
}
}
private void initAWTReflection() {
if (null == cAWTEventQueue) {
ClassLoader cl = MainThread.class.getClassLoader();
cAWTEventQueue = ReflectionUtil.getClass("java.awt.EventQueue", true, cl);
mAWTInvokeAndWait =
ReflectionUtil.getMethod(
cAWTEventQueue, "invokeAndWait", new Class[] {java.lang.Runnable.class}, cl);
mAWTInvokeLater =
ReflectionUtil.getMethod(
cAWTEventQueue, "invokeLater", new Class[] {java.lang.Runnable.class}, cl);
mAWTIsDispatchThread =
ReflectionUtil.getMethod(cAWTEventQueue, "isDispatchThread", new Class[] {}, cl);
}
}
public void start() {
// nop
}
public void stop() {
if (DEBUG)
System.err.println("MainThread.stop(): " + Thread.currentThread().getName() + " start");
synchronized (taskWorkerLock) {
if (isRunning) {
shouldStop = true;
}
taskWorkerLock.notifyAll();
}
if (DEBUG)
System.err.println("MainThread.stop(): " + Thread.currentThread().getName() + " end");
}
public boolean isCurrentThreadEDT() {
if (NativeWindowFactory.isAWTAvailable()) {
initAWTReflection();
return ((Boolean) ReflectionUtil.callMethod(null, mAWTIsDispatchThread, null)).booleanValue();
}
return isRunning() && mainThread == Thread.currentThread();
}
public boolean isRunning() {
if (useMainThread) {
synchronized (taskWorkerLock) {
return isRunning;
}
}
return true; // AWT is always running
}
private void invokeLater(Runnable task) {
synchronized (taskWorkerLock) {
if (isRunning() && mainThread != Thread.currentThread()) {
tasks.add(task);
taskWorkerLock.notifyAll();
} else {
// if !running or isEDTThread, do it right away
task.run();
}
}
}
/** invokes the given Runnable */
public void invoke(boolean wait, Runnable r) {
if (r == null) {
return;
}
if (NativeWindowFactory.isAWTAvailable()) {
initAWTReflection();
// handover to AWT MainThread ..
try {
if (((Boolean) ReflectionUtil.callMethod(null, mAWTIsDispatchThread, null))
.booleanValue()) {
r.run();
return;
}
if (wait) {
ReflectionUtil.callMethod(null, mAWTInvokeAndWait, new Object[] {r});
} else {
ReflectionUtil.callMethod(null, mAWTInvokeLater, new Object[] {r});
}
} catch (Exception e) {
throw new NativeWindowException(e);
}
return;
}
// if this main thread is not being used or
// if this is already the main thread .. just execute.
if (!isRunning() || mainThread == Thread.currentThread()) {
r.run();
return;
}
boolean doWait = wait && isRunning() && mainThread != Thread.currentThread();
Object lock = new Object();
RunnableTask rTask = new RunnableTask(r, doWait ? lock : null, true);
Throwable throwable = null;
synchronized (lock) {
invokeLater(rTask);
if (doWait) {
try {
lock.wait();
} catch (InterruptedException ie) {
throwable = ie;
}
}
}
if (null == throwable) {
throwable = rTask.getThrowable();
}
if (null != throwable) {
throw new RuntimeException(throwable);
}
}
public void waitUntilIdle() {}
public void waitUntilStopped() {}
private void waitUntilRunning() {
synchronized (taskWorkerLock) {
if (isExit) return;
while (!isRunning) {
try {
taskWorkerLock.wait();
} catch (InterruptedException e) {
e.printStackTrace();
}
}
}
}
public void run() {
if (DEBUG) System.err.println("MainThread.run(): " + Thread.currentThread().getName());
synchronized (taskWorkerLock) {
isRunning = true;
taskWorkerLock.notifyAll();
}
while (!shouldStop) {
try {
// wait for something todo ..
synchronized (taskWorkerLock) {
while (!shouldStop && tasks.size() == 0) {
try {
taskWorkerLock.wait();
} catch (InterruptedException e) {
e.printStackTrace();
}
}
// take over the tasks ..
if (!shouldStop && tasks.size() > 0) {
Runnable task = (Runnable) tasks.remove(0);
task.run(); // FIXME: could be run outside of lock
}
taskWorkerLock.notifyAll();
}
} catch (Throwable t) {
// handle errors ..
t.printStackTrace();
} finally {
// epilog - unlock locked stuff
}
}
if (DEBUG) System.err.println("MainThread.run(): " + Thread.currentThread().getName() + " fin");
synchronized (taskWorkerLock) {
isRunning = false;
isExit = true;
taskWorkerLock.notifyAll();
}
}
}
private SingleResponse(DerValue der) throws IOException {
if (der.tag != DerValue.tag_Sequence) {
throw new IOException("Bad ASN.1 encoding in SingleResponse");
}
DerInputStream tmp = der.data;
certId = new CertId(tmp.getDerValue().data);
DerValue derVal = tmp.getDerValue();
short tag = (byte) (derVal.tag & 0x1f);
if (tag == CERT_STATUS_REVOKED) {
certStatus = CertStatus.REVOKED;
revocationTime = derVal.data.getGeneralizedTime();
if (derVal.data.available() != 0) {
DerValue dv = derVal.data.getDerValue();
tag = (byte) (dv.tag & 0x1f);
if (tag == 0) {
int reason = dv.data.getEnumerated();
// if reason out-of-range just leave as UNSPECIFIED
if (reason >= 0 && reason < values.length) {
revocationReason = values[reason];
} else {
revocationReason = CRLReason.UNSPECIFIED;
}
} else {
revocationReason = CRLReason.UNSPECIFIED;
}
} else {
revocationReason = CRLReason.UNSPECIFIED;
}
// RevokedInfo
if (debug != null) {
debug.println("Revocation time: " + revocationTime);
debug.println("Revocation reason: " + revocationReason);
}
} else {
revocationTime = null;
revocationReason = CRLReason.UNSPECIFIED;
if (tag == CERT_STATUS_GOOD) {
certStatus = CertStatus.GOOD;
} else if (tag == CERT_STATUS_UNKNOWN) {
certStatus = CertStatus.UNKNOWN;
} else {
throw new IOException("Invalid certificate status");
}
}
thisUpdate = tmp.getGeneralizedTime();
if (tmp.available() == 0) {
// we are done
nextUpdate = null;
} else {
derVal = tmp.getDerValue();
tag = (byte) (derVal.tag & 0x1f);
if (tag == 0) {
// next update
nextUpdate = derVal.data.getGeneralizedTime();
if (tmp.available() == 0) {
// we are done
} else {
derVal = tmp.getDerValue();
tag = (byte) (derVal.tag & 0x1f);
}
} else {
nextUpdate = null;
}
}
// singleExtensions
if (tmp.available() > 0) {
derVal = tmp.getDerValue();
if (derVal.isContextSpecific((byte) 1)) {
DerValue[] singleExtDer = derVal.data.getSequence(3);
singleExtensions = new HashMap<String, java.security.cert.Extension>(singleExtDer.length);
for (int i = 0; i < singleExtDer.length; i++) {
Extension ext = new Extension(singleExtDer[i]);
if (debug != null) {
debug.println("OCSP single extension: " + ext);
}
// We don't support any extensions yet. Therefore, if it
// is critical we must throw an exception because we
// don't know how to process it.
if (ext.isCritical()) {
throw new IOException("Unsupported OCSP critical extension: " + ext.getExtensionId());
}
singleExtensions.put(ext.getId(), ext);
}
} else {
singleExtensions = Collections.emptyMap();
}
} else {
singleExtensions = Collections.emptyMap();
}
}
void verify(List<CertId> certIds, X509Certificate responderCert, Date date, byte[] nonce)
throws CertPathValidatorException {
switch (responseStatus) {
case SUCCESSFUL:
break;
case TRY_LATER:
case INTERNAL_ERROR:
throw new CertPathValidatorException(
"OCSP response error: " + responseStatus,
null,
null,
-1,
BasicReason.UNDETERMINED_REVOCATION_STATUS);
case UNAUTHORIZED:
default:
throw new CertPathValidatorException("OCSP response error: " + responseStatus);
}
// Check that the response includes a response for all of the
// certs that were supplied in the request
for (CertId certId : certIds) {
SingleResponse sr = getSingleResponse(certId);
if (sr == null) {
if (debug != null) {
debug.println("No response found for CertId: " + certId);
}
throw new CertPathValidatorException(
"OCSP response does not include a response for a "
+ "certificate supplied in the OCSP request");
}
if (debug != null) {
debug.println(
"Status of certificate (with serial number "
+ certId.getSerialNumber()
+ ") is: "
+ sr.getCertStatus());
}
}
// Check whether the cert returned by the responder is trusted
if (!certs.isEmpty()) {
X509CertImpl cert = certs.get(0);
// First check if the cert matches the expected responder cert
if (cert.equals(responderCert)) {
// cert is trusted, now verify the signed response
// Next check if the cert was issued by the responder cert
// which was set locally.
} else if (cert.getIssuerX500Principal().equals(responderCert.getSubjectX500Principal())) {
// Check for the OCSPSigning key purpose
try {
List<String> keyPurposes = cert.getExtendedKeyUsage();
if (keyPurposes == null || !keyPurposes.contains(KP_OCSP_SIGNING_OID)) {
throw new CertPathValidatorException(
"Responder's certificate not valid for signing " + "OCSP responses");
}
} catch (CertificateParsingException cpe) {
// assume cert is not valid for signing
throw new CertPathValidatorException(
"Responder's certificate not valid for signing " + "OCSP responses", cpe);
}
// Check algorithm constraints specified in security property
// "jdk.certpath.disabledAlgorithms".
AlgorithmChecker algChecker = new AlgorithmChecker(new TrustAnchor(responderCert, null));
algChecker.init(false);
algChecker.check(cert, Collections.<String>emptySet());
// check the validity
try {
if (date == null) {
cert.checkValidity();
} else {
cert.checkValidity(date);
}
} catch (CertificateException e) {
throw new CertPathValidatorException(
"Responder's certificate not within the " + "validity period", e);
}
// check for revocation
//
// A CA may specify that an OCSP client can trust a
// responder for the lifetime of the responder's
// certificate. The CA does so by including the
// extension id-pkix-ocsp-nocheck.
//
Extension noCheck = cert.getExtension(PKIXExtensions.OCSPNoCheck_Id);
if (noCheck != null) {
if (debug != null) {
debug.println(
"Responder's certificate includes " + "the extension id-pkix-ocsp-nocheck.");
}
} else {
// we should do the revocation checking of the
// authorized responder in a future update.
}
// verify the signature
try {
cert.verify(responderCert.getPublicKey());
responderCert = cert;
// cert is trusted, now verify the signed response
} catch (GeneralSecurityException e) {
responderCert = null;
}
} else {
throw new CertPathValidatorException(
"Responder's certificate is not authorized to sign " + "OCSP responses");
}
}
// Confirm that the signed response was generated using the public
// key from the trusted responder cert
if (responderCert != null) {
// Check algorithm constraints specified in security property
// "jdk.certpath.disabledAlgorithms".
AlgorithmChecker.check(responderCert.getPublicKey(), sigAlgId);
if (!verifySignature(responderCert)) {
throw new CertPathValidatorException("Error verifying OCSP Response's signature");
}
} else {
// Need responder's cert in order to verify the signature
throw new CertPathValidatorException("Unable to verify OCSP Response's signature");
}
// Check freshness of OCSPResponse
if (nonce != null) {
if (responseNonce != null && !Arrays.equals(nonce, responseNonce)) {
throw new CertPathValidatorException("Nonces don't match");
}
}
long now = (date == null) ? System.currentTimeMillis() : date.getTime();
Date nowPlusSkew = new Date(now + MAX_CLOCK_SKEW);
Date nowMinusSkew = new Date(now - MAX_CLOCK_SKEW);
for (SingleResponse sr : singleResponseMap.values()) {
if (debug != null) {
String until = "";
if (sr.nextUpdate != null) {
until = " until " + sr.nextUpdate;
}
debug.println("Response's validity interval is from " + sr.thisUpdate + until);
}
// Check that the test date is within the validity interval
if ((sr.thisUpdate != null && nowPlusSkew.before(sr.thisUpdate))
|| (sr.nextUpdate != null && nowMinusSkew.after(sr.nextUpdate))) {
throw new CertPathValidatorException(
"Response is unreliable: its validity " + "interval is out-of-date");
}
}
}
/*
* Create an OCSP response from its ASN.1 DER encoding.
*/
OCSPResponse(byte[] bytes) throws IOException {
if (dump) {
HexDumpEncoder hexEnc = new HexDumpEncoder();
System.out.println("OCSPResponse bytes are...");
System.out.println(hexEnc.encode(bytes));
}
DerValue der = new DerValue(bytes);
if (der.tag != DerValue.tag_Sequence) {
throw new IOException("Bad encoding in OCSP response: " + "expected ASN.1 SEQUENCE tag.");
}
DerInputStream derIn = der.getData();
// responseStatus
int status = derIn.getEnumerated();
if (status >= 0 && status < rsvalues.length) {
responseStatus = rsvalues[status];
} else {
// unspecified responseStatus
throw new IOException("Unknown OCSPResponse status: " + status);
}
if (debug != null) {
debug.println("OCSP response status: " + responseStatus);
}
if (responseStatus != ResponseStatus.SUCCESSFUL) {
// no need to continue, responseBytes are not set.
singleResponseMap = Collections.emptyMap();
certs = Collections.<X509CertImpl>emptyList();
sigAlgId = null;
signature = null;
tbsResponseData = null;
responseNonce = null;
return;
}
// responseBytes
der = derIn.getDerValue();
if (!der.isContextSpecific((byte) 0)) {
throw new IOException(
"Bad encoding in responseBytes element "
+ "of OCSP response: expected ASN.1 context specific tag 0.");
}
DerValue tmp = der.data.getDerValue();
if (tmp.tag != DerValue.tag_Sequence) {
throw new IOException(
"Bad encoding in responseBytes element "
+ "of OCSP response: expected ASN.1 SEQUENCE tag.");
}
// responseType
derIn = tmp.data;
ObjectIdentifier responseType = derIn.getOID();
if (responseType.equals((Object) OCSP_BASIC_RESPONSE_OID)) {
if (debug != null) {
debug.println("OCSP response type: basic");
}
} else {
if (debug != null) {
debug.println("OCSP response type: " + responseType);
}
throw new IOException("Unsupported OCSP response type: " + responseType);
}
// BasicOCSPResponse
DerInputStream basicOCSPResponse = new DerInputStream(derIn.getOctetString());
DerValue[] seqTmp = basicOCSPResponse.getSequence(2);
if (seqTmp.length < 3) {
throw new IOException("Unexpected BasicOCSPResponse value");
}
DerValue responseData = seqTmp[0];
// Need the DER encoded ResponseData to verify the signature later
tbsResponseData = seqTmp[0].toByteArray();
// tbsResponseData
if (responseData.tag != DerValue.tag_Sequence) {
throw new IOException(
"Bad encoding in tbsResponseData "
+ "element of OCSP response: expected ASN.1 SEQUENCE tag.");
}
DerInputStream seqDerIn = responseData.data;
DerValue seq = seqDerIn.getDerValue();
// version
if (seq.isContextSpecific((byte) 0)) {
// seq[0] is version
if (seq.isConstructed() && seq.isContextSpecific()) {
// System.out.println ("version is available");
seq = seq.data.getDerValue();
int version = seq.getInteger();
if (seq.data.available() != 0) {
throw new IOException(
"Bad encoding in version " + " element of OCSP response: bad format");
}
seq = seqDerIn.getDerValue();
}
}
// responderID
short tag = (byte) (seq.tag & 0x1f);
if (tag == NAME_TAG) {
if (debug != null) {
X500Principal responderName = new X500Principal(seq.getData().toByteArray());
debug.println("OCSP Responder name: " + responderName);
}
} else if (tag == KEY_TAG) {
if (debug != null) {
byte[] responderKey = seq.getData().getOctetString();
debug.println("OCSP Responder key: " + Debug.toString(responderKey));
}
} else {
throw new IOException(
"Bad encoding in responderID element of "
+ "OCSP response: expected ASN.1 context specific tag 0 or 1");
}
// producedAt
seq = seqDerIn.getDerValue();
if (debug != null) {
Date producedAtDate = seq.getGeneralizedTime();
debug.println("OCSP response produced at: " + producedAtDate);
}
// responses
DerValue[] singleResponseDer = seqDerIn.getSequence(1);
singleResponseMap = new HashMap<>(singleResponseDer.length);
if (debug != null) {
debug.println("OCSP number of SingleResponses: " + singleResponseDer.length);
}
for (int i = 0; i < singleResponseDer.length; i++) {
SingleResponse singleResponse = new SingleResponse(singleResponseDer[i]);
singleResponseMap.put(singleResponse.getCertId(), singleResponse);
}
// responseExtensions
byte[] nonce = null;
if (seqDerIn.available() > 0) {
seq = seqDerIn.getDerValue();
if (seq.isContextSpecific((byte) 1)) {
DerValue[] responseExtDer = seq.data.getSequence(3);
for (int i = 0; i < responseExtDer.length; i++) {
Extension ext = new Extension(responseExtDer[i]);
if (debug != null) {
debug.println("OCSP extension: " + ext);
}
// Only the NONCE extension is recognized
if (ext.getExtensionId().equals((Object) OCSP.NONCE_EXTENSION_OID)) {
nonce = ext.getExtensionValue();
} else if (ext.isCritical()) {
throw new IOException("Unsupported OCSP critical extension: " + ext.getExtensionId());
}
}
}
}
responseNonce = nonce;
// signatureAlgorithmId
sigAlgId = AlgorithmId.parse(seqTmp[1]);
// signature
signature = seqTmp[2].getBitString();
// if seq[3] is available , then it is a sequence of certificates
if (seqTmp.length > 3) {
// certs are available
DerValue seqCert = seqTmp[3];
if (!seqCert.isContextSpecific((byte) 0)) {
throw new IOException(
"Bad encoding in certs element of "
+ "OCSP response: expected ASN.1 context specific tag 0.");
}
DerValue[] derCerts = seqCert.getData().getSequence(3);
certs = new ArrayList<X509CertImpl>(derCerts.length);
try {
for (int i = 0; i < derCerts.length; i++) {
certs.add(new X509CertImpl(derCerts[i].toByteArray()));
}
} catch (CertificateException ce) {
throw new IOException("Bad encoding in X509 Certificate", ce);
}
} else {
certs = Collections.<X509CertImpl>emptyList();
}
}
/**
* This class is used to process an OCSP response. The OCSP Response is defined in RFC 2560 and the
* ASN.1 encoding is as follows:
*
* <pre>
*
* OCSPResponse ::= SEQUENCE {
* responseStatus OCSPResponseStatus,
* responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
*
* OCSPResponseStatus ::= ENUMERATED {
* successful (0), --Response has valid confirmations
* malformedRequest (1), --Illegal confirmation request
* internalError (2), --Internal error in issuer
* tryLater (3), --Try again later
* --(4) is not used
* sigRequired (5), --Must sign the request
* unauthorized (6) --Request unauthorized
* }
*
* ResponseBytes ::= SEQUENCE {
* responseType OBJECT IDENTIFIER,
* response OCTET STRING }
*
* BasicOCSPResponse ::= SEQUENCE {
* tbsResponseData ResponseData,
* signatureAlgorithm AlgorithmIdentifier,
* signature BIT STRING,
* certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
*
* The value for signature SHALL be computed on the hash of the DER
* encoding ResponseData.
*
* ResponseData ::= SEQUENCE {
* version [0] EXPLICIT Version DEFAULT v1,
* responderID ResponderID,
* producedAt GeneralizedTime,
* responses SEQUENCE OF SingleResponse,
* responseExtensions [1] EXPLICIT Extensions OPTIONAL }
*
* ResponderID ::= CHOICE {
* byName [1] Name,
* byKey [2] KeyHash }
*
* KeyHash ::= OCTET STRING -- SHA-1 hash of responder's public key
* (excluding the tag and length fields)
*
* SingleResponse ::= SEQUENCE {
* certID CertID,
* certStatus CertStatus,
* thisUpdate GeneralizedTime,
* nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
* singleExtensions [1] EXPLICIT Extensions OPTIONAL }
*
* CertStatus ::= CHOICE {
* good [0] IMPLICIT NULL,
* revoked [1] IMPLICIT RevokedInfo,
* unknown [2] IMPLICIT UnknownInfo }
*
* RevokedInfo ::= SEQUENCE {
* revocationTime GeneralizedTime,
* revocationReason [0] EXPLICIT CRLReason OPTIONAL }
*
* UnknownInfo ::= NULL -- this can be replaced with an enumeration
*
* </pre>
*
* @author Ram Marti
*/
public final class OCSPResponse {
public enum ResponseStatus {
SUCCESSFUL, // Response has valid confirmations
MALFORMED_REQUEST, // Illegal request
INTERNAL_ERROR, // Internal error in responder
TRY_LATER, // Try again later
UNUSED, // is not used
SIG_REQUIRED, // Must sign the request
UNAUTHORIZED // Request unauthorized
};
private static ResponseStatus[] rsvalues = ResponseStatus.values();
private static final Debug debug = Debug.getInstance("certpath");
private static final boolean dump = false;
private static final ObjectIdentifier OCSP_BASIC_RESPONSE_OID =
ObjectIdentifier.newInternal(new int[] {1, 3, 6, 1, 5, 5, 7, 48, 1, 1});
private static final int CERT_STATUS_GOOD = 0;
private static final int CERT_STATUS_REVOKED = 1;
private static final int CERT_STATUS_UNKNOWN = 2;
// ResponderID CHOICE tags
private static final int NAME_TAG = 1;
private static final int KEY_TAG = 2;
// Object identifier for the OCSPSigning key purpose
private static final String KP_OCSP_SIGNING_OID = "1.3.6.1.5.5.7.3.9";
// Default maximum clock skew in milliseconds (15 minutes)
// allowed when checking validity of OCSP responses
private static final int DEFAULT_MAX_CLOCK_SKEW = 900000;
/**
* Integer value indicating the maximum allowable clock skew, in seconds, to be used for the OCSP
* check.
*/
private static final int MAX_CLOCK_SKEW = initializeClockSkew();
/**
* Initialize the maximum allowable clock skew by getting the OCSP clock skew system property. If
* the property has not been set, or if its value is negative, set the skew to the default.
*/
private static int initializeClockSkew() {
Integer tmp =
java.security.AccessController.doPrivileged(
new GetIntegerAction("com.sun.security.ocsp.clockSkew"));
if (tmp == null || tmp < 0) {
return DEFAULT_MAX_CLOCK_SKEW;
}
// Convert to milliseconds, as the system property will be
// specified in seconds
return tmp * 1000;
}
// an array of all of the CRLReasons (used in SingleResponse)
private static CRLReason[] values = CRLReason.values();
private final ResponseStatus responseStatus;
private final Map<CertId, SingleResponse> singleResponseMap;
private final List<X509CertImpl> certs;
private final AlgorithmId sigAlgId;
private final byte[] signature;
private final byte[] tbsResponseData;
private final byte[] responseNonce;
/*
* Create an OCSP response from its ASN.1 DER encoding.
*/
OCSPResponse(byte[] bytes) throws IOException {
if (dump) {
HexDumpEncoder hexEnc = new HexDumpEncoder();
System.out.println("OCSPResponse bytes are...");
System.out.println(hexEnc.encode(bytes));
}
DerValue der = new DerValue(bytes);
if (der.tag != DerValue.tag_Sequence) {
throw new IOException("Bad encoding in OCSP response: " + "expected ASN.1 SEQUENCE tag.");
}
DerInputStream derIn = der.getData();
// responseStatus
int status = derIn.getEnumerated();
if (status >= 0 && status < rsvalues.length) {
responseStatus = rsvalues[status];
} else {
// unspecified responseStatus
throw new IOException("Unknown OCSPResponse status: " + status);
}
if (debug != null) {
debug.println("OCSP response status: " + responseStatus);
}
if (responseStatus != ResponseStatus.SUCCESSFUL) {
// no need to continue, responseBytes are not set.
singleResponseMap = Collections.emptyMap();
certs = Collections.<X509CertImpl>emptyList();
sigAlgId = null;
signature = null;
tbsResponseData = null;
responseNonce = null;
return;
}
// responseBytes
der = derIn.getDerValue();
if (!der.isContextSpecific((byte) 0)) {
throw new IOException(
"Bad encoding in responseBytes element "
+ "of OCSP response: expected ASN.1 context specific tag 0.");
}
DerValue tmp = der.data.getDerValue();
if (tmp.tag != DerValue.tag_Sequence) {
throw new IOException(
"Bad encoding in responseBytes element "
+ "of OCSP response: expected ASN.1 SEQUENCE tag.");
}
// responseType
derIn = tmp.data;
ObjectIdentifier responseType = derIn.getOID();
if (responseType.equals((Object) OCSP_BASIC_RESPONSE_OID)) {
if (debug != null) {
debug.println("OCSP response type: basic");
}
} else {
if (debug != null) {
debug.println("OCSP response type: " + responseType);
}
throw new IOException("Unsupported OCSP response type: " + responseType);
}
// BasicOCSPResponse
DerInputStream basicOCSPResponse = new DerInputStream(derIn.getOctetString());
DerValue[] seqTmp = basicOCSPResponse.getSequence(2);
if (seqTmp.length < 3) {
throw new IOException("Unexpected BasicOCSPResponse value");
}
DerValue responseData = seqTmp[0];
// Need the DER encoded ResponseData to verify the signature later
tbsResponseData = seqTmp[0].toByteArray();
// tbsResponseData
if (responseData.tag != DerValue.tag_Sequence) {
throw new IOException(
"Bad encoding in tbsResponseData "
+ "element of OCSP response: expected ASN.1 SEQUENCE tag.");
}
DerInputStream seqDerIn = responseData.data;
DerValue seq = seqDerIn.getDerValue();
// version
if (seq.isContextSpecific((byte) 0)) {
// seq[0] is version
if (seq.isConstructed() && seq.isContextSpecific()) {
// System.out.println ("version is available");
seq = seq.data.getDerValue();
int version = seq.getInteger();
if (seq.data.available() != 0) {
throw new IOException(
"Bad encoding in version " + " element of OCSP response: bad format");
}
seq = seqDerIn.getDerValue();
}
}
// responderID
short tag = (byte) (seq.tag & 0x1f);
if (tag == NAME_TAG) {
if (debug != null) {
X500Principal responderName = new X500Principal(seq.getData().toByteArray());
debug.println("OCSP Responder name: " + responderName);
}
} else if (tag == KEY_TAG) {
if (debug != null) {
byte[] responderKey = seq.getData().getOctetString();
debug.println("OCSP Responder key: " + Debug.toString(responderKey));
}
} else {
throw new IOException(
"Bad encoding in responderID element of "
+ "OCSP response: expected ASN.1 context specific tag 0 or 1");
}
// producedAt
seq = seqDerIn.getDerValue();
if (debug != null) {
Date producedAtDate = seq.getGeneralizedTime();
debug.println("OCSP response produced at: " + producedAtDate);
}
// responses
DerValue[] singleResponseDer = seqDerIn.getSequence(1);
singleResponseMap = new HashMap<>(singleResponseDer.length);
if (debug != null) {
debug.println("OCSP number of SingleResponses: " + singleResponseDer.length);
}
for (int i = 0; i < singleResponseDer.length; i++) {
SingleResponse singleResponse = new SingleResponse(singleResponseDer[i]);
singleResponseMap.put(singleResponse.getCertId(), singleResponse);
}
// responseExtensions
byte[] nonce = null;
if (seqDerIn.available() > 0) {
seq = seqDerIn.getDerValue();
if (seq.isContextSpecific((byte) 1)) {
DerValue[] responseExtDer = seq.data.getSequence(3);
for (int i = 0; i < responseExtDer.length; i++) {
Extension ext = new Extension(responseExtDer[i]);
if (debug != null) {
debug.println("OCSP extension: " + ext);
}
// Only the NONCE extension is recognized
if (ext.getExtensionId().equals((Object) OCSP.NONCE_EXTENSION_OID)) {
nonce = ext.getExtensionValue();
} else if (ext.isCritical()) {
throw new IOException("Unsupported OCSP critical extension: " + ext.getExtensionId());
}
}
}
}
responseNonce = nonce;
// signatureAlgorithmId
sigAlgId = AlgorithmId.parse(seqTmp[1]);
// signature
signature = seqTmp[2].getBitString();
// if seq[3] is available , then it is a sequence of certificates
if (seqTmp.length > 3) {
// certs are available
DerValue seqCert = seqTmp[3];
if (!seqCert.isContextSpecific((byte) 0)) {
throw new IOException(
"Bad encoding in certs element of "
+ "OCSP response: expected ASN.1 context specific tag 0.");
}
DerValue[] derCerts = seqCert.getData().getSequence(3);
certs = new ArrayList<X509CertImpl>(derCerts.length);
try {
for (int i = 0; i < derCerts.length; i++) {
certs.add(new X509CertImpl(derCerts[i].toByteArray()));
}
} catch (CertificateException ce) {
throw new IOException("Bad encoding in X509 Certificate", ce);
}
} else {
certs = Collections.<X509CertImpl>emptyList();
}
}
void verify(List<CertId> certIds, X509Certificate responderCert, Date date, byte[] nonce)
throws CertPathValidatorException {
switch (responseStatus) {
case SUCCESSFUL:
break;
case TRY_LATER:
case INTERNAL_ERROR:
throw new CertPathValidatorException(
"OCSP response error: " + responseStatus,
null,
null,
-1,
BasicReason.UNDETERMINED_REVOCATION_STATUS);
case UNAUTHORIZED:
default:
throw new CertPathValidatorException("OCSP response error: " + responseStatus);
}
// Check that the response includes a response for all of the
// certs that were supplied in the request
for (CertId certId : certIds) {
SingleResponse sr = getSingleResponse(certId);
if (sr == null) {
if (debug != null) {
debug.println("No response found for CertId: " + certId);
}
throw new CertPathValidatorException(
"OCSP response does not include a response for a "
+ "certificate supplied in the OCSP request");
}
if (debug != null) {
debug.println(
"Status of certificate (with serial number "
+ certId.getSerialNumber()
+ ") is: "
+ sr.getCertStatus());
}
}
// Check whether the cert returned by the responder is trusted
if (!certs.isEmpty()) {
X509CertImpl cert = certs.get(0);
// First check if the cert matches the expected responder cert
if (cert.equals(responderCert)) {
// cert is trusted, now verify the signed response
// Next check if the cert was issued by the responder cert
// which was set locally.
} else if (cert.getIssuerX500Principal().equals(responderCert.getSubjectX500Principal())) {
// Check for the OCSPSigning key purpose
try {
List<String> keyPurposes = cert.getExtendedKeyUsage();
if (keyPurposes == null || !keyPurposes.contains(KP_OCSP_SIGNING_OID)) {
throw new CertPathValidatorException(
"Responder's certificate not valid for signing " + "OCSP responses");
}
} catch (CertificateParsingException cpe) {
// assume cert is not valid for signing
throw new CertPathValidatorException(
"Responder's certificate not valid for signing " + "OCSP responses", cpe);
}
// Check algorithm constraints specified in security property
// "jdk.certpath.disabledAlgorithms".
AlgorithmChecker algChecker = new AlgorithmChecker(new TrustAnchor(responderCert, null));
algChecker.init(false);
algChecker.check(cert, Collections.<String>emptySet());
// check the validity
try {
if (date == null) {
cert.checkValidity();
} else {
cert.checkValidity(date);
}
} catch (CertificateException e) {
throw new CertPathValidatorException(
"Responder's certificate not within the " + "validity period", e);
}
// check for revocation
//
// A CA may specify that an OCSP client can trust a
// responder for the lifetime of the responder's
// certificate. The CA does so by including the
// extension id-pkix-ocsp-nocheck.
//
Extension noCheck = cert.getExtension(PKIXExtensions.OCSPNoCheck_Id);
if (noCheck != null) {
if (debug != null) {
debug.println(
"Responder's certificate includes " + "the extension id-pkix-ocsp-nocheck.");
}
} else {
// we should do the revocation checking of the
// authorized responder in a future update.
}
// verify the signature
try {
cert.verify(responderCert.getPublicKey());
responderCert = cert;
// cert is trusted, now verify the signed response
} catch (GeneralSecurityException e) {
responderCert = null;
}
} else {
throw new CertPathValidatorException(
"Responder's certificate is not authorized to sign " + "OCSP responses");
}
}
// Confirm that the signed response was generated using the public
// key from the trusted responder cert
if (responderCert != null) {
// Check algorithm constraints specified in security property
// "jdk.certpath.disabledAlgorithms".
AlgorithmChecker.check(responderCert.getPublicKey(), sigAlgId);
if (!verifySignature(responderCert)) {
throw new CertPathValidatorException("Error verifying OCSP Response's signature");
}
} else {
// Need responder's cert in order to verify the signature
throw new CertPathValidatorException("Unable to verify OCSP Response's signature");
}
// Check freshness of OCSPResponse
if (nonce != null) {
if (responseNonce != null && !Arrays.equals(nonce, responseNonce)) {
throw new CertPathValidatorException("Nonces don't match");
}
}
long now = (date == null) ? System.currentTimeMillis() : date.getTime();
Date nowPlusSkew = new Date(now + MAX_CLOCK_SKEW);
Date nowMinusSkew = new Date(now - MAX_CLOCK_SKEW);
for (SingleResponse sr : singleResponseMap.values()) {
if (debug != null) {
String until = "";
if (sr.nextUpdate != null) {
until = " until " + sr.nextUpdate;
}
debug.println("Response's validity interval is from " + sr.thisUpdate + until);
}
// Check that the test date is within the validity interval
if ((sr.thisUpdate != null && nowPlusSkew.before(sr.thisUpdate))
|| (sr.nextUpdate != null && nowMinusSkew.after(sr.nextUpdate))) {
throw new CertPathValidatorException(
"Response is unreliable: its validity " + "interval is out-of-date");
}
}
}
/** Returns the OCSP ResponseStatus. */
ResponseStatus getResponseStatus() {
return responseStatus;
}
/*
* Verify the signature of the OCSP response.
* The responder's cert is implicitly trusted.
*/
private boolean verifySignature(X509Certificate cert) throws CertPathValidatorException {
try {
Signature respSignature = Signature.getInstance(sigAlgId.getName());
respSignature.initVerify(cert.getPublicKey());
respSignature.update(tbsResponseData);
if (respSignature.verify(signature)) {
if (debug != null) {
debug.println("Verified signature of OCSP Response");
}
return true;
} else {
if (debug != null) {
debug.println("Error verifying signature of OCSP Response");
}
return false;
}
} catch (InvalidKeyException | NoSuchAlgorithmException | SignatureException e) {
throw new CertPathValidatorException(e);
}
}
/**
* Returns the SingleResponse of the specified CertId, or null if there is no response for that
* CertId.
*/
SingleResponse getSingleResponse(CertId certId) {
return singleResponseMap.get(certId);
}
/*
* A class representing a single OCSP response.
*/
static final class SingleResponse implements OCSP.RevocationStatus {
private final CertId certId;
private final CertStatus certStatus;
private final Date thisUpdate;
private final Date nextUpdate;
private final Date revocationTime;
private final CRLReason revocationReason;
private final Map<String, java.security.cert.Extension> singleExtensions;
private SingleResponse(DerValue der) throws IOException {
if (der.tag != DerValue.tag_Sequence) {
throw new IOException("Bad ASN.1 encoding in SingleResponse");
}
DerInputStream tmp = der.data;
certId = new CertId(tmp.getDerValue().data);
DerValue derVal = tmp.getDerValue();
short tag = (byte) (derVal.tag & 0x1f);
if (tag == CERT_STATUS_REVOKED) {
certStatus = CertStatus.REVOKED;
revocationTime = derVal.data.getGeneralizedTime();
if (derVal.data.available() != 0) {
DerValue dv = derVal.data.getDerValue();
tag = (byte) (dv.tag & 0x1f);
if (tag == 0) {
int reason = dv.data.getEnumerated();
// if reason out-of-range just leave as UNSPECIFIED
if (reason >= 0 && reason < values.length) {
revocationReason = values[reason];
} else {
revocationReason = CRLReason.UNSPECIFIED;
}
} else {
revocationReason = CRLReason.UNSPECIFIED;
}
} else {
revocationReason = CRLReason.UNSPECIFIED;
}
// RevokedInfo
if (debug != null) {
debug.println("Revocation time: " + revocationTime);
debug.println("Revocation reason: " + revocationReason);
}
} else {
revocationTime = null;
revocationReason = CRLReason.UNSPECIFIED;
if (tag == CERT_STATUS_GOOD) {
certStatus = CertStatus.GOOD;
} else if (tag == CERT_STATUS_UNKNOWN) {
certStatus = CertStatus.UNKNOWN;
} else {
throw new IOException("Invalid certificate status");
}
}
thisUpdate = tmp.getGeneralizedTime();
if (tmp.available() == 0) {
// we are done
nextUpdate = null;
} else {
derVal = tmp.getDerValue();
tag = (byte) (derVal.tag & 0x1f);
if (tag == 0) {
// next update
nextUpdate = derVal.data.getGeneralizedTime();
if (tmp.available() == 0) {
// we are done
} else {
derVal = tmp.getDerValue();
tag = (byte) (derVal.tag & 0x1f);
}
} else {
nextUpdate = null;
}
}
// singleExtensions
if (tmp.available() > 0) {
derVal = tmp.getDerValue();
if (derVal.isContextSpecific((byte) 1)) {
DerValue[] singleExtDer = derVal.data.getSequence(3);
singleExtensions = new HashMap<String, java.security.cert.Extension>(singleExtDer.length);
for (int i = 0; i < singleExtDer.length; i++) {
Extension ext = new Extension(singleExtDer[i]);
if (debug != null) {
debug.println("OCSP single extension: " + ext);
}
// We don't support any extensions yet. Therefore, if it
// is critical we must throw an exception because we
// don't know how to process it.
if (ext.isCritical()) {
throw new IOException("Unsupported OCSP critical extension: " + ext.getExtensionId());
}
singleExtensions.put(ext.getId(), ext);
}
} else {
singleExtensions = Collections.emptyMap();
}
} else {
singleExtensions = Collections.emptyMap();
}
}
/*
* Return the certificate's revocation status code
*/
@Override
public CertStatus getCertStatus() {
return certStatus;
}
private CertId getCertId() {
return certId;
}
@Override
public Date getRevocationTime() {
return (Date) revocationTime.clone();
}
@Override
public CRLReason getRevocationReason() {
return revocationReason;
}
@Override
public Map<String, java.security.cert.Extension> getSingleExtensions() {
return Collections.unmodifiableMap(singleExtensions);
}
/** Construct a string representation of a single OCSP response. */
@Override
public String toString() {
StringBuilder sb = new StringBuilder();
sb.append("SingleResponse: \n");
sb.append(certId);
sb.append("\nCertStatus: " + certStatus + "\n");
if (certStatus == CertStatus.REVOKED) {
sb.append("revocationTime is " + revocationTime + "\n");
sb.append("revocationReason is " + revocationReason + "\n");
}
sb.append("thisUpdate is " + thisUpdate + "\n");
if (nextUpdate != null) {
sb.append("nextUpdate is " + nextUpdate + "\n");
}
return sb.toString();
}
}
}
/*
* Calculate the keys needed for this connection, once the session's
* master secret has been calculated. Uses the master key and nonces;
* the amount of keying material generated is a function of the cipher
* suite that's been negotiated.
*
* This gets called both on the "full handshake" (where we exchanged
* a premaster secret and started a new session) as well as on the
* "fast handshake" (where we just resumed a pre-existing session).
*/
void calculateConnectionKeys(SecretKey masterKey) {
/*
* For both the read and write sides of the protocol, we use the
* master to generate MAC secrets and cipher keying material. Block
* ciphers need initialization vectors, which we also generate.
*
* First we figure out how much keying material is needed.
*/
int hashSize = cipherSuite.macAlg.size;
boolean is_exportable = cipherSuite.exportable;
BulkCipher cipher = cipherSuite.cipher;
int expandedKeySize = is_exportable ? cipher.expandedKeySize : 0;
// Which algs/params do we need to use?
String keyMaterialAlg;
PRF prf;
if (protocolVersion.v >= ProtocolVersion.TLS12.v) {
keyMaterialAlg = "SunTls12KeyMaterial";
prf = cipherSuite.prfAlg;
} else {
keyMaterialAlg = "SunTlsKeyMaterial";
prf = P_NONE;
}
String prfHashAlg = prf.getPRFHashAlg();
int prfHashLength = prf.getPRFHashLength();
int prfBlockSize = prf.getPRFBlockSize();
TlsKeyMaterialParameterSpec spec =
new TlsKeyMaterialParameterSpec(
masterKey,
protocolVersion.major,
protocolVersion.minor,
clnt_random.random_bytes,
svr_random.random_bytes,
cipher.algorithm,
cipher.keySize,
expandedKeySize,
cipher.ivSize,
hashSize,
prfHashAlg,
prfHashLength,
prfBlockSize);
try {
KeyGenerator kg = JsseJce.getKeyGenerator(keyMaterialAlg);
kg.init(spec);
TlsKeyMaterialSpec keySpec = (TlsKeyMaterialSpec) kg.generateKey();
clntWriteKey = keySpec.getClientCipherKey();
svrWriteKey = keySpec.getServerCipherKey();
// Return null if IVs are not supposed to be generated.
// e.g. TLS 1.1+.
clntWriteIV = keySpec.getClientIv();
svrWriteIV = keySpec.getServerIv();
clntMacSecret = keySpec.getClientMacKey();
svrMacSecret = keySpec.getServerMacKey();
} catch (GeneralSecurityException e) {
throw new ProviderException(e);
}
//
// Dump the connection keys as they're generated.
//
if (debug != null && Debug.isOn("keygen")) {
synchronized (System.out) {
HexDumpEncoder dump = new HexDumpEncoder();
System.out.println("CONNECTION KEYGEN:");
// Inputs:
System.out.println("Client Nonce:");
printHex(dump, clnt_random.random_bytes);
System.out.println("Server Nonce:");
printHex(dump, svr_random.random_bytes);
System.out.println("Master Secret:");
printHex(dump, masterKey.getEncoded());
// Outputs:
System.out.println("Client MAC write Secret:");
printHex(dump, clntMacSecret.getEncoded());
System.out.println("Server MAC write Secret:");
printHex(dump, svrMacSecret.getEncoded());
if (clntWriteKey != null) {
System.out.println("Client write key:");
printHex(dump, clntWriteKey.getEncoded());
System.out.println("Server write key:");
printHex(dump, svrWriteKey.getEncoded());
} else {
System.out.println("... no encryption keys used");
}
if (clntWriteIV != null) {
System.out.println("Client write IV:");
printHex(dump, clntWriteIV.getIV());
System.out.println("Server write IV:");
printHex(dump, svrWriteIV.getIV());
} else {
if (protocolVersion.v >= ProtocolVersion.TLS11.v) {
System.out.println("... no IV derived for this protocol");
} else {
System.out.println("... no IV used for this cipher");
}
}
System.out.flush();
}
}
}
/*
* Calculate the master secret from its various components. This is
* used for key exchange by all cipher suites.
*
* The master secret is the catenation of three MD5 hashes, each
* consisting of the pre-master secret and a SHA1 hash. Those three
* SHA1 hashes are of (different) constant strings, the pre-master
* secret, and the nonces provided by the client and the server.
*/
private SecretKey calculateMasterSecret(
SecretKey preMasterSecret, ProtocolVersion requestedVersion) {
if (debug != null && Debug.isOn("keygen")) {
HexDumpEncoder dump = new HexDumpEncoder();
System.out.println("SESSION KEYGEN:");
System.out.println("PreMaster Secret:");
printHex(dump, preMasterSecret.getEncoded());
// Nonces are dumped with connection keygen, no
// benefit to doing it twice
}
// What algs/params do we need to use?
String masterAlg;
PRF prf;
if (protocolVersion.v >= ProtocolVersion.TLS12.v) {
masterAlg = "SunTls12MasterSecret";
prf = cipherSuite.prfAlg;
} else {
masterAlg = "SunTlsMasterSecret";
prf = P_NONE;
}
String prfHashAlg = prf.getPRFHashAlg();
int prfHashLength = prf.getPRFHashLength();
int prfBlockSize = prf.getPRFBlockSize();
TlsMasterSecretParameterSpec spec =
new TlsMasterSecretParameterSpec(
preMasterSecret,
protocolVersion.major,
protocolVersion.minor,
clnt_random.random_bytes,
svr_random.random_bytes,
prfHashAlg,
prfHashLength,
prfBlockSize);
SecretKey masterSecret;
try {
KeyGenerator kg = JsseJce.getKeyGenerator(masterAlg);
kg.init(spec);
masterSecret = kg.generateKey();
} catch (GeneralSecurityException e) {
// For RSA premaster secrets, do not signal a protocol error
// due to the Bleichenbacher attack. See comments further down.
if (!preMasterSecret.getAlgorithm().equals("TlsRsaPremasterSecret")) {
throw new ProviderException(e);
}
if (debug != null && Debug.isOn("handshake")) {
System.out.println("RSA master secret generation error:");
e.printStackTrace(System.out);
System.out.println("Generating new random premaster secret");
}
if (requestedVersion != null) {
preMasterSecret = RSAClientKeyExchange.generateDummySecret(requestedVersion);
} else {
preMasterSecret = RSAClientKeyExchange.generateDummySecret(protocolVersion);
}
// recursive call with new premaster secret
return calculateMasterSecret(preMasterSecret, null);
}
// if no version check requested (client side handshake), or version
// information is not available (not an RSA premaster secret),
// return master secret immediately.
if ((requestedVersion == null) || !(masterSecret instanceof TlsMasterSecret)) {
return masterSecret;
}
// we have checked the ClientKeyExchange message when reading TLS
// record, the following check is necessary to ensure that
// JCE provider does not ignore the checking, or the previous
// checking process bypassed the premaster secret version checking.
TlsMasterSecret tlsKey = (TlsMasterSecret) masterSecret;
int major = tlsKey.getMajorVersion();
int minor = tlsKey.getMinorVersion();
if ((major < 0) || (minor < 0)) {
return masterSecret;
}
// check if the premaster secret version is ok
// the specification says that it must be the maximum version supported
// by the client from its ClientHello message. However, many
// implementations send the negotiated version, so accept both
// for SSL v3.0 and TLS v1.0.
// NOTE that we may be comparing two unsupported version numbers, which
// is why we cannot use object reference equality in this special case.
ProtocolVersion premasterVersion = ProtocolVersion.valueOf(major, minor);
boolean versionMismatch = (premasterVersion.v != requestedVersion.v);
/*
* we never checked the client_version in server side
* for TLS v1.0 and SSL v3.0. For compatibility, we
* maintain this behavior.
*/
if (versionMismatch && requestedVersion.v <= ProtocolVersion.TLS10.v) {
versionMismatch = (premasterVersion.v != protocolVersion.v);
}
if (versionMismatch == false) {
// check passed, return key
return masterSecret;
}
// Due to the Bleichenbacher attack, do not signal a protocol error.
// Generate a random premaster secret and continue with the handshake,
// which will fail when verifying the finished messages.
// For more information, see comments in PreMasterSecret.
if (debug != null && Debug.isOn("handshake")) {
System.out.println(
"RSA PreMasterSecret version error: expected"
+ protocolVersion
+ " or "
+ requestedVersion
+ ", decrypted: "
+ premasterVersion);
System.out.println("Generating new random premaster secret");
}
preMasterSecret = RSAClientKeyExchange.generateDummySecret(requestedVersion);
// recursive call with new premaster secret
return calculateMasterSecret(preMasterSecret, null);
}
