/**
* Get the secret data that has been agreed on through Diffie-Hellman key agreement protocol. Note
* that in the two party protocol, if the peer keys are already known, no other data needs to be
* sent in order to agree on a secret. That is, a secured message may be sent without any
* mandatory round-trip overheads.
*
* <p>It is illegal to call this member function if the private key has not been set (or
* generated).
*
* @param peerPublicKey the peer's public key.
* @returns the secret, which is an unsigned big-endian integer the same size as the
* Diffie-Hellman modulus.
*/
SecretKey getAgreedSecret(BigInteger peerPublicValue) {
try {
KeyFactory kf = JsseJce.getKeyFactory("DiffieHellman");
DHPublicKeySpec spec = new DHPublicKeySpec(peerPublicValue, modulus, base);
PublicKey publicKey = kf.generatePublic(spec);
KeyAgreement ka = JsseJce.getKeyAgreement("DiffieHellman");
ka.init(privateKey);
ka.doPhase(publicKey, true);
return ka.generateSecret("TlsPremasterSecret");
} catch (GeneralSecurityException e) {
throw new RuntimeException("Could not generate secret", e);
}
}
static DHPublicKeySpec getDHPublicKeySpec(PublicKey key) {
if (key instanceof DHPublicKey) {
DHPublicKey dhKey = (DHPublicKey) key;
DHParameterSpec params = dhKey.getParams();
return new DHPublicKeySpec(dhKey.getY(), params.getP(), params.getG());
}
try {
KeyFactory factory = JsseJce.getKeyFactory("DH");
return (DHPublicKeySpec) factory.getKeySpec(key, DHPublicKeySpec.class);
} catch (Exception e) {
throw new RuntimeException(e);
}
}
/** Generate a Diffie-Hellman keypair of the specified size. */
DHCrypt(int keyLength, SecureRandom random) {
try {
KeyPairGenerator kpg = JsseJce.getKeyPairGenerator("DiffieHellman");
kpg.initialize(keyLength, random);
KeyPair kp = kpg.generateKeyPair();
privateKey = kp.getPrivate();
DHPublicKeySpec spec = getDHPublicKeySpec(kp.getPublic());
publicValue = spec.getY();
modulus = spec.getP();
base = spec.getG();
} catch (GeneralSecurityException e) {
throw new RuntimeException("Could not generate DH keypair", e);
}
}
/**
* Generate a Diffie-Hellman keypair using the specified parameters.
*
* @param modulus the Diffie-Hellman modulus P
* @param base the Diffie-Hellman base G
*/
DHCrypt(BigInteger modulus, BigInteger base, SecureRandom random) {
this.modulus = modulus;
this.base = base;
try {
KeyPairGenerator kpg = JsseJce.getKeyPairGenerator("DiffieHellman");
DHParameterSpec params = new DHParameterSpec(modulus, base);
kpg.initialize(params, random);
KeyPair kp = kpg.generateKeyPair();
privateKey = kp.getPrivate();
DHPublicKeySpec spec = getDHPublicKeySpec(kp.getPublic());
publicValue = spec.getY();
} catch (GeneralSecurityException e) {
throw new RuntimeException("Could not generate DH keypair", e);
}
}
/*
* Calculate the keys needed for this connection, once the session's
* master secret has been calculated. Uses the master key and nonces;
* the amount of keying material generated is a function of the cipher
* suite that's been negotiated.
*
* This gets called both on the "full handshake" (where we exchanged
* a premaster secret and started a new session) as well as on the
* "fast handshake" (where we just resumed a pre-existing session).
*/
void calculateConnectionKeys(SecretKey masterKey) {
/*
* For both the read and write sides of the protocol, we use the
* master to generate MAC secrets and cipher keying material. Block
* ciphers need initialization vectors, which we also generate.
*
* First we figure out how much keying material is needed.
*/
int hashSize = cipherSuite.macAlg.size;
boolean is_exportable = cipherSuite.exportable;
BulkCipher cipher = cipherSuite.cipher;
int expandedKeySize = is_exportable ? cipher.expandedKeySize : 0;
// Which algs/params do we need to use?
String keyMaterialAlg;
PRF prf;
if (protocolVersion.v >= ProtocolVersion.TLS12.v) {
keyMaterialAlg = "SunTls12KeyMaterial";
prf = cipherSuite.prfAlg;
} else {
keyMaterialAlg = "SunTlsKeyMaterial";
prf = P_NONE;
}
String prfHashAlg = prf.getPRFHashAlg();
int prfHashLength = prf.getPRFHashLength();
int prfBlockSize = prf.getPRFBlockSize();
TlsKeyMaterialParameterSpec spec =
new TlsKeyMaterialParameterSpec(
masterKey,
protocolVersion.major,
protocolVersion.minor,
clnt_random.random_bytes,
svr_random.random_bytes,
cipher.algorithm,
cipher.keySize,
expandedKeySize,
cipher.ivSize,
hashSize,
prfHashAlg,
prfHashLength,
prfBlockSize);
try {
KeyGenerator kg = JsseJce.getKeyGenerator(keyMaterialAlg);
kg.init(spec);
TlsKeyMaterialSpec keySpec = (TlsKeyMaterialSpec) kg.generateKey();
clntWriteKey = keySpec.getClientCipherKey();
svrWriteKey = keySpec.getServerCipherKey();
// Return null if IVs are not supposed to be generated.
// e.g. TLS 1.1+.
clntWriteIV = keySpec.getClientIv();
svrWriteIV = keySpec.getServerIv();
clntMacSecret = keySpec.getClientMacKey();
svrMacSecret = keySpec.getServerMacKey();
} catch (GeneralSecurityException e) {
throw new ProviderException(e);
}
//
// Dump the connection keys as they're generated.
//
if (debug != null && Debug.isOn("keygen")) {
synchronized (System.out) {
HexDumpEncoder dump = new HexDumpEncoder();
System.out.println("CONNECTION KEYGEN:");
// Inputs:
System.out.println("Client Nonce:");
printHex(dump, clnt_random.random_bytes);
System.out.println("Server Nonce:");
printHex(dump, svr_random.random_bytes);
System.out.println("Master Secret:");
printHex(dump, masterKey.getEncoded());
// Outputs:
System.out.println("Client MAC write Secret:");
printHex(dump, clntMacSecret.getEncoded());
System.out.println("Server MAC write Secret:");
printHex(dump, svrMacSecret.getEncoded());
if (clntWriteKey != null) {
System.out.println("Client write key:");
printHex(dump, clntWriteKey.getEncoded());
System.out.println("Server write key:");
printHex(dump, svrWriteKey.getEncoded());
} else {
System.out.println("... no encryption keys used");
}
if (clntWriteIV != null) {
System.out.println("Client write IV:");
printHex(dump, clntWriteIV.getIV());
System.out.println("Server write IV:");
printHex(dump, svrWriteIV.getIV());
} else {
if (protocolVersion.v >= ProtocolVersion.TLS11.v) {
System.out.println("... no IV derived for this protocol");
} else {
System.out.println("... no IV used for this cipher");
}
}
System.out.flush();
}
}
}
/*
* Calculate the master secret from its various components. This is
* used for key exchange by all cipher suites.
*
* The master secret is the catenation of three MD5 hashes, each
* consisting of the pre-master secret and a SHA1 hash. Those three
* SHA1 hashes are of (different) constant strings, the pre-master
* secret, and the nonces provided by the client and the server.
*/
private SecretKey calculateMasterSecret(
SecretKey preMasterSecret, ProtocolVersion requestedVersion) {
if (debug != null && Debug.isOn("keygen")) {
HexDumpEncoder dump = new HexDumpEncoder();
System.out.println("SESSION KEYGEN:");
System.out.println("PreMaster Secret:");
printHex(dump, preMasterSecret.getEncoded());
// Nonces are dumped with connection keygen, no
// benefit to doing it twice
}
// What algs/params do we need to use?
String masterAlg;
PRF prf;
if (protocolVersion.v >= ProtocolVersion.TLS12.v) {
masterAlg = "SunTls12MasterSecret";
prf = cipherSuite.prfAlg;
} else {
masterAlg = "SunTlsMasterSecret";
prf = P_NONE;
}
String prfHashAlg = prf.getPRFHashAlg();
int prfHashLength = prf.getPRFHashLength();
int prfBlockSize = prf.getPRFBlockSize();
TlsMasterSecretParameterSpec spec =
new TlsMasterSecretParameterSpec(
preMasterSecret,
protocolVersion.major,
protocolVersion.minor,
clnt_random.random_bytes,
svr_random.random_bytes,
prfHashAlg,
prfHashLength,
prfBlockSize);
SecretKey masterSecret;
try {
KeyGenerator kg = JsseJce.getKeyGenerator(masterAlg);
kg.init(spec);
masterSecret = kg.generateKey();
} catch (GeneralSecurityException e) {
// For RSA premaster secrets, do not signal a protocol error
// due to the Bleichenbacher attack. See comments further down.
if (!preMasterSecret.getAlgorithm().equals("TlsRsaPremasterSecret")) {
throw new ProviderException(e);
}
if (debug != null && Debug.isOn("handshake")) {
System.out.println("RSA master secret generation error:");
e.printStackTrace(System.out);
System.out.println("Generating new random premaster secret");
}
if (requestedVersion != null) {
preMasterSecret = RSAClientKeyExchange.generateDummySecret(requestedVersion);
} else {
preMasterSecret = RSAClientKeyExchange.generateDummySecret(protocolVersion);
}
// recursive call with new premaster secret
return calculateMasterSecret(preMasterSecret, null);
}
// if no version check requested (client side handshake), or version
// information is not available (not an RSA premaster secret),
// return master secret immediately.
if ((requestedVersion == null) || !(masterSecret instanceof TlsMasterSecret)) {
return masterSecret;
}
// we have checked the ClientKeyExchange message when reading TLS
// record, the following check is necessary to ensure that
// JCE provider does not ignore the checking, or the previous
// checking process bypassed the premaster secret version checking.
TlsMasterSecret tlsKey = (TlsMasterSecret) masterSecret;
int major = tlsKey.getMajorVersion();
int minor = tlsKey.getMinorVersion();
if ((major < 0) || (minor < 0)) {
return masterSecret;
}
// check if the premaster secret version is ok
// the specification says that it must be the maximum version supported
// by the client from its ClientHello message. However, many
// implementations send the negotiated version, so accept both
// for SSL v3.0 and TLS v1.0.
// NOTE that we may be comparing two unsupported version numbers, which
// is why we cannot use object reference equality in this special case.
ProtocolVersion premasterVersion = ProtocolVersion.valueOf(major, minor);
boolean versionMismatch = (premasterVersion.v != requestedVersion.v);
/*
* we never checked the client_version in server side
* for TLS v1.0 and SSL v3.0. For compatibility, we
* maintain this behavior.
*/
if (versionMismatch && requestedVersion.v <= ProtocolVersion.TLS10.v) {
versionMismatch = (premasterVersion.v != protocolVersion.v);
}
if (versionMismatch == false) {
// check passed, return key
return masterSecret;
}
// Due to the Bleichenbacher attack, do not signal a protocol error.
// Generate a random premaster secret and continue with the handshake,
// which will fail when verifying the finished messages.
// For more information, see comments in PreMasterSecret.
if (debug != null && Debug.isOn("handshake")) {
System.out.println(
"RSA PreMasterSecret version error: expected"
+ protocolVersion
+ " or "
+ requestedVersion
+ ", decrypted: "
+ premasterVersion);
System.out.println("Generating new random premaster secret");
}
preMasterSecret = RSAClientKeyExchange.generateDummySecret(requestedVersion);
// recursive call with new premaster secret
return calculateMasterSecret(preMasterSecret, null);
}
