/* * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. Oracle designates this * particular file as subject to the "Classpath" exception as provided * by Oracle in the LICENSE file that accompanied this code. * * This code is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * version 2 for more details (a copy is included in the LICENSE file that * accompanied this code). * * You should have received a copy of the GNU General Public License version * 2 along with this work; if not, write to the Free Software Foundation, * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. * * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA * or visit www.oracle.com if you need additional information or have any * questions. */ package sun.security.ssl; import java.util.Map; import java.util.HashMap; import java.util.Collections; import java.util.regex.Pattern; import java.util.regex.Matcher; import java.math.BigInteger; import java.security.*; import java.io.IOException; import javax.net.ssl.SSLHandshakeException; import javax.crypto.SecretKey; import javax.crypto.KeyAgreement; import javax.crypto.interfaces.DHPublicKey; import javax.crypto.spec.*; import java.util.EnumSet; import sun.security.util.KeyUtil; /** * This class implements the Diffie-Hellman key exchange algorithm. * D-H means combining your private key with your partners public key to * generate a number. The peer does the same with its private key and our * public key. Through the magic of Diffie-Hellman we both come up with the * same number. This number is secret (discounting MITM attacks) and hence * called the shared secret. It has the same length as the modulus, e.g. 512 * or 1024 bit. Man-in-the-middle attacks are typically countered by an * independent authentication step using certificates (RSA, DSA, etc.). * * The thing to note is that the shared secret is constant for two partners * with constant private keys. This is often not what we want, which is why * it is generally a good idea to create a new private key for each session. * Generating a private key involves one modular exponentiation assuming * suitable D-H parameters are available. * * General usage of this class (TLS DHE case): * . if we are server, call DHCrypt(keyLength,random). This generates * an ephemeral keypair of the request length. * . if we are client, call DHCrypt(modulus, base, random). This * generates an ephemeral keypair using the parameters specified by * the server. * . send parameters and public value to remote peer * . receive peers ephemeral public key * . call getAgreedSecret() to calculate the shared secret * * In TLS the server chooses the parameter values itself, the client must use * those sent to it by the server. * * The use of ephemeral keys as described above also achieves what is called * "forward secrecy". This means that even if the authentication keys are * broken at a later date, the shared secret remains secure. The session is * compromised only if the authentication keys are already broken at the * time the key exchange takes place and an active MITM attack is used. * This is in contrast to straightforward encrypting RSA key exchanges. * * @author David Brownell */ final class DHCrypt { // group parameters (prime modulus and generator) private BigInteger modulus; // P (aka N) private BigInteger base; // G (aka alpha) // our private key (including private component x) private PrivateKey privateKey; // public component of our key, X = (g ^ x) mod p private BigInteger publicValue; // X (aka y) // the times to recove from failure if public key validation private static int MAX_FAILOVER_TIMES = 2; /** * Generate a Diffie-Hellman keypair of the specified size. */ DHCrypt(int keyLength, SecureRandom random) { this(keyLength, ParametersHolder.definedParams.get(keyLength), random); } /** * Generate a Diffie-Hellman keypair using the specified parameters. * * @param modulus the Diffie-Hellman modulus P * @param base the Diffie-Hellman base G */ DHCrypt(BigInteger modulus, BigInteger base, SecureRandom random) { this(modulus.bitLength(), new DHParameterSpec(modulus, base), random); } /** * Generate a Diffie-Hellman keypair using the specified size and * parameters. */ private DHCrypt(int keyLength, DHParameterSpec params, SecureRandom random) { try { KeyPairGenerator kpg = JsseJce.getKeyPairGenerator("DiffieHellman"); if (params != null) { kpg.initialize(params, random); } else { kpg.initialize(keyLength, random); } DHPublicKeySpec spec = generateDHPublicKeySpec(kpg); if (spec == null) { throw new RuntimeException("Could not generate DH keypair"); } publicValue = spec.getY(); modulus = spec.getP(); base = spec.getG(); } catch (GeneralSecurityException e) { throw new RuntimeException("Could not generate DH keypair", e); } } static DHPublicKeySpec getDHPublicKeySpec(PublicKey key) { if (key instanceof DHPublicKey) { DHPublicKey dhKey = (DHPublicKey)key; DHParameterSpec params = dhKey.getParams(); return new DHPublicKeySpec(dhKey.getY(), params.getP(), params.getG()); } try { KeyFactory factory = JsseJce.getKeyFactory("DH"); return factory.getKeySpec(key, DHPublicKeySpec.class); } catch (Exception e) { throw new RuntimeException(e); } } /** Returns the Diffie-Hellman modulus. */ BigInteger getModulus() { return modulus; } /** Returns the Diffie-Hellman base (generator). */ BigInteger getBase() { return base; } /** * Gets the public key of this end of the key exchange. */ BigInteger getPublicKey() { return publicValue; } /** * Get the secret data that has been agreed on through Diffie-Hellman * key agreement protocol. Note that in the two party protocol, if * the peer keys are already known, no other data needs to be sent in * order to agree on a secret. That is, a secured message may be * sent without any mandatory round-trip overheads. * *

It is illegal to call this member function if the private key * has not been set (or generated). * * @param peerPublicKey the peer's public key. * @param keyIsValidated whether the {@code peerPublicKey} has beed * validated * @return the secret, which is an unsigned big-endian integer * the same size as the Diffie-Hellman modulus. */ SecretKey getAgreedSecret(BigInteger peerPublicValue, boolean keyIsValidated) throws SSLHandshakeException { try { KeyFactory kf = JsseJce.getKeyFactory("DiffieHellman"); DHPublicKeySpec spec = new DHPublicKeySpec(peerPublicValue, modulus, base); PublicKey publicKey = kf.generatePublic(spec); KeyAgreement ka = JsseJce.getKeyAgreement("DiffieHellman"); // validate the Diffie-Hellman public key if (!keyIsValidated && !KeyUtil.isOracleJCEProvider(ka.getProvider().getName())) { try { KeyUtil.validate(spec); } catch (InvalidKeyException ike) { // prefer handshake_failure alert to internal_error alert throw new SSLHandshakeException(ike.getMessage()); } } ka.init(privateKey); ka.doPhase(publicKey, true); return ka.generateSecret("TlsPremasterSecret"); } catch (GeneralSecurityException e) { throw (SSLHandshakeException) new SSLHandshakeException( "Could not generate secret").initCause(e); } } // Check constraints of the specified DH public key. void checkConstraints(AlgorithmConstraints constraints, BigInteger peerPublicValue) throws SSLHandshakeException { try { KeyFactory kf = JsseJce.getKeyFactory("DiffieHellman"); DHPublicKeySpec spec = new DHPublicKeySpec(peerPublicValue, modulus, base); DHPublicKey publicKey = (DHPublicKey)kf.generatePublic(spec); // check constraints of DHPublicKey if (!constraints.permits( EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), publicKey)) { throw new SSLHandshakeException( "DHPublicKey does not comply to algorithm constraints"); } } catch (GeneralSecurityException gse) { throw (SSLHandshakeException) new SSLHandshakeException( "Could not generate DHPublicKey").initCause(gse); } } // Generate and validate DHPublicKeySpec private DHPublicKeySpec generateDHPublicKeySpec(KeyPairGenerator kpg) throws GeneralSecurityException { boolean doExtraValiadtion = (!KeyUtil.isOracleJCEProvider(kpg.getProvider().getName())); for (int i = 0; i <= MAX_FAILOVER_TIMES; i++) { KeyPair kp = kpg.generateKeyPair(); privateKey = kp.getPrivate(); DHPublicKeySpec spec = getDHPublicKeySpec(kp.getPublic()); // validate the Diffie-Hellman public key if (doExtraValiadtion) { try { KeyUtil.validate(spec); } catch (InvalidKeyException ivke) { if (i == MAX_FAILOVER_TIMES) { throw ivke; } // otherwise, ignore the exception and try the next one continue; } } return spec; } return null; } // lazy initialization holder class idiom for static default parameters // // See Effective Java Second Edition: Item 71. private static class ParametersHolder { private final static boolean debugIsOn = (Debug.getInstance("ssl") != null) && Debug.isOn("sslctx"); // // Default DH ephemeral parameters // private static final BigInteger g2 = BigInteger.valueOf(2); private static final BigInteger p512 = new BigInteger( // generated "D87780E15FF50B4ABBE89870188B049406B5BEA98AB23A02" + "41D88EA75B7755E669C08093D3F0CA7FC3A5A25CF067DCB9" + "A43DD89D1D90921C6328884461E0B6D3", 16); private static final BigInteger p768 = new BigInteger( // RFC 2409 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" + "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" + "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" + "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16); private static final BigInteger p1024 = new BigInteger( // RFC 2409 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" + "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" + "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" + "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" + "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381" + "FFFFFFFFFFFFFFFF", 16); private static final BigInteger p2048 = new BigInteger( // TLS FEDHE "FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1" + "D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF9" + "7D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD6561" + "2433F51F5F066ED0856365553DED1AF3B557135E7F57C935" + "984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE735" + "30ACCA4F483A797ABC0AB182B324FB61D108A94BB2C8E3FB" + "B96ADAB760D7F4681D4F42A3DE394DF4AE56EDE76372BB19" + "0B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F61" + "9172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD73" + "3BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA" + "886B423861285C97FFFFFFFFFFFFFFFF", 16); private static final BigInteger[] supportedPrimes = { p512, p768, p1024, p2048}; // a measure of the uncertainty that prime modulus p is not a prime // // see BigInteger.isProbablePrime(int certainty) private final static int PRIME_CERTAINTY = 120; // the known security property, jdk.tls.server.defaultDHEParameters private final static String PROPERTY_NAME = "jdk.tls.server.defaultDHEParameters"; private static final Pattern spacesPattern = Pattern.compile("\\s+"); private final static Pattern syntaxPattern = Pattern.compile( "(\\{[0-9A-Fa-f]+,[0-9A-Fa-f]+\\})" + "(,\\{[0-9A-Fa-f]+,[0-9A-Fa-f]+\\})*"); private static final Pattern paramsPattern = Pattern.compile( "\\{([0-9A-Fa-f]+),([0-9A-Fa-f]+)\\}"); // cache of predefined default DH ephemeral parameters private final static Map definedParams; static { String property = AccessController.doPrivileged( new PrivilegedAction() { public String run() { return Security.getProperty(PROPERTY_NAME); } }); if (property != null && !property.isEmpty()) { // remove double quote marks from beginning/end of the property if (property.length() >= 2 && property.charAt(0) == '"' && property.charAt(property.length() - 1) == '"') { property = property.substring(1, property.length() - 1); } property = property.trim(); } if (property != null && !property.isEmpty()) { Matcher spacesMatcher = spacesPattern.matcher(property); property = spacesMatcher.replaceAll(""); if (debugIsOn) { System.out.println("The Security Property " + PROPERTY_NAME + ": " + property); } } Map defaultParams = new HashMap<>(); if (property != null && !property.isEmpty()) { Matcher syntaxMatcher = syntaxPattern.matcher(property); if (syntaxMatcher.matches()) { Matcher paramsFinder = paramsPattern.matcher(property); while(paramsFinder.find()) { String primeModulus = paramsFinder.group(1); BigInteger p = new BigInteger(primeModulus, 16); if (!p.isProbablePrime(PRIME_CERTAINTY)) { if (debugIsOn) { System.out.println( "Prime modulus p in Security Property, " + PROPERTY_NAME + ", is not a prime: " + primeModulus); } continue; } String baseGenerator = paramsFinder.group(2); BigInteger g = new BigInteger(baseGenerator, 16); DHParameterSpec spec = new DHParameterSpec(p, g); int primeLen = p.bitLength(); defaultParams.put(primeLen, spec); } } else if (debugIsOn) { System.out.println("Invalid Security Property, " + PROPERTY_NAME + ", definition"); } } for (BigInteger p : supportedPrimes) { int primeLen = p.bitLength(); defaultParams.putIfAbsent(primeLen, new DHParameterSpec(p, g2)); } definedParams = Collections.unmodifiableMap( defaultParams); } } }