1 package org.bouncycastle.tls; 2 3 import java.io.ByteArrayInputStream; 4 import java.io.ByteArrayOutputStream; 5 import java.io.EOFException; 6 import java.io.IOException; 7 import java.io.InputStream; 8 import java.io.OutputStream; 9 import java.math.BigInteger; 10 import java.util.Enumeration; 11 import java.util.Hashtable; 12 import java.util.Vector; 13 14 import org.bouncycastle.asn1.ASN1Encoding; 15 import org.bouncycastle.asn1.ASN1InputStream; 16 import org.bouncycastle.asn1.ASN1Integer; 17 import org.bouncycastle.asn1.ASN1ObjectIdentifier; 18 import org.bouncycastle.asn1.ASN1Primitive; 19 import org.bouncycastle.asn1.ASN1Sequence; 20 import org.bouncycastle.asn1.bsi.BSIObjectIdentifiers; 21 import org.bouncycastle.asn1.eac.EACObjectIdentifiers; 22 import org.bouncycastle.asn1.edec.EdECObjectIdentifiers; 23 import org.bouncycastle.asn1.nist.NISTObjectIdentifiers; 24 import org.bouncycastle.asn1.oiw.OIWObjectIdentifiers; 25 import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; 26 import org.bouncycastle.asn1.pkcs.RSASSAPSSparams; 27 import org.bouncycastle.asn1.rosstandart.RosstandartObjectIdentifiers; 28 import org.bouncycastle.asn1.x509.X509ObjectIdentifiers; 29 import org.bouncycastle.asn1.x9.X9ObjectIdentifiers; 30 import org.bouncycastle.tls.crypto.TlsAgreement; 31 import org.bouncycastle.tls.crypto.TlsCertificate; 32 import org.bouncycastle.tls.crypto.TlsCipher; 33 import org.bouncycastle.tls.crypto.TlsCrypto; 34 import org.bouncycastle.tls.crypto.TlsCryptoParameters; 35 import org.bouncycastle.tls.crypto.TlsCryptoUtils; 36 import org.bouncycastle.tls.crypto.TlsDHConfig; 37 import org.bouncycastle.tls.crypto.TlsECConfig; 38 import org.bouncycastle.tls.crypto.TlsHMAC; 39 import org.bouncycastle.tls.crypto.TlsHash; 40 import org.bouncycastle.tls.crypto.TlsSecret; 41 import org.bouncycastle.tls.crypto.TlsStreamSigner; 42 import org.bouncycastle.tls.crypto.TlsStreamVerifier; 43 import org.bouncycastle.tls.crypto.TlsVerifier; 44 import org.bouncycastle.util.Arrays; 45 import org.bouncycastle.util.Integers; 46 import org.bouncycastle.util.Shorts; 47 import org.bouncycastle.util.encoders.Hex; 48 import org.bouncycastle.util.io.Streams; 49 50 /** 51 * Some helper functions for the TLS API. 52 */ 53 public class TlsUtils 54 { 55 private static byte[] DOWNGRADE_TLS11 = Hex.decodeStrict("444F574E47524400"); 56 private static byte[] DOWNGRADE_TLS12 = Hex.decodeStrict("444F574E47524401"); 57 58 // Map OID strings to HashAlgorithm values 59 private static final Hashtable CERT_SIG_ALG_OIDS = createCertSigAlgOIDs(); 60 private static final Vector DEFAULT_SUPPORTED_SIG_ALGS = createDefaultSupportedSigAlgs(); 61 addCertSigAlgOID(Hashtable h, ASN1ObjectIdentifier oid, SignatureAndHashAlgorithm sigAndHash)62 private static void addCertSigAlgOID(Hashtable h, ASN1ObjectIdentifier oid, SignatureAndHashAlgorithm sigAndHash) 63 { 64 h.put(oid.getId(), sigAndHash); 65 } 66 addCertSigAlgOID(Hashtable h, ASN1ObjectIdentifier oid, short hashAlgorithm, short signatureAlgorithm)67 private static void addCertSigAlgOID(Hashtable h, ASN1ObjectIdentifier oid, short hashAlgorithm, short signatureAlgorithm) 68 { 69 addCertSigAlgOID(h, oid, SignatureAndHashAlgorithm.getInstance(hashAlgorithm, signatureAlgorithm)); 70 } 71 createCertSigAlgOIDs()72 private static Hashtable createCertSigAlgOIDs() 73 { 74 Hashtable h = new Hashtable(); 75 76 addCertSigAlgOID(h, NISTObjectIdentifiers.dsa_with_sha224, HashAlgorithm.sha224, SignatureAlgorithm.dsa); 77 addCertSigAlgOID(h, NISTObjectIdentifiers.dsa_with_sha256, HashAlgorithm.sha256, SignatureAlgorithm.dsa); 78 addCertSigAlgOID(h, NISTObjectIdentifiers.dsa_with_sha384, HashAlgorithm.sha384, SignatureAlgorithm.dsa); 79 addCertSigAlgOID(h, NISTObjectIdentifiers.dsa_with_sha512, HashAlgorithm.sha512, SignatureAlgorithm.dsa); 80 81 addCertSigAlgOID(h, OIWObjectIdentifiers.dsaWithSHA1, HashAlgorithm.sha1, SignatureAlgorithm.dsa); 82 addCertSigAlgOID(h, OIWObjectIdentifiers.sha1WithRSA, HashAlgorithm.sha1, SignatureAlgorithm.rsa); 83 84 addCertSigAlgOID(h, PKCSObjectIdentifiers.sha1WithRSAEncryption, HashAlgorithm.sha1, SignatureAlgorithm.rsa); 85 addCertSigAlgOID(h, PKCSObjectIdentifiers.sha224WithRSAEncryption, HashAlgorithm.sha224, SignatureAlgorithm.rsa); 86 addCertSigAlgOID(h, PKCSObjectIdentifiers.sha256WithRSAEncryption, HashAlgorithm.sha256, SignatureAlgorithm.rsa); 87 addCertSigAlgOID(h, PKCSObjectIdentifiers.sha384WithRSAEncryption, HashAlgorithm.sha384, SignatureAlgorithm.rsa); 88 addCertSigAlgOID(h, PKCSObjectIdentifiers.sha512WithRSAEncryption, HashAlgorithm.sha512, SignatureAlgorithm.rsa); 89 90 addCertSigAlgOID(h, X9ObjectIdentifiers.ecdsa_with_SHA1, HashAlgorithm.sha1, SignatureAlgorithm.ecdsa); 91 addCertSigAlgOID(h, X9ObjectIdentifiers.ecdsa_with_SHA224, HashAlgorithm.sha224, SignatureAlgorithm.ecdsa); 92 addCertSigAlgOID(h, X9ObjectIdentifiers.ecdsa_with_SHA256, HashAlgorithm.sha256, SignatureAlgorithm.ecdsa); 93 addCertSigAlgOID(h, X9ObjectIdentifiers.ecdsa_with_SHA384, HashAlgorithm.sha384, SignatureAlgorithm.ecdsa); 94 addCertSigAlgOID(h, X9ObjectIdentifiers.ecdsa_with_SHA512, HashAlgorithm.sha512, SignatureAlgorithm.ecdsa); 95 addCertSigAlgOID(h, X9ObjectIdentifiers.id_dsa_with_sha1, HashAlgorithm.sha1, SignatureAlgorithm.dsa); 96 97 addCertSigAlgOID(h, EACObjectIdentifiers.id_TA_ECDSA_SHA_1, HashAlgorithm.sha1, SignatureAlgorithm.ecdsa); 98 addCertSigAlgOID(h, EACObjectIdentifiers.id_TA_ECDSA_SHA_224, HashAlgorithm.sha224, SignatureAlgorithm.ecdsa); 99 addCertSigAlgOID(h, EACObjectIdentifiers.id_TA_ECDSA_SHA_256, HashAlgorithm.sha256, SignatureAlgorithm.ecdsa); 100 addCertSigAlgOID(h, EACObjectIdentifiers.id_TA_ECDSA_SHA_384, HashAlgorithm.sha384, SignatureAlgorithm.ecdsa); 101 addCertSigAlgOID(h, EACObjectIdentifiers.id_TA_ECDSA_SHA_512, HashAlgorithm.sha512, SignatureAlgorithm.ecdsa); 102 addCertSigAlgOID(h, EACObjectIdentifiers.id_TA_RSA_v1_5_SHA_1, HashAlgorithm.sha1, SignatureAlgorithm.rsa); 103 addCertSigAlgOID(h, EACObjectIdentifiers.id_TA_RSA_v1_5_SHA_256, HashAlgorithm.sha256, SignatureAlgorithm.rsa); 104 105 addCertSigAlgOID(h, BSIObjectIdentifiers.ecdsa_plain_SHA1, HashAlgorithm.sha1, SignatureAlgorithm.ecdsa); 106 addCertSigAlgOID(h, BSIObjectIdentifiers.ecdsa_plain_SHA224, HashAlgorithm.sha224, SignatureAlgorithm.ecdsa); 107 addCertSigAlgOID(h, BSIObjectIdentifiers.ecdsa_plain_SHA256, HashAlgorithm.sha256, SignatureAlgorithm.ecdsa); 108 addCertSigAlgOID(h, BSIObjectIdentifiers.ecdsa_plain_SHA384, HashAlgorithm.sha384, SignatureAlgorithm.ecdsa); 109 addCertSigAlgOID(h, BSIObjectIdentifiers.ecdsa_plain_SHA512, HashAlgorithm.sha512, SignatureAlgorithm.ecdsa); 110 111 addCertSigAlgOID(h, EdECObjectIdentifiers.id_Ed25519, SignatureAndHashAlgorithm.ed25519); 112 addCertSigAlgOID(h, EdECObjectIdentifiers.id_Ed448, SignatureAndHashAlgorithm.ed448); 113 114 addCertSigAlgOID(h, RosstandartObjectIdentifiers.id_tc26_signwithdigest_gost_3410_12_256, 115 SignatureAndHashAlgorithm.gostr34102012_256); 116 addCertSigAlgOID(h, RosstandartObjectIdentifiers.id_tc26_signwithdigest_gost_3410_12_512, 117 SignatureAndHashAlgorithm.gostr34102012_512); 118 119 // TODO[RFC 8998] 120 // addCertSigAlgOID(h, GMObjectIdentifiers.sm2sign_with_sm3, HashAlgorithm.sm3, SignatureAlgorithm.sm2); 121 122 return h; 123 } 124 createDefaultSupportedSigAlgs()125 private static Vector createDefaultSupportedSigAlgs() 126 { 127 Vector result = new Vector(); 128 result.addElement(SignatureAndHashAlgorithm.ed25519); 129 result.addElement(SignatureAndHashAlgorithm.ed448); 130 result.addElement(SignatureAndHashAlgorithm.getInstance(HashAlgorithm.sha256, SignatureAlgorithm.ecdsa)); 131 result.addElement(SignatureAndHashAlgorithm.getInstance(HashAlgorithm.sha384, SignatureAlgorithm.ecdsa)); 132 result.addElement(SignatureAndHashAlgorithm.getInstance(HashAlgorithm.sha512, SignatureAlgorithm.ecdsa)); 133 result.addElement(SignatureAndHashAlgorithm.rsa_pss_rsae_sha256); 134 result.addElement(SignatureAndHashAlgorithm.rsa_pss_rsae_sha384); 135 result.addElement(SignatureAndHashAlgorithm.rsa_pss_rsae_sha512); 136 result.addElement(SignatureAndHashAlgorithm.rsa_pss_pss_sha256); 137 result.addElement(SignatureAndHashAlgorithm.rsa_pss_pss_sha384); 138 result.addElement(SignatureAndHashAlgorithm.rsa_pss_pss_sha512); 139 result.addElement(SignatureAndHashAlgorithm.getInstance(HashAlgorithm.sha256, SignatureAlgorithm.rsa)); 140 result.addElement(SignatureAndHashAlgorithm.getInstance(HashAlgorithm.sha384, SignatureAlgorithm.rsa)); 141 result.addElement(SignatureAndHashAlgorithm.getInstance(HashAlgorithm.sha512, SignatureAlgorithm.rsa)); 142 result.addElement(SignatureAndHashAlgorithm.getInstance(HashAlgorithm.sha256, SignatureAlgorithm.dsa)); 143 result.addElement(SignatureAndHashAlgorithm.getInstance(HashAlgorithm.sha384, SignatureAlgorithm.dsa)); 144 result.addElement(SignatureAndHashAlgorithm.getInstance(HashAlgorithm.sha512, SignatureAlgorithm.dsa)); 145 result.addElement(SignatureAndHashAlgorithm.getInstance(HashAlgorithm.sha224, SignatureAlgorithm.ecdsa)); 146 result.addElement(SignatureAndHashAlgorithm.getInstance(HashAlgorithm.sha224, SignatureAlgorithm.rsa)); 147 result.addElement(SignatureAndHashAlgorithm.getInstance(HashAlgorithm.sha224, SignatureAlgorithm.dsa)); 148 result.addElement(SignatureAndHashAlgorithm.getInstance(HashAlgorithm.sha1, SignatureAlgorithm.ecdsa)); 149 result.addElement(SignatureAndHashAlgorithm.getInstance(HashAlgorithm.sha1, SignatureAlgorithm.rsa)); 150 result.addElement(SignatureAndHashAlgorithm.getInstance(HashAlgorithm.sha1, SignatureAlgorithm.dsa)); 151 return result; 152 } 153 154 public static final byte[] EMPTY_BYTES = new byte[0]; 155 public static final short[] EMPTY_SHORTS = new short[0]; 156 public static final int[] EMPTY_INTS = new int[0]; 157 public static final long[] EMPTY_LONGS = new long[0]; 158 public static final String[] EMPTY_STRINGS = new String[0]; 159 160 static final short MINIMUM_HASH_STRICT = HashAlgorithm.sha1; 161 static final short MINIMUM_HASH_PREFERRED = HashAlgorithm.sha256; 162 checkUint8(short i)163 public static void checkUint8(short i) throws IOException 164 { 165 if (!isValidUint8(i)) 166 { 167 throw new TlsFatalAlert(AlertDescription.internal_error); 168 } 169 } 170 checkUint8(int i)171 public static void checkUint8(int i) throws IOException 172 { 173 if (!isValidUint8(i)) 174 { 175 throw new TlsFatalAlert(AlertDescription.internal_error); 176 } 177 } 178 checkUint8(long i)179 public static void checkUint8(long i) throws IOException 180 { 181 if (!isValidUint8(i)) 182 { 183 throw new TlsFatalAlert(AlertDescription.internal_error); 184 } 185 } 186 checkUint16(int i)187 public static void checkUint16(int i) throws IOException 188 { 189 if (!isValidUint16(i)) 190 { 191 throw new TlsFatalAlert(AlertDescription.internal_error); 192 } 193 } 194 checkUint16(long i)195 public static void checkUint16(long i) throws IOException 196 { 197 if (!isValidUint16(i)) 198 { 199 throw new TlsFatalAlert(AlertDescription.internal_error); 200 } 201 } 202 checkUint24(int i)203 public static void checkUint24(int i) throws IOException 204 { 205 if (!isValidUint24(i)) 206 { 207 throw new TlsFatalAlert(AlertDescription.internal_error); 208 } 209 } 210 checkUint24(long i)211 public static void checkUint24(long i) throws IOException 212 { 213 if (!isValidUint24(i)) 214 { 215 throw new TlsFatalAlert(AlertDescription.internal_error); 216 } 217 } 218 checkUint32(long i)219 public static void checkUint32(long i) throws IOException 220 { 221 if (!isValidUint32(i)) 222 { 223 throw new TlsFatalAlert(AlertDescription.internal_error); 224 } 225 } 226 checkUint48(long i)227 public static void checkUint48(long i) throws IOException 228 { 229 if (!isValidUint48(i)) 230 { 231 throw new TlsFatalAlert(AlertDescription.internal_error); 232 } 233 } 234 checkUint64(long i)235 public static void checkUint64(long i) throws IOException 236 { 237 if (!isValidUint64(i)) 238 { 239 throw new TlsFatalAlert(AlertDescription.internal_error); 240 } 241 } 242 isValidUint8(short i)243 public static boolean isValidUint8(short i) 244 { 245 return (i & 0xFF) == i; 246 } 247 isValidUint8(int i)248 public static boolean isValidUint8(int i) 249 { 250 return (i & 0xFF) == i; 251 } 252 isValidUint8(long i)253 public static boolean isValidUint8(long i) 254 { 255 return (i & 0xFFL) == i; 256 } 257 isValidUint16(int i)258 public static boolean isValidUint16(int i) 259 { 260 return (i & 0xFFFF) == i; 261 } 262 isValidUint16(long i)263 public static boolean isValidUint16(long i) 264 { 265 return (i & 0xFFFFL) == i; 266 } 267 isValidUint24(int i)268 public static boolean isValidUint24(int i) 269 { 270 return (i & 0xFFFFFF) == i; 271 } 272 isValidUint24(long i)273 public static boolean isValidUint24(long i) 274 { 275 return (i & 0xFFFFFFL) == i; 276 } 277 isValidUint32(long i)278 public static boolean isValidUint32(long i) 279 { 280 return (i & 0xFFFFFFFFL) == i; 281 } 282 isValidUint48(long i)283 public static boolean isValidUint48(long i) 284 { 285 return (i & 0xFFFFFFFFFFFFL) == i; 286 } 287 isValidUint64(long i)288 public static boolean isValidUint64(long i) 289 { 290 return true; 291 } 292 isSSL(TlsContext context)293 public static boolean isSSL(TlsContext context) 294 { 295 return context.getServerVersion().isSSL(); 296 } 297 isTLSv10(ProtocolVersion version)298 public static boolean isTLSv10(ProtocolVersion version) 299 { 300 return ProtocolVersion.TLSv10.isEqualOrEarlierVersionOf(version.getEquivalentTLSVersion()); 301 } 302 isTLSv10(TlsContext context)303 public static boolean isTLSv10(TlsContext context) 304 { 305 return isTLSv10(context.getServerVersion()); 306 } 307 isTLSv11(ProtocolVersion version)308 public static boolean isTLSv11(ProtocolVersion version) 309 { 310 return ProtocolVersion.TLSv11.isEqualOrEarlierVersionOf(version.getEquivalentTLSVersion()); 311 } 312 isTLSv11(TlsContext context)313 public static boolean isTLSv11(TlsContext context) 314 { 315 return isTLSv11(context.getServerVersion()); 316 } 317 isTLSv12(ProtocolVersion version)318 public static boolean isTLSv12(ProtocolVersion version) 319 { 320 return ProtocolVersion.TLSv12.isEqualOrEarlierVersionOf(version.getEquivalentTLSVersion()); 321 } 322 isTLSv12(TlsContext context)323 public static boolean isTLSv12(TlsContext context) 324 { 325 return isTLSv12(context.getServerVersion()); 326 } 327 isTLSv13(ProtocolVersion version)328 public static boolean isTLSv13(ProtocolVersion version) 329 { 330 return ProtocolVersion.TLSv13.isEqualOrEarlierVersionOf(version.getEquivalentTLSVersion()); 331 } 332 isTLSv13(TlsContext context)333 public static boolean isTLSv13(TlsContext context) 334 { 335 return isTLSv13(context.getServerVersion()); 336 } 337 writeUint8(short i, OutputStream output)338 public static void writeUint8(short i, OutputStream output) 339 throws IOException 340 { 341 output.write(i); 342 } 343 writeUint8(int i, OutputStream output)344 public static void writeUint8(int i, OutputStream output) 345 throws IOException 346 { 347 output.write(i); 348 } 349 writeUint8(short i, byte[] buf, int offset)350 public static void writeUint8(short i, byte[] buf, int offset) 351 { 352 buf[offset] = (byte)i; 353 } 354 writeUint8(int i, byte[] buf, int offset)355 public static void writeUint8(int i, byte[] buf, int offset) 356 { 357 buf[offset] = (byte)i; 358 } 359 writeUint16(int i, OutputStream output)360 public static void writeUint16(int i, OutputStream output) 361 throws IOException 362 { 363 output.write(i >>> 8); 364 output.write(i); 365 } 366 writeUint16(int i, byte[] buf, int offset)367 public static void writeUint16(int i, byte[] buf, int offset) 368 { 369 buf[offset] = (byte)(i >>> 8); 370 buf[offset + 1] = (byte)i; 371 } 372 writeUint24(int i, OutputStream output)373 public static void writeUint24(int i, OutputStream output) 374 throws IOException 375 { 376 output.write((byte)(i >>> 16)); 377 output.write((byte)(i >>> 8)); 378 output.write((byte)i); 379 } 380 writeUint24(int i, byte[] buf, int offset)381 public static void writeUint24(int i, byte[] buf, int offset) 382 { 383 buf[offset] = (byte)(i >>> 16); 384 buf[offset + 1] = (byte)(i >>> 8); 385 buf[offset + 2] = (byte)i; 386 } 387 writeUint32(long i, OutputStream output)388 public static void writeUint32(long i, OutputStream output) 389 throws IOException 390 { 391 output.write((byte)(i >>> 24)); 392 output.write((byte)(i >>> 16)); 393 output.write((byte)(i >>> 8)); 394 output.write((byte)i); 395 } 396 writeUint32(long i, byte[] buf, int offset)397 public static void writeUint32(long i, byte[] buf, int offset) 398 { 399 buf[offset] = (byte)(i >>> 24); 400 buf[offset + 1] = (byte)(i >>> 16); 401 buf[offset + 2] = (byte)(i >>> 8); 402 buf[offset + 3] = (byte)i; 403 } 404 writeUint48(long i, OutputStream output)405 public static void writeUint48(long i, OutputStream output) 406 throws IOException 407 { 408 output.write((byte)(i >>> 40)); 409 output.write((byte)(i >>> 32)); 410 output.write((byte)(i >>> 24)); 411 output.write((byte)(i >>> 16)); 412 output.write((byte)(i >>> 8)); 413 output.write((byte)i); 414 } 415 writeUint48(long i, byte[] buf, int offset)416 public static void writeUint48(long i, byte[] buf, int offset) 417 { 418 buf[offset] = (byte)(i >>> 40); 419 buf[offset + 1] = (byte)(i >>> 32); 420 buf[offset + 2] = (byte)(i >>> 24); 421 buf[offset + 3] = (byte)(i >>> 16); 422 buf[offset + 4] = (byte)(i >>> 8); 423 buf[offset + 5] = (byte)i; 424 } 425 writeUint64(long i, OutputStream output)426 public static void writeUint64(long i, OutputStream output) 427 throws IOException 428 { 429 output.write((byte)(i >>> 56)); 430 output.write((byte)(i >>> 48)); 431 output.write((byte)(i >>> 40)); 432 output.write((byte)(i >>> 32)); 433 output.write((byte)(i >>> 24)); 434 output.write((byte)(i >>> 16)); 435 output.write((byte)(i >>> 8)); 436 output.write((byte)i); 437 } 438 writeUint64(long i, byte[] buf, int offset)439 public static void writeUint64(long i, byte[] buf, int offset) 440 { 441 buf[offset] = (byte)(i >>> 56); 442 buf[offset + 1] = (byte)(i >>> 48); 443 buf[offset + 2] = (byte)(i >>> 40); 444 buf[offset + 3] = (byte)(i >>> 32); 445 buf[offset + 4] = (byte)(i >>> 24); 446 buf[offset + 5] = (byte)(i >>> 16); 447 buf[offset + 6] = (byte)(i >>> 8); 448 buf[offset + 7] = (byte)i; 449 } 450 writeOpaque8(byte[] buf, OutputStream output)451 public static void writeOpaque8(byte[] buf, OutputStream output) 452 throws IOException 453 { 454 checkUint8(buf.length); 455 writeUint8(buf.length, output); 456 output.write(buf); 457 } 458 writeOpaque8(byte[] data, byte[] buf, int off)459 public static void writeOpaque8(byte[] data, byte[] buf, int off) 460 throws IOException 461 { 462 checkUint8(data.length); 463 writeUint8(data.length, buf, off); 464 System.arraycopy(data, 0, buf, off + 1, data.length); 465 } 466 writeOpaque16(byte[] buf, OutputStream output)467 public static void writeOpaque16(byte[] buf, OutputStream output) 468 throws IOException 469 { 470 checkUint16(buf.length); 471 writeUint16(buf.length, output); 472 output.write(buf); 473 } 474 writeOpaque16(byte[] data, byte[] buf, int off)475 public static void writeOpaque16(byte[] data, byte[] buf, int off) 476 throws IOException 477 { 478 checkUint16(data.length); 479 writeUint16(data.length, buf, off); 480 System.arraycopy(data, 0, buf, off + 2, data.length); 481 } 482 writeOpaque24(byte[] buf, OutputStream output)483 public static void writeOpaque24(byte[] buf, OutputStream output) 484 throws IOException 485 { 486 checkUint24(buf.length); 487 writeUint24(buf.length, output); 488 output.write(buf); 489 } 490 writeOpaque24(byte[] data, byte[] buf, int off)491 public static void writeOpaque24(byte[] data, byte[] buf, int off) 492 throws IOException 493 { 494 checkUint24(data.length); 495 writeUint24(data.length, buf, off); 496 System.arraycopy(data, 0, buf, off + 3, data.length); 497 } 498 writeUint8Array(short[] uints, OutputStream output)499 public static void writeUint8Array(short[] uints, OutputStream output) 500 throws IOException 501 { 502 for (int i = 0; i < uints.length; ++i) 503 { 504 writeUint8(uints[i], output); 505 } 506 } 507 writeUint8Array(short[] uints, byte[] buf, int offset)508 public static void writeUint8Array(short[] uints, byte[] buf, int offset) 509 throws IOException 510 { 511 for (int i = 0; i < uints.length; ++i) 512 { 513 writeUint8(uints[i], buf, offset); 514 ++offset; 515 } 516 } 517 writeUint8ArrayWithUint8Length(short[] uints, OutputStream output)518 public static void writeUint8ArrayWithUint8Length(short[] uints, OutputStream output) 519 throws IOException 520 { 521 checkUint8(uints.length); 522 writeUint8(uints.length, output); 523 writeUint8Array(uints, output); 524 } 525 writeUint8ArrayWithUint8Length(short[] uints, byte[] buf, int offset)526 public static void writeUint8ArrayWithUint8Length(short[] uints, byte[] buf, int offset) 527 throws IOException 528 { 529 checkUint8(uints.length); 530 writeUint8(uints.length, buf, offset); 531 writeUint8Array(uints, buf, offset + 1); 532 } 533 writeUint16Array(int[] uints, OutputStream output)534 public static void writeUint16Array(int[] uints, OutputStream output) 535 throws IOException 536 { 537 for (int i = 0; i < uints.length; ++i) 538 { 539 writeUint16(uints[i], output); 540 } 541 } 542 writeUint16Array(int[] uints, byte[] buf, int offset)543 public static void writeUint16Array(int[] uints, byte[] buf, int offset) 544 throws IOException 545 { 546 for (int i = 0; i < uints.length; ++i) 547 { 548 writeUint16(uints[i], buf, offset); 549 offset += 2; 550 } 551 } 552 writeUint16ArrayWithUint16Length(int[] uints, OutputStream output)553 public static void writeUint16ArrayWithUint16Length(int[] uints, OutputStream output) 554 throws IOException 555 { 556 int length = 2 * uints.length; 557 checkUint16(length); 558 writeUint16(length, output); 559 writeUint16Array(uints, output); 560 } 561 writeUint16ArrayWithUint16Length(int[] uints, byte[] buf, int offset)562 public static void writeUint16ArrayWithUint16Length(int[] uints, byte[] buf, int offset) 563 throws IOException 564 { 565 int length = 2 * uints.length; 566 checkUint16(length); 567 writeUint16(length, buf, offset); 568 writeUint16Array(uints, buf, offset + 2); 569 } 570 decodeOpaque8(byte[] buf)571 public static byte[] decodeOpaque8(byte[] buf) 572 throws IOException 573 { 574 return decodeOpaque8(buf, 0); 575 } 576 decodeOpaque8(byte[] buf, int minLength)577 public static byte[] decodeOpaque8(byte[] buf, int minLength) 578 throws IOException 579 { 580 if (buf == null) 581 { 582 throw new IllegalArgumentException("'buf' cannot be null"); 583 } 584 if (buf.length < 1) 585 { 586 throw new TlsFatalAlert(AlertDescription.decode_error); 587 } 588 short length = readUint8(buf, 0); 589 if (buf.length != (length + 1) || length < minLength) 590 { 591 throw new TlsFatalAlert(AlertDescription.decode_error); 592 } 593 return copyOfRangeExact(buf, 1, buf.length); 594 } 595 decodeOpaque16(byte[] buf)596 public static byte[] decodeOpaque16(byte[] buf) 597 throws IOException 598 { 599 return decodeOpaque16(buf, 0); 600 } 601 decodeOpaque16(byte[] buf, int minLength)602 public static byte[] decodeOpaque16(byte[] buf, int minLength) 603 throws IOException 604 { 605 if (buf == null) 606 { 607 throw new IllegalArgumentException("'buf' cannot be null"); 608 } 609 if (buf.length < 2) 610 { 611 throw new TlsFatalAlert(AlertDescription.decode_error); 612 } 613 int length = readUint16(buf, 0); 614 if (buf.length != (length + 2) || length < minLength) 615 { 616 throw new TlsFatalAlert(AlertDescription.decode_error); 617 } 618 return copyOfRangeExact(buf, 2, buf.length); 619 } 620 decodeUint8(byte[] buf)621 public static short decodeUint8(byte[] buf) throws IOException 622 { 623 if (buf == null) 624 { 625 throw new IllegalArgumentException("'buf' cannot be null"); 626 } 627 if (buf.length != 1) 628 { 629 throw new TlsFatalAlert(AlertDescription.decode_error); 630 } 631 return readUint8(buf, 0); 632 } 633 decodeUint8ArrayWithUint8Length(byte[] buf)634 public static short[] decodeUint8ArrayWithUint8Length(byte[] buf) throws IOException 635 { 636 if (buf == null) 637 { 638 throw new IllegalArgumentException("'buf' cannot be null"); 639 } 640 641 int count = readUint8(buf, 0); 642 if (buf.length != (count + 1)) 643 { 644 throw new TlsFatalAlert(AlertDescription.decode_error); 645 } 646 647 short[] uints = new short[count]; 648 for (int i = 0; i < count; ++i) 649 { 650 uints[i] = readUint8(buf, i + 1); 651 } 652 return uints; 653 } 654 decodeUint16(byte[] buf)655 public static int decodeUint16(byte[] buf) throws IOException 656 { 657 if (buf == null) 658 { 659 throw new IllegalArgumentException("'buf' cannot be null"); 660 } 661 if (buf.length != 2) 662 { 663 throw new TlsFatalAlert(AlertDescription.decode_error); 664 } 665 return readUint16(buf, 0); 666 } 667 decodeUint32(byte[] buf)668 public static long decodeUint32(byte[] buf) throws IOException 669 { 670 if (buf == null) 671 { 672 throw new IllegalArgumentException("'buf' cannot be null"); 673 } 674 if (buf.length != 4) 675 { 676 throw new TlsFatalAlert(AlertDescription.decode_error); 677 } 678 return readUint32(buf, 0); 679 } 680 encodeOpaque8(byte[] buf)681 public static byte[] encodeOpaque8(byte[] buf) 682 throws IOException 683 { 684 checkUint8(buf.length); 685 return Arrays.prepend(buf, (byte)buf.length); 686 } 687 encodeOpaque16(byte[] buf)688 public static byte[] encodeOpaque16(byte[] buf) 689 throws IOException 690 { 691 return Arrays.concatenate(encodeUint16(buf.length), buf); 692 } 693 encodeUint8(short uint)694 public static byte[] encodeUint8(short uint) throws IOException 695 { 696 checkUint8(uint); 697 698 byte[] encoding = new byte[1]; 699 writeUint8(uint, encoding, 0); 700 return encoding; 701 } 702 encodeUint8ArrayWithUint8Length(short[] uints)703 public static byte[] encodeUint8ArrayWithUint8Length(short[] uints) throws IOException 704 { 705 byte[] result = new byte[1 + uints.length]; 706 writeUint8ArrayWithUint8Length(uints, result, 0); 707 return result; 708 } 709 encodeUint16(int uint)710 public static byte[] encodeUint16(int uint) throws IOException 711 { 712 checkUint16(uint); 713 714 byte[] encoding = new byte[2]; 715 writeUint16(uint, encoding, 0); 716 return encoding; 717 } 718 encodeUint16ArrayWithUint16Length(int[] uints)719 public static byte[] encodeUint16ArrayWithUint16Length(int[] uints) throws IOException 720 { 721 int length = 2 * uints.length; 722 byte[] result = new byte[2 + length]; 723 writeUint16ArrayWithUint16Length(uints, result, 0); 724 return result; 725 } 726 encodeUint32(long uint)727 public static byte[] encodeUint32(long uint) throws IOException 728 { 729 checkUint32(uint); 730 731 byte[] encoding = new byte[4]; 732 writeUint32(uint, encoding, 0); 733 return encoding; 734 } 735 encodeVersion(ProtocolVersion version)736 public static byte[] encodeVersion(ProtocolVersion version) throws IOException 737 { 738 return new byte[]{ 739 (byte)version.getMajorVersion(), 740 (byte)version.getMinorVersion() 741 }; 742 } 743 readInt32(byte[] buf, int offset)744 public static int readInt32(byte[] buf, int offset) 745 { 746 int n = buf[offset] << 24; 747 n |= (buf[++offset] & 0xff) << 16; 748 n |= (buf[++offset] & 0xff) << 8; 749 n |= (buf[++offset] & 0xff); 750 return n; 751 } 752 readUint8(InputStream input)753 public static short readUint8(InputStream input) 754 throws IOException 755 { 756 int i = input.read(); 757 if (i < 0) 758 { 759 throw new EOFException(); 760 } 761 return (short)i; 762 } 763 readUint8(byte[] buf, int offset)764 public static short readUint8(byte[] buf, int offset) 765 { 766 return (short)(buf[offset] & 0xff); 767 } 768 readUint16(InputStream input)769 public static int readUint16(InputStream input) 770 throws IOException 771 { 772 int i1 = input.read(); 773 int i2 = input.read(); 774 if (i2 < 0) 775 { 776 throw new EOFException(); 777 } 778 return (i1 << 8) | i2; 779 } 780 readUint16(byte[] buf, int offset)781 public static int readUint16(byte[] buf, int offset) 782 { 783 int n = (buf[offset] & 0xff) << 8; 784 n |= (buf[++offset] & 0xff); 785 return n; 786 } 787 readUint24(InputStream input)788 public static int readUint24(InputStream input) 789 throws IOException 790 { 791 int i1 = input.read(); 792 int i2 = input.read(); 793 int i3 = input.read(); 794 if (i3 < 0) 795 { 796 throw new EOFException(); 797 } 798 return (i1 << 16) | (i2 << 8) | i3; 799 } 800 readUint24(byte[] buf, int offset)801 public static int readUint24(byte[] buf, int offset) 802 { 803 int n = (buf[offset] & 0xff) << 16; 804 n |= (buf[++offset] & 0xff) << 8; 805 n |= (buf[++offset] & 0xff); 806 return n; 807 } 808 readUint32(InputStream input)809 public static long readUint32(InputStream input) 810 throws IOException 811 { 812 int i1 = input.read(); 813 int i2 = input.read(); 814 int i3 = input.read(); 815 int i4 = input.read(); 816 if (i4 < 0) 817 { 818 throw new EOFException(); 819 } 820 return ((i1 << 24) | (i2 << 16) | (i3 << 8) | i4) & 0xFFFFFFFFL; 821 } 822 readUint32(byte[] buf, int offset)823 public static long readUint32(byte[] buf, int offset) 824 { 825 int n = (buf[offset] & 0xff) << 24; 826 n |= (buf[++offset] & 0xff) << 16; 827 n |= (buf[++offset] & 0xff) << 8; 828 n |= (buf[++offset] & 0xff); 829 return n & 0xFFFFFFFFL; 830 } 831 readUint48(InputStream input)832 public static long readUint48(InputStream input) 833 throws IOException 834 { 835 int hi = readUint24(input); 836 int lo = readUint24(input); 837 return ((long)(hi & 0xffffffffL) << 24) | (long)(lo & 0xffffffffL); 838 } 839 readUint48(byte[] buf, int offset)840 public static long readUint48(byte[] buf, int offset) 841 { 842 int hi = readUint24(buf, offset); 843 int lo = readUint24(buf, offset + 3); 844 return ((long)(hi & 0xffffffffL) << 24) | (long)(lo & 0xffffffffL); 845 } 846 readAllOrNothing(int length, InputStream input)847 public static byte[] readAllOrNothing(int length, InputStream input) 848 throws IOException 849 { 850 if (length < 1) 851 { 852 return EMPTY_BYTES; 853 } 854 byte[] buf = new byte[length]; 855 int read = Streams.readFully(input, buf); 856 if (read == 0) 857 { 858 return null; 859 } 860 if (read != length) 861 { 862 throw new EOFException(); 863 } 864 return buf; 865 } 866 readFully(int length, InputStream input)867 public static byte[] readFully(int length, InputStream input) 868 throws IOException 869 { 870 if (length < 1) 871 { 872 return EMPTY_BYTES; 873 } 874 byte[] buf = new byte[length]; 875 if (length != Streams.readFully(input, buf)) 876 { 877 throw new EOFException(); 878 } 879 return buf; 880 } 881 readFully(byte[] buf, InputStream input)882 public static void readFully(byte[] buf, InputStream input) 883 throws IOException 884 { 885 int length = buf.length; 886 if (length > 0 && length != Streams.readFully(input, buf)) 887 { 888 throw new EOFException(); 889 } 890 } 891 readOpaque8(InputStream input)892 public static byte[] readOpaque8(InputStream input) 893 throws IOException 894 { 895 short length = readUint8(input); 896 return readFully(length, input); 897 } 898 readOpaque8(InputStream input, int minLength)899 public static byte[] readOpaque8(InputStream input, int minLength) 900 throws IOException 901 { 902 short length = readUint8(input); 903 if (length < minLength) 904 { 905 throw new TlsFatalAlert(AlertDescription.decode_error); 906 } 907 return readFully(length, input); 908 } 909 readOpaque8(InputStream input, int minLength, int maxLength)910 public static byte[] readOpaque8(InputStream input, int minLength, int maxLength) 911 throws IOException 912 { 913 short length = readUint8(input); 914 if (length < minLength || maxLength < length) 915 { 916 throw new TlsFatalAlert(AlertDescription.decode_error); 917 } 918 return readFully(length, input); 919 } 920 readOpaque16(InputStream input)921 public static byte[] readOpaque16(InputStream input) 922 throws IOException 923 { 924 int length = readUint16(input); 925 return readFully(length, input); 926 } 927 readOpaque16(InputStream input, int minLength)928 public static byte[] readOpaque16(InputStream input, int minLength) 929 throws IOException 930 { 931 int length = readUint16(input); 932 if (length < minLength) 933 { 934 throw new TlsFatalAlert(AlertDescription.decode_error); 935 } 936 return readFully(length, input); 937 } 938 readOpaque24(InputStream input)939 public static byte[] readOpaque24(InputStream input) 940 throws IOException 941 { 942 int length = readUint24(input); 943 return readFully(length, input); 944 } 945 readOpaque24(InputStream input, int minLength)946 public static byte[] readOpaque24(InputStream input, int minLength) 947 throws IOException 948 { 949 int length = readUint24(input); 950 if (length < minLength) 951 { 952 throw new TlsFatalAlert(AlertDescription.decode_error); 953 } 954 return readFully(length, input); 955 } 956 readUint8Array(int count, InputStream input)957 public static short[] readUint8Array(int count, InputStream input) 958 throws IOException 959 { 960 short[] uints = new short[count]; 961 for (int i = 0; i < count; ++i) 962 { 963 uints[i] = readUint8(input); 964 } 965 return uints; 966 } 967 readUint8ArrayWithUint8Length(InputStream input, int minLength)968 public static short[] readUint8ArrayWithUint8Length(InputStream input, int minLength) 969 throws IOException 970 { 971 int length = readUint8(input); 972 if (length < minLength) 973 { 974 throw new TlsFatalAlert(AlertDescription.decode_error); 975 } 976 977 return readUint8Array(length, input); 978 } 979 readUint16Array(int count, InputStream input)980 public static int[] readUint16Array(int count, InputStream input) 981 throws IOException 982 { 983 int[] uints = new int[count]; 984 for (int i = 0; i < count; ++i) 985 { 986 uints[i] = readUint16(input); 987 } 988 return uints; 989 } 990 readVersion(byte[] buf, int offset)991 public static ProtocolVersion readVersion(byte[] buf, int offset) 992 { 993 return ProtocolVersion.get(buf[offset] & 0xFF, buf[offset + 1] & 0xFF); 994 } 995 readVersion(InputStream input)996 public static ProtocolVersion readVersion(InputStream input) 997 throws IOException 998 { 999 int i1 = input.read(); 1000 int i2 = input.read(); 1001 if (i2 < 0) 1002 { 1003 throw new EOFException(); 1004 } 1005 1006 return ProtocolVersion.get(i1, i2); 1007 } 1008 readASN1Object(byte[] encoding)1009 public static ASN1Primitive readASN1Object(byte[] encoding) throws IOException 1010 { 1011 ASN1InputStream asn1 = new ASN1InputStream(encoding); 1012 ASN1Primitive result = asn1.readObject(); 1013 if (null == result) 1014 { 1015 throw new TlsFatalAlert(AlertDescription.decode_error); 1016 } 1017 if (null != asn1.readObject()) 1018 { 1019 throw new TlsFatalAlert(AlertDescription.decode_error); 1020 } 1021 return result; 1022 } 1023 readDERObject(byte[] encoding)1024 public static ASN1Primitive readDERObject(byte[] encoding) throws IOException 1025 { 1026 /* 1027 * NOTE: The current ASN.1 parsing code can't enforce DER-only parsing, but since DER is 1028 * canonical, we can check it by re-encoding the result and comparing to the original. 1029 */ 1030 ASN1Primitive result = readASN1Object(encoding); 1031 byte[] check = result.getEncoded(ASN1Encoding.DER); 1032 if (!Arrays.areEqual(check, encoding)) 1033 { 1034 throw new TlsFatalAlert(AlertDescription.decode_error); 1035 } 1036 return result; 1037 } 1038 writeGMTUnixTime(byte[] buf, int offset)1039 public static void writeGMTUnixTime(byte[] buf, int offset) 1040 { 1041 int t = (int)(System.currentTimeMillis() / 1000L); 1042 buf[offset] = (byte)(t >>> 24); 1043 buf[offset + 1] = (byte)(t >>> 16); 1044 buf[offset + 2] = (byte)(t >>> 8); 1045 buf[offset + 3] = (byte)t; 1046 } 1047 writeVersion(ProtocolVersion version, OutputStream output)1048 public static void writeVersion(ProtocolVersion version, OutputStream output) 1049 throws IOException 1050 { 1051 output.write(version.getMajorVersion()); 1052 output.write(version.getMinorVersion()); 1053 } 1054 writeVersion(ProtocolVersion version, byte[] buf, int offset)1055 public static void writeVersion(ProtocolVersion version, byte[] buf, int offset) 1056 { 1057 buf[offset] = (byte)version.getMajorVersion(); 1058 buf[offset + 1] = (byte)version.getMinorVersion(); 1059 } 1060 addIfSupported(Vector supportedAlgs, TlsCrypto crypto, SignatureAndHashAlgorithm alg)1061 public static void addIfSupported(Vector supportedAlgs, TlsCrypto crypto, SignatureAndHashAlgorithm alg) 1062 { 1063 if (crypto.hasSignatureAndHashAlgorithm(alg)) 1064 { 1065 supportedAlgs.addElement(alg); 1066 } 1067 } 1068 addIfSupported(Vector supportedGroups, TlsCrypto crypto, int namedGroup)1069 public static void addIfSupported(Vector supportedGroups, TlsCrypto crypto, int namedGroup) 1070 { 1071 if (crypto.hasNamedGroup(namedGroup)) 1072 { 1073 supportedGroups.addElement(Integers.valueOf(namedGroup)); 1074 } 1075 } 1076 addIfSupported(Vector supportedGroups, TlsCrypto crypto, int[] namedGroups)1077 public static void addIfSupported(Vector supportedGroups, TlsCrypto crypto, int[] namedGroups) 1078 { 1079 for (int i = 0; i < namedGroups.length; ++i) 1080 { 1081 addIfSupported(supportedGroups, crypto, namedGroups[i]); 1082 } 1083 } 1084 addToSet(Vector s, int i)1085 public static boolean addToSet(Vector s, int i) 1086 { 1087 boolean result = !s.contains(Integers.valueOf(i)); 1088 if (result) 1089 { 1090 s.add(Integers.valueOf(i)); 1091 } 1092 return result; 1093 } 1094 getDefaultDSSSignatureAlgorithms()1095 public static Vector getDefaultDSSSignatureAlgorithms() 1096 { 1097 return getDefaultSignatureAlgorithms(SignatureAlgorithm.dsa); 1098 } 1099 getDefaultECDSASignatureAlgorithms()1100 public static Vector getDefaultECDSASignatureAlgorithms() 1101 { 1102 return getDefaultSignatureAlgorithms(SignatureAlgorithm.ecdsa); 1103 } 1104 getDefaultRSASignatureAlgorithms()1105 public static Vector getDefaultRSASignatureAlgorithms() 1106 { 1107 return getDefaultSignatureAlgorithms(SignatureAlgorithm.rsa); 1108 } 1109 getDefaultSignatureAlgorithm(short signatureAlgorithm)1110 public static SignatureAndHashAlgorithm getDefaultSignatureAlgorithm(short signatureAlgorithm) 1111 { 1112 /* 1113 * RFC 5246 7.4.1.4.1. If the client does not send the signature_algorithms extension, 1114 * the server MUST do the following: 1115 * 1116 * - If the negotiated key exchange algorithm is one of (RSA, DHE_RSA, DH_RSA, RSA_PSK, 1117 * ECDH_RSA, ECDHE_RSA), behave as if client had sent the value {sha1,rsa}. 1118 * 1119 * - If the negotiated key exchange algorithm is one of (DHE_DSS, DH_DSS), behave as if 1120 * the client had sent the value {sha1,dsa}. 1121 * 1122 * - If the negotiated key exchange algorithm is one of (ECDH_ECDSA, ECDHE_ECDSA), 1123 * behave as if the client had sent value {sha1,ecdsa}. 1124 */ 1125 1126 switch (signatureAlgorithm) 1127 { 1128 case SignatureAlgorithm.dsa: 1129 case SignatureAlgorithm.ecdsa: 1130 case SignatureAlgorithm.rsa: 1131 return SignatureAndHashAlgorithm.getInstance(HashAlgorithm.sha1, signatureAlgorithm); 1132 default: 1133 return null; 1134 } 1135 } 1136 getDefaultSignatureAlgorithms(short signatureAlgorithm)1137 public static Vector getDefaultSignatureAlgorithms(short signatureAlgorithm) 1138 { 1139 SignatureAndHashAlgorithm sigAndHashAlg = getDefaultSignatureAlgorithm(signatureAlgorithm); 1140 1141 return null == sigAndHashAlg ? new Vector() : vectorOfOne(sigAndHashAlg); 1142 } 1143 getDefaultSupportedSignatureAlgorithms(TlsContext context)1144 public static Vector getDefaultSupportedSignatureAlgorithms(TlsContext context) 1145 { 1146 TlsCrypto crypto = context.getCrypto(); 1147 1148 int count = DEFAULT_SUPPORTED_SIG_ALGS.size(); 1149 Vector result = new Vector(count); 1150 for (int i = 0; i < count; ++i) 1151 { 1152 addIfSupported(result, crypto, (SignatureAndHashAlgorithm)DEFAULT_SUPPORTED_SIG_ALGS.elementAt(i)); 1153 } 1154 return result; 1155 } 1156 getSignatureAndHashAlgorithm(TlsContext context, TlsCredentialedSigner signerCredentials)1157 public static SignatureAndHashAlgorithm getSignatureAndHashAlgorithm(TlsContext context, 1158 TlsCredentialedSigner signerCredentials) 1159 throws IOException 1160 { 1161 return getSignatureAndHashAlgorithm(context.getServerVersion(), signerCredentials); 1162 } 1163 getSignatureAndHashAlgorithm(ProtocolVersion negotiatedVersion, TlsCredentialedSigner signerCredentials)1164 static SignatureAndHashAlgorithm getSignatureAndHashAlgorithm(ProtocolVersion negotiatedVersion, 1165 TlsCredentialedSigner signerCredentials) throws IOException 1166 { 1167 SignatureAndHashAlgorithm signatureAndHashAlgorithm = null; 1168 if (isTLSv12(negotiatedVersion)) 1169 { 1170 signatureAndHashAlgorithm = signerCredentials.getSignatureAndHashAlgorithm(); 1171 if (signatureAndHashAlgorithm == null) 1172 { 1173 throw new TlsFatalAlert(AlertDescription.internal_error); 1174 } 1175 } 1176 return signatureAndHashAlgorithm; 1177 } 1178 getExtensionData(Hashtable extensions, Integer extensionType)1179 public static byte[] getExtensionData(Hashtable extensions, Integer extensionType) 1180 { 1181 return extensions == null ? null : (byte[])extensions.get(extensionType); 1182 } 1183 hasExpectedEmptyExtensionData(Hashtable extensions, Integer extensionType, short alertDescription)1184 public static boolean hasExpectedEmptyExtensionData(Hashtable extensions, Integer extensionType, 1185 short alertDescription) throws IOException 1186 { 1187 byte[] extension_data = getExtensionData(extensions, extensionType); 1188 if (extension_data == null) 1189 { 1190 return false; 1191 } 1192 if (extension_data.length != 0) 1193 { 1194 throw new TlsFatalAlert(alertDescription); 1195 } 1196 return true; 1197 } 1198 importSession(byte[] sessionID, SessionParameters sessionParameters)1199 public static TlsSession importSession(byte[] sessionID, SessionParameters sessionParameters) 1200 { 1201 return new TlsSessionImpl(sessionID, sessionParameters); 1202 } 1203 isExtendedMasterSecretOptionalDTLS(ProtocolVersion[] activeProtocolVersions)1204 static boolean isExtendedMasterSecretOptionalDTLS(ProtocolVersion[] activeProtocolVersions) 1205 { 1206 return ProtocolVersion.contains(activeProtocolVersions, ProtocolVersion.DTLSv12) 1207 || ProtocolVersion.contains(activeProtocolVersions, ProtocolVersion.DTLSv10); 1208 } 1209 isExtendedMasterSecretOptionalTLS(ProtocolVersion[] activeProtocolVersions)1210 static boolean isExtendedMasterSecretOptionalTLS(ProtocolVersion[] activeProtocolVersions) 1211 { 1212 return ProtocolVersion.contains(activeProtocolVersions, ProtocolVersion.TLSv12) 1213 || ProtocolVersion.contains(activeProtocolVersions, ProtocolVersion.TLSv11) 1214 || ProtocolVersion.contains(activeProtocolVersions, ProtocolVersion.TLSv10); 1215 } 1216 isNullOrContainsNull(Object[] array)1217 public static boolean isNullOrContainsNull(Object[] array) 1218 { 1219 if (null == array) 1220 { 1221 return true; 1222 } 1223 int count = array.length; 1224 for (int i = 0; i < count; ++i) 1225 { 1226 if (null == array[i]) 1227 { 1228 return true; 1229 } 1230 } 1231 return false; 1232 } 1233 isNullOrEmpty(byte[] array)1234 public static boolean isNullOrEmpty(byte[] array) 1235 { 1236 return null == array || array.length < 1; 1237 } 1238 isNullOrEmpty(short[] array)1239 public static boolean isNullOrEmpty(short[] array) 1240 { 1241 return null == array || array.length < 1; 1242 } 1243 isNullOrEmpty(int[] array)1244 public static boolean isNullOrEmpty(int[] array) 1245 { 1246 return null == array || array.length < 1; 1247 } 1248 isNullOrEmpty(Object[] array)1249 public static boolean isNullOrEmpty(Object[] array) 1250 { 1251 return null == array || array.length < 1; 1252 } 1253 isNullOrEmpty(String s)1254 public static boolean isNullOrEmpty(String s) 1255 { 1256 return null == s || s.length() < 1; 1257 } 1258 isSignatureAlgorithmsExtensionAllowed(ProtocolVersion version)1259 public static boolean isSignatureAlgorithmsExtensionAllowed(ProtocolVersion version) 1260 { 1261 return null != version 1262 && ProtocolVersion.TLSv12.isEqualOrEarlierVersionOf(version.getEquivalentTLSVersion()); 1263 } 1264 getLegacyClientCertType(short signatureAlgorithm)1265 public static short getLegacyClientCertType(short signatureAlgorithm) 1266 { 1267 switch (signatureAlgorithm) 1268 { 1269 case SignatureAlgorithm.rsa: 1270 return ClientCertificateType.rsa_sign; 1271 case SignatureAlgorithm.dsa: 1272 return ClientCertificateType.dss_sign; 1273 case SignatureAlgorithm.ecdsa: 1274 return ClientCertificateType.ecdsa_sign; 1275 default: 1276 return -1; 1277 } 1278 } 1279 getLegacySignatureAlgorithmClient(short clientCertificateType)1280 public static short getLegacySignatureAlgorithmClient(short clientCertificateType) 1281 { 1282 switch (clientCertificateType) 1283 { 1284 case ClientCertificateType.dss_sign: 1285 return SignatureAlgorithm.dsa; 1286 case ClientCertificateType.ecdsa_sign: 1287 return SignatureAlgorithm.ecdsa; 1288 case ClientCertificateType.rsa_sign: 1289 return SignatureAlgorithm.rsa; 1290 default: 1291 return -1; 1292 } 1293 } 1294 getLegacySignatureAlgorithmClientCert(short clientCertificateType)1295 public static short getLegacySignatureAlgorithmClientCert(short clientCertificateType) 1296 { 1297 switch (clientCertificateType) 1298 { 1299 case ClientCertificateType.dss_sign: 1300 case ClientCertificateType.dss_fixed_dh: 1301 return SignatureAlgorithm.dsa; 1302 1303 case ClientCertificateType.ecdsa_sign: 1304 case ClientCertificateType.ecdsa_fixed_ecdh: 1305 return SignatureAlgorithm.ecdsa; 1306 1307 case ClientCertificateType.rsa_sign: 1308 case ClientCertificateType.rsa_fixed_dh: 1309 case ClientCertificateType.rsa_fixed_ecdh: 1310 return SignatureAlgorithm.rsa; 1311 default: 1312 return -1; 1313 } 1314 } 1315 getLegacySignatureAlgorithmServer(int keyExchangeAlgorithm)1316 public static short getLegacySignatureAlgorithmServer(int keyExchangeAlgorithm) 1317 { 1318 switch (keyExchangeAlgorithm) 1319 { 1320 case KeyExchangeAlgorithm.DHE_DSS: 1321 case KeyExchangeAlgorithm.SRP_DSS: 1322 return SignatureAlgorithm.dsa; 1323 1324 case KeyExchangeAlgorithm.ECDHE_ECDSA: 1325 return SignatureAlgorithm.ecdsa; 1326 1327 case KeyExchangeAlgorithm.DHE_RSA: 1328 case KeyExchangeAlgorithm.ECDHE_RSA: 1329 case KeyExchangeAlgorithm.SRP_RSA: 1330 return SignatureAlgorithm.rsa; 1331 1332 default: 1333 return -1; 1334 } 1335 } 1336 getLegacySignatureAlgorithmServerCert(int keyExchangeAlgorithm)1337 public static short getLegacySignatureAlgorithmServerCert(int keyExchangeAlgorithm) 1338 { 1339 switch (keyExchangeAlgorithm) 1340 { 1341 case KeyExchangeAlgorithm.DH_DSS: 1342 case KeyExchangeAlgorithm.DHE_DSS: 1343 case KeyExchangeAlgorithm.SRP_DSS: 1344 return SignatureAlgorithm.dsa; 1345 1346 case KeyExchangeAlgorithm.ECDH_ECDSA: 1347 case KeyExchangeAlgorithm.ECDHE_ECDSA: 1348 return SignatureAlgorithm.ecdsa; 1349 1350 case KeyExchangeAlgorithm.DH_RSA: 1351 case KeyExchangeAlgorithm.DHE_RSA: 1352 case KeyExchangeAlgorithm.ECDH_RSA: 1353 case KeyExchangeAlgorithm.ECDHE_RSA: 1354 case KeyExchangeAlgorithm.RSA: 1355 case KeyExchangeAlgorithm.RSA_PSK: 1356 case KeyExchangeAlgorithm.SRP_RSA: 1357 return SignatureAlgorithm.rsa; 1358 1359 default: 1360 return -1; 1361 } 1362 } 1363 getLegacySupportedSignatureAlgorithms()1364 public static Vector getLegacySupportedSignatureAlgorithms() 1365 { 1366 Vector result = new Vector(3); 1367 result.add(SignatureAndHashAlgorithm.getInstance(HashAlgorithm.sha1, SignatureAlgorithm.dsa)); 1368 result.add(SignatureAndHashAlgorithm.getInstance(HashAlgorithm.sha1, SignatureAlgorithm.ecdsa)); 1369 result.add(SignatureAndHashAlgorithm.getInstance(HashAlgorithm.sha1, SignatureAlgorithm.rsa)); 1370 return result; 1371 } 1372 encodeSupportedSignatureAlgorithms(Vector supportedSignatureAlgorithms, OutputStream output)1373 public static void encodeSupportedSignatureAlgorithms(Vector supportedSignatureAlgorithms, OutputStream output) 1374 throws IOException 1375 { 1376 if (supportedSignatureAlgorithms == null || supportedSignatureAlgorithms.size() < 1 1377 || supportedSignatureAlgorithms.size() >= (1 << 15)) 1378 { 1379 throw new IllegalArgumentException( 1380 "'supportedSignatureAlgorithms' must have length from 1 to (2^15 - 1)"); 1381 } 1382 1383 // supported_signature_algorithms 1384 int length = 2 * supportedSignatureAlgorithms.size(); 1385 checkUint16(length); 1386 writeUint16(length, output); 1387 for (int i = 0; i < supportedSignatureAlgorithms.size(); ++i) 1388 { 1389 SignatureAndHashAlgorithm entry = (SignatureAndHashAlgorithm)supportedSignatureAlgorithms.elementAt(i); 1390 if (entry.getSignature() == SignatureAlgorithm.anonymous) 1391 { 1392 /* 1393 * RFC 5246 7.4.1.4.1 The "anonymous" value is meaningless in this context but used 1394 * in Section 7.4.3. It MUST NOT appear in this extension. 1395 */ 1396 throw new IllegalArgumentException( 1397 "SignatureAlgorithm.anonymous MUST NOT appear in the signature_algorithms extension"); 1398 } 1399 entry.encode(output); 1400 } 1401 } 1402 parseSupportedSignatureAlgorithms(InputStream input)1403 public static Vector parseSupportedSignatureAlgorithms(InputStream input) 1404 throws IOException 1405 { 1406 // supported_signature_algorithms 1407 int length = readUint16(input); 1408 if (length < 2 || (length & 1) != 0) 1409 { 1410 throw new TlsFatalAlert(AlertDescription.decode_error); 1411 } 1412 int count = length / 2; 1413 Vector supportedSignatureAlgorithms = new Vector(count); 1414 for (int i = 0; i < count; ++i) 1415 { 1416 SignatureAndHashAlgorithm sigAndHashAlg = SignatureAndHashAlgorithm.parse(input); 1417 1418 if (SignatureAlgorithm.anonymous != sigAndHashAlg.getSignature()) 1419 { 1420 supportedSignatureAlgorithms.addElement(sigAndHashAlg); 1421 } 1422 } 1423 return supportedSignatureAlgorithms; 1424 } 1425 verifySupportedSignatureAlgorithm(Vector supportedSignatureAlgorithms, SignatureAndHashAlgorithm signatureAlgorithm)1426 public static void verifySupportedSignatureAlgorithm(Vector supportedSignatureAlgorithms, SignatureAndHashAlgorithm signatureAlgorithm) 1427 throws IOException 1428 { 1429 if (supportedSignatureAlgorithms == null || supportedSignatureAlgorithms.size() < 1 1430 || supportedSignatureAlgorithms.size() >= (1 << 15)) 1431 { 1432 throw new IllegalArgumentException( 1433 "'supportedSignatureAlgorithms' must have length from 1 to (2^15 - 1)"); 1434 } 1435 if (signatureAlgorithm == null) 1436 { 1437 throw new IllegalArgumentException("'signatureAlgorithm' cannot be null"); 1438 } 1439 1440 if (signatureAlgorithm.getSignature() == SignatureAlgorithm.anonymous 1441 || !containsSignatureAlgorithm(supportedSignatureAlgorithms, signatureAlgorithm)) 1442 { 1443 throw new TlsFatalAlert(AlertDescription.illegal_parameter); 1444 } 1445 } 1446 containsSignatureAlgorithm(Vector supportedSignatureAlgorithms, SignatureAndHashAlgorithm signatureAlgorithm)1447 public static boolean containsSignatureAlgorithm(Vector supportedSignatureAlgorithms, SignatureAndHashAlgorithm signatureAlgorithm) 1448 throws IOException 1449 { 1450 for (int i = 0; i < supportedSignatureAlgorithms.size(); ++i) 1451 { 1452 SignatureAndHashAlgorithm entry = (SignatureAndHashAlgorithm)supportedSignatureAlgorithms.elementAt(i); 1453 if (entry.equals(signatureAlgorithm)) 1454 { 1455 return true; 1456 } 1457 } 1458 1459 return false; 1460 } 1461 containsAnySignatureAlgorithm(Vector supportedSignatureAlgorithms, short signatureAlgorithm)1462 public static boolean containsAnySignatureAlgorithm(Vector supportedSignatureAlgorithms, short signatureAlgorithm) 1463 { 1464 for (int i = 0; i < supportedSignatureAlgorithms.size(); ++i) 1465 { 1466 SignatureAndHashAlgorithm entry = (SignatureAndHashAlgorithm)supportedSignatureAlgorithms.elementAt(i); 1467 if (entry.getSignature() == signatureAlgorithm) 1468 { 1469 return true; 1470 } 1471 } 1472 1473 return false; 1474 } 1475 PRF(SecurityParameters securityParameters, TlsSecret secret, String asciiLabel, byte[] seed, int length)1476 public static TlsSecret PRF(SecurityParameters securityParameters, TlsSecret secret, String asciiLabel, byte[] seed, 1477 int length) 1478 { 1479 return secret.deriveUsingPRF(securityParameters.getPRFAlgorithm(), asciiLabel, seed, length); 1480 } 1481 1482 /** 1483 * @deprecated Use {@link #PRF(SecurityParameters, TlsSecret, String, byte[], int)} instead. 1484 */ PRF(TlsContext context, TlsSecret secret, String asciiLabel, byte[] seed, int length)1485 public static TlsSecret PRF(TlsContext context, TlsSecret secret, String asciiLabel, byte[] seed, int length) 1486 { 1487 return PRF(context.getSecurityParametersHandshake(), secret, asciiLabel, seed, length); 1488 } 1489 clone(byte[] data)1490 public static byte[] clone(byte[] data) 1491 { 1492 return null == data ? (byte[])null : data.length == 0 ? EMPTY_BYTES : (byte[])data.clone(); 1493 } 1494 clone(String[] s)1495 public static String[] clone(String[] s) 1496 { 1497 return null == s ? (String[])null : s.length < 1 ? EMPTY_STRINGS : (String[])s.clone(); 1498 } 1499 constantTimeAreEqual(int len, byte[] a, int aOff, byte[] b, int bOff)1500 public static boolean constantTimeAreEqual(int len, byte[] a, int aOff, byte[] b, int bOff) 1501 { 1502 int d = 0; 1503 for (int i = 0; i < len; ++i) 1504 { 1505 d |= (a[aOff + i] ^ b[bOff + i]); 1506 } 1507 return 0 == d; 1508 } 1509 copyOfRangeExact(byte[] original, int from, int to)1510 public static byte[] copyOfRangeExact(byte[] original, int from, int to) 1511 { 1512 int newLength = to - from; 1513 byte[] copy = new byte[newLength]; 1514 System.arraycopy(original, from, copy, 0, newLength); 1515 return copy; 1516 } 1517 concat(byte[] a, byte[] b)1518 static byte[] concat(byte[] a, byte[] b) 1519 { 1520 byte[] c = new byte[a.length + b.length]; 1521 System.arraycopy(a, 0, c, 0, a.length); 1522 System.arraycopy(b, 0, c, a.length, b.length); 1523 return c; 1524 } 1525 calculateEndPointHash(TlsContext context, TlsCertificate certificate, byte[] enc)1526 static byte[] calculateEndPointHash(TlsContext context, TlsCertificate certificate, byte[] enc) throws IOException 1527 { 1528 return calculateEndPointHash(context, certificate, enc, 0, enc.length); 1529 } 1530 calculateEndPointHash(TlsContext context, TlsCertificate certificate, byte[] enc, int encOff, int encLen)1531 static byte[] calculateEndPointHash(TlsContext context, TlsCertificate certificate, byte[] enc, int encOff, 1532 int encLen) throws IOException 1533 { 1534 short hashAlgorithm = HashAlgorithm.none; 1535 1536 String sigAlgOID = certificate.getSigAlgOID(); 1537 if (sigAlgOID != null) 1538 { 1539 if (PKCSObjectIdentifiers.id_RSASSA_PSS.getId().equals(sigAlgOID)) 1540 { 1541 RSASSAPSSparams pssParams = RSASSAPSSparams.getInstance(certificate.getSigAlgParams()); 1542 if (null != pssParams) 1543 { 1544 ASN1ObjectIdentifier hashOID = pssParams.getHashAlgorithm().getAlgorithm(); 1545 if (NISTObjectIdentifiers.id_sha256.equals(hashOID)) 1546 { 1547 hashAlgorithm = HashAlgorithm.sha256; 1548 } 1549 else if (NISTObjectIdentifiers.id_sha384.equals(hashOID)) 1550 { 1551 hashAlgorithm = HashAlgorithm.sha384; 1552 } 1553 else if (NISTObjectIdentifiers.id_sha512.equals(hashOID)) 1554 { 1555 hashAlgorithm = HashAlgorithm.sha512; 1556 } 1557 } 1558 } 1559 else 1560 { 1561 SignatureAndHashAlgorithm sigAndHashAlg = (SignatureAndHashAlgorithm)CERT_SIG_ALG_OIDS.get(sigAlgOID); 1562 if (sigAndHashAlg != null) 1563 { 1564 hashAlgorithm = sigAndHashAlg.getHash(); 1565 } 1566 } 1567 } 1568 1569 switch (hashAlgorithm) 1570 { 1571 case HashAlgorithm.Intrinsic: 1572 hashAlgorithm = HashAlgorithm.none; 1573 break; 1574 case HashAlgorithm.md5: 1575 case HashAlgorithm.sha1: 1576 hashAlgorithm = HashAlgorithm.sha256; 1577 break; 1578 } 1579 1580 if (HashAlgorithm.none != hashAlgorithm) 1581 { 1582 TlsHash hash = createHash(context.getCrypto(), hashAlgorithm); 1583 if (hash != null) 1584 { 1585 hash.update(enc, encOff, encLen); 1586 return hash.calculateHash(); 1587 } 1588 } 1589 1590 return EMPTY_BYTES; 1591 } 1592 calculateExporterSeed(SecurityParameters securityParameters, byte[] context)1593 public static byte[] calculateExporterSeed(SecurityParameters securityParameters, byte[] context) 1594 { 1595 byte[] cr = securityParameters.getClientRandom(), sr = securityParameters.getServerRandom(); 1596 if (null == context) 1597 { 1598 return Arrays.concatenate(cr, sr); 1599 } 1600 1601 if (!isValidUint16(context.length)) 1602 { 1603 throw new IllegalArgumentException("'context' must have length less than 2^16 (or be null)"); 1604 } 1605 1606 byte[] contextLength = new byte[2]; 1607 writeUint16(context.length, contextLength, 0); 1608 1609 return Arrays.concatenate(cr, sr, contextLength, context); 1610 } 1611 calculateMasterSecret(TlsContext context, TlsSecret preMasterSecret)1612 static TlsSecret calculateMasterSecret(TlsContext context, TlsSecret preMasterSecret) 1613 { 1614 SecurityParameters sp = context.getSecurityParametersHandshake(); 1615 1616 String asciiLabel; 1617 byte[] seed; 1618 if (sp.isExtendedMasterSecret()) 1619 { 1620 asciiLabel = ExporterLabel.extended_master_secret; 1621 seed = sp.getSessionHash(); 1622 } 1623 else 1624 { 1625 asciiLabel = ExporterLabel.master_secret; 1626 seed = concat(sp.getClientRandom(), sp.getServerRandom()); 1627 } 1628 1629 return PRF(sp, preMasterSecret, asciiLabel, seed, 48); 1630 } 1631 calculateVerifyData(TlsContext context, TlsHandshakeHash handshakeHash, boolean isServer)1632 static byte[] calculateVerifyData(TlsContext context, TlsHandshakeHash handshakeHash, boolean isServer) 1633 throws IOException 1634 { 1635 SecurityParameters securityParameters = context.getSecurityParametersHandshake(); 1636 ProtocolVersion negotiatedVersion = securityParameters.getNegotiatedVersion(); 1637 1638 if (isTLSv13(negotiatedVersion)) 1639 { 1640 TlsSecret baseKey = isServer 1641 ? securityParameters.getBaseKeyServer() 1642 : securityParameters.getBaseKeyClient(); 1643 1644 TlsSecret finishedKey = deriveSecret(securityParameters, baseKey, "finished", EMPTY_BYTES); 1645 byte[] transcriptHash = getCurrentPRFHash(handshakeHash); 1646 1647 TlsCrypto crypto = context.getCrypto(); 1648 byte[] hmacKey = crypto.adoptSecret(finishedKey).extract(); 1649 TlsHMAC hmac = crypto.createHMACForHash(TlsCryptoUtils.getHash(securityParameters.getPRFHashAlgorithm())); 1650 hmac.setKey(hmacKey, 0, hmacKey.length); 1651 hmac.update(transcriptHash, 0, transcriptHash.length); 1652 return hmac.calculateMAC(); 1653 } 1654 1655 if (negotiatedVersion.isSSL()) 1656 { 1657 return SSL3Utils.calculateVerifyData(handshakeHash, isServer); 1658 } 1659 1660 String asciiLabel = isServer ? ExporterLabel.server_finished : ExporterLabel.client_finished; 1661 byte[] prfHash = getCurrentPRFHash(handshakeHash); 1662 1663 TlsSecret master_secret = securityParameters.getMasterSecret(); 1664 int verify_data_length = securityParameters.getVerifyDataLength(); 1665 1666 return PRF(securityParameters, master_secret, asciiLabel, prfHash, verify_data_length).extract(); 1667 } 1668 establish13PhaseSecrets(TlsContext context)1669 static void establish13PhaseSecrets(TlsContext context) throws IOException 1670 { 1671 SecurityParameters securityParameters = context.getSecurityParametersHandshake(); 1672 int cryptoHashAlgorithm = TlsCryptoUtils.getHash(securityParameters.getPRFHashAlgorithm()); 1673 int hashLen = securityParameters.getPRFHashLength(); 1674 byte[] zeroes = new byte[hashLen]; 1675 1676 byte[] psk = securityParameters.getPSK(); 1677 if (null == psk) 1678 { 1679 psk = zeroes; 1680 } 1681 else 1682 { 1683 securityParameters.psk = null; 1684 } 1685 1686 byte[] ecdhe = zeroes; 1687 TlsSecret sharedSecret = securityParameters.getSharedSecret(); 1688 if (null != sharedSecret) 1689 { 1690 securityParameters.sharedSecret = null; 1691 ecdhe = sharedSecret.extract(); 1692 } 1693 1694 TlsCrypto crypto = context.getCrypto(); 1695 1696 byte[] emptyTranscriptHash = crypto.createHash(cryptoHashAlgorithm).calculateHash(); 1697 1698 TlsSecret earlySecret = crypto.hkdfInit(cryptoHashAlgorithm) 1699 .hkdfExtract(cryptoHashAlgorithm, psk); 1700 TlsSecret handshakeSecret = deriveSecret(securityParameters, earlySecret, "derived", emptyTranscriptHash) 1701 .hkdfExtract(cryptoHashAlgorithm, ecdhe); 1702 TlsSecret masterSecret = deriveSecret(securityParameters, handshakeSecret, "derived", emptyTranscriptHash) 1703 .hkdfExtract(cryptoHashAlgorithm, zeroes); 1704 1705 securityParameters.earlySecret = earlySecret; 1706 securityParameters.handshakeSecret = handshakeSecret; 1707 securityParameters.masterSecret = masterSecret; 1708 } 1709 establish13TrafficSecrets(TlsContext context, byte[] transcriptHash, TlsSecret phaseSecret, String clientLabel, String serverLabel, RecordStream recordStream)1710 private static void establish13TrafficSecrets(TlsContext context, byte[] transcriptHash, TlsSecret phaseSecret, 1711 String clientLabel, String serverLabel, RecordStream recordStream) throws IOException 1712 { 1713 SecurityParameters securityParameters = context.getSecurityParametersHandshake(); 1714 1715 securityParameters.trafficSecretClient = deriveSecret(securityParameters, phaseSecret, clientLabel, 1716 transcriptHash); 1717 1718 if (null != serverLabel) 1719 { 1720 securityParameters.trafficSecretServer = deriveSecret(securityParameters, phaseSecret, serverLabel, 1721 transcriptHash); 1722 } 1723 1724 // TODO[tls13] Early data (client->server only) 1725 1726 recordStream.setPendingCipher(initCipher(context)); 1727 } 1728 establish13PhaseApplication(TlsContext context, byte[] serverFinishedTranscriptHash, RecordStream recordStream)1729 static void establish13PhaseApplication(TlsContext context, byte[] serverFinishedTranscriptHash, 1730 RecordStream recordStream) throws IOException 1731 { 1732 SecurityParameters securityParameters = context.getSecurityParametersHandshake(); 1733 TlsSecret phaseSecret = securityParameters.getMasterSecret(); 1734 1735 establish13TrafficSecrets(context, serverFinishedTranscriptHash, phaseSecret, "c ap traffic", "s ap traffic", 1736 recordStream); 1737 1738 securityParameters.exporterMasterSecret = deriveSecret(securityParameters, phaseSecret, "exp master", 1739 serverFinishedTranscriptHash); 1740 } 1741 establish13PhaseEarly(TlsContext context, byte[] clientHelloTranscriptHash, RecordStream recordStream)1742 static void establish13PhaseEarly(TlsContext context, byte[] clientHelloTranscriptHash, RecordStream recordStream) 1743 throws IOException 1744 { 1745 SecurityParameters securityParameters = context.getSecurityParametersHandshake(); 1746 TlsSecret phaseSecret = securityParameters.getEarlySecret(); 1747 1748 // TODO[tls13] binder_key 1749 1750 // TODO[tls13] Early data (client->server only) 1751 if (null != recordStream) 1752 { 1753 establish13TrafficSecrets(context, clientHelloTranscriptHash, phaseSecret, "c e traffic", null, 1754 recordStream); 1755 } 1756 1757 securityParameters.earlyExporterMasterSecret = deriveSecret(securityParameters, phaseSecret, "e exp master", 1758 clientHelloTranscriptHash); 1759 } 1760 establish13PhaseHandshake(TlsContext context, byte[] serverHelloTranscriptHash, RecordStream recordStream)1761 static void establish13PhaseHandshake(TlsContext context, byte[] serverHelloTranscriptHash, 1762 RecordStream recordStream) throws IOException 1763 { 1764 SecurityParameters securityParameters = context.getSecurityParametersHandshake(); 1765 TlsSecret phaseSecret = securityParameters.getHandshakeSecret(); 1766 1767 establish13TrafficSecrets(context, serverHelloTranscriptHash, phaseSecret, "c hs traffic", "s hs traffic", 1768 recordStream); 1769 1770 securityParameters.baseKeyClient = securityParameters.getTrafficSecretClient(); 1771 securityParameters.baseKeyServer = securityParameters.getTrafficSecretServer(); 1772 } 1773 update13TrafficSecretLocal(TlsContext context)1774 static void update13TrafficSecretLocal(TlsContext context) throws IOException 1775 { 1776 update13TrafficSecret(context, context.isServer()); 1777 } 1778 update13TrafficSecretPeer(TlsContext context)1779 static void update13TrafficSecretPeer(TlsContext context) throws IOException 1780 { 1781 update13TrafficSecret(context, !context.isServer()); 1782 } 1783 update13TrafficSecret(TlsContext context, boolean forServer)1784 private static void update13TrafficSecret(TlsContext context, boolean forServer) throws IOException 1785 { 1786 SecurityParameters securityParameters = context.getSecurityParametersConnection(); 1787 1788 TlsSecret current; 1789 if (forServer) 1790 { 1791 current = securityParameters.getTrafficSecretServer(); 1792 securityParameters.trafficSecretServer = update13TrafficSecret(securityParameters, current); 1793 } 1794 else 1795 { 1796 current = securityParameters.getTrafficSecretClient(); 1797 securityParameters.trafficSecretClient = update13TrafficSecret(securityParameters, current); 1798 } 1799 1800 if (null != current) 1801 { 1802 current.destroy(); 1803 } 1804 } 1805 update13TrafficSecret(SecurityParameters securityParameters, TlsSecret secret)1806 private static TlsSecret update13TrafficSecret(SecurityParameters securityParameters, TlsSecret secret) throws IOException 1807 { 1808 return TlsCryptoUtils.hkdfExpandLabel(secret, securityParameters.getPRFHashAlgorithm(), "traffic upd", 1809 EMPTY_BYTES, securityParameters.getPRFHashLength()); 1810 } 1811 getHashAlgorithmForPRFAlgorithm(int prfAlgorithm)1812 public static short getHashAlgorithmForPRFAlgorithm(int prfAlgorithm) 1813 { 1814 switch (prfAlgorithm) 1815 { 1816 case PRFAlgorithm.ssl_prf_legacy: 1817 case PRFAlgorithm.tls_prf_legacy: 1818 throw new IllegalArgumentException("legacy PRF not a valid algorithm"); 1819 case PRFAlgorithm.tls_prf_sha256: 1820 case PRFAlgorithm.tls13_hkdf_sha256: 1821 return HashAlgorithm.sha256; 1822 case PRFAlgorithm.tls_prf_sha384: 1823 case PRFAlgorithm.tls13_hkdf_sha384: 1824 return HashAlgorithm.sha384; 1825 // TODO[RFC 8998] 1826 // case PRFAlgorithm.tls13_hkdf_sm3: 1827 // return HashAlgorithm.sm3; 1828 default: 1829 throw new IllegalArgumentException("unknown PRFAlgorithm: " + PRFAlgorithm.getText(prfAlgorithm)); 1830 } 1831 } 1832 getOIDForHashAlgorithm(short hashAlgorithm)1833 public static ASN1ObjectIdentifier getOIDForHashAlgorithm(short hashAlgorithm) 1834 { 1835 switch (hashAlgorithm) 1836 { 1837 case HashAlgorithm.md5: 1838 return PKCSObjectIdentifiers.md5; 1839 case HashAlgorithm.sha1: 1840 return X509ObjectIdentifiers.id_SHA1; 1841 case HashAlgorithm.sha224: 1842 return NISTObjectIdentifiers.id_sha224; 1843 case HashAlgorithm.sha256: 1844 return NISTObjectIdentifiers.id_sha256; 1845 case HashAlgorithm.sha384: 1846 return NISTObjectIdentifiers.id_sha384; 1847 case HashAlgorithm.sha512: 1848 return NISTObjectIdentifiers.id_sha512; 1849 // TODO[RFC 8998] 1850 // case HashAlgorithm.sm3: 1851 // return GMObjectIdentifiers.sm3; 1852 default: 1853 throw new IllegalArgumentException("invalid HashAlgorithm: " + HashAlgorithm.getText(hashAlgorithm)); 1854 } 1855 } 1856 getPRFAlgorithm(SecurityParameters securityParameters, int cipherSuite)1857 static int getPRFAlgorithm(SecurityParameters securityParameters, int cipherSuite) throws IOException 1858 { 1859 ProtocolVersion negotiatedVersion = securityParameters.getNegotiatedVersion(); 1860 1861 final boolean isTLSv13 = isTLSv13(negotiatedVersion); 1862 final boolean isTLSv12Exactly = !isTLSv13 && isTLSv12(negotiatedVersion); 1863 final boolean isSSL = negotiatedVersion.isSSL(); 1864 1865 switch (cipherSuite) 1866 { 1867 case CipherSuite.TLS_AES_128_CCM_SHA256: 1868 case CipherSuite.TLS_AES_128_CCM_8_SHA256: 1869 case CipherSuite.TLS_AES_128_GCM_SHA256: 1870 case CipherSuite.TLS_CHACHA20_POLY1305_SHA256: 1871 { 1872 if (isTLSv13) 1873 { 1874 return PRFAlgorithm.tls13_hkdf_sha256; 1875 } 1876 throw new TlsFatalAlert(AlertDescription.illegal_parameter); 1877 } 1878 1879 case CipherSuite.TLS_AES_256_GCM_SHA384: 1880 { 1881 if (isTLSv13) 1882 { 1883 return PRFAlgorithm.tls13_hkdf_sha384; 1884 } 1885 throw new TlsFatalAlert(AlertDescription.illegal_parameter); 1886 } 1887 1888 case CipherSuite.TLS_SM4_CCM_SM3: 1889 case CipherSuite.TLS_SM4_GCM_SM3: 1890 { 1891 if (isTLSv13) 1892 { 1893 return PRFAlgorithm.tls13_hkdf_sm3; 1894 } 1895 throw new TlsFatalAlert(AlertDescription.illegal_parameter); 1896 } 1897 1898 case CipherSuite.TLS_DH_anon_WITH_AES_128_CBC_SHA256: 1899 case CipherSuite.TLS_DH_anon_WITH_AES_128_GCM_SHA256: 1900 case CipherSuite.TLS_DH_anon_WITH_AES_256_CBC_SHA256: 1901 case CipherSuite.TLS_DH_anon_WITH_ARIA_128_CBC_SHA256: 1902 case CipherSuite.TLS_DH_anon_WITH_ARIA_128_GCM_SHA256: 1903 case CipherSuite.TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256: 1904 case CipherSuite.TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256: 1905 case CipherSuite.TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256: 1906 case CipherSuite.TLS_DH_DSS_WITH_AES_128_CBC_SHA256: 1907 case CipherSuite.TLS_DH_DSS_WITH_AES_128_GCM_SHA256: 1908 case CipherSuite.TLS_DH_DSS_WITH_AES_256_CBC_SHA256: 1909 case CipherSuite.TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256: 1910 case CipherSuite.TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256: 1911 case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256: 1912 case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256: 1913 case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256: 1914 case CipherSuite.TLS_DH_RSA_WITH_AES_128_CBC_SHA256: 1915 case CipherSuite.TLS_DH_RSA_WITH_AES_128_GCM_SHA256: 1916 case CipherSuite.TLS_DH_RSA_WITH_AES_256_CBC_SHA256: 1917 case CipherSuite.TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256: 1918 case CipherSuite.TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256: 1919 case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256: 1920 case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256: 1921 case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256: 1922 case CipherSuite.TLS_DHE_DSS_WITH_AES_128_CBC_SHA256: 1923 case CipherSuite.TLS_DHE_DSS_WITH_AES_128_GCM_SHA256: 1924 case CipherSuite.TLS_DHE_DSS_WITH_AES_256_CBC_SHA256: 1925 case CipherSuite.TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256: 1926 case CipherSuite.TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256: 1927 case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256: 1928 case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256: 1929 case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256: 1930 case CipherSuite.TLS_DHE_PSK_WITH_AES_128_CCM: 1931 case CipherSuite.TLS_DHE_PSK_WITH_AES_128_GCM_SHA256: 1932 case CipherSuite.TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256: 1933 case CipherSuite.TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256: 1934 case CipherSuite.TLS_DHE_PSK_WITH_AES_256_CCM: 1935 case CipherSuite.TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256: 1936 case CipherSuite.TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256: 1937 case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: 1938 case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CCM: 1939 case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CCM_8: 1940 case CipherSuite.TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: 1941 case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: 1942 case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CCM: 1943 case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CCM_8: 1944 case CipherSuite.TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256: 1945 case CipherSuite.TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256: 1946 case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256: 1947 case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256: 1948 case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256: 1949 case CipherSuite.TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: 1950 case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256: 1951 case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256: 1952 case CipherSuite.TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256: 1953 case CipherSuite.TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256: 1954 case CipherSuite.TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256: 1955 case CipherSuite.TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256: 1956 case CipherSuite.TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256: 1957 case CipherSuite.TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256: 1958 case CipherSuite.TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256: 1959 case CipherSuite.TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256: 1960 case CipherSuite.TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256: 1961 case CipherSuite.TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256: 1962 case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: 1963 case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CCM: 1964 case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8: 1965 case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: 1966 case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CCM: 1967 case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8: 1968 case CipherSuite.TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256: 1969 case CipherSuite.TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256: 1970 case CipherSuite.TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256: 1971 case CipherSuite.TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256: 1972 case CipherSuite.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: 1973 case CipherSuite.TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256: 1974 case CipherSuite.TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256: 1975 case CipherSuite.TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256: 1976 case CipherSuite.TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256: 1977 case CipherSuite.TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256: 1978 case CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: 1979 case CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: 1980 case CipherSuite.TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256: 1981 case CipherSuite.TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256: 1982 case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256: 1983 case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256: 1984 case CipherSuite.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: 1985 case CipherSuite.TLS_PSK_DHE_WITH_AES_128_CCM_8: 1986 case CipherSuite.TLS_PSK_DHE_WITH_AES_256_CCM_8: 1987 case CipherSuite.TLS_PSK_WITH_AES_128_CCM: 1988 case CipherSuite.TLS_PSK_WITH_AES_128_CCM_8: 1989 case CipherSuite.TLS_PSK_WITH_AES_128_GCM_SHA256: 1990 case CipherSuite.TLS_PSK_WITH_CHACHA20_POLY1305_SHA256: 1991 case CipherSuite.TLS_PSK_WITH_AES_256_CCM: 1992 case CipherSuite.TLS_PSK_WITH_AES_256_CCM_8: 1993 case CipherSuite.TLS_PSK_WITH_ARIA_128_CBC_SHA256: 1994 case CipherSuite.TLS_PSK_WITH_ARIA_128_GCM_SHA256: 1995 case CipherSuite.TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256: 1996 case CipherSuite.TLS_RSA_PSK_WITH_AES_128_GCM_SHA256: 1997 case CipherSuite.TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256: 1998 case CipherSuite.TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256: 1999 case CipherSuite.TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256: 2000 case CipherSuite.TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256: 2001 case CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA256: 2002 case CipherSuite.TLS_RSA_WITH_AES_128_CCM: 2003 case CipherSuite.TLS_RSA_WITH_AES_128_CCM_8: 2004 case CipherSuite.TLS_RSA_WITH_AES_128_GCM_SHA256: 2005 case CipherSuite.TLS_RSA_WITH_AES_256_CBC_SHA256: 2006 case CipherSuite.TLS_RSA_WITH_AES_256_CCM: 2007 case CipherSuite.TLS_RSA_WITH_AES_256_CCM_8: 2008 case CipherSuite.TLS_RSA_WITH_ARIA_128_CBC_SHA256: 2009 case CipherSuite.TLS_RSA_WITH_ARIA_128_GCM_SHA256: 2010 case CipherSuite.TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256: 2011 case CipherSuite.TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256: 2012 case CipherSuite.TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256: 2013 case CipherSuite.TLS_RSA_WITH_NULL_SHA256: 2014 { 2015 if (isTLSv12Exactly) 2016 { 2017 return PRFAlgorithm.tls_prf_sha256; 2018 } 2019 throw new TlsFatalAlert(AlertDescription.illegal_parameter); 2020 } 2021 2022 case CipherSuite.TLS_DH_anon_WITH_AES_256_GCM_SHA384: 2023 case CipherSuite.TLS_DH_anon_WITH_ARIA_256_CBC_SHA384: 2024 case CipherSuite.TLS_DH_anon_WITH_ARIA_256_GCM_SHA384: 2025 case CipherSuite.TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384: 2026 case CipherSuite.TLS_DH_DSS_WITH_AES_256_GCM_SHA384: 2027 case CipherSuite.TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384: 2028 case CipherSuite.TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384: 2029 case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384: 2030 case CipherSuite.TLS_DH_RSA_WITH_AES_256_GCM_SHA384: 2031 case CipherSuite.TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384: 2032 case CipherSuite.TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384: 2033 case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384: 2034 case CipherSuite.TLS_DHE_DSS_WITH_AES_256_GCM_SHA384: 2035 case CipherSuite.TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384: 2036 case CipherSuite.TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384: 2037 case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384: 2038 case CipherSuite.TLS_DHE_PSK_WITH_AES_256_GCM_SHA384: 2039 case CipherSuite.TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384: 2040 case CipherSuite.TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384: 2041 case CipherSuite.TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384: 2042 case CipherSuite.TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: 2043 case CipherSuite.TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384: 2044 case CipherSuite.TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384: 2045 case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384: 2046 case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384: 2047 case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384: 2048 case CipherSuite.TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384: 2049 case CipherSuite.TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384: 2050 case CipherSuite.TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384: 2051 case CipherSuite.TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384: 2052 case CipherSuite.TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384: 2053 case CipherSuite.TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384: 2054 case CipherSuite.TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384: 2055 case CipherSuite.TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384: 2056 case CipherSuite.TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384: 2057 case CipherSuite.TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384: 2058 case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: 2059 case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: 2060 case CipherSuite.TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384: 2061 case CipherSuite.TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384: 2062 case CipherSuite.TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384: 2063 case CipherSuite.TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384: 2064 case CipherSuite.TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384: 2065 case CipherSuite.TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384: 2066 case CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384: 2067 case CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: 2068 case CipherSuite.TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384: 2069 case CipherSuite.TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384: 2070 case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384: 2071 case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384: 2072 case CipherSuite.TLS_PSK_WITH_AES_256_GCM_SHA384: 2073 case CipherSuite.TLS_PSK_WITH_ARIA_256_CBC_SHA384: 2074 case CipherSuite.TLS_PSK_WITH_ARIA_256_GCM_SHA384: 2075 case CipherSuite.TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384: 2076 case CipherSuite.TLS_RSA_PSK_WITH_AES_256_GCM_SHA384: 2077 case CipherSuite.TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384: 2078 case CipherSuite.TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384: 2079 case CipherSuite.TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384: 2080 case CipherSuite.TLS_RSA_WITH_AES_256_GCM_SHA384: 2081 case CipherSuite.TLS_RSA_WITH_ARIA_256_CBC_SHA384: 2082 case CipherSuite.TLS_RSA_WITH_ARIA_256_GCM_SHA384: 2083 case CipherSuite.TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384: 2084 { 2085 if (isTLSv12Exactly) 2086 { 2087 return PRFAlgorithm.tls_prf_sha384; 2088 } 2089 throw new TlsFatalAlert(AlertDescription.illegal_parameter); 2090 } 2091 2092 case CipherSuite.TLS_DHE_PSK_WITH_AES_256_CBC_SHA384: 2093 case CipherSuite.TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384: 2094 case CipherSuite.TLS_DHE_PSK_WITH_NULL_SHA384: 2095 case CipherSuite.TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384: 2096 case CipherSuite.TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384: 2097 case CipherSuite.TLS_ECDHE_PSK_WITH_NULL_SHA384: 2098 case CipherSuite.TLS_PSK_WITH_AES_256_CBC_SHA384: 2099 case CipherSuite.TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384: 2100 case CipherSuite.TLS_PSK_WITH_NULL_SHA384: 2101 case CipherSuite.TLS_RSA_PSK_WITH_AES_256_CBC_SHA384: 2102 case CipherSuite.TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384: 2103 case CipherSuite.TLS_RSA_PSK_WITH_NULL_SHA384: 2104 { 2105 if (isTLSv13) 2106 { 2107 throw new TlsFatalAlert(AlertDescription.illegal_parameter); 2108 } 2109 if (isTLSv12Exactly) 2110 { 2111 return PRFAlgorithm.tls_prf_sha384; 2112 } 2113 if (isSSL) 2114 { 2115 return PRFAlgorithm.ssl_prf_legacy; 2116 } 2117 return PRFAlgorithm.tls_prf_legacy; 2118 } 2119 2120 default: 2121 { 2122 if (isTLSv13) 2123 { 2124 throw new TlsFatalAlert(AlertDescription.illegal_parameter); 2125 } 2126 if (isTLSv12Exactly) 2127 { 2128 return PRFAlgorithm.tls_prf_sha256; 2129 } 2130 if (isSSL) 2131 { 2132 return PRFAlgorithm.ssl_prf_legacy; 2133 } 2134 return PRFAlgorithm.tls_prf_legacy; 2135 } 2136 } 2137 } 2138 calculateSignatureHash(TlsContext context, SignatureAndHashAlgorithm algorithm, DigestInputBuffer buf)2139 static byte[] calculateSignatureHash(TlsContext context, SignatureAndHashAlgorithm algorithm, DigestInputBuffer buf) 2140 { 2141 TlsCrypto crypto = context.getCrypto(); 2142 2143 TlsHash h = algorithm == null 2144 ? new CombinedHash(crypto) 2145 : createHash(crypto, algorithm.getHash()); 2146 2147 SecurityParameters sp = context.getSecurityParametersHandshake(); 2148 byte[] cr = sp.getClientRandom(), sr = sp.getServerRandom(); 2149 h.update(cr, 0, cr.length); 2150 h.update(sr, 0, sr.length); 2151 buf.updateDigest(h); 2152 2153 return h.calculateHash(); 2154 } 2155 sendSignatureInput(TlsContext context, DigestInputBuffer buf, OutputStream output)2156 static void sendSignatureInput(TlsContext context, DigestInputBuffer buf, OutputStream output) 2157 throws IOException 2158 { 2159 SecurityParameters securityParameters = context.getSecurityParametersHandshake(); 2160 // NOTE: The implicit copy here is intended (and important) 2161 output.write(Arrays.concatenate(securityParameters.getClientRandom(), securityParameters.getServerRandom())); 2162 buf.copyTo(output); 2163 output.close(); 2164 } 2165 generateCertificateVerifyClient(TlsClientContext clientContext, TlsCredentialedSigner credentialedSigner, TlsStreamSigner streamSigner, TlsHandshakeHash handshakeHash)2166 static DigitallySigned generateCertificateVerifyClient(TlsClientContext clientContext, 2167 TlsCredentialedSigner credentialedSigner, TlsStreamSigner streamSigner, TlsHandshakeHash handshakeHash) 2168 throws IOException 2169 { 2170 SecurityParameters securityParameters = clientContext.getSecurityParametersHandshake(); 2171 ProtocolVersion negotiatedVersion = securityParameters.getNegotiatedVersion(); 2172 2173 if (isTLSv13(negotiatedVersion)) 2174 { 2175 // Should be using generateCertificateVerify13 instead 2176 throw new TlsFatalAlert(AlertDescription.internal_error); 2177 } 2178 2179 /* 2180 * RFC 5246 4.7. digitally-signed element needs SignatureAndHashAlgorithm from TLS 1.2 2181 */ 2182 SignatureAndHashAlgorithm signatureAndHashAlgorithm = getSignatureAndHashAlgorithm(negotiatedVersion, 2183 credentialedSigner); 2184 2185 byte[] signature; 2186 if (streamSigner != null) 2187 { 2188 handshakeHash.copyBufferTo(streamSigner.getOutputStream()); 2189 signature = streamSigner.getSignature(); 2190 } 2191 else 2192 { 2193 byte[] hash; 2194 if (signatureAndHashAlgorithm == null) 2195 { 2196 hash = securityParameters.getSessionHash(); 2197 } 2198 else 2199 { 2200 int signatureScheme = SignatureScheme.from(signatureAndHashAlgorithm); 2201 int cryptoHashAlgorithm = SignatureScheme.getCryptoHashAlgorithm(signatureScheme); 2202 2203 hash = handshakeHash.getFinalHash(cryptoHashAlgorithm); 2204 } 2205 2206 signature = credentialedSigner.generateRawSignature(hash); 2207 } 2208 2209 return new DigitallySigned(signatureAndHashAlgorithm, signature); 2210 } 2211 generate13CertificateVerify(TlsContext context, TlsCredentialedSigner credentialedSigner, TlsHandshakeHash handshakeHash)2212 static DigitallySigned generate13CertificateVerify(TlsContext context, TlsCredentialedSigner credentialedSigner, 2213 TlsHandshakeHash handshakeHash) throws IOException 2214 { 2215 SignatureAndHashAlgorithm signatureAndHashAlgorithm = credentialedSigner.getSignatureAndHashAlgorithm(); 2216 if (null == signatureAndHashAlgorithm) 2217 { 2218 throw new TlsFatalAlert(AlertDescription.internal_error); 2219 } 2220 2221 String contextString = context.isServer() 2222 ? "TLS 1.3, server CertificateVerify" 2223 : "TLS 1.3, client CertificateVerify"; 2224 2225 byte[] signature = generate13CertificateVerify(context.getCrypto(), credentialedSigner, contextString, 2226 handshakeHash, signatureAndHashAlgorithm); 2227 2228 return new DigitallySigned(signatureAndHashAlgorithm, signature); 2229 } 2230 generate13CertificateVerify(TlsCrypto crypto, TlsCredentialedSigner credentialedSigner, String contextString, TlsHandshakeHash handshakeHash, SignatureAndHashAlgorithm signatureAndHashAlgorithm)2231 private static byte[] generate13CertificateVerify(TlsCrypto crypto, TlsCredentialedSigner credentialedSigner, 2232 String contextString, TlsHandshakeHash handshakeHash, SignatureAndHashAlgorithm signatureAndHashAlgorithm) 2233 throws IOException 2234 { 2235 TlsStreamSigner streamSigner = credentialedSigner.getStreamSigner(); 2236 2237 byte[] header = getCertificateVerifyHeader(contextString); 2238 byte[] prfHash = getCurrentPRFHash(handshakeHash); 2239 2240 if (null != streamSigner) 2241 { 2242 OutputStream output = streamSigner.getOutputStream(); 2243 output.write(header, 0, header.length); 2244 output.write(prfHash, 0, prfHash.length); 2245 return streamSigner.getSignature(); 2246 } 2247 2248 int signatureScheme = SignatureScheme.from(signatureAndHashAlgorithm); 2249 int cryptoHashAlgorithm = SignatureScheme.getCryptoHashAlgorithm(signatureScheme); 2250 2251 TlsHash tlsHash = crypto.createHash(cryptoHashAlgorithm); 2252 tlsHash.update(header, 0, header.length); 2253 tlsHash.update(prfHash, 0, prfHash.length); 2254 byte[] hash = tlsHash.calculateHash(); 2255 return credentialedSigner.generateRawSignature(hash); 2256 } 2257 verifyCertificateVerifyClient(TlsServerContext serverContext, CertificateRequest certificateRequest, DigitallySigned certificateVerify, TlsHandshakeHash handshakeHash)2258 static void verifyCertificateVerifyClient(TlsServerContext serverContext, CertificateRequest certificateRequest, 2259 DigitallySigned certificateVerify, TlsHandshakeHash handshakeHash) throws IOException 2260 { 2261 SecurityParameters securityParameters = serverContext.getSecurityParametersHandshake(); 2262 Certificate clientCertificate = securityParameters.getPeerCertificate(); 2263 TlsCertificate verifyingCert = clientCertificate.getCertificateAt(0); 2264 SignatureAndHashAlgorithm sigAndHashAlg = certificateVerify.getAlgorithm(); 2265 short signatureAlgorithm; 2266 2267 if (null == sigAndHashAlg) 2268 { 2269 signatureAlgorithm = verifyingCert.getLegacySignatureAlgorithm(); 2270 2271 short clientCertType = getLegacyClientCertType(signatureAlgorithm); 2272 if (clientCertType < 0 || !Arrays.contains(certificateRequest.getCertificateTypes(), clientCertType)) 2273 { 2274 throw new TlsFatalAlert(AlertDescription.unsupported_certificate); 2275 } 2276 } 2277 else 2278 { 2279 signatureAlgorithm = sigAndHashAlg.getSignature(); 2280 2281 // TODO Is it possible (maybe only pre-1.2 to check this immediately when the Certificate arrives? 2282 if (!isValidSignatureAlgorithmForCertificateVerify(signatureAlgorithm, certificateRequest.getCertificateTypes())) 2283 { 2284 throw new TlsFatalAlert(AlertDescription.illegal_parameter); 2285 } 2286 2287 verifySupportedSignatureAlgorithm(securityParameters.getServerSigAlgs(), sigAndHashAlg); 2288 } 2289 2290 // Verify the CertificateVerify message contains a correct signature. 2291 boolean verified; 2292 try 2293 { 2294 TlsVerifier verifier = verifyingCert.createVerifier(signatureAlgorithm); 2295 TlsStreamVerifier streamVerifier = verifier.getStreamVerifier(certificateVerify); 2296 2297 if (streamVerifier != null) 2298 { 2299 handshakeHash.copyBufferTo(streamVerifier.getOutputStream()); 2300 verified = streamVerifier.isVerified(); 2301 } 2302 else 2303 { 2304 byte[] hash; 2305 if (isTLSv12(serverContext)) 2306 { 2307 int signatureScheme = SignatureScheme.from(sigAndHashAlg); 2308 int cryptoHashAlgorithm = SignatureScheme.getCryptoHashAlgorithm(signatureScheme); 2309 2310 hash = handshakeHash.getFinalHash(cryptoHashAlgorithm); 2311 } 2312 else 2313 { 2314 hash = securityParameters.getSessionHash(); 2315 } 2316 2317 verified = verifier.verifyRawSignature(certificateVerify, hash); 2318 } 2319 } 2320 catch (TlsFatalAlert e) 2321 { 2322 throw e; 2323 } 2324 catch (Exception e) 2325 { 2326 throw new TlsFatalAlert(AlertDescription.decrypt_error, e); 2327 } 2328 2329 if (!verified) 2330 { 2331 throw new TlsFatalAlert(AlertDescription.decrypt_error); 2332 } 2333 } 2334 verify13CertificateVerifyClient(TlsServerContext serverContext, CertificateRequest certificateRequest, DigitallySigned certificateVerify, TlsHandshakeHash handshakeHash)2335 static void verify13CertificateVerifyClient(TlsServerContext serverContext, CertificateRequest certificateRequest, 2336 DigitallySigned certificateVerify, TlsHandshakeHash handshakeHash) throws IOException 2337 { 2338 SecurityParameters securityParameters = serverContext.getSecurityParametersHandshake(); 2339 Certificate clientCertificate = securityParameters.getPeerCertificate(); 2340 TlsCertificate verifyingCert = clientCertificate.getCertificateAt(0); 2341 2342 SignatureAndHashAlgorithm sigAndHashAlg = certificateVerify.getAlgorithm(); 2343 verifySupportedSignatureAlgorithm(securityParameters.getServerSigAlgs(), sigAndHashAlg); 2344 2345 int signatureScheme = SignatureScheme.from(sigAndHashAlg); 2346 2347 // Verify the CertificateVerify message contains a correct signature. 2348 boolean verified; 2349 try 2350 { 2351 TlsVerifier verifier = verifyingCert.createVerifier(signatureScheme); 2352 2353 verified = verify13CertificateVerify(serverContext.getCrypto(), certificateVerify, verifier, 2354 "TLS 1.3, client CertificateVerify", handshakeHash); 2355 } 2356 catch (TlsFatalAlert e) 2357 { 2358 throw e; 2359 } 2360 catch (Exception e) 2361 { 2362 throw new TlsFatalAlert(AlertDescription.decrypt_error, e); 2363 } 2364 2365 if (!verified) 2366 { 2367 throw new TlsFatalAlert(AlertDescription.decrypt_error); 2368 } 2369 } 2370 verify13CertificateVerifyServer(TlsClientContext clientContext, DigitallySigned certificateVerify, TlsHandshakeHash handshakeHash)2371 static void verify13CertificateVerifyServer(TlsClientContext clientContext, DigitallySigned certificateVerify, 2372 TlsHandshakeHash handshakeHash) throws IOException 2373 { 2374 SecurityParameters securityParameters = clientContext.getSecurityParametersHandshake(); 2375 Certificate serverCertificate = securityParameters.getPeerCertificate(); 2376 TlsCertificate verifyingCert = serverCertificate.getCertificateAt(0); 2377 2378 SignatureAndHashAlgorithm sigAndHashAlg = certificateVerify.getAlgorithm(); 2379 verifySupportedSignatureAlgorithm(securityParameters.getClientSigAlgs(), sigAndHashAlg); 2380 2381 int signatureScheme = SignatureScheme.from(sigAndHashAlg); 2382 2383 // Verify the CertificateVerify message contains a correct signature. 2384 boolean verified; 2385 try 2386 { 2387 TlsVerifier verifier = verifyingCert.createVerifier(signatureScheme); 2388 2389 verified = verify13CertificateVerify(clientContext.getCrypto(), certificateVerify, verifier, 2390 "TLS 1.3, server CertificateVerify", handshakeHash); 2391 } 2392 catch (TlsFatalAlert e) 2393 { 2394 throw e; 2395 } 2396 catch (Exception e) 2397 { 2398 throw new TlsFatalAlert(AlertDescription.decrypt_error, e); 2399 } 2400 2401 if (!verified) 2402 { 2403 throw new TlsFatalAlert(AlertDescription.decrypt_error); 2404 } 2405 } 2406 verify13CertificateVerify(TlsCrypto crypto, DigitallySigned certificateVerify, TlsVerifier verifier, String contextString, TlsHandshakeHash handshakeHash)2407 private static boolean verify13CertificateVerify(TlsCrypto crypto, DigitallySigned certificateVerify, 2408 TlsVerifier verifier, String contextString, TlsHandshakeHash handshakeHash) throws IOException 2409 { 2410 TlsStreamVerifier streamVerifier = verifier.getStreamVerifier(certificateVerify); 2411 2412 byte[] header = getCertificateVerifyHeader(contextString); 2413 byte[] prfHash = getCurrentPRFHash(handshakeHash); 2414 2415 if (null != streamVerifier) 2416 { 2417 OutputStream output = streamVerifier.getOutputStream(); 2418 output.write(header, 0, header.length); 2419 output.write(prfHash, 0, prfHash.length); 2420 return streamVerifier.isVerified(); 2421 } 2422 2423 int signatureScheme = SignatureScheme.from(certificateVerify.getAlgorithm()); 2424 int cryptoHashAlgorithm = SignatureScheme.getCryptoHashAlgorithm(signatureScheme); 2425 2426 TlsHash tlsHash = crypto.createHash(cryptoHashAlgorithm); 2427 tlsHash.update(header, 0, header.length); 2428 tlsHash.update(prfHash, 0, prfHash.length); 2429 byte[] hash = tlsHash.calculateHash(); 2430 return verifier.verifyRawSignature(certificateVerify, hash); 2431 } 2432 getCertificateVerifyHeader(String contextString)2433 private static byte[] getCertificateVerifyHeader(String contextString) 2434 { 2435 int count = contextString.length(); 2436 byte[] header = new byte[64 + count + 1]; 2437 for (int i = 0; i < 64; ++i) 2438 { 2439 header[i] = 0x20; 2440 } 2441 for (int i = 0; i < count; ++i) 2442 { 2443 char c = contextString.charAt(i); 2444 header[64 + i] = (byte)c; 2445 } 2446 header[64 + count] = 0x00; 2447 return header; 2448 } 2449 generateServerKeyExchangeSignature(TlsContext context, TlsCredentialedSigner credentials, DigestInputBuffer digestBuffer)2450 static void generateServerKeyExchangeSignature(TlsContext context, TlsCredentialedSigner credentials, 2451 DigestInputBuffer digestBuffer) throws IOException 2452 { 2453 /* 2454 * RFC 5246 4.7. digitally-signed element needs SignatureAndHashAlgorithm from TLS 1.2 2455 */ 2456 SignatureAndHashAlgorithm algorithm = getSignatureAndHashAlgorithm(context, credentials); 2457 TlsStreamSigner streamSigner = credentials.getStreamSigner(); 2458 2459 byte[] signature; 2460 if (streamSigner != null) 2461 { 2462 sendSignatureInput(context, digestBuffer, streamSigner.getOutputStream()); 2463 signature = streamSigner.getSignature(); 2464 } 2465 else 2466 { 2467 byte[] hash = calculateSignatureHash(context, algorithm, digestBuffer); 2468 signature = credentials.generateRawSignature(hash); 2469 } 2470 2471 DigitallySigned digitallySigned = new DigitallySigned(algorithm, signature); 2472 2473 digitallySigned.encode(digestBuffer); 2474 } 2475 verifyServerKeyExchangeSignature(TlsContext context, InputStream signatureInput, TlsCertificate serverCertificate, DigestInputBuffer digestBuffer)2476 static void verifyServerKeyExchangeSignature(TlsContext context, InputStream signatureInput, 2477 TlsCertificate serverCertificate, DigestInputBuffer digestBuffer) throws IOException 2478 { 2479 DigitallySigned digitallySigned = DigitallySigned.parse(context, signatureInput); 2480 2481 SecurityParameters securityParameters = context.getSecurityParametersHandshake(); 2482 int keyExchangeAlgorithm = securityParameters.getKeyExchangeAlgorithm(); 2483 2484 SignatureAndHashAlgorithm sigAndHashAlg = digitallySigned.getAlgorithm(); 2485 short signatureAlgorithm; 2486 2487 if (sigAndHashAlg == null) 2488 { 2489 signatureAlgorithm = getLegacySignatureAlgorithmServer(keyExchangeAlgorithm); 2490 } 2491 else 2492 { 2493 signatureAlgorithm = sigAndHashAlg.getSignature(); 2494 2495 if (!isValidSignatureAlgorithmForServerKeyExchange(signatureAlgorithm, keyExchangeAlgorithm)) 2496 { 2497 throw new TlsFatalAlert(AlertDescription.illegal_parameter); 2498 } 2499 2500 verifySupportedSignatureAlgorithm(securityParameters.getClientSigAlgs(), sigAndHashAlg); 2501 } 2502 2503 TlsVerifier verifier = serverCertificate.createVerifier(signatureAlgorithm); 2504 TlsStreamVerifier streamVerifier = verifier.getStreamVerifier(digitallySigned); 2505 2506 boolean verified; 2507 if (streamVerifier != null) 2508 { 2509 sendSignatureInput(context, digestBuffer, streamVerifier.getOutputStream()); 2510 verified = streamVerifier.isVerified(); 2511 } 2512 else 2513 { 2514 byte[] hash = calculateSignatureHash(context, sigAndHashAlg, digestBuffer); 2515 verified = verifier.verifyRawSignature(digitallySigned, hash); 2516 } 2517 2518 if (!verified) 2519 { 2520 throw new TlsFatalAlert(AlertDescription.decrypt_error); 2521 } 2522 } 2523 trackHashAlgorithms(TlsHandshakeHash handshakeHash, Vector supportedSignatureAlgorithms)2524 static void trackHashAlgorithms(TlsHandshakeHash handshakeHash, Vector supportedSignatureAlgorithms) 2525 { 2526 if (supportedSignatureAlgorithms != null) 2527 { 2528 for (int i = 0; i < supportedSignatureAlgorithms.size(); ++i) 2529 { 2530 /* 2531 * TODO We could validate the signature algorithm part. Currently the impact is 2532 * that we might be tracking extra hashes pointlessly (but there are only a 2533 * limited number of recognized hash algorithms). 2534 */ 2535 SignatureAndHashAlgorithm signatureAndHashAlgorithm = (SignatureAndHashAlgorithm) 2536 supportedSignatureAlgorithms.elementAt(i); 2537 2538 int signatureScheme = SignatureScheme.from(signatureAndHashAlgorithm); 2539 int cryptoHashAlgorithm = SignatureScheme.getCryptoHashAlgorithm(signatureScheme); 2540 2541 if (cryptoHashAlgorithm >= 0) 2542 { 2543 handshakeHash.trackHashAlgorithm(cryptoHashAlgorithm); 2544 } 2545 else if (HashAlgorithm.Intrinsic == signatureAndHashAlgorithm.getHash()) 2546 { 2547 handshakeHash.forceBuffering(); 2548 } 2549 } 2550 } 2551 } 2552 hasSigningCapability(short clientCertificateType)2553 public static boolean hasSigningCapability(short clientCertificateType) 2554 { 2555 switch (clientCertificateType) 2556 { 2557 case ClientCertificateType.dss_sign: 2558 case ClientCertificateType.ecdsa_sign: 2559 case ClientCertificateType.rsa_sign: 2560 return true; 2561 default: 2562 return false; 2563 } 2564 } 2565 vectorOfOne(Object obj)2566 public static Vector vectorOfOne(Object obj) 2567 { 2568 Vector v = new Vector(1); 2569 v.addElement(obj); 2570 return v; 2571 } 2572 getCipherType(int cipherSuite)2573 public static int getCipherType(int cipherSuite) 2574 { 2575 int encryptionAlgorithm = getEncryptionAlgorithm(cipherSuite); 2576 2577 return getEncryptionAlgorithmType(encryptionAlgorithm); 2578 } 2579 getEncryptionAlgorithm(int cipherSuite)2580 public static int getEncryptionAlgorithm(int cipherSuite) 2581 { 2582 switch (cipherSuite) 2583 { 2584 case CipherSuite.TLS_DH_anon_WITH_3DES_EDE_CBC_SHA: 2585 case CipherSuite.TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA: 2586 case CipherSuite.TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA: 2587 case CipherSuite.TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA: 2588 case CipherSuite.TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA: 2589 case CipherSuite.TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA: 2590 case CipherSuite.TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA: 2591 case CipherSuite.TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA: 2592 case CipherSuite.TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA: 2593 case CipherSuite.TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA: 2594 case CipherSuite.TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA: 2595 case CipherSuite.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: 2596 case CipherSuite.TLS_PSK_WITH_3DES_EDE_CBC_SHA: 2597 case CipherSuite.TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA: 2598 case CipherSuite.TLS_RSA_WITH_3DES_EDE_CBC_SHA: 2599 case CipherSuite.TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA: 2600 case CipherSuite.TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA: 2601 case CipherSuite.TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA: 2602 return EncryptionAlgorithm._3DES_EDE_CBC; 2603 2604 case CipherSuite.TLS_DH_anon_WITH_AES_128_CBC_SHA: 2605 case CipherSuite.TLS_DH_anon_WITH_AES_128_CBC_SHA256: 2606 case CipherSuite.TLS_DH_DSS_WITH_AES_128_CBC_SHA: 2607 case CipherSuite.TLS_DH_DSS_WITH_AES_128_CBC_SHA256: 2608 case CipherSuite.TLS_DH_RSA_WITH_AES_128_CBC_SHA: 2609 case CipherSuite.TLS_DH_RSA_WITH_AES_128_CBC_SHA256: 2610 case CipherSuite.TLS_DHE_DSS_WITH_AES_128_CBC_SHA: 2611 case CipherSuite.TLS_DHE_DSS_WITH_AES_128_CBC_SHA256: 2612 case CipherSuite.TLS_DHE_PSK_WITH_AES_128_CBC_SHA: 2613 case CipherSuite.TLS_DHE_PSK_WITH_AES_128_CBC_SHA256: 2614 case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA: 2615 case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: 2616 case CipherSuite.TLS_ECDH_anon_WITH_AES_128_CBC_SHA: 2617 case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: 2618 case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256: 2619 case CipherSuite.TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: 2620 case CipherSuite.TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256: 2621 case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: 2622 case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: 2623 case CipherSuite.TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA: 2624 case CipherSuite.TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256: 2625 case CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: 2626 case CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: 2627 case CipherSuite.TLS_PSK_WITH_AES_128_CBC_SHA: 2628 case CipherSuite.TLS_PSK_WITH_AES_128_CBC_SHA256: 2629 case CipherSuite.TLS_RSA_PSK_WITH_AES_128_CBC_SHA: 2630 case CipherSuite.TLS_RSA_PSK_WITH_AES_128_CBC_SHA256: 2631 case CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA: 2632 case CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA256: 2633 case CipherSuite.TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA: 2634 case CipherSuite.TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA: 2635 case CipherSuite.TLS_SRP_SHA_WITH_AES_128_CBC_SHA: 2636 return EncryptionAlgorithm.AES_128_CBC; 2637 2638 case CipherSuite.TLS_AES_128_CCM_SHA256: 2639 case CipherSuite.TLS_DHE_PSK_WITH_AES_128_CCM: 2640 case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CCM: 2641 case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CCM: 2642 case CipherSuite.TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256: 2643 case CipherSuite.TLS_PSK_WITH_AES_128_CCM: 2644 case CipherSuite.TLS_RSA_WITH_AES_128_CCM: 2645 return EncryptionAlgorithm.AES_128_CCM; 2646 2647 case CipherSuite.TLS_AES_128_CCM_8_SHA256: 2648 case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CCM_8: 2649 case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8: 2650 case CipherSuite.TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256: 2651 case CipherSuite.TLS_PSK_DHE_WITH_AES_128_CCM_8: 2652 case CipherSuite.TLS_PSK_WITH_AES_128_CCM_8: 2653 case CipherSuite.TLS_RSA_WITH_AES_128_CCM_8: 2654 return EncryptionAlgorithm.AES_128_CCM_8; 2655 2656 case CipherSuite.TLS_AES_128_GCM_SHA256: 2657 case CipherSuite.TLS_DH_anon_WITH_AES_128_GCM_SHA256: 2658 case CipherSuite.TLS_DH_DSS_WITH_AES_128_GCM_SHA256: 2659 case CipherSuite.TLS_DH_RSA_WITH_AES_128_GCM_SHA256: 2660 case CipherSuite.TLS_DHE_DSS_WITH_AES_128_GCM_SHA256: 2661 case CipherSuite.TLS_DHE_PSK_WITH_AES_128_GCM_SHA256: 2662 case CipherSuite.TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: 2663 case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256: 2664 case CipherSuite.TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256: 2665 case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: 2666 case CipherSuite.TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256: 2667 case CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: 2668 case CipherSuite.TLS_PSK_WITH_AES_128_GCM_SHA256: 2669 case CipherSuite.TLS_RSA_PSK_WITH_AES_128_GCM_SHA256: 2670 case CipherSuite.TLS_RSA_WITH_AES_128_GCM_SHA256: 2671 return EncryptionAlgorithm.AES_128_GCM; 2672 2673 case CipherSuite.TLS_DH_anon_WITH_AES_256_CBC_SHA: 2674 case CipherSuite.TLS_DH_anon_WITH_AES_256_CBC_SHA256: 2675 case CipherSuite.TLS_DH_DSS_WITH_AES_256_CBC_SHA: 2676 case CipherSuite.TLS_DH_DSS_WITH_AES_256_CBC_SHA256: 2677 case CipherSuite.TLS_DH_RSA_WITH_AES_256_CBC_SHA: 2678 case CipherSuite.TLS_DH_RSA_WITH_AES_256_CBC_SHA256: 2679 case CipherSuite.TLS_DHE_DSS_WITH_AES_256_CBC_SHA: 2680 case CipherSuite.TLS_DHE_DSS_WITH_AES_256_CBC_SHA256: 2681 case CipherSuite.TLS_DHE_PSK_WITH_AES_256_CBC_SHA: 2682 case CipherSuite.TLS_DHE_PSK_WITH_AES_256_CBC_SHA384: 2683 case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CBC_SHA: 2684 case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: 2685 case CipherSuite.TLS_ECDH_anon_WITH_AES_256_CBC_SHA: 2686 case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: 2687 case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384: 2688 case CipherSuite.TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: 2689 case CipherSuite.TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384: 2690 case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: 2691 case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: 2692 case CipherSuite.TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA: 2693 case CipherSuite.TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384: 2694 case CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: 2695 case CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384: 2696 case CipherSuite.TLS_PSK_WITH_AES_256_CBC_SHA: 2697 case CipherSuite.TLS_PSK_WITH_AES_256_CBC_SHA384: 2698 case CipherSuite.TLS_RSA_PSK_WITH_AES_256_CBC_SHA: 2699 case CipherSuite.TLS_RSA_PSK_WITH_AES_256_CBC_SHA384: 2700 case CipherSuite.TLS_RSA_WITH_AES_256_CBC_SHA: 2701 case CipherSuite.TLS_RSA_WITH_AES_256_CBC_SHA256: 2702 case CipherSuite.TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA: 2703 case CipherSuite.TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA: 2704 case CipherSuite.TLS_SRP_SHA_WITH_AES_256_CBC_SHA: 2705 return EncryptionAlgorithm.AES_256_CBC; 2706 2707 case CipherSuite.TLS_DHE_PSK_WITH_AES_256_CCM: 2708 case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CCM: 2709 case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CCM: 2710 case CipherSuite.TLS_PSK_WITH_AES_256_CCM: 2711 case CipherSuite.TLS_RSA_WITH_AES_256_CCM: 2712 return EncryptionAlgorithm.AES_256_CCM; 2713 2714 case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CCM_8: 2715 case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8: 2716 case CipherSuite.TLS_PSK_DHE_WITH_AES_256_CCM_8: 2717 case CipherSuite.TLS_PSK_WITH_AES_256_CCM_8: 2718 case CipherSuite.TLS_RSA_WITH_AES_256_CCM_8: 2719 return EncryptionAlgorithm.AES_256_CCM_8; 2720 2721 case CipherSuite.TLS_AES_256_GCM_SHA384: 2722 case CipherSuite.TLS_DH_anon_WITH_AES_256_GCM_SHA384: 2723 case CipherSuite.TLS_DH_DSS_WITH_AES_256_GCM_SHA384: 2724 case CipherSuite.TLS_DH_RSA_WITH_AES_256_GCM_SHA384: 2725 case CipherSuite.TLS_DHE_DSS_WITH_AES_256_GCM_SHA384: 2726 case CipherSuite.TLS_DHE_PSK_WITH_AES_256_GCM_SHA384: 2727 case CipherSuite.TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: 2728 case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384: 2729 case CipherSuite.TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384: 2730 case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: 2731 case CipherSuite.TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384: 2732 case CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: 2733 case CipherSuite.TLS_PSK_WITH_AES_256_GCM_SHA384: 2734 case CipherSuite.TLS_RSA_PSK_WITH_AES_256_GCM_SHA384: 2735 case CipherSuite.TLS_RSA_WITH_AES_256_GCM_SHA384: 2736 return EncryptionAlgorithm.AES_256_GCM; 2737 2738 case CipherSuite.TLS_DH_anon_WITH_ARIA_128_CBC_SHA256: 2739 case CipherSuite.TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256: 2740 case CipherSuite.TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256: 2741 case CipherSuite.TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256: 2742 case CipherSuite.TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256: 2743 case CipherSuite.TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256: 2744 case CipherSuite.TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256: 2745 case CipherSuite.TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256: 2746 case CipherSuite.TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256: 2747 case CipherSuite.TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256: 2748 case CipherSuite.TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256: 2749 case CipherSuite.TLS_PSK_WITH_ARIA_128_CBC_SHA256: 2750 case CipherSuite.TLS_RSA_WITH_ARIA_128_CBC_SHA256: 2751 case CipherSuite.TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256: 2752 return EncryptionAlgorithm.ARIA_128_CBC; 2753 2754 case CipherSuite.TLS_DH_anon_WITH_ARIA_128_GCM_SHA256: 2755 case CipherSuite.TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256: 2756 case CipherSuite.TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256: 2757 case CipherSuite.TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256: 2758 case CipherSuite.TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256: 2759 case CipherSuite.TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256: 2760 case CipherSuite.TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256: 2761 case CipherSuite.TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256: 2762 case CipherSuite.TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256: 2763 case CipherSuite.TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256: 2764 case CipherSuite.TLS_PSK_WITH_ARIA_128_GCM_SHA256: 2765 case CipherSuite.TLS_RSA_WITH_ARIA_128_GCM_SHA256: 2766 case CipherSuite.TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256: 2767 return EncryptionAlgorithm.ARIA_128_GCM; 2768 2769 case CipherSuite.TLS_DH_anon_WITH_ARIA_256_CBC_SHA384: 2770 case CipherSuite.TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384: 2771 case CipherSuite.TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384: 2772 case CipherSuite.TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384: 2773 case CipherSuite.TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384: 2774 case CipherSuite.TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384: 2775 case CipherSuite.TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384: 2776 case CipherSuite.TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384: 2777 case CipherSuite.TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384: 2778 case CipherSuite.TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384: 2779 case CipherSuite.TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384: 2780 case CipherSuite.TLS_PSK_WITH_ARIA_256_CBC_SHA384: 2781 case CipherSuite.TLS_RSA_WITH_ARIA_256_CBC_SHA384: 2782 case CipherSuite.TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384: 2783 return EncryptionAlgorithm.ARIA_256_CBC; 2784 2785 case CipherSuite.TLS_DH_anon_WITH_ARIA_256_GCM_SHA384: 2786 case CipherSuite.TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384: 2787 case CipherSuite.TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384: 2788 case CipherSuite.TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384: 2789 case CipherSuite.TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384: 2790 case CipherSuite.TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384: 2791 case CipherSuite.TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384: 2792 case CipherSuite.TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384: 2793 case CipherSuite.TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384: 2794 case CipherSuite.TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384: 2795 case CipherSuite.TLS_PSK_WITH_ARIA_256_GCM_SHA384: 2796 case CipherSuite.TLS_RSA_WITH_ARIA_256_GCM_SHA384: 2797 case CipherSuite.TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384: 2798 return EncryptionAlgorithm.ARIA_256_GCM; 2799 2800 case CipherSuite.TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA: 2801 case CipherSuite.TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256: 2802 case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA: 2803 case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256: 2804 case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA: 2805 case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256: 2806 case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: 2807 case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256: 2808 case CipherSuite.TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256: 2809 case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: 2810 case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256: 2811 case CipherSuite.TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256: 2812 case CipherSuite.TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256: 2813 case CipherSuite.TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256: 2814 case CipherSuite.TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256: 2815 case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256: 2816 case CipherSuite.TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256: 2817 case CipherSuite.TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: 2818 case CipherSuite.TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256: 2819 case CipherSuite.TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256: 2820 return EncryptionAlgorithm.CAMELLIA_128_CBC; 2821 2822 case CipherSuite.TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256: 2823 case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256: 2824 case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256: 2825 case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256: 2826 case CipherSuite.TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256: 2827 case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256: 2828 case CipherSuite.TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256: 2829 case CipherSuite.TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256: 2830 case CipherSuite.TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256: 2831 case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256: 2832 case CipherSuite.TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256: 2833 case CipherSuite.TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256: 2834 case CipherSuite.TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256: 2835 return EncryptionAlgorithm.CAMELLIA_128_GCM; 2836 2837 case CipherSuite.TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA: 2838 case CipherSuite.TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256: 2839 case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA: 2840 case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256: 2841 case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA: 2842 case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256: 2843 case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: 2844 case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256: 2845 case CipherSuite.TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384: 2846 case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: 2847 case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256: 2848 case CipherSuite.TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384: 2849 case CipherSuite.TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384: 2850 case CipherSuite.TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384: 2851 case CipherSuite.TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384: 2852 case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384: 2853 case CipherSuite.TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384: 2854 case CipherSuite.TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: 2855 case CipherSuite.TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256: 2856 case CipherSuite.TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384: 2857 return EncryptionAlgorithm.CAMELLIA_256_CBC; 2858 2859 case CipherSuite.TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384: 2860 case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384: 2861 case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384: 2862 case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384: 2863 case CipherSuite.TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384: 2864 case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384: 2865 case CipherSuite.TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384: 2866 case CipherSuite.TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384: 2867 case CipherSuite.TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384: 2868 case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384: 2869 case CipherSuite.TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384: 2870 case CipherSuite.TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384: 2871 case CipherSuite.TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384: 2872 return EncryptionAlgorithm.CAMELLIA_256_GCM; 2873 2874 case CipherSuite.TLS_CHACHA20_POLY1305_SHA256: 2875 case CipherSuite.TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256: 2876 case CipherSuite.TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: 2877 case CipherSuite.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: 2878 case CipherSuite.TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256: 2879 case CipherSuite.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: 2880 case CipherSuite.TLS_PSK_WITH_CHACHA20_POLY1305_SHA256: 2881 case CipherSuite.TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256: 2882 return EncryptionAlgorithm.CHACHA20_POLY1305; 2883 2884 case CipherSuite.TLS_DHE_PSK_WITH_NULL_SHA: 2885 case CipherSuite.TLS_ECDH_anon_WITH_NULL_SHA: 2886 case CipherSuite.TLS_ECDH_ECDSA_WITH_NULL_SHA: 2887 case CipherSuite.TLS_ECDH_RSA_WITH_NULL_SHA: 2888 case CipherSuite.TLS_ECDHE_ECDSA_WITH_NULL_SHA: 2889 case CipherSuite.TLS_ECDHE_PSK_WITH_NULL_SHA: 2890 case CipherSuite.TLS_ECDHE_RSA_WITH_NULL_SHA: 2891 case CipherSuite.TLS_PSK_WITH_NULL_SHA: 2892 case CipherSuite.TLS_RSA_PSK_WITH_NULL_SHA: 2893 case CipherSuite.TLS_RSA_WITH_NULL_SHA: 2894 return EncryptionAlgorithm.NULL; 2895 2896 case CipherSuite.TLS_DHE_PSK_WITH_NULL_SHA256: 2897 case CipherSuite.TLS_ECDHE_PSK_WITH_NULL_SHA256: 2898 case CipherSuite.TLS_PSK_WITH_NULL_SHA256: 2899 case CipherSuite.TLS_RSA_PSK_WITH_NULL_SHA256: 2900 case CipherSuite.TLS_RSA_WITH_NULL_SHA256: 2901 return EncryptionAlgorithm.NULL; 2902 2903 case CipherSuite.TLS_DHE_PSK_WITH_NULL_SHA384: 2904 case CipherSuite.TLS_ECDHE_PSK_WITH_NULL_SHA384: 2905 case CipherSuite.TLS_PSK_WITH_NULL_SHA384: 2906 case CipherSuite.TLS_RSA_PSK_WITH_NULL_SHA384: 2907 return EncryptionAlgorithm.NULL; 2908 2909 case CipherSuite.TLS_DH_anon_WITH_SEED_CBC_SHA: 2910 case CipherSuite.TLS_DH_DSS_WITH_SEED_CBC_SHA: 2911 case CipherSuite.TLS_DH_RSA_WITH_SEED_CBC_SHA: 2912 case CipherSuite.TLS_DHE_DSS_WITH_SEED_CBC_SHA: 2913 case CipherSuite.TLS_DHE_RSA_WITH_SEED_CBC_SHA: 2914 case CipherSuite.TLS_RSA_WITH_SEED_CBC_SHA: 2915 return EncryptionAlgorithm.SEED_CBC; 2916 2917 case CipherSuite.TLS_SM4_CCM_SM3: 2918 return EncryptionAlgorithm.SM4_CCM; 2919 2920 case CipherSuite.TLS_SM4_GCM_SM3: 2921 return EncryptionAlgorithm.SM4_GCM; 2922 2923 default: 2924 return -1; 2925 } 2926 } 2927 getEncryptionAlgorithmType(int encryptionAlgorithm)2928 public static int getEncryptionAlgorithmType(int encryptionAlgorithm) 2929 { 2930 switch (encryptionAlgorithm) 2931 { 2932 case EncryptionAlgorithm.AES_128_CCM: 2933 case EncryptionAlgorithm.AES_128_CCM_8: 2934 case EncryptionAlgorithm.AES_128_GCM: 2935 case EncryptionAlgorithm.AES_256_CCM: 2936 case EncryptionAlgorithm.AES_256_CCM_8: 2937 case EncryptionAlgorithm.AES_256_GCM: 2938 case EncryptionAlgorithm.ARIA_128_GCM: 2939 case EncryptionAlgorithm.ARIA_256_GCM: 2940 case EncryptionAlgorithm.CAMELLIA_128_GCM: 2941 case EncryptionAlgorithm.CAMELLIA_256_GCM: 2942 case EncryptionAlgorithm.CHACHA20_POLY1305: 2943 case EncryptionAlgorithm.SM4_CCM: 2944 case EncryptionAlgorithm.SM4_GCM: 2945 return CipherType.aead; 2946 2947 case EncryptionAlgorithm.RC2_CBC_40: 2948 case EncryptionAlgorithm.IDEA_CBC: 2949 case EncryptionAlgorithm.DES40_CBC: 2950 case EncryptionAlgorithm.DES_CBC: 2951 case EncryptionAlgorithm._3DES_EDE_CBC: 2952 case EncryptionAlgorithm.AES_128_CBC: 2953 case EncryptionAlgorithm.AES_256_CBC: 2954 case EncryptionAlgorithm.ARIA_128_CBC: 2955 case EncryptionAlgorithm.ARIA_256_CBC: 2956 case EncryptionAlgorithm.CAMELLIA_128_CBC: 2957 case EncryptionAlgorithm.CAMELLIA_256_CBC: 2958 case EncryptionAlgorithm.SEED_CBC: 2959 case EncryptionAlgorithm.SM4_CBC: 2960 return CipherType.block; 2961 2962 case EncryptionAlgorithm.NULL: 2963 case EncryptionAlgorithm.RC4_40: 2964 case EncryptionAlgorithm.RC4_128: 2965 return CipherType.stream; 2966 2967 default: 2968 return -1; 2969 } 2970 } 2971 getKeyExchangeAlgorithm(int cipherSuite)2972 public static int getKeyExchangeAlgorithm(int cipherSuite) 2973 { 2974 switch (cipherSuite) 2975 { 2976 case CipherSuite.TLS_DH_anon_WITH_3DES_EDE_CBC_SHA: 2977 case CipherSuite.TLS_DH_anon_WITH_AES_128_CBC_SHA: 2978 case CipherSuite.TLS_DH_anon_WITH_AES_128_CBC_SHA256: 2979 case CipherSuite.TLS_DH_anon_WITH_AES_128_GCM_SHA256: 2980 case CipherSuite.TLS_DH_anon_WITH_AES_256_CBC_SHA: 2981 case CipherSuite.TLS_DH_anon_WITH_AES_256_CBC_SHA256: 2982 case CipherSuite.TLS_DH_anon_WITH_AES_256_GCM_SHA384: 2983 case CipherSuite.TLS_DH_anon_WITH_ARIA_128_CBC_SHA256: 2984 case CipherSuite.TLS_DH_anon_WITH_ARIA_128_GCM_SHA256: 2985 case CipherSuite.TLS_DH_anon_WITH_ARIA_256_CBC_SHA384: 2986 case CipherSuite.TLS_DH_anon_WITH_ARIA_256_GCM_SHA384: 2987 case CipherSuite.TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA: 2988 case CipherSuite.TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256: 2989 case CipherSuite.TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256: 2990 case CipherSuite.TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA: 2991 case CipherSuite.TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256: 2992 case CipherSuite.TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384: 2993 case CipherSuite.TLS_DH_anon_WITH_SEED_CBC_SHA: 2994 return KeyExchangeAlgorithm.DH_anon; 2995 2996 case CipherSuite.TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA: 2997 case CipherSuite.TLS_DH_DSS_WITH_AES_128_CBC_SHA: 2998 case CipherSuite.TLS_DH_DSS_WITH_AES_128_CBC_SHA256: 2999 case CipherSuite.TLS_DH_DSS_WITH_AES_128_GCM_SHA256: 3000 case CipherSuite.TLS_DH_DSS_WITH_AES_256_CBC_SHA: 3001 case CipherSuite.TLS_DH_DSS_WITH_AES_256_CBC_SHA256: 3002 case CipherSuite.TLS_DH_DSS_WITH_AES_256_GCM_SHA384: 3003 case CipherSuite.TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256: 3004 case CipherSuite.TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256: 3005 case CipherSuite.TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384: 3006 case CipherSuite.TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384: 3007 case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA: 3008 case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256: 3009 case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256: 3010 case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA: 3011 case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256: 3012 case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384: 3013 case CipherSuite.TLS_DH_DSS_WITH_SEED_CBC_SHA: 3014 return KeyExchangeAlgorithm.DH_DSS; 3015 3016 case CipherSuite.TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA: 3017 case CipherSuite.TLS_DH_RSA_WITH_AES_128_CBC_SHA: 3018 case CipherSuite.TLS_DH_RSA_WITH_AES_128_CBC_SHA256: 3019 case CipherSuite.TLS_DH_RSA_WITH_AES_128_GCM_SHA256: 3020 case CipherSuite.TLS_DH_RSA_WITH_AES_256_CBC_SHA: 3021 case CipherSuite.TLS_DH_RSA_WITH_AES_256_CBC_SHA256: 3022 case CipherSuite.TLS_DH_RSA_WITH_AES_256_GCM_SHA384: 3023 case CipherSuite.TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256: 3024 case CipherSuite.TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256: 3025 case CipherSuite.TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384: 3026 case CipherSuite.TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384: 3027 case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA: 3028 case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256: 3029 case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256: 3030 case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA: 3031 case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256: 3032 case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384: 3033 case CipherSuite.TLS_DH_RSA_WITH_SEED_CBC_SHA: 3034 return KeyExchangeAlgorithm.DH_RSA; 3035 3036 case CipherSuite.TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA: 3037 case CipherSuite.TLS_DHE_DSS_WITH_AES_128_CBC_SHA: 3038 case CipherSuite.TLS_DHE_DSS_WITH_AES_128_CBC_SHA256: 3039 case CipherSuite.TLS_DHE_DSS_WITH_AES_128_GCM_SHA256: 3040 case CipherSuite.TLS_DHE_DSS_WITH_AES_256_CBC_SHA: 3041 case CipherSuite.TLS_DHE_DSS_WITH_AES_256_CBC_SHA256: 3042 case CipherSuite.TLS_DHE_DSS_WITH_AES_256_GCM_SHA384: 3043 case CipherSuite.TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256: 3044 case CipherSuite.TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256: 3045 case CipherSuite.TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384: 3046 case CipherSuite.TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384: 3047 case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: 3048 case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256: 3049 case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256: 3050 case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: 3051 case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256: 3052 case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384: 3053 case CipherSuite.TLS_DHE_DSS_WITH_SEED_CBC_SHA: 3054 return KeyExchangeAlgorithm.DHE_DSS; 3055 3056 case CipherSuite.TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA: 3057 case CipherSuite.TLS_DHE_PSK_WITH_AES_128_CBC_SHA: 3058 case CipherSuite.TLS_DHE_PSK_WITH_AES_128_CBC_SHA256: 3059 case CipherSuite.TLS_DHE_PSK_WITH_AES_128_CCM: 3060 case CipherSuite.TLS_DHE_PSK_WITH_AES_128_GCM_SHA256: 3061 case CipherSuite.TLS_DHE_PSK_WITH_AES_256_CBC_SHA: 3062 case CipherSuite.TLS_DHE_PSK_WITH_AES_256_CBC_SHA384: 3063 case CipherSuite.TLS_DHE_PSK_WITH_AES_256_CCM: 3064 case CipherSuite.TLS_DHE_PSK_WITH_AES_256_GCM_SHA384: 3065 case CipherSuite.TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256: 3066 case CipherSuite.TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256: 3067 case CipherSuite.TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384: 3068 case CipherSuite.TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384: 3069 case CipherSuite.TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256: 3070 case CipherSuite.TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256: 3071 case CipherSuite.TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384: 3072 case CipherSuite.TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384: 3073 case CipherSuite.TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256: 3074 case CipherSuite.TLS_DHE_PSK_WITH_NULL_SHA: 3075 case CipherSuite.TLS_DHE_PSK_WITH_NULL_SHA256: 3076 case CipherSuite.TLS_DHE_PSK_WITH_NULL_SHA384: 3077 case CipherSuite.TLS_PSK_DHE_WITH_AES_128_CCM_8: 3078 case CipherSuite.TLS_PSK_DHE_WITH_AES_256_CCM_8: 3079 return KeyExchangeAlgorithm.DHE_PSK; 3080 3081 case CipherSuite.TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA: 3082 case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA: 3083 case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: 3084 case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CCM: 3085 case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CCM_8: 3086 case CipherSuite.TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: 3087 case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CBC_SHA: 3088 case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: 3089 case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CCM: 3090 case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CCM_8: 3091 case CipherSuite.TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: 3092 case CipherSuite.TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256: 3093 case CipherSuite.TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256: 3094 case CipherSuite.TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384: 3095 case CipherSuite.TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384: 3096 case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: 3097 case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256: 3098 case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256: 3099 case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: 3100 case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256: 3101 case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384: 3102 case CipherSuite.TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: 3103 case CipherSuite.TLS_DHE_RSA_WITH_SEED_CBC_SHA: 3104 return KeyExchangeAlgorithm.DHE_RSA; 3105 3106 case CipherSuite.TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA: 3107 case CipherSuite.TLS_ECDH_anon_WITH_AES_128_CBC_SHA: 3108 case CipherSuite.TLS_ECDH_anon_WITH_AES_256_CBC_SHA: 3109 case CipherSuite.TLS_ECDH_anon_WITH_NULL_SHA: 3110 return KeyExchangeAlgorithm.ECDH_anon; 3111 3112 case CipherSuite.TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA: 3113 case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: 3114 case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256: 3115 case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256: 3116 case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: 3117 case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384: 3118 case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384: 3119 case CipherSuite.TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256: 3120 case CipherSuite.TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256: 3121 case CipherSuite.TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384: 3122 case CipherSuite.TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384: 3123 case CipherSuite.TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256: 3124 case CipherSuite.TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256: 3125 case CipherSuite.TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384: 3126 case CipherSuite.TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384: 3127 case CipherSuite.TLS_ECDH_ECDSA_WITH_NULL_SHA: 3128 return KeyExchangeAlgorithm.ECDH_ECDSA; 3129 3130 case CipherSuite.TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA: 3131 case CipherSuite.TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: 3132 case CipherSuite.TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256: 3133 case CipherSuite.TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256: 3134 case CipherSuite.TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: 3135 case CipherSuite.TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384: 3136 case CipherSuite.TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384: 3137 case CipherSuite.TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256: 3138 case CipherSuite.TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256: 3139 case CipherSuite.TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384: 3140 case CipherSuite.TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384: 3141 case CipherSuite.TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256: 3142 case CipherSuite.TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256: 3143 case CipherSuite.TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384: 3144 case CipherSuite.TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384: 3145 case CipherSuite.TLS_ECDH_RSA_WITH_NULL_SHA: 3146 return KeyExchangeAlgorithm.ECDH_RSA; 3147 3148 case CipherSuite.TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA: 3149 case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: 3150 case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: 3151 case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CCM: 3152 case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8: 3153 case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: 3154 case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: 3155 case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: 3156 case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CCM: 3157 case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8: 3158 case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: 3159 case CipherSuite.TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256: 3160 case CipherSuite.TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256: 3161 case CipherSuite.TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384: 3162 case CipherSuite.TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384: 3163 case CipherSuite.TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256: 3164 case CipherSuite.TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256: 3165 case CipherSuite.TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384: 3166 case CipherSuite.TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384: 3167 case CipherSuite.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: 3168 case CipherSuite.TLS_ECDHE_ECDSA_WITH_NULL_SHA: 3169 return KeyExchangeAlgorithm.ECDHE_ECDSA; 3170 3171 case CipherSuite.TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA: 3172 case CipherSuite.TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA: 3173 case CipherSuite.TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256: 3174 case CipherSuite.TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256: 3175 case CipherSuite.TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256: 3176 case CipherSuite.TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256: 3177 case CipherSuite.TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA: 3178 case CipherSuite.TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384: 3179 case CipherSuite.TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384: 3180 case CipherSuite.TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256: 3181 case CipherSuite.TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384: 3182 case CipherSuite.TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256: 3183 case CipherSuite.TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384: 3184 case CipherSuite.TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256: 3185 case CipherSuite.TLS_ECDHE_PSK_WITH_NULL_SHA: 3186 case CipherSuite.TLS_ECDHE_PSK_WITH_NULL_SHA256: 3187 case CipherSuite.TLS_ECDHE_PSK_WITH_NULL_SHA384: 3188 return KeyExchangeAlgorithm.ECDHE_PSK; 3189 3190 case CipherSuite.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: 3191 case CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: 3192 case CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: 3193 case CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: 3194 case CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: 3195 case CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384: 3196 case CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: 3197 case CipherSuite.TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256: 3198 case CipherSuite.TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256: 3199 case CipherSuite.TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384: 3200 case CipherSuite.TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384: 3201 case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256: 3202 case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256: 3203 case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384: 3204 case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384: 3205 case CipherSuite.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: 3206 case CipherSuite.TLS_ECDHE_RSA_WITH_NULL_SHA: 3207 return KeyExchangeAlgorithm.ECDHE_RSA; 3208 3209 case CipherSuite.TLS_AES_128_CCM_8_SHA256: 3210 case CipherSuite.TLS_AES_128_CCM_SHA256: 3211 case CipherSuite.TLS_AES_128_GCM_SHA256: 3212 case CipherSuite.TLS_AES_256_GCM_SHA384: 3213 case CipherSuite.TLS_CHACHA20_POLY1305_SHA256: 3214 case CipherSuite.TLS_SM4_CCM_SM3: 3215 case CipherSuite.TLS_SM4_GCM_SM3: 3216 return KeyExchangeAlgorithm.NULL; 3217 3218 case CipherSuite.TLS_PSK_WITH_3DES_EDE_CBC_SHA: 3219 case CipherSuite.TLS_PSK_WITH_AES_128_CBC_SHA: 3220 case CipherSuite.TLS_PSK_WITH_AES_128_CBC_SHA256: 3221 case CipherSuite.TLS_PSK_WITH_AES_128_CCM: 3222 case CipherSuite.TLS_PSK_WITH_AES_128_CCM_8: 3223 case CipherSuite.TLS_PSK_WITH_AES_128_GCM_SHA256: 3224 case CipherSuite.TLS_PSK_WITH_AES_256_CBC_SHA: 3225 case CipherSuite.TLS_PSK_WITH_AES_256_CBC_SHA384: 3226 case CipherSuite.TLS_PSK_WITH_AES_256_CCM: 3227 case CipherSuite.TLS_PSK_WITH_AES_256_CCM_8: 3228 case CipherSuite.TLS_PSK_WITH_AES_256_GCM_SHA384: 3229 case CipherSuite.TLS_PSK_WITH_ARIA_128_CBC_SHA256: 3230 case CipherSuite.TLS_PSK_WITH_ARIA_128_GCM_SHA256: 3231 case CipherSuite.TLS_PSK_WITH_ARIA_256_CBC_SHA384: 3232 case CipherSuite.TLS_PSK_WITH_ARIA_256_GCM_SHA384: 3233 case CipherSuite.TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256: 3234 case CipherSuite.TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256: 3235 case CipherSuite.TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384: 3236 case CipherSuite.TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384: 3237 case CipherSuite.TLS_PSK_WITH_CHACHA20_POLY1305_SHA256: 3238 case CipherSuite.TLS_PSK_WITH_NULL_SHA: 3239 case CipherSuite.TLS_PSK_WITH_NULL_SHA256: 3240 case CipherSuite.TLS_PSK_WITH_NULL_SHA384: 3241 return KeyExchangeAlgorithm.PSK; 3242 3243 case CipherSuite.TLS_RSA_WITH_3DES_EDE_CBC_SHA: 3244 case CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA: 3245 case CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA256: 3246 case CipherSuite.TLS_RSA_WITH_AES_128_CCM: 3247 case CipherSuite.TLS_RSA_WITH_AES_128_CCM_8: 3248 case CipherSuite.TLS_RSA_WITH_AES_128_GCM_SHA256: 3249 case CipherSuite.TLS_RSA_WITH_AES_256_CBC_SHA: 3250 case CipherSuite.TLS_RSA_WITH_AES_256_CBC_SHA256: 3251 case CipherSuite.TLS_RSA_WITH_AES_256_CCM: 3252 case CipherSuite.TLS_RSA_WITH_AES_256_CCM_8: 3253 case CipherSuite.TLS_RSA_WITH_AES_256_GCM_SHA384: 3254 case CipherSuite.TLS_RSA_WITH_ARIA_128_CBC_SHA256: 3255 case CipherSuite.TLS_RSA_WITH_ARIA_128_GCM_SHA256: 3256 case CipherSuite.TLS_RSA_WITH_ARIA_256_CBC_SHA384: 3257 case CipherSuite.TLS_RSA_WITH_ARIA_256_GCM_SHA384: 3258 case CipherSuite.TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: 3259 case CipherSuite.TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256: 3260 case CipherSuite.TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256: 3261 case CipherSuite.TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: 3262 case CipherSuite.TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256: 3263 case CipherSuite.TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384: 3264 case CipherSuite.TLS_RSA_WITH_NULL_SHA: 3265 case CipherSuite.TLS_RSA_WITH_NULL_SHA256: 3266 case CipherSuite.TLS_RSA_WITH_SEED_CBC_SHA: 3267 return KeyExchangeAlgorithm.RSA; 3268 3269 case CipherSuite.TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA: 3270 case CipherSuite.TLS_RSA_PSK_WITH_AES_128_CBC_SHA: 3271 case CipherSuite.TLS_RSA_PSK_WITH_AES_128_CBC_SHA256: 3272 case CipherSuite.TLS_RSA_PSK_WITH_AES_128_GCM_SHA256: 3273 case CipherSuite.TLS_RSA_PSK_WITH_AES_256_CBC_SHA: 3274 case CipherSuite.TLS_RSA_PSK_WITH_AES_256_CBC_SHA384: 3275 case CipherSuite.TLS_RSA_PSK_WITH_AES_256_GCM_SHA384: 3276 case CipherSuite.TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256: 3277 case CipherSuite.TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256: 3278 case CipherSuite.TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384: 3279 case CipherSuite.TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384: 3280 case CipherSuite.TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256: 3281 case CipherSuite.TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256: 3282 case CipherSuite.TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384: 3283 case CipherSuite.TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384: 3284 case CipherSuite.TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256: 3285 case CipherSuite.TLS_RSA_PSK_WITH_NULL_SHA: 3286 case CipherSuite.TLS_RSA_PSK_WITH_NULL_SHA256: 3287 case CipherSuite.TLS_RSA_PSK_WITH_NULL_SHA384: 3288 return KeyExchangeAlgorithm.RSA_PSK; 3289 3290 case CipherSuite.TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA: 3291 case CipherSuite.TLS_SRP_SHA_WITH_AES_128_CBC_SHA: 3292 case CipherSuite.TLS_SRP_SHA_WITH_AES_256_CBC_SHA: 3293 return KeyExchangeAlgorithm.SRP; 3294 3295 case CipherSuite.TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA: 3296 case CipherSuite.TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA: 3297 case CipherSuite.TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA: 3298 return KeyExchangeAlgorithm.SRP_DSS; 3299 3300 case CipherSuite.TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA: 3301 case CipherSuite.TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA: 3302 case CipherSuite.TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA: 3303 return KeyExchangeAlgorithm.SRP_RSA; 3304 3305 default: 3306 return -1; 3307 } 3308 } 3309 getKeyExchangeAlgorithms(int[] cipherSuites)3310 public static Vector getKeyExchangeAlgorithms(int[] cipherSuites) 3311 { 3312 Vector result = new Vector(); 3313 if (null != cipherSuites) 3314 { 3315 for (int i = 0; i < cipherSuites.length; ++i) 3316 { 3317 addToSet(result, getKeyExchangeAlgorithm(cipherSuites[i])); 3318 } 3319 result.removeElement(Integers.valueOf(-1)); 3320 } 3321 return result; 3322 } 3323 getMACAlgorithm(int cipherSuite)3324 public static int getMACAlgorithm(int cipherSuite) 3325 { 3326 switch (cipherSuite) 3327 { 3328 case CipherSuite.TLS_AES_128_CCM_SHA256: 3329 case CipherSuite.TLS_AES_128_CCM_8_SHA256: 3330 case CipherSuite.TLS_AES_128_GCM_SHA256: 3331 case CipherSuite.TLS_AES_256_GCM_SHA384: 3332 case CipherSuite.TLS_CHACHA20_POLY1305_SHA256: 3333 case CipherSuite.TLS_DH_anon_WITH_AES_128_GCM_SHA256: 3334 case CipherSuite.TLS_DH_anon_WITH_AES_256_GCM_SHA384: 3335 case CipherSuite.TLS_DH_anon_WITH_ARIA_128_GCM_SHA256: 3336 case CipherSuite.TLS_DH_anon_WITH_ARIA_256_GCM_SHA384: 3337 case CipherSuite.TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256: 3338 case CipherSuite.TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384: 3339 case CipherSuite.TLS_DH_DSS_WITH_AES_128_GCM_SHA256: 3340 case CipherSuite.TLS_DH_DSS_WITH_AES_256_GCM_SHA384: 3341 case CipherSuite.TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256: 3342 case CipherSuite.TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384: 3343 case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256: 3344 case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384: 3345 case CipherSuite.TLS_DH_RSA_WITH_AES_128_GCM_SHA256: 3346 case CipherSuite.TLS_DH_RSA_WITH_AES_256_GCM_SHA384: 3347 case CipherSuite.TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256: 3348 case CipherSuite.TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384: 3349 case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256: 3350 case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384: 3351 case CipherSuite.TLS_DHE_DSS_WITH_AES_128_GCM_SHA256: 3352 case CipherSuite.TLS_DHE_DSS_WITH_AES_256_GCM_SHA384: 3353 case CipherSuite.TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256: 3354 case CipherSuite.TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384: 3355 case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256: 3356 case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384: 3357 case CipherSuite.TLS_DHE_PSK_WITH_AES_128_CCM: 3358 case CipherSuite.TLS_DHE_PSK_WITH_AES_128_GCM_SHA256: 3359 case CipherSuite.TLS_DHE_PSK_WITH_AES_256_CCM: 3360 case CipherSuite.TLS_DHE_PSK_WITH_AES_256_GCM_SHA384: 3361 case CipherSuite.TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256: 3362 case CipherSuite.TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384: 3363 case CipherSuite.TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256: 3364 case CipherSuite.TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384: 3365 case CipherSuite.TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256: 3366 case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CCM: 3367 case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CCM_8: 3368 case CipherSuite.TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: 3369 case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CCM: 3370 case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CCM_8: 3371 case CipherSuite.TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: 3372 case CipherSuite.TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256: 3373 case CipherSuite.TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384: 3374 case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256: 3375 case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384: 3376 case CipherSuite.TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: 3377 case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256: 3378 case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384: 3379 case CipherSuite.TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256: 3380 case CipherSuite.TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384: 3381 case CipherSuite.TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256: 3382 case CipherSuite.TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384: 3383 case CipherSuite.TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256: 3384 case CipherSuite.TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384: 3385 case CipherSuite.TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256: 3386 case CipherSuite.TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384: 3387 case CipherSuite.TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256: 3388 case CipherSuite.TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384: 3389 case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CCM: 3390 case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8: 3391 case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: 3392 case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CCM: 3393 case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8: 3394 case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: 3395 case CipherSuite.TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256: 3396 case CipherSuite.TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384: 3397 case CipherSuite.TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256: 3398 case CipherSuite.TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384: 3399 case CipherSuite.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: 3400 case CipherSuite.TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256: 3401 case CipherSuite.TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256: 3402 case CipherSuite.TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256: 3403 case CipherSuite.TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384: 3404 case CipherSuite.TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256: 3405 case CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: 3406 case CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: 3407 case CipherSuite.TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256: 3408 case CipherSuite.TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384: 3409 case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256: 3410 case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384: 3411 case CipherSuite.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: 3412 case CipherSuite.TLS_PSK_DHE_WITH_AES_128_CCM_8: 3413 case CipherSuite.TLS_PSK_DHE_WITH_AES_256_CCM_8: 3414 case CipherSuite.TLS_PSK_WITH_AES_128_CCM: 3415 case CipherSuite.TLS_PSK_WITH_AES_128_CCM_8: 3416 case CipherSuite.TLS_PSK_WITH_AES_128_GCM_SHA256: 3417 case CipherSuite.TLS_PSK_WITH_AES_256_CCM: 3418 case CipherSuite.TLS_PSK_WITH_AES_256_CCM_8: 3419 case CipherSuite.TLS_PSK_WITH_AES_256_GCM_SHA384: 3420 case CipherSuite.TLS_PSK_WITH_ARIA_128_GCM_SHA256: 3421 case CipherSuite.TLS_PSK_WITH_ARIA_256_GCM_SHA384: 3422 case CipherSuite.TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256: 3423 case CipherSuite.TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384: 3424 case CipherSuite.TLS_PSK_WITH_CHACHA20_POLY1305_SHA256: 3425 case CipherSuite.TLS_RSA_PSK_WITH_AES_128_GCM_SHA256: 3426 case CipherSuite.TLS_RSA_PSK_WITH_AES_256_GCM_SHA384: 3427 case CipherSuite.TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256: 3428 case CipherSuite.TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384: 3429 case CipherSuite.TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256: 3430 case CipherSuite.TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384: 3431 case CipherSuite.TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256: 3432 case CipherSuite.TLS_RSA_WITH_AES_128_CCM: 3433 case CipherSuite.TLS_RSA_WITH_AES_128_CCM_8: 3434 case CipherSuite.TLS_RSA_WITH_AES_128_GCM_SHA256: 3435 case CipherSuite.TLS_RSA_WITH_AES_256_CCM: 3436 case CipherSuite.TLS_RSA_WITH_AES_256_CCM_8: 3437 case CipherSuite.TLS_RSA_WITH_AES_256_GCM_SHA384: 3438 case CipherSuite.TLS_RSA_WITH_ARIA_128_GCM_SHA256: 3439 case CipherSuite.TLS_RSA_WITH_ARIA_256_GCM_SHA384: 3440 case CipherSuite.TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256: 3441 case CipherSuite.TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384: 3442 case CipherSuite.TLS_SM4_CCM_SM3: 3443 case CipherSuite.TLS_SM4_GCM_SM3: 3444 return MACAlgorithm._null; 3445 3446 case CipherSuite.TLS_DH_anon_WITH_3DES_EDE_CBC_SHA: 3447 case CipherSuite.TLS_DH_anon_WITH_AES_128_CBC_SHA: 3448 case CipherSuite.TLS_DH_anon_WITH_AES_256_CBC_SHA: 3449 case CipherSuite.TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA: 3450 case CipherSuite.TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA: 3451 case CipherSuite.TLS_DH_anon_WITH_SEED_CBC_SHA: 3452 case CipherSuite.TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA: 3453 case CipherSuite.TLS_DH_DSS_WITH_AES_128_CBC_SHA: 3454 case CipherSuite.TLS_DH_DSS_WITH_AES_256_CBC_SHA: 3455 case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA: 3456 case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA: 3457 case CipherSuite.TLS_DH_DSS_WITH_SEED_CBC_SHA: 3458 case CipherSuite.TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA: 3459 case CipherSuite.TLS_DH_RSA_WITH_AES_128_CBC_SHA: 3460 case CipherSuite.TLS_DH_RSA_WITH_AES_256_CBC_SHA: 3461 case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA: 3462 case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA: 3463 case CipherSuite.TLS_DH_RSA_WITH_SEED_CBC_SHA: 3464 case CipherSuite.TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA: 3465 case CipherSuite.TLS_DHE_DSS_WITH_AES_128_CBC_SHA: 3466 case CipherSuite.TLS_DHE_DSS_WITH_AES_256_CBC_SHA: 3467 case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: 3468 case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: 3469 case CipherSuite.TLS_DHE_DSS_WITH_SEED_CBC_SHA: 3470 case CipherSuite.TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA: 3471 case CipherSuite.TLS_DHE_PSK_WITH_AES_128_CBC_SHA: 3472 case CipherSuite.TLS_DHE_PSK_WITH_AES_256_CBC_SHA: 3473 case CipherSuite.TLS_DHE_PSK_WITH_NULL_SHA: 3474 case CipherSuite.TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA: 3475 case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA: 3476 case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CBC_SHA: 3477 case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: 3478 case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: 3479 case CipherSuite.TLS_DHE_RSA_WITH_SEED_CBC_SHA: 3480 case CipherSuite.TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA: 3481 case CipherSuite.TLS_ECDH_anon_WITH_AES_128_CBC_SHA: 3482 case CipherSuite.TLS_ECDH_anon_WITH_AES_256_CBC_SHA: 3483 case CipherSuite.TLS_ECDH_anon_WITH_NULL_SHA: 3484 case CipherSuite.TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA: 3485 case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: 3486 case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: 3487 case CipherSuite.TLS_ECDH_ECDSA_WITH_NULL_SHA: 3488 case CipherSuite.TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA: 3489 case CipherSuite.TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: 3490 case CipherSuite.TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: 3491 case CipherSuite.TLS_ECDH_RSA_WITH_NULL_SHA: 3492 case CipherSuite.TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA: 3493 case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: 3494 case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: 3495 case CipherSuite.TLS_ECDHE_ECDSA_WITH_NULL_SHA: 3496 case CipherSuite.TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA: 3497 case CipherSuite.TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA: 3498 case CipherSuite.TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA: 3499 case CipherSuite.TLS_ECDHE_PSK_WITH_NULL_SHA: 3500 case CipherSuite.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: 3501 case CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: 3502 case CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: 3503 case CipherSuite.TLS_ECDHE_RSA_WITH_NULL_SHA: 3504 case CipherSuite.TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA: 3505 case CipherSuite.TLS_RSA_PSK_WITH_AES_128_CBC_SHA: 3506 case CipherSuite.TLS_RSA_PSK_WITH_AES_256_CBC_SHA: 3507 case CipherSuite.TLS_PSK_WITH_3DES_EDE_CBC_SHA: 3508 case CipherSuite.TLS_PSK_WITH_AES_128_CBC_SHA: 3509 case CipherSuite.TLS_PSK_WITH_AES_256_CBC_SHA: 3510 case CipherSuite.TLS_PSK_WITH_NULL_SHA: 3511 case CipherSuite.TLS_RSA_PSK_WITH_NULL_SHA: 3512 case CipherSuite.TLS_RSA_WITH_3DES_EDE_CBC_SHA: 3513 case CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA: 3514 case CipherSuite.TLS_RSA_WITH_AES_256_CBC_SHA: 3515 case CipherSuite.TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: 3516 case CipherSuite.TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: 3517 case CipherSuite.TLS_RSA_WITH_NULL_SHA: 3518 case CipherSuite.TLS_RSA_WITH_SEED_CBC_SHA: 3519 case CipherSuite.TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA: 3520 case CipherSuite.TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA: 3521 case CipherSuite.TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA: 3522 case CipherSuite.TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA: 3523 case CipherSuite.TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA: 3524 case CipherSuite.TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA: 3525 case CipherSuite.TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA: 3526 case CipherSuite.TLS_SRP_SHA_WITH_AES_128_CBC_SHA: 3527 case CipherSuite.TLS_SRP_SHA_WITH_AES_256_CBC_SHA: 3528 return MACAlgorithm.hmac_sha1; 3529 3530 case CipherSuite.TLS_DH_anon_WITH_AES_128_CBC_SHA256: 3531 case CipherSuite.TLS_DH_anon_WITH_AES_256_CBC_SHA256: 3532 case CipherSuite.TLS_DH_anon_WITH_ARIA_128_CBC_SHA256: 3533 case CipherSuite.TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256: 3534 case CipherSuite.TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256: 3535 case CipherSuite.TLS_DH_DSS_WITH_AES_128_CBC_SHA256: 3536 case CipherSuite.TLS_DH_DSS_WITH_AES_256_CBC_SHA256: 3537 case CipherSuite.TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256: 3538 case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256: 3539 case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256: 3540 case CipherSuite.TLS_DH_RSA_WITH_AES_128_CBC_SHA256: 3541 case CipherSuite.TLS_DH_RSA_WITH_AES_256_CBC_SHA256: 3542 case CipherSuite.TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256: 3543 case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256: 3544 case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256: 3545 case CipherSuite.TLS_DHE_DSS_WITH_AES_128_CBC_SHA256: 3546 case CipherSuite.TLS_DHE_DSS_WITH_AES_256_CBC_SHA256: 3547 case CipherSuite.TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256: 3548 case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256: 3549 case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256: 3550 case CipherSuite.TLS_DHE_PSK_WITH_AES_128_CBC_SHA256: 3551 case CipherSuite.TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256: 3552 case CipherSuite.TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256: 3553 case CipherSuite.TLS_DHE_PSK_WITH_NULL_SHA256: 3554 case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: 3555 case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: 3556 case CipherSuite.TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256: 3557 case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256: 3558 case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256: 3559 case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256: 3560 case CipherSuite.TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256: 3561 case CipherSuite.TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256: 3562 case CipherSuite.TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256: 3563 case CipherSuite.TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256: 3564 case CipherSuite.TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256: 3565 case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: 3566 case CipherSuite.TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256: 3567 case CipherSuite.TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256: 3568 case CipherSuite.TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256: 3569 case CipherSuite.TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256: 3570 case CipherSuite.TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256: 3571 case CipherSuite.TLS_ECDHE_PSK_WITH_NULL_SHA256: 3572 case CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: 3573 case CipherSuite.TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256: 3574 case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256: 3575 case CipherSuite.TLS_PSK_WITH_AES_128_CBC_SHA256: 3576 case CipherSuite.TLS_PSK_WITH_ARIA_128_CBC_SHA256: 3577 case CipherSuite.TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256: 3578 case CipherSuite.TLS_PSK_WITH_NULL_SHA256: 3579 case CipherSuite.TLS_RSA_PSK_WITH_AES_128_CBC_SHA256: 3580 case CipherSuite.TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256: 3581 case CipherSuite.TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256: 3582 case CipherSuite.TLS_RSA_PSK_WITH_NULL_SHA256: 3583 case CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA256: 3584 case CipherSuite.TLS_RSA_WITH_AES_256_CBC_SHA256: 3585 case CipherSuite.TLS_RSA_WITH_ARIA_128_CBC_SHA256: 3586 case CipherSuite.TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256: 3587 case CipherSuite.TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256: 3588 case CipherSuite.TLS_RSA_WITH_NULL_SHA256: 3589 return MACAlgorithm.hmac_sha256; 3590 3591 case CipherSuite.TLS_DH_anon_WITH_ARIA_256_CBC_SHA384: 3592 case CipherSuite.TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384: 3593 case CipherSuite.TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384: 3594 case CipherSuite.TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384: 3595 case CipherSuite.TLS_DHE_PSK_WITH_AES_256_CBC_SHA384: 3596 case CipherSuite.TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384: 3597 case CipherSuite.TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384: 3598 case CipherSuite.TLS_DHE_PSK_WITH_NULL_SHA384: 3599 case CipherSuite.TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384: 3600 case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384: 3601 case CipherSuite.TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384: 3602 case CipherSuite.TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384: 3603 case CipherSuite.TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384: 3604 case CipherSuite.TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384: 3605 case CipherSuite.TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384: 3606 case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: 3607 case CipherSuite.TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384: 3608 case CipherSuite.TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384: 3609 case CipherSuite.TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384: 3610 case CipherSuite.TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384: 3611 case CipherSuite.TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384: 3612 case CipherSuite.TLS_ECDHE_PSK_WITH_NULL_SHA384: 3613 case CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384: 3614 case CipherSuite.TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384: 3615 case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384: 3616 case CipherSuite.TLS_PSK_WITH_AES_256_CBC_SHA384: 3617 case CipherSuite.TLS_PSK_WITH_ARIA_256_CBC_SHA384: 3618 case CipherSuite.TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384: 3619 case CipherSuite.TLS_PSK_WITH_NULL_SHA384: 3620 case CipherSuite.TLS_RSA_PSK_WITH_AES_256_CBC_SHA384: 3621 case CipherSuite.TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384: 3622 case CipherSuite.TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384: 3623 case CipherSuite.TLS_RSA_PSK_WITH_NULL_SHA384: 3624 case CipherSuite.TLS_RSA_WITH_ARIA_256_CBC_SHA384: 3625 return MACAlgorithm.hmac_sha384; 3626 3627 default: 3628 return -1; 3629 } 3630 } 3631 getMinimumVersion(int cipherSuite)3632 public static ProtocolVersion getMinimumVersion(int cipherSuite) 3633 { 3634 switch (cipherSuite) 3635 { 3636 case CipherSuite.TLS_AES_128_CCM_SHA256: 3637 case CipherSuite.TLS_AES_128_CCM_8_SHA256: 3638 case CipherSuite.TLS_AES_128_GCM_SHA256: 3639 case CipherSuite.TLS_AES_256_GCM_SHA384: 3640 case CipherSuite.TLS_CHACHA20_POLY1305_SHA256: 3641 case CipherSuite.TLS_SM4_CCM_SM3: 3642 case CipherSuite.TLS_SM4_GCM_SM3: 3643 return ProtocolVersion.TLSv13; 3644 3645 case CipherSuite.TLS_DH_anon_WITH_AES_128_CBC_SHA256: 3646 case CipherSuite.TLS_DH_anon_WITH_AES_128_GCM_SHA256: 3647 case CipherSuite.TLS_DH_anon_WITH_AES_256_CBC_SHA256: 3648 case CipherSuite.TLS_DH_anon_WITH_AES_256_GCM_SHA384: 3649 case CipherSuite.TLS_DH_anon_WITH_ARIA_128_CBC_SHA256: 3650 case CipherSuite.TLS_DH_anon_WITH_ARIA_128_GCM_SHA256: 3651 case CipherSuite.TLS_DH_anon_WITH_ARIA_256_CBC_SHA384: 3652 case CipherSuite.TLS_DH_anon_WITH_ARIA_256_GCM_SHA384: 3653 case CipherSuite.TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256: 3654 case CipherSuite.TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256: 3655 case CipherSuite.TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256: 3656 case CipherSuite.TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384: 3657 case CipherSuite.TLS_DH_DSS_WITH_AES_128_CBC_SHA256: 3658 case CipherSuite.TLS_DH_DSS_WITH_AES_128_GCM_SHA256: 3659 case CipherSuite.TLS_DH_DSS_WITH_AES_256_CBC_SHA256: 3660 case CipherSuite.TLS_DH_DSS_WITH_AES_256_GCM_SHA384: 3661 case CipherSuite.TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256: 3662 case CipherSuite.TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256: 3663 case CipherSuite.TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384: 3664 case CipherSuite.TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384: 3665 case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256: 3666 case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256: 3667 case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256: 3668 case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384: 3669 case CipherSuite.TLS_DH_RSA_WITH_AES_128_CBC_SHA256: 3670 case CipherSuite.TLS_DH_RSA_WITH_AES_128_GCM_SHA256: 3671 case CipherSuite.TLS_DH_RSA_WITH_AES_256_CBC_SHA256: 3672 case CipherSuite.TLS_DH_RSA_WITH_AES_256_GCM_SHA384: 3673 case CipherSuite.TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256: 3674 case CipherSuite.TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256: 3675 case CipherSuite.TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384: 3676 case CipherSuite.TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384: 3677 case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256: 3678 case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256: 3679 case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256: 3680 case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384: 3681 case CipherSuite.TLS_DHE_DSS_WITH_AES_128_CBC_SHA256: 3682 case CipherSuite.TLS_DHE_DSS_WITH_AES_128_GCM_SHA256: 3683 case CipherSuite.TLS_DHE_DSS_WITH_AES_256_CBC_SHA256: 3684 case CipherSuite.TLS_DHE_DSS_WITH_AES_256_GCM_SHA384: 3685 case CipherSuite.TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256: 3686 case CipherSuite.TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256: 3687 case CipherSuite.TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384: 3688 case CipherSuite.TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384: 3689 case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256: 3690 case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256: 3691 case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256: 3692 case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384: 3693 case CipherSuite.TLS_DHE_PSK_WITH_AES_128_CCM: 3694 case CipherSuite.TLS_DHE_PSK_WITH_AES_128_GCM_SHA256: 3695 case CipherSuite.TLS_DHE_PSK_WITH_AES_256_CCM: 3696 case CipherSuite.TLS_DHE_PSK_WITH_AES_256_GCM_SHA384: 3697 case CipherSuite.TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256: 3698 case CipherSuite.TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256: 3699 case CipherSuite.TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384: 3700 case CipherSuite.TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384: 3701 case CipherSuite.TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256: 3702 case CipherSuite.TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384: 3703 case CipherSuite.TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256: 3704 case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: 3705 case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CCM: 3706 case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CCM_8: 3707 case CipherSuite.TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: 3708 case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: 3709 case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CCM: 3710 case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CCM_8: 3711 case CipherSuite.TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: 3712 case CipherSuite.TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256: 3713 case CipherSuite.TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256: 3714 case CipherSuite.TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384: 3715 case CipherSuite.TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384: 3716 case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256: 3717 case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256: 3718 case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256: 3719 case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384: 3720 case CipherSuite.TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: 3721 case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256: 3722 case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256: 3723 case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384: 3724 case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384: 3725 case CipherSuite.TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256: 3726 case CipherSuite.TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256: 3727 case CipherSuite.TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384: 3728 case CipherSuite.TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384: 3729 case CipherSuite.TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256: 3730 case CipherSuite.TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256: 3731 case CipherSuite.TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384: 3732 case CipherSuite.TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384: 3733 case CipherSuite.TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256: 3734 case CipherSuite.TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256: 3735 case CipherSuite.TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384: 3736 case CipherSuite.TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384: 3737 case CipherSuite.TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256: 3738 case CipherSuite.TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256: 3739 case CipherSuite.TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384: 3740 case CipherSuite.TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384: 3741 case CipherSuite.TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256: 3742 case CipherSuite.TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256: 3743 case CipherSuite.TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384: 3744 case CipherSuite.TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384: 3745 case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: 3746 case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CCM: 3747 case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8: 3748 case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: 3749 case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: 3750 case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CCM: 3751 case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8: 3752 case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: 3753 case CipherSuite.TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256: 3754 case CipherSuite.TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256: 3755 case CipherSuite.TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384: 3756 case CipherSuite.TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384: 3757 case CipherSuite.TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256: 3758 case CipherSuite.TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256: 3759 case CipherSuite.TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384: 3760 case CipherSuite.TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384: 3761 case CipherSuite.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: 3762 case CipherSuite.TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256: 3763 case CipherSuite.TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256: 3764 case CipherSuite.TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256: 3765 case CipherSuite.TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384: 3766 case CipherSuite.TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256: 3767 case CipherSuite.TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384: 3768 case CipherSuite.TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256: 3769 case CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: 3770 case CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: 3771 case CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384: 3772 case CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: 3773 case CipherSuite.TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256: 3774 case CipherSuite.TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256: 3775 case CipherSuite.TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384: 3776 case CipherSuite.TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384: 3777 case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256: 3778 case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256: 3779 case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384: 3780 case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384: 3781 case CipherSuite.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: 3782 case CipherSuite.TLS_PSK_DHE_WITH_AES_128_CCM_8: 3783 case CipherSuite.TLS_PSK_DHE_WITH_AES_256_CCM_8: 3784 case CipherSuite.TLS_PSK_WITH_AES_128_CCM: 3785 case CipherSuite.TLS_PSK_WITH_AES_128_CCM_8: 3786 case CipherSuite.TLS_PSK_WITH_AES_128_GCM_SHA256: 3787 case CipherSuite.TLS_PSK_WITH_AES_256_CCM: 3788 case CipherSuite.TLS_PSK_WITH_AES_256_CCM_8: 3789 case CipherSuite.TLS_PSK_WITH_AES_256_GCM_SHA384: 3790 case CipherSuite.TLS_PSK_WITH_ARIA_128_CBC_SHA256: 3791 case CipherSuite.TLS_PSK_WITH_ARIA_128_GCM_SHA256: 3792 case CipherSuite.TLS_PSK_WITH_ARIA_256_CBC_SHA384: 3793 case CipherSuite.TLS_PSK_WITH_ARIA_256_GCM_SHA384: 3794 case CipherSuite.TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256: 3795 case CipherSuite.TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384: 3796 case CipherSuite.TLS_PSK_WITH_CHACHA20_POLY1305_SHA256: 3797 case CipherSuite.TLS_RSA_PSK_WITH_AES_128_GCM_SHA256: 3798 case CipherSuite.TLS_RSA_PSK_WITH_AES_256_GCM_SHA384: 3799 case CipherSuite.TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256: 3800 case CipherSuite.TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256: 3801 case CipherSuite.TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384: 3802 case CipherSuite.TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384: 3803 case CipherSuite.TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256: 3804 case CipherSuite.TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384: 3805 case CipherSuite.TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256: 3806 case CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA256: 3807 case CipherSuite.TLS_RSA_WITH_AES_128_CCM: 3808 case CipherSuite.TLS_RSA_WITH_AES_128_CCM_8: 3809 case CipherSuite.TLS_RSA_WITH_AES_128_GCM_SHA256: 3810 case CipherSuite.TLS_RSA_WITH_AES_256_CBC_SHA256: 3811 case CipherSuite.TLS_RSA_WITH_AES_256_CCM: 3812 case CipherSuite.TLS_RSA_WITH_AES_256_CCM_8: 3813 case CipherSuite.TLS_RSA_WITH_AES_256_GCM_SHA384: 3814 case CipherSuite.TLS_RSA_WITH_ARIA_128_CBC_SHA256: 3815 case CipherSuite.TLS_RSA_WITH_ARIA_128_GCM_SHA256: 3816 case CipherSuite.TLS_RSA_WITH_ARIA_256_CBC_SHA384: 3817 case CipherSuite.TLS_RSA_WITH_ARIA_256_GCM_SHA384: 3818 case CipherSuite.TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256: 3819 case CipherSuite.TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256: 3820 case CipherSuite.TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256: 3821 case CipherSuite.TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384: 3822 case CipherSuite.TLS_RSA_WITH_NULL_SHA256: 3823 return ProtocolVersion.TLSv12; 3824 3825 default: 3826 return ProtocolVersion.SSLv3; 3827 } 3828 } 3829 getNamedGroupRoles(int[] cipherSuites)3830 public static Vector getNamedGroupRoles(int[] cipherSuites) 3831 { 3832 return getNamedGroupRoles(getKeyExchangeAlgorithms(cipherSuites)); 3833 } 3834 getNamedGroupRoles(Vector keyExchangeAlgorithms)3835 public static Vector getNamedGroupRoles(Vector keyExchangeAlgorithms) 3836 { 3837 Vector result = new Vector(); 3838 for (int i = 0; i < keyExchangeAlgorithms.size(); ++i) 3839 { 3840 int keyExchangeAlgorithm = ((Integer)keyExchangeAlgorithms.elementAt(i)).intValue(); 3841 switch (keyExchangeAlgorithm) 3842 { 3843 case KeyExchangeAlgorithm.DH_anon: 3844 case KeyExchangeAlgorithm.DH_DSS: 3845 case KeyExchangeAlgorithm.DH_RSA: 3846 case KeyExchangeAlgorithm.DHE_DSS: 3847 case KeyExchangeAlgorithm.DHE_PSK: 3848 case KeyExchangeAlgorithm.DHE_RSA: 3849 { 3850 addToSet(result, NamedGroupRole.dh); 3851 break; 3852 } 3853 3854 case KeyExchangeAlgorithm.ECDH_anon: 3855 case KeyExchangeAlgorithm.ECDH_RSA: 3856 case KeyExchangeAlgorithm.ECDHE_PSK: 3857 case KeyExchangeAlgorithm.ECDHE_RSA: 3858 { 3859 addToSet(result, NamedGroupRole.ecdh); 3860 break; 3861 } 3862 3863 case KeyExchangeAlgorithm.ECDH_ECDSA: 3864 case KeyExchangeAlgorithm.ECDHE_ECDSA: 3865 { 3866 addToSet(result, NamedGroupRole.ecdh); 3867 addToSet(result, NamedGroupRole.ecdsa); 3868 break; 3869 } 3870 3871 case KeyExchangeAlgorithm.NULL: 3872 { 3873 // TODO[tls13] We're conservatively adding both here, though maybe only one is needed 3874 addToSet(result, NamedGroupRole.dh); 3875 addToSet(result, NamedGroupRole.ecdh); 3876 break; 3877 } 3878 } 3879 } 3880 return result; 3881 } 3882 isAEADCipherSuite(int cipherSuite)3883 public static boolean isAEADCipherSuite(int cipherSuite) throws IOException 3884 { 3885 return CipherType.aead == getCipherType(cipherSuite); 3886 } 3887 isBlockCipherSuite(int cipherSuite)3888 public static boolean isBlockCipherSuite(int cipherSuite) throws IOException 3889 { 3890 return CipherType.block == getCipherType(cipherSuite); 3891 } 3892 isStreamCipherSuite(int cipherSuite)3893 public static boolean isStreamCipherSuite(int cipherSuite) throws IOException 3894 { 3895 return CipherType.stream == getCipherType(cipherSuite); 3896 } 3897 3898 /** 3899 * @return Whether a server can select the specified cipher suite given the available signature 3900 * algorithms for ServerKeyExchange. 3901 */ isValidCipherSuiteForSignatureAlgorithms(int cipherSuite, Vector sigAlgs)3902 public static boolean isValidCipherSuiteForSignatureAlgorithms(int cipherSuite, Vector sigAlgs) 3903 { 3904 final int keyExchangeAlgorithm = getKeyExchangeAlgorithm(cipherSuite); 3905 3906 switch (keyExchangeAlgorithm) 3907 { 3908 case KeyExchangeAlgorithm.DHE_DSS: 3909 case KeyExchangeAlgorithm.DHE_RSA: 3910 case KeyExchangeAlgorithm.ECDHE_ECDSA: 3911 case KeyExchangeAlgorithm.ECDHE_RSA: 3912 case KeyExchangeAlgorithm.NULL: 3913 case KeyExchangeAlgorithm.SRP_RSA: 3914 case KeyExchangeAlgorithm.SRP_DSS: 3915 break; 3916 3917 default: 3918 return true; 3919 } 3920 3921 int count = sigAlgs.size(); 3922 for (int i = 0; i < count; ++i) 3923 { 3924 Short sigAlg = (Short)sigAlgs.elementAt(i); 3925 if (null != sigAlg) 3926 { 3927 short signatureAlgorithm = sigAlg.shortValue(); 3928 3929 if (isValidSignatureAlgorithmForServerKeyExchange(signatureAlgorithm, keyExchangeAlgorithm)) 3930 { 3931 return true; 3932 } 3933 } 3934 } 3935 3936 return false; 3937 } 3938 3939 /** 3940 * @deprecated Use {@link #isValidVersionForCipherSuite(int, ProtocolVersion)} instead. 3941 */ isValidCipherSuiteForVersion(int cipherSuite, ProtocolVersion version)3942 public static boolean isValidCipherSuiteForVersion(int cipherSuite, ProtocolVersion version) 3943 { 3944 return isValidVersionForCipherSuite(cipherSuite, version); 3945 } 3946 isValidCipherSuiteSelection(int[] offeredCipherSuites, int cipherSuite)3947 static boolean isValidCipherSuiteSelection(int[] offeredCipherSuites, int cipherSuite) 3948 { 3949 return null != offeredCipherSuites 3950 && Arrays.contains(offeredCipherSuites, cipherSuite) 3951 && CipherSuite.TLS_NULL_WITH_NULL_NULL != cipherSuite 3952 && !CipherSuite.isSCSV(cipherSuite); 3953 } 3954 isValidKeyShareSelection(ProtocolVersion negotiatedVersion, int[] clientSupportedGroups, Hashtable clientAgreements, int keyShareGroup)3955 static boolean isValidKeyShareSelection(ProtocolVersion negotiatedVersion, int[] clientSupportedGroups, 3956 Hashtable clientAgreements, int keyShareGroup) 3957 { 3958 return null != clientSupportedGroups 3959 && Arrays.contains(clientSupportedGroups, keyShareGroup) 3960 && !clientAgreements.containsKey(Integers.valueOf(keyShareGroup)) 3961 && NamedGroup.canBeNegotiated(keyShareGroup, negotiatedVersion); 3962 } 3963 isValidSignatureAlgorithmForCertificateVerify(short signatureAlgorithm, short[] clientCertificateTypes)3964 static boolean isValidSignatureAlgorithmForCertificateVerify(short signatureAlgorithm, short[] clientCertificateTypes) 3965 { 3966 short clientCertificateType = SignatureAlgorithm.getClientCertificateType(signatureAlgorithm); 3967 3968 return clientCertificateType >= 0 && Arrays.contains(clientCertificateTypes, clientCertificateType); 3969 } 3970 isValidSignatureAlgorithmForServerKeyExchange(short signatureAlgorithm, int keyExchangeAlgorithm)3971 static boolean isValidSignatureAlgorithmForServerKeyExchange(short signatureAlgorithm, int keyExchangeAlgorithm) 3972 { 3973 // TODO[tls13] 3974 3975 switch (keyExchangeAlgorithm) 3976 { 3977 case KeyExchangeAlgorithm.DHE_RSA: 3978 case KeyExchangeAlgorithm.ECDHE_RSA: 3979 case KeyExchangeAlgorithm.SRP_RSA: 3980 switch (signatureAlgorithm) 3981 { 3982 case SignatureAlgorithm.rsa: 3983 case SignatureAlgorithm.rsa_pss_rsae_sha256: 3984 case SignatureAlgorithm.rsa_pss_rsae_sha384: 3985 case SignatureAlgorithm.rsa_pss_rsae_sha512: 3986 case SignatureAlgorithm.rsa_pss_pss_sha256: 3987 case SignatureAlgorithm.rsa_pss_pss_sha384: 3988 case SignatureAlgorithm.rsa_pss_pss_sha512: 3989 return true; 3990 default: 3991 return false; 3992 } 3993 3994 case KeyExchangeAlgorithm.DHE_DSS: 3995 case KeyExchangeAlgorithm.SRP_DSS: 3996 return SignatureAlgorithm.dsa == signatureAlgorithm; 3997 3998 case KeyExchangeAlgorithm.ECDHE_ECDSA: 3999 switch (signatureAlgorithm) 4000 { 4001 case SignatureAlgorithm.ecdsa: 4002 case SignatureAlgorithm.ed25519: 4003 case SignatureAlgorithm.ed448: 4004 return true; 4005 default: 4006 return false; 4007 } 4008 4009 case KeyExchangeAlgorithm.NULL: 4010 return SignatureAlgorithm.anonymous != signatureAlgorithm; 4011 4012 default: 4013 return false; 4014 } 4015 } 4016 isValidSignatureSchemeForServerKeyExchange(int signatureScheme, int keyExchangeAlgorithm)4017 public static boolean isValidSignatureSchemeForServerKeyExchange(int signatureScheme, int keyExchangeAlgorithm) 4018 { 4019 short signatureAlgorithm = SignatureScheme.getSignatureAlgorithm(signatureScheme); 4020 4021 return isValidSignatureAlgorithmForServerKeyExchange(signatureAlgorithm, keyExchangeAlgorithm); 4022 } 4023 isValidVersionForCipherSuite(int cipherSuite, ProtocolVersion version)4024 public static boolean isValidVersionForCipherSuite(int cipherSuite, ProtocolVersion version) 4025 { 4026 version = version.getEquivalentTLSVersion(); 4027 4028 ProtocolVersion minimumVersion = getMinimumVersion(cipherSuite); 4029 if (minimumVersion == version) 4030 { 4031 return true; 4032 } 4033 if (!minimumVersion.isEarlierVersionOf(version)) 4034 { 4035 return false; 4036 } 4037 return ProtocolVersion.TLSv13.isEqualOrEarlierVersionOf(minimumVersion) 4038 || ProtocolVersion.TLSv13.isLaterVersionOf(version); 4039 } 4040 chooseSignatureAndHashAlgorithm(TlsContext context, Vector sigHashAlgs, short signatureAlgorithm)4041 public static SignatureAndHashAlgorithm chooseSignatureAndHashAlgorithm(TlsContext context, Vector sigHashAlgs, 4042 short signatureAlgorithm) throws IOException 4043 { 4044 return chooseSignatureAndHashAlgorithm(context.getServerVersion(), sigHashAlgs, signatureAlgorithm); 4045 } 4046 chooseSignatureAndHashAlgorithm(ProtocolVersion negotiatedVersion, Vector sigHashAlgs, short signatureAlgorithm)4047 public static SignatureAndHashAlgorithm chooseSignatureAndHashAlgorithm(ProtocolVersion negotiatedVersion, 4048 Vector sigHashAlgs, short signatureAlgorithm) throws IOException 4049 { 4050 if (!isTLSv12(negotiatedVersion)) 4051 { 4052 return null; 4053 } 4054 4055 if (sigHashAlgs == null) 4056 { 4057 /* 4058 * TODO[tls13] RFC 8446 4.2.3 Clients which desire the server to authenticate itself via 4059 * a certificate MUST send the "signature_algorithms" extension. 4060 */ 4061 4062 sigHashAlgs = getDefaultSignatureAlgorithms(signatureAlgorithm); 4063 } 4064 4065 SignatureAndHashAlgorithm result = null; 4066 for (int i = 0; i < sigHashAlgs.size(); ++i) 4067 { 4068 SignatureAndHashAlgorithm sigHashAlg = (SignatureAndHashAlgorithm)sigHashAlgs.elementAt(i); 4069 if (sigHashAlg.getSignature() == signatureAlgorithm) 4070 { 4071 short hash = sigHashAlg.getHash(); 4072 if (hash < MINIMUM_HASH_STRICT) 4073 { 4074 continue; 4075 } 4076 if (result == null) 4077 { 4078 result = sigHashAlg; 4079 continue; 4080 } 4081 4082 short current = result.getHash(); 4083 if (current < MINIMUM_HASH_PREFERRED) 4084 { 4085 if (hash > current) 4086 { 4087 result = sigHashAlg; 4088 } 4089 } 4090 else if (hash >= MINIMUM_HASH_PREFERRED) 4091 { 4092 if (hash < current) 4093 { 4094 result = sigHashAlg; 4095 } 4096 } 4097 } 4098 } 4099 if (result == null) 4100 { 4101 throw new TlsFatalAlert(AlertDescription.internal_error); 4102 } 4103 return result; 4104 } 4105 getUsableSignatureAlgorithms(Vector sigHashAlgs)4106 public static Vector getUsableSignatureAlgorithms(Vector sigHashAlgs) 4107 { 4108 if (sigHashAlgs == null) 4109 { 4110 Vector v = new Vector(3); 4111 v.addElement(Shorts.valueOf(SignatureAlgorithm.rsa)); 4112 v.addElement(Shorts.valueOf(SignatureAlgorithm.dsa)); 4113 v.addElement(Shorts.valueOf(SignatureAlgorithm.ecdsa)); 4114 return v; 4115 } 4116 4117 Vector v = new Vector(); 4118 for (int i = 0; i < sigHashAlgs.size(); ++i) 4119 { 4120 SignatureAndHashAlgorithm sigHashAlg = (SignatureAndHashAlgorithm)sigHashAlgs.elementAt(i); 4121 if (sigHashAlg.getHash() >= MINIMUM_HASH_STRICT) 4122 { 4123 Short sigAlg = Shorts.valueOf(sigHashAlg.getSignature()); 4124 if (!v.contains(sigAlg)) 4125 { 4126 // TODO Check for crypto support before choosing (or pass in cached list?) 4127 v.addElement(sigAlg); 4128 } 4129 } 4130 } 4131 return v; 4132 } 4133 getCommonCipherSuite13(ProtocolVersion negotiatedVersion, int[] peerCipherSuites, int[] localCipherSuites, boolean useLocalOrder)4134 public static int getCommonCipherSuite13(ProtocolVersion negotiatedVersion, int[] peerCipherSuites, 4135 int[] localCipherSuites, boolean useLocalOrder) 4136 { 4137 int[] ordered = peerCipherSuites, unordered = localCipherSuites; 4138 if (useLocalOrder) 4139 { 4140 ordered = localCipherSuites; 4141 unordered = peerCipherSuites; 4142 } 4143 4144 for (int i = 0; i < ordered.length; ++i) 4145 { 4146 int candidate = ordered[i]; 4147 if (Arrays.contains(unordered, candidate) && 4148 isValidVersionForCipherSuite(candidate, negotiatedVersion)) 4149 { 4150 return candidate; 4151 } 4152 } 4153 4154 return -1; 4155 } 4156 getCommonCipherSuites(int[] peerCipherSuites, int[] localCipherSuites, boolean useLocalOrder)4157 public static int[] getCommonCipherSuites(int[] peerCipherSuites, int[] localCipherSuites, boolean useLocalOrder) 4158 { 4159 int[] ordered = peerCipherSuites, unordered = localCipherSuites; 4160 if (useLocalOrder) 4161 { 4162 ordered = localCipherSuites; 4163 unordered = peerCipherSuites; 4164 } 4165 4166 int count = 0, limit = Math.min(ordered.length, unordered.length); 4167 int[] candidates = new int[limit]; 4168 for (int i = 0; i < ordered.length; ++i) 4169 { 4170 int candidate = ordered[i]; 4171 if (!contains(candidates, 0, count, candidate) 4172 && Arrays.contains(unordered, candidate)) 4173 { 4174 candidates[count++] = candidate; 4175 } 4176 } 4177 4178 if (count < limit) 4179 { 4180 candidates = Arrays.copyOf(candidates, count); 4181 } 4182 4183 return candidates; 4184 } 4185 getSupportedCipherSuites(TlsCrypto crypto, int[] suites)4186 public static int[] getSupportedCipherSuites(TlsCrypto crypto, int[] suites) 4187 { 4188 return getSupportedCipherSuites(crypto, suites, suites.length); 4189 } 4190 getSupportedCipherSuites(TlsCrypto crypto, int[] suites, int suitesCount)4191 public static int[] getSupportedCipherSuites(TlsCrypto crypto, int[] suites, int suitesCount) 4192 { 4193 int[] supported = new int[suitesCount]; 4194 int count = 0; 4195 4196 for (int i = 0; i < suitesCount; ++i) 4197 { 4198 int suite = suites[i]; 4199 if (isSupportedCipherSuite(crypto, suite)) 4200 { 4201 supported[count++] = suite; 4202 } 4203 } 4204 4205 if (count < suitesCount) 4206 { 4207 supported = Arrays.copyOf(supported, count); 4208 } 4209 4210 return supported; 4211 } 4212 isSupportedCipherSuite(TlsCrypto crypto, int cipherSuite)4213 public static boolean isSupportedCipherSuite(TlsCrypto crypto, int cipherSuite) 4214 { 4215 return isSupportedKeyExchange(crypto, getKeyExchangeAlgorithm(cipherSuite)) 4216 && crypto.hasEncryptionAlgorithm(getEncryptionAlgorithm(cipherSuite)) 4217 && crypto.hasMacAlgorithm(getMACAlgorithm(cipherSuite)); 4218 } 4219 isSupportedKeyExchange(TlsCrypto crypto, int keyExchangeAlgorithm)4220 public static boolean isSupportedKeyExchange(TlsCrypto crypto, int keyExchangeAlgorithm) 4221 { 4222 switch (keyExchangeAlgorithm) 4223 { 4224 case KeyExchangeAlgorithm.DH_anon: 4225 case KeyExchangeAlgorithm.DH_DSS: 4226 case KeyExchangeAlgorithm.DH_RSA: 4227 case KeyExchangeAlgorithm.DHE_PSK: 4228 return crypto.hasDHAgreement(); 4229 4230 case KeyExchangeAlgorithm.DHE_DSS: 4231 return crypto.hasDHAgreement() 4232 && crypto.hasSignatureAlgorithm(SignatureAlgorithm.dsa); 4233 4234 case KeyExchangeAlgorithm.DHE_RSA: 4235 return crypto.hasDHAgreement() 4236 && hasAnyRSASigAlgs(crypto); 4237 4238 case KeyExchangeAlgorithm.ECDH_anon: 4239 case KeyExchangeAlgorithm.ECDH_ECDSA: 4240 case KeyExchangeAlgorithm.ECDH_RSA: 4241 case KeyExchangeAlgorithm.ECDHE_PSK: 4242 return crypto.hasECDHAgreement(); 4243 4244 case KeyExchangeAlgorithm.ECDHE_ECDSA: 4245 return crypto.hasECDHAgreement() 4246 && (crypto.hasSignatureAlgorithm(SignatureAlgorithm.ecdsa) 4247 || crypto.hasSignatureAlgorithm(SignatureAlgorithm.ed25519) 4248 || crypto.hasSignatureAlgorithm(SignatureAlgorithm.ed448)); 4249 4250 case KeyExchangeAlgorithm.ECDHE_RSA: 4251 return crypto.hasECDHAgreement() 4252 && hasAnyRSASigAlgs(crypto); 4253 4254 case KeyExchangeAlgorithm.NULL: 4255 case KeyExchangeAlgorithm.PSK: 4256 return true; 4257 4258 case KeyExchangeAlgorithm.RSA: 4259 case KeyExchangeAlgorithm.RSA_PSK: 4260 return crypto.hasRSAEncryption(); 4261 4262 case KeyExchangeAlgorithm.SRP: 4263 return crypto.hasSRPAuthentication(); 4264 4265 case KeyExchangeAlgorithm.SRP_DSS: 4266 return crypto.hasSRPAuthentication() 4267 && crypto.hasSignatureAlgorithm(SignatureAlgorithm.dsa); 4268 4269 case KeyExchangeAlgorithm.SRP_RSA: 4270 return crypto.hasSRPAuthentication() 4271 && hasAnyRSASigAlgs(crypto); 4272 4273 default: 4274 return false; 4275 } 4276 } 4277 hasAnyRSASigAlgs(TlsCrypto crypto)4278 static boolean hasAnyRSASigAlgs(TlsCrypto crypto) 4279 { 4280 return crypto.hasSignatureAlgorithm(SignatureAlgorithm.rsa) 4281 || crypto.hasSignatureAlgorithm(SignatureAlgorithm.rsa_pss_rsae_sha256) 4282 || crypto.hasSignatureAlgorithm(SignatureAlgorithm.rsa_pss_rsae_sha384) 4283 || crypto.hasSignatureAlgorithm(SignatureAlgorithm.rsa_pss_rsae_sha512) 4284 || crypto.hasSignatureAlgorithm(SignatureAlgorithm.rsa_pss_pss_sha256) 4285 || crypto.hasSignatureAlgorithm(SignatureAlgorithm.rsa_pss_pss_sha384) 4286 || crypto.hasSignatureAlgorithm(SignatureAlgorithm.rsa_pss_pss_sha512); 4287 } 4288 getCurrentPRFHash(TlsHandshakeHash handshakeHash)4289 static byte[] getCurrentPRFHash(TlsHandshakeHash handshakeHash) 4290 { 4291 return handshakeHash.forkPRFHash().calculateHash(); 4292 } 4293 sealHandshakeHash(TlsContext context, TlsHandshakeHash handshakeHash, boolean forceBuffering)4294 static void sealHandshakeHash(TlsContext context, TlsHandshakeHash handshakeHash, boolean forceBuffering) 4295 { 4296 if (forceBuffering || !context.getCrypto().hasAllRawSignatureAlgorithms()) 4297 { 4298 handshakeHash.forceBuffering(); 4299 } 4300 4301 handshakeHash.sealHashAlgorithms(); 4302 } 4303 createHash(TlsCrypto crypto, short hashAlgorithm)4304 private static TlsHash createHash(TlsCrypto crypto, short hashAlgorithm) 4305 { 4306 int cryptoHashAlgorithm = TlsCryptoUtils.getHash(hashAlgorithm); 4307 4308 return crypto.createHash(cryptoHashAlgorithm); 4309 } 4310 createKeyExchangeClient(TlsClient client, int keyExchange)4311 private static TlsKeyExchange createKeyExchangeClient(TlsClient client, int keyExchange) throws IOException 4312 { 4313 TlsKeyExchangeFactory factory = client.getKeyExchangeFactory(); 4314 4315 switch (keyExchange) 4316 { 4317 case KeyExchangeAlgorithm.DH_anon: 4318 return factory.createDHanonKeyExchangeClient(keyExchange, client.getDHGroupVerifier()); 4319 4320 case KeyExchangeAlgorithm.DH_DSS: 4321 case KeyExchangeAlgorithm.DH_RSA: 4322 return factory.createDHKeyExchange(keyExchange); 4323 4324 case KeyExchangeAlgorithm.DHE_DSS: 4325 case KeyExchangeAlgorithm.DHE_RSA: 4326 return factory.createDHEKeyExchangeClient(keyExchange, client.getDHGroupVerifier()); 4327 4328 case KeyExchangeAlgorithm.ECDH_anon: 4329 return factory.createECDHanonKeyExchangeClient(keyExchange); 4330 4331 case KeyExchangeAlgorithm.ECDH_ECDSA: 4332 case KeyExchangeAlgorithm.ECDH_RSA: 4333 return factory.createECDHKeyExchange(keyExchange); 4334 4335 case KeyExchangeAlgorithm.ECDHE_ECDSA: 4336 case KeyExchangeAlgorithm.ECDHE_RSA: 4337 return factory.createECDHEKeyExchangeClient(keyExchange); 4338 4339 case KeyExchangeAlgorithm.RSA: 4340 return factory.createRSAKeyExchange(keyExchange); 4341 4342 case KeyExchangeAlgorithm.DHE_PSK: 4343 return factory.createPSKKeyExchangeClient(keyExchange, client.getPSKIdentity(), 4344 client.getDHGroupVerifier()); 4345 4346 case KeyExchangeAlgorithm.ECDHE_PSK: 4347 case KeyExchangeAlgorithm.PSK: 4348 case KeyExchangeAlgorithm.RSA_PSK: 4349 return factory.createPSKKeyExchangeClient(keyExchange, client.getPSKIdentity(), null); 4350 4351 case KeyExchangeAlgorithm.SRP: 4352 case KeyExchangeAlgorithm.SRP_DSS: 4353 case KeyExchangeAlgorithm.SRP_RSA: 4354 return factory.createSRPKeyExchangeClient(keyExchange, client.getSRPIdentity(), 4355 client.getSRPConfigVerifier()); 4356 4357 default: 4358 /* 4359 * Note: internal error here; the TlsProtocol implementation verifies that the 4360 * server-selected cipher suite was in the list of client-offered cipher suites, so if 4361 * we now can't produce an implementation, we shouldn't have offered it! 4362 */ 4363 throw new TlsFatalAlert(AlertDescription.internal_error); 4364 } 4365 } 4366 createKeyExchangeServer(TlsServer server, int keyExchange)4367 private static TlsKeyExchange createKeyExchangeServer(TlsServer server, int keyExchange) throws IOException 4368 { 4369 TlsKeyExchangeFactory factory = server.getKeyExchangeFactory(); 4370 4371 switch (keyExchange) 4372 { 4373 case KeyExchangeAlgorithm.DH_anon: 4374 return factory.createDHanonKeyExchangeServer(keyExchange, server.getDHConfig()); 4375 4376 case KeyExchangeAlgorithm.DH_DSS: 4377 case KeyExchangeAlgorithm.DH_RSA: 4378 return factory.createDHKeyExchange(keyExchange); 4379 4380 case KeyExchangeAlgorithm.DHE_DSS: 4381 case KeyExchangeAlgorithm.DHE_RSA: 4382 return factory.createDHEKeyExchangeServer(keyExchange, server.getDHConfig()); 4383 4384 case KeyExchangeAlgorithm.ECDH_anon: 4385 return factory.createECDHanonKeyExchangeServer(keyExchange, server.getECDHConfig()); 4386 4387 case KeyExchangeAlgorithm.ECDH_ECDSA: 4388 case KeyExchangeAlgorithm.ECDH_RSA: 4389 return factory.createECDHKeyExchange(keyExchange); 4390 4391 case KeyExchangeAlgorithm.ECDHE_ECDSA: 4392 case KeyExchangeAlgorithm.ECDHE_RSA: 4393 return factory.createECDHEKeyExchangeServer(keyExchange, server.getECDHConfig()); 4394 4395 case KeyExchangeAlgorithm.RSA: 4396 return factory.createRSAKeyExchange(keyExchange); 4397 4398 case KeyExchangeAlgorithm.DHE_PSK: 4399 return factory.createPSKKeyExchangeServer(keyExchange, server.getPSKIdentityManager(), server.getDHConfig(), 4400 null); 4401 4402 case KeyExchangeAlgorithm.ECDHE_PSK: 4403 return factory.createPSKKeyExchangeServer(keyExchange, server.getPSKIdentityManager(), null, server.getECDHConfig()); 4404 4405 case KeyExchangeAlgorithm.PSK: 4406 case KeyExchangeAlgorithm.RSA_PSK: 4407 return factory.createPSKKeyExchangeServer(keyExchange, server.getPSKIdentityManager(), null, null); 4408 4409 case KeyExchangeAlgorithm.SRP: 4410 case KeyExchangeAlgorithm.SRP_DSS: 4411 case KeyExchangeAlgorithm.SRP_RSA: 4412 return factory.createSRPKeyExchangeServer(keyExchange, server.getSRPLoginParameters()); 4413 4414 default: 4415 /* 4416 * Note: internal error here; the TlsProtocol implementation verifies that the 4417 * server-selected cipher suite was in the list of client-offered cipher suites, so if 4418 * we now can't produce an implementation, we shouldn't have offered it! 4419 */ 4420 throw new TlsFatalAlert(AlertDescription.internal_error); 4421 } 4422 } 4423 initKeyExchangeClient(TlsClientContext clientContext, TlsClient client)4424 static TlsKeyExchange initKeyExchangeClient(TlsClientContext clientContext, TlsClient client) throws IOException 4425 { 4426 SecurityParameters securityParameters = clientContext.getSecurityParametersHandshake(); 4427 TlsKeyExchange keyExchange = createKeyExchangeClient(client, securityParameters.getKeyExchangeAlgorithm()); 4428 keyExchange.init(clientContext); 4429 return keyExchange; 4430 } 4431 initKeyExchangeServer(TlsServerContext serverContext, TlsServer server)4432 static TlsKeyExchange initKeyExchangeServer(TlsServerContext serverContext, TlsServer server) throws IOException 4433 { 4434 SecurityParameters securityParameters = serverContext.getSecurityParametersHandshake(); 4435 TlsKeyExchange keyExchange = createKeyExchangeServer(server, securityParameters.getKeyExchangeAlgorithm()); 4436 keyExchange.init(serverContext); 4437 return keyExchange; 4438 } 4439 initCipher(TlsContext context)4440 static TlsCipher initCipher(TlsContext context) throws IOException 4441 { 4442 SecurityParameters securityParameters = context.getSecurityParametersHandshake(); 4443 int cipherSuite = securityParameters.getCipherSuite(); 4444 int encryptionAlgorithm = getEncryptionAlgorithm(cipherSuite); 4445 int macAlgorithm = getMACAlgorithm(cipherSuite); 4446 4447 if (encryptionAlgorithm < 0 || macAlgorithm < 0) 4448 { 4449 throw new TlsFatalAlert(AlertDescription.internal_error); 4450 } 4451 4452 return context.getCrypto().createCipher(new TlsCryptoParameters(context), encryptionAlgorithm, macAlgorithm); 4453 } 4454 4455 /** 4456 * Check the signature algorithm for certificates in the peer's CertPath as specified in RFC 4457 * 5246 7.4.2, 7.4.4, 7.4.6 and similar rules for earlier TLS versions. The supplied CertPath 4458 * should include the trust anchor (its signature algorithm isn't checked, but in the general 4459 * case checking a certificate requires the issuer certificate). 4460 * 4461 * @throws IOException 4462 * if any certificate in the CertPath (excepting the trust anchor) has a signature 4463 * algorithm that is not one of the locally supported signature algorithms. 4464 */ checkPeerSigAlgs(TlsContext context, TlsCertificate[] peerCertPath)4465 public static void checkPeerSigAlgs(TlsContext context, TlsCertificate[] peerCertPath) throws IOException 4466 { 4467 if (context.isServer()) 4468 { 4469 checkSigAlgOfClientCerts(context, peerCertPath); 4470 } 4471 else 4472 { 4473 checkSigAlgOfServerCerts(context, peerCertPath); 4474 } 4475 } 4476 checkSigAlgOfClientCerts(TlsContext context, TlsCertificate[] clientCertPath)4477 private static void checkSigAlgOfClientCerts(TlsContext context, TlsCertificate[] clientCertPath) throws IOException 4478 { 4479 SecurityParameters securityParameters = context.getSecurityParametersHandshake(); 4480 short[] clientCertTypes = securityParameters.getClientCertTypes(); 4481 Vector serverSigAlgsCert = securityParameters.getServerSigAlgsCert(); 4482 4483 int trustAnchorPos = clientCertPath.length - 1; 4484 for (int i = 0; i < trustAnchorPos; ++i) 4485 { 4486 TlsCertificate subjectCert = clientCertPath[i]; 4487 TlsCertificate issuerCert = clientCertPath[i + 1]; 4488 4489 SignatureAndHashAlgorithm sigAndHashAlg = getCertSigAndHashAlg(subjectCert, issuerCert); 4490 4491 boolean valid = false; 4492 if (null == sigAndHashAlg) 4493 { 4494 // We don't recognize the 'signatureAlgorithm' of the certificate 4495 } 4496 else if (null == serverSigAlgsCert) 4497 { 4498 // TODO Review this (legacy) logic with RFC 4346 (7.4?.2?) 4499 if (null != clientCertTypes) 4500 { 4501 for (int j = 0; j < clientCertTypes.length; ++j) 4502 { 4503 short signatureAlgorithm = getLegacySignatureAlgorithmClientCert(clientCertTypes[j]); 4504 if (sigAndHashAlg.getSignature() == signatureAlgorithm) 4505 { 4506 valid = true; 4507 break; 4508 } 4509 } 4510 } 4511 } 4512 else 4513 { 4514 /* 4515 * RFC 5246 7.4.4 Any certificates provided by the client MUST be signed using a 4516 * hash/signature algorithm pair found in supported_signature_algorithms. 4517 */ 4518 valid = containsSignatureAlgorithm(serverSigAlgsCert, sigAndHashAlg); 4519 } 4520 4521 if (!valid) 4522 { 4523 throw new TlsFatalAlert(AlertDescription.bad_certificate); 4524 } 4525 } 4526 } 4527 checkSigAlgOfServerCerts(TlsContext context, TlsCertificate[] serverCertPath)4528 private static void checkSigAlgOfServerCerts(TlsContext context, TlsCertificate[] serverCertPath) throws IOException 4529 { 4530 SecurityParameters securityParameters = context.getSecurityParametersHandshake(); 4531 Vector clientSigAlgsCert = securityParameters.getClientSigAlgsCert(); 4532 Vector clientSigAlgs = securityParameters.getClientSigAlgs(); 4533 4534 /* 4535 * NOTE: For TLS 1.2, we'll check 'signature_algorithms' too (if it's distinct), since 4536 * there's no way of knowing whether the server understood 'signature_algorithms_cert'. 4537 */ 4538 if (clientSigAlgs == clientSigAlgsCert || isTLSv13(securityParameters.getNegotiatedVersion())) 4539 { 4540 clientSigAlgs = null; 4541 } 4542 4543 int trustAnchorPos = serverCertPath.length - 1; 4544 for (int i = 0; i < trustAnchorPos; ++i) 4545 { 4546 TlsCertificate subjectCert = serverCertPath[i]; 4547 TlsCertificate issuerCert = serverCertPath[i + 1]; 4548 4549 SignatureAndHashAlgorithm sigAndHashAlg = getCertSigAndHashAlg(subjectCert, issuerCert); 4550 4551 boolean valid = false; 4552 if (null == sigAndHashAlg) 4553 { 4554 // We don't recognize the 'signatureAlgorithm' of the certificate 4555 } 4556 else if (null == clientSigAlgsCert) 4557 { 4558 /* 4559 * RFC 4346 7.4.2. Unless otherwise specified, the signing algorithm for the 4560 * certificate MUST be the same as the algorithm for the certificate key. 4561 */ 4562 short signatureAlgorithm = getLegacySignatureAlgorithmServerCert( 4563 securityParameters.getKeyExchangeAlgorithm()); 4564 4565 valid = (signatureAlgorithm == sigAndHashAlg.getSignature()); 4566 } 4567 else 4568 { 4569 /* 4570 * RFC 5246 7.4.2. If the client provided a "signature_algorithms" extension, then 4571 * all certificates provided by the server MUST be signed by a hash/signature algorithm 4572 * pair that appears in that extension. 4573 */ 4574 valid = containsSignatureAlgorithm(clientSigAlgsCert, sigAndHashAlg) 4575 || (null != clientSigAlgs && containsSignatureAlgorithm(clientSigAlgs, sigAndHashAlg)); 4576 } 4577 4578 if (!valid) 4579 { 4580 throw new TlsFatalAlert(AlertDescription.bad_certificate); 4581 } 4582 } 4583 } 4584 checkTlsFeatures(Certificate serverCertificate, Hashtable clientExtensions, Hashtable serverExtensions)4585 static void checkTlsFeatures(Certificate serverCertificate, Hashtable clientExtensions, Hashtable serverExtensions) throws IOException 4586 { 4587 /* 4588 * RFC 7633 4.3.3. A client MUST treat a certificate with a TLS feature extension as an 4589 * invalid certificate if the features offered by the server do not contain all features 4590 * present in both the client's ClientHello message and the TLS feature extension. 4591 */ 4592 byte[] tlsFeatures = serverCertificate.getCertificateAt(0).getExtension(TlsObjectIdentifiers.id_pe_tlsfeature); 4593 if (tlsFeatures != null) 4594 { 4595 Enumeration tlsExtensions = ((ASN1Sequence)readDERObject(tlsFeatures)).getObjects(); 4596 while (tlsExtensions.hasMoreElements()) 4597 { 4598 BigInteger tlsExtension = ((ASN1Integer)tlsExtensions.nextElement()).getPositiveValue(); 4599 if (tlsExtension.bitLength() <= 16) 4600 { 4601 Integer extensionType = Integers.valueOf(tlsExtension.intValue()); 4602 if (clientExtensions.containsKey(extensionType) && !serverExtensions.containsKey(extensionType)) 4603 { 4604 throw new TlsFatalAlert(AlertDescription.certificate_unknown); 4605 } 4606 } 4607 } 4608 } 4609 } 4610 processClientCertificate(TlsServerContext serverContext, Certificate clientCertificate, TlsKeyExchange keyExchange, TlsServer server)4611 static void processClientCertificate(TlsServerContext serverContext, Certificate clientCertificate, 4612 TlsKeyExchange keyExchange, TlsServer server) throws IOException 4613 { 4614 SecurityParameters securityParameters = serverContext.getSecurityParametersHandshake(); 4615 if (null != securityParameters.getPeerCertificate()) 4616 { 4617 throw new TlsFatalAlert(AlertDescription.unexpected_message); 4618 } 4619 4620 boolean isTLSv13 = isTLSv13(securityParameters.getNegotiatedVersion()); 4621 if (isTLSv13) 4622 { 4623 // 'keyExchange' not used 4624 } 4625 else if (clientCertificate.isEmpty()) 4626 { 4627 /* 4628 * NOTE: We tolerate SSLv3 clients sending an empty chain, although "If no suitable 4629 * certificate is available, the client should send a no_certificate alert instead". 4630 */ 4631 4632 keyExchange.skipClientCredentials(); 4633 } 4634 else 4635 { 4636 keyExchange.processClientCertificate(clientCertificate); 4637 } 4638 4639 securityParameters.peerCertificate = clientCertificate; 4640 4641 /* 4642 * RFC 5246 7.4.6. If the client does not send any certificates, the server MAY at its 4643 * discretion either continue the handshake without client authentication, or respond with a 4644 * fatal handshake_failure alert. Also, if some aspect of the certificate chain was 4645 * unacceptable (e.g., it was not signed by a known, trusted CA), the server MAY at its 4646 * discretion either continue the handshake (considering the client unauthenticated) or send 4647 * a fatal alert. 4648 */ 4649 server.notifyClientCertificate(clientCertificate); 4650 } 4651 processServerCertificate(TlsClientContext clientContext, CertificateStatus serverCertificateStatus, TlsKeyExchange keyExchange, TlsAuthentication clientAuthentication, Hashtable clientExtensions, Hashtable serverExtensions)4652 static void processServerCertificate(TlsClientContext clientContext, 4653 CertificateStatus serverCertificateStatus, TlsKeyExchange keyExchange, TlsAuthentication clientAuthentication, 4654 Hashtable clientExtensions, Hashtable serverExtensions) throws IOException 4655 { 4656 SecurityParameters securityParameters = clientContext.getSecurityParametersHandshake(); 4657 boolean isTLSv13 = isTLSv13(securityParameters.getNegotiatedVersion()); 4658 4659 if (null == clientAuthentication) 4660 { 4661 if (isTLSv13) 4662 { 4663 throw new TlsFatalAlert(AlertDescription.internal_error); 4664 } 4665 4666 // There was no server certificate message; check it's OK 4667 keyExchange.skipServerCredentials(); 4668 securityParameters.tlsServerEndPoint = EMPTY_BYTES; 4669 return; 4670 } 4671 4672 Certificate serverCertificate = securityParameters.getPeerCertificate(); 4673 4674 checkTlsFeatures(serverCertificate, clientExtensions, serverExtensions); 4675 4676 if (!isTLSv13) 4677 { 4678 keyExchange.processServerCertificate(serverCertificate); 4679 } 4680 4681 clientAuthentication.notifyServerCertificate(new TlsServerCertificateImpl(serverCertificate, serverCertificateStatus)); 4682 } 4683 getCertSigAndHashAlg(TlsCertificate subjectCert, TlsCertificate issuerCert)4684 static SignatureAndHashAlgorithm getCertSigAndHashAlg(TlsCertificate subjectCert, TlsCertificate issuerCert) 4685 throws IOException 4686 { 4687 String sigAlgOID = subjectCert.getSigAlgOID(); 4688 4689 if (null != sigAlgOID) 4690 { 4691 if (!PKCSObjectIdentifiers.id_RSASSA_PSS.getId().equals(sigAlgOID)) 4692 { 4693 return (SignatureAndHashAlgorithm)CERT_SIG_ALG_OIDS.get(sigAlgOID); 4694 } 4695 4696 RSASSAPSSparams pssParams = RSASSAPSSparams.getInstance(subjectCert.getSigAlgParams()); 4697 if (null != pssParams) 4698 { 4699 ASN1ObjectIdentifier hashOID = pssParams.getHashAlgorithm().getAlgorithm(); 4700 if (NISTObjectIdentifiers.id_sha256.equals(hashOID)) 4701 { 4702 if (issuerCert.supportsSignatureAlgorithmCA(SignatureAlgorithm.rsa_pss_pss_sha256)) 4703 { 4704 return SignatureAndHashAlgorithm.rsa_pss_pss_sha256; 4705 } 4706 else if (issuerCert.supportsSignatureAlgorithmCA(SignatureAlgorithm.rsa_pss_rsae_sha256)) 4707 { 4708 return SignatureAndHashAlgorithm.rsa_pss_rsae_sha256; 4709 } 4710 } 4711 else if (NISTObjectIdentifiers.id_sha384.equals(hashOID)) 4712 { 4713 if (issuerCert.supportsSignatureAlgorithmCA(SignatureAlgorithm.rsa_pss_pss_sha384)) 4714 { 4715 return SignatureAndHashAlgorithm.rsa_pss_pss_sha384; 4716 } 4717 else if (issuerCert.supportsSignatureAlgorithmCA(SignatureAlgorithm.rsa_pss_rsae_sha384)) 4718 { 4719 return SignatureAndHashAlgorithm.rsa_pss_rsae_sha384; 4720 } 4721 } 4722 else if (NISTObjectIdentifiers.id_sha512.equals(hashOID)) 4723 { 4724 if (issuerCert.supportsSignatureAlgorithmCA(SignatureAlgorithm.rsa_pss_pss_sha512)) 4725 { 4726 return SignatureAndHashAlgorithm.rsa_pss_pss_sha512; 4727 } 4728 else if (issuerCert.supportsSignatureAlgorithmCA(SignatureAlgorithm.rsa_pss_rsae_sha512)) 4729 { 4730 return SignatureAndHashAlgorithm.rsa_pss_rsae_sha512; 4731 } 4732 } 4733 } 4734 } 4735 4736 return null; 4737 } 4738 validateCertificateRequest(CertificateRequest certificateRequest, TlsKeyExchange keyExchange)4739 static CertificateRequest validateCertificateRequest(CertificateRequest certificateRequest, TlsKeyExchange keyExchange) 4740 throws IOException 4741 { 4742 short[] validClientCertificateTypes = keyExchange.getClientCertificateTypes(); 4743 if (isNullOrEmpty(validClientCertificateTypes)) 4744 { 4745 throw new TlsFatalAlert(AlertDescription.unexpected_message); 4746 } 4747 4748 certificateRequest = normalizeCertificateRequest(certificateRequest, validClientCertificateTypes); 4749 if (certificateRequest == null) 4750 { 4751 throw new TlsFatalAlert(AlertDescription.illegal_parameter); 4752 } 4753 4754 return certificateRequest; 4755 } 4756 normalizeCertificateRequest(CertificateRequest certificateRequest, short[] validClientCertificateTypes)4757 static CertificateRequest normalizeCertificateRequest(CertificateRequest certificateRequest, short[] validClientCertificateTypes) 4758 { 4759 if (containsAll(validClientCertificateTypes, certificateRequest.getCertificateTypes())) 4760 { 4761 return certificateRequest; 4762 } 4763 4764 short[] retained = retainAll(certificateRequest.getCertificateTypes(), validClientCertificateTypes); 4765 if (retained.length < 1) 4766 { 4767 return null; 4768 } 4769 4770 // TODO Filter for unique sigAlgs/CAs only 4771 return new CertificateRequest(retained, certificateRequest.getSupportedSignatureAlgorithms(), 4772 certificateRequest.getCertificateAuthorities()); 4773 } 4774 contains(int[] buf, int off, int len, int value)4775 static boolean contains(int[] buf, int off, int len, int value) 4776 { 4777 for (int i = 0; i < len; ++i) 4778 { 4779 if (value == buf[off + i]) 4780 { 4781 return true; 4782 } 4783 } 4784 return false; 4785 } 4786 containsAll(short[] container, short[] elements)4787 static boolean containsAll(short[] container, short[] elements) 4788 { 4789 for (int i = 0; i < elements.length; ++i) 4790 { 4791 if (!Arrays.contains(container, elements[i])) 4792 { 4793 return false; 4794 } 4795 } 4796 return true; 4797 } 4798 retainAll(short[] retainer, short[] elements)4799 static short[] retainAll(short[] retainer, short[] elements) 4800 { 4801 short[] retained = new short[Math.min(retainer.length, elements.length)]; 4802 4803 int count = 0; 4804 for (int i = 0; i < elements.length; ++i) 4805 { 4806 if (Arrays.contains(retainer, elements[i])) 4807 { 4808 retained[count++] = elements[i]; 4809 } 4810 } 4811 4812 return truncate(retained, count); 4813 } 4814 truncate(short[] a, int n)4815 static short[] truncate(short[] a, int n) 4816 { 4817 if (n < a.length) 4818 { 4819 return a; 4820 } 4821 4822 short[] t = new short[n]; 4823 System.arraycopy(a, 0, t, 0, n); 4824 return t; 4825 } 4826 requireAgreementCredentials(TlsCredentials credentials)4827 static TlsCredentialedAgreement requireAgreementCredentials(TlsCredentials credentials) 4828 throws IOException 4829 { 4830 if (!(credentials instanceof TlsCredentialedAgreement)) 4831 { 4832 throw new TlsFatalAlert(AlertDescription.internal_error); 4833 } 4834 4835 return (TlsCredentialedAgreement)credentials; 4836 } 4837 requireDecryptorCredentials(TlsCredentials credentials)4838 static TlsCredentialedDecryptor requireDecryptorCredentials(TlsCredentials credentials) 4839 throws IOException 4840 { 4841 if (!(credentials instanceof TlsCredentialedDecryptor)) 4842 { 4843 throw new TlsFatalAlert(AlertDescription.internal_error); 4844 } 4845 4846 return (TlsCredentialedDecryptor)credentials; 4847 } 4848 requireSignerCredentials(TlsCredentials credentials)4849 static TlsCredentialedSigner requireSignerCredentials(TlsCredentials credentials) 4850 throws IOException 4851 { 4852 if (!(credentials instanceof TlsCredentialedSigner)) 4853 { 4854 throw new TlsFatalAlert(AlertDescription.internal_error); 4855 } 4856 4857 return (TlsCredentialedSigner)credentials; 4858 } 4859 checkDowngradeMarker(byte[] randomBlock, byte[] downgradeMarker)4860 private static void checkDowngradeMarker(byte[] randomBlock, byte[] downgradeMarker) throws IOException 4861 { 4862 int len = downgradeMarker.length; 4863 if (constantTimeAreEqual(len, downgradeMarker, 0, randomBlock, randomBlock.length - len)) 4864 { 4865 throw new TlsFatalAlert(AlertDescription.illegal_parameter); 4866 } 4867 } 4868 checkDowngradeMarker(ProtocolVersion version, byte[] randomBlock)4869 static void checkDowngradeMarker(ProtocolVersion version, byte[] randomBlock) throws IOException 4870 { 4871 version = version.getEquivalentTLSVersion(); 4872 4873 if (version.isEqualOrEarlierVersionOf(ProtocolVersion.TLSv11)) 4874 { 4875 checkDowngradeMarker(randomBlock, DOWNGRADE_TLS11); 4876 } 4877 if (version.isEqualOrEarlierVersionOf(ProtocolVersion.TLSv12)) 4878 { 4879 checkDowngradeMarker(randomBlock, DOWNGRADE_TLS12); 4880 } 4881 } 4882 writeDowngradeMarker(ProtocolVersion version, byte[] randomBlock)4883 static void writeDowngradeMarker(ProtocolVersion version, byte[] randomBlock) throws IOException 4884 { 4885 version = version.getEquivalentTLSVersion(); 4886 4887 byte[] marker; 4888 if (ProtocolVersion.TLSv12 == version) 4889 { 4890 marker = DOWNGRADE_TLS12; 4891 } 4892 else if (version.isEqualOrEarlierVersionOf(ProtocolVersion.TLSv11)) 4893 { 4894 marker = DOWNGRADE_TLS11; 4895 } 4896 else 4897 { 4898 throw new TlsFatalAlert(AlertDescription.internal_error); 4899 } 4900 4901 System.arraycopy(marker, 0, randomBlock, randomBlock.length - marker.length, marker.length); 4902 } 4903 receiveServerCertificate(TlsClientContext clientContext, TlsClient client, ByteArrayInputStream buf)4904 static TlsAuthentication receiveServerCertificate(TlsClientContext clientContext, TlsClient client, 4905 ByteArrayInputStream buf) throws IOException 4906 { 4907 SecurityParameters securityParameters = clientContext.getSecurityParametersHandshake(); 4908 if (null != securityParameters.getPeerCertificate()) 4909 { 4910 throw new TlsFatalAlert(AlertDescription.unexpected_message); 4911 } 4912 4913 ByteArrayOutputStream endPointHash = new ByteArrayOutputStream(); 4914 4915 Certificate.ParseOptions options = new Certificate.ParseOptions() 4916 .setMaxChainLength(client.getMaxCertificateChainLength()); 4917 4918 Certificate serverCertificate = Certificate.parse(options, clientContext, buf, endPointHash); 4919 4920 TlsProtocol.assertEmpty(buf); 4921 4922 if (serverCertificate.isEmpty()) 4923 { 4924 throw new TlsFatalAlert(AlertDescription.decode_error); 4925 } 4926 4927 securityParameters.peerCertificate = serverCertificate; 4928 securityParameters.tlsServerEndPoint = endPointHash.toByteArray(); 4929 4930 TlsAuthentication authentication = client.getAuthentication(); 4931 if (null == authentication) 4932 { 4933 throw new TlsFatalAlert(AlertDescription.internal_error); 4934 } 4935 4936 return authentication; 4937 } 4938 receive13ServerCertificate(TlsClientContext clientContext, TlsClient client, ByteArrayInputStream buf)4939 static TlsAuthentication receive13ServerCertificate(TlsClientContext clientContext, TlsClient client, 4940 ByteArrayInputStream buf) throws IOException 4941 { 4942 SecurityParameters securityParameters = clientContext.getSecurityParametersHandshake(); 4943 if (null != securityParameters.getPeerCertificate()) 4944 { 4945 throw new TlsFatalAlert(AlertDescription.unexpected_message); 4946 } 4947 4948 Certificate.ParseOptions options = new Certificate.ParseOptions() 4949 .setMaxChainLength(client.getMaxCertificateChainLength()); 4950 4951 Certificate serverCertificate = Certificate.parse(options, clientContext, buf, null); 4952 4953 TlsProtocol.assertEmpty(buf); 4954 4955 if (serverCertificate.getCertificateRequestContext().length > 0) 4956 { 4957 throw new TlsFatalAlert(AlertDescription.illegal_parameter); 4958 } 4959 4960 if (serverCertificate.isEmpty()) 4961 { 4962 throw new TlsFatalAlert(AlertDescription.decode_error); 4963 } 4964 4965 securityParameters.peerCertificate = serverCertificate; 4966 securityParameters.tlsServerEndPoint = null; 4967 4968 TlsAuthentication authentication = client.getAuthentication(); 4969 if (null == authentication) 4970 { 4971 throw new TlsFatalAlert(AlertDescription.internal_error); 4972 } 4973 4974 return authentication; 4975 } 4976 containsNonAscii(byte[] bs)4977 public static boolean containsNonAscii(byte[] bs) 4978 { 4979 for (int i = 0; i < bs.length; ++i) 4980 { 4981 int c = bs[i] & 0xFF;; 4982 if (c >= 0x80) 4983 { 4984 return true; 4985 } 4986 } 4987 return false; 4988 } 4989 containsNonAscii(String s)4990 public static boolean containsNonAscii(String s) 4991 { 4992 for (int i = 0; i < s.length(); ++i) 4993 { 4994 int c = s.charAt(i); 4995 if (c >= 0x80) 4996 { 4997 return true; 4998 } 4999 } 5000 return false; 5001 } 5002 addEarlyKeySharesToClientHello(TlsClientContext clientContext, TlsClient client, Hashtable clientExtensions)5003 static Hashtable addEarlyKeySharesToClientHello(TlsClientContext clientContext, TlsClient client, 5004 Hashtable clientExtensions) throws IOException 5005 { 5006 /* 5007 * RFC 8446 9.2. If containing a "supported_groups" extension, it MUST also contain a 5008 * "key_share" extension, and vice versa. An empty KeyShare.client_shares vector is 5009 * permitted. 5010 */ 5011 if (!isTLSv13(clientContext.getClientVersion()) 5012 || !clientExtensions.containsKey(TlsExtensionsUtils.EXT_supported_groups)) 5013 { 5014 return null; 5015 } 5016 5017 int[] supportedGroups = TlsExtensionsUtils.getSupportedGroupsExtension(clientExtensions); 5018 Vector keyShareGroups = client.getEarlyKeyShareGroups(); 5019 Hashtable clientAgreements = new Hashtable(3); 5020 Vector clientShares = new Vector(2); 5021 5022 collectKeyShares(clientContext.getCrypto(), supportedGroups, keyShareGroups, clientAgreements, clientShares); 5023 5024 TlsExtensionsUtils.addKeyShareClientHello(clientExtensions, clientShares); 5025 5026 return clientAgreements; 5027 } 5028 addKeyShareToClientHelloRetry(TlsClientContext clientContext, Hashtable clientExtensions, int keyShareGroup)5029 static Hashtable addKeyShareToClientHelloRetry(TlsClientContext clientContext, Hashtable clientExtensions, 5030 int keyShareGroup) throws IOException 5031 { 5032 int[] supportedGroups = new int[]{ keyShareGroup }; 5033 Vector keyShareGroups = vectorOfOne(Integers.valueOf(keyShareGroup)); 5034 Hashtable clientAgreements = new Hashtable(1, 1.0f); 5035 Vector clientShares = new Vector(1); 5036 5037 collectKeyShares(clientContext.getCrypto(), supportedGroups, keyShareGroups, clientAgreements, clientShares); 5038 5039 TlsExtensionsUtils.addKeyShareClientHello(clientExtensions, clientShares); 5040 5041 if (clientAgreements.isEmpty() || clientShares.isEmpty()) 5042 { 5043 // NOTE: Probable cause is declaring an unsupported NamedGroup in supported_groups extension 5044 throw new TlsFatalAlert(AlertDescription.internal_error); 5045 } 5046 5047 return clientAgreements; 5048 } 5049 collectKeyShares(TlsCrypto crypto, int[] supportedGroups, Vector keyShareGroups, Hashtable clientAgreements, Vector clientShares)5050 private static void collectKeyShares(TlsCrypto crypto, int[] supportedGroups, Vector keyShareGroups, 5051 Hashtable clientAgreements, Vector clientShares) throws IOException 5052 { 5053 if (isNullOrEmpty(supportedGroups)) 5054 { 5055 return; 5056 } 5057 if (null == keyShareGroups || keyShareGroups.isEmpty()) 5058 { 5059 return; 5060 } 5061 5062 for (int i = 0; i < supportedGroups.length; ++i) 5063 { 5064 int supportedGroup = supportedGroups[i]; 5065 Integer supportedGroupElement = Integers.valueOf(supportedGroup); 5066 5067 if (!keyShareGroups.contains(supportedGroupElement) 5068 || clientAgreements.containsKey(supportedGroupElement) 5069 || !crypto.hasNamedGroup(supportedGroup)) 5070 { 5071 continue; 5072 } 5073 5074 TlsAgreement agreement = null; 5075 if (NamedGroup.refersToASpecificCurve(supportedGroup)) 5076 { 5077 if (crypto.hasECDHAgreement()) 5078 { 5079 agreement = crypto.createECDomain(new TlsECConfig(supportedGroup)).createECDH(); 5080 } 5081 } 5082 else if (NamedGroup.refersToASpecificFiniteField(supportedGroup)) 5083 { 5084 if (crypto.hasDHAgreement()) 5085 { 5086 agreement = crypto.createDHDomain(new TlsDHConfig(supportedGroup, true)).createDH(); 5087 } 5088 } 5089 5090 if (null != agreement) 5091 { 5092 byte[] key_exchange = agreement.generateEphemeral(); 5093 KeyShareEntry clientShare = new KeyShareEntry(supportedGroup, key_exchange); 5094 5095 clientShares.addElement(clientShare); 5096 clientAgreements.put(supportedGroupElement, agreement); 5097 } 5098 } 5099 } 5100 selectKeyShare(Vector clientShares, int keyShareGroup)5101 static KeyShareEntry selectKeyShare(Vector clientShares, int keyShareGroup) 5102 { 5103 if (null != clientShares && 1 == clientShares.size()) 5104 { 5105 KeyShareEntry clientShare = (KeyShareEntry)clientShares.elementAt(0); 5106 if (null != clientShare && clientShare.getNamedGroup() == keyShareGroup) 5107 { 5108 return clientShare; 5109 } 5110 } 5111 return null; 5112 } 5113 selectKeyShare(TlsCrypto crypto, ProtocolVersion negotiatedVersion, Vector clientShares, int[] clientSupportedGroups, int[] serverSupportedGroups)5114 static KeyShareEntry selectKeyShare(TlsCrypto crypto, ProtocolVersion negotiatedVersion, Vector clientShares, 5115 int[] clientSupportedGroups, int[] serverSupportedGroups) 5116 { 5117 if (null != clientShares && !isNullOrEmpty(clientSupportedGroups) && !isNullOrEmpty(serverSupportedGroups)) 5118 { 5119 for (int i = 0; i < clientShares.size(); ++i) 5120 { 5121 KeyShareEntry clientShare = (KeyShareEntry)clientShares.elementAt(i); 5122 5123 int group = clientShare.getNamedGroup(); 5124 5125 if (!NamedGroup.canBeNegotiated(group, negotiatedVersion)) 5126 { 5127 continue; 5128 } 5129 5130 if (!Arrays.contains(serverSupportedGroups, group) || 5131 !Arrays.contains(clientSupportedGroups, group)) 5132 { 5133 continue; 5134 } 5135 5136 if (!crypto.hasNamedGroup(group)) 5137 { 5138 continue; 5139 } 5140 5141 if ((NamedGroup.refersToASpecificCurve(group) && !crypto.hasECDHAgreement()) || 5142 (NamedGroup.refersToASpecificFiniteField(group) && !crypto.hasDHAgreement())) 5143 { 5144 continue; 5145 } 5146 5147 return clientShare; 5148 } 5149 } 5150 return null; 5151 } 5152 selectKeyShareGroup(TlsCrypto crypto, ProtocolVersion negotiatedVersion, int[] clientSupportedGroups, int[] serverSupportedGroups)5153 static int selectKeyShareGroup(TlsCrypto crypto, ProtocolVersion negotiatedVersion, 5154 int[] clientSupportedGroups, int[] serverSupportedGroups) 5155 { 5156 if (!isNullOrEmpty(clientSupportedGroups) && !isNullOrEmpty(serverSupportedGroups)) 5157 { 5158 for (int i = 0; i < clientSupportedGroups.length; ++i) 5159 { 5160 int group = clientSupportedGroups[i]; 5161 5162 if (!NamedGroup.canBeNegotiated(group, negotiatedVersion)) 5163 { 5164 continue; 5165 } 5166 5167 if (!Arrays.contains(serverSupportedGroups, group)) 5168 { 5169 continue; 5170 } 5171 5172 if (!crypto.hasNamedGroup(group)) 5173 { 5174 continue; 5175 } 5176 5177 if ((NamedGroup.refersToASpecificCurve(group) && !crypto.hasECDHAgreement()) || 5178 (NamedGroup.refersToASpecificFiniteField(group) && !crypto.hasDHAgreement())) 5179 { 5180 continue; 5181 } 5182 5183 return group; 5184 } 5185 } 5186 return -1; 5187 } 5188 readEncryptedPMS(TlsContext context, InputStream input)5189 static byte[] readEncryptedPMS(TlsContext context, InputStream input) throws IOException 5190 { 5191 if (isSSL(context)) 5192 { 5193 return SSL3Utils.readEncryptedPMS(input); 5194 } 5195 5196 return readOpaque16(input); 5197 } 5198 writeEncryptedPMS(TlsContext context, byte[] encryptedPMS, OutputStream output)5199 static void writeEncryptedPMS(TlsContext context, byte[] encryptedPMS, OutputStream output) throws IOException 5200 { 5201 if (isSSL(context)) 5202 { 5203 SSL3Utils.writeEncryptedPMS(encryptedPMS, output); 5204 } 5205 else 5206 { 5207 writeOpaque16(encryptedPMS, output); 5208 } 5209 } 5210 getSessionID(TlsSession tlsSession)5211 static byte[] getSessionID(TlsSession tlsSession) 5212 { 5213 if (null != tlsSession) 5214 { 5215 byte[] sessionID = tlsSession.getSessionID(); 5216 if (null != sessionID 5217 && sessionID.length > 0 5218 && sessionID.length <= 32) 5219 { 5220 return sessionID; 5221 } 5222 } 5223 return EMPTY_BYTES; 5224 } 5225 adjustTranscriptForRetry(TlsHandshakeHash handshakeHash)5226 static void adjustTranscriptForRetry(TlsHandshakeHash handshakeHash) 5227 throws IOException 5228 { 5229 byte[] clientHelloHash = getCurrentPRFHash(handshakeHash); 5230 handshakeHash.reset(); 5231 5232 int length = clientHelloHash.length; 5233 checkUint8(length); 5234 5235 byte[] synthetic = new byte[4 + length]; 5236 writeUint8(HandshakeType.message_hash, synthetic, 0); 5237 writeUint24(length, synthetic, 1); 5238 System.arraycopy(clientHelloHash, 0, synthetic, 4, length); 5239 5240 handshakeHash.update(synthetic, 0, synthetic.length); 5241 } 5242 establishClientCredentials(TlsAuthentication clientAuthentication, CertificateRequest certificateRequest)5243 static TlsCredentials establishClientCredentials(TlsAuthentication clientAuthentication, 5244 CertificateRequest certificateRequest) throws IOException 5245 { 5246 return validateCredentials(clientAuthentication.getClientCredentials(certificateRequest)); 5247 } 5248 establish13ClientCredentials(TlsAuthentication clientAuthentication, CertificateRequest certificateRequest)5249 static TlsCredentialedSigner establish13ClientCredentials(TlsAuthentication clientAuthentication, 5250 CertificateRequest certificateRequest) throws IOException 5251 { 5252 return validate13Credentials(clientAuthentication.getClientCredentials(certificateRequest)); 5253 } 5254 establishClientSigAlgs(SecurityParameters securityParameters, Hashtable clientExtensions)5255 static void establishClientSigAlgs(SecurityParameters securityParameters, Hashtable clientExtensions) 5256 throws IOException 5257 { 5258 securityParameters.clientSigAlgs = TlsExtensionsUtils.getSignatureAlgorithmsExtension(clientExtensions); 5259 securityParameters.clientSigAlgsCert = TlsExtensionsUtils.getSignatureAlgorithmsCertExtension(clientExtensions); 5260 } 5261 establishServerCredentials(TlsServer server)5262 static TlsCredentials establishServerCredentials(TlsServer server) throws IOException 5263 { 5264 return validateCredentials(server.getCredentials()); 5265 } 5266 establish13ServerCredentials(TlsServer server)5267 static TlsCredentialedSigner establish13ServerCredentials(TlsServer server) throws IOException 5268 { 5269 return validate13Credentials(server.getCredentials()); 5270 } 5271 establishServerSigAlgs(SecurityParameters securityParameters, CertificateRequest certificateRequest)5272 static void establishServerSigAlgs(SecurityParameters securityParameters, CertificateRequest certificateRequest) 5273 throws IOException 5274 { 5275 securityParameters.clientCertTypes = certificateRequest.getCertificateTypes(); 5276 securityParameters.serverSigAlgs = certificateRequest.getSupportedSignatureAlgorithms(); 5277 securityParameters.serverSigAlgsCert = certificateRequest.getSupportedSignatureAlgorithmsCert(); 5278 5279 if (null == securityParameters.getServerSigAlgsCert()) 5280 { 5281 securityParameters.serverSigAlgsCert = securityParameters.getServerSigAlgs(); 5282 } 5283 } 5284 validateCredentials(TlsCredentials credentials)5285 static TlsCredentials validateCredentials(TlsCredentials credentials) throws IOException 5286 { 5287 if (null != credentials) 5288 { 5289 int count = 0; 5290 count += (credentials instanceof TlsCredentialedAgreement) ? 1 : 0; 5291 count += (credentials instanceof TlsCredentialedDecryptor) ? 1 : 0; 5292 count += (credentials instanceof TlsCredentialedSigner) ? 1 : 0; 5293 if (count != 1) 5294 { 5295 throw new TlsFatalAlert(AlertDescription.internal_error); 5296 } 5297 } 5298 return credentials; 5299 } 5300 validate13Credentials(TlsCredentials credentials)5301 static TlsCredentialedSigner validate13Credentials(TlsCredentials credentials) throws IOException 5302 { 5303 if (null == credentials) 5304 { 5305 return null; 5306 } 5307 if (!(credentials instanceof TlsCredentialedSigner)) 5308 { 5309 throw new TlsFatalAlert(AlertDescription.internal_error); 5310 } 5311 return (TlsCredentialedSigner)credentials; 5312 } 5313 negotiatedCipherSuite(SecurityParameters securityParameters, int cipherSuite)5314 static void negotiatedCipherSuite(SecurityParameters securityParameters, int cipherSuite) throws IOException 5315 { 5316 securityParameters.cipherSuite = cipherSuite; 5317 securityParameters.keyExchangeAlgorithm = getKeyExchangeAlgorithm(cipherSuite); 5318 5319 int prfAlgorithm = getPRFAlgorithm(securityParameters, cipherSuite); 5320 securityParameters.prfAlgorithm = prfAlgorithm; 5321 5322 switch (prfAlgorithm) 5323 { 5324 case PRFAlgorithm.ssl_prf_legacy: 5325 case PRFAlgorithm.tls_prf_legacy: 5326 { 5327 securityParameters.prfHashAlgorithm = -1; 5328 securityParameters.prfHashLength = -1; 5329 break; 5330 } 5331 default: 5332 { 5333 short prfHashAlgorithm = getHashAlgorithmForPRFAlgorithm(prfAlgorithm); 5334 5335 securityParameters.prfHashAlgorithm = prfHashAlgorithm; 5336 securityParameters.prfHashLength = HashAlgorithm.getOutputSize(prfHashAlgorithm); 5337 break; 5338 } 5339 } 5340 5341 /* 5342 * TODO[tls13] We're slowly moving towards negotiating cipherSuite THEN version. We could 5343 * move this to "after parameter negotiation" i.e. after ServerHello/EncryptedExtensions. 5344 */ 5345 ProtocolVersion negotiatedVersion = securityParameters.getNegotiatedVersion(); 5346 if (isTLSv13(negotiatedVersion)) 5347 { 5348 securityParameters.verifyDataLength = securityParameters.getPRFHashLength(); 5349 } 5350 else 5351 { 5352 securityParameters.verifyDataLength = negotiatedVersion.isSSL() ? 36 : 12; 5353 } 5354 } 5355 negotiatedVersion(SecurityParameters securityParameters)5356 static void negotiatedVersion(SecurityParameters securityParameters) throws IOException 5357 { 5358 if (!isSignatureAlgorithmsExtensionAllowed(securityParameters.getNegotiatedVersion())) 5359 { 5360 securityParameters.clientSigAlgs = null; 5361 securityParameters.clientSigAlgsCert = null; 5362 return; 5363 } 5364 5365 if (null == securityParameters.getClientSigAlgs()) 5366 { 5367 securityParameters.clientSigAlgs = getLegacySupportedSignatureAlgorithms(); 5368 } 5369 5370 if (null == securityParameters.getClientSigAlgsCert()) 5371 { 5372 securityParameters.clientSigAlgsCert = securityParameters.getClientSigAlgs(); 5373 } 5374 } 5375 negotiatedVersionDTLSClient(TlsClientContext clientContext, TlsClient client)5376 static void negotiatedVersionDTLSClient(TlsClientContext clientContext, TlsClient client) throws IOException 5377 { 5378 SecurityParameters securityParameters = clientContext.getSecurityParametersHandshake(); 5379 ProtocolVersion negotiatedVersion = securityParameters.getNegotiatedVersion(); 5380 5381 if (!ProtocolVersion.isSupportedDTLSVersionClient(negotiatedVersion)) 5382 { 5383 throw new TlsFatalAlert(AlertDescription.internal_error); 5384 } 5385 5386 negotiatedVersion(securityParameters); 5387 5388 client.notifyServerVersion(negotiatedVersion); 5389 } 5390 negotiatedVersionDTLSServer(TlsServerContext serverContext)5391 static void negotiatedVersionDTLSServer(TlsServerContext serverContext) throws IOException 5392 { 5393 SecurityParameters securityParameters = serverContext.getSecurityParametersHandshake(); 5394 ProtocolVersion negotiatedVersion = securityParameters.getNegotiatedVersion(); 5395 5396 if (!ProtocolVersion.isSupportedDTLSVersionServer(negotiatedVersion)) 5397 { 5398 throw new TlsFatalAlert(AlertDescription.internal_error); 5399 } 5400 5401 negotiatedVersion(securityParameters); 5402 } 5403 negotiatedVersionTLSClient(TlsClientContext clientContext, TlsClient client)5404 static void negotiatedVersionTLSClient(TlsClientContext clientContext, TlsClient client) throws IOException 5405 { 5406 SecurityParameters securityParameters = clientContext.getSecurityParametersHandshake(); 5407 ProtocolVersion negotiatedVersion = securityParameters.getNegotiatedVersion(); 5408 5409 if (!ProtocolVersion.isSupportedTLSVersionClient(negotiatedVersion)) 5410 { 5411 throw new TlsFatalAlert(AlertDescription.internal_error); 5412 } 5413 5414 negotiatedVersion(securityParameters); 5415 5416 client.notifyServerVersion(negotiatedVersion); 5417 } 5418 negotiatedVersionTLSServer(TlsServerContext serverContext)5419 static void negotiatedVersionTLSServer(TlsServerContext serverContext) throws IOException 5420 { 5421 SecurityParameters securityParameters = serverContext.getSecurityParametersHandshake(); 5422 ProtocolVersion negotiatedVersion = securityParameters.getNegotiatedVersion(); 5423 5424 if (!ProtocolVersion.isSupportedTLSVersionServer(negotiatedVersion)) 5425 { 5426 throw new TlsFatalAlert(AlertDescription.internal_error); 5427 } 5428 5429 negotiatedVersion(securityParameters); 5430 } 5431 deriveSecret(SecurityParameters securityParameters, TlsSecret secret, String label, byte[] transcriptHash)5432 static TlsSecret deriveSecret(SecurityParameters securityParameters, TlsSecret secret, String label, 5433 byte[] transcriptHash) throws IOException 5434 { 5435 return TlsCryptoUtils.hkdfExpandLabel(secret, securityParameters.getPRFHashAlgorithm(), label, transcriptHash, 5436 securityParameters.getPRFHashLength()); 5437 } 5438 getSessionMasterSecret(TlsCrypto crypto, TlsSecret masterSecret)5439 static TlsSecret getSessionMasterSecret(TlsCrypto crypto, TlsSecret masterSecret) 5440 { 5441 if (null != masterSecret) 5442 { 5443 synchronized (masterSecret) 5444 { 5445 if (masterSecret.isAlive()) 5446 { 5447 return crypto.adoptSecret(masterSecret); 5448 } 5449 } 5450 } 5451 5452 return null; 5453 } 5454 isPermittedExtensionType13(int handshakeType, int extensionType)5455 static boolean isPermittedExtensionType13(int handshakeType, int extensionType) 5456 { 5457 switch (extensionType) 5458 { 5459 case ExtensionType.server_name: 5460 case ExtensionType.max_fragment_length: 5461 case ExtensionType.supported_groups: 5462 case ExtensionType.use_srtp: 5463 case ExtensionType.heartbeat: 5464 case ExtensionType.application_layer_protocol_negotiation: 5465 case ExtensionType.client_certificate_type: 5466 case ExtensionType.server_certificate_type: 5467 { 5468 switch (handshakeType) 5469 { 5470 case HandshakeType.client_hello: 5471 case HandshakeType.encrypted_extensions: 5472 return true; 5473 default: 5474 return false; 5475 } 5476 } 5477 case ExtensionType.status_request: 5478 case ExtensionType.signed_certificate_timestamp: 5479 { 5480 switch (handshakeType) 5481 { 5482 case HandshakeType.client_hello: 5483 case HandshakeType.certificate_request: 5484 case HandshakeType.certificate: 5485 return true; 5486 default: 5487 return false; 5488 } 5489 } 5490 case ExtensionType.signature_algorithms: 5491 case ExtensionType.certificate_authorities: 5492 case ExtensionType.signature_algorithms_cert: 5493 { 5494 switch (handshakeType) 5495 { 5496 case HandshakeType.client_hello: 5497 case HandshakeType.certificate_request: 5498 return true; 5499 default: 5500 return false; 5501 } 5502 } 5503 case ExtensionType.padding: 5504 case ExtensionType.psk_key_exchange_modes: 5505 case ExtensionType.post_handshake_auth: 5506 { 5507 switch (handshakeType) 5508 { 5509 case HandshakeType.client_hello: 5510 return true; 5511 default: 5512 return false; 5513 } 5514 } 5515 case ExtensionType.key_share: 5516 case ExtensionType.supported_versions: 5517 { 5518 switch (handshakeType) 5519 { 5520 case HandshakeType.client_hello: 5521 case HandshakeType.server_hello: 5522 case HandshakeType.hello_retry_request: 5523 return true; 5524 default: 5525 return false; 5526 } 5527 } 5528 case ExtensionType.pre_shared_key: 5529 { 5530 switch (handshakeType) 5531 { 5532 case HandshakeType.client_hello: 5533 case HandshakeType.server_hello: 5534 return true; 5535 default: 5536 return false; 5537 } 5538 } 5539 case ExtensionType.early_data: 5540 { 5541 switch (handshakeType) 5542 { 5543 case HandshakeType.client_hello: 5544 case HandshakeType.encrypted_extensions: 5545 case HandshakeType.new_session_ticket: 5546 return true; 5547 default: 5548 return false; 5549 } 5550 } 5551 case ExtensionType.cookie: 5552 { 5553 switch (handshakeType) 5554 { 5555 case HandshakeType.client_hello: 5556 case HandshakeType.hello_retry_request: 5557 return true; 5558 default: 5559 return false; 5560 } 5561 } 5562 case ExtensionType.oid_filters: 5563 { 5564 switch (handshakeType) 5565 { 5566 case HandshakeType.certificate_request: 5567 return true; 5568 default: 5569 return false; 5570 } 5571 } 5572 default: 5573 { 5574 return !ExtensionType.isRecognized(extensionType); 5575 } 5576 } 5577 } 5578 checkExtensionData13(Hashtable extensions, int handshakeType, short alertDescription)5579 static void checkExtensionData13(Hashtable extensions, int handshakeType, short alertDescription) throws IOException 5580 { 5581 Enumeration e = extensions.keys(); 5582 while (e.hasMoreElements()) 5583 { 5584 Integer extensionType = (Integer)e.nextElement(); 5585 if (null == extensionType || !isPermittedExtensionType13(handshakeType, extensionType.intValue())) 5586 { 5587 throw new TlsFatalAlert(alertDescription, "Invalid extension: " + ExtensionType.getText(extensionType.intValue())); 5588 } 5589 } 5590 } 5591 } 5592