1 /*
2  * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4  *
5  * This code is free software; you can redistribute it and/or modify it
6  * under the terms of the GNU General Public License version 2 only, as
7  * published by the Free Software Foundation.  Oracle designates this
8  * particular file as subject to the "Classpath" exception as provided
9  * by Oracle in the LICENSE file that accompanied this code.
10  *
11  * This code is distributed in the hope that it will be useful, but WITHOUT
12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
14  * version 2 for more details (a copy is included in the LICENSE file that
15  * accompanied this code).
16  *
17  * You should have received a copy of the GNU General Public License version
18  * 2 along with this work; if not, write to the Free Software Foundation,
19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20  *
21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22  * or visit www.oracle.com if you need additional information or have any
23  * questions.
24  */
25 package sun.security.ssl;
26 
27 import javax.crypto.KeyAgreement;
28 import javax.crypto.SecretKey;
29 import javax.crypto.spec.SecretKeySpec;
30 import javax.net.ssl.SSLHandshakeException;
31 import java.io.IOException;
32 import java.security.GeneralSecurityException;
33 import java.security.PrivateKey;
34 import java.security.PublicKey;
35 import java.security.spec.AlgorithmParameterSpec;
36 
37 /**
38  * A common class for creating various KeyDerivation types.
39  */
40 public class KAKeyDerivation implements SSLKeyDerivation {
41 
42     private final String algorithmName;
43     private final HandshakeContext context;
44     private final PrivateKey localPrivateKey;
45     private final PublicKey peerPublicKey;
46 
KAKeyDerivation(String algorithmName, HandshakeContext context, PrivateKey localPrivateKey, PublicKey peerPublicKey)47     KAKeyDerivation(String algorithmName,
48             HandshakeContext context,
49             PrivateKey localPrivateKey,
50             PublicKey peerPublicKey) {
51         this.algorithmName = algorithmName;
52         this.context = context;
53         this.localPrivateKey = localPrivateKey;
54         this.peerPublicKey = peerPublicKey;
55     }
56 
57     @Override
deriveKey(String algorithm, AlgorithmParameterSpec params)58     public SecretKey deriveKey(String algorithm,
59             AlgorithmParameterSpec params) throws IOException {
60         if (!context.negotiatedProtocol.useTLS13PlusSpec()) {
61             return t12DeriveKey(algorithm, params);
62         } else {
63             return t13DeriveKey(algorithm, params);
64         }
65     }
66 
67     /**
68      * Handle the TLSv1-1.2 objects, which don't use the HKDF algorithms.
69      */
t12DeriveKey(String algorithm, AlgorithmParameterSpec params)70     private SecretKey t12DeriveKey(String algorithm,
71             AlgorithmParameterSpec params) throws IOException {
72         try {
73             KeyAgreement ka = KeyAgreement.getInstance(algorithmName);
74             ka.init(localPrivateKey);
75             ka.doPhase(peerPublicKey, true);
76             SecretKey preMasterSecret
77                     = ka.generateSecret("TlsPremasterSecret");
78             SSLMasterKeyDerivation mskd
79                     = SSLMasterKeyDerivation.valueOf(
80                             context.negotiatedProtocol);
81             if (mskd == null) {
82                 // unlikely
83                 throw new SSLHandshakeException(
84                         "No expected master key derivation for protocol: "
85                         + context.negotiatedProtocol.name);
86             }
87             SSLKeyDerivation kd = mskd.createKeyDerivation(
88                     context, preMasterSecret);
89             return kd.deriveKey("MasterSecret", params);
90         } catch (GeneralSecurityException gse) {
91             throw (SSLHandshakeException) new SSLHandshakeException(
92                     "Could not generate secret").initCause(gse);
93         }
94     }
95 
96     /**
97      * Handle the TLSv1.3 objects, which use the HKDF algorithms.
98      */
t13DeriveKey(String algorithm, AlgorithmParameterSpec params)99     private SecretKey t13DeriveKey(String algorithm,
100             AlgorithmParameterSpec params) throws IOException {
101         try {
102             KeyAgreement ka = KeyAgreement.getInstance(algorithmName);
103             ka.init(localPrivateKey);
104             ka.doPhase(peerPublicKey, true);
105             SecretKey sharedSecret
106                     = ka.generateSecret("TlsPremasterSecret");
107 
108             CipherSuite.HashAlg hashAlg = context.negotiatedCipherSuite.hashAlg;
109             SSLKeyDerivation kd = context.handshakeKeyDerivation;
110             HKDF hkdf = new HKDF(hashAlg.name);
111             if (kd == null) {   // No PSK is in use.
112                 // If PSK is not in use Early Secret will still be
113                 // HKDF-Extract(0, 0).
114                 byte[] zeros = new byte[hashAlg.hashLength];
115                 SecretKeySpec ikm
116                         = new SecretKeySpec(zeros, "TlsPreSharedSecret");
117                 SecretKey earlySecret
118                         = hkdf.extract(zeros, ikm, "TlsEarlySecret");
119                 kd = new SSLSecretDerivation(context, earlySecret);
120             }
121 
122             // derive salt secret
123             SecretKey saltSecret = kd.deriveKey("TlsSaltSecret", null);
124 
125             // derive handshake secret
126             return hkdf.extract(saltSecret, sharedSecret, algorithm);
127         } catch (GeneralSecurityException gse) {
128             throw (SSLHandshakeException) new SSLHandshakeException(
129                     "Could not generate secret").initCause(gse);
130         }
131     }
132 }
133