/* * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. Oracle designates this * particular file as subject to the "Classpath" exception as provided * by Oracle in the LICENSE file that accompanied this code. * * This code is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * version 2 for more details (a copy is included in the LICENSE file that * accompanied this code). * * You should have received a copy of the GNU General Public License version * 2 along with this work; if not, write to the Free Software Foundation, * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. * * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA * or visit www.oracle.com if you need additional information or have any * questions. */ package com.sun.crypto.provider; import java.util.Arrays; import java.security.*; import java.security.spec.AlgorithmParameterSpec; import javax.crypto.*; import javax.crypto.spec.SecretKeySpec; import sun.security.internal.spec.TlsPrfParameterSpec; /** * KeyGenerator implementation for the TLS PRF function. *
* This class duplicates the HMAC functionality (RFC 2104) with * performance optimizations (e.g. XOR'ing keys with padding doesn't * need to be redone for each HMAC operation). * * @author Andreas Sterbenz * @since 1.6 */ abstract class TlsPrfGenerator extends KeyGeneratorSpi { // magic constants and utility functions, also used by other files // in this package private final static byte[] B0 = new byte[0]; final static byte[] LABEL_MASTER_SECRET = // "master secret" { 109, 97, 115, 116, 101, 114, 32, 115, 101, 99, 114, 101, 116 }; final static byte[] LABEL_KEY_EXPANSION = // "key expansion" { 107, 101, 121, 32, 101, 120, 112, 97, 110, 115, 105, 111, 110 }; final static byte[] LABEL_CLIENT_WRITE_KEY = // "client write key" { 99, 108, 105, 101, 110, 116, 32, 119, 114, 105, 116, 101, 32, 107, 101, 121 }; final static byte[] LABEL_SERVER_WRITE_KEY = // "server write key" { 115, 101, 114, 118, 101, 114, 32, 119, 114, 105, 116, 101, 32, 107, 101, 121 }; final static byte[] LABEL_IV_BLOCK = // "IV block" { 73, 86, 32, 98, 108, 111, 99, 107 }; /* * TLS HMAC "inner" and "outer" padding. This isn't a function * of the digest algorithm. */ private static final byte[] HMAC_ipad64 = genPad((byte)0x36, 64); private static final byte[] HMAC_ipad128 = genPad((byte)0x36, 128); private static final byte[] HMAC_opad64 = genPad((byte)0x5c, 64); private static final byte[] HMAC_opad128 = genPad((byte)0x5c, 128); // SSL3 magic mix constants ("A", "BB", "CCC", ...) final static byte[][] SSL3_CONST = genConst(); static byte[] genPad(byte b, int count) { byte[] padding = new byte[count]; Arrays.fill(padding, b); return padding; } static byte[] concat(byte[] b1, byte[] b2) { int n1 = b1.length; int n2 = b2.length; byte[] b = new byte[n1 + n2]; System.arraycopy(b1, 0, b, 0, n1); System.arraycopy(b2, 0, b, n1, n2); return b; } private static byte[][] genConst() { int n = 10; byte[][] arr = new byte[n][]; for (int i = 0; i < n; i++) { byte[] b = new byte[i + 1]; Arrays.fill(b, (byte)('A' + i)); arr[i] = b; } return arr; } // PRF implementation private final static String MSG = "TlsPrfGenerator must be " + "initialized using a TlsPrfParameterSpec"; private TlsPrfParameterSpec spec; public TlsPrfGenerator() { } protected void engineInit(SecureRandom random) { throw new InvalidParameterException(MSG); } protected void engineInit(AlgorithmParameterSpec params, SecureRandom random) throws InvalidAlgorithmParameterException { if (params instanceof TlsPrfParameterSpec == false) { throw new InvalidAlgorithmParameterException(MSG); } this.spec = (TlsPrfParameterSpec)params; SecretKey key = spec.getSecret(); if ((key != null) && ("RAW".equals(key.getFormat()) == false)) { throw new InvalidAlgorithmParameterException( "Key encoding format must be RAW"); } } protected void engineInit(int keysize, SecureRandom random) { throw new InvalidParameterException(MSG); } SecretKey engineGenerateKey0(boolean tls12) { if (spec == null) { throw new IllegalStateException( "TlsPrfGenerator must be initialized"); } SecretKey key = spec.getSecret(); byte[] secret = (key == null) ? null : key.getEncoded(); try { byte[] labelBytes = spec.getLabel().getBytes("UTF8"); int n = spec.getOutputLength(); byte[] prfBytes = (tls12 ? doTLS12PRF(secret, labelBytes, spec.getSeed(), n, spec.getPRFHashAlg(), spec.getPRFHashLength(), spec.getPRFBlockSize()) : doTLS10PRF(secret, labelBytes, spec.getSeed(), n)); return new SecretKeySpec(prfBytes, "TlsPrf"); } catch (GeneralSecurityException e) { throw new ProviderException("Could not generate PRF", e); } catch (java.io.UnsupportedEncodingException e) { throw new ProviderException("Could not generate PRF", e); } } static byte[] doTLS12PRF(byte[] secret, byte[] labelBytes, byte[] seed, int outputLength, String prfHash, int prfHashLength, int prfBlockSize) throws NoSuchAlgorithmException, DigestException { if (prfHash == null) { throw new NoSuchAlgorithmException("Unspecified PRF algorithm"); } MessageDigest prfMD = MessageDigest.getInstance(prfHash); return doTLS12PRF(secret, labelBytes, seed, outputLength, prfMD, prfHashLength, prfBlockSize); } static byte[] doTLS12PRF(byte[] secret, byte[] labelBytes, byte[] seed, int outputLength, MessageDigest mdPRF, int mdPRFLen, int mdPRFBlockSize) throws DigestException { if (secret == null) { secret = B0; } // If we have a long secret, digest it first. if (secret.length > mdPRFBlockSize) { secret = mdPRF.digest(secret); } byte[] output = new byte[outputLength]; byte [] ipad; byte [] opad; switch (mdPRFBlockSize) { case 64: ipad = HMAC_ipad64.clone(); opad = HMAC_opad64.clone(); break; case 128: ipad = HMAC_ipad128.clone(); opad = HMAC_opad128.clone(); break; default: throw new DigestException("Unexpected block size."); } // P_HASH(Secret, label + seed) expand(mdPRF, mdPRFLen, secret, 0, secret.length, labelBytes, seed, output, ipad, opad); return output; } static byte[] doTLS10PRF(byte[] secret, byte[] labelBytes, byte[] seed, int outputLength) throws NoSuchAlgorithmException, DigestException { MessageDigest md5 = MessageDigest.getInstance("MD5"); MessageDigest sha = MessageDigest.getInstance("SHA1"); return doTLS10PRF(secret, labelBytes, seed, outputLength, md5, sha); } static byte[] doTLS10PRF(byte[] secret, byte[] labelBytes, byte[] seed, int outputLength, MessageDigest md5, MessageDigest sha) throws DigestException { /* * Split the secret into two halves S1 and S2 of same length. * S1 is taken from the first half of the secret, S2 from the * second half. * Their length is created by rounding up the length of the * overall secret divided by two; thus, if the original secret * is an odd number of bytes long, the last byte of S1 will be * the same as the first byte of S2. * * Note: Instead of creating S1 and S2, we determine the offset into * the overall secret where S2 starts. */ if (secret == null) { secret = B0; } int off = secret.length >> 1; int seclen = off + (secret.length & 1); byte[] output = new byte[outputLength]; // P_MD5(S1, label + seed) expand(md5, 16, secret, 0, seclen, labelBytes, seed, output, HMAC_ipad64.clone(), HMAC_opad64.clone()); // P_SHA-1(S2, label + seed) expand(sha, 20, secret, off, seclen, labelBytes, seed, output, HMAC_ipad64.clone(), HMAC_opad64.clone()); return output; } /* * @param digest the MessageDigest to produce the HMAC * @param hmacSize the HMAC size * @param secret the secret * @param secOff the offset into the secret * @param secLen the secret length * @param label the label * @param seed the seed * @param output the output array */ private static void expand(MessageDigest digest, int hmacSize, byte[] secret, int secOff, int secLen, byte[] label, byte[] seed, byte[] output, byte[] pad1, byte[] pad2) throws DigestException { /* * modify the padding used, by XORing the key into our copy of that * padding. That's to avoid doing that for each HMAC computation. */ for (int i = 0; i < secLen; i++) { pad1[i] ^= secret[i + secOff]; pad2[i] ^= secret[i + secOff]; } byte[] tmp = new byte[hmacSize]; byte[] aBytes = null; /* * compute: * * P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) + * HMAC_hash(secret, A(2) + seed) + * HMAC_hash(secret, A(3) + seed) + ... * A() is defined as: * * A(0) = seed * A(i) = HMAC_hash(secret, A(i-1)) */ int remaining = output.length; int ofs = 0; while (remaining > 0) { /* * compute A() ... */ // inner digest digest.update(pad1); if (aBytes == null) { digest.update(label); digest.update(seed); } else { digest.update(aBytes); } digest.digest(tmp, 0, hmacSize); // outer digest digest.update(pad2); digest.update(tmp); if (aBytes == null) { aBytes = new byte[hmacSize]; } digest.digest(aBytes, 0, hmacSize); /* * compute HMAC_hash() ... */ // inner digest digest.update(pad1); digest.update(aBytes); digest.update(label); digest.update(seed); digest.digest(tmp, 0, hmacSize); // outer digest digest.update(pad2); digest.update(tmp); digest.digest(tmp, 0, hmacSize); int k = Math.min(hmacSize, remaining); for (int i = 0; i < k; i++) { output[ofs++] ^= tmp[i]; } remaining -= k; } } /** * A KeyGenerator implementation that supports TLS 1.2. *
* TLS 1.2 uses a different hash algorithm than 1.0/1.1 for the PRF * calculations. As of 2010, there is no PKCS11-level support for TLS * 1.2 PRF calculations, and no known OS's have an internal variant * we could use. Therefore for TLS 1.2, we are updating JSSE to request * a different provider algorithm: "SunTls12Prf". If we reused the * name "SunTlsPrf", the PKCS11 provider would need be updated to * fail correctly when presented with the wrong version number * (via Provider.Service.supportsParameters()), and add the * appropriate supportsParamters() checks into KeyGenerators (not * currently there). */ static public class V12 extends TlsPrfGenerator { protected SecretKey engineGenerateKey() { return engineGenerateKey0(true); } } /** * A KeyGenerator implementation that supports TLS 1.0/1.1. */ static public class V10 extends TlsPrfGenerator { protected SecretKey engineGenerateKey() { return engineGenerateKey0(false); } } }