/*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/**
* ServerHandshaker does the protocol handshaking from the point
* of view of a server. It is driven asychronously by handshake messages
* as delivered by the parent Handshaker class, and also uses
* common functionality (e.g. key generation) that is provided there.
*
* @author David Brownell
*/
// is the server going to require the client to authenticate?
private byte doClientAuth;
// our authentication info
// flag to check for clientCertificateVerify message
private boolean needClientVerify = false;
/*
* For exportable ciphersuites using non-exportable key sizes, we use
* ephemeral RSA keys. We could also do anonymous RSA in the same way
* but there are no such ciphersuites currently defined.
*/
/*
* For anonymous and ephemeral Diffie-Hellman key exchange, we use
* ephemeral Diffie-Hellman keys.
*/
// Helper for ECDH based key exchanges
// version request by the client in its ClientHello
// we remember it for the RSA premaster secret version check
// the preferable signature algorithm used by ServerKeyExchange message
/*
* Constructor ... use the keys found in the auth context.
*/
boolean secureRenegotiation,
byte[] clientVerifyData, byte[] serverVerifyData) {
}
/*
* Constructor ... use the keys found in the auth context.
*/
boolean isInitialHandshake, boolean secureRenegotiation,
byte[] clientVerifyData, byte[] serverVerifyData) {
}
/*
* As long as handshaking has not started, we can change
* whether client authentication is required. Otherwise,
* we will need to wait for the next handshake.
*/
}
/*
* This routine handles all the server side handshake messages, one at
* a time. Given the message type (and in some cases the pending cipher
* spec) it parses the type-specific message. Then it calls a function
* that handles that specific message.
*
* It updates the state machine as each message is processed, and writes
* responses as needed using the connection in the constructor.
*/
throws IOException {
//
// In SSLv3 and TLS, messages follow strictly increasing
// numerical order _except_ for one annoying special case.
//
throw new SSLProtocolException(
"Handshake message sequence violation, state = " + state
+ ", type = " + type);
}
switch (type) {
/*
* send it off for processing.
*/
this.clientHello(ch);
break;
"client sent unsolicited cert chain");
// NOTREACHED
}
break;
switch (keyExchange) {
case K_RSA:
case K_RSA_EXPORT:
/*
* The client's pre-master secret is decrypted using
* either the server's normal private RSA key, or the
* temporary one used for non-export or signing-only
* certificates/keys.
*/
break;
case K_KRB5:
case K_KRB5_EXPORT:
preMasterSecret = this.clientKeyExchange(
kerberosKeys));
break;
case K_DHE_RSA:
case K_DHE_DSS:
case K_DH_ANON:
/*
* The pre-master secret is derived using the normal
* Diffie-Hellman calculation. Note that the main
* protocol difference in these five flavors is in how
* the ServerKeyExchange message was constructed!
*/
preMasterSecret = this.clientKeyExchange(
new DHClientKeyExchange(input));
break;
case K_ECDH_RSA:
case K_ECDH_ECDSA:
case K_ECDHE_RSA:
case K_ECDHE_ECDSA:
case K_ECDH_ANON:
preMasterSecret = this.clientKeyExchange
(new ECDHClientKeyExchange(input));
break;
default:
throw new SSLProtocolException
("Unrecognized key exchange: " + keyExchange);
}
//
// All keys are calculated from the premaster secret
// and the exchanged nonces in the same way.
//
break;
break;
case HandshakeMessage.ht_finished:
this.clientFinished(
break;
default:
throw new SSLProtocolException(
"Illegal server handshake msg, " + type);
}
//
// Move state machine forward if the message handling
// code didn't already do so
//
} else {
}
}
}
/*
* ClientHello presents the server with a bunch of options, to which the
* server replies with a ServerHello listing the ones which this session
* will use. If needed, it also writes its Certificate plus in some cases
* a ServerKeyExchange message. It may also write a CertificateRequest,
* to elicit a client certificate.
*
* All these messages are terminated by a ServerHelloDone message. In
* most cases, all this can be sent in a single Record.
*/
}
// Does the message include security renegotiation indication?
boolean renegotiationIndicated = false;
// check the TLS_EMPTY_RENEGOTIATION_INFO_SCSV
renegotiationIndicated = true;
if (isInitialHandshake) {
secureRenegotiation = true;
} else {
// abort the handshake with a fatal handshake_failure alert
if (secureRenegotiation) {
"The SCSV is present in a secure renegotiation");
} else {
"The SCSV is present in a insecure renegotiation");
}
}
}
// check the "renegotiation_info" extension
if (clientHelloRI != null) {
renegotiationIndicated = true;
if (isInitialHandshake) {
// verify the length of the "renegotiated_connection" field
if (!clientHelloRI.isEmpty()) {
// abort the handshake with a fatal handshake_failure alert
"The renegotiation_info field is not empty");
}
secureRenegotiation = true;
} else {
if (!secureRenegotiation) {
// unexpected RI extension for insecure renegotiation,
// abort the handshake with a fatal handshake_failure alert
"The renegotiation_info is present in a insecure " +
"renegotiation");
}
// verify the client_verify_data value
"Incorrect verify data in ClientHello " +
"renegotiation_info message");
}
}
} else if (!isInitialHandshake && secureRenegotiation) {
// if the connection's "secure_renegotiation" flag is set to TRUE
// and the "renegotiation_info" extension is not present, abort
// the handshake.
"Inconsistent secure renegotiation indication");
}
// if there is no security renegotiation indication or the previous
// handshake is insecure.
if (!renegotiationIndicated || !secureRenegotiation) {
if (isInitialHandshake) {
if (!allowLegacyHelloMessages) {
// abort the handshake with a fatal handshake_failure alert
"Failed to negotiate the use of secure renegotiation");
}
// continue with legacy ClientHello
"indication in ClientHello, allow legacy ClientHello");
}
} else if (!allowUnsafeRenegotiation) {
// abort the handshake
// response with a no_renegotiation warning,
// invalidate the handshake so that the caller can
// dispose this object.
invalidated = true;
// If there is still unread block in the handshake
// input stream, it would be truncated with the disposal
// and the next handshake message will become incomplete.
//
// handshake message could immediately follow ClientHello
// or HelloRequest. But in case of any improper messages,
// we'd better check to ensure there is no remaining bytes
// in the handshake input stream.
"ClientHello followed by an unexpected " +
"handshake message");
}
return;
} else {
// For SSLv3, send the handshake_failure fatal error.
// Note that SSLv3 does not define a no_renegotiation
// alert like TLSv1. However we cannot ignore the message
// simply, otherwise the other side was waiting for a
// response that would never come.
"Renegotiation is not allowed");
}
} else { // !isInitialHandshake && allowUnsafeRenegotiation
// continue with unsafe renegotiation.
"Warning: continue with insecure renegotiation");
}
}
}
/*
* Always make sure this entire record has been digested before we
* start emitting output, to ensure correct digesting order.
*/
/*
* FIRST, construct the ServerHello using the options and priorities
* from the ClientHello. Update the (pending) cipher spec as we do
* so, and save the client's version to protect against rollback
* attacks.
*
* There are a bunch of minor tasks here, and one major one: deciding
* if the short or the full handshake sequence will be used.
*/
// select a proper protocol version.
if (selectedVersion == null ||
"Client requested protocol " + clientRequestedVersion +
" not enabled or not supported");
}
//
// random ... save client and server values for later use
// in computing the master secret (from pre-master secret)
// and thence the other crypto keys.
//
// NOTE: this use of three inputs to generating _each_ set
// of ciphers slows things down, but it does increase the
// security since each connection in the session can hold
// its own authenticated (and strong) keys. One could make
// creation of a session a rare thing...
//
//
// Here we go down either of two paths: (a) the fast one, where
// the client's asked to rejoin an existing session, and the server
// permits this; (b) the other one, where a new session is created.
//
// client is trying to resume a session, let's see...
//
// Check if we can use the fast path, resuming a session. We
// can do so iff we have a valid record for that session, and
// the cipher suite for that session was on the list which the
// client requested, and if we're not forgetting any needed
// authentication on the part of the client.
//
if (resumingSession) {
// cannot resume session with different version
if (oldVersion != protocolVersion) {
resumingSession = false;
}
}
if (resumingSession &&
try {
} catch (SSLPeerUnverifiedException e) {
resumingSession = false;
}
}
// validate subject identity
if (resumingSession) {
try {
new PrivilegedExceptionAction<Subject>() {
return
}});
} catch (PrivilegedActionException e) {
" subject failed!");
}
}
// Eliminate dependency on KerberosPrincipal
resumingSession = false;
" is not the same");
}
} else {
" is same");
}
} else {
resumingSession = false;
" not present in the current Subject;" +
" check if " +
" javax.security.auth.useSubjectAsCreds" +
" system property has been set to false");
}
}
}
if (resumingSession) {
// verify that the ciphersuite from the cached session
// is in the list of client requested ciphersuites and
// we have it enabled
if ((isNegotiable(suite) == false) ||
resumingSession = false;
} else {
// everything looks ok, set the ciphersuite
// this should be done last when we are sure we
// will resume
}
}
if (resumingSession) {
}
}
}
} // else client did not try to resume
//
// If client hasn't specified a session we can resume, start a
// new one and choose its cipher suite and compression options.
// Unless new session creation is disabled for this connection!
//
if (!enableNewSession) {
throw new SSLException("Client did not resume a session");
}
// We only need to handle the "signature_algorithm" extension
// for full handshakes and TLS 1.2 or later.
throw new SSLHandshakeException(
"No peer supported signature algorithms");
}
if (supportedPeerSignAlgs.isEmpty()) {
throw new SSLHandshakeException(
"No supported signature and hash algorithm " +
"in common");
}
} // else, need to use peer implicit supported signature algs
}
getHostAddressSE(), getPortSE());
if (peerSupportedSignAlgs != null) {
} // else, we will set the implicit peer supported signature
// algorithms in chooseCipherSuite()
}
// set the handshake session
// choose cipher suite and corresponding private key
// chooseCompression(mesg);
} else {
// set the handshake session
}
if (resumingSession) {
}
}
if (secureRenegotiation) {
// For ServerHellos that are initial handshakes, then the
// "renegotiated_connection" field in "renegotiation_info"
// extension is of zero length.
//
// For ServerHellos that are renegotiating, this field contains
// the concatenation of client_verify_data and server_verify_data.
//
// Note that for initial handshakes, both the clientVerifyData
// variable and serverVerifyData variable are of zero length.
}
}
//
// If we are resuming a session, we finish writing handshake
// messages right now and then finish.
//
if (resumingSession) {
sendChangeCipherAndFinish(false);
return;
}
/*
* SECOND, write the server Certificate(s) if we need to.
*
* NOTE: while an "anonymous RSA" mode is explicitly allowed by
* the protocol, we can't support it since all of the SSL flavors
* defined in the protocol spec are explicitly stated to require
* using RSA certificates.
*/
// Server certificates are omitted for Kerberos ciphers
throw new RuntimeException("no certificates");
}
/*
* Set local certs in the SSLSession, output
* debug info, and then actually write to the client.
*/
}
// XXX has some side effects with OS TCP buffering,
// leave it out for now
// let client verify chain in the meantime...
// output.flush();
} else {
throw new RuntimeException("anonymous keyexchange with certs");
}
}
/*
* THIRD, the ServerKeyExchange message ... iff it's needed.
*
* It's usually needed unless there's an encryption-capable
* RSA cert, or a D-H cert. The notable exception is that
* exportable ciphers used with big RSA keys need to downgrade
*/
switch (keyExchange) {
case K_RSA:
case K_KRB5:
case K_KRB5_EXPORT:
// no server key exchange for RSA or KRB5 ciphersuites
break;
case K_RSA_EXPORT:
try {
m3 = new RSA_ServerKeyExchange(
} catch (GeneralSecurityException e) {
("Error generating RSA server key exchange", e);
}
} else {
// RSA_EXPORT with short key, don't need ServerKeyExchange
}
break;
case K_DHE_RSA:
case K_DHE_DSS:
try {
} catch (GeneralSecurityException e) {
throwSSLException("Error generating DH server key exchange", e);
}
break;
case K_DH_ANON:
break;
case K_ECDHE_RSA:
case K_ECDHE_ECDSA:
case K_ECDH_ANON:
try {
} catch (GeneralSecurityException e) {
"Error generating ECDH server key exchange", e);
}
break;
case K_ECDH_RSA:
case K_ECDH_ECDSA:
// ServerKeyExchange not used for fixed ECDH
break;
default:
}
}
}
//
// FOURTH, the CertificateRequest message. The details of
// the message can be affected by the key exchange algorithm
// in use. For example, certs with fixed Diffie-Hellman keys
// are only useful with the DH_DSS and DH_RSA key exchange
// algorithms.
//
// Needed only if server requires client to authenticate self.
// Illegal for anonymous flavors, so we need to check that.
//
// CertificateRequest is omitted for Kerberos ciphers
// We currently use all local upported signature and hash
// algorithms. However, to minimize the computation cost
// of requested hash algorithms, we may use a restricted
// set of signature algorithms in the future.
if (localSignAlgs.isEmpty()) {
throw new SSLHandshakeException(
"No supported signature algorithm");
}
if (localHashAlgs.isEmpty()) {
throw new SSLHandshakeException(
"No supported signature algorithm");
}
}
}
} else {
}
}
/*
* FIFTH, say ServerHelloDone.
*/
}
/*
* Flush any buffered messages so the client will see them.
* Ideally, all the messages above go in a single network level
* message to the client. Without big Certificate chains, it's
* going to be the common case.
*/
}
/*
* Choose cipher suite from among those supported by client. Sets
* the cipherSuite and keyExchange variables.
*/
if (isNegotiable(suite) == false) {
continue;
}
continue;
}
}
if (trySetCipherSuite(suite) == false) {
continue;
}
return;
}
"no cipher suites in common");
}
/**
* Set the given CipherSuite, if possible. Return the result.
* The call succeeds if the CipherSuite is available and we have
* the necessary certificates to complete the handshake. We don't
* check if the CipherSuite is actually enabled.
*
* If successful, this method also generates ephemeral keys if
* required for this ciphersuite. This may take some time, so this
* method should only be called if you really want to use the
* CipherSuite.
*
* This method is called from chooseCipherSuite() in this class.
*/
/*
* If we're resuming a session we know we can
* support this key exchange algorithm and in fact
* have already cached the result of it in
* the session state.
*/
if (resumingSession) {
return true;
}
if (suite.isNegotiable() == false) {
return false;
}
// must not negotiate the obsoleted weak cipher suites.
return false;
}
// must not negotiate unsupported cipher suites.
return false;
}
// null out any existing references
privateKey = null;
if (peerSupportedSignAlgs != null) {
} else {
// we may optimize the performance
switch (keyExchange) {
// If the negotiated key exchange algorithm is one of
// (RSA, DHE_RSA, DH_RSA, RSA_PSK, ECDH_RSA, ECDHE_RSA),
// behave as if client had sent the value {sha1,rsa}.
case K_RSA:
case K_DHE_RSA:
case K_DH_RSA:
// case K_RSA_PSK:
case K_ECDH_RSA:
case K_ECDHE_RSA:
break;
// If the negotiated key exchange algorithm is one of
// (DHE_DSS, DH_DSS), behave as if the client had
// sent the value {sha1,dsa}.
case K_DHE_DSS:
case K_DH_DSS:
break;
// If the negotiated key exchange algorithm is one of
// (ECDH_ECDSA, ECDHE_ECDSA), behave as if the client
// had sent value {sha1,ecdsa}.
case K_ECDH_ECDSA:
case K_ECDHE_ECDSA:
break;
default:
// no peer supported signature algorithms
}
} else {
}
// Sets the peer supported signature algorithm to use in KM
// temporarily.
}
}
switch (keyExchange) {
case K_RSA:
// need RSA certs for authentication
if (setupPrivateKeyAndChain("RSA") == false) {
return false;
}
break;
case K_RSA_EXPORT:
// need RSA certs for authentication
if (setupPrivateKeyAndChain("RSA") == false) {
return false;
}
try {
return false;
}
}
} catch (RuntimeException e) {
// could not determine keylength, ignore key
return false;
}
break;
case K_DHE_RSA:
// need RSA certs for authentication
if (setupPrivateKeyAndChain("RSA") == false) {
return false;
}
// get preferable peer signature algorithm for server key exchange
if (preferableSignatureAlgorithm == null) {
return false;
}
}
break;
case K_ECDHE_RSA:
// need RSA certs for authentication
if (setupPrivateKeyAndChain("RSA") == false) {
return false;
}
// get preferable peer signature algorithm for server key exchange
if (preferableSignatureAlgorithm == null) {
return false;
}
}
if (setupEphemeralECDHKeys() == false) {
return false;
}
break;
case K_DHE_DSS:
// get preferable peer signature algorithm for server key exchange
supportedSignAlgs, "DSA");
if (preferableSignatureAlgorithm == null) {
return false;
}
}
// need DSS certs for authentication
if (setupPrivateKeyAndChain("DSA") == false) {
return false;
}
break;
case K_ECDHE_ECDSA:
// get preferable peer signature algorithm for server key exchange
supportedSignAlgs, "ECDSA");
if (preferableSignatureAlgorithm == null) {
return false;
}
}
// need EC cert signed using EC
if (setupPrivateKeyAndChain("EC_EC") == false) {
return false;
}
if (setupEphemeralECDHKeys() == false) {
return false;
}
break;
case K_ECDH_RSA:
// need EC cert signed using RSA
if (setupPrivateKeyAndChain("EC_RSA") == false) {
return false;
}
break;
case K_ECDH_ECDSA:
// need EC cert signed using EC
if (setupPrivateKeyAndChain("EC_EC") == false) {
return false;
}
break;
case K_KRB5:
case K_KRB5_EXPORT:
// need Kerberos Key
if (!setupKerberosKeys()) {
return false;
}
break;
case K_DH_ANON:
// no certs needed for anonymous
break;
case K_ECDH_ANON:
// no certs needed for anonymous
if (setupEphemeralECDHKeys() == false) {
return false;
}
break;
default:
// internal error, unknown key exchange
}
// set the peer implicit supported signature algorithms
if (peerSupportedSignAlgs == null) {
// we had alreay update the session
}
}
return true;
}
/*
* Get some "ephemeral" RSA keys for this context. This means
* generating them if it's not already been done.
*
* Note that we currently do not implement any ciphersuites that use
* strong ephemeral RSA. (We do not support the EXPORT1024 ciphersuites
* and standard RSA ciphersuites prohibit ephemeral mode for some reason)
* This means that export is always true and 512 bit keys are generated.
*/
return false;
} else {
return true;
}
}
/*
* Acquire some "ephemeral" Diffie-Hellman keys for this handshake.
* We don't reuse these, for improved forward secrecy.
*/
/*
* Diffie-Hellman keys ... we use 768 bit private keys due
* to the "use twice as many key bits as bits you want secret"
* rule of thumb, assuming we want the same size premaster
* secret with Diffie-Hellman and RSA key exchanges. Except
* that exportable ciphers max out at 512 bits modulus values.
*/
}
// Setup the ephemeral ECDH parameters.
// If we cannot continue because we do not support any of the curves that
// the client requested, return false. Otherwise (all is well), return true.
private boolean setupEphemeralECDHKeys() {
int index = -1;
if (supportedCurves != null) {
// if the client sent the supported curves extension, pick the
// first one that we support;
break;
}
}
if (index < 0) {
// no match found, cannot use this ciphersuite
return false;
}
} else {
// pick our preference
}
return true;
}
private void setupStaticECDHKeys() {
// don't need to check whether the curve is supported, already done
// in setupPrivateKeyAndChain().
}
/**
* Retrieve the server key and certificate for the specified algorithm
* from the KeyManager and set the instance variables.
*
* @return true if successful, false if not available or invalid
*/
} else {
}
return false;
}
if (tempPrivateKey == null) {
return false;
}
return false;
}
return false;
}
// For ECC certs, check whether we support the EC domain parameters.
// If the client sent a SupportedEllipticCurves ClientHello extension,
// check against that too.
if (publicKey instanceof ECPublicKey == false) {
return false;
}
return false;
}
return false;
}
}
this.privateKey = tempPrivateKey;
return true;
}
/**
* Retrieve the Kerberos key for the specified server principal
* from the JAAS configuration file.
*
* @return true if successful, false if not available or invalid
*/
private boolean setupKerberosKeys() {
if (kerberosKeys != null) {
return true;
}
try {
// Eliminate dependency on KerberosKey
new PrivilegedExceptionAction<SecretKey[]>() {
// get kerberos key for the default principal
}});
// check permission to access and use the secret key of the
// Kerberized "host" service
for (SecretKey k: kerberosKeys) {
k);
}
}
try {
// Eliminate dependency on ServicePermission
}
} catch (SecurityException se) {
kerberosKeys = null;
// %%% destroy keys? or will that affect Subject?
+ " secret key denied");
return false;
}
}
} catch (PrivilegedActionException e) {
// Likely exception here is LoginExceptin
+ e.toString());
}
return false;
}
}
/*
* For Kerberos ciphers, the premaster secret is encrypted using
* the session key. See RFC 2712.
*/
throws IOException {
}
// Record the principals involved in exchange
byte[] b = mesg.getUnencryptedPreMasterSecret();
return new SecretKeySpec(b, "TlsPremasterSecret");
}
/*
* Diffie Hellman key exchange is used when the server presented
* or else the server presented no certificate but sent D-H params
* in a ServerKeyExchange message. Use of D-H is specified by the
* cipher suite chosen.
*
* The message optionally contains the client's D-H public key (if
* it wasn't not sent in a client certificate). As always with D-H,
* if a client and a server have each other's D-H public keys and
* they use common algorithm parameters, they have a shared key
* that's derived via the D-H calculation. That key becomes the
* pre-master secret.
*/
throws IOException {
}
}
throws IOException {
}
}
/*
* Client wrote a message to verify the certificate it sent earlier.
*
* Note that this certificate isn't involved in key exchange. Client
* authentication messages are included in the checksums used to
* validate the handshake (e.g. Finished messages). Other than that,
* the _exact_ identity of the client is less fundamental to protocol
* security than its role in selecting keys via the pre-master secret.
*/
throws IOException {
}
throw new SSLHandshakeException(
"Illegal CertificateVerify message");
}
throw new SSLHandshakeException(
"No supported hash algorithm");
}
}
try {
if (valid == false) {
"certificate verify message signature error");
}
} catch (GeneralSecurityException e) {
"certificate verify format error", e);
}
// reset the flag for clientCertificateVerify message
needClientVerify = false;
}
/*
* Client writes "finished" at the end of its handshake, after cipher
* spec is changed. We verify it and then send ours.
*
* When we're resuming a session, we'll have already sent our own
* Finished message so just the verification is needed.
*/
}
/*
* Verify if client did send the certificate when client
* authentication was required, otherwise server should not proceed
*/
// get X500Principal of the end-entity certificate for X509-based
// ciphersuites, or Kerberos principal for Kerberos ciphersuites
}
/*
* Verify if client did send clientCertificateVerify message following
* the client Certificate, otherwise server should not proceed
*/
if (needClientVerify) {
"client did not send certificate verify message");
}
/*
* Verify the client's message with the "before" digest of messages,
* and forget about continuing to use that digest.
*/
if (!verified) {
"client 'finished' message doesn't verify");
// NOTREACHED
}
/*
* save client verify data for secure renegotiation
*/
if (secureRenegotiation) {
}
/*
* OK, it verified. If we're doing the full handshake, add that
* "Finished" message to the hash of handshake messages, then send
* the change_cipher_spec and Finished message.
*/
if (!resumingSession) {
sendChangeCipherAndFinish(true);
}
/*
* Update the session cache only after the handshake completed, else
* we're open to an attack against a partially completed handshake.
*/
"%% Cached server session: " + session);
}
} else if (!resumingSession &&
"%% Didn't cache non-resumable server session: "
+ session);
}
}
/*
* Compute finished message with the "server" digest (and then forget
* about that digest, it can't be used again).
*/
throws IOException {
/*
* Send the change_cipher_spec record; then our Finished handshake
* message will be the last handshake message. Flush, and now we
* are ready for application data!!
*/
/*
* save server verify data for secure renegotiation
*/
if (secureRenegotiation) {
}
/*
* Update state machine so client MUST send 'finished' next
* The update should only take place if it is not in the fast
* handshake mode since the server has to wait for a finished
* message from the client.
*/
if (finishedTag) {
}
}
/*
* Returns a HelloRequest message to kickstart renegotiations
*/
return new HelloRequest();
}
/*
* Fault detected during handshake.
*/
+ message);
}
/*
* It's ok to get a no_certificate alert from a client of which
* we *requested* authentication information.
* However, if we *required* it, then this is not acceptable.
*
* Anyone calling getPeerCertificates() on the
* session will get an SSLPeerUnverifiedException.
*/
return;
}
}
/*
* RSA key exchange is normally used. The client encrypts a "pre-master
* secret" with the server's public key, from the Certificate (or else
* ServerKeyExchange) message that was sent to it by the server. That's
* decrypted using the private key before we get here.
*/
throws IOException {
}
}
/*
* Verify the certificate sent by the client. We'll only get one if we
* sent a CertificateRequest to request client authentication. If we
* are in TLS mode, the client may send a message with no certificates
* to indicate it does not have an appropriate chain. (In SSLv3 mode,
* it would send a no certificate alert).
*/
}
/*
* If the client authentication is only *REQUESTED* (e.g.
* not *REQUIRED*, this is an acceptable condition.)
*/
// Smart (aka stupid) to forecast that no CertificateVerify
// message will be received.
}
return;
} else {
"null cert chain");
}
}
// ask the trust manager to verify the chain
try {
// find out the types of client authentication used
authType = "RSA";
authType = "DSA";
authType = "EC";
} else {
// unknown public key type
authType = "UNKNOWN";
}
if (tm instanceof X509ExtendedTrustManager) {
conn);
} else {
engine);
}
} else {
// Unlikely to happen, because we have wrapped the old
// X509TrustManager with the new X509ExtendedTrustManager.
throw new CertificateException(
"Improper X509TrustManager implementation");
}
} catch (CertificateException e) {
// This will throw an exception, so include the original error.
}
// set the flag for clientCertificateVerify message
needClientVerify = true;
}
}