1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
|
/*
* Copyright (c) 2021, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
//
// SunJSSE does not support dynamic system properties, no way to re-use
// system properties in samevm/agentvm mode.
//
/*
* @test
* @bug 8255867
* @summary SignatureScheme JSSE property does not preserve ordering in handshake messages
* @library /javax/net/ssl/templates
* @run main/othervm SigSchemePropOrdering
*/
import java.nio.ByteBuffer;
import java.util.*;
import java.util.AbstractMap.SimpleImmutableEntry;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
public class SigSchemePropOrdering extends SSLEngineTemplate {
// Helper map to correlate integral SignatureScheme identifiers to
// their IANA string name counterparts.
static final Map<Integer, String> sigSchemeMap = Map.ofEntries(
new SimpleImmutableEntry(0x0401, "rsa_pkcs1_sha256"),
new SimpleImmutableEntry(0x0501, "rsa_pkcs1_sha384"),
new SimpleImmutableEntry(0x0601, "rsa_pkcs1_sha512"),
new SimpleImmutableEntry(0x0403, "ecdsa_secp256r1_sha256"),
new SimpleImmutableEntry(0x0503, "ecdsa_secp384r1_sha384"),
new SimpleImmutableEntry(0x0603, "ecdsa_secp521r1_sha512"),
new SimpleImmutableEntry(0x0804, "rsa_pss_rsae_sha256"),
new SimpleImmutableEntry(0x0805, "rsa_pss_rsae_sha384"),
new SimpleImmutableEntry(0x0806, "rsa_pss_rsae_sha512"),
new SimpleImmutableEntry(0x0807, "ed25519"),
new SimpleImmutableEntry(0x0808, "ed448"),
new SimpleImmutableEntry(0x0809, "rsa_pss_pss_sha256"),
new SimpleImmutableEntry(0x080a, "rsa_pss_pss_sha384"),
new SimpleImmutableEntry(0x080b, "rsa_pss_pss_sha512"),
new SimpleImmutableEntry(0x0101, "rsa_md5"),
new SimpleImmutableEntry(0x0201, "rsa_pkcs1_sha1"),
new SimpleImmutableEntry(0x0202, "dsa_sha1"),
new SimpleImmutableEntry(0x0203, "ecdsa_sha1"),
new SimpleImmutableEntry(0x0301, "rsa_sha224"),
new SimpleImmutableEntry(0x0302, "dsa_sha224"),
new SimpleImmutableEntry(0x0303, "ecdsa_sha224"),
new SimpleImmutableEntry(0x0402, "rsa_pkcs1_sha256"));
// Other useful TLS definitions for these tests
private static final int TLS_HS_CLI_HELLO = 1;
private static final int TLS_HS_CERT_REQ = 13;
private static final int HELLO_EXT_SIG_ALGS = 13;
private static final String SIG_SCHEME_STR =
"rsa_pkcs1_sha256,rsa_pss_rsae_sha256,rsa_pss_pss_sha256," +
"ed448,ed25519,ecdsa_secp256r1_sha256";
SigSchemePropOrdering() throws Exception {
super();
}
public static void main(String[] args) throws Exception {
System.setProperty("javax.net.debug", "ssl:handshake");
System.setProperty("jdk.tls.client.SignatureSchemes", SIG_SCHEME_STR);
System.setProperty("jdk.tls.server.SignatureSchemes", SIG_SCHEME_STR);
new SigSchemePropOrdering().run();
}
@Override
protected SSLEngine configureClientEngine(SSLEngine clientEngine) {
clientEngine.setUseClientMode(true);
clientEngine.setEnabledProtocols(new String[] { "TLSv1.2" });
return clientEngine;
}
@Override
protected SSLEngine configureServerEngine(SSLEngine serverEngine) {
serverEngine.setUseClientMode(false);
serverEngine.setWantClientAuth(true);
return serverEngine;
}
private void run() throws Exception {
// Start the handshake. Check the ClientHello's signature_algorithms
// extension and make sure the ordering matches what we specified
// in the property above.
List<String> expectedSS = Arrays.asList(SIG_SCHEME_STR.split(","));
clientEngine.wrap(clientOut, cTOs);
cTOs.flip();
List<String> actualSS = getSigSchemesCliHello(
extractHandshakeMsg(cTOs, TLS_HS_CLI_HELLO));
// Make sure the ordering is correct
if (!expectedSS.equals(actualSS)) {
System.out.println("FAIL: Mismatch between property ordering " +
"and ClientHello message");
System.out.print("Expected SigSchemes: ");
expectedSS.forEach(ss -> System.out.print(ss + " "));
System.out.println();
System.out.print("Actual SigSchemes: ");
actualSS.forEach(ss -> System.out.print(ss + " "));
System.out.println();
throw new RuntimeException(
"FAIL: Expected and Actual values differ.");
}
// Consume the ClientHello and get the server flight of handshake
// messages. We expect that it will be one TLS record containing
// multiple handshake messages, one of which is a CertificateRequest.
serverEngine.unwrap(cTOs, serverIn);
runDelegatedTasks(serverEngine);
// Wrap the server flight
serverEngine.wrap(serverOut, sTOc);
sTOc.flip();
actualSS = getSigSchemesCertReq(
extractHandshakeMsg(sTOc, TLS_HS_CERT_REQ));
// Make sure the ordering is correct
if (!expectedSS.equals(actualSS)) {
System.out.println("FAIL: Mismatch between property ordering " +
"and CertificateRequest message");
System.out.print("Expected SigSchemes: ");
expectedSS.forEach(ss -> System.out.print(ss + " "));
System.out.println();
System.out.print("Actual SigSchemes: ");
actualSS.forEach(ss -> System.out.print(ss + " "));
System.out.println();
throw new RuntimeException(
"FAIL: Expected and Actual values differ.");
}
}
/**
* Given a TLS record containing one or more handshake messages, return
* the specific handshake message as a ByteBuffer (a slice of the record)
*
* @param tlsRecord a ByteBuffer containing a TLS record. It is assumed
* that the position of the ByteBuffer is on the first byte of the TLS
* record header.
* @param hsMsgId the message identifier for the handshake message being
* sought.
*
* @return a ByteBuffer containing the TLS handshake message. The position
* of the returned ByteBuffer will be on the first byte of the TLS
* handshake message data, immediately following the handshake header.
* If the message is not found, null will be returned.
*
* @throws SSLException if the incoming ByteBuffer does not contain a
* well-formed TLS message.
*/
private static ByteBuffer extractHandshakeMsg(ByteBuffer tlsRecord,
int hsMsgId) throws SSLException {
Objects.requireNonNull(tlsRecord);
tlsRecord.mark();
// Process the TLS record header
int type = Byte.toUnsignedInt(tlsRecord.get());
int ver_major = Byte.toUnsignedInt(tlsRecord.get());
int ver_minor = Byte.toUnsignedInt(tlsRecord.get());
int recLen = Short.toUnsignedInt(tlsRecord.getShort());
// Simple sanity checks
if (type != 22) {
throw new SSLException("Not a handshake: Type = " + type);
} else if (recLen > tlsRecord.remaining()) {
throw new SSLException("Incomplete record in buffer: " +
"Record length = " + recLen + ", Remaining = " +
tlsRecord.remaining());
}
while (tlsRecord.hasRemaining()) {
// Grab the handshake message header.
int msgHdr = tlsRecord.getInt();
int msgType = (msgHdr >> 24) & 0x000000FF;
int msgLen = msgHdr & 0x00FFFFFF;
if (msgType == hsMsgId) {
// Slice the buffer such that it contains the entire
// handshake message (less the handshake header).
ByteBuffer buf = tlsRecord.slice(tlsRecord.position(), msgLen);
tlsRecord.reset();
return buf;
} else {
// Skip to the next handshake message, if there is one
tlsRecord.position(tlsRecord.position() + msgLen);
}
}
tlsRecord.reset();
return null;
}
/**
* Parses the ClientHello message and extracts from it a list of
* SignatureScheme values in string form. It is assumed that the provided
* ByteBuffer has its position set at the first byte of the ClientHello
* message body (AFTER the handshake header) and contains the entire
* hello message. Upon successful completion of this method the ByteBuffer
* will have its position reset to the initial offset in the buffer.
* If an exception is thrown the position at the time of the exception
* will be preserved.
*
* @param data the ByteBuffer containing the ClientHello bytes
*
* @return A List of the signature schemes in string form. If no
* signature_algorithms extension is present in the client hello then
* an empty list will be returned.
*/
private static List<String> getSigSchemesCliHello(ByteBuffer data) {
Objects.requireNonNull(data);
data.mark();
// Skip over the protocol version and client random
data.position(data.position() + 34);
// Jump past the session ID (if there is one)
int sessLen = Byte.toUnsignedInt(data.get());
if (sessLen != 0) {
data.position(data.position() + sessLen);
}
// Jump past the cipher suites
int csLen = Short.toUnsignedInt(data.getShort());
if (csLen != 0) {
data.position(data.position() + csLen);
}
// ...and the compression
int compLen = Byte.toUnsignedInt(data.get());
if (compLen != 0) {
data.position(data.position() + compLen);
}
// Now for the fun part. Go through the extensions and look
// for the two status request exts.
List<String> extSigAlgs = new ArrayList();
int extsLen = Short.toUnsignedInt(data.getShort());
while (data.hasRemaining()) {
int extType = Short.toUnsignedInt(data.getShort());
int extLen = Short.toUnsignedInt(data.getShort());
if (extType == HELLO_EXT_SIG_ALGS) {
// Start processing signature algorithms
int sigSchemeLen = Short.toUnsignedInt(data.getShort());
for (int ssOff = 0; ssOff < sigSchemeLen; ssOff += 2) {
String schemeName = sigSchemeMap.get(
Short.toUnsignedInt(data.getShort()));
if (schemeName != null) {
extSigAlgs.add(schemeName);
}
}
} else {
// Not the extension we're looking for. Skip past the
// extension data
data.position(data.position() + extLen);
}
}
// We should be at the end of the ClientHello
data.reset();
return extSigAlgs;
}
/**
* Parses the CertificateRequest message and extracts from it a list of
* SignatureScheme values in string form. It is assumed that the provided
* ByteBuffer has its position set at the first byte of the
* CertificateRequest message body (AFTER the handshake header) and
* contains the entire CR message. Upon successful completion of this
* method the ByteBuffer will have its position reset to the initial
* offset in the buffer.
* If an exception is thrown the position at the time of the exception
* will be preserved.
*
* @param data the ByteBuffer containing the CertificateRequest bytes
*
* @return A List of the signature schemes in string form. If no
* signature_algorithms extension is present in the CertificateRequest
* then an empty list will be returned.
*/
private static List<String> getSigSchemesCertReq(ByteBuffer data) {
Objects.requireNonNull(data);
data.mark();
// Jump past the certificate types
int certTypeLen = Byte.toUnsignedInt(data.get());
if (certTypeLen != 0) {
data.position(data.position() + certTypeLen);
}
// Collect the SignatureAndHashAlgorithms
List<String> extSigAlgs = new ArrayList();
int sigSchemeLen = Short.toUnsignedInt(data.getShort());
for (int ssOff = 0; ssOff < sigSchemeLen; ssOff += 2) {
String schemeName = sigSchemeMap.get(
Short.toUnsignedInt(data.getShort()));
if (schemeName != null) {
extSigAlgs.add(schemeName);
}
}
data.reset();
return extSigAlgs;
}
}
|
