1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
|
using System;
using System.Collections;
using System.IO;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Crypto.Agreement;
using Org.BouncyCastle.Crypto.Generators;
using Org.BouncyCastle.Crypto.Parameters;
using Org.BouncyCastle.Math;
using Org.BouncyCastle.Security;
using Org.BouncyCastle.Utilities;
namespace Org.BouncyCastle.Crypto.Tls
{
/**
* ECDH key exchange (see RFC 4492)
*/
internal class TlsECDHKeyExchange
: TlsKeyExchange
{
protected TlsClientContext context;
protected int keyExchange;
protected TlsSigner tlsSigner;
protected AsymmetricKeyParameter serverPublicKey;
protected ECPublicKeyParameters ecAgreeServerPublicKey;
protected TlsAgreementCredentials agreementCredentials;
protected ECPrivateKeyParameters ecAgreeClientPrivateKey = null;
internal TlsECDHKeyExchange(TlsClientContext context, int keyExchange)
{
switch (keyExchange)
{
case KeyExchangeAlgorithm.ECDHE_RSA:
this.tlsSigner = new TlsRsaSigner();
break;
case KeyExchangeAlgorithm.ECDHE_ECDSA:
this.tlsSigner = new TlsECDsaSigner();
break;
case KeyExchangeAlgorithm.ECDH_RSA:
case KeyExchangeAlgorithm.ECDH_ECDSA:
this.tlsSigner = null;
break;
default:
throw new ArgumentException("unsupported key exchange algorithm", "keyExchange");
}
this.context = context;
this.keyExchange = keyExchange;
}
public virtual void SkipServerCertificate()
{
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
public virtual void ProcessServerCertificate(Certificate serverCertificate)
{
X509CertificateStructure x509Cert = serverCertificate.GetCertificateAt(0);
SubjectPublicKeyInfo keyInfo = x509Cert.SubjectPublicKeyInfo;
try
{
this.serverPublicKey = PublicKeyFactory.CreateKey(keyInfo);
}
catch (Exception)
{
throw new TlsFatalAlert(AlertDescription.unsupported_certificate);
}
if (tlsSigner == null)
{
try
{
this.ecAgreeServerPublicKey = ValidateECPublicKey((ECPublicKeyParameters)this.serverPublicKey);
}
catch (InvalidCastException)
{
throw new TlsFatalAlert(AlertDescription.certificate_unknown);
}
TlsUtilities.ValidateKeyUsage(x509Cert, KeyUsage.KeyAgreement);
}
else
{
if (!tlsSigner.IsValidPublicKey(this.serverPublicKey))
{
throw new TlsFatalAlert(AlertDescription.certificate_unknown);
}
TlsUtilities.ValidateKeyUsage(x509Cert, KeyUsage.DigitalSignature);
}
// TODO
/*
* Perform various checks per RFC2246 7.4.2: "Unless otherwise specified, the
* signing algorithm for the certificate must be the same as the algorithm for the
* certificate key."
*/
}
public virtual void SkipServerKeyExchange()
{
// do nothing
}
public virtual void ProcessServerKeyExchange(Stream input)
{
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
public virtual void ValidateCertificateRequest(CertificateRequest certificateRequest)
{
/*
* RFC 4492 3. [...] The ECDSA_fixed_ECDH and RSA_fixed_ECDH mechanisms are usable
* with ECDH_ECDSA and ECDH_RSA. Their use with ECDHE_ECDSA and ECDHE_RSA is
* prohibited because the use of a long-term ECDH client key would jeopardize the
* forward secrecy property of these algorithms.
*/
byte[] types = certificateRequest.CertificateTypes;
foreach (byte type in types)
{
switch (type)
{
case ClientCertificateType.rsa_sign:
case ClientCertificateType.dss_sign:
case ClientCertificateType.ecdsa_sign:
case ClientCertificateType.rsa_fixed_ecdh:
case ClientCertificateType.ecdsa_fixed_ecdh:
break;
default:
throw new TlsFatalAlert(AlertDescription.illegal_parameter);
}
}
}
public virtual void SkipClientCredentials()
{
this.agreementCredentials = null;
}
public virtual void ProcessClientCredentials(TlsCredentials clientCredentials)
{
if (clientCredentials is TlsAgreementCredentials)
{
// TODO Validate client cert has matching parameters (see 'AreOnSameCurve')?
this.agreementCredentials = (TlsAgreementCredentials)clientCredentials;
}
else if (clientCredentials is TlsSignerCredentials)
{
// OK
}
else
{
throw new TlsFatalAlert(AlertDescription.internal_error);
}
}
public virtual void GenerateClientKeyExchange(Stream output)
{
if (agreementCredentials == null)
{
GenerateEphemeralClientKeyExchange(ecAgreeServerPublicKey.Parameters, output);
}
}
public virtual byte[] GeneratePremasterSecret()
{
if (agreementCredentials != null)
{
return agreementCredentials.GenerateAgreement(ecAgreeServerPublicKey);
}
return CalculateECDHBasicAgreement(ecAgreeServerPublicKey, ecAgreeClientPrivateKey);
}
protected virtual bool AreOnSameCurve(ECDomainParameters a, ECDomainParameters b)
{
// TODO Move to ECDomainParameters.Equals() or other utility method?
return a.Curve.Equals(b.Curve) && a.G.Equals(b.G) && a.N.Equals(b.N) && a.H.Equals(b.H);
}
protected virtual byte[] ExternalizeKey(ECPublicKeyParameters keyParameters)
{
// TODO Add support for compressed encoding and SPF extension
/*
* RFC 4492 5.7. ...an elliptic curve point in uncompressed or compressed format.
* Here, the format MUST conform to what the server has requested through a
* Supported Point Formats Extension if this extension was used, and MUST be
* uncompressed if this extension was not used.
*/
return keyParameters.Q.GetEncoded();
}
protected virtual AsymmetricCipherKeyPair GenerateECKeyPair(ECDomainParameters ecParams)
{
ECKeyPairGenerator keyPairGenerator = new ECKeyPairGenerator();
ECKeyGenerationParameters keyGenerationParameters = new ECKeyGenerationParameters(ecParams,
context.SecureRandom);
keyPairGenerator.Init(keyGenerationParameters);
return keyPairGenerator.GenerateKeyPair();
}
protected virtual void GenerateEphemeralClientKeyExchange(ECDomainParameters ecParams, Stream output)
{
AsymmetricCipherKeyPair ecAgreeClientKeyPair = GenerateECKeyPair(ecParams);
this.ecAgreeClientPrivateKey = (ECPrivateKeyParameters)ecAgreeClientKeyPair.Private;
byte[] keData = ExternalizeKey((ECPublicKeyParameters)ecAgreeClientKeyPair.Public);
TlsUtilities.WriteOpaque8(keData, output);
}
protected virtual byte[] CalculateECDHBasicAgreement(ECPublicKeyParameters publicKey,
ECPrivateKeyParameters privateKey)
{
ECDHBasicAgreement basicAgreement = new ECDHBasicAgreement();
basicAgreement.Init(privateKey);
BigInteger agreementValue = basicAgreement.CalculateAgreement(publicKey);
/*
* RFC 4492 5.10. Note that this octet string (Z in IEEE 1363 terminology) as output by
* FE2OSP, the Field Element to Octet String Conversion Primitive, has constant length for
* any given field; leading zeros found in this octet string MUST NOT be truncated.
*/
return BigIntegers.AsUnsignedByteArray(basicAgreement.GetFieldSize(), agreementValue);
}
protected virtual ECPublicKeyParameters ValidateECPublicKey(ECPublicKeyParameters key)
{
// TODO Check RFC 4492 for validation
return key;
}
}
}
|
