
  1. #if !BESTHTTP_DISABLE_ALTERNATE_SSL && (!UNITY_WEBGL || UNITY_EDITOR)
  2. using System;
  3. using System.Collections;
  4. using System.IO;
  5. using Org.BouncyCastle.Asn1.X509;
  6. using Org.BouncyCastle.Crypto.Parameters;
  7. using Org.BouncyCastle.Security;
  8. namespace Org.BouncyCastle.Crypto.Tls
  9. {
  /// <summary>(D)TLS ECDH key exchange (see RFC 4492).</summary>
  /// <remarks>
  /// Handles the ECDH_anon suite and the static ECDH_RSA / ECDH_ECDSA suites directly; the
  /// ephemeral ECDHE_RSA / ECDHE_ECDSA suites are completed by a subclass (see the notes in
  /// <see cref="GenerateServerKeyExchange"/> and <see cref="ProcessServerKeyExchange"/>).
  /// The two families are told apart by <c>mTlsSigner</c>, which is null for the unsigned variants.
  /// </remarks>
  public class TlsECDHKeyExchange
      : AbstractTlsKeyExchange
  {
      // Non-null only for ECDHE_RSA / ECDHE_ECDSA; also serves as the "is this a signed suite" flag.
      protected TlsSigner mTlsSigner;
      // Curve ids and point formats the two sides advertised; passed to every TlsEccUtilities call below.
      protected int[] mNamedCurves;
      protected byte[] mClientECPointFormats, mServerECPointFormats;
      // Public key decoded from the server's end-entity certificate.
      protected AsymmetricKeyParameter mServerPublicKey;
      // Set when the client authenticates with a long-term (fixed) ECDH key instead of an ephemeral one.
      protected TlsAgreementCredentials mAgreementCredentials;
      // Our ephemeral private key and the peer's public key for the agreement.
      protected ECPrivateKeyParameters mECAgreePrivateKey;
      protected ECPublicKeyParameters mECAgreePublicKey;

      /// <summary>Creates the exchange for one of the ECDH key exchange algorithms.</summary>
      /// <param name="keyExchange">One of the <see cref="KeyExchangeAlgorithm"/> ECDH(E) constants.</param>
      /// <param name="supportedSignatureAlgorithms">Forwarded unchanged to the base class.</param>
      /// <param name="namedCurves">Curves acceptable for the exchange.</param>
      /// <param name="clientECPointFormats">Point formats the client accepts.</param>
      /// <param name="serverECPointFormats">Point formats the server accepts.</param>
      /// <exception cref="InvalidOperationException">If <paramref name="keyExchange"/> is not an ECDH variant.</exception>
      public TlsECDHKeyExchange(int keyExchange, IList supportedSignatureAlgorithms, int[] namedCurves,
          byte[] clientECPointFormats, byte[] serverECPointFormats)
          : base(keyExchange, supportedSignatureAlgorithms)
      {
          this.mTlsSigner = CreateSigner(keyExchange);
          this.mNamedCurves = namedCurves;
          this.mClientECPointFormats = clientECPointFormats;
          this.mServerECPointFormats = serverECPointFormats;
      }

      // Picks the signer for a key exchange algorithm; null for the suites that carry no signature.
      private static TlsSigner CreateSigner(int keyExchange)
      {
          if (keyExchange == KeyExchangeAlgorithm.ECDHE_RSA)
              return new TlsRsaSigner();
          if (keyExchange == KeyExchangeAlgorithm.ECDHE_ECDSA)
              return new TlsECDsaSigner();

          bool isUnsignedSuite = keyExchange == KeyExchangeAlgorithm.ECDH_anon
              || keyExchange == KeyExchangeAlgorithm.ECDH_RSA
              || keyExchange == KeyExchangeAlgorithm.ECDH_ECDSA;
          if (isUnsignedSuite)
              return null;

          throw new InvalidOperationException("unsupported key exchange algorithm");
      }

      /// <summary>Initialises the base class and, for the signed suites, the signer as well.</summary>
      /// <param name="context">The TLS context this exchange runs in.</param>
      public override void Init(TlsContext context)
      {
          base.Init(context);

          TlsSigner signer = this.mTlsSigner;
          if (signer != null)
              signer.Init(context);
      }

      /// <summary>Only the anonymous suite may run without server credentials.</summary>
      /// <exception cref="TlsFatalAlert">unexpected_message for every suite other than ECDH_anon.</exception>
      public override void SkipServerCredentials()
      {
          bool anonymous = mKeyExchange == KeyExchangeAlgorithm.ECDH_anon;
          if (!anonymous)
              throw new TlsFatalAlert(AlertDescription.unexpected_message);
      }

      /// <summary>
      /// Takes the server's public key from the first certificate in <paramref name="serverCertificate"/>
      /// and checks it against the negotiated suite before handing the chain to the base class.
      /// </summary>
      /// <param name="serverCertificate">The certificate chain sent by the server.</param>
      /// <exception cref="TlsFatalAlert">
      /// unexpected_message for ECDH_anon (no certificate is expected), bad_certificate for an empty
      /// chain, unsupported_certificate when the key cannot be decoded, certificate_unknown when the key
      /// is of the wrong kind for the suite.
      /// </exception>
      public override void ProcessServerCertificate(Certificate serverCertificate)
      {
          if (mKeyExchange == KeyExchangeAlgorithm.ECDH_anon)
              throw new TlsFatalAlert(AlertDescription.unexpected_message);
          if (serverCertificate.IsEmpty)
              throw new TlsFatalAlert(AlertDescription.bad_certificate);

          X509CertificateStructure endEntity = serverCertificate.GetCertificateAt(0);
          this.mServerPublicKey = DecodeServerPublicKey(endEntity.SubjectPublicKeyInfo);

          if (mTlsSigner == null)
              CheckAgreementCertificate(endEntity);
          else
              CheckSigningCertificate(endEntity);

          base.ProcessServerCertificate(serverCertificate);
      }

      // Decodes the SubjectPublicKeyInfo; any decoding failure is surfaced as unsupported_certificate.
      private static AsymmetricKeyParameter DecodeServerPublicKey(SubjectPublicKeyInfo keyInfo)
      {
          try
          {
              return PublicKeyFactory.CreateKey(keyInfo);
          }
          catch (Exception e)
          {
              throw new TlsFatalAlert(AlertDescription.unsupported_certificate, e);
          }
      }

      // Static ECDH: the certificate key itself is the agreement key, so it must be an EC key that
      // passes TlsEccUtilities.ValidateECPublicKey and the certificate must permit keyAgreement.
      private void CheckAgreementCertificate(X509CertificateStructure endEntity)
      {
          try
          {
              this.mECAgreePublicKey = TlsEccUtilities.ValidateECPublicKey((ECPublicKeyParameters) this.mServerPublicKey);
          }
          catch (InvalidCastException e)
          {
              // Not an EC key at all.
              throw new TlsFatalAlert(AlertDescription.certificate_unknown, e);
          }
          TlsUtilities.ValidateKeyUsage(endEntity, KeyUsage.KeyAgreement);
      }

      // Signed suites: the key only has to be acceptable to the signer and permitted for digitalSignature.
      private void CheckSigningCertificate(X509CertificateStructure endEntity)
      {
          if (!mTlsSigner.IsValidPublicKey(this.mServerPublicKey))
              throw new TlsFatalAlert(AlertDescription.certificate_unknown);
          TlsUtilities.ValidateKeyUsage(endEntity, KeyUsage.DigitalSignature);
      }

      /// <summary>
      /// True for the suites whose server key is sent in a ServerKeyExchange message (ECDH_anon and the
      /// two ECDHE suites); false for the static suites, where the key comes from the certificate.
      /// </summary>
      public override bool RequiresServerKeyExchange
      {
          get
          {
              return mKeyExchange == KeyExchangeAlgorithm.ECDH_anon
                  || mKeyExchange == KeyExchangeAlgorithm.ECDHE_ECDSA
                  || mKeyExchange == KeyExchangeAlgorithm.ECDHE_RSA;
          }
      }

      /// <summary>
      /// Generates a fresh ephemeral key and returns the encoded ServerKeyExchange body, or null when
      /// the suite sends no ServerKeyExchange.
      /// </summary>
      /// <returns>The serialized server ECDH parameters and public point, or null.</returns>
      public override byte[] GenerateServerKeyExchange()
      {
          if (!RequiresServerKeyExchange)
              return null;

          // ECDH_anon is handled here, ECDHE_* in a subclass
          MemoryStream encoded = new MemoryStream();
          this.mECAgreePrivateKey = TlsEccUtilities.GenerateEphemeralServerKeyExchange(mContext.SecureRandom, mNamedCurves,
              mClientECPointFormats, encoded);
          return encoded.ToArray();
      }

      /// <summary>Reads the server's ECDH parameters and public point from a ServerKeyExchange body.</summary>
      /// <param name="input">Stream positioned at the start of the ServerKeyExchange body.</param>
      /// <exception cref="TlsFatalAlert">unexpected_message if the suite does not use a ServerKeyExchange.</exception>
      public override void ProcessServerKeyExchange(Stream input)
      {
          if (!RequiresServerKeyExchange)
              throw new TlsFatalAlert(AlertDescription.unexpected_message);

          // ECDH_anon is handled here, ECDHE_* in a subclass
          ECDomainParameters domain = TlsEccUtilities.ReadECParameters(mNamedCurves, mClientECPointFormats, input);
          byte[] encodedPoint = TlsUtilities.ReadOpaque8(input);
          ECPublicKeyParameters peerKey = TlsEccUtilities.DeserializeECPublicKey(mClientECPointFormats, domain, encodedPoint);
          // The peer's point is validated before it is ever used in an agreement.
          this.mECAgreePublicKey = TlsEccUtilities.ValidateECPublicKey(peerKey);
      }

      /// <summary>Rejects a CertificateRequest that names a client certificate type this exchange cannot serve.</summary>
      /// <param name="certificateRequest">The server's CertificateRequest.</param>
      /// <exception cref="TlsFatalAlert">illegal_parameter on the first unsupported certificate type.</exception>
      public override void ValidateCertificateRequest(CertificateRequest certificateRequest)
      {
          /*
           * RFC 4492 3. [...] The ECDSA_fixed_ECDH and RSA_fixed_ECDH mechanisms are usable with
           * ECDH_ECDSA and ECDH_RSA. Their use with ECDHE_ECDSA and ECDHE_RSA is prohibited because
           * the use of a long-term ECDH client key would jeopardize the forward secrecy property of
           * these algorithms.
           */
          foreach (byte certificateType in certificateRequest.CertificateTypes)
          {
              if (!IsPermittedClientCertificateType(certificateType))
                  throw new TlsFatalAlert(AlertDescription.illegal_parameter);
          }
      }

      // The set of ClientCertificateType values this exchange accepts in a CertificateRequest.
      private static bool IsPermittedClientCertificateType(byte certificateType)
      {
          return certificateType == ClientCertificateType.rsa_sign
              || certificateType == ClientCertificateType.dss_sign
              || certificateType == ClientCertificateType.ecdsa_sign
              || certificateType == ClientCertificateType.rsa_fixed_ecdh
              || certificateType == ClientCertificateType.ecdsa_fixed_ecdh;
      }

      /// <summary>
      /// Records the client's credentials: agreement credentials (fixed ECDH) are kept for
      /// <see cref="GeneratePremasterSecret"/>, signer credentials need nothing further here.
      /// </summary>
      /// <param name="clientCredentials">The credentials chosen by the client authentication callback.</param>
      /// <exception cref="TlsFatalAlert">internal_error for ECDH_anon or for an unsupported credentials type.</exception>
      public override void ProcessClientCredentials(TlsCredentials clientCredentials)
      {
          if (mKeyExchange == KeyExchangeAlgorithm.ECDH_anon)
              throw new TlsFatalAlert(AlertDescription.internal_error);

          TlsAgreementCredentials agreement = clientCredentials as TlsAgreementCredentials;
          if (agreement != null)
          {
              // TODO Validate client cert has matching parameters (see 'TlsEccUtilities.AreOnSameCurve')?
              this.mAgreementCredentials = agreement;
              return;
          }

          if (clientCredentials is TlsSignerCredentials)
          {
              // OK
              return;
          }

          throw new TlsFatalAlert(AlertDescription.internal_error);
      }

      /// <summary>
      /// Writes the client's ephemeral public point to <paramref name="output"/>. With fixed ECDH
      /// credentials the point is implicit in the client certificate and nothing is written.
      /// </summary>
      /// <param name="output">Destination for the ClientKeyExchange body.</param>
      public override void GenerateClientKeyExchange(Stream output)
      {
          if (mAgreementCredentials != null)
              return;

          this.mECAgreePrivateKey = TlsEccUtilities.GenerateEphemeralClientKeyExchange(mContext.SecureRandom,
              mServerECPointFormats, mECAgreePublicKey.Parameters, output);
      }

      /// <summary>Accepts a client certificate; only the ECDH_anon check is implemented so far.</summary>
      /// <param name="clientCertificate">The certificate chain sent by the client.</param>
      /// <exception cref="TlsFatalAlert">unexpected_message for ECDH_anon.</exception>
      public override void ProcessClientCertificate(Certificate clientCertificate)
      {
          if (mKeyExchange == KeyExchangeAlgorithm.ECDH_anon)
              throw new TlsFatalAlert(AlertDescription.unexpected_message);

          // TODO Extract the public key
          // TODO If the certificate is 'fixed', take the public key as mECAgreeClientPublicKey
      }

      /// <summary>Reads the client's public point from a ClientKeyExchange body, unless it is already known.</summary>
      /// <param name="input">Stream positioned at the start of the ClientKeyExchange body.</param>
      public override void ProcessClientKeyExchange(Stream input)
      {
          if (mECAgreePublicKey != null)
          {
              // For ecdsa_fixed_ecdh and rsa_fixed_ecdh, the key arrived in the client certificate
              // NOTE(review): ProcessClientCertificate does not yet populate mECAgreePublicKey (see its TODOs).
              return;
          }

          byte[] encodedPoint = TlsUtilities.ReadOpaque8(input);
          // Assumes GenerateServerKeyExchange ran first; a null private key here would surface as a
          // NullReferenceException rather than a TLS alert — TODO confirm that is intended.
          ECDomainParameters domain = this.mECAgreePrivateKey.Parameters;
          ECPublicKeyParameters peerKey = TlsEccUtilities.DeserializeECPublicKey(mServerECPointFormats, domain, encodedPoint);
          this.mECAgreePublicKey = TlsEccUtilities.ValidateECPublicKey(peerKey);
      }

      /// <summary>
      /// Computes the ECDH shared secret with the peer's public key, using the fixed agreement
      /// credentials when present and the ephemeral private key otherwise.
      /// </summary>
      /// <returns>The raw premaster secret.</returns>
      /// <exception cref="TlsFatalAlert">internal_error when neither a fixed nor an ephemeral private key is available.</exception>
      public override byte[] GeneratePremasterSecret()
      {
          TlsAgreementCredentials fixedCredentials = mAgreementCredentials;
          if (fixedCredentials != null)
              return fixedCredentials.GenerateAgreement(mECAgreePublicKey);

          ECPrivateKeyParameters ephemeralKey = mECAgreePrivateKey;
          if (ephemeralKey != null)
              return TlsEccUtilities.CalculateECDHBasicAgreement(mECAgreePublicKey, ephemeralKey);

          throw new TlsFatalAlert(AlertDescription.internal_error);
      }
  }
  211. }
  212. #endif