package org.ibex.net;
-import org.ibex.der.DER.Exception;
-import org.ibex.der.DER.InputStream;
-import org.ibex.x509.X509Certificate;
-import org.ibex.x509.RSAPublicKey;
-import org.ibex.x509.X509Name;
-import org.ibex.crypto.HMAC;
-import org.ibex.crypto.PKCS1;
-import org.ibex.crypto.RC4;
-import org.ibex.crypto.RSA;
-import org.ibex.crypto.Digest;
-import org.ibex.crypto.MD5;
-import org.ibex.crypto.SHA1;
-
+import org.ibex.crypto.*;
import java.security.SecureRandom;
import java.net.Socket;
}
private void negotiateNew() throws IOException {
- X509Certificate[] certs = receiveServerCertificates();
+ X509.Certificate[] certs = receiveServerCertificates();
debug("got Certificate");
boolean gotCertificateRequest = false;
if(buf[p++] != 0x0) throw new Exn("unsupported compression " + buf[p-1]);
}
- private X509Certificate[] receiveServerCertificates() throws IOException {
+ private X509.Certificate[] receiveServerCertificates() throws IOException {
byte[] buf = readHandshake();
if(buf[0] != 11) throw new Exn("expected a Certificate message");
if((((buf[4]&0xff)<<16)|((buf[5]&0xff)<<8)|((buf[6]&0xff)<<0)) != buf.length-7) throw new Exn("size mismatch in Certificate message");
for(int i=p;i<buf.length-3;i+=((buf[p+0]&0xff)<<16)|((buf[p+1]&0xff)<<8)|((buf[p+2]&0xff)<<0)) count++;
if(count == 0) throw new Exn("server didn't provide any certificates");
- X509Certificate[] certs = new X509Certificate[count];
+ X509.Certificate[] certs = new X509.Certificate[count];
count = 0;
while(p < buf.length) {
int len = ((buf[p+0]&0xff)<<16)|((buf[p+1]&0xff)<<8)|((buf[p+2]&0xff)<<0);
p += 3;
if(p + len > buf.length) throw new Exn("Certificate message cut short");
- certs[count++] = new X509Certificate(new ByteArrayInputStream(buf,p,len));
+ certs[count++] = new X509.Certificate(new ByteArrayInputStream(buf,p,len));
p += len;
}
return certs;
}
- private void sendClientKeyExchange(X509Certificate serverCert) throws IOException {
+ private void sendClientKeyExchange(X509.Certificate serverCert) throws IOException {
byte[] encryptedPreMasterSecret;
- RSAPublicKey pks = serverCert.getRSAPublicKey();
+ RSA.PublicKey pks = serverCert.getRSAPublicKey();
PKCS1 pkcs1 = new PKCS1(new RSA(pks.modulus,pks.exponent,false),random);
encryptedPreMasterSecret = pkcs1.encode(preMasterSecret);
byte[] buf;
return ret;
}
- public static class SSLv3HMAC implements Digest {
+ public static class SSLv3HMAC extends Digest {
private final Digest h;
private final byte[] digest;
private final byte[] key;
h.doFinal(out,off);
reset();
}
+ protected void processWord(byte[] in, int inOff) {}
+ protected void processLength(long bitLength) {}
+ protected void processBlock() {}
}
//
private static void debug(Object o) { if(debugOn) System.err.println("[BriSSL-Debug] " + o.toString()); }
private static void log(Object o) { System.err.println("[BriSSL] " + o.toString()); }
- private static void verifyCerts(X509Certificate[] certs) throws DER.Exception, Exn {
+ private static void verifyCerts(X509.Certificate[] certs) throws DER.Exception, Exn {
try {
verifyCerts_(certs);
} catch(RuntimeException e) {
}
}
- private static void verifyCerts_(X509Certificate[] certs) throws DER.Exception, Exn {
+ private static void verifyCerts_(X509.Certificate[] certs) throws DER.Exception, Exn {
boolean ignoreLast = false;
for(int i=0;i<certs.length;i++) {
debug("Cert " + i + ": " + certs[i].subject + " ok");
if(!certs[i].isValid())
throw new Exn("Certificate " + i + " in certificate chain is not valid (" + certs[i].startDate + " - " + certs[i].endDate + ")");
if(i != 0) {
- X509Certificate.BC bc = certs[i].basicContraints;
+ X509.Certificate.BC bc = certs[i].basicContraints;
if(bc == null) {
if(i == certs.length - 1) {
ignoreLast = true;
}
}
- X509Certificate cert = certs[ignoreLast ? certs.length - 2 : certs.length-1];
+ X509.Certificate cert = certs[ignoreLast ? certs.length - 2 : certs.length-1];
- RSAPublicKey pks = (RSAPublicKey) caKeys.get(cert.issuer);
+ RSA.PublicKey pks = (RSA.PublicKey) caKeys.get(cert.issuer);
if(pks == null) throw new Exn("Certificate is signed by an unknown CA (" + cert.issuer + ")");
if(!cert.isSignedWith(pks)) throw new Exn("Certificate is not signed by its CA");
log("" + cert.subject + " is signed by " + cert.issuer);
}
public static void addCACert(byte[] b) throws IOException { addCACert(new ByteArrayInputStream(b)); }
- public static void addCACert(InputStream is) throws IOException { addCACert(new X509Certificate(is)); }
- public static void addCACert(X509Certificate cert) throws DER.Exception { addCAKey(cert.subject,cert.getRSAPublicKey()); }
- public static void addCAKey(X509Name subject, RSAPublicKey pks) {
+ public static void addCACert(InputStream is) throws IOException { addCACert(new X509.Certificate(is)); }
+ public static void addCACert(X509.Certificate cert) throws DER.Exception { addCAKey(cert.subject,cert.getRSAPublicKey()); }
+ public static void addCAKey(X509.Name subject, RSA.PublicKey pks) {
synchronized(caKeys) {
if(caKeys.get(subject) != null)
throw new IllegalArgumentException(subject.toString() + " already exists!");
Vector seq = (Vector) new DER.InputStream(is).readObject();
for(Enumeration e = seq.elements(); e.hasMoreElements();) {
Vector seq2 = (Vector) e.nextElement();
- X509Name subject = new X509Name(seq2.elementAt(0));
- RSAPublicKey pks = new RSAPublicKey(seq2.elementAt(1));
+ X509.Name subject = new X509.Name(seq2.elementAt(0));
+ RSA.PublicKey pks = new RSA.PublicKey(seq2.elementAt(1));
addCAKey(subject,pks);
}
return seq.size();
}
public interface VerifyCallback {
- public boolean checkCerts(X509Certificate[] certs, String hostname, Exn exn);
+ public boolean checkCerts(X509.Certificate[] certs, String hostname, Exn exn);
}
// Helper methods