PskKeyManager.java revision b0d1d914073256db05aa33feb6b2d6018802635e
1b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin/* 2b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * Copyright 2014 The Android Open Source Project 3b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * 4b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * Licensed under the Apache License, Version 2.0 (the "License"); 5b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * you may not use this file except in compliance with the License. 6b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * You may obtain a copy of the License at 7b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * 8b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * http://www.apache.org/licenses/LICENSE-2.0 9b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * 10b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * Unless required by applicable law or agreed to in writing, software 11b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * distributed under the License is distributed on an "AS IS" BASIS, 12b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * See the License for the specific language governing permissions and 14b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * limitations under the License. 15b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin */ 16b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin 17b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubinpackage android.net; 18b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin 19b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubinimport java.net.Socket; 20b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubinimport javax.crypto.SecretKey; 21b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubinimport javax.net.ssl.SSLEngine; 22b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin 23b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin/** 24b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * Provider of key material for pre-shared key (PSK) key exchange used in TLS-PSK cipher suites. 25b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * 26b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * <h3>Overview of TLS-PSK</h3> 27b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * 28b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * <p>TLS-PSK is a set of TLS/SSL cipher suites which rely on a symmetric pre-shared key (PSK) to 29b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * secure the TLS/SSL connection and mutually authenticate its peers. These cipher suites may be 30b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * a more natural fit compared to conventional public key based cipher suites in some scenarios 31b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * where communication between peers is bootstrapped via a separate step (for example, a pairing 32b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * step) and requires both peers to authenticate each other. In such scenarios a symmetric key (PSK) 33b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * can be exchanged during the bootstrapping step, removing the need to generate and exchange public 34b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * key pairs and X.509 certificates.</p> 35b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * 36b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * <p>When a TLS-PSK cipher suite is used, both peers have to use the same key for the TLS/SSL 37b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * handshake to succeed. Thus, both peers are implicitly authenticated by a successful handshake. 38b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * This removes the need to use a {@code TrustManager} in conjunction with this {@code KeyManager}. 39b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * </p> 40b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * 41b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * <h3>Supporting multiple keys</h3> 42b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * 43b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * <p>A peer may have multiple keys to choose from. To help choose the right key, during the handshake 44b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * the server can provide a <em>PSK identity hint</em> to the client, and the client can provide a 45b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * <em>PSK identity</em> to the server. The contents of these two pieces of information are specific 46b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * to application-level protocols.</p> 47b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * 48b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * <p><em>NOTE: Both the PSK identity hint and the PSK identity are transmitted in cleartext. 49b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * Moreover, these data are received and processed prior to peer having been authenticated. Thus, 50b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * they must not contain or leak key material or other sensitive information, and should be 51b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * treated (e.g., parsed) with caution, as untrusted data.</em></p> 52b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * 53b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * <p>The high-level flow leading to peers choosing a key during TLS/SSL handshake is as follows: 54b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * <ol> 55b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * <li>Server receives a handshake request from client. 56b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * <li>Server replies, optionally providing a PSK identity hint to client.</li> 57b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * <li>Client chooses the key.</li> 58b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * <li>Client provides a PSK identity of the chosen key to server.</li> 59b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * <li>Server chooses the key.</li> 60b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * </ol></p> 61b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * 62b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * <p>In the flow above, either peer can signal that they do not have a suitable key, in which case 63b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * the the handshake will be aborted immediately. This may enable a network attacker who does not 64b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * know the key to learn which PSK identity hints or PSK identities are supported. If this is a 65b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * concern then a randomly generated key should be used in the scenario where no key is available. 66b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * This will lead to the handshake aborting later, due to key mismatch -- same as in the scenario 67b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * where a key is available -- making it appear to the attacker that all PSK identity hints and PSK 68b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * identities are supported.</p> 69b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * 70b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * <h3>Maximum sizes</h3> 71b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * 72b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * <p>The maximum supported sizes are as follows: 73b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * <ul> 74b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * <li>256 bytes for keys (see {@link #MAX_KEY_LENGTH_BYTES}),</li> 75b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * <li>128 bytes for PSK identity and PSK identity hint (in modified UTF-8 representation) (see 76b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * {@link #MAX_IDENTITY_LENGTH_BYTES} and {@link #MAX_IDENTITY_HINT_LENGTH_BYTES}).</li> 77b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * </ul></p> 78b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * 79b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * <h3>Example</h3> 80b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * The following example illustrates how to create an {@code SSLContext} which enables the use of 81b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * TLS-PSK in {@code SSLSocket}, {@code SSLServerSocket} and {@code SSLEngine} instances obtained 82b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * from it. 83b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * <pre> {@code 84b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * PSKKeyManager myPskKeyManager = ...; 85b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * 86b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * SSLContext sslContext = SSLContext.getInstance("TLS"); 87b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * sslContext.init( 88b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * new KeyManager[] {myPskKeyManager}, 89b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * new TrustManager[0], // No TrustManagers needed in TLS-PSK 90b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * null // Use the default source of entropy 91b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * ); 92b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * 93b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * SSLSocket sslSocket = (SSLSocket) sslContext.getSocketFactory().createSocket(...); 94b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * // Enable a TLS-PSK cipher suite (no TLS-PSK cipher suites are enabled by default) 95b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * sslSocket.setEnabledCipherSuites(new String[] {"TLS_PSK_WITH_AES_128_CBC_SHA"}); 96b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * sslSocket.startHandshake(); 97b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * }</pre> 98b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin */ 99b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubinpublic interface PSKKeyManager extends com.android.org.conscrypt.PSKKeyManager { 100b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin // IMPLEMENTATION DETAILS: This class exists only because the default implemenetation of the 101b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin // TLS/SSL JSSE provider (currently Conscrypt) cannot depend on Android framework classes. 102b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin // As a result, this framework class simply extends the PSKKeyManager interface from Conscrypt 103b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin // without adding any new methods or fields. Moreover, for technical reasons (Conscrypt classes 104b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin // are "hidden") this class replaces the Javadoc of Conscrypt's PSKKeyManager. 105b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin 106b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin /** 107b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * Maximum supported length (in bytes) for PSK identity hint (in modified UTF-8 representation). 108b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin */ 109b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin int MAX_IDENTITY_HINT_LENGTH_BYTES = 110b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin com.android.org.conscrypt.PSKKeyManager.MAX_IDENTITY_HINT_LENGTH_BYTES; 111b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin 112b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin /** Maximum supported length (in bytes) for PSK identity (in modified UTF-8 representation). */ 113b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin int MAX_IDENTITY_LENGTH_BYTES = 114b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin com.android.org.conscrypt.PSKKeyManager.MAX_IDENTITY_LENGTH_BYTES; 115b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin 116b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin /** Maximum supported length (in bytes) for PSK. */ 117b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin int MAX_KEY_LENGTH_BYTES = com.android.org.conscrypt.PSKKeyManager.MAX_KEY_LENGTH_BYTES; 118b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin 119b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin /** 120b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * Gets the PSK identity hint to report to the client to help agree on the PSK for the provided 121b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * socket. 122b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * 123b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * @return PSK identity hint to be provided to the client or {@code null} to provide no hint. 124b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin */ 125b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin @Override 126b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin String chooseServerKeyIdentityHint(Socket socket); 127b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin 128b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin /** 129b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * Gets the PSK identity hint to report to the client to help agree on the PSK for the provided 130b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * engine. 131b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * 132b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * @return PSK identity hint to be provided to the client or {@code null} to provide no hint. 133b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin */ 134b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin @Override 135b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin String chooseServerKeyIdentityHint(SSLEngine engine); 136b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin 137b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin /** 138b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * Gets the PSK identity to report to the server to help agree on the PSK for the provided 139b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * socket. 140b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * 141b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * @param identityHint identity hint provided by the server or {@code null} if none provided. 142b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * 143b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * @return PSK identity to provide to the server. {@code null} is permitted but will be 144b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * converted into an empty string. 145b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin */ 146b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin @Override 147b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin String chooseClientKeyIdentity(String identityHint, Socket socket); 148b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin 149b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin /** 150b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * Gets the PSK identity to report to the server to help agree on the PSK for the provided 151b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * engine. 152b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * 153b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * @param identityHint identity hint provided by the server or {@code null} if none provided. 154b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * 155b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * @return PSK identity to provide to the server. {@code null} is permitted but will be 156b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * converted into an empty string. 157b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin */ 158b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin @Override 159b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin String chooseClientKeyIdentity(String identityHint, SSLEngine engine); 160b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin 161b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin /** 162b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * Gets the PSK to use for the provided socket. 163b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * 164b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * @param identityHint identity hint provided by the server to help select the key or 165b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * {@code null} if none provided. 166b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * @param identity identity provided by the client to help select the key. 167b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * 168b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * @return key or {@code null} to signal to peer that no suitable key is available and to abort 169b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * the handshake. 170b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin */ 171b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin @Override 172b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin SecretKey getKey(String identityHint, String identity, Socket socket); 173b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin 174b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin /** 175b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * Gets the PSK to use for the provided engine. 176b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * 177b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * @param identityHint identity hint provided by the server to help select the key or 178b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * {@code null} if none provided. 179b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * @param identity identity provided by the client to help select the key. 180b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * 181b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * @return key or {@code null} to signal to peer that no suitable key is available and to abort 182b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * the handshake. 183b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin */ 184b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin @Override 185b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin SecretKey getKey(String identityHint, String identity, SSLEngine engine); 186b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin} 187