org.bouncycastle.tls.TlsServerProtocol Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of impersonator Show documentation
Show all versions of impersonator Show documentation
Spoof TLS/JA3/JA4 and HTTP/2 fingerprints in Java
package org.bouncycastle.tls;
import org.bouncycastle.tls.crypto.TlsAgreement;
import org.bouncycastle.tls.crypto.TlsCrypto;
import org.bouncycastle.tls.crypto.TlsDHConfig;
import org.bouncycastle.tls.crypto.TlsECConfig;
import org.bouncycastle.tls.crypto.TlsKemConfig;
import org.bouncycastle.tls.crypto.TlsSecret;
import org.bouncycastle.util.Arrays;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Vector;
public class TlsServerProtocol
extends TlsProtocol
{
protected TlsServer tlsServer = null;
TlsServerContextImpl tlsServerContext = null;
protected int[] offeredCipherSuites = null;
protected TlsKeyExchange keyExchange = null;
protected CertificateRequest certificateRequest = null;
/**
* Constructor for non-blocking mode.
*
* When data is received, use {@link #offerInput(byte[])} to provide the received ciphertext,
* then use {@link #readInput(byte[], int, int)} to read the corresponding cleartext.
*
* Similarly, when data needs to be sent, use {@link #writeApplicationData(byte[], int, int)} to
* provide the cleartext, then use {@link #readOutput(byte[], int, int)} to get the
* corresponding ciphertext.
*/
public TlsServerProtocol()
{
super();
}
/**
* Constructor for blocking mode.
* @param input The stream of data from the client
* @param output The stream of data to the client
*/
public TlsServerProtocol(InputStream input, OutputStream output)
{
super(input, output);
}
/**
* Receives a TLS handshake in the role of server.
*
* In blocking mode, this will not return until the handshake is complete.
* In non-blocking mode, use {@link TlsPeer#notifyHandshakeComplete()} to
* receive a callback when the handshake is complete.
*
* @param tlsServer
* @throws IOException If in blocking mode and handshake was not successful.
*/
public void accept(TlsServer tlsServer) throws IOException
{
if (tlsServer == null)
{
throw new IllegalArgumentException("'tlsServer' cannot be null");
}
if (this.tlsServer != null)
{
throw new IllegalStateException("'accept' can only be called once");
}
this.tlsServer = tlsServer;
this.tlsServerContext = new TlsServerContextImpl(tlsServer.getCrypto());
tlsServer.init(tlsServerContext);
tlsServer.notifyCloseHandle(this);
beginHandshake(false);
if (blocking)
{
blockForHandshake();
}
}
// public boolean renegotiate() throws IOException
// {
// boolean allowed = super.renegotiate();
// if (allowed)
// {
// sendHelloRequestMessage();
// }
// return allowed;
// }
protected void cleanupHandshake()
{
super.cleanupHandshake();
this.offeredCipherSuites = null;
this.keyExchange = null;
this.certificateRequest = null;
}
protected boolean expectCertificateVerifyMessage()
{
if (null == certificateRequest)
{
return false;
}
Certificate clientCertificate = tlsServerContext.getSecurityParametersHandshake().getPeerCertificate();
return null != clientCertificate && !clientCertificate.isEmpty()
&& (null == keyExchange || keyExchange.requiresCertificateVerify());
}
protected ServerHello generate13HelloRetryRequest(ClientHello clientHello) throws IOException
{
// TODO[tls13] In future there might be other reasons for a HelloRetryRequest.
if (retryGroup < 0)
{
throw new TlsFatalAlert(AlertDescription.internal_error);
}
SecurityParameters securityParameters = tlsServerContext.getSecurityParametersHandshake();
ProtocolVersion serverVersion = securityParameters.getNegotiatedVersion();
Map serverHelloExtensions = new LinkedHashMap<>();
TlsExtensionsUtils.addSupportedVersionsExtensionServer(serverHelloExtensions, serverVersion);
if (retryGroup >= 0)
{
TlsExtensionsUtils.addKeyShareHelloRetryRequest(serverHelloExtensions, retryGroup);
}
if (null != retryCookie)
{
TlsExtensionsUtils.addCookieExtension(serverHelloExtensions, retryCookie);
}
TlsUtils.checkExtensionData13(serverHelloExtensions, HandshakeType.hello_retry_request,
AlertDescription.internal_error);
return new ServerHello(clientHello.getSessionID(), securityParameters.getCipherSuite(), serverHelloExtensions);
}
protected ServerHello generate13ServerHello(ClientHello clientHello, HandshakeMessageInput clientHelloMessage,
boolean afterHelloRetryRequest) throws IOException
{
SecurityParameters securityParameters = tlsServerContext.getSecurityParametersHandshake();
if (securityParameters.isRenegotiating())
{
throw new TlsFatalAlert(AlertDescription.internal_error);
}
byte[] legacy_session_id = clientHello.getSessionID();
Map clientHelloExtensions = clientHello.getExtensions();
if (null == clientHelloExtensions)
{
throw new TlsFatalAlert(AlertDescription.missing_extension);
}
ProtocolVersion serverVersion = securityParameters.getNegotiatedVersion();
TlsCrypto crypto = tlsServerContext.getCrypto();
// NOTE: Will only select for psk_dhe_ke
OfferedPsks.SelectedConfig selectedPSK = TlsUtils.selectPreSharedKey(tlsServerContext, tlsServer,
clientHelloExtensions, clientHelloMessage, handshakeHash, afterHelloRetryRequest);
Vector clientShares = TlsExtensionsUtils.getKeyShareClientHello(clientHelloExtensions);
KeyShareEntry clientShare = null;
if (afterHelloRetryRequest)
{
if (retryGroup < 0)
{
throw new TlsFatalAlert(AlertDescription.internal_error);
}
if (null == selectedPSK)
{
/*
* RFC 8446 4.2.3. If a server is authenticating via a certificate and the client has
* not sent a "signature_algorithms" extension, then the server MUST abort the handshake
* with a "missing_extension" alert.
*/
if (null == securityParameters.getClientSigAlgs())
{
throw new TlsFatalAlert(AlertDescription.missing_extension);
}
}
else
{
// TODO[tls13] Maybe filter the offered PSKs by PRF algorithm before server selection instead
if (selectedPSK.psk.getPRFAlgorithm() != securityParameters.getPRFAlgorithm())
{
throw new TlsFatalAlert(AlertDescription.illegal_parameter);
}
}
/*
* TODO[tls13] Confirm fields in the ClientHello haven't changed
*
* RFC 8446 4.1.2 [..] when the server has responded to its ClientHello with a
* HelloRetryRequest [..] the client MUST send the same ClientHello without
* modification, except as follows: [key_share, early_data, cookie, pre_shared_key,
* padding].
*/
byte[] cookie = TlsExtensionsUtils.getCookieExtension(clientHelloExtensions);
if (!Arrays.areEqual(retryCookie, cookie))
{
throw new TlsFatalAlert(AlertDescription.illegal_parameter);
}
this.retryCookie = null;
clientShare = TlsUtils.selectKeyShare(clientShares, retryGroup);
if (null == clientShare)
{
throw new TlsFatalAlert(AlertDescription.illegal_parameter);
}
}
else
{
{
securityParameters.serverRandom = createRandomBlock(false, tlsServerContext);
if (!serverVersion.equals(ProtocolVersion.getLatestTLS(tlsServer.getProtocolVersions())))
{
TlsUtils.writeDowngradeMarker(serverVersion, securityParameters.getServerRandom());
}
}
this.clientExtensions = clientHelloExtensions;
securityParameters.secureRenegotiation = false;
// NOTE: Validates the padding extension data, if present
TlsExtensionsUtils.getPaddingExtension(clientHelloExtensions);
securityParameters.clientServerNames = TlsExtensionsUtils
.getServerNameExtensionClient(clientHelloExtensions);
TlsUtils.establishClientSigAlgs(securityParameters, clientHelloExtensions);
/*
* RFC 8446 4.2.3. If a server is authenticating via a certificate and the client has
* not sent a "signature_algorithms" extension, then the server MUST abort the handshake
* with a "missing_extension" alert.
*/
if (null == selectedPSK && null == securityParameters.getClientSigAlgs())
{
throw new TlsFatalAlert(AlertDescription.missing_extension);
}
tlsServer.processClientExtensions(clientHelloExtensions);
/*
* NOTE: Currently no server support for session resumption
*
* If adding support, ensure securityParameters.tlsUnique is set to the localVerifyData, but
* ONLY when extended_master_secret has been negotiated (otherwise NULL).
*/
{
// TODO[tls13] Resumption/PSK
securityParameters.resumedSession = false;
this.tlsSession = TlsUtils.importSession(TlsUtils.EMPTY_BYTES, null);
this.sessionParameters = null;
this.sessionMasterSecret = null;
}
securityParameters.sessionID = tlsSession.getSessionID();
tlsServer.notifySession(tlsSession);
TlsUtils.negotiatedVersionTLSServer(tlsServerContext);
{
// TODO[tls13] Constrain selection when PSK selected
int cipherSuite = tlsServer.getSelectedCipherSuite();
if (!TlsUtils.isValidCipherSuiteSelection(offeredCipherSuites, cipherSuite) ||
!TlsUtils.isValidVersionForCipherSuite(cipherSuite, serverVersion))
{
throw new TlsFatalAlert(AlertDescription.internal_error);
}
TlsUtils.negotiatedCipherSuite(securityParameters, cipherSuite);
}
int[] clientSupportedGroups = securityParameters.getClientSupportedGroups();
int[] serverSupportedGroups = securityParameters.getServerSupportedGroups();
clientShare = TlsUtils.selectKeyShare(crypto, serverVersion, clientShares, clientSupportedGroups,
serverSupportedGroups);
if (null == clientShare)
{
this.retryGroup = TlsUtils.selectKeyShareGroup(crypto, serverVersion, clientSupportedGroups,
serverSupportedGroups);
if (retryGroup < 0)
{
throw new TlsFatalAlert(AlertDescription.handshake_failure);
}
this.retryCookie = tlsServerContext.getNonceGenerator().generateNonce(16);
return generate13HelloRetryRequest(clientHello);
}
if (clientShare.getNamedGroup() != serverSupportedGroups[0])
{
/*
* TODO[tls13] RFC 8446 4.2.7. As of TLS 1.3, servers are permitted to send the
* "supported_groups" extension to the client. Clients MUST NOT act upon any
* information found in "supported_groups" prior to successful completion of the
* handshake but MAY use the information learned from a successfully completed
* handshake to change what groups they use in their "key_share" extension in
* subsequent connections. If the server has a group it prefers to the ones in the
* "key_share" extension but is still willing to accept the ClientHello, it SHOULD
* send "supported_groups" to update the client's view of its preferences; this
* extension SHOULD contain all groups the server supports, regardless of whether
* they are currently supported by the client.
*/
}
}
Map serverHelloExtensions = new LinkedHashMap<>();
Map serverEncryptedExtensions = TlsExtensionsUtils.ensureExtensionsInitialised(tlsServer.getServerExtensions());
tlsServer.getServerExtensionsForConnection(serverEncryptedExtensions);
ProtocolVersion serverLegacyVersion = ProtocolVersion.TLSv12;
TlsExtensionsUtils.addSupportedVersionsExtensionServer(serverHelloExtensions, serverVersion);
/*
* RFC 8446 Appendix D. Because TLS 1.3 always hashes in the transcript up to the server
* Finished, implementations which support both TLS 1.3 and earlier versions SHOULD indicate
* the use of the Extended Master Secret extension in their APIs whenever TLS 1.3 is used.
*/
securityParameters.extendedMasterSecret = true;
/*
* RFC 7301 3.1. When session resumption or session tickets [...] are used, the previous
* contents of this extension are irrelevant, and only the values in the new handshake
* messages are considered.
*/
securityParameters.applicationProtocol = TlsExtensionsUtils.getALPNExtensionServer(serverEncryptedExtensions);
securityParameters.applicationProtocolSet = true;
if (!serverEncryptedExtensions.isEmpty())
{
securityParameters.maxFragmentLength = TlsUtils.processMaxFragmentLengthExtension(
securityParameters.isResumedSession() ? null : clientHelloExtensions, serverEncryptedExtensions,
AlertDescription.internal_error);
if (!securityParameters.isResumedSession())
{
securityParameters.clientCertificateType = TlsUtils.processClientCertificateTypeExtension13(
clientHelloExtensions, serverEncryptedExtensions, AlertDescription.internal_error);
securityParameters.serverCertificateType = TlsUtils.processServerCertificateTypeExtension13(
clientHelloExtensions, serverEncryptedExtensions, AlertDescription.internal_error);
}
}
securityParameters.encryptThenMAC = false;
securityParameters.truncatedHMac = false;
/*
* TODO[tls13] RFC 8446 4.4.2.1. OCSP Status and SCT Extensions.
*
* OCSP information is carried in an extension for a CertificateEntry.
*/
securityParameters.statusRequestVersion = clientHelloExtensions.containsKey(TlsExtensionsUtils.EXT_status_request)
? 1 : 0;
this.expectSessionTicket = false;
TlsSecret pskEarlySecret = null;
if (null != selectedPSK)
{
pskEarlySecret = selectedPSK.earlySecret;
this.selectedPSK13 = true;
TlsExtensionsUtils.addPreSharedKeyServerHello(serverHelloExtensions, selectedPSK.index);
}
TlsSecret sharedSecret;
{
int namedGroup = clientShare.getNamedGroup();
TlsAgreement agreement;
if (NamedGroup.refersToAnECDHCurve(namedGroup))
{
agreement = crypto.createECDomain(new TlsECConfig(namedGroup)).createECDH();
}
else if (NamedGroup.refersToASpecificFiniteField(namedGroup))
{
agreement = crypto.createDHDomain(new TlsDHConfig(namedGroup, true)).createDH();
}
else if (NamedGroup.refersToASpecificKem(namedGroup))
{
agreement = crypto.createKemDomain(new TlsKemConfig(namedGroup, true)).createKem();
}
else
{
throw new TlsFatalAlert(AlertDescription.internal_error);
}
agreement.receivePeerValue(clientShare.getKeyExchange());
byte[] key_exchange = agreement.generateEphemeral();
KeyShareEntry serverShare = new KeyShareEntry(namedGroup, key_exchange);
TlsExtensionsUtils.addKeyShareServerHello(serverHelloExtensions, serverShare);
sharedSecret = agreement.calculateSecret();
}
TlsUtils.establish13PhaseSecrets(tlsServerContext, pskEarlySecret, sharedSecret);
this.serverExtensions = serverEncryptedExtensions;
applyMaxFragmentLengthExtension(securityParameters.getMaxFragmentLength());
TlsUtils.checkExtensionData13(serverHelloExtensions, HandshakeType.server_hello,
AlertDescription.internal_error);
return new ServerHello(serverLegacyVersion, securityParameters.getServerRandom(), legacy_session_id,
securityParameters.getCipherSuite(), serverHelloExtensions);
}
protected ServerHello generateServerHello(ClientHello clientHello, HandshakeMessageInput clientHelloMessage)
throws IOException
{
ProtocolVersion clientLegacyVersion = clientHello.getVersion();
if (!clientLegacyVersion.isTLS())
{
throw new TlsFatalAlert(AlertDescription.illegal_parameter);
}
this.offeredCipherSuites = clientHello.getCipherSuites();
SecurityParameters securityParameters = tlsServerContext.getSecurityParametersHandshake();
tlsServerContext.setClientSupportedVersions(
TlsExtensionsUtils.getSupportedVersionsExtensionClient(clientHello.getExtensions()));
ProtocolVersion clientVersion = clientLegacyVersion;
if (null == tlsServerContext.getClientSupportedVersions())
{
if (clientVersion.isLaterVersionOf(ProtocolVersion.TLSv12))
{
clientVersion = ProtocolVersion.TLSv12;
}
tlsServerContext.setClientSupportedVersions(clientVersion.downTo(ProtocolVersion.SSLv3));
}
else
{
clientVersion = ProtocolVersion.getLatestTLS(tlsServerContext.getClientSupportedVersions());
}
// Set the legacy_record_version to use for early alerts
recordStream.setWriteVersion(clientVersion);
if (!ProtocolVersion.SERVER_EARLIEST_SUPPORTED_TLS.isEqualOrEarlierVersionOf(clientVersion))
{
throw new TlsFatalAlert(AlertDescription.protocol_version);
}
if (securityParameters.isRenegotiating())
{
// Check that this is either the originally offered version or the negotiated version
if (!clientVersion.equals(tlsServerContext.getClientVersion()) &&
!clientVersion.equals(tlsServerContext.getServerVersion()))
{
throw new TlsFatalAlert(AlertDescription.illegal_parameter);
}
}
else
{
tlsServerContext.setClientVersion(clientVersion);
}
tlsServer.notifyClientVersion(tlsServerContext.getClientVersion());
securityParameters.clientRandom = clientHello.getRandom();
tlsServer.notifyFallback(Arrays.contains(offeredCipherSuites, CipherSuite.TLS_FALLBACK_SCSV));
tlsServer.notifyOfferedCipherSuites(offeredCipherSuites);
// TODO[tls13] Negotiate cipher suite first?
ProtocolVersion serverVersion;
if (securityParameters.isRenegotiating())
{
// Always select the negotiated version from the initial handshake
serverVersion = tlsServerContext.getServerVersion();
}
else
{
serverVersion = tlsServer.getServerVersion();
if (!ProtocolVersion.contains(tlsServerContext.getClientSupportedVersions(), serverVersion))
{
throw new TlsFatalAlert(AlertDescription.internal_error);
}
securityParameters.negotiatedVersion = serverVersion;
}
securityParameters.clientSupportedGroups = TlsExtensionsUtils.getSupportedGroupsExtension(
clientHello.getExtensions());
securityParameters.serverSupportedGroups = tlsServer.getSupportedGroups();
if (ProtocolVersion.TLSv13.isEqualOrEarlierVersionOf(serverVersion))
{
// See RFC 8446 D.4.
recordStream.setIgnoreChangeCipherSpec(true);
recordStream.setWriteVersion(ProtocolVersion.TLSv12);
return generate13ServerHello(clientHello, clientHelloMessage, false);
}
recordStream.setWriteVersion(serverVersion);
{
boolean useGMTUnixTime = tlsServer.shouldUseGMTUnixTime();
securityParameters.serverRandom = createRandomBlock(useGMTUnixTime, tlsServerContext);
if (!serverVersion.equals(ProtocolVersion.getLatestTLS(tlsServer.getProtocolVersions())))
{
TlsUtils.writeDowngradeMarker(serverVersion, securityParameters.getServerRandom());
}
}
this.clientExtensions = clientHello.getExtensions();
byte[] clientRenegExtData = TlsUtils.getExtensionData(clientExtensions, EXT_RenegotiationInfo);
if (securityParameters.isRenegotiating())
{
/*
* RFC 5746 3.7. Server Behavior: Secure Renegotiation
*
* This text applies if the connection's "secure_renegotiation" flag is set to TRUE.
*/
if (!securityParameters.isSecureRenegotiation())
{
throw new TlsFatalAlert(AlertDescription.internal_error);
}
/*
* When a ClientHello is received, the server MUST verify that it does not contain the
* TLS_EMPTY_RENEGOTIATION_INFO_SCSV SCSV. If the SCSV is present, the server MUST abort
* the handshake.
*/
if (Arrays.contains(offeredCipherSuites, CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV))
{
throw new TlsFatalAlert(AlertDescription.handshake_failure);
}
/*
* The server MUST verify that the "renegotiation_info" extension is present; if it is
* not, the server MUST abort the handshake.
*/
if (null == clientRenegExtData)
{
throw new TlsFatalAlert(AlertDescription.handshake_failure);
}
/*
* The server MUST verify that the value of the "renegotiated_connection" field is equal
* to the saved client_verify_data value; if it is not, the server MUST abort the
* handshake.
*/
SecurityParameters saved = tlsServerContext.getSecurityParametersConnection();
byte[] reneg_conn_info = saved.getPeerVerifyData();
if (!Arrays.constantTimeAreEqual(clientRenegExtData, createRenegotiationInfo(reneg_conn_info)))
{
throw new TlsFatalAlert(AlertDescription.handshake_failure);
}
}
else
{
/*
* RFC 5746 3.6. Server Behavior: Initial Handshake (both full and session-resumption)
*/
/*
* RFC 5746 3.4. The client MUST include either an empty "renegotiation_info" extension,
* or the TLS_EMPTY_RENEGOTIATION_INFO_SCSV signaling cipher suite value in the
* ClientHello. Including both is NOT RECOMMENDED.
*/
/*
* When a ClientHello is received, the server MUST check if it includes the
* TLS_EMPTY_RENEGOTIATION_INFO_SCSV SCSV. If it does, set the secure_renegotiation flag
* to TRUE.
*/
if (Arrays.contains(offeredCipherSuites, CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV))
{
securityParameters.secureRenegotiation = true;
}
/*
* The server MUST check if the "renegotiation_info" extension is included in the
* ClientHello.
*/
if (clientRenegExtData != null)
{
/*
* If the extension is present, set secure_renegotiation flag to TRUE. The
* server MUST then verify that the length of the "renegotiated_connection"
* field is zero, and if it is not, MUST abort the handshake.
*/
securityParameters.secureRenegotiation = true;
if (!Arrays.constantTimeAreEqual(clientRenegExtData, createRenegotiationInfo(TlsUtils.EMPTY_BYTES)))
{
throw new TlsFatalAlert(AlertDescription.handshake_failure);
}
}
}
tlsServer.notifySecureRenegotiation(securityParameters.isSecureRenegotiation());
if (clientExtensions != null)
{
// NOTE: Validates the padding extension data, if present
TlsExtensionsUtils.getPaddingExtension(clientExtensions);
securityParameters.clientServerNames = TlsExtensionsUtils.getServerNameExtensionClient(clientExtensions);
/*
* RFC 5246 7.4.1.4.1. Note: this extension is not meaningful for TLS versions prior
* to 1.2. Clients MUST NOT offer it if they are offering prior versions.
*/
if (TlsUtils.isSignatureAlgorithmsExtensionAllowed(clientVersion))
{
TlsUtils.establishClientSigAlgs(securityParameters, clientExtensions);
}
securityParameters.clientSupportedGroups = TlsExtensionsUtils.getSupportedGroupsExtension(clientExtensions);
tlsServer.processClientExtensions(clientExtensions);
}
TlsSession sessionToResume = tlsServer.getSessionToResume(clientHello.getSessionID());
boolean resumedSession = establishSession(sessionToResume);
if (resumedSession && !serverVersion.equals(sessionParameters.getNegotiatedVersion()))
{
resumedSession = false;
}
// TODO Check the session cipher suite is selectable by the same rules that getSelectedCipherSuite uses
// TODO Check the resumed session has a peer certificate if we NEED client-auth
// extended_master_secret
{
boolean negotiateEMS = false;
if (TlsUtils.isExtendedMasterSecretOptional(serverVersion) &&
tlsServer.shouldUseExtendedMasterSecret())
{
if (TlsExtensionsUtils.hasExtendedMasterSecretExtension(clientExtensions))
{
negotiateEMS = true;
}
else if (tlsServer.requiresExtendedMasterSecret())
{
throw new TlsFatalAlert(AlertDescription.handshake_failure,
"Extended Master Secret extension is required");
}
else if (resumedSession)
{
if (sessionParameters.isExtendedMasterSecret())
{
throw new TlsFatalAlert(AlertDescription.handshake_failure,
"Extended Master Secret extension is required for EMS session resumption");
}
if (!tlsServer.allowLegacyResumption())
{
throw new TlsFatalAlert(AlertDescription.handshake_failure,
"Extended Master Secret extension is required for legacy session resumption");
}
}
}
if (resumedSession && negotiateEMS != sessionParameters.isExtendedMasterSecret())
{
resumedSession = false;
}
securityParameters.extendedMasterSecret = negotiateEMS;
}
if (!resumedSession)
{
cancelSession();
byte[] newSessionID = tlsServer.getNewSessionID();
if (null == newSessionID)
{
newSessionID = TlsUtils.EMPTY_BYTES;
}
this.tlsSession = TlsUtils.importSession(newSessionID, null);
}
securityParameters.resumedSession = resumedSession;
securityParameters.sessionID = tlsSession.getSessionID();
tlsServer.notifySession(tlsSession);
TlsUtils.negotiatedVersionTLSServer(tlsServerContext);
{
int cipherSuite = resumedSession ? sessionParameters.getCipherSuite() : tlsServer.getSelectedCipherSuite();
if (!TlsUtils.isValidCipherSuiteSelection(offeredCipherSuites, cipherSuite) ||
!TlsUtils.isValidVersionForCipherSuite(cipherSuite, serverVersion))
{
throw new TlsFatalAlert(AlertDescription.internal_error);
}
TlsUtils.negotiatedCipherSuite(securityParameters, cipherSuite);
}
tlsServerContext.setRSAPreMasterSecretVersion(clientLegacyVersion);
{
Map sessionServerExtensions = resumedSession
? sessionParameters.readServerExtensions()
: tlsServer.getServerExtensions();
this.serverExtensions = TlsExtensionsUtils.ensureExtensionsInitialised(sessionServerExtensions);
}
tlsServer.getServerExtensionsForConnection(serverExtensions);
if (securityParameters.isRenegotiating())
{
/*
* The server MUST include a "renegotiation_info" extension containing the saved
* client_verify_data and server_verify_data in the ServerHello.
*/
if (!securityParameters.isSecureRenegotiation())
{
throw new TlsFatalAlert(AlertDescription.internal_error);
}
SecurityParameters saved = tlsServerContext.getSecurityParametersConnection();
byte[] reneg_conn_info = TlsUtils.concat(saved.getPeerVerifyData(), saved.getLocalVerifyData());
this.serverExtensions.put(EXT_RenegotiationInfo, createRenegotiationInfo(reneg_conn_info));
}
else
{
/*
* RFC 5746 3.6. Server Behavior: Initial Handshake (both full and session-resumption)
*/
if (securityParameters.isSecureRenegotiation())
{
byte[] serverRenegExtData = TlsUtils.getExtensionData(this.serverExtensions, EXT_RenegotiationInfo);
boolean noRenegExt = (null == serverRenegExtData);
if (noRenegExt)
{
/*
* Note that sending a "renegotiation_info" extension in response to a ClientHello
* containing only the SCSV is an explicit exception to the prohibition in RFC 5246,
* Section 7.4.1.4, on the server sending unsolicited extensions and is only allowed
* because the client is signaling its willingness to receive the extension via the
* TLS_EMPTY_RENEGOTIATION_INFO_SCSV SCSV.
*/
/*
* If the secure_renegotiation flag is set to TRUE, the server MUST include an empty
* "renegotiation_info" extension in the ServerHello message.
*/
this.serverExtensions.put(EXT_RenegotiationInfo, createRenegotiationInfo(TlsUtils.EMPTY_BYTES));
}
}
}
if (securityParameters.isExtendedMasterSecret())
{
TlsExtensionsUtils.addExtendedMasterSecretExtension(serverExtensions);
}
else
{
serverExtensions.remove(TlsExtensionsUtils.EXT_extended_master_secret);
}
securityParameters.applicationProtocol = TlsExtensionsUtils.getALPNExtensionServer(serverExtensions);
securityParameters.applicationProtocolSet = true;
if (!this.serverExtensions.isEmpty())
{
securityParameters.encryptThenMAC = TlsExtensionsUtils.hasEncryptThenMACExtension(serverExtensions);
securityParameters.maxFragmentLength = TlsUtils.processMaxFragmentLengthExtension(
resumedSession ? null : clientExtensions, serverExtensions, AlertDescription.internal_error);
securityParameters.truncatedHMac = TlsExtensionsUtils.hasTruncatedHMacExtension(serverExtensions);
if (!resumedSession)
{
if (TlsUtils.hasExpectedEmptyExtensionData(serverExtensions, TlsExtensionsUtils.EXT_status_request_v2,
AlertDescription.internal_error))
{
securityParameters.statusRequestVersion = 2;
}
else if (TlsUtils.hasExpectedEmptyExtensionData(serverExtensions, TlsExtensionsUtils.EXT_status_request,
AlertDescription.internal_error))
{
securityParameters.statusRequestVersion = 1;
}
securityParameters.clientCertificateType = TlsUtils.processClientCertificateTypeExtension(
clientExtensions, serverExtensions, AlertDescription.internal_error);
securityParameters.serverCertificateType = TlsUtils.processServerCertificateTypeExtension(
clientExtensions, serverExtensions, AlertDescription.internal_error);
this.expectSessionTicket = TlsUtils.hasExpectedEmptyExtensionData(serverExtensions,
TlsProtocol.EXT_SessionTicket, AlertDescription.internal_error);
}
}
applyMaxFragmentLengthExtension(securityParameters.getMaxFragmentLength());
return new ServerHello(serverVersion, securityParameters.getServerRandom(), securityParameters.getSessionID(),
securityParameters.getCipherSuite(), serverExtensions);
}
protected TlsContext getContext()
{
return tlsServerContext;
}
AbstractTlsContext getContextAdmin()
{
return tlsServerContext;
}
protected TlsPeer getPeer()
{
return tlsServer;
}
protected void handle13HandshakeMessage(short type, HandshakeMessageInput buf)
throws IOException
{
if (!isTLSv13ConnectionState())
{
throw new TlsFatalAlert(AlertDescription.internal_error);
}
/*
* TODO[tls13] Abbreviated handshakes (PSK resumption)
*
* NOTE: No CertificateRequest, Certificate, CertificateVerify messages, but client
* might now send EndOfEarlyData after receiving server Finished message.
*/
switch (type)
{
case HandshakeType.certificate:
{
switch (this.connection_state)
{
case CS_SERVER_FINISHED:
{
receive13ClientCertificate(buf);
this.connection_state = CS_CLIENT_CERTIFICATE;
break;
}
default:
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
break;
}
case HandshakeType.certificate_verify:
{
switch (this.connection_state)
{
case CS_CLIENT_CERTIFICATE:
{
receive13ClientCertificateVerify(buf);
buf.updateHash(handshakeHash);
this.connection_state = CS_CLIENT_CERTIFICATE_VERIFY;
break;
}
default:
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
break;
}
case HandshakeType.client_hello:
{
switch (this.connection_state)
{
case CS_START:
{
// NOTE: Legacy handler should be dispatching initial ClientHello.
throw new TlsFatalAlert(AlertDescription.internal_error);
}
case CS_SERVER_HELLO_RETRY_REQUEST:
{
ClientHello clientHelloRetry = receiveClientHelloMessage(buf);
this.connection_state = CS_CLIENT_HELLO_RETRY;
ServerHello serverHello = generate13ServerHello(clientHelloRetry, buf, true);
sendServerHelloMessage(serverHello);
this.connection_state = CS_SERVER_HELLO;
send13ServerHelloCoda(serverHello, true);
break;
}
default:
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
break;
}
case HandshakeType.finished:
{
switch (this.connection_state)
{
case CS_SERVER_FINISHED:
{
skip13ClientCertificate();
// NB: Fall through to next case label
}
case CS_CLIENT_CERTIFICATE:
{
skip13ClientCertificateVerify();
// NB: Fall through to next case label
}
case CS_CLIENT_CERTIFICATE_VERIFY:
{
receive13ClientFinished(buf);
this.connection_state = CS_CLIENT_FINISHED;
// See RFC 8446 D.4.
recordStream.setIgnoreChangeCipherSpec(false);
// NOTE: Completes the switch to application-data phase (server entered after CS_SERVER_FINISHED).
recordStream.enablePendingCipherRead(false);
completeHandshake();
break;
}
default:
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
break;
}
case HandshakeType.key_update:
{
receive13KeyUpdate(buf);
break;
}
case HandshakeType.certificate_request:
case HandshakeType.certificate_status:
case HandshakeType.certificate_url:
case HandshakeType.client_key_exchange:
case HandshakeType.compressed_certificate:
case HandshakeType.encrypted_extensions:
case HandshakeType.end_of_early_data:
case HandshakeType.hello_request:
case HandshakeType.hello_verify_request:
case HandshakeType.message_hash:
case HandshakeType.new_session_ticket:
case HandshakeType.server_hello:
case HandshakeType.server_hello_done:
case HandshakeType.server_key_exchange:
case HandshakeType.supplemental_data:
default:
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
}
protected void handleHandshakeMessage(short type, HandshakeMessageInput buf)
throws IOException
{
final SecurityParameters securityParameters = tlsServerContext.getSecurityParameters();
if (connection_state > CS_CLIENT_HELLO
&& TlsUtils.isTLSv13(securityParameters.getNegotiatedVersion()))
{
if (securityParameters.isResumedSession())
{
throw new TlsFatalAlert(AlertDescription.internal_error);
}
handle13HandshakeMessage(type, buf);
return;
}
if (!isLegacyConnectionState())
{
throw new TlsFatalAlert(AlertDescription.internal_error);
}
if (securityParameters.isResumedSession() && type != HandshakeType.client_hello)
{
if (type != HandshakeType.finished || this.connection_state != CS_SERVER_FINISHED)
{
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
processFinishedMessage(buf);
this.connection_state = CS_CLIENT_FINISHED;
completeHandshake();
return;
}
switch (type)
{
case HandshakeType.client_hello:
{
if (isApplicationDataReady())
{
if (!handleRenegotiation())
{
break;
}
this.connection_state = CS_START;
}
switch (this.connection_state)
{
case CS_END:
{
throw new TlsFatalAlert(AlertDescription.internal_error);
}
case CS_START:
{
ClientHello clientHello = receiveClientHelloMessage(buf);
this.connection_state = CS_CLIENT_HELLO;
ServerHello serverHello = generateServerHello(clientHello, buf);
handshakeHash.notifyPRFDetermined();
if (TlsUtils.isTLSv13(securityParameters.getNegotiatedVersion()))
{
handshakeHash.sealHashAlgorithms();
if (serverHello.isHelloRetryRequest())
{
TlsUtils.adjustTranscriptForRetry(handshakeHash);
sendServerHelloMessage(serverHello);
this.connection_state = CS_SERVER_HELLO_RETRY_REQUEST;
// See RFC 8446 D.4.
sendChangeCipherSpecMessage();
}
else
{
sendServerHelloMessage(serverHello);
this.connection_state = CS_SERVER_HELLO;
// See RFC 8446 D.4.
sendChangeCipherSpecMessage();
send13ServerHelloCoda(serverHello, false);
}
break;
}
// For TLS 1.3+, this was already done by generateServerHello
buf.updateHash(handshakeHash);
sendServerHelloMessage(serverHello);
this.connection_state = CS_SERVER_HELLO;
if (securityParameters.isResumedSession())
{
securityParameters.masterSecret = sessionMasterSecret;
recordStream.setPendingCipher(TlsUtils.initCipher(tlsServerContext));
sendChangeCipherSpec();
sendFinishedMessage();
this.connection_state = CS_SERVER_FINISHED;
break;
}
Vector serverSupplementalData = tlsServer.getServerSupplementalData();
if (serverSupplementalData != null)
{
sendSupplementalDataMessage(serverSupplementalData);
this.connection_state = CS_SERVER_SUPPLEMENTAL_DATA;
}
this.keyExchange = TlsUtils.initKeyExchangeServer(tlsServerContext, tlsServer);
TlsCredentials serverCredentials = null;
if (!KeyExchangeAlgorithm.isAnonymous(securityParameters.getKeyExchangeAlgorithm()))
{
serverCredentials = TlsUtils.establishServerCredentials(tlsServer);
}
// Server certificate
{
Certificate serverCertificate = null;
ByteArrayOutputStream endPointHash = new ByteArrayOutputStream();
if (null == serverCredentials)
{
this.keyExchange.skipServerCredentials();
}
else
{
this.keyExchange.processServerCredentials(serverCredentials);
serverCertificate = serverCredentials.getCertificate();
sendCertificateMessage(serverCertificate, endPointHash);
this.connection_state = CS_SERVER_CERTIFICATE;
}
securityParameters.tlsServerEndPoint = endPointHash.toByteArray();
// TODO[RFC 3546] Check whether empty certificates is possible, allowed, or excludes CertificateStatus
if (null == serverCertificate || serverCertificate.isEmpty())
{
securityParameters.statusRequestVersion = 0;
}
}
if (securityParameters.getStatusRequestVersion() > 0)
{
CertificateStatus certificateStatus = tlsServer.getCertificateStatus();
if (certificateStatus != null)
{
sendCertificateStatusMessage(certificateStatus);
this.connection_state = CS_SERVER_CERTIFICATE_STATUS;
}
}
byte[] serverKeyExchange = this.keyExchange.generateServerKeyExchange();
if (serverKeyExchange != null)
{
sendServerKeyExchangeMessage(serverKeyExchange);
this.connection_state = CS_SERVER_KEY_EXCHANGE;
}
if (null != serverCredentials)
{
this.certificateRequest = tlsServer.getCertificateRequest();
if (null == this.certificateRequest)
{
/*
* For static agreement key exchanges, CertificateRequest is required since
* the client Certificate message is mandatory but can only be sent if the
* server requests it.
*/
if (!keyExchange.requiresCertificateVerify())
{
throw new TlsFatalAlert(AlertDescription.internal_error);
}
}
else
{
if (TlsUtils.isTLSv12(tlsServerContext) != (certificateRequest.getSupportedSignatureAlgorithms() != null))
{
throw new TlsFatalAlert(AlertDescription.internal_error);
}
this.certificateRequest = TlsUtils.validateCertificateRequest(this.certificateRequest, this.keyExchange);
TlsUtils.establishServerSigAlgs(securityParameters, certificateRequest);
if (ProtocolVersion.TLSv12.equals(securityParameters.getNegotiatedVersion()))
{
TlsUtils.trackHashAlgorithms(handshakeHash, securityParameters.getServerSigAlgs());
if (tlsServerContext.getCrypto().hasAnyStreamVerifiers(securityParameters.getServerSigAlgs()))
{
handshakeHash.forceBuffering();
}
}
else
{
if (tlsServerContext.getCrypto().hasAnyStreamVerifiersLegacy(certificateRequest.getCertificateTypes()))
{
handshakeHash.forceBuffering();
}
}
}
}
handshakeHash.sealHashAlgorithms();
if (null != certificateRequest)
{
sendCertificateRequestMessage(certificateRequest);
this.connection_state = CS_SERVER_CERTIFICATE_REQUEST;
}
sendServerHelloDoneMessage();
this.connection_state = CS_SERVER_HELLO_DONE;
break;
}
default:
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
break;
}
case HandshakeType.supplemental_data:
{
switch (this.connection_state)
{
case CS_SERVER_HELLO_DONE:
{
tlsServer.processClientSupplementalData(readSupplementalDataMessage(buf));
this.connection_state = CS_CLIENT_SUPPLEMENTAL_DATA;
break;
}
default:
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
break;
}
case HandshakeType.certificate:
{
switch (this.connection_state)
{
case CS_SERVER_HELLO_DONE:
{
tlsServer.processClientSupplementalData(null);
// NB: Fall through to next case label
}
case CS_CLIENT_SUPPLEMENTAL_DATA:
{
receiveCertificateMessage(buf);
this.connection_state = CS_CLIENT_CERTIFICATE;
break;
}
default:
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
break;
}
case HandshakeType.client_key_exchange:
{
switch (this.connection_state)
{
case CS_SERVER_HELLO_DONE:
{
tlsServer.processClientSupplementalData(null);
// NB: Fall through to next case label
}
case CS_CLIENT_SUPPLEMENTAL_DATA:
{
if (null == certificateRequest)
{
this.keyExchange.skipClientCredentials();
}
else if (TlsUtils.isTLSv12(tlsServerContext))
{
/*
* RFC 5246 If no suitable certificate is available, the client MUST send a
* certificate message containing no certificates.
*
* NOTE: In previous RFCs, this was SHOULD instead of MUST.
*/
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
else if (TlsUtils.isSSL(tlsServerContext))
{
/*
* SSL 3.0 If the server has sent a certificate request Message, the client must
* send either the certificate message or a no_certificate alert.
*/
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
else
{
notifyClientCertificate(Certificate.EMPTY_CHAIN);
}
// NB: Fall through to next case label
}
case CS_CLIENT_CERTIFICATE:
{
receiveClientKeyExchangeMessage(buf);
this.connection_state = CS_CLIENT_KEY_EXCHANGE;
break;
}
default:
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
break;
}
case HandshakeType.certificate_verify:
{
switch (this.connection_state)
{
case CS_CLIENT_KEY_EXCHANGE:
{
/*
* RFC 5246 7.4.8 This message is only sent following a client certificate that has
* signing capability (i.e., all certificates except those containing fixed
* Diffie-Hellman parameters).
*/
if (!expectCertificateVerifyMessage())
{
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
receiveCertificateVerifyMessage(buf);
buf.updateHash(handshakeHash);
this.connection_state = CS_CLIENT_CERTIFICATE_VERIFY;
break;
}
default:
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
break;
}
case HandshakeType.finished:
{
switch (this.connection_state)
{
case CS_CLIENT_KEY_EXCHANGE:
{
if (expectCertificateVerifyMessage())
{
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
// NB: Fall through to next case label
}
case CS_CLIENT_CERTIFICATE_VERIFY:
{
processFinishedMessage(buf);
buf.updateHash(handshakeHash);
this.connection_state = CS_CLIENT_FINISHED;
if (this.expectSessionTicket)
{
/*
* TODO[new_session_ticket] Check the server-side rules regarding the session ID, since
* the client is going to ignore any session ID it received once it sees the
* new_session_ticket message.
*/
sendNewSessionTicketMessage(tlsServer.getNewSessionTicket());
this.connection_state = CS_SERVER_SESSION_TICKET;
}
sendChangeCipherSpec();
sendFinishedMessage();
this.connection_state = CS_SERVER_FINISHED;
completeHandshake();
break;
}
default:
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
break;
}
case HandshakeType.certificate_request:
case HandshakeType.certificate_status:
case HandshakeType.certificate_url:
case HandshakeType.compressed_certificate:
case HandshakeType.encrypted_extensions:
case HandshakeType.end_of_early_data:
case HandshakeType.hello_request:
case HandshakeType.hello_verify_request:
case HandshakeType.key_update:
case HandshakeType.message_hash:
case HandshakeType.new_session_ticket:
case HandshakeType.server_hello:
case HandshakeType.server_hello_done:
case HandshakeType.server_key_exchange:
default:
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
}
protected void handleAlertWarningMessage(short alertDescription)
throws IOException
{
/*
* SSL 3.0 If the server has sent a certificate request Message, the client must send
* either the certificate message or a no_certificate alert.
*/
if (AlertDescription.no_certificate == alertDescription && null != certificateRequest
&& TlsUtils.isSSL(tlsServerContext))
{
switch (this.connection_state)
{
case CS_SERVER_HELLO_DONE:
{
tlsServer.processClientSupplementalData(null);
// NB: Fall through to next case label
}
case CS_CLIENT_SUPPLEMENTAL_DATA:
{
notifyClientCertificate(Certificate.EMPTY_CHAIN);
this.connection_state = CS_CLIENT_CERTIFICATE;
return;
}
}
}
super.handleAlertWarningMessage(alertDescription);
}
protected void notifyClientCertificate(Certificate clientCertificate)
throws IOException
{
if (null == certificateRequest)
{
throw new TlsFatalAlert(AlertDescription.internal_error);
}
TlsUtils.processClientCertificate(tlsServerContext, clientCertificate, keyExchange, tlsServer);
}
protected void receive13ClientCertificate(ByteArrayInputStream buf)
throws IOException
{
// TODO[tls13] This currently just duplicates 'receiveCertificateMessage'
if (null == certificateRequest)
{
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
Certificate.ParseOptions options = new Certificate.ParseOptions()
.setCertificateType(tlsServerContext.getSecurityParametersHandshake().getClientCertificateType())
.setMaxChainLength(tlsServer.getMaxCertificateChainLength());
Certificate clientCertificate = Certificate.parse(options, tlsServerContext, buf, null);
assertEmpty(buf);
notifyClientCertificate(clientCertificate);
}
protected void receive13ClientCertificateVerify(ByteArrayInputStream buf)
throws IOException
{
Certificate clientCertificate = tlsServerContext.getSecurityParametersHandshake().getPeerCertificate();
if (null == clientCertificate || clientCertificate.isEmpty())
{
throw new TlsFatalAlert(AlertDescription.internal_error);
}
CertificateVerify certificateVerify = CertificateVerify.parse(tlsServerContext, buf);
assertEmpty(buf);
TlsUtils.verify13CertificateVerifyClient(tlsServerContext, handshakeHash, certificateVerify);
}
protected void receive13ClientFinished(ByteArrayInputStream buf) throws IOException
{
process13FinishedMessage(buf);
}
protected void receiveCertificateMessage(ByteArrayInputStream buf)
throws IOException
{
if (null == certificateRequest)
{
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
Certificate.ParseOptions options = new Certificate.ParseOptions()
.setCertificateType(tlsServerContext.getSecurityParametersHandshake().getClientCertificateType())
.setMaxChainLength(tlsServer.getMaxCertificateChainLength());
Certificate clientCertificate = Certificate.parse(options, tlsServerContext, buf, null);
assertEmpty(buf);
notifyClientCertificate(clientCertificate);
}
protected void receiveCertificateVerifyMessage(ByteArrayInputStream buf)
throws IOException
{
DigitallySigned certificateVerify = DigitallySigned.parse(tlsServerContext, buf);
assertEmpty(buf);
TlsUtils.verifyCertificateVerifyClient(tlsServerContext, certificateRequest, certificateVerify, handshakeHash);
handshakeHash.stopTracking();
}
protected ClientHello receiveClientHelloMessage(ByteArrayInputStream buf)
throws IOException
{
return ClientHello.parse(buf, null);
}
protected void receiveClientKeyExchangeMessage(ByteArrayInputStream buf)
throws IOException
{
keyExchange.processClientKeyExchange(buf);
assertEmpty(buf);
final boolean isSSL = TlsUtils.isSSL(tlsServerContext);
if (isSSL)
{
// NOTE: For SSLv3 (only), master_secret needed to calculate session hash
establishMasterSecret(tlsServerContext, keyExchange);
}
tlsServerContext.getSecurityParametersHandshake().sessionHash = TlsUtils.getCurrentPRFHash(handshakeHash);
if (!isSSL)
{
// NOTE: For (D)TLS, session hash potentially needed for extended_master_secret
establishMasterSecret(tlsServerContext, keyExchange);
}
recordStream.setPendingCipher(TlsUtils.initCipher(tlsServerContext));
if (!expectCertificateVerifyMessage())
{
handshakeHash.stopTracking();
}
}
protected void send13EncryptedExtensionsMessage(Map serverExtensions) throws IOException
{
// TODO[tls13] Avoid extra copy; use placeholder to write opaque-16 data directly to message buffer
byte[] extBytes = writeExtensionsData(serverExtensions);
HandshakeMessageOutput message = new HandshakeMessageOutput(HandshakeType.encrypted_extensions);
TlsUtils.writeOpaque16(extBytes, message);
message.send(this);
}
protected void send13ServerHelloCoda(ServerHello serverHello, boolean afterHelloRetryRequest) throws IOException
{
final SecurityParameters securityParameters = tlsServerContext.getSecurityParametersHandshake();
byte[] serverHelloTranscriptHash = TlsUtils.getCurrentPRFHash(handshakeHash);
TlsUtils.establish13PhaseHandshake(tlsServerContext, serverHelloTranscriptHash, recordStream);
recordStream.enablePendingCipherWrite();
recordStream.enablePendingCipherRead(true);
send13EncryptedExtensionsMessage(serverExtensions);
this.connection_state = CS_SERVER_ENCRYPTED_EXTENSIONS;
if (selectedPSK13)
{
/*
* For PSK-only key exchange, there's no CertificateRequest, Certificate, CertificateVerify.
*/
}
else
{
// CertificateRequest
{
this.certificateRequest = tlsServer.getCertificateRequest();
if (null != certificateRequest)
{
if (!certificateRequest.hasCertificateRequestContext(TlsUtils.EMPTY_BYTES))
{
throw new TlsFatalAlert(AlertDescription.internal_error);
}
TlsUtils.establishServerSigAlgs(securityParameters, certificateRequest);
sendCertificateRequestMessage(certificateRequest);
this.connection_state = CS_SERVER_CERTIFICATE_REQUEST;
}
}
TlsCredentialedSigner serverCredentials = TlsUtils.establish13ServerCredentials(tlsServer);
if (null == serverCredentials)
{
throw new TlsFatalAlert(AlertDescription.internal_error);
}
// Certificate
{
/*
* TODO[tls13] Note that we are expecting the TlsServer implementation to take care of e.g.
* adding optional "status_request" extension to each CertificateEntry.
*/
/*
* No CertificateStatus message is sent; TLS 1.3 uses per-CertificateEntry "status_request"
* extension instead.
*/
Certificate serverCertificate = serverCredentials.getCertificate();
send13CertificateMessage(serverCertificate);
securityParameters.tlsServerEndPoint = null;
this.connection_state = CS_SERVER_CERTIFICATE;
}
// CertificateVerify
{
DigitallySigned certificateVerify = TlsUtils.generate13CertificateVerify(tlsServerContext,
serverCredentials, handshakeHash);
send13CertificateVerifyMessage(certificateVerify);
this.connection_state = CS_CLIENT_CERTIFICATE_VERIFY;
}
}
// Finished
{
send13FinishedMessage();
this.connection_state = CS_SERVER_FINISHED;
}
byte[] serverFinishedTranscriptHash = TlsUtils.getCurrentPRFHash(handshakeHash);
TlsUtils.establish13PhaseApplication(tlsServerContext, serverFinishedTranscriptHash, recordStream);
recordStream.enablePendingCipherWrite();
}
protected void sendCertificateRequestMessage(CertificateRequest certificateRequest)
throws IOException
{
HandshakeMessageOutput message = new HandshakeMessageOutput(HandshakeType.certificate_request);
certificateRequest.encode(tlsServerContext, message);
message.send(this);
}
protected void sendCertificateStatusMessage(CertificateStatus certificateStatus)
throws IOException
{
HandshakeMessageOutput message = new HandshakeMessageOutput(HandshakeType.certificate_status);
// TODO[tls13] Ensure this cannot happen for (D)TLS1.3+
certificateStatus.encode(message);
message.send(this);
}
protected void sendHelloRequestMessage()
throws IOException
{
HandshakeMessageOutput.send(this, HandshakeType.hello_request, TlsUtils.EMPTY_BYTES);
}
protected void sendNewSessionTicketMessage(NewSessionTicket newSessionTicket)
throws IOException
{
if (newSessionTicket == null)
{
throw new TlsFatalAlert(AlertDescription.internal_error);
}
HandshakeMessageOutput message = new HandshakeMessageOutput(HandshakeType.new_session_ticket);
newSessionTicket.encode(message);
message.send(this);
}
protected void sendServerHelloDoneMessage()
throws IOException
{
HandshakeMessageOutput.send(this, HandshakeType.server_hello_done, TlsUtils.EMPTY_BYTES);
}
protected void sendServerHelloMessage(ServerHello serverHello)
throws IOException
{
HandshakeMessageOutput message = new HandshakeMessageOutput(HandshakeType.server_hello);
serverHello.encode(tlsServerContext, message);
message.send(this);
}
protected void sendServerKeyExchangeMessage(byte[] serverKeyExchange)
throws IOException
{
HandshakeMessageOutput.send(this, HandshakeType.server_key_exchange, serverKeyExchange);
}
protected void skip13ClientCertificate() throws IOException
{
if (null != certificateRequest)
{
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
}
protected void skip13ClientCertificateVerify() throws IOException
{
if (expectCertificateVerifyMessage())
{
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
}
}