Module tech.kwik.agent15

Package net.luminis.tls.engine.impl

Class TlsClientEngineImpl

java.lang.Object

net.luminis.tls.engine.impl.TlsEngineImpl

net.luminis.tls.engine.impl.TlsClientEngineImpl

All Implemented Interfaces:

ClientMessageProcessor, MessageProcessor, TlsClientEngine, TlsEngine, TrafficSecrets

public class TlsClientEngineImpl
extends TlsEngineImpl
implements TlsClientEngine, ClientMessageProcessor

Field Summary

Fields

Modifier and Type	Field	Description
static java.util.List<TlsConstants.SignatureScheme>	AVAILABLE_SIGNATURES

Fields inherited from class net.luminis.tls.engine.impl.TlsEngineImpl

algorithmMapping, privateKey, publicKey, state

Constructor Summary

Constructors

Constructor	Description
TlsClientEngineImpl(ClientMessageSender clientMessageSender, TlsStatusEventHandler tlsStatusHandler)

Method Summary

Modifier and Type	Method	Description
void	add(Extension extension)	Adds an extension to the list of extensions to be included in the ClientHello message.
void	addExtensions(java.util.List<Extension> extensions)	Adds extensions to the list of extensions to be included in the ClientHello message.
void	addSupportedCiphers(java.util.List<TlsConstants.CipherSuite> supportedCiphers)	Adds ciphers to the list of the symmetric cipher options supported by the client (specifically the record protection algorithm (including secret key length) and a hash to be used with HKDF), in descending order of client preference.
protected void	checkCertificateValidity(java.util.List<java.security.cert.X509Certificate> certificates)
java.util.List<NewSessionTicket>	getNewSessionTickets()	Returns tickets provided by the current connection.
TlsConstants.CipherSuite	getSelectedCipher()	Returns the selected (negotiated) cipher suite.
java.util.List<java.security.cert.X509Certificate>	getServerCertificateChain()	Returns the server certificate chain.
boolean	handshakeFinished()	Returns whether the handshake has (successfully) finished.
void	received(CertificateMessage certificateMessage, ProtectionKeysType protectedBy)
void	received(CertificateRequestMessage certificateRequestMessage, ProtectionKeysType protectedBy)
void	received(CertificateVerifyMessage certificateVerifyMessage, ProtectionKeysType protectedBy)
void	received(EncryptedExtensions encryptedExtensions, ProtectionKeysType protectedBy)
void	received(FinishedMessage finishedMessage, ProtectionKeysType protectedBy)
void	received(NewSessionTicketMessage nst, ProtectionKeysType protectedBy)
void	received(ServerHello serverHello, ProtectionKeysType protectedBy)	Updates the (handshake) state with a received Server Hello message.
void	setClientCertificateCallback(java.util.function.Function<java.util.List<javax.security.auth.x500.X500Principal>,CertificateWithPrivateKey> callback)	Set the callback to be used for selecting the client certificate (for client authentication).
void	setCompatibilityMode(boolean compatibilityMode)	Sets the compatibility mode, see https://davidwong.fr/tls13/#appendix-D.4 Only for use in a TLS 1.3 context.
void	setHostnameVerifier(HostnameVerifier hostnameVerifier)	Sets the hostname verifier to use for verifying the server name against the server certificate.
void	setNewSessionTicket(NewSessionTicket newSessionTicket)	Add ticket to use for a new session.
void	setServerName(java.lang.String serverName)	Set the name of the server that is connected; will be used in the SNI extension.
void	setTrustManager(javax.net.ssl.X509TrustManager customTrustManager)	Sets the trust manager to use for verifying the server certificate.
void	startHandshake()	Start TLS handshake with default parameters
void	startHandshake(TlsConstants.NamedGroup ecCurve)	Start TLS handshake with given parameters
void	startHandshake(TlsConstants.NamedGroup ecCurve, java.util.List<TlsConstants.SignatureScheme> signatureSchemes)	Start TLS handshake with given parameters
protected boolean	verifySignature(byte[] signatureToVerify, TlsConstants.SignatureScheme signatureScheme, java.security.cert.Certificate certificate, byte[] transcriptHash)

Methods inherited from class net.luminis.tls.engine.impl.TlsEngineImpl

computeFinishedVerifyData, computeSignature, generateKeys, getClientApplicationTrafficSecret, getClientEarlyTrafficSecret, getClientHandshakeTrafficSecret, getServerApplicationTrafficSecret, getServerHandshakeTrafficSecret, getSignatureAlgorithm, hashLength, keyLength, recognizedExtension

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface net.luminis.tls.engine.ClientMessageProcessor

received

Methods inherited from interface net.luminis.tls.engine.TrafficSecrets

getClientApplicationTrafficSecret, getClientEarlyTrafficSecret, getClientHandshakeTrafficSecret, getServerApplicationTrafficSecret, getServerHandshakeTrafficSecret

Field Detail

AVAILABLE_SIGNATURES

public static final java.util.List<TlsConstants.SignatureScheme> AVAILABLE_SIGNATURES

Constructor Detail

TlsClientEngineImpl

public TlsClientEngineImpl(ClientMessageSender clientMessageSender,
                           TlsStatusEventHandler tlsStatusHandler)

Method Detail

startHandshake

public void startHandshake()
                    throws java.io.IOException

Description copied from interface: TlsClientEngine

Start TLS handshake with default parameters

Specified by:

startHandshake in interface TlsClientEngine

Throws:

java.io.IOException

startHandshake

public void startHandshake(TlsConstants.NamedGroup ecCurve)
                    throws java.io.IOException

Description copied from interface: TlsClientEngine

Start TLS handshake with given parameters

Specified by:

startHandshake in interface TlsClientEngine

Parameters:

ecCurve - the EC named group to use both for the DHE key generation (and thus for the key share extension) and (as the only supported group) in the supported group extension.

Throws:

java.io.IOException

startHandshake

public void startHandshake(TlsConstants.NamedGroup ecCurve,
                           java.util.List<TlsConstants.SignatureScheme> signatureSchemes)
                    throws java.io.IOException

Start TLS handshake with given parameters

Specified by:

startHandshake in interface TlsClientEngine

Parameters:

ecCurve - the EC named group to use both for the DHE key generation (and thus for the key share extension) and (as the only supported group) in the supported group extension.

signatureSchemes - the signature algorithms this peer is willing to accept

Throws:

java.io.IOException

received

public void received(ServerHello serverHello,
                     ProtectionKeysType protectedBy)
              throws MissingExtensionAlert,
                     IllegalParameterAlert

Updates the (handshake) state with a received Server Hello message.

Specified by:

received in interface MessageProcessor

Specified by:

received in interface TlsClientEngine

Parameters:

serverHello -

protectedBy -

Throws:

MissingExtensionAlert

IllegalParameterAlert

received

public void received(EncryptedExtensions encryptedExtensions,
                     ProtectionKeysType protectedBy)
              throws TlsProtocolException

Specified by:

received in interface MessageProcessor

Specified by:

received in interface TlsClientEngine

Throws:

TlsProtocolException

received

public void received(CertificateMessage certificateMessage,
                     ProtectionKeysType protectedBy)
              throws TlsProtocolException

Specified by:

received in interface MessageProcessor

Specified by:

received in interface TlsClientEngine

Throws:

TlsProtocolException

received

public void received(CertificateVerifyMessage certificateVerifyMessage,
                     ProtectionKeysType protectedBy)
              throws TlsProtocolException

Specified by:

received in interface MessageProcessor

Specified by:

received in interface TlsClientEngine

Throws:

TlsProtocolException

received

public void received(FinishedMessage finishedMessage,
                     ProtectionKeysType protectedBy)
              throws ErrorAlert,
                     java.io.IOException

Specified by:

received in interface MessageProcessor

Specified by:

received in interface TlsClientEngine

Throws:

ErrorAlert

java.io.IOException

received

public void received(NewSessionTicketMessage nst,
                     ProtectionKeysType protectedBy)
              throws UnexpectedMessageAlert

Specified by:

received in interface MessageProcessor

Specified by:

received in interface TlsClientEngine

Throws:

UnexpectedMessageAlert

received

public void received(CertificateRequestMessage certificateRequestMessage,
                     ProtectionKeysType protectedBy)
              throws TlsProtocolException,
                     java.io.IOException

Specified by:

received in interface MessageProcessor

Specified by:

received in interface TlsClientEngine

Throws:

TlsProtocolException

java.io.IOException

verifySignature

protected boolean verifySignature(byte[] signatureToVerify,
                                  TlsConstants.SignatureScheme signatureScheme,
                                  java.security.cert.Certificate certificate,
                                  byte[] transcriptHash)
                           throws HandshakeFailureAlert

Throws:

HandshakeFailureAlert

checkCertificateValidity

protected void checkCertificateValidity(java.util.List<java.security.cert.X509Certificate> certificates)
                                 throws BadCertificateAlert

Throws:

BadCertificateAlert

setServerName

public void setServerName(java.lang.String serverName)

Description copied from interface: TlsClientEngine

Set the name of the server that is connected; will be used in the SNI extension.

Specified by:

setServerName in interface TlsClientEngine

setCompatibilityMode

public void setCompatibilityMode(boolean compatibilityMode)

Description copied from interface: TlsClientEngine

Sets the compatibility mode, see https://davidwong.fr/tls13/#appendix-D.4 Only for use in a TLS 1.3 context. Must _not_ be set for QUIC usage, see https://www.rfc-editor.org/rfc/rfc9001.html#name-prohibit-tls-middlebox-com: "A client MUST NOT request the use of the TLS 1.3 compatibility mode."

Specified by:

setCompatibilityMode in interface TlsClientEngine

addSupportedCiphers

public void addSupportedCiphers(java.util.List<TlsConstants.CipherSuite> supportedCiphers)

Description copied from interface: TlsClientEngine

Adds ciphers to the list of the symmetric cipher options supported by the client (specifically the record protection algorithm (including secret key length) and a hash to be used with HKDF), in descending order of client preference.

Specified by:

addSupportedCiphers in interface TlsClientEngine

addExtensions

public void addExtensions(java.util.List<Extension> extensions)

Description copied from interface: TlsClientEngine

Adds extensions to the list of extensions to be included in the ClientHello message.

Specified by:

addExtensions in interface TlsClientEngine

add

public void add(Extension extension)

Description copied from interface: TlsClientEngine

Adds an extension to the list of extensions to be included in the ClientHello message.

Specified by:

add in interface TlsClientEngine

setTrustManager

public void setTrustManager(javax.net.ssl.X509TrustManager customTrustManager)

Description copied from interface: TlsClientEngine

Sets the trust manager to use for verifying the server certificate. If not set, the default Java trust manager is used.

Specified by:

setTrustManager in interface TlsClientEngine

setNewSessionTicket

public void setNewSessionTicket(NewSessionTicket newSessionTicket)

Add ticket to use for a new session.

Specified by:

setNewSessionTicket in interface TlsClientEngine

Parameters:

newSessionTicket -

getSelectedCipher

public TlsConstants.CipherSuite getSelectedCipher()

Description copied from interface: TlsClientEngine

Returns the selected (negotiated) cipher suite.

Specified by:

getSelectedCipher in interface TlsClientEngine

Specified by:

getSelectedCipher in class TlsEngineImpl

Returns:

getNewSessionTickets

public java.util.List<NewSessionTicket> getNewSessionTickets()

Returns tickets provided by the current connection.

Specified by:

getNewSessionTickets in interface TlsClientEngine

Returns:

getServerCertificateChain

public java.util.List<java.security.cert.X509Certificate> getServerCertificateChain()

Description copied from interface: TlsClientEngine

Returns the server certificate chain.

Specified by:

getServerCertificateChain in interface TlsClientEngine

Returns:

setHostnameVerifier

public void setHostnameVerifier(HostnameVerifier hostnameVerifier)

Description copied from interface: TlsClientEngine

Sets the hostname verifier to use for verifying the server name against the server certificate. If not set, the DefaultHostnameVerifier is used, which checks that - the server name equals the CN part of the certificate's subject DN, or - the server name matches one of the dnsName-type "Subject Alternative Name" entries of the certificate.

Specified by:

setHostnameVerifier in interface TlsClientEngine

handshakeFinished

public boolean handshakeFinished()

Description copied from interface: TlsClientEngine

Returns whether the handshake has (successfully) finished.

Specified by:

handshakeFinished in interface TlsClientEngine

Returns:

setClientCertificateCallback

public void setClientCertificateCallback(java.util.function.Function<java.util.List<javax.security.auth.x500.X500Principal>,CertificateWithPrivateKey> callback)

Description copied from interface: TlsClientEngine

Set the callback to be used for selecting the client certificate (for client authentication).

Specified by:

setClientCertificateCallback in interface TlsClientEngine