Package org.bouncycastle.tls

Class AbstractTlsClient

java.lang.Object

org.bouncycastle.tls.AbstractTlsPeer

org.bouncycastle.tls.AbstractTlsClient

All Implemented Interfaces:

TlsClient, TlsPeer

Direct Known Subclasses:

DefaultTlsClient, PSKTlsClient, SRPTlsClient

public abstract class AbstractTlsClient
extends AbstractTlsPeer
implements TlsClient

Base class for a TLS client.

Field Summary

Fields

Modifier and Type	Field	Description
protected int[]	cipherSuites
protected TlsClientContext	context
protected ProtocolVersion[]	protocolVersions
protected Vector	supportedGroups
protected Vector	supportedSignatureAlgorithms
protected Vector	supportedSignatureAlgorithmsCert

Constructor Summary

Constructors

Constructor	Description
AbstractTlsClient(TlsCrypto crypto)

Method Summary

Modifier and Type	Method	Description
protected boolean	allowUnexpectedServerExtension(Integer extensionType, byte[] extensionData)
protected void	checkForUnexpectedServerExtension(Hashtable serverExtensions, Integer extensionType)
protected short[]	getAllowedClientCertificateTypes()
protected short[]	getAllowedServerCertificateTypes()
protected Vector	getCertificateAuthorities()
protected CertificateStatusRequest	getCertificateStatusRequest()
int[]	getCipherSuites()
Hashtable	getClientExtensions()
Vector	getClientSupplementalData()
TlsDHGroupVerifier	getDHGroupVerifier()
Vector	getEarlyKeyShareGroups()	If this client is offering TLS 1.3 or higher, this method may be called to determine for which groups a key share should be included in the initial ClientHello.
Vector	getExternalPSKs()	Return the external PSKs to offer in the ClientHello.
protected Vector	getMultiCertStatusRequest()
protected Vector	getNamedGroupRoles()
protected byte[]	getNewConnectionID()	RFC 9146 DTLS connection ID.
protected Vector	getProtocolNames()
ProtocolVersion[]	getProtocolVersions()
TlsPSKIdentity	getPSKIdentity()
TlsSession	getSessionToResume()	Return the session this client wants to resume, if any.
protected Vector	getSNIServerNames()
TlsSRPConfigVerifier	getSRPConfigVerifier()
TlsSRPIdentity	getSRPIdentity()
protected Vector	getSupportedGroups(Vector namedGroupRoles)	The default getClientExtensions() implementation calls this to determine which named groups to include in the supported_groups extension for the ClientHello.
protected Vector	getSupportedSignatureAlgorithms()
protected Vector	getSupportedSignatureAlgorithmsCert()
protected Vector	getTrustedCAIndication()
void	init(TlsClientContext context)
boolean	isFallback()
void	notifyHandshakeBeginning()	Notifies the peer that a new handshake is about to begin.
void	notifyNewSessionTicket(NewSessionTicket newSessionTicket)	RFC 5077 3.3.
void	notifySelectedCipherSuite(int selectedCipherSuite)
void	notifySelectedPSK(TlsPSK selectedPSK)
void	notifyServerVersion(ProtocolVersion serverVersion)
void	notifySessionID(byte[] sessionID)	Notifies the client of the session_id sent in the ServerHello.
void	notifySessionToResume(TlsSession session)	Notifies the client of the session that will be offered in ClientHello for resumption, if any.
void	processServerExtensions(Hashtable serverExtensions)	The TlsClientProtocol implementation validates that any server extensions received correspond to client extensions sent.
void	processServerSupplementalData(Vector serverSupplementalData)
boolean	shouldUseCompatibilityMode()

Methods inherited from class org.bouncycastle.tls.AbstractTlsPeer

allowLegacyResumption, cancel, getCrypto, getHandshakeResendTimeMillis, getHandshakeTimeoutMillis, getHeartbeat, getHeartbeatPolicy, getKeyExchangeFactory, getMaxCertificateChainLength, getMaxHandshakeMessageSize, getPskKeyExchangeModes, getRenegotiationPolicy, getSupportedCipherSuites, getSupportedVersions, notifyAlertRaised, notifyAlertReceived, notifyCloseHandle, notifyConnectionClosed, notifyHandshakeComplete, notifySecureRenegotiation, requiresCloseNotify, requiresExtendedMasterSecret, shouldCheckSigAlgOfPeerCerts, shouldUseExtendedMasterSecret, shouldUseExtendedPadding, shouldUseGMTUnixTime

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.bouncycastle.tls.TlsClient

getAuthentication

Methods inherited from interface org.bouncycastle.tls.TlsPeer

allowLegacyResumption, cancel, getCrypto, getHandshakeResendTimeMillis, getHandshakeTimeoutMillis, getHeartbeat, getHeartbeatPolicy, getKeyExchangeFactory, getMaxCertificateChainLength, getMaxHandshakeMessageSize, getPskKeyExchangeModes, getRenegotiationPolicy, notifyAlertRaised, notifyAlertReceived, notifyCloseHandle, notifyConnectionClosed, notifyHandshakeComplete, notifySecureRenegotiation, requiresCloseNotify, requiresExtendedMasterSecret, shouldCheckSigAlgOfPeerCerts, shouldUseExtendedMasterSecret, shouldUseExtendedPadding, shouldUseGMTUnixTime

Field Details

context

protected TlsClientContext context

protocolVersions

protected ProtocolVersion[] protocolVersions

cipherSuites

protected int[] cipherSuites

supportedGroups

protected Vector supportedGroups

supportedSignatureAlgorithms

protected Vector supportedSignatureAlgorithms

supportedSignatureAlgorithmsCert

protected Vector supportedSignatureAlgorithmsCert

Constructor Details

AbstractTlsClient

public AbstractTlsClient(TlsCrypto crypto)

Method Details

allowUnexpectedServerExtension

protected boolean allowUnexpectedServerExtension(Integer extensionType,
 byte[] extensionData)
                                          throws IOException

Throws:

IOException

getNamedGroupRoles

protected Vector getNamedGroupRoles()

checkForUnexpectedServerExtension

protected void checkForUnexpectedServerExtension(Hashtable serverExtensions,
 Integer extensionType)
                                          throws IOException

Throws:

IOException

getNewConnectionID

protected byte[] getNewConnectionID()

RFC 9146 DTLS connection ID.

The default getClientExtensions() implementation calls this to get the connection_id extension the client will send. As future communication doesn't include the connection IDs length, this should either be fixed-length or include the connection ID's length. (see explanation in RFC 9146 4. "cid:")

Returns:

The connection ID to use.

getPSKIdentity

public TlsPSKIdentity getPSKIdentity()
                              throws IOException

Specified by:

getPSKIdentity in interface TlsClient

Throws:

IOException

getSRPIdentity

public TlsSRPIdentity getSRPIdentity()
                              throws IOException

Specified by:

getSRPIdentity in interface TlsClient

Throws:

IOException

getDHGroupVerifier

public TlsDHGroupVerifier getDHGroupVerifier()

Specified by:

getDHGroupVerifier in interface TlsClient

getSRPConfigVerifier

public TlsSRPConfigVerifier getSRPConfigVerifier()

Specified by:

getSRPConfigVerifier in interface TlsClient

getCertificateAuthorities

protected Vector getCertificateAuthorities()

getProtocolNames

protected Vector getProtocolNames()

getCertificateStatusRequest

protected CertificateStatusRequest getCertificateStatusRequest()

getMultiCertStatusRequest

protected Vector getMultiCertStatusRequest()

Returns:

a Vector of CertificateStatusRequestItemV2 (or null).

getSNIServerNames

protected Vector getSNIServerNames()

getSupportedGroups

protected Vector getSupportedGroups(Vector namedGroupRoles)

The default getClientExtensions() implementation calls this to determine which named groups to include in the supported_groups extension for the ClientHello.

Parameters:

namedGroupRoles - The named group roles for which there should be at least one supported group. By default this is inferred from the offered cipher suites and signature algorithms.

Returns:

a Vector of Integer. See NamedGroup for group constants.

getSupportedSignatureAlgorithms

protected Vector getSupportedSignatureAlgorithms()

getSupportedSignatureAlgorithmsCert

protected Vector getSupportedSignatureAlgorithmsCert()

getTrustedCAIndication

protected Vector getTrustedCAIndication()

getAllowedClientCertificateTypes

protected short[] getAllowedClientCertificateTypes()

getAllowedServerCertificateTypes

protected short[] getAllowedServerCertificateTypes()

init

public void init(TlsClientContext context)

Specified by:

init in interface TlsClient

getProtocolVersions

public ProtocolVersion[] getProtocolVersions()

Specified by:

getProtocolVersions in interface TlsPeer

getCipherSuites

public int[] getCipherSuites()

Specified by:

getCipherSuites in interface TlsPeer

notifyHandshakeBeginning

public void notifyHandshakeBeginning()
                              throws IOException

Description copied from interface: TlsPeer

Notifies the peer that a new handshake is about to begin.

Specified by:

notifyHandshakeBeginning in interface TlsPeer

Overrides:

notifyHandshakeBeginning in class AbstractTlsPeer

Throws:

IOException

getSessionToResume

public TlsSession getSessionToResume()

Description copied from interface: TlsClient

Return the session this client wants to resume, if any. Note that the peer's certificate chain for the session (if any) may need to be periodically revalidated.

Specified by:

getSessionToResume in interface TlsClient

Returns:

A TlsSession representing the resumable session to be used for this connection, or null to use a new session.

See Also:

• SessionParameters.getPeerCertificate()

getExternalPSKs

public Vector getExternalPSKs()

Description copied from interface: TlsClient

Return the external PSKs to offer in the ClientHello. Note that this will only be called when TLS 1.3 or higher is amongst the offered protocol versions.

Specified by:

getExternalPSKs in interface TlsClient

Returns:

a Vector of TlsPSKExternal instances, or null if none should be offered.

isFallback

public boolean isFallback()

Specified by:

isFallback in interface TlsClient

getClientExtensions

public Hashtable getClientExtensions()
                              throws IOException

Specified by:

getClientExtensions in interface TlsClient

Throws:

IOException

getEarlyKeyShareGroups

public Vector getEarlyKeyShareGroups()

Description copied from interface: TlsClient

If this client is offering TLS 1.3 or higher, this method may be called to determine for which groups a key share should be included in the initial ClientHello. Groups that were not included in the supported_groups extension (by TlsClient.getClientExtensions() will be ignored. The protocol will then add a suitable key_share extension to the ClientHello extensions.

Specified by:

getEarlyKeyShareGroups in interface TlsClient

Returns:

a Vector of named group values, possibly empty or null.

shouldUseCompatibilityMode

public boolean shouldUseCompatibilityMode()

Specified by:

shouldUseCompatibilityMode in interface TlsClient

notifyServerVersion

public void notifyServerVersion(ProtocolVersion serverVersion)
                         throws IOException

Specified by:

notifyServerVersion in interface TlsClient

Throws:

IOException

notifySessionToResume

public void notifySessionToResume(TlsSession session)

Description copied from interface: TlsClient

Notifies the client of the session that will be offered in ClientHello for resumption, if any. This will be either the session returned from TlsClient.getSessionToResume() or null if that session was unusable. NOTE: the actual negotiated session_id is notified by TlsClient.notifySessionID(byte[]).

Specified by:

notifySessionToResume in interface TlsClient

Parameters:

session - The TlsSession representing the resumable session to be offered for this connection, or null if there is none.

See Also:

• TlsClient.notifySessionID(byte[])

notifySessionID

public void notifySessionID(byte[] sessionID)

Description copied from interface: TlsClient

Notifies the client of the session_id sent in the ServerHello.

Specified by:

notifySessionID in interface TlsClient

Parameters:

sessionID -

See Also:

• TlsContext.getSession()

notifySelectedCipherSuite

public void notifySelectedCipherSuite(int selectedCipherSuite)

Specified by:

notifySelectedCipherSuite in interface TlsClient

notifySelectedPSK

public void notifySelectedPSK(TlsPSK selectedPSK)
                       throws IOException

Specified by:

notifySelectedPSK in interface TlsClient

Throws:

IOException

processServerExtensions

public void processServerExtensions(Hashtable serverExtensions)
                             throws IOException

Description copied from interface: TlsClient

The TlsClientProtocol implementation validates that any server extensions received correspond to client extensions sent. If further processing of the server extensions is needed, it can be done in this callback. NOTE: This is not called for session resumption handshakes.

Specified by:

processServerExtensions in interface TlsClient

Parameters:

serverExtensions - (Integer -> byte[])

Throws:

IOException

processServerSupplementalData

public void processServerSupplementalData(Vector serverSupplementalData)
                                   throws IOException

Specified by:

processServerSupplementalData in interface TlsClient

Throws:

IOException

getClientSupplementalData

public Vector getClientSupplementalData()
                                 throws IOException

Specified by:

getClientSupplementalData in interface TlsClient

Throws:

IOException

notifyNewSessionTicket

public void notifyNewSessionTicket(NewSessionTicket newSessionTicket)
                            throws IOException

Description copied from interface: TlsClient

RFC 5077 3.3. NewSessionTicket Handshake Message

This method will be called (only) when a NewSessionTicket handshake message is received. The ticket is opaque to the client and clients MUST NOT examine the ticket under the assumption that it complies with e.g. RFC 5077 4. Recommended Ticket Construction.

Specified by:

notifyNewSessionTicket in interface TlsClient

Parameters:

newSessionTicket - The ticket.

Throws:

IOException