Package org.bouncycastle.tls

Class AbstractTlsServer

java.lang.Object

org.bouncycastle.tls.AbstractTlsPeer

org.bouncycastle.tls.AbstractTlsServer

All Implemented Interfaces:

TlsPeer, TlsServer

Direct Known Subclasses:

DefaultTlsServer, PSKTlsServer, SRPTlsServer

public abstract class AbstractTlsServer
extends AbstractTlsPeer
implements TlsServer

Base class for a TLS server.

Field Summary

Fields

Modifier and Type	Field	Description
protected CertificateStatusRequest	certificateStatusRequest
protected int[]	cipherSuites
protected Hashtable	clientExtensions
protected Vector	clientProtocolNames
protected boolean	clientSentECPointFormats
protected TlsServerContext	context
protected boolean	encryptThenMACOffered
protected short	maxFragmentLengthOffered
protected int[]	offeredCipherSuites
protected ProtocolVersion[]	protocolVersions
protected int	selectedCipherSuite
protected ProtocolName	selectedProtocolName
protected final Hashtable	serverExtensions
protected Vector	statusRequestV2
protected boolean	truncatedHMacOffered
protected Vector	trustedCAKeys

Constructor Summary

Constructors

Constructor	Description
AbstractTlsServer(TlsCrypto crypto)

Method Summary

Modifier and Type	Method	Description
protected boolean	allowCertificateStatus()
protected boolean	allowEncryptThenMAC()
protected boolean	allowMultiCertStatus()
protected boolean	allowTruncatedHMac()
protected boolean	allowTrustedCAIndication()
protected Hashtable	checkServerExtensions()	Deprecated. Use 'serverExtensions' directly, it is now never null
protected short[]	getAllowedClientCertificateTypes()
CertificateRequest	getCertificateRequest()
CertificateStatus	getCertificateStatus()	This method will be called (only) if the server included an extension of type "status_request" with empty "extension_data" in the extended server hello.
int[]	getCipherSuites()
protected String	getDetailMessageNoCipherSuite()
TlsDHConfig	getDHConfig()
TlsECConfig	getECDHConfig()
TlsPSKExternal	getExternalPSK(Vector identities)	WARNING: EXPERIMENTAL FEATURE, UNSTABLE API Return the external PSK to select from the ClientHello.
protected int	getMaximumDefaultCurveBits()
protected int	getMaximumDefaultFiniteFieldBits()
protected int	getMaximumNegotiableCurveBits()
protected int	getMaximumNegotiableFiniteFieldBits()
protected byte[]	getNewConnectionID()	RFC 9146 DTLS connection ID.
byte[]	getNewSessionID()
NewSessionTicket	getNewSessionTicket()	RFC 5077 3.3.
protected Vector	getProtocolNames()
ProtocolVersion[]	getProtocolVersions()
TlsPSKIdentityManager	getPSKIdentityManager()
int	getSelectedCipherSuite()
Hashtable	getServerExtensions()
void	getServerExtensionsForConnection(Hashtable serverExtensions)
Vector	getServerSupplementalData()
ProtocolVersion	getServerVersion()
TlsSession	getSessionToResume(byte[] sessionID)	Return the specified session, if available.
TlsSRPLoginParameters	getSRPLoginParameters()
int[]	getSupportedGroups()
void	init(TlsServerContext context)
protected boolean	isSelectableCipherSuite(int cipherSuite, int availCurveBits, int availFiniteFieldBits, Vector sigAlgs)
void	notifyClientCertificate(Certificate clientCertificate)	Called by the protocol handler to report the client certificate, only if TlsServer.getCertificateRequest() returned non-null.
void	notifyClientVersion(ProtocolVersion clientVersion)
void	notifyFallback(boolean isFallback)
void	notifyHandshakeBeginning()	Notifies the peer that a new handshake is about to begin.
void	notifyOfferedCipherSuites(int[] offeredCipherSuites)
void	notifySession(TlsSession session)
protected boolean	preferLocalCipherSuites()
protected boolean	preferLocalClientCertificateTypes()
void	processClientExtensions(Hashtable clientExtensions)
void	processClientSupplementalData(Vector clientSupplementalData)
protected boolean	selectCipherSuite(int cipherSuite)
protected int	selectDH(int minimumFiniteFieldBits)
protected int	selectDHDefault(int minimumFiniteFieldBits)
protected int	selectECDH(int minimumCurveBits)
protected int	selectECDHDefault(int minimumCurveBits)
protected ProtocolName	selectProtocolName()
protected ProtocolName	selectProtocolName(Vector clientProtocolNames, Vector serverProtocolNames)
protected boolean	shouldSelectProtocolNameEarly()

Methods inherited from class org.bouncycastle.tls.AbstractTlsPeer

allowLegacyResumption, cancel, getCrypto, getHandshakeResendTimeMillis, getHandshakeTimeoutMillis, getHeartbeat, getHeartbeatPolicy, getKeyExchangeFactory, getMaxCertificateChainLength, getMaxHandshakeMessageSize, getPskKeyExchangeModes, getRenegotiationPolicy, getSupportedCipherSuites, getSupportedVersions, notifyAlertRaised, notifyAlertReceived, notifyCloseHandle, notifyConnectionClosed, notifyHandshakeComplete, notifySecureRenegotiation, requiresCloseNotify, requiresExtendedMasterSecret, shouldCheckSigAlgOfPeerCerts, shouldUseExtendedMasterSecret, shouldUseExtendedPadding, shouldUseGMTUnixTime

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.bouncycastle.tls.TlsPeer

allowLegacyResumption, cancel, getCrypto, getHandshakeResendTimeMillis, getHandshakeTimeoutMillis, getHeartbeat, getHeartbeatPolicy, getKeyExchangeFactory, getMaxCertificateChainLength, getMaxHandshakeMessageSize, getPskKeyExchangeModes, getRenegotiationPolicy, notifyAlertRaised, notifyAlertReceived, notifyCloseHandle, notifyConnectionClosed, notifyHandshakeComplete, notifySecureRenegotiation, requiresCloseNotify, requiresExtendedMasterSecret, shouldCheckSigAlgOfPeerCerts, shouldUseExtendedMasterSecret, shouldUseExtendedPadding, shouldUseGMTUnixTime

Methods inherited from interface org.bouncycastle.tls.TlsServer

getCredentials

Field Details

context

protected TlsServerContext context

protocolVersions

protected ProtocolVersion[] protocolVersions

cipherSuites

protected int[] cipherSuites

offeredCipherSuites

protected int[] offeredCipherSuites

clientExtensions

protected Hashtable clientExtensions

encryptThenMACOffered

protected boolean encryptThenMACOffered

maxFragmentLengthOffered

protected short maxFragmentLengthOffered

truncatedHMacOffered

protected boolean truncatedHMacOffered

clientSentECPointFormats

protected boolean clientSentECPointFormats

certificateStatusRequest

protected CertificateStatusRequest certificateStatusRequest

statusRequestV2

protected Vector statusRequestV2

trustedCAKeys

protected Vector trustedCAKeys

selectedCipherSuite

protected int selectedCipherSuite

clientProtocolNames

protected Vector clientProtocolNames

selectedProtocolName

protected ProtocolName selectedProtocolName

serverExtensions

protected final Hashtable serverExtensions

Constructor Details

AbstractTlsServer

public AbstractTlsServer(TlsCrypto crypto)

Method Details

allowCertificateStatus

protected boolean allowCertificateStatus()

allowEncryptThenMAC

protected boolean allowEncryptThenMAC()

allowMultiCertStatus

protected boolean allowMultiCertStatus()

allowTruncatedHMac

protected boolean allowTruncatedHMac()

allowTrustedCAIndication

protected boolean allowTrustedCAIndication()

checkServerExtensions

protected Hashtable checkServerExtensions()

Deprecated.

Use 'serverExtensions' directly, it is now never null

getDetailMessageNoCipherSuite

protected String getDetailMessageNoCipherSuite()

getMaximumDefaultCurveBits

protected int getMaximumDefaultCurveBits()

getMaximumDefaultFiniteFieldBits

protected int getMaximumDefaultFiniteFieldBits()

getMaximumNegotiableCurveBits

protected int getMaximumNegotiableCurveBits()

getMaximumNegotiableFiniteFieldBits

protected int getMaximumNegotiableFiniteFieldBits()

getProtocolNames

protected Vector getProtocolNames()

isSelectableCipherSuite

protected boolean isSelectableCipherSuite(int cipherSuite,
 int availCurveBits,
 int availFiniteFieldBits,
 Vector sigAlgs)

preferLocalCipherSuites

protected boolean preferLocalCipherSuites()

selectCipherSuite

protected boolean selectCipherSuite(int cipherSuite)
                             throws IOException

Throws:

IOException

selectDH

protected int selectDH(int minimumFiniteFieldBits)

selectDHDefault

protected int selectDHDefault(int minimumFiniteFieldBits)

selectECDH

protected int selectECDH(int minimumCurveBits)

selectECDHDefault

protected int selectECDHDefault(int minimumCurveBits)

selectProtocolName

protected ProtocolName selectProtocolName()
                                   throws IOException

Throws:

IOException

selectProtocolName

protected ProtocolName selectProtocolName(Vector clientProtocolNames,
 Vector serverProtocolNames)

shouldSelectProtocolNameEarly

protected boolean shouldSelectProtocolNameEarly()

preferLocalClientCertificateTypes

protected boolean preferLocalClientCertificateTypes()

getAllowedClientCertificateTypes

protected short[] getAllowedClientCertificateTypes()

getNewConnectionID

protected byte[] getNewConnectionID()

RFC 9146 DTLS connection ID.

This method will be called if a connection_id extension was sent by the client. If the return value is non-null, the server will send this connection ID to the client to use in future packets. As future communication doesn't include the connection IDs length, this should either be fixed-length or include the connection ID's length. (see explanation in RFC 9146 4. "cid:")

Returns:

The connection ID to use.

init

public void init(TlsServerContext context)

Specified by:

init in interface TlsServer

getProtocolVersions

public ProtocolVersion[] getProtocolVersions()

Specified by:

getProtocolVersions in interface TlsPeer

getCipherSuites

public int[] getCipherSuites()

Specified by:

getCipherSuites in interface TlsPeer

notifyHandshakeBeginning

public void notifyHandshakeBeginning()
                              throws IOException

Description copied from interface: TlsPeer

Notifies the peer that a new handshake is about to begin.

Specified by:

notifyHandshakeBeginning in interface TlsPeer

Overrides:

notifyHandshakeBeginning in class AbstractTlsPeer

Throws:

IOException

getSessionToResume

public TlsSession getSessionToResume(byte[] sessionID)

Description copied from interface: TlsServer

Return the specified session, if available. Note that the peer's certificate chain for the session (if any) may need to be periodically revalidated.

Specified by:

getSessionToResume in interface TlsServer

Parameters:

sessionID - the ID of the session to resume.

Returns:

A TlsSession with the specified session ID, or null.

See Also:

• SessionParameters.getPeerCertificate()

getNewSessionID

public byte[] getNewSessionID()

Specified by:

getNewSessionID in interface TlsServer

getExternalPSK

public TlsPSKExternal getExternalPSK(Vector identities)

Description copied from interface: TlsServer

WARNING: EXPERIMENTAL FEATURE, UNSTABLE API Return the external PSK to select from the ClientHello. Note that this will only be called when TLS 1.3 or higher is amongst the offered protocol versions, and one or more PSKs are actually offered.

Specified by:

getExternalPSK in interface TlsServer

Parameters:

identities - a Vector of PskIdentity instances.

Returns:

the TlsPSKExternal corresponding to the selected identity, or null to not select any.

notifySession

public void notifySession(TlsSession session)

Specified by:

notifySession in interface TlsServer

notifyClientVersion

public void notifyClientVersion(ProtocolVersion clientVersion)
                         throws IOException

Specified by:

notifyClientVersion in interface TlsServer

Throws:

IOException

notifyFallback

public void notifyFallback(boolean isFallback)
                    throws IOException

Specified by:

notifyFallback in interface TlsServer

Throws:

IOException

notifyOfferedCipherSuites

public void notifyOfferedCipherSuites(int[] offeredCipherSuites)
                               throws IOException

Specified by:

notifyOfferedCipherSuites in interface TlsServer

Throws:

IOException

processClientExtensions

public void processClientExtensions(Hashtable clientExtensions)
                             throws IOException

Specified by:

processClientExtensions in interface TlsServer

Throws:

IOException

getServerVersion

public ProtocolVersion getServerVersion()
                                 throws IOException

Specified by:

getServerVersion in interface TlsServer

Throws:

IOException

getSupportedGroups

public int[] getSupportedGroups()
                         throws IOException

Specified by:

getSupportedGroups in interface TlsServer

Throws:

IOException

getSelectedCipherSuite

public int getSelectedCipherSuite()
                           throws IOException

Specified by:

getSelectedCipherSuite in interface TlsServer

Throws:

IOException

getServerExtensions

public Hashtable getServerExtensions()
                              throws IOException

Specified by:

getServerExtensions in interface TlsServer

Throws:

IOException

getServerExtensionsForConnection

public void getServerExtensionsForConnection(Hashtable serverExtensions)
                                      throws IOException

Specified by:

getServerExtensionsForConnection in interface TlsServer

Throws:

IOException

getServerSupplementalData

public Vector getServerSupplementalData()
                                 throws IOException

Specified by:

getServerSupplementalData in interface TlsServer

Throws:

IOException

getCertificateStatus

public CertificateStatus getCertificateStatus()
                                       throws IOException

Description copied from interface: TlsServer

This method will be called (only) if the server included an extension of type "status_request" with empty "extension_data" in the extended server hello. See RFC 3546 3.6. Certificate Status Request. If a non-null CertificateStatus is returned, it is sent to the client as a handshake message of type "certificate_status".

Specified by:

getCertificateStatus in interface TlsServer

Returns:

A CertificateStatus to be sent to the client (or null for none).

Throws:

IOException

getCertificateRequest

public CertificateRequest getCertificateRequest()
                                         throws IOException

Specified by:

getCertificateRequest in interface TlsServer

Throws:

IOException

getPSKIdentityManager

public TlsPSKIdentityManager getPSKIdentityManager()
                                            throws IOException

Specified by:

getPSKIdentityManager in interface TlsServer

Throws:

IOException

getSRPLoginParameters

public TlsSRPLoginParameters getSRPLoginParameters()
                                            throws IOException

Specified by:

getSRPLoginParameters in interface TlsServer

Throws:

IOException

getDHConfig

public TlsDHConfig getDHConfig()
                        throws IOException

Specified by:

getDHConfig in interface TlsServer

Throws:

IOException

getECDHConfig

public TlsECConfig getECDHConfig()
                          throws IOException

Specified by:

getECDHConfig in interface TlsServer

Throws:

IOException

processClientSupplementalData

public void processClientSupplementalData(Vector clientSupplementalData)
                                   throws IOException

Specified by:

processClientSupplementalData in interface TlsServer

Throws:

IOException

notifyClientCertificate

public void notifyClientCertificate(Certificate clientCertificate)
                             throws IOException

Description copied from interface: TlsServer

Called by the protocol handler to report the client certificate, only if TlsServer.getCertificateRequest() returned non-null. Note: this method is responsible for certificate verification and validation.

Specified by:

notifyClientCertificate in interface TlsServer

Parameters:

clientCertificate - the effective client certificate (may be an empty chain).

Throws:

IOException

getNewSessionTicket

public NewSessionTicket getNewSessionTicket()
                                     throws IOException

Description copied from interface: TlsServer

RFC 5077 3.3. NewSessionTicket Handshake Message.

This method will be called (only) if a NewSessionTicket extension was sent by the server. See RFC 5077 4. Recommended Ticket Construction for recommended format and protection.

Specified by:

getNewSessionTicket in interface TlsServer

Returns:

The ticket.

Throws:

IOException