Diffstat (limited to 'bcprov/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsClient.java')
-rw-r--r--bcprov/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsClient.java77
1 files changed, 47 insertions, 30 deletions
diff --git a/bcprov/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsClient.java b/bcprov/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsClient.java
index 9e113f9..7d4fd03 100644
--- a/bcprov/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsClient.java
+++ b/bcprov/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsClient.java
@@ -8,12 +8,13 @@ public abstract class AbstractTlsClient
extends AbstractTlsPeer
implements TlsClient
{
-
protected TlsCipherFactory cipherFactory;
protected TlsClientContext context;
protected Vector supportedSignatureAlgorithms;
+ protected int[] namedCurves;
+ protected short[] clientECPointFormats, serverECPointFormats;
protected int selectedCipherSuite;
protected short selectedCompressionMethod;
@@ -33,6 +34,11 @@ public abstract class AbstractTlsClient
this.context = context;
}
+ public TlsSession getSessionToResume()
+ {
+ return null;
+ }
+
/**
* RFC 5246 E.1. "TLS clients that wish to negotiate with older servers MAY send any value
* {03,XX} as the record layer version number. Typical values would be {03,00}, the lowest
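Review bot: `getSessionToResume()` is added without Javadoc, so an implementer cannot tell from the code what returning `null` means. Presumably `null` means no session is offered and a full handshake runs; if that is the contract, state it, e.g. `/** Returns the session to offer for resumption, or null (the default) to perform a full handshake. */`. A subclass that does return a session is deciding to reuse earlier key material, so the conditions under which that is acceptable should be written down here.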
@@ -46,7 +52,7 @@ public abstract class AbstractTlsClient
// return ProtocolVersion.SSLv3;
// "the lowest version number supported by the client"
- // return getMinimumServerVersion();
+ // return getMinimumVersion();
// "the value of ClientHello.client_version"
return getClientVersion();
@@ -54,13 +60,12 @@ public abstract class AbstractTlsClient
public ProtocolVersion getClientVersion()
{
- return ProtocolVersion.TLSv11;
+ return ProtocolVersion.TLSv12;
}
public Hashtable getClientExtensions()
throws IOException
{
-
Hashtable clientExtensions = null;
ProtocolVersion clientVersion = context.getClientVersion();
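Review bot: `getClientVersion()` has no comment saying that its return value is what goes into ClientHello.client_version and that a subclass must override it to offer something else. With the default now `ProtocolVersion.TLSv12`, every subclass that does not override changes what it offers on the wire. It presumably also makes the `isSignatureAlgorithmsExtensionAllowed` branch of getClientExtensions active by default, and that branch advertises `HashAlgorithm.sha1` and `HashAlgorithm.sha224`, so it is worth deciding whether those belong in the default list. Suggested comment: `/** Version offered in ClientHello.client_version; override to offer a different maximum. */`. getClientExtensions continues outside the hunk.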
@@ -71,14 +76,13 @@ public abstract class AbstractTlsClient
*/
if (TlsUtils.isSignatureAlgorithmsExtensionAllowed(clientVersion))
{
-
// TODO Provide a way for the user to specify the acceptable hash/signature algorithms.
- short[] hashAlgorithms = new short[]{HashAlgorithm.sha512, HashAlgorithm.sha384, HashAlgorithm.sha256,
- HashAlgorithm.sha224, HashAlgorithm.sha1};
+ short[] hashAlgorithms = new short[]{ HashAlgorithm.sha512, HashAlgorithm.sha384, HashAlgorithm.sha256,
+ HashAlgorithm.sha224, HashAlgorithm.sha1 };
// TODO Sort out ECDSA signatures and add them as the preferred option here
- short[] signatureAlgorithms = new short[]{SignatureAlgorithm.rsa};
+ short[] signatureAlgorithms = new short[]{ SignatureAlgorithm.rsa };
this.supportedSignatureAlgorithms = new Vector();
for (int i = 0; i < hashAlgorithms.length; ++i)
@@ -96,14 +100,33 @@ public abstract class AbstractTlsClient
this.supportedSignatureAlgorithms.addElement(new SignatureAndHashAlgorithm(HashAlgorithm.sha1,
SignatureAlgorithm.dsa));
- if (clientExtensions == null)
- {
- clientExtensions = new Hashtable();
- }
+ clientExtensions = TlsExtensionsUtils.ensureExtensionsInitialised(clientExtensions);
TlsUtils.addSignatureAlgorithmsExtension(clientExtensions, supportedSignatureAlgorithms);
}
+ if (TlsECCUtils.containsECCCipherSuites(getCipherSuites()))
+ {
+ /*
+ * RFC 4492 5.1. A client that proposes ECC cipher suites in its ClientHello message
+ * appends these extensions (along with any others), enumerating the curves it supports
+ * and the point formats it can parse. Clients SHOULD send both the Supported Elliptic
+ * Curves Extension and the Supported Point Formats Extension.
+ */
+ /*
+ * TODO Could just add all the curves since we support them all, but users may not want
+ * to use unnecessarily large fields. Need configuration options.
+ */
+ this.namedCurves = new int[]{ NamedCurve.secp256r1, NamedCurve.secp384r1 };
+ this.clientECPointFormats = new short[]{ ECPointFormat.uncompressed,
+ ECPointFormat.ansiX962_compressed_prime, ECPointFormat.ansiX962_compressed_char2, };
+
+ clientExtensions = TlsExtensionsUtils.ensureExtensionsInitialised(clientExtensions);
+
+ TlsECCUtils.addSupportedEllipticCurvesExtension(clientExtensions, namedCurves);
+ TlsECCUtils.addSupportedPointFormatsExtension(clientExtensions, clientECPointFormats);
+ }
+
return clientExtensions;
}
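Review bot: `clientECPointFormats` advertises `ECPointFormat.ansiX962_compressed_char2`, but `namedCurves` offers only `NamedCurve.secp256r1` and `NamedCurve.secp384r1`, both prime-field curves, so the char2 format cannot apply to any curve this client proposes. Each advertised format is a promise that the client will parse points in that encoding, so the list should be no wider than the curves need: `this.clientECPointFormats = new short[]{ ECPointFormat.uncompressed, ECPointFormat.ansiX962_compressed_prime };` (this also drops the stray trailing comma). Both fields are assigned only inside this branch, so a comment on them should say they stay null when no ECC suite is offered. getClientExtensions starts outside the hunk.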
@@ -141,19 +164,6 @@ public abstract class AbstractTlsClient
this.selectedCompressionMethod = selectedCompressionMethod;
}
- public void notifySecureRenegotiation(boolean secureRenegotiation)
- throws IOException
- {
- if (!secureRenegotiation)
- {
- /*
- * RFC 5746 3.4. In this case, some clients may want to terminate the handshake instead
- * of continuing; see Section 4.1 for discussion.
- */
- // throw new TlsFatalAlert(AlertDescription.handshake_failure);
- }
- }
-
public void processServerExtensions(Hashtable serverExtensions)
throws IOException
{
@@ -170,6 +180,18 @@ public abstract class AbstractTlsClient
{
throw new TlsFatalAlert(AlertDescription.illegal_parameter);
}
+
+ int[] namedCurves = TlsECCUtils.getSupportedEllipticCurvesExtension(serverExtensions);
+ if (namedCurves != null)
+ {
+ throw new TlsFatalAlert(AlertDescription.illegal_parameter);
+ }
+
+ this.serverECPointFormats = TlsECCUtils.getSupportedPointFormatsExtension(serverExtensions);
+ if (this.serverECPointFormats != null && !TlsECCUtils.isECCCipherSuite(this.selectedCipherSuite))
+ {
+ throw new TlsFatalAlert(AlertDescription.illegal_parameter);
+ }
}
}
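Review bot: The local `int[] namedCurves` in processServerExtensions shadows the `namedCurves` field this commit adds, so a later edit here that means the client's offered curves would silently read the server's value. Rename it, e.g. `int[] serverNamedCurves = TlsECCUtils.getSupportedEllipticCurvesExtension(serverExtensions);`. The point-format check depends on `selectedCipherSuite` already holding the server's choice when this method runs, which the hunk does not show. It also accepts a server list that omits `ECPointFormat.uncompressed`, which RFC 4492 5.1.2 requires in any point-formats extension that is sent. The method and its enclosing `if` start outside the hunk.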
@@ -210,9 +232,4 @@ public abstract class AbstractTlsClient
throws IOException
{
}
-
- public void notifyHandshakeComplete()
- throws IOException
- {
- }
}