diff options
Diffstat (limited to 'core/src/main/java/org/spongycastle/crypto/tls/SRPTlsClient.java')
-rw-r--r-- | core/src/main/java/org/spongycastle/crypto/tls/SRPTlsClient.java | 121 |
1 files changed, 121 insertions, 0 deletions
diff --git a/core/src/main/java/org/spongycastle/crypto/tls/SRPTlsClient.java b/core/src/main/java/org/spongycastle/crypto/tls/SRPTlsClient.java new file mode 100644 index 00000000..65aa6cee --- /dev/null +++ b/core/src/main/java/org/spongycastle/crypto/tls/SRPTlsClient.java @@ -0,0 +1,121 @@ +package org.spongycastle.crypto.tls; + +import java.io.IOException; +import java.util.Hashtable; + +import org.spongycastle.util.Arrays; + +public abstract class SRPTlsClient + extends AbstractTlsClient +{ + /** + * @deprecated use TlsSRPUtils.EXT_SRP instead + */ + public static final Integer EXT_SRP = TlsSRPUtils.EXT_SRP; + + protected byte[] identity; + protected byte[] password; + + public SRPTlsClient(byte[] identity, byte[] password) + { + super(); + this.identity = Arrays.clone(identity); + this.password = Arrays.clone(password); + } + + public SRPTlsClient(TlsCipherFactory cipherFactory, byte[] identity, byte[] password) + { + super(cipherFactory); + this.identity = Arrays.clone(identity); + this.password = Arrays.clone(password); + } + + public int[] getCipherSuites() + { + return new int[] { CipherSuite.TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA }; + } + + public Hashtable getClientExtensions() + throws IOException + { + Hashtable clientExtensions = TlsExtensionsUtils.ensureExtensionsInitialised(super.getClientExtensions()); + TlsSRPUtils.addSRPExtension(clientExtensions, this.identity); + return clientExtensions; + } + + public void processServerExtensions(Hashtable serverExtensions) + throws IOException + { + if (!TlsUtils.hasExpectedEmptyExtensionData(serverExtensions, TlsSRPUtils.EXT_SRP, AlertDescription.illegal_parameter)) + { + // No explicit guidance in RFC 5054 here; we allow an optional empty extension from server + } + } + + public TlsKeyExchange getKeyExchange() + throws IOException + { + + switch (selectedCipherSuite) + { + case CipherSuite.TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA: + case CipherSuite.TLS_SRP_SHA_WITH_AES_128_CBC_SHA: + case CipherSuite.TLS_SRP_SHA_WITH_AES_256_CBC_SHA: + return createSRPKeyExchange(KeyExchangeAlgorithm.SRP); + + case CipherSuite.TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA: + case CipherSuite.TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA: + case CipherSuite.TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA: + return createSRPKeyExchange(KeyExchangeAlgorithm.SRP_RSA); + + case CipherSuite.TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA: + case CipherSuite.TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA: + case CipherSuite.TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA: + return createSRPKeyExchange(KeyExchangeAlgorithm.SRP_DSS); + + default: + /* + * Note: internal error here; the TlsProtocol implementation verifies that the + * server-selected cipher suite was in the list of client-offered cipher suites, so if + * we now can't produce an implementation, we shouldn't have offered it! + */ + throw new TlsFatalAlert(AlertDescription.internal_error); + } + } + + public TlsCipher getCipher() + throws IOException + { + + switch (selectedCipherSuite) + { + case CipherSuite.TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA: + case CipherSuite.TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA: + case CipherSuite.TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA: + return cipherFactory.createCipher(context, EncryptionAlgorithm._3DES_EDE_CBC, MACAlgorithm.hmac_sha1); + + case CipherSuite.TLS_SRP_SHA_WITH_AES_128_CBC_SHA: + case CipherSuite.TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA: + case CipherSuite.TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA: + return cipherFactory.createCipher(context, EncryptionAlgorithm.AES_128_CBC, MACAlgorithm.hmac_sha1); + + case CipherSuite.TLS_SRP_SHA_WITH_AES_256_CBC_SHA: + case CipherSuite.TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA: + case CipherSuite.TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA: + return cipherFactory.createCipher(context, EncryptionAlgorithm.AES_256_CBC, MACAlgorithm.hmac_sha1); + + default: + /* + * Note: internal error here; the TlsProtocol implementation verifies that the + * server-selected cipher suite was in the list of client-offered cipher suites, so if + * we now can't produce an implementation, we shouldn't have offered it! + */ + throw new TlsFatalAlert(AlertDescription.internal_error); + } + } + + protected TlsKeyExchange createSRPKeyExchange(int keyExchange) + { + return new TlsSRPKeyExchange(keyExchange, supportedSignatureAlgorithms, identity, password); + } +} |