tttls1.3 0.2.14 → 0.2.17

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3861f9a9864268fda75836b387c4a1f83e4edea0e885595155f2a352f69695ea
-  data.tar.gz: 617f9b12aa8ac8e39367b1b5f9fcba57d1bd3dc669fe645c7c6888a7140795bd
+  metadata.gz: c2b9bfcfb3b52aaf74864e31adc9f132ab9ce94f4610bcaaefd8c7a5048666e5
+  data.tar.gz: 77ccec36eaeec3d0d569a8428209b14749d0d2d80ce33348ed1cdb6f5cbd6ec8
 SHA512:
-  metadata.gz: 1f97901b82520b9c0a1fbc864e7e101749d9dacba3554e721eaf223fb1d4026384bf0756c8e9ac4578bcab37eb9c7b8e9c50b0387f3dfd7e8cf2d8456e709b14
-  data.tar.gz: a0d104b2e5dba0e7e7f8297a51b858f0912007f59350e1842e026639c1cc27d107c2737292f01cc2bf1fbc6c3374cb3426696f00ee2462c72d014c841ea3ce7d
+  metadata.gz: 29ffa56dd58069ec5096bc0a19d81d79ee71a34f57d2381f91a1039d33b9ec0ca5cd965904a586d2f342957c3a05e92167e2c249fc2aad0ea4bfe2cebf9dc30f
+  data.tar.gz: a1cd0087f0d9ab6a2c7adf5245f9acca5756da7cd3084d1e2b79a601c6606b00680291be5fe7fcf442bdb9d90cdb22dc26a241bcf26ac754ff0476e889c3f092

data/.github/workflows/ci.yml

@@ -3,7 +3,7 @@ name: CI
 on:
   push:
     branches:
-      - master
+      - main
   pull_request:
     branches:
       - '*'
@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        ruby-version: ['2.6.x', '2.7.x']
+        ruby-version: ['2.7.x', '3.0.x', '3.1.x']
     steps:
       - uses: docker://thekuwayama/openssl:latest
       - name: Set up Ruby

data/.rubocop.yml

@@ -1,5 +1,5 @@
 AllCops:
-  TargetRubyVersion: 2.6
+  TargetRubyVersion: 2.7
 
 Style/ConditionalAssignment:
   Enabled: false
@@ -28,3 +28,7 @@ Metrics/BlockLength:
 Layout/LineLength:
   Exclude:
     - 'tttls1.3.gemspec'
+
+# https://github.com/rubocop/rubocop/issues/10258
+Layout/BlockAlignment:
+  Enabled: false

data/Gemfile

@@ -7,9 +7,8 @@ gem 'openssl'
 gem 'rake'
 
 group :test do
-  gem 'pry'
-  gem 'pry-byebug'
-  gem 'rspec', '3.8.0'
+  gem 'byebug'
+  gem 'rspec', '3.9.0'
   gem 'rubocop', '0.78.0'
 end
 

data/README.md

@@ -74,7 +74,7 @@ server.write(YOUR_MESSAGE)
 server.close
 ```
 
-[Here](https://github.com/thekuwayama/tttls1.3/tree/master/example) are some examples of HTTPS.
+[Here](https://github.com/thekuwayama/tttls1.3/tree/main/example) are some examples of HTTPS.
 
 
 ## Settings
@@ -102,6 +102,7 @@ tttls1.3 client is configurable using keyword arguments.
 | `:record_size_limit` | Integer | nil | The record\_size\_limit offerd in ClientHello extensions. If not needed to be present, set nil. |
 | `:check_certificate_status` | Boolean | false | If needed to check certificate status, set true. |
 | `:process_certificate_status` | Proc | `TTTLS13::Client.method(:softfail_check_certificate_status)` | Proc(or Method) that checks received OCSPResponse. Its 3 arguments are OpenSSL::OCSP::Response, end-entity certificate(OpenSSL::X509::Certificate) and certificates chain(Array of Certificate) used for verification and it returns Boolean. |
+| `:compress_certificate_algorithms` | Array of TTTLS13::Message::Extension::CertificateCompressionAlgorithm constant | `ZLIB` | The compression algorithms are supported for compressing the Certificate message. |
 | `:compatibility_mode` | Boolean | true | If needed to send ChangeCipherSpec, set true. |
 | `:loglevel` | Logger constant | Logger::WARN | If needed to print verbose, set Logger::DEBUG. |
 
@@ -120,6 +121,7 @@ tttls1.3 server is configurable using keyword arguments.
 | `:supported_groups` | Array of TTTLS13::NamedGroup constant | `SECP256R1`, `SECP384R1`, `SECP521R1` | List of supported named groups. |
 | `:alpn` | Array of String | nil | List of supported application protocols. If not needed to check this extension, set nil. |
 | `:process_ocsp_response` | Proc | nil | Proc that gets OpenSSL::OCSP::Response. If not needed to staple OCSP::Response, set nil. |
+| `:compress_certificate_algorithms` | Array of TTTLS13::Message::Extension::CertificateCompressionAlgorithm constant | `ZLIB` | The compression algorithms are supported for compressing the Certificate message. |
 | `:compatibility_mode` | Boolean | true | If needed to send ChangeCipherSpec, set true. |
 | `:loglevel` | Logger constant | Logger::WARN | If needed to print verbose, set Logger::DEBUG. |
 

data/lib/tttls1.3/client.rb

@@ -43,6 +43,11 @@ module TTTLS13
   ].freeze
   private_constant :DEFAULT_CH_NAMED_GROUP_LIST
 
+  DEFALUT_CH_COMPRESS_CERTIFICATE_ALGORITHMS = [
+    Message::Extension::CertificateCompressionAlgorithm::ZLIB
+  ].freeze
+  private_constant :DEFALUT_CH_COMPRESS_CERTIFICATE_ALGORITHMS
+
   DEFAULT_CLIENT_SETTINGS = {
     ca_file: nil,
     cipher_suites: DEFAULT_CH_CIPHER_SUITES,
@@ -61,6 +66,7 @@ module TTTLS13
     record_size_limit: nil,
     check_certificate_status: false,
     process_certificate_status: nil,
+    compress_certificate_algorithms: DEFALUT_CH_COMPRESS_CERTIFICATE_ALGORITHMS,
     compatibility_mode: true,
     loglevel: Logger::WARN
   }.freeze
@@ -154,8 +160,8 @@ module TTTLS13
 
           extensions, priv_keys = gen_ch_extensions
           binder_key = (use_psk? ? key_schedule.binder_key_res : nil)
-          transcript[CH] = send_client_hello(extensions, binder_key)
-
+          ch = send_client_hello(extensions, binder_key)
+          transcript[CH] = [ch, ch.serialize]
           send_ccs if @settings[:compatibility_mode]
           if use_early_data?
             e_wcipher = gen_cipher(
@@ -170,7 +176,7 @@ module TTTLS13
         when ClientState::WAIT_SH
           logger.debug('ClientState::WAIT_SH')
 
-          sh = transcript[SH] = recv_server_hello
+          sh, = transcript[SH] = recv_server_hello
 
           # downgrade protection
           if !sh.negotiated_tls_1_3? && sh.downgraded?
@@ -187,7 +193,7 @@ module TTTLS13
             unless sh.legacy_compression_method == "\x00"
 
           # validate sh using ch
-          ch = transcript[CH]
+          ch, = transcript[CH]
           terminate(:illegal_parameter) \
             unless sh.legacy_version == ch.legacy_version
           terminate(:illegal_parameter) \
@@ -199,7 +205,7 @@ module TTTLS13
 
           # validate sh using hrr
           if transcript.include?(HRR)
-            hrr = transcript[HRR]
+            hrr, = transcript[HRR]
             terminate(:illegal_parameter) \
               unless sh.cipher_suite == hrr.cipher_suite
 
@@ -212,8 +218,9 @@ module TTTLS13
           # handling HRR
           if sh.hrr?
             terminate(:unexpected_message) if transcript.include?(HRR)
-            ch1 = transcript[CH1] = transcript.delete(CH)
-            hrr = transcript[HRR] = transcript.delete(SH)
+
+            ch1, = transcript[CH1] = transcript.delete(CH)
+            hrr, = transcript[HRR] = transcript.delete(SH)
 
             # validate cookie
             diff_sets = sh.extensions.keys - ch1.extensions.keys
@@ -235,8 +242,9 @@ module TTTLS13
             extensions, pk = gen_newch_extensions(ch1, hrr)
             priv_keys = pk.merge(priv_keys)
             binder_key = (use_psk? ? key_schedule.binder_key_res : nil)
-            transcript[CH] = send_new_client_hello(ch1, hrr, extensions,
-                                                   binder_key)
+            ch = send_new_client_hello(ch1, hrr, extensions, binder_key)
+            transcript[CH] = [ch, ch.serialize]
+
             @state = ClientState::WAIT_SH
             next
           end
@@ -277,37 +285,46 @@ module TTTLS13
         when ClientState::WAIT_EE
           logger.debug('ClientState::WAIT_EE')
 
-          ee = transcript[EE] = recv_encrypted_extensions(hs_rcipher)
+          ee, = transcript[EE] = recv_encrypted_extensions(hs_rcipher)
           terminate(:illegal_parameter) unless ee.appearable_extensions?
 
-          ch = transcript[CH]
+          ch, = transcript[CH]
           terminate(:unsupported_extension) \
             unless (ee.extensions.keys - ch.extensions.keys).empty?
 
           rsl = ee.extensions[Message::ExtensionType::RECORD_SIZE_LIMIT]
           @recv_record_size = rsl.record_size_limit unless rsl.nil?
-
           @succeed_early_data = true \
             if ee.extensions.include?(Message::ExtensionType::EARLY_DATA)
-
           @alpn = ee.extensions[
             Message::ExtensionType::APPLICATION_LAYER_PROTOCOL_NEGOTIATION
           ]&.protocol_name_list&.first
-
           @state = ClientState::WAIT_CERT_CR
           @state = ClientState::WAIT_FINISHED unless psk.nil?
         when ClientState::WAIT_CERT_CR
           logger.debug('ClientState::WAIT_CERT_CR')
 
-          message = recv_message(receivable_ccs: true, cipher: hs_rcipher)
-          if message.msg_type == Message::HandshakeType::CERTIFICATE
-            ct = transcript[CT] = message
-            alert = check_invalid_certificate(ct, transcript[CH])
+          message, orig_msg = recv_message(
+            receivable_ccs: true,
+            cipher: hs_rcipher
+          )
+          case message.msg_type
+          when Message::HandshakeType::CERTIFICATE,
+               Message::HandshakeType::COMPRESSED_CERTIFICATE
+            ct, = transcript[CT] = [message, orig_msg]
+            terminate(:bad_certificate) \
+              if ct.is_a?(Message::CompressedCertificate) &&
+                 !@settings[:compress_certificate_algorithms]
+                 .include?(ct.algorithm)
+
+            ct = ct.certificate_message \
+              if ct.is_a?(Message::CompressedCertificate)
+            alert = check_invalid_certificate(ct, transcript[CH].first)
             terminate(alert) unless alert.nil?
 
             @state = ClientState::WAIT_CV
-          elsif message.msg_type == Message::HandshakeType::CERTIFICATE_REQUEST
-            transcript[CR] = message
+          when Message::HandshakeType::CERTIFICATE_REQUEST
+            transcript[CR] = [message, orig_msg]
             # TODO: client authentication
             @state = ClientState::WAIT_CERT
           else
@@ -316,46 +333,56 @@ module TTTLS13
         when ClientState::WAIT_CERT
           logger.debug('ClientState::WAIT_CERT')
 
-          ct = transcript[CT] = recv_certificate(hs_rcipher)
-          alert = check_invalid_certificate(ct, transcript[CH])
+          ct, = transcript[CT] = recv_certificate(hs_rcipher)
+          if ct.is_a?(Message::CompressedCertificate) &&
+             !@settings[:compress_certificate_algorithms].include?(ct.algorithm)
+            terminate(:bad_certificate)
+          elsif ct.is_a?(Message::CompressedCertificate)
+            ct = ct.certificate_message
+          end
+
+          alert = check_invalid_certificate(ct, transcript[CH].first)
           terminate(alert) unless alert.nil?
 
           @state = ClientState::WAIT_CV
         when ClientState::WAIT_CV
           logger.debug('ClientState::WAIT_CV')
 
-          cv = transcript[CV] = recv_certificate_verify(hs_rcipher)
+          cv, = transcript[CV] = recv_certificate_verify(hs_rcipher)
           digest = CipherSuite.digest(@cipher_suite)
           hash = transcript.hash(digest, CT)
+          ct, = transcript[CT]
+          ct = ct.certificate_message \
+            if ct.is_a?(Message::CompressedCertificate)
           terminate(:decrypt_error) \
-            unless verified_certificate_verify?(transcript[CT], cv, hash)
+            unless verified_certificate_verify?(ct, cv, hash)
 
           @signature_scheme = cv.signature_scheme
-
           @state = ClientState::WAIT_FINISHED
         when ClientState::WAIT_FINISHED
           logger.debug('ClientState::WAIT_FINISHED')
 
-          sf = transcript[SF] = recv_finished(hs_rcipher)
+          sf, = transcript[SF] = recv_finished(hs_rcipher)
           digest = CipherSuite.digest(@cipher_suite)
-          verified = verified_finished?(
+          terminate(:decrypt_error) unless verified_finished?(
             finished: sf,
             digest: digest,
             finished_key: key_schedule.server_finished_key,
             hash: transcript.hash(digest, CV)
           )
-          terminate(:decrypt_error) unless verified
-
-          transcript[EOED] = send_eoed(e_wcipher) \
-            if use_early_data? && succeed_early_data?
 
+          if use_early_data? && succeed_early_data?
+            eoed = send_eoed(e_wcipher)
+            transcript[EOED] = [eoed, eoed.serialize]
+          end
           # TODO: Send Certificate [+ CertificateVerify]
           signature = sign_finished(
             digest: digest,
             finished_key: key_schedule.client_finished_key,
             hash: transcript.hash(digest, EOED)
           )
-          transcript[CF] = send_finished(signature, hs_wcipher)
+          cf = send_finished(signature, hs_wcipher)
+          transcript[CF] = [cf, cf.serialize]
           @alert_wcipher = @ap_wcipher = gen_cipher(
             @cipher_suite,
             key_schedule.client_application_write_key,
@@ -578,6 +605,14 @@ module TTTLS13
       exs << Message::Extension::OCSPStatusRequest.new \
         if @settings[:check_certificate_status]
 
+      # compress_certificate
+      if !@settings[:compress_certificate_algorithms].nil? &&
+         !@settings[:compress_certificate_algorithms].empty?
+        exs << Message::Extension::CompressCertificate.new(
+          @settings[:compress_certificate_algorithms]
+        )
+      end
+
       [exs, priv_keys]
     end
     # rubocop: enable Metrics/AbcSize
@@ -735,11 +770,15 @@ module TTTLS13
     # @raise [TTTLS13::Error::ErrorAlerts]
     #
     # @return [TTTLS13::Message::ServerHello]
+    # @return [String]
     def recv_server_hello
-      sh = recv_message(receivable_ccs: true, cipher: Cryptograph::Passer.new)
+      sh, orig_msg = recv_message(
+        receivable_ccs: true,
+        cipher: Cryptograph::Passer.new
+      )
       terminate(:unexpected_message) unless sh.is_a?(Message::ServerHello)
 
-      sh
+      [sh, orig_msg]
     end
 
     # @param cipher [TTTLS13::Cryptograph::Aead]
@@ -747,12 +786,13 @@ module TTTLS13
     # @raise [TTTLS13::Error::ErrorAlerts]
     #
     # @return [TTTLS13::Message::EncryptedExtensions]
+    # @return [String]
     def recv_encrypted_extensions(cipher)
-      ee = recv_message(receivable_ccs: true, cipher: cipher)
+      ee, orig_msg = recv_message(receivable_ccs: true, cipher: cipher)
       terminate(:unexpected_message) \
         unless ee.is_a?(Message::EncryptedExtensions)
 
-      ee
+      [ee, orig_msg]
     end
 
     # @param cipher [TTTLS13::Cryptograph::Aead]
@@ -760,11 +800,12 @@ module TTTLS13
     # @raise [TTTLS13::Error::ErrorAlerts]
     #
     # @return [TTTLS13::Message::Certificate]
+    # @return [String]
     def recv_certificate(cipher)
-      ct = recv_message(receivable_ccs: true, cipher: cipher)
+      ct, orig_msg = recv_message(receivable_ccs: true, cipher: cipher)
       terminate(:unexpected_message) unless ct.is_a?(Message::Certificate)
 
-      ct
+      [ct, orig_msg]
     end
 
     # @param cipher [TTTLS13::Cryptograph::Aead]
@@ -772,11 +813,12 @@ module TTTLS13
     # @raise [TTTLS13::Error::ErrorAlerts]
     #
     # @return [TTTLS13::Message::CertificateVerify]
+    # @return [String]
     def recv_certificate_verify(cipher)
-      cv = recv_message(receivable_ccs: true, cipher: cipher)
+      cv, orig_msg = recv_message(receivable_ccs: true, cipher: cipher)
       terminate(:unexpected_message) unless cv.is_a?(Message::CertificateVerify)
 
-      cv
+      [cv, orig_msg]
     end
 
     # @param cipher [TTTLS13::Cryptograph::Aead]
@@ -784,11 +826,12 @@ module TTTLS13
     # @raise [TTTLS13::Error::ErrorAlerts]
     #
     # @return [TTTLS13::Message::Finished]
+    # @return [String]
     def recv_finished(cipher)
-      sf = recv_message(receivable_ccs: true, cipher: cipher)
+      sf, orig_msg = recv_message(receivable_ccs: true, cipher: cipher)
       terminate(:unexpected_message) unless sf.is_a?(Message::Finished)
 
-      sf
+      [sf, orig_msg]
     end
 
     # @param cipher [TTTLS13::Cryptograph::Aead]

data/lib/tttls1.3/connection.rb

@@ -16,7 +16,7 @@ module TTTLS13
       @ap_wcipher = Cryptograph::Passer.new
       @ap_rcipher = Cryptograph::Passer.new
       @alert_wcipher = Cryptograph::Passer.new
-      @message_queue = [] # Array of TTTLS13::Message::$Object
+      @message_queue = [] # Array of [TTTLS13::Message::$Object, String]
       @binary_buffer = '' # deposit Record.surplus_binary
       @cipher_suite = nil # TTTLS13::CipherSuite
       @named_group = nil # TTTLS13::NamedGroup
@@ -42,7 +42,7 @@ module TTTLS13
 
       message = nil
       loop do
-        message = recv_message(receivable_ccs: false, cipher: @ap_rcipher)
+        message, = recv_message(receivable_ccs: false, cipher: @ap_rcipher)
         # At any time after the server has received the client Finished
         # message, it MAY send a NewSessionTicket message.
         break unless message.is_a?(Message::NewSessionTicket)
@@ -220,13 +220,15 @@ module TTTLS13
     # @raise [TTTLS13::Error::ErrorAlerts
     #
     # @return [TTTLS13::Message::$Object]
+    # @return [String]
     # rubocop: disable Metrics/CyclomaticComplexity
     def recv_message(receivable_ccs:, cipher:)
       return @message_queue.shift unless @message_queue.empty?
 
       messages = nil
+      orig_msgs = []
       loop do
-        record = recv_record(cipher)
+        record, orig_msgs = recv_record(cipher)
         case record.type
         when Message::ContentType::HANDSHAKE,
              Message::ContentType::APPLICATION_DATA
@@ -243,20 +245,22 @@ module TTTLS13
         end
       end
 
-      @message_queue += messages[1..]
+      @message_queue += messages[1..].zip(orig_msgs[1..])
       message = messages.first
+      orig_msg = orig_msgs.first
       if message.is_a?(Message::Alert)
         handle_received_alert(message)
         return nil
       end
 
-      message
+      [message, orig_msg]
     end
     # rubocop: enable Metrics/CyclomaticComplexity
 
     # @param cipher [TTTLS13::Cryptograph::Aead, Passer]
     #
     # @return [TTTLS13::Message::Record]
+    # @return [Array of String]
     def recv_record(cipher)
       binary = @socket.read(5)
       record_len = Convert.bin2i(binary.slice(3, 2))
@@ -264,9 +268,13 @@ module TTTLS13
 
       begin
         buffer = @binary_buffer
-        record = Message::Record.deserialize(binary, cipher, buffer,
-                                             @recv_record_size)
-        @binary_buffer = record.surplus_binary
+        record, orig_msgs, surplus_binary = Message::Record.deserialize(
+          binary,
+          cipher,
+          buffer,
+          @recv_record_size
+        )
+        @binary_buffer = surplus_binary
       rescue Error::ErrorAlerts => e
         terminate(e.message.to_sym)
       end
@@ -278,7 +286,7 @@ module TTTLS13
       end
 
       logger.debug("receive \n" + record.pretty_inspect)
-      record
+      [record, orig_msgs]
     end
 
     # @param ch1 [TTTLS13::Message::ClientHello]
@@ -292,11 +300,9 @@ module TTTLS13
       # TODO: ext binder
       hash_len = OpenSSL::Digest.new(digest).digest_length
       tt = Transcript.new
-      tt.merge!(
-        CH1 => ch1,
-        HRR => hrr,
-        CH => ch
-      )
+      tt[CH1] = [ch1, ch1.serialize] unless ch1.nil?
+      tt[HRR] = [hrr, hrr.serialize] unless hrr.nil?
+      tt[CH] = [ch, ch.serialize]
       # transcript-hash (CH1 + HRR +) truncated-CH
       hash = tt.truncate_hash(digest, CH, hash_len + 3)
       OpenSSL::HMAC.digest(digest, binder_key, hash)
@@ -500,11 +506,10 @@ module TTTLS13
       return false if san.nil?
 
       ostr = OpenSSL::ASN1.decode(san.to_der).value.last
-      matching = OpenSSL::ASN1.decode(ostr.value).map(&:value)
-                              .map { |s| s.gsub('.', '\.').gsub('*', '.*') }
-                              .any? { |s| name.match(/#{s}/) }
-
-      matching
+      OpenSSL::ASN1.decode(ostr.value)
+                   .map(&:value)
+                   .map { |s| s.gsub('.', '\.').gsub('*', '.*') }
+                   .any? { |s| name.match(/#{s}/) }
     end
 
     # @param signature_algorithms [Array of SignatureAlgorithms]

data/lib/tttls1.3/message/client_hello.rb

@@ -18,6 +18,7 @@ module TTTLS13
       ExtensionType::CLIENT_CERTIFICATE_TYPE,
       ExtensionType::SERVER_CERTIFICATE_TYPE,
       ExtensionType::PADDING,
+      ExtensionType::COMPRESS_CERTIFICATE,
       ExtensionType::RECORD_SIZE_LIMIT,
       ExtensionType::PWD_PROTECT,
       ExtensionType::PWD_CLEAR,

data/lib/tttls1.3/message/compressed_certificate.rb

@@ -0,0 +1,82 @@
+# encoding: ascii-8bit
+# frozen_string_literal: true
+
+module TTTLS13
+  using Refinements
+  module Message
+    class CompressedCertificate
+      attr_reader :msg_type
+      attr_reader :certificate_message
+      attr_reader :algorithm
+
+      # @param certificate_message [TTTLS13::Message::Certificate]
+      # @param algorithm [CertificateCompressionAlgorithm]
+      def initialize(certificate_message:, algorithm:)
+        @msg_type = HandshakeType::COMPRESSED_CERTIFICATE
+        @certificate_message = certificate_message
+        @algorithm = algorithm
+      end
+
+      # @return [String]
+      def serialize
+        binary = ''
+        binary += @algorithm
+        ct_bin = @certificate_message.serialize[4..]
+        binary += ct_bin.length.to_uint24
+        case @algorithm
+        when Extension::CertificateCompressionAlgorithm::ZLIB
+          binary += Zlib::Deflate.deflate(ct_bin).prefix_uint24_length
+        else # TODO: orig_msgs, ZSTD
+          raise Error::ErrorAlerts, :internal_error
+        end
+
+        @msg_type + binary.prefix_uint24_length
+      end
+
+      alias fragment serialize
+
+      # @param binary [String]
+      #
+      # @raise [TTTLS13::Error::ErrorAlerts]
+      #
+      # @return [TTTLS13::Message::CompressedCertificate]
+      # rubocop: disable Metrics/AbcSize
+      # rubocop: disable Metrics/CyclomaticComplexity
+      # rubocop: disable Metrics/PerceivedComplexity
+      def self.deserialize(binary)
+        raise Error::ErrorAlerts, :internal_error if binary.nil?
+        raise Error::ErrorAlerts, :decode_error if binary.length < 5
+        raise Error::ErrorAlerts, :internal_error \
+          unless binary[0] == HandshakeType::COMPRESSED_CERTIFICATE
+
+        msg_len = Convert.bin2i(binary.slice(1, 3))
+        algorithm = binary.slice(4, 2)
+        uncompressed_length = Convert.bin2i(binary.slice(6, 3))
+        ccm_len = Convert.bin2i(binary.slice(9, 3))
+        ct_bin = ''
+        case algorithm
+        when Extension::CertificateCompressionAlgorithm::ZLIB
+          ct_bin = Zlib::Inflate.inflate(binary.slice(12, ccm_len))
+        else # TODO: BROTLI, ZSTD
+          raise Error::ErrorAlerts, :bad_certificate
+        end
+
+        raise Error::ErrorAlerts, :bad_certificate \
+          unless ct_bin.length == uncompressed_length
+        raise Error::ErrorAlerts, :decode_error \
+          unless ccm_len + 12 == binary.length && msg_len + 4 == binary.length
+
+        certificate_message = Certificate.deserialize(
+          HandshakeType::CERTIFICATE + ct_bin.prefix_uint24_length
+        )
+        CompressedCertificate.new(
+          certificate_message: certificate_message,
+          algorithm: algorithm
+        )
+      end
+      # rubocop: enable Metrics/AbcSize
+      # rubocop: enable Metrics/CyclomaticComplexity
+      # rubocop: enable Metrics/PerceivedComplexity
+    end
+  end
+end

data/lib/tttls1.3/message/end_of_early_data.rb

@@ -2,11 +2,18 @@
 # frozen_string_literal: true
 
 module TTTLS13
+  using Refinements
   module Message
     class EndOfEarlyData
+      attr_reader :msg_type
+
+      def initialize
+        @msg_type = HandshakeType::END_OF_EARLY_DATA
+      end
+
       # @return [String]
       def serialize
-        ''
+        @msg_type + ''.prefix_uint24_length
       end
 
       # @param binary [String]

data/lib/tttls1.3/message/extension/alpn.rb

@@ -27,9 +27,12 @@ module TTTLS13
 
         # @return [String]
         def serialize
-          binary = @protocol_name_list.map(&:prefix_uint8_length).join
+          binary = @protocol_name_list
+                   .map(&:prefix_uint8_length)
+                   .join
+                   .prefix_uint16_length
 
-          @extension_type + binary.prefix_uint16_length.prefix_uint16_length
+          @extension_type + binary.prefix_uint16_length
         end
 
         # @param binary [String]