tttls1.3 0.3.1 → 0.3.3

data/lib/tttls1.3/ech.rb

@@ -0,0 +1,426 @@
+# encoding: ascii-8bit
+# frozen_string_literal: true
+
+module TTTLS13
+  using Refinements
+
+  SUPPORTED_ECHCONFIG_VERSIONS = ["\xfe\x0d"].freeze
+  private_constant :SUPPORTED_ECHCONFIG_VERSIONS
+
+  DEFAULT_ECH_OUTER_EXTENSIONS = [
+    Message::ExtensionType::KEY_SHARE
+  ].freeze
+  private_constant :DEFAULT_ECH_OUTER_EXTENSIONS
+
+  # rubocop: disable Metrics/ClassLength
+  class Ech
+    # @param inner [TTTLS13::Message::ClientHello]
+    # @param ech_config [ECHConfig]
+    # @param hpke_cipher_suite_selector [Method]
+    #
+    # @return [TTTLS13::Message::ClientHello]
+    # @return [TTTLS13::Message::ClientHello]
+    # @return [TTTLS13::EchState]
+    # rubocop: disable Metrics/AbcSize
+    def self.offer_ech(inner, ech_config, hpke_cipher_suite_selector)
+      return [new_greased_ch(inner, new_grease_ech), nil, nil] \
+        if ech_config.nil? ||
+           !SUPPORTED_ECHCONFIG_VERSIONS.include?(ech_config.version)
+
+      # Encrypted ClientHello Configuration
+      ech_state, enc = encrypted_ech_config(
+        ech_config,
+        hpke_cipher_suite_selector
+      )
+      return [new_greased_ch(inner, new_grease_ech), nil, nil] \
+        if ech_state.nil? || enc.nil?
+
+      # for ech_outer_extensions
+      replaced = \
+        inner.extensions.remove_and_replace!(DEFAULT_ECH_OUTER_EXTENSIONS)
+
+      # Encoding the ClientHelloInner
+      encoded = encode_ch_inner(inner, ech_state.maximum_name_length, replaced)
+      overhead_len = aead_id2overhead_len(ech_state.cipher_suite.aead_id.uint16)
+
+      # Authenticating the ClientHelloOuter
+      aad = new_ch_outer_aad(
+        inner,
+        ech_state.cipher_suite,
+        ech_state.config_id,
+        enc,
+        encoded.length + overhead_len,
+        ech_state.public_name
+      )
+
+      outer = new_ch_outer(
+        aad,
+        ech_state.cipher_suite,
+        ech_state.config_id,
+        enc,
+        # which does not include the Handshake structure's four byte header.
+        ech_state.ctx.seal(aad.serialize[4..], encoded)
+      )
+
+      [outer, inner, ech_state]
+    end
+    # rubocop: enable Metrics/AbcSize
+
+    # @param ech_config [ECHConfig]
+    # @param hpke_cipher_suite_selector [Method]
+    #
+    # @return [TTTLS13::EchState or nil]
+    # @return [String or nil]
+    # rubocop: disable Metrics/AbcSize
+    def self.encrypted_ech_config(ech_config, hpke_cipher_suite_selector)
+      public_name = ech_config.echconfig_contents.public_name
+      key_config = ech_config.echconfig_contents.key_config
+      public_key = key_config.public_key.opaque
+      kem_id = key_config&.kem_id&.uint16
+      config_id = key_config.config_id
+      cipher_suite = hpke_cipher_suite_selector.call(key_config)
+      aead_cipher = aead_id2aead_cipher(cipher_suite&.aead_id&.uint16)
+      kdf_hash = kdf_id2kdf_hash(cipher_suite&.kdf_id&.uint16)
+      return [nil, nil] \
+        if [kem_id, aead_cipher, kdf_hash].any?(&:nil?)
+
+      kem_curve_name, kem_hash = kem_id2dhkem(kem_id)
+      dhkem = kem_curve_name2dhkem(kem_curve_name)
+      pkr = dhkem&.new(kem_hash)&.deserialize_public_key(public_key)
+      return [nil, nil] if pkr.nil?
+
+      hpke = HPKE.new(kem_curve_name, kem_hash, kdf_hash, aead_cipher)
+      base_s = hpke.setup_base_s(pkr, "tls ech\x00" + ech_config.encode)
+      enc = base_s[:enc]
+      ctx = base_s[:context_s]
+      mnl = ech_config.echconfig_contents.maximum_name_length
+      ech_state = EchState.new(
+        mnl,
+        config_id,
+        cipher_suite,
+        public_name,
+        ctx
+      )
+
+      [ech_state, enc]
+    end
+    # rubocop: enable Metrics/AbcSize
+
+    # @param inner [TTTLS13::Message::ClientHello]
+    # @param ech_state [TTTLS13::EchState]
+    #
+    # @return [TTTLS13::Message::ClientHello]
+    # @return [TTTLS13::Message::ClientHello]
+    def self.offer_new_ech(inner, ech_state)
+      # for ech_outer_extensions
+      replaced = \
+        inner.extensions.remove_and_replace!(DEFAULT_ECH_OUTER_EXTENSIONS)
+
+      # Encoding the ClientHelloInner
+      encoded = encode_ch_inner(inner, ech_state.maximum_name_length, replaced)
+      overhead_len = \
+        aead_id2overhead_len(ech_state.cipher_suite.aead_id.uint16)
+
+      # It encrypts EncodedClientHelloInner as described in Section 6.1.1, using
+      # the second partial ClientHelloOuterAAD, to obtain a second
+      # ClientHelloOuter. It reuses the original HPKE encryption context
+      # computed in Section 6.1 and uses the empty string for enc.
+      #
+      # https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-17#section-6.1.5-4.4.1
+      aad = new_ch_outer_aad(
+        inner,
+        ech_state.cipher_suite,
+        ech_state.config_id,
+        '',
+        encoded.length + overhead_len,
+        ech_state.public_name
+      )
+
+      # Authenticating the ClientHelloOuter
+      outer = new_ch_outer(
+        aad,
+        ech_state.cipher_suite,
+        ech_state.config_id,
+        '',
+        # which does not include the Handshake structure's four byte header.
+        ech_state.ctx.seal(aad.serialize[4..], encoded)
+      )
+
+      [outer, inner]
+    end
+
+    # @param inner [TTTLS13::Message::ClientHello]
+    # @param maximum_name_length [Integer]
+    # @param replaced [TTTLS13::Message::Extensions]
+    #
+    # @return [String] EncodedClientHelloInner
+    def self.encode_ch_inner(inner, maximum_name_length, replaced)
+      encoded = Message::ClientHello.new(
+        legacy_version: inner.legacy_version,
+        random: inner.random,
+        legacy_session_id: '',
+        cipher_suites: inner.cipher_suites,
+        legacy_compression_methods: inner.legacy_compression_methods,
+        extensions: replaced
+      )
+      server_name_length = \
+        replaced[Message::ExtensionType::SERVER_NAME].server_name.length
+
+      padding_encoded_ch_inner(
+        # which does not include the Handshake structure's four byte header.
+        encoded.serialize[4..],
+        server_name_length,
+        maximum_name_length
+      )
+    end
+
+    # @param s [String]
+    # @param server_name_length [Integer]
+    # @param maximum_name_length [Integer]
+    #
+    # @return [String]
+    def self.padding_encoded_ch_inner(s,
+                                      server_name_length,
+                                      maximum_name_length)
+      padding_len =
+        if server_name_length.positive?
+          [maximum_name_length - server_name_length, 0].max
+        else
+          9 + maximum_name_length
+        end
+
+      padding_len = 31 - ((s.length + padding_len - 1) % 32)
+      s + padding_len.zeros
+    end
+
+    # @param inner [TTTLS13::Message::ClientHello]
+    # @param cipher_suite [HpkeSymmetricCipherSuite]
+    # @param config_id [Integer]
+    # @param enc [String]
+    # @param payload_len [Integer]
+    # @param server_name [String]
+    #
+    # @return [TTTLS13::Message::ClientHello]
+    # rubocop: disable Metrics/ParameterLists
+    def self.new_ch_outer_aad(inner,
+                              cipher_suite,
+                              config_id,
+                              enc,
+                              payload_len,
+                              server_name)
+      aad_ech = Message::Extension::ECHClientHello.new_outer(
+        cipher_suite: cipher_suite,
+        config_id: config_id,
+        enc: enc,
+        payload: payload_len.zeros
+      )
+      Message::ClientHello.new(
+        legacy_version: inner.legacy_version,
+        legacy_session_id: inner.legacy_session_id,
+        cipher_suites: inner.cipher_suites,
+        legacy_compression_methods: inner.legacy_compression_methods,
+        extensions: inner.extensions.merge(
+          Message::ExtensionType::ENCRYPTED_CLIENT_HELLO => aad_ech,
+          Message::ExtensionType::SERVER_NAME => \
+            Message::Extension::ServerName.new(server_name)
+        )
+      )
+    end
+    # rubocop: enable Metrics/ParameterLists
+
+    # @param aad [TTTLS13::Message::ClientHello]
+    # @param cipher_suite [HpkeSymmetricCipherSuite]
+    # @param config_id [Integer]
+    # @param enc [String]
+    # @param payload [String]
+    #
+    # @return [TTTLS13::Message::ClientHello]
+    def self.new_ch_outer(aad, cipher_suite, config_id, enc, payload)
+      outer_ech = Message::Extension::ECHClientHello.new_outer(
+        cipher_suite: cipher_suite,
+        config_id: config_id,
+        enc: enc,
+        payload: payload
+      )
+      Message::ClientHello.new(
+        legacy_version: aad.legacy_version,
+        random: aad.random,
+        legacy_session_id: aad.legacy_session_id,
+        cipher_suites: aad.cipher_suites,
+        legacy_compression_methods: aad.legacy_compression_methods,
+        extensions: aad.extensions.merge(
+          Message::ExtensionType::ENCRYPTED_CLIENT_HELLO => outer_ech
+        )
+      )
+    end
+
+    # @return [Message::Extension::ECHClientHello]
+    def self.new_grease_ech
+      # https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-17#name-compliance-requirements
+      cipher_suite = HpkeSymmetricCipherSuite.new(
+        HpkeSymmetricCipherSuite::HpkeKdfId.new(
+          KdfId::HKDF_SHA256
+        ),
+        HpkeSymmetricCipherSuite::HpkeAeadId.new(
+          AeadId::AES_128_GCM
+        )
+      )
+      # Set the enc field to a randomly-generated valid encapsulated public key
+      # output by the HPKE KEM.
+      #
+      # https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-17#section-6.2-2.3.1
+      public_key = OpenSSL::PKey.read(
+        OpenSSL::PKey.generate_key('X25519').public_to_pem
+      )
+      hpke = HPKE.new(:x25519, :sha256, :sha256, :aes_128_gcm)
+      enc = hpke.setup_base_s(public_key, '')[:enc]
+      # Set the payload field to a randomly-generated string of L+C bytes, where
+      # C is the ciphertext expansion of the selected AEAD scheme and L is the
+      # size of the EncodedClientHelloInner the client would compute when
+      # offering ECH, padded according to Section 6.1.3.
+      #
+      # https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-17#section-6.2-2.4.1
+      payload_len = placeholder_encoded_ch_inner_len \
+                    + aead_id2overhead_len(AeadId::AES_128_GCM)
+
+      Message::Extension::ECHClientHello.new_outer(
+        cipher_suite: cipher_suite,
+        config_id: Convert.bin2i(OpenSSL::Random.random_bytes(1)),
+        enc: enc,
+        payload: OpenSSL::Random.random_bytes(payload_len)
+      )
+    end
+
+    # @return [Integer]
+    def self.placeholder_encoded_ch_inner_len
+      448
+    end
+
+    # @param inner [TTTLS13::Message::ClientHello]
+    # @param ech [Message::Extension::ECHClientHello]
+    #
+    # @return [TTTLS13::Message::ClientHello]
+    def self.new_greased_ch(inner, ech)
+      Message::ClientHello.new(
+        legacy_version: inner.legacy_version,
+        random: inner.random,
+        legacy_session_id: inner.legacy_session_id,
+        cipher_suites: inner.cipher_suites,
+        legacy_compression_methods: inner.legacy_compression_methods,
+        extensions: inner.extensions.merge(
+          Message::ExtensionType::ENCRYPTED_CLIENT_HELLO => ech
+        )
+      )
+    end
+
+    module KemId
+      # https://www.iana.org/assignments/hpke/hpke.xhtml#hpke-kem-ids
+      P_256_SHA256  = 0x0010
+      P_384_SHA384  = 0x0011
+      P_521_SHA512  = 0x0012
+      X25519_SHA256 = 0x0020
+      X448_SHA512   = 0x0021
+    end
+
+    def self.kem_id2dhkem(kem_id)
+      case kem_id
+      when KemId::P_256_SHA256
+        %i[p_256 sha256]
+      when KemId::P_384_SHA384
+        %i[p_384 sha384]
+      when KemId::P_521_SHA512
+        %i[p_521 sha512]
+      when KemId::X25519_SHA256
+        %i[x25519 sha256]
+      when KemId::X448_SHA512
+        %i[x448 sha512]
+      end
+    end
+
+    def self.kem_curve_name2dhkem(kem_curve_name)
+      case kem_curve_name
+      when :p_256
+        HPKE::DHKEM::EC::P_256
+      when :p_384
+        HPKE::DHKEM::EC::P_384
+      when :p_521
+        HPKE::DHKEM::EC::P_521
+      when :x25519
+        HPKE::DHKEM::X25519
+      when :x448
+        HPKE::DHKEM::X448
+      end
+    end
+
+    module KdfId
+      # https://www.iana.org/assignments/hpke/hpke.xhtml#hpke-kdf-ids
+      HKDF_SHA256 = 0x0001
+      HKDF_SHA384 = 0x0002
+      HKDF_SHA512 = 0x0003
+    end
+
+    def self.kdf_id2kdf_hash(kdf_id)
+      case kdf_id
+      when KdfId::HKDF_SHA256
+        :sha256
+      when KdfId::HKDF_SHA384
+        :sha384
+      when KdfId::HKDF_SHA512
+        :sha512
+      end
+    end
+
+    module AeadId
+      # https://www.iana.org/assignments/hpke/hpke.xhtml#hpke-aead-ids
+      AES_128_GCM       = 0x0001
+      AES_256_GCM       = 0x0002
+      CHACHA20_POLY1305 = 0x0003
+    end
+
+    def self.aead_id2overhead_len(aead_id)
+      case aead_id
+      when AeadId::AES_128_GCM, AeadId::CHACHA20_POLY1305
+        16
+      when AeadId::AES_256_GCM
+        32
+      end
+    end
+
+    def self.aead_id2aead_cipher(aead_id)
+      case aead_id
+      when AeadId::AES_128_GCM
+        :aes_128_gcm
+      when AeadId::AES_256_GCM
+        :aes_256_gcm
+      when AeadId::CHACHA20_POLY1305
+        :chacha20_poly1305
+      end
+    end
+  end
+
+  class EchState
+    attr_reader :maximum_name_length
+    attr_reader :config_id
+    attr_reader :cipher_suite
+    attr_reader :public_name
+    attr_reader :ctx
+
+    # @param maximum_name_length [Integer]
+    # @param config_id [Integer]
+    # @param cipher_suite [HpkeSymmetricCipherSuite]
+    # @param public_name [String]
+    # @param ctx [HPKE::ContextS]
+    def initialize(maximum_name_length,
+                   config_id,
+                   cipher_suite,
+                   public_name,
+                   ctx)
+      @maximum_name_length = maximum_name_length
+      @config_id = config_id
+      @cipher_suite = cipher_suite
+      @public_name = public_name
+      @ctx = ctx
+    end
+  end
+  # rubocop: enable Metrics/ClassLength
+end

data/lib/tttls1.3/endpoint.rb

@@ -0,0 +1,276 @@
+# encoding: ascii-8bit
+# frozen_string_literal: true
+
+module TTTLS13
+  # rubocop: disable Metrics/ClassLength
+  class Endpoint
+    # @param label [String]
+    # @param context [String]
+    # @param key_length [Integer]
+    # @param exporter_secret [String]
+    # @param cipher_suite [TTTLS13::CipherSuite]
+    #
+    # @return [String, nil]
+    def self.exporter(label, context, key_length, exporter_secret, cipher_suite)
+      return nil if exporter_secret.nil? || cipher_suite.nil?
+
+      digest = CipherSuite.digest(cipher_suite)
+      do_exporter(exporter_secret, digest, label, context, key_length)
+    end
+
+    # @param cipher_suite [TTTLS13::CipherSuite]
+    # @param write_key [String]
+    # @param write_iv [String]
+    #
+    # @return [TTTLS13::Cryptograph::Aead]
+    def self.gen_cipher(cipher_suite, write_key, write_iv)
+      seq_num = SequenceNumber.new
+      Cryptograph::Aead.new(
+        cipher_suite: cipher_suite,
+        write_key: write_key,
+        write_iv: write_iv,
+        sequence_number: seq_num
+      )
+    end
+
+    # @param ch1 [TTTLS13::Message::ClientHello]
+    # @param hrr [TTTLS13::Message::ServerHello]
+    # @param ch [TTTLS13::Message::ClientHello]
+    # @param binder_key [String]
+    # @param digest [String] name of digest algorithm
+    #
+    # @return [String]
+    def self.sign_psk_binder(ch1:, hrr:, ch:, binder_key:, digest:)
+      # TODO: ext binder
+      hash_len = OpenSSL::Digest.new(digest).digest_length
+      tt = Transcript.new
+      tt[CH1] = [ch1, ch1.serialize] unless ch1.nil?
+      tt[HRR] = [hrr, hrr.serialize] unless hrr.nil?
+      tt[CH] = [ch, ch.serialize]
+      # transcript-hash (CH1 + HRR +) truncated-CH
+      hash = tt.truncate_hash(digest, CH, hash_len + 3)
+      OpenSSL::HMAC.digest(digest, binder_key, hash)
+    end
+
+    # @param key [OpenSSL::PKey::PKey]
+    # @param signature_scheme [TTTLS13::SignatureScheme]
+    # @param context [String]
+    # @param hash [String]
+    #
+    # @raise [TTTLS13::Error::ErrorAlerts]
+    #
+    # @return [String]
+    # rubocop: disable Metrics/CyclomaticComplexity
+    def self.sign_certificate_verify(key:, signature_scheme:, context:, hash:)
+      content = "\x20" * 64 + context + "\x00" + hash
+
+      # RSA signatures MUST use an RSASSA-PSS algorithm, regardless of whether
+      # RSASSA-PKCS1-v1_5 algorithms appear in "signature_algorithms".
+      case signature_scheme
+      when SignatureScheme::RSA_PKCS1_SHA256,
+           SignatureScheme::RSA_PSS_RSAE_SHA256,
+           SignatureScheme::RSA_PSS_PSS_SHA256
+        key.sign_pss('SHA256', content, salt_length: :digest,
+                                        mgf1_hash: 'SHA256')
+      when SignatureScheme::RSA_PKCS1_SHA384,
+           SignatureScheme::RSA_PSS_RSAE_SHA384,
+           SignatureScheme::RSA_PSS_PSS_SHA384
+        key.sign_pss('SHA384', content, salt_length: :digest,
+                                        mgf1_hash: 'SHA384')
+      when SignatureScheme::RSA_PKCS1_SHA512,
+           SignatureScheme::RSA_PSS_RSAE_SHA512,
+           SignatureScheme::RSA_PSS_PSS_SHA512
+        key.sign_pss('SHA512', content, salt_length: :digest,
+                                        mgf1_hash: 'SHA512')
+      when SignatureScheme::ECDSA_SECP256R1_SHA256
+        key.sign('SHA256', content)
+      when SignatureScheme::ECDSA_SECP384R1_SHA384
+        key.sign('SHA384', content)
+      when SignatureScheme::ECDSA_SECP521R1_SHA512
+        key.sign('SHA512', content)
+      else # TODO: ED25519, ED448
+        terminate(:internal_error)
+      end
+    end
+    # rubocop: enable Metrics/CyclomaticComplexity
+
+    # @param public_key [OpenSSL::PKey::PKey]
+    # @param signature_scheme [TTTLS13::SignatureScheme]
+    # @param signature [String]
+    # @param context [String]
+    # @param hash [String]
+    #
+    # @raise [TTTLS13::Error::ErrorAlerts]
+    #
+    # @return [Boolean]
+    # rubocop: disable Metrics/CyclomaticComplexity
+    def self.verified_certificate_verify?(public_key:, signature_scheme:,
+                                          signature:, context:, hash:)
+      content = "\x20" * 64 + context + "\x00" + hash
+
+      # RSA signatures MUST use an RSASSA-PSS algorithm, regardless of whether
+      # RSASSA-PKCS1-v1_5 algorithms appear in "signature_algorithms".
+      case signature_scheme
+      when SignatureScheme::RSA_PKCS1_SHA256,
+           SignatureScheme::RSA_PSS_RSAE_SHA256,
+           SignatureScheme::RSA_PSS_PSS_SHA256
+        public_key.verify_pss('SHA256', signature, content, salt_length: :auto,
+                                                            mgf1_hash: 'SHA256')
+      when SignatureScheme::RSA_PKCS1_SHA384,
+           SignatureScheme::RSA_PSS_RSAE_SHA384,
+           SignatureScheme::RSA_PSS_PSS_SHA384
+        public_key.verify_pss('SHA384', signature, content, salt_length: :auto,
+                                                            mgf1_hash: 'SHA384')
+      when SignatureScheme::RSA_PKCS1_SHA512,
+           SignatureScheme::RSA_PSS_RSAE_SHA512,
+           SignatureScheme::RSA_PSS_PSS_SHA512
+        public_key.verify_pss('SHA512', signature, content, salt_length: :auto,
+                                                            mgf1_hash: 'SHA512')
+      when SignatureScheme::ECDSA_SECP256R1_SHA256
+        public_key.verify('SHA256', signature, content)
+      when SignatureScheme::ECDSA_SECP384R1_SHA384
+        public_key.verify('SHA384', signature, content)
+      when SignatureScheme::ECDSA_SECP521R1_SHA512
+        public_key.verify('SHA512', signature, content)
+      else # TODO: ED25519, ED448
+        terminate(:internal_error)
+      end
+    end
+    # rubocop: enable Metrics/CyclomaticComplexity
+
+    # @param digest [String] name of digest algorithm
+    # @param finished_key [String]
+    # @param hash [String]
+    #
+    # @return [String]
+    def self.sign_finished(digest:, finished_key:, hash:)
+      OpenSSL::HMAC.digest(digest, finished_key, hash)
+    end
+
+    # @param finished [TTTLS13::Message::Finished]
+    # @param digest [String] name of digest algorithm
+    # @param finished_key [String]
+    # @param hash [String]
+    #
+    # @return [Boolean]
+    def self.verified_finished?(finished:, digest:, finished_key:, hash:)
+      sign_finished(digest: digest, finished_key: finished_key, hash: hash) \
+      == finished.verify_data
+    end
+
+    # @param key_exchange [String]
+    # @param priv_key [OpenSSL::PKey::$Object]
+    # @param group [TTTLS13::NamedGroup]
+    #
+    # @return [String]
+    def self.gen_shared_secret(key_exchange, priv_key, group)
+      curve = NamedGroup.curve_name(group)
+      terminate(:internal_error) if curve.nil?
+
+      pub_key = OpenSSL::PKey::EC::Point.new(
+        OpenSSL::PKey::EC::Group.new(curve),
+        OpenSSL::BN.new(key_exchange, 2)
+      )
+
+      priv_key.dh_compute_key(pub_key)
+    end
+
+    # @param certificate_list [Array of CertificateEntry]
+    # @param ca_file [String] path to ca.crt
+    # @param hostname [String]
+    #
+    # @return [Boolean]
+    def self.trusted_certificate?(certificate_list,
+                                  ca_file = nil,
+                                  hostname = nil)
+      chain = certificate_list.map(&:cert_data).map do |c|
+        OpenSSL::X509::Certificate.new(c)
+      end
+      cert = chain.shift
+
+      # not support CN matching, only support SAN matching
+      return false if !hostname.nil? && !matching_san?(cert, hostname)
+
+      store = OpenSSL::X509::Store.new
+      store.set_default_paths
+      store.add_file(ca_file) unless ca_file.nil?
+      # TODO: parse authorityInfoAccess::CA Issuers
+      ctx = OpenSSL::X509::StoreContext.new(store, cert, chain)
+      now = Time.now
+      ctx.verify && cert.not_before < now && now < cert.not_after
+    end
+
+    # @param signature_algorithms [Array of SignatureAlgorithms]
+    # @param crt [OpenSSL::X509::Certificate]
+    #
+    # @return [Array of TTTLS13::Message::Extension::SignatureAlgorithms]
+    def self.select_signature_algorithms(signature_algorithms, crt)
+      pka = OpenSSL::ASN1.decode(crt.public_key.to_der)
+                         .value.first.value.first.value
+      signature_algorithms.select do |sa|
+        case sa
+        when SignatureScheme::ECDSA_SECP256R1_SHA256,
+             SignatureScheme::ECDSA_SECP384R1_SHA384,
+             SignatureScheme::ECDSA_SECP521R1_SHA512
+          pka == 'id-ecPublicKey'
+        when SignatureScheme::RSA_PSS_PSS_SHA256,
+             SignatureScheme::RSA_PSS_PSS_SHA384,
+             SignatureScheme::RSA_PSS_PSS_SHA512
+          pka == 'rsassaPss'
+        when SignatureScheme::RSA_PSS_RSAE_SHA256,
+             SignatureScheme::RSA_PSS_RSAE_SHA384,
+             SignatureScheme::RSA_PSS_RSAE_SHA512
+          pka == 'rsaEncryption'
+        else
+          # RSASSA-PKCS1-v1_5 algorithms refer solely to signatures which appear
+          # in certificates and are not defined for use in signed TLS handshake
+          # messages
+          false
+        end
+      end
+    end
+
+    # @param cert [OpenSSL::X509::Certificate]
+    # @param name [String]
+    #
+    # @return [Boolean]
+    def self.matching_san?(cert, name)
+      san = cert.extensions.find { |ex| ex.oid == 'subjectAltName' }
+      return false if san.nil?
+
+      ostr = OpenSSL::ASN1.decode(san.to_der).value.last
+      OpenSSL::ASN1.decode(ostr.value)
+                   .map(&:value)
+                   .map { |s| s.gsub('.', '\.').gsub('*', '.*') }
+                   .any? { |s| name.match(/#{s}/) }
+    end
+
+    class << self
+      # @param secret [String] (early_)exporter_secret
+      # @param digest [String] name of digest algorithm
+      # @param label [String]
+      # @param context [String]
+      # @param key_length [Integer]
+      #
+      # @return [String]
+      def do_exporter(secret, digest, label, context, key_length)
+        derived_secret = KeySchedule.hkdf_expand_label(
+          secret,
+          label,
+          OpenSSL::Digest.digest(digest, ''),
+          OpenSSL::Digest.new(digest).digest_length,
+          digest
+        )
+
+        KeySchedule.hkdf_expand_label(
+          derived_secret,
+          'exporter',
+          OpenSSL::Digest.digest(digest, context),
+          key_length,
+          digest
+        )
+      end
+    end
+  end
+  # rubocop: enable Metrics/ClassLength
+end

data/lib/tttls1.3/message/certificate_verify.rb

@@ -47,7 +47,7 @@ module TTTLS13
         signature_scheme = binary.slice(4, 2)
         signature_len = Convert.bin2i(binary.slice(6, 2))
         signature = binary.slice(8, signature_len)
-        raise Error::ErrorAlerts, :internal_error \
+        raise Error::ErrorAlerts, :decode_error \
           unless signature_len + 4 == msg_len &&
                  signature_len + 8 == binary.length