@joclaim/tls 0.1.0

package/lib/utils/constants.js

@@ -0,0 +1,244 @@
+/** Max size of an encrypted packet */
+export const MAX_ENC_PACKET_SIZE = 16380;
+export const TLS_PROTOCOL_VERSION_MAP = {
+    'TLS1_3': new Uint8Array([0x03, 0x04]),
+    'TLS1_2': new Uint8Array([0x03, 0x03]),
+};
+export const SUPPORTED_NAMED_CURVE_MAP = {
+    SECP256R1: {
+        identifier: new Uint8Array([0x00, 0x17]),
+        algorithm: 'P-256'
+    },
+    SECP384R1: {
+        identifier: new Uint8Array([0x00, 0x18]),
+        algorithm: 'P-384'
+    },
+    X25519: {
+        identifier: new Uint8Array([0x00, 0x1d]),
+        algorithm: 'X25519'
+    },
+};
+export const SUPPORTED_RECORD_TYPE_MAP = {
+    CLIENT_HELLO: 0x01,
+    SERVER_HELLO: 0x02,
+    HELLO_RETRY_REQUEST: 0x03,
+    SESSION_TICKET: 0x04,
+    ENCRYPTED_EXTENSIONS: 0x08,
+    CERTIFICATE: 0x0b,
+    SERVER_KEY_SHARE: 0x0c,
+    CERTIFICATE_REQUEST: 0x0d,
+    SERVER_HELLO_DONE: 0x0e,
+    CERTIFICATE_VERIFY: 0x0f,
+    CLIENT_KEY_SHARE: 0x10,
+    FINISHED: 0x14,
+    KEY_UPDATE: 0x18
+};
+export const CONTENT_TYPE_MAP = {
+    CHANGE_CIPHER_SPEC: 0x14,
+    ALERT: 0x15,
+    HANDSHAKE: 0x16,
+    APPLICATION_DATA: 0x17,
+};
+// The length of AEAD auth tag, appended after encrypted data in wrapped records
+export const AUTH_TAG_BYTE_LENGTH = 16;
+export const SUPPORTED_NAMED_CURVES = Object.keys(SUPPORTED_NAMED_CURVE_MAP);
+/**
+ * Supported cipher suites.
+ * In a client hello, these are sent in order of preference
+ * as listed below
+ */
+export const SUPPORTED_CIPHER_SUITE_MAP = {
+    // TLS 1.3 --------------------
+    TLS_CHACHA20_POLY1305_SHA256: {
+        identifier: new Uint8Array([0x13, 0x03]),
+        keyLength: 32,
+        hashLength: 32,
+        ivLength: 12,
+        hashAlgorithm: 'SHA-256',
+        cipher: 'CHACHA20-POLY1305'
+    },
+    TLS_AES_256_GCM_SHA384: {
+        identifier: new Uint8Array([0x13, 0x02]),
+        keyLength: 32,
+        hashLength: 48,
+        ivLength: 12,
+        hashAlgorithm: 'SHA-384',
+        cipher: 'AES-256-GCM',
+    },
+    TLS_AES_128_GCM_SHA256: {
+        identifier: new Uint8Array([0x13, 0x01]),
+        keyLength: 16,
+        hashLength: 32,
+        ivLength: 12,
+        hashAlgorithm: 'SHA-256',
+        cipher: 'AES-128-GCM',
+    },
+    // TLS 1.2 -------------------
+    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: {
+        identifier: new Uint8Array([0xcc, 0xa8]),
+        keyLength: 32,
+        hashLength: 32,
+        ivLength: 12,
+        hashAlgorithm: 'SHA-256',
+        cipher: 'CHACHA20-POLY1305',
+    },
+    TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: {
+        identifier: new Uint8Array([0xcc, 0xa9]),
+        keyLength: 32,
+        hashLength: 32,
+        ivLength: 12,
+        hashAlgorithm: 'SHA-256',
+        cipher: 'CHACHA20-POLY1305',
+    },
+    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: {
+        identifier: new Uint8Array([0xc0, 0x2f]),
+        keyLength: 16,
+        hashLength: 32,
+        ivLength: 4,
+        hashAlgorithm: 'SHA-256',
+        cipher: 'AES-128-GCM',
+    },
+    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: {
+        identifier: new Uint8Array([0xc0, 0x2b]),
+        keyLength: 16,
+        hashLength: 32,
+        ivLength: 4,
+        hashAlgorithm: 'SHA-256',
+        cipher: 'AES-128-GCM',
+    },
+    TLS_RSA_WITH_AES_128_GCM_SHA256: {
+        identifier: new Uint8Array([0x00, 0x9c]),
+        keyLength: 16,
+        hashLength: 32,
+        ivLength: 4,
+        hashAlgorithm: 'SHA-256',
+        cipher: 'AES-128-GCM',
+        isRsaEcdh: true, // RSA key exchange
+    },
+    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: {
+        identifier: new Uint8Array([0xc0, 0x30]),
+        keyLength: 32,
+        hashLength: 48,
+        ivLength: 4,
+        hashAlgorithm: 'SHA-384',
+        cipher: 'AES-256-GCM',
+    },
+    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: {
+        identifier: new Uint8Array([0xc0, 0x2c]),
+        keyLength: 32,
+        hashLength: 48,
+        ivLength: 4,
+        hashAlgorithm: 'SHA-384',
+        cipher: 'AES-256-GCM',
+    },
+    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: {
+        identifier: new Uint8Array([0xc0, 0x13]),
+        keyLength: 16,
+        hashLength: 20,
+        ivLength: 16,
+        hashAlgorithm: 'SHA-1',
+        prfHashAlgorithm: 'SHA-256',
+        cipher: 'AES-128-CBC',
+    },
+    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: {
+        identifier: new Uint8Array([0xc0, 0x09]),
+        keyLength: 16,
+        hashLength: 20,
+        ivLength: 16,
+        hashAlgorithm: 'SHA-1',
+        prfHashAlgorithm: 'SHA-256',
+        cipher: 'AES-128-CBC',
+    },
+};
+export const ALERT_LEVEL = {
+    WARNING: 1,
+    FATAL: 2,
+};
+export const ALERT_DESCRIPTION = {
+    CLOSE_NOTIFY: 0,
+    UNEXPECTED_MESSAGE: 10,
+    BAD_RECORD_MAC: 20,
+    RECORD_OVERFLOW: 22,
+    HANDSHAKE_FAILURE: 40,
+    BAD_CERTIFICATE: 42,
+    UNSUPPORTED_CERTIFICATE: 43,
+    CERTIFICATE_REVOKED: 44,
+    CERTIFICATE_EXPIRED: 45,
+    CERTIFICATE_UNKNOWN: 46,
+    ILLEGAL_PARAMETER: 47,
+    UNKNOWN_CA: 48,
+    ACCESS_DENIED: 49,
+    DECODE_ERROR: 50,
+    DECRYPT_ERROR: 51,
+    PROTOCOL_VERSION: 70,
+    INSUFFICIENT_SECURITY: 71,
+    INTERNAL_ERROR: 80,
+    INAPPROPRIATE_FALLBACK: 86,
+    USER_CANCELED: 90,
+    MISSING_EXTENSION: 109,
+    UNSUPPORTED_EXTENSION: 110,
+    UNRECOGNIZED_NAME: 112,
+    BAD_CERTIFICATE_STATUS_RESPONSE: 113,
+    UNKNOWN_PSK_IDENTITY: 115,
+    CERTIFICATE_REQUIRED: 116,
+    NO_APPLICATION_PROTOCOL: 120,
+    // TLS1.2
+    DECRYPTION_FAILED_RESERVED: 21,
+    DECOMPRESSION_FAILURE: 30,
+    NO_CERTIFICATE_RESERVED: 41,
+    EXPORT_RESTRICTION_RESERVED: 60,
+    NO_RENEGOTIATION: 100,
+};
+export const SUPPORTED_CIPHER_SUITES = Object.keys(SUPPORTED_CIPHER_SUITE_MAP);
+export const SUPPORTED_SIGNATURE_ALGS_MAP = {
+    ECDSA_SECP256R1_SHA256: {
+        identifier: new Uint8Array([0x04, 0x03]),
+        algorithm: 'ECDSA-SECP256R1-SHA256'
+    },
+    ECDSA_SECP384R1_SHA256: {
+        identifier: new Uint8Array([0x05, 0x03]),
+        algorithm: 'ECDSA-SECP384R1-SHA384'
+    },
+    RSA_PSS_RSAE_SHA256: {
+        identifier: new Uint8Array([0x08, 0x04]),
+        algorithm: 'RSA-PSS-SHA256',
+    },
+    RSA_PKCS1_SHA256: {
+        identifier: new Uint8Array([0x04, 0x01]),
+        algorithm: 'RSA-PKCS1-SHA256',
+    },
+    RSA_PKCS1_SHA384: {
+        identifier: new Uint8Array([0x05, 0x01]),
+        algorithm: 'RSA-PKCS1-SHA384',
+    },
+    RSA_PKCS1_SHA512: {
+        identifier: new Uint8Array([0x06, 0x01]),
+        algorithm: 'RSA-PKCS1-SHA512'
+    },
+};
+export const SUPPORTED_SIGNATURE_ALGS = Object.keys(SUPPORTED_SIGNATURE_ALGS_MAP);
+export const SUPPORTED_EXTENSION_MAP = {
+    SERVER_NAME: 0x00,
+    MAX_FRAGMENT_LENGTH: 0x01,
+    KEY_SHARE: 0x33,
+    SUPPORTED_GROUPS: 0x0a,
+    SIGNATURE_ALGS: 0x0d,
+    SUPPORTED_VERSIONS: 0x2b,
+    SESSION_TICKET: 0x23,
+    EARLY_DATA: 0x2a,
+    PRE_SHARED_KEY: 0x29,
+    PRE_SHARED_KEY_MODE: 0x2d,
+    // application layer protocol negotiation
+    ALPN: 0x10,
+};
+export const SUPPORTED_EXTENSIONS = Object.keys(SUPPORTED_EXTENSION_MAP);
+export const PACKET_TYPE = {
+    HELLO: 0x16,
+    WRAPPED_RECORD: 0x17,
+    CHANGE_CIPHER_SPEC: 0x14,
+    ALERT: 0x15,
+};
+export const KEY_UPDATE_TYPE_MAP = {
+    UPDATE_NOT_REQUESTED: 0,
+    UPDATE_REQUESTED: 1
+};

package/lib/utils/decryption-utils.d.ts

@@ -0,0 +1,64 @@
+import type { CipherSuite, HashAlgorithm } from '../types/index.ts';
+type DeriveTrafficKeysOptions = {
+    masterSecret: Uint8Array;
+    /** used to derive keys when resuming session */
+    earlySecret?: Uint8Array;
+    cipherSuite: CipherSuite;
+    /** list of handshake message to hash; or the hash itself */
+    hellos: Uint8Array[] | Uint8Array;
+    /** type of secret; handshake or provider-data */
+    secretType: 'hs' | 'ap';
+};
+type DeriveTrafficKeysOptionsTls12 = {
+    preMasterSecret: Uint8Array;
+    clientRandom: Uint8Array;
+    serverRandom: Uint8Array;
+    cipherSuite: CipherSuite;
+};
+export type SharedKeyData = Awaited<ReturnType<typeof computeSharedKeys>> | Awaited<ReturnType<typeof computeSharedKeysTls12>>;
+export declare function computeSharedKeysTls12(opts: DeriveTrafficKeysOptionsTls12): Promise<{
+    type: "TLS1_2";
+    masterSecret: Uint8Array<ArrayBuffer>;
+    clientMacKey: unknown;
+    serverMacKey: unknown;
+    clientEncKey: unknown;
+    serverEncKey: unknown;
+    clientIv: Uint8Array<ArrayBuffer>;
+    serverIv: Uint8Array<ArrayBuffer>;
+    serverSecret: Uint8Array<ArrayBuffer>;
+    clientSecret: Uint8Array<ArrayBuffer>;
+}>;
+export declare function computeUpdatedTrafficMasterSecret(masterSecret: Uint8Array, cipherSuite: CipherSuite): Promise<Uint8Array<ArrayBuffer>>;
+export declare function computeSharedKeys({ hellos, masterSecret: masterKey, cipherSuite, secretType, earlySecret }: DeriveTrafficKeysOptions): Promise<{
+    type: "TLS1_3";
+    masterSecret: Uint8Array<ArrayBufferLike>;
+    clientSecret: Uint8Array<ArrayBuffer>;
+    serverSecret: Uint8Array<ArrayBuffer>;
+    clientEncKey: unknown;
+    serverEncKey: unknown;
+    clientIv: Uint8Array<ArrayBuffer>;
+    serverIv: Uint8Array<ArrayBuffer>;
+}>;
+export declare function deriveTrafficKeys({ masterSecret, cipherSuite, hellos, secretType, }: DeriveTrafficKeysOptions): Promise<{
+    type: "TLS1_3";
+    masterSecret: Uint8Array<ArrayBufferLike>;
+    clientSecret: Uint8Array<ArrayBuffer>;
+    serverSecret: Uint8Array<ArrayBuffer>;
+    clientEncKey: unknown;
+    serverEncKey: unknown;
+    clientIv: Uint8Array<ArrayBuffer>;
+    serverIv: Uint8Array<ArrayBuffer>;
+}>;
+export declare function deriveTrafficKeysForSide(masterSecret: Uint8Array, cipherSuite: CipherSuite): Promise<{
+    masterSecret: Uint8Array<ArrayBufferLike>;
+    encKey: unknown;
+    iv: Uint8Array<ArrayBuffer>;
+}>;
+export declare function hkdfExtractAndExpandLabel(algorithm: HashAlgorithm, secret: Uint8Array, label: string, context: Uint8Array, length: number): Promise<Uint8Array<ArrayBuffer>>;
+export declare function getHash(msgs: Uint8Array[] | Uint8Array, cipherSuite: CipherSuite): Promise<Uint8Array<ArrayBufferLike>>;
+/**
+ * Get the PRF algorithm for the given cipher suite
+ * Relevant for TLS 1.2
+ */
+export declare function getPrfHashAlgorithm(cipherSuite: CipherSuite): "SHA-256" | "SHA-384";
+export {};

package/lib/utils/decryption-utils.js

@@ -0,0 +1,166 @@
+import { crypto } from "../crypto/index.js";
+import { SUPPORTED_CIPHER_SUITE_MAP } from "./constants.js";
+import { asciiToUint8Array, concatenateUint8Arrays, hkdfExpand, isSymmetricCipher, uint8ArrayToDataView } from "./generics.js";
+import { packWithLength } from "./packets.js";
+const TLS1_2_BASE_SEED = asciiToUint8Array('master secret');
+const TLS1_2_KEY_EXPANSION_SEED = asciiToUint8Array('key expansion');
+export async function computeSharedKeysTls12(opts) {
+    const { clientRandom, serverRandom, cipherSuite, } = opts;
+    const masterSecret = await generateMasterSecret(opts);
+    // all key derivation in TLS 1.2 uses SHA-256
+    const hashAlgorithm = getPrfHashAlgorithm(cipherSuite);
+    const { keyLength, cipher, hashLength, hashAlgorithm: cipherHashAlg, ivLength } = SUPPORTED_CIPHER_SUITE_MAP[cipherSuite];
+    const masterKey = await crypto
+        .importKey(hashAlgorithm, masterSecret);
+    const seed = concatenateUint8Arrays([
+        TLS1_2_KEY_EXPANSION_SEED,
+        serverRandom,
+        clientRandom,
+    ]);
+    const expandedSecretArr = [];
+    let lastSeed = seed;
+    for (let i = 0; i < 4; i++) {
+        lastSeed = await crypto.hmac(hashAlgorithm, masterKey, lastSeed);
+        const expandedSecret = await crypto.hmac(hashAlgorithm, masterKey, concatenateUint8Arrays([
+            lastSeed,
+            seed
+        ]));
+        expandedSecretArr.push(expandedSecret);
+    }
+    let expandedSecret = concatenateUint8Arrays(expandedSecretArr);
+    const needsMac = isSymmetricCipher(cipher);
+    const clientMacKey = needsMac ? await crypto.importKey(cipherHashAlg, readExpandedSecret(hashLength)) : undefined;
+    const serverMacKey = needsMac ? await crypto.importKey(cipherHashAlg, readExpandedSecret(hashLength)) : undefined;
+    const clientEncKey = await crypto.importKey(cipher, readExpandedSecret(keyLength));
+    const serverEncKey = await crypto.importKey(cipher, readExpandedSecret(keyLength));
+    const clientIv = readExpandedSecret(ivLength);
+    const serverIv = readExpandedSecret(ivLength);
+    return {
+        type: 'TLS1_2',
+        masterSecret,
+        clientMacKey,
+        serverMacKey,
+        clientEncKey,
+        serverEncKey,
+        clientIv,
+        serverIv,
+        serverSecret: masterSecret,
+        clientSecret: masterSecret,
+    };
+    function readExpandedSecret(len) {
+        const returnVal = expandedSecret
+            .slice(0, len);
+        expandedSecret = expandedSecret
+            .slice(len);
+        return returnVal;
+    }
+}
+async function generateMasterSecret({ preMasterSecret, clientRandom, serverRandom, cipherSuite }) {
+    // all key derivation in TLS 1.2 uses SHA-256
+    const hashAlgorithm = getPrfHashAlgorithm(cipherSuite);
+    const preMasterKey = await crypto
+        .importKey(hashAlgorithm, preMasterSecret);
+    const seed = concatenateUint8Arrays([
+        TLS1_2_BASE_SEED,
+        clientRandom,
+        serverRandom
+    ]);
+    const a1 = await crypto.hmac(hashAlgorithm, preMasterKey, seed);
+    const a2 = await crypto.hmac(hashAlgorithm, preMasterKey, a1);
+    const p1 = await crypto.hmac(hashAlgorithm, preMasterKey, concatenateUint8Arrays([
+        a1,
+        seed
+    ]));
+    const p2 = await crypto.hmac(hashAlgorithm, preMasterKey, concatenateUint8Arrays([
+        a2,
+        seed
+    ]));
+    return concatenateUint8Arrays([p1, p2])
+        .slice(0, 48);
+}
+export function computeUpdatedTrafficMasterSecret(masterSecret, cipherSuite) {
+    const { hashAlgorithm, hashLength } = SUPPORTED_CIPHER_SUITE_MAP[cipherSuite];
+    return hkdfExtractAndExpandLabel(hashAlgorithm, masterSecret, 'traffic upd', new Uint8Array(), hashLength);
+}
+export async function computeSharedKeys({ hellos, masterSecret: masterKey, cipherSuite, secretType, earlySecret }) {
+    const { hashAlgorithm, hashLength } = SUPPORTED_CIPHER_SUITE_MAP[cipherSuite];
+    const emptyHash = await crypto.hash(hashAlgorithm, new Uint8Array());
+    const zeros = new Uint8Array(hashLength);
+    let handshakeTrafficSecret;
+    if (secretType === 'hs') {
+        // some hashes
+        earlySecret = earlySecret
+            || await crypto.extract(hashAlgorithm, hashLength, zeros, '');
+        const derivedSecret = await hkdfExtractAndExpandLabel(hashAlgorithm, earlySecret, 'derived', emptyHash, hashLength);
+        handshakeTrafficSecret = await crypto.extract(hashAlgorithm, hashLength, masterKey, derivedSecret);
+    }
+    else {
+        const derivedSecret = await hkdfExtractAndExpandLabel(hashAlgorithm, masterKey, 'derived', emptyHash, hashLength);
+        handshakeTrafficSecret = await crypto.extract(hashAlgorithm, hashLength, zeros, derivedSecret);
+    }
+    return deriveTrafficKeys({
+        hellos,
+        cipherSuite,
+        masterSecret: handshakeTrafficSecret,
+        secretType
+    });
+}
+export async function deriveTrafficKeys({ masterSecret, cipherSuite, hellos, secretType, }) {
+    const { hashAlgorithm, hashLength } = SUPPORTED_CIPHER_SUITE_MAP[cipherSuite];
+    const handshakeHash = await getHash(hellos, cipherSuite);
+    const clientSecret = await hkdfExtractAndExpandLabel(hashAlgorithm, masterSecret, `c ${secretType} traffic`, handshakeHash, hashLength);
+    const serverSecret = await hkdfExtractAndExpandLabel(hashAlgorithm, masterSecret, `s ${secretType} traffic`, handshakeHash, hashLength);
+    const { encKey: clientEncKey, iv: clientIv } = await deriveTrafficKeysForSide(clientSecret, cipherSuite);
+    const { encKey: serverEncKey, iv: serverIv } = await deriveTrafficKeysForSide(serverSecret, cipherSuite);
+    return {
+        type: 'TLS1_3',
+        masterSecret,
+        clientSecret,
+        serverSecret,
+        clientEncKey,
+        serverEncKey,
+        clientIv,
+        serverIv,
+    };
+}
+export async function deriveTrafficKeysForSide(masterSecret, cipherSuite) {
+    const { hashAlgorithm, keyLength, cipher, ivLength } = SUPPORTED_CIPHER_SUITE_MAP[cipherSuite];
+    const encKey = await hkdfExtractAndExpandLabel(hashAlgorithm, masterSecret, 'key', new Uint8Array(), keyLength);
+    const iv = await hkdfExtractAndExpandLabel(hashAlgorithm, masterSecret, 'iv', new Uint8Array(0), ivLength);
+    return {
+        masterSecret,
+        encKey: await crypto.importKey(cipher, encKey),
+        iv
+    };
+}
+export async function hkdfExtractAndExpandLabel(algorithm, secret, label, context, length) {
+    const tmpLabel = `tls13 ${label}`;
+    const lengthBuffer = new Uint8Array(2);
+    const lengthBufferView = uint8ArrayToDataView(lengthBuffer);
+    lengthBufferView.setUint16(0, length);
+    const hkdfLabel = concatenateUint8Arrays([
+        lengthBuffer,
+        packWithLength(asciiToUint8Array(tmpLabel)).slice(1),
+        packWithLength(context).slice(1)
+    ]);
+    const key = await crypto.importKey(algorithm, secret);
+    return hkdfExpand(algorithm, length, key, length, hkdfLabel, crypto);
+}
+export async function getHash(msgs, cipherSuite) {
+    if (Array.isArray(msgs) && !(msgs instanceof Uint8Array)) {
+        const { hashAlgorithm } = SUPPORTED_CIPHER_SUITE_MAP[cipherSuite];
+        return crypto.hash(hashAlgorithm, concatenateUint8Arrays(msgs));
+    }
+    return msgs;
+}
+/**
+ * Get the PRF algorithm for the given cipher suite
+ * Relevant for TLS 1.2
+ */
+export function getPrfHashAlgorithm(cipherSuite) {
+    const opts = SUPPORTED_CIPHER_SUITE_MAP[cipherSuite];
+    // all key derivation in TLS 1.2 uses min SHA-256
+    return ('prfHashAlgorithm' in opts)
+        ? opts.prfHashAlgorithm
+        : opts.hashAlgorithm;
+}

package/lib/utils/finish-messages.d.ts

@@ -0,0 +1,11 @@
+import type { CipherSuite } from '../types/index.ts';
+type VerifyFinishMessageOptions = {
+    secret: Uint8Array;
+    handshakeMessages: Uint8Array[];
+    cipherSuite: CipherSuite;
+};
+export declare function verifyFinishMessage(verifyData: Uint8Array, opts: VerifyFinishMessageOptions): Promise<void>;
+export declare function packFinishMessagePacket(opts: VerifyFinishMessageOptions): Promise<Uint8Array<ArrayBufferLike>>;
+export declare function packClientFinishTls12(opts: VerifyFinishMessageOptions): Promise<Uint8Array<ArrayBufferLike>>;
+export declare function generateFinishTls12(type: 'client' | 'server', { secret, handshakeMessages, cipherSuite }: VerifyFinishMessageOptions): Promise<Uint8Array<ArrayBuffer>>;
+export {};

package/lib/utils/finish-messages.js

@@ -0,0 +1,49 @@
+import { crypto } from "../crypto/index.js";
+import { getHash, getPrfHashAlgorithm, hkdfExtractAndExpandLabel } from "../utils/decryption-utils.js";
+import { SUPPORTED_CIPHER_SUITE_MAP, SUPPORTED_RECORD_TYPE_MAP } from "./constants.js";
+import { areUint8ArraysEqual, asciiToUint8Array, concatenateUint8Arrays } from "./generics.js";
+import { packWith3ByteLength, packWithLength } from "./packets.js";
+export async function verifyFinishMessage(verifyData, opts) {
+    const computedData = await computeFinishMessageHash(opts);
+    if (!areUint8ArraysEqual(computedData, verifyData)) {
+        throw new Error('Invalid finish message');
+    }
+}
+export async function packFinishMessagePacket(opts) {
+    const hash = await computeFinishMessageHash(opts);
+    const packet = concatenateUint8Arrays([
+        new Uint8Array([SUPPORTED_RECORD_TYPE_MAP.FINISHED, 0x00]),
+        packWithLength(hash)
+    ]);
+    return packet;
+}
+async function computeFinishMessageHash({ secret, handshakeMessages, cipherSuite }) {
+    const { hashAlgorithm, hashLength } = SUPPORTED_CIPHER_SUITE_MAP[cipherSuite];
+    const handshakeHash = await getHash(handshakeMessages, cipherSuite);
+    const finishKey = await hkdfExtractAndExpandLabel(hashAlgorithm, secret, 'finished', new Uint8Array(0), hashLength);
+    const hmacKey = await crypto.importKey(hashAlgorithm, finishKey);
+    return crypto.hmac(hashAlgorithm, hmacKey, handshakeHash);
+}
+const TLS12_CLIENT_FINISH_DATA_LABEL = asciiToUint8Array('client finished');
+const TLS12_SERVER_FINISH_DATA_LABEL = asciiToUint8Array('server finished');
+export async function packClientFinishTls12(opts) {
+    return concatenateUint8Arrays([
+        new Uint8Array([SUPPORTED_RECORD_TYPE_MAP.FINISHED]),
+        packWith3ByteLength(await generateFinishTls12('client', opts))
+    ]);
+}
+export async function generateFinishTls12(type, { secret, handshakeMessages, cipherSuite }) {
+    // all key derivation in TLS 1.2 uses SHA-256
+    const hashAlgorithm = getPrfHashAlgorithm(cipherSuite);
+    const handshakeHash = await crypto.hash(hashAlgorithm, concatenateUint8Arrays(handshakeMessages));
+    const seed = concatenateUint8Arrays([
+        type === 'client'
+            ? TLS12_CLIENT_FINISH_DATA_LABEL
+            : TLS12_SERVER_FINISH_DATA_LABEL,
+        handshakeHash
+    ]);
+    const key = await crypto.importKey(hashAlgorithm, secret);
+    const a1 = await crypto.hmac(hashAlgorithm, key, seed);
+    const p1 = await crypto.hmac(hashAlgorithm, key, concatenateUint8Arrays([a1, seed]));
+    return p1.slice(0, 12);
+}

package/lib/utils/generics.d.ts

@@ -0,0 +1,35 @@
+import type { AuthenticatedSymmetricCryptoAlgorithm, Crypto, HashAlgorithm, Key, SymmetricCryptoAlgorithm, TLSProtocolVersion } from '../types/index.ts';
+/**
+ * Converts a buffer to a hex string with whitespace between each byte
+ * @returns eg. '01 02 03 04'
+ */
+export declare function toHexStringWithWhitespace(buff: Uint8Array, whitespace?: string): string;
+export declare function xor(a: Uint8Array, b: Uint8Array): Uint8Array<ArrayBuffer>;
+export declare function concatenateUint8Arrays(arrays: Uint8Array[]): Uint8Array;
+export declare function areUint8ArraysEqual(a: Uint8Array, b: Uint8Array): boolean;
+export declare function uint8ArrayToDataView(arr: Uint8Array): DataView<ArrayBufferLike>;
+export declare function asciiToUint8Array(str: string): Uint8Array<ArrayBufferLike>;
+/**
+ * convert a Uint8Array to a binary encoded str
+ * from: https://github.com/feross/buffer/blob/795bbb5bda1b39f1370ebd784bea6107b087e3a7/index.js#L1063
+ * @param buf
+ * @returns
+ */
+export declare function uint8ArrayToBinaryStr(buf: Uint8Array): string;
+export declare function generateIV(iv: Uint8Array, recordNumber: number): Uint8Array<ArrayBuffer>;
+/**
+ * TLS has this special sort of padding where the last byte
+ * is the number of padding bytes, and all the padding bytes
+ * are the same as the last byte.
+ * Eg. for an 8 byte block [ 0x0a, 0x0b, 0x0c, 0xd ]
+ * -> [ 0x0a, 0x0b, 0x0c, 0x04, 0x04, 0x04, 0x04, 0x04 ]
+ */
+export declare function padTls(data: Uint8Array, blockSize: number): Uint8Array<ArrayBuffer>;
+/**
+ * Unpad a TLS-spec padded buffer
+ */
+export declare function unpadTls(data: Uint8Array): Uint8Array<ArrayBuffer>;
+export declare function isSymmetricCipher(cipher: SymmetricCryptoAlgorithm | AuthenticatedSymmetricCryptoAlgorithm): cipher is SymmetricCryptoAlgorithm;
+export declare function chunkUint8Array(arr: Uint8Array, chunkSize: number): Uint8Array<ArrayBufferLike>[];
+export declare function getTlsVersionFromBytes(bytes: Uint8Array): TLSProtocolVersion;
+export declare const hkdfExpand: (alg: HashAlgorithm, hashLength: number, key: Key, expLength: number, info: Uint8Array, crypto: Crypto<unknown>) => Promise<Uint8Array<ArrayBuffer>>;