September 13, 2013

Java Bouncy Castle TLS PSK example

This is an example how to use the Bouncy Castle library to write a TLS-PSK client. The server was tested with was an openssl server (openssl s_server). Keep in mind that I do not write Java program regularly, so you may find some style/usage not the best.

Source:

import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.io.PrintStream;
import java.net.InetAddress;
import java.net.Socket;
import java.security.SecureRandom;
import java.security.Provider;
import java.security.Security;
import javax.xml.bind.DatatypeConverter;

import org.bouncycastle.asn1.x509.Certificate;
import org.bouncycastle.crypto.tls.AlertLevel;
import org.bouncycastle.crypto.tls.CipherSuite;
import org.bouncycastle.crypto.tls.DefaultTlsClient;
import org.bouncycastle.crypto.tls.ServerOnlyTlsAuthentication;
import org.bouncycastle.crypto.tls.TlsAuthentication;
import org.bouncycastle.crypto.tls.TlsClientProtocol;
import org.bouncycastle.crypto.tls.TlsPSKIdentity;
import org.bouncycastle.crypto.tls.PSKTlsClient;
import org.bouncycastle.util.io.Streams;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

/**
 * A simple test designed to conduct a TLS-PSK handshake with an external TLS server.
 */
public class PSKTlsClientTest
{

 static String convertStreamToString(java.io.InputStream is) {
  java.util.Scanner s = new java.util.Scanner(is).useDelimiter("\\A");
  return s.hasNext() ? s.next() : "";
 }

 static class Z_PSKIdentity implements TlsPSKIdentity {

  void Z_PSKIdentity(){};

  public void skipIdentityHint(){
         System.out.println("skipIdentityHint called\n");
  }

  public void notifyIdentityHint(byte[] PSK_identity_hint){
         System.out.println("notifyIdentityHint called\n");
  }

  public byte[] getPSKIdentity(){
   return "Client_identity".getBytes();
  }

  public byte[] getPSK(){
   return DatatypeConverter.parseHexBinary("1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A");
  }

 }


    public static void main(String[] args)
        throws Exception
    {

  Z_PSKIdentity pskIdentity = new Z_PSKIdentity();

        Security.addProvider(new BouncyCastleProvider());

        Socket socket = new Socket(InetAddress.getByName("192.168.1.201"), 10443);

        SecureRandom secureRandom = new SecureRandom();
        TlsClientProtocol protocol = new TlsClientProtocol(socket.getInputStream(), socket.getOutputStream(),
            secureRandom);

        MyPSKTlsClient client = new MyPSKTlsClient(pskIdentity);
        protocol.connect(client);

        OutputStream output = protocol.getOutputStream();
        output.write("GET / HTTP/1.1\r\n\r\n".getBytes("UTF-8"));

        InputStream input = protocol.getInputStream();
        System.out.println(convertStreamToString(input));

        protocol.close();
        socket.close();
    }

    static class MyPSKTlsClient
        extends PSKTlsClient
    {

  public MyPSKTlsClient(TlsPSKIdentity id){
   super(id);
  }

        public void notifyAlertRaised(short alertLevel, short alertDescription, String message, Exception cause)
        {
            PrintStream out = (alertLevel == AlertLevel.fatal) ? System.err : System.out;
            out.println("TLS client raised alert (AlertLevel." + alertLevel + ", AlertDescription." + alertDescription + ")");
            if (message != null) {
                out.println(message);
            }
            if (cause != null) {
                cause.printStackTrace(out);
            }
        }

        public void notifyAlertReceived(short alertLevel, short alertDescription)
        {
            PrintStream out = (alertLevel == AlertLevel.fatal) ? System.err : System.out;
            out.println("TLS client received alert (AlertLevel." + alertLevel + ", AlertDescription."
                + alertDescription + ")");
        }

        public TlsAuthentication getAuthentication()
            throws IOException
        {
            return new ServerOnlyTlsAuthentication()
            {
                public void notifyServerCertificate(org.bouncycastle.crypto.tls.Certificate serverCertificate)
                    throws IOException
                {
                    System.out.println("in getAuthentication");
                }
            };
        }
    }
}


The simple Makefile (I installed gnuwin32 so my system has "rm" )


all:
        javac -cp "jce-jdk13-149.jar;." PSKTlsClientTest.java
        jar -cfm tls.jar  manifest.txt PSKTlsClient*.class

run:
        run.bat -jar tls.jar
clean:
        rm -f PskTlsClient*.class PskTlsClient*.jar

The Server side. Keep in mind that openssl s_server by default uses id "Client_identity". The hint is just a hint. It does not change the fact that the serve requires the client to provide the id "Client_identity". Of course this can be changed if you make your own application. So below you can use anything for the psk_hint, or even omit the argument.

$ cat psk_server.sh
openssl s_server \
        -psk 1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A \
        -psk_hint Client_identity\
        -cipher PSK-AES256-CBC-SHA \
        -debug -state -nocert -accept 10443 -tls1 -www
manifest.txt file

Main-Class: PSKTlsClientTest
Class-Path: . jce-jdk13-149.jar
run.bat file (The host is Windows 7)

java -cp "jce-jdk13-149.jar;." %*

5 comments:

  1. Thanks for very useful information!

    Do you know how to implement server-side BouncyCastle TLS PSK?

    ReplyDelete
    Replies
    1. Hey, do you get any way to use tls_psk on both sides client and server in java. I do not know how to start . Plz help me at himanshu.rawal19@gmail.com or reply to this comment

      Delete
  2. hi, brother. Do you have psk_tls code, both client and server. can you sent to me? now i need to use java implement tls psk, but I do not know how to start. please help me, thanks a lot

    ReplyDelete
  3. @Override
    public int[] getCipherSuites()
    {
    return new int[] { CipherSuite.TLS_PSK_WITH_AES_128_CBC_SHA256, CipherSuite.TLS_PSK_WITH_AES_256_CBC_SHA};
    }

    ReplyDelete
  4. Hey, do you get any way to use tls_psk on both sides client and server in java. I do not know how to start . Plz help me at himanshu.rawal19@gmail.com or reply to this comment

    ReplyDelete