tlslite.extensions module
Helper package for handling TLS extensions encountered in ClientHello and ServerHello messages.
- class tlslite.extensions.ALPNExtension[source]
Bases:
TLSExtension
Handling of Application Layer Protocol Negotiation extension from RFC 7301.
- Variables:
- create(protocol_names=None)[source]
Create an instance of ALPNExtension with specified protocols
- Parameters:
protocols (list) – list of protocol names that are to be sent
- parse(parser)[source]
Parse the extension from on the wire format
- Parameters:
parser (Parser) – data to be parsed as extension
- Raises:
DecodeError – when the encoding of the extension is self inconsistent
- Return type:
- class tlslite.extensions.CertificateStatusExtension[source]
Bases:
TLSExtension
Handling of Certificate Status response as redefined in TLS1.3
- property extData
Serialise the object.
- class tlslite.extensions.ClientCertTypeExtension[source]
Bases:
VarListExtension
This class handles the (client variant of) Certificate Type extension
See RFC 6091.
- Variables:
Bases:
TLSExtension
Class for handling the Client Hello version of the Key Share extension.
Extension for sending the key shares to server
Create instance of the object.
Output human readable representation of the object.
Set the advertised client shares in the extension.
Return the on the wire raw encoding of the extension
- Return type:
Parse the extension from on the wire format
- Parameters:
parser (Parser) – data to be parsed
- Raises:
DecodeError – when the data does not match the definition
- Return type:
- class tlslite.extensions.CookieExtension[source]
Bases:
VarBytesExtension
Handling of the TLS 1.3 cookie extension.
- class tlslite.extensions.CustomNameExtension(field_name, extType)[source]
Bases:
TLSExtension
Abstract class for handling custom name for payload variable.
Used for handling arbitrary extensions that deal with a single value in payload (either an opaque data, single value or single array).
Must be subclassed.
- create(values)[source]
Set the list to specified values.
- Parameters:
values (list) – list of values to save
- parse(parser)[source]
Deserialise extension from on-the-wire data.
- Parameters:
parser (tlslite.utils.codec.Parser) – data
- Return type:
Extension
- class tlslite.extensions.ECPointFormatsExtension[source]
Bases:
VarListExtension
Client side list of supported ECC point formats.
See RFC4492.
Bases:
TLSExtension
Class for handling the Hello Retry Request variant of the Key Share ext.
Extension for notifying the client of the server selected group for key exchange.
Create instance of the object.
Set the selected group in the extension.
Serialise the payload of the extension.
Parse the extension from on the wire format.
- Parameters:
parser (Parser) – data to be parsed
- Return type:
- class tlslite.extensions.HeartbeatExtension[source]
Bases:
IntExtension
Heartbeat extension from RFC 6520
- Variables:
mode – mode if peer is allowed or nor allowed to send responses
- class tlslite.extensions.IntExtension(elem_length, field_name, ext_type, item_enum=None)[source]
Bases:
CustomNameExtension
Abstract class for extensions that deal with single integer in payload.
Extension for handling arbitrary extensions that have a payload that is a single integer of a given size (1, 2, … bytes)
- __init__(elem_length, field_name, ext_type, item_enum=None)[source]
Create handler for extension that has a single integer as payload.
- parse(parser)[source]
Deserialise extension from on-the-wire data.
- Parameters:
parser (tlslite.utils.codec.Parser) – data
- Return type:
Extension
Bases:
object
Handler for of the item of the Key Share extension.
Initialise the object.
Returns human readable representation of the extension.
Initialise the Key Share Entry from Key Share extension.
- Parameters:
- Return type:
Parse the value from on the wire format.
- Parameters:
parser (Parser) – data to be parsed as extension
- Return type:
Write the on the wire representation of the item to writer.
- Parameters:
writer (Writer) – buffer to write the data to
- class tlslite.extensions.ListExtension(fieldName, extType, item_enum=None)[source]
Bases:
CustomNameExtension
Abstract class for extensions that deal with single list in payload.
Extension for handling arbitrary extensions comprising of just a list of same-sized elementes inside an array
- class tlslite.extensions.NPNExtension[source]
Bases:
TLSExtension
This class handles the unofficial Next Protocol Negotiation TLS extension.
- Variables:
- create(protocols=None)[source]
Create an instance of NPNExtension with specified protocols
- Parameters:
protocols (list) – list of protocol names that are supported
- parse(p)[source]
Parse the extension from on the wire format
- Parameters:
p (Parser) – data to be parsed
- Raises:
DecodeError – when the size of the passed element doesn’t match the internal representation
- Return type:
- class tlslite.extensions.PaddingExtension[source]
Bases:
TLSExtension
ClientHello message padding with a desired size.
Can be used to pad ClientHello messages to a desired size in order to avoid implementation bugs caused by certain ClientHello sizes.
See RFC7685.
- create(size)[source]
Set the padding size and create null byte padding of defined size.
- Parameters:
size (int) – required padding size in bytes
- parse(p)[source]
Deserialise extension from on the wire data.
- Parameters:
p (Parser) – data to be parsed
- Raises:
DecodeError – when the size of the passed element doesn’t match the internal representation
- Return type:
Bases:
TLSExtension
Class for handling Pre Shared Key negotiation.
Create instance of class.
Set list of offered PSKs.
Serialise the payload of the extension.
Parse the extension from on the wire format.
- class tlslite.extensions.PskIdentity[source]
Bases:
object
Handling of PskIdentity from PreSharedKey Extension.
- class tlslite.extensions.PskKeyExchangeModesExtension[source]
Bases:
VarListExtension
Handling of the PSK Key Exchange Modes extension.
- class tlslite.extensions.RecordSizeLimitExtension[source]
Bases:
IntExtension
Class for handling the record_size_limit extension from RFC 8449.
- class tlslite.extensions.RenegotiationInfoExtension[source]
Bases:
VarBytesExtension
Client and Server Hello secure renegotiation extension from RFC 5746
Should have an empty renegotiated_connection field in case of initial connection
- class tlslite.extensions.SNIExtension[source]
Bases:
TLSExtension
Class for handling Server Name Indication (server_name) extension from RFC 4366.
Note that while usually the client does advertise just one name, it is possible to provide a list of names, each of different type. The type is a single byte value (represented by ints), the names are opaque byte strings, in case of DNS host names (records of type 0) they are UTF-8 encoded domain names (without the ending dot).
- Variables:
hostNames (tuple of bytearrays) –
tuple of hostnames (server name records of type 0) advertised in the extension. Note that it may not include all names from client hello as the client can advertise other types. Also note that while it’s not possible to change the returned array in place, it is possible to assign a new set of names. IOW, this won’t work:
sni_extension.hostNames[0] = bytearray(b'example.com')
while this will work:
names = list(sni_extension.hostNames) names[0] = bytearray(b'example.com') sni_extension.hostNames = names
serverNames (list of
ServerName
) – list of all names advertised in extension.ServerName
is a namedtuple with two elements, the first element (type) defines the type of the name (encoded as int) while the other (name) is a bytearray that carries the value. Known types are defined intlslite.constants.NameType
. The list will be empty if the on the wire extension had and empty list while it will be None if the extension was empty.extType (int) – numeric type of SNIExtension, i.e. 0
~.extData (bytearray) – raw representation of the extension
- class ServerName(name_type, name)
Bases:
tuple
- __repr__()
Return a nicely formatted representation string
- name
Alias for field number 1
- name_type
Alias for field number 0
- create(hostname=None, hostNames=None, serverNames=None)[source]
Initializes an instance with provided hostname, host names or raw server names.
Any of the parameters may be None, in that case the list inside the extension won’t be defined, if either hostNames or serverNames is an empty list, then the extension will define a list of length 0.
If multiple parameters are specified at the same time, then the resulting list of names will be concatenated in order of hostname, hostNames and serverNames last.
- Parameters:
- Return type:
- property extData
Raw encoding of extension data, without type and length header.
- Return type:
- property hostNames
Returns a simulated list of hostNames from the extension.
- Return type:
tuple of bytearrays
- parse(p)[source]
Deserialise the extension from on-the-wire data
The parser should not include the type or length of extension!
- Parameters:
p (tlslite.util.codec.Parser) – data to be parsed
- Return type:
- Raises:
DecodeError – when the internal sizes don’t match the attached data
- class tlslite.extensions.SRPExtension[source]
Bases:
TLSExtension
This class handles the Secure Remote Password protocol TLS extension defined in RFC 5054.
- Variables:
- create(identity=None)[source]
Create and instance of SRPExtension with specified protocols
- Parameters:
identity (bytearray) – UTF-8 encoded identity (user name) to be provided to user. MUST be shorter than 2^8-1.
- Raises:
ValueError – when the identity lenght is longer than 2^8-1
- parse(p)[source]
Parse the extension from on the wire format
- Parameters:
p (Parser) – data to be parsed
- Raises:
DecodeError – when the data is internally inconsistent
- Return type:
- class tlslite.extensions.ServerCertTypeExtension[source]
Bases:
IntExtension
This class handles the Certificate Type extension (variant sent by server) defined in RFC 6091.
- Variables:
Bases:
TLSExtension
Class for handling the Server Hello variant of the Key Share extension.
Extension for sending the key shares to client
Create instance of the object.
Set the advertised server share in the extension.
Serialise the payload of the extension
Parse the extension from on the wire format.
- Parameters:
parser (Parser) – data to be parsed
- Return type:
- class tlslite.extensions.SessionTicketExtension[source]
Bases:
TLSExtension
Client and server session ticket extension from RFC 5077
- create(ticket)[source]
Initializes a generic TLS extension.
The extension can carry arbitrary data and have arbitrary payload, can be used in client hello or server hello messages.
The legacy calling method uses two arguments - the extType and data. If the new calling method is used, only one argument is passed in - data.
Child classes need to override this method so that it is possible to set values for all fields used by the extension.
- Parameters:
- Return type:
- property extData
Serialise the payload of the extension.
- class tlslite.extensions.SignatureAlgorithmsCertExtension[source]
Bases:
_SigListExt
Client side list of supported signatures in certificates.
Should be used when the signatures supported in certificates and in TLS messages differ.
See TLS1.3 RFC
- class tlslite.extensions.SignatureAlgorithmsExtension[source]
Bases:
_SigListExt
Client side list of supported signature algorithms.
Should be used by server to select certificate and signing method for Server Key Exchange messages. In practice used only for the latter.
See RFC5246.
Bases:
IntExtension
Handling of the Pre Shared Key extension from server.
Create instance of class.
- class tlslite.extensions.SrvSupportedVersionsExtension[source]
Bases:
TLSExtension
Handling of SupportedVersion extension in SH and HRR in TLS 1.3.
See draft-ietf-tls-tls13.
- Variables:
- __init__()[source]
Creates a generic TLS extension.
You’ll need to use
create()
orparse()
methods to create an extension that is actually usable.- Parameters:
server (bool) – whether to select ClientHello or ServerHello version for parsing
extType (int) – type of extension encoded as an integer, to be used by subclasses
encExt (bool) – whether to select the EncryptedExtensions type for parsing
cert (bool) – whether to select the Certificate type of extension for parsing
hrr (bool) – whether to select the Hello Retry Request type of extension for parsing
- create(version)[source]
Set the version supported by the server.
- Parameters:
version (tuple) – Version selected by server.
- Return type:
- property extData
Raw encoding of extension data, without type and length header.
- Return type:
- class tlslite.extensions.StatusRequestExtension[source]
Bases:
TLSExtension
Handling of the Certificate Status Request extension from RFC 6066.
- Variables:
- create(status_type=1, responder_id_list=(), request_extensions=b'')[source]
Create an instance of StatusRequestExtension with specified options.
- class tlslite.extensions.SupportedGroupsExtension[source]
Bases:
VarListExtension
Client side list of supported groups of (EC)DHE key exchage.
See RFC4492, RFC7027 and RFC-ietf-tls-negotiated-ff-dhe-10
- Variables:
groups (int) – list of groups that the client supports
- class tlslite.extensions.SupportedVersionsExtension[source]
Bases:
VarSeqListExtension
This class handles the SupportedVersion extensions used in TLS 1.3.
See draft-ietf-tls-tls13.
- Variables:
- class tlslite.extensions.TACKExtension[source]
Bases:
TLSExtension
This class handles the server side TACK extension (see draft-perrin-tls-tack-02).
- Variables:
- class TACK[source]
Bases:
object
Implementation of the single TACK
- __eq__(other)[source]
Tests if the other object is equivalent to this TACK
Returns False for every object that’s not a TACK
- create(public_key, min_generation, generation, expiration, target_hash, signature)[source]
Initialise the TACK with data
- parse(p)[source]
Parse the TACK from on the wire format
- Parameters:
p (Parser) – data to be parsed
- Return type:
- Raises:
DecodeError – when the internal sizes don’t match the provided data
- class tlslite.extensions.TLSExtension(server=False, extType=None, encExt=False, cert=False, hrr=False)[source]
Bases:
object
Base class for handling handshake protocol hello messages extensions.
This class handles the generic information about TLS extensions used by both sides of connection in Client Hello and Server Hello messages. See https://tools.ietf.org/html/rfc4366 for more info.
It is used as a base class for specific users and as a way to store extensions that are not implemented in library.
To implement a new extension you will need to create a new class which calls this class contructor (__init__), usually specifying just the extType parameter. The other methods which need to be implemented are: extData, create, parse and __repr__. If the parser can be used for client and optionally server extensions, the extension constructor should be added to _universalExtensions. Otherwise, when the client and server extensions have completely different forms, you should add client form to the _universalExtensions and the server form to _serverExtensions. Since the server MUST NOT send extensions not advertised by client, there are no purely server-side extensions. But if the client side extension is just marked by presence and has no payload, the client side (thus the _universalExtensions may be skipped, then the TLSExtension class will be used for implementing it. See end of the file for type-to-constructor bindings.
Note
Subclassing for the purpose of parsing extensions is not an officially supported part of API (just as underscores in their names would indicate).
- Variables:
extType (int) – a 2^16-1 limited integer specifying the type of the extension that it contains, e.g. 0 indicates server name extension
~.extData (bytearray) – a byte array containing the value of the extension as to be written on the wire
serverType (boolean) – indicates that the extension was parsed with ServerHello specific parser, otherwise it used universal or ClientHello specific parser
encExtType (boolean) – indicates that the extension should be the type from Encrypted Extensions
_universalExtensions (dict) – dictionary with concrete implementations of specific TLS extensions where key is the numeric value of the extension ID. Contains ClientHello version of extensions or universal implementations
_serverExtensions (dict) – dictionary with concrete implementations of specific TLS extensions where key is the numeric value of the extension ID. Includes only those extensions that require special handlers for ServerHello versions.
_certificateExtensions (dict) – dictionary with concrete implementations of specific TLS extensions where the key is the numeric value of the type of the extension and the value is the class. Includes only those extensions that require special handlers for Certificate message.
_hrrExtensions (dict) – dictionary with concrete implementation of specific TLS extensions where the key is the numeric type of the extension and the value is the class. Includes only those extensions that require special handlers for the Hello Retry Request message.
- __eq__(that)[source]
Test if two TLS extensions are effectively the same
Will check if encoding them will result in the same on the wire representation.
Will return False for every object that’s not an extension.
- __init__(server=False, extType=None, encExt=False, cert=False, hrr=False)[source]
Creates a generic TLS extension.
You’ll need to use
create()
orparse()
methods to create an extension that is actually usable.- Parameters:
server (bool) – whether to select ClientHello or ServerHello version for parsing
extType (int) – type of extension encoded as an integer, to be used by subclasses
encExt (bool) – whether to select the EncryptedExtensions type for parsing
cert (bool) – whether to select the Certificate type of extension for parsing
hrr (bool) – whether to select the Hello Retry Request type of extension for parsing
- __repr__()[source]
Output human readable representation of object
Child classes should override this method to support more appropriate string rendering of the extension.
- Return type:
- create(*args, **kwargs)[source]
Initializes a generic TLS extension.
The extension can carry arbitrary data and have arbitrary payload, can be used in client hello or server hello messages.
The legacy calling method uses two arguments - the extType and data. If the new calling method is used, only one argument is passed in - data.
Child classes need to override this method so that it is possible to set values for all fields used by the extension.
- Parameters:
- Return type:
- property extData
Return the on the wire encoding of extension
Child classes need to override this property so that it returns just the payload of an extension, that is, without the 4 byte generic header common to all extension. In other words, without the extension ID and overall extension length.
- Return type:
- parse(p)[source]
Parses extension from on the wire format
Child classes should override this method so that it parses the extension from on the wire data. Note that child class parsers will not receive the generic header of the extension, but just a parser with the payload. In other words, the method should be the exact reverse of the extData property.
- Parameters:
p (tlslite.util.codec.Parser) – data to be parsed
- Raises:
DecodeError – when the size of the passed element doesn’t match the internal representation
- Return type:
- write()[source]
Returns encoded extension, as encoded on the wire
Note that child classes in general don’t need to override this method.
- Return type:
- Returns:
An array of bytes formatted as is supposed to be written on the wire, including the extension_type, length and the extension data
- Raises:
AssertionError – when the object was not initialized
- class tlslite.extensions.VarBytesExtension(field_name, length_length, ext_type)[source]
Bases:
CustomNameExtension
Abstract class for extension that deal with single byte array payload.
Extension for handling arbitrary extensions that comprise of just a single bytearray of variable size.
- parse(parser)[source]
Deserialise extension from on-the-wire data.
- Parameters:
parser (tlslite.utils.codec.Parser) – data
- Return type:
- class tlslite.extensions.VarListExtension(elemLength, lengthLength, fieldName, extType, item_enum=None)[source]
Bases:
ListExtension
Abstract extension for handling extensions comprised of uniform value list.
Extension for handling arbitrary extensions comprising of just a list of same-sized elementes inside an array
- __init__(elemLength, lengthLength, fieldName, extType, item_enum=None)[source]
Create handler for extension that has a list of items as payload.
- Parameters:
elemLength (int) – number of bytes needed to encode single element
lengthLength (int) – number of bytes needed to encode length field
fieldName (str) – name of the field storing the list of elements
extType (int) – numerical ID of the extension encoded
item_enum (class) – TLSEnum class that defines entries in the list
- parse(parser)[source]
Deserialise extension from on-the-wire data.
- Parameters:
parser (tlslite.utils.codec.Parser) – data
- Return type:
Extension
- class tlslite.extensions.VarSeqListExtension(elemLength, elemNum, lengthLength, fieldName, extType, item_enum=None)[source]
Bases:
ListExtension
Abstract extension for handling extensions comprised of tuple list.
Extension for handling arbitrary extensions comprising of a single list of same-sized elements in same-sized tuples
- __init__(elemLength, elemNum, lengthLength, fieldName, extType, item_enum=None)[source]
Create a handler for extension that has a list of tuples as payload.
- Parameters:
elemLength (int) – number of bytes needed to encode single element of a tuple
elemNum (int) – number of elements in a tuple
lengthLength (int) – number of bytes needed to encode overall length of the list
fieldName (str) – name of the field storing the list of elements
extType (int) – numerical ID of the extension encoded
item_enum (class) – TLSEnum class that defines entries in the list
- parse(parser)[source]
Deserialise extension from on-the-wire data.
- Parameters:
parser (tlslite.utils.codec.Parser) – data
- Return type:
Extension