Skip to content

Add an easy to know if foregin peer is using PSK in TlsServer.getCredentials() #2144

New issue
New issue
Closed
Closed
Add an easy to know if foregin peer is using PSK in TlsServer.getCredentials()#2144
Labels
enhancementNew feature or request
@sbernard31

Description

@sbernard31
sbernard31
opened on Aug 11, 2025

In my case I have a DTLS server (using bouncy castle low level API), which need to support PSK, RPK and X509.

Currently,

  • when client want to use RPK or X509, TlsServer.getCredentials() should return BcDefaultTlsCredentialedSigner.
  • When client want to use PSK then TlsServer.getCredentials() should return null.

But there is no easy way to know what choose the client with current API.

KeyExchange negociation is done at :

bc-java/tls/src/main/java/org/bouncycastle/tls/DTLSServerProtocol.java

Line 189 in d858403

state.keyExchange = TlsUtils.initKeyExchangeServer(serverContext, server);

And

bc-java/tls/src/main/java/org/bouncycastle/tls/TlsUtils.java

Lines 4534 to 4589 in d858403

private static TlsKeyExchange createKeyExchangeServer(TlsServer server, int keyExchange) throws IOException
{
TlsKeyExchangeFactory factory = server.getKeyExchangeFactory();
switch (keyExchange)
{
case KeyExchangeAlgorithm.DH_anon:
return factory.createDHanonKeyExchangeServer(keyExchange, server.getDHConfig());
case KeyExchangeAlgorithm.DH_DSS:
case KeyExchangeAlgorithm.DH_RSA:
return factory.createDHKeyExchange(keyExchange);
case KeyExchangeAlgorithm.DHE_DSS:
case KeyExchangeAlgorithm.DHE_RSA:
return factory.createDHEKeyExchangeServer(keyExchange, server.getDHConfig());
case KeyExchangeAlgorithm.ECDH_anon:
return factory.createECDHanonKeyExchangeServer(keyExchange, server.getECDHConfig());
case KeyExchangeAlgorithm.ECDH_ECDSA:
case KeyExchangeAlgorithm.ECDH_RSA:
return factory.createECDHKeyExchange(keyExchange);
case KeyExchangeAlgorithm.ECDHE_ECDSA:
case KeyExchangeAlgorithm.ECDHE_RSA:
return factory.createECDHEKeyExchangeServer(keyExchange, server.getECDHConfig());
case KeyExchangeAlgorithm.RSA:
return factory.createRSAKeyExchange(keyExchange);
case KeyExchangeAlgorithm.DHE_PSK:
return factory.createPSKKeyExchangeServer(keyExchange, server.getPSKIdentityManager(), server.getDHConfig(),
null);
case KeyExchangeAlgorithm.ECDHE_PSK:
return factory.createPSKKeyExchangeServer(keyExchange, server.getPSKIdentityManager(), null, server.getECDHConfig());
case KeyExchangeAlgorithm.PSK:
case KeyExchangeAlgorithm.RSA_PSK:
return factory.createPSKKeyExchangeServer(keyExchange, server.getPSKIdentityManager(), null, null);
case KeyExchangeAlgorithm.SRP:
case KeyExchangeAlgorithm.SRP_DSS:
case KeyExchangeAlgorithm.SRP_RSA:
return factory.createSRPKeyExchangeServer(keyExchange, server.getSRPLoginParameters());
default:
/*
* Note: internal error here; the TlsProtocol implementation verifies that the
* server-selected cipher suite was in the list of client-offered cipher suites, so if
* we now can't produce an implementation, we shouldn't have offered it!
*/
throw new TlsFatalAlert(AlertDescription.internal_error);
}
}

But there is nothing store which can be reused in TlsServer.getCredentials() (Or at least I didn't find it)

For now I use this not so good alternative :
https://github.com/eclipse-leshan/leshan/blob/07d2f3e00b0dfa4bfea61e07b6cf6bf886a6519d/leshan-tl-jc-server-coaps/src/main/java/org/eclipse/leshan/transport/javacoap/server/coaps/bc/endpoint/LwM2mTlsServer.java#L113-L124

If would better if we could have the negotiated information about that in API or maybe in that case TlsServer.getCredentials() should not even be called ? (not sure about that)

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions