The first release of the TLS 1.3 protocol implementation in Java with GOST algorithms in accordance with RFC 9367

The crypto-gost-tls13 module contains an implementation of TLS 1.3 (RFC 8446 + RFC 9367) with GOST cryptography. This release is the initial version of the library and is ready for internal use.

A distinctive feature of the library is that it is pure Java: all cryptographic operations are implemented by the library itself, with no external dependencies.

This is one of the first open-source implementations of TLS 1.3 with GOST in Java, so interoperability testing against other implementations has so far been minimal.

Below are the library's capabilities.

  1. Protocols:
  • Handshake: full (client/server), abbreviated (PSK resumption), mutual authentication (mTLS).
  • ALPN (RFC 7301) - Application-Layer Protocol Negotiation (HTTP/2, HTTP/1.1).
  • SNI (RFC 6066) - Server Name Indication for multi-tenant deployments.
  • KeyUpdate (RFC 8446 §4.6.3) - updating the traffic encryption keys.
  • Cipher suites: TLS_KUZNYECHIK_MGM_STREEBOG_256_L/S (the Kuznyechik-MGM L and S suites of RFC 9367).
  • ECDHE: CryptoPro-A (256-bit), CryptoPro-B (512-bit).
  • TLSTREE re-keying (RFC 9367): the record-protection key is derived from the record sequence number through the three-level TLSTREE, so it rotates whenever the sequence number crosses one of the level boundaries fixed by the L/S suite constants.
  • Fragmentation and reassembly of handshake messages and records (RFC 8446 §5.1).
  • Session resumption: PSK via NewSessionTicket (in-memory PskStore, single-use tickets).
  • OCSP stapling: the server attaches the OCSP response to its certificate.
  • Post-handshake messages: NewSessionTicket (stored for PSK resumption).
  2. Cryptography:
  • Key schedule: HKDF (RFC 5869) with Streebog over the TLS 1.3 key schedule (RFC 8446 §7.1).
  • Record protection: MGM AEAD with Kuznyechik; per-record nonce according to RFC 8446 §5.3.
  • Ephemeral keys are erased after use.
  3. Certificates:
  • X.509v3 parsing (GOST R 34.10-2012 signatures) - built-in DER parser.
  • Chain validation: signatures, name chaining (issuer → subject), Basic Constraints, Key Usage, Extended Key Usage (serverAuth / clientAuth), pathLenConstraint.
  • Hostname check: dNSName and iPAddress (RFC 6125).
  • Verification of OCSP responses (RFC 6960).
  4. Transport:
  • TlsTransport - the transport interface.
  • InMemoryTlsTransport - for tests and single-process scenarios (in-memory queue).
  • SocketTlsTransport - blocking I/O over java.net.Socket.
  • ChannelTlsTransport - NIO SocketChannel-based transport (blocking mode, interruptible).
  5. Step-by-step handshake:
  • TlsHandshakeEngine - a handshake state machine decoupled from I/O. It is driven by TlsSession as the orchestrator and is suitable for integration with JSSE (SSLEngine).
  6. ByteBuffer API:
  • TlsRecord.protect/unprotect - ByteBuffer overloads for zero-copy integration with NIO.
  7. Loading keys:
  • Pkcs12Loader - reading PFX (PKCS#12) files protected with PBKDF2-HMAC-SHA256 + AES-256-CBC.
  8. End of session:
  • close_notify - orderly closure as the protocol requires.
  • Key material is wiped on close and on error.
  • Alert handling: a fatal alert causes immediate closure and key wiping.
  9. Implementation security:
  • Constant-time comparisons for verify_data and PSK binders (protection against timing attacks).
  • Wiping of key material: destroy() on every object that holds keys (TlsKeySchedule, TlsTrafficKeys, TlsRecord, HandshakeContext) on close, on a fatal alert and on an exception during the handshake.
  • DoS protection: limits on certificate chain length (10), on post-handshake messages and on record size.
  • MGM nonce: the most significant bit of the first byte is cleared to form the ICN (RFC 9058 §3, RFC 9367 §3.3).
  • The ECDHE private key and the handshake transcript are destroyed once the handshake completes.
  • HMAC key material is erased after use (HkdfStreebog, KdfGostR3411_2012_256).
  10. Limitations:
  • Resumption PSK only (0-RTT and external PSKs are not supported).
  • Only psk_dhe_ke (pure PSK without ECDHE is not supported).
  • HelloRetryRequest (RFC 8446 §4.1.4) is not supported - a single named group is used (GC256A by default).
  • GOST only (non-GOST cipher suites are not supported).
  11. Testing:
  • Known Answer Tests from RFC 9367 Appendix A.1 (L and S variants) covering the full key schedule, TLSTREE, AEAD and ECDHE; all of them pass.
  • 4 integration tests (self-interop) over real TCP sockets.
  • Fuzz tests for the parsers: TlsMessageParser (8 methods), TlsDerParser (3 methods), TlsOcspVerifier (1 method), to reduce the attack surface of the parsers.
  12. Architectural solutions:
  • TlsHandshakeEngine - state machine decoupled from I/O (for a future JSSE module).
  • ByteBuffer overloads of TlsRecord.protect/unprotect for NIO/JSSE.
  • TLSTREE cache (TlsTreeCache) - recomputes only the levels whose masked sequence number changed (RFC 9367).
  • InMemoryTlsTransport.Pair - a bidirectional pair for tests and single-process communication.
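
Two of the items above (the per-record MGM nonce with its cleared top bit, and the TLSTREE cache that recomputes only changed levels) are easier to see in code than in a bullet. The following is an added example written for this page, not code from crypto-gost-tls13, in Python rather than the library's Java so that it runs on a standard library alone. Labelled assumptions: HMAC-SHA256 stands in for the GOST KDF (KDF_GOSTR3411_2012_256), the three masks in `DEMO_MASKS` are constructed for illustration and are not the per-suite constants of RFC 9367, and the names `record_nonce`, `TlsTree` and `tlstree_reference` are this example's own.

```python
"""
Added example, not code from crypto-gost-tls13: the record-key bookkeeping the
feature list mentions. (1) The per-record AEAD nonce of RFC 8446 §5.3, with the
MGM rule that the ICN is n-1 bits long (RFC 9058), hence the cleared top bit.
(2) A three-level TLSTREE (RFC 9367) that, like the TlsTreeCache idea, recomputes
only the levels whose masked sequence number changed.

Labelled assumptions: HMAC-SHA256 stands in for KDF_GOSTR3411_2012_256 so the
script runs on the standard library alone, and the level masks are constructed
for illustration; the real per-suite constants are in RFC 9367.
"""
import hashlib
import hmac

SEQNUM_LIMIT = 2**64   # TLS 1.3 record sequence numbers are 64-bit (RFC 8446 §5.3)
ICN_LEN = 16           # Kuznyechik block is 128 bits; the MGM ICN is n-1 = 127 bits


def record_nonce(write_iv: bytes, seqnum: int) -> bytes:
    """RFC 8446 §5.3: left-pad seqnum to the IV length and XOR it with the write IV.
    Then clear the MSB of the first byte so the result is a valid MGM ICN."""
    if len(write_iv) != ICN_LEN:
        raise ValueError("write_iv must be %d bytes" % ICN_LEN)
    if not 0 <= seqnum < SEQNUM_LIMIT:
        # Exhausted counter: a KeyUpdate or close must happen before this point.
        raise ValueError("record sequence number exhausted")
    padded = seqnum.to_bytes(ICN_LEN, "big")
    nonce = bytes(a ^ b for a, b in zip(write_iv, padded))
    return bytes([nonce[0] & 0x7F]) + nonce[1:]


# Constructed masks (NOT the RFC 9367 constants): the leaf key changes every 64
# records, level 2 every 4096 records, level 1 every 2**24 records.
DEMO_MASKS = (0xFFFFFFFFFF000000, 0xFFFFFFFFFFFFF000, 0xFFFFFFFFFFFFFFC0)
LEVEL_LABELS = (b"level1", b"level2", b"level3")   # TLSTREE level labels


def _kdf(key: bytes, label: bytes, seed: bytes) -> bytes:
    """Stand-in for KDF_GOSTR3411_2012_256 (RFC 7836): same shape, different primitive."""
    return hmac.new(key, label + seed, hashlib.sha256).digest()


def tlstree_reference(root: bytes, seqnum: int, masks=DEMO_MASKS) -> bytes:
    """Straight-line TLSTREE: K = KDF3(KDF2(KDF1(root, s & C1), s & C2), s & C3)."""
    key = root
    for label, mask in zip(LEVEL_LABELS, masks):
        key = _kdf(key, label, (seqnum & mask).to_bytes(8, "big"))
    return key


class TlsTree:
    """Cached TLSTREE: a level is recomputed only when its masked seqnum changed
    (or a level above it did). kdf_calls counts the work actually done."""

    def __init__(self, root: bytes, masks=DEMO_MASKS):
        self.root = root
        self.masks = masks
        self._masked = [None, None, None]
        self._keys = [b"", b"", b""]
        self.kdf_calls = 0

    def key_for(self, seqnum: int) -> bytes:
        if not 0 <= seqnum < SEQNUM_LIMIT:
            raise ValueError("record sequence number exhausted")
        parent = self.root
        dirty = False
        for lvl, (label, mask) in enumerate(zip(LEVEL_LABELS, self.masks)):
            masked = seqnum & mask
            if dirty or masked != self._masked[lvl]:
                self._keys[lvl] = _kdf(parent, label, masked.to_bytes(8, "big"))
                self._masked[lvl] = masked
                self.kdf_calls += 1
                dirty = True          # everything below this level must be rederived
            parent = self._keys[lvl]
        return self._keys[2]


if __name__ == "__main__":
    root = bytes(range(32))           # constructed root key
    tree = TlsTree(root)
    for s in (0, 1, 63, 64, 4096):
        assert tree.key_for(s) == tlstree_reference(root, s)
        print("seq %5d -> key %s... (kdf calls so far: %d)"
              % (s, tree.key_for(s).hex()[:16], tree.kdf_calls))
    print("nonce(seq=1):", record_nonce(b"\x80" + bytes(15), 1).hex())
```

Walking records 0 to 63 costs three KDF calls in total; record 64 costs one more (only the leaf level), and record 4096 two more (levels 2 and 3). That is the saving the TlsTreeCache item refers to, and `tlstree_reference` is the check that the cached tree never returns a different key than the straight-line derivation.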

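The fragmentation/reassembly item and the record-size limit under implementation security belong together: a receiver reassembling handshake messages across records has to decide, from the 4-byte header alone, whether it is willing to buffer the body at all, and has to reject zero-length handshake fragments. The following is an added example for this page, not code from crypto-gost-tls13, again in Python for portability; `MAX_HANDSHAKE_LEN` is a local policy value (assumption, not a figure from RFC 8446 or from the library), and the class and function names are this example's own.

```python
"""
Added example, not code from crypto-gost-tls13: handshake-message fragmentation
and reassembly across records (RFC 8446 §5.1) with the two receiver-side checks
that matter for robustness: zero-length handshake fragments are rejected with
unexpected_message, and an oversized advertised length is refused before any
body bytes are buffered.

Labelled assumption: MAX_HANDSHAKE_LEN is a policy cap chosen here for
illustration, not a number from RFC 8446 or from the library.
"""

HANDSHAKE_HEADER = 4              # 1-byte HandshakeType + 24-bit length
MAX_HANDSHAKE_LEN = 64 * 1024     # policy cap (assumption); the wire field allows 2**24 - 1


class TlsAlert(Exception):
    """Fatal alert the receiver would send before closing and wiping keys."""


def encode_handshake(msg_type: int, body: bytes) -> bytes:
    """Handshake header: type || uint24 length || body."""
    if not 0 <= msg_type < 256 or len(body) >= 2**24:
        raise ValueError("unencodable handshake message")
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def fragment(stream: bytes, max_fragment: int) -> list:
    """Sender side: cut a stream of handshake messages into record payloads.
    Coalescing and splitting at arbitrary byte offsets is allowed by RFC 8446 §5.1."""
    if max_fragment <= 0:
        raise ValueError("max_fragment must be positive")
    return [stream[i:i + max_fragment] for i in range(0, len(stream), max_fragment)]


class HandshakeReassembler:
    """Receiver side: feed handshake record payloads, get back the complete
    (type, body) messages they carry, in order."""

    def __init__(self, max_len: int = MAX_HANDSHAKE_LEN):
        self.max_len = max_len
        self._buf = bytearray()

    def feed(self, payload: bytes) -> list:
        if len(payload) == 0:
            # RFC 8446 §5.1: zero-length handshake fragments must be rejected.
            raise TlsAlert("unexpected_message")
        self._buf += payload
        done = []
        while len(self._buf) >= HANDSHAKE_HEADER:
            msg_type = self._buf[0]
            length = int.from_bytes(self._buf[1:4], "big")
            if length > self.max_len:
                # Decide on the header alone; never buffer a body we would not accept.
                raise TlsAlert("handshake message too large (%d bytes)" % length)
            if len(self._buf) < HANDSHAKE_HEADER + length:
                break                                   # wait for more records
            body = bytes(self._buf[HANDSHAKE_HEADER:HANDSHAKE_HEADER + length])
            del self._buf[:HANDSHAKE_HEADER + length]
            done.append((msg_type, body))
        return done

    def pending(self) -> int:
        """Bytes of an incomplete message still buffered."""
        return len(self._buf)


def roundtrip(messages, max_fragment: int) -> list:
    """Encode, fragment and reassemble; returns the recovered (type, body) list."""
    stream = b"".join(encode_handshake(t, b) for t, b in messages)
    rx = HandshakeReassembler()
    out = []
    for piece in fragment(stream, max_fragment):
        out.extend(rx.feed(piece))
    if rx.pending():
        # This example treats a flight that ends mid-message as a decode error.
        raise TlsAlert("decode_error")
    return out


if __name__ == "__main__":
    # Constructed messages: type 1 (client_hello) and type 20 (finished) with dummy bodies.
    msgs = [(1, bytes(range(40))), (20, b"\xaa" * 32)]
    for size in (1, 5, 7, 1000):
        assert roundtrip(msgs, size) == msgs
    print("reassembled both messages across fragment sizes 1, 5, 7 and 1000")
```

The ordering inside `feed` is the point: the length check runs as soon as four bytes are available, so a peer advertising a 16 MiB ClientHello is cut off after four bytes rather than after the receiver has grown a 16 MiB buffer, which is what a chain-length or record-size limit is for.
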
The library is distributed under a free license.

Source: linux.org.ru
