From a29ec435380b1c268fb9da11fdb3c07837e0cc06 Mon Sep 17 00:00:00 2001 From: tuliperis <181785897+tuliperis@users.noreply.github.com> Date: Wed, 28 Jan 2026 23:50:18 +0100 Subject: [PATCH 1/2] fix(ja4): support non-alphanumeric alpns --- src/core/lib/JA4.mjs | 38 ++++++++++++++++++++++++++++------ src/core/lib/TLS.mjs | 10 ++++----- tests/operations/tests/JA4.mjs | 22 ++++++++++++++++++++ 3 files changed, 59 insertions(+), 11 deletions(-) diff --git a/src/core/lib/JA4.mjs b/src/core/lib/JA4.mjs index f600f4d8..2886c6d5 100644 --- a/src/core/lib/JA4.mjs +++ b/src/core/lib/JA4.mjs @@ -91,9 +91,7 @@ export function toJA4(bytes) { let alpn = "00"; for (const ext of tlsr.handshake.value.extensions.value) { if (ext.type.value === "application_layer_protocol_negotiation") { - alpn = parseFirstALPNValue(ext.value.data); - alpn = alpn.charAt(0) + alpn.charAt(alpn.length - 1); - if (alpn.charCodeAt(0) > 127) alpn = "99"; + alpn = alpnFingerprint(parseFirstALPNValue(ext.value.data)); break; } } @@ -212,9 +210,7 @@ export function toJA4S(bytes) { let alpn = "00"; for (const ext of tlsr.handshake.value.extensions.value) { if (ext.type.value === "application_layer_protocol_negotiation") { - alpn = parseFirstALPNValue(ext.value.data); - alpn = alpn.charAt(0) + alpn.charAt(alpn.length - 1); - if (alpn.charCodeAt(0) > 127) alpn = "99"; + alpn = alpnFingerprint(parseFirstALPNValue(ext.value.data)); break; } } @@ -262,3 +258,33 @@ function tlsVersionMapper(version) { default: return "00"; // Unknown } } + +/** + * Checks if a byte is ASCII alphanumeric (0-9, A-Z, a-z). + * @param {number} byte + * @returns {boolean} + */ +function isAlphanumeric(byte) { + return (byte >= 0x30 && byte <= 0x39) || + (byte >= 0x41 && byte <= 0x5A) || + (byte >= 0x61 && byte <= 0x7A); +} + +/** + * Computes the 2-character ALPN fingerprint from raw ALPN bytes. + * If both first and last bytes are ASCII alphanumeric, returns their characters. + * Otherwise, returns first hex digit of first byte + last hex digit of last byte. + * @param {Uint8Array|null} rawBytes + * @returns {string} + */ +function alpnFingerprint(rawBytes) { + if (!rawBytes || rawBytes.length === 0) return "00"; + const firstByte = rawBytes[0]; + const lastByte = rawBytes[rawBytes.length - 1]; + if (isAlphanumeric(firstByte) && isAlphanumeric(lastByte)) { + return String.fromCharCode(firstByte) + String.fromCharCode(lastByte); + } + const firstHex = firstByte.toString(16).padStart(2, "0"); + const lastHex = lastByte.toString(16).padStart(2, "0"); + return firstHex[0] + lastHex[1]; +} \ No newline at end of file diff --git a/src/core/lib/TLS.mjs b/src/core/lib/TLS.mjs index 6373bfa2..eaf661a8 100644 --- a/src/core/lib/TLS.mjs +++ b/src/core/lib/TLS.mjs @@ -863,15 +863,15 @@ export function parseHighestSupportedVersion(bytes) { } /** - * Parses the application_layer_protocol_negotiation extension and returns the first value. + * Parses the application_layer_protocol_negotiation extension and returns the first value as raw bytes. * @param {Uint8Array} bytes - * @returns {number} + * @returns {Uint8Array|null} */ export function parseFirstALPNValue(bytes) { const s = new Stream(bytes); const alpnExtLen = s.readInt(2); - if (alpnExtLen < 3) return "00"; + if (alpnExtLen < 2) return null; const strLen = s.readInt(1); - if (strLen < 2) return "00"; - return s.readString(strLen); + if (strLen < 1) return null; + return s.getBytes(strLen); } diff --git a/tests/operations/tests/JA4.mjs b/tests/operations/tests/JA4.mjs index 0fb4624e..699dca40 100644 --- a/tests/operations/tests/JA4.mjs +++ b/tests/operations/tests/JA4.mjs @@ -30,6 +30,28 @@ TestRegister.addTests([ } ], }, + { + name: "JA4 Fingerprint: TLS 1.3 with whitespace-only ALPN", + input: "1603010200010001fc0303ed338a18e711d670cdc472ff570a5b59f1ace12e5365918bf68bf845019147b6207e4437bfb062d98a4aeb753be8f09022a9dc9413d7694dad4db57fcdcf076e820024130213031301c02cc030c02bc02fcca9cca8c024c028c023c027009f009e006b006700ff0100018f0000001800160000136465762e636f6e74656e74677261622e6e6574000b000403000102000a00160014001d0017001e00190018010001010102010301040023000000100004000201200016000000170000000d002a0028040305030603080708080809080a080b080408050806040105010601030303010302040205020602002b00050403040303002d00020101003300260024001d00207af053336d5e2c1675aa4c6ce78de5e5fdbd296538113f051ea17ccb64289f22001500d2000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + expectedOutput: "t13d181220_85036bcba153_d41ae481755e", + recipeConfig: [ + { + "op": "JA4 Fingerprint", + "args": ["Hex", "JA4"] + } + ], + }, + { + name: "JA4 Fingerprint: TLS 1.3 with ALPN containing a whitespace", + input: "1603010200010001fc0303273682a603be3f64dd025df4ad0f4d2d13043c3a233405a68bb29b865808749a20f4dfc40242b2fce38fae26c516ef9bef20a1b9349eba3c003780168d72471f5c0024130213031301c02cc030c02bc02fcca9cca8c024c028c023c027009f009e006b006700ff0100018f0000001800160000136465762e636f6e74656e74677261622e6e6574000b000403000102000a00160014001d0017001e0019001801000101010201030104002300000010000500030261200016000000170000000d002a0028040305030603080708080809080a080b080408050806040105010601030303010302040205020602002b00050403040303002d00020101003300260024001d0020f4dd1567bd858d3a9f1d88db1fee6a10ab0ea1aa6afe96ffb6a7c4d79dea4075001500d10000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + expectedOutput: "t13d181260_85036bcba153_d41ae481755e", + recipeConfig: [ + { + "op": "JA4 Fingerprint", + "args": ["Hex", "JA4"] + } + ], + }, { name: "JA4 Fingerprint: TLS 1.2", input: "1603010200010001fc0303ecb2691addb2bf6c599c7aaae23de5f42561cc04eb41029acc6fc050a16ac1d22046f8617b580ac9358e2aa44e306d52466bcc989c87c8ca64309f5faf50ba7b4d0022130113031302c02bc02fcca9cca8c02cc030c00ac009c013c014009c009d002f00350100019100000021001f00001c636f6e74696c652e73657276696365732e6d6f7a696c6c612e636f6d00170000ff01000100000a000e000c001d00170018001901000101000b00020100002300000010000e000c02683208687474702f312e310005000501000000000022000a000804030503060302030033006b0069001d00208909858fbeb6ed2f1248ba5b9e2978bead0e840110192c61daed0096798b184400170041044d183d91f5eed35791fa982464e3b0214aaa5f5d1b78616d9b9fbebc22d11f535b2f94c686143136aa795e6e5a875d6c08064ad5b76d44caad766e2483012748002b00050403040303000d0018001604030503060308040805080604010501060102030201002d00020101001c000240010015007a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", From b1b9e91e5a39bbe7dd0feb881f46b570a0726443 Mon Sep 17 00:00:00 2001 From: tuliperis <181785897+tuliperis@users.noreply.github.com> Date: Wed, 28 Jan 2026 23:55:50 +0100 Subject: [PATCH 2/2] format(ja4): add newline --- src/core/lib/JA4.mjs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/core/lib/JA4.mjs b/src/core/lib/JA4.mjs index 2886c6d5..58422bca 100644 --- a/src/core/lib/JA4.mjs +++ b/src/core/lib/JA4.mjs @@ -287,4 +287,4 @@ function alpnFingerprint(rawBytes) { const firstHex = firstByte.toString(16).padStart(2, "0"); const lastHex = lastByte.toString(16).padStart(2, "0"); return firstHex[0] + lastHex[1]; -} \ No newline at end of file +}