mirrors/CyberChef
1
Fork 0
mirror of https://github.com/gchq/CyberChef.git synced 2026-05-27 22:41:58 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Fix the processing of ALPNs for JA4 to align with new specification update (#2165)
Some checks failed
CodeQL Analysis / Analyze (push) Has been cancelled
Details
Master Build, Test & Deploy / main (push) Has been cancelled
Details

Browse source
This commit is contained in:
FS 2026-01-31 13:01:10 +01:00 committed by GitHub
parent 9512444eee
commit e0c4957da4
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 59 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

38
src/core/lib/JA4.mjs
View file

@ -91,9 +91,7 @@ export function toJA4(bytes) {
let alpn = "00";
for (const ext of tlsr.handshake.value.extensions.value) {
if (ext.type.value === "application_layer_protocol_negotiation") {
alpn = parseFirstALPNValue(ext.value.data);
alpn = alpn.charAt(0) + alpn.charAt(alpn.length - 1);
if (alpn.charCodeAt(0) > 127) alpn = "99";
alpn = alpnFingerprint(parseFirstALPNValue(ext.value.data));
break;
}
}
@ -212,9 +210,7 @@ export function toJA4S(bytes) {
let alpn = "00";
for (const ext of tlsr.handshake.value.extensions.value) {
if (ext.type.value === "application_layer_protocol_negotiation") {
alpn = parseFirstALPNValue(ext.value.data);
alpn = alpn.charAt(0) + alpn.charAt(alpn.length - 1);
if (alpn.charCodeAt(0) > 127) alpn = "99";
alpn = alpnFingerprint(parseFirstALPNValue(ext.value.data));
break;
}
}
@ -262,3 +258,33 @@ function tlsVersionMapper(version) {
default: return "00"; // Unknown
}
}
/**
* Checks if a byte is ASCII alphanumeric (0-9, A-Z, a-z).
* @param {number} byte
* @returns {boolean}
*/
function isAlphanumeric(byte) {
return (byte >= 0x30 && byte <= 0x39) ||
(byte >= 0x41 && byte <= 0x5A) ||
(byte >= 0x61 && byte <= 0x7A);
}
/**
* Computes the 2-character ALPN fingerprint from raw ALPN bytes.
* If both first and last bytes are ASCII alphanumeric, returns their characters.
* Otherwise, returns first hex digit of first byte + last hex digit of last byte.
* @param {Uint8Array|null} rawBytes
* @returns {string}
*/
function alpnFingerprint(rawBytes) {
if (!rawBytes || rawBytes.length === 0) return "00";
const firstByte = rawBytes[0];
const lastByte = rawBytes[rawBytes.length - 1];
if (isAlphanumeric(firstByte) && isAlphanumeric(lastByte)) {
return String.fromCharCode(firstByte) + String.fromCharCode(lastByte);
}
const firstHex = firstByte.toString(16).padStart(2, "0");
const lastHex = lastByte.toString(16).padStart(2, "0");
return firstHex[0] + lastHex[1];
}

10
src/core/lib/TLS.mjs
View file

@ -863,15 +863,15 @@ export function parseHighestSupportedVersion(bytes) {
}
/**
* Parses the application_layer_protocol_negotiation extension and returns the first value.
* Parses the application_layer_protocol_negotiation extension and returns the first value as raw bytes.
* @param {Uint8Array} bytes
* @returns {number}
* @returns {Uint8Array|null}
*/
export function parseFirstALPNValue(bytes) {
const s = new Stream(bytes);
const alpnExtLen = s.readInt(2);
if (alpnExtLen < 3) return "00";
if (alpnExtLen < 2) return null;
const strLen = s.readInt(1);
if (strLen < 2) return "00";
return s.readString(strLen);
if (strLen < 1) return null;
return s.getBytes(strLen);
}